ok github.com/google/syzkaller/dashboard/app (cached) ? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/executor 0.466s ok github.com/google/syzkaller/pkg/ast 2.309s ok github.com/google/syzkaller/pkg/bisect 25.048s ok github.com/google/syzkaller/pkg/build 11.750s ? github.com/google/syzkaller/pkg/cmdprof [no test files] ok github.com/google/syzkaller/pkg/compiler 5.149s ok github.com/google/syzkaller/pkg/config (cached) ok github.com/google/syzkaller/pkg/cover 1.934s --- FAIL: TestGenerate (1.88s) --- FAIL: TestGenerate/linux/amd64 (2.40s) csource_test.go:66: seed=1599728849140365462 --- FAIL: TestGenerate/linux/amd64/23 (3.91s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:false HandleSegv:false Repro:false Trace:false} program: socket$nl_netfilter(0x10, 0x3, 0xc) r0 = open(&(0x7f0000000000)='./file0\x00', 0x2000, 0x163) recvfrom(r0, &(0x7f0000000040)=""/238, 0xee, 0x1, &(0x7f0000000140)=@llc={0x1a, 0x10f, 0x7, 0xc7, 0x6, 0xff, @broadcast}, 0x80) r1 = socket$inet_sctp(0x2, 0x5, 0x84) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r1, 0x84, 0xa, &(0x7f00000001c0)={0x7ff, 0x1ff, 0x204, 0x0, 0x803, 0x0, 0x5, 0x800}, 0x20) execveat(r0, &(0x7f0000000200)='./file0\x00', &(0x7f0000000400)=[&(0x7f0000000240)='^\x00', &(0x7f0000000280)='*,+\x00', &(0x7f00000002c0)='-{$(%![\x00', &(0x7f0000000300)='\\[\x00', &(0x7f0000000340)='\x00', &(0x7f0000000380)='\x00', &(0x7f00000003c0)='\xb1$}\x00'], &(0x7f0000000640)=[&(0x7f0000000440)='\x00', &(0x7f0000000480)='*/%}\\\\\x00', &(0x7f00000004c0)='@[\x00', &(0x7f0000000500)='\x00', &(0x7f0000000540)=':\'\x9f^(\x00', &(0x7f0000000580)='],-.$\xfb\\}{)@-&/[\\!\x00', &(0x7f00000005c0)='\x00', 
&(0x7f0000000600)='{{\'$(+-(}{}]?/--)\x00'], 0x1000) r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000680)='/dev/hwrng\x00', 0x40000, 0x0) ioctl$HIDIOCGPHYS(r2, 0x80404812, &(0x7f00000006c0)) ioctl$TIOCGICOUNT(r2, 0x545d, 0x0) io_uring_setup(0x509f, &(0x7f0000000700)={0x0, 0x9c76, 0x8, 0x3, 0x309, 0x0, r0}) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_unix_may_send\x00') syz_emit_ethernet(0x2e, &(0x7f0000000040)={@dev={[], 0x29}, @local, @void, {@ipx={0x8137, {0xffff, 0x20, 0x2, 0x0, {@random=0x3, @random="67516965f015", 0x3}, {@random=0xa0, @current, 0x8ca}, "d18e"}}}}, &(0x7f0000000080)={0x1, 0x3, [0x6f3, 0xd92, 0xd18, 0x98a]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_EVENT_PKT={0x4, @hci_ev_pkt_type_change={{0x1d, 0x5}, {0x1, 0xc9, 0x800}}}, 0x8) syz_execute_func(&(0x7f0000000100)="c4017c5a50f2c4a1637c7a862ef04230b50d00000041d9f93e420fb7bcaeb0000000c4c2a5291498c482c9bdac33de7941f1c401fc2e0666400f38241f670fecfb") syz_extract_tcp_res(&(0x7f0000000180), 0x8, 0x47) r3 = openat$selinux_policy(0xffffffffffffff9c, &(0x7f00000001c0)='/selinux/policy\x00', 0x0, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002500)={0x2020, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x2020) lstat(&(0x7f00000046c0)='\x00', &(0x7f0000004700)={0x0, 0x0, 0x0, 0x0, 0x0}) stat(&(0x7f0000004780)='./file0\x00', &(0x7f00000047c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000004840)=0x0, &(0x7f0000004880), &(0x7f00000048c0)) syz_fuse_handle_req(r3, &(0x7f0000000200)="", 0x2000, &(0x7f0000004cc0)={&(0x7f0000002200)={0x50, 0x0, 0x8b20, {0x7, 0x1f, 0x4, 0x0, 0x6, 0x2, 0x7fffffff, 0x2}}, &(0x7f0000002280)={0x18, 0xfffffffffffffff5, 0x55}, &(0x7f00000022c0)={0x18, 0x0, 0x2, {0x9}}, &(0x7f0000002300)={0x18, 0x0, 0x40, {0xe62}}, &(0x7f0000002340)={0x18, 0x0, 0x80000001, {0x787}}, &(0x7f0000002380)={0x28, 0x0, 0x3, {{0x9, 0x101, 0x0, 0xffffffffffffffff}}}, &(0x7f00000023c0)={0x60, 0x0, 0x9, {{0xf652, 0x8d, 0x0, 0x3f, 0x80000000, 0x0, 0x3}}}, &(0x7f0000002440)={0x18, 0x0, 0x2, {0xa8f}}, &(0x7f0000002480)={0x26, 0x0, 
0x8, {'bpf_lsm_unix_may_send\x00'}}, &(0x7f00000024c0)={0x20, 0x0, 0x6, {0x0, 0x12}}, &(0x7f0000004540)={0x78, 0xfffffffffffffff5, 0x81, {0x1, 0x7, 0x0, {0x5, 0x8, 0x6, 0x1ff, 0x5, 0x4, 0x4, 0xe8, 0x193, 0x7000, 0x6, 0xffffffffffffffff, r4, 0x3, 0x9}}}, &(0x7f00000045c0)={0x90, 0x0, 0x8612, {0x5, 0x3, 0xb2f, 0x20, 0x0, 0x7, {0x0, 0x1ff, 0x2, 0x2, 0x1de, 0x5a, 0x9, 0xc46, 0x5, 0xc000, 0xddce, 0xee01, 0xee00, 0x0, 0x12}}}, &(0x7f0000004680)={0x10, 0x0, 0x5}, &(0x7f0000004900)={0x2c0, 0xfffffffffffffff5, 0x8a, [{{0x4, 0x3, 0xfff, 0x6, 0xffffffff, 0x8, {0x5, 0xca13, 0x81, 0x4, 0x0, 0xbbc, 0x0, 0x3, 0x34b, 0x4000, 0x9, 0x0, 0xee01, 0x2, 0x81}}, {0x3, 0x80000001, 0x16, 0xf97, 'bpf_lsm_unix_may_send\x00'}}, {{0x5, 0x3, 0x100000001, 0x10001, 0x7, 0x83, {0x5, 0x5, 0x100, 0x6, 0xfffffffffffffbff, 0xb533, 0x800, 0xad7, 0x32f914fb, 0x2000, 0xe0, r6, 0xee01, 0x4, 0x64}}, {0x4, 0xfffffffffffffffc, 0x16, 0x6, 'bpf_lsm_unix_may_send\x00'}}, {{0x2, 0x2, 0x7, 0x8000, 0x9, 0x3, {0x2, 0x7, 0x80000000, 0x8, 0x6, 0x400, 0xc932, 0x81, 0x5, 0x1000, 0xf841, r7, 0xee00, 0xff, 0x5}}, {0x4, 0xffffffffffff3232, 0x16, 0x5, 'bpf_lsm_unix_may_send\x00'}}, {{0x4, 0x0, 0x0, 0x7, 0x200, 0x6, {0x5, 0x1020000, 0x6, 0x7f, 0xce, 0x0, 0xa9fb, 0xffffff81, 0x3ff, 0x1000, 0x0, 0x0, r8, 0x8de6, 0x3}}, {0x2, 0xffffffff, 0x1, 0x5, '/'}}]}, &(0x7f0000004bc0)={0xa0, 0x0, 0x3f, {{0x5, 0x2, 0x0, 0x7, 0x6, 0x3, {0x2, 0xf51e, 0x65, 0x1, 0x8b, 0x7f, 0x100, 0x9, 0x24, 0xa000, 0x3f, 0x0, 0xffffffffffffffff, 0x40, 0x3}}, {0x0, 0x1}}}, &(0x7f0000004c80)={0x20, 0xfffffffffffffff5, 0x401, {0x5b2, 0x0, 0x9, 0x2}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004d40)='SEG6\x00') r9 = syz_init_net_socket$ax25(0x3, 0x2, 0x1) r10 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x3e79, &(0x7f0000004d80)={0x0, 0xb8ca, 0x20, 0xe7c, 0x26b, 0x0, r10}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004e00), &(0x7f0000004e40)) syz_io_uring_setup(0x5336, &(0x7f0000004e80)={0x0, 0x29dc, 0x2, 0x1, 0x3d6, 0x0, r3}, 
&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004f00)=0x0, &(0x7f0000004f40)=0x0) r13 = syz_open_dev$vcsa(&(0x7f0000004f80)='/dev/vcsa#\x00', 0xfffffffffffffff8, 0x240) syz_io_uring_submit(0x0, r12, &(0x7f0000004fc0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd=r13, 0x0, 0x0, 0x0, {0x4404}}, 0x8) r14 = syz_open_dev$vcsa(&(0x7f0000005000)='/dev/vcsa#\x00', 0x1000, 0x8600) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005080)=[{0x0, &(0x7f0000005040)="48d5a3400d135dd4910161867c991fc7d68d55145fbbc5c498b58fba49bd01b68386473365a9131272ede1d53bc285051b85", 0x32}], 0x1, 0x0, &(0x7f00000050c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000005100)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000005140)='afs\x00', &(0x7f0000005180)='./file0\x00', 0x0, 0x9, &(0x7f0000006640)=[{&(0x7f00000051c0)="c5f6f420aeec388cedec2b597c8156538cd4586034199f56f5944da03d8ca829f6c6b6", 0x23, 0x1}, {&(0x7f0000005200)="f4ee9edc1be2c2d862a480f30ae30dafadfdf869f7789a4549f5a8dac06fe4c5d5d2cf0066d88bfca6af40745ed617b7a146c940de37505cb965eaa1982c8ca0ec2106f47e4e265f1e19285bba7eb577f60066b5f46c62d2ec0068edcbe6300e4f1e3cce429e45a7df287e8009841db1015134eeaa724311e55181cb7afe7dfdc7946bd14523ea6680ea42ca9f7b0eaaabe1d054277eff607ef4f8402e5dc37e6a528ec3565823c031a8460e8b5f670668f86b90a026043a", 0xb8, 0x2}, {&(0x7f00000052c0)="baeede481736d90f0aa36fb327956dd763578e20199f0dc85f185c9306866ba33c93d2af9613c92909c651254e6a63503dbf317b021c4b3c8de305d3de39a1ad9ac1b0ab3f51f68c1ae1da3e4cc744fd00dfa6d1b96e21134007d31c93013854ed32550f1b82a4c03ca67440d86545dcd29eea99274f655737ad5a54d9e7f9dec49129bb84beb62b1853f69e6a077209f7e55ce0d51686ca764d2ce334cd6d09b5d92357bdef60a635", 0xa9}, 
{&(0x7f0000005380)="31f1fbee4b48e6e69cb61bd1ccc1e213af5a28e74cffc2e5e82fbbcd1c3400faf379d1a194d52a3667e2019b9aec0e14feed8fea770a9a1bfbbc30997321bcbbcf4d115bb3d3269e50beca5982ef1d22c983d78621dbaa93e8395efe31dfadedcaded0976f5f0c7d4f17b6cc88b897ce5ddff1ade8ef2d62dcbed421589e3cfb5d8550d3651a99115d6e", 0x8a, 0x2}, {&(0x7f0000005440)="7881b6811ea2aec8f27f7f7f523cc4baca3652f7303cd748fb4ed8cc783ac578a9e853a9906a", 0x26, 0x1}, {&(0x7f0000005480)="", 0x1000, 0xff00000000000000}, {&(0x7f0000006480)="829251fbd70caeb451ccf09a96fbfe559b217a4a12cf46a389d82c55ef7f5c64e45e1b6f269559a85e8bcc232bf1500dcb9af40f697165fde6209f8bf001585b6ccaafe194ccfdb7f8990804ee77ed9a345b52a8d7e8f4", 0x57, 0x8}, {&(0x7f0000006500)="34e0c082bd77b51d0c9ab1bcde0acc308149f3e64c75b7173cda5f39d3b4a62c60de76d12d41cec1b7c9bc9e57acb7834282a5758d7c7e4b21715febf6fbf144ad46cbf2cec87f7401", 0x49, 0x8001}, {&(0x7f0000006580)="e60976f86d91dd66cec0b1e30ec801160b84cfb1f8603703d14a6b815d22e1783eed12ce8c080e3ffbf0b53095f69603fa76a934a60a0526341eafafb3867d13e88d1d39e370a00dbe06ddc840ba7446a62597069e1dcd138f82b29ff78af1d1c3133fe9c04d732cdb4b3f6aa26989369b5f6dca6000a0767341bc2aaacd69e648621915b8aa9cb24c6bb5ae3f", 0x8d, 0x3}], 0x10000, &(0x7f0000006740)={[{@flock_strict='flock=strict'}], [{@obj_type={'obj_type', 0x3d, '/dev/vcsa#\x00'}}, {@obj_role={'obj_role', 0x3d, 'bpf_lsm_unix_may_send\x00'}}]}) syz_open_dev$I2C(&(0x7f00000067c0)='/dev/i2c-#\x00', 0x4, 0x4800) syz_open_procfs(r5, &(0x7f0000006800)='net/icmp\x00') syz_open_pts(r9, 0x258102) syz_read_part_table(0x9, 0x8, &(0x7f0000007d00)=[{&(0x7f0000006840)="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", 0xfe, 0x7fffffff}, {&(0x7f0000006940)="330ea746d7dfb4a5e9f33a325a9688ca04cd59af724b34f70ae370d4ac73ea9a65ab003f2cbc01af1162c0fefb2b7e4a0dcd3f2a8c23f2a1", 0x38, 0x2eed}, {&(0x7f0000006980)="", 0x1000, 0x4065ebb7}, 
{&(0x7f0000007980)="112a657c2770ad17f2e77762160bb14f2f71a17b88fdb946f919b2dfd3efd616e31124ff47ee668f6065a0435a791a7439d8aa10dcc418192d821e36fc0820d7cc0f88b088916d786f01426fa46b214de822d24e4d6c785feac458d98635c4801672bd4e74fd40753932121152ae0ead771e3abc7f741e393b328526e5ec29e8e0d9b3a2bebcd0eb3472a4bd8e50f953ed173ba271fbe9f9d9c463c79f44d093154ffef59c93ada783b4727fc35ba6c0db2518939cb35fb3301d4cf72d2524f83ac4ab57a8acfc93a99c26ccaee0566371229496e93021e86b956021a467f34be66e", 0xe2, 0x6d69}, {&(0x7f0000007a80)="629825e3cb9c42732810eb62f1ff4785718f7a30c63940f2eadf19dae820feb9b7b358f741b834164a9a4ac8ce398c231607f523a26db9e0aecac1d1e89022d1cd50d644f2466b25ec09c6d6ef4f0b3ef592d1408d049da49b953b327e123c6f1963c2f7a9e3cc7e0c52ed1e17d0a8b794666875b20b07a0f5c2c76d9632909f769eb25b162737bea131f5c270b3249fd65c255e68b680271d0c11196715177744e7", 0xa2, 0x9}, {&(0x7f0000007b40)="d1091749233d1e7ec50653f301a734f5dd67ac1e748923e44ccedeeb3ea234745896abcb8003ed61605b5dffa8a9af0aa12ed902d4a35a9260c53ab6a621e210e61e4002838dc29e2f798b4cbe0ed0c12a33c69ddda446b9b884fcbfe28199184bd4aeb097d0d9a393b699d1f55a57d830da497d79b9bd7dbcdbfe7e168d6007611db96733574fb150f4e90991c70fc19edba6beedc5a72169366ae5fca5c1cb413bbc54ff8f127d1b94cf9942b5c9be5fbfc93946bf1d0b289a7442fb057adb0ae7fa4189d5e5fefc75ed5d260b3c2c2445d49579e6b369e396da162d940559", 0xe0, 0x6}, {&(0x7f0000007c40)="768d82c47f166e252530915b63b40d9eba4b95fe087893453f373a94389e1120981cb44576a2051c4158400a59b9c8a940ccae2826414e14ad55c72b04f8fabfe86462409b3ab2a075ea92c8bddcd2b2fc0fd77a97bc271ecd43dd605f29b990837b409eed5965ddb3fb1b91e5bf12ddbcf21c90c7ef2f0ab9bb03f72a647ce8", 0x80, 0xfffffffffffffff7}, {&(0x7f0000007cc0)="46c0ce8920305b2c7f636edbb165920db78c61f8", 0x14, 0xfffffffffffffffa}]) r15 = syz_usb_connect(0x5, 0x776, &(0x7f0000007dc0)={{0x12, 0x1, 0x300, 0x94, 0xe8, 0x2e, 0x40, 0x789, 0x160, 0xf578, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x764, 0x2, 0x4, 0x8f, 0x0, 0x7f, [{{0x9, 0x4, 0x40, 0x3f, 0xe, 0xbb, 0x18, 0xf3, 0x20, [@cdc_ecm={{0xa, 0x24, 0x6, 
0x0, 0x0, "c1b0c981cc"}, {0x5, 0x24, 0x0, 0x7}, {0xd, 0x24, 0xf, 0x1, 0x9, 0xfff, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0xaa4}, @acm={0x4, 0x24, 0x2, 0x9}]}, @hid_hid={0x9, 0x21, 0x7ff, 0x8, 0x1, {0x22, 0xd44}}], [{{0x9, 0x5, 0x3, 0x3, 0x40, 0x6, 0x6, 0x80}}, {{0x9, 0x5, 0x5, 0x8, 0x20, 0x34, 0x7, 0xd1, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x20}, @generic={0x65, 0x30, "dac16e845b149dafe66663cc3acf393fa7b0ae46cbb8cf207bdb0d3d6cf681661fa00ed58d703c226470a84eaa264be51e6810875248ede794e2207e60b04585603cd055c6348f0eb4f33f2a833f4aee8884d7773be2f45177ad4c03728ff4dd8e40fd"}]}}, {{0x9, 0x5, 0x2, 0x4, 0x3ff, 0x1f, 0x2, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x9, 0x2}]}}, {{0x9, 0x5, 0x6, 0x0, 0x40, 0x0, 0x40, 0xfd, [@uac_iso={0x7, 0x25, 0x1, 0x83, 0x1f, 0x1000}]}}, {{0x9, 0x5, 0xd, 0x1, 0x3ff, 0x3, 0x1, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x4, 0x3}]}}, {{0x9, 0x5, 0x5, 0x4, 0x8, 0x8, 0xff, 0x80}}, {{0x9, 0x5, 0xf, 0x1, 0x8, 0xae, 0x9, 0xf6, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x95, 0x6}, @generic={0x7a, 0x6, "3f8f5c318c80e5a936089fa5be9dc364d3a8ff22238b9200642bb7969b9c0989510df3f2673846f3fe68eec487476d9d8ea37c9e7ec2939c3a85842cad500bf77aed1d9290eb850af4621cafed03c08a55c422c7122f6ec0703a47dfcb279c0b03558b39c7231b38e559d0546a29ca32280a8ce47080aa8d"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x58982e9dfc588938, 0x1, 0x8c, 0x4}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x6, 0x1, 0x81}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0x80, 0x3, 0x23, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0xb5a}]}}, {{0x9, 0x5, 0x8, 0x2, 0x8, 0x1f, 0x8, 0x1f, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x7f, 0x3}]}}, {{0x9, 0x5, 0xd, 0xc, 0x3ff, 0x12, 0x9, 0x4, [@generic={0xe, 0x5, "a9b97bc24de62c3bcf2bfa13"}, @generic={0x44, 0x30, "9f0d5ea24268b8a3211765246b1a834af641e8cd6ea3ef9b1fe10f16bed6b06cc3a165920c9d73909ab9ac8b2a7a8a5dae5d4acf316d0b35d4b644d368a06e0eff85"}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x3, 0xff, 0x6}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x6, 0x2e}}]}}, {{0x9, 0x4, 0x7, 
0x0, 0xd, 0x29, 0xcb, 0x7c, 0x9, [@hid_hid={0x9, 0x21, 0x7, 0x1, 0x1, {0x22, 0xbd9}}, @uac_as={[@format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x43, 0x1, 0x0, 0x9, 'd\"', "3709db"}, @format_type_i_discrete={0x11, 0x24, 0x2, 0x1, 0xf8, 0x2, 0x7, 0x40, "5e58dff9a0d01e4109"}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0xffec, 0x6, 0x15, '?w'}, @as_header={0x7, 0x24, 0x1, 0xe1, 0x3, 0x2}]}], [{{0x9, 0x5, 0xc, 0x8, 0x8, 0x4, 0x8, 0x8}}, {{0x9, 0x5, 0x6, 0x8, 0x8, 0x0, 0x2, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x6, 0x18}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x39, 0x0, 0x6, [@generic={0x80, 0x23, "eba3e2d4848f84d0e6ded46e24d10bf9f8b0738910e29f319e942546e9cda8638257f55d0049672a1337067af73c1c29e0bd772a1cd5e16d249ed15cdd3d85a4399aef69e3f5a506ea0e0559306fe1f42dfc10922062e2bc062c34a1adc4bc46b080259ad20b37cde1eba7178fb514b2ef7397715b0eae34d5efd5274900"}, @generic={0xa1, 0x21, "1c020b389a4c59d1f26da857b222a6f6618adb0411bb24478e68ffe758469d4bb34df6aa9577ced55383dff01c052abbde70468ce31100ca3184d1d5f803dc280df3b7ae4738ad05036701e2e38ce844a7d301d86e0597c5bc1b67e7c6a5f7dfbc3311dbd234688e85e9a7d5021e51e2d0dd418038153db65b7fc268f98ddfd9e5036f24497d2f04cdcc752178991958f7243ff4dd5aefcf759a3fe7fb34c8"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x240, 0x2, 0x1, 0x0, [@generic={0x26, 0x3, "b451e24f6972cd6429f81ca173d13fb2c7f5284751638bbc4f0b3de02091fbb4f44533d9"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x7, 0x3f, 0xdb, [@generic={0xc0, 0x0, "ba73f770a427b8438313cb7e9d9d53a7e3110366c878e3c0f6e629ebb2a084a90b2def4b66950fdfd606e0834229e63028875489678bc93698ed8613884254703c315f1ee529d1bcbfaf8d865e738b9e08cbc4a211d480bdc2a6e69e172b1c73639474f1f0115b5f4918d037451c99dee88547562582d57171aa196913f11915d1fdc1a513b16c0b9c1fa07157421046f4f3372d00d4a27eb93ecd79b685e14f3eba647e7b20aefdf92ed05bef68935265ce0035e3b624852350d1234ef9"}, @generic={0xa, 0x5, "290a548e962666df"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x7d7, 0x0, 0x7, 0xf9, [@generic={0xcd, 0x2, 
"74cd6007ae0ea1297f07018cbdaaa0c87851a01308ad717f235e9eff8010ad1046a5148d352a70760bc4bebdd7528bf7d506da1baac2cf499d52de51d71b05185d7cd268023de5961304521b5f567c74ccab78b61c3f641662af2d55d5157a0ddc80c75962e9bda9ff2d3b63df6a6a0e2aebbfc664de3f3a34d66200fa092475685957f0b3594247a21d463cfe0ccd8044f95319b4d40c7f022d5a9ce9e348cd623dc4c590bee5a1047270954214611a8d98e60aa697a5ce30eeacd2397094e50716739911a4478b495f02"}, @generic={0x2b, 0x3, "9bc9f5807506303fbfd71282a82058560fe8180b205f6f47f9d7cf05280b7eb96d6d1589972f402ef4"}]}}, {{0x9, 0x5, 0x7, 0x1a, 0x8, 0x7, 0x3, 0x86, [@generic={0x35, 0xb, "018a3d5fb94d26c6a689e91eb6a9e49bf1b883b9e3da0a42bf45639bc1b19a0d8e78babd769b27a43dd091ce83b4a91cf5d119"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x6}]}}, {{0x9, 0x5, 0x3, 0x2, 0x200, 0x8, 0x55, 0x7, [@generic={0xc, 0x21, "f2ae0c70731245835364"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x400, 0xff, 0x9, 0x7f}}, {{0x9, 0x5, 0x3, 0x4, 0x3ff, 0x3, 0x81, 0x1f, [@generic={0x102, 0xb, "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"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x200}]}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x81, 0x1, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x8, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x8}]}}, {{0x9, 0x5, 0x0, 0x4, 0x80, 0x9, 0x6, 0x7}}, {{0x9, 0x5, 0x3, 0x0, 0x7ff, 0x1, 0xff, 0x1f}}]}}]}}]}}, &(0x7f0000008640)={0xa, &(0x7f0000008540)={0xa, 0x6, 0x0, 0x2, 0x86, 0x80, 0x10, 0x2}, 0x42, &(0x7f0000008580)={0x5, 0xf, 0x42, 0x5, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x3, 0x73, 0x4}, @ptm_cap={0x3}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0xeb, 0x3f, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x8, 0xf, 0x6, 0x5}, @generic={0x1f, 0x10, 0x1, "61408d3d2e1872469226d4d9befecdac208dfdaa385178f48ca75650"}]}, 0x1, [{0x4, &(0x7f0000008600)=@lang_id={0x4, 0x3, 0x41a}}]}) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000008680)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r15, &(0x7f0000008900)={0x2c, &(0x7f0000008700)={0x20, 0x21, 
0xdb, {0xdb, 0x24, "b501b9a676dfcb3e98c66e8b6877cac30dfb9856c72094ee90f23170f33dc0416919146a8a2ad605ce54f3d443ec597b337b1b4d39c44289bbfc621a00862648fe2df754e463455ef88f55fb63b4b7719dd8d3e6846c4d254afb2e40116d2b5fcd883a84212217e065cd44666801154e7b43e3d1629dc76f3a7110e80790ce65ee44961d306521e94e6ee941a97e0eab0e8037fef768902891bb4105d8baf0a35f93d2a5635935799c87eb91b5e5ff7ae91cbe9cdadd653a486d72d67dc3b371e4e5fa618759de87ebe1ec278d140834590f6c513e4c95cbb3"}}, &(0x7f0000008800)={0x0, 0x3, 0x18, @string={0x18, 0x3, "2c5ddd5fc63236d47af3164223e9b423e13b8560f28a"}}, &(0x7f0000008840)={0x0, 0xf, 0x35, {0x5, 0xf, 0x35, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x8, 0x2, 0xa, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x8, 0x3f, 0x1, 0x4, 0x6}, @ss_container_id={0x14, 0x10, 0x4, 0x80, "d0d1e2d868e0fa991777cac1b7948258"}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x3, 0x4, 0x0, 0x8}]}}, &(0x7f0000008880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x4, 0xc1, 0x7f, "1bc19f6f", "0cd3a196"}}, &(0x7f00000088c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xff, 0x8, 0x20, 0x2, 0x6, 0x800, 0x9}}}, &(0x7f0000008e00)={0x84, &(0x7f0000008940)={0x0, 0xb, 0xe5, "ea88bca9c1e3f5bdf607f7252573dd8756e9f32a7c4aeea5b3e1ae6fdbe3194c1918d9d9a3aa13dbbc47e1430d7be6a180c7388456d12a5c327b716d2341bcd0ef82a4a34610e28fc7b2e172dfa056c6353da166496ca2540e60bb52066ef4773667409a68eff52e75ff93469e4ff5d69966b81e034c688a2f6fd945ecd05f336573586823fd9f6d40bb483dd27ad46b841455ac07fc319b8cb5f5e2daa64a6c5f3bc099270cd376660ef3456571aa6d2fe48667838d811126caceedaebef9608192b603327f6ee9ed42572b6eb3c6630e9017428ed370bd0324da01eae4a7881a6b88aa1a"}, &(0x7f0000008a40)={0x0, 0xa, 0x1, 0x5}, &(0x7f0000008a80)={0x0, 0x8, 0x1, 0x1f}, &(0x7f0000008ac0)={0x20, 0x0, 0x4, {0x2, 0x3}}, &(0x7f0000008b00)={0x20, 0x0, 0x4, {0x100, 0x1}}, &(0x7f0000008b40)={0x40, 0x7, 0x2, 0xffff}, &(0x7f0000008b80)={0x40, 0x9, 0x1, 0x7f}, &(0x7f0000008bc0)={0x40, 0xb, 0x2, "a6ab"}, &(0x7f0000008c00)={0x40, 0xf, 0x2}, &(0x7f0000008c40)={0x40, 0x13, 0x6}, &(0x7f0000008c80)={0x40, 0x17, 0x6, 
@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}, &(0x7f0000008cc0)={0x40, 0x19, 0x2, 'rN'}, &(0x7f0000008d00)={0x40, 0x1a, 0x2, 0xb81}, &(0x7f0000008d40)={0x40, 0x1c, 0x1, 0x40}, &(0x7f0000008d80)={0x40, 0x1e, 0x1, 0x80}, &(0x7f0000008dc0)={0x40, 0x21, 0x1, 0x92}}) syz_usb_disconnect(r15) syz_usb_ep_read(r16, 0x1f, 0x80, &(0x7f0000008ec0)=""/128) syz_usb_ep_write(r15, 0xff, 0x49, &(0x7f0000008f40)="059cbaeb6864bcc93a17640936d2e5450deb6a94a3cd8dbac2fbcfac932f8dd22205e7ae589b0f0172e751e308a236cea85711d74b546d98b4d75afcc65fd04633c1fbed7cfe4d049d") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void 
event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case 
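BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; }

// memcpy() with separate byte offsets applied to the destination and the source.
// Returns what memcpy returns (the destination pointer), widened to long.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	// Handle returned by USB_RAW_IOCTL_EP_ENABLE for this endpoint.
	int handle;
};

struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
	// Backing storage for a DEVICE_QUALIFIER reply synthesized from dev when
	// the caller did not supply one (see lookup_connect_response_in).
	struct usb_qualifier_descriptor qual;
};

struct usb_info {
	int fd;
	struct usb_device_index index;
};

static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

// Index the descriptor blob handed to syz_usb_connect: the device descriptor,
// the configuration descriptor that follows it, and up to USB_MAX_IFACE_NUM
// interfaces with up to USB_MAX_EP_NUM endpoints each.
// Returns false only if the blob is too short to hold device + config descriptors.
// Every pointer stored in index aliases buffer, so buffer must outlive index.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	for (;;) {
		// Need at least bLength and bDescriptorType.
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			struct usb_iface_index* slot = &index->ifaces[index->ifaces_num];
			slot->iface = iface;
			slot->bInterfaceNumber = iface->bInterfaceNumber;
			slot->bAlternateSetting = iface->bAlternateSetting;
			slot->bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				struct usb_endpoint_index* ep = &iface->eps[iface->eps_num];
				// Copy only the bytes the descriptor declares: sizeof(ep->desc)
				// covers the 9-byte audio form, while a plain 7-byte endpoint
				// descriptor at the end of the blob would otherwise be over-read.
				// The struct was zeroed above, so the tail stays 0.
				size_t copy = desc_length;
				if (copy > sizeof(ep->desc))
					copy = sizeof(ep->desc);
				memcpy(&ep->desc, buffer + offset, copy);
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

// Register the parsed descriptor set for a raw-gadget fd. Slots are handed out
// monotonically; once USB_MAX_FDS have been consumed, registration fails.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int slot = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (slot >= USB_MAX_FDS)
		return NULL;
	struct usb_info* info = &usb_devices[slot];
	if (!parse_usb_descriptor(dev, dev_len, &info->index))
		return NULL;
	// Publish the fd last so a reader that observes it also observes the index.
	__atomic_store_n(&info->fd, fd, __ATOMIC_RELEASE);
	return &info->index;
}

// Find the index registered for fd, or NULL.
static struct usb_device_index* lookup_usb_index(int fd)
{
	struct usb_info* info = usb_devices;
	struct usb_info* end = usb_devices + USB_MAX_FDS;
	for (; info != end; info++) {
		if (__atomic_load_n(&info->fd, __ATOMIC_ACQUIRE) == fd)
			return &info->index;
	}
	return NULL;
}

struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// "syz" as a UTF-16LE string descriptor.
static const char default_string[] = {
    8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0
};

// String descriptor 0: the supported-language list (0x0409, en-US).
static const char default_lang_id[] = {
    4, USB_DT_STRING, 0x09, 0x04
};

// Answer an IN control request during enumeration. Only standard
// GET_DESCRIPTOR requests are handled; everything else returns false so the
// caller stalls ep0. descs may be NULL, in which case built-in defaults are
// used for strings and the device qualifier and BOS is not served.
// On success *response_data/*response_length describe the reply; the reply
// storage belongs to the index or to descs, never to the caller's stack.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return false;
	if ((ctrl->bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD)
		return false;
	if (ctrl->bRequest != USB_REQ_GET_DESCRIPTOR)
		return false;
	uint8_t desc_type = ctrl->wValue >> 8;
	uint8_t str_idx = (uint8_t)ctrl->wValue;
	switch (desc_type) {
	case USB_DT_DEVICE:
		*response_data = (char*)index->dev;
		*response_length = sizeof(*index->dev);
		return true;
	case USB_DT_CONFIG:
		*response_data = (char*)index->config;
		*response_length = index->config_length;
		return true;
	case USB_DT_STRING:
		if (descs && str_idx < descs->strs_len) {
			*response_data = descs->strs[str_idx].str;
			*response_length = descs->strs[str_idx].len;
			return true;
		}
		if (str_idx == 0) {
			*response_data = (char*)&default_lang_id[0];
			*response_length = default_lang_id[0];
			return true;
		}
		*response_data = (char*)&default_string[0];
		*response_length = default_string[0];
		return true;
	case USB_DT_BOS:
		// Without descs there is nothing to serve; stall instead of
		// dereferencing NULL. A NULL bos with a non-zero bos_len is left to
		// the caller, which sends zeros for a NULL data pointer.
		if (!descs)
			return false;
		*response_data = descs->bos;
		*response_length = descs->bos_len;
		return true;
	case USB_DT_DEVICE_QUALIFIER:
		if (descs && descs->qual) {
			*response_data = descs->qual;
			*response_length = descs->qual_len;
			return true;
		}
		{
			// Synthesize the qualifier from the device descriptor into storage
			// owned by the index. Writing it through response_data would
			// overwrite the caller's char* variable (10 bytes into an 8-byte
			// pointer) and then hand that garbage back as the data pointer.
			struct usb_qualifier_descriptor* qual = &index->qual;
			qual->bLength = sizeof(*qual);
			qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
			qual->bcdUSB = index->dev->bcdUSB;
			qual->bDeviceClass = index->dev->bDeviceClass;
			qual->bDeviceSubClass = index->dev->bDeviceSubClass;
			qual->bDeviceProtocol = index->dev->bDeviceProtocol;
			qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
			qual->bNumConfigurations = index->dev->bNumConfigurations;
			qual->bRESERVED = 0;
			*response_data = (char*)qual;
			*response_length = sizeof(*qual);
			return true;
		}
	default:
		return false;
	}
}

typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{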
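switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; }

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// OUT-request filter for ath9k-style enumeration: standard SET_CONFIGURATION
// and the vendor firmware-download request are accepted, and enumeration is
// declared finished (*done) only when the download-complete request arrives.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	uint8_t type = ctrl->bRequestType & USB_TYPE_MASK;
	if (type == USB_TYPE_STANDARD)
		return ctrl->bRequest == USB_REQ_SET_CONFIGURATION;
	if (type == USB_TYPE_VENDOR) {
		if (ctrl->bRequest == ATH9K_FIRMWARE_DOWNLOAD)
			return true;
		if (ctrl->bRequest == ATH9K_FIRMWARE_DOWNLOAD_COMP) {
			*done = true;
			return true;
		}
	}
	return false;
}

struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	// Byte length of this table (header plus the descs[] pointer array).
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	// Byte length of this table (header plus the resps[] pointer array).
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

// Pick the reply for a control request from the caller-supplied tables:
// GET_DESCRIPTOR requests are matched against descs by (request type,
// descriptor type), everything else against resps by (request type, request).
// A NULL table entry is skipped; the table's generic entry is the fallback.
// Returns false if nothing matches. A zero-length match yields a NULL data
// pointer with length 0.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;
	// The table lengths come from the caller; a len shorter than the header
	// would make the subtraction wrap and the entry count huge, so such a
	// table is treated as empty.
	if (descs && descs->len >= offsetof(struct vusb_descriptors, descs))
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps && resps->len >= offsetof(struct vusb_responses, resps))
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;
	if (req == USB_REQ_GET_DESCRIPTOR) {
		for (int i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type != req_type || desc->desc_type != desc_type)
				continue;
			*response_length = desc->len;
			*response_data = *response_length ? &desc->data[0] : NULL;
			return true;
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
		return false;
	}
	for (int i = 0; i < resps_num; i++) {
		struct vusb_response* resp = resps->resps[i];
		if (!resp)
			continue;
		if (resp->type != req_type || resp->req != req)
			continue;
		*response_length = resp->len;
		*response_data = *response_length ? &resp->data[0] : NULL;
		return true;
	}
	if (resps && resps->generic) {
		*response_data = &resps->generic->data[0];
		*response_length = resps->generic->len;
		return true;
	}
	return false;
}

// Raw Gadget UAPI (mirrors include/uapi/linux/usb/raw_gadget.h).
#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};

struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Thin wrappers over the raw-gadget ioctls; each returns the ioctl result.
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}

static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	// Zero the whole struct so no stack bytes are passed to the kernel and
	// both names are NUL-terminated even for over-long inputs.
	memset(&arg, 0, sizeof(arg));
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name) - 1);
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name) - 1);
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd,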
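USB_RAW_IOCTL_CONFIGURE, 0); }

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Map (bInterfaceNumber, bAlternateSetting) to a position in index->ifaces,
// or -1 if fd is unknown or no such interface was indexed.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		const struct usb_iface_index* iface = &index->ifaces[i];
		if (iface->bInterfaceNumber == bInterfaceNumber && iface->bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Resolve an endpoint address of the currently selected interface to its
// raw-gadget endpoint handle. Returns -1 if fd is unknown, no interface is
// selected, or the address is not among that interface's endpoints.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
		return -1;
	const struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	// Bound the scan by eps_num: eps[] has USB_MAX_EP_NUM slots, only the first
	// eps_num are populated, and a miss must not run off the end of the array.
	for (int ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}

// Switch the device to interface n: disable the endpoints of the interface
// currently selected (best effort), then enable n's endpoints and record their
// handles. An out-of-range n leaves the current selection untouched.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		struct usb_iface_index* cur = &index->ifaces[index->iface_cur];
		for (int ep = 0; ep < cur->eps_num; ep++) {
			// Failures here are ignored: the endpoint is being abandoned anyway.
			usb_raw_ep_disable(fd, cur->eps[ep].handle);
		}
	}
	if (n < 0 || n >= index->ifaces_num)
		return;
	struct usb_iface_index* next = &index->ifaces[n];
	for (int ep = 0; ep < next->eps_num; ep++) {
		int rv = usb_raw_ep_enable(fd, &next->eps[ep].desc);
		// Record -1 on failure so lookup_endpoint() reports the endpoint as
		// unavailable instead of handing out a stale (or zero) handle.
		next->eps[ep].handle = rv < 0 ? -1 : rv;
	}
	index->iface_cur = n;
}

// Complete SET_CONFIGURATION: declare the configured power draw, configure the
// gadget and select interface 0. Returns 0, -1 for an unknown fd, or the
// failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0)
		return rv;
	rv = usb_raw_configure(fd);
	if (rv < 0)
		return rv;
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest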
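ctrl; char data[USB_MAX_PACKET_SIZE]; };

struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Forget the index entry registered for fd (if any). Without this, a later
// connect that gets the same fd number from open() would still resolve to this
// device's descriptors, because lookup_usb_index() returns the first match.
// The slot is not recycled: add_usb_index() hands slots out monotonically.
static void remove_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			__atomic_store_n(&usb_devices[i].fd, -1, __ATOMIC_RELEASE);
	}
}

// Error path of syz_usb_connect_impl: drop the index entry, close the
// raw-gadget fd (it was leaked before) and pass the failure value through.
static long usb_connect_fail(int fd, long rv)
{
	remove_usb_index(fd);
	close(fd);
	return rv;
}

// Emulate a USB device over /dev/raw-gadget until enumeration is complete.
// dev/dev_len is the descriptor blob (see parse_usb_descriptor), descs the
// optional extra descriptors, and lookup_connect_response_out decides which
// OUT requests are accepted and when enumeration is done.
// Returns the raw-gadget fd on success, or a negative value on failure (the
// open() result, -1, or the failing ioctl's result); on failure the fd is closed.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev)
		return -1;
	int fd = usb_raw_open();
	if (fd < 0)
		return fd;
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		close(fd);
		return -1;
	}
	char device[32];
	snprintf(&device[0], sizeof(device), "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0)
		return usb_connect_fail(fd, rv);
	rv = usb_raw_run(fd);
	if (rv < 0)
		return usb_connect_fail(fd, rv);
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0)
			return usb_connect_fail(fd, rv);
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			// OUT data is accepted and discarded: read wLength bytes into response.
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0)
				return usb_connect_fail(fd, rv);
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// A reply larger than the buffer is sent as a zero-length one, and a
		// reply is never longer than the host asked for.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN)
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		else
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		if (rv < 0)
			return usb_connect_fail(fd, rv);
	}
	sleep_ms(200);
	return fd;
}

static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	return syz_usb_connect_impl((uint64_t)a0, (uint64_t)a1, (const char*)a2, (const struct vusb_connect_descriptors*)a3, &lookup_connect_response_out_generic);
}

static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	return syz_usb_connect_impl((uint64_t)a0, (uint64_t)a1, (const char*)a2, (const struct vusb_connect_descriptors*)a3, &lookup_connect_response_out_ath9k);
}

// Service one control request on an already-connected device: IN requests
// with a data stage are answered from descs/resps (stall if nothing matches);
// a standard SET_INTERFACE switches the active interface; all other requests
// are acknowledged with their data (if any) read and discarded.
// Returns 0, -1 if no matching reply exists or the event is not a control
// request, or the failing ioctl's result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0)
		return rv;
	if (event.inner.type != USB_RAW_EVENT_CONTROL)
		return -1;
	bool dir_in = (event.ctrl.bRequestType & USB_DIR_IN) != 0;
	bool has_data_stage = event.ctrl.wLength != 0;
	char* response_data = NULL;
	uint32_t response_length = 0;
	if (dir_in && has_data_stage) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// Both conditions must hold (previously `||`): any other standard OUT
		// request, or a vendor request that merely shares the SET_INTERFACE
		// code, must not re-select interfaces and re-enable endpoints.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index >= 0)
				set_interface(fd, iface_index);
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// IN without a data stage: accept whatever arrives, up to the buffer size.
	if (dir_in && !has_data_stage)
		response_length = USB_MAX_PACKET_SIZE;
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if (dir_in && has_data_stage)
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	else
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	if (rv < 0)
		return rv;
	sleep_ms(200);
	return 0;
}

// Write up to USB_MAX_PACKET_SIZE bytes to endpoint address ep of the current
// interface. Returns 0, -1 if the endpoint is unknown, or the ioctl's result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0)
		return -1;
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0)
		return rv;
	sleep_ms(200);
	return 0;
}

// Read up to USB_MAX_PACKET_SIZE bytes from endpoint address ep of the current
// interface into data. Returns 0, -1 if the endpoint is unknown, or the
// ioctl's result.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0)
		return -1;
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0)
		return rv;
	// Never copy more than the caller's buffer holds, whatever the kernel left
	// in the length field.
	uint32_t got = io_data.inner.length;
	if (got > len)
		got = len;
	memcpy(&data[0], &io_data.data[0], got);
	sleep_ms(200);
	return 0;
}

// Close the raw-gadget fd (disconnecting the device) and forget its index
// entry so a reused fd number cannot resolve to this device later.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	remove_usb_index(fd);
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// a0 == 0xc / 0xb: open /dev/char/MAJ:MIN or /dev/block/MAJ:MIN read-write
// (a1, a2 truncated to 8 bits). Otherwise a0 is a path template in which every
// '#' is replaced by successive decimal digits of a1 (least significant first),
// opened with flags a2.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		const char* kind = a0 == 0xc ? "char" : "block";
		snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", kind, (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	}
	char buf[1024];
	strncpy(buf, (char*)a0, sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = 0;
	char* hash;
	while ((hash = strchr(buf, '#')) != NULL) {
		*hash = '0' + (char)(a1 % 10);
		a1 /= 10;
	}
	return open(buf, a2, 0);
}

// Open /proc/self/<a1> (a0 == 0), /proc/thread-self/<a1> (a0 == -1) or
// /proc/self/task/<a0>/<a1>, read-write first and read-only as a fallback.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	const char* name = (char*)a1;
	if (a0 == 0)
		snprintf(buf, sizeof(buf), "/proc/self/%s", name);
	else if (a0 == -1)
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", name);
	else
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, name);
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Open the slave side (/dev/pts/N) of the pty master a0 with flags a1.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	snprintf(buf, sizeof(buf), "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Create a socket inside the initial network namespace (kInitNetNsFd) and
// return to the caller's namespace afterwards. errno reflects the socket()
// call. Being unable to switch back is fatal: every later syscall would run
// in the wrong namespace.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Do not leak the namespace fd; keep setns()'s errno for the caller.
		int err = errno;
		close(netns);
		errno = err;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct gen
lmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) +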
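sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; }

// One piece of a filesystem image: size bytes of data written at offset.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 319

// Clamp a caller-supplied segment list so the backing image stays within
// IMAGE_MAX_SIZE: each segment's size and offset are reduced in place, and
// the returned image size is grown to cover the end of every segment.
// Only the first IMAGE_MAX_SEGMENTS entries are examined and made safe; a
// caller that iterates segs must apply the same cap to nsegs.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		struct fs_image_segment* seg = &segs[i];
		if (seg->size > IMAGE_MAX_SIZE)
			seg->size = IMAGE_MAX_SIZE;
		seg->offset %= IMAGE_MAX_SIZE;
		if (seg->offset > IMAGE_MAX_SIZE - seg->size)
			seg->offset = IMAGE_MAX_SIZE - seg->size;
		// The image must reach the end of the segment (offset + size); the
		// previous offset + offset under-sized images with small offsets and
		// large segments.
		unsigned long end = seg->offset + seg->size;
		if (size < end)
			size = end;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Build a memfd holding the image described by segs and attach it to the loop
// device loopname (retrying once after LOOP_CLR_FD if it is busy). On success
// returns 0 and stores both fds in *memfd_p/*loopfd_p; on failure returns -1
// with errno set and nothing left open.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	size = fs_image_segment_check(size, nsegs, segs);
	// fs_image_segment_check() only clamped the first IMAGE_MAX_SEGMENTS
	// entries; never write segments it did not validate.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
			// Best effort: a failed write leaves that part of the image zeroed.
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// A previous user left the device attached: detach and try once more.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Attach the image to this process's loop device with partition scanning on,
// and expose the partitions that appear (/dev/loopNp1..7) as ./file0, ./file1,
// ... . The loop device is detached again before returning. Returns 0 once the
// partition scan was requested, -1 otherwise (errno set).
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1, next_link = 0;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (int part = 1; part < 8; part++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, part);
		struct stat statbuf;
		if (stat(loopname, &statbuf) != 0)
			continue;
		char linkname[64];
		snprintf(linkname, sizeof(linkname), "./file%d", next_link++);
		if (symlink(loopname, linkname)) {
			// Best effort: a missing link only loses access to that partition.
		}
	}
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	close(memfd);
	errno = err;
	return res;
}

static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd =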
-1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = 
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x7
9\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc
0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd
0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define 
ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define 
CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? 
seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = 
guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; 
memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment 
seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; 
seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = 
kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); 
uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = 
SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; 
*(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); 
fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, 
&rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, 
sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct 
fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: 
out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 42; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 10 ? 
500 : 0) + (call == 31 ? 50 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } #ifndef __NR_execveat #define __NR_execveat 322 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: syscall(__NR_socket, 0x10ul, 3ul, 0xc); break; case 1: memcpy((void*)0x20000000, "./file0\000", 8); res = syscall(__NR_open, 0x20000000ul, 0x2000ul, 0x163ul); if (res != -1) r[0] = res; break; case 2: *(uint16_t*)0x20000140 = 0x1a; *(uint16_t*)0x20000142 = 0x10f; *(uint8_t*)0x20000144 = 7; *(uint8_t*)0x20000145 = 0xc7; *(uint8_t*)0x20000146 = 6; *(uint8_t*)0x20000147 = -1; *(uint8_t*)0x20000148 = -1; *(uint8_t*)0x20000149 = -1; *(uint8_t*)0x2000014a = -1; *(uint8_t*)0x2000014b = -1; *(uint8_t*)0x2000014c = -1; *(uint8_t*)0x2000014d = -1; syscall(__NR_recvfrom, r[0], 0x20000040ul, 0xeeul, 1ul, 0x20000140ul, 0x80ul); break; case 3: res = syscall(__NR_socket, 2ul, 5ul, 0x84); if (res != -1) r[1] = res; break; case 4: *(uint16_t*)0x200001c0 = 0x7ff; *(uint16_t*)0x200001c2 = 0x1ff; 
*(uint16_t*)0x200001c4 = 0x204; *(uint32_t*)0x200001c8 = 0; *(uint32_t*)0x200001cc = 0x803; *(uint32_t*)0x200001d0 = 0; *(uint32_t*)0x200001d4 = 5; *(uint32_t*)0x200001d8 = 0x800; *(uint32_t*)0x200001dc = 0; syscall(__NR_setsockopt, r[1], 0x84, 0xa, 0x200001c0ul, 0x20ul); break; case 5: memcpy((void*)0x20000200, "./file0\000", 8); *(uint64_t*)0x20000400 = 0x20000240; memcpy((void*)0x20000240, "^\000", 2); *(uint64_t*)0x20000408 = 0x20000280; memcpy((void*)0x20000280, "*,+\000", 4); *(uint64_t*)0x20000410 = 0x200002c0; memcpy((void*)0x200002c0, "-{$(%![\000", 8); *(uint64_t*)0x20000418 = 0x20000300; memcpy((void*)0x20000300, "\\[\000", 3); *(uint64_t*)0x20000420 = 0x20000340; memcpy((void*)0x20000340, "\000", 1); *(uint64_t*)0x20000428 = 0x20000380; memcpy((void*)0x20000380, "\000", 1); *(uint64_t*)0x20000430 = 0x200003c0; memcpy((void*)0x200003c0, "\261$}\000", 4); *(uint64_t*)0x20000640 = 0x20000440; memcpy((void*)0x20000440, "\000", 1); *(uint64_t*)0x20000648 = 0x20000480; memcpy((void*)0x20000480, "*/%}\\\\\000", 7); *(uint64_t*)0x20000650 = 0x200004c0; memcpy((void*)0x200004c0, "@[\000", 3); *(uint64_t*)0x20000658 = 0x20000500; memcpy((void*)0x20000500, "\000", 1); *(uint64_t*)0x20000660 = 0x20000540; memcpy((void*)0x20000540, ":\'\237^(\000", 6); *(uint64_t*)0x20000668 = 0x20000580; memcpy((void*)0x20000580, "],-.$\373\\}{)@-&/[\\!\000", 18); *(uint64_t*)0x20000670 = 0x200005c0; memcpy((void*)0x200005c0, "\000", 1); *(uint64_t*)0x20000678 = 0x20000600; memcpy((void*)0x20000600, "{{\'$(+-(}{}]?/--)\000", 18); syscall(__NR_execveat, r[0], 0x20000200ul, 0x20000400ul, 0x20000640ul, 0x1000ul); break; case 6: memcpy((void*)0x20000680, "/dev/hwrng\000", 11); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000680ul, 0x40000ul, 0ul); if (res != -1) r[2] = res; break; case 7: syscall(__NR_ioctl, r[2], 0x80404812, 0x200006c0ul); break; case 8: syscall(__NR_ioctl, r[2], 0x545d, 0ul); break; case 9: *(uint32_t*)0x20000704 = 0x9c76; *(uint32_t*)0x20000708 = 8; 
*(uint32_t*)0x2000070c = 3; *(uint32_t*)0x20000710 = 0x309; *(uint32_t*)0x20000718 = r[0]; *(uint32_t*)0x2000071c = 0; *(uint32_t*)0x20000720 = 0; *(uint32_t*)0x20000724 = 0; syscall(__NR_io_uring_setup, 0x509f, 0x20000700ul); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_unix_may_send\000", 22); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xaa; *(uint8_t*)0x20000041 = 0xaa; *(uint8_t*)0x20000042 = 0xaa; *(uint8_t*)0x20000043 = 0xaa; *(uint8_t*)0x20000044 = 0xaa; *(uint8_t*)0x20000045 = 0x29; *(uint8_t*)0x20000046 = 0xaa; *(uint8_t*)0x20000047 = 0xaa; *(uint8_t*)0x20000048 = 0xaa; *(uint8_t*)0x20000049 = 0xaa; *(uint8_t*)0x2000004a = 0xaa; *(uint8_t*)0x2000004b = 0xaa; *(uint16_t*)0x2000004c = htobe16(0x8137); *(uint16_t*)0x2000004e = htobe16(-1); *(uint16_t*)0x20000050 = htobe16(0x20); *(uint8_t*)0x20000052 = 2; *(uint8_t*)0x20000053 = 0; *(uint32_t*)0x20000054 = htobe32(3); memcpy((void*)0x20000058, "\x67\x51\x69\x65\xf0\x15", 6); *(uint16_t*)0x2000005e = htobe16(3); *(uint32_t*)0x20000060 = htobe32(0xa0); *(uint8_t*)0x20000064 = 0; *(uint8_t*)0x20000065 = 0; *(uint8_t*)0x20000066 = 0; *(uint8_t*)0x20000067 = 0; *(uint8_t*)0x20000068 = 0; *(uint8_t*)0x20000069 = 0; *(uint16_t*)0x2000006a = htobe16(0x8ca); memcpy((void*)0x2000006c, "\xd1\x8e", 2); *(uint32_t*)0x20000080 = 1; *(uint32_t*)0x20000084 = 3; *(uint32_t*)0x20000088 = 0x6f3; *(uint32_t*)0x2000008c = 0xd92; *(uint32_t*)0x20000090 = 0xd18; *(uint32_t*)0x20000094 = 0x98a; break; case 12: *(uint8_t*)0x200000c0 = 4; *(uint8_t*)0x200000c1 = 0x1d; *(uint8_t*)0x200000c2 = 5; *(uint8_t*)0x200000c3 = 1; *(uint16_t*)0x200000c4 = 0xc9; *(uint16_t*)0x200000c6 = 0x800; break; case 13: memcpy((void*)0x20000100, "\xc4\x01\x7c\x5a\x50\xf2\xc4\xa1\x63\x7c\x7a\x86\x2e\xf0\x42\x30\xb5\x0d\x00\x00\x00\x41\xd9\xf9\x3e\x42\x0f\xb7\xbc\xae\xb0\x00\x00\x00\xc4\xc2\xa5\x29\x14\x98\xc4\x82\xc9\xbd\xac\x33\xde\x79\x41\xf1\xc4\x01\xfc\x2e\x06\x66\x40\x0f\x38\x24\x1f\x67\x0f\xec\xfb", 65); 
syz_execute_func(0x20000100); break; case 14: break; case 15: memcpy((void*)0x200001c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x200001c0ul, 0ul, 0ul); if (res != -1) r[3] = res; break; case 16: res = syscall(__NR_read, -1, 0x20002500ul, 0x2020ul); if (res != -1) { r[4] = *(uint32_t*)0x20002514; r[5] = *(uint32_t*)0x20002518; } break; case 17: memcpy((void*)0x200046c0, "\000", 1); res = syscall(__NR_lstat, 0x200046c0ul, 0x20004700ul); if (res != -1) r[6] = *(uint32_t*)0x20004718; break; case 18: memcpy((void*)0x20004780, "./file0\000", 8); res = syscall(__NR_stat, 0x20004780ul, 0x200047c0ul); if (res != -1) r[7] = *(uint32_t*)0x200047d8; break; case 19: res = syscall(__NR_getresgid, 0x20004840ul, 0x20004880ul, 0x200048c0ul); if (res != -1) r[8] = *(uint32_t*)0x20004840; break; case 20: memcpy((void*)0x20000200, "\x26\x92\xd6\x23\x14\x8a\x34\xae\xe9\x68\xf5\x55\x2f\xef\x58\xad\xeb\x13\x83\x51\x31\xaf\xc9\x60\x2c\x0e\xba\x53\xa1\x39\x39\x2d\x14\x0b\x6e\xeb\x57\x19\x84\x01\x7f\xbc\x1a\x93\x6a\xca\x42\x7a\xd0\xe7\x40\x52\x4f\x63\x07\xf1\x8e\x1c\x7d\x95\x4a\x0b\xa7\x44\x23\x67\xd4\x5b\xae\x51\x50\xe1\x25\x43\xdc\x5d\xd0\x3a\xa5\x69\x90\x39\xf2\xf6\x27\xb3\xd1\x04\xe0\x0f\xfa\xea\x42\x63\xfc\x86\x95\x3e\x5e\x3a\xb9\x76\xc9\xf6\x6a\x21\x3d\x67\x57\x3b\x60\x44\xbf\x6f\xaa\x8c\x17\xd5\x1b\x55\x50\x43\x8f\x9a\xc6\x58\x9d\x2c\xb2\xbc\x4e\x11\xcb\xf8\xa2\x54\x59\x4a\x82\xab\x89\x87\xf8\xad\xe2\x0d\x85\x42\xac\x71\xff\x84\x7b\x22\xe6\x7d\x2d\xdd\xa8\xf4\xba\x5f\x53\xfb\xf1\x77\x00\x91\x32\xba\xa5\x78\x6a\x7b\xe3\x1e\xc6\xc5\x92\xcb\xa5\x3c\x5c\x8a\x7b\xa1\x9d\xb0\x28\x6b\xff\x1d\x01\x78\xda\x1e\x4e\xa1\x08\x19\x43\x9a\xce\x53\x7a\xc5\xf4\x7a\x1c\x8b\x74\xfa\x67\xfc\x4e\x1b\xf9\x22\x92\xa9\xec\x65\x7b\x5e\x30\x03\x14\x6a\x1c\x56\x90\x85\x5b\x05\xcf\x75\xa0\xb1\x1a\xb9\xba\x73\x8a\x3d\xc1\x77\xd5\xf7\xe7\xfa\x6b\x46\x5d\x05\xe5\x13\xa2\x19\x48\x10\x89\x26\x5f\x56\x6e\x6b\xd0\xcc\x9e\xe1\xfb\x10\x0f\x85\x12\x86\xe6\x57\x21\xf6\x01\xc8\x3f\x7a\x
74\x09\x79\xb3\x84\x8f\x57\xfb\x00\x81\xef\xca\x45\x72\x0c\xcf\xd8\xa4\x90\x4f\x24\x81\x51\xb2\x42\x13\x2a\x4b\x45\x53\x0a\xe5\x44\x2f\xf7\xa5\x1b\xb5\xc5\x99\xcd\xa7\xe1\x0e\x1b\x4d\xe5\xc8\x0f\x52\xcc\x3d\xda\xc7\x51\x3f\xe1\x48\xbd\xbc\x5d\xa2\xe0\xc2\xb3\x91\x90\xd8\xf9\x0f\xcd\x45\x95\x03\xa4\xcb\x8f\xec\xe5\x51\x82\xcf\x72\x72\xa5\x22\xe5\x62\x61\x20\xc7\x33\x5c\x5a\x37\xc7\x2d\x40\x0f\xed\xc5\x88\x73\xc5\x96\x0f\x6c\xab\x80\x7a\xc2\x39\xd0\x24\x6a\xba\x2e\x84\x4b\x68\xb1\xac\x4a\xd6\xd2\xbb\xce\xdc\xb3\x5a\x67\x48\x64\x71\xe4\x45\xaf\x55\x99\x02\x70\xae\x09\x79\x68\xda\x00\x15\x7d\xd2\x21\xde\xa2\x43\x8d\x16\x62\x3c\x52\x82\x0f\x0d\x24\xe3\x9c\x04\x24\xee\x40\x48\x4f\xb0\xd9\x64\x19\xf5\xe2\x81\xd0\xe9\xe1\x78\x36\x68\x20\xdd\x5c\xa4\xa0\xc4\x5d\xee\xb3\x6c\xb9\xe2\x46\xbe\x67\x14\xce\xb0\x34\x7b\x0c\x30\x9c\xc5\x30\x22\x37\x4f\x73\x30\x35\x36\xe5\x93\xc5\x75\x88\xb8\x83\x90\x3e\xa5\x81\x33\x77\x36\x00\x20\x1a\x7b\x55\xdd\x5c\x01\xaf\x52\xe9\x0e\xc5\x24\xab\xd9\xf4\x7b\x3d\x71\x85\xc4\x82\x59\xbf\x5a\xa7\x6f\xea\x9d\xa9\x82\xb2\xc4\xa6\x10\x65\xdf\x2b\x06\x67\x32\x10\x35\x03\x96\x9e\xef\xaa\x23\x14\x1c\x8b\xec\xb3\x5c\xaf\x76\x02\xe9\x81\xc3\x06\x73\x99\x1b\x46\xd5\x4a\xb2\x76\x4b\xf5\xec\xc3\xf1\xa8\xe0\x00\xb1\x16\xb7\x69\xd8\x26\x25\xae\x94\x18\xb5\x23\xaf\x00\xf3\xcf\xb0\xeb\x65\xc9\x16\xf6\xa6\x24\x52\xf8\x10\xb2\x0c\x3e\x7c\xec\x7d\x61\xfe\xf5\x5f\x63\xd1\xda\x4a\x3f\x86\x8b\xbc\xfd\x86\x7e\x13\x0d\x3c\x7c\xe5\x22\x46\xef\x76\xed\xa2\x91\x6f\xbb\xdf\xd5\x06\xdb\xc2\x28\x9d\x00\xfb\xc8\xfd\x10\x0c\x45\x78\x69\x8d\x22\x03\xdf\xfa\xb9\x01\x8d\x6f\x19\xae\x19\x9f\x16\x59\xc3\xf7\x81\x57\x68\x0c\xf9\x80\x59\x7a\x12\x6b\x99\x4b\xdd\x64\x60\x96\x53\xdc\x0d\xdb\x55\x6c\x3a\xf8\x38\xa0\xa4\xa9\xbd\x70\x51\xe4\x52\x47\x91\x3c\xc3\x5b\x9d\x9f\xf3\x68\xff\xdf\x4e\x7f\xad\x83\xa5\x2f\x8a\x02\x61\xc3\x31\xb6\xef\x22\x6f\xe6\x76\xac\x1a\x9c\xf0\xcb\x00\x13\x85\xce\x35\xb0\x9d\xf3\xae\xca\xa3\xd8\x16\xf2\xaf\xc6\x2c\x27\xae\xe5\x25\xf7\x2f\x2d\x31\xee\x0b\x21\xc4\x47\x
f8\x09\x01\xa6\x5c\x77\x06\xd0\x7f\xf9\xb2\xd7\xbd\xe9\x2b\xc7\x9d\x85\xf8\x43\x1d\x46\x8a\xc8\x5e\x51\xac\x3a\x20\x9c\xea\x07\x28\x1e\x7d\x19\xc1\xf5\x2b\x5f\x01\xbd\xb0\x53\x97\x8c\x93\x33\x99\xb3\x5a\xc7\x7a\xa4\xa1\xe6\xf1\x82\xd2\x50\x27\x1c\xa3\x3c\x37\x91\xb1\x5a\x93\x1b\xcd\x32\xac\xe1\x92\x53\xf1\xa9\x04\x4a\xfa\x49\xc1\xa0\xdd\xc8\x2e\x95\x90\x7f\x60\xb7\x97\x1e\xc0\x10\x78\xe1\x37\xd1\xbc\xeb\x0c\xf8\x6f\x64\xcd\x6c\x19\x2c\xbf\xc3\x0b\x44\x78\x61\x7f\xe5\x2a\xa9\x43\xe6\x1a\x18\x2b\x1b\x0b\x21\x07\xd0\xc5\x4f\x4f\xa7\x31\x67\x9a\xf9\x5c\x32\xd1\x89\x14\xd6\x95\x9b\x9f\xa9\x6a\x0a\xac\x1c\x49\xad\xc6\x1f\x5f\x11\xb5\x44\x55\x73\x42\xc1\x42\x76\xbe\xea\x12\xfa\x71\xcd\x30\xa7\x31\xbd\x06\x4e\x9c\xfd\x0f\x9e\x4b\xe9\x66\xf7\xbd\x1c\x1b\x4f\xd7\x06\xb8\x39\x3e\x6e\xfb\x1c\x9f\x97\x52\x6f\x67\xd2\xe9\xcd\x5e\x17\x6d\xc6\x0c\x27\x4b\x30\x06\x1e\x1a\xb6\xa2\xd0\x04\xb8\x3a\xdb\x08\xf1\x98\x3b\xae\xab\x99\x04\x72\xbe\xff\x23\x41\xde\xf4\x7e\x0d\xd4\x11\xb0\x69\x1f\xd0\xa6\x5e\xa6\x6d\x16\xa4\xa4\xee\x94\xc4\xd1\xa5\xce\x6b\x3c\xfc\x87\x34\x81\xb0\x41\xfb\x30\x05\x61\x4c\x1c\xf8\x41\xee\xab\x27\xe0\x35\x98\xef\x94\x59\x8e\xd3\x0c\x3f\xd3\xee\x19\x20\x7a\xea\x2a\x8d\xbc\x3f\x60\xa6\xd9\x7e\x30\xc5\x8f\x32\x4b\xca\xf5\x71\x38\x8f\x9e\x83\xe0\x76\xcf\xdc\x06\x63\xcf\xe9\x3f\x5a\x3f\x19\x29\x9e\x74\x12\x10\xf6\xa8\x50\x1a\x72\x38\xb1\xcb\xd6\xe9\xf8\x29\x34\x5c\x33\x7c\x62\xb7\xcd\xb0\x24\xef\xc4\xff\x11\x62\x8c\xb1\xee\x4f\xda\x07\x27\x82\xbb\x69\x93\x2b\xa6\xde\xe1\x22\xcb\x37\xfe\xd6\x96\xde\xa1\x1c\xc2\x5e\xb2\xb5\x67\x8c\x7d\x0b\xd1\xdd\x05\xf3\x5d\x1d\x02\xad\xdf\x12\x95\xa1\xeb\x0b\x25\x99\x59\xa7\xb2\x90\xe6\x1f\x24\x79\x69\x15\x88\xac\x52\x09\x81\x90\x2f\x5a\xb0\x61\x62\xe9\xcf\x5f\x05\x85\xf5\x40\xd9\x0c\xd8\x38\x1d\xe3\x3d\x0a\x0a\x24\xda\x6f\x23\x1d\x3a\x68\x4c\x92\x5d\x73\x6f\x25\x34\xa5\x7e\x48\xd9\x19\xd5\x55\x19\xc5\x75\xbb\x54\x1d\x63\x8e\x0e\x40\x11\xf8\x41\xa5\xac\x33\x1d\x48\x89\x35\xc4\x4c\x2b\xce\x1c\x2a\xc3\xe8\x48\x6e\x46\x5c\xde\xe8\xeb\x51\x
3d\x3c\x1b\xb3\xb3\x8c\x5d\x15\x7c\x04\xd5\x76\xd6\x75\xe0\x0b\x30\xc2\x99\xe2\x11\xf8\xf2\x4a\x7a\x05\x3b\x42\x70\xd2\xac\xfa\x3a\xa6\x34\x34\x28\xd9\x2b\x6d\xb1\x4c\x15\x58\xa8\xdd\x58\xbb\x9c\x8c\x4b\x1b\x49\x35\x77\x3d\x14\x06\x11\x79\x3c\xca\xd5\x4f\xdc\x52\x30\xda\x4d\xfd\xa3\xb6\x0c\xc0\x76\x6e\xfc\xc6\xa3\xb7\x19\x00\xa5\x0e\x2c\x3e\x68\x27\xb9\x8c\xc1\x8c\xcd\x8f\xf7\x98\x24\x7f\x37\x48\x57\xd0\x62\x1e\x32\xbb\xf0\x48\x24\x74\xde\x0d\x42\xdd\xba\x78\x23\xe6\x33\xf1\x65\x8e\x7f\x6a\x36\x1c\x32\xe2\x45\x9c\x2b\xeb\x02\x9a\x8a\xfa\xa3\x12\x89\xe4\x87\x10\x45\x67\xd4\x0c\x81\xcc\xf5\xae\x2a\x2e\x6b\x34\x4f\x5c\x11\x0d\x7c\xe2\x30\x1f\xf2\xc2\x5f\xd8\x43\x84\x39\xa5\xea\x16\xa4\x46\xfc\x7e\x27\xf2\xcb\x06\x89\x44\xe4\xd8\xc9\x29\xc4\x64\x5f\x49\x4c\x2f\xd1\xb0\x25\xbf\xda\x11\x19\xf9\x08\x8f\x70\x7d\x66\x2c\x11\x95\xf8\xe4\x30\x8c\x47\x0b\x76\x24\x50\x99\x33\x2f\x61\xb2\xc9\xcc\x77\x87\x1c\xb2\x0c\x4e\xbe\xaa\x63\xe5\x3a\xdd\x25\xdf\x15\xc5\x62\x85\x85\xfe\x88\x6a\x73\xe3\x82\x56\x7c\x41\xce\xbd\xf2\xf3\x3f\x71\x68\x74\x7c\xe2\x4a\x22\xfa\xfe\xb2\x9c\xd0\x21\xa9\x2e\xc8\xfc\x27\x2d\xad\x24\x59\x8e\xbd\xae\xc2\xdc\xc4\x73\x73\xef\xa9\x7c\xac\xff\xda\xce\x15\x0e\x99\x51\x0b\xf3\x7b\xaf\x40\xa8\x17\xd9\x3d\x87\xa4\x8f\xab\x15\x3a\x10\x64\x82\x1e\xb5\x04\xa4\xeb\xa3\xab\x66\xd1\xec\x05\x7c\xf6\x4e\xe1\x1a\x6a\xd4\x05\x84\xfa\x76\x56\xa3\x98\x4c\x20\xe4\x94\x01\x3f\x83\x43\x0d\x76\x0c\xd6\xea\xa6\x04\xb5\x99\x55\x0d\xcb\xa7\x20\x85\x5e\x73\x5d\x62\xd4\x20\x07\x6c\xca\x07\x11\x5d\x4e\x37\x1c\x3d\x64\x1c\xb6\xcd\xb9\x69\xbd\xef\x10\x13\x7b\x8d\x7f\x39\x9a\xbe\x3e\x24\x36\x53\x5c\x30\xc7\xb9\xa8\x42\xfb\x31\xd3\x22\x43\x4e\x73\xb9\x5c\x0f\x5d\x45\x45\x11\x6b\x78\x8e\xa0\xfd\x47\x3a\xb3\x2c\xfb\x4c\xd7\x22\x49\x48\x91\x37\x72\xe8\x39\x2d\x89\xbf\x5c\x4e\x55\x11\xd2\x67\x20\x1c\xff\x62\xbd\xc0\x46\x8f\x96\xd9\xe8\x53\x23\x49\x5e\x92\x5e\x61\x14\x0f\xb4\x19\x41\x7b\xc3\xf8\x03\xa8\x0d\x0a\xf3\xb8\xc3\x1c\x2f\x63\xde\xe9\x17\x41\x13\xf8\xe6\xe5\xc9\x3f\x47\xd8\x48\x64\x22\x
a5\x69\x6b\xc0\x58\x43\xf7\xd0\x7f\x10\xeb\x3b\x5f\xbc\x2c\x37\x8f\x6e\x8a\x97\x5d\xeb\x6c\x04\xed\x20\xc6\x73\x84\x6e\xcc\x19\xd6\xdf\xcb\x19\x82\xff\x83\xa7\xdc\xa9\x2e\x81\x67\xe5\xdf\x64\x37\xb8\x48\x34\xfd\xe1\xcb\xfc\x44\x11\x05\xd0\x62\x18\xa2\xe0\xa5\x59\x17\xee\x27\x6f\xa7\x25\xb9\xf1\x6a\x94\xc6\x7b\x68\x4b\xc7\xb6\x88\xed\xba\xe7\x43\x82\xcb\xa7\xea\xc9\xf0\x17\x72\xc8\x91\x94\xd4\x4e\xea\x3c\xab\xc0\x02\x56\x26\x43\xc0\x15\x29\x09\x2f\xf6\x62\x9d\xe9\x6a\x77\x16\xf9\x23\x18\xa6\xcf\x70\xcd\xb8\xfd\xa8\xe3\xd0\x13\x06\xea\x91\x58\x0b\x6d\x97\x08\x08\x55\x2f\x45\xf5\x75\xc3\xaa\x63\x8f\xc5\x1a\xbd\xd8\x53\x5a\x05\x84\x07\x25\x88\x51\x8f\x93\x91\xb2\xd7\x89\x14\x73\x12\xa5\x8d\x0a\x15\xb6\x4b\xf9\x08\xf2\x49\x91\x3f\x14\x16\x71\x75\x10\x03\x54\x71\x50\xd4\x9f\x47\x2d\xbe\xd4\x08\x43\x24\x93\x70\x57\x59\x92\x9f\x61\x9a\x90\x1b\xf4\x1e\xd2\xe4\xd1\x2d\x63\x54\xaf\x21\x98\x40\xe6\x96\xae\x26\xd4\x0f\x01\x0f\x05\x86\x06\x8e\xfb\xbd\x4a\x63\xaf\x99\xae\xbd\x53\x05\xa8\x80\x13\xed\x74\xde\x00\x39\x90\x11\xdd\x8d\x0d\x54\x4b\x90\x70\x09\xf3\x61\xac\x6f\x66\xca\x0a\xc4\xfa\xe8\xee\xa5\x65\x42\x59\x9b\x16\x7b\x8f\x13\x2d\x2b\xc2\xb5\x7c\x73\x46\x53\xc0\x21\x4f\xcb\x4e\x3a\x50\x98\x23\xaa\x2e\xa6\x2a\xef\xd8\xd3\xa8\xf2\x7c\xea\xd3\xee\x3f\x27\x66\x98\x71\x27\x70\xad\xdc\x99\xcd\x31\x11\x2d\xaf\x0e\xde\x7c\x57\x7f\xcb\xae\x2e\x64\x04\x7b\xd3\x62\x4d\xcc\x04\xcf\xb6\xcd\x19\x4b\x79\xf1\xb5\x3b\x99\x0a\x44\x36\x28\x12\x3f\xbe\x9b\x2a\x3b\x59\x8b\xee\xab\xdb\xb7\xcf\x4d\x9c\xd8\x7b\xe2\xac\x84\xee\x3f\xe7\x43\xd7\x2e\x89\x84\x20\x4b\xab\x46\x3c\x89\x6d\x13\xc1\x22\x7b\x70\xa8\x87\x12\xb7\x7d\x22\x1e\xfa\x65\x40\x98\xb3\x85\x71\x46\x8f\xf9\xbf\xf1\x0b\xb0\xd3\x0f\xe6\xae\x7a\x1f\x62\xc4\xf6\x06\x6b\x55\xf3\x2b\x05\x47\xde\x75\xab\x1c\xac\x8e\x98\x6d\x89\xfc\x30\xa3\x62\xd7\x30\x8d\x09\x32\xcd\xd4\x4d\x8a\x23\x48\x60\xb6\x08\x09\x0a\xa5\xe1\x6b\xef\x4e\x44\x32\x7b\xa1\x86\x67\x91\x5e\xc6\x5c\xa7\x72\xf8\xdf\x52\x10\x5b\x37\x00\x87\xfb\x1c\xbd\x6d\x11\xa9\x53\x62\x23\x2e\x
5f\x6f\xce\x3f\x34\x3c\xd9\x62\xbe\xc2\x77\xf3\xa6\xaa\xcb\x82\xdf\x97\x53\x1b\x3a\x6f\xfd\xd2\x24\x45\x4b\xfc\x8a\x6c\x2e\x0b\x9c\x86\x44\x9c\x04\x3f\x39\xce\xb9\xaf\x5c\x42\x36\xe3\x22\x1c\x2e\x25\x9f\xa8\xf1\x28\x4d\xf6\x33\x4a\x2a\x24\x73\x3d\xba\xd6\xea\x99\x0a\xa3\xef\x97\x98\xe2\xf7\x85\xbe\x3d\x5a\x44\x30\x54\x97\xa1\xf5\x25\xf7\xde\xe1\xf7\xea\x82\xc7\xd5\x05\x59\xc5\x1d\xac\xc6\x17\xf6\xf7\xee\x56\xb6\xc5\xbc\xa2\x70\x18\x99\x24\x5c\xbe\xcb\x33\xcc\xdd\xf0\x0a\x16\x89\x46\x82\x08\x5f\x40\xd2\xf6\xf6\xb0\x3a\x16\x32\x06\x31\x1f\x98\x07\x72\x61\xcd\x76\xf4\x39\xce\xd0\x44\xb5\x25\x11\x2d\xeb\xd3\x1e\x4c\x7a\x90\x77\xbd\x82\x02\x17\xa8\x8b\x4d\x8e\x3e\x76\xda\xc4\x5b\x15\x01\x9e\x01\xde\xed\xc9\x43\xb3\x57\xab\x2d\x79\x00\xd9\x91\x57\xaf\x47\xdf\xc5\x97\x17\x91\xb2\x56\x65\xe9\x53\xdb\x69\xce\xfc\xea\xc8\x7a\xef\x83\x89\x36\xae\x73\xd2\xd2\x59\x83\xb2\x06\x60\x99\xc4\x74\x1a\xf8\x80\x48\xc7\xf8\x65\x31\xf2\xb8\x2d\x6e\x05\xb2\xee\x75\xf4\x72\xd9\xdf\x9c\x3e\xe9\x39\x8f\x6f\xe6\x8e\x0b\x52\x1c\x36\xa2\x42\xe2\xd6\x75\xf4\xd9\xda\x55\x21\x42\x74\x36\x31\xa4\xf2\xb6\xc0\x11\x47\x57\x53\xa7\x4f\x7f\xef\xc9\xd7\x2d\x3f\x9f\xb2\xbd\xcc\x71\xd6\x67\x32\xab\xe5\x0d\xd5\x78\xb6\x9b\xd0\x29\xb4\x5b\xca\x70\x8e\x87\xc0\x98\xaf\x90\x28\x4b\x4f\xbd\xdc\xc6\xfe\x16\x3a\x00\x09\x70\xd6\x54\x7c\xfd\x18\xcc\x8a\x11\xba\x22\x63\x8e\xe6\xeb\xa9\x10\x29\xf5\x25\x94\xa0\x42\xe9\x6e\xd7\x08\x01\x84\x59\x3f\x21\x09\x12\x6c\xbd\xe1\x31\x7a\x94\xa5\x62\x13\xad\x11\xae\x1c\xcf\x0a\x58\xa4\x5d\xbc\x81\xd0\x80\x9c\x59\x07\x3f\x8a\x9e\x17\x67\x4a\x47\x6d\x03\x37\x41\x4b\xfc\xff\x7c\xa6\x94\x92\x18\x46\x7c\x88\x50\x83\x9e\x55\xc9\xc7\xad\x9d\x51\xa6\x4a\x9d\x2b\x4b\xbb\x17\xa3\x65\x38\x94\x83\x45\x45\xbc\x28\x6c\x10\x8b\xb3\x13\x45\x57\x9a\x2b\x0b\x96\xf6\xa5\x73\x89\x79\x05\x19\xd4\x41\x3a\x96\x48\x82\x0e\x78\x46\xc5\x7a\xca\x47\x92\x49\x52\x23\xfc\xc0\x29\xd0\x70\xf1\x8f\x24\xac\x66\x58\x79\xd7\xa1\x97\xc7\x8c\x5c\x05\x18\x5a\xf7\xc1\x11\x40\xc7\x8a\x35\xe9\x1d\xe5\xc0\xc5\x3f\xbc\xd1\x
35\x0c\x27\x53\x6d\x28\xd5\xf5\x18\x69\x6b\x97\x13\x6d\x3f\x20\x35\xf2\x6f\xaa\xd5\xff\xe0\x4d\xfd\x5d\xcc\x09\xb1\x29\x90\x51\x95\x57\x9d\xd1\x5c\x8c\x98\x67\x62\x36\xeb\xd0\x2b\x6c\x2e\xf3\xe6\xeb\x15\xd8\x7c\x20\x6c\x39\x04\x6f\x2d\xbc\xef\x9a\x45\x23\xf2\x55\xf4\x45\xc3\xdd\x82\xc1\x40\xb2\x95\xa4\xa9\x0f\xa3\x0a\x28\x47\xff\x41\xef\xee\xa8\xf6\x30\xd4\xa5\x51\x27\x95\x38\x0a\xf7\xd1\x71\x3a\x6b\x29\x76\xdd\x74\xde\x50\xc3\xfe\xb4\x2b\xdd\x4c\x02\x58\xe4\x56\x17\x35\x8f\x18\xa2\x8b\xe1\x1b\xad\x5b\x5b\x79\x10\x3e\xe1\x27\x7c\x76\x1e\x12\x90\x1e\x49\x97\xf3\xb9\xd4\x49\x91\x72\x17\x6c\xdd\x12\xb6\x80\x7b\x23\x6d\xaf\x3d\xc0\x58\x72\x95\x64\x37\x81\x6c\x70\x6f\x3c\x36\x7d\x7e\x2c\x23\xe9\x6b\x1f\xe9\x65\x96\xdb\x88\x05\x07\xe2\x82\xfb\xe2\x3f\x21\x71\xb2\xf6\x85\x5d\x22\x17\x4a\x1a\x4b\x15\xed\x8a\xbd\x51\xca\x09\x3d\x46\xf0\xe2\xd0\x52\x98\x16\x8c\x23\x9e\x62\xd8\x9f\x74\x06\x74\x38\x8c\x24\x01\x8c\x47\x83\x2a\x87\x64\x40\x48\xd4\x36\xd6\x5c\xd7\xa2\x10\x28\x2b\x1f\xc8\x26\xf0\xcc\xdb\x66\x97\xd0\x11\x2b\x2a\x88\xe3\x95\x30\x8d\x42\x1a\xad\xa7\xa0\xe7\xd7\x6e\xca\x0a\x60\x73\x83\x02\x18\xc8\x3e\xd7\x94\x19\x48\x59\x60\x57\x20\x97\xcb\x62\x6c\x6f\x84\x67\x57\x90\x95\xdc\x22\x63\x20\x43\xdc\xe6\xb6\x7e\xaa\x79\x3a\x2a\x89\x82\x2f\xdc\x26\x6f\x5a\x61\x1a\xa1\xc6\xb8\x45\x99\x8a\x82\x80\x05\xfe\x79\x89\x25\x3c\x37\x61\x3e\x89\x23\x48\xad\x73\x32\xe3\x34\xaf\xb5\xa7\x08\x7e\x89\xac\xe2\xf3\x61\xd6\x6f\x27\x7d\xfa\xfa\x12\x66\x77\xe8\x33\xfd\x0b\x2c\xe4\xd2\x27\x93\x7c\xdf\x60\xa8\x82\x66\x94\x11\xd4\x45\x0b\x7e\x85\x9b\x82\x47\xad\x2e\x45\x74\x2e\xcb\x60\x57\x52\xf2\x14\x8d\x07\x5e\x1d\x14\x5a\xdd\x18\x47\x48\xc6\xec\xe9\xba\x26\x7b\x7a\x6d\xf9\x22\x9a\x62\xbb\x9b\xee\x7d\x7e\x92\x5d\x6e\xb9\xae\x96\xad\xef\x93\x7c\x03\x0c\x7d\x2b\x91\x9f\xc4\x63\x6a\xd6\x33\x13\x60\x45\x7d\x06\xd8\xc4\xf6\xdc\x10\xe3\x06\x55\x22\x60\x2b\x84\x1f\xb3\x67\x8e\x9d\xab\xf0\x7d\x5f\xc3\xfe\x39\xda\x21\xd4\x61\xe1\xa4\xac\x64\xa0\xd3\x35\x6f\x93\x62\x28\x00\xf0\x07\xbe\x4e\xe1\x3c\xc4\x65\x
4c\x89\x47\xff\xd1\x1b\xf7\x59\x8f\x50\xbf\x27\xdf\x75\xf8\xda\xef\xd9\xbd\x19\xcc\x3b\x6a\x06\xb2\x53\xe8\xb5\x90\x62\x1c\x66\xda\x76\x49\x6a\x87\xbe\x33\x53\xfb\x1c\xc5\x64\x36\x6b\x09\x79\xa8\x8c\x52\xb8\xdd\xae\xee\x89\x93\xf6\xa0\xa3\xa5\x43\xa9\x31\xea\x4e\xae\xe9\xd9\xe7\x00\x1e\x23\x49\x14\x4c\xd7\x46\xa2\x56\xdf\x92\xa4\x60\x24\xc7\xa3\xb3\xcb\x60\x7a\x74\x99\x87\xc9\x85\x60\x15\xb8\x6a\x23\xe4\x39\x4f\x64\xf9\x09\x97\x4a\xb0\x76\xb5\xd6\x49\x28\xfc\x9d\x1b\x4c\xba\x75\xbd\xa9\xe1\xd4\x62\x0c\xac\x6f\x08\xcb\xf7\x57\xde\x6f\x29\x11\xc3\x4e\xa0\x84\x81\xa3\x83\x20\x14\x47\xc2\xde\x6e\x37\xc0\x7d\x03\x38\xf1\x6a\x9a\x73\xfe\x67\x1a\x68\x4a\xe4\x5c\x87\x4f\xf1\x98\x15\x06\xe3\xfc\xa4\xe1\xf1\xdc\x9e\x58\xf9\xde\x6b\x96\xf8\x5e\x31\xa3\xc1\x6d\x3a\x11\x88\x0b\xb1\xcb\xc2\x23\xd0\xb9\xf3\xa6\xc4\xa6\x67\x1e\x29\xfe\xa6\x7a\xe9\xf1\x09\xe2\x63\xc3\x17\x95\xb3\x80\x16\xb8\x29\xd4\x1d\x0d\x54\x0f\x7f\x9b\xc5\x22\x02\x7d\xbc\xa4\x94\x5d\x95\x8e\x0b\x14\xc9\x02\x0e\x7e\x0d\x96\x2d\x93\xf6\x1d\xf3\x53\xbb\x18\x42\xb2\x89\xb5\xeb\xb7\xd0\xd8\x3e\xb0\x5f\x31\xe3\x45\x73\x46\xd1\xbc\xf8\x83\x35\x4e\x9a\x24\x7c\x78\xbc\xdf\x11\x45\x0b\xd3\x62\xf4\xe0\x9f\x9b\xc8\x1e\xa9\x28\x23\x05\xdf\x3a\xed\x85\x34\xb1\xf5\xc1\x5f\x58\x12\x7b\x85\x1e\x04\x5a\x0c\x54\x19\x3b\x5b\x11\xbe\x18\x75\x56\x3f\x86\x8e\xfe\x9a\x6a\xd8\x30\xca\x44\x36\x78\x6d\x79\x36\x4e\x19\x30\xd4\x55\xfa\xa6\xeb\xef\xe8\x6e\xce\x76\xa8\xb8\x95\x2d\xff\x2d\x3b\x83\xdd\x8b\xa4\xfd\x7c\x1c\xf9\x12\xa2\x2f\x65\x11\xc3\xcc\x11\xbd\x2f\x04\x69\x0a\xcd\xb3\x8f\x7e\x14\x20\xbc\x15\xe5\x74\xad\x12\x96\x55\x75\x44\x40\xd2\x90\x13\xc6\x98\x61\xd4\x7a\x42\x90\x6c\xee\xaa\x05\x1e\x2e\xfa\xde\xae\xa9\x97\x77\x9e\x05\xdd\x91\x22\x97\xa4\xff\xa9\xaf\x33\xfe\x81\xe7\x20\x67\xc3\x6e\x81\xc4\x86\x53\xd6\x9f\x2a\x2b\xa9\x17\x14\xd5\x10\x4e\x0e\xa1\xe6\xe9\x20\xa4\x40\x24\x05\x98\xdc\x62\x8e\x82\x05\xc3\x31\x3a\x0b\x03\xb7\xfe\xd3\xa8\x78\x8f\xb2\xa6\xde\x07\x22\x6c\x58\x9e\xf3\x37\x08\x22\x14\x38\x1c\x98\x00\xd7\x03\x63\x81\x83\x
da\xdf\xf3\x17\x14\x17\x0b\xc4\x02\xb2\x71\xef\x6c\x23\x5c\x12\xc9\xfa\x67\xc7\xbd\xa8\x0d\x63\x17\x15\xee\x1e\xd4\xdd\xa1\x07\x34\x7d\x14\x3f\x91\xec\x47\x0c\x20\x77\xc2\x77\x52\x4f\xe7\x8a\x23\xfa\xb2\x05\xfa\xb0\x8b\x1c\x25\x8f\x4b\xe4\x97\x59\xd1\xf1\x83\xa2\x1e\x40\x0a\x53\xa7\x24\x93\xa1\x7c\x23\xdf\xa1\x73\x21\x22\x57\x4b\x55\xa7\xf2\x66\x3b\xb0\x01\x7d\xdb\x2f\x47\x2e\xab\xd8\x7e\x40\x76\x95\xbc\xe8\x4c\x15\xf4\x30\x91\xbf\xc0\x6d\x4a\x52\x46\x72\xbf\x25\x15\x21\x85\x61\xe7\xc2\x5e\xa7\x33\xc1\x85\xd0\x98\x06\xdf\x8e\x6c\x92\x1c\x07\x1a\xe2\xf7\x6f\x5c\x0d\xb6\x23\x45\x17\xc7\x2e\x83\x93\x3a\xd4\x13\x46\x5b\x1b\xd0\xcd\xfe\x6a\x04\x6f\x07\xa4\xb2\x39\xfb\xb8\xed\x71\xbd\xdf\xc2\xb0\x71\x48\xd4\x99\x65\xda\x80\x3a\x82\x4b\xc1\x85\xda\x70\x53\x0a\xbb\x3e\x42\xb8\xa9\xf1\x9c\x0c\x3d\x86\x72\x35\x94\x13\x39\x51\x43\x4b\xfd\xbd\xe6\xbe\x90\xea\x21\x4f\xa0\xe1\x7f\x60\x3c\xd1\xad\x69\x5b\x5b\x5b\xa7\xc9\x86\x14\x87\x11\x45\x4c\x6a\x5a\x7a\x5d\xa2\xa1\x63\x1d\xc7\x06\x9e\x58\x2a\x1c\x12\xd2\xba\x25\xca\x01\xda\x8f\x5e\x70\x3b\x41\x14\x7f\xd3\x8f\x96\x68\xf1\x6c\xad\x66\xdf\x62\x2f\xe4\xb0\x2a\x1e\xef\xc0\xa6\x93\x63\xcc\x0b\x7c\x56\xf0\x34\x91\x60\x25\xee\x4b\xcf\xd0\x51\x26\x77\x29\x85\xa9\x63\x2a\x04\x36\x08\xe6\x56\x92\xaf\x2b\x4a\x75\x68\xf1\x3c\x41\xf1\x6c\x86\xbe\xc9\x9a\xae\x30\xa2\xd5\x4f\x64\x69\xf1\xeb\x68\x51\x8d\x48\xc4\x21\xbe\xc6\xf8\x3b\x82\x28\x30\x88\x38\xa9\xa4\x81\x9f\x2f\xed\x79\xe9\x9d\x10\x5a\x8f\x6b\x1a\xc0\x8e\xb9\xfc\x19\x62\xa8\x57\x7f\x27\xf5\xee\xcc\x91\x88\x3a\x02\x4e\xb7\x43\xa3\x99\xed\x6a\xef\x38\xe1\xf5\x33\xca\x6d\xba\x25\x53\x88\xd2\x5d\x4e\xef\x41\x2f\x03\x94\x4b\xcc\x0a\x8c\x4e\x94\xec\x31\xbb\x65\xc8\x9e\xca\x35\xcc\x88\x8f\xe8\x53\x0f\x6f\x58\x1a\x33\x46\x23\x3e\xf0\x93\x6d\xa1\x0e\x8b\x69\xc5\xfd\x23\xea\x2a\x58\xf9\xfe\x8b\x79\xa9\xef\x60\x80\x6c\x29\x6a\xba\x90\xfb\x83\x29\xe8\x38\xbb\x6c\x7d\x3c\x86\x7d\x41\x09\xba\xa2\x6c\x48\x37\x43\x9e\x63\x07\x17\x0e\x7b\x15\xc2\xf9\xf5\xee\x03\x30\x5f\x94\x81\xf8\xe7\x93\xdd\x08\x6e\x
f2\xfc\x3e\xca\x55\x5a\xa2\x58\x12\x02\xbb\x4e\xd8\xe4\x31\xcf\x0b\x71\x0b\xbd\x86\x25\xfa\xc1\x7b\x51\x9c\x68\x06\xb7\x21\x80\x08\xe0\x40\xbd\x2f\x07\x8e\x18\x50\x11\xd4\x71\xd4\x60\x26\xb5\x38\x87\xc9\x48\x1b\x6a\xbe\xa8\x38\xdc\x59\x8a\xf7\xd6\x1e\xb1\x05\x66\x12\x51\x68\xad\xb4\xb5\xfa\x2f\x49\xdb\x9e\x36\x08\xee\x06\xba\xff\x0b\x3e\xdd\xf0\x53\x70\x13\xa8\x9a\x8f\x60\xbe\xc6\xec\xaf\xe7\x4c\x3a\xd6\x26\x67\xcc\x73\x6e\x42\x31\x80\x60\xd9\x39\xca\x8a\xfa\xee\xf4\x18\x9c\xab\x94\xbb\x6d\x7c\x07\xf7\xaa\x21\xf6\x00\x27\x70\x7d\x8a\xee\x9d\x2f\xc0\x31\x96\x77\xe8\xe8\x6c\x6e\x02\x0f\x43\x53\xff\x8d\x52\x35\x42\x66\x9e\x4b\xf2\x64\x9f\xc4\xfe\x1a\xc2\x16\x51\x52\x7e\x25\x7a\x55\x00\x6c\x30\x4b\x83\xaa\xb8\xde\x6e\x87\xb0\x2d\x36\x60\x52\xde\xbd\x14\xf4\x71\x28\x33\xc3\x40\xea\xd1\xeb\x9f\x9f\x48\xdf\x1e\xa2\x7f\x67\x28\x2a\x8a\x5b\xa0\x5d\xf6\x8e\xe2\xaa\x98\xa3\x4b\x44\xfe\x38\xcf\x05\x82\x06\xcd\x11\x2d\x19\x37\x2e\x45\xaf\xb9\xd0\xc2\x4c\x0c\xa9\x18\x99\x48\x23\x9c\x99\xdb\xa4\x44\xf9\xc1\xa9\x1f\xdf\x3d\xff\xa9\xfd\xcd\x09\x35\x5e\x4b\x30\x61\x80\x63\xeb\x02\xe4\xac\x21\x2b\xf8\xf7\xb8\xc6\x17\x81\x1b\xc2\x74\x04\x23\x72\x4a\x0c\x50\x46\xf3\x57\x7e\x0b\x00\x6b\x14\x85\x0d\xdb\xab\xbf\x60\x12\x1d\x15\x1e\xc7\x30\x64\x9b\xa2\x51\xa2\x55\x1f\x6e\x92\x46\xe5\x46\x23\xa8\x19\xe9\xfc\xe9\x1f\xe4\x0a\x8a\xc2\xe5\x53\x32\xc5\x7b\x8b\x7b\x9a\x63\xad\xf9\x1f\x10\x74\x8d\xec\x7c\x01\x53\xcf\xf4\xa4\x12\x29\x27\x51\xb0\xab\x79\x3a\x14\x82\x29\xed\xd1\xf9\x08\x01\x2f\xba\xdc\xd1\x3e\x18\xd4\x79\xd9\x4e\xa5\x60\x65\x10\x03\x57\xba\x4b\xa1\x82\x58\xe4\xa8\x28\xea\xac\xa2\x0d\x67\x1d\x98\x6d\xc6\xd1\x79\x97\xf5\xb3\x74\x46\x93\xeb\x36\xcd\x7f\xce\x3f\xff\x1d\x2d\x59\xb9\xbc\xf1\xc9\x94\x27\xae\xec\x5c\x15\x8d\x12\xd0\x66\xd4\x69\x26\x7f\x42\x3d\xe6\x76\x07\x9d\xc4\x8d\xef\x12\x7b\xe6\x3b\x07\x9f\x0f\xe8\xd7\xda\xe2\xf2\x0e\xab\x8d\xdd\x0f\x38\x8d\x52\xac\x05\x91\x79\x58\x9c\x62\x42\xc7\xf9\xfe\x8e\x1d\x18\x57\xec\x29\x98\xf8\xdc\x9a\xed\x3b\x3d\x38\xae\xed\x70\xb0\xfa\xb5\xd1\x
3b\xcb\x53\x6c\xbf\x01\xa2\xfd\xa8\x11\xf1\x4f\xa0\xf5\xe4\xa4\xd5\x71\x31\x86\x0d\x60\xaa\xc2\x60\x73\x54\xab\xc5\x8f\x91\x51\xdd\x78\x8e\x78\x7f\x76\x85\xbe\x53\x7e\x6f\x86\xbb\xac\x94\xbe\xf4\xdb\xb0\x42\xda\x14\xc1\x00\x7d\xcd\x62\xaa\x8c\xbc\x70\x5d\x12\x0e\x07\x83\x94\xfc\xbd\xc9\x47\x29\xfc\xe6\x90\x5f\x1e\xd8\x69\x9c\xac\xd2\xe5\xf0\x05\x5d\x37\x7d\x0d\x5c\xa8\x3f\x18\x97\x1c\x19\x5c\x7e\xa1\xdc\xf1\x1e\x9f\xee\xc1\x24\xc2\xba\x56\xd0\xf5\x06\x06\x0c\x22\xcb\xc3\x66\xd0\xae\xd0\x5f\x40\x00\x62\x98\x4f\x22\x12\x2b\xfd\x16\xa3\x1b\x3a\x4a\x6e\xd9\xd9\x49\xbe\x5e\xc1\x6a\xe9\x8f\x2a\xa8\xea\xad\xae\xcc\x16\x9e\x97\xcd\xa0\xd5\xb5\x60\x2a\x91\xc1\x01\xb2\xe2\x83\xc0\xbe\x6c\x83\xab\xbe\x2e\x7e\x2e\x4c\xef\xe3\xbe\x22\x31\x21\x3e\xbb\x85\x88\x3e\x0a\x5b\x0b\x4a\x0d\x2c\x04\x72\x2e\xb6\x0f\xab\x23\x02\x3c\xf9\x1c\xa0\xab\x90\x8e\x4b\xb6\xac\x29\xa7\x88\xfe\x9e\xc6\xb9\x9d\x75\xd5\x2f\x20\x3c\xba\x7d\x92\x48\x5e\xf9\x05\x55\xae\xd4\x10\x60\xfd\xd0\x36\xf4\x2f\xa8\x18\xcd\xf8\xb9\xaf\xe2\x6a\xfc\x1f\x27\x9a\x40\x29\x25\x4b\x12\xdd\x54\xda\x88\x2a\x13\x8d\x34\xaf\x15\x77\xe7\x8c\x1d\xd1\x92\x3a\x56\xa3\x69\xd8\x5d\x74\xfa\x59\xd4\x53\x2b\x85\x9f\x67\xe6\x5f\x3e\x67\xd6\x54\xe5\x7d\xde\x88\xcf\x7c\x23\xc9\x18\x2e\xc1\x5e\x95\x28\x3d\xbb\xa7\x99\x11\x16\x4d\xf2\xb4\x83\xbe\x5a\xdb\x7e\x60\x06\xfe\xb6\x9c\x67\x2c\x93\x8a\x81\x8b\x2b\x46\x36\xc9\x43\xb6\x8e\x8c\x93\x35\xa5\xfe\x2a\xa7\x42\x74\x02\x78\x51\x17\xde\xb2\xae\x7c\x16\xba\x0d\x05\xa5\x0d\x21\xcd\x7b\x65\x8c\xe0\x21\x40\xdd\x20\x84\x9a\xe2\x50\xbb\xb1\x0e\x96\x0c\x87\x21\xcf\x96\xd0\xe7\xd8\x1b\xbb\x21\xa5\x33\x58\xe0\xa4\x4f\x8d\x26\xb1\x0b\xf2\x4e\xda\x9b\x5d\x8c\xee\xf7\x10\xee\xc2\x5c\x0c\x3b\x31\x80\xc8\x59\x40\xf5\xb1\x5c\xc1\x3f\xe6\x8a\xd1\x9f\x7f\x0e\x9b\x4c\xc3\x97\x35\xb6\x86\x39\xf8\xfe\x46\x22\xdc\x78\x4d\x5d\x64\x70\xab\x9e\x32\x74\x0d\xb0\x2a\x9b\x67\x32\xac\xbb\xf5\x87\x67\x19\xf5\x57\xa4\xe0\xa4\x2c\x03\x6b\xb3\xf9\x72\xea\xa8\x62\xc5\x8f\xfb\xce\x08\xee\x0e\xa2\x1e\x74\xe8\x17\x57\x87\x05\xe4\x
e2\x68\x3f\xeb\x6c\x61\x23\xee\x1b\x9a\xe1\xda\x94\xc5\xea\x68\x76\x3b\x03\x03\xc6\x39\x7e\x21\x69\x1a\x4d\x81\x54\xfd\x1a\xef\xdf\x39\x8c\x41\x36\x9e\xb8\x25\x5d\x9b\x84\x7f\x9d\x67\xcf\x5b\xb8\x08\x41\xf4\x68\xf7\xc8\x70\xf0\xe1\x94\xdc\xf2\x3a\x6e\x76\x42\xc9\x51\x4d\x12\x64\x32\xf4\xb6\x6b\xdb\x7b\x81\xb5\x43\x70\xca\x23\xa0\x5c\x22\x3c\x49\xc5\xb2\x68\x03\x76\x8b\xad\x60\x59\x48\x17\xbb\x98\xb5\xec\x27\x4d\x62\xe2\x64\xc5\x4c\xde\x98\x06\x37\x6b\x40\x5e\x9f\x7d\xe3\xd5\x9a\xe3\xce\x7d\xb4\xa6\x89\x85\xb1\xc1\xa1\x12\x22\xd1\xc2\x80\x9c\x96\xf7\xeb\x9a\x5b\xf4\xe5\x02\x66\xdf\x93\x5c\x90\x0a\x56\x8f\xe5\x79\xa6\xea\x47\x4f\x62\x35\x91\x96\x4d\xb4\x3a\xc6\x47\xde\x15\x91\x6a\xef\xac\xd3\x22\x23\x6f\xd5\x39\x77\xd6\x82\xee\xeb\x0d\xcf\x79\x8b\x6f\x2f\xf2\x2b\x36\xdd\x00\xd6\x4e\x51\x59\x9b\xda\xd7\x03\xa4\x2d\x1d\x20\xeb\x8d\x6a\x63\x85\xf6\xdb\x49\xf3\x4f\xce\x3b\x28\xe2\x85\x6f\x28\x28\xd7\x7c\x4d\x03\xd3\x4e\xb0\x8c\x33\xb7\x54\xbf\xe7\xf3\x9d\x0a\x34\x30\xa2\x13\xb9\x7e\x75\xc2\xc9\x75\x63\x5c\x79\xd3\x0a\xaf\x3d\xaa\x9a\x1e\x8c\xa5\x6f\xbe\x49\x9e\x77\x81\x18\xc7\xe5\x95\x4a\xc2\xac\x2b\xce\xa6\x9a\xda\xc9\x60\x09\xe1\xb5\xcd\x27\x98\x6c\x25\x42\x82\xbf\x07\x60\x74\x75\x59\xcb\x61\x2a\x1f\x61\x0d\xf0\x9b\xec\x5a\xa1\xf4\x1f\x7a\x3b\x2f\x0f\x2c\xb2\x85\x08\xe2\xb0\xca\xf2\x06\xbe\x81\x0d\x65\xb6\xc4\xfc\x2e\xf5\xec\x09\x8b\x27\x4b\x53\x68\x13\x06\x04\x16\x69\xab\xb1\x75\xe4\xec\x88\x98\x1c\x5a\x0c\x05\xa6\x46\xe5\xd9\x03\x43\xa0\xb1\xf8\x73\x37\x9c\xf1\x44\xc3\xc8\x79\x5c\xfd\x77\x59\x4b\x51\x6a\xb0\x2a\x40\x8e\x0f\xaa\x37\xfd\xf2\xde\x2e\x6f\x37\xfa\x03\x54\x0d\x70\xe5\xf0\x29\x77\x67\x08\x4e\xa0\x08\x6c\x13\x1a\xb5\xb2\x8a\xb5\x43\x97\x8f\x1d\x4f\x04\x29\x1b\x6d\xdd\xd7\x2d\x2a\xa9\xa2\x2a\xe1\x96\x97\x95\x03\x51\xa2\xf3\xda\x68\x97\x1d\x96\x36\xe2\x9c\x66\xd9\xfd\x61\xcd\xac\x7c\x81\x18\x93\x50\x44\x7c\x03\xc1\x46\xd0\xdd\xe5\x5a\x17\x91\x5b\x56\xff\xa9\xfb\xa4\x7e\x09\xba\xfe\x41\x2b\x6a\x8a\xe7\x20\xd9\x2b\x04\xa5\x5e\x65\x48\xb0\x03\x55\x06\xf8\x0f\xaf\x
97\x08\x24\x79\x82\x09\x6d\xd8\x06\xe1\xe6\x98\xfe\x8f\x59\x0f\xcb\x00\x9f\xa8\x75\x86\xb0\x8c\xd2\x70\x97\xaa\x53\xd3\x08\x7e\x9f\x4c\x7a\x4e\xe5\x56\x49\x1b\x3d\xf6\x8f\xb4\x13\xa9\x2d\x7f\x78\x33\x65\xc6\xa5\xe1\xfc\xa5\xd9\x56\x3e\x19\x3e\xd2\x37\x9f\x99\x4f\x32\xe9\xa2\xc7\xa7\x22\x15\xc1\xe8\x91\x38\x57\x65\x94\x7b\x90\x86\xa5\x60\xd3\x73\xae\x19\xb8\x8e\x78\x15\x03\xb1\xb8\xb8\x01\xa8\xdc\xf5\xf6\x7d\x0e\x4b\x02\x12\xd8\x54\x48\x76\x94\xac\x76\x57\x2f\xa1\xe6\xf1\xfe\x71\x9c\xde\x5b\x27\x8c\x9c\xe3\x93\x8b\x27\x10\x60\x33\x5a\x57\x41\xba\xa0\xd7\xad\xc3\xde\x28\xe3\x7b\xee\xd6\xf7\x81\xf6\xf7\xb3\x21\xc5\x69\x33\x82\x83\x77\xa2\xff\x6d\xe2\xbf\xc2\x4b\x2a\x34\x72\xca\x50\x39\x37\x3d\x3c\xdc\x9a\xfc\x04\x0c\xe4\xe8\x94\xcf\xf8\x22\x54\xd9\xe4\xf4\xb2\x59\x98\xc9\xdc\x84\x70\x54\x63\xda\x8a\x03\xea\x41\x9c\x2e\x4c\x81\x2a\x9f\x04\xd5\x3f\x2d\xe4\xfc\x2e\x3c\x1a\x08\xa7\x38\x9d\xdf\xb0\x82\x17\x64\xe7\x11\x05\xeb\x05\x88\x72\x08\x71\xf0\x08\x2c\xd9\x11\xf8\xed\xf6\x94\x95\x00\x72\xee\xbc\x64\x21\xbf\xc7\x1a\xf2\x76\x69\x10\x7e\x4b\x48\xac\x97\x13\x39\xe6\x9c\x46\xc4\xea\x5d\x50\x02\x8f\x14\x73\x5d\x84\xda\x04\x0a\x08\xd3\xc9\xd0\xe6\x4d\xee\x8b\xb6\x45\x00\x3b\xfc\x01\x62\xc3\xe1\x31\xd3\xdf\xcc\xf1\xa5\x16\x28\xbd\x59\xed\x49\x5b\x17\x7b\x41\x7d\x0c\xb3\x76\x53\x7d\x58\x16\x74\x1c\x25\x88\x5e\xc5\x67\x42\x15\x4e\x84\xa2\x6d\x9d\xe3\x76\xd6\x7f\xfb\xe2\xfd\xb4\x86\x9b\x6d\x87\x08\xa7\x35\x0e\xfc\x67\x2a\x48\xd6\x0a\x92\x8c\x99\x27\x53\xad\x4b\xd7\x45\xa7\x18\x9b\x3f\x94\xf4\x8f\x64\xc9\xf8\x6d\x9f\x0b\x22\xbf\x7a\x1d\xf2\x09\x6b\x46\xfa\xdf\x26\x69\x06\xf3\x94\xb1\xde\x65\x52\x92\x87\x85\xd6\x8d\x26\xb9\x6b\xda\x02\xe4\x9d\x5e\xca\x82\x84\x70\x0d\x50\x33\xb0\x06\x23\x66\xa6\xce\x4b\xe4\x4c\x76\x7d\x60\x81\x7b\x48\x76\x87\x48\x58\x2a\x5e\xd3\xdb\x60\x82\x91\xa5\xef\xa1\x01\x1b\x75\x8f\x99\x0a\xb3\xe4\xab\xed\xf5\x3f\x01\xb7\x00\xdf\xae\xb5\x87\xb4\xf4\x14\xd3\xfe\x3a\x87\x32\xe1\xf2\x15\xfa\x86\x9c\x7b\x2f\x8b\x7f\x4e\xac\x59\x7d\xa8\x17\x51\x70\x9b\xd1\x8e\xb0\x
86\x9c\xe1\x14\x59\xf8\x76\x6e\x63\x32\xe9\x57\x10\x7a\x79\x1a\x64\x01\x10\x49\x48\x8a\x27\x32\x54\xf3\x3e\x0e\xcb\x44\x0e\xe4\x46\xe8\xab\x76\xf2\x4e\xc1\xf4\xcf\x7d\x31\x4a\x15\x8c\x51\x2b\x6a\x27\x31\x09\x93\x67\x76\x6a\xe4\x05\x35\x96\x7d\x63\xce\x07\x1f\x06\x8a\x7d\x3f\xbd\x48\x33\xa0\xc7\x8c\xea\x71\x27\x48\xa4\xbf\x23\x61\xd8\xf6\x03\x59\x59\xa6\xab\x08\xf3\xd4\x4f\x7f\x81\xfe\x74\xd9\x64\xd5\x8b\xb3\xcb\x60\x51\xc5\xe6\x8d\xc6\xe7\x1f\xec\xe4\xae\x85\xdd\xc8\x95\xb3\x16\xf4\x7d\x52\x08\x47\xdd\x84\x83\x17\xb6\x1a\x47\xa1\x3c\xe0\x6c\x30\xd1\x4d\x98\x52\x93\x8c\x6e\xe4\x5a\xd2\xeb\x1f\x19\xdd\xa1\x9b\x1f\x83\x56\x24\x41\xc2\xd3\x06\x11\x1f\x51\x1e\x40\xa8\xd8\x2b\x33\x4b\x2d\x98\x3c\x35\x4f\x2c\xf8\xa2\xe7\xa2\xfc\x13\x5a\x4a\x31\xda\x5b\x09\x29\xd0\xe0\xc3\xe1\xc9\xbf\xb2\xde\xbc\xd2\xfc\x9d\x05\x77\x26\x3c\x77\x71\xc6\x84\xd3\x4a\x6b\x02\xb3\x1c\x52\xf4\x2e\x07\xfc\x1f\x42\xe7\x0d\x74\x00\x35\xe8\x0f\x0c\x38\x89\xd8\xd2\x8c\xdf\x11\x40\xe2\x10\xdf\xf5\xae\xb5\xaa\xab\xfd\x65\x5a\xc4\x6e\x03\xd1\x7e\x1e\x72\x27\x3e\xa0\x14\x15\x8c\xff\x2c\x8e\xf3\x70\x08\xb4\x4e\x73\xd2\xc6\x16\x86\x23\x49\xaf\xa5\xa1\x6e\xc6\xf1\x0d\x7f\x85\xfe\x4d\x95\xdf\x41\x6b\xdf\x00\x17\x48\xa6\x98\xa7\x94\x21\x92\x54\x9a\x4b\x86\x00\xf5\x38\x02\x91\xfe\xca\xb3\x74\xb5\x90\x26\x6a\x98\x0b\x2d\x38\xd0\x81\x7e\x11\x1c\xa3\x14\x47\xff\x7a\x33\xee\x30\x0b\x75\x83\xc8\x30\x50\xa5\x91\xcf\xb8\xc3\x83\x20\x36\x9b\x54\xb9\x62\x4a\xe5\xbf\xbe\x7a\x65\x73\x23\xe6\x4b\xb8\x90\xff\x4a\xbd\x85\xfb\xe8\xc5\x9a\x68\xa6\x16\xb0\x44\xdd\xc9\x77\x33\x60\x41\x33\x5f\xe1\xd2\x9e\x87\xdf\xc5\x63\xa0\xf7\xd3\x93\xca\x83\x53\xb3\x1c\xaa\x64\x1d\x11\x40\x10\x9d\x3f\x3d\x68\xbc\x4a\xc8\xd1\xa3\x2e\x03\x9a\x5a\x5a\xae\x4e\x95\xd7\xd3\x7d\x57\x37\xef\x2b\x99\x7e\x17\x86\x82\xbe\x27\xb0\xd5\xb9\xcb\x7b\xb3\x0b\xce\x28\xda\x9f\x9c\x29\x98\x80\xe1\x52\xd9\x0f\x6a\x05\x90\xfa\x28\x9a\xeb\x5c\x4b\x4c\x05\x0f\x7f\x48\x74\x4a\x1e\x3e\xd8\xb7\x06\xbb\x14\x37\x14\x63\x70\x52\x27\x75\xb4\xa8\x24\xef\x29\xae\x2d\x08\x54\x
27\x9f\xef\x03\xa0\xea\x67\x3e\x25\x1f\x66\x97\x16\x6f\x36\x99\x60\x89\xb8\x8f\x48\x5c\x30\xdd\x49\xdf\x10\x21\xb1\xce\x79\x4b\xa4\x47\xe3\x61\x70\x4c\xa2\x0c\x53\xf2\x84\xfd\xc4\xfa\x1a\x1f\x40\xe5\xf7\x24\x0f\x27\x32\x13\xb6\x92\x0e\x9b\xfb\x8e\xe6\x9f\x93\x26\x16\xcc\xf6\x56\x49\x5d\x99\x87\x43\xd6\x1a\x08\x8e\x60\x59\xfe\x2f\xc0\x35\x72\xf1\xdf\xad\xfb\x51\x0c\x55\xf5\x18\x5a\xda\x91\x4e\x2a\x96\x62\x8d\x3e\xe5\xd6\xb0\x01\xcf\xd0\x45\x64\x6e\xf9\x36\x94\x82\x8f\xe8\xe0\x33\x3d\x9e\x85\x37\xab\x9e\x02\xec\x72\x17\x13\xb2\xb9\x74\x3e\x68\xf4\x2f\xff\x78\xab\xc0\xaf\xd4\xbd\xdc\x95\x17\x9a\xf1\x2c\x3c\x95\x08\x34\x9e\x65\x6a\xd5\x9b\xd6\x4c\xb6\xa4\xbc\x76\x42\xc6\x6e\xfe\xf2\x9a\x55\x00\x93\x70\x64\xde\x05\xe4\x9e\x2a\x81\xc5\x87\xe2\x28\xe0\xab\xa0\xc8\xa6\x87\x5c\x41\x06\x63\xa2\x22\xe5\x57\x55\x7b\xcb\x10\x54\x01\x25\x32\xe3\xe6\xd4\x83\x0d\x3d\x9c\xa0\xeb\x68\x97\xba\x54\x05\xa3\x35\x50\x3f\x8c\xfe\x34\x5a\x20\xed\xee\x88\xa8\xb1\x43\xe2\x8c\x98\x2b\xb8\x36\xe0\xcd\xe0\xc6\xde\xab\xad\xbc\x11\xd8\xa6\x33\x50\xf1\x05\x0b\x71\xab\xcb\xd8\xea\xe7\xc2\x2f\xc0\x4d\x59\x72\x67\x48\xc8\x2e\xd4\x35\x95\xd6\x62\x55\xb6\xc3\x0f\x11\x1e\x3b\x5c\x9c\x12\xd9\x7a\x36\x8b\xe6\x72\xb0\xf0\xe5\x92\x98\x38\xfd\x82\x04\xb5\x5d\x0e\x51\x1a\x32\x90\x6a\xf5\xc3\x49\xcd\x64\x8a\x43\x98\x14\x77\x04\x56\x3a\x10\xd5\xd5\xf5\xa8\x6f\x8f\x1c\x88\xa2\x32\x4e\x56\xcf\x28\xd6\x3d\xaa\xc7\x25\xe7\xf9\xfe\x3d\x15\x04\xaa\x2d\x26\x90\x37\x60\xe2\x7e\x79\x6f\x7f\x7d\x33\xb9\x6e\xf0\x1e\x4e\x57\x24\x56\xfe\x47\x9a\x25\x23\xd3\x96\xe6\xcc\x88\xb8\xa8\xdc\x35\xf1\x55\xda\xed\xb3\xc2\x9d\xd2\xcd\x8a\xdf\x6d\xcc\x73\x2e\x5c\x58\x51\x1b\xd3\x89\x87\x83\x99\xc4\x32\xc1\xa4\x0d\xc0\x6e\x94\xe2\x4d\x66\xe1\xcd\xbb\x73\xcc\xa9\x92\xa3\xa6\x1c\x54\x5d\xd3\x47\xd0\xbe\x41\x41\xa1\xec\x23\xa6\xca\x84\x5b\xa1\xb5\x83\x96\xb4\x56\xee\x05\xe6\xbe\x7d\x7c\x9a\x0d\xea\xad\x66\x46\xd7\xa7\x79\x86\x88\x6d\x9e\xe7\x55\xc5\x88\x96\x50\xe9\xeb\xcc\x4b\x8d\xea\x33\x52\x1b\x65\x17\x1e\xc9\xd9\xee\xb4\xe7\x76\xd3\xd7\x
1f\x52\x61\xd4\x51\xf4\x81\xb9\x0c\xfc\x65\x5f\x8c\xf1\xb6\x3d\xf8\x46\x7e\x0c\x1e\x2f\x9a\xf5\x75\x8e\xb5\x06\xaa\xce\xab\x4b\xb3\x59\x07\x82\x9e\x55\x41\x1e\xb2\x5b\x59\xcb\x70\xf9\xea\x06\xef\xde\xaa\xef\x61\x51\x15\x61\x84\xec\xea\xb1\xba\x65\xf4\x1d\xf3\x2b\x53\x46\xf5\xec\x03\xab\x19\x80\x7d\xf4\x84\x49\x88\x13\x34\xa6\x82\x9c\x39\x71\x69\x21\xfb\x7e\x5d\x05\x78\xee\xb3\xeb\x3b\xec\xb8\xff\x5e\x00\xfe\x84\x22\xb0\xc3\xb7\xbc\x77\xa5\xd3\x38\xbd\x0d\x4e\xf6\xa3\x41\xdd\x94\x1d\x92\x5e\xc6\xcd\x93\xf2\x89\x56\x6d\x80\x3f\xf2\xa0\x2a\x3e\xf8\xc8\xd8\x00\x52\x51\x8f\x9a\xfa\x30\xaa\xf0\xcb\x97\xea\x1e\xed\xb5\x27\xb1\x80\xdc\xb8\x03\x68\x05\x0b\x6d\xfb\x4e\xbe\x2c\xb9\x6d\x1e\x06\x84\x98\x6a\x85\xa6\xb6\xeb\xa2\x16\x60\xa1\x8c\x28\x24\x8c\xc0\xd4\xcd\xf5\xe0\x85\xc1\xfb\x61\x33\xda\x11\x69\xe5\x03\x6d\x35\xf5\x47\xeb\xc0\x61\x86\xb6\x95\xf2\x42\x71\xbd\x68\x0a\x39\x7d\x92\x35\x38\x12\x7f\x94\x8a\x2b\xa3\x6b\xf5\x29\x1a\x9c\xfa\x5d\xc5\x7a\xf9\x90\x1b\xb7\xef\x7c\x9c\x9d\x60\x00\x86\x37\x6a\x0d\xc6\x80\xe4\xe6\x7e\x17\x70\xe7\x24\x99\xb5\x83\x33\xaf\x89\x8a\x33\x2c\x78\x94\x95\x94\x28\x42\x4f\xe6\x1c\x0e\x0d\x8f\xd6\xc4\x6a\xf7\x9b\xdb\x23\xc8\x44\x94\x01\x58\x7b\xa1\x16\x56\x5c\x8e\x06\x0f\xb1\xaf\x55\x7c\xec\xda\xf3\xd1\x0d\x2f\x06\x5d\x7f\xfd\x53\xdf\xbe\x8a\xfd\x1c\x46\x90\x4c\xba\xad\x1b\xd8\xf1\x8e\xe7\x0a\xa4\x81\x1b\x27\x85\x74\x33\xe4\x75\xab\x5c\x5c\x62\x0a\x8d\xaf\x02\xbe\xf4\x02\x86\x49\x7b\xe5\x1f\x25\x32\xd4\x25\x90\x56\x69\xf3\xbe\x5c\xe7\xb7\x90\xe9\x45\xc2\x2e\x44\x6f\x0a\x36\x1e\x04\x3f\xd4\xa7\x6e\x53\xe3\xb0\x4b\x59\x05\xed\xa6\x3b\xce\xbb\x62\xe0\x6c\x6c\xc0\xe2\x54\xf2\xf0\xe3\x86\xbd\xd7\x30\xc5\x5a\x04\x07\xaf\x9d\xec\x14\x63\x3b\x5a\xc1\x5a\x33\xec\x52\x3f\x6a\x4a\x94\x54\xbc\x5a\xa2\x16\xe1\x43\xf0\xf7\x2e\xbb\xd6\xf5\xc0\x38\xd2\xee\x39\xad\x7c\xf3\x95\x6a\x3c\x47\x9a\x8a\x65\x3a\x90\x6a\x01\xf4\x86\x18\xe6\xa4\x7a\xdb\xa3\x59\x8e\x9c\x9e\x72\x5d\x53\x43\x9e\x0f\x17\x5f\xcd\x51\xba\x15\x16\x07\xa3\x35\x93\xf1\x25\x6e\x6b\x29\x68\x5a\x81\x
3d\xee\x40\x3e\xc2\xb4\xfa\x09\xc6\xd0\xf4\xd6\x51\xe2\x37\x8b\x78\x04\x1f\x37\x24\x33\x47\xdc\x77\xce\x35\x14\xc6\x34\xe4\xf8\x3e\xa2\x97\x66\x5f\x16\xd6\x56\xa6\xdf\x91\x00\xbf\x65\x53\xd6\x69\xe4\x3c\x0a\xc2\xd8\x91\xeb\x77\x79\xee\x8d\x4f\x32\x11\xcd\x2a\x52\x7f\xd4\x15\xaf\x00\x04\xc2\xd5\xdd\xb6\x2a\x36\xde\xe9\x8a\xc1\x48\x96\x96\xc5\x56\x47\x6a\xca\x9f\x6d\xa9\xbd\x4f\x37\xac\xa8\x6b\x83\x86\x0a\x8d\xd9\x04\xbb\xe2\xc3\xd3\x7c\xfc\xd7\x68\xb5\x9d\x82\xa8\xc1\xbc\xef\xfc\x44\xed\xfb\x04\x73\x0e\xa5\x79\x16\xda\x94\xb4\xe8\xdb\xcf\x5f\x01\xb5\xa7\x18\x64\x6a\x56\xe6\x2a\x64\x74\x8a\x9e\x3b\x7b\x2f\x08\x0a\x2f\xb3\x51\x5d\xb5\x35\xc6\xac\xde\xf1\xd8\x58\xf6\x33\xb0\x80\xd3\x98\xc0\x06\xd7\x40\xf5\x9b\xfc\x06\x3a\xcb\xb4\x0f\xe2\x18\x3c\x55\x20\x89\x4d\xd5\xa4\x7b\xbd\xd9\x91\xf2\xca\x2e\x1d\x35\xd0\x40\x75\x59\x00\x16\xdf\xc8\x13\xa8\xf2\x72\x92\x6d\x66\x0b\x0b\xac\x47\xfc\x72\x97\xd7\x48\xd1\x64\x2d\xe8\x2c\x08\x24\x5c\x8a\x4a\xf3\x98\x26\x97\x1b\x06\xe2\x52\x56\x75\x9f\xc4\xae\xe3\xde\x98\x40\xc1\x4f\x99\xe8\xa5\x34\x04\xbc\xca\xe6\x13\xce\xdd\x72\xd3\x2e\x74\xc8\x7d\x8c\xad\x6c\xf7\x2f\xd2\x01\x8d\x5f\x3a\x79\x7c\x08\xcd\xda\xa2\xd9\xa5\xac\x5f\x49\xbf\x07\xb0\x45\xc4\x16\x9a\x88\x30\x46\x2c\x19\xb4\x00\x4b\x62\x83\x0c\x4b\xed\xca\x51\x61\x45\x1c\xe9\xc8\xac\x56\xf9\x73\xcc\x12\x0f\x7e\xad\xb2\x01\x0d\xe4\xbc\x3d\x71\x96\x47\xa8\xef\xb1\xa9\x5d\xc9\x3c\xce\x6e\xd2\xe2\x25\x5b\x85\x28\x21\x49\x1d\xcd\x30\x64\x0e\xeb\xae\x86\xec\xc0\x2e\x36\x5b\x46\x5d\xef\xb7\x36\x94\x17\x0d\x30\x33\x77\x59\x68\xa5\x3f\x27\x4f\xd1\xab\x8f\x38\x97\x81\x5a\xf3\xdf\xc8\x1f\xcd\xb7\xa3\xa6\xd1\x91\x7c\xab\x0a\x44\x69", 8192); *(uint64_t*)0x20004cc0 = 0x20002200; *(uint32_t*)0x20002200 = 0x50; *(uint32_t*)0x20002204 = 0; *(uint64_t*)0x20002208 = 0x8b20; *(uint32_t*)0x20002210 = 7; *(uint32_t*)0x20002214 = 0x1f; *(uint32_t*)0x20002218 = 4; *(uint32_t*)0x2000221c = 0; *(uint16_t*)0x20002220 = 6; *(uint16_t*)0x20002222 = 2; *(uint32_t*)0x20002224 = 0x7fffffff; *(uint32_t*)0x20002228 
= 2; *(uint16_t*)0x2000222c = 0; *(uint16_t*)0x2000222e = 0; *(uint32_t*)0x20002230 = 0; *(uint32_t*)0x20002234 = 0; *(uint32_t*)0x20002238 = 0; *(uint32_t*)0x2000223c = 0; *(uint32_t*)0x20002240 = 0; *(uint32_t*)0x20002244 = 0; *(uint32_t*)0x20002248 = 0; *(uint32_t*)0x2000224c = 0; *(uint64_t*)0x20004cc8 = 0x20002280; *(uint32_t*)0x20002280 = 0x18; *(uint32_t*)0x20002284 = 0xfffffff5; *(uint64_t*)0x20002288 = 0x55; *(uint64_t*)0x20002290 = 0; *(uint64_t*)0x20004cd0 = 0x200022c0; *(uint32_t*)0x200022c0 = 0x18; *(uint32_t*)0x200022c4 = 0; *(uint64_t*)0x200022c8 = 2; *(uint64_t*)0x200022d0 = 9; *(uint64_t*)0x20004cd8 = 0x20002300; *(uint32_t*)0x20002300 = 0x18; *(uint32_t*)0x20002304 = 0; *(uint64_t*)0x20002308 = 0x40; *(uint32_t*)0x20002310 = 0xe62; *(uint32_t*)0x20002314 = 0; *(uint64_t*)0x20004ce0 = 0x20002340; *(uint32_t*)0x20002340 = 0x18; *(uint32_t*)0x20002344 = 0; *(uint64_t*)0x20002348 = 0x80000001; *(uint32_t*)0x20002350 = 0x787; *(uint32_t*)0x20002354 = 0; *(uint64_t*)0x20004ce8 = 0x20002380; *(uint32_t*)0x20002380 = 0x28; *(uint32_t*)0x20002384 = 0; *(uint64_t*)0x20002388 = 3; *(uint64_t*)0x20002390 = 9; *(uint64_t*)0x20002398 = 0x101; *(uint32_t*)0x200023a0 = 0; *(uint32_t*)0x200023a4 = -1; *(uint64_t*)0x20004cf0 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x60; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 9; *(uint64_t*)0x200023d0 = 0xf652; *(uint64_t*)0x200023d8 = 0x8d; *(uint64_t*)0x200023e0 = 0; *(uint64_t*)0x200023e8 = 0x3f; *(uint64_t*)0x200023f0 = 0x80000000; *(uint32_t*)0x200023f8 = 0; *(uint32_t*)0x200023fc = 3; *(uint32_t*)0x20002400 = 0; *(uint32_t*)0x20002404 = 0; *(uint32_t*)0x20002408 = 0; *(uint32_t*)0x2000240c = 0; *(uint32_t*)0x20002410 = 0; *(uint32_t*)0x20002414 = 0; *(uint32_t*)0x20002418 = 0; *(uint32_t*)0x2000241c = 0; *(uint64_t*)0x20004cf8 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 2; *(uint32_t*)0x20002450 = 0xa8f; *(uint32_t*)0x20002454 = 0; *(uint64_t*)0x20004d00 = 
0x20002480; *(uint32_t*)0x20002480 = 0x26; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 8; memcpy((void*)0x20002490, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004d08 = 0x200024c0; *(uint32_t*)0x200024c0 = 0x20; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 6; *(uint64_t*)0x200024d0 = 0; *(uint32_t*)0x200024d8 = 0x12; *(uint32_t*)0x200024dc = 0; *(uint64_t*)0x20004d10 = 0x20004540; *(uint32_t*)0x20004540 = 0x78; *(uint32_t*)0x20004544 = 0xfffffff5; *(uint64_t*)0x20004548 = 0x81; *(uint64_t*)0x20004550 = 1; *(uint32_t*)0x20004558 = 7; *(uint32_t*)0x2000455c = 0; *(uint64_t*)0x20004560 = 5; *(uint64_t*)0x20004568 = 8; *(uint64_t*)0x20004570 = 6; *(uint64_t*)0x20004578 = 0x1ff; *(uint64_t*)0x20004580 = 5; *(uint64_t*)0x20004588 = 4; *(uint32_t*)0x20004590 = 4; *(uint32_t*)0x20004594 = 0xe8; *(uint32_t*)0x20004598 = 0x193; *(uint32_t*)0x2000459c = 0x7000; *(uint32_t*)0x200045a0 = 6; *(uint32_t*)0x200045a4 = -1; *(uint32_t*)0x200045a8 = r[4]; *(uint32_t*)0x200045ac = 3; *(uint32_t*)0x200045b0 = 9; *(uint32_t*)0x200045b4 = 0; *(uint64_t*)0x20004d18 = 0x200045c0; *(uint32_t*)0x200045c0 = 0x90; *(uint32_t*)0x200045c4 = 0; *(uint64_t*)0x200045c8 = 0x8612; *(uint64_t*)0x200045d0 = 5; *(uint64_t*)0x200045d8 = 3; *(uint64_t*)0x200045e0 = 0xb2f; *(uint64_t*)0x200045e8 = 0x20; *(uint32_t*)0x200045f0 = 0; *(uint32_t*)0x200045f4 = 7; *(uint64_t*)0x200045f8 = 0; *(uint64_t*)0x20004600 = 0x1ff; *(uint64_t*)0x20004608 = 2; *(uint64_t*)0x20004610 = 2; *(uint64_t*)0x20004618 = 0x1de; *(uint64_t*)0x20004620 = 0x5a; *(uint32_t*)0x20004628 = 9; *(uint32_t*)0x2000462c = 0xc46; *(uint32_t*)0x20004630 = 5; *(uint32_t*)0x20004634 = 0xc000; *(uint32_t*)0x20004638 = 0xddce; *(uint32_t*)0x2000463c = 0xee01; *(uint32_t*)0x20004640 = 0xee00; *(uint32_t*)0x20004644 = 0; *(uint32_t*)0x20004648 = 0x12; *(uint32_t*)0x2000464c = 0; *(uint64_t*)0x20004d20 = 0x20004680; *(uint32_t*)0x20004680 = 0x10; *(uint32_t*)0x20004684 = 0; *(uint64_t*)0x20004688 = 5; *(uint64_t*)0x20004d28 = 
0x20004900; *(uint32_t*)0x20004900 = 0x2c0; *(uint32_t*)0x20004904 = 0xfffffff5; *(uint64_t*)0x20004908 = 0x8a; *(uint64_t*)0x20004910 = 4; *(uint64_t*)0x20004918 = 3; *(uint64_t*)0x20004920 = 0xfff; *(uint64_t*)0x20004928 = 6; *(uint32_t*)0x20004930 = -1; *(uint32_t*)0x20004934 = 8; *(uint64_t*)0x20004938 = 5; *(uint64_t*)0x20004940 = 0xca13; *(uint64_t*)0x20004948 = 0x81; *(uint64_t*)0x20004950 = 4; *(uint64_t*)0x20004958 = 0; *(uint64_t*)0x20004960 = 0xbbc; *(uint32_t*)0x20004968 = 0; *(uint32_t*)0x2000496c = 3; *(uint32_t*)0x20004970 = 0x34b; *(uint32_t*)0x20004974 = 0x4000; *(uint32_t*)0x20004978 = 9; *(uint32_t*)0x2000497c = 0; *(uint32_t*)0x20004980 = 0xee01; *(uint32_t*)0x20004984 = 2; *(uint32_t*)0x20004988 = 0x81; *(uint32_t*)0x2000498c = 0; *(uint64_t*)0x20004990 = 3; *(uint64_t*)0x20004998 = 0x80000001; *(uint32_t*)0x200049a0 = 0x16; *(uint32_t*)0x200049a4 = 0xf97; memcpy((void*)0x200049a8, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x200049c0 = 5; *(uint64_t*)0x200049c8 = 3; *(uint64_t*)0x200049d0 = 0x100000001; *(uint64_t*)0x200049d8 = 0x10001; *(uint32_t*)0x200049e0 = 7; *(uint32_t*)0x200049e4 = 0x83; *(uint64_t*)0x200049e8 = 5; *(uint64_t*)0x200049f0 = 5; *(uint64_t*)0x200049f8 = 0x100; *(uint64_t*)0x20004a00 = 6; *(uint64_t*)0x20004a08 = 0xfffffffffffffbff; *(uint64_t*)0x20004a10 = 0xb533; *(uint32_t*)0x20004a18 = 0x800; *(uint32_t*)0x20004a1c = 0xad7; *(uint32_t*)0x20004a20 = 0x32f914fb; *(uint32_t*)0x20004a24 = 0x2000; *(uint32_t*)0x20004a28 = 0xe0; *(uint32_t*)0x20004a2c = r[6]; *(uint32_t*)0x20004a30 = 0xee01; *(uint32_t*)0x20004a34 = 4; *(uint32_t*)0x20004a38 = 0x64; *(uint32_t*)0x20004a3c = 0; *(uint64_t*)0x20004a40 = 4; *(uint64_t*)0x20004a48 = 0xfffffffffffffffc; *(uint32_t*)0x20004a50 = 0x16; *(uint32_t*)0x20004a54 = 6; memcpy((void*)0x20004a58, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004a70 = 2; *(uint64_t*)0x20004a78 = 2; *(uint64_t*)0x20004a80 = 7; *(uint64_t*)0x20004a88 = 0x8000; *(uint32_t*)0x20004a90 = 9; 
*(uint32_t*)0x20004a94 = 3; *(uint64_t*)0x20004a98 = 2; *(uint64_t*)0x20004aa0 = 7; *(uint64_t*)0x20004aa8 = 0x80000000; *(uint64_t*)0x20004ab0 = 8; *(uint64_t*)0x20004ab8 = 6; *(uint64_t*)0x20004ac0 = 0x400; *(uint32_t*)0x20004ac8 = 0xc932; *(uint32_t*)0x20004acc = 0x81; *(uint32_t*)0x20004ad0 = 5; *(uint32_t*)0x20004ad4 = 0x1000; *(uint32_t*)0x20004ad8 = 0xf841; *(uint32_t*)0x20004adc = r[7]; *(uint32_t*)0x20004ae0 = 0xee00; *(uint32_t*)0x20004ae4 = 0xff; *(uint32_t*)0x20004ae8 = 5; *(uint32_t*)0x20004aec = 0; *(uint64_t*)0x20004af0 = 4; *(uint64_t*)0x20004af8 = 0xffffffffffff3232; *(uint32_t*)0x20004b00 = 0x16; *(uint32_t*)0x20004b04 = 5; memcpy((void*)0x20004b08, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004b20 = 4; *(uint64_t*)0x20004b28 = 0; *(uint64_t*)0x20004b30 = 0; *(uint64_t*)0x20004b38 = 7; *(uint32_t*)0x20004b40 = 0x200; *(uint32_t*)0x20004b44 = 6; *(uint64_t*)0x20004b48 = 5; *(uint64_t*)0x20004b50 = 0x1020000; *(uint64_t*)0x20004b58 = 6; *(uint64_t*)0x20004b60 = 0x7f; *(uint64_t*)0x20004b68 = 0xce; *(uint64_t*)0x20004b70 = 0; *(uint32_t*)0x20004b78 = 0xa9fb; *(uint32_t*)0x20004b7c = 0xffffff81; *(uint32_t*)0x20004b80 = 0x3ff; *(uint32_t*)0x20004b84 = 0x1000; *(uint32_t*)0x20004b88 = 0; *(uint32_t*)0x20004b8c = 0; *(uint32_t*)0x20004b90 = r[8]; *(uint32_t*)0x20004b94 = 0x8de6; *(uint32_t*)0x20004b98 = 3; *(uint32_t*)0x20004b9c = 0; *(uint64_t*)0x20004ba0 = 2; *(uint64_t*)0x20004ba8 = 0xffffffff; *(uint32_t*)0x20004bb0 = 1; *(uint32_t*)0x20004bb4 = 5; memcpy((void*)0x20004bb8, "/", 1); *(uint64_t*)0x20004d30 = 0x20004bc0; *(uint32_t*)0x20004bc0 = 0xa0; *(uint32_t*)0x20004bc4 = 0; *(uint64_t*)0x20004bc8 = 0x3f; *(uint64_t*)0x20004bd0 = 5; *(uint64_t*)0x20004bd8 = 2; *(uint64_t*)0x20004be0 = 0; *(uint64_t*)0x20004be8 = 7; *(uint32_t*)0x20004bf0 = 6; *(uint32_t*)0x20004bf4 = 3; *(uint64_t*)0x20004bf8 = 2; *(uint64_t*)0x20004c00 = 0xf51e; *(uint64_t*)0x20004c08 = 0x65; *(uint64_t*)0x20004c10 = 1; *(uint64_t*)0x20004c18 = 0x8b; *(uint64_t*)0x20004c20 
= 0x7f; *(uint32_t*)0x20004c28 = 0x100; *(uint32_t*)0x20004c2c = 9; *(uint32_t*)0x20004c30 = 0x24; *(uint32_t*)0x20004c34 = 0xa000; *(uint32_t*)0x20004c38 = 0x3f; *(uint32_t*)0x20004c3c = 0; *(uint32_t*)0x20004c40 = -1; *(uint32_t*)0x20004c44 = 0x40; *(uint32_t*)0x20004c48 = 3; *(uint32_t*)0x20004c4c = 0; *(uint64_t*)0x20004c50 = 0; *(uint32_t*)0x20004c58 = 1; *(uint32_t*)0x20004c5c = 0; *(uint64_t*)0x20004d38 = 0x20004c80; *(uint32_t*)0x20004c80 = 0x20; *(uint32_t*)0x20004c84 = 0xfffffff5; *(uint64_t*)0x20004c88 = 0x401; *(uint32_t*)0x20004c90 = 0x5b2; *(uint32_t*)0x20004c94 = 0; *(uint32_t*)0x20004c98 = 9; *(uint32_t*)0x20004c9c = 2; syz_fuse_handle_req(r[3], 0x20000200, 0x2000, 0x20004cc0); break; case 21: memcpy((void*)0x20004d40, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004d40); break; case 22: res = -1; res = syz_init_net_socket(3, 2, 1); if (res != -1) r[9] = res; break; case 23: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[10] = res; break; case 24: *(uint32_t*)0x20004d84 = 0xb8ca; *(uint32_t*)0x20004d88 = 0x20; *(uint32_t*)0x20004d8c = 0xe7c; *(uint32_t*)0x20004d90 = 0x26b; *(uint32_t*)0x20004d98 = r[10]; *(uint32_t*)0x20004d9c = 0; *(uint32_t*)0x20004da0 = 0; *(uint32_t*)0x20004da4 = 0; syz_io_uring_setup(0x3e79, 0x20004d80, 0x20ffc000, 0x20ffb000, 0x20004e00, 0x20004e40); break; case 25: *(uint32_t*)0x20004e84 = 0x29dc; *(uint32_t*)0x20004e88 = 2; *(uint32_t*)0x20004e8c = 1; *(uint32_t*)0x20004e90 = 0x3d6; *(uint32_t*)0x20004e98 = r[3]; *(uint32_t*)0x20004e9c = 0; *(uint32_t*)0x20004ea0 = 0; *(uint32_t*)0x20004ea4 = 0; res = -1; res = syz_io_uring_setup(0x5336, 0x20004e80, 0x20ffd000, 0x20ffb000, 0x20004f00, 0x20004f40); if (res != -1) { r[11] = *(uint64_t*)0x20004f00; r[12] = *(uint64_t*)0x20004f40; } break; case 26: memcpy((void*)0x20004f80, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20004f80, 0xfffffffffffffff8, 0x240); if (res != -1) r[13] = res; break; case 27: *(uint8_t*)0x20004fc0 = 6; *(uint8_t*)0x20004fc1 = 0; 
*(uint16_t*)0x20004fc2 = 0; *(uint32_t*)0x20004fc4 = r[13]; *(uint64_t*)0x20004fc8 = 0; *(uint64_t*)0x20004fd0 = 0; *(uint32_t*)0x20004fd8 = 0; *(uint16_t*)0x20004fdc = 0x4404; *(uint16_t*)0x20004fde = 0; *(uint64_t*)0x20004fe0 = 0; *(uint16_t*)0x20004fe8 = 0; *(uint16_t*)0x20004fea = 0; *(uint8_t*)0x20004fec = 0; *(uint8_t*)0x20004fed = 0; *(uint8_t*)0x20004fee = 0; *(uint8_t*)0x20004fef = 0; *(uint8_t*)0x20004ff0 = 0; *(uint8_t*)0x20004ff1 = 0; *(uint8_t*)0x20004ff2 = 0; *(uint8_t*)0x20004ff3 = 0; *(uint8_t*)0x20004ff4 = 0; *(uint8_t*)0x20004ff5 = 0; *(uint8_t*)0x20004ff6 = 0; *(uint8_t*)0x20004ff7 = 0; *(uint8_t*)0x20004ff8 = 0; *(uint8_t*)0x20004ff9 = 0; *(uint8_t*)0x20004ffa = 0; *(uint8_t*)0x20004ffb = 0; *(uint8_t*)0x20004ffc = 0; *(uint8_t*)0x20004ffd = 0; *(uint8_t*)0x20004ffe = 0; *(uint8_t*)0x20004fff = 0; syz_io_uring_submit(0, r[12], 0x20004fc0, 8); break; case 28: memcpy((void*)0x20005000, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20005000, 0x1000, 0x8600); if (res != -1) r[14] = res; break; case 29: *(uint64_t*)0x20005080 = 0; *(uint64_t*)0x20005088 = 0x20005040; memcpy((void*)0x20005040, "\x48\xd5\xa3\x40\x0d\x13\x5d\xd4\x91\x01\x61\x86\x7c\x99\x1f\xc7\xd6\x8d\x55\x14\x5f\xbb\xc5\xc4\x98\xb5\x8f\xba\x49\xbd\x01\xb6\x83\x86\x47\x33\x65\xa9\x13\x12\x72\xed\xe1\xd5\x3b\xc2\x85\x05\x1b\x85", 50); *(uint64_t*)0x20005090 = 0x32; *(uint64_t*)0x200050c0 = 1; *(uint64_t*)0x200050c8 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x20005080, 1, 0, 0x200050c0, 1); break; case 30: *(uint32_t*)0x20005100 = 1; syz_memcpy_off(r[11], 0x114, 0x20005100, 0, 4); break; case 31: memcpy((void*)0x20005140, "afs\000", 4); memcpy((void*)0x20005180, "./file0\000", 8); *(uint64_t*)0x20006640 = 0x200051c0; memcpy((void*)0x200051c0, "\xc5\xf6\xf4\x20\xae\xec\x38\x8c\xed\xec\x2b\x59\x7c\x81\x56\x53\x8c\xd4\x58\x60\x34\x19\x9f\x56\xf5\x94\x4d\xa0\x3d\x8c\xa8\x29\xf6\xc6\xb6", 35); *(uint64_t*)0x20006648 = 0x23; *(uint64_t*)0x20006650 = 1; *(uint64_t*)0x20006658 = 
0x20005200; memcpy((void*)0x20005200, "\xf4\xee\x9e\xdc\x1b\xe2\xc2\xd8\x62\xa4\x80\xf3\x0a\xe3\x0d\xaf\xad\xfd\xf8\x69\xf7\x78\x9a\x45\x49\xf5\xa8\xda\xc0\x6f\xe4\xc5\xd5\xd2\xcf\x00\x66\xd8\x8b\xfc\xa6\xaf\x40\x74\x5e\xd6\x17\xb7\xa1\x46\xc9\x40\xde\x37\x50\x5c\xb9\x65\xea\xa1\x98\x2c\x8c\xa0\xec\x21\x06\xf4\x7e\x4e\x26\x5f\x1e\x19\x28\x5b\xba\x7e\xb5\x77\xf6\x00\x66\xb5\xf4\x6c\x62\xd2\xec\x00\x68\xed\xcb\xe6\x30\x0e\x4f\x1e\x3c\xce\x42\x9e\x45\xa7\xdf\x28\x7e\x80\x09\x84\x1d\xb1\x01\x51\x34\xee\xaa\x72\x43\x11\xe5\x51\x81\xcb\x7a\xfe\x7d\xfd\xc7\x94\x6b\xd1\x45\x23\xea\x66\x80\xea\x42\xca\x9f\x7b\x0e\xaa\xab\xe1\xd0\x54\x27\x7e\xff\x60\x7e\xf4\xf8\x40\x2e\x5d\xc3\x7e\x6a\x52\x8e\xc3\x56\x58\x23\xc0\x31\xa8\x46\x0e\x8b\x5f\x67\x06\x68\xf8\x6b\x90\xa0\x26\x04\x3a", 184); *(uint64_t*)0x20006660 = 0xb8; *(uint64_t*)0x20006668 = 2; *(uint64_t*)0x20006670 = 0x200052c0; memcpy((void*)0x200052c0, "\xba\xee\xde\x48\x17\x36\xd9\x0f\x0a\xa3\x6f\xb3\x27\x95\x6d\xd7\x63\x57\x8e\x20\x19\x9f\x0d\xc8\x5f\x18\x5c\x93\x06\x86\x6b\xa3\x3c\x93\xd2\xaf\x96\x13\xc9\x29\x09\xc6\x51\x25\x4e\x6a\x63\x50\x3d\xbf\x31\x7b\x02\x1c\x4b\x3c\x8d\xe3\x05\xd3\xde\x39\xa1\xad\x9a\xc1\xb0\xab\x3f\x51\xf6\x8c\x1a\xe1\xda\x3e\x4c\xc7\x44\xfd\x00\xdf\xa6\xd1\xb9\x6e\x21\x13\x40\x07\xd3\x1c\x93\x01\x38\x54\xed\x32\x55\x0f\x1b\x82\xa4\xc0\x3c\xa6\x74\x40\xd8\x65\x45\xdc\xd2\x9e\xea\x99\x27\x4f\x65\x57\x37\xad\x5a\x54\xd9\xe7\xf9\xde\xc4\x91\x29\xbb\x84\xbe\xb6\x2b\x18\x53\xf6\x9e\x6a\x07\x72\x09\xf7\xe5\x5c\xe0\xd5\x16\x86\xca\x76\x4d\x2c\xe3\x34\xcd\x6d\x09\xb5\xd9\x23\x57\xbd\xef\x60\xa6\x35", 169); *(uint64_t*)0x20006678 = 0xa9; *(uint64_t*)0x20006680 = 0; *(uint64_t*)0x20006688 = 0x20005380; memcpy((void*)0x20005380, 
"\x31\xf1\xfb\xee\x4b\x48\xe6\xe6\x9c\xb6\x1b\xd1\xcc\xc1\xe2\x13\xaf\x5a\x28\xe7\x4c\xff\xc2\xe5\xe8\x2f\xbb\xcd\x1c\x34\x00\xfa\xf3\x79\xd1\xa1\x94\xd5\x2a\x36\x67\xe2\x01\x9b\x9a\xec\x0e\x14\xfe\xed\x8f\xea\x77\x0a\x9a\x1b\xfb\xbc\x30\x99\x73\x21\xbc\xbb\xcf\x4d\x11\x5b\xb3\xd3\x26\x9e\x50\xbe\xca\x59\x82\xef\x1d\x22\xc9\x83\xd7\x86\x21\xdb\xaa\x93\xe8\x39\x5e\xfe\x31\xdf\xad\xed\xca\xde\xd0\x97\x6f\x5f\x0c\x7d\x4f\x17\xb6\xcc\x88\xb8\x97\xce\x5d\xdf\xf1\xad\xe8\xef\x2d\x62\xdc\xbe\xd4\x21\x58\x9e\x3c\xfb\x5d\x85\x50\xd3\x65\x1a\x99\x11\x5d\x6e", 138); *(uint64_t*)0x20006690 = 0x8a; *(uint64_t*)0x20006698 = 2; *(uint64_t*)0x200066a0 = 0x20005440; memcpy((void*)0x20005440, "\x78\x81\xb6\x81\x1e\xa2\xae\xc8\xf2\x7f\x7f\x7f\x52\x3c\xc4\xba\xca\x36\x52\xf7\x30\x3c\xd7\x48\xfb\x4e\xd8\xcc\x78\x3a\xc5\x78\xa9\xe8\x53\xa9\x90\x6a", 38); *(uint64_t*)0x200066a8 = 0x26; *(uint64_t*)0x200066b0 = 1; *(uint64_t*)0x200066b8 = 0x20005480; memcpy((void*)0x20005480, "\xc5\x05\xe1\x80\x5e\x72\xc2\x3f\x48\x9b\xb4\x5d\x55\x60\x79\x64\x53\x32\x08\x2b\x1b\x6b\xef\x7a\xdc\x39\xb0\x98\xe1\x73\xf4\x2f\xdd\x8d\x2c\x65\xce\xb6\x64\xad\xb4\x7d\xe1\x73\xdb\x5b\x34\x23\xe0\x2b\xfe\xe5\x83\x39\xfc\xb7\xd8\x5f\x2d\x1a\xcd\x1f\xed\x18\xda\x1c\xb7\xb3\xd2\x8d\x4e\x36\x8a\xa5\xf0\x2a\x89\x50\xaf\xd1\x9b\x0d\x60\x03\xc1\xfc\x54\x24\xd3\xe2\x8d\x4b\xf7\x90\x2f\xa3\xd9\x99\xb4\xf6\x23\x68\xc5\x84\x4f\x1e\x9e\x4d\x19\x5c\x65\x48\xc1\xa0\xe6\x14\x80\xc6\x1f\xe3\xfc\x89\x54\x81\x0a\x5c\x55\x19\xa2\x85\x0a\xff\x54\x44\xdf\xe3\x6d\x6c\x08\xfb\x25\x1d\x64\x59\x51\xca\x0a\xee\x8a\xe0\x9d\x52\x18\xce\x7d\x78\x3d\x4a\x62\x07\x0c\xce\x23\x1a\xb7\xc6\x30\x93\x1f\xbc\x78\x39\xba\x29\x79\x30\x5c\xab\xb4\x5f\x4a\xa2\xdc\x92\x49\x72\xfe\x3a\x5a\x80\x6c\x03\xc7\x41\x79\x3e\xb0\x46\xd5\x66\xef\x8d\xe1\xd0\xb7\x14\x50\xb5\x61\xba\x65\xb0\x14\x14\x29\xbd\x3e\x5a\x42\x06\xb4\x7e\xf0\x97\x27\x5e\xad\x1f\xe3\x12\x57\xa7\x23\xdd\xc5\x85\xc7\x03\xf5\xd0\xfc\xf7\xb2\x98\x13\x4d\x89\xd0\x3f\x47\x7a\xb7\xaf\x75\x6e\x3a\x4f\x9e
\x1d\x06\xca\x01\xf2\xb7\x59\xc9\x55\xb8\xe8\xbf\xc1\xb8\x07\x01\x98\xb3\x30\xf5\x85\x8c\x69\x51\x61\x06\x82\xa3\xcb\xdc\xb5\x91\xf1\x39\xa7\x1e\x88\x3b\xb7\x69\x1c\xb5\x6b\xc0\xad\x95\xdd\x77\x4f\xdc\x11\x0d\x07\x5b\x3a\xcf\x5f\xbb\xb2\x27\x22\x79\x21\xe1\x0a\xa5\xb7\x3d\xa8\x1d\xca\x19\x66\x00\x37\x61\x20\x26\x6c\xc8\x4f\x0c\xc2\xee\x0f\xf3\xf6\xc7\x4b\x65\x6a\x61\xb5\xf5\xae\x6d\xab\x4a\x9c\xe8\x4c\xb9\x7c\x0b\x90\xe7\xa0\xd0\x78\x28\x81\x9e\x2b\xdd\xb1\xa7\x27\x7c\xaf\x68\x71\x95\xec\x83\x64\xd8\x52\xb9\x86\x43\xf5\x55\xdc\xa6\xad\x72\xd6\x80\x64\x3f\x29\xc3\x22\x57\x5f\x2e\x57\x11\x34\x3f\x8a\xa2\x4d\x7d\xeb\x87\xd3\xac\xe4\x82\xbc\x05\xdc\xd5\x28\x83\x38\xb5\x84\x99\x4a\x09\x0c\x45\x1a\xbb\x28\x4c\x01\x04\xc5\xf3\x79\x08\xeb\x33\x07\xd6\x5e\x79\x2b\x4f\x25\x86\x00\xde\x77\x07\xc8\xb1\x54\xff\xd5\xf5\x6d\x7a\x17\xc6\x2f\x09\x28\x28\x51\x6f\x82\xea\x4a\x12\x6a\x2a\x36\x0c\x70\x31\x08\x77\x0c\xc7\xe7\x50\x5c\x8e\x18\x0c\x5f\x37\x6d\x0d\xba\xf1\xe1\x85\xa5\x04\xed\x01\x3b\x0b\x16\x24\x83\xf9\xe2\xa3\xbe\xc7\xd6\x83\x30\x82\xac\x95\x4e\x8f\x5e\x31\x84\x37\x2e\x05\x08\xad\x7e\x0f\xb4\xb2\xf1\x20\x1a\x35\x88\x2a\xda\x41\x5d\xfd\xb3\x65\x87\xe8\x87\x95\x10\x1f\x9d\xc6\xc0\xd2\x6b\xbb\x64\x24\x21\xdb\x09\x73\xef\x28\x3c\x2b\xea\x7f\x5c\x9c\x35\xeb\x13\xea\x5a\x97\x42\x85\x2f\x08\x3e\x44\x32\x82\xcb\xad\x94\x7e\xa0\x5d\x3f\x99\x8b\xf3\xf8\x60\xcd\x12\x5b\x26\x6e\x1f\x3b\x84\xc4\xe6\x2b\x4e\x49\xae\x7f\x85\x2d\x57\x8e\xab\x24\xa0\xc5\xe4\xc6\x09\x28\xb6\x99\xc7\xb6\x8c\x63\x28\xf3\x2c\xa3\x71\x5b\x94\x00\x55\xb6\xad\x04\xf9\x94\x16\x55\xdc\xfa\x91\xdc\x4d\xf0\x21\xa7\x45\x04\x51\x9f\x0a\x7d\xf1\x0d\xb5\x05\xda\x8c\xa4\xa0\x52\x58\x04\xdf\xd9\x0a\x31\xbb\xa6\x48\xbe\xe5\x7b\xcc\xd6\xcd\x9a\x59\x6e\xb9\x45\x86\x7e\x02\x31\xfa\xfb\x66\xc5\x01\x7b\x29\x79\xad\xe5\xdf\xcf\xb2\x4c\xb5\xc7\x88\x15\x11\x18\x56\x04\x90\x6d\x1f\x20\x1a\x12\x64\xa5\x4c\x20\xc1\x73\x90\x1d\x32\x5f\x5c\x2b\x0e\x0f\xff\x22\xc6\x83\x4d\x07\x0c\xbe\xdc\x8a\xe6\x6f\x2f\xce\x84\x88\xd7\x7b\x1f\x92\x57\xa9
\x1a\x00\x1e\xda\x07\x55\x56\xc2\x3e\x7a\xdb\xde\x0c\x99\x4b\xd6\x98\x0c\xbd\xb3\x44\xd0\x4e\xfd\x2a\x3f\x4e\x73\x26\x20\x26\x0d\x15\xf6\x08\x4c\xca\xb9\xb2\xf1\x3b\xf5\x47\x82\xeb\x2f\x56\x89\x19\xe0\xae\xfc\x06\x3f\x3f\x2a\xf6\xbe\xb8\x19\x15\x9c\xfd\xb0\x53\x4e\x79\xe0\xcd\x74\x51\x5b\x52\x8c\x82\xce\xfa\xec\x85\x47\xd0\x5f\x08\xb0\x04\x24\xa0\x2a\xbb\x0f\xe2\x0d\x30\x55\xd3\xb9\xd9\x7e\x8b\xad\x3a\x7b\x22\x02\xb8\xef\xfc\x5d\xa0\x55\xf4\xeb\x18\x27\xdc\xb1\xde\x57\xde\xfc\x3c\xcb\xe7\xc3\x02\x79\xa3\x04\x11\x96\xa9\xf0\xb1\xa7\x44\x91\xc0\x7b\x9a\x1a\xf0\x40\xe5\x3e\xc7\x1a\x91\x10\xe2\x0f\x32\x09\x2a\xdd\xcd\x05\x8a\x15\x07\x9b\x71\x8f\xac\x59\x4d\x8e\x75\x13\x9b\xc9\x26\x0f\xf6\x56\x47\x25\x0f\xd7\xce\x6b\xdb\xc3\x05\xc0\x79\xc5\xcc\x2f\xe6\xcd\x1f\xca\x99\x3e\x85\x30\xe0\x37\x38\x83\x90\x08\xdc\x65\x8f\x22\x66\x4e\xea\x77\x06\xf6\xad\xa2\x4c\xa1\xa2\x2e\x83\x0a\xad\x64\xf4\xdc\x44\x38\x7d\x83\xad\x42\x88\xf4\x46\x72\xd9\xa0\x55\x59\xfb\x29\xc6\x6f\xe6\x67\x9e\x97\x9f\x86\xee\x31\x67\x5f\x50\x1d\x95\x81\x47\x96\x61\x29\x08\xd1\xf7\x03\x7b\x69\x0b\x94\x81\xfb\x68\x7f\x2d\x52\xb5\xa3\x73\x51\x5f\x62\x07\x59\x36\x04\x2a\x0e\x9d\x10\xc9\x11\x14\xa9\xe7\x4c\xa7\xac\x76\x55\x8f\x73\xfa\x26\xfe\x9d\x14\xde\xa8\x5d\x4c\x9f\xae\x1f\x6c\x53\xbb\x76\x8b\x14\x57\xa7\xf8\x9b\xcb\xf9\x0e\x70\x69\x75\x37\x67\xf0\xc1\x90\x21\x63\xe4\x00\xaf\xdd\x91\xec\x2d\xac\xbe\x68\x0c\x7d\x64\x54\xa0\xf1\x73\x49\x0b\x6b\x1e\xd4\x88\x1e\x82\xcd\x79\xd6\xb8\x91\x61\xd8\x7f\x4f\x27\x0d\xea\xde\xbe\xb3\x51\x07\xc1\x9c\x7a\x6d\x54\x08\xe6\x0b\x32\x5c\x64\xdb\xb9\x98\x3b\xfa\xf0\x30\x6f\xac\x8a\x0f\xb3\x24\xaf\x5d\x69\xc2\x1c\x62\xa8\xb5\xe2\x57\xa4\x8d\xe0\x69\x22\x6a\xb2\x9a\xee\xad\x17\xfa\x45\xf3\x84\x75\x0f\x8b\xba\x1d\x46\xe0\xa4\x12\x78\x07\xe1\x0d\x15\x70\xda\x63\xb2\x02\xee\xb7\x15\x38\x6a\xfe\x3d\x8b\x17\x47\xca\xa6\xa4\x14\x16\xdd\x65\x52\x4d\x22\x28\xea\xaa\xd1\xa6\x1b\xff\x8d\xb8\xbe\x75\x2c\x45\xae\xca\x76\xde\xa3\xaa\x68\x08\x36\x4c\xf7\x58\xdc\x87\x03\x41\x7a\x49\xb9\x3e\xca\x5a
\xd0\x9d\x63\x30\x3a\x4a\xc3\x78\xaa\xd3\x4a\x08\xde\xcc\x4a\x72\x0c\x3e\xea\xf8\x8a\xce\x0a\x72\x90\x0b\xc3\xdd\x40\x2c\x12\x2d\x00\xd5\x6b\x51\x72\x35\xae\x91\x12\x83\x2d\x63\x7b\x93\x17\xb6\x1f\x9d\xcb\x0c\x48\xe7\x28\xe8\x50\xdf\xd5\x26\x26\xdb\x29\x6a\xad\x77\xb9\xc7\xcd\x91\x67\xf3\x19\x47\x47\xc0\x11\xa5\xfb\xda\xbc\xa9\xca\xbd\x2f\x6b\x75\x81\xf9\xd9\x1c\x63\x66\xd5\x26\xb1\x68\x3e\x3f\xee\xfd\x0f\xe3\x0f\x53\xe7\xcb\x7d\xe4\x1e\x89\xe4\xe7\x43\xef\xea\x39\x44\xea\x8a\xfd\x9f\x77\x8a\x7f\x06\xbf\xb0\xef\x23\x86\x48\xc2\x1c\xed\xfd\xd8\xb7\x6e\xed\x76\x57\x74\xd7\xa4\x90\xb0\xee\x46\x4e\x44\x88\xa9\xc3\xdd\x21\xc7\xba\x2e\x63\xa3\x1a\xe3\x8f\xfa\xb2\x09\x46\x0b\xa9\x3a\x62\x02\x9d\x8f\x2a\xde\x13\x77\xb5\x34\x38\xb0\x51\x90\x12\x27\x39\x82\x72\x63\x9f\x12\x4d\x42\xb5\x55\xd5\x91\xa6\x65\x5f\x73\xf6\xc4\x6c\x51\x4c\xf3\x2a\xe4\xc6\x04\x6c\x38\x04\x07\xf7\xd9\xcf\x3c\x14\x1b\xdd\x94\x69\x13\x84\x95\x8e\x67\x17\x8f\x81\x6a\x63\xe4\xcc\x18\x9c\x52\x16\x38\xdc\x7a\x28\xd2\xaf\xb6\x12\x84\x76\xe4\x08\xee\x85\xb9\x9a\x12\x61\x29\xc5\x5e\x67\x9c\x0b\xdc\xeb\xd9\x66\x98\x17\xe9\x45\xb0\xff\xfa\x61\x5a\xb9\xce\xf2\xf8\x59\xe0\xac\x38\x25\x36\x11\xfe\x63\xbd\x57\xfd\xf0\x3f\xb0\xd6\x5c\x1c\xc6\x5d\xf2\x65\x38\x59\xfc\x59\x4f\x9a\x3e\xb3\x79\xd1\x17\xda\x82\x8a\xc5\x58\x6b\x3f\x6d\x3b\xcc\xf1\xd5\x4c\x45\xbc\x1a\x5f\xa4\x5e\xd7\xad\x36\x6c\xff\x39\xa6\x32\xbd\x4d\x14\x70\x0d\x30\xf7\x0c\x99\x72\x5c\x2f\xb8\xee\x97\xcb\xc5\x9f\x8e\x5b\x64\xfa\xc8\xfe\x2f\x83\x60\x41\xbb\x57\x08\xa3\x64\x0b\xbc\x67\xf9\xd0\x9a\xc1\xfd\x36\x46\xa6\xf7\x44\x6f\x48\x15\x98\x9b\xb0\x41\x9c\x94\xb0\xa6\xfc\x97\xd0\xfd\x9e\x51\x90\xe7\x24\xd7\x54\x82\xcc\x1e\xb4\xc0\x77\x53\xb0\x1c\x42\x02\xc4\xd0\x9d\x00\x6b\xd6\xbd\x92\xb3\x3c\xd4\x0d\x8f\x1b\xf7\xea\x73\x9a\x68\x6f\x8d\x3a\x12\xdf\x2f\x7c\x57\x8a\xd2\xe0\xc1\xb2\x9c\x04\xf2\x82\x85\x70\x45\xed\x90\x38\x28\x30\xcf\x0f\x2f\x2c\x8d\x22\x07\x3e\xde\xc3\x1d\xd2\x57\x30\x0b\xa6\x7b\xec\x88\xa1\xe7\xa5\x58\x0f\xdd\xe5\x01\x98\x79\xf6\x96\x2d\xa5\x0d
\x75\xc6\xfd\x13\xa1\x9e\x35\x8e\x13\x41\x35\xdb\xb8\xb4\xbe\xed\xbe\xd1\xcc\x5f\x8f\x20\x34\xee\x29\x7f\xf6\x9b\x9d\xb3\xe0\x05\xe5\x9f\xd5\xea\x22\xba\x51\xbd\x8f\xeb\xde\x9f\xf9\xf6\x5a\x21\xda\x5e\x13\x5c\xa8\x86\x07\x31\xc4\xde\xe9\xc3\x3c\x7e\xdb\xa5\x08\xd2\x6d\xdb\x55\x92\xfd\xf9\x85\x06\x70\x2f\x99\x80\x37\xe6\xb4\x18\xc5\xc7\x83\x62\x43\x48\xf5\x7d\x2c\xf2\xcd\x8f\xb8\x37\xc6\x18\x53\xf5\x16\xc6\x8e\x76\x58\x29\xfe\x2f\x74\x11\x66\xa7\x4a\xfd\x1e\xdc\x90\x97\x1c\x4e\xda\x7a\x6a\x18\xd8\x5d\x54\xba\x87\xf9\x09\x5b\xd1\x62\x6b\x9b\x90\x0c\xf6\xfe\x05\xee\xb1\xb4\xf0\x05\x99\xb6\xe8\x38\x1f\xe2\x8d\xe8\x51\xe1\x9a\x02\x52\xef\xde\x6c\x57\x99\xf5\x6e\xc2\xd6\x1c\xc6\xff\x5d\x1e\xb6\x5e\x9d\x8e\x05\x45\xa9\x2e\x6b\x98\x66\x27\xc7\xf9\x71\x69\x42\x10\xe0\x88\xb7\x84\xbe\xaa\xba\x64\xd2\xab\xe4\x44\x1c\x7b\x14\xfc\x8d\x2a\xda\xfa\xc7\x82\x34\xed\x72\x59\x9c\xc4\x16\xc0\x47\x75\x0b\x24\xac\x3c\x9a\xa4\x69\x0c\x05\x77\x04\x9d\x80\x5b\xae\x79\x92\x2c\x1d\x29\x66\xd9\x75\x2c\x55\x1a\x91\xa9\xfb\xc0\xbb\x95\xc2\x3a\xcc\x2a\x90\x68\x35\x31\xa5\x9f\x30\xfc\x1d\x10\x79\xbd\x9f\xc0\x7f\x0d\x09\xbd\xdc\x01\x37\x2b\xa2\x6c\x13\xef\x30\x6a\xf3\x25\x6f\x23\x5d\x72\xb7\x59\xb6\x61\x8c\x1e\x09\xe8\xdf\x69\x35\xdb\x77\x45\x3b\x49\x96\xb0\x15\x2a\xe1\x37\xd1\xca\xdd\xbd\x5f\x8e\x12\x62\x1a\x54\x81\x55\x43\x45\xdf\xbb\x7e\x2c\x50\x03\x71\x34\x6f\xea\xfd\x5d\xc0\xf6\xe2\xc5\x9e\xa2\xc2\x45\xd1\x5d\xb2\x0e\x87\xc7\x7b\xd9\x08\xd9\x28\x50\xe4\x03\xe5\x8c\xdf\xf0\xe2\xfc\x25\x7f\xf0\x00\xf3\xb2\x68\xdc\xf1\x41\xe7\x75\x25\x10\x61\x08\xa4\xb6\xed\xcf\x89\xf1\xfc\xfb\x12\xa0\xa0\x2a\xd7\xc0\x12\x12\x84\xea\x49\x0c\xa7\xbf\x87\x61\xee\xff\x5b\x37\x5e\xeb\x0a\x03\x8a\x44\x4d\x2f\xb9\x50\xf9\x65\x17\xad\xa9\x4c\xd9\x6f\x8d\xbb\xd0\x42\xa4\xde\xb1\x88\x21\x7b\x7b\x9d\xad\x94\x8b\xb5\x98\x43\xc0\xc3\x92\xbd\x9e\x79\xc8\x5d\x34\x61\x6b\xcd\x99\xfb\xff\x77\x53\x7d\x23\x4c\x05\x1e\x5e\x9a\xa9\x13\xc7\x7c\xbd\xcf\x53\x96\xce\x3f\x06\x83\xe9\x2e\xbd\x0c\x1b\x99\xfb\x5c\x66\x3f\xb9\x7b\x6d\xc2\xd4
\x35\x54\xaa\xa9\x9a\x27\xab\x99\x17\x2b\xac\x17\xe3\xbc\x04\x4d\x3d\x2e\xf8\xf8\x73\xcf\x52\x21\x4e\x71\xd7\xd7\xc5\xff\x9d\xc7\x91\xd4\x0c\xee\x37\x53\x6d\xd1\x2b\xa0\x95\xb4\x8a\x34\x19\x75\x78\x4a\x16\x14\x17\x5a\x1f\xc4\x9d\xc2\x10\x2b\xa5\xc2\x74\x16\xdf\xf8\x27\x9e\xa3\xf2\xc4\x47\x39\xb8\xef\x99\x61\x69\x9a\x4c\x79\x28\x59\xce\xe8\x81\x11\x43\x78\x46\xc9\x45\x01\x75\xb8\xba\x2a\x32\x67\x57\xdc\xbf\xd5\x51\xac\xd1\x5d\x78\x37\x32\x83\x8b\x9c\x92\x4e\x09\x23\xfb\x79\x5b\x77\x04\xbf\x1c\x84\xdb\xe6\x56\x9c\x0d\xf7\x02\xa7\x47\x7f\xa0\x99\x6d\xe5\xd6\x81\xd1\x0f\xa2\xaa\x52\xb1\x42\x53\xba\x91\x3a\xde\xcf\x47\xea\xbf\x1b\x01\x5e\x73\xd6\xba\xb5\xdb\xe5\xd5\xdd\x1e\x06\x7c\xc9\xe4\x80\x60\x40\xdb\x09\xa1\x44\x8e\xd2\x1d\x98\xdc\x6f\x45\x9f\x22\xc9\x51\xc7\xb0\x72\x01\x46\x77\x91\x09\x7b\x39\x04\x10\x36\xa5\x0e\xc5\x59\x6b\x6d\x28\xe1\x4b\x79\xaa\x12\xbe\xfa\x32\xff\x95\x62\x9d\x53\x2a\xda\xed\x53\x42\xc8\x4d\x39\xc8\x22\x53\x82\xf9\x81\xae\x4f\x85\xb7\xa1\xae\x6b\x90\xa8\x18\xb6\x2d\x71\xbf\x59\x2f\x84\x27\x3f\xa2\xcc\xbb\xa6\x5d\xfc\x34\xfd\xaf\x56\x1e\x26\xd3\x07\xb7\x43\xf8\x2b\xc7\x6f\x99\x85\xc9\x50\x76\xc8\x3a\x1d\x28\x65\x32\xb8\xd5\x95\x20\xbf\x6c\x40\xbc\x63\x5f\x51\x60\x8f\x49\xbd\x47\x82\xf6\xa6\xb7\xd3\x7c\x6f\xe8\xe5\x27\x2e\xc0\x8f\x85\xfb\x9b\xaa\x66\xbd\x70\xb1\xdb\x70\xdf\x0b\x12\xce\x35\xd8\xe1\x5c\x18\x7f\xec\xfd\x9f\xa3\x41\x72\x1f\xf6\xb2\x4a\x1b\xb6\x8b\xd0\x74\xc2\xa5\x7d\x74\x60\x91\x7d\xd2\xff\x0d\x08\x04\x11\x2b\x05\x20\xf0\x5c\xd7\x07\x87\xd8\xdc\xe6\xcb\x69\x71\x1e\xf7\x45\x3b\x40\x67\x9e\xc9\x7a\xac\x90\x0e\x69\x8c\xe1\xf8\xe5\x8b\xa7\x38\x59\x0d\xf5\xc4\x58\x8e\xc6\x50\x68\x80\x02\xa2\xc1\x4e\xc6\x0c\x58\x38\x5b\x68\xdb\x23\x8b\x8c\x5b\x18\x9b\x2f\xd5\xfd\x21\x36\x55\xe0\xc8\x19\x00\x94\x97\x64\x02\x2d\x22\x77\xb0\x38\xce\x7d\xbd\x00\xd1\xec\x66\xe2\x31\x95\x63\x6a\x39\x21\x53\x26\xea\x45\x2a\xd0\x89\x9a\x52\x2a\x7a\x77\x96\x5b\x2a\xe6\x0d\x5b\x25\xff\xc6\x4d\x1d\xd5\x04\xd2\x8c\x61\x1f\x38\xce\x5c\x3a\xa3\x4c\x4f\x6c\xdd\x1b\xd7\xe9
\x65\xe3\x68\x77\x11\x89\x34\x65\x06\xe3\xcb\xba\xf7\x45\x3f\x03\x9c\x6a\xeb\xdf\x77\xa1\x38\x75\x49\x9d\x7d\xb3\xe0\x8f\x9c\x31\xd3\x53\x07\x49\x0e\x6d\x3c\x11\xee\x69\x77\xe6\x69\xcb\x1a\xa6\x42\x0d\x46\x19\x55\x05\x0e\x0c\xfb\xe0\xbb\x23\xd1\x31\x9e\xf3\x54\x21\xd8\x0e\x56\x5e\x5f\xc9\xb3\x0d\x6d\x0a\x4d\xa0\x54\x40\x61\xe6\x44\xeb\xa5\xb4\x7b\xc4\x8e\xce\x8b\x7f\x85\xd8\x23\xc9\x8c\x4b\xd6\xcd\x46\x4a\xcc\x49\xa2\x9b\xb6\x92\x6d\x2a\x95\x97\xc6\x4e\xdb\x8a\x4b\xa2\xca\x2d\xd7\xba\xd8\x0d\xa3\xba\x9d\xf1\x43\xb2\xb3\xcb\x44\xd6\xe5\xce\x04\xaf\xf3\x97\xf5\xfc\x4b\x0f\x5a\xf4\xaa\x07\x87\x61\x1e\xfc\x52\x11\xbb\xb4\x8b\x7e\xb3\xe1\xd4\xcb\x54\xac\x2b\x9d\x0d\x9d\xa7\xff\xbd\x18\x51\x35\x94\x67\x4b\x53\x0e\x8a\x20\x6f\x9b\x04\x2b\xe8\x13\x86\x81\x92\x29\x50\x5d\x35\xce\x04\xa1\xe1\xe0\x30\x4a\xb5\xdb\x61\x88\x47\x20\xf5\xbf\x6a\xe9\x10\xd4\x8b\x9a\xaf\xe2\xbc\x5a\x1a\x4f\x4e\xda\x0f\x61\x5c\x8d\x0d\x68\x2a\x55\xa5\x2f\x0d\x40\xe1\x38\xc8\x8c\x42\x99\xaa\x1b\x10\x04\x40\x01\x68\xde\x6a\xc8\xaa\x18\xfe\x60\x29\xbf\x63\xc6\x40\xef\x7f\xb9\x1b\x56\xa5\xab\xc2\x43\x97\xd1\xb2\xcf\x3b\xc0\x87\x7e\x8d\x52\x19\xe5\x67\x23\xa6\xc4\x98\x89\xcd\xd5\xba\x03\xc8\x4f\xbc\x41\x5a\x3e\x9b\x65\x2d\x26\xe2\xd6\x13\xc3\xdc\xce\x41\x4e\x1f\xa3\xe2\x20\xb3\xc2\xe3\x53\x91\xac\x65\x20\xed\x1f\x05\x14\x88\x05\xa4\x6e\x99\x34\xe5\xfe\xbf\x84\xe1\xbb\xa2\x5b\xa1\x30\xa9\xe0\x58\x4b\x62\x5d\xf2\xc2\xee\x4e\xc0\xd1\x0a\xff\xfa\x19\x17\x73\xd4\xf4\x12\xf5\xca\x22\x51\x93\xca\x27\x88\x7f\xd4\x7c\x9c\x69\xf2\x1d\xa9\x52\xf9\x8a\x99\xf2\x05\x31\x4c\x18\x2b\x00\x14\xdd\xe7\x56\x3d\xed\x90\xe3\x38\xda\x5d\x5e\x83\x6f\x16\x2b\x96\x37\x75\x17\xc2\xf6\x75\x8d\x9b\xb4\x1e\x8b\xc9\xdd\x8f\x2e\xb5\x21\xad\x81\x4e\xac\x65\x1a\x48\xef\x64\xbc\x45\xab\x60\xbf\xf9\xd2\xe6\x7f\x03\x18\x3d\x04\x4e\xd4\x37\xa8\xbd\x73\x04\x3d\x6a\x8a\x51\x90\xfb\x5c\xd5\x2c\xfe\x06\x89\xe2\xda\x08\xcd\x11\xaa\xe6\xf2\x5c\x50\xd6\xcc\xbd\x5f\x4e\xa7\xce\x9b\x51\xb5\x79\x46\xaa\x92\xf4\x1e\xfd\xc2\xb9\x19\xc8\x87\xa0\x70\xc5\x19
\xef\x60\x0f\xe1\x4d\x67\x66\x4e\xd7\xfc\x21\x1a\x09\xe9\x12\x9b\x13\xa7\x02\x4f\x2f\xeb\xc3\x01\x05\x81\xda\x84\xb4\x4b\xbe\xdf\xdc\x1f\x54\xb6\x3c\x8c\xfa\x8c\x8b\x5c\x98\x66\x49\x33\x3e\xee\xaa\xf5\x3e\x8b\xe8\x63\x24\x23\x78\xb0\xff\x6c\xff\x6b\x1d\x6e\x02\x70\x10\x68\x44\x84\xc6\x36\xb7\xc1\x34\x01\x8e\x3a\x73\x2a\x6b\x35\x2c\xfe\x08\x1f\x79\x0f\x00\x29\x96\x7f\xf1\x82\x0d\x57\xd3\x70\xc2\xa9\xf1\xbe\x05\x11\x00\xd5\xa8\xea\xc4\x24\x1a\x6c\x2b\x64\x0f\xe7\x3b\x16\x1d\x54\x38\x01\xf1\xeb\x2a\xbd\xea\x76\x9c\x51\x8c\xbd\x72\x71\xc6\xd6\x5a\xbe\x83\x66\x1d\x2f\xd2\x8e\x41\xb9\xad\x57\x5b\x95\x8f\xbb\xc5\xa4\x3f\x34\x12\x78\x65\x6d\x30\x0f\x21\xd8\xc7\x11\x61\xbf\xc2\x81\x2b\x2f\x7f\x36\x92\xc5\x75\x8a\x5f\xea\x82\x84\xcc\x43\x15\xe2\xdc\x16\x05\xd0\xb5\x82\x43\xa9\x79\xaf\x7c\x0c\xce\x31\x3e\x3e\x12\x7b\xaf\x93\x13\xf1\xab\x8c\x43\x75\x81\x36\x95\x86\x68\x9a\xe6\x9b\x86\x84\x47\xbf\xa6\x07\x98\x62\x0c\x68\x08\x00\x90\xc9\xf0\x49\x3c\x95\xa6\x4c\xa4\xf6\x78\xea\xa1\x4f\xe8\xcb\xc9\x08\x6e\xa9\x9c\x78\xa3\xd8\x16\x98\x42\xfc\xa3\xb0\xd2\x89\x40\x6c\xfa\x9d\x52\xf4\x1d\xf0\xb7\xfc\xfe\xb6\xe1\x0b\x7f\xb8\x84\x6b\x64\x6c\x6e\x17\x73\x32\x0a\xaf\xac\x2d\x38\x42\x72\x44\x93\x2e\xd2\x37\xb9\x83\x4f\x60\xc0\xbc\x4f\x9f\x6b\x18\xee\x82\xd4\xab\x52\x57\xd0\x33\x43\x13\x7a\x44\xa5\x21\x48\x42\x7e\x74\x72\x52\xc0\x61\xc8\x8c\x78\x85\x98\x58\x16\x3f\x76\x85\x65\xfe\xfe\x43\x03\xce\xab\xa9\x4b\x78\x6b\x6d\x9d\x0b\x69\xd0\xca\x92\x0e\x61\x52\x55\xe2\xb8\xc3\xfd\xd7\x8d\x8c\x19\x4e\x9c\x80\x49\xa9\xd1\x87\x77\x26\x85\xac\x98\xfa\x7e\x7d\xf5\x4f\x5e\xbc\xe1\xec\xc1\xcf\xc7\xa6\x2e\x85\x39\x32\xde\xac\xcb\x58\xd7\x9f\xec\xb9\x31\xd1\x46\x43\xec\x70\x20\xad\xe4\x9c\xce\x0a\x1e\x78\xe3\x4d\x71\x09\x60\x22\x31\x7d\x7a\xf5\x36\xb3\x8f\x72\xfb\xf6\x5f\x7e\x47\x63\xe6\xd1\xda\xd8\xc2\x6f\x56\xe2\xab\x4c\xdf\x77\x8e\x32\x64\xa2\xad\x20\x04\xcb\xce\x99\xb7\x7e\x6e\xc2\x72\xd6\xf0\x83\xd2\x08\x3a\x04\x2f\x67\x90\x8e\x14\x7e\x60\x1e\xd4\x2f\x20\x1f\x5b\x9f\x18\xe8\x9e\xaf\x48\xd3\x84\xee\xef
\xa0\xf9\xf9\xec\x38\x6a\x27\x4e\xcd\xab\xac\xd1\xe2\xdb\x6b\x90\xad\x98\xc4\x75\x66\x7d\x27\xfa\x72\x79\x08\xd2\x8e\x37\x45\xc3\x4b\x50\x15\xed\xd1\x30\xd0\xb7\xe3\xfd\x54\xdd\xea\x89\xe3\x7d\xba\xfa\x49\x84\x07\x59\xa3\x0d\x29\xe2\x1b\xb0\x9d\x95\x00\x3c\x28\x95\x18\x9e\x43\x9a\xb7\xb4\x12\xc2\x51\x61\x0a\xa7\xaf\xab\xef\x41\xe5\xab\xe2\x23\x53\x21\xf3\x22\xe8\xbd\x59\x24\xd7\x9a\x40\x46\x05\x37\x8e\x3b\xda\x60\xd2\x8e\xa5\x67\xe6\xa7\x39\x64\xa6\xdd\xd4\x3c\xfa\x1f\x5e\x0c\xb8\xbe\x45\x5e\x1f\x6d\xbc\xcc\xf7\x2c\xd1\xcf\x14\xe8\xe5\x07\xa1\xa1\x97\x9f\x1c\x2b\x43\xc8\xa6\x49\x29\x0b\xa5\x41\x37\xd1\xaa\x64\x73\x56\x8e\x39\x0a\x66\x59\x73\x82\x34\x92\xec\x2d\xce\x33\xc3\x9c\x88\xaa\x42\x47\xf1\x4f\x1f\x0e\x56\xad\xee\x32\x60\x80\xb7\x16\xdc\x55\xda\xe2\xa5\xed\x84\x2d\x79\x0d\xe3\xf1\xfb\xe3\x2f\x89\x51\xea\xb8\xdf\xa5\x4d\x77\x0d\xf7\x34\x27\x31\x27\x0b\xeb\x47\x04\x27\x7f\x3e\x1d\xc1\x69\x34\xaf\x90\x23\x50\xcd\x6b\x0b\x7a\x67\x1f\x26\x75\xf0\xdf\x88\x48\x31\xae\x06\x39\x26\x69\xd6\xbd\xa8\x49\x3b\x6b\xda\xf5\xae\x90\xf4\xc4\x5f\x8f\xb1\x91\x4e\x0b\xe0\x57\xf4\x5d\xb5\x01\x01\xb8\xbc\x6e\x64\x9a\xa6\x85\x60\x71\x22\x5c\x42\xc6\xee\x15\x7a\xdb\xda\x58\x42\x94\x2c\xca\x28\xfc\x4c\x7c\x08\xe7\xc2\xcf\x19\x81\x54\x2b\xe4\xab\x7f\x4b\xf6\xef\xff\x69\x2d\xfe\x65\xb4\x50\x80\xb2\x1e\xee\xf5\x29\x91\x71\xa1\xc2\xb7\x36\xf7\x0d\xa4\x31", 4096); *(uint64_t*)0x200066c0 = 0x1000; *(uint64_t*)0x200066c8 = 0xff00000000000000; *(uint64_t*)0x200066d0 = 0x20006480; memcpy((void*)0x20006480, "\x82\x92\x51\xfb\xd7\x0c\xae\xb4\x51\xcc\xf0\x9a\x96\xfb\xfe\x55\x9b\x21\x7a\x4a\x12\xcf\x46\xa3\x89\xd8\x2c\x55\xef\x7f\x5c\x64\xe4\x5e\x1b\x6f\x26\x95\x59\xa8\x5e\x8b\xcc\x23\x2b\xf1\x50\x0d\xcb\x9a\xf4\x0f\x69\x71\x65\xfd\xe6\x20\x9f\x8b\xf0\x01\x58\x5b\x6c\xca\xaf\xe1\x94\xcc\xfd\xb7\xf8\x99\x08\x04\xee\x77\xed\x9a\x34\x5b\x52\xa8\xd7\xe8\xf4", 87); *(uint64_t*)0x200066d8 = 0x57; *(uint64_t*)0x200066e0 = 8; *(uint64_t*)0x200066e8 = 0x20006500; memcpy((void*)0x20006500, 
"\x34\xe0\xc0\x82\xbd\x77\xb5\x1d\x0c\x9a\xb1\xbc\xde\x0a\xcc\x30\x81\x49\xf3\xe6\x4c\x75\xb7\x17\x3c\xda\x5f\x39\xd3\xb4\xa6\x2c\x60\xde\x76\xd1\x2d\x41\xce\xc1\xb7\xc9\xbc\x9e\x57\xac\xb7\x83\x42\x82\xa5\x75\x8d\x7c\x7e\x4b\x21\x71\x5f\xeb\xf6\xfb\xf1\x44\xad\x46\xcb\xf2\xce\xc8\x7f\x74\x01", 73); *(uint64_t*)0x200066f0 = 0x49; *(uint64_t*)0x200066f8 = 0x8001; *(uint64_t*)0x20006700 = 0x20006580; memcpy((void*)0x20006580, "\xe6\x09\x76\xf8\x6d\x91\xdd\x66\xce\xc0\xb1\xe3\x0e\xc8\x01\x16\x0b\x84\xcf\xb1\xf8\x60\x37\x03\xd1\x4a\x6b\x81\x5d\x22\xe1\x78\x3e\xed\x12\xce\x8c\x08\x0e\x3f\xfb\xf0\xb5\x30\x95\xf6\x96\x03\xfa\x76\xa9\x34\xa6\x0a\x05\x26\x34\x1e\xaf\xaf\xb3\x86\x7d\x13\xe8\x8d\x1d\x39\xe3\x70\xa0\x0d\xbe\x06\xdd\xc8\x40\xba\x74\x46\xa6\x25\x97\x06\x9e\x1d\xcd\x13\x8f\x82\xb2\x9f\xf7\x8a\xf1\xd1\xc3\x13\x3f\xe9\xc0\x4d\x73\x2c\xdb\x4b\x3f\x6a\xa2\x69\x89\x36\x9b\x5f\x6d\xca\x60\x00\xa0\x76\x73\x41\xbc\x2a\xaa\xcd\x69\xe6\x48\x62\x19\x15\xb8\xaa\x9c\xb2\x4c\x6b\xb5\xae\x3f", 141); *(uint64_t*)0x20006708 = 0x8d; *(uint64_t*)0x20006710 = 3; memcpy((void*)0x20006740, "flock=strict", 12); *(uint8_t*)0x2000674c = 0x2c; memcpy((void*)0x2000674d, "obj_type", 8); *(uint8_t*)0x20006755 = 0x3d; memcpy((void*)0x20006756, "/dev/vcsa#\000", 11); *(uint8_t*)0x20006761 = 0x2c; memcpy((void*)0x20006762, "obj_role", 8); *(uint8_t*)0x2000676a = 0x3d; memcpy((void*)0x2000676b, "bpf_lsm_unix_may_send\000", 22); *(uint8_t*)0x20006781 = 0x2c; *(uint8_t*)0x20006782 = 0; syz_mount_image(0x20005140, 0x20005180, 0, 9, 0x20006640, 0x10000, 0x20006740); break; case 32: memcpy((void*)0x200067c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200067c0, 4, 0x4800); break; case 33: memcpy((void*)0x20006800, "net/icmp\000", 9); syz_open_procfs(r[5], 0x20006800); break; case 34: syz_open_pts(r[9], 0x258102); break; case 35: *(uint64_t*)0x20007d00 = 0x20006840; memcpy((void*)0x20006840, 
"\xb3\xde\x0d\x9f\x2e\x1e\xba\x98\x79\xee\xf0\x8d\xbd\x42\xed\xd7\xd6\x22\xf0\x95\xe0\xce\x34\x29\xb6\x4c\x46\x70\x8b\xf7\xfa\x26\xe6\x9e\xc1\x57\xca\xa3\xe1\x6d\x60\xb3\xba\xf5\xb0\xd2\x46\xbf\xef\x95\x5e\x35\xf8\x55\x56\xc9\x61\x4a\x60\xb6\x5c\xae\x7c\x02\x3c\x99\x31\x8f\xc8\x5b\xc0\xab\xfd\x16\xbc\x78\xeb\x56\x31\x7c\xd8\xb8\x0c\x5f\x5a\x87\x85\x6c\x5c\xd0\xb9\x7f\xc2\x83\xcb\xc9\xd8\x35\xff\x9d\x70\x97\x2b\xd4\x20\x11\x69\xa3\x5c\x26\x99\xbf\x5a\x8b\x31\xad\x36\x07\x12\x10\x19\xe7\x33\x98\xb2\x28\xb9\xc5\x9a\xa5\xb5\xc0\x07\x16\x67\x66\xee\xe5\x91\x1d\x5d\x2f\x86\x4c\xb4\x2b\x84\x21\xf3\x8c\xb2\x1a\xa9\x36\x97\xe5\xad\x16\x6a\x96\x6a\xc9\x8a\xa7\x76\xfd\x27\x50\x02\x94\xc4\xdd\x1b\xac\xf4\x1f\xd0\x70\xe9\xe4\xa9\xe5\xeb\x70\xd2\xa9\x8f\x91\x5c\x13\x91\xfd\x75\xf5\xff\xec\xfa\xb4\x24\x25\xeb\x01\x6c\x33\xec\x19\xae\x67\xf4\xb1\x00\x08\x8e\x09\x0f\x03\x5d\x78\x14\x3b\x35\x94\x4f\x30\xa4\x9a\x77\xb8\xc5\xe2\xa0\x8e\x9f\x38\x1a\x8a\xfb\xcf\x48\xeb\xad\x84\x11\x45\x5f\xf2\xcb\x76\xa4\xa1\xb5\x57\xd1\x21", 254); *(uint64_t*)0x20007d08 = 0xfe; *(uint64_t*)0x20007d10 = 0x7fffffff; *(uint64_t*)0x20007d18 = 0x20006940; memcpy((void*)0x20006940, "\x33\x0e\xa7\x46\xd7\xdf\xb4\xa5\xe9\xf3\x3a\x32\x5a\x96\x88\xca\x04\xcd\x59\xaf\x72\x4b\x34\xf7\x0a\xe3\x70\xd4\xac\x73\xea\x9a\x65\xab\x00\x3f\x2c\xbc\x01\xaf\x11\x62\xc0\xfe\xfb\x2b\x7e\x4a\x0d\xcd\x3f\x2a\x8c\x23\xf2\xa1", 56); *(uint64_t*)0x20007d20 = 0x38; *(uint64_t*)0x20007d28 = 0x2eed; *(uint64_t*)0x20007d30 = 0x20006980; memcpy((void*)0x20006980, 
"\xef\xd5\x43\xd9\x2d\xc8\x23\xae\xf9\x1d\x85\xc4\x4c\x05\x58\x44\xe2\xaf\x47\xb4\xd5\xa6\x7e\x3a\x39\x59\xdc\x6d\x61\x7c\xd8\xe9\xb6\xc3\xf5\xbb\xf0\x5d\xa7\x3f\x04\xbf\x4f\x54\xa6\xf3\xd5\x36\x1d\xee\x72\x0d\x1f\xf9\xf6\x5d\x5d\x7c\x18\xb8\x65\x34\xf2\x91\x26\x21\xaa\x81\xb4\xc2\xd3\xda\xa1\xa6\x75\x38\xac\x5e\xfc\xf2\xe0\x08\xc7\x91\xd5\x91\x52\xdb\x5f\xa2\xd0\xa2\x3f\x39\x97\xbd\x1e\x25\x02\xe6\xfa\xdb\x36\x78\x88\x91\x84\x3e\x3d\xe1\xc4\x48\x3a\xea\x75\x22\x4b\x12\xed\xe3\x00\x6b\x96\x48\xdc\x76\x61\xa4\x6d\xa2\xd1\x46\xd3\xdf\x70\xa1\xd0\x4b\x2c\x64\x57\x8d\xaf\x21\x9d\xcb\xa1\xb6\x7a\xae\x08\x6a\x25\x41\xc4\xb9\xb4\xdc\x6d\x43\xc0\x76\x54\x4b\x4c\xf9\xcd\x57\xe6\xe2\x6d\x74\x21\x7d\x1d\x85\x46\x22\x4d\x85\xf6\x50\xa0\xad\x3a\xac\x78\xc0\xcf\x1d\x83\xa4\xad\xcc\x11\xc2\xe8\x4d\xf1\x88\x9c\x79\x20\x34\x7f\xe4\x04\x20\x19\x14\x72\x78\x62\xb4\x60\x22\x9c\xe6\x7a\x1a\x88\xde\x34\xaa\x73\xd3\x9b\xe6\x7f\xe9\x22\x10\x69\x92\x21\x10\x3a\xc5\xb4\x9a\x07\xff\x0b\x35\x48\x36\x3c\x87\x80\x66\xd5\xa0\xca\x8f\x56\x5a\x61\x6a\x04\x9a\x5d\x7b\x6e\x70\xba\xdf\x46\x49\xc5\x1a\xec\x86\x71\xfa\xa4\x44\xd7\xe0\xa6\x30\x4e\x27\x3c\x40\x5c\xc6\xf3\x48\xd1\x9f\xf1\x34\x8b\xac\xc9\x6e\xcf\x1a\x28\x11\x96\x18\xc9\x1e\x59\x42\xbb\xf0\xe2\xd7\xfc\x69\x97\xcf\x63\x30\xc1\x06\xa7\x90\x2c\xcd\xc1\xb9\xcd\x0e\x8f\x55\x93\x55\xd2\x6f\x81\xc7\x7e\x52\x48\x82\xd0\x27\x83\xf1\x5b\x05\x69\x69\x02\x36\xe3\xaa\x74\xb9\x6b\xcc\x5e\xf9\x0e\xae\x4a\x5e\x3a\xba\x2a\x56\x0f\x9b\x0a\x51\x3c\xe1\xa8\xce\xb0\xd2\x10\x36\x15\xf8\x28\xb0\x12\x5d\xf3\x2e\xec\x97\x11\x0e\xe2\xa5\x9e\x1f\x91\x37\x72\xa8\x59\xf6\x5d\x95\x3c\x20\xca\x8a\x0c\x6e\x85\x26\x61\xd8\x62\x93\xcb\x46\x72\x41\x3f\xfa\xfa\x27\x03\x2e\xda\x8d\x8b\x19\xce\x77\xd3\x5d\x13\x04\x29\x6d\x8d\xbe\xe1\xb7\xc3\x58\xfe\x5d\xdf\x94\xc4\x24\x11\xe2\x63\x62\xcf\x42\xa5\xc7\xc1\x89\x91\xe3\x92\x63\x31\xa2\xc7\x12\x36\x09\xe0\xa3\xc0\x5e\x42\xf1\x75\x97\x2e\x44\x5a\x6a\xe5\x71\x54\x06\x2e\x21\xe0\x56\x66\x60\x2a\x2b\xf0\x89\x1e\xe6\x56\x48\xe5\xa9\x67\xe
a\x16\x24\x84\x99\xc8\x2e\x74\xc1\x9e\xda\xfe\xcf\x24\x02\xce\x53\x21\xf5\xbb\x4e\xcd\xe0\x58\xa1\x17\x6f\x31\x0b\xb1\x33\x8b\x11\xdd\xc6\x0d\xce\x03\xc4\x72\x7f\x7d\xd3\xc2\x33\x5d\x50\xae\x49\x2d\xca\x1b\xd9\x8b\xe4\xaf\x07\x44\x29\x1f\xa2\xba\x1c\xd3\xe9\x3e\x6f\x1d\x9d\x1b\x43\x05\xc2\x76\x41\x18\x09\x4a\x16\x43\x6a\x01\x45\x98\xfb\x64\xc3\x4e\xad\x3e\x8f\x45\xd1\x1c\x4f\xc0\x62\xc1\x44\xc8\xe0\x52\x20\xfb\xdf\x4a\x8c\xab\x6e\x28\x8b\x5c\xfd\xef\xa7\xa0\x54\x23\xef\x2d\x4f\x3b\x3b\xee\x57\x68\xb2\x80\x34\xa0\x8d\xe8\x83\xb8\x17\x27\x8b\xd3\xe7\x85\xc1\x14\x32\x9d\x99\x2c\x58\x12\x15\xf5\x64\x4c\xcf\xa4\xe8\x94\x10\x1d\x5f\xa4\x30\x08\xd8\x03\xfb\x9b\xaa\xef\xd7\xdd\x4b\x88\x83\xb6\xe7\xa1\x7f\x4d\xdf\x48\x26\xcd\xd7\x11\x0f\xf2\xc8\x39\x53\x49\x06\x8c\xd0\xb9\x55\x0a\x3a\x2f\x5c\xbc\x0d\xb0\x6b\x1b\x31\x29\x2c\x54\x87\x9a\x17\x2f\x4b\xe9\x83\x9b\x1d\x76\x89\x6c\x4c\xcc\xd8\x84\x1a\x55\x92\xaa\xc1\xf5\x27\x2b\x6f\xda\x92\x46\x34\xb5\x07\x50\xb3\x82\x31\xff\x13\x3d\xa1\xfc\x86\xd1\x09\x8c\x82\x3d\xf5\xbc\xa8\xcf\xe8\xc0\x8b\xa2\xee\xe5\xa4\x65\x8b\x29\x17\xbf\x3a\xf4\xb4\xe4\xe4\x7c\x6b\x7c\x35\xa3\x96\x3e\xbc\x60\x44\xf2\x72\x88\xc5\xa3\xc1\xa2\xf5\xfa\x45\xa1\x28\xbe\x9a\x13\xde\xd8\xc2\xf6\x74\x5e\xcf\x4f\xa9\x47\x23\xf9\xf1\x63\x82\xf4\xdb\x48\xd0\xc8\x11\xfe\x8e\xed\xb8\xbf\x05\xff\x38\xe5\x78\xd4\x93\x76\x55\x02\x53\xd2\x61\x7f\x86\x30\x3c\x54\x3f\x88\x2a\xdc\x20\x08\x56\x4c\x8b\xa1\x3e\xcd\x19\x61\x3a\x63\x19\x3d\x94\xe9\xa7\x3b\x21\xea\x1d\xdd\x30\xb4\x82\xc0\x98\x69\xc0\xfa\x37\x13\x1c\x69\xcc\xd0\x33\xdd\x96\xd8\xee\x7c\x5f\x2f\x8a\x15\x2e\x84\xc0\xf6\x59\xe6\x0c\xe1\x69\xfc\xb8\x9d\xe0\x28\xbe\xa3\x9d\x05\xdf\x03\xcf\x22\x80\x70\x29\xc1\xaa\xe4\x59\x94\x0d\xd5\x4b\x78\xc0\xde\xde\x18\x72\x3f\x97\x2d\x96\x51\x6e\x19\x71\x9e\x5c\x9e\xd0\x06\x86\x0f\x24\x71\xa8\xe5\xb1\x8f\xcf\x0e\xf4\xba\x66\x81\xa4\x1f\xa8\x00\x9b\x7e\x03\xb4\x44\xf4\x5a\xb3\xcc\xa9\xbb\xbc\x58\x13\xd1\xfa\x05\x5a\xaa\x4d\x45\x44\x12\x33\xae\x7b\x69\xb7\x59\xe3\xdd\xe7\x66\xc0\xf3\xb1\x3
b\xf9\x68\xcf\x85\x65\x38\x28\x83\x55\x7f\x92\x5c\x21\x07\x58\x61\xec\x9f\x35\xc7\xcd\x44\x4b\xcc\x7d\x38\x1d\xc0\xd7\xaa\x75\x4b\xa5\x70\x66\xb9\x02\x78\x8f\x53\x85\x4c\xf9\xd5\x6c\xa7\x3c\x7a\xc8\x5c\xca\x67\xba\x50\x9e\xc3\xa7\xc1\xb4\x2d\x8c\x65\x4b\x34\xd8\x8d\xa8\xd2\xca\x85\xad\x4a\xe8\xb8\x65\xb6\xd2\xa0\xc1\xc4\x40\x76\x68\x53\x5c\x49\xf3\x49\xe2\x76\xf1\xa8\x67\x64\xef\x18\xe3\xb0\x8f\x1d\x1e\x3c\xc1\xb9\x3c\xde\x3f\x19\x78\x57\xfb\x48\xb5\xa5\xfe\xf3\x1a\x86\xfa\x00\x22\xd6\xa9\x6d\x81\x5c\x8c\x9a\xf9\xba\xdb\x7b\x88\x6e\xa0\x9a\xda\xc7\x32\xc8\xe4\xea\xfe\xb8\x47\x32\x18\xe7\x94\xbc\x6a\x71\x6d\x17\x16\xfe\xfe\xf8\x6f\x63\xd3\x2b\x66\x73\xb4\x35\xd1\x3e\xdd\xca\x42\x25\x7c\xfe\x07\x17\xfc\xa3\xa3\x9f\x00\xbc\xa6\x50\xf5\x46\x3a\x24\xc5\x09\x24\x25\x6d\x32\x07\xd2\x9c\x1b\x1c\x95\x10\x9e\x40\xda\xb6\x07\x78\x7f\xb7\x4c\x4e\x64\xfe\x4a\xca\xc6\x5c\x62\x83\xff\xcc\x11\xfd\x08\xa0\xbd\x1f\x49\x30\xa8\xbe\xea\x57\xa0\xdd\xa0\x28\x67\x86\x6c\x5b\x1c\xe5\x86\xb3\x2e\x7c\xd1\x8a\xb1\x6a\x27\x5d\x6c\xc0\x43\xa9\x90\xe1\xd7\x97\x0f\x79\xd5\xb8\x88\x0e\xef\x3f\xc4\xef\x4d\xe5\xe8\x40\xac\xd0\xed\xbc\xde\x6b\xf6\xfe\xdf\x3c\x6a\x2d\x25\x39\xfd\xaf\x27\x8f\x06\x97\x94\xd3\x0a\x09\xd6\x15\xe1\xe4\xa5\xa7\x61\x7e\x16\x24\x1d\xaa\xb8\x7f\xda\xd4\x93\xed\x9c\xf3\x26\xfe\x64\x7a\x40\xf0\x27\x9d\x6a\x9b\x2c\xdc\x0a\xbf\x36\x26\x41\x5b\x04\xfc\x83\x65\x10\xba\x62\x51\x38\x6c\xe7\xe8\xd2\xb4\xfe\x66\x3c\xfc\x3a\x5d\xe9\xcc\x31\x3e\x9e\x1f\xc1\x91\x27\xf0\x92\x07\xc9\x55\xf5\xa8\x48\x54\x81\xf4\x31\x92\x24\xfd\xf4\xc2\x78\x7d\x58\x3c\x3c\xaf\x7a\xcb\xec\x73\xab\x9b\x4d\x2f\x24\x52\x87\xdf\x9a\xe2\x9a\x16\x9c\x4d\x79\x5c\xd0\x3c\x90\x98\x33\x94\x46\xdc\x40\x23\x7b\x69\x89\x98\xb2\x42\x36\x28\x14\x8c\xec\xb0\x2f\x69\xd2\x64\x4c\xec\x88\xc9\x48\x94\xe0\x1e\x15\x87\xfc\x85\x37\x54\x50\xe3\x2c\xca\xdc\xdc\xae\xa6\x41\xd2\xdb\x62\x92\x22\x86\x60\xd0\x4c\x44\x67\x86\xc2\x58\xb6\xfb\xbc\x1d\x0b\x6a\x8a\x38\x18\x20\x0d\x48\x9c\x12\x67\x33\x92\x2c\x96\x61\x95\xa4\x00\x7a\x68\xd0\x47\x3
5\x78\xb4\x69\xb4\x43\x3e\xac\xbe\x09\x25\x20\x24\x4d\x84\xda\x89\x24\xb9\x0d\x7f\xa1\xad\x31\xdb\x50\x1f\x16\xa5\x9d\x3d\x9e\xb7\x22\x10\xd0\x58\xb3\xd1\xfa\x4d\x87\x6d\x5b\x40\xbc\xff\x5a\xdf\x08\x6e\xbd\xc2\x64\x7b\x1b\x6f\x88\x21\x1b\xbd\xf5\x47\xf1\x69\x8e\x11\xab\xb7\x3d\xd3\xa5\x88\xd9\xca\x26\xd9\xff\x5b\x2d\x28\xd1\xe1\x76\xbe\x8a\x7a\xdf\x2e\x3e\x3a\xe1\x37\x39\x31\x12\xf5\xaa\xa8\x81\x81\x48\x82\x93\x9d\xfe\x71\x72\x1f\xa9\x2b\x89\x62\xbb\x8d\x94\x0f\xe1\xe3\x94\x8d\xef\x40\x33\xa0\x9e\x9c\x04\xca\x7e\xa8\xb5\x49\x69\x5c\x5f\xf6\x6c\x07\x73\x95\x02\x6d\x82\x57\x6d\x37\x9b\xd9\xcd\xed\x06\xff\xcc\x3a\x6f\x8b\xd5\x48\xc0\xf6\x8d\x4d\x3d\x72\xae\x27\xd8\x28\xb2\x7a\x58\x2b\x14\x88\x6d\xad\x1f\xc3\xe6\x35\x31\xc2\x87\x0f\x31\x59\xf8\xd4\xbd\x44\x94\x80\xc4\x5d\xd2\x7a\x29\x34\xdf\x90\x79\x7c\x04\x94\xe0\xf8\xef\x82\x89\xae\x41\x06\x26\xd4\xfa\x96\x6d\x82\x44\x3a\xdc\x52\x43\xfd\xb2\xc4\xdd\xff\x85\x50\xaf\x53\x38\xef\x2d\x1c\x41\x3b\x4b\xd4\xb3\x08\x20\x9c\x20\xe9\xc3\xa0\x08\x0a\x23\xd1\x6a\x31\x08\xa1\x05\x07\x83\xd4\x4b\xa9\x2a\x95\x59\x05\x08\xd3\xa5\xcf\x44\xfc\x6a\x4a\xf2\x47\x7f\x86\x64\x28\xbc\x11\x3c\x1c\xc8\xf1\x23\xda\x46\xca\x0a\x03\xc5\xdb\xd1\xf6\xe5\x75\x45\x84\xd8\xa4\x10\x3b\xd2\x3f\xa5\xe1\xf6\xf3\xac\xb1\x54\xff\xed\x12\x8d\x0a\x64\x58\x29\xd3\x34\x1a\x25\xe8\x7a\xe7\x81\x86\x2a\xbc\x7a\x15\x90\x21\x12\x4c\xfb\x03\x57\x1a\x73\xce\xef\x60\x36\x81\xf5\xe5\xe1\xe1\x57\x4d\xb3\x01\x6f\xf5\xa1\x3d\x9b\xfe\x7e\x8a\xc8\x1a\x09\xa9\x05\x23\x7e\x39\x0a\x57\x72\xd3\x61\xed\xbe\x58\x08\xe9\xd8\x59\x4f\x77\x6b\x00\x05\xe0\xc3\xd0\xf7\x1d\x66\x6c\x9d\x4d\xc4\x93\xd0\x16\x3d\x88\x54\x72\x32\x75\xd8\x50\xac\x1b\xf7\x81\x83\xa7\x75\x18\xf0\x1b\xb3\xa2\x80\xf3\x9b\xbf\x60\x6d\xef\x4f\x89\xb1\x1e\x2b\xb8\xd9\x9f\x8a\x32\x98\x5e\xd9\xbc\xb4\x2f\x11\x0b\xd2\xbd\xda\x26\x37\x6d\x9d\xaa\x70\xe1\xe6\x57\x5f\x11\xba\x7e\xf2\x69\x90\x8e\x10\x19\x48\xf5\x70\xb7\x69\x0e\x0b\x5d\x35\xed\x98\xcb\xdd\x2f\x36\x37\xb9\xf8\xf7\x8b\x2f\xfb\xc2\x93\x18\x8f\xf2\x77\x7d\xb0\x5
0\xaa\x21\x9d\xde\x78\x8a\x77\x0c\xb6\x24\xd6\x61\x70\x01\x81\x7d\x6d\x5c\x7a\x5b\xd3\x9c\x51\xff\x12\x8e\xac\x71\x2b\x9d\xb9\xc6\x0a\x74\xbd\xb7\x82\x0a\x35\x72\xa5\x09\x1c\x30\x84\x33\x92\x86\x27\x9d\x9c\xeb\x24\x41\x48\x90\x6d\xab\x1d\xed\xb6\x23\x79\xb1\x45\x97\xb7\x34\x89\x07\xfb\xa5\x54\x24\xe8\x78\xc1\x94\x98\x5c\xdc\xb2\x11\xb7\x1b\xdf\x38\x06\x33\x9a\x53\x00\x6a\x90\x06\xc7\x46\xbc\x49\x10\x8c\x81\x00\x93\x8d\xc2\x4a\x08\xd5\x7b\x01\x3f\x41\x03\xd8\x7d\xf3\x10\x85\x84\x05\xd0\x6f\x05\x9b\x65\xcd\x54\xae\xa1\xd0\xf1\x5c\xb2\xa4\x1b\xc8\x67\xd2\x2c\xb9\xd6\x7c\x31\x0b\x05\xa4\xf9\x40\xbd\x2e\x7a\x58\x63\xc8\xe1\xc8\x0d\x3a\xd0\x7b\x21\x50\x4b\xf2\x13\xda\x5c\xb3\x8f\xb6\x52\xa4\x7c\xcd\x7a\x5c\xfa\xfa\x0c\x3f\xfe\x2a\xac\x76\x25\xa9\x55\x88\xec\xd7\x7a\x95\x93\xd0\xbf\x2e\x7d\xf7\x99\x9f\x02\x44\x33\x5a\x9f\xac\x01\x5c\x32\x27\x30\x09\xd1\xf8\x65\xdf\xb8\x73\xc6\x5f\x52\xe9\x08\x1b\x02\x2b\x99\xb0\x15\x86\xf5\xfb\x15\x84\xfd\x9b\x1f\xda\xf8\x6c\x78\x3f\x61\x77\x2a\xff\x11\x78\xe0\x8d\x5b\xd0\x67\xb6\xfd\x23\x3d\xb8\xc4\x32\xfa\xbb\xd0\x0a\x53\x0f\x1c\x40\xb5\xf0\x5f\x78\x83\x49\x50\x59\xd1\xb5\x8b\x95\x23\xd1\xf5\x25\x57\x36\xb2\x3f\xf5\x6c\xab\xb4\xcb\x71\x0e\x43\xa7\x0f\x71\xcf\xfd\x17\xe3\xfa\xe9\x04\x36\x34\x86\x9f\x16\x6a\x95\x8c\xa5\xde\xc6\x39\xb8\x5b\x21\x34\x09\x6e\x69\x7c\x24\xe3\xb0\xa8\xcf\xb1\x94\x22\xff\x01\xf4\xeb\xef\x24\xb7\x23\x3d\xe1\xa0\xf8\x9c\x80\xe2\x31\xb8\x45\x9f\x53\x1a\xc2\x3e\xb1\xa2\x37\x3b\x3c\x58\x07\xee\x65\x52\x70\x71\x52\xa3\x16\x95\x55\xa6\x63\xd1\xbf\xb4\x53\xc8\xc3\x80\xc5\xa5\x2c\x95\x8e\x30\x2d\x4d\x75\x28\xaa\xb5\xd0\xa6\x68\x92\x30\x80\x98\xb5\x66\xa1\x36\x7c\xbf\xd9\xa3\xa4\x6c\x5f\xb7\x72\x25\xb7\xb6\xf9\xf9\x2e\xd0\xbc\x85\xbc\xbc\xf1\xb4\xfd\x27\x60\xb9\xf5\x09\xd2\xd1\x1c\xd0\x55\x71\x44\xb1\xc8\x9f\x9f\x7f\x24\x95\xd0\xc9\xea\x6c\x76\x7f\x1f\x92\x57\x07\x01\xa3\x3c\xed\x47\x70\x36\xd0\x6b\xbe\xad\x08\xc0\xb4\xa8\xab\x4a\x57\xd8\xd9\xb7\x58\xce\x05\x89\x1e\xc7\x29\x01\x4e\xb7\x12\xc3\x3d\xcb\x52\xef\xe8\xde\xd2\x2
3\xb6\x17\x82\x24\x43\xbf\xa9\x55\x14\xd9\xa8\x2f\x6b\x9f\xed\x17\xb2\x24\x45\xf6\x92\xfc\x87\x03\x74\xc0\x82\x6a\x9f\xa4\x31\x53\x84\x93\x68\xaa\x1f\x93\x05\x2e\x48\xf8\x8e\x8f\xe9\xaa\x1b\xa8\x29\x15\x85\xe5\x9d\xa0\xf6\x8f\xd0\x4b\x8f\xa4\x50\xe9\x65\x4d\x92\x0c\x2b\x82\xc9\xc2\x9a\x79\x01\x5d\x0e\x30\x2b\xef\x5a\xbc\x9f\x42\x92\xfd\x4b\x58\x2d\x58\x83\x0d\xfc\x71\x72\x53\x19\xbf\x39\x69\x2b\x0f\x3d\x72\xa3\x20\x4d\x62\xe4\xcd\x21\x9f\xd2\x64\x7a\x9b\xc3\xda\x61\xb7\x02\x69\x9d\x01\x5f\x9f\x15\xbf\xfb\x27\xb6\x13\x3e\xc4\x31\xe4\xad\x67\xf5\xc1\xb4\x6f\xc6\x2e\x29\xd4\xae\x4b\x07\xfa\xb0\x7f\x01\x43\xe8\xe5\x4f\xea\x1e\x62\x90\x51\xd6\xd7\xc1\x9a\xf8\x93\x16\x61\xd8\x49\x57\xad\x2a\xe7\xb5\x21\xbd\x62\x46\x8a\xa0\xa8\x51\x65\x39\x04\xbb\x93\x25\x37\x6f\xd2\xd8\x31\x34\x03\x56\xd9\xbd\x27\x82\xbb\xc4\x6e\x1c\x03\x06\x95\x53\xd2\xb0\x5d\x17\xbb\x4d\x86\x44\xa0\xdf\xc0\x28\x6d\x4e\xbd\xfb\xf1\xfa\x85\xf0\x01\x5d\xa2\x66\x70\x90\x9c\xe8\x40\x27\x2d\x1d\x62\xc8\xd0\x27\x87\xd5\x65\x20\xd3\x09\xe4\xbc\xfc\xc8\x46\x47\x4d\x42\x82\x64\x17\x98\xda\xd1\x77\x9c\xce\x11\x39\x2a\xc5\x37\x91\x73\x35\xb4\xf9\x12\x4e\xd1\xe2\x54\x05\x29\x66\xab\x2c\x15\xdc\xd1\xbc\x1c\x3c\x52\x0f\xef\x4b\x3b\x17\xfe\x6f\x63\x60\xd0\x7b\x2c\x08\xac\x64\xc7\x5f\xcd\xf5\xf9\xea\xc2\x11\xdb\x24\x7a\x22\x7a\x65\x9e\x10\x67\x55\xe1\xba\x53\xab\xa6\x7c\x83\x16\x62\x19\x02\x26\x98\x4d\xc0\x36\x98\xdc\x56\x7a\xa9\x6b\x51\xd2\xe6\x9f\x53\x0a\xdd\xd9\xb4\xfd\xbf\x3a\x0b\x20\xaf\x2a\x18\x4c\xba\xf5\x3a\x35\x63\x4c\x8f\xe3\xd6\x3e\xc1\x5c\x50\x6b\xf0\x2c\x35\x30\x27\x59\xfe\x32\xad\x28\xc1\xd4\xb4\x9e\x94\x81\x6b\xb0\xf3\x28\x22\x81\x6b\x40\x55\x7c\x65\x0d\xa4\xae\x59\xca\x64\x5d\x5a\x4d\x61\x72\x90\x3c\x25\xe0\x0a\x22\x9e\xaa\x0c\x52\x6c\xff\xba\x53\xfc\xa4\x4a\xa1\x63\xc7\xf5\xfb\x49\x59\xa2\x16\xd6\xda\xd9\xe1\x9f\x28\x2b\x99\x45\xd2\x47\x6b\xbc\x01\x33\x78\x51\x31\x11\x8a\xd4\x6c\x3f\x93\x31\xc4\x15\xe7\x0d\x35\xe0\x6f\xa7\x1c\x2a\xa8\x78\x13\x2e\xd7\x70\xa0\x4f\x07\x21\xa5\x66\x55\x02\xdd\xed\x28\x3f\x7
0\xae\x9a\xb7\x2e\x48\xcf\x03\xc0\x1d\x80\xf6\x8e\xce\x54\xde\x88\xaa\xcb\x2c\x41\xc5\xd7\x46\x2f\x9b\x73\xf6\xc2\x74\x17\x09\xc8\x3e\x20\x08\x4d\xd8\xf9\xd8\x55\xc4\x1a\x0b\xfb\xe1\x07\xe6\xe4\x7a\x65\xc2\xb1\xee\x50\x07\xe9\xd5\xf2\x51\x18\xa2\x95\xfc\x63\x13\x24\x3d\xf5\x4c\xdd\x92\xab\x4d\xce\xdb\x21\x0d\xd8\x3b\xe1\xb0\x58\xae\x1e\x37\xa7\xac\x51\xb9\xc8\x9b\xf9\xec\xa4\x23\xc9\x1d\xb0\xd4\xa4\x21\x34\xa9\x3c\x89\x79\xa0\x3a\x2d\xe5\x3e\x45\xe6\x41\xa2\xd4\x0f\x41\x0b\xc1\x1a\x96\x82\x04\xf7\x2c\x96\xe5\x06\x64\xdc\x29\xbe\x41\xa4\xaa\xc4\xe0\x7e\x9c\xdf\x23\x9f\x59\xc9\x68\x7b\xd7\xdc\x65\xce\xab\x07\x6b\x13\x19\x41\xbb\x15\xc4\xf9\xf4\xc1\x7d\x73\x50\x78\x05\x88\xfa\xcf\xfd\xbc\x1e\xaa\xeb\x44\x06\xb9\x56\xda\x73\x3e\xd0\x9e\xb4\x86\x04\xa0\xed\x4a\xad\xcb\xbd\x94\xa8\xee\x07\x93\x10\xfe\x26\x12\xa6\x69\xe5\x62\x39\x17\xee\xc2\xb1\x2a\xd9\xc8\x6a\xf9\x75\x7a\x51\x75\x9d\xbb\x00\xdf\x2e\x03\xe3\xd3\xa7\x0b\xd2\xc0\x2f\x9f\x08\x44\x4f\x4e\x06\x50\xed\xfb\x27\x86\xca\x57\xd3\x63\x09\x43\x55\x68\x32\xa3\x28\x92\x30\x1b\x58\x85\x9e\xf2\x40\x07\xf7\xa7\xd9\xb4\xaf\xc2\x37\x03\xc4\xfb\x90\x77\xa0\x7d\x2e\xa8\xd3\xa2\xb4\xf0\x15\xde\x7f\x31\xfc\x30\x65\x45\x81\x6b\x6b\x67\x0a\x45\xcf\xf4\xa9\x1b\x60\xa1\xfb\x47\x8b\x08\x9c\x67\xf4\x59\xca\xaf\x5f\xce\x92\x65\xfe\xa0\xc7\xec\x06\x52\xcd\x11\x30\x56\x23\xb0\x4c\x0a\x9d\x1a\xec\x65\x71\xc6\xa4\x66\xdc\x7a\x7b\xec\x75\xfc\xf9\x84\xd6\xa9\x63\x69\x86\xbe\xce\xf1\x41\x8b\x69\x4e\x82\x0e\xe2\x46\x2f\x26\x87\xe0\xb6\x8b\xa5\x1c\xbd\x03\xba\x76\xb4\x3f\xd7\xcb\xa0\x1a\xf2\x3f\xf9\x8f\x74\xb7\x64\x46\x35\x27\xc6\xc3\x97\xe1\xc8\xe8\xb2\x22\x58\x74\xcc\x74\xf9\x58\xa3\x1a\x28\x41\x4f\x17\x0c\x2b\x4c\xbd\x90\xc8\x49\xcc\xd5\x4f\x91\xbc\xe2\x90\x8e\x3b\xbc\x21\xb3\xd5\x60\x4a\xa3\x37\xc7\xfb\x1f\x81\x0c\x10\x32\x16\xbf\x44\x43\x39\x04\x3d\x52\x33\x30\xee\xe7\x3b\xf0\x86\x6d\xa3\xf3\xf7\x28\x87\x7f\xbb\x54\xe2\xf9\x28\x42\x3a\x16\x72\xcc\x9b\xa3\x1b\xc6\x86\xa6\xd1\x98\xef\xeb\x36\x18\xd5\xe9\xa1\xb0\x81\x9c\xf6\xb9\x33\x8c\x56\xc
4\xb7\x88\x46\x9f\x53\x2c\xdf\x92\x30\x66\xd1\xba\x46\xa5\x69\x60\x34\x2b\x79\xb0\x9e\xc8\x67\x9e\xa3\xca\xa4\x33\x65\xb8\x11\x25\x7a\x24\x49\xff\x92\x74\xf6\x61\x2c\xb0\x53\x0d\xd8\x67\x8c\xf1\x8b\xc1\xf9\x1f\x44\x7f\xad\x7b\x95\x8f\x3d\x0a\x19\x77\xce\x78\xd1\x02\x82\x9f\xe4\xb8\x3b\x56\x59\xc8\x15\x5a\xf4\xd2\xc0\x5d\x73\x15\xd1\x48\x63\x00\xe6\xda\x08\x46\xa5\x94\xd5\x10\x67\x3b\x0e\x74\x72\x78\x85\x59\x00\x9d\x74\x49\x0e\xc9\x87\x1d\x9f\x0f\x73\x69\x9d\x97\xfb\xe3\x03\xcb\x4d\x63\x5f\x54\x2e\x95\xc7\x84\xa5\x38\x71\x27\xdc\x45\x44\x83\xf9\x50\xf7\x65\xa8\xe9\x04\x63\x9e\xf4\x13\xc7\xd5\x81\xaf\x20\xdf\xb2\x85\x95\x58\x01\xab\x7e\xc4\xbe\x4d\x1b\x28\x79\xde\x66\x2d\xde\x2c\xfc\xd6\x60\x4e\xc0\xaa\x07\xa5\xa6\x71\xf5\x4a\x4f\x28\x53\xee\xdc\xa5\x6b\xaf\x00\xf0\x79\x27\x09\x59\x58\xdb\x7d\x32\x5e\x86\x3f\x64\xa9\x05\x6b\xd8\xe1\x03\x85\x99\x21\x46\x3d\x17\x54\x04\x2b\x85\xdc\xd9\x4d\x93\x3e\xf2\x08\x7d\xbe\xf5\x7d\x9a\x3a\xd9\xfe\x8c\x64\xa8\x79\x95\x87\xa3\xec\x23\xb9\xb2\x52\xf0\x3b\xfc\xe4\x2f\x01\x7e\xad\xfd\xbe\x97\x3e\x84\xe9\x02\xe3\x6b\x96\x61\xef\xae\xf4\x09\xc9\x15\x30\x8d\xce\x9a\x22\x2a\x9c\xb1\xdb\x52\x15\xc0\x00\xfc\x44\xd3\x72\xfb\x18\x64\x25\xcd\x07\x8b\xee\x77\x70\xf1\xfa\x60\xff\x2d\x0e\x34\x47\x25\xa5\x1a\x5f\x47\x8f\xe9\x6b\xfb\x9a\x18\xb6\xcb\x54\x2b\xf3\x94\xbe\xd0\x22\x18\x51\x8f\x1d\x38\x1d\x5a\xa2\x1f\xdc\xd4\x43\xce\x84\xc1\x80\xa6\xa8\xcf\x65\x47\xef\xfa\x46\x27\xca\xe9\x35\x51\xa7\x56\x4f\x0d\xac\x6e\x37\xc5\xf0\x68\xed\xda\x00\xb4\x7a\x6f\x2d\x33\xb5\x4c\x36\x81\x12\x8e\x83\xad\x17\xb0\xf0\x98\x45\x6b\x9e\x97\xf3\xe0\x2c\xe3\x91\x51\x5f\xfb\x0c\x05\x11\xa3\xd8\x31\x21\x15\x38\x2c\x15\xb0\x98\x61\xef\x75\x0c\x00\x06\xe9\x6c\x91\x84\xe1\x7d\xb2\x45\xb0\x25\x5c\x44\x07\xfe\x4b\xd6\xee\xa4\x3f\xd8\xc5\xe8\x03\x48\xcb\x91\x6e\x9d\x04\xb4\x9c\x24\x83\x91\x1b\x6d\xee\xce\x26\xd2\xb6\x57\x62\x64\x3a\xa0\x41\x7b\xe2\x76\x8b\x67\x3a\x22\xad\x58\xe6\x67\xf5\xef\x4e\x22\x28\xdb\x9b\x79\x39\xd8\xf9\x12\xde\x32\x47\x43\x25\x15\x50\x90\xb1\xd9\x74\x1
a\xce\x41\x55\xd6\x45\x83\xec\xfb\x57\x00\x30\x1d\x73\xed\x2a\xbd\x15\x64\x08\xca\x5e\x1b\x88\xba\x75\xf8\x4a\x4b\x83\x4d\x4f\x53\x20\x15\x77\x3e\x9f\x8d\x4a\x36\x50\xf8\x98\x41\x91\x11\x4f\x0f\xdb\xaa\x54\x40\x5b\xf5\x1f\x8b\x1a\xfe\x53\x2f\x74\xc1\x5a\x37\x08\xeb\x93\x70\xfa\x83\x16\xfe\xef\xac\x4e\x43\xf8\x55\x50\x6f\x5d\x98\x72\xb6\x03\x63\x56\x70\x11\xcc\x33\x08\xa2\x02\x6d\x00", 4096); *(uint64_t*)0x20007d38 = 0x1000; *(uint64_t*)0x20007d40 = 0x4065ebb7; *(uint64_t*)0x20007d48 = 0x20007980; memcpy((void*)0x20007980, "\x11\x2a\x65\x7c\x27\x70\xad\x17\xf2\xe7\x77\x62\x16\x0b\xb1\x4f\x2f\x71\xa1\x7b\x88\xfd\xb9\x46\xf9\x19\xb2\xdf\xd3\xef\xd6\x16\xe3\x11\x24\xff\x47\xee\x66\x8f\x60\x65\xa0\x43\x5a\x79\x1a\x74\x39\xd8\xaa\x10\xdc\xc4\x18\x19\x2d\x82\x1e\x36\xfc\x08\x20\xd7\xcc\x0f\x88\xb0\x88\x91\x6d\x78\x6f\x01\x42\x6f\xa4\x6b\x21\x4d\xe8\x22\xd2\x4e\x4d\x6c\x78\x5f\xea\xc4\x58\xd9\x86\x35\xc4\x80\x16\x72\xbd\x4e\x74\xfd\x40\x75\x39\x32\x12\x11\x52\xae\x0e\xad\x77\x1e\x3a\xbc\x7f\x74\x1e\x39\x3b\x32\x85\x26\xe5\xec\x29\xe8\xe0\xd9\xb3\xa2\xbe\xbc\xd0\xeb\x34\x72\xa4\xbd\x8e\x50\xf9\x53\xed\x17\x3b\xa2\x71\xfb\xe9\xf9\xd9\xc4\x63\xc7\x9f\x44\xd0\x93\x15\x4f\xfe\xf5\x9c\x93\xad\xa7\x83\xb4\x72\x7f\xc3\x5b\xa6\xc0\xdb\x25\x18\x93\x9c\xb3\x5f\xb3\x30\x1d\x4c\xf7\x2d\x25\x24\xf8\x3a\xc4\xab\x57\xa8\xac\xfc\x93\xa9\x9c\x26\xcc\xae\xe0\x56\x63\x71\x22\x94\x96\xe9\x30\x21\xe8\x6b\x95\x60\x21\xa4\x67\xf3\x4b\xe6\x6e", 226); *(uint64_t*)0x20007d50 = 0xe2; *(uint64_t*)0x20007d58 = 0x6d69; *(uint64_t*)0x20007d60 = 0x20007a80; memcpy((void*)0x20007a80, 
"\x62\x98\x25\xe3\xcb\x9c\x42\x73\x28\x10\xeb\x62\xf1\xff\x47\x85\x71\x8f\x7a\x30\xc6\x39\x40\xf2\xea\xdf\x19\xda\xe8\x20\xfe\xb9\xb7\xb3\x58\xf7\x41\xb8\x34\x16\x4a\x9a\x4a\xc8\xce\x39\x8c\x23\x16\x07\xf5\x23\xa2\x6d\xb9\xe0\xae\xca\xc1\xd1\xe8\x90\x22\xd1\xcd\x50\xd6\x44\xf2\x46\x6b\x25\xec\x09\xc6\xd6\xef\x4f\x0b\x3e\xf5\x92\xd1\x40\x8d\x04\x9d\xa4\x9b\x95\x3b\x32\x7e\x12\x3c\x6f\x19\x63\xc2\xf7\xa9\xe3\xcc\x7e\x0c\x52\xed\x1e\x17\xd0\xa8\xb7\x94\x66\x68\x75\xb2\x0b\x07\xa0\xf5\xc2\xc7\x6d\x96\x32\x90\x9f\x76\x9e\xb2\x5b\x16\x27\x37\xbe\xa1\x31\xf5\xc2\x70\xb3\x24\x9f\xd6\x5c\x25\x5e\x68\xb6\x80\x27\x1d\x0c\x11\x19\x67\x15\x17\x77\x44\xe7", 162); *(uint64_t*)0x20007d68 = 0xa2; *(uint64_t*)0x20007d70 = 9; *(uint64_t*)0x20007d78 = 0x20007b40; memcpy((void*)0x20007b40, "\xd1\x09\x17\x49\x23\x3d\x1e\x7e\xc5\x06\x53\xf3\x01\xa7\x34\xf5\xdd\x67\xac\x1e\x74\x89\x23\xe4\x4c\xce\xde\xeb\x3e\xa2\x34\x74\x58\x96\xab\xcb\x80\x03\xed\x61\x60\x5b\x5d\xff\xa8\xa9\xaf\x0a\xa1\x2e\xd9\x02\xd4\xa3\x5a\x92\x60\xc5\x3a\xb6\xa6\x21\xe2\x10\xe6\x1e\x40\x02\x83\x8d\xc2\x9e\x2f\x79\x8b\x4c\xbe\x0e\xd0\xc1\x2a\x33\xc6\x9d\xdd\xa4\x46\xb9\xb8\x84\xfc\xbf\xe2\x81\x99\x18\x4b\xd4\xae\xb0\x97\xd0\xd9\xa3\x93\xb6\x99\xd1\xf5\x5a\x57\xd8\x30\xda\x49\x7d\x79\xb9\xbd\x7d\xbc\xdb\xfe\x7e\x16\x8d\x60\x07\x61\x1d\xb9\x67\x33\x57\x4f\xb1\x50\xf4\xe9\x09\x91\xc7\x0f\xc1\x9e\xdb\xa6\xbe\xed\xc5\xa7\x21\x69\x36\x6a\xe5\xfc\xa5\xc1\xcb\x41\x3b\xbc\x54\xff\x8f\x12\x7d\x1b\x94\xcf\x99\x42\xb5\xc9\xbe\x5f\xbf\xc9\x39\x46\xbf\x1d\x0b\x28\x9a\x74\x42\xfb\x05\x7a\xdb\x0a\xe7\xfa\x41\x89\xd5\xe5\xfe\xfc\x75\xed\x5d\x26\x0b\x3c\x2c\x24\x45\xd4\x95\x79\xe6\xb3\x69\xe3\x96\xda\x16\x2d\x94\x05\x59", 224); *(uint64_t*)0x20007d80 = 0xe0; *(uint64_t*)0x20007d88 = 6; *(uint64_t*)0x20007d90 = 0x20007c40; memcpy((void*)0x20007c40, 
"\x76\x8d\x82\xc4\x7f\x16\x6e\x25\x25\x30\x91\x5b\x63\xb4\x0d\x9e\xba\x4b\x95\xfe\x08\x78\x93\x45\x3f\x37\x3a\x94\x38\x9e\x11\x20\x98\x1c\xb4\x45\x76\xa2\x05\x1c\x41\x58\x40\x0a\x59\xb9\xc8\xa9\x40\xcc\xae\x28\x26\x41\x4e\x14\xad\x55\xc7\x2b\x04\xf8\xfa\xbf\xe8\x64\x62\x40\x9b\x3a\xb2\xa0\x75\xea\x92\xc8\xbd\xdc\xd2\xb2\xfc\x0f\xd7\x7a\x97\xbc\x27\x1e\xcd\x43\xdd\x60\x5f\x29\xb9\x90\x83\x7b\x40\x9e\xed\x59\x65\xdd\xb3\xfb\x1b\x91\xe5\xbf\x12\xdd\xbc\xf2\x1c\x90\xc7\xef\x2f\x0a\xb9\xbb\x03\xf7\x2a\x64\x7c\xe8", 128); *(uint64_t*)0x20007d98 = 0x80; *(uint64_t*)0x20007da0 = 0xfffffffffffffff7; *(uint64_t*)0x20007da8 = 0x20007cc0; memcpy((void*)0x20007cc0, "\x46\xc0\xce\x89\x20\x30\x5b\x2c\x7f\x63\x6e\xdb\xb1\x65\x92\x0d\xb7\x8c\x61\xf8", 20); *(uint64_t*)0x20007db0 = 0x14; *(uint64_t*)0x20007db8 = 0xfffffffffffffffa; syz_read_part_table(9, 8, 0x20007d00); break; case 36: *(uint8_t*)0x20007dc0 = 0x12; *(uint8_t*)0x20007dc1 = 1; *(uint16_t*)0x20007dc2 = 0x300; *(uint8_t*)0x20007dc4 = 0x94; *(uint8_t*)0x20007dc5 = 0xe8; *(uint8_t*)0x20007dc6 = 0x2e; *(uint8_t*)0x20007dc7 = 0x40; *(uint16_t*)0x20007dc8 = 0x789; *(uint16_t*)0x20007dca = 0x160; *(uint16_t*)0x20007dcc = 0xf578; *(uint8_t*)0x20007dce = 1; *(uint8_t*)0x20007dcf = 2; *(uint8_t*)0x20007dd0 = 3; *(uint8_t*)0x20007dd1 = 1; *(uint8_t*)0x20007dd2 = 9; *(uint8_t*)0x20007dd3 = 2; *(uint16_t*)0x20007dd4 = 0x764; *(uint8_t*)0x20007dd6 = 2; *(uint8_t*)0x20007dd7 = 4; *(uint8_t*)0x20007dd8 = 0x8f; *(uint8_t*)0x20007dd9 = 0; *(uint8_t*)0x20007dda = 0x7f; *(uint8_t*)0x20007ddb = 9; *(uint8_t*)0x20007ddc = 4; *(uint8_t*)0x20007ddd = 0x40; *(uint8_t*)0x20007dde = 0x3f; *(uint8_t*)0x20007ddf = 0xe; *(uint8_t*)0x20007de0 = 0xbb; *(uint8_t*)0x20007de1 = 0x18; *(uint8_t*)0x20007de2 = 0xf3; *(uint8_t*)0x20007de3 = 0x20; *(uint8_t*)0x20007de4 = 0xa; *(uint8_t*)0x20007de5 = 0x24; *(uint8_t*)0x20007de6 = 6; *(uint8_t*)0x20007de7 = 0; *(uint8_t*)0x20007de8 = 0; memcpy((void*)0x20007de9, "\xc1\xb0\xc9\x81\xcc", 5); 
*(uint8_t*)0x20007dee = 5; *(uint8_t*)0x20007def = 0x24; *(uint8_t*)0x20007df0 = 0; *(uint16_t*)0x20007df1 = 7; *(uint8_t*)0x20007df3 = 0xd; *(uint8_t*)0x20007df4 = 0x24; *(uint8_t*)0x20007df5 = 0xf; *(uint8_t*)0x20007df6 = 1; *(uint32_t*)0x20007df7 = 9; *(uint16_t*)0x20007dfb = 0xfff; *(uint16_t*)0x20007dfd = 5; *(uint8_t*)0x20007dff = 0; *(uint8_t*)0x20007e00 = 0x15; *(uint8_t*)0x20007e01 = 0x24; *(uint8_t*)0x20007e02 = 0x12; *(uint16_t*)0x20007e03 = 0xaa4; *(uint64_t*)0x20007e05 = 0x14f5e048ba817a3; *(uint64_t*)0x20007e0d = 0x2a397ecbffc007a6; *(uint8_t*)0x20007e15 = 4; *(uint8_t*)0x20007e16 = 0x24; *(uint8_t*)0x20007e17 = 2; *(uint8_t*)0x20007e18 = 9; *(uint8_t*)0x20007e19 = 9; *(uint8_t*)0x20007e1a = 0x21; *(uint16_t*)0x20007e1b = 0x7ff; *(uint8_t*)0x20007e1d = 8; *(uint8_t*)0x20007e1e = 1; *(uint8_t*)0x20007e1f = 0x22; *(uint16_t*)0x20007e20 = 0xd44; *(uint8_t*)0x20007e22 = 9; *(uint8_t*)0x20007e23 = 5; *(uint8_t*)0x20007e24 = 3; *(uint8_t*)0x20007e25 = 3; *(uint16_t*)0x20007e26 = 0x40; *(uint8_t*)0x20007e28 = 6; *(uint8_t*)0x20007e29 = 6; *(uint8_t*)0x20007e2a = 0x80; *(uint8_t*)0x20007e2b = 9; *(uint8_t*)0x20007e2c = 5; *(uint8_t*)0x20007e2d = 5; *(uint8_t*)0x20007e2e = 8; *(uint16_t*)0x20007e2f = 0x20; *(uint8_t*)0x20007e31 = 0x34; *(uint8_t*)0x20007e32 = 7; *(uint8_t*)0x20007e33 = 0xd1; *(uint8_t*)0x20007e34 = 7; *(uint8_t*)0x20007e35 = 0x25; *(uint8_t*)0x20007e36 = 1; *(uint8_t*)0x20007e37 = 0x81; *(uint8_t*)0x20007e38 = 1; *(uint16_t*)0x20007e39 = 0x20; *(uint8_t*)0x20007e3b = 0x65; *(uint8_t*)0x20007e3c = 0x30; memcpy((void*)0x20007e3d, "\xda\xc1\x6e\x84\x5b\x14\x9d\xaf\xe6\x66\x63\xcc\x3a\xcf\x39\x3f\xa7\xb0\xae\x46\xcb\xb8\xcf\x20\x7b\xdb\x0d\x3d\x6c\xf6\x81\x66\x1f\xa0\x0e\xd5\x8d\x70\x3c\x22\x64\x70\xa8\x4e\xaa\x26\x4b\xe5\x1e\x68\x10\x87\x52\x48\xed\xe7\x94\xe2\x20\x7e\x60\xb0\x45\x85\x60\x3c\xd0\x55\xc6\x34\x8f\x0e\xb4\xf3\x3f\x2a\x83\x3f\x4a\xee\x88\x84\xd7\x77\x3b\xe2\xf4\x51\x77\xad\x4c\x03\x72\x8f\xf4\xdd\x8e\x40\xfd", 99); 
*(uint8_t*)0x20007ea0 = 9; *(uint8_t*)0x20007ea1 = 5; *(uint8_t*)0x20007ea2 = 2; *(uint8_t*)0x20007ea3 = 4; *(uint16_t*)0x20007ea4 = 0x3ff; *(uint8_t*)0x20007ea6 = 0x1f; *(uint8_t*)0x20007ea7 = 2; *(uint8_t*)0x20007ea8 = -1; *(uint8_t*)0x20007ea9 = 7; *(uint8_t*)0x20007eaa = 0x25; *(uint8_t*)0x20007eab = 1; *(uint8_t*)0x20007eac = 0x82; *(uint8_t*)0x20007ead = 9; *(uint16_t*)0x20007eae = 2; *(uint8_t*)0x20007eb0 = 9; *(uint8_t*)0x20007eb1 = 5; *(uint8_t*)0x20007eb2 = 6; *(uint8_t*)0x20007eb3 = 0; *(uint16_t*)0x20007eb4 = 0x40; *(uint8_t*)0x20007eb6 = 0; *(uint8_t*)0x20007eb7 = 0x40; *(uint8_t*)0x20007eb8 = 0xfd; *(uint8_t*)0x20007eb9 = 7; *(uint8_t*)0x20007eba = 0x25; *(uint8_t*)0x20007ebb = 1; *(uint8_t*)0x20007ebc = 0x83; *(uint8_t*)0x20007ebd = 0x1f; *(uint16_t*)0x20007ebe = 0x1000; *(uint8_t*)0x20007ec0 = 9; *(uint8_t*)0x20007ec1 = 5; *(uint8_t*)0x20007ec2 = 0xd; *(uint8_t*)0x20007ec3 = 1; *(uint16_t*)0x20007ec4 = 0x3ff; *(uint8_t*)0x20007ec6 = 3; *(uint8_t*)0x20007ec7 = 1; *(uint8_t*)0x20007ec8 = 0x80; *(uint8_t*)0x20007ec9 = 7; *(uint8_t*)0x20007eca = 0x25; *(uint8_t*)0x20007ecb = 1; *(uint8_t*)0x20007ecc = 1; *(uint8_t*)0x20007ecd = 4; *(uint16_t*)0x20007ece = 3; *(uint8_t*)0x20007ed0 = 9; *(uint8_t*)0x20007ed1 = 5; *(uint8_t*)0x20007ed2 = 5; *(uint8_t*)0x20007ed3 = 4; *(uint16_t*)0x20007ed4 = 8; *(uint8_t*)0x20007ed6 = 8; *(uint8_t*)0x20007ed7 = -1; *(uint8_t*)0x20007ed8 = 0x80; *(uint8_t*)0x20007ed9 = 9; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 0xf; *(uint8_t*)0x20007edc = 1; *(uint16_t*)0x20007edd = 8; *(uint8_t*)0x20007edf = 0xae; *(uint8_t*)0x20007ee0 = 9; *(uint8_t*)0x20007ee1 = 0xf6; *(uint8_t*)0x20007ee2 = 7; *(uint8_t*)0x20007ee3 = 0x25; *(uint8_t*)0x20007ee4 = 1; *(uint8_t*)0x20007ee5 = 0; *(uint8_t*)0x20007ee6 = 0x95; *(uint16_t*)0x20007ee7 = 6; *(uint8_t*)0x20007ee9 = 0x7a; *(uint8_t*)0x20007eea = 6; memcpy((void*)0x20007eeb, 
"\x3f\x8f\x5c\x31\x8c\x80\xe5\xa9\x36\x08\x9f\xa5\xbe\x9d\xc3\x64\xd3\xa8\xff\x22\x23\x8b\x92\x00\x64\x2b\xb7\x96\x9b\x9c\x09\x89\x51\x0d\xf3\xf2\x67\x38\x46\xf3\xfe\x68\xee\xc4\x87\x47\x6d\x9d\x8e\xa3\x7c\x9e\x7e\xc2\x93\x9c\x3a\x85\x84\x2c\xad\x50\x0b\xf7\x7a\xed\x1d\x92\x90\xeb\x85\x0a\xf4\x62\x1c\xaf\xed\x03\xc0\x8a\x55\xc4\x22\xc7\x12\x2f\x6e\xc0\x70\x3a\x47\xdf\xcb\x27\x9c\x0b\x03\x55\x8b\x39\xc7\x23\x1b\x38\xe5\x59\xd0\x54\x6a\x29\xca\x32\x28\x0a\x8c\xe4\x70\x80\xaa\x8d", 120); *(uint8_t*)0x20007f63 = 9; *(uint8_t*)0x20007f64 = 5; *(uint8_t*)0x20007f65 = 7; *(uint8_t*)0x20007f66 = 4; *(uint16_t*)0x20007f67 = 0x8938; *(uint8_t*)0x20007f69 = 1; *(uint8_t*)0x20007f6a = 0x8c; *(uint8_t*)0x20007f6b = 4; *(uint8_t*)0x20007f6c = 9; *(uint8_t*)0x20007f6d = 5; *(uint8_t*)0x20007f6e = 7; *(uint8_t*)0x20007f6f = 0x10; *(uint16_t*)0x20007f70 = 0x20; *(uint8_t*)0x20007f72 = 6; *(uint8_t*)0x20007f73 = 1; *(uint8_t*)0x20007f74 = 0x81; *(uint8_t*)0x20007f75 = 9; *(uint8_t*)0x20007f76 = 5; *(uint8_t*)0x20007f77 = 0xe; *(uint8_t*)0x20007f78 = 0x10; *(uint16_t*)0x20007f79 = 0x200; *(uint8_t*)0x20007f7b = 0x80; *(uint8_t*)0x20007f7c = 3; *(uint8_t*)0x20007f7d = 0x23; *(uint8_t*)0x20007f7e = 7; *(uint8_t*)0x20007f7f = 0x25; *(uint8_t*)0x20007f80 = 1; *(uint8_t*)0x20007f81 = 0x81; *(uint8_t*)0x20007f82 = 1; *(uint16_t*)0x20007f83 = 5; *(uint8_t*)0x20007f85 = 7; *(uint8_t*)0x20007f86 = 0x25; *(uint8_t*)0x20007f87 = 1; *(uint8_t*)0x20007f88 = 0x81; *(uint8_t*)0x20007f89 = 7; *(uint16_t*)0x20007f8a = 0xb5a; *(uint8_t*)0x20007f8c = 9; *(uint8_t*)0x20007f8d = 5; *(uint8_t*)0x20007f8e = 8; *(uint8_t*)0x20007f8f = 2; *(uint16_t*)0x20007f90 = 8; *(uint8_t*)0x20007f92 = 0x1f; *(uint8_t*)0x20007f93 = 8; *(uint8_t*)0x20007f94 = 0x1f; *(uint8_t*)0x20007f95 = 7; *(uint8_t*)0x20007f96 = 0x25; *(uint8_t*)0x20007f97 = 1; *(uint8_t*)0x20007f98 = 3; *(uint8_t*)0x20007f99 = 3; *(uint16_t*)0x20007f9a = 0x200; *(uint8_t*)0x20007f9c = 7; *(uint8_t*)0x20007f9d = 0x25; *(uint8_t*)0x20007f9e = 1; 
*(uint8_t*)0x20007f9f = 3; *(uint8_t*)0x20007fa0 = 0x7f; *(uint16_t*)0x20007fa1 = 3; *(uint8_t*)0x20007fa3 = 9; *(uint8_t*)0x20007fa4 = 5; *(uint8_t*)0x20007fa5 = 0xd; *(uint8_t*)0x20007fa6 = 0xc; *(uint16_t*)0x20007fa7 = 0x3ff; *(uint8_t*)0x20007fa9 = 0x12; *(uint8_t*)0x20007faa = 9; *(uint8_t*)0x20007fab = 4; *(uint8_t*)0x20007fac = 0xe; *(uint8_t*)0x20007fad = 5; memcpy((void*)0x20007fae, "\xa9\xb9\x7b\xc2\x4d\xe6\x2c\x3b\xcf\x2b\xfa\x13", 12); *(uint8_t*)0x20007fba = 0x44; *(uint8_t*)0x20007fbb = 0x30; memcpy((void*)0x20007fbc, "\x9f\x0d\x5e\xa2\x42\x68\xb8\xa3\x21\x17\x65\x24\x6b\x1a\x83\x4a\xf6\x41\xe8\xcd\x6e\xa3\xef\x9b\x1f\xe1\x0f\x16\xbe\xd6\xb0\x6c\xc3\xa1\x65\x92\x0c\x9d\x73\x90\x9a\xb9\xac\x8b\x2a\x7a\x8a\x5d\xae\x5d\x4a\xcf\x31\x6d\x0b\x35\xd4\xb6\x44\xd3\x68\xa0\x6e\x0e\xff\x85", 66); *(uint8_t*)0x20007ffe = 9; *(uint8_t*)0x20007fff = 5; *(uint8_t*)0x20008000 = 0x80; *(uint8_t*)0x20008001 = 8; *(uint16_t*)0x20008002 = 8; *(uint8_t*)0x20008004 = 3; *(uint8_t*)0x20008005 = -1; *(uint8_t*)0x20008006 = 6; *(uint8_t*)0x20008007 = 9; *(uint8_t*)0x20008008 = 5; *(uint8_t*)0x20008009 = 0; *(uint8_t*)0x2000800a = 0; *(uint16_t*)0x2000800b = 0x20; *(uint8_t*)0x2000800d = 6; *(uint8_t*)0x2000800e = 0x2e; *(uint8_t*)0x2000800f = 0; *(uint8_t*)0x20008010 = 9; *(uint8_t*)0x20008011 = 4; *(uint8_t*)0x20008012 = 7; *(uint8_t*)0x20008013 = 0; *(uint8_t*)0x20008014 = 0xd; *(uint8_t*)0x20008015 = 0x29; *(uint8_t*)0x20008016 = 0xcb; *(uint8_t*)0x20008017 = 0x7c; *(uint8_t*)0x20008018 = 9; *(uint8_t*)0x20008019 = 9; *(uint8_t*)0x2000801a = 0x21; *(uint16_t*)0x2000801b = 7; *(uint8_t*)0x2000801d = 1; *(uint8_t*)0x2000801e = 1; *(uint8_t*)0x2000801f = 0x22; *(uint16_t*)0x20008020 = 0xbd9; *(uint8_t*)0x20008022 = 0xd; *(uint8_t*)0x20008023 = 0x24; *(uint8_t*)0x20008024 = 2; *(uint8_t*)0x20008025 = 1; *(uint8_t*)0x20008026 = 0x43; *(uint8_t*)0x20008027 = 1; *(uint8_t*)0x20008028 = 0; *(uint8_t*)0x20008029 = 9; memcpy((void*)0x2000802a, "d\"", 2); memcpy((void*)0x2000802c, 
"\x37\x09\xdb", 3); *(uint8_t*)0x2000802f = 0x11; *(uint8_t*)0x20008030 = 0x24; *(uint8_t*)0x20008031 = 2; *(uint8_t*)0x20008032 = 1; *(uint8_t*)0x20008033 = 0xf8; *(uint8_t*)0x20008034 = 2; *(uint8_t*)0x20008035 = 7; *(uint8_t*)0x20008036 = 0x40; memcpy((void*)0x20008037, "\x5e\x58\xdf\xf9\xa0\xd0\x1e\x41\x09", 9); *(uint8_t*)0x20008040 = 0xb; *(uint8_t*)0x20008041 = 0x24; *(uint8_t*)0x20008042 = 2; *(uint8_t*)0x20008043 = 2; *(uint16_t*)0x20008044 = 0xffec; *(uint16_t*)0x20008046 = 6; *(uint8_t*)0x20008048 = 0x15; memcpy((void*)0x20008049, "?w", 2); *(uint8_t*)0x2000804b = 7; *(uint8_t*)0x2000804c = 0x24; *(uint8_t*)0x2000804d = 1; *(uint8_t*)0x2000804e = 0xe1; *(uint8_t*)0x2000804f = 3; *(uint16_t*)0x20008050 = 2; *(uint8_t*)0x20008052 = 9; *(uint8_t*)0x20008053 = 5; *(uint8_t*)0x20008054 = 0xc; *(uint8_t*)0x20008055 = 8; *(uint16_t*)0x20008056 = 8; *(uint8_t*)0x20008058 = 4; *(uint8_t*)0x20008059 = 8; *(uint8_t*)0x2000805a = 8; *(uint8_t*)0x2000805b = 9; *(uint8_t*)0x2000805c = 5; *(uint8_t*)0x2000805d = 6; *(uint8_t*)0x2000805e = 8; *(uint16_t*)0x2000805f = 8; *(uint8_t*)0x20008061 = 0; *(uint8_t*)0x20008062 = 2; *(uint8_t*)0x20008063 = 2; *(uint8_t*)0x20008064 = 7; *(uint8_t*)0x20008065 = 0x25; *(uint8_t*)0x20008066 = 1; *(uint8_t*)0x20008067 = 0x81; *(uint8_t*)0x20008068 = 6; *(uint16_t*)0x20008069 = 0x18; *(uint8_t*)0x2000806b = 9; *(uint8_t*)0x2000806c = 5; *(uint8_t*)0x2000806d = 7; *(uint8_t*)0x2000806e = 0x10; *(uint16_t*)0x2000806f = 0x3ff; *(uint8_t*)0x20008071 = 0x39; *(uint8_t*)0x20008072 = 0; *(uint8_t*)0x20008073 = 6; *(uint8_t*)0x20008074 = 0x80; *(uint8_t*)0x20008075 = 0x23; memcpy((void*)0x20008076, 
"\xeb\xa3\xe2\xd4\x84\x8f\x84\xd0\xe6\xde\xd4\x6e\x24\xd1\x0b\xf9\xf8\xb0\x73\x89\x10\xe2\x9f\x31\x9e\x94\x25\x46\xe9\xcd\xa8\x63\x82\x57\xf5\x5d\x00\x49\x67\x2a\x13\x37\x06\x7a\xf7\x3c\x1c\x29\xe0\xbd\x77\x2a\x1c\xd5\xe1\x6d\x24\x9e\xd1\x5c\xdd\x3d\x85\xa4\x39\x9a\xef\x69\xe3\xf5\xa5\x06\xea\x0e\x05\x59\x30\x6f\xe1\xf4\x2d\xfc\x10\x92\x20\x62\xe2\xbc\x06\x2c\x34\xa1\xad\xc4\xbc\x46\xb0\x80\x25\x9a\xd2\x0b\x37\xcd\xe1\xeb\xa7\x17\x8f\xb5\x14\xb2\xef\x73\x97\x71\x5b\x0e\xae\x34\xd5\xef\xd5\x27\x49\x00", 126); *(uint8_t*)0x200080f4 = 0xa1; *(uint8_t*)0x200080f5 = 0x21; memcpy((void*)0x200080f6, "\x1c\x02\x0b\x38\x9a\x4c\x59\xd1\xf2\x6d\xa8\x57\xb2\x22\xa6\xf6\x61\x8a\xdb\x04\x11\xbb\x24\x47\x8e\x68\xff\xe7\x58\x46\x9d\x4b\xb3\x4d\xf6\xaa\x95\x77\xce\xd5\x53\x83\xdf\xf0\x1c\x05\x2a\xbb\xde\x70\x46\x8c\xe3\x11\x00\xca\x31\x84\xd1\xd5\xf8\x03\xdc\x28\x0d\xf3\xb7\xae\x47\x38\xad\x05\x03\x67\x01\xe2\xe3\x8c\xe8\x44\xa7\xd3\x01\xd8\x6e\x05\x97\xc5\xbc\x1b\x67\xe7\xc6\xa5\xf7\xdf\xbc\x33\x11\xdb\xd2\x34\x68\x8e\x85\xe9\xa7\xd5\x02\x1e\x51\xe2\xd0\xdd\x41\x80\x38\x15\x3d\xb6\x5b\x7f\xc2\x68\xf9\x8d\xdf\xd9\xe5\x03\x6f\x24\x49\x7d\x2f\x04\xcd\xcc\x75\x21\x78\x99\x19\x58\xf7\x24\x3f\xf4\xdd\x5a\xef\xcf\x75\x9a\x3f\xe7\xfb\x34\xc8", 159); *(uint8_t*)0x20008195 = 9; *(uint8_t*)0x20008196 = 5; *(uint8_t*)0x20008197 = 0xf; *(uint8_t*)0x20008198 = 0x10; *(uint16_t*)0x20008199 = 0x240; *(uint8_t*)0x2000819b = 2; *(uint8_t*)0x2000819c = 1; *(uint8_t*)0x2000819d = 0; *(uint8_t*)0x2000819e = 0x26; *(uint8_t*)0x2000819f = 3; memcpy((void*)0x200081a0, "\xb4\x51\xe2\x4f\x69\x72\xcd\x64\x29\xf8\x1c\xa1\x73\xd1\x3f\xb2\xc7\xf5\x28\x47\x51\x63\x8b\xbc\x4f\x0b\x3d\xe0\x20\x91\xfb\xb4\xf4\x45\x33\xd9", 36); *(uint8_t*)0x200081c4 = 9; *(uint8_t*)0x200081c5 = 5; *(uint8_t*)0x200081c6 = 7; *(uint8_t*)0x200081c7 = 2; *(uint16_t*)0x200081c8 = 0x400; *(uint8_t*)0x200081ca = 7; *(uint8_t*)0x200081cb = 0x3f; *(uint8_t*)0x200081cc = 0xdb; *(uint8_t*)0x200081cd = 0xc0; *(uint8_t*)0x200081ce = 0; 
memcpy((void*)0x200081cf, "\xba\x73\xf7\x70\xa4\x27\xb8\x43\x83\x13\xcb\x7e\x9d\x9d\x53\xa7\xe3\x11\x03\x66\xc8\x78\xe3\xc0\xf6\xe6\x29\xeb\xb2\xa0\x84\xa9\x0b\x2d\xef\x4b\x66\x95\x0f\xdf\xd6\x06\xe0\x83\x42\x29\xe6\x30\x28\x87\x54\x89\x67\x8b\xc9\x36\x98\xed\x86\x13\x88\x42\x54\x70\x3c\x31\x5f\x1e\xe5\x29\xd1\xbc\xbf\xaf\x8d\x86\x5e\x73\x8b\x9e\x08\xcb\xc4\xa2\x11\xd4\x80\xbd\xc2\xa6\xe6\x9e\x17\x2b\x1c\x73\x63\x94\x74\xf1\xf0\x11\x5b\x5f\x49\x18\xd0\x37\x45\x1c\x99\xde\xe8\x85\x47\x56\x25\x82\xd5\x71\x71\xaa\x19\x69\x13\xf1\x19\x15\xd1\xfd\xc1\xa5\x13\xb1\x6c\x0b\x9c\x1f\xa0\x71\x57\x42\x10\x46\xf4\xf3\x37\x2d\x00\xd4\xa2\x7e\xb9\x3e\xcd\x79\xb6\x85\xe1\x4f\x3e\xba\x64\x7e\x7b\x20\xae\xfd\xf9\x2e\xd0\x5b\xef\x68\x93\x52\x65\xce\x00\x35\xe3\xb6\x24\x85\x23\x50\xd1\x23\x4e\xf9", 190); *(uint8_t*)0x2000828d = 0xa; *(uint8_t*)0x2000828e = 5; memcpy((void*)0x2000828f, "\x29\x0a\x54\x8e\x96\x26\x66\xdf", 8); *(uint8_t*)0x20008297 = 9; *(uint8_t*)0x20008298 = 5; *(uint8_t*)0x20008299 = 7; *(uint8_t*)0x2000829a = 4; *(uint16_t*)0x2000829b = 0x7d7; *(uint8_t*)0x2000829d = 0; *(uint8_t*)0x2000829e = 7; *(uint8_t*)0x2000829f = 0xf9; *(uint8_t*)0x200082a0 = 0xcd; *(uint8_t*)0x200082a1 = 2; memcpy((void*)0x200082a2, 
"\x74\xcd\x60\x07\xae\x0e\xa1\x29\x7f\x07\x01\x8c\xbd\xaa\xa0\xc8\x78\x51\xa0\x13\x08\xad\x71\x7f\x23\x5e\x9e\xff\x80\x10\xad\x10\x46\xa5\x14\x8d\x35\x2a\x70\x76\x0b\xc4\xbe\xbd\xd7\x52\x8b\xf7\xd5\x06\xda\x1b\xaa\xc2\xcf\x49\x9d\x52\xde\x51\xd7\x1b\x05\x18\x5d\x7c\xd2\x68\x02\x3d\xe5\x96\x13\x04\x52\x1b\x5f\x56\x7c\x74\xcc\xab\x78\xb6\x1c\x3f\x64\x16\x62\xaf\x2d\x55\xd5\x15\x7a\x0d\xdc\x80\xc7\x59\x62\xe9\xbd\xa9\xff\x2d\x3b\x63\xdf\x6a\x6a\x0e\x2a\xeb\xbf\xc6\x64\xde\x3f\x3a\x34\xd6\x62\x00\xfa\x09\x24\x75\x68\x59\x57\xf0\xb3\x59\x42\x47\xa2\x1d\x46\x3c\xfe\x0c\xcd\x80\x44\xf9\x53\x19\xb4\xd4\x0c\x7f\x02\x2d\x5a\x9c\xe9\xe3\x48\xcd\x62\x3d\xc4\xc5\x90\xbe\xe5\xa1\x04\x72\x70\x95\x42\x14\x61\x1a\x8d\x98\xe6\x0a\xa6\x97\xa5\xce\x30\xee\xac\xd2\x39\x70\x94\xe5\x07\x16\x73\x99\x11\xa4\x47\x8b\x49\x5f\x02", 203); *(uint8_t*)0x2000836d = 0x2b; *(uint8_t*)0x2000836e = 3; memcpy((void*)0x2000836f, "\x9b\xc9\xf5\x80\x75\x06\x30\x3f\xbf\xd7\x12\x82\xa8\x20\x58\x56\x0f\xe8\x18\x0b\x20\x5f\x6f\x47\xf9\xd7\xcf\x05\x28\x0b\x7e\xb9\x6d\x6d\x15\x89\x97\x2f\x40\x2e\xf4", 41); *(uint8_t*)0x20008398 = 9; *(uint8_t*)0x20008399 = 5; *(uint8_t*)0x2000839a = 7; *(uint8_t*)0x2000839b = 0x1a; *(uint16_t*)0x2000839c = 8; *(uint8_t*)0x2000839e = 7; *(uint8_t*)0x2000839f = 3; *(uint8_t*)0x200083a0 = 0x86; *(uint8_t*)0x200083a1 = 0x35; *(uint8_t*)0x200083a2 = 0xb; memcpy((void*)0x200083a3, "\x01\x8a\x3d\x5f\xb9\x4d\x26\xc6\xa6\x89\xe9\x1e\xb6\xa9\xe4\x9b\xf1\xb8\x83\xb9\xe3\xda\x0a\x42\xbf\x45\x63\x9b\xc1\xb1\x9a\x0d\x8e\x78\xba\xbd\x76\x9b\x27\xa4\x3d\xd0\x91\xce\x83\xb4\xa9\x1c\xf5\xd1\x19", 51); *(uint8_t*)0x200083d6 = 7; *(uint8_t*)0x200083d7 = 0x25; *(uint8_t*)0x200083d8 = 1; *(uint8_t*)0x200083d9 = 0x80; *(uint8_t*)0x200083da = 0x40; *(uint16_t*)0x200083db = 6; *(uint8_t*)0x200083dd = 9; *(uint8_t*)0x200083de = 5; *(uint8_t*)0x200083df = 3; *(uint8_t*)0x200083e0 = 2; *(uint16_t*)0x200083e1 = 0x200; *(uint8_t*)0x200083e3 = 8; *(uint8_t*)0x200083e4 = 0x55; *(uint8_t*)0x200083e5 = 7; 
*(uint8_t*)0x200083e6 = 0xc; *(uint8_t*)0x200083e7 = 0x21; memcpy((void*)0x200083e8, "\xf2\xae\x0c\x70\x73\x12\x45\x83\x53\x64", 10); *(uint8_t*)0x200083f2 = 9; *(uint8_t*)0x200083f3 = 5; *(uint8_t*)0x200083f4 = 0xc; *(uint8_t*)0x200083f5 = 0; *(uint16_t*)0x200083f6 = 0x400; *(uint8_t*)0x200083f8 = -1; *(uint8_t*)0x200083f9 = 9; *(uint8_t*)0x200083fa = 0x7f; *(uint8_t*)0x200083fb = 9; *(uint8_t*)0x200083fc = 5; *(uint8_t*)0x200083fd = 3; *(uint8_t*)0x200083fe = 4; *(uint16_t*)0x200083ff = 0x3ff; *(uint8_t*)0x20008401 = 3; *(uint8_t*)0x20008402 = 0x81; *(uint8_t*)0x20008403 = 0x1f; *(uint8_t*)0x20008404 = 2; *(uint8_t*)0x20008405 = 0xb; memcpy((void*)0x20008406, "\x15\xf5\x29\x48\x16\x89\x69\xa7\x87\x9f\x68\x6a\x66\x44\x59\xf3\x1f\xa9\xc1\x46\xda\x65\xea\xa1\x87\x8b\x39\x96\xe0\x99\xdd\x1e\xc6\x89\x00\xa2\x57\xc0\x11\x39\x7b\xcf\xc1\x0b\xc4\x28\x59\x19\x72\xae\x5e\xb7\x0e\x65\xd2\x00\x24\x8c\x43\x3d\x8b\x1e\xaf\xe5\xdf\x95\xa1\x96\xb5\x8e\xd5\x0a\x74\xd4\x8f\x9c\x07\xf5\x08\x58\xdd\x07\xd9\x4e\xc7\x66\x26\xb5\xb4\x7c\x9a\xcd\x4f\xdb\xec\xde\x35\x6c\xab\xab\xc4\x3c\x31\x44\xfc\x2e\x52\x4b\x71\xbb\x4e\x8b\xb5\x35\xda\xa0\x71\xe2\x42\xc5\x85\x84\xdb\xdd\x6c\x1e\x75\x8e\x33\xfe\xcd\x91\xaa\xc9\x6d\x22\x88\x32\x2e\xd4\x8a\xcf\xda\xab\x53\x6e\xa5\x12\x98\xe1\x6c\x60\x33\xac\x2b\x91\x75\x84\x82\x71\x9c\xc7\xd7\x64\x37\x3c\xed\xf5\xd0\x39\xe7\x5f\x0b\xe3\x5a\xcd\xac\x46\xbf\xf1\x29\xaf\x0a\xd8\x17\xe1\x40\x64\x39\x8b\xe6\x49\x33\xb6\x76\xfa\xb4\xff\x8b\x8d\x37\xcd\x74\x2e\x41\xfd\x64\xf8\x7b\x7f\x7d\xf8\x73\xb3\xd4\xc1\xca\x44\x0e\x20\xa8\x29\xe3\x4c\x69\x77\x05\x4f\xd5\x97\x5e\x34\x94\x1c\x4c\xa2\x4d\xca\xf0\x7e\x3b\x99\x50\x28\x0b\x30\xfb\x2c\x43\x56\xee\xda\xb3\xe5\x18\x4e", 256); *(uint8_t*)0x20008506 = 7; *(uint8_t*)0x20008507 = 0x25; *(uint8_t*)0x20008508 = 1; *(uint8_t*)0x20008509 = 0; *(uint8_t*)0x2000850a = 0x1f; *(uint16_t*)0x2000850b = 0x200; *(uint8_t*)0x2000850d = 9; *(uint8_t*)0x2000850e = 5; *(uint8_t*)0x2000850f = 5; *(uint8_t*)0x20008510 = 0x10; 
*(uint16_t*)0x20008511 = 0x400; *(uint8_t*)0x20008513 = 0x81; *(uint8_t*)0x20008514 = 1; *(uint8_t*)0x20008515 = 5; *(uint8_t*)0x20008516 = 7; *(uint8_t*)0x20008517 = 0x25; *(uint8_t*)0x20008518 = 1; *(uint8_t*)0x20008519 = 2; *(uint8_t*)0x2000851a = 8; *(uint16_t*)0x2000851b = 0x101; *(uint8_t*)0x2000851d = 7; *(uint8_t*)0x2000851e = 0x25; *(uint8_t*)0x2000851f = 1; *(uint8_t*)0x20008520 = 3; *(uint8_t*)0x20008521 = 2; *(uint16_t*)0x20008522 = 8; *(uint8_t*)0x20008524 = 9; *(uint8_t*)0x20008525 = 5; *(uint8_t*)0x20008526 = 0; *(uint8_t*)0x20008527 = 4; *(uint16_t*)0x20008528 = 0x80; *(uint8_t*)0x2000852a = 9; *(uint8_t*)0x2000852b = 6; *(uint8_t*)0x2000852c = 7; *(uint8_t*)0x2000852d = 9; *(uint8_t*)0x2000852e = 5; *(uint8_t*)0x2000852f = 3; *(uint8_t*)0x20008530 = 0; *(uint16_t*)0x20008531 = 0x7ff; *(uint8_t*)0x20008533 = 1; *(uint8_t*)0x20008534 = -1; *(uint8_t*)0x20008535 = 0x1f; *(uint32_t*)0x20008640 = 0xa; *(uint64_t*)0x20008644 = 0x20008540; *(uint8_t*)0x20008540 = 0xa; *(uint8_t*)0x20008541 = 6; *(uint16_t*)0x20008542 = 0; *(uint8_t*)0x20008544 = 2; *(uint8_t*)0x20008545 = 0x86; *(uint8_t*)0x20008546 = 0x80; *(uint8_t*)0x20008547 = 0x10; *(uint8_t*)0x20008548 = 2; *(uint8_t*)0x20008549 = 0; *(uint32_t*)0x2000864c = 0x42; *(uint64_t*)0x20008650 = 0x20008580; *(uint8_t*)0x20008580 = 5; *(uint8_t*)0x20008581 = 0xf; *(uint16_t*)0x20008582 = 0x42; *(uint8_t*)0x20008584 = 5; *(uint8_t*)0x20008585 = 0xa; *(uint8_t*)0x20008586 = 0x10; *(uint8_t*)0x20008587 = 3; *(uint8_t*)0x20008588 = 0; *(uint16_t*)0x20008589 = 3; *(uint8_t*)0x2000858b = 0x73; *(uint8_t*)0x2000858c = 4; *(uint16_t*)0x2000858d = 0; *(uint8_t*)0x2000858f = 3; *(uint8_t*)0x20008590 = 0x10; *(uint8_t*)0x20008591 = 0xb; *(uint8_t*)0x20008592 = 0xa; *(uint8_t*)0x20008593 = 0x10; *(uint8_t*)0x20008594 = 3; *(uint8_t*)0x20008595 = 0; *(uint16_t*)0x20008596 = 8; *(uint8_t*)0x20008598 = 0xeb; *(uint8_t*)0x20008599 = 0x3f; *(uint16_t*)0x2000859a = 2; *(uint8_t*)0x2000859c = 7; *(uint8_t*)0x2000859d = 0x10; 
*(uint8_t*)0x2000859e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000859f, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 0xf, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a1, 5, 0, 16); *(uint8_t*)0x200085a3 = 0x1f; *(uint8_t*)0x200085a4 = 0x10; *(uint8_t*)0x200085a5 = 1; memcpy((void*)0x200085a6, "\x61\x40\x8d\x3d\x2e\x18\x72\x46\x92\x26\xd4\xd9\xbe\xfe\xcd\xac\x20\x8d\xfd\xaa\x38\x51\x78\xf4\x8c\xa7\x56\x50", 28); *(uint32_t*)0x20008658 = 1; *(uint32_t*)0x2000865c = 4; *(uint64_t*)0x20008660 = 0x20008600; *(uint8_t*)0x20008600 = 4; *(uint8_t*)0x20008601 = 3; *(uint16_t*)0x20008602 = 0x41a; res = -1; res = syz_usb_connect(5, 0x776, 0x20007dc0, 0x20008640); if (res != -1) r[15] = res; break; case 37: *(uint8_t*)0x20008680 = 0x12; *(uint8_t*)0x20008681 = 1; *(uint16_t*)0x20008682 = 0x200; *(uint8_t*)0x20008684 = -1; *(uint8_t*)0x20008685 = -1; *(uint8_t*)0x20008686 = -1; *(uint8_t*)0x20008687 = 0x40; *(uint16_t*)0x20008688 = 0xcf3; *(uint16_t*)0x2000868a = 0x9271; *(uint16_t*)0x2000868c = 0x108; *(uint8_t*)0x2000868e = 1; *(uint8_t*)0x2000868f = 2; *(uint8_t*)0x20008690 = 3; *(uint8_t*)0x20008691 = 1; *(uint8_t*)0x20008692 = 9; *(uint8_t*)0x20008693 = 2; *(uint16_t*)0x20008694 = 0x48; *(uint8_t*)0x20008696 = 1; *(uint8_t*)0x20008697 = 1; *(uint8_t*)0x20008698 = 0; *(uint8_t*)0x20008699 = 0x80; *(uint8_t*)0x2000869a = 0xfa; *(uint8_t*)0x2000869b = 9; *(uint8_t*)0x2000869c = 4; *(uint8_t*)0x2000869d = 0; *(uint8_t*)0x2000869e = 0; *(uint8_t*)0x2000869f = 6; *(uint8_t*)0x200086a0 = -1; *(uint8_t*)0x200086a1 = 0; *(uint8_t*)0x200086a2 = 0; *(uint8_t*)0x200086a3 = 0; *(uint8_t*)0x200086a4 = 9; *(uint8_t*)0x200086a5 = 5; *(uint8_t*)0x200086a6 = 1; *(uint8_t*)0x200086a7 = 2; *(uint16_t*)0x200086a8 = 0x200; *(uint8_t*)0x200086aa = 0; *(uint8_t*)0x200086ab = 0; *(uint8_t*)0x200086ac = 0; *(uint8_t*)0x200086ad = 9; *(uint8_t*)0x200086ae = 5; *(uint8_t*)0x200086af = 0x82; *(uint8_t*)0x200086b0 = 2; *(uint16_t*)0x200086b1 = 0x200; 
*(uint8_t*)0x200086b3 = 0; *(uint8_t*)0x200086b4 = 0; *(uint8_t*)0x200086b5 = 0; *(uint8_t*)0x200086b6 = 9; *(uint8_t*)0x200086b7 = 5; *(uint8_t*)0x200086b8 = 0x83; *(uint8_t*)0x200086b9 = 3; *(uint16_t*)0x200086ba = 0x40; *(uint8_t*)0x200086bc = 1; *(uint8_t*)0x200086bd = 0; *(uint8_t*)0x200086be = 0; *(uint8_t*)0x200086bf = 9; *(uint8_t*)0x200086c0 = 5; *(uint8_t*)0x200086c1 = 4; *(uint8_t*)0x200086c2 = 3; *(uint16_t*)0x200086c3 = 0x40; *(uint8_t*)0x200086c5 = 1; *(uint8_t*)0x200086c6 = 0; *(uint8_t*)0x200086c7 = 0; *(uint8_t*)0x200086c8 = 9; *(uint8_t*)0x200086c9 = 5; *(uint8_t*)0x200086ca = 5; *(uint8_t*)0x200086cb = 2; *(uint16_t*)0x200086cc = 0x200; *(uint8_t*)0x200086ce = 0; *(uint8_t*)0x200086cf = 0; *(uint8_t*)0x200086d0 = 0; *(uint8_t*)0x200086d1 = 9; *(uint8_t*)0x200086d2 = 5; *(uint8_t*)0x200086d3 = 6; *(uint8_t*)0x200086d4 = 2; *(uint16_t*)0x200086d5 = 0x200; *(uint8_t*)0x200086d7 = 0; *(uint8_t*)0x200086d8 = 0; *(uint8_t*)0x200086d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20008680, 0); if (res != -1) r[16] = res; break; case 38: *(uint32_t*)0x20008900 = 0x2c; *(uint64_t*)0x20008904 = 0x20008700; *(uint8_t*)0x20008700 = 0x20; *(uint8_t*)0x20008701 = 0x21; *(uint32_t*)0x20008702 = 0xdb; *(uint8_t*)0x20008706 = 0xdb; *(uint8_t*)0x20008707 = 0x24; memcpy((void*)0x20008708, 
"\xb5\x01\xb9\xa6\x76\xdf\xcb\x3e\x98\xc6\x6e\x8b\x68\x77\xca\xc3\x0d\xfb\x98\x56\xc7\x20\x94\xee\x90\xf2\x31\x70\xf3\x3d\xc0\x41\x69\x19\x14\x6a\x8a\x2a\xd6\x05\xce\x54\xf3\xd4\x43\xec\x59\x7b\x33\x7b\x1b\x4d\x39\xc4\x42\x89\xbb\xfc\x62\x1a\x00\x86\x26\x48\xfe\x2d\xf7\x54\xe4\x63\x45\x5e\xf8\x8f\x55\xfb\x63\xb4\xb7\x71\x9d\xd8\xd3\xe6\x84\x6c\x4d\x25\x4a\xfb\x2e\x40\x11\x6d\x2b\x5f\xcd\x88\x3a\x84\x21\x22\x17\xe0\x65\xcd\x44\x66\x68\x01\x15\x4e\x7b\x43\xe3\xd1\x62\x9d\xc7\x6f\x3a\x71\x10\xe8\x07\x90\xce\x65\xee\x44\x96\x1d\x30\x65\x21\xe9\x4e\x6e\xe9\x41\xa9\x7e\x0e\xab\x0e\x80\x37\xfe\xf7\x68\x90\x28\x91\xbb\x41\x05\xd8\xba\xf0\xa3\x5f\x93\xd2\xa5\x63\x59\x35\x79\x9c\x87\xeb\x91\xb5\xe5\xff\x7a\xe9\x1c\xbe\x9c\xda\xdd\x65\x3a\x48\x6d\x72\xd6\x7d\xc3\xb3\x71\xe4\xe5\xfa\x61\x87\x59\xde\x87\xeb\xe1\xec\x27\x8d\x14\x08\x34\x59\x0f\x6c\x51\x3e\x4c\x95\xcb\xb3", 217); *(uint64_t*)0x2000890c = 0x20008800; *(uint8_t*)0x20008800 = 0; *(uint8_t*)0x20008801 = 3; *(uint32_t*)0x20008802 = 0x18; *(uint8_t*)0x20008806 = 0x18; *(uint8_t*)0x20008807 = 3; memcpy((void*)0x20008808, "\x2c\x5d\xdd\x5f\xc6\x32\x36\xd4\x7a\xf3\x16\x42\x23\xe9\xb4\x23\xe1\x3b\x85\x60\xf2\x8a", 22); *(uint64_t*)0x20008914 = 0x20008840; *(uint8_t*)0x20008840 = 0; *(uint8_t*)0x20008841 = 0xf; *(uint32_t*)0x20008842 = 0x35; *(uint8_t*)0x20008846 = 5; *(uint8_t*)0x20008847 = 0xf; *(uint16_t*)0x20008848 = 0x35; *(uint8_t*)0x2000884a = 4; *(uint8_t*)0x2000884b = 7; *(uint8_t*)0x2000884c = 0x10; *(uint8_t*)0x2000884d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000884e, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 0xa, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008850, 1, 0, 16); *(uint8_t*)0x20008852 = 0xb; *(uint8_t*)0x20008853 = 0x10; *(uint8_t*)0x20008854 = 1; *(uint8_t*)0x20008855 = 0xc; *(uint16_t*)0x20008856 = 8; *(uint8_t*)0x20008858 = 0x3f; *(uint8_t*)0x20008859 = 1; *(uint16_t*)0x2000885a = 4; *(uint8_t*)0x2000885c = 6; *(uint8_t*)0x2000885d = 0x14; 
*(uint8_t*)0x2000885e = 0x10; *(uint8_t*)0x2000885f = 4; *(uint8_t*)0x20008860 = 0x80; memcpy((void*)0x20008861, "\xd0\xd1\xe2\xd8\x68\xe0\xfa\x99\x17\x77\xca\xc1\xb7\x94\x82\x58", 16); *(uint8_t*)0x20008871 = 0xa; *(uint8_t*)0x20008872 = 0x10; *(uint8_t*)0x20008873 = 3; *(uint8_t*)0x20008874 = 2; *(uint16_t*)0x20008875 = 3; *(uint8_t*)0x20008877 = 4; *(uint8_t*)0x20008878 = 0; *(uint16_t*)0x20008879 = 8; *(uint64_t*)0x2000891c = 0x20008880; *(uint8_t*)0x20008880 = 0x20; *(uint8_t*)0x20008881 = 0x29; *(uint32_t*)0x20008882 = 0xf; *(uint8_t*)0x20008886 = 0xf; *(uint8_t*)0x20008887 = 0x29; *(uint8_t*)0x20008888 = 0; *(uint16_t*)0x20008889 = 4; *(uint8_t*)0x2000888b = 0xc1; *(uint8_t*)0x2000888c = 0x7f; memcpy((void*)0x2000888d, "\x1b\xc1\x9f\x6f", 4); memcpy((void*)0x20008891, "\x0c\xd3\xa1\x96", 4); *(uint64_t*)0x20008924 = 0x200088c0; *(uint8_t*)0x200088c0 = 0x20; *(uint8_t*)0x200088c1 = 0x2a; *(uint32_t*)0x200088c2 = 0xc; *(uint8_t*)0x200088c6 = 0xc; *(uint8_t*)0x200088c7 = 0x2a; *(uint8_t*)0x200088c8 = -1; *(uint16_t*)0x200088c9 = 8; *(uint8_t*)0x200088cb = 0x20; *(uint8_t*)0x200088cc = 2; *(uint8_t*)0x200088cd = 6; *(uint16_t*)0x200088ce = 0x800; *(uint16_t*)0x200088d0 = 9; *(uint32_t*)0x20008e00 = 0x84; *(uint64_t*)0x20008e04 = 0x20008940; *(uint8_t*)0x20008940 = 0; *(uint8_t*)0x20008941 = 0xb; *(uint32_t*)0x20008942 = 0xe5; memcpy((void*)0x20008946, 
"\xea\x88\xbc\xa9\xc1\xe3\xf5\xbd\xf6\x07\xf7\x25\x25\x73\xdd\x87\x56\xe9\xf3\x2a\x7c\x4a\xee\xa5\xb3\xe1\xae\x6f\xdb\xe3\x19\x4c\x19\x18\xd9\xd9\xa3\xaa\x13\xdb\xbc\x47\xe1\x43\x0d\x7b\xe6\xa1\x80\xc7\x38\x84\x56\xd1\x2a\x5c\x32\x7b\x71\x6d\x23\x41\xbc\xd0\xef\x82\xa4\xa3\x46\x10\xe2\x8f\xc7\xb2\xe1\x72\xdf\xa0\x56\xc6\x35\x3d\xa1\x66\x49\x6c\xa2\x54\x0e\x60\xbb\x52\x06\x6e\xf4\x77\x36\x67\x40\x9a\x68\xef\xf5\x2e\x75\xff\x93\x46\x9e\x4f\xf5\xd6\x99\x66\xb8\x1e\x03\x4c\x68\x8a\x2f\x6f\xd9\x45\xec\xd0\x5f\x33\x65\x73\x58\x68\x23\xfd\x9f\x6d\x40\xbb\x48\x3d\xd2\x7a\xd4\x6b\x84\x14\x55\xac\x07\xfc\x31\x9b\x8c\xb5\xf5\xe2\xda\xa6\x4a\x6c\x5f\x3b\xc0\x99\x27\x0c\xd3\x76\x66\x0e\xf3\x45\x65\x71\xaa\x6d\x2f\xe4\x86\x67\x83\x8d\x81\x11\x26\xca\xce\xed\xae\xbe\xf9\x60\x81\x92\xb6\x03\x32\x7f\x6e\xe9\xed\x42\x57\x2b\x6e\xb3\xc6\x63\x0e\x90\x17\x42\x8e\xd3\x70\xbd\x03\x24\xda\x01\xea\xe4\xa7\x88\x1a\x6b\x88\xaa\x1a", 229); *(uint64_t*)0x20008e0c = 0x20008a40; *(uint8_t*)0x20008a40 = 0; *(uint8_t*)0x20008a41 = 0xa; *(uint32_t*)0x20008a42 = 1; *(uint8_t*)0x20008a46 = 5; *(uint64_t*)0x20008e14 = 0x20008a80; *(uint8_t*)0x20008a80 = 0; *(uint8_t*)0x20008a81 = 8; *(uint32_t*)0x20008a82 = 1; *(uint8_t*)0x20008a86 = 0x1f; *(uint64_t*)0x20008e1c = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x20; *(uint8_t*)0x20008ac1 = 0; *(uint32_t*)0x20008ac2 = 4; *(uint16_t*)0x20008ac6 = 2; *(uint16_t*)0x20008ac8 = 3; *(uint64_t*)0x20008e24 = 0x20008b00; *(uint8_t*)0x20008b00 = 0x20; *(uint8_t*)0x20008b01 = 0; *(uint32_t*)0x20008b02 = 4; *(uint16_t*)0x20008b06 = 0x100; *(uint16_t*)0x20008b08 = 1; *(uint64_t*)0x20008e2c = 0x20008b40; *(uint8_t*)0x20008b40 = 0x40; *(uint8_t*)0x20008b41 = 7; *(uint32_t*)0x20008b42 = 2; *(uint16_t*)0x20008b46 = -1; *(uint64_t*)0x20008e34 = 0x20008b80; *(uint8_t*)0x20008b80 = 0x40; *(uint8_t*)0x20008b81 = 9; *(uint32_t*)0x20008b82 = 1; *(uint8_t*)0x20008b86 = 0x7f; *(uint64_t*)0x20008e3c = 0x20008bc0; *(uint8_t*)0x20008bc0 = 0x40; *(uint8_t*)0x20008bc1 = 0xb; 
*(uint32_t*)0x20008bc2 = 2; memcpy((void*)0x20008bc6, "\xa6\xab", 2); *(uint64_t*)0x20008e44 = 0x20008c00; *(uint8_t*)0x20008c00 = 0x40; *(uint8_t*)0x20008c01 = 0xf; *(uint32_t*)0x20008c02 = 2; *(uint16_t*)0x20008c06 = 0; *(uint64_t*)0x20008e4c = 0x20008c40; *(uint8_t*)0x20008c40 = 0x40; *(uint8_t*)0x20008c41 = 0x13; *(uint32_t*)0x20008c42 = 6; *(uint8_t*)0x20008c46 = 0; *(uint8_t*)0x20008c47 = 0; *(uint8_t*)0x20008c48 = 0; *(uint8_t*)0x20008c49 = 0; *(uint8_t*)0x20008c4a = 0; *(uint8_t*)0x20008c4b = 0; *(uint64_t*)0x20008e54 = 0x20008c80; *(uint8_t*)0x20008c80 = 0x40; *(uint8_t*)0x20008c81 = 0x17; *(uint32_t*)0x20008c82 = 6; *(uint8_t*)0x20008c86 = 1; *(uint8_t*)0x20008c87 = 0x80; *(uint8_t*)0x20008c88 = 0xc2; *(uint8_t*)0x20008c89 = 0; *(uint8_t*)0x20008c8a = 0; *(uint8_t*)0x20008c8b = 1; *(uint64_t*)0x20008e5c = 0x20008cc0; *(uint8_t*)0x20008cc0 = 0x40; *(uint8_t*)0x20008cc1 = 0x19; *(uint32_t*)0x20008cc2 = 2; memcpy((void*)0x20008cc6, "rN", 2); *(uint64_t*)0x20008e64 = 0x20008d00; *(uint8_t*)0x20008d00 = 0x40; *(uint8_t*)0x20008d01 = 0x1a; *(uint32_t*)0x20008d02 = 2; *(uint16_t*)0x20008d06 = 0xb81; *(uint64_t*)0x20008e6c = 0x20008d40; *(uint8_t*)0x20008d40 = 0x40; *(uint8_t*)0x20008d41 = 0x1c; *(uint32_t*)0x20008d42 = 1; *(uint8_t*)0x20008d46 = 0x40; *(uint64_t*)0x20008e74 = 0x20008d80; *(uint8_t*)0x20008d80 = 0x40; *(uint8_t*)0x20008d81 = 0x1e; *(uint32_t*)0x20008d82 = 1; *(uint8_t*)0x20008d86 = 0x80; *(uint64_t*)0x20008e7c = 0x20008dc0; *(uint8_t*)0x20008dc0 = 0x40; *(uint8_t*)0x20008dc1 = 0x21; *(uint32_t*)0x20008dc2 = 1; *(uint8_t*)0x20008dc6 = 0x92; syz_usb_control_io(r[15], 0x20008900, 0x20008e00); break; case 39: syz_usb_disconnect(r[15]); break; case 40: syz_usb_ep_read(r[16], 0x1f, 0x80, 0x20008ec0); break; case 41: memcpy((void*)0x20008f40, 
"\x05\x9c\xba\xeb\x68\x64\xbc\xc9\x3a\x17\x64\x09\x36\xd2\xe5\x45\x0d\xeb\x6a\x94\xa3\xcd\x8d\xba\xc2\xfb\xcf\xac\x93\x2f\x8d\xd2\x22\x05\xe7\xae\x58\x9b\x0f\x01\x72\xe7\x51\xe3\x08\xa2\x36\xce\xa8\x57\x11\xd7\x4b\x54\x6d\x98\xb4\xd7\x5a\xfc\xc6\x5f\xd0\x46\x33\xc1\xfb\xed\x7c\xfe\x4d\x04\x9d", 73); syz_usb_ep_write(r[15], -1, 0x49, 0x20008f40); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :236:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :236:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor054719575 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/7 (4.55s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox: Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: socket$nl_netfilter(0x10, 0x3, 0xc) r0 = open(&(0x7f0000000000)='./file0\x00', 0x2000, 0x163) recvfrom(r0, &(0x7f0000000040)=""/238, 0xee, 0x1, &(0x7f0000000140)=@llc={0x1a, 0x10f, 0x7, 0xc7, 0x6, 0xff, @broadcast}, 0x80) r1 = socket$inet_sctp(0x2, 0x5, 0x84) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r1, 0x84, 0xa, &(0x7f00000001c0)={0x7ff, 0x1ff, 0x204, 0x0, 0x803, 0x0, 0x5, 0x800}, 0x20) execveat(r0, &(0x7f0000000200)='./file0\x00', &(0x7f0000000400)=[&(0x7f0000000240)='^\x00', &(0x7f0000000280)='*,+\x00', &(0x7f00000002c0)='-{$(%![\x00', 
&(0x7f0000000300)='\\[\x00', &(0x7f0000000340)='\x00', &(0x7f0000000380)='\x00', &(0x7f00000003c0)='\xb1$}\x00'], &(0x7f0000000640)=[&(0x7f0000000440)='\x00', &(0x7f0000000480)='*/%}\\\\\x00', &(0x7f00000004c0)='@[\x00', &(0x7f0000000500)='\x00', &(0x7f0000000540)=':\'\x9f^(\x00', &(0x7f0000000580)='],-.$\xfb\\}{)@-&/[\\!\x00', &(0x7f00000005c0)='\x00', &(0x7f0000000600)='{{\'$(+-(}{}]?/--)\x00'], 0x1000) r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000680)='/dev/hwrng\x00', 0x40000, 0x0) ioctl$HIDIOCGPHYS(r2, 0x80404812, &(0x7f00000006c0)) ioctl$TIOCGICOUNT(r2, 0x545d, 0x0) io_uring_setup(0x509f, &(0x7f0000000700)={0x0, 0x9c76, 0x8, 0x3, 0x309, 0x0, r0}) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_unix_may_send\x00') syz_emit_ethernet(0x2e, &(0x7f0000000040)={@dev={[], 0x29}, @local, @void, {@ipx={0x8137, {0xffff, 0x20, 0x2, 0x0, {@random=0x3, @random="67516965f015", 0x3}, {@random=0xa0, @current, 0x8ca}, "d18e"}}}}, &(0x7f0000000080)={0x1, 0x3, [0x6f3, 0xd92, 0xd18, 0x98a]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_EVENT_PKT={0x4, @hci_ev_pkt_type_change={{0x1d, 0x5}, {0x1, 0xc9, 0x800}}}, 0x8) syz_execute_func(&(0x7f0000000100)="c4017c5a50f2c4a1637c7a862ef04230b50d00000041d9f93e420fb7bcaeb0000000c4c2a5291498c482c9bdac33de7941f1c401fc2e0666400f38241f670fecfb") syz_extract_tcp_res(&(0x7f0000000180), 0x8, 0x47) r3 = openat$selinux_policy(0xffffffffffffff9c, &(0x7f00000001c0)='/selinux/policy\x00', 0x0, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002500)={0x2020, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x2020) lstat(&(0x7f00000046c0)='\x00', &(0x7f0000004700)={0x0, 0x0, 0x0, 0x0, 0x0}) stat(&(0x7f0000004780)='./file0\x00', &(0x7f00000047c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000004840)=0x0, &(0x7f0000004880), &(0x7f00000048c0)) syz_fuse_handle_req(r3, &(0x7f0000000200)="", 0x2000, &(0x7f0000004cc0)={&(0x7f0000002200)={0x50, 0x0, 0x8b20, {0x7, 0x1f, 0x4, 0x0, 0x6, 0x2, 0x7fffffff, 0x2}}, &(0x7f0000002280)={0x18, 0xfffffffffffffff5, 0x55}, 
&(0x7f00000022c0)={0x18, 0x0, 0x2, {0x9}}, &(0x7f0000002300)={0x18, 0x0, 0x40, {0xe62}}, &(0x7f0000002340)={0x18, 0x0, 0x80000001, {0x787}}, &(0x7f0000002380)={0x28, 0x0, 0x3, {{0x9, 0x101, 0x0, 0xffffffffffffffff}}}, &(0x7f00000023c0)={0x60, 0x0, 0x9, {{0xf652, 0x8d, 0x0, 0x3f, 0x80000000, 0x0, 0x3}}}, &(0x7f0000002440)={0x18, 0x0, 0x2, {0xa8f}}, &(0x7f0000002480)={0x26, 0x0, 0x8, {'bpf_lsm_unix_may_send\x00'}}, &(0x7f00000024c0)={0x20, 0x0, 0x6, {0x0, 0x12}}, &(0x7f0000004540)={0x78, 0xfffffffffffffff5, 0x81, {0x1, 0x7, 0x0, {0x5, 0x8, 0x6, 0x1ff, 0x5, 0x4, 0x4, 0xe8, 0x193, 0x7000, 0x6, 0xffffffffffffffff, r4, 0x3, 0x9}}}, &(0x7f00000045c0)={0x90, 0x0, 0x8612, {0x5, 0x3, 0xb2f, 0x20, 0x0, 0x7, {0x0, 0x1ff, 0x2, 0x2, 0x1de, 0x5a, 0x9, 0xc46, 0x5, 0xc000, 0xddce, 0xee01, 0xee00, 0x0, 0x12}}}, &(0x7f0000004680)={0x10, 0x0, 0x5}, &(0x7f0000004900)={0x2c0, 0xfffffffffffffff5, 0x8a, [{{0x4, 0x3, 0xfff, 0x6, 0xffffffff, 0x8, {0x5, 0xca13, 0x81, 0x4, 0x0, 0xbbc, 0x0, 0x3, 0x34b, 0x4000, 0x9, 0x0, 0xee01, 0x2, 0x81}}, {0x3, 0x80000001, 0x16, 0xf97, 'bpf_lsm_unix_may_send\x00'}}, {{0x5, 0x3, 0x100000001, 0x10001, 0x7, 0x83, {0x5, 0x5, 0x100, 0x6, 0xfffffffffffffbff, 0xb533, 0x800, 0xad7, 0x32f914fb, 0x2000, 0xe0, r6, 0xee01, 0x4, 0x64}}, {0x4, 0xfffffffffffffffc, 0x16, 0x6, 'bpf_lsm_unix_may_send\x00'}}, {{0x2, 0x2, 0x7, 0x8000, 0x9, 0x3, {0x2, 0x7, 0x80000000, 0x8, 0x6, 0x400, 0xc932, 0x81, 0x5, 0x1000, 0xf841, r7, 0xee00, 0xff, 0x5}}, {0x4, 0xffffffffffff3232, 0x16, 0x5, 'bpf_lsm_unix_may_send\x00'}}, {{0x4, 0x0, 0x0, 0x7, 0x200, 0x6, {0x5, 0x1020000, 0x6, 0x7f, 0xce, 0x0, 0xa9fb, 0xffffff81, 0x3ff, 0x1000, 0x0, 0x0, r8, 0x8de6, 0x3}}, {0x2, 0xffffffff, 0x1, 0x5, '/'}}]}, &(0x7f0000004bc0)={0xa0, 0x0, 0x3f, {{0x5, 0x2, 0x0, 0x7, 0x6, 0x3, {0x2, 0xf51e, 0x65, 0x1, 0x8b, 0x7f, 0x100, 0x9, 0x24, 0xa000, 0x3f, 0x0, 0xffffffffffffffff, 0x40, 0x3}}, {0x0, 0x1}}}, &(0x7f0000004c80)={0x20, 0xfffffffffffffff5, 0x401, {0x5b2, 0x0, 0x9, 0x2}}}) 
syz_genetlink_get_family_id$SEG6(&(0x7f0000004d40)='SEG6\x00') r9 = syz_init_net_socket$ax25(0x3, 0x2, 0x1) r10 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x3e79, &(0x7f0000004d80)={0x0, 0xb8ca, 0x20, 0xe7c, 0x26b, 0x0, r10}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004e00), &(0x7f0000004e40)) syz_io_uring_setup(0x5336, &(0x7f0000004e80)={0x0, 0x29dc, 0x2, 0x1, 0x3d6, 0x0, r3}, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004f00)=0x0, &(0x7f0000004f40)=0x0) r13 = syz_open_dev$vcsa(&(0x7f0000004f80)='/dev/vcsa#\x00', 0xfffffffffffffff8, 0x240) syz_io_uring_submit(0x0, r12, &(0x7f0000004fc0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd=r13, 0x0, 0x0, 0x0, {0x4404}}, 0x8) r14 = syz_open_dev$vcsa(&(0x7f0000005000)='/dev/vcsa#\x00', 0x1000, 0x8600) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005080)=[{0x0, &(0x7f0000005040)="48d5a3400d135dd4910161867c991fc7d68d55145fbbc5c498b58fba49bd01b68386473365a9131272ede1d53bc285051b85", 0x32}], 0x1, 0x0, &(0x7f00000050c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000005100)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000005140)='afs\x00', &(0x7f0000005180)='./file0\x00', 0x0, 0x9, &(0x7f0000006640)=[{&(0x7f00000051c0)="c5f6f420aeec388cedec2b597c8156538cd4586034199f56f5944da03d8ca829f6c6b6", 0x23, 0x1}, {&(0x7f0000005200)="f4ee9edc1be2c2d862a480f30ae30dafadfdf869f7789a4549f5a8dac06fe4c5d5d2cf0066d88bfca6af40745ed617b7a146c940de37505cb965eaa1982c8ca0ec2106f47e4e265f1e19285bba7eb577f60066b5f46c62d2ec0068edcbe6300e4f1e3cce429e45a7df287e8009841db1015134eeaa724311e55181cb7afe7dfdc7946bd14523ea6680ea42ca9f7b0eaaabe1d054277eff607ef4f8402e5dc37e6a528ec3565823c031a8460e8b5f670668f86b90a026043a", 0xb8, 0x2}, 
{&(0x7f00000052c0)="baeede481736d90f0aa36fb327956dd763578e20199f0dc85f185c9306866ba33c93d2af9613c92909c651254e6a63503dbf317b021c4b3c8de305d3de39a1ad9ac1b0ab3f51f68c1ae1da3e4cc744fd00dfa6d1b96e21134007d31c93013854ed32550f1b82a4c03ca67440d86545dcd29eea99274f655737ad5a54d9e7f9dec49129bb84beb62b1853f69e6a077209f7e55ce0d51686ca764d2ce334cd6d09b5d92357bdef60a635", 0xa9}, {&(0x7f0000005380)="31f1fbee4b48e6e69cb61bd1ccc1e213af5a28e74cffc2e5e82fbbcd1c3400faf379d1a194d52a3667e2019b9aec0e14feed8fea770a9a1bfbbc30997321bcbbcf4d115bb3d3269e50beca5982ef1d22c983d78621dbaa93e8395efe31dfadedcaded0976f5f0c7d4f17b6cc88b897ce5ddff1ade8ef2d62dcbed421589e3cfb5d8550d3651a99115d6e", 0x8a, 0x2}, {&(0x7f0000005440)="7881b6811ea2aec8f27f7f7f523cc4baca3652f7303cd748fb4ed8cc783ac578a9e853a9906a", 0x26, 0x1}, {&(0x7f0000005480)="", 0x1000, 0xff00000000000000}, {&(0x7f0000006480)="829251fbd70caeb451ccf09a96fbfe559b217a4a12cf46a389d82c55ef7f5c64e45e1b6f269559a85e8bcc232bf1500dcb9af40f697165fde6209f8bf001585b6ccaafe194ccfdb7f8990804ee77ed9a345b52a8d7e8f4", 0x57, 0x8}, {&(0x7f0000006500)="34e0c082bd77b51d0c9ab1bcde0acc308149f3e64c75b7173cda5f39d3b4a62c60de76d12d41cec1b7c9bc9e57acb7834282a5758d7c7e4b21715febf6fbf144ad46cbf2cec87f7401", 0x49, 0x8001}, {&(0x7f0000006580)="e60976f86d91dd66cec0b1e30ec801160b84cfb1f8603703d14a6b815d22e1783eed12ce8c080e3ffbf0b53095f69603fa76a934a60a0526341eafafb3867d13e88d1d39e370a00dbe06ddc840ba7446a62597069e1dcd138f82b29ff78af1d1c3133fe9c04d732cdb4b3f6aa26989369b5f6dca6000a0767341bc2aaacd69e648621915b8aa9cb24c6bb5ae3f", 0x8d, 0x3}], 0x10000, &(0x7f0000006740)={[{@flock_strict='flock=strict'}], [{@obj_type={'obj_type', 0x3d, '/dev/vcsa#\x00'}}, {@obj_role={'obj_role', 0x3d, 'bpf_lsm_unix_may_send\x00'}}]}) syz_open_dev$I2C(&(0x7f00000067c0)='/dev/i2c-#\x00', 0x4, 0x4800) syz_open_procfs(r5, &(0x7f0000006800)='net/icmp\x00') syz_open_pts(r9, 0x258102) syz_read_part_table(0x9, 0x8, 
&(0x7f0000007d00)=[{&(0x7f0000006840)="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", 0xfe, 0x7fffffff}, {&(0x7f0000006940)="330ea746d7dfb4a5e9f33a325a9688ca04cd59af724b34f70ae370d4ac73ea9a65ab003f2cbc01af1162c0fefb2b7e4a0dcd3f2a8c23f2a1", 0x38, 0x2eed}, {&(0x7f0000006980)="", 0x1000, 0x4065ebb7}, {&(0x7f0000007980)="112a657c2770ad17f2e77762160bb14f2f71a17b88fdb946f919b2dfd3efd616e31124ff47ee668f6065a0435a791a7439d8aa10dcc418192d821e36fc0820d7cc0f88b088916d786f01426fa46b214de822d24e4d6c785feac458d98635c4801672bd4e74fd40753932121152ae0ead771e3abc7f741e393b328526e5ec29e8e0d9b3a2bebcd0eb3472a4bd8e50f953ed173ba271fbe9f9d9c463c79f44d093154ffef59c93ada783b4727fc35ba6c0db2518939cb35fb3301d4cf72d2524f83ac4ab57a8acfc93a99c26ccaee0566371229496e93021e86b956021a467f34be66e", 0xe2, 0x6d69}, {&(0x7f0000007a80)="629825e3cb9c42732810eb62f1ff4785718f7a30c63940f2eadf19dae820feb9b7b358f741b834164a9a4ac8ce398c231607f523a26db9e0aecac1d1e89022d1cd50d644f2466b25ec09c6d6ef4f0b3ef592d1408d049da49b953b327e123c6f1963c2f7a9e3cc7e0c52ed1e17d0a8b794666875b20b07a0f5c2c76d9632909f769eb25b162737bea131f5c270b3249fd65c255e68b680271d0c11196715177744e7", 0xa2, 0x9}, {&(0x7f0000007b40)="d1091749233d1e7ec50653f301a734f5dd67ac1e748923e44ccedeeb3ea234745896abcb8003ed61605b5dffa8a9af0aa12ed902d4a35a9260c53ab6a621e210e61e4002838dc29e2f798b4cbe0ed0c12a33c69ddda446b9b884fcbfe28199184bd4aeb097d0d9a393b699d1f55a57d830da497d79b9bd7dbcdbfe7e168d6007611db96733574fb150f4e90991c70fc19edba6beedc5a72169366ae5fca5c1cb413bbc54ff8f127d1b94cf9942b5c9be5fbfc93946bf1d0b289a7442fb057adb0ae7fa4189d5e5fefc75ed5d260b3c2c2445d49579e6b369e396da162d940559", 0xe0, 0x6}, {&(0x7f0000007c40)="768d82c47f166e252530915b63b40d9eba4b95fe087893453f373a94389e1120981cb44576a2051c4158400a59b9c8a940ccae2826414e14ad55c72b04f8fabfe86462409b3ab2a075ea92c8bddcd2b2fc0fd77a97bc271ecd43dd605f29b990837b409eed5965ddb3fb1b91e5bf12ddbcf21c90c7ef2f0ab9bb03f72a647ce8", 0x80, 0xfffffffffffffff7}, 
{&(0x7f0000007cc0)="46c0ce8920305b2c7f636edbb165920db78c61f8", 0x14, 0xfffffffffffffffa}]) r15 = syz_usb_connect(0x5, 0x776, &(0x7f0000007dc0)={{0x12, 0x1, 0x300, 0x94, 0xe8, 0x2e, 0x40, 0x789, 0x160, 0xf578, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x764, 0x2, 0x4, 0x8f, 0x0, 0x7f, [{{0x9, 0x4, 0x40, 0x3f, 0xe, 0xbb, 0x18, 0xf3, 0x20, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "c1b0c981cc"}, {0x5, 0x24, 0x0, 0x7}, {0xd, 0x24, 0xf, 0x1, 0x9, 0xfff, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0xaa4}, @acm={0x4, 0x24, 0x2, 0x9}]}, @hid_hid={0x9, 0x21, 0x7ff, 0x8, 0x1, {0x22, 0xd44}}], [{{0x9, 0x5, 0x3, 0x3, 0x40, 0x6, 0x6, 0x80}}, {{0x9, 0x5, 0x5, 0x8, 0x20, 0x34, 0x7, 0xd1, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x20}, @generic={0x65, 0x30, "dac16e845b149dafe66663cc3acf393fa7b0ae46cbb8cf207bdb0d3d6cf681661fa00ed58d703c226470a84eaa264be51e6810875248ede794e2207e60b04585603cd055c6348f0eb4f33f2a833f4aee8884d7773be2f45177ad4c03728ff4dd8e40fd"}]}}, {{0x9, 0x5, 0x2, 0x4, 0x3ff, 0x1f, 0x2, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x9, 0x2}]}}, {{0x9, 0x5, 0x6, 0x0, 0x40, 0x0, 0x40, 0xfd, [@uac_iso={0x7, 0x25, 0x1, 0x83, 0x1f, 0x1000}]}}, {{0x9, 0x5, 0xd, 0x1, 0x3ff, 0x3, 0x1, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x4, 0x3}]}}, {{0x9, 0x5, 0x5, 0x4, 0x8, 0x8, 0xff, 0x80}}, {{0x9, 0x5, 0xf, 0x1, 0x8, 0xae, 0x9, 0xf6, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x95, 0x6}, @generic={0x7a, 0x6, "3f8f5c318c80e5a936089fa5be9dc364d3a8ff22238b9200642bb7969b9c0989510df3f2673846f3fe68eec487476d9d8ea37c9e7ec2939c3a85842cad500bf77aed1d9290eb850af4621cafed03c08a55c422c7122f6ec0703a47dfcb279c0b03558b39c7231b38e559d0546a29ca32280a8ce47080aa8d"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x58982e9dfc588938, 0x1, 0x8c, 0x4}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x6, 0x1, 0x81}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0x80, 0x3, 0x23, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0xb5a}]}}, {{0x9, 0x5, 0x8, 0x2, 0x8, 0x1f, 0x8, 0x1f, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x7f, 0x3}]}}, 
{{0x9, 0x5, 0xd, 0xc, 0x3ff, 0x12, 0x9, 0x4, [@generic={0xe, 0x5, "a9b97bc24de62c3bcf2bfa13"}, @generic={0x44, 0x30, "9f0d5ea24268b8a3211765246b1a834af641e8cd6ea3ef9b1fe10f16bed6b06cc3a165920c9d73909ab9ac8b2a7a8a5dae5d4acf316d0b35d4b644d368a06e0eff85"}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x3, 0xff, 0x6}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x6, 0x2e}}]}}, {{0x9, 0x4, 0x7, 0x0, 0xd, 0x29, 0xcb, 0x7c, 0x9, [@hid_hid={0x9, 0x21, 0x7, 0x1, 0x1, {0x22, 0xbd9}}, @uac_as={[@format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x43, 0x1, 0x0, 0x9, 'd\"', "3709db"}, @format_type_i_discrete={0x11, 0x24, 0x2, 0x1, 0xf8, 0x2, 0x7, 0x40, "5e58dff9a0d01e4109"}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0xffec, 0x6, 0x15, '?w'}, @as_header={0x7, 0x24, 0x1, 0xe1, 0x3, 0x2}]}], [{{0x9, 0x5, 0xc, 0x8, 0x8, 0x4, 0x8, 0x8}}, {{0x9, 0x5, 0x6, 0x8, 0x8, 0x0, 0x2, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x6, 0x18}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x39, 0x0, 0x6, [@generic={0x80, 0x23, "eba3e2d4848f84d0e6ded46e24d10bf9f8b0738910e29f319e942546e9cda8638257f55d0049672a1337067af73c1c29e0bd772a1cd5e16d249ed15cdd3d85a4399aef69e3f5a506ea0e0559306fe1f42dfc10922062e2bc062c34a1adc4bc46b080259ad20b37cde1eba7178fb514b2ef7397715b0eae34d5efd5274900"}, @generic={0xa1, 0x21, "1c020b389a4c59d1f26da857b222a6f6618adb0411bb24478e68ffe758469d4bb34df6aa9577ced55383dff01c052abbde70468ce31100ca3184d1d5f803dc280df3b7ae4738ad05036701e2e38ce844a7d301d86e0597c5bc1b67e7c6a5f7dfbc3311dbd234688e85e9a7d5021e51e2d0dd418038153db65b7fc268f98ddfd9e5036f24497d2f04cdcc752178991958f7243ff4dd5aefcf759a3fe7fb34c8"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x240, 0x2, 0x1, 0x0, [@generic={0x26, 0x3, "b451e24f6972cd6429f81ca173d13fb2c7f5284751638bbc4f0b3de02091fbb4f44533d9"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x7, 0x3f, 0xdb, [@generic={0xc0, 0x0, 
"ba73f770a427b8438313cb7e9d9d53a7e3110366c878e3c0f6e629ebb2a084a90b2def4b66950fdfd606e0834229e63028875489678bc93698ed8613884254703c315f1ee529d1bcbfaf8d865e738b9e08cbc4a211d480bdc2a6e69e172b1c73639474f1f0115b5f4918d037451c99dee88547562582d57171aa196913f11915d1fdc1a513b16c0b9c1fa07157421046f4f3372d00d4a27eb93ecd79b685e14f3eba647e7b20aefdf92ed05bef68935265ce0035e3b624852350d1234ef9"}, @generic={0xa, 0x5, "290a548e962666df"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x7d7, 0x0, 0x7, 0xf9, [@generic={0xcd, 0x2, "74cd6007ae0ea1297f07018cbdaaa0c87851a01308ad717f235e9eff8010ad1046a5148d352a70760bc4bebdd7528bf7d506da1baac2cf499d52de51d71b05185d7cd268023de5961304521b5f567c74ccab78b61c3f641662af2d55d5157a0ddc80c75962e9bda9ff2d3b63df6a6a0e2aebbfc664de3f3a34d66200fa092475685957f0b3594247a21d463cfe0ccd8044f95319b4d40c7f022d5a9ce9e348cd623dc4c590bee5a1047270954214611a8d98e60aa697a5ce30eeacd2397094e50716739911a4478b495f02"}, @generic={0x2b, 0x3, "9bc9f5807506303fbfd71282a82058560fe8180b205f6f47f9d7cf05280b7eb96d6d1589972f402ef4"}]}}, {{0x9, 0x5, 0x7, 0x1a, 0x8, 0x7, 0x3, 0x86, [@generic={0x35, 0xb, "018a3d5fb94d26c6a689e91eb6a9e49bf1b883b9e3da0a42bf45639bc1b19a0d8e78babd769b27a43dd091ce83b4a91cf5d119"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x6}]}}, {{0x9, 0x5, 0x3, 0x2, 0x200, 0x8, 0x55, 0x7, [@generic={0xc, 0x21, "f2ae0c70731245835364"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x400, 0xff, 0x9, 0x7f}}, {{0x9, 0x5, 0x3, 0x4, 0x3ff, 0x3, 0x81, 0x1f, [@generic={0x102, 0xb, "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"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x200}]}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x81, 0x1, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x8, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x8}]}}, {{0x9, 0x5, 0x0, 0x4, 0x80, 0x9, 0x6, 0x7}}, {{0x9, 0x5, 0x3, 0x0, 0x7ff, 0x1, 0xff, 0x1f}}]}}]}}]}}, &(0x7f0000008640)={0xa, &(0x7f0000008540)={0xa, 0x6, 0x0, 0x2, 0x86, 0x80, 0x10, 0x2}, 0x42, &(0x7f0000008580)={0x5, 0xf, 0x42, 0x5, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x3, 0x73, 0x4}, @ptm_cap={0x3}, 
@ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0xeb, 0x3f, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x8, 0xf, 0x6, 0x5}, @generic={0x1f, 0x10, 0x1, "61408d3d2e1872469226d4d9befecdac208dfdaa385178f48ca75650"}]}, 0x1, [{0x4, &(0x7f0000008600)=@lang_id={0x4, 0x3, 0x41a}}]}) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000008680)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r15, &(0x7f0000008900)={0x2c, &(0x7f0000008700)={0x20, 0x21, 0xdb, {0xdb, 0x24, "b501b9a676dfcb3e98c66e8b6877cac30dfb9856c72094ee90f23170f33dc0416919146a8a2ad605ce54f3d443ec597b337b1b4d39c44289bbfc621a00862648fe2df754e463455ef88f55fb63b4b7719dd8d3e6846c4d254afb2e40116d2b5fcd883a84212217e065cd44666801154e7b43e3d1629dc76f3a7110e80790ce65ee44961d306521e94e6ee941a97e0eab0e8037fef768902891bb4105d8baf0a35f93d2a5635935799c87eb91b5e5ff7ae91cbe9cdadd653a486d72d67dc3b371e4e5fa618759de87ebe1ec278d140834590f6c513e4c95cbb3"}}, &(0x7f0000008800)={0x0, 0x3, 0x18, @string={0x18, 0x3, "2c5ddd5fc63236d47af3164223e9b423e13b8560f28a"}}, &(0x7f0000008840)={0x0, 0xf, 0x35, {0x5, 0xf, 0x35, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x8, 0x2, 0xa, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x8, 0x3f, 0x1, 0x4, 0x6}, @ss_container_id={0x14, 0x10, 0x4, 0x80, "d0d1e2d868e0fa991777cac1b7948258"}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x3, 0x4, 0x0, 0x8}]}}, &(0x7f0000008880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x4, 0xc1, 0x7f, "1bc19f6f", "0cd3a196"}}, &(0x7f00000088c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xff, 0x8, 0x20, 0x2, 0x6, 0x800, 0x9}}}, &(0x7f0000008e00)={0x84, &(0x7f0000008940)={0x0, 0xb, 0xe5, 
"ea88bca9c1e3f5bdf607f7252573dd8756e9f32a7c4aeea5b3e1ae6fdbe3194c1918d9d9a3aa13dbbc47e1430d7be6a180c7388456d12a5c327b716d2341bcd0ef82a4a34610e28fc7b2e172dfa056c6353da166496ca2540e60bb52066ef4773667409a68eff52e75ff93469e4ff5d69966b81e034c688a2f6fd945ecd05f336573586823fd9f6d40bb483dd27ad46b841455ac07fc319b8cb5f5e2daa64a6c5f3bc099270cd376660ef3456571aa6d2fe48667838d811126caceedaebef9608192b603327f6ee9ed42572b6eb3c6630e9017428ed370bd0324da01eae4a7881a6b88aa1a"}, &(0x7f0000008a40)={0x0, 0xa, 0x1, 0x5}, &(0x7f0000008a80)={0x0, 0x8, 0x1, 0x1f}, &(0x7f0000008ac0)={0x20, 0x0, 0x4, {0x2, 0x3}}, &(0x7f0000008b00)={0x20, 0x0, 0x4, {0x100, 0x1}}, &(0x7f0000008b40)={0x40, 0x7, 0x2, 0xffff}, &(0x7f0000008b80)={0x40, 0x9, 0x1, 0x7f}, &(0x7f0000008bc0)={0x40, 0xb, 0x2, "a6ab"}, &(0x7f0000008c00)={0x40, 0xf, 0x2}, &(0x7f0000008c40)={0x40, 0x13, 0x6}, &(0x7f0000008c80)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}, &(0x7f0000008cc0)={0x40, 0x19, 0x2, 'rN'}, &(0x7f0000008d00)={0x40, 0x1a, 0x2, 0xb81}, &(0x7f0000008d40)={0x40, 0x1c, 0x1, 0x40}, &(0x7f0000008d80)={0x40, 0x1e, 0x1, 0x80}, &(0x7f0000008dc0)={0x40, 0x21, 0x1, 0x92}}) syz_usb_disconnect(r15) syz_usb_ep_read(r16, 0x1f, 0x80, &(0x7f0000008ec0)=""/128) syz_usb_ep_write(r15, 0xff, 0x49, &(0x7f0000008f40)="059cbaeb6864bcc93a17640936d2e5450deb6a94a3cd8dbac2fbcfac932f8dd22205e7ae589b0f0172e751e308a236cea85711d74b546d98b4d75afcc65fd04633c1fbed7cfe4d049d") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if 
(clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) 
return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
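btf_array { __u32 type; __u32 index_type; __u32 nelems; };
struct btf_member { __u32 name_off; __u32 type; __u32 offset; };
struct btf_param { __u32 name_off; __u32 type; };
struct btf_var { __u32 linkage; };
struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; };
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a process-wide static buffer of at most
// VMLINUX_MAX_SUPPORT_SIZE bytes and caches it for subsequent calls.
// Returns the buffer, or NULL when the file cannot be opened, a read fails, or
// the blob reaches the size cap. A failure is not cached, so a later call
// retries from scratch.
// NOTE(review): is_read/buf are not synchronized; concurrent first calls from
// several threads would race on the buffer — confirm against the callers.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	// O_CLOEXEC, as write_file() already does: this program also executes
	// other binaries, and the sysfs descriptor must not leak into them.
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		// A blob that fills the cap exactly is rejected too: there may be more
		// data that was never read, and the parser trusts the header offsets.
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			// The original returned here without closing fd, leaking one
			// descriptor per failed attempt (and this path is retried).
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	// The original never closed fd on the success path either.
	close(fd);
	is_read = true;
	return buf;
}

// Returns the 1-based BTF type id whose name equals the string at a0, or -1
// when the BTF blob is unavailable, has a bad magic, or holds no such name.
// NOTE(review): hdr_len/type_off/str_off, each name_off and the per-kind skip
// are taken from the blob without being checked against the bytes actually
// read; the kernel's own BTF is the only expected input — confirm.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// Size of the kind-specific payload that follows struct btf_type.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case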
BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && 
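index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			// Endpoints are attached to the most recently seen interface.
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				// NOTE(review): copies the full sizeof(desc) regardless of
				// desc_length, so a shorter endpoint descriptor at the very
				// end of the buffer is read slightly past `length` — verify
				// the caller's buffer has slack.
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

// Claims the next free usb_devices slot for fd and parses dev into it.
// Returns the parsed index, or NULL when all USB_MAX_FDS slots are used or the
// descriptor blob is malformed. The slot counter is not given back on failure
// (unchanged from the original), so a failed connect burns a slot.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	// Publish fd last with release semantics so a reader that observes it
	// (acquire load in lookup_usb_index) also observes the parsed index.
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Finds the parsed device index registered for fd, or NULL if none.
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptors returned when the program supplies none.
static const char default_string[] = {
    8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0
};

static const char default_lang_id[] = {
    4, USB_DT_STRING, 0x09, 0x04
};

// Answers an IN control request seen while the emulated device enumerates.
// On success sets *response_data/*response_length to the bytes to return and
// returns true; returns false (the caller stalls EP0) for an unknown fd or an
// unsupported request. descs may be NULL: the program may pass no connect
// descriptors at all (syz_usb_connect_ath9k does), and only the STRING case
// guarded against that in the original.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// Original dereferenced descs unconditionally here.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Synthesize DEVICE_QUALIFIER from the device descriptor.
					// The original cast response_data — a char** pointing at
					// the caller's local pointer — to the descriptor type and
					// wrote the whole struct through it, overwriting that
					// pointer variable (and leaving it non-NULL) instead of
					// pointing it at descriptor bytes. Use a real buffer; it
					// is static because the pointer handed back must outlive
					// this call. NOTE(review): a single shared buffer races if
					// two devices enumerate concurrently — confirm usage.
					static struct usb_qualifier_descriptor qual;
					qual.bLength = sizeof(qual);
					qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual.bcdUSB = index->dev->bcdUSB;
					qual.bDeviceClass = index->dev->bDeviceClass;
					qual.bDeviceSubClass = index->dev->bDeviceSubClass;
					qual.bDeviceProtocol = index->dev->bDeviceProtocol;
					qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual.bNumConfigurations = index->dev->bNumConfigurations;
					qual.bRESERVED = 0;
					*response_data = (char*)&qual;
					*response_length = sizeof(qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}

	return false;
}

typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{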
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if 
(desc->req_type == req_type && desc->desc_type == desc_type) {
				// Exact match; a zero-length descriptor is reported with a NULL data pointer.
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		// No exact match: fall back to the generic descriptor, if one was supplied.
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		// Match on (request type, request) in the response table.
		// NOTE(review): resps is dereferenced in this loop before the NULL check below;
		// presumably resps_num is 0 whenever resps is NULL — confirm at the call site.
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}

// Local copy of the raw-gadget interface definitions used by the syz_usb_* helpers
// below (the device is opened at "/dev/raw-gadget" in usb_raw_open).
#define UDC_NAME_LENGTH_MAX 128
// Argument of USB_RAW_IOCTL_INIT: fixed-size UDC driver/device names plus the speed.
struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};
enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};
// Event header for USB_RAW_IOCTL_EVENT_FETCH; the callers below set `length` to the size
// of the buffer that follows the header before issuing the ioctl.
struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};
// Transfer header for the EP0/EP read and write ioctls; `length` is the number of bytes
// of trailing data the caller provides (write) or accepts (read).
struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};
#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff
struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};
struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};
struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};
struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};
#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Thin wrappers over the raw-gadget ioctls; each returns the raw ioctl/open result
// (negative on error, errno set by the kernel).
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}
// Binds the gadget to UDC `device` under `driver` at `speed`. strncpy writes exactly
// sizeof(field) bytes: shorter names are NUL-padded, a name of 128+ bytes is stored
// without a terminating NUL (the kernel side is assumed to treat the field as fixed-size).
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
	arg.speed = speed; // uint32_t narrowed to __u8
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}
static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}
static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the index of the interface with the given (bInterfaceNumber, bAlternateSetting)
// in the per-fd device index, or -1 if the fd is unknown or no interface matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}
// Returns the raw-gadget endpoint handle for bEndpointAddress in the currently selected
// interface, or -1 if the fd is unknown or no interface is selected.
// NOTE(review): the for-condition only tests eps_num for being non-zero and never compares
// it against `ep`, so a lookup that finds no matching endpoint keeps indexing eps[] past
// eps_num instead of reaching `return -1`; `ep < index->ifaces[index->iface_cur].eps_num`
// looks like the intended bound.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	for (int ep = 0; index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}
// Disables every endpoint of the current interface, then enables the endpoints of
// interface n (recording the kernel handle per endpoint) and makes n current. Errors from
// the enable/disable ioctls are ignored; the empty if/else branches are presumably where
// debug output lives in a non-stripped build. An out-of-range n only disables the current
// interface and leaves iface_cur unchanged.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
			if (rv < 0) {
			} else {
			}
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv < 0) {
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}
// Completes SET_CONFIGURATION handling: reports the configuration's bMaxPower as the VBUS
// draw, tells raw-gadget the device is configured, and selects interface 0.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096
// Control event as fetched by the callers below: raw-gadget header, the 8-byte setup
// packet, then room for the data stage.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};
// Endpoint transfer with an inline data buffer of USB_MAX_PACKET_SIZE bytes.
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Emulates a USB device connect: opens raw-gadget, registers the device descriptors for
// the fd (add_usb_index), binds to "dummy_udc.<procid>", then services control requests
// until lookup_connect_response_out reports completion by setting `done`. Returns the
// raw-gadget fd on success and a negative value on failure.
// NOTE(review): after usb_raw_open succeeds, the failure returns below (add_usb_index,
// usb_raw_init, usb_raw_run, event fetch, configure_device, EP0 I/O) do not close fd;
// presumably the harness closes all fds when the program finishes — confirm.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	// The per-fd index table only covers fds below MAX_FDS.
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	// "dummy_udc." (10) + at most 20 decimal digits + NUL fits the 32-byte buffer.
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		// IN requests are answered from the descriptor tables; OUT requests that the OUT
		// lookup accepts are acknowledged with a zero-filled buffer of wLength bytes.
		// Anything the lookups reject is stalled and the loop waits for the next request.
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// Bound the reply by the local buffer (an oversized reply is dropped to zero length
		// rather than truncated) and by what the host asked for in wLength.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}
// Pseudo-syscall entry points: decode the generic `volatile long` arguments and pick the
// OUT-request handler (generic vs. ath9k-specific).
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}
// Services exactly one control request on an already-connected gadget fd (a0), answering
// IN requests with data from the descriptor/response tables (a1, a2). Returns 0 once the
// request has been answered, -1 if the fetched event is not a control request or no
// response is known (the request is then stalled), or the failing ioctl's result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): with `||` every standard-type request, not only SET_INTERFACE, is
		// routed through lookup_interface/set_interface with its wIndex/wValue; `&&` looks
		// like the intended condition — confirm.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// An IN request with wLength == 0 is handled as a read with the full buffer exposed.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
// Writes up to USB_MAX_PACKET_SIZE bytes from data (a3) to endpoint address a1 of gadget
// fd a0; longer requests are silently truncated. `data` is not NULL-checked.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
// Reads up to min(a2, USB_MAX_PACKET_SIZE) bytes from endpoint address a1 into data (a3).
// NOTE(review): the final memcpy uses inner.length as reported back by the ioctl, so this
// relies on the kernel never reporting more than the `len` it was handed; otherwise the
// copy would overrun the caller's buffer — confirm against the raw-gadget contract.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}
// Disconnects the emulated device by closing its raw-gadget fd.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// Opens a device node. With a0 == 0xc (char) or 0xb (block) the path is
// /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>, major/minor narrowed to 8 bits, opened
// O_RDWR. Otherwise a0 is a path template: each '#' (left to right) is replaced by the
// next low decimal digit of a1, and a2 is the open(2) flags. The template is copied into
// a 1024-byte buffer with silent truncation.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}
// Opens a procfs entry named by the string a1: under /proc/self (a0 == 0),
// /proc/thread-self (a0 == -1) or /proc/self/task/<a0> otherwise. Tries O_RDWR first and
// falls back to O_RDONLY. The path is built with snprintf into 128 bytes (silent truncation).
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}
// Opens the slave side of the pty whose master fd is a0 (number via TIOCGPTN) with flags a1.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}
// In this build this is a plain socket(2) issued through syscall().
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	return syscall(__NR_socket, domain, type, proto);
}
// Resolves a generic-netlink family name to its numeric id: sends CTRL_CMD_GETFAMILY with a
// CTRL_ATTR_FAMILY_NAME attribute on a temporary NETLINK_GENERIC socket, reads one reply
// and returns the CTRL_ATTR_FAMILY_ID value, or -1 on any failure (including an error
// reply, whose nlmsg_type is not GENL_ID_CTRL).
// NOTE(review): the name is copied with strncpy(.., GENL_NAMSIZ), so a name of 16+ bytes is
// sent unterminated. The reply walk reuses the request's `attr` pointer (both messages share
// the nlmsghdr+genlmsghdr layout in buf); it bounds only the start of each attribute against
// buf + n, does not check that nla_len fits in the remaining bytes, and an nla_len of 0 would
// not advance the loop (NLMSG_ALIGN(0) == 0). The reply comes from the kernel's genetlink
// controller, so this is a robustness issue rather than a trust-boundary one.
static long syz_genetlink_get_family_id(volatile long name)
{
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

// One piece of a filesystem image: `size` bytes at host address `data`, placed at byte
// `offset` of the image (see the pwrite loop in setup_loop_device).
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};
#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
// Hard-coded x86-64 syscall number for memfd_create.
#define sys_memfd_create 319
// Clamps caller-supplied segments to IMAGE_MAX_SEGMENTS / IMAGE_MAX_SIZE in place (each
// segment is kept inside the image by wrapping its offset and shrinking size/offset as
// needed), grows `size` to cover them, and returns the clamped image size.
// NOTE(review): the growth test uses `offset + offset` where `offset + size` looks intended,
// so the returned size can be smaller than the end of a segment; the pwrite in
// setup_loop_device then writes past the ftruncate'd length. The clamped nsegs is also not
// returned to the caller, which still iterates over the original nsegs (see setup_loop_device).
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		if (size < segs[i].offset + segs[i].offset)
			size = segs[i].offset + segs[i].offset;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}
// Builds the image in a memfd (ftruncate to `size`, then pwrite each segment; pwrite
// failures are ignored) and attaches it to the loop device at `loopname`, retrying once
// after LOOP_CLR_FD if the device is busy. On success stores both fds in *memfd_p/*loopfd_p
// and returns 0; on failure closes what was opened, restores errno and returns -1.
// NOTE(review): the pwrite loop runs over the caller's unclamped nsegs, so segments beyond
// IMAGE_MAX_SEGMENTS are written with their size/offset unvalidated.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	size = fs_image_segment_check(size, nsegs, segs);
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}
// Attaches the image to /dev/loop<procid>, turns on partition scanning, and for each
// partition node /dev/loop<procid>p1..p7 that exists creates ./file<j> (j counting from 0)
// as a symlink to it. The loop device is always detached and both fds closed before
// returning; result is 0 once the partition scan was requested, symlink failures are ignored.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	close(memfd);
	errno = err;
	return res;
}
// Mounts filesystem `fsarg` at directory `dir` (created with mode 0777 if missing). When
// segments are given the image is staged on /dev/loop<procid>; otherwise source is NULL.
// Mount options are copied with 32 bytes of headroom so the fs-specific suffixes appended
// below (",errors=continue" is 16 bytes, ",nouuid" 7) still fit; options longer than 224
// bytes are silently truncated (the empty if is presumably a stripped debug message).
// iso9660 is forced read-only; ext* gets ",errors=continue" appended whenever the options
// contain "errors=panic" or lack "errors=remount-ro"; xfs gets ",nouuid". Returns an
// O_RDONLY|O_DIRECTORY fd on the mount point, or -1 with errno set. The loop device is
// detached before returning (presumably the mount keeps its own reference — confirm).
// NOTE(review): mount_opts is passed to strlen/strncpy without a NULL check.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
			return -1;
		source = loopname;
	}
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
	}
error_clear_loop:
	if (need_loop_device) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
		close(memfd);
	}
	errno = err;
	return res;
}

// Raw x86 machine-code blobs for the KVM guest. syz_kvm_setup_cpu assigns one of them to
// text_prefix (the assignment is visible at the end of this chunk); presumably they switch
// the vCPU into the requested mode before the fuzzer-supplied text runs — the selection
// logic is outside this chunk.
const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb";
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8";
const char kvm_asm64_init_vm[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x7
9\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc
0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd
0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define 
ADDR_VAR_VMXON 0x6000
#define ADDR_VAR_VMCS 0x7000
#define ADDR_VAR_VMEXIT_CODE 0x9000
#define ADDR_VAR_USER_CODE 0x9100
#define ADDR_VAR_USER_CODE2 0x9120
// Segment selectors: GDT slot index << 3, with RPL 3 added for the CPL3 variants.
#define SEL_LDT (1 << 3)
#define SEL_CS16 (2 << 3)
#define SEL_DS16 (3 << 3)
#define SEL_CS16_CPL3 ((4 << 3) + 3)
#define SEL_DS16_CPL3 ((5 << 3) + 3)
#define SEL_CS32 (6 << 3)
#define SEL_DS32 (7 << 3)
#define SEL_CS32_CPL3 ((8 << 3) + 3)
#define SEL_DS32_CPL3 ((9 << 3) + 3)
#define SEL_CS64 (10 << 3)
#define SEL_DS64 (11 << 3)
#define SEL_CS64_CPL3 ((12 << 3) + 3)
#define SEL_DS64_CPL3 ((13 << 3) + 3)
#define SEL_CGATE16 (14 << 3)
#define SEL_TGATE16 (15 << 3)
#define SEL_CGATE32 (16 << 3)
#define SEL_TGATE32 (17 << 3)
#define SEL_CGATE64 (18 << 3)
#define SEL_CGATE64_HI (19 << 3)
#define SEL_TSS16 (20 << 3)
#define SEL_TSS16_2 (21 << 3)
#define SEL_TSS16_CPL3 ((22 << 3) + 3)
#define SEL_TSS32 (23 << 3)
#define SEL_TSS32_2 (24 << 3)
#define SEL_TSS32_CPL3 ((25 << 3) + 3)
#define SEL_TSS32_VM86 (26 << 3)
#define SEL_TSS64 (27 << 3)
#define SEL_TSS64_HI (28 << 3)
#define SEL_TSS64_CPL3 ((29 << 3) + 3)
#define SEL_TSS64_CPL3_HI (30 << 3)
// MSR numbers (setup_syscall_msrs programs the SYSENTER/STAR/LSTAR ones).
#define MSR_IA32_FEATURE_CONTROL 0x3a
#define MSR_IA32_VMX_BASIC 0x480
#define MSR_IA32_SMBASE 0x9e
#define MSR_IA32_SYSENTER_CS 0x174
#define MSR_IA32_SYSENTER_ESP 0x175
#define MSR_IA32_SYSENTER_EIP 0x176
#define MSR_IA32_STAR 0xC0000081
#define MSR_IA32_LSTAR 0xC0000082
#define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B
// Assembler immediate, presumably used by inline asm outside this chunk.
#define NEXT_INSN $0xbadc0de
#define PREFIX_SIZE 0xba1d
#define KVM_SMI _IO(KVMIO, 0xb7)
// Control-register bits.
#define CR0_PE 1
#define CR0_MP (1 << 1)
#define CR0_EM (1 << 2)
#define CR0_TS (1 << 3)
#define CR0_ET (1 << 4)
#define CR0_NE (1 << 5)
#define CR0_WP (1 << 16)
#define CR0_AM (1 << 18)
#define CR0_NW (1 << 29)
#define CR0_CD (1 << 30)
#define CR0_PG (1 << 31)
#define CR4_VME 1
#define CR4_PVI (1 << 1)
#define CR4_TSD (1 << 2)
#define CR4_DE (1 << 3)
#define CR4_PSE (1 << 4)
#define CR4_PAE (1 << 5)
#define CR4_MCE (1 << 6)
#define CR4_PGE (1 << 7)
#define CR4_PCE (1 << 8)
// NOTE(review): CR4_OSFXSR is defined with the same bit as CR4_PCE; in the x86 CR4 layout
// OSFXSR is bit 9, so any use of CR4_OSFXSR here actually refers to the PCE bit.
#define CR4_OSFXSR (1 << 8)
#define CR4_OSXMMEXCPT (1 << 10)
#define CR4_UMIP (1 << 11)
#define CR4_VMXE (1 << 13)
#define CR4_SMXE (1 << 14)
#define CR4_FSGSBASE (1 << 16)
#define CR4_PCIDE (1 << 17)
#define CR4_OSXSAVE (1 << 18)
#define CR4_SMEP (1 << 20)
#define CR4_SMAP (1 << 21)
#define CR4_PKE (1 << 22)
// EFER bits.
#define EFER_SCE 1
#define EFER_LME (1 << 8)
#define EFER_LMA (1 << 10)
#define EFER_NXE (1 << 11)
#define EFER_SVME (1 << 12)
#define EFER_LMSLE (1 << 13)
#define EFER_FFXSR (1 << 14)
#define EFER_TCE (1 << 15)
// Page-directory entry bits for the 32-bit and 64-bit paging setups.
#define PDE32_PRESENT 1
#define PDE32_RW (1 << 1)
#define PDE32_USER (1 << 2)
#define PDE32_PS (1 << 7)
#define PDE64_PRESENT 1
#define PDE64_RW (1 << 1)
#define PDE64_USER (1 << 2)
#define PDE64_ACCESSED (1 << 5)
#define PDE64_DIRTY (1 << 6)
#define PDE64_PS (1 << 7)
#define PDE64_G (1 << 8)

// Packed images of the 16-, 32- and 64-bit task-state segments; packed so the in-memory
// layout is exactly the field sequence (they are written into guest memory outside this chunk).
struct tss16 {
	uint16_t prev;
	uint16_t sp0;
	uint16_t ss0;
	uint16_t sp1;
	uint16_t ss1;
	uint16_t sp2;
	uint16_t ss2;
	uint16_t ip;
	uint16_t flags;
	uint16_t ax;
	uint16_t cx;
	uint16_t dx;
	uint16_t bx;
	uint16_t sp;
	uint16_t bp;
	uint16_t si;
	uint16_t di;
	uint16_t es;
	uint16_t cs;
	uint16_t ss;
	uint16_t ds;
	uint16_t ldt;
} __attribute__((packed));
struct tss32 {
	uint16_t prev, prevh;
	uint32_t sp0;
	uint16_t ss0, ss0h;
	uint32_t sp1;
	uint16_t ss1, ss1h;
	uint32_t sp2;
	uint16_t ss2, ss2h;
	uint32_t cr3;
	uint32_t ip;
	uint32_t flags;
	uint32_t ax;
	uint32_t cx;
	uint32_t dx;
	uint32_t bx;
	uint32_t sp;
	uint32_t bp;
	uint32_t si;
	uint32_t di;
	uint16_t es, esh;
	uint16_t cs, csh;
	uint16_t ss, ssh;
	uint16_t ds, dsh;
	uint16_t fs, fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint32_t reserved3;
	uint32_t io_bitmap;
} __attribute__((packed));

// Packs a kvm_segment into an 8-byte descriptor and stores it at slot (selector >> 3) of
// both tables dt and lt. Bit layout produced: 0-15 limit[15:0], 16-39 base[23:0], 40-43
// type, 44 S, 45-46 DPL, 47 P, 52 AVL, 53 L, 54 D/B, 55 G. When g is set the limit is
// first scaled down by 12 bits. No bounds check is made on the slot index (callers pass
// fixed SEL_* constants or small loop counters).
// NOTE(review): `(limit & 0xf0000ULL) << 48` lands in bits 64-67 and
// `(seg->base & 0xff000000ULL) << 56` in bits 80-87 of a 64-bit value, so limit[19:16]
// and base[31:24] are always shifted out and the stored descriptor has them as zero;
// `<< 32` would place them at bits 48-51 and 56-63. With the limits used here (e.g.
// 0xfffff, g = 0) the effective limit therefore becomes 0xffff.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
	dt[index] = sd;
	lt[index] = sd;
}
// Same as fill_segment_descriptor but also zeroes the following slot in both tables
// (presumably the upper half of a 16-byte long-mode system descriptor — confirm).
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}
// Programs the five SYSENTER/SYSCALL MSRs on the vCPU: SYSENTER_CS = sel_cs, SYSENTER_ESP =
// ADDR_STACK0, SYSENTER_EIP = ADDR_VAR_SYSEXIT, STAR = sel_cs in bits 32-47 and sel_cs_cpl3
// in bits 48-63, LSTAR = ADDR_VAR_SYSRET. The KVM_SET_MSRS result is ignored.
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = MSR_IA32_SYSENTER_ESP;
	entries[1].data = ADDR_STACK0;
	entries[2].index = MSR_IA32_SYSENTER_EIP;
	entries[2].data = ADDR_VAR_SYSEXIT;
	entries[3].index = MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = MSR_IA32_LSTAR;
	entries[4].data = ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}
// Fills 32 IDT entries at guest address ADDR_VAR_IDT (limit 0x1ff = 64 8-byte slots). The
// kvm_segment is reused as a gate: `base` carries the target selector and `limit` the code
// offset (ADDR_VAR_USER_CODE2), as packed by fill_segment_descriptor. Gate types cycle
// through 6, 7, 3 (16-bit selectors) and 14, 15, 11 (32-bit selectors).
// NOTE(review): in the x86 system-descriptor encoding 6/7 and 14/15 are the 16-/32-bit
// interrupt and trap gates, but 3 and 11 are busy-TSS types rather than task gates (5);
// this may be deliberate for fuzzing — confirm. The host pointer is host_mem + guest
// address, which is only right for the guest_mem == 0 identity mapping used by
// syz_kvm_setup_cpu.
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = SEL_TGATE32;
			break;
		}
		gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(idt, idt, &gate);
	}
}
// 64-bit variant: 32 gates, each occupying two 8-byte slots (selector (i * 2) << 3, the
// second slot zeroed by fill_segment_descriptor_dword), targeting SEL_CS64 with type
// alternating 15 (even i) and 14 (odd i).
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ? 14 : 15;
		gate.base = SEL_CS64;
		gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(idt, idt, &gate);
	}
}

// Guest code blob descriptor passed to syz_kvm_setup_cpu: mode/type tag, pointer, length.
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};
// Generic (type, value) option passed to syz_kvm_setup_cpu.
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};
// Bits of the `flags` argument (a5) of syz_kvm_setup_cpu.
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)
// Prepares a KVM vCPU for fuzzing: a0 = VM fd, a1 = vCPU fd, a2 = host mapping backing
// guest memory, a3/a4 = kvm_text array and count (only element 0 is used; the count is
// not checked before indexing), a5 = KVM_SETUP_* flags, a6/a7 = kvm_opt array and count.
// Guest memory is 24 4 KiB pages mapped 1:1 from host_mem starting at guest address 0,
// except slot `ioapic_page`, which is placed at 0xfec00000. The function body continues
// past the end of this chunk.
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	const int vmfd = a0;
	const int cpufd = a1;
	char* const host_mem = (char*)a2;
	const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
	const uintptr_t text_count = a4;
	const uintptr_t flags = a5;
	const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
	uintptr_t opt_count = a7;
	const uintptr_t page_size = 4 << 10;
	const uintptr_t ioapic_page = 10;
	const uintptr_t guest_mem_size = 24 * page_size;
	const uintptr_t guest_mem = 0;
	(void)text_count;
	int text_type = text_array_ptr[0].typ;
	const void* text = text_array_ptr[0].text;
	uintptr_t text_size = text_array_ptr[0].size;
	for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
		struct kvm_userspace_memory_region memreg;
		memreg.slot = i;
		memreg.flags = 0;
memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment 
seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; 
seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = 
kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); 
uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = 
SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; 
*(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); 
fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, 
FS_IOC_SETFLAGS, &flags) == 0) { // continuation of remove_dir(): clear inode flags, then retry unlink
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break; // read-only filesystem: nothing more can be done for this entry
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	// Remove the (now hopefully empty) directory itself, with the same
	// EPERM / EROFS / EBUSY handling; ENOTEMPTY restarts the whole scan from
	// `retry` at most 100 times.
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Kills the test child `pid` (and its process group) and reaps it into
// *status. After SIGKILL it polls waitpid for ~100 ms; if the child has not
// exited by then it is assumed to be stuck in a FUSE request, so every
// connection under /sys/fs/fuse/connections is aborted (the kernel aborts on
// any write to the `abort` file — the byte written is irrelevant, here the
// first byte of the path buffer). Note this aborts all FUSE mounts on the
// host, not only the child's; reproducers are meant for dedicated test VMs.
// Finally it blocks until waitpid returns the child's pid.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detaches any backing file from this process's loop device
// (/dev/loop<procid>) so a previous iteration cannot leak state into the next.
// Failure to open the device is ignored.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-child test setup: die with SIGKILL when the parent exits, become a
// process-group leader (so kill_and_wait's kill(-pid) reaches all threads and
// grandchildren), and make this process the preferred OOM-killer victim.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// Smallest read buffer syz_fuse_handle_req accepts for a /dev/fuse read.
#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes (subset of the kernel's uapi/linux/fuse.h values),
// used to pick which prepared reply answers an incoming request.
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header the kernel prepends to every request read from /dev/fuse.
struct fuse_in_header {
	uint32_t len; // total request length including this header
	uint32_t opcode; // enum fuse_opcode
	uint64_t unique; // request id, echoed back in fuse_out_header.unique
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

// Header that starts every reply written to /dev/fuse.
struct fuse_out_header {
	uint32_t len; // total reply length including this header
	uint32_t error;
	uint64_t unique;
};

// Prepared replies, one per request family, supplied by the test program.
// Any pointer may be NULL, in which case requests of that family fail.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

// Writes the prepared reply out_hdr to the FUSE fd, stamping it with the
// request's unique id. out_hdr->len is trusted to describe the size of the
// buffer behind out_hdr (it comes from the test program, not the kernel).
// Returns 0 on success, -1 if out_hdr is NULL or write() fails.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

// syz_fuse_handle_req: pseudo-syscall that reads one request from a /dev/fuse
// fd (a0) into buf (a1, a2 = length, must be >= FUSE_MIN_READ_BUFFER) and
// answers it with the matching prepared reply from req_out (a3).
// The request is sanity-checked before use: at least a full fuse_in_header
// must have been read and in_hdr->len must not exceed the bytes read.
// FORGET/BATCH_FORGET expect no reply and return 0 without writing; unknown
// opcodes return -1. For the operations that carry no payload the shared
// req_out->init header is reused and its len is overwritten to a bare header,
// which also changes what a later FUSE_INIT reply would send.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		// No payload: reply with just a header, reusing the init buffer.
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

// syz_execute_func: pseudo-syscall that jumps to the raw machine code the
// test program placed at address `text` (in the fixed 0x20000000 data mapping)
// and returns 0 if that code returns. The empty asm statement pins the
// constants 0..13 into 14 registers before the call, presumably so the
// executed bytes start from deterministic register contents — confirm
// against the syzkaller executor source.
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	((void (*)(void))(text))();
	return 0;
}

// One worker thread of the threaded executor: `ready` is set by execute_one
// to hand over call number `call`; `done` is set by the worker when finished.
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running; // number of calls currently executing across all workers

// Worker loop: wait for a call to be assigned, run it, then signal completion.
// The thread never exits; the process is torn down by the parent instead.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs the 42 calls of the program in order, each on the first idle worker
// thread (creating workers lazily), waiting a bounded time per call (45 ms
// baseline plus per-call extras: 500 ms for call 10, 50 ms for 31, 3000 ms for
// 36/37, 300 ms for 38..41). A call that overruns its timeout is left running
// on its thread and the next call moves on to another worker. After the last
// call, wait up to ~100 ms for still-running calls to drain.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 42; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 31 ? 50 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Main repeat loop: each iteration gets a fresh ./<iter> directory, resets the
// loop device, and forks a child that runs the whole program once via
// execute_one. The parent waits up to 5 s, then kills and reaps the child with
// kill_and_wait, and finally removes the iteration directory. Never returns.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

#ifndef __NR_execveat
#define __NR_execveat 322
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

// Results of earlier calls referenced by later ones (r0..r16 in the program
// listing). Slots that hold fds start at -1; slots for extracted values start
// at 0.
uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Executes call number `call` of the generated program: arguments are
// materialised at fixed addresses in the 0x20000000 data mapping, the
// syscall is issued, and fds/values needed later are saved into r[].
// The switch continues past this block (remaining cases follow below).
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		syscall(__NR_socket, 0x10ul, 3ul, 0xc);
		break;
	case 1:
		memcpy((void*)0x20000000, "./file0\000", 8);
		res = syscall(__NR_open, 0x20000000ul, 0x2000ul, 0x163ul);
		if (res != -1)
			r[0] = res;
		break;
	case 2:
		*(uint16_t*)0x20000140 = 0x1a;
		*(uint16_t*)0x20000142 = 0x10f;
		*(uint8_t*)0x20000144 = 7;
		*(uint8_t*)0x20000145 = 0xc7;
		*(uint8_t*)0x20000146 = 6;
		*(uint8_t*)0x20000147 = -1;
		*(uint8_t*)0x20000148 = -1;
		*(uint8_t*)0x20000149 = -1;
		*(uint8_t*)0x2000014a = -1;
		*(uint8_t*)0x2000014b = -1;
		*(uint8_t*)0x2000014c = -1;
		*(uint8_t*)0x2000014d = -1;
		syscall(__NR_recvfrom, r[0], 0x20000040ul, 0xeeul, 1ul, 0x20000140ul, 0x80ul);
		break;
	case 3:
		res = syscall(__NR_socket, 2ul, 5ul, 0x84);
		if (res != -1)
			r[1] = res;
		break;
	case 4:
		*(uint16_t*)0x200001c0 = 0x7ff;
		*(uint16_t*)0x200001c2 = 0x1ff;
		*(uint16_t*)0x200001c4 = 0x204;
		*(uint32_t*)0x200001c8 = 0;
*(uint32_t*)0x200001cc = 0x803; *(uint32_t*)0x200001d0 = 0; *(uint32_t*)0x200001d4 = 5; *(uint32_t*)0x200001d8 = 0x800; *(uint32_t*)0x200001dc = 0; syscall(__NR_setsockopt, r[1], 0x84, 0xa, 0x200001c0ul, 0x20ul); break; case 5: memcpy((void*)0x20000200, "./file0\000", 8); *(uint64_t*)0x20000400 = 0x20000240; memcpy((void*)0x20000240, "^\000", 2); *(uint64_t*)0x20000408 = 0x20000280; memcpy((void*)0x20000280, "*,+\000", 4); *(uint64_t*)0x20000410 = 0x200002c0; memcpy((void*)0x200002c0, "-{$(%![\000", 8); *(uint64_t*)0x20000418 = 0x20000300; memcpy((void*)0x20000300, "\\[\000", 3); *(uint64_t*)0x20000420 = 0x20000340; memcpy((void*)0x20000340, "\000", 1); *(uint64_t*)0x20000428 = 0x20000380; memcpy((void*)0x20000380, "\000", 1); *(uint64_t*)0x20000430 = 0x200003c0; memcpy((void*)0x200003c0, "\261$}\000", 4); *(uint64_t*)0x20000640 = 0x20000440; memcpy((void*)0x20000440, "\000", 1); *(uint64_t*)0x20000648 = 0x20000480; memcpy((void*)0x20000480, "*/%}\\\\\000", 7); *(uint64_t*)0x20000650 = 0x200004c0; memcpy((void*)0x200004c0, "@[\000", 3); *(uint64_t*)0x20000658 = 0x20000500; memcpy((void*)0x20000500, "\000", 1); *(uint64_t*)0x20000660 = 0x20000540; memcpy((void*)0x20000540, ":\'\237^(\000", 6); *(uint64_t*)0x20000668 = 0x20000580; memcpy((void*)0x20000580, "],-.$\373\\}{)@-&/[\\!\000", 18); *(uint64_t*)0x20000670 = 0x200005c0; memcpy((void*)0x200005c0, "\000", 1); *(uint64_t*)0x20000678 = 0x20000600; memcpy((void*)0x20000600, "{{\'$(+-(}{}]?/--)\000", 18); syscall(__NR_execveat, r[0], 0x20000200ul, 0x20000400ul, 0x20000640ul, 0x1000ul); break; case 6: memcpy((void*)0x20000680, "/dev/hwrng\000", 11); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000680ul, 0x40000ul, 0ul); if (res != -1) r[2] = res; break; case 7: syscall(__NR_ioctl, r[2], 0x80404812, 0x200006c0ul); break; case 8: syscall(__NR_ioctl, r[2], 0x545d, 0ul); break; case 9: *(uint32_t*)0x20000704 = 0x9c76; *(uint32_t*)0x20000708 = 8; *(uint32_t*)0x2000070c = 3; *(uint32_t*)0x20000710 = 0x309; 
*(uint32_t*)0x20000718 = r[0]; *(uint32_t*)0x2000071c = 0; *(uint32_t*)0x20000720 = 0; *(uint32_t*)0x20000724 = 0; syscall(__NR_io_uring_setup, 0x509f, 0x20000700ul); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_unix_may_send\000", 22); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xaa; *(uint8_t*)0x20000041 = 0xaa; *(uint8_t*)0x20000042 = 0xaa; *(uint8_t*)0x20000043 = 0xaa; *(uint8_t*)0x20000044 = 0xaa; *(uint8_t*)0x20000045 = 0x29; *(uint8_t*)0x20000046 = 0xaa; *(uint8_t*)0x20000047 = 0xaa; *(uint8_t*)0x20000048 = 0xaa; *(uint8_t*)0x20000049 = 0xaa; *(uint8_t*)0x2000004a = 0xaa; *(uint8_t*)0x2000004b = 0xaa; *(uint16_t*)0x2000004c = htobe16(0x8137); *(uint16_t*)0x2000004e = htobe16(-1); *(uint16_t*)0x20000050 = htobe16(0x20); *(uint8_t*)0x20000052 = 2; *(uint8_t*)0x20000053 = 0; *(uint32_t*)0x20000054 = htobe32(3); memcpy((void*)0x20000058, "\x67\x51\x69\x65\xf0\x15", 6); *(uint16_t*)0x2000005e = htobe16(3); *(uint32_t*)0x20000060 = htobe32(0xa0); *(uint8_t*)0x20000064 = 0; *(uint8_t*)0x20000065 = 0; *(uint8_t*)0x20000066 = 0; *(uint8_t*)0x20000067 = 0; *(uint8_t*)0x20000068 = 0; *(uint8_t*)0x20000069 = 0; *(uint16_t*)0x2000006a = htobe16(0x8ca); memcpy((void*)0x2000006c, "\xd1\x8e", 2); *(uint32_t*)0x20000080 = 1; *(uint32_t*)0x20000084 = 3; *(uint32_t*)0x20000088 = 0x6f3; *(uint32_t*)0x2000008c = 0xd92; *(uint32_t*)0x20000090 = 0xd18; *(uint32_t*)0x20000094 = 0x98a; break; case 12: *(uint8_t*)0x200000c0 = 4; *(uint8_t*)0x200000c1 = 0x1d; *(uint8_t*)0x200000c2 = 5; *(uint8_t*)0x200000c3 = 1; *(uint16_t*)0x200000c4 = 0xc9; *(uint16_t*)0x200000c6 = 0x800; break; case 13: memcpy((void*)0x20000100, "\xc4\x01\x7c\x5a\x50\xf2\xc4\xa1\x63\x7c\x7a\x86\x2e\xf0\x42\x30\xb5\x0d\x00\x00\x00\x41\xd9\xf9\x3e\x42\x0f\xb7\xbc\xae\xb0\x00\x00\x00\xc4\xc2\xa5\x29\x14\x98\xc4\x82\xc9\xbd\xac\x33\xde\x79\x41\xf1\xc4\x01\xfc\x2e\x06\x66\x40\x0f\x38\x24\x1f\x67\x0f\xec\xfb", 65); syz_execute_func(0x20000100); break; case 14: break; case 15: 
memcpy((void*)0x200001c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x200001c0ul, 0ul, 0ul); if (res != -1) r[3] = res; break; case 16: res = syscall(__NR_read, -1, 0x20002500ul, 0x2020ul); if (res != -1) { r[4] = *(uint32_t*)0x20002514; r[5] = *(uint32_t*)0x20002518; } break; case 17: memcpy((void*)0x200046c0, "\000", 1); res = syscall(__NR_lstat, 0x200046c0ul, 0x20004700ul); if (res != -1) r[6] = *(uint32_t*)0x20004718; break; case 18: memcpy((void*)0x20004780, "./file0\000", 8); res = syscall(__NR_stat, 0x20004780ul, 0x200047c0ul); if (res != -1) r[7] = *(uint32_t*)0x200047d8; break; case 19: res = syscall(__NR_getresgid, 0x20004840ul, 0x20004880ul, 0x200048c0ul); if (res != -1) r[8] = *(uint32_t*)0x20004840; break; case 20: memcpy((void*)0x20000200, "\x26\x92\xd6\x23\x14\x8a\x34\xae\xe9\x68\xf5\x55\x2f\xef\x58\xad\xeb\x13\x83\x51\x31\xaf\xc9\x60\x2c\x0e\xba\x53\xa1\x39\x39\x2d\x14\x0b\x6e\xeb\x57\x19\x84\x01\x7f\xbc\x1a\x93\x6a\xca\x42\x7a\xd0\xe7\x40\x52\x4f\x63\x07\xf1\x8e\x1c\x7d\x95\x4a\x0b\xa7\x44\x23\x67\xd4\x5b\xae\x51\x50\xe1\x25\x43\xdc\x5d\xd0\x3a\xa5\x69\x90\x39\xf2\xf6\x27\xb3\xd1\x04\xe0\x0f\xfa\xea\x42\x63\xfc\x86\x95\x3e\x5e\x3a\xb9\x76\xc9\xf6\x6a\x21\x3d\x67\x57\x3b\x60\x44\xbf\x6f\xaa\x8c\x17\xd5\x1b\x55\x50\x43\x8f\x9a\xc6\x58\x9d\x2c\xb2\xbc\x4e\x11\xcb\xf8\xa2\x54\x59\x4a\x82\xab\x89\x87\xf8\xad\xe2\x0d\x85\x42\xac\x71\xff\x84\x7b\x22\xe6\x7d\x2d\xdd\xa8\xf4\xba\x5f\x53\xfb\xf1\x77\x00\x91\x32\xba\xa5\x78\x6a\x7b\xe3\x1e\xc6\xc5\x92\xcb\xa5\x3c\x5c\x8a\x7b\xa1\x9d\xb0\x28\x6b\xff\x1d\x01\x78\xda\x1e\x4e\xa1\x08\x19\x43\x9a\xce\x53\x7a\xc5\xf4\x7a\x1c\x8b\x74\xfa\x67\xfc\x4e\x1b\xf9\x22\x92\xa9\xec\x65\x7b\x5e\x30\x03\x14\x6a\x1c\x56\x90\x85\x5b\x05\xcf\x75\xa0\xb1\x1a\xb9\xba\x73\x8a\x3d\xc1\x77\xd5\xf7\xe7\xfa\x6b\x46\x5d\x05\xe5\x13\xa2\x19\x48\x10\x89\x26\x5f\x56\x6e\x6b\xd0\xcc\x9e\xe1\xfb\x10\x0f\x85\x12\x86\xe6\x57\x21\xf6\x01\xc8\x3f\x7a\x74\x09\x79\xb3\x84\x8f\x57\xfb\x00\x81\xef\xca\x45\x72\x0c\xcf
\xd8\xa4\x90\x4f\x24\x81\x51\xb2\x42\x13\x2a\x4b\x45\x53\x0a\xe5\x44\x2f\xf7\xa5\x1b\xb5\xc5\x99\xcd\xa7\xe1\x0e\x1b\x4d\xe5\xc8\x0f\x52\xcc\x3d\xda\xc7\x51\x3f\xe1\x48\xbd\xbc\x5d\xa2\xe0\xc2\xb3\x91\x90\xd8\xf9\x0f\xcd\x45\x95\x03\xa4\xcb\x8f\xec\xe5\x51\x82\xcf\x72\x72\xa5\x22\xe5\x62\x61\x20\xc7\x33\x5c\x5a\x37\xc7\x2d\x40\x0f\xed\xc5\x88\x73\xc5\x96\x0f\x6c\xab\x80\x7a\xc2\x39\xd0\x24\x6a\xba\x2e\x84\x4b\x68\xb1\xac\x4a\xd6\xd2\xbb\xce\xdc\xb3\x5a\x67\x48\x64\x71\xe4\x45\xaf\x55\x99\x02\x70\xae\x09\x79\x68\xda\x00\x15\x7d\xd2\x21\xde\xa2\x43\x8d\x16\x62\x3c\x52\x82\x0f\x0d\x24\xe3\x9c\x04\x24\xee\x40\x48\x4f\xb0\xd9\x64\x19\xf5\xe2\x81\xd0\xe9\xe1\x78\x36\x68\x20\xdd\x5c\xa4\xa0\xc4\x5d\xee\xb3\x6c\xb9\xe2\x46\xbe\x67\x14\xce\xb0\x34\x7b\x0c\x30\x9c\xc5\x30\x22\x37\x4f\x73\x30\x35\x36\xe5\x93\xc5\x75\x88\xb8\x83\x90\x3e\xa5\x81\x33\x77\x36\x00\x20\x1a\x7b\x55\xdd\x5c\x01\xaf\x52\xe9\x0e\xc5\x24\xab\xd9\xf4\x7b\x3d\x71\x85\xc4\x82\x59\xbf\x5a\xa7\x6f\xea\x9d\xa9\x82\xb2\xc4\xa6\x10\x65\xdf\x2b\x06\x67\x32\x10\x35\x03\x96\x9e\xef\xaa\x23\x14\x1c\x8b\xec\xb3\x5c\xaf\x76\x02\xe9\x81\xc3\x06\x73\x99\x1b\x46\xd5\x4a\xb2\x76\x4b\xf5\xec\xc3\xf1\xa8\xe0\x00\xb1\x16\xb7\x69\xd8\x26\x25\xae\x94\x18\xb5\x23\xaf\x00\xf3\xcf\xb0\xeb\x65\xc9\x16\xf6\xa6\x24\x52\xf8\x10\xb2\x0c\x3e\x7c\xec\x7d\x61\xfe\xf5\x5f\x63\xd1\xda\x4a\x3f\x86\x8b\xbc\xfd\x86\x7e\x13\x0d\x3c\x7c\xe5\x22\x46\xef\x76\xed\xa2\x91\x6f\xbb\xdf\xd5\x06\xdb\xc2\x28\x9d\x00\xfb\xc8\xfd\x10\x0c\x45\x78\x69\x8d\x22\x03\xdf\xfa\xb9\x01\x8d\x6f\x19\xae\x19\x9f\x16\x59\xc3\xf7\x81\x57\x68\x0c\xf9\x80\x59\x7a\x12\x6b\x99\x4b\xdd\x64\x60\x96\x53\xdc\x0d\xdb\x55\x6c\x3a\xf8\x38\xa0\xa4\xa9\xbd\x70\x51\xe4\x52\x47\x91\x3c\xc3\x5b\x9d\x9f\xf3\x68\xff\xdf\x4e\x7f\xad\x83\xa5\x2f\x8a\x02\x61\xc3\x31\xb6\xef\x22\x6f\xe6\x76\xac\x1a\x9c\xf0\xcb\x00\x13\x85\xce\x35\xb0\x9d\xf3\xae\xca\xa3\xd8\x16\xf2\xaf\xc6\x2c\x27\xae\xe5\x25\xf7\x2f\x2d\x31\xee\x0b\x21\xc4\x47\xf8\x09\x01\xa6\x5c\x77\x06\xd0\x7f\xf9\xb2\xd7\xbd\xe9\x2b\xc7
\x9d\x85\xf8\x43\x1d\x46\x8a\xc8\x5e\x51\xac\x3a\x20\x9c\xea\x07\x28\x1e\x7d\x19\xc1\xf5\x2b\x5f\x01\xbd\xb0\x53\x97\x8c\x93\x33\x99\xb3\x5a\xc7\x7a\xa4\xa1\xe6\xf1\x82\xd2\x50\x27\x1c\xa3\x3c\x37\x91\xb1\x5a\x93\x1b\xcd\x32\xac\xe1\x92\x53\xf1\xa9\x04\x4a\xfa\x49\xc1\xa0\xdd\xc8\x2e\x95\x90\x7f\x60\xb7\x97\x1e\xc0\x10\x78\xe1\x37\xd1\xbc\xeb\x0c\xf8\x6f\x64\xcd\x6c\x19\x2c\xbf\xc3\x0b\x44\x78\x61\x7f\xe5\x2a\xa9\x43\xe6\x1a\x18\x2b\x1b\x0b\x21\x07\xd0\xc5\x4f\x4f\xa7\x31\x67\x9a\xf9\x5c\x32\xd1\x89\x14\xd6\x95\x9b\x9f\xa9\x6a\x0a\xac\x1c\x49\xad\xc6\x1f\x5f\x11\xb5\x44\x55\x73\x42\xc1\x42\x76\xbe\xea\x12\xfa\x71\xcd\x30\xa7\x31\xbd\x06\x4e\x9c\xfd\x0f\x9e\x4b\xe9\x66\xf7\xbd\x1c\x1b\x4f\xd7\x06\xb8\x39\x3e\x6e\xfb\x1c\x9f\x97\x52\x6f\x67\xd2\xe9\xcd\x5e\x17\x6d\xc6\x0c\x27\x4b\x30\x06\x1e\x1a\xb6\xa2\xd0\x04\xb8\x3a\xdb\x08\xf1\x98\x3b\xae\xab\x99\x04\x72\xbe\xff\x23\x41\xde\xf4\x7e\x0d\xd4\x11\xb0\x69\x1f\xd0\xa6\x5e\xa6\x6d\x16\xa4\xa4\xee\x94\xc4\xd1\xa5\xce\x6b\x3c\xfc\x87\x34\x81\xb0\x41\xfb\x30\x05\x61\x4c\x1c\xf8\x41\xee\xab\x27\xe0\x35\x98\xef\x94\x59\x8e\xd3\x0c\x3f\xd3\xee\x19\x20\x7a\xea\x2a\x8d\xbc\x3f\x60\xa6\xd9\x7e\x30\xc5\x8f\x32\x4b\xca\xf5\x71\x38\x8f\x9e\x83\xe0\x76\xcf\xdc\x06\x63\xcf\xe9\x3f\x5a\x3f\x19\x29\x9e\x74\x12\x10\xf6\xa8\x50\x1a\x72\x38\xb1\xcb\xd6\xe9\xf8\x29\x34\x5c\x33\x7c\x62\xb7\xcd\xb0\x24\xef\xc4\xff\x11\x62\x8c\xb1\xee\x4f\xda\x07\x27\x82\xbb\x69\x93\x2b\xa6\xde\xe1\x22\xcb\x37\xfe\xd6\x96\xde\xa1\x1c\xc2\x5e\xb2\xb5\x67\x8c\x7d\x0b\xd1\xdd\x05\xf3\x5d\x1d\x02\xad\xdf\x12\x95\xa1\xeb\x0b\x25\x99\x59\xa7\xb2\x90\xe6\x1f\x24\x79\x69\x15\x88\xac\x52\x09\x81\x90\x2f\x5a\xb0\x61\x62\xe9\xcf\x5f\x05\x85\xf5\x40\xd9\x0c\xd8\x38\x1d\xe3\x3d\x0a\x0a\x24\xda\x6f\x23\x1d\x3a\x68\x4c\x92\x5d\x73\x6f\x25\x34\xa5\x7e\x48\xd9\x19\xd5\x55\x19\xc5\x75\xbb\x54\x1d\x63\x8e\x0e\x40\x11\xf8\x41\xa5\xac\x33\x1d\x48\x89\x35\xc4\x4c\x2b\xce\x1c\x2a\xc3\xe8\x48\x6e\x46\x5c\xde\xe8\xeb\x51\x3d\x3c\x1b\xb3\xb3\x8c\x5d\x15\x7c\x04\xd5\x76\xd6\x75\xe0\x0b
\x30\xc2\x99\xe2\x11\xf8\xf2\x4a\x7a\x05\x3b\x42\x70\xd2\xac\xfa\x3a\xa6\x34\x34\x28\xd9\x2b\x6d\xb1\x4c\x15\x58\xa8\xdd\x58\xbb\x9c\x8c\x4b\x1b\x49\x35\x77\x3d\x14\x06\x11\x79\x3c\xca\xd5\x4f\xdc\x52\x30\xda\x4d\xfd\xa3\xb6\x0c\xc0\x76\x6e\xfc\xc6\xa3\xb7\x19\x00\xa5\x0e\x2c\x3e\x68\x27\xb9\x8c\xc1\x8c\xcd\x8f\xf7\x98\x24\x7f\x37\x48\x57\xd0\x62\x1e\x32\xbb\xf0\x48\x24\x74\xde\x0d\x42\xdd\xba\x78\x23\xe6\x33\xf1\x65\x8e\x7f\x6a\x36\x1c\x32\xe2\x45\x9c\x2b\xeb\x02\x9a\x8a\xfa\xa3\x12\x89\xe4\x87\x10\x45\x67\xd4\x0c\x81\xcc\xf5\xae\x2a\x2e\x6b\x34\x4f\x5c\x11\x0d\x7c\xe2\x30\x1f\xf2\xc2\x5f\xd8\x43\x84\x39\xa5\xea\x16\xa4\x46\xfc\x7e\x27\xf2\xcb\x06\x89\x44\xe4\xd8\xc9\x29\xc4\x64\x5f\x49\x4c\x2f\xd1\xb0\x25\xbf\xda\x11\x19\xf9\x08\x8f\x70\x7d\x66\x2c\x11\x95\xf8\xe4\x30\x8c\x47\x0b\x76\x24\x50\x99\x33\x2f\x61\xb2\xc9\xcc\x77\x87\x1c\xb2\x0c\x4e\xbe\xaa\x63\xe5\x3a\xdd\x25\xdf\x15\xc5\x62\x85\x85\xfe\x88\x6a\x73\xe3\x82\x56\x7c\x41\xce\xbd\xf2\xf3\x3f\x71\x68\x74\x7c\xe2\x4a\x22\xfa\xfe\xb2\x9c\xd0\x21\xa9\x2e\xc8\xfc\x27\x2d\xad\x24\x59\x8e\xbd\xae\xc2\xdc\xc4\x73\x73\xef\xa9\x7c\xac\xff\xda\xce\x15\x0e\x99\x51\x0b\xf3\x7b\xaf\x40\xa8\x17\xd9\x3d\x87\xa4\x8f\xab\x15\x3a\x10\x64\x82\x1e\xb5\x04\xa4\xeb\xa3\xab\x66\xd1\xec\x05\x7c\xf6\x4e\xe1\x1a\x6a\xd4\x05\x84\xfa\x76\x56\xa3\x98\x4c\x20\xe4\x94\x01\x3f\x83\x43\x0d\x76\x0c\xd6\xea\xa6\x04\xb5\x99\x55\x0d\xcb\xa7\x20\x85\x5e\x73\x5d\x62\xd4\x20\x07\x6c\xca\x07\x11\x5d\x4e\x37\x1c\x3d\x64\x1c\xb6\xcd\xb9\x69\xbd\xef\x10\x13\x7b\x8d\x7f\x39\x9a\xbe\x3e\x24\x36\x53\x5c\x30\xc7\xb9\xa8\x42\xfb\x31\xd3\x22\x43\x4e\x73\xb9\x5c\x0f\x5d\x45\x45\x11\x6b\x78\x8e\xa0\xfd\x47\x3a\xb3\x2c\xfb\x4c\xd7\x22\x49\x48\x91\x37\x72\xe8\x39\x2d\x89\xbf\x5c\x4e\x55\x11\xd2\x67\x20\x1c\xff\x62\xbd\xc0\x46\x8f\x96\xd9\xe8\x53\x23\x49\x5e\x92\x5e\x61\x14\x0f\xb4\x19\x41\x7b\xc3\xf8\x03\xa8\x0d\x0a\xf3\xb8\xc3\x1c\x2f\x63\xde\xe9\x17\x41\x13\xf8\xe6\xe5\xc9\x3f\x47\xd8\x48\x64\x22\xa5\x69\x6b\xc0\x58\x43\xf7\xd0\x7f\x10\xeb\x3b\x5f\xbc\x2c\x37
\x8f\x6e\x8a\x97\x5d\xeb\x6c\x04\xed\x20\xc6\x73\x84\x6e\xcc\x19\xd6\xdf\xcb\x19\x82\xff\x83\xa7\xdc\xa9\x2e\x81\x67\xe5\xdf\x64\x37\xb8\x48\x34\xfd\xe1\xcb\xfc\x44\x11\x05\xd0\x62\x18\xa2\xe0\xa5\x59\x17\xee\x27\x6f\xa7\x25\xb9\xf1\x6a\x94\xc6\x7b\x68\x4b\xc7\xb6\x88\xed\xba\xe7\x43\x82\xcb\xa7\xea\xc9\xf0\x17\x72\xc8\x91\x94\xd4\x4e\xea\x3c\xab\xc0\x02\x56\x26\x43\xc0\x15\x29\x09\x2f\xf6\x62\x9d\xe9\x6a\x77\x16\xf9\x23\x18\xa6\xcf\x70\xcd\xb8\xfd\xa8\xe3\xd0\x13\x06\xea\x91\x58\x0b\x6d\x97\x08\x08\x55\x2f\x45\xf5\x75\xc3\xaa\x63\x8f\xc5\x1a\xbd\xd8\x53\x5a\x05\x84\x07\x25\x88\x51\x8f\x93\x91\xb2\xd7\x89\x14\x73\x12\xa5\x8d\x0a\x15\xb6\x4b\xf9\x08\xf2\x49\x91\x3f\x14\x16\x71\x75\x10\x03\x54\x71\x50\xd4\x9f\x47\x2d\xbe\xd4\x08\x43\x24\x93\x70\x57\x59\x92\x9f\x61\x9a\x90\x1b\xf4\x1e\xd2\xe4\xd1\x2d\x63\x54\xaf\x21\x98\x40\xe6\x96\xae\x26\xd4\x0f\x01\x0f\x05\x86\x06\x8e\xfb\xbd\x4a\x63\xaf\x99\xae\xbd\x53\x05\xa8\x80\x13\xed\x74\xde\x00\x39\x90\x11\xdd\x8d\x0d\x54\x4b\x90\x70\x09\xf3\x61\xac\x6f\x66\xca\x0a\xc4\xfa\xe8\xee\xa5\x65\x42\x59\x9b\x16\x7b\x8f\x13\x2d\x2b\xc2\xb5\x7c\x73\x46\x53\xc0\x21\x4f\xcb\x4e\x3a\x50\x98\x23\xaa\x2e\xa6\x2a\xef\xd8\xd3\xa8\xf2\x7c\xea\xd3\xee\x3f\x27\x66\x98\x71\x27\x70\xad\xdc\x99\xcd\x31\x11\x2d\xaf\x0e\xde\x7c\x57\x7f\xcb\xae\x2e\x64\x04\x7b\xd3\x62\x4d\xcc\x04\xcf\xb6\xcd\x19\x4b\x79\xf1\xb5\x3b\x99\x0a\x44\x36\x28\x12\x3f\xbe\x9b\x2a\x3b\x59\x8b\xee\xab\xdb\xb7\xcf\x4d\x9c\xd8\x7b\xe2\xac\x84\xee\x3f\xe7\x43\xd7\x2e\x89\x84\x20\x4b\xab\x46\x3c\x89\x6d\x13\xc1\x22\x7b\x70\xa8\x87\x12\xb7\x7d\x22\x1e\xfa\x65\x40\x98\xb3\x85\x71\x46\x8f\xf9\xbf\xf1\x0b\xb0\xd3\x0f\xe6\xae\x7a\x1f\x62\xc4\xf6\x06\x6b\x55\xf3\x2b\x05\x47\xde\x75\xab\x1c\xac\x8e\x98\x6d\x89\xfc\x30\xa3\x62\xd7\x30\x8d\x09\x32\xcd\xd4\x4d\x8a\x23\x48\x60\xb6\x08\x09\x0a\xa5\xe1\x6b\xef\x4e\x44\x32\x7b\xa1\x86\x67\x91\x5e\xc6\x5c\xa7\x72\xf8\xdf\x52\x10\x5b\x37\x00\x87\xfb\x1c\xbd\x6d\x11\xa9\x53\x62\x23\x2e\x5f\x6f\xce\x3f\x34\x3c\xd9\x62\xbe\xc2\x77\xf3\xa6\xaa\xcb\x82
\xdf\x97\x53\x1b\x3a\x6f\xfd\xd2\x24\x45\x4b\xfc\x8a\x6c\x2e\x0b\x9c\x86\x44\x9c\x04\x3f\x39\xce\xb9\xaf\x5c\x42\x36\xe3\x22\x1c\x2e\x25\x9f\xa8\xf1\x28\x4d\xf6\x33\x4a\x2a\x24\x73\x3d\xba\xd6\xea\x99\x0a\xa3\xef\x97\x98\xe2\xf7\x85\xbe\x3d\x5a\x44\x30\x54\x97\xa1\xf5\x25\xf7\xde\xe1\xf7\xea\x82\xc7\xd5\x05\x59\xc5\x1d\xac\xc6\x17\xf6\xf7\xee\x56\xb6\xc5\xbc\xa2\x70\x18\x99\x24\x5c\xbe\xcb\x33\xcc\xdd\xf0\x0a\x16\x89\x46\x82\x08\x5f\x40\xd2\xf6\xf6\xb0\x3a\x16\x32\x06\x31\x1f\x98\x07\x72\x61\xcd\x76\xf4\x39\xce\xd0\x44\xb5\x25\x11\x2d\xeb\xd3\x1e\x4c\x7a\x90\x77\xbd\x82\x02\x17\xa8\x8b\x4d\x8e\x3e\x76\xda\xc4\x5b\x15\x01\x9e\x01\xde\xed\xc9\x43\xb3\x57\xab\x2d\x79\x00\xd9\x91\x57\xaf\x47\xdf\xc5\x97\x17\x91\xb2\x56\x65\xe9\x53\xdb\x69\xce\xfc\xea\xc8\x7a\xef\x83\x89\x36\xae\x73\xd2\xd2\x59\x83\xb2\x06\x60\x99\xc4\x74\x1a\xf8\x80\x48\xc7\xf8\x65\x31\xf2\xb8\x2d\x6e\x05\xb2\xee\x75\xf4\x72\xd9\xdf\x9c\x3e\xe9\x39\x8f\x6f\xe6\x8e\x0b\x52\x1c\x36\xa2\x42\xe2\xd6\x75\xf4\xd9\xda\x55\x21\x42\x74\x36\x31\xa4\xf2\xb6\xc0\x11\x47\x57\x53\xa7\x4f\x7f\xef\xc9\xd7\x2d\x3f\x9f\xb2\xbd\xcc\x71\xd6\x67\x32\xab\xe5\x0d\xd5\x78\xb6\x9b\xd0\x29\xb4\x5b\xca\x70\x8e\x87\xc0\x98\xaf\x90\x28\x4b\x4f\xbd\xdc\xc6\xfe\x16\x3a\x00\x09\x70\xd6\x54\x7c\xfd\x18\xcc\x8a\x11\xba\x22\x63\x8e\xe6\xeb\xa9\x10\x29\xf5\x25\x94\xa0\x42\xe9\x6e\xd7\x08\x01\x84\x59\x3f\x21\x09\x12\x6c\xbd\xe1\x31\x7a\x94\xa5\x62\x13\xad\x11\xae\x1c\xcf\x0a\x58\xa4\x5d\xbc\x81\xd0\x80\x9c\x59\x07\x3f\x8a\x9e\x17\x67\x4a\x47\x6d\x03\x37\x41\x4b\xfc\xff\x7c\xa6\x94\x92\x18\x46\x7c\x88\x50\x83\x9e\x55\xc9\xc7\xad\x9d\x51\xa6\x4a\x9d\x2b\x4b\xbb\x17\xa3\x65\x38\x94\x83\x45\x45\xbc\x28\x6c\x10\x8b\xb3\x13\x45\x57\x9a\x2b\x0b\x96\xf6\xa5\x73\x89\x79\x05\x19\xd4\x41\x3a\x96\x48\x82\x0e\x78\x46\xc5\x7a\xca\x47\x92\x49\x52\x23\xfc\xc0\x29\xd0\x70\xf1\x8f\x24\xac\x66\x58\x79\xd7\xa1\x97\xc7\x8c\x5c\x05\x18\x5a\xf7\xc1\x11\x40\xc7\x8a\x35\xe9\x1d\xe5\xc0\xc5\x3f\xbc\xd1\x35\x0c\x27\x53\x6d\x28\xd5\xf5\x18\x69\x6b\x97\x13\x6d\x3f\x20
\x35\xf2\x6f\xaa\xd5\xff\xe0\x4d\xfd\x5d\xcc\x09\xb1\x29\x90\x51\x95\x57\x9d\xd1\x5c\x8c\x98\x67\x62\x36\xeb\xd0\x2b\x6c\x2e\xf3\xe6\xeb\x15\xd8\x7c\x20\x6c\x39\x04\x6f\x2d\xbc\xef\x9a\x45\x23\xf2\x55\xf4\x45\xc3\xdd\x82\xc1\x40\xb2\x95\xa4\xa9\x0f\xa3\x0a\x28\x47\xff\x41\xef\xee\xa8\xf6\x30\xd4\xa5\x51\x27\x95\x38\x0a\xf7\xd1\x71\x3a\x6b\x29\x76\xdd\x74\xde\x50\xc3\xfe\xb4\x2b\xdd\x4c\x02\x58\xe4\x56\x17\x35\x8f\x18\xa2\x8b\xe1\x1b\xad\x5b\x5b\x79\x10\x3e\xe1\x27\x7c\x76\x1e\x12\x90\x1e\x49\x97\xf3\xb9\xd4\x49\x91\x72\x17\x6c\xdd\x12\xb6\x80\x7b\x23\x6d\xaf\x3d\xc0\x58\x72\x95\x64\x37\x81\x6c\x70\x6f\x3c\x36\x7d\x7e\x2c\x23\xe9\x6b\x1f\xe9\x65\x96\xdb\x88\x05\x07\xe2\x82\xfb\xe2\x3f\x21\x71\xb2\xf6\x85\x5d\x22\x17\x4a\x1a\x4b\x15\xed\x8a\xbd\x51\xca\x09\x3d\x46\xf0\xe2\xd0\x52\x98\x16\x8c\x23\x9e\x62\xd8\x9f\x74\x06\x74\x38\x8c\x24\x01\x8c\x47\x83\x2a\x87\x64\x40\x48\xd4\x36\xd6\x5c\xd7\xa2\x10\x28\x2b\x1f\xc8\x26\xf0\xcc\xdb\x66\x97\xd0\x11\x2b\x2a\x88\xe3\x95\x30\x8d\x42\x1a\xad\xa7\xa0\xe7\xd7\x6e\xca\x0a\x60\x73\x83\x02\x18\xc8\x3e\xd7\x94\x19\x48\x59\x60\x57\x20\x97\xcb\x62\x6c\x6f\x84\x67\x57\x90\x95\xdc\x22\x63\x20\x43\xdc\xe6\xb6\x7e\xaa\x79\x3a\x2a\x89\x82\x2f\xdc\x26\x6f\x5a\x61\x1a\xa1\xc6\xb8\x45\x99\x8a\x82\x80\x05\xfe\x79\x89\x25\x3c\x37\x61\x3e\x89\x23\x48\xad\x73\x32\xe3\x34\xaf\xb5\xa7\x08\x7e\x89\xac\xe2\xf3\x61\xd6\x6f\x27\x7d\xfa\xfa\x12\x66\x77\xe8\x33\xfd\x0b\x2c\xe4\xd2\x27\x93\x7c\xdf\x60\xa8\x82\x66\x94\x11\xd4\x45\x0b\x7e\x85\x9b\x82\x47\xad\x2e\x45\x74\x2e\xcb\x60\x57\x52\xf2\x14\x8d\x07\x5e\x1d\x14\x5a\xdd\x18\x47\x48\xc6\xec\xe9\xba\x26\x7b\x7a\x6d\xf9\x22\x9a\x62\xbb\x9b\xee\x7d\x7e\x92\x5d\x6e\xb9\xae\x96\xad\xef\x93\x7c\x03\x0c\x7d\x2b\x91\x9f\xc4\x63\x6a\xd6\x33\x13\x60\x45\x7d\x06\xd8\xc4\xf6\xdc\x10\xe3\x06\x55\x22\x60\x2b\x84\x1f\xb3\x67\x8e\x9d\xab\xf0\x7d\x5f\xc3\xfe\x39\xda\x21\xd4\x61\xe1\xa4\xac\x64\xa0\xd3\x35\x6f\x93\x62\x28\x00\xf0\x07\xbe\x4e\xe1\x3c\xc4\x65\x4c\x89\x47\xff\xd1\x1b\xf7\x59\x8f\x50\xbf\x27\xdf\x75\xf8\xda
\xef\xd9\xbd\x19\xcc\x3b\x6a\x06\xb2\x53\xe8\xb5\x90\x62\x1c\x66\xda\x76\x49\x6a\x87\xbe\x33\x53\xfb\x1c\xc5\x64\x36\x6b\x09\x79\xa8\x8c\x52\xb8\xdd\xae\xee\x89\x93\xf6\xa0\xa3\xa5\x43\xa9\x31\xea\x4e\xae\xe9\xd9\xe7\x00\x1e\x23\x49\x14\x4c\xd7\x46\xa2\x56\xdf\x92\xa4\x60\x24\xc7\xa3\xb3\xcb\x60\x7a\x74\x99\x87\xc9\x85\x60\x15\xb8\x6a\x23\xe4\x39\x4f\x64\xf9\x09\x97\x4a\xb0\x76\xb5\xd6\x49\x28\xfc\x9d\x1b\x4c\xba\x75\xbd\xa9\xe1\xd4\x62\x0c\xac\x6f\x08\xcb\xf7\x57\xde\x6f\x29\x11\xc3\x4e\xa0\x84\x81\xa3\x83\x20\x14\x47\xc2\xde\x6e\x37\xc0\x7d\x03\x38\xf1\x6a\x9a\x73\xfe\x67\x1a\x68\x4a\xe4\x5c\x87\x4f\xf1\x98\x15\x06\xe3\xfc\xa4\xe1\xf1\xdc\x9e\x58\xf9\xde\x6b\x96\xf8\x5e\x31\xa3\xc1\x6d\x3a\x11\x88\x0b\xb1\xcb\xc2\x23\xd0\xb9\xf3\xa6\xc4\xa6\x67\x1e\x29\xfe\xa6\x7a\xe9\xf1\x09\xe2\x63\xc3\x17\x95\xb3\x80\x16\xb8\x29\xd4\x1d\x0d\x54\x0f\x7f\x9b\xc5\x22\x02\x7d\xbc\xa4\x94\x5d\x95\x8e\x0b\x14\xc9\x02\x0e\x7e\x0d\x96\x2d\x93\xf6\x1d\xf3\x53\xbb\x18\x42\xb2\x89\xb5\xeb\xb7\xd0\xd8\x3e\xb0\x5f\x31\xe3\x45\x73\x46\xd1\xbc\xf8\x83\x35\x4e\x9a\x24\x7c\x78\xbc\xdf\x11\x45\x0b\xd3\x62\xf4\xe0\x9f\x9b\xc8\x1e\xa9\x28\x23\x05\xdf\x3a\xed\x85\x34\xb1\xf5\xc1\x5f\x58\x12\x7b\x85\x1e\x04\x5a\x0c\x54\x19\x3b\x5b\x11\xbe\x18\x75\x56\x3f\x86\x8e\xfe\x9a\x6a\xd8\x30\xca\x44\x36\x78\x6d\x79\x36\x4e\x19\x30\xd4\x55\xfa\xa6\xeb\xef\xe8\x6e\xce\x76\xa8\xb8\x95\x2d\xff\x2d\x3b\x83\xdd\x8b\xa4\xfd\x7c\x1c\xf9\x12\xa2\x2f\x65\x11\xc3\xcc\x11\xbd\x2f\x04\x69\x0a\xcd\xb3\x8f\x7e\x14\x20\xbc\x15\xe5\x74\xad\x12\x96\x55\x75\x44\x40\xd2\x90\x13\xc6\x98\x61\xd4\x7a\x42\x90\x6c\xee\xaa\x05\x1e\x2e\xfa\xde\xae\xa9\x97\x77\x9e\x05\xdd\x91\x22\x97\xa4\xff\xa9\xaf\x33\xfe\x81\xe7\x20\x67\xc3\x6e\x81\xc4\x86\x53\xd6\x9f\x2a\x2b\xa9\x17\x14\xd5\x10\x4e\x0e\xa1\xe6\xe9\x20\xa4\x40\x24\x05\x98\xdc\x62\x8e\x82\x05\xc3\x31\x3a\x0b\x03\xb7\xfe\xd3\xa8\x78\x8f\xb2\xa6\xde\x07\x22\x6c\x58\x9e\xf3\x37\x08\x22\x14\x38\x1c\x98\x00\xd7\x03\x63\x81\x83\xda\xdf\xf3\x17\x14\x17\x0b\xc4\x02\xb2\x71\xef\x6c\x23\x5c\x12
\xc9\xfa\x67\xc7\xbd\xa8\x0d\x63\x17\x15\xee\x1e\xd4\xdd\xa1\x07\x34\x7d\x14\x3f\x91\xec\x47\x0c\x20\x77\xc2\x77\x52\x4f\xe7\x8a\x23\xfa\xb2\x05\xfa\xb0\x8b\x1c\x25\x8f\x4b\xe4\x97\x59\xd1\xf1\x83\xa2\x1e\x40\x0a\x53\xa7\x24\x93\xa1\x7c\x23\xdf\xa1\x73\x21\x22\x57\x4b\x55\xa7\xf2\x66\x3b\xb0\x01\x7d\xdb\x2f\x47\x2e\xab\xd8\x7e\x40\x76\x95\xbc\xe8\x4c\x15\xf4\x30\x91\xbf\xc0\x6d\x4a\x52\x46\x72\xbf\x25\x15\x21\x85\x61\xe7\xc2\x5e\xa7\x33\xc1\x85\xd0\x98\x06\xdf\x8e\x6c\x92\x1c\x07\x1a\xe2\xf7\x6f\x5c\x0d\xb6\x23\x45\x17\xc7\x2e\x83\x93\x3a\xd4\x13\x46\x5b\x1b\xd0\xcd\xfe\x6a\x04\x6f\x07\xa4\xb2\x39\xfb\xb8\xed\x71\xbd\xdf\xc2\xb0\x71\x48\xd4\x99\x65\xda\x80\x3a\x82\x4b\xc1\x85\xda\x70\x53\x0a\xbb\x3e\x42\xb8\xa9\xf1\x9c\x0c\x3d\x86\x72\x35\x94\x13\x39\x51\x43\x4b\xfd\xbd\xe6\xbe\x90\xea\x21\x4f\xa0\xe1\x7f\x60\x3c\xd1\xad\x69\x5b\x5b\x5b\xa7\xc9\x86\x14\x87\x11\x45\x4c\x6a\x5a\x7a\x5d\xa2\xa1\x63\x1d\xc7\x06\x9e\x58\x2a\x1c\x12\xd2\xba\x25\xca\x01\xda\x8f\x5e\x70\x3b\x41\x14\x7f\xd3\x8f\x96\x68\xf1\x6c\xad\x66\xdf\x62\x2f\xe4\xb0\x2a\x1e\xef\xc0\xa6\x93\x63\xcc\x0b\x7c\x56\xf0\x34\x91\x60\x25\xee\x4b\xcf\xd0\x51\x26\x77\x29\x85\xa9\x63\x2a\x04\x36\x08\xe6\x56\x92\xaf\x2b\x4a\x75\x68\xf1\x3c\x41\xf1\x6c\x86\xbe\xc9\x9a\xae\x30\xa2\xd5\x4f\x64\x69\xf1\xeb\x68\x51\x8d\x48\xc4\x21\xbe\xc6\xf8\x3b\x82\x28\x30\x88\x38\xa9\xa4\x81\x9f\x2f\xed\x79\xe9\x9d\x10\x5a\x8f\x6b\x1a\xc0\x8e\xb9\xfc\x19\x62\xa8\x57\x7f\x27\xf5\xee\xcc\x91\x88\x3a\x02\x4e\xb7\x43\xa3\x99\xed\x6a\xef\x38\xe1\xf5\x33\xca\x6d\xba\x25\x53\x88\xd2\x5d\x4e\xef\x41\x2f\x03\x94\x4b\xcc\x0a\x8c\x4e\x94\xec\x31\xbb\x65\xc8\x9e\xca\x35\xcc\x88\x8f\xe8\x53\x0f\x6f\x58\x1a\x33\x46\x23\x3e\xf0\x93\x6d\xa1\x0e\x8b\x69\xc5\xfd\x23\xea\x2a\x58\xf9\xfe\x8b\x79\xa9\xef\x60\x80\x6c\x29\x6a\xba\x90\xfb\x83\x29\xe8\x38\xbb\x6c\x7d\x3c\x86\x7d\x41\x09\xba\xa2\x6c\x48\x37\x43\x9e\x63\x07\x17\x0e\x7b\x15\xc2\xf9\xf5\xee\x03\x30\x5f\x94\x81\xf8\xe7\x93\xdd\x08\x6e\xf2\xfc\x3e\xca\x55\x5a\xa2\x58\x12\x02\xbb\x4e\xd8\xe4\x31\xcf
\x0b\x71\x0b\xbd\x86\x25\xfa\xc1\x7b\x51\x9c\x68\x06\xb7\x21\x80\x08\xe0\x40\xbd\x2f\x07\x8e\x18\x50\x11\xd4\x71\xd4\x60\x26\xb5\x38\x87\xc9\x48\x1b\x6a\xbe\xa8\x38\xdc\x59\x8a\xf7\xd6\x1e\xb1\x05\x66\x12\x51\x68\xad\xb4\xb5\xfa\x2f\x49\xdb\x9e\x36\x08\xee\x06\xba\xff\x0b\x3e\xdd\xf0\x53\x70\x13\xa8\x9a\x8f\x60\xbe\xc6\xec\xaf\xe7\x4c\x3a\xd6\x26\x67\xcc\x73\x6e\x42\x31\x80\x60\xd9\x39\xca\x8a\xfa\xee\xf4\x18\x9c\xab\x94\xbb\x6d\x7c\x07\xf7\xaa\x21\xf6\x00\x27\x70\x7d\x8a\xee\x9d\x2f\xc0\x31\x96\x77\xe8\xe8\x6c\x6e\x02\x0f\x43\x53\xff\x8d\x52\x35\x42\x66\x9e\x4b\xf2\x64\x9f\xc4\xfe\x1a\xc2\x16\x51\x52\x7e\x25\x7a\x55\x00\x6c\x30\x4b\x83\xaa\xb8\xde\x6e\x87\xb0\x2d\x36\x60\x52\xde\xbd\x14\xf4\x71\x28\x33\xc3\x40\xea\xd1\xeb\x9f\x9f\x48\xdf\x1e\xa2\x7f\x67\x28\x2a\x8a\x5b\xa0\x5d\xf6\x8e\xe2\xaa\x98\xa3\x4b\x44\xfe\x38\xcf\x05\x82\x06\xcd\x11\x2d\x19\x37\x2e\x45\xaf\xb9\xd0\xc2\x4c\x0c\xa9\x18\x99\x48\x23\x9c\x99\xdb\xa4\x44\xf9\xc1\xa9\x1f\xdf\x3d\xff\xa9\xfd\xcd\x09\x35\x5e\x4b\x30\x61\x80\x63\xeb\x02\xe4\xac\x21\x2b\xf8\xf7\xb8\xc6\x17\x81\x1b\xc2\x74\x04\x23\x72\x4a\x0c\x50\x46\xf3\x57\x7e\x0b\x00\x6b\x14\x85\x0d\xdb\xab\xbf\x60\x12\x1d\x15\x1e\xc7\x30\x64\x9b\xa2\x51\xa2\x55\x1f\x6e\x92\x46\xe5\x46\x23\xa8\x19\xe9\xfc\xe9\x1f\xe4\x0a\x8a\xc2\xe5\x53\x32\xc5\x7b\x8b\x7b\x9a\x63\xad\xf9\x1f\x10\x74\x8d\xec\x7c\x01\x53\xcf\xf4\xa4\x12\x29\x27\x51\xb0\xab\x79\x3a\x14\x82\x29\xed\xd1\xf9\x08\x01\x2f\xba\xdc\xd1\x3e\x18\xd4\x79\xd9\x4e\xa5\x60\x65\x10\x03\x57\xba\x4b\xa1\x82\x58\xe4\xa8\x28\xea\xac\xa2\x0d\x67\x1d\x98\x6d\xc6\xd1\x79\x97\xf5\xb3\x74\x46\x93\xeb\x36\xcd\x7f\xce\x3f\xff\x1d\x2d\x59\xb9\xbc\xf1\xc9\x94\x27\xae\xec\x5c\x15\x8d\x12\xd0\x66\xd4\x69\x26\x7f\x42\x3d\xe6\x76\x07\x9d\xc4\x8d\xef\x12\x7b\xe6\x3b\x07\x9f\x0f\xe8\xd7\xda\xe2\xf2\x0e\xab\x8d\xdd\x0f\x38\x8d\x52\xac\x05\x91\x79\x58\x9c\x62\x42\xc7\xf9\xfe\x8e\x1d\x18\x57\xec\x29\x98\xf8\xdc\x9a\xed\x3b\x3d\x38\xae\xed\x70\xb0\xfa\xb5\xd1\x3b\xcb\x53\x6c\xbf\x01\xa2\xfd\xa8\x11\xf1\x4f\xa0\xf5\xe4\xa4
\xd5\x71\x31\x86\x0d\x60\xaa\xc2\x60\x73\x54\xab\xc5\x8f\x91\x51\xdd\x78\x8e\x78\x7f\x76\x85\xbe\x53\x7e\x6f\x86\xbb\xac\x94\xbe\xf4\xdb\xb0\x42\xda\x14\xc1\x00\x7d\xcd\x62\xaa\x8c\xbc\x70\x5d\x12\x0e\x07\x83\x94\xfc\xbd\xc9\x47\x29\xfc\xe6\x90\x5f\x1e\xd8\x69\x9c\xac\xd2\xe5\xf0\x05\x5d\x37\x7d\x0d\x5c\xa8\x3f\x18\x97\x1c\x19\x5c\x7e\xa1\xdc\xf1\x1e\x9f\xee\xc1\x24\xc2\xba\x56\xd0\xf5\x06\x06\x0c\x22\xcb\xc3\x66\xd0\xae\xd0\x5f\x40\x00\x62\x98\x4f\x22\x12\x2b\xfd\x16\xa3\x1b\x3a\x4a\x6e\xd9\xd9\x49\xbe\x5e\xc1\x6a\xe9\x8f\x2a\xa8\xea\xad\xae\xcc\x16\x9e\x97\xcd\xa0\xd5\xb5\x60\x2a\x91\xc1\x01\xb2\xe2\x83\xc0\xbe\x6c\x83\xab\xbe\x2e\x7e\x2e\x4c\xef\xe3\xbe\x22\x31\x21\x3e\xbb\x85\x88\x3e\x0a\x5b\x0b\x4a\x0d\x2c\x04\x72\x2e\xb6\x0f\xab\x23\x02\x3c\xf9\x1c\xa0\xab\x90\x8e\x4b\xb6\xac\x29\xa7\x88\xfe\x9e\xc6\xb9\x9d\x75\xd5\x2f\x20\x3c\xba\x7d\x92\x48\x5e\xf9\x05\x55\xae\xd4\x10\x60\xfd\xd0\x36\xf4\x2f\xa8\x18\xcd\xf8\xb9\xaf\xe2\x6a\xfc\x1f\x27\x9a\x40\x29\x25\x4b\x12\xdd\x54\xda\x88\x2a\x13\x8d\x34\xaf\x15\x77\xe7\x8c\x1d\xd1\x92\x3a\x56\xa3\x69\xd8\x5d\x74\xfa\x59\xd4\x53\x2b\x85\x9f\x67\xe6\x5f\x3e\x67\xd6\x54\xe5\x7d\xde\x88\xcf\x7c\x23\xc9\x18\x2e\xc1\x5e\x95\x28\x3d\xbb\xa7\x99\x11\x16\x4d\xf2\xb4\x83\xbe\x5a\xdb\x7e\x60\x06\xfe\xb6\x9c\x67\x2c\x93\x8a\x81\x8b\x2b\x46\x36\xc9\x43\xb6\x8e\x8c\x93\x35\xa5\xfe\x2a\xa7\x42\x74\x02\x78\x51\x17\xde\xb2\xae\x7c\x16\xba\x0d\x05\xa5\x0d\x21\xcd\x7b\x65\x8c\xe0\x21\x40\xdd\x20\x84\x9a\xe2\x50\xbb\xb1\x0e\x96\x0c\x87\x21\xcf\x96\xd0\xe7\xd8\x1b\xbb\x21\xa5\x33\x58\xe0\xa4\x4f\x8d\x26\xb1\x0b\xf2\x4e\xda\x9b\x5d\x8c\xee\xf7\x10\xee\xc2\x5c\x0c\x3b\x31\x80\xc8\x59\x40\xf5\xb1\x5c\xc1\x3f\xe6\x8a\xd1\x9f\x7f\x0e\x9b\x4c\xc3\x97\x35\xb6\x86\x39\xf8\xfe\x46\x22\xdc\x78\x4d\x5d\x64\x70\xab\x9e\x32\x74\x0d\xb0\x2a\x9b\x67\x32\xac\xbb\xf5\x87\x67\x19\xf5\x57\xa4\xe0\xa4\x2c\x03\x6b\xb3\xf9\x72\xea\xa8\x62\xc5\x8f\xfb\xce\x08\xee\x0e\xa2\x1e\x74\xe8\x17\x57\x87\x05\xe4\xe2\x68\x3f\xeb\x6c\x61\x23\xee\x1b\x9a\xe1\xda\x94\xc5\xea\x68
\x76\x3b\x03\x03\xc6\x39\x7e\x21\x69\x1a\x4d\x81\x54\xfd\x1a\xef\xdf\x39\x8c\x41\x36\x9e\xb8\x25\x5d\x9b\x84\x7f\x9d\x67\xcf\x5b\xb8\x08\x41\xf4\x68\xf7\xc8\x70\xf0\xe1\x94\xdc\xf2\x3a\x6e\x76\x42\xc9\x51\x4d\x12\x64\x32\xf4\xb6\x6b\xdb\x7b\x81\xb5\x43\x70\xca\x23\xa0\x5c\x22\x3c\x49\xc5\xb2\x68\x03\x76\x8b\xad\x60\x59\x48\x17\xbb\x98\xb5\xec\x27\x4d\x62\xe2\x64\xc5\x4c\xde\x98\x06\x37\x6b\x40\x5e\x9f\x7d\xe3\xd5\x9a\xe3\xce\x7d\xb4\xa6\x89\x85\xb1\xc1\xa1\x12\x22\xd1\xc2\x80\x9c\x96\xf7\xeb\x9a\x5b\xf4\xe5\x02\x66\xdf\x93\x5c\x90\x0a\x56\x8f\xe5\x79\xa6\xea\x47\x4f\x62\x35\x91\x96\x4d\xb4\x3a\xc6\x47\xde\x15\x91\x6a\xef\xac\xd3\x22\x23\x6f\xd5\x39\x77\xd6\x82\xee\xeb\x0d\xcf\x79\x8b\x6f\x2f\xf2\x2b\x36\xdd\x00\xd6\x4e\x51\x59\x9b\xda\xd7\x03\xa4\x2d\x1d\x20\xeb\x8d\x6a\x63\x85\xf6\xdb\x49\xf3\x4f\xce\x3b\x28\xe2\x85\x6f\x28\x28\xd7\x7c\x4d\x03\xd3\x4e\xb0\x8c\x33\xb7\x54\xbf\xe7\xf3\x9d\x0a\x34\x30\xa2\x13\xb9\x7e\x75\xc2\xc9\x75\x63\x5c\x79\xd3\x0a\xaf\x3d\xaa\x9a\x1e\x8c\xa5\x6f\xbe\x49\x9e\x77\x81\x18\xc7\xe5\x95\x4a\xc2\xac\x2b\xce\xa6\x9a\xda\xc9\x60\x09\xe1\xb5\xcd\x27\x98\x6c\x25\x42\x82\xbf\x07\x60\x74\x75\x59\xcb\x61\x2a\x1f\x61\x0d\xf0\x9b\xec\x5a\xa1\xf4\x1f\x7a\x3b\x2f\x0f\x2c\xb2\x85\x08\xe2\xb0\xca\xf2\x06\xbe\x81\x0d\x65\xb6\xc4\xfc\x2e\xf5\xec\x09\x8b\x27\x4b\x53\x68\x13\x06\x04\x16\x69\xab\xb1\x75\xe4\xec\x88\x98\x1c\x5a\x0c\x05\xa6\x46\xe5\xd9\x03\x43\xa0\xb1\xf8\x73\x37\x9c\xf1\x44\xc3\xc8\x79\x5c\xfd\x77\x59\x4b\x51\x6a\xb0\x2a\x40\x8e\x0f\xaa\x37\xfd\xf2\xde\x2e\x6f\x37\xfa\x03\x54\x0d\x70\xe5\xf0\x29\x77\x67\x08\x4e\xa0\x08\x6c\x13\x1a\xb5\xb2\x8a\xb5\x43\x97\x8f\x1d\x4f\x04\x29\x1b\x6d\xdd\xd7\x2d\x2a\xa9\xa2\x2a\xe1\x96\x97\x95\x03\x51\xa2\xf3\xda\x68\x97\x1d\x96\x36\xe2\x9c\x66\xd9\xfd\x61\xcd\xac\x7c\x81\x18\x93\x50\x44\x7c\x03\xc1\x46\xd0\xdd\xe5\x5a\x17\x91\x5b\x56\xff\xa9\xfb\xa4\x7e\x09\xba\xfe\x41\x2b\x6a\x8a\xe7\x20\xd9\x2b\x04\xa5\x5e\x65\x48\xb0\x03\x55\x06\xf8\x0f\xaf\x97\x08\x24\x79\x82\x09\x6d\xd8\x06\xe1\xe6\x98\xfe\x8f\x59\x0f
\xcb\x00\x9f\xa8\x75\x86\xb0\x8c\xd2\x70\x97\xaa\x53\xd3\x08\x7e\x9f\x4c\x7a\x4e\xe5\x56\x49\x1b\x3d\xf6\x8f\xb4\x13\xa9\x2d\x7f\x78\x33\x65\xc6\xa5\xe1\xfc\xa5\xd9\x56\x3e\x19\x3e\xd2\x37\x9f\x99\x4f\x32\xe9\xa2\xc7\xa7\x22\x15\xc1\xe8\x91\x38\x57\x65\x94\x7b\x90\x86\xa5\x60\xd3\x73\xae\x19\xb8\x8e\x78\x15\x03\xb1\xb8\xb8\x01\xa8\xdc\xf5\xf6\x7d\x0e\x4b\x02\x12\xd8\x54\x48\x76\x94\xac\x76\x57\x2f\xa1\xe6\xf1\xfe\x71\x9c\xde\x5b\x27\x8c\x9c\xe3\x93\x8b\x27\x10\x60\x33\x5a\x57\x41\xba\xa0\xd7\xad\xc3\xde\x28\xe3\x7b\xee\xd6\xf7\x81\xf6\xf7\xb3\x21\xc5\x69\x33\x82\x83\x77\xa2\xff\x6d\xe2\xbf\xc2\x4b\x2a\x34\x72\xca\x50\x39\x37\x3d\x3c\xdc\x9a\xfc\x04\x0c\xe4\xe8\x94\xcf\xf8\x22\x54\xd9\xe4\xf4\xb2\x59\x98\xc9\xdc\x84\x70\x54\x63\xda\x8a\x03\xea\x41\x9c\x2e\x4c\x81\x2a\x9f\x04\xd5\x3f\x2d\xe4\xfc\x2e\x3c\x1a\x08\xa7\x38\x9d\xdf\xb0\x82\x17\x64\xe7\x11\x05\xeb\x05\x88\x72\x08\x71\xf0\x08\x2c\xd9\x11\xf8\xed\xf6\x94\x95\x00\x72\xee\xbc\x64\x21\xbf\xc7\x1a\xf2\x76\x69\x10\x7e\x4b\x48\xac\x97\x13\x39\xe6\x9c\x46\xc4\xea\x5d\x50\x02\x8f\x14\x73\x5d\x84\xda\x04\x0a\x08\xd3\xc9\xd0\xe6\x4d\xee\x8b\xb6\x45\x00\x3b\xfc\x01\x62\xc3\xe1\x31\xd3\xdf\xcc\xf1\xa5\x16\x28\xbd\x59\xed\x49\x5b\x17\x7b\x41\x7d\x0c\xb3\x76\x53\x7d\x58\x16\x74\x1c\x25\x88\x5e\xc5\x67\x42\x15\x4e\x84\xa2\x6d\x9d\xe3\x76\xd6\x7f\xfb\xe2\xfd\xb4\x86\x9b\x6d\x87\x08\xa7\x35\x0e\xfc\x67\x2a\x48\xd6\x0a\x92\x8c\x99\x27\x53\xad\x4b\xd7\x45\xa7\x18\x9b\x3f\x94\xf4\x8f\x64\xc9\xf8\x6d\x9f\x0b\x22\xbf\x7a\x1d\xf2\x09\x6b\x46\xfa\xdf\x26\x69\x06\xf3\x94\xb1\xde\x65\x52\x92\x87\x85\xd6\x8d\x26\xb9\x6b\xda\x02\xe4\x9d\x5e\xca\x82\x84\x70\x0d\x50\x33\xb0\x06\x23\x66\xa6\xce\x4b\xe4\x4c\x76\x7d\x60\x81\x7b\x48\x76\x87\x48\x58\x2a\x5e\xd3\xdb\x60\x82\x91\xa5\xef\xa1\x01\x1b\x75\x8f\x99\x0a\xb3\xe4\xab\xed\xf5\x3f\x01\xb7\x00\xdf\xae\xb5\x87\xb4\xf4\x14\xd3\xfe\x3a\x87\x32\xe1\xf2\x15\xfa\x86\x9c\x7b\x2f\x8b\x7f\x4e\xac\x59\x7d\xa8\x17\x51\x70\x9b\xd1\x8e\xb0\x86\x9c\xe1\x14\x59\xf8\x76\x6e\x63\x32\xe9\x57\x10\x7a\x79\x1a
\x64\x01\x10\x49\x48\x8a\x27\x32\x54\xf3\x3e\x0e\xcb\x44\x0e\xe4\x46\xe8\xab\x76\xf2\x4e\xc1\xf4\xcf\x7d\x31\x4a\x15\x8c\x51\x2b\x6a\x27\x31\x09\x93\x67\x76\x6a\xe4\x05\x35\x96\x7d\x63\xce\x07\x1f\x06\x8a\x7d\x3f\xbd\x48\x33\xa0\xc7\x8c\xea\x71\x27\x48\xa4\xbf\x23\x61\xd8\xf6\x03\x59\x59\xa6\xab\x08\xf3\xd4\x4f\x7f\x81\xfe\x74\xd9\x64\xd5\x8b\xb3\xcb\x60\x51\xc5\xe6\x8d\xc6\xe7\x1f\xec\xe4\xae\x85\xdd\xc8\x95\xb3\x16\xf4\x7d\x52\x08\x47\xdd\x84\x83\x17\xb6\x1a\x47\xa1\x3c\xe0\x6c\x30\xd1\x4d\x98\x52\x93\x8c\x6e\xe4\x5a\xd2\xeb\x1f\x19\xdd\xa1\x9b\x1f\x83\x56\x24\x41\xc2\xd3\x06\x11\x1f\x51\x1e\x40\xa8\xd8\x2b\x33\x4b\x2d\x98\x3c\x35\x4f\x2c\xf8\xa2\xe7\xa2\xfc\x13\x5a\x4a\x31\xda\x5b\x09\x29\xd0\xe0\xc3\xe1\xc9\xbf\xb2\xde\xbc\xd2\xfc\x9d\x05\x77\x26\x3c\x77\x71\xc6\x84\xd3\x4a\x6b\x02\xb3\x1c\x52\xf4\x2e\x07\xfc\x1f\x42\xe7\x0d\x74\x00\x35\xe8\x0f\x0c\x38\x89\xd8\xd2\x8c\xdf\x11\x40\xe2\x10\xdf\xf5\xae\xb5\xaa\xab\xfd\x65\x5a\xc4\x6e\x03\xd1\x7e\x1e\x72\x27\x3e\xa0\x14\x15\x8c\xff\x2c\x8e\xf3\x70\x08\xb4\x4e\x73\xd2\xc6\x16\x86\x23\x49\xaf\xa5\xa1\x6e\xc6\xf1\x0d\x7f\x85\xfe\x4d\x95\xdf\x41\x6b\xdf\x00\x17\x48\xa6\x98\xa7\x94\x21\x92\x54\x9a\x4b\x86\x00\xf5\x38\x02\x91\xfe\xca\xb3\x74\xb5\x90\x26\x6a\x98\x0b\x2d\x38\xd0\x81\x7e\x11\x1c\xa3\x14\x47\xff\x7a\x33\xee\x30\x0b\x75\x83\xc8\x30\x50\xa5\x91\xcf\xb8\xc3\x83\x20\x36\x9b\x54\xb9\x62\x4a\xe5\xbf\xbe\x7a\x65\x73\x23\xe6\x4b\xb8\x90\xff\x4a\xbd\x85\xfb\xe8\xc5\x9a\x68\xa6\x16\xb0\x44\xdd\xc9\x77\x33\x60\x41\x33\x5f\xe1\xd2\x9e\x87\xdf\xc5\x63\xa0\xf7\xd3\x93\xca\x83\x53\xb3\x1c\xaa\x64\x1d\x11\x40\x10\x9d\x3f\x3d\x68\xbc\x4a\xc8\xd1\xa3\x2e\x03\x9a\x5a\x5a\xae\x4e\x95\xd7\xd3\x7d\x57\x37\xef\x2b\x99\x7e\x17\x86\x82\xbe\x27\xb0\xd5\xb9\xcb\x7b\xb3\x0b\xce\x28\xda\x9f\x9c\x29\x98\x80\xe1\x52\xd9\x0f\x6a\x05\x90\xfa\x28\x9a\xeb\x5c\x4b\x4c\x05\x0f\x7f\x48\x74\x4a\x1e\x3e\xd8\xb7\x06\xbb\x14\x37\x14\x63\x70\x52\x27\x75\xb4\xa8\x24\xef\x29\xae\x2d\x08\x54\x27\x9f\xef\x03\xa0\xea\x67\x3e\x25\x1f\x66\x97\x16\x6f\x36\x99
\x60\x89\xb8\x8f\x48\x5c\x30\xdd\x49\xdf\x10\x21\xb1\xce\x79\x4b\xa4\x47\xe3\x61\x70\x4c\xa2\x0c\x53\xf2\x84\xfd\xc4\xfa\x1a\x1f\x40\xe5\xf7\x24\x0f\x27\x32\x13\xb6\x92\x0e\x9b\xfb\x8e\xe6\x9f\x93\x26\x16\xcc\xf6\x56\x49\x5d\x99\x87\x43\xd6\x1a\x08\x8e\x60\x59\xfe\x2f\xc0\x35\x72\xf1\xdf\xad\xfb\x51\x0c\x55\xf5\x18\x5a\xda\x91\x4e\x2a\x96\x62\x8d\x3e\xe5\xd6\xb0\x01\xcf\xd0\x45\x64\x6e\xf9\x36\x94\x82\x8f\xe8\xe0\x33\x3d\x9e\x85\x37\xab\x9e\x02\xec\x72\x17\x13\xb2\xb9\x74\x3e\x68\xf4\x2f\xff\x78\xab\xc0\xaf\xd4\xbd\xdc\x95\x17\x9a\xf1\x2c\x3c\x95\x08\x34\x9e\x65\x6a\xd5\x9b\xd6\x4c\xb6\xa4\xbc\x76\x42\xc6\x6e\xfe\xf2\x9a\x55\x00\x93\x70\x64\xde\x05\xe4\x9e\x2a\x81\xc5\x87\xe2\x28\xe0\xab\xa0\xc8\xa6\x87\x5c\x41\x06\x63\xa2\x22\xe5\x57\x55\x7b\xcb\x10\x54\x01\x25\x32\xe3\xe6\xd4\x83\x0d\x3d\x9c\xa0\xeb\x68\x97\xba\x54\x05\xa3\x35\x50\x3f\x8c\xfe\x34\x5a\x20\xed\xee\x88\xa8\xb1\x43\xe2\x8c\x98\x2b\xb8\x36\xe0\xcd\xe0\xc6\xde\xab\xad\xbc\x11\xd8\xa6\x33\x50\xf1\x05\x0b\x71\xab\xcb\xd8\xea\xe7\xc2\x2f\xc0\x4d\x59\x72\x67\x48\xc8\x2e\xd4\x35\x95\xd6\x62\x55\xb6\xc3\x0f\x11\x1e\x3b\x5c\x9c\x12\xd9\x7a\x36\x8b\xe6\x72\xb0\xf0\xe5\x92\x98\x38\xfd\x82\x04\xb5\x5d\x0e\x51\x1a\x32\x90\x6a\xf5\xc3\x49\xcd\x64\x8a\x43\x98\x14\x77\x04\x56\x3a\x10\xd5\xd5\xf5\xa8\x6f\x8f\x1c\x88\xa2\x32\x4e\x56\xcf\x28\xd6\x3d\xaa\xc7\x25\xe7\xf9\xfe\x3d\x15\x04\xaa\x2d\x26\x90\x37\x60\xe2\x7e\x79\x6f\x7f\x7d\x33\xb9\x6e\xf0\x1e\x4e\x57\x24\x56\xfe\x47\x9a\x25\x23\xd3\x96\xe6\xcc\x88\xb8\xa8\xdc\x35\xf1\x55\xda\xed\xb3\xc2\x9d\xd2\xcd\x8a\xdf\x6d\xcc\x73\x2e\x5c\x58\x51\x1b\xd3\x89\x87\x83\x99\xc4\x32\xc1\xa4\x0d\xc0\x6e\x94\xe2\x4d\x66\xe1\xcd\xbb\x73\xcc\xa9\x92\xa3\xa6\x1c\x54\x5d\xd3\x47\xd0\xbe\x41\x41\xa1\xec\x23\xa6\xca\x84\x5b\xa1\xb5\x83\x96\xb4\x56\xee\x05\xe6\xbe\x7d\x7c\x9a\x0d\xea\xad\x66\x46\xd7\xa7\x79\x86\x88\x6d\x9e\xe7\x55\xc5\x88\x96\x50\xe9\xeb\xcc\x4b\x8d\xea\x33\x52\x1b\x65\x17\x1e\xc9\xd9\xee\xb4\xe7\x76\xd3\xd7\x1f\x52\x61\xd4\x51\xf4\x81\xb9\x0c\xfc\x65\x5f\x8c\xf1\xb6\x3d
\xf8\x46\x7e\x0c\x1e\x2f\x9a\xf5\x75\x8e\xb5\x06\xaa\xce\xab\x4b\xb3\x59\x07\x82\x9e\x55\x41\x1e\xb2\x5b\x59\xcb\x70\xf9\xea\x06\xef\xde\xaa\xef\x61\x51\x15\x61\x84\xec\xea\xb1\xba\x65\xf4\x1d\xf3\x2b\x53\x46\xf5\xec\x03\xab\x19\x80\x7d\xf4\x84\x49\x88\x13\x34\xa6\x82\x9c\x39\x71\x69\x21\xfb\x7e\x5d\x05\x78\xee\xb3\xeb\x3b\xec\xb8\xff\x5e\x00\xfe\x84\x22\xb0\xc3\xb7\xbc\x77\xa5\xd3\x38\xbd\x0d\x4e\xf6\xa3\x41\xdd\x94\x1d\x92\x5e\xc6\xcd\x93\xf2\x89\x56\x6d\x80\x3f\xf2\xa0\x2a\x3e\xf8\xc8\xd8\x00\x52\x51\x8f\x9a\xfa\x30\xaa\xf0\xcb\x97\xea\x1e\xed\xb5\x27\xb1\x80\xdc\xb8\x03\x68\x05\x0b\x6d\xfb\x4e\xbe\x2c\xb9\x6d\x1e\x06\x84\x98\x6a\x85\xa6\xb6\xeb\xa2\x16\x60\xa1\x8c\x28\x24\x8c\xc0\xd4\xcd\xf5\xe0\x85\xc1\xfb\x61\x33\xda\x11\x69\xe5\x03\x6d\x35\xf5\x47\xeb\xc0\x61\x86\xb6\x95\xf2\x42\x71\xbd\x68\x0a\x39\x7d\x92\x35\x38\x12\x7f\x94\x8a\x2b\xa3\x6b\xf5\x29\x1a\x9c\xfa\x5d\xc5\x7a\xf9\x90\x1b\xb7\xef\x7c\x9c\x9d\x60\x00\x86\x37\x6a\x0d\xc6\x80\xe4\xe6\x7e\x17\x70\xe7\x24\x99\xb5\x83\x33\xaf\x89\x8a\x33\x2c\x78\x94\x95\x94\x28\x42\x4f\xe6\x1c\x0e\x0d\x8f\xd6\xc4\x6a\xf7\x9b\xdb\x23\xc8\x44\x94\x01\x58\x7b\xa1\x16\x56\x5c\x8e\x06\x0f\xb1\xaf\x55\x7c\xec\xda\xf3\xd1\x0d\x2f\x06\x5d\x7f\xfd\x53\xdf\xbe\x8a\xfd\x1c\x46\x90\x4c\xba\xad\x1b\xd8\xf1\x8e\xe7\x0a\xa4\x81\x1b\x27\x85\x74\x33\xe4\x75\xab\x5c\x5c\x62\x0a\x8d\xaf\x02\xbe\xf4\x02\x86\x49\x7b\xe5\x1f\x25\x32\xd4\x25\x90\x56\x69\xf3\xbe\x5c\xe7\xb7\x90\xe9\x45\xc2\x2e\x44\x6f\x0a\x36\x1e\x04\x3f\xd4\xa7\x6e\x53\xe3\xb0\x4b\x59\x05\xed\xa6\x3b\xce\xbb\x62\xe0\x6c\x6c\xc0\xe2\x54\xf2\xf0\xe3\x86\xbd\xd7\x30\xc5\x5a\x04\x07\xaf\x9d\xec\x14\x63\x3b\x5a\xc1\x5a\x33\xec\x52\x3f\x6a\x4a\x94\x54\xbc\x5a\xa2\x16\xe1\x43\xf0\xf7\x2e\xbb\xd6\xf5\xc0\x38\xd2\xee\x39\xad\x7c\xf3\x95\x6a\x3c\x47\x9a\x8a\x65\x3a\x90\x6a\x01\xf4\x86\x18\xe6\xa4\x7a\xdb\xa3\x59\x8e\x9c\x9e\x72\x5d\x53\x43\x9e\x0f\x17\x5f\xcd\x51\xba\x15\x16\x07\xa3\x35\x93\xf1\x25\x6e\x6b\x29\x68\x5a\x81\x3d\xee\x40\x3e\xc2\xb4\xfa\x09\xc6\xd0\xf4\xd6\x51\xe2\x37\x8b
\x78\x04\x1f\x37\x24\x33\x47\xdc\x77\xce\x35\x14\xc6\x34\xe4\xf8\x3e\xa2\x97\x66\x5f\x16\xd6\x56\xa6\xdf\x91\x00\xbf\x65\x53\xd6\x69\xe4\x3c\x0a\xc2\xd8\x91\xeb\x77\x79\xee\x8d\x4f\x32\x11\xcd\x2a\x52\x7f\xd4\x15\xaf\x00\x04\xc2\xd5\xdd\xb6\x2a\x36\xde\xe9\x8a\xc1\x48\x96\x96\xc5\x56\x47\x6a\xca\x9f\x6d\xa9\xbd\x4f\x37\xac\xa8\x6b\x83\x86\x0a\x8d\xd9\x04\xbb\xe2\xc3\xd3\x7c\xfc\xd7\x68\xb5\x9d\x82\xa8\xc1\xbc\xef\xfc\x44\xed\xfb\x04\x73\x0e\xa5\x79\x16\xda\x94\xb4\xe8\xdb\xcf\x5f\x01\xb5\xa7\x18\x64\x6a\x56\xe6\x2a\x64\x74\x8a\x9e\x3b\x7b\x2f\x08\x0a\x2f\xb3\x51\x5d\xb5\x35\xc6\xac\xde\xf1\xd8\x58\xf6\x33\xb0\x80\xd3\x98\xc0\x06\xd7\x40\xf5\x9b\xfc\x06\x3a\xcb\xb4\x0f\xe2\x18\x3c\x55\x20\x89\x4d\xd5\xa4\x7b\xbd\xd9\x91\xf2\xca\x2e\x1d\x35\xd0\x40\x75\x59\x00\x16\xdf\xc8\x13\xa8\xf2\x72\x92\x6d\x66\x0b\x0b\xac\x47\xfc\x72\x97\xd7\x48\xd1\x64\x2d\xe8\x2c\x08\x24\x5c\x8a\x4a\xf3\x98\x26\x97\x1b\x06\xe2\x52\x56\x75\x9f\xc4\xae\xe3\xde\x98\x40\xc1\x4f\x99\xe8\xa5\x34\x04\xbc\xca\xe6\x13\xce\xdd\x72\xd3\x2e\x74\xc8\x7d\x8c\xad\x6c\xf7\x2f\xd2\x01\x8d\x5f\x3a\x79\x7c\x08\xcd\xda\xa2\xd9\xa5\xac\x5f\x49\xbf\x07\xb0\x45\xc4\x16\x9a\x88\x30\x46\x2c\x19\xb4\x00\x4b\x62\x83\x0c\x4b\xed\xca\x51\x61\x45\x1c\xe9\xc8\xac\x56\xf9\x73\xcc\x12\x0f\x7e\xad\xb2\x01\x0d\xe4\xbc\x3d\x71\x96\x47\xa8\xef\xb1\xa9\x5d\xc9\x3c\xce\x6e\xd2\xe2\x25\x5b\x85\x28\x21\x49\x1d\xcd\x30\x64\x0e\xeb\xae\x86\xec\xc0\x2e\x36\x5b\x46\x5d\xef\xb7\x36\x94\x17\x0d\x30\x33\x77\x59\x68\xa5\x3f\x27\x4f\xd1\xab\x8f\x38\x97\x81\x5a\xf3\xdf\xc8\x1f\xcd\xb7\xa3\xa6\xd1\x91\x7c\xab\x0a\x44\x69", 8192); *(uint64_t*)0x20004cc0 = 0x20002200; *(uint32_t*)0x20002200 = 0x50; *(uint32_t*)0x20002204 = 0; *(uint64_t*)0x20002208 = 0x8b20; *(uint32_t*)0x20002210 = 7; *(uint32_t*)0x20002214 = 0x1f; *(uint32_t*)0x20002218 = 4; *(uint32_t*)0x2000221c = 0; *(uint16_t*)0x20002220 = 6; *(uint16_t*)0x20002222 = 2; *(uint32_t*)0x20002224 = 0x7fffffff; *(uint32_t*)0x20002228 = 2; *(uint16_t*)0x2000222c = 0; *(uint16_t*)0x2000222e = 0; 
*(uint32_t*)0x20002230 = 0; *(uint32_t*)0x20002234 = 0; *(uint32_t*)0x20002238 = 0; *(uint32_t*)0x2000223c = 0; *(uint32_t*)0x20002240 = 0; *(uint32_t*)0x20002244 = 0; *(uint32_t*)0x20002248 = 0; *(uint32_t*)0x2000224c = 0; *(uint64_t*)0x20004cc8 = 0x20002280; *(uint32_t*)0x20002280 = 0x18; *(uint32_t*)0x20002284 = 0xfffffff5; *(uint64_t*)0x20002288 = 0x55; *(uint64_t*)0x20002290 = 0; *(uint64_t*)0x20004cd0 = 0x200022c0; *(uint32_t*)0x200022c0 = 0x18; *(uint32_t*)0x200022c4 = 0; *(uint64_t*)0x200022c8 = 2; *(uint64_t*)0x200022d0 = 9; *(uint64_t*)0x20004cd8 = 0x20002300; *(uint32_t*)0x20002300 = 0x18; *(uint32_t*)0x20002304 = 0; *(uint64_t*)0x20002308 = 0x40; *(uint32_t*)0x20002310 = 0xe62; *(uint32_t*)0x20002314 = 0; *(uint64_t*)0x20004ce0 = 0x20002340; *(uint32_t*)0x20002340 = 0x18; *(uint32_t*)0x20002344 = 0; *(uint64_t*)0x20002348 = 0x80000001; *(uint32_t*)0x20002350 = 0x787; *(uint32_t*)0x20002354 = 0; *(uint64_t*)0x20004ce8 = 0x20002380; *(uint32_t*)0x20002380 = 0x28; *(uint32_t*)0x20002384 = 0; *(uint64_t*)0x20002388 = 3; *(uint64_t*)0x20002390 = 9; *(uint64_t*)0x20002398 = 0x101; *(uint32_t*)0x200023a0 = 0; *(uint32_t*)0x200023a4 = -1; *(uint64_t*)0x20004cf0 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x60; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 9; *(uint64_t*)0x200023d0 = 0xf652; *(uint64_t*)0x200023d8 = 0x8d; *(uint64_t*)0x200023e0 = 0; *(uint64_t*)0x200023e8 = 0x3f; *(uint64_t*)0x200023f0 = 0x80000000; *(uint32_t*)0x200023f8 = 0; *(uint32_t*)0x200023fc = 3; *(uint32_t*)0x20002400 = 0; *(uint32_t*)0x20002404 = 0; *(uint32_t*)0x20002408 = 0; *(uint32_t*)0x2000240c = 0; *(uint32_t*)0x20002410 = 0; *(uint32_t*)0x20002414 = 0; *(uint32_t*)0x20002418 = 0; *(uint32_t*)0x2000241c = 0; *(uint64_t*)0x20004cf8 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 2; *(uint32_t*)0x20002450 = 0xa8f; *(uint32_t*)0x20002454 = 0; *(uint64_t*)0x20004d00 = 0x20002480; *(uint32_t*)0x20002480 = 0x26; *(uint32_t*)0x20002484 
= 0; *(uint64_t*)0x20002488 = 8; memcpy((void*)0x20002490, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004d08 = 0x200024c0; *(uint32_t*)0x200024c0 = 0x20; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 6; *(uint64_t*)0x200024d0 = 0; *(uint32_t*)0x200024d8 = 0x12; *(uint32_t*)0x200024dc = 0; *(uint64_t*)0x20004d10 = 0x20004540; *(uint32_t*)0x20004540 = 0x78; *(uint32_t*)0x20004544 = 0xfffffff5; *(uint64_t*)0x20004548 = 0x81; *(uint64_t*)0x20004550 = 1; *(uint32_t*)0x20004558 = 7; *(uint32_t*)0x2000455c = 0; *(uint64_t*)0x20004560 = 5; *(uint64_t*)0x20004568 = 8; *(uint64_t*)0x20004570 = 6; *(uint64_t*)0x20004578 = 0x1ff; *(uint64_t*)0x20004580 = 5; *(uint64_t*)0x20004588 = 4; *(uint32_t*)0x20004590 = 4; *(uint32_t*)0x20004594 = 0xe8; *(uint32_t*)0x20004598 = 0x193; *(uint32_t*)0x2000459c = 0x7000; *(uint32_t*)0x200045a0 = 6; *(uint32_t*)0x200045a4 = -1; *(uint32_t*)0x200045a8 = r[4]; *(uint32_t*)0x200045ac = 3; *(uint32_t*)0x200045b0 = 9; *(uint32_t*)0x200045b4 = 0; *(uint64_t*)0x20004d18 = 0x200045c0; *(uint32_t*)0x200045c0 = 0x90; *(uint32_t*)0x200045c4 = 0; *(uint64_t*)0x200045c8 = 0x8612; *(uint64_t*)0x200045d0 = 5; *(uint64_t*)0x200045d8 = 3; *(uint64_t*)0x200045e0 = 0xb2f; *(uint64_t*)0x200045e8 = 0x20; *(uint32_t*)0x200045f0 = 0; *(uint32_t*)0x200045f4 = 7; *(uint64_t*)0x200045f8 = 0; *(uint64_t*)0x20004600 = 0x1ff; *(uint64_t*)0x20004608 = 2; *(uint64_t*)0x20004610 = 2; *(uint64_t*)0x20004618 = 0x1de; *(uint64_t*)0x20004620 = 0x5a; *(uint32_t*)0x20004628 = 9; *(uint32_t*)0x2000462c = 0xc46; *(uint32_t*)0x20004630 = 5; *(uint32_t*)0x20004634 = 0xc000; *(uint32_t*)0x20004638 = 0xddce; *(uint32_t*)0x2000463c = 0xee01; *(uint32_t*)0x20004640 = 0xee00; *(uint32_t*)0x20004644 = 0; *(uint32_t*)0x20004648 = 0x12; *(uint32_t*)0x2000464c = 0; *(uint64_t*)0x20004d20 = 0x20004680; *(uint32_t*)0x20004680 = 0x10; *(uint32_t*)0x20004684 = 0; *(uint64_t*)0x20004688 = 5; *(uint64_t*)0x20004d28 = 0x20004900; *(uint32_t*)0x20004900 = 0x2c0; *(uint32_t*)0x20004904 = 
0xfffffff5; *(uint64_t*)0x20004908 = 0x8a; *(uint64_t*)0x20004910 = 4; *(uint64_t*)0x20004918 = 3; *(uint64_t*)0x20004920 = 0xfff; *(uint64_t*)0x20004928 = 6; *(uint32_t*)0x20004930 = -1; *(uint32_t*)0x20004934 = 8; *(uint64_t*)0x20004938 = 5; *(uint64_t*)0x20004940 = 0xca13; *(uint64_t*)0x20004948 = 0x81; *(uint64_t*)0x20004950 = 4; *(uint64_t*)0x20004958 = 0; *(uint64_t*)0x20004960 = 0xbbc; *(uint32_t*)0x20004968 = 0; *(uint32_t*)0x2000496c = 3; *(uint32_t*)0x20004970 = 0x34b; *(uint32_t*)0x20004974 = 0x4000; *(uint32_t*)0x20004978 = 9; *(uint32_t*)0x2000497c = 0; *(uint32_t*)0x20004980 = 0xee01; *(uint32_t*)0x20004984 = 2; *(uint32_t*)0x20004988 = 0x81; *(uint32_t*)0x2000498c = 0; *(uint64_t*)0x20004990 = 3; *(uint64_t*)0x20004998 = 0x80000001; *(uint32_t*)0x200049a0 = 0x16; *(uint32_t*)0x200049a4 = 0xf97; memcpy((void*)0x200049a8, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x200049c0 = 5; *(uint64_t*)0x200049c8 = 3; *(uint64_t*)0x200049d0 = 0x100000001; *(uint64_t*)0x200049d8 = 0x10001; *(uint32_t*)0x200049e0 = 7; *(uint32_t*)0x200049e4 = 0x83; *(uint64_t*)0x200049e8 = 5; *(uint64_t*)0x200049f0 = 5; *(uint64_t*)0x200049f8 = 0x100; *(uint64_t*)0x20004a00 = 6; *(uint64_t*)0x20004a08 = 0xfffffffffffffbff; *(uint64_t*)0x20004a10 = 0xb533; *(uint32_t*)0x20004a18 = 0x800; *(uint32_t*)0x20004a1c = 0xad7; *(uint32_t*)0x20004a20 = 0x32f914fb; *(uint32_t*)0x20004a24 = 0x2000; *(uint32_t*)0x20004a28 = 0xe0; *(uint32_t*)0x20004a2c = r[6]; *(uint32_t*)0x20004a30 = 0xee01; *(uint32_t*)0x20004a34 = 4; *(uint32_t*)0x20004a38 = 0x64; *(uint32_t*)0x20004a3c = 0; *(uint64_t*)0x20004a40 = 4; *(uint64_t*)0x20004a48 = 0xfffffffffffffffc; *(uint32_t*)0x20004a50 = 0x16; *(uint32_t*)0x20004a54 = 6; memcpy((void*)0x20004a58, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004a70 = 2; *(uint64_t*)0x20004a78 = 2; *(uint64_t*)0x20004a80 = 7; *(uint64_t*)0x20004a88 = 0x8000; *(uint32_t*)0x20004a90 = 9; *(uint32_t*)0x20004a94 = 3; *(uint64_t*)0x20004a98 = 2; *(uint64_t*)0x20004aa0 = 7; 
*(uint64_t*)0x20004aa8 = 0x80000000; *(uint64_t*)0x20004ab0 = 8; *(uint64_t*)0x20004ab8 = 6; *(uint64_t*)0x20004ac0 = 0x400; *(uint32_t*)0x20004ac8 = 0xc932; *(uint32_t*)0x20004acc = 0x81; *(uint32_t*)0x20004ad0 = 5; *(uint32_t*)0x20004ad4 = 0x1000; *(uint32_t*)0x20004ad8 = 0xf841; *(uint32_t*)0x20004adc = r[7]; *(uint32_t*)0x20004ae0 = 0xee00; *(uint32_t*)0x20004ae4 = 0xff; *(uint32_t*)0x20004ae8 = 5; *(uint32_t*)0x20004aec = 0; *(uint64_t*)0x20004af0 = 4; *(uint64_t*)0x20004af8 = 0xffffffffffff3232; *(uint32_t*)0x20004b00 = 0x16; *(uint32_t*)0x20004b04 = 5; memcpy((void*)0x20004b08, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004b20 = 4; *(uint64_t*)0x20004b28 = 0; *(uint64_t*)0x20004b30 = 0; *(uint64_t*)0x20004b38 = 7; *(uint32_t*)0x20004b40 = 0x200; *(uint32_t*)0x20004b44 = 6; *(uint64_t*)0x20004b48 = 5; *(uint64_t*)0x20004b50 = 0x1020000; *(uint64_t*)0x20004b58 = 6; *(uint64_t*)0x20004b60 = 0x7f; *(uint64_t*)0x20004b68 = 0xce; *(uint64_t*)0x20004b70 = 0; *(uint32_t*)0x20004b78 = 0xa9fb; *(uint32_t*)0x20004b7c = 0xffffff81; *(uint32_t*)0x20004b80 = 0x3ff; *(uint32_t*)0x20004b84 = 0x1000; *(uint32_t*)0x20004b88 = 0; *(uint32_t*)0x20004b8c = 0; *(uint32_t*)0x20004b90 = r[8]; *(uint32_t*)0x20004b94 = 0x8de6; *(uint32_t*)0x20004b98 = 3; *(uint32_t*)0x20004b9c = 0; *(uint64_t*)0x20004ba0 = 2; *(uint64_t*)0x20004ba8 = 0xffffffff; *(uint32_t*)0x20004bb0 = 1; *(uint32_t*)0x20004bb4 = 5; memcpy((void*)0x20004bb8, "/", 1); *(uint64_t*)0x20004d30 = 0x20004bc0; *(uint32_t*)0x20004bc0 = 0xa0; *(uint32_t*)0x20004bc4 = 0; *(uint64_t*)0x20004bc8 = 0x3f; *(uint64_t*)0x20004bd0 = 5; *(uint64_t*)0x20004bd8 = 2; *(uint64_t*)0x20004be0 = 0; *(uint64_t*)0x20004be8 = 7; *(uint32_t*)0x20004bf0 = 6; *(uint32_t*)0x20004bf4 = 3; *(uint64_t*)0x20004bf8 = 2; *(uint64_t*)0x20004c00 = 0xf51e; *(uint64_t*)0x20004c08 = 0x65; *(uint64_t*)0x20004c10 = 1; *(uint64_t*)0x20004c18 = 0x8b; *(uint64_t*)0x20004c20 = 0x7f; *(uint32_t*)0x20004c28 = 0x100; *(uint32_t*)0x20004c2c = 9; 
*(uint32_t*)0x20004c30 = 0x24; *(uint32_t*)0x20004c34 = 0xa000; *(uint32_t*)0x20004c38 = 0x3f; *(uint32_t*)0x20004c3c = 0; *(uint32_t*)0x20004c40 = -1; *(uint32_t*)0x20004c44 = 0x40; *(uint32_t*)0x20004c48 = 3; *(uint32_t*)0x20004c4c = 0; *(uint64_t*)0x20004c50 = 0; *(uint32_t*)0x20004c58 = 1; *(uint32_t*)0x20004c5c = 0; *(uint64_t*)0x20004d38 = 0x20004c80; *(uint32_t*)0x20004c80 = 0x20; *(uint32_t*)0x20004c84 = 0xfffffff5; *(uint64_t*)0x20004c88 = 0x401; *(uint32_t*)0x20004c90 = 0x5b2; *(uint32_t*)0x20004c94 = 0; *(uint32_t*)0x20004c98 = 9; *(uint32_t*)0x20004c9c = 2; syz_fuse_handle_req(r[3], 0x20000200, 0x2000, 0x20004cc0); break; case 21: memcpy((void*)0x20004d40, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004d40); break; case 22: res = -1; res = syz_init_net_socket(3, 2, 1); if (res != -1) r[9] = res; break; case 23: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[10] = res; break; case 24: *(uint32_t*)0x20004d84 = 0xb8ca; *(uint32_t*)0x20004d88 = 0x20; *(uint32_t*)0x20004d8c = 0xe7c; *(uint32_t*)0x20004d90 = 0x26b; *(uint32_t*)0x20004d98 = r[10]; *(uint32_t*)0x20004d9c = 0; *(uint32_t*)0x20004da0 = 0; *(uint32_t*)0x20004da4 = 0; syz_io_uring_setup(0x3e79, 0x20004d80, 0x20ffc000, 0x20ffb000, 0x20004e00, 0x20004e40); break; case 25: *(uint32_t*)0x20004e84 = 0x29dc; *(uint32_t*)0x20004e88 = 2; *(uint32_t*)0x20004e8c = 1; *(uint32_t*)0x20004e90 = 0x3d6; *(uint32_t*)0x20004e98 = r[3]; *(uint32_t*)0x20004e9c = 0; *(uint32_t*)0x20004ea0 = 0; *(uint32_t*)0x20004ea4 = 0; res = -1; res = syz_io_uring_setup(0x5336, 0x20004e80, 0x20ffd000, 0x20ffb000, 0x20004f00, 0x20004f40); if (res != -1) { r[11] = *(uint64_t*)0x20004f00; r[12] = *(uint64_t*)0x20004f40; } break; case 26: memcpy((void*)0x20004f80, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20004f80, 0xfffffffffffffff8, 0x240); if (res != -1) r[13] = res; break; case 27: *(uint8_t*)0x20004fc0 = 6; *(uint8_t*)0x20004fc1 = 0; *(uint16_t*)0x20004fc2 = 0; *(uint32_t*)0x20004fc4 = r[13]; 
*(uint64_t*)0x20004fc8 = 0; *(uint64_t*)0x20004fd0 = 0; *(uint32_t*)0x20004fd8 = 0; *(uint16_t*)0x20004fdc = 0x4404; *(uint16_t*)0x20004fde = 0; *(uint64_t*)0x20004fe0 = 0; *(uint16_t*)0x20004fe8 = 0; *(uint16_t*)0x20004fea = 0; *(uint8_t*)0x20004fec = 0; *(uint8_t*)0x20004fed = 0; *(uint8_t*)0x20004fee = 0; *(uint8_t*)0x20004fef = 0; *(uint8_t*)0x20004ff0 = 0; *(uint8_t*)0x20004ff1 = 0; *(uint8_t*)0x20004ff2 = 0; *(uint8_t*)0x20004ff3 = 0; *(uint8_t*)0x20004ff4 = 0; *(uint8_t*)0x20004ff5 = 0; *(uint8_t*)0x20004ff6 = 0; *(uint8_t*)0x20004ff7 = 0; *(uint8_t*)0x20004ff8 = 0; *(uint8_t*)0x20004ff9 = 0; *(uint8_t*)0x20004ffa = 0; *(uint8_t*)0x20004ffb = 0; *(uint8_t*)0x20004ffc = 0; *(uint8_t*)0x20004ffd = 0; *(uint8_t*)0x20004ffe = 0; *(uint8_t*)0x20004fff = 0; syz_io_uring_submit(0, r[12], 0x20004fc0, 8); break; case 28: memcpy((void*)0x20005000, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20005000, 0x1000, 0x8600); if (res != -1) r[14] = res; break; case 29: *(uint64_t*)0x20005080 = 0; *(uint64_t*)0x20005088 = 0x20005040; memcpy((void*)0x20005040, "\x48\xd5\xa3\x40\x0d\x13\x5d\xd4\x91\x01\x61\x86\x7c\x99\x1f\xc7\xd6\x8d\x55\x14\x5f\xbb\xc5\xc4\x98\xb5\x8f\xba\x49\xbd\x01\xb6\x83\x86\x47\x33\x65\xa9\x13\x12\x72\xed\xe1\xd5\x3b\xc2\x85\x05\x1b\x85", 50); *(uint64_t*)0x20005090 = 0x32; *(uint64_t*)0x200050c0 = 1; *(uint64_t*)0x200050c8 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x20005080, 1, 0, 0x200050c0, 1); break; case 30: *(uint32_t*)0x20005100 = 1; syz_memcpy_off(r[11], 0x114, 0x20005100, 0, 4); break; case 31: memcpy((void*)0x20005140, "afs\000", 4); memcpy((void*)0x20005180, "./file0\000", 8); *(uint64_t*)0x20006640 = 0x200051c0; memcpy((void*)0x200051c0, "\xc5\xf6\xf4\x20\xae\xec\x38\x8c\xed\xec\x2b\x59\x7c\x81\x56\x53\x8c\xd4\x58\x60\x34\x19\x9f\x56\xf5\x94\x4d\xa0\x3d\x8c\xa8\x29\xf6\xc6\xb6", 35); *(uint64_t*)0x20006648 = 0x23; *(uint64_t*)0x20006650 = 1; *(uint64_t*)0x20006658 = 0x20005200; memcpy((void*)0x20005200, 
"\xf4\xee\x9e\xdc\x1b\xe2\xc2\xd8\x62\xa4\x80\xf3\x0a\xe3\x0d\xaf\xad\xfd\xf8\x69\xf7\x78\x9a\x45\x49\xf5\xa8\xda\xc0\x6f\xe4\xc5\xd5\xd2\xcf\x00\x66\xd8\x8b\xfc\xa6\xaf\x40\x74\x5e\xd6\x17\xb7\xa1\x46\xc9\x40\xde\x37\x50\x5c\xb9\x65\xea\xa1\x98\x2c\x8c\xa0\xec\x21\x06\xf4\x7e\x4e\x26\x5f\x1e\x19\x28\x5b\xba\x7e\xb5\x77\xf6\x00\x66\xb5\xf4\x6c\x62\xd2\xec\x00\x68\xed\xcb\xe6\x30\x0e\x4f\x1e\x3c\xce\x42\x9e\x45\xa7\xdf\x28\x7e\x80\x09\x84\x1d\xb1\x01\x51\x34\xee\xaa\x72\x43\x11\xe5\x51\x81\xcb\x7a\xfe\x7d\xfd\xc7\x94\x6b\xd1\x45\x23\xea\x66\x80\xea\x42\xca\x9f\x7b\x0e\xaa\xab\xe1\xd0\x54\x27\x7e\xff\x60\x7e\xf4\xf8\x40\x2e\x5d\xc3\x7e\x6a\x52\x8e\xc3\x56\x58\x23\xc0\x31\xa8\x46\x0e\x8b\x5f\x67\x06\x68\xf8\x6b\x90\xa0\x26\x04\x3a", 184); *(uint64_t*)0x20006660 = 0xb8; *(uint64_t*)0x20006668 = 2; *(uint64_t*)0x20006670 = 0x200052c0; memcpy((void*)0x200052c0, "\xba\xee\xde\x48\x17\x36\xd9\x0f\x0a\xa3\x6f\xb3\x27\x95\x6d\xd7\x63\x57\x8e\x20\x19\x9f\x0d\xc8\x5f\x18\x5c\x93\x06\x86\x6b\xa3\x3c\x93\xd2\xaf\x96\x13\xc9\x29\x09\xc6\x51\x25\x4e\x6a\x63\x50\x3d\xbf\x31\x7b\x02\x1c\x4b\x3c\x8d\xe3\x05\xd3\xde\x39\xa1\xad\x9a\xc1\xb0\xab\x3f\x51\xf6\x8c\x1a\xe1\xda\x3e\x4c\xc7\x44\xfd\x00\xdf\xa6\xd1\xb9\x6e\x21\x13\x40\x07\xd3\x1c\x93\x01\x38\x54\xed\x32\x55\x0f\x1b\x82\xa4\xc0\x3c\xa6\x74\x40\xd8\x65\x45\xdc\xd2\x9e\xea\x99\x27\x4f\x65\x57\x37\xad\x5a\x54\xd9\xe7\xf9\xde\xc4\x91\x29\xbb\x84\xbe\xb6\x2b\x18\x53\xf6\x9e\x6a\x07\x72\x09\xf7\xe5\x5c\xe0\xd5\x16\x86\xca\x76\x4d\x2c\xe3\x34\xcd\x6d\x09\xb5\xd9\x23\x57\xbd\xef\x60\xa6\x35", 169); *(uint64_t*)0x20006678 = 0xa9; *(uint64_t*)0x20006680 = 0; *(uint64_t*)0x20006688 = 0x20005380; memcpy((void*)0x20005380, 
"\x31\xf1\xfb\xee\x4b\x48\xe6\xe6\x9c\xb6\x1b\xd1\xcc\xc1\xe2\x13\xaf\x5a\x28\xe7\x4c\xff\xc2\xe5\xe8\x2f\xbb\xcd\x1c\x34\x00\xfa\xf3\x79\xd1\xa1\x94\xd5\x2a\x36\x67\xe2\x01\x9b\x9a\xec\x0e\x14\xfe\xed\x8f\xea\x77\x0a\x9a\x1b\xfb\xbc\x30\x99\x73\x21\xbc\xbb\xcf\x4d\x11\x5b\xb3\xd3\x26\x9e\x50\xbe\xca\x59\x82\xef\x1d\x22\xc9\x83\xd7\x86\x21\xdb\xaa\x93\xe8\x39\x5e\xfe\x31\xdf\xad\xed\xca\xde\xd0\x97\x6f\x5f\x0c\x7d\x4f\x17\xb6\xcc\x88\xb8\x97\xce\x5d\xdf\xf1\xad\xe8\xef\x2d\x62\xdc\xbe\xd4\x21\x58\x9e\x3c\xfb\x5d\x85\x50\xd3\x65\x1a\x99\x11\x5d\x6e", 138); *(uint64_t*)0x20006690 = 0x8a; *(uint64_t*)0x20006698 = 2; *(uint64_t*)0x200066a0 = 0x20005440; memcpy((void*)0x20005440, "\x78\x81\xb6\x81\x1e\xa2\xae\xc8\xf2\x7f\x7f\x7f\x52\x3c\xc4\xba\xca\x36\x52\xf7\x30\x3c\xd7\x48\xfb\x4e\xd8\xcc\x78\x3a\xc5\x78\xa9\xe8\x53\xa9\x90\x6a", 38); *(uint64_t*)0x200066a8 = 0x26; *(uint64_t*)0x200066b0 = 1; *(uint64_t*)0x200066b8 = 0x20005480; memcpy((void*)0x20005480, "\xc5\x05\xe1\x80\x5e\x72\xc2\x3f\x48\x9b\xb4\x5d\x55\x60\x79\x64\x53\x32\x08\x2b\x1b\x6b\xef\x7a\xdc\x39\xb0\x98\xe1\x73\xf4\x2f\xdd\x8d\x2c\x65\xce\xb6\x64\xad\xb4\x7d\xe1\x73\xdb\x5b\x34\x23\xe0\x2b\xfe\xe5\x83\x39\xfc\xb7\xd8\x5f\x2d\x1a\xcd\x1f\xed\x18\xda\x1c\xb7\xb3\xd2\x8d\x4e\x36\x8a\xa5\xf0\x2a\x89\x50\xaf\xd1\x9b\x0d\x60\x03\xc1\xfc\x54\x24\xd3\xe2\x8d\x4b\xf7\x90\x2f\xa3\xd9\x99\xb4\xf6\x23\x68\xc5\x84\x4f\x1e\x9e\x4d\x19\x5c\x65\x48\xc1\xa0\xe6\x14\x80\xc6\x1f\xe3\xfc\x89\x54\x81\x0a\x5c\x55\x19\xa2\x85\x0a\xff\x54\x44\xdf\xe3\x6d\x6c\x08\xfb\x25\x1d\x64\x59\x51\xca\x0a\xee\x8a\xe0\x9d\x52\x18\xce\x7d\x78\x3d\x4a\x62\x07\x0c\xce\x23\x1a\xb7\xc6\x30\x93\x1f\xbc\x78\x39\xba\x29\x79\x30\x5c\xab\xb4\x5f\x4a\xa2\xdc\x92\x49\x72\xfe\x3a\x5a\x80\x6c\x03\xc7\x41\x79\x3e\xb0\x46\xd5\x66\xef\x8d\xe1\xd0\xb7\x14\x50\xb5\x61\xba\x65\xb0\x14\x14\x29\xbd\x3e\x5a\x42\x06\xb4\x7e\xf0\x97\x27\x5e\xad\x1f\xe3\x12\x57\xa7\x23\xdd\xc5\x85\xc7\x03\xf5\xd0\xfc\xf7\xb2\x98\x13\x4d\x89\xd0\x3f\x47\x7a\xb7\xaf\x75\x6e\x3a\x4f\x9e
\x1d\x06\xca\x01\xf2\xb7\x59\xc9\x55\xb8\xe8\xbf\xc1\xb8\x07\x01\x98\xb3\x30\xf5\x85\x8c\x69\x51\x61\x06\x82\xa3\xcb\xdc\xb5\x91\xf1\x39\xa7\x1e\x88\x3b\xb7\x69\x1c\xb5\x6b\xc0\xad\x95\xdd\x77\x4f\xdc\x11\x0d\x07\x5b\x3a\xcf\x5f\xbb\xb2\x27\x22\x79\x21\xe1\x0a\xa5\xb7\x3d\xa8\x1d\xca\x19\x66\x00\x37\x61\x20\x26\x6c\xc8\x4f\x0c\xc2\xee\x0f\xf3\xf6\xc7\x4b\x65\x6a\x61\xb5\xf5\xae\x6d\xab\x4a\x9c\xe8\x4c\xb9\x7c\x0b\x90\xe7\xa0\xd0\x78\x28\x81\x9e\x2b\xdd\xb1\xa7\x27\x7c\xaf\x68\x71\x95\xec\x83\x64\xd8\x52\xb9\x86\x43\xf5\x55\xdc\xa6\xad\x72\xd6\x80\x64\x3f\x29\xc3\x22\x57\x5f\x2e\x57\x11\x34\x3f\x8a\xa2\x4d\x7d\xeb\x87\xd3\xac\xe4\x82\xbc\x05\xdc\xd5\x28\x83\x38\xb5\x84\x99\x4a\x09\x0c\x45\x1a\xbb\x28\x4c\x01\x04\xc5\xf3\x79\x08\xeb\x33\x07\xd6\x5e\x79\x2b\x4f\x25\x86\x00\xde\x77\x07\xc8\xb1\x54\xff\xd5\xf5\x6d\x7a\x17\xc6\x2f\x09\x28\x28\x51\x6f\x82\xea\x4a\x12\x6a\x2a\x36\x0c\x70\x31\x08\x77\x0c\xc7\xe7\x50\x5c\x8e\x18\x0c\x5f\x37\x6d\x0d\xba\xf1\xe1\x85\xa5\x04\xed\x01\x3b\x0b\x16\x24\x83\xf9\xe2\xa3\xbe\xc7\xd6\x83\x30\x82\xac\x95\x4e\x8f\x5e\x31\x84\x37\x2e\x05\x08\xad\x7e\x0f\xb4\xb2\xf1\x20\x1a\x35\x88\x2a\xda\x41\x5d\xfd\xb3\x65\x87\xe8\x87\x95\x10\x1f\x9d\xc6\xc0\xd2\x6b\xbb\x64\x24\x21\xdb\x09\x73\xef\x28\x3c\x2b\xea\x7f\x5c\x9c\x35\xeb\x13\xea\x5a\x97\x42\x85\x2f\x08\x3e\x44\x32\x82\xcb\xad\x94\x7e\xa0\x5d\x3f\x99\x8b\xf3\xf8\x60\xcd\x12\x5b\x26\x6e\x1f\x3b\x84\xc4\xe6\x2b\x4e\x49\xae\x7f\x85\x2d\x57\x8e\xab\x24\xa0\xc5\xe4\xc6\x09\x28\xb6\x99\xc7\xb6\x8c\x63\x28\xf3\x2c\xa3\x71\x5b\x94\x00\x55\xb6\xad\x04\xf9\x94\x16\x55\xdc\xfa\x91\xdc\x4d\xf0\x21\xa7\x45\x04\x51\x9f\x0a\x7d\xf1\x0d\xb5\x05\xda\x8c\xa4\xa0\x52\x58\x04\xdf\xd9\x0a\x31\xbb\xa6\x48\xbe\xe5\x7b\xcc\xd6\xcd\x9a\x59\x6e\xb9\x45\x86\x7e\x02\x31\xfa\xfb\x66\xc5\x01\x7b\x29\x79\xad\xe5\xdf\xcf\xb2\x4c\xb5\xc7\x88\x15\x11\x18\x56\x04\x90\x6d\x1f\x20\x1a\x12\x64\xa5\x4c\x20\xc1\x73\x90\x1d\x32\x5f\x5c\x2b\x0e\x0f\xff\x22\xc6\x83\x4d\x07\x0c\xbe\xdc\x8a\xe6\x6f\x2f\xce\x84\x88\xd7\x7b\x1f\x92\x57\xa9
\x1a\x00\x1e\xda\x07\x55\x56\xc2\x3e\x7a\xdb\xde\x0c\x99\x4b\xd6\x98\x0c\xbd\xb3\x44\xd0\x4e\xfd\x2a\x3f\x4e\x73\x26\x20\x26\x0d\x15\xf6\x08\x4c\xca\xb9\xb2\xf1\x3b\xf5\x47\x82\xeb\x2f\x56\x89\x19\xe0\xae\xfc\x06\x3f\x3f\x2a\xf6\xbe\xb8\x19\x15\x9c\xfd\xb0\x53\x4e\x79\xe0\xcd\x74\x51\x5b\x52\x8c\x82\xce\xfa\xec\x85\x47\xd0\x5f\x08\xb0\x04\x24\xa0\x2a\xbb\x0f\xe2\x0d\x30\x55\xd3\xb9\xd9\x7e\x8b\xad\x3a\x7b\x22\x02\xb8\xef\xfc\x5d\xa0\x55\xf4\xeb\x18\x27\xdc\xb1\xde\x57\xde\xfc\x3c\xcb\xe7\xc3\x02\x79\xa3\x04\x11\x96\xa9\xf0\xb1\xa7\x44\x91\xc0\x7b\x9a\x1a\xf0\x40\xe5\x3e\xc7\x1a\x91\x10\xe2\x0f\x32\x09\x2a\xdd\xcd\x05\x8a\x15\x07\x9b\x71\x8f\xac\x59\x4d\x8e\x75\x13\x9b\xc9\x26\x0f\xf6\x56\x47\x25\x0f\xd7\xce\x6b\xdb\xc3\x05\xc0\x79\xc5\xcc\x2f\xe6\xcd\x1f\xca\x99\x3e\x85\x30\xe0\x37\x38\x83\x90\x08\xdc\x65\x8f\x22\x66\x4e\xea\x77\x06\xf6\xad\xa2\x4c\xa1\xa2\x2e\x83\x0a\xad\x64\xf4\xdc\x44\x38\x7d\x83\xad\x42\x88\xf4\x46\x72\xd9\xa0\x55\x59\xfb\x29\xc6\x6f\xe6\x67\x9e\x97\x9f\x86\xee\x31\x67\x5f\x50\x1d\x95\x81\x47\x96\x61\x29\x08\xd1\xf7\x03\x7b\x69\x0b\x94\x81\xfb\x68\x7f\x2d\x52\xb5\xa3\x73\x51\x5f\x62\x07\x59\x36\x04\x2a\x0e\x9d\x10\xc9\x11\x14\xa9\xe7\x4c\xa7\xac\x76\x55\x8f\x73\xfa\x26\xfe\x9d\x14\xde\xa8\x5d\x4c\x9f\xae\x1f\x6c\x53\xbb\x76\x8b\x14\x57\xa7\xf8\x9b\xcb\xf9\x0e\x70\x69\x75\x37\x67\xf0\xc1\x90\x21\x63\xe4\x00\xaf\xdd\x91\xec\x2d\xac\xbe\x68\x0c\x7d\x64\x54\xa0\xf1\x73\x49\x0b\x6b\x1e\xd4\x88\x1e\x82\xcd\x79\xd6\xb8\x91\x61\xd8\x7f\x4f\x27\x0d\xea\xde\xbe\xb3\x51\x07\xc1\x9c\x7a\x6d\x54\x08\xe6\x0b\x32\x5c\x64\xdb\xb9\x98\x3b\xfa\xf0\x30\x6f\xac\x8a\x0f\xb3\x24\xaf\x5d\x69\xc2\x1c\x62\xa8\xb5\xe2\x57\xa4\x8d\xe0\x69\x22\x6a\xb2\x9a\xee\xad\x17\xfa\x45\xf3\x84\x75\x0f\x8b\xba\x1d\x46\xe0\xa4\x12\x78\x07\xe1\x0d\x15\x70\xda\x63\xb2\x02\xee\xb7\x15\x38\x6a\xfe\x3d\x8b\x17\x47\xca\xa6\xa4\x14\x16\xdd\x65\x52\x4d\x22\x28\xea\xaa\xd1\xa6\x1b\xff\x8d\xb8\xbe\x75\x2c\x45\xae\xca\x76\xde\xa3\xaa\x68\x08\x36\x4c\xf7\x58\xdc\x87\x03\x41\x7a\x49\xb9\x3e\xca\x5a
\xd0\x9d\x63\x30\x3a\x4a\xc3\x78\xaa\xd3\x4a\x08\xde\xcc\x4a\x72\x0c\x3e\xea\xf8\x8a\xce\x0a\x72\x90\x0b\xc3\xdd\x40\x2c\x12\x2d\x00\xd5\x6b\x51\x72\x35\xae\x91\x12\x83\x2d\x63\x7b\x93\x17\xb6\x1f\x9d\xcb\x0c\x48\xe7\x28\xe8\x50\xdf\xd5\x26\x26\xdb\x29\x6a\xad\x77\xb9\xc7\xcd\x91\x67\xf3\x19\x47\x47\xc0\x11\xa5\xfb\xda\xbc\xa9\xca\xbd\x2f\x6b\x75\x81\xf9\xd9\x1c\x63\x66\xd5\x26\xb1\x68\x3e\x3f\xee\xfd\x0f\xe3\x0f\x53\xe7\xcb\x7d\xe4\x1e\x89\xe4\xe7\x43\xef\xea\x39\x44\xea\x8a\xfd\x9f\x77\x8a\x7f\x06\xbf\xb0\xef\x23\x86\x48\xc2\x1c\xed\xfd\xd8\xb7\x6e\xed\x76\x57\x74\xd7\xa4\x90\xb0\xee\x46\x4e\x44\x88\xa9\xc3\xdd\x21\xc7\xba\x2e\x63\xa3\x1a\xe3\x8f\xfa\xb2\x09\x46\x0b\xa9\x3a\x62\x02\x9d\x8f\x2a\xde\x13\x77\xb5\x34\x38\xb0\x51\x90\x12\x27\x39\x82\x72\x63\x9f\x12\x4d\x42\xb5\x55\xd5\x91\xa6\x65\x5f\x73\xf6\xc4\x6c\x51\x4c\xf3\x2a\xe4\xc6\x04\x6c\x38\x04\x07\xf7\xd9\xcf\x3c\x14\x1b\xdd\x94\x69\x13\x84\x95\x8e\x67\x17\x8f\x81\x6a\x63\xe4\xcc\x18\x9c\x52\x16\x38\xdc\x7a\x28\xd2\xaf\xb6\x12\x84\x76\xe4\x08\xee\x85\xb9\x9a\x12\x61\x29\xc5\x5e\x67\x9c\x0b\xdc\xeb\xd9\x66\x98\x17\xe9\x45\xb0\xff\xfa\x61\x5a\xb9\xce\xf2\xf8\x59\xe0\xac\x38\x25\x36\x11\xfe\x63\xbd\x57\xfd\xf0\x3f\xb0\xd6\x5c\x1c\xc6\x5d\xf2\x65\x38\x59\xfc\x59\x4f\x9a\x3e\xb3\x79\xd1\x17\xda\x82\x8a\xc5\x58\x6b\x3f\x6d\x3b\xcc\xf1\xd5\x4c\x45\xbc\x1a\x5f\xa4\x5e\xd7\xad\x36\x6c\xff\x39\xa6\x32\xbd\x4d\x14\x70\x0d\x30\xf7\x0c\x99\x72\x5c\x2f\xb8\xee\x97\xcb\xc5\x9f\x8e\x5b\x64\xfa\xc8\xfe\x2f\x83\x60\x41\xbb\x57\x08\xa3\x64\x0b\xbc\x67\xf9\xd0\x9a\xc1\xfd\x36\x46\xa6\xf7\x44\x6f\x48\x15\x98\x9b\xb0\x41\x9c\x94\xb0\xa6\xfc\x97\xd0\xfd\x9e\x51\x90\xe7\x24\xd7\x54\x82\xcc\x1e\xb4\xc0\x77\x53\xb0\x1c\x42\x02\xc4\xd0\x9d\x00\x6b\xd6\xbd\x92\xb3\x3c\xd4\x0d\x8f\x1b\xf7\xea\x73\x9a\x68\x6f\x8d\x3a\x12\xdf\x2f\x7c\x57\x8a\xd2\xe0\xc1\xb2\x9c\x04\xf2\x82\x85\x70\x45\xed\x90\x38\x28\x30\xcf\x0f\x2f\x2c\x8d\x22\x07\x3e\xde\xc3\x1d\xd2\x57\x30\x0b\xa6\x7b\xec\x88\xa1\xe7\xa5\x58\x0f\xdd\xe5\x01\x98\x79\xf6\x96\x2d\xa5\x0d
\x75\xc6\xfd\x13\xa1\x9e\x35\x8e\x13\x41\x35\xdb\xb8\xb4\xbe\xed\xbe\xd1\xcc\x5f\x8f\x20\x34\xee\x29\x7f\xf6\x9b\x9d\xb3\xe0\x05\xe5\x9f\xd5\xea\x22\xba\x51\xbd\x8f\xeb\xde\x9f\xf9\xf6\x5a\x21\xda\x5e\x13\x5c\xa8\x86\x07\x31\xc4\xde\xe9\xc3\x3c\x7e\xdb\xa5\x08\xd2\x6d\xdb\x55\x92\xfd\xf9\x85\x06\x70\x2f\x99\x80\x37\xe6\xb4\x18\xc5\xc7\x83\x62\x43\x48\xf5\x7d\x2c\xf2\xcd\x8f\xb8\x37\xc6\x18\x53\xf5\x16\xc6\x8e\x76\x58\x29\xfe\x2f\x74\x11\x66\xa7\x4a\xfd\x1e\xdc\x90\x97\x1c\x4e\xda\x7a\x6a\x18\xd8\x5d\x54\xba\x87\xf9\x09\x5b\xd1\x62\x6b\x9b\x90\x0c\xf6\xfe\x05\xee\xb1\xb4\xf0\x05\x99\xb6\xe8\x38\x1f\xe2\x8d\xe8\x51\xe1\x9a\x02\x52\xef\xde\x6c\x57\x99\xf5\x6e\xc2\xd6\x1c\xc6\xff\x5d\x1e\xb6\x5e\x9d\x8e\x05\x45\xa9\x2e\x6b\x98\x66\x27\xc7\xf9\x71\x69\x42\x10\xe0\x88\xb7\x84\xbe\xaa\xba\x64\xd2\xab\xe4\x44\x1c\x7b\x14\xfc\x8d\x2a\xda\xfa\xc7\x82\x34\xed\x72\x59\x9c\xc4\x16\xc0\x47\x75\x0b\x24\xac\x3c\x9a\xa4\x69\x0c\x05\x77\x04\x9d\x80\x5b\xae\x79\x92\x2c\x1d\x29\x66\xd9\x75\x2c\x55\x1a\x91\xa9\xfb\xc0\xbb\x95\xc2\x3a\xcc\x2a\x90\x68\x35\x31\xa5\x9f\x30\xfc\x1d\x10\x79\xbd\x9f\xc0\x7f\x0d\x09\xbd\xdc\x01\x37\x2b\xa2\x6c\x13\xef\x30\x6a\xf3\x25\x6f\x23\x5d\x72\xb7\x59\xb6\x61\x8c\x1e\x09\xe8\xdf\x69\x35\xdb\x77\x45\x3b\x49\x96\xb0\x15\x2a\xe1\x37\xd1\xca\xdd\xbd\x5f\x8e\x12\x62\x1a\x54\x81\x55\x43\x45\xdf\xbb\x7e\x2c\x50\x03\x71\x34\x6f\xea\xfd\x5d\xc0\xf6\xe2\xc5\x9e\xa2\xc2\x45\xd1\x5d\xb2\x0e\x87\xc7\x7b\xd9\x08\xd9\x28\x50\xe4\x03\xe5\x8c\xdf\xf0\xe2\xfc\x25\x7f\xf0\x00\xf3\xb2\x68\xdc\xf1\x41\xe7\x75\x25\x10\x61\x08\xa4\xb6\xed\xcf\x89\xf1\xfc\xfb\x12\xa0\xa0\x2a\xd7\xc0\x12\x12\x84\xea\x49\x0c\xa7\xbf\x87\x61\xee\xff\x5b\x37\x5e\xeb\x0a\x03\x8a\x44\x4d\x2f\xb9\x50\xf9\x65\x17\xad\xa9\x4c\xd9\x6f\x8d\xbb\xd0\x42\xa4\xde\xb1\x88\x21\x7b\x7b\x9d\xad\x94\x8b\xb5\x98\x43\xc0\xc3\x92\xbd\x9e\x79\xc8\x5d\x34\x61\x6b\xcd\x99\xfb\xff\x77\x53\x7d\x23\x4c\x05\x1e\x5e\x9a\xa9\x13\xc7\x7c\xbd\xcf\x53\x96\xce\x3f\x06\x83\xe9\x2e\xbd\x0c\x1b\x99\xfb\x5c\x66\x3f\xb9\x7b\x6d\xc2\xd4
\x35\x54\xaa\xa9\x9a\x27\xab\x99\x17\x2b\xac\x17\xe3\xbc\x04\x4d\x3d\x2e\xf8\xf8\x73\xcf\x52\x21\x4e\x71\xd7\xd7\xc5\xff\x9d\xc7\x91\xd4\x0c\xee\x37\x53\x6d\xd1\x2b\xa0\x95\xb4\x8a\x34\x19\x75\x78\x4a\x16\x14\x17\x5a\x1f\xc4\x9d\xc2\x10\x2b\xa5\xc2\x74\x16\xdf\xf8\x27\x9e\xa3\xf2\xc4\x47\x39\xb8\xef\x99\x61\x69\x9a\x4c\x79\x28\x59\xce\xe8\x81\x11\x43\x78\x46\xc9\x45\x01\x75\xb8\xba\x2a\x32\x67\x57\xdc\xbf\xd5\x51\xac\xd1\x5d\x78\x37\x32\x83\x8b\x9c\x92\x4e\x09\x23\xfb\x79\x5b\x77\x04\xbf\x1c\x84\xdb\xe6\x56\x9c\x0d\xf7\x02\xa7\x47\x7f\xa0\x99\x6d\xe5\xd6\x81\xd1\x0f\xa2\xaa\x52\xb1\x42\x53\xba\x91\x3a\xde\xcf\x47\xea\xbf\x1b\x01\x5e\x73\xd6\xba\xb5\xdb\xe5\xd5\xdd\x1e\x06\x7c\xc9\xe4\x80\x60\x40\xdb\x09\xa1\x44\x8e\xd2\x1d\x98\xdc\x6f\x45\x9f\x22\xc9\x51\xc7\xb0\x72\x01\x46\x77\x91\x09\x7b\x39\x04\x10\x36\xa5\x0e\xc5\x59\x6b\x6d\x28\xe1\x4b\x79\xaa\x12\xbe\xfa\x32\xff\x95\x62\x9d\x53\x2a\xda\xed\x53\x42\xc8\x4d\x39\xc8\x22\x53\x82\xf9\x81\xae\x4f\x85\xb7\xa1\xae\x6b\x90\xa8\x18\xb6\x2d\x71\xbf\x59\x2f\x84\x27\x3f\xa2\xcc\xbb\xa6\x5d\xfc\x34\xfd\xaf\x56\x1e\x26\xd3\x07\xb7\x43\xf8\x2b\xc7\x6f\x99\x85\xc9\x50\x76\xc8\x3a\x1d\x28\x65\x32\xb8\xd5\x95\x20\xbf\x6c\x40\xbc\x63\x5f\x51\x60\x8f\x49\xbd\x47\x82\xf6\xa6\xb7\xd3\x7c\x6f\xe8\xe5\x27\x2e\xc0\x8f\x85\xfb\x9b\xaa\x66\xbd\x70\xb1\xdb\x70\xdf\x0b\x12\xce\x35\xd8\xe1\x5c\x18\x7f\xec\xfd\x9f\xa3\x41\x72\x1f\xf6\xb2\x4a\x1b\xb6\x8b\xd0\x74\xc2\xa5\x7d\x74\x60\x91\x7d\xd2\xff\x0d\x08\x04\x11\x2b\x05\x20\xf0\x5c\xd7\x07\x87\xd8\xdc\xe6\xcb\x69\x71\x1e\xf7\x45\x3b\x40\x67\x9e\xc9\x7a\xac\x90\x0e\x69\x8c\xe1\xf8\xe5\x8b\xa7\x38\x59\x0d\xf5\xc4\x58\x8e\xc6\x50\x68\x80\x02\xa2\xc1\x4e\xc6\x0c\x58\x38\x5b\x68\xdb\x23\x8b\x8c\x5b\x18\x9b\x2f\xd5\xfd\x21\x36\x55\xe0\xc8\x19\x00\x94\x97\x64\x02\x2d\x22\x77\xb0\x38\xce\x7d\xbd\x00\xd1\xec\x66\xe2\x31\x95\x63\x6a\x39\x21\x53\x26\xea\x45\x2a\xd0\x89\x9a\x52\x2a\x7a\x77\x96\x5b\x2a\xe6\x0d\x5b\x25\xff\xc6\x4d\x1d\xd5\x04\xd2\x8c\x61\x1f\x38\xce\x5c\x3a\xa3\x4c\x4f\x6c\xdd\x1b\xd7\xe9
\x65\xe3\x68\x77\x11\x89\x34\x65\x06\xe3\xcb\xba\xf7\x45\x3f\x03\x9c\x6a\xeb\xdf\x77\xa1\x38\x75\x49\x9d\x7d\xb3\xe0\x8f\x9c\x31\xd3\x53\x07\x49\x0e\x6d\x3c\x11\xee\x69\x77\xe6\x69\xcb\x1a\xa6\x42\x0d\x46\x19\x55\x05\x0e\x0c\xfb\xe0\xbb\x23\xd1\x31\x9e\xf3\x54\x21\xd8\x0e\x56\x5e\x5f\xc9\xb3\x0d\x6d\x0a\x4d\xa0\x54\x40\x61\xe6\x44\xeb\xa5\xb4\x7b\xc4\x8e\xce\x8b\x7f\x85\xd8\x23\xc9\x8c\x4b\xd6\xcd\x46\x4a\xcc\x49\xa2\x9b\xb6\x92\x6d\x2a\x95\x97\xc6\x4e\xdb\x8a\x4b\xa2\xca\x2d\xd7\xba\xd8\x0d\xa3\xba\x9d\xf1\x43\xb2\xb3\xcb\x44\xd6\xe5\xce\x04\xaf\xf3\x97\xf5\xfc\x4b\x0f\x5a\xf4\xaa\x07\x87\x61\x1e\xfc\x52\x11\xbb\xb4\x8b\x7e\xb3\xe1\xd4\xcb\x54\xac\x2b\x9d\x0d\x9d\xa7\xff\xbd\x18\x51\x35\x94\x67\x4b\x53\x0e\x8a\x20\x6f\x9b\x04\x2b\xe8\x13\x86\x81\x92\x29\x50\x5d\x35\xce\x04\xa1\xe1\xe0\x30\x4a\xb5\xdb\x61\x88\x47\x20\xf5\xbf\x6a\xe9\x10\xd4\x8b\x9a\xaf\xe2\xbc\x5a\x1a\x4f\x4e\xda\x0f\x61\x5c\x8d\x0d\x68\x2a\x55\xa5\x2f\x0d\x40\xe1\x38\xc8\x8c\x42\x99\xaa\x1b\x10\x04\x40\x01\x68\xde\x6a\xc8\xaa\x18\xfe\x60\x29\xbf\x63\xc6\x40\xef\x7f\xb9\x1b\x56\xa5\xab\xc2\x43\x97\xd1\xb2\xcf\x3b\xc0\x87\x7e\x8d\x52\x19\xe5\x67\x23\xa6\xc4\x98\x89\xcd\xd5\xba\x03\xc8\x4f\xbc\x41\x5a\x3e\x9b\x65\x2d\x26\xe2\xd6\x13\xc3\xdc\xce\x41\x4e\x1f\xa3\xe2\x20\xb3\xc2\xe3\x53\x91\xac\x65\x20\xed\x1f\x05\x14\x88\x05\xa4\x6e\x99\x34\xe5\xfe\xbf\x84\xe1\xbb\xa2\x5b\xa1\x30\xa9\xe0\x58\x4b\x62\x5d\xf2\xc2\xee\x4e\xc0\xd1\x0a\xff\xfa\x19\x17\x73\xd4\xf4\x12\xf5\xca\x22\x51\x93\xca\x27\x88\x7f\xd4\x7c\x9c\x69\xf2\x1d\xa9\x52\xf9\x8a\x99\xf2\x05\x31\x4c\x18\x2b\x00\x14\xdd\xe7\x56\x3d\xed\x90\xe3\x38\xda\x5d\x5e\x83\x6f\x16\x2b\x96\x37\x75\x17\xc2\xf6\x75\x8d\x9b\xb4\x1e\x8b\xc9\xdd\x8f\x2e\xb5\x21\xad\x81\x4e\xac\x65\x1a\x48\xef\x64\xbc\x45\xab\x60\xbf\xf9\xd2\xe6\x7f\x03\x18\x3d\x04\x4e\xd4\x37\xa8\xbd\x73\x04\x3d\x6a\x8a\x51\x90\xfb\x5c\xd5\x2c\xfe\x06\x89\xe2\xda\x08\xcd\x11\xaa\xe6\xf2\x5c\x50\xd6\xcc\xbd\x5f\x4e\xa7\xce\x9b\x51\xb5\x79\x46\xaa\x92\xf4\x1e\xfd\xc2\xb9\x19\xc8\x87\xa0\x70\xc5\x19
\xef\x60\x0f\xe1\x4d\x67\x66\x4e\xd7\xfc\x21\x1a\x09\xe9\x12\x9b\x13\xa7\x02\x4f\x2f\xeb\xc3\x01\x05\x81\xda\x84\xb4\x4b\xbe\xdf\xdc\x1f\x54\xb6\x3c\x8c\xfa\x8c\x8b\x5c\x98\x66\x49\x33\x3e\xee\xaa\xf5\x3e\x8b\xe8\x63\x24\x23\x78\xb0\xff\x6c\xff\x6b\x1d\x6e\x02\x70\x10\x68\x44\x84\xc6\x36\xb7\xc1\x34\x01\x8e\x3a\x73\x2a\x6b\x35\x2c\xfe\x08\x1f\x79\x0f\x00\x29\x96\x7f\xf1\x82\x0d\x57\xd3\x70\xc2\xa9\xf1\xbe\x05\x11\x00\xd5\xa8\xea\xc4\x24\x1a\x6c\x2b\x64\x0f\xe7\x3b\x16\x1d\x54\x38\x01\xf1\xeb\x2a\xbd\xea\x76\x9c\x51\x8c\xbd\x72\x71\xc6\xd6\x5a\xbe\x83\x66\x1d\x2f\xd2\x8e\x41\xb9\xad\x57\x5b\x95\x8f\xbb\xc5\xa4\x3f\x34\x12\x78\x65\x6d\x30\x0f\x21\xd8\xc7\x11\x61\xbf\xc2\x81\x2b\x2f\x7f\x36\x92\xc5\x75\x8a\x5f\xea\x82\x84\xcc\x43\x15\xe2\xdc\x16\x05\xd0\xb5\x82\x43\xa9\x79\xaf\x7c\x0c\xce\x31\x3e\x3e\x12\x7b\xaf\x93\x13\xf1\xab\x8c\x43\x75\x81\x36\x95\x86\x68\x9a\xe6\x9b\x86\x84\x47\xbf\xa6\x07\x98\x62\x0c\x68\x08\x00\x90\xc9\xf0\x49\x3c\x95\xa6\x4c\xa4\xf6\x78\xea\xa1\x4f\xe8\xcb\xc9\x08\x6e\xa9\x9c\x78\xa3\xd8\x16\x98\x42\xfc\xa3\xb0\xd2\x89\x40\x6c\xfa\x9d\x52\xf4\x1d\xf0\xb7\xfc\xfe\xb6\xe1\x0b\x7f\xb8\x84\x6b\x64\x6c\x6e\x17\x73\x32\x0a\xaf\xac\x2d\x38\x42\x72\x44\x93\x2e\xd2\x37\xb9\x83\x4f\x60\xc0\xbc\x4f\x9f\x6b\x18\xee\x82\xd4\xab\x52\x57\xd0\x33\x43\x13\x7a\x44\xa5\x21\x48\x42\x7e\x74\x72\x52\xc0\x61\xc8\x8c\x78\x85\x98\x58\x16\x3f\x76\x85\x65\xfe\xfe\x43\x03\xce\xab\xa9\x4b\x78\x6b\x6d\x9d\x0b\x69\xd0\xca\x92\x0e\x61\x52\x55\xe2\xb8\xc3\xfd\xd7\x8d\x8c\x19\x4e\x9c\x80\x49\xa9\xd1\x87\x77\x26\x85\xac\x98\xfa\x7e\x7d\xf5\x4f\x5e\xbc\xe1\xec\xc1\xcf\xc7\xa6\x2e\x85\x39\x32\xde\xac\xcb\x58\xd7\x9f\xec\xb9\x31\xd1\x46\x43\xec\x70\x20\xad\xe4\x9c\xce\x0a\x1e\x78\xe3\x4d\x71\x09\x60\x22\x31\x7d\x7a\xf5\x36\xb3\x8f\x72\xfb\xf6\x5f\x7e\x47\x63\xe6\xd1\xda\xd8\xc2\x6f\x56\xe2\xab\x4c\xdf\x77\x8e\x32\x64\xa2\xad\x20\x04\xcb\xce\x99\xb7\x7e\x6e\xc2\x72\xd6\xf0\x83\xd2\x08\x3a\x04\x2f\x67\x90\x8e\x14\x7e\x60\x1e\xd4\x2f\x20\x1f\x5b\x9f\x18\xe8\x9e\xaf\x48\xd3\x84\xee\xef
\xa0\xf9\xf9\xec\x38\x6a\x27\x4e\xcd\xab\xac\xd1\xe2\xdb\x6b\x90\xad\x98\xc4\x75\x66\x7d\x27\xfa\x72\x79\x08\xd2\x8e\x37\x45\xc3\x4b\x50\x15\xed\xd1\x30\xd0\xb7\xe3\xfd\x54\xdd\xea\x89\xe3\x7d\xba\xfa\x49\x84\x07\x59\xa3\x0d\x29\xe2\x1b\xb0\x9d\x95\x00\x3c\x28\x95\x18\x9e\x43\x9a\xb7\xb4\x12\xc2\x51\x61\x0a\xa7\xaf\xab\xef\x41\xe5\xab\xe2\x23\x53\x21\xf3\x22\xe8\xbd\x59\x24\xd7\x9a\x40\x46\x05\x37\x8e\x3b\xda\x60\xd2\x8e\xa5\x67\xe6\xa7\x39\x64\xa6\xdd\xd4\x3c\xfa\x1f\x5e\x0c\xb8\xbe\x45\x5e\x1f\x6d\xbc\xcc\xf7\x2c\xd1\xcf\x14\xe8\xe5\x07\xa1\xa1\x97\x9f\x1c\x2b\x43\xc8\xa6\x49\x29\x0b\xa5\x41\x37\xd1\xaa\x64\x73\x56\x8e\x39\x0a\x66\x59\x73\x82\x34\x92\xec\x2d\xce\x33\xc3\x9c\x88\xaa\x42\x47\xf1\x4f\x1f\x0e\x56\xad\xee\x32\x60\x80\xb7\x16\xdc\x55\xda\xe2\xa5\xed\x84\x2d\x79\x0d\xe3\xf1\xfb\xe3\x2f\x89\x51\xea\xb8\xdf\xa5\x4d\x77\x0d\xf7\x34\x27\x31\x27\x0b\xeb\x47\x04\x27\x7f\x3e\x1d\xc1\x69\x34\xaf\x90\x23\x50\xcd\x6b\x0b\x7a\x67\x1f\x26\x75\xf0\xdf\x88\x48\x31\xae\x06\x39\x26\x69\xd6\xbd\xa8\x49\x3b\x6b\xda\xf5\xae\x90\xf4\xc4\x5f\x8f\xb1\x91\x4e\x0b\xe0\x57\xf4\x5d\xb5\x01\x01\xb8\xbc\x6e\x64\x9a\xa6\x85\x60\x71\x22\x5c\x42\xc6\xee\x15\x7a\xdb\xda\x58\x42\x94\x2c\xca\x28\xfc\x4c\x7c\x08\xe7\xc2\xcf\x19\x81\x54\x2b\xe4\xab\x7f\x4b\xf6\xef\xff\x69\x2d\xfe\x65\xb4\x50\x80\xb2\x1e\xee\xf5\x29\x91\x71\xa1\xc2\xb7\x36\xf7\x0d\xa4\x31", 4096); *(uint64_t*)0x200066c0 = 0x1000; *(uint64_t*)0x200066c8 = 0xff00000000000000; *(uint64_t*)0x200066d0 = 0x20006480; memcpy((void*)0x20006480, "\x82\x92\x51\xfb\xd7\x0c\xae\xb4\x51\xcc\xf0\x9a\x96\xfb\xfe\x55\x9b\x21\x7a\x4a\x12\xcf\x46\xa3\x89\xd8\x2c\x55\xef\x7f\x5c\x64\xe4\x5e\x1b\x6f\x26\x95\x59\xa8\x5e\x8b\xcc\x23\x2b\xf1\x50\x0d\xcb\x9a\xf4\x0f\x69\x71\x65\xfd\xe6\x20\x9f\x8b\xf0\x01\x58\x5b\x6c\xca\xaf\xe1\x94\xcc\xfd\xb7\xf8\x99\x08\x04\xee\x77\xed\x9a\x34\x5b\x52\xa8\xd7\xe8\xf4", 87); *(uint64_t*)0x200066d8 = 0x57; *(uint64_t*)0x200066e0 = 8; *(uint64_t*)0x200066e8 = 0x20006500; memcpy((void*)0x20006500, 
"\x34\xe0\xc0\x82\xbd\x77\xb5\x1d\x0c\x9a\xb1\xbc\xde\x0a\xcc\x30\x81\x49\xf3\xe6\x4c\x75\xb7\x17\x3c\xda\x5f\x39\xd3\xb4\xa6\x2c\x60\xde\x76\xd1\x2d\x41\xce\xc1\xb7\xc9\xbc\x9e\x57\xac\xb7\x83\x42\x82\xa5\x75\x8d\x7c\x7e\x4b\x21\x71\x5f\xeb\xf6\xfb\xf1\x44\xad\x46\xcb\xf2\xce\xc8\x7f\x74\x01", 73); *(uint64_t*)0x200066f0 = 0x49; *(uint64_t*)0x200066f8 = 0x8001; *(uint64_t*)0x20006700 = 0x20006580; memcpy((void*)0x20006580, "\xe6\x09\x76\xf8\x6d\x91\xdd\x66\xce\xc0\xb1\xe3\x0e\xc8\x01\x16\x0b\x84\xcf\xb1\xf8\x60\x37\x03\xd1\x4a\x6b\x81\x5d\x22\xe1\x78\x3e\xed\x12\xce\x8c\x08\x0e\x3f\xfb\xf0\xb5\x30\x95\xf6\x96\x03\xfa\x76\xa9\x34\xa6\x0a\x05\x26\x34\x1e\xaf\xaf\xb3\x86\x7d\x13\xe8\x8d\x1d\x39\xe3\x70\xa0\x0d\xbe\x06\xdd\xc8\x40\xba\x74\x46\xa6\x25\x97\x06\x9e\x1d\xcd\x13\x8f\x82\xb2\x9f\xf7\x8a\xf1\xd1\xc3\x13\x3f\xe9\xc0\x4d\x73\x2c\xdb\x4b\x3f\x6a\xa2\x69\x89\x36\x9b\x5f\x6d\xca\x60\x00\xa0\x76\x73\x41\xbc\x2a\xaa\xcd\x69\xe6\x48\x62\x19\x15\xb8\xaa\x9c\xb2\x4c\x6b\xb5\xae\x3f", 141); *(uint64_t*)0x20006708 = 0x8d; *(uint64_t*)0x20006710 = 3; memcpy((void*)0x20006740, "flock=strict", 12); *(uint8_t*)0x2000674c = 0x2c; memcpy((void*)0x2000674d, "obj_type", 8); *(uint8_t*)0x20006755 = 0x3d; memcpy((void*)0x20006756, "/dev/vcsa#\000", 11); *(uint8_t*)0x20006761 = 0x2c; memcpy((void*)0x20006762, "obj_role", 8); *(uint8_t*)0x2000676a = 0x3d; memcpy((void*)0x2000676b, "bpf_lsm_unix_may_send\000", 22); *(uint8_t*)0x20006781 = 0x2c; *(uint8_t*)0x20006782 = 0; syz_mount_image(0x20005140, 0x20005180, 0, 9, 0x20006640, 0x10000, 0x20006740); break; case 32: memcpy((void*)0x200067c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200067c0, 4, 0x4800); break; case 33: memcpy((void*)0x20006800, "net/icmp\000", 9); syz_open_procfs(r[5], 0x20006800); break; case 34: syz_open_pts(r[9], 0x258102); break; case 35: *(uint64_t*)0x20007d00 = 0x20006840; memcpy((void*)0x20006840, 
"\xb3\xde\x0d\x9f\x2e\x1e\xba\x98\x79\xee\xf0\x8d\xbd\x42\xed\xd7\xd6\x22\xf0\x95\xe0\xce\x34\x29\xb6\x4c\x46\x70\x8b\xf7\xfa\x26\xe6\x9e\xc1\x57\xca\xa3\xe1\x6d\x60\xb3\xba\xf5\xb0\xd2\x46\xbf\xef\x95\x5e\x35\xf8\x55\x56\xc9\x61\x4a\x60\xb6\x5c\xae\x7c\x02\x3c\x99\x31\x8f\xc8\x5b\xc0\xab\xfd\x16\xbc\x78\xeb\x56\x31\x7c\xd8\xb8\x0c\x5f\x5a\x87\x85\x6c\x5c\xd0\xb9\x7f\xc2\x83\xcb\xc9\xd8\x35\xff\x9d\x70\x97\x2b\xd4\x20\x11\x69\xa3\x5c\x26\x99\xbf\x5a\x8b\x31\xad\x36\x07\x12\x10\x19\xe7\x33\x98\xb2\x28\xb9\xc5\x9a\xa5\xb5\xc0\x07\x16\x67\x66\xee\xe5\x91\x1d\x5d\x2f\x86\x4c\xb4\x2b\x84\x21\xf3\x8c\xb2\x1a\xa9\x36\x97\xe5\xad\x16\x6a\x96\x6a\xc9\x8a\xa7\x76\xfd\x27\x50\x02\x94\xc4\xdd\x1b\xac\xf4\x1f\xd0\x70\xe9\xe4\xa9\xe5\xeb\x70\xd2\xa9\x8f\x91\x5c\x13\x91\xfd\x75\xf5\xff\xec\xfa\xb4\x24\x25\xeb\x01\x6c\x33\xec\x19\xae\x67\xf4\xb1\x00\x08\x8e\x09\x0f\x03\x5d\x78\x14\x3b\x35\x94\x4f\x30\xa4\x9a\x77\xb8\xc5\xe2\xa0\x8e\x9f\x38\x1a\x8a\xfb\xcf\x48\xeb\xad\x84\x11\x45\x5f\xf2\xcb\x76\xa4\xa1\xb5\x57\xd1\x21", 254); *(uint64_t*)0x20007d08 = 0xfe; *(uint64_t*)0x20007d10 = 0x7fffffff; *(uint64_t*)0x20007d18 = 0x20006940; memcpy((void*)0x20006940, "\x33\x0e\xa7\x46\xd7\xdf\xb4\xa5\xe9\xf3\x3a\x32\x5a\x96\x88\xca\x04\xcd\x59\xaf\x72\x4b\x34\xf7\x0a\xe3\x70\xd4\xac\x73\xea\x9a\x65\xab\x00\x3f\x2c\xbc\x01\xaf\x11\x62\xc0\xfe\xfb\x2b\x7e\x4a\x0d\xcd\x3f\x2a\x8c\x23\xf2\xa1", 56); *(uint64_t*)0x20007d20 = 0x38; *(uint64_t*)0x20007d28 = 0x2eed; *(uint64_t*)0x20007d30 = 0x20006980; memcpy((void*)0x20006980, 
"\xef\xd5\x43\xd9\x2d\xc8\x23\xae\xf9\x1d\x85\xc4\x4c\x05\x58\x44\xe2\xaf\x47\xb4\xd5\xa6\x7e\x3a\x39\x59\xdc\x6d\x61\x7c\xd8\xe9\xb6\xc3\xf5\xbb\xf0\x5d\xa7\x3f\x04\xbf\x4f\x54\xa6\xf3\xd5\x36\x1d\xee\x72\x0d\x1f\xf9\xf6\x5d\x5d\x7c\x18\xb8\x65\x34\xf2\x91\x26\x21\xaa\x81\xb4\xc2\xd3\xda\xa1\xa6\x75\x38\xac\x5e\xfc\xf2\xe0\x08\xc7\x91\xd5\x91\x52\xdb\x5f\xa2\xd0\xa2\x3f\x39\x97\xbd\x1e\x25\x02\xe6\xfa\xdb\x36\x78\x88\x91\x84\x3e\x3d\xe1\xc4\x48\x3a\xea\x75\x22\x4b\x12\xed\xe3\x00\x6b\x96\x48\xdc\x76\x61\xa4\x6d\xa2\xd1\x46\xd3\xdf\x70\xa1\xd0\x4b\x2c\x64\x57\x8d\xaf\x21\x9d\xcb\xa1\xb6\x7a\xae\x08\x6a\x25\x41\xc4\xb9\xb4\xdc\x6d\x43\xc0\x76\x54\x4b\x4c\xf9\xcd\x57\xe6\xe2\x6d\x74\x21\x7d\x1d\x85\x46\x22\x4d\x85\xf6\x50\xa0\xad\x3a\xac\x78\xc0\xcf\x1d\x83\xa4\xad\xcc\x11\xc2\xe8\x4d\xf1\x88\x9c\x79\x20\x34\x7f\xe4\x04\x20\x19\x14\x72\x78\x62\xb4\x60\x22\x9c\xe6\x7a\x1a\x88\xde\x34\xaa\x73\xd3\x9b\xe6\x7f\xe9\x22\x10\x69\x92\x21\x10\x3a\xc5\xb4\x9a\x07\xff\x0b\x35\x48\x36\x3c\x87\x80\x66\xd5\xa0\xca\x8f\x56\x5a\x61\x6a\x04\x9a\x5d\x7b\x6e\x70\xba\xdf\x46\x49\xc5\x1a\xec\x86\x71\xfa\xa4\x44\xd7\xe0\xa6\x30\x4e\x27\x3c\x40\x5c\xc6\xf3\x48\xd1\x9f\xf1\x34\x8b\xac\xc9\x6e\xcf\x1a\x28\x11\x96\x18\xc9\x1e\x59\x42\xbb\xf0\xe2\xd7\xfc\x69\x97\xcf\x63\x30\xc1\x06\xa7\x90\x2c\xcd\xc1\xb9\xcd\x0e\x8f\x55\x93\x55\xd2\x6f\x81\xc7\x7e\x52\x48\x82\xd0\x27\x83\xf1\x5b\x05\x69\x69\x02\x36\xe3\xaa\x74\xb9\x6b\xcc\x5e\xf9\x0e\xae\x4a\x5e\x3a\xba\x2a\x56\x0f\x9b\x0a\x51\x3c\xe1\xa8\xce\xb0\xd2\x10\x36\x15\xf8\x28\xb0\x12\x5d\xf3\x2e\xec\x97\x11\x0e\xe2\xa5\x9e\x1f\x91\x37\x72\xa8\x59\xf6\x5d\x95\x3c\x20\xca\x8a\x0c\x6e\x85\x26\x61\xd8\x62\x93\xcb\x46\x72\x41\x3f\xfa\xfa\x27\x03\x2e\xda\x8d\x8b\x19\xce\x77\xd3\x5d\x13\x04\x29\x6d\x8d\xbe\xe1\xb7\xc3\x58\xfe\x5d\xdf\x94\xc4\x24\x11\xe2\x63\x62\xcf\x42\xa5\xc7\xc1\x89\x91\xe3\x92\x63\x31\xa2\xc7\x12\x36\x09\xe0\xa3\xc0\x5e\x42\xf1\x75\x97\x2e\x44\x5a\x6a\xe5\x71\x54\x06\x2e\x21\xe0\x56\x66\x60\x2a\x2b\xf0\x89\x1e\xe6\x56\x48\xe5\xa9\x67\xe
a\x16\x24\x84\x99\xc8\x2e\x74\xc1\x9e\xda\xfe\xcf\x24\x02\xce\x53\x21\xf5\xbb\x4e\xcd\xe0\x58\xa1\x17\x6f\x31\x0b\xb1\x33\x8b\x11\xdd\xc6\x0d\xce\x03\xc4\x72\x7f\x7d\xd3\xc2\x33\x5d\x50\xae\x49\x2d\xca\x1b\xd9\x8b\xe4\xaf\x07\x44\x29\x1f\xa2\xba\x1c\xd3\xe9\x3e\x6f\x1d\x9d\x1b\x43\x05\xc2\x76\x41\x18\x09\x4a\x16\x43\x6a\x01\x45\x98\xfb\x64\xc3\x4e\xad\x3e\x8f\x45\xd1\x1c\x4f\xc0\x62\xc1\x44\xc8\xe0\x52\x20\xfb\xdf\x4a\x8c\xab\x6e\x28\x8b\x5c\xfd\xef\xa7\xa0\x54\x23\xef\x2d\x4f\x3b\x3b\xee\x57\x68\xb2\x80\x34\xa0\x8d\xe8\x83\xb8\x17\x27\x8b\xd3\xe7\x85\xc1\x14\x32\x9d\x99\x2c\x58\x12\x15\xf5\x64\x4c\xcf\xa4\xe8\x94\x10\x1d\x5f\xa4\x30\x08\xd8\x03\xfb\x9b\xaa\xef\xd7\xdd\x4b\x88\x83\xb6\xe7\xa1\x7f\x4d\xdf\x48\x26\xcd\xd7\x11\x0f\xf2\xc8\x39\x53\x49\x06\x8c\xd0\xb9\x55\x0a\x3a\x2f\x5c\xbc\x0d\xb0\x6b\x1b\x31\x29\x2c\x54\x87\x9a\x17\x2f\x4b\xe9\x83\x9b\x1d\x76\x89\x6c\x4c\xcc\xd8\x84\x1a\x55\x92\xaa\xc1\xf5\x27\x2b\x6f\xda\x92\x46\x34\xb5\x07\x50\xb3\x82\x31\xff\x13\x3d\xa1\xfc\x86\xd1\x09\x8c\x82\x3d\xf5\xbc\xa8\xcf\xe8\xc0\x8b\xa2\xee\xe5\xa4\x65\x8b\x29\x17\xbf\x3a\xf4\xb4\xe4\xe4\x7c\x6b\x7c\x35\xa3\x96\x3e\xbc\x60\x44\xf2\x72\x88\xc5\xa3\xc1\xa2\xf5\xfa\x45\xa1\x28\xbe\x9a\x13\xde\xd8\xc2\xf6\x74\x5e\xcf\x4f\xa9\x47\x23\xf9\xf1\x63\x82\xf4\xdb\x48\xd0\xc8\x11\xfe\x8e\xed\xb8\xbf\x05\xff\x38\xe5\x78\xd4\x93\x76\x55\x02\x53\xd2\x61\x7f\x86\x30\x3c\x54\x3f\x88\x2a\xdc\x20\x08\x56\x4c\x8b\xa1\x3e\xcd\x19\x61\x3a\x63\x19\x3d\x94\xe9\xa7\x3b\x21\xea\x1d\xdd\x30\xb4\x82\xc0\x98\x69\xc0\xfa\x37\x13\x1c\x69\xcc\xd0\x33\xdd\x96\xd8\xee\x7c\x5f\x2f\x8a\x15\x2e\x84\xc0\xf6\x59\xe6\x0c\xe1\x69\xfc\xb8\x9d\xe0\x28\xbe\xa3\x9d\x05\xdf\x03\xcf\x22\x80\x70\x29\xc1\xaa\xe4\x59\x94\x0d\xd5\x4b\x78\xc0\xde\xde\x18\x72\x3f\x97\x2d\x96\x51\x6e\x19\x71\x9e\x5c\x9e\xd0\x06\x86\x0f\x24\x71\xa8\xe5\xb1\x8f\xcf\x0e\xf4\xba\x66\x81\xa4\x1f\xa8\x00\x9b\x7e\x03\xb4\x44\xf4\x5a\xb3\xcc\xa9\xbb\xbc\x58\x13\xd1\xfa\x05\x5a\xaa\x4d\x45\x44\x12\x33\xae\x7b\x69\xb7\x59\xe3\xdd\xe7\x66\xc0\xf3\xb1\x3
b\xf9\x68\xcf\x85\x65\x38\x28\x83\x55\x7f\x92\x5c\x21\x07\x58\x61\xec\x9f\x35\xc7\xcd\x44\x4b\xcc\x7d\x38\x1d\xc0\xd7\xaa\x75\x4b\xa5\x70\x66\xb9\x02\x78\x8f\x53\x85\x4c\xf9\xd5\x6c\xa7\x3c\x7a\xc8\x5c\xca\x67\xba\x50\x9e\xc3\xa7\xc1\xb4\x2d\x8c\x65\x4b\x34\xd8\x8d\xa8\xd2\xca\x85\xad\x4a\xe8\xb8\x65\xb6\xd2\xa0\xc1\xc4\x40\x76\x68\x53\x5c\x49\xf3\x49\xe2\x76\xf1\xa8\x67\x64\xef\x18\xe3\xb0\x8f\x1d\x1e\x3c\xc1\xb9\x3c\xde\x3f\x19\x78\x57\xfb\x48\xb5\xa5\xfe\xf3\x1a\x86\xfa\x00\x22\xd6\xa9\x6d\x81\x5c\x8c\x9a\xf9\xba\xdb\x7b\x88\x6e\xa0\x9a\xda\xc7\x32\xc8\xe4\xea\xfe\xb8\x47\x32\x18\xe7\x94\xbc\x6a\x71\x6d\x17\x16\xfe\xfe\xf8\x6f\x63\xd3\x2b\x66\x73\xb4\x35\xd1\x3e\xdd\xca\x42\x25\x7c\xfe\x07\x17\xfc\xa3\xa3\x9f\x00\xbc\xa6\x50\xf5\x46\x3a\x24\xc5\x09\x24\x25\x6d\x32\x07\xd2\x9c\x1b\x1c\x95\x10\x9e\x40\xda\xb6\x07\x78\x7f\xb7\x4c\x4e\x64\xfe\x4a\xca\xc6\x5c\x62\x83\xff\xcc\x11\xfd\x08\xa0\xbd\x1f\x49\x30\xa8\xbe\xea\x57\xa0\xdd\xa0\x28\x67\x86\x6c\x5b\x1c\xe5\x86\xb3\x2e\x7c\xd1\x8a\xb1\x6a\x27\x5d\x6c\xc0\x43\xa9\x90\xe1\xd7\x97\x0f\x79\xd5\xb8\x88\x0e\xef\x3f\xc4\xef\x4d\xe5\xe8\x40\xac\xd0\xed\xbc\xde\x6b\xf6\xfe\xdf\x3c\x6a\x2d\x25\x39\xfd\xaf\x27\x8f\x06\x97\x94\xd3\x0a\x09\xd6\x15\xe1\xe4\xa5\xa7\x61\x7e\x16\x24\x1d\xaa\xb8\x7f\xda\xd4\x93\xed\x9c\xf3\x26\xfe\x64\x7a\x40\xf0\x27\x9d\x6a\x9b\x2c\xdc\x0a\xbf\x36\x26\x41\x5b\x04\xfc\x83\x65\x10\xba\x62\x51\x38\x6c\xe7\xe8\xd2\xb4\xfe\x66\x3c\xfc\x3a\x5d\xe9\xcc\x31\x3e\x9e\x1f\xc1\x91\x27\xf0\x92\x07\xc9\x55\xf5\xa8\x48\x54\x81\xf4\x31\x92\x24\xfd\xf4\xc2\x78\x7d\x58\x3c\x3c\xaf\x7a\xcb\xec\x73\xab\x9b\x4d\x2f\x24\x52\x87\xdf\x9a\xe2\x9a\x16\x9c\x4d\x79\x5c\xd0\x3c\x90\x98\x33\x94\x46\xdc\x40\x23\x7b\x69\x89\x98\xb2\x42\x36\x28\x14\x8c\xec\xb0\x2f\x69\xd2\x64\x4c\xec\x88\xc9\x48\x94\xe0\x1e\x15\x87\xfc\x85\x37\x54\x50\xe3\x2c\xca\xdc\xdc\xae\xa6\x41\xd2\xdb\x62\x92\x22\x86\x60\xd0\x4c\x44\x67\x86\xc2\x58\xb6\xfb\xbc\x1d\x0b\x6a\x8a\x38\x18\x20\x0d\x48\x9c\x12\x67\x33\x92\x2c\x96\x61\x95\xa4\x00\x7a\x68\xd0\x47\x3
5\x78\xb4\x69\xb4\x43\x3e\xac\xbe\x09\x25\x20\x24\x4d\x84\xda\x89\x24\xb9\x0d\x7f\xa1\xad\x31\xdb\x50\x1f\x16\xa5\x9d\x3d\x9e\xb7\x22\x10\xd0\x58\xb3\xd1\xfa\x4d\x87\x6d\x5b\x40\xbc\xff\x5a\xdf\x08\x6e\xbd\xc2\x64\x7b\x1b\x6f\x88\x21\x1b\xbd\xf5\x47\xf1\x69\x8e\x11\xab\xb7\x3d\xd3\xa5\x88\xd9\xca\x26\xd9\xff\x5b\x2d\x28\xd1\xe1\x76\xbe\x8a\x7a\xdf\x2e\x3e\x3a\xe1\x37\x39\x31\x12\xf5\xaa\xa8\x81\x81\x48\x82\x93\x9d\xfe\x71\x72\x1f\xa9\x2b\x89\x62\xbb\x8d\x94\x0f\xe1\xe3\x94\x8d\xef\x40\x33\xa0\x9e\x9c\x04\xca\x7e\xa8\xb5\x49\x69\x5c\x5f\xf6\x6c\x07\x73\x95\x02\x6d\x82\x57\x6d\x37\x9b\xd9\xcd\xed\x06\xff\xcc\x3a\x6f\x8b\xd5\x48\xc0\xf6\x8d\x4d\x3d\x72\xae\x27\xd8\x28\xb2\x7a\x58\x2b\x14\x88\x6d\xad\x1f\xc3\xe6\x35\x31\xc2\x87\x0f\x31\x59\xf8\xd4\xbd\x44\x94\x80\xc4\x5d\xd2\x7a\x29\x34\xdf\x90\x79\x7c\x04\x94\xe0\xf8\xef\x82\x89\xae\x41\x06\x26\xd4\xfa\x96\x6d\x82\x44\x3a\xdc\x52\x43\xfd\xb2\xc4\xdd\xff\x85\x50\xaf\x53\x38\xef\x2d\x1c\x41\x3b\x4b\xd4\xb3\x08\x20\x9c\x20\xe9\xc3\xa0\x08\x0a\x23\xd1\x6a\x31\x08\xa1\x05\x07\x83\xd4\x4b\xa9\x2a\x95\x59\x05\x08\xd3\xa5\xcf\x44\xfc\x6a\x4a\xf2\x47\x7f\x86\x64\x28\xbc\x11\x3c\x1c\xc8\xf1\x23\xda\x46\xca\x0a\x03\xc5\xdb\xd1\xf6\xe5\x75\x45\x84\xd8\xa4\x10\x3b\xd2\x3f\xa5\xe1\xf6\xf3\xac\xb1\x54\xff\xed\x12\x8d\x0a\x64\x58\x29\xd3\x34\x1a\x25\xe8\x7a\xe7\x81\x86\x2a\xbc\x7a\x15\x90\x21\x12\x4c\xfb\x03\x57\x1a\x73\xce\xef\x60\x36\x81\xf5\xe5\xe1\xe1\x57\x4d\xb3\x01\x6f\xf5\xa1\x3d\x9b\xfe\x7e\x8a\xc8\x1a\x09\xa9\x05\x23\x7e\x39\x0a\x57\x72\xd3\x61\xed\xbe\x58\x08\xe9\xd8\x59\x4f\x77\x6b\x00\x05\xe0\xc3\xd0\xf7\x1d\x66\x6c\x9d\x4d\xc4\x93\xd0\x16\x3d\x88\x54\x72\x32\x75\xd8\x50\xac\x1b\xf7\x81\x83\xa7\x75\x18\xf0\x1b\xb3\xa2\x80\xf3\x9b\xbf\x60\x6d\xef\x4f\x89\xb1\x1e\x2b\xb8\xd9\x9f\x8a\x32\x98\x5e\xd9\xbc\xb4\x2f\x11\x0b\xd2\xbd\xda\x26\x37\x6d\x9d\xaa\x70\xe1\xe6\x57\x5f\x11\xba\x7e\xf2\x69\x90\x8e\x10\x19\x48\xf5\x70\xb7\x69\x0e\x0b\x5d\x35\xed\x98\xcb\xdd\x2f\x36\x37\xb9\xf8\xf7\x8b\x2f\xfb\xc2\x93\x18\x8f\xf2\x77\x7d\xb0\x5
0\xaa\x21\x9d\xde\x78\x8a\x77\x0c\xb6\x24\xd6\x61\x70\x01\x81\x7d\x6d\x5c\x7a\x5b\xd3\x9c\x51\xff\x12\x8e\xac\x71\x2b\x9d\xb9\xc6\x0a\x74\xbd\xb7\x82\x0a\x35\x72\xa5\x09\x1c\x30\x84\x33\x92\x86\x27\x9d\x9c\xeb\x24\x41\x48\x90\x6d\xab\x1d\xed\xb6\x23\x79\xb1\x45\x97\xb7\x34\x89\x07\xfb\xa5\x54\x24\xe8\x78\xc1\x94\x98\x5c\xdc\xb2\x11\xb7\x1b\xdf\x38\x06\x33\x9a\x53\x00\x6a\x90\x06\xc7\x46\xbc\x49\x10\x8c\x81\x00\x93\x8d\xc2\x4a\x08\xd5\x7b\x01\x3f\x41\x03\xd8\x7d\xf3\x10\x85\x84\x05\xd0\x6f\x05\x9b\x65\xcd\x54\xae\xa1\xd0\xf1\x5c\xb2\xa4\x1b\xc8\x67\xd2\x2c\xb9\xd6\x7c\x31\x0b\x05\xa4\xf9\x40\xbd\x2e\x7a\x58\x63\xc8\xe1\xc8\x0d\x3a\xd0\x7b\x21\x50\x4b\xf2\x13\xda\x5c\xb3\x8f\xb6\x52\xa4\x7c\xcd\x7a\x5c\xfa\xfa\x0c\x3f\xfe\x2a\xac\x76\x25\xa9\x55\x88\xec\xd7\x7a\x95\x93\xd0\xbf\x2e\x7d\xf7\x99\x9f\x02\x44\x33\x5a\x9f\xac\x01\x5c\x32\x27\x30\x09\xd1\xf8\x65\xdf\xb8\x73\xc6\x5f\x52\xe9\x08\x1b\x02\x2b\x99\xb0\x15\x86\xf5\xfb\x15\x84\xfd\x9b\x1f\xda\xf8\x6c\x78\x3f\x61\x77\x2a\xff\x11\x78\xe0\x8d\x5b\xd0\x67\xb6\xfd\x23\x3d\xb8\xc4\x32\xfa\xbb\xd0\x0a\x53\x0f\x1c\x40\xb5\xf0\x5f\x78\x83\x49\x50\x59\xd1\xb5\x8b\x95\x23\xd1\xf5\x25\x57\x36\xb2\x3f\xf5\x6c\xab\xb4\xcb\x71\x0e\x43\xa7\x0f\x71\xcf\xfd\x17\xe3\xfa\xe9\x04\x36\x34\x86\x9f\x16\x6a\x95\x8c\xa5\xde\xc6\x39\xb8\x5b\x21\x34\x09\x6e\x69\x7c\x24\xe3\xb0\xa8\xcf\xb1\x94\x22\xff\x01\xf4\xeb\xef\x24\xb7\x23\x3d\xe1\xa0\xf8\x9c\x80\xe2\x31\xb8\x45\x9f\x53\x1a\xc2\x3e\xb1\xa2\x37\x3b\x3c\x58\x07\xee\x65\x52\x70\x71\x52\xa3\x16\x95\x55\xa6\x63\xd1\xbf\xb4\x53\xc8\xc3\x80\xc5\xa5\x2c\x95\x8e\x30\x2d\x4d\x75\x28\xaa\xb5\xd0\xa6\x68\x92\x30\x80\x98\xb5\x66\xa1\x36\x7c\xbf\xd9\xa3\xa4\x6c\x5f\xb7\x72\x25\xb7\xb6\xf9\xf9\x2e\xd0\xbc\x85\xbc\xbc\xf1\xb4\xfd\x27\x60\xb9\xf5\x09\xd2\xd1\x1c\xd0\x55\x71\x44\xb1\xc8\x9f\x9f\x7f\x24\x95\xd0\xc9\xea\x6c\x76\x7f\x1f\x92\x57\x07\x01\xa3\x3c\xed\x47\x70\x36\xd0\x6b\xbe\xad\x08\xc0\xb4\xa8\xab\x4a\x57\xd8\xd9\xb7\x58\xce\x05\x89\x1e\xc7\x29\x01\x4e\xb7\x12\xc3\x3d\xcb\x52\xef\xe8\xde\xd2\x2
3\xb6\x17\x82\x24\x43\xbf\xa9\x55\x14\xd9\xa8\x2f\x6b\x9f\xed\x17\xb2\x24\x45\xf6\x92\xfc\x87\x03\x74\xc0\x82\x6a\x9f\xa4\x31\x53\x84\x93\x68\xaa\x1f\x93\x05\x2e\x48\xf8\x8e\x8f\xe9\xaa\x1b\xa8\x29\x15\x85\xe5\x9d\xa0\xf6\x8f\xd0\x4b\x8f\xa4\x50\xe9\x65\x4d\x92\x0c\x2b\x82\xc9\xc2\x9a\x79\x01\x5d\x0e\x30\x2b\xef\x5a\xbc\x9f\x42\x92\xfd\x4b\x58\x2d\x58\x83\x0d\xfc\x71\x72\x53\x19\xbf\x39\x69\x2b\x0f\x3d\x72\xa3\x20\x4d\x62\xe4\xcd\x21\x9f\xd2\x64\x7a\x9b\xc3\xda\x61\xb7\x02\x69\x9d\x01\x5f\x9f\x15\xbf\xfb\x27\xb6\x13\x3e\xc4\x31\xe4\xad\x67\xf5\xc1\xb4\x6f\xc6\x2e\x29\xd4\xae\x4b\x07\xfa\xb0\x7f\x01\x43\xe8\xe5\x4f\xea\x1e\x62\x90\x51\xd6\xd7\xc1\x9a\xf8\x93\x16\x61\xd8\x49\x57\xad\x2a\xe7\xb5\x21\xbd\x62\x46\x8a\xa0\xa8\x51\x65\x39\x04\xbb\x93\x25\x37\x6f\xd2\xd8\x31\x34\x03\x56\xd9\xbd\x27\x82\xbb\xc4\x6e\x1c\x03\x06\x95\x53\xd2\xb0\x5d\x17\xbb\x4d\x86\x44\xa0\xdf\xc0\x28\x6d\x4e\xbd\xfb\xf1\xfa\x85\xf0\x01\x5d\xa2\x66\x70\x90\x9c\xe8\x40\x27\x2d\x1d\x62\xc8\xd0\x27\x87\xd5\x65\x20\xd3\x09\xe4\xbc\xfc\xc8\x46\x47\x4d\x42\x82\x64\x17\x98\xda\xd1\x77\x9c\xce\x11\x39\x2a\xc5\x37\x91\x73\x35\xb4\xf9\x12\x4e\xd1\xe2\x54\x05\x29\x66\xab\x2c\x15\xdc\xd1\xbc\x1c\x3c\x52\x0f\xef\x4b\x3b\x17\xfe\x6f\x63\x60\xd0\x7b\x2c\x08\xac\x64\xc7\x5f\xcd\xf5\xf9\xea\xc2\x11\xdb\x24\x7a\x22\x7a\x65\x9e\x10\x67\x55\xe1\xba\x53\xab\xa6\x7c\x83\x16\x62\x19\x02\x26\x98\x4d\xc0\x36\x98\xdc\x56\x7a\xa9\x6b\x51\xd2\xe6\x9f\x53\x0a\xdd\xd9\xb4\xfd\xbf\x3a\x0b\x20\xaf\x2a\x18\x4c\xba\xf5\x3a\x35\x63\x4c\x8f\xe3\xd6\x3e\xc1\x5c\x50\x6b\xf0\x2c\x35\x30\x27\x59\xfe\x32\xad\x28\xc1\xd4\xb4\x9e\x94\x81\x6b\xb0\xf3\x28\x22\x81\x6b\x40\x55\x7c\x65\x0d\xa4\xae\x59\xca\x64\x5d\x5a\x4d\x61\x72\x90\x3c\x25\xe0\x0a\x22\x9e\xaa\x0c\x52\x6c\xff\xba\x53\xfc\xa4\x4a\xa1\x63\xc7\xf5\xfb\x49\x59\xa2\x16\xd6\xda\xd9\xe1\x9f\x28\x2b\x99\x45\xd2\x47\x6b\xbc\x01\x33\x78\x51\x31\x11\x8a\xd4\x6c\x3f\x93\x31\xc4\x15\xe7\x0d\x35\xe0\x6f\xa7\x1c\x2a\xa8\x78\x13\x2e\xd7\x70\xa0\x4f\x07\x21\xa5\x66\x55\x02\xdd\xed\x28\x3f\x7
0\xae\x9a\xb7\x2e\x48\xcf\x03\xc0\x1d\x80\xf6\x8e\xce\x54\xde\x88\xaa\xcb\x2c\x41\xc5\xd7\x46\x2f\x9b\x73\xf6\xc2\x74\x17\x09\xc8\x3e\x20\x08\x4d\xd8\xf9\xd8\x55\xc4\x1a\x0b\xfb\xe1\x07\xe6\xe4\x7a\x65\xc2\xb1\xee\x50\x07\xe9\xd5\xf2\x51\x18\xa2\x95\xfc\x63\x13\x24\x3d\xf5\x4c\xdd\x92\xab\x4d\xce\xdb\x21\x0d\xd8\x3b\xe1\xb0\x58\xae\x1e\x37\xa7\xac\x51\xb9\xc8\x9b\xf9\xec\xa4\x23\xc9\x1d\xb0\xd4\xa4\x21\x34\xa9\x3c\x89\x79\xa0\x3a\x2d\xe5\x3e\x45\xe6\x41\xa2\xd4\x0f\x41\x0b\xc1\x1a\x96\x82\x04\xf7\x2c\x96\xe5\x06\x64\xdc\x29\xbe\x41\xa4\xaa\xc4\xe0\x7e\x9c\xdf\x23\x9f\x59\xc9\x68\x7b\xd7\xdc\x65\xce\xab\x07\x6b\x13\x19\x41\xbb\x15\xc4\xf9\xf4\xc1\x7d\x73\x50\x78\x05\x88\xfa\xcf\xfd\xbc\x1e\xaa\xeb\x44\x06\xb9\x56\xda\x73\x3e\xd0\x9e\xb4\x86\x04\xa0\xed\x4a\xad\xcb\xbd\x94\xa8\xee\x07\x93\x10\xfe\x26\x12\xa6\x69\xe5\x62\x39\x17\xee\xc2\xb1\x2a\xd9\xc8\x6a\xf9\x75\x7a\x51\x75\x9d\xbb\x00\xdf\x2e\x03\xe3\xd3\xa7\x0b\xd2\xc0\x2f\x9f\x08\x44\x4f\x4e\x06\x50\xed\xfb\x27\x86\xca\x57\xd3\x63\x09\x43\x55\x68\x32\xa3\x28\x92\x30\x1b\x58\x85\x9e\xf2\x40\x07\xf7\xa7\xd9\xb4\xaf\xc2\x37\x03\xc4\xfb\x90\x77\xa0\x7d\x2e\xa8\xd3\xa2\xb4\xf0\x15\xde\x7f\x31\xfc\x30\x65\x45\x81\x6b\x6b\x67\x0a\x45\xcf\xf4\xa9\x1b\x60\xa1\xfb\x47\x8b\x08\x9c\x67\xf4\x59\xca\xaf\x5f\xce\x92\x65\xfe\xa0\xc7\xec\x06\x52\xcd\x11\x30\x56\x23\xb0\x4c\x0a\x9d\x1a\xec\x65\x71\xc6\xa4\x66\xdc\x7a\x7b\xec\x75\xfc\xf9\x84\xd6\xa9\x63\x69\x86\xbe\xce\xf1\x41\x8b\x69\x4e\x82\x0e\xe2\x46\x2f\x26\x87\xe0\xb6\x8b\xa5\x1c\xbd\x03\xba\x76\xb4\x3f\xd7\xcb\xa0\x1a\xf2\x3f\xf9\x8f\x74\xb7\x64\x46\x35\x27\xc6\xc3\x97\xe1\xc8\xe8\xb2\x22\x58\x74\xcc\x74\xf9\x58\xa3\x1a\x28\x41\x4f\x17\x0c\x2b\x4c\xbd\x90\xc8\x49\xcc\xd5\x4f\x91\xbc\xe2\x90\x8e\x3b\xbc\x21\xb3\xd5\x60\x4a\xa3\x37\xc7\xfb\x1f\x81\x0c\x10\x32\x16\xbf\x44\x43\x39\x04\x3d\x52\x33\x30\xee\xe7\x3b\xf0\x86\x6d\xa3\xf3\xf7\x28\x87\x7f\xbb\x54\xe2\xf9\x28\x42\x3a\x16\x72\xcc\x9b\xa3\x1b\xc6\x86\xa6\xd1\x98\xef\xeb\x36\x18\xd5\xe9\xa1\xb0\x81\x9c\xf6\xb9\x33\x8c\x56\xc
4\xb7\x88\x46\x9f\x53\x2c\xdf\x92\x30\x66\xd1\xba\x46\xa5\x69\x60\x34\x2b\x79\xb0\x9e\xc8\x67\x9e\xa3\xca\xa4\x33\x65\xb8\x11\x25\x7a\x24\x49\xff\x92\x74\xf6\x61\x2c\xb0\x53\x0d\xd8\x67\x8c\xf1\x8b\xc1\xf9\x1f\x44\x7f\xad\x7b\x95\x8f\x3d\x0a\x19\x77\xce\x78\xd1\x02\x82\x9f\xe4\xb8\x3b\x56\x59\xc8\x15\x5a\xf4\xd2\xc0\x5d\x73\x15\xd1\x48\x63\x00\xe6\xda\x08\x46\xa5\x94\xd5\x10\x67\x3b\x0e\x74\x72\x78\x85\x59\x00\x9d\x74\x49\x0e\xc9\x87\x1d\x9f\x0f\x73\x69\x9d\x97\xfb\xe3\x03\xcb\x4d\x63\x5f\x54\x2e\x95\xc7\x84\xa5\x38\x71\x27\xdc\x45\x44\x83\xf9\x50\xf7\x65\xa8\xe9\x04\x63\x9e\xf4\x13\xc7\xd5\x81\xaf\x20\xdf\xb2\x85\x95\x58\x01\xab\x7e\xc4\xbe\x4d\x1b\x28\x79\xde\x66\x2d\xde\x2c\xfc\xd6\x60\x4e\xc0\xaa\x07\xa5\xa6\x71\xf5\x4a\x4f\x28\x53\xee\xdc\xa5\x6b\xaf\x00\xf0\x79\x27\x09\x59\x58\xdb\x7d\x32\x5e\x86\x3f\x64\xa9\x05\x6b\xd8\xe1\x03\x85\x99\x21\x46\x3d\x17\x54\x04\x2b\x85\xdc\xd9\x4d\x93\x3e\xf2\x08\x7d\xbe\xf5\x7d\x9a\x3a\xd9\xfe\x8c\x64\xa8\x79\x95\x87\xa3\xec\x23\xb9\xb2\x52\xf0\x3b\xfc\xe4\x2f\x01\x7e\xad\xfd\xbe\x97\x3e\x84\xe9\x02\xe3\x6b\x96\x61\xef\xae\xf4\x09\xc9\x15\x30\x8d\xce\x9a\x22\x2a\x9c\xb1\xdb\x52\x15\xc0\x00\xfc\x44\xd3\x72\xfb\x18\x64\x25\xcd\x07\x8b\xee\x77\x70\xf1\xfa\x60\xff\x2d\x0e\x34\x47\x25\xa5\x1a\x5f\x47\x8f\xe9\x6b\xfb\x9a\x18\xb6\xcb\x54\x2b\xf3\x94\xbe\xd0\x22\x18\x51\x8f\x1d\x38\x1d\x5a\xa2\x1f\xdc\xd4\x43\xce\x84\xc1\x80\xa6\xa8\xcf\x65\x47\xef\xfa\x46\x27\xca\xe9\x35\x51\xa7\x56\x4f\x0d\xac\x6e\x37\xc5\xf0\x68\xed\xda\x00\xb4\x7a\x6f\x2d\x33\xb5\x4c\x36\x81\x12\x8e\x83\xad\x17\xb0\xf0\x98\x45\x6b\x9e\x97\xf3\xe0\x2c\xe3\x91\x51\x5f\xfb\x0c\x05\x11\xa3\xd8\x31\x21\x15\x38\x2c\x15\xb0\x98\x61\xef\x75\x0c\x00\x06\xe9\x6c\x91\x84\xe1\x7d\xb2\x45\xb0\x25\x5c\x44\x07\xfe\x4b\xd6\xee\xa4\x3f\xd8\xc5\xe8\x03\x48\xcb\x91\x6e\x9d\x04\xb4\x9c\x24\x83\x91\x1b\x6d\xee\xce\x26\xd2\xb6\x57\x62\x64\x3a\xa0\x41\x7b\xe2\x76\x8b\x67\x3a\x22\xad\x58\xe6\x67\xf5\xef\x4e\x22\x28\xdb\x9b\x79\x39\xd8\xf9\x12\xde\x32\x47\x43\x25\x15\x50\x90\xb1\xd9\x74\x1
a\xce\x41\x55\xd6\x45\x83\xec\xfb\x57\x00\x30\x1d\x73\xed\x2a\xbd\x15\x64\x08\xca\x5e\x1b\x88\xba\x75\xf8\x4a\x4b\x83\x4d\x4f\x53\x20\x15\x77\x3e\x9f\x8d\x4a\x36\x50\xf8\x98\x41\x91\x11\x4f\x0f\xdb\xaa\x54\x40\x5b\xf5\x1f\x8b\x1a\xfe\x53\x2f\x74\xc1\x5a\x37\x08\xeb\x93\x70\xfa\x83\x16\xfe\xef\xac\x4e\x43\xf8\x55\x50\x6f\x5d\x98\x72\xb6\x03\x63\x56\x70\x11\xcc\x33\x08\xa2\x02\x6d\x00", 4096); *(uint64_t*)0x20007d38 = 0x1000; *(uint64_t*)0x20007d40 = 0x4065ebb7; *(uint64_t*)0x20007d48 = 0x20007980; memcpy((void*)0x20007980, "\x11\x2a\x65\x7c\x27\x70\xad\x17\xf2\xe7\x77\x62\x16\x0b\xb1\x4f\x2f\x71\xa1\x7b\x88\xfd\xb9\x46\xf9\x19\xb2\xdf\xd3\xef\xd6\x16\xe3\x11\x24\xff\x47\xee\x66\x8f\x60\x65\xa0\x43\x5a\x79\x1a\x74\x39\xd8\xaa\x10\xdc\xc4\x18\x19\x2d\x82\x1e\x36\xfc\x08\x20\xd7\xcc\x0f\x88\xb0\x88\x91\x6d\x78\x6f\x01\x42\x6f\xa4\x6b\x21\x4d\xe8\x22\xd2\x4e\x4d\x6c\x78\x5f\xea\xc4\x58\xd9\x86\x35\xc4\x80\x16\x72\xbd\x4e\x74\xfd\x40\x75\x39\x32\x12\x11\x52\xae\x0e\xad\x77\x1e\x3a\xbc\x7f\x74\x1e\x39\x3b\x32\x85\x26\xe5\xec\x29\xe8\xe0\xd9\xb3\xa2\xbe\xbc\xd0\xeb\x34\x72\xa4\xbd\x8e\x50\xf9\x53\xed\x17\x3b\xa2\x71\xfb\xe9\xf9\xd9\xc4\x63\xc7\x9f\x44\xd0\x93\x15\x4f\xfe\xf5\x9c\x93\xad\xa7\x83\xb4\x72\x7f\xc3\x5b\xa6\xc0\xdb\x25\x18\x93\x9c\xb3\x5f\xb3\x30\x1d\x4c\xf7\x2d\x25\x24\xf8\x3a\xc4\xab\x57\xa8\xac\xfc\x93\xa9\x9c\x26\xcc\xae\xe0\x56\x63\x71\x22\x94\x96\xe9\x30\x21\xe8\x6b\x95\x60\x21\xa4\x67\xf3\x4b\xe6\x6e", 226); *(uint64_t*)0x20007d50 = 0xe2; *(uint64_t*)0x20007d58 = 0x6d69; *(uint64_t*)0x20007d60 = 0x20007a80; memcpy((void*)0x20007a80, 
"\x62\x98\x25\xe3\xcb\x9c\x42\x73\x28\x10\xeb\x62\xf1\xff\x47\x85\x71\x8f\x7a\x30\xc6\x39\x40\xf2\xea\xdf\x19\xda\xe8\x20\xfe\xb9\xb7\xb3\x58\xf7\x41\xb8\x34\x16\x4a\x9a\x4a\xc8\xce\x39\x8c\x23\x16\x07\xf5\x23\xa2\x6d\xb9\xe0\xae\xca\xc1\xd1\xe8\x90\x22\xd1\xcd\x50\xd6\x44\xf2\x46\x6b\x25\xec\x09\xc6\xd6\xef\x4f\x0b\x3e\xf5\x92\xd1\x40\x8d\x04\x9d\xa4\x9b\x95\x3b\x32\x7e\x12\x3c\x6f\x19\x63\xc2\xf7\xa9\xe3\xcc\x7e\x0c\x52\xed\x1e\x17\xd0\xa8\xb7\x94\x66\x68\x75\xb2\x0b\x07\xa0\xf5\xc2\xc7\x6d\x96\x32\x90\x9f\x76\x9e\xb2\x5b\x16\x27\x37\xbe\xa1\x31\xf5\xc2\x70\xb3\x24\x9f\xd6\x5c\x25\x5e\x68\xb6\x80\x27\x1d\x0c\x11\x19\x67\x15\x17\x77\x44\xe7", 162); *(uint64_t*)0x20007d68 = 0xa2; *(uint64_t*)0x20007d70 = 9; *(uint64_t*)0x20007d78 = 0x20007b40; memcpy((void*)0x20007b40, "\xd1\x09\x17\x49\x23\x3d\x1e\x7e\xc5\x06\x53\xf3\x01\xa7\x34\xf5\xdd\x67\xac\x1e\x74\x89\x23\xe4\x4c\xce\xde\xeb\x3e\xa2\x34\x74\x58\x96\xab\xcb\x80\x03\xed\x61\x60\x5b\x5d\xff\xa8\xa9\xaf\x0a\xa1\x2e\xd9\x02\xd4\xa3\x5a\x92\x60\xc5\x3a\xb6\xa6\x21\xe2\x10\xe6\x1e\x40\x02\x83\x8d\xc2\x9e\x2f\x79\x8b\x4c\xbe\x0e\xd0\xc1\x2a\x33\xc6\x9d\xdd\xa4\x46\xb9\xb8\x84\xfc\xbf\xe2\x81\x99\x18\x4b\xd4\xae\xb0\x97\xd0\xd9\xa3\x93\xb6\x99\xd1\xf5\x5a\x57\xd8\x30\xda\x49\x7d\x79\xb9\xbd\x7d\xbc\xdb\xfe\x7e\x16\x8d\x60\x07\x61\x1d\xb9\x67\x33\x57\x4f\xb1\x50\xf4\xe9\x09\x91\xc7\x0f\xc1\x9e\xdb\xa6\xbe\xed\xc5\xa7\x21\x69\x36\x6a\xe5\xfc\xa5\xc1\xcb\x41\x3b\xbc\x54\xff\x8f\x12\x7d\x1b\x94\xcf\x99\x42\xb5\xc9\xbe\x5f\xbf\xc9\x39\x46\xbf\x1d\x0b\x28\x9a\x74\x42\xfb\x05\x7a\xdb\x0a\xe7\xfa\x41\x89\xd5\xe5\xfe\xfc\x75\xed\x5d\x26\x0b\x3c\x2c\x24\x45\xd4\x95\x79\xe6\xb3\x69\xe3\x96\xda\x16\x2d\x94\x05\x59", 224); *(uint64_t*)0x20007d80 = 0xe0; *(uint64_t*)0x20007d88 = 6; *(uint64_t*)0x20007d90 = 0x20007c40; memcpy((void*)0x20007c40, 
"\x76\x8d\x82\xc4\x7f\x16\x6e\x25\x25\x30\x91\x5b\x63\xb4\x0d\x9e\xba\x4b\x95\xfe\x08\x78\x93\x45\x3f\x37\x3a\x94\x38\x9e\x11\x20\x98\x1c\xb4\x45\x76\xa2\x05\x1c\x41\x58\x40\x0a\x59\xb9\xc8\xa9\x40\xcc\xae\x28\x26\x41\x4e\x14\xad\x55\xc7\x2b\x04\xf8\xfa\xbf\xe8\x64\x62\x40\x9b\x3a\xb2\xa0\x75\xea\x92\xc8\xbd\xdc\xd2\xb2\xfc\x0f\xd7\x7a\x97\xbc\x27\x1e\xcd\x43\xdd\x60\x5f\x29\xb9\x90\x83\x7b\x40\x9e\xed\x59\x65\xdd\xb3\xfb\x1b\x91\xe5\xbf\x12\xdd\xbc\xf2\x1c\x90\xc7\xef\x2f\x0a\xb9\xbb\x03\xf7\x2a\x64\x7c\xe8", 128); *(uint64_t*)0x20007d98 = 0x80; *(uint64_t*)0x20007da0 = 0xfffffffffffffff7; *(uint64_t*)0x20007da8 = 0x20007cc0; memcpy((void*)0x20007cc0, "\x46\xc0\xce\x89\x20\x30\x5b\x2c\x7f\x63\x6e\xdb\xb1\x65\x92\x0d\xb7\x8c\x61\xf8", 20); *(uint64_t*)0x20007db0 = 0x14; *(uint64_t*)0x20007db8 = 0xfffffffffffffffa; syz_read_part_table(9, 8, 0x20007d00); break; case 36: *(uint8_t*)0x20007dc0 = 0x12; *(uint8_t*)0x20007dc1 = 1; *(uint16_t*)0x20007dc2 = 0x300; *(uint8_t*)0x20007dc4 = 0x94; *(uint8_t*)0x20007dc5 = 0xe8; *(uint8_t*)0x20007dc6 = 0x2e; *(uint8_t*)0x20007dc7 = 0x40; *(uint16_t*)0x20007dc8 = 0x789; *(uint16_t*)0x20007dca = 0x160; *(uint16_t*)0x20007dcc = 0xf578; *(uint8_t*)0x20007dce = 1; *(uint8_t*)0x20007dcf = 2; *(uint8_t*)0x20007dd0 = 3; *(uint8_t*)0x20007dd1 = 1; *(uint8_t*)0x20007dd2 = 9; *(uint8_t*)0x20007dd3 = 2; *(uint16_t*)0x20007dd4 = 0x764; *(uint8_t*)0x20007dd6 = 2; *(uint8_t*)0x20007dd7 = 4; *(uint8_t*)0x20007dd8 = 0x8f; *(uint8_t*)0x20007dd9 = 0; *(uint8_t*)0x20007dda = 0x7f; *(uint8_t*)0x20007ddb = 9; *(uint8_t*)0x20007ddc = 4; *(uint8_t*)0x20007ddd = 0x40; *(uint8_t*)0x20007dde = 0x3f; *(uint8_t*)0x20007ddf = 0xe; *(uint8_t*)0x20007de0 = 0xbb; *(uint8_t*)0x20007de1 = 0x18; *(uint8_t*)0x20007de2 = 0xf3; *(uint8_t*)0x20007de3 = 0x20; *(uint8_t*)0x20007de4 = 0xa; *(uint8_t*)0x20007de5 = 0x24; *(uint8_t*)0x20007de6 = 6; *(uint8_t*)0x20007de7 = 0; *(uint8_t*)0x20007de8 = 0; memcpy((void*)0x20007de9, "\xc1\xb0\xc9\x81\xcc", 5); 
*(uint8_t*)0x20007dee = 5; *(uint8_t*)0x20007def = 0x24; *(uint8_t*)0x20007df0 = 0; *(uint16_t*)0x20007df1 = 7; *(uint8_t*)0x20007df3 = 0xd; *(uint8_t*)0x20007df4 = 0x24; *(uint8_t*)0x20007df5 = 0xf; *(uint8_t*)0x20007df6 = 1; *(uint32_t*)0x20007df7 = 9; *(uint16_t*)0x20007dfb = 0xfff; *(uint16_t*)0x20007dfd = 5; *(uint8_t*)0x20007dff = 0; *(uint8_t*)0x20007e00 = 0x15; *(uint8_t*)0x20007e01 = 0x24; *(uint8_t*)0x20007e02 = 0x12; *(uint16_t*)0x20007e03 = 0xaa4; *(uint64_t*)0x20007e05 = 0x14f5e048ba817a3; *(uint64_t*)0x20007e0d = 0x2a397ecbffc007a6; *(uint8_t*)0x20007e15 = 4; *(uint8_t*)0x20007e16 = 0x24; *(uint8_t*)0x20007e17 = 2; *(uint8_t*)0x20007e18 = 9; *(uint8_t*)0x20007e19 = 9; *(uint8_t*)0x20007e1a = 0x21; *(uint16_t*)0x20007e1b = 0x7ff; *(uint8_t*)0x20007e1d = 8; *(uint8_t*)0x20007e1e = 1; *(uint8_t*)0x20007e1f = 0x22; *(uint16_t*)0x20007e20 = 0xd44; *(uint8_t*)0x20007e22 = 9; *(uint8_t*)0x20007e23 = 5; *(uint8_t*)0x20007e24 = 3; *(uint8_t*)0x20007e25 = 3; *(uint16_t*)0x20007e26 = 0x40; *(uint8_t*)0x20007e28 = 6; *(uint8_t*)0x20007e29 = 6; *(uint8_t*)0x20007e2a = 0x80; *(uint8_t*)0x20007e2b = 9; *(uint8_t*)0x20007e2c = 5; *(uint8_t*)0x20007e2d = 5; *(uint8_t*)0x20007e2e = 8; *(uint16_t*)0x20007e2f = 0x20; *(uint8_t*)0x20007e31 = 0x34; *(uint8_t*)0x20007e32 = 7; *(uint8_t*)0x20007e33 = 0xd1; *(uint8_t*)0x20007e34 = 7; *(uint8_t*)0x20007e35 = 0x25; *(uint8_t*)0x20007e36 = 1; *(uint8_t*)0x20007e37 = 0x81; *(uint8_t*)0x20007e38 = 1; *(uint16_t*)0x20007e39 = 0x20; *(uint8_t*)0x20007e3b = 0x65; *(uint8_t*)0x20007e3c = 0x30; memcpy((void*)0x20007e3d, "\xda\xc1\x6e\x84\x5b\x14\x9d\xaf\xe6\x66\x63\xcc\x3a\xcf\x39\x3f\xa7\xb0\xae\x46\xcb\xb8\xcf\x20\x7b\xdb\x0d\x3d\x6c\xf6\x81\x66\x1f\xa0\x0e\xd5\x8d\x70\x3c\x22\x64\x70\xa8\x4e\xaa\x26\x4b\xe5\x1e\x68\x10\x87\x52\x48\xed\xe7\x94\xe2\x20\x7e\x60\xb0\x45\x85\x60\x3c\xd0\x55\xc6\x34\x8f\x0e\xb4\xf3\x3f\x2a\x83\x3f\x4a\xee\x88\x84\xd7\x77\x3b\xe2\xf4\x51\x77\xad\x4c\x03\x72\x8f\xf4\xdd\x8e\x40\xfd", 99); 
*(uint8_t*)0x20007ea0 = 9; *(uint8_t*)0x20007ea1 = 5; *(uint8_t*)0x20007ea2 = 2; *(uint8_t*)0x20007ea3 = 4; *(uint16_t*)0x20007ea4 = 0x3ff; *(uint8_t*)0x20007ea6 = 0x1f; *(uint8_t*)0x20007ea7 = 2; *(uint8_t*)0x20007ea8 = -1; *(uint8_t*)0x20007ea9 = 7; *(uint8_t*)0x20007eaa = 0x25; *(uint8_t*)0x20007eab = 1; *(uint8_t*)0x20007eac = 0x82; *(uint8_t*)0x20007ead = 9; *(uint16_t*)0x20007eae = 2; *(uint8_t*)0x20007eb0 = 9; *(uint8_t*)0x20007eb1 = 5; *(uint8_t*)0x20007eb2 = 6; *(uint8_t*)0x20007eb3 = 0; *(uint16_t*)0x20007eb4 = 0x40; *(uint8_t*)0x20007eb6 = 0; *(uint8_t*)0x20007eb7 = 0x40; *(uint8_t*)0x20007eb8 = 0xfd; *(uint8_t*)0x20007eb9 = 7; *(uint8_t*)0x20007eba = 0x25; *(uint8_t*)0x20007ebb = 1; *(uint8_t*)0x20007ebc = 0x83; *(uint8_t*)0x20007ebd = 0x1f; *(uint16_t*)0x20007ebe = 0x1000; *(uint8_t*)0x20007ec0 = 9; *(uint8_t*)0x20007ec1 = 5; *(uint8_t*)0x20007ec2 = 0xd; *(uint8_t*)0x20007ec3 = 1; *(uint16_t*)0x20007ec4 = 0x3ff; *(uint8_t*)0x20007ec6 = 3; *(uint8_t*)0x20007ec7 = 1; *(uint8_t*)0x20007ec8 = 0x80; *(uint8_t*)0x20007ec9 = 7; *(uint8_t*)0x20007eca = 0x25; *(uint8_t*)0x20007ecb = 1; *(uint8_t*)0x20007ecc = 1; *(uint8_t*)0x20007ecd = 4; *(uint16_t*)0x20007ece = 3; *(uint8_t*)0x20007ed0 = 9; *(uint8_t*)0x20007ed1 = 5; *(uint8_t*)0x20007ed2 = 5; *(uint8_t*)0x20007ed3 = 4; *(uint16_t*)0x20007ed4 = 8; *(uint8_t*)0x20007ed6 = 8; *(uint8_t*)0x20007ed7 = -1; *(uint8_t*)0x20007ed8 = 0x80; *(uint8_t*)0x20007ed9 = 9; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 0xf; *(uint8_t*)0x20007edc = 1; *(uint16_t*)0x20007edd = 8; *(uint8_t*)0x20007edf = 0xae; *(uint8_t*)0x20007ee0 = 9; *(uint8_t*)0x20007ee1 = 0xf6; *(uint8_t*)0x20007ee2 = 7; *(uint8_t*)0x20007ee3 = 0x25; *(uint8_t*)0x20007ee4 = 1; *(uint8_t*)0x20007ee5 = 0; *(uint8_t*)0x20007ee6 = 0x95; *(uint16_t*)0x20007ee7 = 6; *(uint8_t*)0x20007ee9 = 0x7a; *(uint8_t*)0x20007eea = 6; memcpy((void*)0x20007eeb, 
"\x3f\x8f\x5c\x31\x8c\x80\xe5\xa9\x36\x08\x9f\xa5\xbe\x9d\xc3\x64\xd3\xa8\xff\x22\x23\x8b\x92\x00\x64\x2b\xb7\x96\x9b\x9c\x09\x89\x51\x0d\xf3\xf2\x67\x38\x46\xf3\xfe\x68\xee\xc4\x87\x47\x6d\x9d\x8e\xa3\x7c\x9e\x7e\xc2\x93\x9c\x3a\x85\x84\x2c\xad\x50\x0b\xf7\x7a\xed\x1d\x92\x90\xeb\x85\x0a\xf4\x62\x1c\xaf\xed\x03\xc0\x8a\x55\xc4\x22\xc7\x12\x2f\x6e\xc0\x70\x3a\x47\xdf\xcb\x27\x9c\x0b\x03\x55\x8b\x39\xc7\x23\x1b\x38\xe5\x59\xd0\x54\x6a\x29\xca\x32\x28\x0a\x8c\xe4\x70\x80\xaa\x8d", 120); *(uint8_t*)0x20007f63 = 9; *(uint8_t*)0x20007f64 = 5; *(uint8_t*)0x20007f65 = 7; *(uint8_t*)0x20007f66 = 4; *(uint16_t*)0x20007f67 = 0x8938; *(uint8_t*)0x20007f69 = 1; *(uint8_t*)0x20007f6a = 0x8c; *(uint8_t*)0x20007f6b = 4; *(uint8_t*)0x20007f6c = 9; *(uint8_t*)0x20007f6d = 5; *(uint8_t*)0x20007f6e = 7; *(uint8_t*)0x20007f6f = 0x10; *(uint16_t*)0x20007f70 = 0x20; *(uint8_t*)0x20007f72 = 6; *(uint8_t*)0x20007f73 = 1; *(uint8_t*)0x20007f74 = 0x81; *(uint8_t*)0x20007f75 = 9; *(uint8_t*)0x20007f76 = 5; *(uint8_t*)0x20007f77 = 0xe; *(uint8_t*)0x20007f78 = 0x10; *(uint16_t*)0x20007f79 = 0x200; *(uint8_t*)0x20007f7b = 0x80; *(uint8_t*)0x20007f7c = 3; *(uint8_t*)0x20007f7d = 0x23; *(uint8_t*)0x20007f7e = 7; *(uint8_t*)0x20007f7f = 0x25; *(uint8_t*)0x20007f80 = 1; *(uint8_t*)0x20007f81 = 0x81; *(uint8_t*)0x20007f82 = 1; *(uint16_t*)0x20007f83 = 5; *(uint8_t*)0x20007f85 = 7; *(uint8_t*)0x20007f86 = 0x25; *(uint8_t*)0x20007f87 = 1; *(uint8_t*)0x20007f88 = 0x81; *(uint8_t*)0x20007f89 = 7; *(uint16_t*)0x20007f8a = 0xb5a; *(uint8_t*)0x20007f8c = 9; *(uint8_t*)0x20007f8d = 5; *(uint8_t*)0x20007f8e = 8; *(uint8_t*)0x20007f8f = 2; *(uint16_t*)0x20007f90 = 8; *(uint8_t*)0x20007f92 = 0x1f; *(uint8_t*)0x20007f93 = 8; *(uint8_t*)0x20007f94 = 0x1f; *(uint8_t*)0x20007f95 = 7; *(uint8_t*)0x20007f96 = 0x25; *(uint8_t*)0x20007f97 = 1; *(uint8_t*)0x20007f98 = 3; *(uint8_t*)0x20007f99 = 3; *(uint16_t*)0x20007f9a = 0x200; *(uint8_t*)0x20007f9c = 7; *(uint8_t*)0x20007f9d = 0x25; *(uint8_t*)0x20007f9e = 1; 
*(uint8_t*)0x20007f9f = 3; *(uint8_t*)0x20007fa0 = 0x7f; *(uint16_t*)0x20007fa1 = 3; *(uint8_t*)0x20007fa3 = 9; *(uint8_t*)0x20007fa4 = 5; *(uint8_t*)0x20007fa5 = 0xd; *(uint8_t*)0x20007fa6 = 0xc; *(uint16_t*)0x20007fa7 = 0x3ff; *(uint8_t*)0x20007fa9 = 0x12; *(uint8_t*)0x20007faa = 9; *(uint8_t*)0x20007fab = 4; *(uint8_t*)0x20007fac = 0xe; *(uint8_t*)0x20007fad = 5; memcpy((void*)0x20007fae, "\xa9\xb9\x7b\xc2\x4d\xe6\x2c\x3b\xcf\x2b\xfa\x13", 12); *(uint8_t*)0x20007fba = 0x44; *(uint8_t*)0x20007fbb = 0x30; memcpy((void*)0x20007fbc, "\x9f\x0d\x5e\xa2\x42\x68\xb8\xa3\x21\x17\x65\x24\x6b\x1a\x83\x4a\xf6\x41\xe8\xcd\x6e\xa3\xef\x9b\x1f\xe1\x0f\x16\xbe\xd6\xb0\x6c\xc3\xa1\x65\x92\x0c\x9d\x73\x90\x9a\xb9\xac\x8b\x2a\x7a\x8a\x5d\xae\x5d\x4a\xcf\x31\x6d\x0b\x35\xd4\xb6\x44\xd3\x68\xa0\x6e\x0e\xff\x85", 66); *(uint8_t*)0x20007ffe = 9; *(uint8_t*)0x20007fff = 5; *(uint8_t*)0x20008000 = 0x80; *(uint8_t*)0x20008001 = 8; *(uint16_t*)0x20008002 = 8; *(uint8_t*)0x20008004 = 3; *(uint8_t*)0x20008005 = -1; *(uint8_t*)0x20008006 = 6; *(uint8_t*)0x20008007 = 9; *(uint8_t*)0x20008008 = 5; *(uint8_t*)0x20008009 = 0; *(uint8_t*)0x2000800a = 0; *(uint16_t*)0x2000800b = 0x20; *(uint8_t*)0x2000800d = 6; *(uint8_t*)0x2000800e = 0x2e; *(uint8_t*)0x2000800f = 0; *(uint8_t*)0x20008010 = 9; *(uint8_t*)0x20008011 = 4; *(uint8_t*)0x20008012 = 7; *(uint8_t*)0x20008013 = 0; *(uint8_t*)0x20008014 = 0xd; *(uint8_t*)0x20008015 = 0x29; *(uint8_t*)0x20008016 = 0xcb; *(uint8_t*)0x20008017 = 0x7c; *(uint8_t*)0x20008018 = 9; *(uint8_t*)0x20008019 = 9; *(uint8_t*)0x2000801a = 0x21; *(uint16_t*)0x2000801b = 7; *(uint8_t*)0x2000801d = 1; *(uint8_t*)0x2000801e = 1; *(uint8_t*)0x2000801f = 0x22; *(uint16_t*)0x20008020 = 0xbd9; *(uint8_t*)0x20008022 = 0xd; *(uint8_t*)0x20008023 = 0x24; *(uint8_t*)0x20008024 = 2; *(uint8_t*)0x20008025 = 1; *(uint8_t*)0x20008026 = 0x43; *(uint8_t*)0x20008027 = 1; *(uint8_t*)0x20008028 = 0; *(uint8_t*)0x20008029 = 9; memcpy((void*)0x2000802a, "d\"", 2); memcpy((void*)0x2000802c, 
"\x37\x09\xdb", 3); *(uint8_t*)0x2000802f = 0x11; *(uint8_t*)0x20008030 = 0x24; *(uint8_t*)0x20008031 = 2; *(uint8_t*)0x20008032 = 1; *(uint8_t*)0x20008033 = 0xf8; *(uint8_t*)0x20008034 = 2; *(uint8_t*)0x20008035 = 7; *(uint8_t*)0x20008036 = 0x40; memcpy((void*)0x20008037, "\x5e\x58\xdf\xf9\xa0\xd0\x1e\x41\x09", 9); *(uint8_t*)0x20008040 = 0xb; *(uint8_t*)0x20008041 = 0x24; *(uint8_t*)0x20008042 = 2; *(uint8_t*)0x20008043 = 2; *(uint16_t*)0x20008044 = 0xffec; *(uint16_t*)0x20008046 = 6; *(uint8_t*)0x20008048 = 0x15; memcpy((void*)0x20008049, "?w", 2); *(uint8_t*)0x2000804b = 7; *(uint8_t*)0x2000804c = 0x24; *(uint8_t*)0x2000804d = 1; *(uint8_t*)0x2000804e = 0xe1; *(uint8_t*)0x2000804f = 3; *(uint16_t*)0x20008050 = 2; *(uint8_t*)0x20008052 = 9; *(uint8_t*)0x20008053 = 5; *(uint8_t*)0x20008054 = 0xc; *(uint8_t*)0x20008055 = 8; *(uint16_t*)0x20008056 = 8; *(uint8_t*)0x20008058 = 4; *(uint8_t*)0x20008059 = 8; *(uint8_t*)0x2000805a = 8; *(uint8_t*)0x2000805b = 9; *(uint8_t*)0x2000805c = 5; *(uint8_t*)0x2000805d = 6; *(uint8_t*)0x2000805e = 8; *(uint16_t*)0x2000805f = 8; *(uint8_t*)0x20008061 = 0; *(uint8_t*)0x20008062 = 2; *(uint8_t*)0x20008063 = 2; *(uint8_t*)0x20008064 = 7; *(uint8_t*)0x20008065 = 0x25; *(uint8_t*)0x20008066 = 1; *(uint8_t*)0x20008067 = 0x81; *(uint8_t*)0x20008068 = 6; *(uint16_t*)0x20008069 = 0x18; *(uint8_t*)0x2000806b = 9; *(uint8_t*)0x2000806c = 5; *(uint8_t*)0x2000806d = 7; *(uint8_t*)0x2000806e = 0x10; *(uint16_t*)0x2000806f = 0x3ff; *(uint8_t*)0x20008071 = 0x39; *(uint8_t*)0x20008072 = 0; *(uint8_t*)0x20008073 = 6; *(uint8_t*)0x20008074 = 0x80; *(uint8_t*)0x20008075 = 0x23; memcpy((void*)0x20008076, 
"\xeb\xa3\xe2\xd4\x84\x8f\x84\xd0\xe6\xde\xd4\x6e\x24\xd1\x0b\xf9\xf8\xb0\x73\x89\x10\xe2\x9f\x31\x9e\x94\x25\x46\xe9\xcd\xa8\x63\x82\x57\xf5\x5d\x00\x49\x67\x2a\x13\x37\x06\x7a\xf7\x3c\x1c\x29\xe0\xbd\x77\x2a\x1c\xd5\xe1\x6d\x24\x9e\xd1\x5c\xdd\x3d\x85\xa4\x39\x9a\xef\x69\xe3\xf5\xa5\x06\xea\x0e\x05\x59\x30\x6f\xe1\xf4\x2d\xfc\x10\x92\x20\x62\xe2\xbc\x06\x2c\x34\xa1\xad\xc4\xbc\x46\xb0\x80\x25\x9a\xd2\x0b\x37\xcd\xe1\xeb\xa7\x17\x8f\xb5\x14\xb2\xef\x73\x97\x71\x5b\x0e\xae\x34\xd5\xef\xd5\x27\x49\x00", 126); *(uint8_t*)0x200080f4 = 0xa1; *(uint8_t*)0x200080f5 = 0x21; memcpy((void*)0x200080f6, "\x1c\x02\x0b\x38\x9a\x4c\x59\xd1\xf2\x6d\xa8\x57\xb2\x22\xa6\xf6\x61\x8a\xdb\x04\x11\xbb\x24\x47\x8e\x68\xff\xe7\x58\x46\x9d\x4b\xb3\x4d\xf6\xaa\x95\x77\xce\xd5\x53\x83\xdf\xf0\x1c\x05\x2a\xbb\xde\x70\x46\x8c\xe3\x11\x00\xca\x31\x84\xd1\xd5\xf8\x03\xdc\x28\x0d\xf3\xb7\xae\x47\x38\xad\x05\x03\x67\x01\xe2\xe3\x8c\xe8\x44\xa7\xd3\x01\xd8\x6e\x05\x97\xc5\xbc\x1b\x67\xe7\xc6\xa5\xf7\xdf\xbc\x33\x11\xdb\xd2\x34\x68\x8e\x85\xe9\xa7\xd5\x02\x1e\x51\xe2\xd0\xdd\x41\x80\x38\x15\x3d\xb6\x5b\x7f\xc2\x68\xf9\x8d\xdf\xd9\xe5\x03\x6f\x24\x49\x7d\x2f\x04\xcd\xcc\x75\x21\x78\x99\x19\x58\xf7\x24\x3f\xf4\xdd\x5a\xef\xcf\x75\x9a\x3f\xe7\xfb\x34\xc8", 159); *(uint8_t*)0x20008195 = 9; *(uint8_t*)0x20008196 = 5; *(uint8_t*)0x20008197 = 0xf; *(uint8_t*)0x20008198 = 0x10; *(uint16_t*)0x20008199 = 0x240; *(uint8_t*)0x2000819b = 2; *(uint8_t*)0x2000819c = 1; *(uint8_t*)0x2000819d = 0; *(uint8_t*)0x2000819e = 0x26; *(uint8_t*)0x2000819f = 3; memcpy((void*)0x200081a0, "\xb4\x51\xe2\x4f\x69\x72\xcd\x64\x29\xf8\x1c\xa1\x73\xd1\x3f\xb2\xc7\xf5\x28\x47\x51\x63\x8b\xbc\x4f\x0b\x3d\xe0\x20\x91\xfb\xb4\xf4\x45\x33\xd9", 36); *(uint8_t*)0x200081c4 = 9; *(uint8_t*)0x200081c5 = 5; *(uint8_t*)0x200081c6 = 7; *(uint8_t*)0x200081c7 = 2; *(uint16_t*)0x200081c8 = 0x400; *(uint8_t*)0x200081ca = 7; *(uint8_t*)0x200081cb = 0x3f; *(uint8_t*)0x200081cc = 0xdb; *(uint8_t*)0x200081cd = 0xc0; *(uint8_t*)0x200081ce = 0; 
memcpy((void*)0x200081cf, "\xba\x73\xf7\x70\xa4\x27\xb8\x43\x83\x13\xcb\x7e\x9d\x9d\x53\xa7\xe3\x11\x03\x66\xc8\x78\xe3\xc0\xf6\xe6\x29\xeb\xb2\xa0\x84\xa9\x0b\x2d\xef\x4b\x66\x95\x0f\xdf\xd6\x06\xe0\x83\x42\x29\xe6\x30\x28\x87\x54\x89\x67\x8b\xc9\x36\x98\xed\x86\x13\x88\x42\x54\x70\x3c\x31\x5f\x1e\xe5\x29\xd1\xbc\xbf\xaf\x8d\x86\x5e\x73\x8b\x9e\x08\xcb\xc4\xa2\x11\xd4\x80\xbd\xc2\xa6\xe6\x9e\x17\x2b\x1c\x73\x63\x94\x74\xf1\xf0\x11\x5b\x5f\x49\x18\xd0\x37\x45\x1c\x99\xde\xe8\x85\x47\x56\x25\x82\xd5\x71\x71\xaa\x19\x69\x13\xf1\x19\x15\xd1\xfd\xc1\xa5\x13\xb1\x6c\x0b\x9c\x1f\xa0\x71\x57\x42\x10\x46\xf4\xf3\x37\x2d\x00\xd4\xa2\x7e\xb9\x3e\xcd\x79\xb6\x85\xe1\x4f\x3e\xba\x64\x7e\x7b\x20\xae\xfd\xf9\x2e\xd0\x5b\xef\x68\x93\x52\x65\xce\x00\x35\xe3\xb6\x24\x85\x23\x50\xd1\x23\x4e\xf9", 190); *(uint8_t*)0x2000828d = 0xa; *(uint8_t*)0x2000828e = 5; memcpy((void*)0x2000828f, "\x29\x0a\x54\x8e\x96\x26\x66\xdf", 8); *(uint8_t*)0x20008297 = 9; *(uint8_t*)0x20008298 = 5; *(uint8_t*)0x20008299 = 7; *(uint8_t*)0x2000829a = 4; *(uint16_t*)0x2000829b = 0x7d7; *(uint8_t*)0x2000829d = 0; *(uint8_t*)0x2000829e = 7; *(uint8_t*)0x2000829f = 0xf9; *(uint8_t*)0x200082a0 = 0xcd; *(uint8_t*)0x200082a1 = 2; memcpy((void*)0x200082a2, 
"\x74\xcd\x60\x07\xae\x0e\xa1\x29\x7f\x07\x01\x8c\xbd\xaa\xa0\xc8\x78\x51\xa0\x13\x08\xad\x71\x7f\x23\x5e\x9e\xff\x80\x10\xad\x10\x46\xa5\x14\x8d\x35\x2a\x70\x76\x0b\xc4\xbe\xbd\xd7\x52\x8b\xf7\xd5\x06\xda\x1b\xaa\xc2\xcf\x49\x9d\x52\xde\x51\xd7\x1b\x05\x18\x5d\x7c\xd2\x68\x02\x3d\xe5\x96\x13\x04\x52\x1b\x5f\x56\x7c\x74\xcc\xab\x78\xb6\x1c\x3f\x64\x16\x62\xaf\x2d\x55\xd5\x15\x7a\x0d\xdc\x80\xc7\x59\x62\xe9\xbd\xa9\xff\x2d\x3b\x63\xdf\x6a\x6a\x0e\x2a\xeb\xbf\xc6\x64\xde\x3f\x3a\x34\xd6\x62\x00\xfa\x09\x24\x75\x68\x59\x57\xf0\xb3\x59\x42\x47\xa2\x1d\x46\x3c\xfe\x0c\xcd\x80\x44\xf9\x53\x19\xb4\xd4\x0c\x7f\x02\x2d\x5a\x9c\xe9\xe3\x48\xcd\x62\x3d\xc4\xc5\x90\xbe\xe5\xa1\x04\x72\x70\x95\x42\x14\x61\x1a\x8d\x98\xe6\x0a\xa6\x97\xa5\xce\x30\xee\xac\xd2\x39\x70\x94\xe5\x07\x16\x73\x99\x11\xa4\x47\x8b\x49\x5f\x02", 203); *(uint8_t*)0x2000836d = 0x2b; *(uint8_t*)0x2000836e = 3; memcpy((void*)0x2000836f, "\x9b\xc9\xf5\x80\x75\x06\x30\x3f\xbf\xd7\x12\x82\xa8\x20\x58\x56\x0f\xe8\x18\x0b\x20\x5f\x6f\x47\xf9\xd7\xcf\x05\x28\x0b\x7e\xb9\x6d\x6d\x15\x89\x97\x2f\x40\x2e\xf4", 41); *(uint8_t*)0x20008398 = 9; *(uint8_t*)0x20008399 = 5; *(uint8_t*)0x2000839a = 7; *(uint8_t*)0x2000839b = 0x1a; *(uint16_t*)0x2000839c = 8; *(uint8_t*)0x2000839e = 7; *(uint8_t*)0x2000839f = 3; *(uint8_t*)0x200083a0 = 0x86; *(uint8_t*)0x200083a1 = 0x35; *(uint8_t*)0x200083a2 = 0xb; memcpy((void*)0x200083a3, "\x01\x8a\x3d\x5f\xb9\x4d\x26\xc6\xa6\x89\xe9\x1e\xb6\xa9\xe4\x9b\xf1\xb8\x83\xb9\xe3\xda\x0a\x42\xbf\x45\x63\x9b\xc1\xb1\x9a\x0d\x8e\x78\xba\xbd\x76\x9b\x27\xa4\x3d\xd0\x91\xce\x83\xb4\xa9\x1c\xf5\xd1\x19", 51); *(uint8_t*)0x200083d6 = 7; *(uint8_t*)0x200083d7 = 0x25; *(uint8_t*)0x200083d8 = 1; *(uint8_t*)0x200083d9 = 0x80; *(uint8_t*)0x200083da = 0x40; *(uint16_t*)0x200083db = 6; *(uint8_t*)0x200083dd = 9; *(uint8_t*)0x200083de = 5; *(uint8_t*)0x200083df = 3; *(uint8_t*)0x200083e0 = 2; *(uint16_t*)0x200083e1 = 0x200; *(uint8_t*)0x200083e3 = 8; *(uint8_t*)0x200083e4 = 0x55; *(uint8_t*)0x200083e5 = 7; 
*(uint8_t*)0x200083e6 = 0xc; *(uint8_t*)0x200083e7 = 0x21; memcpy((void*)0x200083e8, "\xf2\xae\x0c\x70\x73\x12\x45\x83\x53\x64", 10); *(uint8_t*)0x200083f2 = 9; *(uint8_t*)0x200083f3 = 5; *(uint8_t*)0x200083f4 = 0xc; *(uint8_t*)0x200083f5 = 0; *(uint16_t*)0x200083f6 = 0x400; *(uint8_t*)0x200083f8 = -1; *(uint8_t*)0x200083f9 = 9; *(uint8_t*)0x200083fa = 0x7f; *(uint8_t*)0x200083fb = 9; *(uint8_t*)0x200083fc = 5; *(uint8_t*)0x200083fd = 3; *(uint8_t*)0x200083fe = 4; *(uint16_t*)0x200083ff = 0x3ff; *(uint8_t*)0x20008401 = 3; *(uint8_t*)0x20008402 = 0x81; *(uint8_t*)0x20008403 = 0x1f; *(uint8_t*)0x20008404 = 2; *(uint8_t*)0x20008405 = 0xb; memcpy((void*)0x20008406, "\x15\xf5\x29\x48\x16\x89\x69\xa7\x87\x9f\x68\x6a\x66\x44\x59\xf3\x1f\xa9\xc1\x46\xda\x65\xea\xa1\x87\x8b\x39\x96\xe0\x99\xdd\x1e\xc6\x89\x00\xa2\x57\xc0\x11\x39\x7b\xcf\xc1\x0b\xc4\x28\x59\x19\x72\xae\x5e\xb7\x0e\x65\xd2\x00\x24\x8c\x43\x3d\x8b\x1e\xaf\xe5\xdf\x95\xa1\x96\xb5\x8e\xd5\x0a\x74\xd4\x8f\x9c\x07\xf5\x08\x58\xdd\x07\xd9\x4e\xc7\x66\x26\xb5\xb4\x7c\x9a\xcd\x4f\xdb\xec\xde\x35\x6c\xab\xab\xc4\x3c\x31\x44\xfc\x2e\x52\x4b\x71\xbb\x4e\x8b\xb5\x35\xda\xa0\x71\xe2\x42\xc5\x85\x84\xdb\xdd\x6c\x1e\x75\x8e\x33\xfe\xcd\x91\xaa\xc9\x6d\x22\x88\x32\x2e\xd4\x8a\xcf\xda\xab\x53\x6e\xa5\x12\x98\xe1\x6c\x60\x33\xac\x2b\x91\x75\x84\x82\x71\x9c\xc7\xd7\x64\x37\x3c\xed\xf5\xd0\x39\xe7\x5f\x0b\xe3\x5a\xcd\xac\x46\xbf\xf1\x29\xaf\x0a\xd8\x17\xe1\x40\x64\x39\x8b\xe6\x49\x33\xb6\x76\xfa\xb4\xff\x8b\x8d\x37\xcd\x74\x2e\x41\xfd\x64\xf8\x7b\x7f\x7d\xf8\x73\xb3\xd4\xc1\xca\x44\x0e\x20\xa8\x29\xe3\x4c\x69\x77\x05\x4f\xd5\x97\x5e\x34\x94\x1c\x4c\xa2\x4d\xca\xf0\x7e\x3b\x99\x50\x28\x0b\x30\xfb\x2c\x43\x56\xee\xda\xb3\xe5\x18\x4e", 256); *(uint8_t*)0x20008506 = 7; *(uint8_t*)0x20008507 = 0x25; *(uint8_t*)0x20008508 = 1; *(uint8_t*)0x20008509 = 0; *(uint8_t*)0x2000850a = 0x1f; *(uint16_t*)0x2000850b = 0x200; *(uint8_t*)0x2000850d = 9; *(uint8_t*)0x2000850e = 5; *(uint8_t*)0x2000850f = 5; *(uint8_t*)0x20008510 = 0x10; 
*(uint16_t*)0x20008511 = 0x400; *(uint8_t*)0x20008513 = 0x81; *(uint8_t*)0x20008514 = 1; *(uint8_t*)0x20008515 = 5; *(uint8_t*)0x20008516 = 7; *(uint8_t*)0x20008517 = 0x25; *(uint8_t*)0x20008518 = 1; *(uint8_t*)0x20008519 = 2; *(uint8_t*)0x2000851a = 8; *(uint16_t*)0x2000851b = 0x101; *(uint8_t*)0x2000851d = 7; *(uint8_t*)0x2000851e = 0x25; *(uint8_t*)0x2000851f = 1; *(uint8_t*)0x20008520 = 3; *(uint8_t*)0x20008521 = 2; *(uint16_t*)0x20008522 = 8; *(uint8_t*)0x20008524 = 9; *(uint8_t*)0x20008525 = 5; *(uint8_t*)0x20008526 = 0; *(uint8_t*)0x20008527 = 4; *(uint16_t*)0x20008528 = 0x80; *(uint8_t*)0x2000852a = 9; *(uint8_t*)0x2000852b = 6; *(uint8_t*)0x2000852c = 7; *(uint8_t*)0x2000852d = 9; *(uint8_t*)0x2000852e = 5; *(uint8_t*)0x2000852f = 3; *(uint8_t*)0x20008530 = 0; *(uint16_t*)0x20008531 = 0x7ff; *(uint8_t*)0x20008533 = 1; *(uint8_t*)0x20008534 = -1; *(uint8_t*)0x20008535 = 0x1f; *(uint32_t*)0x20008640 = 0xa; *(uint64_t*)0x20008644 = 0x20008540; *(uint8_t*)0x20008540 = 0xa; *(uint8_t*)0x20008541 = 6; *(uint16_t*)0x20008542 = 0; *(uint8_t*)0x20008544 = 2; *(uint8_t*)0x20008545 = 0x86; *(uint8_t*)0x20008546 = 0x80; *(uint8_t*)0x20008547 = 0x10; *(uint8_t*)0x20008548 = 2; *(uint8_t*)0x20008549 = 0; *(uint32_t*)0x2000864c = 0x42; *(uint64_t*)0x20008650 = 0x20008580; *(uint8_t*)0x20008580 = 5; *(uint8_t*)0x20008581 = 0xf; *(uint16_t*)0x20008582 = 0x42; *(uint8_t*)0x20008584 = 5; *(uint8_t*)0x20008585 = 0xa; *(uint8_t*)0x20008586 = 0x10; *(uint8_t*)0x20008587 = 3; *(uint8_t*)0x20008588 = 0; *(uint16_t*)0x20008589 = 3; *(uint8_t*)0x2000858b = 0x73; *(uint8_t*)0x2000858c = 4; *(uint16_t*)0x2000858d = 0; *(uint8_t*)0x2000858f = 3; *(uint8_t*)0x20008590 = 0x10; *(uint8_t*)0x20008591 = 0xb; *(uint8_t*)0x20008592 = 0xa; *(uint8_t*)0x20008593 = 0x10; *(uint8_t*)0x20008594 = 3; *(uint8_t*)0x20008595 = 0; *(uint16_t*)0x20008596 = 8; *(uint8_t*)0x20008598 = 0xeb; *(uint8_t*)0x20008599 = 0x3f; *(uint16_t*)0x2000859a = 2; *(uint8_t*)0x2000859c = 7; *(uint8_t*)0x2000859d = 0x10; 
*(uint8_t*)0x2000859e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000859f, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 0xf, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a1, 5, 0, 16); *(uint8_t*)0x200085a3 = 0x1f; *(uint8_t*)0x200085a4 = 0x10; *(uint8_t*)0x200085a5 = 1; memcpy((void*)0x200085a6, "\x61\x40\x8d\x3d\x2e\x18\x72\x46\x92\x26\xd4\xd9\xbe\xfe\xcd\xac\x20\x8d\xfd\xaa\x38\x51\x78\xf4\x8c\xa7\x56\x50", 28); *(uint32_t*)0x20008658 = 1; *(uint32_t*)0x2000865c = 4; *(uint64_t*)0x20008660 = 0x20008600; *(uint8_t*)0x20008600 = 4; *(uint8_t*)0x20008601 = 3; *(uint16_t*)0x20008602 = 0x41a; res = -1; res = syz_usb_connect(5, 0x776, 0x20007dc0, 0x20008640); if (res != -1) r[15] = res; break; case 37: *(uint8_t*)0x20008680 = 0x12; *(uint8_t*)0x20008681 = 1; *(uint16_t*)0x20008682 = 0x200; *(uint8_t*)0x20008684 = -1; *(uint8_t*)0x20008685 = -1; *(uint8_t*)0x20008686 = -1; *(uint8_t*)0x20008687 = 0x40; *(uint16_t*)0x20008688 = 0xcf3; *(uint16_t*)0x2000868a = 0x9271; *(uint16_t*)0x2000868c = 0x108; *(uint8_t*)0x2000868e = 1; *(uint8_t*)0x2000868f = 2; *(uint8_t*)0x20008690 = 3; *(uint8_t*)0x20008691 = 1; *(uint8_t*)0x20008692 = 9; *(uint8_t*)0x20008693 = 2; *(uint16_t*)0x20008694 = 0x48; *(uint8_t*)0x20008696 = 1; *(uint8_t*)0x20008697 = 1; *(uint8_t*)0x20008698 = 0; *(uint8_t*)0x20008699 = 0x80; *(uint8_t*)0x2000869a = 0xfa; *(uint8_t*)0x2000869b = 9; *(uint8_t*)0x2000869c = 4; *(uint8_t*)0x2000869d = 0; *(uint8_t*)0x2000869e = 0; *(uint8_t*)0x2000869f = 6; *(uint8_t*)0x200086a0 = -1; *(uint8_t*)0x200086a1 = 0; *(uint8_t*)0x200086a2 = 0; *(uint8_t*)0x200086a3 = 0; *(uint8_t*)0x200086a4 = 9; *(uint8_t*)0x200086a5 = 5; *(uint8_t*)0x200086a6 = 1; *(uint8_t*)0x200086a7 = 2; *(uint16_t*)0x200086a8 = 0x200; *(uint8_t*)0x200086aa = 0; *(uint8_t*)0x200086ab = 0; *(uint8_t*)0x200086ac = 0; *(uint8_t*)0x200086ad = 9; *(uint8_t*)0x200086ae = 5; *(uint8_t*)0x200086af = 0x82; *(uint8_t*)0x200086b0 = 2; *(uint16_t*)0x200086b1 = 0x200; 
*(uint8_t*)0x200086b3 = 0; *(uint8_t*)0x200086b4 = 0; *(uint8_t*)0x200086b5 = 0; *(uint8_t*)0x200086b6 = 9; *(uint8_t*)0x200086b7 = 5; *(uint8_t*)0x200086b8 = 0x83; *(uint8_t*)0x200086b9 = 3; *(uint16_t*)0x200086ba = 0x40; *(uint8_t*)0x200086bc = 1; *(uint8_t*)0x200086bd = 0; *(uint8_t*)0x200086be = 0; *(uint8_t*)0x200086bf = 9; *(uint8_t*)0x200086c0 = 5; *(uint8_t*)0x200086c1 = 4; *(uint8_t*)0x200086c2 = 3; *(uint16_t*)0x200086c3 = 0x40; *(uint8_t*)0x200086c5 = 1; *(uint8_t*)0x200086c6 = 0; *(uint8_t*)0x200086c7 = 0; *(uint8_t*)0x200086c8 = 9; *(uint8_t*)0x200086c9 = 5; *(uint8_t*)0x200086ca = 5; *(uint8_t*)0x200086cb = 2; *(uint16_t*)0x200086cc = 0x200; *(uint8_t*)0x200086ce = 0; *(uint8_t*)0x200086cf = 0; *(uint8_t*)0x200086d0 = 0; *(uint8_t*)0x200086d1 = 9; *(uint8_t*)0x200086d2 = 5; *(uint8_t*)0x200086d3 = 6; *(uint8_t*)0x200086d4 = 2; *(uint16_t*)0x200086d5 = 0x200; *(uint8_t*)0x200086d7 = 0; *(uint8_t*)0x200086d8 = 0; *(uint8_t*)0x200086d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20008680, 0); if (res != -1) r[16] = res; break; case 38: *(uint32_t*)0x20008900 = 0x2c; *(uint64_t*)0x20008904 = 0x20008700; *(uint8_t*)0x20008700 = 0x20; *(uint8_t*)0x20008701 = 0x21; *(uint32_t*)0x20008702 = 0xdb; *(uint8_t*)0x20008706 = 0xdb; *(uint8_t*)0x20008707 = 0x24; memcpy((void*)0x20008708, 
"\xb5\x01\xb9\xa6\x76\xdf\xcb\x3e\x98\xc6\x6e\x8b\x68\x77\xca\xc3\x0d\xfb\x98\x56\xc7\x20\x94\xee\x90\xf2\x31\x70\xf3\x3d\xc0\x41\x69\x19\x14\x6a\x8a\x2a\xd6\x05\xce\x54\xf3\xd4\x43\xec\x59\x7b\x33\x7b\x1b\x4d\x39\xc4\x42\x89\xbb\xfc\x62\x1a\x00\x86\x26\x48\xfe\x2d\xf7\x54\xe4\x63\x45\x5e\xf8\x8f\x55\xfb\x63\xb4\xb7\x71\x9d\xd8\xd3\xe6\x84\x6c\x4d\x25\x4a\xfb\x2e\x40\x11\x6d\x2b\x5f\xcd\x88\x3a\x84\x21\x22\x17\xe0\x65\xcd\x44\x66\x68\x01\x15\x4e\x7b\x43\xe3\xd1\x62\x9d\xc7\x6f\x3a\x71\x10\xe8\x07\x90\xce\x65\xee\x44\x96\x1d\x30\x65\x21\xe9\x4e\x6e\xe9\x41\xa9\x7e\x0e\xab\x0e\x80\x37\xfe\xf7\x68\x90\x28\x91\xbb\x41\x05\xd8\xba\xf0\xa3\x5f\x93\xd2\xa5\x63\x59\x35\x79\x9c\x87\xeb\x91\xb5\xe5\xff\x7a\xe9\x1c\xbe\x9c\xda\xdd\x65\x3a\x48\x6d\x72\xd6\x7d\xc3\xb3\x71\xe4\xe5\xfa\x61\x87\x59\xde\x87\xeb\xe1\xec\x27\x8d\x14\x08\x34\x59\x0f\x6c\x51\x3e\x4c\x95\xcb\xb3", 217); *(uint64_t*)0x2000890c = 0x20008800; *(uint8_t*)0x20008800 = 0; *(uint8_t*)0x20008801 = 3; *(uint32_t*)0x20008802 = 0x18; *(uint8_t*)0x20008806 = 0x18; *(uint8_t*)0x20008807 = 3; memcpy((void*)0x20008808, "\x2c\x5d\xdd\x5f\xc6\x32\x36\xd4\x7a\xf3\x16\x42\x23\xe9\xb4\x23\xe1\x3b\x85\x60\xf2\x8a", 22); *(uint64_t*)0x20008914 = 0x20008840; *(uint8_t*)0x20008840 = 0; *(uint8_t*)0x20008841 = 0xf; *(uint32_t*)0x20008842 = 0x35; *(uint8_t*)0x20008846 = 5; *(uint8_t*)0x20008847 = 0xf; *(uint16_t*)0x20008848 = 0x35; *(uint8_t*)0x2000884a = 4; *(uint8_t*)0x2000884b = 7; *(uint8_t*)0x2000884c = 0x10; *(uint8_t*)0x2000884d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000884e, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 0xa, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008850, 1, 0, 16); *(uint8_t*)0x20008852 = 0xb; *(uint8_t*)0x20008853 = 0x10; *(uint8_t*)0x20008854 = 1; *(uint8_t*)0x20008855 = 0xc; *(uint16_t*)0x20008856 = 8; *(uint8_t*)0x20008858 = 0x3f; *(uint8_t*)0x20008859 = 1; *(uint16_t*)0x2000885a = 4; *(uint8_t*)0x2000885c = 6; *(uint8_t*)0x2000885d = 0x14; 
*(uint8_t*)0x2000885e = 0x10; *(uint8_t*)0x2000885f = 4; *(uint8_t*)0x20008860 = 0x80; memcpy((void*)0x20008861, "\xd0\xd1\xe2\xd8\x68\xe0\xfa\x99\x17\x77\xca\xc1\xb7\x94\x82\x58", 16); *(uint8_t*)0x20008871 = 0xa; *(uint8_t*)0x20008872 = 0x10; *(uint8_t*)0x20008873 = 3; *(uint8_t*)0x20008874 = 2; *(uint16_t*)0x20008875 = 3; *(uint8_t*)0x20008877 = 4; *(uint8_t*)0x20008878 = 0; *(uint16_t*)0x20008879 = 8; *(uint64_t*)0x2000891c = 0x20008880; *(uint8_t*)0x20008880 = 0x20; *(uint8_t*)0x20008881 = 0x29; *(uint32_t*)0x20008882 = 0xf; *(uint8_t*)0x20008886 = 0xf; *(uint8_t*)0x20008887 = 0x29; *(uint8_t*)0x20008888 = 0; *(uint16_t*)0x20008889 = 4; *(uint8_t*)0x2000888b = 0xc1; *(uint8_t*)0x2000888c = 0x7f; memcpy((void*)0x2000888d, "\x1b\xc1\x9f\x6f", 4); memcpy((void*)0x20008891, "\x0c\xd3\xa1\x96", 4); *(uint64_t*)0x20008924 = 0x200088c0; *(uint8_t*)0x200088c0 = 0x20; *(uint8_t*)0x200088c1 = 0x2a; *(uint32_t*)0x200088c2 = 0xc; *(uint8_t*)0x200088c6 = 0xc; *(uint8_t*)0x200088c7 = 0x2a; *(uint8_t*)0x200088c8 = -1; *(uint16_t*)0x200088c9 = 8; *(uint8_t*)0x200088cb = 0x20; *(uint8_t*)0x200088cc = 2; *(uint8_t*)0x200088cd = 6; *(uint16_t*)0x200088ce = 0x800; *(uint16_t*)0x200088d0 = 9; *(uint32_t*)0x20008e00 = 0x84; *(uint64_t*)0x20008e04 = 0x20008940; *(uint8_t*)0x20008940 = 0; *(uint8_t*)0x20008941 = 0xb; *(uint32_t*)0x20008942 = 0xe5; memcpy((void*)0x20008946, 
"\xea\x88\xbc\xa9\xc1\xe3\xf5\xbd\xf6\x07\xf7\x25\x25\x73\xdd\x87\x56\xe9\xf3\x2a\x7c\x4a\xee\xa5\xb3\xe1\xae\x6f\xdb\xe3\x19\x4c\x19\x18\xd9\xd9\xa3\xaa\x13\xdb\xbc\x47\xe1\x43\x0d\x7b\xe6\xa1\x80\xc7\x38\x84\x56\xd1\x2a\x5c\x32\x7b\x71\x6d\x23\x41\xbc\xd0\xef\x82\xa4\xa3\x46\x10\xe2\x8f\xc7\xb2\xe1\x72\xdf\xa0\x56\xc6\x35\x3d\xa1\x66\x49\x6c\xa2\x54\x0e\x60\xbb\x52\x06\x6e\xf4\x77\x36\x67\x40\x9a\x68\xef\xf5\x2e\x75\xff\x93\x46\x9e\x4f\xf5\xd6\x99\x66\xb8\x1e\x03\x4c\x68\x8a\x2f\x6f\xd9\x45\xec\xd0\x5f\x33\x65\x73\x58\x68\x23\xfd\x9f\x6d\x40\xbb\x48\x3d\xd2\x7a\xd4\x6b\x84\x14\x55\xac\x07\xfc\x31\x9b\x8c\xb5\xf5\xe2\xda\xa6\x4a\x6c\x5f\x3b\xc0\x99\x27\x0c\xd3\x76\x66\x0e\xf3\x45\x65\x71\xaa\x6d\x2f\xe4\x86\x67\x83\x8d\x81\x11\x26\xca\xce\xed\xae\xbe\xf9\x60\x81\x92\xb6\x03\x32\x7f\x6e\xe9\xed\x42\x57\x2b\x6e\xb3\xc6\x63\x0e\x90\x17\x42\x8e\xd3\x70\xbd\x03\x24\xda\x01\xea\xe4\xa7\x88\x1a\x6b\x88\xaa\x1a", 229); *(uint64_t*)0x20008e0c = 0x20008a40; *(uint8_t*)0x20008a40 = 0; *(uint8_t*)0x20008a41 = 0xa; *(uint32_t*)0x20008a42 = 1; *(uint8_t*)0x20008a46 = 5; *(uint64_t*)0x20008e14 = 0x20008a80; *(uint8_t*)0x20008a80 = 0; *(uint8_t*)0x20008a81 = 8; *(uint32_t*)0x20008a82 = 1; *(uint8_t*)0x20008a86 = 0x1f; *(uint64_t*)0x20008e1c = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x20; *(uint8_t*)0x20008ac1 = 0; *(uint32_t*)0x20008ac2 = 4; *(uint16_t*)0x20008ac6 = 2; *(uint16_t*)0x20008ac8 = 3; *(uint64_t*)0x20008e24 = 0x20008b00; *(uint8_t*)0x20008b00 = 0x20; *(uint8_t*)0x20008b01 = 0; *(uint32_t*)0x20008b02 = 4; *(uint16_t*)0x20008b06 = 0x100; *(uint16_t*)0x20008b08 = 1; *(uint64_t*)0x20008e2c = 0x20008b40; *(uint8_t*)0x20008b40 = 0x40; *(uint8_t*)0x20008b41 = 7; *(uint32_t*)0x20008b42 = 2; *(uint16_t*)0x20008b46 = -1; *(uint64_t*)0x20008e34 = 0x20008b80; *(uint8_t*)0x20008b80 = 0x40; *(uint8_t*)0x20008b81 = 9; *(uint32_t*)0x20008b82 = 1; *(uint8_t*)0x20008b86 = 0x7f; *(uint64_t*)0x20008e3c = 0x20008bc0; *(uint8_t*)0x20008bc0 = 0x40; *(uint8_t*)0x20008bc1 = 0xb; 
*(uint32_t*)0x20008bc2 = 2; memcpy((void*)0x20008bc6, "\xa6\xab", 2); *(uint64_t*)0x20008e44 = 0x20008c00; *(uint8_t*)0x20008c00 = 0x40; *(uint8_t*)0x20008c01 = 0xf; *(uint32_t*)0x20008c02 = 2; *(uint16_t*)0x20008c06 = 0; *(uint64_t*)0x20008e4c = 0x20008c40; *(uint8_t*)0x20008c40 = 0x40; *(uint8_t*)0x20008c41 = 0x13; *(uint32_t*)0x20008c42 = 6; *(uint8_t*)0x20008c46 = 0; *(uint8_t*)0x20008c47 = 0; *(uint8_t*)0x20008c48 = 0; *(uint8_t*)0x20008c49 = 0; *(uint8_t*)0x20008c4a = 0; *(uint8_t*)0x20008c4b = 0; *(uint64_t*)0x20008e54 = 0x20008c80; *(uint8_t*)0x20008c80 = 0x40; *(uint8_t*)0x20008c81 = 0x17; *(uint32_t*)0x20008c82 = 6; *(uint8_t*)0x20008c86 = 1; *(uint8_t*)0x20008c87 = 0x80; *(uint8_t*)0x20008c88 = 0xc2; *(uint8_t*)0x20008c89 = 0; *(uint8_t*)0x20008c8a = 0; *(uint8_t*)0x20008c8b = 1; *(uint64_t*)0x20008e5c = 0x20008cc0; *(uint8_t*)0x20008cc0 = 0x40; *(uint8_t*)0x20008cc1 = 0x19; *(uint32_t*)0x20008cc2 = 2; memcpy((void*)0x20008cc6, "rN", 2); *(uint64_t*)0x20008e64 = 0x20008d00; *(uint8_t*)0x20008d00 = 0x40; *(uint8_t*)0x20008d01 = 0x1a; *(uint32_t*)0x20008d02 = 2; *(uint16_t*)0x20008d06 = 0xb81; *(uint64_t*)0x20008e6c = 0x20008d40; *(uint8_t*)0x20008d40 = 0x40; *(uint8_t*)0x20008d41 = 0x1c; *(uint32_t*)0x20008d42 = 1; *(uint8_t*)0x20008d46 = 0x40; *(uint64_t*)0x20008e74 = 0x20008d80; *(uint8_t*)0x20008d80 = 0x40; *(uint8_t*)0x20008d81 = 0x1e; *(uint32_t*)0x20008d82 = 1; *(uint8_t*)0x20008d86 = 0x80; *(uint64_t*)0x20008e7c = 0x20008dc0; *(uint8_t*)0x20008dc0 = 0x40; *(uint8_t*)0x20008dc1 = 0x21; *(uint32_t*)0x20008dc2 = 1; *(uint8_t*)0x20008dc6 = 0x92; syz_usb_control_io(r[15], 0x20008900, 0x20008e00); break; case 39: syz_usb_disconnect(r[15]); break; case 40: syz_usb_ep_read(r[16], 0x1f, 0x80, 0x20008ec0); break; case 41: memcpy((void*)0x20008f40, 
"\x05\x9c\xba\xeb\x68\x64\xbc\xc9\x3a\x17\x64\x09\x36\xd2\xe5\x45\x0d\xeb\x6a\x94\xa3\xcd\x8d\xba\xc2\xfb\xcf\xac\x93\x2f\x8d\xd2\x22\x05\xe7\xae\x58\x9b\x0f\x01\x72\xe7\x51\xe3\x08\xa2\x36\xce\xa8\x57\x11\xd7\x4b\x54\x6d\x98\xb4\xd7\x5a\xfc\xc6\x5f\xd0\x46\x33\xc1\xfb\xed\x7c\xfe\x4d\x04\x9d", 73); syz_usb_ep_write(r[15], -1, 0x49, 0x20008f40); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); use_temporary_dir(); loop(); return 0; } : In function ‘syz_io_uring_setup’: :244:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :244:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor577535434 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/0 (4.64s) csource_test.go:122: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: socket$nl_netfilter(0x10, 0x3, 0xc) r0 = open(&(0x7f0000000000)='./file0\x00', 0x2000, 0x163) recvfrom(r0, &(0x7f0000000040)=""/238, 0xee, 0x1, &(0x7f0000000140)=@llc={0x1a, 0x10f, 0x7, 0xc7, 0x6, 0xff, @broadcast}, 0x80) r1 = socket$inet_sctp(0x2, 0x5, 0x84) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r1, 0x84, 0xa, &(0x7f00000001c0)={0x7ff, 0x1ff, 0x204, 0x0, 0x803, 0x0, 0x5, 0x800}, 0x20) execveat(r0, &(0x7f0000000200)='./file0\x00', &(0x7f0000000400)=[&(0x7f0000000240)='^\x00', &(0x7f0000000280)='*,+\x00', &(0x7f00000002c0)='-{$(%![\x00', 
&(0x7f0000000300)='\\[\x00', &(0x7f0000000340)='\x00', &(0x7f0000000380)='\x00', &(0x7f00000003c0)='\xb1$}\x00'], &(0x7f0000000640)=[&(0x7f0000000440)='\x00', &(0x7f0000000480)='*/%}\\\\\x00', &(0x7f00000004c0)='@[\x00', &(0x7f0000000500)='\x00', &(0x7f0000000540)=':\'\x9f^(\x00', &(0x7f0000000580)='],-.$\xfb\\}{)@-&/[\\!\x00', &(0x7f00000005c0)='\x00', &(0x7f0000000600)='{{\'$(+-(}{}]?/--)\x00'], 0x1000) r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000680)='/dev/hwrng\x00', 0x40000, 0x0) ioctl$HIDIOCGPHYS(r2, 0x80404812, &(0x7f00000006c0)) ioctl$TIOCGICOUNT(r2, 0x545d, 0x0) io_uring_setup(0x509f, &(0x7f0000000700)={0x0, 0x9c76, 0x8, 0x3, 0x309, 0x0, r0}) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_unix_may_send\x00') syz_emit_ethernet(0x2e, &(0x7f0000000040)={@dev={[], 0x29}, @local, @void, {@ipx={0x8137, {0xffff, 0x20, 0x2, 0x0, {@random=0x3, @random="67516965f015", 0x3}, {@random=0xa0, @current, 0x8ca}, "d18e"}}}}, &(0x7f0000000080)={0x1, 0x3, [0x6f3, 0xd92, 0xd18, 0x98a]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_EVENT_PKT={0x4, @hci_ev_pkt_type_change={{0x1d, 0x5}, {0x1, 0xc9, 0x800}}}, 0x8) syz_execute_func(&(0x7f0000000100)="c4017c5a50f2c4a1637c7a862ef04230b50d00000041d9f93e420fb7bcaeb0000000c4c2a5291498c482c9bdac33de7941f1c401fc2e0666400f38241f670fecfb") syz_extract_tcp_res(&(0x7f0000000180), 0x8, 0x47) r3 = openat$selinux_policy(0xffffffffffffff9c, &(0x7f00000001c0)='/selinux/policy\x00', 0x0, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002500)={0x2020, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x2020) lstat(&(0x7f00000046c0)='\x00', &(0x7f0000004700)={0x0, 0x0, 0x0, 0x0, 0x0}) stat(&(0x7f0000004780)='./file0\x00', &(0x7f00000047c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000004840)=0x0, &(0x7f0000004880), &(0x7f00000048c0)) syz_fuse_handle_req(r3, &(0x7f0000000200)="", 0x2000, &(0x7f0000004cc0)={&(0x7f0000002200)={0x50, 0x0, 0x8b20, {0x7, 0x1f, 0x4, 0x0, 0x6, 0x2, 0x7fffffff, 0x2}}, &(0x7f0000002280)={0x18, 0xfffffffffffffff5, 0x55}, 
&(0x7f00000022c0)={0x18, 0x0, 0x2, {0x9}}, &(0x7f0000002300)={0x18, 0x0, 0x40, {0xe62}}, &(0x7f0000002340)={0x18, 0x0, 0x80000001, {0x787}}, &(0x7f0000002380)={0x28, 0x0, 0x3, {{0x9, 0x101, 0x0, 0xffffffffffffffff}}}, &(0x7f00000023c0)={0x60, 0x0, 0x9, {{0xf652, 0x8d, 0x0, 0x3f, 0x80000000, 0x0, 0x3}}}, &(0x7f0000002440)={0x18, 0x0, 0x2, {0xa8f}}, &(0x7f0000002480)={0x26, 0x0, 0x8, {'bpf_lsm_unix_may_send\x00'}}, &(0x7f00000024c0)={0x20, 0x0, 0x6, {0x0, 0x12}}, &(0x7f0000004540)={0x78, 0xfffffffffffffff5, 0x81, {0x1, 0x7, 0x0, {0x5, 0x8, 0x6, 0x1ff, 0x5, 0x4, 0x4, 0xe8, 0x193, 0x7000, 0x6, 0xffffffffffffffff, r4, 0x3, 0x9}}}, &(0x7f00000045c0)={0x90, 0x0, 0x8612, {0x5, 0x3, 0xb2f, 0x20, 0x0, 0x7, {0x0, 0x1ff, 0x2, 0x2, 0x1de, 0x5a, 0x9, 0xc46, 0x5, 0xc000, 0xddce, 0xee01, 0xee00, 0x0, 0x12}}}, &(0x7f0000004680)={0x10, 0x0, 0x5}, &(0x7f0000004900)={0x2c0, 0xfffffffffffffff5, 0x8a, [{{0x4, 0x3, 0xfff, 0x6, 0xffffffff, 0x8, {0x5, 0xca13, 0x81, 0x4, 0x0, 0xbbc, 0x0, 0x3, 0x34b, 0x4000, 0x9, 0x0, 0xee01, 0x2, 0x81}}, {0x3, 0x80000001, 0x16, 0xf97, 'bpf_lsm_unix_may_send\x00'}}, {{0x5, 0x3, 0x100000001, 0x10001, 0x7, 0x83, {0x5, 0x5, 0x100, 0x6, 0xfffffffffffffbff, 0xb533, 0x800, 0xad7, 0x32f914fb, 0x2000, 0xe0, r6, 0xee01, 0x4, 0x64}}, {0x4, 0xfffffffffffffffc, 0x16, 0x6, 'bpf_lsm_unix_may_send\x00'}}, {{0x2, 0x2, 0x7, 0x8000, 0x9, 0x3, {0x2, 0x7, 0x80000000, 0x8, 0x6, 0x400, 0xc932, 0x81, 0x5, 0x1000, 0xf841, r7, 0xee00, 0xff, 0x5}}, {0x4, 0xffffffffffff3232, 0x16, 0x5, 'bpf_lsm_unix_may_send\x00'}}, {{0x4, 0x0, 0x0, 0x7, 0x200, 0x6, {0x5, 0x1020000, 0x6, 0x7f, 0xce, 0x0, 0xa9fb, 0xffffff81, 0x3ff, 0x1000, 0x0, 0x0, r8, 0x8de6, 0x3}}, {0x2, 0xffffffff, 0x1, 0x5, '/'}}]}, &(0x7f0000004bc0)={0xa0, 0x0, 0x3f, {{0x5, 0x2, 0x0, 0x7, 0x6, 0x3, {0x2, 0xf51e, 0x65, 0x1, 0x8b, 0x7f, 0x100, 0x9, 0x24, 0xa000, 0x3f, 0x0, 0xffffffffffffffff, 0x40, 0x3}}, {0x0, 0x1}}}, &(0x7f0000004c80)={0x20, 0xfffffffffffffff5, 0x401, {0x5b2, 0x0, 0x9, 0x2}}}) 
syz_genetlink_get_family_id$SEG6(&(0x7f0000004d40)='SEG6\x00') r9 = syz_init_net_socket$ax25(0x3, 0x2, 0x1) r10 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x3e79, &(0x7f0000004d80)={0x0, 0xb8ca, 0x20, 0xe7c, 0x26b, 0x0, r10}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004e00), &(0x7f0000004e40)) syz_io_uring_setup(0x5336, &(0x7f0000004e80)={0x0, 0x29dc, 0x2, 0x1, 0x3d6, 0x0, r3}, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004f00)=0x0, &(0x7f0000004f40)=0x0) r13 = syz_open_dev$vcsa(&(0x7f0000004f80)='/dev/vcsa#\x00', 0xfffffffffffffff8, 0x240) syz_io_uring_submit(0x0, r12, &(0x7f0000004fc0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd=r13, 0x0, 0x0, 0x0, {0x4404}}, 0x8) r14 = syz_open_dev$vcsa(&(0x7f0000005000)='/dev/vcsa#\x00', 0x1000, 0x8600) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005080)=[{0x0, &(0x7f0000005040)="48d5a3400d135dd4910161867c991fc7d68d55145fbbc5c498b58fba49bd01b68386473365a9131272ede1d53bc285051b85", 0x32}], 0x1, 0x0, &(0x7f00000050c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000005100)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000005140)='afs\x00', &(0x7f0000005180)='./file0\x00', 0x0, 0x9, &(0x7f0000006640)=[{&(0x7f00000051c0)="c5f6f420aeec388cedec2b597c8156538cd4586034199f56f5944da03d8ca829f6c6b6", 0x23, 0x1}, {&(0x7f0000005200)="f4ee9edc1be2c2d862a480f30ae30dafadfdf869f7789a4549f5a8dac06fe4c5d5d2cf0066d88bfca6af40745ed617b7a146c940de37505cb965eaa1982c8ca0ec2106f47e4e265f1e19285bba7eb577f60066b5f46c62d2ec0068edcbe6300e4f1e3cce429e45a7df287e8009841db1015134eeaa724311e55181cb7afe7dfdc7946bd14523ea6680ea42ca9f7b0eaaabe1d054277eff607ef4f8402e5dc37e6a528ec3565823c031a8460e8b5f670668f86b90a026043a", 0xb8, 0x2}, 
{&(0x7f00000052c0)="baeede481736d90f0aa36fb327956dd763578e20199f0dc85f185c9306866ba33c93d2af9613c92909c651254e6a63503dbf317b021c4b3c8de305d3de39a1ad9ac1b0ab3f51f68c1ae1da3e4cc744fd00dfa6d1b96e21134007d31c93013854ed32550f1b82a4c03ca67440d86545dcd29eea99274f655737ad5a54d9e7f9dec49129bb84beb62b1853f69e6a077209f7e55ce0d51686ca764d2ce334cd6d09b5d92357bdef60a635", 0xa9}, {&(0x7f0000005380)="31f1fbee4b48e6e69cb61bd1ccc1e213af5a28e74cffc2e5e82fbbcd1c3400faf379d1a194d52a3667e2019b9aec0e14feed8fea770a9a1bfbbc30997321bcbbcf4d115bb3d3269e50beca5982ef1d22c983d78621dbaa93e8395efe31dfadedcaded0976f5f0c7d4f17b6cc88b897ce5ddff1ade8ef2d62dcbed421589e3cfb5d8550d3651a99115d6e", 0x8a, 0x2}, {&(0x7f0000005440)="7881b6811ea2aec8f27f7f7f523cc4baca3652f7303cd748fb4ed8cc783ac578a9e853a9906a", 0x26, 0x1}, {&(0x7f0000005480)="", 0x1000, 0xff00000000000000}, {&(0x7f0000006480)="829251fbd70caeb451ccf09a96fbfe559b217a4a12cf46a389d82c55ef7f5c64e45e1b6f269559a85e8bcc232bf1500dcb9af40f697165fde6209f8bf001585b6ccaafe194ccfdb7f8990804ee77ed9a345b52a8d7e8f4", 0x57, 0x8}, {&(0x7f0000006500)="34e0c082bd77b51d0c9ab1bcde0acc308149f3e64c75b7173cda5f39d3b4a62c60de76d12d41cec1b7c9bc9e57acb7834282a5758d7c7e4b21715febf6fbf144ad46cbf2cec87f7401", 0x49, 0x8001}, {&(0x7f0000006580)="e60976f86d91dd66cec0b1e30ec801160b84cfb1f8603703d14a6b815d22e1783eed12ce8c080e3ffbf0b53095f69603fa76a934a60a0526341eafafb3867d13e88d1d39e370a00dbe06ddc840ba7446a62597069e1dcd138f82b29ff78af1d1c3133fe9c04d732cdb4b3f6aa26989369b5f6dca6000a0767341bc2aaacd69e648621915b8aa9cb24c6bb5ae3f", 0x8d, 0x3}], 0x10000, &(0x7f0000006740)={[{@flock_strict='flock=strict'}], [{@obj_type={'obj_type', 0x3d, '/dev/vcsa#\x00'}}, {@obj_role={'obj_role', 0x3d, 'bpf_lsm_unix_may_send\x00'}}]}) syz_open_dev$I2C(&(0x7f00000067c0)='/dev/i2c-#\x00', 0x4, 0x4800) syz_open_procfs(r5, &(0x7f0000006800)='net/icmp\x00') syz_open_pts(r9, 0x258102) syz_read_part_table(0x9, 0x8, 
&(0x7f0000007d00)=[{&(0x7f0000006840)="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", 0xfe, 0x7fffffff}, {&(0x7f0000006940)="330ea746d7dfb4a5e9f33a325a9688ca04cd59af724b34f70ae370d4ac73ea9a65ab003f2cbc01af1162c0fefb2b7e4a0dcd3f2a8c23f2a1", 0x38, 0x2eed}, {&(0x7f0000006980)="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", 0x1000, 0x4065ebb7}, {&(0x7f0000007980)="112a657c2770ad17f2e77762160bb14f2f71a17b88fdb946f919b2dfd3efd616e31124ff47ee668f6065a0435a791a7439d8aa10dcc418192d821e36fc0820d7cc0f88b088916d786f01426fa46b214de822d24e4d6c785feac458d98635c4801672bd4e74fd40753932121152ae0ead771e3abc7f741e393b328526e5ec29e8e0d9b3a2bebcd0eb3472a4bd8e50f953ed173ba271fbe9f9d9c463c79f44d093154ffef59c93ada783b4727fc35ba6c0db2518939cb35fb3301d4cf72d2524f83ac4ab57a8acfc93a99c26ccaee0566371229496e93021e86b956021a467f34be66e", 0xe2, 0x6d69}, {&(0x7f0000007a80)="629825e3cb9c42732810eb62f1ff4785718f7a30c63940f2eadf19dae820feb9b7b358f741b834164a9a4ac8ce398c231607f523a26db9e0aecac1d1e89022d1cd50d644f2466b25ec09c6d6ef4f0b3ef592d1408d049da49b953b327e123c6f1963c2f7a9e3cc7e0c52ed1e17d0a8b794666875b20b07a0f5c2c76d9632909f769eb25b162737bea131f5c270b3249fd65c255e68b680271d0c11196715177744e7", 0xa2, 0x9}, {&(0x7f0000007b40)="d1091749233d1e7ec50653f301a734f5dd67ac1e748923e44ccedeeb3ea234745896abcb8003ed61605b5dffa8a9af0aa12ed902d4a35a9260c53ab6a621e210e61e4002838dc29e2f798b4cbe0ed0c12a33c69ddda446b9b884fcbfe28199184bd4aeb097d0d9a393b699d1f55a57d830da497d79b9bd7dbcdbfe7e168d6007611db96733574fb150f4e90991c70fc19edba6beedc5a72169366ae5fca5c1cb413bbc54ff8f127d1b94cf9942b5c9be5fbfc93946bf1d0b289a7442fb057adb0ae7fa4189d5e5fefc75ed5d260b3c2c2445d49579e6b369e396da162d940559", 0xe0, 0x6}, {&(0x7f0000007c40)="768d82c47f166e252530915b63b40d9eba4b95fe087893453f373a94389e1120981cb44576a2051c4158400a59b9c8a940ccae2826414e14ad55c72b04f8fabfe86462409b3ab2a075ea92c8bddcd2b2fc0fd77a97bc271ecd43dd605f29b990837b409eed5965ddb3fb1b91e5bf12ddbcf21c90c7ef2f0ab9bb03f72a647ce8", 0x80, 0xfffffffffffffff7}, 
{&(0x7f0000007cc0)="46c0ce8920305b2c7f636edbb165920db78c61f8", 0x14, 0xfffffffffffffffa}]) r15 = syz_usb_connect(0x5, 0x776, &(0x7f0000007dc0)={{0x12, 0x1, 0x300, 0x94, 0xe8, 0x2e, 0x40, 0x789, 0x160, 0xf578, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x764, 0x2, 0x4, 0x8f, 0x0, 0x7f, [{{0x9, 0x4, 0x40, 0x3f, 0xe, 0xbb, 0x18, 0xf3, 0x20, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "c1b0c981cc"}, {0x5, 0x24, 0x0, 0x7}, {0xd, 0x24, 0xf, 0x1, 0x9, 0xfff, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0xaa4}, @acm={0x4, 0x24, 0x2, 0x9}]}, @hid_hid={0x9, 0x21, 0x7ff, 0x8, 0x1, {0x22, 0xd44}}], [{{0x9, 0x5, 0x3, 0x3, 0x40, 0x6, 0x6, 0x80}}, {{0x9, 0x5, 0x5, 0x8, 0x20, 0x34, 0x7, 0xd1, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x20}, @generic={0x65, 0x30, "dac16e845b149dafe66663cc3acf393fa7b0ae46cbb8cf207bdb0d3d6cf681661fa00ed58d703c226470a84eaa264be51e6810875248ede794e2207e60b04585603cd055c6348f0eb4f33f2a833f4aee8884d7773be2f45177ad4c03728ff4dd8e40fd"}]}}, {{0x9, 0x5, 0x2, 0x4, 0x3ff, 0x1f, 0x2, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x9, 0x2}]}}, {{0x9, 0x5, 0x6, 0x0, 0x40, 0x0, 0x40, 0xfd, [@uac_iso={0x7, 0x25, 0x1, 0x83, 0x1f, 0x1000}]}}, {{0x9, 0x5, 0xd, 0x1, 0x3ff, 0x3, 0x1, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x4, 0x3}]}}, {{0x9, 0x5, 0x5, 0x4, 0x8, 0x8, 0xff, 0x80}}, {{0x9, 0x5, 0xf, 0x1, 0x8, 0xae, 0x9, 0xf6, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x95, 0x6}, @generic={0x7a, 0x6, "3f8f5c318c80e5a936089fa5be9dc364d3a8ff22238b9200642bb7969b9c0989510df3f2673846f3fe68eec487476d9d8ea37c9e7ec2939c3a85842cad500bf77aed1d9290eb850af4621cafed03c08a55c422c7122f6ec0703a47dfcb279c0b03558b39c7231b38e559d0546a29ca32280a8ce47080aa8d"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x58982e9dfc588938, 0x1, 0x8c, 0x4}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x6, 0x1, 0x81}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0x80, 0x3, 0x23, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0xb5a}]}}, {{0x9, 0x5, 0x8, 0x2, 0x8, 0x1f, 0x8, 0x1f, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x7f, 0x3}]}}, 
{{0x9, 0x5, 0xd, 0xc, 0x3ff, 0x12, 0x9, 0x4, [@generic={0xe, 0x5, "a9b97bc24de62c3bcf2bfa13"}, @generic={0x44, 0x30, "9f0d5ea24268b8a3211765246b1a834af641e8cd6ea3ef9b1fe10f16bed6b06cc3a165920c9d73909ab9ac8b2a7a8a5dae5d4acf316d0b35d4b644d368a06e0eff85"}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x3, 0xff, 0x6}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x6, 0x2e}}]}}, {{0x9, 0x4, 0x7, 0x0, 0xd, 0x29, 0xcb, 0x7c, 0x9, [@hid_hid={0x9, 0x21, 0x7, 0x1, 0x1, {0x22, 0xbd9}}, @uac_as={[@format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x43, 0x1, 0x0, 0x9, 'd\"', "3709db"}, @format_type_i_discrete={0x11, 0x24, 0x2, 0x1, 0xf8, 0x2, 0x7, 0x40, "5e58dff9a0d01e4109"}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0xffec, 0x6, 0x15, '?w'}, @as_header={0x7, 0x24, 0x1, 0xe1, 0x3, 0x2}]}], [{{0x9, 0x5, 0xc, 0x8, 0x8, 0x4, 0x8, 0x8}}, {{0x9, 0x5, 0x6, 0x8, 0x8, 0x0, 0x2, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x6, 0x18}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x39, 0x0, 0x6, [@generic={0x80, 0x23, "eba3e2d4848f84d0e6ded46e24d10bf9f8b0738910e29f319e942546e9cda8638257f55d0049672a1337067af73c1c29e0bd772a1cd5e16d249ed15cdd3d85a4399aef69e3f5a506ea0e0559306fe1f42dfc10922062e2bc062c34a1adc4bc46b080259ad20b37cde1eba7178fb514b2ef7397715b0eae34d5efd5274900"}, @generic={0xa1, 0x21, "1c020b389a4c59d1f26da857b222a6f6618adb0411bb24478e68ffe758469d4bb34df6aa9577ced55383dff01c052abbde70468ce31100ca3184d1d5f803dc280df3b7ae4738ad05036701e2e38ce844a7d301d86e0597c5bc1b67e7c6a5f7dfbc3311dbd234688e85e9a7d5021e51e2d0dd418038153db65b7fc268f98ddfd9e5036f24497d2f04cdcc752178991958f7243ff4dd5aefcf759a3fe7fb34c8"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x240, 0x2, 0x1, 0x0, [@generic={0x26, 0x3, "b451e24f6972cd6429f81ca173d13fb2c7f5284751638bbc4f0b3de02091fbb4f44533d9"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x7, 0x3f, 0xdb, [@generic={0xc0, 0x0, 
"ba73f770a427b8438313cb7e9d9d53a7e3110366c878e3c0f6e629ebb2a084a90b2def4b66950fdfd606e0834229e63028875489678bc93698ed8613884254703c315f1ee529d1bcbfaf8d865e738b9e08cbc4a211d480bdc2a6e69e172b1c73639474f1f0115b5f4918d037451c99dee88547562582d57171aa196913f11915d1fdc1a513b16c0b9c1fa07157421046f4f3372d00d4a27eb93ecd79b685e14f3eba647e7b20aefdf92ed05bef68935265ce0035e3b624852350d1234ef9"}, @generic={0xa, 0x5, "290a548e962666df"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x7d7, 0x0, 0x7, 0xf9, [@generic={0xcd, 0x2, "74cd6007ae0ea1297f07018cbdaaa0c87851a01308ad717f235e9eff8010ad1046a5148d352a70760bc4bebdd7528bf7d506da1baac2cf499d52de51d71b05185d7cd268023de5961304521b5f567c74ccab78b61c3f641662af2d55d5157a0ddc80c75962e9bda9ff2d3b63df6a6a0e2aebbfc664de3f3a34d66200fa092475685957f0b3594247a21d463cfe0ccd8044f95319b4d40c7f022d5a9ce9e348cd623dc4c590bee5a1047270954214611a8d98e60aa697a5ce30eeacd2397094e50716739911a4478b495f02"}, @generic={0x2b, 0x3, "9bc9f5807506303fbfd71282a82058560fe8180b205f6f47f9d7cf05280b7eb96d6d1589972f402ef4"}]}}, {{0x9, 0x5, 0x7, 0x1a, 0x8, 0x7, 0x3, 0x86, [@generic={0x35, 0xb, "018a3d5fb94d26c6a689e91eb6a9e49bf1b883b9e3da0a42bf45639bc1b19a0d8e78babd769b27a43dd091ce83b4a91cf5d119"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x6}]}}, {{0x9, 0x5, 0x3, 0x2, 0x200, 0x8, 0x55, 0x7, [@generic={0xc, 0x21, "f2ae0c70731245835364"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x400, 0xff, 0x9, 0x7f}}, {{0x9, 0x5, 0x3, 0x4, 0x3ff, 0x3, 0x81, 0x1f, [@generic={0x102, 0xb, "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"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x200}]}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x81, 0x1, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x8, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x8}]}}, {{0x9, 0x5, 0x0, 0x4, 0x80, 0x9, 0x6, 0x7}}, {{0x9, 0x5, 0x3, 0x0, 0x7ff, 0x1, 0xff, 0x1f}}]}}]}}]}}, &(0x7f0000008640)={0xa, &(0x7f0000008540)={0xa, 0x6, 0x0, 0x2, 0x86, 0x80, 0x10, 0x2}, 0x42, &(0x7f0000008580)={0x5, 0xf, 0x42, 0x5, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x3, 0x73, 0x4}, @ptm_cap={0x3}, 
@ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0xeb, 0x3f, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x8, 0xf, 0x6, 0x5}, @generic={0x1f, 0x10, 0x1, "61408d3d2e1872469226d4d9befecdac208dfdaa385178f48ca75650"}]}, 0x1, [{0x4, &(0x7f0000008600)=@lang_id={0x4, 0x3, 0x41a}}]}) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000008680)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r15, &(0x7f0000008900)={0x2c, &(0x7f0000008700)={0x20, 0x21, 0xdb, {0xdb, 0x24, "b501b9a676dfcb3e98c66e8b6877cac30dfb9856c72094ee90f23170f33dc0416919146a8a2ad605ce54f3d443ec597b337b1b4d39c44289bbfc621a00862648fe2df754e463455ef88f55fb63b4b7719dd8d3e6846c4d254afb2e40116d2b5fcd883a84212217e065cd44666801154e7b43e3d1629dc76f3a7110e80790ce65ee44961d306521e94e6ee941a97e0eab0e8037fef768902891bb4105d8baf0a35f93d2a5635935799c87eb91b5e5ff7ae91cbe9cdadd653a486d72d67dc3b371e4e5fa618759de87ebe1ec278d140834590f6c513e4c95cbb3"}}, &(0x7f0000008800)={0x0, 0x3, 0x18, @string={0x18, 0x3, "2c5ddd5fc63236d47af3164223e9b423e13b8560f28a"}}, &(0x7f0000008840)={0x0, 0xf, 0x35, {0x5, 0xf, 0x35, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x8, 0x2, 0xa, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x8, 0x3f, 0x1, 0x4, 0x6}, @ss_container_id={0x14, 0x10, 0x4, 0x80, "d0d1e2d868e0fa991777cac1b7948258"}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x3, 0x4, 0x0, 0x8}]}}, &(0x7f0000008880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x4, 0xc1, 0x7f, "1bc19f6f", "0cd3a196"}}, &(0x7f00000088c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xff, 0x8, 0x20, 0x2, 0x6, 0x800, 0x9}}}, &(0x7f0000008e00)={0x84, &(0x7f0000008940)={0x0, 0xb, 0xe5, 
"ea88bca9c1e3f5bdf607f7252573dd8756e9f32a7c4aeea5b3e1ae6fdbe3194c1918d9d9a3aa13dbbc47e1430d7be6a180c7388456d12a5c327b716d2341bcd0ef82a4a34610e28fc7b2e172dfa056c6353da166496ca2540e60bb52066ef4773667409a68eff52e75ff93469e4ff5d69966b81e034c688a2f6fd945ecd05f336573586823fd9f6d40bb483dd27ad46b841455ac07fc319b8cb5f5e2daa64a6c5f3bc099270cd376660ef3456571aa6d2fe48667838d811126caceedaebef9608192b603327f6ee9ed42572b6eb3c6630e9017428ed370bd0324da01eae4a7881a6b88aa1a"}, &(0x7f0000008a40)={0x0, 0xa, 0x1, 0x5}, &(0x7f0000008a80)={0x0, 0x8, 0x1, 0x1f}, &(0x7f0000008ac0)={0x20, 0x0, 0x4, {0x2, 0x3}}, &(0x7f0000008b00)={0x20, 0x0, 0x4, {0x100, 0x1}}, &(0x7f0000008b40)={0x40, 0x7, 0x2, 0xffff}, &(0x7f0000008b80)={0x40, 0x9, 0x1, 0x7f}, &(0x7f0000008bc0)={0x40, 0xb, 0x2, "a6ab"}, &(0x7f0000008c00)={0x40, 0xf, 0x2}, &(0x7f0000008c40)={0x40, 0x13, 0x6}, &(0x7f0000008c80)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}, &(0x7f0000008cc0)={0x40, 0x19, 0x2, 'rN'}, &(0x7f0000008d00)={0x40, 0x1a, 0x2, 0xb81}, &(0x7f0000008d40)={0x40, 0x1c, 0x1, 0x40}, &(0x7f0000008d80)={0x40, 0x1e, 0x1, 0x80}, &(0x7f0000008dc0)={0x40, 0x21, 0x1, 0x92}}) syz_usb_disconnect(r15) syz_usb_ep_read(r16, 0x1f, 0x80, &(0x7f0000008ec0)=""/128) syz_usb_ep_write(r15, 0xff, 0x49, &(0x7f0000008f40)="059cbaeb6864bcc93a17640936d2e5450deb6a94a3cd8dbac2fbcfac932f8dd22205e7ae589b0f0172e751e308a236cea85711d74b546d98b4d75afcc65fd04633c1fbed7cfe4d049d") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec 
ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, 
sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
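btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};
struct btf_param {
	__u32 name_off;
	__u32 type;
};
struct btf_var {
	__u32 linkage;
};
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)
/* Read /sys/kernel/btf/vmlinux into a static buffer, once per process.
 * Returns the buffer on success and NULL when the file cannot be opened,
 * a read fails, or the image fills the whole buffer (treated as too large).
 * On a failed attempt the partial contents stay in buf but is_read remains
 * false, so the next call retries. The descriptor is closed on every path. */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	char* result = NULL;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		/* Read error, or the image reached the buffer limit: give up. */
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			break;
		if (ret == 0) {
			/* EOF: the whole image is in buf. */
			is_read = true;
			result = buf;
			break;
		}
		bytes_read += ret;
	}
	close(fd);
	return result;
}
/* Walk the BTF type section and return the 1-based index of the first type
 * whose name equals the string at a0, or -1. Note that name_off, type_off
 * and type_len are used without checking them against the buffer size; the
 * input is the kernel-provided vmlinux BTF and is trusted here.
 * (Continues on the following line.) */
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case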
BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && 
index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = 
lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { 
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if 
(desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 
4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, 
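USB_RAW_IOCTL_CONFIGURE, 0);
}
/* Thin ioctl wrapper: report the configured bMaxPower to raw-gadget. */
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}
/* Thin ioctl wrapper: stall endpoint 0. */
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}
/* Find the index into index->ifaces of the interface with the given number
 * and alternate setting; -1 if fd is unknown or no interface matches. */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}
/* Return the raw-gadget handle of the endpoint with the given address on the
 * currently selected interface, or -1 if fd is unknown, no interface is
 * selected, or no endpoint matches. The loop is bounded by eps_num; the
 * previous condition only tested eps_num != 0 and walked past the end of
 * eps[] when nothing matched. */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	for (int ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}
/* Disable every endpoint of the current interface (if any), then enable the
 * endpoints of interface n and make it current. Results of the disable
 * ioctls are ignored; an endpoint whose enable fails keeps its old handle. */
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		struct usb_iface_index* cur = &index->ifaces[index->iface_cur];
		for (int ep = 0; ep < cur->eps_num; ep++)
			usb_raw_ep_disable(fd, cur->eps[ep].handle); /* best-effort */
	}
	if (n >= 0 && n < index->ifaces_num) {
		struct usb_iface_index* next = &index->ifaces[n];
		for (int ep = 0; ep < next->eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &next->eps[ep].desc);
			if (rv >= 0)
				next->eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}
/* Apply bMaxPower, configure the gadget and select interface 0.
 * Returns 0, -1 for an unknown fd, or the failing ioctl's return value. */
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0)
		return rv;
	rv = usb_raw_configure(fd);
	if (rv < 0)
		return rv;
	set_interface(fd, 0);
	return 0;
}
#define USB_MAX_PACKET_SIZE 4096
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest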
ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, 
response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = 
lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct 
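usb_raw_ep_io*)&io_data);
	if (rv < 0)
		return rv;
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}
/* Close the raw-gadget fd (disconnecting the emulated device) and pause. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}
/* Open a device node. a0 == 0xc/0xb selects /dev/char or /dev/block by
 * major:minor (a1:a2, both truncated to 8 bits); otherwise a0 is a path
 * template whose '#' characters are replaced by decimal digits of a1 and
 * a2 is the open flags. */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	}
	char buf[1024];
	char* hash;
	strncpy(buf, (char*)a0, sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = 0;
	/* Each '#' consumes the next least-significant decimal digit of a1. */
	while ((hash = strchr(buf, '#'))) {
		*hash = '0' + (char)(a1 % 10);
		a1 /= 10;
	}
	return open(buf, a2, 0);
}
/* Open /proc/self/<a1>, /proc/thread-self/<a1> (a0 == -1) or
 * /proc/self/task/<a0>/<a1>, read-write first and read-only as a fallback. */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0)
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	else if (a0 == -1)
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	else
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}
/* Open the pts slave that belongs to master fd a0 with flags a1. */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}
/* Create a socket inside the initial network namespace (kInitNetNsFd), then
 * switch back to the caller's namespace. Returns the socket, or -1. errno of
 * the socket call is preserved across the namespace switch back. The
 * saved-namespace descriptor is closed on every return path; previously it
 * leaked when the first setns() failed. Failing to switch back is fatal. */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		int err = errno;
		close(netns);
		errno = err;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}
/* Query the generic netlink family id for the NUL-terminated name at `name`.
 * (Continues on the following line.) */
static long syz_genetlink_get_family_id(volatile long name)
{
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len = sizeof(*hdr) +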
sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs) { if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (size_t i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p) { int err = 0, loopfd = -1; size = fs_image_segment_check(size, nsegs, segs); int memfd = syscall(sys_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } 
if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (size_t i = 0; i < nsegs; i++) { if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } *memfd_p = memfd; *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int err = 0, res = -1, loopfd = -1, memfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = 
-1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = 
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x7
9\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc
0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd
0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define 
ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define 
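CR4_OSFXSR (1 << 9) /* CR4 bit 9; (1 << 8) duplicated CR4_PCE and made OSFXSR untoggleable */
#define CR4_OSXMMEXCPT (1 << 10)
#define CR4_UMIP (1 << 11)
#define CR4_VMXE (1 << 13)
#define CR4_SMXE (1 << 14)
#define CR4_FSGSBASE (1 << 16)
#define CR4_PCIDE (1 << 17)
#define CR4_OSXSAVE (1 << 18)
#define CR4_SMEP (1 << 20)
#define CR4_SMAP (1 << 21)
#define CR4_PKE (1 << 22)
#define EFER_SCE 1
#define EFER_LME (1 << 8)
#define EFER_LMA (1 << 10)
#define EFER_NXE (1 << 11)
#define EFER_SVME (1 << 12)
#define EFER_LMSLE (1 << 13)
#define EFER_FFXSR (1 << 14)
#define EFER_TCE (1 << 15)
#define PDE32_PRESENT 1
#define PDE32_RW (1 << 1)
#define PDE32_USER (1 << 2)
#define PDE32_PS (1 << 7)
#define PDE64_PRESENT 1
#define PDE64_RW (1 << 1)
#define PDE64_USER (1 << 2)
#define PDE64_ACCESSED (1 << 5)
#define PDE64_DIRTY (1 << 6)
#define PDE64_PS (1 << 7)
#define PDE64_G (1 << 8)

/* In-memory layouts of the 16/32/64-bit task state segments written into guest memory. */
struct tss16 {
	uint16_t prev;
	uint16_t sp0;
	uint16_t ss0;
	uint16_t sp1;
	uint16_t ss1;
	uint16_t sp2;
	uint16_t ss2;
	uint16_t ip;
	uint16_t flags;
	uint16_t ax;
	uint16_t cx;
	uint16_t dx;
	uint16_t bx;
	uint16_t sp;
	uint16_t bp;
	uint16_t si;
	uint16_t di;
	uint16_t es;
	uint16_t cs;
	uint16_t ss;
	uint16_t ds;
	uint16_t ldt;
} __attribute__((packed));

struct tss32 {
	uint16_t prev, prevh;
	uint32_t sp0;
	uint16_t ss0, ss0h;
	uint32_t sp1;
	uint16_t ss1, ss1h;
	uint32_t sp2;
	uint16_t ss2, ss2h;
	uint32_t cr3;
	uint32_t ip;
	uint32_t flags;
	uint32_t ax;
	uint32_t cx;
	uint32_t dx;
	uint32_t bx;
	uint32_t sp;
	uint32_t bp;
	uint32_t si;
	uint32_t di;
	uint16_t es, esh;
	uint16_t cs, csh;
	uint16_t ss, ssh;
	uint16_t ds, dsh;
	uint16_t fs, fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint32_t reserved3;
	uint32_t io_bitmap;
} __attribute__((packed));

/*
 * fill_segment_descriptor: encode `seg` as an 8-byte x86 segment descriptor and
 * store it at index (selector >> 3) in both tables `dt` and `lt`.
 * When the granularity bit is set the limit is stored in 4K units (limit >> 12).
 * Only selector, limit, base, type, s, dpl, present, avl, l, db and g are read.
 */
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
	dt[index] = sd;
	lt[index] = sd;
}

/*
 * fill_segment_descriptor_dword: like fill_segment_descriptor but for 16-byte
 * (two-slot) descriptors; the second slot is zeroed in both tables.
 */
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

/*
 * setup_syscall_msrs: program the SYSENTER/SYSCALL MSRs of vcpu `cpufd` so that
 * SYSENTER lands at ADDR_VAR_SYSEXIT with stack ADDR_STACK0, and SYSCALL lands at
 * ADDR_VAR_SYSRET with STAR carrying `sel_cs` (kernel) and `sel_cs_cpl3` (user).
 * The KVM_SET_MSRS result is not checked.
 */
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = MSR_IA32_SYSENTER_ESP;
	entries[1].data = ADDR_STACK0;
	entries[2].index = MSR_IA32_SYSENTER_EIP;
	entries[2].data = ADDR_VAR_SYSEXIT;
	entries[3].index = MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = MSR_IA32_LSTAR;
	entries[4].data = ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

/*
 * setup_32bit_idt: place a 32-entry IDT at guest_mem + ADDR_VAR_IDT (host view at
 * host_mem + that address) and point sregs->idt at it. Entries cycle through six
 * gate kinds (16-bit interrupt/trap gates, 16-bit task gate, 32-bit interrupt/trap
 * gates, 32-bit task gate). The function continues past the end of this chunk.
 */
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = SEL_TGATE32;
			break;
		}
		gate.limit =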
guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; 
memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment 
seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; 
seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = 
kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); 
uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = 
SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; 
*(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); 
// Tail of the KVM vCPU set-up routine whose beginning lies above this point.
// Every segment and gate descriptor prepared earlier is written into the
// GDT/LDT images, then the assembled special and general registers are pushed
// into the vCPU. Returns -1 if KVM_SET_SREGS or KVM_SET_REGS fails, 0 otherwise.
fill_segment_descriptor(gdt, ldt, &seg_cs32);
fill_segment_descriptor(gdt, ldt, &seg_ds32);
fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cs64);
fill_segment_descriptor(gdt, ldt, &seg_ds64);
fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_tss32);
fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
fill_segment_descriptor(gdt, ldt, &seg_tss16);
fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
// The _dword variant presumably emits the 16-byte descriptor form that 64-bit
// TSS and call-gate entries use -- confirm against its definition above.
fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cgate16);
fill_segment_descriptor(gdt, ldt, &seg_tgate16);
fill_segment_descriptor(gdt, ldt, &seg_cgate32);
fill_segment_descriptor(gdt, ldt, &seg_tgate32);
fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
	return -1;
// NOTE(review): the rendered source read "®s" here, an HTML-entity mangling
// of "&regs"; restored to the obvious original token.
if (ioctl(cpufd, KVM_SET_REGS, &regs))
	return -1;
return 0;
}

// Mounts fusectl so that /sys/fs/fuse/connections exists for the abort sweep
// in kill_and_wait(); a mount failure is deliberately ignored.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Per-process sandbox set-up: die with the parent, lead a fresh session and
// process group, keep a handle to the initial network namespace at
// kInitNetNsFd (defined elsewhere in this file), clamp resource limits,
// detach into private mount/IPC/cgroup/UTS namespaces and raise the SysV IPC
// sysctls. Every unshare()/mount()/setrlimit() failure is ignored on purpose,
// so the program still runs where a given feature is unavailable.
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	// The original net namespace is pinned here because do_sandbox_none()
	// enters CLONE_NEWNET after this function returns.
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20); // 200 MiB address space
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20; // 32 MiB locked memory
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20; // 136 MiB per-file size
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256; // open file descriptors
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	// Private propagation on the whole tree so mounts made by the test do
	// not propagate back into the host mount namespace.
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is CLONE_NEWCGROUP, spelled numerically -- presumably so
	// the file also builds against headers that predate the symbol.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	// unshare(CLONE_SYSVSEM) drops the inherited SysV semaphore undo list.
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	// write_file() is defined elsewhere in this file; its result is not checked.
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Blocks until the child `pid` exits and returns its exit status. waitpid(-1)
// reaps any other child it encounters on the way. WEXITSTATUS is read without
// checking WIFEXITED, so a signal-killed child yields a meaningless status.
// A negative pid (failed fork) aborts the process.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the calling process (the bounding set is left alone).
// Both capabilities number below 32, so only cap_data[0] -- the low word of
// the v3 layout -- is modified; cap_data[1] is read and written back as is.
// Aborts on capget/capset failure.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// "none" sandbox: enter a new PID namespace, then fork a child that runs the
// test loop while this process waits for it and relays its exit status. The
// child drops into a fresh network namespace only after sandbox_common() has
// saved the original one. loop() never returns in normal operation, so the
// trailing exit(1) is only a guard.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

// Local definition of the inode-attribute-flags ioctl. remove_dir() writes a
// zero through it to strip attributes (immutable, append-only, ...) that make
// unlink()/rmdir() fail with EPERM.
#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes `dir` and everything below it, fighting the ways a
// fuzzed test can make that fail: lingering mounts are lazily unmounted,
// inode flags are cleared on EPERM, EBUSY triggers another detach, and an
// ENOTEMPTY on the final rmdir restarts the whole walk (at most 100 times).
// Entries are examined with lstat(), so a symlink to a directory is unlinked
// rather than descended into. Any other failure aborts the process.
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		// Both branches abort; the EMFILE case presumably carried a distinct
		// diagnostic before the generator stripped debug output.
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Clear inode attribute flags and retry. NOTE(review): this
				// path has no iteration bound -- the `i > 100` guard below is
				// reached only when open() fails or errno is not EPERM. Also,
				// if open() fails, the errno tests below see open()'s errno,
				// not unlink()'s.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			// Something reappeared underneath (the test's children may
			// still have been creating files); walk the tree again.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Kills the test child together with its process group and reaps it. If it
// has not been reaped after ~100 ms of polling, every FUSE connection listed
// under /sys/fs/fuse/connections is aborted (the fusectl abort file acts on
// any write, so the byte written -- the first character of the path buffer --
// is irrelevant); presumably a child blocked inside a FUSE request cannot
// otherwise be collected. Then waits unconditionally; the exit status is
// returned through *status.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detaches whatever backing file the per-process loop device
// /dev/loop<procid> currently holds, so each iteration starts with a free
// loop device. `procid` is defined elsewhere in this file; a missing or
// unopenable device is silently ignored.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Runs in the forked test child: die with the parent, own a process group
// (so kill_and_wait() can signal the whole group via kill(-pid)), and make
// this process the OOM killer's preferred victim.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// Smallest buffer a FUSE daemon may read a request into; mirrors the
// kernel's FUSE_MIN_READ_BUFFER and is enforced up front by
// syz_fuse_handle_req().
#define FUSE_MIN_READ_BUFFER 8192

// Request opcodes, mirroring the kernel's enum fuse_opcode. Opcodes without a
// case in syz_fuse_handle_req() (e.g. FUSE_READLINK, FUSE_INTERRUPT,
// CUSE_INIT) fall to its default branch and are rejected.
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Request header as read from the FUSE device; layout matches the kernel ABI.
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

// Reply header written back to the FUSE device; `len` is the total size of
// header plus payload that fuse_send_response() writes.
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

// Replies the generated program pre-builds, one per request family. Any
// pointer may be NULL, in which case the matching request is not answered and
// syz_fuse_handle_req() returns -1.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

// Stamps the prepared reply with the request's `unique` id and writes it to
// the FUSE fd. out_hdr->len is trusted exactly as the program supplied it;
// only a failed write (-1) is reported, a short write is not detected.
// Returns 0 on success, -1 when out_hdr is NULL or write() fails.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

// Pseudo-syscall: read one request from the FUSE device `a0` into the buffer
// `a1` of `a2` bytes and answer it from the reply table `a3`
// (struct syz_fuse_req_out*). Returns 0 once a reply was sent (or none is
// due), -1 on any validation or I/O failure.
//
// Checks before dispatch: the table must be non-NULL, the buffer at least
// FUSE_MIN_READ_BUFFER bytes, the read must cover a full fuse_in_header, and
// the header's own `len` may not exceed the bytes actually read. `buf` and
// `req_out` are program-supplied addresses and are not validated further.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	// Requests answered with a bare header: the `init` reply buffer is
	// reused and its length forced to header-only. NOTE(review): this
	// mutates req_out->init in place, so a later FUSE_INIT answered from the
	// same table would also go out header-only -- confirm that is intended.
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	// FORGET / BATCH_FORGET never receive a reply.
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

// Pseudo-syscall: jump to the machine code the program placed at `text` and
// return 0 when it comes back. The unused stack array and the empty asm
// statement with fourteen register inputs carry no logic of their own;
// presumably they shape the stack/register state the code starts in -- not
// documented here. Nothing checks that the bytes are valid instructions or
// that they return; the program is expected to have mapped them executable.
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	((void (*)(void))(text))();
	return 0;
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

// Main driver: for each iteration create ./<iter>, reset the loop device,
// fork a child that chdirs there and runs execute_one(), and wait for it with
// a 5 s budget (polled every millisecond through sleep_ms() and
// current_time_ms(), both defined elsewhere in this file). On timeout the
// child is killed via kill_and_wait(); the working directory is then removed.
// Runs until some failure calls exit().
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		// "./" plus at most 11 digits always fits in 32 bytes.
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallbacks for toolchains whose headers predate these syscalls; the numbers
// are the x86_64 ones.
#ifndef __NR_execveat
#define __NR_execveat 322
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

// Result slots the generated program refers to as r[N]. execute_one() stores
// into a slot only when the producing call did not return -1. Slots starting
// at 0xffffffffffffffff are presumably fd-valued resources, so an unset one
// is passed on as an invalid descriptor; the zero-initialised ones receive
// values read back from result structures.
uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Body of the generated test program; it continues well past this point.
// Argument buffers live in the fixed 0x20000000 data region, presumably
// mapped by set-up code outside this chunk.
void execute_one(void)
{
	intptr_t res = 0;
	syscall(__NR_socket, 0x10ul, 3ul, 0xc);
	memcpy((void*)0x20000000, "./file0\000", 8);
	res = syscall(__NR_open, 0x20000000ul, 0x2000ul, 0x163ul);
	if (res != -1)
		r[0] = res;
	// Address buffer at 0x20000140 consumed by the recvfrom() call below,
	// written field by field.
	*(uint16_t*)0x20000140 = 0x1a;
	*(uint16_t*)0x20000142 = 0x10f;
	*(uint8_t*)0x20000144 = 7;
	*(uint8_t*)0x20000145 = 0xc7;
	*(uint8_t*)0x20000146 = 6;
	*(uint8_t*)0x20000147 = -1;
	*(uint8_t*)0x20000148 = -1;
	*(uint8_t*)0x20000149 = -1;
	*(uint8_t*)0x2000014a = -1;
	*(uint8_t*)0x2000014b = -1;
	*(uint8_t*)0x2000014c = -1;
	*(uint8_t*)0x2000014d = -1;
	syscall(__NR_recvfrom,
r[0], 0x20000040ul, 0xeeul, 1ul, 0x20000140ul, 0x80ul); res = syscall(__NR_socket, 2ul, 5ul, 0x84); if (res != -1) r[1] = res; *(uint16_t*)0x200001c0 = 0x7ff; *(uint16_t*)0x200001c2 = 0x1ff; *(uint16_t*)0x200001c4 = 0x204; *(uint32_t*)0x200001c8 = 0; *(uint32_t*)0x200001cc = 0x803; *(uint32_t*)0x200001d0 = 0; *(uint32_t*)0x200001d4 = 5; *(uint32_t*)0x200001d8 = 0x800; *(uint32_t*)0x200001dc = 0; syscall(__NR_setsockopt, r[1], 0x84, 0xa, 0x200001c0ul, 0x20ul); memcpy((void*)0x20000200, "./file0\000", 8); *(uint64_t*)0x20000400 = 0x20000240; memcpy((void*)0x20000240, "^\000", 2); *(uint64_t*)0x20000408 = 0x20000280; memcpy((void*)0x20000280, "*,+\000", 4); *(uint64_t*)0x20000410 = 0x200002c0; memcpy((void*)0x200002c0, "-{$(%![\000", 8); *(uint64_t*)0x20000418 = 0x20000300; memcpy((void*)0x20000300, "\\[\000", 3); *(uint64_t*)0x20000420 = 0x20000340; memcpy((void*)0x20000340, "\000", 1); *(uint64_t*)0x20000428 = 0x20000380; memcpy((void*)0x20000380, "\000", 1); *(uint64_t*)0x20000430 = 0x200003c0; memcpy((void*)0x200003c0, "\261$}\000", 4); *(uint64_t*)0x20000640 = 0x20000440; memcpy((void*)0x20000440, "\000", 1); *(uint64_t*)0x20000648 = 0x20000480; memcpy((void*)0x20000480, "*/%}\\\\\000", 7); *(uint64_t*)0x20000650 = 0x200004c0; memcpy((void*)0x200004c0, "@[\000", 3); *(uint64_t*)0x20000658 = 0x20000500; memcpy((void*)0x20000500, "\000", 1); *(uint64_t*)0x20000660 = 0x20000540; memcpy((void*)0x20000540, ":\'\237^(\000", 6); *(uint64_t*)0x20000668 = 0x20000580; memcpy((void*)0x20000580, "],-.$\373\\}{)@-&/[\\!\000", 18); *(uint64_t*)0x20000670 = 0x200005c0; memcpy((void*)0x200005c0, "\000", 1); *(uint64_t*)0x20000678 = 0x20000600; memcpy((void*)0x20000600, "{{\'$(+-(}{}]?/--)\000", 18); syscall(__NR_execveat, r[0], 0x20000200ul, 0x20000400ul, 0x20000640ul, 0x1000ul); memcpy((void*)0x20000680, "/dev/hwrng\000", 11); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000680ul, 0x40000ul, 0ul); if (res != -1) r[2] = res; syscall(__NR_ioctl, r[2], 0x80404812, 
0x200006c0ul); syscall(__NR_ioctl, r[2], 0x545d, 0ul); *(uint32_t*)0x20000704 = 0x9c76; *(uint32_t*)0x20000708 = 8; *(uint32_t*)0x2000070c = 3; *(uint32_t*)0x20000710 = 0x309; *(uint32_t*)0x20000718 = r[0]; *(uint32_t*)0x2000071c = 0; *(uint32_t*)0x20000720 = 0; *(uint32_t*)0x20000724 = 0; syscall(__NR_io_uring_setup, 0x509f, 0x20000700ul); memcpy((void*)0x20000000, "bpf_lsm_unix_may_send\000", 22); syz_btf_id_by_name(0x20000000); *(uint8_t*)0x20000040 = 0xaa; *(uint8_t*)0x20000041 = 0xaa; *(uint8_t*)0x20000042 = 0xaa; *(uint8_t*)0x20000043 = 0xaa; *(uint8_t*)0x20000044 = 0xaa; *(uint8_t*)0x20000045 = 0x29; *(uint8_t*)0x20000046 = 0xaa; *(uint8_t*)0x20000047 = 0xaa; *(uint8_t*)0x20000048 = 0xaa; *(uint8_t*)0x20000049 = 0xaa; *(uint8_t*)0x2000004a = 0xaa; *(uint8_t*)0x2000004b = 0xaa; *(uint16_t*)0x2000004c = htobe16(0x8137); *(uint16_t*)0x2000004e = htobe16(-1); *(uint16_t*)0x20000050 = htobe16(0x20); *(uint8_t*)0x20000052 = 2; *(uint8_t*)0x20000053 = 0; *(uint32_t*)0x20000054 = htobe32(3); memcpy((void*)0x20000058, "\x67\x51\x69\x65\xf0\x15", 6); *(uint16_t*)0x2000005e = htobe16(3); *(uint32_t*)0x20000060 = htobe32(0xa0); *(uint8_t*)0x20000064 = 0; *(uint8_t*)0x20000065 = 0; *(uint8_t*)0x20000066 = 0; *(uint8_t*)0x20000067 = 0; *(uint8_t*)0x20000068 = 0; *(uint8_t*)0x20000069 = 0; *(uint16_t*)0x2000006a = htobe16(0x8ca); memcpy((void*)0x2000006c, "\xd1\x8e", 2); *(uint32_t*)0x20000080 = 1; *(uint32_t*)0x20000084 = 3; *(uint32_t*)0x20000088 = 0x6f3; *(uint32_t*)0x2000008c = 0xd92; *(uint32_t*)0x20000090 = 0xd18; *(uint32_t*)0x20000094 = 0x98a; *(uint8_t*)0x200000c0 = 4; *(uint8_t*)0x200000c1 = 0x1d; *(uint8_t*)0x200000c2 = 5; *(uint8_t*)0x200000c3 = 1; *(uint16_t*)0x200000c4 = 0xc9; *(uint16_t*)0x200000c6 = 0x800; memcpy((void*)0x20000100, 
"\xc4\x01\x7c\x5a\x50\xf2\xc4\xa1\x63\x7c\x7a\x86\x2e\xf0\x42\x30\xb5\x0d\x00\x00\x00\x41\xd9\xf9\x3e\x42\x0f\xb7\xbc\xae\xb0\x00\x00\x00\xc4\xc2\xa5\x29\x14\x98\xc4\x82\xc9\xbd\xac\x33\xde\x79\x41\xf1\xc4\x01\xfc\x2e\x06\x66\x40\x0f\x38\x24\x1f\x67\x0f\xec\xfb", 65); syz_execute_func(0x20000100); memcpy((void*)0x200001c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x200001c0ul, 0ul, 0ul); if (res != -1) r[3] = res; res = syscall(__NR_read, -1, 0x20002500ul, 0x2020ul); if (res != -1) { r[4] = *(uint32_t*)0x20002514; r[5] = *(uint32_t*)0x20002518; } memcpy((void*)0x200046c0, "\000", 1); res = syscall(__NR_lstat, 0x200046c0ul, 0x20004700ul); if (res != -1) r[6] = *(uint32_t*)0x20004718; memcpy((void*)0x20004780, "./file0\000", 8); res = syscall(__NR_stat, 0x20004780ul, 0x200047c0ul); if (res != -1) r[7] = *(uint32_t*)0x200047d8; res = syscall(__NR_getresgid, 0x20004840ul, 0x20004880ul, 0x200048c0ul); if (res != -1) r[8] = *(uint32_t*)0x20004840; memcpy((void*)0x20000200, 
"\x26\x92\xd6\x23\x14\x8a\x34\xae\xe9\x68\xf5\x55\x2f\xef\x58\xad\xeb\x13\x83\x51\x31\xaf\xc9\x60\x2c\x0e\xba\x53\xa1\x39\x39\x2d\x14\x0b\x6e\xeb\x57\x19\x84\x01\x7f\xbc\x1a\x93\x6a\xca\x42\x7a\xd0\xe7\x40\x52\x4f\x63\x07\xf1\x8e\x1c\x7d\x95\x4a\x0b\xa7\x44\x23\x67\xd4\x5b\xae\x51\x50\xe1\x25\x43\xdc\x5d\xd0\x3a\xa5\x69\x90\x39\xf2\xf6\x27\xb3\xd1\x04\xe0\x0f\xfa\xea\x42\x63\xfc\x86\x95\x3e\x5e\x3a\xb9\x76\xc9\xf6\x6a\x21\x3d\x67\x57\x3b\x60\x44\xbf\x6f\xaa\x8c\x17\xd5\x1b\x55\x50\x43\x8f\x9a\xc6\x58\x9d\x2c\xb2\xbc\x4e\x11\xcb\xf8\xa2\x54\x59\x4a\x82\xab\x89\x87\xf8\xad\xe2\x0d\x85\x42\xac\x71\xff\x84\x7b\x22\xe6\x7d\x2d\xdd\xa8\xf4\xba\x5f\x53\xfb\xf1\x77\x00\x91\x32\xba\xa5\x78\x6a\x7b\xe3\x1e\xc6\xc5\x92\xcb\xa5\x3c\x5c\x8a\x7b\xa1\x9d\xb0\x28\x6b\xff\x1d\x01\x78\xda\x1e\x4e\xa1\x08\x19\x43\x9a\xce\x53\x7a\xc5\xf4\x7a\x1c\x8b\x74\xfa\x67\xfc\x4e\x1b\xf9\x22\x92\xa9\xec\x65\x7b\x5e\x30\x03\x14\x6a\x1c\x56\x90\x85\x5b\x05\xcf\x75\xa0\xb1\x1a\xb9\xba\x73\x8a\x3d\xc1\x77\xd5\xf7\xe7\xfa\x6b\x46\x5d\x05\xe5\x13\xa2\x19\x48\x10\x89\x26\x5f\x56\x6e\x6b\xd0\xcc\x9e\xe1\xfb\x10\x0f\x85\x12\x86\xe6\x57\x21\xf6\x01\xc8\x3f\x7a\x74\x09\x79\xb3\x84\x8f\x57\xfb\x00\x81\xef\xca\x45\x72\x0c\xcf\xd8\xa4\x90\x4f\x24\x81\x51\xb2\x42\x13\x2a\x4b\x45\x53\x0a\xe5\x44\x2f\xf7\xa5\x1b\xb5\xc5\x99\xcd\xa7\xe1\x0e\x1b\x4d\xe5\xc8\x0f\x52\xcc\x3d\xda\xc7\x51\x3f\xe1\x48\xbd\xbc\x5d\xa2\xe0\xc2\xb3\x91\x90\xd8\xf9\x0f\xcd\x45\x95\x03\xa4\xcb\x8f\xec\xe5\x51\x82\xcf\x72\x72\xa5\x22\xe5\x62\x61\x20\xc7\x33\x5c\x5a\x37\xc7\x2d\x40\x0f\xed\xc5\x88\x73\xc5\x96\x0f\x6c\xab\x80\x7a\xc2\x39\xd0\x24\x6a\xba\x2e\x84\x4b\x68\xb1\xac\x4a\xd6\xd2\xbb\xce\xdc\xb3\x5a\x67\x48\x64\x71\xe4\x45\xaf\x55\x99\x02\x70\xae\x09\x79\x68\xda\x00\x15\x7d\xd2\x21\xde\xa2\x43\x8d\x16\x62\x3c\x52\x82\x0f\x0d\x24\xe3\x9c\x04\x24\xee\x40\x48\x4f\xb0\xd9\x64\x19\xf5\xe2\x81\xd0\xe9\xe1\x78\x36\x68\x20\xdd\x5c\xa4\xa0\xc4\x5d\xee\xb3\x6c\xb9\xe2\x46\xbe\x67\x14\xce\xb0\x34\x7b\x0c\x30\x9c\xc5\x30\x22\x37\x4f\x73\x30\x35\x3
6\xe5\x93\xc5\x75\x88\xb8\x83\x90\x3e\xa5\x81\x33\x77\x36\x00\x20\x1a\x7b\x55\xdd\x5c\x01\xaf\x52\xe9\x0e\xc5\x24\xab\xd9\xf4\x7b\x3d\x71\x85\xc4\x82\x59\xbf\x5a\xa7\x6f\xea\x9d\xa9\x82\xb2\xc4\xa6\x10\x65\xdf\x2b\x06\x67\x32\x10\x35\x03\x96\x9e\xef\xaa\x23\x14\x1c\x8b\xec\xb3\x5c\xaf\x76\x02\xe9\x81\xc3\x06\x73\x99\x1b\x46\xd5\x4a\xb2\x76\x4b\xf5\xec\xc3\xf1\xa8\xe0\x00\xb1\x16\xb7\x69\xd8\x26\x25\xae\x94\x18\xb5\x23\xaf\x00\xf3\xcf\xb0\xeb\x65\xc9\x16\xf6\xa6\x24\x52\xf8\x10\xb2\x0c\x3e\x7c\xec\x7d\x61\xfe\xf5\x5f\x63\xd1\xda\x4a\x3f\x86\x8b\xbc\xfd\x86\x7e\x13\x0d\x3c\x7c\xe5\x22\x46\xef\x76\xed\xa2\x91\x6f\xbb\xdf\xd5\x06\xdb\xc2\x28\x9d\x00\xfb\xc8\xfd\x10\x0c\x45\x78\x69\x8d\x22\x03\xdf\xfa\xb9\x01\x8d\x6f\x19\xae\x19\x9f\x16\x59\xc3\xf7\x81\x57\x68\x0c\xf9\x80\x59\x7a\x12\x6b\x99\x4b\xdd\x64\x60\x96\x53\xdc\x0d\xdb\x55\x6c\x3a\xf8\x38\xa0\xa4\xa9\xbd\x70\x51\xe4\x52\x47\x91\x3c\xc3\x5b\x9d\x9f\xf3\x68\xff\xdf\x4e\x7f\xad\x83\xa5\x2f\x8a\x02\x61\xc3\x31\xb6\xef\x22\x6f\xe6\x76\xac\x1a\x9c\xf0\xcb\x00\x13\x85\xce\x35\xb0\x9d\xf3\xae\xca\xa3\xd8\x16\xf2\xaf\xc6\x2c\x27\xae\xe5\x25\xf7\x2f\x2d\x31\xee\x0b\x21\xc4\x47\xf8\x09\x01\xa6\x5c\x77\x06\xd0\x7f\xf9\xb2\xd7\xbd\xe9\x2b\xc7\x9d\x85\xf8\x43\x1d\x46\x8a\xc8\x5e\x51\xac\x3a\x20\x9c\xea\x07\x28\x1e\x7d\x19\xc1\xf5\x2b\x5f\x01\xbd\xb0\x53\x97\x8c\x93\x33\x99\xb3\x5a\xc7\x7a\xa4\xa1\xe6\xf1\x82\xd2\x50\x27\x1c\xa3\x3c\x37\x91\xb1\x5a\x93\x1b\xcd\x32\xac\xe1\x92\x53\xf1\xa9\x04\x4a\xfa\x49\xc1\xa0\xdd\xc8\x2e\x95\x90\x7f\x60\xb7\x97\x1e\xc0\x10\x78\xe1\x37\xd1\xbc\xeb\x0c\xf8\x6f\x64\xcd\x6c\x19\x2c\xbf\xc3\x0b\x44\x78\x61\x7f\xe5\x2a\xa9\x43\xe6\x1a\x18\x2b\x1b\x0b\x21\x07\xd0\xc5\x4f\x4f\xa7\x31\x67\x9a\xf9\x5c\x32\xd1\x89\x14\xd6\x95\x9b\x9f\xa9\x6a\x0a\xac\x1c\x49\xad\xc6\x1f\x5f\x11\xb5\x44\x55\x73\x42\xc1\x42\x76\xbe\xea\x12\xfa\x71\xcd\x30\xa7\x31\xbd\x06\x4e\x9c\xfd\x0f\x9e\x4b\xe9\x66\xf7\xbd\x1c\x1b\x4f\xd7\x06\xb8\x39\x3e\x6e\xfb\x1c\x9f\x97\x52\x6f\x67\xd2\xe9\xcd\x5e\x17\x6d\xc6\x0c\x27\x4b\x30\x06\x1
e\x1a\xb6\xa2\xd0\x04\xb8\x3a\xdb\x08\xf1\x98\x3b\xae\xab\x99\x04\x72\xbe\xff\x23\x41\xde\xf4\x7e\x0d\xd4\x11\xb0\x69\x1f\xd0\xa6\x5e\xa6\x6d\x16\xa4\xa4\xee\x94\xc4\xd1\xa5\xce\x6b\x3c\xfc\x87\x34\x81\xb0\x41\xfb\x30\x05\x61\x4c\x1c\xf8\x41\xee\xab\x27\xe0\x35\x98\xef\x94\x59\x8e\xd3\x0c\x3f\xd3\xee\x19\x20\x7a\xea\x2a\x8d\xbc\x3f\x60\xa6\xd9\x7e\x30\xc5\x8f\x32\x4b\xca\xf5\x71\x38\x8f\x9e\x83\xe0\x76\xcf\xdc\x06\x63\xcf\xe9\x3f\x5a\x3f\x19\x29\x9e\x74\x12\x10\xf6\xa8\x50\x1a\x72\x38\xb1\xcb\xd6\xe9\xf8\x29\x34\x5c\x33\x7c\x62\xb7\xcd\xb0\x24\xef\xc4\xff\x11\x62\x8c\xb1\xee\x4f\xda\x07\x27\x82\xbb\x69\x93\x2b\xa6\xde\xe1\x22\xcb\x37\xfe\xd6\x96\xde\xa1\x1c\xc2\x5e\xb2\xb5\x67\x8c\x7d\x0b\xd1\xdd\x05\xf3\x5d\x1d\x02\xad\xdf\x12\x95\xa1\xeb\x0b\x25\x99\x59\xa7\xb2\x90\xe6\x1f\x24\x79\x69\x15\x88\xac\x52\x09\x81\x90\x2f\x5a\xb0\x61\x62\xe9\xcf\x5f\x05\x85\xf5\x40\xd9\x0c\xd8\x38\x1d\xe3\x3d\x0a\x0a\x24\xda\x6f\x23\x1d\x3a\x68\x4c\x92\x5d\x73\x6f\x25\x34\xa5\x7e\x48\xd9\x19\xd5\x55\x19\xc5\x75\xbb\x54\x1d\x63\x8e\x0e\x40\x11\xf8\x41\xa5\xac\x33\x1d\x48\x89\x35\xc4\x4c\x2b\xce\x1c\x2a\xc3\xe8\x48\x6e\x46\x5c\xde\xe8\xeb\x51\x3d\x3c\x1b\xb3\xb3\x8c\x5d\x15\x7c\x04\xd5\x76\xd6\x75\xe0\x0b\x30\xc2\x99\xe2\x11\xf8\xf2\x4a\x7a\x05\x3b\x42\x70\xd2\xac\xfa\x3a\xa6\x34\x34\x28\xd9\x2b\x6d\xb1\x4c\x15\x58\xa8\xdd\x58\xbb\x9c\x8c\x4b\x1b\x49\x35\x77\x3d\x14\x06\x11\x79\x3c\xca\xd5\x4f\xdc\x52\x30\xda\x4d\xfd\xa3\xb6\x0c\xc0\x76\x6e\xfc\xc6\xa3\xb7\x19\x00\xa5\x0e\x2c\x3e\x68\x27\xb9\x8c\xc1\x8c\xcd\x8f\xf7\x98\x24\x7f\x37\x48\x57\xd0\x62\x1e\x32\xbb\xf0\x48\x24\x74\xde\x0d\x42\xdd\xba\x78\x23\xe6\x33\xf1\x65\x8e\x7f\x6a\x36\x1c\x32\xe2\x45\x9c\x2b\xeb\x02\x9a\x8a\xfa\xa3\x12\x89\xe4\x87\x10\x45\x67\xd4\x0c\x81\xcc\xf5\xae\x2a\x2e\x6b\x34\x4f\x5c\x11\x0d\x7c\xe2\x30\x1f\xf2\xc2\x5f\xd8\x43\x84\x39\xa5\xea\x16\xa4\x46\xfc\x7e\x27\xf2\xcb\x06\x89\x44\xe4\xd8\xc9\x29\xc4\x64\x5f\x49\x4c\x2f\xd1\xb0\x25\xbf\xda\x11\x19\xf9\x08\x8f\x70\x7d\x66\x2c\x11\x95\xf8\xe4\x30\x8c\x47\x0b\x76\x2
4\x50\x99\x33\x2f\x61\xb2\xc9\xcc\x77\x87\x1c\xb2\x0c\x4e\xbe\xaa\x63\xe5\x3a\xdd\x25\xdf\x15\xc5\x62\x85\x85\xfe\x88\x6a\x73\xe3\x82\x56\x7c\x41\xce\xbd\xf2\xf3\x3f\x71\x68\x74\x7c\xe2\x4a\x22\xfa\xfe\xb2\x9c\xd0\x21\xa9\x2e\xc8\xfc\x27\x2d\xad\x24\x59\x8e\xbd\xae\xc2\xdc\xc4\x73\x73\xef\xa9\x7c\xac\xff\xda\xce\x15\x0e\x99\x51\x0b\xf3\x7b\xaf\x40\xa8\x17\xd9\x3d\x87\xa4\x8f\xab\x15\x3a\x10\x64\x82\x1e\xb5\x04\xa4\xeb\xa3\xab\x66\xd1\xec\x05\x7c\xf6\x4e\xe1\x1a\x6a\xd4\x05\x84\xfa\x76\x56\xa3\x98\x4c\x20\xe4\x94\x01\x3f\x83\x43\x0d\x76\x0c\xd6\xea\xa6\x04\xb5\x99\x55\x0d\xcb\xa7\x20\x85\x5e\x73\x5d\x62\xd4\x20\x07\x6c\xca\x07\x11\x5d\x4e\x37\x1c\x3d\x64\x1c\xb6\xcd\xb9\x69\xbd\xef\x10\x13\x7b\x8d\x7f\x39\x9a\xbe\x3e\x24\x36\x53\x5c\x30\xc7\xb9\xa8\x42\xfb\x31\xd3\x22\x43\x4e\x73\xb9\x5c\x0f\x5d\x45\x45\x11\x6b\x78\x8e\xa0\xfd\x47\x3a\xb3\x2c\xfb\x4c\xd7\x22\x49\x48\x91\x37\x72\xe8\x39\x2d\x89\xbf\x5c\x4e\x55\x11\xd2\x67\x20\x1c\xff\x62\xbd\xc0\x46\x8f\x96\xd9\xe8\x53\x23\x49\x5e\x92\x5e\x61\x14\x0f\xb4\x19\x41\x7b\xc3\xf8\x03\xa8\x0d\x0a\xf3\xb8\xc3\x1c\x2f\x63\xde\xe9\x17\x41\x13\xf8\xe6\xe5\xc9\x3f\x47\xd8\x48\x64\x22\xa5\x69\x6b\xc0\x58\x43\xf7\xd0\x7f\x10\xeb\x3b\x5f\xbc\x2c\x37\x8f\x6e\x8a\x97\x5d\xeb\x6c\x04\xed\x20\xc6\x73\x84\x6e\xcc\x19\xd6\xdf\xcb\x19\x82\xff\x83\xa7\xdc\xa9\x2e\x81\x67\xe5\xdf\x64\x37\xb8\x48\x34\xfd\xe1\xcb\xfc\x44\x11\x05\xd0\x62\x18\xa2\xe0\xa5\x59\x17\xee\x27\x6f\xa7\x25\xb9\xf1\x6a\x94\xc6\x7b\x68\x4b\xc7\xb6\x88\xed\xba\xe7\x43\x82\xcb\xa7\xea\xc9\xf0\x17\x72\xc8\x91\x94\xd4\x4e\xea\x3c\xab\xc0\x02\x56\x26\x43\xc0\x15\x29\x09\x2f\xf6\x62\x9d\xe9\x6a\x77\x16\xf9\x23\x18\xa6\xcf\x70\xcd\xb8\xfd\xa8\xe3\xd0\x13\x06\xea\x91\x58\x0b\x6d\x97\x08\x08\x55\x2f\x45\xf5\x75\xc3\xaa\x63\x8f\xc5\x1a\xbd\xd8\x53\x5a\x05\x84\x07\x25\x88\x51\x8f\x93\x91\xb2\xd7\x89\x14\x73\x12\xa5\x8d\x0a\x15\xb6\x4b\xf9\x08\xf2\x49\x91\x3f\x14\x16\x71\x75\x10\x03\x54\x71\x50\xd4\x9f\x47\x2d\xbe\xd4\x08\x43\x24\x93\x70\x57\x59\x92\x9f\x61\x9a\x90\x1b\xf4\x1e\xd2\xe
4\xd1\x2d\x63\x54\xaf\x21\x98\x40\xe6\x96\xae\x26\xd4\x0f\x01\x0f\x05\x86\x06\x8e\xfb\xbd\x4a\x63\xaf\x99\xae\xbd\x53\x05\xa8\x80\x13\xed\x74\xde\x00\x39\x90\x11\xdd\x8d\x0d\x54\x4b\x90\x70\x09\xf3\x61\xac\x6f\x66\xca\x0a\xc4\xfa\xe8\xee\xa5\x65\x42\x59\x9b\x16\x7b\x8f\x13\x2d\x2b\xc2\xb5\x7c\x73\x46\x53\xc0\x21\x4f\xcb\x4e\x3a\x50\x98\x23\xaa\x2e\xa6\x2a\xef\xd8\xd3\xa8\xf2\x7c\xea\xd3\xee\x3f\x27\x66\x98\x71\x27\x70\xad\xdc\x99\xcd\x31\x11\x2d\xaf\x0e\xde\x7c\x57\x7f\xcb\xae\x2e\x64\x04\x7b\xd3\x62\x4d\xcc\x04\xcf\xb6\xcd\x19\x4b\x79\xf1\xb5\x3b\x99\x0a\x44\x36\x28\x12\x3f\xbe\x9b\x2a\x3b\x59\x8b\xee\xab\xdb\xb7\xcf\x4d\x9c\xd8\x7b\xe2\xac\x84\xee\x3f\xe7\x43\xd7\x2e\x89\x84\x20\x4b\xab\x46\x3c\x89\x6d\x13\xc1\x22\x7b\x70\xa8\x87\x12\xb7\x7d\x22\x1e\xfa\x65\x40\x98\xb3\x85\x71\x46\x8f\xf9\xbf\xf1\x0b\xb0\xd3\x0f\xe6\xae\x7a\x1f\x62\xc4\xf6\x06\x6b\x55\xf3\x2b\x05\x47\xde\x75\xab\x1c\xac\x8e\x98\x6d\x89\xfc\x30\xa3\x62\xd7\x30\x8d\x09\x32\xcd\xd4\x4d\x8a\x23\x48\x60\xb6\x08\x09\x0a\xa5\xe1\x6b\xef\x4e\x44\x32\x7b\xa1\x86\x67\x91\x5e\xc6\x5c\xa7\x72\xf8\xdf\x52\x10\x5b\x37\x00\x87\xfb\x1c\xbd\x6d\x11\xa9\x53\x62\x23\x2e\x5f\x6f\xce\x3f\x34\x3c\xd9\x62\xbe\xc2\x77\xf3\xa6\xaa\xcb\x82\xdf\x97\x53\x1b\x3a\x6f\xfd\xd2\x24\x45\x4b\xfc\x8a\x6c\x2e\x0b\x9c\x86\x44\x9c\x04\x3f\x39\xce\xb9\xaf\x5c\x42\x36\xe3\x22\x1c\x2e\x25\x9f\xa8\xf1\x28\x4d\xf6\x33\x4a\x2a\x24\x73\x3d\xba\xd6\xea\x99\x0a\xa3\xef\x97\x98\xe2\xf7\x85\xbe\x3d\x5a\x44\x30\x54\x97\xa1\xf5\x25\xf7\xde\xe1\xf7\xea\x82\xc7\xd5\x05\x59\xc5\x1d\xac\xc6\x17\xf6\xf7\xee\x56\xb6\xc5\xbc\xa2\x70\x18\x99\x24\x5c\xbe\xcb\x33\xcc\xdd\xf0\x0a\x16\x89\x46\x82\x08\x5f\x40\xd2\xf6\xf6\xb0\x3a\x16\x32\x06\x31\x1f\x98\x07\x72\x61\xcd\x76\xf4\x39\xce\xd0\x44\xb5\x25\x11\x2d\xeb\xd3\x1e\x4c\x7a\x90\x77\xbd\x82\x02\x17\xa8\x8b\x4d\x8e\x3e\x76\xda\xc4\x5b\x15\x01\x9e\x01\xde\xed\xc9\x43\xb3\x57\xab\x2d\x79\x00\xd9\x91\x57\xaf\x47\xdf\xc5\x97\x17\x91\xb2\x56\x65\xe9\x53\xdb\x69\xce\xfc\xea\xc8\x7a\xef\x83\x89\x36\xae\x73\xd2\xd2\x5
9\x83\xb2\x06\x60\x99\xc4\x74\x1a\xf8\x80\x48\xc7\xf8\x65\x31\xf2\xb8\x2d\x6e\x05\xb2\xee\x75\xf4\x72\xd9\xdf\x9c\x3e\xe9\x39\x8f\x6f\xe6\x8e\x0b\x52\x1c\x36\xa2\x42\xe2\xd6\x75\xf4\xd9\xda\x55\x21\x42\x74\x36\x31\xa4\xf2\xb6\xc0\x11\x47\x57\x53\xa7\x4f\x7f\xef\xc9\xd7\x2d\x3f\x9f\xb2\xbd\xcc\x71\xd6\x67\x32\xab\xe5\x0d\xd5\x78\xb6\x9b\xd0\x29\xb4\x5b\xca\x70\x8e\x87\xc0\x98\xaf\x90\x28\x4b\x4f\xbd\xdc\xc6\xfe\x16\x3a\x00\x09\x70\xd6\x54\x7c\xfd\x18\xcc\x8a\x11\xba\x22\x63\x8e\xe6\xeb\xa9\x10\x29\xf5\x25\x94\xa0\x42\xe9\x6e\xd7\x08\x01\x84\x59\x3f\x21\x09\x12\x6c\xbd\xe1\x31\x7a\x94\xa5\x62\x13\xad\x11\xae\x1c\xcf\x0a\x58\xa4\x5d\xbc\x81\xd0\x80\x9c\x59\x07\x3f\x8a\x9e\x17\x67\x4a\x47\x6d\x03\x37\x41\x4b\xfc\xff\x7c\xa6\x94\x92\x18\x46\x7c\x88\x50\x83\x9e\x55\xc9\xc7\xad\x9d\x51\xa6\x4a\x9d\x2b\x4b\xbb\x17\xa3\x65\x38\x94\x83\x45\x45\xbc\x28\x6c\x10\x8b\xb3\x13\x45\x57\x9a\x2b\x0b\x96\xf6\xa5\x73\x89\x79\x05\x19\xd4\x41\x3a\x96\x48\x82\x0e\x78\x46\xc5\x7a\xca\x47\x92\x49\x52\x23\xfc\xc0\x29\xd0\x70\xf1\x8f\x24\xac\x66\x58\x79\xd7\xa1\x97\xc7\x8c\x5c\x05\x18\x5a\xf7\xc1\x11\x40\xc7\x8a\x35\xe9\x1d\xe5\xc0\xc5\x3f\xbc\xd1\x35\x0c\x27\x53\x6d\x28\xd5\xf5\x18\x69\x6b\x97\x13\x6d\x3f\x20\x35\xf2\x6f\xaa\xd5\xff\xe0\x4d\xfd\x5d\xcc\x09\xb1\x29\x90\x51\x95\x57\x9d\xd1\x5c\x8c\x98\x67\x62\x36\xeb\xd0\x2b\x6c\x2e\xf3\xe6\xeb\x15\xd8\x7c\x20\x6c\x39\x04\x6f\x2d\xbc\xef\x9a\x45\x23\xf2\x55\xf4\x45\xc3\xdd\x82\xc1\x40\xb2\x95\xa4\xa9\x0f\xa3\x0a\x28\x47\xff\x41\xef\xee\xa8\xf6\x30\xd4\xa5\x51\x27\x95\x38\x0a\xf7\xd1\x71\x3a\x6b\x29\x76\xdd\x74\xde\x50\xc3\xfe\xb4\x2b\xdd\x4c\x02\x58\xe4\x56\x17\x35\x8f\x18\xa2\x8b\xe1\x1b\xad\x5b\x5b\x79\x10\x3e\xe1\x27\x7c\x76\x1e\x12\x90\x1e\x49\x97\xf3\xb9\xd4\x49\x91\x72\x17\x6c\xdd\x12\xb6\x80\x7b\x23\x6d\xaf\x3d\xc0\x58\x72\x95\x64\x37\x81\x6c\x70\x6f\x3c\x36\x7d\x7e\x2c\x23\xe9\x6b\x1f\xe9\x65\x96\xdb\x88\x05\x07\xe2\x82\xfb\xe2\x3f\x21\x71\xb2\xf6\x85\x5d\x22\x17\x4a\x1a\x4b\x15\xed\x8a\xbd\x51\xca\x09\x3d\x46\xf0\xe2\xd0\x52\x98\x16\x8
c\x23\x9e\x62\xd8\x9f\x74\x06\x74\x38\x8c\x24\x01\x8c\x47\x83\x2a\x87\x64\x40\x48\xd4\x36\xd6\x5c\xd7\xa2\x10\x28\x2b\x1f\xc8\x26\xf0\xcc\xdb\x66\x97\xd0\x11\x2b\x2a\x88\xe3\x95\x30\x8d\x42\x1a\xad\xa7\xa0\xe7\xd7\x6e\xca\x0a\x60\x73\x83\x02\x18\xc8\x3e\xd7\x94\x19\x48\x59\x60\x57\x20\x97\xcb\x62\x6c\x6f\x84\x67\x57\x90\x95\xdc\x22\x63\x20\x43\xdc\xe6\xb6\x7e\xaa\x79\x3a\x2a\x89\x82\x2f\xdc\x26\x6f\x5a\x61\x1a\xa1\xc6\xb8\x45\x99\x8a\x82\x80\x05\xfe\x79\x89\x25\x3c\x37\x61\x3e\x89\x23\x48\xad\x73\x32\xe3\x34\xaf\xb5\xa7\x08\x7e\x89\xac\xe2\xf3\x61\xd6\x6f\x27\x7d\xfa\xfa\x12\x66\x77\xe8\x33\xfd\x0b\x2c\xe4\xd2\x27\x93\x7c\xdf\x60\xa8\x82\x66\x94\x11\xd4\x45\x0b\x7e\x85\x9b\x82\x47\xad\x2e\x45\x74\x2e\xcb\x60\x57\x52\xf2\x14\x8d\x07\x5e\x1d\x14\x5a\xdd\x18\x47\x48\xc6\xec\xe9\xba\x26\x7b\x7a\x6d\xf9\x22\x9a\x62\xbb\x9b\xee\x7d\x7e\x92\x5d\x6e\xb9\xae\x96\xad\xef\x93\x7c\x03\x0c\x7d\x2b\x91\x9f\xc4\x63\x6a\xd6\x33\x13\x60\x45\x7d\x06\xd8\xc4\xf6\xdc\x10\xe3\x06\x55\x22\x60\x2b\x84\x1f\xb3\x67\x8e\x9d\xab\xf0\x7d\x5f\xc3\xfe\x39\xda\x21\xd4\x61\xe1\xa4\xac\x64\xa0\xd3\x35\x6f\x93\x62\x28\x00\xf0\x07\xbe\x4e\xe1\x3c\xc4\x65\x4c\x89\x47\xff\xd1\x1b\xf7\x59\x8f\x50\xbf\x27\xdf\x75\xf8\xda\xef\xd9\xbd\x19\xcc\x3b\x6a\x06\xb2\x53\xe8\xb5\x90\x62\x1c\x66\xda\x76\x49\x6a\x87\xbe\x33\x53\xfb\x1c\xc5\x64\x36\x6b\x09\x79\xa8\x8c\x52\xb8\xdd\xae\xee\x89\x93\xf6\xa0\xa3\xa5\x43\xa9\x31\xea\x4e\xae\xe9\xd9\xe7\x00\x1e\x23\x49\x14\x4c\xd7\x46\xa2\x56\xdf\x92\xa4\x60\x24\xc7\xa3\xb3\xcb\x60\x7a\x74\x99\x87\xc9\x85\x60\x15\xb8\x6a\x23\xe4\x39\x4f\x64\xf9\x09\x97\x4a\xb0\x76\xb5\xd6\x49\x28\xfc\x9d\x1b\x4c\xba\x75\xbd\xa9\xe1\xd4\x62\x0c\xac\x6f\x08\xcb\xf7\x57\xde\x6f\x29\x11\xc3\x4e\xa0\x84\x81\xa3\x83\x20\x14\x47\xc2\xde\x6e\x37\xc0\x7d\x03\x38\xf1\x6a\x9a\x73\xfe\x67\x1a\x68\x4a\xe4\x5c\x87\x4f\xf1\x98\x15\x06\xe3\xfc\xa4\xe1\xf1\xdc\x9e\x58\xf9\xde\x6b\x96\xf8\x5e\x31\xa3\xc1\x6d\x3a\x11\x88\x0b\xb1\xcb\xc2\x23\xd0\xb9\xf3\xa6\xc4\xa6\x67\x1e\x29\xfe\xa6\x7a\xe9\xf1\x09\xe2\x63\xc
3\x17\x95\xb3\x80\x16\xb8\x29\xd4\x1d\x0d\x54\x0f\x7f\x9b\xc5\x22\x02\x7d\xbc\xa4\x94\x5d\x95\x8e\x0b\x14\xc9\x02\x0e\x7e\x0d\x96\x2d\x93\xf6\x1d\xf3\x53\xbb\x18\x42\xb2\x89\xb5\xeb\xb7\xd0\xd8\x3e\xb0\x5f\x31\xe3\x45\x73\x46\xd1\xbc\xf8\x83\x35\x4e\x9a\x24\x7c\x78\xbc\xdf\x11\x45\x0b\xd3\x62\xf4\xe0\x9f\x9b\xc8\x1e\xa9\x28\x23\x05\xdf\x3a\xed\x85\x34\xb1\xf5\xc1\x5f\x58\x12\x7b\x85\x1e\x04\x5a\x0c\x54\x19\x3b\x5b\x11\xbe\x18\x75\x56\x3f\x86\x8e\xfe\x9a\x6a\xd8\x30\xca\x44\x36\x78\x6d\x79\x36\x4e\x19\x30\xd4\x55\xfa\xa6\xeb\xef\xe8\x6e\xce\x76\xa8\xb8\x95\x2d\xff\x2d\x3b\x83\xdd\x8b\xa4\xfd\x7c\x1c\xf9\x12\xa2\x2f\x65\x11\xc3\xcc\x11\xbd\x2f\x04\x69\x0a\xcd\xb3\x8f\x7e\x14\x20\xbc\x15\xe5\x74\xad\x12\x96\x55\x75\x44\x40\xd2\x90\x13\xc6\x98\x61\xd4\x7a\x42\x90\x6c\xee\xaa\x05\x1e\x2e\xfa\xde\xae\xa9\x97\x77\x9e\x05\xdd\x91\x22\x97\xa4\xff\xa9\xaf\x33\xfe\x81\xe7\x20\x67\xc3\x6e\x81\xc4\x86\x53\xd6\x9f\x2a\x2b\xa9\x17\x14\xd5\x10\x4e\x0e\xa1\xe6\xe9\x20\xa4\x40\x24\x05\x98\xdc\x62\x8e\x82\x05\xc3\x31\x3a\x0b\x03\xb7\xfe\xd3\xa8\x78\x8f\xb2\xa6\xde\x07\x22\x6c\x58\x9e\xf3\x37\x08\x22\x14\x38\x1c\x98\x00\xd7\x03\x63\x81\x83\xda\xdf\xf3\x17\x14\x17\x0b\xc4\x02\xb2\x71\xef\x6c\x23\x5c\x12\xc9\xfa\x67\xc7\xbd\xa8\x0d\x63\x17\x15\xee\x1e\xd4\xdd\xa1\x07\x34\x7d\x14\x3f\x91\xec\x47\x0c\x20\x77\xc2\x77\x52\x4f\xe7\x8a\x23\xfa\xb2\x05\xfa\xb0\x8b\x1c\x25\x8f\x4b\xe4\x97\x59\xd1\xf1\x83\xa2\x1e\x40\x0a\x53\xa7\x24\x93\xa1\x7c\x23\xdf\xa1\x73\x21\x22\x57\x4b\x55\xa7\xf2\x66\x3b\xb0\x01\x7d\xdb\x2f\x47\x2e\xab\xd8\x7e\x40\x76\x95\xbc\xe8\x4c\x15\xf4\x30\x91\xbf\xc0\x6d\x4a\x52\x46\x72\xbf\x25\x15\x21\x85\x61\xe7\xc2\x5e\xa7\x33\xc1\x85\xd0\x98\x06\xdf\x8e\x6c\x92\x1c\x07\x1a\xe2\xf7\x6f\x5c\x0d\xb6\x23\x45\x17\xc7\x2e\x83\x93\x3a\xd4\x13\x46\x5b\x1b\xd0\xcd\xfe\x6a\x04\x6f\x07\xa4\xb2\x39\xfb\xb8\xed\x71\xbd\xdf\xc2\xb0\x71\x48\xd4\x99\x65\xda\x80\x3a\x82\x4b\xc1\x85\xda\x70\x53\x0a\xbb\x3e\x42\xb8\xa9\xf1\x9c\x0c\x3d\x86\x72\x35\x94\x13\x39\x51\x43\x4b\xfd\xbd\xe6\xbe\x90\xea\x2
1\x4f\xa0\xe1\x7f\x60\x3c\xd1\xad\x69\x5b\x5b\x5b\xa7\xc9\x86\x14\x87\x11\x45\x4c\x6a\x5a\x7a\x5d\xa2\xa1\x63\x1d\xc7\x06\x9e\x58\x2a\x1c\x12\xd2\xba\x25\xca\x01\xda\x8f\x5e\x70\x3b\x41\x14\x7f\xd3\x8f\x96\x68\xf1\x6c\xad\x66\xdf\x62\x2f\xe4\xb0\x2a\x1e\xef\xc0\xa6\x93\x63\xcc\x0b\x7c\x56\xf0\x34\x91\x60\x25\xee\x4b\xcf\xd0\x51\x26\x77\x29\x85\xa9\x63\x2a\x04\x36\x08\xe6\x56\x92\xaf\x2b\x4a\x75\x68\xf1\x3c\x41\xf1\x6c\x86\xbe\xc9\x9a\xae\x30\xa2\xd5\x4f\x64\x69\xf1\xeb\x68\x51\x8d\x48\xc4\x21\xbe\xc6\xf8\x3b\x82\x28\x30\x88\x38\xa9\xa4\x81\x9f\x2f\xed\x79\xe9\x9d\x10\x5a\x8f\x6b\x1a\xc0\x8e\xb9\xfc\x19\x62\xa8\x57\x7f\x27\xf5\xee\xcc\x91\x88\x3a\x02\x4e\xb7\x43\xa3\x99\xed\x6a\xef\x38\xe1\xf5\x33\xca\x6d\xba\x25\x53\x88\xd2\x5d\x4e\xef\x41\x2f\x03\x94\x4b\xcc\x0a\x8c\x4e\x94\xec\x31\xbb\x65\xc8\x9e\xca\x35\xcc\x88\x8f\xe8\x53\x0f\x6f\x58\x1a\x33\x46\x23\x3e\xf0\x93\x6d\xa1\x0e\x8b\x69\xc5\xfd\x23\xea\x2a\x58\xf9\xfe\x8b\x79\xa9\xef\x60\x80\x6c\x29\x6a\xba\x90\xfb\x83\x29\xe8\x38\xbb\x6c\x7d\x3c\x86\x7d\x41\x09\xba\xa2\x6c\x48\x37\x43\x9e\x63\x07\x17\x0e\x7b\x15\xc2\xf9\xf5\xee\x03\x30\x5f\x94\x81\xf8\xe7\x93\xdd\x08\x6e\xf2\xfc\x3e\xca\x55\x5a\xa2\x58\x12\x02\xbb\x4e\xd8\xe4\x31\xcf\x0b\x71\x0b\xbd\x86\x25\xfa\xc1\x7b\x51\x9c\x68\x06\xb7\x21\x80\x08\xe0\x40\xbd\x2f\x07\x8e\x18\x50\x11\xd4\x71\xd4\x60\x26\xb5\x38\x87\xc9\x48\x1b\x6a\xbe\xa8\x38\xdc\x59\x8a\xf7\xd6\x1e\xb1\x05\x66\x12\x51\x68\xad\xb4\xb5\xfa\x2f\x49\xdb\x9e\x36\x08\xee\x06\xba\xff\x0b\x3e\xdd\xf0\x53\x70\x13\xa8\x9a\x8f\x60\xbe\xc6\xec\xaf\xe7\x4c\x3a\xd6\x26\x67\xcc\x73\x6e\x42\x31\x80\x60\xd9\x39\xca\x8a\xfa\xee\xf4\x18\x9c\xab\x94\xbb\x6d\x7c\x07\xf7\xaa\x21\xf6\x00\x27\x70\x7d\x8a\xee\x9d\x2f\xc0\x31\x96\x77\xe8\xe8\x6c\x6e\x02\x0f\x43\x53\xff\x8d\x52\x35\x42\x66\x9e\x4b\xf2\x64\x9f\xc4\xfe\x1a\xc2\x16\x51\x52\x7e\x25\x7a\x55\x00\x6c\x30\x4b\x83\xaa\xb8\xde\x6e\x87\xb0\x2d\x36\x60\x52\xde\xbd\x14\xf4\x71\x28\x33\xc3\x40\xea\xd1\xeb\x9f\x9f\x48\xdf\x1e\xa2\x7f\x67\x28\x2a\x8a\x5b\xa0\x5d\xf6\x8e\xe
2\xaa\x98\xa3\x4b\x44\xfe\x38\xcf\x05\x82\x06\xcd\x11\x2d\x19\x37\x2e\x45\xaf\xb9\xd0\xc2\x4c\x0c\xa9\x18\x99\x48\x23\x9c\x99\xdb\xa4\x44\xf9\xc1\xa9\x1f\xdf\x3d\xff\xa9\xfd\xcd\x09\x35\x5e\x4b\x30\x61\x80\x63\xeb\x02\xe4\xac\x21\x2b\xf8\xf7\xb8\xc6\x17\x81\x1b\xc2\x74\x04\x23\x72\x4a\x0c\x50\x46\xf3\x57\x7e\x0b\x00\x6b\x14\x85\x0d\xdb\xab\xbf\x60\x12\x1d\x15\x1e\xc7\x30\x64\x9b\xa2\x51\xa2\x55\x1f\x6e\x92\x46\xe5\x46\x23\xa8\x19\xe9\xfc\xe9\x1f\xe4\x0a\x8a\xc2\xe5\x53\x32\xc5\x7b\x8b\x7b\x9a\x63\xad\xf9\x1f\x10\x74\x8d\xec\x7c\x01\x53\xcf\xf4\xa4\x12\x29\x27\x51\xb0\xab\x79\x3a\x14\x82\x29\xed\xd1\xf9\x08\x01\x2f\xba\xdc\xd1\x3e\x18\xd4\x79\xd9\x4e\xa5\x60\x65\x10\x03\x57\xba\x4b\xa1\x82\x58\xe4\xa8\x28\xea\xac\xa2\x0d\x67\x1d\x98\x6d\xc6\xd1\x79\x97\xf5\xb3\x74\x46\x93\xeb\x36\xcd\x7f\xce\x3f\xff\x1d\x2d\x59\xb9\xbc\xf1\xc9\x94\x27\xae\xec\x5c\x15\x8d\x12\xd0\x66\xd4\x69\x26\x7f\x42\x3d\xe6\x76\x07\x9d\xc4\x8d\xef\x12\x7b\xe6\x3b\x07\x9f\x0f\xe8\xd7\xda\xe2\xf2\x0e\xab\x8d\xdd\x0f\x38\x8d\x52\xac\x05\x91\x79\x58\x9c\x62\x42\xc7\xf9\xfe\x8e\x1d\x18\x57\xec\x29\x98\xf8\xdc\x9a\xed\x3b\x3d\x38\xae\xed\x70\xb0\xfa\xb5\xd1\x3b\xcb\x53\x6c\xbf\x01\xa2\xfd\xa8\x11\xf1\x4f\xa0\xf5\xe4\xa4\xd5\x71\x31\x86\x0d\x60\xaa\xc2\x60\x73\x54\xab\xc5\x8f\x91\x51\xdd\x78\x8e\x78\x7f\x76\x85\xbe\x53\x7e\x6f\x86\xbb\xac\x94\xbe\xf4\xdb\xb0\x42\xda\x14\xc1\x00\x7d\xcd\x62\xaa\x8c\xbc\x70\x5d\x12\x0e\x07\x83\x94\xfc\xbd\xc9\x47\x29\xfc\xe6\x90\x5f\x1e\xd8\x69\x9c\xac\xd2\xe5\xf0\x05\x5d\x37\x7d\x0d\x5c\xa8\x3f\x18\x97\x1c\x19\x5c\x7e\xa1\xdc\xf1\x1e\x9f\xee\xc1\x24\xc2\xba\x56\xd0\xf5\x06\x06\x0c\x22\xcb\xc3\x66\xd0\xae\xd0\x5f\x40\x00\x62\x98\x4f\x22\x12\x2b\xfd\x16\xa3\x1b\x3a\x4a\x6e\xd9\xd9\x49\xbe\x5e\xc1\x6a\xe9\x8f\x2a\xa8\xea\xad\xae\xcc\x16\x9e\x97\xcd\xa0\xd5\xb5\x60\x2a\x91\xc1\x01\xb2\xe2\x83\xc0\xbe\x6c\x83\xab\xbe\x2e\x7e\x2e\x4c\xef\xe3\xbe\x22\x31\x21\x3e\xbb\x85\x88\x3e\x0a\x5b\x0b\x4a\x0d\x2c\x04\x72\x2e\xb6\x0f\xab\x23\x02\x3c\xf9\x1c\xa0\xab\x90\x8e\x4b\xb6\xac\x29\xa
7\x88\xfe\x9e\xc6\xb9\x9d\x75\xd5\x2f\x20\x3c\xba\x7d\x92\x48\x5e\xf9\x05\x55\xae\xd4\x10\x60\xfd\xd0\x36\xf4\x2f\xa8\x18\xcd\xf8\xb9\xaf\xe2\x6a\xfc\x1f\x27\x9a\x40\x29\x25\x4b\x12\xdd\x54\xda\x88\x2a\x13\x8d\x34\xaf\x15\x77\xe7\x8c\x1d\xd1\x92\x3a\x56\xa3\x69\xd8\x5d\x74\xfa\x59\xd4\x53\x2b\x85\x9f\x67\xe6\x5f\x3e\x67\xd6\x54\xe5\x7d\xde\x88\xcf\x7c\x23\xc9\x18\x2e\xc1\x5e\x95\x28\x3d\xbb\xa7\x99\x11\x16\x4d\xf2\xb4\x83\xbe\x5a\xdb\x7e\x60\x06\xfe\xb6\x9c\x67\x2c\x93\x8a\x81\x8b\x2b\x46\x36\xc9\x43\xb6\x8e\x8c\x93\x35\xa5\xfe\x2a\xa7\x42\x74\x02\x78\x51\x17\xde\xb2\xae\x7c\x16\xba\x0d\x05\xa5\x0d\x21\xcd\x7b\x65\x8c\xe0\x21\x40\xdd\x20\x84\x9a\xe2\x50\xbb\xb1\x0e\x96\x0c\x87\x21\xcf\x96\xd0\xe7\xd8\x1b\xbb\x21\xa5\x33\x58\xe0\xa4\x4f\x8d\x26\xb1\x0b\xf2\x4e\xda\x9b\x5d\x8c\xee\xf7\x10\xee\xc2\x5c\x0c\x3b\x31\x80\xc8\x59\x40\xf5\xb1\x5c\xc1\x3f\xe6\x8a\xd1\x9f\x7f\x0e\x9b\x4c\xc3\x97\x35\xb6\x86\x39\xf8\xfe\x46\x22\xdc\x78\x4d\x5d\x64\x70\xab\x9e\x32\x74\x0d\xb0\x2a\x9b\x67\x32\xac\xbb\xf5\x87\x67\x19\xf5\x57\xa4\xe0\xa4\x2c\x03\x6b\xb3\xf9\x72\xea\xa8\x62\xc5\x8f\xfb\xce\x08\xee\x0e\xa2\x1e\x74\xe8\x17\x57\x87\x05\xe4\xe2\x68\x3f\xeb\x6c\x61\x23\xee\x1b\x9a\xe1\xda\x94\xc5\xea\x68\x76\x3b\x03\x03\xc6\x39\x7e\x21\x69\x1a\x4d\x81\x54\xfd\x1a\xef\xdf\x39\x8c\x41\x36\x9e\xb8\x25\x5d\x9b\x84\x7f\x9d\x67\xcf\x5b\xb8\x08\x41\xf4\x68\xf7\xc8\x70\xf0\xe1\x94\xdc\xf2\x3a\x6e\x76\x42\xc9\x51\x4d\x12\x64\x32\xf4\xb6\x6b\xdb\x7b\x81\xb5\x43\x70\xca\x23\xa0\x5c\x22\x3c\x49\xc5\xb2\x68\x03\x76\x8b\xad\x60\x59\x48\x17\xbb\x98\xb5\xec\x27\x4d\x62\xe2\x64\xc5\x4c\xde\x98\x06\x37\x6b\x40\x5e\x9f\x7d\xe3\xd5\x9a\xe3\xce\x7d\xb4\xa6\x89\x85\xb1\xc1\xa1\x12\x22\xd1\xc2\x80\x9c\x96\xf7\xeb\x9a\x5b\xf4\xe5\x02\x66\xdf\x93\x5c\x90\x0a\x56\x8f\xe5\x79\xa6\xea\x47\x4f\x62\x35\x91\x96\x4d\xb4\x3a\xc6\x47\xde\x15\x91\x6a\xef\xac\xd3\x22\x23\x6f\xd5\x39\x77\xd6\x82\xee\xeb\x0d\xcf\x79\x8b\x6f\x2f\xf2\x2b\x36\xdd\x00\xd6\x4e\x51\x59\x9b\xda\xd7\x03\xa4\x2d\x1d\x20\xeb\x8d\x6a\x63\x85\xf6\xdb\x4
9\xf3\x4f\xce\x3b\x28\xe2\x85\x6f\x28\x28\xd7\x7c\x4d\x03\xd3\x4e\xb0\x8c\x33\xb7\x54\xbf\xe7\xf3\x9d\x0a\x34\x30\xa2\x13\xb9\x7e\x75\xc2\xc9\x75\x63\x5c\x79\xd3\x0a\xaf\x3d\xaa\x9a\x1e\x8c\xa5\x6f\xbe\x49\x9e\x77\x81\x18\xc7\xe5\x95\x4a\xc2\xac\x2b\xce\xa6\x9a\xda\xc9\x60\x09\xe1\xb5\xcd\x27\x98\x6c\x25\x42\x82\xbf\x07\x60\x74\x75\x59\xcb\x61\x2a\x1f\x61\x0d\xf0\x9b\xec\x5a\xa1\xf4\x1f\x7a\x3b\x2f\x0f\x2c\xb2\x85\x08\xe2\xb0\xca\xf2\x06\xbe\x81\x0d\x65\xb6\xc4\xfc\x2e\xf5\xec\x09\x8b\x27\x4b\x53\x68\x13\x06\x04\x16\x69\xab\xb1\x75\xe4\xec\x88\x98\x1c\x5a\x0c\x05\xa6\x46\xe5\xd9\x03\x43\xa0\xb1\xf8\x73\x37\x9c\xf1\x44\xc3\xc8\x79\x5c\xfd\x77\x59\x4b\x51\x6a\xb0\x2a\x40\x8e\x0f\xaa\x37\xfd\xf2\xde\x2e\x6f\x37\xfa\x03\x54\x0d\x70\xe5\xf0\x29\x77\x67\x08\x4e\xa0\x08\x6c\x13\x1a\xb5\xb2\x8a\xb5\x43\x97\x8f\x1d\x4f\x04\x29\x1b\x6d\xdd\xd7\x2d\x2a\xa9\xa2\x2a\xe1\x96\x97\x95\x03\x51\xa2\xf3\xda\x68\x97\x1d\x96\x36\xe2\x9c\x66\xd9\xfd\x61\xcd\xac\x7c\x81\x18\x93\x50\x44\x7c\x03\xc1\x46\xd0\xdd\xe5\x5a\x17\x91\x5b\x56\xff\xa9\xfb\xa4\x7e\x09\xba\xfe\x41\x2b\x6a\x8a\xe7\x20\xd9\x2b\x04\xa5\x5e\x65\x48\xb0\x03\x55\x06\xf8\x0f\xaf\x97\x08\x24\x79\x82\x09\x6d\xd8\x06\xe1\xe6\x98\xfe\x8f\x59\x0f\xcb\x00\x9f\xa8\x75\x86\xb0\x8c\xd2\x70\x97\xaa\x53\xd3\x08\x7e\x9f\x4c\x7a\x4e\xe5\x56\x49\x1b\x3d\xf6\x8f\xb4\x13\xa9\x2d\x7f\x78\x33\x65\xc6\xa5\xe1\xfc\xa5\xd9\x56\x3e\x19\x3e\xd2\x37\x9f\x99\x4f\x32\xe9\xa2\xc7\xa7\x22\x15\xc1\xe8\x91\x38\x57\x65\x94\x7b\x90\x86\xa5\x60\xd3\x73\xae\x19\xb8\x8e\x78\x15\x03\xb1\xb8\xb8\x01\xa8\xdc\xf5\xf6\x7d\x0e\x4b\x02\x12\xd8\x54\x48\x76\x94\xac\x76\x57\x2f\xa1\xe6\xf1\xfe\x71\x9c\xde\x5b\x27\x8c\x9c\xe3\x93\x8b\x27\x10\x60\x33\x5a\x57\x41\xba\xa0\xd7\xad\xc3\xde\x28\xe3\x7b\xee\xd6\xf7\x81\xf6\xf7\xb3\x21\xc5\x69\x33\x82\x83\x77\xa2\xff\x6d\xe2\xbf\xc2\x4b\x2a\x34\x72\xca\x50\x39\x37\x3d\x3c\xdc\x9a\xfc\x04\x0c\xe4\xe8\x94\xcf\xf8\x22\x54\xd9\xe4\xf4\xb2\x59\x98\xc9\xdc\x84\x70\x54\x63\xda\x8a\x03\xea\x41\x9c\x2e\x4c\x81\x2a\x9f\x04\xd5\x3f\x2d\xe
4\xfc\x2e\x3c\x1a\x08\xa7\x38\x9d\xdf\xb0\x82\x17\x64\xe7\x11\x05\xeb\x05\x88\x72\x08\x71\xf0\x08\x2c\xd9\x11\xf8\xed\xf6\x94\x95\x00\x72\xee\xbc\x64\x21\xbf\xc7\x1a\xf2\x76\x69\x10\x7e\x4b\x48\xac\x97\x13\x39\xe6\x9c\x46\xc4\xea\x5d\x50\x02\x8f\x14\x73\x5d\x84\xda\x04\x0a\x08\xd3\xc9\xd0\xe6\x4d\xee\x8b\xb6\x45\x00\x3b\xfc\x01\x62\xc3\xe1\x31\xd3\xdf\xcc\xf1\xa5\x16\x28\xbd\x59\xed\x49\x5b\x17\x7b\x41\x7d\x0c\xb3\x76\x53\x7d\x58\x16\x74\x1c\x25\x88\x5e\xc5\x67\x42\x15\x4e\x84\xa2\x6d\x9d\xe3\x76\xd6\x7f\xfb\xe2\xfd\xb4\x86\x9b\x6d\x87\x08\xa7\x35\x0e\xfc\x67\x2a\x48\xd6\x0a\x92\x8c\x99\x27\x53\xad\x4b\xd7\x45\xa7\x18\x9b\x3f\x94\xf4\x8f\x64\xc9\xf8\x6d\x9f\x0b\x22\xbf\x7a\x1d\xf2\x09\x6b\x46\xfa\xdf\x26\x69\x06\xf3\x94\xb1\xde\x65\x52\x92\x87\x85\xd6\x8d\x26\xb9\x6b\xda\x02\xe4\x9d\x5e\xca\x82\x84\x70\x0d\x50\x33\xb0\x06\x23\x66\xa6\xce\x4b\xe4\x4c\x76\x7d\x60\x81\x7b\x48\x76\x87\x48\x58\x2a\x5e\xd3\xdb\x60\x82\x91\xa5\xef\xa1\x01\x1b\x75\x8f\x99\x0a\xb3\xe4\xab\xed\xf5\x3f\x01\xb7\x00\xdf\xae\xb5\x87\xb4\xf4\x14\xd3\xfe\x3a\x87\x32\xe1\xf2\x15\xfa\x86\x9c\x7b\x2f\x8b\x7f\x4e\xac\x59\x7d\xa8\x17\x51\x70\x9b\xd1\x8e\xb0\x86\x9c\xe1\x14\x59\xf8\x76\x6e\x63\x32\xe9\x57\x10\x7a\x79\x1a\x64\x01\x10\x49\x48\x8a\x27\x32\x54\xf3\x3e\x0e\xcb\x44\x0e\xe4\x46\xe8\xab\x76\xf2\x4e\xc1\xf4\xcf\x7d\x31\x4a\x15\x8c\x51\x2b\x6a\x27\x31\x09\x93\x67\x76\x6a\xe4\x05\x35\x96\x7d\x63\xce\x07\x1f\x06\x8a\x7d\x3f\xbd\x48\x33\xa0\xc7\x8c\xea\x71\x27\x48\xa4\xbf\x23\x61\xd8\xf6\x03\x59\x59\xa6\xab\x08\xf3\xd4\x4f\x7f\x81\xfe\x74\xd9\x64\xd5\x8b\xb3\xcb\x60\x51\xc5\xe6\x8d\xc6\xe7\x1f\xec\xe4\xae\x85\xdd\xc8\x95\xb3\x16\xf4\x7d\x52\x08\x47\xdd\x84\x83\x17\xb6\x1a\x47\xa1\x3c\xe0\x6c\x30\xd1\x4d\x98\x52\x93\x8c\x6e\xe4\x5a\xd2\xeb\x1f\x19\xdd\xa1\x9b\x1f\x83\x56\x24\x41\xc2\xd3\x06\x11\x1f\x51\x1e\x40\xa8\xd8\x2b\x33\x4b\x2d\x98\x3c\x35\x4f\x2c\xf8\xa2\xe7\xa2\xfc\x13\x5a\x4a\x31\xda\x5b\x09\x29\xd0\xe0\xc3\xe1\xc9\xbf\xb2\xde\xbc\xd2\xfc\x9d\x05\x77\x26\x3c\x77\x71\xc6\x84\xd3\x4a\x6b\x02\xb
3\x1c\x52\xf4\x2e\x07\xfc\x1f\x42\xe7\x0d\x74\x00\x35\xe8\x0f\x0c\x38\x89\xd8\xd2\x8c\xdf\x11\x40\xe2\x10\xdf\xf5\xae\xb5\xaa\xab\xfd\x65\x5a\xc4\x6e\x03\xd1\x7e\x1e\x72\x27\x3e\xa0\x14\x15\x8c\xff\x2c\x8e\xf3\x70\x08\xb4\x4e\x73\xd2\xc6\x16\x86\x23\x49\xaf\xa5\xa1\x6e\xc6\xf1\x0d\x7f\x85\xfe\x4d\x95\xdf\x41\x6b\xdf\x00\x17\x48\xa6\x98\xa7\x94\x21\x92\x54\x9a\x4b\x86\x00\xf5\x38\x02\x91\xfe\xca\xb3\x74\xb5\x90\x26\x6a\x98\x0b\x2d\x38\xd0\x81\x7e\x11\x1c\xa3\x14\x47\xff\x7a\x33\xee\x30\x0b\x75\x83\xc8\x30\x50\xa5\x91\xcf\xb8\xc3\x83\x20\x36\x9b\x54\xb9\x62\x4a\xe5\xbf\xbe\x7a\x65\x73\x23\xe6\x4b\xb8\x90\xff\x4a\xbd\x85\xfb\xe8\xc5\x9a\x68\xa6\x16\xb0\x44\xdd\xc9\x77\x33\x60\x41\x33\x5f\xe1\xd2\x9e\x87\xdf\xc5\x63\xa0\xf7\xd3\x93\xca\x83\x53\xb3\x1c\xaa\x64\x1d\x11\x40\x10\x9d\x3f\x3d\x68\xbc\x4a\xc8\xd1\xa3\x2e\x03\x9a\x5a\x5a\xae\x4e\x95\xd7\xd3\x7d\x57\x37\xef\x2b\x99\x7e\x17\x86\x82\xbe\x27\xb0\xd5\xb9\xcb\x7b\xb3\x0b\xce\x28\xda\x9f\x9c\x29\x98\x80\xe1\x52\xd9\x0f\x6a\x05\x90\xfa\x28\x9a\xeb\x5c\x4b\x4c\x05\x0f\x7f\x48\x74\x4a\x1e\x3e\xd8\xb7\x06\xbb\x14\x37\x14\x63\x70\x52\x27\x75\xb4\xa8\x24\xef\x29\xae\x2d\x08\x54\x27\x9f\xef\x03\xa0\xea\x67\x3e\x25\x1f\x66\x97\x16\x6f\x36\x99\x60\x89\xb8\x8f\x48\x5c\x30\xdd\x49\xdf\x10\x21\xb1\xce\x79\x4b\xa4\x47\xe3\x61\x70\x4c\xa2\x0c\x53\xf2\x84\xfd\xc4\xfa\x1a\x1f\x40\xe5\xf7\x24\x0f\x27\x32\x13\xb6\x92\x0e\x9b\xfb\x8e\xe6\x9f\x93\x26\x16\xcc\xf6\x56\x49\x5d\x99\x87\x43\xd6\x1a\x08\x8e\x60\x59\xfe\x2f\xc0\x35\x72\xf1\xdf\xad\xfb\x51\x0c\x55\xf5\x18\x5a\xda\x91\x4e\x2a\x96\x62\x8d\x3e\xe5\xd6\xb0\x01\xcf\xd0\x45\x64\x6e\xf9\x36\x94\x82\x8f\xe8\xe0\x33\x3d\x9e\x85\x37\xab\x9e\x02\xec\x72\x17\x13\xb2\xb9\x74\x3e\x68\xf4\x2f\xff\x78\xab\xc0\xaf\xd4\xbd\xdc\x95\x17\x9a\xf1\x2c\x3c\x95\x08\x34\x9e\x65\x6a\xd5\x9b\xd6\x4c\xb6\xa4\xbc\x76\x42\xc6\x6e\xfe\xf2\x9a\x55\x00\x93\x70\x64\xde\x05\xe4\x9e\x2a\x81\xc5\x87\xe2\x28\xe0\xab\xa0\xc8\xa6\x87\x5c\x41\x06\x63\xa2\x22\xe5\x57\x55\x7b\xcb\x10\x54\x01\x25\x32\xe3\xe6\xd4\x83\x0d\x3
d\x9c\xa0\xeb\x68\x97\xba\x54\x05\xa3\x35\x50\x3f\x8c\xfe\x34\x5a\x20\xed\xee\x88\xa8\xb1\x43\xe2\x8c\x98\x2b\xb8\x36\xe0\xcd\xe0\xc6\xde\xab\xad\xbc\x11\xd8\xa6\x33\x50\xf1\x05\x0b\x71\xab\xcb\xd8\xea\xe7\xc2\x2f\xc0\x4d\x59\x72\x67\x48\xc8\x2e\xd4\x35\x95\xd6\x62\x55\xb6\xc3\x0f\x11\x1e\x3b\x5c\x9c\x12\xd9\x7a\x36\x8b\xe6\x72\xb0\xf0\xe5\x92\x98\x38\xfd\x82\x04\xb5\x5d\x0e\x51\x1a\x32\x90\x6a\xf5\xc3\x49\xcd\x64\x8a\x43\x98\x14\x77\x04\x56\x3a\x10\xd5\xd5\xf5\xa8\x6f\x8f\x1c\x88\xa2\x32\x4e\x56\xcf\x28\xd6\x3d\xaa\xc7\x25\xe7\xf9\xfe\x3d\x15\x04\xaa\x2d\x26\x90\x37\x60\xe2\x7e\x79\x6f\x7f\x7d\x33\xb9\x6e\xf0\x1e\x4e\x57\x24\x56\xfe\x47\x9a\x25\x23\xd3\x96\xe6\xcc\x88\xb8\xa8\xdc\x35\xf1\x55\xda\xed\xb3\xc2\x9d\xd2\xcd\x8a\xdf\x6d\xcc\x73\x2e\x5c\x58\x51\x1b\xd3\x89\x87\x83\x99\xc4\x32\xc1\xa4\x0d\xc0\x6e\x94\xe2\x4d\x66\xe1\xcd\xbb\x73\xcc\xa9\x92\xa3\xa6\x1c\x54\x5d\xd3\x47\xd0\xbe\x41\x41\xa1\xec\x23\xa6\xca\x84\x5b\xa1\xb5\x83\x96\xb4\x56\xee\x05\xe6\xbe\x7d\x7c\x9a\x0d\xea\xad\x66\x46\xd7\xa7\x79\x86\x88\x6d\x9e\xe7\x55\xc5\x88\x96\x50\xe9\xeb\xcc\x4b\x8d\xea\x33\x52\x1b\x65\x17\x1e\xc9\xd9\xee\xb4\xe7\x76\xd3\xd7\x1f\x52\x61\xd4\x51\xf4\x81\xb9\x0c\xfc\x65\x5f\x8c\xf1\xb6\x3d\xf8\x46\x7e\x0c\x1e\x2f\x9a\xf5\x75\x8e\xb5\x06\xaa\xce\xab\x4b\xb3\x59\x07\x82\x9e\x55\x41\x1e\xb2\x5b\x59\xcb\x70\xf9\xea\x06\xef\xde\xaa\xef\x61\x51\x15\x61\x84\xec\xea\xb1\xba\x65\xf4\x1d\xf3\x2b\x53\x46\xf5\xec\x03\xab\x19\x80\x7d\xf4\x84\x49\x88\x13\x34\xa6\x82\x9c\x39\x71\x69\x21\xfb\x7e\x5d\x05\x78\xee\xb3\xeb\x3b\xec\xb8\xff\x5e\x00\xfe\x84\x22\xb0\xc3\xb7\xbc\x77\xa5\xd3\x38\xbd\x0d\x4e\xf6\xa3\x41\xdd\x94\x1d\x92\x5e\xc6\xcd\x93\xf2\x89\x56\x6d\x80\x3f\xf2\xa0\x2a\x3e\xf8\xc8\xd8\x00\x52\x51\x8f\x9a\xfa\x30\xaa\xf0\xcb\x97\xea\x1e\xed\xb5\x27\xb1\x80\xdc\xb8\x03\x68\x05\x0b\x6d\xfb\x4e\xbe\x2c\xb9\x6d\x1e\x06\x84\x98\x6a\x85\xa6\xb6\xeb\xa2\x16\x60\xa1\x8c\x28\x24\x8c\xc0\xd4\xcd\xf5\xe0\x85\xc1\xfb\x61\x33\xda\x11\x69\xe5\x03\x6d\x35\xf5\x47\xeb\xc0\x61\x86\xb6\x95\xf2\x42\x7
1\xbd\x68\x0a\x39\x7d\x92\x35\x38\x12\x7f\x94\x8a\x2b\xa3\x6b\xf5\x29\x1a\x9c\xfa\x5d\xc5\x7a\xf9\x90\x1b\xb7\xef\x7c\x9c\x9d\x60\x00\x86\x37\x6a\x0d\xc6\x80\xe4\xe6\x7e\x17\x70\xe7\x24\x99\xb5\x83\x33\xaf\x89\x8a\x33\x2c\x78\x94\x95\x94\x28\x42\x4f\xe6\x1c\x0e\x0d\x8f\xd6\xc4\x6a\xf7\x9b\xdb\x23\xc8\x44\x94\x01\x58\x7b\xa1\x16\x56\x5c\x8e\x06\x0f\xb1\xaf\x55\x7c\xec\xda\xf3\xd1\x0d\x2f\x06\x5d\x7f\xfd\x53\xdf\xbe\x8a\xfd\x1c\x46\x90\x4c\xba\xad\x1b\xd8\xf1\x8e\xe7\x0a\xa4\x81\x1b\x27\x85\x74\x33\xe4\x75\xab\x5c\x5c\x62\x0a\x8d\xaf\x02\xbe\xf4\x02\x86\x49\x7b\xe5\x1f\x25\x32\xd4\x25\x90\x56\x69\xf3\xbe\x5c\xe7\xb7\x90\xe9\x45\xc2\x2e\x44\x6f\x0a\x36\x1e\x04\x3f\xd4\xa7\x6e\x53\xe3\xb0\x4b\x59\x05\xed\xa6\x3b\xce\xbb\x62\xe0\x6c\x6c\xc0\xe2\x54\xf2\xf0\xe3\x86\xbd\xd7\x30\xc5\x5a\x04\x07\xaf\x9d\xec\x14\x63\x3b\x5a\xc1\x5a\x33\xec\x52\x3f\x6a\x4a\x94\x54\xbc\x5a\xa2\x16\xe1\x43\xf0\xf7\x2e\xbb\xd6\xf5\xc0\x38\xd2\xee\x39\xad\x7c\xf3\x95\x6a\x3c\x47\x9a\x8a\x65\x3a\x90\x6a\x01\xf4\x86\x18\xe6\xa4\x7a\xdb\xa3\x59\x8e\x9c\x9e\x72\x5d\x53\x43\x9e\x0f\x17\x5f\xcd\x51\xba\x15\x16\x07\xa3\x35\x93\xf1\x25\x6e\x6b\x29\x68\x5a\x81\x3d\xee\x40\x3e\xc2\xb4\xfa\x09\xc6\xd0\xf4\xd6\x51\xe2\x37\x8b\x78\x04\x1f\x37\x24\x33\x47\xdc\x77\xce\x35\x14\xc6\x34\xe4\xf8\x3e\xa2\x97\x66\x5f\x16\xd6\x56\xa6\xdf\x91\x00\xbf\x65\x53\xd6\x69\xe4\x3c\x0a\xc2\xd8\x91\xeb\x77\x79\xee\x8d\x4f\x32\x11\xcd\x2a\x52\x7f\xd4\x15\xaf\x00\x04\xc2\xd5\xdd\xb6\x2a\x36\xde\xe9\x8a\xc1\x48\x96\x96\xc5\x56\x47\x6a\xca\x9f\x6d\xa9\xbd\x4f\x37\xac\xa8\x6b\x83\x86\x0a\x8d\xd9\x04\xbb\xe2\xc3\xd3\x7c\xfc\xd7\x68\xb5\x9d\x82\xa8\xc1\xbc\xef\xfc\x44\xed\xfb\x04\x73\x0e\xa5\x79\x16\xda\x94\xb4\xe8\xdb\xcf\x5f\x01\xb5\xa7\x18\x64\x6a\x56\xe6\x2a\x64\x74\x8a\x9e\x3b\x7b\x2f\x08\x0a\x2f\xb3\x51\x5d\xb5\x35\xc6\xac\xde\xf1\xd8\x58\xf6\x33\xb0\x80\xd3\x98\xc0\x06\xd7\x40\xf5\x9b\xfc\x06\x3a\xcb\xb4\x0f\xe2\x18\x3c\x55\x20\x89\x4d\xd5\xa4\x7b\xbd\xd9\x91\xf2\xca\x2e\x1d\x35\xd0\x40\x75\x59\x00\x16\xdf\xc8\x13\xa8\xf2\x72\x9
2\x6d\x66\x0b\x0b\xac\x47\xfc\x72\x97\xd7\x48\xd1\x64\x2d\xe8\x2c\x08\x24\x5c\x8a\x4a\xf3\x98\x26\x97\x1b\x06\xe2\x52\x56\x75\x9f\xc4\xae\xe3\xde\x98\x40\xc1\x4f\x99\xe8\xa5\x34\x04\xbc\xca\xe6\x13\xce\xdd\x72\xd3\x2e\x74\xc8\x7d\x8c\xad\x6c\xf7\x2f\xd2\x01\x8d\x5f\x3a\x79\x7c\x08\xcd\xda\xa2\xd9\xa5\xac\x5f\x49\xbf\x07\xb0\x45\xc4\x16\x9a\x88\x30\x46\x2c\x19\xb4\x00\x4b\x62\x83\x0c\x4b\xed\xca\x51\x61\x45\x1c\xe9\xc8\xac\x56\xf9\x73\xcc\x12\x0f\x7e\xad\xb2\x01\x0d\xe4\xbc\x3d\x71\x96\x47\xa8\xef\xb1\xa9\x5d\xc9\x3c\xce\x6e\xd2\xe2\x25\x5b\x85\x28\x21\x49\x1d\xcd\x30\x64\x0e\xeb\xae\x86\xec\xc0\x2e\x36\x5b\x46\x5d\xef\xb7\x36\x94\x17\x0d\x30\x33\x77\x59\x68\xa5\x3f\x27\x4f\xd1\xab\x8f\x38\x97\x81\x5a\xf3\xdf\xc8\x1f\xcd\xb7\xa3\xa6\xd1\x91\x7c\xab\x0a\x44\x69", 8192); *(uint64_t*)0x20004cc0 = 0x20002200; *(uint32_t*)0x20002200 = 0x50; *(uint32_t*)0x20002204 = 0; *(uint64_t*)0x20002208 = 0x8b20; *(uint32_t*)0x20002210 = 7; *(uint32_t*)0x20002214 = 0x1f; *(uint32_t*)0x20002218 = 4; *(uint32_t*)0x2000221c = 0; *(uint16_t*)0x20002220 = 6; *(uint16_t*)0x20002222 = 2; *(uint32_t*)0x20002224 = 0x7fffffff; *(uint32_t*)0x20002228 = 2; *(uint16_t*)0x2000222c = 0; *(uint16_t*)0x2000222e = 0; *(uint32_t*)0x20002230 = 0; *(uint32_t*)0x20002234 = 0; *(uint32_t*)0x20002238 = 0; *(uint32_t*)0x2000223c = 0; *(uint32_t*)0x20002240 = 0; *(uint32_t*)0x20002244 = 0; *(uint32_t*)0x20002248 = 0; *(uint32_t*)0x2000224c = 0; *(uint64_t*)0x20004cc8 = 0x20002280; *(uint32_t*)0x20002280 = 0x18; *(uint32_t*)0x20002284 = 0xfffffff5; *(uint64_t*)0x20002288 = 0x55; *(uint64_t*)0x20002290 = 0; *(uint64_t*)0x20004cd0 = 0x200022c0; *(uint32_t*)0x200022c0 = 0x18; *(uint32_t*)0x200022c4 = 0; *(uint64_t*)0x200022c8 = 2; *(uint64_t*)0x200022d0 = 9; *(uint64_t*)0x20004cd8 = 0x20002300; *(uint32_t*)0x20002300 = 0x18; *(uint32_t*)0x20002304 = 0; *(uint64_t*)0x20002308 = 0x40; *(uint32_t*)0x20002310 = 0xe62; *(uint32_t*)0x20002314 = 0; *(uint64_t*)0x20004ce0 = 0x20002340; *(uint32_t*)0x20002340 = 0x18; 
*(uint32_t*)0x20002344 = 0; *(uint64_t*)0x20002348 = 0x80000001; *(uint32_t*)0x20002350 = 0x787; *(uint32_t*)0x20002354 = 0; *(uint64_t*)0x20004ce8 = 0x20002380; *(uint32_t*)0x20002380 = 0x28; *(uint32_t*)0x20002384 = 0; *(uint64_t*)0x20002388 = 3; *(uint64_t*)0x20002390 = 9; *(uint64_t*)0x20002398 = 0x101; *(uint32_t*)0x200023a0 = 0; *(uint32_t*)0x200023a4 = -1; *(uint64_t*)0x20004cf0 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x60; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 9; *(uint64_t*)0x200023d0 = 0xf652; *(uint64_t*)0x200023d8 = 0x8d; *(uint64_t*)0x200023e0 = 0; *(uint64_t*)0x200023e8 = 0x3f; *(uint64_t*)0x200023f0 = 0x80000000; *(uint32_t*)0x200023f8 = 0; *(uint32_t*)0x200023fc = 3; *(uint32_t*)0x20002400 = 0; *(uint32_t*)0x20002404 = 0; *(uint32_t*)0x20002408 = 0; *(uint32_t*)0x2000240c = 0; *(uint32_t*)0x20002410 = 0; *(uint32_t*)0x20002414 = 0; *(uint32_t*)0x20002418 = 0; *(uint32_t*)0x2000241c = 0; *(uint64_t*)0x20004cf8 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 2; *(uint32_t*)0x20002450 = 0xa8f; *(uint32_t*)0x20002454 = 0; *(uint64_t*)0x20004d00 = 0x20002480; *(uint32_t*)0x20002480 = 0x26; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 8; memcpy((void*)0x20002490, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004d08 = 0x200024c0; *(uint32_t*)0x200024c0 = 0x20; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 6; *(uint64_t*)0x200024d0 = 0; *(uint32_t*)0x200024d8 = 0x12; *(uint32_t*)0x200024dc = 0; *(uint64_t*)0x20004d10 = 0x20004540; *(uint32_t*)0x20004540 = 0x78; *(uint32_t*)0x20004544 = 0xfffffff5; *(uint64_t*)0x20004548 = 0x81; *(uint64_t*)0x20004550 = 1; *(uint32_t*)0x20004558 = 7; *(uint32_t*)0x2000455c = 0; *(uint64_t*)0x20004560 = 5; *(uint64_t*)0x20004568 = 8; *(uint64_t*)0x20004570 = 6; *(uint64_t*)0x20004578 = 0x1ff; *(uint64_t*)0x20004580 = 5; *(uint64_t*)0x20004588 = 4; *(uint32_t*)0x20004590 = 4; *(uint32_t*)0x20004594 = 0xe8; *(uint32_t*)0x20004598 = 0x193; 
*(uint32_t*)0x2000459c = 0x7000; *(uint32_t*)0x200045a0 = 6; *(uint32_t*)0x200045a4 = -1; *(uint32_t*)0x200045a8 = r[4]; *(uint32_t*)0x200045ac = 3; *(uint32_t*)0x200045b0 = 9; *(uint32_t*)0x200045b4 = 0; *(uint64_t*)0x20004d18 = 0x200045c0; *(uint32_t*)0x200045c0 = 0x90; *(uint32_t*)0x200045c4 = 0; *(uint64_t*)0x200045c8 = 0x8612; *(uint64_t*)0x200045d0 = 5; *(uint64_t*)0x200045d8 = 3; *(uint64_t*)0x200045e0 = 0xb2f; *(uint64_t*)0x200045e8 = 0x20; *(uint32_t*)0x200045f0 = 0; *(uint32_t*)0x200045f4 = 7; *(uint64_t*)0x200045f8 = 0; *(uint64_t*)0x20004600 = 0x1ff; *(uint64_t*)0x20004608 = 2; *(uint64_t*)0x20004610 = 2; *(uint64_t*)0x20004618 = 0x1de; *(uint64_t*)0x20004620 = 0x5a; *(uint32_t*)0x20004628 = 9; *(uint32_t*)0x2000462c = 0xc46; *(uint32_t*)0x20004630 = 5; *(uint32_t*)0x20004634 = 0xc000; *(uint32_t*)0x20004638 = 0xddce; *(uint32_t*)0x2000463c = 0xee01; *(uint32_t*)0x20004640 = 0xee00; *(uint32_t*)0x20004644 = 0; *(uint32_t*)0x20004648 = 0x12; *(uint32_t*)0x2000464c = 0; *(uint64_t*)0x20004d20 = 0x20004680; *(uint32_t*)0x20004680 = 0x10; *(uint32_t*)0x20004684 = 0; *(uint64_t*)0x20004688 = 5; *(uint64_t*)0x20004d28 = 0x20004900; *(uint32_t*)0x20004900 = 0x2c0; *(uint32_t*)0x20004904 = 0xfffffff5; *(uint64_t*)0x20004908 = 0x8a; *(uint64_t*)0x20004910 = 4; *(uint64_t*)0x20004918 = 3; *(uint64_t*)0x20004920 = 0xfff; *(uint64_t*)0x20004928 = 6; *(uint32_t*)0x20004930 = -1; *(uint32_t*)0x20004934 = 8; *(uint64_t*)0x20004938 = 5; *(uint64_t*)0x20004940 = 0xca13; *(uint64_t*)0x20004948 = 0x81; *(uint64_t*)0x20004950 = 4; *(uint64_t*)0x20004958 = 0; *(uint64_t*)0x20004960 = 0xbbc; *(uint32_t*)0x20004968 = 0; *(uint32_t*)0x2000496c = 3; *(uint32_t*)0x20004970 = 0x34b; *(uint32_t*)0x20004974 = 0x4000; *(uint32_t*)0x20004978 = 9; *(uint32_t*)0x2000497c = 0; *(uint32_t*)0x20004980 = 0xee01; *(uint32_t*)0x20004984 = 2; *(uint32_t*)0x20004988 = 0x81; *(uint32_t*)0x2000498c = 0; *(uint64_t*)0x20004990 = 3; *(uint64_t*)0x20004998 = 0x80000001; *(uint32_t*)0x200049a0 = 
0x16; *(uint32_t*)0x200049a4 = 0xf97; memcpy((void*)0x200049a8, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x200049c0 = 5; *(uint64_t*)0x200049c8 = 3; *(uint64_t*)0x200049d0 = 0x100000001; *(uint64_t*)0x200049d8 = 0x10001; *(uint32_t*)0x200049e0 = 7; *(uint32_t*)0x200049e4 = 0x83; *(uint64_t*)0x200049e8 = 5; *(uint64_t*)0x200049f0 = 5; *(uint64_t*)0x200049f8 = 0x100; *(uint64_t*)0x20004a00 = 6; *(uint64_t*)0x20004a08 = 0xfffffffffffffbff; *(uint64_t*)0x20004a10 = 0xb533; *(uint32_t*)0x20004a18 = 0x800; *(uint32_t*)0x20004a1c = 0xad7; *(uint32_t*)0x20004a20 = 0x32f914fb; *(uint32_t*)0x20004a24 = 0x2000; *(uint32_t*)0x20004a28 = 0xe0; *(uint32_t*)0x20004a2c = r[6]; *(uint32_t*)0x20004a30 = 0xee01; *(uint32_t*)0x20004a34 = 4; *(uint32_t*)0x20004a38 = 0x64; *(uint32_t*)0x20004a3c = 0; *(uint64_t*)0x20004a40 = 4; *(uint64_t*)0x20004a48 = 0xfffffffffffffffc; *(uint32_t*)0x20004a50 = 0x16; *(uint32_t*)0x20004a54 = 6; memcpy((void*)0x20004a58, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004a70 = 2; *(uint64_t*)0x20004a78 = 2; *(uint64_t*)0x20004a80 = 7; *(uint64_t*)0x20004a88 = 0x8000; *(uint32_t*)0x20004a90 = 9; *(uint32_t*)0x20004a94 = 3; *(uint64_t*)0x20004a98 = 2; *(uint64_t*)0x20004aa0 = 7; *(uint64_t*)0x20004aa8 = 0x80000000; *(uint64_t*)0x20004ab0 = 8; *(uint64_t*)0x20004ab8 = 6; *(uint64_t*)0x20004ac0 = 0x400; *(uint32_t*)0x20004ac8 = 0xc932; *(uint32_t*)0x20004acc = 0x81; *(uint32_t*)0x20004ad0 = 5; *(uint32_t*)0x20004ad4 = 0x1000; *(uint32_t*)0x20004ad8 = 0xf841; *(uint32_t*)0x20004adc = r[7]; *(uint32_t*)0x20004ae0 = 0xee00; *(uint32_t*)0x20004ae4 = 0xff; *(uint32_t*)0x20004ae8 = 5; *(uint32_t*)0x20004aec = 0; *(uint64_t*)0x20004af0 = 4; *(uint64_t*)0x20004af8 = 0xffffffffffff3232; *(uint32_t*)0x20004b00 = 0x16; *(uint32_t*)0x20004b04 = 5; memcpy((void*)0x20004b08, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004b20 = 4; *(uint64_t*)0x20004b28 = 0; *(uint64_t*)0x20004b30 = 0; *(uint64_t*)0x20004b38 = 7; *(uint32_t*)0x20004b40 = 0x200; 
*(uint32_t*)0x20004b44 = 6; *(uint64_t*)0x20004b48 = 5; *(uint64_t*)0x20004b50 = 0x1020000; *(uint64_t*)0x20004b58 = 6; *(uint64_t*)0x20004b60 = 0x7f; *(uint64_t*)0x20004b68 = 0xce; *(uint64_t*)0x20004b70 = 0; *(uint32_t*)0x20004b78 = 0xa9fb; *(uint32_t*)0x20004b7c = 0xffffff81; *(uint32_t*)0x20004b80 = 0x3ff; *(uint32_t*)0x20004b84 = 0x1000; *(uint32_t*)0x20004b88 = 0; *(uint32_t*)0x20004b8c = 0; *(uint32_t*)0x20004b90 = r[8]; *(uint32_t*)0x20004b94 = 0x8de6; *(uint32_t*)0x20004b98 = 3; *(uint32_t*)0x20004b9c = 0; *(uint64_t*)0x20004ba0 = 2; *(uint64_t*)0x20004ba8 = 0xffffffff; *(uint32_t*)0x20004bb0 = 1; *(uint32_t*)0x20004bb4 = 5; memcpy((void*)0x20004bb8, "/", 1); *(uint64_t*)0x20004d30 = 0x20004bc0; *(uint32_t*)0x20004bc0 = 0xa0; *(uint32_t*)0x20004bc4 = 0; *(uint64_t*)0x20004bc8 = 0x3f; *(uint64_t*)0x20004bd0 = 5; *(uint64_t*)0x20004bd8 = 2; *(uint64_t*)0x20004be0 = 0; *(uint64_t*)0x20004be8 = 7; *(uint32_t*)0x20004bf0 = 6; *(uint32_t*)0x20004bf4 = 3; *(uint64_t*)0x20004bf8 = 2; *(uint64_t*)0x20004c00 = 0xf51e; *(uint64_t*)0x20004c08 = 0x65; *(uint64_t*)0x20004c10 = 1; *(uint64_t*)0x20004c18 = 0x8b; *(uint64_t*)0x20004c20 = 0x7f; *(uint32_t*)0x20004c28 = 0x100; *(uint32_t*)0x20004c2c = 9; *(uint32_t*)0x20004c30 = 0x24; *(uint32_t*)0x20004c34 = 0xa000; *(uint32_t*)0x20004c38 = 0x3f; *(uint32_t*)0x20004c3c = 0; *(uint32_t*)0x20004c40 = -1; *(uint32_t*)0x20004c44 = 0x40; *(uint32_t*)0x20004c48 = 3; *(uint32_t*)0x20004c4c = 0; *(uint64_t*)0x20004c50 = 0; *(uint32_t*)0x20004c58 = 1; *(uint32_t*)0x20004c5c = 0; *(uint64_t*)0x20004d38 = 0x20004c80; *(uint32_t*)0x20004c80 = 0x20; *(uint32_t*)0x20004c84 = 0xfffffff5; *(uint64_t*)0x20004c88 = 0x401; *(uint32_t*)0x20004c90 = 0x5b2; *(uint32_t*)0x20004c94 = 0; *(uint32_t*)0x20004c98 = 9; *(uint32_t*)0x20004c9c = 2; syz_fuse_handle_req(r[3], 0x20000200, 0x2000, 0x20004cc0); memcpy((void*)0x20004d40, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004d40); res = -1; res = syz_init_net_socket(3, 2, 1); if (res != -1) r[9] = 
res; res = -1; res = syz_io_uring_complete(0); if (res != -1) r[10] = res; *(uint32_t*)0x20004d84 = 0xb8ca; *(uint32_t*)0x20004d88 = 0x20; *(uint32_t*)0x20004d8c = 0xe7c; *(uint32_t*)0x20004d90 = 0x26b; *(uint32_t*)0x20004d98 = r[10]; *(uint32_t*)0x20004d9c = 0; *(uint32_t*)0x20004da0 = 0; *(uint32_t*)0x20004da4 = 0; syz_io_uring_setup(0x3e79, 0x20004d80, 0x20ffc000, 0x20ffb000, 0x20004e00, 0x20004e40); *(uint32_t*)0x20004e84 = 0x29dc; *(uint32_t*)0x20004e88 = 2; *(uint32_t*)0x20004e8c = 1; *(uint32_t*)0x20004e90 = 0x3d6; *(uint32_t*)0x20004e98 = r[3]; *(uint32_t*)0x20004e9c = 0; *(uint32_t*)0x20004ea0 = 0; *(uint32_t*)0x20004ea4 = 0; res = -1; res = syz_io_uring_setup(0x5336, 0x20004e80, 0x20ffd000, 0x20ffb000, 0x20004f00, 0x20004f40); if (res != -1) { r[11] = *(uint64_t*)0x20004f00; r[12] = *(uint64_t*)0x20004f40; } memcpy((void*)0x20004f80, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20004f80, 0xfffffffffffffff8, 0x240); if (res != -1) r[13] = res; *(uint8_t*)0x20004fc0 = 6; *(uint8_t*)0x20004fc1 = 0; *(uint16_t*)0x20004fc2 = 0; *(uint32_t*)0x20004fc4 = r[13]; *(uint64_t*)0x20004fc8 = 0; *(uint64_t*)0x20004fd0 = 0; *(uint32_t*)0x20004fd8 = 0; *(uint16_t*)0x20004fdc = 0x4404; *(uint16_t*)0x20004fde = 0; *(uint64_t*)0x20004fe0 = 0; *(uint16_t*)0x20004fe8 = 0; *(uint16_t*)0x20004fea = 0; *(uint8_t*)0x20004fec = 0; *(uint8_t*)0x20004fed = 0; *(uint8_t*)0x20004fee = 0; *(uint8_t*)0x20004fef = 0; *(uint8_t*)0x20004ff0 = 0; *(uint8_t*)0x20004ff1 = 0; *(uint8_t*)0x20004ff2 = 0; *(uint8_t*)0x20004ff3 = 0; *(uint8_t*)0x20004ff4 = 0; *(uint8_t*)0x20004ff5 = 0; *(uint8_t*)0x20004ff6 = 0; *(uint8_t*)0x20004ff7 = 0; *(uint8_t*)0x20004ff8 = 0; *(uint8_t*)0x20004ff9 = 0; *(uint8_t*)0x20004ffa = 0; *(uint8_t*)0x20004ffb = 0; *(uint8_t*)0x20004ffc = 0; *(uint8_t*)0x20004ffd = 0; *(uint8_t*)0x20004ffe = 0; *(uint8_t*)0x20004fff = 0; syz_io_uring_submit(0, r[12], 0x20004fc0, 8); memcpy((void*)0x20005000, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20005000, 
0x1000, 0x8600); if (res != -1) r[14] = res; *(uint64_t*)0x20005080 = 0; *(uint64_t*)0x20005088 = 0x20005040; memcpy((void*)0x20005040, "\x48\xd5\xa3\x40\x0d\x13\x5d\xd4\x91\x01\x61\x86\x7c\x99\x1f\xc7\xd6\x8d\x55\x14\x5f\xbb\xc5\xc4\x98\xb5\x8f\xba\x49\xbd\x01\xb6\x83\x86\x47\x33\x65\xa9\x13\x12\x72\xed\xe1\xd5\x3b\xc2\x85\x05\x1b\x85", 50); *(uint64_t*)0x20005090 = 0x32; *(uint64_t*)0x200050c0 = 1; *(uint64_t*)0x200050c8 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x20005080, 1, 0, 0x200050c0, 1); *(uint32_t*)0x20005100 = 1; syz_memcpy_off(r[11], 0x114, 0x20005100, 0, 4); memcpy((void*)0x20005140, "afs\000", 4); memcpy((void*)0x20005180, "./file0\000", 8); *(uint64_t*)0x20006640 = 0x200051c0; memcpy((void*)0x200051c0, "\xc5\xf6\xf4\x20\xae\xec\x38\x8c\xed\xec\x2b\x59\x7c\x81\x56\x53\x8c\xd4\x58\x60\x34\x19\x9f\x56\xf5\x94\x4d\xa0\x3d\x8c\xa8\x29\xf6\xc6\xb6", 35); *(uint64_t*)0x20006648 = 0x23; *(uint64_t*)0x20006650 = 1; *(uint64_t*)0x20006658 = 0x20005200; memcpy((void*)0x20005200, "\xf4\xee\x9e\xdc\x1b\xe2\xc2\xd8\x62\xa4\x80\xf3\x0a\xe3\x0d\xaf\xad\xfd\xf8\x69\xf7\x78\x9a\x45\x49\xf5\xa8\xda\xc0\x6f\xe4\xc5\xd5\xd2\xcf\x00\x66\xd8\x8b\xfc\xa6\xaf\x40\x74\x5e\xd6\x17\xb7\xa1\x46\xc9\x40\xde\x37\x50\x5c\xb9\x65\xea\xa1\x98\x2c\x8c\xa0\xec\x21\x06\xf4\x7e\x4e\x26\x5f\x1e\x19\x28\x5b\xba\x7e\xb5\x77\xf6\x00\x66\xb5\xf4\x6c\x62\xd2\xec\x00\x68\xed\xcb\xe6\x30\x0e\x4f\x1e\x3c\xce\x42\x9e\x45\xa7\xdf\x28\x7e\x80\x09\x84\x1d\xb1\x01\x51\x34\xee\xaa\x72\x43\x11\xe5\x51\x81\xcb\x7a\xfe\x7d\xfd\xc7\x94\x6b\xd1\x45\x23\xea\x66\x80\xea\x42\xca\x9f\x7b\x0e\xaa\xab\xe1\xd0\x54\x27\x7e\xff\x60\x7e\xf4\xf8\x40\x2e\x5d\xc3\x7e\x6a\x52\x8e\xc3\x56\x58\x23\xc0\x31\xa8\x46\x0e\x8b\x5f\x67\x06\x68\xf8\x6b\x90\xa0\x26\x04\x3a", 184); *(uint64_t*)0x20006660 = 0xb8; *(uint64_t*)0x20006668 = 2; *(uint64_t*)0x20006670 = 0x200052c0; memcpy((void*)0x200052c0, 
"\xba\xee\xde\x48\x17\x36\xd9\x0f\x0a\xa3\x6f\xb3\x27\x95\x6d\xd7\x63\x57\x8e\x20\x19\x9f\x0d\xc8\x5f\x18\x5c\x93\x06\x86\x6b\xa3\x3c\x93\xd2\xaf\x96\x13\xc9\x29\x09\xc6\x51\x25\x4e\x6a\x63\x50\x3d\xbf\x31\x7b\x02\x1c\x4b\x3c\x8d\xe3\x05\xd3\xde\x39\xa1\xad\x9a\xc1\xb0\xab\x3f\x51\xf6\x8c\x1a\xe1\xda\x3e\x4c\xc7\x44\xfd\x00\xdf\xa6\xd1\xb9\x6e\x21\x13\x40\x07\xd3\x1c\x93\x01\x38\x54\xed\x32\x55\x0f\x1b\x82\xa4\xc0\x3c\xa6\x74\x40\xd8\x65\x45\xdc\xd2\x9e\xea\x99\x27\x4f\x65\x57\x37\xad\x5a\x54\xd9\xe7\xf9\xde\xc4\x91\x29\xbb\x84\xbe\xb6\x2b\x18\x53\xf6\x9e\x6a\x07\x72\x09\xf7\xe5\x5c\xe0\xd5\x16\x86\xca\x76\x4d\x2c\xe3\x34\xcd\x6d\x09\xb5\xd9\x23\x57\xbd\xef\x60\xa6\x35", 169); *(uint64_t*)0x20006678 = 0xa9; *(uint64_t*)0x20006680 = 0; *(uint64_t*)0x20006688 = 0x20005380; memcpy((void*)0x20005380, "\x31\xf1\xfb\xee\x4b\x48\xe6\xe6\x9c\xb6\x1b\xd1\xcc\xc1\xe2\x13\xaf\x5a\x28\xe7\x4c\xff\xc2\xe5\xe8\x2f\xbb\xcd\x1c\x34\x00\xfa\xf3\x79\xd1\xa1\x94\xd5\x2a\x36\x67\xe2\x01\x9b\x9a\xec\x0e\x14\xfe\xed\x8f\xea\x77\x0a\x9a\x1b\xfb\xbc\x30\x99\x73\x21\xbc\xbb\xcf\x4d\x11\x5b\xb3\xd3\x26\x9e\x50\xbe\xca\x59\x82\xef\x1d\x22\xc9\x83\xd7\x86\x21\xdb\xaa\x93\xe8\x39\x5e\xfe\x31\xdf\xad\xed\xca\xde\xd0\x97\x6f\x5f\x0c\x7d\x4f\x17\xb6\xcc\x88\xb8\x97\xce\x5d\xdf\xf1\xad\xe8\xef\x2d\x62\xdc\xbe\xd4\x21\x58\x9e\x3c\xfb\x5d\x85\x50\xd3\x65\x1a\x99\x11\x5d\x6e", 138); *(uint64_t*)0x20006690 = 0x8a; *(uint64_t*)0x20006698 = 2; *(uint64_t*)0x200066a0 = 0x20005440; memcpy((void*)0x20005440, "\x78\x81\xb6\x81\x1e\xa2\xae\xc8\xf2\x7f\x7f\x7f\x52\x3c\xc4\xba\xca\x36\x52\xf7\x30\x3c\xd7\x48\xfb\x4e\xd8\xcc\x78\x3a\xc5\x78\xa9\xe8\x53\xa9\x90\x6a", 38); *(uint64_t*)0x200066a8 = 0x26; *(uint64_t*)0x200066b0 = 1; *(uint64_t*)0x200066b8 = 0x20005480; memcpy((void*)0x20005480, 
"\xc5\x05\xe1\x80\x5e\x72\xc2\x3f\x48\x9b\xb4\x5d\x55\x60\x79\x64\x53\x32\x08\x2b\x1b\x6b\xef\x7a\xdc\x39\xb0\x98\xe1\x73\xf4\x2f\xdd\x8d\x2c\x65\xce\xb6\x64\xad\xb4\x7d\xe1\x73\xdb\x5b\x34\x23\xe0\x2b\xfe\xe5\x83\x39\xfc\xb7\xd8\x5f\x2d\x1a\xcd\x1f\xed\x18\xda\x1c\xb7\xb3\xd2\x8d\x4e\x36\x8a\xa5\xf0\x2a\x89\x50\xaf\xd1\x9b\x0d\x60\x03\xc1\xfc\x54\x24\xd3\xe2\x8d\x4b\xf7\x90\x2f\xa3\xd9\x99\xb4\xf6\x23\x68\xc5\x84\x4f\x1e\x9e\x4d\x19\x5c\x65\x48\xc1\xa0\xe6\x14\x80\xc6\x1f\xe3\xfc\x89\x54\x81\x0a\x5c\x55\x19\xa2\x85\x0a\xff\x54\x44\xdf\xe3\x6d\x6c\x08\xfb\x25\x1d\x64\x59\x51\xca\x0a\xee\x8a\xe0\x9d\x52\x18\xce\x7d\x78\x3d\x4a\x62\x07\x0c\xce\x23\x1a\xb7\xc6\x30\x93\x1f\xbc\x78\x39\xba\x29\x79\x30\x5c\xab\xb4\x5f\x4a\xa2\xdc\x92\x49\x72\xfe\x3a\x5a\x80\x6c\x03\xc7\x41\x79\x3e\xb0\x46\xd5\x66\xef\x8d\xe1\xd0\xb7\x14\x50\xb5\x61\xba\x65\xb0\x14\x14\x29\xbd\x3e\x5a\x42\x06\xb4\x7e\xf0\x97\x27\x5e\xad\x1f\xe3\x12\x57\xa7\x23\xdd\xc5\x85\xc7\x03\xf5\xd0\xfc\xf7\xb2\x98\x13\x4d\x89\xd0\x3f\x47\x7a\xb7\xaf\x75\x6e\x3a\x4f\x9e\x1d\x06\xca\x01\xf2\xb7\x59\xc9\x55\xb8\xe8\xbf\xc1\xb8\x07\x01\x98\xb3\x30\xf5\x85\x8c\x69\x51\x61\x06\x82\xa3\xcb\xdc\xb5\x91\xf1\x39\xa7\x1e\x88\x3b\xb7\x69\x1c\xb5\x6b\xc0\xad\x95\xdd\x77\x4f\xdc\x11\x0d\x07\x5b\x3a\xcf\x5f\xbb\xb2\x27\x22\x79\x21\xe1\x0a\xa5\xb7\x3d\xa8\x1d\xca\x19\x66\x00\x37\x61\x20\x26\x6c\xc8\x4f\x0c\xc2\xee\x0f\xf3\xf6\xc7\x4b\x65\x6a\x61\xb5\xf5\xae\x6d\xab\x4a\x9c\xe8\x4c\xb9\x7c\x0b\x90\xe7\xa0\xd0\x78\x28\x81\x9e\x2b\xdd\xb1\xa7\x27\x7c\xaf\x68\x71\x95\xec\x83\x64\xd8\x52\xb9\x86\x43\xf5\x55\xdc\xa6\xad\x72\xd6\x80\x64\x3f\x29\xc3\x22\x57\x5f\x2e\x57\x11\x34\x3f\x8a\xa2\x4d\x7d\xeb\x87\xd3\xac\xe4\x82\xbc\x05\xdc\xd5\x28\x83\x38\xb5\x84\x99\x4a\x09\x0c\x45\x1a\xbb\x28\x4c\x01\x04\xc5\xf3\x79\x08\xeb\x33\x07\xd6\x5e\x79\x2b\x4f\x25\x86\x00\xde\x77\x07\xc8\xb1\x54\xff\xd5\xf5\x6d\x7a\x17\xc6\x2f\x09\x28\x28\x51\x6f\x82\xea\x4a\x12\x6a\x2a\x36\x0c\x70\x31\x08\x77\x0c\xc7\xe7\x50\x5c\x8e\x18\x0c\x5f\x37\x6d\x0d\xba\xf1\xe1\x8
5\xa5\x04\xed\x01\x3b\x0b\x16\x24\x83\xf9\xe2\xa3\xbe\xc7\xd6\x83\x30\x82\xac\x95\x4e\x8f\x5e\x31\x84\x37\x2e\x05\x08\xad\x7e\x0f\xb4\xb2\xf1\x20\x1a\x35\x88\x2a\xda\x41\x5d\xfd\xb3\x65\x87\xe8\x87\x95\x10\x1f\x9d\xc6\xc0\xd2\x6b\xbb\x64\x24\x21\xdb\x09\x73\xef\x28\x3c\x2b\xea\x7f\x5c\x9c\x35\xeb\x13\xea\x5a\x97\x42\x85\x2f\x08\x3e\x44\x32\x82\xcb\xad\x94\x7e\xa0\x5d\x3f\x99\x8b\xf3\xf8\x60\xcd\x12\x5b\x26\x6e\x1f\x3b\x84\xc4\xe6\x2b\x4e\x49\xae\x7f\x85\x2d\x57\x8e\xab\x24\xa0\xc5\xe4\xc6\x09\x28\xb6\x99\xc7\xb6\x8c\x63\x28\xf3\x2c\xa3\x71\x5b\x94\x00\x55\xb6\xad\x04\xf9\x94\x16\x55\xdc\xfa\x91\xdc\x4d\xf0\x21\xa7\x45\x04\x51\x9f\x0a\x7d\xf1\x0d\xb5\x05\xda\x8c\xa4\xa0\x52\x58\x04\xdf\xd9\x0a\x31\xbb\xa6\x48\xbe\xe5\x7b\xcc\xd6\xcd\x9a\x59\x6e\xb9\x45\x86\x7e\x02\x31\xfa\xfb\x66\xc5\x01\x7b\x29\x79\xad\xe5\xdf\xcf\xb2\x4c\xb5\xc7\x88\x15\x11\x18\x56\x04\x90\x6d\x1f\x20\x1a\x12\x64\xa5\x4c\x20\xc1\x73\x90\x1d\x32\x5f\x5c\x2b\x0e\x0f\xff\x22\xc6\x83\x4d\x07\x0c\xbe\xdc\x8a\xe6\x6f\x2f\xce\x84\x88\xd7\x7b\x1f\x92\x57\xa9\x1a\x00\x1e\xda\x07\x55\x56\xc2\x3e\x7a\xdb\xde\x0c\x99\x4b\xd6\x98\x0c\xbd\xb3\x44\xd0\x4e\xfd\x2a\x3f\x4e\x73\x26\x20\x26\x0d\x15\xf6\x08\x4c\xca\xb9\xb2\xf1\x3b\xf5\x47\x82\xeb\x2f\x56\x89\x19\xe0\xae\xfc\x06\x3f\x3f\x2a\xf6\xbe\xb8\x19\x15\x9c\xfd\xb0\x53\x4e\x79\xe0\xcd\x74\x51\x5b\x52\x8c\x82\xce\xfa\xec\x85\x47\xd0\x5f\x08\xb0\x04\x24\xa0\x2a\xbb\x0f\xe2\x0d\x30\x55\xd3\xb9\xd9\x7e\x8b\xad\x3a\x7b\x22\x02\xb8\xef\xfc\x5d\xa0\x55\xf4\xeb\x18\x27\xdc\xb1\xde\x57\xde\xfc\x3c\xcb\xe7\xc3\x02\x79\xa3\x04\x11\x96\xa9\xf0\xb1\xa7\x44\x91\xc0\x7b\x9a\x1a\xf0\x40\xe5\x3e\xc7\x1a\x91\x10\xe2\x0f\x32\x09\x2a\xdd\xcd\x05\x8a\x15\x07\x9b\x71\x8f\xac\x59\x4d\x8e\x75\x13\x9b\xc9\x26\x0f\xf6\x56\x47\x25\x0f\xd7\xce\x6b\xdb\xc3\x05\xc0\x79\xc5\xcc\x2f\xe6\xcd\x1f\xca\x99\x3e\x85\x30\xe0\x37\x38\x83\x90\x08\xdc\x65\x8f\x22\x66\x4e\xea\x77\x06\xf6\xad\xa2\x4c\xa1\xa2\x2e\x83\x0a\xad\x64\xf4\xdc\x44\x38\x7d\x83\xad\x42\x88\xf4\x46\x72\xd9\xa0\x55\x59\xfb\x29\xc6\x6
f\xe6\x67\x9e\x97\x9f\x86\xee\x31\x67\x5f\x50\x1d\x95\x81\x47\x96\x61\x29\x08\xd1\xf7\x03\x7b\x69\x0b\x94\x81\xfb\x68\x7f\x2d\x52\xb5\xa3\x73\x51\x5f\x62\x07\x59\x36\x04\x2a\x0e\x9d\x10\xc9\x11\x14\xa9\xe7\x4c\xa7\xac\x76\x55\x8f\x73\xfa\x26\xfe\x9d\x14\xde\xa8\x5d\x4c\x9f\xae\x1f\x6c\x53\xbb\x76\x8b\x14\x57\xa7\xf8\x9b\xcb\xf9\x0e\x70\x69\x75\x37\x67\xf0\xc1\x90\x21\x63\xe4\x00\xaf\xdd\x91\xec\x2d\xac\xbe\x68\x0c\x7d\x64\x54\xa0\xf1\x73\x49\x0b\x6b\x1e\xd4\x88\x1e\x82\xcd\x79\xd6\xb8\x91\x61\xd8\x7f\x4f\x27\x0d\xea\xde\xbe\xb3\x51\x07\xc1\x9c\x7a\x6d\x54\x08\xe6\x0b\x32\x5c\x64\xdb\xb9\x98\x3b\xfa\xf0\x30\x6f\xac\x8a\x0f\xb3\x24\xaf\x5d\x69\xc2\x1c\x62\xa8\xb5\xe2\x57\xa4\x8d\xe0\x69\x22\x6a\xb2\x9a\xee\xad\x17\xfa\x45\xf3\x84\x75\x0f\x8b\xba\x1d\x46\xe0\xa4\x12\x78\x07\xe1\x0d\x15\x70\xda\x63\xb2\x02\xee\xb7\x15\x38\x6a\xfe\x3d\x8b\x17\x47\xca\xa6\xa4\x14\x16\xdd\x65\x52\x4d\x22\x28\xea\xaa\xd1\xa6\x1b\xff\x8d\xb8\xbe\x75\x2c\x45\xae\xca\x76\xde\xa3\xaa\x68\x08\x36\x4c\xf7\x58\xdc\x87\x03\x41\x7a\x49\xb9\x3e\xca\x5a\xd0\x9d\x63\x30\x3a\x4a\xc3\x78\xaa\xd3\x4a\x08\xde\xcc\x4a\x72\x0c\x3e\xea\xf8\x8a\xce\x0a\x72\x90\x0b\xc3\xdd\x40\x2c\x12\x2d\x00\xd5\x6b\x51\x72\x35\xae\x91\x12\x83\x2d\x63\x7b\x93\x17\xb6\x1f\x9d\xcb\x0c\x48\xe7\x28\xe8\x50\xdf\xd5\x26\x26\xdb\x29\x6a\xad\x77\xb9\xc7\xcd\x91\x67\xf3\x19\x47\x47\xc0\x11\xa5\xfb\xda\xbc\xa9\xca\xbd\x2f\x6b\x75\x81\xf9\xd9\x1c\x63\x66\xd5\x26\xb1\x68\x3e\x3f\xee\xfd\x0f\xe3\x0f\x53\xe7\xcb\x7d\xe4\x1e\x89\xe4\xe7\x43\xef\xea\x39\x44\xea\x8a\xfd\x9f\x77\x8a\x7f\x06\xbf\xb0\xef\x23\x86\x48\xc2\x1c\xed\xfd\xd8\xb7\x6e\xed\x76\x57\x74\xd7\xa4\x90\xb0\xee\x46\x4e\x44\x88\xa9\xc3\xdd\x21\xc7\xba\x2e\x63\xa3\x1a\xe3\x8f\xfa\xb2\x09\x46\x0b\xa9\x3a\x62\x02\x9d\x8f\x2a\xde\x13\x77\xb5\x34\x38\xb0\x51\x90\x12\x27\x39\x82\x72\x63\x9f\x12\x4d\x42\xb5\x55\xd5\x91\xa6\x65\x5f\x73\xf6\xc4\x6c\x51\x4c\xf3\x2a\xe4\xc6\x04\x6c\x38\x04\x07\xf7\xd9\xcf\x3c\x14\x1b\xdd\x94\x69\x13\x84\x95\x8e\x67\x17\x8f\x81\x6a\x63\xe4\xcc\x18\x9c\x52\x1
6\x38\xdc\x7a\x28\xd2\xaf\xb6\x12\x84\x76\xe4\x08\xee\x85\xb9\x9a\x12\x61\x29\xc5\x5e\x67\x9c\x0b\xdc\xeb\xd9\x66\x98\x17\xe9\x45\xb0\xff\xfa\x61\x5a\xb9\xce\xf2\xf8\x59\xe0\xac\x38\x25\x36\x11\xfe\x63\xbd\x57\xfd\xf0\x3f\xb0\xd6\x5c\x1c\xc6\x5d\xf2\x65\x38\x59\xfc\x59\x4f\x9a\x3e\xb3\x79\xd1\x17\xda\x82\x8a\xc5\x58\x6b\x3f\x6d\x3b\xcc\xf1\xd5\x4c\x45\xbc\x1a\x5f\xa4\x5e\xd7\xad\x36\x6c\xff\x39\xa6\x32\xbd\x4d\x14\x70\x0d\x30\xf7\x0c\x99\x72\x5c\x2f\xb8\xee\x97\xcb\xc5\x9f\x8e\x5b\x64\xfa\xc8\xfe\x2f\x83\x60\x41\xbb\x57\x08\xa3\x64\x0b\xbc\x67\xf9\xd0\x9a\xc1\xfd\x36\x46\xa6\xf7\x44\x6f\x48\x15\x98\x9b\xb0\x41\x9c\x94\xb0\xa6\xfc\x97\xd0\xfd\x9e\x51\x90\xe7\x24\xd7\x54\x82\xcc\x1e\xb4\xc0\x77\x53\xb0\x1c\x42\x02\xc4\xd0\x9d\x00\x6b\xd6\xbd\x92\xb3\x3c\xd4\x0d\x8f\x1b\xf7\xea\x73\x9a\x68\x6f\x8d\x3a\x12\xdf\x2f\x7c\x57\x8a\xd2\xe0\xc1\xb2\x9c\x04\xf2\x82\x85\x70\x45\xed\x90\x38\x28\x30\xcf\x0f\x2f\x2c\x8d\x22\x07\x3e\xde\xc3\x1d\xd2\x57\x30\x0b\xa6\x7b\xec\x88\xa1\xe7\xa5\x58\x0f\xdd\xe5\x01\x98\x79\xf6\x96\x2d\xa5\x0d\x75\xc6\xfd\x13\xa1\x9e\x35\x8e\x13\x41\x35\xdb\xb8\xb4\xbe\xed\xbe\xd1\xcc\x5f\x8f\x20\x34\xee\x29\x7f\xf6\x9b\x9d\xb3\xe0\x05\xe5\x9f\xd5\xea\x22\xba\x51\xbd\x8f\xeb\xde\x9f\xf9\xf6\x5a\x21\xda\x5e\x13\x5c\xa8\x86\x07\x31\xc4\xde\xe9\xc3\x3c\x7e\xdb\xa5\x08\xd2\x6d\xdb\x55\x92\xfd\xf9\x85\x06\x70\x2f\x99\x80\x37\xe6\xb4\x18\xc5\xc7\x83\x62\x43\x48\xf5\x7d\x2c\xf2\xcd\x8f\xb8\x37\xc6\x18\x53\xf5\x16\xc6\x8e\x76\x58\x29\xfe\x2f\x74\x11\x66\xa7\x4a\xfd\x1e\xdc\x90\x97\x1c\x4e\xda\x7a\x6a\x18\xd8\x5d\x54\xba\x87\xf9\x09\x5b\xd1\x62\x6b\x9b\x90\x0c\xf6\xfe\x05\xee\xb1\xb4\xf0\x05\x99\xb6\xe8\x38\x1f\xe2\x8d\xe8\x51\xe1\x9a\x02\x52\xef\xde\x6c\x57\x99\xf5\x6e\xc2\xd6\x1c\xc6\xff\x5d\x1e\xb6\x5e\x9d\x8e\x05\x45\xa9\x2e\x6b\x98\x66\x27\xc7\xf9\x71\x69\x42\x10\xe0\x88\xb7\x84\xbe\xaa\xba\x64\xd2\xab\xe4\x44\x1c\x7b\x14\xfc\x8d\x2a\xda\xfa\xc7\x82\x34\xed\x72\x59\x9c\xc4\x16\xc0\x47\x75\x0b\x24\xac\x3c\x9a\xa4\x69\x0c\x05\x77\x04\x9d\x80\x5b\xae\x79\x92\x2c\x1
d\x29\x66\xd9\x75\x2c\x55\x1a\x91\xa9\xfb\xc0\xbb\x95\xc2\x3a\xcc\x2a\x90\x68\x35\x31\xa5\x9f\x30\xfc\x1d\x10\x79\xbd\x9f\xc0\x7f\x0d\x09\xbd\xdc\x01\x37\x2b\xa2\x6c\x13\xef\x30\x6a\xf3\x25\x6f\x23\x5d\x72\xb7\x59\xb6\x61\x8c\x1e\x09\xe8\xdf\x69\x35\xdb\x77\x45\x3b\x49\x96\xb0\x15\x2a\xe1\x37\xd1\xca\xdd\xbd\x5f\x8e\x12\x62\x1a\x54\x81\x55\x43\x45\xdf\xbb\x7e\x2c\x50\x03\x71\x34\x6f\xea\xfd\x5d\xc0\xf6\xe2\xc5\x9e\xa2\xc2\x45\xd1\x5d\xb2\x0e\x87\xc7\x7b\xd9\x08\xd9\x28\x50\xe4\x03\xe5\x8c\xdf\xf0\xe2\xfc\x25\x7f\xf0\x00\xf3\xb2\x68\xdc\xf1\x41\xe7\x75\x25\x10\x61\x08\xa4\xb6\xed\xcf\x89\xf1\xfc\xfb\x12\xa0\xa0\x2a\xd7\xc0\x12\x12\x84\xea\x49\x0c\xa7\xbf\x87\x61\xee\xff\x5b\x37\x5e\xeb\x0a\x03\x8a\x44\x4d\x2f\xb9\x50\xf9\x65\x17\xad\xa9\x4c\xd9\x6f\x8d\xbb\xd0\x42\xa4\xde\xb1\x88\x21\x7b\x7b\x9d\xad\x94\x8b\xb5\x98\x43\xc0\xc3\x92\xbd\x9e\x79\xc8\x5d\x34\x61\x6b\xcd\x99\xfb\xff\x77\x53\x7d\x23\x4c\x05\x1e\x5e\x9a\xa9\x13\xc7\x7c\xbd\xcf\x53\x96\xce\x3f\x06\x83\xe9\x2e\xbd\x0c\x1b\x99\xfb\x5c\x66\x3f\xb9\x7b\x6d\xc2\xd4\x35\x54\xaa\xa9\x9a\x27\xab\x99\x17\x2b\xac\x17\xe3\xbc\x04\x4d\x3d\x2e\xf8\xf8\x73\xcf\x52\x21\x4e\x71\xd7\xd7\xc5\xff\x9d\xc7\x91\xd4\x0c\xee\x37\x53\x6d\xd1\x2b\xa0\x95\xb4\x8a\x34\x19\x75\x78\x4a\x16\x14\x17\x5a\x1f\xc4\x9d\xc2\x10\x2b\xa5\xc2\x74\x16\xdf\xf8\x27\x9e\xa3\xf2\xc4\x47\x39\xb8\xef\x99\x61\x69\x9a\x4c\x79\x28\x59\xce\xe8\x81\x11\x43\x78\x46\xc9\x45\x01\x75\xb8\xba\x2a\x32\x67\x57\xdc\xbf\xd5\x51\xac\xd1\x5d\x78\x37\x32\x83\x8b\x9c\x92\x4e\x09\x23\xfb\x79\x5b\x77\x04\xbf\x1c\x84\xdb\xe6\x56\x9c\x0d\xf7\x02\xa7\x47\x7f\xa0\x99\x6d\xe5\xd6\x81\xd1\x0f\xa2\xaa\x52\xb1\x42\x53\xba\x91\x3a\xde\xcf\x47\xea\xbf\x1b\x01\x5e\x73\xd6\xba\xb5\xdb\xe5\xd5\xdd\x1e\x06\x7c\xc9\xe4\x80\x60\x40\xdb\x09\xa1\x44\x8e\xd2\x1d\x98\xdc\x6f\x45\x9f\x22\xc9\x51\xc7\xb0\x72\x01\x46\x77\x91\x09\x7b\x39\x04\x10\x36\xa5\x0e\xc5\x59\x6b\x6d\x28\xe1\x4b\x79\xaa\x12\xbe\xfa\x32\xff\x95\x62\x9d\x53\x2a\xda\xed\x53\x42\xc8\x4d\x39\xc8\x22\x53\x82\xf9\x81\xae\x4f\x85\xb
7\xa1\xae\x6b\x90\xa8\x18\xb6\x2d\x71\xbf\x59\x2f\x84\x27\x3f\xa2\xcc\xbb\xa6\x5d\xfc\x34\xfd\xaf\x56\x1e\x26\xd3\x07\xb7\x43\xf8\x2b\xc7\x6f\x99\x85\xc9\x50\x76\xc8\x3a\x1d\x28\x65\x32\xb8\xd5\x95\x20\xbf\x6c\x40\xbc\x63\x5f\x51\x60\x8f\x49\xbd\x47\x82\xf6\xa6\xb7\xd3\x7c\x6f\xe8\xe5\x27\x2e\xc0\x8f\x85\xfb\x9b\xaa\x66\xbd\x70\xb1\xdb\x70\xdf\x0b\x12\xce\x35\xd8\xe1\x5c\x18\x7f\xec\xfd\x9f\xa3\x41\x72\x1f\xf6\xb2\x4a\x1b\xb6\x8b\xd0\x74\xc2\xa5\x7d\x74\x60\x91\x7d\xd2\xff\x0d\x08\x04\x11\x2b\x05\x20\xf0\x5c\xd7\x07\x87\xd8\xdc\xe6\xcb\x69\x71\x1e\xf7\x45\x3b\x40\x67\x9e\xc9\x7a\xac\x90\x0e\x69\x8c\xe1\xf8\xe5\x8b\xa7\x38\x59\x0d\xf5\xc4\x58\x8e\xc6\x50\x68\x80\x02\xa2\xc1\x4e\xc6\x0c\x58\x38\x5b\x68\xdb\x23\x8b\x8c\x5b\x18\x9b\x2f\xd5\xfd\x21\x36\x55\xe0\xc8\x19\x00\x94\x97\x64\x02\x2d\x22\x77\xb0\x38\xce\x7d\xbd\x00\xd1\xec\x66\xe2\x31\x95\x63\x6a\x39\x21\x53\x26\xea\x45\x2a\xd0\x89\x9a\x52\x2a\x7a\x77\x96\x5b\x2a\xe6\x0d\x5b\x25\xff\xc6\x4d\x1d\xd5\x04\xd2\x8c\x61\x1f\x38\xce\x5c\x3a\xa3\x4c\x4f\x6c\xdd\x1b\xd7\xe9\x65\xe3\x68\x77\x11\x89\x34\x65\x06\xe3\xcb\xba\xf7\x45\x3f\x03\x9c\x6a\xeb\xdf\x77\xa1\x38\x75\x49\x9d\x7d\xb3\xe0\x8f\x9c\x31\xd3\x53\x07\x49\x0e\x6d\x3c\x11\xee\x69\x77\xe6\x69\xcb\x1a\xa6\x42\x0d\x46\x19\x55\x05\x0e\x0c\xfb\xe0\xbb\x23\xd1\x31\x9e\xf3\x54\x21\xd8\x0e\x56\x5e\x5f\xc9\xb3\x0d\x6d\x0a\x4d\xa0\x54\x40\x61\xe6\x44\xeb\xa5\xb4\x7b\xc4\x8e\xce\x8b\x7f\x85\xd8\x23\xc9\x8c\x4b\xd6\xcd\x46\x4a\xcc\x49\xa2\x9b\xb6\x92\x6d\x2a\x95\x97\xc6\x4e\xdb\x8a\x4b\xa2\xca\x2d\xd7\xba\xd8\x0d\xa3\xba\x9d\xf1\x43\xb2\xb3\xcb\x44\xd6\xe5\xce\x04\xaf\xf3\x97\xf5\xfc\x4b\x0f\x5a\xf4\xaa\x07\x87\x61\x1e\xfc\x52\x11\xbb\xb4\x8b\x7e\xb3\xe1\xd4\xcb\x54\xac\x2b\x9d\x0d\x9d\xa7\xff\xbd\x18\x51\x35\x94\x67\x4b\x53\x0e\x8a\x20\x6f\x9b\x04\x2b\xe8\x13\x86\x81\x92\x29\x50\x5d\x35\xce\x04\xa1\xe1\xe0\x30\x4a\xb5\xdb\x61\x88\x47\x20\xf5\xbf\x6a\xe9\x10\xd4\x8b\x9a\xaf\xe2\xbc\x5a\x1a\x4f\x4e\xda\x0f\x61\x5c\x8d\x0d\x68\x2a\x55\xa5\x2f\x0d\x40\xe1\x38\xc8\x8c\x42\x99\xa
a\x1b\x10\x04\x40\x01\x68\xde\x6a\xc8\xaa\x18\xfe\x60\x29\xbf\x63\xc6\x40\xef\x7f\xb9\x1b\x56\xa5\xab\xc2\x43\x97\xd1\xb2\xcf\x3b\xc0\x87\x7e\x8d\x52\x19\xe5\x67\x23\xa6\xc4\x98\x89\xcd\xd5\xba\x03\xc8\x4f\xbc\x41\x5a\x3e\x9b\x65\x2d\x26\xe2\xd6\x13\xc3\xdc\xce\x41\x4e\x1f\xa3\xe2\x20\xb3\xc2\xe3\x53\x91\xac\x65\x20\xed\x1f\x05\x14\x88\x05\xa4\x6e\x99\x34\xe5\xfe\xbf\x84\xe1\xbb\xa2\x5b\xa1\x30\xa9\xe0\x58\x4b\x62\x5d\xf2\xc2\xee\x4e\xc0\xd1\x0a\xff\xfa\x19\x17\x73\xd4\xf4\x12\xf5\xca\x22\x51\x93\xca\x27\x88\x7f\xd4\x7c\x9c\x69\xf2\x1d\xa9\x52\xf9\x8a\x99\xf2\x05\x31\x4c\x18\x2b\x00\x14\xdd\xe7\x56\x3d\xed\x90\xe3\x38\xda\x5d\x5e\x83\x6f\x16\x2b\x96\x37\x75\x17\xc2\xf6\x75\x8d\x9b\xb4\x1e\x8b\xc9\xdd\x8f\x2e\xb5\x21\xad\x81\x4e\xac\x65\x1a\x48\xef\x64\xbc\x45\xab\x60\xbf\xf9\xd2\xe6\x7f\x03\x18\x3d\x04\x4e\xd4\x37\xa8\xbd\x73\x04\x3d\x6a\x8a\x51\x90\xfb\x5c\xd5\x2c\xfe\x06\x89\xe2\xda\x08\xcd\x11\xaa\xe6\xf2\x5c\x50\xd6\xcc\xbd\x5f\x4e\xa7\xce\x9b\x51\xb5\x79\x46\xaa\x92\xf4\x1e\xfd\xc2\xb9\x19\xc8\x87\xa0\x70\xc5\x19\xef\x60\x0f\xe1\x4d\x67\x66\x4e\xd7\xfc\x21\x1a\x09\xe9\x12\x9b\x13\xa7\x02\x4f\x2f\xeb\xc3\x01\x05\x81\xda\x84\xb4\x4b\xbe\xdf\xdc\x1f\x54\xb6\x3c\x8c\xfa\x8c\x8b\x5c\x98\x66\x49\x33\x3e\xee\xaa\xf5\x3e\x8b\xe8\x63\x24\x23\x78\xb0\xff\x6c\xff\x6b\x1d\x6e\x02\x70\x10\x68\x44\x84\xc6\x36\xb7\xc1\x34\x01\x8e\x3a\x73\x2a\x6b\x35\x2c\xfe\x08\x1f\x79\x0f\x00\x29\x96\x7f\xf1\x82\x0d\x57\xd3\x70\xc2\xa9\xf1\xbe\x05\x11\x00\xd5\xa8\xea\xc4\x24\x1a\x6c\x2b\x64\x0f\xe7\x3b\x16\x1d\x54\x38\x01\xf1\xeb\x2a\xbd\xea\x76\x9c\x51\x8c\xbd\x72\x71\xc6\xd6\x5a\xbe\x83\x66\x1d\x2f\xd2\x8e\x41\xb9\xad\x57\x5b\x95\x8f\xbb\xc5\xa4\x3f\x34\x12\x78\x65\x6d\x30\x0f\x21\xd8\xc7\x11\x61\xbf\xc2\x81\x2b\x2f\x7f\x36\x92\xc5\x75\x8a\x5f\xea\x82\x84\xcc\x43\x15\xe2\xdc\x16\x05\xd0\xb5\x82\x43\xa9\x79\xaf\x7c\x0c\xce\x31\x3e\x3e\x12\x7b\xaf\x93\x13\xf1\xab\x8c\x43\x75\x81\x36\x95\x86\x68\x9a\xe6\x9b\x86\x84\x47\xbf\xa6\x07\x98\x62\x0c\x68\x08\x00\x90\xc9\xf0\x49\x3c\x95\xa6\x4c\xa4\xf
6\x78\xea\xa1\x4f\xe8\xcb\xc9\x08\x6e\xa9\x9c\x78\xa3\xd8\x16\x98\x42\xfc\xa3\xb0\xd2\x89\x40\x6c\xfa\x9d\x52\xf4\x1d\xf0\xb7\xfc\xfe\xb6\xe1\x0b\x7f\xb8\x84\x6b\x64\x6c\x6e\x17\x73\x32\x0a\xaf\xac\x2d\x38\x42\x72\x44\x93\x2e\xd2\x37\xb9\x83\x4f\x60\xc0\xbc\x4f\x9f\x6b\x18\xee\x82\xd4\xab\x52\x57\xd0\x33\x43\x13\x7a\x44\xa5\x21\x48\x42\x7e\x74\x72\x52\xc0\x61\xc8\x8c\x78\x85\x98\x58\x16\x3f\x76\x85\x65\xfe\xfe\x43\x03\xce\xab\xa9\x4b\x78\x6b\x6d\x9d\x0b\x69\xd0\xca\x92\x0e\x61\x52\x55\xe2\xb8\xc3\xfd\xd7\x8d\x8c\x19\x4e\x9c\x80\x49\xa9\xd1\x87\x77\x26\x85\xac\x98\xfa\x7e\x7d\xf5\x4f\x5e\xbc\xe1\xec\xc1\xcf\xc7\xa6\x2e\x85\x39\x32\xde\xac\xcb\x58\xd7\x9f\xec\xb9\x31\xd1\x46\x43\xec\x70\x20\xad\xe4\x9c\xce\x0a\x1e\x78\xe3\x4d\x71\x09\x60\x22\x31\x7d\x7a\xf5\x36\xb3\x8f\x72\xfb\xf6\x5f\x7e\x47\x63\xe6\xd1\xda\xd8\xc2\x6f\x56\xe2\xab\x4c\xdf\x77\x8e\x32\x64\xa2\xad\x20\x04\xcb\xce\x99\xb7\x7e\x6e\xc2\x72\xd6\xf0\x83\xd2\x08\x3a\x04\x2f\x67\x90\x8e\x14\x7e\x60\x1e\xd4\x2f\x20\x1f\x5b\x9f\x18\xe8\x9e\xaf\x48\xd3\x84\xee\xef\xa0\xf9\xf9\xec\x38\x6a\x27\x4e\xcd\xab\xac\xd1\xe2\xdb\x6b\x90\xad\x98\xc4\x75\x66\x7d\x27\xfa\x72\x79\x08\xd2\x8e\x37\x45\xc3\x4b\x50\x15\xed\xd1\x30\xd0\xb7\xe3\xfd\x54\xdd\xea\x89\xe3\x7d\xba\xfa\x49\x84\x07\x59\xa3\x0d\x29\xe2\x1b\xb0\x9d\x95\x00\x3c\x28\x95\x18\x9e\x43\x9a\xb7\xb4\x12\xc2\x51\x61\x0a\xa7\xaf\xab\xef\x41\xe5\xab\xe2\x23\x53\x21\xf3\x22\xe8\xbd\x59\x24\xd7\x9a\x40\x46\x05\x37\x8e\x3b\xda\x60\xd2\x8e\xa5\x67\xe6\xa7\x39\x64\xa6\xdd\xd4\x3c\xfa\x1f\x5e\x0c\xb8\xbe\x45\x5e\x1f\x6d\xbc\xcc\xf7\x2c\xd1\xcf\x14\xe8\xe5\x07\xa1\xa1\x97\x9f\x1c\x2b\x43\xc8\xa6\x49\x29\x0b\xa5\x41\x37\xd1\xaa\x64\x73\x56\x8e\x39\x0a\x66\x59\x73\x82\x34\x92\xec\x2d\xce\x33\xc3\x9c\x88\xaa\x42\x47\xf1\x4f\x1f\x0e\x56\xad\xee\x32\x60\x80\xb7\x16\xdc\x55\xda\xe2\xa5\xed\x84\x2d\x79\x0d\xe3\xf1\xfb\xe3\x2f\x89\x51\xea\xb8\xdf\xa5\x4d\x77\x0d\xf7\x34\x27\x31\x27\x0b\xeb\x47\x04\x27\x7f\x3e\x1d\xc1\x69\x34\xaf\x90\x23\x50\xcd\x6b\x0b\x7a\x67\x1f\x26\x75\xf0\xdf\x8
8\x48\x31\xae\x06\x39\x26\x69\xd6\xbd\xa8\x49\x3b\x6b\xda\xf5\xae\x90\xf4\xc4\x5f\x8f\xb1\x91\x4e\x0b\xe0\x57\xf4\x5d\xb5\x01\x01\xb8\xbc\x6e\x64\x9a\xa6\x85\x60\x71\x22\x5c\x42\xc6\xee\x15\x7a\xdb\xda\x58\x42\x94\x2c\xca\x28\xfc\x4c\x7c\x08\xe7\xc2\xcf\x19\x81\x54\x2b\xe4\xab\x7f\x4b\xf6\xef\xff\x69\x2d\xfe\x65\xb4\x50\x80\xb2\x1e\xee\xf5\x29\x91\x71\xa1\xc2\xb7\x36\xf7\x0d\xa4\x31", 4096); *(uint64_t*)0x200066c0 = 0x1000; *(uint64_t*)0x200066c8 = 0xff00000000000000; *(uint64_t*)0x200066d0 = 0x20006480; memcpy((void*)0x20006480, "\x82\x92\x51\xfb\xd7\x0c\xae\xb4\x51\xcc\xf0\x9a\x96\xfb\xfe\x55\x9b\x21\x7a\x4a\x12\xcf\x46\xa3\x89\xd8\x2c\x55\xef\x7f\x5c\x64\xe4\x5e\x1b\x6f\x26\x95\x59\xa8\x5e\x8b\xcc\x23\x2b\xf1\x50\x0d\xcb\x9a\xf4\x0f\x69\x71\x65\xfd\xe6\x20\x9f\x8b\xf0\x01\x58\x5b\x6c\xca\xaf\xe1\x94\xcc\xfd\xb7\xf8\x99\x08\x04\xee\x77\xed\x9a\x34\x5b\x52\xa8\xd7\xe8\xf4", 87); *(uint64_t*)0x200066d8 = 0x57; *(uint64_t*)0x200066e0 = 8; *(uint64_t*)0x200066e8 = 0x20006500; memcpy((void*)0x20006500, "\x34\xe0\xc0\x82\xbd\x77\xb5\x1d\x0c\x9a\xb1\xbc\xde\x0a\xcc\x30\x81\x49\xf3\xe6\x4c\x75\xb7\x17\x3c\xda\x5f\x39\xd3\xb4\xa6\x2c\x60\xde\x76\xd1\x2d\x41\xce\xc1\xb7\xc9\xbc\x9e\x57\xac\xb7\x83\x42\x82\xa5\x75\x8d\x7c\x7e\x4b\x21\x71\x5f\xeb\xf6\xfb\xf1\x44\xad\x46\xcb\xf2\xce\xc8\x7f\x74\x01", 73); *(uint64_t*)0x200066f0 = 0x49; *(uint64_t*)0x200066f8 = 0x8001; *(uint64_t*)0x20006700 = 0x20006580; memcpy((void*)0x20006580, 
"\xe6\x09\x76\xf8\x6d\x91\xdd\x66\xce\xc0\xb1\xe3\x0e\xc8\x01\x16\x0b\x84\xcf\xb1\xf8\x60\x37\x03\xd1\x4a\x6b\x81\x5d\x22\xe1\x78\x3e\xed\x12\xce\x8c\x08\x0e\x3f\xfb\xf0\xb5\x30\x95\xf6\x96\x03\xfa\x76\xa9\x34\xa6\x0a\x05\x26\x34\x1e\xaf\xaf\xb3\x86\x7d\x13\xe8\x8d\x1d\x39\xe3\x70\xa0\x0d\xbe\x06\xdd\xc8\x40\xba\x74\x46\xa6\x25\x97\x06\x9e\x1d\xcd\x13\x8f\x82\xb2\x9f\xf7\x8a\xf1\xd1\xc3\x13\x3f\xe9\xc0\x4d\x73\x2c\xdb\x4b\x3f\x6a\xa2\x69\x89\x36\x9b\x5f\x6d\xca\x60\x00\xa0\x76\x73\x41\xbc\x2a\xaa\xcd\x69\xe6\x48\x62\x19\x15\xb8\xaa\x9c\xb2\x4c\x6b\xb5\xae\x3f", 141); *(uint64_t*)0x20006708 = 0x8d; *(uint64_t*)0x20006710 = 3; memcpy((void*)0x20006740, "flock=strict", 12); *(uint8_t*)0x2000674c = 0x2c; memcpy((void*)0x2000674d, "obj_type", 8); *(uint8_t*)0x20006755 = 0x3d; memcpy((void*)0x20006756, "/dev/vcsa#\000", 11); *(uint8_t*)0x20006761 = 0x2c; memcpy((void*)0x20006762, "obj_role", 8); *(uint8_t*)0x2000676a = 0x3d; memcpy((void*)0x2000676b, "bpf_lsm_unix_may_send\000", 22); *(uint8_t*)0x20006781 = 0x2c; *(uint8_t*)0x20006782 = 0; syz_mount_image(0x20005140, 0x20005180, 0, 9, 0x20006640, 0x10000, 0x20006740); memcpy((void*)0x200067c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200067c0, 4, 0x4800); memcpy((void*)0x20006800, "net/icmp\000", 9); syz_open_procfs(r[5], 0x20006800); syz_open_pts(r[9], 0x258102); *(uint64_t*)0x20007d00 = 0x20006840; memcpy((void*)0x20006840, 
"\xb3\xde\x0d\x9f\x2e\x1e\xba\x98\x79\xee\xf0\x8d\xbd\x42\xed\xd7\xd6\x22\xf0\x95\xe0\xce\x34\x29\xb6\x4c\x46\x70\x8b\xf7\xfa\x26\xe6\x9e\xc1\x57\xca\xa3\xe1\x6d\x60\xb3\xba\xf5\xb0\xd2\x46\xbf\xef\x95\x5e\x35\xf8\x55\x56\xc9\x61\x4a\x60\xb6\x5c\xae\x7c\x02\x3c\x99\x31\x8f\xc8\x5b\xc0\xab\xfd\x16\xbc\x78\xeb\x56\x31\x7c\xd8\xb8\x0c\x5f\x5a\x87\x85\x6c\x5c\xd0\xb9\x7f\xc2\x83\xcb\xc9\xd8\x35\xff\x9d\x70\x97\x2b\xd4\x20\x11\x69\xa3\x5c\x26\x99\xbf\x5a\x8b\x31\xad\x36\x07\x12\x10\x19\xe7\x33\x98\xb2\x28\xb9\xc5\x9a\xa5\xb5\xc0\x07\x16\x67\x66\xee\xe5\x91\x1d\x5d\x2f\x86\x4c\xb4\x2b\x84\x21\xf3\x8c\xb2\x1a\xa9\x36\x97\xe5\xad\x16\x6a\x96\x6a\xc9\x8a\xa7\x76\xfd\x27\x50\x02\x94\xc4\xdd\x1b\xac\xf4\x1f\xd0\x70\xe9\xe4\xa9\xe5\xeb\x70\xd2\xa9\x8f\x91\x5c\x13\x91\xfd\x75\xf5\xff\xec\xfa\xb4\x24\x25\xeb\x01\x6c\x33\xec\x19\xae\x67\xf4\xb1\x00\x08\x8e\x09\x0f\x03\x5d\x78\x14\x3b\x35\x94\x4f\x30\xa4\x9a\x77\xb8\xc5\xe2\xa0\x8e\x9f\x38\x1a\x8a\xfb\xcf\x48\xeb\xad\x84\x11\x45\x5f\xf2\xcb\x76\xa4\xa1\xb5\x57\xd1\x21", 254); *(uint64_t*)0x20007d08 = 0xfe; *(uint64_t*)0x20007d10 = 0x7fffffff; *(uint64_t*)0x20007d18 = 0x20006940; memcpy((void*)0x20006940, "\x33\x0e\xa7\x46\xd7\xdf\xb4\xa5\xe9\xf3\x3a\x32\x5a\x96\x88\xca\x04\xcd\x59\xaf\x72\x4b\x34\xf7\x0a\xe3\x70\xd4\xac\x73\xea\x9a\x65\xab\x00\x3f\x2c\xbc\x01\xaf\x11\x62\xc0\xfe\xfb\x2b\x7e\x4a\x0d\xcd\x3f\x2a\x8c\x23\xf2\xa1", 56); *(uint64_t*)0x20007d20 = 0x38; *(uint64_t*)0x20007d28 = 0x2eed; *(uint64_t*)0x20007d30 = 0x20006980; memcpy((void*)0x20006980, 
"\xef\xd5\x43\xd9\x2d\xc8\x23\xae\xf9\x1d\x85\xc4\x4c\x05\x58\x44\xe2\xaf\x47\xb4\xd5\xa6\x7e\x3a\x39\x59\xdc\x6d\x61\x7c\xd8\xe9\xb6\xc3\xf5\xbb\xf0\x5d\xa7\x3f\x04\xbf\x4f\x54\xa6\xf3\xd5\x36\x1d\xee\x72\x0d\x1f\xf9\xf6\x5d\x5d\x7c\x18\xb8\x65\x34\xf2\x91\x26\x21\xaa\x81\xb4\xc2\xd3\xda\xa1\xa6\x75\x38\xac\x5e\xfc\xf2\xe0\x08\xc7\x91\xd5\x91\x52\xdb\x5f\xa2\xd0\xa2\x3f\x39\x97\xbd\x1e\x25\x02\xe6\xfa\xdb\x36\x78\x88\x91\x84\x3e\x3d\xe1\xc4\x48\x3a\xea\x75\x22\x4b\x12\xed\xe3\x00\x6b\x96\x48\xdc\x76\x61\xa4\x6d\xa2\xd1\x46\xd3\xdf\x70\xa1\xd0\x4b\x2c\x64\x57\x8d\xaf\x21\x9d\xcb\xa1\xb6\x7a\xae\x08\x6a\x25\x41\xc4\xb9\xb4\xdc\x6d\x43\xc0\x76\x54\x4b\x4c\xf9\xcd\x57\xe6\xe2\x6d\x74\x21\x7d\x1d\x85\x46\x22\x4d\x85\xf6\x50\xa0\xad\x3a\xac\x78\xc0\xcf\x1d\x83\xa4\xad\xcc\x11\xc2\xe8\x4d\xf1\x88\x9c\x79\x20\x34\x7f\xe4\x04\x20\x19\x14\x72\x78\x62\xb4\x60\x22\x9c\xe6\x7a\x1a\x88\xde\x34\xaa\x73\xd3\x9b\xe6\x7f\xe9\x22\x10\x69\x92\x21\x10\x3a\xc5\xb4\x9a\x07\xff\x0b\x35\x48\x36\x3c\x87\x80\x66\xd5\xa0\xca\x8f\x56\x5a\x61\x6a\x04\x9a\x5d\x7b\x6e\x70\xba\xdf\x46\x49\xc5\x1a\xec\x86\x71\xfa\xa4\x44\xd7\xe0\xa6\x30\x4e\x27\x3c\x40\x5c\xc6\xf3\x48\xd1\x9f\xf1\x34\x8b\xac\xc9\x6e\xcf\x1a\x28\x11\x96\x18\xc9\x1e\x59\x42\xbb\xf0\xe2\xd7\xfc\x69\x97\xcf\x63\x30\xc1\x06\xa7\x90\x2c\xcd\xc1\xb9\xcd\x0e\x8f\x55\x93\x55\xd2\x6f\x81\xc7\x7e\x52\x48\x82\xd0\x27\x83\xf1\x5b\x05\x69\x69\x02\x36\xe3\xaa\x74\xb9\x6b\xcc\x5e\xf9\x0e\xae\x4a\x5e\x3a\xba\x2a\x56\x0f\x9b\x0a\x51\x3c\xe1\xa8\xce\xb0\xd2\x10\x36\x15\xf8\x28\xb0\x12\x5d\xf3\x2e\xec\x97\x11\x0e\xe2\xa5\x9e\x1f\x91\x37\x72\xa8\x59\xf6\x5d\x95\x3c\x20\xca\x8a\x0c\x6e\x85\x26\x61\xd8\x62\x93\xcb\x46\x72\x41\x3f\xfa\xfa\x27\x03\x2e\xda\x8d\x8b\x19\xce\x77\xd3\x5d\x13\x04\x29\x6d\x8d\xbe\xe1\xb7\xc3\x58\xfe\x5d\xdf\x94\xc4\x24\x11\xe2\x63\x62\xcf\x42\xa5\xc7\xc1\x89\x91\xe3\x92\x63\x31\xa2\xc7\x12\x36\x09\xe0\xa3\xc0\x5e\x42\xf1\x75\x97\x2e\x44\x5a\x6a\xe5\x71\x54\x06\x2e\x21\xe0\x56\x66\x60\x2a\x2b\xf0\x89\x1e\xe6\x56\x48\xe5\xa9\x67\xe
a\x16\x24\x84\x99\xc8\x2e\x74\xc1\x9e\xda\xfe\xcf\x24\x02\xce\x53\x21\xf5\xbb\x4e\xcd\xe0\x58\xa1\x17\x6f\x31\x0b\xb1\x33\x8b\x11\xdd\xc6\x0d\xce\x03\xc4\x72\x7f\x7d\xd3\xc2\x33\x5d\x50\xae\x49\x2d\xca\x1b\xd9\x8b\xe4\xaf\x07\x44\x29\x1f\xa2\xba\x1c\xd3\xe9\x3e\x6f\x1d\x9d\x1b\x43\x05\xc2\x76\x41\x18\x09\x4a\x16\x43\x6a\x01\x45\x98\xfb\x64\xc3\x4e\xad\x3e\x8f\x45\xd1\x1c\x4f\xc0\x62\xc1\x44\xc8\xe0\x52\x20\xfb\xdf\x4a\x8c\xab\x6e\x28\x8b\x5c\xfd\xef\xa7\xa0\x54\x23\xef\x2d\x4f\x3b\x3b\xee\x57\x68\xb2\x80\x34\xa0\x8d\xe8\x83\xb8\x17\x27\x8b\xd3\xe7\x85\xc1\x14\x32\x9d\x99\x2c\x58\x12\x15\xf5\x64\x4c\xcf\xa4\xe8\x94\x10\x1d\x5f\xa4\x30\x08\xd8\x03\xfb\x9b\xaa\xef\xd7\xdd\x4b\x88\x83\xb6\xe7\xa1\x7f\x4d\xdf\x48\x26\xcd\xd7\x11\x0f\xf2\xc8\x39\x53\x49\x06\x8c\xd0\xb9\x55\x0a\x3a\x2f\x5c\xbc\x0d\xb0\x6b\x1b\x31\x29\x2c\x54\x87\x9a\x17\x2f\x4b\xe9\x83\x9b\x1d\x76\x89\x6c\x4c\xcc\xd8\x84\x1a\x55\x92\xaa\xc1\xf5\x27\x2b\x6f\xda\x92\x46\x34\xb5\x07\x50\xb3\x82\x31\xff\x13\x3d\xa1\xfc\x86\xd1\x09\x8c\x82\x3d\xf5\xbc\xa8\xcf\xe8\xc0\x8b\xa2\xee\xe5\xa4\x65\x8b\x29\x17\xbf\x3a\xf4\xb4\xe4\xe4\x7c\x6b\x7c\x35\xa3\x96\x3e\xbc\x60\x44\xf2\x72\x88\xc5\xa3\xc1\xa2\xf5\xfa\x45\xa1\x28\xbe\x9a\x13\xde\xd8\xc2\xf6\x74\x5e\xcf\x4f\xa9\x47\x23\xf9\xf1\x63\x82\xf4\xdb\x48\xd0\xc8\x11\xfe\x8e\xed\xb8\xbf\x05\xff\x38\xe5\x78\xd4\x93\x76\x55\x02\x53\xd2\x61\x7f\x86\x30\x3c\x54\x3f\x88\x2a\xdc\x20\x08\x56\x4c\x8b\xa1\x3e\xcd\x19\x61\x3a\x63\x19\x3d\x94\xe9\xa7\x3b\x21\xea\x1d\xdd\x30\xb4\x82\xc0\x98\x69\xc0\xfa\x37\x13\x1c\x69\xcc\xd0\x33\xdd\x96\xd8\xee\x7c\x5f\x2f\x8a\x15\x2e\x84\xc0\xf6\x59\xe6\x0c\xe1\x69\xfc\xb8\x9d\xe0\x28\xbe\xa3\x9d\x05\xdf\x03\xcf\x22\x80\x70\x29\xc1\xaa\xe4\x59\x94\x0d\xd5\x4b\x78\xc0\xde\xde\x18\x72\x3f\x97\x2d\x96\x51\x6e\x19\x71\x9e\x5c\x9e\xd0\x06\x86\x0f\x24\x71\xa8\xe5\xb1\x8f\xcf\x0e\xf4\xba\x66\x81\xa4\x1f\xa8\x00\x9b\x7e\x03\xb4\x44\xf4\x5a\xb3\xcc\xa9\xbb\xbc\x58\x13\xd1\xfa\x05\x5a\xaa\x4d\x45\x44\x12\x33\xae\x7b\x69\xb7\x59\xe3\xdd\xe7\x66\xc0\xf3\xb1\x3
b\xf9\x68\xcf\x85\x65\x38\x28\x83\x55\x7f\x92\x5c\x21\x07\x58\x61\xec\x9f\x35\xc7\xcd\x44\x4b\xcc\x7d\x38\x1d\xc0\xd7\xaa\x75\x4b\xa5\x70\x66\xb9\x02\x78\x8f\x53\x85\x4c\xf9\xd5\x6c\xa7\x3c\x7a\xc8\x5c\xca\x67\xba\x50\x9e\xc3\xa7\xc1\xb4\x2d\x8c\x65\x4b\x34\xd8\x8d\xa8\xd2\xca\x85\xad\x4a\xe8\xb8\x65\xb6\xd2\xa0\xc1\xc4\x40\x76\x68\x53\x5c\x49\xf3\x49\xe2\x76\xf1\xa8\x67\x64\xef\x18\xe3\xb0\x8f\x1d\x1e\x3c\xc1\xb9\x3c\xde\x3f\x19\x78\x57\xfb\x48\xb5\xa5\xfe\xf3\x1a\x86\xfa\x00\x22\xd6\xa9\x6d\x81\x5c\x8c\x9a\xf9\xba\xdb\x7b\x88\x6e\xa0\x9a\xda\xc7\x32\xc8\xe4\xea\xfe\xb8\x47\x32\x18\xe7\x94\xbc\x6a\x71\x6d\x17\x16\xfe\xfe\xf8\x6f\x63\xd3\x2b\x66\x73\xb4\x35\xd1\x3e\xdd\xca\x42\x25\x7c\xfe\x07\x17\xfc\xa3\xa3\x9f\x00\xbc\xa6\x50\xf5\x46\x3a\x24\xc5\x09\x24\x25\x6d\x32\x07\xd2\x9c\x1b\x1c\x95\x10\x9e\x40\xda\xb6\x07\x78\x7f\xb7\x4c\x4e\x64\xfe\x4a\xca\xc6\x5c\x62\x83\xff\xcc\x11\xfd\x08\xa0\xbd\x1f\x49\x30\xa8\xbe\xea\x57\xa0\xdd\xa0\x28\x67\x86\x6c\x5b\x1c\xe5\x86\xb3\x2e\x7c\xd1\x8a\xb1\x6a\x27\x5d\x6c\xc0\x43\xa9\x90\xe1\xd7\x97\x0f\x79\xd5\xb8\x88\x0e\xef\x3f\xc4\xef\x4d\xe5\xe8\x40\xac\xd0\xed\xbc\xde\x6b\xf6\xfe\xdf\x3c\x6a\x2d\x25\x39\xfd\xaf\x27\x8f\x06\x97\x94\xd3\x0a\x09\xd6\x15\xe1\xe4\xa5\xa7\x61\x7e\x16\x24\x1d\xaa\xb8\x7f\xda\xd4\x93\xed\x9c\xf3\x26\xfe\x64\x7a\x40\xf0\x27\x9d\x6a\x9b\x2c\xdc\x0a\xbf\x36\x26\x41\x5b\x04\xfc\x83\x65\x10\xba\x62\x51\x38\x6c\xe7\xe8\xd2\xb4\xfe\x66\x3c\xfc\x3a\x5d\xe9\xcc\x31\x3e\x9e\x1f\xc1\x91\x27\xf0\x92\x07\xc9\x55\xf5\xa8\x48\x54\x81\xf4\x31\x92\x24\xfd\xf4\xc2\x78\x7d\x58\x3c\x3c\xaf\x7a\xcb\xec\x73\xab\x9b\x4d\x2f\x24\x52\x87\xdf\x9a\xe2\x9a\x16\x9c\x4d\x79\x5c\xd0\x3c\x90\x98\x33\x94\x46\xdc\x40\x23\x7b\x69\x89\x98\xb2\x42\x36\x28\x14\x8c\xec\xb0\x2f\x69\xd2\x64\x4c\xec\x88\xc9\x48\x94\xe0\x1e\x15\x87\xfc\x85\x37\x54\x50\xe3\x2c\xca\xdc\xdc\xae\xa6\x41\xd2\xdb\x62\x92\x22\x86\x60\xd0\x4c\x44\x67\x86\xc2\x58\xb6\xfb\xbc\x1d\x0b\x6a\x8a\x38\x18\x20\x0d\x48\x9c\x12\x67\x33\x92\x2c\x96\x61\x95\xa4\x00\x7a\x68\xd0\x47\x3
5\x78\xb4\x69\xb4\x43\x3e\xac\xbe\x09\x25\x20\x24\x4d\x84\xda\x89\x24\xb9\x0d\x7f\xa1\xad\x31\xdb\x50\x1f\x16\xa5\x9d\x3d\x9e\xb7\x22\x10\xd0\x58\xb3\xd1\xfa\x4d\x87\x6d\x5b\x40\xbc\xff\x5a\xdf\x08\x6e\xbd\xc2\x64\x7b\x1b\x6f\x88\x21\x1b\xbd\xf5\x47\xf1\x69\x8e\x11\xab\xb7\x3d\xd3\xa5\x88\xd9\xca\x26\xd9\xff\x5b\x2d\x28\xd1\xe1\x76\xbe\x8a\x7a\xdf\x2e\x3e\x3a\xe1\x37\x39\x31\x12\xf5\xaa\xa8\x81\x81\x48\x82\x93\x9d\xfe\x71\x72\x1f\xa9\x2b\x89\x62\xbb\x8d\x94\x0f\xe1\xe3\x94\x8d\xef\x40\x33\xa0\x9e\x9c\x04\xca\x7e\xa8\xb5\x49\x69\x5c\x5f\xf6\x6c\x07\x73\x95\x02\x6d\x82\x57\x6d\x37\x9b\xd9\xcd\xed\x06\xff\xcc\x3a\x6f\x8b\xd5\x48\xc0\xf6\x8d\x4d\x3d\x72\xae\x27\xd8\x28\xb2\x7a\x58\x2b\x14\x88\x6d\xad\x1f\xc3\xe6\x35\x31\xc2\x87\x0f\x31\x59\xf8\xd4\xbd\x44\x94\x80\xc4\x5d\xd2\x7a\x29\x34\xdf\x90\x79\x7c\x04\x94\xe0\xf8\xef\x82\x89\xae\x41\x06\x26\xd4\xfa\x96\x6d\x82\x44\x3a\xdc\x52\x43\xfd\xb2\xc4\xdd\xff\x85\x50\xaf\x53\x38\xef\x2d\x1c\x41\x3b\x4b\xd4\xb3\x08\x20\x9c\x20\xe9\xc3\xa0\x08\x0a\x23\xd1\x6a\x31\x08\xa1\x05\x07\x83\xd4\x4b\xa9\x2a\x95\x59\x05\x08\xd3\xa5\xcf\x44\xfc\x6a\x4a\xf2\x47\x7f\x86\x64\x28\xbc\x11\x3c\x1c\xc8\xf1\x23\xda\x46\xca\x0a\x03\xc5\xdb\xd1\xf6\xe5\x75\x45\x84\xd8\xa4\x10\x3b\xd2\x3f\xa5\xe1\xf6\xf3\xac\xb1\x54\xff\xed\x12\x8d\x0a\x64\x58\x29\xd3\x34\x1a\x25\xe8\x7a\xe7\x81\x86\x2a\xbc\x7a\x15\x90\x21\x12\x4c\xfb\x03\x57\x1a\x73\xce\xef\x60\x36\x81\xf5\xe5\xe1\xe1\x57\x4d\xb3\x01\x6f\xf5\xa1\x3d\x9b\xfe\x7e\x8a\xc8\x1a\x09\xa9\x05\x23\x7e\x39\x0a\x57\x72\xd3\x61\xed\xbe\x58\x08\xe9\xd8\x59\x4f\x77\x6b\x00\x05\xe0\xc3\xd0\xf7\x1d\x66\x6c\x9d\x4d\xc4\x93\xd0\x16\x3d\x88\x54\x72\x32\x75\xd8\x50\xac\x1b\xf7\x81\x83\xa7\x75\x18\xf0\x1b\xb3\xa2\x80\xf3\x9b\xbf\x60\x6d\xef\x4f\x89\xb1\x1e\x2b\xb8\xd9\x9f\x8a\x32\x98\x5e\xd9\xbc\xb4\x2f\x11\x0b\xd2\xbd\xda\x26\x37\x6d\x9d\xaa\x70\xe1\xe6\x57\x5f\x11\xba\x7e\xf2\x69\x90\x8e\x10\x19\x48\xf5\x70\xb7\x69\x0e\x0b\x5d\x35\xed\x98\xcb\xdd\x2f\x36\x37\xb9\xf8\xf7\x8b\x2f\xfb\xc2\x93\x18\x8f\xf2\x77\x7d\xb0\x5
0\xaa\x21\x9d\xde\x78\x8a\x77\x0c\xb6\x24\xd6\x61\x70\x01\x81\x7d\x6d\x5c\x7a\x5b\xd3\x9c\x51\xff\x12\x8e\xac\x71\x2b\x9d\xb9\xc6\x0a\x74\xbd\xb7\x82\x0a\x35\x72\xa5\x09\x1c\x30\x84\x33\x92\x86\x27\x9d\x9c\xeb\x24\x41\x48\x90\x6d\xab\x1d\xed\xb6\x23\x79\xb1\x45\x97\xb7\x34\x89\x07\xfb\xa5\x54\x24\xe8\x78\xc1\x94\x98\x5c\xdc\xb2\x11\xb7\x1b\xdf\x38\x06\x33\x9a\x53\x00\x6a\x90\x06\xc7\x46\xbc\x49\x10\x8c\x81\x00\x93\x8d\xc2\x4a\x08\xd5\x7b\x01\x3f\x41\x03\xd8\x7d\xf3\x10\x85\x84\x05\xd0\x6f\x05\x9b\x65\xcd\x54\xae\xa1\xd0\xf1\x5c\xb2\xa4\x1b\xc8\x67\xd2\x2c\xb9\xd6\x7c\x31\x0b\x05\xa4\xf9\x40\xbd\x2e\x7a\x58\x63\xc8\xe1\xc8\x0d\x3a\xd0\x7b\x21\x50\x4b\xf2\x13\xda\x5c\xb3\x8f\xb6\x52\xa4\x7c\xcd\x7a\x5c\xfa\xfa\x0c\x3f\xfe\x2a\xac\x76\x25\xa9\x55\x88\xec\xd7\x7a\x95\x93\xd0\xbf\x2e\x7d\xf7\x99\x9f\x02\x44\x33\x5a\x9f\xac\x01\x5c\x32\x27\x30\x09\xd1\xf8\x65\xdf\xb8\x73\xc6\x5f\x52\xe9\x08\x1b\x02\x2b\x99\xb0\x15\x86\xf5\xfb\x15\x84\xfd\x9b\x1f\xda\xf8\x6c\x78\x3f\x61\x77\x2a\xff\x11\x78\xe0\x8d\x5b\xd0\x67\xb6\xfd\x23\x3d\xb8\xc4\x32\xfa\xbb\xd0\x0a\x53\x0f\x1c\x40\xb5\xf0\x5f\x78\x83\x49\x50\x59\xd1\xb5\x8b\x95\x23\xd1\xf5\x25\x57\x36\xb2\x3f\xf5\x6c\xab\xb4\xcb\x71\x0e\x43\xa7\x0f\x71\xcf\xfd\x17\xe3\xfa\xe9\x04\x36\x34\x86\x9f\x16\x6a\x95\x8c\xa5\xde\xc6\x39\xb8\x5b\x21\x34\x09\x6e\x69\x7c\x24\xe3\xb0\xa8\xcf\xb1\x94\x22\xff\x01\xf4\xeb\xef\x24\xb7\x23\x3d\xe1\xa0\xf8\x9c\x80\xe2\x31\xb8\x45\x9f\x53\x1a\xc2\x3e\xb1\xa2\x37\x3b\x3c\x58\x07\xee\x65\x52\x70\x71\x52\xa3\x16\x95\x55\xa6\x63\xd1\xbf\xb4\x53\xc8\xc3\x80\xc5\xa5\x2c\x95\x8e\x30\x2d\x4d\x75\x28\xaa\xb5\xd0\xa6\x68\x92\x30\x80\x98\xb5\x66\xa1\x36\x7c\xbf\xd9\xa3\xa4\x6c\x5f\xb7\x72\x25\xb7\xb6\xf9\xf9\x2e\xd0\xbc\x85\xbc\xbc\xf1\xb4\xfd\x27\x60\xb9\xf5\x09\xd2\xd1\x1c\xd0\x55\x71\x44\xb1\xc8\x9f\x9f\x7f\x24\x95\xd0\xc9\xea\x6c\x76\x7f\x1f\x92\x57\x07\x01\xa3\x3c\xed\x47\x70\x36\xd0\x6b\xbe\xad\x08\xc0\xb4\xa8\xab\x4a\x57\xd8\xd9\xb7\x58\xce\x05\x89\x1e\xc7\x29\x01\x4e\xb7\x12\xc3\x3d\xcb\x52\xef\xe8\xde\xd2\x2
3\xb6\x17\x82\x24\x43\xbf\xa9\x55\x14\xd9\xa8\x2f\x6b\x9f\xed\x17\xb2\x24\x45\xf6\x92\xfc\x87\x03\x74\xc0\x82\x6a\x9f\xa4\x31\x53\x84\x93\x68\xaa\x1f\x93\x05\x2e\x48\xf8\x8e\x8f\xe9\xaa\x1b\xa8\x29\x15\x85\xe5\x9d\xa0\xf6\x8f\xd0\x4b\x8f\xa4\x50\xe9\x65\x4d\x92\x0c\x2b\x82\xc9\xc2\x9a\x79\x01\x5d\x0e\x30\x2b\xef\x5a\xbc\x9f\x42\x92\xfd\x4b\x58\x2d\x58\x83\x0d\xfc\x71\x72\x53\x19\xbf\x39\x69\x2b\x0f\x3d\x72\xa3\x20\x4d\x62\xe4\xcd\x21\x9f\xd2\x64\x7a\x9b\xc3\xda\x61\xb7\x02\x69\x9d\x01\x5f\x9f\x15\xbf\xfb\x27\xb6\x13\x3e\xc4\x31\xe4\xad\x67\xf5\xc1\xb4\x6f\xc6\x2e\x29\xd4\xae\x4b\x07\xfa\xb0\x7f\x01\x43\xe8\xe5\x4f\xea\x1e\x62\x90\x51\xd6\xd7\xc1\x9a\xf8\x93\x16\x61\xd8\x49\x57\xad\x2a\xe7\xb5\x21\xbd\x62\x46\x8a\xa0\xa8\x51\x65\x39\x04\xbb\x93\x25\x37\x6f\xd2\xd8\x31\x34\x03\x56\xd9\xbd\x27\x82\xbb\xc4\x6e\x1c\x03\x06\x95\x53\xd2\xb0\x5d\x17\xbb\x4d\x86\x44\xa0\xdf\xc0\x28\x6d\x4e\xbd\xfb\xf1\xfa\x85\xf0\x01\x5d\xa2\x66\x70\x90\x9c\xe8\x40\x27\x2d\x1d\x62\xc8\xd0\x27\x87\xd5\x65\x20\xd3\x09\xe4\xbc\xfc\xc8\x46\x47\x4d\x42\x82\x64\x17\x98\xda\xd1\x77\x9c\xce\x11\x39\x2a\xc5\x37\x91\x73\x35\xb4\xf9\x12\x4e\xd1\xe2\x54\x05\x29\x66\xab\x2c\x15\xdc\xd1\xbc\x1c\x3c\x52\x0f\xef\x4b\x3b\x17\xfe\x6f\x63\x60\xd0\x7b\x2c\x08\xac\x64\xc7\x5f\xcd\xf5\xf9\xea\xc2\x11\xdb\x24\x7a\x22\x7a\x65\x9e\x10\x67\x55\xe1\xba\x53\xab\xa6\x7c\x83\x16\x62\x19\x02\x26\x98\x4d\xc0\x36\x98\xdc\x56\x7a\xa9\x6b\x51\xd2\xe6\x9f\x53\x0a\xdd\xd9\xb4\xfd\xbf\x3a\x0b\x20\xaf\x2a\x18\x4c\xba\xf5\x3a\x35\x63\x4c\x8f\xe3\xd6\x3e\xc1\x5c\x50\x6b\xf0\x2c\x35\x30\x27\x59\xfe\x32\xad\x28\xc1\xd4\xb4\x9e\x94\x81\x6b\xb0\xf3\x28\x22\x81\x6b\x40\x55\x7c\x65\x0d\xa4\xae\x59\xca\x64\x5d\x5a\x4d\x61\x72\x90\x3c\x25\xe0\x0a\x22\x9e\xaa\x0c\x52\x6c\xff\xba\x53\xfc\xa4\x4a\xa1\x63\xc7\xf5\xfb\x49\x59\xa2\x16\xd6\xda\xd9\xe1\x9f\x28\x2b\x99\x45\xd2\x47\x6b\xbc\x01\x33\x78\x51\x31\x11\x8a\xd4\x6c\x3f\x93\x31\xc4\x15\xe7\x0d\x35\xe0\x6f\xa7\x1c\x2a\xa8\x78\x13\x2e\xd7\x70\xa0\x4f\x07\x21\xa5\x66\x55\x02\xdd\xed\x28\x3f\x7
0\xae\x9a\xb7\x2e\x48\xcf\x03\xc0\x1d\x80\xf6\x8e\xce\x54\xde\x88\xaa\xcb\x2c\x41\xc5\xd7\x46\x2f\x9b\x73\xf6\xc2\x74\x17\x09\xc8\x3e\x20\x08\x4d\xd8\xf9\xd8\x55\xc4\x1a\x0b\xfb\xe1\x07\xe6\xe4\x7a\x65\xc2\xb1\xee\x50\x07\xe9\xd5\xf2\x51\x18\xa2\x95\xfc\x63\x13\x24\x3d\xf5\x4c\xdd\x92\xab\x4d\xce\xdb\x21\x0d\xd8\x3b\xe1\xb0\x58\xae\x1e\x37\xa7\xac\x51\xb9\xc8\x9b\xf9\xec\xa4\x23\xc9\x1d\xb0\xd4\xa4\x21\x34\xa9\x3c\x89\x79\xa0\x3a\x2d\xe5\x3e\x45\xe6\x41\xa2\xd4\x0f\x41\x0b\xc1\x1a\x96\x82\x04\xf7\x2c\x96\xe5\x06\x64\xdc\x29\xbe\x41\xa4\xaa\xc4\xe0\x7e\x9c\xdf\x23\x9f\x59\xc9\x68\x7b\xd7\xdc\x65\xce\xab\x07\x6b\x13\x19\x41\xbb\x15\xc4\xf9\xf4\xc1\x7d\x73\x50\x78\x05\x88\xfa\xcf\xfd\xbc\x1e\xaa\xeb\x44\x06\xb9\x56\xda\x73\x3e\xd0\x9e\xb4\x86\x04\xa0\xed\x4a\xad\xcb\xbd\x94\xa8\xee\x07\x93\x10\xfe\x26\x12\xa6\x69\xe5\x62\x39\x17\xee\xc2\xb1\x2a\xd9\xc8\x6a\xf9\x75\x7a\x51\x75\x9d\xbb\x00\xdf\x2e\x03\xe3\xd3\xa7\x0b\xd2\xc0\x2f\x9f\x08\x44\x4f\x4e\x06\x50\xed\xfb\x27\x86\xca\x57\xd3\x63\x09\x43\x55\x68\x32\xa3\x28\x92\x30\x1b\x58\x85\x9e\xf2\x40\x07\xf7\xa7\xd9\xb4\xaf\xc2\x37\x03\xc4\xfb\x90\x77\xa0\x7d\x2e\xa8\xd3\xa2\xb4\xf0\x15\xde\x7f\x31\xfc\x30\x65\x45\x81\x6b\x6b\x67\x0a\x45\xcf\xf4\xa9\x1b\x60\xa1\xfb\x47\x8b\x08\x9c\x67\xf4\x59\xca\xaf\x5f\xce\x92\x65\xfe\xa0\xc7\xec\x06\x52\xcd\x11\x30\x56\x23\xb0\x4c\x0a\x9d\x1a\xec\x65\x71\xc6\xa4\x66\xdc\x7a\x7b\xec\x75\xfc\xf9\x84\xd6\xa9\x63\x69\x86\xbe\xce\xf1\x41\x8b\x69\x4e\x82\x0e\xe2\x46\x2f\x26\x87\xe0\xb6\x8b\xa5\x1c\xbd\x03\xba\x76\xb4\x3f\xd7\xcb\xa0\x1a\xf2\x3f\xf9\x8f\x74\xb7\x64\x46\x35\x27\xc6\xc3\x97\xe1\xc8\xe8\xb2\x22\x58\x74\xcc\x74\xf9\x58\xa3\x1a\x28\x41\x4f\x17\x0c\x2b\x4c\xbd\x90\xc8\x49\xcc\xd5\x4f\x91\xbc\xe2\x90\x8e\x3b\xbc\x21\xb3\xd5\x60\x4a\xa3\x37\xc7\xfb\x1f\x81\x0c\x10\x32\x16\xbf\x44\x43\x39\x04\x3d\x52\x33\x30\xee\xe7\x3b\xf0\x86\x6d\xa3\xf3\xf7\x28\x87\x7f\xbb\x54\xe2\xf9\x28\x42\x3a\x16\x72\xcc\x9b\xa3\x1b\xc6\x86\xa6\xd1\x98\xef\xeb\x36\x18\xd5\xe9\xa1\xb0\x81\x9c\xf6\xb9\x33\x8c\x56\xc
4\xb7\x88\x46\x9f\x53\x2c\xdf\x92\x30\x66\xd1\xba\x46\xa5\x69\x60\x34\x2b\x79\xb0\x9e\xc8\x67\x9e\xa3\xca\xa4\x33\x65\xb8\x11\x25\x7a\x24\x49\xff\x92\x74\xf6\x61\x2c\xb0\x53\x0d\xd8\x67\x8c\xf1\x8b\xc1\xf9\x1f\x44\x7f\xad\x7b\x95\x8f\x3d\x0a\x19\x77\xce\x78\xd1\x02\x82\x9f\xe4\xb8\x3b\x56\x59\xc8\x15\x5a\xf4\xd2\xc0\x5d\x73\x15\xd1\x48\x63\x00\xe6\xda\x08\x46\xa5\x94\xd5\x10\x67\x3b\x0e\x74\x72\x78\x85\x59\x00\x9d\x74\x49\x0e\xc9\x87\x1d\x9f\x0f\x73\x69\x9d\x97\xfb\xe3\x03\xcb\x4d\x63\x5f\x54\x2e\x95\xc7\x84\xa5\x38\x71\x27\xdc\x45\x44\x83\xf9\x50\xf7\x65\xa8\xe9\x04\x63\x9e\xf4\x13\xc7\xd5\x81\xaf\x20\xdf\xb2\x85\x95\x58\x01\xab\x7e\xc4\xbe\x4d\x1b\x28\x79\xde\x66\x2d\xde\x2c\xfc\xd6\x60\x4e\xc0\xaa\x07\xa5\xa6\x71\xf5\x4a\x4f\x28\x53\xee\xdc\xa5\x6b\xaf\x00\xf0\x79\x27\x09\x59\x58\xdb\x7d\x32\x5e\x86\x3f\x64\xa9\x05\x6b\xd8\xe1\x03\x85\x99\x21\x46\x3d\x17\x54\x04\x2b\x85\xdc\xd9\x4d\x93\x3e\xf2\x08\x7d\xbe\xf5\x7d\x9a\x3a\xd9\xfe\x8c\x64\xa8\x79\x95\x87\xa3\xec\x23\xb9\xb2\x52\xf0\x3b\xfc\xe4\x2f\x01\x7e\xad\xfd\xbe\x97\x3e\x84\xe9\x02\xe3\x6b\x96\x61\xef\xae\xf4\x09\xc9\x15\x30\x8d\xce\x9a\x22\x2a\x9c\xb1\xdb\x52\x15\xc0\x00\xfc\x44\xd3\x72\xfb\x18\x64\x25\xcd\x07\x8b\xee\x77\x70\xf1\xfa\x60\xff\x2d\x0e\x34\x47\x25\xa5\x1a\x5f\x47\x8f\xe9\x6b\xfb\x9a\x18\xb6\xcb\x54\x2b\xf3\x94\xbe\xd0\x22\x18\x51\x8f\x1d\x38\x1d\x5a\xa2\x1f\xdc\xd4\x43\xce\x84\xc1\x80\xa6\xa8\xcf\x65\x47\xef\xfa\x46\x27\xca\xe9\x35\x51\xa7\x56\x4f\x0d\xac\x6e\x37\xc5\xf0\x68\xed\xda\x00\xb4\x7a\x6f\x2d\x33\xb5\x4c\x36\x81\x12\x8e\x83\xad\x17\xb0\xf0\x98\x45\x6b\x9e\x97\xf3\xe0\x2c\xe3\x91\x51\x5f\xfb\x0c\x05\x11\xa3\xd8\x31\x21\x15\x38\x2c\x15\xb0\x98\x61\xef\x75\x0c\x00\x06\xe9\x6c\x91\x84\xe1\x7d\xb2\x45\xb0\x25\x5c\x44\x07\xfe\x4b\xd6\xee\xa4\x3f\xd8\xc5\xe8\x03\x48\xcb\x91\x6e\x9d\x04\xb4\x9c\x24\x83\x91\x1b\x6d\xee\xce\x26\xd2\xb6\x57\x62\x64\x3a\xa0\x41\x7b\xe2\x76\x8b\x67\x3a\x22\xad\x58\xe6\x67\xf5\xef\x4e\x22\x28\xdb\x9b\x79\x39\xd8\xf9\x12\xde\x32\x47\x43\x25\x15\x50\x90\xb1\xd9\x74\x1
a\xce\x41\x55\xd6\x45\x83\xec\xfb\x57\x00\x30\x1d\x73\xed\x2a\xbd\x15\x64\x08\xca\x5e\x1b\x88\xba\x75\xf8\x4a\x4b\x83\x4d\x4f\x53\x20\x15\x77\x3e\x9f\x8d\x4a\x36\x50\xf8\x98\x41\x91\x11\x4f\x0f\xdb\xaa\x54\x40\x5b\xf5\x1f\x8b\x1a\xfe\x53\x2f\x74\xc1\x5a\x37\x08\xeb\x93\x70\xfa\x83\x16\xfe\xef\xac\x4e\x43\xf8\x55\x50\x6f\x5d\x98\x72\xb6\x03\x63\x56\x70\x11\xcc\x33\x08\xa2\x02\x6d\x00", 4096); *(uint64_t*)0x20007d38 = 0x1000; *(uint64_t*)0x20007d40 = 0x4065ebb7; *(uint64_t*)0x20007d48 = 0x20007980; memcpy((void*)0x20007980, "\x11\x2a\x65\x7c\x27\x70\xad\x17\xf2\xe7\x77\x62\x16\x0b\xb1\x4f\x2f\x71\xa1\x7b\x88\xfd\xb9\x46\xf9\x19\xb2\xdf\xd3\xef\xd6\x16\xe3\x11\x24\xff\x47\xee\x66\x8f\x60\x65\xa0\x43\x5a\x79\x1a\x74\x39\xd8\xaa\x10\xdc\xc4\x18\x19\x2d\x82\x1e\x36\xfc\x08\x20\xd7\xcc\x0f\x88\xb0\x88\x91\x6d\x78\x6f\x01\x42\x6f\xa4\x6b\x21\x4d\xe8\x22\xd2\x4e\x4d\x6c\x78\x5f\xea\xc4\x58\xd9\x86\x35\xc4\x80\x16\x72\xbd\x4e\x74\xfd\x40\x75\x39\x32\x12\x11\x52\xae\x0e\xad\x77\x1e\x3a\xbc\x7f\x74\x1e\x39\x3b\x32\x85\x26\xe5\xec\x29\xe8\xe0\xd9\xb3\xa2\xbe\xbc\xd0\xeb\x34\x72\xa4\xbd\x8e\x50\xf9\x53\xed\x17\x3b\xa2\x71\xfb\xe9\xf9\xd9\xc4\x63\xc7\x9f\x44\xd0\x93\x15\x4f\xfe\xf5\x9c\x93\xad\xa7\x83\xb4\x72\x7f\xc3\x5b\xa6\xc0\xdb\x25\x18\x93\x9c\xb3\x5f\xb3\x30\x1d\x4c\xf7\x2d\x25\x24\xf8\x3a\xc4\xab\x57\xa8\xac\xfc\x93\xa9\x9c\x26\xcc\xae\xe0\x56\x63\x71\x22\x94\x96\xe9\x30\x21\xe8\x6b\x95\x60\x21\xa4\x67\xf3\x4b\xe6\x6e", 226); *(uint64_t*)0x20007d50 = 0xe2; *(uint64_t*)0x20007d58 = 0x6d69; *(uint64_t*)0x20007d60 = 0x20007a80; memcpy((void*)0x20007a80, 
"\x62\x98\x25\xe3\xcb\x9c\x42\x73\x28\x10\xeb\x62\xf1\xff\x47\x85\x71\x8f\x7a\x30\xc6\x39\x40\xf2\xea\xdf\x19\xda\xe8\x20\xfe\xb9\xb7\xb3\x58\xf7\x41\xb8\x34\x16\x4a\x9a\x4a\xc8\xce\x39\x8c\x23\x16\x07\xf5\x23\xa2\x6d\xb9\xe0\xae\xca\xc1\xd1\xe8\x90\x22\xd1\xcd\x50\xd6\x44\xf2\x46\x6b\x25\xec\x09\xc6\xd6\xef\x4f\x0b\x3e\xf5\x92\xd1\x40\x8d\x04\x9d\xa4\x9b\x95\x3b\x32\x7e\x12\x3c\x6f\x19\x63\xc2\xf7\xa9\xe3\xcc\x7e\x0c\x52\xed\x1e\x17\xd0\xa8\xb7\x94\x66\x68\x75\xb2\x0b\x07\xa0\xf5\xc2\xc7\x6d\x96\x32\x90\x9f\x76\x9e\xb2\x5b\x16\x27\x37\xbe\xa1\x31\xf5\xc2\x70\xb3\x24\x9f\xd6\x5c\x25\x5e\x68\xb6\x80\x27\x1d\x0c\x11\x19\x67\x15\x17\x77\x44\xe7", 162); *(uint64_t*)0x20007d68 = 0xa2; *(uint64_t*)0x20007d70 = 9; *(uint64_t*)0x20007d78 = 0x20007b40; memcpy((void*)0x20007b40, "\xd1\x09\x17\x49\x23\x3d\x1e\x7e\xc5\x06\x53\xf3\x01\xa7\x34\xf5\xdd\x67\xac\x1e\x74\x89\x23\xe4\x4c\xce\xde\xeb\x3e\xa2\x34\x74\x58\x96\xab\xcb\x80\x03\xed\x61\x60\x5b\x5d\xff\xa8\xa9\xaf\x0a\xa1\x2e\xd9\x02\xd4\xa3\x5a\x92\x60\xc5\x3a\xb6\xa6\x21\xe2\x10\xe6\x1e\x40\x02\x83\x8d\xc2\x9e\x2f\x79\x8b\x4c\xbe\x0e\xd0\xc1\x2a\x33\xc6\x9d\xdd\xa4\x46\xb9\xb8\x84\xfc\xbf\xe2\x81\x99\x18\x4b\xd4\xae\xb0\x97\xd0\xd9\xa3\x93\xb6\x99\xd1\xf5\x5a\x57\xd8\x30\xda\x49\x7d\x79\xb9\xbd\x7d\xbc\xdb\xfe\x7e\x16\x8d\x60\x07\x61\x1d\xb9\x67\x33\x57\x4f\xb1\x50\xf4\xe9\x09\x91\xc7\x0f\xc1\x9e\xdb\xa6\xbe\xed\xc5\xa7\x21\x69\x36\x6a\xe5\xfc\xa5\xc1\xcb\x41\x3b\xbc\x54\xff\x8f\x12\x7d\x1b\x94\xcf\x99\x42\xb5\xc9\xbe\x5f\xbf\xc9\x39\x46\xbf\x1d\x0b\x28\x9a\x74\x42\xfb\x05\x7a\xdb\x0a\xe7\xfa\x41\x89\xd5\xe5\xfe\xfc\x75\xed\x5d\x26\x0b\x3c\x2c\x24\x45\xd4\x95\x79\xe6\xb3\x69\xe3\x96\xda\x16\x2d\x94\x05\x59", 224); *(uint64_t*)0x20007d80 = 0xe0; *(uint64_t*)0x20007d88 = 6; *(uint64_t*)0x20007d90 = 0x20007c40; memcpy((void*)0x20007c40, 
"\x76\x8d\x82\xc4\x7f\x16\x6e\x25\x25\x30\x91\x5b\x63\xb4\x0d\x9e\xba\x4b\x95\xfe\x08\x78\x93\x45\x3f\x37\x3a\x94\x38\x9e\x11\x20\x98\x1c\xb4\x45\x76\xa2\x05\x1c\x41\x58\x40\x0a\x59\xb9\xc8\xa9\x40\xcc\xae\x28\x26\x41\x4e\x14\xad\x55\xc7\x2b\x04\xf8\xfa\xbf\xe8\x64\x62\x40\x9b\x3a\xb2\xa0\x75\xea\x92\xc8\xbd\xdc\xd2\xb2\xfc\x0f\xd7\x7a\x97\xbc\x27\x1e\xcd\x43\xdd\x60\x5f\x29\xb9\x90\x83\x7b\x40\x9e\xed\x59\x65\xdd\xb3\xfb\x1b\x91\xe5\xbf\x12\xdd\xbc\xf2\x1c\x90\xc7\xef\x2f\x0a\xb9\xbb\x03\xf7\x2a\x64\x7c\xe8", 128); *(uint64_t*)0x20007d98 = 0x80; *(uint64_t*)0x20007da0 = 0xfffffffffffffff7; *(uint64_t*)0x20007da8 = 0x20007cc0; memcpy((void*)0x20007cc0, "\x46\xc0\xce\x89\x20\x30\x5b\x2c\x7f\x63\x6e\xdb\xb1\x65\x92\x0d\xb7\x8c\x61\xf8", 20); *(uint64_t*)0x20007db0 = 0x14; *(uint64_t*)0x20007db8 = 0xfffffffffffffffa; syz_read_part_table(9, 8, 0x20007d00); *(uint8_t*)0x20007dc0 = 0x12; *(uint8_t*)0x20007dc1 = 1; *(uint16_t*)0x20007dc2 = 0x300; *(uint8_t*)0x20007dc4 = 0x94; *(uint8_t*)0x20007dc5 = 0xe8; *(uint8_t*)0x20007dc6 = 0x2e; *(uint8_t*)0x20007dc7 = 0x40; *(uint16_t*)0x20007dc8 = 0x789; *(uint16_t*)0x20007dca = 0x160; *(uint16_t*)0x20007dcc = 0xf578; *(uint8_t*)0x20007dce = 1; *(uint8_t*)0x20007dcf = 2; *(uint8_t*)0x20007dd0 = 3; *(uint8_t*)0x20007dd1 = 1; *(uint8_t*)0x20007dd2 = 9; *(uint8_t*)0x20007dd3 = 2; *(uint16_t*)0x20007dd4 = 0x764; *(uint8_t*)0x20007dd6 = 2; *(uint8_t*)0x20007dd7 = 4; *(uint8_t*)0x20007dd8 = 0x8f; *(uint8_t*)0x20007dd9 = 0; *(uint8_t*)0x20007dda = 0x7f; *(uint8_t*)0x20007ddb = 9; *(uint8_t*)0x20007ddc = 4; *(uint8_t*)0x20007ddd = 0x40; *(uint8_t*)0x20007dde = 0x3f; *(uint8_t*)0x20007ddf = 0xe; *(uint8_t*)0x20007de0 = 0xbb; *(uint8_t*)0x20007de1 = 0x18; *(uint8_t*)0x20007de2 = 0xf3; *(uint8_t*)0x20007de3 = 0x20; *(uint8_t*)0x20007de4 = 0xa; *(uint8_t*)0x20007de5 = 0x24; *(uint8_t*)0x20007de6 = 6; *(uint8_t*)0x20007de7 = 0; *(uint8_t*)0x20007de8 = 0; memcpy((void*)0x20007de9, "\xc1\xb0\xc9\x81\xcc", 5); *(uint8_t*)0x20007dee = 5; 
*(uint8_t*)0x20007def = 0x24; *(uint8_t*)0x20007df0 = 0; *(uint16_t*)0x20007df1 = 7; *(uint8_t*)0x20007df3 = 0xd; *(uint8_t*)0x20007df4 = 0x24; *(uint8_t*)0x20007df5 = 0xf; *(uint8_t*)0x20007df6 = 1; *(uint32_t*)0x20007df7 = 9; *(uint16_t*)0x20007dfb = 0xfff; *(uint16_t*)0x20007dfd = 5; *(uint8_t*)0x20007dff = 0; *(uint8_t*)0x20007e00 = 0x15; *(uint8_t*)0x20007e01 = 0x24; *(uint8_t*)0x20007e02 = 0x12; *(uint16_t*)0x20007e03 = 0xaa4; *(uint64_t*)0x20007e05 = 0x14f5e048ba817a3; *(uint64_t*)0x20007e0d = 0x2a397ecbffc007a6; *(uint8_t*)0x20007e15 = 4; *(uint8_t*)0x20007e16 = 0x24; *(uint8_t*)0x20007e17 = 2; *(uint8_t*)0x20007e18 = 9; *(uint8_t*)0x20007e19 = 9; *(uint8_t*)0x20007e1a = 0x21; *(uint16_t*)0x20007e1b = 0x7ff; *(uint8_t*)0x20007e1d = 8; *(uint8_t*)0x20007e1e = 1; *(uint8_t*)0x20007e1f = 0x22; *(uint16_t*)0x20007e20 = 0xd44; *(uint8_t*)0x20007e22 = 9; *(uint8_t*)0x20007e23 = 5; *(uint8_t*)0x20007e24 = 3; *(uint8_t*)0x20007e25 = 3; *(uint16_t*)0x20007e26 = 0x40; *(uint8_t*)0x20007e28 = 6; *(uint8_t*)0x20007e29 = 6; *(uint8_t*)0x20007e2a = 0x80; *(uint8_t*)0x20007e2b = 9; *(uint8_t*)0x20007e2c = 5; *(uint8_t*)0x20007e2d = 5; *(uint8_t*)0x20007e2e = 8; *(uint16_t*)0x20007e2f = 0x20; *(uint8_t*)0x20007e31 = 0x34; *(uint8_t*)0x20007e32 = 7; *(uint8_t*)0x20007e33 = 0xd1; *(uint8_t*)0x20007e34 = 7; *(uint8_t*)0x20007e35 = 0x25; *(uint8_t*)0x20007e36 = 1; *(uint8_t*)0x20007e37 = 0x81; *(uint8_t*)0x20007e38 = 1; *(uint16_t*)0x20007e39 = 0x20; *(uint8_t*)0x20007e3b = 0x65; *(uint8_t*)0x20007e3c = 0x30; memcpy((void*)0x20007e3d, "\xda\xc1\x6e\x84\x5b\x14\x9d\xaf\xe6\x66\x63\xcc\x3a\xcf\x39\x3f\xa7\xb0\xae\x46\xcb\xb8\xcf\x20\x7b\xdb\x0d\x3d\x6c\xf6\x81\x66\x1f\xa0\x0e\xd5\x8d\x70\x3c\x22\x64\x70\xa8\x4e\xaa\x26\x4b\xe5\x1e\x68\x10\x87\x52\x48\xed\xe7\x94\xe2\x20\x7e\x60\xb0\x45\x85\x60\x3c\xd0\x55\xc6\x34\x8f\x0e\xb4\xf3\x3f\x2a\x83\x3f\x4a\xee\x88\x84\xd7\x77\x3b\xe2\xf4\x51\x77\xad\x4c\x03\x72\x8f\xf4\xdd\x8e\x40\xfd", 99); *(uint8_t*)0x20007ea0 = 9; 
*(uint8_t*)0x20007ea1 = 5; *(uint8_t*)0x20007ea2 = 2; *(uint8_t*)0x20007ea3 = 4; *(uint16_t*)0x20007ea4 = 0x3ff; *(uint8_t*)0x20007ea6 = 0x1f; *(uint8_t*)0x20007ea7 = 2; *(uint8_t*)0x20007ea8 = -1; *(uint8_t*)0x20007ea9 = 7; *(uint8_t*)0x20007eaa = 0x25; *(uint8_t*)0x20007eab = 1; *(uint8_t*)0x20007eac = 0x82; *(uint8_t*)0x20007ead = 9; *(uint16_t*)0x20007eae = 2; *(uint8_t*)0x20007eb0 = 9; *(uint8_t*)0x20007eb1 = 5; *(uint8_t*)0x20007eb2 = 6; *(uint8_t*)0x20007eb3 = 0; *(uint16_t*)0x20007eb4 = 0x40; *(uint8_t*)0x20007eb6 = 0; *(uint8_t*)0x20007eb7 = 0x40; *(uint8_t*)0x20007eb8 = 0xfd; *(uint8_t*)0x20007eb9 = 7; *(uint8_t*)0x20007eba = 0x25; *(uint8_t*)0x20007ebb = 1; *(uint8_t*)0x20007ebc = 0x83; *(uint8_t*)0x20007ebd = 0x1f; *(uint16_t*)0x20007ebe = 0x1000; *(uint8_t*)0x20007ec0 = 9; *(uint8_t*)0x20007ec1 = 5; *(uint8_t*)0x20007ec2 = 0xd; *(uint8_t*)0x20007ec3 = 1; *(uint16_t*)0x20007ec4 = 0x3ff; *(uint8_t*)0x20007ec6 = 3; *(uint8_t*)0x20007ec7 = 1; *(uint8_t*)0x20007ec8 = 0x80; *(uint8_t*)0x20007ec9 = 7; *(uint8_t*)0x20007eca = 0x25; *(uint8_t*)0x20007ecb = 1; *(uint8_t*)0x20007ecc = 1; *(uint8_t*)0x20007ecd = 4; *(uint16_t*)0x20007ece = 3; *(uint8_t*)0x20007ed0 = 9; *(uint8_t*)0x20007ed1 = 5; *(uint8_t*)0x20007ed2 = 5; *(uint8_t*)0x20007ed3 = 4; *(uint16_t*)0x20007ed4 = 8; *(uint8_t*)0x20007ed6 = 8; *(uint8_t*)0x20007ed7 = -1; *(uint8_t*)0x20007ed8 = 0x80; *(uint8_t*)0x20007ed9 = 9; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 0xf; *(uint8_t*)0x20007edc = 1; *(uint16_t*)0x20007edd = 8; *(uint8_t*)0x20007edf = 0xae; *(uint8_t*)0x20007ee0 = 9; *(uint8_t*)0x20007ee1 = 0xf6; *(uint8_t*)0x20007ee2 = 7; *(uint8_t*)0x20007ee3 = 0x25; *(uint8_t*)0x20007ee4 = 1; *(uint8_t*)0x20007ee5 = 0; *(uint8_t*)0x20007ee6 = 0x95; *(uint16_t*)0x20007ee7 = 6; *(uint8_t*)0x20007ee9 = 0x7a; *(uint8_t*)0x20007eea = 6; memcpy((void*)0x20007eeb, 
"\x3f\x8f\x5c\x31\x8c\x80\xe5\xa9\x36\x08\x9f\xa5\xbe\x9d\xc3\x64\xd3\xa8\xff\x22\x23\x8b\x92\x00\x64\x2b\xb7\x96\x9b\x9c\x09\x89\x51\x0d\xf3\xf2\x67\x38\x46\xf3\xfe\x68\xee\xc4\x87\x47\x6d\x9d\x8e\xa3\x7c\x9e\x7e\xc2\x93\x9c\x3a\x85\x84\x2c\xad\x50\x0b\xf7\x7a\xed\x1d\x92\x90\xeb\x85\x0a\xf4\x62\x1c\xaf\xed\x03\xc0\x8a\x55\xc4\x22\xc7\x12\x2f\x6e\xc0\x70\x3a\x47\xdf\xcb\x27\x9c\x0b\x03\x55\x8b\x39\xc7\x23\x1b\x38\xe5\x59\xd0\x54\x6a\x29\xca\x32\x28\x0a\x8c\xe4\x70\x80\xaa\x8d", 120); *(uint8_t*)0x20007f63 = 9; *(uint8_t*)0x20007f64 = 5; *(uint8_t*)0x20007f65 = 7; *(uint8_t*)0x20007f66 = 4; *(uint16_t*)0x20007f67 = 0x8938; *(uint8_t*)0x20007f69 = 1; *(uint8_t*)0x20007f6a = 0x8c; *(uint8_t*)0x20007f6b = 4; *(uint8_t*)0x20007f6c = 9; *(uint8_t*)0x20007f6d = 5; *(uint8_t*)0x20007f6e = 7; *(uint8_t*)0x20007f6f = 0x10; *(uint16_t*)0x20007f70 = 0x20; *(uint8_t*)0x20007f72 = 6; *(uint8_t*)0x20007f73 = 1; *(uint8_t*)0x20007f74 = 0x81; *(uint8_t*)0x20007f75 = 9; *(uint8_t*)0x20007f76 = 5; *(uint8_t*)0x20007f77 = 0xe; *(uint8_t*)0x20007f78 = 0x10; *(uint16_t*)0x20007f79 = 0x200; *(uint8_t*)0x20007f7b = 0x80; *(uint8_t*)0x20007f7c = 3; *(uint8_t*)0x20007f7d = 0x23; *(uint8_t*)0x20007f7e = 7; *(uint8_t*)0x20007f7f = 0x25; *(uint8_t*)0x20007f80 = 1; *(uint8_t*)0x20007f81 = 0x81; *(uint8_t*)0x20007f82 = 1; *(uint16_t*)0x20007f83 = 5; *(uint8_t*)0x20007f85 = 7; *(uint8_t*)0x20007f86 = 0x25; *(uint8_t*)0x20007f87 = 1; *(uint8_t*)0x20007f88 = 0x81; *(uint8_t*)0x20007f89 = 7; *(uint16_t*)0x20007f8a = 0xb5a; *(uint8_t*)0x20007f8c = 9; *(uint8_t*)0x20007f8d = 5; *(uint8_t*)0x20007f8e = 8; *(uint8_t*)0x20007f8f = 2; *(uint16_t*)0x20007f90 = 8; *(uint8_t*)0x20007f92 = 0x1f; *(uint8_t*)0x20007f93 = 8; *(uint8_t*)0x20007f94 = 0x1f; *(uint8_t*)0x20007f95 = 7; *(uint8_t*)0x20007f96 = 0x25; *(uint8_t*)0x20007f97 = 1; *(uint8_t*)0x20007f98 = 3; *(uint8_t*)0x20007f99 = 3; *(uint16_t*)0x20007f9a = 0x200; *(uint8_t*)0x20007f9c = 7; *(uint8_t*)0x20007f9d = 0x25; *(uint8_t*)0x20007f9e = 1; 
*(uint8_t*)0x20007f9f = 3; *(uint8_t*)0x20007fa0 = 0x7f; *(uint16_t*)0x20007fa1 = 3; *(uint8_t*)0x20007fa3 = 9; *(uint8_t*)0x20007fa4 = 5; *(uint8_t*)0x20007fa5 = 0xd; *(uint8_t*)0x20007fa6 = 0xc; *(uint16_t*)0x20007fa7 = 0x3ff; *(uint8_t*)0x20007fa9 = 0x12; *(uint8_t*)0x20007faa = 9; *(uint8_t*)0x20007fab = 4; *(uint8_t*)0x20007fac = 0xe; *(uint8_t*)0x20007fad = 5; memcpy((void*)0x20007fae, "\xa9\xb9\x7b\xc2\x4d\xe6\x2c\x3b\xcf\x2b\xfa\x13", 12); *(uint8_t*)0x20007fba = 0x44; *(uint8_t*)0x20007fbb = 0x30; memcpy((void*)0x20007fbc, "\x9f\x0d\x5e\xa2\x42\x68\xb8\xa3\x21\x17\x65\x24\x6b\x1a\x83\x4a\xf6\x41\xe8\xcd\x6e\xa3\xef\x9b\x1f\xe1\x0f\x16\xbe\xd6\xb0\x6c\xc3\xa1\x65\x92\x0c\x9d\x73\x90\x9a\xb9\xac\x8b\x2a\x7a\x8a\x5d\xae\x5d\x4a\xcf\x31\x6d\x0b\x35\xd4\xb6\x44\xd3\x68\xa0\x6e\x0e\xff\x85", 66); *(uint8_t*)0x20007ffe = 9; *(uint8_t*)0x20007fff = 5; *(uint8_t*)0x20008000 = 0x80; *(uint8_t*)0x20008001 = 8; *(uint16_t*)0x20008002 = 8; *(uint8_t*)0x20008004 = 3; *(uint8_t*)0x20008005 = -1; *(uint8_t*)0x20008006 = 6; *(uint8_t*)0x20008007 = 9; *(uint8_t*)0x20008008 = 5; *(uint8_t*)0x20008009 = 0; *(uint8_t*)0x2000800a = 0; *(uint16_t*)0x2000800b = 0x20; *(uint8_t*)0x2000800d = 6; *(uint8_t*)0x2000800e = 0x2e; *(uint8_t*)0x2000800f = 0; *(uint8_t*)0x20008010 = 9; *(uint8_t*)0x20008011 = 4; *(uint8_t*)0x20008012 = 7; *(uint8_t*)0x20008013 = 0; *(uint8_t*)0x20008014 = 0xd; *(uint8_t*)0x20008015 = 0x29; *(uint8_t*)0x20008016 = 0xcb; *(uint8_t*)0x20008017 = 0x7c; *(uint8_t*)0x20008018 = 9; *(uint8_t*)0x20008019 = 9; *(uint8_t*)0x2000801a = 0x21; *(uint16_t*)0x2000801b = 7; *(uint8_t*)0x2000801d = 1; *(uint8_t*)0x2000801e = 1; *(uint8_t*)0x2000801f = 0x22; *(uint16_t*)0x20008020 = 0xbd9; *(uint8_t*)0x20008022 = 0xd; *(uint8_t*)0x20008023 = 0x24; *(uint8_t*)0x20008024 = 2; *(uint8_t*)0x20008025 = 1; *(uint8_t*)0x20008026 = 0x43; *(uint8_t*)0x20008027 = 1; *(uint8_t*)0x20008028 = 0; *(uint8_t*)0x20008029 = 9; memcpy((void*)0x2000802a, "d\"", 2); memcpy((void*)0x2000802c, 
"\x37\x09\xdb", 3); *(uint8_t*)0x2000802f = 0x11; *(uint8_t*)0x20008030 = 0x24; *(uint8_t*)0x20008031 = 2; *(uint8_t*)0x20008032 = 1; *(uint8_t*)0x20008033 = 0xf8; *(uint8_t*)0x20008034 = 2; *(uint8_t*)0x20008035 = 7; *(uint8_t*)0x20008036 = 0x40; memcpy((void*)0x20008037, "\x5e\x58\xdf\xf9\xa0\xd0\x1e\x41\x09", 9); *(uint8_t*)0x20008040 = 0xb; *(uint8_t*)0x20008041 = 0x24; *(uint8_t*)0x20008042 = 2; *(uint8_t*)0x20008043 = 2; *(uint16_t*)0x20008044 = 0xffec; *(uint16_t*)0x20008046 = 6; *(uint8_t*)0x20008048 = 0x15; memcpy((void*)0x20008049, "?w", 2); *(uint8_t*)0x2000804b = 7; *(uint8_t*)0x2000804c = 0x24; *(uint8_t*)0x2000804d = 1; *(uint8_t*)0x2000804e = 0xe1; *(uint8_t*)0x2000804f = 3; *(uint16_t*)0x20008050 = 2; *(uint8_t*)0x20008052 = 9; *(uint8_t*)0x20008053 = 5; *(uint8_t*)0x20008054 = 0xc; *(uint8_t*)0x20008055 = 8; *(uint16_t*)0x20008056 = 8; *(uint8_t*)0x20008058 = 4; *(uint8_t*)0x20008059 = 8; *(uint8_t*)0x2000805a = 8; *(uint8_t*)0x2000805b = 9; *(uint8_t*)0x2000805c = 5; *(uint8_t*)0x2000805d = 6; *(uint8_t*)0x2000805e = 8; *(uint16_t*)0x2000805f = 8; *(uint8_t*)0x20008061 = 0; *(uint8_t*)0x20008062 = 2; *(uint8_t*)0x20008063 = 2; *(uint8_t*)0x20008064 = 7; *(uint8_t*)0x20008065 = 0x25; *(uint8_t*)0x20008066 = 1; *(uint8_t*)0x20008067 = 0x81; *(uint8_t*)0x20008068 = 6; *(uint16_t*)0x20008069 = 0x18; *(uint8_t*)0x2000806b = 9; *(uint8_t*)0x2000806c = 5; *(uint8_t*)0x2000806d = 7; *(uint8_t*)0x2000806e = 0x10; *(uint16_t*)0x2000806f = 0x3ff; *(uint8_t*)0x20008071 = 0x39; *(uint8_t*)0x20008072 = 0; *(uint8_t*)0x20008073 = 6; *(uint8_t*)0x20008074 = 0x80; *(uint8_t*)0x20008075 = 0x23; memcpy((void*)0x20008076, 
"\xeb\xa3\xe2\xd4\x84\x8f\x84\xd0\xe6\xde\xd4\x6e\x24\xd1\x0b\xf9\xf8\xb0\x73\x89\x10\xe2\x9f\x31\x9e\x94\x25\x46\xe9\xcd\xa8\x63\x82\x57\xf5\x5d\x00\x49\x67\x2a\x13\x37\x06\x7a\xf7\x3c\x1c\x29\xe0\xbd\x77\x2a\x1c\xd5\xe1\x6d\x24\x9e\xd1\x5c\xdd\x3d\x85\xa4\x39\x9a\xef\x69\xe3\xf5\xa5\x06\xea\x0e\x05\x59\x30\x6f\xe1\xf4\x2d\xfc\x10\x92\x20\x62\xe2\xbc\x06\x2c\x34\xa1\xad\xc4\xbc\x46\xb0\x80\x25\x9a\xd2\x0b\x37\xcd\xe1\xeb\xa7\x17\x8f\xb5\x14\xb2\xef\x73\x97\x71\x5b\x0e\xae\x34\xd5\xef\xd5\x27\x49\x00", 126); *(uint8_t*)0x200080f4 = 0xa1; *(uint8_t*)0x200080f5 = 0x21; memcpy((void*)0x200080f6, "\x1c\x02\x0b\x38\x9a\x4c\x59\xd1\xf2\x6d\xa8\x57\xb2\x22\xa6\xf6\x61\x8a\xdb\x04\x11\xbb\x24\x47\x8e\x68\xff\xe7\x58\x46\x9d\x4b\xb3\x4d\xf6\xaa\x95\x77\xce\xd5\x53\x83\xdf\xf0\x1c\x05\x2a\xbb\xde\x70\x46\x8c\xe3\x11\x00\xca\x31\x84\xd1\xd5\xf8\x03\xdc\x28\x0d\xf3\xb7\xae\x47\x38\xad\x05\x03\x67\x01\xe2\xe3\x8c\xe8\x44\xa7\xd3\x01\xd8\x6e\x05\x97\xc5\xbc\x1b\x67\xe7\xc6\xa5\xf7\xdf\xbc\x33\x11\xdb\xd2\x34\x68\x8e\x85\xe9\xa7\xd5\x02\x1e\x51\xe2\xd0\xdd\x41\x80\x38\x15\x3d\xb6\x5b\x7f\xc2\x68\xf9\x8d\xdf\xd9\xe5\x03\x6f\x24\x49\x7d\x2f\x04\xcd\xcc\x75\x21\x78\x99\x19\x58\xf7\x24\x3f\xf4\xdd\x5a\xef\xcf\x75\x9a\x3f\xe7\xfb\x34\xc8", 159); *(uint8_t*)0x20008195 = 9; *(uint8_t*)0x20008196 = 5; *(uint8_t*)0x20008197 = 0xf; *(uint8_t*)0x20008198 = 0x10; *(uint16_t*)0x20008199 = 0x240; *(uint8_t*)0x2000819b = 2; *(uint8_t*)0x2000819c = 1; *(uint8_t*)0x2000819d = 0; *(uint8_t*)0x2000819e = 0x26; *(uint8_t*)0x2000819f = 3; memcpy((void*)0x200081a0, "\xb4\x51\xe2\x4f\x69\x72\xcd\x64\x29\xf8\x1c\xa1\x73\xd1\x3f\xb2\xc7\xf5\x28\x47\x51\x63\x8b\xbc\x4f\x0b\x3d\xe0\x20\x91\xfb\xb4\xf4\x45\x33\xd9", 36); *(uint8_t*)0x200081c4 = 9; *(uint8_t*)0x200081c5 = 5; *(uint8_t*)0x200081c6 = 7; *(uint8_t*)0x200081c7 = 2; *(uint16_t*)0x200081c8 = 0x400; *(uint8_t*)0x200081ca = 7; *(uint8_t*)0x200081cb = 0x3f; *(uint8_t*)0x200081cc = 0xdb; *(uint8_t*)0x200081cd = 0xc0; *(uint8_t*)0x200081ce = 0; 
memcpy((void*)0x200081cf, "\xba\x73\xf7\x70\xa4\x27\xb8\x43\x83\x13\xcb\x7e\x9d\x9d\x53\xa7\xe3\x11\x03\x66\xc8\x78\xe3\xc0\xf6\xe6\x29\xeb\xb2\xa0\x84\xa9\x0b\x2d\xef\x4b\x66\x95\x0f\xdf\xd6\x06\xe0\x83\x42\x29\xe6\x30\x28\x87\x54\x89\x67\x8b\xc9\x36\x98\xed\x86\x13\x88\x42\x54\x70\x3c\x31\x5f\x1e\xe5\x29\xd1\xbc\xbf\xaf\x8d\x86\x5e\x73\x8b\x9e\x08\xcb\xc4\xa2\x11\xd4\x80\xbd\xc2\xa6\xe6\x9e\x17\x2b\x1c\x73\x63\x94\x74\xf1\xf0\x11\x5b\x5f\x49\x18\xd0\x37\x45\x1c\x99\xde\xe8\x85\x47\x56\x25\x82\xd5\x71\x71\xaa\x19\x69\x13\xf1\x19\x15\xd1\xfd\xc1\xa5\x13\xb1\x6c\x0b\x9c\x1f\xa0\x71\x57\x42\x10\x46\xf4\xf3\x37\x2d\x00\xd4\xa2\x7e\xb9\x3e\xcd\x79\xb6\x85\xe1\x4f\x3e\xba\x64\x7e\x7b\x20\xae\xfd\xf9\x2e\xd0\x5b\xef\x68\x93\x52\x65\xce\x00\x35\xe3\xb6\x24\x85\x23\x50\xd1\x23\x4e\xf9", 190); *(uint8_t*)0x2000828d = 0xa; *(uint8_t*)0x2000828e = 5; memcpy((void*)0x2000828f, "\x29\x0a\x54\x8e\x96\x26\x66\xdf", 8); *(uint8_t*)0x20008297 = 9; *(uint8_t*)0x20008298 = 5; *(uint8_t*)0x20008299 = 7; *(uint8_t*)0x2000829a = 4; *(uint16_t*)0x2000829b = 0x7d7; *(uint8_t*)0x2000829d = 0; *(uint8_t*)0x2000829e = 7; *(uint8_t*)0x2000829f = 0xf9; *(uint8_t*)0x200082a0 = 0xcd; *(uint8_t*)0x200082a1 = 2; memcpy((void*)0x200082a2, 
"\x74\xcd\x60\x07\xae\x0e\xa1\x29\x7f\x07\x01\x8c\xbd\xaa\xa0\xc8\x78\x51\xa0\x13\x08\xad\x71\x7f\x23\x5e\x9e\xff\x80\x10\xad\x10\x46\xa5\x14\x8d\x35\x2a\x70\x76\x0b\xc4\xbe\xbd\xd7\x52\x8b\xf7\xd5\x06\xda\x1b\xaa\xc2\xcf\x49\x9d\x52\xde\x51\xd7\x1b\x05\x18\x5d\x7c\xd2\x68\x02\x3d\xe5\x96\x13\x04\x52\x1b\x5f\x56\x7c\x74\xcc\xab\x78\xb6\x1c\x3f\x64\x16\x62\xaf\x2d\x55\xd5\x15\x7a\x0d\xdc\x80\xc7\x59\x62\xe9\xbd\xa9\xff\x2d\x3b\x63\xdf\x6a\x6a\x0e\x2a\xeb\xbf\xc6\x64\xde\x3f\x3a\x34\xd6\x62\x00\xfa\x09\x24\x75\x68\x59\x57\xf0\xb3\x59\x42\x47\xa2\x1d\x46\x3c\xfe\x0c\xcd\x80\x44\xf9\x53\x19\xb4\xd4\x0c\x7f\x02\x2d\x5a\x9c\xe9\xe3\x48\xcd\x62\x3d\xc4\xc5\x90\xbe\xe5\xa1\x04\x72\x70\x95\x42\x14\x61\x1a\x8d\x98\xe6\x0a\xa6\x97\xa5\xce\x30\xee\xac\xd2\x39\x70\x94\xe5\x07\x16\x73\x99\x11\xa4\x47\x8b\x49\x5f\x02", 203); *(uint8_t*)0x2000836d = 0x2b; *(uint8_t*)0x2000836e = 3; memcpy((void*)0x2000836f, "\x9b\xc9\xf5\x80\x75\x06\x30\x3f\xbf\xd7\x12\x82\xa8\x20\x58\x56\x0f\xe8\x18\x0b\x20\x5f\x6f\x47\xf9\xd7\xcf\x05\x28\x0b\x7e\xb9\x6d\x6d\x15\x89\x97\x2f\x40\x2e\xf4", 41); *(uint8_t*)0x20008398 = 9; *(uint8_t*)0x20008399 = 5; *(uint8_t*)0x2000839a = 7; *(uint8_t*)0x2000839b = 0x1a; *(uint16_t*)0x2000839c = 8; *(uint8_t*)0x2000839e = 7; *(uint8_t*)0x2000839f = 3; *(uint8_t*)0x200083a0 = 0x86; *(uint8_t*)0x200083a1 = 0x35; *(uint8_t*)0x200083a2 = 0xb; memcpy((void*)0x200083a3, "\x01\x8a\x3d\x5f\xb9\x4d\x26\xc6\xa6\x89\xe9\x1e\xb6\xa9\xe4\x9b\xf1\xb8\x83\xb9\xe3\xda\x0a\x42\xbf\x45\x63\x9b\xc1\xb1\x9a\x0d\x8e\x78\xba\xbd\x76\x9b\x27\xa4\x3d\xd0\x91\xce\x83\xb4\xa9\x1c\xf5\xd1\x19", 51); *(uint8_t*)0x200083d6 = 7; *(uint8_t*)0x200083d7 = 0x25; *(uint8_t*)0x200083d8 = 1; *(uint8_t*)0x200083d9 = 0x80; *(uint8_t*)0x200083da = 0x40; *(uint16_t*)0x200083db = 6; *(uint8_t*)0x200083dd = 9; *(uint8_t*)0x200083de = 5; *(uint8_t*)0x200083df = 3; *(uint8_t*)0x200083e0 = 2; *(uint16_t*)0x200083e1 = 0x200; *(uint8_t*)0x200083e3 = 8; *(uint8_t*)0x200083e4 = 0x55; *(uint8_t*)0x200083e5 = 7; 
*(uint8_t*)0x200083e6 = 0xc; *(uint8_t*)0x200083e7 = 0x21; memcpy((void*)0x200083e8, "\xf2\xae\x0c\x70\x73\x12\x45\x83\x53\x64", 10); *(uint8_t*)0x200083f2 = 9; *(uint8_t*)0x200083f3 = 5; *(uint8_t*)0x200083f4 = 0xc; *(uint8_t*)0x200083f5 = 0; *(uint16_t*)0x200083f6 = 0x400; *(uint8_t*)0x200083f8 = -1; *(uint8_t*)0x200083f9 = 9; *(uint8_t*)0x200083fa = 0x7f; *(uint8_t*)0x200083fb = 9; *(uint8_t*)0x200083fc = 5; *(uint8_t*)0x200083fd = 3; *(uint8_t*)0x200083fe = 4; *(uint16_t*)0x200083ff = 0x3ff; *(uint8_t*)0x20008401 = 3; *(uint8_t*)0x20008402 = 0x81; *(uint8_t*)0x20008403 = 0x1f; *(uint8_t*)0x20008404 = 2; *(uint8_t*)0x20008405 = 0xb; memcpy((void*)0x20008406, "\x15\xf5\x29\x48\x16\x89\x69\xa7\x87\x9f\x68\x6a\x66\x44\x59\xf3\x1f\xa9\xc1\x46\xda\x65\xea\xa1\x87\x8b\x39\x96\xe0\x99\xdd\x1e\xc6\x89\x00\xa2\x57\xc0\x11\x39\x7b\xcf\xc1\x0b\xc4\x28\x59\x19\x72\xae\x5e\xb7\x0e\x65\xd2\x00\x24\x8c\x43\x3d\x8b\x1e\xaf\xe5\xdf\x95\xa1\x96\xb5\x8e\xd5\x0a\x74\xd4\x8f\x9c\x07\xf5\x08\x58\xdd\x07\xd9\x4e\xc7\x66\x26\xb5\xb4\x7c\x9a\xcd\x4f\xdb\xec\xde\x35\x6c\xab\xab\xc4\x3c\x31\x44\xfc\x2e\x52\x4b\x71\xbb\x4e\x8b\xb5\x35\xda\xa0\x71\xe2\x42\xc5\x85\x84\xdb\xdd\x6c\x1e\x75\x8e\x33\xfe\xcd\x91\xaa\xc9\x6d\x22\x88\x32\x2e\xd4\x8a\xcf\xda\xab\x53\x6e\xa5\x12\x98\xe1\x6c\x60\x33\xac\x2b\x91\x75\x84\x82\x71\x9c\xc7\xd7\x64\x37\x3c\xed\xf5\xd0\x39\xe7\x5f\x0b\xe3\x5a\xcd\xac\x46\xbf\xf1\x29\xaf\x0a\xd8\x17\xe1\x40\x64\x39\x8b\xe6\x49\x33\xb6\x76\xfa\xb4\xff\x8b\x8d\x37\xcd\x74\x2e\x41\xfd\x64\xf8\x7b\x7f\x7d\xf8\x73\xb3\xd4\xc1\xca\x44\x0e\x20\xa8\x29\xe3\x4c\x69\x77\x05\x4f\xd5\x97\x5e\x34\x94\x1c\x4c\xa2\x4d\xca\xf0\x7e\x3b\x99\x50\x28\x0b\x30\xfb\x2c\x43\x56\xee\xda\xb3\xe5\x18\x4e", 256); *(uint8_t*)0x20008506 = 7; *(uint8_t*)0x20008507 = 0x25; *(uint8_t*)0x20008508 = 1; *(uint8_t*)0x20008509 = 0; *(uint8_t*)0x2000850a = 0x1f; *(uint16_t*)0x2000850b = 0x200; *(uint8_t*)0x2000850d = 9; *(uint8_t*)0x2000850e = 5; *(uint8_t*)0x2000850f = 5; *(uint8_t*)0x20008510 = 0x10; 
*(uint16_t*)0x20008511 = 0x400; *(uint8_t*)0x20008513 = 0x81; *(uint8_t*)0x20008514 = 1; *(uint8_t*)0x20008515 = 5; *(uint8_t*)0x20008516 = 7; *(uint8_t*)0x20008517 = 0x25; *(uint8_t*)0x20008518 = 1; *(uint8_t*)0x20008519 = 2; *(uint8_t*)0x2000851a = 8; *(uint16_t*)0x2000851b = 0x101; *(uint8_t*)0x2000851d = 7; *(uint8_t*)0x2000851e = 0x25; *(uint8_t*)0x2000851f = 1; *(uint8_t*)0x20008520 = 3; *(uint8_t*)0x20008521 = 2; *(uint16_t*)0x20008522 = 8; *(uint8_t*)0x20008524 = 9; *(uint8_t*)0x20008525 = 5; *(uint8_t*)0x20008526 = 0; *(uint8_t*)0x20008527 = 4; *(uint16_t*)0x20008528 = 0x80; *(uint8_t*)0x2000852a = 9; *(uint8_t*)0x2000852b = 6; *(uint8_t*)0x2000852c = 7; *(uint8_t*)0x2000852d = 9; *(uint8_t*)0x2000852e = 5; *(uint8_t*)0x2000852f = 3; *(uint8_t*)0x20008530 = 0; *(uint16_t*)0x20008531 = 0x7ff; *(uint8_t*)0x20008533 = 1; *(uint8_t*)0x20008534 = -1; *(uint8_t*)0x20008535 = 0x1f; *(uint32_t*)0x20008640 = 0xa; *(uint64_t*)0x20008644 = 0x20008540; *(uint8_t*)0x20008540 = 0xa; *(uint8_t*)0x20008541 = 6; *(uint16_t*)0x20008542 = 0; *(uint8_t*)0x20008544 = 2; *(uint8_t*)0x20008545 = 0x86; *(uint8_t*)0x20008546 = 0x80; *(uint8_t*)0x20008547 = 0x10; *(uint8_t*)0x20008548 = 2; *(uint8_t*)0x20008549 = 0; *(uint32_t*)0x2000864c = 0x42; *(uint64_t*)0x20008650 = 0x20008580; *(uint8_t*)0x20008580 = 5; *(uint8_t*)0x20008581 = 0xf; *(uint16_t*)0x20008582 = 0x42; *(uint8_t*)0x20008584 = 5; *(uint8_t*)0x20008585 = 0xa; *(uint8_t*)0x20008586 = 0x10; *(uint8_t*)0x20008587 = 3; *(uint8_t*)0x20008588 = 0; *(uint16_t*)0x20008589 = 3; *(uint8_t*)0x2000858b = 0x73; *(uint8_t*)0x2000858c = 4; *(uint16_t*)0x2000858d = 0; *(uint8_t*)0x2000858f = 3; *(uint8_t*)0x20008590 = 0x10; *(uint8_t*)0x20008591 = 0xb; *(uint8_t*)0x20008592 = 0xa; *(uint8_t*)0x20008593 = 0x10; *(uint8_t*)0x20008594 = 3; *(uint8_t*)0x20008595 = 0; *(uint16_t*)0x20008596 = 8; *(uint8_t*)0x20008598 = 0xeb; *(uint8_t*)0x20008599 = 0x3f; *(uint16_t*)0x2000859a = 2; *(uint8_t*)0x2000859c = 7; *(uint8_t*)0x2000859d = 0x10; 
*(uint8_t*)0x2000859e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000859f, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 0xf, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a1, 5, 0, 16); *(uint8_t*)0x200085a3 = 0x1f; *(uint8_t*)0x200085a4 = 0x10; *(uint8_t*)0x200085a5 = 1; memcpy((void*)0x200085a6, "\x61\x40\x8d\x3d\x2e\x18\x72\x46\x92\x26\xd4\xd9\xbe\xfe\xcd\xac\x20\x8d\xfd\xaa\x38\x51\x78\xf4\x8c\xa7\x56\x50", 28); *(uint32_t*)0x20008658 = 1; *(uint32_t*)0x2000865c = 4; *(uint64_t*)0x20008660 = 0x20008600; *(uint8_t*)0x20008600 = 4; *(uint8_t*)0x20008601 = 3; *(uint16_t*)0x20008602 = 0x41a; res = -1; res = syz_usb_connect(5, 0x776, 0x20007dc0, 0x20008640); if (res != -1) r[15] = res; *(uint8_t*)0x20008680 = 0x12; *(uint8_t*)0x20008681 = 1; *(uint16_t*)0x20008682 = 0x200; *(uint8_t*)0x20008684 = -1; *(uint8_t*)0x20008685 = -1; *(uint8_t*)0x20008686 = -1; *(uint8_t*)0x20008687 = 0x40; *(uint16_t*)0x20008688 = 0xcf3; *(uint16_t*)0x2000868a = 0x9271; *(uint16_t*)0x2000868c = 0x108; *(uint8_t*)0x2000868e = 1; *(uint8_t*)0x2000868f = 2; *(uint8_t*)0x20008690 = 3; *(uint8_t*)0x20008691 = 1; *(uint8_t*)0x20008692 = 9; *(uint8_t*)0x20008693 = 2; *(uint16_t*)0x20008694 = 0x48; *(uint8_t*)0x20008696 = 1; *(uint8_t*)0x20008697 = 1; *(uint8_t*)0x20008698 = 0; *(uint8_t*)0x20008699 = 0x80; *(uint8_t*)0x2000869a = 0xfa; *(uint8_t*)0x2000869b = 9; *(uint8_t*)0x2000869c = 4; *(uint8_t*)0x2000869d = 0; *(uint8_t*)0x2000869e = 0; *(uint8_t*)0x2000869f = 6; *(uint8_t*)0x200086a0 = -1; *(uint8_t*)0x200086a1 = 0; *(uint8_t*)0x200086a2 = 0; *(uint8_t*)0x200086a3 = 0; *(uint8_t*)0x200086a4 = 9; *(uint8_t*)0x200086a5 = 5; *(uint8_t*)0x200086a6 = 1; *(uint8_t*)0x200086a7 = 2; *(uint16_t*)0x200086a8 = 0x200; *(uint8_t*)0x200086aa = 0; *(uint8_t*)0x200086ab = 0; *(uint8_t*)0x200086ac = 0; *(uint8_t*)0x200086ad = 9; *(uint8_t*)0x200086ae = 5; *(uint8_t*)0x200086af = 0x82; *(uint8_t*)0x200086b0 = 2; *(uint16_t*)0x200086b1 = 0x200; 
*(uint8_t*)0x200086b3 = 0; *(uint8_t*)0x200086b4 = 0; *(uint8_t*)0x200086b5 = 0; *(uint8_t*)0x200086b6 = 9; *(uint8_t*)0x200086b7 = 5; *(uint8_t*)0x200086b8 = 0x83; *(uint8_t*)0x200086b9 = 3; *(uint16_t*)0x200086ba = 0x40; *(uint8_t*)0x200086bc = 1; *(uint8_t*)0x200086bd = 0; *(uint8_t*)0x200086be = 0; *(uint8_t*)0x200086bf = 9; *(uint8_t*)0x200086c0 = 5; *(uint8_t*)0x200086c1 = 4; *(uint8_t*)0x200086c2 = 3; *(uint16_t*)0x200086c3 = 0x40; *(uint8_t*)0x200086c5 = 1; *(uint8_t*)0x200086c6 = 0; *(uint8_t*)0x200086c7 = 0; *(uint8_t*)0x200086c8 = 9; *(uint8_t*)0x200086c9 = 5; *(uint8_t*)0x200086ca = 5; *(uint8_t*)0x200086cb = 2; *(uint16_t*)0x200086cc = 0x200; *(uint8_t*)0x200086ce = 0; *(uint8_t*)0x200086cf = 0; *(uint8_t*)0x200086d0 = 0; *(uint8_t*)0x200086d1 = 9; *(uint8_t*)0x200086d2 = 5; *(uint8_t*)0x200086d3 = 6; *(uint8_t*)0x200086d4 = 2; *(uint16_t*)0x200086d5 = 0x200; *(uint8_t*)0x200086d7 = 0; *(uint8_t*)0x200086d8 = 0; *(uint8_t*)0x200086d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20008680, 0); if (res != -1) r[16] = res; *(uint32_t*)0x20008900 = 0x2c; *(uint64_t*)0x20008904 = 0x20008700; *(uint8_t*)0x20008700 = 0x20; *(uint8_t*)0x20008701 = 0x21; *(uint32_t*)0x20008702 = 0xdb; *(uint8_t*)0x20008706 = 0xdb; *(uint8_t*)0x20008707 = 0x24; memcpy((void*)0x20008708, 
"\xb5\x01\xb9\xa6\x76\xdf\xcb\x3e\x98\xc6\x6e\x8b\x68\x77\xca\xc3\x0d\xfb\x98\x56\xc7\x20\x94\xee\x90\xf2\x31\x70\xf3\x3d\xc0\x41\x69\x19\x14\x6a\x8a\x2a\xd6\x05\xce\x54\xf3\xd4\x43\xec\x59\x7b\x33\x7b\x1b\x4d\x39\xc4\x42\x89\xbb\xfc\x62\x1a\x00\x86\x26\x48\xfe\x2d\xf7\x54\xe4\x63\x45\x5e\xf8\x8f\x55\xfb\x63\xb4\xb7\x71\x9d\xd8\xd3\xe6\x84\x6c\x4d\x25\x4a\xfb\x2e\x40\x11\x6d\x2b\x5f\xcd\x88\x3a\x84\x21\x22\x17\xe0\x65\xcd\x44\x66\x68\x01\x15\x4e\x7b\x43\xe3\xd1\x62\x9d\xc7\x6f\x3a\x71\x10\xe8\x07\x90\xce\x65\xee\x44\x96\x1d\x30\x65\x21\xe9\x4e\x6e\xe9\x41\xa9\x7e\x0e\xab\x0e\x80\x37\xfe\xf7\x68\x90\x28\x91\xbb\x41\x05\xd8\xba\xf0\xa3\x5f\x93\xd2\xa5\x63\x59\x35\x79\x9c\x87\xeb\x91\xb5\xe5\xff\x7a\xe9\x1c\xbe\x9c\xda\xdd\x65\x3a\x48\x6d\x72\xd6\x7d\xc3\xb3\x71\xe4\xe5\xfa\x61\x87\x59\xde\x87\xeb\xe1\xec\x27\x8d\x14\x08\x34\x59\x0f\x6c\x51\x3e\x4c\x95\xcb\xb3", 217); *(uint64_t*)0x2000890c = 0x20008800; *(uint8_t*)0x20008800 = 0; *(uint8_t*)0x20008801 = 3; *(uint32_t*)0x20008802 = 0x18; *(uint8_t*)0x20008806 = 0x18; *(uint8_t*)0x20008807 = 3; memcpy((void*)0x20008808, "\x2c\x5d\xdd\x5f\xc6\x32\x36\xd4\x7a\xf3\x16\x42\x23\xe9\xb4\x23\xe1\x3b\x85\x60\xf2\x8a", 22); *(uint64_t*)0x20008914 = 0x20008840; *(uint8_t*)0x20008840 = 0; *(uint8_t*)0x20008841 = 0xf; *(uint32_t*)0x20008842 = 0x35; *(uint8_t*)0x20008846 = 5; *(uint8_t*)0x20008847 = 0xf; *(uint16_t*)0x20008848 = 0x35; *(uint8_t*)0x2000884a = 4; *(uint8_t*)0x2000884b = 7; *(uint8_t*)0x2000884c = 0x10; *(uint8_t*)0x2000884d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000884e, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 0xa, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008850, 1, 0, 16); *(uint8_t*)0x20008852 = 0xb; *(uint8_t*)0x20008853 = 0x10; *(uint8_t*)0x20008854 = 1; *(uint8_t*)0x20008855 = 0xc; *(uint16_t*)0x20008856 = 8; *(uint8_t*)0x20008858 = 0x3f; *(uint8_t*)0x20008859 = 1; *(uint16_t*)0x2000885a = 4; *(uint8_t*)0x2000885c = 6; *(uint8_t*)0x2000885d = 0x14; 
*(uint8_t*)0x2000885e = 0x10; *(uint8_t*)0x2000885f = 4; *(uint8_t*)0x20008860 = 0x80; memcpy((void*)0x20008861, "\xd0\xd1\xe2\xd8\x68\xe0\xfa\x99\x17\x77\xca\xc1\xb7\x94\x82\x58", 16); *(uint8_t*)0x20008871 = 0xa; *(uint8_t*)0x20008872 = 0x10; *(uint8_t*)0x20008873 = 3; *(uint8_t*)0x20008874 = 2; *(uint16_t*)0x20008875 = 3; *(uint8_t*)0x20008877 = 4; *(uint8_t*)0x20008878 = 0; *(uint16_t*)0x20008879 = 8; *(uint64_t*)0x2000891c = 0x20008880; *(uint8_t*)0x20008880 = 0x20; *(uint8_t*)0x20008881 = 0x29; *(uint32_t*)0x20008882 = 0xf; *(uint8_t*)0x20008886 = 0xf; *(uint8_t*)0x20008887 = 0x29; *(uint8_t*)0x20008888 = 0; *(uint16_t*)0x20008889 = 4; *(uint8_t*)0x2000888b = 0xc1; *(uint8_t*)0x2000888c = 0x7f; memcpy((void*)0x2000888d, "\x1b\xc1\x9f\x6f", 4); memcpy((void*)0x20008891, "\x0c\xd3\xa1\x96", 4); *(uint64_t*)0x20008924 = 0x200088c0; *(uint8_t*)0x200088c0 = 0x20; *(uint8_t*)0x200088c1 = 0x2a; *(uint32_t*)0x200088c2 = 0xc; *(uint8_t*)0x200088c6 = 0xc; *(uint8_t*)0x200088c7 = 0x2a; *(uint8_t*)0x200088c8 = -1; *(uint16_t*)0x200088c9 = 8; *(uint8_t*)0x200088cb = 0x20; *(uint8_t*)0x200088cc = 2; *(uint8_t*)0x200088cd = 6; *(uint16_t*)0x200088ce = 0x800; *(uint16_t*)0x200088d0 = 9; *(uint32_t*)0x20008e00 = 0x84; *(uint64_t*)0x20008e04 = 0x20008940; *(uint8_t*)0x20008940 = 0; *(uint8_t*)0x20008941 = 0xb; *(uint32_t*)0x20008942 = 0xe5; memcpy((void*)0x20008946, 
"\xea\x88\xbc\xa9\xc1\xe3\xf5\xbd\xf6\x07\xf7\x25\x25\x73\xdd\x87\x56\xe9\xf3\x2a\x7c\x4a\xee\xa5\xb3\xe1\xae\x6f\xdb\xe3\x19\x4c\x19\x18\xd9\xd9\xa3\xaa\x13\xdb\xbc\x47\xe1\x43\x0d\x7b\xe6\xa1\x80\xc7\x38\x84\x56\xd1\x2a\x5c\x32\x7b\x71\x6d\x23\x41\xbc\xd0\xef\x82\xa4\xa3\x46\x10\xe2\x8f\xc7\xb2\xe1\x72\xdf\xa0\x56\xc6\x35\x3d\xa1\x66\x49\x6c\xa2\x54\x0e\x60\xbb\x52\x06\x6e\xf4\x77\x36\x67\x40\x9a\x68\xef\xf5\x2e\x75\xff\x93\x46\x9e\x4f\xf5\xd6\x99\x66\xb8\x1e\x03\x4c\x68\x8a\x2f\x6f\xd9\x45\xec\xd0\x5f\x33\x65\x73\x58\x68\x23\xfd\x9f\x6d\x40\xbb\x48\x3d\xd2\x7a\xd4\x6b\x84\x14\x55\xac\x07\xfc\x31\x9b\x8c\xb5\xf5\xe2\xda\xa6\x4a\x6c\x5f\x3b\xc0\x99\x27\x0c\xd3\x76\x66\x0e\xf3\x45\x65\x71\xaa\x6d\x2f\xe4\x86\x67\x83\x8d\x81\x11\x26\xca\xce\xed\xae\xbe\xf9\x60\x81\x92\xb6\x03\x32\x7f\x6e\xe9\xed\x42\x57\x2b\x6e\xb3\xc6\x63\x0e\x90\x17\x42\x8e\xd3\x70\xbd\x03\x24\xda\x01\xea\xe4\xa7\x88\x1a\x6b\x88\xaa\x1a", 229); *(uint64_t*)0x20008e0c = 0x20008a40; *(uint8_t*)0x20008a40 = 0; *(uint8_t*)0x20008a41 = 0xa; *(uint32_t*)0x20008a42 = 1; *(uint8_t*)0x20008a46 = 5; *(uint64_t*)0x20008e14 = 0x20008a80; *(uint8_t*)0x20008a80 = 0; *(uint8_t*)0x20008a81 = 8; *(uint32_t*)0x20008a82 = 1; *(uint8_t*)0x20008a86 = 0x1f; *(uint64_t*)0x20008e1c = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x20; *(uint8_t*)0x20008ac1 = 0; *(uint32_t*)0x20008ac2 = 4; *(uint16_t*)0x20008ac6 = 2; *(uint16_t*)0x20008ac8 = 3; *(uint64_t*)0x20008e24 = 0x20008b00; *(uint8_t*)0x20008b00 = 0x20; *(uint8_t*)0x20008b01 = 0; *(uint32_t*)0x20008b02 = 4; *(uint16_t*)0x20008b06 = 0x100; *(uint16_t*)0x20008b08 = 1; *(uint64_t*)0x20008e2c = 0x20008b40; *(uint8_t*)0x20008b40 = 0x40; *(uint8_t*)0x20008b41 = 7; *(uint32_t*)0x20008b42 = 2; *(uint16_t*)0x20008b46 = -1; *(uint64_t*)0x20008e34 = 0x20008b80; *(uint8_t*)0x20008b80 = 0x40; *(uint8_t*)0x20008b81 = 9; *(uint32_t*)0x20008b82 = 1; *(uint8_t*)0x20008b86 = 0x7f; *(uint64_t*)0x20008e3c = 0x20008bc0; *(uint8_t*)0x20008bc0 = 0x40; *(uint8_t*)0x20008bc1 = 0xb; 
*(uint32_t*)0x20008bc2 = 2; memcpy((void*)0x20008bc6, "\xa6\xab", 2); *(uint64_t*)0x20008e44 = 0x20008c00; *(uint8_t*)0x20008c00 = 0x40; *(uint8_t*)0x20008c01 = 0xf; *(uint32_t*)0x20008c02 = 2; *(uint16_t*)0x20008c06 = 0; *(uint64_t*)0x20008e4c = 0x20008c40; *(uint8_t*)0x20008c40 = 0x40; *(uint8_t*)0x20008c41 = 0x13; *(uint32_t*)0x20008c42 = 6; *(uint8_t*)0x20008c46 = 0; *(uint8_t*)0x20008c47 = 0; *(uint8_t*)0x20008c48 = 0; *(uint8_t*)0x20008c49 = 0; *(uint8_t*)0x20008c4a = 0; *(uint8_t*)0x20008c4b = 0; *(uint64_t*)0x20008e54 = 0x20008c80; *(uint8_t*)0x20008c80 = 0x40; *(uint8_t*)0x20008c81 = 0x17; *(uint32_t*)0x20008c82 = 6; *(uint8_t*)0x20008c86 = 1; *(uint8_t*)0x20008c87 = 0x80; *(uint8_t*)0x20008c88 = 0xc2; *(uint8_t*)0x20008c89 = 0; *(uint8_t*)0x20008c8a = 0; *(uint8_t*)0x20008c8b = 1; *(uint64_t*)0x20008e5c = 0x20008cc0; *(uint8_t*)0x20008cc0 = 0x40; *(uint8_t*)0x20008cc1 = 0x19; *(uint32_t*)0x20008cc2 = 2; memcpy((void*)0x20008cc6, "rN", 2); *(uint64_t*)0x20008e64 = 0x20008d00; *(uint8_t*)0x20008d00 = 0x40; *(uint8_t*)0x20008d01 = 0x1a; *(uint32_t*)0x20008d02 = 2; *(uint16_t*)0x20008d06 = 0xb81; *(uint64_t*)0x20008e6c = 0x20008d40; *(uint8_t*)0x20008d40 = 0x40; *(uint8_t*)0x20008d41 = 0x1c; *(uint32_t*)0x20008d42 = 1; *(uint8_t*)0x20008d46 = 0x40; *(uint64_t*)0x20008e74 = 0x20008d80; *(uint8_t*)0x20008d80 = 0x40; *(uint8_t*)0x20008d81 = 0x1e; *(uint32_t*)0x20008d82 = 1; *(uint8_t*)0x20008d86 = 0x80; *(uint64_t*)0x20008e7c = 0x20008dc0; *(uint8_t*)0x20008dc0 = 0x40; *(uint8_t*)0x20008dc1 = 0x21; *(uint32_t*)0x20008dc2 = 1; *(uint8_t*)0x20008dc6 = 0x92; syz_usb_control_io(r[15], 0x20008900, 0x20008e00); syz_usb_disconnect(r[15]); syz_usb_ep_read(r[16], 0x1f, 0x80, 0x20008ec0); memcpy((void*)0x20008f40, 
"\x05\x9c\xba\xeb\x68\x64\xbc\xc9\x3a\x17\x64\x09\x36\xd2\xe5\x45\x0d\xeb\x6a\x94\xa3\xcd\x8d\xba\xc2\xfb\xcf\xac\x93\x2f\x8d\xd2\x22\x05\xe7\xae\x58\x9b\x0f\x01\x72\xe7\x51\xe3\x08\xa2\x36\xce\xa8\x57\x11\xd7\x4b\x54\x6d\x98\xb4\xd7\x5a\xfc\xc6\x5f\xd0\x46\x33\xc1\xfb\xed\x7c\xfe\x4d\x04\x9d", 73); /* 73-byte payload for the endpoint write that follows; r[15] is the syz_usb_connect() result and the -1 endpoint argument is the 0xff from the program text. */ syz_usb_ep_write(r[15], -1, 0x49, 0x20008f40); } /* Entry point of the generated reproducer. The three MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE (0x32) mappings lay out the arena that every hard-coded 0x2000xxxx pointer above targets: a PROT_NONE guard page below it, a 16 MiB region at 0x20000000 mapped with prot 7 (read+write+exec), and a PROT_NONE guard page above it. The mmap return values are not checked, so a failed mapping only shows up as a fault at the first arena access. use_temporary_dir() and do_sandbox_none() are defined elsewhere in the generated file; the Sandbox:none option in the opts above indicates the program runs without a sandbox — confirm in the generator. */ int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); /* guard page */ syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); /* 16 MiB RWX data arena */ syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); /* guard page */ use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :174:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :174:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor651287768 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/22 (4.87s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:true UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: socket$nl_netfilter(0x10, 0x3, 0xc) r0 = open(&(0x7f0000000000)='./file0\x00', 0x2000, 0x163) recvfrom(r0, &(0x7f0000000040)=""/238, 0xee, 0x1, &(0x7f0000000140)=@llc={0x1a, 0x10f, 0x7, 0xc7, 0x6, 0xff, @broadcast}, 0x80) r1 = socket$inet_sctp(0x2, 0x5, 0x84) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r1, 0x84, 0xa, &(0x7f00000001c0)={0x7ff, 0x1ff, 0x204, 0x0, 0x803, 0x0, 0x5, 0x800}, 0x20) execveat(r0, &(0x7f0000000200)='./file0\x00', &(0x7f0000000400)=[&(0x7f0000000240)='^\x00', &(0x7f0000000280)='*,+\x00', &(0x7f00000002c0)='-{$(%![\x00', 
&(0x7f0000000300)='\\[\x00', &(0x7f0000000340)='\x00', &(0x7f0000000380)='\x00', &(0x7f00000003c0)='\xb1$}\x00'], &(0x7f0000000640)=[&(0x7f0000000440)='\x00', &(0x7f0000000480)='*/%}\\\\\x00', &(0x7f00000004c0)='@[\x00', &(0x7f0000000500)='\x00', &(0x7f0000000540)=':\'\x9f^(\x00', &(0x7f0000000580)='],-.$\xfb\\}{)@-&/[\\!\x00', &(0x7f00000005c0)='\x00', &(0x7f0000000600)='{{\'$(+-(}{}]?/--)\x00'], 0x1000) r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000680)='/dev/hwrng\x00', 0x40000, 0x0) ioctl$HIDIOCGPHYS(r2, 0x80404812, &(0x7f00000006c0)) ioctl$TIOCGICOUNT(r2, 0x545d, 0x0) io_uring_setup(0x509f, &(0x7f0000000700)={0x0, 0x9c76, 0x8, 0x3, 0x309, 0x0, r0}) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_unix_may_send\x00') syz_emit_ethernet(0x2e, &(0x7f0000000040)={@dev={[], 0x29}, @local, @void, {@ipx={0x8137, {0xffff, 0x20, 0x2, 0x0, {@random=0x3, @random="67516965f015", 0x3}, {@random=0xa0, @current, 0x8ca}, "d18e"}}}}, &(0x7f0000000080)={0x1, 0x3, [0x6f3, 0xd92, 0xd18, 0x98a]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_EVENT_PKT={0x4, @hci_ev_pkt_type_change={{0x1d, 0x5}, {0x1, 0xc9, 0x800}}}, 0x8) syz_execute_func(&(0x7f0000000100)="c4017c5a50f2c4a1637c7a862ef04230b50d00000041d9f93e420fb7bcaeb0000000c4c2a5291498c482c9bdac33de7941f1c401fc2e0666400f38241f670fecfb") syz_extract_tcp_res(&(0x7f0000000180), 0x8, 0x47) r3 = openat$selinux_policy(0xffffffffffffff9c, &(0x7f00000001c0)='/selinux/policy\x00', 0x0, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002500)={0x2020, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x2020) lstat(&(0x7f00000046c0)='\x00', &(0x7f0000004700)={0x0, 0x0, 0x0, 0x0, 0x0}) stat(&(0x7f0000004780)='./file0\x00', &(0x7f00000047c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000004840)=0x0, &(0x7f0000004880), &(0x7f00000048c0)) syz_fuse_handle_req(r3, &(0x7f0000000200)="", 0x2000, &(0x7f0000004cc0)={&(0x7f0000002200)={0x50, 0x0, 0x8b20, {0x7, 0x1f, 0x4, 0x0, 0x6, 0x2, 0x7fffffff, 0x2}}, &(0x7f0000002280)={0x18, 0xfffffffffffffff5, 0x55}, 
&(0x7f00000022c0)={0x18, 0x0, 0x2, {0x9}}, &(0x7f0000002300)={0x18, 0x0, 0x40, {0xe62}}, &(0x7f0000002340)={0x18, 0x0, 0x80000001, {0x787}}, &(0x7f0000002380)={0x28, 0x0, 0x3, {{0x9, 0x101, 0x0, 0xffffffffffffffff}}}, &(0x7f00000023c0)={0x60, 0x0, 0x9, {{0xf652, 0x8d, 0x0, 0x3f, 0x80000000, 0x0, 0x3}}}, &(0x7f0000002440)={0x18, 0x0, 0x2, {0xa8f}}, &(0x7f0000002480)={0x26, 0x0, 0x8, {'bpf_lsm_unix_may_send\x00'}}, &(0x7f00000024c0)={0x20, 0x0, 0x6, {0x0, 0x12}}, &(0x7f0000004540)={0x78, 0xfffffffffffffff5, 0x81, {0x1, 0x7, 0x0, {0x5, 0x8, 0x6, 0x1ff, 0x5, 0x4, 0x4, 0xe8, 0x193, 0x7000, 0x6, 0xffffffffffffffff, r4, 0x3, 0x9}}}, &(0x7f00000045c0)={0x90, 0x0, 0x8612, {0x5, 0x3, 0xb2f, 0x20, 0x0, 0x7, {0x0, 0x1ff, 0x2, 0x2, 0x1de, 0x5a, 0x9, 0xc46, 0x5, 0xc000, 0xddce, 0xee01, 0xee00, 0x0, 0x12}}}, &(0x7f0000004680)={0x10, 0x0, 0x5}, &(0x7f0000004900)={0x2c0, 0xfffffffffffffff5, 0x8a, [{{0x4, 0x3, 0xfff, 0x6, 0xffffffff, 0x8, {0x5, 0xca13, 0x81, 0x4, 0x0, 0xbbc, 0x0, 0x3, 0x34b, 0x4000, 0x9, 0x0, 0xee01, 0x2, 0x81}}, {0x3, 0x80000001, 0x16, 0xf97, 'bpf_lsm_unix_may_send\x00'}}, {{0x5, 0x3, 0x100000001, 0x10001, 0x7, 0x83, {0x5, 0x5, 0x100, 0x6, 0xfffffffffffffbff, 0xb533, 0x800, 0xad7, 0x32f914fb, 0x2000, 0xe0, r6, 0xee01, 0x4, 0x64}}, {0x4, 0xfffffffffffffffc, 0x16, 0x6, 'bpf_lsm_unix_may_send\x00'}}, {{0x2, 0x2, 0x7, 0x8000, 0x9, 0x3, {0x2, 0x7, 0x80000000, 0x8, 0x6, 0x400, 0xc932, 0x81, 0x5, 0x1000, 0xf841, r7, 0xee00, 0xff, 0x5}}, {0x4, 0xffffffffffff3232, 0x16, 0x5, 'bpf_lsm_unix_may_send\x00'}}, {{0x4, 0x0, 0x0, 0x7, 0x200, 0x6, {0x5, 0x1020000, 0x6, 0x7f, 0xce, 0x0, 0xa9fb, 0xffffff81, 0x3ff, 0x1000, 0x0, 0x0, r8, 0x8de6, 0x3}}, {0x2, 0xffffffff, 0x1, 0x5, '/'}}]}, &(0x7f0000004bc0)={0xa0, 0x0, 0x3f, {{0x5, 0x2, 0x0, 0x7, 0x6, 0x3, {0x2, 0xf51e, 0x65, 0x1, 0x8b, 0x7f, 0x100, 0x9, 0x24, 0xa000, 0x3f, 0x0, 0xffffffffffffffff, 0x40, 0x3}}, {0x0, 0x1}}}, &(0x7f0000004c80)={0x20, 0xfffffffffffffff5, 0x401, {0x5b2, 0x0, 0x9, 0x2}}}) 
syz_genetlink_get_family_id$SEG6(&(0x7f0000004d40)='SEG6\x00') r9 = syz_init_net_socket$ax25(0x3, 0x2, 0x1) r10 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x3e79, &(0x7f0000004d80)={0x0, 0xb8ca, 0x20, 0xe7c, 0x26b, 0x0, r10}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004e00), &(0x7f0000004e40)) syz_io_uring_setup(0x5336, &(0x7f0000004e80)={0x0, 0x29dc, 0x2, 0x1, 0x3d6, 0x0, r3}, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004f00)=0x0, &(0x7f0000004f40)=0x0) r13 = syz_open_dev$vcsa(&(0x7f0000004f80)='/dev/vcsa#\x00', 0xfffffffffffffff8, 0x240) syz_io_uring_submit(0x0, r12, &(0x7f0000004fc0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd=r13, 0x0, 0x0, 0x0, {0x4404}}, 0x8) r14 = syz_open_dev$vcsa(&(0x7f0000005000)='/dev/vcsa#\x00', 0x1000, 0x8600) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005080)=[{0x0, &(0x7f0000005040)="48d5a3400d135dd4910161867c991fc7d68d55145fbbc5c498b58fba49bd01b68386473365a9131272ede1d53bc285051b85", 0x32}], 0x1, 0x0, &(0x7f00000050c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000005100)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000005140)='afs\x00', &(0x7f0000005180)='./file0\x00', 0x0, 0x9, &(0x7f0000006640)=[{&(0x7f00000051c0)="c5f6f420aeec388cedec2b597c8156538cd4586034199f56f5944da03d8ca829f6c6b6", 0x23, 0x1}, {&(0x7f0000005200)="f4ee9edc1be2c2d862a480f30ae30dafadfdf869f7789a4549f5a8dac06fe4c5d5d2cf0066d88bfca6af40745ed617b7a146c940de37505cb965eaa1982c8ca0ec2106f47e4e265f1e19285bba7eb577f60066b5f46c62d2ec0068edcbe6300e4f1e3cce429e45a7df287e8009841db1015134eeaa724311e55181cb7afe7dfdc7946bd14523ea6680ea42ca9f7b0eaaabe1d054277eff607ef4f8402e5dc37e6a528ec3565823c031a8460e8b5f670668f86b90a026043a", 0xb8, 0x2}, 
{&(0x7f00000052c0)="baeede481736d90f0aa36fb327956dd763578e20199f0dc85f185c9306866ba33c93d2af9613c92909c651254e6a63503dbf317b021c4b3c8de305d3de39a1ad9ac1b0ab3f51f68c1ae1da3e4cc744fd00dfa6d1b96e21134007d31c93013854ed32550f1b82a4c03ca67440d86545dcd29eea99274f655737ad5a54d9e7f9dec49129bb84beb62b1853f69e6a077209f7e55ce0d51686ca764d2ce334cd6d09b5d92357bdef60a635", 0xa9}, {&(0x7f0000005380)="31f1fbee4b48e6e69cb61bd1ccc1e213af5a28e74cffc2e5e82fbbcd1c3400faf379d1a194d52a3667e2019b9aec0e14feed8fea770a9a1bfbbc30997321bcbbcf4d115bb3d3269e50beca5982ef1d22c983d78621dbaa93e8395efe31dfadedcaded0976f5f0c7d4f17b6cc88b897ce5ddff1ade8ef2d62dcbed421589e3cfb5d8550d3651a99115d6e", 0x8a, 0x2}, {&(0x7f0000005440)="7881b6811ea2aec8f27f7f7f523cc4baca3652f7303cd748fb4ed8cc783ac578a9e853a9906a", 0x26, 0x1}, {&(0x7f0000005480)="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", 0x1000, 0xff00000000000000}, {&(0x7f0000006480)="829251fbd70caeb451ccf09a96fbfe559b217a4a12cf46a389d82c55ef7f5c64e45e1b6f269559a85e8bcc232bf1500dcb9af40f697165fde6209f8bf001585b6ccaafe194ccfdb7f8990804ee77ed9a345b52a8d7e8f4", 0x57, 0x8}, {&(0x7f0000006500)="34e0c082bd77b51d0c9ab1bcde0acc308149f3e64c75b7173cda5f39d3b4a62c60de76d12d41cec1b7c9bc9e57acb7834282a5758d7c7e4b21715febf6fbf144ad46cbf2cec87f7401", 0x49, 0x8001}, {&(0x7f0000006580)="e60976f86d91dd66cec0b1e30ec801160b84cfb1f8603703d14a6b815d22e1783eed12ce8c080e3ffbf0b53095f69603fa76a934a60a0526341eafafb3867d13e88d1d39e370a00dbe06ddc840ba7446a62597069e1dcd138f82b29ff78af1d1c3133fe9c04d732cdb4b3f6aa26989369b5f6dca6000a0767341bc2aaacd69e648621915b8aa9cb24c6bb5ae3f", 0x8d, 0x3}], 0x10000, &(0x7f0000006740)={[{@flock_strict='flock=strict'}], [{@obj_type={'obj_type', 0x3d, '/dev/vcsa#\x00'}}, {@obj_role={'obj_role', 0x3d, 'bpf_lsm_unix_may_send\x00'}}]}) syz_open_dev$I2C(&(0x7f00000067c0)='/dev/i2c-#\x00', 0x4, 0x4800) syz_open_procfs(r5, &(0x7f0000006800)='net/icmp\x00') syz_open_pts(r9, 0x258102) syz_read_part_table(0x9, 0x8, 
&(0x7f0000007d00)=[{&(0x7f0000006840)="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", 0xfe, 0x7fffffff}, {&(0x7f0000006940)="330ea746d7dfb4a5e9f33a325a9688ca04cd59af724b34f70ae370d4ac73ea9a65ab003f2cbc01af1162c0fefb2b7e4a0dcd3f2a8c23f2a1", 0x38, 0x2eed}, {&(0x7f0000006980)="efd543d92dc823aef91d85c44c055844e2af47b4d5a67e3a3959dc6d617cd8e9b6c3f5bbf05da73f04bf4f54a6f3d5361dee720d1ff9f65d5d7c18b86534f2912621aa81b4c2d3daa1a67538ac5efcf2e008c791d59152db5fa2d0a23f3997bd1e2502e6fadb36788891843e3de1c4483aea75224b12ede3006b9648dc7661a46da2d146d3df70a1d04b2c64578daf219dcba1b67aae086a2541c4b9b4dc6d43c076544b4cf9cd57e6e26d74217d1d8546224d85f650a0ad3aac78c0cf1d83a4adcc11c2e84df1889c7920347fe404201914727862b460229ce67a1a88de34aa73d39be67fe92210699221103ac5b49a07ff0b3548363c878066d5a0ca8f565a616a049a5d7b6e70badf4649c51aec8671faa444d7e0a6304e273c405cc6f348d19ff1348bacc96ecf1a28119618c91e5942bbf0e2d7fc6997cf6330c106a7902ccdc1b9cd0e8f559355d26f81c77e524882d02783f15b0569690236e3aa74b96bcc5ef90eae4a5e3aba2a560f9b0a513ce1a8ceb0d2103615f828b0125df32eec97110ee2a59e1f913772a859f65d953c20ca8a0c6e852661d86293cb4672413ffafa27032eda8d8b19ce77d35d1304296d8dbee1b7c358fe5ddf94c42411e26362cf42a5c7c18991e3926331a2c7123609e0a3c05e42f175972e445a6ae57154062e21e05666602a2bf0891ee65648e5a967ea16248499c82e74c19edafecf2402ce5321f5bb4ecde058a1176f310bb1338b11ddc60dce03c4727f7dd3c2335d50ae492dca1bd98be4af0744291fa2ba1cd3e93e6f1d9d1b4305c2764118094a16436a014598fb64c34ead3e8f45d11c4fc062c144c8e05220fbdf4a8cab6e288b5cfdefa7a05423ef2d4f3b3bee5768b28034a08de883b817278bd3e785c114329d992c581215f5644ccfa4e894101d5fa43008d803fb9baaefd7dd4b8883b6e7a17f4ddf4826cdd7110ff2c8395349068cd0b9550a3a2f5cbc0db06b1b31292c54879a172f4be9839b1d76896c4cccd8841a5592aac1f5272b6fda924634b50750b38231ff133da1fc86d1098c823df5bca8cfe8c08ba2eee5a4658b2917bf3af4b4e4e47c6b7c35a3963ebc6044f27288c5a3c1a2f5fa45a128be9a13ded8c2f6745ecf4fa94723f9f16382f4db48d0c811fe8eedb8bf05ff38e578d49376550253d2617f86303c543f882adc2008564c8ba13ecd19613a
63193d94e9a73b21ea1ddd30b482c09869c0fa37131c69ccd033dd96d8ee7c5f2f8a152e84c0f659e60ce169fcb89de028bea39d05df03cf22807029c1aae459940dd54b78c0dede18723f972d96516e19719e5c9ed006860f2471a8e5b18fcf0ef4ba6681a41fa8009b7e03b444f45ab3cca9bbbc5813d1fa055aaa4d45441233ae7b69b759e3dde766c0f3b13bf968cf8565382883557f925c21075861ec9f35c7cd444bcc7d381dc0d7aa754ba57066b902788f53854cf9d56ca73c7ac85cca67ba509ec3a7c1b42d8c654b34d88da8d2ca85ad4ae8b865b6d2a0c1c4407668535c49f349e276f1a86764ef18e3b08f1d1e3cc1b93cde3f197857fb48b5a5fef31a86fa0022d6a96d815c8c9af9badb7b886ea09adac732c8e4eafeb8473218e794bc6a716d1716fefef86f63d32b6673b435d13eddca42257cfe0717fca3a39f00bca650f5463a24c50924256d3207d29c1b1c95109e40dab607787fb74c4e64fe4acac65c6283ffcc11fd08a0bd1f4930a8beea57a0dda02867866c5b1ce586b32e7cd18ab16a275d6cc043a990e1d7970f79d5b8880eef3fc4ef4de5e840acd0edbcde6bf6fedf3c6a2d2539fdaf278f069794d30a09d615e1e4a5a7617e16241daab87fdad493ed9cf326fe647a40f0279d6a9b2cdc0abf3626415b04fc836510ba6251386ce7e8d2b4fe663cfc3a5de9cc313e9e1fc19127f09207c955f5a8485481f4319224fdf4c2787d583c3caf7acbec73ab9b4d2f245287df9ae29a169c4d795cd03c9098339446dc40237b698998b2423628148cecb02f69d2644cec88c94894e01e1587fc85375450e32ccadcdcaea641d2db6292228660d04c446786c258b6fbbc1d0b6a8a3818200d489c126733922c966195a4007a68d0473578b469b4433eacbe092520244d84da8924b90d7fa1ad31db501f16a59d3d9eb72210d058b3d1fa4d876d5b40bcff5adf086ebdc2647b1b6f88211bbdf547f1698e11abb73dd3a588d9ca26d9ff5b2d28d1e176be8a7adf2e3e3ae137393112f5aaa881814882939dfe71721fa92b8962bb8d940fe1e3948def4033a09e9c04ca7ea8b549695c5ff66c077395026d82576d379bd9cded06ffcc3a6f8bd548c0f68d4d3d72ae27d828b27a582b14886dad1fc3e63531c2870f3159f8d4bd449480c45dd27a2934df90797c0494e0f8ef8289ae410626d4fa966d82443adc5243fdb2c4ddff8550af5338ef2d1c413b4bd4b308209c20e9c3a0080a23d16a3108a1050783d44ba92a95590508d3a5cf44fc6a4af2477f866428bc113c1cc8f123da46ca0a03c5dbd1f6e5754584d8a4103bd23fa5e1f6f3acb154ffed128d0a645829d3341a25e87ae781862abc7a159021124cfb03571a73ceef603681f5e5e1e1574db3016ff5
a13d9bfe7e8ac81a09a905237e390a5772d361edbe5808e9d8594f776b0005e0c3d0f71d666c9d4dc493d0163d8854723275d850ac1bf78183a77518f01bb3a280f39bbf606def4f89b11e2bb8d99f8a32985ed9bcb42f110bd2bdda26376d9daa70e1e6575f11ba7ef269908e101948f570b7690e0b5d35ed98cbdd2f3637b9f8f78b2ffbc293188ff2777db050aa219dde788a770cb624d6617001817d6d5c7a5bd39c51ff128eac712b9db9c60a74bdb7820a3572a5091c3084339286279d9ceb244148906dab1dedb62379b14597b7348907fba55424e878c194985cdcb211b71bdf3806339a53006a9006c746bc49108c8100938dc24a08d57b013f4103d87df310858405d06f059b65cd54aea1d0f15cb2a41bc867d22cb9d67c310b05a4f940bd2e7a5863c8e1c80d3ad07b21504bf213da5cb38fb652a47ccd7a5cfafa0c3ffe2aac7625a95588ecd77a9593d0bf2e7df7999f0244335a9fac015c32273009d1f865dfb873c65f52e9081b022b99b01586f5fb1584fd9b1fdaf86c783f61772aff1178e08d5bd067b6fd233db8c432fabbd00a530f1c40b5f05f7883495059d1b58b9523d1f5255736b23ff56cabb4cb710e43a70f71cffd17e3fae9043634869f166a958ca5dec639b85b2134096e697c24e3b0a8cfb19422ff01f4ebef24b7233de1a0f89c80e231b8459f531ac23eb1a2373b3c5807ee6552707152a3169555a663d1bfb453c8c380c5a52c958e302d4d7528aab5d0a66892308098b566a1367cbfd9a3a46c5fb77225b7b6f9f92ed0bc85bcbcf1b4fd2760b9f509d2d11cd0557144b1c89f9f7f2495d0c9ea6c767f1f92570701a33ced477036d06bbead08c0b4a8ab4a57d8d9b758ce05891ec729014eb712c33dcb52efe8ded223b617822443bfa95514d9a82f6b9fed17b22445f692fc870374c0826a9fa43153849368aa1f93052e48f88e8fe9aa1ba8291585e59da0f68fd04b8fa450e9654d920c2b82c9c29a79015d0e302bef5abc9f4292fd4b582d58830dfc71725319bf39692b0f3d72a3204d62e4cd219fd2647a9bc3da61b702699d015f9f15bffb27b6133ec431e4ad67f5c1b46fc62e29d4ae4b07fab07f0143e8e54fea1e629051d6d7c19af8931661d84957ad2ae7b521bd62468aa0a851653904bb9325376fd2d831340356d9bd2782bbc46e1c03069553d2b05d17bb4d8644a0dfc0286d4ebdfbf1fa85f0015da26670909ce840272d1d62c8d02787d56520d309e4bcfcc846474d4282641798dad1779cce11392ac537917335b4f9124ed1e254052966ab2c15dcd1bc1c3c520fef4b3b17fe6f6360d07b2c08ac64c75fcdf5f9eac211db247a227a659e106755e1ba53aba67c831662190226984dc03698dc567aa96b51d2e69f530addd9
b4fdbf3a0b20af2a184cbaf53a35634c8fe3d63ec15c506bf02c35302759fe32ad28c1d4b49e94816bb0f32822816b40557c650da4ae59ca645d5a4d6172903c25e00a229eaa0c526cffba53fca44aa163c7f5fb4959a216d6dad9e19f282b9945d2476bbc0133785131118ad46c3f9331c415e70d35e06fa71c2aa878132ed770a04f0721a5665502dded283f70ae9ab72e48cf03c01d80f68ece54de88aacb2c41c5d7462f9b73f6c2741709c83e20084dd8f9d855c41a0bfbe107e6e47a65c2b1ee5007e9d5f25118a295fc6313243df54cdd92ab4dcedb210dd83be1b058ae1e37a7ac51b9c89bf9eca423c91db0d4a42134a93c8979a03a2de53e45e641a2d40f410bc11a968204f72c96e50664dc29be41a4aac4e07e9cdf239f59c9687bd7dc65ceab076b131941bb15c4f9f4c17d7350780588facffdbc1eaaeb4406b956da733ed09eb48604a0ed4aadcbbd94a8ee079310fe2612a669e5623917eec2b12ad9c86af9757a51759dbb00df2e03e3d3a70bd2c02f9f08444f4e0650edfb2786ca57d3630943556832a32892301b58859ef24007f7a7d9b4afc23703c4fb9077a07d2ea8d3a2b4f015de7f31fc306545816b6b670a45cff4a91b60a1fb478b089c67f459caaf5fce9265fea0c7ec0652cd11305623b04c0a9d1aec6571c6a466dc7a7bec75fcf984d6a9636986becef1418b694e820ee2462f2687e0b68ba51cbd03ba76b43fd7cba01af23ff98f74b764463527c6c397e1c8e8b2225874cc74f958a31a28414f170c2b4cbd90c849ccd54f91bce2908e3bbc21b3d5604aa337c7fb1f810c103216bf444339043d523330eee73bf0866da3f3f728877fbb54e2f928423a1672cc9ba31bc686a6d198efeb3618d5e9a1b0819cf6b9338c56c4b788469f532cdf923066d1ba46a56960342b79b09ec8679ea3caa43365b811257a2449ff9274f6612cb0530dd8678cf18bc1f91f447fad7b958f3d0a1977ce78d102829fe4b83b5659c8155af4d2c05d7315d1486300e6da0846a594d510673b0e7472788559009d74490ec9871d9f0f73699d97fbe303cb4d635f542e95c784a5387127dc454483f950f765a8e904639ef413c7d581af20dfb285955801ab7ec4be4d1b2879de662dde2cfcd6604ec0aa07a5a671f54a4f2853eedca56baf00f07927095958db7d325e863f64a9056bd8e103859921463d1754042b85dcd94d933ef2087dbef57d9a3ad9fe8c64a8799587a3ec23b9b252f03bfce42f017eadfdbe973e84e902e36b9661efaef409c915308dce9a222a9cb1db5215c000fc44d372fb186425cd078bee7770f1fa60ff2d0e344725a51a5f478fe96bfb9a18b6cb542bf394bed02218518f1d381d5aa21fdcd443ce84c180a6a8cf6547effa4627cae93551a7
564f0dac6e37c5f068edda00b47a6f2d33b54c3681128e83ad17b0f098456b9e97f3e02ce391515ffb0c0511a3d8312115382c15b09861ef750c0006e96c9184e17db245b0255c4407fe4bd6eea43fd8c5e80348cb916e9d04b49c2483911b6deece26d2b65762643aa0417be2768b673a22ad58e667f5ef4e2228db9b7939d8f912de32474325155090b1d9741ace4155d64583ecfb5700301d73ed2abd156408ca5e1b88ba75f84a4b834d4f532015773e9f8d4a3650f8984191114f0fdbaa54405bf51f8b1afe532f74c15a3708eb9370fa8316feefac4e43f855506f5d9872b60363567011cc3308a2026d00", 0x1000, 0x4065ebb7}, {&(0x7f0000007980)="112a657c2770ad17f2e77762160bb14f2f71a17b88fdb946f919b2dfd3efd616e31124ff47ee668f6065a0435a791a7439d8aa10dcc418192d821e36fc0820d7cc0f88b088916d786f01426fa46b214de822d24e4d6c785feac458d98635c4801672bd4e74fd40753932121152ae0ead771e3abc7f741e393b328526e5ec29e8e0d9b3a2bebcd0eb3472a4bd8e50f953ed173ba271fbe9f9d9c463c79f44d093154ffef59c93ada783b4727fc35ba6c0db2518939cb35fb3301d4cf72d2524f83ac4ab57a8acfc93a99c26ccaee0566371229496e93021e86b956021a467f34be66e", 0xe2, 0x6d69}, {&(0x7f0000007a80)="629825e3cb9c42732810eb62f1ff4785718f7a30c63940f2eadf19dae820feb9b7b358f741b834164a9a4ac8ce398c231607f523a26db9e0aecac1d1e89022d1cd50d644f2466b25ec09c6d6ef4f0b3ef592d1408d049da49b953b327e123c6f1963c2f7a9e3cc7e0c52ed1e17d0a8b794666875b20b07a0f5c2c76d9632909f769eb25b162737bea131f5c270b3249fd65c255e68b680271d0c11196715177744e7", 0xa2, 0x9}, {&(0x7f0000007b40)="d1091749233d1e7ec50653f301a734f5dd67ac1e748923e44ccedeeb3ea234745896abcb8003ed61605b5dffa8a9af0aa12ed902d4a35a9260c53ab6a621e210e61e4002838dc29e2f798b4cbe0ed0c12a33c69ddda446b9b884fcbfe28199184bd4aeb097d0d9a393b699d1f55a57d830da497d79b9bd7dbcdbfe7e168d6007611db96733574fb150f4e90991c70fc19edba6beedc5a72169366ae5fca5c1cb413bbc54ff8f127d1b94cf9942b5c9be5fbfc93946bf1d0b289a7442fb057adb0ae7fa4189d5e5fefc75ed5d260b3c2c2445d49579e6b369e396da162d940559", 0xe0, 0x6}, 
{&(0x7f0000007c40)="768d82c47f166e252530915b63b40d9eba4b95fe087893453f373a94389e1120981cb44576a2051c4158400a59b9c8a940ccae2826414e14ad55c72b04f8fabfe86462409b3ab2a075ea92c8bddcd2b2fc0fd77a97bc271ecd43dd605f29b990837b409eed5965ddb3fb1b91e5bf12ddbcf21c90c7ef2f0ab9bb03f72a647ce8", 0x80, 0xfffffffffffffff7}, {&(0x7f0000007cc0)="46c0ce8920305b2c7f636edbb165920db78c61f8", 0x14, 0xfffffffffffffffa}]) r15 = syz_usb_connect(0x5, 0x776, &(0x7f0000007dc0)={{0x12, 0x1, 0x300, 0x94, 0xe8, 0x2e, 0x40, 0x789, 0x160, 0xf578, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x764, 0x2, 0x4, 0x8f, 0x0, 0x7f, [{{0x9, 0x4, 0x40, 0x3f, 0xe, 0xbb, 0x18, 0xf3, 0x20, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "c1b0c981cc"}, {0x5, 0x24, 0x0, 0x7}, {0xd, 0x24, 0xf, 0x1, 0x9, 0xfff, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0xaa4}, @acm={0x4, 0x24, 0x2, 0x9}]}, @hid_hid={0x9, 0x21, 0x7ff, 0x8, 0x1, {0x22, 0xd44}}], [{{0x9, 0x5, 0x3, 0x3, 0x40, 0x6, 0x6, 0x80}}, {{0x9, 0x5, 0x5, 0x8, 0x20, 0x34, 0x7, 0xd1, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x20}, @generic={0x65, 0x30, "dac16e845b149dafe66663cc3acf393fa7b0ae46cbb8cf207bdb0d3d6cf681661fa00ed58d703c226470a84eaa264be51e6810875248ede794e2207e60b04585603cd055c6348f0eb4f33f2a833f4aee8884d7773be2f45177ad4c03728ff4dd8e40fd"}]}}, {{0x9, 0x5, 0x2, 0x4, 0x3ff, 0x1f, 0x2, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x9, 0x2}]}}, {{0x9, 0x5, 0x6, 0x0, 0x40, 0x0, 0x40, 0xfd, [@uac_iso={0x7, 0x25, 0x1, 0x83, 0x1f, 0x1000}]}}, {{0x9, 0x5, 0xd, 0x1, 0x3ff, 0x3, 0x1, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x4, 0x3}]}}, {{0x9, 0x5, 0x5, 0x4, 0x8, 0x8, 0xff, 0x80}}, {{0x9, 0x5, 0xf, 0x1, 0x8, 0xae, 0x9, 0xf6, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x95, 0x6}, @generic={0x7a, 0x6, "3f8f5c318c80e5a936089fa5be9dc364d3a8ff22238b9200642bb7969b9c0989510df3f2673846f3fe68eec487476d9d8ea37c9e7ec2939c3a85842cad500bf77aed1d9290eb850af4621cafed03c08a55c422c7122f6ec0703a47dfcb279c0b03558b39c7231b38e559d0546a29ca32280a8ce47080aa8d"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x58982e9dfc588938, 0x1, 0x8c, 0x4}}, {{0x9, 0x5, 0x7, 
0x10, 0x20, 0x6, 0x1, 0x81}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0x80, 0x3, 0x23, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0xb5a}]}}, {{0x9, 0x5, 0x8, 0x2, 0x8, 0x1f, 0x8, 0x1f, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x7f, 0x3}]}}, {{0x9, 0x5, 0xd, 0xc, 0x3ff, 0x12, 0x9, 0x4, [@generic={0xe, 0x5, "a9b97bc24de62c3bcf2bfa13"}, @generic={0x44, 0x30, "9f0d5ea24268b8a3211765246b1a834af641e8cd6ea3ef9b1fe10f16bed6b06cc3a165920c9d73909ab9ac8b2a7a8a5dae5d4acf316d0b35d4b644d368a06e0eff85"}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x3, 0xff, 0x6}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x6, 0x2e}}]}}, {{0x9, 0x4, 0x7, 0x0, 0xd, 0x29, 0xcb, 0x7c, 0x9, [@hid_hid={0x9, 0x21, 0x7, 0x1, 0x1, {0x22, 0xbd9}}, @uac_as={[@format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x43, 0x1, 0x0, 0x9, 'd\"', "3709db"}, @format_type_i_discrete={0x11, 0x24, 0x2, 0x1, 0xf8, 0x2, 0x7, 0x40, "5e58dff9a0d01e4109"}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0xffec, 0x6, 0x15, '?w'}, @as_header={0x7, 0x24, 0x1, 0xe1, 0x3, 0x2}]}], [{{0x9, 0x5, 0xc, 0x8, 0x8, 0x4, 0x8, 0x8}}, {{0x9, 0x5, 0x6, 0x8, 0x8, 0x0, 0x2, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x6, 0x18}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x39, 0x0, 0x6, [@generic={0x80, 0x23, "eba3e2d4848f84d0e6ded46e24d10bf9f8b0738910e29f319e942546e9cda8638257f55d0049672a1337067af73c1c29e0bd772a1cd5e16d249ed15cdd3d85a4399aef69e3f5a506ea0e0559306fe1f42dfc10922062e2bc062c34a1adc4bc46b080259ad20b37cde1eba7178fb514b2ef7397715b0eae34d5efd5274900"}, @generic={0xa1, 0x21, "1c020b389a4c59d1f26da857b222a6f6618adb0411bb24478e68ffe758469d4bb34df6aa9577ced55383dff01c052abbde70468ce31100ca3184d1d5f803dc280df3b7ae4738ad05036701e2e38ce844a7d301d86e0597c5bc1b67e7c6a5f7dfbc3311dbd234688e85e9a7d5021e51e2d0dd418038153db65b7fc268f98ddfd9e5036f24497d2f04cdcc752178991958f7243ff4dd5aefcf759a3fe7fb34c8"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x240, 0x2, 0x1, 0x0, [@generic={0x26, 0x3, 
"b451e24f6972cd6429f81ca173d13fb2c7f5284751638bbc4f0b3de02091fbb4f44533d9"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x7, 0x3f, 0xdb, [@generic={0xc0, 0x0, "ba73f770a427b8438313cb7e9d9d53a7e3110366c878e3c0f6e629ebb2a084a90b2def4b66950fdfd606e0834229e63028875489678bc93698ed8613884254703c315f1ee529d1bcbfaf8d865e738b9e08cbc4a211d480bdc2a6e69e172b1c73639474f1f0115b5f4918d037451c99dee88547562582d57171aa196913f11915d1fdc1a513b16c0b9c1fa07157421046f4f3372d00d4a27eb93ecd79b685e14f3eba647e7b20aefdf92ed05bef68935265ce0035e3b624852350d1234ef9"}, @generic={0xa, 0x5, "290a548e962666df"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x7d7, 0x0, 0x7, 0xf9, [@generic={0xcd, 0x2, "74cd6007ae0ea1297f07018cbdaaa0c87851a01308ad717f235e9eff8010ad1046a5148d352a70760bc4bebdd7528bf7d506da1baac2cf499d52de51d71b05185d7cd268023de5961304521b5f567c74ccab78b61c3f641662af2d55d5157a0ddc80c75962e9bda9ff2d3b63df6a6a0e2aebbfc664de3f3a34d66200fa092475685957f0b3594247a21d463cfe0ccd8044f95319b4d40c7f022d5a9ce9e348cd623dc4c590bee5a1047270954214611a8d98e60aa697a5ce30eeacd2397094e50716739911a4478b495f02"}, @generic={0x2b, 0x3, "9bc9f5807506303fbfd71282a82058560fe8180b205f6f47f9d7cf05280b7eb96d6d1589972f402ef4"}]}}, {{0x9, 0x5, 0x7, 0x1a, 0x8, 0x7, 0x3, 0x86, [@generic={0x35, 0xb, "018a3d5fb94d26c6a689e91eb6a9e49bf1b883b9e3da0a42bf45639bc1b19a0d8e78babd769b27a43dd091ce83b4a91cf5d119"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x6}]}}, {{0x9, 0x5, 0x3, 0x2, 0x200, 0x8, 0x55, 0x7, [@generic={0xc, 0x21, "f2ae0c70731245835364"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x400, 0xff, 0x9, 0x7f}}, {{0x9, 0x5, 0x3, 0x4, 0x3ff, 0x3, 0x81, 0x1f, [@generic={0x102, 0xb, "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"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x200}]}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x81, 0x1, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x8, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x8}]}}, {{0x9, 0x5, 0x0, 0x4, 0x80, 0x9, 0x6, 0x7}}, {{0x9, 0x5, 0x3, 0x0, 0x7ff, 0x1, 0xff, 0x1f}}]}}]}}]}}, &(0x7f0000008640)={0xa, &(0x7f0000008540)={0xa, 0x6, 0x0, 
0x2, 0x86, 0x80, 0x10, 0x2}, 0x42, &(0x7f0000008580)={0x5, 0xf, 0x42, 0x5, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x3, 0x73, 0x4}, @ptm_cap={0x3}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0xeb, 0x3f, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x8, 0xf, 0x6, 0x5}, @generic={0x1f, 0x10, 0x1, "61408d3d2e1872469226d4d9befecdac208dfdaa385178f48ca75650"}]}, 0x1, [{0x4, &(0x7f0000008600)=@lang_id={0x4, 0x3, 0x41a}}]}) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000008680)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r15, &(0x7f0000008900)={0x2c, &(0x7f0000008700)={0x20, 0x21, 0xdb, {0xdb, 0x24, "b501b9a676dfcb3e98c66e8b6877cac30dfb9856c72094ee90f23170f33dc0416919146a8a2ad605ce54f3d443ec597b337b1b4d39c44289bbfc621a00862648fe2df754e463455ef88f55fb63b4b7719dd8d3e6846c4d254afb2e40116d2b5fcd883a84212217e065cd44666801154e7b43e3d1629dc76f3a7110e80790ce65ee44961d306521e94e6ee941a97e0eab0e8037fef768902891bb4105d8baf0a35f93d2a5635935799c87eb91b5e5ff7ae91cbe9cdadd653a486d72d67dc3b371e4e5fa618759de87ebe1ec278d140834590f6c513e4c95cbb3"}}, &(0x7f0000008800)={0x0, 0x3, 0x18, @string={0x18, 0x3, "2c5ddd5fc63236d47af3164223e9b423e13b8560f28a"}}, &(0x7f0000008840)={0x0, 0xf, 0x35, {0x5, 0xf, 0x35, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x8, 0x2, 0xa, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x8, 0x3f, 0x1, 0x4, 0x6}, @ss_container_id={0x14, 0x10, 0x4, 0x80, "d0d1e2d868e0fa991777cac1b7948258"}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x3, 0x4, 0x0, 0x8}]}}, &(0x7f0000008880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x4, 0xc1, 0x7f, "1bc19f6f", "0cd3a196"}}, &(0x7f00000088c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xff, 0x8, 0x20, 0x2, 0x6, 0x800, 0x9}}}, &(0x7f0000008e00)={0x84, &(0x7f0000008940)={0x0, 0xb, 0xe5, 
"ea88bca9c1e3f5bdf607f7252573dd8756e9f32a7c4aeea5b3e1ae6fdbe3194c1918d9d9a3aa13dbbc47e1430d7be6a180c7388456d12a5c327b716d2341bcd0ef82a4a34610e28fc7b2e172dfa056c6353da166496ca2540e60bb52066ef4773667409a68eff52e75ff93469e4ff5d69966b81e034c688a2f6fd945ecd05f336573586823fd9f6d40bb483dd27ad46b841455ac07fc319b8cb5f5e2daa64a6c5f3bc099270cd376660ef3456571aa6d2fe48667838d811126caceedaebef9608192b603327f6ee9ed42572b6eb3c6630e9017428ed370bd0324da01eae4a7881a6b88aa1a"}, &(0x7f0000008a40)={0x0, 0xa, 0x1, 0x5}, &(0x7f0000008a80)={0x0, 0x8, 0x1, 0x1f}, &(0x7f0000008ac0)={0x20, 0x0, 0x4, {0x2, 0x3}}, &(0x7f0000008b00)={0x20, 0x0, 0x4, {0x100, 0x1}}, &(0x7f0000008b40)={0x40, 0x7, 0x2, 0xffff}, &(0x7f0000008b80)={0x40, 0x9, 0x1, 0x7f}, &(0x7f0000008bc0)={0x40, 0xb, 0x2, "a6ab"}, &(0x7f0000008c00)={0x40, 0xf, 0x2}, &(0x7f0000008c40)={0x40, 0x13, 0x6}, &(0x7f0000008c80)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}, &(0x7f0000008cc0)={0x40, 0x19, 0x2, 'rN'}, &(0x7f0000008d00)={0x40, 0x1a, 0x2, 0xb81}, &(0x7f0000008d40)={0x40, 0x1c, 0x1, 0x40}, &(0x7f0000008d80)={0x40, 0x1e, 0x1, 0x80}, &(0x7f0000008dc0)={0x40, 0x21, 0x1, 0x92}}) syz_usb_disconnect(r15) syz_usb_ep_read(r16, 0x1f, 0x80, &(0x7f0000008ec0)=""/128) syz_usb_ep_write(r15, 0xff, 0x49, &(0x7f0000008f40)="059cbaeb6864bcc93a17640936d2e5450deb6a94a3cd8dbac2fbcfac932f8dd22205e7ae589b0f0172e751e308a236cea85711d74b546d98b4d75afcc65fd04633c1fbed7cfe4d049d") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static 
uint64_t current_time_ms(void)
{
	// Monotonic clock in milliseconds; a failing clock_gettime is fatal.
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
// Creates ./syzkaller.XXXXXX, makes it world-writable and chdirs into it.
// Any failure is fatal. NOTE(review): mode 0777 lets any local user drop
// files into the working directory; acceptable inside a throwaway test VM,
// not on a shared host.
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}
// Starts a worker thread running fn(arg) with a 128 KiB stack.
// pthread_create is retried up to 100 times on EAGAIN (50us apart);
// any other error, or exhausting the retries, is fatal.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}
// Mask covering bf_len bits starting at bit bf_off.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Stores val into the bit range [bf_off, bf_off+bf_len) of *addr; htobe is
// applied on both read and write so the in-memory representation keeps the
// requested byte order.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) \
	*(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
// One-shot event on top of a futex word: 0 = clear, 1 = set.
typedef struct {
	int state;
} event_t;
static void event_init(event_t* ev)
{
	ev->state = 0;
}
static void event_reset(event_t* ev)
{
	ev->state = 0;
}
// Sets the event and wakes every waiter. Setting an already-set event is
// treated as a programming error and aborts the process.
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}
// Blocks until the event is set; spurious futex wakeups simply re-check.
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}
static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}
// Waits up to `timeout` milliseconds for the event. Returns 1 once the event
// is set and 0 when the deadline passes. The body continues on the next line
// of this listing.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		// Time left until start + timeout; each futex wait uses it as its bound.
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 
1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}
// Formats `what` with the printf-style arguments and writes the result to
// `file` in a single write(2). Returns false if the open fails or the write
// is short, leaving errno set by the failing call. The staging buffer is
// 1024 bytes, so longer formatted text is silently truncated.
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}
// Well-known fd number that is expected to hold the initial network
// namespace (used by syz_init_net_socket below).
const int kInitNetNsFd = 239;
// Hard-coded byte offsets into the io_uring ring mapping. syz_io_uring_complete
// and syz_io_uring_submit read the ring through these instead of the offsets
// the kernel reports in io_uring_params; they are assumed to match the
// running kernel's layout.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};
// Pops one completion from the CQ ring mapped at a0 and advances the head.
// Returns cqe.res when user_data carries one of two fixed tags (0x12345 or
// 0x23456), otherwise -1. The ring pointer is program memory and is
// dereferenced without validation.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	// Release store hands the consumed slot back to the kernel.
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
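(long)cqe.res : (long)-1;
}
struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};
struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};
struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
// Creates an io_uring instance and maps its rings at program-chosen addresses.
//   a0: entries                         a1: struct io_uring_params* (program memory)
//   a2: address for the SQ/CQ ring      a3: address for the SQE array
//   a4: void** receiving the ring map   a5: void** receiving the SQE map
// Returns the io_uring fd, or -1 if io_uring_setup failed; in that case
// nothing is mapped and the out-pointers are left untouched. The mmap
// results are not checked: a failed MAP_FIXED mapping leaves MAP_FAILED in
// the out-pointer, which a later syz_io_uring_submit will dereference.
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;
	// Bail out before reading setup_params if the syscall failed: the
	// offsets below are only meaningful after a successful setup, and a bad
	// a1 is rejected by the kernel instead of being dereferenced here.
	long fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	if (fd_io_uring < 0)
		return -1;
	// One mapping has to cover both the SQ and the CQ ring.
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}
// Copies the 64-byte SQE at a2 into slot a3 of the SQE array (a1) and
// publishes that slot through the SQ ring mapped at a0. Always returns 0.
// All pointers are program memory and are not validated.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ index array is placed after the CQEs, rounded up to 64 bytes.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	// Wrap the program-chosen slot into the ring; a zero-entry ring is left as-is.
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	// Release store: the SQE contents must be visible before the tail moves.
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}
// Minimal BTF definitions used by syz_btf_id_by_name to walk
// /sys/kernel/btf/vmlinux.
#define BTF_MAGIC 0xeB9F
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};
struct btf_enum {
	__u32 name_off;
	__s32 val;
};
struct 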
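btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};
struct btf_param {
	__u32 name_off;
	__u32 type;
};
struct btf_var {
	__u32 linkage;
};
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)
// Reads /sys/kernel/btf/vmlinux once into a static 10 MiB buffer and caches
// it for later calls. Returns the buffer, or NULL if the file cannot be
// opened, a read fails, or the blob would fill the whole buffer; a failed
// attempt is retried on the next call. The fd is closed on every path.
// NOTE(review): is_read is a plain static, so concurrent first calls from
// several threads can both read the file into the shared buffer.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			// Error, or the blob does not fit: do not leak the fd.
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	close(fd);
	is_read = true;
	return buf;
}
// Resolves a BTF type name (a0, NUL-terminated program string) to its BTF id
// by walking the vmlinux type section in order; ids start at 1. Returns -1
// when a0 is NULL, BTF is unavailable, the header magic does not match, or no
// type has that name.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	if (!target)
		return -1;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		// Never read a partial type header past the end of the type section.
		if (btf_header->type_len - bytes_parsed < sizeof(struct btf_type))
			break;
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		// name_off is trusted to land inside the string section: the blob
		// comes from the running kernel, not from the program.
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// Size of the kind-specific payload that follows the type header;
		// kinds not listed here carry none.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}
// memcpy(a0 + a1, a2 + a3, a4) on program memory; returns the destination.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}
#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6
// Per-endpoint record: the descriptor as found in the blob plus the
// raw-gadget handle assigned when the interface is selected.
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};
// Parsed view over a program-supplied descriptor blob. `dev` and `config`
// point into that blob (program memory), they are not copies.
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};
struct usb_info {
	int fd;
	struct usb_device_index index;
};
// Registry of emulated devices keyed by raw-gadget fd (see add_usb_index).
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;
// Indexes the descriptor blob `buffer` (device descriptor followed by the
// configuration tree) into `index`: interfaces are recorded up to
// USB_MAX_IFACE_NUM, endpoints up to USB_MAX_EP_NUM per interface. The walk
// follows bLength and stops at the first descriptor that is malformed
// (bLength <= 2) or would run past `length`. Returns false only when the
// buffer cannot hold both headers. The body continues on the next line of
// this listing.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		if (desc_type == USB_DT_INTERFACE && 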
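index->ifaces_num < USB_MAX_IFACE_NUM) {
			// NOTE(review): only bLength > 2 is guaranteed here, so the
			// field reads below may touch bytes past a truncated
			// interface descriptor; they stay inside program memory.
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				// Copy at most bLength bytes: the in-memory descriptor
				// struct can be larger than a short wire descriptor, and
				// only offset + desc_length <= length has been checked, so
				// copying sizeof(desc) unconditionally could read past the
				// end of `buffer`. The slot was zeroed by the memset above,
				// so any uncopied tail fields stay 0.
				size_t copy_len = sizeof(iface->eps[iface->eps_num].desc);
				if (desc_length < copy_len)
					copy_len = desc_length;
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, copy_len);
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}
// Claims the next usb_devices slot for `fd` and indexes its descriptor blob.
// Returns NULL when all USB_MAX_FDS slots are used or the blob does not
// parse; the counter is bumped either way, so a failed attempt permanently
// consumes a slot. The fd is published last with a release store so that
// lookup_usb_index (acquire load) only ever sees a fully-built index.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}
// Finds the index registered for fd, or NULL. NOTE(review): unused slots
// hold fd 0, so a lookup for fd 0 returns an empty index; slots are never
// cleared on close either, so a reused fd number can match a stale entry.
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}
// Program-supplied descriptors for the enumeration phase. All pointers are
// program memory, and `descs` itself may be NULL.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));
// Fallback string descriptor "syz" (UTF-16LE) and LANGID table (0x0409).
static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 };
static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 };
// Answers an IN control request during enumeration from the indexed
// descriptors and `descs`. On success sets *response_data/*response_length
// and returns true; false means the request should be stalled. The body
// continues on the next line of this listing.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = 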
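lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				// Program-supplied strings win; index 0 is the LANGID
				// table; anything else falls back to "syz".
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// descs may be NULL (the string case above already
				// allows for it); with no program-supplied BOS, stall.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Synthesise the qualifier from the device descriptor.
					// The caller memcpy's *response_data after we return,
					// so the data must outlive this call: keep it in a
					// static buffer. Writing it through response_data
					// itself would overrun the caller's char* variable
					// and leave it pointing at descriptor bytes.
					// NOTE(review): the buffer is shared, so two threads
					// enumerating devices at once could race on it.
					static struct usb_qualifier_descriptor qual_buf;
					struct usb_qualifier_descriptor* qual = &qual_buf;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}
// Policy hook for OUT control requests during enumeration: returns true to
// accept the request, false to stall it, and sets *done when enumeration
// should end.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);
// Generic OUT policy: accept SET_CONFIGURATION and finish on it; stall
// everything else. The body continues on the next line of this listing.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	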
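switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}
#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31
// ath9k OUT policy: SET_CONFIGURATION and the vendor firmware-download
// chunks are accepted, and enumeration only ends when the
// firmware-download-complete request arrives.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}
// Program-supplied answer tables for syz_usb_control_io. `descs` answers
// GET_DESCRIPTOR requests matched by (request type, descriptor type);
// `resps` answers every other request matched by (request type, bRequest);
// `generic` is the fallback in each table. `len` is the byte size of the
// whole table including the trailing pointer array. All pointers are
// program memory.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));
struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));
// Picks the response for one control request. Returns true and sets
// *response_data/*response_length (data is NULL when the length is 0);
// false means the request should be stalled. A table whose `len` is smaller
// than its fixed header would underflow the element count, so it is treated
// as empty.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;
	if (descs && descs->len >= offsetof(struct vusb_descriptors, descs))
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps && resps->len >= offsetof(struct vusb_responses, resps))
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;
	if (req == USB_REQ_GET_DESCRIPTOR) {
		int i;
		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}
// Local copy of the raw-gadget UAPI (/dev/raw-gadget ioctls and structs).
#define UDC_NAME_LENGTH_MAX 128
struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};
enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};
struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};
struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};
#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff
struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};
struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};
struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};
struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};
#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', \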
4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)
// Thin wrappers over the raw-gadget ioctls; each returns the ioctl result
// unchanged (-1 with errno set on failure).
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}
// Binds the gadget to the named UDC driver/device at `speed`.
// NOTE(review): strncpy does not NUL-terminate a name of 128+ bytes; the
// callers in this file pass short constant names, so that cannot trigger here.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}
static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}
// event->length must hold the capacity of event->data on entry.
static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}
// On success the ioctl result is the endpoint handle used by the
// EP_WRITE/EP_READ/EP_DISABLE calls (see set_interface).
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}
static int usb_raw_configure(int fd)
{
	return ioctl(fd, 
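USB_RAW_IOCTL_CONFIGURE, 0);
}
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}
// Returns the position in index->ifaces of the interface with the given
// number and alternate setting, or -1 if fd is unknown or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}
// Returns the raw-gadget handle of the endpoint with bEndpointAddress in the
// currently selected interface, or -1 if fd is unknown, no interface has
// been selected yet, or that interface has no such endpoint.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	// The walk must be bounded by eps_num: an unbounded loop keeps reading
	// past the end of eps[] whenever the address is not present.
	for (int ep = 0; ep < iface->eps_num; ep++)
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	return -1;
}
// Disables the endpoints of the currently selected interface (if any), then
// enables those of interface n and records the handles raw-gadget returns.
// Enable/disable failures are ignored; an endpoint whose enable failed keeps
// its previous handle. An out-of-range n leaves iface_cur unchanged.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		struct usb_iface_index* cur = &index->ifaces[index->iface_cur];
		for (int ep = 0; ep < cur->eps_num; ep++)
			usb_raw_ep_disable(fd, cur->eps[ep].handle);
	}
	if (n >= 0 && n < index->ifaces_num) {
		struct usb_iface_index* next = &index->ifaces[n];
		for (int ep = 0; ep < next->eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &next->eps[ep].desc);
			if (rv >= 0)
				next->eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}
// Completes SET_CONFIGURATION: reports bMaxPower, configures the gadget and
// selects interface 0. Returns the first failing ioctl result, else 0.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}
#define USB_MAX_PACKET_SIZE 4096
// Control event as fetched from raw-gadget: the setup packet followed by
// room for one data stage of up to USB_MAX_PACKET_SIZE bytes.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest 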
ctrl;
	char data[USB_MAX_PACKET_SIZE];
};
// Endpoint transfer buffer: raw-gadget header plus one max-size payload.
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};
// Emulates a USB device through /dev/raw-gadget: registers the descriptor
// blob `dev`, binds to the per-process dummy UDC, then serves control
// requests until lookup_connect_response_out reports that enumeration is
// done. Returns the raw-gadget fd on success, a negative ioctl result or -1
// on failure. NOTE(review): every failure after usb_raw_open except the
// MAX_FDS check returns without closing fd, and a registered index is never
// removed, so failed connects leak an fd and a usb_devices slot.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	// "dummy_udc." plus at most 20 decimal digits fits the 32-byte buffer.
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		// Only the setup packet is fetched here; the data stage is handled
		// through the ep0 read/write below.
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			// Unknown IN requests are stalled and the loop keeps serving.
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// Clamp to the buffer and to what the host asked for; an oversized
		// response is sent as an empty one rather than truncated.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, 
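response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}
// syz_usb_connect(speed, dev_len, dev, descs): plain device, enumeration
// ends at SET_CONFIGURATION.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}
// Same as syz_usb_connect but with the ath9k firmware-download policy.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}
// Serves exactly one control request on the connected device a0, answering
// from the program-supplied tables a1 (descriptors) and a2 (responses).
// Returns 0 after the request is completed, a negative ioctl result on
// failure, or -1 if the fetched event is not a control event or no answer
// was found (the request is then stalled).
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// Only a standard SET_INTERFACE switches the active interface.
		// Both conditions are required: matching on either alone would
		// also treat e.g. SET_CONFIGURATION (wIndex/wValue mean something
		// else there) or a vendor request with bRequest == 0x0b as an
		// interface switch.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			// An unknown interface/alt-setting is silently ignored.
			if (iface_index >= 0)
				set_interface(fd, iface_index);
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// An IN request with a zero-length data stage is answered through the
	// ep0 read path below with a full-size zeroed buffer.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
// Writes up to USB_MAX_PACKET_SIZE bytes from program memory a3 to the
// endpoint with address a1 on device a0 (len a2 is clamped). Returns 0,
// -1 if the endpoint is not known for the selected interface, or the
// negative ioctl result. a3 is dereferenced without a NULL check.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
// Reads up to a2 (clamped to USB_MAX_PACKET_SIZE) bytes from endpoint a1 of
// device a0 into program memory a3. The body continues on the next line of
// this listing.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct 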
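usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	// NOTE(review): copies io_data.inner.length bytes, which is the clamped
	// request length unless the ioctl rewrites it; confirm the caller's
	// buffer at a3 is at least that large.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}
// Closes the raw-gadget fd, which detaches the emulated device. The
// usb_devices entry for the fd is not cleared (see lookup_usb_index).
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}
// Opens a device node. With a0 == 0xc/0xb the path is /dev/char/<a1>:<a2> or
// /dev/block/<a1>:<a2> opened O_RDWR; otherwise a0 is a program string whose
// '#' characters are replaced, right to left, by the decimal digits of a1,
// and the result is opened with flags a2. Returns the open(2) result.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		// Each '#' (first occurrence first) takes the next lowest digit of a1.
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}
// Opens /proc/self/<a1> (a0 == 0), /proc/thread-self/<a1> (a0 == -1) or
// /proc/self/task/<a0>/<a1>, trying O_RDWR first and falling back to
// O_RDONLY. a1 is a program string; the path is truncated to 128 bytes.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}
// Opens the slave side of the pty whose master is a0, with flags a1.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}
// Creates a socket in the initial network namespace (kept open at
// kInitNetNsFd) and switches back to the caller's namespace afterwards.
// Returns the socket fd or -1; errno reflects the socket(2) call. Failing to
// switch back is fatal, since continuing in the wrong namespace would
// silently affect every later call.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Do not leak the namespace fd; keep the setns errno for the caller.
		int err = errno;
		close(netns);
		errno = err;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}
// Local copies of the Bluetooth HCI definitions used by the vhci helpers.
#define BTPROTO_HCI 1
#define ACL_LINK 1
#define SCAN_PAGE 2
typedef struct {
	uint8_t b[6];
} __attribute__((packed)) bdaddr_t;
#define HCI_COMMAND_PKT 1
#define HCI_EVENT_PKT 4
#define HCI_VENDOR_PKT 0xff
struct hci_command_hdr {
	uint16_t opcode;
	uint8_t plen;
} __attribute__((packed));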
struct hci_event_hdr {
	uint8_t evt;
	uint8_t plen;
} __attribute__((packed));

// Event payloads the fake controller emits (wire layouts, hence packed).
#define HCI_EV_CONN_COMPLETE 0x03
struct hci_ev_conn_complete {
	uint8_t status;
	uint16_t handle;
	bdaddr_t bdaddr;
	uint8_t link_type;
	uint8_t encr_mode;
} __attribute__((packed));

#define HCI_EV_CONN_REQUEST 0x04
struct hci_ev_conn_request {
	bdaddr_t bdaddr;
	uint8_t dev_class[3];
	uint8_t link_type;
} __attribute__((packed));

#define HCI_EV_REMOTE_FEATURES 0x0b
struct hci_ev_remote_features {
	uint8_t status;
	uint16_t handle;
	uint8_t features[8];
} __attribute__((packed));

#define HCI_EV_CMD_COMPLETE 0x0e
struct hci_ev_cmd_complete {
	uint8_t ncmd;
	uint16_t opcode;
} __attribute__((packed));

// Commands the fake controller answers specifically; anything else gets a
// generic Command Complete (see process_command_pkt).
#define HCI_OP_WRITE_SCAN_ENABLE 0x0c1a
#define HCI_OP_READ_BUFFER_SIZE 0x1005
struct hci_rp_read_buffer_size {
	uint8_t status;
	uint16_t acl_mtu;
	uint8_t sco_mtu;
	uint16_t acl_max_pkt;
	uint16_t sco_max_pkt;
} __attribute__((packed));

#define HCI_OP_READ_BD_ADDR 0x1009
struct hci_rp_read_bd_addr {
	uint8_t status;
	bdaddr_t bdaddr;
} __attribute__((packed));

#define HCI_EV_LE_META 0x3e
struct hci_ev_le_meta {
	uint8_t subevent;
} __attribute__((packed));

#define HCI_EV_LE_CONN_COMPLETE 0x01
struct hci_ev_le_conn_complete {
	uint8_t status;
	uint16_t handle;
	uint8_t role;
	uint8_t bdaddr_type;
	bdaddr_t bdaddr;
	uint16_t interval;
	uint16_t latency;
	uint16_t supervision_timeout;
	uint8_t clk_accurancy;
} __attribute__((packed));

// Argument of HCISETSCAN.
struct hci_dev_req {
	uint16_t dev_id;
	uint32_t dev_opt;
};

// First packet read from /dev/vhci: vendor packet carrying the hci device id.
struct vhci_vendor_pkt {
	uint8_t type;
	uint8_t opcode;
	uint16_t id;
};

#define HCIDEVUP _IOW('H', 201, int)
#define HCISETSCAN _IOW('H', 221, int)

// fd of /dev/vhci once initialize_vhci has run; -1 until then.
static int vhci_fd = -1;

// Soft-unblock every rfkill switch by writing one RFKILL_OP_CHANGE_ALL event
// to /dev/rfkill. Any failure is fatal (exit(1)); used when HCIDEVUP fails
// with ERFKILL.
static void rfkill_unblock_all()
{
	int fd = open("/dev/rfkill", O_WRONLY);
	if (fd < 0)
		exit(1);
	struct rfkill_event event = {0};
	event.idx = 0;
	event.type = RFKILL_TYPE_ALL;
	event.op = RFKILL_OP_CHANGE_ALL;
	event.soft = 0;
	event.hard = 0;
	if (write(fd, &event, sizeof(event)) < 0)
		exit(1);
	close(fd);
}

// Send one HCI event packet (type byte, event header, payload) to fd in a
// single writev; the body continues on the next line.
static void hci_send_event_packet(int fd, uint8_t evt, void* data,
size_t data_len)
{
	struct iovec iv[3];
	struct hci_event_hdr hdr;
	hdr.evt = evt;
	// plen is a single byte; callers in this file pass small fixed structs.
	hdr.plen = data_len;
	uint8_t type = HCI_EVENT_PKT;
	iv[0].iov_base = &type;
	iv[0].iov_len = sizeof(type);
	iv[1].iov_base = &hdr;
	iv[1].iov_len = sizeof(hdr);
	iv[2].iov_base = data;
	iv[2].iov_len = data_len;
	// A short or failed write leaves the HCI stream out of sync, so it is fatal.
	if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0)
		exit(1);
}

// Send a Command Complete event for `opcode` with the given return-parameter
// payload: type byte, event header, hci_ev_cmd_complete (ncmd = 1), payload.
// plen covers the cmd_complete header plus data_len; the largest payload in
// this file is 0xf9 bytes, keeping plen within its single byte.
static void hci_send_event_cmd_complete(int fd, uint16_t opcode, void* data, size_t data_len)
{
	struct iovec iv[4];
	struct hci_event_hdr hdr;
	hdr.evt = HCI_EV_CMD_COMPLETE;
	hdr.plen = sizeof(struct hci_ev_cmd_complete) + data_len;
	struct hci_ev_cmd_complete evt_hdr;
	evt_hdr.ncmd = 1;
	evt_hdr.opcode = opcode;
	uint8_t type = HCI_EVENT_PKT;
	iv[0].iov_base = &type;
	iv[0].iov_len = sizeof(type);
	iv[1].iov_base = &hdr;
	iv[1].iov_len = sizeof(hdr);
	iv[2].iov_base = &evt_hdr;
	iv[2].iov_len = sizeof(evt_hdr);
	iv[3].iov_base = data;
	iv[3].iov_len = data_len;
	if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0)
		exit(1);
}

// Answer one HCI command read from the vhci device (buf points just past the
// packet-type byte, buf_size is the remaining length). A malformed command
// (short buffer, or plen disagreeing with buf_size) is fatal.
// Returns true only for Write Scan Enable, which event_thread treats as the
// signal that controller bring-up is done; every other command returns false.
static bool process_command_pkt(int fd, char* buf, ssize_t buf_size)
{
	struct hci_command_hdr* hdr = (struct hci_command_hdr*)buf;
	if (buf_size < (ssize_t)sizeof(struct hci_command_hdr) ||
	    hdr->plen != buf_size - sizeof(struct hci_command_hdr)) {
		exit(1);
	}
	switch (hdr->opcode) {
	case HCI_OP_WRITE_SCAN_ENABLE: {
		uint8_t status = 0;
		hci_send_event_cmd_complete(fd, hdr->opcode, &status, sizeof(status));
		return true;
	}
	case HCI_OP_READ_BD_ADDR: {
		// Fixed fake controller address aa:aa:aa:aa:aa:aa.
		struct hci_rp_read_bd_addr rp = {0};
		rp.status = 0;
		memset(&rp.bdaddr, 0xaa, 6);
		hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp));
		return false;
	}
	case HCI_OP_READ_BUFFER_SIZE: {
		struct hci_rp_read_buffer_size rp = {0};
		rp.status = 0;
		rp.acl_mtu = 1021;
		rp.sco_mtu = 96;
		rp.acl_max_pkt = 4;
		rp.sco_max_pkt = 6;
		hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp));
		return false;
	}
	}
	// Unknown command: acknowledge with a zero-filled 249-byte return block.
	char dummy[0xf9] = {0};
	hci_send_event_cmd_complete(fd, hdr->opcode, dummy, sizeof(dummy));
	return false;
}

// Thread body: serve HCI commands from vhci_fd until process_command_pkt
// reports completion. Continues on the next line.
static void* event_thread(void* arg)
{
	while (1) {
		char
buf[1024] = {0};
		ssize_t buf_size = read(vhci_fd, buf, sizeof(buf));
		if (buf_size < 0)
			exit(1);
		// Only command packets are handled; the type byte is stripped before
		// dispatch. Other packet types are silently dropped.
		if (buf_size > 0 && buf[0] == HCI_COMMAND_PKT) {
			if (process_command_pkt(vhci_fd, buf + 1, buf_size - 1))
				break;
		}
	}
	return NULL;
}

// Connection handles for the fake ACL and LE links created below.
#define HCI_HANDLE_1 200
#define HCI_HANDLE_2 201

// Bring up a virtual HCI controller: open /dev/vhci, pin it to fd 241 (so the
// fd number is stable), read the vendor packet that carries the device id,
// serve the kernel's bring-up commands on a helper thread, enable page scan,
// and then inject a fake inbound ACL connection. Every failure is fatal
// (exit(1)). Continues on the next line with the LE connection.
static void initialize_vhci()
{
	int hci_sock = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI);
	if (hci_sock < 0)
		exit(1);
	vhci_fd = open("/dev/vhci", O_RDWR);
	if (vhci_fd == -1)
		exit(1);
	// Move the device to a fixed fd number; presumably so generated programs
	// can refer to it directly — see syz_emit_vhci, which uses vhci_fd.
	const int kVhciFd = 241;
	if (dup2(vhci_fd, kVhciFd) < 0)
		exit(1);
	close(vhci_fd);
	vhci_fd = kVhciFd;
	struct vhci_vendor_pkt vendor_pkt;
	if (read(vhci_fd, &vendor_pkt, sizeof(vendor_pkt)) != sizeof(vendor_pkt))
		exit(1);
	if (vendor_pkt.type != HCI_VENDOR_PKT)
		exit(1);
	// The command responder must be running before HCIDEVUP, which blocks
	// until the controller answers the kernel's init sequence.
	pthread_t th;
	if (pthread_create(&th, NULL, event_thread, NULL))
		exit(1);
	int ret = ioctl(hci_sock, HCIDEVUP, vendor_pkt.id);
	if (ret) {
		// Soft-blocked by rfkill: unblock everything and retry once.
		if (errno == ERFKILL) {
			rfkill_unblock_all();
			ret = ioctl(hci_sock, HCIDEVUP, vendor_pkt.id);
		}
		if (ret && errno != EALREADY)
			exit(1);
	}
	struct hci_dev_req dr = {0};
	dr.dev_id = vendor_pkt.id;
	dr.dev_opt = SCAN_PAGE;
	if (ioctl(hci_sock, HCISETSCAN, &dr))
		exit(1);
	// Fake remote aa:aa:aa:aa:aa:10 requests an ACL connection, which then
	// completes on HCI_HANDLE_1 with a remote-features event.
	struct hci_ev_conn_request request;
	memset(&request, 0, sizeof(request));
	memset(&request.bdaddr, 0xaa, 6);
	*(uint8_t*)&request.bdaddr.b[5] = 0x10;
	request.link_type = ACL_LINK;
	hci_send_event_packet(vhci_fd, HCI_EV_CONN_REQUEST, &request, sizeof(request));
	struct hci_ev_conn_complete complete;
	memset(&complete, 0, sizeof(complete));
	complete.status = 0;
	complete.handle = HCI_HANDLE_1;
	memset(&complete.bdaddr, 0xaa, 6);
	*(uint8_t*)&complete.bdaddr.b[5] = 0x10;
	complete.link_type = ACL_LINK;
	complete.encr_mode = 0;
	hci_send_event_packet(vhci_fd, HCI_EV_CONN_COMPLETE, &complete, sizeof(complete));
	struct hci_ev_remote_features features;
	memset(&features, 0, sizeof(features));
	features.status = 0;
	features.handle = HCI_HANDLE_1;
	hci_send_event_packet(vhci_fd, HCI_EV_REMOTE_FEATURES, &features, sizeof(features));
	struct {
		struct hci_ev_le_meta le_meta;
		struct
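hci_ev_le_conn_complete le_conn;
	} le_conn;
	// Tail of initialize_vhci (its start is above this chunk): inject a fake
	// LE connection-complete meta event from aa:aa:aa:aa:aa:11 on
	// HCI_HANDLE_2, then wait for the command responder thread to finish.
	memset(&le_conn, 0, sizeof(le_conn));
	le_conn.le_meta.subevent = HCI_EV_LE_CONN_COMPLETE;
	memset(&le_conn.le_conn.bdaddr, 0xaa, 6);
	*(uint8_t*)&le_conn.le_conn.bdaddr.b[5] = 0x11;
	le_conn.le_conn.role = 1;
	le_conn.le_conn.handle = HCI_HANDLE_2;
	hci_send_event_packet(vhci_fd, HCI_EV_LE_META, &le_conn, sizeof(le_conn));
	pthread_join(th, NULL);
	close(hci_sock);
}

// Write a raw HCI packet (a0 = data, a1 = length) to the vhci device opened by
// initialize_vhci. Returns -1 if the device was never opened, else the
// write() result.
static long syz_emit_vhci(volatile long a0, volatile long a1)
{
	if (vhci_fd < 0)
		return (uintptr_t)-1;
	char* data = (char*)a0;
	uint32_t length = a1;
	return write(vhci_fd, data, length);
}

// Resolve a generic-netlink family name (NUL-terminated string at `name`,
// at most GENL_NAMSIZ bytes are sent) to its numeric family id via
// CTRL_CMD_GETFAMILY on a throwaway NETLINK_GENERIC socket. Returns the id,
// or -1 on any socket/send/receive failure or if the reply carries no
// CTRL_ATTR_FAMILY_ID attribute.
static long syz_genetlink_get_family_id(volatile long name)
{
	// Request and reply share buf; the reply overwrites the request in place.
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	// An error reply (NLMSG_ERROR) has a different type and is rejected here.
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	// Walk the attributes after the genl header. Fix: the original only
	// checked that the attribute *start* was inside the reply. Reading
	// nla_len past the received bytes, and NLMSG_ALIGN(0) == 0 for a
	// zero-length attribute (an endless loop), are both ruled out by
	// requiring a complete header with nla_len >= sizeof(*attr).
	for (; (char*)attr + sizeof(*attr) <= buf + n && attr->nla_len >= sizeof(*attr);
	     attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			// The id is a u16 payload; make sure it was actually received.
			if (attr->nla_len < sizeof(*attr) + sizeof(uint16_t) ||
			    (char*)(attr + 1) + sizeof(uint16_t) > buf + n)
				return -1;
			return *(uint16_t*)(attr + 1);
		}
	}
	return -1;
}

// One piece of a filesystem image: `size` bytes at `data`, to be placed at
// byte `offset` of the image file.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
// memfd_create syscall number (this build targets amd64, see the test log).
#define sys_memfd_create 319

// Clamp a caller-supplied image description so the memfd built from it stays
// bounded: only the first IMAGE_MAX_SEGMENTS segments are considered, each is
// kept inside [0, IMAGE_MAX_SIZE), and the returned image size is grown to
// cover every (clamped) segment but capped at IMAGE_MAX_SIZE. Mutates segs[]
// in place. nsegs is passed by value, so the caller must apply the same
// IMAGE_MAX_SEGMENTS clamp before iterating segs[] itself.
static unsigned long
fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// Fix: the image must reach the segment's end, offset + size. The
		// original compared against offset + offset, which under-sizes the
		// file for any segment that starts near the beginning of the image.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Materialise an image in an anonymous memfd and attach it to the loop device
// `loopname`. On success stores both fds through memfd_p/loopfd_p and returns
// 0; on failure closes whatever was opened, sets errno and returns -1.
// If the loop device is busy it is cleared once and the attach retried after
// a short pause. Segment write failures are deliberately ignored (best effort:
// a partially written image is still useful to the fuzzer).
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	size = fs_image_segment_check(size, nsegs, segs);
	// Fix: fs_image_segment_check clamps only its own copy of nsegs; without
	// this the loop below would still visit — and trust the size/offset of —
	// segments past IMAGE_MAX_SEGMENTS that were never bounds-checked.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Attach an image (size/nsegs/segments as for setup_loop_device) to this
// process's loop device and ask the kernel to scan its partition table.
// Continues on the next line: partitions found are symlinked as ./file<N>.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	// procid is defined elsewhere in the file; one loop device per process.
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err =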
errno;
		goto error_clear_loop;
	}
	// Rest of syz_read_part_table (its start is on the previous line).
	// Re-applying the status with LO_FLAGS_PARTSCAN makes the kernel scan the
	// partition table and create /dev/loopNpM nodes.
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// Expose partitions 1..7 that exist as ./file0, ./file1, ... (j counts
	// only the ones found). symlink failures are ignored on purpose.
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	close(memfd);
	errno = err;
	return res;
}

// Mount a filesystem image: fsarg = fs type string, dir = mount point (created
// with mkdir if missing), size/nsegs/segments describe the image (segments ==
// 0 means no loop device is used and source is NULL), flags = mount flags,
// optsarg = mount options string. Returns an O_RDONLY|O_DIRECTORY fd on the
// mounted directory, or -1 with errno set. The loop device is detached again
// before returning; the mount itself keeps the backing memfd alive.
// Continues on the next line with `res;`.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
			return -1;
		source = loopname;
	}
	mkdir(target, 0777);
	// Options are copied with 32 bytes of headroom so the fs-specific suffixes
	// appended below always fit; overlong input is silently truncated.
	char opts[256];
	memset(opts, 0, sizeof(opts));
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Keep the kernel from panicking/remounting on a corrupted ext image:
		// append errors=continue when errors=panic is requested or
		// errors=remount-ro is absent (a later option overrides an earlier one).
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
	}
error_clear_loop:
	if (need_loop_device) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
		close(memfd);
	}
	errno = err;
	return
res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x0
0\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x4
8\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0
f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define 
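ADDR_TEXT 0x0000
// Guest-physical layout used by syz_kvm_setup_cpu. guest_mem is 0 there, so
// these values double as offsets into host_mem.
#define ADDR_GDT 0x1000
#define ADDR_LDT 0x1800
#define ADDR_PML4 0x2000
#define ADDR_PDP 0x3000
#define ADDR_PD 0x4000
#define ADDR_STACK0 0x0f80
#define ADDR_VAR_HLT 0x2800
#define ADDR_VAR_SYSRET 0x2808
#define ADDR_VAR_SYSEXIT 0x2810
#define ADDR_VAR_IDT 0x3800
#define ADDR_VAR_TSS64 0x3a00
#define ADDR_VAR_TSS64_CPL3 0x3c00
#define ADDR_VAR_TSS16 0x3d00
#define ADDR_VAR_TSS16_2 0x3e00
#define ADDR_VAR_TSS16_CPL3 0x3f00
#define ADDR_VAR_TSS32 0x4800
#define ADDR_VAR_TSS32_2 0x4a00
#define ADDR_VAR_TSS32_CPL3 0x4c00
#define ADDR_VAR_TSS32_VM86 0x4e00
#define ADDR_VAR_VMXON_PTR 0x5f00
#define ADDR_VAR_VMCS_PTR 0x5f08
#define ADDR_VAR_VMEXIT_PTR 0x5f10
#define ADDR_VAR_VMWRITE_FLD 0x5f18
#define ADDR_VAR_VMWRITE_VAL 0x5f20
#define ADDR_VAR_VMXON 0x6000
#define ADDR_VAR_VMCS 0x7000
#define ADDR_VAR_VMEXIT_CODE 0x9000
#define ADDR_VAR_USER_CODE 0x9100
#define ADDR_VAR_USER_CODE2 0x9120

// GDT selectors: index << 3, with RPL 3 added for the CPL3 variants. The
// 64-bit TSS and call gate descriptors occupy two slots (the *_HI entries).
#define SEL_LDT (1 << 3)
#define SEL_CS16 (2 << 3)
#define SEL_DS16 (3 << 3)
#define SEL_CS16_CPL3 ((4 << 3) + 3)
#define SEL_DS16_CPL3 ((5 << 3) + 3)
#define SEL_CS32 (6 << 3)
#define SEL_DS32 (7 << 3)
#define SEL_CS32_CPL3 ((8 << 3) + 3)
#define SEL_DS32_CPL3 ((9 << 3) + 3)
#define SEL_CS64 (10 << 3)
#define SEL_DS64 (11 << 3)
#define SEL_CS64_CPL3 ((12 << 3) + 3)
#define SEL_DS64_CPL3 ((13 << 3) + 3)
#define SEL_CGATE16 (14 << 3)
#define SEL_TGATE16 (15 << 3)
#define SEL_CGATE32 (16 << 3)
#define SEL_TGATE32 (17 << 3)
#define SEL_CGATE64 (18 << 3)
#define SEL_CGATE64_HI (19 << 3)
#define SEL_TSS16 (20 << 3)
#define SEL_TSS16_2 (21 << 3)
#define SEL_TSS16_CPL3 ((22 << 3) + 3)
#define SEL_TSS32 (23 << 3)
#define SEL_TSS32_2 (24 << 3)
#define SEL_TSS32_CPL3 ((25 << 3) + 3)
#define SEL_TSS32_VM86 (26 << 3)
#define SEL_TSS64 (27 << 3)
#define SEL_TSS64_HI (28 << 3)
#define SEL_TSS64_CPL3 ((29 << 3) + 3)
#define SEL_TSS64_CPL3_HI (30 << 3)

// x86 MSR numbers.
#define MSR_IA32_FEATURE_CONTROL 0x3a
#define MSR_IA32_VMX_BASIC 0x480
#define MSR_IA32_SMBASE 0x9e
#define MSR_IA32_SYSENTER_CS 0x174
#define MSR_IA32_SYSENTER_ESP 0x175
#define MSR_IA32_SYSENTER_EIP 0x176
#define MSR_IA32_STAR 0xC0000081
#define MSR_IA32_LSTAR 0xC0000082
#define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B

#define NEXT_INSN $0xbadc0de
#define PREFIX_SIZE 0xba1d

#define KVM_SMI _IO(KVMIO, 0xb7)

// CR0 bits.
#define CR0_PE 1
#define CR0_MP (1 << 1)
#define CR0_EM (1 << 2)
#define CR0_TS (1 << 3)
#define CR0_ET (1 << 4)
#define CR0_NE (1 << 5)
#define CR0_WP (1 << 16)
#define CR0_AM (1 << 18)
#define CR0_NW (1 << 29)
#define CR0_CD (1 << 30)
#define CR0_PG (1 << 31)

// CR4 bits.
#define CR4_VME 1
#define CR4_PVI (1 << 1)
#define CR4_TSD (1 << 2)
#define CR4_DE (1 << 3)
#define CR4_PSE (1 << 4)
#define CR4_PAE (1 << 5)
#define CR4_MCE (1 << 6)
#define CR4_PGE (1 << 7)
#define CR4_PCE (1 << 8)
// Fix: OSFXSR is CR4 bit 9 (bit 8 is PCE, defined just above); the original
// defined both as (1 << 8), which is consistent with neither OSXMMEXCPT (bit
// 10) nor UMIP (bit 11) below.
#define CR4_OSFXSR (1 << 9)
#define CR4_OSXMMEXCPT (1 << 10)
#define CR4_UMIP (1 << 11)
#define CR4_VMXE (1 << 13)
#define CR4_SMXE (1 << 14)
#define CR4_FSGSBASE (1 << 16)
#define CR4_PCIDE (1 << 17)
#define CR4_OSXSAVE (1 << 18)
#define CR4_SMEP (1 << 20)
#define CR4_SMAP (1 << 21)
#define CR4_PKE (1 << 22)

// EFER bits.
#define EFER_SCE 1
#define EFER_LME (1 << 8)
#define EFER_LMA (1 << 10)
#define EFER_NXE (1 << 11)
#define EFER_SVME (1 << 12)
#define EFER_LMSLE (1 << 13)
#define EFER_FFXSR (1 << 14)
#define EFER_TCE (1 << 15)

// Page-directory entry bits (32-bit and long-mode paging).
#define PDE32_PRESENT 1
#define PDE32_RW (1 << 1)
#define PDE32_USER (1 << 2)
#define PDE32_PS (1 << 7)

#define PDE64_PRESENT 1
#define PDE64_RW (1 << 1)
#define PDE64_USER (1 << 2)
#define PDE64_ACCESSED (1 << 5)
#define PDE64_DIRTY (1 << 6)
#define PDE64_PS (1 << 7)
#define PDE64_G (1 << 8)

// In-memory layouts of the 16-, 32- and 64-bit task state segments placed at
// the ADDR_VAR_TSS* addresses.
struct tss16 {
	uint16_t prev;
	uint16_t sp0;
	uint16_t ss0;
	uint16_t sp1;
	uint16_t ss1;
	uint16_t sp2;
	uint16_t ss2;
	uint16_t ip;
	uint16_t flags;
	uint16_t ax;
	uint16_t cx;
	uint16_t dx;
	uint16_t bx;
	uint16_t sp;
	uint16_t bp;
	uint16_t si;
	uint16_t di;
	uint16_t es;
	uint16_t cs;
	uint16_t ss;
	uint16_t ds;
	uint16_t ldt;
} __attribute__((packed));

// struct tss32 continues on the next line.
struct tss32 {
	uint16_t prev, prevh;
	uint32_t sp0;
	uint16_t ss0, ss0h;
	uint32_t sp1;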
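uint16_t ss1, ss1h;
	uint32_t sp2;
	uint16_t ss2, ss2h;
	uint32_t cr3;
	uint32_t ip;
	uint32_t flags;
	uint32_t ax;
	uint32_t cx;
	uint32_t dx;
	uint32_t bx;
	uint32_t sp;
	uint32_t bp;
	uint32_t si;
	uint32_t di;
	uint16_t es, esh;
	uint16_t cs, csh;
	uint16_t ss, ssh;
	uint16_t ds, dsh;
	uint16_t fs, fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint32_t reserved3;
	uint32_t io_bitmap;
} __attribute__((packed));

// Encode `seg` as an 8-byte x86 segment descriptor and store it at slot
// selector>>3 of both descriptor tables dt and lt (callers pass the same
// table twice when only one is wanted). Bit layout written:
//   0-15 limit[15:0], 16-39 base[23:0], 40-43 type, 44 S, 45-46 DPL, 47 P,
//   48-51 limit[19:16], 52 AVL, 53 L, 54 D/B, 55 G, 56-63 base[31:24].
// With G set the limit is stored in 4 KiB units (limit >> 12).
// Gate entries reuse the same packer: callers put the target selector in
// `base` and the offset in `limit`, which land in a gate's selector/offset
// slots.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	// Fix: limit[19:16] and base[31:24] belong at bits 48-51 and 56-63, i.e.
	// a shift of 32 from their position in the source value. The original
	// shifted them by 48 and 56, pushing both fields past bit 63 so they were
	// always encoded as zero (e.g. a 0xfffff limit silently became 0xffff).
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 |
		      (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 |
		      (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 32 |
		      (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 |
		      (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 32;
	dt[index] = sd;
	lt[index] = sd;
}

// 16-byte (two-slot) descriptor for long mode: the low quadword is packed by
// fill_segment_descriptor and the high quadword (upper base/offset bits) is
// zeroed in both tables.
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

// Program the SYSENTER/SYSCALL MSRs of vcpu `cpufd`: SYSENTER lands at
// ADDR_VAR_SYSEXIT on stack ADDR_STACK0 with code selector sel_cs; STAR
// carries the kernel selector (bits 32-47) and the CPL3 selector base
// (bits 48-63). The ioctl result is ignored. Continues on the next line
// (LSTAR value and the ioctl).
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = MSR_IA32_SYSENTER_ESP;
	entries[1].data = ADDR_STACK0;
	entries[2].index = MSR_IA32_SYSENTER_EIP;
	entries[2].data = ADDR_VAR_SYSEXIT;
	entries[3].index = MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = MSR_IA32_LSTAR;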
entries[4].data = ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

// Build a 32-entry IDT at ADDR_VAR_IDT for 16/32-bit guests and point
// sregs->idt at it. Entries cycle through six gate kinds (16-bit interrupt,
// 16-bit trap, 16-bit task, 32-bit interrupt, 32-bit trap, 32-bit task); the
// gate's target selector travels in `base` and its offset
// (ADDR_VAR_USER_CODE2) in `limit`, as fill_segment_descriptor expects.
// The table is indexed via sregs->idt.base, which is a guest address — this
// only coincides with the host offset because guest_mem is 0 (as it is in
// syz_kvm_setup_cpu).
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = SEL_TGATE32;
			break;
		}
		gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		// Same table passed twice: only one IDT is written.
		fill_segment_descriptor(idt, idt, &gate);
	}
}

// 64-bit counterpart: 32 two-slot (16-byte) gates alternating between 64-bit
// interrupt (14) and trap (15) gates, all targeting SEL_CS64 at
// ADDR_VAR_USER_CODE2. 32 * 16 bytes matches the 0x1ff limit.
// Continues on the next line.
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ?
14 : 15;
		gate.base = SEL_CS64;
		gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(idt, idt, &gate);
	}
}

// One guest code blob: typ selects the mode (8 = real/SMM, 16, 32, else 64,
// see syz_kvm_setup_cpu), text/size the bytes to load at ADDR_TEXT.
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

// Generic key/value option passed to syz_kvm_setup_cpu.
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

// Bits of the `flags` argument of syz_kvm_setup_cpu.
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)

// Prepare a KVM vcpu to run fuzzer-supplied code in a chosen CPU mode.
//   a0 = vm fd, a1 = vcpu fd, a2 = host buffer backing guest memory,
//   a3/a4 = kvm_text array and count (only element 0 is used),
//   a5 = KVM_SETUP_* flags, a6/a7 = kvm_opt array and count.
// This line maps 24 pages of guest memory (page 10 is placed at the IOAPIC
// address 0xfec00000 instead of its linear slot) plus a 64 KiB window of the
// same host buffer at 0x30000, and continues on the following lines; the
// function does not end inside this chunk.
// NOTE(review): text_array_ptr[0] is read without consulting text_count —
// presumably the generator always supplies at least one entry; confirm.
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	const int vmfd = a0;
	const int cpufd = a1;
	char* const host_mem = (char*)a2;
	const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
	const uintptr_t text_count = a4;
	const uintptr_t flags = a5;
	const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
	uintptr_t opt_count = a7;
	const uintptr_t page_size = 4 << 10;
	const uintptr_t ioapic_page = 10;
	const uintptr_t guest_mem_size = 24 * page_size;
	const uintptr_t guest_mem = 0;
	(void)text_count;
	int text_type = text_array_ptr[0].typ;
	const void* text = text_array_ptr[0].text;
	uintptr_t text_size = text_array_ptr[0].size;
	// ioctl results are ignored throughout; a failed mapping simply leaves
	// the guest with less memory.
	for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
		struct kvm_userspace_memory_region memreg;
		memreg.slot = i;
		memreg.flags = 0;
		memreg.guest_phys_addr = guest_mem + i * page_size;
		if (i == ioapic_page)
			memreg.guest_phys_addr = 0xfec00000;
		memreg.memory_size = page_size;
		memreg.userspace_addr = (uintptr_t)host_mem + i * page_size;
		ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	}
	struct kvm_userspace_memory_region memreg;
	memreg.slot = 1 + (1 << 16);
	memreg.flags = 0;
	memreg.guest_phys_addr = 0x30000;
	memreg.memory_size = 64 << 10;
	memreg.userspace_addr = (uintptr_t)host_mem;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	struct
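kvm_sregs sregs;
	// Continuation of syz_kvm_setup_cpu: start from the vcpu's current
	// special registers, then build the GDT/LDT descriptors for every mode.
	if (ioctl(cpufd, KVM_GET_SREGS, &sregs))
		return -1;
	struct kvm_regs regs;
	// Fix: the page text had `memset(®s, ...)` here — `&regs` with its
	// `&reg` prefix mis-decoded as an HTML entity. Restored to `&regs`.
	memset(&regs, 0, sizeof(regs));
	regs.rip = guest_mem + ADDR_TEXT;
	regs.rsp = ADDR_STACK0;
	sregs.gdt.base = guest_mem + ADDR_GDT;
	sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
	// Guest addresses double as host offsets because guest_mem is 0.
	uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base);
	struct kvm_segment seg_ldt;
	seg_ldt.selector = SEL_LDT;
	seg_ldt.type = 2;
	seg_ldt.base = guest_mem + ADDR_LDT;
	seg_ldt.limit = 256 * sizeof(uint64_t) - 1;
	seg_ldt.present = 1;
	seg_ldt.dpl = 0;
	seg_ldt.s = 0;
	seg_ldt.g = 0;
	seg_ldt.db = 1;
	seg_ldt.l = 0;
	// Fix: avl was never assigned but fill_segment_descriptor reads it; the
	// remaining kvm_segment fields (unusable, padding) are left as before.
	seg_ldt.avl = 0;
	sregs.ldt = seg_ldt;
	uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base);
	// seg_cs16 is the template every code/data segment below is copied from:
	// flat base 0, limit 0xfffff, byte granularity.
	struct kvm_segment seg_cs16;
	seg_cs16.selector = SEL_CS16;
	seg_cs16.type = 11;
	seg_cs16.base = 0;
	seg_cs16.limit = 0xfffff;
	seg_cs16.present = 1;
	seg_cs16.dpl = 0;
	seg_cs16.s = 1;
	seg_cs16.g = 0;
	seg_cs16.db = 0;
	seg_cs16.l = 0;
	seg_cs16.avl = 0; // Fix: as for seg_ldt; inherited by all copies below.
	struct kvm_segment seg_ds16 = seg_cs16;
	seg_ds16.selector = SEL_DS16;
	seg_ds16.type = 3;
	struct kvm_segment seg_cs16_cpl3 = seg_cs16;
	seg_cs16_cpl3.selector = SEL_CS16_CPL3;
	seg_cs16_cpl3.dpl = 3;
	struct kvm_segment seg_ds16_cpl3 = seg_ds16;
	seg_ds16_cpl3.selector = SEL_DS16_CPL3;
	seg_ds16_cpl3.dpl = 3;
	// 32-bit variants differ only by D/B = 1.
	struct kvm_segment seg_cs32 = seg_cs16;
	seg_cs32.selector = SEL_CS32;
	seg_cs32.db = 1;
	struct kvm_segment seg_ds32 = seg_ds16;
	seg_ds32.selector = SEL_DS32;
	seg_ds32.db = 1;
	struct kvm_segment seg_cs32_cpl3 = seg_cs32;
	seg_cs32_cpl3.selector = SEL_CS32_CPL3;
	seg_cs32_cpl3.dpl = 3;
	struct kvm_segment seg_ds32_cpl3 = seg_ds32;
	seg_ds32_cpl3.selector = SEL_DS32_CPL3;
	seg_ds32_cpl3.dpl = 3;
	// 64-bit code sets L = 1 (and keeps D/B = 0); 64-bit data reuses seg_ds32.
	struct kvm_segment seg_cs64 = seg_cs16;
	seg_cs64.selector = SEL_CS64;
	seg_cs64.l = 1;
	struct kvm_segment seg_ds64 = seg_ds32;
	seg_ds64.selector = SEL_DS64;
	struct kvm_segment seg_cs64_cpl3 = seg_cs64;
	seg_cs64_cpl3.selector = SEL_CS64_CPL3;
	seg_cs64_cpl3.dpl = 3;
	struct kvm_segment seg_ds64_cpl3 = seg_ds64;
	seg_ds64_cpl3.selector = SEL_DS64_CPL3;
	seg_ds64_cpl3.dpl = 3;
	// Task-state segments; continues on the next line.
	struct kvm_segment seg_tss32;
	seg_tss32.selector =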
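SEL_TSS32;
	// Continuation of syz_kvm_setup_cpu: TSS and gate descriptors.
	// seg_tss32 is the template for every TSS descriptor (type 9 = available
	// 32-bit TSS); the 16-bit ones switch to type 1 and a 0xff limit.
	seg_tss32.type = 9;
	seg_tss32.base = ADDR_VAR_TSS32;
	seg_tss32.limit = 0x1ff;
	seg_tss32.present = 1;
	seg_tss32.dpl = 0;
	seg_tss32.s = 0;
	seg_tss32.g = 0;
	seg_tss32.db = 0;
	seg_tss32.l = 0;
	// Fix: avl was never assigned but fill_segment_descriptor reads it.
	seg_tss32.avl = 0;
	struct kvm_segment seg_tss32_2 = seg_tss32;
	seg_tss32_2.selector = SEL_TSS32_2;
	seg_tss32_2.base = ADDR_VAR_TSS32_2;
	struct kvm_segment seg_tss32_cpl3 = seg_tss32;
	seg_tss32_cpl3.selector = SEL_TSS32_CPL3;
	seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3;
	struct kvm_segment seg_tss32_vm86 = seg_tss32;
	seg_tss32_vm86.selector = SEL_TSS32_VM86;
	seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86;
	struct kvm_segment seg_tss16 = seg_tss32;
	seg_tss16.selector = SEL_TSS16;
	seg_tss16.base = ADDR_VAR_TSS16;
	seg_tss16.limit = 0xff;
	seg_tss16.type = 1;
	struct kvm_segment seg_tss16_2 = seg_tss16;
	seg_tss16_2.selector = SEL_TSS16_2;
	seg_tss16_2.base = ADDR_VAR_TSS16_2;
	seg_tss16_2.dpl = 0;
	struct kvm_segment seg_tss16_cpl3 = seg_tss16;
	seg_tss16_cpl3.selector = SEL_TSS16_CPL3;
	seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3;
	seg_tss16_cpl3.dpl = 3;
	struct kvm_segment seg_tss64 = seg_tss32;
	seg_tss64.selector = SEL_TSS64;
	seg_tss64.base = ADDR_VAR_TSS64;
	seg_tss64.limit = 0x1ff;
	struct kvm_segment seg_tss64_cpl3 = seg_tss64;
	seg_tss64_cpl3.selector = SEL_TSS64_CPL3;
	seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3;
	seg_tss64_cpl3.dpl = 3;
	// Gates: `base` carries the target selector (plus the parameter count
	// in bits 16-23 for call gates) and `limit` the target offset, matching
	// how fill_segment_descriptor lays out a gate descriptor.
	struct kvm_segment seg_cgate16;
	seg_cgate16.selector = SEL_CGATE16;
	seg_cgate16.type = 4;
	seg_cgate16.base = SEL_CS16 | (2 << 16);
	seg_cgate16.limit = ADDR_VAR_USER_CODE2;
	seg_cgate16.present = 1;
	seg_cgate16.dpl = 0;
	seg_cgate16.s = 0;
	seg_cgate16.g = 0;
	seg_cgate16.db = 0;
	seg_cgate16.l = 0;
	seg_cgate16.avl = 0;
	struct kvm_segment seg_tgate16 = seg_cgate16;
	seg_tgate16.selector = SEL_TGATE16;
	seg_tgate16.type = 3;
	// Fix: the original wrote `seg_cgate16.base = SEL_TSS16_2;` here, which
	// clobbered the 16-bit call gate's target and left the task gate pointing
	// at the call gate's selector. The 32-bit sequence below (seg_tgate32.base
	// = SEL_TSS32_2) shows the intended pattern.
	seg_tgate16.base = SEL_TSS16_2;
	seg_tgate16.limit = 0;
	struct kvm_segment seg_cgate32 = seg_cgate16;
	seg_cgate32.selector = SEL_CGATE32;
	seg_cgate32.type = 12;
	seg_cgate32.base = SEL_CS32 | (2 << 16);
	struct kvm_segment seg_tgate32 = seg_cgate32;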
seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = 
sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + 
ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = 
SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | 
CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, 
// Tail of the KVM vCPU setup routine; its signature and the first part of its
// body lie above this span. What remains here installs every prepared
// descriptor into the guest GDT/LDT and then pushes the assembled special
// and general registers into the vCPU. Both final ioctls are checked and a
// failure is reported to the caller as -1.
ldt, &seg_tss32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
fill_segment_descriptor(gdt, ldt, &seg_tss16);
fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
// 64-bit TSS and call-gate descriptors are 16 bytes wide, hence the _dword variant.
fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cgate16);
fill_segment_descriptor(gdt, ldt, &seg_tgate16);
fill_segment_descriptor(gdt, ldt, &seg_cgate32);
fill_segment_descriptor(gdt, ldt, &seg_tgate32);
fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
	return -1;
// NOTE(review): "®s" below is almost certainly an extraction artifact for
// "&regs" (the "&reg" prefix rendered as an HTML entity); the same artifact
// appears in the memset() near the top of this function. Confirm against the
// original reproducer before compiling.
if (ioctl(cpufd, KVM_SET_REGS, ®s))
	return -1;
return 0;
}

// Best-effort: expose the fusectl filesystem so that kill_and_wait() can later
// abort FUSE connections that keep a child from exiting. A mount failure is
// deliberately ignored (the empty braces are the generated "ignore" idiom used
// throughout this file).
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Confinement applied to the fuzzing child before loop() starts: die with the
// parent, own process group and session, keep a handle to the initial network
// namespace, cap resource usage, and detach from the host's mount/IPC/cgroup/
// UTS/SysV-sem namespaces. Every unshare()/mount() failure is ignored on
// purpose so the reproducer still runs on kernels lacking a feature, which
// also means none of these namespaces is a guaranteed boundary.
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	// Pin the initial netns on the well-known fd kInitNetNsFd (defined outside
	// this span); presumably used to re-enter it after the later
	// unshare(CLONE_NEWNET) — the consumer is not visible here.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Hard + soft limits set together; values are in bytes unless noted.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20); // 200 MiB of address space
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20; // 32 MiB lockable memory
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20; // 136 MiB max file size
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256; // open file descriptors
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	// Make the whole mount tree private so mounts made by the fuzzer do not
	// propagate back to the host namespace.
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is the numeric value of CLONE_NEWCGROUP, spelled out so the
	// reproducer builds against headers that predate the constant.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	// Shrink the SysV IPC limits inside the fresh IPC namespace.
	// write_file() is defined elsewhere in the file.
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Reap the forked loop child. pid < 0 means fork() itself failed. The
// waitpid(-1, ...) loop discards any other children reaped along the way and
// returns the exit status of the one pid it was asked about.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Drop CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets using the raw capget/capset syscalls (v3 header, two data
// words). Both capability numbers are below 32, so only cap_data[0] needs
// editing. Any failure aborts the process.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// The "none" sandbox: no uid change and no seccomp, just a fresh pid namespace
// (best-effort), then fork. The parent only waits; the child applies the
// common setup, drops the two capabilities above, enters a private network
// namespace (also best-effort) and runs loop(), which is not expected to
// return — hence the trailing exit(1). initialize_vhci() is defined elsewhere.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	initialize_vhci();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively delete the per-iteration work directory, undoing whatever the
// fuzzed program left behind: anything mounted on the directory or its
// entries is lazily unmounted first, inode attribute flags (immutable,
// append-only, ...) are cleared with FS_IOC_SETFLAGS when unlink/rmdir fails
// with EPERM, EBUSY is retried up to 100 times with another detach, and a
// read-only filesystem is left alone. Every other failure exits the process.
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		// Both branches exit; presumably the EMFILE case once carried a
		// diagnostic in the full executor — confirm if this is ever changed.
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Clear all inode flags (flags == 0) and retry the unlink.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			// Something reappeared under us: rescan from the top, at most
			// 100 times in total.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Forcefully terminate the test child and its process group, then reap it.
// After ~100 ms of polling, every FUSE connection listed under fusectl is
// aborted by writing to its "abort" file, which releases tasks blocked in a
// FUSE request that would otherwise never exit. The kernel only cares that a
// write happens: the payload is the first byte of the path buffer itself.
// The final waitpid() loop blocks until the requested pid is reaped.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detach whatever backing file the previous iteration left on this process's
// loop device. procid is defined outside this span. Absence of the device is
// silently tolerated.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test-child setup: die with the parent, get an own process group (so
// kill_and_wait() can signal the whole group), and make this process the
// preferred OOM-kill victim (oom_score_adj 1000) so memory pressure caused by
// the fuzzed program lands on it rather than on the host.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes as used on the /dev/fuse wire; the enum continues on the
// following line with the remaining opcodes and the byte-swapped reserved
// values.
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	CUSE_INIT = 4096,
	// The two *_BSWAP_RESERVED values are CUSE_INIT and FUSE_INIT with their
	// bytes reversed (1048576 == 0x00100000, 436207616 == 0x1A000000); they
	// are reserved so a wrong-endian INIT cannot collide with a real opcode.
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Wire header preceding every request read from /dev/fuse (layout matches the
// kernel ABI). `len` is the total request length including this header;
// `unique` must be echoed back in the reply.
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

// Wire header preceding every reply written to /dev/fuse; `len` covers the
// header plus the opcode-specific payload that follows it in memory.
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

// Table of caller-prepared replies, one pointer per reply shape. Each points at
// a fuse_out_header followed by its payload; a NULL entry means "no reply for
// this request kind". The fuzzed program, not the kernel, owns this memory.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

// Send one prepared reply for the request `in_hdr`: stamp it with the
// request's unique id and write out_hdr->len bytes starting at out_hdr.
// Returns -1 when there is no reply to send or the write fails, 0 otherwise.
// out_hdr->len is taken as given from the caller-prepared reply and is not
// bounded here — the program's own data is trusted, the kernel's is not.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr,
			      struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

// Pseudo-syscall: serve exactly one request from a /dev/fuse descriptor.
//   a0 - the /dev/fuse fd
//   a1 - read buffer
//   a2 - buffer length; must be at least FUSE_MIN_READ_BUFFER
//   a3 - struct syz_fuse_req_out* with the prepared replies
// Returns 0 when a reply was written (or the request needs none), -1 on any
// validation or I/O failure. Data coming back from the kernel is validated
// before use: the read must cover a whole fuse_in_header and the header's
// own `len` may not claim more bytes than were actually read. A `len` smaller
// than the header is not rejected, but nothing here reads past the header.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	// Map the opcode to the prepared reply of the matching shape.
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	// Requests whose reply is a bare header: reuse the `init` buffer but
	// truncate its length to the header so no init payload leaks into it.
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	// FORGET requests carry no reply by protocol design.
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	// Everything else (READLINK, INTERRUPT, NOTIFY_REPLY, SETUPMAPPING, ...)
	// is left unanswered and reported as a failure.
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

// Pseudo-syscall: jump into the bytes at `text` as a no-argument function.
// This is how the fuzzer runs its generated machine-code snippets, so the
// return statement is reached only if that code returns normally. The empty
// asm with fourteen "r" inputs presumably forces known constants into
// registers before the jump, and `p` only reserves some stack — both are
// unverifiable from here; confirm against the executor source.
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	((void (*)(void))(text))();
	return 0;
}

// Per-worker state for the threaded executor; the struct is completed on the
// next line. `created` marks a started thread, `call` is the index handed to
// it, `ready`/`done` are the hand-off events (event_t is defined elsewhere).
struct thread_t {
	int created, call;
	event_t ready,
	    done;
};

// Worker pool; at most 16 calls can be in flight at once.
static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing on workers; only ever touched with
// relaxed atomics, so it is a progress hint, not a synchronisation point.
static int running;

// Worker body: wait for an assignment, run the call, decrement `running`,
// signal completion, repeat forever. The thread is never joined; event_*
// helpers and thread_start() are defined elsewhere in the file.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Run the 42 calls of the generated program once, threaded. For every call the
// first idle worker (done event set) is picked, started lazily on first use,
// handed the call index and waited for with a per-call budget: 45 ms plus an
// extra allowance for the known-slow calls (10, 31, 36-41). A worker whose
// previous call has not finished is simply skipped, so a hung call leaves its
// thread occupied rather than being reaped here. After the last call the
// function waits up to ~100 ms for `running` to drop to zero and returns
// regardless.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 42; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 31 ? 50 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

// Main repeat loop, never returns. Each iteration gets a fresh work directory
// "./<iter>" (cwdbuf is large enough for any int), the loop device is reset,
// and the program runs in a forked child that chdirs into it, applies
// setup_test() and calls execute_one(). The parent polls for the child once a
// millisecond and, after 5 s, kills and reaps it via kill_and_wait(); the work
// directory is then removed with remove_dir(). current_time_ms() and
// sleep_ms() are defined elsewhere in the file.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers for headers that predate these syscalls (x86-64
// values).
#ifndef __NR_execveat
#define __NR_execveat 322
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

// Resource slots shared between calls: results of earlier syscalls (fds and
// values read back from result buffers) that later calls consume. Slots that
// hold file descriptors start as 0xffffffffffffffff, i.e. "invalid fd", so a
// consumer runs with -1 if the producer failed; value slots start at 0.
uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// One generated program call per case; the switch continues beyond this span.
// Arguments are built in place at fixed addresses in the 0x20000000 region,
// presumably a data area mapped earlier in the file (the mmap is not visible
// here). A call's result is stored into r[] only when it did not fail, so a
// failed producer leaves the slot's initial value in place.
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		syscall(__NR_socket, 0x10ul, 3ul, 0xc);
		break;
	case 1:
		memcpy((void*)0x20000000, "./file0\000", 8);
		res = syscall(__NR_open, 0x20000000ul, 0x2000ul, 0x163ul);
		if (res != -1)
			r[0] = res;
		break;
	case 2:
		// recvfrom() on the fd from case 1 with a prebuilt sockaddr.
		*(uint16_t*)0x20000140 = 0x1a;
		*(uint16_t*)0x20000142 = 0x10f;
		*(uint8_t*)0x20000144 = 7;
		*(uint8_t*)0x20000145 = 0xc7;
		*(uint8_t*)0x20000146 = 6;
		*(uint8_t*)0x20000147 = -1;
		*(uint8_t*)0x20000148 = -1;
		*(uint8_t*)0x20000149 = -1;
		*(uint8_t*)0x2000014a = -1;
		*(uint8_t*)0x2000014b = -1;
		*(uint8_t*)0x2000014c = -1;
		*(uint8_t*)0x2000014d = -1;
		syscall(__NR_recvfrom, r[0], 0x20000040ul, 0xeeul, 1ul, 0x20000140ul, 0x80ul);
		break;
	case 3:
		res = syscall(__NR_socket, 2ul, 5ul, 0x84);
		if (res != -1)
			r[1] = res;
		break;
	case 4:
		// Builds the setsockopt() argument used on the next line of the
		// listing; the case body continues past this span.
		*(uint16_t*)0x200001c0 = 0x7ff;
		*(uint16_t*)0x200001c2 = 0x1ff;
		*(uint16_t*)0x200001c4 = 0x204;
		*(uint32_t*)0x200001c8 = 0;
*(uint32_t*)0x200001cc = 0x803; *(uint32_t*)0x200001d0 = 0; *(uint32_t*)0x200001d4 = 5; *(uint32_t*)0x200001d8 = 0x800; *(uint32_t*)0x200001dc = 0; syscall(__NR_setsockopt, r[1], 0x84, 0xa, 0x200001c0ul, 0x20ul); break; case 5: memcpy((void*)0x20000200, "./file0\000", 8); *(uint64_t*)0x20000400 = 0x20000240; memcpy((void*)0x20000240, "^\000", 2); *(uint64_t*)0x20000408 = 0x20000280; memcpy((void*)0x20000280, "*,+\000", 4); *(uint64_t*)0x20000410 = 0x200002c0; memcpy((void*)0x200002c0, "-{$(%![\000", 8); *(uint64_t*)0x20000418 = 0x20000300; memcpy((void*)0x20000300, "\\[\000", 3); *(uint64_t*)0x20000420 = 0x20000340; memcpy((void*)0x20000340, "\000", 1); *(uint64_t*)0x20000428 = 0x20000380; memcpy((void*)0x20000380, "\000", 1); *(uint64_t*)0x20000430 = 0x200003c0; memcpy((void*)0x200003c0, "\261$}\000", 4); *(uint64_t*)0x20000640 = 0x20000440; memcpy((void*)0x20000440, "\000", 1); *(uint64_t*)0x20000648 = 0x20000480; memcpy((void*)0x20000480, "*/%}\\\\\000", 7); *(uint64_t*)0x20000650 = 0x200004c0; memcpy((void*)0x200004c0, "@[\000", 3); *(uint64_t*)0x20000658 = 0x20000500; memcpy((void*)0x20000500, "\000", 1); *(uint64_t*)0x20000660 = 0x20000540; memcpy((void*)0x20000540, ":\'\237^(\000", 6); *(uint64_t*)0x20000668 = 0x20000580; memcpy((void*)0x20000580, "],-.$\373\\}{)@-&/[\\!\000", 18); *(uint64_t*)0x20000670 = 0x200005c0; memcpy((void*)0x200005c0, "\000", 1); *(uint64_t*)0x20000678 = 0x20000600; memcpy((void*)0x20000600, "{{\'$(+-(}{}]?/--)\000", 18); syscall(__NR_execveat, r[0], 0x20000200ul, 0x20000400ul, 0x20000640ul, 0x1000ul); break; case 6: memcpy((void*)0x20000680, "/dev/hwrng\000", 11); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000680ul, 0x40000ul, 0ul); if (res != -1) r[2] = res; break; case 7: syscall(__NR_ioctl, r[2], 0x80404812, 0x200006c0ul); break; case 8: syscall(__NR_ioctl, r[2], 0x545d, 0ul); break; case 9: *(uint32_t*)0x20000704 = 0x9c76; *(uint32_t*)0x20000708 = 8; *(uint32_t*)0x2000070c = 3; *(uint32_t*)0x20000710 = 0x309; 
*(uint32_t*)0x20000718 = r[0]; *(uint32_t*)0x2000071c = 0; *(uint32_t*)0x20000720 = 0; *(uint32_t*)0x20000724 = 0; syscall(__NR_io_uring_setup, 0x509f, 0x20000700ul); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_unix_may_send\000", 22); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xaa; *(uint8_t*)0x20000041 = 0xaa; *(uint8_t*)0x20000042 = 0xaa; *(uint8_t*)0x20000043 = 0xaa; *(uint8_t*)0x20000044 = 0xaa; *(uint8_t*)0x20000045 = 0x29; *(uint8_t*)0x20000046 = 0xaa; *(uint8_t*)0x20000047 = 0xaa; *(uint8_t*)0x20000048 = 0xaa; *(uint8_t*)0x20000049 = 0xaa; *(uint8_t*)0x2000004a = 0xaa; *(uint8_t*)0x2000004b = 0xaa; *(uint16_t*)0x2000004c = htobe16(0x8137); *(uint16_t*)0x2000004e = htobe16(-1); *(uint16_t*)0x20000050 = htobe16(0x20); *(uint8_t*)0x20000052 = 2; *(uint8_t*)0x20000053 = 0; *(uint32_t*)0x20000054 = htobe32(3); memcpy((void*)0x20000058, "\x67\x51\x69\x65\xf0\x15", 6); *(uint16_t*)0x2000005e = htobe16(3); *(uint32_t*)0x20000060 = htobe32(0xa0); *(uint8_t*)0x20000064 = 0; *(uint8_t*)0x20000065 = 0; *(uint8_t*)0x20000066 = 0; *(uint8_t*)0x20000067 = 0; *(uint8_t*)0x20000068 = 0; *(uint8_t*)0x20000069 = 0; *(uint16_t*)0x2000006a = htobe16(0x8ca); memcpy((void*)0x2000006c, "\xd1\x8e", 2); *(uint32_t*)0x20000080 = 1; *(uint32_t*)0x20000084 = 3; *(uint32_t*)0x20000088 = 0x6f3; *(uint32_t*)0x2000008c = 0xd92; *(uint32_t*)0x20000090 = 0xd18; *(uint32_t*)0x20000094 = 0x98a; break; case 12: *(uint8_t*)0x200000c0 = 4; *(uint8_t*)0x200000c1 = 0x1d; *(uint8_t*)0x200000c2 = 5; *(uint8_t*)0x200000c3 = 1; *(uint16_t*)0x200000c4 = 0xc9; *(uint16_t*)0x200000c6 = 0x800; syz_emit_vhci(0x200000c0, 8); break; case 13: memcpy((void*)0x20000100, "\xc4\x01\x7c\x5a\x50\xf2\xc4\xa1\x63\x7c\x7a\x86\x2e\xf0\x42\x30\xb5\x0d\x00\x00\x00\x41\xd9\xf9\x3e\x42\x0f\xb7\xbc\xae\xb0\x00\x00\x00\xc4\xc2\xa5\x29\x14\x98\xc4\x82\xc9\xbd\xac\x33\xde\x79\x41\xf1\xc4\x01\xfc\x2e\x06\x66\x40\x0f\x38\x24\x1f\x67\x0f\xec\xfb", 65); syz_execute_func(0x20000100); break; case 
14: break; case 15: memcpy((void*)0x200001c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x200001c0ul, 0ul, 0ul); if (res != -1) r[3] = res; break; case 16: res = syscall(__NR_read, -1, 0x20002500ul, 0x2020ul); if (res != -1) { r[4] = *(uint32_t*)0x20002514; r[5] = *(uint32_t*)0x20002518; } break; case 17: memcpy((void*)0x200046c0, "\000", 1); res = syscall(__NR_lstat, 0x200046c0ul, 0x20004700ul); if (res != -1) r[6] = *(uint32_t*)0x20004718; break; case 18: memcpy((void*)0x20004780, "./file0\000", 8); res = syscall(__NR_stat, 0x20004780ul, 0x200047c0ul); if (res != -1) r[7] = *(uint32_t*)0x200047d8; break; case 19: res = syscall(__NR_getresgid, 0x20004840ul, 0x20004880ul, 0x200048c0ul); if (res != -1) r[8] = *(uint32_t*)0x20004840; break; case 20: memcpy((void*)0x20000200, "\x26\x92\xd6\x23\x14\x8a\x34\xae\xe9\x68\xf5\x55\x2f\xef\x58\xad\xeb\x13\x83\x51\x31\xaf\xc9\x60\x2c\x0e\xba\x53\xa1\x39\x39\x2d\x14\x0b\x6e\xeb\x57\x19\x84\x01\x7f\xbc\x1a\x93\x6a\xca\x42\x7a\xd0\xe7\x40\x52\x4f\x63\x07\xf1\x8e\x1c\x7d\x95\x4a\x0b\xa7\x44\x23\x67\xd4\x5b\xae\x51\x50\xe1\x25\x43\xdc\x5d\xd0\x3a\xa5\x69\x90\x39\xf2\xf6\x27\xb3\xd1\x04\xe0\x0f\xfa\xea\x42\x63\xfc\x86\x95\x3e\x5e\x3a\xb9\x76\xc9\xf6\x6a\x21\x3d\x67\x57\x3b\x60\x44\xbf\x6f\xaa\x8c\x17\xd5\x1b\x55\x50\x43\x8f\x9a\xc6\x58\x9d\x2c\xb2\xbc\x4e\x11\xcb\xf8\xa2\x54\x59\x4a\x82\xab\x89\x87\xf8\xad\xe2\x0d\x85\x42\xac\x71\xff\x84\x7b\x22\xe6\x7d\x2d\xdd\xa8\xf4\xba\x5f\x53\xfb\xf1\x77\x00\x91\x32\xba\xa5\x78\x6a\x7b\xe3\x1e\xc6\xc5\x92\xcb\xa5\x3c\x5c\x8a\x7b\xa1\x9d\xb0\x28\x6b\xff\x1d\x01\x78\xda\x1e\x4e\xa1\x08\x19\x43\x9a\xce\x53\x7a\xc5\xf4\x7a\x1c\x8b\x74\xfa\x67\xfc\x4e\x1b\xf9\x22\x92\xa9\xec\x65\x7b\x5e\x30\x03\x14\x6a\x1c\x56\x90\x85\x5b\x05\xcf\x75\xa0\xb1\x1a\xb9\xba\x73\x8a\x3d\xc1\x77\xd5\xf7\xe7\xfa\x6b\x46\x5d\x05\xe5\x13\xa2\x19\x48\x10\x89\x26\x5f\x56\x6e\x6b\xd0\xcc\x9e\xe1\xfb\x10\x0f\x85\x12\x86\xe6\x57\x21\xf6\x01\xc8\x3f\x7a\x74\x09\x79\xb3\x84\x8f\x57\xfb\x00\x81\xef
\xca\x45\x72\x0c\xcf\xd8\xa4\x90\x4f\x24\x81\x51\xb2\x42\x13\x2a\x4b\x45\x53\x0a\xe5\x44\x2f\xf7\xa5\x1b\xb5\xc5\x99\xcd\xa7\xe1\x0e\x1b\x4d\xe5\xc8\x0f\x52\xcc\x3d\xda\xc7\x51\x3f\xe1\x48\xbd\xbc\x5d\xa2\xe0\xc2\xb3\x91\x90\xd8\xf9\x0f\xcd\x45\x95\x03\xa4\xcb\x8f\xec\xe5\x51\x82\xcf\x72\x72\xa5\x22\xe5\x62\x61\x20\xc7\x33\x5c\x5a\x37\xc7\x2d\x40\x0f\xed\xc5\x88\x73\xc5\x96\x0f\x6c\xab\x80\x7a\xc2\x39\xd0\x24\x6a\xba\x2e\x84\x4b\x68\xb1\xac\x4a\xd6\xd2\xbb\xce\xdc\xb3\x5a\x67\x48\x64\x71\xe4\x45\xaf\x55\x99\x02\x70\xae\x09\x79\x68\xda\x00\x15\x7d\xd2\x21\xde\xa2\x43\x8d\x16\x62\x3c\x52\x82\x0f\x0d\x24\xe3\x9c\x04\x24\xee\x40\x48\x4f\xb0\xd9\x64\x19\xf5\xe2\x81\xd0\xe9\xe1\x78\x36\x68\x20\xdd\x5c\xa4\xa0\xc4\x5d\xee\xb3\x6c\xb9\xe2\x46\xbe\x67\x14\xce\xb0\x34\x7b\x0c\x30\x9c\xc5\x30\x22\x37\x4f\x73\x30\x35\x36\xe5\x93\xc5\x75\x88\xb8\x83\x90\x3e\xa5\x81\x33\x77\x36\x00\x20\x1a\x7b\x55\xdd\x5c\x01\xaf\x52\xe9\x0e\xc5\x24\xab\xd9\xf4\x7b\x3d\x71\x85\xc4\x82\x59\xbf\x5a\xa7\x6f\xea\x9d\xa9\x82\xb2\xc4\xa6\x10\x65\xdf\x2b\x06\x67\x32\x10\x35\x03\x96\x9e\xef\xaa\x23\x14\x1c\x8b\xec\xb3\x5c\xaf\x76\x02\xe9\x81\xc3\x06\x73\x99\x1b\x46\xd5\x4a\xb2\x76\x4b\xf5\xec\xc3\xf1\xa8\xe0\x00\xb1\x16\xb7\x69\xd8\x26\x25\xae\x94\x18\xb5\x23\xaf\x00\xf3\xcf\xb0\xeb\x65\xc9\x16\xf6\xa6\x24\x52\xf8\x10\xb2\x0c\x3e\x7c\xec\x7d\x61\xfe\xf5\x5f\x63\xd1\xda\x4a\x3f\x86\x8b\xbc\xfd\x86\x7e\x13\x0d\x3c\x7c\xe5\x22\x46\xef\x76\xed\xa2\x91\x6f\xbb\xdf\xd5\x06\xdb\xc2\x28\x9d\x00\xfb\xc8\xfd\x10\x0c\x45\x78\x69\x8d\x22\x03\xdf\xfa\xb9\x01\x8d\x6f\x19\xae\x19\x9f\x16\x59\xc3\xf7\x81\x57\x68\x0c\xf9\x80\x59\x7a\x12\x6b\x99\x4b\xdd\x64\x60\x96\x53\xdc\x0d\xdb\x55\x6c\x3a\xf8\x38\xa0\xa4\xa9\xbd\x70\x51\xe4\x52\x47\x91\x3c\xc3\x5b\x9d\x9f\xf3\x68\xff\xdf\x4e\x7f\xad\x83\xa5\x2f\x8a\x02\x61\xc3\x31\xb6\xef\x22\x6f\xe6\x76\xac\x1a\x9c\xf0\xcb\x00\x13\x85\xce\x35\xb0\x9d\xf3\xae\xca\xa3\xd8\x16\xf2\xaf\xc6\x2c\x27\xae\xe5\x25\xf7\x2f\x2d\x31\xee\x0b\x21\xc4\x47\xf8\x09\x01\xa6\x5c\x77\x06\xd0\x7f\xf9\xb2
\xd7\xbd\xe9\x2b\xc7\x9d\x85\xf8\x43\x1d\x46\x8a\xc8\x5e\x51\xac\x3a\x20\x9c\xea\x07\x28\x1e\x7d\x19\xc1\xf5\x2b\x5f\x01\xbd\xb0\x53\x97\x8c\x93\x33\x99\xb3\x5a\xc7\x7a\xa4\xa1\xe6\xf1\x82\xd2\x50\x27\x1c\xa3\x3c\x37\x91\xb1\x5a\x93\x1b\xcd\x32\xac\xe1\x92\x53\xf1\xa9\x04\x4a\xfa\x49\xc1\xa0\xdd\xc8\x2e\x95\x90\x7f\x60\xb7\x97\x1e\xc0\x10\x78\xe1\x37\xd1\xbc\xeb\x0c\xf8\x6f\x64\xcd\x6c\x19\x2c\xbf\xc3\x0b\x44\x78\x61\x7f\xe5\x2a\xa9\x43\xe6\x1a\x18\x2b\x1b\x0b\x21\x07\xd0\xc5\x4f\x4f\xa7\x31\x67\x9a\xf9\x5c\x32\xd1\x89\x14\xd6\x95\x9b\x9f\xa9\x6a\x0a\xac\x1c\x49\xad\xc6\x1f\x5f\x11\xb5\x44\x55\x73\x42\xc1\x42\x76\xbe\xea\x12\xfa\x71\xcd\x30\xa7\x31\xbd\x06\x4e\x9c\xfd\x0f\x9e\x4b\xe9\x66\xf7\xbd\x1c\x1b\x4f\xd7\x06\xb8\x39\x3e\x6e\xfb\x1c\x9f\x97\x52\x6f\x67\xd2\xe9\xcd\x5e\x17\x6d\xc6\x0c\x27\x4b\x30\x06\x1e\x1a\xb6\xa2\xd0\x04\xb8\x3a\xdb\x08\xf1\x98\x3b\xae\xab\x99\x04\x72\xbe\xff\x23\x41\xde\xf4\x7e\x0d\xd4\x11\xb0\x69\x1f\xd0\xa6\x5e\xa6\x6d\x16\xa4\xa4\xee\x94\xc4\xd1\xa5\xce\x6b\x3c\xfc\x87\x34\x81\xb0\x41\xfb\x30\x05\x61\x4c\x1c\xf8\x41\xee\xab\x27\xe0\x35\x98\xef\x94\x59\x8e\xd3\x0c\x3f\xd3\xee\x19\x20\x7a\xea\x2a\x8d\xbc\x3f\x60\xa6\xd9\x7e\x30\xc5\x8f\x32\x4b\xca\xf5\x71\x38\x8f\x9e\x83\xe0\x76\xcf\xdc\x06\x63\xcf\xe9\x3f\x5a\x3f\x19\x29\x9e\x74\x12\x10\xf6\xa8\x50\x1a\x72\x38\xb1\xcb\xd6\xe9\xf8\x29\x34\x5c\x33\x7c\x62\xb7\xcd\xb0\x24\xef\xc4\xff\x11\x62\x8c\xb1\xee\x4f\xda\x07\x27\x82\xbb\x69\x93\x2b\xa6\xde\xe1\x22\xcb\x37\xfe\xd6\x96\xde\xa1\x1c\xc2\x5e\xb2\xb5\x67\x8c\x7d\x0b\xd1\xdd\x05\xf3\x5d\x1d\x02\xad\xdf\x12\x95\xa1\xeb\x0b\x25\x99\x59\xa7\xb2\x90\xe6\x1f\x24\x79\x69\x15\x88\xac\x52\x09\x81\x90\x2f\x5a\xb0\x61\x62\xe9\xcf\x5f\x05\x85\xf5\x40\xd9\x0c\xd8\x38\x1d\xe3\x3d\x0a\x0a\x24\xda\x6f\x23\x1d\x3a\x68\x4c\x92\x5d\x73\x6f\x25\x34\xa5\x7e\x48\xd9\x19\xd5\x55\x19\xc5\x75\xbb\x54\x1d\x63\x8e\x0e\x40\x11\xf8\x41\xa5\xac\x33\x1d\x48\x89\x35\xc4\x4c\x2b\xce\x1c\x2a\xc3\xe8\x48\x6e\x46\x5c\xde\xe8\xeb\x51\x3d\x3c\x1b\xb3\xb3\x8c\x5d\x15\x7c\x04\xd5
\x76\xd6\x75\xe0\x0b\x30\xc2\x99\xe2\x11\xf8\xf2\x4a\x7a\x05\x3b\x42\x70\xd2\xac\xfa\x3a\xa6\x34\x34\x28\xd9\x2b\x6d\xb1\x4c\x15\x58\xa8\xdd\x58\xbb\x9c\x8c\x4b\x1b\x49\x35\x77\x3d\x14\x06\x11\x79\x3c\xca\xd5\x4f\xdc\x52\x30\xda\x4d\xfd\xa3\xb6\x0c\xc0\x76\x6e\xfc\xc6\xa3\xb7\x19\x00\xa5\x0e\x2c\x3e\x68\x27\xb9\x8c\xc1\x8c\xcd\x8f\xf7\x98\x24\x7f\x37\x48\x57\xd0\x62\x1e\x32\xbb\xf0\x48\x24\x74\xde\x0d\x42\xdd\xba\x78\x23\xe6\x33\xf1\x65\x8e\x7f\x6a\x36\x1c\x32\xe2\x45\x9c\x2b\xeb\x02\x9a\x8a\xfa\xa3\x12\x89\xe4\x87\x10\x45\x67\xd4\x0c\x81\xcc\xf5\xae\x2a\x2e\x6b\x34\x4f\x5c\x11\x0d\x7c\xe2\x30\x1f\xf2\xc2\x5f\xd8\x43\x84\x39\xa5\xea\x16\xa4\x46\xfc\x7e\x27\xf2\xcb\x06\x89\x44\xe4\xd8\xc9\x29\xc4\x64\x5f\x49\x4c\x2f\xd1\xb0\x25\xbf\xda\x11\x19\xf9\x08\x8f\x70\x7d\x66\x2c\x11\x95\xf8\xe4\x30\x8c\x47\x0b\x76\x24\x50\x99\x33\x2f\x61\xb2\xc9\xcc\x77\x87\x1c\xb2\x0c\x4e\xbe\xaa\x63\xe5\x3a\xdd\x25\xdf\x15\xc5\x62\x85\x85\xfe\x88\x6a\x73\xe3\x82\x56\x7c\x41\xce\xbd\xf2\xf3\x3f\x71\x68\x74\x7c\xe2\x4a\x22\xfa\xfe\xb2\x9c\xd0\x21\xa9\x2e\xc8\xfc\x27\x2d\xad\x24\x59\x8e\xbd\xae\xc2\xdc\xc4\x73\x73\xef\xa9\x7c\xac\xff\xda\xce\x15\x0e\x99\x51\x0b\xf3\x7b\xaf\x40\xa8\x17\xd9\x3d\x87\xa4\x8f\xab\x15\x3a\x10\x64\x82\x1e\xb5\x04\xa4\xeb\xa3\xab\x66\xd1\xec\x05\x7c\xf6\x4e\xe1\x1a\x6a\xd4\x05\x84\xfa\x76\x56\xa3\x98\x4c\x20\xe4\x94\x01\x3f\x83\x43\x0d\x76\x0c\xd6\xea\xa6\x04\xb5\x99\x55\x0d\xcb\xa7\x20\x85\x5e\x73\x5d\x62\xd4\x20\x07\x6c\xca\x07\x11\x5d\x4e\x37\x1c\x3d\x64\x1c\xb6\xcd\xb9\x69\xbd\xef\x10\x13\x7b\x8d\x7f\x39\x9a\xbe\x3e\x24\x36\x53\x5c\x30\xc7\xb9\xa8\x42\xfb\x31\xd3\x22\x43\x4e\x73\xb9\x5c\x0f\x5d\x45\x45\x11\x6b\x78\x8e\xa0\xfd\x47\x3a\xb3\x2c\xfb\x4c\xd7\x22\x49\x48\x91\x37\x72\xe8\x39\x2d\x89\xbf\x5c\x4e\x55\x11\xd2\x67\x20\x1c\xff\x62\xbd\xc0\x46\x8f\x96\xd9\xe8\x53\x23\x49\x5e\x92\x5e\x61\x14\x0f\xb4\x19\x41\x7b\xc3\xf8\x03\xa8\x0d\x0a\xf3\xb8\xc3\x1c\x2f\x63\xde\xe9\x17\x41\x13\xf8\xe6\xe5\xc9\x3f\x47\xd8\x48\x64\x22\xa5\x69\x6b\xc0\x58\x43\xf7\xd0\x7f\x10\xeb
\x3b\x5f\xbc\x2c\x37\x8f\x6e\x8a\x97\x5d\xeb\x6c\x04\xed\x20\xc6\x73\x84\x6e\xcc\x19\xd6\xdf\xcb\x19\x82\xff\x83\xa7\xdc\xa9\x2e\x81\x67\xe5\xdf\x64\x37\xb8\x48\x34\xfd\xe1\xcb\xfc\x44\x11\x05\xd0\x62\x18\xa2\xe0\xa5\x59\x17\xee\x27\x6f\xa7\x25\xb9\xf1\x6a\x94\xc6\x7b\x68\x4b\xc7\xb6\x88\xed\xba\xe7\x43\x82\xcb\xa7\xea\xc9\xf0\x17\x72\xc8\x91\x94\xd4\x4e\xea\x3c\xab\xc0\x02\x56\x26\x43\xc0\x15\x29\x09\x2f\xf6\x62\x9d\xe9\x6a\x77\x16\xf9\x23\x18\xa6\xcf\x70\xcd\xb8\xfd\xa8\xe3\xd0\x13\x06\xea\x91\x58\x0b\x6d\x97\x08\x08\x55\x2f\x45\xf5\x75\xc3\xaa\x63\x8f\xc5\x1a\xbd\xd8\x53\x5a\x05\x84\x07\x25\x88\x51\x8f\x93\x91\xb2\xd7\x89\x14\x73\x12\xa5\x8d\x0a\x15\xb6\x4b\xf9\x08\xf2\x49\x91\x3f\x14\x16\x71\x75\x10\x03\x54\x71\x50\xd4\x9f\x47\x2d\xbe\xd4\x08\x43\x24\x93\x70\x57\x59\x92\x9f\x61\x9a\x90\x1b\xf4\x1e\xd2\xe4\xd1\x2d\x63\x54\xaf\x21\x98\x40\xe6\x96\xae\x26\xd4\x0f\x01\x0f\x05\x86\x06\x8e\xfb\xbd\x4a\x63\xaf\x99\xae\xbd\x53\x05\xa8\x80\x13\xed\x74\xde\x00\x39\x90\x11\xdd\x8d\x0d\x54\x4b\x90\x70\x09\xf3\x61\xac\x6f\x66\xca\x0a\xc4\xfa\xe8\xee\xa5\x65\x42\x59\x9b\x16\x7b\x8f\x13\x2d\x2b\xc2\xb5\x7c\x73\x46\x53\xc0\x21\x4f\xcb\x4e\x3a\x50\x98\x23\xaa\x2e\xa6\x2a\xef\xd8\xd3\xa8\xf2\x7c\xea\xd3\xee\x3f\x27\x66\x98\x71\x27\x70\xad\xdc\x99\xcd\x31\x11\x2d\xaf\x0e\xde\x7c\x57\x7f\xcb\xae\x2e\x64\x04\x7b\xd3\x62\x4d\xcc\x04\xcf\xb6\xcd\x19\x4b\x79\xf1\xb5\x3b\x99\x0a\x44\x36\x28\x12\x3f\xbe\x9b\x2a\x3b\x59\x8b\xee\xab\xdb\xb7\xcf\x4d\x9c\xd8\x7b\xe2\xac\x84\xee\x3f\xe7\x43\xd7\x2e\x89\x84\x20\x4b\xab\x46\x3c\x89\x6d\x13\xc1\x22\x7b\x70\xa8\x87\x12\xb7\x7d\x22\x1e\xfa\x65\x40\x98\xb3\x85\x71\x46\x8f\xf9\xbf\xf1\x0b\xb0\xd3\x0f\xe6\xae\x7a\x1f\x62\xc4\xf6\x06\x6b\x55\xf3\x2b\x05\x47\xde\x75\xab\x1c\xac\x8e\x98\x6d\x89\xfc\x30\xa3\x62\xd7\x30\x8d\x09\x32\xcd\xd4\x4d\x8a\x23\x48\x60\xb6\x08\x09\x0a\xa5\xe1\x6b\xef\x4e\x44\x32\x7b\xa1\x86\x67\x91\x5e\xc6\x5c\xa7\x72\xf8\xdf\x52\x10\x5b\x37\x00\x87\xfb\x1c\xbd\x6d\x11\xa9\x53\x62\x23\x2e\x5f\x6f\xce\x3f\x34\x3c\xd9\x62\xbe\xc2\x77
\xf3\xa6\xaa\xcb\x82\xdf\x97\x53\x1b\x3a\x6f\xfd\xd2\x24\x45\x4b\xfc\x8a\x6c\x2e\x0b\x9c\x86\x44\x9c\x04\x3f\x39\xce\xb9\xaf\x5c\x42\x36\xe3\x22\x1c\x2e\x25\x9f\xa8\xf1\x28\x4d\xf6\x33\x4a\x2a\x24\x73\x3d\xba\xd6\xea\x99\x0a\xa3\xef\x97\x98\xe2\xf7\x85\xbe\x3d\x5a\x44\x30\x54\x97\xa1\xf5\x25\xf7\xde\xe1\xf7\xea\x82\xc7\xd5\x05\x59\xc5\x1d\xac\xc6\x17\xf6\xf7\xee\x56\xb6\xc5\xbc\xa2\x70\x18\x99\x24\x5c\xbe\xcb\x33\xcc\xdd\xf0\x0a\x16\x89\x46\x82\x08\x5f\x40\xd2\xf6\xf6\xb0\x3a\x16\x32\x06\x31\x1f\x98\x07\x72\x61\xcd\x76\xf4\x39\xce\xd0\x44\xb5\x25\x11\x2d\xeb\xd3\x1e\x4c\x7a\x90\x77\xbd\x82\x02\x17\xa8\x8b\x4d\x8e\x3e\x76\xda\xc4\x5b\x15\x01\x9e\x01\xde\xed\xc9\x43\xb3\x57\xab\x2d\x79\x00\xd9\x91\x57\xaf\x47\xdf\xc5\x97\x17\x91\xb2\x56\x65\xe9\x53\xdb\x69\xce\xfc\xea\xc8\x7a\xef\x83\x89\x36\xae\x73\xd2\xd2\x59\x83\xb2\x06\x60\x99\xc4\x74\x1a\xf8\x80\x48\xc7\xf8\x65\x31\xf2\xb8\x2d\x6e\x05\xb2\xee\x75\xf4\x72\xd9\xdf\x9c\x3e\xe9\x39\x8f\x6f\xe6\x8e\x0b\x52\x1c\x36\xa2\x42\xe2\xd6\x75\xf4\xd9\xda\x55\x21\x42\x74\x36\x31\xa4\xf2\xb6\xc0\x11\x47\x57\x53\xa7\x4f\x7f\xef\xc9\xd7\x2d\x3f\x9f\xb2\xbd\xcc\x71\xd6\x67\x32\xab\xe5\x0d\xd5\x78\xb6\x9b\xd0\x29\xb4\x5b\xca\x70\x8e\x87\xc0\x98\xaf\x90\x28\x4b\x4f\xbd\xdc\xc6\xfe\x16\x3a\x00\x09\x70\xd6\x54\x7c\xfd\x18\xcc\x8a\x11\xba\x22\x63\x8e\xe6\xeb\xa9\x10\x29\xf5\x25\x94\xa0\x42\xe9\x6e\xd7\x08\x01\x84\x59\x3f\x21\x09\x12\x6c\xbd\xe1\x31\x7a\x94\xa5\x62\x13\xad\x11\xae\x1c\xcf\x0a\x58\xa4\x5d\xbc\x81\xd0\x80\x9c\x59\x07\x3f\x8a\x9e\x17\x67\x4a\x47\x6d\x03\x37\x41\x4b\xfc\xff\x7c\xa6\x94\x92\x18\x46\x7c\x88\x50\x83\x9e\x55\xc9\xc7\xad\x9d\x51\xa6\x4a\x9d\x2b\x4b\xbb\x17\xa3\x65\x38\x94\x83\x45\x45\xbc\x28\x6c\x10\x8b\xb3\x13\x45\x57\x9a\x2b\x0b\x96\xf6\xa5\x73\x89\x79\x05\x19\xd4\x41\x3a\x96\x48\x82\x0e\x78\x46\xc5\x7a\xca\x47\x92\x49\x52\x23\xfc\xc0\x29\xd0\x70\xf1\x8f\x24\xac\x66\x58\x79\xd7\xa1\x97\xc7\x8c\x5c\x05\x18\x5a\xf7\xc1\x11\x40\xc7\x8a\x35\xe9\x1d\xe5\xc0\xc5\x3f\xbc\xd1\x35\x0c\x27\x53\x6d\x28\xd5\xf5\x18\x69\x6b
\x97\x13\x6d\x3f\x20\x35\xf2\x6f\xaa\xd5\xff\xe0\x4d\xfd\x5d\xcc\x09\xb1\x29\x90\x51\x95\x57\x9d\xd1\x5c\x8c\x98\x67\x62\x36\xeb\xd0\x2b\x6c\x2e\xf3\xe6\xeb\x15\xd8\x7c\x20\x6c\x39\x04\x6f\x2d\xbc\xef\x9a\x45\x23\xf2\x55\xf4\x45\xc3\xdd\x82\xc1\x40\xb2\x95\xa4\xa9\x0f\xa3\x0a\x28\x47\xff\x41\xef\xee\xa8\xf6\x30\xd4\xa5\x51\x27\x95\x38\x0a\xf7\xd1\x71\x3a\x6b\x29\x76\xdd\x74\xde\x50\xc3\xfe\xb4\x2b\xdd\x4c\x02\x58\xe4\x56\x17\x35\x8f\x18\xa2\x8b\xe1\x1b\xad\x5b\x5b\x79\x10\x3e\xe1\x27\x7c\x76\x1e\x12\x90\x1e\x49\x97\xf3\xb9\xd4\x49\x91\x72\x17\x6c\xdd\x12\xb6\x80\x7b\x23\x6d\xaf\x3d\xc0\x58\x72\x95\x64\x37\x81\x6c\x70\x6f\x3c\x36\x7d\x7e\x2c\x23\xe9\x6b\x1f\xe9\x65\x96\xdb\x88\x05\x07\xe2\x82\xfb\xe2\x3f\x21\x71\xb2\xf6\x85\x5d\x22\x17\x4a\x1a\x4b\x15\xed\x8a\xbd\x51\xca\x09\x3d\x46\xf0\xe2\xd0\x52\x98\x16\x8c\x23\x9e\x62\xd8\x9f\x74\x06\x74\x38\x8c\x24\x01\x8c\x47\x83\x2a\x87\x64\x40\x48\xd4\x36\xd6\x5c\xd7\xa2\x10\x28\x2b\x1f\xc8\x26\xf0\xcc\xdb\x66\x97\xd0\x11\x2b\x2a\x88\xe3\x95\x30\x8d\x42\x1a\xad\xa7\xa0\xe7\xd7\x6e\xca\x0a\x60\x73\x83\x02\x18\xc8\x3e\xd7\x94\x19\x48\x59\x60\x57\x20\x97\xcb\x62\x6c\x6f\x84\x67\x57\x90\x95\xdc\x22\x63\x20\x43\xdc\xe6\xb6\x7e\xaa\x79\x3a\x2a\x89\x82\x2f\xdc\x26\x6f\x5a\x61\x1a\xa1\xc6\xb8\x45\x99\x8a\x82\x80\x05\xfe\x79\x89\x25\x3c\x37\x61\x3e\x89\x23\x48\xad\x73\x32\xe3\x34\xaf\xb5\xa7\x08\x7e\x89\xac\xe2\xf3\x61\xd6\x6f\x27\x7d\xfa\xfa\x12\x66\x77\xe8\x33\xfd\x0b\x2c\xe4\xd2\x27\x93\x7c\xdf\x60\xa8\x82\x66\x94\x11\xd4\x45\x0b\x7e\x85\x9b\x82\x47\xad\x2e\x45\x74\x2e\xcb\x60\x57\x52\xf2\x14\x8d\x07\x5e\x1d\x14\x5a\xdd\x18\x47\x48\xc6\xec\xe9\xba\x26\x7b\x7a\x6d\xf9\x22\x9a\x62\xbb\x9b\xee\x7d\x7e\x92\x5d\x6e\xb9\xae\x96\xad\xef\x93\x7c\x03\x0c\x7d\x2b\x91\x9f\xc4\x63\x6a\xd6\x33\x13\x60\x45\x7d\x06\xd8\xc4\xf6\xdc\x10\xe3\x06\x55\x22\x60\x2b\x84\x1f\xb3\x67\x8e\x9d\xab\xf0\x7d\x5f\xc3\xfe\x39\xda\x21\xd4\x61\xe1\xa4\xac\x64\xa0\xd3\x35\x6f\x93\x62\x28\x00\xf0\x07\xbe\x4e\xe1\x3c\xc4\x65\x4c\x89\x47\xff\xd1\x1b\xf7\x59\x8f\x50\xbf
\x27\xdf\x75\xf8\xda\xef\xd9\xbd\x19\xcc\x3b\x6a\x06\xb2\x53\xe8\xb5\x90\x62\x1c\x66\xda\x76\x49\x6a\x87\xbe\x33\x53\xfb\x1c\xc5\x64\x36\x6b\x09\x79\xa8\x8c\x52\xb8\xdd\xae\xee\x89\x93\xf6\xa0\xa3\xa5\x43\xa9\x31\xea\x4e\xae\xe9\xd9\xe7\x00\x1e\x23\x49\x14\x4c\xd7\x46\xa2\x56\xdf\x92\xa4\x60\x24\xc7\xa3\xb3\xcb\x60\x7a\x74\x99\x87\xc9\x85\x60\x15\xb8\x6a\x23\xe4\x39\x4f\x64\xf9\x09\x97\x4a\xb0\x76\xb5\xd6\x49\x28\xfc\x9d\x1b\x4c\xba\x75\xbd\xa9\xe1\xd4\x62\x0c\xac\x6f\x08\xcb\xf7\x57\xde\x6f\x29\x11\xc3\x4e\xa0\x84\x81\xa3\x83\x20\x14\x47\xc2\xde\x6e\x37\xc0\x7d\x03\x38\xf1\x6a\x9a\x73\xfe\x67\x1a\x68\x4a\xe4\x5c\x87\x4f\xf1\x98\x15\x06\xe3\xfc\xa4\xe1\xf1\xdc\x9e\x58\xf9\xde\x6b\x96\xf8\x5e\x31\xa3\xc1\x6d\x3a\x11\x88\x0b\xb1\xcb\xc2\x23\xd0\xb9\xf3\xa6\xc4\xa6\x67\x1e\x29\xfe\xa6\x7a\xe9\xf1\x09\xe2\x63\xc3\x17\x95\xb3\x80\x16\xb8\x29\xd4\x1d\x0d\x54\x0f\x7f\x9b\xc5\x22\x02\x7d\xbc\xa4\x94\x5d\x95\x8e\x0b\x14\xc9\x02\x0e\x7e\x0d\x96\x2d\x93\xf6\x1d\xf3\x53\xbb\x18\x42\xb2\x89\xb5\xeb\xb7\xd0\xd8\x3e\xb0\x5f\x31\xe3\x45\x73\x46\xd1\xbc\xf8\x83\x35\x4e\x9a\x24\x7c\x78\xbc\xdf\x11\x45\x0b\xd3\x62\xf4\xe0\x9f\x9b\xc8\x1e\xa9\x28\x23\x05\xdf\x3a\xed\x85\x34\xb1\xf5\xc1\x5f\x58\x12\x7b\x85\x1e\x04\x5a\x0c\x54\x19\x3b\x5b\x11\xbe\x18\x75\x56\x3f\x86\x8e\xfe\x9a\x6a\xd8\x30\xca\x44\x36\x78\x6d\x79\x36\x4e\x19\x30\xd4\x55\xfa\xa6\xeb\xef\xe8\x6e\xce\x76\xa8\xb8\x95\x2d\xff\x2d\x3b\x83\xdd\x8b\xa4\xfd\x7c\x1c\xf9\x12\xa2\x2f\x65\x11\xc3\xcc\x11\xbd\x2f\x04\x69\x0a\xcd\xb3\x8f\x7e\x14\x20\xbc\x15\xe5\x74\xad\x12\x96\x55\x75\x44\x40\xd2\x90\x13\xc6\x98\x61\xd4\x7a\x42\x90\x6c\xee\xaa\x05\x1e\x2e\xfa\xde\xae\xa9\x97\x77\x9e\x05\xdd\x91\x22\x97\xa4\xff\xa9\xaf\x33\xfe\x81\xe7\x20\x67\xc3\x6e\x81\xc4\x86\x53\xd6\x9f\x2a\x2b\xa9\x17\x14\xd5\x10\x4e\x0e\xa1\xe6\xe9\x20\xa4\x40\x24\x05\x98\xdc\x62\x8e\x82\x05\xc3\x31\x3a\x0b\x03\xb7\xfe\xd3\xa8\x78\x8f\xb2\xa6\xde\x07\x22\x6c\x58\x9e\xf3\x37\x08\x22\x14\x38\x1c\x98\x00\xd7\x03\x63\x81\x83\xda\xdf\xf3\x17\x14\x17\x0b\xc4\x02\xb2\x71
\xef\x6c\x23\x5c\x12\xc9\xfa\x67\xc7\xbd\xa8\x0d\x63\x17\x15\xee\x1e\xd4\xdd\xa1\x07\x34\x7d\x14\x3f\x91\xec\x47\x0c\x20\x77\xc2\x77\x52\x4f\xe7\x8a\x23\xfa\xb2\x05\xfa\xb0\x8b\x1c\x25\x8f\x4b\xe4\x97\x59\xd1\xf1\x83\xa2\x1e\x40\x0a\x53\xa7\x24\x93\xa1\x7c\x23\xdf\xa1\x73\x21\x22\x57\x4b\x55\xa7\xf2\x66\x3b\xb0\x01\x7d\xdb\x2f\x47\x2e\xab\xd8\x7e\x40\x76\x95\xbc\xe8\x4c\x15\xf4\x30\x91\xbf\xc0\x6d\x4a\x52\x46\x72\xbf\x25\x15\x21\x85\x61\xe7\xc2\x5e\xa7\x33\xc1\x85\xd0\x98\x06\xdf\x8e\x6c\x92\x1c\x07\x1a\xe2\xf7\x6f\x5c\x0d\xb6\x23\x45\x17\xc7\x2e\x83\x93\x3a\xd4\x13\x46\x5b\x1b\xd0\xcd\xfe\x6a\x04\x6f\x07\xa4\xb2\x39\xfb\xb8\xed\x71\xbd\xdf\xc2\xb0\x71\x48\xd4\x99\x65\xda\x80\x3a\x82\x4b\xc1\x85\xda\x70\x53\x0a\xbb\x3e\x42\xb8\xa9\xf1\x9c\x0c\x3d\x86\x72\x35\x94\x13\x39\x51\x43\x4b\xfd\xbd\xe6\xbe\x90\xea\x21\x4f\xa0\xe1\x7f\x60\x3c\xd1\xad\x69\x5b\x5b\x5b\xa7\xc9\x86\x14\x87\x11\x45\x4c\x6a\x5a\x7a\x5d\xa2\xa1\x63\x1d\xc7\x06\x9e\x58\x2a\x1c\x12\xd2\xba\x25\xca\x01\xda\x8f\x5e\x70\x3b\x41\x14\x7f\xd3\x8f\x96\x68\xf1\x6c\xad\x66\xdf\x62\x2f\xe4\xb0\x2a\x1e\xef\xc0\xa6\x93\x63\xcc\x0b\x7c\x56\xf0\x34\x91\x60\x25\xee\x4b\xcf\xd0\x51\x26\x77\x29\x85\xa9\x63\x2a\x04\x36\x08\xe6\x56\x92\xaf\x2b\x4a\x75\x68\xf1\x3c\x41\xf1\x6c\x86\xbe\xc9\x9a\xae\x30\xa2\xd5\x4f\x64\x69\xf1\xeb\x68\x51\x8d\x48\xc4\x21\xbe\xc6\xf8\x3b\x82\x28\x30\x88\x38\xa9\xa4\x81\x9f\x2f\xed\x79\xe9\x9d\x10\x5a\x8f\x6b\x1a\xc0\x8e\xb9\xfc\x19\x62\xa8\x57\x7f\x27\xf5\xee\xcc\x91\x88\x3a\x02\x4e\xb7\x43\xa3\x99\xed\x6a\xef\x38\xe1\xf5\x33\xca\x6d\xba\x25\x53\x88\xd2\x5d\x4e\xef\x41\x2f\x03\x94\x4b\xcc\x0a\x8c\x4e\x94\xec\x31\xbb\x65\xc8\x9e\xca\x35\xcc\x88\x8f\xe8\x53\x0f\x6f\x58\x1a\x33\x46\x23\x3e\xf0\x93\x6d\xa1\x0e\x8b\x69\xc5\xfd\x23\xea\x2a\x58\xf9\xfe\x8b\x79\xa9\xef\x60\x80\x6c\x29\x6a\xba\x90\xfb\x83\x29\xe8\x38\xbb\x6c\x7d\x3c\x86\x7d\x41\x09\xba\xa2\x6c\x48\x37\x43\x9e\x63\x07\x17\x0e\x7b\x15\xc2\xf9\xf5\xee\x03\x30\x5f\x94\x81\xf8\xe7\x93\xdd\x08\x6e\xf2\xfc\x3e\xca\x55\x5a\xa2\x58\x12\x02\xbb
\x4e\xd8\xe4\x31\xcf\x0b\x71\x0b\xbd\x86\x25\xfa\xc1\x7b\x51\x9c\x68\x06\xb7\x21\x80\x08\xe0\x40\xbd\x2f\x07\x8e\x18\x50\x11\xd4\x71\xd4\x60\x26\xb5\x38\x87\xc9\x48\x1b\x6a\xbe\xa8\x38\xdc\x59\x8a\xf7\xd6\x1e\xb1\x05\x66\x12\x51\x68\xad\xb4\xb5\xfa\x2f\x49\xdb\x9e\x36\x08\xee\x06\xba\xff\x0b\x3e\xdd\xf0\x53\x70\x13\xa8\x9a\x8f\x60\xbe\xc6\xec\xaf\xe7\x4c\x3a\xd6\x26\x67\xcc\x73\x6e\x42\x31\x80\x60\xd9\x39\xca\x8a\xfa\xee\xf4\x18\x9c\xab\x94\xbb\x6d\x7c\x07\xf7\xaa\x21\xf6\x00\x27\x70\x7d\x8a\xee\x9d\x2f\xc0\x31\x96\x77\xe8\xe8\x6c\x6e\x02\x0f\x43\x53\xff\x8d\x52\x35\x42\x66\x9e\x4b\xf2\x64\x9f\xc4\xfe\x1a\xc2\x16\x51\x52\x7e\x25\x7a\x55\x00\x6c\x30\x4b\x83\xaa\xb8\xde\x6e\x87\xb0\x2d\x36\x60\x52\xde\xbd\x14\xf4\x71\x28\x33\xc3\x40\xea\xd1\xeb\x9f\x9f\x48\xdf\x1e\xa2\x7f\x67\x28\x2a\x8a\x5b\xa0\x5d\xf6\x8e\xe2\xaa\x98\xa3\x4b\x44\xfe\x38\xcf\x05\x82\x06\xcd\x11\x2d\x19\x37\x2e\x45\xaf\xb9\xd0\xc2\x4c\x0c\xa9\x18\x99\x48\x23\x9c\x99\xdb\xa4\x44\xf9\xc1\xa9\x1f\xdf\x3d\xff\xa9\xfd\xcd\x09\x35\x5e\x4b\x30\x61\x80\x63\xeb\x02\xe4\xac\x21\x2b\xf8\xf7\xb8\xc6\x17\x81\x1b\xc2\x74\x04\x23\x72\x4a\x0c\x50\x46\xf3\x57\x7e\x0b\x00\x6b\x14\x85\x0d\xdb\xab\xbf\x60\x12\x1d\x15\x1e\xc7\x30\x64\x9b\xa2\x51\xa2\x55\x1f\x6e\x92\x46\xe5\x46\x23\xa8\x19\xe9\xfc\xe9\x1f\xe4\x0a\x8a\xc2\xe5\x53\x32\xc5\x7b\x8b\x7b\x9a\x63\xad\xf9\x1f\x10\x74\x8d\xec\x7c\x01\x53\xcf\xf4\xa4\x12\x29\x27\x51\xb0\xab\x79\x3a\x14\x82\x29\xed\xd1\xf9\x08\x01\x2f\xba\xdc\xd1\x3e\x18\xd4\x79\xd9\x4e\xa5\x60\x65\x10\x03\x57\xba\x4b\xa1\x82\x58\xe4\xa8\x28\xea\xac\xa2\x0d\x67\x1d\x98\x6d\xc6\xd1\x79\x97\xf5\xb3\x74\x46\x93\xeb\x36\xcd\x7f\xce\x3f\xff\x1d\x2d\x59\xb9\xbc\xf1\xc9\x94\x27\xae\xec\x5c\x15\x8d\x12\xd0\x66\xd4\x69\x26\x7f\x42\x3d\xe6\x76\x07\x9d\xc4\x8d\xef\x12\x7b\xe6\x3b\x07\x9f\x0f\xe8\xd7\xda\xe2\xf2\x0e\xab\x8d\xdd\x0f\x38\x8d\x52\xac\x05\x91\x79\x58\x9c\x62\x42\xc7\xf9\xfe\x8e\x1d\x18\x57\xec\x29\x98\xf8\xdc\x9a\xed\x3b\x3d\x38\xae\xed\x70\xb0\xfa\xb5\xd1\x3b\xcb\x53\x6c\xbf\x01\xa2\xfd\xa8\x11\xf1
\x4f\xa0\xf5\xe4\xa4\xd5\x71\x31\x86\x0d\x60\xaa\xc2\x60\x73\x54\xab\xc5\x8f\x91\x51\xdd\x78\x8e\x78\x7f\x76\x85\xbe\x53\x7e\x6f\x86\xbb\xac\x94\xbe\xf4\xdb\xb0\x42\xda\x14\xc1\x00\x7d\xcd\x62\xaa\x8c\xbc\x70\x5d\x12\x0e\x07\x83\x94\xfc\xbd\xc9\x47\x29\xfc\xe6\x90\x5f\x1e\xd8\x69\x9c\xac\xd2\xe5\xf0\x05\x5d\x37\x7d\x0d\x5c\xa8\x3f\x18\x97\x1c\x19\x5c\x7e\xa1\xdc\xf1\x1e\x9f\xee\xc1\x24\xc2\xba\x56\xd0\xf5\x06\x06\x0c\x22\xcb\xc3\x66\xd0\xae\xd0\x5f\x40\x00\x62\x98\x4f\x22\x12\x2b\xfd\x16\xa3\x1b\x3a\x4a\x6e\xd9\xd9\x49\xbe\x5e\xc1\x6a\xe9\x8f\x2a\xa8\xea\xad\xae\xcc\x16\x9e\x97\xcd\xa0\xd5\xb5\x60\x2a\x91\xc1\x01\xb2\xe2\x83\xc0\xbe\x6c\x83\xab\xbe\x2e\x7e\x2e\x4c\xef\xe3\xbe\x22\x31\x21\x3e\xbb\x85\x88\x3e\x0a\x5b\x0b\x4a\x0d\x2c\x04\x72\x2e\xb6\x0f\xab\x23\x02\x3c\xf9\x1c\xa0\xab\x90\x8e\x4b\xb6\xac\x29\xa7\x88\xfe\x9e\xc6\xb9\x9d\x75\xd5\x2f\x20\x3c\xba\x7d\x92\x48\x5e\xf9\x05\x55\xae\xd4\x10\x60\xfd\xd0\x36\xf4\x2f\xa8\x18\xcd\xf8\xb9\xaf\xe2\x6a\xfc\x1f\x27\x9a\x40\x29\x25\x4b\x12\xdd\x54\xda\x88\x2a\x13\x8d\x34\xaf\x15\x77\xe7\x8c\x1d\xd1\x92\x3a\x56\xa3\x69\xd8\x5d\x74\xfa\x59\xd4\x53\x2b\x85\x9f\x67\xe6\x5f\x3e\x67\xd6\x54\xe5\x7d\xde\x88\xcf\x7c\x23\xc9\x18\x2e\xc1\x5e\x95\x28\x3d\xbb\xa7\x99\x11\x16\x4d\xf2\xb4\x83\xbe\x5a\xdb\x7e\x60\x06\xfe\xb6\x9c\x67\x2c\x93\x8a\x81\x8b\x2b\x46\x36\xc9\x43\xb6\x8e\x8c\x93\x35\xa5\xfe\x2a\xa7\x42\x74\x02\x78\x51\x17\xde\xb2\xae\x7c\x16\xba\x0d\x05\xa5\x0d\x21\xcd\x7b\x65\x8c\xe0\x21\x40\xdd\x20\x84\x9a\xe2\x50\xbb\xb1\x0e\x96\x0c\x87\x21\xcf\x96\xd0\xe7\xd8\x1b\xbb\x21\xa5\x33\x58\xe0\xa4\x4f\x8d\x26\xb1\x0b\xf2\x4e\xda\x9b\x5d\x8c\xee\xf7\x10\xee\xc2\x5c\x0c\x3b\x31\x80\xc8\x59\x40\xf5\xb1\x5c\xc1\x3f\xe6\x8a\xd1\x9f\x7f\x0e\x9b\x4c\xc3\x97\x35\xb6\x86\x39\xf8\xfe\x46\x22\xdc\x78\x4d\x5d\x64\x70\xab\x9e\x32\x74\x0d\xb0\x2a\x9b\x67\x32\xac\xbb\xf5\x87\x67\x19\xf5\x57\xa4\xe0\xa4\x2c\x03\x6b\xb3\xf9\x72\xea\xa8\x62\xc5\x8f\xfb\xce\x08\xee\x0e\xa2\x1e\x74\xe8\x17\x57\x87\x05\xe4\xe2\x68\x3f\xeb\x6c\x61\x23\xee\x1b\x9a\xe1
\xda\x94\xc5\xea\x68\x76\x3b\x03\x03\xc6\x39\x7e\x21\x69\x1a\x4d\x81\x54\xfd\x1a\xef\xdf\x39\x8c\x41\x36\x9e\xb8\x25\x5d\x9b\x84\x7f\x9d\x67\xcf\x5b\xb8\x08\x41\xf4\x68\xf7\xc8\x70\xf0\xe1\x94\xdc\xf2\x3a\x6e\x76\x42\xc9\x51\x4d\x12\x64\x32\xf4\xb6\x6b\xdb\x7b\x81\xb5\x43\x70\xca\x23\xa0\x5c\x22\x3c\x49\xc5\xb2\x68\x03\x76\x8b\xad\x60\x59\x48\x17\xbb\x98\xb5\xec\x27\x4d\x62\xe2\x64\xc5\x4c\xde\x98\x06\x37\x6b\x40\x5e\x9f\x7d\xe3\xd5\x9a\xe3\xce\x7d\xb4\xa6\x89\x85\xb1\xc1\xa1\x12\x22\xd1\xc2\x80\x9c\x96\xf7\xeb\x9a\x5b\xf4\xe5\x02\x66\xdf\x93\x5c\x90\x0a\x56\x8f\xe5\x79\xa6\xea\x47\x4f\x62\x35\x91\x96\x4d\xb4\x3a\xc6\x47\xde\x15\x91\x6a\xef\xac\xd3\x22\x23\x6f\xd5\x39\x77\xd6\x82\xee\xeb\x0d\xcf\x79\x8b\x6f\x2f\xf2\x2b\x36\xdd\x00\xd6\x4e\x51\x59\x9b\xda\xd7\x03\xa4\x2d\x1d\x20\xeb\x8d\x6a\x63\x85\xf6\xdb\x49\xf3\x4f\xce\x3b\x28\xe2\x85\x6f\x28\x28\xd7\x7c\x4d\x03\xd3\x4e\xb0\x8c\x33\xb7\x54\xbf\xe7\xf3\x9d\x0a\x34\x30\xa2\x13\xb9\x7e\x75\xc2\xc9\x75\x63\x5c\x79\xd3\x0a\xaf\x3d\xaa\x9a\x1e\x8c\xa5\x6f\xbe\x49\x9e\x77\x81\x18\xc7\xe5\x95\x4a\xc2\xac\x2b\xce\xa6\x9a\xda\xc9\x60\x09\xe1\xb5\xcd\x27\x98\x6c\x25\x42\x82\xbf\x07\x60\x74\x75\x59\xcb\x61\x2a\x1f\x61\x0d\xf0\x9b\xec\x5a\xa1\xf4\x1f\x7a\x3b\x2f\x0f\x2c\xb2\x85\x08\xe2\xb0\xca\xf2\x06\xbe\x81\x0d\x65\xb6\xc4\xfc\x2e\xf5\xec\x09\x8b\x27\x4b\x53\x68\x13\x06\x04\x16\x69\xab\xb1\x75\xe4\xec\x88\x98\x1c\x5a\x0c\x05\xa6\x46\xe5\xd9\x03\x43\xa0\xb1\xf8\x73\x37\x9c\xf1\x44\xc3\xc8\x79\x5c\xfd\x77\x59\x4b\x51\x6a\xb0\x2a\x40\x8e\x0f\xaa\x37\xfd\xf2\xde\x2e\x6f\x37\xfa\x03\x54\x0d\x70\xe5\xf0\x29\x77\x67\x08\x4e\xa0\x08\x6c\x13\x1a\xb5\xb2\x8a\xb5\x43\x97\x8f\x1d\x4f\x04\x29\x1b\x6d\xdd\xd7\x2d\x2a\xa9\xa2\x2a\xe1\x96\x97\x95\x03\x51\xa2\xf3\xda\x68\x97\x1d\x96\x36\xe2\x9c\x66\xd9\xfd\x61\xcd\xac\x7c\x81\x18\x93\x50\x44\x7c\x03\xc1\x46\xd0\xdd\xe5\x5a\x17\x91\x5b\x56\xff\xa9\xfb\xa4\x7e\x09\xba\xfe\x41\x2b\x6a\x8a\xe7\x20\xd9\x2b\x04\xa5\x5e\x65\x48\xb0\x03\x55\x06\xf8\x0f\xaf\x97\x08\x24\x79\x82\x09\x6d\xd8\x06\xe1\xe6
\x98\xfe\x8f\x59\x0f\xcb\x00\x9f\xa8\x75\x86\xb0\x8c\xd2\x70\x97\xaa\x53\xd3\x08\x7e\x9f\x4c\x7a\x4e\xe5\x56\x49\x1b\x3d\xf6\x8f\xb4\x13\xa9\x2d\x7f\x78\x33\x65\xc6\xa5\xe1\xfc\xa5\xd9\x56\x3e\x19\x3e\xd2\x37\x9f\x99\x4f\x32\xe9\xa2\xc7\xa7\x22\x15\xc1\xe8\x91\x38\x57\x65\x94\x7b\x90\x86\xa5\x60\xd3\x73\xae\x19\xb8\x8e\x78\x15\x03\xb1\xb8\xb8\x01\xa8\xdc\xf5\xf6\x7d\x0e\x4b\x02\x12\xd8\x54\x48\x76\x94\xac\x76\x57\x2f\xa1\xe6\xf1\xfe\x71\x9c\xde\x5b\x27\x8c\x9c\xe3\x93\x8b\x27\x10\x60\x33\x5a\x57\x41\xba\xa0\xd7\xad\xc3\xde\x28\xe3\x7b\xee\xd6\xf7\x81\xf6\xf7\xb3\x21\xc5\x69\x33\x82\x83\x77\xa2\xff\x6d\xe2\xbf\xc2\x4b\x2a\x34\x72\xca\x50\x39\x37\x3d\x3c\xdc\x9a\xfc\x04\x0c\xe4\xe8\x94\xcf\xf8\x22\x54\xd9\xe4\xf4\xb2\x59\x98\xc9\xdc\x84\x70\x54\x63\xda\x8a\x03\xea\x41\x9c\x2e\x4c\x81\x2a\x9f\x04\xd5\x3f\x2d\xe4\xfc\x2e\x3c\x1a\x08\xa7\x38\x9d\xdf\xb0\x82\x17\x64\xe7\x11\x05\xeb\x05\x88\x72\x08\x71\xf0\x08\x2c\xd9\x11\xf8\xed\xf6\x94\x95\x00\x72\xee\xbc\x64\x21\xbf\xc7\x1a\xf2\x76\x69\x10\x7e\x4b\x48\xac\x97\x13\x39\xe6\x9c\x46\xc4\xea\x5d\x50\x02\x8f\x14\x73\x5d\x84\xda\x04\x0a\x08\xd3\xc9\xd0\xe6\x4d\xee\x8b\xb6\x45\x00\x3b\xfc\x01\x62\xc3\xe1\x31\xd3\xdf\xcc\xf1\xa5\x16\x28\xbd\x59\xed\x49\x5b\x17\x7b\x41\x7d\x0c\xb3\x76\x53\x7d\x58\x16\x74\x1c\x25\x88\x5e\xc5\x67\x42\x15\x4e\x84\xa2\x6d\x9d\xe3\x76\xd6\x7f\xfb\xe2\xfd\xb4\x86\x9b\x6d\x87\x08\xa7\x35\x0e\xfc\x67\x2a\x48\xd6\x0a\x92\x8c\x99\x27\x53\xad\x4b\xd7\x45\xa7\x18\x9b\x3f\x94\xf4\x8f\x64\xc9\xf8\x6d\x9f\x0b\x22\xbf\x7a\x1d\xf2\x09\x6b\x46\xfa\xdf\x26\x69\x06\xf3\x94\xb1\xde\x65\x52\x92\x87\x85\xd6\x8d\x26\xb9\x6b\xda\x02\xe4\x9d\x5e\xca\x82\x84\x70\x0d\x50\x33\xb0\x06\x23\x66\xa6\xce\x4b\xe4\x4c\x76\x7d\x60\x81\x7b\x48\x76\x87\x48\x58\x2a\x5e\xd3\xdb\x60\x82\x91\xa5\xef\xa1\x01\x1b\x75\x8f\x99\x0a\xb3\xe4\xab\xed\xf5\x3f\x01\xb7\x00\xdf\xae\xb5\x87\xb4\xf4\x14\xd3\xfe\x3a\x87\x32\xe1\xf2\x15\xfa\x86\x9c\x7b\x2f\x8b\x7f\x4e\xac\x59\x7d\xa8\x17\x51\x70\x9b\xd1\x8e\xb0\x86\x9c\xe1\x14\x59\xf8\x76\x6e\x63\x32\xe9
\x57\x10\x7a\x79\x1a\x64\x01\x10\x49\x48\x8a\x27\x32\x54\xf3\x3e\x0e\xcb\x44\x0e\xe4\x46\xe8\xab\x76\xf2\x4e\xc1\xf4\xcf\x7d\x31\x4a\x15\x8c\x51\x2b\x6a\x27\x31\x09\x93\x67\x76\x6a\xe4\x05\x35\x96\x7d\x63\xce\x07\x1f\x06\x8a\x7d\x3f\xbd\x48\x33\xa0\xc7\x8c\xea\x71\x27\x48\xa4\xbf\x23\x61\xd8\xf6\x03\x59\x59\xa6\xab\x08\xf3\xd4\x4f\x7f\x81\xfe\x74\xd9\x64\xd5\x8b\xb3\xcb\x60\x51\xc5\xe6\x8d\xc6\xe7\x1f\xec\xe4\xae\x85\xdd\xc8\x95\xb3\x16\xf4\x7d\x52\x08\x47\xdd\x84\x83\x17\xb6\x1a\x47\xa1\x3c\xe0\x6c\x30\xd1\x4d\x98\x52\x93\x8c\x6e\xe4\x5a\xd2\xeb\x1f\x19\xdd\xa1\x9b\x1f\x83\x56\x24\x41\xc2\xd3\x06\x11\x1f\x51\x1e\x40\xa8\xd8\x2b\x33\x4b\x2d\x98\x3c\x35\x4f\x2c\xf8\xa2\xe7\xa2\xfc\x13\x5a\x4a\x31\xda\x5b\x09\x29\xd0\xe0\xc3\xe1\xc9\xbf\xb2\xde\xbc\xd2\xfc\x9d\x05\x77\x26\x3c\x77\x71\xc6\x84\xd3\x4a\x6b\x02\xb3\x1c\x52\xf4\x2e\x07\xfc\x1f\x42\xe7\x0d\x74\x00\x35\xe8\x0f\x0c\x38\x89\xd8\xd2\x8c\xdf\x11\x40\xe2\x10\xdf\xf5\xae\xb5\xaa\xab\xfd\x65\x5a\xc4\x6e\x03\xd1\x7e\x1e\x72\x27\x3e\xa0\x14\x15\x8c\xff\x2c\x8e\xf3\x70\x08\xb4\x4e\x73\xd2\xc6\x16\x86\x23\x49\xaf\xa5\xa1\x6e\xc6\xf1\x0d\x7f\x85\xfe\x4d\x95\xdf\x41\x6b\xdf\x00\x17\x48\xa6\x98\xa7\x94\x21\x92\x54\x9a\x4b\x86\x00\xf5\x38\x02\x91\xfe\xca\xb3\x74\xb5\x90\x26\x6a\x98\x0b\x2d\x38\xd0\x81\x7e\x11\x1c\xa3\x14\x47\xff\x7a\x33\xee\x30\x0b\x75\x83\xc8\x30\x50\xa5\x91\xcf\xb8\xc3\x83\x20\x36\x9b\x54\xb9\x62\x4a\xe5\xbf\xbe\x7a\x65\x73\x23\xe6\x4b\xb8\x90\xff\x4a\xbd\x85\xfb\xe8\xc5\x9a\x68\xa6\x16\xb0\x44\xdd\xc9\x77\x33\x60\x41\x33\x5f\xe1\xd2\x9e\x87\xdf\xc5\x63\xa0\xf7\xd3\x93\xca\x83\x53\xb3\x1c\xaa\x64\x1d\x11\x40\x10\x9d\x3f\x3d\x68\xbc\x4a\xc8\xd1\xa3\x2e\x03\x9a\x5a\x5a\xae\x4e\x95\xd7\xd3\x7d\x57\x37\xef\x2b\x99\x7e\x17\x86\x82\xbe\x27\xb0\xd5\xb9\xcb\x7b\xb3\x0b\xce\x28\xda\x9f\x9c\x29\x98\x80\xe1\x52\xd9\x0f\x6a\x05\x90\xfa\x28\x9a\xeb\x5c\x4b\x4c\x05\x0f\x7f\x48\x74\x4a\x1e\x3e\xd8\xb7\x06\xbb\x14\x37\x14\x63\x70\x52\x27\x75\xb4\xa8\x24\xef\x29\xae\x2d\x08\x54\x27\x9f\xef\x03\xa0\xea\x67\x3e\x25\x1f\x66
\x97\x16\x6f\x36\x99\x60\x89\xb8\x8f\x48\x5c\x30\xdd\x49\xdf\x10\x21\xb1\xce\x79\x4b\xa4\x47\xe3\x61\x70\x4c\xa2\x0c\x53\xf2\x84\xfd\xc4\xfa\x1a\x1f\x40\xe5\xf7\x24\x0f\x27\x32\x13\xb6\x92\x0e\x9b\xfb\x8e\xe6\x9f\x93\x26\x16\xcc\xf6\x56\x49\x5d\x99\x87\x43\xd6\x1a\x08\x8e\x60\x59\xfe\x2f\xc0\x35\x72\xf1\xdf\xad\xfb\x51\x0c\x55\xf5\x18\x5a\xda\x91\x4e\x2a\x96\x62\x8d\x3e\xe5\xd6\xb0\x01\xcf\xd0\x45\x64\x6e\xf9\x36\x94\x82\x8f\xe8\xe0\x33\x3d\x9e\x85\x37\xab\x9e\x02\xec\x72\x17\x13\xb2\xb9\x74\x3e\x68\xf4\x2f\xff\x78\xab\xc0\xaf\xd4\xbd\xdc\x95\x17\x9a\xf1\x2c\x3c\x95\x08\x34\x9e\x65\x6a\xd5\x9b\xd6\x4c\xb6\xa4\xbc\x76\x42\xc6\x6e\xfe\xf2\x9a\x55\x00\x93\x70\x64\xde\x05\xe4\x9e\x2a\x81\xc5\x87\xe2\x28\xe0\xab\xa0\xc8\xa6\x87\x5c\x41\x06\x63\xa2\x22\xe5\x57\x55\x7b\xcb\x10\x54\x01\x25\x32\xe3\xe6\xd4\x83\x0d\x3d\x9c\xa0\xeb\x68\x97\xba\x54\x05\xa3\x35\x50\x3f\x8c\xfe\x34\x5a\x20\xed\xee\x88\xa8\xb1\x43\xe2\x8c\x98\x2b\xb8\x36\xe0\xcd\xe0\xc6\xde\xab\xad\xbc\x11\xd8\xa6\x33\x50\xf1\x05\x0b\x71\xab\xcb\xd8\xea\xe7\xc2\x2f\xc0\x4d\x59\x72\x67\x48\xc8\x2e\xd4\x35\x95\xd6\x62\x55\xb6\xc3\x0f\x11\x1e\x3b\x5c\x9c\x12\xd9\x7a\x36\x8b\xe6\x72\xb0\xf0\xe5\x92\x98\x38\xfd\x82\x04\xb5\x5d\x0e\x51\x1a\x32\x90\x6a\xf5\xc3\x49\xcd\x64\x8a\x43\x98\x14\x77\x04\x56\x3a\x10\xd5\xd5\xf5\xa8\x6f\x8f\x1c\x88\xa2\x32\x4e\x56\xcf\x28\xd6\x3d\xaa\xc7\x25\xe7\xf9\xfe\x3d\x15\x04\xaa\x2d\x26\x90\x37\x60\xe2\x7e\x79\x6f\x7f\x7d\x33\xb9\x6e\xf0\x1e\x4e\x57\x24\x56\xfe\x47\x9a\x25\x23\xd3\x96\xe6\xcc\x88\xb8\xa8\xdc\x35\xf1\x55\xda\xed\xb3\xc2\x9d\xd2\xcd\x8a\xdf\x6d\xcc\x73\x2e\x5c\x58\x51\x1b\xd3\x89\x87\x83\x99\xc4\x32\xc1\xa4\x0d\xc0\x6e\x94\xe2\x4d\x66\xe1\xcd\xbb\x73\xcc\xa9\x92\xa3\xa6\x1c\x54\x5d\xd3\x47\xd0\xbe\x41\x41\xa1\xec\x23\xa6\xca\x84\x5b\xa1\xb5\x83\x96\xb4\x56\xee\x05\xe6\xbe\x7d\x7c\x9a\x0d\xea\xad\x66\x46\xd7\xa7\x79\x86\x88\x6d\x9e\xe7\x55\xc5\x88\x96\x50\xe9\xeb\xcc\x4b\x8d\xea\x33\x52\x1b\x65\x17\x1e\xc9\xd9\xee\xb4\xe7\x76\xd3\xd7\x1f\x52\x61\xd4\x51\xf4\x81\xb9\x0c\xfc\x65
\x5f\x8c\xf1\xb6\x3d\xf8\x46\x7e\x0c\x1e\x2f\x9a\xf5\x75\x8e\xb5\x06\xaa\xce\xab\x4b\xb3\x59\x07\x82\x9e\x55\x41\x1e\xb2\x5b\x59\xcb\x70\xf9\xea\x06\xef\xde\xaa\xef\x61\x51\x15\x61\x84\xec\xea\xb1\xba\x65\xf4\x1d\xf3\x2b\x53\x46\xf5\xec\x03\xab\x19\x80\x7d\xf4\x84\x49\x88\x13\x34\xa6\x82\x9c\x39\x71\x69\x21\xfb\x7e\x5d\x05\x78\xee\xb3\xeb\x3b\xec\xb8\xff\x5e\x00\xfe\x84\x22\xb0\xc3\xb7\xbc\x77\xa5\xd3\x38\xbd\x0d\x4e\xf6\xa3\x41\xdd\x94\x1d\x92\x5e\xc6\xcd\x93\xf2\x89\x56\x6d\x80\x3f\xf2\xa0\x2a\x3e\xf8\xc8\xd8\x00\x52\x51\x8f\x9a\xfa\x30\xaa\xf0\xcb\x97\xea\x1e\xed\xb5\x27\xb1\x80\xdc\xb8\x03\x68\x05\x0b\x6d\xfb\x4e\xbe\x2c\xb9\x6d\x1e\x06\x84\x98\x6a\x85\xa6\xb6\xeb\xa2\x16\x60\xa1\x8c\x28\x24\x8c\xc0\xd4\xcd\xf5\xe0\x85\xc1\xfb\x61\x33\xda\x11\x69\xe5\x03\x6d\x35\xf5\x47\xeb\xc0\x61\x86\xb6\x95\xf2\x42\x71\xbd\x68\x0a\x39\x7d\x92\x35\x38\x12\x7f\x94\x8a\x2b\xa3\x6b\xf5\x29\x1a\x9c\xfa\x5d\xc5\x7a\xf9\x90\x1b\xb7\xef\x7c\x9c\x9d\x60\x00\x86\x37\x6a\x0d\xc6\x80\xe4\xe6\x7e\x17\x70\xe7\x24\x99\xb5\x83\x33\xaf\x89\x8a\x33\x2c\x78\x94\x95\x94\x28\x42\x4f\xe6\x1c\x0e\x0d\x8f\xd6\xc4\x6a\xf7\x9b\xdb\x23\xc8\x44\x94\x01\x58\x7b\xa1\x16\x56\x5c\x8e\x06\x0f\xb1\xaf\x55\x7c\xec\xda\xf3\xd1\x0d\x2f\x06\x5d\x7f\xfd\x53\xdf\xbe\x8a\xfd\x1c\x46\x90\x4c\xba\xad\x1b\xd8\xf1\x8e\xe7\x0a\xa4\x81\x1b\x27\x85\x74\x33\xe4\x75\xab\x5c\x5c\x62\x0a\x8d\xaf\x02\xbe\xf4\x02\x86\x49\x7b\xe5\x1f\x25\x32\xd4\x25\x90\x56\x69\xf3\xbe\x5c\xe7\xb7\x90\xe9\x45\xc2\x2e\x44\x6f\x0a\x36\x1e\x04\x3f\xd4\xa7\x6e\x53\xe3\xb0\x4b\x59\x05\xed\xa6\x3b\xce\xbb\x62\xe0\x6c\x6c\xc0\xe2\x54\xf2\xf0\xe3\x86\xbd\xd7\x30\xc5\x5a\x04\x07\xaf\x9d\xec\x14\x63\x3b\x5a\xc1\x5a\x33\xec\x52\x3f\x6a\x4a\x94\x54\xbc\x5a\xa2\x16\xe1\x43\xf0\xf7\x2e\xbb\xd6\xf5\xc0\x38\xd2\xee\x39\xad\x7c\xf3\x95\x6a\x3c\x47\x9a\x8a\x65\x3a\x90\x6a\x01\xf4\x86\x18\xe6\xa4\x7a\xdb\xa3\x59\x8e\x9c\x9e\x72\x5d\x53\x43\x9e\x0f\x17\x5f\xcd\x51\xba\x15\x16\x07\xa3\x35\x93\xf1\x25\x6e\x6b\x29\x68\x5a\x81\x3d\xee\x40\x3e\xc2\xb4\xfa\x09\xc6\xd0\xf4
\xd6\x51\xe2\x37\x8b\x78\x04\x1f\x37\x24\x33\x47\xdc\x77\xce\x35\x14\xc6\x34\xe4\xf8\x3e\xa2\x97\x66\x5f\x16\xd6\x56\xa6\xdf\x91\x00\xbf\x65\x53\xd6\x69\xe4\x3c\x0a\xc2\xd8\x91\xeb\x77\x79\xee\x8d\x4f\x32\x11\xcd\x2a\x52\x7f\xd4\x15\xaf\x00\x04\xc2\xd5\xdd\xb6\x2a\x36\xde\xe9\x8a\xc1\x48\x96\x96\xc5\x56\x47\x6a\xca\x9f\x6d\xa9\xbd\x4f\x37\xac\xa8\x6b\x83\x86\x0a\x8d\xd9\x04\xbb\xe2\xc3\xd3\x7c\xfc\xd7\x68\xb5\x9d\x82\xa8\xc1\xbc\xef\xfc\x44\xed\xfb\x04\x73\x0e\xa5\x79\x16\xda\x94\xb4\xe8\xdb\xcf\x5f\x01\xb5\xa7\x18\x64\x6a\x56\xe6\x2a\x64\x74\x8a\x9e\x3b\x7b\x2f\x08\x0a\x2f\xb3\x51\x5d\xb5\x35\xc6\xac\xde\xf1\xd8\x58\xf6\x33\xb0\x80\xd3\x98\xc0\x06\xd7\x40\xf5\x9b\xfc\x06\x3a\xcb\xb4\x0f\xe2\x18\x3c\x55\x20\x89\x4d\xd5\xa4\x7b\xbd\xd9\x91\xf2\xca\x2e\x1d\x35\xd0\x40\x75\x59\x00\x16\xdf\xc8\x13\xa8\xf2\x72\x92\x6d\x66\x0b\x0b\xac\x47\xfc\x72\x97\xd7\x48\xd1\x64\x2d\xe8\x2c\x08\x24\x5c\x8a\x4a\xf3\x98\x26\x97\x1b\x06\xe2\x52\x56\x75\x9f\xc4\xae\xe3\xde\x98\x40\xc1\x4f\x99\xe8\xa5\x34\x04\xbc\xca\xe6\x13\xce\xdd\x72\xd3\x2e\x74\xc8\x7d\x8c\xad\x6c\xf7\x2f\xd2\x01\x8d\x5f\x3a\x79\x7c\x08\xcd\xda\xa2\xd9\xa5\xac\x5f\x49\xbf\x07\xb0\x45\xc4\x16\x9a\x88\x30\x46\x2c\x19\xb4\x00\x4b\x62\x83\x0c\x4b\xed\xca\x51\x61\x45\x1c\xe9\xc8\xac\x56\xf9\x73\xcc\x12\x0f\x7e\xad\xb2\x01\x0d\xe4\xbc\x3d\x71\x96\x47\xa8\xef\xb1\xa9\x5d\xc9\x3c\xce\x6e\xd2\xe2\x25\x5b\x85\x28\x21\x49\x1d\xcd\x30\x64\x0e\xeb\xae\x86\xec\xc0\x2e\x36\x5b\x46\x5d\xef\xb7\x36\x94\x17\x0d\x30\x33\x77\x59\x68\xa5\x3f\x27\x4f\xd1\xab\x8f\x38\x97\x81\x5a\xf3\xdf\xc8\x1f\xcd\xb7\xa3\xa6\xd1\x91\x7c\xab\x0a\x44\x69", 8192); *(uint64_t*)0x20004cc0 = 0x20002200; *(uint32_t*)0x20002200 = 0x50; *(uint32_t*)0x20002204 = 0; *(uint64_t*)0x20002208 = 0x8b20; *(uint32_t*)0x20002210 = 7; *(uint32_t*)0x20002214 = 0x1f; *(uint32_t*)0x20002218 = 4; *(uint32_t*)0x2000221c = 0; *(uint16_t*)0x20002220 = 6; *(uint16_t*)0x20002222 = 2; *(uint32_t*)0x20002224 = 0x7fffffff; *(uint32_t*)0x20002228 = 2; *(uint16_t*)0x2000222c = 0; 
*(uint16_t*)0x2000222e = 0; *(uint32_t*)0x20002230 = 0; *(uint32_t*)0x20002234 = 0; *(uint32_t*)0x20002238 = 0; *(uint32_t*)0x2000223c = 0; *(uint32_t*)0x20002240 = 0; *(uint32_t*)0x20002244 = 0; *(uint32_t*)0x20002248 = 0; *(uint32_t*)0x2000224c = 0; *(uint64_t*)0x20004cc8 = 0x20002280; *(uint32_t*)0x20002280 = 0x18; *(uint32_t*)0x20002284 = 0xfffffff5; *(uint64_t*)0x20002288 = 0x55; *(uint64_t*)0x20002290 = 0; *(uint64_t*)0x20004cd0 = 0x200022c0; *(uint32_t*)0x200022c0 = 0x18; *(uint32_t*)0x200022c4 = 0; *(uint64_t*)0x200022c8 = 2; *(uint64_t*)0x200022d0 = 9; *(uint64_t*)0x20004cd8 = 0x20002300; *(uint32_t*)0x20002300 = 0x18; *(uint32_t*)0x20002304 = 0; *(uint64_t*)0x20002308 = 0x40; *(uint32_t*)0x20002310 = 0xe62; *(uint32_t*)0x20002314 = 0; *(uint64_t*)0x20004ce0 = 0x20002340; *(uint32_t*)0x20002340 = 0x18; *(uint32_t*)0x20002344 = 0; *(uint64_t*)0x20002348 = 0x80000001; *(uint32_t*)0x20002350 = 0x787; *(uint32_t*)0x20002354 = 0; *(uint64_t*)0x20004ce8 = 0x20002380; *(uint32_t*)0x20002380 = 0x28; *(uint32_t*)0x20002384 = 0; *(uint64_t*)0x20002388 = 3; *(uint64_t*)0x20002390 = 9; *(uint64_t*)0x20002398 = 0x101; *(uint32_t*)0x200023a0 = 0; *(uint32_t*)0x200023a4 = -1; *(uint64_t*)0x20004cf0 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x60; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 9; *(uint64_t*)0x200023d0 = 0xf652; *(uint64_t*)0x200023d8 = 0x8d; *(uint64_t*)0x200023e0 = 0; *(uint64_t*)0x200023e8 = 0x3f; *(uint64_t*)0x200023f0 = 0x80000000; *(uint32_t*)0x200023f8 = 0; *(uint32_t*)0x200023fc = 3; *(uint32_t*)0x20002400 = 0; *(uint32_t*)0x20002404 = 0; *(uint32_t*)0x20002408 = 0; *(uint32_t*)0x2000240c = 0; *(uint32_t*)0x20002410 = 0; *(uint32_t*)0x20002414 = 0; *(uint32_t*)0x20002418 = 0; *(uint32_t*)0x2000241c = 0; *(uint64_t*)0x20004cf8 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 2; *(uint32_t*)0x20002450 = 0xa8f; *(uint32_t*)0x20002454 = 0; *(uint64_t*)0x20004d00 = 0x20002480; *(uint32_t*)0x20002480 = 
0x26; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 8; memcpy((void*)0x20002490, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004d08 = 0x200024c0; *(uint32_t*)0x200024c0 = 0x20; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 6; *(uint64_t*)0x200024d0 = 0; *(uint32_t*)0x200024d8 = 0x12; *(uint32_t*)0x200024dc = 0; *(uint64_t*)0x20004d10 = 0x20004540; *(uint32_t*)0x20004540 = 0x78; *(uint32_t*)0x20004544 = 0xfffffff5; *(uint64_t*)0x20004548 = 0x81; *(uint64_t*)0x20004550 = 1; *(uint32_t*)0x20004558 = 7; *(uint32_t*)0x2000455c = 0; *(uint64_t*)0x20004560 = 5; *(uint64_t*)0x20004568 = 8; *(uint64_t*)0x20004570 = 6; *(uint64_t*)0x20004578 = 0x1ff; *(uint64_t*)0x20004580 = 5; *(uint64_t*)0x20004588 = 4; *(uint32_t*)0x20004590 = 4; *(uint32_t*)0x20004594 = 0xe8; *(uint32_t*)0x20004598 = 0x193; *(uint32_t*)0x2000459c = 0x7000; *(uint32_t*)0x200045a0 = 6; *(uint32_t*)0x200045a4 = -1; *(uint32_t*)0x200045a8 = r[4]; *(uint32_t*)0x200045ac = 3; *(uint32_t*)0x200045b0 = 9; *(uint32_t*)0x200045b4 = 0; *(uint64_t*)0x20004d18 = 0x200045c0; *(uint32_t*)0x200045c0 = 0x90; *(uint32_t*)0x200045c4 = 0; *(uint64_t*)0x200045c8 = 0x8612; *(uint64_t*)0x200045d0 = 5; *(uint64_t*)0x200045d8 = 3; *(uint64_t*)0x200045e0 = 0xb2f; *(uint64_t*)0x200045e8 = 0x20; *(uint32_t*)0x200045f0 = 0; *(uint32_t*)0x200045f4 = 7; *(uint64_t*)0x200045f8 = 0; *(uint64_t*)0x20004600 = 0x1ff; *(uint64_t*)0x20004608 = 2; *(uint64_t*)0x20004610 = 2; *(uint64_t*)0x20004618 = 0x1de; *(uint64_t*)0x20004620 = 0x5a; *(uint32_t*)0x20004628 = 9; *(uint32_t*)0x2000462c = 0xc46; *(uint32_t*)0x20004630 = 5; *(uint32_t*)0x20004634 = 0xc000; *(uint32_t*)0x20004638 = 0xddce; *(uint32_t*)0x2000463c = 0xee01; *(uint32_t*)0x20004640 = 0xee00; *(uint32_t*)0x20004644 = 0; *(uint32_t*)0x20004648 = 0x12; *(uint32_t*)0x2000464c = 0; *(uint64_t*)0x20004d20 = 0x20004680; *(uint32_t*)0x20004680 = 0x10; *(uint32_t*)0x20004684 = 0; *(uint64_t*)0x20004688 = 5; *(uint64_t*)0x20004d28 = 0x20004900; *(uint32_t*)0x20004900 = 
0x2c0; *(uint32_t*)0x20004904 = 0xfffffff5; *(uint64_t*)0x20004908 = 0x8a; *(uint64_t*)0x20004910 = 4; *(uint64_t*)0x20004918 = 3; *(uint64_t*)0x20004920 = 0xfff; *(uint64_t*)0x20004928 = 6; *(uint32_t*)0x20004930 = -1; *(uint32_t*)0x20004934 = 8; *(uint64_t*)0x20004938 = 5; *(uint64_t*)0x20004940 = 0xca13; *(uint64_t*)0x20004948 = 0x81; *(uint64_t*)0x20004950 = 4; *(uint64_t*)0x20004958 = 0; *(uint64_t*)0x20004960 = 0xbbc; *(uint32_t*)0x20004968 = 0; *(uint32_t*)0x2000496c = 3; *(uint32_t*)0x20004970 = 0x34b; *(uint32_t*)0x20004974 = 0x4000; *(uint32_t*)0x20004978 = 9; *(uint32_t*)0x2000497c = 0; *(uint32_t*)0x20004980 = 0xee01; *(uint32_t*)0x20004984 = 2; *(uint32_t*)0x20004988 = 0x81; *(uint32_t*)0x2000498c = 0; *(uint64_t*)0x20004990 = 3; *(uint64_t*)0x20004998 = 0x80000001; *(uint32_t*)0x200049a0 = 0x16; *(uint32_t*)0x200049a4 = 0xf97; memcpy((void*)0x200049a8, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x200049c0 = 5; *(uint64_t*)0x200049c8 = 3; *(uint64_t*)0x200049d0 = 0x100000001; *(uint64_t*)0x200049d8 = 0x10001; *(uint32_t*)0x200049e0 = 7; *(uint32_t*)0x200049e4 = 0x83; *(uint64_t*)0x200049e8 = 5; *(uint64_t*)0x200049f0 = 5; *(uint64_t*)0x200049f8 = 0x100; *(uint64_t*)0x20004a00 = 6; *(uint64_t*)0x20004a08 = 0xfffffffffffffbff; *(uint64_t*)0x20004a10 = 0xb533; *(uint32_t*)0x20004a18 = 0x800; *(uint32_t*)0x20004a1c = 0xad7; *(uint32_t*)0x20004a20 = 0x32f914fb; *(uint32_t*)0x20004a24 = 0x2000; *(uint32_t*)0x20004a28 = 0xe0; *(uint32_t*)0x20004a2c = r[6]; *(uint32_t*)0x20004a30 = 0xee01; *(uint32_t*)0x20004a34 = 4; *(uint32_t*)0x20004a38 = 0x64; *(uint32_t*)0x20004a3c = 0; *(uint64_t*)0x20004a40 = 4; *(uint64_t*)0x20004a48 = 0xfffffffffffffffc; *(uint32_t*)0x20004a50 = 0x16; *(uint32_t*)0x20004a54 = 6; memcpy((void*)0x20004a58, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004a70 = 2; *(uint64_t*)0x20004a78 = 2; *(uint64_t*)0x20004a80 = 7; *(uint64_t*)0x20004a88 = 0x8000; *(uint32_t*)0x20004a90 = 9; *(uint32_t*)0x20004a94 = 3; *(uint64_t*)0x20004a98 = 
2; *(uint64_t*)0x20004aa0 = 7; *(uint64_t*)0x20004aa8 = 0x80000000; *(uint64_t*)0x20004ab0 = 8; *(uint64_t*)0x20004ab8 = 6; *(uint64_t*)0x20004ac0 = 0x400; *(uint32_t*)0x20004ac8 = 0xc932; *(uint32_t*)0x20004acc = 0x81; *(uint32_t*)0x20004ad0 = 5; *(uint32_t*)0x20004ad4 = 0x1000; *(uint32_t*)0x20004ad8 = 0xf841; *(uint32_t*)0x20004adc = r[7]; *(uint32_t*)0x20004ae0 = 0xee00; *(uint32_t*)0x20004ae4 = 0xff; *(uint32_t*)0x20004ae8 = 5; *(uint32_t*)0x20004aec = 0; *(uint64_t*)0x20004af0 = 4; *(uint64_t*)0x20004af8 = 0xffffffffffff3232; *(uint32_t*)0x20004b00 = 0x16; *(uint32_t*)0x20004b04 = 5; memcpy((void*)0x20004b08, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004b20 = 4; *(uint64_t*)0x20004b28 = 0; *(uint64_t*)0x20004b30 = 0; *(uint64_t*)0x20004b38 = 7; *(uint32_t*)0x20004b40 = 0x200; *(uint32_t*)0x20004b44 = 6; *(uint64_t*)0x20004b48 = 5; *(uint64_t*)0x20004b50 = 0x1020000; *(uint64_t*)0x20004b58 = 6; *(uint64_t*)0x20004b60 = 0x7f; *(uint64_t*)0x20004b68 = 0xce; *(uint64_t*)0x20004b70 = 0; *(uint32_t*)0x20004b78 = 0xa9fb; *(uint32_t*)0x20004b7c = 0xffffff81; *(uint32_t*)0x20004b80 = 0x3ff; *(uint32_t*)0x20004b84 = 0x1000; *(uint32_t*)0x20004b88 = 0; *(uint32_t*)0x20004b8c = 0; *(uint32_t*)0x20004b90 = r[8]; *(uint32_t*)0x20004b94 = 0x8de6; *(uint32_t*)0x20004b98 = 3; *(uint32_t*)0x20004b9c = 0; *(uint64_t*)0x20004ba0 = 2; *(uint64_t*)0x20004ba8 = 0xffffffff; *(uint32_t*)0x20004bb0 = 1; *(uint32_t*)0x20004bb4 = 5; memcpy((void*)0x20004bb8, "/", 1); *(uint64_t*)0x20004d30 = 0x20004bc0; *(uint32_t*)0x20004bc0 = 0xa0; *(uint32_t*)0x20004bc4 = 0; *(uint64_t*)0x20004bc8 = 0x3f; *(uint64_t*)0x20004bd0 = 5; *(uint64_t*)0x20004bd8 = 2; *(uint64_t*)0x20004be0 = 0; *(uint64_t*)0x20004be8 = 7; *(uint32_t*)0x20004bf0 = 6; *(uint32_t*)0x20004bf4 = 3; *(uint64_t*)0x20004bf8 = 2; *(uint64_t*)0x20004c00 = 0xf51e; *(uint64_t*)0x20004c08 = 0x65; *(uint64_t*)0x20004c10 = 1; *(uint64_t*)0x20004c18 = 0x8b; *(uint64_t*)0x20004c20 = 0x7f; *(uint32_t*)0x20004c28 = 0x100; 
*(uint32_t*)0x20004c2c = 9; *(uint32_t*)0x20004c30 = 0x24; *(uint32_t*)0x20004c34 = 0xa000; *(uint32_t*)0x20004c38 = 0x3f; *(uint32_t*)0x20004c3c = 0; *(uint32_t*)0x20004c40 = -1; *(uint32_t*)0x20004c44 = 0x40; *(uint32_t*)0x20004c48 = 3; *(uint32_t*)0x20004c4c = 0; *(uint64_t*)0x20004c50 = 0; *(uint32_t*)0x20004c58 = 1; *(uint32_t*)0x20004c5c = 0; *(uint64_t*)0x20004d38 = 0x20004c80; *(uint32_t*)0x20004c80 = 0x20; *(uint32_t*)0x20004c84 = 0xfffffff5; *(uint64_t*)0x20004c88 = 0x401; *(uint32_t*)0x20004c90 = 0x5b2; *(uint32_t*)0x20004c94 = 0; *(uint32_t*)0x20004c98 = 9; *(uint32_t*)0x20004c9c = 2; syz_fuse_handle_req(r[3], 0x20000200, 0x2000, 0x20004cc0); break; case 21: memcpy((void*)0x20004d40, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004d40); break; case 22: res = -1; res = syz_init_net_socket(3, 2, 1); if (res != -1) r[9] = res; break; case 23: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[10] = res; break; case 24: *(uint32_t*)0x20004d84 = 0xb8ca; *(uint32_t*)0x20004d88 = 0x20; *(uint32_t*)0x20004d8c = 0xe7c; *(uint32_t*)0x20004d90 = 0x26b; *(uint32_t*)0x20004d98 = r[10]; *(uint32_t*)0x20004d9c = 0; *(uint32_t*)0x20004da0 = 0; *(uint32_t*)0x20004da4 = 0; syz_io_uring_setup(0x3e79, 0x20004d80, 0x20ffc000, 0x20ffb000, 0x20004e00, 0x20004e40); break; case 25: *(uint32_t*)0x20004e84 = 0x29dc; *(uint32_t*)0x20004e88 = 2; *(uint32_t*)0x20004e8c = 1; *(uint32_t*)0x20004e90 = 0x3d6; *(uint32_t*)0x20004e98 = r[3]; *(uint32_t*)0x20004e9c = 0; *(uint32_t*)0x20004ea0 = 0; *(uint32_t*)0x20004ea4 = 0; res = -1; res = syz_io_uring_setup(0x5336, 0x20004e80, 0x20ffd000, 0x20ffb000, 0x20004f00, 0x20004f40); if (res != -1) { r[11] = *(uint64_t*)0x20004f00; r[12] = *(uint64_t*)0x20004f40; } break; case 26: memcpy((void*)0x20004f80, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20004f80, 0xfffffffffffffff8, 0x240); if (res != -1) r[13] = res; break; case 27: *(uint8_t*)0x20004fc0 = 6; *(uint8_t*)0x20004fc1 = 0; *(uint16_t*)0x20004fc2 = 0; 
*(uint32_t*)0x20004fc4 = r[13]; *(uint64_t*)0x20004fc8 = 0; *(uint64_t*)0x20004fd0 = 0; *(uint32_t*)0x20004fd8 = 0; *(uint16_t*)0x20004fdc = 0x4404; *(uint16_t*)0x20004fde = 0; *(uint64_t*)0x20004fe0 = 0; *(uint16_t*)0x20004fe8 = 0; *(uint16_t*)0x20004fea = 0; *(uint8_t*)0x20004fec = 0; *(uint8_t*)0x20004fed = 0; *(uint8_t*)0x20004fee = 0; *(uint8_t*)0x20004fef = 0; *(uint8_t*)0x20004ff0 = 0; *(uint8_t*)0x20004ff1 = 0; *(uint8_t*)0x20004ff2 = 0; *(uint8_t*)0x20004ff3 = 0; *(uint8_t*)0x20004ff4 = 0; *(uint8_t*)0x20004ff5 = 0; *(uint8_t*)0x20004ff6 = 0; *(uint8_t*)0x20004ff7 = 0; *(uint8_t*)0x20004ff8 = 0; *(uint8_t*)0x20004ff9 = 0; *(uint8_t*)0x20004ffa = 0; *(uint8_t*)0x20004ffb = 0; *(uint8_t*)0x20004ffc = 0; *(uint8_t*)0x20004ffd = 0; *(uint8_t*)0x20004ffe = 0; *(uint8_t*)0x20004fff = 0; syz_io_uring_submit(0, r[12], 0x20004fc0, 8); break; case 28: memcpy((void*)0x20005000, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20005000, 0x1000, 0x8600); if (res != -1) r[14] = res; break; case 29: *(uint64_t*)0x20005080 = 0; *(uint64_t*)0x20005088 = 0x20005040; memcpy((void*)0x20005040, "\x48\xd5\xa3\x40\x0d\x13\x5d\xd4\x91\x01\x61\x86\x7c\x99\x1f\xc7\xd6\x8d\x55\x14\x5f\xbb\xc5\xc4\x98\xb5\x8f\xba\x49\xbd\x01\xb6\x83\x86\x47\x33\x65\xa9\x13\x12\x72\xed\xe1\xd5\x3b\xc2\x85\x05\x1b\x85", 50); *(uint64_t*)0x20005090 = 0x32; *(uint64_t*)0x200050c0 = 1; *(uint64_t*)0x200050c8 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x20005080, 1, 0, 0x200050c0, 1); break; case 30: *(uint32_t*)0x20005100 = 1; syz_memcpy_off(r[11], 0x114, 0x20005100, 0, 4); break; case 31: memcpy((void*)0x20005140, "afs\000", 4); memcpy((void*)0x20005180, "./file0\000", 8); *(uint64_t*)0x20006640 = 0x200051c0; memcpy((void*)0x200051c0, "\xc5\xf6\xf4\x20\xae\xec\x38\x8c\xed\xec\x2b\x59\x7c\x81\x56\x53\x8c\xd4\x58\x60\x34\x19\x9f\x56\xf5\x94\x4d\xa0\x3d\x8c\xa8\x29\xf6\xc6\xb6", 35); *(uint64_t*)0x20006648 = 0x23; *(uint64_t*)0x20006650 = 1; *(uint64_t*)0x20006658 = 0x20005200; 
memcpy((void*)0x20005200, "\xf4\xee\x9e\xdc\x1b\xe2\xc2\xd8\x62\xa4\x80\xf3\x0a\xe3\x0d\xaf\xad\xfd\xf8\x69\xf7\x78\x9a\x45\x49\xf5\xa8\xda\xc0\x6f\xe4\xc5\xd5\xd2\xcf\x00\x66\xd8\x8b\xfc\xa6\xaf\x40\x74\x5e\xd6\x17\xb7\xa1\x46\xc9\x40\xde\x37\x50\x5c\xb9\x65\xea\xa1\x98\x2c\x8c\xa0\xec\x21\x06\xf4\x7e\x4e\x26\x5f\x1e\x19\x28\x5b\xba\x7e\xb5\x77\xf6\x00\x66\xb5\xf4\x6c\x62\xd2\xec\x00\x68\xed\xcb\xe6\x30\x0e\x4f\x1e\x3c\xce\x42\x9e\x45\xa7\xdf\x28\x7e\x80\x09\x84\x1d\xb1\x01\x51\x34\xee\xaa\x72\x43\x11\xe5\x51\x81\xcb\x7a\xfe\x7d\xfd\xc7\x94\x6b\xd1\x45\x23\xea\x66\x80\xea\x42\xca\x9f\x7b\x0e\xaa\xab\xe1\xd0\x54\x27\x7e\xff\x60\x7e\xf4\xf8\x40\x2e\x5d\xc3\x7e\x6a\x52\x8e\xc3\x56\x58\x23\xc0\x31\xa8\x46\x0e\x8b\x5f\x67\x06\x68\xf8\x6b\x90\xa0\x26\x04\x3a", 184); *(uint64_t*)0x20006660 = 0xb8; *(uint64_t*)0x20006668 = 2; *(uint64_t*)0x20006670 = 0x200052c0; memcpy((void*)0x200052c0, "\xba\xee\xde\x48\x17\x36\xd9\x0f\x0a\xa3\x6f\xb3\x27\x95\x6d\xd7\x63\x57\x8e\x20\x19\x9f\x0d\xc8\x5f\x18\x5c\x93\x06\x86\x6b\xa3\x3c\x93\xd2\xaf\x96\x13\xc9\x29\x09\xc6\x51\x25\x4e\x6a\x63\x50\x3d\xbf\x31\x7b\x02\x1c\x4b\x3c\x8d\xe3\x05\xd3\xde\x39\xa1\xad\x9a\xc1\xb0\xab\x3f\x51\xf6\x8c\x1a\xe1\xda\x3e\x4c\xc7\x44\xfd\x00\xdf\xa6\xd1\xb9\x6e\x21\x13\x40\x07\xd3\x1c\x93\x01\x38\x54\xed\x32\x55\x0f\x1b\x82\xa4\xc0\x3c\xa6\x74\x40\xd8\x65\x45\xdc\xd2\x9e\xea\x99\x27\x4f\x65\x57\x37\xad\x5a\x54\xd9\xe7\xf9\xde\xc4\x91\x29\xbb\x84\xbe\xb6\x2b\x18\x53\xf6\x9e\x6a\x07\x72\x09\xf7\xe5\x5c\xe0\xd5\x16\x86\xca\x76\x4d\x2c\xe3\x34\xcd\x6d\x09\xb5\xd9\x23\x57\xbd\xef\x60\xa6\x35", 169); *(uint64_t*)0x20006678 = 0xa9; *(uint64_t*)0x20006680 = 0; *(uint64_t*)0x20006688 = 0x20005380; memcpy((void*)0x20005380, 
"\x31\xf1\xfb\xee\x4b\x48\xe6\xe6\x9c\xb6\x1b\xd1\xcc\xc1\xe2\x13\xaf\x5a\x28\xe7\x4c\xff\xc2\xe5\xe8\x2f\xbb\xcd\x1c\x34\x00\xfa\xf3\x79\xd1\xa1\x94\xd5\x2a\x36\x67\xe2\x01\x9b\x9a\xec\x0e\x14\xfe\xed\x8f\xea\x77\x0a\x9a\x1b\xfb\xbc\x30\x99\x73\x21\xbc\xbb\xcf\x4d\x11\x5b\xb3\xd3\x26\x9e\x50\xbe\xca\x59\x82\xef\x1d\x22\xc9\x83\xd7\x86\x21\xdb\xaa\x93\xe8\x39\x5e\xfe\x31\xdf\xad\xed\xca\xde\xd0\x97\x6f\x5f\x0c\x7d\x4f\x17\xb6\xcc\x88\xb8\x97\xce\x5d\xdf\xf1\xad\xe8\xef\x2d\x62\xdc\xbe\xd4\x21\x58\x9e\x3c\xfb\x5d\x85\x50\xd3\x65\x1a\x99\x11\x5d\x6e", 138); *(uint64_t*)0x20006690 = 0x8a; *(uint64_t*)0x20006698 = 2; *(uint64_t*)0x200066a0 = 0x20005440; memcpy((void*)0x20005440, "\x78\x81\xb6\x81\x1e\xa2\xae\xc8\xf2\x7f\x7f\x7f\x52\x3c\xc4\xba\xca\x36\x52\xf7\x30\x3c\xd7\x48\xfb\x4e\xd8\xcc\x78\x3a\xc5\x78\xa9\xe8\x53\xa9\x90\x6a", 38); *(uint64_t*)0x200066a8 = 0x26; *(uint64_t*)0x200066b0 = 1; *(uint64_t*)0x200066b8 = 0x20005480; memcpy((void*)0x20005480, "\xc5\x05\xe1\x80\x5e\x72\xc2\x3f\x48\x9b\xb4\x5d\x55\x60\x79\x64\x53\x32\x08\x2b\x1b\x6b\xef\x7a\xdc\x39\xb0\x98\xe1\x73\xf4\x2f\xdd\x8d\x2c\x65\xce\xb6\x64\xad\xb4\x7d\xe1\x73\xdb\x5b\x34\x23\xe0\x2b\xfe\xe5\x83\x39\xfc\xb7\xd8\x5f\x2d\x1a\xcd\x1f\xed\x18\xda\x1c\xb7\xb3\xd2\x8d\x4e\x36\x8a\xa5\xf0\x2a\x89\x50\xaf\xd1\x9b\x0d\x60\x03\xc1\xfc\x54\x24\xd3\xe2\x8d\x4b\xf7\x90\x2f\xa3\xd9\x99\xb4\xf6\x23\x68\xc5\x84\x4f\x1e\x9e\x4d\x19\x5c\x65\x48\xc1\xa0\xe6\x14\x80\xc6\x1f\xe3\xfc\x89\x54\x81\x0a\x5c\x55\x19\xa2\x85\x0a\xff\x54\x44\xdf\xe3\x6d\x6c\x08\xfb\x25\x1d\x64\x59\x51\xca\x0a\xee\x8a\xe0\x9d\x52\x18\xce\x7d\x78\x3d\x4a\x62\x07\x0c\xce\x23\x1a\xb7\xc6\x30\x93\x1f\xbc\x78\x39\xba\x29\x79\x30\x5c\xab\xb4\x5f\x4a\xa2\xdc\x92\x49\x72\xfe\x3a\x5a\x80\x6c\x03\xc7\x41\x79\x3e\xb0\x46\xd5\x66\xef\x8d\xe1\xd0\xb7\x14\x50\xb5\x61\xba\x65\xb0\x14\x14\x29\xbd\x3e\x5a\x42\x06\xb4\x7e\xf0\x97\x27\x5e\xad\x1f\xe3\x12\x57\xa7\x23\xdd\xc5\x85\xc7\x03\xf5\xd0\xfc\xf7\xb2\x98\x13\x4d\x89\xd0\x3f\x47\x7a\xb7\xaf\x75\x6e\x3a\x4f\x9e
\x1d\x06\xca\x01\xf2\xb7\x59\xc9\x55\xb8\xe8\xbf\xc1\xb8\x07\x01\x98\xb3\x30\xf5\x85\x8c\x69\x51\x61\x06\x82\xa3\xcb\xdc\xb5\x91\xf1\x39\xa7\x1e\x88\x3b\xb7\x69\x1c\xb5\x6b\xc0\xad\x95\xdd\x77\x4f\xdc\x11\x0d\x07\x5b\x3a\xcf\x5f\xbb\xb2\x27\x22\x79\x21\xe1\x0a\xa5\xb7\x3d\xa8\x1d\xca\x19\x66\x00\x37\x61\x20\x26\x6c\xc8\x4f\x0c\xc2\xee\x0f\xf3\xf6\xc7\x4b\x65\x6a\x61\xb5\xf5\xae\x6d\xab\x4a\x9c\xe8\x4c\xb9\x7c\x0b\x90\xe7\xa0\xd0\x78\x28\x81\x9e\x2b\xdd\xb1\xa7\x27\x7c\xaf\x68\x71\x95\xec\x83\x64\xd8\x52\xb9\x86\x43\xf5\x55\xdc\xa6\xad\x72\xd6\x80\x64\x3f\x29\xc3\x22\x57\x5f\x2e\x57\x11\x34\x3f\x8a\xa2\x4d\x7d\xeb\x87\xd3\xac\xe4\x82\xbc\x05\xdc\xd5\x28\x83\x38\xb5\x84\x99\x4a\x09\x0c\x45\x1a\xbb\x28\x4c\x01\x04\xc5\xf3\x79\x08\xeb\x33\x07\xd6\x5e\x79\x2b\x4f\x25\x86\x00\xde\x77\x07\xc8\xb1\x54\xff\xd5\xf5\x6d\x7a\x17\xc6\x2f\x09\x28\x28\x51\x6f\x82\xea\x4a\x12\x6a\x2a\x36\x0c\x70\x31\x08\x77\x0c\xc7\xe7\x50\x5c\x8e\x18\x0c\x5f\x37\x6d\x0d\xba\xf1\xe1\x85\xa5\x04\xed\x01\x3b\x0b\x16\x24\x83\xf9\xe2\xa3\xbe\xc7\xd6\x83\x30\x82\xac\x95\x4e\x8f\x5e\x31\x84\x37\x2e\x05\x08\xad\x7e\x0f\xb4\xb2\xf1\x20\x1a\x35\x88\x2a\xda\x41\x5d\xfd\xb3\x65\x87\xe8\x87\x95\x10\x1f\x9d\xc6\xc0\xd2\x6b\xbb\x64\x24\x21\xdb\x09\x73\xef\x28\x3c\x2b\xea\x7f\x5c\x9c\x35\xeb\x13\xea\x5a\x97\x42\x85\x2f\x08\x3e\x44\x32\x82\xcb\xad\x94\x7e\xa0\x5d\x3f\x99\x8b\xf3\xf8\x60\xcd\x12\x5b\x26\x6e\x1f\x3b\x84\xc4\xe6\x2b\x4e\x49\xae\x7f\x85\x2d\x57\x8e\xab\x24\xa0\xc5\xe4\xc6\x09\x28\xb6\x99\xc7\xb6\x8c\x63\x28\xf3\x2c\xa3\x71\x5b\x94\x00\x55\xb6\xad\x04\xf9\x94\x16\x55\xdc\xfa\x91\xdc\x4d\xf0\x21\xa7\x45\x04\x51\x9f\x0a\x7d\xf1\x0d\xb5\x05\xda\x8c\xa4\xa0\x52\x58\x04\xdf\xd9\x0a\x31\xbb\xa6\x48\xbe\xe5\x7b\xcc\xd6\xcd\x9a\x59\x6e\xb9\x45\x86\x7e\x02\x31\xfa\xfb\x66\xc5\x01\x7b\x29\x79\xad\xe5\xdf\xcf\xb2\x4c\xb5\xc7\x88\x15\x11\x18\x56\x04\x90\x6d\x1f\x20\x1a\x12\x64\xa5\x4c\x20\xc1\x73\x90\x1d\x32\x5f\x5c\x2b\x0e\x0f\xff\x22\xc6\x83\x4d\x07\x0c\xbe\xdc\x8a\xe6\x6f\x2f\xce\x84\x88\xd7\x7b\x1f\x92\x57\xa9
\x1a\x00\x1e\xda\x07\x55\x56\xc2\x3e\x7a\xdb\xde\x0c\x99\x4b\xd6\x98\x0c\xbd\xb3\x44\xd0\x4e\xfd\x2a\x3f\x4e\x73\x26\x20\x26\x0d\x15\xf6\x08\x4c\xca\xb9\xb2\xf1\x3b\xf5\x47\x82\xeb\x2f\x56\x89\x19\xe0\xae\xfc\x06\x3f\x3f\x2a\xf6\xbe\xb8\x19\x15\x9c\xfd\xb0\x53\x4e\x79\xe0\xcd\x74\x51\x5b\x52\x8c\x82\xce\xfa\xec\x85\x47\xd0\x5f\x08\xb0\x04\x24\xa0\x2a\xbb\x0f\xe2\x0d\x30\x55\xd3\xb9\xd9\x7e\x8b\xad\x3a\x7b\x22\x02\xb8\xef\xfc\x5d\xa0\x55\xf4\xeb\x18\x27\xdc\xb1\xde\x57\xde\xfc\x3c\xcb\xe7\xc3\x02\x79\xa3\x04\x11\x96\xa9\xf0\xb1\xa7\x44\x91\xc0\x7b\x9a\x1a\xf0\x40\xe5\x3e\xc7\x1a\x91\x10\xe2\x0f\x32\x09\x2a\xdd\xcd\x05\x8a\x15\x07\x9b\x71\x8f\xac\x59\x4d\x8e\x75\x13\x9b\xc9\x26\x0f\xf6\x56\x47\x25\x0f\xd7\xce\x6b\xdb\xc3\x05\xc0\x79\xc5\xcc\x2f\xe6\xcd\x1f\xca\x99\x3e\x85\x30\xe0\x37\x38\x83\x90\x08\xdc\x65\x8f\x22\x66\x4e\xea\x77\x06\xf6\xad\xa2\x4c\xa1\xa2\x2e\x83\x0a\xad\x64\xf4\xdc\x44\x38\x7d\x83\xad\x42\x88\xf4\x46\x72\xd9\xa0\x55\x59\xfb\x29\xc6\x6f\xe6\x67\x9e\x97\x9f\x86\xee\x31\x67\x5f\x50\x1d\x95\x81\x47\x96\x61\x29\x08\xd1\xf7\x03\x7b\x69\x0b\x94\x81\xfb\x68\x7f\x2d\x52\xb5\xa3\x73\x51\x5f\x62\x07\x59\x36\x04\x2a\x0e\x9d\x10\xc9\x11\x14\xa9\xe7\x4c\xa7\xac\x76\x55\x8f\x73\xfa\x26\xfe\x9d\x14\xde\xa8\x5d\x4c\x9f\xae\x1f\x6c\x53\xbb\x76\x8b\x14\x57\xa7\xf8\x9b\xcb\xf9\x0e\x70\x69\x75\x37\x67\xf0\xc1\x90\x21\x63\xe4\x00\xaf\xdd\x91\xec\x2d\xac\xbe\x68\x0c\x7d\x64\x54\xa0\xf1\x73\x49\x0b\x6b\x1e\xd4\x88\x1e\x82\xcd\x79\xd6\xb8\x91\x61\xd8\x7f\x4f\x27\x0d\xea\xde\xbe\xb3\x51\x07\xc1\x9c\x7a\x6d\x54\x08\xe6\x0b\x32\x5c\x64\xdb\xb9\x98\x3b\xfa\xf0\x30\x6f\xac\x8a\x0f\xb3\x24\xaf\x5d\x69\xc2\x1c\x62\xa8\xb5\xe2\x57\xa4\x8d\xe0\x69\x22\x6a\xb2\x9a\xee\xad\x17\xfa\x45\xf3\x84\x75\x0f\x8b\xba\x1d\x46\xe0\xa4\x12\x78\x07\xe1\x0d\x15\x70\xda\x63\xb2\x02\xee\xb7\x15\x38\x6a\xfe\x3d\x8b\x17\x47\xca\xa6\xa4\x14\x16\xdd\x65\x52\x4d\x22\x28\xea\xaa\xd1\xa6\x1b\xff\x8d\xb8\xbe\x75\x2c\x45\xae\xca\x76\xde\xa3\xaa\x68\x08\x36\x4c\xf7\x58\xdc\x87\x03\x41\x7a\x49\xb9\x3e\xca\x5a
\xd0\x9d\x63\x30\x3a\x4a\xc3\x78\xaa\xd3\x4a\x08\xde\xcc\x4a\x72\x0c\x3e\xea\xf8\x8a\xce\x0a\x72\x90\x0b\xc3\xdd\x40\x2c\x12\x2d\x00\xd5\x6b\x51\x72\x35\xae\x91\x12\x83\x2d\x63\x7b\x93\x17\xb6\x1f\x9d\xcb\x0c\x48\xe7\x28\xe8\x50\xdf\xd5\x26\x26\xdb\x29\x6a\xad\x77\xb9\xc7\xcd\x91\x67\xf3\x19\x47\x47\xc0\x11\xa5\xfb\xda\xbc\xa9\xca\xbd\x2f\x6b\x75\x81\xf9\xd9\x1c\x63\x66\xd5\x26\xb1\x68\x3e\x3f\xee\xfd\x0f\xe3\x0f\x53\xe7\xcb\x7d\xe4\x1e\x89\xe4\xe7\x43\xef\xea\x39\x44\xea\x8a\xfd\x9f\x77\x8a\x7f\x06\xbf\xb0\xef\x23\x86\x48\xc2\x1c\xed\xfd\xd8\xb7\x6e\xed\x76\x57\x74\xd7\xa4\x90\xb0\xee\x46\x4e\x44\x88\xa9\xc3\xdd\x21\xc7\xba\x2e\x63\xa3\x1a\xe3\x8f\xfa\xb2\x09\x46\x0b\xa9\x3a\x62\x02\x9d\x8f\x2a\xde\x13\x77\xb5\x34\x38\xb0\x51\x90\x12\x27\x39\x82\x72\x63\x9f\x12\x4d\x42\xb5\x55\xd5\x91\xa6\x65\x5f\x73\xf6\xc4\x6c\x51\x4c\xf3\x2a\xe4\xc6\x04\x6c\x38\x04\x07\xf7\xd9\xcf\x3c\x14\x1b\xdd\x94\x69\x13\x84\x95\x8e\x67\x17\x8f\x81\x6a\x63\xe4\xcc\x18\x9c\x52\x16\x38\xdc\x7a\x28\xd2\xaf\xb6\x12\x84\x76\xe4\x08\xee\x85\xb9\x9a\x12\x61\x29\xc5\x5e\x67\x9c\x0b\xdc\xeb\xd9\x66\x98\x17\xe9\x45\xb0\xff\xfa\x61\x5a\xb9\xce\xf2\xf8\x59\xe0\xac\x38\x25\x36\x11\xfe\x63\xbd\x57\xfd\xf0\x3f\xb0\xd6\x5c\x1c\xc6\x5d\xf2\x65\x38\x59\xfc\x59\x4f\x9a\x3e\xb3\x79\xd1\x17\xda\x82\x8a\xc5\x58\x6b\x3f\x6d\x3b\xcc\xf1\xd5\x4c\x45\xbc\x1a\x5f\xa4\x5e\xd7\xad\x36\x6c\xff\x39\xa6\x32\xbd\x4d\x14\x70\x0d\x30\xf7\x0c\x99\x72\x5c\x2f\xb8\xee\x97\xcb\xc5\x9f\x8e\x5b\x64\xfa\xc8\xfe\x2f\x83\x60\x41\xbb\x57\x08\xa3\x64\x0b\xbc\x67\xf9\xd0\x9a\xc1\xfd\x36\x46\xa6\xf7\x44\x6f\x48\x15\x98\x9b\xb0\x41\x9c\x94\xb0\xa6\xfc\x97\xd0\xfd\x9e\x51\x90\xe7\x24\xd7\x54\x82\xcc\x1e\xb4\xc0\x77\x53\xb0\x1c\x42\x02\xc4\xd0\x9d\x00\x6b\xd6\xbd\x92\xb3\x3c\xd4\x0d\x8f\x1b\xf7\xea\x73\x9a\x68\x6f\x8d\x3a\x12\xdf\x2f\x7c\x57\x8a\xd2\xe0\xc1\xb2\x9c\x04\xf2\x82\x85\x70\x45\xed\x90\x38\x28\x30\xcf\x0f\x2f\x2c\x8d\x22\x07\x3e\xde\xc3\x1d\xd2\x57\x30\x0b\xa6\x7b\xec\x88\xa1\xe7\xa5\x58\x0f\xdd\xe5\x01\x98\x79\xf6\x96\x2d\xa5\x0d
\x75\xc6\xfd\x13\xa1\x9e\x35\x8e\x13\x41\x35\xdb\xb8\xb4\xbe\xed\xbe\xd1\xcc\x5f\x8f\x20\x34\xee\x29\x7f\xf6\x9b\x9d\xb3\xe0\x05\xe5\x9f\xd5\xea\x22\xba\x51\xbd\x8f\xeb\xde\x9f\xf9\xf6\x5a\x21\xda\x5e\x13\x5c\xa8\x86\x07\x31\xc4\xde\xe9\xc3\x3c\x7e\xdb\xa5\x08\xd2\x6d\xdb\x55\x92\xfd\xf9\x85\x06\x70\x2f\x99\x80\x37\xe6\xb4\x18\xc5\xc7\x83\x62\x43\x48\xf5\x7d\x2c\xf2\xcd\x8f\xb8\x37\xc6\x18\x53\xf5\x16\xc6\x8e\x76\x58\x29\xfe\x2f\x74\x11\x66\xa7\x4a\xfd\x1e\xdc\x90\x97\x1c\x4e\xda\x7a\x6a\x18\xd8\x5d\x54\xba\x87\xf9\x09\x5b\xd1\x62\x6b\x9b\x90\x0c\xf6\xfe\x05\xee\xb1\xb4\xf0\x05\x99\xb6\xe8\x38\x1f\xe2\x8d\xe8\x51\xe1\x9a\x02\x52\xef\xde\x6c\x57\x99\xf5\x6e\xc2\xd6\x1c\xc6\xff\x5d\x1e\xb6\x5e\x9d\x8e\x05\x45\xa9\x2e\x6b\x98\x66\x27\xc7\xf9\x71\x69\x42\x10\xe0\x88\xb7\x84\xbe\xaa\xba\x64\xd2\xab\xe4\x44\x1c\x7b\x14\xfc\x8d\x2a\xda\xfa\xc7\x82\x34\xed\x72\x59\x9c\xc4\x16\xc0\x47\x75\x0b\x24\xac\x3c\x9a\xa4\x69\x0c\x05\x77\x04\x9d\x80\x5b\xae\x79\x92\x2c\x1d\x29\x66\xd9\x75\x2c\x55\x1a\x91\xa9\xfb\xc0\xbb\x95\xc2\x3a\xcc\x2a\x90\x68\x35\x31\xa5\x9f\x30\xfc\x1d\x10\x79\xbd\x9f\xc0\x7f\x0d\x09\xbd\xdc\x01\x37\x2b\xa2\x6c\x13\xef\x30\x6a\xf3\x25\x6f\x23\x5d\x72\xb7\x59\xb6\x61\x8c\x1e\x09\xe8\xdf\x69\x35\xdb\x77\x45\x3b\x49\x96\xb0\x15\x2a\xe1\x37\xd1\xca\xdd\xbd\x5f\x8e\x12\x62\x1a\x54\x81\x55\x43\x45\xdf\xbb\x7e\x2c\x50\x03\x71\x34\x6f\xea\xfd\x5d\xc0\xf6\xe2\xc5\x9e\xa2\xc2\x45\xd1\x5d\xb2\x0e\x87\xc7\x7b\xd9\x08\xd9\x28\x50\xe4\x03\xe5\x8c\xdf\xf0\xe2\xfc\x25\x7f\xf0\x00\xf3\xb2\x68\xdc\xf1\x41\xe7\x75\x25\x10\x61\x08\xa4\xb6\xed\xcf\x89\xf1\xfc\xfb\x12\xa0\xa0\x2a\xd7\xc0\x12\x12\x84\xea\x49\x0c\xa7\xbf\x87\x61\xee\xff\x5b\x37\x5e\xeb\x0a\x03\x8a\x44\x4d\x2f\xb9\x50\xf9\x65\x17\xad\xa9\x4c\xd9\x6f\x8d\xbb\xd0\x42\xa4\xde\xb1\x88\x21\x7b\x7b\x9d\xad\x94\x8b\xb5\x98\x43\xc0\xc3\x92\xbd\x9e\x79\xc8\x5d\x34\x61\x6b\xcd\x99\xfb\xff\x77\x53\x7d\x23\x4c\x05\x1e\x5e\x9a\xa9\x13\xc7\x7c\xbd\xcf\x53\x96\xce\x3f\x06\x83\xe9\x2e\xbd\x0c\x1b\x99\xfb\x5c\x66\x3f\xb9\x7b\x6d\xc2\xd4
\x35\x54\xaa\xa9\x9a\x27\xab\x99\x17\x2b\xac\x17\xe3\xbc\x04\x4d\x3d\x2e\xf8\xf8\x73\xcf\x52\x21\x4e\x71\xd7\xd7\xc5\xff\x9d\xc7\x91\xd4\x0c\xee\x37\x53\x6d\xd1\x2b\xa0\x95\xb4\x8a\x34\x19\x75\x78\x4a\x16\x14\x17\x5a\x1f\xc4\x9d\xc2\x10\x2b\xa5\xc2\x74\x16\xdf\xf8\x27\x9e\xa3\xf2\xc4\x47\x39\xb8\xef\x99\x61\x69\x9a\x4c\x79\x28\x59\xce\xe8\x81\x11\x43\x78\x46\xc9\x45\x01\x75\xb8\xba\x2a\x32\x67\x57\xdc\xbf\xd5\x51\xac\xd1\x5d\x78\x37\x32\x83\x8b\x9c\x92\x4e\x09\x23\xfb\x79\x5b\x77\x04\xbf\x1c\x84\xdb\xe6\x56\x9c\x0d\xf7\x02\xa7\x47\x7f\xa0\x99\x6d\xe5\xd6\x81\xd1\x0f\xa2\xaa\x52\xb1\x42\x53\xba\x91\x3a\xde\xcf\x47\xea\xbf\x1b\x01\x5e\x73\xd6\xba\xb5\xdb\xe5\xd5\xdd\x1e\x06\x7c\xc9\xe4\x80\x60\x40\xdb\x09\xa1\x44\x8e\xd2\x1d\x98\xdc\x6f\x45\x9f\x22\xc9\x51\xc7\xb0\x72\x01\x46\x77\x91\x09\x7b\x39\x04\x10\x36\xa5\x0e\xc5\x59\x6b\x6d\x28\xe1\x4b\x79\xaa\x12\xbe\xfa\x32\xff\x95\x62\x9d\x53\x2a\xda\xed\x53\x42\xc8\x4d\x39\xc8\x22\x53\x82\xf9\x81\xae\x4f\x85\xb7\xa1\xae\x6b\x90\xa8\x18\xb6\x2d\x71\xbf\x59\x2f\x84\x27\x3f\xa2\xcc\xbb\xa6\x5d\xfc\x34\xfd\xaf\x56\x1e\x26\xd3\x07\xb7\x43\xf8\x2b\xc7\x6f\x99\x85\xc9\x50\x76\xc8\x3a\x1d\x28\x65\x32\xb8\xd5\x95\x20\xbf\x6c\x40\xbc\x63\x5f\x51\x60\x8f\x49\xbd\x47\x82\xf6\xa6\xb7\xd3\x7c\x6f\xe8\xe5\x27\x2e\xc0\x8f\x85\xfb\x9b\xaa\x66\xbd\x70\xb1\xdb\x70\xdf\x0b\x12\xce\x35\xd8\xe1\x5c\x18\x7f\xec\xfd\x9f\xa3\x41\x72\x1f\xf6\xb2\x4a\x1b\xb6\x8b\xd0\x74\xc2\xa5\x7d\x74\x60\x91\x7d\xd2\xff\x0d\x08\x04\x11\x2b\x05\x20\xf0\x5c\xd7\x07\x87\xd8\xdc\xe6\xcb\x69\x71\x1e\xf7\x45\x3b\x40\x67\x9e\xc9\x7a\xac\x90\x0e\x69\x8c\xe1\xf8\xe5\x8b\xa7\x38\x59\x0d\xf5\xc4\x58\x8e\xc6\x50\x68\x80\x02\xa2\xc1\x4e\xc6\x0c\x58\x38\x5b\x68\xdb\x23\x8b\x8c\x5b\x18\x9b\x2f\xd5\xfd\x21\x36\x55\xe0\xc8\x19\x00\x94\x97\x64\x02\x2d\x22\x77\xb0\x38\xce\x7d\xbd\x00\xd1\xec\x66\xe2\x31\x95\x63\x6a\x39\x21\x53\x26\xea\x45\x2a\xd0\x89\x9a\x52\x2a\x7a\x77\x96\x5b\x2a\xe6\x0d\x5b\x25\xff\xc6\x4d\x1d\xd5\x04\xd2\x8c\x61\x1f\x38\xce\x5c\x3a\xa3\x4c\x4f\x6c\xdd\x1b\xd7\xe9
\x65\xe3\x68\x77\x11\x89\x34\x65\x06\xe3\xcb\xba\xf7\x45\x3f\x03\x9c\x6a\xeb\xdf\x77\xa1\x38\x75\x49\x9d\x7d\xb3\xe0\x8f\x9c\x31\xd3\x53\x07\x49\x0e\x6d\x3c\x11\xee\x69\x77\xe6\x69\xcb\x1a\xa6\x42\x0d\x46\x19\x55\x05\x0e\x0c\xfb\xe0\xbb\x23\xd1\x31\x9e\xf3\x54\x21\xd8\x0e\x56\x5e\x5f\xc9\xb3\x0d\x6d\x0a\x4d\xa0\x54\x40\x61\xe6\x44\xeb\xa5\xb4\x7b\xc4\x8e\xce\x8b\x7f\x85\xd8\x23\xc9\x8c\x4b\xd6\xcd\x46\x4a\xcc\x49\xa2\x9b\xb6\x92\x6d\x2a\x95\x97\xc6\x4e\xdb\x8a\x4b\xa2\xca\x2d\xd7\xba\xd8\x0d\xa3\xba\x9d\xf1\x43\xb2\xb3\xcb\x44\xd6\xe5\xce\x04\xaf\xf3\x97\xf5\xfc\x4b\x0f\x5a\xf4\xaa\x07\x87\x61\x1e\xfc\x52\x11\xbb\xb4\x8b\x7e\xb3\xe1\xd4\xcb\x54\xac\x2b\x9d\x0d\x9d\xa7\xff\xbd\x18\x51\x35\x94\x67\x4b\x53\x0e\x8a\x20\x6f\x9b\x04\x2b\xe8\x13\x86\x81\x92\x29\x50\x5d\x35\xce\x04\xa1\xe1\xe0\x30\x4a\xb5\xdb\x61\x88\x47\x20\xf5\xbf\x6a\xe9\x10\xd4\x8b\x9a\xaf\xe2\xbc\x5a\x1a\x4f\x4e\xda\x0f\x61\x5c\x8d\x0d\x68\x2a\x55\xa5\x2f\x0d\x40\xe1\x38\xc8\x8c\x42\x99\xaa\x1b\x10\x04\x40\x01\x68\xde\x6a\xc8\xaa\x18\xfe\x60\x29\xbf\x63\xc6\x40\xef\x7f\xb9\x1b\x56\xa5\xab\xc2\x43\x97\xd1\xb2\xcf\x3b\xc0\x87\x7e\x8d\x52\x19\xe5\x67\x23\xa6\xc4\x98\x89\xcd\xd5\xba\x03\xc8\x4f\xbc\x41\x5a\x3e\x9b\x65\x2d\x26\xe2\xd6\x13\xc3\xdc\xce\x41\x4e\x1f\xa3\xe2\x20\xb3\xc2\xe3\x53\x91\xac\x65\x20\xed\x1f\x05\x14\x88\x05\xa4\x6e\x99\x34\xe5\xfe\xbf\x84\xe1\xbb\xa2\x5b\xa1\x30\xa9\xe0\x58\x4b\x62\x5d\xf2\xc2\xee\x4e\xc0\xd1\x0a\xff\xfa\x19\x17\x73\xd4\xf4\x12\xf5\xca\x22\x51\x93\xca\x27\x88\x7f\xd4\x7c\x9c\x69\xf2\x1d\xa9\x52\xf9\x8a\x99\xf2\x05\x31\x4c\x18\x2b\x00\x14\xdd\xe7\x56\x3d\xed\x90\xe3\x38\xda\x5d\x5e\x83\x6f\x16\x2b\x96\x37\x75\x17\xc2\xf6\x75\x8d\x9b\xb4\x1e\x8b\xc9\xdd\x8f\x2e\xb5\x21\xad\x81\x4e\xac\x65\x1a\x48\xef\x64\xbc\x45\xab\x60\xbf\xf9\xd2\xe6\x7f\x03\x18\x3d\x04\x4e\xd4\x37\xa8\xbd\x73\x04\x3d\x6a\x8a\x51\x90\xfb\x5c\xd5\x2c\xfe\x06\x89\xe2\xda\x08\xcd\x11\xaa\xe6\xf2\x5c\x50\xd6\xcc\xbd\x5f\x4e\xa7\xce\x9b\x51\xb5\x79\x46\xaa\x92\xf4\x1e\xfd\xc2\xb9\x19\xc8\x87\xa0\x70\xc5\x19
\xef\x60\x0f\xe1\x4d\x67\x66\x4e\xd7\xfc\x21\x1a\x09\xe9\x12\x9b\x13\xa7\x02\x4f\x2f\xeb\xc3\x01\x05\x81\xda\x84\xb4\x4b\xbe\xdf\xdc\x1f\x54\xb6\x3c\x8c\xfa\x8c\x8b\x5c\x98\x66\x49\x33\x3e\xee\xaa\xf5\x3e\x8b\xe8\x63\x24\x23\x78\xb0\xff\x6c\xff\x6b\x1d\x6e\x02\x70\x10\x68\x44\x84\xc6\x36\xb7\xc1\x34\x01\x8e\x3a\x73\x2a\x6b\x35\x2c\xfe\x08\x1f\x79\x0f\x00\x29\x96\x7f\xf1\x82\x0d\x57\xd3\x70\xc2\xa9\xf1\xbe\x05\x11\x00\xd5\xa8\xea\xc4\x24\x1a\x6c\x2b\x64\x0f\xe7\x3b\x16\x1d\x54\x38\x01\xf1\xeb\x2a\xbd\xea\x76\x9c\x51\x8c\xbd\x72\x71\xc6\xd6\x5a\xbe\x83\x66\x1d\x2f\xd2\x8e\x41\xb9\xad\x57\x5b\x95\x8f\xbb\xc5\xa4\x3f\x34\x12\x78\x65\x6d\x30\x0f\x21\xd8\xc7\x11\x61\xbf\xc2\x81\x2b\x2f\x7f\x36\x92\xc5\x75\x8a\x5f\xea\x82\x84\xcc\x43\x15\xe2\xdc\x16\x05\xd0\xb5\x82\x43\xa9\x79\xaf\x7c\x0c\xce\x31\x3e\x3e\x12\x7b\xaf\x93\x13\xf1\xab\x8c\x43\x75\x81\x36\x95\x86\x68\x9a\xe6\x9b\x86\x84\x47\xbf\xa6\x07\x98\x62\x0c\x68\x08\x00\x90\xc9\xf0\x49\x3c\x95\xa6\x4c\xa4\xf6\x78\xea\xa1\x4f\xe8\xcb\xc9\x08\x6e\xa9\x9c\x78\xa3\xd8\x16\x98\x42\xfc\xa3\xb0\xd2\x89\x40\x6c\xfa\x9d\x52\xf4\x1d\xf0\xb7\xfc\xfe\xb6\xe1\x0b\x7f\xb8\x84\x6b\x64\x6c\x6e\x17\x73\x32\x0a\xaf\xac\x2d\x38\x42\x72\x44\x93\x2e\xd2\x37\xb9\x83\x4f\x60\xc0\xbc\x4f\x9f\x6b\x18\xee\x82\xd4\xab\x52\x57\xd0\x33\x43\x13\x7a\x44\xa5\x21\x48\x42\x7e\x74\x72\x52\xc0\x61\xc8\x8c\x78\x85\x98\x58\x16\x3f\x76\x85\x65\xfe\xfe\x43\x03\xce\xab\xa9\x4b\x78\x6b\x6d\x9d\x0b\x69\xd0\xca\x92\x0e\x61\x52\x55\xe2\xb8\xc3\xfd\xd7\x8d\x8c\x19\x4e\x9c\x80\x49\xa9\xd1\x87\x77\x26\x85\xac\x98\xfa\x7e\x7d\xf5\x4f\x5e\xbc\xe1\xec\xc1\xcf\xc7\xa6\x2e\x85\x39\x32\xde\xac\xcb\x58\xd7\x9f\xec\xb9\x31\xd1\x46\x43\xec\x70\x20\xad\xe4\x9c\xce\x0a\x1e\x78\xe3\x4d\x71\x09\x60\x22\x31\x7d\x7a\xf5\x36\xb3\x8f\x72\xfb\xf6\x5f\x7e\x47\x63\xe6\xd1\xda\xd8\xc2\x6f\x56\xe2\xab\x4c\xdf\x77\x8e\x32\x64\xa2\xad\x20\x04\xcb\xce\x99\xb7\x7e\x6e\xc2\x72\xd6\xf0\x83\xd2\x08\x3a\x04\x2f\x67\x90\x8e\x14\x7e\x60\x1e\xd4\x2f\x20\x1f\x5b\x9f\x18\xe8\x9e\xaf\x48\xd3\x84\xee\xef
\xa0\xf9\xf9\xec\x38\x6a\x27\x4e\xcd\xab\xac\xd1\xe2\xdb\x6b\x90\xad\x98\xc4\x75\x66\x7d\x27\xfa\x72\x79\x08\xd2\x8e\x37\x45\xc3\x4b\x50\x15\xed\xd1\x30\xd0\xb7\xe3\xfd\x54\xdd\xea\x89\xe3\x7d\xba\xfa\x49\x84\x07\x59\xa3\x0d\x29\xe2\x1b\xb0\x9d\x95\x00\x3c\x28\x95\x18\x9e\x43\x9a\xb7\xb4\x12\xc2\x51\x61\x0a\xa7\xaf\xab\xef\x41\xe5\xab\xe2\x23\x53\x21\xf3\x22\xe8\xbd\x59\x24\xd7\x9a\x40\x46\x05\x37\x8e\x3b\xda\x60\xd2\x8e\xa5\x67\xe6\xa7\x39\x64\xa6\xdd\xd4\x3c\xfa\x1f\x5e\x0c\xb8\xbe\x45\x5e\x1f\x6d\xbc\xcc\xf7\x2c\xd1\xcf\x14\xe8\xe5\x07\xa1\xa1\x97\x9f\x1c\x2b\x43\xc8\xa6\x49\x29\x0b\xa5\x41\x37\xd1\xaa\x64\x73\x56\x8e\x39\x0a\x66\x59\x73\x82\x34\x92\xec\x2d\xce\x33\xc3\x9c\x88\xaa\x42\x47\xf1\x4f\x1f\x0e\x56\xad\xee\x32\x60\x80\xb7\x16\xdc\x55\xda\xe2\xa5\xed\x84\x2d\x79\x0d\xe3\xf1\xfb\xe3\x2f\x89\x51\xea\xb8\xdf\xa5\x4d\x77\x0d\xf7\x34\x27\x31\x27\x0b\xeb\x47\x04\x27\x7f\x3e\x1d\xc1\x69\x34\xaf\x90\x23\x50\xcd\x6b\x0b\x7a\x67\x1f\x26\x75\xf0\xdf\x88\x48\x31\xae\x06\x39\x26\x69\xd6\xbd\xa8\x49\x3b\x6b\xda\xf5\xae\x90\xf4\xc4\x5f\x8f\xb1\x91\x4e\x0b\xe0\x57\xf4\x5d\xb5\x01\x01\xb8\xbc\x6e\x64\x9a\xa6\x85\x60\x71\x22\x5c\x42\xc6\xee\x15\x7a\xdb\xda\x58\x42\x94\x2c\xca\x28\xfc\x4c\x7c\x08\xe7\xc2\xcf\x19\x81\x54\x2b\xe4\xab\x7f\x4b\xf6\xef\xff\x69\x2d\xfe\x65\xb4\x50\x80\xb2\x1e\xee\xf5\x29\x91\x71\xa1\xc2\xb7\x36\xf7\x0d\xa4\x31", 4096); *(uint64_t*)0x200066c0 = 0x1000; *(uint64_t*)0x200066c8 = 0xff00000000000000; *(uint64_t*)0x200066d0 = 0x20006480; memcpy((void*)0x20006480, "\x82\x92\x51\xfb\xd7\x0c\xae\xb4\x51\xcc\xf0\x9a\x96\xfb\xfe\x55\x9b\x21\x7a\x4a\x12\xcf\x46\xa3\x89\xd8\x2c\x55\xef\x7f\x5c\x64\xe4\x5e\x1b\x6f\x26\x95\x59\xa8\x5e\x8b\xcc\x23\x2b\xf1\x50\x0d\xcb\x9a\xf4\x0f\x69\x71\x65\xfd\xe6\x20\x9f\x8b\xf0\x01\x58\x5b\x6c\xca\xaf\xe1\x94\xcc\xfd\xb7\xf8\x99\x08\x04\xee\x77\xed\x9a\x34\x5b\x52\xa8\xd7\xe8\xf4", 87); *(uint64_t*)0x200066d8 = 0x57; *(uint64_t*)0x200066e0 = 8; *(uint64_t*)0x200066e8 = 0x20006500; memcpy((void*)0x20006500, 
"\x34\xe0\xc0\x82\xbd\x77\xb5\x1d\x0c\x9a\xb1\xbc\xde\x0a\xcc\x30\x81\x49\xf3\xe6\x4c\x75\xb7\x17\x3c\xda\x5f\x39\xd3\xb4\xa6\x2c\x60\xde\x76\xd1\x2d\x41\xce\xc1\xb7\xc9\xbc\x9e\x57\xac\xb7\x83\x42\x82\xa5\x75\x8d\x7c\x7e\x4b\x21\x71\x5f\xeb\xf6\xfb\xf1\x44\xad\x46\xcb\xf2\xce\xc8\x7f\x74\x01", 73); *(uint64_t*)0x200066f0 = 0x49; *(uint64_t*)0x200066f8 = 0x8001; *(uint64_t*)0x20006700 = 0x20006580; memcpy((void*)0x20006580, "\xe6\x09\x76\xf8\x6d\x91\xdd\x66\xce\xc0\xb1\xe3\x0e\xc8\x01\x16\x0b\x84\xcf\xb1\xf8\x60\x37\x03\xd1\x4a\x6b\x81\x5d\x22\xe1\x78\x3e\xed\x12\xce\x8c\x08\x0e\x3f\xfb\xf0\xb5\x30\x95\xf6\x96\x03\xfa\x76\xa9\x34\xa6\x0a\x05\x26\x34\x1e\xaf\xaf\xb3\x86\x7d\x13\xe8\x8d\x1d\x39\xe3\x70\xa0\x0d\xbe\x06\xdd\xc8\x40\xba\x74\x46\xa6\x25\x97\x06\x9e\x1d\xcd\x13\x8f\x82\xb2\x9f\xf7\x8a\xf1\xd1\xc3\x13\x3f\xe9\xc0\x4d\x73\x2c\xdb\x4b\x3f\x6a\xa2\x69\x89\x36\x9b\x5f\x6d\xca\x60\x00\xa0\x76\x73\x41\xbc\x2a\xaa\xcd\x69\xe6\x48\x62\x19\x15\xb8\xaa\x9c\xb2\x4c\x6b\xb5\xae\x3f", 141); *(uint64_t*)0x20006708 = 0x8d; *(uint64_t*)0x20006710 = 3; memcpy((void*)0x20006740, "flock=strict", 12); *(uint8_t*)0x2000674c = 0x2c; memcpy((void*)0x2000674d, "obj_type", 8); *(uint8_t*)0x20006755 = 0x3d; memcpy((void*)0x20006756, "/dev/vcsa#\000", 11); *(uint8_t*)0x20006761 = 0x2c; memcpy((void*)0x20006762, "obj_role", 8); *(uint8_t*)0x2000676a = 0x3d; memcpy((void*)0x2000676b, "bpf_lsm_unix_may_send\000", 22); *(uint8_t*)0x20006781 = 0x2c; *(uint8_t*)0x20006782 = 0; syz_mount_image(0x20005140, 0x20005180, 0, 9, 0x20006640, 0x10000, 0x20006740); break; case 32: memcpy((void*)0x200067c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200067c0, 4, 0x4800); break; case 33: memcpy((void*)0x20006800, "net/icmp\000", 9); syz_open_procfs(r[5], 0x20006800); break; case 34: syz_open_pts(r[9], 0x258102); break; case 35: *(uint64_t*)0x20007d00 = 0x20006840; memcpy((void*)0x20006840, 
"\xb3\xde\x0d\x9f\x2e\x1e\xba\x98\x79\xee\xf0\x8d\xbd\x42\xed\xd7\xd6\x22\xf0\x95\xe0\xce\x34\x29\xb6\x4c\x46\x70\x8b\xf7\xfa\x26\xe6\x9e\xc1\x57\xca\xa3\xe1\x6d\x60\xb3\xba\xf5\xb0\xd2\x46\xbf\xef\x95\x5e\x35\xf8\x55\x56\xc9\x61\x4a\x60\xb6\x5c\xae\x7c\x02\x3c\x99\x31\x8f\xc8\x5b\xc0\xab\xfd\x16\xbc\x78\xeb\x56\x31\x7c\xd8\xb8\x0c\x5f\x5a\x87\x85\x6c\x5c\xd0\xb9\x7f\xc2\x83\xcb\xc9\xd8\x35\xff\x9d\x70\x97\x2b\xd4\x20\x11\x69\xa3\x5c\x26\x99\xbf\x5a\x8b\x31\xad\x36\x07\x12\x10\x19\xe7\x33\x98\xb2\x28\xb9\xc5\x9a\xa5\xb5\xc0\x07\x16\x67\x66\xee\xe5\x91\x1d\x5d\x2f\x86\x4c\xb4\x2b\x84\x21\xf3\x8c\xb2\x1a\xa9\x36\x97\xe5\xad\x16\x6a\x96\x6a\xc9\x8a\xa7\x76\xfd\x27\x50\x02\x94\xc4\xdd\x1b\xac\xf4\x1f\xd0\x70\xe9\xe4\xa9\xe5\xeb\x70\xd2\xa9\x8f\x91\x5c\x13\x91\xfd\x75\xf5\xff\xec\xfa\xb4\x24\x25\xeb\x01\x6c\x33\xec\x19\xae\x67\xf4\xb1\x00\x08\x8e\x09\x0f\x03\x5d\x78\x14\x3b\x35\x94\x4f\x30\xa4\x9a\x77\xb8\xc5\xe2\xa0\x8e\x9f\x38\x1a\x8a\xfb\xcf\x48\xeb\xad\x84\x11\x45\x5f\xf2\xcb\x76\xa4\xa1\xb5\x57\xd1\x21", 254); *(uint64_t*)0x20007d08 = 0xfe; *(uint64_t*)0x20007d10 = 0x7fffffff; *(uint64_t*)0x20007d18 = 0x20006940; memcpy((void*)0x20006940, "\x33\x0e\xa7\x46\xd7\xdf\xb4\xa5\xe9\xf3\x3a\x32\x5a\x96\x88\xca\x04\xcd\x59\xaf\x72\x4b\x34\xf7\x0a\xe3\x70\xd4\xac\x73\xea\x9a\x65\xab\x00\x3f\x2c\xbc\x01\xaf\x11\x62\xc0\xfe\xfb\x2b\x7e\x4a\x0d\xcd\x3f\x2a\x8c\x23\xf2\xa1", 56); *(uint64_t*)0x20007d20 = 0x38; *(uint64_t*)0x20007d28 = 0x2eed; *(uint64_t*)0x20007d30 = 0x20006980; memcpy((void*)0x20006980, 
"\xef\xd5\x43\xd9\x2d\xc8\x23\xae\xf9\x1d\x85\xc4\x4c\x05\x58\x44\xe2\xaf\x47\xb4\xd5\xa6\x7e\x3a\x39\x59\xdc\x6d\x61\x7c\xd8\xe9\xb6\xc3\xf5\xbb\xf0\x5d\xa7\x3f\x04\xbf\x4f\x54\xa6\xf3\xd5\x36\x1d\xee\x72\x0d\x1f\xf9\xf6\x5d\x5d\x7c\x18\xb8\x65\x34\xf2\x91\x26\x21\xaa\x81\xb4\xc2\xd3\xda\xa1\xa6\x75\x38\xac\x5e\xfc\xf2\xe0\x08\xc7\x91\xd5\x91\x52\xdb\x5f\xa2\xd0\xa2\x3f\x39\x97\xbd\x1e\x25\x02\xe6\xfa\xdb\x36\x78\x88\x91\x84\x3e\x3d\xe1\xc4\x48\x3a\xea\x75\x22\x4b\x12\xed\xe3\x00\x6b\x96\x48\xdc\x76\x61\xa4\x6d\xa2\xd1\x46\xd3\xdf\x70\xa1\xd0\x4b\x2c\x64\x57\x8d\xaf\x21\x9d\xcb\xa1\xb6\x7a\xae\x08\x6a\x25\x41\xc4\xb9\xb4\xdc\x6d\x43\xc0\x76\x54\x4b\x4c\xf9\xcd\x57\xe6\xe2\x6d\x74\x21\x7d\x1d\x85\x46\x22\x4d\x85\xf6\x50\xa0\xad\x3a\xac\x78\xc0\xcf\x1d\x83\xa4\xad\xcc\x11\xc2\xe8\x4d\xf1\x88\x9c\x79\x20\x34\x7f\xe4\x04\x20\x19\x14\x72\x78\x62\xb4\x60\x22\x9c\xe6\x7a\x1a\x88\xde\x34\xaa\x73\xd3\x9b\xe6\x7f\xe9\x22\x10\x69\x92\x21\x10\x3a\xc5\xb4\x9a\x07\xff\x0b\x35\x48\x36\x3c\x87\x80\x66\xd5\xa0\xca\x8f\x56\x5a\x61\x6a\x04\x9a\x5d\x7b\x6e\x70\xba\xdf\x46\x49\xc5\x1a\xec\x86\x71\xfa\xa4\x44\xd7\xe0\xa6\x30\x4e\x27\x3c\x40\x5c\xc6\xf3\x48\xd1\x9f\xf1\x34\x8b\xac\xc9\x6e\xcf\x1a\x28\x11\x96\x18\xc9\x1e\x59\x42\xbb\xf0\xe2\xd7\xfc\x69\x97\xcf\x63\x30\xc1\x06\xa7\x90\x2c\xcd\xc1\xb9\xcd\x0e\x8f\x55\x93\x55\xd2\x6f\x81\xc7\x7e\x52\x48\x82\xd0\x27\x83\xf1\x5b\x05\x69\x69\x02\x36\xe3\xaa\x74\xb9\x6b\xcc\x5e\xf9\x0e\xae\x4a\x5e\x3a\xba\x2a\x56\x0f\x9b\x0a\x51\x3c\xe1\xa8\xce\xb0\xd2\x10\x36\x15\xf8\x28\xb0\x12\x5d\xf3\x2e\xec\x97\x11\x0e\xe2\xa5\x9e\x1f\x91\x37\x72\xa8\x59\xf6\x5d\x95\x3c\x20\xca\x8a\x0c\x6e\x85\x26\x61\xd8\x62\x93\xcb\x46\x72\x41\x3f\xfa\xfa\x27\x03\x2e\xda\x8d\x8b\x19\xce\x77\xd3\x5d\x13\x04\x29\x6d\x8d\xbe\xe1\xb7\xc3\x58\xfe\x5d\xdf\x94\xc4\x24\x11\xe2\x63\x62\xcf\x42\xa5\xc7\xc1\x89\x91\xe3\x92\x63\x31\xa2\xc7\x12\x36\x09\xe0\xa3\xc0\x5e\x42\xf1\x75\x97\x2e\x44\x5a\x6a\xe5\x71\x54\x06\x2e\x21\xe0\x56\x66\x60\x2a\x2b\xf0\x89\x1e\xe6\x56\x48\xe5\xa9\x67\xe
a\x16\x24\x84\x99\xc8\x2e\x74\xc1\x9e\xda\xfe\xcf\x24\x02\xce\x53\x21\xf5\xbb\x4e\xcd\xe0\x58\xa1\x17\x6f\x31\x0b\xb1\x33\x8b\x11\xdd\xc6\x0d\xce\x03\xc4\x72\x7f\x7d\xd3\xc2\x33\x5d\x50\xae\x49\x2d\xca\x1b\xd9\x8b\xe4\xaf\x07\x44\x29\x1f\xa2\xba\x1c\xd3\xe9\x3e\x6f\x1d\x9d\x1b\x43\x05\xc2\x76\x41\x18\x09\x4a\x16\x43\x6a\x01\x45\x98\xfb\x64\xc3\x4e\xad\x3e\x8f\x45\xd1\x1c\x4f\xc0\x62\xc1\x44\xc8\xe0\x52\x20\xfb\xdf\x4a\x8c\xab\x6e\x28\x8b\x5c\xfd\xef\xa7\xa0\x54\x23\xef\x2d\x4f\x3b\x3b\xee\x57\x68\xb2\x80\x34\xa0\x8d\xe8\x83\xb8\x17\x27\x8b\xd3\xe7\x85\xc1\x14\x32\x9d\x99\x2c\x58\x12\x15\xf5\x64\x4c\xcf\xa4\xe8\x94\x10\x1d\x5f\xa4\x30\x08\xd8\x03\xfb\x9b\xaa\xef\xd7\xdd\x4b\x88\x83\xb6\xe7\xa1\x7f\x4d\xdf\x48\x26\xcd\xd7\x11\x0f\xf2\xc8\x39\x53\x49\x06\x8c\xd0\xb9\x55\x0a\x3a\x2f\x5c\xbc\x0d\xb0\x6b\x1b\x31\x29\x2c\x54\x87\x9a\x17\x2f\x4b\xe9\x83\x9b\x1d\x76\x89\x6c\x4c\xcc\xd8\x84\x1a\x55\x92\xaa\xc1\xf5\x27\x2b\x6f\xda\x92\x46\x34\xb5\x07\x50\xb3\x82\x31\xff\x13\x3d\xa1\xfc\x86\xd1\x09\x8c\x82\x3d\xf5\xbc\xa8\xcf\xe8\xc0\x8b\xa2\xee\xe5\xa4\x65\x8b\x29\x17\xbf\x3a\xf4\xb4\xe4\xe4\x7c\x6b\x7c\x35\xa3\x96\x3e\xbc\x60\x44\xf2\x72\x88\xc5\xa3\xc1\xa2\xf5\xfa\x45\xa1\x28\xbe\x9a\x13\xde\xd8\xc2\xf6\x74\x5e\xcf\x4f\xa9\x47\x23\xf9\xf1\x63\x82\xf4\xdb\x48\xd0\xc8\x11\xfe\x8e\xed\xb8\xbf\x05\xff\x38\xe5\x78\xd4\x93\x76\x55\x02\x53\xd2\x61\x7f\x86\x30\x3c\x54\x3f\x88\x2a\xdc\x20\x08\x56\x4c\x8b\xa1\x3e\xcd\x19\x61\x3a\x63\x19\x3d\x94\xe9\xa7\x3b\x21\xea\x1d\xdd\x30\xb4\x82\xc0\x98\x69\xc0\xfa\x37\x13\x1c\x69\xcc\xd0\x33\xdd\x96\xd8\xee\x7c\x5f\x2f\x8a\x15\x2e\x84\xc0\xf6\x59\xe6\x0c\xe1\x69\xfc\xb8\x9d\xe0\x28\xbe\xa3\x9d\x05\xdf\x03\xcf\x22\x80\x70\x29\xc1\xaa\xe4\x59\x94\x0d\xd5\x4b\x78\xc0\xde\xde\x18\x72\x3f\x97\x2d\x96\x51\x6e\x19\x71\x9e\x5c\x9e\xd0\x06\x86\x0f\x24\x71\xa8\xe5\xb1\x8f\xcf\x0e\xf4\xba\x66\x81\xa4\x1f\xa8\x00\x9b\x7e\x03\xb4\x44\xf4\x5a\xb3\xcc\xa9\xbb\xbc\x58\x13\xd1\xfa\x05\x5a\xaa\x4d\x45\x44\x12\x33\xae\x7b\x69\xb7\x59\xe3\xdd\xe7\x66\xc0\xf3\xb1\x3
b\xf9\x68\xcf\x85\x65\x38\x28\x83\x55\x7f\x92\x5c\x21\x07\x58\x61\xec\x9f\x35\xc7\xcd\x44\x4b\xcc\x7d\x38\x1d\xc0\xd7\xaa\x75\x4b\xa5\x70\x66\xb9\x02\x78\x8f\x53\x85\x4c\xf9\xd5\x6c\xa7\x3c\x7a\xc8\x5c\xca\x67\xba\x50\x9e\xc3\xa7\xc1\xb4\x2d\x8c\x65\x4b\x34\xd8\x8d\xa8\xd2\xca\x85\xad\x4a\xe8\xb8\x65\xb6\xd2\xa0\xc1\xc4\x40\x76\x68\x53\x5c\x49\xf3\x49\xe2\x76\xf1\xa8\x67\x64\xef\x18\xe3\xb0\x8f\x1d\x1e\x3c\xc1\xb9\x3c\xde\x3f\x19\x78\x57\xfb\x48\xb5\xa5\xfe\xf3\x1a\x86\xfa\x00\x22\xd6\xa9\x6d\x81\x5c\x8c\x9a\xf9\xba\xdb\x7b\x88\x6e\xa0\x9a\xda\xc7\x32\xc8\xe4\xea\xfe\xb8\x47\x32\x18\xe7\x94\xbc\x6a\x71\x6d\x17\x16\xfe\xfe\xf8\x6f\x63\xd3\x2b\x66\x73\xb4\x35\xd1\x3e\xdd\xca\x42\x25\x7c\xfe\x07\x17\xfc\xa3\xa3\x9f\x00\xbc\xa6\x50\xf5\x46\x3a\x24\xc5\x09\x24\x25\x6d\x32\x07\xd2\x9c\x1b\x1c\x95\x10\x9e\x40\xda\xb6\x07\x78\x7f\xb7\x4c\x4e\x64\xfe\x4a\xca\xc6\x5c\x62\x83\xff\xcc\x11\xfd\x08\xa0\xbd\x1f\x49\x30\xa8\xbe\xea\x57\xa0\xdd\xa0\x28\x67\x86\x6c\x5b\x1c\xe5\x86\xb3\x2e\x7c\xd1\x8a\xb1\x6a\x27\x5d\x6c\xc0\x43\xa9\x90\xe1\xd7\x97\x0f\x79\xd5\xb8\x88\x0e\xef\x3f\xc4\xef\x4d\xe5\xe8\x40\xac\xd0\xed\xbc\xde\x6b\xf6\xfe\xdf\x3c\x6a\x2d\x25\x39\xfd\xaf\x27\x8f\x06\x97\x94\xd3\x0a\x09\xd6\x15\xe1\xe4\xa5\xa7\x61\x7e\x16\x24\x1d\xaa\xb8\x7f\xda\xd4\x93\xed\x9c\xf3\x26\xfe\x64\x7a\x40\xf0\x27\x9d\x6a\x9b\x2c\xdc\x0a\xbf\x36\x26\x41\x5b\x04\xfc\x83\x65\x10\xba\x62\x51\x38\x6c\xe7\xe8\xd2\xb4\xfe\x66\x3c\xfc\x3a\x5d\xe9\xcc\x31\x3e\x9e\x1f\xc1\x91\x27\xf0\x92\x07\xc9\x55\xf5\xa8\x48\x54\x81\xf4\x31\x92\x24\xfd\xf4\xc2\x78\x7d\x58\x3c\x3c\xaf\x7a\xcb\xec\x73\xab\x9b\x4d\x2f\x24\x52\x87\xdf\x9a\xe2\x9a\x16\x9c\x4d\x79\x5c\xd0\x3c\x90\x98\x33\x94\x46\xdc\x40\x23\x7b\x69\x89\x98\xb2\x42\x36\x28\x14\x8c\xec\xb0\x2f\x69\xd2\x64\x4c\xec\x88\xc9\x48\x94\xe0\x1e\x15\x87\xfc\x85\x37\x54\x50\xe3\x2c\xca\xdc\xdc\xae\xa6\x41\xd2\xdb\x62\x92\x22\x86\x60\xd0\x4c\x44\x67\x86\xc2\x58\xb6\xfb\xbc\x1d\x0b\x6a\x8a\x38\x18\x20\x0d\x48\x9c\x12\x67\x33\x92\x2c\x96\x61\x95\xa4\x00\x7a\x68\xd0\x47\x3
5\x78\xb4\x69\xb4\x43\x3e\xac\xbe\x09\x25\x20\x24\x4d\x84\xda\x89\x24\xb9\x0d\x7f\xa1\xad\x31\xdb\x50\x1f\x16\xa5\x9d\x3d\x9e\xb7\x22\x10\xd0\x58\xb3\xd1\xfa\x4d\x87\x6d\x5b\x40\xbc\xff\x5a\xdf\x08\x6e\xbd\xc2\x64\x7b\x1b\x6f\x88\x21\x1b\xbd\xf5\x47\xf1\x69\x8e\x11\xab\xb7\x3d\xd3\xa5\x88\xd9\xca\x26\xd9\xff\x5b\x2d\x28\xd1\xe1\x76\xbe\x8a\x7a\xdf\x2e\x3e\x3a\xe1\x37\x39\x31\x12\xf5\xaa\xa8\x81\x81\x48\x82\x93\x9d\xfe\x71\x72\x1f\xa9\x2b\x89\x62\xbb\x8d\x94\x0f\xe1\xe3\x94\x8d\xef\x40\x33\xa0\x9e\x9c\x04\xca\x7e\xa8\xb5\x49\x69\x5c\x5f\xf6\x6c\x07\x73\x95\x02\x6d\x82\x57\x6d\x37\x9b\xd9\xcd\xed\x06\xff\xcc\x3a\x6f\x8b\xd5\x48\xc0\xf6\x8d\x4d\x3d\x72\xae\x27\xd8\x28\xb2\x7a\x58\x2b\x14\x88\x6d\xad\x1f\xc3\xe6\x35\x31\xc2\x87\x0f\x31\x59\xf8\xd4\xbd\x44\x94\x80\xc4\x5d\xd2\x7a\x29\x34\xdf\x90\x79\x7c\x04\x94\xe0\xf8\xef\x82\x89\xae\x41\x06\x26\xd4\xfa\x96\x6d\x82\x44\x3a\xdc\x52\x43\xfd\xb2\xc4\xdd\xff\x85\x50\xaf\x53\x38\xef\x2d\x1c\x41\x3b\x4b\xd4\xb3\x08\x20\x9c\x20\xe9\xc3\xa0\x08\x0a\x23\xd1\x6a\x31\x08\xa1\x05\x07\x83\xd4\x4b\xa9\x2a\x95\x59\x05\x08\xd3\xa5\xcf\x44\xfc\x6a\x4a\xf2\x47\x7f\x86\x64\x28\xbc\x11\x3c\x1c\xc8\xf1\x23\xda\x46\xca\x0a\x03\xc5\xdb\xd1\xf6\xe5\x75\x45\x84\xd8\xa4\x10\x3b\xd2\x3f\xa5\xe1\xf6\xf3\xac\xb1\x54\xff\xed\x12\x8d\x0a\x64\x58\x29\xd3\x34\x1a\x25\xe8\x7a\xe7\x81\x86\x2a\xbc\x7a\x15\x90\x21\x12\x4c\xfb\x03\x57\x1a\x73\xce\xef\x60\x36\x81\xf5\xe5\xe1\xe1\x57\x4d\xb3\x01\x6f\xf5\xa1\x3d\x9b\xfe\x7e\x8a\xc8\x1a\x09\xa9\x05\x23\x7e\x39\x0a\x57\x72\xd3\x61\xed\xbe\x58\x08\xe9\xd8\x59\x4f\x77\x6b\x00\x05\xe0\xc3\xd0\xf7\x1d\x66\x6c\x9d\x4d\xc4\x93\xd0\x16\x3d\x88\x54\x72\x32\x75\xd8\x50\xac\x1b\xf7\x81\x83\xa7\x75\x18\xf0\x1b\xb3\xa2\x80\xf3\x9b\xbf\x60\x6d\xef\x4f\x89\xb1\x1e\x2b\xb8\xd9\x9f\x8a\x32\x98\x5e\xd9\xbc\xb4\x2f\x11\x0b\xd2\xbd\xda\x26\x37\x6d\x9d\xaa\x70\xe1\xe6\x57\x5f\x11\xba\x7e\xf2\x69\x90\x8e\x10\x19\x48\xf5\x70\xb7\x69\x0e\x0b\x5d\x35\xed\x98\xcb\xdd\x2f\x36\x37\xb9\xf8\xf7\x8b\x2f\xfb\xc2\x93\x18\x8f\xf2\x77\x7d\xb0\x5
0\xaa\x21\x9d\xde\x78\x8a\x77\x0c\xb6\x24\xd6\x61\x70\x01\x81\x7d\x6d\x5c\x7a\x5b\xd3\x9c\x51\xff\x12\x8e\xac\x71\x2b\x9d\xb9\xc6\x0a\x74\xbd\xb7\x82\x0a\x35\x72\xa5\x09\x1c\x30\x84\x33\x92\x86\x27\x9d\x9c\xeb\x24\x41\x48\x90\x6d\xab\x1d\xed\xb6\x23\x79\xb1\x45\x97\xb7\x34\x89\x07\xfb\xa5\x54\x24\xe8\x78\xc1\x94\x98\x5c\xdc\xb2\x11\xb7\x1b\xdf\x38\x06\x33\x9a\x53\x00\x6a\x90\x06\xc7\x46\xbc\x49\x10\x8c\x81\x00\x93\x8d\xc2\x4a\x08\xd5\x7b\x01\x3f\x41\x03\xd8\x7d\xf3\x10\x85\x84\x05\xd0\x6f\x05\x9b\x65\xcd\x54\xae\xa1\xd0\xf1\x5c\xb2\xa4\x1b\xc8\x67\xd2\x2c\xb9\xd6\x7c\x31\x0b\x05\xa4\xf9\x40\xbd\x2e\x7a\x58\x63\xc8\xe1\xc8\x0d\x3a\xd0\x7b\x21\x50\x4b\xf2\x13\xda\x5c\xb3\x8f\xb6\x52\xa4\x7c\xcd\x7a\x5c\xfa\xfa\x0c\x3f\xfe\x2a\xac\x76\x25\xa9\x55\x88\xec\xd7\x7a\x95\x93\xd0\xbf\x2e\x7d\xf7\x99\x9f\x02\x44\x33\x5a\x9f\xac\x01\x5c\x32\x27\x30\x09\xd1\xf8\x65\xdf\xb8\x73\xc6\x5f\x52\xe9\x08\x1b\x02\x2b\x99\xb0\x15\x86\xf5\xfb\x15\x84\xfd\x9b\x1f\xda\xf8\x6c\x78\x3f\x61\x77\x2a\xff\x11\x78\xe0\x8d\x5b\xd0\x67\xb6\xfd\x23\x3d\xb8\xc4\x32\xfa\xbb\xd0\x0a\x53\x0f\x1c\x40\xb5\xf0\x5f\x78\x83\x49\x50\x59\xd1\xb5\x8b\x95\x23\xd1\xf5\x25\x57\x36\xb2\x3f\xf5\x6c\xab\xb4\xcb\x71\x0e\x43\xa7\x0f\x71\xcf\xfd\x17\xe3\xfa\xe9\x04\x36\x34\x86\x9f\x16\x6a\x95\x8c\xa5\xde\xc6\x39\xb8\x5b\x21\x34\x09\x6e\x69\x7c\x24\xe3\xb0\xa8\xcf\xb1\x94\x22\xff\x01\xf4\xeb\xef\x24\xb7\x23\x3d\xe1\xa0\xf8\x9c\x80\xe2\x31\xb8\x45\x9f\x53\x1a\xc2\x3e\xb1\xa2\x37\x3b\x3c\x58\x07\xee\x65\x52\x70\x71\x52\xa3\x16\x95\x55\xa6\x63\xd1\xbf\xb4\x53\xc8\xc3\x80\xc5\xa5\x2c\x95\x8e\x30\x2d\x4d\x75\x28\xaa\xb5\xd0\xa6\x68\x92\x30\x80\x98\xb5\x66\xa1\x36\x7c\xbf\xd9\xa3\xa4\x6c\x5f\xb7\x72\x25\xb7\xb6\xf9\xf9\x2e\xd0\xbc\x85\xbc\xbc\xf1\xb4\xfd\x27\x60\xb9\xf5\x09\xd2\xd1\x1c\xd0\x55\x71\x44\xb1\xc8\x9f\x9f\x7f\x24\x95\xd0\xc9\xea\x6c\x76\x7f\x1f\x92\x57\x07\x01\xa3\x3c\xed\x47\x70\x36\xd0\x6b\xbe\xad\x08\xc0\xb4\xa8\xab\x4a\x57\xd8\xd9\xb7\x58\xce\x05\x89\x1e\xc7\x29\x01\x4e\xb7\x12\xc3\x3d\xcb\x52\xef\xe8\xde\xd2\x2
3\xb6\x17\x82\x24\x43\xbf\xa9\x55\x14\xd9\xa8\x2f\x6b\x9f\xed\x17\xb2\x24\x45\xf6\x92\xfc\x87\x03\x74\xc0\x82\x6a\x9f\xa4\x31\x53\x84\x93\x68\xaa\x1f\x93\x05\x2e\x48\xf8\x8e\x8f\xe9\xaa\x1b\xa8\x29\x15\x85\xe5\x9d\xa0\xf6\x8f\xd0\x4b\x8f\xa4\x50\xe9\x65\x4d\x92\x0c\x2b\x82\xc9\xc2\x9a\x79\x01\x5d\x0e\x30\x2b\xef\x5a\xbc\x9f\x42\x92\xfd\x4b\x58\x2d\x58\x83\x0d\xfc\x71\x72\x53\x19\xbf\x39\x69\x2b\x0f\x3d\x72\xa3\x20\x4d\x62\xe4\xcd\x21\x9f\xd2\x64\x7a\x9b\xc3\xda\x61\xb7\x02\x69\x9d\x01\x5f\x9f\x15\xbf\xfb\x27\xb6\x13\x3e\xc4\x31\xe4\xad\x67\xf5\xc1\xb4\x6f\xc6\x2e\x29\xd4\xae\x4b\x07\xfa\xb0\x7f\x01\x43\xe8\xe5\x4f\xea\x1e\x62\x90\x51\xd6\xd7\xc1\x9a\xf8\x93\x16\x61\xd8\x49\x57\xad\x2a\xe7\xb5\x21\xbd\x62\x46\x8a\xa0\xa8\x51\x65\x39\x04\xbb\x93\x25\x37\x6f\xd2\xd8\x31\x34\x03\x56\xd9\xbd\x27\x82\xbb\xc4\x6e\x1c\x03\x06\x95\x53\xd2\xb0\x5d\x17\xbb\x4d\x86\x44\xa0\xdf\xc0\x28\x6d\x4e\xbd\xfb\xf1\xfa\x85\xf0\x01\x5d\xa2\x66\x70\x90\x9c\xe8\x40\x27\x2d\x1d\x62\xc8\xd0\x27\x87\xd5\x65\x20\xd3\x09\xe4\xbc\xfc\xc8\x46\x47\x4d\x42\x82\x64\x17\x98\xda\xd1\x77\x9c\xce\x11\x39\x2a\xc5\x37\x91\x73\x35\xb4\xf9\x12\x4e\xd1\xe2\x54\x05\x29\x66\xab\x2c\x15\xdc\xd1\xbc\x1c\x3c\x52\x0f\xef\x4b\x3b\x17\xfe\x6f\x63\x60\xd0\x7b\x2c\x08\xac\x64\xc7\x5f\xcd\xf5\xf9\xea\xc2\x11\xdb\x24\x7a\x22\x7a\x65\x9e\x10\x67\x55\xe1\xba\x53\xab\xa6\x7c\x83\x16\x62\x19\x02\x26\x98\x4d\xc0\x36\x98\xdc\x56\x7a\xa9\x6b\x51\xd2\xe6\x9f\x53\x0a\xdd\xd9\xb4\xfd\xbf\x3a\x0b\x20\xaf\x2a\x18\x4c\xba\xf5\x3a\x35\x63\x4c\x8f\xe3\xd6\x3e\xc1\x5c\x50\x6b\xf0\x2c\x35\x30\x27\x59\xfe\x32\xad\x28\xc1\xd4\xb4\x9e\x94\x81\x6b\xb0\xf3\x28\x22\x81\x6b\x40\x55\x7c\x65\x0d\xa4\xae\x59\xca\x64\x5d\x5a\x4d\x61\x72\x90\x3c\x25\xe0\x0a\x22\x9e\xaa\x0c\x52\x6c\xff\xba\x53\xfc\xa4\x4a\xa1\x63\xc7\xf5\xfb\x49\x59\xa2\x16\xd6\xda\xd9\xe1\x9f\x28\x2b\x99\x45\xd2\x47\x6b\xbc\x01\x33\x78\x51\x31\x11\x8a\xd4\x6c\x3f\x93\x31\xc4\x15\xe7\x0d\x35\xe0\x6f\xa7\x1c\x2a\xa8\x78\x13\x2e\xd7\x70\xa0\x4f\x07\x21\xa5\x66\x55\x02\xdd\xed\x28\x3f\x7
0\xae\x9a\xb7\x2e\x48\xcf\x03\xc0\x1d\x80\xf6\x8e\xce\x54\xde\x88\xaa\xcb\x2c\x41\xc5\xd7\x46\x2f\x9b\x73\xf6\xc2\x74\x17\x09\xc8\x3e\x20\x08\x4d\xd8\xf9\xd8\x55\xc4\x1a\x0b\xfb\xe1\x07\xe6\xe4\x7a\x65\xc2\xb1\xee\x50\x07\xe9\xd5\xf2\x51\x18\xa2\x95\xfc\x63\x13\x24\x3d\xf5\x4c\xdd\x92\xab\x4d\xce\xdb\x21\x0d\xd8\x3b\xe1\xb0\x58\xae\x1e\x37\xa7\xac\x51\xb9\xc8\x9b\xf9\xec\xa4\x23\xc9\x1d\xb0\xd4\xa4\x21\x34\xa9\x3c\x89\x79\xa0\x3a\x2d\xe5\x3e\x45\xe6\x41\xa2\xd4\x0f\x41\x0b\xc1\x1a\x96\x82\x04\xf7\x2c\x96\xe5\x06\x64\xdc\x29\xbe\x41\xa4\xaa\xc4\xe0\x7e\x9c\xdf\x23\x9f\x59\xc9\x68\x7b\xd7\xdc\x65\xce\xab\x07\x6b\x13\x19\x41\xbb\x15\xc4\xf9\xf4\xc1\x7d\x73\x50\x78\x05\x88\xfa\xcf\xfd\xbc\x1e\xaa\xeb\x44\x06\xb9\x56\xda\x73\x3e\xd0\x9e\xb4\x86\x04\xa0\xed\x4a\xad\xcb\xbd\x94\xa8\xee\x07\x93\x10\xfe\x26\x12\xa6\x69\xe5\x62\x39\x17\xee\xc2\xb1\x2a\xd9\xc8\x6a\xf9\x75\x7a\x51\x75\x9d\xbb\x00\xdf\x2e\x03\xe3\xd3\xa7\x0b\xd2\xc0\x2f\x9f\x08\x44\x4f\x4e\x06\x50\xed\xfb\x27\x86\xca\x57\xd3\x63\x09\x43\x55\x68\x32\xa3\x28\x92\x30\x1b\x58\x85\x9e\xf2\x40\x07\xf7\xa7\xd9\xb4\xaf\xc2\x37\x03\xc4\xfb\x90\x77\xa0\x7d\x2e\xa8\xd3\xa2\xb4\xf0\x15\xde\x7f\x31\xfc\x30\x65\x45\x81\x6b\x6b\x67\x0a\x45\xcf\xf4\xa9\x1b\x60\xa1\xfb\x47\x8b\x08\x9c\x67\xf4\x59\xca\xaf\x5f\xce\x92\x65\xfe\xa0\xc7\xec\x06\x52\xcd\x11\x30\x56\x23\xb0\x4c\x0a\x9d\x1a\xec\x65\x71\xc6\xa4\x66\xdc\x7a\x7b\xec\x75\xfc\xf9\x84\xd6\xa9\x63\x69\x86\xbe\xce\xf1\x41\x8b\x69\x4e\x82\x0e\xe2\x46\x2f\x26\x87\xe0\xb6\x8b\xa5\x1c\xbd\x03\xba\x76\xb4\x3f\xd7\xcb\xa0\x1a\xf2\x3f\xf9\x8f\x74\xb7\x64\x46\x35\x27\xc6\xc3\x97\xe1\xc8\xe8\xb2\x22\x58\x74\xcc\x74\xf9\x58\xa3\x1a\x28\x41\x4f\x17\x0c\x2b\x4c\xbd\x90\xc8\x49\xcc\xd5\x4f\x91\xbc\xe2\x90\x8e\x3b\xbc\x21\xb3\xd5\x60\x4a\xa3\x37\xc7\xfb\x1f\x81\x0c\x10\x32\x16\xbf\x44\x43\x39\x04\x3d\x52\x33\x30\xee\xe7\x3b\xf0\x86\x6d\xa3\xf3\xf7\x28\x87\x7f\xbb\x54\xe2\xf9\x28\x42\x3a\x16\x72\xcc\x9b\xa3\x1b\xc6\x86\xa6\xd1\x98\xef\xeb\x36\x18\xd5\xe9\xa1\xb0\x81\x9c\xf6\xb9\x33\x8c\x56\xc
4\xb7\x88\x46\x9f\x53\x2c\xdf\x92\x30\x66\xd1\xba\x46\xa5\x69\x60\x34\x2b\x79\xb0\x9e\xc8\x67\x9e\xa3\xca\xa4\x33\x65\xb8\x11\x25\x7a\x24\x49\xff\x92\x74\xf6\x61\x2c\xb0\x53\x0d\xd8\x67\x8c\xf1\x8b\xc1\xf9\x1f\x44\x7f\xad\x7b\x95\x8f\x3d\x0a\x19\x77\xce\x78\xd1\x02\x82\x9f\xe4\xb8\x3b\x56\x59\xc8\x15\x5a\xf4\xd2\xc0\x5d\x73\x15\xd1\x48\x63\x00\xe6\xda\x08\x46\xa5\x94\xd5\x10\x67\x3b\x0e\x74\x72\x78\x85\x59\x00\x9d\x74\x49\x0e\xc9\x87\x1d\x9f\x0f\x73\x69\x9d\x97\xfb\xe3\x03\xcb\x4d\x63\x5f\x54\x2e\x95\xc7\x84\xa5\x38\x71\x27\xdc\x45\x44\x83\xf9\x50\xf7\x65\xa8\xe9\x04\x63\x9e\xf4\x13\xc7\xd5\x81\xaf\x20\xdf\xb2\x85\x95\x58\x01\xab\x7e\xc4\xbe\x4d\x1b\x28\x79\xde\x66\x2d\xde\x2c\xfc\xd6\x60\x4e\xc0\xaa\x07\xa5\xa6\x71\xf5\x4a\x4f\x28\x53\xee\xdc\xa5\x6b\xaf\x00\xf0\x79\x27\x09\x59\x58\xdb\x7d\x32\x5e\x86\x3f\x64\xa9\x05\x6b\xd8\xe1\x03\x85\x99\x21\x46\x3d\x17\x54\x04\x2b\x85\xdc\xd9\x4d\x93\x3e\xf2\x08\x7d\xbe\xf5\x7d\x9a\x3a\xd9\xfe\x8c\x64\xa8\x79\x95\x87\xa3\xec\x23\xb9\xb2\x52\xf0\x3b\xfc\xe4\x2f\x01\x7e\xad\xfd\xbe\x97\x3e\x84\xe9\x02\xe3\x6b\x96\x61\xef\xae\xf4\x09\xc9\x15\x30\x8d\xce\x9a\x22\x2a\x9c\xb1\xdb\x52\x15\xc0\x00\xfc\x44\xd3\x72\xfb\x18\x64\x25\xcd\x07\x8b\xee\x77\x70\xf1\xfa\x60\xff\x2d\x0e\x34\x47\x25\xa5\x1a\x5f\x47\x8f\xe9\x6b\xfb\x9a\x18\xb6\xcb\x54\x2b\xf3\x94\xbe\xd0\x22\x18\x51\x8f\x1d\x38\x1d\x5a\xa2\x1f\xdc\xd4\x43\xce\x84\xc1\x80\xa6\xa8\xcf\x65\x47\xef\xfa\x46\x27\xca\xe9\x35\x51\xa7\x56\x4f\x0d\xac\x6e\x37\xc5\xf0\x68\xed\xda\x00\xb4\x7a\x6f\x2d\x33\xb5\x4c\x36\x81\x12\x8e\x83\xad\x17\xb0\xf0\x98\x45\x6b\x9e\x97\xf3\xe0\x2c\xe3\x91\x51\x5f\xfb\x0c\x05\x11\xa3\xd8\x31\x21\x15\x38\x2c\x15\xb0\x98\x61\xef\x75\x0c\x00\x06\xe9\x6c\x91\x84\xe1\x7d\xb2\x45\xb0\x25\x5c\x44\x07\xfe\x4b\xd6\xee\xa4\x3f\xd8\xc5\xe8\x03\x48\xcb\x91\x6e\x9d\x04\xb4\x9c\x24\x83\x91\x1b\x6d\xee\xce\x26\xd2\xb6\x57\x62\x64\x3a\xa0\x41\x7b\xe2\x76\x8b\x67\x3a\x22\xad\x58\xe6\x67\xf5\xef\x4e\x22\x28\xdb\x9b\x79\x39\xd8\xf9\x12\xde\x32\x47\x43\x25\x15\x50\x90\xb1\xd9\x74\x1
a\xce\x41\x55\xd6\x45\x83\xec\xfb\x57\x00\x30\x1d\x73\xed\x2a\xbd\x15\x64\x08\xca\x5e\x1b\x88\xba\x75\xf8\x4a\x4b\x83\x4d\x4f\x53\x20\x15\x77\x3e\x9f\x8d\x4a\x36\x50\xf8\x98\x41\x91\x11\x4f\x0f\xdb\xaa\x54\x40\x5b\xf5\x1f\x8b\x1a\xfe\x53\x2f\x74\xc1\x5a\x37\x08\xeb\x93\x70\xfa\x83\x16\xfe\xef\xac\x4e\x43\xf8\x55\x50\x6f\x5d\x98\x72\xb6\x03\x63\x56\x70\x11\xcc\x33\x08\xa2\x02\x6d\x00", 4096); *(uint64_t*)0x20007d38 = 0x1000; *(uint64_t*)0x20007d40 = 0x4065ebb7; *(uint64_t*)0x20007d48 = 0x20007980; memcpy((void*)0x20007980, "\x11\x2a\x65\x7c\x27\x70\xad\x17\xf2\xe7\x77\x62\x16\x0b\xb1\x4f\x2f\x71\xa1\x7b\x88\xfd\xb9\x46\xf9\x19\xb2\xdf\xd3\xef\xd6\x16\xe3\x11\x24\xff\x47\xee\x66\x8f\x60\x65\xa0\x43\x5a\x79\x1a\x74\x39\xd8\xaa\x10\xdc\xc4\x18\x19\x2d\x82\x1e\x36\xfc\x08\x20\xd7\xcc\x0f\x88\xb0\x88\x91\x6d\x78\x6f\x01\x42\x6f\xa4\x6b\x21\x4d\xe8\x22\xd2\x4e\x4d\x6c\x78\x5f\xea\xc4\x58\xd9\x86\x35\xc4\x80\x16\x72\xbd\x4e\x74\xfd\x40\x75\x39\x32\x12\x11\x52\xae\x0e\xad\x77\x1e\x3a\xbc\x7f\x74\x1e\x39\x3b\x32\x85\x26\xe5\xec\x29\xe8\xe0\xd9\xb3\xa2\xbe\xbc\xd0\xeb\x34\x72\xa4\xbd\x8e\x50\xf9\x53\xed\x17\x3b\xa2\x71\xfb\xe9\xf9\xd9\xc4\x63\xc7\x9f\x44\xd0\x93\x15\x4f\xfe\xf5\x9c\x93\xad\xa7\x83\xb4\x72\x7f\xc3\x5b\xa6\xc0\xdb\x25\x18\x93\x9c\xb3\x5f\xb3\x30\x1d\x4c\xf7\x2d\x25\x24\xf8\x3a\xc4\xab\x57\xa8\xac\xfc\x93\xa9\x9c\x26\xcc\xae\xe0\x56\x63\x71\x22\x94\x96\xe9\x30\x21\xe8\x6b\x95\x60\x21\xa4\x67\xf3\x4b\xe6\x6e", 226); *(uint64_t*)0x20007d50 = 0xe2; *(uint64_t*)0x20007d58 = 0x6d69; *(uint64_t*)0x20007d60 = 0x20007a80; memcpy((void*)0x20007a80, 
"\x62\x98\x25\xe3\xcb\x9c\x42\x73\x28\x10\xeb\x62\xf1\xff\x47\x85\x71\x8f\x7a\x30\xc6\x39\x40\xf2\xea\xdf\x19\xda\xe8\x20\xfe\xb9\xb7\xb3\x58\xf7\x41\xb8\x34\x16\x4a\x9a\x4a\xc8\xce\x39\x8c\x23\x16\x07\xf5\x23\xa2\x6d\xb9\xe0\xae\xca\xc1\xd1\xe8\x90\x22\xd1\xcd\x50\xd6\x44\xf2\x46\x6b\x25\xec\x09\xc6\xd6\xef\x4f\x0b\x3e\xf5\x92\xd1\x40\x8d\x04\x9d\xa4\x9b\x95\x3b\x32\x7e\x12\x3c\x6f\x19\x63\xc2\xf7\xa9\xe3\xcc\x7e\x0c\x52\xed\x1e\x17\xd0\xa8\xb7\x94\x66\x68\x75\xb2\x0b\x07\xa0\xf5\xc2\xc7\x6d\x96\x32\x90\x9f\x76\x9e\xb2\x5b\x16\x27\x37\xbe\xa1\x31\xf5\xc2\x70\xb3\x24\x9f\xd6\x5c\x25\x5e\x68\xb6\x80\x27\x1d\x0c\x11\x19\x67\x15\x17\x77\x44\xe7", 162); *(uint64_t*)0x20007d68 = 0xa2; *(uint64_t*)0x20007d70 = 9; *(uint64_t*)0x20007d78 = 0x20007b40; memcpy((void*)0x20007b40, "\xd1\x09\x17\x49\x23\x3d\x1e\x7e\xc5\x06\x53\xf3\x01\xa7\x34\xf5\xdd\x67\xac\x1e\x74\x89\x23\xe4\x4c\xce\xde\xeb\x3e\xa2\x34\x74\x58\x96\xab\xcb\x80\x03\xed\x61\x60\x5b\x5d\xff\xa8\xa9\xaf\x0a\xa1\x2e\xd9\x02\xd4\xa3\x5a\x92\x60\xc5\x3a\xb6\xa6\x21\xe2\x10\xe6\x1e\x40\x02\x83\x8d\xc2\x9e\x2f\x79\x8b\x4c\xbe\x0e\xd0\xc1\x2a\x33\xc6\x9d\xdd\xa4\x46\xb9\xb8\x84\xfc\xbf\xe2\x81\x99\x18\x4b\xd4\xae\xb0\x97\xd0\xd9\xa3\x93\xb6\x99\xd1\xf5\x5a\x57\xd8\x30\xda\x49\x7d\x79\xb9\xbd\x7d\xbc\xdb\xfe\x7e\x16\x8d\x60\x07\x61\x1d\xb9\x67\x33\x57\x4f\xb1\x50\xf4\xe9\x09\x91\xc7\x0f\xc1\x9e\xdb\xa6\xbe\xed\xc5\xa7\x21\x69\x36\x6a\xe5\xfc\xa5\xc1\xcb\x41\x3b\xbc\x54\xff\x8f\x12\x7d\x1b\x94\xcf\x99\x42\xb5\xc9\xbe\x5f\xbf\xc9\x39\x46\xbf\x1d\x0b\x28\x9a\x74\x42\xfb\x05\x7a\xdb\x0a\xe7\xfa\x41\x89\xd5\xe5\xfe\xfc\x75\xed\x5d\x26\x0b\x3c\x2c\x24\x45\xd4\x95\x79\xe6\xb3\x69\xe3\x96\xda\x16\x2d\x94\x05\x59", 224); *(uint64_t*)0x20007d80 = 0xe0; *(uint64_t*)0x20007d88 = 6; *(uint64_t*)0x20007d90 = 0x20007c40; memcpy((void*)0x20007c40, 
"\x76\x8d\x82\xc4\x7f\x16\x6e\x25\x25\x30\x91\x5b\x63\xb4\x0d\x9e\xba\x4b\x95\xfe\x08\x78\x93\x45\x3f\x37\x3a\x94\x38\x9e\x11\x20\x98\x1c\xb4\x45\x76\xa2\x05\x1c\x41\x58\x40\x0a\x59\xb9\xc8\xa9\x40\xcc\xae\x28\x26\x41\x4e\x14\xad\x55\xc7\x2b\x04\xf8\xfa\xbf\xe8\x64\x62\x40\x9b\x3a\xb2\xa0\x75\xea\x92\xc8\xbd\xdc\xd2\xb2\xfc\x0f\xd7\x7a\x97\xbc\x27\x1e\xcd\x43\xdd\x60\x5f\x29\xb9\x90\x83\x7b\x40\x9e\xed\x59\x65\xdd\xb3\xfb\x1b\x91\xe5\xbf\x12\xdd\xbc\xf2\x1c\x90\xc7\xef\x2f\x0a\xb9\xbb\x03\xf7\x2a\x64\x7c\xe8", 128); *(uint64_t*)0x20007d98 = 0x80; *(uint64_t*)0x20007da0 = 0xfffffffffffffff7; *(uint64_t*)0x20007da8 = 0x20007cc0; memcpy((void*)0x20007cc0, "\x46\xc0\xce\x89\x20\x30\x5b\x2c\x7f\x63\x6e\xdb\xb1\x65\x92\x0d\xb7\x8c\x61\xf8", 20); *(uint64_t*)0x20007db0 = 0x14; *(uint64_t*)0x20007db8 = 0xfffffffffffffffa; syz_read_part_table(9, 8, 0x20007d00); break; case 36: *(uint8_t*)0x20007dc0 = 0x12; *(uint8_t*)0x20007dc1 = 1; *(uint16_t*)0x20007dc2 = 0x300; *(uint8_t*)0x20007dc4 = 0x94; *(uint8_t*)0x20007dc5 = 0xe8; *(uint8_t*)0x20007dc6 = 0x2e; *(uint8_t*)0x20007dc7 = 0x40; *(uint16_t*)0x20007dc8 = 0x789; *(uint16_t*)0x20007dca = 0x160; *(uint16_t*)0x20007dcc = 0xf578; *(uint8_t*)0x20007dce = 1; *(uint8_t*)0x20007dcf = 2; *(uint8_t*)0x20007dd0 = 3; *(uint8_t*)0x20007dd1 = 1; *(uint8_t*)0x20007dd2 = 9; *(uint8_t*)0x20007dd3 = 2; *(uint16_t*)0x20007dd4 = 0x764; *(uint8_t*)0x20007dd6 = 2; *(uint8_t*)0x20007dd7 = 4; *(uint8_t*)0x20007dd8 = 0x8f; *(uint8_t*)0x20007dd9 = 0; *(uint8_t*)0x20007dda = 0x7f; *(uint8_t*)0x20007ddb = 9; *(uint8_t*)0x20007ddc = 4; *(uint8_t*)0x20007ddd = 0x40; *(uint8_t*)0x20007dde = 0x3f; *(uint8_t*)0x20007ddf = 0xe; *(uint8_t*)0x20007de0 = 0xbb; *(uint8_t*)0x20007de1 = 0x18; *(uint8_t*)0x20007de2 = 0xf3; *(uint8_t*)0x20007de3 = 0x20; *(uint8_t*)0x20007de4 = 0xa; *(uint8_t*)0x20007de5 = 0x24; *(uint8_t*)0x20007de6 = 6; *(uint8_t*)0x20007de7 = 0; *(uint8_t*)0x20007de8 = 0; memcpy((void*)0x20007de9, "\xc1\xb0\xc9\x81\xcc", 5); 
*(uint8_t*)0x20007dee = 5; *(uint8_t*)0x20007def = 0x24; *(uint8_t*)0x20007df0 = 0; *(uint16_t*)0x20007df1 = 7; *(uint8_t*)0x20007df3 = 0xd; *(uint8_t*)0x20007df4 = 0x24; *(uint8_t*)0x20007df5 = 0xf; *(uint8_t*)0x20007df6 = 1; *(uint32_t*)0x20007df7 = 9; *(uint16_t*)0x20007dfb = 0xfff; *(uint16_t*)0x20007dfd = 5; *(uint8_t*)0x20007dff = 0; *(uint8_t*)0x20007e00 = 0x15; *(uint8_t*)0x20007e01 = 0x24; *(uint8_t*)0x20007e02 = 0x12; *(uint16_t*)0x20007e03 = 0xaa4; *(uint64_t*)0x20007e05 = 0x14f5e048ba817a3; *(uint64_t*)0x20007e0d = 0x2a397ecbffc007a6; *(uint8_t*)0x20007e15 = 4; *(uint8_t*)0x20007e16 = 0x24; *(uint8_t*)0x20007e17 = 2; *(uint8_t*)0x20007e18 = 9; *(uint8_t*)0x20007e19 = 9; *(uint8_t*)0x20007e1a = 0x21; *(uint16_t*)0x20007e1b = 0x7ff; *(uint8_t*)0x20007e1d = 8; *(uint8_t*)0x20007e1e = 1; *(uint8_t*)0x20007e1f = 0x22; *(uint16_t*)0x20007e20 = 0xd44; *(uint8_t*)0x20007e22 = 9; *(uint8_t*)0x20007e23 = 5; *(uint8_t*)0x20007e24 = 3; *(uint8_t*)0x20007e25 = 3; *(uint16_t*)0x20007e26 = 0x40; *(uint8_t*)0x20007e28 = 6; *(uint8_t*)0x20007e29 = 6; *(uint8_t*)0x20007e2a = 0x80; *(uint8_t*)0x20007e2b = 9; *(uint8_t*)0x20007e2c = 5; *(uint8_t*)0x20007e2d = 5; *(uint8_t*)0x20007e2e = 8; *(uint16_t*)0x20007e2f = 0x20; *(uint8_t*)0x20007e31 = 0x34; *(uint8_t*)0x20007e32 = 7; *(uint8_t*)0x20007e33 = 0xd1; *(uint8_t*)0x20007e34 = 7; *(uint8_t*)0x20007e35 = 0x25; *(uint8_t*)0x20007e36 = 1; *(uint8_t*)0x20007e37 = 0x81; *(uint8_t*)0x20007e38 = 1; *(uint16_t*)0x20007e39 = 0x20; *(uint8_t*)0x20007e3b = 0x65; *(uint8_t*)0x20007e3c = 0x30; memcpy((void*)0x20007e3d, "\xda\xc1\x6e\x84\x5b\x14\x9d\xaf\xe6\x66\x63\xcc\x3a\xcf\x39\x3f\xa7\xb0\xae\x46\xcb\xb8\xcf\x20\x7b\xdb\x0d\x3d\x6c\xf6\x81\x66\x1f\xa0\x0e\xd5\x8d\x70\x3c\x22\x64\x70\xa8\x4e\xaa\x26\x4b\xe5\x1e\x68\x10\x87\x52\x48\xed\xe7\x94\xe2\x20\x7e\x60\xb0\x45\x85\x60\x3c\xd0\x55\xc6\x34\x8f\x0e\xb4\xf3\x3f\x2a\x83\x3f\x4a\xee\x88\x84\xd7\x77\x3b\xe2\xf4\x51\x77\xad\x4c\x03\x72\x8f\xf4\xdd\x8e\x40\xfd", 99); 
*(uint8_t*)0x20007ea0 = 9; *(uint8_t*)0x20007ea1 = 5; *(uint8_t*)0x20007ea2 = 2; *(uint8_t*)0x20007ea3 = 4; *(uint16_t*)0x20007ea4 = 0x3ff; *(uint8_t*)0x20007ea6 = 0x1f; *(uint8_t*)0x20007ea7 = 2; *(uint8_t*)0x20007ea8 = -1; *(uint8_t*)0x20007ea9 = 7; *(uint8_t*)0x20007eaa = 0x25; *(uint8_t*)0x20007eab = 1; *(uint8_t*)0x20007eac = 0x82; *(uint8_t*)0x20007ead = 9; *(uint16_t*)0x20007eae = 2; *(uint8_t*)0x20007eb0 = 9; *(uint8_t*)0x20007eb1 = 5; *(uint8_t*)0x20007eb2 = 6; *(uint8_t*)0x20007eb3 = 0; *(uint16_t*)0x20007eb4 = 0x40; *(uint8_t*)0x20007eb6 = 0; *(uint8_t*)0x20007eb7 = 0x40; *(uint8_t*)0x20007eb8 = 0xfd; *(uint8_t*)0x20007eb9 = 7; *(uint8_t*)0x20007eba = 0x25; *(uint8_t*)0x20007ebb = 1; *(uint8_t*)0x20007ebc = 0x83; *(uint8_t*)0x20007ebd = 0x1f; *(uint16_t*)0x20007ebe = 0x1000; *(uint8_t*)0x20007ec0 = 9; *(uint8_t*)0x20007ec1 = 5; *(uint8_t*)0x20007ec2 = 0xd; *(uint8_t*)0x20007ec3 = 1; *(uint16_t*)0x20007ec4 = 0x3ff; *(uint8_t*)0x20007ec6 = 3; *(uint8_t*)0x20007ec7 = 1; *(uint8_t*)0x20007ec8 = 0x80; *(uint8_t*)0x20007ec9 = 7; *(uint8_t*)0x20007eca = 0x25; *(uint8_t*)0x20007ecb = 1; *(uint8_t*)0x20007ecc = 1; *(uint8_t*)0x20007ecd = 4; *(uint16_t*)0x20007ece = 3; *(uint8_t*)0x20007ed0 = 9; *(uint8_t*)0x20007ed1 = 5; *(uint8_t*)0x20007ed2 = 5; *(uint8_t*)0x20007ed3 = 4; *(uint16_t*)0x20007ed4 = 8; *(uint8_t*)0x20007ed6 = 8; *(uint8_t*)0x20007ed7 = -1; *(uint8_t*)0x20007ed8 = 0x80; *(uint8_t*)0x20007ed9 = 9; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 0xf; *(uint8_t*)0x20007edc = 1; *(uint16_t*)0x20007edd = 8; *(uint8_t*)0x20007edf = 0xae; *(uint8_t*)0x20007ee0 = 9; *(uint8_t*)0x20007ee1 = 0xf6; *(uint8_t*)0x20007ee2 = 7; *(uint8_t*)0x20007ee3 = 0x25; *(uint8_t*)0x20007ee4 = 1; *(uint8_t*)0x20007ee5 = 0; *(uint8_t*)0x20007ee6 = 0x95; *(uint16_t*)0x20007ee7 = 6; *(uint8_t*)0x20007ee9 = 0x7a; *(uint8_t*)0x20007eea = 6; memcpy((void*)0x20007eeb, 
"\x3f\x8f\x5c\x31\x8c\x80\xe5\xa9\x36\x08\x9f\xa5\xbe\x9d\xc3\x64\xd3\xa8\xff\x22\x23\x8b\x92\x00\x64\x2b\xb7\x96\x9b\x9c\x09\x89\x51\x0d\xf3\xf2\x67\x38\x46\xf3\xfe\x68\xee\xc4\x87\x47\x6d\x9d\x8e\xa3\x7c\x9e\x7e\xc2\x93\x9c\x3a\x85\x84\x2c\xad\x50\x0b\xf7\x7a\xed\x1d\x92\x90\xeb\x85\x0a\xf4\x62\x1c\xaf\xed\x03\xc0\x8a\x55\xc4\x22\xc7\x12\x2f\x6e\xc0\x70\x3a\x47\xdf\xcb\x27\x9c\x0b\x03\x55\x8b\x39\xc7\x23\x1b\x38\xe5\x59\xd0\x54\x6a\x29\xca\x32\x28\x0a\x8c\xe4\x70\x80\xaa\x8d", 120); *(uint8_t*)0x20007f63 = 9; *(uint8_t*)0x20007f64 = 5; *(uint8_t*)0x20007f65 = 7; *(uint8_t*)0x20007f66 = 4; *(uint16_t*)0x20007f67 = 0x8938; *(uint8_t*)0x20007f69 = 1; *(uint8_t*)0x20007f6a = 0x8c; *(uint8_t*)0x20007f6b = 4; *(uint8_t*)0x20007f6c = 9; *(uint8_t*)0x20007f6d = 5; *(uint8_t*)0x20007f6e = 7; *(uint8_t*)0x20007f6f = 0x10; *(uint16_t*)0x20007f70 = 0x20; *(uint8_t*)0x20007f72 = 6; *(uint8_t*)0x20007f73 = 1; *(uint8_t*)0x20007f74 = 0x81; *(uint8_t*)0x20007f75 = 9; *(uint8_t*)0x20007f76 = 5; *(uint8_t*)0x20007f77 = 0xe; *(uint8_t*)0x20007f78 = 0x10; *(uint16_t*)0x20007f79 = 0x200; *(uint8_t*)0x20007f7b = 0x80; *(uint8_t*)0x20007f7c = 3; *(uint8_t*)0x20007f7d = 0x23; *(uint8_t*)0x20007f7e = 7; *(uint8_t*)0x20007f7f = 0x25; *(uint8_t*)0x20007f80 = 1; *(uint8_t*)0x20007f81 = 0x81; *(uint8_t*)0x20007f82 = 1; *(uint16_t*)0x20007f83 = 5; *(uint8_t*)0x20007f85 = 7; *(uint8_t*)0x20007f86 = 0x25; *(uint8_t*)0x20007f87 = 1; *(uint8_t*)0x20007f88 = 0x81; *(uint8_t*)0x20007f89 = 7; *(uint16_t*)0x20007f8a = 0xb5a; *(uint8_t*)0x20007f8c = 9; *(uint8_t*)0x20007f8d = 5; *(uint8_t*)0x20007f8e = 8; *(uint8_t*)0x20007f8f = 2; *(uint16_t*)0x20007f90 = 8; *(uint8_t*)0x20007f92 = 0x1f; *(uint8_t*)0x20007f93 = 8; *(uint8_t*)0x20007f94 = 0x1f; *(uint8_t*)0x20007f95 = 7; *(uint8_t*)0x20007f96 = 0x25; *(uint8_t*)0x20007f97 = 1; *(uint8_t*)0x20007f98 = 3; *(uint8_t*)0x20007f99 = 3; *(uint16_t*)0x20007f9a = 0x200; *(uint8_t*)0x20007f9c = 7; *(uint8_t*)0x20007f9d = 0x25; *(uint8_t*)0x20007f9e = 1; 
*(uint8_t*)0x20007f9f = 3; *(uint8_t*)0x20007fa0 = 0x7f; *(uint16_t*)0x20007fa1 = 3; *(uint8_t*)0x20007fa3 = 9; *(uint8_t*)0x20007fa4 = 5; *(uint8_t*)0x20007fa5 = 0xd; *(uint8_t*)0x20007fa6 = 0xc; *(uint16_t*)0x20007fa7 = 0x3ff; *(uint8_t*)0x20007fa9 = 0x12; *(uint8_t*)0x20007faa = 9; *(uint8_t*)0x20007fab = 4; *(uint8_t*)0x20007fac = 0xe; *(uint8_t*)0x20007fad = 5; memcpy((void*)0x20007fae, "\xa9\xb9\x7b\xc2\x4d\xe6\x2c\x3b\xcf\x2b\xfa\x13", 12); *(uint8_t*)0x20007fba = 0x44; *(uint8_t*)0x20007fbb = 0x30; memcpy((void*)0x20007fbc, "\x9f\x0d\x5e\xa2\x42\x68\xb8\xa3\x21\x17\x65\x24\x6b\x1a\x83\x4a\xf6\x41\xe8\xcd\x6e\xa3\xef\x9b\x1f\xe1\x0f\x16\xbe\xd6\xb0\x6c\xc3\xa1\x65\x92\x0c\x9d\x73\x90\x9a\xb9\xac\x8b\x2a\x7a\x8a\x5d\xae\x5d\x4a\xcf\x31\x6d\x0b\x35\xd4\xb6\x44\xd3\x68\xa0\x6e\x0e\xff\x85", 66); *(uint8_t*)0x20007ffe = 9; *(uint8_t*)0x20007fff = 5; *(uint8_t*)0x20008000 = 0x80; *(uint8_t*)0x20008001 = 8; *(uint16_t*)0x20008002 = 8; *(uint8_t*)0x20008004 = 3; *(uint8_t*)0x20008005 = -1; *(uint8_t*)0x20008006 = 6; *(uint8_t*)0x20008007 = 9; *(uint8_t*)0x20008008 = 5; *(uint8_t*)0x20008009 = 0; *(uint8_t*)0x2000800a = 0; *(uint16_t*)0x2000800b = 0x20; *(uint8_t*)0x2000800d = 6; *(uint8_t*)0x2000800e = 0x2e; *(uint8_t*)0x2000800f = 0; *(uint8_t*)0x20008010 = 9; *(uint8_t*)0x20008011 = 4; *(uint8_t*)0x20008012 = 7; *(uint8_t*)0x20008013 = 0; *(uint8_t*)0x20008014 = 0xd; *(uint8_t*)0x20008015 = 0x29; *(uint8_t*)0x20008016 = 0xcb; *(uint8_t*)0x20008017 = 0x7c; *(uint8_t*)0x20008018 = 9; *(uint8_t*)0x20008019 = 9; *(uint8_t*)0x2000801a = 0x21; *(uint16_t*)0x2000801b = 7; *(uint8_t*)0x2000801d = 1; *(uint8_t*)0x2000801e = 1; *(uint8_t*)0x2000801f = 0x22; *(uint16_t*)0x20008020 = 0xbd9; *(uint8_t*)0x20008022 = 0xd; *(uint8_t*)0x20008023 = 0x24; *(uint8_t*)0x20008024 = 2; *(uint8_t*)0x20008025 = 1; *(uint8_t*)0x20008026 = 0x43; *(uint8_t*)0x20008027 = 1; *(uint8_t*)0x20008028 = 0; *(uint8_t*)0x20008029 = 9; memcpy((void*)0x2000802a, "d\"", 2); memcpy((void*)0x2000802c, 
"\x37\x09\xdb", 3); *(uint8_t*)0x2000802f = 0x11; *(uint8_t*)0x20008030 = 0x24; *(uint8_t*)0x20008031 = 2; *(uint8_t*)0x20008032 = 1; *(uint8_t*)0x20008033 = 0xf8; *(uint8_t*)0x20008034 = 2; *(uint8_t*)0x20008035 = 7; *(uint8_t*)0x20008036 = 0x40; memcpy((void*)0x20008037, "\x5e\x58\xdf\xf9\xa0\xd0\x1e\x41\x09", 9); *(uint8_t*)0x20008040 = 0xb; *(uint8_t*)0x20008041 = 0x24; *(uint8_t*)0x20008042 = 2; *(uint8_t*)0x20008043 = 2; *(uint16_t*)0x20008044 = 0xffec; *(uint16_t*)0x20008046 = 6; *(uint8_t*)0x20008048 = 0x15; memcpy((void*)0x20008049, "?w", 2); *(uint8_t*)0x2000804b = 7; *(uint8_t*)0x2000804c = 0x24; *(uint8_t*)0x2000804d = 1; *(uint8_t*)0x2000804e = 0xe1; *(uint8_t*)0x2000804f = 3; *(uint16_t*)0x20008050 = 2; *(uint8_t*)0x20008052 = 9; *(uint8_t*)0x20008053 = 5; *(uint8_t*)0x20008054 = 0xc; *(uint8_t*)0x20008055 = 8; *(uint16_t*)0x20008056 = 8; *(uint8_t*)0x20008058 = 4; *(uint8_t*)0x20008059 = 8; *(uint8_t*)0x2000805a = 8; *(uint8_t*)0x2000805b = 9; *(uint8_t*)0x2000805c = 5; *(uint8_t*)0x2000805d = 6; *(uint8_t*)0x2000805e = 8; *(uint16_t*)0x2000805f = 8; *(uint8_t*)0x20008061 = 0; *(uint8_t*)0x20008062 = 2; *(uint8_t*)0x20008063 = 2; *(uint8_t*)0x20008064 = 7; *(uint8_t*)0x20008065 = 0x25; *(uint8_t*)0x20008066 = 1; *(uint8_t*)0x20008067 = 0x81; *(uint8_t*)0x20008068 = 6; *(uint16_t*)0x20008069 = 0x18; *(uint8_t*)0x2000806b = 9; *(uint8_t*)0x2000806c = 5; *(uint8_t*)0x2000806d = 7; *(uint8_t*)0x2000806e = 0x10; *(uint16_t*)0x2000806f = 0x3ff; *(uint8_t*)0x20008071 = 0x39; *(uint8_t*)0x20008072 = 0; *(uint8_t*)0x20008073 = 6; *(uint8_t*)0x20008074 = 0x80; *(uint8_t*)0x20008075 = 0x23; memcpy((void*)0x20008076, 
"\xeb\xa3\xe2\xd4\x84\x8f\x84\xd0\xe6\xde\xd4\x6e\x24\xd1\x0b\xf9\xf8\xb0\x73\x89\x10\xe2\x9f\x31\x9e\x94\x25\x46\xe9\xcd\xa8\x63\x82\x57\xf5\x5d\x00\x49\x67\x2a\x13\x37\x06\x7a\xf7\x3c\x1c\x29\xe0\xbd\x77\x2a\x1c\xd5\xe1\x6d\x24\x9e\xd1\x5c\xdd\x3d\x85\xa4\x39\x9a\xef\x69\xe3\xf5\xa5\x06\xea\x0e\x05\x59\x30\x6f\xe1\xf4\x2d\xfc\x10\x92\x20\x62\xe2\xbc\x06\x2c\x34\xa1\xad\xc4\xbc\x46\xb0\x80\x25\x9a\xd2\x0b\x37\xcd\xe1\xeb\xa7\x17\x8f\xb5\x14\xb2\xef\x73\x97\x71\x5b\x0e\xae\x34\xd5\xef\xd5\x27\x49\x00", 126); *(uint8_t*)0x200080f4 = 0xa1; *(uint8_t*)0x200080f5 = 0x21; memcpy((void*)0x200080f6, "\x1c\x02\x0b\x38\x9a\x4c\x59\xd1\xf2\x6d\xa8\x57\xb2\x22\xa6\xf6\x61\x8a\xdb\x04\x11\xbb\x24\x47\x8e\x68\xff\xe7\x58\x46\x9d\x4b\xb3\x4d\xf6\xaa\x95\x77\xce\xd5\x53\x83\xdf\xf0\x1c\x05\x2a\xbb\xde\x70\x46\x8c\xe3\x11\x00\xca\x31\x84\xd1\xd5\xf8\x03\xdc\x28\x0d\xf3\xb7\xae\x47\x38\xad\x05\x03\x67\x01\xe2\xe3\x8c\xe8\x44\xa7\xd3\x01\xd8\x6e\x05\x97\xc5\xbc\x1b\x67\xe7\xc6\xa5\xf7\xdf\xbc\x33\x11\xdb\xd2\x34\x68\x8e\x85\xe9\xa7\xd5\x02\x1e\x51\xe2\xd0\xdd\x41\x80\x38\x15\x3d\xb6\x5b\x7f\xc2\x68\xf9\x8d\xdf\xd9\xe5\x03\x6f\x24\x49\x7d\x2f\x04\xcd\xcc\x75\x21\x78\x99\x19\x58\xf7\x24\x3f\xf4\xdd\x5a\xef\xcf\x75\x9a\x3f\xe7\xfb\x34\xc8", 159); *(uint8_t*)0x20008195 = 9; *(uint8_t*)0x20008196 = 5; *(uint8_t*)0x20008197 = 0xf; *(uint8_t*)0x20008198 = 0x10; *(uint16_t*)0x20008199 = 0x240; *(uint8_t*)0x2000819b = 2; *(uint8_t*)0x2000819c = 1; *(uint8_t*)0x2000819d = 0; *(uint8_t*)0x2000819e = 0x26; *(uint8_t*)0x2000819f = 3; memcpy((void*)0x200081a0, "\xb4\x51\xe2\x4f\x69\x72\xcd\x64\x29\xf8\x1c\xa1\x73\xd1\x3f\xb2\xc7\xf5\x28\x47\x51\x63\x8b\xbc\x4f\x0b\x3d\xe0\x20\x91\xfb\xb4\xf4\x45\x33\xd9", 36); *(uint8_t*)0x200081c4 = 9; *(uint8_t*)0x200081c5 = 5; *(uint8_t*)0x200081c6 = 7; *(uint8_t*)0x200081c7 = 2; *(uint16_t*)0x200081c8 = 0x400; *(uint8_t*)0x200081ca = 7; *(uint8_t*)0x200081cb = 0x3f; *(uint8_t*)0x200081cc = 0xdb; *(uint8_t*)0x200081cd = 0xc0; *(uint8_t*)0x200081ce = 0; 
memcpy((void*)0x200081cf, "\xba\x73\xf7\x70\xa4\x27\xb8\x43\x83\x13\xcb\x7e\x9d\x9d\x53\xa7\xe3\x11\x03\x66\xc8\x78\xe3\xc0\xf6\xe6\x29\xeb\xb2\xa0\x84\xa9\x0b\x2d\xef\x4b\x66\x95\x0f\xdf\xd6\x06\xe0\x83\x42\x29\xe6\x30\x28\x87\x54\x89\x67\x8b\xc9\x36\x98\xed\x86\x13\x88\x42\x54\x70\x3c\x31\x5f\x1e\xe5\x29\xd1\xbc\xbf\xaf\x8d\x86\x5e\x73\x8b\x9e\x08\xcb\xc4\xa2\x11\xd4\x80\xbd\xc2\xa6\xe6\x9e\x17\x2b\x1c\x73\x63\x94\x74\xf1\xf0\x11\x5b\x5f\x49\x18\xd0\x37\x45\x1c\x99\xde\xe8\x85\x47\x56\x25\x82\xd5\x71\x71\xaa\x19\x69\x13\xf1\x19\x15\xd1\xfd\xc1\xa5\x13\xb1\x6c\x0b\x9c\x1f\xa0\x71\x57\x42\x10\x46\xf4\xf3\x37\x2d\x00\xd4\xa2\x7e\xb9\x3e\xcd\x79\xb6\x85\xe1\x4f\x3e\xba\x64\x7e\x7b\x20\xae\xfd\xf9\x2e\xd0\x5b\xef\x68\x93\x52\x65\xce\x00\x35\xe3\xb6\x24\x85\x23\x50\xd1\x23\x4e\xf9", 190); *(uint8_t*)0x2000828d = 0xa; *(uint8_t*)0x2000828e = 5; memcpy((void*)0x2000828f, "\x29\x0a\x54\x8e\x96\x26\x66\xdf", 8); *(uint8_t*)0x20008297 = 9; *(uint8_t*)0x20008298 = 5; *(uint8_t*)0x20008299 = 7; *(uint8_t*)0x2000829a = 4; *(uint16_t*)0x2000829b = 0x7d7; *(uint8_t*)0x2000829d = 0; *(uint8_t*)0x2000829e = 7; *(uint8_t*)0x2000829f = 0xf9; *(uint8_t*)0x200082a0 = 0xcd; *(uint8_t*)0x200082a1 = 2; memcpy((void*)0x200082a2, 
"\x74\xcd\x60\x07\xae\x0e\xa1\x29\x7f\x07\x01\x8c\xbd\xaa\xa0\xc8\x78\x51\xa0\x13\x08\xad\x71\x7f\x23\x5e\x9e\xff\x80\x10\xad\x10\x46\xa5\x14\x8d\x35\x2a\x70\x76\x0b\xc4\xbe\xbd\xd7\x52\x8b\xf7\xd5\x06\xda\x1b\xaa\xc2\xcf\x49\x9d\x52\xde\x51\xd7\x1b\x05\x18\x5d\x7c\xd2\x68\x02\x3d\xe5\x96\x13\x04\x52\x1b\x5f\x56\x7c\x74\xcc\xab\x78\xb6\x1c\x3f\x64\x16\x62\xaf\x2d\x55\xd5\x15\x7a\x0d\xdc\x80\xc7\x59\x62\xe9\xbd\xa9\xff\x2d\x3b\x63\xdf\x6a\x6a\x0e\x2a\xeb\xbf\xc6\x64\xde\x3f\x3a\x34\xd6\x62\x00\xfa\x09\x24\x75\x68\x59\x57\xf0\xb3\x59\x42\x47\xa2\x1d\x46\x3c\xfe\x0c\xcd\x80\x44\xf9\x53\x19\xb4\xd4\x0c\x7f\x02\x2d\x5a\x9c\xe9\xe3\x48\xcd\x62\x3d\xc4\xc5\x90\xbe\xe5\xa1\x04\x72\x70\x95\x42\x14\x61\x1a\x8d\x98\xe6\x0a\xa6\x97\xa5\xce\x30\xee\xac\xd2\x39\x70\x94\xe5\x07\x16\x73\x99\x11\xa4\x47\x8b\x49\x5f\x02", 203); *(uint8_t*)0x2000836d = 0x2b; *(uint8_t*)0x2000836e = 3; memcpy((void*)0x2000836f, "\x9b\xc9\xf5\x80\x75\x06\x30\x3f\xbf\xd7\x12\x82\xa8\x20\x58\x56\x0f\xe8\x18\x0b\x20\x5f\x6f\x47\xf9\xd7\xcf\x05\x28\x0b\x7e\xb9\x6d\x6d\x15\x89\x97\x2f\x40\x2e\xf4", 41); *(uint8_t*)0x20008398 = 9; *(uint8_t*)0x20008399 = 5; *(uint8_t*)0x2000839a = 7; *(uint8_t*)0x2000839b = 0x1a; *(uint16_t*)0x2000839c = 8; *(uint8_t*)0x2000839e = 7; *(uint8_t*)0x2000839f = 3; *(uint8_t*)0x200083a0 = 0x86; *(uint8_t*)0x200083a1 = 0x35; *(uint8_t*)0x200083a2 = 0xb; memcpy((void*)0x200083a3, "\x01\x8a\x3d\x5f\xb9\x4d\x26\xc6\xa6\x89\xe9\x1e\xb6\xa9\xe4\x9b\xf1\xb8\x83\xb9\xe3\xda\x0a\x42\xbf\x45\x63\x9b\xc1\xb1\x9a\x0d\x8e\x78\xba\xbd\x76\x9b\x27\xa4\x3d\xd0\x91\xce\x83\xb4\xa9\x1c\xf5\xd1\x19", 51); *(uint8_t*)0x200083d6 = 7; *(uint8_t*)0x200083d7 = 0x25; *(uint8_t*)0x200083d8 = 1; *(uint8_t*)0x200083d9 = 0x80; *(uint8_t*)0x200083da = 0x40; *(uint16_t*)0x200083db = 6; *(uint8_t*)0x200083dd = 9; *(uint8_t*)0x200083de = 5; *(uint8_t*)0x200083df = 3; *(uint8_t*)0x200083e0 = 2; *(uint16_t*)0x200083e1 = 0x200; *(uint8_t*)0x200083e3 = 8; *(uint8_t*)0x200083e4 = 0x55; *(uint8_t*)0x200083e5 = 7; 
*(uint8_t*)0x200083e6 = 0xc; *(uint8_t*)0x200083e7 = 0x21; memcpy((void*)0x200083e8, "\xf2\xae\x0c\x70\x73\x12\x45\x83\x53\x64", 10); *(uint8_t*)0x200083f2 = 9; *(uint8_t*)0x200083f3 = 5; *(uint8_t*)0x200083f4 = 0xc; *(uint8_t*)0x200083f5 = 0; *(uint16_t*)0x200083f6 = 0x400; *(uint8_t*)0x200083f8 = -1; *(uint8_t*)0x200083f9 = 9; *(uint8_t*)0x200083fa = 0x7f; *(uint8_t*)0x200083fb = 9; *(uint8_t*)0x200083fc = 5; *(uint8_t*)0x200083fd = 3; *(uint8_t*)0x200083fe = 4; *(uint16_t*)0x200083ff = 0x3ff; *(uint8_t*)0x20008401 = 3; *(uint8_t*)0x20008402 = 0x81; *(uint8_t*)0x20008403 = 0x1f; *(uint8_t*)0x20008404 = 2; *(uint8_t*)0x20008405 = 0xb; memcpy((void*)0x20008406, "\x15\xf5\x29\x48\x16\x89\x69\xa7\x87\x9f\x68\x6a\x66\x44\x59\xf3\x1f\xa9\xc1\x46\xda\x65\xea\xa1\x87\x8b\x39\x96\xe0\x99\xdd\x1e\xc6\x89\x00\xa2\x57\xc0\x11\x39\x7b\xcf\xc1\x0b\xc4\x28\x59\x19\x72\xae\x5e\xb7\x0e\x65\xd2\x00\x24\x8c\x43\x3d\x8b\x1e\xaf\xe5\xdf\x95\xa1\x96\xb5\x8e\xd5\x0a\x74\xd4\x8f\x9c\x07\xf5\x08\x58\xdd\x07\xd9\x4e\xc7\x66\x26\xb5\xb4\x7c\x9a\xcd\x4f\xdb\xec\xde\x35\x6c\xab\xab\xc4\x3c\x31\x44\xfc\x2e\x52\x4b\x71\xbb\x4e\x8b\xb5\x35\xda\xa0\x71\xe2\x42\xc5\x85\x84\xdb\xdd\x6c\x1e\x75\x8e\x33\xfe\xcd\x91\xaa\xc9\x6d\x22\x88\x32\x2e\xd4\x8a\xcf\xda\xab\x53\x6e\xa5\x12\x98\xe1\x6c\x60\x33\xac\x2b\x91\x75\x84\x82\x71\x9c\xc7\xd7\x64\x37\x3c\xed\xf5\xd0\x39\xe7\x5f\x0b\xe3\x5a\xcd\xac\x46\xbf\xf1\x29\xaf\x0a\xd8\x17\xe1\x40\x64\x39\x8b\xe6\x49\x33\xb6\x76\xfa\xb4\xff\x8b\x8d\x37\xcd\x74\x2e\x41\xfd\x64\xf8\x7b\x7f\x7d\xf8\x73\xb3\xd4\xc1\xca\x44\x0e\x20\xa8\x29\xe3\x4c\x69\x77\x05\x4f\xd5\x97\x5e\x34\x94\x1c\x4c\xa2\x4d\xca\xf0\x7e\x3b\x99\x50\x28\x0b\x30\xfb\x2c\x43\x56\xee\xda\xb3\xe5\x18\x4e", 256); *(uint8_t*)0x20008506 = 7; *(uint8_t*)0x20008507 = 0x25; *(uint8_t*)0x20008508 = 1; *(uint8_t*)0x20008509 = 0; *(uint8_t*)0x2000850a = 0x1f; *(uint16_t*)0x2000850b = 0x200; *(uint8_t*)0x2000850d = 9; *(uint8_t*)0x2000850e = 5; *(uint8_t*)0x2000850f = 5; *(uint8_t*)0x20008510 = 0x10; 
*(uint16_t*)0x20008511 = 0x400; *(uint8_t*)0x20008513 = 0x81; *(uint8_t*)0x20008514 = 1; *(uint8_t*)0x20008515 = 5; *(uint8_t*)0x20008516 = 7; *(uint8_t*)0x20008517 = 0x25; *(uint8_t*)0x20008518 = 1; *(uint8_t*)0x20008519 = 2; *(uint8_t*)0x2000851a = 8; *(uint16_t*)0x2000851b = 0x101; *(uint8_t*)0x2000851d = 7; *(uint8_t*)0x2000851e = 0x25; *(uint8_t*)0x2000851f = 1; *(uint8_t*)0x20008520 = 3; *(uint8_t*)0x20008521 = 2; *(uint16_t*)0x20008522 = 8; *(uint8_t*)0x20008524 = 9; *(uint8_t*)0x20008525 = 5; *(uint8_t*)0x20008526 = 0; *(uint8_t*)0x20008527 = 4; *(uint16_t*)0x20008528 = 0x80; *(uint8_t*)0x2000852a = 9; *(uint8_t*)0x2000852b = 6; *(uint8_t*)0x2000852c = 7; *(uint8_t*)0x2000852d = 9; *(uint8_t*)0x2000852e = 5; *(uint8_t*)0x2000852f = 3; *(uint8_t*)0x20008530 = 0; *(uint16_t*)0x20008531 = 0x7ff; *(uint8_t*)0x20008533 = 1; *(uint8_t*)0x20008534 = -1; *(uint8_t*)0x20008535 = 0x1f; *(uint32_t*)0x20008640 = 0xa; *(uint64_t*)0x20008644 = 0x20008540; *(uint8_t*)0x20008540 = 0xa; *(uint8_t*)0x20008541 = 6; *(uint16_t*)0x20008542 = 0; *(uint8_t*)0x20008544 = 2; *(uint8_t*)0x20008545 = 0x86; *(uint8_t*)0x20008546 = 0x80; *(uint8_t*)0x20008547 = 0x10; *(uint8_t*)0x20008548 = 2; *(uint8_t*)0x20008549 = 0; *(uint32_t*)0x2000864c = 0x42; *(uint64_t*)0x20008650 = 0x20008580; *(uint8_t*)0x20008580 = 5; *(uint8_t*)0x20008581 = 0xf; *(uint16_t*)0x20008582 = 0x42; *(uint8_t*)0x20008584 = 5; *(uint8_t*)0x20008585 = 0xa; *(uint8_t*)0x20008586 = 0x10; *(uint8_t*)0x20008587 = 3; *(uint8_t*)0x20008588 = 0; *(uint16_t*)0x20008589 = 3; *(uint8_t*)0x2000858b = 0x73; *(uint8_t*)0x2000858c = 4; *(uint16_t*)0x2000858d = 0; *(uint8_t*)0x2000858f = 3; *(uint8_t*)0x20008590 = 0x10; *(uint8_t*)0x20008591 = 0xb; *(uint8_t*)0x20008592 = 0xa; *(uint8_t*)0x20008593 = 0x10; *(uint8_t*)0x20008594 = 3; *(uint8_t*)0x20008595 = 0; *(uint16_t*)0x20008596 = 8; *(uint8_t*)0x20008598 = 0xeb; *(uint8_t*)0x20008599 = 0x3f; *(uint16_t*)0x2000859a = 2; *(uint8_t*)0x2000859c = 7; *(uint8_t*)0x2000859d = 0x10; 
*(uint8_t*)0x2000859e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000859f, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 0xf, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a1, 5, 0, 16); *(uint8_t*)0x200085a3 = 0x1f; *(uint8_t*)0x200085a4 = 0x10; *(uint8_t*)0x200085a5 = 1; memcpy((void*)0x200085a6, "\x61\x40\x8d\x3d\x2e\x18\x72\x46\x92\x26\xd4\xd9\xbe\xfe\xcd\xac\x20\x8d\xfd\xaa\x38\x51\x78\xf4\x8c\xa7\x56\x50", 28); *(uint32_t*)0x20008658 = 1; *(uint32_t*)0x2000865c = 4; *(uint64_t*)0x20008660 = 0x20008600; *(uint8_t*)0x20008600 = 4; *(uint8_t*)0x20008601 = 3; *(uint16_t*)0x20008602 = 0x41a; res = -1; res = syz_usb_connect(5, 0x776, 0x20007dc0, 0x20008640); if (res != -1) r[15] = res; break; case 37: *(uint8_t*)0x20008680 = 0x12; *(uint8_t*)0x20008681 = 1; *(uint16_t*)0x20008682 = 0x200; *(uint8_t*)0x20008684 = -1; *(uint8_t*)0x20008685 = -1; *(uint8_t*)0x20008686 = -1; *(uint8_t*)0x20008687 = 0x40; *(uint16_t*)0x20008688 = 0xcf3; *(uint16_t*)0x2000868a = 0x9271; *(uint16_t*)0x2000868c = 0x108; *(uint8_t*)0x2000868e = 1; *(uint8_t*)0x2000868f = 2; *(uint8_t*)0x20008690 = 3; *(uint8_t*)0x20008691 = 1; *(uint8_t*)0x20008692 = 9; *(uint8_t*)0x20008693 = 2; *(uint16_t*)0x20008694 = 0x48; *(uint8_t*)0x20008696 = 1; *(uint8_t*)0x20008697 = 1; *(uint8_t*)0x20008698 = 0; *(uint8_t*)0x20008699 = 0x80; *(uint8_t*)0x2000869a = 0xfa; *(uint8_t*)0x2000869b = 9; *(uint8_t*)0x2000869c = 4; *(uint8_t*)0x2000869d = 0; *(uint8_t*)0x2000869e = 0; *(uint8_t*)0x2000869f = 6; *(uint8_t*)0x200086a0 = -1; *(uint8_t*)0x200086a1 = 0; *(uint8_t*)0x200086a2 = 0; *(uint8_t*)0x200086a3 = 0; *(uint8_t*)0x200086a4 = 9; *(uint8_t*)0x200086a5 = 5; *(uint8_t*)0x200086a6 = 1; *(uint8_t*)0x200086a7 = 2; *(uint16_t*)0x200086a8 = 0x200; *(uint8_t*)0x200086aa = 0; *(uint8_t*)0x200086ab = 0; *(uint8_t*)0x200086ac = 0; *(uint8_t*)0x200086ad = 9; *(uint8_t*)0x200086ae = 5; *(uint8_t*)0x200086af = 0x82; *(uint8_t*)0x200086b0 = 2; *(uint16_t*)0x200086b1 = 0x200; 
*(uint8_t*)0x200086b3 = 0; *(uint8_t*)0x200086b4 = 0; *(uint8_t*)0x200086b5 = 0; *(uint8_t*)0x200086b6 = 9; *(uint8_t*)0x200086b7 = 5; *(uint8_t*)0x200086b8 = 0x83; *(uint8_t*)0x200086b9 = 3; *(uint16_t*)0x200086ba = 0x40; *(uint8_t*)0x200086bc = 1; *(uint8_t*)0x200086bd = 0; *(uint8_t*)0x200086be = 0; *(uint8_t*)0x200086bf = 9; *(uint8_t*)0x200086c0 = 5; *(uint8_t*)0x200086c1 = 4; *(uint8_t*)0x200086c2 = 3; *(uint16_t*)0x200086c3 = 0x40; *(uint8_t*)0x200086c5 = 1; *(uint8_t*)0x200086c6 = 0; *(uint8_t*)0x200086c7 = 0; *(uint8_t*)0x200086c8 = 9; *(uint8_t*)0x200086c9 = 5; *(uint8_t*)0x200086ca = 5; *(uint8_t*)0x200086cb = 2; *(uint16_t*)0x200086cc = 0x200; *(uint8_t*)0x200086ce = 0; *(uint8_t*)0x200086cf = 0; *(uint8_t*)0x200086d0 = 0; *(uint8_t*)0x200086d1 = 9; *(uint8_t*)0x200086d2 = 5; *(uint8_t*)0x200086d3 = 6; *(uint8_t*)0x200086d4 = 2; *(uint16_t*)0x200086d5 = 0x200; *(uint8_t*)0x200086d7 = 0; *(uint8_t*)0x200086d8 = 0; *(uint8_t*)0x200086d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20008680, 0); if (res != -1) r[16] = res; break; case 38: *(uint32_t*)0x20008900 = 0x2c; *(uint64_t*)0x20008904 = 0x20008700; *(uint8_t*)0x20008700 = 0x20; *(uint8_t*)0x20008701 = 0x21; *(uint32_t*)0x20008702 = 0xdb; *(uint8_t*)0x20008706 = 0xdb; *(uint8_t*)0x20008707 = 0x24; memcpy((void*)0x20008708, 
"\xb5\x01\xb9\xa6\x76\xdf\xcb\x3e\x98\xc6\x6e\x8b\x68\x77\xca\xc3\x0d\xfb\x98\x56\xc7\x20\x94\xee\x90\xf2\x31\x70\xf3\x3d\xc0\x41\x69\x19\x14\x6a\x8a\x2a\xd6\x05\xce\x54\xf3\xd4\x43\xec\x59\x7b\x33\x7b\x1b\x4d\x39\xc4\x42\x89\xbb\xfc\x62\x1a\x00\x86\x26\x48\xfe\x2d\xf7\x54\xe4\x63\x45\x5e\xf8\x8f\x55\xfb\x63\xb4\xb7\x71\x9d\xd8\xd3\xe6\x84\x6c\x4d\x25\x4a\xfb\x2e\x40\x11\x6d\x2b\x5f\xcd\x88\x3a\x84\x21\x22\x17\xe0\x65\xcd\x44\x66\x68\x01\x15\x4e\x7b\x43\xe3\xd1\x62\x9d\xc7\x6f\x3a\x71\x10\xe8\x07\x90\xce\x65\xee\x44\x96\x1d\x30\x65\x21\xe9\x4e\x6e\xe9\x41\xa9\x7e\x0e\xab\x0e\x80\x37\xfe\xf7\x68\x90\x28\x91\xbb\x41\x05\xd8\xba\xf0\xa3\x5f\x93\xd2\xa5\x63\x59\x35\x79\x9c\x87\xeb\x91\xb5\xe5\xff\x7a\xe9\x1c\xbe\x9c\xda\xdd\x65\x3a\x48\x6d\x72\xd6\x7d\xc3\xb3\x71\xe4\xe5\xfa\x61\x87\x59\xde\x87\xeb\xe1\xec\x27\x8d\x14\x08\x34\x59\x0f\x6c\x51\x3e\x4c\x95\xcb\xb3", 217); *(uint64_t*)0x2000890c = 0x20008800; *(uint8_t*)0x20008800 = 0; *(uint8_t*)0x20008801 = 3; *(uint32_t*)0x20008802 = 0x18; *(uint8_t*)0x20008806 = 0x18; *(uint8_t*)0x20008807 = 3; memcpy((void*)0x20008808, "\x2c\x5d\xdd\x5f\xc6\x32\x36\xd4\x7a\xf3\x16\x42\x23\xe9\xb4\x23\xe1\x3b\x85\x60\xf2\x8a", 22); *(uint64_t*)0x20008914 = 0x20008840; *(uint8_t*)0x20008840 = 0; *(uint8_t*)0x20008841 = 0xf; *(uint32_t*)0x20008842 = 0x35; *(uint8_t*)0x20008846 = 5; *(uint8_t*)0x20008847 = 0xf; *(uint16_t*)0x20008848 = 0x35; *(uint8_t*)0x2000884a = 4; *(uint8_t*)0x2000884b = 7; *(uint8_t*)0x2000884c = 0x10; *(uint8_t*)0x2000884d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000884e, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 0xa, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008850, 1, 0, 16); *(uint8_t*)0x20008852 = 0xb; *(uint8_t*)0x20008853 = 0x10; *(uint8_t*)0x20008854 = 1; *(uint8_t*)0x20008855 = 0xc; *(uint16_t*)0x20008856 = 8; *(uint8_t*)0x20008858 = 0x3f; *(uint8_t*)0x20008859 = 1; *(uint16_t*)0x2000885a = 4; *(uint8_t*)0x2000885c = 6; *(uint8_t*)0x2000885d = 0x14; 
*(uint8_t*)0x2000885e = 0x10; *(uint8_t*)0x2000885f = 4; *(uint8_t*)0x20008860 = 0x80; memcpy((void*)0x20008861, "\xd0\xd1\xe2\xd8\x68\xe0\xfa\x99\x17\x77\xca\xc1\xb7\x94\x82\x58", 16); *(uint8_t*)0x20008871 = 0xa; *(uint8_t*)0x20008872 = 0x10; *(uint8_t*)0x20008873 = 3; *(uint8_t*)0x20008874 = 2; *(uint16_t*)0x20008875 = 3; *(uint8_t*)0x20008877 = 4; *(uint8_t*)0x20008878 = 0; *(uint16_t*)0x20008879 = 8; *(uint64_t*)0x2000891c = 0x20008880; *(uint8_t*)0x20008880 = 0x20; *(uint8_t*)0x20008881 = 0x29; *(uint32_t*)0x20008882 = 0xf; *(uint8_t*)0x20008886 = 0xf; *(uint8_t*)0x20008887 = 0x29; *(uint8_t*)0x20008888 = 0; *(uint16_t*)0x20008889 = 4; *(uint8_t*)0x2000888b = 0xc1; *(uint8_t*)0x2000888c = 0x7f; memcpy((void*)0x2000888d, "\x1b\xc1\x9f\x6f", 4); memcpy((void*)0x20008891, "\x0c\xd3\xa1\x96", 4); *(uint64_t*)0x20008924 = 0x200088c0; *(uint8_t*)0x200088c0 = 0x20; *(uint8_t*)0x200088c1 = 0x2a; *(uint32_t*)0x200088c2 = 0xc; *(uint8_t*)0x200088c6 = 0xc; *(uint8_t*)0x200088c7 = 0x2a; *(uint8_t*)0x200088c8 = -1; *(uint16_t*)0x200088c9 = 8; *(uint8_t*)0x200088cb = 0x20; *(uint8_t*)0x200088cc = 2; *(uint8_t*)0x200088cd = 6; *(uint16_t*)0x200088ce = 0x800; *(uint16_t*)0x200088d0 = 9; *(uint32_t*)0x20008e00 = 0x84; *(uint64_t*)0x20008e04 = 0x20008940; *(uint8_t*)0x20008940 = 0; *(uint8_t*)0x20008941 = 0xb; *(uint32_t*)0x20008942 = 0xe5; memcpy((void*)0x20008946, 
"\xea\x88\xbc\xa9\xc1\xe3\xf5\xbd\xf6\x07\xf7\x25\x25\x73\xdd\x87\x56\xe9\xf3\x2a\x7c\x4a\xee\xa5\xb3\xe1\xae\x6f\xdb\xe3\x19\x4c\x19\x18\xd9\xd9\xa3\xaa\x13\xdb\xbc\x47\xe1\x43\x0d\x7b\xe6\xa1\x80\xc7\x38\x84\x56\xd1\x2a\x5c\x32\x7b\x71\x6d\x23\x41\xbc\xd0\xef\x82\xa4\xa3\x46\x10\xe2\x8f\xc7\xb2\xe1\x72\xdf\xa0\x56\xc6\x35\x3d\xa1\x66\x49\x6c\xa2\x54\x0e\x60\xbb\x52\x06\x6e\xf4\x77\x36\x67\x40\x9a\x68\xef\xf5\x2e\x75\xff\x93\x46\x9e\x4f\xf5\xd6\x99\x66\xb8\x1e\x03\x4c\x68\x8a\x2f\x6f\xd9\x45\xec\xd0\x5f\x33\x65\x73\x58\x68\x23\xfd\x9f\x6d\x40\xbb\x48\x3d\xd2\x7a\xd4\x6b\x84\x14\x55\xac\x07\xfc\x31\x9b\x8c\xb5\xf5\xe2\xda\xa6\x4a\x6c\x5f\x3b\xc0\x99\x27\x0c\xd3\x76\x66\x0e\xf3\x45\x65\x71\xaa\x6d\x2f\xe4\x86\x67\x83\x8d\x81\x11\x26\xca\xce\xed\xae\xbe\xf9\x60\x81\x92\xb6\x03\x32\x7f\x6e\xe9\xed\x42\x57\x2b\x6e\xb3\xc6\x63\x0e\x90\x17\x42\x8e\xd3\x70\xbd\x03\x24\xda\x01\xea\xe4\xa7\x88\x1a\x6b\x88\xaa\x1a", 229); *(uint64_t*)0x20008e0c = 0x20008a40; *(uint8_t*)0x20008a40 = 0; *(uint8_t*)0x20008a41 = 0xa; *(uint32_t*)0x20008a42 = 1; *(uint8_t*)0x20008a46 = 5; *(uint64_t*)0x20008e14 = 0x20008a80; *(uint8_t*)0x20008a80 = 0; *(uint8_t*)0x20008a81 = 8; *(uint32_t*)0x20008a82 = 1; *(uint8_t*)0x20008a86 = 0x1f; *(uint64_t*)0x20008e1c = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x20; *(uint8_t*)0x20008ac1 = 0; *(uint32_t*)0x20008ac2 = 4; *(uint16_t*)0x20008ac6 = 2; *(uint16_t*)0x20008ac8 = 3; *(uint64_t*)0x20008e24 = 0x20008b00; *(uint8_t*)0x20008b00 = 0x20; *(uint8_t*)0x20008b01 = 0; *(uint32_t*)0x20008b02 = 4; *(uint16_t*)0x20008b06 = 0x100; *(uint16_t*)0x20008b08 = 1; *(uint64_t*)0x20008e2c = 0x20008b40; *(uint8_t*)0x20008b40 = 0x40; *(uint8_t*)0x20008b41 = 7; *(uint32_t*)0x20008b42 = 2; *(uint16_t*)0x20008b46 = -1; *(uint64_t*)0x20008e34 = 0x20008b80; *(uint8_t*)0x20008b80 = 0x40; *(uint8_t*)0x20008b81 = 9; *(uint32_t*)0x20008b82 = 1; *(uint8_t*)0x20008b86 = 0x7f; *(uint64_t*)0x20008e3c = 0x20008bc0; *(uint8_t*)0x20008bc0 = 0x40; *(uint8_t*)0x20008bc1 = 0xb; 
*(uint32_t*)0x20008bc2 = 2; memcpy((void*)0x20008bc6, "\xa6\xab", 2); *(uint64_t*)0x20008e44 = 0x20008c00; *(uint8_t*)0x20008c00 = 0x40; *(uint8_t*)0x20008c01 = 0xf; *(uint32_t*)0x20008c02 = 2; *(uint16_t*)0x20008c06 = 0; *(uint64_t*)0x20008e4c = 0x20008c40; *(uint8_t*)0x20008c40 = 0x40; *(uint8_t*)0x20008c41 = 0x13; *(uint32_t*)0x20008c42 = 6; *(uint8_t*)0x20008c46 = 0; *(uint8_t*)0x20008c47 = 0; *(uint8_t*)0x20008c48 = 0; *(uint8_t*)0x20008c49 = 0; *(uint8_t*)0x20008c4a = 0; *(uint8_t*)0x20008c4b = 0; *(uint64_t*)0x20008e54 = 0x20008c80; *(uint8_t*)0x20008c80 = 0x40; *(uint8_t*)0x20008c81 = 0x17; *(uint32_t*)0x20008c82 = 6; *(uint8_t*)0x20008c86 = 1; *(uint8_t*)0x20008c87 = 0x80; *(uint8_t*)0x20008c88 = 0xc2; *(uint8_t*)0x20008c89 = 0; *(uint8_t*)0x20008c8a = 0; *(uint8_t*)0x20008c8b = 1; *(uint64_t*)0x20008e5c = 0x20008cc0; *(uint8_t*)0x20008cc0 = 0x40; *(uint8_t*)0x20008cc1 = 0x19; *(uint32_t*)0x20008cc2 = 2; memcpy((void*)0x20008cc6, "rN", 2); *(uint64_t*)0x20008e64 = 0x20008d00; *(uint8_t*)0x20008d00 = 0x40; *(uint8_t*)0x20008d01 = 0x1a; *(uint32_t*)0x20008d02 = 2; *(uint16_t*)0x20008d06 = 0xb81; *(uint64_t*)0x20008e6c = 0x20008d40; *(uint8_t*)0x20008d40 = 0x40; *(uint8_t*)0x20008d41 = 0x1c; *(uint32_t*)0x20008d42 = 1; *(uint8_t*)0x20008d46 = 0x40; *(uint64_t*)0x20008e74 = 0x20008d80; *(uint8_t*)0x20008d80 = 0x40; *(uint8_t*)0x20008d81 = 0x1e; *(uint32_t*)0x20008d82 = 1; *(uint8_t*)0x20008d86 = 0x80; *(uint64_t*)0x20008e7c = 0x20008dc0; *(uint8_t*)0x20008dc0 = 0x40; *(uint8_t*)0x20008dc1 = 0x21; *(uint32_t*)0x20008dc2 = 1; *(uint8_t*)0x20008dc6 = 0x92; syz_usb_control_io(r[15], 0x20008900, 0x20008e00); break; case 39: syz_usb_disconnect(r[15]); break; case 40: syz_usb_ep_read(r[16], 0x1f, 0x80, 0x20008ec0); break; case 41: memcpy((void*)0x20008f40, 
"\x05\x9c\xba\xeb\x68\x64\xbc\xc9\x3a\x17\x64\x09\x36\xd2\xe5\x45\x0d\xeb\x6a\x94\xa3\xcd\x8d\xba\xc2\xfb\xcf\xac\x93\x2f\x8d\xd2\x22\x05\xe7\xae\x58\x9b\x0f\x01\x72\xe7\x51\xe3\x08\xa2\x36\xce\xa8\x57\x11\xd7\x4b\x54\x6d\x98\xb4\xd7\x5a\xfc\xc6\x5f\xd0\x46\x33\xc1\xfb\xed\x7c\xfe\x4d\x04\x9d", 73); syz_usb_ep_write(r[15], -1, 0x49, 0x20008f40); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :251:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :251:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor521355954 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/9 (4.87s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:namespace Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: socket$nl_netfilter(0x10, 0x3, 0xc) r0 = open(&(0x7f0000000000)='./file0\x00', 0x2000, 0x163) recvfrom(r0, &(0x7f0000000040)=""/238, 0xee, 0x1, &(0x7f0000000140)=@llc={0x1a, 0x10f, 0x7, 0xc7, 0x6, 0xff, @broadcast}, 0x80) r1 = socket$inet_sctp(0x2, 0x5, 0x84) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r1, 0x84, 0xa, &(0x7f00000001c0)={0x7ff, 0x1ff, 0x204, 0x0, 0x803, 0x0, 0x5, 0x800}, 0x20) execveat(r0, &(0x7f0000000200)='./file0\x00', &(0x7f0000000400)=[&(0x7f0000000240)='^\x00', &(0x7f0000000280)='*,+\x00', 
&(0x7f00000002c0)='-{$(%![\x00', &(0x7f0000000300)='\\[\x00', &(0x7f0000000340)='\x00', &(0x7f0000000380)='\x00', &(0x7f00000003c0)='\xb1$}\x00'], &(0x7f0000000640)=[&(0x7f0000000440)='\x00', &(0x7f0000000480)='*/%}\\\\\x00', &(0x7f00000004c0)='@[\x00', &(0x7f0000000500)='\x00', &(0x7f0000000540)=':\'\x9f^(\x00', &(0x7f0000000580)='],-.$\xfb\\}{)@-&/[\\!\x00', &(0x7f00000005c0)='\x00', &(0x7f0000000600)='{{\'$(+-(}{}]?/--)\x00'], 0x1000) r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000680)='/dev/hwrng\x00', 0x40000, 0x0) ioctl$HIDIOCGPHYS(r2, 0x80404812, &(0x7f00000006c0)) ioctl$TIOCGICOUNT(r2, 0x545d, 0x0) io_uring_setup(0x509f, &(0x7f0000000700)={0x0, 0x9c76, 0x8, 0x3, 0x309, 0x0, r0}) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_unix_may_send\x00') syz_emit_ethernet(0x2e, &(0x7f0000000040)={@dev={[], 0x29}, @local, @void, {@ipx={0x8137, {0xffff, 0x20, 0x2, 0x0, {@random=0x3, @random="67516965f015", 0x3}, {@random=0xa0, @current, 0x8ca}, "d18e"}}}}, &(0x7f0000000080)={0x1, 0x3, [0x6f3, 0xd92, 0xd18, 0x98a]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_EVENT_PKT={0x4, @hci_ev_pkt_type_change={{0x1d, 0x5}, {0x1, 0xc9, 0x800}}}, 0x8) syz_execute_func(&(0x7f0000000100)="c4017c5a50f2c4a1637c7a862ef04230b50d00000041d9f93e420fb7bcaeb0000000c4c2a5291498c482c9bdac33de7941f1c401fc2e0666400f38241f670fecfb") syz_extract_tcp_res(&(0x7f0000000180), 0x8, 0x47) r3 = openat$selinux_policy(0xffffffffffffff9c, &(0x7f00000001c0)='/selinux/policy\x00', 0x0, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002500)={0x2020, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x2020) lstat(&(0x7f00000046c0)='\x00', &(0x7f0000004700)={0x0, 0x0, 0x0, 0x0, 0x0}) stat(&(0x7f0000004780)='./file0\x00', &(0x7f00000047c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000004840)=0x0, &(0x7f0000004880), &(0x7f00000048c0)) syz_fuse_handle_req(r3, &(0x7f0000000200)="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", 0x2000, &(0x7f0000004cc0)={&(0x7f0000002200)={0x50, 0x0, 0x8b20, {0x7, 0x1f, 0x4, 0x0, 0x6, 0x2, 
0x7fffffff, 0x2}}, &(0x7f0000002280)={0x18, 0xfffffffffffffff5, 0x55}, &(0x7f00000022c0)={0x18, 0x0, 0x2, {0x9}}, &(0x7f0000002300)={0x18, 0x0, 0x40, {0xe62}}, &(0x7f0000002340)={0x18, 0x0, 0x80000001, {0x787}}, &(0x7f0000002380)={0x28, 0x0, 0x3, {{0x9, 0x101, 0x0, 0xffffffffffffffff}}}, &(0x7f00000023c0)={0x60, 0x0, 0x9, {{0xf652, 0x8d, 0x0, 0x3f, 0x80000000, 0x0, 0x3}}}, &(0x7f0000002440)={0x18, 0x0, 0x2, {0xa8f}}, &(0x7f0000002480)={0x26, 0x0, 0x8, {'bpf_lsm_unix_may_send\x00'}}, &(0x7f00000024c0)={0x20, 0x0, 0x6, {0x0, 0x12}}, &(0x7f0000004540)={0x78, 0xfffffffffffffff5, 0x81, {0x1, 0x7, 0x0, {0x5, 0x8, 0x6, 0x1ff, 0x5, 0x4, 0x4, 0xe8, 0x193, 0x7000, 0x6, 0xffffffffffffffff, r4, 0x3, 0x9}}}, &(0x7f00000045c0)={0x90, 0x0, 0x8612, {0x5, 0x3, 0xb2f, 0x20, 0x0, 0x7, {0x0, 0x1ff, 0x2, 0x2, 0x1de, 0x5a, 0x9, 0xc46, 0x5, 0xc000, 0xddce, 0xee01, 0xee00, 0x0, 0x12}}}, &(0x7f0000004680)={0x10, 0x0, 0x5}, &(0x7f0000004900)={0x2c0, 0xfffffffffffffff5, 0x8a, [{{0x4, 0x3, 0xfff, 0x6, 0xffffffff, 0x8, {0x5, 0xca13, 0x81, 0x4, 0x0, 0xbbc, 0x0, 0x3, 0x34b, 0x4000, 0x9, 0x0, 0xee01, 0x2, 0x81}}, {0x3, 0x80000001, 0x16, 0xf97, 'bpf_lsm_unix_may_send\x00'}}, {{0x5, 0x3, 0x100000001, 0x10001, 0x7, 0x83, {0x5, 0x5, 0x100, 0x6, 0xfffffffffffffbff, 0xb533, 0x800, 0xad7, 0x32f914fb, 0x2000, 0xe0, r6, 0xee01, 0x4, 0x64}}, {0x4, 0xfffffffffffffffc, 0x16, 0x6, 'bpf_lsm_unix_may_send\x00'}}, {{0x2, 0x2, 0x7, 0x8000, 0x9, 0x3, {0x2, 0x7, 0x80000000, 0x8, 0x6, 0x400, 0xc932, 0x81, 0x5, 0x1000, 0xf841, r7, 0xee00, 0xff, 0x5}}, {0x4, 0xffffffffffff3232, 0x16, 0x5, 'bpf_lsm_unix_may_send\x00'}}, {{0x4, 0x0, 0x0, 0x7, 0x200, 0x6, {0x5, 0x1020000, 0x6, 0x7f, 0xce, 0x0, 0xa9fb, 0xffffff81, 0x3ff, 0x1000, 0x0, 0x0, r8, 0x8de6, 0x3}}, {0x2, 0xffffffff, 0x1, 0x5, '/'}}]}, &(0x7f0000004bc0)={0xa0, 0x0, 0x3f, {{0x5, 0x2, 0x0, 0x7, 0x6, 0x3, {0x2, 0xf51e, 0x65, 0x1, 0x8b, 0x7f, 0x100, 0x9, 0x24, 0xa000, 0x3f, 0x0, 0xffffffffffffffff, 0x40, 0x3}}, {0x0, 0x1}}}, &(0x7f0000004c80)={0x20, 
0xfffffffffffffff5, 0x401, {0x5b2, 0x0, 0x9, 0x2}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004d40)='SEG6\x00') r9 = syz_init_net_socket$ax25(0x3, 0x2, 0x1) r10 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x3e79, &(0x7f0000004d80)={0x0, 0xb8ca, 0x20, 0xe7c, 0x26b, 0x0, r10}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004e00), &(0x7f0000004e40)) syz_io_uring_setup(0x5336, &(0x7f0000004e80)={0x0, 0x29dc, 0x2, 0x1, 0x3d6, 0x0, r3}, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004f00)=0x0, &(0x7f0000004f40)=0x0) r13 = syz_open_dev$vcsa(&(0x7f0000004f80)='/dev/vcsa#\x00', 0xfffffffffffffff8, 0x240) syz_io_uring_submit(0x0, r12, &(0x7f0000004fc0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd=r13, 0x0, 0x0, 0x0, {0x4404}}, 0x8) r14 = syz_open_dev$vcsa(&(0x7f0000005000)='/dev/vcsa#\x00', 0x1000, 0x8600) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005080)=[{0x0, &(0x7f0000005040)="48d5a3400d135dd4910161867c991fc7d68d55145fbbc5c498b58fba49bd01b68386473365a9131272ede1d53bc285051b85", 0x32}], 0x1, 0x0, &(0x7f00000050c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000005100)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000005140)='afs\x00', &(0x7f0000005180)='./file0\x00', 0x0, 0x9, &(0x7f0000006640)=[{&(0x7f00000051c0)="c5f6f420aeec388cedec2b597c8156538cd4586034199f56f5944da03d8ca829f6c6b6", 0x23, 0x1}, {&(0x7f0000005200)="f4ee9edc1be2c2d862a480f30ae30dafadfdf869f7789a4549f5a8dac06fe4c5d5d2cf0066d88bfca6af40745ed617b7a146c940de37505cb965eaa1982c8ca0ec2106f47e4e265f1e19285bba7eb577f60066b5f46c62d2ec0068edcbe6300e4f1e3cce429e45a7df287e8009841db1015134eeaa724311e55181cb7afe7dfdc7946bd14523ea6680ea42ca9f7b0eaaabe1d054277eff607ef4f8402e5dc37e6a528ec3565823c031a8460e8b5f670668f86b90a026043a", 0xb8, 0x2}, 
{&(0x7f00000052c0)="baeede481736d90f0aa36fb327956dd763578e20199f0dc85f185c9306866ba33c93d2af9613c92909c651254e6a63503dbf317b021c4b3c8de305d3de39a1ad9ac1b0ab3f51f68c1ae1da3e4cc744fd00dfa6d1b96e21134007d31c93013854ed32550f1b82a4c03ca67440d86545dcd29eea99274f655737ad5a54d9e7f9dec49129bb84beb62b1853f69e6a077209f7e55ce0d51686ca764d2ce334cd6d09b5d92357bdef60a635", 0xa9}, {&(0x7f0000005380)="31f1fbee4b48e6e69cb61bd1ccc1e213af5a28e74cffc2e5e82fbbcd1c3400faf379d1a194d52a3667e2019b9aec0e14feed8fea770a9a1bfbbc30997321bcbbcf4d115bb3d3269e50beca5982ef1d22c983d78621dbaa93e8395efe31dfadedcaded0976f5f0c7d4f17b6cc88b897ce5ddff1ade8ef2d62dcbed421589e3cfb5d8550d3651a99115d6e", 0x8a, 0x2}, {&(0x7f0000005440)="7881b6811ea2aec8f27f7f7f523cc4baca3652f7303cd748fb4ed8cc783ac578a9e853a9906a", 0x26, 0x1}, {&(0x7f0000005480)="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", 0x1000, 0xff00000000000000}, {&(0x7f0000006480)="829251fbd70caeb451ccf09a96fbfe559b217a4a12cf46a389d82c55ef7f5c64e45e1b6f269559a85e8bcc232bf1500dcb9af40f697165fde6209f8bf001585b6ccaafe194ccfdb7f8990804ee77ed9a345b52a8d7e8f4", 0x57, 0x8}, {&(0x7f0000006500)="34e0c082bd77b51d0c9ab1bcde0acc308149f3e64c75b7173cda5f39d3b4a62c60de76d12d41cec1b7c9bc9e57acb7834282a5758d7c7e4b21715febf6fbf144ad46cbf2cec87f7401", 0x49, 0x8001}, {&(0x7f0000006580)="e60976f86d91dd66cec0b1e30ec801160b84cfb1f8603703d14a6b815d22e1783eed12ce8c080e3ffbf0b53095f69603fa76a934a60a0526341eafafb3867d13e88d1d39e370a00dbe06ddc840ba7446a62597069e1dcd138f82b29ff78af1d1c3133fe9c04d732cdb4b3f6aa26989369b5f6dca6000a0767341bc2aaacd69e648621915b8aa9cb24c6bb5ae3f", 0x8d, 0x3}], 0x10000, &(0x7f0000006740)={[{@flock_strict='flock=strict'}], [{@obj_type={'obj_type', 0x3d, '/dev/vcsa#\x00'}}, {@obj_role={'obj_role', 0x3d, 'bpf_lsm_unix_may_send\x00'}}]}) syz_open_dev$I2C(&(0x7f00000067c0)='/dev/i2c-#\x00', 0x4, 0x4800) syz_open_procfs(r5, &(0x7f0000006800)='net/icmp\x00') syz_open_pts(r9, 0x258102) syz_read_part_table(0x9, 0x8, 
&(0x7f0000007d00)=[{&(0x7f0000006840)="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", 0xfe, 0x7fffffff}, {&(0x7f0000006940)="330ea746d7dfb4a5e9f33a325a9688ca04cd59af724b34f70ae370d4ac73ea9a65ab003f2cbc01af1162c0fefb2b7e4a0dcd3f2a8c23f2a1", 0x38, 0x2eed}, {&(0x7f0000006980)="", 0x1000, 0x4065ebb7}, {&(0x7f0000007980)="112a657c2770ad17f2e77762160bb14f2f71a17b88fdb946f919b2dfd3efd616e31124ff47ee668f6065a0435a791a7439d8aa10dcc418192d821e36fc0820d7cc0f88b088916d786f01426fa46b214de822d24e4d6c785feac458d98635c4801672bd4e74fd40753932121152ae0ead771e3abc7f741e393b328526e5ec29e8e0d9b3a2bebcd0eb3472a4bd8e50f953ed173ba271fbe9f9d9c463c79f44d093154ffef59c93ada783b4727fc35ba6c0db2518939cb35fb3301d4cf72d2524f83ac4ab57a8acfc93a99c26ccaee0566371229496e93021e86b956021a467f34be66e", 0xe2, 0x6d69}, {&(0x7f0000007a80)="629825e3cb9c42732810eb62f1ff4785718f7a30c63940f2eadf19dae820feb9b7b358f741b834164a9a4ac8ce398c231607f523a26db9e0aecac1d1e89022d1cd50d644f2466b25ec09c6d6ef4f0b3ef592d1408d049da49b953b327e123c6f1963c2f7a9e3cc7e0c52ed1e17d0a8b794666875b20b07a0f5c2c76d9632909f769eb25b162737bea131f5c270b3249fd65c255e68b680271d0c11196715177744e7", 0xa2, 0x9}, {&(0x7f0000007b40)="d1091749233d1e7ec50653f301a734f5dd67ac1e748923e44ccedeeb3ea234745896abcb8003ed61605b5dffa8a9af0aa12ed902d4a35a9260c53ab6a621e210e61e4002838dc29e2f798b4cbe0ed0c12a33c69ddda446b9b884fcbfe28199184bd4aeb097d0d9a393b699d1f55a57d830da497d79b9bd7dbcdbfe7e168d6007611db96733574fb150f4e90991c70fc19edba6beedc5a72169366ae5fca5c1cb413bbc54ff8f127d1b94cf9942b5c9be5fbfc93946bf1d0b289a7442fb057adb0ae7fa4189d5e5fefc75ed5d260b3c2c2445d49579e6b369e396da162d940559", 0xe0, 0x6}, {&(0x7f0000007c40)="768d82c47f166e252530915b63b40d9eba4b95fe087893453f373a94389e1120981cb44576a2051c4158400a59b9c8a940ccae2826414e14ad55c72b04f8fabfe86462409b3ab2a075ea92c8bddcd2b2fc0fd77a97bc271ecd43dd605f29b990837b409eed5965ddb3fb1b91e5bf12ddbcf21c90c7ef2f0ab9bb03f72a647ce8", 0x80, 0xfffffffffffffff7}, 
{&(0x7f0000007cc0)="46c0ce8920305b2c7f636edbb165920db78c61f8", 0x14, 0xfffffffffffffffa}]) r15 = syz_usb_connect(0x5, 0x776, &(0x7f0000007dc0)={{0x12, 0x1, 0x300, 0x94, 0xe8, 0x2e, 0x40, 0x789, 0x160, 0xf578, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x764, 0x2, 0x4, 0x8f, 0x0, 0x7f, [{{0x9, 0x4, 0x40, 0x3f, 0xe, 0xbb, 0x18, 0xf3, 0x20, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "c1b0c981cc"}, {0x5, 0x24, 0x0, 0x7}, {0xd, 0x24, 0xf, 0x1, 0x9, 0xfff, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0xaa4}, @acm={0x4, 0x24, 0x2, 0x9}]}, @hid_hid={0x9, 0x21, 0x7ff, 0x8, 0x1, {0x22, 0xd44}}], [{{0x9, 0x5, 0x3, 0x3, 0x40, 0x6, 0x6, 0x80}}, {{0x9, 0x5, 0x5, 0x8, 0x20, 0x34, 0x7, 0xd1, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x20}, @generic={0x65, 0x30, "dac16e845b149dafe66663cc3acf393fa7b0ae46cbb8cf207bdb0d3d6cf681661fa00ed58d703c226470a84eaa264be51e6810875248ede794e2207e60b04585603cd055c6348f0eb4f33f2a833f4aee8884d7773be2f45177ad4c03728ff4dd8e40fd"}]}}, {{0x9, 0x5, 0x2, 0x4, 0x3ff, 0x1f, 0x2, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x9, 0x2}]}}, {{0x9, 0x5, 0x6, 0x0, 0x40, 0x0, 0x40, 0xfd, [@uac_iso={0x7, 0x25, 0x1, 0x83, 0x1f, 0x1000}]}}, {{0x9, 0x5, 0xd, 0x1, 0x3ff, 0x3, 0x1, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x4, 0x3}]}}, {{0x9, 0x5, 0x5, 0x4, 0x8, 0x8, 0xff, 0x80}}, {{0x9, 0x5, 0xf, 0x1, 0x8, 0xae, 0x9, 0xf6, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x95, 0x6}, @generic={0x7a, 0x6, "3f8f5c318c80e5a936089fa5be9dc364d3a8ff22238b9200642bb7969b9c0989510df3f2673846f3fe68eec487476d9d8ea37c9e7ec2939c3a85842cad500bf77aed1d9290eb850af4621cafed03c08a55c422c7122f6ec0703a47dfcb279c0b03558b39c7231b38e559d0546a29ca32280a8ce47080aa8d"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x58982e9dfc588938, 0x1, 0x8c, 0x4}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x6, 0x1, 0x81}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0x80, 0x3, 0x23, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0xb5a}]}}, {{0x9, 0x5, 0x8, 0x2, 0x8, 0x1f, 0x8, 0x1f, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x7f, 0x3}]}}, 
{{0x9, 0x5, 0xd, 0xc, 0x3ff, 0x12, 0x9, 0x4, [@generic={0xe, 0x5, "a9b97bc24de62c3bcf2bfa13"}, @generic={0x44, 0x30, "9f0d5ea24268b8a3211765246b1a834af641e8cd6ea3ef9b1fe10f16bed6b06cc3a165920c9d73909ab9ac8b2a7a8a5dae5d4acf316d0b35d4b644d368a06e0eff85"}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x3, 0xff, 0x6}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x6, 0x2e}}]}}, {{0x9, 0x4, 0x7, 0x0, 0xd, 0x29, 0xcb, 0x7c, 0x9, [@hid_hid={0x9, 0x21, 0x7, 0x1, 0x1, {0x22, 0xbd9}}, @uac_as={[@format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x43, 0x1, 0x0, 0x9, 'd\"', "3709db"}, @format_type_i_discrete={0x11, 0x24, 0x2, 0x1, 0xf8, 0x2, 0x7, 0x40, "5e58dff9a0d01e4109"}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0xffec, 0x6, 0x15, '?w'}, @as_header={0x7, 0x24, 0x1, 0xe1, 0x3, 0x2}]}], [{{0x9, 0x5, 0xc, 0x8, 0x8, 0x4, 0x8, 0x8}}, {{0x9, 0x5, 0x6, 0x8, 0x8, 0x0, 0x2, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x6, 0x18}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x39, 0x0, 0x6, [@generic={0x80, 0x23, "eba3e2d4848f84d0e6ded46e24d10bf9f8b0738910e29f319e942546e9cda8638257f55d0049672a1337067af73c1c29e0bd772a1cd5e16d249ed15cdd3d85a4399aef69e3f5a506ea0e0559306fe1f42dfc10922062e2bc062c34a1adc4bc46b080259ad20b37cde1eba7178fb514b2ef7397715b0eae34d5efd5274900"}, @generic={0xa1, 0x21, "1c020b389a4c59d1f26da857b222a6f6618adb0411bb24478e68ffe758469d4bb34df6aa9577ced55383dff01c052abbde70468ce31100ca3184d1d5f803dc280df3b7ae4738ad05036701e2e38ce844a7d301d86e0597c5bc1b67e7c6a5f7dfbc3311dbd234688e85e9a7d5021e51e2d0dd418038153db65b7fc268f98ddfd9e5036f24497d2f04cdcc752178991958f7243ff4dd5aefcf759a3fe7fb34c8"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x240, 0x2, 0x1, 0x0, [@generic={0x26, 0x3, "b451e24f6972cd6429f81ca173d13fb2c7f5284751638bbc4f0b3de02091fbb4f44533d9"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x7, 0x3f, 0xdb, [@generic={0xc0, 0x0, 
"ba73f770a427b8438313cb7e9d9d53a7e3110366c878e3c0f6e629ebb2a084a90b2def4b66950fdfd606e0834229e63028875489678bc93698ed8613884254703c315f1ee529d1bcbfaf8d865e738b9e08cbc4a211d480bdc2a6e69e172b1c73639474f1f0115b5f4918d037451c99dee88547562582d57171aa196913f11915d1fdc1a513b16c0b9c1fa07157421046f4f3372d00d4a27eb93ecd79b685e14f3eba647e7b20aefdf92ed05bef68935265ce0035e3b624852350d1234ef9"}, @generic={0xa, 0x5, "290a548e962666df"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x7d7, 0x0, 0x7, 0xf9, [@generic={0xcd, 0x2, "74cd6007ae0ea1297f07018cbdaaa0c87851a01308ad717f235e9eff8010ad1046a5148d352a70760bc4bebdd7528bf7d506da1baac2cf499d52de51d71b05185d7cd268023de5961304521b5f567c74ccab78b61c3f641662af2d55d5157a0ddc80c75962e9bda9ff2d3b63df6a6a0e2aebbfc664de3f3a34d66200fa092475685957f0b3594247a21d463cfe0ccd8044f95319b4d40c7f022d5a9ce9e348cd623dc4c590bee5a1047270954214611a8d98e60aa697a5ce30eeacd2397094e50716739911a4478b495f02"}, @generic={0x2b, 0x3, "9bc9f5807506303fbfd71282a82058560fe8180b205f6f47f9d7cf05280b7eb96d6d1589972f402ef4"}]}}, {{0x9, 0x5, 0x7, 0x1a, 0x8, 0x7, 0x3, 0x86, [@generic={0x35, 0xb, "018a3d5fb94d26c6a689e91eb6a9e49bf1b883b9e3da0a42bf45639bc1b19a0d8e78babd769b27a43dd091ce83b4a91cf5d119"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x6}]}}, {{0x9, 0x5, 0x3, 0x2, 0x200, 0x8, 0x55, 0x7, [@generic={0xc, 0x21, "f2ae0c70731245835364"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x400, 0xff, 0x9, 0x7f}}, {{0x9, 0x5, 0x3, 0x4, 0x3ff, 0x3, 0x81, 0x1f, [@generic={0x102, 0xb, "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"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x200}]}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x81, 0x1, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x8, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x8}]}}, {{0x9, 0x5, 0x0, 0x4, 0x80, 0x9, 0x6, 0x7}}, {{0x9, 0x5, 0x3, 0x0, 0x7ff, 0x1, 0xff, 0x1f}}]}}]}}]}}, &(0x7f0000008640)={0xa, &(0x7f0000008540)={0xa, 0x6, 0x0, 0x2, 0x86, 0x80, 0x10, 0x2}, 0x42, &(0x7f0000008580)={0x5, 0xf, 0x42, 0x5, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x3, 0x73, 0x4}, @ptm_cap={0x3}, 
@ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0xeb, 0x3f, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x8, 0xf, 0x6, 0x5}, @generic={0x1f, 0x10, 0x1, "61408d3d2e1872469226d4d9befecdac208dfdaa385178f48ca75650"}]}, 0x1, [{0x4, &(0x7f0000008600)=@lang_id={0x4, 0x3, 0x41a}}]}) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000008680)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r15, &(0x7f0000008900)={0x2c, &(0x7f0000008700)={0x20, 0x21, 0xdb, {0xdb, 0x24, "b501b9a676dfcb3e98c66e8b6877cac30dfb9856c72094ee90f23170f33dc0416919146a8a2ad605ce54f3d443ec597b337b1b4d39c44289bbfc621a00862648fe2df754e463455ef88f55fb63b4b7719dd8d3e6846c4d254afb2e40116d2b5fcd883a84212217e065cd44666801154e7b43e3d1629dc76f3a7110e80790ce65ee44961d306521e94e6ee941a97e0eab0e8037fef768902891bb4105d8baf0a35f93d2a5635935799c87eb91b5e5ff7ae91cbe9cdadd653a486d72d67dc3b371e4e5fa618759de87ebe1ec278d140834590f6c513e4c95cbb3"}}, &(0x7f0000008800)={0x0, 0x3, 0x18, @string={0x18, 0x3, "2c5ddd5fc63236d47af3164223e9b423e13b8560f28a"}}, &(0x7f0000008840)={0x0, 0xf, 0x35, {0x5, 0xf, 0x35, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x8, 0x2, 0xa, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x8, 0x3f, 0x1, 0x4, 0x6}, @ss_container_id={0x14, 0x10, 0x4, 0x80, "d0d1e2d868e0fa991777cac1b7948258"}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x3, 0x4, 0x0, 0x8}]}}, &(0x7f0000008880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x4, 0xc1, 0x7f, "1bc19f6f", "0cd3a196"}}, &(0x7f00000088c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xff, 0x8, 0x20, 0x2, 0x6, 0x800, 0x9}}}, &(0x7f0000008e00)={0x84, &(0x7f0000008940)={0x0, 0xb, 0xe5, 
"ea88bca9c1e3f5bdf607f7252573dd8756e9f32a7c4aeea5b3e1ae6fdbe3194c1918d9d9a3aa13dbbc47e1430d7be6a180c7388456d12a5c327b716d2341bcd0ef82a4a34610e28fc7b2e172dfa056c6353da166496ca2540e60bb52066ef4773667409a68eff52e75ff93469e4ff5d69966b81e034c688a2f6fd945ecd05f336573586823fd9f6d40bb483dd27ad46b841455ac07fc319b8cb5f5e2daa64a6c5f3bc099270cd376660ef3456571aa6d2fe48667838d811126caceedaebef9608192b603327f6ee9ed42572b6eb3c6630e9017428ed370bd0324da01eae4a7881a6b88aa1a"}, &(0x7f0000008a40)={0x0, 0xa, 0x1, 0x5}, &(0x7f0000008a80)={0x0, 0x8, 0x1, 0x1f}, &(0x7f0000008ac0)={0x20, 0x0, 0x4, {0x2, 0x3}}, &(0x7f0000008b00)={0x20, 0x0, 0x4, {0x100, 0x1}}, &(0x7f0000008b40)={0x40, 0x7, 0x2, 0xffff}, &(0x7f0000008b80)={0x40, 0x9, 0x1, 0x7f}, &(0x7f0000008bc0)={0x40, 0xb, 0x2, "a6ab"}, &(0x7f0000008c00)={0x40, 0xf, 0x2}, &(0x7f0000008c40)={0x40, 0x13, 0x6}, &(0x7f0000008c80)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}, &(0x7f0000008cc0)={0x40, 0x19, 0x2, 'rN'}, &(0x7f0000008d00)={0x40, 0x1a, 0x2, 0xb81}, &(0x7f0000008d40)={0x40, 0x1c, 0x1, 0x40}, &(0x7f0000008d80)={0x40, 0x1e, 0x1, 0x80}, &(0x7f0000008dc0)={0x40, 0x21, 0x1, 0x92}}) syz_usb_disconnect(r15) syz_usb_ep_read(r16, 0x1f, 0x80, &(0x7f0000008ec0)=""/128) syz_usb_ep_write(r15, 0xff, 0x49, &(0x7f0000008f40)="059cbaeb6864bcc93a17640936d2e5450deb6a94a3cd8dbac2fbcfac932f8dd22205e7ae589b0f0172e751e308a236cea85711d74b546d98b4d75afcc65fd04633c1fbed7cfe4d049d") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) 
{ struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if 
(now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case 
BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && 
index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = 
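lookup_usb_index(fd);
	// (continuation of lookup_connect_response_in(fd, descs, ctrl, response_data,
	// response_length); the signature is on the preceding line)
	//
	// Answers IN-direction control requests received while the emulated device
	// is being enumerated. On success *response_data/*response_length describe
	// the bytes to send on EP0; returns false for anything unhandled so that
	// the caller can stall EP0. descs is optional and may be NULL.
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				// Index 0 is the LANGID table; any other index gets the "syz" string.
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// descs is optional (the STRING case already treats it that way),
				// so a NULL descs must not be dereferenced here.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// No qualifier supplied: synthesize one from the device
					// descriptor. The storage must outlive this call because the
					// caller copies from *response_data after we return. The
					// original cast response_data itself (a char** pointing at the
					// caller's 8-byte char* local) to struct usb_qualifier_descriptor*
					// and wrote the 10-byte struct through it, corrupting the caller's
					// stack and never setting *response_data. Thread-local because
					// the executor runs several threads.
					static __thread struct usb_qualifier_descriptor qual;
					qual.bLength = sizeof(qual);
					qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual.bcdUSB = index->dev->bcdUSB;
					qual.bDeviceClass = index->dev->bDeviceClass;
					qual.bDeviceSubClass = index->dev->bDeviceSubClass;
					qual.bDeviceProtocol = index->dev->bDeviceProtocol;
					qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual.bNumConfigurations = index->dev->bNumConfigurations;
					qual.bRESERVED = 0;
					*response_data = (char*)&qual;
					*response_length = sizeof(qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Handler for OUT-direction control requests during enumeration. Returns true
// if the request is acceptable and sets *done once enumeration is complete.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic device: enumeration is finished by the first SET_CONFIGURATION.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{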
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if 
(desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 
4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, 
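USB_RAW_IOCTL_CONFIGURE, 0); }

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces of the interface with the given
// number/alternate setting, or -1 if fd is unknown or there is no such interface.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the raw-gadget endpoint handle for bEndpointAddress on the currently
// selected interface, or -1 if fd is unknown, no interface is selected, or the
// address is not present on that interface.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	// The loop has to be bounded by eps_num: the original condition was just
	// `eps_num` (true as soon as one endpoint exists), so a lookup miss kept
	// reading past eps[USB_MAX_EP_NUM] into the neighbouring memory.
	for (int ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}

// Disables the endpoints of the currently selected interface (if any), then
// enables those of interface n and records the handles raw-gadget returns.
// An out-of-range n leaves the selection unchanged. Failures of the
// per-endpoint ioctls are ignored, as in the original.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		struct usb_iface_index* cur = &index->ifaces[index->iface_cur];
		for (int ep = 0; ep < cur->eps_num; ep++)
			usb_raw_ep_disable(fd, cur->eps[ep].handle);
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

// Completes SET_CONFIGURATION: declares the bus power draw, configures the
// gadget and selects interface 0. Returns the first failing ioctl's result,
// -1 for an unknown fd, else 0.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0)
		return rv;
	rv = usb_raw_configure(fd);
	if (rv < 0)
		return rv;
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest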
ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, 
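response_length);
		// (tail of syz_usb_connect_impl's event loop; the function starts on the
		// preceding line)
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}

// Emulates a generic USB device plugging in: a0 = speed, a1/a2 = length and
// bytes of the device+config descriptor blob, a3 = optional extra descriptors.
// Returns the raw-gadget fd on success, a negative value on failure.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// As syz_usb_connect, but enumeration additionally accepts the ath9k vendor
// firmware-download requests and finishes on the download-complete request.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// Services one control transfer on an already connected device fd (a0):
// fetches the next raw-gadget event, answers IN requests with data from the
// descriptor/response tables (a1/a2), stalling EP0 when nothing matches, and
// applies a standard SET_INTERFACE for OUT requests. Returns 0 on success, a
// negative value on failure or when the event was not a control request.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	bool in_with_data = (event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength;
	if (in_with_data) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// Only a *standard* SET_INTERFACE selects an interface. The original
		// tested `== USB_TYPE_STANDARD || bRequest == USB_REQ_SET_INTERFACE`,
		// which also ran the lookup for every other standard OUT request and
		// for any class/vendor request whose bRequest equals USB_REQ_SET_INTERFACE.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index >= 0)
				set_interface(fd, iface_index);
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Clamp to the EP0 buffer and to what the host asked for.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if (in_with_data) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Writes up to USB_MAX_PACKET_SIZE bytes (a3, length a2) to endpoint address
// a1 of device fd a0. Returns -1 if the endpoint is not on the selected
// interface, the ioctl result on failure, else 0.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Reads up to USB_MAX_PACKET_SIZE bytes from endpoint address a1 of device fd
// a0 into a3 (capacity a2). Same return convention as syz_usb_ep_write.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct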
usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + 
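sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	// The reply is parsed in place: `attr` still points at the first attribute
	// slot of the request layout, which the CTRL reply shares.
	// NOTE(review): nla_len is taken from the reply without validation; a zero
	// nla_len would not advance `attr` (NLMSG_ALIGN(0) == 0).
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

// One piece of a filesystem image: `size` bytes of `data` placed at `offset`
// in the backing file.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 319

// Clamps every segment into [0, IMAGE_MAX_SIZE) in place and returns an image
// size that is at least `size` and large enough to hold each clamped segment,
// itself capped at IMAGE_MAX_SIZE. At most IMAGE_MAX_SEGMENTS segments are
// inspected; the caller must apply the same limit when it uses them.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// Fix: the covering size was computed as offset + offset, so an image
		// could be truncated to less than the end of its last segment.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Materialises `segs` into a memfd of `size` bytes and attaches it to the loop
// device at `loopname`. A LOOP_SET_FD that fails with EBUSY is retried once
// after LOOP_CLR_FD. On success both fds are handed back through
// *memfd_p/*loopfd_p and 0 is returned; on failure every fd opened here is
// closed, errno is set to the first failure and -1 is returned.
// Individual pwrite failures are ignored on purpose (best effort image fill).
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;

	size = fs_image_segment_check(size, nsegs, segs);
	// Mirror the clamp applied by fs_image_segment_check so that no segment
	// beyond the checked range is written with an unclamped size/offset.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;

	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}

	for (size_t i = 0; i < nsegs; i++) {
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}

	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}

	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}

	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Attaches the image to /dev/loop<procid> (procid is defined elsewhere in this
// file), turns on LO_FLAGS_PARTSCAN so the kernel parses its partition table,
// and symlinks each partition node /dev/loop<procid>p1..p7 that appears to
// ./file0, ./file1, ... in order. The loop device is detached again before
// returning, on the success path as well. Returns 0 once the partition scan
// was requested, -1 otherwise with errno set.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];

	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;

	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}

error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	close(memfd);
	errno = err;
	return res;
}

// Mounts filesystem `fsarg` at `dir`, backed by a loop device built from
// `segments` when any are given.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int res = -1, err = 0, loopfd = -1, memfd =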
-1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = 
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x7
9\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc
0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd
0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define 
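ADDR_VAR_VMXON 0x6000
#define ADDR_VAR_VMCS 0x7000
#define ADDR_VAR_VMEXIT_CODE 0x9000
#define ADDR_VAR_USER_CODE 0x9100
#define ADDR_VAR_USER_CODE2 0x9120

// GDT selectors: index << 3, with RPL 3 added for the CPL3 variants.
#define SEL_LDT (1 << 3)
#define SEL_CS16 (2 << 3)
#define SEL_DS16 (3 << 3)
#define SEL_CS16_CPL3 ((4 << 3) + 3)
#define SEL_DS16_CPL3 ((5 << 3) + 3)
#define SEL_CS32 (6 << 3)
#define SEL_DS32 (7 << 3)
#define SEL_CS32_CPL3 ((8 << 3) + 3)
#define SEL_DS32_CPL3 ((9 << 3) + 3)
#define SEL_CS64 (10 << 3)
#define SEL_DS64 (11 << 3)
#define SEL_CS64_CPL3 ((12 << 3) + 3)
#define SEL_DS64_CPL3 ((13 << 3) + 3)
#define SEL_CGATE16 (14 << 3)
#define SEL_TGATE16 (15 << 3)
#define SEL_CGATE32 (16 << 3)
#define SEL_TGATE32 (17 << 3)
#define SEL_CGATE64 (18 << 3)
#define SEL_CGATE64_HI (19 << 3)
#define SEL_TSS16 (20 << 3)
#define SEL_TSS16_2 (21 << 3)
#define SEL_TSS16_CPL3 ((22 << 3) + 3)
#define SEL_TSS32 (23 << 3)
#define SEL_TSS32_2 (24 << 3)
#define SEL_TSS32_CPL3 ((25 << 3) + 3)
#define SEL_TSS32_VM86 (26 << 3)
#define SEL_TSS64 (27 << 3)
#define SEL_TSS64_HI (28 << 3)
#define SEL_TSS64_CPL3 ((29 << 3) + 3)
#define SEL_TSS64_CPL3_HI (30 << 3)

#define MSR_IA32_FEATURE_CONTROL 0x3a
#define MSR_IA32_VMX_BASIC 0x480
#define MSR_IA32_SMBASE 0x9e
#define MSR_IA32_SYSENTER_CS 0x174
#define MSR_IA32_SYSENTER_ESP 0x175
#define MSR_IA32_SYSENTER_EIP 0x176
#define MSR_IA32_STAR 0xC0000081
#define MSR_IA32_LSTAR 0xC0000082
#define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B

// Markers embedded in the guest text prefixes and patched at setup time:
// 0x0badc0de is located via its little-endian bytes, PREFIX_SIZE via a
// 16-bit search. NEXT_INSN looks like an AT&T-syntax immediate for use in
// asm; it is not referenced in this chunk.
#define NEXT_INSN $0xbadc0de
#define PREFIX_SIZE 0xba1d

#define KVM_SMI _IO(KVMIO, 0xb7)

#define CR0_PE 1
#define CR0_MP (1 << 1)
#define CR0_EM (1 << 2)
#define CR0_TS (1 << 3)
#define CR0_ET (1 << 4)
#define CR0_NE (1 << 5)
#define CR0_WP (1 << 16)
#define CR0_AM (1 << 18)
#define CR0_NW (1 << 29)
#define CR0_CD (1 << 30)
// Fix: 1 << 31 overflows int; or-ing it into a 64-bit register value would
// sign-extend into the reserved upper bits.
#define CR0_PG (1U << 31)

#define CR4_VME 1
#define CR4_PVI (1 << 1)
#define CR4_TSD (1 << 2)
#define CR4_DE (1 << 3)
#define CR4_PSE (1 << 4)
#define CR4_PAE (1 << 5)
#define CR4_MCE (1 << 6)
#define CR4_PGE (1 << 7)
#define CR4_PCE (1 << 8)
// Fix: OSFXSR is CR4 bit 9; it previously duplicated CR4_PCE (bit 8), so the
// CR4 toggle mask never covered bit 9.
#define CR4_OSFXSR (1 << 9)
#define CR4_OSXMMEXCPT (1 << 10)
#define CR4_UMIP (1 << 11)
#define CR4_VMXE (1 << 13)
#define CR4_SMXE (1 << 14)
#define CR4_FSGSBASE (1 << 16)
#define CR4_PCIDE (1 << 17)
#define CR4_OSXSAVE (1 << 18)
#define CR4_SMEP (1 << 20)
#define CR4_SMAP (1 << 21)
#define CR4_PKE (1 << 22)

#define EFER_SCE 1
#define EFER_LME (1 << 8)
#define EFER_LMA (1 << 10)
#define EFER_NXE (1 << 11)
#define EFER_SVME (1 << 12)
#define EFER_LMSLE (1 << 13)
#define EFER_FFXSR (1 << 14)
#define EFER_TCE (1 << 15)

#define PDE32_PRESENT 1
#define PDE32_RW (1 << 1)
#define PDE32_USER (1 << 2)
#define PDE32_PS (1 << 7)

#define PDE64_PRESENT 1
#define PDE64_RW (1 << 1)
#define PDE64_USER (1 << 2)
#define PDE64_ACCESSED (1 << 5)
#define PDE64_DIRTY (1 << 6)
#define PDE64_PS (1 << 7)
#define PDE64_G (1 << 8)

// In-memory layouts of the 16-, 32- and 64-bit task state segments that the
// setup code copies into guest memory. Packed so the byte offsets match the
// hardware layout.
struct tss16 {
	uint16_t prev;
	uint16_t sp0;
	uint16_t ss0;
	uint16_t sp1;
	uint16_t ss1;
	uint16_t sp2;
	uint16_t ss2;
	uint16_t ip;
	uint16_t flags;
	uint16_t ax;
	uint16_t cx;
	uint16_t dx;
	uint16_t bx;
	uint16_t sp;
	uint16_t bp;
	uint16_t si;
	uint16_t di;
	uint16_t es;
	uint16_t cs;
	uint16_t ss;
	uint16_t ds;
	uint16_t ldt;
} __attribute__((packed));

struct tss32 {
	uint16_t prev, prevh;
	uint32_t sp0;
	uint16_t ss0, ss0h;
	uint32_t sp1;
	uint16_t ss1, ss1h;
	uint32_t sp2;
	uint16_t ss2, ss2h;
	uint32_t cr3;
	uint32_t ip;
	uint32_t flags;
	uint32_t ax;
	uint32_t cx;
	uint32_t dx;
	uint32_t bx;
	uint32_t sp;
	uint32_t bp;
	uint32_t si;
	uint32_t di;
	uint16_t es, esh;
	uint16_t cs, csh;
	uint16_t ss, ssh;
	uint16_t ds, dsh;
	uint16_t fs, fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint32_t reserved3;
	uint32_t io_bitmap;
} __attribute__((packed));

// Encodes `seg` as an 8-byte descriptor and stores it at the same index
// (selector >> 3) of both the GDT `dt` and the LDT `lt`. With g set, the
// limit is taken in 4K pages (seg->limit >> 12).
// Fix: the two high fragments were shifted by 48/56 bits, pushing
// limit[19:16] (bits 16..19) and base[31:24] (bits 24..31) past bit 63 of
// the 64-bit descriptor, so both were silently dropped. The descriptor layout
// puts them at bits 48..51 and 56..63 respectively, i.e. a shift of 32 from
// their position in the source values.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffff) /* limit[15:0]  -> bits 0..15  */
		      | (seg->base & 0xffffff) << 16 /* base[23:0]   -> bits 16..39 */
		      | (uint64_t)seg->type << 40
		      | (uint64_t)seg->s << 44
		      | (uint64_t)seg->dpl << 45
		      | (uint64_t)seg->present << 47
		      | (limit & 0xf0000ULL) << 32 /* limit[19:16] -> bits 48..51 */
		      | (uint64_t)seg->avl << 52
		      | (uint64_t)seg->l << 53
		      | (uint64_t)seg->db << 54
		      | (uint64_t)seg->g << 55
		      | (seg->base & 0xff000000ULL) << 32; /* base[31:24] -> bits 56..63 */
	dt[index] = sd;
	lt[index] = sd;
}

// Stores a 16-byte (two-slot) descriptor: the regular 8 bytes followed by a
// zeroed upper half in the next slot of both tables.
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);

	uint16_t index = seg->selector >> 3;

	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

// Points the SYSENTER/SYSCALL MSRs of vCPU `cpufd` at the fixed guest stubs:
// SYSENTER_CS = sel_cs, SYSENTER_ESP = ADDR_STACK0, SYSENTER_EIP =
// ADDR_VAR_SYSEXIT, STAR = (sel_cs << 32) | (sel_cs_cpl3 << 48) and
// LSTAR = ADDR_VAR_SYSRET. The KVM_SET_MSRS result is ignored.
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = MSR_IA32_SYSENTER_ESP;
	entries[1].data = ADDR_STACK0;
	entries[2].index = MSR_IA32_SYSENTER_EIP;
	entries[2].data = ADDR_VAR_SYSEXIT;
	entries[3].index = MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = MSR_IA32_LSTAR;
	entries[4].data = ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

// Builds a 32-entry IDT at ADDR_VAR_IDT, cycling through interrupt/trap gates
// of 16- and 32-bit code and task gates; gate fields are smuggled through a
// kvm_segment (selector in `base`, offset in `limit`) so that
// fill_segment_descriptor can encode them.
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = SEL_TGATE32;
			break;
		}
		gate.limit =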
guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; 
memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment 
seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; 
seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = 
kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); 
uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = 
SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; 
*(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); 
fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, 
&rlim);
	/* Isolation is best-effort from here on: a failed unshare() is ignored
	 * so the fuzzer still runs (with less isolation) when a namespace type
	 * is unavailable on this kernel/config. */
	if (unshare(CLONE_NEWNS)) {
	}
	/* Make the whole mount tree private so mounts performed below and by
	 * the fuzzed program do not propagate back into the host namespace. */
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is presumably CLONE_NEWCGROUP spelled numerically so this
	 * builds against headers that predate the constant — verify. */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	/* Raise SysV IPC limits inside the fresh IPC namespace. write_file's
	 * result is not checked, so a read-only or missing /proc/sys is
	 * tolerated. */
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
		{"/proc/sys/kernel/shmmax", "16777216"},
		{"/proc/sys/kernel/shmall", "536870912"},
		{"/proc/sys/kernel/shmmni", "1024"},
		{"/proc/sys/kernel/msgmax", "8192"},
		{"/proc/sys/kernel/msgmni", "1024"},
		{"/proc/sys/kernel/msgmnb", "1024"},
		{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/* Reap the sandbox child `pid` and return its exit status.
 *
 * Exits the whole process if clone() failed (pid < 0). waitpid(-1, ...)
 * also reaps any other child that exits first; those statuses are
 * discarded. Returns only the low 8 bits (WEXITSTATUS); a child killed by
 * a signal is reported as status 0. */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/* Drop CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets of the calling process using raw capget/capset.
 *
 * This is a deliberately narrow drop, not a privilege drop: every other
 * capability the sandbox holds (it is root in its own user namespace) is
 * kept, and the bounding and ambient sets are not touched. Only
 * cap_data[0] (capabilities 0..31) is masked — the `1 << CAP_*` int shifts
 * only make sense for capability numbers below 32 — and cap_data[1] is
 * written back unchanged. Exits the process on any syscall failure. */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/* Real (outer-namespace) uid/gid, captured before entering the user
 * namespace so uid 0 inside it can be mapped onto them. */
static int real_uid;
static int real_gid;
/* Stack for the clone()d sandbox child: 1 MiB, 64 KiB aligned. Its lowest
 * 4 KiB are made PROT_NONE in do_sandbox_namespace(), presumably as a
 * guard page. */
__attribute__((aligned(64 << 10))) static char sandbox_stack[1 << 20];

/* Entry point of the clone()d sandbox child (already in new user and PID
 * namespaces, see do_sandbox_namespace()). `arg` is unused. Never returns.
 *
 * Maps uid/gid 0 inside the user namespace onto real_uid/real_gid, enters
 * a fresh network namespace, builds a minimal root on a tmpfs
 * (bind-mounted host /dev and /sys, selinuxfs if present, a fresh proc),
 * switches to it with pivot_root + chroot, drops a couple of capabilities
 * and runs loop().
 *
 * Security notes for readers using this as a sandbox reference:
 *  - /dev and /sys are the *host* instances, bind-mounted recursively, so
 *    the fuzzed program can reach host device nodes and sysfs. That is the
 *    point of this sandbox (it is for fuzzing the kernel), not containment
 *    of a hostile workload.
 *  - If pivot_root fails the code falls back to chdir + chroot only, which
 *    keeps the old root reachable from the mount tree.
 *  - bind_mount_flags combines MS_BIND with MS_PRIVATE in a single mount()
 *    call. NOTE(review): the kernel processes MS_BIND before propagation
 *    flags, so MS_PRIVATE is presumably ignored here; it is harmless only
 *    because sandbox_common() already made the whole tree private —
 *    verify. */
static int namespace_sandbox_proc(void* arg)
{
	sandbox_common();
	/* Result deliberately unchecked: on kernels that require "deny" before
	 * gid_map can be written, the gid_map write below fails and exits. */
	write_file("/proc/self/setgroups", "deny");
	if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid))
		exit(1);
	if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid))
		exit(1);
	if (unshare(CLONE_NEWNET))
		exit(1);
	if (mkdir("./syz-tmp", 0777))
		exit(1);
	if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot", 0777))
		exit(1);
	if (mkdir("./syz-tmp/newroot/dev", 0700))
		exit(1);
	unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
	if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/proc", 0700))
		exit(1);
	if (mount(NULL, "./syz-tmp/newroot/proc", "proc", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/selinux", 0700))
		exit(1);
	/* selinuxfs may live at /selinux (older systems) or /sys/fs/selinux;
	 * absence of both is tolerated (ENOENT), any other error is fatal. */
	const char* selinux_path = "./syz-tmp/newroot/selinux";
	if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
		if (errno != ENOENT)
			exit(1);
		if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
			exit(1);
	}
	if (mkdir("./syz-tmp/newroot/sys", 0700))
		exit(1);
	if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
		exit(1);
	if (mkdir("./syz-tmp/pivot", 0777))
		exit(1);
	if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
		/* pivot_root failed: weaker fallback, chroot only. */
		if (chdir("./syz-tmp"))
			exit(1);
	} else {
		if (chdir("/"))
			exit(1);
		/* Detach the old root so it is no longer reachable. */
		if (umount2("./pivot", MNT_DETACH))
			exit(1);
	}
	if (chroot("./newroot"))
		exit(1);
	if (chdir("/"))
		exit(1);
	drop_caps();
	loop();
	exit(1);
}

/* Spawn the sandbox child in new user and PID namespaces on a dedicated
 * stack and block until it exits; returns the child's exit status.
 *
 * The lowest page of sandbox_stack is made PROT_NONE first (result
 * unchecked), so a stack overflow in the child faults instead of silently
 * corrupting adjacent data. The child starts 64 bytes below the top of
 * the stack. */
static int do_sandbox_namespace(void)
{
	setup_common();
	real_uid = getuid();
	real_gid = getgid();
	mprotect(sandbox_stack, 4096, PROT_NONE);
	int pid = clone(namespace_sandbox_proc, &sandbox_stack[sizeof(sandbox_stack) - 64], CLONE_NEWUSER | CLONE_NEWPID, 0);
	return wait_for_loop(pid);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/* Recursively delete the per-iteration work directory `dir` left behind by
 * the fuzzed program.
 *
 * Handles the debris a fuzzer leaves: detaches any mounts stacked on `dir`
 * and on each entry (umount2 until it fails), clears all inode attribute
 * flags with FS_IOC_SETFLAGS when unlink/rmdir hits EPERM (e.g. an
 * immutable or append-only file), tolerates EROFS, retries EBUSY after
 * detaching mounts, and re-scans the directory (up to 100 times) on
 * ENOTEMPTY. Any other failure exits the process. Entries are lstat'ed, so
 * symlinks are unlinked rather than followed. */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				int fd = open(filename, O_RDONLY);
				if (fd != 
-1) {
					/* Clear every inode attribute flag and retry the
					 * unlink; the ioctl result is ignored because the retry
					 * reports any real failure. NOTE(review): if open()
					 * fails, errno below is open()'s, not unlink()'s. */
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			if (errno == ENOTEMPTY) {
				/* Something re-created entries under us; rescan. */
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

/* SIGKILL the test child `pid` together with its process group and reap
 * it, storing the wait status in *status.
 *
 * Polls waitpid for ~100 ms first. If the child still has not been reaped
 * it is presumably blocked in a FUSE request whose userspace server is
 * gone, so every connection listed under /sys/fs/fuse/connections is
 * aborted by writing one byte to its `abort` file (the byte written is the
 * first character of the path buffer; the value is irrelevant). Then
 * blocks until the child is reaped; other children reaped on the way have
 * their statuses discarded.
 *
 * Security note: this aborts *all* FUSE connections visible in sysfs, not
 * only the child's. In the namespace sandbox /sys is the host's sysfs, so
 * unrelated host FUSE mounts can be aborted too. */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/* Detach whatever backing file the fuzzed program attached to this
 * process's loop device (/dev/loop<procid>) so the next iteration starts
 * from a clean device. A missing device or a failed ioctl is ignored. */
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

/* Per-test-child setup: die with SIGKILL if the parent dies, become a
 * process-group leader (so kill_and_wait() can kill(-pid)), and make this
 * process the OOM killer's preferred victim. */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

/* Smallest buffer syz_fuse_handle_req() accepts for a /dev/fuse read. */
#define FUSE_MIN_READ_BUFFER 8192

/* FUSE request opcodes (presumably mirrored from <linux/fuse.h>). */
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

/* Header the kernel puts in front of every request read from /dev/fuse.
 * `len` is the total request length including this header; `unique` must
 * be echoed back in the reply. Layout must match the kernel ABI. */
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

/* Reply header written back to /dev/fuse. `len` is the total reply length:
 * this header plus whatever payload follows it in memory. */
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

/* Table of canned replies supplied by the fuzzed program, one per reply
 * shape. Each pointer addresses a fuse_out_header that is followed, in the
 * program's memory, by the payload for that reply; any entry may be NULL,
 * in which case requests needing it get no reply. */
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

/* Send `out_hdr` (header plus the payload that follows it, out_hdr->len
 * bytes in total) to the FUSE device `fd` as the reply to `in_hdr`,
 * stamping it with the request's `unique` id.
 *
 * Returns 0 on success, -1 if out_hdr is NULL or write() fails. A short
 * write is treated as success.
 *
 * Security note: out_hdr->len is trusted as-is. It comes from the fuzzed
 * program's reply table, so a len larger than the backing buffer makes
 * write() read past it. That is by design for fuzzer input; do not reuse
 * this as a FUSE server. */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

/* syz_fuse_handle_req(fd, buf, buf_len, req_out): read one request from the
 * FUSE device `fd` (a0) into `buf` (a1, at least `buf_len` = a2 bytes) and
 * answer it with the matching canned reply from `req_out` (a3, a
 * struct syz_fuse_req_out*).
 *
 * Returns 0 on success, and also for FORGET/BATCH_FORGET which take no
 * reply. Returns -1 if req_out is NULL, buf_len is below
 * FUSE_MIN_READ_BUFFER, the read fails or is shorter than a request
 * header, the header's len exceeds the bytes actually read, the opcode is
 * not handled (e.g. FUSE_READLINK, FUSE_INTERRUPT: no case below), the
 * selected reply pointer is NULL, or the write fails. Nothing is sent to
 * the kernel in the error cases.
 *
 * Validation is minimal on purpose: the request is produced by the kernel,
 * and this helper exists to let the program drive the kernel's FUSE client,
 * not to be a robust server. Note the side effect for opcodes whose reply
 * is header-only (RMDIR, RENAME, ..., DESTROY): they reuse req_out->init
 * and overwrite its len with sizeof(struct fuse_out_header) in the
 * caller's memory, so a later FUSE_INIT answered through the same req_out
 * sends only the header. */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	/* The kernel-reported length must not exceed what was read. */
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		/* Header-only reply: borrow the init header and shrink its len. */
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

/* syz_execute_func(text): jump to the raw machine code at address `text`
 * and call it as a void(void) function; returns 0 if the code returns.
 *
 * This executes arbitrary bytes supplied by the program (the fuzzer's
 * intent), so the code may crash the process, never return, or clobber any
 * register. `p` and the empty asm with 14 register inputs are presumably
 * there to reserve stack space and keep registers live around the call —
 * the exact intent is not visible here. */
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), 
"r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 42; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 31 ? 50 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_execveat #define __NR_execveat 322 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: syscall(__NR_socket, 0x10ul, 3ul, 0xc); break; case 1: memcpy((void*)0x20000000, "./file0\000", 8); res = syscall(__NR_open, 0x20000000ul, 0x2000ul, 0x163ul); if (res != -1) r[0] = res; break; case 2: *(uint16_t*)0x20000140 = 0x1a; *(uint16_t*)0x20000142 = 0x10f; *(uint8_t*)0x20000144 = 7; *(uint8_t*)0x20000145 = 0xc7; *(uint8_t*)0x20000146 = 6; *(uint8_t*)0x20000147 = -1; *(uint8_t*)0x20000148 = -1; *(uint8_t*)0x20000149 = -1; *(uint8_t*)0x2000014a = -1; *(uint8_t*)0x2000014b = -1; *(uint8_t*)0x2000014c = -1; *(uint8_t*)0x2000014d = -1; syscall(__NR_recvfrom, r[0], 0x20000040ul, 0xeeul, 1ul, 0x20000140ul, 0x80ul); break; case 3: res = syscall(__NR_socket, 2ul, 5ul, 0x84); if (res != -1) r[1] = res; break; case 4: *(uint16_t*)0x200001c0 = 0x7ff; *(uint16_t*)0x200001c2 = 0x1ff; *(uint16_t*)0x200001c4 = 0x204; *(uint32_t*)0x200001c8 = 0; 
*(uint32_t*)0x200001cc = 0x803; *(uint32_t*)0x200001d0 = 0; *(uint32_t*)0x200001d4 = 5; *(uint32_t*)0x200001d8 = 0x800; *(uint32_t*)0x200001dc = 0; syscall(__NR_setsockopt, r[1], 0x84, 0xa, 0x200001c0ul, 0x20ul); break; case 5: memcpy((void*)0x20000200, "./file0\000", 8); *(uint64_t*)0x20000400 = 0x20000240; memcpy((void*)0x20000240, "^\000", 2); *(uint64_t*)0x20000408 = 0x20000280; memcpy((void*)0x20000280, "*,+\000", 4); *(uint64_t*)0x20000410 = 0x200002c0; memcpy((void*)0x200002c0, "-{$(%![\000", 8); *(uint64_t*)0x20000418 = 0x20000300; memcpy((void*)0x20000300, "\\[\000", 3); *(uint64_t*)0x20000420 = 0x20000340; memcpy((void*)0x20000340, "\000", 1); *(uint64_t*)0x20000428 = 0x20000380; memcpy((void*)0x20000380, "\000", 1); *(uint64_t*)0x20000430 = 0x200003c0; memcpy((void*)0x200003c0, "\261$}\000", 4); *(uint64_t*)0x20000640 = 0x20000440; memcpy((void*)0x20000440, "\000", 1); *(uint64_t*)0x20000648 = 0x20000480; memcpy((void*)0x20000480, "*/%}\\\\\000", 7); *(uint64_t*)0x20000650 = 0x200004c0; memcpy((void*)0x200004c0, "@[\000", 3); *(uint64_t*)0x20000658 = 0x20000500; memcpy((void*)0x20000500, "\000", 1); *(uint64_t*)0x20000660 = 0x20000540; memcpy((void*)0x20000540, ":\'\237^(\000", 6); *(uint64_t*)0x20000668 = 0x20000580; memcpy((void*)0x20000580, "],-.$\373\\}{)@-&/[\\!\000", 18); *(uint64_t*)0x20000670 = 0x200005c0; memcpy((void*)0x200005c0, "\000", 1); *(uint64_t*)0x20000678 = 0x20000600; memcpy((void*)0x20000600, "{{\'$(+-(}{}]?/--)\000", 18); syscall(__NR_execveat, r[0], 0x20000200ul, 0x20000400ul, 0x20000640ul, 0x1000ul); break; case 6: memcpy((void*)0x20000680, "/dev/hwrng\000", 11); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000680ul, 0x40000ul, 0ul); if (res != -1) r[2] = res; break; case 7: syscall(__NR_ioctl, r[2], 0x80404812, 0x200006c0ul); break; case 8: syscall(__NR_ioctl, r[2], 0x545d, 0ul); break; case 9: *(uint32_t*)0x20000704 = 0x9c76; *(uint32_t*)0x20000708 = 8; *(uint32_t*)0x2000070c = 3; *(uint32_t*)0x20000710 = 0x309; 
*(uint32_t*)0x20000718 = r[0]; *(uint32_t*)0x2000071c = 0; *(uint32_t*)0x20000720 = 0; *(uint32_t*)0x20000724 = 0; syscall(__NR_io_uring_setup, 0x509f, 0x20000700ul); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_unix_may_send\000", 22); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xaa; *(uint8_t*)0x20000041 = 0xaa; *(uint8_t*)0x20000042 = 0xaa; *(uint8_t*)0x20000043 = 0xaa; *(uint8_t*)0x20000044 = 0xaa; *(uint8_t*)0x20000045 = 0x29; *(uint8_t*)0x20000046 = 0xaa; *(uint8_t*)0x20000047 = 0xaa; *(uint8_t*)0x20000048 = 0xaa; *(uint8_t*)0x20000049 = 0xaa; *(uint8_t*)0x2000004a = 0xaa; *(uint8_t*)0x2000004b = 0xaa; *(uint16_t*)0x2000004c = htobe16(0x8137); *(uint16_t*)0x2000004e = htobe16(-1); *(uint16_t*)0x20000050 = htobe16(0x20); *(uint8_t*)0x20000052 = 2; *(uint8_t*)0x20000053 = 0; *(uint32_t*)0x20000054 = htobe32(3); memcpy((void*)0x20000058, "\x67\x51\x69\x65\xf0\x15", 6); *(uint16_t*)0x2000005e = htobe16(3); *(uint32_t*)0x20000060 = htobe32(0xa0); *(uint8_t*)0x20000064 = 0; *(uint8_t*)0x20000065 = 0; *(uint8_t*)0x20000066 = 0; *(uint8_t*)0x20000067 = 0; *(uint8_t*)0x20000068 = 0; *(uint8_t*)0x20000069 = 0; *(uint16_t*)0x2000006a = htobe16(0x8ca); memcpy((void*)0x2000006c, "\xd1\x8e", 2); *(uint32_t*)0x20000080 = 1; *(uint32_t*)0x20000084 = 3; *(uint32_t*)0x20000088 = 0x6f3; *(uint32_t*)0x2000008c = 0xd92; *(uint32_t*)0x20000090 = 0xd18; *(uint32_t*)0x20000094 = 0x98a; break; case 12: *(uint8_t*)0x200000c0 = 4; *(uint8_t*)0x200000c1 = 0x1d; *(uint8_t*)0x200000c2 = 5; *(uint8_t*)0x200000c3 = 1; *(uint16_t*)0x200000c4 = 0xc9; *(uint16_t*)0x200000c6 = 0x800; break; case 13: memcpy((void*)0x20000100, "\xc4\x01\x7c\x5a\x50\xf2\xc4\xa1\x63\x7c\x7a\x86\x2e\xf0\x42\x30\xb5\x0d\x00\x00\x00\x41\xd9\xf9\x3e\x42\x0f\xb7\xbc\xae\xb0\x00\x00\x00\xc4\xc2\xa5\x29\x14\x98\xc4\x82\xc9\xbd\xac\x33\xde\x79\x41\xf1\xc4\x01\xfc\x2e\x06\x66\x40\x0f\x38\x24\x1f\x67\x0f\xec\xfb", 65); syz_execute_func(0x20000100); break; case 14: break; case 15: 
memcpy((void*)0x200001c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x200001c0ul, 0ul, 0ul); if (res != -1) r[3] = res; break; case 16: res = syscall(__NR_read, -1, 0x20002500ul, 0x2020ul); if (res != -1) { r[4] = *(uint32_t*)0x20002514; r[5] = *(uint32_t*)0x20002518; } break; case 17: memcpy((void*)0x200046c0, "\000", 1); res = syscall(__NR_lstat, 0x200046c0ul, 0x20004700ul); if (res != -1) r[6] = *(uint32_t*)0x20004718; break; case 18: memcpy((void*)0x20004780, "./file0\000", 8); res = syscall(__NR_stat, 0x20004780ul, 0x200047c0ul); if (res != -1) r[7] = *(uint32_t*)0x200047d8; break; case 19: res = syscall(__NR_getresgid, 0x20004840ul, 0x20004880ul, 0x200048c0ul); if (res != -1) r[8] = *(uint32_t*)0x20004840; break; case 20: memcpy((void*)0x20000200, "\x26\x92\xd6\x23\x14\x8a\x34\xae\xe9\x68\xf5\x55\x2f\xef\x58\xad\xeb\x13\x83\x51\x31\xaf\xc9\x60\x2c\x0e\xba\x53\xa1\x39\x39\x2d\x14\x0b\x6e\xeb\x57\x19\x84\x01\x7f\xbc\x1a\x93\x6a\xca\x42\x7a\xd0\xe7\x40\x52\x4f\x63\x07\xf1\x8e\x1c\x7d\x95\x4a\x0b\xa7\x44\x23\x67\xd4\x5b\xae\x51\x50\xe1\x25\x43\xdc\x5d\xd0\x3a\xa5\x69\x90\x39\xf2\xf6\x27\xb3\xd1\x04\xe0\x0f\xfa\xea\x42\x63\xfc\x86\x95\x3e\x5e\x3a\xb9\x76\xc9\xf6\x6a\x21\x3d\x67\x57\x3b\x60\x44\xbf\x6f\xaa\x8c\x17\xd5\x1b\x55\x50\x43\x8f\x9a\xc6\x58\x9d\x2c\xb2\xbc\x4e\x11\xcb\xf8\xa2\x54\x59\x4a\x82\xab\x89\x87\xf8\xad\xe2\x0d\x85\x42\xac\x71\xff\x84\x7b\x22\xe6\x7d\x2d\xdd\xa8\xf4\xba\x5f\x53\xfb\xf1\x77\x00\x91\x32\xba\xa5\x78\x6a\x7b\xe3\x1e\xc6\xc5\x92\xcb\xa5\x3c\x5c\x8a\x7b\xa1\x9d\xb0\x28\x6b\xff\x1d\x01\x78\xda\x1e\x4e\xa1\x08\x19\x43\x9a\xce\x53\x7a\xc5\xf4\x7a\x1c\x8b\x74\xfa\x67\xfc\x4e\x1b\xf9\x22\x92\xa9\xec\x65\x7b\x5e\x30\x03\x14\x6a\x1c\x56\x90\x85\x5b\x05\xcf\x75\xa0\xb1\x1a\xb9\xba\x73\x8a\x3d\xc1\x77\xd5\xf7\xe7\xfa\x6b\x46\x5d\x05\xe5\x13\xa2\x19\x48\x10\x89\x26\x5f\x56\x6e\x6b\xd0\xcc\x9e\xe1\xfb\x10\x0f\x85\x12\x86\xe6\x57\x21\xf6\x01\xc8\x3f\x7a\x74\x09\x79\xb3\x84\x8f\x57\xfb\x00\x81\xef\xca\x45\x72\x0c\xcf
\xd8\xa4\x90\x4f\x24\x81\x51\xb2\x42\x13\x2a\x4b\x45\x53\x0a\xe5\x44\x2f\xf7\xa5\x1b\xb5\xc5\x99\xcd\xa7\xe1\x0e\x1b\x4d\xe5\xc8\x0f\x52\xcc\x3d\xda\xc7\x51\x3f\xe1\x48\xbd\xbc\x5d\xa2\xe0\xc2\xb3\x91\x90\xd8\xf9\x0f\xcd\x45\x95\x03\xa4\xcb\x8f\xec\xe5\x51\x82\xcf\x72\x72\xa5\x22\xe5\x62\x61\x20\xc7\x33\x5c\x5a\x37\xc7\x2d\x40\x0f\xed\xc5\x88\x73\xc5\x96\x0f\x6c\xab\x80\x7a\xc2\x39\xd0\x24\x6a\xba\x2e\x84\x4b\x68\xb1\xac\x4a\xd6\xd2\xbb\xce\xdc\xb3\x5a\x67\x48\x64\x71\xe4\x45\xaf\x55\x99\x02\x70\xae\x09\x79\x68\xda\x00\x15\x7d\xd2\x21\xde\xa2\x43\x8d\x16\x62\x3c\x52\x82\x0f\x0d\x24\xe3\x9c\x04\x24\xee\x40\x48\x4f\xb0\xd9\x64\x19\xf5\xe2\x81\xd0\xe9\xe1\x78\x36\x68\x20\xdd\x5c\xa4\xa0\xc4\x5d\xee\xb3\x6c\xb9\xe2\x46\xbe\x67\x14\xce\xb0\x34\x7b\x0c\x30\x9c\xc5\x30\x22\x37\x4f\x73\x30\x35\x36\xe5\x93\xc5\x75\x88\xb8\x83\x90\x3e\xa5\x81\x33\x77\x36\x00\x20\x1a\x7b\x55\xdd\x5c\x01\xaf\x52\xe9\x0e\xc5\x24\xab\xd9\xf4\x7b\x3d\x71\x85\xc4\x82\x59\xbf\x5a\xa7\x6f\xea\x9d\xa9\x82\xb2\xc4\xa6\x10\x65\xdf\x2b\x06\x67\x32\x10\x35\x03\x96\x9e\xef\xaa\x23\x14\x1c\x8b\xec\xb3\x5c\xaf\x76\x02\xe9\x81\xc3\x06\x73\x99\x1b\x46\xd5\x4a\xb2\x76\x4b\xf5\xec\xc3\xf1\xa8\xe0\x00\xb1\x16\xb7\x69\xd8\x26\x25\xae\x94\x18\xb5\x23\xaf\x00\xf3\xcf\xb0\xeb\x65\xc9\x16\xf6\xa6\x24\x52\xf8\x10\xb2\x0c\x3e\x7c\xec\x7d\x61\xfe\xf5\x5f\x63\xd1\xda\x4a\x3f\x86\x8b\xbc\xfd\x86\x7e\x13\x0d\x3c\x7c\xe5\x22\x46\xef\x76\xed\xa2\x91\x6f\xbb\xdf\xd5\x06\xdb\xc2\x28\x9d\x00\xfb\xc8\xfd\x10\x0c\x45\x78\x69\x8d\x22\x03\xdf\xfa\xb9\x01\x8d\x6f\x19\xae\x19\x9f\x16\x59\xc3\xf7\x81\x57\x68\x0c\xf9\x80\x59\x7a\x12\x6b\x99\x4b\xdd\x64\x60\x96\x53\xdc\x0d\xdb\x55\x6c\x3a\xf8\x38\xa0\xa4\xa9\xbd\x70\x51\xe4\x52\x47\x91\x3c\xc3\x5b\x9d\x9f\xf3\x68\xff\xdf\x4e\x7f\xad\x83\xa5\x2f\x8a\x02\x61\xc3\x31\xb6\xef\x22\x6f\xe6\x76\xac\x1a\x9c\xf0\xcb\x00\x13\x85\xce\x35\xb0\x9d\xf3\xae\xca\xa3\xd8\x16\xf2\xaf\xc6\x2c\x27\xae\xe5\x25\xf7\x2f\x2d\x31\xee\x0b\x21\xc4\x47\xf8\x09\x01\xa6\x5c\x77\x06\xd0\x7f\xf9\xb2\xd7\xbd\xe9\x2b\xc7
\x9d\x85\xf8\x43\x1d\x46\x8a\xc8\x5e\x51\xac\x3a\x20\x9c\xea\x07\x28\x1e\x7d\x19\xc1\xf5\x2b\x5f\x01\xbd\xb0\x53\x97\x8c\x93\x33\x99\xb3\x5a\xc7\x7a\xa4\xa1\xe6\xf1\x82\xd2\x50\x27\x1c\xa3\x3c\x37\x91\xb1\x5a\x93\x1b\xcd\x32\xac\xe1\x92\x53\xf1\xa9\x04\x4a\xfa\x49\xc1\xa0\xdd\xc8\x2e\x95\x90\x7f\x60\xb7\x97\x1e\xc0\x10\x78\xe1\x37\xd1\xbc\xeb\x0c\xf8\x6f\x64\xcd\x6c\x19\x2c\xbf\xc3\x0b\x44\x78\x61\x7f\xe5\x2a\xa9\x43\xe6\x1a\x18\x2b\x1b\x0b\x21\x07\xd0\xc5\x4f\x4f\xa7\x31\x67\x9a\xf9\x5c\x32\xd1\x89\x14\xd6\x95\x9b\x9f\xa9\x6a\x0a\xac\x1c\x49\xad\xc6\x1f\x5f\x11\xb5\x44\x55\x73\x42\xc1\x42\x76\xbe\xea\x12\xfa\x71\xcd\x30\xa7\x31\xbd\x06\x4e\x9c\xfd\x0f\x9e\x4b\xe9\x66\xf7\xbd\x1c\x1b\x4f\xd7\x06\xb8\x39\x3e\x6e\xfb\x1c\x9f\x97\x52\x6f\x67\xd2\xe9\xcd\x5e\x17\x6d\xc6\x0c\x27\x4b\x30\x06\x1e\x1a\xb6\xa2\xd0\x04\xb8\x3a\xdb\x08\xf1\x98\x3b\xae\xab\x99\x04\x72\xbe\xff\x23\x41\xde\xf4\x7e\x0d\xd4\x11\xb0\x69\x1f\xd0\xa6\x5e\xa6\x6d\x16\xa4\xa4\xee\x94\xc4\xd1\xa5\xce\x6b\x3c\xfc\x87\x34\x81\xb0\x41\xfb\x30\x05\x61\x4c\x1c\xf8\x41\xee\xab\x27\xe0\x35\x98\xef\x94\x59\x8e\xd3\x0c\x3f\xd3\xee\x19\x20\x7a\xea\x2a\x8d\xbc\x3f\x60\xa6\xd9\x7e\x30\xc5\x8f\x32\x4b\xca\xf5\x71\x38\x8f\x9e\x83\xe0\x76\xcf\xdc\x06\x63\xcf\xe9\x3f\x5a\x3f\x19\x29\x9e\x74\x12\x10\xf6\xa8\x50\x1a\x72\x38\xb1\xcb\xd6\xe9\xf8\x29\x34\x5c\x33\x7c\x62\xb7\xcd\xb0\x24\xef\xc4\xff\x11\x62\x8c\xb1\xee\x4f\xda\x07\x27\x82\xbb\x69\x93\x2b\xa6\xde\xe1\x22\xcb\x37\xfe\xd6\x96\xde\xa1\x1c\xc2\x5e\xb2\xb5\x67\x8c\x7d\x0b\xd1\xdd\x05\xf3\x5d\x1d\x02\xad\xdf\x12\x95\xa1\xeb\x0b\x25\x99\x59\xa7\xb2\x90\xe6\x1f\x24\x79\x69\x15\x88\xac\x52\x09\x81\x90\x2f\x5a\xb0\x61\x62\xe9\xcf\x5f\x05\x85\xf5\x40\xd9\x0c\xd8\x38\x1d\xe3\x3d\x0a\x0a\x24\xda\x6f\x23\x1d\x3a\x68\x4c\x92\x5d\x73\x6f\x25\x34\xa5\x7e\x48\xd9\x19\xd5\x55\x19\xc5\x75\xbb\x54\x1d\x63\x8e\x0e\x40\x11\xf8\x41\xa5\xac\x33\x1d\x48\x89\x35\xc4\x4c\x2b\xce\x1c\x2a\xc3\xe8\x48\x6e\x46\x5c\xde\xe8\xeb\x51\x3d\x3c\x1b\xb3\xb3\x8c\x5d\x15\x7c\x04\xd5\x76\xd6\x75\xe0\x0b
\x30\xc2\x99\xe2\x11\xf8\xf2\x4a\x7a\x05\x3b\x42\x70\xd2\xac\xfa\x3a\xa6\x34\x34\x28\xd9\x2b\x6d\xb1\x4c\x15\x58\xa8\xdd\x58\xbb\x9c\x8c\x4b\x1b\x49\x35\x77\x3d\x14\x06\x11\x79\x3c\xca\xd5\x4f\xdc\x52\x30\xda\x4d\xfd\xa3\xb6\x0c\xc0\x76\x6e\xfc\xc6\xa3\xb7\x19\x00\xa5\x0e\x2c\x3e\x68\x27\xb9\x8c\xc1\x8c\xcd\x8f\xf7\x98\x24\x7f\x37\x48\x57\xd0\x62\x1e\x32\xbb\xf0\x48\x24\x74\xde\x0d\x42\xdd\xba\x78\x23\xe6\x33\xf1\x65\x8e\x7f\x6a\x36\x1c\x32\xe2\x45\x9c\x2b\xeb\x02\x9a\x8a\xfa\xa3\x12\x89\xe4\x87\x10\x45\x67\xd4\x0c\x81\xcc\xf5\xae\x2a\x2e\x6b\x34\x4f\x5c\x11\x0d\x7c\xe2\x30\x1f\xf2\xc2\x5f\xd8\x43\x84\x39\xa5\xea\x16\xa4\x46\xfc\x7e\x27\xf2\xcb\x06\x89\x44\xe4\xd8\xc9\x29\xc4\x64\x5f\x49\x4c\x2f\xd1\xb0\x25\xbf\xda\x11\x19\xf9\x08\x8f\x70\x7d\x66\x2c\x11\x95\xf8\xe4\x30\x8c\x47\x0b\x76\x24\x50\x99\x33\x2f\x61\xb2\xc9\xcc\x77\x87\x1c\xb2\x0c\x4e\xbe\xaa\x63\xe5\x3a\xdd\x25\xdf\x15\xc5\x62\x85\x85\xfe\x88\x6a\x73\xe3\x82\x56\x7c\x41\xce\xbd\xf2\xf3\x3f\x71\x68\x74\x7c\xe2\x4a\x22\xfa\xfe\xb2\x9c\xd0\x21\xa9\x2e\xc8\xfc\x27\x2d\xad\x24\x59\x8e\xbd\xae\xc2\xdc\xc4\x73\x73\xef\xa9\x7c\xac\xff\xda\xce\x15\x0e\x99\x51\x0b\xf3\x7b\xaf\x40\xa8\x17\xd9\x3d\x87\xa4\x8f\xab\x15\x3a\x10\x64\x82\x1e\xb5\x04\xa4\xeb\xa3\xab\x66\xd1\xec\x05\x7c\xf6\x4e\xe1\x1a\x6a\xd4\x05\x84\xfa\x76\x56\xa3\x98\x4c\x20\xe4\x94\x01\x3f\x83\x43\x0d\x76\x0c\xd6\xea\xa6\x04\xb5\x99\x55\x0d\xcb\xa7\x20\x85\x5e\x73\x5d\x62\xd4\x20\x07\x6c\xca\x07\x11\x5d\x4e\x37\x1c\x3d\x64\x1c\xb6\xcd\xb9\x69\xbd\xef\x10\x13\x7b\x8d\x7f\x39\x9a\xbe\x3e\x24\x36\x53\x5c\x30\xc7\xb9\xa8\x42\xfb\x31\xd3\x22\x43\x4e\x73\xb9\x5c\x0f\x5d\x45\x45\x11\x6b\x78\x8e\xa0\xfd\x47\x3a\xb3\x2c\xfb\x4c\xd7\x22\x49\x48\x91\x37\x72\xe8\x39\x2d\x89\xbf\x5c\x4e\x55\x11\xd2\x67\x20\x1c\xff\x62\xbd\xc0\x46\x8f\x96\xd9\xe8\x53\x23\x49\x5e\x92\x5e\x61\x14\x0f\xb4\x19\x41\x7b\xc3\xf8\x03\xa8\x0d\x0a\xf3\xb8\xc3\x1c\x2f\x63\xde\xe9\x17\x41\x13\xf8\xe6\xe5\xc9\x3f\x47\xd8\x48\x64\x22\xa5\x69\x6b\xc0\x58\x43\xf7\xd0\x7f\x10\xeb\x3b\x5f\xbc\x2c\x37
\x8f\x6e\x8a\x97\x5d\xeb\x6c\x04\xed\x20\xc6\x73\x84\x6e\xcc\x19\xd6\xdf\xcb\x19\x82\xff\x83\xa7\xdc\xa9\x2e\x81\x67\xe5\xdf\x64\x37\xb8\x48\x34\xfd\xe1\xcb\xfc\x44\x11\x05\xd0\x62\x18\xa2\xe0\xa5\x59\x17\xee\x27\x6f\xa7\x25\xb9\xf1\x6a\x94\xc6\x7b\x68\x4b\xc7\xb6\x88\xed\xba\xe7\x43\x82\xcb\xa7\xea\xc9\xf0\x17\x72\xc8\x91\x94\xd4\x4e\xea\x3c\xab\xc0\x02\x56\x26\x43\xc0\x15\x29\x09\x2f\xf6\x62\x9d\xe9\x6a\x77\x16\xf9\x23\x18\xa6\xcf\x70\xcd\xb8\xfd\xa8\xe3\xd0\x13\x06\xea\x91\x58\x0b\x6d\x97\x08\x08\x55\x2f\x45\xf5\x75\xc3\xaa\x63\x8f\xc5\x1a\xbd\xd8\x53\x5a\x05\x84\x07\x25\x88\x51\x8f\x93\x91\xb2\xd7\x89\x14\x73\x12\xa5\x8d\x0a\x15\xb6\x4b\xf9\x08\xf2\x49\x91\x3f\x14\x16\x71\x75\x10\x03\x54\x71\x50\xd4\x9f\x47\x2d\xbe\xd4\x08\x43\x24\x93\x70\x57\x59\x92\x9f\x61\x9a\x90\x1b\xf4\x1e\xd2\xe4\xd1\x2d\x63\x54\xaf\x21\x98\x40\xe6\x96\xae\x26\xd4\x0f\x01\x0f\x05\x86\x06\x8e\xfb\xbd\x4a\x63\xaf\x99\xae\xbd\x53\x05\xa8\x80\x13\xed\x74\xde\x00\x39\x90\x11\xdd\x8d\x0d\x54\x4b\x90\x70\x09\xf3\x61\xac\x6f\x66\xca\x0a\xc4\xfa\xe8\xee\xa5\x65\x42\x59\x9b\x16\x7b\x8f\x13\x2d\x2b\xc2\xb5\x7c\x73\x46\x53\xc0\x21\x4f\xcb\x4e\x3a\x50\x98\x23\xaa\x2e\xa6\x2a\xef\xd8\xd3\xa8\xf2\x7c\xea\xd3\xee\x3f\x27\x66\x98\x71\x27\x70\xad\xdc\x99\xcd\x31\x11\x2d\xaf\x0e\xde\x7c\x57\x7f\xcb\xae\x2e\x64\x04\x7b\xd3\x62\x4d\xcc\x04\xcf\xb6\xcd\x19\x4b\x79\xf1\xb5\x3b\x99\x0a\x44\x36\x28\x12\x3f\xbe\x9b\x2a\x3b\x59\x8b\xee\xab\xdb\xb7\xcf\x4d\x9c\xd8\x7b\xe2\xac\x84\xee\x3f\xe7\x43\xd7\x2e\x89\x84\x20\x4b\xab\x46\x3c\x89\x6d\x13\xc1\x22\x7b\x70\xa8\x87\x12\xb7\x7d\x22\x1e\xfa\x65\x40\x98\xb3\x85\x71\x46\x8f\xf9\xbf\xf1\x0b\xb0\xd3\x0f\xe6\xae\x7a\x1f\x62\xc4\xf6\x06\x6b\x55\xf3\x2b\x05\x47\xde\x75\xab\x1c\xac\x8e\x98\x6d\x89\xfc\x30\xa3\x62\xd7\x30\x8d\x09\x32\xcd\xd4\x4d\x8a\x23\x48\x60\xb6\x08\x09\x0a\xa5\xe1\x6b\xef\x4e\x44\x32\x7b\xa1\x86\x67\x91\x5e\xc6\x5c\xa7\x72\xf8\xdf\x52\x10\x5b\x37\x00\x87\xfb\x1c\xbd\x6d\x11\xa9\x53\x62\x23\x2e\x5f\x6f\xce\x3f\x34\x3c\xd9\x62\xbe\xc2\x77\xf3\xa6\xaa\xcb\x82
\xdf\x97\x53\x1b\x3a\x6f\xfd\xd2\x24\x45\x4b\xfc\x8a\x6c\x2e\x0b\x9c\x86\x44\x9c\x04\x3f\x39\xce\xb9\xaf\x5c\x42\x36\xe3\x22\x1c\x2e\x25\x9f\xa8\xf1\x28\x4d\xf6\x33\x4a\x2a\x24\x73\x3d\xba\xd6\xea\x99\x0a\xa3\xef\x97\x98\xe2\xf7\x85\xbe\x3d\x5a\x44\x30\x54\x97\xa1\xf5\x25\xf7\xde\xe1\xf7\xea\x82\xc7\xd5\x05\x59\xc5\x1d\xac\xc6\x17\xf6\xf7\xee\x56\xb6\xc5\xbc\xa2\x70\x18\x99\x24\x5c\xbe\xcb\x33\xcc\xdd\xf0\x0a\x16\x89\x46\x82\x08\x5f\x40\xd2\xf6\xf6\xb0\x3a\x16\x32\x06\x31\x1f\x98\x07\x72\x61\xcd\x76\xf4\x39\xce\xd0\x44\xb5\x25\x11\x2d\xeb\xd3\x1e\x4c\x7a\x90\x77\xbd\x82\x02\x17\xa8\x8b\x4d\x8e\x3e\x76\xda\xc4\x5b\x15\x01\x9e\x01\xde\xed\xc9\x43\xb3\x57\xab\x2d\x79\x00\xd9\x91\x57\xaf\x47\xdf\xc5\x97\x17\x91\xb2\x56\x65\xe9\x53\xdb\x69\xce\xfc\xea\xc8\x7a\xef\x83\x89\x36\xae\x73\xd2\xd2\x59\x83\xb2\x06\x60\x99\xc4\x74\x1a\xf8\x80\x48\xc7\xf8\x65\x31\xf2\xb8\x2d\x6e\x05\xb2\xee\x75\xf4\x72\xd9\xdf\x9c\x3e\xe9\x39\x8f\x6f\xe6\x8e\x0b\x52\x1c\x36\xa2\x42\xe2\xd6\x75\xf4\xd9\xda\x55\x21\x42\x74\x36\x31\xa4\xf2\xb6\xc0\x11\x47\x57\x53\xa7\x4f\x7f\xef\xc9\xd7\x2d\x3f\x9f\xb2\xbd\xcc\x71\xd6\x67\x32\xab\xe5\x0d\xd5\x78\xb6\x9b\xd0\x29\xb4\x5b\xca\x70\x8e\x87\xc0\x98\xaf\x90\x28\x4b\x4f\xbd\xdc\xc6\xfe\x16\x3a\x00\x09\x70\xd6\x54\x7c\xfd\x18\xcc\x8a\x11\xba\x22\x63\x8e\xe6\xeb\xa9\x10\x29\xf5\x25\x94\xa0\x42\xe9\x6e\xd7\x08\x01\x84\x59\x3f\x21\x09\x12\x6c\xbd\xe1\x31\x7a\x94\xa5\x62\x13\xad\x11\xae\x1c\xcf\x0a\x58\xa4\x5d\xbc\x81\xd0\x80\x9c\x59\x07\x3f\x8a\x9e\x17\x67\x4a\x47\x6d\x03\x37\x41\x4b\xfc\xff\x7c\xa6\x94\x92\x18\x46\x7c\x88\x50\x83\x9e\x55\xc9\xc7\xad\x9d\x51\xa6\x4a\x9d\x2b\x4b\xbb\x17\xa3\x65\x38\x94\x83\x45\x45\xbc\x28\x6c\x10\x8b\xb3\x13\x45\x57\x9a\x2b\x0b\x96\xf6\xa5\x73\x89\x79\x05\x19\xd4\x41\x3a\x96\x48\x82\x0e\x78\x46\xc5\x7a\xca\x47\x92\x49\x52\x23\xfc\xc0\x29\xd0\x70\xf1\x8f\x24\xac\x66\x58\x79\xd7\xa1\x97\xc7\x8c\x5c\x05\x18\x5a\xf7\xc1\x11\x40\xc7\x8a\x35\xe9\x1d\xe5\xc0\xc5\x3f\xbc\xd1\x35\x0c\x27\x53\x6d\x28\xd5\xf5\x18\x69\x6b\x97\x13\x6d\x3f\x20
\x35\xf2\x6f\xaa\xd5\xff\xe0\x4d\xfd\x5d\xcc\x09\xb1\x29\x90\x51\x95\x57\x9d\xd1\x5c\x8c\x98\x67\x62\x36\xeb\xd0\x2b\x6c\x2e\xf3\xe6\xeb\x15\xd8\x7c\x20\x6c\x39\x04\x6f\x2d\xbc\xef\x9a\x45\x23\xf2\x55\xf4\x45\xc3\xdd\x82\xc1\x40\xb2\x95\xa4\xa9\x0f\xa3\x0a\x28\x47\xff\x41\xef\xee\xa8\xf6\x30\xd4\xa5\x51\x27\x95\x38\x0a\xf7\xd1\x71\x3a\x6b\x29\x76\xdd\x74\xde\x50\xc3\xfe\xb4\x2b\xdd\x4c\x02\x58\xe4\x56\x17\x35\x8f\x18\xa2\x8b\xe1\x1b\xad\x5b\x5b\x79\x10\x3e\xe1\x27\x7c\x76\x1e\x12\x90\x1e\x49\x97\xf3\xb9\xd4\x49\x91\x72\x17\x6c\xdd\x12\xb6\x80\x7b\x23\x6d\xaf\x3d\xc0\x58\x72\x95\x64\x37\x81\x6c\x70\x6f\x3c\x36\x7d\x7e\x2c\x23\xe9\x6b\x1f\xe9\x65\x96\xdb\x88\x05\x07\xe2\x82\xfb\xe2\x3f\x21\x71\xb2\xf6\x85\x5d\x22\x17\x4a\x1a\x4b\x15\xed\x8a\xbd\x51\xca\x09\x3d\x46\xf0\xe2\xd0\x52\x98\x16\x8c\x23\x9e\x62\xd8\x9f\x74\x06\x74\x38\x8c\x24\x01\x8c\x47\x83\x2a\x87\x64\x40\x48\xd4\x36\xd6\x5c\xd7\xa2\x10\x28\x2b\x1f\xc8\x26\xf0\xcc\xdb\x66\x97\xd0\x11\x2b\x2a\x88\xe3\x95\x30\x8d\x42\x1a\xad\xa7\xa0\xe7\xd7\x6e\xca\x0a\x60\x73\x83\x02\x18\xc8\x3e\xd7\x94\x19\x48\x59\x60\x57\x20\x97\xcb\x62\x6c\x6f\x84\x67\x57\x90\x95\xdc\x22\x63\x20\x43\xdc\xe6\xb6\x7e\xaa\x79\x3a\x2a\x89\x82\x2f\xdc\x26\x6f\x5a\x61\x1a\xa1\xc6\xb8\x45\x99\x8a\x82\x80\x05\xfe\x79\x89\x25\x3c\x37\x61\x3e\x89\x23\x48\xad\x73\x32\xe3\x34\xaf\xb5\xa7\x08\x7e\x89\xac\xe2\xf3\x61\xd6\x6f\x27\x7d\xfa\xfa\x12\x66\x77\xe8\x33\xfd\x0b\x2c\xe4\xd2\x27\x93\x7c\xdf\x60\xa8\x82\x66\x94\x11\xd4\x45\x0b\x7e\x85\x9b\x82\x47\xad\x2e\x45\x74\x2e\xcb\x60\x57\x52\xf2\x14\x8d\x07\x5e\x1d\x14\x5a\xdd\x18\x47\x48\xc6\xec\xe9\xba\x26\x7b\x7a\x6d\xf9\x22\x9a\x62\xbb\x9b\xee\x7d\x7e\x92\x5d\x6e\xb9\xae\x96\xad\xef\x93\x7c\x03\x0c\x7d\x2b\x91\x9f\xc4\x63\x6a\xd6\x33\x13\x60\x45\x7d\x06\xd8\xc4\xf6\xdc\x10\xe3\x06\x55\x22\x60\x2b\x84\x1f\xb3\x67\x8e\x9d\xab\xf0\x7d\x5f\xc3\xfe\x39\xda\x21\xd4\x61\xe1\xa4\xac\x64\xa0\xd3\x35\x6f\x93\x62\x28\x00\xf0\x07\xbe\x4e\xe1\x3c\xc4\x65\x4c\x89\x47\xff\xd1\x1b\xf7\x59\x8f\x50\xbf\x27\xdf\x75\xf8\xda
\xef\xd9\xbd\x19\xcc\x3b\x6a\x06\xb2\x53\xe8\xb5\x90\x62\x1c\x66\xda\x76\x49\x6a\x87\xbe\x33\x53\xfb\x1c\xc5\x64\x36\x6b\x09\x79\xa8\x8c\x52\xb8\xdd\xae\xee\x89\x93\xf6\xa0\xa3\xa5\x43\xa9\x31\xea\x4e\xae\xe9\xd9\xe7\x00\x1e\x23\x49\x14\x4c\xd7\x46\xa2\x56\xdf\x92\xa4\x60\x24\xc7\xa3\xb3\xcb\x60\x7a\x74\x99\x87\xc9\x85\x60\x15\xb8\x6a\x23\xe4\x39\x4f\x64\xf9\x09\x97\x4a\xb0\x76\xb5\xd6\x49\x28\xfc\x9d\x1b\x4c\xba\x75\xbd\xa9\xe1\xd4\x62\x0c\xac\x6f\x08\xcb\xf7\x57\xde\x6f\x29\x11\xc3\x4e\xa0\x84\x81\xa3\x83\x20\x14\x47\xc2\xde\x6e\x37\xc0\x7d\x03\x38\xf1\x6a\x9a\x73\xfe\x67\x1a\x68\x4a\xe4\x5c\x87\x4f\xf1\x98\x15\x06\xe3\xfc\xa4\xe1\xf1\xdc\x9e\x58\xf9\xde\x6b\x96\xf8\x5e\x31\xa3\xc1\x6d\x3a\x11\x88\x0b\xb1\xcb\xc2\x23\xd0\xb9\xf3\xa6\xc4\xa6\x67\x1e\x29\xfe\xa6\x7a\xe9\xf1\x09\xe2\x63\xc3\x17\x95\xb3\x80\x16\xb8\x29\xd4\x1d\x0d\x54\x0f\x7f\x9b\xc5\x22\x02\x7d\xbc\xa4\x94\x5d\x95\x8e\x0b\x14\xc9\x02\x0e\x7e\x0d\x96\x2d\x93\xf6\x1d\xf3\x53\xbb\x18\x42\xb2\x89\xb5\xeb\xb7\xd0\xd8\x3e\xb0\x5f\x31\xe3\x45\x73\x46\xd1\xbc\xf8\x83\x35\x4e\x9a\x24\x7c\x78\xbc\xdf\x11\x45\x0b\xd3\x62\xf4\xe0\x9f\x9b\xc8\x1e\xa9\x28\x23\x05\xdf\x3a\xed\x85\x34\xb1\xf5\xc1\x5f\x58\x12\x7b\x85\x1e\x04\x5a\x0c\x54\x19\x3b\x5b\x11\xbe\x18\x75\x56\x3f\x86\x8e\xfe\x9a\x6a\xd8\x30\xca\x44\x36\x78\x6d\x79\x36\x4e\x19\x30\xd4\x55\xfa\xa6\xeb\xef\xe8\x6e\xce\x76\xa8\xb8\x95\x2d\xff\x2d\x3b\x83\xdd\x8b\xa4\xfd\x7c\x1c\xf9\x12\xa2\x2f\x65\x11\xc3\xcc\x11\xbd\x2f\x04\x69\x0a\xcd\xb3\x8f\x7e\x14\x20\xbc\x15\xe5\x74\xad\x12\x96\x55\x75\x44\x40\xd2\x90\x13\xc6\x98\x61\xd4\x7a\x42\x90\x6c\xee\xaa\x05\x1e\x2e\xfa\xde\xae\xa9\x97\x77\x9e\x05\xdd\x91\x22\x97\xa4\xff\xa9\xaf\x33\xfe\x81\xe7\x20\x67\xc3\x6e\x81\xc4\x86\x53\xd6\x9f\x2a\x2b\xa9\x17\x14\xd5\x10\x4e\x0e\xa1\xe6\xe9\x20\xa4\x40\x24\x05\x98\xdc\x62\x8e\x82\x05\xc3\x31\x3a\x0b\x03\xb7\xfe\xd3\xa8\x78\x8f\xb2\xa6\xde\x07\x22\x6c\x58\x9e\xf3\x37\x08\x22\x14\x38\x1c\x98\x00\xd7\x03\x63\x81\x83\xda\xdf\xf3\x17\x14\x17\x0b\xc4\x02\xb2\x71\xef\x6c\x23\x5c\x12
\xc9\xfa\x67\xc7\xbd\xa8\x0d\x63\x17\x15\xee\x1e\xd4\xdd\xa1\x07\x34\x7d\x14\x3f\x91\xec\x47\x0c\x20\x77\xc2\x77\x52\x4f\xe7\x8a\x23\xfa\xb2\x05\xfa\xb0\x8b\x1c\x25\x8f\x4b\xe4\x97\x59\xd1\xf1\x83\xa2\x1e\x40\x0a\x53\xa7\x24\x93\xa1\x7c\x23\xdf\xa1\x73\x21\x22\x57\x4b\x55\xa7\xf2\x66\x3b\xb0\x01\x7d\xdb\x2f\x47\x2e\xab\xd8\x7e\x40\x76\x95\xbc\xe8\x4c\x15\xf4\x30\x91\xbf\xc0\x6d\x4a\x52\x46\x72\xbf\x25\x15\x21\x85\x61\xe7\xc2\x5e\xa7\x33\xc1\x85\xd0\x98\x06\xdf\x8e\x6c\x92\x1c\x07\x1a\xe2\xf7\x6f\x5c\x0d\xb6\x23\x45\x17\xc7\x2e\x83\x93\x3a\xd4\x13\x46\x5b\x1b\xd0\xcd\xfe\x6a\x04\x6f\x07\xa4\xb2\x39\xfb\xb8\xed\x71\xbd\xdf\xc2\xb0\x71\x48\xd4\x99\x65\xda\x80\x3a\x82\x4b\xc1\x85\xda\x70\x53\x0a\xbb\x3e\x42\xb8\xa9\xf1\x9c\x0c\x3d\x86\x72\x35\x94\x13\x39\x51\x43\x4b\xfd\xbd\xe6\xbe\x90\xea\x21\x4f\xa0\xe1\x7f\x60\x3c\xd1\xad\x69\x5b\x5b\x5b\xa7\xc9\x86\x14\x87\x11\x45\x4c\x6a\x5a\x7a\x5d\xa2\xa1\x63\x1d\xc7\x06\x9e\x58\x2a\x1c\x12\xd2\xba\x25\xca\x01\xda\x8f\x5e\x70\x3b\x41\x14\x7f\xd3\x8f\x96\x68\xf1\x6c\xad\x66\xdf\x62\x2f\xe4\xb0\x2a\x1e\xef\xc0\xa6\x93\x63\xcc\x0b\x7c\x56\xf0\x34\x91\x60\x25\xee\x4b\xcf\xd0\x51\x26\x77\x29\x85\xa9\x63\x2a\x04\x36\x08\xe6\x56\x92\xaf\x2b\x4a\x75\x68\xf1\x3c\x41\xf1\x6c\x86\xbe\xc9\x9a\xae\x30\xa2\xd5\x4f\x64\x69\xf1\xeb\x68\x51\x8d\x48\xc4\x21\xbe\xc6\xf8\x3b\x82\x28\x30\x88\x38\xa9\xa4\x81\x9f\x2f\xed\x79\xe9\x9d\x10\x5a\x8f\x6b\x1a\xc0\x8e\xb9\xfc\x19\x62\xa8\x57\x7f\x27\xf5\xee\xcc\x91\x88\x3a\x02\x4e\xb7\x43\xa3\x99\xed\x6a\xef\x38\xe1\xf5\x33\xca\x6d\xba\x25\x53\x88\xd2\x5d\x4e\xef\x41\x2f\x03\x94\x4b\xcc\x0a\x8c\x4e\x94\xec\x31\xbb\x65\xc8\x9e\xca\x35\xcc\x88\x8f\xe8\x53\x0f\x6f\x58\x1a\x33\x46\x23\x3e\xf0\x93\x6d\xa1\x0e\x8b\x69\xc5\xfd\x23\xea\x2a\x58\xf9\xfe\x8b\x79\xa9\xef\x60\x80\x6c\x29\x6a\xba\x90\xfb\x83\x29\xe8\x38\xbb\x6c\x7d\x3c\x86\x7d\x41\x09\xba\xa2\x6c\x48\x37\x43\x9e\x63\x07\x17\x0e\x7b\x15\xc2\xf9\xf5\xee\x03\x30\x5f\x94\x81\xf8\xe7\x93\xdd\x08\x6e\xf2\xfc\x3e\xca\x55\x5a\xa2\x58\x12\x02\xbb\x4e\xd8\xe4\x31\xcf
\x0b\x71\x0b\xbd\x86\x25\xfa\xc1\x7b\x51\x9c\x68\x06\xb7\x21\x80\x08\xe0\x40\xbd\x2f\x07\x8e\x18\x50\x11\xd4\x71\xd4\x60\x26\xb5\x38\x87\xc9\x48\x1b\x6a\xbe\xa8\x38\xdc\x59\x8a\xf7\xd6\x1e\xb1\x05\x66\x12\x51\x68\xad\xb4\xb5\xfa\x2f\x49\xdb\x9e\x36\x08\xee\x06\xba\xff\x0b\x3e\xdd\xf0\x53\x70\x13\xa8\x9a\x8f\x60\xbe\xc6\xec\xaf\xe7\x4c\x3a\xd6\x26\x67\xcc\x73\x6e\x42\x31\x80\x60\xd9\x39\xca\x8a\xfa\xee\xf4\x18\x9c\xab\x94\xbb\x6d\x7c\x07\xf7\xaa\x21\xf6\x00\x27\x70\x7d\x8a\xee\x9d\x2f\xc0\x31\x96\x77\xe8\xe8\x6c\x6e\x02\x0f\x43\x53\xff\x8d\x52\x35\x42\x66\x9e\x4b\xf2\x64\x9f\xc4\xfe\x1a\xc2\x16\x51\x52\x7e\x25\x7a\x55\x00\x6c\x30\x4b\x83\xaa\xb8\xde\x6e\x87\xb0\x2d\x36\x60\x52\xde\xbd\x14\xf4\x71\x28\x33\xc3\x40\xea\xd1\xeb\x9f\x9f\x48\xdf\x1e\xa2\x7f\x67\x28\x2a\x8a\x5b\xa0\x5d\xf6\x8e\xe2\xaa\x98\xa3\x4b\x44\xfe\x38\xcf\x05\x82\x06\xcd\x11\x2d\x19\x37\x2e\x45\xaf\xb9\xd0\xc2\x4c\x0c\xa9\x18\x99\x48\x23\x9c\x99\xdb\xa4\x44\xf9\xc1\xa9\x1f\xdf\x3d\xff\xa9\xfd\xcd\x09\x35\x5e\x4b\x30\x61\x80\x63\xeb\x02\xe4\xac\x21\x2b\xf8\xf7\xb8\xc6\x17\x81\x1b\xc2\x74\x04\x23\x72\x4a\x0c\x50\x46\xf3\x57\x7e\x0b\x00\x6b\x14\x85\x0d\xdb\xab\xbf\x60\x12\x1d\x15\x1e\xc7\x30\x64\x9b\xa2\x51\xa2\x55\x1f\x6e\x92\x46\xe5\x46\x23\xa8\x19\xe9\xfc\xe9\x1f\xe4\x0a\x8a\xc2\xe5\x53\x32\xc5\x7b\x8b\x7b\x9a\x63\xad\xf9\x1f\x10\x74\x8d\xec\x7c\x01\x53\xcf\xf4\xa4\x12\x29\x27\x51\xb0\xab\x79\x3a\x14\x82\x29\xed\xd1\xf9\x08\x01\x2f\xba\xdc\xd1\x3e\x18\xd4\x79\xd9\x4e\xa5\x60\x65\x10\x03\x57\xba\x4b\xa1\x82\x58\xe4\xa8\x28\xea\xac\xa2\x0d\x67\x1d\x98\x6d\xc6\xd1\x79\x97\xf5\xb3\x74\x46\x93\xeb\x36\xcd\x7f\xce\x3f\xff\x1d\x2d\x59\xb9\xbc\xf1\xc9\x94\x27\xae\xec\x5c\x15\x8d\x12\xd0\x66\xd4\x69\x26\x7f\x42\x3d\xe6\x76\x07\x9d\xc4\x8d\xef\x12\x7b\xe6\x3b\x07\x9f\x0f\xe8\xd7\xda\xe2\xf2\x0e\xab\x8d\xdd\x0f\x38\x8d\x52\xac\x05\x91\x79\x58\x9c\x62\x42\xc7\xf9\xfe\x8e\x1d\x18\x57\xec\x29\x98\xf8\xdc\x9a\xed\x3b\x3d\x38\xae\xed\x70\xb0\xfa\xb5\xd1\x3b\xcb\x53\x6c\xbf\x01\xa2\xfd\xa8\x11\xf1\x4f\xa0\xf5\xe4\xa4
\xd5\x71\x31\x86\x0d\x60\xaa\xc2\x60\x73\x54\xab\xc5\x8f\x91\x51\xdd\x78\x8e\x78\x7f\x76\x85\xbe\x53\x7e\x6f\x86\xbb\xac\x94\xbe\xf4\xdb\xb0\x42\xda\x14\xc1\x00\x7d\xcd\x62\xaa\x8c\xbc\x70\x5d\x12\x0e\x07\x83\x94\xfc\xbd\xc9\x47\x29\xfc\xe6\x90\x5f\x1e\xd8\x69\x9c\xac\xd2\xe5\xf0\x05\x5d\x37\x7d\x0d\x5c\xa8\x3f\x18\x97\x1c\x19\x5c\x7e\xa1\xdc\xf1\x1e\x9f\xee\xc1\x24\xc2\xba\x56\xd0\xf5\x06\x06\x0c\x22\xcb\xc3\x66\xd0\xae\xd0\x5f\x40\x00\x62\x98\x4f\x22\x12\x2b\xfd\x16\xa3\x1b\x3a\x4a\x6e\xd9\xd9\x49\xbe\x5e\xc1\x6a\xe9\x8f\x2a\xa8\xea\xad\xae\xcc\x16\x9e\x97\xcd\xa0\xd5\xb5\x60\x2a\x91\xc1\x01\xb2\xe2\x83\xc0\xbe\x6c\x83\xab\xbe\x2e\x7e\x2e\x4c\xef\xe3\xbe\x22\x31\x21\x3e\xbb\x85\x88\x3e\x0a\x5b\x0b\x4a\x0d\x2c\x04\x72\x2e\xb6\x0f\xab\x23\x02\x3c\xf9\x1c\xa0\xab\x90\x8e\x4b\xb6\xac\x29\xa7\x88\xfe\x9e\xc6\xb9\x9d\x75\xd5\x2f\x20\x3c\xba\x7d\x92\x48\x5e\xf9\x05\x55\xae\xd4\x10\x60\xfd\xd0\x36\xf4\x2f\xa8\x18\xcd\xf8\xb9\xaf\xe2\x6a\xfc\x1f\x27\x9a\x40\x29\x25\x4b\x12\xdd\x54\xda\x88\x2a\x13\x8d\x34\xaf\x15\x77\xe7\x8c\x1d\xd1\x92\x3a\x56\xa3\x69\xd8\x5d\x74\xfa\x59\xd4\x53\x2b\x85\x9f\x67\xe6\x5f\x3e\x67\xd6\x54\xe5\x7d\xde\x88\xcf\x7c\x23\xc9\x18\x2e\xc1\x5e\x95\x28\x3d\xbb\xa7\x99\x11\x16\x4d\xf2\xb4\x83\xbe\x5a\xdb\x7e\x60\x06\xfe\xb6\x9c\x67\x2c\x93\x8a\x81\x8b\x2b\x46\x36\xc9\x43\xb6\x8e\x8c\x93\x35\xa5\xfe\x2a\xa7\x42\x74\x02\x78\x51\x17\xde\xb2\xae\x7c\x16\xba\x0d\x05\xa5\x0d\x21\xcd\x7b\x65\x8c\xe0\x21\x40\xdd\x20\x84\x9a\xe2\x50\xbb\xb1\x0e\x96\x0c\x87\x21\xcf\x96\xd0\xe7\xd8\x1b\xbb\x21\xa5\x33\x58\xe0\xa4\x4f\x8d\x26\xb1\x0b\xf2\x4e\xda\x9b\x5d\x8c\xee\xf7\x10\xee\xc2\x5c\x0c\x3b\x31\x80\xc8\x59\x40\xf5\xb1\x5c\xc1\x3f\xe6\x8a\xd1\x9f\x7f\x0e\x9b\x4c\xc3\x97\x35\xb6\x86\x39\xf8\xfe\x46\x22\xdc\x78\x4d\x5d\x64\x70\xab\x9e\x32\x74\x0d\xb0\x2a\x9b\x67\x32\xac\xbb\xf5\x87\x67\x19\xf5\x57\xa4\xe0\xa4\x2c\x03\x6b\xb3\xf9\x72\xea\xa8\x62\xc5\x8f\xfb\xce\x08\xee\x0e\xa2\x1e\x74\xe8\x17\x57\x87\x05\xe4\xe2\x68\x3f\xeb\x6c\x61\x23\xee\x1b\x9a\xe1\xda\x94\xc5\xea\x68
\x76\x3b\x03\x03\xc6\x39\x7e\x21\x69\x1a\x4d\x81\x54\xfd\x1a\xef\xdf\x39\x8c\x41\x36\x9e\xb8\x25\x5d\x9b\x84\x7f\x9d\x67\xcf\x5b\xb8\x08\x41\xf4\x68\xf7\xc8\x70\xf0\xe1\x94\xdc\xf2\x3a\x6e\x76\x42\xc9\x51\x4d\x12\x64\x32\xf4\xb6\x6b\xdb\x7b\x81\xb5\x43\x70\xca\x23\xa0\x5c\x22\x3c\x49\xc5\xb2\x68\x03\x76\x8b\xad\x60\x59\x48\x17\xbb\x98\xb5\xec\x27\x4d\x62\xe2\x64\xc5\x4c\xde\x98\x06\x37\x6b\x40\x5e\x9f\x7d\xe3\xd5\x9a\xe3\xce\x7d\xb4\xa6\x89\x85\xb1\xc1\xa1\x12\x22\xd1\xc2\x80\x9c\x96\xf7\xeb\x9a\x5b\xf4\xe5\x02\x66\xdf\x93\x5c\x90\x0a\x56\x8f\xe5\x79\xa6\xea\x47\x4f\x62\x35\x91\x96\x4d\xb4\x3a\xc6\x47\xde\x15\x91\x6a\xef\xac\xd3\x22\x23\x6f\xd5\x39\x77\xd6\x82\xee\xeb\x0d\xcf\x79\x8b\x6f\x2f\xf2\x2b\x36\xdd\x00\xd6\x4e\x51\x59\x9b\xda\xd7\x03\xa4\x2d\x1d\x20\xeb\x8d\x6a\x63\x85\xf6\xdb\x49\xf3\x4f\xce\x3b\x28\xe2\x85\x6f\x28\x28\xd7\x7c\x4d\x03\xd3\x4e\xb0\x8c\x33\xb7\x54\xbf\xe7\xf3\x9d\x0a\x34\x30\xa2\x13\xb9\x7e\x75\xc2\xc9\x75\x63\x5c\x79\xd3\x0a\xaf\x3d\xaa\x9a\x1e\x8c\xa5\x6f\xbe\x49\x9e\x77\x81\x18\xc7\xe5\x95\x4a\xc2\xac\x2b\xce\xa6\x9a\xda\xc9\x60\x09\xe1\xb5\xcd\x27\x98\x6c\x25\x42\x82\xbf\x07\x60\x74\x75\x59\xcb\x61\x2a\x1f\x61\x0d\xf0\x9b\xec\x5a\xa1\xf4\x1f\x7a\x3b\x2f\x0f\x2c\xb2\x85\x08\xe2\xb0\xca\xf2\x06\xbe\x81\x0d\x65\xb6\xc4\xfc\x2e\xf5\xec\x09\x8b\x27\x4b\x53\x68\x13\x06\x04\x16\x69\xab\xb1\x75\xe4\xec\x88\x98\x1c\x5a\x0c\x05\xa6\x46\xe5\xd9\x03\x43\xa0\xb1\xf8\x73\x37\x9c\xf1\x44\xc3\xc8\x79\x5c\xfd\x77\x59\x4b\x51\x6a\xb0\x2a\x40\x8e\x0f\xaa\x37\xfd\xf2\xde\x2e\x6f\x37\xfa\x03\x54\x0d\x70\xe5\xf0\x29\x77\x67\x08\x4e\xa0\x08\x6c\x13\x1a\xb5\xb2\x8a\xb5\x43\x97\x8f\x1d\x4f\x04\x29\x1b\x6d\xdd\xd7\x2d\x2a\xa9\xa2\x2a\xe1\x96\x97\x95\x03\x51\xa2\xf3\xda\x68\x97\x1d\x96\x36\xe2\x9c\x66\xd9\xfd\x61\xcd\xac\x7c\x81\x18\x93\x50\x44\x7c\x03\xc1\x46\xd0\xdd\xe5\x5a\x17\x91\x5b\x56\xff\xa9\xfb\xa4\x7e\x09\xba\xfe\x41\x2b\x6a\x8a\xe7\x20\xd9\x2b\x04\xa5\x5e\x65\x48\xb0\x03\x55\x06\xf8\x0f\xaf\x97\x08\x24\x79\x82\x09\x6d\xd8\x06\xe1\xe6\x98\xfe\x8f\x59\x0f
\xcb\x00\x9f\xa8\x75\x86\xb0\x8c\xd2\x70\x97\xaa\x53\xd3\x08\x7e\x9f\x4c\x7a\x4e\xe5\x56\x49\x1b\x3d\xf6\x8f\xb4\x13\xa9\x2d\x7f\x78\x33\x65\xc6\xa5\xe1\xfc\xa5\xd9\x56\x3e\x19\x3e\xd2\x37\x9f\x99\x4f\x32\xe9\xa2\xc7\xa7\x22\x15\xc1\xe8\x91\x38\x57\x65\x94\x7b\x90\x86\xa5\x60\xd3\x73\xae\x19\xb8\x8e\x78\x15\x03\xb1\xb8\xb8\x01\xa8\xdc\xf5\xf6\x7d\x0e\x4b\x02\x12\xd8\x54\x48\x76\x94\xac\x76\x57\x2f\xa1\xe6\xf1\xfe\x71\x9c\xde\x5b\x27\x8c\x9c\xe3\x93\x8b\x27\x10\x60\x33\x5a\x57\x41\xba\xa0\xd7\xad\xc3\xde\x28\xe3\x7b\xee\xd6\xf7\x81\xf6\xf7\xb3\x21\xc5\x69\x33\x82\x83\x77\xa2\xff\x6d\xe2\xbf\xc2\x4b\x2a\x34\x72\xca\x50\x39\x37\x3d\x3c\xdc\x9a\xfc\x04\x0c\xe4\xe8\x94\xcf\xf8\x22\x54\xd9\xe4\xf4\xb2\x59\x98\xc9\xdc\x84\x70\x54\x63\xda\x8a\x03\xea\x41\x9c\x2e\x4c\x81\x2a\x9f\x04\xd5\x3f\x2d\xe4\xfc\x2e\x3c\x1a\x08\xa7\x38\x9d\xdf\xb0\x82\x17\x64\xe7\x11\x05\xeb\x05\x88\x72\x08\x71\xf0\x08\x2c\xd9\x11\xf8\xed\xf6\x94\x95\x00\x72\xee\xbc\x64\x21\xbf\xc7\x1a\xf2\x76\x69\x10\x7e\x4b\x48\xac\x97\x13\x39\xe6\x9c\x46\xc4\xea\x5d\x50\x02\x8f\x14\x73\x5d\x84\xda\x04\x0a\x08\xd3\xc9\xd0\xe6\x4d\xee\x8b\xb6\x45\x00\x3b\xfc\x01\x62\xc3\xe1\x31\xd3\xdf\xcc\xf1\xa5\x16\x28\xbd\x59\xed\x49\x5b\x17\x7b\x41\x7d\x0c\xb3\x76\x53\x7d\x58\x16\x74\x1c\x25\x88\x5e\xc5\x67\x42\x15\x4e\x84\xa2\x6d\x9d\xe3\x76\xd6\x7f\xfb\xe2\xfd\xb4\x86\x9b\x6d\x87\x08\xa7\x35\x0e\xfc\x67\x2a\x48\xd6\x0a\x92\x8c\x99\x27\x53\xad\x4b\xd7\x45\xa7\x18\x9b\x3f\x94\xf4\x8f\x64\xc9\xf8\x6d\x9f\x0b\x22\xbf\x7a\x1d\xf2\x09\x6b\x46\xfa\xdf\x26\x69\x06\xf3\x94\xb1\xde\x65\x52\x92\x87\x85\xd6\x8d\x26\xb9\x6b\xda\x02\xe4\x9d\x5e\xca\x82\x84\x70\x0d\x50\x33\xb0\x06\x23\x66\xa6\xce\x4b\xe4\x4c\x76\x7d\x60\x81\x7b\x48\x76\x87\x48\x58\x2a\x5e\xd3\xdb\x60\x82\x91\xa5\xef\xa1\x01\x1b\x75\x8f\x99\x0a\xb3\xe4\xab\xed\xf5\x3f\x01\xb7\x00\xdf\xae\xb5\x87\xb4\xf4\x14\xd3\xfe\x3a\x87\x32\xe1\xf2\x15\xfa\x86\x9c\x7b\x2f\x8b\x7f\x4e\xac\x59\x7d\xa8\x17\x51\x70\x9b\xd1\x8e\xb0\x86\x9c\xe1\x14\x59\xf8\x76\x6e\x63\x32\xe9\x57\x10\x7a\x79\x1a
\x64\x01\x10\x49\x48\x8a\x27\x32\x54\xf3\x3e\x0e\xcb\x44\x0e\xe4\x46\xe8\xab\x76\xf2\x4e\xc1\xf4\xcf\x7d\x31\x4a\x15\x8c\x51\x2b\x6a\x27\x31\x09\x93\x67\x76\x6a\xe4\x05\x35\x96\x7d\x63\xce\x07\x1f\x06\x8a\x7d\x3f\xbd\x48\x33\xa0\xc7\x8c\xea\x71\x27\x48\xa4\xbf\x23\x61\xd8\xf6\x03\x59\x59\xa6\xab\x08\xf3\xd4\x4f\x7f\x81\xfe\x74\xd9\x64\xd5\x8b\xb3\xcb\x60\x51\xc5\xe6\x8d\xc6\xe7\x1f\xec\xe4\xae\x85\xdd\xc8\x95\xb3\x16\xf4\x7d\x52\x08\x47\xdd\x84\x83\x17\xb6\x1a\x47\xa1\x3c\xe0\x6c\x30\xd1\x4d\x98\x52\x93\x8c\x6e\xe4\x5a\xd2\xeb\x1f\x19\xdd\xa1\x9b\x1f\x83\x56\x24\x41\xc2\xd3\x06\x11\x1f\x51\x1e\x40\xa8\xd8\x2b\x33\x4b\x2d\x98\x3c\x35\x4f\x2c\xf8\xa2\xe7\xa2\xfc\x13\x5a\x4a\x31\xda\x5b\x09\x29\xd0\xe0\xc3\xe1\xc9\xbf\xb2\xde\xbc\xd2\xfc\x9d\x05\x77\x26\x3c\x77\x71\xc6\x84\xd3\x4a\x6b\x02\xb3\x1c\x52\xf4\x2e\x07\xfc\x1f\x42\xe7\x0d\x74\x00\x35\xe8\x0f\x0c\x38\x89\xd8\xd2\x8c\xdf\x11\x40\xe2\x10\xdf\xf5\xae\xb5\xaa\xab\xfd\x65\x5a\xc4\x6e\x03\xd1\x7e\x1e\x72\x27\x3e\xa0\x14\x15\x8c\xff\x2c\x8e\xf3\x70\x08\xb4\x4e\x73\xd2\xc6\x16\x86\x23\x49\xaf\xa5\xa1\x6e\xc6\xf1\x0d\x7f\x85\xfe\x4d\x95\xdf\x41\x6b\xdf\x00\x17\x48\xa6\x98\xa7\x94\x21\x92\x54\x9a\x4b\x86\x00\xf5\x38\x02\x91\xfe\xca\xb3\x74\xb5\x90\x26\x6a\x98\x0b\x2d\x38\xd0\x81\x7e\x11\x1c\xa3\x14\x47\xff\x7a\x33\xee\x30\x0b\x75\x83\xc8\x30\x50\xa5\x91\xcf\xb8\xc3\x83\x20\x36\x9b\x54\xb9\x62\x4a\xe5\xbf\xbe\x7a\x65\x73\x23\xe6\x4b\xb8\x90\xff\x4a\xbd\x85\xfb\xe8\xc5\x9a\x68\xa6\x16\xb0\x44\xdd\xc9\x77\x33\x60\x41\x33\x5f\xe1\xd2\x9e\x87\xdf\xc5\x63\xa0\xf7\xd3\x93\xca\x83\x53\xb3\x1c\xaa\x64\x1d\x11\x40\x10\x9d\x3f\x3d\x68\xbc\x4a\xc8\xd1\xa3\x2e\x03\x9a\x5a\x5a\xae\x4e\x95\xd7\xd3\x7d\x57\x37\xef\x2b\x99\x7e\x17\x86\x82\xbe\x27\xb0\xd5\xb9\xcb\x7b\xb3\x0b\xce\x28\xda\x9f\x9c\x29\x98\x80\xe1\x52\xd9\x0f\x6a\x05\x90\xfa\x28\x9a\xeb\x5c\x4b\x4c\x05\x0f\x7f\x48\x74\x4a\x1e\x3e\xd8\xb7\x06\xbb\x14\x37\x14\x63\x70\x52\x27\x75\xb4\xa8\x24\xef\x29\xae\x2d\x08\x54\x27\x9f\xef\x03\xa0\xea\x67\x3e\x25\x1f\x66\x97\x16\x6f\x36\x99
\x60\x89\xb8\x8f\x48\x5c\x30\xdd\x49\xdf\x10\x21\xb1\xce\x79\x4b\xa4\x47\xe3\x61\x70\x4c\xa2\x0c\x53\xf2\x84\xfd\xc4\xfa\x1a\x1f\x40\xe5\xf7\x24\x0f\x27\x32\x13\xb6\x92\x0e\x9b\xfb\x8e\xe6\x9f\x93\x26\x16\xcc\xf6\x56\x49\x5d\x99\x87\x43\xd6\x1a\x08\x8e\x60\x59\xfe\x2f\xc0\x35\x72\xf1\xdf\xad\xfb\x51\x0c\x55\xf5\x18\x5a\xda\x91\x4e\x2a\x96\x62\x8d\x3e\xe5\xd6\xb0\x01\xcf\xd0\x45\x64\x6e\xf9\x36\x94\x82\x8f\xe8\xe0\x33\x3d\x9e\x85\x37\xab\x9e\x02\xec\x72\x17\x13\xb2\xb9\x74\x3e\x68\xf4\x2f\xff\x78\xab\xc0\xaf\xd4\xbd\xdc\x95\x17\x9a\xf1\x2c\x3c\x95\x08\x34\x9e\x65\x6a\xd5\x9b\xd6\x4c\xb6\xa4\xbc\x76\x42\xc6\x6e\xfe\xf2\x9a\x55\x00\x93\x70\x64\xde\x05\xe4\x9e\x2a\x81\xc5\x87\xe2\x28\xe0\xab\xa0\xc8\xa6\x87\x5c\x41\x06\x63\xa2\x22\xe5\x57\x55\x7b\xcb\x10\x54\x01\x25\x32\xe3\xe6\xd4\x83\x0d\x3d\x9c\xa0\xeb\x68\x97\xba\x54\x05\xa3\x35\x50\x3f\x8c\xfe\x34\x5a\x20\xed\xee\x88\xa8\xb1\x43\xe2\x8c\x98\x2b\xb8\x36\xe0\xcd\xe0\xc6\xde\xab\xad\xbc\x11\xd8\xa6\x33\x50\xf1\x05\x0b\x71\xab\xcb\xd8\xea\xe7\xc2\x2f\xc0\x4d\x59\x72\x67\x48\xc8\x2e\xd4\x35\x95\xd6\x62\x55\xb6\xc3\x0f\x11\x1e\x3b\x5c\x9c\x12\xd9\x7a\x36\x8b\xe6\x72\xb0\xf0\xe5\x92\x98\x38\xfd\x82\x04\xb5\x5d\x0e\x51\x1a\x32\x90\x6a\xf5\xc3\x49\xcd\x64\x8a\x43\x98\x14\x77\x04\x56\x3a\x10\xd5\xd5\xf5\xa8\x6f\x8f\x1c\x88\xa2\x32\x4e\x56\xcf\x28\xd6\x3d\xaa\xc7\x25\xe7\xf9\xfe\x3d\x15\x04\xaa\x2d\x26\x90\x37\x60\xe2\x7e\x79\x6f\x7f\x7d\x33\xb9\x6e\xf0\x1e\x4e\x57\x24\x56\xfe\x47\x9a\x25\x23\xd3\x96\xe6\xcc\x88\xb8\xa8\xdc\x35\xf1\x55\xda\xed\xb3\xc2\x9d\xd2\xcd\x8a\xdf\x6d\xcc\x73\x2e\x5c\x58\x51\x1b\xd3\x89\x87\x83\x99\xc4\x32\xc1\xa4\x0d\xc0\x6e\x94\xe2\x4d\x66\xe1\xcd\xbb\x73\xcc\xa9\x92\xa3\xa6\x1c\x54\x5d\xd3\x47\xd0\xbe\x41\x41\xa1\xec\x23\xa6\xca\x84\x5b\xa1\xb5\x83\x96\xb4\x56\xee\x05\xe6\xbe\x7d\x7c\x9a\x0d\xea\xad\x66\x46\xd7\xa7\x79\x86\x88\x6d\x9e\xe7\x55\xc5\x88\x96\x50\xe9\xeb\xcc\x4b\x8d\xea\x33\x52\x1b\x65\x17\x1e\xc9\xd9\xee\xb4\xe7\x76\xd3\xd7\x1f\x52\x61\xd4\x51\xf4\x81\xb9\x0c\xfc\x65\x5f\x8c\xf1\xb6\x3d
\xf8\x46\x7e\x0c\x1e\x2f\x9a\xf5\x75\x8e\xb5\x06\xaa\xce\xab\x4b\xb3\x59\x07\x82\x9e\x55\x41\x1e\xb2\x5b\x59\xcb\x70\xf9\xea\x06\xef\xde\xaa\xef\x61\x51\x15\x61\x84\xec\xea\xb1\xba\x65\xf4\x1d\xf3\x2b\x53\x46\xf5\xec\x03\xab\x19\x80\x7d\xf4\x84\x49\x88\x13\x34\xa6\x82\x9c\x39\x71\x69\x21\xfb\x7e\x5d\x05\x78\xee\xb3\xeb\x3b\xec\xb8\xff\x5e\x00\xfe\x84\x22\xb0\xc3\xb7\xbc\x77\xa5\xd3\x38\xbd\x0d\x4e\xf6\xa3\x41\xdd\x94\x1d\x92\x5e\xc6\xcd\x93\xf2\x89\x56\x6d\x80\x3f\xf2\xa0\x2a\x3e\xf8\xc8\xd8\x00\x52\x51\x8f\x9a\xfa\x30\xaa\xf0\xcb\x97\xea\x1e\xed\xb5\x27\xb1\x80\xdc\xb8\x03\x68\x05\x0b\x6d\xfb\x4e\xbe\x2c\xb9\x6d\x1e\x06\x84\x98\x6a\x85\xa6\xb6\xeb\xa2\x16\x60\xa1\x8c\x28\x24\x8c\xc0\xd4\xcd\xf5\xe0\x85\xc1\xfb\x61\x33\xda\x11\x69\xe5\x03\x6d\x35\xf5\x47\xeb\xc0\x61\x86\xb6\x95\xf2\x42\x71\xbd\x68\x0a\x39\x7d\x92\x35\x38\x12\x7f\x94\x8a\x2b\xa3\x6b\xf5\x29\x1a\x9c\xfa\x5d\xc5\x7a\xf9\x90\x1b\xb7\xef\x7c\x9c\x9d\x60\x00\x86\x37\x6a\x0d\xc6\x80\xe4\xe6\x7e\x17\x70\xe7\x24\x99\xb5\x83\x33\xaf\x89\x8a\x33\x2c\x78\x94\x95\x94\x28\x42\x4f\xe6\x1c\x0e\x0d\x8f\xd6\xc4\x6a\xf7\x9b\xdb\x23\xc8\x44\x94\x01\x58\x7b\xa1\x16\x56\x5c\x8e\x06\x0f\xb1\xaf\x55\x7c\xec\xda\xf3\xd1\x0d\x2f\x06\x5d\x7f\xfd\x53\xdf\xbe\x8a\xfd\x1c\x46\x90\x4c\xba\xad\x1b\xd8\xf1\x8e\xe7\x0a\xa4\x81\x1b\x27\x85\x74\x33\xe4\x75\xab\x5c\x5c\x62\x0a\x8d\xaf\x02\xbe\xf4\x02\x86\x49\x7b\xe5\x1f\x25\x32\xd4\x25\x90\x56\x69\xf3\xbe\x5c\xe7\xb7\x90\xe9\x45\xc2\x2e\x44\x6f\x0a\x36\x1e\x04\x3f\xd4\xa7\x6e\x53\xe3\xb0\x4b\x59\x05\xed\xa6\x3b\xce\xbb\x62\xe0\x6c\x6c\xc0\xe2\x54\xf2\xf0\xe3\x86\xbd\xd7\x30\xc5\x5a\x04\x07\xaf\x9d\xec\x14\x63\x3b\x5a\xc1\x5a\x33\xec\x52\x3f\x6a\x4a\x94\x54\xbc\x5a\xa2\x16\xe1\x43\xf0\xf7\x2e\xbb\xd6\xf5\xc0\x38\xd2\xee\x39\xad\x7c\xf3\x95\x6a\x3c\x47\x9a\x8a\x65\x3a\x90\x6a\x01\xf4\x86\x18\xe6\xa4\x7a\xdb\xa3\x59\x8e\x9c\x9e\x72\x5d\x53\x43\x9e\x0f\x17\x5f\xcd\x51\xba\x15\x16\x07\xa3\x35\x93\xf1\x25\x6e\x6b\x29\x68\x5a\x81\x3d\xee\x40\x3e\xc2\xb4\xfa\x09\xc6\xd0\xf4\xd6\x51\xe2\x37\x8b
\x78\x04\x1f\x37\x24\x33\x47\xdc\x77\xce\x35\x14\xc6\x34\xe4\xf8\x3e\xa2\x97\x66\x5f\x16\xd6\x56\xa6\xdf\x91\x00\xbf\x65\x53\xd6\x69\xe4\x3c\x0a\xc2\xd8\x91\xeb\x77\x79\xee\x8d\x4f\x32\x11\xcd\x2a\x52\x7f\xd4\x15\xaf\x00\x04\xc2\xd5\xdd\xb6\x2a\x36\xde\xe9\x8a\xc1\x48\x96\x96\xc5\x56\x47\x6a\xca\x9f\x6d\xa9\xbd\x4f\x37\xac\xa8\x6b\x83\x86\x0a\x8d\xd9\x04\xbb\xe2\xc3\xd3\x7c\xfc\xd7\x68\xb5\x9d\x82\xa8\xc1\xbc\xef\xfc\x44\xed\xfb\x04\x73\x0e\xa5\x79\x16\xda\x94\xb4\xe8\xdb\xcf\x5f\x01\xb5\xa7\x18\x64\x6a\x56\xe6\x2a\x64\x74\x8a\x9e\x3b\x7b\x2f\x08\x0a\x2f\xb3\x51\x5d\xb5\x35\xc6\xac\xde\xf1\xd8\x58\xf6\x33\xb0\x80\xd3\x98\xc0\x06\xd7\x40\xf5\x9b\xfc\x06\x3a\xcb\xb4\x0f\xe2\x18\x3c\x55\x20\x89\x4d\xd5\xa4\x7b\xbd\xd9\x91\xf2\xca\x2e\x1d\x35\xd0\x40\x75\x59\x00\x16\xdf\xc8\x13\xa8\xf2\x72\x92\x6d\x66\x0b\x0b\xac\x47\xfc\x72\x97\xd7\x48\xd1\x64\x2d\xe8\x2c\x08\x24\x5c\x8a\x4a\xf3\x98\x26\x97\x1b\x06\xe2\x52\x56\x75\x9f\xc4\xae\xe3\xde\x98\x40\xc1\x4f\x99\xe8\xa5\x34\x04\xbc\xca\xe6\x13\xce\xdd\x72\xd3\x2e\x74\xc8\x7d\x8c\xad\x6c\xf7\x2f\xd2\x01\x8d\x5f\x3a\x79\x7c\x08\xcd\xda\xa2\xd9\xa5\xac\x5f\x49\xbf\x07\xb0\x45\xc4\x16\x9a\x88\x30\x46\x2c\x19\xb4\x00\x4b\x62\x83\x0c\x4b\xed\xca\x51\x61\x45\x1c\xe9\xc8\xac\x56\xf9\x73\xcc\x12\x0f\x7e\xad\xb2\x01\x0d\xe4\xbc\x3d\x71\x96\x47\xa8\xef\xb1\xa9\x5d\xc9\x3c\xce\x6e\xd2\xe2\x25\x5b\x85\x28\x21\x49\x1d\xcd\x30\x64\x0e\xeb\xae\x86\xec\xc0\x2e\x36\x5b\x46\x5d\xef\xb7\x36\x94\x17\x0d\x30\x33\x77\x59\x68\xa5\x3f\x27\x4f\xd1\xab\x8f\x38\x97\x81\x5a\xf3\xdf\xc8\x1f\xcd\xb7\xa3\xa6\xd1\x91\x7c\xab\x0a\x44\x69", 8192); *(uint64_t*)0x20004cc0 = 0x20002200; *(uint32_t*)0x20002200 = 0x50; *(uint32_t*)0x20002204 = 0; *(uint64_t*)0x20002208 = 0x8b20; *(uint32_t*)0x20002210 = 7; *(uint32_t*)0x20002214 = 0x1f; *(uint32_t*)0x20002218 = 4; *(uint32_t*)0x2000221c = 0; *(uint16_t*)0x20002220 = 6; *(uint16_t*)0x20002222 = 2; *(uint32_t*)0x20002224 = 0x7fffffff; *(uint32_t*)0x20002228 = 2; *(uint16_t*)0x2000222c = 0; *(uint16_t*)0x2000222e = 0; 
*(uint32_t*)0x20002230 = 0; *(uint32_t*)0x20002234 = 0; *(uint32_t*)0x20002238 = 0; *(uint32_t*)0x2000223c = 0; *(uint32_t*)0x20002240 = 0; *(uint32_t*)0x20002244 = 0; *(uint32_t*)0x20002248 = 0; *(uint32_t*)0x2000224c = 0; *(uint64_t*)0x20004cc8 = 0x20002280; *(uint32_t*)0x20002280 = 0x18; *(uint32_t*)0x20002284 = 0xfffffff5; *(uint64_t*)0x20002288 = 0x55; *(uint64_t*)0x20002290 = 0; *(uint64_t*)0x20004cd0 = 0x200022c0; *(uint32_t*)0x200022c0 = 0x18; *(uint32_t*)0x200022c4 = 0; *(uint64_t*)0x200022c8 = 2; *(uint64_t*)0x200022d0 = 9; *(uint64_t*)0x20004cd8 = 0x20002300; *(uint32_t*)0x20002300 = 0x18; *(uint32_t*)0x20002304 = 0; *(uint64_t*)0x20002308 = 0x40; *(uint32_t*)0x20002310 = 0xe62; *(uint32_t*)0x20002314 = 0; *(uint64_t*)0x20004ce0 = 0x20002340; *(uint32_t*)0x20002340 = 0x18; *(uint32_t*)0x20002344 = 0; *(uint64_t*)0x20002348 = 0x80000001; *(uint32_t*)0x20002350 = 0x787; *(uint32_t*)0x20002354 = 0; *(uint64_t*)0x20004ce8 = 0x20002380; *(uint32_t*)0x20002380 = 0x28; *(uint32_t*)0x20002384 = 0; *(uint64_t*)0x20002388 = 3; *(uint64_t*)0x20002390 = 9; *(uint64_t*)0x20002398 = 0x101; *(uint32_t*)0x200023a0 = 0; *(uint32_t*)0x200023a4 = -1; *(uint64_t*)0x20004cf0 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x60; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 9; *(uint64_t*)0x200023d0 = 0xf652; *(uint64_t*)0x200023d8 = 0x8d; *(uint64_t*)0x200023e0 = 0; *(uint64_t*)0x200023e8 = 0x3f; *(uint64_t*)0x200023f0 = 0x80000000; *(uint32_t*)0x200023f8 = 0; *(uint32_t*)0x200023fc = 3; *(uint32_t*)0x20002400 = 0; *(uint32_t*)0x20002404 = 0; *(uint32_t*)0x20002408 = 0; *(uint32_t*)0x2000240c = 0; *(uint32_t*)0x20002410 = 0; *(uint32_t*)0x20002414 = 0; *(uint32_t*)0x20002418 = 0; *(uint32_t*)0x2000241c = 0; *(uint64_t*)0x20004cf8 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 2; *(uint32_t*)0x20002450 = 0xa8f; *(uint32_t*)0x20002454 = 0; *(uint64_t*)0x20004d00 = 0x20002480; *(uint32_t*)0x20002480 = 0x26; *(uint32_t*)0x20002484 
= 0; *(uint64_t*)0x20002488 = 8; memcpy((void*)0x20002490, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004d08 = 0x200024c0; *(uint32_t*)0x200024c0 = 0x20; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 6; *(uint64_t*)0x200024d0 = 0; *(uint32_t*)0x200024d8 = 0x12; *(uint32_t*)0x200024dc = 0; *(uint64_t*)0x20004d10 = 0x20004540; *(uint32_t*)0x20004540 = 0x78; *(uint32_t*)0x20004544 = 0xfffffff5; *(uint64_t*)0x20004548 = 0x81; *(uint64_t*)0x20004550 = 1; *(uint32_t*)0x20004558 = 7; *(uint32_t*)0x2000455c = 0; *(uint64_t*)0x20004560 = 5; *(uint64_t*)0x20004568 = 8; *(uint64_t*)0x20004570 = 6; *(uint64_t*)0x20004578 = 0x1ff; *(uint64_t*)0x20004580 = 5; *(uint64_t*)0x20004588 = 4; *(uint32_t*)0x20004590 = 4; *(uint32_t*)0x20004594 = 0xe8; *(uint32_t*)0x20004598 = 0x193; *(uint32_t*)0x2000459c = 0x7000; *(uint32_t*)0x200045a0 = 6; *(uint32_t*)0x200045a4 = -1; *(uint32_t*)0x200045a8 = r[4]; *(uint32_t*)0x200045ac = 3; *(uint32_t*)0x200045b0 = 9; *(uint32_t*)0x200045b4 = 0; *(uint64_t*)0x20004d18 = 0x200045c0; *(uint32_t*)0x200045c0 = 0x90; *(uint32_t*)0x200045c4 = 0; *(uint64_t*)0x200045c8 = 0x8612; *(uint64_t*)0x200045d0 = 5; *(uint64_t*)0x200045d8 = 3; *(uint64_t*)0x200045e0 = 0xb2f; *(uint64_t*)0x200045e8 = 0x20; *(uint32_t*)0x200045f0 = 0; *(uint32_t*)0x200045f4 = 7; *(uint64_t*)0x200045f8 = 0; *(uint64_t*)0x20004600 = 0x1ff; *(uint64_t*)0x20004608 = 2; *(uint64_t*)0x20004610 = 2; *(uint64_t*)0x20004618 = 0x1de; *(uint64_t*)0x20004620 = 0x5a; *(uint32_t*)0x20004628 = 9; *(uint32_t*)0x2000462c = 0xc46; *(uint32_t*)0x20004630 = 5; *(uint32_t*)0x20004634 = 0xc000; *(uint32_t*)0x20004638 = 0xddce; *(uint32_t*)0x2000463c = 0xee01; *(uint32_t*)0x20004640 = 0xee00; *(uint32_t*)0x20004644 = 0; *(uint32_t*)0x20004648 = 0x12; *(uint32_t*)0x2000464c = 0; *(uint64_t*)0x20004d20 = 0x20004680; *(uint32_t*)0x20004680 = 0x10; *(uint32_t*)0x20004684 = 0; *(uint64_t*)0x20004688 = 5; *(uint64_t*)0x20004d28 = 0x20004900; *(uint32_t*)0x20004900 = 0x2c0; *(uint32_t*)0x20004904 = 
0xfffffff5; *(uint64_t*)0x20004908 = 0x8a; *(uint64_t*)0x20004910 = 4; *(uint64_t*)0x20004918 = 3; *(uint64_t*)0x20004920 = 0xfff; *(uint64_t*)0x20004928 = 6; *(uint32_t*)0x20004930 = -1; *(uint32_t*)0x20004934 = 8; *(uint64_t*)0x20004938 = 5; *(uint64_t*)0x20004940 = 0xca13; *(uint64_t*)0x20004948 = 0x81; *(uint64_t*)0x20004950 = 4; *(uint64_t*)0x20004958 = 0; *(uint64_t*)0x20004960 = 0xbbc; *(uint32_t*)0x20004968 = 0; *(uint32_t*)0x2000496c = 3; *(uint32_t*)0x20004970 = 0x34b; *(uint32_t*)0x20004974 = 0x4000; *(uint32_t*)0x20004978 = 9; *(uint32_t*)0x2000497c = 0; *(uint32_t*)0x20004980 = 0xee01; *(uint32_t*)0x20004984 = 2; *(uint32_t*)0x20004988 = 0x81; *(uint32_t*)0x2000498c = 0; *(uint64_t*)0x20004990 = 3; *(uint64_t*)0x20004998 = 0x80000001; *(uint32_t*)0x200049a0 = 0x16; *(uint32_t*)0x200049a4 = 0xf97; memcpy((void*)0x200049a8, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x200049c0 = 5; *(uint64_t*)0x200049c8 = 3; *(uint64_t*)0x200049d0 = 0x100000001; *(uint64_t*)0x200049d8 = 0x10001; *(uint32_t*)0x200049e0 = 7; *(uint32_t*)0x200049e4 = 0x83; *(uint64_t*)0x200049e8 = 5; *(uint64_t*)0x200049f0 = 5; *(uint64_t*)0x200049f8 = 0x100; *(uint64_t*)0x20004a00 = 6; *(uint64_t*)0x20004a08 = 0xfffffffffffffbff; *(uint64_t*)0x20004a10 = 0xb533; *(uint32_t*)0x20004a18 = 0x800; *(uint32_t*)0x20004a1c = 0xad7; *(uint32_t*)0x20004a20 = 0x32f914fb; *(uint32_t*)0x20004a24 = 0x2000; *(uint32_t*)0x20004a28 = 0xe0; *(uint32_t*)0x20004a2c = r[6]; *(uint32_t*)0x20004a30 = 0xee01; *(uint32_t*)0x20004a34 = 4; *(uint32_t*)0x20004a38 = 0x64; *(uint32_t*)0x20004a3c = 0; *(uint64_t*)0x20004a40 = 4; *(uint64_t*)0x20004a48 = 0xfffffffffffffffc; *(uint32_t*)0x20004a50 = 0x16; *(uint32_t*)0x20004a54 = 6; memcpy((void*)0x20004a58, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004a70 = 2; *(uint64_t*)0x20004a78 = 2; *(uint64_t*)0x20004a80 = 7; *(uint64_t*)0x20004a88 = 0x8000; *(uint32_t*)0x20004a90 = 9; *(uint32_t*)0x20004a94 = 3; *(uint64_t*)0x20004a98 = 2; *(uint64_t*)0x20004aa0 = 7; 
*(uint64_t*)0x20004aa8 = 0x80000000; *(uint64_t*)0x20004ab0 = 8; *(uint64_t*)0x20004ab8 = 6; *(uint64_t*)0x20004ac0 = 0x400; *(uint32_t*)0x20004ac8 = 0xc932; *(uint32_t*)0x20004acc = 0x81; *(uint32_t*)0x20004ad0 = 5; *(uint32_t*)0x20004ad4 = 0x1000; *(uint32_t*)0x20004ad8 = 0xf841; *(uint32_t*)0x20004adc = r[7]; *(uint32_t*)0x20004ae0 = 0xee00; *(uint32_t*)0x20004ae4 = 0xff; *(uint32_t*)0x20004ae8 = 5; *(uint32_t*)0x20004aec = 0; *(uint64_t*)0x20004af0 = 4; *(uint64_t*)0x20004af8 = 0xffffffffffff3232; *(uint32_t*)0x20004b00 = 0x16; *(uint32_t*)0x20004b04 = 5; memcpy((void*)0x20004b08, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004b20 = 4; *(uint64_t*)0x20004b28 = 0; *(uint64_t*)0x20004b30 = 0; *(uint64_t*)0x20004b38 = 7; *(uint32_t*)0x20004b40 = 0x200; *(uint32_t*)0x20004b44 = 6; *(uint64_t*)0x20004b48 = 5; *(uint64_t*)0x20004b50 = 0x1020000; *(uint64_t*)0x20004b58 = 6; *(uint64_t*)0x20004b60 = 0x7f; *(uint64_t*)0x20004b68 = 0xce; *(uint64_t*)0x20004b70 = 0; *(uint32_t*)0x20004b78 = 0xa9fb; *(uint32_t*)0x20004b7c = 0xffffff81; *(uint32_t*)0x20004b80 = 0x3ff; *(uint32_t*)0x20004b84 = 0x1000; *(uint32_t*)0x20004b88 = 0; *(uint32_t*)0x20004b8c = 0; *(uint32_t*)0x20004b90 = r[8]; *(uint32_t*)0x20004b94 = 0x8de6; *(uint32_t*)0x20004b98 = 3; *(uint32_t*)0x20004b9c = 0; *(uint64_t*)0x20004ba0 = 2; *(uint64_t*)0x20004ba8 = 0xffffffff; *(uint32_t*)0x20004bb0 = 1; *(uint32_t*)0x20004bb4 = 5; memcpy((void*)0x20004bb8, "/", 1); *(uint64_t*)0x20004d30 = 0x20004bc0; *(uint32_t*)0x20004bc0 = 0xa0; *(uint32_t*)0x20004bc4 = 0; *(uint64_t*)0x20004bc8 = 0x3f; *(uint64_t*)0x20004bd0 = 5; *(uint64_t*)0x20004bd8 = 2; *(uint64_t*)0x20004be0 = 0; *(uint64_t*)0x20004be8 = 7; *(uint32_t*)0x20004bf0 = 6; *(uint32_t*)0x20004bf4 = 3; *(uint64_t*)0x20004bf8 = 2; *(uint64_t*)0x20004c00 = 0xf51e; *(uint64_t*)0x20004c08 = 0x65; *(uint64_t*)0x20004c10 = 1; *(uint64_t*)0x20004c18 = 0x8b; *(uint64_t*)0x20004c20 = 0x7f; *(uint32_t*)0x20004c28 = 0x100; *(uint32_t*)0x20004c2c = 9; 
*(uint32_t*)0x20004c30 = 0x24; *(uint32_t*)0x20004c34 = 0xa000; *(uint32_t*)0x20004c38 = 0x3f; *(uint32_t*)0x20004c3c = 0; *(uint32_t*)0x20004c40 = -1; *(uint32_t*)0x20004c44 = 0x40; *(uint32_t*)0x20004c48 = 3; *(uint32_t*)0x20004c4c = 0; *(uint64_t*)0x20004c50 = 0; *(uint32_t*)0x20004c58 = 1; *(uint32_t*)0x20004c5c = 0; *(uint64_t*)0x20004d38 = 0x20004c80; *(uint32_t*)0x20004c80 = 0x20; *(uint32_t*)0x20004c84 = 0xfffffff5; *(uint64_t*)0x20004c88 = 0x401; *(uint32_t*)0x20004c90 = 0x5b2; *(uint32_t*)0x20004c94 = 0; *(uint32_t*)0x20004c98 = 9; *(uint32_t*)0x20004c9c = 2; syz_fuse_handle_req(r[3], 0x20000200, 0x2000, 0x20004cc0); break; case 21: memcpy((void*)0x20004d40, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004d40); break; case 22: res = -1; res = syz_init_net_socket(3, 2, 1); if (res != -1) r[9] = res; break; case 23: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[10] = res; break; case 24: *(uint32_t*)0x20004d84 = 0xb8ca; *(uint32_t*)0x20004d88 = 0x20; *(uint32_t*)0x20004d8c = 0xe7c; *(uint32_t*)0x20004d90 = 0x26b; *(uint32_t*)0x20004d98 = r[10]; *(uint32_t*)0x20004d9c = 0; *(uint32_t*)0x20004da0 = 0; *(uint32_t*)0x20004da4 = 0; syz_io_uring_setup(0x3e79, 0x20004d80, 0x20ffc000, 0x20ffb000, 0x20004e00, 0x20004e40); break; case 25: *(uint32_t*)0x20004e84 = 0x29dc; *(uint32_t*)0x20004e88 = 2; *(uint32_t*)0x20004e8c = 1; *(uint32_t*)0x20004e90 = 0x3d6; *(uint32_t*)0x20004e98 = r[3]; *(uint32_t*)0x20004e9c = 0; *(uint32_t*)0x20004ea0 = 0; *(uint32_t*)0x20004ea4 = 0; res = -1; res = syz_io_uring_setup(0x5336, 0x20004e80, 0x20ffd000, 0x20ffb000, 0x20004f00, 0x20004f40); if (res != -1) { r[11] = *(uint64_t*)0x20004f00; r[12] = *(uint64_t*)0x20004f40; } break; case 26: memcpy((void*)0x20004f80, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20004f80, 0xfffffffffffffff8, 0x240); if (res != -1) r[13] = res; break; case 27: *(uint8_t*)0x20004fc0 = 6; *(uint8_t*)0x20004fc1 = 0; *(uint16_t*)0x20004fc2 = 0; *(uint32_t*)0x20004fc4 = r[13]; 
*(uint64_t*)0x20004fc8 = 0; *(uint64_t*)0x20004fd0 = 0; *(uint32_t*)0x20004fd8 = 0; *(uint16_t*)0x20004fdc = 0x4404; *(uint16_t*)0x20004fde = 0; *(uint64_t*)0x20004fe0 = 0; *(uint16_t*)0x20004fe8 = 0; *(uint16_t*)0x20004fea = 0; *(uint8_t*)0x20004fec = 0; *(uint8_t*)0x20004fed = 0; *(uint8_t*)0x20004fee = 0; *(uint8_t*)0x20004fef = 0; *(uint8_t*)0x20004ff0 = 0; *(uint8_t*)0x20004ff1 = 0; *(uint8_t*)0x20004ff2 = 0; *(uint8_t*)0x20004ff3 = 0; *(uint8_t*)0x20004ff4 = 0; *(uint8_t*)0x20004ff5 = 0; *(uint8_t*)0x20004ff6 = 0; *(uint8_t*)0x20004ff7 = 0; *(uint8_t*)0x20004ff8 = 0; *(uint8_t*)0x20004ff9 = 0; *(uint8_t*)0x20004ffa = 0; *(uint8_t*)0x20004ffb = 0; *(uint8_t*)0x20004ffc = 0; *(uint8_t*)0x20004ffd = 0; *(uint8_t*)0x20004ffe = 0; *(uint8_t*)0x20004fff = 0; syz_io_uring_submit(0, r[12], 0x20004fc0, 8); break; case 28: memcpy((void*)0x20005000, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20005000, 0x1000, 0x8600); if (res != -1) r[14] = res; break; case 29: *(uint64_t*)0x20005080 = 0; *(uint64_t*)0x20005088 = 0x20005040; memcpy((void*)0x20005040, "\x48\xd5\xa3\x40\x0d\x13\x5d\xd4\x91\x01\x61\x86\x7c\x99\x1f\xc7\xd6\x8d\x55\x14\x5f\xbb\xc5\xc4\x98\xb5\x8f\xba\x49\xbd\x01\xb6\x83\x86\x47\x33\x65\xa9\x13\x12\x72\xed\xe1\xd5\x3b\xc2\x85\x05\x1b\x85", 50); *(uint64_t*)0x20005090 = 0x32; *(uint64_t*)0x200050c0 = 1; *(uint64_t*)0x200050c8 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x20005080, 1, 0, 0x200050c0, 1); break; case 30: *(uint32_t*)0x20005100 = 1; syz_memcpy_off(r[11], 0x114, 0x20005100, 0, 4); break; case 31: memcpy((void*)0x20005140, "afs\000", 4); memcpy((void*)0x20005180, "./file0\000", 8); *(uint64_t*)0x20006640 = 0x200051c0; memcpy((void*)0x200051c0, "\xc5\xf6\xf4\x20\xae\xec\x38\x8c\xed\xec\x2b\x59\x7c\x81\x56\x53\x8c\xd4\x58\x60\x34\x19\x9f\x56\xf5\x94\x4d\xa0\x3d\x8c\xa8\x29\xf6\xc6\xb6", 35); *(uint64_t*)0x20006648 = 0x23; *(uint64_t*)0x20006650 = 1; *(uint64_t*)0x20006658 = 0x20005200; memcpy((void*)0x20005200, 
"\xf4\xee\x9e\xdc\x1b\xe2\xc2\xd8\x62\xa4\x80\xf3\x0a\xe3\x0d\xaf\xad\xfd\xf8\x69\xf7\x78\x9a\x45\x49\xf5\xa8\xda\xc0\x6f\xe4\xc5\xd5\xd2\xcf\x00\x66\xd8\x8b\xfc\xa6\xaf\x40\x74\x5e\xd6\x17\xb7\xa1\x46\xc9\x40\xde\x37\x50\x5c\xb9\x65\xea\xa1\x98\x2c\x8c\xa0\xec\x21\x06\xf4\x7e\x4e\x26\x5f\x1e\x19\x28\x5b\xba\x7e\xb5\x77\xf6\x00\x66\xb5\xf4\x6c\x62\xd2\xec\x00\x68\xed\xcb\xe6\x30\x0e\x4f\x1e\x3c\xce\x42\x9e\x45\xa7\xdf\x28\x7e\x80\x09\x84\x1d\xb1\x01\x51\x34\xee\xaa\x72\x43\x11\xe5\x51\x81\xcb\x7a\xfe\x7d\xfd\xc7\x94\x6b\xd1\x45\x23\xea\x66\x80\xea\x42\xca\x9f\x7b\x0e\xaa\xab\xe1\xd0\x54\x27\x7e\xff\x60\x7e\xf4\xf8\x40\x2e\x5d\xc3\x7e\x6a\x52\x8e\xc3\x56\x58\x23\xc0\x31\xa8\x46\x0e\x8b\x5f\x67\x06\x68\xf8\x6b\x90\xa0\x26\x04\x3a", 184); *(uint64_t*)0x20006660 = 0xb8; *(uint64_t*)0x20006668 = 2; *(uint64_t*)0x20006670 = 0x200052c0; memcpy((void*)0x200052c0, "\xba\xee\xde\x48\x17\x36\xd9\x0f\x0a\xa3\x6f\xb3\x27\x95\x6d\xd7\x63\x57\x8e\x20\x19\x9f\x0d\xc8\x5f\x18\x5c\x93\x06\x86\x6b\xa3\x3c\x93\xd2\xaf\x96\x13\xc9\x29\x09\xc6\x51\x25\x4e\x6a\x63\x50\x3d\xbf\x31\x7b\x02\x1c\x4b\x3c\x8d\xe3\x05\xd3\xde\x39\xa1\xad\x9a\xc1\xb0\xab\x3f\x51\xf6\x8c\x1a\xe1\xda\x3e\x4c\xc7\x44\xfd\x00\xdf\xa6\xd1\xb9\x6e\x21\x13\x40\x07\xd3\x1c\x93\x01\x38\x54\xed\x32\x55\x0f\x1b\x82\xa4\xc0\x3c\xa6\x74\x40\xd8\x65\x45\xdc\xd2\x9e\xea\x99\x27\x4f\x65\x57\x37\xad\x5a\x54\xd9\xe7\xf9\xde\xc4\x91\x29\xbb\x84\xbe\xb6\x2b\x18\x53\xf6\x9e\x6a\x07\x72\x09\xf7\xe5\x5c\xe0\xd5\x16\x86\xca\x76\x4d\x2c\xe3\x34\xcd\x6d\x09\xb5\xd9\x23\x57\xbd\xef\x60\xa6\x35", 169); *(uint64_t*)0x20006678 = 0xa9; *(uint64_t*)0x20006680 = 0; *(uint64_t*)0x20006688 = 0x20005380; memcpy((void*)0x20005380, 
"\x31\xf1\xfb\xee\x4b\x48\xe6\xe6\x9c\xb6\x1b\xd1\xcc\xc1\xe2\x13\xaf\x5a\x28\xe7\x4c\xff\xc2\xe5\xe8\x2f\xbb\xcd\x1c\x34\x00\xfa\xf3\x79\xd1\xa1\x94\xd5\x2a\x36\x67\xe2\x01\x9b\x9a\xec\x0e\x14\xfe\xed\x8f\xea\x77\x0a\x9a\x1b\xfb\xbc\x30\x99\x73\x21\xbc\xbb\xcf\x4d\x11\x5b\xb3\xd3\x26\x9e\x50\xbe\xca\x59\x82\xef\x1d\x22\xc9\x83\xd7\x86\x21\xdb\xaa\x93\xe8\x39\x5e\xfe\x31\xdf\xad\xed\xca\xde\xd0\x97\x6f\x5f\x0c\x7d\x4f\x17\xb6\xcc\x88\xb8\x97\xce\x5d\xdf\xf1\xad\xe8\xef\x2d\x62\xdc\xbe\xd4\x21\x58\x9e\x3c\xfb\x5d\x85\x50\xd3\x65\x1a\x99\x11\x5d\x6e", 138); *(uint64_t*)0x20006690 = 0x8a; *(uint64_t*)0x20006698 = 2; *(uint64_t*)0x200066a0 = 0x20005440; memcpy((void*)0x20005440, "\x78\x81\xb6\x81\x1e\xa2\xae\xc8\xf2\x7f\x7f\x7f\x52\x3c\xc4\xba\xca\x36\x52\xf7\x30\x3c\xd7\x48\xfb\x4e\xd8\xcc\x78\x3a\xc5\x78\xa9\xe8\x53\xa9\x90\x6a", 38); *(uint64_t*)0x200066a8 = 0x26; *(uint64_t*)0x200066b0 = 1; *(uint64_t*)0x200066b8 = 0x20005480; memcpy((void*)0x20005480, "\xc5\x05\xe1\x80\x5e\x72\xc2\x3f\x48\x9b\xb4\x5d\x55\x60\x79\x64\x53\x32\x08\x2b\x1b\x6b\xef\x7a\xdc\x39\xb0\x98\xe1\x73\xf4\x2f\xdd\x8d\x2c\x65\xce\xb6\x64\xad\xb4\x7d\xe1\x73\xdb\x5b\x34\x23\xe0\x2b\xfe\xe5\x83\x39\xfc\xb7\xd8\x5f\x2d\x1a\xcd\x1f\xed\x18\xda\x1c\xb7\xb3\xd2\x8d\x4e\x36\x8a\xa5\xf0\x2a\x89\x50\xaf\xd1\x9b\x0d\x60\x03\xc1\xfc\x54\x24\xd3\xe2\x8d\x4b\xf7\x90\x2f\xa3\xd9\x99\xb4\xf6\x23\x68\xc5\x84\x4f\x1e\x9e\x4d\x19\x5c\x65\x48\xc1\xa0\xe6\x14\x80\xc6\x1f\xe3\xfc\x89\x54\x81\x0a\x5c\x55\x19\xa2\x85\x0a\xff\x54\x44\xdf\xe3\x6d\x6c\x08\xfb\x25\x1d\x64\x59\x51\xca\x0a\xee\x8a\xe0\x9d\x52\x18\xce\x7d\x78\x3d\x4a\x62\x07\x0c\xce\x23\x1a\xb7\xc6\x30\x93\x1f\xbc\x78\x39\xba\x29\x79\x30\x5c\xab\xb4\x5f\x4a\xa2\xdc\x92\x49\x72\xfe\x3a\x5a\x80\x6c\x03\xc7\x41\x79\x3e\xb0\x46\xd5\x66\xef\x8d\xe1\xd0\xb7\x14\x50\xb5\x61\xba\x65\xb0\x14\x14\x29\xbd\x3e\x5a\x42\x06\xb4\x7e\xf0\x97\x27\x5e\xad\x1f\xe3\x12\x57\xa7\x23\xdd\xc5\x85\xc7\x03\xf5\xd0\xfc\xf7\xb2\x98\x13\x4d\x89\xd0\x3f\x47\x7a\xb7\xaf\x75\x6e\x3a\x4f\x9e
\x1d\x06\xca\x01\xf2\xb7\x59\xc9\x55\xb8\xe8\xbf\xc1\xb8\x07\x01\x98\xb3\x30\xf5\x85\x8c\x69\x51\x61\x06\x82\xa3\xcb\xdc\xb5\x91\xf1\x39\xa7\x1e\x88\x3b\xb7\x69\x1c\xb5\x6b\xc0\xad\x95\xdd\x77\x4f\xdc\x11\x0d\x07\x5b\x3a\xcf\x5f\xbb\xb2\x27\x22\x79\x21\xe1\x0a\xa5\xb7\x3d\xa8\x1d\xca\x19\x66\x00\x37\x61\x20\x26\x6c\xc8\x4f\x0c\xc2\xee\x0f\xf3\xf6\xc7\x4b\x65\x6a\x61\xb5\xf5\xae\x6d\xab\x4a\x9c\xe8\x4c\xb9\x7c\x0b\x90\xe7\xa0\xd0\x78\x28\x81\x9e\x2b\xdd\xb1\xa7\x27\x7c\xaf\x68\x71\x95\xec\x83\x64\xd8\x52\xb9\x86\x43\xf5\x55\xdc\xa6\xad\x72\xd6\x80\x64\x3f\x29\xc3\x22\x57\x5f\x2e\x57\x11\x34\x3f\x8a\xa2\x4d\x7d\xeb\x87\xd3\xac\xe4\x82\xbc\x05\xdc\xd5\x28\x83\x38\xb5\x84\x99\x4a\x09\x0c\x45\x1a\xbb\x28\x4c\x01\x04\xc5\xf3\x79\x08\xeb\x33\x07\xd6\x5e\x79\x2b\x4f\x25\x86\x00\xde\x77\x07\xc8\xb1\x54\xff\xd5\xf5\x6d\x7a\x17\xc6\x2f\x09\x28\x28\x51\x6f\x82\xea\x4a\x12\x6a\x2a\x36\x0c\x70\x31\x08\x77\x0c\xc7\xe7\x50\x5c\x8e\x18\x0c\x5f\x37\x6d\x0d\xba\xf1\xe1\x85\xa5\x04\xed\x01\x3b\x0b\x16\x24\x83\xf9\xe2\xa3\xbe\xc7\xd6\x83\x30\x82\xac\x95\x4e\x8f\x5e\x31\x84\x37\x2e\x05\x08\xad\x7e\x0f\xb4\xb2\xf1\x20\x1a\x35\x88\x2a\xda\x41\x5d\xfd\xb3\x65\x87\xe8\x87\x95\x10\x1f\x9d\xc6\xc0\xd2\x6b\xbb\x64\x24\x21\xdb\x09\x73\xef\x28\x3c\x2b\xea\x7f\x5c\x9c\x35\xeb\x13\xea\x5a\x97\x42\x85\x2f\x08\x3e\x44\x32\x82\xcb\xad\x94\x7e\xa0\x5d\x3f\x99\x8b\xf3\xf8\x60\xcd\x12\x5b\x26\x6e\x1f\x3b\x84\xc4\xe6\x2b\x4e\x49\xae\x7f\x85\x2d\x57\x8e\xab\x24\xa0\xc5\xe4\xc6\x09\x28\xb6\x99\xc7\xb6\x8c\x63\x28\xf3\x2c\xa3\x71\x5b\x94\x00\x55\xb6\xad\x04\xf9\x94\x16\x55\xdc\xfa\x91\xdc\x4d\xf0\x21\xa7\x45\x04\x51\x9f\x0a\x7d\xf1\x0d\xb5\x05\xda\x8c\xa4\xa0\x52\x58\x04\xdf\xd9\x0a\x31\xbb\xa6\x48\xbe\xe5\x7b\xcc\xd6\xcd\x9a\x59\x6e\xb9\x45\x86\x7e\x02\x31\xfa\xfb\x66\xc5\x01\x7b\x29\x79\xad\xe5\xdf\xcf\xb2\x4c\xb5\xc7\x88\x15\x11\x18\x56\x04\x90\x6d\x1f\x20\x1a\x12\x64\xa5\x4c\x20\xc1\x73\x90\x1d\x32\x5f\x5c\x2b\x0e\x0f\xff\x22\xc6\x83\x4d\x07\x0c\xbe\xdc\x8a\xe6\x6f\x2f\xce\x84\x88\xd7\x7b\x1f\x92\x57\xa9
\x1a\x00\x1e\xda\x07\x55\x56\xc2\x3e\x7a\xdb\xde\x0c\x99\x4b\xd6\x98\x0c\xbd\xb3\x44\xd0\x4e\xfd\x2a\x3f\x4e\x73\x26\x20\x26\x0d\x15\xf6\x08\x4c\xca\xb9\xb2\xf1\x3b\xf5\x47\x82\xeb\x2f\x56\x89\x19\xe0\xae\xfc\x06\x3f\x3f\x2a\xf6\xbe\xb8\x19\x15\x9c\xfd\xb0\x53\x4e\x79\xe0\xcd\x74\x51\x5b\x52\x8c\x82\xce\xfa\xec\x85\x47\xd0\x5f\x08\xb0\x04\x24\xa0\x2a\xbb\x0f\xe2\x0d\x30\x55\xd3\xb9\xd9\x7e\x8b\xad\x3a\x7b\x22\x02\xb8\xef\xfc\x5d\xa0\x55\xf4\xeb\x18\x27\xdc\xb1\xde\x57\xde\xfc\x3c\xcb\xe7\xc3\x02\x79\xa3\x04\x11\x96\xa9\xf0\xb1\xa7\x44\x91\xc0\x7b\x9a\x1a\xf0\x40\xe5\x3e\xc7\x1a\x91\x10\xe2\x0f\x32\x09\x2a\xdd\xcd\x05\x8a\x15\x07\x9b\x71\x8f\xac\x59\x4d\x8e\x75\x13\x9b\xc9\x26\x0f\xf6\x56\x47\x25\x0f\xd7\xce\x6b\xdb\xc3\x05\xc0\x79\xc5\xcc\x2f\xe6\xcd\x1f\xca\x99\x3e\x85\x30\xe0\x37\x38\x83\x90\x08\xdc\x65\x8f\x22\x66\x4e\xea\x77\x06\xf6\xad\xa2\x4c\xa1\xa2\x2e\x83\x0a\xad\x64\xf4\xdc\x44\x38\x7d\x83\xad\x42\x88\xf4\x46\x72\xd9\xa0\x55\x59\xfb\x29\xc6\x6f\xe6\x67\x9e\x97\x9f\x86\xee\x31\x67\x5f\x50\x1d\x95\x81\x47\x96\x61\x29\x08\xd1\xf7\x03\x7b\x69\x0b\x94\x81\xfb\x68\x7f\x2d\x52\xb5\xa3\x73\x51\x5f\x62\x07\x59\x36\x04\x2a\x0e\x9d\x10\xc9\x11\x14\xa9\xe7\x4c\xa7\xac\x76\x55\x8f\x73\xfa\x26\xfe\x9d\x14\xde\xa8\x5d\x4c\x9f\xae\x1f\x6c\x53\xbb\x76\x8b\x14\x57\xa7\xf8\x9b\xcb\xf9\x0e\x70\x69\x75\x37\x67\xf0\xc1\x90\x21\x63\xe4\x00\xaf\xdd\x91\xec\x2d\xac\xbe\x68\x0c\x7d\x64\x54\xa0\xf1\x73\x49\x0b\x6b\x1e\xd4\x88\x1e\x82\xcd\x79\xd6\xb8\x91\x61\xd8\x7f\x4f\x27\x0d\xea\xde\xbe\xb3\x51\x07\xc1\x9c\x7a\x6d\x54\x08\xe6\x0b\x32\x5c\x64\xdb\xb9\x98\x3b\xfa\xf0\x30\x6f\xac\x8a\x0f\xb3\x24\xaf\x5d\x69\xc2\x1c\x62\xa8\xb5\xe2\x57\xa4\x8d\xe0\x69\x22\x6a\xb2\x9a\xee\xad\x17\xfa\x45\xf3\x84\x75\x0f\x8b\xba\x1d\x46\xe0\xa4\x12\x78\x07\xe1\x0d\x15\x70\xda\x63\xb2\x02\xee\xb7\x15\x38\x6a\xfe\x3d\x8b\x17\x47\xca\xa6\xa4\x14\x16\xdd\x65\x52\x4d\x22\x28\xea\xaa\xd1\xa6\x1b\xff\x8d\xb8\xbe\x75\x2c\x45\xae\xca\x76\xde\xa3\xaa\x68\x08\x36\x4c\xf7\x58\xdc\x87\x03\x41\x7a\x49\xb9\x3e\xca\x5a
\xd0\x9d\x63\x30\x3a\x4a\xc3\x78\xaa\xd3\x4a\x08\xde\xcc\x4a\x72\x0c\x3e\xea\xf8\x8a\xce\x0a\x72\x90\x0b\xc3\xdd\x40\x2c\x12\x2d\x00\xd5\x6b\x51\x72\x35\xae\x91\x12\x83\x2d\x63\x7b\x93\x17\xb6\x1f\x9d\xcb\x0c\x48\xe7\x28\xe8\x50\xdf\xd5\x26\x26\xdb\x29\x6a\xad\x77\xb9\xc7\xcd\x91\x67\xf3\x19\x47\x47\xc0\x11\xa5\xfb\xda\xbc\xa9\xca\xbd\x2f\x6b\x75\x81\xf9\xd9\x1c\x63\x66\xd5\x26\xb1\x68\x3e\x3f\xee\xfd\x0f\xe3\x0f\x53\xe7\xcb\x7d\xe4\x1e\x89\xe4\xe7\x43\xef\xea\x39\x44\xea\x8a\xfd\x9f\x77\x8a\x7f\x06\xbf\xb0\xef\x23\x86\x48\xc2\x1c\xed\xfd\xd8\xb7\x6e\xed\x76\x57\x74\xd7\xa4\x90\xb0\xee\x46\x4e\x44\x88\xa9\xc3\xdd\x21\xc7\xba\x2e\x63\xa3\x1a\xe3\x8f\xfa\xb2\x09\x46\x0b\xa9\x3a\x62\x02\x9d\x8f\x2a\xde\x13\x77\xb5\x34\x38\xb0\x51\x90\x12\x27\x39\x82\x72\x63\x9f\x12\x4d\x42\xb5\x55\xd5\x91\xa6\x65\x5f\x73\xf6\xc4\x6c\x51\x4c\xf3\x2a\xe4\xc6\x04\x6c\x38\x04\x07\xf7\xd9\xcf\x3c\x14\x1b\xdd\x94\x69\x13\x84\x95\x8e\x67\x17\x8f\x81\x6a\x63\xe4\xcc\x18\x9c\x52\x16\x38\xdc\x7a\x28\xd2\xaf\xb6\x12\x84\x76\xe4\x08\xee\x85\xb9\x9a\x12\x61\x29\xc5\x5e\x67\x9c\x0b\xdc\xeb\xd9\x66\x98\x17\xe9\x45\xb0\xff\xfa\x61\x5a\xb9\xce\xf2\xf8\x59\xe0\xac\x38\x25\x36\x11\xfe\x63\xbd\x57\xfd\xf0\x3f\xb0\xd6\x5c\x1c\xc6\x5d\xf2\x65\x38\x59\xfc\x59\x4f\x9a\x3e\xb3\x79\xd1\x17\xda\x82\x8a\xc5\x58\x6b\x3f\x6d\x3b\xcc\xf1\xd5\x4c\x45\xbc\x1a\x5f\xa4\x5e\xd7\xad\x36\x6c\xff\x39\xa6\x32\xbd\x4d\x14\x70\x0d\x30\xf7\x0c\x99\x72\x5c\x2f\xb8\xee\x97\xcb\xc5\x9f\x8e\x5b\x64\xfa\xc8\xfe\x2f\x83\x60\x41\xbb\x57\x08\xa3\x64\x0b\xbc\x67\xf9\xd0\x9a\xc1\xfd\x36\x46\xa6\xf7\x44\x6f\x48\x15\x98\x9b\xb0\x41\x9c\x94\xb0\xa6\xfc\x97\xd0\xfd\x9e\x51\x90\xe7\x24\xd7\x54\x82\xcc\x1e\xb4\xc0\x77\x53\xb0\x1c\x42\x02\xc4\xd0\x9d\x00\x6b\xd6\xbd\x92\xb3\x3c\xd4\x0d\x8f\x1b\xf7\xea\x73\x9a\x68\x6f\x8d\x3a\x12\xdf\x2f\x7c\x57\x8a\xd2\xe0\xc1\xb2\x9c\x04\xf2\x82\x85\x70\x45\xed\x90\x38\x28\x30\xcf\x0f\x2f\x2c\x8d\x22\x07\x3e\xde\xc3\x1d\xd2\x57\x30\x0b\xa6\x7b\xec\x88\xa1\xe7\xa5\x58\x0f\xdd\xe5\x01\x98\x79\xf6\x96\x2d\xa5\x0d
\x75\xc6\xfd\x13\xa1\x9e\x35\x8e\x13\x41\x35\xdb\xb8\xb4\xbe\xed\xbe\xd1\xcc\x5f\x8f\x20\x34\xee\x29\x7f\xf6\x9b\x9d\xb3\xe0\x05\xe5\x9f\xd5\xea\x22\xba\x51\xbd\x8f\xeb\xde\x9f\xf9\xf6\x5a\x21\xda\x5e\x13\x5c\xa8\x86\x07\x31\xc4\xde\xe9\xc3\x3c\x7e\xdb\xa5\x08\xd2\x6d\xdb\x55\x92\xfd\xf9\x85\x06\x70\x2f\x99\x80\x37\xe6\xb4\x18\xc5\xc7\x83\x62\x43\x48\xf5\x7d\x2c\xf2\xcd\x8f\xb8\x37\xc6\x18\x53\xf5\x16\xc6\x8e\x76\x58\x29\xfe\x2f\x74\x11\x66\xa7\x4a\xfd\x1e\xdc\x90\x97\x1c\x4e\xda\x7a\x6a\x18\xd8\x5d\x54\xba\x87\xf9\x09\x5b\xd1\x62\x6b\x9b\x90\x0c\xf6\xfe\x05\xee\xb1\xb4\xf0\x05\x99\xb6\xe8\x38\x1f\xe2\x8d\xe8\x51\xe1\x9a\x02\x52\xef\xde\x6c\x57\x99\xf5\x6e\xc2\xd6\x1c\xc6\xff\x5d\x1e\xb6\x5e\x9d\x8e\x05\x45\xa9\x2e\x6b\x98\x66\x27\xc7\xf9\x71\x69\x42\x10\xe0\x88\xb7\x84\xbe\xaa\xba\x64\xd2\xab\xe4\x44\x1c\x7b\x14\xfc\x8d\x2a\xda\xfa\xc7\x82\x34\xed\x72\x59\x9c\xc4\x16\xc0\x47\x75\x0b\x24\xac\x3c\x9a\xa4\x69\x0c\x05\x77\x04\x9d\x80\x5b\xae\x79\x92\x2c\x1d\x29\x66\xd9\x75\x2c\x55\x1a\x91\xa9\xfb\xc0\xbb\x95\xc2\x3a\xcc\x2a\x90\x68\x35\x31\xa5\x9f\x30\xfc\x1d\x10\x79\xbd\x9f\xc0\x7f\x0d\x09\xbd\xdc\x01\x37\x2b\xa2\x6c\x13\xef\x30\x6a\xf3\x25\x6f\x23\x5d\x72\xb7\x59\xb6\x61\x8c\x1e\x09\xe8\xdf\x69\x35\xdb\x77\x45\x3b\x49\x96\xb0\x15\x2a\xe1\x37\xd1\xca\xdd\xbd\x5f\x8e\x12\x62\x1a\x54\x81\x55\x43\x45\xdf\xbb\x7e\x2c\x50\x03\x71\x34\x6f\xea\xfd\x5d\xc0\xf6\xe2\xc5\x9e\xa2\xc2\x45\xd1\x5d\xb2\x0e\x87\xc7\x7b\xd9\x08\xd9\x28\x50\xe4\x03\xe5\x8c\xdf\xf0\xe2\xfc\x25\x7f\xf0\x00\xf3\xb2\x68\xdc\xf1\x41\xe7\x75\x25\x10\x61\x08\xa4\xb6\xed\xcf\x89\xf1\xfc\xfb\x12\xa0\xa0\x2a\xd7\xc0\x12\x12\x84\xea\x49\x0c\xa7\xbf\x87\x61\xee\xff\x5b\x37\x5e\xeb\x0a\x03\x8a\x44\x4d\x2f\xb9\x50\xf9\x65\x17\xad\xa9\x4c\xd9\x6f\x8d\xbb\xd0\x42\xa4\xde\xb1\x88\x21\x7b\x7b\x9d\xad\x94\x8b\xb5\x98\x43\xc0\xc3\x92\xbd\x9e\x79\xc8\x5d\x34\x61\x6b\xcd\x99\xfb\xff\x77\x53\x7d\x23\x4c\x05\x1e\x5e\x9a\xa9\x13\xc7\x7c\xbd\xcf\x53\x96\xce\x3f\x06\x83\xe9\x2e\xbd\x0c\x1b\x99\xfb\x5c\x66\x3f\xb9\x7b\x6d\xc2\xd4
\x35\x54\xaa\xa9\x9a\x27\xab\x99\x17\x2b\xac\x17\xe3\xbc\x04\x4d\x3d\x2e\xf8\xf8\x73\xcf\x52\x21\x4e\x71\xd7\xd7\xc5\xff\x9d\xc7\x91\xd4\x0c\xee\x37\x53\x6d\xd1\x2b\xa0\x95\xb4\x8a\x34\x19\x75\x78\x4a\x16\x14\x17\x5a\x1f\xc4\x9d\xc2\x10\x2b\xa5\xc2\x74\x16\xdf\xf8\x27\x9e\xa3\xf2\xc4\x47\x39\xb8\xef\x99\x61\x69\x9a\x4c\x79\x28\x59\xce\xe8\x81\x11\x43\x78\x46\xc9\x45\x01\x75\xb8\xba\x2a\x32\x67\x57\xdc\xbf\xd5\x51\xac\xd1\x5d\x78\x37\x32\x83\x8b\x9c\x92\x4e\x09\x23\xfb\x79\x5b\x77\x04\xbf\x1c\x84\xdb\xe6\x56\x9c\x0d\xf7\x02\xa7\x47\x7f\xa0\x99\x6d\xe5\xd6\x81\xd1\x0f\xa2\xaa\x52\xb1\x42\x53\xba\x91\x3a\xde\xcf\x47\xea\xbf\x1b\x01\x5e\x73\xd6\xba\xb5\xdb\xe5\xd5\xdd\x1e\x06\x7c\xc9\xe4\x80\x60\x40\xdb\x09\xa1\x44\x8e\xd2\x1d\x98\xdc\x6f\x45\x9f\x22\xc9\x51\xc7\xb0\x72\x01\x46\x77\x91\x09\x7b\x39\x04\x10\x36\xa5\x0e\xc5\x59\x6b\x6d\x28\xe1\x4b\x79\xaa\x12\xbe\xfa\x32\xff\x95\x62\x9d\x53\x2a\xda\xed\x53\x42\xc8\x4d\x39\xc8\x22\x53\x82\xf9\x81\xae\x4f\x85\xb7\xa1\xae\x6b\x90\xa8\x18\xb6\x2d\x71\xbf\x59\x2f\x84\x27\x3f\xa2\xcc\xbb\xa6\x5d\xfc\x34\xfd\xaf\x56\x1e\x26\xd3\x07\xb7\x43\xf8\x2b\xc7\x6f\x99\x85\xc9\x50\x76\xc8\x3a\x1d\x28\x65\x32\xb8\xd5\x95\x20\xbf\x6c\x40\xbc\x63\x5f\x51\x60\x8f\x49\xbd\x47\x82\xf6\xa6\xb7\xd3\x7c\x6f\xe8\xe5\x27\x2e\xc0\x8f\x85\xfb\x9b\xaa\x66\xbd\x70\xb1\xdb\x70\xdf\x0b\x12\xce\x35\xd8\xe1\x5c\x18\x7f\xec\xfd\x9f\xa3\x41\x72\x1f\xf6\xb2\x4a\x1b\xb6\x8b\xd0\x74\xc2\xa5\x7d\x74\x60\x91\x7d\xd2\xff\x0d\x08\x04\x11\x2b\x05\x20\xf0\x5c\xd7\x07\x87\xd8\xdc\xe6\xcb\x69\x71\x1e\xf7\x45\x3b\x40\x67\x9e\xc9\x7a\xac\x90\x0e\x69\x8c\xe1\xf8\xe5\x8b\xa7\x38\x59\x0d\xf5\xc4\x58\x8e\xc6\x50\x68\x80\x02\xa2\xc1\x4e\xc6\x0c\x58\x38\x5b\x68\xdb\x23\x8b\x8c\x5b\x18\x9b\x2f\xd5\xfd\x21\x36\x55\xe0\xc8\x19\x00\x94\x97\x64\x02\x2d\x22\x77\xb0\x38\xce\x7d\xbd\x00\xd1\xec\x66\xe2\x31\x95\x63\x6a\x39\x21\x53\x26\xea\x45\x2a\xd0\x89\x9a\x52\x2a\x7a\x77\x96\x5b\x2a\xe6\x0d\x5b\x25\xff\xc6\x4d\x1d\xd5\x04\xd2\x8c\x61\x1f\x38\xce\x5c\x3a\xa3\x4c\x4f\x6c\xdd\x1b\xd7\xe9
\x65\xe3\x68\x77\x11\x89\x34\x65\x06\xe3\xcb\xba\xf7\x45\x3f\x03\x9c\x6a\xeb\xdf\x77\xa1\x38\x75\x49\x9d\x7d\xb3\xe0\x8f\x9c\x31\xd3\x53\x07\x49\x0e\x6d\x3c\x11\xee\x69\x77\xe6\x69\xcb\x1a\xa6\x42\x0d\x46\x19\x55\x05\x0e\x0c\xfb\xe0\xbb\x23\xd1\x31\x9e\xf3\x54\x21\xd8\x0e\x56\x5e\x5f\xc9\xb3\x0d\x6d\x0a\x4d\xa0\x54\x40\x61\xe6\x44\xeb\xa5\xb4\x7b\xc4\x8e\xce\x8b\x7f\x85\xd8\x23\xc9\x8c\x4b\xd6\xcd\x46\x4a\xcc\x49\xa2\x9b\xb6\x92\x6d\x2a\x95\x97\xc6\x4e\xdb\x8a\x4b\xa2\xca\x2d\xd7\xba\xd8\x0d\xa3\xba\x9d\xf1\x43\xb2\xb3\xcb\x44\xd6\xe5\xce\x04\xaf\xf3\x97\xf5\xfc\x4b\x0f\x5a\xf4\xaa\x07\x87\x61\x1e\xfc\x52\x11\xbb\xb4\x8b\x7e\xb3\xe1\xd4\xcb\x54\xac\x2b\x9d\x0d\x9d\xa7\xff\xbd\x18\x51\x35\x94\x67\x4b\x53\x0e\x8a\x20\x6f\x9b\x04\x2b\xe8\x13\x86\x81\x92\x29\x50\x5d\x35\xce\x04\xa1\xe1\xe0\x30\x4a\xb5\xdb\x61\x88\x47\x20\xf5\xbf\x6a\xe9\x10\xd4\x8b\x9a\xaf\xe2\xbc\x5a\x1a\x4f\x4e\xda\x0f\x61\x5c\x8d\x0d\x68\x2a\x55\xa5\x2f\x0d\x40\xe1\x38\xc8\x8c\x42\x99\xaa\x1b\x10\x04\x40\x01\x68\xde\x6a\xc8\xaa\x18\xfe\x60\x29\xbf\x63\xc6\x40\xef\x7f\xb9\x1b\x56\xa5\xab\xc2\x43\x97\xd1\xb2\xcf\x3b\xc0\x87\x7e\x8d\x52\x19\xe5\x67\x23\xa6\xc4\x98\x89\xcd\xd5\xba\x03\xc8\x4f\xbc\x41\x5a\x3e\x9b\x65\x2d\x26\xe2\xd6\x13\xc3\xdc\xce\x41\x4e\x1f\xa3\xe2\x20\xb3\xc2\xe3\x53\x91\xac\x65\x20\xed\x1f\x05\x14\x88\x05\xa4\x6e\x99\x34\xe5\xfe\xbf\x84\xe1\xbb\xa2\x5b\xa1\x30\xa9\xe0\x58\x4b\x62\x5d\xf2\xc2\xee\x4e\xc0\xd1\x0a\xff\xfa\x19\x17\x73\xd4\xf4\x12\xf5\xca\x22\x51\x93\xca\x27\x88\x7f\xd4\x7c\x9c\x69\xf2\x1d\xa9\x52\xf9\x8a\x99\xf2\x05\x31\x4c\x18\x2b\x00\x14\xdd\xe7\x56\x3d\xed\x90\xe3\x38\xda\x5d\x5e\x83\x6f\x16\x2b\x96\x37\x75\x17\xc2\xf6\x75\x8d\x9b\xb4\x1e\x8b\xc9\xdd\x8f\x2e\xb5\x21\xad\x81\x4e\xac\x65\x1a\x48\xef\x64\xbc\x45\xab\x60\xbf\xf9\xd2\xe6\x7f\x03\x18\x3d\x04\x4e\xd4\x37\xa8\xbd\x73\x04\x3d\x6a\x8a\x51\x90\xfb\x5c\xd5\x2c\xfe\x06\x89\xe2\xda\x08\xcd\x11\xaa\xe6\xf2\x5c\x50\xd6\xcc\xbd\x5f\x4e\xa7\xce\x9b\x51\xb5\x79\x46\xaa\x92\xf4\x1e\xfd\xc2\xb9\x19\xc8\x87\xa0\x70\xc5\x19
\xef\x60\x0f\xe1\x4d\x67\x66\x4e\xd7\xfc\x21\x1a\x09\xe9\x12\x9b\x13\xa7\x02\x4f\x2f\xeb\xc3\x01\x05\x81\xda\x84\xb4\x4b\xbe\xdf\xdc\x1f\x54\xb6\x3c\x8c\xfa\x8c\x8b\x5c\x98\x66\x49\x33\x3e\xee\xaa\xf5\x3e\x8b\xe8\x63\x24\x23\x78\xb0\xff\x6c\xff\x6b\x1d\x6e\x02\x70\x10\x68\x44\x84\xc6\x36\xb7\xc1\x34\x01\x8e\x3a\x73\x2a\x6b\x35\x2c\xfe\x08\x1f\x79\x0f\x00\x29\x96\x7f\xf1\x82\x0d\x57\xd3\x70\xc2\xa9\xf1\xbe\x05\x11\x00\xd5\xa8\xea\xc4\x24\x1a\x6c\x2b\x64\x0f\xe7\x3b\x16\x1d\x54\x38\x01\xf1\xeb\x2a\xbd\xea\x76\x9c\x51\x8c\xbd\x72\x71\xc6\xd6\x5a\xbe\x83\x66\x1d\x2f\xd2\x8e\x41\xb9\xad\x57\x5b\x95\x8f\xbb\xc5\xa4\x3f\x34\x12\x78\x65\x6d\x30\x0f\x21\xd8\xc7\x11\x61\xbf\xc2\x81\x2b\x2f\x7f\x36\x92\xc5\x75\x8a\x5f\xea\x82\x84\xcc\x43\x15\xe2\xdc\x16\x05\xd0\xb5\x82\x43\xa9\x79\xaf\x7c\x0c\xce\x31\x3e\x3e\x12\x7b\xaf\x93\x13\xf1\xab\x8c\x43\x75\x81\x36\x95\x86\x68\x9a\xe6\x9b\x86\x84\x47\xbf\xa6\x07\x98\x62\x0c\x68\x08\x00\x90\xc9\xf0\x49\x3c\x95\xa6\x4c\xa4\xf6\x78\xea\xa1\x4f\xe8\xcb\xc9\x08\x6e\xa9\x9c\x78\xa3\xd8\x16\x98\x42\xfc\xa3\xb0\xd2\x89\x40\x6c\xfa\x9d\x52\xf4\x1d\xf0\xb7\xfc\xfe\xb6\xe1\x0b\x7f\xb8\x84\x6b\x64\x6c\x6e\x17\x73\x32\x0a\xaf\xac\x2d\x38\x42\x72\x44\x93\x2e\xd2\x37\xb9\x83\x4f\x60\xc0\xbc\x4f\x9f\x6b\x18\xee\x82\xd4\xab\x52\x57\xd0\x33\x43\x13\x7a\x44\xa5\x21\x48\x42\x7e\x74\x72\x52\xc0\x61\xc8\x8c\x78\x85\x98\x58\x16\x3f\x76\x85\x65\xfe\xfe\x43\x03\xce\xab\xa9\x4b\x78\x6b\x6d\x9d\x0b\x69\xd0\xca\x92\x0e\x61\x52\x55\xe2\xb8\xc3\xfd\xd7\x8d\x8c\x19\x4e\x9c\x80\x49\xa9\xd1\x87\x77\x26\x85\xac\x98\xfa\x7e\x7d\xf5\x4f\x5e\xbc\xe1\xec\xc1\xcf\xc7\xa6\x2e\x85\x39\x32\xde\xac\xcb\x58\xd7\x9f\xec\xb9\x31\xd1\x46\x43\xec\x70\x20\xad\xe4\x9c\xce\x0a\x1e\x78\xe3\x4d\x71\x09\x60\x22\x31\x7d\x7a\xf5\x36\xb3\x8f\x72\xfb\xf6\x5f\x7e\x47\x63\xe6\xd1\xda\xd8\xc2\x6f\x56\xe2\xab\x4c\xdf\x77\x8e\x32\x64\xa2\xad\x20\x04\xcb\xce\x99\xb7\x7e\x6e\xc2\x72\xd6\xf0\x83\xd2\x08\x3a\x04\x2f\x67\x90\x8e\x14\x7e\x60\x1e\xd4\x2f\x20\x1f\x5b\x9f\x18\xe8\x9e\xaf\x48\xd3\x84\xee\xef
\xa0\xf9\xf9\xec\x38\x6a\x27\x4e\xcd\xab\xac\xd1\xe2\xdb\x6b\x90\xad\x98\xc4\x75\x66\x7d\x27\xfa\x72\x79\x08\xd2\x8e\x37\x45\xc3\x4b\x50\x15\xed\xd1\x30\xd0\xb7\xe3\xfd\x54\xdd\xea\x89\xe3\x7d\xba\xfa\x49\x84\x07\x59\xa3\x0d\x29\xe2\x1b\xb0\x9d\x95\x00\x3c\x28\x95\x18\x9e\x43\x9a\xb7\xb4\x12\xc2\x51\x61\x0a\xa7\xaf\xab\xef\x41\xe5\xab\xe2\x23\x53\x21\xf3\x22\xe8\xbd\x59\x24\xd7\x9a\x40\x46\x05\x37\x8e\x3b\xda\x60\xd2\x8e\xa5\x67\xe6\xa7\x39\x64\xa6\xdd\xd4\x3c\xfa\x1f\x5e\x0c\xb8\xbe\x45\x5e\x1f\x6d\xbc\xcc\xf7\x2c\xd1\xcf\x14\xe8\xe5\x07\xa1\xa1\x97\x9f\x1c\x2b\x43\xc8\xa6\x49\x29\x0b\xa5\x41\x37\xd1\xaa\x64\x73\x56\x8e\x39\x0a\x66\x59\x73\x82\x34\x92\xec\x2d\xce\x33\xc3\x9c\x88\xaa\x42\x47\xf1\x4f\x1f\x0e\x56\xad\xee\x32\x60\x80\xb7\x16\xdc\x55\xda\xe2\xa5\xed\x84\x2d\x79\x0d\xe3\xf1\xfb\xe3\x2f\x89\x51\xea\xb8\xdf\xa5\x4d\x77\x0d\xf7\x34\x27\x31\x27\x0b\xeb\x47\x04\x27\x7f\x3e\x1d\xc1\x69\x34\xaf\x90\x23\x50\xcd\x6b\x0b\x7a\x67\x1f\x26\x75\xf0\xdf\x88\x48\x31\xae\x06\x39\x26\x69\xd6\xbd\xa8\x49\x3b\x6b\xda\xf5\xae\x90\xf4\xc4\x5f\x8f\xb1\x91\x4e\x0b\xe0\x57\xf4\x5d\xb5\x01\x01\xb8\xbc\x6e\x64\x9a\xa6\x85\x60\x71\x22\x5c\x42\xc6\xee\x15\x7a\xdb\xda\x58\x42\x94\x2c\xca\x28\xfc\x4c\x7c\x08\xe7\xc2\xcf\x19\x81\x54\x2b\xe4\xab\x7f\x4b\xf6\xef\xff\x69\x2d\xfe\x65\xb4\x50\x80\xb2\x1e\xee\xf5\x29\x91\x71\xa1\xc2\xb7\x36\xf7\x0d\xa4\x31", 4096); *(uint64_t*)0x200066c0 = 0x1000; *(uint64_t*)0x200066c8 = 0xff00000000000000; *(uint64_t*)0x200066d0 = 0x20006480; memcpy((void*)0x20006480, "\x82\x92\x51\xfb\xd7\x0c\xae\xb4\x51\xcc\xf0\x9a\x96\xfb\xfe\x55\x9b\x21\x7a\x4a\x12\xcf\x46\xa3\x89\xd8\x2c\x55\xef\x7f\x5c\x64\xe4\x5e\x1b\x6f\x26\x95\x59\xa8\x5e\x8b\xcc\x23\x2b\xf1\x50\x0d\xcb\x9a\xf4\x0f\x69\x71\x65\xfd\xe6\x20\x9f\x8b\xf0\x01\x58\x5b\x6c\xca\xaf\xe1\x94\xcc\xfd\xb7\xf8\x99\x08\x04\xee\x77\xed\x9a\x34\x5b\x52\xa8\xd7\xe8\xf4", 87); *(uint64_t*)0x200066d8 = 0x57; *(uint64_t*)0x200066e0 = 8; *(uint64_t*)0x200066e8 = 0x20006500; memcpy((void*)0x20006500, 
"\x34\xe0\xc0\x82\xbd\x77\xb5\x1d\x0c\x9a\xb1\xbc\xde\x0a\xcc\x30\x81\x49\xf3\xe6\x4c\x75\xb7\x17\x3c\xda\x5f\x39\xd3\xb4\xa6\x2c\x60\xde\x76\xd1\x2d\x41\xce\xc1\xb7\xc9\xbc\x9e\x57\xac\xb7\x83\x42\x82\xa5\x75\x8d\x7c\x7e\x4b\x21\x71\x5f\xeb\xf6\xfb\xf1\x44\xad\x46\xcb\xf2\xce\xc8\x7f\x74\x01", 73); *(uint64_t*)0x200066f0 = 0x49; *(uint64_t*)0x200066f8 = 0x8001; *(uint64_t*)0x20006700 = 0x20006580; memcpy((void*)0x20006580, "\xe6\x09\x76\xf8\x6d\x91\xdd\x66\xce\xc0\xb1\xe3\x0e\xc8\x01\x16\x0b\x84\xcf\xb1\xf8\x60\x37\x03\xd1\x4a\x6b\x81\x5d\x22\xe1\x78\x3e\xed\x12\xce\x8c\x08\x0e\x3f\xfb\xf0\xb5\x30\x95\xf6\x96\x03\xfa\x76\xa9\x34\xa6\x0a\x05\x26\x34\x1e\xaf\xaf\xb3\x86\x7d\x13\xe8\x8d\x1d\x39\xe3\x70\xa0\x0d\xbe\x06\xdd\xc8\x40\xba\x74\x46\xa6\x25\x97\x06\x9e\x1d\xcd\x13\x8f\x82\xb2\x9f\xf7\x8a\xf1\xd1\xc3\x13\x3f\xe9\xc0\x4d\x73\x2c\xdb\x4b\x3f\x6a\xa2\x69\x89\x36\x9b\x5f\x6d\xca\x60\x00\xa0\x76\x73\x41\xbc\x2a\xaa\xcd\x69\xe6\x48\x62\x19\x15\xb8\xaa\x9c\xb2\x4c\x6b\xb5\xae\x3f", 141); *(uint64_t*)0x20006708 = 0x8d; *(uint64_t*)0x20006710 = 3; memcpy((void*)0x20006740, "flock=strict", 12); *(uint8_t*)0x2000674c = 0x2c; memcpy((void*)0x2000674d, "obj_type", 8); *(uint8_t*)0x20006755 = 0x3d; memcpy((void*)0x20006756, "/dev/vcsa#\000", 11); *(uint8_t*)0x20006761 = 0x2c; memcpy((void*)0x20006762, "obj_role", 8); *(uint8_t*)0x2000676a = 0x3d; memcpy((void*)0x2000676b, "bpf_lsm_unix_may_send\000", 22); *(uint8_t*)0x20006781 = 0x2c; *(uint8_t*)0x20006782 = 0; syz_mount_image(0x20005140, 0x20005180, 0, 9, 0x20006640, 0x10000, 0x20006740); break; case 32: memcpy((void*)0x200067c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200067c0, 4, 0x4800); break; case 33: memcpy((void*)0x20006800, "net/icmp\000", 9); syz_open_procfs(r[5], 0x20006800); break; case 34: syz_open_pts(r[9], 0x258102); break; case 35: *(uint64_t*)0x20007d00 = 0x20006840; memcpy((void*)0x20006840, 
"\xb3\xde\x0d\x9f\x2e\x1e\xba\x98\x79\xee\xf0\x8d\xbd\x42\xed\xd7\xd6\x22\xf0\x95\xe0\xce\x34\x29\xb6\x4c\x46\x70\x8b\xf7\xfa\x26\xe6\x9e\xc1\x57\xca\xa3\xe1\x6d\x60\xb3\xba\xf5\xb0\xd2\x46\xbf\xef\x95\x5e\x35\xf8\x55\x56\xc9\x61\x4a\x60\xb6\x5c\xae\x7c\x02\x3c\x99\x31\x8f\xc8\x5b\xc0\xab\xfd\x16\xbc\x78\xeb\x56\x31\x7c\xd8\xb8\x0c\x5f\x5a\x87\x85\x6c\x5c\xd0\xb9\x7f\xc2\x83\xcb\xc9\xd8\x35\xff\x9d\x70\x97\x2b\xd4\x20\x11\x69\xa3\x5c\x26\x99\xbf\x5a\x8b\x31\xad\x36\x07\x12\x10\x19\xe7\x33\x98\xb2\x28\xb9\xc5\x9a\xa5\xb5\xc0\x07\x16\x67\x66\xee\xe5\x91\x1d\x5d\x2f\x86\x4c\xb4\x2b\x84\x21\xf3\x8c\xb2\x1a\xa9\x36\x97\xe5\xad\x16\x6a\x96\x6a\xc9\x8a\xa7\x76\xfd\x27\x50\x02\x94\xc4\xdd\x1b\xac\xf4\x1f\xd0\x70\xe9\xe4\xa9\xe5\xeb\x70\xd2\xa9\x8f\x91\x5c\x13\x91\xfd\x75\xf5\xff\xec\xfa\xb4\x24\x25\xeb\x01\x6c\x33\xec\x19\xae\x67\xf4\xb1\x00\x08\x8e\x09\x0f\x03\x5d\x78\x14\x3b\x35\x94\x4f\x30\xa4\x9a\x77\xb8\xc5\xe2\xa0\x8e\x9f\x38\x1a\x8a\xfb\xcf\x48\xeb\xad\x84\x11\x45\x5f\xf2\xcb\x76\xa4\xa1\xb5\x57\xd1\x21", 254); *(uint64_t*)0x20007d08 = 0xfe; *(uint64_t*)0x20007d10 = 0x7fffffff; *(uint64_t*)0x20007d18 = 0x20006940; memcpy((void*)0x20006940, "\x33\x0e\xa7\x46\xd7\xdf\xb4\xa5\xe9\xf3\x3a\x32\x5a\x96\x88\xca\x04\xcd\x59\xaf\x72\x4b\x34\xf7\x0a\xe3\x70\xd4\xac\x73\xea\x9a\x65\xab\x00\x3f\x2c\xbc\x01\xaf\x11\x62\xc0\xfe\xfb\x2b\x7e\x4a\x0d\xcd\x3f\x2a\x8c\x23\xf2\xa1", 56); *(uint64_t*)0x20007d20 = 0x38; *(uint64_t*)0x20007d28 = 0x2eed; *(uint64_t*)0x20007d30 = 0x20006980; memcpy((void*)0x20006980, 
"\xef\xd5\x43\xd9\x2d\xc8\x23\xae\xf9\x1d\x85\xc4\x4c\x05\x58\x44\xe2\xaf\x47\xb4\xd5\xa6\x7e\x3a\x39\x59\xdc\x6d\x61\x7c\xd8\xe9\xb6\xc3\xf5\xbb\xf0\x5d\xa7\x3f\x04\xbf\x4f\x54\xa6\xf3\xd5\x36\x1d\xee\x72\x0d\x1f\xf9\xf6\x5d\x5d\x7c\x18\xb8\x65\x34\xf2\x91\x26\x21\xaa\x81\xb4\xc2\xd3\xda\xa1\xa6\x75\x38\xac\x5e\xfc\xf2\xe0\x08\xc7\x91\xd5\x91\x52\xdb\x5f\xa2\xd0\xa2\x3f\x39\x97\xbd\x1e\x25\x02\xe6\xfa\xdb\x36\x78\x88\x91\x84\x3e\x3d\xe1\xc4\x48\x3a\xea\x75\x22\x4b\x12\xed\xe3\x00\x6b\x96\x48\xdc\x76\x61\xa4\x6d\xa2\xd1\x46\xd3\xdf\x70\xa1\xd0\x4b\x2c\x64\x57\x8d\xaf\x21\x9d\xcb\xa1\xb6\x7a\xae\x08\x6a\x25\x41\xc4\xb9\xb4\xdc\x6d\x43\xc0\x76\x54\x4b\x4c\xf9\xcd\x57\xe6\xe2\x6d\x74\x21\x7d\x1d\x85\x46\x22\x4d\x85\xf6\x50\xa0\xad\x3a\xac\x78\xc0\xcf\x1d\x83\xa4\xad\xcc\x11\xc2\xe8\x4d\xf1\x88\x9c\x79\x20\x34\x7f\xe4\x04\x20\x19\x14\x72\x78\x62\xb4\x60\x22\x9c\xe6\x7a\x1a\x88\xde\x34\xaa\x73\xd3\x9b\xe6\x7f\xe9\x22\x10\x69\x92\x21\x10\x3a\xc5\xb4\x9a\x07\xff\x0b\x35\x48\x36\x3c\x87\x80\x66\xd5\xa0\xca\x8f\x56\x5a\x61\x6a\x04\x9a\x5d\x7b\x6e\x70\xba\xdf\x46\x49\xc5\x1a\xec\x86\x71\xfa\xa4\x44\xd7\xe0\xa6\x30\x4e\x27\x3c\x40\x5c\xc6\xf3\x48\xd1\x9f\xf1\x34\x8b\xac\xc9\x6e\xcf\x1a\x28\x11\x96\x18\xc9\x1e\x59\x42\xbb\xf0\xe2\xd7\xfc\x69\x97\xcf\x63\x30\xc1\x06\xa7\x90\x2c\xcd\xc1\xb9\xcd\x0e\x8f\x55\x93\x55\xd2\x6f\x81\xc7\x7e\x52\x48\x82\xd0\x27\x83\xf1\x5b\x05\x69\x69\x02\x36\xe3\xaa\x74\xb9\x6b\xcc\x5e\xf9\x0e\xae\x4a\x5e\x3a\xba\x2a\x56\x0f\x9b\x0a\x51\x3c\xe1\xa8\xce\xb0\xd2\x10\x36\x15\xf8\x28\xb0\x12\x5d\xf3\x2e\xec\x97\x11\x0e\xe2\xa5\x9e\x1f\x91\x37\x72\xa8\x59\xf6\x5d\x95\x3c\x20\xca\x8a\x0c\x6e\x85\x26\x61\xd8\x62\x93\xcb\x46\x72\x41\x3f\xfa\xfa\x27\x03\x2e\xda\x8d\x8b\x19\xce\x77\xd3\x5d\x13\x04\x29\x6d\x8d\xbe\xe1\xb7\xc3\x58\xfe\x5d\xdf\x94\xc4\x24\x11\xe2\x63\x62\xcf\x42\xa5\xc7\xc1\x89\x91\xe3\x92\x63\x31\xa2\xc7\x12\x36\x09\xe0\xa3\xc0\x5e\x42\xf1\x75\x97\x2e\x44\x5a\x6a\xe5\x71\x54\x06\x2e\x21\xe0\x56\x66\x60\x2a\x2b\xf0\x89\x1e\xe6\x56\x48\xe5\xa9\x67\xe
a\x16\x24\x84\x99\xc8\x2e\x74\xc1\x9e\xda\xfe\xcf\x24\x02\xce\x53\x21\xf5\xbb\x4e\xcd\xe0\x58\xa1\x17\x6f\x31\x0b\xb1\x33\x8b\x11\xdd\xc6\x0d\xce\x03\xc4\x72\x7f\x7d\xd3\xc2\x33\x5d\x50\xae\x49\x2d\xca\x1b\xd9\x8b\xe4\xaf\x07\x44\x29\x1f\xa2\xba\x1c\xd3\xe9\x3e\x6f\x1d\x9d\x1b\x43\x05\xc2\x76\x41\x18\x09\x4a\x16\x43\x6a\x01\x45\x98\xfb\x64\xc3\x4e\xad\x3e\x8f\x45\xd1\x1c\x4f\xc0\x62\xc1\x44\xc8\xe0\x52\x20\xfb\xdf\x4a\x8c\xab\x6e\x28\x8b\x5c\xfd\xef\xa7\xa0\x54\x23\xef\x2d\x4f\x3b\x3b\xee\x57\x68\xb2\x80\x34\xa0\x8d\xe8\x83\xb8\x17\x27\x8b\xd3\xe7\x85\xc1\x14\x32\x9d\x99\x2c\x58\x12\x15\xf5\x64\x4c\xcf\xa4\xe8\x94\x10\x1d\x5f\xa4\x30\x08\xd8\x03\xfb\x9b\xaa\xef\xd7\xdd\x4b\x88\x83\xb6\xe7\xa1\x7f\x4d\xdf\x48\x26\xcd\xd7\x11\x0f\xf2\xc8\x39\x53\x49\x06\x8c\xd0\xb9\x55\x0a\x3a\x2f\x5c\xbc\x0d\xb0\x6b\x1b\x31\x29\x2c\x54\x87\x9a\x17\x2f\x4b\xe9\x83\x9b\x1d\x76\x89\x6c\x4c\xcc\xd8\x84\x1a\x55\x92\xaa\xc1\xf5\x27\x2b\x6f\xda\x92\x46\x34\xb5\x07\x50\xb3\x82\x31\xff\x13\x3d\xa1\xfc\x86\xd1\x09\x8c\x82\x3d\xf5\xbc\xa8\xcf\xe8\xc0\x8b\xa2\xee\xe5\xa4\x65\x8b\x29\x17\xbf\x3a\xf4\xb4\xe4\xe4\x7c\x6b\x7c\x35\xa3\x96\x3e\xbc\x60\x44\xf2\x72\x88\xc5\xa3\xc1\xa2\xf5\xfa\x45\xa1\x28\xbe\x9a\x13\xde\xd8\xc2\xf6\x74\x5e\xcf\x4f\xa9\x47\x23\xf9\xf1\x63\x82\xf4\xdb\x48\xd0\xc8\x11\xfe\x8e\xed\xb8\xbf\x05\xff\x38\xe5\x78\xd4\x93\x76\x55\x02\x53\xd2\x61\x7f\x86\x30\x3c\x54\x3f\x88\x2a\xdc\x20\x08\x56\x4c\x8b\xa1\x3e\xcd\x19\x61\x3a\x63\x19\x3d\x94\xe9\xa7\x3b\x21\xea\x1d\xdd\x30\xb4\x82\xc0\x98\x69\xc0\xfa\x37\x13\x1c\x69\xcc\xd0\x33\xdd\x96\xd8\xee\x7c\x5f\x2f\x8a\x15\x2e\x84\xc0\xf6\x59\xe6\x0c\xe1\x69\xfc\xb8\x9d\xe0\x28\xbe\xa3\x9d\x05\xdf\x03\xcf\x22\x80\x70\x29\xc1\xaa\xe4\x59\x94\x0d\xd5\x4b\x78\xc0\xde\xde\x18\x72\x3f\x97\x2d\x96\x51\x6e\x19\x71\x9e\x5c\x9e\xd0\x06\x86\x0f\x24\x71\xa8\xe5\xb1\x8f\xcf\x0e\xf4\xba\x66\x81\xa4\x1f\xa8\x00\x9b\x7e\x03\xb4\x44\xf4\x5a\xb3\xcc\xa9\xbb\xbc\x58\x13\xd1\xfa\x05\x5a\xaa\x4d\x45\x44\x12\x33\xae\x7b\x69\xb7\x59\xe3\xdd\xe7\x66\xc0\xf3\xb1\x3
b\xf9\x68\xcf\x85\x65\x38\x28\x83\x55\x7f\x92\x5c\x21\x07\x58\x61\xec\x9f\x35\xc7\xcd\x44\x4b\xcc\x7d\x38\x1d\xc0\xd7\xaa\x75\x4b\xa5\x70\x66\xb9\x02\x78\x8f\x53\x85\x4c\xf9\xd5\x6c\xa7\x3c\x7a\xc8\x5c\xca\x67\xba\x50\x9e\xc3\xa7\xc1\xb4\x2d\x8c\x65\x4b\x34\xd8\x8d\xa8\xd2\xca\x85\xad\x4a\xe8\xb8\x65\xb6\xd2\xa0\xc1\xc4\x40\x76\x68\x53\x5c\x49\xf3\x49\xe2\x76\xf1\xa8\x67\x64\xef\x18\xe3\xb0\x8f\x1d\x1e\x3c\xc1\xb9\x3c\xde\x3f\x19\x78\x57\xfb\x48\xb5\xa5\xfe\xf3\x1a\x86\xfa\x00\x22\xd6\xa9\x6d\x81\x5c\x8c\x9a\xf9\xba\xdb\x7b\x88\x6e\xa0\x9a\xda\xc7\x32\xc8\xe4\xea\xfe\xb8\x47\x32\x18\xe7\x94\xbc\x6a\x71\x6d\x17\x16\xfe\xfe\xf8\x6f\x63\xd3\x2b\x66\x73\xb4\x35\xd1\x3e\xdd\xca\x42\x25\x7c\xfe\x07\x17\xfc\xa3\xa3\x9f\x00\xbc\xa6\x50\xf5\x46\x3a\x24\xc5\x09\x24\x25\x6d\x32\x07\xd2\x9c\x1b\x1c\x95\x10\x9e\x40\xda\xb6\x07\x78\x7f\xb7\x4c\x4e\x64\xfe\x4a\xca\xc6\x5c\x62\x83\xff\xcc\x11\xfd\x08\xa0\xbd\x1f\x49\x30\xa8\xbe\xea\x57\xa0\xdd\xa0\x28\x67\x86\x6c\x5b\x1c\xe5\x86\xb3\x2e\x7c\xd1\x8a\xb1\x6a\x27\x5d\x6c\xc0\x43\xa9\x90\xe1\xd7\x97\x0f\x79\xd5\xb8\x88\x0e\xef\x3f\xc4\xef\x4d\xe5\xe8\x40\xac\xd0\xed\xbc\xde\x6b\xf6\xfe\xdf\x3c\x6a\x2d\x25\x39\xfd\xaf\x27\x8f\x06\x97\x94\xd3\x0a\x09\xd6\x15\xe1\xe4\xa5\xa7\x61\x7e\x16\x24\x1d\xaa\xb8\x7f\xda\xd4\x93\xed\x9c\xf3\x26\xfe\x64\x7a\x40\xf0\x27\x9d\x6a\x9b\x2c\xdc\x0a\xbf\x36\x26\x41\x5b\x04\xfc\x83\x65\x10\xba\x62\x51\x38\x6c\xe7\xe8\xd2\xb4\xfe\x66\x3c\xfc\x3a\x5d\xe9\xcc\x31\x3e\x9e\x1f\xc1\x91\x27\xf0\x92\x07\xc9\x55\xf5\xa8\x48\x54\x81\xf4\x31\x92\x24\xfd\xf4\xc2\x78\x7d\x58\x3c\x3c\xaf\x7a\xcb\xec\x73\xab\x9b\x4d\x2f\x24\x52\x87\xdf\x9a\xe2\x9a\x16\x9c\x4d\x79\x5c\xd0\x3c\x90\x98\x33\x94\x46\xdc\x40\x23\x7b\x69\x89\x98\xb2\x42\x36\x28\x14\x8c\xec\xb0\x2f\x69\xd2\x64\x4c\xec\x88\xc9\x48\x94\xe0\x1e\x15\x87\xfc\x85\x37\x54\x50\xe3\x2c\xca\xdc\xdc\xae\xa6\x41\xd2\xdb\x62\x92\x22\x86\x60\xd0\x4c\x44\x67\x86\xc2\x58\xb6\xfb\xbc\x1d\x0b\x6a\x8a\x38\x18\x20\x0d\x48\x9c\x12\x67\x33\x92\x2c\x96\x61\x95\xa4\x00\x7a\x68\xd0\x47\x3
5\x78\xb4\x69\xb4\x43\x3e\xac\xbe\x09\x25\x20\x24\x4d\x84\xda\x89\x24\xb9\x0d\x7f\xa1\xad\x31\xdb\x50\x1f\x16\xa5\x9d\x3d\x9e\xb7\x22\x10\xd0\x58\xb3\xd1\xfa\x4d\x87\x6d\x5b\x40\xbc\xff\x5a\xdf\x08\x6e\xbd\xc2\x64\x7b\x1b\x6f\x88\x21\x1b\xbd\xf5\x47\xf1\x69\x8e\x11\xab\xb7\x3d\xd3\xa5\x88\xd9\xca\x26\xd9\xff\x5b\x2d\x28\xd1\xe1\x76\xbe\x8a\x7a\xdf\x2e\x3e\x3a\xe1\x37\x39\x31\x12\xf5\xaa\xa8\x81\x81\x48\x82\x93\x9d\xfe\x71\x72\x1f\xa9\x2b\x89\x62\xbb\x8d\x94\x0f\xe1\xe3\x94\x8d\xef\x40\x33\xa0\x9e\x9c\x04\xca\x7e\xa8\xb5\x49\x69\x5c\x5f\xf6\x6c\x07\x73\x95\x02\x6d\x82\x57\x6d\x37\x9b\xd9\xcd\xed\x06\xff\xcc\x3a\x6f\x8b\xd5\x48\xc0\xf6\x8d\x4d\x3d\x72\xae\x27\xd8\x28\xb2\x7a\x58\x2b\x14\x88\x6d\xad\x1f\xc3\xe6\x35\x31\xc2\x87\x0f\x31\x59\xf8\xd4\xbd\x44\x94\x80\xc4\x5d\xd2\x7a\x29\x34\xdf\x90\x79\x7c\x04\x94\xe0\xf8\xef\x82\x89\xae\x41\x06\x26\xd4\xfa\x96\x6d\x82\x44\x3a\xdc\x52\x43\xfd\xb2\xc4\xdd\xff\x85\x50\xaf\x53\x38\xef\x2d\x1c\x41\x3b\x4b\xd4\xb3\x08\x20\x9c\x20\xe9\xc3\xa0\x08\x0a\x23\xd1\x6a\x31\x08\xa1\x05\x07\x83\xd4\x4b\xa9\x2a\x95\x59\x05\x08\xd3\xa5\xcf\x44\xfc\x6a\x4a\xf2\x47\x7f\x86\x64\x28\xbc\x11\x3c\x1c\xc8\xf1\x23\xda\x46\xca\x0a\x03\xc5\xdb\xd1\xf6\xe5\x75\x45\x84\xd8\xa4\x10\x3b\xd2\x3f\xa5\xe1\xf6\xf3\xac\xb1\x54\xff\xed\x12\x8d\x0a\x64\x58\x29\xd3\x34\x1a\x25\xe8\x7a\xe7\x81\x86\x2a\xbc\x7a\x15\x90\x21\x12\x4c\xfb\x03\x57\x1a\x73\xce\xef\x60\x36\x81\xf5\xe5\xe1\xe1\x57\x4d\xb3\x01\x6f\xf5\xa1\x3d\x9b\xfe\x7e\x8a\xc8\x1a\x09\xa9\x05\x23\x7e\x39\x0a\x57\x72\xd3\x61\xed\xbe\x58\x08\xe9\xd8\x59\x4f\x77\x6b\x00\x05\xe0\xc3\xd0\xf7\x1d\x66\x6c\x9d\x4d\xc4\x93\xd0\x16\x3d\x88\x54\x72\x32\x75\xd8\x50\xac\x1b\xf7\x81\x83\xa7\x75\x18\xf0\x1b\xb3\xa2\x80\xf3\x9b\xbf\x60\x6d\xef\x4f\x89\xb1\x1e\x2b\xb8\xd9\x9f\x8a\x32\x98\x5e\xd9\xbc\xb4\x2f\x11\x0b\xd2\xbd\xda\x26\x37\x6d\x9d\xaa\x70\xe1\xe6\x57\x5f\x11\xba\x7e\xf2\x69\x90\x8e\x10\x19\x48\xf5\x70\xb7\x69\x0e\x0b\x5d\x35\xed\x98\xcb\xdd\x2f\x36\x37\xb9\xf8\xf7\x8b\x2f\xfb\xc2\x93\x18\x8f\xf2\x77\x7d\xb0\x5
0\xaa\x21\x9d\xde\x78\x8a\x77\x0c\xb6\x24\xd6\x61\x70\x01\x81\x7d\x6d\x5c\x7a\x5b\xd3\x9c\x51\xff\x12\x8e\xac\x71\x2b\x9d\xb9\xc6\x0a\x74\xbd\xb7\x82\x0a\x35\x72\xa5\x09\x1c\x30\x84\x33\x92\x86\x27\x9d\x9c\xeb\x24\x41\x48\x90\x6d\xab\x1d\xed\xb6\x23\x79\xb1\x45\x97\xb7\x34\x89\x07\xfb\xa5\x54\x24\xe8\x78\xc1\x94\x98\x5c\xdc\xb2\x11\xb7\x1b\xdf\x38\x06\x33\x9a\x53\x00\x6a\x90\x06\xc7\x46\xbc\x49\x10\x8c\x81\x00\x93\x8d\xc2\x4a\x08\xd5\x7b\x01\x3f\x41\x03\xd8\x7d\xf3\x10\x85\x84\x05\xd0\x6f\x05\x9b\x65\xcd\x54\xae\xa1\xd0\xf1\x5c\xb2\xa4\x1b\xc8\x67\xd2\x2c\xb9\xd6\x7c\x31\x0b\x05\xa4\xf9\x40\xbd\x2e\x7a\x58\x63\xc8\xe1\xc8\x0d\x3a\xd0\x7b\x21\x50\x4b\xf2\x13\xda\x5c\xb3\x8f\xb6\x52\xa4\x7c\xcd\x7a\x5c\xfa\xfa\x0c\x3f\xfe\x2a\xac\x76\x25\xa9\x55\x88\xec\xd7\x7a\x95\x93\xd0\xbf\x2e\x7d\xf7\x99\x9f\x02\x44\x33\x5a\x9f\xac\x01\x5c\x32\x27\x30\x09\xd1\xf8\x65\xdf\xb8\x73\xc6\x5f\x52\xe9\x08\x1b\x02\x2b\x99\xb0\x15\x86\xf5\xfb\x15\x84\xfd\x9b\x1f\xda\xf8\x6c\x78\x3f\x61\x77\x2a\xff\x11\x78\xe0\x8d\x5b\xd0\x67\xb6\xfd\x23\x3d\xb8\xc4\x32\xfa\xbb\xd0\x0a\x53\x0f\x1c\x40\xb5\xf0\x5f\x78\x83\x49\x50\x59\xd1\xb5\x8b\x95\x23\xd1\xf5\x25\x57\x36\xb2\x3f\xf5\x6c\xab\xb4\xcb\x71\x0e\x43\xa7\x0f\x71\xcf\xfd\x17\xe3\xfa\xe9\x04\x36\x34\x86\x9f\x16\x6a\x95\x8c\xa5\xde\xc6\x39\xb8\x5b\x21\x34\x09\x6e\x69\x7c\x24\xe3\xb0\xa8\xcf\xb1\x94\x22\xff\x01\xf4\xeb\xef\x24\xb7\x23\x3d\xe1\xa0\xf8\x9c\x80\xe2\x31\xb8\x45\x9f\x53\x1a\xc2\x3e\xb1\xa2\x37\x3b\x3c\x58\x07\xee\x65\x52\x70\x71\x52\xa3\x16\x95\x55\xa6\x63\xd1\xbf\xb4\x53\xc8\xc3\x80\xc5\xa5\x2c\x95\x8e\x30\x2d\x4d\x75\x28\xaa\xb5\xd0\xa6\x68\x92\x30\x80\x98\xb5\x66\xa1\x36\x7c\xbf\xd9\xa3\xa4\x6c\x5f\xb7\x72\x25\xb7\xb6\xf9\xf9\x2e\xd0\xbc\x85\xbc\xbc\xf1\xb4\xfd\x27\x60\xb9\xf5\x09\xd2\xd1\x1c\xd0\x55\x71\x44\xb1\xc8\x9f\x9f\x7f\x24\x95\xd0\xc9\xea\x6c\x76\x7f\x1f\x92\x57\x07\x01\xa3\x3c\xed\x47\x70\x36\xd0\x6b\xbe\xad\x08\xc0\xb4\xa8\xab\x4a\x57\xd8\xd9\xb7\x58\xce\x05\x89\x1e\xc7\x29\x01\x4e\xb7\x12\xc3\x3d\xcb\x52\xef\xe8\xde\xd2\x2
3\xb6\x17\x82\x24\x43\xbf\xa9\x55\x14\xd9\xa8\x2f\x6b\x9f\xed\x17\xb2\x24\x45\xf6\x92\xfc\x87\x03\x74\xc0\x82\x6a\x9f\xa4\x31\x53\x84\x93\x68\xaa\x1f\x93\x05\x2e\x48\xf8\x8e\x8f\xe9\xaa\x1b\xa8\x29\x15\x85\xe5\x9d\xa0\xf6\x8f\xd0\x4b\x8f\xa4\x50\xe9\x65\x4d\x92\x0c\x2b\x82\xc9\xc2\x9a\x79\x01\x5d\x0e\x30\x2b\xef\x5a\xbc\x9f\x42\x92\xfd\x4b\x58\x2d\x58\x83\x0d\xfc\x71\x72\x53\x19\xbf\x39\x69\x2b\x0f\x3d\x72\xa3\x20\x4d\x62\xe4\xcd\x21\x9f\xd2\x64\x7a\x9b\xc3\xda\x61\xb7\x02\x69\x9d\x01\x5f\x9f\x15\xbf\xfb\x27\xb6\x13\x3e\xc4\x31\xe4\xad\x67\xf5\xc1\xb4\x6f\xc6\x2e\x29\xd4\xae\x4b\x07\xfa\xb0\x7f\x01\x43\xe8\xe5\x4f\xea\x1e\x62\x90\x51\xd6\xd7\xc1\x9a\xf8\x93\x16\x61\xd8\x49\x57\xad\x2a\xe7\xb5\x21\xbd\x62\x46\x8a\xa0\xa8\x51\x65\x39\x04\xbb\x93\x25\x37\x6f\xd2\xd8\x31\x34\x03\x56\xd9\xbd\x27\x82\xbb\xc4\x6e\x1c\x03\x06\x95\x53\xd2\xb0\x5d\x17\xbb\x4d\x86\x44\xa0\xdf\xc0\x28\x6d\x4e\xbd\xfb\xf1\xfa\x85\xf0\x01\x5d\xa2\x66\x70\x90\x9c\xe8\x40\x27\x2d\x1d\x62\xc8\xd0\x27\x87\xd5\x65\x20\xd3\x09\xe4\xbc\xfc\xc8\x46\x47\x4d\x42\x82\x64\x17\x98\xda\xd1\x77\x9c\xce\x11\x39\x2a\xc5\x37\x91\x73\x35\xb4\xf9\x12\x4e\xd1\xe2\x54\x05\x29\x66\xab\x2c\x15\xdc\xd1\xbc\x1c\x3c\x52\x0f\xef\x4b\x3b\x17\xfe\x6f\x63\x60\xd0\x7b\x2c\x08\xac\x64\xc7\x5f\xcd\xf5\xf9\xea\xc2\x11\xdb\x24\x7a\x22\x7a\x65\x9e\x10\x67\x55\xe1\xba\x53\xab\xa6\x7c\x83\x16\x62\x19\x02\x26\x98\x4d\xc0\x36\x98\xdc\x56\x7a\xa9\x6b\x51\xd2\xe6\x9f\x53\x0a\xdd\xd9\xb4\xfd\xbf\x3a\x0b\x20\xaf\x2a\x18\x4c\xba\xf5\x3a\x35\x63\x4c\x8f\xe3\xd6\x3e\xc1\x5c\x50\x6b\xf0\x2c\x35\x30\x27\x59\xfe\x32\xad\x28\xc1\xd4\xb4\x9e\x94\x81\x6b\xb0\xf3\x28\x22\x81\x6b\x40\x55\x7c\x65\x0d\xa4\xae\x59\xca\x64\x5d\x5a\x4d\x61\x72\x90\x3c\x25\xe0\x0a\x22\x9e\xaa\x0c\x52\x6c\xff\xba\x53\xfc\xa4\x4a\xa1\x63\xc7\xf5\xfb\x49\x59\xa2\x16\xd6\xda\xd9\xe1\x9f\x28\x2b\x99\x45\xd2\x47\x6b\xbc\x01\x33\x78\x51\x31\x11\x8a\xd4\x6c\x3f\x93\x31\xc4\x15\xe7\x0d\x35\xe0\x6f\xa7\x1c\x2a\xa8\x78\x13\x2e\xd7\x70\xa0\x4f\x07\x21\xa5\x66\x55\x02\xdd\xed\x28\x3f\x7
0\xae\x9a\xb7\x2e\x48\xcf\x03\xc0\x1d\x80\xf6\x8e\xce\x54\xde\x88\xaa\xcb\x2c\x41\xc5\xd7\x46\x2f\x9b\x73\xf6\xc2\x74\x17\x09\xc8\x3e\x20\x08\x4d\xd8\xf9\xd8\x55\xc4\x1a\x0b\xfb\xe1\x07\xe6\xe4\x7a\x65\xc2\xb1\xee\x50\x07\xe9\xd5\xf2\x51\x18\xa2\x95\xfc\x63\x13\x24\x3d\xf5\x4c\xdd\x92\xab\x4d\xce\xdb\x21\x0d\xd8\x3b\xe1\xb0\x58\xae\x1e\x37\xa7\xac\x51\xb9\xc8\x9b\xf9\xec\xa4\x23\xc9\x1d\xb0\xd4\xa4\x21\x34\xa9\x3c\x89\x79\xa0\x3a\x2d\xe5\x3e\x45\xe6\x41\xa2\xd4\x0f\x41\x0b\xc1\x1a\x96\x82\x04\xf7\x2c\x96\xe5\x06\x64\xdc\x29\xbe\x41\xa4\xaa\xc4\xe0\x7e\x9c\xdf\x23\x9f\x59\xc9\x68\x7b\xd7\xdc\x65\xce\xab\x07\x6b\x13\x19\x41\xbb\x15\xc4\xf9\xf4\xc1\x7d\x73\x50\x78\x05\x88\xfa\xcf\xfd\xbc\x1e\xaa\xeb\x44\x06\xb9\x56\xda\x73\x3e\xd0\x9e\xb4\x86\x04\xa0\xed\x4a\xad\xcb\xbd\x94\xa8\xee\x07\x93\x10\xfe\x26\x12\xa6\x69\xe5\x62\x39\x17\xee\xc2\xb1\x2a\xd9\xc8\x6a\xf9\x75\x7a\x51\x75\x9d\xbb\x00\xdf\x2e\x03\xe3\xd3\xa7\x0b\xd2\xc0\x2f\x9f\x08\x44\x4f\x4e\x06\x50\xed\xfb\x27\x86\xca\x57\xd3\x63\x09\x43\x55\x68\x32\xa3\x28\x92\x30\x1b\x58\x85\x9e\xf2\x40\x07\xf7\xa7\xd9\xb4\xaf\xc2\x37\x03\xc4\xfb\x90\x77\xa0\x7d\x2e\xa8\xd3\xa2\xb4\xf0\x15\xde\x7f\x31\xfc\x30\x65\x45\x81\x6b\x6b\x67\x0a\x45\xcf\xf4\xa9\x1b\x60\xa1\xfb\x47\x8b\x08\x9c\x67\xf4\x59\xca\xaf\x5f\xce\x92\x65\xfe\xa0\xc7\xec\x06\x52\xcd\x11\x30\x56\x23\xb0\x4c\x0a\x9d\x1a\xec\x65\x71\xc6\xa4\x66\xdc\x7a\x7b\xec\x75\xfc\xf9\x84\xd6\xa9\x63\x69\x86\xbe\xce\xf1\x41\x8b\x69\x4e\x82\x0e\xe2\x46\x2f\x26\x87\xe0\xb6\x8b\xa5\x1c\xbd\x03\xba\x76\xb4\x3f\xd7\xcb\xa0\x1a\xf2\x3f\xf9\x8f\x74\xb7\x64\x46\x35\x27\xc6\xc3\x97\xe1\xc8\xe8\xb2\x22\x58\x74\xcc\x74\xf9\x58\xa3\x1a\x28\x41\x4f\x17\x0c\x2b\x4c\xbd\x90\xc8\x49\xcc\xd5\x4f\x91\xbc\xe2\x90\x8e\x3b\xbc\x21\xb3\xd5\x60\x4a\xa3\x37\xc7\xfb\x1f\x81\x0c\x10\x32\x16\xbf\x44\x43\x39\x04\x3d\x52\x33\x30\xee\xe7\x3b\xf0\x86\x6d\xa3\xf3\xf7\x28\x87\x7f\xbb\x54\xe2\xf9\x28\x42\x3a\x16\x72\xcc\x9b\xa3\x1b\xc6\x86\xa6\xd1\x98\xef\xeb\x36\x18\xd5\xe9\xa1\xb0\x81\x9c\xf6\xb9\x33\x8c\x56\xc
4\xb7\x88\x46\x9f\x53\x2c\xdf\x92\x30\x66\xd1\xba\x46\xa5\x69\x60\x34\x2b\x79\xb0\x9e\xc8\x67\x9e\xa3\xca\xa4\x33\x65\xb8\x11\x25\x7a\x24\x49\xff\x92\x74\xf6\x61\x2c\xb0\x53\x0d\xd8\x67\x8c\xf1\x8b\xc1\xf9\x1f\x44\x7f\xad\x7b\x95\x8f\x3d\x0a\x19\x77\xce\x78\xd1\x02\x82\x9f\xe4\xb8\x3b\x56\x59\xc8\x15\x5a\xf4\xd2\xc0\x5d\x73\x15\xd1\x48\x63\x00\xe6\xda\x08\x46\xa5\x94\xd5\x10\x67\x3b\x0e\x74\x72\x78\x85\x59\x00\x9d\x74\x49\x0e\xc9\x87\x1d\x9f\x0f\x73\x69\x9d\x97\xfb\xe3\x03\xcb\x4d\x63\x5f\x54\x2e\x95\xc7\x84\xa5\x38\x71\x27\xdc\x45\x44\x83\xf9\x50\xf7\x65\xa8\xe9\x04\x63\x9e\xf4\x13\xc7\xd5\x81\xaf\x20\xdf\xb2\x85\x95\x58\x01\xab\x7e\xc4\xbe\x4d\x1b\x28\x79\xde\x66\x2d\xde\x2c\xfc\xd6\x60\x4e\xc0\xaa\x07\xa5\xa6\x71\xf5\x4a\x4f\x28\x53\xee\xdc\xa5\x6b\xaf\x00\xf0\x79\x27\x09\x59\x58\xdb\x7d\x32\x5e\x86\x3f\x64\xa9\x05\x6b\xd8\xe1\x03\x85\x99\x21\x46\x3d\x17\x54\x04\x2b\x85\xdc\xd9\x4d\x93\x3e\xf2\x08\x7d\xbe\xf5\x7d\x9a\x3a\xd9\xfe\x8c\x64\xa8\x79\x95\x87\xa3\xec\x23\xb9\xb2\x52\xf0\x3b\xfc\xe4\x2f\x01\x7e\xad\xfd\xbe\x97\x3e\x84\xe9\x02\xe3\x6b\x96\x61\xef\xae\xf4\x09\xc9\x15\x30\x8d\xce\x9a\x22\x2a\x9c\xb1\xdb\x52\x15\xc0\x00\xfc\x44\xd3\x72\xfb\x18\x64\x25\xcd\x07\x8b\xee\x77\x70\xf1\xfa\x60\xff\x2d\x0e\x34\x47\x25\xa5\x1a\x5f\x47\x8f\xe9\x6b\xfb\x9a\x18\xb6\xcb\x54\x2b\xf3\x94\xbe\xd0\x22\x18\x51\x8f\x1d\x38\x1d\x5a\xa2\x1f\xdc\xd4\x43\xce\x84\xc1\x80\xa6\xa8\xcf\x65\x47\xef\xfa\x46\x27\xca\xe9\x35\x51\xa7\x56\x4f\x0d\xac\x6e\x37\xc5\xf0\x68\xed\xda\x00\xb4\x7a\x6f\x2d\x33\xb5\x4c\x36\x81\x12\x8e\x83\xad\x17\xb0\xf0\x98\x45\x6b\x9e\x97\xf3\xe0\x2c\xe3\x91\x51\x5f\xfb\x0c\x05\x11\xa3\xd8\x31\x21\x15\x38\x2c\x15\xb0\x98\x61\xef\x75\x0c\x00\x06\xe9\x6c\x91\x84\xe1\x7d\xb2\x45\xb0\x25\x5c\x44\x07\xfe\x4b\xd6\xee\xa4\x3f\xd8\xc5\xe8\x03\x48\xcb\x91\x6e\x9d\x04\xb4\x9c\x24\x83\x91\x1b\x6d\xee\xce\x26\xd2\xb6\x57\x62\x64\x3a\xa0\x41\x7b\xe2\x76\x8b\x67\x3a\x22\xad\x58\xe6\x67\xf5\xef\x4e\x22\x28\xdb\x9b\x79\x39\xd8\xf9\x12\xde\x32\x47\x43\x25\x15\x50\x90\xb1\xd9\x74\x1
a\xce\x41\x55\xd6\x45\x83\xec\xfb\x57\x00\x30\x1d\x73\xed\x2a\xbd\x15\x64\x08\xca\x5e\x1b\x88\xba\x75\xf8\x4a\x4b\x83\x4d\x4f\x53\x20\x15\x77\x3e\x9f\x8d\x4a\x36\x50\xf8\x98\x41\x91\x11\x4f\x0f\xdb\xaa\x54\x40\x5b\xf5\x1f\x8b\x1a\xfe\x53\x2f\x74\xc1\x5a\x37\x08\xeb\x93\x70\xfa\x83\x16\xfe\xef\xac\x4e\x43\xf8\x55\x50\x6f\x5d\x98\x72\xb6\x03\x63\x56\x70\x11\xcc\x33\x08\xa2\x02\x6d\x00", 4096); *(uint64_t*)0x20007d38 = 0x1000; *(uint64_t*)0x20007d40 = 0x4065ebb7; *(uint64_t*)0x20007d48 = 0x20007980; memcpy((void*)0x20007980, "\x11\x2a\x65\x7c\x27\x70\xad\x17\xf2\xe7\x77\x62\x16\x0b\xb1\x4f\x2f\x71\xa1\x7b\x88\xfd\xb9\x46\xf9\x19\xb2\xdf\xd3\xef\xd6\x16\xe3\x11\x24\xff\x47\xee\x66\x8f\x60\x65\xa0\x43\x5a\x79\x1a\x74\x39\xd8\xaa\x10\xdc\xc4\x18\x19\x2d\x82\x1e\x36\xfc\x08\x20\xd7\xcc\x0f\x88\xb0\x88\x91\x6d\x78\x6f\x01\x42\x6f\xa4\x6b\x21\x4d\xe8\x22\xd2\x4e\x4d\x6c\x78\x5f\xea\xc4\x58\xd9\x86\x35\xc4\x80\x16\x72\xbd\x4e\x74\xfd\x40\x75\x39\x32\x12\x11\x52\xae\x0e\xad\x77\x1e\x3a\xbc\x7f\x74\x1e\x39\x3b\x32\x85\x26\xe5\xec\x29\xe8\xe0\xd9\xb3\xa2\xbe\xbc\xd0\xeb\x34\x72\xa4\xbd\x8e\x50\xf9\x53\xed\x17\x3b\xa2\x71\xfb\xe9\xf9\xd9\xc4\x63\xc7\x9f\x44\xd0\x93\x15\x4f\xfe\xf5\x9c\x93\xad\xa7\x83\xb4\x72\x7f\xc3\x5b\xa6\xc0\xdb\x25\x18\x93\x9c\xb3\x5f\xb3\x30\x1d\x4c\xf7\x2d\x25\x24\xf8\x3a\xc4\xab\x57\xa8\xac\xfc\x93\xa9\x9c\x26\xcc\xae\xe0\x56\x63\x71\x22\x94\x96\xe9\x30\x21\xe8\x6b\x95\x60\x21\xa4\x67\xf3\x4b\xe6\x6e", 226); *(uint64_t*)0x20007d50 = 0xe2; *(uint64_t*)0x20007d58 = 0x6d69; *(uint64_t*)0x20007d60 = 0x20007a80; memcpy((void*)0x20007a80, 
"\x62\x98\x25\xe3\xcb\x9c\x42\x73\x28\x10\xeb\x62\xf1\xff\x47\x85\x71\x8f\x7a\x30\xc6\x39\x40\xf2\xea\xdf\x19\xda\xe8\x20\xfe\xb9\xb7\xb3\x58\xf7\x41\xb8\x34\x16\x4a\x9a\x4a\xc8\xce\x39\x8c\x23\x16\x07\xf5\x23\xa2\x6d\xb9\xe0\xae\xca\xc1\xd1\xe8\x90\x22\xd1\xcd\x50\xd6\x44\xf2\x46\x6b\x25\xec\x09\xc6\xd6\xef\x4f\x0b\x3e\xf5\x92\xd1\x40\x8d\x04\x9d\xa4\x9b\x95\x3b\x32\x7e\x12\x3c\x6f\x19\x63\xc2\xf7\xa9\xe3\xcc\x7e\x0c\x52\xed\x1e\x17\xd0\xa8\xb7\x94\x66\x68\x75\xb2\x0b\x07\xa0\xf5\xc2\xc7\x6d\x96\x32\x90\x9f\x76\x9e\xb2\x5b\x16\x27\x37\xbe\xa1\x31\xf5\xc2\x70\xb3\x24\x9f\xd6\x5c\x25\x5e\x68\xb6\x80\x27\x1d\x0c\x11\x19\x67\x15\x17\x77\x44\xe7", 162); *(uint64_t*)0x20007d68 = 0xa2; *(uint64_t*)0x20007d70 = 9; *(uint64_t*)0x20007d78 = 0x20007b40; memcpy((void*)0x20007b40, "\xd1\x09\x17\x49\x23\x3d\x1e\x7e\xc5\x06\x53\xf3\x01\xa7\x34\xf5\xdd\x67\xac\x1e\x74\x89\x23\xe4\x4c\xce\xde\xeb\x3e\xa2\x34\x74\x58\x96\xab\xcb\x80\x03\xed\x61\x60\x5b\x5d\xff\xa8\xa9\xaf\x0a\xa1\x2e\xd9\x02\xd4\xa3\x5a\x92\x60\xc5\x3a\xb6\xa6\x21\xe2\x10\xe6\x1e\x40\x02\x83\x8d\xc2\x9e\x2f\x79\x8b\x4c\xbe\x0e\xd0\xc1\x2a\x33\xc6\x9d\xdd\xa4\x46\xb9\xb8\x84\xfc\xbf\xe2\x81\x99\x18\x4b\xd4\xae\xb0\x97\xd0\xd9\xa3\x93\xb6\x99\xd1\xf5\x5a\x57\xd8\x30\xda\x49\x7d\x79\xb9\xbd\x7d\xbc\xdb\xfe\x7e\x16\x8d\x60\x07\x61\x1d\xb9\x67\x33\x57\x4f\xb1\x50\xf4\xe9\x09\x91\xc7\x0f\xc1\x9e\xdb\xa6\xbe\xed\xc5\xa7\x21\x69\x36\x6a\xe5\xfc\xa5\xc1\xcb\x41\x3b\xbc\x54\xff\x8f\x12\x7d\x1b\x94\xcf\x99\x42\xb5\xc9\xbe\x5f\xbf\xc9\x39\x46\xbf\x1d\x0b\x28\x9a\x74\x42\xfb\x05\x7a\xdb\x0a\xe7\xfa\x41\x89\xd5\xe5\xfe\xfc\x75\xed\x5d\x26\x0b\x3c\x2c\x24\x45\xd4\x95\x79\xe6\xb3\x69\xe3\x96\xda\x16\x2d\x94\x05\x59", 224); *(uint64_t*)0x20007d80 = 0xe0; *(uint64_t*)0x20007d88 = 6; *(uint64_t*)0x20007d90 = 0x20007c40; memcpy((void*)0x20007c40, 
"\x76\x8d\x82\xc4\x7f\x16\x6e\x25\x25\x30\x91\x5b\x63\xb4\x0d\x9e\xba\x4b\x95\xfe\x08\x78\x93\x45\x3f\x37\x3a\x94\x38\x9e\x11\x20\x98\x1c\xb4\x45\x76\xa2\x05\x1c\x41\x58\x40\x0a\x59\xb9\xc8\xa9\x40\xcc\xae\x28\x26\x41\x4e\x14\xad\x55\xc7\x2b\x04\xf8\xfa\xbf\xe8\x64\x62\x40\x9b\x3a\xb2\xa0\x75\xea\x92\xc8\xbd\xdc\xd2\xb2\xfc\x0f\xd7\x7a\x97\xbc\x27\x1e\xcd\x43\xdd\x60\x5f\x29\xb9\x90\x83\x7b\x40\x9e\xed\x59\x65\xdd\xb3\xfb\x1b\x91\xe5\xbf\x12\xdd\xbc\xf2\x1c\x90\xc7\xef\x2f\x0a\xb9\xbb\x03\xf7\x2a\x64\x7c\xe8", 128); *(uint64_t*)0x20007d98 = 0x80; *(uint64_t*)0x20007da0 = 0xfffffffffffffff7; *(uint64_t*)0x20007da8 = 0x20007cc0; memcpy((void*)0x20007cc0, "\x46\xc0\xce\x89\x20\x30\x5b\x2c\x7f\x63\x6e\xdb\xb1\x65\x92\x0d\xb7\x8c\x61\xf8", 20); *(uint64_t*)0x20007db0 = 0x14; *(uint64_t*)0x20007db8 = 0xfffffffffffffffa; syz_read_part_table(9, 8, 0x20007d00); break; case 36: *(uint8_t*)0x20007dc0 = 0x12; *(uint8_t*)0x20007dc1 = 1; *(uint16_t*)0x20007dc2 = 0x300; *(uint8_t*)0x20007dc4 = 0x94; *(uint8_t*)0x20007dc5 = 0xe8; *(uint8_t*)0x20007dc6 = 0x2e; *(uint8_t*)0x20007dc7 = 0x40; *(uint16_t*)0x20007dc8 = 0x789; *(uint16_t*)0x20007dca = 0x160; *(uint16_t*)0x20007dcc = 0xf578; *(uint8_t*)0x20007dce = 1; *(uint8_t*)0x20007dcf = 2; *(uint8_t*)0x20007dd0 = 3; *(uint8_t*)0x20007dd1 = 1; *(uint8_t*)0x20007dd2 = 9; *(uint8_t*)0x20007dd3 = 2; *(uint16_t*)0x20007dd4 = 0x764; *(uint8_t*)0x20007dd6 = 2; *(uint8_t*)0x20007dd7 = 4; *(uint8_t*)0x20007dd8 = 0x8f; *(uint8_t*)0x20007dd9 = 0; *(uint8_t*)0x20007dda = 0x7f; *(uint8_t*)0x20007ddb = 9; *(uint8_t*)0x20007ddc = 4; *(uint8_t*)0x20007ddd = 0x40; *(uint8_t*)0x20007dde = 0x3f; *(uint8_t*)0x20007ddf = 0xe; *(uint8_t*)0x20007de0 = 0xbb; *(uint8_t*)0x20007de1 = 0x18; *(uint8_t*)0x20007de2 = 0xf3; *(uint8_t*)0x20007de3 = 0x20; *(uint8_t*)0x20007de4 = 0xa; *(uint8_t*)0x20007de5 = 0x24; *(uint8_t*)0x20007de6 = 6; *(uint8_t*)0x20007de7 = 0; *(uint8_t*)0x20007de8 = 0; memcpy((void*)0x20007de9, "\xc1\xb0\xc9\x81\xcc", 5); 
*(uint8_t*)0x20007dee = 5; *(uint8_t*)0x20007def = 0x24; *(uint8_t*)0x20007df0 = 0; *(uint16_t*)0x20007df1 = 7; *(uint8_t*)0x20007df3 = 0xd; *(uint8_t*)0x20007df4 = 0x24; *(uint8_t*)0x20007df5 = 0xf; *(uint8_t*)0x20007df6 = 1; *(uint32_t*)0x20007df7 = 9; *(uint16_t*)0x20007dfb = 0xfff; *(uint16_t*)0x20007dfd = 5; *(uint8_t*)0x20007dff = 0; *(uint8_t*)0x20007e00 = 0x15; *(uint8_t*)0x20007e01 = 0x24; *(uint8_t*)0x20007e02 = 0x12; *(uint16_t*)0x20007e03 = 0xaa4; *(uint64_t*)0x20007e05 = 0x14f5e048ba817a3; *(uint64_t*)0x20007e0d = 0x2a397ecbffc007a6; *(uint8_t*)0x20007e15 = 4; *(uint8_t*)0x20007e16 = 0x24; *(uint8_t*)0x20007e17 = 2; *(uint8_t*)0x20007e18 = 9; *(uint8_t*)0x20007e19 = 9; *(uint8_t*)0x20007e1a = 0x21; *(uint16_t*)0x20007e1b = 0x7ff; *(uint8_t*)0x20007e1d = 8; *(uint8_t*)0x20007e1e = 1; *(uint8_t*)0x20007e1f = 0x22; *(uint16_t*)0x20007e20 = 0xd44; *(uint8_t*)0x20007e22 = 9; *(uint8_t*)0x20007e23 = 5; *(uint8_t*)0x20007e24 = 3; *(uint8_t*)0x20007e25 = 3; *(uint16_t*)0x20007e26 = 0x40; *(uint8_t*)0x20007e28 = 6; *(uint8_t*)0x20007e29 = 6; *(uint8_t*)0x20007e2a = 0x80; *(uint8_t*)0x20007e2b = 9; *(uint8_t*)0x20007e2c = 5; *(uint8_t*)0x20007e2d = 5; *(uint8_t*)0x20007e2e = 8; *(uint16_t*)0x20007e2f = 0x20; *(uint8_t*)0x20007e31 = 0x34; *(uint8_t*)0x20007e32 = 7; *(uint8_t*)0x20007e33 = 0xd1; *(uint8_t*)0x20007e34 = 7; *(uint8_t*)0x20007e35 = 0x25; *(uint8_t*)0x20007e36 = 1; *(uint8_t*)0x20007e37 = 0x81; *(uint8_t*)0x20007e38 = 1; *(uint16_t*)0x20007e39 = 0x20; *(uint8_t*)0x20007e3b = 0x65; *(uint8_t*)0x20007e3c = 0x30; memcpy((void*)0x20007e3d, "\xda\xc1\x6e\x84\x5b\x14\x9d\xaf\xe6\x66\x63\xcc\x3a\xcf\x39\x3f\xa7\xb0\xae\x46\xcb\xb8\xcf\x20\x7b\xdb\x0d\x3d\x6c\xf6\x81\x66\x1f\xa0\x0e\xd5\x8d\x70\x3c\x22\x64\x70\xa8\x4e\xaa\x26\x4b\xe5\x1e\x68\x10\x87\x52\x48\xed\xe7\x94\xe2\x20\x7e\x60\xb0\x45\x85\x60\x3c\xd0\x55\xc6\x34\x8f\x0e\xb4\xf3\x3f\x2a\x83\x3f\x4a\xee\x88\x84\xd7\x77\x3b\xe2\xf4\x51\x77\xad\x4c\x03\x72\x8f\xf4\xdd\x8e\x40\xfd", 99); 
*(uint8_t*)0x20007ea0 = 9; *(uint8_t*)0x20007ea1 = 5; *(uint8_t*)0x20007ea2 = 2; *(uint8_t*)0x20007ea3 = 4; *(uint16_t*)0x20007ea4 = 0x3ff; *(uint8_t*)0x20007ea6 = 0x1f; *(uint8_t*)0x20007ea7 = 2; *(uint8_t*)0x20007ea8 = -1; *(uint8_t*)0x20007ea9 = 7; *(uint8_t*)0x20007eaa = 0x25; *(uint8_t*)0x20007eab = 1; *(uint8_t*)0x20007eac = 0x82; *(uint8_t*)0x20007ead = 9; *(uint16_t*)0x20007eae = 2; *(uint8_t*)0x20007eb0 = 9; *(uint8_t*)0x20007eb1 = 5; *(uint8_t*)0x20007eb2 = 6; *(uint8_t*)0x20007eb3 = 0; *(uint16_t*)0x20007eb4 = 0x40; *(uint8_t*)0x20007eb6 = 0; *(uint8_t*)0x20007eb7 = 0x40; *(uint8_t*)0x20007eb8 = 0xfd; *(uint8_t*)0x20007eb9 = 7; *(uint8_t*)0x20007eba = 0x25; *(uint8_t*)0x20007ebb = 1; *(uint8_t*)0x20007ebc = 0x83; *(uint8_t*)0x20007ebd = 0x1f; *(uint16_t*)0x20007ebe = 0x1000; *(uint8_t*)0x20007ec0 = 9; *(uint8_t*)0x20007ec1 = 5; *(uint8_t*)0x20007ec2 = 0xd; *(uint8_t*)0x20007ec3 = 1; *(uint16_t*)0x20007ec4 = 0x3ff; *(uint8_t*)0x20007ec6 = 3; *(uint8_t*)0x20007ec7 = 1; *(uint8_t*)0x20007ec8 = 0x80; *(uint8_t*)0x20007ec9 = 7; *(uint8_t*)0x20007eca = 0x25; *(uint8_t*)0x20007ecb = 1; *(uint8_t*)0x20007ecc = 1; *(uint8_t*)0x20007ecd = 4; *(uint16_t*)0x20007ece = 3; *(uint8_t*)0x20007ed0 = 9; *(uint8_t*)0x20007ed1 = 5; *(uint8_t*)0x20007ed2 = 5; *(uint8_t*)0x20007ed3 = 4; *(uint16_t*)0x20007ed4 = 8; *(uint8_t*)0x20007ed6 = 8; *(uint8_t*)0x20007ed7 = -1; *(uint8_t*)0x20007ed8 = 0x80; *(uint8_t*)0x20007ed9 = 9; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 0xf; *(uint8_t*)0x20007edc = 1; *(uint16_t*)0x20007edd = 8; *(uint8_t*)0x20007edf = 0xae; *(uint8_t*)0x20007ee0 = 9; *(uint8_t*)0x20007ee1 = 0xf6; *(uint8_t*)0x20007ee2 = 7; *(uint8_t*)0x20007ee3 = 0x25; *(uint8_t*)0x20007ee4 = 1; *(uint8_t*)0x20007ee5 = 0; *(uint8_t*)0x20007ee6 = 0x95; *(uint16_t*)0x20007ee7 = 6; *(uint8_t*)0x20007ee9 = 0x7a; *(uint8_t*)0x20007eea = 6; memcpy((void*)0x20007eeb, 
"\x3f\x8f\x5c\x31\x8c\x80\xe5\xa9\x36\x08\x9f\xa5\xbe\x9d\xc3\x64\xd3\xa8\xff\x22\x23\x8b\x92\x00\x64\x2b\xb7\x96\x9b\x9c\x09\x89\x51\x0d\xf3\xf2\x67\x38\x46\xf3\xfe\x68\xee\xc4\x87\x47\x6d\x9d\x8e\xa3\x7c\x9e\x7e\xc2\x93\x9c\x3a\x85\x84\x2c\xad\x50\x0b\xf7\x7a\xed\x1d\x92\x90\xeb\x85\x0a\xf4\x62\x1c\xaf\xed\x03\xc0\x8a\x55\xc4\x22\xc7\x12\x2f\x6e\xc0\x70\x3a\x47\xdf\xcb\x27\x9c\x0b\x03\x55\x8b\x39\xc7\x23\x1b\x38\xe5\x59\xd0\x54\x6a\x29\xca\x32\x28\x0a\x8c\xe4\x70\x80\xaa\x8d", 120); *(uint8_t*)0x20007f63 = 9; *(uint8_t*)0x20007f64 = 5; *(uint8_t*)0x20007f65 = 7; *(uint8_t*)0x20007f66 = 4; *(uint16_t*)0x20007f67 = 0x8938; *(uint8_t*)0x20007f69 = 1; *(uint8_t*)0x20007f6a = 0x8c; *(uint8_t*)0x20007f6b = 4; *(uint8_t*)0x20007f6c = 9; *(uint8_t*)0x20007f6d = 5; *(uint8_t*)0x20007f6e = 7; *(uint8_t*)0x20007f6f = 0x10; *(uint16_t*)0x20007f70 = 0x20; *(uint8_t*)0x20007f72 = 6; *(uint8_t*)0x20007f73 = 1; *(uint8_t*)0x20007f74 = 0x81; *(uint8_t*)0x20007f75 = 9; *(uint8_t*)0x20007f76 = 5; *(uint8_t*)0x20007f77 = 0xe; *(uint8_t*)0x20007f78 = 0x10; *(uint16_t*)0x20007f79 = 0x200; *(uint8_t*)0x20007f7b = 0x80; *(uint8_t*)0x20007f7c = 3; *(uint8_t*)0x20007f7d = 0x23; *(uint8_t*)0x20007f7e = 7; *(uint8_t*)0x20007f7f = 0x25; *(uint8_t*)0x20007f80 = 1; *(uint8_t*)0x20007f81 = 0x81; *(uint8_t*)0x20007f82 = 1; *(uint16_t*)0x20007f83 = 5; *(uint8_t*)0x20007f85 = 7; *(uint8_t*)0x20007f86 = 0x25; *(uint8_t*)0x20007f87 = 1; *(uint8_t*)0x20007f88 = 0x81; *(uint8_t*)0x20007f89 = 7; *(uint16_t*)0x20007f8a = 0xb5a; *(uint8_t*)0x20007f8c = 9; *(uint8_t*)0x20007f8d = 5; *(uint8_t*)0x20007f8e = 8; *(uint8_t*)0x20007f8f = 2; *(uint16_t*)0x20007f90 = 8; *(uint8_t*)0x20007f92 = 0x1f; *(uint8_t*)0x20007f93 = 8; *(uint8_t*)0x20007f94 = 0x1f; *(uint8_t*)0x20007f95 = 7; *(uint8_t*)0x20007f96 = 0x25; *(uint8_t*)0x20007f97 = 1; *(uint8_t*)0x20007f98 = 3; *(uint8_t*)0x20007f99 = 3; *(uint16_t*)0x20007f9a = 0x200; *(uint8_t*)0x20007f9c = 7; *(uint8_t*)0x20007f9d = 0x25; *(uint8_t*)0x20007f9e = 1; 
*(uint8_t*)0x20007f9f = 3; *(uint8_t*)0x20007fa0 = 0x7f; *(uint16_t*)0x20007fa1 = 3; *(uint8_t*)0x20007fa3 = 9; *(uint8_t*)0x20007fa4 = 5; *(uint8_t*)0x20007fa5 = 0xd; *(uint8_t*)0x20007fa6 = 0xc; *(uint16_t*)0x20007fa7 = 0x3ff; *(uint8_t*)0x20007fa9 = 0x12; *(uint8_t*)0x20007faa = 9; *(uint8_t*)0x20007fab = 4; *(uint8_t*)0x20007fac = 0xe; *(uint8_t*)0x20007fad = 5; memcpy((void*)0x20007fae, "\xa9\xb9\x7b\xc2\x4d\xe6\x2c\x3b\xcf\x2b\xfa\x13", 12); *(uint8_t*)0x20007fba = 0x44; *(uint8_t*)0x20007fbb = 0x30; memcpy((void*)0x20007fbc, "\x9f\x0d\x5e\xa2\x42\x68\xb8\xa3\x21\x17\x65\x24\x6b\x1a\x83\x4a\xf6\x41\xe8\xcd\x6e\xa3\xef\x9b\x1f\xe1\x0f\x16\xbe\xd6\xb0\x6c\xc3\xa1\x65\x92\x0c\x9d\x73\x90\x9a\xb9\xac\x8b\x2a\x7a\x8a\x5d\xae\x5d\x4a\xcf\x31\x6d\x0b\x35\xd4\xb6\x44\xd3\x68\xa0\x6e\x0e\xff\x85", 66); *(uint8_t*)0x20007ffe = 9; *(uint8_t*)0x20007fff = 5; *(uint8_t*)0x20008000 = 0x80; *(uint8_t*)0x20008001 = 8; *(uint16_t*)0x20008002 = 8; *(uint8_t*)0x20008004 = 3; *(uint8_t*)0x20008005 = -1; *(uint8_t*)0x20008006 = 6; *(uint8_t*)0x20008007 = 9; *(uint8_t*)0x20008008 = 5; *(uint8_t*)0x20008009 = 0; *(uint8_t*)0x2000800a = 0; *(uint16_t*)0x2000800b = 0x20; *(uint8_t*)0x2000800d = 6; *(uint8_t*)0x2000800e = 0x2e; *(uint8_t*)0x2000800f = 0; *(uint8_t*)0x20008010 = 9; *(uint8_t*)0x20008011 = 4; *(uint8_t*)0x20008012 = 7; *(uint8_t*)0x20008013 = 0; *(uint8_t*)0x20008014 = 0xd; *(uint8_t*)0x20008015 = 0x29; *(uint8_t*)0x20008016 = 0xcb; *(uint8_t*)0x20008017 = 0x7c; *(uint8_t*)0x20008018 = 9; *(uint8_t*)0x20008019 = 9; *(uint8_t*)0x2000801a = 0x21; *(uint16_t*)0x2000801b = 7; *(uint8_t*)0x2000801d = 1; *(uint8_t*)0x2000801e = 1; *(uint8_t*)0x2000801f = 0x22; *(uint16_t*)0x20008020 = 0xbd9; *(uint8_t*)0x20008022 = 0xd; *(uint8_t*)0x20008023 = 0x24; *(uint8_t*)0x20008024 = 2; *(uint8_t*)0x20008025 = 1; *(uint8_t*)0x20008026 = 0x43; *(uint8_t*)0x20008027 = 1; *(uint8_t*)0x20008028 = 0; *(uint8_t*)0x20008029 = 9; memcpy((void*)0x2000802a, "d\"", 2); memcpy((void*)0x2000802c, 
"\x37\x09\xdb", 3); *(uint8_t*)0x2000802f = 0x11; *(uint8_t*)0x20008030 = 0x24; *(uint8_t*)0x20008031 = 2; *(uint8_t*)0x20008032 = 1; *(uint8_t*)0x20008033 = 0xf8; *(uint8_t*)0x20008034 = 2; *(uint8_t*)0x20008035 = 7; *(uint8_t*)0x20008036 = 0x40; memcpy((void*)0x20008037, "\x5e\x58\xdf\xf9\xa0\xd0\x1e\x41\x09", 9); *(uint8_t*)0x20008040 = 0xb; *(uint8_t*)0x20008041 = 0x24; *(uint8_t*)0x20008042 = 2; *(uint8_t*)0x20008043 = 2; *(uint16_t*)0x20008044 = 0xffec; *(uint16_t*)0x20008046 = 6; *(uint8_t*)0x20008048 = 0x15; memcpy((void*)0x20008049, "?w", 2); *(uint8_t*)0x2000804b = 7; *(uint8_t*)0x2000804c = 0x24; *(uint8_t*)0x2000804d = 1; *(uint8_t*)0x2000804e = 0xe1; *(uint8_t*)0x2000804f = 3; *(uint16_t*)0x20008050 = 2; *(uint8_t*)0x20008052 = 9; *(uint8_t*)0x20008053 = 5; *(uint8_t*)0x20008054 = 0xc; *(uint8_t*)0x20008055 = 8; *(uint16_t*)0x20008056 = 8; *(uint8_t*)0x20008058 = 4; *(uint8_t*)0x20008059 = 8; *(uint8_t*)0x2000805a = 8; *(uint8_t*)0x2000805b = 9; *(uint8_t*)0x2000805c = 5; *(uint8_t*)0x2000805d = 6; *(uint8_t*)0x2000805e = 8; *(uint16_t*)0x2000805f = 8; *(uint8_t*)0x20008061 = 0; *(uint8_t*)0x20008062 = 2; *(uint8_t*)0x20008063 = 2; *(uint8_t*)0x20008064 = 7; *(uint8_t*)0x20008065 = 0x25; *(uint8_t*)0x20008066 = 1; *(uint8_t*)0x20008067 = 0x81; *(uint8_t*)0x20008068 = 6; *(uint16_t*)0x20008069 = 0x18; *(uint8_t*)0x2000806b = 9; *(uint8_t*)0x2000806c = 5; *(uint8_t*)0x2000806d = 7; *(uint8_t*)0x2000806e = 0x10; *(uint16_t*)0x2000806f = 0x3ff; *(uint8_t*)0x20008071 = 0x39; *(uint8_t*)0x20008072 = 0; *(uint8_t*)0x20008073 = 6; *(uint8_t*)0x20008074 = 0x80; *(uint8_t*)0x20008075 = 0x23; memcpy((void*)0x20008076, 
"\xeb\xa3\xe2\xd4\x84\x8f\x84\xd0\xe6\xde\xd4\x6e\x24\xd1\x0b\xf9\xf8\xb0\x73\x89\x10\xe2\x9f\x31\x9e\x94\x25\x46\xe9\xcd\xa8\x63\x82\x57\xf5\x5d\x00\x49\x67\x2a\x13\x37\x06\x7a\xf7\x3c\x1c\x29\xe0\xbd\x77\x2a\x1c\xd5\xe1\x6d\x24\x9e\xd1\x5c\xdd\x3d\x85\xa4\x39\x9a\xef\x69\xe3\xf5\xa5\x06\xea\x0e\x05\x59\x30\x6f\xe1\xf4\x2d\xfc\x10\x92\x20\x62\xe2\xbc\x06\x2c\x34\xa1\xad\xc4\xbc\x46\xb0\x80\x25\x9a\xd2\x0b\x37\xcd\xe1\xeb\xa7\x17\x8f\xb5\x14\xb2\xef\x73\x97\x71\x5b\x0e\xae\x34\xd5\xef\xd5\x27\x49\x00", 126); *(uint8_t*)0x200080f4 = 0xa1; *(uint8_t*)0x200080f5 = 0x21; memcpy((void*)0x200080f6, "\x1c\x02\x0b\x38\x9a\x4c\x59\xd1\xf2\x6d\xa8\x57\xb2\x22\xa6\xf6\x61\x8a\xdb\x04\x11\xbb\x24\x47\x8e\x68\xff\xe7\x58\x46\x9d\x4b\xb3\x4d\xf6\xaa\x95\x77\xce\xd5\x53\x83\xdf\xf0\x1c\x05\x2a\xbb\xde\x70\x46\x8c\xe3\x11\x00\xca\x31\x84\xd1\xd5\xf8\x03\xdc\x28\x0d\xf3\xb7\xae\x47\x38\xad\x05\x03\x67\x01\xe2\xe3\x8c\xe8\x44\xa7\xd3\x01\xd8\x6e\x05\x97\xc5\xbc\x1b\x67\xe7\xc6\xa5\xf7\xdf\xbc\x33\x11\xdb\xd2\x34\x68\x8e\x85\xe9\xa7\xd5\x02\x1e\x51\xe2\xd0\xdd\x41\x80\x38\x15\x3d\xb6\x5b\x7f\xc2\x68\xf9\x8d\xdf\xd9\xe5\x03\x6f\x24\x49\x7d\x2f\x04\xcd\xcc\x75\x21\x78\x99\x19\x58\xf7\x24\x3f\xf4\xdd\x5a\xef\xcf\x75\x9a\x3f\xe7\xfb\x34\xc8", 159); *(uint8_t*)0x20008195 = 9; *(uint8_t*)0x20008196 = 5; *(uint8_t*)0x20008197 = 0xf; *(uint8_t*)0x20008198 = 0x10; *(uint16_t*)0x20008199 = 0x240; *(uint8_t*)0x2000819b = 2; *(uint8_t*)0x2000819c = 1; *(uint8_t*)0x2000819d = 0; *(uint8_t*)0x2000819e = 0x26; *(uint8_t*)0x2000819f = 3; memcpy((void*)0x200081a0, "\xb4\x51\xe2\x4f\x69\x72\xcd\x64\x29\xf8\x1c\xa1\x73\xd1\x3f\xb2\xc7\xf5\x28\x47\x51\x63\x8b\xbc\x4f\x0b\x3d\xe0\x20\x91\xfb\xb4\xf4\x45\x33\xd9", 36); *(uint8_t*)0x200081c4 = 9; *(uint8_t*)0x200081c5 = 5; *(uint8_t*)0x200081c6 = 7; *(uint8_t*)0x200081c7 = 2; *(uint16_t*)0x200081c8 = 0x400; *(uint8_t*)0x200081ca = 7; *(uint8_t*)0x200081cb = 0x3f; *(uint8_t*)0x200081cc = 0xdb; *(uint8_t*)0x200081cd = 0xc0; *(uint8_t*)0x200081ce = 0; 
memcpy((void*)0x200081cf, "\xba\x73\xf7\x70\xa4\x27\xb8\x43\x83\x13\xcb\x7e\x9d\x9d\x53\xa7\xe3\x11\x03\x66\xc8\x78\xe3\xc0\xf6\xe6\x29\xeb\xb2\xa0\x84\xa9\x0b\x2d\xef\x4b\x66\x95\x0f\xdf\xd6\x06\xe0\x83\x42\x29\xe6\x30\x28\x87\x54\x89\x67\x8b\xc9\x36\x98\xed\x86\x13\x88\x42\x54\x70\x3c\x31\x5f\x1e\xe5\x29\xd1\xbc\xbf\xaf\x8d\x86\x5e\x73\x8b\x9e\x08\xcb\xc4\xa2\x11\xd4\x80\xbd\xc2\xa6\xe6\x9e\x17\x2b\x1c\x73\x63\x94\x74\xf1\xf0\x11\x5b\x5f\x49\x18\xd0\x37\x45\x1c\x99\xde\xe8\x85\x47\x56\x25\x82\xd5\x71\x71\xaa\x19\x69\x13\xf1\x19\x15\xd1\xfd\xc1\xa5\x13\xb1\x6c\x0b\x9c\x1f\xa0\x71\x57\x42\x10\x46\xf4\xf3\x37\x2d\x00\xd4\xa2\x7e\xb9\x3e\xcd\x79\xb6\x85\xe1\x4f\x3e\xba\x64\x7e\x7b\x20\xae\xfd\xf9\x2e\xd0\x5b\xef\x68\x93\x52\x65\xce\x00\x35\xe3\xb6\x24\x85\x23\x50\xd1\x23\x4e\xf9", 190); *(uint8_t*)0x2000828d = 0xa; *(uint8_t*)0x2000828e = 5; memcpy((void*)0x2000828f, "\x29\x0a\x54\x8e\x96\x26\x66\xdf", 8); *(uint8_t*)0x20008297 = 9; *(uint8_t*)0x20008298 = 5; *(uint8_t*)0x20008299 = 7; *(uint8_t*)0x2000829a = 4; *(uint16_t*)0x2000829b = 0x7d7; *(uint8_t*)0x2000829d = 0; *(uint8_t*)0x2000829e = 7; *(uint8_t*)0x2000829f = 0xf9; *(uint8_t*)0x200082a0 = 0xcd; *(uint8_t*)0x200082a1 = 2; memcpy((void*)0x200082a2, 
"\x74\xcd\x60\x07\xae\x0e\xa1\x29\x7f\x07\x01\x8c\xbd\xaa\xa0\xc8\x78\x51\xa0\x13\x08\xad\x71\x7f\x23\x5e\x9e\xff\x80\x10\xad\x10\x46\xa5\x14\x8d\x35\x2a\x70\x76\x0b\xc4\xbe\xbd\xd7\x52\x8b\xf7\xd5\x06\xda\x1b\xaa\xc2\xcf\x49\x9d\x52\xde\x51\xd7\x1b\x05\x18\x5d\x7c\xd2\x68\x02\x3d\xe5\x96\x13\x04\x52\x1b\x5f\x56\x7c\x74\xcc\xab\x78\xb6\x1c\x3f\x64\x16\x62\xaf\x2d\x55\xd5\x15\x7a\x0d\xdc\x80\xc7\x59\x62\xe9\xbd\xa9\xff\x2d\x3b\x63\xdf\x6a\x6a\x0e\x2a\xeb\xbf\xc6\x64\xde\x3f\x3a\x34\xd6\x62\x00\xfa\x09\x24\x75\x68\x59\x57\xf0\xb3\x59\x42\x47\xa2\x1d\x46\x3c\xfe\x0c\xcd\x80\x44\xf9\x53\x19\xb4\xd4\x0c\x7f\x02\x2d\x5a\x9c\xe9\xe3\x48\xcd\x62\x3d\xc4\xc5\x90\xbe\xe5\xa1\x04\x72\x70\x95\x42\x14\x61\x1a\x8d\x98\xe6\x0a\xa6\x97\xa5\xce\x30\xee\xac\xd2\x39\x70\x94\xe5\x07\x16\x73\x99\x11\xa4\x47\x8b\x49\x5f\x02", 203); *(uint8_t*)0x2000836d = 0x2b; *(uint8_t*)0x2000836e = 3; memcpy((void*)0x2000836f, "\x9b\xc9\xf5\x80\x75\x06\x30\x3f\xbf\xd7\x12\x82\xa8\x20\x58\x56\x0f\xe8\x18\x0b\x20\x5f\x6f\x47\xf9\xd7\xcf\x05\x28\x0b\x7e\xb9\x6d\x6d\x15\x89\x97\x2f\x40\x2e\xf4", 41); *(uint8_t*)0x20008398 = 9; *(uint8_t*)0x20008399 = 5; *(uint8_t*)0x2000839a = 7; *(uint8_t*)0x2000839b = 0x1a; *(uint16_t*)0x2000839c = 8; *(uint8_t*)0x2000839e = 7; *(uint8_t*)0x2000839f = 3; *(uint8_t*)0x200083a0 = 0x86; *(uint8_t*)0x200083a1 = 0x35; *(uint8_t*)0x200083a2 = 0xb; memcpy((void*)0x200083a3, "\x01\x8a\x3d\x5f\xb9\x4d\x26\xc6\xa6\x89\xe9\x1e\xb6\xa9\xe4\x9b\xf1\xb8\x83\xb9\xe3\xda\x0a\x42\xbf\x45\x63\x9b\xc1\xb1\x9a\x0d\x8e\x78\xba\xbd\x76\x9b\x27\xa4\x3d\xd0\x91\xce\x83\xb4\xa9\x1c\xf5\xd1\x19", 51); *(uint8_t*)0x200083d6 = 7; *(uint8_t*)0x200083d7 = 0x25; *(uint8_t*)0x200083d8 = 1; *(uint8_t*)0x200083d9 = 0x80; *(uint8_t*)0x200083da = 0x40; *(uint16_t*)0x200083db = 6; *(uint8_t*)0x200083dd = 9; *(uint8_t*)0x200083de = 5; *(uint8_t*)0x200083df = 3; *(uint8_t*)0x200083e0 = 2; *(uint16_t*)0x200083e1 = 0x200; *(uint8_t*)0x200083e3 = 8; *(uint8_t*)0x200083e4 = 0x55; *(uint8_t*)0x200083e5 = 7; 
*(uint8_t*)0x200083e6 = 0xc; *(uint8_t*)0x200083e7 = 0x21; memcpy((void*)0x200083e8, "\xf2\xae\x0c\x70\x73\x12\x45\x83\x53\x64", 10); *(uint8_t*)0x200083f2 = 9; *(uint8_t*)0x200083f3 = 5; *(uint8_t*)0x200083f4 = 0xc; *(uint8_t*)0x200083f5 = 0; *(uint16_t*)0x200083f6 = 0x400; *(uint8_t*)0x200083f8 = -1; *(uint8_t*)0x200083f9 = 9; *(uint8_t*)0x200083fa = 0x7f; *(uint8_t*)0x200083fb = 9; *(uint8_t*)0x200083fc = 5; *(uint8_t*)0x200083fd = 3; *(uint8_t*)0x200083fe = 4; *(uint16_t*)0x200083ff = 0x3ff; *(uint8_t*)0x20008401 = 3; *(uint8_t*)0x20008402 = 0x81; *(uint8_t*)0x20008403 = 0x1f; *(uint8_t*)0x20008404 = 2; *(uint8_t*)0x20008405 = 0xb; memcpy((void*)0x20008406, "\x15\xf5\x29\x48\x16\x89\x69\xa7\x87\x9f\x68\x6a\x66\x44\x59\xf3\x1f\xa9\xc1\x46\xda\x65\xea\xa1\x87\x8b\x39\x96\xe0\x99\xdd\x1e\xc6\x89\x00\xa2\x57\xc0\x11\x39\x7b\xcf\xc1\x0b\xc4\x28\x59\x19\x72\xae\x5e\xb7\x0e\x65\xd2\x00\x24\x8c\x43\x3d\x8b\x1e\xaf\xe5\xdf\x95\xa1\x96\xb5\x8e\xd5\x0a\x74\xd4\x8f\x9c\x07\xf5\x08\x58\xdd\x07\xd9\x4e\xc7\x66\x26\xb5\xb4\x7c\x9a\xcd\x4f\xdb\xec\xde\x35\x6c\xab\xab\xc4\x3c\x31\x44\xfc\x2e\x52\x4b\x71\xbb\x4e\x8b\xb5\x35\xda\xa0\x71\xe2\x42\xc5\x85\x84\xdb\xdd\x6c\x1e\x75\x8e\x33\xfe\xcd\x91\xaa\xc9\x6d\x22\x88\x32\x2e\xd4\x8a\xcf\xda\xab\x53\x6e\xa5\x12\x98\xe1\x6c\x60\x33\xac\x2b\x91\x75\x84\x82\x71\x9c\xc7\xd7\x64\x37\x3c\xed\xf5\xd0\x39\xe7\x5f\x0b\xe3\x5a\xcd\xac\x46\xbf\xf1\x29\xaf\x0a\xd8\x17\xe1\x40\x64\x39\x8b\xe6\x49\x33\xb6\x76\xfa\xb4\xff\x8b\x8d\x37\xcd\x74\x2e\x41\xfd\x64\xf8\x7b\x7f\x7d\xf8\x73\xb3\xd4\xc1\xca\x44\x0e\x20\xa8\x29\xe3\x4c\x69\x77\x05\x4f\xd5\x97\x5e\x34\x94\x1c\x4c\xa2\x4d\xca\xf0\x7e\x3b\x99\x50\x28\x0b\x30\xfb\x2c\x43\x56\xee\xda\xb3\xe5\x18\x4e", 256); *(uint8_t*)0x20008506 = 7; *(uint8_t*)0x20008507 = 0x25; *(uint8_t*)0x20008508 = 1; *(uint8_t*)0x20008509 = 0; *(uint8_t*)0x2000850a = 0x1f; *(uint16_t*)0x2000850b = 0x200; *(uint8_t*)0x2000850d = 9; *(uint8_t*)0x2000850e = 5; *(uint8_t*)0x2000850f = 5; *(uint8_t*)0x20008510 = 0x10; 
*(uint16_t*)0x20008511 = 0x400; *(uint8_t*)0x20008513 = 0x81; *(uint8_t*)0x20008514 = 1; *(uint8_t*)0x20008515 = 5; *(uint8_t*)0x20008516 = 7; *(uint8_t*)0x20008517 = 0x25; *(uint8_t*)0x20008518 = 1; *(uint8_t*)0x20008519 = 2; *(uint8_t*)0x2000851a = 8; *(uint16_t*)0x2000851b = 0x101; *(uint8_t*)0x2000851d = 7; *(uint8_t*)0x2000851e = 0x25; *(uint8_t*)0x2000851f = 1; *(uint8_t*)0x20008520 = 3; *(uint8_t*)0x20008521 = 2; *(uint16_t*)0x20008522 = 8; *(uint8_t*)0x20008524 = 9; *(uint8_t*)0x20008525 = 5; *(uint8_t*)0x20008526 = 0; *(uint8_t*)0x20008527 = 4; *(uint16_t*)0x20008528 = 0x80; *(uint8_t*)0x2000852a = 9; *(uint8_t*)0x2000852b = 6; *(uint8_t*)0x2000852c = 7; *(uint8_t*)0x2000852d = 9; *(uint8_t*)0x2000852e = 5; *(uint8_t*)0x2000852f = 3; *(uint8_t*)0x20008530 = 0; *(uint16_t*)0x20008531 = 0x7ff; *(uint8_t*)0x20008533 = 1; *(uint8_t*)0x20008534 = -1; *(uint8_t*)0x20008535 = 0x1f; *(uint32_t*)0x20008640 = 0xa; *(uint64_t*)0x20008644 = 0x20008540; *(uint8_t*)0x20008540 = 0xa; *(uint8_t*)0x20008541 = 6; *(uint16_t*)0x20008542 = 0; *(uint8_t*)0x20008544 = 2; *(uint8_t*)0x20008545 = 0x86; *(uint8_t*)0x20008546 = 0x80; *(uint8_t*)0x20008547 = 0x10; *(uint8_t*)0x20008548 = 2; *(uint8_t*)0x20008549 = 0; *(uint32_t*)0x2000864c = 0x42; *(uint64_t*)0x20008650 = 0x20008580; *(uint8_t*)0x20008580 = 5; *(uint8_t*)0x20008581 = 0xf; *(uint16_t*)0x20008582 = 0x42; *(uint8_t*)0x20008584 = 5; *(uint8_t*)0x20008585 = 0xa; *(uint8_t*)0x20008586 = 0x10; *(uint8_t*)0x20008587 = 3; *(uint8_t*)0x20008588 = 0; *(uint16_t*)0x20008589 = 3; *(uint8_t*)0x2000858b = 0x73; *(uint8_t*)0x2000858c = 4; *(uint16_t*)0x2000858d = 0; *(uint8_t*)0x2000858f = 3; *(uint8_t*)0x20008590 = 0x10; *(uint8_t*)0x20008591 = 0xb; *(uint8_t*)0x20008592 = 0xa; *(uint8_t*)0x20008593 = 0x10; *(uint8_t*)0x20008594 = 3; *(uint8_t*)0x20008595 = 0; *(uint16_t*)0x20008596 = 8; *(uint8_t*)0x20008598 = 0xeb; *(uint8_t*)0x20008599 = 0x3f; *(uint16_t*)0x2000859a = 2; *(uint8_t*)0x2000859c = 7; *(uint8_t*)0x2000859d = 0x10; 
*(uint8_t*)0x2000859e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000859f, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 0xf, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a1, 5, 0, 16); *(uint8_t*)0x200085a3 = 0x1f; *(uint8_t*)0x200085a4 = 0x10; *(uint8_t*)0x200085a5 = 1; memcpy((void*)0x200085a6, "\x61\x40\x8d\x3d\x2e\x18\x72\x46\x92\x26\xd4\xd9\xbe\xfe\xcd\xac\x20\x8d\xfd\xaa\x38\x51\x78\xf4\x8c\xa7\x56\x50", 28); *(uint32_t*)0x20008658 = 1; *(uint32_t*)0x2000865c = 4; *(uint64_t*)0x20008660 = 0x20008600; *(uint8_t*)0x20008600 = 4; *(uint8_t*)0x20008601 = 3; *(uint16_t*)0x20008602 = 0x41a; res = -1; res = syz_usb_connect(5, 0x776, 0x20007dc0, 0x20008640); if (res != -1) r[15] = res; break; case 37: *(uint8_t*)0x20008680 = 0x12; *(uint8_t*)0x20008681 = 1; *(uint16_t*)0x20008682 = 0x200; *(uint8_t*)0x20008684 = -1; *(uint8_t*)0x20008685 = -1; *(uint8_t*)0x20008686 = -1; *(uint8_t*)0x20008687 = 0x40; *(uint16_t*)0x20008688 = 0xcf3; *(uint16_t*)0x2000868a = 0x9271; *(uint16_t*)0x2000868c = 0x108; *(uint8_t*)0x2000868e = 1; *(uint8_t*)0x2000868f = 2; *(uint8_t*)0x20008690 = 3; *(uint8_t*)0x20008691 = 1; *(uint8_t*)0x20008692 = 9; *(uint8_t*)0x20008693 = 2; *(uint16_t*)0x20008694 = 0x48; *(uint8_t*)0x20008696 = 1; *(uint8_t*)0x20008697 = 1; *(uint8_t*)0x20008698 = 0; *(uint8_t*)0x20008699 = 0x80; *(uint8_t*)0x2000869a = 0xfa; *(uint8_t*)0x2000869b = 9; *(uint8_t*)0x2000869c = 4; *(uint8_t*)0x2000869d = 0; *(uint8_t*)0x2000869e = 0; *(uint8_t*)0x2000869f = 6; *(uint8_t*)0x200086a0 = -1; *(uint8_t*)0x200086a1 = 0; *(uint8_t*)0x200086a2 = 0; *(uint8_t*)0x200086a3 = 0; *(uint8_t*)0x200086a4 = 9; *(uint8_t*)0x200086a5 = 5; *(uint8_t*)0x200086a6 = 1; *(uint8_t*)0x200086a7 = 2; *(uint16_t*)0x200086a8 = 0x200; *(uint8_t*)0x200086aa = 0; *(uint8_t*)0x200086ab = 0; *(uint8_t*)0x200086ac = 0; *(uint8_t*)0x200086ad = 9; *(uint8_t*)0x200086ae = 5; *(uint8_t*)0x200086af = 0x82; *(uint8_t*)0x200086b0 = 2; *(uint16_t*)0x200086b1 = 0x200; 
*(uint8_t*)0x200086b3 = 0; *(uint8_t*)0x200086b4 = 0; *(uint8_t*)0x200086b5 = 0; *(uint8_t*)0x200086b6 = 9; *(uint8_t*)0x200086b7 = 5; *(uint8_t*)0x200086b8 = 0x83; *(uint8_t*)0x200086b9 = 3; *(uint16_t*)0x200086ba = 0x40; *(uint8_t*)0x200086bc = 1; *(uint8_t*)0x200086bd = 0; *(uint8_t*)0x200086be = 0; *(uint8_t*)0x200086bf = 9; *(uint8_t*)0x200086c0 = 5; *(uint8_t*)0x200086c1 = 4; *(uint8_t*)0x200086c2 = 3; *(uint16_t*)0x200086c3 = 0x40; *(uint8_t*)0x200086c5 = 1; *(uint8_t*)0x200086c6 = 0; *(uint8_t*)0x200086c7 = 0; *(uint8_t*)0x200086c8 = 9; *(uint8_t*)0x200086c9 = 5; *(uint8_t*)0x200086ca = 5; *(uint8_t*)0x200086cb = 2; *(uint16_t*)0x200086cc = 0x200; *(uint8_t*)0x200086ce = 0; *(uint8_t*)0x200086cf = 0; *(uint8_t*)0x200086d0 = 0; *(uint8_t*)0x200086d1 = 9; *(uint8_t*)0x200086d2 = 5; *(uint8_t*)0x200086d3 = 6; *(uint8_t*)0x200086d4 = 2; *(uint16_t*)0x200086d5 = 0x200; *(uint8_t*)0x200086d7 = 0; *(uint8_t*)0x200086d8 = 0; *(uint8_t*)0x200086d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20008680, 0); if (res != -1) r[16] = res; break; case 38: *(uint32_t*)0x20008900 = 0x2c; *(uint64_t*)0x20008904 = 0x20008700; *(uint8_t*)0x20008700 = 0x20; *(uint8_t*)0x20008701 = 0x21; *(uint32_t*)0x20008702 = 0xdb; *(uint8_t*)0x20008706 = 0xdb; *(uint8_t*)0x20008707 = 0x24; memcpy((void*)0x20008708, 
"\xb5\x01\xb9\xa6\x76\xdf\xcb\x3e\x98\xc6\x6e\x8b\x68\x77\xca\xc3\x0d\xfb\x98\x56\xc7\x20\x94\xee\x90\xf2\x31\x70\xf3\x3d\xc0\x41\x69\x19\x14\x6a\x8a\x2a\xd6\x05\xce\x54\xf3\xd4\x43\xec\x59\x7b\x33\x7b\x1b\x4d\x39\xc4\x42\x89\xbb\xfc\x62\x1a\x00\x86\x26\x48\xfe\x2d\xf7\x54\xe4\x63\x45\x5e\xf8\x8f\x55\xfb\x63\xb4\xb7\x71\x9d\xd8\xd3\xe6\x84\x6c\x4d\x25\x4a\xfb\x2e\x40\x11\x6d\x2b\x5f\xcd\x88\x3a\x84\x21\x22\x17\xe0\x65\xcd\x44\x66\x68\x01\x15\x4e\x7b\x43\xe3\xd1\x62\x9d\xc7\x6f\x3a\x71\x10\xe8\x07\x90\xce\x65\xee\x44\x96\x1d\x30\x65\x21\xe9\x4e\x6e\xe9\x41\xa9\x7e\x0e\xab\x0e\x80\x37\xfe\xf7\x68\x90\x28\x91\xbb\x41\x05\xd8\xba\xf0\xa3\x5f\x93\xd2\xa5\x63\x59\x35\x79\x9c\x87\xeb\x91\xb5\xe5\xff\x7a\xe9\x1c\xbe\x9c\xda\xdd\x65\x3a\x48\x6d\x72\xd6\x7d\xc3\xb3\x71\xe4\xe5\xfa\x61\x87\x59\xde\x87\xeb\xe1\xec\x27\x8d\x14\x08\x34\x59\x0f\x6c\x51\x3e\x4c\x95\xcb\xb3", 217); *(uint64_t*)0x2000890c = 0x20008800; *(uint8_t*)0x20008800 = 0; *(uint8_t*)0x20008801 = 3; *(uint32_t*)0x20008802 = 0x18; *(uint8_t*)0x20008806 = 0x18; *(uint8_t*)0x20008807 = 3; memcpy((void*)0x20008808, "\x2c\x5d\xdd\x5f\xc6\x32\x36\xd4\x7a\xf3\x16\x42\x23\xe9\xb4\x23\xe1\x3b\x85\x60\xf2\x8a", 22); *(uint64_t*)0x20008914 = 0x20008840; *(uint8_t*)0x20008840 = 0; *(uint8_t*)0x20008841 = 0xf; *(uint32_t*)0x20008842 = 0x35; *(uint8_t*)0x20008846 = 5; *(uint8_t*)0x20008847 = 0xf; *(uint16_t*)0x20008848 = 0x35; *(uint8_t*)0x2000884a = 4; *(uint8_t*)0x2000884b = 7; *(uint8_t*)0x2000884c = 0x10; *(uint8_t*)0x2000884d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000884e, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 0xa, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008850, 1, 0, 16); *(uint8_t*)0x20008852 = 0xb; *(uint8_t*)0x20008853 = 0x10; *(uint8_t*)0x20008854 = 1; *(uint8_t*)0x20008855 = 0xc; *(uint16_t*)0x20008856 = 8; *(uint8_t*)0x20008858 = 0x3f; *(uint8_t*)0x20008859 = 1; *(uint16_t*)0x2000885a = 4; *(uint8_t*)0x2000885c = 6; *(uint8_t*)0x2000885d = 0x14; 
*(uint8_t*)0x2000885e = 0x10; *(uint8_t*)0x2000885f = 4; *(uint8_t*)0x20008860 = 0x80; memcpy((void*)0x20008861, "\xd0\xd1\xe2\xd8\x68\xe0\xfa\x99\x17\x77\xca\xc1\xb7\x94\x82\x58", 16); *(uint8_t*)0x20008871 = 0xa; *(uint8_t*)0x20008872 = 0x10; *(uint8_t*)0x20008873 = 3; *(uint8_t*)0x20008874 = 2; *(uint16_t*)0x20008875 = 3; *(uint8_t*)0x20008877 = 4; *(uint8_t*)0x20008878 = 0; *(uint16_t*)0x20008879 = 8; *(uint64_t*)0x2000891c = 0x20008880; *(uint8_t*)0x20008880 = 0x20; *(uint8_t*)0x20008881 = 0x29; *(uint32_t*)0x20008882 = 0xf; *(uint8_t*)0x20008886 = 0xf; *(uint8_t*)0x20008887 = 0x29; *(uint8_t*)0x20008888 = 0; *(uint16_t*)0x20008889 = 4; *(uint8_t*)0x2000888b = 0xc1; *(uint8_t*)0x2000888c = 0x7f; memcpy((void*)0x2000888d, "\x1b\xc1\x9f\x6f", 4); memcpy((void*)0x20008891, "\x0c\xd3\xa1\x96", 4); *(uint64_t*)0x20008924 = 0x200088c0; *(uint8_t*)0x200088c0 = 0x20; *(uint8_t*)0x200088c1 = 0x2a; *(uint32_t*)0x200088c2 = 0xc; *(uint8_t*)0x200088c6 = 0xc; *(uint8_t*)0x200088c7 = 0x2a; *(uint8_t*)0x200088c8 = -1; *(uint16_t*)0x200088c9 = 8; *(uint8_t*)0x200088cb = 0x20; *(uint8_t*)0x200088cc = 2; *(uint8_t*)0x200088cd = 6; *(uint16_t*)0x200088ce = 0x800; *(uint16_t*)0x200088d0 = 9; *(uint32_t*)0x20008e00 = 0x84; *(uint64_t*)0x20008e04 = 0x20008940; *(uint8_t*)0x20008940 = 0; *(uint8_t*)0x20008941 = 0xb; *(uint32_t*)0x20008942 = 0xe5; memcpy((void*)0x20008946, 
"\xea\x88\xbc\xa9\xc1\xe3\xf5\xbd\xf6\x07\xf7\x25\x25\x73\xdd\x87\x56\xe9\xf3\x2a\x7c\x4a\xee\xa5\xb3\xe1\xae\x6f\xdb\xe3\x19\x4c\x19\x18\xd9\xd9\xa3\xaa\x13\xdb\xbc\x47\xe1\x43\x0d\x7b\xe6\xa1\x80\xc7\x38\x84\x56\xd1\x2a\x5c\x32\x7b\x71\x6d\x23\x41\xbc\xd0\xef\x82\xa4\xa3\x46\x10\xe2\x8f\xc7\xb2\xe1\x72\xdf\xa0\x56\xc6\x35\x3d\xa1\x66\x49\x6c\xa2\x54\x0e\x60\xbb\x52\x06\x6e\xf4\x77\x36\x67\x40\x9a\x68\xef\xf5\x2e\x75\xff\x93\x46\x9e\x4f\xf5\xd6\x99\x66\xb8\x1e\x03\x4c\x68\x8a\x2f\x6f\xd9\x45\xec\xd0\x5f\x33\x65\x73\x58\x68\x23\xfd\x9f\x6d\x40\xbb\x48\x3d\xd2\x7a\xd4\x6b\x84\x14\x55\xac\x07\xfc\x31\x9b\x8c\xb5\xf5\xe2\xda\xa6\x4a\x6c\x5f\x3b\xc0\x99\x27\x0c\xd3\x76\x66\x0e\xf3\x45\x65\x71\xaa\x6d\x2f\xe4\x86\x67\x83\x8d\x81\x11\x26\xca\xce\xed\xae\xbe\xf9\x60\x81\x92\xb6\x03\x32\x7f\x6e\xe9\xed\x42\x57\x2b\x6e\xb3\xc6\x63\x0e\x90\x17\x42\x8e\xd3\x70\xbd\x03\x24\xda\x01\xea\xe4\xa7\x88\x1a\x6b\x88\xaa\x1a", 229); *(uint64_t*)0x20008e0c = 0x20008a40; *(uint8_t*)0x20008a40 = 0; *(uint8_t*)0x20008a41 = 0xa; *(uint32_t*)0x20008a42 = 1; *(uint8_t*)0x20008a46 = 5; *(uint64_t*)0x20008e14 = 0x20008a80; *(uint8_t*)0x20008a80 = 0; *(uint8_t*)0x20008a81 = 8; *(uint32_t*)0x20008a82 = 1; *(uint8_t*)0x20008a86 = 0x1f; *(uint64_t*)0x20008e1c = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x20; *(uint8_t*)0x20008ac1 = 0; *(uint32_t*)0x20008ac2 = 4; *(uint16_t*)0x20008ac6 = 2; *(uint16_t*)0x20008ac8 = 3; *(uint64_t*)0x20008e24 = 0x20008b00; *(uint8_t*)0x20008b00 = 0x20; *(uint8_t*)0x20008b01 = 0; *(uint32_t*)0x20008b02 = 4; *(uint16_t*)0x20008b06 = 0x100; *(uint16_t*)0x20008b08 = 1; *(uint64_t*)0x20008e2c = 0x20008b40; *(uint8_t*)0x20008b40 = 0x40; *(uint8_t*)0x20008b41 = 7; *(uint32_t*)0x20008b42 = 2; *(uint16_t*)0x20008b46 = -1; *(uint64_t*)0x20008e34 = 0x20008b80; *(uint8_t*)0x20008b80 = 0x40; *(uint8_t*)0x20008b81 = 9; *(uint32_t*)0x20008b82 = 1; *(uint8_t*)0x20008b86 = 0x7f; *(uint64_t*)0x20008e3c = 0x20008bc0; *(uint8_t*)0x20008bc0 = 0x40; *(uint8_t*)0x20008bc1 = 0xb; 
*(uint32_t*)0x20008bc2 = 2; memcpy((void*)0x20008bc6, "\xa6\xab", 2); *(uint64_t*)0x20008e44 = 0x20008c00; *(uint8_t*)0x20008c00 = 0x40; *(uint8_t*)0x20008c01 = 0xf; *(uint32_t*)0x20008c02 = 2; *(uint16_t*)0x20008c06 = 0; *(uint64_t*)0x20008e4c = 0x20008c40; *(uint8_t*)0x20008c40 = 0x40; *(uint8_t*)0x20008c41 = 0x13; *(uint32_t*)0x20008c42 = 6; *(uint8_t*)0x20008c46 = 0; *(uint8_t*)0x20008c47 = 0; *(uint8_t*)0x20008c48 = 0; *(uint8_t*)0x20008c49 = 0; *(uint8_t*)0x20008c4a = 0; *(uint8_t*)0x20008c4b = 0; *(uint64_t*)0x20008e54 = 0x20008c80; *(uint8_t*)0x20008c80 = 0x40; *(uint8_t*)0x20008c81 = 0x17; *(uint32_t*)0x20008c82 = 6; *(uint8_t*)0x20008c86 = 1; *(uint8_t*)0x20008c87 = 0x80; *(uint8_t*)0x20008c88 = 0xc2; *(uint8_t*)0x20008c89 = 0; *(uint8_t*)0x20008c8a = 0; *(uint8_t*)0x20008c8b = 1; *(uint64_t*)0x20008e5c = 0x20008cc0; *(uint8_t*)0x20008cc0 = 0x40; *(uint8_t*)0x20008cc1 = 0x19; *(uint32_t*)0x20008cc2 = 2; memcpy((void*)0x20008cc6, "rN", 2); *(uint64_t*)0x20008e64 = 0x20008d00; *(uint8_t*)0x20008d00 = 0x40; *(uint8_t*)0x20008d01 = 0x1a; *(uint32_t*)0x20008d02 = 2; *(uint16_t*)0x20008d06 = 0xb81; *(uint64_t*)0x20008e6c = 0x20008d40; *(uint8_t*)0x20008d40 = 0x40; *(uint8_t*)0x20008d41 = 0x1c; *(uint32_t*)0x20008d42 = 1; *(uint8_t*)0x20008d46 = 0x40; *(uint64_t*)0x20008e74 = 0x20008d80; *(uint8_t*)0x20008d80 = 0x40; *(uint8_t*)0x20008d81 = 0x1e; *(uint32_t*)0x20008d82 = 1; *(uint8_t*)0x20008d86 = 0x80; *(uint64_t*)0x20008e7c = 0x20008dc0; *(uint8_t*)0x20008dc0 = 0x40; *(uint8_t*)0x20008dc1 = 0x21; *(uint32_t*)0x20008dc2 = 1; *(uint8_t*)0x20008dc6 = 0x92; syz_usb_control_io(r[15], 0x20008900, 0x20008e00); break; case 39: syz_usb_disconnect(r[15]); break; case 40: syz_usb_ep_read(r[16], 0x1f, 0x80, 0x20008ec0); break; case 41: memcpy((void*)0x20008f40, 
"\x05\x9c\xba\xeb\x68\x64\xbc\xc9\x3a\x17\x64\x09\x36\xd2\xe5\x45\x0d\xeb\x6a\x94\xa3\xcd\x8d\xba\xc2\xfb\xcf\xac\x93\x2f\x8d\xd2\x22\x05\xe7\xae\x58\x9b\x0f\x01\x72\xe7\x51\xe3\x08\xa2\x36\xce\xa8\x57\x11\xd7\x4b\x54\x6d\x98\xb4\xd7\x5a\xfc\xc6\x5f\xd0\x46\x33\xc1\xfb\xed\x7c\xfe\x4d\x04\x9d", 73); syz_usb_ep_write(r[15], -1, 0x49, 0x20008f40); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); use_temporary_dir(); do_sandbox_namespace(); return 0; } : In function ‘syz_io_uring_setup’: :248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor270839454 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/13 (4.87s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: socket$nl_netfilter(0x10, 0x3, 0xc) r0 = open(&(0x7f0000000000)='./file0\x00', 0x2000, 0x163) recvfrom(r0, &(0x7f0000000040)=""/238, 0xee, 0x1, &(0x7f0000000140)=@llc={0x1a, 0x10f, 0x7, 0xc7, 0x6, 0xff, @broadcast}, 0x80) r1 = socket$inet_sctp(0x2, 0x5, 0x84) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r1, 0x84, 0xa, &(0x7f00000001c0)={0x7ff, 0x1ff, 0x204, 0x0, 0x803, 0x0, 0x5, 0x800}, 0x20) execveat(r0, &(0x7f0000000200)='./file0\x00', &(0x7f0000000400)=[&(0x7f0000000240)='^\x00', &(0x7f0000000280)='*,+\x00', 
&(0x7f00000002c0)='-{$(%![\x00', &(0x7f0000000300)='\\[\x00', &(0x7f0000000340)='\x00', &(0x7f0000000380)='\x00', &(0x7f00000003c0)='\xb1$}\x00'], &(0x7f0000000640)=[&(0x7f0000000440)='\x00', &(0x7f0000000480)='*/%}\\\\\x00', &(0x7f00000004c0)='@[\x00', &(0x7f0000000500)='\x00', &(0x7f0000000540)=':\'\x9f^(\x00', &(0x7f0000000580)='],-.$\xfb\\}{)@-&/[\\!\x00', &(0x7f00000005c0)='\x00', &(0x7f0000000600)='{{\'$(+-(}{}]?/--)\x00'], 0x1000) r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000680)='/dev/hwrng\x00', 0x40000, 0x0) ioctl$HIDIOCGPHYS(r2, 0x80404812, &(0x7f00000006c0)) ioctl$TIOCGICOUNT(r2, 0x545d, 0x0) io_uring_setup(0x509f, &(0x7f0000000700)={0x0, 0x9c76, 0x8, 0x3, 0x309, 0x0, r0}) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_unix_may_send\x00') syz_emit_ethernet(0x2e, &(0x7f0000000040)={@dev={[], 0x29}, @local, @void, {@ipx={0x8137, {0xffff, 0x20, 0x2, 0x0, {@random=0x3, @random="67516965f015", 0x3}, {@random=0xa0, @current, 0x8ca}, "d18e"}}}}, &(0x7f0000000080)={0x1, 0x3, [0x6f3, 0xd92, 0xd18, 0x98a]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_EVENT_PKT={0x4, @hci_ev_pkt_type_change={{0x1d, 0x5}, {0x1, 0xc9, 0x800}}}, 0x8) syz_execute_func(&(0x7f0000000100)="c4017c5a50f2c4a1637c7a862ef04230b50d00000041d9f93e420fb7bcaeb0000000c4c2a5291498c482c9bdac33de7941f1c401fc2e0666400f38241f670fecfb") syz_extract_tcp_res(&(0x7f0000000180), 0x8, 0x47) r3 = openat$selinux_policy(0xffffffffffffff9c, &(0x7f00000001c0)='/selinux/policy\x00', 0x0, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002500)={0x2020, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x2020) lstat(&(0x7f00000046c0)='\x00', &(0x7f0000004700)={0x0, 0x0, 0x0, 0x0, 0x0}) stat(&(0x7f0000004780)='./file0\x00', &(0x7f00000047c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000004840)=0x0, &(0x7f0000004880), &(0x7f00000048c0)) syz_fuse_handle_req(r3, &(0x7f0000000200)="", 0x2000, &(0x7f0000004cc0)={&(0x7f0000002200)={0x50, 0x0, 0x8b20, {0x7, 0x1f, 0x4, 0x0, 0x6, 0x2, 0x7fffffff, 0x2}}, &(0x7f0000002280)={0x18, 
0xfffffffffffffff5, 0x55}, &(0x7f00000022c0)={0x18, 0x0, 0x2, {0x9}}, &(0x7f0000002300)={0x18, 0x0, 0x40, {0xe62}}, &(0x7f0000002340)={0x18, 0x0, 0x80000001, {0x787}}, &(0x7f0000002380)={0x28, 0x0, 0x3, {{0x9, 0x101, 0x0, 0xffffffffffffffff}}}, &(0x7f00000023c0)={0x60, 0x0, 0x9, {{0xf652, 0x8d, 0x0, 0x3f, 0x80000000, 0x0, 0x3}}}, &(0x7f0000002440)={0x18, 0x0, 0x2, {0xa8f}}, &(0x7f0000002480)={0x26, 0x0, 0x8, {'bpf_lsm_unix_may_send\x00'}}, &(0x7f00000024c0)={0x20, 0x0, 0x6, {0x0, 0x12}}, &(0x7f0000004540)={0x78, 0xfffffffffffffff5, 0x81, {0x1, 0x7, 0x0, {0x5, 0x8, 0x6, 0x1ff, 0x5, 0x4, 0x4, 0xe8, 0x193, 0x7000, 0x6, 0xffffffffffffffff, r4, 0x3, 0x9}}}, &(0x7f00000045c0)={0x90, 0x0, 0x8612, {0x5, 0x3, 0xb2f, 0x20, 0x0, 0x7, {0x0, 0x1ff, 0x2, 0x2, 0x1de, 0x5a, 0x9, 0xc46, 0x5, 0xc000, 0xddce, 0xee01, 0xee00, 0x0, 0x12}}}, &(0x7f0000004680)={0x10, 0x0, 0x5}, &(0x7f0000004900)={0x2c0, 0xfffffffffffffff5, 0x8a, [{{0x4, 0x3, 0xfff, 0x6, 0xffffffff, 0x8, {0x5, 0xca13, 0x81, 0x4, 0x0, 0xbbc, 0x0, 0x3, 0x34b, 0x4000, 0x9, 0x0, 0xee01, 0x2, 0x81}}, {0x3, 0x80000001, 0x16, 0xf97, 'bpf_lsm_unix_may_send\x00'}}, {{0x5, 0x3, 0x100000001, 0x10001, 0x7, 0x83, {0x5, 0x5, 0x100, 0x6, 0xfffffffffffffbff, 0xb533, 0x800, 0xad7, 0x32f914fb, 0x2000, 0xe0, r6, 0xee01, 0x4, 0x64}}, {0x4, 0xfffffffffffffffc, 0x16, 0x6, 'bpf_lsm_unix_may_send\x00'}}, {{0x2, 0x2, 0x7, 0x8000, 0x9, 0x3, {0x2, 0x7, 0x80000000, 0x8, 0x6, 0x400, 0xc932, 0x81, 0x5, 0x1000, 0xf841, r7, 0xee00, 0xff, 0x5}}, {0x4, 0xffffffffffff3232, 0x16, 0x5, 'bpf_lsm_unix_may_send\x00'}}, {{0x4, 0x0, 0x0, 0x7, 0x200, 0x6, {0x5, 0x1020000, 0x6, 0x7f, 0xce, 0x0, 0xa9fb, 0xffffff81, 0x3ff, 0x1000, 0x0, 0x0, r8, 0x8de6, 0x3}}, {0x2, 0xffffffff, 0x1, 0x5, '/'}}]}, &(0x7f0000004bc0)={0xa0, 0x0, 0x3f, {{0x5, 0x2, 0x0, 0x7, 0x6, 0x3, {0x2, 0xf51e, 0x65, 0x1, 0x8b, 0x7f, 0x100, 0x9, 0x24, 0xa000, 0x3f, 0x0, 0xffffffffffffffff, 0x40, 0x3}}, {0x0, 0x1}}}, &(0x7f0000004c80)={0x20, 0xfffffffffffffff5, 0x401, {0x5b2, 0x0, 0x9, 0x2}}}) 
syz_genetlink_get_family_id$SEG6(&(0x7f0000004d40)='SEG6\x00') r9 = syz_init_net_socket$ax25(0x3, 0x2, 0x1) r10 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x3e79, &(0x7f0000004d80)={0x0, 0xb8ca, 0x20, 0xe7c, 0x26b, 0x0, r10}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004e00), &(0x7f0000004e40)) syz_io_uring_setup(0x5336, &(0x7f0000004e80)={0x0, 0x29dc, 0x2, 0x1, 0x3d6, 0x0, r3}, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004f00)=0x0, &(0x7f0000004f40)=0x0) r13 = syz_open_dev$vcsa(&(0x7f0000004f80)='/dev/vcsa#\x00', 0xfffffffffffffff8, 0x240) syz_io_uring_submit(0x0, r12, &(0x7f0000004fc0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd=r13, 0x0, 0x0, 0x0, {0x4404}}, 0x8) r14 = syz_open_dev$vcsa(&(0x7f0000005000)='/dev/vcsa#\x00', 0x1000, 0x8600) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005080)=[{0x0, &(0x7f0000005040)="48d5a3400d135dd4910161867c991fc7d68d55145fbbc5c498b58fba49bd01b68386473365a9131272ede1d53bc285051b85", 0x32}], 0x1, 0x0, &(0x7f00000050c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000005100)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000005140)='afs\x00', &(0x7f0000005180)='./file0\x00', 0x0, 0x9, &(0x7f0000006640)=[{&(0x7f00000051c0)="c5f6f420aeec388cedec2b597c8156538cd4586034199f56f5944da03d8ca829f6c6b6", 0x23, 0x1}, {&(0x7f0000005200)="f4ee9edc1be2c2d862a480f30ae30dafadfdf869f7789a4549f5a8dac06fe4c5d5d2cf0066d88bfca6af40745ed617b7a146c940de37505cb965eaa1982c8ca0ec2106f47e4e265f1e19285bba7eb577f60066b5f46c62d2ec0068edcbe6300e4f1e3cce429e45a7df287e8009841db1015134eeaa724311e55181cb7afe7dfdc7946bd14523ea6680ea42ca9f7b0eaaabe1d054277eff607ef4f8402e5dc37e6a528ec3565823c031a8460e8b5f670668f86b90a026043a", 0xb8, 0x2}, 
{&(0x7f00000052c0)="baeede481736d90f0aa36fb327956dd763578e20199f0dc85f185c9306866ba33c93d2af9613c92909c651254e6a63503dbf317b021c4b3c8de305d3de39a1ad9ac1b0ab3f51f68c1ae1da3e4cc744fd00dfa6d1b96e21134007d31c93013854ed32550f1b82a4c03ca67440d86545dcd29eea99274f655737ad5a54d9e7f9dec49129bb84beb62b1853f69e6a077209f7e55ce0d51686ca764d2ce334cd6d09b5d92357bdef60a635", 0xa9}, {&(0x7f0000005380)="31f1fbee4b48e6e69cb61bd1ccc1e213af5a28e74cffc2e5e82fbbcd1c3400faf379d1a194d52a3667e2019b9aec0e14feed8fea770a9a1bfbbc30997321bcbbcf4d115bb3d3269e50beca5982ef1d22c983d78621dbaa93e8395efe31dfadedcaded0976f5f0c7d4f17b6cc88b897ce5ddff1ade8ef2d62dcbed421589e3cfb5d8550d3651a99115d6e", 0x8a, 0x2}, {&(0x7f0000005440)="7881b6811ea2aec8f27f7f7f523cc4baca3652f7303cd748fb4ed8cc783ac578a9e853a9906a", 0x26, 0x1}, {&(0x7f0000005480)="", 0x1000, 0xff00000000000000}, {&(0x7f0000006480)="829251fbd70caeb451ccf09a96fbfe559b217a4a12cf46a389d82c55ef7f5c64e45e1b6f269559a85e8bcc232bf1500dcb9af40f697165fde6209f8bf001585b6ccaafe194ccfdb7f8990804ee77ed9a345b52a8d7e8f4", 0x57, 0x8}, {&(0x7f0000006500)="34e0c082bd77b51d0c9ab1bcde0acc308149f3e64c75b7173cda5f39d3b4a62c60de76d12d41cec1b7c9bc9e57acb7834282a5758d7c7e4b21715febf6fbf144ad46cbf2cec87f7401", 0x49, 0x8001}, {&(0x7f0000006580)="e60976f86d91dd66cec0b1e30ec801160b84cfb1f8603703d14a6b815d22e1783eed12ce8c080e3ffbf0b53095f69603fa76a934a60a0526341eafafb3867d13e88d1d39e370a00dbe06ddc840ba7446a62597069e1dcd138f82b29ff78af1d1c3133fe9c04d732cdb4b3f6aa26989369b5f6dca6000a0767341bc2aaacd69e648621915b8aa9cb24c6bb5ae3f", 0x8d, 0x3}], 0x10000, &(0x7f0000006740)={[{@flock_strict='flock=strict'}], [{@obj_type={'obj_type', 0x3d, '/dev/vcsa#\x00'}}, {@obj_role={'obj_role', 0x3d, 'bpf_lsm_unix_may_send\x00'}}]}) syz_open_dev$I2C(&(0x7f00000067c0)='/dev/i2c-#\x00', 0x4, 0x4800) syz_open_procfs(r5, &(0x7f0000006800)='net/icmp\x00') syz_open_pts(r9, 0x258102) syz_read_part_table(0x9, 0x8, 
&(0x7f0000007d00)=[{&(0x7f0000006840)="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", 0xfe, 0x7fffffff}, {&(0x7f0000006940)="330ea746d7dfb4a5e9f33a325a9688ca04cd59af724b34f70ae370d4ac73ea9a65ab003f2cbc01af1162c0fefb2b7e4a0dcd3f2a8c23f2a1", 0x38, 0x2eed}, {&(0x7f0000006980)="", 0x1000, 0x4065ebb7}, {&(0x7f0000007980)="112a657c2770ad17f2e77762160bb14f2f71a17b88fdb946f919b2dfd3efd616e31124ff47ee668f6065a0435a791a7439d8aa10dcc418192d821e36fc0820d7cc0f88b088916d786f01426fa46b214de822d24e4d6c785feac458d98635c4801672bd4e74fd40753932121152ae0ead771e3abc7f741e393b328526e5ec29e8e0d9b3a2bebcd0eb3472a4bd8e50f953ed173ba271fbe9f9d9c463c79f44d093154ffef59c93ada783b4727fc35ba6c0db2518939cb35fb3301d4cf72d2524f83ac4ab57a8acfc93a99c26ccaee0566371229496e93021e86b956021a467f34be66e", 0xe2, 0x6d69}, {&(0x7f0000007a80)="629825e3cb9c42732810eb62f1ff4785718f7a30c63940f2eadf19dae820feb9b7b358f741b834164a9a4ac8ce398c231607f523a26db9e0aecac1d1e89022d1cd50d644f2466b25ec09c6d6ef4f0b3ef592d1408d049da49b953b327e123c6f1963c2f7a9e3cc7e0c52ed1e17d0a8b794666875b20b07a0f5c2c76d9632909f769eb25b162737bea131f5c270b3249fd65c255e68b680271d0c11196715177744e7", 0xa2, 0x9}, {&(0x7f0000007b40)="d1091749233d1e7ec50653f301a734f5dd67ac1e748923e44ccedeeb3ea234745896abcb8003ed61605b5dffa8a9af0aa12ed902d4a35a9260c53ab6a621e210e61e4002838dc29e2f798b4cbe0ed0c12a33c69ddda446b9b884fcbfe28199184bd4aeb097d0d9a393b699d1f55a57d830da497d79b9bd7dbcdbfe7e168d6007611db96733574fb150f4e90991c70fc19edba6beedc5a72169366ae5fca5c1cb413bbc54ff8f127d1b94cf9942b5c9be5fbfc93946bf1d0b289a7442fb057adb0ae7fa4189d5e5fefc75ed5d260b3c2c2445d49579e6b369e396da162d940559", 0xe0, 0x6}, {&(0x7f0000007c40)="768d82c47f166e252530915b63b40d9eba4b95fe087893453f373a94389e1120981cb44576a2051c4158400a59b9c8a940ccae2826414e14ad55c72b04f8fabfe86462409b3ab2a075ea92c8bddcd2b2fc0fd77a97bc271ecd43dd605f29b990837b409eed5965ddb3fb1b91e5bf12ddbcf21c90c7ef2f0ab9bb03f72a647ce8", 0x80, 0xfffffffffffffff7}, 
{&(0x7f0000007cc0)="46c0ce8920305b2c7f636edbb165920db78c61f8", 0x14, 0xfffffffffffffffa}]) r15 = syz_usb_connect(0x5, 0x776, &(0x7f0000007dc0)={{0x12, 0x1, 0x300, 0x94, 0xe8, 0x2e, 0x40, 0x789, 0x160, 0xf578, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x764, 0x2, 0x4, 0x8f, 0x0, 0x7f, [{{0x9, 0x4, 0x40, 0x3f, 0xe, 0xbb, 0x18, 0xf3, 0x20, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "c1b0c981cc"}, {0x5, 0x24, 0x0, 0x7}, {0xd, 0x24, 0xf, 0x1, 0x9, 0xfff, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0xaa4}, @acm={0x4, 0x24, 0x2, 0x9}]}, @hid_hid={0x9, 0x21, 0x7ff, 0x8, 0x1, {0x22, 0xd44}}], [{{0x9, 0x5, 0x3, 0x3, 0x40, 0x6, 0x6, 0x80}}, {{0x9, 0x5, 0x5, 0x8, 0x20, 0x34, 0x7, 0xd1, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x20}, @generic={0x65, 0x30, "dac16e845b149dafe66663cc3acf393fa7b0ae46cbb8cf207bdb0d3d6cf681661fa00ed58d703c226470a84eaa264be51e6810875248ede794e2207e60b04585603cd055c6348f0eb4f33f2a833f4aee8884d7773be2f45177ad4c03728ff4dd8e40fd"}]}}, {{0x9, 0x5, 0x2, 0x4, 0x3ff, 0x1f, 0x2, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x9, 0x2}]}}, {{0x9, 0x5, 0x6, 0x0, 0x40, 0x0, 0x40, 0xfd, [@uac_iso={0x7, 0x25, 0x1, 0x83, 0x1f, 0x1000}]}}, {{0x9, 0x5, 0xd, 0x1, 0x3ff, 0x3, 0x1, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x4, 0x3}]}}, {{0x9, 0x5, 0x5, 0x4, 0x8, 0x8, 0xff, 0x80}}, {{0x9, 0x5, 0xf, 0x1, 0x8, 0xae, 0x9, 0xf6, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x95, 0x6}, @generic={0x7a, 0x6, "3f8f5c318c80e5a936089fa5be9dc364d3a8ff22238b9200642bb7969b9c0989510df3f2673846f3fe68eec487476d9d8ea37c9e7ec2939c3a85842cad500bf77aed1d9290eb850af4621cafed03c08a55c422c7122f6ec0703a47dfcb279c0b03558b39c7231b38e559d0546a29ca32280a8ce47080aa8d"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x58982e9dfc588938, 0x1, 0x8c, 0x4}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x6, 0x1, 0x81}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0x80, 0x3, 0x23, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0xb5a}]}}, {{0x9, 0x5, 0x8, 0x2, 0x8, 0x1f, 0x8, 0x1f, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x7f, 0x3}]}}, 
{{0x9, 0x5, 0xd, 0xc, 0x3ff, 0x12, 0x9, 0x4, [@generic={0xe, 0x5, "a9b97bc24de62c3bcf2bfa13"}, @generic={0x44, 0x30, "9f0d5ea24268b8a3211765246b1a834af641e8cd6ea3ef9b1fe10f16bed6b06cc3a165920c9d73909ab9ac8b2a7a8a5dae5d4acf316d0b35d4b644d368a06e0eff85"}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x3, 0xff, 0x6}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x6, 0x2e}}]}}, {{0x9, 0x4, 0x7, 0x0, 0xd, 0x29, 0xcb, 0x7c, 0x9, [@hid_hid={0x9, 0x21, 0x7, 0x1, 0x1, {0x22, 0xbd9}}, @uac_as={[@format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x43, 0x1, 0x0, 0x9, 'd\"', "3709db"}, @format_type_i_discrete={0x11, 0x24, 0x2, 0x1, 0xf8, 0x2, 0x7, 0x40, "5e58dff9a0d01e4109"}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0xffec, 0x6, 0x15, '?w'}, @as_header={0x7, 0x24, 0x1, 0xe1, 0x3, 0x2}]}], [{{0x9, 0x5, 0xc, 0x8, 0x8, 0x4, 0x8, 0x8}}, {{0x9, 0x5, 0x6, 0x8, 0x8, 0x0, 0x2, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x6, 0x18}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x39, 0x0, 0x6, [@generic={0x80, 0x23, "eba3e2d4848f84d0e6ded46e24d10bf9f8b0738910e29f319e942546e9cda8638257f55d0049672a1337067af73c1c29e0bd772a1cd5e16d249ed15cdd3d85a4399aef69e3f5a506ea0e0559306fe1f42dfc10922062e2bc062c34a1adc4bc46b080259ad20b37cde1eba7178fb514b2ef7397715b0eae34d5efd5274900"}, @generic={0xa1, 0x21, "1c020b389a4c59d1f26da857b222a6f6618adb0411bb24478e68ffe758469d4bb34df6aa9577ced55383dff01c052abbde70468ce31100ca3184d1d5f803dc280df3b7ae4738ad05036701e2e38ce844a7d301d86e0597c5bc1b67e7c6a5f7dfbc3311dbd234688e85e9a7d5021e51e2d0dd418038153db65b7fc268f98ddfd9e5036f24497d2f04cdcc752178991958f7243ff4dd5aefcf759a3fe7fb34c8"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x240, 0x2, 0x1, 0x0, [@generic={0x26, 0x3, "b451e24f6972cd6429f81ca173d13fb2c7f5284751638bbc4f0b3de02091fbb4f44533d9"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x7, 0x3f, 0xdb, [@generic={0xc0, 0x0, 
"ba73f770a427b8438313cb7e9d9d53a7e3110366c878e3c0f6e629ebb2a084a90b2def4b66950fdfd606e0834229e63028875489678bc93698ed8613884254703c315f1ee529d1bcbfaf8d865e738b9e08cbc4a211d480bdc2a6e69e172b1c73639474f1f0115b5f4918d037451c99dee88547562582d57171aa196913f11915d1fdc1a513b16c0b9c1fa07157421046f4f3372d00d4a27eb93ecd79b685e14f3eba647e7b20aefdf92ed05bef68935265ce0035e3b624852350d1234ef9"}, @generic={0xa, 0x5, "290a548e962666df"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x7d7, 0x0, 0x7, 0xf9, [@generic={0xcd, 0x2, "74cd6007ae0ea1297f07018cbdaaa0c87851a01308ad717f235e9eff8010ad1046a5148d352a70760bc4bebdd7528bf7d506da1baac2cf499d52de51d71b05185d7cd268023de5961304521b5f567c74ccab78b61c3f641662af2d55d5157a0ddc80c75962e9bda9ff2d3b63df6a6a0e2aebbfc664de3f3a34d66200fa092475685957f0b3594247a21d463cfe0ccd8044f95319b4d40c7f022d5a9ce9e348cd623dc4c590bee5a1047270954214611a8d98e60aa697a5ce30eeacd2397094e50716739911a4478b495f02"}, @generic={0x2b, 0x3, "9bc9f5807506303fbfd71282a82058560fe8180b205f6f47f9d7cf05280b7eb96d6d1589972f402ef4"}]}}, {{0x9, 0x5, 0x7, 0x1a, 0x8, 0x7, 0x3, 0x86, [@generic={0x35, 0xb, "018a3d5fb94d26c6a689e91eb6a9e49bf1b883b9e3da0a42bf45639bc1b19a0d8e78babd769b27a43dd091ce83b4a91cf5d119"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x6}]}}, {{0x9, 0x5, 0x3, 0x2, 0x200, 0x8, 0x55, 0x7, [@generic={0xc, 0x21, "f2ae0c70731245835364"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x400, 0xff, 0x9, 0x7f}}, {{0x9, 0x5, 0x3, 0x4, 0x3ff, 0x3, 0x81, 0x1f, [@generic={0x102, 0xb, "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"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x200}]}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x81, 0x1, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x8, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x8}]}}, {{0x9, 0x5, 0x0, 0x4, 0x80, 0x9, 0x6, 0x7}}, {{0x9, 0x5, 0x3, 0x0, 0x7ff, 0x1, 0xff, 0x1f}}]}}]}}]}}, &(0x7f0000008640)={0xa, &(0x7f0000008540)={0xa, 0x6, 0x0, 0x2, 0x86, 0x80, 0x10, 0x2}, 0x42, &(0x7f0000008580)={0x5, 0xf, 0x42, 0x5, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x3, 0x73, 0x4}, @ptm_cap={0x3}, 
@ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0xeb, 0x3f, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x8, 0xf, 0x6, 0x5}, @generic={0x1f, 0x10, 0x1, "61408d3d2e1872469226d4d9befecdac208dfdaa385178f48ca75650"}]}, 0x1, [{0x4, &(0x7f0000008600)=@lang_id={0x4, 0x3, 0x41a}}]}) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000008680)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r15, &(0x7f0000008900)={0x2c, &(0x7f0000008700)={0x20, 0x21, 0xdb, {0xdb, 0x24, "b501b9a676dfcb3e98c66e8b6877cac30dfb9856c72094ee90f23170f33dc0416919146a8a2ad605ce54f3d443ec597b337b1b4d39c44289bbfc621a00862648fe2df754e463455ef88f55fb63b4b7719dd8d3e6846c4d254afb2e40116d2b5fcd883a84212217e065cd44666801154e7b43e3d1629dc76f3a7110e80790ce65ee44961d306521e94e6ee941a97e0eab0e8037fef768902891bb4105d8baf0a35f93d2a5635935799c87eb91b5e5ff7ae91cbe9cdadd653a486d72d67dc3b371e4e5fa618759de87ebe1ec278d140834590f6c513e4c95cbb3"}}, &(0x7f0000008800)={0x0, 0x3, 0x18, @string={0x18, 0x3, "2c5ddd5fc63236d47af3164223e9b423e13b8560f28a"}}, &(0x7f0000008840)={0x0, 0xf, 0x35, {0x5, 0xf, 0x35, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x8, 0x2, 0xa, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x8, 0x3f, 0x1, 0x4, 0x6}, @ss_container_id={0x14, 0x10, 0x4, 0x80, "d0d1e2d868e0fa991777cac1b7948258"}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x3, 0x4, 0x0, 0x8}]}}, &(0x7f0000008880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x4, 0xc1, 0x7f, "1bc19f6f", "0cd3a196"}}, &(0x7f00000088c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xff, 0x8, 0x20, 0x2, 0x6, 0x800, 0x9}}}, &(0x7f0000008e00)={0x84, &(0x7f0000008940)={0x0, 0xb, 0xe5, 
"ea88bca9c1e3f5bdf607f7252573dd8756e9f32a7c4aeea5b3e1ae6fdbe3194c1918d9d9a3aa13dbbc47e1430d7be6a180c7388456d12a5c327b716d2341bcd0ef82a4a34610e28fc7b2e172dfa056c6353da166496ca2540e60bb52066ef4773667409a68eff52e75ff93469e4ff5d69966b81e034c688a2f6fd945ecd05f336573586823fd9f6d40bb483dd27ad46b841455ac07fc319b8cb5f5e2daa64a6c5f3bc099270cd376660ef3456571aa6d2fe48667838d811126caceedaebef9608192b603327f6ee9ed42572b6eb3c6630e9017428ed370bd0324da01eae4a7881a6b88aa1a"}, &(0x7f0000008a40)={0x0, 0xa, 0x1, 0x5}, &(0x7f0000008a80)={0x0, 0x8, 0x1, 0x1f}, &(0x7f0000008ac0)={0x20, 0x0, 0x4, {0x2, 0x3}}, &(0x7f0000008b00)={0x20, 0x0, 0x4, {0x100, 0x1}}, &(0x7f0000008b40)={0x40, 0x7, 0x2, 0xffff}, &(0x7f0000008b80)={0x40, 0x9, 0x1, 0x7f}, &(0x7f0000008bc0)={0x40, 0xb, 0x2, "a6ab"}, &(0x7f0000008c00)={0x40, 0xf, 0x2}, &(0x7f0000008c40)={0x40, 0x13, 0x6}, &(0x7f0000008c80)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}, &(0x7f0000008cc0)={0x40, 0x19, 0x2, 'rN'}, &(0x7f0000008d00)={0x40, 0x1a, 0x2, 0xb81}, &(0x7f0000008d40)={0x40, 0x1c, 0x1, 0x40}, &(0x7f0000008d80)={0x40, 0x1e, 0x1, 0x80}, &(0x7f0000008dc0)={0x40, 0x21, 0x1, 0x92}}) syz_usb_disconnect(r15) syz_usb_ep_read(r16, 0x1f, 0x80, &(0x7f0000008ec0)=""/128) syz_usb_ep_write(r15, 0xff, 0x49, &(0x7f0000008f40)="059cbaeb6864bcc93a17640936d2e5450deb6a94a3cd8dbac2fbcfac932f8dd22205e7ae589b0f0172e751e308a236cea85711d74b546d98b4d75afcc65fd04633c1fbed7cfe4d049d") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
#include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; 
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[1024]; }; static struct nlmsg nlmsg; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; unsigned n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != hdr->nlmsg_len) exit(1); n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (n < sizeof(struct nlmsghdr)) exit(1); if 
(reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr)) exit(1); if (hdr->nlmsg_type != NLMSG_ERROR) exit(1); return -((struct nlmsgerr*)(hdr + 1))->error; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL); } static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; hdr.ifi_index = if_nametoindex(name); netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr)); if (new_name) netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize); int err = netlink_send(nlmsg, sock); (void)err; } static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev, const void* addr, int addrsize) { struct ifaddrmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ifa_prefixlen = addrsize == 4 ? 
24 : 120; hdr.ifa_scope = RT_SCOPE_UNIVERSE; hdr.ifa_index = if_nametoindex(dev); netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize); netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize); return netlink_send(nlmsg, sock); } static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in_addr in_addr; inet_pton(AF_INET, addr, &in_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr)); (void)err; } static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in6_addr in6_addr; inet_pton(AF_INET6, addr, &in6_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr)); (void)err; } static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name, const void* addr, int addrsize, const void* mac, int macsize) { struct ndmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ndm_family = addrsize == 4 ? 
AF_INET : AF_INET6; hdr.ndm_ifindex = if_nametoindex(name); hdr.ndm_state = NUD_PERMANENT; netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, NDA_DST, addr, addrsize); netlink_attr(nlmsg, NDA_LLADDR, mac, macsize); int err = netlink_send(nlmsg, sock); (void)err; } static int tunfd = -1; #define TUN_IFACE "syz_tun" #define LOCAL_MAC 0xaaaaaaaaaaaa #define REMOTE_MAC 0xaaaaaaaaaabb #define LOCAL_IPV4 "172.20.20.170" #define REMOTE_IPV4 "172.20.20.187" #define LOCAL_IPV6 "fe80::aa" #define REMOTE_IPV6 "fe80::bb" #define IFF_NAPI 0x0010 static void initialize_tun(void) { tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); if (tunfd == -1) { printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); printf("otherwise fuzzing or reproducing might not work as intended\n"); return; } const int kTunFd = 240; if (dup2(tunfd, kTunFd) < 0) exit(1); close(tunfd); tunfd = kTunFd; struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); ifr.ifr_flags = IFF_TAP | IFF_NO_PI; if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { exit(1); } char sysctl[64]; sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE); write_file(sysctl, "0"); sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE); write_file(sysctl, "0"); int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4); netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6); uint64_t macaddr = REMOTE_MAC; struct in_addr in_addr; inet_pton(AF_INET, REMOTE_IPV4, &in_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN); struct in6_addr in6_addr; inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN); macaddr = LOCAL_MAC; netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN, NULL); 
close(sock); } const int kInitNetNsFd = 239; static int read_tun(char* data, int size) { if (tunfd < 0) return -1; int rv = read(tunfd, data, size); if (rv < 0) { if (errno == EAGAIN || errno == EBADFD) return -1; exit(1); } return rv; } static long syz_emit_ethernet(volatile long a0, volatile long a1, volatile long a2) { if (tunfd < 0) return (uintptr_t)-1; uint32_t length = a0; char* data = (char*)a1; return write(tunfd, data, length); } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case 
BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static void flush_tun() { char data[1000]; while (read_tun(&data[0], sizeof(data)) != -1) { } } struct ipv6hdr { __u8 priority : 4, version : 4; __u8 flow_lbl[3]; __be16 payload_len; __u8 nexthdr; __u8 hop_limit; struct in6_addr saddr; struct in6_addr daddr; }; struct tcp_resources { uint32_t seq; uint32_t ack; }; static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2) { if (tunfd < 0) return (uintptr_t)-1; char data[1000]; int rv = read_tun(&data[0], sizeof(data)); if (rv == -1) return (uintptr_t)-1; size_t length = rv; if (length < sizeof(struct ethhdr)) return (uintptr_t)-1; struct ethhdr* ethhdr = (struct ethhdr*)&data[0]; struct tcphdr* tcphdr = 0; if (ethhdr->h_proto == htons(ETH_P_IP)) { if (length < sizeof(struct ethhdr) + sizeof(struct iphdr)) return (uintptr_t)-1; struct iphdr* iphdr = (struct iphdr*)&data[sizeof(struct ethhdr)]; if (iphdr->protocol != IPPROTO_TCP) return (uintptr_t)-1; if (length < sizeof(struct ethhdr) + iphdr->ihl * 4 + sizeof(struct tcphdr)) return (uintptr_t)-1; tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + iphdr->ihl * 4]; } else { if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr)) return (uintptr_t)-1; struct ipv6hdr* ipv6hdr = (struct ipv6hdr*)&data[sizeof(struct ethhdr)]; if (ipv6hdr->nexthdr != IPPROTO_TCP) return (uintptr_t)-1; if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr) + sizeof(struct tcphdr)) return (uintptr_t)-1; tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + sizeof(struct ipv6hdr)]; } 
struct tcp_resources* res = (struct tcp_resources*)a0; res->seq = htonl((ntohl(tcphdr->seq) + (uint32_t)a1)); res->ack = htonl((ntohl(tcphdr->ack_seq) + (uint32_t)a2)); return 0; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; 
index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = 
(char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define 
ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = 
&descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define 
USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int 
lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct 
vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return 
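fd;
}

/*
 * syz_usb_connect: emulate a USB device through the raw-gadget interface,
 * answering OUT control requests with the generic lookup.
 * a0 = speed, a1 = length of the descriptor blob, a2 = descriptor blob,
 * a3 = struct vusb_connect_descriptors describing the device.
 * Returns the raw-gadget fd on success or a negative value on failure
 * (see syz_usb_connect_impl).
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/*
 * syz_usb_connect_ath9k: same as syz_usb_connect, but OUT control requests are
 * answered by the ath9k-specific lookup.
 */
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

/*
 * syz_usb_control_io: serve exactly one control request on an already
 * connected raw-gadget device.
 * a0 = raw-gadget fd, a1 = struct vusb_descriptors, a2 = struct vusb_responses
 * used to answer IN requests.
 * Returns 0 once the transfer completed, -1 if the fetched event is not a
 * control request or the request was stalled, or the negative error returned
 * by the raw-gadget call that failed.
 */
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;

	struct usb_raw_control_event event;
	event.inner.type = 0;
	/* Advertise only the space that really follows the event header. The
	 * original passed USB_MAX_PACKET_SIZE here, overstating the buffer;
	 * syz_usb_connect_impl already uses sizeof(event.ctrl) for the same fetch. */
	event.inner.length = sizeof(event.ctrl);
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0)
		return rv;
	if (event.inner.type != USB_RAW_EVENT_CONTROL)
		return -1;

	bool is_in = (event.ctrl.bRequestType & USB_DIR_IN) != 0;
	char* response_data = NULL;
	uint32_t response_length = 0;
	if (is_in && event.ctrl.wLength) {
		/* IN request with a data stage: answer from the response table or stall. */
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		/* NOTE(review): this condition is an OR, so every standard-type request
		 * (not only SET_INTERFACE) is routed through the interface lookup with
		 * wIndex/wValue as interface/alt-setting; kept as in the original, confirm
		 * that this is intended. */
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			/* An unknown interface is not an error: the request is still completed below. */
			if (iface_index >= 0)
				set_interface(fd, iface_index);
		}
		response_length = event.ctrl.wLength;
	}

	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	/* Clamp to the staging buffer and to what the host asked for. */
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	/* Zero-length IN request: the original hands the whole (zeroed) buffer to
	 * the ep0 read below; never let that exceed the buffer it points at. */
	if (is_in && !event.ctrl.wLength)
		response_length = USB_MAX_PACKET_SIZE;
	if (response_length > sizeof(response.data))
		response_length = sizeof(response.data);
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);

	if (is_in && event.ctrl.wLength)
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	else
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	if (rv < 0)
		return rv;
	sleep_ms(200);
	return 0;
}

/*
 * syz_usb_ep_write: write a3[0..a2) to endpoint a1 (bEndpointAddress) of the
 * device on raw-gadget fd a0. Payloads longer than the staging buffer are
 * silently truncated.
 * Returns 0 on success, -1 for an unknown endpoint, or the negative raw-gadget
 * error.
 */
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0)
		return -1;
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0)
		return rv;
	sleep_ms(200);
	return 0;
}

/*
 * syz_usb_ep_read: read up to a2 bytes from endpoint a1 (bEndpointAddress) of
 * the device on raw-gadget fd a0 into a3. The request is truncated to the
 * staging buffer size.
 * Returns 0 on success, -1 for an unknown endpoint, or the negative raw-gadget
 * error.
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0)
		return -1;
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0)
		return rv;
	/* Copy back whatever length the io struct reports, but never more than
	 * the caller's buffer was declared to hold. */
	uint32_t got = io_data.inner.length;
	if (got > len)
		got = len;
	memcpy(&data[0], &io_data.data[0], got);
	sleep_ms(200);
	return 0;
}

/*
 * syz_usb_disconnect: close raw-gadget fd a0 (which tears the emulated device
 * down) and give the host side time to notice. Returns the close(2) result.
 */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

static long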
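syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	/* a0 == 0xc / 0xb selects the /dev/char or /dev/block major:minor
	 * namespace; a1/a2 are the major/minor numbers (truncated to 8 bits). */
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	}
	/* Otherwise a0 points at a path template: each '#' is replaced, left to
	 * right, by successive decimal digits of a1 (least significant first), and
	 * a2 supplies the open(2) flags. The template is copied so it can be edited. */
	char buf[1024];
	strncpy(buf, (char*)a0, sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = 0;
	char* hash;
	while ((hash = strchr(buf, '#')) != NULL) {
		*hash = '0' + (char)(a1 % 10);
		a1 /= 10;
	}
	return open(buf, a2, 0);
}

/*
 * syz_open_procfs: open a procfs entry of the calling process.
 * a0 == 0 -> /proc/self/<a1>, a0 == -1 -> /proc/thread-self/<a1>,
 * otherwise /proc/self/task/<a0>/<a1>. Tries O_RDWR first and falls back to
 * O_RDONLY. Returns the fd or -1.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0)
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	else if (a0 == -1)
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	else
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/*
 * syz_open_pts: open the slave side of the pty whose master fd is a0, with
 * open(2) flags a1. Returns the fd, or -1 if TIOCGPTN fails or open fails.
 */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	snprintf(buf, sizeof(buf), "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

/*
 * syz_init_net_socket: create a socket(domain, type, proto) inside the initial
 * network namespace (kInitNetNsFd), then switch back to the caller's own
 * namespace. Returns the socket fd, or -1 with errno set.
 */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		/* Fix: the original returned here without closing netns, leaking one
		 * descriptor per failed call. */
		int saved = errno;
		close(netns);
		errno = saved;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	/* Not being able to return to our own namespace would leave the whole
	 * process running in the init netns; abort rather than carry on. */
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

/*
 * syz_genetlink_get_family_id: resolve a generic-netlink family name (the
 * NUL-terminated string at `name`) to its numeric id via CTRL_CMD_GETFAMILY.
 * Returns the family id, or -1 on any socket/protocol failure.
 */
static long syz_genetlink_get_family_id(volatile long name)
{
	/* The request is built in buf; the same buffer receives the reply. */
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	/* Family name is padded/truncated to GENL_NAMSIZ. */
	strncpy((char*)(attr + 1), (char*)name,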
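GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1)
		return -1;
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	/* The reply overwrites the request in buf and is parsed in place. */
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	/* The reply must at least cover the netlink and genetlink headers before
	 * the first attribute is dereferenced (this also rejects n <= 0). */
	if (n < (ssize_t)((char*)attr - buf))
		return -1;
	if (hdr->nlmsg_type != GENL_ID_CTRL)
		return -1;
	/* Parse only what was actually received, even if nlmsg_len claims more. */
	const char* end = buf + n;
	if (hdr->nlmsg_len < (uint32_t)n)
		end = buf + hdr->nlmsg_len;
	while ((char*)attr + sizeof(*attr) <= end) {
		/* A too-short attribute would make NLMSG_ALIGN(nla_len) advance by
		 * zero and loop forever; stop on anything that does not fit. */
		if (attr->nla_len < sizeof(*attr) || (char*)attr + attr->nla_len > end)
			break;
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			if (attr->nla_len < sizeof(*attr) + sizeof(uint16_t))
				return -1;
			return *(uint16_t*)(attr + 1);
		}
		attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len));
	}
	return -1;
}

/* One piece of a filesystem image: `size` bytes at `data`, placed at `offset`. */
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 319

/*
 * fs_image_segment_check: sanitise fuzzer-supplied image segments in place so
 * that every segment lies inside [0, IMAGE_MAX_SIZE), and return the image
 * size grown to cover the end of every segment (capped at IMAGE_MAX_SIZE).
 * Only the first IMAGE_MAX_SEGMENTS segments are examined; callers that loop
 * over `nsegs` must apply the same clamp themselves.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		/* size <= IMAGE_MAX_SIZE here, so the subtraction cannot wrap. */
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		/* Fix: grow the image to the END of the segment. The original computed
		 * offset + offset, so a segment could extend past the size the backing
		 * memfd is truncated to. */
		uintptr_t seg_end = segs[i].offset + segs[i].size;
		if (size < seg_end)
			size = seg_end;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

/*
 * setup_loop_device: materialise an image (size + segments) in a memfd and
 * attach it to the loop device `loopname`. On success stores the memfd and
 * loop fd in *memfd_p / *loopfd_p and returns 0; on failure returns -1 with
 * errno set to the first error, having closed anything it opened.
 */
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	/* fs_image_segment_check clamps nsegs internally but cannot report that
	 * back; mirror the clamp so the write loop below never touches segments
	 * the check did not sanitise. */
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	size = fs_image_segment_check(size, nsegs, segs);
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	/* Segment writes are best effort: a failed pwrite just leaves zeroes. */
	for (size_t i = 0; i < nsegs; i++) {
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		/* The device is still bound from a previous run: detach and retry once. */
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

/*
 * syz_read_part_table: load an image into the per-process loop device with
 * partition scanning enabled, then expose the partitions that appeared as
 * ./file0, ./file1, ... symlinks (up to loop partitions 1..7). The loop device
 * is detached again before returning. Returns 0 on success, -1 with errno set.
 */
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			/* Best effort: an existing link name is not fatal. */
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	close(memfd);
	errno = err;
	return res;
}

/*
 * syz_mount_image: mount filesystem `fsarg` at directory `dir`. When segments
 * are given the image is materialised on the per-process loop device and used
 * as the source; otherwise the mount has no backing device. `optsarg` are the
 * mount options (with filesystem-specific adjustments), `flags` the mount(2)
 * flags. Returns an O_RDONLY|O_DIRECTORY fd of the mounted directory, or -1
 * with errno set.
 */
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu",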
procid);
		if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
			return -1;
		source = loopname;
	}
	/* Best effort; the mount itself reports a missing target. */
	mkdir(target, 0777);
	/* 32 bytes are reserved at the end of opts for the suffixes appended below;
	 * longer option strings are silently truncated (debug-only report removed). */
	char opts[256];
	memset(opts, 0, sizeof(opts));
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		/* iso9660 is read-only by nature. */
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		/* Keep a corrupted ext image from panicking or remounting the whole
		 * system: append errors=continue unless the options already ask for
		 * remount-ro (the later option wins over an earlier errors=panic). */
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		/* Allow mounting an image whose UUID is already mounted elsewhere. */
		strcat(opts, ",nouuid");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	/* NOTE(review): if this open fails the filesystem stays mounted while the
	 * loop device is detached below; kept as in the original. */
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
	}
error_clear_loop:
	if (need_loop_device) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
		close(memfd);
	}
	errno = err;
	return res;
}

/*
 * Raw x86 machine code prepended to fuzzer-supplied guest text by
 * syz_kvm_setup_cpu (selected via text_prefix there). Hand-decoded summaries;
 * selector/address constants match the SEL_*/ADDR_* defines below.
 *
 * kvm_asm16_cpl3 (16-bit): set CR0.PE, ltr SEL_TSS16, load DS/ES/FS/GS with
 * SEL_DS16_CPL3, point SP at 0x100, build a far-return frame
 * (IP=PREFIX_SIZE, CS=SEL_CS16_CPL3, SP=0x100, SS=SEL_DS16_CPL3) and retf,
 * dropping to CPL3 at the instruction after the prefix.
 */
const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb";
/* kvm_asm32_paged: mov eax,cr0; or eax,0x80000000 (CR0_PG); mov cr0,eax. */
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
/* kvm_asm32_vm86: ltr SEL_TSS32 (0xb8), then a far jump through the
 * SEL_TSS32_VM86 (0xd0) task gate, i.e. a task switch into the VM86 TSS. */
const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
/* kvm_asm32_paged_vm86: kvm_asm32_paged followed by kvm_asm32_vm86. */
const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
/* kvm_asm64_enable_long: set CR0.PG (EFER.LME is set by syz_kvm_setup_cpu),
 * far-jump to SEL_CS64:NEXT_INSN (0x50:0x0badc0de) to activate 64-bit mode,
 * then ltr SEL_TSS64 (0xd8). */
const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8";
/* kvm_asm64_init_vm: kvm_asm64_enable_long, then VMXON/VMCLEAR/VMPTRLD and a
 * long series of vmwrites that populate the VMCS (string continues on the
 * following lines). */
const char kvm_asm64_init_vm[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x7
9\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc
0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd
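0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4";
/* (tail of kvm_asm64_init_vm, hand-decoded: vmwrite host CR0/CR3/CR4 into the
 * VMCS, XOR the value at ADDR_VAR_VMWRITE_VAL into the VMCS field named at
 * ADDR_VAR_VMWRITE_FLD, vmlaunch, and on fall-through vmread VMCS field 0x4400
 * then hlt.) */

/* kvm_asm64_vm_exit: the VM-exit handler installed at ADDR_VAR_VMEXIT_CODE by
 * syz_kvm_setup_cpu; vmreads VMCS fields 0x4400, 0x4402, 0x6400 and 0x681e
 * into rdx/rcx/rax/rbx and halts (hand-decoded). */
const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4";

/* kvm_asm64_cpl3: kvm_asm64_enable_long, then load DS/ES/FS/GS with
 * SEL_DS64_CPL3 (0x6b), point RSP at ADDR_STACK0 and far-return to
 * SEL_CS64_CPL3:PREFIX_SIZE with SS=SEL_DS64_CPL3, SP=ADDR_STACK0, dropping
 * to CPL3 at the instruction after the prefix (hand-decoded). */
const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb";

/* Guest-physical layout of the 24-page guest memory built by syz_kvm_setup_cpu. */
#define ADDR_TEXT 0x0000
#define ADDR_GDT 0x1000
#define ADDR_LDT 0x1800
#define ADDR_PML4 0x2000
#define ADDR_PDP 0x3000
#define ADDR_PD 0x4000
#define ADDR_STACK0 0x0f80
#define ADDR_VAR_HLT 0x2800
#define ADDR_VAR_SYSRET 0x2808
#define ADDR_VAR_SYSEXIT 0x2810
#define ADDR_VAR_IDT 0x3800
#define ADDR_VAR_TSS64 0x3a00
#define ADDR_VAR_TSS64_CPL3 0x3c00
#define ADDR_VAR_TSS16 0x3d00
#define ADDR_VAR_TSS16_2 0x3e00
#define ADDR_VAR_TSS16_CPL3 0x3f00
#define ADDR_VAR_TSS32 0x4800
#define ADDR_VAR_TSS32_2 0x4a00
#define ADDR_VAR_TSS32_CPL3 0x4c00
#define ADDR_VAR_TSS32_VM86 0x4e00
#define ADDR_VAR_VMXON_PTR 0x5f00
#define ADDR_VAR_VMCS_PTR 0x5f08
#define ADDR_VAR_VMEXIT_PTR 0x5f10
#define ADDR_VAR_VMWRITE_FLD 0x5f18
#define ADDR_VAR_VMWRITE_VAL 0x5f20
#define ADDR_VAR_VMXON 0x6000
#define ADDR_VAR_VMCS 0x7000
#define ADDR_VAR_VMEXIT_CODE 0x9000
#define ADDR_VAR_USER_CODE 0x9100
#define ADDR_VAR_USER_CODE2 0x9120

/* GDT selectors (index << 3, +3 for RPL 3 entries). The *_HI entries are the
 * second 8-byte half of 16-byte 64-bit system descriptors. */
#define SEL_LDT (1 << 3)
#define SEL_CS16 (2 << 3)
#define SEL_DS16 (3 << 3)
#define SEL_CS16_CPL3 ((4 << 3) + 3)
#define SEL_DS16_CPL3 ((5 << 3) + 3)
#define SEL_CS32 (6 << 3)
#define SEL_DS32 (7 << 3)
#define SEL_CS32_CPL3 ((8 << 3) + 3)
#define SEL_DS32_CPL3 ((9 << 3) + 3)
#define SEL_CS64 (10 << 3)
#define SEL_DS64 (11 << 3)
#define SEL_CS64_CPL3 ((12 << 3) + 3)
#define SEL_DS64_CPL3 ((13 << 3) + 3)
#define SEL_CGATE16 (14 << 3)
#define SEL_TGATE16 (15 << 3)
#define SEL_CGATE32 (16 << 3)
#define SEL_TGATE32 (17 << 3)
#define SEL_CGATE64 (18 << 3)
#define SEL_CGATE64_HI (19 << 3)
#define SEL_TSS16 (20 << 3)
#define SEL_TSS16_2 (21 << 3)
#define SEL_TSS16_CPL3 ((22 << 3) + 3)
#define SEL_TSS32 (23 << 3)
#define SEL_TSS32_2 (24 << 3)
#define SEL_TSS32_CPL3 ((25 << 3) + 3)
#define SEL_TSS32_VM86 (26 << 3)
#define SEL_TSS64 (27 << 3)
#define SEL_TSS64_HI (28 << 3)
#define SEL_TSS64_CPL3 ((29 << 3) + 3)
#define SEL_TSS64_CPL3_HI (30 << 3)

#define MSR_IA32_FEATURE_CONTROL 0x3a
#define MSR_IA32_VMX_BASIC 0x480
#define MSR_IA32_SMBASE 0x9e
#define MSR_IA32_SYSENTER_CS 0x174
#define MSR_IA32_SYSENTER_ESP 0x175
#define MSR_IA32_SYSENTER_EIP 0x176
#define MSR_IA32_STAR 0xC0000081
#define MSR_IA32_LSTAR 0xC0000082
#define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B

/* NEXT_INSN is the far-jump target baked into the 64-bit prefixes; PREFIX_SIZE
 * is the offset the CPL3 prefixes return to. */
#define NEXT_INSN $0xbadc0de
#define PREFIX_SIZE 0xba1d

#define KVM_SMI _IO(KVMIO, 0xb7)

#define CR0_PE 1
#define CR0_MP (1 << 1)
#define CR0_EM (1 << 2)
#define CR0_TS (1 << 3)
#define CR0_ET (1 << 4)
#define CR0_NE (1 << 5)
#define CR0_WP (1 << 16)
#define CR0_AM (1 << 18)
#define CR0_NW (1 << 29)
#define CR0_CD (1 << 30)
/* Fix: 1 << 31 overflows int (undefined in C) and would sign-extend to
 * 0xffffffff80000000 when OR-ed into a 64-bit control register field. */
#define CR0_PG (1u << 31)

#define CR4_VME 1
#define CR4_PVI (1 << 1)
#define CR4_TSD (1 << 2)
#define CR4_DE (1 << 3)
#define CR4_PSE (1 << 4)
#define CR4_PAE (1 << 5)
#define CR4_MCE (1 << 6)
#define CR4_PGE (1 << 7)
#define CR4_PCE (1 << 8)
/* Fix: OSFXSR is CR4 bit 9; the original duplicated bit 8 (PCE). */
#define CR4_OSFXSR (1 << 9)
#define CR4_OSXMMEXCPT (1 << 10)
#define CR4_UMIP (1 << 11)
#define CR4_VMXE (1 << 13)
#define CR4_SMXE (1 << 14)
#define CR4_FSGSBASE (1 << 16)
#define CR4_PCIDE (1 << 17)
#define CR4_OSXSAVE (1 << 18)
#define CR4_SMEP (1 << 20)
#define CR4_SMAP (1 << 21)
#define CR4_PKE (1 << 22)

#define EFER_SCE 1
#define EFER_LME (1 << 8)
#define EFER_LMA (1 << 10)
#define EFER_NXE (1 << 11)
#define EFER_SVME (1 << 12)
#define EFER_LMSLE (1 << 13)
#define EFER_FFXSR (1 << 14)
#define EFER_TCE (1 << 15)

#define PDE32_PRESENT 1
#define PDE32_RW (1 << 1)
#define PDE32_USER (1 << 2)
#define PDE32_PS (1 << 7)

#define PDE64_PRESENT 1
#define PDE64_RW (1 << 1)
#define PDE64_USER (1 << 2)
#define PDE64_ACCESSED (1 << 5)
#define PDE64_DIRTY (1 << 6)
#define PDE64_PS (1 << 7)
#define PDE64_G (1 << 8)

/* 16-bit task state segment, as laid out in memory. */
struct tss16 {
	uint16_t prev;
	uint16_t sp0;
	uint16_t ss0;
	uint16_t sp1;
	uint16_t ss1;
	uint16_t sp2;
	uint16_t ss2;
	uint16_t ip;
	uint16_t flags;
	uint16_t ax;
	uint16_t cx;
	uint16_t dx;
	uint16_t bx;
	uint16_t sp;
	uint16_t bp;
	uint16_t si;
	uint16_t di;
	uint16_t es;
	uint16_t cs;
	uint16_t ss;
	uint16_t ds;
	uint16_t ldt;
} __attribute__((packed));

/* 32-bit task state segment; the *h fields are the reserved upper halves. */
struct tss32 {
	uint16_t prev, prevh;
	uint32_t sp0;
	uint16_t ss0, ss0h;
	uint32_t sp1;
	uint16_t ss1, ss1h;
	uint32_t sp2;
	uint16_t ss2, ss2h;
	uint32_t cr3;
	uint32_t ip;
	uint32_t flags;
	uint32_t ax;
	uint32_t cx;
	uint32_t dx;
	uint32_t bx;
	uint32_t sp;
	uint32_t bp;
	uint32_t si;
	uint32_t di;
	uint16_t es, esh;
	uint16_t cs, csh;
	uint16_t ss, ssh;
	uint16_t ds, dsh;
	uint16_t fs, fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

/* 64-bit task state segment (rsp0-2 and ist1-7 stacks). */
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint32_t reserved3;
	uint32_t io_bitmap;
} __attribute__((packed));

/*
 * fill_segment_descriptor: encode `seg` as an 8-byte legacy descriptor and
 * store it at seg->selector's index in both the GDT (`dt`) and the LDT
 * (`lt`). For gates the caller passes the target selector in `base` and the
 * offset in `limit`, which land in the same bit positions.
 */
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	/* kvm_segment.limit is a byte count; with granularity set the descriptor
	 * holds it in 4K pages. */
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	/* Descriptor layout: bits 0-15 limit[15:0], 16-39 base[23:0], 40-43 type,
	 * 44 S, 45-46 DPL, 47 P, 48-51 limit[19:16], 52 AVL, 53 L, 54 D/B, 55 G,
	 * 56-63 base[31:24]. */
	uint64_t sd = (limit & 0xffff) |
		      (seg->base & 0xffffff) << 16 |
		      (uint64_t)seg->type << 40 |
		      (uint64_t)seg->s << 44 |
		      (uint64_t)seg->dpl << 45 |
		      (uint64_t)seg->present << 47 |
		      /* Fix: limit[19:16] and base[31:24] were shifted by 48 and 56,
		       * which pushes source bits 16-19 / 24-31 past bit 63 and drops
		       * them; both fields sit exactly 32 bits above their source bits. */
		      (limit & 0xf0000ULL) << 32 |
		      (uint64_t)seg->avl << 52 |
		      (uint64_t)seg->l << 53 |
		      (uint64_t)seg->db << 54 |
		      (uint64_t)seg->g << 55 |
		      (seg->base & 0xff000000ULL) << 32;
	dt[index] = sd;
	lt[index] = sd;
}

/*
 * fill_segment_descriptor_dword: 16-byte (64-bit system/gate) variant; the
 * upper 8 bytes, which would hold base/offset[63:32], are zeroed.
 */
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

/*
 * setup_syscall_msrs: point SYSENTER/SYSCALL at the guest stubs at
 * ADDR_VAR_SYSEXIT / ADDR_VAR_SYSRET with kernel code selector sel_cs and
 * user code selector sel_cs_cpl3. Best effort: the KVM_SET_MSRS result is
 * not checked.
 */
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = MSR_IA32_SYSENTER_ESP;
	entries[1].data = ADDR_STACK0;
	entries[2].index = MSR_IA32_SYSENTER_EIP;
	entries[2].data = ADDR_VAR_SYSEXIT;
	entries[3].index = MSR_IA32_STAR;
	/* STAR[47:32] = SYSCALL CS, STAR[63:48] = SYSRET CS base. */
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = MSR_IA32_LSTAR;
	entries[4].data = ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

/*
 * setup_32bit_idt: install a 32-entry IDT at ADDR_VAR_IDT cycling through
 * 16/32-bit interrupt, trap and task gates, all pointing at
 * ADDR_VAR_USER_CODE2. Assumes guest_mem == 0, as in syz_kvm_setup_cpu:
 * `idt` is computed as host_mem + guest-physical address.
 */
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = SEL_TGATE32;
			break;
		}
		gate.limit =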
guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; 
memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment 
seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; 
seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = 
kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); 
uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = 
SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; 
*(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); 
fill_segment_descriptor(gdt, ldt, &seg_cs32);
	/* Tail of the vCPU setup routine whose head is earlier in the file: the
	 * remaining GDT/LDT descriptors (32/64-bit code+data at CPL0 and CPL3,
	 * the TSS and call/task gate entries) are written, then the prepared
	 * sregs/regs are committed to the vCPU.  The 64-bit TSS and call-gate
	 * descriptors use the double-width (_dword) variant. */
	fill_segment_descriptor(gdt, ldt, &seg_ds32);
	fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cs64);
	fill_segment_descriptor(gdt, ldt, &seg_ds64);
	fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_tss32);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
	fill_segment_descriptor(gdt, ldt, &seg_tss16);
	fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
	fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cgate16);
	fill_segment_descriptor(gdt, ldt, &seg_tgate16);
	fill_segment_descriptor(gdt, ldt, &seg_cgate32);
	fill_segment_descriptor(gdt, ldt, &seg_tgate32);
	fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
	/* Either KVM_SET_SREGS or KVM_SET_REGS failing aborts the setup with -1. */
	if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
		return -1;
	if (ioctl(cpufd, KVM_SET_REGS, &regs))
		return -1;
	return 0;
}

/* One-time host preparation: mount fusectl so that the per-connection
 * "abort" files used by kill_and_wait() below are available.  Failure
 * (already mounted, no FUSE support, no privilege) is deliberately ignored. */
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

/* Confinement applied in the sandbox child before the fuzz loop runs.
 * Order matters: the process first detaches itself (parent-death signal,
 * own process group and session), keeps a handle to the initial network
 * namespace at the fixed fd kInitNetNsFd (defined elsewhere in the file),
 * caps its resource usage, and only then moves into fresh namespaces.
 * Every unshare()/mount() failure is ignored, so on a kernel lacking a
 * namespace type the sandbox silently ends up weaker than intended. */
static void sandbox_common()
{
	/* Die with SIGKILL if the parent goes away; become our own group/session. */
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	/* Pin the initial net namespace to a well-known fd; later code can use it
	 * to get back out of the namespace created by do_sandbox_none(). */
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	/* Hard+soft resource limits: 200 MiB address space, 32 MiB locked memory,
	 * 136 MiB max file size, 1 MiB stack, no core dumps, 256 open files.
	 * setrlimit() return values are not checked. */
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	/* New mount namespace, with "/" made recursively private so that mounts
	 * performed by the fuzzed program do not propagate back to the host. */
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is the value of CLONE_NEWCGROUP; spelled numerically so the
	 * program still builds against older headers. */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	/* Inside the new IPC namespace, raise the SysV IPC limits so that the
	 * fuzzed program's shm/msg/sem calls are not rejected for lack of quota.
	 * write_file() is defined elsewhere in the file. */
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/* Parent side of do_sandbox_none(): reap children until the sandbox child
 * with the given pid exits, and return its exit status.  A negative pid
 * (fork failure) is fatal.  __WALL also reaps clone()d children. */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/* Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the calling process so the
 * fuzzed program cannot ptrace other processes or change scheduling.
 * Uses the v3 capability ABI (two 32-bit data words); both capabilities are
 * numbered below 32, so only word 0 is touched.  Failure of capget/capset
 * is fatal rather than ignored.  Passing &cap_data (pointer to the array)
 * yields the same address as cap_data would. */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/* Sandbox mode "none": a fresh PID namespace (best-effort) and a forked
 * child that applies the common confinement, drops capabilities, enters a
 * new network namespace, sets up the tun device (initialize_tun() is defined
 * elsewhere) and runs loop(), which never returns.  The parent only waits.
 * The trailing exit(1) is a guard in case loop() ever did return. */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	initialize_tun();
	loop();
	exit(1);
}

/* ioctl request to set inode attribute flags; used below with flags == 0 to
 * clear whatever attributes the fuzzed program set on a file before a
 * second unlink/rmdir attempt. */
#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/* Recursively delete the per-iteration working directory after a run.
 * The fuzzed program may have left mounts, immutable files and busy inodes
 * behind, so every step is retried: mounts on dir and on each entry are
 * detached first; unlink() is retried on EPERM after clearing the inode
 * flags and on EBUSY after another umount2(), up to 100 times; EROFS gives
 * up on that entry.  rmdir() follows the same pattern, and on ENOTEMPTY the
 * whole directory walk restarts from the retry label (at most 100 times).
 * Any other failure terminates the process.  lstat() is used so symlinks
 * are unlinked rather than followed. */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		/* Both branches exit; the EMFILE case is kept only for readability. */
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		/* NOTE: snprintf truncates silently if the joined path exceeds
		 * FILENAME_MAX; a truncated name would then be operated on. */
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				/* presumably an immutable/append-only attribute set by the
				 * fuzzed program; clear all attribute flags and retry. */
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

/* Kill the test child (its whole process group first, then the pid itself)
 * and reap it.  After ~100 ms of polling, a child that is still not
 * reapable is assumed to be stuck in a FUSE request, so every connection
 * under /sys/fs/fuse/connections is aborted; the abort file acts on any
 * write, which is why one byte of the path buffer is written.  Finally
 * block until the child is reaped.  *status receives the wait status. */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/* Detach the backing file from this process's loop device (/dev/loop<procid>,
 * procid is defined elsewhere in the file) so each iteration starts clean.
 * A missing or unopenable device is ignored. */
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

/* Per-test-child setup: die with the parent, own process group, and make
 * this process the OOM killer's preferred victim.  The body continues on
 * the next line of the file. */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
flush_tun(); /* end of setup_test(): drain the tun device before the test runs */
}

/* Smallest buffer syz_fuse_handle_req() accepts from the caller. */
#define FUSE_MIN_READ_BUFFER 8192

/* FUSE request opcodes as they appear in fuse_in_header.opcode.  The two
 * *_BSWAP_RESERVED values look like byte-swapped markers and are not
 * dispatched on below. */
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

/* Header the kernel prepends to every request read from /dev/fuse. */
struct fuse_in_header {
	uint32_t len;     /* total request length including this header */
	uint32_t opcode;  /* one of enum fuse_opcode */
	uint64_t unique;  /* request id; must be echoed back in the reply */
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

/* Header at the start of every reply written to /dev/fuse. */
struct fuse_out_header {
	uint32_t len;    /* total reply length including this header */
	uint32_t error;
	uint64_t unique; /* copied from the matching request */
};

/* Table of caller-prepared replies, one per request family.  Each pointer
 * addresses a fuse_out_header followed by that reply's payload; a NULL
 * entry means "no reply available for this request type". */
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

/* Stamp the reply with the request's unique id and write it to the FUSE fd.
 * The number of bytes written is taken from out_hdr->len, i.e. from the
 * caller-prepared reply; nothing here checks it against the reply's real
 * allocation, so a wrong len over-reads the caller's memory.
 * Returns 0 on success, -1 if there is no reply or the write fails
 * (a short write is treated as success). */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

/* Pseudo-syscall: read one request from a FUSE device and answer it with
 * the matching caller-prepared reply.
 *   a0 = fuse fd, a1 = read buffer, a2 = buffer length (>= FUSE_MIN_READ_BUFFER),
 *   a3 = struct syz_fuse_req_out* reply table.
 * The request is validated only as far as it is used: at least a full
 * fuse_in_header must have been read, and the header's claimed len must not
 * exceed the bytes actually read.  Only opcode and unique are consumed; the
 * request body is never parsed.  FORGET/BATCH_FORGET carry no reply and
 * return 0 without writing.  The "status-only" group (RMDIR, RENAME, ...)
 * reuses the init reply and truncates it to a bare header; note that this
 * overwrites req_out->init->len in place, so a later FUSE_INIT request
 * dispatched through the same table would be answered with that truncated
 * length.  Returns 0 on success and -1 on any validation or I/O failure
 * (including an unknown opcode). */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;

	if (!req_out) {
		return -1;
	}
	/* Also rejects a negative length, which would otherwise reach read(). */
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	/* Do not trust a header length that points past what was read. */
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		/* Status-only replies: reuse the init reply, header only. */
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		/* No reply is defined for forget requests. */
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

/* Pseudo-syscall: jump to the machine code the program placed at `text`.
 * The empty asm lists the constants 0..13 as register inputs, presumably so
 * that the compiler materialises a known register state right before the
 * indirect call (the unused `p` array is likewise only padding) -- confirm
 * against the generator if this matters.  There is no return-address or
 * size check; whatever sits at `text` runs with this process's privileges,
 * which is why it only ever runs inside the sandboxed child. */
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	((void (*)(void))(text))();
	return 0;
}

/* One worker in the call-execution pool.  `call` is the index handed to
 * execute_call(); `ready` is signalled by execute_one() to start it and
 * `done` by the worker when it finishes. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing on workers (relaxed atomics only). */
static int running;

/* Worker body: wait for a call, run it, account for it, signal completion,
 * repeat forever.  The `return 0` is never reached. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/* Execute the program's 42 calls in order.  Each call is handed to the first
 * worker that is idle (workers are created lazily on first use); if all 16
 * workers are still busy with earlier calls, the inner loop finds none and
 * the call is skipped.  execute_one() waits at most 45 ms for each call,
 * plus a per-call allowance for the slow ones (call 10: +500 ms, 31: +50 ms,
 * 36 and 37: +3000 ms, 38..41: +300 ms); a call that overruns keeps running
 * on its worker while the next call is dispatched.  After the last call,
 * up to 100 ms are spent waiting for still-running calls to finish. */
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 42; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 31 ? 50 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

/* Top-level fuzz loop (runs in the sandbox child, never returns).  Each
 * iteration gets its own working directory ./<iter>, resets the loop
 * device, and forks a test child that chdirs there, applies setup_test()
 * and runs execute_one().  The parent polls for the child every 1 ms and,
 * if it has not exited within 5 s, kills and reaps it via kill_and_wait();
 * the working directory is then removed.  mkdir/fork/chdir failures are
 * fatal. */
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

/* Fallback syscall numbers for toolchains whose headers predate these
 * syscalls (the values are the x86-64 ones). */
#ifndef __NR_execveat
#define __NR_execveat 322
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

/* Result slots shared between calls: r[i] receives the return value or an
 * output field of the call that defines it, and later calls read it as an
 * argument.  Slots initialised to all-ones hold file descriptors (so an
 * undefined one is -1); the zero-initialised slots hold ids read back from
 * memory by the defining call. */
uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/* Execute the call with the given index (one case per line of the fuzzed
 * program).  Arguments are laid out by hand at fixed addresses in the
 * 0x20000000 region, which is presumably the pre-mapped data area set up
 * elsewhere in the file.  A successful call stores its result into the
 * r[] slot the program assigns to it.  The switch continues on the
 * following lines of the file. */
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		syscall(__NR_socket, 0x10ul, 3ul, 0xc);
		break;
	case 1:
		memcpy((void*)0x20000000, "./file0\000", 8);
		res = syscall(__NR_open, 0x20000000ul, 0x2000ul, 0x163ul);
		if (res != -1)
			r[0] = res;
		break;
	case 2:
		/* sockaddr (0x1a = AF_LLC family) for recvfrom on r[0]. */
		*(uint16_t*)0x20000140 = 0x1a;
		*(uint16_t*)0x20000142 = 0x10f;
		*(uint8_t*)0x20000144 = 7;
		*(uint8_t*)0x20000145 = 0xc7;
		*(uint8_t*)0x20000146 = 6;
		*(uint8_t*)0x20000147 = -1;
		*(uint8_t*)0x20000148 = -1;
		*(uint8_t*)0x20000149 = -1;
		*(uint8_t*)0x2000014a = -1;
		*(uint8_t*)0x2000014b = -1;
		*(uint8_t*)0x2000014c = -1;
		*(uint8_t*)0x2000014d = -1;
		syscall(__NR_recvfrom, r[0], 0x20000040ul, 0xeeul, 1ul, 0x20000140ul, 0x80ul);
		break;
	case 3:
		res = syscall(__NR_socket, 2ul, 5ul, 0x84);
		if (res != -1)
			r[1] = res;
		break;
	case 4:
		/* setsockopt payload for r[1]; the remaining fields and the call
		 * itself are on the next line of the file. */
		*(uint16_t*)0x200001c0 = 0x7ff;
		*(uint16_t*)0x200001c2 = 0x1ff;
		*(uint16_t*)0x200001c4 = 0x204;
		*(uint32_t*)0x200001c8 = 0;
*(uint32_t*)0x200001cc = 0x803; *(uint32_t*)0x200001d0 = 0; *(uint32_t*)0x200001d4 = 5; *(uint32_t*)0x200001d8 = 0x800; *(uint32_t*)0x200001dc = 0; syscall(__NR_setsockopt, r[1], 0x84, 0xa, 0x200001c0ul, 0x20ul); break; case 5: memcpy((void*)0x20000200, "./file0\000", 8); *(uint64_t*)0x20000400 = 0x20000240; memcpy((void*)0x20000240, "^\000", 2); *(uint64_t*)0x20000408 = 0x20000280; memcpy((void*)0x20000280, "*,+\000", 4); *(uint64_t*)0x20000410 = 0x200002c0; memcpy((void*)0x200002c0, "-{$(%![\000", 8); *(uint64_t*)0x20000418 = 0x20000300; memcpy((void*)0x20000300, "\\[\000", 3); *(uint64_t*)0x20000420 = 0x20000340; memcpy((void*)0x20000340, "\000", 1); *(uint64_t*)0x20000428 = 0x20000380; memcpy((void*)0x20000380, "\000", 1); *(uint64_t*)0x20000430 = 0x200003c0; memcpy((void*)0x200003c0, "\261$}\000", 4); *(uint64_t*)0x20000640 = 0x20000440; memcpy((void*)0x20000440, "\000", 1); *(uint64_t*)0x20000648 = 0x20000480; memcpy((void*)0x20000480, "*/%}\\\\\000", 7); *(uint64_t*)0x20000650 = 0x200004c0; memcpy((void*)0x200004c0, "@[\000", 3); *(uint64_t*)0x20000658 = 0x20000500; memcpy((void*)0x20000500, "\000", 1); *(uint64_t*)0x20000660 = 0x20000540; memcpy((void*)0x20000540, ":\'\237^(\000", 6); *(uint64_t*)0x20000668 = 0x20000580; memcpy((void*)0x20000580, "],-.$\373\\}{)@-&/[\\!\000", 18); *(uint64_t*)0x20000670 = 0x200005c0; memcpy((void*)0x200005c0, "\000", 1); *(uint64_t*)0x20000678 = 0x20000600; memcpy((void*)0x20000600, "{{\'$(+-(}{}]?/--)\000", 18); syscall(__NR_execveat, r[0], 0x20000200ul, 0x20000400ul, 0x20000640ul, 0x1000ul); break; case 6: memcpy((void*)0x20000680, "/dev/hwrng\000", 11); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000680ul, 0x40000ul, 0ul); if (res != -1) r[2] = res; break; case 7: syscall(__NR_ioctl, r[2], 0x80404812, 0x200006c0ul); break; case 8: syscall(__NR_ioctl, r[2], 0x545d, 0ul); break; case 9: *(uint32_t*)0x20000704 = 0x9c76; *(uint32_t*)0x20000708 = 8; *(uint32_t*)0x2000070c = 3; *(uint32_t*)0x20000710 = 0x309; 
*(uint32_t*)0x20000718 = r[0]; *(uint32_t*)0x2000071c = 0; *(uint32_t*)0x20000720 = 0; *(uint32_t*)0x20000724 = 0; syscall(__NR_io_uring_setup, 0x509f, 0x20000700ul); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_unix_may_send\000", 22); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xaa; *(uint8_t*)0x20000041 = 0xaa; *(uint8_t*)0x20000042 = 0xaa; *(uint8_t*)0x20000043 = 0xaa; *(uint8_t*)0x20000044 = 0xaa; *(uint8_t*)0x20000045 = 0x29; *(uint8_t*)0x20000046 = 0xaa; *(uint8_t*)0x20000047 = 0xaa; *(uint8_t*)0x20000048 = 0xaa; *(uint8_t*)0x20000049 = 0xaa; *(uint8_t*)0x2000004a = 0xaa; *(uint8_t*)0x2000004b = 0xaa; *(uint16_t*)0x2000004c = htobe16(0x8137); *(uint16_t*)0x2000004e = htobe16(-1); *(uint16_t*)0x20000050 = htobe16(0x20); *(uint8_t*)0x20000052 = 2; *(uint8_t*)0x20000053 = 0; *(uint32_t*)0x20000054 = htobe32(3); memcpy((void*)0x20000058, "\x67\x51\x69\x65\xf0\x15", 6); *(uint16_t*)0x2000005e = htobe16(3); *(uint32_t*)0x20000060 = htobe32(0xa0); *(uint8_t*)0x20000064 = 0; *(uint8_t*)0x20000065 = 0; *(uint8_t*)0x20000066 = 0; *(uint8_t*)0x20000067 = 0; *(uint8_t*)0x20000068 = 0; *(uint8_t*)0x20000069 = 0; *(uint16_t*)0x2000006a = htobe16(0x8ca); memcpy((void*)0x2000006c, "\xd1\x8e", 2); *(uint32_t*)0x20000080 = 1; *(uint32_t*)0x20000084 = 3; *(uint32_t*)0x20000088 = 0x6f3; *(uint32_t*)0x2000008c = 0xd92; *(uint32_t*)0x20000090 = 0xd18; *(uint32_t*)0x20000094 = 0x98a; syz_emit_ethernet(0x2e, 0x20000040, 0x20000080); break; case 12: *(uint8_t*)0x200000c0 = 4; *(uint8_t*)0x200000c1 = 0x1d; *(uint8_t*)0x200000c2 = 5; *(uint8_t*)0x200000c3 = 1; *(uint16_t*)0x200000c4 = 0xc9; *(uint16_t*)0x200000c6 = 0x800; break; case 13: memcpy((void*)0x20000100, "\xc4\x01\x7c\x5a\x50\xf2\xc4\xa1\x63\x7c\x7a\x86\x2e\xf0\x42\x30\xb5\x0d\x00\x00\x00\x41\xd9\xf9\x3e\x42\x0f\xb7\xbc\xae\xb0\x00\x00\x00\xc4\xc2\xa5\x29\x14\x98\xc4\x82\xc9\xbd\xac\x33\xde\x79\x41\xf1\xc4\x01\xfc\x2e\x06\x66\x40\x0f\x38\x24\x1f\x67\x0f\xec\xfb", 65); 
syz_execute_func(0x20000100); break; case 14: syz_extract_tcp_res(0x20000180, 8, 0x47); break; case 15: memcpy((void*)0x200001c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x200001c0ul, 0ul, 0ul); if (res != -1) r[3] = res; break; case 16: res = syscall(__NR_read, -1, 0x20002500ul, 0x2020ul); if (res != -1) { r[4] = *(uint32_t*)0x20002514; r[5] = *(uint32_t*)0x20002518; } break; case 17: memcpy((void*)0x200046c0, "\000", 1); res = syscall(__NR_lstat, 0x200046c0ul, 0x20004700ul); if (res != -1) r[6] = *(uint32_t*)0x20004718; break; case 18: memcpy((void*)0x20004780, "./file0\000", 8); res = syscall(__NR_stat, 0x20004780ul, 0x200047c0ul); if (res != -1) r[7] = *(uint32_t*)0x200047d8; break; case 19: res = syscall(__NR_getresgid, 0x20004840ul, 0x20004880ul, 0x200048c0ul); if (res != -1) r[8] = *(uint32_t*)0x20004840; break; case 20: memcpy((void*)0x20000200, "\x26\x92\xd6\x23\x14\x8a\x34\xae\xe9\x68\xf5\x55\x2f\xef\x58\xad\xeb\x13\x83\x51\x31\xaf\xc9\x60\x2c\x0e\xba\x53\xa1\x39\x39\x2d\x14\x0b\x6e\xeb\x57\x19\x84\x01\x7f\xbc\x1a\x93\x6a\xca\x42\x7a\xd0\xe7\x40\x52\x4f\x63\x07\xf1\x8e\x1c\x7d\x95\x4a\x0b\xa7\x44\x23\x67\xd4\x5b\xae\x51\x50\xe1\x25\x43\xdc\x5d\xd0\x3a\xa5\x69\x90\x39\xf2\xf6\x27\xb3\xd1\x04\xe0\x0f\xfa\xea\x42\x63\xfc\x86\x95\x3e\x5e\x3a\xb9\x76\xc9\xf6\x6a\x21\x3d\x67\x57\x3b\x60\x44\xbf\x6f\xaa\x8c\x17\xd5\x1b\x55\x50\x43\x8f\x9a\xc6\x58\x9d\x2c\xb2\xbc\x4e\x11\xcb\xf8\xa2\x54\x59\x4a\x82\xab\x89\x87\xf8\xad\xe2\x0d\x85\x42\xac\x71\xff\x84\x7b\x22\xe6\x7d\x2d\xdd\xa8\xf4\xba\x5f\x53\xfb\xf1\x77\x00\x91\x32\xba\xa5\x78\x6a\x7b\xe3\x1e\xc6\xc5\x92\xcb\xa5\x3c\x5c\x8a\x7b\xa1\x9d\xb0\x28\x6b\xff\x1d\x01\x78\xda\x1e\x4e\xa1\x08\x19\x43\x9a\xce\x53\x7a\xc5\xf4\x7a\x1c\x8b\x74\xfa\x67\xfc\x4e\x1b\xf9\x22\x92\xa9\xec\x65\x7b\x5e\x30\x03\x14\x6a\x1c\x56\x90\x85\x5b\x05\xcf\x75\xa0\xb1\x1a\xb9\xba\x73\x8a\x3d\xc1\x77\xd5\xf7\xe7\xfa\x6b\x46\x5d\x05\xe5\x13\xa2\x19\x48\x10\x89\x26\x5f\x56\x6e\x6b\xd0\xcc\x9e\xe1\xfb\x10\x0f\x85
\x12\x86\xe6\x57\x21\xf6\x01\xc8\x3f\x7a\x74\x09\x79\xb3\x84\x8f\x57\xfb\x00\x81\xef\xca\x45\x72\x0c\xcf\xd8\xa4\x90\x4f\x24\x81\x51\xb2\x42\x13\x2a\x4b\x45\x53\x0a\xe5\x44\x2f\xf7\xa5\x1b\xb5\xc5\x99\xcd\xa7\xe1\x0e\x1b\x4d\xe5\xc8\x0f\x52\xcc\x3d\xda\xc7\x51\x3f\xe1\x48\xbd\xbc\x5d\xa2\xe0\xc2\xb3\x91\x90\xd8\xf9\x0f\xcd\x45\x95\x03\xa4\xcb\x8f\xec\xe5\x51\x82\xcf\x72\x72\xa5\x22\xe5\x62\x61\x20\xc7\x33\x5c\x5a\x37\xc7\x2d\x40\x0f\xed\xc5\x88\x73\xc5\x96\x0f\x6c\xab\x80\x7a\xc2\x39\xd0\x24\x6a\xba\x2e\x84\x4b\x68\xb1\xac\x4a\xd6\xd2\xbb\xce\xdc\xb3\x5a\x67\x48\x64\x71\xe4\x45\xaf\x55\x99\x02\x70\xae\x09\x79\x68\xda\x00\x15\x7d\xd2\x21\xde\xa2\x43\x8d\x16\x62\x3c\x52\x82\x0f\x0d\x24\xe3\x9c\x04\x24\xee\x40\x48\x4f\xb0\xd9\x64\x19\xf5\xe2\x81\xd0\xe9\xe1\x78\x36\x68\x20\xdd\x5c\xa4\xa0\xc4\x5d\xee\xb3\x6c\xb9\xe2\x46\xbe\x67\x14\xce\xb0\x34\x7b\x0c\x30\x9c\xc5\x30\x22\x37\x4f\x73\x30\x35\x36\xe5\x93\xc5\x75\x88\xb8\x83\x90\x3e\xa5\x81\x33\x77\x36\x00\x20\x1a\x7b\x55\xdd\x5c\x01\xaf\x52\xe9\x0e\xc5\x24\xab\xd9\xf4\x7b\x3d\x71\x85\xc4\x82\x59\xbf\x5a\xa7\x6f\xea\x9d\xa9\x82\xb2\xc4\xa6\x10\x65\xdf\x2b\x06\x67\x32\x10\x35\x03\x96\x9e\xef\xaa\x23\x14\x1c\x8b\xec\xb3\x5c\xaf\x76\x02\xe9\x81\xc3\x06\x73\x99\x1b\x46\xd5\x4a\xb2\x76\x4b\xf5\xec\xc3\xf1\xa8\xe0\x00\xb1\x16\xb7\x69\xd8\x26\x25\xae\x94\x18\xb5\x23\xaf\x00\xf3\xcf\xb0\xeb\x65\xc9\x16\xf6\xa6\x24\x52\xf8\x10\xb2\x0c\x3e\x7c\xec\x7d\x61\xfe\xf5\x5f\x63\xd1\xda\x4a\x3f\x86\x8b\xbc\xfd\x86\x7e\x13\x0d\x3c\x7c\xe5\x22\x46\xef\x76\xed\xa2\x91\x6f\xbb\xdf\xd5\x06\xdb\xc2\x28\x9d\x00\xfb\xc8\xfd\x10\x0c\x45\x78\x69\x8d\x22\x03\xdf\xfa\xb9\x01\x8d\x6f\x19\xae\x19\x9f\x16\x59\xc3\xf7\x81\x57\x68\x0c\xf9\x80\x59\x7a\x12\x6b\x99\x4b\xdd\x64\x60\x96\x53\xdc\x0d\xdb\x55\x6c\x3a\xf8\x38\xa0\xa4\xa9\xbd\x70\x51\xe4\x52\x47\x91\x3c\xc3\x5b\x9d\x9f\xf3\x68\xff\xdf\x4e\x7f\xad\x83\xa5\x2f\x8a\x02\x61\xc3\x31\xb6\xef\x22\x6f\xe6\x76\xac\x1a\x9c\xf0\xcb\x00\x13\x85\xce\x35\xb0\x9d\xf3\xae\xca\xa3\xd8\x16\xf2\xaf\xc6\x2c\x27\xae\xe5
\x25\xf7\x2f\x2d\x31\xee\x0b\x21\xc4\x47\xf8\x09\x01\xa6\x5c\x77\x06\xd0\x7f\xf9\xb2\xd7\xbd\xe9\x2b\xc7\x9d\x85\xf8\x43\x1d\x46\x8a\xc8\x5e\x51\xac\x3a\x20\x9c\xea\x07\x28\x1e\x7d\x19\xc1\xf5\x2b\x5f\x01\xbd\xb0\x53\x97\x8c\x93\x33\x99\xb3\x5a\xc7\x7a\xa4\xa1\xe6\xf1\x82\xd2\x50\x27\x1c\xa3\x3c\x37\x91\xb1\x5a\x93\x1b\xcd\x32\xac\xe1\x92\x53\xf1\xa9\x04\x4a\xfa\x49\xc1\xa0\xdd\xc8\x2e\x95\x90\x7f\x60\xb7\x97\x1e\xc0\x10\x78\xe1\x37\xd1\xbc\xeb\x0c\xf8\x6f\x64\xcd\x6c\x19\x2c\xbf\xc3\x0b\x44\x78\x61\x7f\xe5\x2a\xa9\x43\xe6\x1a\x18\x2b\x1b\x0b\x21\x07\xd0\xc5\x4f\x4f\xa7\x31\x67\x9a\xf9\x5c\x32\xd1\x89\x14\xd6\x95\x9b\x9f\xa9\x6a\x0a\xac\x1c\x49\xad\xc6\x1f\x5f\x11\xb5\x44\x55\x73\x42\xc1\x42\x76\xbe\xea\x12\xfa\x71\xcd\x30\xa7\x31\xbd\x06\x4e\x9c\xfd\x0f\x9e\x4b\xe9\x66\xf7\xbd\x1c\x1b\x4f\xd7\x06\xb8\x39\x3e\x6e\xfb\x1c\x9f\x97\x52\x6f\x67\xd2\xe9\xcd\x5e\x17\x6d\xc6\x0c\x27\x4b\x30\x06\x1e\x1a\xb6\xa2\xd0\x04\xb8\x3a\xdb\x08\xf1\x98\x3b\xae\xab\x99\x04\x72\xbe\xff\x23\x41\xde\xf4\x7e\x0d\xd4\x11\xb0\x69\x1f\xd0\xa6\x5e\xa6\x6d\x16\xa4\xa4\xee\x94\xc4\xd1\xa5\xce\x6b\x3c\xfc\x87\x34\x81\xb0\x41\xfb\x30\x05\x61\x4c\x1c\xf8\x41\xee\xab\x27\xe0\x35\x98\xef\x94\x59\x8e\xd3\x0c\x3f\xd3\xee\x19\x20\x7a\xea\x2a\x8d\xbc\x3f\x60\xa6\xd9\x7e\x30\xc5\x8f\x32\x4b\xca\xf5\x71\x38\x8f\x9e\x83\xe0\x76\xcf\xdc\x06\x63\xcf\xe9\x3f\x5a\x3f\x19\x29\x9e\x74\x12\x10\xf6\xa8\x50\x1a\x72\x38\xb1\xcb\xd6\xe9\xf8\x29\x34\x5c\x33\x7c\x62\xb7\xcd\xb0\x24\xef\xc4\xff\x11\x62\x8c\xb1\xee\x4f\xda\x07\x27\x82\xbb\x69\x93\x2b\xa6\xde\xe1\x22\xcb\x37\xfe\xd6\x96\xde\xa1\x1c\xc2\x5e\xb2\xb5\x67\x8c\x7d\x0b\xd1\xdd\x05\xf3\x5d\x1d\x02\xad\xdf\x12\x95\xa1\xeb\x0b\x25\x99\x59\xa7\xb2\x90\xe6\x1f\x24\x79\x69\x15\x88\xac\x52\x09\x81\x90\x2f\x5a\xb0\x61\x62\xe9\xcf\x5f\x05\x85\xf5\x40\xd9\x0c\xd8\x38\x1d\xe3\x3d\x0a\x0a\x24\xda\x6f\x23\x1d\x3a\x68\x4c\x92\x5d\x73\x6f\x25\x34\xa5\x7e\x48\xd9\x19\xd5\x55\x19\xc5\x75\xbb\x54\x1d\x63\x8e\x0e\x40\x11\xf8\x41\xa5\xac\x33\x1d\x48\x89\x35\xc4\x4c\x2b\xce\x1c\x2a
\xc3\xe8\x48\x6e\x46\x5c\xde\xe8\xeb\x51\x3d\x3c\x1b\xb3\xb3\x8c\x5d\x15\x7c\x04\xd5\x76\xd6\x75\xe0\x0b\x30\xc2\x99\xe2\x11\xf8\xf2\x4a\x7a\x05\x3b\x42\x70\xd2\xac\xfa\x3a\xa6\x34\x34\x28\xd9\x2b\x6d\xb1\x4c\x15\x58\xa8\xdd\x58\xbb\x9c\x8c\x4b\x1b\x49\x35\x77\x3d\x14\x06\x11\x79\x3c\xca\xd5\x4f\xdc\x52\x30\xda\x4d\xfd\xa3\xb6\x0c\xc0\x76\x6e\xfc\xc6\xa3\xb7\x19\x00\xa5\x0e\x2c\x3e\x68\x27\xb9\x8c\xc1\x8c\xcd\x8f\xf7\x98\x24\x7f\x37\x48\x57\xd0\x62\x1e\x32\xbb\xf0\x48\x24\x74\xde\x0d\x42\xdd\xba\x78\x23\xe6\x33\xf1\x65\x8e\x7f\x6a\x36\x1c\x32\xe2\x45\x9c\x2b\xeb\x02\x9a\x8a\xfa\xa3\x12\x89\xe4\x87\x10\x45\x67\xd4\x0c\x81\xcc\xf5\xae\x2a\x2e\x6b\x34\x4f\x5c\x11\x0d\x7c\xe2\x30\x1f\xf2\xc2\x5f\xd8\x43\x84\x39\xa5\xea\x16\xa4\x46\xfc\x7e\x27\xf2\xcb\x06\x89\x44\xe4\xd8\xc9\x29\xc4\x64\x5f\x49\x4c\x2f\xd1\xb0\x25\xbf\xda\x11\x19\xf9\x08\x8f\x70\x7d\x66\x2c\x11\x95\xf8\xe4\x30\x8c\x47\x0b\x76\x24\x50\x99\x33\x2f\x61\xb2\xc9\xcc\x77\x87\x1c\xb2\x0c\x4e\xbe\xaa\x63\xe5\x3a\xdd\x25\xdf\x15\xc5\x62\x85\x85\xfe\x88\x6a\x73\xe3\x82\x56\x7c\x41\xce\xbd\xf2\xf3\x3f\x71\x68\x74\x7c\xe2\x4a\x22\xfa\xfe\xb2\x9c\xd0\x21\xa9\x2e\xc8\xfc\x27\x2d\xad\x24\x59\x8e\xbd\xae\xc2\xdc\xc4\x73\x73\xef\xa9\x7c\xac\xff\xda\xce\x15\x0e\x99\x51\x0b\xf3\x7b\xaf\x40\xa8\x17\xd9\x3d\x87\xa4\x8f\xab\x15\x3a\x10\x64\x82\x1e\xb5\x04\xa4\xeb\xa3\xab\x66\xd1\xec\x05\x7c\xf6\x4e\xe1\x1a\x6a\xd4\x05\x84\xfa\x76\x56\xa3\x98\x4c\x20\xe4\x94\x01\x3f\x83\x43\x0d\x76\x0c\xd6\xea\xa6\x04\xb5\x99\x55\x0d\xcb\xa7\x20\x85\x5e\x73\x5d\x62\xd4\x20\x07\x6c\xca\x07\x11\x5d\x4e\x37\x1c\x3d\x64\x1c\xb6\xcd\xb9\x69\xbd\xef\x10\x13\x7b\x8d\x7f\x39\x9a\xbe\x3e\x24\x36\x53\x5c\x30\xc7\xb9\xa8\x42\xfb\x31\xd3\x22\x43\x4e\x73\xb9\x5c\x0f\x5d\x45\x45\x11\x6b\x78\x8e\xa0\xfd\x47\x3a\xb3\x2c\xfb\x4c\xd7\x22\x49\x48\x91\x37\x72\xe8\x39\x2d\x89\xbf\x5c\x4e\x55\x11\xd2\x67\x20\x1c\xff\x62\xbd\xc0\x46\x8f\x96\xd9\xe8\x53\x23\x49\x5e\x92\x5e\x61\x14\x0f\xb4\x19\x41\x7b\xc3\xf8\x03\xa8\x0d\x0a\xf3\xb8\xc3\x1c\x2f\x63\xde\xe9\x17\x41\x13
\xf8\xe6\xe5\xc9\x3f\x47\xd8\x48\x64\x22\xa5\x69\x6b\xc0\x58\x43\xf7\xd0\x7f\x10\xeb\x3b\x5f\xbc\x2c\x37\x8f\x6e\x8a\x97\x5d\xeb\x6c\x04\xed\x20\xc6\x73\x84\x6e\xcc\x19\xd6\xdf\xcb\x19\x82\xff\x83\xa7\xdc\xa9\x2e\x81\x67\xe5\xdf\x64\x37\xb8\x48\x34\xfd\xe1\xcb\xfc\x44\x11\x05\xd0\x62\x18\xa2\xe0\xa5\x59\x17\xee\x27\x6f\xa7\x25\xb9\xf1\x6a\x94\xc6\x7b\x68\x4b\xc7\xb6\x88\xed\xba\xe7\x43\x82\xcb\xa7\xea\xc9\xf0\x17\x72\xc8\x91\x94\xd4\x4e\xea\x3c\xab\xc0\x02\x56\x26\x43\xc0\x15\x29\x09\x2f\xf6\x62\x9d\xe9\x6a\x77\x16\xf9\x23\x18\xa6\xcf\x70\xcd\xb8\xfd\xa8\xe3\xd0\x13\x06\xea\x91\x58\x0b\x6d\x97\x08\x08\x55\x2f\x45\xf5\x75\xc3\xaa\x63\x8f\xc5\x1a\xbd\xd8\x53\x5a\x05\x84\x07\x25\x88\x51\x8f\x93\x91\xb2\xd7\x89\x14\x73\x12\xa5\x8d\x0a\x15\xb6\x4b\xf9\x08\xf2\x49\x91\x3f\x14\x16\x71\x75\x10\x03\x54\x71\x50\xd4\x9f\x47\x2d\xbe\xd4\x08\x43\x24\x93\x70\x57\x59\x92\x9f\x61\x9a\x90\x1b\xf4\x1e\xd2\xe4\xd1\x2d\x63\x54\xaf\x21\x98\x40\xe6\x96\xae\x26\xd4\x0f\x01\x0f\x05\x86\x06\x8e\xfb\xbd\x4a\x63\xaf\x99\xae\xbd\x53\x05\xa8\x80\x13\xed\x74\xde\x00\x39\x90\x11\xdd\x8d\x0d\x54\x4b\x90\x70\x09\xf3\x61\xac\x6f\x66\xca\x0a\xc4\xfa\xe8\xee\xa5\x65\x42\x59\x9b\x16\x7b\x8f\x13\x2d\x2b\xc2\xb5\x7c\x73\x46\x53\xc0\x21\x4f\xcb\x4e\x3a\x50\x98\x23\xaa\x2e\xa6\x2a\xef\xd8\xd3\xa8\xf2\x7c\xea\xd3\xee\x3f\x27\x66\x98\x71\x27\x70\xad\xdc\x99\xcd\x31\x11\x2d\xaf\x0e\xde\x7c\x57\x7f\xcb\xae\x2e\x64\x04\x7b\xd3\x62\x4d\xcc\x04\xcf\xb6\xcd\x19\x4b\x79\xf1\xb5\x3b\x99\x0a\x44\x36\x28\x12\x3f\xbe\x9b\x2a\x3b\x59\x8b\xee\xab\xdb\xb7\xcf\x4d\x9c\xd8\x7b\xe2\xac\x84\xee\x3f\xe7\x43\xd7\x2e\x89\x84\x20\x4b\xab\x46\x3c\x89\x6d\x13\xc1\x22\x7b\x70\xa8\x87\x12\xb7\x7d\x22\x1e\xfa\x65\x40\x98\xb3\x85\x71\x46\x8f\xf9\xbf\xf1\x0b\xb0\xd3\x0f\xe6\xae\x7a\x1f\x62\xc4\xf6\x06\x6b\x55\xf3\x2b\x05\x47\xde\x75\xab\x1c\xac\x8e\x98\x6d\x89\xfc\x30\xa3\x62\xd7\x30\x8d\x09\x32\xcd\xd4\x4d\x8a\x23\x48\x60\xb6\x08\x09\x0a\xa5\xe1\x6b\xef\x4e\x44\x32\x7b\xa1\x86\x67\x91\x5e\xc6\x5c\xa7\x72\xf8\xdf\x52\x10\x5b\x37\x00\x87
\xfb\x1c\xbd\x6d\x11\xa9\x53\x62\x23\x2e\x5f\x6f\xce\x3f\x34\x3c\xd9\x62\xbe\xc2\x77\xf3\xa6\xaa\xcb\x82\xdf\x97\x53\x1b\x3a\x6f\xfd\xd2\x24\x45\x4b\xfc\x8a\x6c\x2e\x0b\x9c\x86\x44\x9c\x04\x3f\x39\xce\xb9\xaf\x5c\x42\x36\xe3\x22\x1c\x2e\x25\x9f\xa8\xf1\x28\x4d\xf6\x33\x4a\x2a\x24\x73\x3d\xba\xd6\xea\x99\x0a\xa3\xef\x97\x98\xe2\xf7\x85\xbe\x3d\x5a\x44\x30\x54\x97\xa1\xf5\x25\xf7\xde\xe1\xf7\xea\x82\xc7\xd5\x05\x59\xc5\x1d\xac\xc6\x17\xf6\xf7\xee\x56\xb6\xc5\xbc\xa2\x70\x18\x99\x24\x5c\xbe\xcb\x33\xcc\xdd\xf0\x0a\x16\x89\x46\x82\x08\x5f\x40\xd2\xf6\xf6\xb0\x3a\x16\x32\x06\x31\x1f\x98\x07\x72\x61\xcd\x76\xf4\x39\xce\xd0\x44\xb5\x25\x11\x2d\xeb\xd3\x1e\x4c\x7a\x90\x77\xbd\x82\x02\x17\xa8\x8b\x4d\x8e\x3e\x76\xda\xc4\x5b\x15\x01\x9e\x01\xde\xed\xc9\x43\xb3\x57\xab\x2d\x79\x00\xd9\x91\x57\xaf\x47\xdf\xc5\x97\x17\x91\xb2\x56\x65\xe9\x53\xdb\x69\xce\xfc\xea\xc8\x7a\xef\x83\x89\x36\xae\x73\xd2\xd2\x59\x83\xb2\x06\x60\x99\xc4\x74\x1a\xf8\x80\x48\xc7\xf8\x65\x31\xf2\xb8\x2d\x6e\x05\xb2\xee\x75\xf4\x72\xd9\xdf\x9c\x3e\xe9\x39\x8f\x6f\xe6\x8e\x0b\x52\x1c\x36\xa2\x42\xe2\xd6\x75\xf4\xd9\xda\x55\x21\x42\x74\x36\x31\xa4\xf2\xb6\xc0\x11\x47\x57\x53\xa7\x4f\x7f\xef\xc9\xd7\x2d\x3f\x9f\xb2\xbd\xcc\x71\xd6\x67\x32\xab\xe5\x0d\xd5\x78\xb6\x9b\xd0\x29\xb4\x5b\xca\x70\x8e\x87\xc0\x98\xaf\x90\x28\x4b\x4f\xbd\xdc\xc6\xfe\x16\x3a\x00\x09\x70\xd6\x54\x7c\xfd\x18\xcc\x8a\x11\xba\x22\x63\x8e\xe6\xeb\xa9\x10\x29\xf5\x25\x94\xa0\x42\xe9\x6e\xd7\x08\x01\x84\x59\x3f\x21\x09\x12\x6c\xbd\xe1\x31\x7a\x94\xa5\x62\x13\xad\x11\xae\x1c\xcf\x0a\x58\xa4\x5d\xbc\x81\xd0\x80\x9c\x59\x07\x3f\x8a\x9e\x17\x67\x4a\x47\x6d\x03\x37\x41\x4b\xfc\xff\x7c\xa6\x94\x92\x18\x46\x7c\x88\x50\x83\x9e\x55\xc9\xc7\xad\x9d\x51\xa6\x4a\x9d\x2b\x4b\xbb\x17\xa3\x65\x38\x94\x83\x45\x45\xbc\x28\x6c\x10\x8b\xb3\x13\x45\x57\x9a\x2b\x0b\x96\xf6\xa5\x73\x89\x79\x05\x19\xd4\x41\x3a\x96\x48\x82\x0e\x78\x46\xc5\x7a\xca\x47\x92\x49\x52\x23\xfc\xc0\x29\xd0\x70\xf1\x8f\x24\xac\x66\x58\x79\xd7\xa1\x97\xc7\x8c\x5c\x05\x18\x5a\xf7\xc1\x11\x40\xc7
\x8a\x35\xe9\x1d\xe5\xc0\xc5\x3f\xbc\xd1\x35\x0c\x27\x53\x6d\x28\xd5\xf5\x18\x69\x6b\x97\x13\x6d\x3f\x20\x35\xf2\x6f\xaa\xd5\xff\xe0\x4d\xfd\x5d\xcc\x09\xb1\x29\x90\x51\x95\x57\x9d\xd1\x5c\x8c\x98\x67\x62\x36\xeb\xd0\x2b\x6c\x2e\xf3\xe6\xeb\x15\xd8\x7c\x20\x6c\x39\x04\x6f\x2d\xbc\xef\x9a\x45\x23\xf2\x55\xf4\x45\xc3\xdd\x82\xc1\x40\xb2\x95\xa4\xa9\x0f\xa3\x0a\x28\x47\xff\x41\xef\xee\xa8\xf6\x30\xd4\xa5\x51\x27\x95\x38\x0a\xf7\xd1\x71\x3a\x6b\x29\x76\xdd\x74\xde\x50\xc3\xfe\xb4\x2b\xdd\x4c\x02\x58\xe4\x56\x17\x35\x8f\x18\xa2\x8b\xe1\x1b\xad\x5b\x5b\x79\x10\x3e\xe1\x27\x7c\x76\x1e\x12\x90\x1e\x49\x97\xf3\xb9\xd4\x49\x91\x72\x17\x6c\xdd\x12\xb6\x80\x7b\x23\x6d\xaf\x3d\xc0\x58\x72\x95\x64\x37\x81\x6c\x70\x6f\x3c\x36\x7d\x7e\x2c\x23\xe9\x6b\x1f\xe9\x65\x96\xdb\x88\x05\x07\xe2\x82\xfb\xe2\x3f\x21\x71\xb2\xf6\x85\x5d\x22\x17\x4a\x1a\x4b\x15\xed\x8a\xbd\x51\xca\x09\x3d\x46\xf0\xe2\xd0\x52\x98\x16\x8c\x23\x9e\x62\xd8\x9f\x74\x06\x74\x38\x8c\x24\x01\x8c\x47\x83\x2a\x87\x64\x40\x48\xd4\x36\xd6\x5c\xd7\xa2\x10\x28\x2b\x1f\xc8\x26\xf0\xcc\xdb\x66\x97\xd0\x11\x2b\x2a\x88\xe3\x95\x30\x8d\x42\x1a\xad\xa7\xa0\xe7\xd7\x6e\xca\x0a\x60\x73\x83\x02\x18\xc8\x3e\xd7\x94\x19\x48\x59\x60\x57\x20\x97\xcb\x62\x6c\x6f\x84\x67\x57\x90\x95\xdc\x22\x63\x20\x43\xdc\xe6\xb6\x7e\xaa\x79\x3a\x2a\x89\x82\x2f\xdc\x26\x6f\x5a\x61\x1a\xa1\xc6\xb8\x45\x99\x8a\x82\x80\x05\xfe\x79\x89\x25\x3c\x37\x61\x3e\x89\x23\x48\xad\x73\x32\xe3\x34\xaf\xb5\xa7\x08\x7e\x89\xac\xe2\xf3\x61\xd6\x6f\x27\x7d\xfa\xfa\x12\x66\x77\xe8\x33\xfd\x0b\x2c\xe4\xd2\x27\x93\x7c\xdf\x60\xa8\x82\x66\x94\x11\xd4\x45\x0b\x7e\x85\x9b\x82\x47\xad\x2e\x45\x74\x2e\xcb\x60\x57\x52\xf2\x14\x8d\x07\x5e\x1d\x14\x5a\xdd\x18\x47\x48\xc6\xec\xe9\xba\x26\x7b\x7a\x6d\xf9\x22\x9a\x62\xbb\x9b\xee\x7d\x7e\x92\x5d\x6e\xb9\xae\x96\xad\xef\x93\x7c\x03\x0c\x7d\x2b\x91\x9f\xc4\x63\x6a\xd6\x33\x13\x60\x45\x7d\x06\xd8\xc4\xf6\xdc\x10\xe3\x06\x55\x22\x60\x2b\x84\x1f\xb3\x67\x8e\x9d\xab\xf0\x7d\x5f\xc3\xfe\x39\xda\x21\xd4\x61\xe1\xa4\xac\x64\xa0\xd3\x35\x6f\x93\x62
\x28\x00\xf0\x07\xbe\x4e\xe1\x3c\xc4\x65\x4c\x89\x47\xff\xd1\x1b\xf7\x59\x8f\x50\xbf\x27\xdf\x75\xf8\xda\xef\xd9\xbd\x19\xcc\x3b\x6a\x06\xb2\x53\xe8\xb5\x90\x62\x1c\x66\xda\x76\x49\x6a\x87\xbe\x33\x53\xfb\x1c\xc5\x64\x36\x6b\x09\x79\xa8\x8c\x52\xb8\xdd\xae\xee\x89\x93\xf6\xa0\xa3\xa5\x43\xa9\x31\xea\x4e\xae\xe9\xd9\xe7\x00\x1e\x23\x49\x14\x4c\xd7\x46\xa2\x56\xdf\x92\xa4\x60\x24\xc7\xa3\xb3\xcb\x60\x7a\x74\x99\x87\xc9\x85\x60\x15\xb8\x6a\x23\xe4\x39\x4f\x64\xf9\x09\x97\x4a\xb0\x76\xb5\xd6\x49\x28\xfc\x9d\x1b\x4c\xba\x75\xbd\xa9\xe1\xd4\x62\x0c\xac\x6f\x08\xcb\xf7\x57\xde\x6f\x29\x11\xc3\x4e\xa0\x84\x81\xa3\x83\x20\x14\x47\xc2\xde\x6e\x37\xc0\x7d\x03\x38\xf1\x6a\x9a\x73\xfe\x67\x1a\x68\x4a\xe4\x5c\x87\x4f\xf1\x98\x15\x06\xe3\xfc\xa4\xe1\xf1\xdc\x9e\x58\xf9\xde\x6b\x96\xf8\x5e\x31\xa3\xc1\x6d\x3a\x11\x88\x0b\xb1\xcb\xc2\x23\xd0\xb9\xf3\xa6\xc4\xa6\x67\x1e\x29\xfe\xa6\x7a\xe9\xf1\x09\xe2\x63\xc3\x17\x95\xb3\x80\x16\xb8\x29\xd4\x1d\x0d\x54\x0f\x7f\x9b\xc5\x22\x02\x7d\xbc\xa4\x94\x5d\x95\x8e\x0b\x14\xc9\x02\x0e\x7e\x0d\x96\x2d\x93\xf6\x1d\xf3\x53\xbb\x18\x42\xb2\x89\xb5\xeb\xb7\xd0\xd8\x3e\xb0\x5f\x31\xe3\x45\x73\x46\xd1\xbc\xf8\x83\x35\x4e\x9a\x24\x7c\x78\xbc\xdf\x11\x45\x0b\xd3\x62\xf4\xe0\x9f\x9b\xc8\x1e\xa9\x28\x23\x05\xdf\x3a\xed\x85\x34\xb1\xf5\xc1\x5f\x58\x12\x7b\x85\x1e\x04\x5a\x0c\x54\x19\x3b\x5b\x11\xbe\x18\x75\x56\x3f\x86\x8e\xfe\x9a\x6a\xd8\x30\xca\x44\x36\x78\x6d\x79\x36\x4e\x19\x30\xd4\x55\xfa\xa6\xeb\xef\xe8\x6e\xce\x76\xa8\xb8\x95\x2d\xff\x2d\x3b\x83\xdd\x8b\xa4\xfd\x7c\x1c\xf9\x12\xa2\x2f\x65\x11\xc3\xcc\x11\xbd\x2f\x04\x69\x0a\xcd\xb3\x8f\x7e\x14\x20\xbc\x15\xe5\x74\xad\x12\x96\x55\x75\x44\x40\xd2\x90\x13\xc6\x98\x61\xd4\x7a\x42\x90\x6c\xee\xaa\x05\x1e\x2e\xfa\xde\xae\xa9\x97\x77\x9e\x05\xdd\x91\x22\x97\xa4\xff\xa9\xaf\x33\xfe\x81\xe7\x20\x67\xc3\x6e\x81\xc4\x86\x53\xd6\x9f\x2a\x2b\xa9\x17\x14\xd5\x10\x4e\x0e\xa1\xe6\xe9\x20\xa4\x40\x24\x05\x98\xdc\x62\x8e\x82\x05\xc3\x31\x3a\x0b\x03\xb7\xfe\xd3\xa8\x78\x8f\xb2\xa6\xde\x07\x22\x6c\x58\x9e\xf3\x37\x08\x22
\x14\x38\x1c\x98\x00\xd7\x03\x63\x81\x83\xda\xdf\xf3\x17\x14\x17\x0b\xc4\x02\xb2\x71\xef\x6c\x23\x5c\x12\xc9\xfa\x67\xc7\xbd\xa8\x0d\x63\x17\x15\xee\x1e\xd4\xdd\xa1\x07\x34\x7d\x14\x3f\x91\xec\x47\x0c\x20\x77\xc2\x77\x52\x4f\xe7\x8a\x23\xfa\xb2\x05\xfa\xb0\x8b\x1c\x25\x8f\x4b\xe4\x97\x59\xd1\xf1\x83\xa2\x1e\x40\x0a\x53\xa7\x24\x93\xa1\x7c\x23\xdf\xa1\x73\x21\x22\x57\x4b\x55\xa7\xf2\x66\x3b\xb0\x01\x7d\xdb\x2f\x47\x2e\xab\xd8\x7e\x40\x76\x95\xbc\xe8\x4c\x15\xf4\x30\x91\xbf\xc0\x6d\x4a\x52\x46\x72\xbf\x25\x15\x21\x85\x61\xe7\xc2\x5e\xa7\x33\xc1\x85\xd0\x98\x06\xdf\x8e\x6c\x92\x1c\x07\x1a\xe2\xf7\x6f\x5c\x0d\xb6\x23\x45\x17\xc7\x2e\x83\x93\x3a\xd4\x13\x46\x5b\x1b\xd0\xcd\xfe\x6a\x04\x6f\x07\xa4\xb2\x39\xfb\xb8\xed\x71\xbd\xdf\xc2\xb0\x71\x48\xd4\x99\x65\xda\x80\x3a\x82\x4b\xc1\x85\xda\x70\x53\x0a\xbb\x3e\x42\xb8\xa9\xf1\x9c\x0c\x3d\x86\x72\x35\x94\x13\x39\x51\x43\x4b\xfd\xbd\xe6\xbe\x90\xea\x21\x4f\xa0\xe1\x7f\x60\x3c\xd1\xad\x69\x5b\x5b\x5b\xa7\xc9\x86\x14\x87\x11\x45\x4c\x6a\x5a\x7a\x5d\xa2\xa1\x63\x1d\xc7\x06\x9e\x58\x2a\x1c\x12\xd2\xba\x25\xca\x01\xda\x8f\x5e\x70\x3b\x41\x14\x7f\xd3\x8f\x96\x68\xf1\x6c\xad\x66\xdf\x62\x2f\xe4\xb0\x2a\x1e\xef\xc0\xa6\x93\x63\xcc\x0b\x7c\x56\xf0\x34\x91\x60\x25\xee\x4b\xcf\xd0\x51\x26\x77\x29\x85\xa9\x63\x2a\x04\x36\x08\xe6\x56\x92\xaf\x2b\x4a\x75\x68\xf1\x3c\x41\xf1\x6c\x86\xbe\xc9\x9a\xae\x30\xa2\xd5\x4f\x64\x69\xf1\xeb\x68\x51\x8d\x48\xc4\x21\xbe\xc6\xf8\x3b\x82\x28\x30\x88\x38\xa9\xa4\x81\x9f\x2f\xed\x79\xe9\x9d\x10\x5a\x8f\x6b\x1a\xc0\x8e\xb9\xfc\x19\x62\xa8\x57\x7f\x27\xf5\xee\xcc\x91\x88\x3a\x02\x4e\xb7\x43\xa3\x99\xed\x6a\xef\x38\xe1\xf5\x33\xca\x6d\xba\x25\x53\x88\xd2\x5d\x4e\xef\x41\x2f\x03\x94\x4b\xcc\x0a\x8c\x4e\x94\xec\x31\xbb\x65\xc8\x9e\xca\x35\xcc\x88\x8f\xe8\x53\x0f\x6f\x58\x1a\x33\x46\x23\x3e\xf0\x93\x6d\xa1\x0e\x8b\x69\xc5\xfd\x23\xea\x2a\x58\xf9\xfe\x8b\x79\xa9\xef\x60\x80\x6c\x29\x6a\xba\x90\xfb\x83\x29\xe8\x38\xbb\x6c\x7d\x3c\x86\x7d\x41\x09\xba\xa2\x6c\x48\x37\x43\x9e\x63\x07\x17\x0e\x7b\x15\xc2\xf9\xf5\xee\x03
\x30\x5f\x94\x81\xf8\xe7\x93\xdd\x08\x6e\xf2\xfc\x3e\xca\x55\x5a\xa2\x58\x12\x02\xbb\x4e\xd8\xe4\x31\xcf\x0b\x71\x0b\xbd\x86\x25\xfa\xc1\x7b\x51\x9c\x68\x06\xb7\x21\x80\x08\xe0\x40\xbd\x2f\x07\x8e\x18\x50\x11\xd4\x71\xd4\x60\x26\xb5\x38\x87\xc9\x48\x1b\x6a\xbe\xa8\x38\xdc\x59\x8a\xf7\xd6\x1e\xb1\x05\x66\x12\x51\x68\xad\xb4\xb5\xfa\x2f\x49\xdb\x9e\x36\x08\xee\x06\xba\xff\x0b\x3e\xdd\xf0\x53\x70\x13\xa8\x9a\x8f\x60\xbe\xc6\xec\xaf\xe7\x4c\x3a\xd6\x26\x67\xcc\x73\x6e\x42\x31\x80\x60\xd9\x39\xca\x8a\xfa\xee\xf4\x18\x9c\xab\x94\xbb\x6d\x7c\x07\xf7\xaa\x21\xf6\x00\x27\x70\x7d\x8a\xee\x9d\x2f\xc0\x31\x96\x77\xe8\xe8\x6c\x6e\x02\x0f\x43\x53\xff\x8d\x52\x35\x42\x66\x9e\x4b\xf2\x64\x9f\xc4\xfe\x1a\xc2\x16\x51\x52\x7e\x25\x7a\x55\x00\x6c\x30\x4b\x83\xaa\xb8\xde\x6e\x87\xb0\x2d\x36\x60\x52\xde\xbd\x14\xf4\x71\x28\x33\xc3\x40\xea\xd1\xeb\x9f\x9f\x48\xdf\x1e\xa2\x7f\x67\x28\x2a\x8a\x5b\xa0\x5d\xf6\x8e\xe2\xaa\x98\xa3\x4b\x44\xfe\x38\xcf\x05\x82\x06\xcd\x11\x2d\x19\x37\x2e\x45\xaf\xb9\xd0\xc2\x4c\x0c\xa9\x18\x99\x48\x23\x9c\x99\xdb\xa4\x44\xf9\xc1\xa9\x1f\xdf\x3d\xff\xa9\xfd\xcd\x09\x35\x5e\x4b\x30\x61\x80\x63\xeb\x02\xe4\xac\x21\x2b\xf8\xf7\xb8\xc6\x17\x81\x1b\xc2\x74\x04\x23\x72\x4a\x0c\x50\x46\xf3\x57\x7e\x0b\x00\x6b\x14\x85\x0d\xdb\xab\xbf\x60\x12\x1d\x15\x1e\xc7\x30\x64\x9b\xa2\x51\xa2\x55\x1f\x6e\x92\x46\xe5\x46\x23\xa8\x19\xe9\xfc\xe9\x1f\xe4\x0a\x8a\xc2\xe5\x53\x32\xc5\x7b\x8b\x7b\x9a\x63\xad\xf9\x1f\x10\x74\x8d\xec\x7c\x01\x53\xcf\xf4\xa4\x12\x29\x27\x51\xb0\xab\x79\x3a\x14\x82\x29\xed\xd1\xf9\x08\x01\x2f\xba\xdc\xd1\x3e\x18\xd4\x79\xd9\x4e\xa5\x60\x65\x10\x03\x57\xba\x4b\xa1\x82\x58\xe4\xa8\x28\xea\xac\xa2\x0d\x67\x1d\x98\x6d\xc6\xd1\x79\x97\xf5\xb3\x74\x46\x93\xeb\x36\xcd\x7f\xce\x3f\xff\x1d\x2d\x59\xb9\xbc\xf1\xc9\x94\x27\xae\xec\x5c\x15\x8d\x12\xd0\x66\xd4\x69\x26\x7f\x42\x3d\xe6\x76\x07\x9d\xc4\x8d\xef\x12\x7b\xe6\x3b\x07\x9f\x0f\xe8\xd7\xda\xe2\xf2\x0e\xab\x8d\xdd\x0f\x38\x8d\x52\xac\x05\x91\x79\x58\x9c\x62\x42\xc7\xf9\xfe\x8e\x1d\x18\x57\xec\x29\x98\xf8\xdc\x9a\xed
\x3b\x3d\x38\xae\xed\x70\xb0\xfa\xb5\xd1\x3b\xcb\x53\x6c\xbf\x01\xa2\xfd\xa8\x11\xf1\x4f\xa0\xf5\xe4\xa4\xd5\x71\x31\x86\x0d\x60\xaa\xc2\x60\x73\x54\xab\xc5\x8f\x91\x51\xdd\x78\x8e\x78\x7f\x76\x85\xbe\x53\x7e\x6f\x86\xbb\xac\x94\xbe\xf4\xdb\xb0\x42\xda\x14\xc1\x00\x7d\xcd\x62\xaa\x8c\xbc\x70\x5d\x12\x0e\x07\x83\x94\xfc\xbd\xc9\x47\x29\xfc\xe6\x90\x5f\x1e\xd8\x69\x9c\xac\xd2\xe5\xf0\x05\x5d\x37\x7d\x0d\x5c\xa8\x3f\x18\x97\x1c\x19\x5c\x7e\xa1\xdc\xf1\x1e\x9f\xee\xc1\x24\xc2\xba\x56\xd0\xf5\x06\x06\x0c\x22\xcb\xc3\x66\xd0\xae\xd0\x5f\x40\x00\x62\x98\x4f\x22\x12\x2b\xfd\x16\xa3\x1b\x3a\x4a\x6e\xd9\xd9\x49\xbe\x5e\xc1\x6a\xe9\x8f\x2a\xa8\xea\xad\xae\xcc\x16\x9e\x97\xcd\xa0\xd5\xb5\x60\x2a\x91\xc1\x01\xb2\xe2\x83\xc0\xbe\x6c\x83\xab\xbe\x2e\x7e\x2e\x4c\xef\xe3\xbe\x22\x31\x21\x3e\xbb\x85\x88\x3e\x0a\x5b\x0b\x4a\x0d\x2c\x04\x72\x2e\xb6\x0f\xab\x23\x02\x3c\xf9\x1c\xa0\xab\x90\x8e\x4b\xb6\xac\x29\xa7\x88\xfe\x9e\xc6\xb9\x9d\x75\xd5\x2f\x20\x3c\xba\x7d\x92\x48\x5e\xf9\x05\x55\xae\xd4\x10\x60\xfd\xd0\x36\xf4\x2f\xa8\x18\xcd\xf8\xb9\xaf\xe2\x6a\xfc\x1f\x27\x9a\x40\x29\x25\x4b\x12\xdd\x54\xda\x88\x2a\x13\x8d\x34\xaf\x15\x77\xe7\x8c\x1d\xd1\x92\x3a\x56\xa3\x69\xd8\x5d\x74\xfa\x59\xd4\x53\x2b\x85\x9f\x67\xe6\x5f\x3e\x67\xd6\x54\xe5\x7d\xde\x88\xcf\x7c\x23\xc9\x18\x2e\xc1\x5e\x95\x28\x3d\xbb\xa7\x99\x11\x16\x4d\xf2\xb4\x83\xbe\x5a\xdb\x7e\x60\x06\xfe\xb6\x9c\x67\x2c\x93\x8a\x81\x8b\x2b\x46\x36\xc9\x43\xb6\x8e\x8c\x93\x35\xa5\xfe\x2a\xa7\x42\x74\x02\x78\x51\x17\xde\xb2\xae\x7c\x16\xba\x0d\x05\xa5\x0d\x21\xcd\x7b\x65\x8c\xe0\x21\x40\xdd\x20\x84\x9a\xe2\x50\xbb\xb1\x0e\x96\x0c\x87\x21\xcf\x96\xd0\xe7\xd8\x1b\xbb\x21\xa5\x33\x58\xe0\xa4\x4f\x8d\x26\xb1\x0b\xf2\x4e\xda\x9b\x5d\x8c\xee\xf7\x10\xee\xc2\x5c\x0c\x3b\x31\x80\xc8\x59\x40\xf5\xb1\x5c\xc1\x3f\xe6\x8a\xd1\x9f\x7f\x0e\x9b\x4c\xc3\x97\x35\xb6\x86\x39\xf8\xfe\x46\x22\xdc\x78\x4d\x5d\x64\x70\xab\x9e\x32\x74\x0d\xb0\x2a\x9b\x67\x32\xac\xbb\xf5\x87\x67\x19\xf5\x57\xa4\xe0\xa4\x2c\x03\x6b\xb3\xf9\x72\xea\xa8\x62\xc5\x8f\xfb\xce\x08\xee
\x0e\xa2\x1e\x74\xe8\x17\x57\x87\x05\xe4\xe2\x68\x3f\xeb\x6c\x61\x23\xee\x1b\x9a\xe1\xda\x94\xc5\xea\x68\x76\x3b\x03\x03\xc6\x39\x7e\x21\x69\x1a\x4d\x81\x54\xfd\x1a\xef\xdf\x39\x8c\x41\x36\x9e\xb8\x25\x5d\x9b\x84\x7f\x9d\x67\xcf\x5b\xb8\x08\x41\xf4\x68\xf7\xc8\x70\xf0\xe1\x94\xdc\xf2\x3a\x6e\x76\x42\xc9\x51\x4d\x12\x64\x32\xf4\xb6\x6b\xdb\x7b\x81\xb5\x43\x70\xca\x23\xa0\x5c\x22\x3c\x49\xc5\xb2\x68\x03\x76\x8b\xad\x60\x59\x48\x17\xbb\x98\xb5\xec\x27\x4d\x62\xe2\x64\xc5\x4c\xde\x98\x06\x37\x6b\x40\x5e\x9f\x7d\xe3\xd5\x9a\xe3\xce\x7d\xb4\xa6\x89\x85\xb1\xc1\xa1\x12\x22\xd1\xc2\x80\x9c\x96\xf7\xeb\x9a\x5b\xf4\xe5\x02\x66\xdf\x93\x5c\x90\x0a\x56\x8f\xe5\x79\xa6\xea\x47\x4f\x62\x35\x91\x96\x4d\xb4\x3a\xc6\x47\xde\x15\x91\x6a\xef\xac\xd3\x22\x23\x6f\xd5\x39\x77\xd6\x82\xee\xeb\x0d\xcf\x79\x8b\x6f\x2f\xf2\x2b\x36\xdd\x00\xd6\x4e\x51\x59\x9b\xda\xd7\x03\xa4\x2d\x1d\x20\xeb\x8d\x6a\x63\x85\xf6\xdb\x49\xf3\x4f\xce\x3b\x28\xe2\x85\x6f\x28\x28\xd7\x7c\x4d\x03\xd3\x4e\xb0\x8c\x33\xb7\x54\xbf\xe7\xf3\x9d\x0a\x34\x30\xa2\x13\xb9\x7e\x75\xc2\xc9\x75\x63\x5c\x79\xd3\x0a\xaf\x3d\xaa\x9a\x1e\x8c\xa5\x6f\xbe\x49\x9e\x77\x81\x18\xc7\xe5\x95\x4a\xc2\xac\x2b\xce\xa6\x9a\xda\xc9\x60\x09\xe1\xb5\xcd\x27\x98\x6c\x25\x42\x82\xbf\x07\x60\x74\x75\x59\xcb\x61\x2a\x1f\x61\x0d\xf0\x9b\xec\x5a\xa1\xf4\x1f\x7a\x3b\x2f\x0f\x2c\xb2\x85\x08\xe2\xb0\xca\xf2\x06\xbe\x81\x0d\x65\xb6\xc4\xfc\x2e\xf5\xec\x09\x8b\x27\x4b\x53\x68\x13\x06\x04\x16\x69\xab\xb1\x75\xe4\xec\x88\x98\x1c\x5a\x0c\x05\xa6\x46\xe5\xd9\x03\x43\xa0\xb1\xf8\x73\x37\x9c\xf1\x44\xc3\xc8\x79\x5c\xfd\x77\x59\x4b\x51\x6a\xb0\x2a\x40\x8e\x0f\xaa\x37\xfd\xf2\xde\x2e\x6f\x37\xfa\x03\x54\x0d\x70\xe5\xf0\x29\x77\x67\x08\x4e\xa0\x08\x6c\x13\x1a\xb5\xb2\x8a\xb5\x43\x97\x8f\x1d\x4f\x04\x29\x1b\x6d\xdd\xd7\x2d\x2a\xa9\xa2\x2a\xe1\x96\x97\x95\x03\x51\xa2\xf3\xda\x68\x97\x1d\x96\x36\xe2\x9c\x66\xd9\xfd\x61\xcd\xac\x7c\x81\x18\x93\x50\x44\x7c\x03\xc1\x46\xd0\xdd\xe5\x5a\x17\x91\x5b\x56\xff\xa9\xfb\xa4\x7e\x09\xba\xfe\x41\x2b\x6a\x8a\xe7\x20\xd9\x2b\x04\xa5
\x5e\x65\x48\xb0\x03\x55\x06\xf8\x0f\xaf\x97\x08\x24\x79\x82\x09\x6d\xd8\x06\xe1\xe6\x98\xfe\x8f\x59\x0f\xcb\x00\x9f\xa8\x75\x86\xb0\x8c\xd2\x70\x97\xaa\x53\xd3\x08\x7e\x9f\x4c\x7a\x4e\xe5\x56\x49\x1b\x3d\xf6\x8f\xb4\x13\xa9\x2d\x7f\x78\x33\x65\xc6\xa5\xe1\xfc\xa5\xd9\x56\x3e\x19\x3e\xd2\x37\x9f\x99\x4f\x32\xe9\xa2\xc7\xa7\x22\x15\xc1\xe8\x91\x38\x57\x65\x94\x7b\x90\x86\xa5\x60\xd3\x73\xae\x19\xb8\x8e\x78\x15\x03\xb1\xb8\xb8\x01\xa8\xdc\xf5\xf6\x7d\x0e\x4b\x02\x12\xd8\x54\x48\x76\x94\xac\x76\x57\x2f\xa1\xe6\xf1\xfe\x71\x9c\xde\x5b\x27\x8c\x9c\xe3\x93\x8b\x27\x10\x60\x33\x5a\x57\x41\xba\xa0\xd7\xad\xc3\xde\x28\xe3\x7b\xee\xd6\xf7\x81\xf6\xf7\xb3\x21\xc5\x69\x33\x82\x83\x77\xa2\xff\x6d\xe2\xbf\xc2\x4b\x2a\x34\x72\xca\x50\x39\x37\x3d\x3c\xdc\x9a\xfc\x04\x0c\xe4\xe8\x94\xcf\xf8\x22\x54\xd9\xe4\xf4\xb2\x59\x98\xc9\xdc\x84\x70\x54\x63\xda\x8a\x03\xea\x41\x9c\x2e\x4c\x81\x2a\x9f\x04\xd5\x3f\x2d\xe4\xfc\x2e\x3c\x1a\x08\xa7\x38\x9d\xdf\xb0\x82\x17\x64\xe7\x11\x05\xeb\x05\x88\x72\x08\x71\xf0\x08\x2c\xd9\x11\xf8\xed\xf6\x94\x95\x00\x72\xee\xbc\x64\x21\xbf\xc7\x1a\xf2\x76\x69\x10\x7e\x4b\x48\xac\x97\x13\x39\xe6\x9c\x46\xc4\xea\x5d\x50\x02\x8f\x14\x73\x5d\x84\xda\x04\x0a\x08\xd3\xc9\xd0\xe6\x4d\xee\x8b\xb6\x45\x00\x3b\xfc\x01\x62\xc3\xe1\x31\xd3\xdf\xcc\xf1\xa5\x16\x28\xbd\x59\xed\x49\x5b\x17\x7b\x41\x7d\x0c\xb3\x76\x53\x7d\x58\x16\x74\x1c\x25\x88\x5e\xc5\x67\x42\x15\x4e\x84\xa2\x6d\x9d\xe3\x76\xd6\x7f\xfb\xe2\xfd\xb4\x86\x9b\x6d\x87\x08\xa7\x35\x0e\xfc\x67\x2a\x48\xd6\x0a\x92\x8c\x99\x27\x53\xad\x4b\xd7\x45\xa7\x18\x9b\x3f\x94\xf4\x8f\x64\xc9\xf8\x6d\x9f\x0b\x22\xbf\x7a\x1d\xf2\x09\x6b\x46\xfa\xdf\x26\x69\x06\xf3\x94\xb1\xde\x65\x52\x92\x87\x85\xd6\x8d\x26\xb9\x6b\xda\x02\xe4\x9d\x5e\xca\x82\x84\x70\x0d\x50\x33\xb0\x06\x23\x66\xa6\xce\x4b\xe4\x4c\x76\x7d\x60\x81\x7b\x48\x76\x87\x48\x58\x2a\x5e\xd3\xdb\x60\x82\x91\xa5\xef\xa1\x01\x1b\x75\x8f\x99\x0a\xb3\xe4\xab\xed\xf5\x3f\x01\xb7\x00\xdf\xae\xb5\x87\xb4\xf4\x14\xd3\xfe\x3a\x87\x32\xe1\xf2\x15\xfa\x86\x9c\x7b\x2f\x8b\x7f\x4e\xac
\x59\x7d\xa8\x17\x51\x70\x9b\xd1\x8e\xb0\x86\x9c\xe1\x14\x59\xf8\x76\x6e\x63\x32\xe9\x57\x10\x7a\x79\x1a\x64\x01\x10\x49\x48\x8a\x27\x32\x54\xf3\x3e\x0e\xcb\x44\x0e\xe4\x46\xe8\xab\x76\xf2\x4e\xc1\xf4\xcf\x7d\x31\x4a\x15\x8c\x51\x2b\x6a\x27\x31\x09\x93\x67\x76\x6a\xe4\x05\x35\x96\x7d\x63\xce\x07\x1f\x06\x8a\x7d\x3f\xbd\x48\x33\xa0\xc7\x8c\xea\x71\x27\x48\xa4\xbf\x23\x61\xd8\xf6\x03\x59\x59\xa6\xab\x08\xf3\xd4\x4f\x7f\x81\xfe\x74\xd9\x64\xd5\x8b\xb3\xcb\x60\x51\xc5\xe6\x8d\xc6\xe7\x1f\xec\xe4\xae\x85\xdd\xc8\x95\xb3\x16\xf4\x7d\x52\x08\x47\xdd\x84\x83\x17\xb6\x1a\x47\xa1\x3c\xe0\x6c\x30\xd1\x4d\x98\x52\x93\x8c\x6e\xe4\x5a\xd2\xeb\x1f\x19\xdd\xa1\x9b\x1f\x83\x56\x24\x41\xc2\xd3\x06\x11\x1f\x51\x1e\x40\xa8\xd8\x2b\x33\x4b\x2d\x98\x3c\x35\x4f\x2c\xf8\xa2\xe7\xa2\xfc\x13\x5a\x4a\x31\xda\x5b\x09\x29\xd0\xe0\xc3\xe1\xc9\xbf\xb2\xde\xbc\xd2\xfc\x9d\x05\x77\x26\x3c\x77\x71\xc6\x84\xd3\x4a\x6b\x02\xb3\x1c\x52\xf4\x2e\x07\xfc\x1f\x42\xe7\x0d\x74\x00\x35\xe8\x0f\x0c\x38\x89\xd8\xd2\x8c\xdf\x11\x40\xe2\x10\xdf\xf5\xae\xb5\xaa\xab\xfd\x65\x5a\xc4\x6e\x03\xd1\x7e\x1e\x72\x27\x3e\xa0\x14\x15\x8c\xff\x2c\x8e\xf3\x70\x08\xb4\x4e\x73\xd2\xc6\x16\x86\x23\x49\xaf\xa5\xa1\x6e\xc6\xf1\x0d\x7f\x85\xfe\x4d\x95\xdf\x41\x6b\xdf\x00\x17\x48\xa6\x98\xa7\x94\x21\x92\x54\x9a\x4b\x86\x00\xf5\x38\x02\x91\xfe\xca\xb3\x74\xb5\x90\x26\x6a\x98\x0b\x2d\x38\xd0\x81\x7e\x11\x1c\xa3\x14\x47\xff\x7a\x33\xee\x30\x0b\x75\x83\xc8\x30\x50\xa5\x91\xcf\xb8\xc3\x83\x20\x36\x9b\x54\xb9\x62\x4a\xe5\xbf\xbe\x7a\x65\x73\x23\xe6\x4b\xb8\x90\xff\x4a\xbd\x85\xfb\xe8\xc5\x9a\x68\xa6\x16\xb0\x44\xdd\xc9\x77\x33\x60\x41\x33\x5f\xe1\xd2\x9e\x87\xdf\xc5\x63\xa0\xf7\xd3\x93\xca\x83\x53\xb3\x1c\xaa\x64\x1d\x11\x40\x10\x9d\x3f\x3d\x68\xbc\x4a\xc8\xd1\xa3\x2e\x03\x9a\x5a\x5a\xae\x4e\x95\xd7\xd3\x7d\x57\x37\xef\x2b\x99\x7e\x17\x86\x82\xbe\x27\xb0\xd5\xb9\xcb\x7b\xb3\x0b\xce\x28\xda\x9f\x9c\x29\x98\x80\xe1\x52\xd9\x0f\x6a\x05\x90\xfa\x28\x9a\xeb\x5c\x4b\x4c\x05\x0f\x7f\x48\x74\x4a\x1e\x3e\xd8\xb7\x06\xbb\x14\x37\x14\x63\x70\x52\x27
\x75\xb4\xa8\x24\xef\x29\xae\x2d\x08\x54\x27\x9f\xef\x03\xa0\xea\x67\x3e\x25\x1f\x66\x97\x16\x6f\x36\x99\x60\x89\xb8\x8f\x48\x5c\x30\xdd\x49\xdf\x10\x21\xb1\xce\x79\x4b\xa4\x47\xe3\x61\x70\x4c\xa2\x0c\x53\xf2\x84\xfd\xc4\xfa\x1a\x1f\x40\xe5\xf7\x24\x0f\x27\x32\x13\xb6\x92\x0e\x9b\xfb\x8e\xe6\x9f\x93\x26\x16\xcc\xf6\x56\x49\x5d\x99\x87\x43\xd6\x1a\x08\x8e\x60\x59\xfe\x2f\xc0\x35\x72\xf1\xdf\xad\xfb\x51\x0c\x55\xf5\x18\x5a\xda\x91\x4e\x2a\x96\x62\x8d\x3e\xe5\xd6\xb0\x01\xcf\xd0\x45\x64\x6e\xf9\x36\x94\x82\x8f\xe8\xe0\x33\x3d\x9e\x85\x37\xab\x9e\x02\xec\x72\x17\x13\xb2\xb9\x74\x3e\x68\xf4\x2f\xff\x78\xab\xc0\xaf\xd4\xbd\xdc\x95\x17\x9a\xf1\x2c\x3c\x95\x08\x34\x9e\x65\x6a\xd5\x9b\xd6\x4c\xb6\xa4\xbc\x76\x42\xc6\x6e\xfe\xf2\x9a\x55\x00\x93\x70\x64\xde\x05\xe4\x9e\x2a\x81\xc5\x87\xe2\x28\xe0\xab\xa0\xc8\xa6\x87\x5c\x41\x06\x63\xa2\x22\xe5\x57\x55\x7b\xcb\x10\x54\x01\x25\x32\xe3\xe6\xd4\x83\x0d\x3d\x9c\xa0\xeb\x68\x97\xba\x54\x05\xa3\x35\x50\x3f\x8c\xfe\x34\x5a\x20\xed\xee\x88\xa8\xb1\x43\xe2\x8c\x98\x2b\xb8\x36\xe0\xcd\xe0\xc6\xde\xab\xad\xbc\x11\xd8\xa6\x33\x50\xf1\x05\x0b\x71\xab\xcb\xd8\xea\xe7\xc2\x2f\xc0\x4d\x59\x72\x67\x48\xc8\x2e\xd4\x35\x95\xd6\x62\x55\xb6\xc3\x0f\x11\x1e\x3b\x5c\x9c\x12\xd9\x7a\x36\x8b\xe6\x72\xb0\xf0\xe5\x92\x98\x38\xfd\x82\x04\xb5\x5d\x0e\x51\x1a\x32\x90\x6a\xf5\xc3\x49\xcd\x64\x8a\x43\x98\x14\x77\x04\x56\x3a\x10\xd5\xd5\xf5\xa8\x6f\x8f\x1c\x88\xa2\x32\x4e\x56\xcf\x28\xd6\x3d\xaa\xc7\x25\xe7\xf9\xfe\x3d\x15\x04\xaa\x2d\x26\x90\x37\x60\xe2\x7e\x79\x6f\x7f\x7d\x33\xb9\x6e\xf0\x1e\x4e\x57\x24\x56\xfe\x47\x9a\x25\x23\xd3\x96\xe6\xcc\x88\xb8\xa8\xdc\x35\xf1\x55\xda\xed\xb3\xc2\x9d\xd2\xcd\x8a\xdf\x6d\xcc\x73\x2e\x5c\x58\x51\x1b\xd3\x89\x87\x83\x99\xc4\x32\xc1\xa4\x0d\xc0\x6e\x94\xe2\x4d\x66\xe1\xcd\xbb\x73\xcc\xa9\x92\xa3\xa6\x1c\x54\x5d\xd3\x47\xd0\xbe\x41\x41\xa1\xec\x23\xa6\xca\x84\x5b\xa1\xb5\x83\x96\xb4\x56\xee\x05\xe6\xbe\x7d\x7c\x9a\x0d\xea\xad\x66\x46\xd7\xa7\x79\x86\x88\x6d\x9e\xe7\x55\xc5\x88\x96\x50\xe9\xeb\xcc\x4b\x8d\xea\x33\x52\x1b\x65
\x17\x1e\xc9\xd9\xee\xb4\xe7\x76\xd3\xd7\x1f\x52\x61\xd4\x51\xf4\x81\xb9\x0c\xfc\x65\x5f\x8c\xf1\xb6\x3d\xf8\x46\x7e\x0c\x1e\x2f\x9a\xf5\x75\x8e\xb5\x06\xaa\xce\xab\x4b\xb3\x59\x07\x82\x9e\x55\x41\x1e\xb2\x5b\x59\xcb\x70\xf9\xea\x06\xef\xde\xaa\xef\x61\x51\x15\x61\x84\xec\xea\xb1\xba\x65\xf4\x1d\xf3\x2b\x53\x46\xf5\xec\x03\xab\x19\x80\x7d\xf4\x84\x49\x88\x13\x34\xa6\x82\x9c\x39\x71\x69\x21\xfb\x7e\x5d\x05\x78\xee\xb3\xeb\x3b\xec\xb8\xff\x5e\x00\xfe\x84\x22\xb0\xc3\xb7\xbc\x77\xa5\xd3\x38\xbd\x0d\x4e\xf6\xa3\x41\xdd\x94\x1d\x92\x5e\xc6\xcd\x93\xf2\x89\x56\x6d\x80\x3f\xf2\xa0\x2a\x3e\xf8\xc8\xd8\x00\x52\x51\x8f\x9a\xfa\x30\xaa\xf0\xcb\x97\xea\x1e\xed\xb5\x27\xb1\x80\xdc\xb8\x03\x68\x05\x0b\x6d\xfb\x4e\xbe\x2c\xb9\x6d\x1e\x06\x84\x98\x6a\x85\xa6\xb6\xeb\xa2\x16\x60\xa1\x8c\x28\x24\x8c\xc0\xd4\xcd\xf5\xe0\x85\xc1\xfb\x61\x33\xda\x11\x69\xe5\x03\x6d\x35\xf5\x47\xeb\xc0\x61\x86\xb6\x95\xf2\x42\x71\xbd\x68\x0a\x39\x7d\x92\x35\x38\x12\x7f\x94\x8a\x2b\xa3\x6b\xf5\x29\x1a\x9c\xfa\x5d\xc5\x7a\xf9\x90\x1b\xb7\xef\x7c\x9c\x9d\x60\x00\x86\x37\x6a\x0d\xc6\x80\xe4\xe6\x7e\x17\x70\xe7\x24\x99\xb5\x83\x33\xaf\x89\x8a\x33\x2c\x78\x94\x95\x94\x28\x42\x4f\xe6\x1c\x0e\x0d\x8f\xd6\xc4\x6a\xf7\x9b\xdb\x23\xc8\x44\x94\x01\x58\x7b\xa1\x16\x56\x5c\x8e\x06\x0f\xb1\xaf\x55\x7c\xec\xda\xf3\xd1\x0d\x2f\x06\x5d\x7f\xfd\x53\xdf\xbe\x8a\xfd\x1c\x46\x90\x4c\xba\xad\x1b\xd8\xf1\x8e\xe7\x0a\xa4\x81\x1b\x27\x85\x74\x33\xe4\x75\xab\x5c\x5c\x62\x0a\x8d\xaf\x02\xbe\xf4\x02\x86\x49\x7b\xe5\x1f\x25\x32\xd4\x25\x90\x56\x69\xf3\xbe\x5c\xe7\xb7\x90\xe9\x45\xc2\x2e\x44\x6f\x0a\x36\x1e\x04\x3f\xd4\xa7\x6e\x53\xe3\xb0\x4b\x59\x05\xed\xa6\x3b\xce\xbb\x62\xe0\x6c\x6c\xc0\xe2\x54\xf2\xf0\xe3\x86\xbd\xd7\x30\xc5\x5a\x04\x07\xaf\x9d\xec\x14\x63\x3b\x5a\xc1\x5a\x33\xec\x52\x3f\x6a\x4a\x94\x54\xbc\x5a\xa2\x16\xe1\x43\xf0\xf7\x2e\xbb\xd6\xf5\xc0\x38\xd2\xee\x39\xad\x7c\xf3\x95\x6a\x3c\x47\x9a\x8a\x65\x3a\x90\x6a\x01\xf4\x86\x18\xe6\xa4\x7a\xdb\xa3\x59\x8e\x9c\x9e\x72\x5d\x53\x43\x9e\x0f\x17\x5f\xcd\x51\xba\x15\x16\x07\xa3
\x35\x93\xf1\x25\x6e\x6b\x29\x68\x5a\x81\x3d\xee\x40\x3e\xc2\xb4\xfa\x09\xc6\xd0\xf4\xd6\x51\xe2\x37\x8b\x78\x04\x1f\x37\x24\x33\x47\xdc\x77\xce\x35\x14\xc6\x34\xe4\xf8\x3e\xa2\x97\x66\x5f\x16\xd6\x56\xa6\xdf\x91\x00\xbf\x65\x53\xd6\x69\xe4\x3c\x0a\xc2\xd8\x91\xeb\x77\x79\xee\x8d\x4f\x32\x11\xcd\x2a\x52\x7f\xd4\x15\xaf\x00\x04\xc2\xd5\xdd\xb6\x2a\x36\xde\xe9\x8a\xc1\x48\x96\x96\xc5\x56\x47\x6a\xca\x9f\x6d\xa9\xbd\x4f\x37\xac\xa8\x6b\x83\x86\x0a\x8d\xd9\x04\xbb\xe2\xc3\xd3\x7c\xfc\xd7\x68\xb5\x9d\x82\xa8\xc1\xbc\xef\xfc\x44\xed\xfb\x04\x73\x0e\xa5\x79\x16\xda\x94\xb4\xe8\xdb\xcf\x5f\x01\xb5\xa7\x18\x64\x6a\x56\xe6\x2a\x64\x74\x8a\x9e\x3b\x7b\x2f\x08\x0a\x2f\xb3\x51\x5d\xb5\x35\xc6\xac\xde\xf1\xd8\x58\xf6\x33\xb0\x80\xd3\x98\xc0\x06\xd7\x40\xf5\x9b\xfc\x06\x3a\xcb\xb4\x0f\xe2\x18\x3c\x55\x20\x89\x4d\xd5\xa4\x7b\xbd\xd9\x91\xf2\xca\x2e\x1d\x35\xd0\x40\x75\x59\x00\x16\xdf\xc8\x13\xa8\xf2\x72\x92\x6d\x66\x0b\x0b\xac\x47\xfc\x72\x97\xd7\x48\xd1\x64\x2d\xe8\x2c\x08\x24\x5c\x8a\x4a\xf3\x98\x26\x97\x1b\x06\xe2\x52\x56\x75\x9f\xc4\xae\xe3\xde\x98\x40\xc1\x4f\x99\xe8\xa5\x34\x04\xbc\xca\xe6\x13\xce\xdd\x72\xd3\x2e\x74\xc8\x7d\x8c\xad\x6c\xf7\x2f\xd2\x01\x8d\x5f\x3a\x79\x7c\x08\xcd\xda\xa2\xd9\xa5\xac\x5f\x49\xbf\x07\xb0\x45\xc4\x16\x9a\x88\x30\x46\x2c\x19\xb4\x00\x4b\x62\x83\x0c\x4b\xed\xca\x51\x61\x45\x1c\xe9\xc8\xac\x56\xf9\x73\xcc\x12\x0f\x7e\xad\xb2\x01\x0d\xe4\xbc\x3d\x71\x96\x47\xa8\xef\xb1\xa9\x5d\xc9\x3c\xce\x6e\xd2\xe2\x25\x5b\x85\x28\x21\x49\x1d\xcd\x30\x64\x0e\xeb\xae\x86\xec\xc0\x2e\x36\x5b\x46\x5d\xef\xb7\x36\x94\x17\x0d\x30\x33\x77\x59\x68\xa5\x3f\x27\x4f\xd1\xab\x8f\x38\x97\x81\x5a\xf3\xdf\xc8\x1f\xcd\xb7\xa3\xa6\xd1\x91\x7c\xab\x0a\x44\x69", 8192); *(uint64_t*)0x20004cc0 = 0x20002200; *(uint32_t*)0x20002200 = 0x50; *(uint32_t*)0x20002204 = 0; *(uint64_t*)0x20002208 = 0x8b20; *(uint32_t*)0x20002210 = 7; *(uint32_t*)0x20002214 = 0x1f; *(uint32_t*)0x20002218 = 4; *(uint32_t*)0x2000221c = 0; *(uint16_t*)0x20002220 = 6; *(uint16_t*)0x20002222 = 2; 
*(uint32_t*)0x20002224 = 0x7fffffff; *(uint32_t*)0x20002228 = 2; *(uint16_t*)0x2000222c = 0; *(uint16_t*)0x2000222e = 0; *(uint32_t*)0x20002230 = 0; *(uint32_t*)0x20002234 = 0; *(uint32_t*)0x20002238 = 0; *(uint32_t*)0x2000223c = 0; *(uint32_t*)0x20002240 = 0; *(uint32_t*)0x20002244 = 0; *(uint32_t*)0x20002248 = 0; *(uint32_t*)0x2000224c = 0; *(uint64_t*)0x20004cc8 = 0x20002280; *(uint32_t*)0x20002280 = 0x18; *(uint32_t*)0x20002284 = 0xfffffff5; *(uint64_t*)0x20002288 = 0x55; *(uint64_t*)0x20002290 = 0; *(uint64_t*)0x20004cd0 = 0x200022c0; *(uint32_t*)0x200022c0 = 0x18; *(uint32_t*)0x200022c4 = 0; *(uint64_t*)0x200022c8 = 2; *(uint64_t*)0x200022d0 = 9; *(uint64_t*)0x20004cd8 = 0x20002300; *(uint32_t*)0x20002300 = 0x18; *(uint32_t*)0x20002304 = 0; *(uint64_t*)0x20002308 = 0x40; *(uint32_t*)0x20002310 = 0xe62; *(uint32_t*)0x20002314 = 0; *(uint64_t*)0x20004ce0 = 0x20002340; *(uint32_t*)0x20002340 = 0x18; *(uint32_t*)0x20002344 = 0; *(uint64_t*)0x20002348 = 0x80000001; *(uint32_t*)0x20002350 = 0x787; *(uint32_t*)0x20002354 = 0; *(uint64_t*)0x20004ce8 = 0x20002380; *(uint32_t*)0x20002380 = 0x28; *(uint32_t*)0x20002384 = 0; *(uint64_t*)0x20002388 = 3; *(uint64_t*)0x20002390 = 9; *(uint64_t*)0x20002398 = 0x101; *(uint32_t*)0x200023a0 = 0; *(uint32_t*)0x200023a4 = -1; *(uint64_t*)0x20004cf0 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x60; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 9; *(uint64_t*)0x200023d0 = 0xf652; *(uint64_t*)0x200023d8 = 0x8d; *(uint64_t*)0x200023e0 = 0; *(uint64_t*)0x200023e8 = 0x3f; *(uint64_t*)0x200023f0 = 0x80000000; *(uint32_t*)0x200023f8 = 0; *(uint32_t*)0x200023fc = 3; *(uint32_t*)0x20002400 = 0; *(uint32_t*)0x20002404 = 0; *(uint32_t*)0x20002408 = 0; *(uint32_t*)0x2000240c = 0; *(uint32_t*)0x20002410 = 0; *(uint32_t*)0x20002414 = 0; *(uint32_t*)0x20002418 = 0; *(uint32_t*)0x2000241c = 0; *(uint64_t*)0x20004cf8 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 2; *(uint32_t*)0x20002450 = 
0xa8f; *(uint32_t*)0x20002454 = 0; *(uint64_t*)0x20004d00 = 0x20002480; *(uint32_t*)0x20002480 = 0x26; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 8; memcpy((void*)0x20002490, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004d08 = 0x200024c0; *(uint32_t*)0x200024c0 = 0x20; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 6; *(uint64_t*)0x200024d0 = 0; *(uint32_t*)0x200024d8 = 0x12; *(uint32_t*)0x200024dc = 0; *(uint64_t*)0x20004d10 = 0x20004540; *(uint32_t*)0x20004540 = 0x78; *(uint32_t*)0x20004544 = 0xfffffff5; *(uint64_t*)0x20004548 = 0x81; *(uint64_t*)0x20004550 = 1; *(uint32_t*)0x20004558 = 7; *(uint32_t*)0x2000455c = 0; *(uint64_t*)0x20004560 = 5; *(uint64_t*)0x20004568 = 8; *(uint64_t*)0x20004570 = 6; *(uint64_t*)0x20004578 = 0x1ff; *(uint64_t*)0x20004580 = 5; *(uint64_t*)0x20004588 = 4; *(uint32_t*)0x20004590 = 4; *(uint32_t*)0x20004594 = 0xe8; *(uint32_t*)0x20004598 = 0x193; *(uint32_t*)0x2000459c = 0x7000; *(uint32_t*)0x200045a0 = 6; *(uint32_t*)0x200045a4 = -1; *(uint32_t*)0x200045a8 = r[4]; *(uint32_t*)0x200045ac = 3; *(uint32_t*)0x200045b0 = 9; *(uint32_t*)0x200045b4 = 0; *(uint64_t*)0x20004d18 = 0x200045c0; *(uint32_t*)0x200045c0 = 0x90; *(uint32_t*)0x200045c4 = 0; *(uint64_t*)0x200045c8 = 0x8612; *(uint64_t*)0x200045d0 = 5; *(uint64_t*)0x200045d8 = 3; *(uint64_t*)0x200045e0 = 0xb2f; *(uint64_t*)0x200045e8 = 0x20; *(uint32_t*)0x200045f0 = 0; *(uint32_t*)0x200045f4 = 7; *(uint64_t*)0x200045f8 = 0; *(uint64_t*)0x20004600 = 0x1ff; *(uint64_t*)0x20004608 = 2; *(uint64_t*)0x20004610 = 2; *(uint64_t*)0x20004618 = 0x1de; *(uint64_t*)0x20004620 = 0x5a; *(uint32_t*)0x20004628 = 9; *(uint32_t*)0x2000462c = 0xc46; *(uint32_t*)0x20004630 = 5; *(uint32_t*)0x20004634 = 0xc000; *(uint32_t*)0x20004638 = 0xddce; *(uint32_t*)0x2000463c = 0xee01; *(uint32_t*)0x20004640 = 0xee00; *(uint32_t*)0x20004644 = 0; *(uint32_t*)0x20004648 = 0x12; *(uint32_t*)0x2000464c = 0; *(uint64_t*)0x20004d20 = 0x20004680; *(uint32_t*)0x20004680 = 0x10; *(uint32_t*)0x20004684 
= 0; *(uint64_t*)0x20004688 = 5; *(uint64_t*)0x20004d28 = 0x20004900; *(uint32_t*)0x20004900 = 0x2c0; *(uint32_t*)0x20004904 = 0xfffffff5; *(uint64_t*)0x20004908 = 0x8a; *(uint64_t*)0x20004910 = 4; *(uint64_t*)0x20004918 = 3; *(uint64_t*)0x20004920 = 0xfff; *(uint64_t*)0x20004928 = 6; *(uint32_t*)0x20004930 = -1; *(uint32_t*)0x20004934 = 8; *(uint64_t*)0x20004938 = 5; *(uint64_t*)0x20004940 = 0xca13; *(uint64_t*)0x20004948 = 0x81; *(uint64_t*)0x20004950 = 4; *(uint64_t*)0x20004958 = 0; *(uint64_t*)0x20004960 = 0xbbc; *(uint32_t*)0x20004968 = 0; *(uint32_t*)0x2000496c = 3; *(uint32_t*)0x20004970 = 0x34b; *(uint32_t*)0x20004974 = 0x4000; *(uint32_t*)0x20004978 = 9; *(uint32_t*)0x2000497c = 0; *(uint32_t*)0x20004980 = 0xee01; *(uint32_t*)0x20004984 = 2; *(uint32_t*)0x20004988 = 0x81; *(uint32_t*)0x2000498c = 0; *(uint64_t*)0x20004990 = 3; *(uint64_t*)0x20004998 = 0x80000001; *(uint32_t*)0x200049a0 = 0x16; *(uint32_t*)0x200049a4 = 0xf97; memcpy((void*)0x200049a8, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x200049c0 = 5; *(uint64_t*)0x200049c8 = 3; *(uint64_t*)0x200049d0 = 0x100000001; *(uint64_t*)0x200049d8 = 0x10001; *(uint32_t*)0x200049e0 = 7; *(uint32_t*)0x200049e4 = 0x83; *(uint64_t*)0x200049e8 = 5; *(uint64_t*)0x200049f0 = 5; *(uint64_t*)0x200049f8 = 0x100; *(uint64_t*)0x20004a00 = 6; *(uint64_t*)0x20004a08 = 0xfffffffffffffbff; *(uint64_t*)0x20004a10 = 0xb533; *(uint32_t*)0x20004a18 = 0x800; *(uint32_t*)0x20004a1c = 0xad7; *(uint32_t*)0x20004a20 = 0x32f914fb; *(uint32_t*)0x20004a24 = 0x2000; *(uint32_t*)0x20004a28 = 0xe0; *(uint32_t*)0x20004a2c = r[6]; *(uint32_t*)0x20004a30 = 0xee01; *(uint32_t*)0x20004a34 = 4; *(uint32_t*)0x20004a38 = 0x64; *(uint32_t*)0x20004a3c = 0; *(uint64_t*)0x20004a40 = 4; *(uint64_t*)0x20004a48 = 0xfffffffffffffffc; *(uint32_t*)0x20004a50 = 0x16; *(uint32_t*)0x20004a54 = 6; memcpy((void*)0x20004a58, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004a70 = 2; *(uint64_t*)0x20004a78 = 2; *(uint64_t*)0x20004a80 = 7; 
*(uint64_t*)0x20004a88 = 0x8000; *(uint32_t*)0x20004a90 = 9; *(uint32_t*)0x20004a94 = 3; *(uint64_t*)0x20004a98 = 2; *(uint64_t*)0x20004aa0 = 7; *(uint64_t*)0x20004aa8 = 0x80000000; *(uint64_t*)0x20004ab0 = 8; *(uint64_t*)0x20004ab8 = 6; *(uint64_t*)0x20004ac0 = 0x400; *(uint32_t*)0x20004ac8 = 0xc932; *(uint32_t*)0x20004acc = 0x81; *(uint32_t*)0x20004ad0 = 5; *(uint32_t*)0x20004ad4 = 0x1000; *(uint32_t*)0x20004ad8 = 0xf841; *(uint32_t*)0x20004adc = r[7]; *(uint32_t*)0x20004ae0 = 0xee00; *(uint32_t*)0x20004ae4 = 0xff; *(uint32_t*)0x20004ae8 = 5; *(uint32_t*)0x20004aec = 0; *(uint64_t*)0x20004af0 = 4; *(uint64_t*)0x20004af8 = 0xffffffffffff3232; *(uint32_t*)0x20004b00 = 0x16; *(uint32_t*)0x20004b04 = 5; memcpy((void*)0x20004b08, "bpf_lsm_unix_may_send\000", 22); *(uint64_t*)0x20004b20 = 4; *(uint64_t*)0x20004b28 = 0; *(uint64_t*)0x20004b30 = 0; *(uint64_t*)0x20004b38 = 7; *(uint32_t*)0x20004b40 = 0x200; *(uint32_t*)0x20004b44 = 6; *(uint64_t*)0x20004b48 = 5; *(uint64_t*)0x20004b50 = 0x1020000; *(uint64_t*)0x20004b58 = 6; *(uint64_t*)0x20004b60 = 0x7f; *(uint64_t*)0x20004b68 = 0xce; *(uint64_t*)0x20004b70 = 0; *(uint32_t*)0x20004b78 = 0xa9fb; *(uint32_t*)0x20004b7c = 0xffffff81; *(uint32_t*)0x20004b80 = 0x3ff; *(uint32_t*)0x20004b84 = 0x1000; *(uint32_t*)0x20004b88 = 0; *(uint32_t*)0x20004b8c = 0; *(uint32_t*)0x20004b90 = r[8]; *(uint32_t*)0x20004b94 = 0x8de6; *(uint32_t*)0x20004b98 = 3; *(uint32_t*)0x20004b9c = 0; *(uint64_t*)0x20004ba0 = 2; *(uint64_t*)0x20004ba8 = 0xffffffff; *(uint32_t*)0x20004bb0 = 1; *(uint32_t*)0x20004bb4 = 5; memcpy((void*)0x20004bb8, "/", 1); *(uint64_t*)0x20004d30 = 0x20004bc0; *(uint32_t*)0x20004bc0 = 0xa0; *(uint32_t*)0x20004bc4 = 0; *(uint64_t*)0x20004bc8 = 0x3f; *(uint64_t*)0x20004bd0 = 5; *(uint64_t*)0x20004bd8 = 2; *(uint64_t*)0x20004be0 = 0; *(uint64_t*)0x20004be8 = 7; *(uint32_t*)0x20004bf0 = 6; *(uint32_t*)0x20004bf4 = 3; *(uint64_t*)0x20004bf8 = 2; *(uint64_t*)0x20004c00 = 0xf51e; *(uint64_t*)0x20004c08 = 0x65; 
*(uint64_t*)0x20004c10 = 1; *(uint64_t*)0x20004c18 = 0x8b; *(uint64_t*)0x20004c20 = 0x7f; *(uint32_t*)0x20004c28 = 0x100; *(uint32_t*)0x20004c2c = 9; *(uint32_t*)0x20004c30 = 0x24; *(uint32_t*)0x20004c34 = 0xa000; *(uint32_t*)0x20004c38 = 0x3f; *(uint32_t*)0x20004c3c = 0; *(uint32_t*)0x20004c40 = -1; *(uint32_t*)0x20004c44 = 0x40; *(uint32_t*)0x20004c48 = 3; *(uint32_t*)0x20004c4c = 0; *(uint64_t*)0x20004c50 = 0; *(uint32_t*)0x20004c58 = 1; *(uint32_t*)0x20004c5c = 0; *(uint64_t*)0x20004d38 = 0x20004c80; *(uint32_t*)0x20004c80 = 0x20; *(uint32_t*)0x20004c84 = 0xfffffff5; *(uint64_t*)0x20004c88 = 0x401; *(uint32_t*)0x20004c90 = 0x5b2; *(uint32_t*)0x20004c94 = 0; *(uint32_t*)0x20004c98 = 9; *(uint32_t*)0x20004c9c = 2; syz_fuse_handle_req(r[3], 0x20000200, 0x2000, 0x20004cc0); break; case 21: memcpy((void*)0x20004d40, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004d40); break; case 22: res = -1; res = syz_init_net_socket(3, 2, 1); if (res != -1) r[9] = res; break; case 23: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[10] = res; break; case 24: *(uint32_t*)0x20004d84 = 0xb8ca; *(uint32_t*)0x20004d88 = 0x20; *(uint32_t*)0x20004d8c = 0xe7c; *(uint32_t*)0x20004d90 = 0x26b; *(uint32_t*)0x20004d98 = r[10]; *(uint32_t*)0x20004d9c = 0; *(uint32_t*)0x20004da0 = 0; *(uint32_t*)0x20004da4 = 0; syz_io_uring_setup(0x3e79, 0x20004d80, 0x20ffc000, 0x20ffb000, 0x20004e00, 0x20004e40); break; case 25: *(uint32_t*)0x20004e84 = 0x29dc; *(uint32_t*)0x20004e88 = 2; *(uint32_t*)0x20004e8c = 1; *(uint32_t*)0x20004e90 = 0x3d6; *(uint32_t*)0x20004e98 = r[3]; *(uint32_t*)0x20004e9c = 0; *(uint32_t*)0x20004ea0 = 0; *(uint32_t*)0x20004ea4 = 0; res = -1; res = syz_io_uring_setup(0x5336, 0x20004e80, 0x20ffd000, 0x20ffb000, 0x20004f00, 0x20004f40); if (res != -1) { r[11] = *(uint64_t*)0x20004f00; r[12] = *(uint64_t*)0x20004f40; } break; case 26: memcpy((void*)0x20004f80, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20004f80, 0xfffffffffffffff8, 0x240); if (res != -1) 
r[13] = res; break; case 27: *(uint8_t*)0x20004fc0 = 6; *(uint8_t*)0x20004fc1 = 0; *(uint16_t*)0x20004fc2 = 0; *(uint32_t*)0x20004fc4 = r[13]; *(uint64_t*)0x20004fc8 = 0; *(uint64_t*)0x20004fd0 = 0; *(uint32_t*)0x20004fd8 = 0; *(uint16_t*)0x20004fdc = 0x4404; *(uint16_t*)0x20004fde = 0; *(uint64_t*)0x20004fe0 = 0; *(uint16_t*)0x20004fe8 = 0; *(uint16_t*)0x20004fea = 0; *(uint8_t*)0x20004fec = 0; *(uint8_t*)0x20004fed = 0; *(uint8_t*)0x20004fee = 0; *(uint8_t*)0x20004fef = 0; *(uint8_t*)0x20004ff0 = 0; *(uint8_t*)0x20004ff1 = 0; *(uint8_t*)0x20004ff2 = 0; *(uint8_t*)0x20004ff3 = 0; *(uint8_t*)0x20004ff4 = 0; *(uint8_t*)0x20004ff5 = 0; *(uint8_t*)0x20004ff6 = 0; *(uint8_t*)0x20004ff7 = 0; *(uint8_t*)0x20004ff8 = 0; *(uint8_t*)0x20004ff9 = 0; *(uint8_t*)0x20004ffa = 0; *(uint8_t*)0x20004ffb = 0; *(uint8_t*)0x20004ffc = 0; *(uint8_t*)0x20004ffd = 0; *(uint8_t*)0x20004ffe = 0; *(uint8_t*)0x20004fff = 0; syz_io_uring_submit(0, r[12], 0x20004fc0, 8); break; case 28: memcpy((void*)0x20005000, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20005000, 0x1000, 0x8600); if (res != -1) r[14] = res; break; case 29: *(uint64_t*)0x20005080 = 0; *(uint64_t*)0x20005088 = 0x20005040; memcpy((void*)0x20005040, "\x48\xd5\xa3\x40\x0d\x13\x5d\xd4\x91\x01\x61\x86\x7c\x99\x1f\xc7\xd6\x8d\x55\x14\x5f\xbb\xc5\xc4\x98\xb5\x8f\xba\x49\xbd\x01\xb6\x83\x86\x47\x33\x65\xa9\x13\x12\x72\xed\xe1\xd5\x3b\xc2\x85\x05\x1b\x85", 50); *(uint64_t*)0x20005090 = 0x32; *(uint64_t*)0x200050c0 = 1; *(uint64_t*)0x200050c8 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x20005080, 1, 0, 0x200050c0, 1); break; case 30: *(uint32_t*)0x20005100 = 1; syz_memcpy_off(r[11], 0x114, 0x20005100, 0, 4); break; case 31: memcpy((void*)0x20005140, "afs\000", 4); memcpy((void*)0x20005180, "./file0\000", 8); *(uint64_t*)0x20006640 = 0x200051c0; memcpy((void*)0x200051c0, "\xc5\xf6\xf4\x20\xae\xec\x38\x8c\xed\xec\x2b\x59\x7c\x81\x56\x53\x8c\xd4\x58\x60\x34\x19\x9f\x56\xf5\x94\x4d\xa0\x3d\x8c\xa8\x29\xf6\xc6\xb6", 35); 
*(uint64_t*)0x20006648 = 0x23; *(uint64_t*)0x20006650 = 1; *(uint64_t*)0x20006658 = 0x20005200; memcpy((void*)0x20005200, "\xf4\xee\x9e\xdc\x1b\xe2\xc2\xd8\x62\xa4\x80\xf3\x0a\xe3\x0d\xaf\xad\xfd\xf8\x69\xf7\x78\x9a\x45\x49\xf5\xa8\xda\xc0\x6f\xe4\xc5\xd5\xd2\xcf\x00\x66\xd8\x8b\xfc\xa6\xaf\x40\x74\x5e\xd6\x17\xb7\xa1\x46\xc9\x40\xde\x37\x50\x5c\xb9\x65\xea\xa1\x98\x2c\x8c\xa0\xec\x21\x06\xf4\x7e\x4e\x26\x5f\x1e\x19\x28\x5b\xba\x7e\xb5\x77\xf6\x00\x66\xb5\xf4\x6c\x62\xd2\xec\x00\x68\xed\xcb\xe6\x30\x0e\x4f\x1e\x3c\xce\x42\x9e\x45\xa7\xdf\x28\x7e\x80\x09\x84\x1d\xb1\x01\x51\x34\xee\xaa\x72\x43\x11\xe5\x51\x81\xcb\x7a\xfe\x7d\xfd\xc7\x94\x6b\xd1\x45\x23\xea\x66\x80\xea\x42\xca\x9f\x7b\x0e\xaa\xab\xe1\xd0\x54\x27\x7e\xff\x60\x7e\xf4\xf8\x40\x2e\x5d\xc3\x7e\x6a\x52\x8e\xc3\x56\x58\x23\xc0\x31\xa8\x46\x0e\x8b\x5f\x67\x06\x68\xf8\x6b\x90\xa0\x26\x04\x3a", 184); *(uint64_t*)0x20006660 = 0xb8; *(uint64_t*)0x20006668 = 2; *(uint64_t*)0x20006670 = 0x200052c0; memcpy((void*)0x200052c0, "\xba\xee\xde\x48\x17\x36\xd9\x0f\x0a\xa3\x6f\xb3\x27\x95\x6d\xd7\x63\x57\x8e\x20\x19\x9f\x0d\xc8\x5f\x18\x5c\x93\x06\x86\x6b\xa3\x3c\x93\xd2\xaf\x96\x13\xc9\x29\x09\xc6\x51\x25\x4e\x6a\x63\x50\x3d\xbf\x31\x7b\x02\x1c\x4b\x3c\x8d\xe3\x05\xd3\xde\x39\xa1\xad\x9a\xc1\xb0\xab\x3f\x51\xf6\x8c\x1a\xe1\xda\x3e\x4c\xc7\x44\xfd\x00\xdf\xa6\xd1\xb9\x6e\x21\x13\x40\x07\xd3\x1c\x93\x01\x38\x54\xed\x32\x55\x0f\x1b\x82\xa4\xc0\x3c\xa6\x74\x40\xd8\x65\x45\xdc\xd2\x9e\xea\x99\x27\x4f\x65\x57\x37\xad\x5a\x54\xd9\xe7\xf9\xde\xc4\x91\x29\xbb\x84\xbe\xb6\x2b\x18\x53\xf6\x9e\x6a\x07\x72\x09\xf7\xe5\x5c\xe0\xd5\x16\x86\xca\x76\x4d\x2c\xe3\x34\xcd\x6d\x09\xb5\xd9\x23\x57\xbd\xef\x60\xa6\x35", 169); *(uint64_t*)0x20006678 = 0xa9; *(uint64_t*)0x20006680 = 0; *(uint64_t*)0x20006688 = 0x20005380; memcpy((void*)0x20005380, 
"\x31\xf1\xfb\xee\x4b\x48\xe6\xe6\x9c\xb6\x1b\xd1\xcc\xc1\xe2\x13\xaf\x5a\x28\xe7\x4c\xff\xc2\xe5\xe8\x2f\xbb\xcd\x1c\x34\x00\xfa\xf3\x79\xd1\xa1\x94\xd5\x2a\x36\x67\xe2\x01\x9b\x9a\xec\x0e\x14\xfe\xed\x8f\xea\x77\x0a\x9a\x1b\xfb\xbc\x30\x99\x73\x21\xbc\xbb\xcf\x4d\x11\x5b\xb3\xd3\x26\x9e\x50\xbe\xca\x59\x82\xef\x1d\x22\xc9\x83\xd7\x86\x21\xdb\xaa\x93\xe8\x39\x5e\xfe\x31\xdf\xad\xed\xca\xde\xd0\x97\x6f\x5f\x0c\x7d\x4f\x17\xb6\xcc\x88\xb8\x97\xce\x5d\xdf\xf1\xad\xe8\xef\x2d\x62\xdc\xbe\xd4\x21\x58\x9e\x3c\xfb\x5d\x85\x50\xd3\x65\x1a\x99\x11\x5d\x6e", 138); *(uint64_t*)0x20006690 = 0x8a; *(uint64_t*)0x20006698 = 2; *(uint64_t*)0x200066a0 = 0x20005440; memcpy((void*)0x20005440, "\x78\x81\xb6\x81\x1e\xa2\xae\xc8\xf2\x7f\x7f\x7f\x52\x3c\xc4\xba\xca\x36\x52\xf7\x30\x3c\xd7\x48\xfb\x4e\xd8\xcc\x78\x3a\xc5\x78\xa9\xe8\x53\xa9\x90\x6a", 38); *(uint64_t*)0x200066a8 = 0x26; *(uint64_t*)0x200066b0 = 1; *(uint64_t*)0x200066b8 = 0x20005480; memcpy((void*)0x20005480, "\xc5\x05\xe1\x80\x5e\x72\xc2\x3f\x48\x9b\xb4\x5d\x55\x60\x79\x64\x53\x32\x08\x2b\x1b\x6b\xef\x7a\xdc\x39\xb0\x98\xe1\x73\xf4\x2f\xdd\x8d\x2c\x65\xce\xb6\x64\xad\xb4\x7d\xe1\x73\xdb\x5b\x34\x23\xe0\x2b\xfe\xe5\x83\x39\xfc\xb7\xd8\x5f\x2d\x1a\xcd\x1f\xed\x18\xda\x1c\xb7\xb3\xd2\x8d\x4e\x36\x8a\xa5\xf0\x2a\x89\x50\xaf\xd1\x9b\x0d\x60\x03\xc1\xfc\x54\x24\xd3\xe2\x8d\x4b\xf7\x90\x2f\xa3\xd9\x99\xb4\xf6\x23\x68\xc5\x84\x4f\x1e\x9e\x4d\x19\x5c\x65\x48\xc1\xa0\xe6\x14\x80\xc6\x1f\xe3\xfc\x89\x54\x81\x0a\x5c\x55\x19\xa2\x85\x0a\xff\x54\x44\xdf\xe3\x6d\x6c\x08\xfb\x25\x1d\x64\x59\x51\xca\x0a\xee\x8a\xe0\x9d\x52\x18\xce\x7d\x78\x3d\x4a\x62\x07\x0c\xce\x23\x1a\xb7\xc6\x30\x93\x1f\xbc\x78\x39\xba\x29\x79\x30\x5c\xab\xb4\x5f\x4a\xa2\xdc\x92\x49\x72\xfe\x3a\x5a\x80\x6c\x03\xc7\x41\x79\x3e\xb0\x46\xd5\x66\xef\x8d\xe1\xd0\xb7\x14\x50\xb5\x61\xba\x65\xb0\x14\x14\x29\xbd\x3e\x5a\x42\x06\xb4\x7e\xf0\x97\x27\x5e\xad\x1f\xe3\x12\x57\xa7\x23\xdd\xc5\x85\xc7\x03\xf5\xd0\xfc\xf7\xb2\x98\x13\x4d\x89\xd0\x3f\x47\x7a\xb7\xaf\x75\x6e\x3a\x4f\x9e
\x1d\x06\xca\x01\xf2\xb7\x59\xc9\x55\xb8\xe8\xbf\xc1\xb8\x07\x01\x98\xb3\x30\xf5\x85\x8c\x69\x51\x61\x06\x82\xa3\xcb\xdc\xb5\x91\xf1\x39\xa7\x1e\x88\x3b\xb7\x69\x1c\xb5\x6b\xc0\xad\x95\xdd\x77\x4f\xdc\x11\x0d\x07\x5b\x3a\xcf\x5f\xbb\xb2\x27\x22\x79\x21\xe1\x0a\xa5\xb7\x3d\xa8\x1d\xca\x19\x66\x00\x37\x61\x20\x26\x6c\xc8\x4f\x0c\xc2\xee\x0f\xf3\xf6\xc7\x4b\x65\x6a\x61\xb5\xf5\xae\x6d\xab\x4a\x9c\xe8\x4c\xb9\x7c\x0b\x90\xe7\xa0\xd0\x78\x28\x81\x9e\x2b\xdd\xb1\xa7\x27\x7c\xaf\x68\x71\x95\xec\x83\x64\xd8\x52\xb9\x86\x43\xf5\x55\xdc\xa6\xad\x72\xd6\x80\x64\x3f\x29\xc3\x22\x57\x5f\x2e\x57\x11\x34\x3f\x8a\xa2\x4d\x7d\xeb\x87\xd3\xac\xe4\x82\xbc\x05\xdc\xd5\x28\x83\x38\xb5\x84\x99\x4a\x09\x0c\x45\x1a\xbb\x28\x4c\x01\x04\xc5\xf3\x79\x08\xeb\x33\x07\xd6\x5e\x79\x2b\x4f\x25\x86\x00\xde\x77\x07\xc8\xb1\x54\xff\xd5\xf5\x6d\x7a\x17\xc6\x2f\x09\x28\x28\x51\x6f\x82\xea\x4a\x12\x6a\x2a\x36\x0c\x70\x31\x08\x77\x0c\xc7\xe7\x50\x5c\x8e\x18\x0c\x5f\x37\x6d\x0d\xba\xf1\xe1\x85\xa5\x04\xed\x01\x3b\x0b\x16\x24\x83\xf9\xe2\xa3\xbe\xc7\xd6\x83\x30\x82\xac\x95\x4e\x8f\x5e\x31\x84\x37\x2e\x05\x08\xad\x7e\x0f\xb4\xb2\xf1\x20\x1a\x35\x88\x2a\xda\x41\x5d\xfd\xb3\x65\x87\xe8\x87\x95\x10\x1f\x9d\xc6\xc0\xd2\x6b\xbb\x64\x24\x21\xdb\x09\x73\xef\x28\x3c\x2b\xea\x7f\x5c\x9c\x35\xeb\x13\xea\x5a\x97\x42\x85\x2f\x08\x3e\x44\x32\x82\xcb\xad\x94\x7e\xa0\x5d\x3f\x99\x8b\xf3\xf8\x60\xcd\x12\x5b\x26\x6e\x1f\x3b\x84\xc4\xe6\x2b\x4e\x49\xae\x7f\x85\x2d\x57\x8e\xab\x24\xa0\xc5\xe4\xc6\x09\x28\xb6\x99\xc7\xb6\x8c\x63\x28\xf3\x2c\xa3\x71\x5b\x94\x00\x55\xb6\xad\x04\xf9\x94\x16\x55\xdc\xfa\x91\xdc\x4d\xf0\x21\xa7\x45\x04\x51\x9f\x0a\x7d\xf1\x0d\xb5\x05\xda\x8c\xa4\xa0\x52\x58\x04\xdf\xd9\x0a\x31\xbb\xa6\x48\xbe\xe5\x7b\xcc\xd6\xcd\x9a\x59\x6e\xb9\x45\x86\x7e\x02\x31\xfa\xfb\x66\xc5\x01\x7b\x29\x79\xad\xe5\xdf\xcf\xb2\x4c\xb5\xc7\x88\x15\x11\x18\x56\x04\x90\x6d\x1f\x20\x1a\x12\x64\xa5\x4c\x20\xc1\x73\x90\x1d\x32\x5f\x5c\x2b\x0e\x0f\xff\x22\xc6\x83\x4d\x07\x0c\xbe\xdc\x8a\xe6\x6f\x2f\xce\x84\x88\xd7\x7b\x1f\x92\x57\xa9
\x1a\x00\x1e\xda\x07\x55\x56\xc2\x3e\x7a\xdb\xde\x0c\x99\x4b\xd6\x98\x0c\xbd\xb3\x44\xd0\x4e\xfd\x2a\x3f\x4e\x73\x26\x20\x26\x0d\x15\xf6\x08\x4c\xca\xb9\xb2\xf1\x3b\xf5\x47\x82\xeb\x2f\x56\x89\x19\xe0\xae\xfc\x06\x3f\x3f\x2a\xf6\xbe\xb8\x19\x15\x9c\xfd\xb0\x53\x4e\x79\xe0\xcd\x74\x51\x5b\x52\x8c\x82\xce\xfa\xec\x85\x47\xd0\x5f\x08\xb0\x04\x24\xa0\x2a\xbb\x0f\xe2\x0d\x30\x55\xd3\xb9\xd9\x7e\x8b\xad\x3a\x7b\x22\x02\xb8\xef\xfc\x5d\xa0\x55\xf4\xeb\x18\x27\xdc\xb1\xde\x57\xde\xfc\x3c\xcb\xe7\xc3\x02\x79\xa3\x04\x11\x96\xa9\xf0\xb1\xa7\x44\x91\xc0\x7b\x9a\x1a\xf0\x40\xe5\x3e\xc7\x1a\x91\x10\xe2\x0f\x32\x09\x2a\xdd\xcd\x05\x8a\x15\x07\x9b\x71\x8f\xac\x59\x4d\x8e\x75\x13\x9b\xc9\x26\x0f\xf6\x56\x47\x25\x0f\xd7\xce\x6b\xdb\xc3\x05\xc0\x79\xc5\xcc\x2f\xe6\xcd\x1f\xca\x99\x3e\x85\x30\xe0\x37\x38\x83\x90\x08\xdc\x65\x8f\x22\x66\x4e\xea\x77\x06\xf6\xad\xa2\x4c\xa1\xa2\x2e\x83\x0a\xad\x64\xf4\xdc\x44\x38\x7d\x83\xad\x42\x88\xf4\x46\x72\xd9\xa0\x55\x59\xfb\x29\xc6\x6f\xe6\x67\x9e\x97\x9f\x86\xee\x31\x67\x5f\x50\x1d\x95\x81\x47\x96\x61\x29\x08\xd1\xf7\x03\x7b\x69\x0b\x94\x81\xfb\x68\x7f\x2d\x52\xb5\xa3\x73\x51\x5f\x62\x07\x59\x36\x04\x2a\x0e\x9d\x10\xc9\x11\x14\xa9\xe7\x4c\xa7\xac\x76\x55\x8f\x73\xfa\x26\xfe\x9d\x14\xde\xa8\x5d\x4c\x9f\xae\x1f\x6c\x53\xbb\x76\x8b\x14\x57\xa7\xf8\x9b\xcb\xf9\x0e\x70\x69\x75\x37\x67\xf0\xc1\x90\x21\x63\xe4\x00\xaf\xdd\x91\xec\x2d\xac\xbe\x68\x0c\x7d\x64\x54\xa0\xf1\x73\x49\x0b\x6b\x1e\xd4\x88\x1e\x82\xcd\x79\xd6\xb8\x91\x61\xd8\x7f\x4f\x27\x0d\xea\xde\xbe\xb3\x51\x07\xc1\x9c\x7a\x6d\x54\x08\xe6\x0b\x32\x5c\x64\xdb\xb9\x98\x3b\xfa\xf0\x30\x6f\xac\x8a\x0f\xb3\x24\xaf\x5d\x69\xc2\x1c\x62\xa8\xb5\xe2\x57\xa4\x8d\xe0\x69\x22\x6a\xb2\x9a\xee\xad\x17\xfa\x45\xf3\x84\x75\x0f\x8b\xba\x1d\x46\xe0\xa4\x12\x78\x07\xe1\x0d\x15\x70\xda\x63\xb2\x02\xee\xb7\x15\x38\x6a\xfe\x3d\x8b\x17\x47\xca\xa6\xa4\x14\x16\xdd\x65\x52\x4d\x22\x28\xea\xaa\xd1\xa6\x1b\xff\x8d\xb8\xbe\x75\x2c\x45\xae\xca\x76\xde\xa3\xaa\x68\x08\x36\x4c\xf7\x58\xdc\x87\x03\x41\x7a\x49\xb9\x3e\xca\x5a
\xd0\x9d\x63\x30\x3a\x4a\xc3\x78\xaa\xd3\x4a\x08\xde\xcc\x4a\x72\x0c\x3e\xea\xf8\x8a\xce\x0a\x72\x90\x0b\xc3\xdd\x40\x2c\x12\x2d\x00\xd5\x6b\x51\x72\x35\xae\x91\x12\x83\x2d\x63\x7b\x93\x17\xb6\x1f\x9d\xcb\x0c\x48\xe7\x28\xe8\x50\xdf\xd5\x26\x26\xdb\x29\x6a\xad\x77\xb9\xc7\xcd\x91\x67\xf3\x19\x47\x47\xc0\x11\xa5\xfb\xda\xbc\xa9\xca\xbd\x2f\x6b\x75\x81\xf9\xd9\x1c\x63\x66\xd5\x26\xb1\x68\x3e\x3f\xee\xfd\x0f\xe3\x0f\x53\xe7\xcb\x7d\xe4\x1e\x89\xe4\xe7\x43\xef\xea\x39\x44\xea\x8a\xfd\x9f\x77\x8a\x7f\x06\xbf\xb0\xef\x23\x86\x48\xc2\x1c\xed\xfd\xd8\xb7\x6e\xed\x76\x57\x74\xd7\xa4\x90\xb0\xee\x46\x4e\x44\x88\xa9\xc3\xdd\x21\xc7\xba\x2e\x63\xa3\x1a\xe3\x8f\xfa\xb2\x09\x46\x0b\xa9\x3a\x62\x02\x9d\x8f\x2a\xde\x13\x77\xb5\x34\x38\xb0\x51\x90\x12\x27\x39\x82\x72\x63\x9f\x12\x4d\x42\xb5\x55\xd5\x91\xa6\x65\x5f\x73\xf6\xc4\x6c\x51\x4c\xf3\x2a\xe4\xc6\x04\x6c\x38\x04\x07\xf7\xd9\xcf\x3c\x14\x1b\xdd\x94\x69\x13\x84\x95\x8e\x67\x17\x8f\x81\x6a\x63\xe4\xcc\x18\x9c\x52\x16\x38\xdc\x7a\x28\xd2\xaf\xb6\x12\x84\x76\xe4\x08\xee\x85\xb9\x9a\x12\x61\x29\xc5\x5e\x67\x9c\x0b\xdc\xeb\xd9\x66\x98\x17\xe9\x45\xb0\xff\xfa\x61\x5a\xb9\xce\xf2\xf8\x59\xe0\xac\x38\x25\x36\x11\xfe\x63\xbd\x57\xfd\xf0\x3f\xb0\xd6\x5c\x1c\xc6\x5d\xf2\x65\x38\x59\xfc\x59\x4f\x9a\x3e\xb3\x79\xd1\x17\xda\x82\x8a\xc5\x58\x6b\x3f\x6d\x3b\xcc\xf1\xd5\x4c\x45\xbc\x1a\x5f\xa4\x5e\xd7\xad\x36\x6c\xff\x39\xa6\x32\xbd\x4d\x14\x70\x0d\x30\xf7\x0c\x99\x72\x5c\x2f\xb8\xee\x97\xcb\xc5\x9f\x8e\x5b\x64\xfa\xc8\xfe\x2f\x83\x60\x41\xbb\x57\x08\xa3\x64\x0b\xbc\x67\xf9\xd0\x9a\xc1\xfd\x36\x46\xa6\xf7\x44\x6f\x48\x15\x98\x9b\xb0\x41\x9c\x94\xb0\xa6\xfc\x97\xd0\xfd\x9e\x51\x90\xe7\x24\xd7\x54\x82\xcc\x1e\xb4\xc0\x77\x53\xb0\x1c\x42\x02\xc4\xd0\x9d\x00\x6b\xd6\xbd\x92\xb3\x3c\xd4\x0d\x8f\x1b\xf7\xea\x73\x9a\x68\x6f\x8d\x3a\x12\xdf\x2f\x7c\x57\x8a\xd2\xe0\xc1\xb2\x9c\x04\xf2\x82\x85\x70\x45\xed\x90\x38\x28\x30\xcf\x0f\x2f\x2c\x8d\x22\x07\x3e\xde\xc3\x1d\xd2\x57\x30\x0b\xa6\x7b\xec\x88\xa1\xe7\xa5\x58\x0f\xdd\xe5\x01\x98\x79\xf6\x96\x2d\xa5\x0d
\x75\xc6\xfd\x13\xa1\x9e\x35\x8e\x13\x41\x35\xdb\xb8\xb4\xbe\xed\xbe\xd1\xcc\x5f\x8f\x20\x34\xee\x29\x7f\xf6\x9b\x9d\xb3\xe0\x05\xe5\x9f\xd5\xea\x22\xba\x51\xbd\x8f\xeb\xde\x9f\xf9\xf6\x5a\x21\xda\x5e\x13\x5c\xa8\x86\x07\x31\xc4\xde\xe9\xc3\x3c\x7e\xdb\xa5\x08\xd2\x6d\xdb\x55\x92\xfd\xf9\x85\x06\x70\x2f\x99\x80\x37\xe6\xb4\x18\xc5\xc7\x83\x62\x43\x48\xf5\x7d\x2c\xf2\xcd\x8f\xb8\x37\xc6\x18\x53\xf5\x16\xc6\x8e\x76\x58\x29\xfe\x2f\x74\x11\x66\xa7\x4a\xfd\x1e\xdc\x90\x97\x1c\x4e\xda\x7a\x6a\x18\xd8\x5d\x54\xba\x87\xf9\x09\x5b\xd1\x62\x6b\x9b\x90\x0c\xf6\xfe\x05\xee\xb1\xb4\xf0\x05\x99\xb6\xe8\x38\x1f\xe2\x8d\xe8\x51\xe1\x9a\x02\x52\xef\xde\x6c\x57\x99\xf5\x6e\xc2\xd6\x1c\xc6\xff\x5d\x1e\xb6\x5e\x9d\x8e\x05\x45\xa9\x2e\x6b\x98\x66\x27\xc7\xf9\x71\x69\x42\x10\xe0\x88\xb7\x84\xbe\xaa\xba\x64\xd2\xab\xe4\x44\x1c\x7b\x14\xfc\x8d\x2a\xda\xfa\xc7\x82\x34\xed\x72\x59\x9c\xc4\x16\xc0\x47\x75\x0b\x24\xac\x3c\x9a\xa4\x69\x0c\x05\x77\x04\x9d\x80\x5b\xae\x79\x92\x2c\x1d\x29\x66\xd9\x75\x2c\x55\x1a\x91\xa9\xfb\xc0\xbb\x95\xc2\x3a\xcc\x2a\x90\x68\x35\x31\xa5\x9f\x30\xfc\x1d\x10\x79\xbd\x9f\xc0\x7f\x0d\x09\xbd\xdc\x01\x37\x2b\xa2\x6c\x13\xef\x30\x6a\xf3\x25\x6f\x23\x5d\x72\xb7\x59\xb6\x61\x8c\x1e\x09\xe8\xdf\x69\x35\xdb\x77\x45\x3b\x49\x96\xb0\x15\x2a\xe1\x37\xd1\xca\xdd\xbd\x5f\x8e\x12\x62\x1a\x54\x81\x55\x43\x45\xdf\xbb\x7e\x2c\x50\x03\x71\x34\x6f\xea\xfd\x5d\xc0\xf6\xe2\xc5\x9e\xa2\xc2\x45\xd1\x5d\xb2\x0e\x87\xc7\x7b\xd9\x08\xd9\x28\x50\xe4\x03\xe5\x8c\xdf\xf0\xe2\xfc\x25\x7f\xf0\x00\xf3\xb2\x68\xdc\xf1\x41\xe7\x75\x25\x10\x61\x08\xa4\xb6\xed\xcf\x89\xf1\xfc\xfb\x12\xa0\xa0\x2a\xd7\xc0\x12\x12\x84\xea\x49\x0c\xa7\xbf\x87\x61\xee\xff\x5b\x37\x5e\xeb\x0a\x03\x8a\x44\x4d\x2f\xb9\x50\xf9\x65\x17\xad\xa9\x4c\xd9\x6f\x8d\xbb\xd0\x42\xa4\xde\xb1\x88\x21\x7b\x7b\x9d\xad\x94\x8b\xb5\x98\x43\xc0\xc3\x92\xbd\x9e\x79\xc8\x5d\x34\x61\x6b\xcd\x99\xfb\xff\x77\x53\x7d\x23\x4c\x05\x1e\x5e\x9a\xa9\x13\xc7\x7c\xbd\xcf\x53\x96\xce\x3f\x06\x83\xe9\x2e\xbd\x0c\x1b\x99\xfb\x5c\x66\x3f\xb9\x7b\x6d\xc2\xd4
\x35\x54\xaa\xa9\x9a\x27\xab\x99\x17\x2b\xac\x17\xe3\xbc\x04\x4d\x3d\x2e\xf8\xf8\x73\xcf\x52\x21\x4e\x71\xd7\xd7\xc5\xff\x9d\xc7\x91\xd4\x0c\xee\x37\x53\x6d\xd1\x2b\xa0\x95\xb4\x8a\x34\x19\x75\x78\x4a\x16\x14\x17\x5a\x1f\xc4\x9d\xc2\x10\x2b\xa5\xc2\x74\x16\xdf\xf8\x27\x9e\xa3\xf2\xc4\x47\x39\xb8\xef\x99\x61\x69\x9a\x4c\x79\x28\x59\xce\xe8\x81\x11\x43\x78\x46\xc9\x45\x01\x75\xb8\xba\x2a\x32\x67\x57\xdc\xbf\xd5\x51\xac\xd1\x5d\x78\x37\x32\x83\x8b\x9c\x92\x4e\x09\x23\xfb\x79\x5b\x77\x04\xbf\x1c\x84\xdb\xe6\x56\x9c\x0d\xf7\x02\xa7\x47\x7f\xa0\x99\x6d\xe5\xd6\x81\xd1\x0f\xa2\xaa\x52\xb1\x42\x53\xba\x91\x3a\xde\xcf\x47\xea\xbf\x1b\x01\x5e\x73\xd6\xba\xb5\xdb\xe5\xd5\xdd\x1e\x06\x7c\xc9\xe4\x80\x60\x40\xdb\x09\xa1\x44\x8e\xd2\x1d\x98\xdc\x6f\x45\x9f\x22\xc9\x51\xc7\xb0\x72\x01\x46\x77\x91\x09\x7b\x39\x04\x10\x36\xa5\x0e\xc5\x59\x6b\x6d\x28\xe1\x4b\x79\xaa\x12\xbe\xfa\x32\xff\x95\x62\x9d\x53\x2a\xda\xed\x53\x42\xc8\x4d\x39\xc8\x22\x53\x82\xf9\x81\xae\x4f\x85\xb7\xa1\xae\x6b\x90\xa8\x18\xb6\x2d\x71\xbf\x59\x2f\x84\x27\x3f\xa2\xcc\xbb\xa6\x5d\xfc\x34\xfd\xaf\x56\x1e\x26\xd3\x07\xb7\x43\xf8\x2b\xc7\x6f\x99\x85\xc9\x50\x76\xc8\x3a\x1d\x28\x65\x32\xb8\xd5\x95\x20\xbf\x6c\x40\xbc\x63\x5f\x51\x60\x8f\x49\xbd\x47\x82\xf6\xa6\xb7\xd3\x7c\x6f\xe8\xe5\x27\x2e\xc0\x8f\x85\xfb\x9b\xaa\x66\xbd\x70\xb1\xdb\x70\xdf\x0b\x12\xce\x35\xd8\xe1\x5c\x18\x7f\xec\xfd\x9f\xa3\x41\x72\x1f\xf6\xb2\x4a\x1b\xb6\x8b\xd0\x74\xc2\xa5\x7d\x74\x60\x91\x7d\xd2\xff\x0d\x08\x04\x11\x2b\x05\x20\xf0\x5c\xd7\x07\x87\xd8\xdc\xe6\xcb\x69\x71\x1e\xf7\x45\x3b\x40\x67\x9e\xc9\x7a\xac\x90\x0e\x69\x8c\xe1\xf8\xe5\x8b\xa7\x38\x59\x0d\xf5\xc4\x58\x8e\xc6\x50\x68\x80\x02\xa2\xc1\x4e\xc6\x0c\x58\x38\x5b\x68\xdb\x23\x8b\x8c\x5b\x18\x9b\x2f\xd5\xfd\x21\x36\x55\xe0\xc8\x19\x00\x94\x97\x64\x02\x2d\x22\x77\xb0\x38\xce\x7d\xbd\x00\xd1\xec\x66\xe2\x31\x95\x63\x6a\x39\x21\x53\x26\xea\x45\x2a\xd0\x89\x9a\x52\x2a\x7a\x77\x96\x5b\x2a\xe6\x0d\x5b\x25\xff\xc6\x4d\x1d\xd5\x04\xd2\x8c\x61\x1f\x38\xce\x5c\x3a\xa3\x4c\x4f\x6c\xdd\x1b\xd7\xe9
\x65\xe3\x68\x77\x11\x89\x34\x65\x06\xe3\xcb\xba\xf7\x45\x3f\x03\x9c\x6a\xeb\xdf\x77\xa1\x38\x75\x49\x9d\x7d\xb3\xe0\x8f\x9c\x31\xd3\x53\x07\x49\x0e\x6d\x3c\x11\xee\x69\x77\xe6\x69\xcb\x1a\xa6\x42\x0d\x46\x19\x55\x05\x0e\x0c\xfb\xe0\xbb\x23\xd1\x31\x9e\xf3\x54\x21\xd8\x0e\x56\x5e\x5f\xc9\xb3\x0d\x6d\x0a\x4d\xa0\x54\x40\x61\xe6\x44\xeb\xa5\xb4\x7b\xc4\x8e\xce\x8b\x7f\x85\xd8\x23\xc9\x8c\x4b\xd6\xcd\x46\x4a\xcc\x49\xa2\x9b\xb6\x92\x6d\x2a\x95\x97\xc6\x4e\xdb\x8a\x4b\xa2\xca\x2d\xd7\xba\xd8\x0d\xa3\xba\x9d\xf1\x43\xb2\xb3\xcb\x44\xd6\xe5\xce\x04\xaf\xf3\x97\xf5\xfc\x4b\x0f\x5a\xf4\xaa\x07\x87\x61\x1e\xfc\x52\x11\xbb\xb4\x8b\x7e\xb3\xe1\xd4\xcb\x54\xac\x2b\x9d\x0d\x9d\xa7\xff\xbd\x18\x51\x35\x94\x67\x4b\x53\x0e\x8a\x20\x6f\x9b\x04\x2b\xe8\x13\x86\x81\x92\x29\x50\x5d\x35\xce\x04\xa1\xe1\xe0\x30\x4a\xb5\xdb\x61\x88\x47\x20\xf5\xbf\x6a\xe9\x10\xd4\x8b\x9a\xaf\xe2\xbc\x5a\x1a\x4f\x4e\xda\x0f\x61\x5c\x8d\x0d\x68\x2a\x55\xa5\x2f\x0d\x40\xe1\x38\xc8\x8c\x42\x99\xaa\x1b\x10\x04\x40\x01\x68\xde\x6a\xc8\xaa\x18\xfe\x60\x29\xbf\x63\xc6\x40\xef\x7f\xb9\x1b\x56\xa5\xab\xc2\x43\x97\xd1\xb2\xcf\x3b\xc0\x87\x7e\x8d\x52\x19\xe5\x67\x23\xa6\xc4\x98\x89\xcd\xd5\xba\x03\xc8\x4f\xbc\x41\x5a\x3e\x9b\x65\x2d\x26\xe2\xd6\x13\xc3\xdc\xce\x41\x4e\x1f\xa3\xe2\x20\xb3\xc2\xe3\x53\x91\xac\x65\x20\xed\x1f\x05\x14\x88\x05\xa4\x6e\x99\x34\xe5\xfe\xbf\x84\xe1\xbb\xa2\x5b\xa1\x30\xa9\xe0\x58\x4b\x62\x5d\xf2\xc2\xee\x4e\xc0\xd1\x0a\xff\xfa\x19\x17\x73\xd4\xf4\x12\xf5\xca\x22\x51\x93\xca\x27\x88\x7f\xd4\x7c\x9c\x69\xf2\x1d\xa9\x52\xf9\x8a\x99\xf2\x05\x31\x4c\x18\x2b\x00\x14\xdd\xe7\x56\x3d\xed\x90\xe3\x38\xda\x5d\x5e\x83\x6f\x16\x2b\x96\x37\x75\x17\xc2\xf6\x75\x8d\x9b\xb4\x1e\x8b\xc9\xdd\x8f\x2e\xb5\x21\xad\x81\x4e\xac\x65\x1a\x48\xef\x64\xbc\x45\xab\x60\xbf\xf9\xd2\xe6\x7f\x03\x18\x3d\x04\x4e\xd4\x37\xa8\xbd\x73\x04\x3d\x6a\x8a\x51\x90\xfb\x5c\xd5\x2c\xfe\x06\x89\xe2\xda\x08\xcd\x11\xaa\xe6\xf2\x5c\x50\xd6\xcc\xbd\x5f\x4e\xa7\xce\x9b\x51\xb5\x79\x46\xaa\x92\xf4\x1e\xfd\xc2\xb9\x19\xc8\x87\xa0\x70\xc5\x19
\xef\x60\x0f\xe1\x4d\x67\x66\x4e\xd7\xfc\x21\x1a\x09\xe9\x12\x9b\x13\xa7\x02\x4f\x2f\xeb\xc3\x01\x05\x81\xda\x84\xb4\x4b\xbe\xdf\xdc\x1f\x54\xb6\x3c\x8c\xfa\x8c\x8b\x5c\x98\x66\x49\x33\x3e\xee\xaa\xf5\x3e\x8b\xe8\x63\x24\x23\x78\xb0\xff\x6c\xff\x6b\x1d\x6e\x02\x70\x10\x68\x44\x84\xc6\x36\xb7\xc1\x34\x01\x8e\x3a\x73\x2a\x6b\x35\x2c\xfe\x08\x1f\x79\x0f\x00\x29\x96\x7f\xf1\x82\x0d\x57\xd3\x70\xc2\xa9\xf1\xbe\x05\x11\x00\xd5\xa8\xea\xc4\x24\x1a\x6c\x2b\x64\x0f\xe7\x3b\x16\x1d\x54\x38\x01\xf1\xeb\x2a\xbd\xea\x76\x9c\x51\x8c\xbd\x72\x71\xc6\xd6\x5a\xbe\x83\x66\x1d\x2f\xd2\x8e\x41\xb9\xad\x57\x5b\x95\x8f\xbb\xc5\xa4\x3f\x34\x12\x78\x65\x6d\x30\x0f\x21\xd8\xc7\x11\x61\xbf\xc2\x81\x2b\x2f\x7f\x36\x92\xc5\x75\x8a\x5f\xea\x82\x84\xcc\x43\x15\xe2\xdc\x16\x05\xd0\xb5\x82\x43\xa9\x79\xaf\x7c\x0c\xce\x31\x3e\x3e\x12\x7b\xaf\x93\x13\xf1\xab\x8c\x43\x75\x81\x36\x95\x86\x68\x9a\xe6\x9b\x86\x84\x47\xbf\xa6\x07\x98\x62\x0c\x68\x08\x00\x90\xc9\xf0\x49\x3c\x95\xa6\x4c\xa4\xf6\x78\xea\xa1\x4f\xe8\xcb\xc9\x08\x6e\xa9\x9c\x78\xa3\xd8\x16\x98\x42\xfc\xa3\xb0\xd2\x89\x40\x6c\xfa\x9d\x52\xf4\x1d\xf0\xb7\xfc\xfe\xb6\xe1\x0b\x7f\xb8\x84\x6b\x64\x6c\x6e\x17\x73\x32\x0a\xaf\xac\x2d\x38\x42\x72\x44\x93\x2e\xd2\x37\xb9\x83\x4f\x60\xc0\xbc\x4f\x9f\x6b\x18\xee\x82\xd4\xab\x52\x57\xd0\x33\x43\x13\x7a\x44\xa5\x21\x48\x42\x7e\x74\x72\x52\xc0\x61\xc8\x8c\x78\x85\x98\x58\x16\x3f\x76\x85\x65\xfe\xfe\x43\x03\xce\xab\xa9\x4b\x78\x6b\x6d\x9d\x0b\x69\xd0\xca\x92\x0e\x61\x52\x55\xe2\xb8\xc3\xfd\xd7\x8d\x8c\x19\x4e\x9c\x80\x49\xa9\xd1\x87\x77\x26\x85\xac\x98\xfa\x7e\x7d\xf5\x4f\x5e\xbc\xe1\xec\xc1\xcf\xc7\xa6\x2e\x85\x39\x32\xde\xac\xcb\x58\xd7\x9f\xec\xb9\x31\xd1\x46\x43\xec\x70\x20\xad\xe4\x9c\xce\x0a\x1e\x78\xe3\x4d\x71\x09\x60\x22\x31\x7d\x7a\xf5\x36\xb3\x8f\x72\xfb\xf6\x5f\x7e\x47\x63\xe6\xd1\xda\xd8\xc2\x6f\x56\xe2\xab\x4c\xdf\x77\x8e\x32\x64\xa2\xad\x20\x04\xcb\xce\x99\xb7\x7e\x6e\xc2\x72\xd6\xf0\x83\xd2\x08\x3a\x04\x2f\x67\x90\x8e\x14\x7e\x60\x1e\xd4\x2f\x20\x1f\x5b\x9f\x18\xe8\x9e\xaf\x48\xd3\x84\xee\xef
\xa0\xf9\xf9\xec\x38\x6a\x27\x4e\xcd\xab\xac\xd1\xe2\xdb\x6b\x90\xad\x98\xc4\x75\x66\x7d\x27\xfa\x72\x79\x08\xd2\x8e\x37\x45\xc3\x4b\x50\x15\xed\xd1\x30\xd0\xb7\xe3\xfd\x54\xdd\xea\x89\xe3\x7d\xba\xfa\x49\x84\x07\x59\xa3\x0d\x29\xe2\x1b\xb0\x9d\x95\x00\x3c\x28\x95\x18\x9e\x43\x9a\xb7\xb4\x12\xc2\x51\x61\x0a\xa7\xaf\xab\xef\x41\xe5\xab\xe2\x23\x53\x21\xf3\x22\xe8\xbd\x59\x24\xd7\x9a\x40\x46\x05\x37\x8e\x3b\xda\x60\xd2\x8e\xa5\x67\xe6\xa7\x39\x64\xa6\xdd\xd4\x3c\xfa\x1f\x5e\x0c\xb8\xbe\x45\x5e\x1f\x6d\xbc\xcc\xf7\x2c\xd1\xcf\x14\xe8\xe5\x07\xa1\xa1\x97\x9f\x1c\x2b\x43\xc8\xa6\x49\x29\x0b\xa5\x41\x37\xd1\xaa\x64\x73\x56\x8e\x39\x0a\x66\x59\x73\x82\x34\x92\xec\x2d\xce\x33\xc3\x9c\x88\xaa\x42\x47\xf1\x4f\x1f\x0e\x56\xad\xee\x32\x60\x80\xb7\x16\xdc\x55\xda\xe2\xa5\xed\x84\x2d\x79\x0d\xe3\xf1\xfb\xe3\x2f\x89\x51\xea\xb8\xdf\xa5\x4d\x77\x0d\xf7\x34\x27\x31\x27\x0b\xeb\x47\x04\x27\x7f\x3e\x1d\xc1\x69\x34\xaf\x90\x23\x50\xcd\x6b\x0b\x7a\x67\x1f\x26\x75\xf0\xdf\x88\x48\x31\xae\x06\x39\x26\x69\xd6\xbd\xa8\x49\x3b\x6b\xda\xf5\xae\x90\xf4\xc4\x5f\x8f\xb1\x91\x4e\x0b\xe0\x57\xf4\x5d\xb5\x01\x01\xb8\xbc\x6e\x64\x9a\xa6\x85\x60\x71\x22\x5c\x42\xc6\xee\x15\x7a\xdb\xda\x58\x42\x94\x2c\xca\x28\xfc\x4c\x7c\x08\xe7\xc2\xcf\x19\x81\x54\x2b\xe4\xab\x7f\x4b\xf6\xef\xff\x69\x2d\xfe\x65\xb4\x50\x80\xb2\x1e\xee\xf5\x29\x91\x71\xa1\xc2\xb7\x36\xf7\x0d\xa4\x31", 4096); *(uint64_t*)0x200066c0 = 0x1000; *(uint64_t*)0x200066c8 = 0xff00000000000000; *(uint64_t*)0x200066d0 = 0x20006480; memcpy((void*)0x20006480, "\x82\x92\x51\xfb\xd7\x0c\xae\xb4\x51\xcc\xf0\x9a\x96\xfb\xfe\x55\x9b\x21\x7a\x4a\x12\xcf\x46\xa3\x89\xd8\x2c\x55\xef\x7f\x5c\x64\xe4\x5e\x1b\x6f\x26\x95\x59\xa8\x5e\x8b\xcc\x23\x2b\xf1\x50\x0d\xcb\x9a\xf4\x0f\x69\x71\x65\xfd\xe6\x20\x9f\x8b\xf0\x01\x58\x5b\x6c\xca\xaf\xe1\x94\xcc\xfd\xb7\xf8\x99\x08\x04\xee\x77\xed\x9a\x34\x5b\x52\xa8\xd7\xe8\xf4", 87); *(uint64_t*)0x200066d8 = 0x57; *(uint64_t*)0x200066e0 = 8; *(uint64_t*)0x200066e8 = 0x20006500; memcpy((void*)0x20006500, 
"\x34\xe0\xc0\x82\xbd\x77\xb5\x1d\x0c\x9a\xb1\xbc\xde\x0a\xcc\x30\x81\x49\xf3\xe6\x4c\x75\xb7\x17\x3c\xda\x5f\x39\xd3\xb4\xa6\x2c\x60\xde\x76\xd1\x2d\x41\xce\xc1\xb7\xc9\xbc\x9e\x57\xac\xb7\x83\x42\x82\xa5\x75\x8d\x7c\x7e\x4b\x21\x71\x5f\xeb\xf6\xfb\xf1\x44\xad\x46\xcb\xf2\xce\xc8\x7f\x74\x01", 73); *(uint64_t*)0x200066f0 = 0x49; *(uint64_t*)0x200066f8 = 0x8001; *(uint64_t*)0x20006700 = 0x20006580; memcpy((void*)0x20006580, "\xe6\x09\x76\xf8\x6d\x91\xdd\x66\xce\xc0\xb1\xe3\x0e\xc8\x01\x16\x0b\x84\xcf\xb1\xf8\x60\x37\x03\xd1\x4a\x6b\x81\x5d\x22\xe1\x78\x3e\xed\x12\xce\x8c\x08\x0e\x3f\xfb\xf0\xb5\x30\x95\xf6\x96\x03\xfa\x76\xa9\x34\xa6\x0a\x05\x26\x34\x1e\xaf\xaf\xb3\x86\x7d\x13\xe8\x8d\x1d\x39\xe3\x70\xa0\x0d\xbe\x06\xdd\xc8\x40\xba\x74\x46\xa6\x25\x97\x06\x9e\x1d\xcd\x13\x8f\x82\xb2\x9f\xf7\x8a\xf1\xd1\xc3\x13\x3f\xe9\xc0\x4d\x73\x2c\xdb\x4b\x3f\x6a\xa2\x69\x89\x36\x9b\x5f\x6d\xca\x60\x00\xa0\x76\x73\x41\xbc\x2a\xaa\xcd\x69\xe6\x48\x62\x19\x15\xb8\xaa\x9c\xb2\x4c\x6b\xb5\xae\x3f", 141); *(uint64_t*)0x20006708 = 0x8d; *(uint64_t*)0x20006710 = 3; memcpy((void*)0x20006740, "flock=strict", 12); *(uint8_t*)0x2000674c = 0x2c; memcpy((void*)0x2000674d, "obj_type", 8); *(uint8_t*)0x20006755 = 0x3d; memcpy((void*)0x20006756, "/dev/vcsa#\000", 11); *(uint8_t*)0x20006761 = 0x2c; memcpy((void*)0x20006762, "obj_role", 8); *(uint8_t*)0x2000676a = 0x3d; memcpy((void*)0x2000676b, "bpf_lsm_unix_may_send\000", 22); *(uint8_t*)0x20006781 = 0x2c; *(uint8_t*)0x20006782 = 0; syz_mount_image(0x20005140, 0x20005180, 0, 9, 0x20006640, 0x10000, 0x20006740); break; case 32: memcpy((void*)0x200067c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200067c0, 4, 0x4800); break; case 33: memcpy((void*)0x20006800, "net/icmp\000", 9); syz_open_procfs(r[5], 0x20006800); break; case 34: syz_open_pts(r[9], 0x258102); break; case 35: *(uint64_t*)0x20007d00 = 0x20006840; memcpy((void*)0x20006840, 
"\xb3\xde\x0d\x9f\x2e\x1e\xba\x98\x79\xee\xf0\x8d\xbd\x42\xed\xd7\xd6\x22\xf0\x95\xe0\xce\x34\x29\xb6\x4c\x46\x70\x8b\xf7\xfa\x26\xe6\x9e\xc1\x57\xca\xa3\xe1\x6d\x60\xb3\xba\xf5\xb0\xd2\x46\xbf\xef\x95\x5e\x35\xf8\x55\x56\xc9\x61\x4a\x60\xb6\x5c\xae\x7c\x02\x3c\x99\x31\x8f\xc8\x5b\xc0\xab\xfd\x16\xbc\x78\xeb\x56\x31\x7c\xd8\xb8\x0c\x5f\x5a\x87\x85\x6c\x5c\xd0\xb9\x7f\xc2\x83\xcb\xc9\xd8\x35\xff\x9d\x70\x97\x2b\xd4\x20\x11\x69\xa3\x5c\x26\x99\xbf\x5a\x8b\x31\xad\x36\x07\x12\x10\x19\xe7\x33\x98\xb2\x28\xb9\xc5\x9a\xa5\xb5\xc0\x07\x16\x67\x66\xee\xe5\x91\x1d\x5d\x2f\x86\x4c\xb4\x2b\x84\x21\xf3\x8c\xb2\x1a\xa9\x36\x97\xe5\xad\x16\x6a\x96\x6a\xc9\x8a\xa7\x76\xfd\x27\x50\x02\x94\xc4\xdd\x1b\xac\xf4\x1f\xd0\x70\xe9\xe4\xa9\xe5\xeb\x70\xd2\xa9\x8f\x91\x5c\x13\x91\xfd\x75\xf5\xff\xec\xfa\xb4\x24\x25\xeb\x01\x6c\x33\xec\x19\xae\x67\xf4\xb1\x00\x08\x8e\x09\x0f\x03\x5d\x78\x14\x3b\x35\x94\x4f\x30\xa4\x9a\x77\xb8\xc5\xe2\xa0\x8e\x9f\x38\x1a\x8a\xfb\xcf\x48\xeb\xad\x84\x11\x45\x5f\xf2\xcb\x76\xa4\xa1\xb5\x57\xd1\x21", 254); *(uint64_t*)0x20007d08 = 0xfe; *(uint64_t*)0x20007d10 = 0x7fffffff; *(uint64_t*)0x20007d18 = 0x20006940; memcpy((void*)0x20006940, "\x33\x0e\xa7\x46\xd7\xdf\xb4\xa5\xe9\xf3\x3a\x32\x5a\x96\x88\xca\x04\xcd\x59\xaf\x72\x4b\x34\xf7\x0a\xe3\x70\xd4\xac\x73\xea\x9a\x65\xab\x00\x3f\x2c\xbc\x01\xaf\x11\x62\xc0\xfe\xfb\x2b\x7e\x4a\x0d\xcd\x3f\x2a\x8c\x23\xf2\xa1", 56); *(uint64_t*)0x20007d20 = 0x38; *(uint64_t*)0x20007d28 = 0x2eed; *(uint64_t*)0x20007d30 = 0x20006980; memcpy((void*)0x20006980, 
"\xef\xd5\x43\xd9\x2d\xc8\x23\xae\xf9\x1d\x85\xc4\x4c\x05\x58\x44\xe2\xaf\x47\xb4\xd5\xa6\x7e\x3a\x39\x59\xdc\x6d\x61\x7c\xd8\xe9\xb6\xc3\xf5\xbb\xf0\x5d\xa7\x3f\x04\xbf\x4f\x54\xa6\xf3\xd5\x36\x1d\xee\x72\x0d\x1f\xf9\xf6\x5d\x5d\x7c\x18\xb8\x65\x34\xf2\x91\x26\x21\xaa\x81\xb4\xc2\xd3\xda\xa1\xa6\x75\x38\xac\x5e\xfc\xf2\xe0\x08\xc7\x91\xd5\x91\x52\xdb\x5f\xa2\xd0\xa2\x3f\x39\x97\xbd\x1e\x25\x02\xe6\xfa\xdb\x36\x78\x88\x91\x84\x3e\x3d\xe1\xc4\x48\x3a\xea\x75\x22\x4b\x12\xed\xe3\x00\x6b\x96\x48\xdc\x76\x61\xa4\x6d\xa2\xd1\x46\xd3\xdf\x70\xa1\xd0\x4b\x2c\x64\x57\x8d\xaf\x21\x9d\xcb\xa1\xb6\x7a\xae\x08\x6a\x25\x41\xc4\xb9\xb4\xdc\x6d\x43\xc0\x76\x54\x4b\x4c\xf9\xcd\x57\xe6\xe2\x6d\x74\x21\x7d\x1d\x85\x46\x22\x4d\x85\xf6\x50\xa0\xad\x3a\xac\x78\xc0\xcf\x1d\x83\xa4\xad\xcc\x11\xc2\xe8\x4d\xf1\x88\x9c\x79\x20\x34\x7f\xe4\x04\x20\x19\x14\x72\x78\x62\xb4\x60\x22\x9c\xe6\x7a\x1a\x88\xde\x34\xaa\x73\xd3\x9b\xe6\x7f\xe9\x22\x10\x69\x92\x21\x10\x3a\xc5\xb4\x9a\x07\xff\x0b\x35\x48\x36\x3c\x87\x80\x66\xd5\xa0\xca\x8f\x56\x5a\x61\x6a\x04\x9a\x5d\x7b\x6e\x70\xba\xdf\x46\x49\xc5\x1a\xec\x86\x71\xfa\xa4\x44\xd7\xe0\xa6\x30\x4e\x27\x3c\x40\x5c\xc6\xf3\x48\xd1\x9f\xf1\x34\x8b\xac\xc9\x6e\xcf\x1a\x28\x11\x96\x18\xc9\x1e\x59\x42\xbb\xf0\xe2\xd7\xfc\x69\x97\xcf\x63\x30\xc1\x06\xa7\x90\x2c\xcd\xc1\xb9\xcd\x0e\x8f\x55\x93\x55\xd2\x6f\x81\xc7\x7e\x52\x48\x82\xd0\x27\x83\xf1\x5b\x05\x69\x69\x02\x36\xe3\xaa\x74\xb9\x6b\xcc\x5e\xf9\x0e\xae\x4a\x5e\x3a\xba\x2a\x56\x0f\x9b\x0a\x51\x3c\xe1\xa8\xce\xb0\xd2\x10\x36\x15\xf8\x28\xb0\x12\x5d\xf3\x2e\xec\x97\x11\x0e\xe2\xa5\x9e\x1f\x91\x37\x72\xa8\x59\xf6\x5d\x95\x3c\x20\xca\x8a\x0c\x6e\x85\x26\x61\xd8\x62\x93\xcb\x46\x72\x41\x3f\xfa\xfa\x27\x03\x2e\xda\x8d\x8b\x19\xce\x77\xd3\x5d\x13\x04\x29\x6d\x8d\xbe\xe1\xb7\xc3\x58\xfe\x5d\xdf\x94\xc4\x24\x11\xe2\x63\x62\xcf\x42\xa5\xc7\xc1\x89\x91\xe3\x92\x63\x31\xa2\xc7\x12\x36\x09\xe0\xa3\xc0\x5e\x42\xf1\x75\x97\x2e\x44\x5a\x6a\xe5\x71\x54\x06\x2e\x21\xe0\x56\x66\x60\x2a\x2b\xf0\x89\x1e\xe6\x56\x48\xe5\xa9\x67\xe
a\x16\x24\x84\x99\xc8\x2e\x74\xc1\x9e\xda\xfe\xcf\x24\x02\xce\x53\x21\xf5\xbb\x4e\xcd\xe0\x58\xa1\x17\x6f\x31\x0b\xb1\x33\x8b\x11\xdd\xc6\x0d\xce\x03\xc4\x72\x7f\x7d\xd3\xc2\x33\x5d\x50\xae\x49\x2d\xca\x1b\xd9\x8b\xe4\xaf\x07\x44\x29\x1f\xa2\xba\x1c\xd3\xe9\x3e\x6f\x1d\x9d\x1b\x43\x05\xc2\x76\x41\x18\x09\x4a\x16\x43\x6a\x01\x45\x98\xfb\x64\xc3\x4e\xad\x3e\x8f\x45\xd1\x1c\x4f\xc0\x62\xc1\x44\xc8\xe0\x52\x20\xfb\xdf\x4a\x8c\xab\x6e\x28\x8b\x5c\xfd\xef\xa7\xa0\x54\x23\xef\x2d\x4f\x3b\x3b\xee\x57\x68\xb2\x80\x34\xa0\x8d\xe8\x83\xb8\x17\x27\x8b\xd3\xe7\x85\xc1\x14\x32\x9d\x99\x2c\x58\x12\x15\xf5\x64\x4c\xcf\xa4\xe8\x94\x10\x1d\x5f\xa4\x30\x08\xd8\x03\xfb\x9b\xaa\xef\xd7\xdd\x4b\x88\x83\xb6\xe7\xa1\x7f\x4d\xdf\x48\x26\xcd\xd7\x11\x0f\xf2\xc8\x39\x53\x49\x06\x8c\xd0\xb9\x55\x0a\x3a\x2f\x5c\xbc\x0d\xb0\x6b\x1b\x31\x29\x2c\x54\x87\x9a\x17\x2f\x4b\xe9\x83\x9b\x1d\x76\x89\x6c\x4c\xcc\xd8\x84\x1a\x55\x92\xaa\xc1\xf5\x27\x2b\x6f\xda\x92\x46\x34\xb5\x07\x50\xb3\x82\x31\xff\x13\x3d\xa1\xfc\x86\xd1\x09\x8c\x82\x3d\xf5\xbc\xa8\xcf\xe8\xc0\x8b\xa2\xee\xe5\xa4\x65\x8b\x29\x17\xbf\x3a\xf4\xb4\xe4\xe4\x7c\x6b\x7c\x35\xa3\x96\x3e\xbc\x60\x44\xf2\x72\x88\xc5\xa3\xc1\xa2\xf5\xfa\x45\xa1\x28\xbe\x9a\x13\xde\xd8\xc2\xf6\x74\x5e\xcf\x4f\xa9\x47\x23\xf9\xf1\x63\x82\xf4\xdb\x48\xd0\xc8\x11\xfe\x8e\xed\xb8\xbf\x05\xff\x38\xe5\x78\xd4\x93\x76\x55\x02\x53\xd2\x61\x7f\x86\x30\x3c\x54\x3f\x88\x2a\xdc\x20\x08\x56\x4c\x8b\xa1\x3e\xcd\x19\x61\x3a\x63\x19\x3d\x94\xe9\xa7\x3b\x21\xea\x1d\xdd\x30\xb4\x82\xc0\x98\x69\xc0\xfa\x37\x13\x1c\x69\xcc\xd0\x33\xdd\x96\xd8\xee\x7c\x5f\x2f\x8a\x15\x2e\x84\xc0\xf6\x59\xe6\x0c\xe1\x69\xfc\xb8\x9d\xe0\x28\xbe\xa3\x9d\x05\xdf\x03\xcf\x22\x80\x70\x29\xc1\xaa\xe4\x59\x94\x0d\xd5\x4b\x78\xc0\xde\xde\x18\x72\x3f\x97\x2d\x96\x51\x6e\x19\x71\x9e\x5c\x9e\xd0\x06\x86\x0f\x24\x71\xa8\xe5\xb1\x8f\xcf\x0e\xf4\xba\x66\x81\xa4\x1f\xa8\x00\x9b\x7e\x03\xb4\x44\xf4\x5a\xb3\xcc\xa9\xbb\xbc\x58\x13\xd1\xfa\x05\x5a\xaa\x4d\x45\x44\x12\x33\xae\x7b\x69\xb7\x59\xe3\xdd\xe7\x66\xc0\xf3\xb1\x3
b\xf9\x68\xcf\x85\x65\x38\x28\x83\x55\x7f\x92\x5c\x21\x07\x58\x61\xec\x9f\x35\xc7\xcd\x44\x4b\xcc\x7d\x38\x1d\xc0\xd7\xaa\x75\x4b\xa5\x70\x66\xb9\x02\x78\x8f\x53\x85\x4c\xf9\xd5\x6c\xa7\x3c\x7a\xc8\x5c\xca\x67\xba\x50\x9e\xc3\xa7\xc1\xb4\x2d\x8c\x65\x4b\x34\xd8\x8d\xa8\xd2\xca\x85\xad\x4a\xe8\xb8\x65\xb6\xd2\xa0\xc1\xc4\x40\x76\x68\x53\x5c\x49\xf3\x49\xe2\x76\xf1\xa8\x67\x64\xef\x18\xe3\xb0\x8f\x1d\x1e\x3c\xc1\xb9\x3c\xde\x3f\x19\x78\x57\xfb\x48\xb5\xa5\xfe\xf3\x1a\x86\xfa\x00\x22\xd6\xa9\x6d\x81\x5c\x8c\x9a\xf9\xba\xdb\x7b\x88\x6e\xa0\x9a\xda\xc7\x32\xc8\xe4\xea\xfe\xb8\x47\x32\x18\xe7\x94\xbc\x6a\x71\x6d\x17\x16\xfe\xfe\xf8\x6f\x63\xd3\x2b\x66\x73\xb4\x35\xd1\x3e\xdd\xca\x42\x25\x7c\xfe\x07\x17\xfc\xa3\xa3\x9f\x00\xbc\xa6\x50\xf5\x46\x3a\x24\xc5\x09\x24\x25\x6d\x32\x07\xd2\x9c\x1b\x1c\x95\x10\x9e\x40\xda\xb6\x07\x78\x7f\xb7\x4c\x4e\x64\xfe\x4a\xca\xc6\x5c\x62\x83\xff\xcc\x11\xfd\x08\xa0\xbd\x1f\x49\x30\xa8\xbe\xea\x57\xa0\xdd\xa0\x28\x67\x86\x6c\x5b\x1c\xe5\x86\xb3\x2e\x7c\xd1\x8a\xb1\x6a\x27\x5d\x6c\xc0\x43\xa9\x90\xe1\xd7\x97\x0f\x79\xd5\xb8\x88\x0e\xef\x3f\xc4\xef\x4d\xe5\xe8\x40\xac\xd0\xed\xbc\xde\x6b\xf6\xfe\xdf\x3c\x6a\x2d\x25\x39\xfd\xaf\x27\x8f\x06\x97\x94\xd3\x0a\x09\xd6\x15\xe1\xe4\xa5\xa7\x61\x7e\x16\x24\x1d\xaa\xb8\x7f\xda\xd4\x93\xed\x9c\xf3\x26\xfe\x64\x7a\x40\xf0\x27\x9d\x6a\x9b\x2c\xdc\x0a\xbf\x36\x26\x41\x5b\x04\xfc\x83\x65\x10\xba\x62\x51\x38\x6c\xe7\xe8\xd2\xb4\xfe\x66\x3c\xfc\x3a\x5d\xe9\xcc\x31\x3e\x9e\x1f\xc1\x91\x27\xf0\x92\x07\xc9\x55\xf5\xa8\x48\x54\x81\xf4\x31\x92\x24\xfd\xf4\xc2\x78\x7d\x58\x3c\x3c\xaf\x7a\xcb\xec\x73\xab\x9b\x4d\x2f\x24\x52\x87\xdf\x9a\xe2\x9a\x16\x9c\x4d\x79\x5c\xd0\x3c\x90\x98\x33\x94\x46\xdc\x40\x23\x7b\x69\x89\x98\xb2\x42\x36\x28\x14\x8c\xec\xb0\x2f\x69\xd2\x64\x4c\xec\x88\xc9\x48\x94\xe0\x1e\x15\x87\xfc\x85\x37\x54\x50\xe3\x2c\xca\xdc\xdc\xae\xa6\x41\xd2\xdb\x62\x92\x22\x86\x60\xd0\x4c\x44\x67\x86\xc2\x58\xb6\xfb\xbc\x1d\x0b\x6a\x8a\x38\x18\x20\x0d\x48\x9c\x12\x67\x33\x92\x2c\x96\x61\x95\xa4\x00\x7a\x68\xd0\x47\x3
5\x78\xb4\x69\xb4\x43\x3e\xac\xbe\x09\x25\x20\x24\x4d\x84\xda\x89\x24\xb9\x0d\x7f\xa1\xad\x31\xdb\x50\x1f\x16\xa5\x9d\x3d\x9e\xb7\x22\x10\xd0\x58\xb3\xd1\xfa\x4d\x87\x6d\x5b\x40\xbc\xff\x5a\xdf\x08\x6e\xbd\xc2\x64\x7b\x1b\x6f\x88\x21\x1b\xbd\xf5\x47\xf1\x69\x8e\x11\xab\xb7\x3d\xd3\xa5\x88\xd9\xca\x26\xd9\xff\x5b\x2d\x28\xd1\xe1\x76\xbe\x8a\x7a\xdf\x2e\x3e\x3a\xe1\x37\x39\x31\x12\xf5\xaa\xa8\x81\x81\x48\x82\x93\x9d\xfe\x71\x72\x1f\xa9\x2b\x89\x62\xbb\x8d\x94\x0f\xe1\xe3\x94\x8d\xef\x40\x33\xa0\x9e\x9c\x04\xca\x7e\xa8\xb5\x49\x69\x5c\x5f\xf6\x6c\x07\x73\x95\x02\x6d\x82\x57\x6d\x37\x9b\xd9\xcd\xed\x06\xff\xcc\x3a\x6f\x8b\xd5\x48\xc0\xf6\x8d\x4d\x3d\x72\xae\x27\xd8\x28\xb2\x7a\x58\x2b\x14\x88\x6d\xad\x1f\xc3\xe6\x35\x31\xc2\x87\x0f\x31\x59\xf8\xd4\xbd\x44\x94\x80\xc4\x5d\xd2\x7a\x29\x34\xdf\x90\x79\x7c\x04\x94\xe0\xf8\xef\x82\x89\xae\x41\x06\x26\xd4\xfa\x96\x6d\x82\x44\x3a\xdc\x52\x43\xfd\xb2\xc4\xdd\xff\x85\x50\xaf\x53\x38\xef\x2d\x1c\x41\x3b\x4b\xd4\xb3\x08\x20\x9c\x20\xe9\xc3\xa0\x08\x0a\x23\xd1\x6a\x31\x08\xa1\x05\x07\x83\xd4\x4b\xa9\x2a\x95\x59\x05\x08\xd3\xa5\xcf\x44\xfc\x6a\x4a\xf2\x47\x7f\x86\x64\x28\xbc\x11\x3c\x1c\xc8\xf1\x23\xda\x46\xca\x0a\x03\xc5\xdb\xd1\xf6\xe5\x75\x45\x84\xd8\xa4\x10\x3b\xd2\x3f\xa5\xe1\xf6\xf3\xac\xb1\x54\xff\xed\x12\x8d\x0a\x64\x58\x29\xd3\x34\x1a\x25\xe8\x7a\xe7\x81\x86\x2a\xbc\x7a\x15\x90\x21\x12\x4c\xfb\x03\x57\x1a\x73\xce\xef\x60\x36\x81\xf5\xe5\xe1\xe1\x57\x4d\xb3\x01\x6f\xf5\xa1\x3d\x9b\xfe\x7e\x8a\xc8\x1a\x09\xa9\x05\x23\x7e\x39\x0a\x57\x72\xd3\x61\xed\xbe\x58\x08\xe9\xd8\x59\x4f\x77\x6b\x00\x05\xe0\xc3\xd0\xf7\x1d\x66\x6c\x9d\x4d\xc4\x93\xd0\x16\x3d\x88\x54\x72\x32\x75\xd8\x50\xac\x1b\xf7\x81\x83\xa7\x75\x18\xf0\x1b\xb3\xa2\x80\xf3\x9b\xbf\x60\x6d\xef\x4f\x89\xb1\x1e\x2b\xb8\xd9\x9f\x8a\x32\x98\x5e\xd9\xbc\xb4\x2f\x11\x0b\xd2\xbd\xda\x26\x37\x6d\x9d\xaa\x70\xe1\xe6\x57\x5f\x11\xba\x7e\xf2\x69\x90\x8e\x10\x19\x48\xf5\x70\xb7\x69\x0e\x0b\x5d\x35\xed\x98\xcb\xdd\x2f\x36\x37\xb9\xf8\xf7\x8b\x2f\xfb\xc2\x93\x18\x8f\xf2\x77\x7d\xb0\x5
0\xaa\x21\x9d\xde\x78\x8a\x77\x0c\xb6\x24\xd6\x61\x70\x01\x81\x7d\x6d\x5c\x7a\x5b\xd3\x9c\x51\xff\x12\x8e\xac\x71\x2b\x9d\xb9\xc6\x0a\x74\xbd\xb7\x82\x0a\x35\x72\xa5\x09\x1c\x30\x84\x33\x92\x86\x27\x9d\x9c\xeb\x24\x41\x48\x90\x6d\xab\x1d\xed\xb6\x23\x79\xb1\x45\x97\xb7\x34\x89\x07\xfb\xa5\x54\x24\xe8\x78\xc1\x94\x98\x5c\xdc\xb2\x11\xb7\x1b\xdf\x38\x06\x33\x9a\x53\x00\x6a\x90\x06\xc7\x46\xbc\x49\x10\x8c\x81\x00\x93\x8d\xc2\x4a\x08\xd5\x7b\x01\x3f\x41\x03\xd8\x7d\xf3\x10\x85\x84\x05\xd0\x6f\x05\x9b\x65\xcd\x54\xae\xa1\xd0\xf1\x5c\xb2\xa4\x1b\xc8\x67\xd2\x2c\xb9\xd6\x7c\x31\x0b\x05\xa4\xf9\x40\xbd\x2e\x7a\x58\x63\xc8\xe1\xc8\x0d\x3a\xd0\x7b\x21\x50\x4b\xf2\x13\xda\x5c\xb3\x8f\xb6\x52\xa4\x7c\xcd\x7a\x5c\xfa\xfa\x0c\x3f\xfe\x2a\xac\x76\x25\xa9\x55\x88\xec\xd7\x7a\x95\x93\xd0\xbf\x2e\x7d\xf7\x99\x9f\x02\x44\x33\x5a\x9f\xac\x01\x5c\x32\x27\x30\x09\xd1\xf8\x65\xdf\xb8\x73\xc6\x5f\x52\xe9\x08\x1b\x02\x2b\x99\xb0\x15\x86\xf5\xfb\x15\x84\xfd\x9b\x1f\xda\xf8\x6c\x78\x3f\x61\x77\x2a\xff\x11\x78\xe0\x8d\x5b\xd0\x67\xb6\xfd\x23\x3d\xb8\xc4\x32\xfa\xbb\xd0\x0a\x53\x0f\x1c\x40\xb5\xf0\x5f\x78\x83\x49\x50\x59\xd1\xb5\x8b\x95\x23\xd1\xf5\x25\x57\x36\xb2\x3f\xf5\x6c\xab\xb4\xcb\x71\x0e\x43\xa7\x0f\x71\xcf\xfd\x17\xe3\xfa\xe9\x04\x36\x34\x86\x9f\x16\x6a\x95\x8c\xa5\xde\xc6\x39\xb8\x5b\x21\x34\x09\x6e\x69\x7c\x24\xe3\xb0\xa8\xcf\xb1\x94\x22\xff\x01\xf4\xeb\xef\x24\xb7\x23\x3d\xe1\xa0\xf8\x9c\x80\xe2\x31\xb8\x45\x9f\x53\x1a\xc2\x3e\xb1\xa2\x37\x3b\x3c\x58\x07\xee\x65\x52\x70\x71\x52\xa3\x16\x95\x55\xa6\x63\xd1\xbf\xb4\x53\xc8\xc3\x80\xc5\xa5\x2c\x95\x8e\x30\x2d\x4d\x75\x28\xaa\xb5\xd0\xa6\x68\x92\x30\x80\x98\xb5\x66\xa1\x36\x7c\xbf\xd9\xa3\xa4\x6c\x5f\xb7\x72\x25\xb7\xb6\xf9\xf9\x2e\xd0\xbc\x85\xbc\xbc\xf1\xb4\xfd\x27\x60\xb9\xf5\x09\xd2\xd1\x1c\xd0\x55\x71\x44\xb1\xc8\x9f\x9f\x7f\x24\x95\xd0\xc9\xea\x6c\x76\x7f\x1f\x92\x57\x07\x01\xa3\x3c\xed\x47\x70\x36\xd0\x6b\xbe\xad\x08\xc0\xb4\xa8\xab\x4a\x57\xd8\xd9\xb7\x58\xce\x05\x89\x1e\xc7\x29\x01\x4e\xb7\x12\xc3\x3d\xcb\x52\xef\xe8\xde\xd2\x2
3\xb6\x17\x82\x24\x43\xbf\xa9\x55\x14\xd9\xa8\x2f\x6b\x9f\xed\x17\xb2\x24\x45\xf6\x92\xfc\x87\x03\x74\xc0\x82\x6a\x9f\xa4\x31\x53\x84\x93\x68\xaa\x1f\x93\x05\x2e\x48\xf8\x8e\x8f\xe9\xaa\x1b\xa8\x29\x15\x85\xe5\x9d\xa0\xf6\x8f\xd0\x4b\x8f\xa4\x50\xe9\x65\x4d\x92\x0c\x2b\x82\xc9\xc2\x9a\x79\x01\x5d\x0e\x30\x2b\xef\x5a\xbc\x9f\x42\x92\xfd\x4b\x58\x2d\x58\x83\x0d\xfc\x71\x72\x53\x19\xbf\x39\x69\x2b\x0f\x3d\x72\xa3\x20\x4d\x62\xe4\xcd\x21\x9f\xd2\x64\x7a\x9b\xc3\xda\x61\xb7\x02\x69\x9d\x01\x5f\x9f\x15\xbf\xfb\x27\xb6\x13\x3e\xc4\x31\xe4\xad\x67\xf5\xc1\xb4\x6f\xc6\x2e\x29\xd4\xae\x4b\x07\xfa\xb0\x7f\x01\x43\xe8\xe5\x4f\xea\x1e\x62\x90\x51\xd6\xd7\xc1\x9a\xf8\x93\x16\x61\xd8\x49\x57\xad\x2a\xe7\xb5\x21\xbd\x62\x46\x8a\xa0\xa8\x51\x65\x39\x04\xbb\x93\x25\x37\x6f\xd2\xd8\x31\x34\x03\x56\xd9\xbd\x27\x82\xbb\xc4\x6e\x1c\x03\x06\x95\x53\xd2\xb0\x5d\x17\xbb\x4d\x86\x44\xa0\xdf\xc0\x28\x6d\x4e\xbd\xfb\xf1\xfa\x85\xf0\x01\x5d\xa2\x66\x70\x90\x9c\xe8\x40\x27\x2d\x1d\x62\xc8\xd0\x27\x87\xd5\x65\x20\xd3\x09\xe4\xbc\xfc\xc8\x46\x47\x4d\x42\x82\x64\x17\x98\xda\xd1\x77\x9c\xce\x11\x39\x2a\xc5\x37\x91\x73\x35\xb4\xf9\x12\x4e\xd1\xe2\x54\x05\x29\x66\xab\x2c\x15\xdc\xd1\xbc\x1c\x3c\x52\x0f\xef\x4b\x3b\x17\xfe\x6f\x63\x60\xd0\x7b\x2c\x08\xac\x64\xc7\x5f\xcd\xf5\xf9\xea\xc2\x11\xdb\x24\x7a\x22\x7a\x65\x9e\x10\x67\x55\xe1\xba\x53\xab\xa6\x7c\x83\x16\x62\x19\x02\x26\x98\x4d\xc0\x36\x98\xdc\x56\x7a\xa9\x6b\x51\xd2\xe6\x9f\x53\x0a\xdd\xd9\xb4\xfd\xbf\x3a\x0b\x20\xaf\x2a\x18\x4c\xba\xf5\x3a\x35\x63\x4c\x8f\xe3\xd6\x3e\xc1\x5c\x50\x6b\xf0\x2c\x35\x30\x27\x59\xfe\x32\xad\x28\xc1\xd4\xb4\x9e\x94\x81\x6b\xb0\xf3\x28\x22\x81\x6b\x40\x55\x7c\x65\x0d\xa4\xae\x59\xca\x64\x5d\x5a\x4d\x61\x72\x90\x3c\x25\xe0\x0a\x22\x9e\xaa\x0c\x52\x6c\xff\xba\x53\xfc\xa4\x4a\xa1\x63\xc7\xf5\xfb\x49\x59\xa2\x16\xd6\xda\xd9\xe1\x9f\x28\x2b\x99\x45\xd2\x47\x6b\xbc\x01\x33\x78\x51\x31\x11\x8a\xd4\x6c\x3f\x93\x31\xc4\x15\xe7\x0d\x35\xe0\x6f\xa7\x1c\x2a\xa8\x78\x13\x2e\xd7\x70\xa0\x4f\x07\x21\xa5\x66\x55\x02\xdd\xed\x28\x3f\x7
0\xae\x9a\xb7\x2e\x48\xcf\x03\xc0\x1d\x80\xf6\x8e\xce\x54\xde\x88\xaa\xcb\x2c\x41\xc5\xd7\x46\x2f\x9b\x73\xf6\xc2\x74\x17\x09\xc8\x3e\x20\x08\x4d\xd8\xf9\xd8\x55\xc4\x1a\x0b\xfb\xe1\x07\xe6\xe4\x7a\x65\xc2\xb1\xee\x50\x07\xe9\xd5\xf2\x51\x18\xa2\x95\xfc\x63\x13\x24\x3d\xf5\x4c\xdd\x92\xab\x4d\xce\xdb\x21\x0d\xd8\x3b\xe1\xb0\x58\xae\x1e\x37\xa7\xac\x51\xb9\xc8\x9b\xf9\xec\xa4\x23\xc9\x1d\xb0\xd4\xa4\x21\x34\xa9\x3c\x89\x79\xa0\x3a\x2d\xe5\x3e\x45\xe6\x41\xa2\xd4\x0f\x41\x0b\xc1\x1a\x96\x82\x04\xf7\x2c\x96\xe5\x06\x64\xdc\x29\xbe\x41\xa4\xaa\xc4\xe0\x7e\x9c\xdf\x23\x9f\x59\xc9\x68\x7b\xd7\xdc\x65\xce\xab\x07\x6b\x13\x19\x41\xbb\x15\xc4\xf9\xf4\xc1\x7d\x73\x50\x78\x05\x88\xfa\xcf\xfd\xbc\x1e\xaa\xeb\x44\x06\xb9\x56\xda\x73\x3e\xd0\x9e\xb4\x86\x04\xa0\xed\x4a\xad\xcb\xbd\x94\xa8\xee\x07\x93\x10\xfe\x26\x12\xa6\x69\xe5\x62\x39\x17\xee\xc2\xb1\x2a\xd9\xc8\x6a\xf9\x75\x7a\x51\x75\x9d\xbb\x00\xdf\x2e\x03\xe3\xd3\xa7\x0b\xd2\xc0\x2f\x9f\x08\x44\x4f\x4e\x06\x50\xed\xfb\x27\x86\xca\x57\xd3\x63\x09\x43\x55\x68\x32\xa3\x28\x92\x30\x1b\x58\x85\x9e\xf2\x40\x07\xf7\xa7\xd9\xb4\xaf\xc2\x37\x03\xc4\xfb\x90\x77\xa0\x7d\x2e\xa8\xd3\xa2\xb4\xf0\x15\xde\x7f\x31\xfc\x30\x65\x45\x81\x6b\x6b\x67\x0a\x45\xcf\xf4\xa9\x1b\x60\xa1\xfb\x47\x8b\x08\x9c\x67\xf4\x59\xca\xaf\x5f\xce\x92\x65\xfe\xa0\xc7\xec\x06\x52\xcd\x11\x30\x56\x23\xb0\x4c\x0a\x9d\x1a\xec\x65\x71\xc6\xa4\x66\xdc\x7a\x7b\xec\x75\xfc\xf9\x84\xd6\xa9\x63\x69\x86\xbe\xce\xf1\x41\x8b\x69\x4e\x82\x0e\xe2\x46\x2f\x26\x87\xe0\xb6\x8b\xa5\x1c\xbd\x03\xba\x76\xb4\x3f\xd7\xcb\xa0\x1a\xf2\x3f\xf9\x8f\x74\xb7\x64\x46\x35\x27\xc6\xc3\x97\xe1\xc8\xe8\xb2\x22\x58\x74\xcc\x74\xf9\x58\xa3\x1a\x28\x41\x4f\x17\x0c\x2b\x4c\xbd\x90\xc8\x49\xcc\xd5\x4f\x91\xbc\xe2\x90\x8e\x3b\xbc\x21\xb3\xd5\x60\x4a\xa3\x37\xc7\xfb\x1f\x81\x0c\x10\x32\x16\xbf\x44\x43\x39\x04\x3d\x52\x33\x30\xee\xe7\x3b\xf0\x86\x6d\xa3\xf3\xf7\x28\x87\x7f\xbb\x54\xe2\xf9\x28\x42\x3a\x16\x72\xcc\x9b\xa3\x1b\xc6\x86\xa6\xd1\x98\xef\xeb\x36\x18\xd5\xe9\xa1\xb0\x81\x9c\xf6\xb9\x33\x8c\x56\xc
4\xb7\x88\x46\x9f\x53\x2c\xdf\x92\x30\x66\xd1\xba\x46\xa5\x69\x60\x34\x2b\x79\xb0\x9e\xc8\x67\x9e\xa3\xca\xa4\x33\x65\xb8\x11\x25\x7a\x24\x49\xff\x92\x74\xf6\x61\x2c\xb0\x53\x0d\xd8\x67\x8c\xf1\x8b\xc1\xf9\x1f\x44\x7f\xad\x7b\x95\x8f\x3d\x0a\x19\x77\xce\x78\xd1\x02\x82\x9f\xe4\xb8\x3b\x56\x59\xc8\x15\x5a\xf4\xd2\xc0\x5d\x73\x15\xd1\x48\x63\x00\xe6\xda\x08\x46\xa5\x94\xd5\x10\x67\x3b\x0e\x74\x72\x78\x85\x59\x00\x9d\x74\x49\x0e\xc9\x87\x1d\x9f\x0f\x73\x69\x9d\x97\xfb\xe3\x03\xcb\x4d\x63\x5f\x54\x2e\x95\xc7\x84\xa5\x38\x71\x27\xdc\x45\x44\x83\xf9\x50\xf7\x65\xa8\xe9\x04\x63\x9e\xf4\x13\xc7\xd5\x81\xaf\x20\xdf\xb2\x85\x95\x58\x01\xab\x7e\xc4\xbe\x4d\x1b\x28\x79\xde\x66\x2d\xde\x2c\xfc\xd6\x60\x4e\xc0\xaa\x07\xa5\xa6\x71\xf5\x4a\x4f\x28\x53\xee\xdc\xa5\x6b\xaf\x00\xf0\x79\x27\x09\x59\x58\xdb\x7d\x32\x5e\x86\x3f\x64\xa9\x05\x6b\xd8\xe1\x03\x85\x99\x21\x46\x3d\x17\x54\x04\x2b\x85\xdc\xd9\x4d\x93\x3e\xf2\x08\x7d\xbe\xf5\x7d\x9a\x3a\xd9\xfe\x8c\x64\xa8\x79\x95\x87\xa3\xec\x23\xb9\xb2\x52\xf0\x3b\xfc\xe4\x2f\x01\x7e\xad\xfd\xbe\x97\x3e\x84\xe9\x02\xe3\x6b\x96\x61\xef\xae\xf4\x09\xc9\x15\x30\x8d\xce\x9a\x22\x2a\x9c\xb1\xdb\x52\x15\xc0\x00\xfc\x44\xd3\x72\xfb\x18\x64\x25\xcd\x07\x8b\xee\x77\x70\xf1\xfa\x60\xff\x2d\x0e\x34\x47\x25\xa5\x1a\x5f\x47\x8f\xe9\x6b\xfb\x9a\x18\xb6\xcb\x54\x2b\xf3\x94\xbe\xd0\x22\x18\x51\x8f\x1d\x38\x1d\x5a\xa2\x1f\xdc\xd4\x43\xce\x84\xc1\x80\xa6\xa8\xcf\x65\x47\xef\xfa\x46\x27\xca\xe9\x35\x51\xa7\x56\x4f\x0d\xac\x6e\x37\xc5\xf0\x68\xed\xda\x00\xb4\x7a\x6f\x2d\x33\xb5\x4c\x36\x81\x12\x8e\x83\xad\x17\xb0\xf0\x98\x45\x6b\x9e\x97\xf3\xe0\x2c\xe3\x91\x51\x5f\xfb\x0c\x05\x11\xa3\xd8\x31\x21\x15\x38\x2c\x15\xb0\x98\x61\xef\x75\x0c\x00\x06\xe9\x6c\x91\x84\xe1\x7d\xb2\x45\xb0\x25\x5c\x44\x07\xfe\x4b\xd6\xee\xa4\x3f\xd8\xc5\xe8\x03\x48\xcb\x91\x6e\x9d\x04\xb4\x9c\x24\x83\x91\x1b\x6d\xee\xce\x26\xd2\xb6\x57\x62\x64\x3a\xa0\x41\x7b\xe2\x76\x8b\x67\x3a\x22\xad\x58\xe6\x67\xf5\xef\x4e\x22\x28\xdb\x9b\x79\x39\xd8\xf9\x12\xde\x32\x47\x43\x25\x15\x50\x90\xb1\xd9\x74\x1
a\xce\x41\x55\xd6\x45\x83\xec\xfb\x57\x00\x30\x1d\x73\xed\x2a\xbd\x15\x64\x08\xca\x5e\x1b\x88\xba\x75\xf8\x4a\x4b\x83\x4d\x4f\x53\x20\x15\x77\x3e\x9f\x8d\x4a\x36\x50\xf8\x98\x41\x91\x11\x4f\x0f\xdb\xaa\x54\x40\x5b\xf5\x1f\x8b\x1a\xfe\x53\x2f\x74\xc1\x5a\x37\x08\xeb\x93\x70\xfa\x83\x16\xfe\xef\xac\x4e\x43\xf8\x55\x50\x6f\x5d\x98\x72\xb6\x03\x63\x56\x70\x11\xcc\x33\x08\xa2\x02\x6d\x00", 4096); *(uint64_t*)0x20007d38 = 0x1000; *(uint64_t*)0x20007d40 = 0x4065ebb7; *(uint64_t*)0x20007d48 = 0x20007980; memcpy((void*)0x20007980, "\x11\x2a\x65\x7c\x27\x70\xad\x17\xf2\xe7\x77\x62\x16\x0b\xb1\x4f\x2f\x71\xa1\x7b\x88\xfd\xb9\x46\xf9\x19\xb2\xdf\xd3\xef\xd6\x16\xe3\x11\x24\xff\x47\xee\x66\x8f\x60\x65\xa0\x43\x5a\x79\x1a\x74\x39\xd8\xaa\x10\xdc\xc4\x18\x19\x2d\x82\x1e\x36\xfc\x08\x20\xd7\xcc\x0f\x88\xb0\x88\x91\x6d\x78\x6f\x01\x42\x6f\xa4\x6b\x21\x4d\xe8\x22\xd2\x4e\x4d\x6c\x78\x5f\xea\xc4\x58\xd9\x86\x35\xc4\x80\x16\x72\xbd\x4e\x74\xfd\x40\x75\x39\x32\x12\x11\x52\xae\x0e\xad\x77\x1e\x3a\xbc\x7f\x74\x1e\x39\x3b\x32\x85\x26\xe5\xec\x29\xe8\xe0\xd9\xb3\xa2\xbe\xbc\xd0\xeb\x34\x72\xa4\xbd\x8e\x50\xf9\x53\xed\x17\x3b\xa2\x71\xfb\xe9\xf9\xd9\xc4\x63\xc7\x9f\x44\xd0\x93\x15\x4f\xfe\xf5\x9c\x93\xad\xa7\x83\xb4\x72\x7f\xc3\x5b\xa6\xc0\xdb\x25\x18\x93\x9c\xb3\x5f\xb3\x30\x1d\x4c\xf7\x2d\x25\x24\xf8\x3a\xc4\xab\x57\xa8\xac\xfc\x93\xa9\x9c\x26\xcc\xae\xe0\x56\x63\x71\x22\x94\x96\xe9\x30\x21\xe8\x6b\x95\x60\x21\xa4\x67\xf3\x4b\xe6\x6e", 226); *(uint64_t*)0x20007d50 = 0xe2; *(uint64_t*)0x20007d58 = 0x6d69; *(uint64_t*)0x20007d60 = 0x20007a80; memcpy((void*)0x20007a80, 
"\x62\x98\x25\xe3\xcb\x9c\x42\x73\x28\x10\xeb\x62\xf1\xff\x47\x85\x71\x8f\x7a\x30\xc6\x39\x40\xf2\xea\xdf\x19\xda\xe8\x20\xfe\xb9\xb7\xb3\x58\xf7\x41\xb8\x34\x16\x4a\x9a\x4a\xc8\xce\x39\x8c\x23\x16\x07\xf5\x23\xa2\x6d\xb9\xe0\xae\xca\xc1\xd1\xe8\x90\x22\xd1\xcd\x50\xd6\x44\xf2\x46\x6b\x25\xec\x09\xc6\xd6\xef\x4f\x0b\x3e\xf5\x92\xd1\x40\x8d\x04\x9d\xa4\x9b\x95\x3b\x32\x7e\x12\x3c\x6f\x19\x63\xc2\xf7\xa9\xe3\xcc\x7e\x0c\x52\xed\x1e\x17\xd0\xa8\xb7\x94\x66\x68\x75\xb2\x0b\x07\xa0\xf5\xc2\xc7\x6d\x96\x32\x90\x9f\x76\x9e\xb2\x5b\x16\x27\x37\xbe\xa1\x31\xf5\xc2\x70\xb3\x24\x9f\xd6\x5c\x25\x5e\x68\xb6\x80\x27\x1d\x0c\x11\x19\x67\x15\x17\x77\x44\xe7", 162); *(uint64_t*)0x20007d68 = 0xa2; *(uint64_t*)0x20007d70 = 9; *(uint64_t*)0x20007d78 = 0x20007b40; memcpy((void*)0x20007b40, "\xd1\x09\x17\x49\x23\x3d\x1e\x7e\xc5\x06\x53\xf3\x01\xa7\x34\xf5\xdd\x67\xac\x1e\x74\x89\x23\xe4\x4c\xce\xde\xeb\x3e\xa2\x34\x74\x58\x96\xab\xcb\x80\x03\xed\x61\x60\x5b\x5d\xff\xa8\xa9\xaf\x0a\xa1\x2e\xd9\x02\xd4\xa3\x5a\x92\x60\xc5\x3a\xb6\xa6\x21\xe2\x10\xe6\x1e\x40\x02\x83\x8d\xc2\x9e\x2f\x79\x8b\x4c\xbe\x0e\xd0\xc1\x2a\x33\xc6\x9d\xdd\xa4\x46\xb9\xb8\x84\xfc\xbf\xe2\x81\x99\x18\x4b\xd4\xae\xb0\x97\xd0\xd9\xa3\x93\xb6\x99\xd1\xf5\x5a\x57\xd8\x30\xda\x49\x7d\x79\xb9\xbd\x7d\xbc\xdb\xfe\x7e\x16\x8d\x60\x07\x61\x1d\xb9\x67\x33\x57\x4f\xb1\x50\xf4\xe9\x09\x91\xc7\x0f\xc1\x9e\xdb\xa6\xbe\xed\xc5\xa7\x21\x69\x36\x6a\xe5\xfc\xa5\xc1\xcb\x41\x3b\xbc\x54\xff\x8f\x12\x7d\x1b\x94\xcf\x99\x42\xb5\xc9\xbe\x5f\xbf\xc9\x39\x46\xbf\x1d\x0b\x28\x9a\x74\x42\xfb\x05\x7a\xdb\x0a\xe7\xfa\x41\x89\xd5\xe5\xfe\xfc\x75\xed\x5d\x26\x0b\x3c\x2c\x24\x45\xd4\x95\x79\xe6\xb3\x69\xe3\x96\xda\x16\x2d\x94\x05\x59", 224); *(uint64_t*)0x20007d80 = 0xe0; *(uint64_t*)0x20007d88 = 6; *(uint64_t*)0x20007d90 = 0x20007c40; memcpy((void*)0x20007c40, 
"\x76\x8d\x82\xc4\x7f\x16\x6e\x25\x25\x30\x91\x5b\x63\xb4\x0d\x9e\xba\x4b\x95\xfe\x08\x78\x93\x45\x3f\x37\x3a\x94\x38\x9e\x11\x20\x98\x1c\xb4\x45\x76\xa2\x05\x1c\x41\x58\x40\x0a\x59\xb9\xc8\xa9\x40\xcc\xae\x28\x26\x41\x4e\x14\xad\x55\xc7\x2b\x04\xf8\xfa\xbf\xe8\x64\x62\x40\x9b\x3a\xb2\xa0\x75\xea\x92\xc8\xbd\xdc\xd2\xb2\xfc\x0f\xd7\x7a\x97\xbc\x27\x1e\xcd\x43\xdd\x60\x5f\x29\xb9\x90\x83\x7b\x40\x9e\xed\x59\x65\xdd\xb3\xfb\x1b\x91\xe5\xbf\x12\xdd\xbc\xf2\x1c\x90\xc7\xef\x2f\x0a\xb9\xbb\x03\xf7\x2a\x64\x7c\xe8", 128); *(uint64_t*)0x20007d98 = 0x80; *(uint64_t*)0x20007da0 = 0xfffffffffffffff7; *(uint64_t*)0x20007da8 = 0x20007cc0; memcpy((void*)0x20007cc0, "\x46\xc0\xce\x89\x20\x30\x5b\x2c\x7f\x63\x6e\xdb\xb1\x65\x92\x0d\xb7\x8c\x61\xf8", 20); *(uint64_t*)0x20007db0 = 0x14; *(uint64_t*)0x20007db8 = 0xfffffffffffffffa; syz_read_part_table(9, 8, 0x20007d00); break; case 36: *(uint8_t*)0x20007dc0 = 0x12; *(uint8_t*)0x20007dc1 = 1; *(uint16_t*)0x20007dc2 = 0x300; *(uint8_t*)0x20007dc4 = 0x94; *(uint8_t*)0x20007dc5 = 0xe8; *(uint8_t*)0x20007dc6 = 0x2e; *(uint8_t*)0x20007dc7 = 0x40; *(uint16_t*)0x20007dc8 = 0x789; *(uint16_t*)0x20007dca = 0x160; *(uint16_t*)0x20007dcc = 0xf578; *(uint8_t*)0x20007dce = 1; *(uint8_t*)0x20007dcf = 2; *(uint8_t*)0x20007dd0 = 3; *(uint8_t*)0x20007dd1 = 1; *(uint8_t*)0x20007dd2 = 9; *(uint8_t*)0x20007dd3 = 2; *(uint16_t*)0x20007dd4 = 0x764; *(uint8_t*)0x20007dd6 = 2; *(uint8_t*)0x20007dd7 = 4; *(uint8_t*)0x20007dd8 = 0x8f; *(uint8_t*)0x20007dd9 = 0; *(uint8_t*)0x20007dda = 0x7f; *(uint8_t*)0x20007ddb = 9; *(uint8_t*)0x20007ddc = 4; *(uint8_t*)0x20007ddd = 0x40; *(uint8_t*)0x20007dde = 0x3f; *(uint8_t*)0x20007ddf = 0xe; *(uint8_t*)0x20007de0 = 0xbb; *(uint8_t*)0x20007de1 = 0x18; *(uint8_t*)0x20007de2 = 0xf3; *(uint8_t*)0x20007de3 = 0x20; *(uint8_t*)0x20007de4 = 0xa; *(uint8_t*)0x20007de5 = 0x24; *(uint8_t*)0x20007de6 = 6; *(uint8_t*)0x20007de7 = 0; *(uint8_t*)0x20007de8 = 0; memcpy((void*)0x20007de9, "\xc1\xb0\xc9\x81\xcc", 5); 
*(uint8_t*)0x20007dee = 5; *(uint8_t*)0x20007def = 0x24; *(uint8_t*)0x20007df0 = 0; *(uint16_t*)0x20007df1 = 7; *(uint8_t*)0x20007df3 = 0xd; *(uint8_t*)0x20007df4 = 0x24; *(uint8_t*)0x20007df5 = 0xf; *(uint8_t*)0x20007df6 = 1; *(uint32_t*)0x20007df7 = 9; *(uint16_t*)0x20007dfb = 0xfff; *(uint16_t*)0x20007dfd = 5; *(uint8_t*)0x20007dff = 0; *(uint8_t*)0x20007e00 = 0x15; *(uint8_t*)0x20007e01 = 0x24; *(uint8_t*)0x20007e02 = 0x12; *(uint16_t*)0x20007e03 = 0xaa4; *(uint64_t*)0x20007e05 = 0x14f5e048ba817a3; *(uint64_t*)0x20007e0d = 0x2a397ecbffc007a6; *(uint8_t*)0x20007e15 = 4; *(uint8_t*)0x20007e16 = 0x24; *(uint8_t*)0x20007e17 = 2; *(uint8_t*)0x20007e18 = 9; *(uint8_t*)0x20007e19 = 9; *(uint8_t*)0x20007e1a = 0x21; *(uint16_t*)0x20007e1b = 0x7ff; *(uint8_t*)0x20007e1d = 8; *(uint8_t*)0x20007e1e = 1; *(uint8_t*)0x20007e1f = 0x22; *(uint16_t*)0x20007e20 = 0xd44; *(uint8_t*)0x20007e22 = 9; *(uint8_t*)0x20007e23 = 5; *(uint8_t*)0x20007e24 = 3; *(uint8_t*)0x20007e25 = 3; *(uint16_t*)0x20007e26 = 0x40; *(uint8_t*)0x20007e28 = 6; *(uint8_t*)0x20007e29 = 6; *(uint8_t*)0x20007e2a = 0x80; *(uint8_t*)0x20007e2b = 9; *(uint8_t*)0x20007e2c = 5; *(uint8_t*)0x20007e2d = 5; *(uint8_t*)0x20007e2e = 8; *(uint16_t*)0x20007e2f = 0x20; *(uint8_t*)0x20007e31 = 0x34; *(uint8_t*)0x20007e32 = 7; *(uint8_t*)0x20007e33 = 0xd1; *(uint8_t*)0x20007e34 = 7; *(uint8_t*)0x20007e35 = 0x25; *(uint8_t*)0x20007e36 = 1; *(uint8_t*)0x20007e37 = 0x81; *(uint8_t*)0x20007e38 = 1; *(uint16_t*)0x20007e39 = 0x20; *(uint8_t*)0x20007e3b = 0x65; *(uint8_t*)0x20007e3c = 0x30; memcpy((void*)0x20007e3d, "\xda\xc1\x6e\x84\x5b\x14\x9d\xaf\xe6\x66\x63\xcc\x3a\xcf\x39\x3f\xa7\xb0\xae\x46\xcb\xb8\xcf\x20\x7b\xdb\x0d\x3d\x6c\xf6\x81\x66\x1f\xa0\x0e\xd5\x8d\x70\x3c\x22\x64\x70\xa8\x4e\xaa\x26\x4b\xe5\x1e\x68\x10\x87\x52\x48\xed\xe7\x94\xe2\x20\x7e\x60\xb0\x45\x85\x60\x3c\xd0\x55\xc6\x34\x8f\x0e\xb4\xf3\x3f\x2a\x83\x3f\x4a\xee\x88\x84\xd7\x77\x3b\xe2\xf4\x51\x77\xad\x4c\x03\x72\x8f\xf4\xdd\x8e\x40\xfd", 99); 
*(uint8_t*)0x20007ea0 = 9; *(uint8_t*)0x20007ea1 = 5; *(uint8_t*)0x20007ea2 = 2; *(uint8_t*)0x20007ea3 = 4; *(uint16_t*)0x20007ea4 = 0x3ff; *(uint8_t*)0x20007ea6 = 0x1f; *(uint8_t*)0x20007ea7 = 2; *(uint8_t*)0x20007ea8 = -1; *(uint8_t*)0x20007ea9 = 7; *(uint8_t*)0x20007eaa = 0x25; *(uint8_t*)0x20007eab = 1; *(uint8_t*)0x20007eac = 0x82; *(uint8_t*)0x20007ead = 9; *(uint16_t*)0x20007eae = 2; *(uint8_t*)0x20007eb0 = 9; *(uint8_t*)0x20007eb1 = 5; *(uint8_t*)0x20007eb2 = 6; *(uint8_t*)0x20007eb3 = 0; *(uint16_t*)0x20007eb4 = 0x40; *(uint8_t*)0x20007eb6 = 0; *(uint8_t*)0x20007eb7 = 0x40; *(uint8_t*)0x20007eb8 = 0xfd; *(uint8_t*)0x20007eb9 = 7; *(uint8_t*)0x20007eba = 0x25; *(uint8_t*)0x20007ebb = 1; *(uint8_t*)0x20007ebc = 0x83; *(uint8_t*)0x20007ebd = 0x1f; *(uint16_t*)0x20007ebe = 0x1000; *(uint8_t*)0x20007ec0 = 9; *(uint8_t*)0x20007ec1 = 5; *(uint8_t*)0x20007ec2 = 0xd; *(uint8_t*)0x20007ec3 = 1; *(uint16_t*)0x20007ec4 = 0x3ff; *(uint8_t*)0x20007ec6 = 3; *(uint8_t*)0x20007ec7 = 1; *(uint8_t*)0x20007ec8 = 0x80; *(uint8_t*)0x20007ec9 = 7; *(uint8_t*)0x20007eca = 0x25; *(uint8_t*)0x20007ecb = 1; *(uint8_t*)0x20007ecc = 1; *(uint8_t*)0x20007ecd = 4; *(uint16_t*)0x20007ece = 3; *(uint8_t*)0x20007ed0 = 9; *(uint8_t*)0x20007ed1 = 5; *(uint8_t*)0x20007ed2 = 5; *(uint8_t*)0x20007ed3 = 4; *(uint16_t*)0x20007ed4 = 8; *(uint8_t*)0x20007ed6 = 8; *(uint8_t*)0x20007ed7 = -1; *(uint8_t*)0x20007ed8 = 0x80; *(uint8_t*)0x20007ed9 = 9; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 0xf; *(uint8_t*)0x20007edc = 1; *(uint16_t*)0x20007edd = 8; *(uint8_t*)0x20007edf = 0xae; *(uint8_t*)0x20007ee0 = 9; *(uint8_t*)0x20007ee1 = 0xf6; *(uint8_t*)0x20007ee2 = 7; *(uint8_t*)0x20007ee3 = 0x25; *(uint8_t*)0x20007ee4 = 1; *(uint8_t*)0x20007ee5 = 0; *(uint8_t*)0x20007ee6 = 0x95; *(uint16_t*)0x20007ee7 = 6; *(uint8_t*)0x20007ee9 = 0x7a; *(uint8_t*)0x20007eea = 6; memcpy((void*)0x20007eeb, 
"\x3f\x8f\x5c\x31\x8c\x80\xe5\xa9\x36\x08\x9f\xa5\xbe\x9d\xc3\x64\xd3\xa8\xff\x22\x23\x8b\x92\x00\x64\x2b\xb7\x96\x9b\x9c\x09\x89\x51\x0d\xf3\xf2\x67\x38\x46\xf3\xfe\x68\xee\xc4\x87\x47\x6d\x9d\x8e\xa3\x7c\x9e\x7e\xc2\x93\x9c\x3a\x85\x84\x2c\xad\x50\x0b\xf7\x7a\xed\x1d\x92\x90\xeb\x85\x0a\xf4\x62\x1c\xaf\xed\x03\xc0\x8a\x55\xc4\x22\xc7\x12\x2f\x6e\xc0\x70\x3a\x47\xdf\xcb\x27\x9c\x0b\x03\x55\x8b\x39\xc7\x23\x1b\x38\xe5\x59\xd0\x54\x6a\x29\xca\x32\x28\x0a\x8c\xe4\x70\x80\xaa\x8d", 120); *(uint8_t*)0x20007f63 = 9; *(uint8_t*)0x20007f64 = 5; *(uint8_t*)0x20007f65 = 7; *(uint8_t*)0x20007f66 = 4; *(uint16_t*)0x20007f67 = 0x8938; *(uint8_t*)0x20007f69 = 1; *(uint8_t*)0x20007f6a = 0x8c; *(uint8_t*)0x20007f6b = 4; *(uint8_t*)0x20007f6c = 9; *(uint8_t*)0x20007f6d = 5; *(uint8_t*)0x20007f6e = 7; *(uint8_t*)0x20007f6f = 0x10; *(uint16_t*)0x20007f70 = 0x20; *(uint8_t*)0x20007f72 = 6; *(uint8_t*)0x20007f73 = 1; *(uint8_t*)0x20007f74 = 0x81; *(uint8_t*)0x20007f75 = 9; *(uint8_t*)0x20007f76 = 5; *(uint8_t*)0x20007f77 = 0xe; *(uint8_t*)0x20007f78 = 0x10; *(uint16_t*)0x20007f79 = 0x200; *(uint8_t*)0x20007f7b = 0x80; *(uint8_t*)0x20007f7c = 3; *(uint8_t*)0x20007f7d = 0x23; *(uint8_t*)0x20007f7e = 7; *(uint8_t*)0x20007f7f = 0x25; *(uint8_t*)0x20007f80 = 1; *(uint8_t*)0x20007f81 = 0x81; *(uint8_t*)0x20007f82 = 1; *(uint16_t*)0x20007f83 = 5; *(uint8_t*)0x20007f85 = 7; *(uint8_t*)0x20007f86 = 0x25; *(uint8_t*)0x20007f87 = 1; *(uint8_t*)0x20007f88 = 0x81; *(uint8_t*)0x20007f89 = 7; *(uint16_t*)0x20007f8a = 0xb5a; *(uint8_t*)0x20007f8c = 9; *(uint8_t*)0x20007f8d = 5; *(uint8_t*)0x20007f8e = 8; *(uint8_t*)0x20007f8f = 2; *(uint16_t*)0x20007f90 = 8; *(uint8_t*)0x20007f92 = 0x1f; *(uint8_t*)0x20007f93 = 8; *(uint8_t*)0x20007f94 = 0x1f; *(uint8_t*)0x20007f95 = 7; *(uint8_t*)0x20007f96 = 0x25; *(uint8_t*)0x20007f97 = 1; *(uint8_t*)0x20007f98 = 3; *(uint8_t*)0x20007f99 = 3; *(uint16_t*)0x20007f9a = 0x200; *(uint8_t*)0x20007f9c = 7; *(uint8_t*)0x20007f9d = 0x25; *(uint8_t*)0x20007f9e = 1; 
*(uint8_t*)0x20007f9f = 3; *(uint8_t*)0x20007fa0 = 0x7f; *(uint16_t*)0x20007fa1 = 3; *(uint8_t*)0x20007fa3 = 9; *(uint8_t*)0x20007fa4 = 5; *(uint8_t*)0x20007fa5 = 0xd; *(uint8_t*)0x20007fa6 = 0xc; *(uint16_t*)0x20007fa7 = 0x3ff; *(uint8_t*)0x20007fa9 = 0x12; *(uint8_t*)0x20007faa = 9; *(uint8_t*)0x20007fab = 4; *(uint8_t*)0x20007fac = 0xe; *(uint8_t*)0x20007fad = 5; memcpy((void*)0x20007fae, "\xa9\xb9\x7b\xc2\x4d\xe6\x2c\x3b\xcf\x2b\xfa\x13", 12); *(uint8_t*)0x20007fba = 0x44; *(uint8_t*)0x20007fbb = 0x30; memcpy((void*)0x20007fbc, "\x9f\x0d\x5e\xa2\x42\x68\xb8\xa3\x21\x17\x65\x24\x6b\x1a\x83\x4a\xf6\x41\xe8\xcd\x6e\xa3\xef\x9b\x1f\xe1\x0f\x16\xbe\xd6\xb0\x6c\xc3\xa1\x65\x92\x0c\x9d\x73\x90\x9a\xb9\xac\x8b\x2a\x7a\x8a\x5d\xae\x5d\x4a\xcf\x31\x6d\x0b\x35\xd4\xb6\x44\xd3\x68\xa0\x6e\x0e\xff\x85", 66); *(uint8_t*)0x20007ffe = 9; *(uint8_t*)0x20007fff = 5; *(uint8_t*)0x20008000 = 0x80; *(uint8_t*)0x20008001 = 8; *(uint16_t*)0x20008002 = 8; *(uint8_t*)0x20008004 = 3; *(uint8_t*)0x20008005 = -1; *(uint8_t*)0x20008006 = 6; *(uint8_t*)0x20008007 = 9; *(uint8_t*)0x20008008 = 5; *(uint8_t*)0x20008009 = 0; *(uint8_t*)0x2000800a = 0; *(uint16_t*)0x2000800b = 0x20; *(uint8_t*)0x2000800d = 6; *(uint8_t*)0x2000800e = 0x2e; *(uint8_t*)0x2000800f = 0; *(uint8_t*)0x20008010 = 9; *(uint8_t*)0x20008011 = 4; *(uint8_t*)0x20008012 = 7; *(uint8_t*)0x20008013 = 0; *(uint8_t*)0x20008014 = 0xd; *(uint8_t*)0x20008015 = 0x29; *(uint8_t*)0x20008016 = 0xcb; *(uint8_t*)0x20008017 = 0x7c; *(uint8_t*)0x20008018 = 9; *(uint8_t*)0x20008019 = 9; *(uint8_t*)0x2000801a = 0x21; *(uint16_t*)0x2000801b = 7; *(uint8_t*)0x2000801d = 1; *(uint8_t*)0x2000801e = 1; *(uint8_t*)0x2000801f = 0x22; *(uint16_t*)0x20008020 = 0xbd9; *(uint8_t*)0x20008022 = 0xd; *(uint8_t*)0x20008023 = 0x24; *(uint8_t*)0x20008024 = 2; *(uint8_t*)0x20008025 = 1; *(uint8_t*)0x20008026 = 0x43; *(uint8_t*)0x20008027 = 1; *(uint8_t*)0x20008028 = 0; *(uint8_t*)0x20008029 = 9; memcpy((void*)0x2000802a, "d\"", 2); memcpy((void*)0x2000802c, 
"\x37\x09\xdb", 3); *(uint8_t*)0x2000802f = 0x11; *(uint8_t*)0x20008030 = 0x24; *(uint8_t*)0x20008031 = 2; *(uint8_t*)0x20008032 = 1; *(uint8_t*)0x20008033 = 0xf8; *(uint8_t*)0x20008034 = 2; *(uint8_t*)0x20008035 = 7; *(uint8_t*)0x20008036 = 0x40; memcpy((void*)0x20008037, "\x5e\x58\xdf\xf9\xa0\xd0\x1e\x41\x09", 9); *(uint8_t*)0x20008040 = 0xb; *(uint8_t*)0x20008041 = 0x24; *(uint8_t*)0x20008042 = 2; *(uint8_t*)0x20008043 = 2; *(uint16_t*)0x20008044 = 0xffec; *(uint16_t*)0x20008046 = 6; *(uint8_t*)0x20008048 = 0x15; memcpy((void*)0x20008049, "?w", 2); *(uint8_t*)0x2000804b = 7; *(uint8_t*)0x2000804c = 0x24; *(uint8_t*)0x2000804d = 1; *(uint8_t*)0x2000804e = 0xe1; *(uint8_t*)0x2000804f = 3; *(uint16_t*)0x20008050 = 2; *(uint8_t*)0x20008052 = 9; *(uint8_t*)0x20008053 = 5; *(uint8_t*)0x20008054 = 0xc; *(uint8_t*)0x20008055 = 8; *(uint16_t*)0x20008056 = 8; *(uint8_t*)0x20008058 = 4; *(uint8_t*)0x20008059 = 8; *(uint8_t*)0x2000805a = 8; *(uint8_t*)0x2000805b = 9; *(uint8_t*)0x2000805c = 5; *(uint8_t*)0x2000805d = 6; *(uint8_t*)0x2000805e = 8; *(uint16_t*)0x2000805f = 8; *(uint8_t*)0x20008061 = 0; *(uint8_t*)0x20008062 = 2; *(uint8_t*)0x20008063 = 2; *(uint8_t*)0x20008064 = 7; *(uint8_t*)0x20008065 = 0x25; *(uint8_t*)0x20008066 = 1; *(uint8_t*)0x20008067 = 0x81; *(uint8_t*)0x20008068 = 6; *(uint16_t*)0x20008069 = 0x18; *(uint8_t*)0x2000806b = 9; *(uint8_t*)0x2000806c = 5; *(uint8_t*)0x2000806d = 7; *(uint8_t*)0x2000806e = 0x10; *(uint16_t*)0x2000806f = 0x3ff; *(uint8_t*)0x20008071 = 0x39; *(uint8_t*)0x20008072 = 0; *(uint8_t*)0x20008073 = 6; *(uint8_t*)0x20008074 = 0x80; *(uint8_t*)0x20008075 = 0x23; memcpy((void*)0x20008076, 
"\xeb\xa3\xe2\xd4\x84\x8f\x84\xd0\xe6\xde\xd4\x6e\x24\xd1\x0b\xf9\xf8\xb0\x73\x89\x10\xe2\x9f\x31\x9e\x94\x25\x46\xe9\xcd\xa8\x63\x82\x57\xf5\x5d\x00\x49\x67\x2a\x13\x37\x06\x7a\xf7\x3c\x1c\x29\xe0\xbd\x77\x2a\x1c\xd5\xe1\x6d\x24\x9e\xd1\x5c\xdd\x3d\x85\xa4\x39\x9a\xef\x69\xe3\xf5\xa5\x06\xea\x0e\x05\x59\x30\x6f\xe1\xf4\x2d\xfc\x10\x92\x20\x62\xe2\xbc\x06\x2c\x34\xa1\xad\xc4\xbc\x46\xb0\x80\x25\x9a\xd2\x0b\x37\xcd\xe1\xeb\xa7\x17\x8f\xb5\x14\xb2\xef\x73\x97\x71\x5b\x0e\xae\x34\xd5\xef\xd5\x27\x49\x00", 126); *(uint8_t*)0x200080f4 = 0xa1; *(uint8_t*)0x200080f5 = 0x21; memcpy((void*)0x200080f6, "\x1c\x02\x0b\x38\x9a\x4c\x59\xd1\xf2\x6d\xa8\x57\xb2\x22\xa6\xf6\x61\x8a\xdb\x04\x11\xbb\x24\x47\x8e\x68\xff\xe7\x58\x46\x9d\x4b\xb3\x4d\xf6\xaa\x95\x77\xce\xd5\x53\x83\xdf\xf0\x1c\x05\x2a\xbb\xde\x70\x46\x8c\xe3\x11\x00\xca\x31\x84\xd1\xd5\xf8\x03\xdc\x28\x0d\xf3\xb7\xae\x47\x38\xad\x05\x03\x67\x01\xe2\xe3\x8c\xe8\x44\xa7\xd3\x01\xd8\x6e\x05\x97\xc5\xbc\x1b\x67\xe7\xc6\xa5\xf7\xdf\xbc\x33\x11\xdb\xd2\x34\x68\x8e\x85\xe9\xa7\xd5\x02\x1e\x51\xe2\xd0\xdd\x41\x80\x38\x15\x3d\xb6\x5b\x7f\xc2\x68\xf9\x8d\xdf\xd9\xe5\x03\x6f\x24\x49\x7d\x2f\x04\xcd\xcc\x75\x21\x78\x99\x19\x58\xf7\x24\x3f\xf4\xdd\x5a\xef\xcf\x75\x9a\x3f\xe7\xfb\x34\xc8", 159); *(uint8_t*)0x20008195 = 9; *(uint8_t*)0x20008196 = 5; *(uint8_t*)0x20008197 = 0xf; *(uint8_t*)0x20008198 = 0x10; *(uint16_t*)0x20008199 = 0x240; *(uint8_t*)0x2000819b = 2; *(uint8_t*)0x2000819c = 1; *(uint8_t*)0x2000819d = 0; *(uint8_t*)0x2000819e = 0x26; *(uint8_t*)0x2000819f = 3; memcpy((void*)0x200081a0, "\xb4\x51\xe2\x4f\x69\x72\xcd\x64\x29\xf8\x1c\xa1\x73\xd1\x3f\xb2\xc7\xf5\x28\x47\x51\x63\x8b\xbc\x4f\x0b\x3d\xe0\x20\x91\xfb\xb4\xf4\x45\x33\xd9", 36); *(uint8_t*)0x200081c4 = 9; *(uint8_t*)0x200081c5 = 5; *(uint8_t*)0x200081c6 = 7; *(uint8_t*)0x200081c7 = 2; *(uint16_t*)0x200081c8 = 0x400; *(uint8_t*)0x200081ca = 7; *(uint8_t*)0x200081cb = 0x3f; *(uint8_t*)0x200081cc = 0xdb; *(uint8_t*)0x200081cd = 0xc0; *(uint8_t*)0x200081ce = 0; 
memcpy((void*)0x200081cf, "\xba\x73\xf7\x70\xa4\x27\xb8\x43\x83\x13\xcb\x7e\x9d\x9d\x53\xa7\xe3\x11\x03\x66\xc8\x78\xe3\xc0\xf6\xe6\x29\xeb\xb2\xa0\x84\xa9\x0b\x2d\xef\x4b\x66\x95\x0f\xdf\xd6\x06\xe0\x83\x42\x29\xe6\x30\x28\x87\x54\x89\x67\x8b\xc9\x36\x98\xed\x86\x13\x88\x42\x54\x70\x3c\x31\x5f\x1e\xe5\x29\xd1\xbc\xbf\xaf\x8d\x86\x5e\x73\x8b\x9e\x08\xcb\xc4\xa2\x11\xd4\x80\xbd\xc2\xa6\xe6\x9e\x17\x2b\x1c\x73\x63\x94\x74\xf1\xf0\x11\x5b\x5f\x49\x18\xd0\x37\x45\x1c\x99\xde\xe8\x85\x47\x56\x25\x82\xd5\x71\x71\xaa\x19\x69\x13\xf1\x19\x15\xd1\xfd\xc1\xa5\x13\xb1\x6c\x0b\x9c\x1f\xa0\x71\x57\x42\x10\x46\xf4\xf3\x37\x2d\x00\xd4\xa2\x7e\xb9\x3e\xcd\x79\xb6\x85\xe1\x4f\x3e\xba\x64\x7e\x7b\x20\xae\xfd\xf9\x2e\xd0\x5b\xef\x68\x93\x52\x65\xce\x00\x35\xe3\xb6\x24\x85\x23\x50\xd1\x23\x4e\xf9", 190); *(uint8_t*)0x2000828d = 0xa; *(uint8_t*)0x2000828e = 5; memcpy((void*)0x2000828f, "\x29\x0a\x54\x8e\x96\x26\x66\xdf", 8); *(uint8_t*)0x20008297 = 9; *(uint8_t*)0x20008298 = 5; *(uint8_t*)0x20008299 = 7; *(uint8_t*)0x2000829a = 4; *(uint16_t*)0x2000829b = 0x7d7; *(uint8_t*)0x2000829d = 0; *(uint8_t*)0x2000829e = 7; *(uint8_t*)0x2000829f = 0xf9; *(uint8_t*)0x200082a0 = 0xcd; *(uint8_t*)0x200082a1 = 2; memcpy((void*)0x200082a2, 
"\x74\xcd\x60\x07\xae\x0e\xa1\x29\x7f\x07\x01\x8c\xbd\xaa\xa0\xc8\x78\x51\xa0\x13\x08\xad\x71\x7f\x23\x5e\x9e\xff\x80\x10\xad\x10\x46\xa5\x14\x8d\x35\x2a\x70\x76\x0b\xc4\xbe\xbd\xd7\x52\x8b\xf7\xd5\x06\xda\x1b\xaa\xc2\xcf\x49\x9d\x52\xde\x51\xd7\x1b\x05\x18\x5d\x7c\xd2\x68\x02\x3d\xe5\x96\x13\x04\x52\x1b\x5f\x56\x7c\x74\xcc\xab\x78\xb6\x1c\x3f\x64\x16\x62\xaf\x2d\x55\xd5\x15\x7a\x0d\xdc\x80\xc7\x59\x62\xe9\xbd\xa9\xff\x2d\x3b\x63\xdf\x6a\x6a\x0e\x2a\xeb\xbf\xc6\x64\xde\x3f\x3a\x34\xd6\x62\x00\xfa\x09\x24\x75\x68\x59\x57\xf0\xb3\x59\x42\x47\xa2\x1d\x46\x3c\xfe\x0c\xcd\x80\x44\xf9\x53\x19\xb4\xd4\x0c\x7f\x02\x2d\x5a\x9c\xe9\xe3\x48\xcd\x62\x3d\xc4\xc5\x90\xbe\xe5\xa1\x04\x72\x70\x95\x42\x14\x61\x1a\x8d\x98\xe6\x0a\xa6\x97\xa5\xce\x30\xee\xac\xd2\x39\x70\x94\xe5\x07\x16\x73\x99\x11\xa4\x47\x8b\x49\x5f\x02", 203); *(uint8_t*)0x2000836d = 0x2b; *(uint8_t*)0x2000836e = 3; memcpy((void*)0x2000836f, "\x9b\xc9\xf5\x80\x75\x06\x30\x3f\xbf\xd7\x12\x82\xa8\x20\x58\x56\x0f\xe8\x18\x0b\x20\x5f\x6f\x47\xf9\xd7\xcf\x05\x28\x0b\x7e\xb9\x6d\x6d\x15\x89\x97\x2f\x40\x2e\xf4", 41); *(uint8_t*)0x20008398 = 9; *(uint8_t*)0x20008399 = 5; *(uint8_t*)0x2000839a = 7; *(uint8_t*)0x2000839b = 0x1a; *(uint16_t*)0x2000839c = 8; *(uint8_t*)0x2000839e = 7; *(uint8_t*)0x2000839f = 3; *(uint8_t*)0x200083a0 = 0x86; *(uint8_t*)0x200083a1 = 0x35; *(uint8_t*)0x200083a2 = 0xb; memcpy((void*)0x200083a3, "\x01\x8a\x3d\x5f\xb9\x4d\x26\xc6\xa6\x89\xe9\x1e\xb6\xa9\xe4\x9b\xf1\xb8\x83\xb9\xe3\xda\x0a\x42\xbf\x45\x63\x9b\xc1\xb1\x9a\x0d\x8e\x78\xba\xbd\x76\x9b\x27\xa4\x3d\xd0\x91\xce\x83\xb4\xa9\x1c\xf5\xd1\x19", 51); *(uint8_t*)0x200083d6 = 7; *(uint8_t*)0x200083d7 = 0x25; *(uint8_t*)0x200083d8 = 1; *(uint8_t*)0x200083d9 = 0x80; *(uint8_t*)0x200083da = 0x40; *(uint16_t*)0x200083db = 6; *(uint8_t*)0x200083dd = 9; *(uint8_t*)0x200083de = 5; *(uint8_t*)0x200083df = 3; *(uint8_t*)0x200083e0 = 2; *(uint16_t*)0x200083e1 = 0x200; *(uint8_t*)0x200083e3 = 8; *(uint8_t*)0x200083e4 = 0x55; *(uint8_t*)0x200083e5 = 7; 
*(uint8_t*)0x200083e6 = 0xc; *(uint8_t*)0x200083e7 = 0x21; memcpy((void*)0x200083e8, "\xf2\xae\x0c\x70\x73\x12\x45\x83\x53\x64", 10); *(uint8_t*)0x200083f2 = 9; *(uint8_t*)0x200083f3 = 5; *(uint8_t*)0x200083f4 = 0xc; *(uint8_t*)0x200083f5 = 0; *(uint16_t*)0x200083f6 = 0x400; *(uint8_t*)0x200083f8 = -1; *(uint8_t*)0x200083f9 = 9; *(uint8_t*)0x200083fa = 0x7f; *(uint8_t*)0x200083fb = 9; *(uint8_t*)0x200083fc = 5; *(uint8_t*)0x200083fd = 3; *(uint8_t*)0x200083fe = 4; *(uint16_t*)0x200083ff = 0x3ff; *(uint8_t*)0x20008401 = 3; *(uint8_t*)0x20008402 = 0x81; *(uint8_t*)0x20008403 = 0x1f; *(uint8_t*)0x20008404 = 2; *(uint8_t*)0x20008405 = 0xb; memcpy((void*)0x20008406, "\x15\xf5\x29\x48\x16\x89\x69\xa7\x87\x9f\x68\x6a\x66\x44\x59\xf3\x1f\xa9\xc1\x46\xda\x65\xea\xa1\x87\x8b\x39\x96\xe0\x99\xdd\x1e\xc6\x89\x00\xa2\x57\xc0\x11\x39\x7b\xcf\xc1\x0b\xc4\x28\x59\x19\x72\xae\x5e\xb7\x0e\x65\xd2\x00\x24\x8c\x43\x3d\x8b\x1e\xaf\xe5\xdf\x95\xa1\x96\xb5\x8e\xd5\x0a\x74\xd4\x8f\x9c\x07\xf5\x08\x58\xdd\x07\xd9\x4e\xc7\x66\x26\xb5\xb4\x7c\x9a\xcd\x4f\xdb\xec\xde\x35\x6c\xab\xab\xc4\x3c\x31\x44\xfc\x2e\x52\x4b\x71\xbb\x4e\x8b\xb5\x35\xda\xa0\x71\xe2\x42\xc5\x85\x84\xdb\xdd\x6c\x1e\x75\x8e\x33\xfe\xcd\x91\xaa\xc9\x6d\x22\x88\x32\x2e\xd4\x8a\xcf\xda\xab\x53\x6e\xa5\x12\x98\xe1\x6c\x60\x33\xac\x2b\x91\x75\x84\x82\x71\x9c\xc7\xd7\x64\x37\x3c\xed\xf5\xd0\x39\xe7\x5f\x0b\xe3\x5a\xcd\xac\x46\xbf\xf1\x29\xaf\x0a\xd8\x17\xe1\x40\x64\x39\x8b\xe6\x49\x33\xb6\x76\xfa\xb4\xff\x8b\x8d\x37\xcd\x74\x2e\x41\xfd\x64\xf8\x7b\x7f\x7d\xf8\x73\xb3\xd4\xc1\xca\x44\x0e\x20\xa8\x29\xe3\x4c\x69\x77\x05\x4f\xd5\x97\x5e\x34\x94\x1c\x4c\xa2\x4d\xca\xf0\x7e\x3b\x99\x50\x28\x0b\x30\xfb\x2c\x43\x56\xee\xda\xb3\xe5\x18\x4e", 256); *(uint8_t*)0x20008506 = 7; *(uint8_t*)0x20008507 = 0x25; *(uint8_t*)0x20008508 = 1; *(uint8_t*)0x20008509 = 0; *(uint8_t*)0x2000850a = 0x1f; *(uint16_t*)0x2000850b = 0x200; *(uint8_t*)0x2000850d = 9; *(uint8_t*)0x2000850e = 5; *(uint8_t*)0x2000850f = 5; *(uint8_t*)0x20008510 = 0x10; 
*(uint16_t*)0x20008511 = 0x400; *(uint8_t*)0x20008513 = 0x81; *(uint8_t*)0x20008514 = 1; *(uint8_t*)0x20008515 = 5; *(uint8_t*)0x20008516 = 7; *(uint8_t*)0x20008517 = 0x25; *(uint8_t*)0x20008518 = 1; *(uint8_t*)0x20008519 = 2; *(uint8_t*)0x2000851a = 8; *(uint16_t*)0x2000851b = 0x101; *(uint8_t*)0x2000851d = 7; *(uint8_t*)0x2000851e = 0x25; *(uint8_t*)0x2000851f = 1; *(uint8_t*)0x20008520 = 3; *(uint8_t*)0x20008521 = 2; *(uint16_t*)0x20008522 = 8; *(uint8_t*)0x20008524 = 9; *(uint8_t*)0x20008525 = 5; *(uint8_t*)0x20008526 = 0; *(uint8_t*)0x20008527 = 4; *(uint16_t*)0x20008528 = 0x80; *(uint8_t*)0x2000852a = 9; *(uint8_t*)0x2000852b = 6; *(uint8_t*)0x2000852c = 7; *(uint8_t*)0x2000852d = 9; *(uint8_t*)0x2000852e = 5; *(uint8_t*)0x2000852f = 3; *(uint8_t*)0x20008530 = 0; *(uint16_t*)0x20008531 = 0x7ff; *(uint8_t*)0x20008533 = 1; *(uint8_t*)0x20008534 = -1; *(uint8_t*)0x20008535 = 0x1f; *(uint32_t*)0x20008640 = 0xa; *(uint64_t*)0x20008644 = 0x20008540; *(uint8_t*)0x20008540 = 0xa; *(uint8_t*)0x20008541 = 6; *(uint16_t*)0x20008542 = 0; *(uint8_t*)0x20008544 = 2; *(uint8_t*)0x20008545 = 0x86; *(uint8_t*)0x20008546 = 0x80; *(uint8_t*)0x20008547 = 0x10; *(uint8_t*)0x20008548 = 2; *(uint8_t*)0x20008549 = 0; *(uint32_t*)0x2000864c = 0x42; *(uint64_t*)0x20008650 = 0x20008580; *(uint8_t*)0x20008580 = 5; *(uint8_t*)0x20008581 = 0xf; *(uint16_t*)0x20008582 = 0x42; *(uint8_t*)0x20008584 = 5; *(uint8_t*)0x20008585 = 0xa; *(uint8_t*)0x20008586 = 0x10; *(uint8_t*)0x20008587 = 3; *(uint8_t*)0x20008588 = 0; *(uint16_t*)0x20008589 = 3; *(uint8_t*)0x2000858b = 0x73; *(uint8_t*)0x2000858c = 4; *(uint16_t*)0x2000858d = 0; *(uint8_t*)0x2000858f = 3; *(uint8_t*)0x20008590 = 0x10; *(uint8_t*)0x20008591 = 0xb; *(uint8_t*)0x20008592 = 0xa; *(uint8_t*)0x20008593 = 0x10; *(uint8_t*)0x20008594 = 3; *(uint8_t*)0x20008595 = 0; *(uint16_t*)0x20008596 = 8; *(uint8_t*)0x20008598 = 0xeb; *(uint8_t*)0x20008599 = 0x3f; *(uint16_t*)0x2000859a = 2; *(uint8_t*)0x2000859c = 7; *(uint8_t*)0x2000859d = 0x10; 
*(uint8_t*)0x2000859e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000859f, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 0xf, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a0, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200085a1, 5, 0, 16); *(uint8_t*)0x200085a3 = 0x1f; *(uint8_t*)0x200085a4 = 0x10; *(uint8_t*)0x200085a5 = 1; memcpy((void*)0x200085a6, "\x61\x40\x8d\x3d\x2e\x18\x72\x46\x92\x26\xd4\xd9\xbe\xfe\xcd\xac\x20\x8d\xfd\xaa\x38\x51\x78\xf4\x8c\xa7\x56\x50", 28); *(uint32_t*)0x20008658 = 1; *(uint32_t*)0x2000865c = 4; *(uint64_t*)0x20008660 = 0x20008600; *(uint8_t*)0x20008600 = 4; *(uint8_t*)0x20008601 = 3; *(uint16_t*)0x20008602 = 0x41a; res = -1; res = syz_usb_connect(5, 0x776, 0x20007dc0, 0x20008640); if (res != -1) r[15] = res; break; case 37: *(uint8_t*)0x20008680 = 0x12; *(uint8_t*)0x20008681 = 1; *(uint16_t*)0x20008682 = 0x200; *(uint8_t*)0x20008684 = -1; *(uint8_t*)0x20008685 = -1; *(uint8_t*)0x20008686 = -1; *(uint8_t*)0x20008687 = 0x40; *(uint16_t*)0x20008688 = 0xcf3; *(uint16_t*)0x2000868a = 0x9271; *(uint16_t*)0x2000868c = 0x108; *(uint8_t*)0x2000868e = 1; *(uint8_t*)0x2000868f = 2; *(uint8_t*)0x20008690 = 3; *(uint8_t*)0x20008691 = 1; *(uint8_t*)0x20008692 = 9; *(uint8_t*)0x20008693 = 2; *(uint16_t*)0x20008694 = 0x48; *(uint8_t*)0x20008696 = 1; *(uint8_t*)0x20008697 = 1; *(uint8_t*)0x20008698 = 0; *(uint8_t*)0x20008699 = 0x80; *(uint8_t*)0x2000869a = 0xfa; *(uint8_t*)0x2000869b = 9; *(uint8_t*)0x2000869c = 4; *(uint8_t*)0x2000869d = 0; *(uint8_t*)0x2000869e = 0; *(uint8_t*)0x2000869f = 6; *(uint8_t*)0x200086a0 = -1; *(uint8_t*)0x200086a1 = 0; *(uint8_t*)0x200086a2 = 0; *(uint8_t*)0x200086a3 = 0; *(uint8_t*)0x200086a4 = 9; *(uint8_t*)0x200086a5 = 5; *(uint8_t*)0x200086a6 = 1; *(uint8_t*)0x200086a7 = 2; *(uint16_t*)0x200086a8 = 0x200; *(uint8_t*)0x200086aa = 0; *(uint8_t*)0x200086ab = 0; *(uint8_t*)0x200086ac = 0; *(uint8_t*)0x200086ad = 9; *(uint8_t*)0x200086ae = 5; *(uint8_t*)0x200086af = 0x82; *(uint8_t*)0x200086b0 = 2; *(uint16_t*)0x200086b1 = 0x200; 
*(uint8_t*)0x200086b3 = 0; *(uint8_t*)0x200086b4 = 0; *(uint8_t*)0x200086b5 = 0; *(uint8_t*)0x200086b6 = 9; *(uint8_t*)0x200086b7 = 5; *(uint8_t*)0x200086b8 = 0x83; *(uint8_t*)0x200086b9 = 3; *(uint16_t*)0x200086ba = 0x40; *(uint8_t*)0x200086bc = 1; *(uint8_t*)0x200086bd = 0; *(uint8_t*)0x200086be = 0; *(uint8_t*)0x200086bf = 9; *(uint8_t*)0x200086c0 = 5; *(uint8_t*)0x200086c1 = 4; *(uint8_t*)0x200086c2 = 3; *(uint16_t*)0x200086c3 = 0x40; *(uint8_t*)0x200086c5 = 1; *(uint8_t*)0x200086c6 = 0; *(uint8_t*)0x200086c7 = 0; *(uint8_t*)0x200086c8 = 9; *(uint8_t*)0x200086c9 = 5; *(uint8_t*)0x200086ca = 5; *(uint8_t*)0x200086cb = 2; *(uint16_t*)0x200086cc = 0x200; *(uint8_t*)0x200086ce = 0; *(uint8_t*)0x200086cf = 0; *(uint8_t*)0x200086d0 = 0; *(uint8_t*)0x200086d1 = 9; *(uint8_t*)0x200086d2 = 5; *(uint8_t*)0x200086d3 = 6; *(uint8_t*)0x200086d4 = 2; *(uint16_t*)0x200086d5 = 0x200; *(uint8_t*)0x200086d7 = 0; *(uint8_t*)0x200086d8 = 0; *(uint8_t*)0x200086d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20008680, 0); if (res != -1) r[16] = res; break; case 38: *(uint32_t*)0x20008900 = 0x2c; *(uint64_t*)0x20008904 = 0x20008700; *(uint8_t*)0x20008700 = 0x20; *(uint8_t*)0x20008701 = 0x21; *(uint32_t*)0x20008702 = 0xdb; *(uint8_t*)0x20008706 = 0xdb; *(uint8_t*)0x20008707 = 0x24; memcpy((void*)0x20008708, 
"\xb5\x01\xb9\xa6\x76\xdf\xcb\x3e\x98\xc6\x6e\x8b\x68\x77\xca\xc3\x0d\xfb\x98\x56\xc7\x20\x94\xee\x90\xf2\x31\x70\xf3\x3d\xc0\x41\x69\x19\x14\x6a\x8a\x2a\xd6\x05\xce\x54\xf3\xd4\x43\xec\x59\x7b\x33\x7b\x1b\x4d\x39\xc4\x42\x89\xbb\xfc\x62\x1a\x00\x86\x26\x48\xfe\x2d\xf7\x54\xe4\x63\x45\x5e\xf8\x8f\x55\xfb\x63\xb4\xb7\x71\x9d\xd8\xd3\xe6\x84\x6c\x4d\x25\x4a\xfb\x2e\x40\x11\x6d\x2b\x5f\xcd\x88\x3a\x84\x21\x22\x17\xe0\x65\xcd\x44\x66\x68\x01\x15\x4e\x7b\x43\xe3\xd1\x62\x9d\xc7\x6f\x3a\x71\x10\xe8\x07\x90\xce\x65\xee\x44\x96\x1d\x30\x65\x21\xe9\x4e\x6e\xe9\x41\xa9\x7e\x0e\xab\x0e\x80\x37\xfe\xf7\x68\x90\x28\x91\xbb\x41\x05\xd8\xba\xf0\xa3\x5f\x93\xd2\xa5\x63\x59\x35\x79\x9c\x87\xeb\x91\xb5\xe5\xff\x7a\xe9\x1c\xbe\x9c\xda\xdd\x65\x3a\x48\x6d\x72\xd6\x7d\xc3\xb3\x71\xe4\xe5\xfa\x61\x87\x59\xde\x87\xeb\xe1\xec\x27\x8d\x14\x08\x34\x59\x0f\x6c\x51\x3e\x4c\x95\xcb\xb3", 217); *(uint64_t*)0x2000890c = 0x20008800; *(uint8_t*)0x20008800 = 0; *(uint8_t*)0x20008801 = 3; *(uint32_t*)0x20008802 = 0x18; *(uint8_t*)0x20008806 = 0x18; *(uint8_t*)0x20008807 = 3; memcpy((void*)0x20008808, "\x2c\x5d\xdd\x5f\xc6\x32\x36\xd4\x7a\xf3\x16\x42\x23\xe9\xb4\x23\xe1\x3b\x85\x60\xf2\x8a", 22); *(uint64_t*)0x20008914 = 0x20008840; *(uint8_t*)0x20008840 = 0; *(uint8_t*)0x20008841 = 0xf; *(uint32_t*)0x20008842 = 0x35; *(uint8_t*)0x20008846 = 5; *(uint8_t*)0x20008847 = 0xf; *(uint16_t*)0x20008848 = 0x35; *(uint8_t*)0x2000884a = 4; *(uint8_t*)0x2000884b = 7; *(uint8_t*)0x2000884c = 0x10; *(uint8_t*)0x2000884d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000884e, 8, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000884f, 0xa, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008850, 1, 0, 16); *(uint8_t*)0x20008852 = 0xb; *(uint8_t*)0x20008853 = 0x10; *(uint8_t*)0x20008854 = 1; *(uint8_t*)0x20008855 = 0xc; *(uint16_t*)0x20008856 = 8; *(uint8_t*)0x20008858 = 0x3f; *(uint8_t*)0x20008859 = 1; *(uint16_t*)0x2000885a = 4; *(uint8_t*)0x2000885c = 6; *(uint8_t*)0x2000885d = 0x14; 
*(uint8_t*)0x2000885e = 0x10; *(uint8_t*)0x2000885f = 4; *(uint8_t*)0x20008860 = 0x80; memcpy((void*)0x20008861, "\xd0\xd1\xe2\xd8\x68\xe0\xfa\x99\x17\x77\xca\xc1\xb7\x94\x82\x58", 16); *(uint8_t*)0x20008871 = 0xa; *(uint8_t*)0x20008872 = 0x10; *(uint8_t*)0x20008873 = 3; *(uint8_t*)0x20008874 = 2; *(uint16_t*)0x20008875 = 3; *(uint8_t*)0x20008877 = 4; *(uint8_t*)0x20008878 = 0; *(uint16_t*)0x20008879 = 8; *(uint64_t*)0x2000891c = 0x20008880; *(uint8_t*)0x20008880 = 0x20; *(uint8_t*)0x20008881 = 0x29; *(uint32_t*)0x20008882 = 0xf; *(uint8_t*)0x20008886 = 0xf; *(uint8_t*)0x20008887 = 0x29; *(uint8_t*)0x20008888 = 0; *(uint16_t*)0x20008889 = 4; *(uint8_t*)0x2000888b = 0xc1; *(uint8_t*)0x2000888c = 0x7f; memcpy((void*)0x2000888d, "\x1b\xc1\x9f\x6f", 4); memcpy((void*)0x20008891, "\x0c\xd3\xa1\x96", 4); *(uint64_t*)0x20008924 = 0x200088c0; *(uint8_t*)0x200088c0 = 0x20; *(uint8_t*)0x200088c1 = 0x2a; *(uint32_t*)0x200088c2 = 0xc; *(uint8_t*)0x200088c6 = 0xc; *(uint8_t*)0x200088c7 = 0x2a; *(uint8_t*)0x200088c8 = -1; *(uint16_t*)0x200088c9 = 8; *(uint8_t*)0x200088cb = 0x20; *(uint8_t*)0x200088cc = 2; *(uint8_t*)0x200088cd = 6; *(uint16_t*)0x200088ce = 0x800; *(uint16_t*)0x200088d0 = 9; *(uint32_t*)0x20008e00 = 0x84; *(uint64_t*)0x20008e04 = 0x20008940; *(uint8_t*)0x20008940 = 0; *(uint8_t*)0x20008941 = 0xb; *(uint32_t*)0x20008942 = 0xe5; memcpy((void*)0x20008946, 
"\xea\x88\xbc\xa9\xc1\xe3\xf5\xbd\xf6\x07\xf7\x25\x25\x73\xdd\x87\x56\xe9\xf3\x2a\x7c\x4a\xee\xa5\xb3\xe1\xae\x6f\xdb\xe3\x19\x4c\x19\x18\xd9\xd9\xa3\xaa\x13\xdb\xbc\x47\xe1\x43\x0d\x7b\xe6\xa1\x80\xc7\x38\x84\x56\xd1\x2a\x5c\x32\x7b\x71\x6d\x23\x41\xbc\xd0\xef\x82\xa4\xa3\x46\x10\xe2\x8f\xc7\xb2\xe1\x72\xdf\xa0\x56\xc6\x35\x3d\xa1\x66\x49\x6c\xa2\x54\x0e\x60\xbb\x52\x06\x6e\xf4\x77\x36\x67\x40\x9a\x68\xef\xf5\x2e\x75\xff\x93\x46\x9e\x4f\xf5\xd6\x99\x66\xb8\x1e\x03\x4c\x68\x8a\x2f\x6f\xd9\x45\xec\xd0\x5f\x33\x65\x73\x58\x68\x23\xfd\x9f\x6d\x40\xbb\x48\x3d\xd2\x7a\xd4\x6b\x84\x14\x55\xac\x07\xfc\x31\x9b\x8c\xb5\xf5\xe2\xda\xa6\x4a\x6c\x5f\x3b\xc0\x99\x27\x0c\xd3\x76\x66\x0e\xf3\x45\x65\x71\xaa\x6d\x2f\xe4\x86\x67\x83\x8d\x81\x11\x26\xca\xce\xed\xae\xbe\xf9\x60\x81\x92\xb6\x03\x32\x7f\x6e\xe9\xed\x42\x57\x2b\x6e\xb3\xc6\x63\x0e\x90\x17\x42\x8e\xd3\x70\xbd\x03\x24\xda\x01\xea\xe4\xa7\x88\x1a\x6b\x88\xaa\x1a", 229); *(uint64_t*)0x20008e0c = 0x20008a40; *(uint8_t*)0x20008a40 = 0; *(uint8_t*)0x20008a41 = 0xa; *(uint32_t*)0x20008a42 = 1; *(uint8_t*)0x20008a46 = 5; *(uint64_t*)0x20008e14 = 0x20008a80; *(uint8_t*)0x20008a80 = 0; *(uint8_t*)0x20008a81 = 8; *(uint32_t*)0x20008a82 = 1; *(uint8_t*)0x20008a86 = 0x1f; *(uint64_t*)0x20008e1c = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x20; *(uint8_t*)0x20008ac1 = 0; *(uint32_t*)0x20008ac2 = 4; *(uint16_t*)0x20008ac6 = 2; *(uint16_t*)0x20008ac8 = 3; *(uint64_t*)0x20008e24 = 0x20008b00; *(uint8_t*)0x20008b00 = 0x20; *(uint8_t*)0x20008b01 = 0; *(uint32_t*)0x20008b02 = 4; *(uint16_t*)0x20008b06 = 0x100; *(uint16_t*)0x20008b08 = 1; *(uint64_t*)0x20008e2c = 0x20008b40; *(uint8_t*)0x20008b40 = 0x40; *(uint8_t*)0x20008b41 = 7; *(uint32_t*)0x20008b42 = 2; *(uint16_t*)0x20008b46 = -1; *(uint64_t*)0x20008e34 = 0x20008b80; *(uint8_t*)0x20008b80 = 0x40; *(uint8_t*)0x20008b81 = 9; *(uint32_t*)0x20008b82 = 1; *(uint8_t*)0x20008b86 = 0x7f; *(uint64_t*)0x20008e3c = 0x20008bc0; *(uint8_t*)0x20008bc0 = 0x40; *(uint8_t*)0x20008bc1 = 0xb; 
*(uint32_t*)0x20008bc2 = 2; memcpy((void*)0x20008bc6, "\xa6\xab", 2); *(uint64_t*)0x20008e44 = 0x20008c00; *(uint8_t*)0x20008c00 = 0x40; *(uint8_t*)0x20008c01 = 0xf; *(uint32_t*)0x20008c02 = 2; *(uint16_t*)0x20008c06 = 0; *(uint64_t*)0x20008e4c = 0x20008c40; *(uint8_t*)0x20008c40 = 0x40; *(uint8_t*)0x20008c41 = 0x13; *(uint32_t*)0x20008c42 = 6; *(uint8_t*)0x20008c46 = 0; *(uint8_t*)0x20008c47 = 0; *(uint8_t*)0x20008c48 = 0; *(uint8_t*)0x20008c49 = 0; *(uint8_t*)0x20008c4a = 0; *(uint8_t*)0x20008c4b = 0; *(uint64_t*)0x20008e54 = 0x20008c80; *(uint8_t*)0x20008c80 = 0x40; *(uint8_t*)0x20008c81 = 0x17; *(uint32_t*)0x20008c82 = 6; *(uint8_t*)0x20008c86 = 1; *(uint8_t*)0x20008c87 = 0x80; *(uint8_t*)0x20008c88 = 0xc2; *(uint8_t*)0x20008c89 = 0; *(uint8_t*)0x20008c8a = 0; *(uint8_t*)0x20008c8b = 1; *(uint64_t*)0x20008e5c = 0x20008cc0; *(uint8_t*)0x20008cc0 = 0x40; *(uint8_t*)0x20008cc1 = 0x19; *(uint32_t*)0x20008cc2 = 2; memcpy((void*)0x20008cc6, "rN", 2); *(uint64_t*)0x20008e64 = 0x20008d00; *(uint8_t*)0x20008d00 = 0x40; *(uint8_t*)0x20008d01 = 0x1a; *(uint32_t*)0x20008d02 = 2; *(uint16_t*)0x20008d06 = 0xb81; *(uint64_t*)0x20008e6c = 0x20008d40; *(uint8_t*)0x20008d40 = 0x40; *(uint8_t*)0x20008d41 = 0x1c; *(uint32_t*)0x20008d42 = 1; *(uint8_t*)0x20008d46 = 0x40; *(uint64_t*)0x20008e74 = 0x20008d80; *(uint8_t*)0x20008d80 = 0x40; *(uint8_t*)0x20008d81 = 0x1e; *(uint32_t*)0x20008d82 = 1; *(uint8_t*)0x20008d86 = 0x80; *(uint64_t*)0x20008e7c = 0x20008dc0; *(uint8_t*)0x20008dc0 = 0x40; *(uint8_t*)0x20008dc1 = 0x21; *(uint32_t*)0x20008dc2 = 1; *(uint8_t*)0x20008dc6 = 0x92; syz_usb_control_io(r[15], 0x20008900, 0x20008e00); break; case 39: syz_usb_disconnect(r[15]); break; case 40: syz_usb_ep_read(r[16], 0x1f, 0x80, 0x20008ec0); break; case 41: memcpy((void*)0x20008f40, 
"\x05\x9c\xba\xeb\x68\x64\xbc\xc9\x3a\x17\x64\x09\x36\xd2\xe5\x45\x0d\xeb\x6a\x94\xa3\xcd\x8d\xba\xc2\xfb\xcf\xac\x93\x2f\x8d\xd2\x22\x05\xe7\xae\x58\x9b\x0f\x01\x72\xe7\x51\xe3\x08\xa2\x36\xce\xa8\x57\x11\xd7\x4b\x54\x6d\x98\xb4\xd7\x5a\xfc\xc6\x5f\xd0\x46\x33\xc1\xfb\xed\x7c\xfe\x4d\x04\x9d", 73); syz_usb_ep_write(r[15], -1, 0x49, 0x20008f40); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :476:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :476:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor524994444 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/21 (4.88s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:true VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: socket$nl_netfilter(0x10, 0x3, 0xc) r0 = open(&(0x7f0000000000)='./file0\x00', 0x2000, 0x163) recvfrom(r0, &(0x7f0000000040)=""/238, 0xee, 0x1, &(0x7f0000000140)=@llc={0x1a, 0x10f, 0x7, 0xc7, 0x6, 0xff, @broadcast}, 0x80) r1 = socket$inet_sctp(0x2, 0x5, 0x84) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r1, 0x84, 0xa, &(0x7f00000001c0)={0x7ff, 0x1ff, 0x204, 0x0, 0x803, 0x0, 0x5, 0x800}, 0x20) execveat(r0, &(0x7f0000000200)='./file0\x00', &(0x7f0000000400)=[&(0x7f0000000240)='^\x00', &(0x7f0000000280)='*,+\x00', &(0x7f00000002c0)='-{$(%![\x00', 
&(0x7f0000000300)='\\[\x00', &(0x7f0000000340)='\x00', &(0x7f0000000380)='\x00', &(0x7f00000003c0)='\xb1$}\x00'], &(0x7f0000000640)=[&(0x7f0000000440)='\x00', &(0x7f0000000480)='*/%}\\\\\x00', &(0x7f00000004c0)='@[\x00', &(0x7f0000000500)='\x00', &(0x7f0000000540)=':\'\x9f^(\x00', &(0x7f0000000580)='],-.$\xfb\\}{)@-&/[\\!\x00', &(0x7f00000005c0)='\x00', &(0x7f0000000600)='{{\'$(+-(}{}]?/--)\x00'], 0x1000) r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000680)='/dev/hwrng\x00', 0x40000, 0x0) ioctl$HIDIOCGPHYS(r2, 0x80404812, &(0x7f00000006c0)) ioctl$TIOCGICOUNT(r2, 0x545d, 0x0) io_uring_setup(0x509f, &(0x7f0000000700)={0x0, 0x9c76, 0x8, 0x3, 0x309, 0x0, r0}) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_unix_may_send\x00') syz_emit_ethernet(0x2e, &(0x7f0000000040)={@dev={[], 0x29}, @local, @void, {@ipx={0x8137, {0xffff, 0x20, 0x2, 0x0, {@random=0x3, @random="67516965f015", 0x3}, {@random=0xa0, @current, 0x8ca}, "d18e"}}}}, &(0x7f0000000080)={0x1, 0x3, [0x6f3, 0xd92, 0xd18, 0x98a]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_EVENT_PKT={0x4, @hci_ev_pkt_type_change={{0x1d, 0x5}, {0x1, 0xc9, 0x800}}}, 0x8) syz_execute_func(&(0x7f0000000100)="c4017c5a50f2c4a1637c7a862ef04230b50d00000041d9f93e420fb7bcaeb0000000c4c2a5291498c482c9bdac33de7941f1c401fc2e0666400f38241f670fecfb") syz_extract_tcp_res(&(0x7f0000000180), 0x8, 0x47) r3 = openat$selinux_policy(0xffffffffffffff9c, &(0x7f00000001c0)='/selinux/policy\x00', 0x0, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002500)={0x2020, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x2020) lstat(&(0x7f00000046c0)='\x00', &(0x7f0000004700)={0x0, 0x0, 0x0, 0x0, 0x0}) stat(&(0x7f0000004780)='./file0\x00', &(0x7f00000047c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000004840)=0x0, &(0x7f0000004880), &(0x7f00000048c0)) syz_fuse_handle_req(r3, &(0x7f0000000200)="", 0x2000, &(0x7f0000004cc0)={&(0x7f0000002200)={0x50, 0x0, 0x8b20, {0x7, 0x1f, 0x4, 0x0, 0x6, 0x2, 0x7fffffff, 0x2}}, &(0x7f0000002280)={0x18, 0xfffffffffffffff5, 0x55}, 
&(0x7f00000022c0)={0x18, 0x0, 0x2, {0x9}}, &(0x7f0000002300)={0x18, 0x0, 0x40, {0xe62}}, &(0x7f0000002340)={0x18, 0x0, 0x80000001, {0x787}}, &(0x7f0000002380)={0x28, 0x0, 0x3, {{0x9, 0x101, 0x0, 0xffffffffffffffff}}}, &(0x7f00000023c0)={0x60, 0x0, 0x9, {{0xf652, 0x8d, 0x0, 0x3f, 0x80000000, 0x0, 0x3}}}, &(0x7f0000002440)={0x18, 0x0, 0x2, {0xa8f}}, &(0x7f0000002480)={0x26, 0x0, 0x8, {'bpf_lsm_unix_may_send\x00'}}, &(0x7f00000024c0)={0x20, 0x0, 0x6, {0x0, 0x12}}, &(0x7f0000004540)={0x78, 0xfffffffffffffff5, 0x81, {0x1, 0x7, 0x0, {0x5, 0x8, 0x6, 0x1ff, 0x5, 0x4, 0x4, 0xe8, 0x193, 0x7000, 0x6, 0xffffffffffffffff, r4, 0x3, 0x9}}}, &(0x7f00000045c0)={0x90, 0x0, 0x8612, {0x5, 0x3, 0xb2f, 0x20, 0x0, 0x7, {0x0, 0x1ff, 0x2, 0x2, 0x1de, 0x5a, 0x9, 0xc46, 0x5, 0xc000, 0xddce, 0xee01, 0xee00, 0x0, 0x12}}}, &(0x7f0000004680)={0x10, 0x0, 0x5}, &(0x7f0000004900)={0x2c0, 0xfffffffffffffff5, 0x8a, [{{0x4, 0x3, 0xfff, 0x6, 0xffffffff, 0x8, {0x5, 0xca13, 0x81, 0x4, 0x0, 0xbbc, 0x0, 0x3, 0x34b, 0x4000, 0x9, 0x0, 0xee01, 0x2, 0x81}}, {0x3, 0x80000001, 0x16, 0xf97, 'bpf_lsm_unix_may_send\x00'}}, {{0x5, 0x3, 0x100000001, 0x10001, 0x7, 0x83, {0x5, 0x5, 0x100, 0x6, 0xfffffffffffffbff, 0xb533, 0x800, 0xad7, 0x32f914fb, 0x2000, 0xe0, r6, 0xee01, 0x4, 0x64}}, {0x4, 0xfffffffffffffffc, 0x16, 0x6, 'bpf_lsm_unix_may_send\x00'}}, {{0x2, 0x2, 0x7, 0x8000, 0x9, 0x3, {0x2, 0x7, 0x80000000, 0x8, 0x6, 0x400, 0xc932, 0x81, 0x5, 0x1000, 0xf841, r7, 0xee00, 0xff, 0x5}}, {0x4, 0xffffffffffff3232, 0x16, 0x5, 'bpf_lsm_unix_may_send\x00'}}, {{0x4, 0x0, 0x0, 0x7, 0x200, 0x6, {0x5, 0x1020000, 0x6, 0x7f, 0xce, 0x0, 0xa9fb, 0xffffff81, 0x3ff, 0x1000, 0x0, 0x0, r8, 0x8de6, 0x3}}, {0x2, 0xffffffff, 0x1, 0x5, '/'}}]}, &(0x7f0000004bc0)={0xa0, 0x0, 0x3f, {{0x5, 0x2, 0x0, 0x7, 0x6, 0x3, {0x2, 0xf51e, 0x65, 0x1, 0x8b, 0x7f, 0x100, 0x9, 0x24, 0xa000, 0x3f, 0x0, 0xffffffffffffffff, 0x40, 0x3}}, {0x0, 0x1}}}, &(0x7f0000004c80)={0x20, 0xfffffffffffffff5, 0x401, {0x5b2, 0x0, 0x9, 0x2}}}) 
syz_genetlink_get_family_id$SEG6(&(0x7f0000004d40)='SEG6\x00') r9 = syz_init_net_socket$ax25(0x3, 0x2, 0x1) r10 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x3e79, &(0x7f0000004d80)={0x0, 0xb8ca, 0x20, 0xe7c, 0x26b, 0x0, r10}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004e00), &(0x7f0000004e40)) syz_io_uring_setup(0x5336, &(0x7f0000004e80)={0x0, 0x29dc, 0x2, 0x1, 0x3d6, 0x0, r3}, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000004f00)=0x0, &(0x7f0000004f40)=0x0) r13 = syz_open_dev$vcsa(&(0x7f0000004f80)='/dev/vcsa#\x00', 0xfffffffffffffff8, 0x240) syz_io_uring_submit(0x0, r12, &(0x7f0000004fc0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd=r13, 0x0, 0x0, 0x0, {0x4404}}, 0x8) r14 = syz_open_dev$vcsa(&(0x7f0000005000)='/dev/vcsa#\x00', 0x1000, 0x8600) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005080)=[{0x0, &(0x7f0000005040)="48d5a3400d135dd4910161867c991fc7d68d55145fbbc5c498b58fba49bd01b68386473365a9131272ede1d53bc285051b85", 0x32}], 0x1, 0x0, &(0x7f00000050c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000005100)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000005140)='afs\x00', &(0x7f0000005180)='./file0\x00', 0x0, 0x9, &(0x7f0000006640)=[{&(0x7f00000051c0)="c5f6f420aeec388cedec2b597c8156538cd4586034199f56f5944da03d8ca829f6c6b6", 0x23, 0x1}, {&(0x7f0000005200)="f4ee9edc1be2c2d862a480f30ae30dafadfdf869f7789a4549f5a8dac06fe4c5d5d2cf0066d88bfca6af40745ed617b7a146c940de37505cb965eaa1982c8ca0ec2106f47e4e265f1e19285bba7eb577f60066b5f46c62d2ec0068edcbe6300e4f1e3cce429e45a7df287e8009841db1015134eeaa724311e55181cb7afe7dfdc7946bd14523ea6680ea42ca9f7b0eaaabe1d054277eff607ef4f8402e5dc37e6a528ec3565823c031a8460e8b5f670668f86b90a026043a", 0xb8, 0x2}, 
{&(0x7f00000052c0)="baeede481736d90f0aa36fb327956dd763578e20199f0dc85f185c9306866ba33c93d2af9613c92909c651254e6a63503dbf317b021c4b3c8de305d3de39a1ad9ac1b0ab3f51f68c1ae1da3e4cc744fd00dfa6d1b96e21134007d31c93013854ed32550f1b82a4c03ca67440d86545dcd29eea99274f655737ad5a54d9e7f9dec49129bb84beb62b1853f69e6a077209f7e55ce0d51686ca764d2ce334cd6d09b5d92357bdef60a635", 0xa9}, {&(0x7f0000005380)="31f1fbee4b48e6e69cb61bd1ccc1e213af5a28e74cffc2e5e82fbbcd1c3400faf379d1a194d52a3667e2019b9aec0e14feed8fea770a9a1bfbbc30997321bcbbcf4d115bb3d3269e50beca5982ef1d22c983d78621dbaa93e8395efe31dfadedcaded0976f5f0c7d4f17b6cc88b897ce5ddff1ade8ef2d62dcbed421589e3cfb5d8550d3651a99115d6e", 0x8a, 0x2}, {&(0x7f0000005440)="7881b6811ea2aec8f27f7f7f523cc4baca3652f7303cd748fb4ed8cc783ac578a9e853a9906a", 0x26, 0x1}, {&(0x7f0000005480)="", 0x1000, 0xff00000000000000}, {&(0x7f0000006480)="829251fbd70caeb451ccf09a96fbfe559b217a4a12cf46a389d82c55ef7f5c64e45e1b6f269559a85e8bcc232bf1500dcb9af40f697165fde6209f8bf001585b6ccaafe194ccfdb7f8990804ee77ed9a345b52a8d7e8f4", 0x57, 0x8}, {&(0x7f0000006500)="34e0c082bd77b51d0c9ab1bcde0acc308149f3e64c75b7173cda5f39d3b4a62c60de76d12d41cec1b7c9bc9e57acb7834282a5758d7c7e4b21715febf6fbf144ad46cbf2cec87f7401", 0x49, 0x8001}, {&(0x7f0000006580)="e60976f86d91dd66cec0b1e30ec801160b84cfb1f8603703d14a6b815d22e1783eed12ce8c080e3ffbf0b53095f69603fa76a934a60a0526341eafafb3867d13e88d1d39e370a00dbe06ddc840ba7446a62597069e1dcd138f82b29ff78af1d1c3133fe9c04d732cdb4b3f6aa26989369b5f6dca6000a0767341bc2aaacd69e648621915b8aa9cb24c6bb5ae3f", 0x8d, 0x3}], 0x10000, &(0x7f0000006740)={[{@flock_strict='flock=strict'}], [{@obj_type={'obj_type', 0x3d, '/dev/vcsa#\x00'}}, {@obj_role={'obj_role', 0x3d, 'bpf_lsm_unix_may_send\x00'}}]}) syz_open_dev$I2C(&(0x7f00000067c0)='/dev/i2c-#\x00', 0x4, 0x4800) syz_open_procfs(r5, &(0x7f0000006800)='net/icmp\x00') syz_open_pts(r9, 0x258102) syz_read_part_table(0x9, 0x8, 
&(0x7f0000007d00)=[{&(0x7f0000006840)="b3de0d9f2e1eba9879eef08dbd42edd7d622f095e0ce3429b64c46708bf7fa26e69ec157caa3e16d60b3baf5b0d246bfef955e35f85556c9614a60b65cae7c023c99318fc85bc0abfd16bc78eb56317cd8b80c5f5a87856c5cd0b97fc283cbc9d835ff9d70972bd4201169a35c2699bf5a8b31ad3607121019e73398b228b9c59aa5b5c007166766eee5911d5d2f864cb42b8421f38cb21aa93697e5ad166a966ac98aa776fd27500294c4dd1bacf41fd070e9e4a9e5eb70d2a98f915c1391fd75f5ffecfab42425eb016c33ec19ae67f4b100088e090f035d78143b35944f30a49a77b8c5e2a08e9f381a8afbcf48ebad8411455ff2cb76a4a1b557d121", 0xfe, 0x7fffffff}, {&(0x7f0000006940)="330ea746d7dfb4a5e9f33a325a9688ca04cd59af724b34f70ae370d4ac73ea9a65ab003f2cbc01af1162c0fefb2b7e4a0dcd3f2a8c23f2a1", 0x38, 0x2eed}, {&(0x7f0000006980)="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", 0x1000, 0x4065ebb7}, {&(0x7f0000007980)="112a657c2770ad17f2e77762160bb14f2f71a17b88fdb946f919b2dfd3efd616e31124ff47ee668f6065a0435a791a7439d8aa10dcc418192d821e36fc0820d7cc0f88b088916d786f01426fa46b214de822d24e4d6c785feac458d98635c4801672bd4e74fd40753932121152ae0ead771e3abc7f741e393b328526e5ec29e8e0d9b3a2bebcd0eb3472a4bd8e50f953ed173ba271fbe9f9d9c463c79f44d093154ffef59c93ada783b4727fc35ba6c0db2518939cb35fb3301d4cf72d2524f83ac4ab57a8acfc93a99c26ccaee0566371229496e93021e86b956021a467f34be66e", 0xe2, 0x6d69}, {&(0x7f0000007a80)="629825e3cb9c42732810eb62f1ff4785718f7a30c63940f2eadf19dae820feb9b7b358f741b834164a9a4ac8ce398c231607f523a26db9e0aecac1d1e89022d1cd50d644f2466b25ec09c6d6ef4f0b3ef592d1408d049da49b953b327e123c6f1963c2f7a9e3cc7e0c52ed1e17d0a8b794666875b20b07a0f5c2c76d9632909f769eb25b162737bea131f5c270b3249fd65c255e68b680271d0c11196715177744e7", 0xa2, 0x9}, 
{&(0x7f0000007b40)="d1091749233d1e7ec50653f301a734f5dd67ac1e748923e44ccedeeb3ea234745896abcb8003ed61605b5dffa8a9af0aa12ed902d4a35a9260c53ab6a621e210e61e4002838dc29e2f798b4cbe0ed0c12a33c69ddda446b9b884fcbfe28199184bd4aeb097d0d9a393b699d1f55a57d830da497d79b9bd7dbcdbfe7e168d6007611db96733574fb150f4e90991c70fc19edba6beedc5a72169366ae5fca5c1cb413bbc54ff8f127d1b94cf9942b5c9be5fbfc93946bf1d0b289a7442fb057adb0ae7fa4189d5e5fefc75ed5d260b3c2c2445d49579e6b369e396da162d940559", 0xe0, 0x6}, {&(0x7f0000007c40)="768d82c47f166e252530915b63b40d9eba4b95fe087893453f373a94389e1120981cb44576a2051c4158400a59b9c8a940ccae2826414e14ad55c72b04f8fabfe86462409b3ab2a075ea92c8bddcd2b2fc0fd77a97bc271ecd43dd605f29b990837b409eed5965ddb3fb1b91e5bf12ddbcf21c90c7ef2f0ab9bb03f72a647ce8", 0x80, 0xfffffffffffffff7}, {&(0x7f0000007cc0)="46c0ce8920305b2c7f636edbb165920db78c61f8", 0x14, 0xfffffffffffffffa}]) r15 = syz_usb_connect(0x5, 0x776, &(0x7f0000007dc0)={{0x12, 0x1, 0x300, 0x94, 0xe8, 0x2e, 0x40, 0x789, 0x160, 0xf578, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x764, 0x2, 0x4, 0x8f, 0x0, 0x7f, [{{0x9, 0x4, 0x40, 0x3f, 0xe, 0xbb, 0x18, 0xf3, 0x20, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "c1b0c981cc"}, {0x5, 0x24, 0x0, 0x7}, {0xd, 0x24, 0xf, 0x1, 0x9, 0xfff, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0xaa4}, @acm={0x4, 0x24, 0x2, 0x9}]}, @hid_hid={0x9, 0x21, 0x7ff, 0x8, 0x1, {0x22, 0xd44}}], [{{0x9, 0x5, 0x3, 0x3, 0x40, 0x6, 0x6, 0x80}}, {{0x9, 0x5, 0x5, 0x8, 0x20, 0x34, 0x7, 0xd1, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x20}, @generic={0x65, 0x30, "dac16e845b149dafe66663cc3acf393fa7b0ae46cbb8cf207bdb0d3d6cf681661fa00ed58d703c226470a84eaa264be51e6810875248ede794e2207e60b04585603cd055c6348f0eb4f33f2a833f4aee8884d7773be2f45177ad4c03728ff4dd8e40fd"}]}}, {{0x9, 0x5, 0x2, 0x4, 0x3ff, 0x1f, 0x2, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x9, 0x2}]}}, {{0x9, 0x5, 0x6, 0x0, 0x40, 0x0, 0x40, 0xfd, [@uac_iso={0x7, 0x25, 0x1, 0x83, 0x1f, 0x1000}]}}, {{0x9, 0x5, 0xd, 0x1, 0x3ff, 0x3, 0x1, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x4, 0x3}]}}, 
{{0x9, 0x5, 0x5, 0x4, 0x8, 0x8, 0xff, 0x80}}, {{0x9, 0x5, 0xf, 0x1, 0x8, 0xae, 0x9, 0xf6, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x95, 0x6}, @generic={0x7a, 0x6, "3f8f5c318c80e5a936089fa5be9dc364d3a8ff22238b9200642bb7969b9c0989510df3f2673846f3fe68eec487476d9d8ea37c9e7ec2939c3a85842cad500bf77aed1d9290eb850af4621cafed03c08a55c422c7122f6ec0703a47dfcb279c0b03558b39c7231b38e559d0546a29ca32280a8ce47080aa8d"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x58982e9dfc588938, 0x1, 0x8c, 0x4}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x6, 0x1, 0x81}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0x80, 0x3, 0x23, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0xb5a}]}}, {{0x9, 0x5, 0x8, 0x2, 0x8, 0x1f, 0x8, 0x1f, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x7f, 0x3}]}}, {{0x9, 0x5, 0xd, 0xc, 0x3ff, 0x12, 0x9, 0x4, [@generic={0xe, 0x5, "a9b97bc24de62c3bcf2bfa13"}, @generic={0x44, 0x30, "9f0d5ea24268b8a3211765246b1a834af641e8cd6ea3ef9b1fe10f16bed6b06cc3a165920c9d73909ab9ac8b2a7a8a5dae5d4acf316d0b35d4b644d368a06e0eff85"}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x3, 0xff, 0x6}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x6, 0x2e}}]}}, {{0x9, 0x4, 0x7, 0x0, 0xd, 0x29, 0xcb, 0x7c, 0x9, [@hid_hid={0x9, 0x21, 0x7, 0x1, 0x1, {0x22, 0xbd9}}, @uac_as={[@format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x43, 0x1, 0x0, 0x9, 'd\"', "3709db"}, @format_type_i_discrete={0x11, 0x24, 0x2, 0x1, 0xf8, 0x2, 0x7, 0x40, "5e58dff9a0d01e4109"}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0xffec, 0x6, 0x15, '?w'}, @as_header={0x7, 0x24, 0x1, 0xe1, 0x3, 0x2}]}], [{{0x9, 0x5, 0xc, 0x8, 0x8, 0x4, 0x8, 0x8}}, {{0x9, 0x5, 0x6, 0x8, 0x8, 0x0, 0x2, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x6, 0x18}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x39, 0x0, 0x6, [@generic={0x80, 0x23, 
"eba3e2d4848f84d0e6ded46e24d10bf9f8b0738910e29f319e942546e9cda8638257f55d0049672a1337067af73c1c29e0bd772a1cd5e16d249ed15cdd3d85a4399aef69e3f5a506ea0e0559306fe1f42dfc10922062e2bc062c34a1adc4bc46b080259ad20b37cde1eba7178fb514b2ef7397715b0eae34d5efd5274900"}, @generic={0xa1, 0x21, "1c020b389a4c59d1f26da857b222a6f6618adb0411bb24478e68ffe758469d4bb34df6aa9577ced55383dff01c052abbde70468ce31100ca3184d1d5f803dc280df3b7ae4738ad05036701e2e38ce844a7d301d86e0597c5bc1b67e7c6a5f7dfbc3311dbd234688e85e9a7d5021e51e2d0dd418038153db65b7fc268f98ddfd9e5036f24497d2f04cdcc752178991958f7243ff4dd5aefcf759a3fe7fb34c8"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x240, 0x2, 0x1, 0x0, [@generic={0x26, 0x3, "b451e24f6972cd6429f81ca173d13fb2c7f5284751638bbc4f0b3de02091fbb4f44533d9"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x7, 0x3f, 0xdb, [@generic={0xc0, 0x0, "ba73f770a427b8438313cb7e9d9d53a7e3110366c878e3c0f6e629ebb2a084a90b2def4b66950fdfd606e0834229e63028875489678bc93698ed8613884254703c315f1ee529d1bcbfaf8d865e738b9e08cbc4a211d480bdc2a6e69e172b1c73639474f1f0115b5f4918d037451c99dee88547562582d57171aa196913f11915d1fdc1a513b16c0b9c1fa07157421046f4f3372d00d4a27eb93ecd79b685e14f3eba647e7b20aefdf92ed05bef68935265ce0035e3b624852350d1234ef9"}, @generic={0xa, 0x5, "290a548e962666df"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x7d7, 0x0, 0x7, 0xf9, [@generic={0xcd, 0x2, "74cd6007ae0ea1297f07018cbdaaa0c87851a01308ad717f235e9eff8010ad1046a5148d352a70760bc4bebdd7528bf7d506da1baac2cf499d52de51d71b05185d7cd268023de5961304521b5f567c74ccab78b61c3f641662af2d55d5157a0ddc80c75962e9bda9ff2d3b63df6a6a0e2aebbfc664de3f3a34d66200fa092475685957f0b3594247a21d463cfe0ccd8044f95319b4d40c7f022d5a9ce9e348cd623dc4c590bee5a1047270954214611a8d98e60aa697a5ce30eeacd2397094e50716739911a4478b495f02"}, @generic={0x2b, 0x3, "9bc9f5807506303fbfd71282a82058560fe8180b205f6f47f9d7cf05280b7eb96d6d1589972f402ef4"}]}}, {{0x9, 0x5, 0x7, 0x1a, 0x8, 0x7, 0x3, 0x86, [@generic={0x35, 0xb, 
"018a3d5fb94d26c6a689e91eb6a9e49bf1b883b9e3da0a42bf45639bc1b19a0d8e78babd769b27a43dd091ce83b4a91cf5d119"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x6}]}}, {{0x9, 0x5, 0x3, 0x2, 0x200, 0x8, 0x55, 0x7, [@generic={0xc, 0x21, "f2ae0c70731245835364"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x400, 0xff, 0x9, 0x7f}}, {{0x9, 0x5, 0x3, 0x4, 0x3ff, 0x3, 0x81, 0x1f, [@generic={0x102, 0xb, "15f52948168969a7879f686a664459f31fa9c146da65eaa1878b3996e099dd1ec68900a257c011397bcfc10bc428591972ae5eb70e65d200248c433d8b1eafe5df95a196b58ed50a74d48f9c07f50858dd07d94ec76626b5b47c9acd4fdbecde356cababc43c3144fc2e524b71bb4e8bb535daa071e242c58584dbdd6c1e758e33fecd91aac96d2288322ed48acfdaab536ea51298e16c6033ac2b91758482719cc7d764373cedf5d039e75f0be35acdac46bff129af0ad817e14064398be64933b676fab4ff8b8d37cd742e41fd64f87b7f7df873b3d4c1ca440e20a829e34c6977054fd5975e34941c4ca24dcaf07e3b9950280b30fb2c4356eedab3e5184e"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x200}]}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x81, 0x1, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x8, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x8}]}}, {{0x9, 0x5, 0x0, 0x4, 0x80, 0x9, 0x6, 0x7}}, {{0x9, 0x5, 0x3, 0x0, 0x7ff, 0x1, 0xff, 0x1f}}]}}]}}]}}, &(0x7f0000008640)={0xa, &(0x7f0000008540)={0xa, 0x6, 0x0, 0x2, 0x86, 0x80, 0x10, 0x2}, 0x42, &(0x7f0000008580)={0x5, 0xf, 0x42, 0x5, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x3, 0x73, 0x4}, @ptm_cap={0x3}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0xeb, 0x3f, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x8, 0xf, 0x6, 0x5}, @generic={0x1f, 0x10, 0x1, "61408d3d2e1872469226d4d9befecdac208dfdaa385178f48ca75650"}]}, 0x1, [{0x4, &(0x7f0000008600)=@lang_id={0x4, 0x3, 0x41a}}]}) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000008680)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r15, &(0x7f0000008900)={0x2c, &(0x7f0000008700)={0x20, 0x21, 0xdb, {0xdb, 0x24, 
"b501b9a676dfcb3e98c66e8b6877cac30dfb9856c72094ee90f23170f33dc0416919146a8a2ad605ce54f3d443ec597b337b1b4d39c44289bbfc621a00862648fe2df754e463455ef88f55fb63b4b7719dd8d3e6846c4d254afb2e40116d2b5fcd883a84212217e065cd44666801154e7b43e3d1629dc76f3a7110e80790ce65ee44961d306521e94e6ee941a97e0eab0e8037fef768902891bb4105d8baf0a35f93d2a5635935799c87eb91b5e5ff7ae91cbe9cdadd653a486d72d67dc3b371e4e5fa618759de87ebe1ec278d140834590f6c513e4c95cbb3"}}, &(0x7f0000008800)={0x0, 0x3, 0x18, @string={0x18, 0x3, "2c5ddd5fc63236d47af3164223e9b423e13b8560f28a"}}, &(0x7f0000008840)={0x0, 0xf, 0x35, {0x5, 0xf, 0x35, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x8, 0x2, 0xa, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x8, 0x3f, 0x1, 0x4, 0x6}, @ss_container_id={0x14, 0x10, 0x4, 0x80, "d0d1e2d868e0fa991777cac1b7948258"}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x3, 0x4, 0x0, 0x8}]}}, &(0x7f0000008880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x4, 0xc1, 0x7f, "1bc19f6f", "0cd3a196"}}, &(0x7f00000088c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xff, 0x8, 0x20, 0x2, 0x6, 0x800, 0x9}}}, &(0x7f0000008e00)={0x84, &(0x7f0000008940)={0x0, 0xb, 0xe5, "ea88bca9c1e3f5bdf607f7252573dd8756e9f32a7c4aeea5b3e1ae6fdbe3194c1918d9d9a3aa13dbbc47e1430d7be6a180c7388456d12a5c327b716d2341bcd0ef82a4a34610e28fc7b2e172dfa056c6353da166496ca2540e60bb52066ef4773667409a68eff52e75ff93469e4ff5d69966b81e034c688a2f6fd945ecd05f336573586823fd9f6d40bb483dd27ad46b841455ac07fc319b8cb5f5e2daa64a6c5f3bc099270cd376660ef3456571aa6d2fe48667838d811126caceedaebef9608192b603327f6ee9ed42572b6eb3c6630e9017428ed370bd0324da01eae4a7881a6b88aa1a"}, &(0x7f0000008a40)={0x0, 0xa, 0x1, 0x5}, &(0x7f0000008a80)={0x0, 0x8, 0x1, 0x1f}, &(0x7f0000008ac0)={0x20, 0x0, 0x4, {0x2, 0x3}}, &(0x7f0000008b00)={0x20, 0x0, 0x4, {0x100, 0x1}}, &(0x7f0000008b40)={0x40, 0x7, 0x2, 0xffff}, &(0x7f0000008b80)={0x40, 0x9, 0x1, 0x7f}, &(0x7f0000008bc0)={0x40, 0xb, 0x2, "a6ab"}, &(0x7f0000008c00)={0x40, 0xf, 0x2}, &(0x7f0000008c40)={0x40, 0x13, 0x6}, &(0x7f0000008c80)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 
0x0, 0x0, 0x1}}, &(0x7f0000008cc0)={0x40, 0x19, 0x2, 'rN'}, &(0x7f0000008d00)={0x40, 0x1a, 0x2, 0xb81}, &(0x7f0000008d40)={0x40, 0x1c, 0x1, 0x40}, &(0x7f0000008d80)={0x40, 0x1e, 0x1, 0x80}, &(0x7f0000008dc0)={0x40, 0x21, 0x1, 0x92}}) syz_usb_disconnect(r15) syz_usb_ep_read(r16, 0x1f, 0x80, &(0x7f0000008ec0)=""/128) syz_usb_ep_write(r15, 0xff, 0x49, &(0x7f0000008f40)="059cbaeb6864bcc93a17640936d2e5450deb6a94a3cd8dbac2fbcfac932f8dd22205e7ae589b0f0172e751e308a236cea85711d74b546d98b4d75afcc65fd04633c1fbed7cfe4d049d") csource_test.go:123: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
// NOTE(review): the #include directives below lost their <header> arguments when this log was
// rendered; they are reproduced exactly as printed, on one line.
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include

// Index of the executing process; declared here, not referenced in this excerpt.
static unsigned long long procid;

// Sleeps for ms milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Monotonic clock in milliseconds.  A clock_gettime failure terminates the process:
// nothing in this generated program reports errors, it just stops.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Creates a fresh scratch directory under the cwd and chdirs into it.  The explicit 0777 mode
// overrides the umask-restricted mode mkdtemp applies; presumably so that the syscalls run
// later (possibly under different credentials) can still write there -- confirm against the
// rest of the program.  Any failure is fatal.
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

// Starts a worker thread with a 128 KiB stack, retrying up to 100 times with a 50 us pause
// while errno is EAGAIN; any other failure, or exhausting the retries, is fatal.  The
// pthread_t is discarded, so the thread is never joined.
// NOTE(review): pthread_create reports failure through its return value and is not specified
// to set errno; the EAGAIN retry relies on errno being left set by the underlying clone()
// call.  Checking the return value would be the portable form.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// Mask of bf_len bits starting at bit bf_off (bf_len must be below 64; a shift by 64 is undefined).
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Stores val into the bit-field [bf_off, bf_off+bf_len) of the integer at addr, converting through
// htobe so the field is placed in the target byte order.  The macro continues on the next line;
// its continuation backslash was lost in this rendering.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off),
(bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
// NOTE(review): the line above is the second half of STORE_BY_BITMASK (previous line); its
// continuation backslash was lost in this rendering.

// One-shot, futex-backed event; presumably used to synchronize the worker threads started by
// thread_start (the callers are outside this excerpt).  state is 0 (unset) or 1 (set); all
// cross-thread accesses go through acquire/release atomics.
typedef struct {
	int state;
} event_t;

// Puts ev into the unset state.  Plain store: call before the event is shared.
static void event_init(event_t* ev)
{
	ev->state = 0;
}

// Returns ev to the unset state.  Plain store, like event_init, so the caller must ensure no
// other thread is waiting on or setting it at the same time.
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Marks ev as set and wakes every waiter (the wake count of 1000000 is effectively "all").
// Setting an already-set event is treated as a logic error and terminates the process.
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Blocks until ev is set.  FUTEX_WAIT returns at once if state is no longer 0, and a spurious
// wakeup simply re-checks the state, so the loop is correct in both cases.
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Non-blocking check; returns non-zero if ev is set.
static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Waits up to timeout milliseconds for ev to be set.  Returns 1 once set, 0 on timeout.
// remain cannot underflow: it is only recomputed after the (now - start > timeout) check
// below has passed, so now - start <= timeout whenever it is evaluated.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

// Formats what/... into a 1 KiB stack buffer (longer output is silently truncated) and writes
// it to file, opened write-only with O_CLOEXEC.  Returns false if the open fails or the write
// is short, with errno preserved from the failing call.  Body continues on the next line.
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0; // vsnprintf already terminates; this is belt-and-braces
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno; // close() may clobber errno; report the write's error to the caller
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// Fixed fd number reserved for the initial network namespace; not used in this excerpt.
const int kInitNetNsFd = 239;

// Layout of the io_uring SQ/CQ ring mapping as used by syz_io_uring_complete/submit.  These
// are hard-coded byte offsets into the shared ring mapping rather than values read back from
// io_uring_params, so they encode the kernel ring layout at the time this program was generated.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

// Completion queue entry as laid out in the ring.
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

// Pops one CQE from the ring mapped at a0 (expected to be the pointer syz_io_uring_setup
// returned through ring_ptr_out).  Returns the CQE's res if its user_data is one of two
// sentinel values (0x12345 / 0x23456, presumably the ones the program's SQEs carry -- not
// visible here), else -1.  The head is advanced unconditionally: the tail is never consulted,
// so calling this with no completion pending consumes a stale/empty slot.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); // release: the kernel may reuse the slot after this
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ?
(long)cqe.res : (long)-1;
}

// Local mirrors of the io_uring uapi structs.  Their sizes must match the kernel's exactly,
// since io_uring_params is passed straight to the io_uring_setup syscall.
struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};

struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};

struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

// mmap offsets selecting which io_uring region a mapping refers to.
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

// Creates an io_uring instance and maps its rings at fixed addresses.
//   a0: entries                a1: struct io_uring_params* (filled in by the kernel)
//   a2: vma1, a3: vma2         fixed addresses for the ring mapping and the SQE array
//   a4/a5: void** out-params   receive the two mapping addresses
// Returns the io_uring fd.  Nothing is checked: the syscall result is stored as uint32_t, so a
// failure becomes 0xffffffff and is still passed to mmap (whose results are stored unchecked
// through the out-pointers), and the ring-size arithmetic reads setup_params whether or not
// the kernel filled it in.  Apparently deliberate for a generated fuzz program, but callers
// get no error signal from this function.
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;
	uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	// Both rings live in one mapping; size it to the larger of the SQ index array end and
	// the CQE array end, as reported by the kernel in sq_off/cq_off.
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ?
sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Copies one 64-byte SQE into the SQE array and publishes its index on the SQ ring.
//   a0: ring mapping (ring_ptr_out)   a1: SQE array mapping (sqes_ptr_out)
//   a2: the SQE to copy               a3: slot index in the SQE array
// The SQ index array is assumed to start at the first 64-byte-aligned offset after the CQEs;
// that offset is computed here from CQ_CQES_OFFSET and the ring's cq entry count instead of
// being read from sq_off.array, i.e. it repeats the layout assumption behind the *_OFFSET
// macros.  sqes_index is reduced modulo sq_ring_entries (when non-zero), so an arbitrary a3
// stays inside the SQE array for a normally set-up ring.  Always returns 0.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index; // write the index into the tail slot ...
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); // ... then bump the tail so the kernel sees it
	return 0;
}

// Minimal BTF (BPF Type Format) reader backing syz_btf_id_by_name.  Only the kinds listed
// below are understood; the parser shows how anything else is treated.
#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off; // relative to the end of the header (see syz_btf_id_by_name)
	__u32 type_len;
	__u32 str_off; // likewise
	__u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

// Common header of every BTF type entry; kind-specific data follows it immediately.
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct
btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

// Upper bound on the vmlinux BTF blob this program can handle (a 10 MiB static buffer).
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a process-wide static buffer, once.  Returns the buffer,
// or NULL if the file cannot be opened, a read fails, or the blob does not fit (a blob of
// exactly VMLINUX_MAX_SUPPORT_SIZE bytes is also rejected: the check fires when the buffer
// fills, before read() gets to report EOF).  The result is cached only on success, so a
// failing call is redone on every invocation.
// NOTE(review): fd is never closed on any path -- both NULL returns and the success path leak
// it.  On success that is one fd for the process lifetime; if the read keeps failing it is
// one fd per call.  A close(fd) before each return would fix it.
// The is_read/buf statics are unsynchronized; presumably only one thread reaches this
// (not verifiable from this excerpt).
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			return NULL;
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	is_read = true;
	return buf;
}

// Returns the BTF id of the first type entry (of any kind) whose name equals the NUL-terminated
// string at a0, or -1 if the BTF is unavailable, has the wrong magic, or holds no such name.
// Walks the type section linearly; ids are assigned 1, 2, ... in walk order.
// The walk trusts the blob completely: hdr_len/type_off/str_off/type_len and every name_off
// are used as offsets without being checked against the bytes actually read, and the
// kind-specific trailer sizes come from vlen.  Fine for a kernel-provided blob; on a corrupt or
// truncated one this would read out of bounds of the static buffer.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// Size of the kind-specific data that follows this btf_type, so the walk can step over it.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case
BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0; // unlisted kind: assume no trailer (if wrong, the walk desynchronizes from here on)
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}

// memcpy with explicit byte offsets on both sides: copies n bytes from src+src_off to
// dest+dest_off and returns the destination pointer (as memcpy does) cast to long.  No bounds
// are checked; all five arguments come straight from the program.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

// Emulated USB device support over the usb_raw gadget interface (ioctls defined further
// down).  Each connected device is described by an index built from the raw descriptor bytes
// the program supplies.  At most USB_MAX_FDS devices, USB_MAX_IFACE_NUM interfaces per device
// and USB_MAX_EP_NUM endpoints per interface are tracked; anything beyond that is dropped.
#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc; // copied out of the descriptor buffer
	int handle;
};

struct usb_iface_index {
	struct usb_interface_descriptor* iface; // points into the descriptor buffer, not copied
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

struct usb_device_index {
	struct usb_device_descriptor* dev; // points into the descriptor buffer, not copied
	struct usb_config_descriptor* config; // likewise
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length; // bytes from the config descriptor to the end of the buffer
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

struct usb_info {
	int fd;
	struct usb_device_index index;
};

// Table of connected emulated devices, keyed by the usb_raw fd; see add_usb_index/lookup_usb_index.
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

// Builds index from a buffer holding a device descriptor immediately followed by a
// configuration descriptor and its interface/endpoint descriptors.  Returns false only when
// the buffer cannot hold the two fixed descriptors; otherwise true, even if the descriptor
// chain is malformed (the walk just stops at the first bad entry).
// config_length is the whole remainder of the buffer after the device descriptor, not the
// configuration's wTotalLength, and dev/config/iface alias the input buffer, so the buffer
// must outlive the index.  Each walk step checks that the length/type bytes fit, stops on a
// declared length <= 2, and stops on a descriptor that extends past the buffer.
// NOTE(review): the fixed-size struct reads are not checked against desc_length: an interface
// or endpoint descriptor that declares a length smaller than the corresponding struct is
// still read as the full struct (the endpoint memcpy below copies sizeof(desc) bytes), so such
// an entry at the very end of the buffer reads a few bytes past it.  A `desc_length >= sizeof(...)`
// check before each use would close that.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		if (desc_type == USB_DT_INTERFACE &&
index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		// Endpoints attach to the most recently recorded interface.  Interfaces past the
		// USB_MAX_IFACE_NUM limit are not recorded above, so their endpoints land on the last
		// recorded one; endpoints past USB_MAX_EP_NUM are dropped.
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

// Registers a newly connected device: claims the next usb_devices slot with an atomic
// increment (so concurrent connects never share a slot), parses dev/dev_len into it, and
// publishes fd last with release semantics so lookup_usb_index only ever sees a fully parsed
// entry.  Returns the slot's index, or NULL if the table is full or the descriptor is
// unparsable.  A slot is consumed even when parsing fails and nothing in this excerpt releases
// slots, so at most USB_MAX_FDS registrations can succeed per process.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Finds the index registered for fd, or NULL.  Scans every slot; unused slots hold fd 0 from
// static zero-initialization, so looking up fd 0 can match an empty slot.
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

// Optional descriptors the program may supply for the connect phase.  All pointers refer to
// program memory and may be NULL with a zero length; packed, presumably because the program
// lays these out byte-exactly.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len; // number of entries in strs
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallbacks when the program supplies no string descriptors: the string "syz" (UTF-16LE) and a
// language-id table holding 0x0409.  Their first byte doubles as the descriptor length.
static const char default_string[] = {
    8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0
};
static const char default_lang_id[] = {
    4, USB_DT_STRING, 0x09, 0x04
};

// Answers an IN (device-to-host) control request during connect: fills *response_data and
// *response_length for the standard GET_DESCRIPTOR requests a host sends while enumerating.
// Returns true if a response was produced, false if the request is not handled here or fd is
// unknown.  Body continues on the next line.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index =
lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				// config_length is everything after the device descriptor (see parse_usb_descriptor).
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				// Program-supplied string when one exists for this index; otherwise the built-in
				// language table for index 0 and "syz" for every other index.
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// NOTE(review): descs is dereferenced here, and in the USB_DT_DEVICE_QUALIFIER case
				// below, without the NULL check the USB_DT_STRING case performs.  Whether descs can
				// be NULL depends on the caller, which is outside this excerpt.
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs->qual) {
					// No qualifier supplied: synthesize one from the device descriptor.
					// NOTE(review): it is written *at* response_data -- the char** itself is used
					// as the output buffer -- and *response_data is left untouched, so the caller
					// must pass a buffer of at least sizeof(*qual) bytes here rather than the
					// address of a plain char*.  Confirm against the caller.
					struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Handler for OUT (host-to-device) control requests during connect.  Returns true if the
// request was recognized; sets *done when the connect phase should be considered complete.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic devices: SET_CONFIGURATION is acknowledged and completes the connect; nothing else
// is handled.  fd and descs are unused.  Body continues on the next line.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// Vendor requests the ath9k USB driver issues to upload its firmware; for that device the
// connect phase is complete only once the upload-complete request has been seen.
#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k variant of the OUT handler: acknowledges SET_CONFIGURATION and FIRMWARE_DOWNLOAD
// without finishing, and finishes on FIRMWARE_DOWNLOAD_COMP.  fd and descs are unused.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// Program-supplied canned answers for control requests after connect (presumably fed by
// syz_usb_control_io, outside this excerpt).  Each table is a byte-length-prefixed array of
// entry pointers plus an optional generic fallback; entries may be NULL.  len counts the bytes
// of the whole table, header fields included.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

// Picks the program-supplied answer to a control request.  GET_DESCRIPTOR requests are matched
// against descs by (request type, descriptor type); every other request against resps by
// (request type, request).  First match wins; with no match the table's generic entry is used
// when present.  Returns true with *response_data/*response_length set (*response_data is NULL
// for a zero-length match), false if nothing applies.
// The entry counts are derived from each table's len field with unsigned arithmetic truncated
// to int, so an inconsistent len yields a bogus (possibly negative, possibly oversized) count;
// the pointer tables themselves are otherwise trusted.  Body continues on the next line.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;
	if (descs)
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps)
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;
	if (req == USB_REQ_GET_DESCRIPTOR) {
		int i;
		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if
(desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}

// Local copy of the usb_raw gadget uapi: the init request, event types, endpoint I/O request
// and the ioctl numbers.  Presumably carried in the generated program so it builds even where
// the system headers lack this interface.
#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

struct usb_raw_event {
	__u32 type;
	__u32 length; // bytes valid in data
	__u8 data[0];
};

struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length; // bytes in data
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

// ioctl numbers, group 'U'; the _IOW/_IOR/_IOWR direction encodes which side the payload flows.
#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U',
4, struct usb_raw_ep_io) // completes USB_RAW_IOCTL_EP0_READ, split across lines in this rendering
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)