ok github.com/google/syzkaller/dashboard/app (cached) ? github.com/google/syzkaller/dashboard/dashapi [no test files] ? github.com/google/syzkaller/executor [no test files] ok github.com/google/syzkaller/pkg/ast 0.938s ok github.com/google/syzkaller/pkg/bisect 4.024s ok github.com/google/syzkaller/pkg/build 3.491s ? github.com/google/syzkaller/pkg/cmdprof [no test files] ok github.com/google/syzkaller/pkg/compiler 2.283s ok github.com/google/syzkaller/pkg/config (cached) ok github.com/google/syzkaller/pkg/cover 4.531s --- FAIL: TestGenerate (5.16s) --- FAIL: TestGenerate/linux/386 (1.29s) csource_test.go:66: seed=1596707570395226896 --- FAIL: TestGenerate/linux/386/22 (0.22s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:true UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$zero(0xffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x161000, 0x0) ioctl$SNAPSHOT_FREE(r0, 0x3305) syz_genetlink_get_family_id$l2tp(&(0x7f0000000040)='l2tp\x00') openat$dlm_control(0xffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x20000, 0x0) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f00000000c0)=0x17, 0x4) r1 = mmap$IORING_OFF_SQES(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x2000000, 0x1010, r0, 0x10000000) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, r1, &(0x7f00000003c0)=@IORING_OP_RECVMSG={0xa, 0x4, 0x0, r2, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=@x25={0x9, @remote}, 0x80, &(0x7f0000000240)=[{&(0x7f0000000180)=""/147, 0x93}], 0x1, &(0x7f0000000280)=""/202, 0xca}, 0x0, 0x0, 0x1, {0x3, r3}}, 0x10001) ioctl$KDSKBMETA(0xffffffffffffffff, 0x4b63, &(0x7f0000000440)=0x4) 
syz_emit_ethernet(0x56, &(0x7f0000000000)={@local, @remote, @void, {@canfd={0xd, {{0x3, 0x0, 0x1, 0x1}, 0x11, 0x2, 0x0, 0x0, "f4ebe40216fede5ef6c5310f0413c5d41b32fc23e07fd332a8a5c5f966821da091f47b7b9cf9228727ff7412c2e4a3a1573bb295482d7b4a3effd863cc60f5d8"}}}}, &(0x7f0000000080)={0x0, 0x4, [0xd2d, 0xc61, 0x6d3, 0xbe2]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x1, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x7f, 0x2}}}}, 0xf) syz_execute_func(&(0x7f0000000100)="c4c2cd45f18fe800edb85c2f009ee96436360f2811c4c3c90b6b0787c4c2f1a603f30fa6d0f36f650ffa0ec4c21d2f9f5aac384f3e65f3ab") syz_extract_tcp_res(&(0x7f0000000140), 0x2c, 0x9f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000180)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x3, 0xcc) r4 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3000001, 0x80000, 0xffffffffffffffff, 0x0) r5 = syz_io_uring_complete(r4) r6 = io_uring_setup(0x3a3b, &(0x7f00000001c0)={0x0, 0xd9fd, 0x20, 0x0, 0x308, 0x0, 0xffffffffffffffff}) r8 = syz_io_uring_setup(0x17a8, &(0x7f0000000240)={0x0, 0xb18d, 0x15b3e67cab3a8d6e, 0x2, 0x158, 0x0, r7}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f00000002c0), &(0x7f0000000300)) syz_io_uring_setup(0x6b11, &(0x7f0000000340)={0x0, 0x15f8, 0x20, 0x2, 0xd2}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f00000003c0)=0x0, &(0x7f0000000400)=0x0) r11 = socket$bt_rfcomm(0x1f, 0x3, 0x3) r12 = io_uring_register$IORING_REGISTER_PERSONALITY(r5, 0x9, 0x0, 0x0) syz_io_uring_submit(r4, r10, &(0x7f0000001700)=@IORING_OP_RECVMSG={0xa, 0x2, 0x0, r11, 0x0, &(0x7f00000016c0)={&(0x7f0000000440)=@nl=@proc, 0x80, &(0x7f00000015c0)=[{&(0x7f00000004c0)=""/44, 0x2c}, {&(0x7f0000000500)=""/4096, 0x1000}, {&(0x7f0000001500)=""/40, 0x28}, {&(0x7f0000001540)=""/74, 0x4a}], 0x4, &(0x7f0000001600)=""/185, 0xb9}, 0x0, 0x2000, 0x1, {0x3, r12}}, 0xad23946) r13 = fsmount(r5, 0x1, 0x84) ioctl$F2FS_IOC_MOVE_RANGE(r8, 0xc01cf509, 
&(0x7f0000001740)={r6, 0x3, 0x6, 0x1000}) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000017c0)=[{0x0, &(0x7f0000001780)="e7bed238547695a78957b574bacb6dbc567a3232e76559b4ea3931b608578a24da4c749795975b0ae51da8a86dde75b1d684", 0x32}], 0x1, 0x0, &(0x7f0000001800), 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r9, 0x114, &(0x7f0000001840), 0x0, 0x4) syz_mount_image$afs(&(0x7f0000001880)='afs\x00', &(0x7f00000018c0)='./file0\x00', 0x5, 0x1, &(0x7f0000002900)=[{&(0x7f0000001900)="", 0x1000, 0x9}], 0x20005, &(0x7f0000002940)={[{@flock_openafs='flock=openafs'}, {@dyn='dyn'}, {@autocell='autocell'}, {@dyn='dyn'}, {@flock_openafs='flock=openafs'}, {@source={'source', 0x3d, '&'}}, {@source={'source', 0x3d, 'SEG6\x00'}}], [{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@subj_user={'subj_user', 0x3d, 'SEG6\x00'}}, {@smackfstransmute={'smackfstransmute', 0x3d, ':'}}, {@seclabel='seclabel'}]}) syz_open_dev$I2C(&(0x7f0000002a00)='/dev/i2c-#\x00', 0xad8, 0x2a2000) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000002a40)=0x0) syz_open_procfs(r15, &(0x7f0000002a80)='net\x00') syz_open_pts(r13, 0x0) syz_read_part_table(0x1, 0x7, &(0x7f0000002e80)=[{&(0x7f0000002ac0)="7ad3cd802dd0c424945d99ca9ca6e4fbb8f8e3b980d2ec", 0x17, 0x1000}, {&(0x7f0000002b00)="329de80b2b17bbd25d1f1907a9263af3bf05c4a7061e28492a3f71c6343aa5aaea0327a3", 0x24, 0x5}, {&(0x7f0000002b40)="82791dfd311d07db7d65e803ce6ca00028af8ff8d276187e0e14bbf7beab60fc4b70722e91b6322b8e3472191a66176bb0ca91dee60f1506a6d48be4055230c30be94a1043a1d2a06d42166069d8033d6c524c8610b8c4bb63af0ce6d6207137f1be1b62b002e8c35e6467c2423cc6597d1ca58ee31589f0248ac762e24a286a41a761912d34bb56f07db88ca52fce8d128762394fa00faac8451a42c3144bdec7e97296c9eac7c9f63110a3d405c16b0428880024e8c9c8af490b8cfad84cbb637878d634cd84346b60c9132c09660cdc616a0b", 0xd4, 0x7fff}, 
{&(0x7f0000002c40)="904bbcee2b46daa1ac643b7b6b8ea0ff462feabee541b411a885e470a496cbbdc729ffdebc50807f719cbe808d8b598b4767c7a852d9ce0c880a9b078b0187deac926bd4687a44f092bb", 0x4a, 0x5}, {&(0x7f0000002cc0)="3531ae257e7e0877cde340c42edbfc91dcffaff1284ef08a451e4c76e0cd83b2c0ea10d86bcefa93bbaef5fffbfe7dc70b73b89c55fc3851110d1bd0d1da31753320b111fe7060537e8f65f3c2f05adcb3d66bd2abe6b08aaae0d0eedca9937707ec4cb4874cdfd05800812ab53f9550b25a28ee69e62a0f790fe5233fc8645fc3fe6cae055f2aa1729125170151e86eeab67bb20bc884a1214c2d3d969c34fb239b45feec93ac209721bae7271251c613cea9379c1521", 0xb7, 0x4}, {&(0x7f0000002d80)="c3f04f26929b7a4d6342841fa53a9a8cb8006a97f428", 0x16, 0x6}, {&(0x7f0000002dc0)="c9871275e3269ff1bdcd67fb523e1ceb5151b0ede9e032634e36d486046bc31cd978bda59247355316319e768e7ac6be0648bf0fecd13cdad45f713e0e3b74e95eec77063c02a233ea97d338f4b1e9bc5a7cce85528742632ed59cec016f3914dd02ca6b1dc833224895277350cf1f21d6c78f8592717e91233f9026927e0cc3d80cdc57714763a0fcb091f5c69051b55cd2e1fcc33b13d597c5caeeb271c542978a1e17", 0xa4, 0x9c}]) r16 = syz_usb_connect(0x4, 0x384, &(0x7f0000002f00)={{0x12, 0x1, 0x201, 0xa4, 0x61, 0x1e, 0x40, 0xacd, 0x300, 0xc0df, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x372, 0x2, 0x4, 0x1f, 0x0, 0x1, [{{0x9, 0x4, 0x5d, 0xb3, 0x1, 0xad, 0x49, 0x76, 0x20, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x80}]}], [{{0x9, 0x5, 0xd, 0x0, 0x230, 0x5d, 0x1, 0x3f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x2}, @generic={0xba, 0xe, "f4e6e5762883c34df04f356099f1d34bdbc9f5324da648053fd690211b897119c4f3ac197f2aa93f2f3be05f836b1644d5b2327648b30816ed192f943dfce225f69d77c51565e177fd889c9c9d8c85b92ee4bead0e889446bbc320a40fa24807f476bfd1f1b3096e3370f755c94aa01c3be4ddc7952a5694bcad4beb4065bf5ea96066c43e9507e6220c47bc0271adcbaffce6ac90cb3c8b1cf748c6bbf97108dfa2cac4b87d3420428434397e07f17a87ed6233b39e32f0"}]}}]}}, {{0x9, 0x4, 0x5d, 0x27, 0x7, 0x3f, 0x84, 0xfd, 0x3, [@uac_as={[@format_type_i_discrete={0x10, 0x24, 0x2, 0x1, 0xe2, 0x2, 0x63, 0x40, "e721cc44acca8938"}, @format_type_i_continuous={0xb, 
0x24, 0x2, 0x1, 0x0, 0x3, 0x1, 0x0, "9ef42f"}, @as_header={0x7, 0x24, 0x1, 0x4, 0x1, 0x4}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x19, 0x6, "9e", "6983"}]}, @uac_as], [{{0x9, 0x5, 0xf, 0x0, 0x3ff, 0xf6, 0x5, 0x80}}, {{0x9, 0x5, 0x1, 0x10, 0x10, 0x0, 0x40, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x20, 0x6}]}}, {{0x9, 0x5, 0xb, 0x8, 0x10, 0x1, 0x2}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x4, 0x8, 0xc0, [@generic={0xbb, 0x31, "215ce6ab8f3c72caa3ab1326f18838908ac60bffb3b50748144aa2cbc4d7cac56f4a7bb2bd6c969674a5e4040861bb21ba5ccf0f822c1032e7e3729f8c171fc7a89b5340b5067108d597f178aa651a98aca4d012fa555a695683b527e6031f1f7f20494b250e3a6cd8b4de9647e150049867097c47cc237c612cefe698332f1fe7f02e6f53e845b1f5e7b4b24ad8629b78ce7630e2d40120fbc3f49375a4a086dedd2a27f06b3ed3d756a819b97f759aa54aef83df4868a9e9"}]}}, {{0x9, 0x5, 0x3, 0x12, 0x3ff, 0x0, 0x1, 0xff, [@generic={0xad, 0x31, "0c921d3f980f4e53147a46bd5856da03081660fbed7b8b2d389be8a038e95c2958a477ed5faf9ef38c82c3abea254459edb0f2cf286235034087adb7907ff192640b936886bd48d3a51215406b3aa0b6d8f8d91d830f5236a9a8be03c2215f012131968c6a80860ae81193059468108efd4f1305379d0115c7ec667b0359940e5664bf7b3c4a5f04ca3c51db9d2cd417e9099bff628b8e1a8ed0f596149357a08abd1177eb977353eb8932"}, @generic={0x93, 0x11, "a8e22d542ae3d831f337211bb5be12a5c46e5cf9b556d84d5af4caca8742ad216140562b7e5421e2642471e8f50eb8aef06212b46c644ae58463e18b3e72bd3eca6060fa8b94031796e55eb41d3f318affbf081eeb1708851e72fadd887e0330134319f0a5967eda657bc1101f74deba42e78aff20fb5d3c1fe49d9a054657b6f1af3d015fc16ff80873f326690843df81"}]}}, {{0x9, 0x5, 0xf, 0x4, 0x200, 0x0, 0x1f, 0x1, [@generic={0x11, 0x6, "824b7d0957bc552d224fdf6bff63a8"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x6}]}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x1f, 0xfd, 0x3}}]}}]}}]}}, &(0x7f0000003400)={0xa, &(0x7f00000032c0)={0xa, 0x6, 0x110, 0x4d, 0x80, 0x80, 0x20, 0xc1}, 0x46, &(0x7f0000003300)={0x5, 0xf, 0x46, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x35, 0x0, 0xdf, 0x9, 0xf7}, @ext_cap={0x7, 0x10, 0x2, 0xe, 0xb, 0x6, 
0x9}, @ssp_cap={0x18, 0x10, 0xa, 0x1, 0x3, 0x7fffffe, 0xff0f, 0x101, [0xffc0a0, 0x0, 0xffff0f]}, @ssp_cap={0x10, 0x10, 0xa, 0x3, 0x1, 0x200, 0xff00, 0x1, [0x0]}, @ext_cap={0x7, 0x10, 0x2, 0x16, 0x8, 0xe, 0x7}]}, 0x2, [{0x4, &(0x7f0000003380)=@lang_id={0x4, 0x3, 0x380a}}, {0x4, &(0x7f00000033c0)=@lang_id={0x4, 0x3, 0x42f}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000003440)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r16, &(0x7f00000036c0)={0x18, &(0x7f00000034c0)={0x20, 0x8, 0xd4, {0xd4, 0x31, "dd9fe1d6f8ee76d6289246b5277cc19f3c4621add821a7f3d1aae994dbf4b1bd89e8770734768ade97e51d248f53cd530b31119aaccf53b6f6eddf4b8bfe6a1a859c3dc286f8335c9d15e5d5169b244155391062ff885d40be3707b6d1ea252a96d97ab24fb675f54557cfa24d805b0795708af5065d4b6662dfd54dd59cfce1673ab356a254f6b5bce44c619a17ffce8ebb96e083c082450062bd71a206ca921e0b77f517c1619586b3bca3e2490821016cc76caf96c0ec9068b45e2334ed9a6ff06a6343ae01f0aef6127ebaf5b52d69e3"}}, &(0x7f00000035c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40e}}, &(0x7f0000003600)={0x0, 0xf, 0x28, {0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @generic={0x20, 0x10, 0xa, "195fa2f324c0be96da3db26afa5677530ac0faf4c682be7c15e9a58666"}]}}, &(0x7f0000003640)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x1, 0x0, 0x9, "057c417e", "8da436c4"}}, &(0x7f0000003680)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x20, 0x10, 0x80, 0x40, 0x1f, 0x0, 0x5}}}, &(0x7f0000003b40)={0x44, &(0x7f0000003700)={0x60, 0x8, 0x54, "85f988045278f97532a667cbee9b821d6554fb1c6d18dffb785196d90727e1b4615c86ee049a1696b1668f000e62d539e081cf07e360171ce61ca2f95644b9ad8e9211a1b19c4399bdfd6d533bf8955242725bb4"}, &(0x7f0000003780)={0x0, 0xa, 0x1, 0x1}, &(0x7f00000037c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000003800)={0x20, 0x0, 0x4, {0x2}}, &(0x7f0000003840)={0x20, 0x0, 0x8, {0x200, 0x40, [0xff]}}, &(0x7f0000003880)={0x40, 0x7, 0x2, 0x1}, &(0x7f00000038c0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000003900)={0x40, 0xb, 0x2, "8eaf"}, 
&(0x7f0000003940)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000003980)={0x40, 0x13, 0x6, @dev={[], 0x38}}, &(0x7f00000039c0)={0x40, 0x17, 0x6, @broadcast}, &(0x7f0000003a00)={0x40, 0x19, 0x2, '{k'}, &(0x7f0000003a40)={0x40, 0x1a, 0x2, 0x40}, &(0x7f0000003a80)={0x40, 0x1c, 0x1}, &(0x7f0000003ac0)={0x40, 0x1e, 0x1, 0xfe}, &(0x7f0000003b00)={0x40, 0x21, 0x1, 0xfa}}) r17 = syz_usb_connect$hid(0x4, 0x3f, &(0x7f0000003bc0)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x46d, 0xc22d, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x10, 0x2, [{{0x9, 0x4, 0x0, 0x2f, 0x2, 0x3, 0x1, 0x1, 0xfd, {0x9, 0x21, 0x9, 0x1, 0x1, {0x22, 0x2ff}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0x6, 0xff, 0x4}}, [{{0x9, 0x5, 0x2, 0x3, 0x8, 0x4, 0x6, 0x7f}}]}}}]}}]}}, &(0x7f0000003cc0)={0xa, &(0x7f0000003c00)={0xa, 0x6, 0x300, 0x3, 0x2, 0xfa, 0x8, 0x74}, 0x28, &(0x7f0000003c40)={0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x3, 0x5, 0x8, 0xf00, 0xf831, [0xc0, 0xc0a0, 0xff000f, 0x7, 0xc0f0]}]}, 0x1, [{0x4, &(0x7f0000003c80)=@lang_id={0x4, 0x3, 0x436}}]}) syz_usb_disconnect(r17) syz_usb_ep_read(0xffffffffffffffff, 0x80, 0xc4, &(0x7f0000003d00)=""/196) syz_usb_ep_write(r16, 0x7f, 0x63, &(0x7f0000003e00)="5074fa81f3f373da2799cafb26b4497cb3c87bc0f82fa7885468bd41232065aa9561d24ae0f1d0e036ac714ac5af89c69d8861cad713fcb8bacb8c4b10dc3b6ec2044c01f371b124c0a0f4bace7d5179872cdd205e09c3eeb7d5577b26e98f84554ed6") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct 
timespec ts;
  // Monotonic clock read; any failure terminates the process.
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  // Seconds and nanoseconds are both converted to milliseconds.
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Creates a fresh working directory from the "./syzkaller.XXXXXX" template
// and makes it the current directory. Every failure path calls exit(1).
static void use_temporary_dir(void)
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    exit(1);
  // mkdtemp creates the directory with mode 0700; this widens it to 0777,
  // i.e. readable and writable by every local user.
  // NOTE(review): presumably needed so that sandboxed or lower-privileged
  // test processes can use the directory -- confirm before reusing this
  // helper outside a disposable test machine.
  if (chmod(tmpdir, 0777))
    exit(1);
  if (chdir(tmpdir))
    exit(1);
}

// Starts fn(arg) on a new thread with a 128 KiB stack (128 << 10 bytes).
// pthread_create is attempted up to 100 times, sleeping 50 microseconds after
// an EAGAIN; any other failure, or exhausting the attempts, ends in exit(1).
// The pthread_t is neither stored, joined nor detached here.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i;
  for (i = 0; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    // NOTE(review): pthread_create reports failure through its return value;
    // this test reads errno instead -- confirm that errno is reliably set on
    // the targeted libc.
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// Mask of bf_len bits starting at bit bf_off.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bitfield inside *(type*)(addr): only the bits selected
// by BITMASK(bf_off, bf_len) are replaced with val; htobe is applied to the
// loaded value and again to the stored value.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Event flag: state is 0 (clear) or 1 (set); its address is also the futex
// word passed to SYS_futex by the helpers below.
typedef struct {
  int state;
} event_t;

// Puts the event in the clear state (plain, non-atomic store).
static void event_init(event_t* ev)
{
  ev->state = 0;
}

// Clears the event again (plain, non-atomic store).
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Sets the event and wakes waiters. Setting an already-set event is treated
// as a fatal error (exit(1)).
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  // Wake up to 1000000 waiters blocked on the futex word.
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Blocks until the event is set. The loop re-checks state after every futex
// return, so early or spurious wake-ups are harmless.
static void event_wait(event_t* ev)
{
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Returns the current state (non-zero when set) using an acquire load.
static int event_isset(event_t* ev)
{
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Waits for the event for at most `timeout` milliseconds.
// Returns 1 if the event was observed set, 0 once the timeout has elapsed.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    // The elapsed-time check at the bottom of the loop keeps
    // (now - start) <= timeout here, so this subtraction does not wrap.
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    now = current_time_ms();
    if (now - start > timeout)
      return 0;
  }
}

// Formats `what` (a printf-style format) with the variadic arguments and
// writes the result to an existing file.
// - Output longer than the 1024-byte buffer is truncated by vsnprintf.
// - The file is opened write-only with O_CLOEXEC and without O_CREAT, so a
//   missing file makes the call fail.
// Returns true on a complete write; false otherwise, with errno preserved
// across the close() on the short-write path.
// `what` is interpreted as a format string, so it must not come from
// untrusted input.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    // Save errno so the caller sees the write error, not close()'s.
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Not referenced in the visible part of this listing.
// NOTE(review): presumably a reserved descriptor number for the initial
// network namespace -- TODO confirm.
const int kInitNetNsFd = 239;

// Hard-coded entry sizes and byte offsets into the mapped io_uring ring
// region, used by the syz_io_uring_* helpers.
// NOTE(review): presumably these mirror the ring layout of the kernel under
// test; nothing visible here checks them against the offsets the kernel
// reports -- confirm.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

// Local copy of the completion-queue entry layout (16 bytes).
struct io_uring_cqe {
  uint64_t user_data;
  uint32_t res;
  uint32_t flags;
};

// Consumes one completion-queue entry from the ring mapped at address a0.
// The entry at (head & ring mask) is copied out and the head is advanced by
// one with a release store. Returns cqe.res when user_data is 0x12345 or
// 0x23456, otherwise -1.
// a0 is dereferenced as a raw address with no validation.
static long syz_io_uring_complete(volatile long a0)
{
  char* ring_ptr = (char*)a0;
  uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
  uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
  uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
  uint32_t cq_head_next = *cq_head_ptr + 1;
  char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
  struct io_uring_cqe cqe;
  memcpy(&cqe, cqe_src, sizeof(cqe));
  __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
  return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ?
(long)cqe.res : (long)-1;
}

// Local copies of the io_uring setup structures filled in by the
// io_uring_setup syscall.
struct io_sqring_offsets {
  uint32_t head;
  uint32_t tail;
  uint32_t ring_mask;
  uint32_t ring_entries;
  uint32_t flags;
  uint32_t dropped;
  uint32_t array;
  uint32_t resv1;
  uint64_t resv2;
};

struct io_cqring_offsets {
  uint32_t head;
  uint32_t tail;
  uint32_t ring_mask;
  uint32_t ring_entries;
  uint32_t overflow;
  uint32_t cqes;
  uint64_t resv[2];
};

struct io_uring_params {
  uint32_t sq_entries;
  uint32_t cq_entries;
  uint32_t flags;
  uint32_t sq_thread_cpu;
  uint32_t sq_thread_idle;
  uint32_t features;
  uint32_t resv[4];
  struct io_sqring_offsets sq_off;
  struct io_cqring_offsets cq_off;
};

// mmap offsets selecting the SQ ring and the SQE array of an io_uring fd.
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

// Creates an io_uring instance and maps its rings at caller-chosen addresses.
//   a0: number of entries            a1: struct io_uring_params*
//   a2: address for the ring mapping a3: address for the SQE mapping
//   a4: void** receiving the ring mapping
//   a5: void** receiving the SQE mapping
// Returns the value of the io_uring_setup syscall.
// All arguments are used as raw values/addresses without validation.
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
  uint32_t entries = (uint32_t)a0;
  struct io_uring_params* setup_params = (struct io_uring_params*)a1;
  void* vma1 = (void*)a2;
  void* vma2 = (void*)a3;
  void** ring_ptr_out = (void**)a4;
  void** sqes_ptr_out = (void**)a5;
  // The syscall result is stored in an unsigned 32-bit variable and is not
  // checked: on failure the code below still computes sizes from
  // setup_params and calls mmap with the failed descriptor value.
  uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
  // One mapping covers both rings, so it is sized for the larger of the two.
  uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
  uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
  uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
  // MAP_FIXED replaces whatever is already mapped at vma1/vma2. The mmap
  // results (including MAP_FAILED) are stored to the out-pointers unchecked.
  *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
  uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
  *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
  return fd_io_uring;
}

// Copies one 64-byte SQE into the SQE array and publishes it on the
// submission ring.
//   a0: ring mapping   a1: SQE array mapping
//   a2: SQE to copy    a3: requested slot index in the SQE array
// Always returns 0. All arguments are raw addresses/values, unvalidated.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  char* ring_ptr = (char*)a0;
  char* sqes_ptr = (char*)a1;
  char* sqe = (char*)a2;
  uint32_t sqes_index = (uint32_t)a3;
  uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
  uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
  // The SQ index array is located after the CQEs, rounded up to 64 bytes.
  uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
  // The slot index is wrapped into range only when the ring reports a
  // non-zero entry count; with a zero count it is used as given.
  if (sq_ring_entries)
    sqes_index %= sq_ring_entries;
  char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
  memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
  uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
  uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
  uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
  uint32_t sq_tail_next = *sq_tail_ptr + 1;
  uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
  *(sq_array + sq_tail) = sqes_index;
  // Release store so the SQE and array writes above are visible before the
  // new tail value.
  __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
  return 0;
}

// memcpy(dest + dest_off, src + src_off, n) with every operand taken from the
// arguments (a0..a4). Offsets are truncated to 32 bits. No bounds are
// checked. Returns the destination address as a long.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
  char* dest = (char*)a0;
  uint32_t dest_off = (uint32_t)a1;
  char* src = (char*)a2;
  uint32_t src_off = (uint32_t)a3;
  size_t n = (size_t)a4;
  return (long)memcpy(dest + dest_off, src + src_off, n);
}

// Capacity limits for the USB emulation bookkeeping below.
#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

// One endpoint of an interface: a copy of its descriptor plus the handle
// stored for it when the endpoint is enabled.
struct usb_endpoint_index {
  struct usb_endpoint_descriptor desc;
  int handle;
};

// One interface/alternate setting found while parsing a configuration.
struct usb_iface_index {
  struct usb_interface_descriptor* iface;
  uint8_t bInterfaceNumber;
  uint8_t
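bAlternateSetting;
  uint8_t bInterfaceClass;
  struct usb_endpoint_index eps[USB_MAX_EP_NUM];
  int eps_num;
};

// Parsed view of one emulated device. dev and config point into the
// caller-supplied descriptor buffer (no copy is made), so that buffer has to
// stay valid for as long as the index is used.
struct usb_device_index {
  struct usb_device_descriptor* dev;
  struct usb_config_descriptor* config;
  uint8_t bDeviceClass;
  uint8_t bMaxPower;
  int config_length;
  struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
  int ifaces_num;
  int iface_cur; // index into ifaces, or -1 when no interface is selected
};

// Association between an open descriptor and its parsed device index.
struct usb_info {
  int fd;
  struct usb_device_index index;
};

// Fixed-size table of emulated devices. usb_devices_num only ever grows in
// the code visible here.
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

// Builds `index` from a raw descriptor blob laid out as a device descriptor
// immediately followed by a configuration descriptor and its sub-descriptors.
// Returns false when the blob is too short to hold the two leading
// descriptors, true otherwise.
// The descriptor contents are not trusted: every step of the walk is bounded
// by `length`.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
  if (length < sizeof(*index->dev) + sizeof(*index->config))
    return false;
  memset(index, 0, sizeof(*index));
  index->dev = (struct usb_device_descriptor*)buffer;
  index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
  index->bDeviceClass = index->dev->bDeviceClass;
  index->bMaxPower = index->config->bMaxPower;
  index->config_length = length - sizeof(*index->dev);
  index->iface_cur = -1;
  size_t offset = 0;
  while (true) {
    // Need at least the bLength and bDescriptorType bytes.
    if (offset + 1 >= length)
      break;
    uint8_t desc_length = buffer[offset];
    uint8_t desc_type = buffer[offset + 1];
    // A length of 2 or less cannot hold a payload; stopping here also
    // prevents a zero-length descriptor from looping forever.
    if (desc_length <= 2)
      break;
    if (offset + desc_length > length)
      break;
    if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
      // NOTE(review): only desc_length is bounds-checked above; the fields
      // below are read through the full struct layout even when desc_length
      // is shorter than the struct -- confirm this over-read is acceptable.
      struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
      index->ifaces[index->ifaces_num].iface = iface;
      index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
      index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
      index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
      index->ifaces_num++;
    }
    // Endpoints are attached to the most recently seen interface.
    if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
      struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
      if (iface->eps_num < USB_MAX_EP_NUM) {
        // NOTE(review): copies sizeof(desc) bytes regardless of desc_length,
        // so a short descriptor at the end of the buffer is read past
        // `length` -- confirm.
        memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
        iface->eps_num++;
      }
    }
    offset += desc_length;
  }
  return true;
}

// Claims the next free slot in usb_devices, parses `dev` into it and records
// `fd` for later lookups. Returns the slot's index structure, or NULL when
// the table is full or the descriptor blob is rejected.
// The slot counter is incremented even on failure, so a failed call still
// consumes a slot.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
  int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
  if (i >= USB_MAX_FDS)
    return NULL;
  if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
    return NULL;
  // Publish fd last (release) so a reader that sees the fd also sees the
  // parsed index.
  __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
  return &usb_devices[i].index;
}

// Returns the index structure registered for `fd`, or NULL.
// usb_devices has static storage, so unused slots hold fd 0 and a lookup for
// descriptor 0 matches an unused slot.
static struct usb_device_index* lookup_usb_index(int fd)
{
  int i;
  for (i = 0; i < USB_MAX_FDS; i++) {
    if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
      return &usb_devices[i].index;
    }
  }
  return NULL;
}

// Optional extra descriptors supplied alongside the device descriptor blob.
struct vusb_connect_string_descriptor {
  uint32_t len;
  char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
  uint32_t qual_len;
  char* qual;
  uint32_t bos_len;
  char* bos;
  uint32_t strs_len;
  struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor: bLength 8, type STRING, UTF-16LE "syz".
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

// Fallback language-ID descriptor: bLength 4, type STRING, bytes 0x09 0x04.
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Selects the reply for an IN control request received while the emulated
// device is being enumerated.
//   fd:              descriptor the device was registered under
//   descs:           optional extra descriptors; may be NULL
//   ctrl:            the control request to answer
//   response_data:   receives a pointer to the reply bytes
//   response_length: receives the reply length
// Returns true when a reply was chosen, false when the request is not
// handled (unknown fd, non-standard request, unsupported descriptor type, or
// a BOS/qualifier request with no descs).
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  uint8_t str_idx;
  if (!index)
    return false;
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_GET_DESCRIPTOR:
      // The descriptor type is the high byte of wValue.
      switch (ctrl->wValue >> 8) {
      case USB_DT_DEVICE:
        *response_data = (char*)index->dev;
        *response_length = sizeof(*index->dev);
        return true;
      case USB_DT_CONFIG:
        *response_data = (char*)index->config;
        *response_length = index->config_length;
        return true;
      case USB_DT_STRING:
        // The string index is the low byte of wValue.
        str_idx = (uint8_t)ctrl->wValue;
        if (descs && str_idx < descs->strs_len) {
          *response_data = descs->strs[str_idx].str;
          *response_length = descs->strs[str_idx].len;
          return true;
        }
        if (str_idx == 0) {
          *response_data = (char*)&default_lang_id[0];
          *response_length = default_lang_id[0];
          return true;
        }
        *response_data = (char*)&default_string[0];
        *response_length = default_string[0];
        return true;
      case USB_DT_BOS:
        // descs is optional (the STRING case above checks it), so it must be
        // checked before it is dereferenced here as well.
        if (!descs)
          return false;
        *response_data = descs->bos;
        *response_length = descs->bos_len;
        return true;
      case USB_DT_DEVICE_QUALIFIER:
        // Same NULL guard as for BOS.
        if (!descs)
          return false;
        if (!descs->qual) {
          // No qualifier supplied: synthesize one from the device descriptor.
          // NOTE(review): qual aliases response_data itself (a char**), not a
          // buffer it points to, so the fields below are written over the
          // caller's pointer variable and *response_data is never set.
          // Confirm against the caller before relying on this path.
          struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data;
          qual->bLength = sizeof(*qual);
          qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
          qual->bcdUSB = index->dev->bcdUSB;
          qual->bDeviceClass = index->dev->bDeviceClass;
          qual->bDeviceSubClass = index->dev->bDeviceSubClass;
          qual->bDeviceProtocol = index->dev->bDeviceProtocol;
          qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
          qual->bNumConfigurations = index->dev->bNumConfigurations;
          qual->bRESERVED = 0;
          *response_length = sizeof(*qual);
          return true;
        }
        *response_data = descs->qual;
        *response_length = descs->qual_len;
        return true;
      default:
        break;
      }
      break;
    default:
      break;
    }
    break;
  default:
    break;
  }
  return false;
}

// Handler type for OUT control requests during enumeration. Returns true when
// the request is accepted; sets *done once enumeration is considered
// complete.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts only the standard SET_CONFIGURATION request
// and marks enumeration as done when it arrives.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_SET_CONFIGURATION:
      *done = true;
      return true;
    default:
      break;
    }
    break;
  }
  return false;
}

// Vendor request codes handled by the ath9k OUT handler.
#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: accepts SET_CONFIGURATION and the firmware download
// request without finishing; enumeration is marked done only on the
// download-complete vendor request.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_SET_CONFIGURATION:
      return true;
    default:
      break;
    }
    break;
  case USB_TYPE_VENDOR:
    switch (ctrl->bRequest) {
    case ATH9K_FIRMWARE_DOWNLOAD:
      return true;
    case ATH9K_FIRMWARE_DOWNLOAD_COMP:
      *done = true;
      return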
true;
    default:
      break;
    }
    break;
  }
  return false;
}

// Caller-supplied reply tables for control requests after enumeration.
// `len` is the byte length of the whole table, header included; the number of
// array entries is derived from it in lookup_control_response.
struct vusb_descriptor {
  uint8_t req_type;
  uint8_t desc_type;
  uint32_t len;
  char data[0];
} __attribute__((packed));

struct vusb_descriptors {
  uint32_t len;
  struct vusb_descriptor* generic; // fallback when no entry matches
  struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
  uint8_t type;
  uint8_t req;
  uint32_t len;
  char data[0];
} __attribute__((packed));

struct vusb_responses {
  uint32_t len;
  struct vusb_response* generic; // fallback when no entry matches
  struct vusb_response* resps[0];
} __attribute__((packed));

// Picks the reply for a control request from the supplied tables.
// GET_DESCRIPTOR requests are matched against descs by (request type,
// descriptor type); all other requests are matched against resps by
// (request type, request). When nothing matches, the table's `generic` entry
// is used if present.
// Returns true and fills *response_data / *response_length when a reply was
// found (data is NULL for a zero-length reply), false otherwise.
// Either table pointer may be NULL.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
  int descs_num = 0;
  int resps_num = 0;
  // NOTE(review): len comes from the table itself. If it is smaller than the
  // header offset the unsigned subtraction wraps and the entry count becomes
  // very large -- confirm whether callers validate len.
  if (descs)
    descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
  if (resps)
    resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
  uint8_t req = ctrl->bRequest;
  uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
  // Descriptor type is the high byte of wValue.
  uint8_t desc_type = ctrl->wValue >> 8;
  if (req == USB_REQ_GET_DESCRIPTOR) {
    int i;
    // descs_num is 0 when descs is NULL, so the loop body never dereferences
    // a NULL table.
    for (i = 0; i < descs_num; i++) {
      struct vusb_descriptor* desc = descs->descs[i];
      if (!desc)
        continue;
      if (desc->req_type == req_type && desc->desc_type == desc_type) {
        *response_length = desc->len;
        if (*response_length != 0)
          *response_data = &desc->data[0];
        else
          *response_data = NULL;
        return true;
      }
    }
    if (descs && descs->generic) {
      *response_data = &descs->generic->data[0];
      *response_length = descs->generic->len;
      return true;
    }
  } else {
    int i;
    // resps_num is 0 when resps is NULL.
    for (i = 0; i < resps_num; i++) {
      struct vusb_response* resp = resps->resps[i];
      if (!resp)
        continue;
      if (resp->type == req_type && resp->req == req) {
        *response_length = resp->len;
        if (*response_length != 0)
          *response_data = &resp->data[0];
        else
          *response_data = NULL;
        return true;
      }
    }
    if (resps && resps->generic) {
      *response_data = &resps->generic->data[0];
      *response_length = resps->generic->len;
      return true;
    }
  }
  return false;
}

// Local definitions of the structures and ioctl numbers used with the
// /dev/raw-gadget device opened by usb_raw_open().
#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
  __u8 driver_name[UDC_NAME_LENGTH_MAX];
  __u8 device_name[UDC_NAME_LENGTH_MAX];
  __u8 speed;
};

enum usb_raw_event_type {
  USB_RAW_EVENT_INVALID = 0,
  USB_RAW_EVENT_CONNECT = 1,
  USB_RAW_EVENT_CONTROL = 2,
};

// Event header followed by `length` bytes of payload.
struct usb_raw_event {
  __u32 type;
  __u32 length;
  __u8 data[0];
};

// Endpoint transfer header followed by `length` bytes of payload.
struct usb_raw_ep_io {
  __u16 ep;
  __u16 flags;
  __u32 length;
  __u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
  __u32 type_control : 1;
  __u32 type_iso : 1;
  __u32 type_bulk : 1;
  __u32 type_int : 1;
  __u32 dir_in : 1;
  __u32 dir_out : 1;
};

struct usb_raw_ep_limits {
  __u16 maxpacket_limit;
  __u16 max_streams;
  __u32 reserved;
};

struct usb_raw_ep_info {
  __u8 name[USB_RAW_EP_NAME_MAX];
  __u32 addr;
  struct usb_raw_ep_caps caps;
  struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
  struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Opens the raw-gadget device read/write; returns the descriptor or -1.
static int usb_raw_open()
{
  return open("/dev/raw-gadget", O_RDWR);
}

static int
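usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
  // Issues USB_RAW_IOCTL_INIT with the given driver/device names and speed.
  // strncpy zero-pads short names, but leaves a name unterminated when the
  // source fills the whole 128-byte field.
  struct usb_raw_init arg;
  strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
  strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
  arg.speed = speed;
  return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

// Thin wrappers around the raw-gadget ioctls. Each returns the ioctl result
// unchanged (negative on failure).
static int usb_raw_run(int fd)
{
  return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
  return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
  return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
  return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
  return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
  return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

// On success the return value is stored by set_interface as the endpoint
// handle.
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
  return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

// `ep` is the handle value, passed to the ioctl by value.
static int usb_raw_ep_disable(int fd, int ep)
{
  return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
  return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
  return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
  return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces of the entry matching the given
// interface number and alternate setting, or -1 when the fd is unknown or no
// entry matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  int i;
  if (!index)
    return -1;
  for (i = 0; i < index->ifaces_num; i++) {
    if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
        index->ifaces[i].bAlternateSetting == bAlternateSetting)
      return i;
  }
  return -1;
}

// Returns the handle stored for the endpoint with the given address on the
// currently selected interface, or -1 when the fd is unknown, no interface is
// selected, or the interface has no such endpoint.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  int ep;
  if (!index)
    return -1;
  if (index->iface_cur < 0)
    return -1;
  // The loop must be bounded by eps_num. Testing eps_num alone (as the
  // original condition did) never terminates for a non-empty interface with
  // no matching endpoint and walks past the end of eps[].
  for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
    if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
      return index->ifaces[index->iface_cur].eps[ep].handle;
  return -1;
}

// Switches the device to interface entry `n`: disables every endpoint of the
// currently selected entry, then enables every endpoint of entry n and
// records the returned handles. Out-of-range n leaves the selection
// unchanged. Failures of the individual ioctls are ignored.
static void set_interface(int fd, int n)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  int ep;
  if (!index)
    return;
  if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
    for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
      int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
      // Both branches are empty in this listing; the result is unused.
      if (rv < 0) {
      } else {
      }
    }
  }
  if (n >= 0 && n < index->ifaces_num) {
    for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
      int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
      // On failure the stored handle keeps its previous value.
      if (rv < 0) {
      } else {
        index->ifaces[n].eps[ep].handle = rv;
      }
    }
    index->iface_cur = n;
  }
}

// Applies the power draw from the parsed configuration, marks the gadget as
// configured and selects interface entry 0.
// Returns 0 on success, -1 for an unknown fd, or the failing ioctl's result.
static int configure_device(int fd)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  if (!index)
    return -1;
  int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
  if (rv < 0) {
    return rv;
  }
  rv = usb_raw_configure(fd);
  if (rv < 0) {
    return rv;
  }
  set_interface(fd, 0);
  return 0;
}

// Upper bound on the payload carried by one control event or endpoint
// transfer buffer below.
#define USB_MAX_PACKET_SIZE 4096

// Event header, the control request, and room for its data stage.
struct usb_raw_control_event {
  struct usb_raw_event inner;
  struct usb_ctrlrequest ctrl;
  char data[USB_MAX_PACKET_SIZE];
};

// Endpoint transfer header with an inline data buffer.
struct usb_raw_ep_io_data {
  struct usb_raw_ep_io inner;
  char data[USB_MAX_PACKET_SIZE];
};

static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
  if (!dev) {
    return -1;
  }
  int fd = usb_raw_open();
  if (fd < 0) {
    return fd;
  }
  if (fd >= MAX_FDS) {
    close(fd);
    return -1;
  }
  struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
  if (!index) {
    return -1;
  }
  char device[32];
  sprintf(&device[0], "dummy_udc.%llu", procid);
  int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
  if (rv < 0) {
    return rv;
  }
  rv = usb_raw_run(fd);
  if (rv < 0) {
    return rv;
  }
  bool done =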
false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = 
a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct 
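usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/*
 * Writes up to USB_MAX_PACKET_SIZE bytes from a3 to the endpoint with address a1.
 * a0 is the raw-gadget fd and a2 the requested length; a longer request is
 * clamped to the local buffer. Returns 0, the ioctl error, or -1 when the
 * endpoint is not found.
 */
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	/* Clamp before the copy so memcpy() cannot overrun io_data.data. */
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/*
 * Reads from the endpoint with address a1 into the caller buffer a3. The length
 * a2 is clamped to USB_MAX_PACKET_SIZE. Returns 0, the ioctl error, or -1 when
 * the endpoint is not found.
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	/*
	 * Copies the requested (clamped) length rather than rv, so bytes past what
	 * the ioctl filled come from the uninitialised part of io_data.data.
	 */
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

/* Closes the raw-gadget fd, waits 200 ms, and returns close()'s result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Opens a device node. When a0 is 0xc or 0xb the path is /dev/char/MAJ:MIN or
 * /dev/block/MAJ:MIN built from the low bytes of a1 and a2. Otherwise a0 is a
 * path template: every '#' is replaced by successive decimal digits of a1 and
 * the result is opened with flags a2.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		/* Bounded copy with explicit termination: the template comes from the test program. */
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

/*
 * Opens the procfs file named by a1 under /proc/self (a0 == 0),
 * /proc/thread-self (a0 == -1) or /proc/self/task/<a0>. Tries O_RDWR first and
 * falls back to O_RDONLY. snprintf() truncates a name that does not fit.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/* Asks the pty master a0 for its slave number and opens /dev/pts/<n> with flags a1. */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

/*
 * Creates a socket inside the network namespace held open as kInitNetNsFd and
 * then switches the caller back to the namespace it started in.
 *
 * Returns the socket fd, or -1 with errno set by the failing call. The process
 * exits when the original namespace cannot be re-entered, because continuing in
 * the other namespace would leave the caller outside its sandbox.
 */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		/* Release the namespace fd on this path too; keep setns()'s errno for the caller. */
		int setns_errno = errno;
		close(netns);
		errno = setns_errno;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	/* Saved because setns() and close() below may overwrite errno. */
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

#define BTPROTO_HCI 1
#define ACL_LINK 1
#define SCAN_PAGE 2

typedef struct {
	uint8_t b[6];
} __attribute__((packed)) bdaddr_t;

#define HCI_COMMAND_PKT 1
#define HCI_EVENT_PKT 4
#define HCI_VENDOR_PKT 0xff

/* The structs below are packed: fields are laid out back to back with no padding. */
struct hci_command_hdr {
	uint16_t opcode;
	uint8_t plen;
} __attribute__((packed));

struct hci_event_hdr {
	uint8_t evt;
	uint8_t plen;
} __attribute__((packed));

#define HCI_EV_CONN_COMPLETE 0x03
struct hci_ev_conn_complete {
	uint8_t status;
	uint16_t handle;
	bdaddr_t bdaddr;
	uint8_t link_type;
	uint8_t encr_mode;
} __attribute__((packed));

#define HCI_EV_CONN_REQUEST 0x04
struct hci_ev_conn_request {
	bdaddr_t bdaddr;
	uint8_t dev_class[3];
	uint8_t link_type;
} __attribute__((packed));

#define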
HCI_EV_REMOTE_FEATURES 0x0b struct hci_ev_remote_features { uint8_t status; uint16_t handle; uint8_t features[8]; } __attribute__((packed)); #define HCI_EV_CMD_COMPLETE 0x0e struct hci_ev_cmd_complete { uint8_t ncmd; uint16_t opcode; } __attribute__((packed)); #define HCI_OP_WRITE_SCAN_ENABLE 0x0c1a #define HCI_OP_READ_BUFFER_SIZE 0x1005 struct hci_rp_read_buffer_size { uint8_t status; uint16_t acl_mtu; uint8_t sco_mtu; uint16_t acl_max_pkt; uint16_t sco_max_pkt; } __attribute__((packed)); #define HCI_OP_READ_BD_ADDR 0x1009 struct hci_rp_read_bd_addr { uint8_t status; bdaddr_t bdaddr; } __attribute__((packed)); #define HCI_EV_LE_META 0x3e struct hci_ev_le_meta { uint8_t subevent; } __attribute__((packed)); #define HCI_EV_LE_CONN_COMPLETE 0x01 struct hci_ev_le_conn_complete { uint8_t status; uint16_t handle; uint8_t role; uint8_t bdaddr_type; bdaddr_t bdaddr; uint16_t interval; uint16_t latency; uint16_t supervision_timeout; uint8_t clk_accurancy; } __attribute__((packed)); struct hci_dev_req { uint16_t dev_id; uint32_t dev_opt; }; struct vhci_vendor_pkt { uint8_t type; uint8_t opcode; uint16_t id; }; #define HCIDEVUP _IOW('H', 201, int) #define HCISETSCAN _IOW('H', 221, int) static int vhci_fd = -1; static void hci_send_event_packet(int fd, uint8_t evt, void* data, size_t data_len) { struct iovec iv[3]; struct hci_event_hdr hdr; hdr.evt = evt; hdr.plen = data_len; uint8_t type = HCI_EVENT_PKT; iv[0].iov_base = &type; iv[0].iov_len = sizeof(type); iv[1].iov_base = &hdr; iv[1].iov_len = sizeof(hdr); iv[2].iov_base = data; iv[2].iov_len = data_len; if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0) exit(1); } static void hci_send_event_cmd_complete(int fd, uint16_t opcode, void* data, size_t data_len) { struct iovec iv[4]; struct hci_event_hdr hdr; hdr.evt = HCI_EV_CMD_COMPLETE; hdr.plen = sizeof(struct hci_ev_cmd_complete) + data_len; struct hci_ev_cmd_complete evt_hdr; evt_hdr.ncmd = 1; evt_hdr.opcode = opcode; uint8_t type = HCI_EVENT_PKT; iv[0].iov_base = 
&type; iv[0].iov_len = sizeof(type); iv[1].iov_base = &hdr; iv[1].iov_len = sizeof(hdr); iv[2].iov_base = &evt_hdr; iv[2].iov_len = sizeof(evt_hdr); iv[3].iov_base = data; iv[3].iov_len = data_len; if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0) exit(1); } static bool process_command_pkt(int fd, char* buf, ssize_t buf_size) { struct hci_command_hdr* hdr = (struct hci_command_hdr*)buf; if (buf_size < (ssize_t)sizeof(struct hci_command_hdr) || hdr->plen != buf_size - sizeof(struct hci_command_hdr)) { exit(1); } switch (hdr->opcode) { case HCI_OP_WRITE_SCAN_ENABLE: { uint8_t status = 0; hci_send_event_cmd_complete(fd, hdr->opcode, &status, sizeof(status)); return true; } case HCI_OP_READ_BD_ADDR: { struct hci_rp_read_bd_addr rp = {0}; rp.status = 0; memset(&rp.bdaddr, 0xaa, 6); hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp)); return false; } case HCI_OP_READ_BUFFER_SIZE: { struct hci_rp_read_buffer_size rp = {0}; rp.status = 0; rp.acl_mtu = 1021; rp.sco_mtu = 96; rp.acl_max_pkt = 4; rp.sco_max_pkt = 6; hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp)); return false; } } char dummy[0xf9] = {0}; hci_send_event_cmd_complete(fd, hdr->opcode, dummy, sizeof(dummy)); return false; } static void* event_thread(void* arg) { while (1) { char buf[1024] = {0}; ssize_t buf_size = read(vhci_fd, buf, sizeof(buf)); if (buf_size < 0) exit(1); if (buf_size > 0 && buf[0] == HCI_COMMAND_PKT) { if (process_command_pkt(vhci_fd, buf + 1, buf_size - 1)) break; } } return NULL; } #define HCI_HANDLE_1 200 #define HCI_HANDLE_2 201 static void initialize_vhci() { int hci_sock = syz_init_net_socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI); if (hci_sock < 0) exit(1); vhci_fd = open("/dev/vhci", O_RDWR); if (vhci_fd == -1) exit(1); const int kVhciFd = 241; if (dup2(vhci_fd, kVhciFd) < 0) exit(1); close(vhci_fd); vhci_fd = kVhciFd; struct vhci_vendor_pkt vendor_pkt; if (read(vhci_fd, &vendor_pkt, sizeof(vendor_pkt)) != sizeof(vendor_pkt)) exit(1); if (vendor_pkt.type 
!= HCI_VENDOR_PKT) exit(1); pthread_t th; if (pthread_create(&th, NULL, event_thread, NULL)) exit(1); if (ioctl(hci_sock, HCIDEVUP, vendor_pkt.id) && errno != EALREADY) exit(1); struct hci_dev_req dr = {0}; dr.dev_id = vendor_pkt.id; dr.dev_opt = SCAN_PAGE; if (ioctl(hci_sock, HCISETSCAN, &dr)) exit(1); struct hci_ev_conn_request request; memset(&request, 0, sizeof(request)); memset(&request.bdaddr, 0xaa, 6); *(uint8_t*)&request.bdaddr.b[5] = 0x10; request.link_type = ACL_LINK; hci_send_event_packet(vhci_fd, HCI_EV_CONN_REQUEST, &request, sizeof(request)); struct hci_ev_conn_complete complete; memset(&complete, 0, sizeof(complete)); complete.status = 0; complete.handle = HCI_HANDLE_1; memset(&complete.bdaddr, 0xaa, 6); *(uint8_t*)&complete.bdaddr.b[5] = 0x10; complete.link_type = ACL_LINK; complete.encr_mode = 0; hci_send_event_packet(vhci_fd, HCI_EV_CONN_COMPLETE, &complete, sizeof(complete)); struct hci_ev_remote_features features; memset(&features, 0, sizeof(features)); features.status = 0; features.handle = HCI_HANDLE_1; hci_send_event_packet(vhci_fd, HCI_EV_REMOTE_FEATURES, &features, sizeof(features)); struct { struct hci_ev_le_meta le_meta; struct hci_ev_le_conn_complete le_conn; } le_conn; memset(&le_conn, 0, sizeof(le_conn)); le_conn.le_meta.subevent = HCI_EV_LE_CONN_COMPLETE; memset(&le_conn.le_conn.bdaddr, 0xaa, 6); *(uint8_t*)&le_conn.le_conn.bdaddr.b[5] = 0x11; le_conn.le_conn.role = 1; le_conn.le_conn.handle = HCI_HANDLE_2; hci_send_event_packet(vhci_fd, HCI_EV_LE_META, &le_conn, sizeof(le_conn)); pthread_join(th, NULL); close(hci_sock); } static long syz_emit_vhci(volatile long a0, volatile long a1) { if (vhci_fd < 0) return (uintptr_t)-1; char* data = (char*)a0; uint32_t length = a1; return write(vhci_fd, data, length); } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct 
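nlattr*)(genlhdr + 1);
	/* Request: one CTRL_ATTR_FAMILY_NAME attribute carrying GENL_NAMSIZ bytes of name. */
	hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	/* The reply overwrites the request in buf; hdr and attr now point into the reply. */
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	/*
	 * NOTE(review): the walk trusts nla_len from the reply. A zero nla_len would
	 * leave attr in place, and the header and value reads are only bounded by the
	 * attr < buf + n test on the attribute's first byte. Confirm that is acceptable
	 * for a kernel-originated message.
	 */
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

/* One piece of a filesystem image: size bytes from data, placed at offset. */
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

/*
 * Clamps the segment table in place and returns the image size to allocate.
 *
 * size     - image size requested by the test program.
 * nsegs    - number of entries in the table; at most IMAGE_MAX_SEGMENTS are examined.
 * segments - address of a struct fs_image_segment array, passed as an integer.
 *
 * Each examined entry is rewritten so that size <= IMAGE_MAX_SIZE and
 * offset + size <= IMAGE_MAX_SIZE. The returned size is raised to cover the end
 * of every examined segment and capped at IMAGE_MAX_SIZE. The earlier code
 * compared against offset + offset, which ignores the segment length and could
 * return a size smaller than the data written at that offset.
 *
 * The clamp on nsegs is local: the caller's own count is not changed, so a
 * caller that loops over its original nsegs reaches entries that were never
 * clamped here.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		/* offset + size cannot exceed IMAGE_MAX_SIZE after the clamps above. */
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;
	size =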
fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct 
fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = 
rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	/* Core dumps disabled. */
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	/*
	 * Namespace isolation is best effort: every unshare() failure is ignored, so
	 * the process may continue in the original namespace of that kind.
	 * 0x02000000 is CLONE_NEWCGROUP written as a number.
	 */
	if (unshare(CLONE_NEWNS)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	/* SysV shared-memory, message-queue and semaphore limits written through /proc/sys. */
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Blocks until child pid has been reaped and returns its exit status.
 * A negative pid (failed fork) terminates the process. waitpid(-1, ...) also
 * reaps any other child that exits first; those statuses are discarded.
 */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/*
 * Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets of the calling process. Only those two bits in the first
 * capability word are cleared; every other capability the process holds is
 * kept. Exits when capget or capset fails.
 */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * "none" sandbox: forks, and in the child applies setup_common(),
 * sandbox_common() and drop_caps(), attempts a new network namespace, brings up
 * the virtual HCI device and enters loop(). The parent waits for the child and
 * returns its exit status. No user or privilege change is made here beyond
 * drop_caps(), and the CLONE_NEWPID and CLONE_NEWNET failures are ignored.
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	/* Also taken when fork() failed: wait_for_loop() exits on a negative pid. */
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	initialize_vhci();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	int iter = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		/* Both paths exit; EMFILE is not handled differently here. */
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 ||
strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static long syz_execute_func(volatile long text) { 
volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 41; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_fsmount #define __NR_fsmount 432 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_socket #define __NR_socket 359 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[18] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/zero\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x161000, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, (intptr_t)r[0], 0x3305, 0); break; case 2: memcpy((void*)0x20000040, "l2tp\000", 5); syz_genetlink_get_family_id(0x20000040); break; case 3: memcpy((void*)0x20000080, "/dev/dlm-control\000", 17); syscall(__NR_openat, 0xffffff9c, 0x20000080, 0x20000, 0); break; case 4: 
*(uint32_t*)0x200000c0 = 0x17; syscall(__NR_setsockopt, (intptr_t)r[0], 0x10e, 2, 0x200000c0, 4); break; case 5: res = syscall(__NR_mmap, 0x20ffa000, 0x4000, 0x2000000, 0x1010, (intptr_t)r[0], 0x10000000); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_socket, 0x23, 5, 2); if (res != -1) r[2] = res; break; case 7: res = syscall(__NR_io_uring_register, -1, 9, 0, 0); if (res != -1) r[3] = res; break; case 8: *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0; *(uint32_t*)0x200003c4 = r[2]; *(uint64_t*)0x200003c8 = 0; *(uint32_t*)0x200003d0 = 0x20000380; *(uint32_t*)0x20000380 = 0x20000100; *(uint32_t*)0x20000384 = 0x80; *(uint32_t*)0x20000388 = 0x20000240; *(uint32_t*)0x20000240 = 0x20000180; *(uint32_t*)0x20000244 = 0x93; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x20000280; *(uint32_t*)0x20000394 = 0xca; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x200003d4 = 0; *(uint32_t*)0x200003d8 = 0; *(uint64_t*)0x200003dc = 1; *(uint16_t*)0x200003e4 = 3; *(uint16_t*)0x200003e6 = r[3]; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; syz_io_uring_submit(0, r[1], 0x200003c0, 0x10001); break; case 9: *(uint32_t*)0x20000440 = 4; syscall(__NR_ioctl, -1, 0x4b63, 0x20000440); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0xaa; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; 
*(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 3, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 31, 1); *(uint8_t*)0x20000012 = 0x11; *(uint8_t*)0x20000013 = 2; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; memcpy((void*)0x20000016, "\xf4\xeb\xe4\x02\x16\xfe\xde\x5e\xf6\xc5\x31\x0f\x04\x13\xc5\xd4\x1b\x32\xfc\x23\xe0\x7f\xd3\x32\xa8\xa5\xc5\xf9\x66\x82\x1d\xa0\x91\xf4\x7b\x7b\x9c\xf9\x22\x87\x27\xff\x74\x12\xc2\xe4\xa3\xa1\x57\x3b\xb2\x95\x48\x2d\x7b\x4a\x3e\xff\xd8\x63\xcc\x60\xf5\xd8", 64); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0xd2d; *(uint32_t*)0x2000008c = 0xc61; *(uint32_t*)0x20000090 = 0x6d3; *(uint32_t*)0x20000094 = 0xbe2; break; case 11: *(uint8_t*)0x200000c0 = 2; STORE_BY_BITMASK(uint16_t, , 0x200000c1, 0xc9, 0, 12); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 3, 4, 2); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 1, 6, 2); *(uint16_t*)0x200000c3 = 0xa; *(uint16_t*)0x200000c5 = 6; *(uint16_t*)0x200000c7 = 5; *(uint8_t*)0x200000c9 = 0x13; *(uint8_t*)0x200000ca = 0x7f; *(uint16_t*)0x200000cb = 2; *(uint16_t*)0x200000cd = 0; syz_emit_vhci(0x200000c0, 0xf); break; case 12: memcpy((void*)0x20000100, "\xc4\xc2\xcd\x45\xf1\x8f\xe8\x00\xed\xb8\x5c\x2f\x00\x9e\xe9\x64\x36\x36\x0f\x28\x11\xc4\xc3\xc9\x0b\x6b\x07\x87\xc4\xc2\xf1\xa6\x03\xf3\x0f\xa6\xd0\xf3\x6f\x65\x0f\xfa\x0e\xc4\xc2\x1d\x2f\x9f\x5a\xac\x38\x4f\x3e\x65\xf3\xab", 56); syz_execute_func(0x20000100); break; case 13: break; case 14: memcpy((void*)0x20000180, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000180); break; case 15: syz_init_net_socket(3, 3, 0xcc); break; case 16: res = syscall(__NR_mmap, 0x20ffd000, 0x2000, 0x3000001, 0x80000, -1, 0); if (res != -1) r[4] = res; break; case 17: res = -1; 
res = syz_io_uring_complete(r[4]); if (res != -1) r[5] = res; break; case 18: *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0xd9fd; *(uint32_t*)0x200001c8 = 0x20; *(uint32_t*)0x200001cc = 0; *(uint32_t*)0x200001d0 = 0x308; *(uint32_t*)0x200001d4 = 0; *(uint32_t*)0x200001d8 = -1; *(uint32_t*)0x200001dc = 0; *(uint32_t*)0x200001e0 = 0; *(uint32_t*)0x200001e4 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint32_t*)0x200001f8 = 0; *(uint32_t*)0x200001fc = 0; *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; res = syscall(__NR_io_uring_setup, 0x3a3b, 0x200001c0); if (res != -1) { r[6] = res; r[7] = *(uint32_t*)0x200001d8; } break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xb18d; *(uint32_t*)0x20000248 = 0xab3a8d6e; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000250 = 0x158; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = r[7]; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = -1; res = syz_io_uring_setup(0x17a8, 0x20000240, 0x20ffb000, 
0x20ffd000, 0x200002c0, 0x20000300); if (res != -1) r[8] = res; break; case 20: *(uint32_t*)0x20000340 = 0; *(uint32_t*)0x20000344 = 0x15f8; *(uint32_t*)0x20000348 = 0x20; *(uint32_t*)0x2000034c = 2; *(uint32_t*)0x20000350 = 0xd2; *(uint32_t*)0x20000354 = 0; *(uint32_t*)0x20000358 = -1; *(uint32_t*)0x2000035c = 0; *(uint32_t*)0x20000360 = 0; *(uint32_t*)0x20000364 = 0; *(uint32_t*)0x20000368 = 0; *(uint32_t*)0x2000036c = 0; *(uint32_t*)0x20000370 = 0; *(uint32_t*)0x20000374 = 0; *(uint32_t*)0x20000378 = 0; *(uint32_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = 0; *(uint32_t*)0x2000038c = 0; *(uint32_t*)0x20000390 = 0; *(uint32_t*)0x20000394 = 0; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x2000039c = 0; *(uint32_t*)0x200003a0 = 0; *(uint32_t*)0x200003a4 = 0; *(uint32_t*)0x200003a8 = 0; *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = 0; *(uint32_t*)0x200003b4 = 0; res = -1; res = syz_io_uring_setup(0x6b11, 0x20000340, 0x20ffb000, 0x20ffb000, 0x200003c0, 0x20000400); if (res != -1) { r[9] = *(uint64_t*)0x200003c0; r[10] = *(uint64_t*)0x20000400; } break; case 21: res = syscall(__NR_socket, 0x1f, 3, 3); if (res != -1) r[11] = res; break; case 22: res = syscall(__NR_io_uring_register, (intptr_t)r[5], 9, 0, 0); if (res != -1) r[12] = res; break; case 23: *(uint8_t*)0x20001700 = 0xa; *(uint8_t*)0x20001701 = 2; *(uint16_t*)0x20001702 = 0; *(uint32_t*)0x20001704 = r[11]; *(uint64_t*)0x20001708 = 0; *(uint32_t*)0x20001710 = 0x200016c0; *(uint32_t*)0x200016c0 = 0x20000440; *(uint32_t*)0x200016c4 = 0x80; *(uint32_t*)0x200016c8 = 0x200015c0; *(uint32_t*)0x200015c0 = 0x200004c0; *(uint32_t*)0x200015c4 = 0x2c; *(uint32_t*)0x200015c8 = 0x20000500; *(uint32_t*)0x200015cc = 0x1000; *(uint32_t*)0x200015d0 = 0x20001500; *(uint32_t*)0x200015d4 = 0x28; *(uint32_t*)0x200015d8 = 0x20001540; *(uint32_t*)0x200015dc = 0x4a; *(uint32_t*)0x200016cc = 4; *(uint32_t*)0x200016d0 = 0x20001600; *(uint32_t*)0x200016d4 = 0xb9; 
*(uint32_t*)0x200016d8 = 0; *(uint32_t*)0x20001714 = 0; *(uint32_t*)0x20001718 = 0x2000; *(uint64_t*)0x2000171c = 1; *(uint16_t*)0x20001724 = 3; *(uint16_t*)0x20001726 = r[12]; *(uint8_t*)0x20001728 = 0; *(uint8_t*)0x20001729 = 0; *(uint8_t*)0x2000172a = 0; *(uint8_t*)0x2000172b = 0; *(uint8_t*)0x2000172c = 0; *(uint8_t*)0x2000172d = 0; *(uint8_t*)0x2000172e = 0; *(uint8_t*)0x2000172f = 0; *(uint8_t*)0x20001730 = 0; *(uint8_t*)0x20001731 = 0; *(uint8_t*)0x20001732 = 0; *(uint8_t*)0x20001733 = 0; *(uint8_t*)0x20001734 = 0; *(uint8_t*)0x20001735 = 0; *(uint8_t*)0x20001736 = 0; *(uint8_t*)0x20001737 = 0; *(uint8_t*)0x20001738 = 0; *(uint8_t*)0x20001739 = 0; *(uint8_t*)0x2000173a = 0; *(uint8_t*)0x2000173b = 0; syz_io_uring_submit(r[4], r[10], 0x20001700, 0xad23946); break; case 24: res = syscall(__NR_fsmount, (intptr_t)r[5], 1, 0x84); if (res != -1) r[13] = res; break; case 25: *(uint32_t*)0x20001740 = r[6]; *(uint64_t*)0x20001744 = 3; *(uint64_t*)0x2000174c = 6; *(uint64_t*)0x20001754 = 0x1000; res = syscall(__NR_ioctl, (intptr_t)r[8], 0xc01cf509, 0x20001740); if (res != -1) r[14] = *(uint32_t*)0x20001740; break; case 26: *(uint32_t*)0x200017c0 = 0; *(uint32_t*)0x200017c4 = 0x20001780; memcpy((void*)0x20001780, "\xe7\xbe\xd2\x38\x54\x76\x95\xa7\x89\x57\xb5\x74\xba\xcb\x6d\xbc\x56\x7a\x32\x32\xe7\x65\x59\xb4\xea\x39\x31\xb6\x08\x57\x8a\x24\xda\x4c\x74\x97\x95\x97\x5b\x0a\xe5\x1d\xa8\xa8\x6d\xde\x75\xb1\xd6\x84", 50); *(uint32_t*)0x200017c8 = 0x32; *(uint64_t*)0x20001800 = 1; *(uint64_t*)0x20001808 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x200017c0, 1, 0, 0x20001800, 1); break; case 27: *(uint32_t*)0x20001840 = 0; syz_memcpy_off(r[9], 0x114, 0x20001840, 0, 4); break; case 28: memcpy((void*)0x20001880, "afs\000", 4); memcpy((void*)0x200018c0, "./file0\000", 8); *(uint32_t*)0x20002900 = 0x20001900; memcpy((void*)0x20001900, 
"\xf1\xfd\x85\xc4\x6a\x07\x34\x5a\x88\x13\x28\x7b\x13\xf2\x1a\x08\x40\x90\x39\x26\xae\xf8\xfa\x2c\xb5\xf6\xe0\x10\xd1\x4f\x70\x30\x37\x67\x97\x11\x5f\xff\x5a\x94\x80\x41\x34\x8d\x82\x7d\xbd\x67\x8e\x20\x92\x8d\xc4\xb2\x24\xe0\xec\x33\xe5\x0b\xf6\x99\xf1\xed\x1e\x39\xdf\x43\xd8\x99\xeb\x1a\x37\xc8\xd1\x16\x31\xe7\xb7\x75\xfc\x82\x61\x19\x01\xef\x7d\xb3\x71\x4e\x0e\xf5\x9b\x98\xd9\xd7\xd9\x11\x4b\xa1\xba\x76\xa7\x2e\xdc\x93\x80\x33\x59\xb9\x99\x4b\x50\x4f\x9e\x77\x90\x37\x5f\xa5\x0f\xce\xab\x9c\x0f\x21\x03\x85\x72\x2f\x2a\x05\x4c\x09\xfe\xcf\x4a\x04\xcc\xfa\xca\xac\x9d\x40\xbe\xbb\x2e\x2b\xcc\x94\x8d\x32\x72\x63\xb0\xfa\x73\x5b\x75\x3f\xa3\x67\xf5\x53\x13\xbd\x6d\xf7\x47\x6a\x99\x61\xbe\xf3\xe5\x80\x6a\xe5\x3b\xf7\x23\x34\x74\xb6\x37\x26\x6e\x9f\xd6\x94\xfb\x30\xa5\x03\xfb\xa0\x53\xc4\x65\x62\x93\x6b\xb3\xb8\xfd\xd3\x8d\xa2\x3e\x72\x25\x86\x8f\x8c\xf1\xe7\xd2\x7c\xac\xb6\x90\x75\x65\x7b\x3c\xa8\x0f\x8b\xe0\xb8\xe0\x43\xdb\x62\x0f\x08\x72\x23\x1b\x8a\x31\x08\xc4\xa1\x0b\x8b\x72\x3b\x64\x6b\x3c\x6d\x5f\x37\x05\x58\x64\x09\x24\xa9\x3b\xa2\x5d\xb1\x74\x6c\xf2\xea\x14\x1b\x03\x85\xac\x0c\xf9\xe7\xac\xc8\xfd\xdd\x8e\xe3\x2f\xb9\x88\x49\x1e\x45\x45\x64\xeb\x14\x2e\xc8\x40\x24\x38\xdd\xb1\xd0\xbe\xd6\xd2\x85\xa2\xa4\x08\xa9\xed\xc5\x27\x76\xe3\xae\x70\x21\xc1\x09\x43\xee\xf0\xaf\x02\x70\x37\x22\x13\x62\x7d\xd4\x25\x3d\x95\xa3\x6a\xcd\x29\xf8\x09\x5c\x64\x28\xf1\xc4\x6c\x3e\xb2\x12\x27\xd0\x46\x06\xb5\xc9\x22\x54\xe9\xce\x3e\x22\x0a\x8b\x8a\x28\x1c\x8d\x8e\x9c\x83\x07\x9e\xa1\xdf\x4a\x90\xdb\x9f\x08\xa5\x8c\x80\x3d\x8e\xc2\xbf\xcc\x99\xf1\xac\xd5\xf0\x62\x50\x43\xeb\x4a\x83\x17\x9e\x2d\x37\xc0\x76\x57\xe4\xb7\x47\xad\xcb\x09\x79\xa2\x30\xde\xa4\xf0\x79\xf2\x20\x84\x87\x09\xf2\xbb\x38\xc3\x4a\x22\xc5\xb3\xca\xf9\x4a\x02\xfc\x5f\x1c\x4d\x01\x3c\x16\x5a\xbf\x74\xbe\xd9\xd0\x28\xa5\xd8\x4e\xc1\x50\x37\x7f\x49\x8e\xe0\xe2\xa8\x6b\xf0\x4b\x97\xee\x40\xaf\x98\x82\xbf\xad\xec\xf5\xe1\x25\xfc\x90\x9d\x25\x0d\x92\xa3\x11\x66\xd6\x11\x21\xb5\x36\x45\x24\xb6\x35\x1e\x0b\x6a\x66\xdc\xde\xe
b\x52\x49\xeb\xab\xb8\x65\xf1\xf4\xa1\xa8\x0a\xda\x5d\x69\x5d\x3a\x37\xb2\x14\xc9\xf0\xd9\x25\x07\xdb\x1b\x8d\x80\x8a\x96\xf0\x89\x02\xef\x8c\x97\xe2\x2b\x75\x49\x75\x38\xf5\x4f\xf9\x44\xa1\x91\x42\xb6\xae\x1b\x86\x36\x50\x0e\x2f\x39\x20\xa3\xab\x34\x1d\x8d\x1d\xb2\x2d\xc6\x4e\x1d\x68\x38\x21\x62\xb4\x89\xea\xad\xe6\x68\xba\x38\xe6\xe7\xec\xf6\x16\x26\xc7\x19\x37\x8a\x8e\xbf\x08\xec\x3d\x5d\xa6\x71\x64\x61\xe2\x06\x86\x9b\x33\x5c\xcb\xaf\xbc\x73\x64\x99\x83\x79\xd8\x94\xb9\xc6\x04\x41\xd9\x87\x97\xef\xf0\xd0\x4c\xe3\xfb\xf4\x19\xeb\x9c\x5c\x77\x8d\xbd\xc6\x03\x1b\x19\xfe\xa1\x3a\xdf\x11\x1d\xd4\x96\x28\x09\x3d\xa4\x1c\xe2\x52\x59\x5e\xa3\xd0\xb6\xdd\x96\x36\x4f\xe2\xe3\x75\x04\xbc\x66\x17\x04\x4f\xf1\xd0\xd2\x7f\x75\x9d\x1f\xaa\x8a\xe8\x54\xa1\x72\xda\x0b\x22\x73\x05\xbc\x63\x0a\x46\xb8\xe5\xbb\x9f\x8a\xa4\x0b\x95\xa4\xb6\xd5\xc3\x7b\xdd\xd0\x96\x8e\x19\x2d\x57\x24\x20\x78\x43\x4f\xde\xf9\xaf\xdc\x8f\x18\x39\x7d\xf1\xca\x6e\x76\xbd\xc7\x18\x45\xfb\xa2\x81\x8e\xf8\xf1\xc1\xdb\xf0\xa9\x2d\xde\xe3\xc8\xc1\xcf\xdd\xfb\x64\x43\x94\x19\xe6\x3f\x98\x11\xab\x5d\xaf\xd1\x5b\x2f\xf2\xa9\xc0\x41\x33\x16\x51\xc7\xaf\xe7\x86\x28\x75\xbf\x99\x61\x80\x6f\xac\x69\x4b\xef\x5f\x78\xfb\x9c\xd6\x4c\x33\x84\x86\x37\x44\x4e\x67\x52\x20\x03\x95\xe3\x73\x1d\x02\xdb\x34\xc2\x1f\xca\x31\x1d\x33\x9e\x81\x97\x32\xed\xe1\x83\x94\xb4\x5c\x4c\xbb\xbf\xfd\x45\xfd\xf5\x08\x28\x5d\x26\xda\x5b\x3c\xed\xe6\x92\xaf\x4e\xf2\xf4\x2c\x73\x4b\x52\x28\x64\x75\x5d\xcd\x71\x9c\x93\xb2\x68\x43\x8f\x9b\x0f\x1a\xdd\x57\x4c\xf7\x21\x89\x21\xdf\x68\xc4\x96\x68\x3c\x62\x76\x11\x5c\x07\x4d\x42\x0f\x23\x86\x1e\xeb\x82\x03\x1e\x99\x8c\x08\x33\xd1\xcb\xbb\x5b\x33\x4a\x13\x60\x6a\x0b\xc4\x06\xc4\xc8\xb1\xc2\xbf\x8d\xf5\x57\x32\x4d\x2c\x94\xcb\xe4\xc2\x90\x80\xb6\x32\x34\xb1\xbb\x74\xe5\x85\x4e\x42\x2e\xb4\x6f\x73\x69\x78\xe2\x94\x3e\xbd\x28\xaf\x46\x7b\xd0\xee\x09\x6b\x95\x2f\xf5\xf0\xb2\x28\xc7\xef\x94\x6f\xd4\x72\x49\x3b\x0e\xac\xa9\x37\x84\x01\x66\x9f\x1b\xe6\x75\x23\x0e\x56\xbc\x19\xe4\xec\x12\x34\xfc\xb4\xea\x12\x2
d\xd2\x04\x83\x01\x09\x68\x9c\xad\x7e\x3d\x70\x2a\xb3\xe9\x2e\x59\x01\x6a\x64\x0c\xce\x4e\x1e\x57\xd6\xe9\x45\x56\xe7\xee\x1f\x7c\x58\x63\x09\x04\x4b\xdc\xa4\xa7\xb2\xce\xbb\x4b\x3f\xab\xfd\x57\x8e\xd6\xc6\x85\x89\xb8\xaf\xcd\x4d\x0e\x5a\xb1\xb7\xee\xf6\xf8\x2c\xd2\x08\xe3\xec\xe7\x6e\x3b\x73\x33\x1f\xba\x03\xfb\x54\x47\x01\x29\x92\x74\x10\x42\x10\x6e\xd7\xd3\x86\xa1\x43\x3f\xe8\xd4\xc6\xbc\xe8\x22\xff\x8f\xfe\x1b\x38\x2a\xa7\x12\x47\x31\xa9\xad\x6e\x1a\x52\xc7\x82\x66\x17\x4a\x4f\xef\xe9\x86\xa5\x08\xf6\x64\x25\x77\x30\x3f\x91\xea\x4e\xfb\x32\x84\x3c\x6b\x33\x1b\x32\xf2\x45\x53\xa0\xc1\x30\x16\xd9\x1a\x23\x0a\x55\xd8\x1f\xeb\x7d\xfc\x48\xad\x15\x7c\x7c\x2f\xc6\x32\x53\x08\x10\x21\xd1\xc6\x53\x56\x51\x39\x03\xdd\xbd\xe8\xd3\xfd\x0d\x51\x74\x7f\x3e\xaa\xaf\x9d\xb9\xd6\xb4\xbd\x70\x69\xd8\xba\x53\xd4\xd1\x00\xee\x27\x27\x97\x95\x94\xc2\xfa\x80\xb9\xaa\x0e\xdd\x70\xe3\xd7\x02\xfb\x5b\x6c\xd2\x77\xee\xb4\x87\x55\x58\x86\xf8\x5b\x65\x7c\xd9\xeb\xa6\x41\xb2\x8b\xf1\xe7\x62\x30\x0f\x3e\x29\xc5\xa8\xd8\xbf\xe0\x77\xbd\xef\x7c\x9e\x2c\x4c\xfa\xd8\xfc\x36\x46\x70\xd7\xcd\x6a\xc7\xa8\x63\x22\xe6\x67\x76\x0e\x24\x03\xc4\x83\x8d\x61\xfa\x86\x69\xa4\xf6\x21\x14\xee\xf4\x23\xf0\x91\x32\xe2\x0b\xb9\x5b\xa3\x52\x2a\xc3\x10\x49\xc4\xa3\xd5\x81\xaf\x3c\x57\x84\x91\x0f\xba\x88\xcd\xee\x1c\xef\xf4\xdd\xae\xd8\x27\x11\x9c\xed\x53\x61\x94\x7d\x0e\x31\xa9\xc4\xd2\x52\x63\xa5\x36\x54\xb8\x2f\xc1\x3b\x91\xf4\x45\x08\xdd\x19\x3c\xa1\xef\x26\xd9\x30\xa6\xb0\x81\x05\x86\xd4\x02\xba\x05\x54\xfa\xce\x5c\x3e\xd0\x77\x67\x1d\x50\xd2\x88\x65\xbf\xff\x35\xca\x3a\x4d\xab\xdb\xd6\xe3\xb0\x70\x59\x32\x0f\x53\xe5\xc4\x9d\x73\xcc\x16\xdd\x1e\xd2\x81\x6a\xc9\x8a\xd3\x85\x3c\x36\x88\x29\xc7\xbe\xc4\x0c\x4a\x9b\x39\xee\x3b\x73\x0b\xbd\x6c\x15\x2f\x35\x8e\x99\x11\x30\x8c\x12\xed\x12\x06\x56\x1f\xc7\xcf\x7c\xb4\x77\x14\x5f\x1a\xaa\xce\x66\xac\x5c\x44\x68\xac\xb2\xf6\x01\xc6\x1e\x4b\x11\x8b\xe2\x05\x6b\x6d\xbc\x18\x60\x9b\xfd\x41\x05\xee\xe1\x8b\xe3\x84\xa1\x99\x13\xd2\x74\xd9\x20\x39\x79\x0c\xb8\x74\x20\xb9\xf
d\xd7\x0e\x73\x43\x09\xfc\x7a\xfe\x09\xe1\x1f\x78\x0d\x6e\xe6\x24\x31\x75\x90\x7a\x4a\xee\xcb\x6c\xa0\x70\xa3\x37\x4b\xe5\xd3\xd0\x7a\x78\x8e\xa4\xe1\xf9\xd6\xf1\x8e\xff\x9e\x79\x64\xd7\x07\x6c\xb5\xb9\x3c\xd9\x73\x38\xec\x05\x44\x8e\xc5\x27\xcc\xa6\x67\x90\xbf\xe3\x2c\x5b\x26\x62\xd7\xfc\x6b\x83\x6b\x41\xbf\x32\xe5\xbc\x0d\xdf\xe4\x2d\x59\x73\xdb\x86\xf8\xae\xd5\x6e\x43\x11\x2b\x45\xb0\xf7\x92\xc5\x39\x45\x99\xa1\x3e\x73\xc2\x50\x12\xb5\xaa\xcd\x3a\xef\x11\x24\x73\xc4\xe2\xe3\xab\x6a\xeb\xf5\xaf\x6d\xe9\xe7\x8a\xc0\x47\xfc\xc2\x76\xfd\x97\x6f\x25\x02\x2c\x65\xc3\x0a\x9f\xd6\x72\x03\xf1\x9e\x33\xb3\x5c\xfb\xcf\xdf\xf3\x95\xc5\xbb\x53\xf2\xfd\x79\x28\xe4\x3e\x62\x28\x47\x28\x07\x80\xb8\xcc\x81\x5f\xb4\x85\x18\x91\x05\xa1\x24\xcd\x86\x27\xcc\x3d\x5f\x1a\x9d\xd8\x00\xd4\x7a\x22\x6e\xbf\x90\x7e\xb2\xf4\x91\x33\xd1\x17\x58\x8d\x28\x0f\x4c\xc4\x3d\x95\x25\x4d\x88\xc8\x75\x3d\x96\x07\x3f\x97\xc5\x31\xf5\x1e\x55\x96\xe2\xe9\x71\xa2\x16\x1b\x78\xf7\x5e\xdc\xfb\xd9\xde\x38\xf0\xa9\x28\x4b\x7c\xce\xef\x87\x59\x8f\xa3\xbc\xfa\x5d\xbc\xbd\x1d\x28\x4c\xf8\x0c\xb7\x75\x54\x65\x89\x9d\x36\x2d\x9e\x40\xc6\x4c\x1a\x1e\x4c\xc4\x5c\x38\x71\xb2\x10\x4c\xa4\x0c\x05\x72\x9d\xcc\xbf\x6d\x0a\x17\x50\x0e\x5d\x0d\xff\xa3\x44\x3a\x52\x33\xe2\x79\xb2\xf9\xc5\x18\xb6\x97\x34\x0d\x26\xd2\x87\x26\x60\xc7\x1a\x49\x57\x10\xee\x00\x9f\xfb\x98\x9e\xbb\x5b\xef\xe5\x17\x69\x25\xb7\x8c\xde\xb1\xe8\x11\xc5\x1e\xcd\xb0\x1a\x47\xec\x1d\x1d\x0e\xf2\x02\x4c\x9a\x66\x6f\x6b\xc5\xeb\xe1\x3e\x77\x3f\x89\xf4\xc8\x0b\xaa\x1d\x66\x0c\x05\x1c\x26\x72\xf9\x1c\x21\xdb\x5f\xf2\xd5\xa7\x01\x26\xdc\x69\x14\x0e\xe2\x16\xc4\x5b\xdd\x0a\x7b\x52\x79\xde\xce\x2f\x58\x3b\xc2\x4f\xc6\x3c\xae\x88\xae\x75\x57\x22\x40\x48\x23\xc5\xc2\x16\x84\x9d\xcd\x10\x85\xba\x99\x02\xcb\x24\x8a\xc5\xd1\x92\xc3\xbd\xc5\x37\x39\x2a\x7c\x9e\xd3\xc3\x59\xbb\x6d\x49\x34\x62\x5f\x5f\x7a\x6d\xd5\x1b\x78\x57\x3f\xc7\x26\xad\xab\xc9\x1f\x41\x96\x05\x86\xf6\x4c\x39\x26\x11\x26\xea\x67\xdf\xc3\x2c\x5a\xe5\xf7\xd6\xed\x88\x74\x73\x60\x41\x8d\x42\xa0\x08\xd
9\xcf\xc5\xef\x15\xf9\xc5\x88\xdb\xb9\xec\xc3\x74\xba\x19\xab\x60\xa3\xba\x33\xfb\xd1\xb8\x04\x77\xb0\x20\x4e\x67\xc8\x45\xf9\xf6\xab\x58\x9c\x58\xb5\x78\xcc\xa5\x8a\xf3\x22\xae\x66\xb9\xb1\x2e\xd9\x53\x70\x3d\x13\x93\xd8\xec\xe9\xc6\x70\x66\x4f\xdb\x6b\x1f\xfa\x10\x27\x1a\xbc\x0e\x51\xd5\x7b\x59\x10\x2e\x26\x40\xbe\xa0\x9e\x91\x12\x94\xc3\x5a\xbc\x86\x16\x99\x0a\x57\x29\xbf\x73\x9a\x8e\x22\x77\x4a\x68\x0d\x57\x70\xb8\x58\xb9\x32\xfe\x59\x5b\x73\x22\x32\x8a\xe7\x92\x07\x8a\xd2\x8d\xb4\xd5\x4c\xbd\x7c\x98\x68\xfc\xbe\x6e\xed\x0b\x0a\xa7\xb7\xab\xbf\xb1\xb8\xef\xce\x2d\xd5\xc1\xe2\x9b\xac\x66\xab\x7f\x80\xfe\x7a\x65\xd2\xda\x18\x38\x66\x0e\x94\x06\x6a\x6b\x2e\x3b\xdb\x89\x7e\x55\x1b\xc0\x37\xd7\x79\xdb\xb6\xcb\x9b\xdc\xa7\x03\x0e\xf8\x22\x6b\x96\x8d\x5a\x85\x7c\xb4\x24\xa9\xbd\x71\xec\xf3\xe0\xdf\x3b\xca\x6b\x91\x95\x90\x5e\xd0\x5e\x73\xd0\x36\x7f\x16\x49\xee\xd5\x49\xd9\xc3\xd4\x7e\x2f\x31\x2c\x17\x0d\xc9\x4a\x70\x1d\x42\x04\x60\xe1\x00\x0e\x23\x70\x21\xc6\xb7\xb1\xbc\x08\xb3\x5c\x10\x43\xc6\xe8\x99\xed\x58\x7e\xf7\xdf\xb6\xe1\xc7\xb6\xe1\x1e\x3a\x2f\xb4\x34\x8a\xbc\xc9\xed\x18\x31\xee\x37\x3d\x00\x45\x40\xa7\x3a\x4c\x78\xf9\xd3\xab\xb1\x01\xc7\x87\xba\x23\x9d\xf6\x63\x92\x4e\xf8\x4e\x3b\x43\x68\x68\xb6\x3c\xd7\x4f\x4d\x47\xac\x9e\xbc\xe3\x81\x4b\xbd\xb3\x7e\xee\xc3\xfe\xa1\xf9\x06\x88\xd1\x6f\xf3\x28\x5d\x35\x97\x45\xf9\xc1\xb6\xdc\xfa\x98\xbc\xd3\x2a\xca\xcc\xd9\x35\x0c\x07\x05\x79\xaf\x49\xc6\xdd\x8e\x62\xb3\xe1\x16\x16\xb9\x56\x05\xb5\xe6\x7c\x90\xc3\xdb\x1b\x83\x01\xde\x61\xbd\xfa\x55\x8e\xe6\xd1\x3f\x20\xa7\x8d\x40\x7e\x4f\x44\xca\x79\x3c\xe3\xd9\x58\xe1\x52\x2f\x1a\x64\x27\x6a\xc8\x86\x3d\x1a\x68\xb5\xb6\x4e\x03\xec\x0b\x22\xb0\xa7\x87\xbb\xa7\xb4\x62\xfd\xdf\x8d\xa7\xd1\x01\x8b\x32\xa1\x32\x82\xbd\x1e\x83\x06\x0a\x67\xc7\xda\x96\xe4\x6e\x3b\x32\x2a\x5d\x8e\x05\xba\x67\xb3\xac\xa1\xc5\xd1\xbf\x13\x6a\x57\xb3\xaa\x68\x77\x7f\x00\xbf\x10\x2d\xdd\xb1\xde\xc2\x1d\xb3\x09\xf4\x85\x5d\x9c\x08\xed\xc5\x80\xd6\x52\xa6\x89\x42\x0b\xf6\x25\x38\xb5\xaa\x26\x30\x57\x09\x8
1\x21\xd8\x2d\x87\xe2\x9e\xe2\x6b\x5d\x52\x88\x02\x3e\x50\x1f\xf2\x73\x0b\xce\xf0\x0b\x98\xf1\x3c\x40\xbc\x2d\xa1\xa1\xbc\xa1\xcd\x66\x64\x84\xf1\xa3\xf5\xc8\xb6\xff\xaf\x46\x8f\xbe\xaa\xf5\xab\xfd\x74\x39\x6f\xbc\x46\x0e\x0f\xd2\xb4\x40\xf5\xe5\x63\x27\xe6\x34\x90\x73\x11\xdc\xe9\x8e\xc0\x75\xe9\xee\x32\x87\xf7\xd2\xdc\xd6\x44\x93\xe5\xc5\xce\x09\x6b\xb2\x9d\x77\xaa\x49\xa9\xf6\x77\xe6\x8e\xfd\x44\xcf\x35\xb5\xa0\xd6\x9f\x1e\xc8\x87\xa5\xf1\xf3\x5e\x44\xaf\xe3\xb6\x90\x4e\xf0\x26\xb3\x65\x1c\x69\x7d\xc2\xaf\x46\x66\x2b\x92\x36\x64\x20\x1e\x4b\xae\xdc\x28\xe8\x5f\x33\xd0\xfc\xce\x83\xec\xb0\x1d\x04\xf5\xa0\x82\x6d\xf9\xfb\xfe\x7d\x92\xe3\x1d\xb7\x62\x02\x53\x3f\xa8\xbd\xbd\x4f\x14\x74\x4f\x84\x85\x94\x8f\xf0\xe4\x0e\xc7\x7d\x2a\x2c\xca\xc3\x4f\x38\x9a\x4f\x6b\x0e\x1f\x84\xf5\x27\xb1\x28\x2b\x4b\xa5\x3c\xc0\xa5\x34\x68\xeb\x13\x62\xd8\x7f\x33\x4f\x17\x6d\x94\x8d\x9d\x7f\xc1\x90\xa1\xfa\xbb\x36\x74\x53\x85\x94\x5f\x27\xd4\x4c\x13\x64\x36\xee\xed\xca\x1a\xd4\x94\x5c\x9d\x73\xd6\xa2\xd7\x22\x5a\x1f\x7f\xa4\x9a\x2b\x2b\x56\xd3\xa4\x03\xa8\xdd\xd0\x3d\x70\x1b\xb8\xba\x36\xc2\x75\xb0\x5d\xb3\xb6\x06\x38\xb9\xa2\xa2\x34\xcb\x63\xb8\x09\xeb\xfc\x9a\x77\x1a\xc7\x12\x76\x2f\x7e\x96\xc5\x38\xe1\xc5\x4a\x79\x12\xb9\x59\x44\x63\x2d\x6d\x60\x59\x4b\x90\x0e\x17\xee\x32\x7b\x2b\x2b\x13\xbe\x28\x44\x06\x1f\xd1\xe3\x50\xe4\x71\x21\xfd\x71\xf1\x30\xa5\xae\xb5\x15\x3c\xcb\x8e\xce\x99\x59\x0f\xf9\x3e\xa9\x8e\xe5\x89\xa0\xa4\x28\x8b\xb6\xa3\x59\x0b\x1c\x6e\x89\x00\x8b\xbd\x2d\xc7\xad\x38\x74\x83\x69\x40\x5c\x9f\x8c\x37\xfa\x75\xdd\x2f\xf4\xa3\x84\x56\x1d\x03\x09\x48\xc3\xd1\x64\x66\xe4\xf0\x37\xe5\x4d\x3d\xca\xbd\xe0\x2f\xb3\x5c\x62\xb3\x16\x92\x65\xc0\xaf\x80\x18\xa8\x6c\x3f\xcf\x32\x68\xc1\xa9\x1e\x71\x31\xf8\x9c\xf7\x84\x1b\xb5\x8c\xab\x8a\x5f\x89\xd7\xed\xb6\x7f\x05\xf1\x6f\xe8\x40\x59\xbe\x5a\xbd\xbe\x44\xd3\x85\x2f\xa5\x79\x0c\x16\x16\x28\xb2\x1e\xef\x35\x9a\xaf\x7d\xb7\xde\x11\xc8\x35\xff\x9c\xc0\xb8\x6a\xc9\x75\x1f\xd2\xd5\xc1\x35\xe8\xac\xb4\x35\x2b\xc0\x3f\xdf\xe6\xc4\x34\x73\x5
8\x2c\xde\x76\xb1\x57\xee\xb0\x3a\xcf\xff\x74\x2b\xe5\x83\x8a\x4a\xab\xa1\x60\xe1\xc5\x88\xc9\xe1\xda\x27\x58\xfc\x29\x0a\xe3\x7a\x76\x05\x34\x0f\x72\x6f\xf3\xd8\xd7\x3d\x3d\xcc\xdc\x77\x37\x49\x9b\x74\x73\xec\xcc\x00\xc3\xd0\x1d\x20\xbd\x98\x9e\x60\x49\xd9\xda\x7d\xce\xe2\x29\xfe\x3d\xb7\xe2\x84\x5b\xa6\xef\x6b\x38\x06\x80\xe0\x77\x54\xdf\xa9\x2d\x16\x05\xb3\xb2\x52\x7e\xd1\x9d\x01\x33\x3b\x2b\x58\x86\x8d\x76\x14\xc9\x2b\x7f\x93\xc9\x5e\x2c\x90\x54\xf7\xa7\x28\xe0\x56\x9b\x98\x60\x18\x31\x1d\x9a\xb3\x79\xac\x3d\x19\xc7\xf6\x5f\x87\xac\xbd\x2a\x2b\xcd\xf1\x22\xb1\xb9\x50\x2d\x3c\x3a\x69\xef\xa3\x2f\x4b\xe1\xef\x20\xda\xa4\x2e\x13\x40\x9d\x2b\x12\xdb\xfd\x03\xc6\x4a\xca\x0b\xd6\x6c\x76\xc0\x4e\xa6\xa7\x6e\xf0\x29\x46\x50\xe5\x9e\x8a\x37\x9c\x85\xc5\xac\x8e\x31\x0e\xd9\x9e\x1a\x5f\x20\xc9\xbb\xdb\xee\x13\xde\x12\x18\xf9\x5b\xe0\x40\xff\x5f\x76\x0c\x7f\x07\xab\xe3\x62\x46\x85\x08\xa2\x11\x4e\x0c\x34\xf9\x38\x95\xc1\xe2\x8a\xd8\xc5\x6f\x19\x49\x81\x6c\xff\xd0\x9c\x02\x8d\xee\xf0\x1e\x5f\xcf\x91\xb4\x38\x4c\x62\xd0\xef\xd9\xb7\xd6\x6b\x1a\xae\x30\x2a\x3e\xd2\xc3\x03\x7c\x96\x75\xac\x6c\x86\x33\x6f\xa6\x03\x25\x8a\x53\x84\x09\xba\xd5\x67\x98\x11\x28\xcb\x8c\xab\x88\xd7\x02\x7b\x2a\x92\x67\x1c\xad\x00\x0a\x2c\x9f\x31\x7f\xb4\xae\x30\x98\x0d\x3f\x28\x51\x2f\xb5\xf6\x6a\x98\xb2\xe2\x07\x7a\x6a\x7f\x84\x61\xbf\x1a\x78\xcf\x12\xb3\xce\x6e\x3a\xa4\xa2\x2f\x3c\x63\x73\xa5\xd0\x4f\x76\x7b\x83\xc7\xd5\x7a\x56\x83\x4f\x76\x39\xc9\xac\xbb\x9f\xde\xde\xa8\x52\x76\xa0\xaa\x10\x0b\x68\xc8\xa2\x46\x31\x4a\x8c\xa0\x2f\xf0\x7d\x15\x32\xc9\x0d\x9a\x4a\x5d\xac\xba\x53\xa2\x4c\x14\xcb\x94\xb5\x7a\x8c\x23\x6c\x98\x5e\xbc\x98\x69\x71\x08\xa4\x3e\x87\x4b\x67\x15\xe6\xbe\x8d\x96\x85\xfa\xfd\xba\x1d\x7e\x5d\x1b\x4c\xed\x62\x56\x58\x47\xbd\xfc\xf6\x2b\xe1\x75\xe8\x48\x3c\xfd\x07\x11\x24\x76\x64\xe2\x73\xfc\xbe\xc2\x9f\x60\xde\xdd\x34\xc6\x81\x0f\x66\x50\xb6\xbd\xc4\x7d\xf7\x26\x7b\x8f\x53\xbc\x66\xac\x41\xa5\xc0\x50\x6e\xdf\x4a\x80\x5c\xff\x03\x43\x79\x7c\x88\x12\x56\xea\x09\x5f\xbf\x14\x57\x54\xf
7\xcb\x9d\xfb\xa6\xd3\xc2\xbd\x12\xac\xe3\x07\x62\x9c\xb2\x2d\xfe\xb5\xa4\x81\x55\xde\x0e\x50\xa9\x5d\xa5\x8b\x32\x02\x58\x9b\x60\xf5\xdd\x4c\xa6\xcd\x22\xc2\xed\x78\x8f\x27\x21\xd5\x35\x43\x74\xe9\xef\xac\xf4\x94\x72\x94\xdd\xc8\x14\x92\x25\xdc\xe5\xad\xfb\x32\x25\x95\xed\x18\xa4\xdc\xb0\x56\x51\x48\xb0\x87\xe3\x7d\x42\x47\xea\xae\xcc\x58\xc5\xaa\xf1\xc6\x4e\x87\xcc\x2c\xce\x9b\x8e\xbc\xaf\x96\x3f\xc4\x41\xa6\xdf\xac\x42\x6b\xe0\xac\xe4\xec\xfb\x91\xdf\x77\x32\x72\x1a\xfb\x34\xf9\x05\xce\x73\x77\xdb\x38\x49\xd7\x40\x1b\xa3\xd3\x14\x9c\x08\xe9\x8b\xcd\xec\xa6\xde\x20\x7e\xd8\xbc\x7b\x1d\x6e\x88\x59\x7d\xa6\x28\xc6\xb0\xa7\x3c\xf9\x67\x4a\x20\x7d\xd8\x74\x5f\xe5\xb3\x2b\xdd\x8f\x55\x09\xf1\x4f\xc1\x5c\xf9\x50\x4b\xf6\x63\x4b\x2d\xf2\x83\x6e\x95\xc7\x36\xe2\x76\x2f\x27\x14\xbf\xd1\x30\xaf\x99\x1d\x8b\x64\x8a\x93\x72\x15\x83\x83\xa2\xf5\x3e\x14\xc7\xcf\xc7\x66\x3d\xb5\xca\x5c\x8a\x9c\xdd\x15\x5e\x38\xc1\xf7\x0e\x51\x61\x35\x88\x12\x8d\xd0\x85\xbb\xdd\x7e\xd2\x39\xb9\x7e\x89\x58\xce\xf3\x5f\x11\x7e\xab\x19\xb3\x70\xff\x2e\x4e\x25\x68\x9d\x62\xb6\x84\xfd\x4a\xfc\xeb\x26\x32\x51\xfa\x92\xe8\xc6\xb2\xaa\x2e\x34\xd3\xfb\x8a\xae\xd1\x8c\xdc\x73\x4f\x9b\x42\x0c\x8d\x7b\x93\x15\x55\xeb\xd7\x99\x0c\xa0\x73\xfb\x81\xbe\x98\x27\x94\xe0\x00\xd5\x05\x72\xeb\x07\x61\xd4\x95\xba\x80\x68\xf6\x57\xd7\xf7\xb9\x19\xe6\x6a\x25\xe0\x32\x11\xdf\xe6\x90\xf4\x08\x1f\xc5\xde\x14\xf5\xf9\xd8\xbe\x47\x80\x24\xe6\x0a\x31\x38\x08\x0d\x9c\xe9\x7a\xe2\x3e\x29\x1e\x77\xa6\xe4\xa5\x07\xa9\x6a\xe0\xc0\x7d\x96\x04\xa9\x5b\x43\xb8\x17\x4c\x33\x17\x5b\xa2\x95\x05\x01\x86\xf7\x23\xb5\x0a\x60\x9e\xe0\x9b\x42\x67\xe4\xd2\xaf\x42\x96\xce\x65\x7b\xb8\xb5\xe9\x96\xf9\x8b\xd7\x5e\xd4\x2d\x09\x54\x89\x5d\x97\xd9\x88\x32\x9d\x92\x5f\x62\x89\x44\x74\xd1\xca\xa5\xde\x98\x8e\xd7\xb5\xc6\xde\xac\xfd\x90\xad\x94\x7e\xfe\xbf\x6c\xf6\x1b\x45\xd9\xc7\xb1\xba\x59\xe9\xec\x4b\x85\x59\xaf\xf8\xd3\xd0\x5f\xb0\x0f\x57\xec\x94\x2b\x0e\x9b\x9f\xdb\xde\x26\xca\xd3\x40\xcb\xb4\xf7\xc0\x44\x7b\x70\x7e\xd8\xf6\xd4\xf9\x89\xd0\xb1\xd
a\x0d\x0c\xda\xe6\x17\xb0\x14\x36\xfa\x68\xe3\x77\x75\xe8\x44\x41\x5e\xbd\x11\xa3\x35\x08\x46\xcf\x0b\x41\x9f\xad\x6d\xb9\x4c\xcc\x82\x83\xe9\x50\x19\xdb\x55\x91\xb9\xe8\x1c\x5d\x32\x70\x7b\x30\x02\xaf\xb2\x40\x58\x49\x5f\x6c\x21\xcd\x4b\x9e\x12\xaf\x7a\x1f\x40\x54\xfd\xa3\x7b\xa6\xa2\x94\x5e\x89\x98\x99\x76\x10\x12\x54\x8e\x41\x22\xa6\x95\x56\xe0\xca\x51\xe2\x31\x94\xbd\xc4\xe2\x72", 4096); *(uint32_t*)0x20002904 = 0x1000; *(uint32_t*)0x20002908 = 9; memcpy((void*)0x20002940, "flock=openafs", 13); *(uint8_t*)0x2000294d = 0x2c; memcpy((void*)0x2000294e, "dyn", 3); *(uint8_t*)0x20002951 = 0x2c; memcpy((void*)0x20002952, "autocell", 8); *(uint8_t*)0x2000295a = 0x2c; memcpy((void*)0x2000295b, "dyn", 3); *(uint8_t*)0x2000295e = 0x2c; memcpy((void*)0x2000295f, "flock=openafs", 13); *(uint8_t*)0x2000296c = 0x2c; memcpy((void*)0x2000296d, "source", 6); *(uint8_t*)0x20002973 = 0x3d; memcpy((void*)0x20002974, "&", 1); *(uint8_t*)0x20002975 = 0x2c; memcpy((void*)0x20002976, "source", 6); *(uint8_t*)0x2000297c = 0x3d; memcpy((void*)0x2000297d, "SEG6\000", 5); *(uint8_t*)0x20002982 = 0x2c; memcpy((void*)0x20002983, "smackfsdef", 10); *(uint8_t*)0x2000298d = 0x3d; memcpy((void*)0x2000298e, "SEG6\000", 5); *(uint8_t*)0x20002993 = 0x2c; memcpy((void*)0x20002994, "smackfsdef", 10); *(uint8_t*)0x2000299e = 0x3d; memcpy((void*)0x2000299f, "SEG6\000", 5); *(uint8_t*)0x200029a4 = 0x2c; memcpy((void*)0x200029a5, "subj_user", 9); *(uint8_t*)0x200029ae = 0x3d; memcpy((void*)0x200029af, "SEG6\000", 5); *(uint8_t*)0x200029b4 = 0x2c; memcpy((void*)0x200029b5, "smackfstransmute", 16); *(uint8_t*)0x200029c5 = 0x3d; memcpy((void*)0x200029c6, ":", 1); *(uint8_t*)0x200029c7 = 0x2c; memcpy((void*)0x200029c8, "seclabel", 8); *(uint8_t*)0x200029d0 = 0x2c; *(uint8_t*)0x200029d1 = 0; syz_mount_image(0x20001880, 0x200018c0, 5, 1, 0x20002900, 0x20005, 0x20002940); break; case 29: memcpy((void*)0x20002a00, "/dev/i2c-#\000", 11); syz_open_dev(0x20002a00, 0xad8, 0x2a2000); break; case 30: res = 
syscall(__NR_ioctl, -1, 0x5429, 0x20002a40); if (res != -1) r[15] = *(uint32_t*)0x20002a40; break; case 31: memcpy((void*)0x20002a80, "net\000", 4); syz_open_procfs(r[15], 0x20002a80); break; case 32: syz_open_pts(r[13], 0); break; case 33: *(uint32_t*)0x20002e80 = 0x20002ac0; memcpy((void*)0x20002ac0, "\x7a\xd3\xcd\x80\x2d\xd0\xc4\x24\x94\x5d\x99\xca\x9c\xa6\xe4\xfb\xb8\xf8\xe3\xb9\x80\xd2\xec", 23); *(uint32_t*)0x20002e84 = 0x17; *(uint32_t*)0x20002e88 = 0x1000; *(uint32_t*)0x20002e8c = 0x20002b00; memcpy((void*)0x20002b00, "\x32\x9d\xe8\x0b\x2b\x17\xbb\xd2\x5d\x1f\x19\x07\xa9\x26\x3a\xf3\xbf\x05\xc4\xa7\x06\x1e\x28\x49\x2a\x3f\x71\xc6\x34\x3a\xa5\xaa\xea\x03\x27\xa3", 36); *(uint32_t*)0x20002e90 = 0x24; *(uint32_t*)0x20002e94 = 5; *(uint32_t*)0x20002e98 = 0x20002b40; memcpy((void*)0x20002b40, "\x82\x79\x1d\xfd\x31\x1d\x07\xdb\x7d\x65\xe8\x03\xce\x6c\xa0\x00\x28\xaf\x8f\xf8\xd2\x76\x18\x7e\x0e\x14\xbb\xf7\xbe\xab\x60\xfc\x4b\x70\x72\x2e\x91\xb6\x32\x2b\x8e\x34\x72\x19\x1a\x66\x17\x6b\xb0\xca\x91\xde\xe6\x0f\x15\x06\xa6\xd4\x8b\xe4\x05\x52\x30\xc3\x0b\xe9\x4a\x10\x43\xa1\xd2\xa0\x6d\x42\x16\x60\x69\xd8\x03\x3d\x6c\x52\x4c\x86\x10\xb8\xc4\xbb\x63\xaf\x0c\xe6\xd6\x20\x71\x37\xf1\xbe\x1b\x62\xb0\x02\xe8\xc3\x5e\x64\x67\xc2\x42\x3c\xc6\x59\x7d\x1c\xa5\x8e\xe3\x15\x89\xf0\x24\x8a\xc7\x62\xe2\x4a\x28\x6a\x41\xa7\x61\x91\x2d\x34\xbb\x56\xf0\x7d\xb8\x8c\xa5\x2f\xce\x8d\x12\x87\x62\x39\x4f\xa0\x0f\xaa\xc8\x45\x1a\x42\xc3\x14\x4b\xde\xc7\xe9\x72\x96\xc9\xea\xc7\xc9\xf6\x31\x10\xa3\xd4\x05\xc1\x6b\x04\x28\x88\x00\x24\xe8\xc9\xc8\xaf\x49\x0b\x8c\xfa\xd8\x4c\xbb\x63\x78\x78\xd6\x34\xcd\x84\x34\x6b\x60\xc9\x13\x2c\x09\x66\x0c\xdc\x61\x6a\x0b", 212); *(uint32_t*)0x20002e9c = 0xd4; *(uint32_t*)0x20002ea0 = 0x7fff; *(uint32_t*)0x20002ea4 = 0x20002c40; memcpy((void*)0x20002c40, 
"\x90\x4b\xbc\xee\x2b\x46\xda\xa1\xac\x64\x3b\x7b\x6b\x8e\xa0\xff\x46\x2f\xea\xbe\xe5\x41\xb4\x11\xa8\x85\xe4\x70\xa4\x96\xcb\xbd\xc7\x29\xff\xde\xbc\x50\x80\x7f\x71\x9c\xbe\x80\x8d\x8b\x59\x8b\x47\x67\xc7\xa8\x52\xd9\xce\x0c\x88\x0a\x9b\x07\x8b\x01\x87\xde\xac\x92\x6b\xd4\x68\x7a\x44\xf0\x92\xbb", 74); *(uint32_t*)0x20002ea8 = 0x4a; *(uint32_t*)0x20002eac = 5; *(uint32_t*)0x20002eb0 = 0x20002cc0; memcpy((void*)0x20002cc0, "\x35\x31\xae\x25\x7e\x7e\x08\x77\xcd\xe3\x40\xc4\x2e\xdb\xfc\x91\xdc\xff\xaf\xf1\x28\x4e\xf0\x8a\x45\x1e\x4c\x76\xe0\xcd\x83\xb2\xc0\xea\x10\xd8\x6b\xce\xfa\x93\xbb\xae\xf5\xff\xfb\xfe\x7d\xc7\x0b\x73\xb8\x9c\x55\xfc\x38\x51\x11\x0d\x1b\xd0\xd1\xda\x31\x75\x33\x20\xb1\x11\xfe\x70\x60\x53\x7e\x8f\x65\xf3\xc2\xf0\x5a\xdc\xb3\xd6\x6b\xd2\xab\xe6\xb0\x8a\xaa\xe0\xd0\xee\xdc\xa9\x93\x77\x07\xec\x4c\xb4\x87\x4c\xdf\xd0\x58\x00\x81\x2a\xb5\x3f\x95\x50\xb2\x5a\x28\xee\x69\xe6\x2a\x0f\x79\x0f\xe5\x23\x3f\xc8\x64\x5f\xc3\xfe\x6c\xae\x05\x5f\x2a\xa1\x72\x91\x25\x17\x01\x51\xe8\x6e\xea\xb6\x7b\xb2\x0b\xc8\x84\xa1\x21\x4c\x2d\x3d\x96\x9c\x34\xfb\x23\x9b\x45\xfe\xec\x93\xac\x20\x97\x21\xba\xe7\x27\x12\x51\xc6\x13\xce\xa9\x37\x9c\x15\x21", 183); *(uint32_t*)0x20002eb4 = 0xb7; *(uint32_t*)0x20002eb8 = 4; *(uint32_t*)0x20002ebc = 0x20002d80; memcpy((void*)0x20002d80, "\xc3\xf0\x4f\x26\x92\x9b\x7a\x4d\x63\x42\x84\x1f\xa5\x3a\x9a\x8c\xb8\x00\x6a\x97\xf4\x28", 22); *(uint32_t*)0x20002ec0 = 0x16; *(uint32_t*)0x20002ec4 = 6; *(uint32_t*)0x20002ec8 = 0x20002dc0; memcpy((void*)0x20002dc0, 
"\xc9\x87\x12\x75\xe3\x26\x9f\xf1\xbd\xcd\x67\xfb\x52\x3e\x1c\xeb\x51\x51\xb0\xed\xe9\xe0\x32\x63\x4e\x36\xd4\x86\x04\x6b\xc3\x1c\xd9\x78\xbd\xa5\x92\x47\x35\x53\x16\x31\x9e\x76\x8e\x7a\xc6\xbe\x06\x48\xbf\x0f\xec\xd1\x3c\xda\xd4\x5f\x71\x3e\x0e\x3b\x74\xe9\x5e\xec\x77\x06\x3c\x02\xa2\x33\xea\x97\xd3\x38\xf4\xb1\xe9\xbc\x5a\x7c\xce\x85\x52\x87\x42\x63\x2e\xd5\x9c\xec\x01\x6f\x39\x14\xdd\x02\xca\x6b\x1d\xc8\x33\x22\x48\x95\x27\x73\x50\xcf\x1f\x21\xd6\xc7\x8f\x85\x92\x71\x7e\x91\x23\x3f\x90\x26\x92\x7e\x0c\xc3\xd8\x0c\xdc\x57\x71\x47\x63\xa0\xfc\xb0\x91\xf5\xc6\x90\x51\xb5\x5c\xd2\xe1\xfc\xc3\x3b\x13\xd5\x97\xc5\xca\xee\xb2\x71\xc5\x42\x97\x8a\x1e\x17", 164); *(uint32_t*)0x20002ecc = 0xa4; *(uint32_t*)0x20002ed0 = 0x9c; syz_read_part_table(1, 7, 0x20002e80); break; case 34: *(uint8_t*)0x20002f00 = 0x12; *(uint8_t*)0x20002f01 = 1; *(uint16_t*)0x20002f02 = 0x201; *(uint8_t*)0x20002f04 = 0xa4; *(uint8_t*)0x20002f05 = 0x61; *(uint8_t*)0x20002f06 = 0x1e; *(uint8_t*)0x20002f07 = 0x40; *(uint16_t*)0x20002f08 = 0xacd; *(uint16_t*)0x20002f0a = 0x300; *(uint16_t*)0x20002f0c = 0xc0df; *(uint8_t*)0x20002f0e = 1; *(uint8_t*)0x20002f0f = 2; *(uint8_t*)0x20002f10 = 3; *(uint8_t*)0x20002f11 = 1; *(uint8_t*)0x20002f12 = 9; *(uint8_t*)0x20002f13 = 2; *(uint16_t*)0x20002f14 = 0x372; *(uint8_t*)0x20002f16 = 2; *(uint8_t*)0x20002f17 = 4; *(uint8_t*)0x20002f18 = 0x1f; *(uint8_t*)0x20002f19 = 0; *(uint8_t*)0x20002f1a = 1; *(uint8_t*)0x20002f1b = 9; *(uint8_t*)0x20002f1c = 4; *(uint8_t*)0x20002f1d = 0x5d; *(uint8_t*)0x20002f1e = 0xb3; *(uint8_t*)0x20002f1f = 1; *(uint8_t*)0x20002f20 = 0xad; *(uint8_t*)0x20002f21 = 0x49; *(uint8_t*)0x20002f22 = 0x76; *(uint8_t*)0x20002f23 = 0x20; *(uint8_t*)0x20002f24 = 7; *(uint8_t*)0x20002f25 = 0x24; *(uint8_t*)0x20002f26 = 1; *(uint8_t*)0x20002f27 = 0; *(uint8_t*)0x20002f28 = 0x80; *(uint16_t*)0x20002f29 = 0; *(uint8_t*)0x20002f2b = 9; *(uint8_t*)0x20002f2c = 5; *(uint8_t*)0x20002f2d = 0xd; *(uint8_t*)0x20002f2e = 0; *(uint16_t*)0x20002f2f = 0x230; 
*(uint8_t*)0x20002f31 = 0x5d; *(uint8_t*)0x20002f32 = 1; *(uint8_t*)0x20002f33 = 0x3f; *(uint8_t*)0x20002f34 = 7; *(uint8_t*)0x20002f35 = 0x25; *(uint8_t*)0x20002f36 = 1; *(uint8_t*)0x20002f37 = 0; *(uint8_t*)0x20002f38 = 0x1f; *(uint16_t*)0x20002f39 = 2; *(uint8_t*)0x20002f3b = 0xba; *(uint8_t*)0x20002f3c = 0xe; memcpy((void*)0x20002f3d, "\xf4\xe6\xe5\x76\x28\x83\xc3\x4d\xf0\x4f\x35\x60\x99\xf1\xd3\x4b\xdb\xc9\xf5\x32\x4d\xa6\x48\x05\x3f\xd6\x90\x21\x1b\x89\x71\x19\xc4\xf3\xac\x19\x7f\x2a\xa9\x3f\x2f\x3b\xe0\x5f\x83\x6b\x16\x44\xd5\xb2\x32\x76\x48\xb3\x08\x16\xed\x19\x2f\x94\x3d\xfc\xe2\x25\xf6\x9d\x77\xc5\x15\x65\xe1\x77\xfd\x88\x9c\x9c\x9d\x8c\x85\xb9\x2e\xe4\xbe\xad\x0e\x88\x94\x46\xbb\xc3\x20\xa4\x0f\xa2\x48\x07\xf4\x76\xbf\xd1\xf1\xb3\x09\x6e\x33\x70\xf7\x55\xc9\x4a\xa0\x1c\x3b\xe4\xdd\xc7\x95\x2a\x56\x94\xbc\xad\x4b\xeb\x40\x65\xbf\x5e\xa9\x60\x66\xc4\x3e\x95\x07\xe6\x22\x0c\x47\xbc\x02\x71\xad\xcb\xaf\xfc\xe6\xac\x90\xcb\x3c\x8b\x1c\xf7\x48\xc6\xbb\xf9\x71\x08\xdf\xa2\xca\xc4\xb8\x7d\x34\x20\x42\x84\x34\x39\x7e\x07\xf1\x7a\x87\xed\x62\x33\xb3\x9e\x32\xf0", 184); *(uint8_t*)0x20002ff5 = 9; *(uint8_t*)0x20002ff6 = 4; *(uint8_t*)0x20002ff7 = 0x5d; *(uint8_t*)0x20002ff8 = 0x27; *(uint8_t*)0x20002ff9 = 7; *(uint8_t*)0x20002ffa = 0x3f; *(uint8_t*)0x20002ffb = 0x84; *(uint8_t*)0x20002ffc = 0xfd; *(uint8_t*)0x20002ffd = 3; *(uint8_t*)0x20002ffe = 0x10; *(uint8_t*)0x20002fff = 0x24; *(uint8_t*)0x20003000 = 2; *(uint8_t*)0x20003001 = 1; *(uint8_t*)0x20003002 = 0xe2; *(uint8_t*)0x20003003 = 2; *(uint8_t*)0x20003004 = 0x63; *(uint8_t*)0x20003005 = 0x40; memcpy((void*)0x20003006, "\xe7\x21\xcc\x44\xac\xca\x89\x38", 8); *(uint8_t*)0x2000300e = 0xb; *(uint8_t*)0x2000300f = 0x24; *(uint8_t*)0x20003010 = 2; *(uint8_t*)0x20003011 = 1; *(uint8_t*)0x20003012 = 0; *(uint8_t*)0x20003013 = 3; *(uint8_t*)0x20003014 = 1; *(uint8_t*)0x20003015 = 0; memcpy((void*)0x20003016, "\x9e\xf4\x2f", 3); *(uint8_t*)0x20003019 = 7; *(uint8_t*)0x2000301a = 0x24; *(uint8_t*)0x2000301b = 1; 
*(uint8_t*)0x2000301c = 4; *(uint8_t*)0x2000301d = 1; *(uint16_t*)0x2000301e = 4; *(uint8_t*)0x20003020 = 0xb; *(uint8_t*)0x20003021 = 0x24; *(uint8_t*)0x20003022 = 2; *(uint8_t*)0x20003023 = 1; *(uint8_t*)0x20003024 = 0; *(uint8_t*)0x20003025 = 3; *(uint8_t*)0x20003026 = 0x19; *(uint8_t*)0x20003027 = 6; memcpy((void*)0x20003028, "\x9e", 1); memcpy((void*)0x20003029, "\x69\x83", 2); *(uint8_t*)0x2000302b = 9; *(uint8_t*)0x2000302c = 5; *(uint8_t*)0x2000302d = 0xf; *(uint8_t*)0x2000302e = 0; *(uint16_t*)0x2000302f = 0x3ff; *(uint8_t*)0x20003031 = 0xf6; *(uint8_t*)0x20003032 = 5; *(uint8_t*)0x20003033 = 0x80; *(uint8_t*)0x20003034 = 9; *(uint8_t*)0x20003035 = 5; *(uint8_t*)0x20003036 = 1; *(uint8_t*)0x20003037 = 0x10; *(uint16_t*)0x20003038 = 0x10; *(uint8_t*)0x2000303a = 0; *(uint8_t*)0x2000303b = 0x40; *(uint8_t*)0x2000303c = 6; *(uint8_t*)0x2000303d = 7; *(uint8_t*)0x2000303e = 0x25; *(uint8_t*)0x2000303f = 1; *(uint8_t*)0x20003040 = 2; *(uint8_t*)0x20003041 = 0x20; *(uint16_t*)0x20003042 = 6; *(uint8_t*)0x20003044 = 9; *(uint8_t*)0x20003045 = 5; *(uint8_t*)0x20003046 = 0xb; *(uint8_t*)0x20003047 = 8; *(uint16_t*)0x20003048 = 0x10; *(uint8_t*)0x2000304a = 1; *(uint8_t*)0x2000304b = 2; *(uint8_t*)0x2000304c = 0; *(uint8_t*)0x2000304d = 9; *(uint8_t*)0x2000304e = 5; *(uint8_t*)0x2000304f = 0xd; *(uint8_t*)0x20003050 = 0x10; *(uint16_t*)0x20003051 = 0x200; *(uint8_t*)0x20003053 = 4; *(uint8_t*)0x20003054 = 8; *(uint8_t*)0x20003055 = 0xc0; *(uint8_t*)0x20003056 = 0xbb; *(uint8_t*)0x20003057 = 0x31; memcpy((void*)0x20003058, 
"\x21\x5c\xe6\xab\x8f\x3c\x72\xca\xa3\xab\x13\x26\xf1\x88\x38\x90\x8a\xc6\x0b\xff\xb3\xb5\x07\x48\x14\x4a\xa2\xcb\xc4\xd7\xca\xc5\x6f\x4a\x7b\xb2\xbd\x6c\x96\x96\x74\xa5\xe4\x04\x08\x61\xbb\x21\xba\x5c\xcf\x0f\x82\x2c\x10\x32\xe7\xe3\x72\x9f\x8c\x17\x1f\xc7\xa8\x9b\x53\x40\xb5\x06\x71\x08\xd5\x97\xf1\x78\xaa\x65\x1a\x98\xac\xa4\xd0\x12\xfa\x55\x5a\x69\x56\x83\xb5\x27\xe6\x03\x1f\x1f\x7f\x20\x49\x4b\x25\x0e\x3a\x6c\xd8\xb4\xde\x96\x47\xe1\x50\x04\x98\x67\x09\x7c\x47\xcc\x23\x7c\x61\x2c\xef\xe6\x98\x33\x2f\x1f\xe7\xf0\x2e\x6f\x53\xe8\x45\xb1\xf5\xe7\xb4\xb2\x4a\xd8\x62\x9b\x78\xce\x76\x30\xe2\xd4\x01\x20\xfb\xc3\xf4\x93\x75\xa4\xa0\x86\xde\xdd\x2a\x27\xf0\x6b\x3e\xd3\xd7\x56\xa8\x19\xb9\x7f\x75\x9a\xa5\x4a\xef\x83\xdf\x48\x68\xa9\xe9", 185); *(uint8_t*)0x20003111 = 9; *(uint8_t*)0x20003112 = 5; *(uint8_t*)0x20003113 = 3; *(uint8_t*)0x20003114 = 0x12; *(uint16_t*)0x20003115 = 0x3ff; *(uint8_t*)0x20003117 = 0; *(uint8_t*)0x20003118 = 1; *(uint8_t*)0x20003119 = -1; *(uint8_t*)0x2000311a = 0xad; *(uint8_t*)0x2000311b = 0x31; memcpy((void*)0x2000311c, "\x0c\x92\x1d\x3f\x98\x0f\x4e\x53\x14\x7a\x46\xbd\x58\x56\xda\x03\x08\x16\x60\xfb\xed\x7b\x8b\x2d\x38\x9b\xe8\xa0\x38\xe9\x5c\x29\x58\xa4\x77\xed\x5f\xaf\x9e\xf3\x8c\x82\xc3\xab\xea\x25\x44\x59\xed\xb0\xf2\xcf\x28\x62\x35\x03\x40\x87\xad\xb7\x90\x7f\xf1\x92\x64\x0b\x93\x68\x86\xbd\x48\xd3\xa5\x12\x15\x40\x6b\x3a\xa0\xb6\xd8\xf8\xd9\x1d\x83\x0f\x52\x36\xa9\xa8\xbe\x03\xc2\x21\x5f\x01\x21\x31\x96\x8c\x6a\x80\x86\x0a\xe8\x11\x93\x05\x94\x68\x10\x8e\xfd\x4f\x13\x05\x37\x9d\x01\x15\xc7\xec\x66\x7b\x03\x59\x94\x0e\x56\x64\xbf\x7b\x3c\x4a\x5f\x04\xca\x3c\x51\xdb\x9d\x2c\xd4\x17\xe9\x09\x9b\xff\x62\x8b\x8e\x1a\x8e\xd0\xf5\x96\x14\x93\x57\xa0\x8a\xbd\x11\x77\xeb\x97\x73\x53\xeb\x89\x32", 171); *(uint8_t*)0x200031c7 = 0x93; *(uint8_t*)0x200031c8 = 0x11; memcpy((void*)0x200031c9, 
"\xa8\xe2\x2d\x54\x2a\xe3\xd8\x31\xf3\x37\x21\x1b\xb5\xbe\x12\xa5\xc4\x6e\x5c\xf9\xb5\x56\xd8\x4d\x5a\xf4\xca\xca\x87\x42\xad\x21\x61\x40\x56\x2b\x7e\x54\x21\xe2\x64\x24\x71\xe8\xf5\x0e\xb8\xae\xf0\x62\x12\xb4\x6c\x64\x4a\xe5\x84\x63\xe1\x8b\x3e\x72\xbd\x3e\xca\x60\x60\xfa\x8b\x94\x03\x17\x96\xe5\x5e\xb4\x1d\x3f\x31\x8a\xff\xbf\x08\x1e\xeb\x17\x08\x85\x1e\x72\xfa\xdd\x88\x7e\x03\x30\x13\x43\x19\xf0\xa5\x96\x7e\xda\x65\x7b\xc1\x10\x1f\x74\xde\xba\x42\xe7\x8a\xff\x20\xfb\x5d\x3c\x1f\xe4\x9d\x9a\x05\x46\x57\xb6\xf1\xaf\x3d\x01\x5f\xc1\x6f\xf8\x08\x73\xf3\x26\x69\x08\x43\xdf\x81", 145); *(uint8_t*)0x2000325a = 9; *(uint8_t*)0x2000325b = 5; *(uint8_t*)0x2000325c = 0xf; *(uint8_t*)0x2000325d = 4; *(uint16_t*)0x2000325e = 0x200; *(uint8_t*)0x20003260 = 0; *(uint8_t*)0x20003261 = 0x1f; *(uint8_t*)0x20003262 = 1; *(uint8_t*)0x20003263 = 0x11; *(uint8_t*)0x20003264 = 6; memcpy((void*)0x20003265, "\x82\x4b\x7d\x09\x57\xbc\x55\x2d\x22\x4f\xdf\x6b\xff\x63\xa8", 15); *(uint8_t*)0x20003274 = 7; *(uint8_t*)0x20003275 = 0x25; *(uint8_t*)0x20003276 = 1; *(uint8_t*)0x20003277 = 0x80; *(uint8_t*)0x20003278 = 0xfd; *(uint16_t*)0x20003279 = 6; *(uint8_t*)0x2000327b = 9; *(uint8_t*)0x2000327c = 5; *(uint8_t*)0x2000327d = 0; *(uint8_t*)0x2000327e = 0; *(uint16_t*)0x2000327f = 0x20; *(uint8_t*)0x20003281 = 0x1f; *(uint8_t*)0x20003282 = 0xfd; *(uint8_t*)0x20003283 = 3; *(uint32_t*)0x20003400 = 0xa; *(uint32_t*)0x20003404 = 0x200032c0; *(uint8_t*)0x200032c0 = 0xa; *(uint8_t*)0x200032c1 = 6; *(uint16_t*)0x200032c2 = 0x110; *(uint8_t*)0x200032c4 = 0x4d; *(uint8_t*)0x200032c5 = 0x80; *(uint8_t*)0x200032c6 = 0x80; *(uint8_t*)0x200032c7 = 0x20; *(uint8_t*)0x200032c8 = 0xc1; *(uint8_t*)0x200032c9 = 0; *(uint32_t*)0x20003408 = 0x46; *(uint32_t*)0x2000340c = 0x20003300; *(uint8_t*)0x20003300 = 5; *(uint8_t*)0x20003301 = 0xf; *(uint16_t*)0x20003302 = 0x46; *(uint8_t*)0x20003304 = 5; *(uint8_t*)0x20003305 = 0xb; *(uint8_t*)0x20003306 = 0x10; *(uint8_t*)0x20003307 = 1; *(uint8_t*)0x20003308 = 0xc; 
*(uint16_t*)0x20003309 = 0x35; *(uint8_t*)0x2000330b = 0; *(uint8_t*)0x2000330c = 0xdf; *(uint16_t*)0x2000330d = 9; *(uint8_t*)0x2000330f = 0xf7; *(uint8_t*)0x20003310 = 7; *(uint8_t*)0x20003311 = 0x10; *(uint8_t*)0x20003312 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003313, 0xe, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003314, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003314, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003315, 9, 0, 16); *(uint8_t*)0x20003317 = 0x18; *(uint8_t*)0x20003318 = 0x10; *(uint8_t*)0x20003319 = 0xa; *(uint8_t*)0x2000331a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000331b, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000331b, 0x7fffffe, 5, 27); *(uint16_t*)0x2000331f = 0xff0f; *(uint16_t*)0x20003321 = 0x101; *(uint32_t*)0x20003323 = 0xffc0a0; *(uint32_t*)0x20003327 = 0; *(uint32_t*)0x2000332b = 0xffff0f; *(uint8_t*)0x2000332f = 0x10; *(uint8_t*)0x20003330 = 0x10; *(uint8_t*)0x20003331 = 0xa; *(uint8_t*)0x20003332 = 3; STORE_BY_BITMASK(uint32_t, , 0x20003333, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003333, 0x200, 5, 27); *(uint16_t*)0x20003337 = 0xff00; *(uint16_t*)0x20003339 = 1; *(uint32_t*)0x2000333b = 0; *(uint8_t*)0x2000333f = 7; *(uint8_t*)0x20003340 = 0x10; *(uint8_t*)0x20003341 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003342, 0x16, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003343, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003343, 0xe, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003344, 7, 0, 16); *(uint32_t*)0x20003410 = 2; *(uint32_t*)0x20003414 = 4; *(uint32_t*)0x20003418 = 0x20003380; *(uint8_t*)0x20003380 = 4; *(uint8_t*)0x20003381 = 3; *(uint16_t*)0x20003382 = 0x380a; *(uint32_t*)0x2000341c = 4; *(uint32_t*)0x20003420 = 0x200033c0; *(uint8_t*)0x200033c0 = 4; *(uint8_t*)0x200033c1 = 3; *(uint16_t*)0x200033c2 = 0x42f; res = -1; res = syz_usb_connect(4, 0x384, 0x20002f00, 0x20003400); if (res != -1) r[16] = res; break; case 35: *(uint8_t*)0x20003440 = 0x12; *(uint8_t*)0x20003441 = 1; *(uint16_t*)0x20003442 = 0x200; *(uint8_t*)0x20003444 = -1; 
*(uint8_t*)0x20003445 = -1; *(uint8_t*)0x20003446 = -1; *(uint8_t*)0x20003447 = 0x40; *(uint16_t*)0x20003448 = 0xcf3; *(uint16_t*)0x2000344a = 0x9271; *(uint16_t*)0x2000344c = 0x108; *(uint8_t*)0x2000344e = 1; *(uint8_t*)0x2000344f = 2; *(uint8_t*)0x20003450 = 3; *(uint8_t*)0x20003451 = 1; *(uint8_t*)0x20003452 = 9; *(uint8_t*)0x20003453 = 2; *(uint16_t*)0x20003454 = 0x48; *(uint8_t*)0x20003456 = 1; *(uint8_t*)0x20003457 = 1; *(uint8_t*)0x20003458 = 0; *(uint8_t*)0x20003459 = 0x80; *(uint8_t*)0x2000345a = 0xfa; *(uint8_t*)0x2000345b = 9; *(uint8_t*)0x2000345c = 4; *(uint8_t*)0x2000345d = 0; *(uint8_t*)0x2000345e = 0; *(uint8_t*)0x2000345f = 6; *(uint8_t*)0x20003460 = -1; *(uint8_t*)0x20003461 = 0; *(uint8_t*)0x20003462 = 0; *(uint8_t*)0x20003463 = 0; *(uint8_t*)0x20003464 = 9; *(uint8_t*)0x20003465 = 5; *(uint8_t*)0x20003466 = 1; *(uint8_t*)0x20003467 = 2; *(uint16_t*)0x20003468 = 0x200; *(uint8_t*)0x2000346a = 0; *(uint8_t*)0x2000346b = 0; *(uint8_t*)0x2000346c = 0; *(uint8_t*)0x2000346d = 9; *(uint8_t*)0x2000346e = 5; *(uint8_t*)0x2000346f = 0x82; *(uint8_t*)0x20003470 = 2; *(uint16_t*)0x20003471 = 0x200; *(uint8_t*)0x20003473 = 0; *(uint8_t*)0x20003474 = 0; *(uint8_t*)0x20003475 = 0; *(uint8_t*)0x20003476 = 9; *(uint8_t*)0x20003477 = 5; *(uint8_t*)0x20003478 = 0x83; *(uint8_t*)0x20003479 = 3; *(uint16_t*)0x2000347a = 0x40; *(uint8_t*)0x2000347c = 1; *(uint8_t*)0x2000347d = 0; *(uint8_t*)0x2000347e = 0; *(uint8_t*)0x2000347f = 9; *(uint8_t*)0x20003480 = 5; *(uint8_t*)0x20003481 = 4; *(uint8_t*)0x20003482 = 3; *(uint16_t*)0x20003483 = 0x40; *(uint8_t*)0x20003485 = 1; *(uint8_t*)0x20003486 = 0; *(uint8_t*)0x20003487 = 0; *(uint8_t*)0x20003488 = 9; *(uint8_t*)0x20003489 = 5; *(uint8_t*)0x2000348a = 5; *(uint8_t*)0x2000348b = 2; *(uint16_t*)0x2000348c = 0x200; *(uint8_t*)0x2000348e = 0; *(uint8_t*)0x2000348f = 0; *(uint8_t*)0x20003490 = 0; *(uint8_t*)0x20003491 = 9; *(uint8_t*)0x20003492 = 5; *(uint8_t*)0x20003493 = 6; *(uint8_t*)0x20003494 = 2; 
*(uint16_t*)0x20003495 = 0x200; *(uint8_t*)0x20003497 = 0; *(uint8_t*)0x20003498 = 0; *(uint8_t*)0x20003499 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20003440, 0); break; case 36: *(uint32_t*)0x200036c0 = 0x18; *(uint32_t*)0x200036c4 = 0x200034c0; *(uint8_t*)0x200034c0 = 0x20; *(uint8_t*)0x200034c1 = 8; *(uint32_t*)0x200034c2 = 0xd4; *(uint8_t*)0x200034c6 = 0xd4; *(uint8_t*)0x200034c7 = 0x31; memcpy((void*)0x200034c8, "\xdd\x9f\xe1\xd6\xf8\xee\x76\xd6\x28\x92\x46\xb5\x27\x7c\xc1\x9f\x3c\x46\x21\xad\xd8\x21\xa7\xf3\xd1\xaa\xe9\x94\xdb\xf4\xb1\xbd\x89\xe8\x77\x07\x34\x76\x8a\xde\x97\xe5\x1d\x24\x8f\x53\xcd\x53\x0b\x31\x11\x9a\xac\xcf\x53\xb6\xf6\xed\xdf\x4b\x8b\xfe\x6a\x1a\x85\x9c\x3d\xc2\x86\xf8\x33\x5c\x9d\x15\xe5\xd5\x16\x9b\x24\x41\x55\x39\x10\x62\xff\x88\x5d\x40\xbe\x37\x07\xb6\xd1\xea\x25\x2a\x96\xd9\x7a\xb2\x4f\xb6\x75\xf5\x45\x57\xcf\xa2\x4d\x80\x5b\x07\x95\x70\x8a\xf5\x06\x5d\x4b\x66\x62\xdf\xd5\x4d\xd5\x9c\xfc\xe1\x67\x3a\xb3\x56\xa2\x54\xf6\xb5\xbc\xe4\x4c\x61\x9a\x17\xff\xce\x8e\xbb\x96\xe0\x83\xc0\x82\x45\x00\x62\xbd\x71\xa2\x06\xca\x92\x1e\x0b\x77\xf5\x17\xc1\x61\x95\x86\xb3\xbc\xa3\xe2\x49\x08\x21\x01\x6c\xc7\x6c\xaf\x96\xc0\xec\x90\x68\xb4\x5e\x23\x34\xed\x9a\x6f\xf0\x6a\x63\x43\xae\x01\xf0\xae\xf6\x12\x7e\xba\xf5\xb5\x2d\x69\xe3", 210); *(uint32_t*)0x200036c8 = 0x200035c0; *(uint8_t*)0x200035c0 = 0; *(uint8_t*)0x200035c1 = 3; *(uint32_t*)0x200035c2 = 4; *(uint8_t*)0x200035c6 = 4; *(uint8_t*)0x200035c7 = 3; *(uint16_t*)0x200035c8 = 0x40e; *(uint32_t*)0x200036cc = 0x20003600; *(uint8_t*)0x20003600 = 0; *(uint8_t*)0x20003601 = 0xf; *(uint32_t*)0x20003602 = 0x28; *(uint8_t*)0x20003606 = 5; *(uint8_t*)0x20003607 = 0xf; *(uint16_t*)0x20003608 = 0x28; *(uint8_t*)0x2000360a = 2; *(uint8_t*)0x2000360b = 3; *(uint8_t*)0x2000360c = 0x10; *(uint8_t*)0x2000360d = 0xb; *(uint8_t*)0x2000360e = 0x20; *(uint8_t*)0x2000360f = 0x10; *(uint8_t*)0x20003610 = 0xa; memcpy((void*)0x20003611, 
"\x19\x5f\xa2\xf3\x24\xc0\xbe\x96\xda\x3d\xb2\x6a\xfa\x56\x77\x53\x0a\xc0\xfa\xf4\xc6\x82\xbe\x7c\x15\xe9\xa5\x86\x66", 29); *(uint32_t*)0x200036d0 = 0x20003640; *(uint8_t*)0x20003640 = 0x20; *(uint8_t*)0x20003641 = 0x29; *(uint32_t*)0x20003642 = 0xf; *(uint8_t*)0x20003646 = 0xf; *(uint8_t*)0x20003647 = 0x29; *(uint8_t*)0x20003648 = 9; *(uint16_t*)0x20003649 = 1; *(uint8_t*)0x2000364b = 0; *(uint8_t*)0x2000364c = 9; memcpy((void*)0x2000364d, "\x05\x7c\x41\x7e", 4); memcpy((void*)0x20003651, "\x8d\xa4\x36\xc4", 4); *(uint32_t*)0x200036d4 = 0x20003680; *(uint8_t*)0x20003680 = 0x20; *(uint8_t*)0x20003681 = 0x2a; *(uint32_t*)0x20003682 = 0xc; *(uint8_t*)0x20003686 = 0xc; *(uint8_t*)0x20003687 = 0x2a; *(uint8_t*)0x20003688 = 0x20; *(uint16_t*)0x20003689 = 0x10; *(uint8_t*)0x2000368b = 0x80; *(uint8_t*)0x2000368c = 0x40; *(uint8_t*)0x2000368d = 0x1f; *(uint16_t*)0x2000368e = 0; *(uint16_t*)0x20003690 = 5; *(uint32_t*)0x20003b40 = 0x44; *(uint32_t*)0x20003b44 = 0x20003700; *(uint8_t*)0x20003700 = 0x60; *(uint8_t*)0x20003701 = 8; *(uint32_t*)0x20003702 = 0x54; memcpy((void*)0x20003706, "\x85\xf9\x88\x04\x52\x78\xf9\x75\x32\xa6\x67\xcb\xee\x9b\x82\x1d\x65\x54\xfb\x1c\x6d\x18\xdf\xfb\x78\x51\x96\xd9\x07\x27\xe1\xb4\x61\x5c\x86\xee\x04\x9a\x16\x96\xb1\x66\x8f\x00\x0e\x62\xd5\x39\xe0\x81\xcf\x07\xe3\x60\x17\x1c\xe6\x1c\xa2\xf9\x56\x44\xb9\xad\x8e\x92\x11\xa1\xb1\x9c\x43\x99\xbd\xfd\x6d\x53\x3b\xf8\x95\x52\x42\x72\x5b\xb4", 84); *(uint32_t*)0x20003b48 = 0x20003780; *(uint8_t*)0x20003780 = 0; *(uint8_t*)0x20003781 = 0xa; *(uint32_t*)0x20003782 = 1; *(uint8_t*)0x20003786 = 1; *(uint32_t*)0x20003b4c = 0x200037c0; *(uint8_t*)0x200037c0 = 0; *(uint8_t*)0x200037c1 = 8; *(uint32_t*)0x200037c2 = 1; *(uint8_t*)0x200037c6 = 0x81; *(uint32_t*)0x20003b50 = 0x20003800; *(uint8_t*)0x20003800 = 0x20; *(uint8_t*)0x20003801 = 0; *(uint32_t*)0x20003802 = 4; *(uint16_t*)0x20003806 = 2; *(uint16_t*)0x20003808 = 0; *(uint32_t*)0x20003b54 = 0x20003840; *(uint8_t*)0x20003840 = 0x20; 
*(uint8_t*)0x20003841 = 0; *(uint32_t*)0x20003842 = 8; *(uint16_t*)0x20003846 = 0x200; *(uint16_t*)0x20003848 = 0x40; *(uint32_t*)0x2000384a = 0xff; *(uint32_t*)0x20003b58 = 0x20003880; *(uint8_t*)0x20003880 = 0x40; *(uint8_t*)0x20003881 = 7; *(uint32_t*)0x20003882 = 2; *(uint16_t*)0x20003886 = 1; *(uint32_t*)0x20003b5c = 0x200038c0; *(uint8_t*)0x200038c0 = 0x40; *(uint8_t*)0x200038c1 = 9; *(uint32_t*)0x200038c2 = 1; *(uint8_t*)0x200038c6 = 0x81; *(uint32_t*)0x20003b60 = 0x20003900; *(uint8_t*)0x20003900 = 0x40; *(uint8_t*)0x20003901 = 0xb; *(uint32_t*)0x20003902 = 2; memcpy((void*)0x20003906, "\x8e\xaf", 2); *(uint32_t*)0x20003b64 = 0x20003940; *(uint8_t*)0x20003940 = 0x40; *(uint8_t*)0x20003941 = 0xf; *(uint32_t*)0x20003942 = 2; *(uint16_t*)0x20003946 = 9; *(uint32_t*)0x20003b68 = 0x20003980; *(uint8_t*)0x20003980 = 0x40; *(uint8_t*)0x20003981 = 0x13; *(uint32_t*)0x20003982 = 6; *(uint8_t*)0x20003986 = 0xaa; *(uint8_t*)0x20003987 = 0xaa; *(uint8_t*)0x20003988 = 0xaa; *(uint8_t*)0x20003989 = 0xaa; *(uint8_t*)0x2000398a = 0xaa; *(uint8_t*)0x2000398b = 0x38; *(uint32_t*)0x20003b6c = 0x200039c0; *(uint8_t*)0x200039c0 = 0x40; *(uint8_t*)0x200039c1 = 0x17; *(uint32_t*)0x200039c2 = 6; *(uint8_t*)0x200039c6 = -1; *(uint8_t*)0x200039c7 = -1; *(uint8_t*)0x200039c8 = -1; *(uint8_t*)0x200039c9 = -1; *(uint8_t*)0x200039ca = -1; *(uint8_t*)0x200039cb = -1; *(uint32_t*)0x20003b70 = 0x20003a00; *(uint8_t*)0x20003a00 = 0x40; *(uint8_t*)0x20003a01 = 0x19; *(uint32_t*)0x20003a02 = 2; memcpy((void*)0x20003a06, "{k", 2); *(uint32_t*)0x20003b74 = 0x20003a40; *(uint8_t*)0x20003a40 = 0x40; *(uint8_t*)0x20003a41 = 0x1a; *(uint32_t*)0x20003a42 = 2; *(uint16_t*)0x20003a46 = 0x40; *(uint32_t*)0x20003b78 = 0x20003a80; *(uint8_t*)0x20003a80 = 0x40; *(uint8_t*)0x20003a81 = 0x1c; *(uint32_t*)0x20003a82 = 1; *(uint8_t*)0x20003a86 = 0; *(uint32_t*)0x20003b7c = 0x20003ac0; *(uint8_t*)0x20003ac0 = 0x40; *(uint8_t*)0x20003ac1 = 0x1e; *(uint32_t*)0x20003ac2 = 1; *(uint8_t*)0x20003ac6 = 0xfe; 
*(uint32_t*)0x20003b80 = 0x20003b00; *(uint8_t*)0x20003b00 = 0x40; *(uint8_t*)0x20003b01 = 0x21; *(uint32_t*)0x20003b02 = 1; *(uint8_t*)0x20003b06 = 0xfa; syz_usb_control_io(r[16], 0x200036c0, 0x20003b40); break; case 37: *(uint8_t*)0x20003bc0 = 0x12; *(uint8_t*)0x20003bc1 = 1; *(uint16_t*)0x20003bc2 = 0x201; *(uint8_t*)0x20003bc4 = 0; *(uint8_t*)0x20003bc5 = 0; *(uint8_t*)0x20003bc6 = 0; *(uint8_t*)0x20003bc7 = 0x10; *(uint16_t*)0x20003bc8 = 0x46d; *(uint16_t*)0x20003bca = 0xc22d; *(uint16_t*)0x20003bcc = 0x40; *(uint8_t*)0x20003bce = 1; *(uint8_t*)0x20003bcf = 2; *(uint8_t*)0x20003bd0 = 3; *(uint8_t*)0x20003bd1 = 1; *(uint8_t*)0x20003bd2 = 9; *(uint8_t*)0x20003bd3 = 2; *(uint16_t*)0x20003bd4 = 0x2d; *(uint8_t*)0x20003bd6 = 1; *(uint8_t*)0x20003bd7 = 1; *(uint8_t*)0x20003bd8 = 0; *(uint8_t*)0x20003bd9 = 0x10; *(uint8_t*)0x20003bda = 2; *(uint8_t*)0x20003bdb = 9; *(uint8_t*)0x20003bdc = 4; *(uint8_t*)0x20003bdd = 0; *(uint8_t*)0x20003bde = 0x2f; *(uint8_t*)0x20003bdf = 2; *(uint8_t*)0x20003be0 = 3; *(uint8_t*)0x20003be1 = 1; *(uint8_t*)0x20003be2 = 1; *(uint8_t*)0x20003be3 = 0xfd; *(uint8_t*)0x20003be4 = 9; *(uint8_t*)0x20003be5 = 0x21; *(uint16_t*)0x20003be6 = 9; *(uint8_t*)0x20003be8 = 1; *(uint8_t*)0x20003be9 = 1; *(uint8_t*)0x20003bea = 0x22; *(uint16_t*)0x20003beb = 0x2ff; *(uint8_t*)0x20003bed = 9; *(uint8_t*)0x20003bee = 5; *(uint8_t*)0x20003bef = 0x81; *(uint8_t*)0x20003bf0 = 3; *(uint16_t*)0x20003bf1 = 0x10; *(uint8_t*)0x20003bf3 = 6; *(uint8_t*)0x20003bf4 = -1; *(uint8_t*)0x20003bf5 = 4; *(uint8_t*)0x20003bf6 = 9; *(uint8_t*)0x20003bf7 = 5; *(uint8_t*)0x20003bf8 = 2; *(uint8_t*)0x20003bf9 = 3; *(uint16_t*)0x20003bfa = 8; *(uint8_t*)0x20003bfc = 4; *(uint8_t*)0x20003bfd = 6; *(uint8_t*)0x20003bfe = 0x7f; *(uint32_t*)0x20003cc0 = 0xa; *(uint32_t*)0x20003cc4 = 0x20003c00; *(uint8_t*)0x20003c00 = 0xa; *(uint8_t*)0x20003c01 = 6; *(uint16_t*)0x20003c02 = 0x300; *(uint8_t*)0x20003c04 = 3; *(uint8_t*)0x20003c05 = 2; *(uint8_t*)0x20003c06 = 0xfa; 
*(uint8_t*)0x20003c07 = 8; *(uint8_t*)0x20003c08 = 0x74; *(uint8_t*)0x20003c09 = 0; *(uint32_t*)0x20003cc8 = 0x28; *(uint32_t*)0x20003ccc = 0x20003c40; *(uint8_t*)0x20003c40 = 5; *(uint8_t*)0x20003c41 = 0xf; *(uint16_t*)0x20003c42 = 0x28; *(uint8_t*)0x20003c44 = 2; *(uint8_t*)0x20003c45 = 3; *(uint8_t*)0x20003c46 = 0x10; *(uint8_t*)0x20003c47 = 0xb; *(uint8_t*)0x20003c48 = 0x20; *(uint8_t*)0x20003c49 = 0x10; *(uint8_t*)0x20003c4a = 0xa; *(uint8_t*)0x20003c4b = 3; STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 8, 5, 27); *(uint16_t*)0x20003c50 = 0xf00; *(uint16_t*)0x20003c52 = 0xf831; *(uint32_t*)0x20003c54 = 0xc0; *(uint32_t*)0x20003c58 = 0xc0a0; *(uint32_t*)0x20003c5c = 0xff000f; *(uint32_t*)0x20003c60 = 7; *(uint32_t*)0x20003c64 = 0xc0f0; *(uint32_t*)0x20003cd0 = 1; *(uint32_t*)0x20003cd4 = 4; *(uint32_t*)0x20003cd8 = 0x20003c80; *(uint8_t*)0x20003c80 = 4; *(uint8_t*)0x20003c81 = 3; *(uint16_t*)0x20003c82 = 0x436; res = -1; res = syz_usb_connect(4, 0x3f, 0x20003bc0, 0x20003cc0); if (res != -1) r[17] = res; break; case 38: syz_usb_disconnect(r[17]); break; case 39: syz_usb_ep_read(-1, 0x80, 0xc4, 0x20003d00); break; case 40: memcpy((void*)0x20003e00, "\x50\x74\xfa\x81\xf3\xf3\x73\xda\x27\x99\xca\xfb\x26\xb4\x49\x7c\xb3\xc8\x7b\xc0\xf8\x2f\xa7\x88\x54\x68\xbd\x41\x23\x20\x65\xaa\x95\x61\xd2\x4a\xe0\xf1\xd0\xe0\x36\xac\x71\x4a\xc5\xaf\x89\xc6\x9d\x88\x61\xca\xd7\x13\xfc\xb8\xba\xcb\x8c\x4b\x10\xdc\x3b\x6e\xc2\x04\x4c\x01\xf3\x71\xb1\x24\xc0\xa0\xf4\xba\xce\x7d\x51\x79\x87\x2c\xdd\x20\x5e\x09\xc3\xee\xb7\xd5\x57\x7b\x26\xe9\x8f\x84\x55\x4e\xd6", 99); syz_usb_ep_write(r[16], 0x7f, 0x63, 0x20003e00); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :250:33: error: ‘__NR_io_uring_setup’ 
undeclared (first use in this function) :250:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor702840787 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/1 (0.23s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$zero(0xffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x161000, 0x0) ioctl$SNAPSHOT_FREE(r0, 0x3305) syz_genetlink_get_family_id$l2tp(&(0x7f0000000040)='l2tp\x00') openat$dlm_control(0xffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x20000, 0x0) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f00000000c0)=0x17, 0x4) r1 = mmap$IORING_OFF_SQES(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x2000000, 0x1010, r0, 0x10000000) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, r1, &(0x7f00000003c0)=@IORING_OP_RECVMSG={0xa, 0x4, 0x0, r2, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=@x25={0x9, @remote}, 0x80, &(0x7f0000000240)=[{&(0x7f0000000180)=""/147, 0x93}], 0x1, &(0x7f0000000280)=""/202, 0xca}, 0x0, 0x0, 0x1, {0x3, r3}}, 0x10001) ioctl$KDSKBMETA(0xffffffffffffffff, 0x4b63, &(0x7f0000000440)=0x4) syz_emit_ethernet(0x56, &(0x7f0000000000)={@local, @remote, @void, {@canfd={0xd, {{0x3, 0x0, 0x1, 0x1}, 0x11, 0x2, 0x0, 0x0, "f4ebe40216fede5ef6c5310f0413c5d41b32fc23e07fd332a8a5c5f966821da091f47b7b9cf9228727ff7412c2e4a3a1573bb295482d7b4a3effd863cc60f5d8"}}}}, 
&(0x7f0000000080)={0x0, 0x4, [0xd2d, 0xc61, 0x6d3, 0xbe2]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x1, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x7f, 0x2}}}}, 0xf) syz_execute_func(&(0x7f0000000100)="c4c2cd45f18fe800edb85c2f009ee96436360f2811c4c3c90b6b0787c4c2f1a603f30fa6d0f36f650ffa0ec4c21d2f9f5aac384f3e65f3ab") syz_extract_tcp_res(&(0x7f0000000140), 0x2c, 0x9f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000180)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x3, 0xcc) r4 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3000001, 0x80000, 0xffffffffffffffff, 0x0) r5 = syz_io_uring_complete(r4) r6 = io_uring_setup(0x3a3b, &(0x7f00000001c0)={0x0, 0xd9fd, 0x20, 0x0, 0x308, 0x0, 0xffffffffffffffff}) r8 = syz_io_uring_setup(0x17a8, &(0x7f0000000240)={0x0, 0xb18d, 0x15b3e67cab3a8d6e, 0x2, 0x158, 0x0, r7}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f00000002c0), &(0x7f0000000300)) syz_io_uring_setup(0x6b11, &(0x7f0000000340)={0x0, 0x15f8, 0x20, 0x2, 0xd2}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f00000003c0)=0x0, &(0x7f0000000400)=0x0) r11 = socket$bt_rfcomm(0x1f, 0x3, 0x3) r12 = io_uring_register$IORING_REGISTER_PERSONALITY(r5, 0x9, 0x0, 0x0) syz_io_uring_submit(r4, r10, &(0x7f0000001700)=@IORING_OP_RECVMSG={0xa, 0x2, 0x0, r11, 0x0, &(0x7f00000016c0)={&(0x7f0000000440)=@nl=@proc, 0x80, &(0x7f00000015c0)=[{&(0x7f00000004c0)=""/44, 0x2c}, {&(0x7f0000000500)=""/4096, 0x1000}, {&(0x7f0000001500)=""/40, 0x28}, {&(0x7f0000001540)=""/74, 0x4a}], 0x4, &(0x7f0000001600)=""/185, 0xb9}, 0x0, 0x2000, 0x1, {0x3, r12}}, 0xad23946) r13 = fsmount(r5, 0x1, 0x84) ioctl$F2FS_IOC_MOVE_RANGE(r8, 0xc01cf509, &(0x7f0000001740)={r6, 0x3, 0x6, 0x1000}) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000017c0)=[{0x0, &(0x7f0000001780)="e7bed238547695a78957b574bacb6dbc567a3232e76559b4ea3931b608578a24da4c749795975b0ae51da8a86dde75b1d684", 0x32}], 0x1, 
0x0, &(0x7f0000001800), 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r9, 0x114, &(0x7f0000001840), 0x0, 0x4) syz_mount_image$afs(&(0x7f0000001880)='afs\x00', &(0x7f00000018c0)='./file0\x00', 0x5, 0x1, &(0x7f0000002900)=[{&(0x7f0000001900)="", 0x1000, 0x9}], 0x20005, &(0x7f0000002940)={[{@flock_openafs='flock=openafs'}, {@dyn='dyn'}, {@autocell='autocell'}, {@dyn='dyn'}, {@flock_openafs='flock=openafs'}, {@source={'source', 0x3d, '&'}}, {@source={'source', 0x3d, 'SEG6\x00'}}], [{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@subj_user={'subj_user', 0x3d, 'SEG6\x00'}}, {@smackfstransmute={'smackfstransmute', 0x3d, ':'}}, {@seclabel='seclabel'}]}) syz_open_dev$I2C(&(0x7f0000002a00)='/dev/i2c-#\x00', 0xad8, 0x2a2000) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000002a40)=0x0) syz_open_procfs(r15, &(0x7f0000002a80)='net\x00') syz_open_pts(r13, 0x0) syz_read_part_table(0x1, 0x7, &(0x7f0000002e80)=[{&(0x7f0000002ac0)="7ad3cd802dd0c424945d99ca9ca6e4fbb8f8e3b980d2ec", 0x17, 0x1000}, {&(0x7f0000002b00)="329de80b2b17bbd25d1f1907a9263af3bf05c4a7061e28492a3f71c6343aa5aaea0327a3", 0x24, 0x5}, {&(0x7f0000002b40)="82791dfd311d07db7d65e803ce6ca00028af8ff8d276187e0e14bbf7beab60fc4b70722e91b6322b8e3472191a66176bb0ca91dee60f1506a6d48be4055230c30be94a1043a1d2a06d42166069d8033d6c524c8610b8c4bb63af0ce6d6207137f1be1b62b002e8c35e6467c2423cc6597d1ca58ee31589f0248ac762e24a286a41a761912d34bb56f07db88ca52fce8d128762394fa00faac8451a42c3144bdec7e97296c9eac7c9f63110a3d405c16b0428880024e8c9c8af490b8cfad84cbb637878d634cd84346b60c9132c09660cdc616a0b", 0xd4, 0x7fff}, {&(0x7f0000002c40)="904bbcee2b46daa1ac643b7b6b8ea0ff462feabee541b411a885e470a496cbbdc729ffdebc50807f719cbe808d8b598b4767c7a852d9ce0c880a9b078b0187deac926bd4687a44f092bb", 0x4a, 0x5}, 
{&(0x7f0000002cc0)="3531ae257e7e0877cde340c42edbfc91dcffaff1284ef08a451e4c76e0cd83b2c0ea10d86bcefa93bbaef5fffbfe7dc70b73b89c55fc3851110d1bd0d1da31753320b111fe7060537e8f65f3c2f05adcb3d66bd2abe6b08aaae0d0eedca9937707ec4cb4874cdfd05800812ab53f9550b25a28ee69e62a0f790fe5233fc8645fc3fe6cae055f2aa1729125170151e86eeab67bb20bc884a1214c2d3d969c34fb239b45feec93ac209721bae7271251c613cea9379c1521", 0xb7, 0x4}, {&(0x7f0000002d80)="c3f04f26929b7a4d6342841fa53a9a8cb8006a97f428", 0x16, 0x6}, {&(0x7f0000002dc0)="c9871275e3269ff1bdcd67fb523e1ceb5151b0ede9e032634e36d486046bc31cd978bda59247355316319e768e7ac6be0648bf0fecd13cdad45f713e0e3b74e95eec77063c02a233ea97d338f4b1e9bc5a7cce85528742632ed59cec016f3914dd02ca6b1dc833224895277350cf1f21d6c78f8592717e91233f9026927e0cc3d80cdc57714763a0fcb091f5c69051b55cd2e1fcc33b13d597c5caeeb271c542978a1e17", 0xa4, 0x9c}]) r16 = syz_usb_connect(0x4, 0x384, &(0x7f0000002f00)={{0x12, 0x1, 0x201, 0xa4, 0x61, 0x1e, 0x40, 0xacd, 0x300, 0xc0df, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x372, 0x2, 0x4, 0x1f, 0x0, 0x1, [{{0x9, 0x4, 0x5d, 0xb3, 0x1, 0xad, 0x49, 0x76, 0x20, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x80}]}], [{{0x9, 0x5, 0xd, 0x0, 0x230, 0x5d, 0x1, 0x3f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x2}, @generic={0xba, 0xe, "f4e6e5762883c34df04f356099f1d34bdbc9f5324da648053fd690211b897119c4f3ac197f2aa93f2f3be05f836b1644d5b2327648b30816ed192f943dfce225f69d77c51565e177fd889c9c9d8c85b92ee4bead0e889446bbc320a40fa24807f476bfd1f1b3096e3370f755c94aa01c3be4ddc7952a5694bcad4beb4065bf5ea96066c43e9507e6220c47bc0271adcbaffce6ac90cb3c8b1cf748c6bbf97108dfa2cac4b87d3420428434397e07f17a87ed6233b39e32f0"}]}}]}}, {{0x9, 0x4, 0x5d, 0x27, 0x7, 0x3f, 0x84, 0xfd, 0x3, [@uac_as={[@format_type_i_discrete={0x10, 0x24, 0x2, 0x1, 0xe2, 0x2, 0x63, 0x40, "e721cc44acca8938"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x1, 0x0, "9ef42f"}, @as_header={0x7, 0x24, 0x1, 0x4, 0x1, 0x4}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x19, 0x6, "9e", "6983"}]}, 
@uac_as], [{{0x9, 0x5, 0xf, 0x0, 0x3ff, 0xf6, 0x5, 0x80}}, {{0x9, 0x5, 0x1, 0x10, 0x10, 0x0, 0x40, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x20, 0x6}]}}, {{0x9, 0x5, 0xb, 0x8, 0x10, 0x1, 0x2}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x4, 0x8, 0xc0, [@generic={0xbb, 0x31, "215ce6ab8f3c72caa3ab1326f18838908ac60bffb3b50748144aa2cbc4d7cac56f4a7bb2bd6c969674a5e4040861bb21ba5ccf0f822c1032e7e3729f8c171fc7a89b5340b5067108d597f178aa651a98aca4d012fa555a695683b527e6031f1f7f20494b250e3a6cd8b4de9647e150049867097c47cc237c612cefe698332f1fe7f02e6f53e845b1f5e7b4b24ad8629b78ce7630e2d40120fbc3f49375a4a086dedd2a27f06b3ed3d756a819b97f759aa54aef83df4868a9e9"}]}}, {{0x9, 0x5, 0x3, 0x12, 0x3ff, 0x0, 0x1, 0xff, [@generic={0xad, 0x31, "0c921d3f980f4e53147a46bd5856da03081660fbed7b8b2d389be8a038e95c2958a477ed5faf9ef38c82c3abea254459edb0f2cf286235034087adb7907ff192640b936886bd48d3a51215406b3aa0b6d8f8d91d830f5236a9a8be03c2215f012131968c6a80860ae81193059468108efd4f1305379d0115c7ec667b0359940e5664bf7b3c4a5f04ca3c51db9d2cd417e9099bff628b8e1a8ed0f596149357a08abd1177eb977353eb8932"}, @generic={0x93, 0x11, "a8e22d542ae3d831f337211bb5be12a5c46e5cf9b556d84d5af4caca8742ad216140562b7e5421e2642471e8f50eb8aef06212b46c644ae58463e18b3e72bd3eca6060fa8b94031796e55eb41d3f318affbf081eeb1708851e72fadd887e0330134319f0a5967eda657bc1101f74deba42e78aff20fb5d3c1fe49d9a054657b6f1af3d015fc16ff80873f326690843df81"}]}}, {{0x9, 0x5, 0xf, 0x4, 0x200, 0x0, 0x1f, 0x1, [@generic={0x11, 0x6, "824b7d0957bc552d224fdf6bff63a8"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x6}]}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x1f, 0xfd, 0x3}}]}}]}}]}}, &(0x7f0000003400)={0xa, &(0x7f00000032c0)={0xa, 0x6, 0x110, 0x4d, 0x80, 0x80, 0x20, 0xc1}, 0x46, &(0x7f0000003300)={0x5, 0xf, 0x46, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x35, 0x0, 0xdf, 0x9, 0xf7}, @ext_cap={0x7, 0x10, 0x2, 0xe, 0xb, 0x6, 0x9}, @ssp_cap={0x18, 0x10, 0xa, 0x1, 0x3, 0x7fffffe, 0xff0f, 0x101, [0xffc0a0, 0x0, 0xffff0f]}, @ssp_cap={0x10, 0x10, 0xa, 0x3, 0x1, 0x200, 0xff00, 0x1, [0x0]}, @ext_cap={0x7, 
0x10, 0x2, 0x16, 0x8, 0xe, 0x7}]}, 0x2, [{0x4, &(0x7f0000003380)=@lang_id={0x4, 0x3, 0x380a}}, {0x4, &(0x7f00000033c0)=@lang_id={0x4, 0x3, 0x42f}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000003440)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r16, &(0x7f00000036c0)={0x18, &(0x7f00000034c0)={0x20, 0x8, 0xd4, {0xd4, 0x31, "dd9fe1d6f8ee76d6289246b5277cc19f3c4621add821a7f3d1aae994dbf4b1bd89e8770734768ade97e51d248f53cd530b31119aaccf53b6f6eddf4b8bfe6a1a859c3dc286f8335c9d15e5d5169b244155391062ff885d40be3707b6d1ea252a96d97ab24fb675f54557cfa24d805b0795708af5065d4b6662dfd54dd59cfce1673ab356a254f6b5bce44c619a17ffce8ebb96e083c082450062bd71a206ca921e0b77f517c1619586b3bca3e2490821016cc76caf96c0ec9068b45e2334ed9a6ff06a6343ae01f0aef6127ebaf5b52d69e3"}}, &(0x7f00000035c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40e}}, &(0x7f0000003600)={0x0, 0xf, 0x28, {0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @generic={0x20, 0x10, 0xa, "195fa2f324c0be96da3db26afa5677530ac0faf4c682be7c15e9a58666"}]}}, &(0x7f0000003640)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x1, 0x0, 0x9, "057c417e", "8da436c4"}}, &(0x7f0000003680)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x20, 0x10, 0x80, 0x40, 0x1f, 0x0, 0x5}}}, &(0x7f0000003b40)={0x44, &(0x7f0000003700)={0x60, 0x8, 0x54, "85f988045278f97532a667cbee9b821d6554fb1c6d18dffb785196d90727e1b4615c86ee049a1696b1668f000e62d539e081cf07e360171ce61ca2f95644b9ad8e9211a1b19c4399bdfd6d533bf8955242725bb4"}, &(0x7f0000003780)={0x0, 0xa, 0x1, 0x1}, &(0x7f00000037c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000003800)={0x20, 0x0, 0x4, {0x2}}, &(0x7f0000003840)={0x20, 0x0, 0x8, {0x200, 0x40, [0xff]}}, &(0x7f0000003880)={0x40, 0x7, 0x2, 0x1}, &(0x7f00000038c0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000003900)={0x40, 0xb, 0x2, "8eaf"}, &(0x7f0000003940)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000003980)={0x40, 0x13, 0x6, @dev={[], 0x38}}, &(0x7f00000039c0)={0x40, 0x17, 0x6, @broadcast}, &(0x7f0000003a00)={0x40, 0x19, 0x2, '{k'}, 
&(0x7f0000003a40)={0x40, 0x1a, 0x2, 0x40}, &(0x7f0000003a80)={0x40, 0x1c, 0x1}, &(0x7f0000003ac0)={0x40, 0x1e, 0x1, 0xfe}, &(0x7f0000003b00)={0x40, 0x21, 0x1, 0xfa}}) r17 = syz_usb_connect$hid(0x4, 0x3f, &(0x7f0000003bc0)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x46d, 0xc22d, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x10, 0x2, [{{0x9, 0x4, 0x0, 0x2f, 0x2, 0x3, 0x1, 0x1, 0xfd, {0x9, 0x21, 0x9, 0x1, 0x1, {0x22, 0x2ff}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0x6, 0xff, 0x4}}, [{{0x9, 0x5, 0x2, 0x3, 0x8, 0x4, 0x6, 0x7f}}]}}}]}}]}}, &(0x7f0000003cc0)={0xa, &(0x7f0000003c00)={0xa, 0x6, 0x300, 0x3, 0x2, 0xfa, 0x8, 0x74}, 0x28, &(0x7f0000003c40)={0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x3, 0x5, 0x8, 0xf00, 0xf831, [0xc0, 0xc0a0, 0xff000f, 0x7, 0xc0f0]}]}, 0x1, [{0x4, &(0x7f0000003c80)=@lang_id={0x4, 0x3, 0x436}}]}) syz_usb_disconnect(r17) syz_usb_ep_read(0xffffffffffffffff, 0x80, 0xc4, &(0x7f0000003d00)=""/196) syz_usb_ep_write(r16, 0x7f, 0x63, &(0x7f0000003e00)="5074fa81f3f373da2799cafb26b4497cb3c87bc0f82fa7885468bd41232065aa9561d24ae0f1d0e036ac714ac5af89c69d8861cad713fcb8bacb8c4b10dc3b6ec2044c01f371b124c0a0f4bace7d5179872cdd205e09c3eeb7d5577b26e98f84554ed6") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = 
"./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  // Output longer than the buffer is truncated by vsnprintf.
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  // No O_CREAT: the target has to exist already.
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    // Keep the errno of the failed write across close().
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Fixed descriptor number under which sandbox_common() parks a handle to the
// network namespace it started in; syz_init_net_socket() passes it to setns().
const int kInitNetNsFd = 239;

// Sizes of one submission / completion queue entry in bytes.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
// Hard-coded byte offsets into the mmap'ed ring region. NOTE(review): these are
// used instead of the offsets the kernel returns in io_uring_params, so they
// presumably mirror the ring layout of the kernels under test -- confirm.
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

// Local copy of the completion queue entry layout (16 bytes).
struct io_uring_cqe {
  uint64_t user_data;
  uint32_t res;
  uint32_t flags;
};

// Consume one completion queue entry from the ring mapped at a0.
// Copies the CQE at the current (masked) head, then publishes head + 1 with a
// release store. Returns cqe.res when user_data is 0x12345 or 0x23456 and -1
// otherwise.
// NOTE(review): head is not compared with tail, so a stale entry is consumed
// when the queue is empty; a0 is dereferenced without validation.
static long syz_io_uring_complete(volatile long a0)
{
  char* ring_ptr = (char*)a0;
  uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
  uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
  uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
  uint32_t cq_head_next = *cq_head_ptr + 1;
  char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
  struct io_uring_cqe cqe;
  memcpy(&cqe, cqe_src, sizeof(cqe));
  __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
  return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ?
(long)cqe.res : (long)-1;
}

// Local copies of the structures io_uring_setup() fills in.
struct io_sqring_offsets {
  uint32_t head;
  uint32_t tail;
  uint32_t ring_mask;
  uint32_t ring_entries;
  uint32_t flags;
  uint32_t dropped;
  uint32_t array;
  uint32_t resv1;
  uint64_t resv2;
};

struct io_cqring_offsets {
  uint32_t head;
  uint32_t tail;
  uint32_t ring_mask;
  uint32_t ring_entries;
  uint32_t overflow;
  uint32_t cqes;
  uint64_t resv[2];
};

struct io_uring_params {
  uint32_t sq_entries;
  uint32_t cq_entries;
  uint32_t flags;
  uint32_t sq_thread_cpu;
  uint32_t sq_thread_idle;
  uint32_t features;
  uint32_t resv[4];
  struct io_sqring_offsets sq_off;
  struct io_cqring_offsets cq_off;
};

// mmap offsets selecting the ring region and the SQE array of an io_uring fd.
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

// Create an io_uring instance and map its rings.
// a0: number of entries, a1: struct io_uring_params*, a2/a3: addresses at which
// the ring region and the SQE array get mapped, a4/a5: where the resulting
// mapping pointers are stored. Returns the io_uring descriptor.
// NOTE(review): the syscall result is stored as uint32_t and is not checked
// before setup_params is read to size the mappings.
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
  uint32_t entries = (uint32_t)a0;
  struct io_uring_params* setup_params = (struct io_uring_params*)a1;
  void* vma1 = (void*)a2;
  void* vma2 = (void*)a3;
  void** ring_ptr_out = (void**)a4;
  void** sqes_ptr_out = (void**)a5;
  uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
  uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
  uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
  // One mapping serves both rings, so it is sized for the larger of the two.
  uint32_t ring_sz = sq_ring_sz > cq_ring_sz ?
sq_ring_sz : cq_ring_sz;
  // MAP_FIXED replaces whatever is currently mapped at vma1 / vma2.
  *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
  uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
  *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
  return fd_io_uring;
}

// Queue one submission entry.
// a0: ring mapping, a1: SQE array mapping, a2: pointer to the 64-byte SQE to
// copy in, a3: requested slot index (reduced modulo the ring's entry count when
// that count is non-zero). Always returns 0.
// NOTE(review): all three pointers are dereferenced without validation.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  char* ring_ptr = (char*)a0;
  char* sqes_ptr = (char*)a1;
  char* sqe = (char*)a2;
  uint32_t sqes_index = (uint32_t)a3;
  uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
  uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
  // The SQ index array is located after the CQEs, rounded up to 64 bytes.
  uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
  if (sq_ring_entries)
    sqes_index %= sq_ring_entries;
  char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
  memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
  uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
  uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
  uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
  uint32_t sq_tail_next = *sq_tail_ptr + 1;
  uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
  *(sq_array + sq_tail) = sqes_index;
  // Publish the new tail only after the SQE and the index slot are written.
  __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
  return 0;
}

// memcpy(dest + dest_off, src + src_off, n) with every operand taken from the
// call arguments; returns the destination pointer as a long.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
  char* dest = (char*)a0;
  uint32_t dest_off = (uint32_t)a1;
  char* src = (char*)a2;
  uint32_t src_off = (uint32_t)a3;
  size_t n = (size_t)a4;
  return (long)memcpy(dest + dest_off, src + src_off, n);
}

#define MAX_FDS 30

// Capacity limits of the descriptor index built by parse_usb_descriptor().
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

// One endpoint: a copy of its descriptor plus the handle stored by
// set_interface() when the endpoint is enabled.
struct usb_endpoint_index {
  struct usb_endpoint_descriptor desc;
  int handle;
};

// One interface / alternate setting and the endpoints that follow it.
struct usb_iface_index {
  struct usb_interface_descriptor* iface;
  uint8_t bInterfaceNumber;
  uint8_t
bAlternateSetting;
  uint8_t bInterfaceClass;
  struct usb_endpoint_index eps[USB_MAX_EP_NUM];
  int eps_num;
};

// Parsed view of one emulated device. dev, config and iface point into the
// caller's descriptor buffer (no copy is made), so that buffer must outlive
// the index.
struct usb_device_index {
  struct usb_device_descriptor* dev;
  struct usb_config_descriptor* config;
  uint8_t bDeviceClass;
  uint8_t bMaxPower;
  int config_length;
  struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
  int ifaces_num;
  // Index into ifaces of the active setting, -1 while none is selected.
  int iface_cur;
};

struct usb_info {
  int fd;
  struct usb_device_index index;
};

// Table of emulated devices; slots are handed out by add_usb_index().
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

// Build `index` from a raw blob holding a device descriptor immediately
// followed by a configuration descriptor and its sub-descriptors.
// Returns false when the blob is too short for the two leading descriptors.
// Interfaces beyond USB_MAX_IFACE_NUM and endpoints beyond USB_MAX_EP_NUM per
// interface are ignored.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
  if (length < sizeof(*index->dev) + sizeof(*index->config))
    return false;
  memset(index, 0, sizeof(*index));
  index->dev = (struct usb_device_descriptor*)buffer;
  index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
  index->bDeviceClass = index->dev->bDeviceClass;
  index->bMaxPower = index->config->bMaxPower;
  index->config_length = length - sizeof(*index->dev);
  index->iface_cur = -1;
  size_t offset = 0;
  // Walk the length-prefixed descriptors: byte 0 is the length, byte 1 the type.
  while (true) {
    if (offset + 1 >= length)
      break;
    uint8_t desc_length = buffer[offset];
    uint8_t desc_type = buffer[offset + 1];
    // A length of 2 or less cannot carry a payload and would stall the walk.
    if (desc_length <= 2)
      break;
    if (offset + desc_length > length)
      break;
    if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
      struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
      index->ifaces[index->ifaces_num].iface = iface;
      index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
      index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
      index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
      index->ifaces_num++;
    }
    // Endpoints are attached to the most recently recorded interface.
    if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
      struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
      if (iface->eps_num < USB_MAX_EP_NUM) {
        // NOTE(review): the copy size is sizeof(desc), not desc_length; when a
        // short endpoint descriptor ends the blob this may read past `length`
        // -- confirm whether callers pad the buffer.
        memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
        iface->eps_num++;
      }
    }
    offset +=
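desc_length;
  }
  return true;
}

// Reserve the next slot of usb_devices for fd and parse its descriptors.
// Returns the new index, or NULL when all USB_MAX_FDS slots are used or the
// descriptor blob is rejected. The counter only grows, so slots are never
// reused. The fd is published with a release store after the index is filled.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
  int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
  if (i >= USB_MAX_FDS)
    return NULL;
  if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
    return NULL;
  __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
  return &usb_devices[i].index;
}

// Find the index registered for fd; NULL when there is none.
// NOTE(review): unused slots hold fd 0 from static zero-initialisation, so a
// lookup for fd 0 matches an unused slot -- presumably harmless because a
// gadget descriptor is never 0; confirm.
static struct usb_device_index* lookup_usb_index(int fd)
{
  int i;
  for (i = 0; i < USB_MAX_FDS; i++) {
    if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
      return &usb_devices[i].index;
    }
  }
  return NULL;
}

// Optional descriptors a test program supplies for the connect phase.
struct vusb_connect_string_descriptor {
  uint32_t len;
  char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
  uint32_t qual_len;
  char* qual;
  uint32_t bos_len;
  char* bos;
  uint32_t strs_len;
  struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor ("syz" in UTF-16LE) and language-id descriptor
// (0x0409); the first byte of each is its own length.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// Pick the reply to a device-to-host control request during enumeration.
//
// Only standard GET_DESCRIPTOR requests are answered. On success the function
// returns true and stores the reply in *response_data / *response_length; on
// false the caller stalls endpoint 0.
//
// descs is supplied by the test program and may be NULL. Two defects of the
// earlier version are fixed here:
//  - the BOS and DEVICE_QUALIFIER branches dereferenced descs unconditionally,
//    unlike the STRING branch, so a NULL descs crashed the program;
//  - the synthesized DEVICE_QUALIFIER was written through response_data
//    itself, i.e. over the caller's pointer variable and the stack after it,
//    and *response_data was never set to a real buffer. The descriptor is now
//    built in per-thread static storage and *response_data points at it.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  uint8_t str_idx;
  if (!index)
    return false;
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_GET_DESCRIPTOR:
      // The high byte of wValue selects the descriptor type.
      switch (ctrl->wValue >> 8) {
      case USB_DT_DEVICE:
        *response_data = (char*)index->dev;
        *response_length = sizeof(*index->dev);
        return true;
      case USB_DT_CONFIG:
        *response_data = (char*)index->config;
        *response_length = index->config_length;
        return true;
      case USB_DT_STRING:
        // The low byte of wValue is the string index.
        str_idx = (uint8_t)ctrl->wValue;
        if (descs && str_idx < descs->strs_len) {
          *response_data = descs->strs[str_idx].str;
          *response_length = descs->strs[str_idx].len;
          return true;
        }
        if (str_idx == 0) {
          *response_data = (char*)&default_lang_id[0];
          *response_length = default_lang_id[0];
          return true;
        }
        *response_data = (char*)&default_string[0];
        *response_length = default_string[0];
        return true;
      case USB_DT_BOS:
        // Without caller-supplied descriptors there is no BOS to return.
        if (!descs)
          return false;
        *response_data = descs->bos;
        *response_length = descs->bos_len;
        return true;
      case USB_DT_DEVICE_QUALIFIER:
        if (!descs || !descs->qual) {
          // Derive the qualifier from the device descriptor. The storage must
          // outlive this call because the caller copies from *response_data
          // afterwards; __thread keeps concurrent connects from sharing it.
          static __thread struct usb_qualifier_descriptor qual_storage;
          struct usb_qualifier_descriptor* qual = &qual_storage;
          qual->bLength = sizeof(*qual);
          qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
          qual->bcdUSB = index->dev->bcdUSB;
          qual->bDeviceClass = index->dev->bDeviceClass;
          qual->bDeviceSubClass = index->dev->bDeviceSubClass;
          qual->bDeviceProtocol = index->dev->bDeviceProtocol;
          qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
          qual->bNumConfigurations = index->dev->bNumConfigurations;
          qual->bRESERVED = 0;
          *response_data = (char*)qual;
          *response_length = sizeof(*qual);
          return true;
        }
        *response_data = descs->qual;
        *response_length = descs->qual_len;
        return true;
      default:
        break;
      }
      break;
    default:
      break;
    }
    break;
  default:
    break;
  }
  return false;
}

// Handler type for host-to-device requests during enumeration. It returns
// whether the request is accepted and sets *done once enumeration is complete.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic devices: enumeration ends with the standard SET_CONFIGURATION.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_SET_CONFIGURATION:
      *done = true;
      return true;
    default:
      break;
    }
    break;
  }
  return false;
}

// Vendor request codes handled for the ath9k variant.
#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k variant: SET_CONFIGURATION and firmware download requests are
// accepted, and enumeration only ends at ATH9K_FIRMWARE_DOWNLOAD_COMP.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_SET_CONFIGURATION:
      return true;
    default:
      break;
    }
    break;
  case USB_TYPE_VENDOR:
    switch (ctrl->bRequest) {
    case ATH9K_FIRMWARE_DOWNLOAD:
      return true;
    case ATH9K_FIRMWARE_DOWNLOAD_COMP:
      *done = true;
      return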
true;
    default:
      break;
    }
    break;
  }
  return false;
}

// Test-program-supplied replies for control requests after enumeration.
// `len` in the two container structs is the size in bytes of the whole
// structure including the trailing pointer array.
struct vusb_descriptor {
  uint8_t req_type;
  uint8_t desc_type;
  uint32_t len;
  char data[0];
} __attribute__((packed));

struct vusb_descriptors {
  uint32_t len;
  struct vusb_descriptor* generic;
  struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
  uint8_t type;
  uint8_t req;
  uint32_t len;
  char data[0];
} __attribute__((packed));

struct vusb_responses {
  uint32_t len;
  struct vusb_response* generic;
  struct vusb_response* resps[0];
} __attribute__((packed));

// Select the reply for a control request from the supplied tables.
// GET_DESCRIPTOR requests are matched on (request type, descriptor type) in
// descs; all other requests on (request type, request) in resps. When nothing
// matches, the table's `generic` entry is used if present. Returns false when
// no reply is available. A matching entry with len == 0 yields a NULL
// *response_data.
// NOTE(review): a `len` smaller than the fixed header makes the unsigned
// subtraction wrap and the entry count huge; both tables come straight from
// test-program memory, so this is presumably accepted fuzzer behaviour.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
  int descs_num = 0;
  int resps_num = 0;
  if (descs)
    descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
  if (resps)
    resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
  uint8_t req = ctrl->bRequest;
  uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
  uint8_t desc_type = ctrl->wValue >> 8;
  if (req == USB_REQ_GET_DESCRIPTOR) {
    int i;
    // descs_num stays 0 when descs is NULL, so the loop body is not entered.
    for (i = 0; i < descs_num; i++) {
      struct vusb_descriptor* desc = descs->descs[i];
      if (!desc)
        continue;
      if (desc->req_type == req_type && desc->desc_type == desc_type) {
        *response_length = desc->len;
        if (*response_length != 0)
          *response_data = &desc->data[0];
        else
          *response_data = NULL;
        return true;
      }
    }
    if (descs && descs->generic) {
      *response_data = &descs->generic->data[0];
      *response_length = descs->generic->len;
      return true;
    }
  } else {
    int i;
    for (i = 0; i < resps_num; i++) {
      struct vusb_response* resp = resps->resps[i];
      if (!resp)
        continue;
      if (resp->type == req_type && resp->req == req) {
        *response_length = resp->len;
        if (*response_length != 0)
          *response_data = &resp->data[0];
        else
          *response_data = NULL;
        return true;
      }
    }
    if (resps && resps->generic) {
      *response_data = &resps->generic->data[0];
      *response_length = resps->generic->len;
      return
true;
    }
  }
  return false;
}

// Local copy of the raw-gadget interface: structures and ioctl numbers used on
// the descriptor returned by usb_raw_open().
#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
  __u8 driver_name[UDC_NAME_LENGTH_MAX];
  __u8 device_name[UDC_NAME_LENGTH_MAX];
  __u8 speed;
};

enum usb_raw_event_type {
  USB_RAW_EVENT_INVALID = 0,
  USB_RAW_EVENT_CONNECT = 1,
  USB_RAW_EVENT_CONTROL = 2,
};

// Event header; `length` is the capacity of the trailing data on input.
struct usb_raw_event {
  __u32 type;
  __u32 length;
  __u8 data[0];
};

// Endpoint transfer header followed by `length` bytes of payload.
struct usb_raw_ep_io {
  __u16 ep;
  __u16 flags;
  __u32 length;
  __u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
  __u32 type_control : 1;
  __u32 type_iso : 1;
  __u32 type_bulk : 1;
  __u32 type_int : 1;
  __u32 dir_in : 1;
  __u32 dir_out : 1;
};

struct usb_raw_ep_limits {
  __u16 maxpacket_limit;
  __u16 max_streams;
  __u32 reserved;
};

struct usb_raw_ep_info {
  __u8 name[USB_RAW_EP_NAME_MAX];
  __u32 addr;
  struct usb_raw_ep_caps caps;
  struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
  struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Open the raw-gadget device node; returns the descriptor or -1.
static int usb_raw_open()
{
  return open("/dev/raw-gadget", O_RDWR);
}

static int
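usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
  // Bind the gadget to the named UDC driver/device at the given speed.
  // strncpy zero-fills the remainder of each name field; a name of
  // UDC_NAME_LENGTH_MAX characters or more would be left unterminated (the
  // callers in this listing pass short strings).
  struct usb_raw_init arg;
  strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
  strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
  arg.speed = speed;
  return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

// Thin wrappers: each issues exactly one raw-gadget ioctl on fd and returns
// the ioctl result unchanged.
static int usb_raw_run(int fd)
{
  return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
  return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
  return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
  return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
  return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
  return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
  return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
  return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
  return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
  return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
  return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Return the position in index->ifaces of the entry matching the interface
// number and alternate setting, or -1 when fd is unknown or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  int i;
  if (!index)
    return -1;
  for (i = 0; i < index->ifaces_num; i++) {
    if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
        index->ifaces[i].bAlternateSetting == bAlternateSetting)
      return i;
  }
  return -1;
}

// Return the handle of the endpoint with the given address on the currently
// selected interface, or -1 when fd is unknown, no interface is selected, or
// the address is not present.
//
// Fix: the loop condition used to be just `eps_num`, which never involves ep.
// For an interface with endpoints but no match, ep ran past eps[] (an
// out-of-bounds read that could also return a bogus handle). The scan is now
// bounded by `ep < eps_num`.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  int ep;
  if (!index)
    return -1;
  if (index->iface_cur < 0)
    return -1;
  for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
    if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
      return index->ifaces[index->iface_cur].eps[ep].handle;
  return -1;
}

// Switch the active interface to ifaces[n]: the endpoints of the current
// interface are disabled, those of the new one enabled, and the handle
// returned by each successful enable is stored. Failures of individual
// endpoint ioctls are ignored (the empty branches are kept as generated).
// An out-of-range n only performs the disable step.
static void set_interface(int fd, int n)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  int ep;
  if (!index)
    return;
  if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
    for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
      int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
      if (rv < 0) {
      } else {
      }
    }
  }
  if (n >= 0 && n < index->ifaces_num) {
    for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
      int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
      if (rv < 0) {
      } else {
        index->ifaces[n].eps[ep].handle = rv;
      }
    }
    index->iface_cur = n;
  }
}

// Complete SET_CONFIGURATION handling: report the power draw taken from the
// configuration descriptor, mark the gadget configured and activate the first
// indexed interface. Returns 0, or the negative result of the failing step.
static int configure_device(int fd)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  if (!index)
    return -1;
  int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
  if (rv < 0) {
    return rv;
  }
  rv = usb_raw_configure(fd);
  if (rv < 0) {
    return rv;
  }
  set_interface(fd, 0);
  return 0;
}

// Largest payload carried by the event / transfer buffers below.
#define USB_MAX_PACKET_SIZE 4096

// Event header, followed by the control setup packet and room for its data.
struct usb_raw_control_event {
  struct usb_raw_event inner;
  struct usb_ctrlrequest ctrl;
  char data[USB_MAX_PACKET_SIZE];
};

// Transfer header with a fixed-size payload buffer.
struct usb_raw_ep_io_data {
  struct usb_raw_ep_io inner;
  char data[USB_MAX_PACKET_SIZE];
};

// Emulate plugging in a USB device: open a raw-gadget instance, register the
// descriptors in `dev`, then answer control requests until the supplied
// handler reports that enumeration is done.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
  if (!dev) {
    return -1;
  }
  int fd = usb_raw_open();
  if (fd < 0) {
    return fd;
  }
  if (fd >= MAX_FDS) {
    close(fd);
    return -1;
  }
  struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
  if (!index) {
    return -1;
  }
  // Per-process UDC instance name; "dummy_udc." plus a 64-bit decimal fits.
  char device[32];
  sprintf(&device[0], "dummy_udc.%llu", procid);
  int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
  if (rv < 0) {
    return rv;
  }
  rv = usb_raw_run(fd);
  if (rv < 0) {
    return rv;
  }
  bool done =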
false;
  while (!done) {
    struct usb_raw_control_event event;
    event.inner.type = 0;
    // Only the setup packet is fetched during enumeration.
    event.inner.length = sizeof(event.ctrl);
    rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
    if (rv < 0) {
      return rv;
    }
    if (event.inner.type != USB_RAW_EVENT_CONTROL)
      continue;
    char* response_data = NULL;
    uint32_t response_length = 0;
    if (event.ctrl.bRequestType & USB_DIR_IN) {
      // Device-to-host: look up the data to send; stall when there is none.
      if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
        usb_raw_ep0_stall(fd);
        continue;
      }
    } else {
      // Host-to-device: the handler decides whether to accept the request and
      // whether enumeration is finished.
      if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
        usb_raw_ep0_stall(fd);
        continue;
      }
      response_data = NULL;
      response_length = event.ctrl.wLength;
    }
    if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
        event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
      rv = configure_device(fd);
      if (rv < 0) {
        return rv;
      }
    }
    struct usb_raw_ep_io_data response;
    response.inner.ep = 0;
    response.inner.flags = 0;
    // A reply larger than the buffer is dropped to length 0 (not truncated);
    // otherwise it is capped at the length the host asked for. Both checks
    // run before the copy below, which keeps it inside response.data.
    if (response_length > sizeof(response.data))
      response_length = 0;
    if (event.ctrl.wLength < response_length)
      response_length = event.ctrl.wLength;
    response.inner.length = response_length;
    if (response_data)
      memcpy(&response.data[0], response_data, response_length);
    else
      memset(&response.data[0], 0, response_length);
    if (event.ctrl.bRequestType & USB_DIR_IN) {
      rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
    } else {
      rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
    }
    if (rv < 0) {
      return rv;
    }
  }
  sleep_ms(200);
  return fd;
}

// Connect a generic emulated device.
// a0: speed, a1: length of the descriptor blob, a2: descriptor blob,
// a3: optional struct vusb_connect_descriptors* (may be 0).
// Returns the gadget descriptor or a negative value.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  uint64_t speed = a0;
  uint64_t dev_len = a1;
  const char* dev = (const char*)a2;
  const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
  return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// Same as syz_usb_connect(), but enumeration uses the ath9k handler.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  uint64_t speed =
a0;
  uint64_t dev_len = a1;
  const char* dev = (const char*)a2;
  const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
  return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// Handle one control request on an already connected device.
// a0: gadget descriptor, a1: optional struct vusb_descriptors*, a2: optional
// struct vusb_responses*. Returns 0 on success, -1 when the fetched event is
// not a control request or no reply is available, or the negative ioctl
// result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
  int fd = a0;
  const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
  const struct vusb_responses* resps = (const struct vusb_responses*)a2;
  struct usb_raw_control_event event;
  event.inner.type = 0;
  event.inner.length = USB_MAX_PACKET_SIZE;
  int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
  if (rv < 0) {
    return rv;
  }
  if (event.inner.type != USB_RAW_EVENT_CONTROL) {
    return -1;
  }
  char* response_data = NULL;
  uint32_t response_length = 0;
  if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
    if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
      usb_raw_ep0_stall(fd);
      return -1;
    }
  } else {
    // NOTE(review): with `||` this branch runs for every STANDARD request and
    // for any request whose code equals SET_INTERFACE; `&&` may have been
    // intended -- confirm against the upstream executor before changing.
    if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
        event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
      int iface_num = event.ctrl.wIndex;
      int alt_set = event.ctrl.wValue;
      int iface_index = lookup_interface(fd, iface_num, alt_set);
      if (iface_index < 0) {
      } else {
        set_interface(fd, iface_index);
      }
    }
    response_length = event.ctrl.wLength;
  }
  struct usb_raw_ep_io_data response;
  response.inner.ep = 0;
  response.inner.flags = 0;
  // Same clamping as during enumeration: oversized replies become empty, and
  // the reply never exceeds the length the host requested.
  if (response_length > sizeof(response.data))
    response_length = 0;
  if (event.ctrl.wLength < response_length)
    response_length = event.ctrl.wLength;
  // A device-to-host request with wLength 0 is served through the read path
  // with a full-size buffer; response_data is still NULL on this path.
  if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
    response_length = USB_MAX_PACKET_SIZE;
  }
  response.inner.length = response_length;
  if (response_data)
    memcpy(&response.data[0], response_data, response_length);
  else
    memset(&response.data[0], 0, response_length);
  if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
    rv = usb_raw_ep0_write(fd, (struct
usb_raw_ep_io*)&response);
  } else {
    rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
  }
  if (rv < 0) {
    return rv;
  }
  sleep_ms(200);
  return 0;
}

// Send data on a non-control endpoint.
// a0: gadget descriptor, a1: endpoint address, a2: length, a3: data pointer.
// The length is capped at USB_MAX_PACKET_SIZE before the copy into the local
// transfer buffer. Returns 0, -1 when the endpoint is unknown, or the negative
// ioctl result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  int fd = a0;
  uint8_t ep = a1;
  uint32_t len = a2;
  char* data = (char*)a3;
  int ep_handle = lookup_endpoint(fd, ep);
  if (ep_handle < 0) {
    return -1;
  }
  struct usb_raw_ep_io_data io_data;
  io_data.inner.ep = ep_handle;
  io_data.inner.flags = 0;
  if (len > sizeof(io_data.data))
    len = sizeof(io_data.data);
  io_data.inner.length = len;
  memcpy(&io_data.data[0], data, len);
  int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
  if (rv < 0) {
    return rv;
  }
  sleep_ms(200);
  return 0;
}

// Receive data from a non-control endpoint into the caller's buffer.
// Arguments and return values as for syz_usb_ep_write().
// NOTE(review): the copy-out uses io_data.inner.length (the capped request
// size); rv, presumably the number of bytes actually transferred, does not
// bound it, so the tail of the copy may be uninitialised stack -- confirm.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  int fd = a0;
  uint8_t ep = a1;
  uint32_t len = a2;
  char* data = (char*)a3;
  int ep_handle = lookup_endpoint(fd, ep);
  if (ep_handle < 0) {
    return -1;
  }
  struct usb_raw_ep_io_data io_data;
  io_data.inner.ep = ep_handle;
  io_data.inner.flags = 0;
  if (len > sizeof(io_data.data))
    len = sizeof(io_data.data);
  io_data.inner.length = len;
  int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
  if (rv < 0) {
    return rv;
  }
  memcpy(&data[0], &io_data.data[0], io_data.inner.length);
  sleep_ms(200);
  return 0;
}

// Disconnect the emulated device by closing its gadget descriptor.
static volatile long syz_usb_disconnect(volatile long a0)
{
  int fd = a0;
  int rv = close(fd);
  sleep_ms(200);
  return rv;
}

// Open a device node.
// a0 == 0xc / 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> read-write.
// Otherwise a0 points to a path template in which each '#' is replaced by a
// decimal digit of a1 (least significant digit first), and a2 holds the
// open() flags.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ?
"char" : "block", (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    // Bounded copy with explicit termination: the template is caller memory.
    strncpy(buf, (char*)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

// Open a procfs entry named by the string at a1.
// a0 == 0 selects /proc/self, a0 == -1 /proc/thread-self, any other value
// /proc/self/task/<a0>. Read-write is tried first, then read-only.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
  char buf[128];
  memset(buf, 0, sizeof(buf));
  if (a0 == 0) {
    snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
  } else if (a0 == -1) {
    snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
  } else {
    snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
  }
  int fd = open(buf, O_RDWR);
  if (fd == -1)
    fd = open(buf, O_RDONLY);
  return fd;
}

// Open the slave side of the pty whose master descriptor is a0, using a1 as
// the open() flags. Returns -1 when the pty number cannot be queried.
static long syz_open_pts(volatile long a0, volatile long a1)
{
  int ptyno = 0;
  if (ioctl(a0, TIOCGPTN, &ptyno))
    return -1;
  char buf[128];
  sprintf(buf, "/dev/pts/%d", ptyno);
  return open(buf, a1, 0);
}

// Create a socket inside the namespace referenced by kInitNetNsFd and then
// return to the caller's own network namespace. errno of the socket() call is
// preserved. Failing to switch back is fatal (exit(1)), since the process
// would otherwise keep running in the wrong namespace.
// NOTE(review): when the first setns() fails the function returns without
// closing `netns`, leaking one descriptor per failed call.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
  int netns = open("/proc/self/ns/net", O_RDONLY);
  if (netns == -1)
    return netns;
  if (setns(kInitNetNsFd, 0))
    return -1;
  int sock = syscall(__NR_socket, domain, type, proto);
  int err = errno;
  if (setns(netns, 0))
    exit(1);
  close(netns);
  errno = err;
  return sock;
}

// Resolve a generic netlink family name (string at `name`) to its numeric id
// by sending CTRL_CMD_GETFAMILY to the controller. Returns the id or -1.
static long syz_genetlink_get_family_id(volatile long name)
{
  char buf[512] = {0};
  struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
  struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
  struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
  hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
  hdr->nlmsg_type = GENL_ID_CTRL;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
  genlhdr->cmd = CTRL_CMD_GETFAMILY;
  attr->nla_type = CTRL_ATTR_FAMILY_NAME;
  attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
  // At most GENL_NAMSIZ bytes of the caller's string go into the attribute.
  strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
  struct iovec iov = {hdr, hdr->nlmsg_len};
  struct sockaddr_nl addr = {0};
  addr.nl_family = AF_NETLINK;
  int fd = socket(AF_NETLINK, SOCK_RAW,
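NETLINK_GENERIC);
  if (fd == -1) {
    return -1;
  }
  struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
  if (sendmsg(fd, &msg, 0) == -1) {
    close(fd);
    return -1;
  }
  // The reply overwrites the request buffer, so hdr and attr now address the
  // received message.
  ssize_t n = recv(fd, buf, sizeof(buf), 0);
  close(fd);
  if (n <= 0) {
    return -1;
  }
  if (hdr->nlmsg_type != GENL_ID_CTRL) {
    return -1;
  }
  // NOTE(review): an attribute with nla_len == 0 would stop attr from
  // advancing; the reply comes from the kernel, so this is presumably not
  // reachable -- confirm.
  for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
      return *(uint16_t*)(attr + 1);
  }
  return -1;
}

// One chunk of a filesystem image: `size` bytes at `data`, placed at byte
// `offset` of the image.
struct fs_image_segment {
  void* data;
  uintptr_t size;
  uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
// memfd_create syscall number, hard-coded for the target this program was
// generated for.
#define sys_memfd_create 356

// Clamp the image segments in place and return the image size to allocate.
//
// Each of the first min(nsegs, IMAGE_MAX_SEGMENTS) segments is adjusted so
// that size <= IMAGE_MAX_SIZE and offset + size <= IMAGE_MAX_SIZE. The
// returned size is at least the end of every such segment and at most
// IMAGE_MAX_SIZE.
//
// Fix: the growth check compared `size` with offset + offset, so the image
// was sized from segment offsets only and a segment's data could extend past
// the size reported to the caller. It now uses offset + size.
//
// NOTE(review): the nsegs clamp is local to this function. Callers loop over
// their own, unclamped count, so segments past IMAGE_MAX_SEGMENTS are written
// without these bounds -- worth clamping at the call sites too.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
  unsigned long i;
  struct fs_image_segment* segs = (struct fs_image_segment*)segments;
  if (nsegs > IMAGE_MAX_SEGMENTS)
    nsegs = IMAGE_MAX_SEGMENTS;
  for (i = 0; i < nsegs; i++) {
    if (segs[i].size > IMAGE_MAX_SIZE)
      segs[i].size = IMAGE_MAX_SIZE;
    segs[i].offset %= IMAGE_MAX_SIZE;
    // size <= IMAGE_MAX_SIZE here, so the subtraction cannot wrap.
    if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
      segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
    if (size < segs[i].offset + segs[i].size)
      size = segs[i].offset + segs[i].size;
  }
  if (size > IMAGE_MAX_SIZE)
    size = IMAGE_MAX_SIZE;
  return size;
}

// Build a disk image in a memfd, attach it to this process's loop device with
// partition scanning enabled, and symlink each partition that appears to
// ./file0, ./file1, ... Returns 0 on success, -1 with errno set on failure.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
  char loopname[64], linkname[64];
  int loopfd, err = 0, res = -1;
  unsigned long i, j;
  size = fs_image_segment_check(size, nsegs, segments);
  int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
  if (memfd == -1) {
    err = errno;
    goto error;
  }
  if (ftruncate(memfd, size)) {
    err = errno;
    goto error_close_memfd;
  }
  // Individual segment write failures are ignored (best effort).
  for (i = 0; i < nsegs; i++) {
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;
    if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
    }
  }
  snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
  loopfd = open(loopname, O_RDWR);
  if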
(loopfd == -1) {
    err = errno;
    goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
    if (errno != EBUSY) {
      err = errno;
      goto error_close_loop;
    }
    // The loop device is still bound to an earlier image: detach it, wait
    // briefly and try once more.
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
      err = errno;
      goto error_close_loop;
    }
  }
  struct loop_info64 info;
  if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
    err = errno;
    goto error_clear_loop;
  }
  // Ask the kernel to scan the image for a partition table.
  info.lo_flags |= LO_FLAGS_PARTSCAN;
  if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
    err = errno;
    goto error_clear_loop;
  }
  res = 0;
  // Link partitions 1..7 that exist to consecutively numbered ./fileN names.
  for (i = 1, j = 0; i < 8; i++) {
    snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
    struct stat statbuf;
    if (stat(loopname, &statbuf) == 0) {
      snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
      if (symlink(loopname, linkname)) {
      }
    }
  }
  // The success path falls through the cleanup labels as well.
error_clear_loop:
  ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
  close(loopfd);
error_close_memfd:
  close(memfd);
error:
  errno = err;
  return res;
}

// Build a filesystem image in a memfd, attach it to this process's loop
// device and mount it.
// fsarg: filesystem type string, dir: mount point (created if missing),
// size/nsegs/segments: image description, flags: mount flags,
// optsarg: mount option string. Returns 0 on success, -1 with errno set.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
  char loopname[64], fs[32], opts[256];
  int loopfd, err = 0, res = -1;
  unsigned long i;
  size = fs_image_segment_check(size, nsegs, segments);
  int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
  if (memfd == -1) {
    err = errno;
    goto error;
  }
  if (ftruncate(memfd, size)) {
    err = errno;
    goto error_close_memfd;
  }
  // Individual segment write failures are ignored (best effort).
  for (i = 0; i < nsegs; i++) {
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;
    if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
    }
  }
  snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    err = errno;
    goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
    if (errno != EBUSY) {
      err = errno;
      goto error_close_loop;
    }
    // Same detach-and-retry as in syz_read_part_table().
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
      err = errno;
      goto error_close_loop;
}
  }
  mkdir((char*)dir, 0777);
  // Both strings are copied into zeroed buffers with room to spare, so they
  // stay NUL-terminated; opts keeps 32 bytes free for the suffixes appended
  // with strcat() below.
  memset(fs, 0, sizeof(fs));
  strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
  memset(opts, 0, sizeof(opts));
  strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    // Appends errors=continue when errors=panic is requested or
    // errors=remount-ro is absent, so that a corrupted image does not panic
    // the kernel (presumably relying on the later option winning -- confirm).
    if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
      strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
    strcat(opts, ",nouuid");
  }
  if (mount(loopname, (char*)dir, fs, flags, opts)) {
    err = errno;
    goto error_clear_loop;
  }
  res = 0;
  // The success path falls through the cleanup labels as well.
error_clear_loop:
  ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
  close(loopfd);
error_close_memfd:
  close(memfd);
error:
  errno = err;
  return res;
}

// Stub in this build: accepts the eight arguments and returns 0.
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
  return 0;
}

// Mount fusectl; failure is ignored.
static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

static void loop();

// Confinement shared by the sandbox modes: tie the process lifetime to its
// parent, detach into a new session, keep a handle to the original network
// namespace at kInitNetNsFd, cap resource usage and move into fresh
// namespaces. Namespace failures are ignored; losing the netns handle is
// fatal.
static void sandbox_common()
{
  // Kill this process when the parent dies.
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();
  int netns = open("/proc/self/ns/net", O_RDONLY);
  if (netns == -1)
    exit(1);
  if (dup2(netns, kInitNetNsFd) < 0)
    exit(1);
  close(netns);
  // Resource ceilings: 200 MiB address space, 32 MiB locked memory, 136 MiB
  // file size, 1 MiB stack, no core dumps, 256 open files.
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  // 0x02000000 is CLONE_NEWCGROUP, spelled numerically.
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  // SysV IPC limits written into /proc/sys after the namespace changes above.
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
{"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	// Write every table entry through write_file (defined outside this
	// listing); its result is not checked here.
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// wait_for_loop: reap children until `pid` itself is reaped and return its
// exit status. A negative pid (failed fork in the caller) exits with 1.
// Any other waitpid() result, including -1, just repeats the call.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// drop_caps: remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective,
// permitted and inheritable sets of the current process; exit(1) if the
// capability syscalls fail.
// Only those two bits are cleared (both live in cap_data[0]); every other
// capability the process holds is left in place.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// do_sandbox_none: entry point of the "none" sandbox. The parent waits for
// the child and returns its exit status; the child applies the common setup
// and runs loop().
// No uid/gid change is made on this path: containment consists of the
// rlimits and namespaces from sandbox_common() plus the two capabilities
// removed by drop_caps().
static int do_sandbox_none(void)
{
	// New PID namespace for the child; failure is ignored.
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	// Parent, or failed fork (pid < 0, on which wait_for_loop exits).
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	// Fresh network namespace for the test processes; failure is ignored.
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	// loop() has no exit from its for(;;); reaching this line is an error.
	exit(1);
}

// ioctl request used below to write an inode's flags word.
#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// remove_dir: recursively delete `dir` and everything under it, exiting the
// process with status 1 on any error it cannot work around.
static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	// Counts re-scans triggered by ENOTEMPTY when removing the directory.
	int iter = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		// Both branches exit with the same status.
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		// snprintf truncation is not checked.
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		// lstat: a symlink is classified as itself and never followed, so the
		// recursion below only descends into real directories.
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			// EPERM: write a zero flags word to the inode and retry.
			// NOTE(review): presumably this clears immutable/append-only
			// flags — confirm. This `continue` skips the i > 100 bound below.
			if (errno == EPERM) {
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			// Read-only filesystem: leave the entry in place.
			if (errno == EROFS) {
				break;
			}
			if (errno !=
EBUSY || i > 100)
				exit(1);
		}
	}
	closedir(dp);
	// Remove the directory itself. The workarounds below are tried only while
	// i < 100; after that, or on any other error, the process exits.
	int i;
	for (i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			// EPERM: write a zero flags word to the directory inode, then retry.
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			// Read-only filesystem: leave the directory in place.
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				continue;
			}
			// New entries appeared since the scan: rescan, at most 100 times.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// kill_and_wait: SIGKILL the test process and its process group, then reap
// it. If it is not reaped within about 100 ms, every FUSE connection listed
// under /sys/fs/fuse/connections is aborted before blocking in waitpid().
// NOTE(review): presumably the abort releases a child stuck on a FUSE
// request that nothing will answer — confirm.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	int i;
	for (i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// One byte is written, taken from the start of the path buffer;
			// a failed write is ignored.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	// Blocks until the child is reaped.
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// reset_loop: detach any backing file from this process's loop device so the
// next test starts with it unbound. An open() failure is ignored.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// setup_test: per-test child setup. SIGKILL on parent death, own process
// group, and oom_score_adj 1000 (the maximum, so the OOM killer picks this
// process first).
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// syz_execute_func: treat `text` as the address of a function taking no
// arguments and call it. The bytes at that address come from the generated
// program and are executed as-is inside this process; nothing here inspects
// them, so all containment comes from the sandbox and the machine this runs
// on. `p` is never read (only named in the (void) cast).
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}

// Per-worker state: whether the thread was started, the call index it should
// run next, and the ready/done events used for hand-off.
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls handed to workers that have not yet finished.
static int running;

// thr: worker thread body. Waits for `ready`, runs the assigned call,
// decrements `running` and signals `done`; never leaves the loop.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// execute_one: run the program's calls once, each on a worker thread.
static void execute_one(void)
{
	int i, call,
thread;
	// Body of execute_one (its header is on the preceding line): dispatch calls
	// 0..40 in order. Each call goes to the first worker whose `done` event is
	// set; workers are created lazily. If all 16 workers are still busy the
	// inner loop ends without a break and that call is skipped.
	for (call = 0; call < 41; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// A new worker starts out idle.
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Bounded wait: a base of 45 plus an extra allowance for specific
			// call indices. A call that outlives the wait keeps running on its
			// worker while dispatch moves on.
			// NOTE(review): event_timedwait is defined outside this listing;
			// the unit looks like milliseconds — confirm.
			event_timedwait(&th->done, 45 + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0));
			break;
		}
	}
	// Give calls still in flight up to 100 more 1 ms sleeps to finish.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

// Redundant declaration; execute_one is already defined above.
static void execute_one(void);

#define WAIT_FLAGS __WALL

// loop: run the program repeatedly, forever. Each iteration gets a fresh
// working directory ./<iter> and a forked child; the parent polls for the
// child's exit and force-kills it after 5 seconds, then deletes the
// directory.
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			// Child: run one pass of the program inside its own directory.
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			// Timed out: kill the child and reap it.
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers, used only when the system headers do not define
// them.
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
// Every mmap in the program is issued as mmap2, overriding the fallback above.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots shared between calls: execute_call stores values returned by
// earlier calls here and passes them as arguments to later ones.
uint64_t r[18] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff,
0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/zero\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x161000, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, (intptr_t)r[0], 0x3305, 0); break; case 2: memcpy((void*)0x20000040, "l2tp\000", 5); syz_genetlink_get_family_id(0x20000040); break; case 3: memcpy((void*)0x20000080, "/dev/dlm-control\000", 17); syscall(__NR_openat, 0xffffff9c, 0x20000080, 0x20000, 0); break; case 4: *(uint32_t*)0x200000c0 = 0x17; syscall(__NR_setsockopt, (intptr_t)r[0], 0x10e, 2, 0x200000c0, 4); break; case 5: res = syscall(__NR_mmap, 0x20ffa000, 0x4000, 0x2000000, 0x1010, (intptr_t)r[0], 0x10000000); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_socket, 0x23, 5, 2); if (res != -1) r[2] = res; break; case 7: res = syscall(__NR_io_uring_register, -1, 9, 0, 0); if (res != -1) r[3] = res; break; case 8: *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0; *(uint32_t*)0x200003c4 = r[2]; *(uint64_t*)0x200003c8 = 0; *(uint32_t*)0x200003d0 = 0x20000380; *(uint32_t*)0x20000380 = 0x20000100; *(uint32_t*)0x20000384 = 0x80; *(uint32_t*)0x20000388 = 0x20000240; *(uint32_t*)0x20000240 = 0x20000180; *(uint32_t*)0x20000244 = 0x93; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x20000280; *(uint32_t*)0x20000394 = 0xca; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x200003d4 = 0; *(uint32_t*)0x200003d8 = 0; *(uint64_t*)0x200003dc = 1; *(uint16_t*)0x200003e4 = 3; *(uint16_t*)0x200003e6 = r[3]; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; 
*(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; syz_io_uring_submit(0, r[1], 0x200003c0, 0x10001); break; case 9: *(uint32_t*)0x20000440 = 4; syscall(__NR_ioctl, -1, 0x4b63, 0x20000440); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0xaa; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 3, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 31, 1); *(uint8_t*)0x20000012 = 0x11; *(uint8_t*)0x20000013 = 2; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; memcpy((void*)0x20000016, "\xf4\xeb\xe4\x02\x16\xfe\xde\x5e\xf6\xc5\x31\x0f\x04\x13\xc5\xd4\x1b\x32\xfc\x23\xe0\x7f\xd3\x32\xa8\xa5\xc5\xf9\x66\x82\x1d\xa0\x91\xf4\x7b\x7b\x9c\xf9\x22\x87\x27\xff\x74\x12\xc2\xe4\xa3\xa1\x57\x3b\xb2\x95\x48\x2d\x7b\x4a\x3e\xff\xd8\x63\xcc\x60\xf5\xd8", 64); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0xd2d; *(uint32_t*)0x2000008c = 0xc61; *(uint32_t*)0x20000090 = 0x6d3; *(uint32_t*)0x20000094 = 0xbe2; break; case 11: *(uint8_t*)0x200000c0 = 2; STORE_BY_BITMASK(uint16_t, , 0x200000c1, 0xc9, 0, 12); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 3, 4, 2); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 1, 6, 2); *(uint16_t*)0x200000c3 = 0xa; *(uint16_t*)0x200000c5 = 6; *(uint16_t*)0x200000c7 = 5; *(uint8_t*)0x200000c9 = 0x13; *(uint8_t*)0x200000ca = 0x7f; *(uint16_t*)0x200000cb = 2; 
*(uint16_t*)0x200000cd = 0; break; case 12: memcpy((void*)0x20000100, "\xc4\xc2\xcd\x45\xf1\x8f\xe8\x00\xed\xb8\x5c\x2f\x00\x9e\xe9\x64\x36\x36\x0f\x28\x11\xc4\xc3\xc9\x0b\x6b\x07\x87\xc4\xc2\xf1\xa6\x03\xf3\x0f\xa6\xd0\xf3\x6f\x65\x0f\xfa\x0e\xc4\xc2\x1d\x2f\x9f\x5a\xac\x38\x4f\x3e\x65\xf3\xab", 56); syz_execute_func(0x20000100); break; case 13: break; case 14: memcpy((void*)0x20000180, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000180); break; case 15: syz_init_net_socket(3, 3, 0xcc); break; case 16: res = syscall(__NR_mmap, 0x20ffd000, 0x2000, 0x3000001, 0x80000, -1, 0); if (res != -1) r[4] = res; break; case 17: res = -1; res = syz_io_uring_complete(r[4]); if (res != -1) r[5] = res; break; case 18: *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0xd9fd; *(uint32_t*)0x200001c8 = 0x20; *(uint32_t*)0x200001cc = 0; *(uint32_t*)0x200001d0 = 0x308; *(uint32_t*)0x200001d4 = 0; *(uint32_t*)0x200001d8 = -1; *(uint32_t*)0x200001dc = 0; *(uint32_t*)0x200001e0 = 0; *(uint32_t*)0x200001e4 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint32_t*)0x200001f8 = 0; *(uint32_t*)0x200001fc = 0; *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; res = syscall(__NR_io_uring_setup, 0x3a3b, 0x200001c0); if (res != -1) { r[6] = res; r[7] = *(uint32_t*)0x200001d8; } break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xb18d; *(uint32_t*)0x20000248 = 0xab3a8d6e; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000250 = 0x158; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = r[7]; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 
= 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = -1; res = syz_io_uring_setup(0x17a8, 0x20000240, 0x20ffb000, 0x20ffd000, 0x200002c0, 0x20000300); if (res != -1) r[8] = res; break; case 20: *(uint32_t*)0x20000340 = 0; *(uint32_t*)0x20000344 = 0x15f8; *(uint32_t*)0x20000348 = 0x20; *(uint32_t*)0x2000034c = 2; *(uint32_t*)0x20000350 = 0xd2; *(uint32_t*)0x20000354 = 0; *(uint32_t*)0x20000358 = -1; *(uint32_t*)0x2000035c = 0; *(uint32_t*)0x20000360 = 0; *(uint32_t*)0x20000364 = 0; *(uint32_t*)0x20000368 = 0; *(uint32_t*)0x2000036c = 0; *(uint32_t*)0x20000370 = 0; *(uint32_t*)0x20000374 = 0; *(uint32_t*)0x20000378 = 0; *(uint32_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = 0; *(uint32_t*)0x2000038c = 0; *(uint32_t*)0x20000390 = 0; *(uint32_t*)0x20000394 = 0; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x2000039c = 0; *(uint32_t*)0x200003a0 = 0; *(uint32_t*)0x200003a4 = 0; *(uint32_t*)0x200003a8 = 0; *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = 0; *(uint32_t*)0x200003b4 = 0; res = -1; res = syz_io_uring_setup(0x6b11, 0x20000340, 0x20ffb000, 0x20ffb000, 0x200003c0, 0x20000400); if (res != -1) { r[9] = *(uint64_t*)0x200003c0; r[10] = *(uint64_t*)0x20000400; } break; case 21: res = syscall(__NR_socket, 0x1f, 3, 3); if (res != -1) r[11] = res; break; case 22: res = syscall(__NR_io_uring_register, (intptr_t)r[5], 9, 0, 0); if (res != -1) r[12] = res; break; case 23: *(uint8_t*)0x20001700 = 0xa; 
*(uint8_t*)0x20001701 = 2; *(uint16_t*)0x20001702 = 0; *(uint32_t*)0x20001704 = r[11]; *(uint64_t*)0x20001708 = 0; *(uint32_t*)0x20001710 = 0x200016c0; *(uint32_t*)0x200016c0 = 0x20000440; *(uint32_t*)0x200016c4 = 0x80; *(uint32_t*)0x200016c8 = 0x200015c0; *(uint32_t*)0x200015c0 = 0x200004c0; *(uint32_t*)0x200015c4 = 0x2c; *(uint32_t*)0x200015c8 = 0x20000500; *(uint32_t*)0x200015cc = 0x1000; *(uint32_t*)0x200015d0 = 0x20001500; *(uint32_t*)0x200015d4 = 0x28; *(uint32_t*)0x200015d8 = 0x20001540; *(uint32_t*)0x200015dc = 0x4a; *(uint32_t*)0x200016cc = 4; *(uint32_t*)0x200016d0 = 0x20001600; *(uint32_t*)0x200016d4 = 0xb9; *(uint32_t*)0x200016d8 = 0; *(uint32_t*)0x20001714 = 0; *(uint32_t*)0x20001718 = 0x2000; *(uint64_t*)0x2000171c = 1; *(uint16_t*)0x20001724 = 3; *(uint16_t*)0x20001726 = r[12]; *(uint8_t*)0x20001728 = 0; *(uint8_t*)0x20001729 = 0; *(uint8_t*)0x2000172a = 0; *(uint8_t*)0x2000172b = 0; *(uint8_t*)0x2000172c = 0; *(uint8_t*)0x2000172d = 0; *(uint8_t*)0x2000172e = 0; *(uint8_t*)0x2000172f = 0; *(uint8_t*)0x20001730 = 0; *(uint8_t*)0x20001731 = 0; *(uint8_t*)0x20001732 = 0; *(uint8_t*)0x20001733 = 0; *(uint8_t*)0x20001734 = 0; *(uint8_t*)0x20001735 = 0; *(uint8_t*)0x20001736 = 0; *(uint8_t*)0x20001737 = 0; *(uint8_t*)0x20001738 = 0; *(uint8_t*)0x20001739 = 0; *(uint8_t*)0x2000173a = 0; *(uint8_t*)0x2000173b = 0; syz_io_uring_submit(r[4], r[10], 0x20001700, 0xad23946); break; case 24: res = syscall(__NR_fsmount, (intptr_t)r[5], 1, 0x84); if (res != -1) r[13] = res; break; case 25: *(uint32_t*)0x20001740 = r[6]; *(uint64_t*)0x20001744 = 3; *(uint64_t*)0x2000174c = 6; *(uint64_t*)0x20001754 = 0x1000; res = syscall(__NR_ioctl, (intptr_t)r[8], 0xc01cf509, 0x20001740); if (res != -1) r[14] = *(uint32_t*)0x20001740; break; case 26: *(uint32_t*)0x200017c0 = 0; *(uint32_t*)0x200017c4 = 0x20001780; memcpy((void*)0x20001780, 
"\xe7\xbe\xd2\x38\x54\x76\x95\xa7\x89\x57\xb5\x74\xba\xcb\x6d\xbc\x56\x7a\x32\x32\xe7\x65\x59\xb4\xea\x39\x31\xb6\x08\x57\x8a\x24\xda\x4c\x74\x97\x95\x97\x5b\x0a\xe5\x1d\xa8\xa8\x6d\xde\x75\xb1\xd6\x84", 50); *(uint32_t*)0x200017c8 = 0x32; *(uint64_t*)0x20001800 = 1; *(uint64_t*)0x20001808 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x200017c0, 1, 0, 0x20001800, 1); break; case 27: *(uint32_t*)0x20001840 = 0; syz_memcpy_off(r[9], 0x114, 0x20001840, 0, 4); break; case 28: memcpy((void*)0x20001880, "afs\000", 4); memcpy((void*)0x200018c0, "./file0\000", 8); *(uint32_t*)0x20002900 = 0x20001900; memcpy((void*)0x20001900, "\xf1\xfd\x85\xc4\x6a\x07\x34\x5a\x88\x13\x28\x7b\x13\xf2\x1a\x08\x40\x90\x39\x26\xae\xf8\xfa\x2c\xb5\xf6\xe0\x10\xd1\x4f\x70\x30\x37\x67\x97\x11\x5f\xff\x5a\x94\x80\x41\x34\x8d\x82\x7d\xbd\x67\x8e\x20\x92\x8d\xc4\xb2\x24\xe0\xec\x33\xe5\x0b\xf6\x99\xf1\xed\x1e\x39\xdf\x43\xd8\x99\xeb\x1a\x37\xc8\xd1\x16\x31\xe7\xb7\x75\xfc\x82\x61\x19\x01\xef\x7d\xb3\x71\x4e\x0e\xf5\x9b\x98\xd9\xd7\xd9\x11\x4b\xa1\xba\x76\xa7\x2e\xdc\x93\x80\x33\x59\xb9\x99\x4b\x50\x4f\x9e\x77\x90\x37\x5f\xa5\x0f\xce\xab\x9c\x0f\x21\x03\x85\x72\x2f\x2a\x05\x4c\x09\xfe\xcf\x4a\x04\xcc\xfa\xca\xac\x9d\x40\xbe\xbb\x2e\x2b\xcc\x94\x8d\x32\x72\x63\xb0\xfa\x73\x5b\x75\x3f\xa3\x67\xf5\x53\x13\xbd\x6d\xf7\x47\x6a\x99\x61\xbe\xf3\xe5\x80\x6a\xe5\x3b\xf7\x23\x34\x74\xb6\x37\x26\x6e\x9f\xd6\x94\xfb\x30\xa5\x03\xfb\xa0\x53\xc4\x65\x62\x93\x6b\xb3\xb8\xfd\xd3\x8d\xa2\x3e\x72\x25\x86\x8f\x8c\xf1\xe7\xd2\x7c\xac\xb6\x90\x75\x65\x7b\x3c\xa8\x0f\x8b\xe0\xb8\xe0\x43\xdb\x62\x0f\x08\x72\x23\x1b\x8a\x31\x08\xc4\xa1\x0b\x8b\x72\x3b\x64\x6b\x3c\x6d\x5f\x37\x05\x58\x64\x09\x24\xa9\x3b\xa2\x5d\xb1\x74\x6c\xf2\xea\x14\x1b\x03\x85\xac\x0c\xf9\xe7\xac\xc8\xfd\xdd\x8e\xe3\x2f\xb9\x88\x49\x1e\x45\x45\x64\xeb\x14\x2e\xc8\x40\x24\x38\xdd\xb1\xd0\xbe\xd6\xd2\x85\xa2\xa4\x08\xa9\xed\xc5\x27\x76\xe3\xae\x70\x21\xc1\x09\x43\xee\xf0\xaf\x02\x70\x37\x22\x13\x62\x7d\xd4\x25\x3d\x95\xa3\x6a\xcd\x29\xf8\x09\x5c\x64\x28\
xf1\xc4\x6c\x3e\xb2\x12\x27\xd0\x46\x06\xb5\xc9\x22\x54\xe9\xce\x3e\x22\x0a\x8b\x8a\x28\x1c\x8d\x8e\x9c\x83\x07\x9e\xa1\xdf\x4a\x90\xdb\x9f\x08\xa5\x8c\x80\x3d\x8e\xc2\xbf\xcc\x99\xf1\xac\xd5\xf0\x62\x50\x43\xeb\x4a\x83\x17\x9e\x2d\x37\xc0\x76\x57\xe4\xb7\x47\xad\xcb\x09\x79\xa2\x30\xde\xa4\xf0\x79\xf2\x20\x84\x87\x09\xf2\xbb\x38\xc3\x4a\x22\xc5\xb3\xca\xf9\x4a\x02\xfc\x5f\x1c\x4d\x01\x3c\x16\x5a\xbf\x74\xbe\xd9\xd0\x28\xa5\xd8\x4e\xc1\x50\x37\x7f\x49\x8e\xe0\xe2\xa8\x6b\xf0\x4b\x97\xee\x40\xaf\x98\x82\xbf\xad\xec\xf5\xe1\x25\xfc\x90\x9d\x25\x0d\x92\xa3\x11\x66\xd6\x11\x21\xb5\x36\x45\x24\xb6\x35\x1e\x0b\x6a\x66\xdc\xde\xeb\x52\x49\xeb\xab\xb8\x65\xf1\xf4\xa1\xa8\x0a\xda\x5d\x69\x5d\x3a\x37\xb2\x14\xc9\xf0\xd9\x25\x07\xdb\x1b\x8d\x80\x8a\x96\xf0\x89\x02\xef\x8c\x97\xe2\x2b\x75\x49\x75\x38\xf5\x4f\xf9\x44\xa1\x91\x42\xb6\xae\x1b\x86\x36\x50\x0e\x2f\x39\x20\xa3\xab\x34\x1d\x8d\x1d\xb2\x2d\xc6\x4e\x1d\x68\x38\x21\x62\xb4\x89\xea\xad\xe6\x68\xba\x38\xe6\xe7\xec\xf6\x16\x26\xc7\x19\x37\x8a\x8e\xbf\x08\xec\x3d\x5d\xa6\x71\x64\x61\xe2\x06\x86\x9b\x33\x5c\xcb\xaf\xbc\x73\x64\x99\x83\x79\xd8\x94\xb9\xc6\x04\x41\xd9\x87\x97\xef\xf0\xd0\x4c\xe3\xfb\xf4\x19\xeb\x9c\x5c\x77\x8d\xbd\xc6\x03\x1b\x19\xfe\xa1\x3a\xdf\x11\x1d\xd4\x96\x28\x09\x3d\xa4\x1c\xe2\x52\x59\x5e\xa3\xd0\xb6\xdd\x96\x36\x4f\xe2\xe3\x75\x04\xbc\x66\x17\x04\x4f\xf1\xd0\xd2\x7f\x75\x9d\x1f\xaa\x8a\xe8\x54\xa1\x72\xda\x0b\x22\x73\x05\xbc\x63\x0a\x46\xb8\xe5\xbb\x9f\x8a\xa4\x0b\x95\xa4\xb6\xd5\xc3\x7b\xdd\xd0\x96\x8e\x19\x2d\x57\x24\x20\x78\x43\x4f\xde\xf9\xaf\xdc\x8f\x18\x39\x7d\xf1\xca\x6e\x76\xbd\xc7\x18\x45\xfb\xa2\x81\x8e\xf8\xf1\xc1\xdb\xf0\xa9\x2d\xde\xe3\xc8\xc1\xcf\xdd\xfb\x64\x43\x94\x19\xe6\x3f\x98\x11\xab\x5d\xaf\xd1\x5b\x2f\xf2\xa9\xc0\x41\x33\x16\x51\xc7\xaf\xe7\x86\x28\x75\xbf\x99\x61\x80\x6f\xac\x69\x4b\xef\x5f\x78\xfb\x9c\xd6\x4c\x33\x84\x86\x37\x44\x4e\x67\x52\x20\x03\x95\xe3\x73\x1d\x02\xdb\x34\xc2\x1f\xca\x31\x1d\x33\x9e\x81\x97\x32\xed\xe1\x83\x94\xb4\x5c\x4c\xbb\xbf\xfd\x45\xfd\xf5\x08\x28\x5d\
x26\xda\x5b\x3c\xed\xe6\x92\xaf\x4e\xf2\xf4\x2c\x73\x4b\x52\x28\x64\x75\x5d\xcd\x71\x9c\x93\xb2\x68\x43\x8f\x9b\x0f\x1a\xdd\x57\x4c\xf7\x21\x89\x21\xdf\x68\xc4\x96\x68\x3c\x62\x76\x11\x5c\x07\x4d\x42\x0f\x23\x86\x1e\xeb\x82\x03\x1e\x99\x8c\x08\x33\xd1\xcb\xbb\x5b\x33\x4a\x13\x60\x6a\x0b\xc4\x06\xc4\xc8\xb1\xc2\xbf\x8d\xf5\x57\x32\x4d\x2c\x94\xcb\xe4\xc2\x90\x80\xb6\x32\x34\xb1\xbb\x74\xe5\x85\x4e\x42\x2e\xb4\x6f\x73\x69\x78\xe2\x94\x3e\xbd\x28\xaf\x46\x7b\xd0\xee\x09\x6b\x95\x2f\xf5\xf0\xb2\x28\xc7\xef\x94\x6f\xd4\x72\x49\x3b\x0e\xac\xa9\x37\x84\x01\x66\x9f\x1b\xe6\x75\x23\x0e\x56\xbc\x19\xe4\xec\x12\x34\xfc\xb4\xea\x12\x2d\xd2\x04\x83\x01\x09\x68\x9c\xad\x7e\x3d\x70\x2a\xb3\xe9\x2e\x59\x01\x6a\x64\x0c\xce\x4e\x1e\x57\xd6\xe9\x45\x56\xe7\xee\x1f\x7c\x58\x63\x09\x04\x4b\xdc\xa4\xa7\xb2\xce\xbb\x4b\x3f\xab\xfd\x57\x8e\xd6\xc6\x85\x89\xb8\xaf\xcd\x4d\x0e\x5a\xb1\xb7\xee\xf6\xf8\x2c\xd2\x08\xe3\xec\xe7\x6e\x3b\x73\x33\x1f\xba\x03\xfb\x54\x47\x01\x29\x92\x74\x10\x42\x10\x6e\xd7\xd3\x86\xa1\x43\x3f\xe8\xd4\xc6\xbc\xe8\x22\xff\x8f\xfe\x1b\x38\x2a\xa7\x12\x47\x31\xa9\xad\x6e\x1a\x52\xc7\x82\x66\x17\x4a\x4f\xef\xe9\x86\xa5\x08\xf6\x64\x25\x77\x30\x3f\x91\xea\x4e\xfb\x32\x84\x3c\x6b\x33\x1b\x32\xf2\x45\x53\xa0\xc1\x30\x16\xd9\x1a\x23\x0a\x55\xd8\x1f\xeb\x7d\xfc\x48\xad\x15\x7c\x7c\x2f\xc6\x32\x53\x08\x10\x21\xd1\xc6\x53\x56\x51\x39\x03\xdd\xbd\xe8\xd3\xfd\x0d\x51\x74\x7f\x3e\xaa\xaf\x9d\xb9\xd6\xb4\xbd\x70\x69\xd8\xba\x53\xd4\xd1\x00\xee\x27\x27\x97\x95\x94\xc2\xfa\x80\xb9\xaa\x0e\xdd\x70\xe3\xd7\x02\xfb\x5b\x6c\xd2\x77\xee\xb4\x87\x55\x58\x86\xf8\x5b\x65\x7c\xd9\xeb\xa6\x41\xb2\x8b\xf1\xe7\x62\x30\x0f\x3e\x29\xc5\xa8\xd8\xbf\xe0\x77\xbd\xef\x7c\x9e\x2c\x4c\xfa\xd8\xfc\x36\x46\x70\xd7\xcd\x6a\xc7\xa8\x63\x22\xe6\x67\x76\x0e\x24\x03\xc4\x83\x8d\x61\xfa\x86\x69\xa4\xf6\x21\x14\xee\xf4\x23\xf0\x91\x32\xe2\x0b\xb9\x5b\xa3\x52\x2a\xc3\x10\x49\xc4\xa3\xd5\x81\xaf\x3c\x57\x84\x91\x0f\xba\x88\xcd\xee\x1c\xef\xf4\xdd\xae\xd8\x27\x11\x9c\xed\x53\x61\x94\x7d\x0e\x31\xa9\xc4\xd2\x52\x63\
xa5\x36\x54\xb8\x2f\xc1\x3b\x91\xf4\x45\x08\xdd\x19\x3c\xa1\xef\x26\xd9\x30\xa6\xb0\x81\x05\x86\xd4\x02\xba\x05\x54\xfa\xce\x5c\x3e\xd0\x77\x67\x1d\x50\xd2\x88\x65\xbf\xff\x35\xca\x3a\x4d\xab\xdb\xd6\xe3\xb0\x70\x59\x32\x0f\x53\xe5\xc4\x9d\x73\xcc\x16\xdd\x1e\xd2\x81\x6a\xc9\x8a\xd3\x85\x3c\x36\x88\x29\xc7\xbe\xc4\x0c\x4a\x9b\x39\xee\x3b\x73\x0b\xbd\x6c\x15\x2f\x35\x8e\x99\x11\x30\x8c\x12\xed\x12\x06\x56\x1f\xc7\xcf\x7c\xb4\x77\x14\x5f\x1a\xaa\xce\x66\xac\x5c\x44\x68\xac\xb2\xf6\x01\xc6\x1e\x4b\x11\x8b\xe2\x05\x6b\x6d\xbc\x18\x60\x9b\xfd\x41\x05\xee\xe1\x8b\xe3\x84\xa1\x99\x13\xd2\x74\xd9\x20\x39\x79\x0c\xb8\x74\x20\xb9\xfd\xd7\x0e\x73\x43\x09\xfc\x7a\xfe\x09\xe1\x1f\x78\x0d\x6e\xe6\x24\x31\x75\x90\x7a\x4a\xee\xcb\x6c\xa0\x70\xa3\x37\x4b\xe5\xd3\xd0\x7a\x78\x8e\xa4\xe1\xf9\xd6\xf1\x8e\xff\x9e\x79\x64\xd7\x07\x6c\xb5\xb9\x3c\xd9\x73\x38\xec\x05\x44\x8e\xc5\x27\xcc\xa6\x67\x90\xbf\xe3\x2c\x5b\x26\x62\xd7\xfc\x6b\x83\x6b\x41\xbf\x32\xe5\xbc\x0d\xdf\xe4\x2d\x59\x73\xdb\x86\xf8\xae\xd5\x6e\x43\x11\x2b\x45\xb0\xf7\x92\xc5\x39\x45\x99\xa1\x3e\x73\xc2\x50\x12\xb5\xaa\xcd\x3a\xef\x11\x24\x73\xc4\xe2\xe3\xab\x6a\xeb\xf5\xaf\x6d\xe9\xe7\x8a\xc0\x47\xfc\xc2\x76\xfd\x97\x6f\x25\x02\x2c\x65\xc3\x0a\x9f\xd6\x72\x03\xf1\x9e\x33\xb3\x5c\xfb\xcf\xdf\xf3\x95\xc5\xbb\x53\xf2\xfd\x79\x28\xe4\x3e\x62\x28\x47\x28\x07\x80\xb8\xcc\x81\x5f\xb4\x85\x18\x91\x05\xa1\x24\xcd\x86\x27\xcc\x3d\x5f\x1a\x9d\xd8\x00\xd4\x7a\x22\x6e\xbf\x90\x7e\xb2\xf4\x91\x33\xd1\x17\x58\x8d\x28\x0f\x4c\xc4\x3d\x95\x25\x4d\x88\xc8\x75\x3d\x96\x07\x3f\x97\xc5\x31\xf5\x1e\x55\x96\xe2\xe9\x71\xa2\x16\x1b\x78\xf7\x5e\xdc\xfb\xd9\xde\x38\xf0\xa9\x28\x4b\x7c\xce\xef\x87\x59\x8f\xa3\xbc\xfa\x5d\xbc\xbd\x1d\x28\x4c\xf8\x0c\xb7\x75\x54\x65\x89\x9d\x36\x2d\x9e\x40\xc6\x4c\x1a\x1e\x4c\xc4\x5c\x38\x71\xb2\x10\x4c\xa4\x0c\x05\x72\x9d\xcc\xbf\x6d\x0a\x17\x50\x0e\x5d\x0d\xff\xa3\x44\x3a\x52\x33\xe2\x79\xb2\xf9\xc5\x18\xb6\x97\x34\x0d\x26\xd2\x87\x26\x60\xc7\x1a\x49\x57\x10\xee\x00\x9f\xfb\x98\x9e\xbb\x5b\xef\xe5\x17\x69\x25\xb7\x8c\
xde\xb1\xe8\x11\xc5\x1e\xcd\xb0\x1a\x47\xec\x1d\x1d\x0e\xf2\x02\x4c\x9a\x66\x6f\x6b\xc5\xeb\xe1\x3e\x77\x3f\x89\xf4\xc8\x0b\xaa\x1d\x66\x0c\x05\x1c\x26\x72\xf9\x1c\x21\xdb\x5f\xf2\xd5\xa7\x01\x26\xdc\x69\x14\x0e\xe2\x16\xc4\x5b\xdd\x0a\x7b\x52\x79\xde\xce\x2f\x58\x3b\xc2\x4f\xc6\x3c\xae\x88\xae\x75\x57\x22\x40\x48\x23\xc5\xc2\x16\x84\x9d\xcd\x10\x85\xba\x99\x02\xcb\x24\x8a\xc5\xd1\x92\xc3\xbd\xc5\x37\x39\x2a\x7c\x9e\xd3\xc3\x59\xbb\x6d\x49\x34\x62\x5f\x5f\x7a\x6d\xd5\x1b\x78\x57\x3f\xc7\x26\xad\xab\xc9\x1f\x41\x96\x05\x86\xf6\x4c\x39\x26\x11\x26\xea\x67\xdf\xc3\x2c\x5a\xe5\xf7\xd6\xed\x88\x74\x73\x60\x41\x8d\x42\xa0\x08\xd9\xcf\xc5\xef\x15\xf9\xc5\x88\xdb\xb9\xec\xc3\x74\xba\x19\xab\x60\xa3\xba\x33\xfb\xd1\xb8\x04\x77\xb0\x20\x4e\x67\xc8\x45\xf9\xf6\xab\x58\x9c\x58\xb5\x78\xcc\xa5\x8a\xf3\x22\xae\x66\xb9\xb1\x2e\xd9\x53\x70\x3d\x13\x93\xd8\xec\xe9\xc6\x70\x66\x4f\xdb\x6b\x1f\xfa\x10\x27\x1a\xbc\x0e\x51\xd5\x7b\x59\x10\x2e\x26\x40\xbe\xa0\x9e\x91\x12\x94\xc3\x5a\xbc\x86\x16\x99\x0a\x57\x29\xbf\x73\x9a\x8e\x22\x77\x4a\x68\x0d\x57\x70\xb8\x58\xb9\x32\xfe\x59\x5b\x73\x22\x32\x8a\xe7\x92\x07\x8a\xd2\x8d\xb4\xd5\x4c\xbd\x7c\x98\x68\xfc\xbe\x6e\xed\x0b\x0a\xa7\xb7\xab\xbf\xb1\xb8\xef\xce\x2d\xd5\xc1\xe2\x9b\xac\x66\xab\x7f\x80\xfe\x7a\x65\xd2\xda\x18\x38\x66\x0e\x94\x06\x6a\x6b\x2e\x3b\xdb\x89\x7e\x55\x1b\xc0\x37\xd7\x79\xdb\xb6\xcb\x9b\xdc\xa7\x03\x0e\xf8\x22\x6b\x96\x8d\x5a\x85\x7c\xb4\x24\xa9\xbd\x71\xec\xf3\xe0\xdf\x3b\xca\x6b\x91\x95\x90\x5e\xd0\x5e\x73\xd0\x36\x7f\x16\x49\xee\xd5\x49\xd9\xc3\xd4\x7e\x2f\x31\x2c\x17\x0d\xc9\x4a\x70\x1d\x42\x04\x60\xe1\x00\x0e\x23\x70\x21\xc6\xb7\xb1\xbc\x08\xb3\x5c\x10\x43\xc6\xe8\x99\xed\x58\x7e\xf7\xdf\xb6\xe1\xc7\xb6\xe1\x1e\x3a\x2f\xb4\x34\x8a\xbc\xc9\xed\x18\x31\xee\x37\x3d\x00\x45\x40\xa7\x3a\x4c\x78\xf9\xd3\xab\xb1\x01\xc7\x87\xba\x23\x9d\xf6\x63\x92\x4e\xf8\x4e\x3b\x43\x68\x68\xb6\x3c\xd7\x4f\x4d\x47\xac\x9e\xbc\xe3\x81\x4b\xbd\xb3\x7e\xee\xc3\xfe\xa1\xf9\x06\x88\xd1\x6f\xf3\x28\x5d\x35\x97\x45\xf9\xc1\xb6\xdc\xfa\x98\xbc\xd3\
x2a\xca\xcc\xd9\x35\x0c\x07\x05\x79\xaf\x49\xc6\xdd\x8e\x62\xb3\xe1\x16\x16\xb9\x56\x05\xb5\xe6\x7c\x90\xc3\xdb\x1b\x83\x01\xde\x61\xbd\xfa\x55\x8e\xe6\xd1\x3f\x20\xa7\x8d\x40\x7e\x4f\x44\xca\x79\x3c\xe3\xd9\x58\xe1\x52\x2f\x1a\x64\x27\x6a\xc8\x86\x3d\x1a\x68\xb5\xb6\x4e\x03\xec\x0b\x22\xb0\xa7\x87\xbb\xa7\xb4\x62\xfd\xdf\x8d\xa7\xd1\x01\x8b\x32\xa1\x32\x82\xbd\x1e\x83\x06\x0a\x67\xc7\xda\x96\xe4\x6e\x3b\x32\x2a\x5d\x8e\x05\xba\x67\xb3\xac\xa1\xc5\xd1\xbf\x13\x6a\x57\xb3\xaa\x68\x77\x7f\x00\xbf\x10\x2d\xdd\xb1\xde\xc2\x1d\xb3\x09\xf4\x85\x5d\x9c\x08\xed\xc5\x80\xd6\x52\xa6\x89\x42\x0b\xf6\x25\x38\xb5\xaa\x26\x30\x57\x09\x81\x21\xd8\x2d\x87\xe2\x9e\xe2\x6b\x5d\x52\x88\x02\x3e\x50\x1f\xf2\x73\x0b\xce\xf0\x0b\x98\xf1\x3c\x40\xbc\x2d\xa1\xa1\xbc\xa1\xcd\x66\x64\x84\xf1\xa3\xf5\xc8\xb6\xff\xaf\x46\x8f\xbe\xaa\xf5\xab\xfd\x74\x39\x6f\xbc\x46\x0e\x0f\xd2\xb4\x40\xf5\xe5\x63\x27\xe6\x34\x90\x73\x11\xdc\xe9\x8e\xc0\x75\xe9\xee\x32\x87\xf7\xd2\xdc\xd6\x44\x93\xe5\xc5\xce\x09\x6b\xb2\x9d\x77\xaa\x49\xa9\xf6\x77\xe6\x8e\xfd\x44\xcf\x35\xb5\xa0\xd6\x9f\x1e\xc8\x87\xa5\xf1\xf3\x5e\x44\xaf\xe3\xb6\x90\x4e\xf0\x26\xb3\x65\x1c\x69\x7d\xc2\xaf\x46\x66\x2b\x92\x36\x64\x20\x1e\x4b\xae\xdc\x28\xe8\x5f\x33\xd0\xfc\xce\x83\xec\xb0\x1d\x04\xf5\xa0\x82\x6d\xf9\xfb\xfe\x7d\x92\xe3\x1d\xb7\x62\x02\x53\x3f\xa8\xbd\xbd\x4f\x14\x74\x4f\x84\x85\x94\x8f\xf0\xe4\x0e\xc7\x7d\x2a\x2c\xca\xc3\x4f\x38\x9a\x4f\x6b\x0e\x1f\x84\xf5\x27\xb1\x28\x2b\x4b\xa5\x3c\xc0\xa5\x34\x68\xeb\x13\x62\xd8\x7f\x33\x4f\x17\x6d\x94\x8d\x9d\x7f\xc1\x90\xa1\xfa\xbb\x36\x74\x53\x85\x94\x5f\x27\xd4\x4c\x13\x64\x36\xee\xed\xca\x1a\xd4\x94\x5c\x9d\x73\xd6\xa2\xd7\x22\x5a\x1f\x7f\xa4\x9a\x2b\x2b\x56\xd3\xa4\x03\xa8\xdd\xd0\x3d\x70\x1b\xb8\xba\x36\xc2\x75\xb0\x5d\xb3\xb6\x06\x38\xb9\xa2\xa2\x34\xcb\x63\xb8\x09\xeb\xfc\x9a\x77\x1a\xc7\x12\x76\x2f\x7e\x96\xc5\x38\xe1\xc5\x4a\x79\x12\xb9\x59\x44\x63\x2d\x6d\x60\x59\x4b\x90\x0e\x17\xee\x32\x7b\x2b\x2b\x13\xbe\x28\x44\x06\x1f\xd1\xe3\x50\xe4\x71\x21\xfd\x71\xf1\x30\xa5\xae\xb5\x15\x3c\
xcb\x8e\xce\x99\x59\x0f\xf9\x3e\xa9\x8e\xe5\x89\xa0\xa4\x28\x8b\xb6\xa3\x59\x0b\x1c\x6e\x89\x00\x8b\xbd\x2d\xc7\xad\x38\x74\x83\x69\x40\x5c\x9f\x8c\x37\xfa\x75\xdd\x2f\xf4\xa3\x84\x56\x1d\x03\x09\x48\xc3\xd1\x64\x66\xe4\xf0\x37\xe5\x4d\x3d\xca\xbd\xe0\x2f\xb3\x5c\x62\xb3\x16\x92\x65\xc0\xaf\x80\x18\xa8\x6c\x3f\xcf\x32\x68\xc1\xa9\x1e\x71\x31\xf8\x9c\xf7\x84\x1b\xb5\x8c\xab\x8a\x5f\x89\xd7\xed\xb6\x7f\x05\xf1\x6f\xe8\x40\x59\xbe\x5a\xbd\xbe\x44\xd3\x85\x2f\xa5\x79\x0c\x16\x16\x28\xb2\x1e\xef\x35\x9a\xaf\x7d\xb7\xde\x11\xc8\x35\xff\x9c\xc0\xb8\x6a\xc9\x75\x1f\xd2\xd5\xc1\x35\xe8\xac\xb4\x35\x2b\xc0\x3f\xdf\xe6\xc4\x34\x73\x58\x2c\xde\x76\xb1\x57\xee\xb0\x3a\xcf\xff\x74\x2b\xe5\x83\x8a\x4a\xab\xa1\x60\xe1\xc5\x88\xc9\xe1\xda\x27\x58\xfc\x29\x0a\xe3\x7a\x76\x05\x34\x0f\x72\x6f\xf3\xd8\xd7\x3d\x3d\xcc\xdc\x77\x37\x49\x9b\x74\x73\xec\xcc\x00\xc3\xd0\x1d\x20\xbd\x98\x9e\x60\x49\xd9\xda\x7d\xce\xe2\x29\xfe\x3d\xb7\xe2\x84\x5b\xa6\xef\x6b\x38\x06\x80\xe0\x77\x54\xdf\xa9\x2d\x16\x05\xb3\xb2\x52\x7e\xd1\x9d\x01\x33\x3b\x2b\x58\x86\x8d\x76\x14\xc9\x2b\x7f\x93\xc9\x5e\x2c\x90\x54\xf7\xa7\x28\xe0\x56\x9b\x98\x60\x18\x31\x1d\x9a\xb3\x79\xac\x3d\x19\xc7\xf6\x5f\x87\xac\xbd\x2a\x2b\xcd\xf1\x22\xb1\xb9\x50\x2d\x3c\x3a\x69\xef\xa3\x2f\x4b\xe1\xef\x20\xda\xa4\x2e\x13\x40\x9d\x2b\x12\xdb\xfd\x03\xc6\x4a\xca\x0b\xd6\x6c\x76\xc0\x4e\xa6\xa7\x6e\xf0\x29\x46\x50\xe5\x9e\x8a\x37\x9c\x85\xc5\xac\x8e\x31\x0e\xd9\x9e\x1a\x5f\x20\xc9\xbb\xdb\xee\x13\xde\x12\x18\xf9\x5b\xe0\x40\xff\x5f\x76\x0c\x7f\x07\xab\xe3\x62\x46\x85\x08\xa2\x11\x4e\x0c\x34\xf9\x38\x95\xc1\xe2\x8a\xd8\xc5\x6f\x19\x49\x81\x6c\xff\xd0\x9c\x02\x8d\xee\xf0\x1e\x5f\xcf\x91\xb4\x38\x4c\x62\xd0\xef\xd9\xb7\xd6\x6b\x1a\xae\x30\x2a\x3e\xd2\xc3\x03\x7c\x96\x75\xac\x6c\x86\x33\x6f\xa6\x03\x25\x8a\x53\x84\x09\xba\xd5\x67\x98\x11\x28\xcb\x8c\xab\x88\xd7\x02\x7b\x2a\x92\x67\x1c\xad\x00\x0a\x2c\x9f\x31\x7f\xb4\xae\x30\x98\x0d\x3f\x28\x51\x2f\xb5\xf6\x6a\x98\xb2\xe2\x07\x7a\x6a\x7f\x84\x61\xbf\x1a\x78\xcf\x12\xb3\xce\x6e\x3a\xa4\xa2\x2f\x3c\
x63\x73\xa5\xd0\x4f\x76\x7b\x83\xc7\xd5\x7a\x56\x83\x4f\x76\x39\xc9\xac\xbb\x9f\xde\xde\xa8\x52\x76\xa0\xaa\x10\x0b\x68\xc8\xa2\x46\x31\x4a\x8c\xa0\x2f\xf0\x7d\x15\x32\xc9\x0d\x9a\x4a\x5d\xac\xba\x53\xa2\x4c\x14\xcb\x94\xb5\x7a\x8c\x23\x6c\x98\x5e\xbc\x98\x69\x71\x08\xa4\x3e\x87\x4b\x67\x15\xe6\xbe\x8d\x96\x85\xfa\xfd\xba\x1d\x7e\x5d\x1b\x4c\xed\x62\x56\x58\x47\xbd\xfc\xf6\x2b\xe1\x75\xe8\x48\x3c\xfd\x07\x11\x24\x76\x64\xe2\x73\xfc\xbe\xc2\x9f\x60\xde\xdd\x34\xc6\x81\x0f\x66\x50\xb6\xbd\xc4\x7d\xf7\x26\x7b\x8f\x53\xbc\x66\xac\x41\xa5\xc0\x50\x6e\xdf\x4a\x80\x5c\xff\x03\x43\x79\x7c\x88\x12\x56\xea\x09\x5f\xbf\x14\x57\x54\xf7\xcb\x9d\xfb\xa6\xd3\xc2\xbd\x12\xac\xe3\x07\x62\x9c\xb2\x2d\xfe\xb5\xa4\x81\x55\xde\x0e\x50\xa9\x5d\xa5\x8b\x32\x02\x58\x9b\x60\xf5\xdd\x4c\xa6\xcd\x22\xc2\xed\x78\x8f\x27\x21\xd5\x35\x43\x74\xe9\xef\xac\xf4\x94\x72\x94\xdd\xc8\x14\x92\x25\xdc\xe5\xad\xfb\x32\x25\x95\xed\x18\xa4\xdc\xb0\x56\x51\x48\xb0\x87\xe3\x7d\x42\x47\xea\xae\xcc\x58\xc5\xaa\xf1\xc6\x4e\x87\xcc\x2c\xce\x9b\x8e\xbc\xaf\x96\x3f\xc4\x41\xa6\xdf\xac\x42\x6b\xe0\xac\xe4\xec\xfb\x91\xdf\x77\x32\x72\x1a\xfb\x34\xf9\x05\xce\x73\x77\xdb\x38\x49\xd7\x40\x1b\xa3\xd3\x14\x9c\x08\xe9\x8b\xcd\xec\xa6\xde\x20\x7e\xd8\xbc\x7b\x1d\x6e\x88\x59\x7d\xa6\x28\xc6\xb0\xa7\x3c\xf9\x67\x4a\x20\x7d\xd8\x74\x5f\xe5\xb3\x2b\xdd\x8f\x55\x09\xf1\x4f\xc1\x5c\xf9\x50\x4b\xf6\x63\x4b\x2d\xf2\x83\x6e\x95\xc7\x36\xe2\x76\x2f\x27\x14\xbf\xd1\x30\xaf\x99\x1d\x8b\x64\x8a\x93\x72\x15\x83\x83\xa2\xf5\x3e\x14\xc7\xcf\xc7\x66\x3d\xb5\xca\x5c\x8a\x9c\xdd\x15\x5e\x38\xc1\xf7\x0e\x51\x61\x35\x88\x12\x8d\xd0\x85\xbb\xdd\x7e\xd2\x39\xb9\x7e\x89\x58\xce\xf3\x5f\x11\x7e\xab\x19\xb3\x70\xff\x2e\x4e\x25\x68\x9d\x62\xb6\x84\xfd\x4a\xfc\xeb\x26\x32\x51\xfa\x92\xe8\xc6\xb2\xaa\x2e\x34\xd3\xfb\x8a\xae\xd1\x8c\xdc\x73\x4f\x9b\x42\x0c\x8d\x7b\x93\x15\x55\xeb\xd7\x99\x0c\xa0\x73\xfb\x81\xbe\x98\x27\x94\xe0\x00\xd5\x05\x72\xeb\x07\x61\xd4\x95\xba\x80\x68\xf6\x57\xd7\xf7\xb9\x19\xe6\x6a\x25\xe0\x32\x11\xdf\xe6\x90\xf4\x08\x1f\xc5\xde\
x14\xf5\xf9\xd8\xbe\x47\x80\x24\xe6\x0a\x31\x38\x08\x0d\x9c\xe9\x7a\xe2\x3e\x29\x1e\x77\xa6\xe4\xa5\x07\xa9\x6a\xe0\xc0\x7d\x96\x04\xa9\x5b\x43\xb8\x17\x4c\x33\x17\x5b\xa2\x95\x05\x01\x86\xf7\x23\xb5\x0a\x60\x9e\xe0\x9b\x42\x67\xe4\xd2\xaf\x42\x96\xce\x65\x7b\xb8\xb5\xe9\x96\xf9\x8b\xd7\x5e\xd4\x2d\x09\x54\x89\x5d\x97\xd9\x88\x32\x9d\x92\x5f\x62\x89\x44\x74\xd1\xca\xa5\xde\x98\x8e\xd7\xb5\xc6\xde\xac\xfd\x90\xad\x94\x7e\xfe\xbf\x6c\xf6\x1b\x45\xd9\xc7\xb1\xba\x59\xe9\xec\x4b\x85\x59\xaf\xf8\xd3\xd0\x5f\xb0\x0f\x57\xec\x94\x2b\x0e\x9b\x9f\xdb\xde\x26\xca\xd3\x40\xcb\xb4\xf7\xc0\x44\x7b\x70\x7e\xd8\xf6\xd4\xf9\x89\xd0\xb1\xda\x0d\x0c\xda\xe6\x17\xb0\x14\x36\xfa\x68\xe3\x77\x75\xe8\x44\x41\x5e\xbd\x11\xa3\x35\x08\x46\xcf\x0b\x41\x9f\xad\x6d\xb9\x4c\xcc\x82\x83\xe9\x50\x19\xdb\x55\x91\xb9\xe8\x1c\x5d\x32\x70\x7b\x30\x02\xaf\xb2\x40\x58\x49\x5f\x6c\x21\xcd\x4b\x9e\x12\xaf\x7a\x1f\x40\x54\xfd\xa3\x7b\xa6\xa2\x94\x5e\x89\x98\x99\x76\x10\x12\x54\x8e\x41\x22\xa6\x95\x56\xe0\xca\x51\xe2\x31\x94\xbd\xc4\xe2\x72", 4096); *(uint32_t*)0x20002904 = 0x1000; *(uint32_t*)0x20002908 = 9; memcpy((void*)0x20002940, "flock=openafs", 13); *(uint8_t*)0x2000294d = 0x2c; memcpy((void*)0x2000294e, "dyn", 3); *(uint8_t*)0x20002951 = 0x2c; memcpy((void*)0x20002952, "autocell", 8); *(uint8_t*)0x2000295a = 0x2c; memcpy((void*)0x2000295b, "dyn", 3); *(uint8_t*)0x2000295e = 0x2c; memcpy((void*)0x2000295f, "flock=openafs", 13); *(uint8_t*)0x2000296c = 0x2c; memcpy((void*)0x2000296d, "source", 6); *(uint8_t*)0x20002973 = 0x3d; memcpy((void*)0x20002974, "&", 1); *(uint8_t*)0x20002975 = 0x2c; memcpy((void*)0x20002976, "source", 6); *(uint8_t*)0x2000297c = 0x3d; memcpy((void*)0x2000297d, "SEG6\000", 5); *(uint8_t*)0x20002982 = 0x2c; memcpy((void*)0x20002983, "smackfsdef", 10); *(uint8_t*)0x2000298d = 0x3d; memcpy((void*)0x2000298e, "SEG6\000", 5); *(uint8_t*)0x20002993 = 0x2c; memcpy((void*)0x20002994, "smackfsdef", 10); *(uint8_t*)0x2000299e = 0x3d; memcpy((void*)0x2000299f, "SEG6\000", 5); 
*(uint8_t*)0x200029a4 = 0x2c; memcpy((void*)0x200029a5, "subj_user", 9); *(uint8_t*)0x200029ae = 0x3d; memcpy((void*)0x200029af, "SEG6\000", 5); *(uint8_t*)0x200029b4 = 0x2c; memcpy((void*)0x200029b5, "smackfstransmute", 16); *(uint8_t*)0x200029c5 = 0x3d; memcpy((void*)0x200029c6, ":", 1); *(uint8_t*)0x200029c7 = 0x2c; memcpy((void*)0x200029c8, "seclabel", 8); *(uint8_t*)0x200029d0 = 0x2c; *(uint8_t*)0x200029d1 = 0; syz_mount_image(0x20001880, 0x200018c0, 5, 1, 0x20002900, 0x20005, 0x20002940); break; case 29: memcpy((void*)0x20002a00, "/dev/i2c-#\000", 11); syz_open_dev(0x20002a00, 0xad8, 0x2a2000); break; case 30: res = syscall(__NR_ioctl, -1, 0x5429, 0x20002a40); if (res != -1) r[15] = *(uint32_t*)0x20002a40; break; case 31: memcpy((void*)0x20002a80, "net\000", 4); syz_open_procfs(r[15], 0x20002a80); break; case 32: syz_open_pts(r[13], 0); break; case 33: *(uint32_t*)0x20002e80 = 0x20002ac0; memcpy((void*)0x20002ac0, "\x7a\xd3\xcd\x80\x2d\xd0\xc4\x24\x94\x5d\x99\xca\x9c\xa6\xe4\xfb\xb8\xf8\xe3\xb9\x80\xd2\xec", 23); *(uint32_t*)0x20002e84 = 0x17; *(uint32_t*)0x20002e88 = 0x1000; *(uint32_t*)0x20002e8c = 0x20002b00; memcpy((void*)0x20002b00, "\x32\x9d\xe8\x0b\x2b\x17\xbb\xd2\x5d\x1f\x19\x07\xa9\x26\x3a\xf3\xbf\x05\xc4\xa7\x06\x1e\x28\x49\x2a\x3f\x71\xc6\x34\x3a\xa5\xaa\xea\x03\x27\xa3", 36); *(uint32_t*)0x20002e90 = 0x24; *(uint32_t*)0x20002e94 = 5; *(uint32_t*)0x20002e98 = 0x20002b40; memcpy((void*)0x20002b40, 
"\x82\x79\x1d\xfd\x31\x1d\x07\xdb\x7d\x65\xe8\x03\xce\x6c\xa0\x00\x28\xaf\x8f\xf8\xd2\x76\x18\x7e\x0e\x14\xbb\xf7\xbe\xab\x60\xfc\x4b\x70\x72\x2e\x91\xb6\x32\x2b\x8e\x34\x72\x19\x1a\x66\x17\x6b\xb0\xca\x91\xde\xe6\x0f\x15\x06\xa6\xd4\x8b\xe4\x05\x52\x30\xc3\x0b\xe9\x4a\x10\x43\xa1\xd2\xa0\x6d\x42\x16\x60\x69\xd8\x03\x3d\x6c\x52\x4c\x86\x10\xb8\xc4\xbb\x63\xaf\x0c\xe6\xd6\x20\x71\x37\xf1\xbe\x1b\x62\xb0\x02\xe8\xc3\x5e\x64\x67\xc2\x42\x3c\xc6\x59\x7d\x1c\xa5\x8e\xe3\x15\x89\xf0\x24\x8a\xc7\x62\xe2\x4a\x28\x6a\x41\xa7\x61\x91\x2d\x34\xbb\x56\xf0\x7d\xb8\x8c\xa5\x2f\xce\x8d\x12\x87\x62\x39\x4f\xa0\x0f\xaa\xc8\x45\x1a\x42\xc3\x14\x4b\xde\xc7\xe9\x72\x96\xc9\xea\xc7\xc9\xf6\x31\x10\xa3\xd4\x05\xc1\x6b\x04\x28\x88\x00\x24\xe8\xc9\xc8\xaf\x49\x0b\x8c\xfa\xd8\x4c\xbb\x63\x78\x78\xd6\x34\xcd\x84\x34\x6b\x60\xc9\x13\x2c\x09\x66\x0c\xdc\x61\x6a\x0b", 212); *(uint32_t*)0x20002e9c = 0xd4; *(uint32_t*)0x20002ea0 = 0x7fff; *(uint32_t*)0x20002ea4 = 0x20002c40; memcpy((void*)0x20002c40, "\x90\x4b\xbc\xee\x2b\x46\xda\xa1\xac\x64\x3b\x7b\x6b\x8e\xa0\xff\x46\x2f\xea\xbe\xe5\x41\xb4\x11\xa8\x85\xe4\x70\xa4\x96\xcb\xbd\xc7\x29\xff\xde\xbc\x50\x80\x7f\x71\x9c\xbe\x80\x8d\x8b\x59\x8b\x47\x67\xc7\xa8\x52\xd9\xce\x0c\x88\x0a\x9b\x07\x8b\x01\x87\xde\xac\x92\x6b\xd4\x68\x7a\x44\xf0\x92\xbb", 74); *(uint32_t*)0x20002ea8 = 0x4a; *(uint32_t*)0x20002eac = 5; *(uint32_t*)0x20002eb0 = 0x20002cc0; memcpy((void*)0x20002cc0, 
"\x35\x31\xae\x25\x7e\x7e\x08\x77\xcd\xe3\x40\xc4\x2e\xdb\xfc\x91\xdc\xff\xaf\xf1\x28\x4e\xf0\x8a\x45\x1e\x4c\x76\xe0\xcd\x83\xb2\xc0\xea\x10\xd8\x6b\xce\xfa\x93\xbb\xae\xf5\xff\xfb\xfe\x7d\xc7\x0b\x73\xb8\x9c\x55\xfc\x38\x51\x11\x0d\x1b\xd0\xd1\xda\x31\x75\x33\x20\xb1\x11\xfe\x70\x60\x53\x7e\x8f\x65\xf3\xc2\xf0\x5a\xdc\xb3\xd6\x6b\xd2\xab\xe6\xb0\x8a\xaa\xe0\xd0\xee\xdc\xa9\x93\x77\x07\xec\x4c\xb4\x87\x4c\xdf\xd0\x58\x00\x81\x2a\xb5\x3f\x95\x50\xb2\x5a\x28\xee\x69\xe6\x2a\x0f\x79\x0f\xe5\x23\x3f\xc8\x64\x5f\xc3\xfe\x6c\xae\x05\x5f\x2a\xa1\x72\x91\x25\x17\x01\x51\xe8\x6e\xea\xb6\x7b\xb2\x0b\xc8\x84\xa1\x21\x4c\x2d\x3d\x96\x9c\x34\xfb\x23\x9b\x45\xfe\xec\x93\xac\x20\x97\x21\xba\xe7\x27\x12\x51\xc6\x13\xce\xa9\x37\x9c\x15\x21", 183); *(uint32_t*)0x20002eb4 = 0xb7; *(uint32_t*)0x20002eb8 = 4; *(uint32_t*)0x20002ebc = 0x20002d80; memcpy((void*)0x20002d80, "\xc3\xf0\x4f\x26\x92\x9b\x7a\x4d\x63\x42\x84\x1f\xa5\x3a\x9a\x8c\xb8\x00\x6a\x97\xf4\x28", 22); *(uint32_t*)0x20002ec0 = 0x16; *(uint32_t*)0x20002ec4 = 6; *(uint32_t*)0x20002ec8 = 0x20002dc0; memcpy((void*)0x20002dc0, "\xc9\x87\x12\x75\xe3\x26\x9f\xf1\xbd\xcd\x67\xfb\x52\x3e\x1c\xeb\x51\x51\xb0\xed\xe9\xe0\x32\x63\x4e\x36\xd4\x86\x04\x6b\xc3\x1c\xd9\x78\xbd\xa5\x92\x47\x35\x53\x16\x31\x9e\x76\x8e\x7a\xc6\xbe\x06\x48\xbf\x0f\xec\xd1\x3c\xda\xd4\x5f\x71\x3e\x0e\x3b\x74\xe9\x5e\xec\x77\x06\x3c\x02\xa2\x33\xea\x97\xd3\x38\xf4\xb1\xe9\xbc\x5a\x7c\xce\x85\x52\x87\x42\x63\x2e\xd5\x9c\xec\x01\x6f\x39\x14\xdd\x02\xca\x6b\x1d\xc8\x33\x22\x48\x95\x27\x73\x50\xcf\x1f\x21\xd6\xc7\x8f\x85\x92\x71\x7e\x91\x23\x3f\x90\x26\x92\x7e\x0c\xc3\xd8\x0c\xdc\x57\x71\x47\x63\xa0\xfc\xb0\x91\xf5\xc6\x90\x51\xb5\x5c\xd2\xe1\xfc\xc3\x3b\x13\xd5\x97\xc5\xca\xee\xb2\x71\xc5\x42\x97\x8a\x1e\x17", 164); *(uint32_t*)0x20002ecc = 0xa4; *(uint32_t*)0x20002ed0 = 0x9c; syz_read_part_table(1, 7, 0x20002e80); break; case 34: *(uint8_t*)0x20002f00 = 0x12; *(uint8_t*)0x20002f01 = 1; *(uint16_t*)0x20002f02 = 0x201; *(uint8_t*)0x20002f04 = 0xa4; 
*(uint8_t*)0x20002f05 = 0x61; *(uint8_t*)0x20002f06 = 0x1e; *(uint8_t*)0x20002f07 = 0x40; *(uint16_t*)0x20002f08 = 0xacd; *(uint16_t*)0x20002f0a = 0x300; *(uint16_t*)0x20002f0c = 0xc0df; *(uint8_t*)0x20002f0e = 1; *(uint8_t*)0x20002f0f = 2; *(uint8_t*)0x20002f10 = 3; *(uint8_t*)0x20002f11 = 1; *(uint8_t*)0x20002f12 = 9; *(uint8_t*)0x20002f13 = 2; *(uint16_t*)0x20002f14 = 0x372; *(uint8_t*)0x20002f16 = 2; *(uint8_t*)0x20002f17 = 4; *(uint8_t*)0x20002f18 = 0x1f; *(uint8_t*)0x20002f19 = 0; *(uint8_t*)0x20002f1a = 1; *(uint8_t*)0x20002f1b = 9; *(uint8_t*)0x20002f1c = 4; *(uint8_t*)0x20002f1d = 0x5d; *(uint8_t*)0x20002f1e = 0xb3; *(uint8_t*)0x20002f1f = 1; *(uint8_t*)0x20002f20 = 0xad; *(uint8_t*)0x20002f21 = 0x49; *(uint8_t*)0x20002f22 = 0x76; *(uint8_t*)0x20002f23 = 0x20; *(uint8_t*)0x20002f24 = 7; *(uint8_t*)0x20002f25 = 0x24; *(uint8_t*)0x20002f26 = 1; *(uint8_t*)0x20002f27 = 0; *(uint8_t*)0x20002f28 = 0x80; *(uint16_t*)0x20002f29 = 0; *(uint8_t*)0x20002f2b = 9; *(uint8_t*)0x20002f2c = 5; *(uint8_t*)0x20002f2d = 0xd; *(uint8_t*)0x20002f2e = 0; *(uint16_t*)0x20002f2f = 0x230; *(uint8_t*)0x20002f31 = 0x5d; *(uint8_t*)0x20002f32 = 1; *(uint8_t*)0x20002f33 = 0x3f; *(uint8_t*)0x20002f34 = 7; *(uint8_t*)0x20002f35 = 0x25; *(uint8_t*)0x20002f36 = 1; *(uint8_t*)0x20002f37 = 0; *(uint8_t*)0x20002f38 = 0x1f; *(uint16_t*)0x20002f39 = 2; *(uint8_t*)0x20002f3b = 0xba; *(uint8_t*)0x20002f3c = 0xe; memcpy((void*)0x20002f3d, 
"\xf4\xe6\xe5\x76\x28\x83\xc3\x4d\xf0\x4f\x35\x60\x99\xf1\xd3\x4b\xdb\xc9\xf5\x32\x4d\xa6\x48\x05\x3f\xd6\x90\x21\x1b\x89\x71\x19\xc4\xf3\xac\x19\x7f\x2a\xa9\x3f\x2f\x3b\xe0\x5f\x83\x6b\x16\x44\xd5\xb2\x32\x76\x48\xb3\x08\x16\xed\x19\x2f\x94\x3d\xfc\xe2\x25\xf6\x9d\x77\xc5\x15\x65\xe1\x77\xfd\x88\x9c\x9c\x9d\x8c\x85\xb9\x2e\xe4\xbe\xad\x0e\x88\x94\x46\xbb\xc3\x20\xa4\x0f\xa2\x48\x07\xf4\x76\xbf\xd1\xf1\xb3\x09\x6e\x33\x70\xf7\x55\xc9\x4a\xa0\x1c\x3b\xe4\xdd\xc7\x95\x2a\x56\x94\xbc\xad\x4b\xeb\x40\x65\xbf\x5e\xa9\x60\x66\xc4\x3e\x95\x07\xe6\x22\x0c\x47\xbc\x02\x71\xad\xcb\xaf\xfc\xe6\xac\x90\xcb\x3c\x8b\x1c\xf7\x48\xc6\xbb\xf9\x71\x08\xdf\xa2\xca\xc4\xb8\x7d\x34\x20\x42\x84\x34\x39\x7e\x07\xf1\x7a\x87\xed\x62\x33\xb3\x9e\x32\xf0", 184); *(uint8_t*)0x20002ff5 = 9; *(uint8_t*)0x20002ff6 = 4; *(uint8_t*)0x20002ff7 = 0x5d; *(uint8_t*)0x20002ff8 = 0x27; *(uint8_t*)0x20002ff9 = 7; *(uint8_t*)0x20002ffa = 0x3f; *(uint8_t*)0x20002ffb = 0x84; *(uint8_t*)0x20002ffc = 0xfd; *(uint8_t*)0x20002ffd = 3; *(uint8_t*)0x20002ffe = 0x10; *(uint8_t*)0x20002fff = 0x24; *(uint8_t*)0x20003000 = 2; *(uint8_t*)0x20003001 = 1; *(uint8_t*)0x20003002 = 0xe2; *(uint8_t*)0x20003003 = 2; *(uint8_t*)0x20003004 = 0x63; *(uint8_t*)0x20003005 = 0x40; memcpy((void*)0x20003006, "\xe7\x21\xcc\x44\xac\xca\x89\x38", 8); *(uint8_t*)0x2000300e = 0xb; *(uint8_t*)0x2000300f = 0x24; *(uint8_t*)0x20003010 = 2; *(uint8_t*)0x20003011 = 1; *(uint8_t*)0x20003012 = 0; *(uint8_t*)0x20003013 = 3; *(uint8_t*)0x20003014 = 1; *(uint8_t*)0x20003015 = 0; memcpy((void*)0x20003016, "\x9e\xf4\x2f", 3); *(uint8_t*)0x20003019 = 7; *(uint8_t*)0x2000301a = 0x24; *(uint8_t*)0x2000301b = 1; *(uint8_t*)0x2000301c = 4; *(uint8_t*)0x2000301d = 1; *(uint16_t*)0x2000301e = 4; *(uint8_t*)0x20003020 = 0xb; *(uint8_t*)0x20003021 = 0x24; *(uint8_t*)0x20003022 = 2; *(uint8_t*)0x20003023 = 1; *(uint8_t*)0x20003024 = 0; *(uint8_t*)0x20003025 = 3; *(uint8_t*)0x20003026 = 0x19; *(uint8_t*)0x20003027 = 6; memcpy((void*)0x20003028, "\x9e", 1); 
memcpy((void*)0x20003029, "\x69\x83", 2); *(uint8_t*)0x2000302b = 9; *(uint8_t*)0x2000302c = 5; *(uint8_t*)0x2000302d = 0xf; *(uint8_t*)0x2000302e = 0; *(uint16_t*)0x2000302f = 0x3ff; *(uint8_t*)0x20003031 = 0xf6; *(uint8_t*)0x20003032 = 5; *(uint8_t*)0x20003033 = 0x80; *(uint8_t*)0x20003034 = 9; *(uint8_t*)0x20003035 = 5; *(uint8_t*)0x20003036 = 1; *(uint8_t*)0x20003037 = 0x10; *(uint16_t*)0x20003038 = 0x10; *(uint8_t*)0x2000303a = 0; *(uint8_t*)0x2000303b = 0x40; *(uint8_t*)0x2000303c = 6; *(uint8_t*)0x2000303d = 7; *(uint8_t*)0x2000303e = 0x25; *(uint8_t*)0x2000303f = 1; *(uint8_t*)0x20003040 = 2; *(uint8_t*)0x20003041 = 0x20; *(uint16_t*)0x20003042 = 6; *(uint8_t*)0x20003044 = 9; *(uint8_t*)0x20003045 = 5; *(uint8_t*)0x20003046 = 0xb; *(uint8_t*)0x20003047 = 8; *(uint16_t*)0x20003048 = 0x10; *(uint8_t*)0x2000304a = 1; *(uint8_t*)0x2000304b = 2; *(uint8_t*)0x2000304c = 0; *(uint8_t*)0x2000304d = 9; *(uint8_t*)0x2000304e = 5; *(uint8_t*)0x2000304f = 0xd; *(uint8_t*)0x20003050 = 0x10; *(uint16_t*)0x20003051 = 0x200; *(uint8_t*)0x20003053 = 4; *(uint8_t*)0x20003054 = 8; *(uint8_t*)0x20003055 = 0xc0; *(uint8_t*)0x20003056 = 0xbb; *(uint8_t*)0x20003057 = 0x31; memcpy((void*)0x20003058, "\x21\x5c\xe6\xab\x8f\x3c\x72\xca\xa3\xab\x13\x26\xf1\x88\x38\x90\x8a\xc6\x0b\xff\xb3\xb5\x07\x48\x14\x4a\xa2\xcb\xc4\xd7\xca\xc5\x6f\x4a\x7b\xb2\xbd\x6c\x96\x96\x74\xa5\xe4\x04\x08\x61\xbb\x21\xba\x5c\xcf\x0f\x82\x2c\x10\x32\xe7\xe3\x72\x9f\x8c\x17\x1f\xc7\xa8\x9b\x53\x40\xb5\x06\x71\x08\xd5\x97\xf1\x78\xaa\x65\x1a\x98\xac\xa4\xd0\x12\xfa\x55\x5a\x69\x56\x83\xb5\x27\xe6\x03\x1f\x1f\x7f\x20\x49\x4b\x25\x0e\x3a\x6c\xd8\xb4\xde\x96\x47\xe1\x50\x04\x98\x67\x09\x7c\x47\xcc\x23\x7c\x61\x2c\xef\xe6\x98\x33\x2f\x1f\xe7\xf0\x2e\x6f\x53\xe8\x45\xb1\xf5\xe7\xb4\xb2\x4a\xd8\x62\x9b\x78\xce\x76\x30\xe2\xd4\x01\x20\xfb\xc3\xf4\x93\x75\xa4\xa0\x86\xde\xdd\x2a\x27\xf0\x6b\x3e\xd3\xd7\x56\xa8\x19\xb9\x7f\x75\x9a\xa5\x4a\xef\x83\xdf\x48\x68\xa9\xe9", 185); *(uint8_t*)0x20003111 = 9; 
*(uint8_t*)0x20003112 = 5; *(uint8_t*)0x20003113 = 3; *(uint8_t*)0x20003114 = 0x12; *(uint16_t*)0x20003115 = 0x3ff; *(uint8_t*)0x20003117 = 0; *(uint8_t*)0x20003118 = 1; *(uint8_t*)0x20003119 = -1; *(uint8_t*)0x2000311a = 0xad; *(uint8_t*)0x2000311b = 0x31; memcpy((void*)0x2000311c, "\x0c\x92\x1d\x3f\x98\x0f\x4e\x53\x14\x7a\x46\xbd\x58\x56\xda\x03\x08\x16\x60\xfb\xed\x7b\x8b\x2d\x38\x9b\xe8\xa0\x38\xe9\x5c\x29\x58\xa4\x77\xed\x5f\xaf\x9e\xf3\x8c\x82\xc3\xab\xea\x25\x44\x59\xed\xb0\xf2\xcf\x28\x62\x35\x03\x40\x87\xad\xb7\x90\x7f\xf1\x92\x64\x0b\x93\x68\x86\xbd\x48\xd3\xa5\x12\x15\x40\x6b\x3a\xa0\xb6\xd8\xf8\xd9\x1d\x83\x0f\x52\x36\xa9\xa8\xbe\x03\xc2\x21\x5f\x01\x21\x31\x96\x8c\x6a\x80\x86\x0a\xe8\x11\x93\x05\x94\x68\x10\x8e\xfd\x4f\x13\x05\x37\x9d\x01\x15\xc7\xec\x66\x7b\x03\x59\x94\x0e\x56\x64\xbf\x7b\x3c\x4a\x5f\x04\xca\x3c\x51\xdb\x9d\x2c\xd4\x17\xe9\x09\x9b\xff\x62\x8b\x8e\x1a\x8e\xd0\xf5\x96\x14\x93\x57\xa0\x8a\xbd\x11\x77\xeb\x97\x73\x53\xeb\x89\x32", 171); *(uint8_t*)0x200031c7 = 0x93; *(uint8_t*)0x200031c8 = 0x11; memcpy((void*)0x200031c9, "\xa8\xe2\x2d\x54\x2a\xe3\xd8\x31\xf3\x37\x21\x1b\xb5\xbe\x12\xa5\xc4\x6e\x5c\xf9\xb5\x56\xd8\x4d\x5a\xf4\xca\xca\x87\x42\xad\x21\x61\x40\x56\x2b\x7e\x54\x21\xe2\x64\x24\x71\xe8\xf5\x0e\xb8\xae\xf0\x62\x12\xb4\x6c\x64\x4a\xe5\x84\x63\xe1\x8b\x3e\x72\xbd\x3e\xca\x60\x60\xfa\x8b\x94\x03\x17\x96\xe5\x5e\xb4\x1d\x3f\x31\x8a\xff\xbf\x08\x1e\xeb\x17\x08\x85\x1e\x72\xfa\xdd\x88\x7e\x03\x30\x13\x43\x19\xf0\xa5\x96\x7e\xda\x65\x7b\xc1\x10\x1f\x74\xde\xba\x42\xe7\x8a\xff\x20\xfb\x5d\x3c\x1f\xe4\x9d\x9a\x05\x46\x57\xb6\xf1\xaf\x3d\x01\x5f\xc1\x6f\xf8\x08\x73\xf3\x26\x69\x08\x43\xdf\x81", 145); *(uint8_t*)0x2000325a = 9; *(uint8_t*)0x2000325b = 5; *(uint8_t*)0x2000325c = 0xf; *(uint8_t*)0x2000325d = 4; *(uint16_t*)0x2000325e = 0x200; *(uint8_t*)0x20003260 = 0; *(uint8_t*)0x20003261 = 0x1f; *(uint8_t*)0x20003262 = 1; *(uint8_t*)0x20003263 = 0x11; *(uint8_t*)0x20003264 = 6; memcpy((void*)0x20003265, 
"\x82\x4b\x7d\x09\x57\xbc\x55\x2d\x22\x4f\xdf\x6b\xff\x63\xa8", 15); *(uint8_t*)0x20003274 = 7; *(uint8_t*)0x20003275 = 0x25; *(uint8_t*)0x20003276 = 1; *(uint8_t*)0x20003277 = 0x80; *(uint8_t*)0x20003278 = 0xfd; *(uint16_t*)0x20003279 = 6; *(uint8_t*)0x2000327b = 9; *(uint8_t*)0x2000327c = 5; *(uint8_t*)0x2000327d = 0; *(uint8_t*)0x2000327e = 0; *(uint16_t*)0x2000327f = 0x20; *(uint8_t*)0x20003281 = 0x1f; *(uint8_t*)0x20003282 = 0xfd; *(uint8_t*)0x20003283 = 3; *(uint32_t*)0x20003400 = 0xa; *(uint32_t*)0x20003404 = 0x200032c0; *(uint8_t*)0x200032c0 = 0xa; *(uint8_t*)0x200032c1 = 6; *(uint16_t*)0x200032c2 = 0x110; *(uint8_t*)0x200032c4 = 0x4d; *(uint8_t*)0x200032c5 = 0x80; *(uint8_t*)0x200032c6 = 0x80; *(uint8_t*)0x200032c7 = 0x20; *(uint8_t*)0x200032c8 = 0xc1; *(uint8_t*)0x200032c9 = 0; *(uint32_t*)0x20003408 = 0x46; *(uint32_t*)0x2000340c = 0x20003300; *(uint8_t*)0x20003300 = 5; *(uint8_t*)0x20003301 = 0xf; *(uint16_t*)0x20003302 = 0x46; *(uint8_t*)0x20003304 = 5; *(uint8_t*)0x20003305 = 0xb; *(uint8_t*)0x20003306 = 0x10; *(uint8_t*)0x20003307 = 1; *(uint8_t*)0x20003308 = 0xc; *(uint16_t*)0x20003309 = 0x35; *(uint8_t*)0x2000330b = 0; *(uint8_t*)0x2000330c = 0xdf; *(uint16_t*)0x2000330d = 9; *(uint8_t*)0x2000330f = 0xf7; *(uint8_t*)0x20003310 = 7; *(uint8_t*)0x20003311 = 0x10; *(uint8_t*)0x20003312 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003313, 0xe, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003314, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003314, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003315, 9, 0, 16); *(uint8_t*)0x20003317 = 0x18; *(uint8_t*)0x20003318 = 0x10; *(uint8_t*)0x20003319 = 0xa; *(uint8_t*)0x2000331a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000331b, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000331b, 0x7fffffe, 5, 27); *(uint16_t*)0x2000331f = 0xff0f; *(uint16_t*)0x20003321 = 0x101; *(uint32_t*)0x20003323 = 0xffc0a0; *(uint32_t*)0x20003327 = 0; *(uint32_t*)0x2000332b = 0xffff0f; *(uint8_t*)0x2000332f = 0x10; *(uint8_t*)0x20003330 = 0x10; 
*(uint8_t*)0x20003331 = 0xa; *(uint8_t*)0x20003332 = 3; STORE_BY_BITMASK(uint32_t, , 0x20003333, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003333, 0x200, 5, 27); *(uint16_t*)0x20003337 = 0xff00; *(uint16_t*)0x20003339 = 1; *(uint32_t*)0x2000333b = 0; *(uint8_t*)0x2000333f = 7; *(uint8_t*)0x20003340 = 0x10; *(uint8_t*)0x20003341 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003342, 0x16, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003343, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003343, 0xe, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003344, 7, 0, 16); *(uint32_t*)0x20003410 = 2; *(uint32_t*)0x20003414 = 4; *(uint32_t*)0x20003418 = 0x20003380; *(uint8_t*)0x20003380 = 4; *(uint8_t*)0x20003381 = 3; *(uint16_t*)0x20003382 = 0x380a; *(uint32_t*)0x2000341c = 4; *(uint32_t*)0x20003420 = 0x200033c0; *(uint8_t*)0x200033c0 = 4; *(uint8_t*)0x200033c1 = 3; *(uint16_t*)0x200033c2 = 0x42f; res = -1; res = syz_usb_connect(4, 0x384, 0x20002f00, 0x20003400); if (res != -1) r[16] = res; break; case 35: *(uint8_t*)0x20003440 = 0x12; *(uint8_t*)0x20003441 = 1; *(uint16_t*)0x20003442 = 0x200; *(uint8_t*)0x20003444 = -1; *(uint8_t*)0x20003445 = -1; *(uint8_t*)0x20003446 = -1; *(uint8_t*)0x20003447 = 0x40; *(uint16_t*)0x20003448 = 0xcf3; *(uint16_t*)0x2000344a = 0x9271; *(uint16_t*)0x2000344c = 0x108; *(uint8_t*)0x2000344e = 1; *(uint8_t*)0x2000344f = 2; *(uint8_t*)0x20003450 = 3; *(uint8_t*)0x20003451 = 1; *(uint8_t*)0x20003452 = 9; *(uint8_t*)0x20003453 = 2; *(uint16_t*)0x20003454 = 0x48; *(uint8_t*)0x20003456 = 1; *(uint8_t*)0x20003457 = 1; *(uint8_t*)0x20003458 = 0; *(uint8_t*)0x20003459 = 0x80; *(uint8_t*)0x2000345a = 0xfa; *(uint8_t*)0x2000345b = 9; *(uint8_t*)0x2000345c = 4; *(uint8_t*)0x2000345d = 0; *(uint8_t*)0x2000345e = 0; *(uint8_t*)0x2000345f = 6; *(uint8_t*)0x20003460 = -1; *(uint8_t*)0x20003461 = 0; *(uint8_t*)0x20003462 = 0; *(uint8_t*)0x20003463 = 0; *(uint8_t*)0x20003464 = 9; *(uint8_t*)0x20003465 = 5; *(uint8_t*)0x20003466 = 1; *(uint8_t*)0x20003467 = 2; *(uint16_t*)0x20003468 = 
0x200; *(uint8_t*)0x2000346a = 0; *(uint8_t*)0x2000346b = 0; *(uint8_t*)0x2000346c = 0; *(uint8_t*)0x2000346d = 9; *(uint8_t*)0x2000346e = 5; *(uint8_t*)0x2000346f = 0x82; *(uint8_t*)0x20003470 = 2; *(uint16_t*)0x20003471 = 0x200; *(uint8_t*)0x20003473 = 0; *(uint8_t*)0x20003474 = 0; *(uint8_t*)0x20003475 = 0; *(uint8_t*)0x20003476 = 9; *(uint8_t*)0x20003477 = 5; *(uint8_t*)0x20003478 = 0x83; *(uint8_t*)0x20003479 = 3; *(uint16_t*)0x2000347a = 0x40; *(uint8_t*)0x2000347c = 1; *(uint8_t*)0x2000347d = 0; *(uint8_t*)0x2000347e = 0; *(uint8_t*)0x2000347f = 9; *(uint8_t*)0x20003480 = 5; *(uint8_t*)0x20003481 = 4; *(uint8_t*)0x20003482 = 3; *(uint16_t*)0x20003483 = 0x40; *(uint8_t*)0x20003485 = 1; *(uint8_t*)0x20003486 = 0; *(uint8_t*)0x20003487 = 0; *(uint8_t*)0x20003488 = 9; *(uint8_t*)0x20003489 = 5; *(uint8_t*)0x2000348a = 5; *(uint8_t*)0x2000348b = 2; *(uint16_t*)0x2000348c = 0x200; *(uint8_t*)0x2000348e = 0; *(uint8_t*)0x2000348f = 0; *(uint8_t*)0x20003490 = 0; *(uint8_t*)0x20003491 = 9; *(uint8_t*)0x20003492 = 5; *(uint8_t*)0x20003493 = 6; *(uint8_t*)0x20003494 = 2; *(uint16_t*)0x20003495 = 0x200; *(uint8_t*)0x20003497 = 0; *(uint8_t*)0x20003498 = 0; *(uint8_t*)0x20003499 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20003440, 0); break; case 36: *(uint32_t*)0x200036c0 = 0x18; *(uint32_t*)0x200036c4 = 0x200034c0; *(uint8_t*)0x200034c0 = 0x20; *(uint8_t*)0x200034c1 = 8; *(uint32_t*)0x200034c2 = 0xd4; *(uint8_t*)0x200034c6 = 0xd4; *(uint8_t*)0x200034c7 = 0x31; memcpy((void*)0x200034c8, 
"\xdd\x9f\xe1\xd6\xf8\xee\x76\xd6\x28\x92\x46\xb5\x27\x7c\xc1\x9f\x3c\x46\x21\xad\xd8\x21\xa7\xf3\xd1\xaa\xe9\x94\xdb\xf4\xb1\xbd\x89\xe8\x77\x07\x34\x76\x8a\xde\x97\xe5\x1d\x24\x8f\x53\xcd\x53\x0b\x31\x11\x9a\xac\xcf\x53\xb6\xf6\xed\xdf\x4b\x8b\xfe\x6a\x1a\x85\x9c\x3d\xc2\x86\xf8\x33\x5c\x9d\x15\xe5\xd5\x16\x9b\x24\x41\x55\x39\x10\x62\xff\x88\x5d\x40\xbe\x37\x07\xb6\xd1\xea\x25\x2a\x96\xd9\x7a\xb2\x4f\xb6\x75\xf5\x45\x57\xcf\xa2\x4d\x80\x5b\x07\x95\x70\x8a\xf5\x06\x5d\x4b\x66\x62\xdf\xd5\x4d\xd5\x9c\xfc\xe1\x67\x3a\xb3\x56\xa2\x54\xf6\xb5\xbc\xe4\x4c\x61\x9a\x17\xff\xce\x8e\xbb\x96\xe0\x83\xc0\x82\x45\x00\x62\xbd\x71\xa2\x06\xca\x92\x1e\x0b\x77\xf5\x17\xc1\x61\x95\x86\xb3\xbc\xa3\xe2\x49\x08\x21\x01\x6c\xc7\x6c\xaf\x96\xc0\xec\x90\x68\xb4\x5e\x23\x34\xed\x9a\x6f\xf0\x6a\x63\x43\xae\x01\xf0\xae\xf6\x12\x7e\xba\xf5\xb5\x2d\x69\xe3", 210); *(uint32_t*)0x200036c8 = 0x200035c0; *(uint8_t*)0x200035c0 = 0; *(uint8_t*)0x200035c1 = 3; *(uint32_t*)0x200035c2 = 4; *(uint8_t*)0x200035c6 = 4; *(uint8_t*)0x200035c7 = 3; *(uint16_t*)0x200035c8 = 0x40e; *(uint32_t*)0x200036cc = 0x20003600; *(uint8_t*)0x20003600 = 0; *(uint8_t*)0x20003601 = 0xf; *(uint32_t*)0x20003602 = 0x28; *(uint8_t*)0x20003606 = 5; *(uint8_t*)0x20003607 = 0xf; *(uint16_t*)0x20003608 = 0x28; *(uint8_t*)0x2000360a = 2; *(uint8_t*)0x2000360b = 3; *(uint8_t*)0x2000360c = 0x10; *(uint8_t*)0x2000360d = 0xb; *(uint8_t*)0x2000360e = 0x20; *(uint8_t*)0x2000360f = 0x10; *(uint8_t*)0x20003610 = 0xa; memcpy((void*)0x20003611, "\x19\x5f\xa2\xf3\x24\xc0\xbe\x96\xda\x3d\xb2\x6a\xfa\x56\x77\x53\x0a\xc0\xfa\xf4\xc6\x82\xbe\x7c\x15\xe9\xa5\x86\x66", 29); *(uint32_t*)0x200036d0 = 0x20003640; *(uint8_t*)0x20003640 = 0x20; *(uint8_t*)0x20003641 = 0x29; *(uint32_t*)0x20003642 = 0xf; *(uint8_t*)0x20003646 = 0xf; *(uint8_t*)0x20003647 = 0x29; *(uint8_t*)0x20003648 = 9; *(uint16_t*)0x20003649 = 1; *(uint8_t*)0x2000364b = 0; *(uint8_t*)0x2000364c = 9; memcpy((void*)0x2000364d, "\x05\x7c\x41\x7e", 4); memcpy((void*)0x20003651, 
"\x8d\xa4\x36\xc4", 4); *(uint32_t*)0x200036d4 = 0x20003680; *(uint8_t*)0x20003680 = 0x20; *(uint8_t*)0x20003681 = 0x2a; *(uint32_t*)0x20003682 = 0xc; *(uint8_t*)0x20003686 = 0xc; *(uint8_t*)0x20003687 = 0x2a; *(uint8_t*)0x20003688 = 0x20; *(uint16_t*)0x20003689 = 0x10; *(uint8_t*)0x2000368b = 0x80; *(uint8_t*)0x2000368c = 0x40; *(uint8_t*)0x2000368d = 0x1f; *(uint16_t*)0x2000368e = 0; *(uint16_t*)0x20003690 = 5; *(uint32_t*)0x20003b40 = 0x44; *(uint32_t*)0x20003b44 = 0x20003700; *(uint8_t*)0x20003700 = 0x60; *(uint8_t*)0x20003701 = 8; *(uint32_t*)0x20003702 = 0x54; memcpy((void*)0x20003706, "\x85\xf9\x88\x04\x52\x78\xf9\x75\x32\xa6\x67\xcb\xee\x9b\x82\x1d\x65\x54\xfb\x1c\x6d\x18\xdf\xfb\x78\x51\x96\xd9\x07\x27\xe1\xb4\x61\x5c\x86\xee\x04\x9a\x16\x96\xb1\x66\x8f\x00\x0e\x62\xd5\x39\xe0\x81\xcf\x07\xe3\x60\x17\x1c\xe6\x1c\xa2\xf9\x56\x44\xb9\xad\x8e\x92\x11\xa1\xb1\x9c\x43\x99\xbd\xfd\x6d\x53\x3b\xf8\x95\x52\x42\x72\x5b\xb4", 84); *(uint32_t*)0x20003b48 = 0x20003780; *(uint8_t*)0x20003780 = 0; *(uint8_t*)0x20003781 = 0xa; *(uint32_t*)0x20003782 = 1; *(uint8_t*)0x20003786 = 1; *(uint32_t*)0x20003b4c = 0x200037c0; *(uint8_t*)0x200037c0 = 0; *(uint8_t*)0x200037c1 = 8; *(uint32_t*)0x200037c2 = 1; *(uint8_t*)0x200037c6 = 0x81; *(uint32_t*)0x20003b50 = 0x20003800; *(uint8_t*)0x20003800 = 0x20; *(uint8_t*)0x20003801 = 0; *(uint32_t*)0x20003802 = 4; *(uint16_t*)0x20003806 = 2; *(uint16_t*)0x20003808 = 0; *(uint32_t*)0x20003b54 = 0x20003840; *(uint8_t*)0x20003840 = 0x20; *(uint8_t*)0x20003841 = 0; *(uint32_t*)0x20003842 = 8; *(uint16_t*)0x20003846 = 0x200; *(uint16_t*)0x20003848 = 0x40; *(uint32_t*)0x2000384a = 0xff; *(uint32_t*)0x20003b58 = 0x20003880; *(uint8_t*)0x20003880 = 0x40; *(uint8_t*)0x20003881 = 7; *(uint32_t*)0x20003882 = 2; *(uint16_t*)0x20003886 = 1; *(uint32_t*)0x20003b5c = 0x200038c0; *(uint8_t*)0x200038c0 = 0x40; *(uint8_t*)0x200038c1 = 9; *(uint32_t*)0x200038c2 = 1; *(uint8_t*)0x200038c6 = 0x81; *(uint32_t*)0x20003b60 = 0x20003900; *(uint8_t*)0x20003900 = 
0x40; *(uint8_t*)0x20003901 = 0xb; *(uint32_t*)0x20003902 = 2; memcpy((void*)0x20003906, "\x8e\xaf", 2); *(uint32_t*)0x20003b64 = 0x20003940; *(uint8_t*)0x20003940 = 0x40; *(uint8_t*)0x20003941 = 0xf; *(uint32_t*)0x20003942 = 2; *(uint16_t*)0x20003946 = 9; *(uint32_t*)0x20003b68 = 0x20003980; *(uint8_t*)0x20003980 = 0x40; *(uint8_t*)0x20003981 = 0x13; *(uint32_t*)0x20003982 = 6; *(uint8_t*)0x20003986 = 0xaa; *(uint8_t*)0x20003987 = 0xaa; *(uint8_t*)0x20003988 = 0xaa; *(uint8_t*)0x20003989 = 0xaa; *(uint8_t*)0x2000398a = 0xaa; *(uint8_t*)0x2000398b = 0x38; *(uint32_t*)0x20003b6c = 0x200039c0; *(uint8_t*)0x200039c0 = 0x40; *(uint8_t*)0x200039c1 = 0x17; *(uint32_t*)0x200039c2 = 6; *(uint8_t*)0x200039c6 = -1; *(uint8_t*)0x200039c7 = -1; *(uint8_t*)0x200039c8 = -1; *(uint8_t*)0x200039c9 = -1; *(uint8_t*)0x200039ca = -1; *(uint8_t*)0x200039cb = -1; *(uint32_t*)0x20003b70 = 0x20003a00; *(uint8_t*)0x20003a00 = 0x40; *(uint8_t*)0x20003a01 = 0x19; *(uint32_t*)0x20003a02 = 2; memcpy((void*)0x20003a06, "{k", 2); *(uint32_t*)0x20003b74 = 0x20003a40; *(uint8_t*)0x20003a40 = 0x40; *(uint8_t*)0x20003a41 = 0x1a; *(uint32_t*)0x20003a42 = 2; *(uint16_t*)0x20003a46 = 0x40; *(uint32_t*)0x20003b78 = 0x20003a80; *(uint8_t*)0x20003a80 = 0x40; *(uint8_t*)0x20003a81 = 0x1c; *(uint32_t*)0x20003a82 = 1; *(uint8_t*)0x20003a86 = 0; *(uint32_t*)0x20003b7c = 0x20003ac0; *(uint8_t*)0x20003ac0 = 0x40; *(uint8_t*)0x20003ac1 = 0x1e; *(uint32_t*)0x20003ac2 = 1; *(uint8_t*)0x20003ac6 = 0xfe; *(uint32_t*)0x20003b80 = 0x20003b00; *(uint8_t*)0x20003b00 = 0x40; *(uint8_t*)0x20003b01 = 0x21; *(uint32_t*)0x20003b02 = 1; *(uint8_t*)0x20003b06 = 0xfa; syz_usb_control_io(r[16], 0x200036c0, 0x20003b40); break; case 37: *(uint8_t*)0x20003bc0 = 0x12; *(uint8_t*)0x20003bc1 = 1; *(uint16_t*)0x20003bc2 = 0x201; *(uint8_t*)0x20003bc4 = 0; *(uint8_t*)0x20003bc5 = 0; *(uint8_t*)0x20003bc6 = 0; *(uint8_t*)0x20003bc7 = 0x10; *(uint16_t*)0x20003bc8 = 0x46d; *(uint16_t*)0x20003bca = 0xc22d; *(uint16_t*)0x20003bcc = 0x40; 
*(uint8_t*)0x20003bce = 1; *(uint8_t*)0x20003bcf = 2; *(uint8_t*)0x20003bd0 = 3; *(uint8_t*)0x20003bd1 = 1; *(uint8_t*)0x20003bd2 = 9; *(uint8_t*)0x20003bd3 = 2; *(uint16_t*)0x20003bd4 = 0x2d; *(uint8_t*)0x20003bd6 = 1; *(uint8_t*)0x20003bd7 = 1; *(uint8_t*)0x20003bd8 = 0; *(uint8_t*)0x20003bd9 = 0x10; *(uint8_t*)0x20003bda = 2; *(uint8_t*)0x20003bdb = 9; *(uint8_t*)0x20003bdc = 4; *(uint8_t*)0x20003bdd = 0; *(uint8_t*)0x20003bde = 0x2f; *(uint8_t*)0x20003bdf = 2; *(uint8_t*)0x20003be0 = 3; *(uint8_t*)0x20003be1 = 1; *(uint8_t*)0x20003be2 = 1; *(uint8_t*)0x20003be3 = 0xfd; *(uint8_t*)0x20003be4 = 9; *(uint8_t*)0x20003be5 = 0x21; *(uint16_t*)0x20003be6 = 9; *(uint8_t*)0x20003be8 = 1; *(uint8_t*)0x20003be9 = 1; *(uint8_t*)0x20003bea = 0x22; *(uint16_t*)0x20003beb = 0x2ff; *(uint8_t*)0x20003bed = 9; *(uint8_t*)0x20003bee = 5; *(uint8_t*)0x20003bef = 0x81; *(uint8_t*)0x20003bf0 = 3; *(uint16_t*)0x20003bf1 = 0x10; *(uint8_t*)0x20003bf3 = 6; *(uint8_t*)0x20003bf4 = -1; *(uint8_t*)0x20003bf5 = 4; *(uint8_t*)0x20003bf6 = 9; *(uint8_t*)0x20003bf7 = 5; *(uint8_t*)0x20003bf8 = 2; *(uint8_t*)0x20003bf9 = 3; *(uint16_t*)0x20003bfa = 8; *(uint8_t*)0x20003bfc = 4; *(uint8_t*)0x20003bfd = 6; *(uint8_t*)0x20003bfe = 0x7f; *(uint32_t*)0x20003cc0 = 0xa; *(uint32_t*)0x20003cc4 = 0x20003c00; *(uint8_t*)0x20003c00 = 0xa; *(uint8_t*)0x20003c01 = 6; *(uint16_t*)0x20003c02 = 0x300; *(uint8_t*)0x20003c04 = 3; *(uint8_t*)0x20003c05 = 2; *(uint8_t*)0x20003c06 = 0xfa; *(uint8_t*)0x20003c07 = 8; *(uint8_t*)0x20003c08 = 0x74; *(uint8_t*)0x20003c09 = 0; *(uint32_t*)0x20003cc8 = 0x28; *(uint32_t*)0x20003ccc = 0x20003c40; *(uint8_t*)0x20003c40 = 5; *(uint8_t*)0x20003c41 = 0xf; *(uint16_t*)0x20003c42 = 0x28; *(uint8_t*)0x20003c44 = 2; *(uint8_t*)0x20003c45 = 3; *(uint8_t*)0x20003c46 = 0x10; *(uint8_t*)0x20003c47 = 0xb; *(uint8_t*)0x20003c48 = 0x20; *(uint8_t*)0x20003c49 = 0x10; *(uint8_t*)0x20003c4a = 0xa; *(uint8_t*)0x20003c4b = 3; STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 5, 0, 5); 
STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 8, 5, 27); *(uint16_t*)0x20003c50 = 0xf00; *(uint16_t*)0x20003c52 = 0xf831; *(uint32_t*)0x20003c54 = 0xc0; *(uint32_t*)0x20003c58 = 0xc0a0; *(uint32_t*)0x20003c5c = 0xff000f; *(uint32_t*)0x20003c60 = 7; *(uint32_t*)0x20003c64 = 0xc0f0; *(uint32_t*)0x20003cd0 = 1; *(uint32_t*)0x20003cd4 = 4; *(uint32_t*)0x20003cd8 = 0x20003c80; *(uint8_t*)0x20003c80 = 4; *(uint8_t*)0x20003c81 = 3; *(uint16_t*)0x20003c82 = 0x436; res = -1; res = syz_usb_connect(4, 0x3f, 0x20003bc0, 0x20003cc0); if (res != -1) r[17] = res; break; case 38: syz_usb_disconnect(r[17]); break; case 39: syz_usb_ep_read(-1, 0x80, 0xc4, 0x20003d00); break; case 40: memcpy((void*)0x20003e00, "\x50\x74\xfa\x81\xf3\xf3\x73\xda\x27\x99\xca\xfb\x26\xb4\x49\x7c\xb3\xc8\x7b\xc0\xf8\x2f\xa7\x88\x54\x68\xbd\x41\x23\x20\x65\xaa\x95\x61\xd2\x4a\xe0\xf1\xd0\xe0\x36\xac\x71\x4a\xc5\xaf\x89\xc6\x9d\x88\x61\xca\xd7\x13\xfc\xb8\xba\xcb\x8c\x4b\x10\xdc\x3b\x6e\xc2\x04\x4c\x01\xf3\x71\xb1\x24\xc0\xa0\xf4\xba\xce\x7d\x51\x79\x87\x2c\xdd\x20\x5e\x09\xc3\xee\xb7\xd5\x57\x7b\x26\xe9\x8f\x84\x55\x4e\xd6", 99); syz_usb_ep_write(r[16], 0x7f, 0x63, 0x20003e00); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } <stdin>: In function ‘syz_io_uring_setup’: <stdin>:248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) <stdin>:248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor787278021 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/5 (0.23s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:1 
Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$zero(0xffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x161000, 0x0) ioctl$SNAPSHOT_FREE(r0, 0x3305) syz_genetlink_get_family_id$l2tp(&(0x7f0000000040)='l2tp\x00') openat$dlm_control(0xffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x20000, 0x0) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f00000000c0)=0x17, 0x4) r1 = mmap$IORING_OFF_SQES(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x2000000, 0x1010, r0, 0x10000000) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, r1, &(0x7f00000003c0)=@IORING_OP_RECVMSG={0xa, 0x4, 0x0, r2, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=@x25={0x9, @remote}, 0x80, &(0x7f0000000240)=[{&(0x7f0000000180)=""/147, 0x93}], 0x1, &(0x7f0000000280)=""/202, 0xca}, 0x0, 0x0, 0x1, {0x3, r3}}, 0x10001) ioctl$KDSKBMETA(0xffffffffffffffff, 0x4b63, &(0x7f0000000440)=0x4) syz_emit_ethernet(0x56, &(0x7f0000000000)={@local, @remote, @void, {@canfd={0xd, {{0x3, 0x0, 0x1, 0x1}, 0x11, 0x2, 0x0, 0x0, "f4ebe40216fede5ef6c5310f0413c5d41b32fc23e07fd332a8a5c5f966821da091f47b7b9cf9228727ff7412c2e4a3a1573bb295482d7b4a3effd863cc60f5d8"}}}}, &(0x7f0000000080)={0x0, 0x4, [0xd2d, 0xc61, 0x6d3, 0xbe2]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x1, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x7f, 0x2}}}}, 0xf) syz_execute_func(&(0x7f0000000100)="c4c2cd45f18fe800edb85c2f009ee96436360f2811c4c3c90b6b0787c4c2f1a603f30fa6d0f36f650ffa0ec4c21d2f9f5aac384f3e65f3ab") syz_extract_tcp_res(&(0x7f0000000140), 0x2c, 0x9f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000180)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x3, 0xcc) 
r4 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3000001, 0x80000, 0xffffffffffffffff, 0x0) r5 = syz_io_uring_complete(r4) r6 = io_uring_setup(0x3a3b, &(0x7f00000001c0)={0x0, 0xd9fd, 0x20, 0x0, 0x308, 0x0, 0xffffffffffffffff}) r8 = syz_io_uring_setup(0x17a8, &(0x7f0000000240)={0x0, 0xb18d, 0x15b3e67cab3a8d6e, 0x2, 0x158, 0x0, r7}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f00000002c0), &(0x7f0000000300)) syz_io_uring_setup(0x6b11, &(0x7f0000000340)={0x0, 0x15f8, 0x20, 0x2, 0xd2}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f00000003c0)=0x0, &(0x7f0000000400)=0x0) r11 = socket$bt_rfcomm(0x1f, 0x3, 0x3) r12 = io_uring_register$IORING_REGISTER_PERSONALITY(r5, 0x9, 0x0, 0x0) syz_io_uring_submit(r4, r10, &(0x7f0000001700)=@IORING_OP_RECVMSG={0xa, 0x2, 0x0, r11, 0x0, &(0x7f00000016c0)={&(0x7f0000000440)=@nl=@proc, 0x80, &(0x7f00000015c0)=[{&(0x7f00000004c0)=""/44, 0x2c}, {&(0x7f0000000500)=""/4096, 0x1000}, {&(0x7f0000001500)=""/40, 0x28}, {&(0x7f0000001540)=""/74, 0x4a}], 0x4, &(0x7f0000001600)=""/185, 0xb9}, 0x0, 0x2000, 0x1, {0x3, r12}}, 0xad23946) r13 = fsmount(r5, 0x1, 0x84) ioctl$F2FS_IOC_MOVE_RANGE(r8, 0xc01cf509, &(0x7f0000001740)={r6, 0x3, 0x6, 0x1000}) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000017c0)=[{0x0, &(0x7f0000001780)="e7bed238547695a78957b574bacb6dbc567a3232e76559b4ea3931b608578a24da4c749795975b0ae51da8a86dde75b1d684", 0x32}], 0x1, 0x0, &(0x7f0000001800), 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r9, 0x114, &(0x7f0000001840), 0x0, 0x4) syz_mount_image$afs(&(0x7f0000001880)='afs\x00', &(0x7f00000018c0)='./file0\x00', 0x5, 0x1, 
&(0x7f0000002900)=[{&(0x7f0000001900)="f1fd85c46a07345a8813287b13f21a0840903926aef8fa2cb5f6e010d14f7030376797115fff5a948041348d827dbd678e20928dc4b224e0ec33e50bf699f1ed1e39df43d899eb1a37c8d11631e7b775fc82611901ef7db3714e0ef59b98d9d7d9114ba1ba76a72edc93803359b9994b504f9e7790375fa50fceab9c0f210385722f2a054c09fecf4a04ccfacaac9d40bebb2e2bcc948d327263b0fa735b753fa367f55313bd6df7476a9961bef3e5806ae53bf7233474b637266e9fd694fb30a503fba053c46562936bb3b8fdd38da23e7225868f8cf1e7d27cacb69075657b3ca80f8be0b8e043db620f0872231b8a3108c4a10b8b723b646b3c6d5f370558640924a93ba25db1746cf2ea141b0385ac0cf9e7acc8fddd8ee32fb988491e454564eb142ec8402438ddb1d0bed6d285a2a408a9edc52776e3ae7021c10943eef0af0270372213627dd4253d95a36acd29f8095c6428f1c46c3eb21227d04606b5c92254e9ce3e220a8b8a281c8d8e9c83079ea1df4a90db9f08a58c803d8ec2bfcc99f1acd5f0625043eb4a83179e2d37c07657e4b747adcb0979a230dea4f079f220848709f2bb38c34a22c5b3caf94a02fc5f1c4d013c165abf74bed9d028a5d84ec150377f498ee0e2a86bf04b97ee40af9882bfadecf5e125fc909d250d92a31166d61121b5364524b6351e0b6a66dcdeeb5249ebabb865f1f4a1a80ada5d695d3a37b214c9f0d92507db1b8d808a96f08902ef8c97e22b75497538f54ff944a19142b6ae1b8636500e2f3920a3ab341d8d1db22dc64e1d68382162b489eaade668ba38e6e7ecf61626c719378a8ebf08ec3d5da6716461e206869b335ccbafbc7364998379d894b9c60441d98797eff0d04ce3fbf419eb9c5c778dbdc6031b19fea13adf111dd49628093da41ce252595ea3d0b6dd96364fe2e37504bc6617044ff1d0d27f759d1faa8ae854a172da0b227305bc630a46b8e5bb9f8aa40b95a4b6d5c37bddd0968e192d57242078434fdef9afdc8f18397df1ca6e76bdc71845fba2818ef8f1c1dbf0a92ddee3c8c1cfddfb64439419e63f9811ab5dafd15b2ff2a9c041331651c7afe7862875bf9961806fac694bef5f78fb9cd64c33848637444e6752200395e3731d02db34c21fca311d339e819732ede18394b45c4cbbbffd45fdf508285d26da5b3cede692af4ef2f42c734b522864755dcd719c93b268438f9b0f1add574cf7218921df68c496683c6276115c074d420f23861eeb82031e998c0833d1cbbb5b334a13606a0bc406c4c8b1c2bf8df557324d2c94cbe4c29080b63234b1bb74e5854e422eb46f736978e2943ebd28af467bd0ee096b952ff5f0b228c7ef946fd472493b0eaca937840
1669f1be675230e56bc19e4ec1234fcb4ea122dd204830109689cad7e3d702ab3e92e59016a640cce4e1e57d6e94556e7ee1f7c586309044bdca4a7b2cebb4b3fabfd578ed6c68589b8afcd4d0e5ab1b7eef6f82cd208e3ece76e3b73331fba03fb5447012992741042106ed7d386a1433fe8d4c6bce822ff8ffe1b382aa7124731a9ad6e1a52c78266174a4fefe986a508f6642577303f91ea4efb32843c6b331b32f24553a0c13016d91a230a55d81feb7dfc48ad157c7c2fc63253081021d1c65356513903ddbde8d3fd0d51747f3eaaaf9db9d6b4bd7069d8ba53d4d100ee2727979594c2fa80b9aa0edd70e3d702fb5b6cd277eeb487555886f85b657cd9eba641b28bf1e762300f3e29c5a8d8bfe077bdef7c9e2c4cfad8fc364670d7cd6ac7a86322e667760e2403c4838d61fa8669a4f62114eef423f09132e20bb95ba3522ac31049c4a3d581af3c5784910fba88cdee1ceff4ddaed827119ced5361947d0e31a9c4d25263a53654b82fc13b91f44508dd193ca1ef26d930a6b0810586d402ba0554face5c3ed077671d50d28865bfff35ca3a4dabdbd6e3b07059320f53e5c49d73cc16dd1ed2816ac98ad3853c368829c7bec40c4a9b39ee3b730bbd6c152f358e9911308c12ed1206561fc7cf7cb477145f1aaace66ac5c4468acb2f601c61e4b118be2056b6dbc18609bfd4105eee18be384a19913d274d92039790cb87420b9fdd70e734309fc7afe09e11f780d6ee6243175907a4aeecb6ca070a3374be5d3d07a788ea4e1f9d6f18eff9e7964d7076cb5b93cd97338ec05448ec527cca66790bfe32c5b2662d7fc6b836b41bf32e5bc0ddfe42d5973db86f8aed56e43112b45b0f792c5394599a13e73c25012b5aacd3aef112473c4e2e3ab6aebf5af6de9e78ac047fcc276fd976f25022c65c30a9fd67203f19e33b35cfbcfdff395c5bb53f2fd7928e43e622847280780b8cc815fb485189105a124cd8627cc3d5f1a9dd800d47a226ebf907eb2f49133d117588d280f4cc43d95254d88c8753d96073f97c531f51e5596e2e971a2161b78f75edcfbd9de38f0a9284b7cceef87598fa3bcfa5dbcbd1d284cf80cb7755465899d362d9e40c64c1a1e4cc45c3871b2104ca40c05729dccbf6d0a17500e5d0dffa3443a5233e279b2f9c518b697340d26d2872660c71a495710ee009ffb989ebb5befe5176925b78cdeb1e811c51ecdb01a47ec1d1d0ef2024c9a666f6bc5ebe13e773f89f4c80baa1d660c051c2672f91c21db5ff2d5a70126dc69140ee216c45bdd0a7b5279dece2f583bc24fc63cae88ae755722404823c5c216849dcd1085ba9902cb248ac5d192c3bdc537392a7c9ed3c359bb6d4934625f5f7a6dd51b78573fc726adabc91f41960586f64c39261126e
a67dfc32c5ae5f7d6ed88747360418d42a008d9cfc5ef15f9c588dbb9ecc374ba19ab60a3ba33fbd1b80477b0204e67c845f9f6ab589c58b578cca58af322ae66b9b12ed953703d1393d8ece9c670664fdb6b1ffa10271abc0e51d57b59102e2640bea09e911294c35abc8616990a5729bf739a8e22774a680d5770b858b932fe595b7322328ae792078ad28db4d54cbd7c9868fcbe6eed0b0aa7b7abbfb1b8efce2dd5c1e29bac66ab7f80fe7a65d2da1838660e94066a6b2e3bdb897e551bc037d779dbb6cb9bdca7030ef8226b968d5a857cb424a9bd71ecf3e0df3bca6b9195905ed05e73d0367f1649eed549d9c3d47e2f312c170dc94a701d420460e1000e237021c6b7b1bc08b35c1043c6e899ed587ef7dfb6e1c7b6e11e3a2fb4348abcc9ed1831ee373d004540a73a4c78f9d3abb101c787ba239df663924ef84e3b436868b63cd74f4d47ac9ebce3814bbdb37eeec3fea1f90688d16ff3285d359745f9c1b6dcfa98bcd32acaccd9350c070579af49c6dd8e62b3e11616b95605b5e67c90c3db1b8301de61bdfa558ee6d13f20a78d407e4f44ca793ce3d958e1522f1a64276ac8863d1a68b5b64e03ec0b22b0a787bba7b462fddf8da7d1018b32a13282bd1e83060a67c7da96e46e3b322a5d8e05ba67b3aca1c5d1bf136a57b3aa68777f00bf102dddb1dec21db309f4855d9c08edc580d652a689420bf62538b5aa263057098121d82d87e29ee26b5d5288023e501ff2730bcef00b98f13c40bc2da1a1bca1cd666484f1a3f5c8b6ffaf468fbeaaf5abfd74396fbc460e0fd2b440f5e56327e634907311dce98ec075e9ee3287f7d2dcd64493e5c5ce096bb29d77aa49a9f677e68efd44cf35b5a0d69f1ec887a5f1f35e44afe3b6904ef026b3651c697dc2af46662b923664201e4baedc28e85f33d0fcce83ecb01d04f5a0826df9fbfe7d92e31db76202533fa8bdbd4f14744f8485948ff0e40ec77d2a2ccac34f389a4f6b0e1f84f527b1282b4ba53cc0a53468eb1362d87f334f176d948d9d7fc190a1fabb36745385945f27d44c136436eeedca1ad4945c9d73d6a2d7225a1f7fa49a2b2b56d3a403a8ddd03d701bb8ba36c275b05db3b60638b9a2a234cb63b809ebfc9a771ac712762f7e96c538e1c54a7912b95944632d6d60594b900e17ee327b2b2b13be2844061fd1e350e47121fd71f130a5aeb5153ccb8ece99590ff93ea98ee589a0a4288bb6a3590b1c6e89008bbd2dc7ad38748369405c9f8c37fa75dd2ff4a384561d030948c3d16466e4f037e54d3dcabde02fb35c62b3169265c0af8018a86c3fcf3268c1a91e7131f89cf7841bb58cab8a5f89d7edb67f05f16fe84059be5abdbe44d3852fa5790c161628b21eef359aaf7db7de11c835ff9cc0b86ac
9751fd2d5c135e8acb4352bc03fdfe6c43473582cde76b157eeb03acfff742be5838a4aaba160e1c588c9e1da2758fc290ae37a7605340f726ff3d8d73d3dccdc7737499b7473eccc00c3d01d20bd989e6049d9da7dcee229fe3db7e2845ba6ef6b380680e07754dfa92d1605b3b2527ed19d01333b2b58868d7614c92b7f93c95e2c9054f7a728e0569b986018311d9ab379ac3d19c7f65f87acbd2a2bcdf122b1b9502d3c3a69efa32f4be1ef20daa42e13409d2b12dbfd03c64aca0bd66c76c04ea6a76ef0294650e59e8a379c85c5ac8e310ed99e1a5f20c9bbdbee13de1218f95be040ff5f760c7f07abe362468508a2114e0c34f93895c1e28ad8c56f1949816cffd09c028deef01e5fcf91b4384c62d0efd9b7d66b1aae302a3ed2c3037c9675ac6c86336fa603258a538409bad567981128cb8cab88d7027b2a92671cad000a2c9f317fb4ae30980d3f28512fb5f66a98b2e2077a6a7f8461bf1a78cf12b3ce6e3aa4a22f3c6373a5d04f767b83c7d57a56834f7639c9acbb9fdedea85276a0aa100b68c8a246314a8ca02ff07d1532c90d9a4a5dacba53a24c14cb94b57a8c236c985ebc98697108a43e874b6715e6be8d9685fafdba1d7e5d1b4ced62565847bdfcf62be175e8483cfd0711247664e273fcbec29f60dedd34c6810f6650b6bdc47df7267b8f53bc66ac41a5c0506edf4a805cff0343797c881256ea095fbf145754f7cb9dfba6d3c2bd12ace307629cb22dfeb5a48155de0e50a95da58b3202589b60f5dd4ca6cd22c2ed788f2721d5354374e9efacf4947294ddc8149225dce5adfb322595ed18a4dcb0565148b087e37d4247eaaecc58c5aaf1c64e87cc2cce9b8ebcaf963fc441a6dfac426be0ace4ecfb91df7732721afb34f905ce7377db3849d7401ba3d3149c08e98bcdeca6de207ed8bc7b1d6e88597da628c6b0a73cf9674a207dd8745fe5b32bdd8f5509f14fc15cf9504bf6634b2df2836e95c736e2762f2714bfd130af991d8b648a9372158383a2f53e14c7cfc7663db5ca5c8a9cdd155e38c1f70e51613588128dd085bbdd7ed239b97e8958cef35f117eab19b370ff2e4e25689d62b684fd4afceb263251fa92e8c6b2aa2e34d3fb8aaed18cdc734f9b420c8d7b931555ebd7990ca073fb81be982794e000d50572eb0761d495ba8068f657d7f7b919e66a25e03211dfe690f4081fc5de14f5f9d8be478024e60a3138080d9ce97ae23e291e77a6e4a507a96ae0c07d9604a95b43b8174c33175ba295050186f723b50a609ee09b4267e4d2af4296ce657bb8b5e996f98bd75ed42d0954895d97d988329d925f62894474d1caa5de988ed7b5c6deacfd90ad947efebf6cf61b45d9c7b1ba59e9ec4b8559aff8d3d05fb00f57ec942b0e9b9fdbde2
6cad340cbb4f7c0447b707ed8f6d4f989d0b1da0d0cdae617b01436fa68e37775e844415ebd11a3350846cf0b419fad6db94ccc8283e95019db5591b9e81c5d32707b3002afb24058495f6c21cd4b9e12af7a1f4054fda37ba6a2945e899899761012548e4122a69556e0ca51e23194bdc4e272", 0x1000, 0x9}], 0x20005, &(0x7f0000002940)={[{@flock_openafs='flock=openafs'}, {@dyn='dyn'}, {@autocell='autocell'}, {@dyn='dyn'}, {@flock_openafs='flock=openafs'}, {@source={'source', 0x3d, '&'}}, {@source={'source', 0x3d, 'SEG6\x00'}}], [{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@subj_user={'subj_user', 0x3d, 'SEG6\x00'}}, {@smackfstransmute={'smackfstransmute', 0x3d, ':'}}, {@seclabel='seclabel'}]}) syz_open_dev$I2C(&(0x7f0000002a00)='/dev/i2c-#\x00', 0xad8, 0x2a2000) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000002a40)=0x0) syz_open_procfs(r15, &(0x7f0000002a80)='net\x00') syz_open_pts(r13, 0x0) syz_read_part_table(0x1, 0x7, &(0x7f0000002e80)=[{&(0x7f0000002ac0)="7ad3cd802dd0c424945d99ca9ca6e4fbb8f8e3b980d2ec", 0x17, 0x1000}, {&(0x7f0000002b00)="329de80b2b17bbd25d1f1907a9263af3bf05c4a7061e28492a3f71c6343aa5aaea0327a3", 0x24, 0x5}, {&(0x7f0000002b40)="82791dfd311d07db7d65e803ce6ca00028af8ff8d276187e0e14bbf7beab60fc4b70722e91b6322b8e3472191a66176bb0ca91dee60f1506a6d48be4055230c30be94a1043a1d2a06d42166069d8033d6c524c8610b8c4bb63af0ce6d6207137f1be1b62b002e8c35e6467c2423cc6597d1ca58ee31589f0248ac762e24a286a41a761912d34bb56f07db88ca52fce8d128762394fa00faac8451a42c3144bdec7e97296c9eac7c9f63110a3d405c16b0428880024e8c9c8af490b8cfad84cbb637878d634cd84346b60c9132c09660cdc616a0b", 0xd4, 0x7fff}, {&(0x7f0000002c40)="904bbcee2b46daa1ac643b7b6b8ea0ff462feabee541b411a885e470a496cbbdc729ffdebc50807f719cbe808d8b598b4767c7a852d9ce0c880a9b078b0187deac926bd4687a44f092bb", 0x4a, 0x5}, 
{&(0x7f0000002cc0)="3531ae257e7e0877cde340c42edbfc91dcffaff1284ef08a451e4c76e0cd83b2c0ea10d86bcefa93bbaef5fffbfe7dc70b73b89c55fc3851110d1bd0d1da31753320b111fe7060537e8f65f3c2f05adcb3d66bd2abe6b08aaae0d0eedca9937707ec4cb4874cdfd05800812ab53f9550b25a28ee69e62a0f790fe5233fc8645fc3fe6cae055f2aa1729125170151e86eeab67bb20bc884a1214c2d3d969c34fb239b45feec93ac209721bae7271251c613cea9379c1521", 0xb7, 0x4}, {&(0x7f0000002d80)="c3f04f26929b7a4d6342841fa53a9a8cb8006a97f428", 0x16, 0x6}, {&(0x7f0000002dc0)="c9871275e3269ff1bdcd67fb523e1ceb5151b0ede9e032634e36d486046bc31cd978bda59247355316319e768e7ac6be0648bf0fecd13cdad45f713e0e3b74e95eec77063c02a233ea97d338f4b1e9bc5a7cce85528742632ed59cec016f3914dd02ca6b1dc833224895277350cf1f21d6c78f8592717e91233f9026927e0cc3d80cdc57714763a0fcb091f5c69051b55cd2e1fcc33b13d597c5caeeb271c542978a1e17", 0xa4, 0x9c}]) r16 = syz_usb_connect(0x4, 0x384, &(0x7f0000002f00)={{0x12, 0x1, 0x201, 0xa4, 0x61, 0x1e, 0x40, 0xacd, 0x300, 0xc0df, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x372, 0x2, 0x4, 0x1f, 0x0, 0x1, [{{0x9, 0x4, 0x5d, 0xb3, 0x1, 0xad, 0x49, 0x76, 0x20, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x80}]}], [{{0x9, 0x5, 0xd, 0x0, 0x230, 0x5d, 0x1, 0x3f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x2}, @generic={0xba, 0xe, "f4e6e5762883c34df04f356099f1d34bdbc9f5324da648053fd690211b897119c4f3ac197f2aa93f2f3be05f836b1644d5b2327648b30816ed192f943dfce225f69d77c51565e177fd889c9c9d8c85b92ee4bead0e889446bbc320a40fa24807f476bfd1f1b3096e3370f755c94aa01c3be4ddc7952a5694bcad4beb4065bf5ea96066c43e9507e6220c47bc0271adcbaffce6ac90cb3c8b1cf748c6bbf97108dfa2cac4b87d3420428434397e07f17a87ed6233b39e32f0"}]}}]}}, {{0x9, 0x4, 0x5d, 0x27, 0x7, 0x3f, 0x84, 0xfd, 0x3, [@uac_as={[@format_type_i_discrete={0x10, 0x24, 0x2, 0x1, 0xe2, 0x2, 0x63, 0x40, "e721cc44acca8938"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x1, 0x0, "9ef42f"}, @as_header={0x7, 0x24, 0x1, 0x4, 0x1, 0x4}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x19, 0x6, "9e", "6983"}]}, 
@uac_as], [{{0x9, 0x5, 0xf, 0x0, 0x3ff, 0xf6, 0x5, 0x80}}, {{0x9, 0x5, 0x1, 0x10, 0x10, 0x0, 0x40, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x20, 0x6}]}}, {{0x9, 0x5, 0xb, 0x8, 0x10, 0x1, 0x2}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x4, 0x8, 0xc0, [@generic={0xbb, 0x31, "215ce6ab8f3c72caa3ab1326f18838908ac60bffb3b50748144aa2cbc4d7cac56f4a7bb2bd6c969674a5e4040861bb21ba5ccf0f822c1032e7e3729f8c171fc7a89b5340b5067108d597f178aa651a98aca4d012fa555a695683b527e6031f1f7f20494b250e3a6cd8b4de9647e150049867097c47cc237c612cefe698332f1fe7f02e6f53e845b1f5e7b4b24ad8629b78ce7630e2d40120fbc3f49375a4a086dedd2a27f06b3ed3d756a819b97f759aa54aef83df4868a9e9"}]}}, {{0x9, 0x5, 0x3, 0x12, 0x3ff, 0x0, 0x1, 0xff, [@generic={0xad, 0x31, "0c921d3f980f4e53147a46bd5856da03081660fbed7b8b2d389be8a038e95c2958a477ed5faf9ef38c82c3abea254459edb0f2cf286235034087adb7907ff192640b936886bd48d3a51215406b3aa0b6d8f8d91d830f5236a9a8be03c2215f012131968c6a80860ae81193059468108efd4f1305379d0115c7ec667b0359940e5664bf7b3c4a5f04ca3c51db9d2cd417e9099bff628b8e1a8ed0f596149357a08abd1177eb977353eb8932"}, @generic={0x93, 0x11, "a8e22d542ae3d831f337211bb5be12a5c46e5cf9b556d84d5af4caca8742ad216140562b7e5421e2642471e8f50eb8aef06212b46c644ae58463e18b3e72bd3eca6060fa8b94031796e55eb41d3f318affbf081eeb1708851e72fadd887e0330134319f0a5967eda657bc1101f74deba42e78aff20fb5d3c1fe49d9a054657b6f1af3d015fc16ff80873f326690843df81"}]}}, {{0x9, 0x5, 0xf, 0x4, 0x200, 0x0, 0x1f, 0x1, [@generic={0x11, 0x6, "824b7d0957bc552d224fdf6bff63a8"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x6}]}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x1f, 0xfd, 0x3}}]}}]}}]}}, &(0x7f0000003400)={0xa, &(0x7f00000032c0)={0xa, 0x6, 0x110, 0x4d, 0x80, 0x80, 0x20, 0xc1}, 0x46, &(0x7f0000003300)={0x5, 0xf, 0x46, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x35, 0x0, 0xdf, 0x9, 0xf7}, @ext_cap={0x7, 0x10, 0x2, 0xe, 0xb, 0x6, 0x9}, @ssp_cap={0x18, 0x10, 0xa, 0x1, 0x3, 0x7fffffe, 0xff0f, 0x101, [0xffc0a0, 0x0, 0xffff0f]}, @ssp_cap={0x10, 0x10, 0xa, 0x3, 0x1, 0x200, 0xff00, 0x1, [0x0]}, @ext_cap={0x7, 
0x10, 0x2, 0x16, 0x8, 0xe, 0x7}]}, 0x2, [{0x4, &(0x7f0000003380)=@lang_id={0x4, 0x3, 0x380a}}, {0x4, &(0x7f00000033c0)=@lang_id={0x4, 0x3, 0x42f}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000003440)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r16, &(0x7f00000036c0)={0x18, &(0x7f00000034c0)={0x20, 0x8, 0xd4, {0xd4, 0x31, "dd9fe1d6f8ee76d6289246b5277cc19f3c4621add821a7f3d1aae994dbf4b1bd89e8770734768ade97e51d248f53cd530b31119aaccf53b6f6eddf4b8bfe6a1a859c3dc286f8335c9d15e5d5169b244155391062ff885d40be3707b6d1ea252a96d97ab24fb675f54557cfa24d805b0795708af5065d4b6662dfd54dd59cfce1673ab356a254f6b5bce44c619a17ffce8ebb96e083c082450062bd71a206ca921e0b77f517c1619586b3bca3e2490821016cc76caf96c0ec9068b45e2334ed9a6ff06a6343ae01f0aef6127ebaf5b52d69e3"}}, &(0x7f00000035c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40e}}, &(0x7f0000003600)={0x0, 0xf, 0x28, {0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @generic={0x20, 0x10, 0xa, "195fa2f324c0be96da3db26afa5677530ac0faf4c682be7c15e9a58666"}]}}, &(0x7f0000003640)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x1, 0x0, 0x9, "057c417e", "8da436c4"}}, &(0x7f0000003680)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x20, 0x10, 0x80, 0x40, 0x1f, 0x0, 0x5}}}, &(0x7f0000003b40)={0x44, &(0x7f0000003700)={0x60, 0x8, 0x54, "85f988045278f97532a667cbee9b821d6554fb1c6d18dffb785196d90727e1b4615c86ee049a1696b1668f000e62d539e081cf07e360171ce61ca2f95644b9ad8e9211a1b19c4399bdfd6d533bf8955242725bb4"}, &(0x7f0000003780)={0x0, 0xa, 0x1, 0x1}, &(0x7f00000037c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000003800)={0x20, 0x0, 0x4, {0x2}}, &(0x7f0000003840)={0x20, 0x0, 0x8, {0x200, 0x40, [0xff]}}, &(0x7f0000003880)={0x40, 0x7, 0x2, 0x1}, &(0x7f00000038c0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000003900)={0x40, 0xb, 0x2, "8eaf"}, &(0x7f0000003940)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000003980)={0x40, 0x13, 0x6, @dev={[], 0x38}}, &(0x7f00000039c0)={0x40, 0x17, 0x6, @broadcast}, &(0x7f0000003a00)={0x40, 0x19, 0x2, '{k'}, 
&(0x7f0000003a40)={0x40, 0x1a, 0x2, 0x40}, &(0x7f0000003a80)={0x40, 0x1c, 0x1}, &(0x7f0000003ac0)={0x40, 0x1e, 0x1, 0xfe}, &(0x7f0000003b00)={0x40, 0x21, 0x1, 0xfa}}) r17 = syz_usb_connect$hid(0x4, 0x3f, &(0x7f0000003bc0)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x46d, 0xc22d, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x10, 0x2, [{{0x9, 0x4, 0x0, 0x2f, 0x2, 0x3, 0x1, 0x1, 0xfd, {0x9, 0x21, 0x9, 0x1, 0x1, {0x22, 0x2ff}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0x6, 0xff, 0x4}}, [{{0x9, 0x5, 0x2, 0x3, 0x8, 0x4, 0x6, 0x7f}}]}}}]}}]}}, &(0x7f0000003cc0)={0xa, &(0x7f0000003c00)={0xa, 0x6, 0x300, 0x3, 0x2, 0xfa, 0x8, 0x74}, 0x28, &(0x7f0000003c40)={0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x3, 0x5, 0x8, 0xf00, 0xf831, [0xc0, 0xc0a0, 0xff000f, 0x7, 0xc0f0]}]}, 0x1, [{0x4, &(0x7f0000003c80)=@lang_id={0x4, 0x3, 0x436}}]}) syz_usb_disconnect(r17) syz_usb_ep_read(0xffffffffffffffff, 0x80, 0xc4, &(0x7f0000003d00)=""/196) syz_usb_ep_write(r16, 0x7f, 0x63, &(0x7f0000003e00)="5074fa81f3f373da2799cafb26b4497cb3c87bc0f82fa7885468bd41232065aa9561d24ae0f1d0e036ac714ac5af89c69d8861cad713fcb8bacb8c4b10dc3b6ec2044c01f371b124c0a0f4bace7d5179872cdd205e09c3eeb7d5577b26e98f84554ed6") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = 
"./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{
	// Formatted output longer than the buffer is truncated by vsnprintf.
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	// No O_CREAT: the target has to exist already.
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		// Keep the errno of the failed write; close() may overwrite it.
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

const int kInitNetNsFd = 239;

// Entry sizes and byte offsets used below to address fields inside the mapped
// io_uring ring. The values are hard-coded here rather than taken from
// io_uring_params; presumably they mirror the kernel layout — TODO confirm.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

// Local copy of a completion queue entry (16 bytes, see SIZEOF_IO_URING_CQE).
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

// Consume one completion entry from the ring mapped at a0: copy the CQE at the
// masked head index, then publish head + 1. Returns the entry's res when its
// user_data is 0x12345 or 0x23456, and -1 for any other entry.
// The tail is not consulted, so the slot is read whether or not the kernel has
// posted a completion there.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	// Release store: the copy above is complete before the new head is visible.
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}

// Submission-ring field offsets, as laid out inside io_uring_params.
struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};

// Completion-ring field offsets, as laid out inside io_uring_params.
struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};

// Parameter block handed to the io_uring_setup syscall below; the sizes
// computed after the call are read back from it.
struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

// mmap offsets selecting the SQ ring and the SQE array on the io_uring fd.
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

// Pseudo-syscall: call io_uring_setup(a0 entries, a1 params) and map the rings.
//   a2, a3 - addresses at which the ring and the SQE array are mapped
//   a4, a5 - out-pointers receiving the two mapping addresses
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;
	// The syscall result is stored unsigned and is not tested for failure here.
	uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	// Both rings are covered by one mapping sized for the larger of the two.
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ?
sq_ring_sz : cq_ring_sz;
	// MAP_FIXED places each mapping exactly at the caller-supplied address.
	// Neither mmap result is compared with MAP_FAILED before it is stored.
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Pseudo-syscall: queue one submission entry.
//   a0 - ring mapping, a1 - SQE array mapping, a2 - SQE to copy in,
//   a3 - requested SQE slot (reduced modulo the ring's entry count)
// Copies the 64-byte SQE into the slot, records the slot index in the SQ index
// array at the masked tail, and publishes tail + 1. Always returns 0.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ index array is located after the CQEs, rounded up to 64 bytes.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	// Keeps the slot inside the SQE array; left as-is when the ring reports 0 entries.
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	// Release store: the SQE and index writes are complete before the new tail is visible.
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

// Pseudo-syscall: memcpy(a0 + a1, a2 + a3, a4). Addresses, offsets and length
// all come straight from the program arguments; nothing is range-checked.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

#define MAX_FDS 30

// Capacity limits of the descriptor index built by parse_usb_descriptor.
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

// Copy of one endpoint descriptor plus a handle slot (not written in this part
// of the listing).
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

// One interface found in the configuration blob: a pointer into the blob,
// cached identifying fields, and the endpoints that followed it.
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

// Index over a device + configuration descriptor blob. dev, config and the
// per-interface iface pointers point into the caller's buffer, so that buffer
// has to stay valid for as long as the index is used.
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

// Association of an fd with its parsed descriptor index.
struct usb_info {
	int fd;
	struct usb_device_index index;
};

// Fixed table of emulated devices; slots are handed out through usb_devices_num.
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

// Build `index` from a blob holding a device descriptor followed by a
// configuration descriptor and its interface/endpoint descriptors.
// Returns false only when the blob is too short for the two leading
// descriptors. The walk stops at the first descriptor whose length is <= 2 or
// would run past `length`; interfaces beyond USB_MAX_IFACE_NUM and endpoints
// beyond USB_MAX_EP_NUM per interface are skipped.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	// -1: no interface selected yet.
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		// Need at least the bLength and bDescriptorType bytes.
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		// A length of 0..2 could not advance past the header; stop parsing.
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		// NOTE(review): the bound above covers desc_length bytes, while the
		// interface fields read below and the endpoint memcpy use the struct
		// sizes. A descriptor that declares a shorter length near the end of
		// the buffer would be read past `length` — confirm the caller's
		// buffer has slack or that short descriptors cannot reach here.
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		// Endpoints are attached to the most recently recorded interface.
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset +=
desc_length;
	}
	return true;
}

// Reserve the next slot of usb_devices, parse the descriptor blob into it and
// bind it to fd. Returns the slot's index, or NULL when the table is full or
// the blob does not parse. The slot counter is advanced before either check,
// so a failed call still consumes a slot.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	// fd is published last (release) so a reader that matches it sees a parsed index.
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Return the index registered for fd, or NULL when no slot holds that fd.
// NOTE(review): slots that were never filled hold fd 0 (static storage), so a
// lookup for fd 0 would match one — presumably fd 0 is never a gadget fd; confirm.
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

// One program-supplied string descriptor: length and data pointer.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Program-supplied descriptors served during enumeration: device qualifier,
// BOS, and strs_len string descriptors stored inline after the header.
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor ("syz" as 16-bit characters); byte 0 is its length.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

// Fallback answer for string index 0: a single language id, bytes 0x09 0x04.
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// Choose the reply to a device-to-host control request seen while connecting.
// Only standard GET_DESCRIPTOR requests are handled; on a match
// *response_data / *response_length describe the reply and true is returned,
// otherwise false. Lengths and pointers taken from `descs` are passed through
// as supplied by the program.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// High byte of wValue is the descriptor type, low byte the index.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				// Program-supplied strings win; descs may be NULL here.
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// NOTE(review): descs is dereferenced without the NULL test
				// used in the USB_DT_STRING case — confirm callers never
				// pass NULL when a BOS request can arrive.
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				// NOTE(review): same unchecked descs dereference as above.
				if (!descs->qual) {
					// No qualifier supplied: synthesize one from the device descriptor.
					// NOTE(review): response_data is the char** out-parameter,
					// so the qualifier is written over the caller's pointer
					// variable itself and *response_data is never assigned on
					// this path. Likely meant to fill a caller buffer — confirm
					// against the caller.
					struct usb_qualifier_descriptor* qual =
					    (struct usb_qualifier_descriptor*)response_data;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Handler type for host-to-device requests during connect: returns true when
// the request is accepted and sets *done when enumeration is finished.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic handler: accepts only the standard SET_CONFIGURATION request, which
// also completes the connect sequence.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// Vendor request codes recognised by the ath9k handler below.
#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k handler: accepts SET_CONFIGURATION and the firmware download vendor
// request without finishing; the connect sequence is done only on
// ATH9K_FIRMWARE_DOWNLOAD_COMP.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return
true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return 
true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int 
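usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
    /*
     * Issue USB_RAW_IOCTL_INIT with the given UDC driver/device names.
     * strncpy() zero-pads short names to the full field width.
     * NOTE(review): a name of UDC_NAME_LENGTH_MAX bytes or more would be
     * stored without a terminating NUL; the only caller visible here passes
     * short names.
     */
    struct usb_raw_init arg;
    strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
    strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
    arg.speed = speed;
    return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

/*
 * Thin wrappers, one per raw-gadget ioctl. Each forwards its argument
 * unchanged and returns the ioctl() result as-is.
 */
static int usb_raw_run(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
    return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

/* On success the result is stored by set_interface() as the endpoint handle. */
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
    return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Find the interface with the given number and alternate setting in the
 * index recorded for `fd`.
 * Returns its position in index->ifaces, or -1 when `fd` has no index or no
 * interface matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    int i;
    if (!index)
        return -1;
    for (i = 0; i < index->ifaces_num; i++) {
        if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
            index->ifaces[i].bAlternateSetting == bAlternateSetting)
            return i;
    }
    return -1;
}

/*
 * Translate an endpoint address into the handle stored for it on the
 * currently selected interface.
 * Returns the handle, or -1 when `fd` has no index, no interface is selected,
 * or the selected interface has no endpoint with that address.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    int ep;
    if (!index)
        return -1;
    if (index->iface_cur < 0)
        return -1;
    /*
     * Bound the scan by eps_num. The condition used to be the bare eps_num
     * value, so for any interface with endpoints an address that was not
     * found kept the loop reading past the end of eps[].
     */
    for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
        if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
            return index->ifaces[index->iface_cur].eps[ep].handle;
    return -1;
}

/*
 * Switch the device behind `fd` to interface entry `n`: disable every
 * endpoint of the current interface, then enable the endpoints of `n` and
 * record the returned handles. Out-of-range values on either side are
 * skipped, and individual ioctl failures are ignored (best effort).
 */
static void set_interface(int fd, int n)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    int ep;
    if (!index)
        return;
    if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
        for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
            /* Result deliberately ignored. */
            (void)usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
        }
    }
    if (n >= 0 && n < index->ifaces_num) {
        for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
            int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
            /* A failed enable keeps whatever handle was stored before. */
            if (rv >= 0)
                index->ifaces[n].eps[ep].handle = rv;
        }
        index->iface_cur = n;
    }
}

/*
 * Complete configuration of the gadget: report bMaxPower via VBUS_DRAW,
 * issue CONFIGURE, then select interface entry 0.
 * Returns 0 on success, -1 when `fd` has no index, or the failing ioctl's
 * result.
 */
static int configure_device(int fd)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return -1;
    int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
    if (rv < 0) {
        return rv;
    }
    rv = usb_raw_configure(fd);
    if (rv < 0) {
        return rv;
    }
    set_interface(fd, 0);
    return 0;
}

/* Size of the fixed payload buffers used for control and endpoint transfers. */
#define USB_MAX_PACKET_SIZE 4096

/* usb_raw_event header plus room for the control request and its payload. */
struct usb_raw_control_event {
    struct usb_raw_event inner;
    struct usb_ctrlrequest ctrl;
    char data[USB_MAX_PACKET_SIZE];
};

/* usb_raw_ep_io header plus a fixed-size payload buffer. */
struct usb_raw_ep_io_data {
    struct usb_raw_ep_io inner;
    char data[USB_MAX_PACKET_SIZE];
};

static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev,
                                          const struct vusb_connect_descriptors* descs,
                                          lookup_connect_out_response_t lookup_connect_response_out)
{
    if (!dev) {
        return -1;
    }
    int fd = usb_raw_open();
    if (fd < 0) {
        return fd;
    }
    if (fd >= MAX_FDS) {
        close(fd);
        return -1;
    }
    /*
     * NOTE(review): from here on the error returns in this span leave `fd`
     * open; only the MAX_FDS check above closes it.
     */
    struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
    if (!index) {
        return -1;
    }
    char device[32];
    sprintf(&device[0], "dummy_udc.%llu", procid);
    int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
    if (rv < 0) {
        return rv;
    }
    rv = usb_raw_run(fd);
    if (rv < 0) {
        return rv;
    }
    bool done =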
false;
    /*
     * Enumeration loop: answer control requests until the OUT-request
     * handler sets `done`.
     */
    while (!done) {
        struct usb_raw_control_event event;
        event.inner.type = 0;
        event.inner.length = sizeof(event.ctrl);
        rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
        if (rv < 0) {
            return rv;
        }
        /* Only control events are answered; anything else is skipped. */
        if (event.inner.type != USB_RAW_EVENT_CONTROL)
            continue;
        char* response_data = NULL;
        uint32_t response_length = 0;
        if (event.ctrl.bRequestType & USB_DIR_IN) {
            /* IN request: the reply comes from the supplied descriptors. */
            if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
                usb_raw_ep0_stall(fd);
                continue;
            }
        } else {
            /* OUT request: nothing to send; read wLength bytes instead. */
            if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
                usb_raw_ep0_stall(fd);
                continue;
            }
            response_data = NULL;
            response_length = event.ctrl.wLength;
        }
        if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
            event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
            rv = configure_device(fd);
            if (rv < 0) {
                return rv;
            }
        }
        struct usb_raw_ep_io_data response;
        response.inner.ep = 0;
        response.inner.flags = 0;
        /*
         * Bounds for the copy below: a length larger than the fixed buffer
         * is reset to 0, and the reply never exceeds the wLength asked for.
         */
        if (response_length > sizeof(response.data))
            response_length = 0;
        if (event.ctrl.wLength < response_length)
            response_length = event.ctrl.wLength;
        response.inner.length = response_length;
        if (response_data)
            memcpy(&response.data[0], response_data, response_length);
        else
            memset(&response.data[0], 0, response_length);
        if (event.ctrl.bRequestType & USB_DIR_IN) {
            rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
        } else {
            rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
        }
        if (rv < 0) {
            return rv;
        }
    }
    sleep_ms(200);
    return fd;
}

/*
 * Pseudo-syscall: connect an emulated USB device using the generic handler
 * for OUT control requests.
 * a0 = speed, a1 = length of the device descriptor blob, a2 = pointer to it,
 * a3 = pointer to the connect descriptors. Returns whatever
 * syz_usb_connect_impl() returns (the raw-gadget fd on success).
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    uint64_t speed = a0;
    uint64_t dev_len = a1;
    const char* dev = (const char*)a2;
    const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
    return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/*
 * Same as syz_usb_connect(), but OUT control requests are handled by
 * lookup_connect_response_out_ath9k.
 */
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    uint64_t speed =
a0;
    uint64_t dev_len = a1;
    const char* dev = (const char*)a2;
    const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
    return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

/*
 * Pseudo-syscall: fetch one control event on the gadget `a0` and answer it
 * from the caller-supplied tables (a1 = vusb_descriptors, a2 =
 * vusb_responses). Both pointers are used as given.
 */
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
    int fd = a0;
    const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
    const struct vusb_responses* resps = (const struct vusb_responses*)a2;
    struct usb_raw_control_event event;
    event.inner.type = 0;
    event.inner.length = USB_MAX_PACKET_SIZE;
    int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
    if (rv < 0) {
        return rv;
    }
    if (event.inner.type != USB_RAW_EVENT_CONTROL) {
        return -1;
    }
    char* response_data = NULL;
    uint32_t response_length = 0;
    if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
        /* IN request with a data stage: look the reply up, stall if none. */
        if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
            usb_raw_ep0_stall(fd);
            return -1;
        }
    } else {
        /*
         * NOTE(review): the condition is "standard request OR bRequest ==
         * SET_INTERFACE", so every standard request reaches the interface
         * switch below - confirm whether AND was intended.
         */
        if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
            event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
            int iface_num = event.ctrl.wIndex;
            int alt_set = event.ctrl.wValue;
            int iface_index = lookup_interface(fd, iface_num, alt_set);
            if (iface_index < 0) {
            } else {
                set_interface(fd, iface_index);
            }
        }
        response_length = event.ctrl.wLength;
    }
    struct usb_raw_ep_io_data response;
    response.inner.ep = 0;
    response.inner.flags = 0;
    /*
     * Bounds for the copy below: a table-supplied length larger than the
     * fixed buffer is reset to 0, and the reply is capped at wLength.
     */
    if (response_length > sizeof(response.data))
        response_length = 0;
    if (event.ctrl.wLength < response_length)
        response_length = event.ctrl.wLength;
    /* IN request without a data stage: a full-size buffer is used. */
    if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
        response_length = USB_MAX_PACKET_SIZE;
    }
    response.inner.length = response_length;
    if (response_data)
        memcpy(&response.data[0], response_data, response_length);
    else
        memset(&response.data[0], 0, response_length);
    if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
        rv = usb_raw_ep0_write(fd, (struct
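usb_raw_ep_io*)&response);
    } else {
        rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
    }
    if (rv < 0) {
        return rv;
    }
    sleep_ms(200);
    return 0;
}

/*
 * Pseudo-syscall: write up to USB_MAX_PACKET_SIZE bytes to an endpoint.
 * a0 = gadget fd, a1 = endpoint address, a2 = length, a3 = source pointer.
 * The length is capped at the size of the local buffer before the copy.
 * Returns 0 on success, -1 for an unknown endpoint, or the ioctl result.
 */
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    int fd = a0;
    uint8_t ep = a1;
    uint32_t len = a2;
    char* data = (char*)a3;
    int ep_handle = lookup_endpoint(fd, ep);
    if (ep_handle < 0) {
        return -1;
    }
    struct usb_raw_ep_io_data io_data;
    io_data.inner.ep = ep_handle;
    io_data.inner.flags = 0;
    if (len > sizeof(io_data.data))
        len = sizeof(io_data.data);
    io_data.inner.length = len;
    memcpy(&io_data.data[0], data, len);
    int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
    if (rv < 0) {
        return rv;
    }
    sleep_ms(200);
    return 0;
}

/*
 * Pseudo-syscall: read from an endpoint into the caller's buffer.
 * a0 = gadget fd, a1 = endpoint address, a2 = length, a3 = destination.
 * The length is capped at the size of the local buffer.
 * NOTE(review): the copy-out uses io_data.inner.length (the requested,
 * capped length), not the ioctl's return value.
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    int fd = a0;
    uint8_t ep = a1;
    uint32_t len = a2;
    char* data = (char*)a3;
    int ep_handle = lookup_endpoint(fd, ep);
    if (ep_handle < 0) {
        return -1;
    }
    struct usb_raw_ep_io_data io_data;
    io_data.inner.ep = ep_handle;
    io_data.inner.flags = 0;
    if (len > sizeof(io_data.data))
        len = sizeof(io_data.data);
    io_data.inner.length = len;
    int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
    if (rv < 0) {
        return rv;
    }
    memcpy(&data[0], &io_data.data[0], io_data.inner.length);
    sleep_ms(200);
    return 0;
}

/* Pseudo-syscall: close the gadget fd; returns the close() result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
    int fd = a0;
    int rv = close(fd);
    sleep_ms(200);
    return rv;
}

/*
 * Pseudo-syscall: open a device node.
 * a0 == 0xc / 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
 * (both numbers truncated to 8 bits) read-write.
 * Otherwise a0 is a pointer to a path template: every '#' is replaced by
 * the next decimal digit of a1 (least significant first) and the result is
 * opened with flags a2. The template is copied with explicit truncation and
 * NUL termination.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        char buf[128];
        sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    } else {
        char buf[1024];
        char* hash;
        strncpy(buf, (char*)a0, sizeof(buf) - 1);
        buf[sizeof(buf) - 1] = 0;
        while ((hash = strchr(buf, '#'))) {
            *hash = '0' + (char)(a1 % 10);
            a1 /= 10;
        }
        return open(buf, a2, 0);
    }
}

/*
 * Pseudo-syscall: open a procfs file named by the string at a1.
 * a0 == 0 selects /proc/self, a0 == -1 /proc/thread-self, any other value
 * /proc/self/task/<a0>. The path is built with snprintf(), so an over-long
 * name is truncated. Read-write is tried first, then read-only.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
    char buf[128];
    memset(buf, 0, sizeof(buf));
    if (a0 == 0) {
        snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
    } else if (a0 == -1) {
        snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
    } else {
        snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
    }
    int fd = open(buf, O_RDWR);
    if (fd == -1)
        fd = open(buf, O_RDONLY);
    return fd;
}

/*
 * Pseudo-syscall: query the pty number of fd a0 with TIOCGPTN and open the
 * matching /dev/pts/<n> with flags a1. Returns -1 if the ioctl fails.
 */
static long syz_open_pts(volatile long a0, volatile long a1)
{
    int ptyno = 0;
    if (ioctl(a0, TIOCGPTN, &ptyno))
        return -1;
    char buf[128];
    sprintf(buf, "/dev/pts/%d", ptyno);
    return open(buf, a1, 0);
}

/*
 * Pseudo-syscall: create a socket in the network namespace saved at
 * kInitNetNsFd, then switch back to the caller's namespace.
 * Returns the socket() result with its errno preserved. If the process
 * cannot return to its own namespace it exits, so the rest of the program
 * never runs in the wrong one.
 */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        return netns;
    if (setns(kInitNetNsFd, 0)) {
        /* Release the saved-namespace fd on this path too; keep setns()'s errno. */
        int saved = errno;
        close(netns);
        errno = saved;
        return -1;
    }
    int sock = syscall(__NR_socket, domain, type, proto);
    int err = errno;
    if (setns(netns, 0))
        exit(1);
    close(netns);
    errno = err;
    return sock;
}

/*
 * Pseudo-syscall: resolve a generic-netlink family name (string at `name`)
 * to its numeric id with a CTRL_CMD_GETFAMILY request.
 */
static long syz_genetlink_get_family_id(volatile long name)
{
    char buf[512] = {0};
    struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
    struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
    struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
    hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
    hdr->nlmsg_type = GENL_ID_CTRL;
    hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    genlhdr->cmd = CTRL_CMD_GETFAMILY;
    attr->nla_type = CTRL_ATTR_FAMILY_NAME;
    attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
    /* The name is copied with a GENL_NAMSIZ bound into the zeroed buffer. */
    strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
    struct iovec iov = {hdr, hdr->nlmsg_len};
    struct sockaddr_nl addr = {0};
    addr.nl_family = AF_NETLINK;
    int fd = socket(AF_NETLINK, SOCK_RAW,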
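NETLINK_GENERIC);
    if (fd == -1) {
        return -1;
    }
    struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
    if (sendmsg(fd, &msg, 0) == -1) {
        close(fd);
        return -1;
    }
    ssize_t n = recv(fd, buf, sizeof(buf), 0);
    close(fd);
    if (n <= 0) {
        return -1;
    }
    if (hdr->nlmsg_type != GENL_ID_CTRL) {
        return -1;
    }
    /*
     * Walk the attributes of the reply up to the received length.
     * NOTE(review): the step is the reply's own nla_len, so a zero nla_len
     * would never advance; the reply is produced by the kernel.
     */
    for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
        if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
            return *(uint16_t*)(attr + 1);
    }
    return -1;
}

/* One chunk of a filesystem image: `size` bytes at `data`, placed at `offset`. */
struct fs_image_segment {
    void* data;
    uintptr_t size;
    uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)

#define sys_memfd_create 356

/*
 * Sanitise a caller-supplied segment table in place and compute the image
 * size.
 *
 * At most IMAGE_MAX_SEGMENTS entries are examined. For each of them the size
 * is capped at IMAGE_MAX_SIZE and the offset is reduced so that
 * offset + size <= IMAGE_MAX_SIZE. The returned size is the larger of the
 * requested `size` and the end of the furthest segment, capped at
 * IMAGE_MAX_SIZE.
 *
 * `nsegs` is passed by value, so the cap on the number of segments is not
 * visible to the caller; callers have to apply it themselves before they
 * iterate over the table.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
    unsigned long i;
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;
    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    for (i = 0; i < nsegs; i++) {
        if (segs[i].size > IMAGE_MAX_SIZE)
            segs[i].size = IMAGE_MAX_SIZE;
        segs[i].offset %= IMAGE_MAX_SIZE;
        if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
            segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
        /*
         * The image has to reach the END of the segment (offset + size);
         * the earlier code added the offset to itself.
         */
        if (size < segs[i].offset + segs[i].size)
            size = segs[i].offset + segs[i].size;
    }
    if (size > IMAGE_MAX_SIZE)
        size = IMAGE_MAX_SIZE;
    return size;
}

/*
 * Pseudo-syscall: build an image from the segment table in a memfd, attach
 * it to this process's loop device with partition scanning enabled, and
 * symlink each partition node that shows up (p1..p7) as ./file0, ./file1, ...
 *
 * Returns 0 on success and -1 on failure with errno set to the first error.
 * The loop device is detached and both descriptors are closed on every path.
 */
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
    char loopname[64], linkname[64];
    int loopfd, err = 0, res = -1;
    unsigned long i, j;
    size = fs_image_segment_check(size, nsegs, segments);
    /*
     * Only the first IMAGE_MAX_SEGMENTS entries were sanitised above, so the
     * write loop below must not go past them.
     */
    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
    if (memfd == -1) {
        err = errno;
        goto error;
    }
    if (ftruncate(memfd, size)) {
        err = errno;
        goto error_close_memfd;
    }
    for (i = 0; i < nsegs; i++) {
        struct fs_image_segment* segs = (struct fs_image_segment*)segments;
        /* Best effort: a failed write leaves a hole in the image. */
        if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
        }
    }
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    loopfd = open(loopname, O_RDWR);
    if (loopfd == -1) {
        err = errno;
        goto error_close_memfd;
    }
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
        if (errno != EBUSY) {
            err = errno;
            goto error_close_loop;
        }
        /* Device still bound to an earlier image: detach it and retry once. */
        ioctl(loopfd, LOOP_CLR_FD, 0);
        usleep(1000);
        if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
            err = errno;
            goto error_close_loop;
        }
    }
    struct loop_info64 info;
    if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
        err = errno;
        goto error_clear_loop;
    }
    info.lo_flags |= LO_FLAGS_PARTSCAN;
    if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
        err = errno;
        goto error_clear_loop;
    }
    res = 0;
    for (i = 1, j = 0; i < 8; i++) {
        snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
        struct stat statbuf;
        if (stat(loopname, &statbuf) == 0) {
            snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
            if (symlink(loopname, linkname)) {
            }
        }
    }
error_clear_loop:
    ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
    close(loopfd);
error_close_memfd:
    close(memfd);
error:
    errno = err;
    return res;
}

static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size,
                            volatile unsigned long nsegs, volatile long segments, volatile long flags,
                            volatile long optsarg)
{
    char loopname[64], fs[32], opts[256];
    int loopfd, err = 0, res = -1;
    unsigned long i;
    size = fs_image_segment_check(size, nsegs, segments);
    int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
    if (memfd == -1) {
        err = errno;
        goto error;
    }
    if (ftruncate(memfd, size)) {
        err = errno;
        goto error_close_memfd;
    }
    /*
     * NOTE(review): `nsegs` is not capped here, while
     * fs_image_segment_check() sanitises only the first IMAGE_MAX_SEGMENTS
     * entries; entries beyond that are written as supplied.
     */
    for (i = 0; i < nsegs; i++) {
        struct fs_image_segment* segs = (struct fs_image_segment*)segments;
        if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
        }
    }
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    loopfd = open(loopname, O_RDWR);
    if (loopfd == -1) {
        err = errno;
        goto error_close_memfd;
    }
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
        if (errno != EBUSY) {
            err = errno;
            goto error_close_loop;
        }
        ioctl(loopfd, LOOP_CLR_FD, 0);
        usleep(1000);
        if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
            err = errno;
            goto error_close_loop;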
} }
    mkdir((char*)dir, 0777);
    /* Bounded copies into zeroed buffers, so both strings stay terminated. */
    memset(fs, 0, sizeof(fs));
    strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
    memset(opts, 0, sizeof(opts));
    /* 32 bytes are kept free for the option appended by strcat() below. */
    strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
    if (strcmp(fs, "iso9660") == 0) {
        flags |= MS_RDONLY;
    } else if (strncmp(fs, "ext", 3) == 0) {
        /*
         * Append errors=continue when the options ask for errors=panic or
         * do not contain errors=remount-ro.
         */
        if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
            strcat(opts, ",errors=continue");
    } else if (strcmp(fs, "xfs") == 0) {
        strcat(opts, ",nouuid");
    }
    if (mount(loopname, (char*)dir, fs, flags, opts)) {
        err = errno;
        goto error_clear_loop;
    }
    res = 0;
error_clear_loop:
    ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
    close(loopfd);
error_close_memfd:
    close(memfd);
error:
    errno = err;
    return res;
}

/* Stub in this build: ignores all arguments and returns 0. */
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3,
                              volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
    return 0;
}

/* Mount fusectl at /sys/fs/fuse/connections; a failure is ignored. */
static void setup_common()
{
    if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
    }
}

static void loop();

/*
 * Process-level setup shared by the sandbox modes:
 *  - die with the parent (PR_SET_PDEATHSIG) and start a new process group
 *    and session;
 *  - keep a descriptor for the current network namespace at kInitNetNsFd
 *    (used later by syz_init_net_socket());
 *  - apply resource limits;
 *  - unshare the mount, IPC, cgroup, UTS and SysV-semaphore contexts, each
 *    on a best-effort basis (failures are ignored);
 *  - write a fixed set of SysV IPC sysctls.
 *
 * These are resource and namespace limits, not a privilege boundary: nothing
 * here changes the credentials of the process.
 */
static void sandbox_common()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    setsid();
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        exit(1);
    if (dup2(netns, kInitNetNsFd) < 0)
        exit(1);
    close(netns);
    struct rlimit rlim;
    /* Address space: 200 MiB. */
    rlim.rlim_cur = rlim.rlim_max = (200 << 20);
    setrlimit(RLIMIT_AS, &rlim);
    /* Locked memory: 32 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 32 << 20;
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    /* File size: 136 MiB (above the 129 MiB IMAGE_MAX_SIZE). */
    rlim.rlim_cur = rlim.rlim_max = 136 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    /* Stack: 1 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    /* No core dumps. */
    rlim.rlim_cur = rlim.rlim_max = 0;
    setrlimit(RLIMIT_CORE, &rlim);
    /* Open files: 256. */
    rlim.rlim_cur = rlim.rlim_max = 256;
    setrlimit(RLIMIT_NOFILE, &rlim);
    if (unshare(CLONE_NEWNS)) {
    }
    if (unshare(CLONE_NEWIPC)) {
    }
    /* 0x02000000 is CLONE_NEWCGROUP, spelled numerically. */
    if (unshare(0x02000000)) {
    }
    if (unshare(CLONE_NEWUTS)) {
    }
    if (unshare(CLONE_SYSVSEM)) {
    }
    typedef struct {
        const char* name;
        const char* value;
    } sysctl_t;
    static const sysctl_t sysctls[] = {
        {"/proc/sys/kernel/shmmax", "16777216"},
        {"/proc/sys/kernel/shmall", "536870912"},
        {"/proc/sys/kernel/shmmni", "1024"},
        {"/proc/sys/kernel/msgmax", "8192"},
        {"/proc/sys/kernel/msgmni", "1024"},
        {"/proc/sys/kernel/msgmnb", "1024"},
        {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
    };
    unsigned i;
    for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
        write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Wait until child `pid` has been reaped and return its exit status.
 * Exits the process when `pid` is negative (fork() failed).
 */
static int wait_for_loop(int pid)
{
    if (pid < 0)
        exit(1);
    int status = 0;
    while (waitpid(-1, &status, __WALL) != pid) {
    }
    return WEXITSTATUS(status);
}

/*
 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets of the current process; exits if capget/capset fail.
 * Every other capability the process holds is kept.
 */
static void drop_caps(void)
{
    struct __user_cap_header_struct cap_hdr = {};
    struct __user_cap_data_struct cap_data[2] = {};
    cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
    cap_hdr.pid = getpid();
    if (syscall(SYS_capget, &cap_hdr, &cap_data))
        exit(1);
    const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
    cap_data[0].effective &= ~drop;
    cap_data[0].permitted &= ~drop;
    cap_data[0].inheritable &= ~drop;
    if (syscall(SYS_capset, &cap_hdr, &cap_data))
        exit(1);
}

/*
 * "none" sandbox: fork a child that runs the test loop after the common
 * setup; the parent waits for it and returns its exit status.
 *
 * The child drops only the two capabilities listed in drop_caps() and keeps
 * its uid, so the program under test runs with the invoking user's remaining
 * privileges. The PID and network namespace unshares are best effort.
 */
static int do_sandbox_none(void)
{
    if (unshare(CLONE_NEWPID)) {
    }
    int pid = fork();
    if (pid != 0)
        return wait_for_loop(pid);
    setup_common();
    sandbox_common();
    drop_caps();
    if (unshare(CLONE_NEWNET)) {
    }
    loop();
    exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

static void remove_dir(const char* dir)
{
    DIR* dp;
    struct dirent* ep;
    int iter = 0;
retry:
    dp = opendir(dir);
    if (dp == NULL) {
        if (errno == EMFILE) {
            exit(1);
        }
        exit(1);
    }
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        struct stat st;
        /* lstat(): a symlink is examined itself, not followed. */
        if (lstat(filename, &st))
            exit(1);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        int i;
        for (i = 0;; i++) {
            if (unlink(filename) == 0)
                break;
            if (errno == EPERM) {
                /* Clear the inode flags (FS_IOC_SETFLAGS with 0), then retry. */
                int fd = open(filename, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (errno == EROFS) {
                break;
            }
            if (errno !=
EBUSY || i > 100)
                exit(1);
        }
    }
    closedir(dp);
    int i;
    for (i = 0;; i++) {
        if (rmdir(dir) == 0)
            break;
        if (i < 100) {
            if (errno == EPERM) {
                /* Clear the inode flags on the directory, then retry. */
                int fd = open(dir, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (errno == EROFS) {
                break;
            }
            if (errno == EBUSY) {
                continue;
            }
            /* New entries appeared meanwhile: rescan, at most 100 times. */
            if (errno == ENOTEMPTY) {
                if (iter < 100) {
                    iter++;
                    goto retry;
                }
            }
        }
        exit(1);
    }
}

/*
 * Kill the test process (its process group first, then the pid) and reap
 * it, storing the wait status in *status.
 *
 * If the child has not been reaped after 100 polls, one byte is written to
 * the `abort` file of every entry under /sys/fs/fuse/connections -
 * presumably so that a child blocked on a FUSE request can exit - and the
 * function then waits without a timeout.
 */
static void kill_and_wait(int pid, int* status)
{
    kill(-pid, SIGKILL);
    kill(pid, SIGKILL);
    int i;
    for (i = 0; i < 100; i++) {
        if (waitpid(-1, status, WNOHANG | __WALL) == pid)
            return;
        usleep(1000);
    }
    DIR* dir = opendir("/sys/fs/fuse/connections");
    if (dir) {
        for (;;) {
            struct dirent* ent = readdir(dir);
            if (!ent)
                break;
            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
                continue;
            char abort[300];
            snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
            int fd = open(abort, O_WRONLY);
            if (fd == -1) {
                continue;
            }
            if (write(fd, abort, 1) < 0) {
            }
            close(fd);
        }
        closedir(dir);
    } else {
    }
    while (waitpid(-1, status, __WALL) != pid) {
    }
}

/* Detach whatever is bound to this process's loop device, if it can be opened. */
static void reset_loop()
{
    char buf[64];
    snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
    int loopfd = open(buf, O_RDWR);
    if (loopfd != -1) {
        ioctl(loopfd, LOOP_CLR_FD, 0);
        close(loopfd);
    }
}

/*
 * Per-test setup in the child: die with the parent, start a new process
 * group, and write 1000 to oom_score_adj so the OOM killer picks the test
 * process first.
 */
static void setup_test()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    write_file("/proc/self/oom_score_adj", "1000");
}

/*
 * Pseudo-syscall: call the address `text` as a function taking no arguments.
 * The bytes at that address are supplied by the generated program, so this
 * runs arbitrary machine code inside the test process; the process and
 * resource limits set up elsewhere in this file are the only containment.
 * The unused p[8] array presumably reserves scratch stack space - TODO
 * confirm.
 */
static long syz_execute_func(volatile long text)
{
    volatile long p[8] = {0};
    (void)p;
    ((void (*)(void))(text))();
    return 0;
}

/* Worker thread slot: `call` is the index handed to execute_call(). */
struct thread_t {
    int created, call;
    event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing on worker threads. */
static int running;

/*
 * Worker thread body: wait for `ready`, run the assigned call, decrement
 * `running`, signal `done`; repeats forever.
 */
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    return 0;
}

/*
 * Run the program's 41 calls in order. Each call is handed to the first
 * idle worker (threads are created on first use) and waited for with a
 * per-call timeout; a call that does not finish in time is left running
 * while the next one is dispatched. If all 16 workers are busy the call is
 * not dispatched. Finally waits up to 100 sleep_ms(1) rounds for the
 * running calls to drain.
 */
static void execute_one(void)
{
    int i, call, thread;
    for (call = 0; call < 41; call++) {
        for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
            struct thread_t* th = &threads[thread];
            if (!th->created) {
                th->created = 1;
                event_init(&th->ready);
                event_init(&th->done);
                event_set(&th->done);
                thread_start(thr, th);
            }
            if (!event_isset(&th->done))
                continue;
            event_reset(&th->done);
            th->call = call;
            __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
            event_set(&th->ready);
            /* Base timeout 45, extended for specific call indices (unit presumably ms). */
            event_timedwait(&th->done, 45 + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0));
            break;
        }
    }
    for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
        sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Repeat loop: for every iteration create a fresh working directory, reset
 * the loop device, and run the program once in a forked child. A child that
 * is still running after 5 seconds is killed. The working directory is
 * removed after each iteration. Never returns.
 */
static void loop(void)
{
    int iter;
    for (iter = 0;; iter++) {
        char cwdbuf[32];
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        reset_loop();
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            if (chdir(cwdbuf))
                exit(1);
            setup_test();
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5 * 1000)
                continue;
            kill_and_wait(pid, &status);
            break;
        }
        remove_dir(cwdbuf);
    }
}

/* Fallback syscall numbers for headers that do not define them. */
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
/* mmap calls in the program go through mmap2. */
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

/* Result slots shared between calls (resources produced by earlier calls). */
uint64_t r[18] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff,
0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/zero\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x161000, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, (intptr_t)r[0], 0x3305, 0); break; case 2: memcpy((void*)0x20000040, "l2tp\000", 5); syz_genetlink_get_family_id(0x20000040); break; case 3: memcpy((void*)0x20000080, "/dev/dlm-control\000", 17); syscall(__NR_openat, 0xffffff9c, 0x20000080, 0x20000, 0); break; case 4: *(uint32_t*)0x200000c0 = 0x17; syscall(__NR_setsockopt, (intptr_t)r[0], 0x10e, 2, 0x200000c0, 4); break; case 5: res = syscall(__NR_mmap, 0x20ffa000, 0x4000, 0x2000000, 0x1010, (intptr_t)r[0], 0x10000000); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_socket, 0x23, 5, 2); if (res != -1) r[2] = res; break; case 7: res = syscall(__NR_io_uring_register, -1, 9, 0, 0); if (res != -1) r[3] = res; break; case 8: *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0; *(uint32_t*)0x200003c4 = r[2]; *(uint64_t*)0x200003c8 = 0; *(uint32_t*)0x200003d0 = 0x20000380; *(uint32_t*)0x20000380 = 0x20000100; *(uint32_t*)0x20000384 = 0x80; *(uint32_t*)0x20000388 = 0x20000240; *(uint32_t*)0x20000240 = 0x20000180; *(uint32_t*)0x20000244 = 0x93; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x20000280; *(uint32_t*)0x20000394 = 0xca; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x200003d4 = 0; *(uint32_t*)0x200003d8 = 0; *(uint64_t*)0x200003dc = 1; *(uint16_t*)0x200003e4 = 3; *(uint16_t*)0x200003e6 = r[3]; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; 
*(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; syz_io_uring_submit(0, r[1], 0x200003c0, 0x10001); break; case 9: *(uint32_t*)0x20000440 = 4; syscall(__NR_ioctl, -1, 0x4b63, 0x20000440); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0xaa; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 3, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 31, 1); *(uint8_t*)0x20000012 = 0x11; *(uint8_t*)0x20000013 = 2; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; memcpy((void*)0x20000016, "\xf4\xeb\xe4\x02\x16\xfe\xde\x5e\xf6\xc5\x31\x0f\x04\x13\xc5\xd4\x1b\x32\xfc\x23\xe0\x7f\xd3\x32\xa8\xa5\xc5\xf9\x66\x82\x1d\xa0\x91\xf4\x7b\x7b\x9c\xf9\x22\x87\x27\xff\x74\x12\xc2\xe4\xa3\xa1\x57\x3b\xb2\x95\x48\x2d\x7b\x4a\x3e\xff\xd8\x63\xcc\x60\xf5\xd8", 64); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0xd2d; *(uint32_t*)0x2000008c = 0xc61; *(uint32_t*)0x20000090 = 0x6d3; *(uint32_t*)0x20000094 = 0xbe2; break; case 11: *(uint8_t*)0x200000c0 = 2; STORE_BY_BITMASK(uint16_t, , 0x200000c1, 0xc9, 0, 12); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 3, 4, 2); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 1, 6, 2); *(uint16_t*)0x200000c3 = 0xa; *(uint16_t*)0x200000c5 = 6; *(uint16_t*)0x200000c7 = 5; *(uint8_t*)0x200000c9 = 0x13; *(uint8_t*)0x200000ca = 0x7f; *(uint16_t*)0x200000cb = 2; 
*(uint16_t*)0x200000cd = 0; break; case 12: memcpy((void*)0x20000100, "\xc4\xc2\xcd\x45\xf1\x8f\xe8\x00\xed\xb8\x5c\x2f\x00\x9e\xe9\x64\x36\x36\x0f\x28\x11\xc4\xc3\xc9\x0b\x6b\x07\x87\xc4\xc2\xf1\xa6\x03\xf3\x0f\xa6\xd0\xf3\x6f\x65\x0f\xfa\x0e\xc4\xc2\x1d\x2f\x9f\x5a\xac\x38\x4f\x3e\x65\xf3\xab", 56); syz_execute_func(0x20000100); break; case 13: break; case 14: memcpy((void*)0x20000180, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000180); break; case 15: syz_init_net_socket(3, 3, 0xcc); break; case 16: res = syscall(__NR_mmap, 0x20ffd000, 0x2000, 0x3000001, 0x80000, -1, 0); if (res != -1) r[4] = res; break; case 17: res = -1; res = syz_io_uring_complete(r[4]); if (res != -1) r[5] = res; break; case 18: *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0xd9fd; *(uint32_t*)0x200001c8 = 0x20; *(uint32_t*)0x200001cc = 0; *(uint32_t*)0x200001d0 = 0x308; *(uint32_t*)0x200001d4 = 0; *(uint32_t*)0x200001d8 = -1; *(uint32_t*)0x200001dc = 0; *(uint32_t*)0x200001e0 = 0; *(uint32_t*)0x200001e4 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint32_t*)0x200001f8 = 0; *(uint32_t*)0x200001fc = 0; *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; res = syscall(__NR_io_uring_setup, 0x3a3b, 0x200001c0); if (res != -1) { r[6] = res; r[7] = *(uint32_t*)0x200001d8; } break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xb18d; *(uint32_t*)0x20000248 = 0xab3a8d6e; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000250 = 0x158; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = r[7]; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 
= 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = -1; res = syz_io_uring_setup(0x17a8, 0x20000240, 0x20ffb000, 0x20ffd000, 0x200002c0, 0x20000300); if (res != -1) r[8] = res; break; case 20: *(uint32_t*)0x20000340 = 0; *(uint32_t*)0x20000344 = 0x15f8; *(uint32_t*)0x20000348 = 0x20; *(uint32_t*)0x2000034c = 2; *(uint32_t*)0x20000350 = 0xd2; *(uint32_t*)0x20000354 = 0; *(uint32_t*)0x20000358 = -1; *(uint32_t*)0x2000035c = 0; *(uint32_t*)0x20000360 = 0; *(uint32_t*)0x20000364 = 0; *(uint32_t*)0x20000368 = 0; *(uint32_t*)0x2000036c = 0; *(uint32_t*)0x20000370 = 0; *(uint32_t*)0x20000374 = 0; *(uint32_t*)0x20000378 = 0; *(uint32_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = 0; *(uint32_t*)0x2000038c = 0; *(uint32_t*)0x20000390 = 0; *(uint32_t*)0x20000394 = 0; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x2000039c = 0; *(uint32_t*)0x200003a0 = 0; *(uint32_t*)0x200003a4 = 0; *(uint32_t*)0x200003a8 = 0; *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = 0; *(uint32_t*)0x200003b4 = 0; res = -1; res = syz_io_uring_setup(0x6b11, 0x20000340, 0x20ffb000, 0x20ffb000, 0x200003c0, 0x20000400); if (res != -1) { r[9] = *(uint64_t*)0x200003c0; r[10] = *(uint64_t*)0x20000400; } break; case 21: res = syscall(__NR_socket, 0x1f, 3, 3); if (res != -1) r[11] = res; break; case 22: res = syscall(__NR_io_uring_register, (intptr_t)r[5], 9, 0, 0); if (res != -1) r[12] = res; break; case 23: *(uint8_t*)0x20001700 = 0xa; 
*(uint8_t*)0x20001701 = 2; *(uint16_t*)0x20001702 = 0; *(uint32_t*)0x20001704 = r[11]; *(uint64_t*)0x20001708 = 0; *(uint32_t*)0x20001710 = 0x200016c0; *(uint32_t*)0x200016c0 = 0x20000440; *(uint32_t*)0x200016c4 = 0x80; *(uint32_t*)0x200016c8 = 0x200015c0; *(uint32_t*)0x200015c0 = 0x200004c0; *(uint32_t*)0x200015c4 = 0x2c; *(uint32_t*)0x200015c8 = 0x20000500; *(uint32_t*)0x200015cc = 0x1000; *(uint32_t*)0x200015d0 = 0x20001500; *(uint32_t*)0x200015d4 = 0x28; *(uint32_t*)0x200015d8 = 0x20001540; *(uint32_t*)0x200015dc = 0x4a; *(uint32_t*)0x200016cc = 4; *(uint32_t*)0x200016d0 = 0x20001600; *(uint32_t*)0x200016d4 = 0xb9; *(uint32_t*)0x200016d8 = 0; *(uint32_t*)0x20001714 = 0; *(uint32_t*)0x20001718 = 0x2000; *(uint64_t*)0x2000171c = 1; *(uint16_t*)0x20001724 = 3; *(uint16_t*)0x20001726 = r[12]; *(uint8_t*)0x20001728 = 0; *(uint8_t*)0x20001729 = 0; *(uint8_t*)0x2000172a = 0; *(uint8_t*)0x2000172b = 0; *(uint8_t*)0x2000172c = 0; *(uint8_t*)0x2000172d = 0; *(uint8_t*)0x2000172e = 0; *(uint8_t*)0x2000172f = 0; *(uint8_t*)0x20001730 = 0; *(uint8_t*)0x20001731 = 0; *(uint8_t*)0x20001732 = 0; *(uint8_t*)0x20001733 = 0; *(uint8_t*)0x20001734 = 0; *(uint8_t*)0x20001735 = 0; *(uint8_t*)0x20001736 = 0; *(uint8_t*)0x20001737 = 0; *(uint8_t*)0x20001738 = 0; *(uint8_t*)0x20001739 = 0; *(uint8_t*)0x2000173a = 0; *(uint8_t*)0x2000173b = 0; syz_io_uring_submit(r[4], r[10], 0x20001700, 0xad23946); break; case 24: res = syscall(__NR_fsmount, (intptr_t)r[5], 1, 0x84); if (res != -1) r[13] = res; break; case 25: *(uint32_t*)0x20001740 = r[6]; *(uint64_t*)0x20001744 = 3; *(uint64_t*)0x2000174c = 6; *(uint64_t*)0x20001754 = 0x1000; res = syscall(__NR_ioctl, (intptr_t)r[8], 0xc01cf509, 0x20001740); if (res != -1) r[14] = *(uint32_t*)0x20001740; break; case 26: *(uint32_t*)0x200017c0 = 0; *(uint32_t*)0x200017c4 = 0x20001780; memcpy((void*)0x20001780, 
"\xe7\xbe\xd2\x38\x54\x76\x95\xa7\x89\x57\xb5\x74\xba\xcb\x6d\xbc\x56\x7a\x32\x32\xe7\x65\x59\xb4\xea\x39\x31\xb6\x08\x57\x8a\x24\xda\x4c\x74\x97\x95\x97\x5b\x0a\xe5\x1d\xa8\xa8\x6d\xde\x75\xb1\xd6\x84", 50); *(uint32_t*)0x200017c8 = 0x32; *(uint64_t*)0x20001800 = 1; *(uint64_t*)0x20001808 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x200017c0, 1, 0, 0x20001800, 1); break; case 27: *(uint32_t*)0x20001840 = 0; syz_memcpy_off(r[9], 0x114, 0x20001840, 0, 4); break; case 28: memcpy((void*)0x20001880, "afs\000", 4); memcpy((void*)0x200018c0, "./file0\000", 8); *(uint32_t*)0x20002900 = 0x20001900; memcpy((void*)0x20001900, "\xf1\xfd\x85\xc4\x6a\x07\x34\x5a\x88\x13\x28\x7b\x13\xf2\x1a\x08\x40\x90\x39\x26\xae\xf8\xfa\x2c\xb5\xf6\xe0\x10\xd1\x4f\x70\x30\x37\x67\x97\x11\x5f\xff\x5a\x94\x80\x41\x34\x8d\x82\x7d\xbd\x67\x8e\x20\x92\x8d\xc4\xb2\x24\xe0\xec\x33\xe5\x0b\xf6\x99\xf1\xed\x1e\x39\xdf\x43\xd8\x99\xeb\x1a\x37\xc8\xd1\x16\x31\xe7\xb7\x75\xfc\x82\x61\x19\x01\xef\x7d\xb3\x71\x4e\x0e\xf5\x9b\x98\xd9\xd7\xd9\x11\x4b\xa1\xba\x76\xa7\x2e\xdc\x93\x80\x33\x59\xb9\x99\x4b\x50\x4f\x9e\x77\x90\x37\x5f\xa5\x0f\xce\xab\x9c\x0f\x21\x03\x85\x72\x2f\x2a\x05\x4c\x09\xfe\xcf\x4a\x04\xcc\xfa\xca\xac\x9d\x40\xbe\xbb\x2e\x2b\xcc\x94\x8d\x32\x72\x63\xb0\xfa\x73\x5b\x75\x3f\xa3\x67\xf5\x53\x13\xbd\x6d\xf7\x47\x6a\x99\x61\xbe\xf3\xe5\x80\x6a\xe5\x3b\xf7\x23\x34\x74\xb6\x37\x26\x6e\x9f\xd6\x94\xfb\x30\xa5\x03\xfb\xa0\x53\xc4\x65\x62\x93\x6b\xb3\xb8\xfd\xd3\x8d\xa2\x3e\x72\x25\x86\x8f\x8c\xf1\xe7\xd2\x7c\xac\xb6\x90\x75\x65\x7b\x3c\xa8\x0f\x8b\xe0\xb8\xe0\x43\xdb\x62\x0f\x08\x72\x23\x1b\x8a\x31\x08\xc4\xa1\x0b\x8b\x72\x3b\x64\x6b\x3c\x6d\x5f\x37\x05\x58\x64\x09\x24\xa9\x3b\xa2\x5d\xb1\x74\x6c\xf2\xea\x14\x1b\x03\x85\xac\x0c\xf9\xe7\xac\xc8\xfd\xdd\x8e\xe3\x2f\xb9\x88\x49\x1e\x45\x45\x64\xeb\x14\x2e\xc8\x40\x24\x38\xdd\xb1\xd0\xbe\xd6\xd2\x85\xa2\xa4\x08\xa9\xed\xc5\x27\x76\xe3\xae\x70\x21\xc1\x09\x43\xee\xf0\xaf\x02\x70\x37\x22\x13\x62\x7d\xd4\x25\x3d\x95\xa3\x6a\xcd\x29\xf8\x09\x5c\x64\x28\
xf1\xc4\x6c\x3e\xb2\x12\x27\xd0\x46\x06\xb5\xc9\x22\x54\xe9\xce\x3e\x22\x0a\x8b\x8a\x28\x1c\x8d\x8e\x9c\x83\x07\x9e\xa1\xdf\x4a\x90\xdb\x9f\x08\xa5\x8c\x80\x3d\x8e\xc2\xbf\xcc\x99\xf1\xac\xd5\xf0\x62\x50\x43\xeb\x4a\x83\x17\x9e\x2d\x37\xc0\x76\x57\xe4\xb7\x47\xad\xcb\x09\x79\xa2\x30\xde\xa4\xf0\x79\xf2\x20\x84\x87\x09\xf2\xbb\x38\xc3\x4a\x22\xc5\xb3\xca\xf9\x4a\x02\xfc\x5f\x1c\x4d\x01\x3c\x16\x5a\xbf\x74\xbe\xd9\xd0\x28\xa5\xd8\x4e\xc1\x50\x37\x7f\x49\x8e\xe0\xe2\xa8\x6b\xf0\x4b\x97\xee\x40\xaf\x98\x82\xbf\xad\xec\xf5\xe1\x25\xfc\x90\x9d\x25\x0d\x92\xa3\x11\x66\xd6\x11\x21\xb5\x36\x45\x24\xb6\x35\x1e\x0b\x6a\x66\xdc\xde\xeb\x52\x49\xeb\xab\xb8\x65\xf1\xf4\xa1\xa8\x0a\xda\x5d\x69\x5d\x3a\x37\xb2\x14\xc9\xf0\xd9\x25\x07\xdb\x1b\x8d\x80\x8a\x96\xf0\x89\x02\xef\x8c\x97\xe2\x2b\x75\x49\x75\x38\xf5\x4f\xf9\x44\xa1\x91\x42\xb6\xae\x1b\x86\x36\x50\x0e\x2f\x39\x20\xa3\xab\x34\x1d\x8d\x1d\xb2\x2d\xc6\x4e\x1d\x68\x38\x21\x62\xb4\x89\xea\xad\xe6\x68\xba\x38\xe6\xe7\xec\xf6\x16\x26\xc7\x19\x37\x8a\x8e\xbf\x08\xec\x3d\x5d\xa6\x71\x64\x61\xe2\x06\x86\x9b\x33\x5c\xcb\xaf\xbc\x73\x64\x99\x83\x79\xd8\x94\xb9\xc6\x04\x41\xd9\x87\x97\xef\xf0\xd0\x4c\xe3\xfb\xf4\x19\xeb\x9c\x5c\x77\x8d\xbd\xc6\x03\x1b\x19\xfe\xa1\x3a\xdf\x11\x1d\xd4\x96\x28\x09\x3d\xa4\x1c\xe2\x52\x59\x5e\xa3\xd0\xb6\xdd\x96\x36\x4f\xe2\xe3\x75\x04\xbc\x66\x17\x04\x4f\xf1\xd0\xd2\x7f\x75\x9d\x1f\xaa\x8a\xe8\x54\xa1\x72\xda\x0b\x22\x73\x05\xbc\x63\x0a\x46\xb8\xe5\xbb\x9f\x8a\xa4\x0b\x95\xa4\xb6\xd5\xc3\x7b\xdd\xd0\x96\x8e\x19\x2d\x57\x24\x20\x78\x43\x4f\xde\xf9\xaf\xdc\x8f\x18\x39\x7d\xf1\xca\x6e\x76\xbd\xc7\x18\x45\xfb\xa2\x81\x8e\xf8\xf1\xc1\xdb\xf0\xa9\x2d\xde\xe3\xc8\xc1\xcf\xdd\xfb\x64\x43\x94\x19\xe6\x3f\x98\x11\xab\x5d\xaf\xd1\x5b\x2f\xf2\xa9\xc0\x41\x33\x16\x51\xc7\xaf\xe7\x86\x28\x75\xbf\x99\x61\x80\x6f\xac\x69\x4b\xef\x5f\x78\xfb\x9c\xd6\x4c\x33\x84\x86\x37\x44\x4e\x67\x52\x20\x03\x95\xe3\x73\x1d\x02\xdb\x34\xc2\x1f\xca\x31\x1d\x33\x9e\x81\x97\x32\xed\xe1\x83\x94\xb4\x5c\x4c\xbb\xbf\xfd\x45\xfd\xf5\x08\x28\x5d\
x26\xda\x5b\x3c\xed\xe6\x92\xaf\x4e\xf2\xf4\x2c\x73\x4b\x52\x28\x64\x75\x5d\xcd\x71\x9c\x93\xb2\x68\x43\x8f\x9b\x0f\x1a\xdd\x57\x4c\xf7\x21\x89\x21\xdf\x68\xc4\x96\x68\x3c\x62\x76\x11\x5c\x07\x4d\x42\x0f\x23\x86\x1e\xeb\x82\x03\x1e\x99\x8c\x08\x33\xd1\xcb\xbb\x5b\x33\x4a\x13\x60\x6a\x0b\xc4\x06\xc4\xc8\xb1\xc2\xbf\x8d\xf5\x57\x32\x4d\x2c\x94\xcb\xe4\xc2\x90\x80\xb6\x32\x34\xb1\xbb\x74\xe5\x85\x4e\x42\x2e\xb4\x6f\x73\x69\x78\xe2\x94\x3e\xbd\x28\xaf\x46\x7b\xd0\xee\x09\x6b\x95\x2f\xf5\xf0\xb2\x28\xc7\xef\x94\x6f\xd4\x72\x49\x3b\x0e\xac\xa9\x37\x84\x01\x66\x9f\x1b\xe6\x75\x23\x0e\x56\xbc\x19\xe4\xec\x12\x34\xfc\xb4\xea\x12\x2d\xd2\x04\x83\x01\x09\x68\x9c\xad\x7e\x3d\x70\x2a\xb3\xe9\x2e\x59\x01\x6a\x64\x0c\xce\x4e\x1e\x57\xd6\xe9\x45\x56\xe7\xee\x1f\x7c\x58\x63\x09\x04\x4b\xdc\xa4\xa7\xb2\xce\xbb\x4b\x3f\xab\xfd\x57\x8e\xd6\xc6\x85\x89\xb8\xaf\xcd\x4d\x0e\x5a\xb1\xb7\xee\xf6\xf8\x2c\xd2\x08\xe3\xec\xe7\x6e\x3b\x73\x33\x1f\xba\x03\xfb\x54\x47\x01\x29\x92\x74\x10\x42\x10\x6e\xd7\xd3\x86\xa1\x43\x3f\xe8\xd4\xc6\xbc\xe8\x22\xff\x8f\xfe\x1b\x38\x2a\xa7\x12\x47\x31\xa9\xad\x6e\x1a\x52\xc7\x82\x66\x17\x4a\x4f\xef\xe9\x86\xa5\x08\xf6\x64\x25\x77\x30\x3f\x91\xea\x4e\xfb\x32\x84\x3c\x6b\x33\x1b\x32\xf2\x45\x53\xa0\xc1\x30\x16\xd9\x1a\x23\x0a\x55\xd8\x1f\xeb\x7d\xfc\x48\xad\x15\x7c\x7c\x2f\xc6\x32\x53\x08\x10\x21\xd1\xc6\x53\x56\x51\x39\x03\xdd\xbd\xe8\xd3\xfd\x0d\x51\x74\x7f\x3e\xaa\xaf\x9d\xb9\xd6\xb4\xbd\x70\x69\xd8\xba\x53\xd4\xd1\x00\xee\x27\x27\x97\x95\x94\xc2\xfa\x80\xb9\xaa\x0e\xdd\x70\xe3\xd7\x02\xfb\x5b\x6c\xd2\x77\xee\xb4\x87\x55\x58\x86\xf8\x5b\x65\x7c\xd9\xeb\xa6\x41\xb2\x8b\xf1\xe7\x62\x30\x0f\x3e\x29\xc5\xa8\xd8\xbf\xe0\x77\xbd\xef\x7c\x9e\x2c\x4c\xfa\xd8\xfc\x36\x46\x70\xd7\xcd\x6a\xc7\xa8\x63\x22\xe6\x67\x76\x0e\x24\x03\xc4\x83\x8d\x61\xfa\x86\x69\xa4\xf6\x21\x14\xee\xf4\x23\xf0\x91\x32\xe2\x0b\xb9\x5b\xa3\x52\x2a\xc3\x10\x49\xc4\xa3\xd5\x81\xaf\x3c\x57\x84\x91\x0f\xba\x88\xcd\xee\x1c\xef\xf4\xdd\xae\xd8\x27\x11\x9c\xed\x53\x61\x94\x7d\x0e\x31\xa9\xc4\xd2\x52\x63\
xa5\x36\x54\xb8\x2f\xc1\x3b\x91\xf4\x45\x08\xdd\x19\x3c\xa1\xef\x26\xd9\x30\xa6\xb0\x81\x05\x86\xd4\x02\xba\x05\x54\xfa\xce\x5c\x3e\xd0\x77\x67\x1d\x50\xd2\x88\x65\xbf\xff\x35\xca\x3a\x4d\xab\xdb\xd6\xe3\xb0\x70\x59\x32\x0f\x53\xe5\xc4\x9d\x73\xcc\x16\xdd\x1e\xd2\x81\x6a\xc9\x8a\xd3\x85\x3c\x36\x88\x29\xc7\xbe\xc4\x0c\x4a\x9b\x39\xee\x3b\x73\x0b\xbd\x6c\x15\x2f\x35\x8e\x99\x11\x30\x8c\x12\xed\x12\x06\x56\x1f\xc7\xcf\x7c\xb4\x77\x14\x5f\x1a\xaa\xce\x66\xac\x5c\x44\x68\xac\xb2\xf6\x01\xc6\x1e\x4b\x11\x8b\xe2\x05\x6b\x6d\xbc\x18\x60\x9b\xfd\x41\x05\xee\xe1\x8b\xe3\x84\xa1\x99\x13\xd2\x74\xd9\x20\x39\x79\x0c\xb8\x74\x20\xb9\xfd\xd7\x0e\x73\x43\x09\xfc\x7a\xfe\x09\xe1\x1f\x78\x0d\x6e\xe6\x24\x31\x75\x90\x7a\x4a\xee\xcb\x6c\xa0\x70\xa3\x37\x4b\xe5\xd3\xd0\x7a\x78\x8e\xa4\xe1\xf9\xd6\xf1\x8e\xff\x9e\x79\x64\xd7\x07\x6c\xb5\xb9\x3c\xd9\x73\x38\xec\x05\x44\x8e\xc5\x27\xcc\xa6\x67\x90\xbf\xe3\x2c\x5b\x26\x62\xd7\xfc\x6b\x83\x6b\x41\xbf\x32\xe5\xbc\x0d\xdf\xe4\x2d\x59\x73\xdb\x86\xf8\xae\xd5\x6e\x43\x11\x2b\x45\xb0\xf7\x92\xc5\x39\x45\x99\xa1\x3e\x73\xc2\x50\x12\xb5\xaa\xcd\x3a\xef\x11\x24\x73\xc4\xe2\xe3\xab\x6a\xeb\xf5\xaf\x6d\xe9\xe7\x8a\xc0\x47\xfc\xc2\x76\xfd\x97\x6f\x25\x02\x2c\x65\xc3\x0a\x9f\xd6\x72\x03\xf1\x9e\x33\xb3\x5c\xfb\xcf\xdf\xf3\x95\xc5\xbb\x53\xf2\xfd\x79\x28\xe4\x3e\x62\x28\x47\x28\x07\x80\xb8\xcc\x81\x5f\xb4\x85\x18\x91\x05\xa1\x24\xcd\x86\x27\xcc\x3d\x5f\x1a\x9d\xd8\x00\xd4\x7a\x22\x6e\xbf\x90\x7e\xb2\xf4\x91\x33\xd1\x17\x58\x8d\x28\x0f\x4c\xc4\x3d\x95\x25\x4d\x88\xc8\x75\x3d\x96\x07\x3f\x97\xc5\x31\xf5\x1e\x55\x96\xe2\xe9\x71\xa2\x16\x1b\x78\xf7\x5e\xdc\xfb\xd9\xde\x38\xf0\xa9\x28\x4b\x7c\xce\xef\x87\x59\x8f\xa3\xbc\xfa\x5d\xbc\xbd\x1d\x28\x4c\xf8\x0c\xb7\x75\x54\x65\x89\x9d\x36\x2d\x9e\x40\xc6\x4c\x1a\x1e\x4c\xc4\x5c\x38\x71\xb2\x10\x4c\xa4\x0c\x05\x72\x9d\xcc\xbf\x6d\x0a\x17\x50\x0e\x5d\x0d\xff\xa3\x44\x3a\x52\x33\xe2\x79\xb2\xf9\xc5\x18\xb6\x97\x34\x0d\x26\xd2\x87\x26\x60\xc7\x1a\x49\x57\x10\xee\x00\x9f\xfb\x98\x9e\xbb\x5b\xef\xe5\x17\x69\x25\xb7\x8c\
xde\xb1\xe8\x11\xc5\x1e\xcd\xb0\x1a\x47\xec\x1d\x1d\x0e\xf2\x02\x4c\x9a\x66\x6f\x6b\xc5\xeb\xe1\x3e\x77\x3f\x89\xf4\xc8\x0b\xaa\x1d\x66\x0c\x05\x1c\x26\x72\xf9\x1c\x21\xdb\x5f\xf2\xd5\xa7\x01\x26\xdc\x69\x14\x0e\xe2\x16\xc4\x5b\xdd\x0a\x7b\x52\x79\xde\xce\x2f\x58\x3b\xc2\x4f\xc6\x3c\xae\x88\xae\x75\x57\x22\x40\x48\x23\xc5\xc2\x16\x84\x9d\xcd\x10\x85\xba\x99\x02\xcb\x24\x8a\xc5\xd1\x92\xc3\xbd\xc5\x37\x39\x2a\x7c\x9e\xd3\xc3\x59\xbb\x6d\x49\x34\x62\x5f\x5f\x7a\x6d\xd5\x1b\x78\x57\x3f\xc7\x26\xad\xab\xc9\x1f\x41\x96\x05\x86\xf6\x4c\x39\x26\x11\x26\xea\x67\xdf\xc3\x2c\x5a\xe5\xf7\xd6\xed\x88\x74\x73\x60\x41\x8d\x42\xa0\x08\xd9\xcf\xc5\xef\x15\xf9\xc5\x88\xdb\xb9\xec\xc3\x74\xba\x19\xab\x60\xa3\xba\x33\xfb\xd1\xb8\x04\x77\xb0\x20\x4e\x67\xc8\x45\xf9\xf6\xab\x58\x9c\x58\xb5\x78\xcc\xa5\x8a\xf3\x22\xae\x66\xb9\xb1\x2e\xd9\x53\x70\x3d\x13\x93\xd8\xec\xe9\xc6\x70\x66\x4f\xdb\x6b\x1f\xfa\x10\x27\x1a\xbc\x0e\x51\xd5\x7b\x59\x10\x2e\x26\x40\xbe\xa0\x9e\x91\x12\x94\xc3\x5a\xbc\x86\x16\x99\x0a\x57\x29\xbf\x73\x9a\x8e\x22\x77\x4a\x68\x0d\x57\x70\xb8\x58\xb9\x32\xfe\x59\x5b\x73\x22\x32\x8a\xe7\x92\x07\x8a\xd2\x8d\xb4\xd5\x4c\xbd\x7c\x98\x68\xfc\xbe\x6e\xed\x0b\x0a\xa7\xb7\xab\xbf\xb1\xb8\xef\xce\x2d\xd5\xc1\xe2\x9b\xac\x66\xab\x7f\x80\xfe\x7a\x65\xd2\xda\x18\x38\x66\x0e\x94\x06\x6a\x6b\x2e\x3b\xdb\x89\x7e\x55\x1b\xc0\x37\xd7\x79\xdb\xb6\xcb\x9b\xdc\xa7\x03\x0e\xf8\x22\x6b\x96\x8d\x5a\x85\x7c\xb4\x24\xa9\xbd\x71\xec\xf3\xe0\xdf\x3b\xca\x6b\x91\x95\x90\x5e\xd0\x5e\x73\xd0\x36\x7f\x16\x49\xee\xd5\x49\xd9\xc3\xd4\x7e\x2f\x31\x2c\x17\x0d\xc9\x4a\x70\x1d\x42\x04\x60\xe1\x00\x0e\x23\x70\x21\xc6\xb7\xb1\xbc\x08\xb3\x5c\x10\x43\xc6\xe8\x99\xed\x58\x7e\xf7\xdf\xb6\xe1\xc7\xb6\xe1\x1e\x3a\x2f\xb4\x34\x8a\xbc\xc9\xed\x18\x31\xee\x37\x3d\x00\x45\x40\xa7\x3a\x4c\x78\xf9\xd3\xab\xb1\x01\xc7\x87\xba\x23\x9d\xf6\x63\x92\x4e\xf8\x4e\x3b\x43\x68\x68\xb6\x3c\xd7\x4f\x4d\x47\xac\x9e\xbc\xe3\x81\x4b\xbd\xb3\x7e\xee\xc3\xfe\xa1\xf9\x06\x88\xd1\x6f\xf3\x28\x5d\x35\x97\x45\xf9\xc1\xb6\xdc\xfa\x98\xbc\xd3\
x2a\xca\xcc\xd9\x35\x0c\x07\x05\x79\xaf\x49\xc6\xdd\x8e\x62\xb3\xe1\x16\x16\xb9\x56\x05\xb5\xe6\x7c\x90\xc3\xdb\x1b\x83\x01\xde\x61\xbd\xfa\x55\x8e\xe6\xd1\x3f\x20\xa7\x8d\x40\x7e\x4f\x44\xca\x79\x3c\xe3\xd9\x58\xe1\x52\x2f\x1a\x64\x27\x6a\xc8\x86\x3d\x1a\x68\xb5\xb6\x4e\x03\xec\x0b\x22\xb0\xa7\x87\xbb\xa7\xb4\x62\xfd\xdf\x8d\xa7\xd1\x01\x8b\x32\xa1\x32\x82\xbd\x1e\x83\x06\x0a\x67\xc7\xda\x96\xe4\x6e\x3b\x32\x2a\x5d\x8e\x05\xba\x67\xb3\xac\xa1\xc5\xd1\xbf\x13\x6a\x57\xb3\xaa\x68\x77\x7f\x00\xbf\x10\x2d\xdd\xb1\xde\xc2\x1d\xb3\x09\xf4\x85\x5d\x9c\x08\xed\xc5\x80\xd6\x52\xa6\x89\x42\x0b\xf6\x25\x38\xb5\xaa\x26\x30\x57\x09\x81\x21\xd8\x2d\x87\xe2\x9e\xe2\x6b\x5d\x52\x88\x02\x3e\x50\x1f\xf2\x73\x0b\xce\xf0\x0b\x98\xf1\x3c\x40\xbc\x2d\xa1\xa1\xbc\xa1\xcd\x66\x64\x84\xf1\xa3\xf5\xc8\xb6\xff\xaf\x46\x8f\xbe\xaa\xf5\xab\xfd\x74\x39\x6f\xbc\x46\x0e\x0f\xd2\xb4\x40\xf5\xe5\x63\x27\xe6\x34\x90\x73\x11\xdc\xe9\x8e\xc0\x75\xe9\xee\x32\x87\xf7\xd2\xdc\xd6\x44\x93\xe5\xc5\xce\x09\x6b\xb2\x9d\x77\xaa\x49\xa9\xf6\x77\xe6\x8e\xfd\x44\xcf\x35\xb5\xa0\xd6\x9f\x1e\xc8\x87\xa5\xf1\xf3\x5e\x44\xaf\xe3\xb6\x90\x4e\xf0\x26\xb3\x65\x1c\x69\x7d\xc2\xaf\x46\x66\x2b\x92\x36\x64\x20\x1e\x4b\xae\xdc\x28\xe8\x5f\x33\xd0\xfc\xce\x83\xec\xb0\x1d\x04\xf5\xa0\x82\x6d\xf9\xfb\xfe\x7d\x92\xe3\x1d\xb7\x62\x02\x53\x3f\xa8\xbd\xbd\x4f\x14\x74\x4f\x84\x85\x94\x8f\xf0\xe4\x0e\xc7\x7d\x2a\x2c\xca\xc3\x4f\x38\x9a\x4f\x6b\x0e\x1f\x84\xf5\x27\xb1\x28\x2b\x4b\xa5\x3c\xc0\xa5\x34\x68\xeb\x13\x62\xd8\x7f\x33\x4f\x17\x6d\x94\x8d\x9d\x7f\xc1\x90\xa1\xfa\xbb\x36\x74\x53\x85\x94\x5f\x27\xd4\x4c\x13\x64\x36\xee\xed\xca\x1a\xd4\x94\x5c\x9d\x73\xd6\xa2\xd7\x22\x5a\x1f\x7f\xa4\x9a\x2b\x2b\x56\xd3\xa4\x03\xa8\xdd\xd0\x3d\x70\x1b\xb8\xba\x36\xc2\x75\xb0\x5d\xb3\xb6\x06\x38\xb9\xa2\xa2\x34\xcb\x63\xb8\x09\xeb\xfc\x9a\x77\x1a\xc7\x12\x76\x2f\x7e\x96\xc5\x38\xe1\xc5\x4a\x79\x12\xb9\x59\x44\x63\x2d\x6d\x60\x59\x4b\x90\x0e\x17\xee\x32\x7b\x2b\x2b\x13\xbe\x28\x44\x06\x1f\xd1\xe3\x50\xe4\x71\x21\xfd\x71\xf1\x30\xa5\xae\xb5\x15\x3c\
xcb\x8e\xce\x99\x59\x0f\xf9\x3e\xa9\x8e\xe5\x89\xa0\xa4\x28\x8b\xb6\xa3\x59\x0b\x1c\x6e\x89\x00\x8b\xbd\x2d\xc7\xad\x38\x74\x83\x69\x40\x5c\x9f\x8c\x37\xfa\x75\xdd\x2f\xf4\xa3\x84\x56\x1d\x03\x09\x48\xc3\xd1\x64\x66\xe4\xf0\x37\xe5\x4d\x3d\xca\xbd\xe0\x2f\xb3\x5c\x62\xb3\x16\x92\x65\xc0\xaf\x80\x18\xa8\x6c\x3f\xcf\x32\x68\xc1\xa9\x1e\x71\x31\xf8\x9c\xf7\x84\x1b\xb5\x8c\xab\x8a\x5f\x89\xd7\xed\xb6\x7f\x05\xf1\x6f\xe8\x40\x59\xbe\x5a\xbd\xbe\x44\xd3\x85\x2f\xa5\x79\x0c\x16\x16\x28\xb2\x1e\xef\x35\x9a\xaf\x7d\xb7\xde\x11\xc8\x35\xff\x9c\xc0\xb8\x6a\xc9\x75\x1f\xd2\xd5\xc1\x35\xe8\xac\xb4\x35\x2b\xc0\x3f\xdf\xe6\xc4\x34\x73\x58\x2c\xde\x76\xb1\x57\xee\xb0\x3a\xcf\xff\x74\x2b\xe5\x83\x8a\x4a\xab\xa1\x60\xe1\xc5\x88\xc9\xe1\xda\x27\x58\xfc\x29\x0a\xe3\x7a\x76\x05\x34\x0f\x72\x6f\xf3\xd8\xd7\x3d\x3d\xcc\xdc\x77\x37\x49\x9b\x74\x73\xec\xcc\x00\xc3\xd0\x1d\x20\xbd\x98\x9e\x60\x49\xd9\xda\x7d\xce\xe2\x29\xfe\x3d\xb7\xe2\x84\x5b\xa6\xef\x6b\x38\x06\x80\xe0\x77\x54\xdf\xa9\x2d\x16\x05\xb3\xb2\x52\x7e\xd1\x9d\x01\x33\x3b\x2b\x58\x86\x8d\x76\x14\xc9\x2b\x7f\x93\xc9\x5e\x2c\x90\x54\xf7\xa7\x28\xe0\x56\x9b\x98\x60\x18\x31\x1d\x9a\xb3\x79\xac\x3d\x19\xc7\xf6\x5f\x87\xac\xbd\x2a\x2b\xcd\xf1\x22\xb1\xb9\x50\x2d\x3c\x3a\x69\xef\xa3\x2f\x4b\xe1\xef\x20\xda\xa4\x2e\x13\x40\x9d\x2b\x12\xdb\xfd\x03\xc6\x4a\xca\x0b\xd6\x6c\x76\xc0\x4e\xa6\xa7\x6e\xf0\x29\x46\x50\xe5\x9e\x8a\x37\x9c\x85\xc5\xac\x8e\x31\x0e\xd9\x9e\x1a\x5f\x20\xc9\xbb\xdb\xee\x13\xde\x12\x18\xf9\x5b\xe0\x40\xff\x5f\x76\x0c\x7f\x07\xab\xe3\x62\x46\x85\x08\xa2\x11\x4e\x0c\x34\xf9\x38\x95\xc1\xe2\x8a\xd8\xc5\x6f\x19\x49\x81\x6c\xff\xd0\x9c\x02\x8d\xee\xf0\x1e\x5f\xcf\x91\xb4\x38\x4c\x62\xd0\xef\xd9\xb7\xd6\x6b\x1a\xae\x30\x2a\x3e\xd2\xc3\x03\x7c\x96\x75\xac\x6c\x86\x33\x6f\xa6\x03\x25\x8a\x53\x84\x09\xba\xd5\x67\x98\x11\x28\xcb\x8c\xab\x88\xd7\x02\x7b\x2a\x92\x67\x1c\xad\x00\x0a\x2c\x9f\x31\x7f\xb4\xae\x30\x98\x0d\x3f\x28\x51\x2f\xb5\xf6\x6a\x98\xb2\xe2\x07\x7a\x6a\x7f\x84\x61\xbf\x1a\x78\xcf\x12\xb3\xce\x6e\x3a\xa4\xa2\x2f\x3c\
x63\x73\xa5\xd0\x4f\x76\x7b\x83\xc7\xd5\x7a\x56\x83\x4f\x76\x39\xc9\xac\xbb\x9f\xde\xde\xa8\x52\x76\xa0\xaa\x10\x0b\x68\xc8\xa2\x46\x31\x4a\x8c\xa0\x2f\xf0\x7d\x15\x32\xc9\x0d\x9a\x4a\x5d\xac\xba\x53\xa2\x4c\x14\xcb\x94\xb5\x7a\x8c\x23\x6c\x98\x5e\xbc\x98\x69\x71\x08\xa4\x3e\x87\x4b\x67\x15\xe6\xbe\x8d\x96\x85\xfa\xfd\xba\x1d\x7e\x5d\x1b\x4c\xed\x62\x56\x58\x47\xbd\xfc\xf6\x2b\xe1\x75\xe8\x48\x3c\xfd\x07\x11\x24\x76\x64\xe2\x73\xfc\xbe\xc2\x9f\x60\xde\xdd\x34\xc6\x81\x0f\x66\x50\xb6\xbd\xc4\x7d\xf7\x26\x7b\x8f\x53\xbc\x66\xac\x41\xa5\xc0\x50\x6e\xdf\x4a\x80\x5c\xff\x03\x43\x79\x7c\x88\x12\x56\xea\x09\x5f\xbf\x14\x57\x54\xf7\xcb\x9d\xfb\xa6\xd3\xc2\xbd\x12\xac\xe3\x07\x62\x9c\xb2\x2d\xfe\xb5\xa4\x81\x55\xde\x0e\x50\xa9\x5d\xa5\x8b\x32\x02\x58\x9b\x60\xf5\xdd\x4c\xa6\xcd\x22\xc2\xed\x78\x8f\x27\x21\xd5\x35\x43\x74\xe9\xef\xac\xf4\x94\x72\x94\xdd\xc8\x14\x92\x25\xdc\xe5\xad\xfb\x32\x25\x95\xed\x18\xa4\xdc\xb0\x56\x51\x48\xb0\x87\xe3\x7d\x42\x47\xea\xae\xcc\x58\xc5\xaa\xf1\xc6\x4e\x87\xcc\x2c\xce\x9b\x8e\xbc\xaf\x96\x3f\xc4\x41\xa6\xdf\xac\x42\x6b\xe0\xac\xe4\xec\xfb\x91\xdf\x77\x32\x72\x1a\xfb\x34\xf9\x05\xce\x73\x77\xdb\x38\x49\xd7\x40\x1b\xa3\xd3\x14\x9c\x08\xe9\x8b\xcd\xec\xa6\xde\x20\x7e\xd8\xbc\x7b\x1d\x6e\x88\x59\x7d\xa6\x28\xc6\xb0\xa7\x3c\xf9\x67\x4a\x20\x7d\xd8\x74\x5f\xe5\xb3\x2b\xdd\x8f\x55\x09\xf1\x4f\xc1\x5c\xf9\x50\x4b\xf6\x63\x4b\x2d\xf2\x83\x6e\x95\xc7\x36\xe2\x76\x2f\x27\x14\xbf\xd1\x30\xaf\x99\x1d\x8b\x64\x8a\x93\x72\x15\x83\x83\xa2\xf5\x3e\x14\xc7\xcf\xc7\x66\x3d\xb5\xca\x5c\x8a\x9c\xdd\x15\x5e\x38\xc1\xf7\x0e\x51\x61\x35\x88\x12\x8d\xd0\x85\xbb\xdd\x7e\xd2\x39\xb9\x7e\x89\x58\xce\xf3\x5f\x11\x7e\xab\x19\xb3\x70\xff\x2e\x4e\x25\x68\x9d\x62\xb6\x84\xfd\x4a\xfc\xeb\x26\x32\x51\xfa\x92\xe8\xc6\xb2\xaa\x2e\x34\xd3\xfb\x8a\xae\xd1\x8c\xdc\x73\x4f\x9b\x42\x0c\x8d\x7b\x93\x15\x55\xeb\xd7\x99\x0c\xa0\x73\xfb\x81\xbe\x98\x27\x94\xe0\x00\xd5\x05\x72\xeb\x07\x61\xd4\x95\xba\x80\x68\xf6\x57\xd7\xf7\xb9\x19\xe6\x6a\x25\xe0\x32\x11\xdf\xe6\x90\xf4\x08\x1f\xc5\xde\
x14\xf5\xf9\xd8\xbe\x47\x80\x24\xe6\x0a\x31\x38\x08\x0d\x9c\xe9\x7a\xe2\x3e\x29\x1e\x77\xa6\xe4\xa5\x07\xa9\x6a\xe0\xc0\x7d\x96\x04\xa9\x5b\x43\xb8\x17\x4c\x33\x17\x5b\xa2\x95\x05\x01\x86\xf7\x23\xb5\x0a\x60\x9e\xe0\x9b\x42\x67\xe4\xd2\xaf\x42\x96\xce\x65\x7b\xb8\xb5\xe9\x96\xf9\x8b\xd7\x5e\xd4\x2d\x09\x54\x89\x5d\x97\xd9\x88\x32\x9d\x92\x5f\x62\x89\x44\x74\xd1\xca\xa5\xde\x98\x8e\xd7\xb5\xc6\xde\xac\xfd\x90\xad\x94\x7e\xfe\xbf\x6c\xf6\x1b\x45\xd9\xc7\xb1\xba\x59\xe9\xec\x4b\x85\x59\xaf\xf8\xd3\xd0\x5f\xb0\x0f\x57\xec\x94\x2b\x0e\x9b\x9f\xdb\xde\x26\xca\xd3\x40\xcb\xb4\xf7\xc0\x44\x7b\x70\x7e\xd8\xf6\xd4\xf9\x89\xd0\xb1\xda\x0d\x0c\xda\xe6\x17\xb0\x14\x36\xfa\x68\xe3\x77\x75\xe8\x44\x41\x5e\xbd\x11\xa3\x35\x08\x46\xcf\x0b\x41\x9f\xad\x6d\xb9\x4c\xcc\x82\x83\xe9\x50\x19\xdb\x55\x91\xb9\xe8\x1c\x5d\x32\x70\x7b\x30\x02\xaf\xb2\x40\x58\x49\x5f\x6c\x21\xcd\x4b\x9e\x12\xaf\x7a\x1f\x40\x54\xfd\xa3\x7b\xa6\xa2\x94\x5e\x89\x98\x99\x76\x10\x12\x54\x8e\x41\x22\xa6\x95\x56\xe0\xca\x51\xe2\x31\x94\xbd\xc4\xe2\x72", 4096); *(uint32_t*)0x20002904 = 0x1000; *(uint32_t*)0x20002908 = 9; memcpy((void*)0x20002940, "flock=openafs", 13); *(uint8_t*)0x2000294d = 0x2c; memcpy((void*)0x2000294e, "dyn", 3); *(uint8_t*)0x20002951 = 0x2c; memcpy((void*)0x20002952, "autocell", 8); *(uint8_t*)0x2000295a = 0x2c; memcpy((void*)0x2000295b, "dyn", 3); *(uint8_t*)0x2000295e = 0x2c; memcpy((void*)0x2000295f, "flock=openafs", 13); *(uint8_t*)0x2000296c = 0x2c; memcpy((void*)0x2000296d, "source", 6); *(uint8_t*)0x20002973 = 0x3d; memcpy((void*)0x20002974, "&", 1); *(uint8_t*)0x20002975 = 0x2c; memcpy((void*)0x20002976, "source", 6); *(uint8_t*)0x2000297c = 0x3d; memcpy((void*)0x2000297d, "SEG6\000", 5); *(uint8_t*)0x20002982 = 0x2c; memcpy((void*)0x20002983, "smackfsdef", 10); *(uint8_t*)0x2000298d = 0x3d; memcpy((void*)0x2000298e, "SEG6\000", 5); *(uint8_t*)0x20002993 = 0x2c; memcpy((void*)0x20002994, "smackfsdef", 10); *(uint8_t*)0x2000299e = 0x3d; memcpy((void*)0x2000299f, "SEG6\000", 5); 
*(uint8_t*)0x200029a4 = 0x2c; memcpy((void*)0x200029a5, "subj_user", 9); *(uint8_t*)0x200029ae = 0x3d; memcpy((void*)0x200029af, "SEG6\000", 5); *(uint8_t*)0x200029b4 = 0x2c; memcpy((void*)0x200029b5, "smackfstransmute", 16); *(uint8_t*)0x200029c5 = 0x3d; memcpy((void*)0x200029c6, ":", 1); *(uint8_t*)0x200029c7 = 0x2c; memcpy((void*)0x200029c8, "seclabel", 8); *(uint8_t*)0x200029d0 = 0x2c; *(uint8_t*)0x200029d1 = 0; syz_mount_image(0x20001880, 0x200018c0, 5, 1, 0x20002900, 0x20005, 0x20002940); break; case 29: memcpy((void*)0x20002a00, "/dev/i2c-#\000", 11); syz_open_dev(0x20002a00, 0xad8, 0x2a2000); break; case 30: res = syscall(__NR_ioctl, -1, 0x5429, 0x20002a40); if (res != -1) r[15] = *(uint32_t*)0x20002a40; break; case 31: memcpy((void*)0x20002a80, "net\000", 4); syz_open_procfs(r[15], 0x20002a80); break; case 32: syz_open_pts(r[13], 0); break; case 33: *(uint32_t*)0x20002e80 = 0x20002ac0; memcpy((void*)0x20002ac0, "\x7a\xd3\xcd\x80\x2d\xd0\xc4\x24\x94\x5d\x99\xca\x9c\xa6\xe4\xfb\xb8\xf8\xe3\xb9\x80\xd2\xec", 23); *(uint32_t*)0x20002e84 = 0x17; *(uint32_t*)0x20002e88 = 0x1000; *(uint32_t*)0x20002e8c = 0x20002b00; memcpy((void*)0x20002b00, "\x32\x9d\xe8\x0b\x2b\x17\xbb\xd2\x5d\x1f\x19\x07\xa9\x26\x3a\xf3\xbf\x05\xc4\xa7\x06\x1e\x28\x49\x2a\x3f\x71\xc6\x34\x3a\xa5\xaa\xea\x03\x27\xa3", 36); *(uint32_t*)0x20002e90 = 0x24; *(uint32_t*)0x20002e94 = 5; *(uint32_t*)0x20002e98 = 0x20002b40; memcpy((void*)0x20002b40, 
"\x82\x79\x1d\xfd\x31\x1d\x07\xdb\x7d\x65\xe8\x03\xce\x6c\xa0\x00\x28\xaf\x8f\xf8\xd2\x76\x18\x7e\x0e\x14\xbb\xf7\xbe\xab\x60\xfc\x4b\x70\x72\x2e\x91\xb6\x32\x2b\x8e\x34\x72\x19\x1a\x66\x17\x6b\xb0\xca\x91\xde\xe6\x0f\x15\x06\xa6\xd4\x8b\xe4\x05\x52\x30\xc3\x0b\xe9\x4a\x10\x43\xa1\xd2\xa0\x6d\x42\x16\x60\x69\xd8\x03\x3d\x6c\x52\x4c\x86\x10\xb8\xc4\xbb\x63\xaf\x0c\xe6\xd6\x20\x71\x37\xf1\xbe\x1b\x62\xb0\x02\xe8\xc3\x5e\x64\x67\xc2\x42\x3c\xc6\x59\x7d\x1c\xa5\x8e\xe3\x15\x89\xf0\x24\x8a\xc7\x62\xe2\x4a\x28\x6a\x41\xa7\x61\x91\x2d\x34\xbb\x56\xf0\x7d\xb8\x8c\xa5\x2f\xce\x8d\x12\x87\x62\x39\x4f\xa0\x0f\xaa\xc8\x45\x1a\x42\xc3\x14\x4b\xde\xc7\xe9\x72\x96\xc9\xea\xc7\xc9\xf6\x31\x10\xa3\xd4\x05\xc1\x6b\x04\x28\x88\x00\x24\xe8\xc9\xc8\xaf\x49\x0b\x8c\xfa\xd8\x4c\xbb\x63\x78\x78\xd6\x34\xcd\x84\x34\x6b\x60\xc9\x13\x2c\x09\x66\x0c\xdc\x61\x6a\x0b", 212); *(uint32_t*)0x20002e9c = 0xd4; *(uint32_t*)0x20002ea0 = 0x7fff; *(uint32_t*)0x20002ea4 = 0x20002c40; memcpy((void*)0x20002c40, "\x90\x4b\xbc\xee\x2b\x46\xda\xa1\xac\x64\x3b\x7b\x6b\x8e\xa0\xff\x46\x2f\xea\xbe\xe5\x41\xb4\x11\xa8\x85\xe4\x70\xa4\x96\xcb\xbd\xc7\x29\xff\xde\xbc\x50\x80\x7f\x71\x9c\xbe\x80\x8d\x8b\x59\x8b\x47\x67\xc7\xa8\x52\xd9\xce\x0c\x88\x0a\x9b\x07\x8b\x01\x87\xde\xac\x92\x6b\xd4\x68\x7a\x44\xf0\x92\xbb", 74); *(uint32_t*)0x20002ea8 = 0x4a; *(uint32_t*)0x20002eac = 5; *(uint32_t*)0x20002eb0 = 0x20002cc0; memcpy((void*)0x20002cc0, 
"\x35\x31\xae\x25\x7e\x7e\x08\x77\xcd\xe3\x40\xc4\x2e\xdb\xfc\x91\xdc\xff\xaf\xf1\x28\x4e\xf0\x8a\x45\x1e\x4c\x76\xe0\xcd\x83\xb2\xc0\xea\x10\xd8\x6b\xce\xfa\x93\xbb\xae\xf5\xff\xfb\xfe\x7d\xc7\x0b\x73\xb8\x9c\x55\xfc\x38\x51\x11\x0d\x1b\xd0\xd1\xda\x31\x75\x33\x20\xb1\x11\xfe\x70\x60\x53\x7e\x8f\x65\xf3\xc2\xf0\x5a\xdc\xb3\xd6\x6b\xd2\xab\xe6\xb0\x8a\xaa\xe0\xd0\xee\xdc\xa9\x93\x77\x07\xec\x4c\xb4\x87\x4c\xdf\xd0\x58\x00\x81\x2a\xb5\x3f\x95\x50\xb2\x5a\x28\xee\x69\xe6\x2a\x0f\x79\x0f\xe5\x23\x3f\xc8\x64\x5f\xc3\xfe\x6c\xae\x05\x5f\x2a\xa1\x72\x91\x25\x17\x01\x51\xe8\x6e\xea\xb6\x7b\xb2\x0b\xc8\x84\xa1\x21\x4c\x2d\x3d\x96\x9c\x34\xfb\x23\x9b\x45\xfe\xec\x93\xac\x20\x97\x21\xba\xe7\x27\x12\x51\xc6\x13\xce\xa9\x37\x9c\x15\x21", 183); *(uint32_t*)0x20002eb4 = 0xb7; *(uint32_t*)0x20002eb8 = 4; *(uint32_t*)0x20002ebc = 0x20002d80; memcpy((void*)0x20002d80, "\xc3\xf0\x4f\x26\x92\x9b\x7a\x4d\x63\x42\x84\x1f\xa5\x3a\x9a\x8c\xb8\x00\x6a\x97\xf4\x28", 22); *(uint32_t*)0x20002ec0 = 0x16; *(uint32_t*)0x20002ec4 = 6; *(uint32_t*)0x20002ec8 = 0x20002dc0; memcpy((void*)0x20002dc0, "\xc9\x87\x12\x75\xe3\x26\x9f\xf1\xbd\xcd\x67\xfb\x52\x3e\x1c\xeb\x51\x51\xb0\xed\xe9\xe0\x32\x63\x4e\x36\xd4\x86\x04\x6b\xc3\x1c\xd9\x78\xbd\xa5\x92\x47\x35\x53\x16\x31\x9e\x76\x8e\x7a\xc6\xbe\x06\x48\xbf\x0f\xec\xd1\x3c\xda\xd4\x5f\x71\x3e\x0e\x3b\x74\xe9\x5e\xec\x77\x06\x3c\x02\xa2\x33\xea\x97\xd3\x38\xf4\xb1\xe9\xbc\x5a\x7c\xce\x85\x52\x87\x42\x63\x2e\xd5\x9c\xec\x01\x6f\x39\x14\xdd\x02\xca\x6b\x1d\xc8\x33\x22\x48\x95\x27\x73\x50\xcf\x1f\x21\xd6\xc7\x8f\x85\x92\x71\x7e\x91\x23\x3f\x90\x26\x92\x7e\x0c\xc3\xd8\x0c\xdc\x57\x71\x47\x63\xa0\xfc\xb0\x91\xf5\xc6\x90\x51\xb5\x5c\xd2\xe1\xfc\xc3\x3b\x13\xd5\x97\xc5\xca\xee\xb2\x71\xc5\x42\x97\x8a\x1e\x17", 164); *(uint32_t*)0x20002ecc = 0xa4; *(uint32_t*)0x20002ed0 = 0x9c; syz_read_part_table(1, 7, 0x20002e80); break; case 34: *(uint8_t*)0x20002f00 = 0x12; *(uint8_t*)0x20002f01 = 1; *(uint16_t*)0x20002f02 = 0x201; *(uint8_t*)0x20002f04 = 0xa4; 
*(uint8_t*)0x20002f05 = 0x61; *(uint8_t*)0x20002f06 = 0x1e; *(uint8_t*)0x20002f07 = 0x40; *(uint16_t*)0x20002f08 = 0xacd; *(uint16_t*)0x20002f0a = 0x300; *(uint16_t*)0x20002f0c = 0xc0df; *(uint8_t*)0x20002f0e = 1; *(uint8_t*)0x20002f0f = 2; *(uint8_t*)0x20002f10 = 3; *(uint8_t*)0x20002f11 = 1; *(uint8_t*)0x20002f12 = 9; *(uint8_t*)0x20002f13 = 2; *(uint16_t*)0x20002f14 = 0x372; *(uint8_t*)0x20002f16 = 2; *(uint8_t*)0x20002f17 = 4; *(uint8_t*)0x20002f18 = 0x1f; *(uint8_t*)0x20002f19 = 0; *(uint8_t*)0x20002f1a = 1; *(uint8_t*)0x20002f1b = 9; *(uint8_t*)0x20002f1c = 4; *(uint8_t*)0x20002f1d = 0x5d; *(uint8_t*)0x20002f1e = 0xb3; *(uint8_t*)0x20002f1f = 1; *(uint8_t*)0x20002f20 = 0xad; *(uint8_t*)0x20002f21 = 0x49; *(uint8_t*)0x20002f22 = 0x76; *(uint8_t*)0x20002f23 = 0x20; *(uint8_t*)0x20002f24 = 7; *(uint8_t*)0x20002f25 = 0x24; *(uint8_t*)0x20002f26 = 1; *(uint8_t*)0x20002f27 = 0; *(uint8_t*)0x20002f28 = 0x80; *(uint16_t*)0x20002f29 = 0; *(uint8_t*)0x20002f2b = 9; *(uint8_t*)0x20002f2c = 5; *(uint8_t*)0x20002f2d = 0xd; *(uint8_t*)0x20002f2e = 0; *(uint16_t*)0x20002f2f = 0x230; *(uint8_t*)0x20002f31 = 0x5d; *(uint8_t*)0x20002f32 = 1; *(uint8_t*)0x20002f33 = 0x3f; *(uint8_t*)0x20002f34 = 7; *(uint8_t*)0x20002f35 = 0x25; *(uint8_t*)0x20002f36 = 1; *(uint8_t*)0x20002f37 = 0; *(uint8_t*)0x20002f38 = 0x1f; *(uint16_t*)0x20002f39 = 2; *(uint8_t*)0x20002f3b = 0xba; *(uint8_t*)0x20002f3c = 0xe; memcpy((void*)0x20002f3d, 
"\xf4\xe6\xe5\x76\x28\x83\xc3\x4d\xf0\x4f\x35\x60\x99\xf1\xd3\x4b\xdb\xc9\xf5\x32\x4d\xa6\x48\x05\x3f\xd6\x90\x21\x1b\x89\x71\x19\xc4\xf3\xac\x19\x7f\x2a\xa9\x3f\x2f\x3b\xe0\x5f\x83\x6b\x16\x44\xd5\xb2\x32\x76\x48\xb3\x08\x16\xed\x19\x2f\x94\x3d\xfc\xe2\x25\xf6\x9d\x77\xc5\x15\x65\xe1\x77\xfd\x88\x9c\x9c\x9d\x8c\x85\xb9\x2e\xe4\xbe\xad\x0e\x88\x94\x46\xbb\xc3\x20\xa4\x0f\xa2\x48\x07\xf4\x76\xbf\xd1\xf1\xb3\x09\x6e\x33\x70\xf7\x55\xc9\x4a\xa0\x1c\x3b\xe4\xdd\xc7\x95\x2a\x56\x94\xbc\xad\x4b\xeb\x40\x65\xbf\x5e\xa9\x60\x66\xc4\x3e\x95\x07\xe6\x22\x0c\x47\xbc\x02\x71\xad\xcb\xaf\xfc\xe6\xac\x90\xcb\x3c\x8b\x1c\xf7\x48\xc6\xbb\xf9\x71\x08\xdf\xa2\xca\xc4\xb8\x7d\x34\x20\x42\x84\x34\x39\x7e\x07\xf1\x7a\x87\xed\x62\x33\xb3\x9e\x32\xf0", 184); *(uint8_t*)0x20002ff5 = 9; *(uint8_t*)0x20002ff6 = 4; *(uint8_t*)0x20002ff7 = 0x5d; *(uint8_t*)0x20002ff8 = 0x27; *(uint8_t*)0x20002ff9 = 7; *(uint8_t*)0x20002ffa = 0x3f; *(uint8_t*)0x20002ffb = 0x84; *(uint8_t*)0x20002ffc = 0xfd; *(uint8_t*)0x20002ffd = 3; *(uint8_t*)0x20002ffe = 0x10; *(uint8_t*)0x20002fff = 0x24; *(uint8_t*)0x20003000 = 2; *(uint8_t*)0x20003001 = 1; *(uint8_t*)0x20003002 = 0xe2; *(uint8_t*)0x20003003 = 2; *(uint8_t*)0x20003004 = 0x63; *(uint8_t*)0x20003005 = 0x40; memcpy((void*)0x20003006, "\xe7\x21\xcc\x44\xac\xca\x89\x38", 8); *(uint8_t*)0x2000300e = 0xb; *(uint8_t*)0x2000300f = 0x24; *(uint8_t*)0x20003010 = 2; *(uint8_t*)0x20003011 = 1; *(uint8_t*)0x20003012 = 0; *(uint8_t*)0x20003013 = 3; *(uint8_t*)0x20003014 = 1; *(uint8_t*)0x20003015 = 0; memcpy((void*)0x20003016, "\x9e\xf4\x2f", 3); *(uint8_t*)0x20003019 = 7; *(uint8_t*)0x2000301a = 0x24; *(uint8_t*)0x2000301b = 1; *(uint8_t*)0x2000301c = 4; *(uint8_t*)0x2000301d = 1; *(uint16_t*)0x2000301e = 4; *(uint8_t*)0x20003020 = 0xb; *(uint8_t*)0x20003021 = 0x24; *(uint8_t*)0x20003022 = 2; *(uint8_t*)0x20003023 = 1; *(uint8_t*)0x20003024 = 0; *(uint8_t*)0x20003025 = 3; *(uint8_t*)0x20003026 = 0x19; *(uint8_t*)0x20003027 = 6; memcpy((void*)0x20003028, "\x9e", 1); 
memcpy((void*)0x20003029, "\x69\x83", 2); *(uint8_t*)0x2000302b = 9; *(uint8_t*)0x2000302c = 5; *(uint8_t*)0x2000302d = 0xf; *(uint8_t*)0x2000302e = 0; *(uint16_t*)0x2000302f = 0x3ff; *(uint8_t*)0x20003031 = 0xf6; *(uint8_t*)0x20003032 = 5; *(uint8_t*)0x20003033 = 0x80; *(uint8_t*)0x20003034 = 9; *(uint8_t*)0x20003035 = 5; *(uint8_t*)0x20003036 = 1; *(uint8_t*)0x20003037 = 0x10; *(uint16_t*)0x20003038 = 0x10; *(uint8_t*)0x2000303a = 0; *(uint8_t*)0x2000303b = 0x40; *(uint8_t*)0x2000303c = 6; *(uint8_t*)0x2000303d = 7; *(uint8_t*)0x2000303e = 0x25; *(uint8_t*)0x2000303f = 1; *(uint8_t*)0x20003040 = 2; *(uint8_t*)0x20003041 = 0x20; *(uint16_t*)0x20003042 = 6; *(uint8_t*)0x20003044 = 9; *(uint8_t*)0x20003045 = 5; *(uint8_t*)0x20003046 = 0xb; *(uint8_t*)0x20003047 = 8; *(uint16_t*)0x20003048 = 0x10; *(uint8_t*)0x2000304a = 1; *(uint8_t*)0x2000304b = 2; *(uint8_t*)0x2000304c = 0; *(uint8_t*)0x2000304d = 9; *(uint8_t*)0x2000304e = 5; *(uint8_t*)0x2000304f = 0xd; *(uint8_t*)0x20003050 = 0x10; *(uint16_t*)0x20003051 = 0x200; *(uint8_t*)0x20003053 = 4; *(uint8_t*)0x20003054 = 8; *(uint8_t*)0x20003055 = 0xc0; *(uint8_t*)0x20003056 = 0xbb; *(uint8_t*)0x20003057 = 0x31; memcpy((void*)0x20003058, "\x21\x5c\xe6\xab\x8f\x3c\x72\xca\xa3\xab\x13\x26\xf1\x88\x38\x90\x8a\xc6\x0b\xff\xb3\xb5\x07\x48\x14\x4a\xa2\xcb\xc4\xd7\xca\xc5\x6f\x4a\x7b\xb2\xbd\x6c\x96\x96\x74\xa5\xe4\x04\x08\x61\xbb\x21\xba\x5c\xcf\x0f\x82\x2c\x10\x32\xe7\xe3\x72\x9f\x8c\x17\x1f\xc7\xa8\x9b\x53\x40\xb5\x06\x71\x08\xd5\x97\xf1\x78\xaa\x65\x1a\x98\xac\xa4\xd0\x12\xfa\x55\x5a\x69\x56\x83\xb5\x27\xe6\x03\x1f\x1f\x7f\x20\x49\x4b\x25\x0e\x3a\x6c\xd8\xb4\xde\x96\x47\xe1\x50\x04\x98\x67\x09\x7c\x47\xcc\x23\x7c\x61\x2c\xef\xe6\x98\x33\x2f\x1f\xe7\xf0\x2e\x6f\x53\xe8\x45\xb1\xf5\xe7\xb4\xb2\x4a\xd8\x62\x9b\x78\xce\x76\x30\xe2\xd4\x01\x20\xfb\xc3\xf4\x93\x75\xa4\xa0\x86\xde\xdd\x2a\x27\xf0\x6b\x3e\xd3\xd7\x56\xa8\x19\xb9\x7f\x75\x9a\xa5\x4a\xef\x83\xdf\x48\x68\xa9\xe9", 185); *(uint8_t*)0x20003111 = 9; 
*(uint8_t*)0x20003112 = 5; *(uint8_t*)0x20003113 = 3; *(uint8_t*)0x20003114 = 0x12; *(uint16_t*)0x20003115 = 0x3ff; *(uint8_t*)0x20003117 = 0; *(uint8_t*)0x20003118 = 1; *(uint8_t*)0x20003119 = -1; *(uint8_t*)0x2000311a = 0xad; *(uint8_t*)0x2000311b = 0x31; memcpy((void*)0x2000311c, "\x0c\x92\x1d\x3f\x98\x0f\x4e\x53\x14\x7a\x46\xbd\x58\x56\xda\x03\x08\x16\x60\xfb\xed\x7b\x8b\x2d\x38\x9b\xe8\xa0\x38\xe9\x5c\x29\x58\xa4\x77\xed\x5f\xaf\x9e\xf3\x8c\x82\xc3\xab\xea\x25\x44\x59\xed\xb0\xf2\xcf\x28\x62\x35\x03\x40\x87\xad\xb7\x90\x7f\xf1\x92\x64\x0b\x93\x68\x86\xbd\x48\xd3\xa5\x12\x15\x40\x6b\x3a\xa0\xb6\xd8\xf8\xd9\x1d\x83\x0f\x52\x36\xa9\xa8\xbe\x03\xc2\x21\x5f\x01\x21\x31\x96\x8c\x6a\x80\x86\x0a\xe8\x11\x93\x05\x94\x68\x10\x8e\xfd\x4f\x13\x05\x37\x9d\x01\x15\xc7\xec\x66\x7b\x03\x59\x94\x0e\x56\x64\xbf\x7b\x3c\x4a\x5f\x04\xca\x3c\x51\xdb\x9d\x2c\xd4\x17\xe9\x09\x9b\xff\x62\x8b\x8e\x1a\x8e\xd0\xf5\x96\x14\x93\x57\xa0\x8a\xbd\x11\x77\xeb\x97\x73\x53\xeb\x89\x32", 171); *(uint8_t*)0x200031c7 = 0x93; *(uint8_t*)0x200031c8 = 0x11; memcpy((void*)0x200031c9, "\xa8\xe2\x2d\x54\x2a\xe3\xd8\x31\xf3\x37\x21\x1b\xb5\xbe\x12\xa5\xc4\x6e\x5c\xf9\xb5\x56\xd8\x4d\x5a\xf4\xca\xca\x87\x42\xad\x21\x61\x40\x56\x2b\x7e\x54\x21\xe2\x64\x24\x71\xe8\xf5\x0e\xb8\xae\xf0\x62\x12\xb4\x6c\x64\x4a\xe5\x84\x63\xe1\x8b\x3e\x72\xbd\x3e\xca\x60\x60\xfa\x8b\x94\x03\x17\x96\xe5\x5e\xb4\x1d\x3f\x31\x8a\xff\xbf\x08\x1e\xeb\x17\x08\x85\x1e\x72\xfa\xdd\x88\x7e\x03\x30\x13\x43\x19\xf0\xa5\x96\x7e\xda\x65\x7b\xc1\x10\x1f\x74\xde\xba\x42\xe7\x8a\xff\x20\xfb\x5d\x3c\x1f\xe4\x9d\x9a\x05\x46\x57\xb6\xf1\xaf\x3d\x01\x5f\xc1\x6f\xf8\x08\x73\xf3\x26\x69\x08\x43\xdf\x81", 145); *(uint8_t*)0x2000325a = 9; *(uint8_t*)0x2000325b = 5; *(uint8_t*)0x2000325c = 0xf; *(uint8_t*)0x2000325d = 4; *(uint16_t*)0x2000325e = 0x200; *(uint8_t*)0x20003260 = 0; *(uint8_t*)0x20003261 = 0x1f; *(uint8_t*)0x20003262 = 1; *(uint8_t*)0x20003263 = 0x11; *(uint8_t*)0x20003264 = 6; memcpy((void*)0x20003265, 
"\x82\x4b\x7d\x09\x57\xbc\x55\x2d\x22\x4f\xdf\x6b\xff\x63\xa8", 15); *(uint8_t*)0x20003274 = 7; *(uint8_t*)0x20003275 = 0x25; *(uint8_t*)0x20003276 = 1; *(uint8_t*)0x20003277 = 0x80; *(uint8_t*)0x20003278 = 0xfd; *(uint16_t*)0x20003279 = 6; *(uint8_t*)0x2000327b = 9; *(uint8_t*)0x2000327c = 5; *(uint8_t*)0x2000327d = 0; *(uint8_t*)0x2000327e = 0; *(uint16_t*)0x2000327f = 0x20; *(uint8_t*)0x20003281 = 0x1f; *(uint8_t*)0x20003282 = 0xfd; *(uint8_t*)0x20003283 = 3; *(uint32_t*)0x20003400 = 0xa; *(uint32_t*)0x20003404 = 0x200032c0; *(uint8_t*)0x200032c0 = 0xa; *(uint8_t*)0x200032c1 = 6; *(uint16_t*)0x200032c2 = 0x110; *(uint8_t*)0x200032c4 = 0x4d; *(uint8_t*)0x200032c5 = 0x80; *(uint8_t*)0x200032c6 = 0x80; *(uint8_t*)0x200032c7 = 0x20; *(uint8_t*)0x200032c8 = 0xc1; *(uint8_t*)0x200032c9 = 0; *(uint32_t*)0x20003408 = 0x46; *(uint32_t*)0x2000340c = 0x20003300; *(uint8_t*)0x20003300 = 5; *(uint8_t*)0x20003301 = 0xf; *(uint16_t*)0x20003302 = 0x46; *(uint8_t*)0x20003304 = 5; *(uint8_t*)0x20003305 = 0xb; *(uint8_t*)0x20003306 = 0x10; *(uint8_t*)0x20003307 = 1; *(uint8_t*)0x20003308 = 0xc; *(uint16_t*)0x20003309 = 0x35; *(uint8_t*)0x2000330b = 0; *(uint8_t*)0x2000330c = 0xdf; *(uint16_t*)0x2000330d = 9; *(uint8_t*)0x2000330f = 0xf7; *(uint8_t*)0x20003310 = 7; *(uint8_t*)0x20003311 = 0x10; *(uint8_t*)0x20003312 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003313, 0xe, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003314, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003314, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003315, 9, 0, 16); *(uint8_t*)0x20003317 = 0x18; *(uint8_t*)0x20003318 = 0x10; *(uint8_t*)0x20003319 = 0xa; *(uint8_t*)0x2000331a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000331b, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000331b, 0x7fffffe, 5, 27); *(uint16_t*)0x2000331f = 0xff0f; *(uint16_t*)0x20003321 = 0x101; *(uint32_t*)0x20003323 = 0xffc0a0; *(uint32_t*)0x20003327 = 0; *(uint32_t*)0x2000332b = 0xffff0f; *(uint8_t*)0x2000332f = 0x10; *(uint8_t*)0x20003330 = 0x10; 
*(uint8_t*)0x20003331 = 0xa; *(uint8_t*)0x20003332 = 3; STORE_BY_BITMASK(uint32_t, , 0x20003333, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003333, 0x200, 5, 27); *(uint16_t*)0x20003337 = 0xff00; *(uint16_t*)0x20003339 = 1; *(uint32_t*)0x2000333b = 0; *(uint8_t*)0x2000333f = 7; *(uint8_t*)0x20003340 = 0x10; *(uint8_t*)0x20003341 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003342, 0x16, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003343, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003343, 0xe, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003344, 7, 0, 16); *(uint32_t*)0x20003410 = 2; *(uint32_t*)0x20003414 = 4; *(uint32_t*)0x20003418 = 0x20003380; *(uint8_t*)0x20003380 = 4; *(uint8_t*)0x20003381 = 3; *(uint16_t*)0x20003382 = 0x380a; *(uint32_t*)0x2000341c = 4; *(uint32_t*)0x20003420 = 0x200033c0; *(uint8_t*)0x200033c0 = 4; *(uint8_t*)0x200033c1 = 3; *(uint16_t*)0x200033c2 = 0x42f; res = -1; res = syz_usb_connect(4, 0x384, 0x20002f00, 0x20003400); if (res != -1) r[16] = res; break; case 35: *(uint8_t*)0x20003440 = 0x12; *(uint8_t*)0x20003441 = 1; *(uint16_t*)0x20003442 = 0x200; *(uint8_t*)0x20003444 = -1; *(uint8_t*)0x20003445 = -1; *(uint8_t*)0x20003446 = -1; *(uint8_t*)0x20003447 = 0x40; *(uint16_t*)0x20003448 = 0xcf3; *(uint16_t*)0x2000344a = 0x9271; *(uint16_t*)0x2000344c = 0x108; *(uint8_t*)0x2000344e = 1; *(uint8_t*)0x2000344f = 2; *(uint8_t*)0x20003450 = 3; *(uint8_t*)0x20003451 = 1; *(uint8_t*)0x20003452 = 9; *(uint8_t*)0x20003453 = 2; *(uint16_t*)0x20003454 = 0x48; *(uint8_t*)0x20003456 = 1; *(uint8_t*)0x20003457 = 1; *(uint8_t*)0x20003458 = 0; *(uint8_t*)0x20003459 = 0x80; *(uint8_t*)0x2000345a = 0xfa; *(uint8_t*)0x2000345b = 9; *(uint8_t*)0x2000345c = 4; *(uint8_t*)0x2000345d = 0; *(uint8_t*)0x2000345e = 0; *(uint8_t*)0x2000345f = 6; *(uint8_t*)0x20003460 = -1; *(uint8_t*)0x20003461 = 0; *(uint8_t*)0x20003462 = 0; *(uint8_t*)0x20003463 = 0; *(uint8_t*)0x20003464 = 9; *(uint8_t*)0x20003465 = 5; *(uint8_t*)0x20003466 = 1; *(uint8_t*)0x20003467 = 2; *(uint16_t*)0x20003468 = 
0x200; *(uint8_t*)0x2000346a = 0; *(uint8_t*)0x2000346b = 0; *(uint8_t*)0x2000346c = 0; *(uint8_t*)0x2000346d = 9; *(uint8_t*)0x2000346e = 5; *(uint8_t*)0x2000346f = 0x82; *(uint8_t*)0x20003470 = 2; *(uint16_t*)0x20003471 = 0x200; *(uint8_t*)0x20003473 = 0; *(uint8_t*)0x20003474 = 0; *(uint8_t*)0x20003475 = 0; *(uint8_t*)0x20003476 = 9; *(uint8_t*)0x20003477 = 5; *(uint8_t*)0x20003478 = 0x83; *(uint8_t*)0x20003479 = 3; *(uint16_t*)0x2000347a = 0x40; *(uint8_t*)0x2000347c = 1; *(uint8_t*)0x2000347d = 0; *(uint8_t*)0x2000347e = 0; *(uint8_t*)0x2000347f = 9; *(uint8_t*)0x20003480 = 5; *(uint8_t*)0x20003481 = 4; *(uint8_t*)0x20003482 = 3; *(uint16_t*)0x20003483 = 0x40; *(uint8_t*)0x20003485 = 1; *(uint8_t*)0x20003486 = 0; *(uint8_t*)0x20003487 = 0; *(uint8_t*)0x20003488 = 9; *(uint8_t*)0x20003489 = 5; *(uint8_t*)0x2000348a = 5; *(uint8_t*)0x2000348b = 2; *(uint16_t*)0x2000348c = 0x200; *(uint8_t*)0x2000348e = 0; *(uint8_t*)0x2000348f = 0; *(uint8_t*)0x20003490 = 0; *(uint8_t*)0x20003491 = 9; *(uint8_t*)0x20003492 = 5; *(uint8_t*)0x20003493 = 6; *(uint8_t*)0x20003494 = 2; *(uint16_t*)0x20003495 = 0x200; *(uint8_t*)0x20003497 = 0; *(uint8_t*)0x20003498 = 0; *(uint8_t*)0x20003499 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20003440, 0); break; case 36: *(uint32_t*)0x200036c0 = 0x18; *(uint32_t*)0x200036c4 = 0x200034c0; *(uint8_t*)0x200034c0 = 0x20; *(uint8_t*)0x200034c1 = 8; *(uint32_t*)0x200034c2 = 0xd4; *(uint8_t*)0x200034c6 = 0xd4; *(uint8_t*)0x200034c7 = 0x31; memcpy((void*)0x200034c8, 
"\xdd\x9f\xe1\xd6\xf8\xee\x76\xd6\x28\x92\x46\xb5\x27\x7c\xc1\x9f\x3c\x46\x21\xad\xd8\x21\xa7\xf3\xd1\xaa\xe9\x94\xdb\xf4\xb1\xbd\x89\xe8\x77\x07\x34\x76\x8a\xde\x97\xe5\x1d\x24\x8f\x53\xcd\x53\x0b\x31\x11\x9a\xac\xcf\x53\xb6\xf6\xed\xdf\x4b\x8b\xfe\x6a\x1a\x85\x9c\x3d\xc2\x86\xf8\x33\x5c\x9d\x15\xe5\xd5\x16\x9b\x24\x41\x55\x39\x10\x62\xff\x88\x5d\x40\xbe\x37\x07\xb6\xd1\xea\x25\x2a\x96\xd9\x7a\xb2\x4f\xb6\x75\xf5\x45\x57\xcf\xa2\x4d\x80\x5b\x07\x95\x70\x8a\xf5\x06\x5d\x4b\x66\x62\xdf\xd5\x4d\xd5\x9c\xfc\xe1\x67\x3a\xb3\x56\xa2\x54\xf6\xb5\xbc\xe4\x4c\x61\x9a\x17\xff\xce\x8e\xbb\x96\xe0\x83\xc0\x82\x45\x00\x62\xbd\x71\xa2\x06\xca\x92\x1e\x0b\x77\xf5\x17\xc1\x61\x95\x86\xb3\xbc\xa3\xe2\x49\x08\x21\x01\x6c\xc7\x6c\xaf\x96\xc0\xec\x90\x68\xb4\x5e\x23\x34\xed\x9a\x6f\xf0\x6a\x63\x43\xae\x01\xf0\xae\xf6\x12\x7e\xba\xf5\xb5\x2d\x69\xe3", 210); *(uint32_t*)0x200036c8 = 0x200035c0; *(uint8_t*)0x200035c0 = 0; *(uint8_t*)0x200035c1 = 3; *(uint32_t*)0x200035c2 = 4; *(uint8_t*)0x200035c6 = 4; *(uint8_t*)0x200035c7 = 3; *(uint16_t*)0x200035c8 = 0x40e; *(uint32_t*)0x200036cc = 0x20003600; *(uint8_t*)0x20003600 = 0; *(uint8_t*)0x20003601 = 0xf; *(uint32_t*)0x20003602 = 0x28; *(uint8_t*)0x20003606 = 5; *(uint8_t*)0x20003607 = 0xf; *(uint16_t*)0x20003608 = 0x28; *(uint8_t*)0x2000360a = 2; *(uint8_t*)0x2000360b = 3; *(uint8_t*)0x2000360c = 0x10; *(uint8_t*)0x2000360d = 0xb; *(uint8_t*)0x2000360e = 0x20; *(uint8_t*)0x2000360f = 0x10; *(uint8_t*)0x20003610 = 0xa; memcpy((void*)0x20003611, "\x19\x5f\xa2\xf3\x24\xc0\xbe\x96\xda\x3d\xb2\x6a\xfa\x56\x77\x53\x0a\xc0\xfa\xf4\xc6\x82\xbe\x7c\x15\xe9\xa5\x86\x66", 29); *(uint32_t*)0x200036d0 = 0x20003640; *(uint8_t*)0x20003640 = 0x20; *(uint8_t*)0x20003641 = 0x29; *(uint32_t*)0x20003642 = 0xf; *(uint8_t*)0x20003646 = 0xf; *(uint8_t*)0x20003647 = 0x29; *(uint8_t*)0x20003648 = 9; *(uint16_t*)0x20003649 = 1; *(uint8_t*)0x2000364b = 0; *(uint8_t*)0x2000364c = 9; memcpy((void*)0x2000364d, "\x05\x7c\x41\x7e", 4); memcpy((void*)0x20003651, 
"\x8d\xa4\x36\xc4", 4); *(uint32_t*)0x200036d4 = 0x20003680; *(uint8_t*)0x20003680 = 0x20; *(uint8_t*)0x20003681 = 0x2a; *(uint32_t*)0x20003682 = 0xc; *(uint8_t*)0x20003686 = 0xc; *(uint8_t*)0x20003687 = 0x2a; *(uint8_t*)0x20003688 = 0x20; *(uint16_t*)0x20003689 = 0x10; *(uint8_t*)0x2000368b = 0x80; *(uint8_t*)0x2000368c = 0x40; *(uint8_t*)0x2000368d = 0x1f; *(uint16_t*)0x2000368e = 0; *(uint16_t*)0x20003690 = 5; *(uint32_t*)0x20003b40 = 0x44; *(uint32_t*)0x20003b44 = 0x20003700; *(uint8_t*)0x20003700 = 0x60; *(uint8_t*)0x20003701 = 8; *(uint32_t*)0x20003702 = 0x54; memcpy((void*)0x20003706, "\x85\xf9\x88\x04\x52\x78\xf9\x75\x32\xa6\x67\xcb\xee\x9b\x82\x1d\x65\x54\xfb\x1c\x6d\x18\xdf\xfb\x78\x51\x96\xd9\x07\x27\xe1\xb4\x61\x5c\x86\xee\x04\x9a\x16\x96\xb1\x66\x8f\x00\x0e\x62\xd5\x39\xe0\x81\xcf\x07\xe3\x60\x17\x1c\xe6\x1c\xa2\xf9\x56\x44\xb9\xad\x8e\x92\x11\xa1\xb1\x9c\x43\x99\xbd\xfd\x6d\x53\x3b\xf8\x95\x52\x42\x72\x5b\xb4", 84); *(uint32_t*)0x20003b48 = 0x20003780; *(uint8_t*)0x20003780 = 0; *(uint8_t*)0x20003781 = 0xa; *(uint32_t*)0x20003782 = 1; *(uint8_t*)0x20003786 = 1; *(uint32_t*)0x20003b4c = 0x200037c0; *(uint8_t*)0x200037c0 = 0; *(uint8_t*)0x200037c1 = 8; *(uint32_t*)0x200037c2 = 1; *(uint8_t*)0x200037c6 = 0x81; *(uint32_t*)0x20003b50 = 0x20003800; *(uint8_t*)0x20003800 = 0x20; *(uint8_t*)0x20003801 = 0; *(uint32_t*)0x20003802 = 4; *(uint16_t*)0x20003806 = 2; *(uint16_t*)0x20003808 = 0; *(uint32_t*)0x20003b54 = 0x20003840; *(uint8_t*)0x20003840 = 0x20; *(uint8_t*)0x20003841 = 0; *(uint32_t*)0x20003842 = 8; *(uint16_t*)0x20003846 = 0x200; *(uint16_t*)0x20003848 = 0x40; *(uint32_t*)0x2000384a = 0xff; *(uint32_t*)0x20003b58 = 0x20003880; *(uint8_t*)0x20003880 = 0x40; *(uint8_t*)0x20003881 = 7; *(uint32_t*)0x20003882 = 2; *(uint16_t*)0x20003886 = 1; *(uint32_t*)0x20003b5c = 0x200038c0; *(uint8_t*)0x200038c0 = 0x40; *(uint8_t*)0x200038c1 = 9; *(uint32_t*)0x200038c2 = 1; *(uint8_t*)0x200038c6 = 0x81; *(uint32_t*)0x20003b60 = 0x20003900; *(uint8_t*)0x20003900 = 
0x40; *(uint8_t*)0x20003901 = 0xb; *(uint32_t*)0x20003902 = 2; memcpy((void*)0x20003906, "\x8e\xaf", 2); *(uint32_t*)0x20003b64 = 0x20003940; *(uint8_t*)0x20003940 = 0x40; *(uint8_t*)0x20003941 = 0xf; *(uint32_t*)0x20003942 = 2; *(uint16_t*)0x20003946 = 9; *(uint32_t*)0x20003b68 = 0x20003980; *(uint8_t*)0x20003980 = 0x40; *(uint8_t*)0x20003981 = 0x13; *(uint32_t*)0x20003982 = 6; *(uint8_t*)0x20003986 = 0xaa; *(uint8_t*)0x20003987 = 0xaa; *(uint8_t*)0x20003988 = 0xaa; *(uint8_t*)0x20003989 = 0xaa; *(uint8_t*)0x2000398a = 0xaa; *(uint8_t*)0x2000398b = 0x38; *(uint32_t*)0x20003b6c = 0x200039c0; *(uint8_t*)0x200039c0 = 0x40; *(uint8_t*)0x200039c1 = 0x17; *(uint32_t*)0x200039c2 = 6; *(uint8_t*)0x200039c6 = -1; *(uint8_t*)0x200039c7 = -1; *(uint8_t*)0x200039c8 = -1; *(uint8_t*)0x200039c9 = -1; *(uint8_t*)0x200039ca = -1; *(uint8_t*)0x200039cb = -1; *(uint32_t*)0x20003b70 = 0x20003a00; *(uint8_t*)0x20003a00 = 0x40; *(uint8_t*)0x20003a01 = 0x19; *(uint32_t*)0x20003a02 = 2; memcpy((void*)0x20003a06, "{k", 2); *(uint32_t*)0x20003b74 = 0x20003a40; *(uint8_t*)0x20003a40 = 0x40; *(uint8_t*)0x20003a41 = 0x1a; *(uint32_t*)0x20003a42 = 2; *(uint16_t*)0x20003a46 = 0x40; *(uint32_t*)0x20003b78 = 0x20003a80; *(uint8_t*)0x20003a80 = 0x40; *(uint8_t*)0x20003a81 = 0x1c; *(uint32_t*)0x20003a82 = 1; *(uint8_t*)0x20003a86 = 0; *(uint32_t*)0x20003b7c = 0x20003ac0; *(uint8_t*)0x20003ac0 = 0x40; *(uint8_t*)0x20003ac1 = 0x1e; *(uint32_t*)0x20003ac2 = 1; *(uint8_t*)0x20003ac6 = 0xfe; *(uint32_t*)0x20003b80 = 0x20003b00; *(uint8_t*)0x20003b00 = 0x40; *(uint8_t*)0x20003b01 = 0x21; *(uint32_t*)0x20003b02 = 1; *(uint8_t*)0x20003b06 = 0xfa; syz_usb_control_io(r[16], 0x200036c0, 0x20003b40); break; case 37: *(uint8_t*)0x20003bc0 = 0x12; *(uint8_t*)0x20003bc1 = 1; *(uint16_t*)0x20003bc2 = 0x201; *(uint8_t*)0x20003bc4 = 0; *(uint8_t*)0x20003bc5 = 0; *(uint8_t*)0x20003bc6 = 0; *(uint8_t*)0x20003bc7 = 0x10; *(uint16_t*)0x20003bc8 = 0x46d; *(uint16_t*)0x20003bca = 0xc22d; *(uint16_t*)0x20003bcc = 0x40; 
*(uint8_t*)0x20003bce = 1; *(uint8_t*)0x20003bcf = 2; *(uint8_t*)0x20003bd0 = 3; *(uint8_t*)0x20003bd1 = 1; *(uint8_t*)0x20003bd2 = 9; *(uint8_t*)0x20003bd3 = 2; *(uint16_t*)0x20003bd4 = 0x2d; *(uint8_t*)0x20003bd6 = 1; *(uint8_t*)0x20003bd7 = 1; *(uint8_t*)0x20003bd8 = 0; *(uint8_t*)0x20003bd9 = 0x10; *(uint8_t*)0x20003bda = 2; *(uint8_t*)0x20003bdb = 9; *(uint8_t*)0x20003bdc = 4; *(uint8_t*)0x20003bdd = 0; *(uint8_t*)0x20003bde = 0x2f; *(uint8_t*)0x20003bdf = 2; *(uint8_t*)0x20003be0 = 3; *(uint8_t*)0x20003be1 = 1; *(uint8_t*)0x20003be2 = 1; *(uint8_t*)0x20003be3 = 0xfd; *(uint8_t*)0x20003be4 = 9; *(uint8_t*)0x20003be5 = 0x21; *(uint16_t*)0x20003be6 = 9; *(uint8_t*)0x20003be8 = 1; *(uint8_t*)0x20003be9 = 1; *(uint8_t*)0x20003bea = 0x22; *(uint16_t*)0x20003beb = 0x2ff; *(uint8_t*)0x20003bed = 9; *(uint8_t*)0x20003bee = 5; *(uint8_t*)0x20003bef = 0x81; *(uint8_t*)0x20003bf0 = 3; *(uint16_t*)0x20003bf1 = 0x10; *(uint8_t*)0x20003bf3 = 6; *(uint8_t*)0x20003bf4 = -1; *(uint8_t*)0x20003bf5 = 4; *(uint8_t*)0x20003bf6 = 9; *(uint8_t*)0x20003bf7 = 5; *(uint8_t*)0x20003bf8 = 2; *(uint8_t*)0x20003bf9 = 3; *(uint16_t*)0x20003bfa = 8; *(uint8_t*)0x20003bfc = 4; *(uint8_t*)0x20003bfd = 6; *(uint8_t*)0x20003bfe = 0x7f; *(uint32_t*)0x20003cc0 = 0xa; *(uint32_t*)0x20003cc4 = 0x20003c00; *(uint8_t*)0x20003c00 = 0xa; *(uint8_t*)0x20003c01 = 6; *(uint16_t*)0x20003c02 = 0x300; *(uint8_t*)0x20003c04 = 3; *(uint8_t*)0x20003c05 = 2; *(uint8_t*)0x20003c06 = 0xfa; *(uint8_t*)0x20003c07 = 8; *(uint8_t*)0x20003c08 = 0x74; *(uint8_t*)0x20003c09 = 0; *(uint32_t*)0x20003cc8 = 0x28; *(uint32_t*)0x20003ccc = 0x20003c40; *(uint8_t*)0x20003c40 = 5; *(uint8_t*)0x20003c41 = 0xf; *(uint16_t*)0x20003c42 = 0x28; *(uint8_t*)0x20003c44 = 2; *(uint8_t*)0x20003c45 = 3; *(uint8_t*)0x20003c46 = 0x10; *(uint8_t*)0x20003c47 = 0xb; *(uint8_t*)0x20003c48 = 0x20; *(uint8_t*)0x20003c49 = 0x10; *(uint8_t*)0x20003c4a = 0xa; *(uint8_t*)0x20003c4b = 3; STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 5, 0, 5); 
STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 8, 5, 27); *(uint16_t*)0x20003c50 = 0xf00; *(uint16_t*)0x20003c52 = 0xf831; *(uint32_t*)0x20003c54 = 0xc0; *(uint32_t*)0x20003c58 = 0xc0a0; *(uint32_t*)0x20003c5c = 0xff000f; *(uint32_t*)0x20003c60 = 7; *(uint32_t*)0x20003c64 = 0xc0f0; *(uint32_t*)0x20003cd0 = 1; *(uint32_t*)0x20003cd4 = 4; *(uint32_t*)0x20003cd8 = 0x20003c80; *(uint8_t*)0x20003c80 = 4; *(uint8_t*)0x20003c81 = 3; *(uint16_t*)0x20003c82 = 0x436; res = -1; res = syz_usb_connect(4, 0x3f, 0x20003bc0, 0x20003cc0); if (res != -1) r[17] = res; break; case 38: syz_usb_disconnect(r[17]); break; case 39: syz_usb_ep_read(-1, 0x80, 0xc4, 0x20003d00); break; case 40: memcpy((void*)0x20003e00, "\x50\x74\xfa\x81\xf3\xf3\x73\xda\x27\x99\xca\xfb\x26\xb4\x49\x7c\xb3\xc8\x7b\xc0\xf8\x2f\xa7\x88\x54\x68\xbd\x41\x23\x20\x65\xaa\x95\x61\xd2\x4a\xe0\xf1\xd0\xe0\x36\xac\x71\x4a\xc5\xaf\x89\xc6\x9d\x88\x61\xca\xd7\x13\xfc\xb8\xba\xcb\x8c\x4b\x10\xdc\x3b\x6e\xc2\x04\x4c\x01\xf3\x71\xb1\x24\xc0\xa0\xf4\xba\xce\x7d\x51\x79\x87\x2c\xdd\x20\x5e\x09\xc3\xee\xb7\xd5\x57\x7b\x26\xe9\x8f\x84\x55\x4e\xd6", 99); syz_usb_ep_write(r[16], 0x7f, 0x63, 0x20003e00); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } <stdin>: In function ‘syz_io_uring_setup’: <stdin>:248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) <stdin>:248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor468469650 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/12 (0.23s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 
Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:true NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$zero(0xffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x161000, 0x0) ioctl$SNAPSHOT_FREE(r0, 0x3305) syz_genetlink_get_family_id$l2tp(&(0x7f0000000040)='l2tp\x00') openat$dlm_control(0xffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x20000, 0x0) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f00000000c0)=0x17, 0x4) r1 = mmap$IORING_OFF_SQES(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x2000000, 0x1010, r0, 0x10000000) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, r1, &(0x7f00000003c0)=@IORING_OP_RECVMSG={0xa, 0x4, 0x0, r2, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=@x25={0x9, @remote}, 0x80, &(0x7f0000000240)=[{&(0x7f0000000180)=""/147, 0x93}], 0x1, &(0x7f0000000280)=""/202, 0xca}, 0x0, 0x0, 0x1, {0x3, r3}}, 0x10001) ioctl$KDSKBMETA(0xffffffffffffffff, 0x4b63, &(0x7f0000000440)=0x4) syz_emit_ethernet(0x56, &(0x7f0000000000)={@local, @remote, @void, {@canfd={0xd, {{0x3, 0x0, 0x1, 0x1}, 0x11, 0x2, 0x0, 0x0, "f4ebe40216fede5ef6c5310f0413c5d41b32fc23e07fd332a8a5c5f966821da091f47b7b9cf9228727ff7412c2e4a3a1573bb295482d7b4a3effd863cc60f5d8"}}}}, &(0x7f0000000080)={0x0, 0x4, [0xd2d, 0xc61, 0x6d3, 0xbe2]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x1, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x7f, 0x2}}}}, 0xf) syz_execute_func(&(0x7f0000000100)="c4c2cd45f18fe800edb85c2f009ee96436360f2811c4c3c90b6b0787c4c2f1a603f30fa6d0f36f650ffa0ec4c21d2f9f5aac384f3e65f3ab") syz_extract_tcp_res(&(0x7f0000000140), 0x2c, 0x9f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000180)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x3, 0xcc) 
r4 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3000001, 0x80000, 0xffffffffffffffff, 0x0) r5 = syz_io_uring_complete(r4) r6 = io_uring_setup(0x3a3b, &(0x7f00000001c0)={0x0, 0xd9fd, 0x20, 0x0, 0x308, 0x0, 0xffffffffffffffff}) r8 = syz_io_uring_setup(0x17a8, &(0x7f0000000240)={0x0, 0xb18d, 0x15b3e67cab3a8d6e, 0x2, 0x158, 0x0, r7}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f00000002c0), &(0x7f0000000300)) syz_io_uring_setup(0x6b11, &(0x7f0000000340)={0x0, 0x15f8, 0x20, 0x2, 0xd2}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f00000003c0)=0x0, &(0x7f0000000400)=0x0) r11 = socket$bt_rfcomm(0x1f, 0x3, 0x3) r12 = io_uring_register$IORING_REGISTER_PERSONALITY(r5, 0x9, 0x0, 0x0) syz_io_uring_submit(r4, r10, &(0x7f0000001700)=@IORING_OP_RECVMSG={0xa, 0x2, 0x0, r11, 0x0, &(0x7f00000016c0)={&(0x7f0000000440)=@nl=@proc, 0x80, &(0x7f00000015c0)=[{&(0x7f00000004c0)=""/44, 0x2c}, {&(0x7f0000000500)=""/4096, 0x1000}, {&(0x7f0000001500)=""/40, 0x28}, {&(0x7f0000001540)=""/74, 0x4a}], 0x4, &(0x7f0000001600)=""/185, 0xb9}, 0x0, 0x2000, 0x1, {0x3, r12}}, 0xad23946) r13 = fsmount(r5, 0x1, 0x84) ioctl$F2FS_IOC_MOVE_RANGE(r8, 0xc01cf509, &(0x7f0000001740)={r6, 0x3, 0x6, 0x1000}) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000017c0)=[{0x0, &(0x7f0000001780)="e7bed238547695a78957b574bacb6dbc567a3232e76559b4ea3931b608578a24da4c749795975b0ae51da8a86dde75b1d684", 0x32}], 0x1, 0x0, &(0x7f0000001800), 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r9, 0x114, &(0x7f0000001840), 0x0, 0x4) syz_mount_image$afs(&(0x7f0000001880)='afs\x00', &(0x7f00000018c0)='./file0\x00', 0x5, 0x1, &(0x7f0000002900)=[{&(0x7f0000001900)="", 0x1000, 0x9}], 0x20005, &(0x7f0000002940)={[{@flock_openafs='flock=openafs'}, {@dyn='dyn'}, {@autocell='autocell'}, {@dyn='dyn'}, {@flock_openafs='flock=openafs'}, {@source={'source', 0x3d, '&'}}, {@source={'source', 0x3d, 'SEG6\x00'}}], [{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, 
{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@subj_user={'subj_user', 0x3d, 'SEG6\x00'}}, {@smackfstransmute={'smackfstransmute', 0x3d, ':'}}, {@seclabel='seclabel'}]}) syz_open_dev$I2C(&(0x7f0000002a00)='/dev/i2c-#\x00', 0xad8, 0x2a2000) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000002a40)=0x0) syz_open_procfs(r15, &(0x7f0000002a80)='net\x00') syz_open_pts(r13, 0x0) syz_read_part_table(0x1, 0x7, &(0x7f0000002e80)=[{&(0x7f0000002ac0)="7ad3cd802dd0c424945d99ca9ca6e4fbb8f8e3b980d2ec", 0x17, 0x1000}, {&(0x7f0000002b00)="329de80b2b17bbd25d1f1907a9263af3bf05c4a7061e28492a3f71c6343aa5aaea0327a3", 0x24, 0x5}, {&(0x7f0000002b40)="82791dfd311d07db7d65e803ce6ca00028af8ff8d276187e0e14bbf7beab60fc4b70722e91b6322b8e3472191a66176bb0ca91dee60f1506a6d48be4055230c30be94a1043a1d2a06d42166069d8033d6c524c8610b8c4bb63af0ce6d6207137f1be1b62b002e8c35e6467c2423cc6597d1ca58ee31589f0248ac762e24a286a41a761912d34bb56f07db88ca52fce8d128762394fa00faac8451a42c3144bdec7e97296c9eac7c9f63110a3d405c16b0428880024e8c9c8af490b8cfad84cbb637878d634cd84346b60c9132c09660cdc616a0b", 0xd4, 0x7fff}, {&(0x7f0000002c40)="904bbcee2b46daa1ac643b7b6b8ea0ff462feabee541b411a885e470a496cbbdc729ffdebc50807f719cbe808d8b598b4767c7a852d9ce0c880a9b078b0187deac926bd4687a44f092bb", 0x4a, 0x5}, {&(0x7f0000002cc0)="3531ae257e7e0877cde340c42edbfc91dcffaff1284ef08a451e4c76e0cd83b2c0ea10d86bcefa93bbaef5fffbfe7dc70b73b89c55fc3851110d1bd0d1da31753320b111fe7060537e8f65f3c2f05adcb3d66bd2abe6b08aaae0d0eedca9937707ec4cb4874cdfd05800812ab53f9550b25a28ee69e62a0f790fe5233fc8645fc3fe6cae055f2aa1729125170151e86eeab67bb20bc884a1214c2d3d969c34fb239b45feec93ac209721bae7271251c613cea9379c1521", 0xb7, 0x4}, {&(0x7f0000002d80)="c3f04f26929b7a4d6342841fa53a9a8cb8006a97f428", 0x16, 0x6}, 
{&(0x7f0000002dc0)="c9871275e3269ff1bdcd67fb523e1ceb5151b0ede9e032634e36d486046bc31cd978bda59247355316319e768e7ac6be0648bf0fecd13cdad45f713e0e3b74e95eec77063c02a233ea97d338f4b1e9bc5a7cce85528742632ed59cec016f3914dd02ca6b1dc833224895277350cf1f21d6c78f8592717e91233f9026927e0cc3d80cdc57714763a0fcb091f5c69051b55cd2e1fcc33b13d597c5caeeb271c542978a1e17", 0xa4, 0x9c}]) r16 = syz_usb_connect(0x4, 0x384, &(0x7f0000002f00)={{0x12, 0x1, 0x201, 0xa4, 0x61, 0x1e, 0x40, 0xacd, 0x300, 0xc0df, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x372, 0x2, 0x4, 0x1f, 0x0, 0x1, [{{0x9, 0x4, 0x5d, 0xb3, 0x1, 0xad, 0x49, 0x76, 0x20, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x80}]}], [{{0x9, 0x5, 0xd, 0x0, 0x230, 0x5d, 0x1, 0x3f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x2}, @generic={0xba, 0xe, "f4e6e5762883c34df04f356099f1d34bdbc9f5324da648053fd690211b897119c4f3ac197f2aa93f2f3be05f836b1644d5b2327648b30816ed192f943dfce225f69d77c51565e177fd889c9c9d8c85b92ee4bead0e889446bbc320a40fa24807f476bfd1f1b3096e3370f755c94aa01c3be4ddc7952a5694bcad4beb4065bf5ea96066c43e9507e6220c47bc0271adcbaffce6ac90cb3c8b1cf748c6bbf97108dfa2cac4b87d3420428434397e07f17a87ed6233b39e32f0"}]}}]}}, {{0x9, 0x4, 0x5d, 0x27, 0x7, 0x3f, 0x84, 0xfd, 0x3, [@uac_as={[@format_type_i_discrete={0x10, 0x24, 0x2, 0x1, 0xe2, 0x2, 0x63, 0x40, "e721cc44acca8938"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x1, 0x0, "9ef42f"}, @as_header={0x7, 0x24, 0x1, 0x4, 0x1, 0x4}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x19, 0x6, "9e", "6983"}]}, @uac_as], [{{0x9, 0x5, 0xf, 0x0, 0x3ff, 0xf6, 0x5, 0x80}}, {{0x9, 0x5, 0x1, 0x10, 0x10, 0x0, 0x40, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x20, 0x6}]}}, {{0x9, 0x5, 0xb, 0x8, 0x10, 0x1, 0x2}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x4, 0x8, 0xc0, [@generic={0xbb, 0x31, 
"215ce6ab8f3c72caa3ab1326f18838908ac60bffb3b50748144aa2cbc4d7cac56f4a7bb2bd6c969674a5e4040861bb21ba5ccf0f822c1032e7e3729f8c171fc7a89b5340b5067108d597f178aa651a98aca4d012fa555a695683b527e6031f1f7f20494b250e3a6cd8b4de9647e150049867097c47cc237c612cefe698332f1fe7f02e6f53e845b1f5e7b4b24ad8629b78ce7630e2d40120fbc3f49375a4a086dedd2a27f06b3ed3d756a819b97f759aa54aef83df4868a9e9"}]}}, {{0x9, 0x5, 0x3, 0x12, 0x3ff, 0x0, 0x1, 0xff, [@generic={0xad, 0x31, "0c921d3f980f4e53147a46bd5856da03081660fbed7b8b2d389be8a038e95c2958a477ed5faf9ef38c82c3abea254459edb0f2cf286235034087adb7907ff192640b936886bd48d3a51215406b3aa0b6d8f8d91d830f5236a9a8be03c2215f012131968c6a80860ae81193059468108efd4f1305379d0115c7ec667b0359940e5664bf7b3c4a5f04ca3c51db9d2cd417e9099bff628b8e1a8ed0f596149357a08abd1177eb977353eb8932"}, @generic={0x93, 0x11, "a8e22d542ae3d831f337211bb5be12a5c46e5cf9b556d84d5af4caca8742ad216140562b7e5421e2642471e8f50eb8aef06212b46c644ae58463e18b3e72bd3eca6060fa8b94031796e55eb41d3f318affbf081eeb1708851e72fadd887e0330134319f0a5967eda657bc1101f74deba42e78aff20fb5d3c1fe49d9a054657b6f1af3d015fc16ff80873f326690843df81"}]}}, {{0x9, 0x5, 0xf, 0x4, 0x200, 0x0, 0x1f, 0x1, [@generic={0x11, 0x6, "824b7d0957bc552d224fdf6bff63a8"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x6}]}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x1f, 0xfd, 0x3}}]}}]}}]}}, &(0x7f0000003400)={0xa, &(0x7f00000032c0)={0xa, 0x6, 0x110, 0x4d, 0x80, 0x80, 0x20, 0xc1}, 0x46, &(0x7f0000003300)={0x5, 0xf, 0x46, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x35, 0x0, 0xdf, 0x9, 0xf7}, @ext_cap={0x7, 0x10, 0x2, 0xe, 0xb, 0x6, 0x9}, @ssp_cap={0x18, 0x10, 0xa, 0x1, 0x3, 0x7fffffe, 0xff0f, 0x101, [0xffc0a0, 0x0, 0xffff0f]}, @ssp_cap={0x10, 0x10, 0xa, 0x3, 0x1, 0x200, 0xff00, 0x1, [0x0]}, @ext_cap={0x7, 0x10, 0x2, 0x16, 0x8, 0xe, 0x7}]}, 0x2, [{0x4, &(0x7f0000003380)=@lang_id={0x4, 0x3, 0x380a}}, {0x4, &(0x7f00000033c0)=@lang_id={0x4, 0x3, 0x42f}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000003440)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 
0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r16, &(0x7f00000036c0)={0x18, &(0x7f00000034c0)={0x20, 0x8, 0xd4, {0xd4, 0x31, "dd9fe1d6f8ee76d6289246b5277cc19f3c4621add821a7f3d1aae994dbf4b1bd89e8770734768ade97e51d248f53cd530b31119aaccf53b6f6eddf4b8bfe6a1a859c3dc286f8335c9d15e5d5169b244155391062ff885d40be3707b6d1ea252a96d97ab24fb675f54557cfa24d805b0795708af5065d4b6662dfd54dd59cfce1673ab356a254f6b5bce44c619a17ffce8ebb96e083c082450062bd71a206ca921e0b77f517c1619586b3bca3e2490821016cc76caf96c0ec9068b45e2334ed9a6ff06a6343ae01f0aef6127ebaf5b52d69e3"}}, &(0x7f00000035c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40e}}, &(0x7f0000003600)={0x0, 0xf, 0x28, {0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @generic={0x20, 0x10, 0xa, "195fa2f324c0be96da3db26afa5677530ac0faf4c682be7c15e9a58666"}]}}, &(0x7f0000003640)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x1, 0x0, 0x9, "057c417e", "8da436c4"}}, &(0x7f0000003680)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x20, 0x10, 0x80, 0x40, 0x1f, 0x0, 0x5}}}, &(0x7f0000003b40)={0x44, &(0x7f0000003700)={0x60, 0x8, 0x54, "85f988045278f97532a667cbee9b821d6554fb1c6d18dffb785196d90727e1b4615c86ee049a1696b1668f000e62d539e081cf07e360171ce61ca2f95644b9ad8e9211a1b19c4399bdfd6d533bf8955242725bb4"}, &(0x7f0000003780)={0x0, 0xa, 0x1, 0x1}, &(0x7f00000037c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000003800)={0x20, 0x0, 0x4, {0x2}}, &(0x7f0000003840)={0x20, 0x0, 0x8, {0x200, 0x40, [0xff]}}, &(0x7f0000003880)={0x40, 0x7, 0x2, 0x1}, &(0x7f00000038c0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000003900)={0x40, 0xb, 0x2, "8eaf"}, &(0x7f0000003940)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000003980)={0x40, 0x13, 0x6, @dev={[], 0x38}}, &(0x7f00000039c0)={0x40, 0x17, 0x6, @broadcast}, &(0x7f0000003a00)={0x40, 0x19, 0x2, '{k'}, &(0x7f0000003a40)={0x40, 0x1a, 0x2, 0x40}, &(0x7f0000003a80)={0x40, 0x1c, 0x1}, &(0x7f0000003ac0)={0x40, 0x1e, 0x1, 0xfe}, &(0x7f0000003b00)={0x40, 0x21, 0x1, 0xfa}}) r17 = syz_usb_connect$hid(0x4, 0x3f, &(0x7f0000003bc0)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x46d, 
0xc22d, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x10, 0x2, [{{0x9, 0x4, 0x0, 0x2f, 0x2, 0x3, 0x1, 0x1, 0xfd, {0x9, 0x21, 0x9, 0x1, 0x1, {0x22, 0x2ff}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0x6, 0xff, 0x4}}, [{{0x9, 0x5, 0x2, 0x3, 0x8, 0x4, 0x6, 0x7f}}]}}}]}}]}}, &(0x7f0000003cc0)={0xa, &(0x7f0000003c00)={0xa, 0x6, 0x300, 0x3, 0x2, 0xfa, 0x8, 0x74}, 0x28, &(0x7f0000003c40)={0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x3, 0x5, 0x8, 0xf00, 0xf831, [0xc0, 0xc0a0, 0xff000f, 0x7, 0xc0f0]}]}, 0x1, [{0x4, &(0x7f0000003c80)=@lang_id={0x4, 0x3, 0x436}}]}) syz_usb_disconnect(r17) syz_usb_ep_read(0xffffffffffffffff, 0x80, 0xc4, &(0x7f0000003d00)=""/196) syz_usb_ep_write(r16, 0x7f, 0x63, &(0x7f0000003e00)="5074fa81f3f373da2799cafb26b4497cb3c87bc0f82fa7885468bd41232065aa9561d24ae0f1d0e036ac714ac5af89c69d8861cad713fcb8bacb8c4b10dc3b6ec2044c01f371b124c0a0f4bace7d5179872cdd205e09c3eeb7d5577b26e98f84554ed6") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t 
bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += 
desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; 
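return true; // ends the `str_idx == 0` branch of the USB_DT_STRING case that opens on the previous line
				}
				// Every other string index is answered with the built-in default string.
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// descs comes straight from the caller and may be NULL (the
				// USB_DT_STRING case above tests for that). Report "no response"
				// so the caller stalls EP0 instead of dereferencing NULL here.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// No qualifier supplied: synthesize one from the device descriptor.
					// The descriptor must live in its own storage. Building it at
					// `response_data` itself (a char**) overwrites the caller's
					// pointer variable and the stack bytes after it, and leaves
					// *response_data pointing at garbage. Thread-local storage keeps
					// concurrent callers from sharing the buffer; the caller copies
					// the data out before the next lookup on the same thread.
					static __thread struct usb_qualifier_descriptor default_qual;
					struct usb_qualifier_descriptor* qual = &default_qual;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	// Anything not matched above has no canned response.
	return false;
}

// Callback type used while connecting a device: decides whether an OUT control
// request is accepted and sets *done once enumeration is considered finished.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts only the standard SET_CONFIGURATION request and
// marks the connect sequence as done when it arrives. fd and descs are unused.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: accepts SET_CONFIGURATION and the two vendor firmware
// requests; only ATH9K_FIRMWARE_DOWNLOAD_COMP marks the connect sequence as done.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return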
true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return 
true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int 
usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) 
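return -1; // no interface selected yet (body of the `iface_cur < 0` guard on the previous line)
	// Bound the scan by the number of endpoints recorded for the current
	// interface. A bare `eps_num` condition is always true once any endpoint
	// exists, so an address that is not present makes the loop read past
	// eps[] (and past the whole index) looking for a match.
	for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

// Switches the device behind fd to interface index n: disables the endpoints
// of the currently selected interface, enables those of interface n and
// records the handles returned by the kernel. Out-of-range n leaves the
// selection unchanged (after the old endpoints have been disabled).
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;

	if (!index)
		return;

	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			// Best effort: a failed disable is ignored.
			(void)usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			// Only a successful enable yields a handle worth storing.
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

// Applies the configuration for the device behind fd: sets the VBUS draw from
// the parsed bMaxPower, issues the configure ioctl and selects interface 0.
// Returns 0 on success, -1 for an unknown fd, or the failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);

	if (!index)
		return -1;

	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

// Control event as fetched from the gadget: header, setup packet, payload.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

// Endpoint I/O request with an inline payload buffer.
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Opens a raw gadget, registers the caller-supplied descriptors for it and
// starts the gadget; the control-request loop follows.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}

	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}

	// NOTE(review): the error returns below leave fd open, unlike the
	// MAX_FDS check above; confirm whether that is intentional.
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}

	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}

	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}

	bool done =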
false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = 
a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct 
usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? 
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, 
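NETLINK_GENERIC); // completes the socket() call begun on the previous line
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	// The reply is received into the same buffer the request was built in.
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	// Walk the reply attributes until the family id is found.
	// NOTE(review): an attribute with nla_len == 0 would never advance this
	// loop, and the last header is read without checking it fits in n bytes;
	// the data comes from the kernel, so this is presumably considered safe.
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

// One chunk of a filesystem image: `size` bytes at `data`, to be written at
// byte `offset` of the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

// Clamps the first min(nsegs, IMAGE_MAX_SEGMENTS) segments in place so that
// each lies inside an image of at most IMAGE_MAX_SIZE bytes, and returns the
// image size: the requested `size`, grown to cover every checked segment and
// capped at IMAGE_MAX_SIZE. `segments` is the address of the segment array.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;

	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// The image must reach the END of the segment (offset + size).
		// Comparing against offset + offset sizes the image from the start
		// position alone and ignores the segment length. The sum cannot
		// exceed IMAGE_MAX_SIZE because of the clamp just above.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Builds a disk image in a memfd from the given segments and attaches it to
// this process's loop device so the kernel parses its partition table.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;

	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): this loop runs over the caller's nsegs, while
	// fs_image_segment_check only validated the first IMAGE_MAX_SEGMENTS
	// entries; segments past that limit are written without clamping.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		// Write failures are deliberately ignored.
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if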
(loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; 
} } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, 
{"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != 
EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } }

// Force-terminate the test child `pid` and reap it, storing its wait status in *status.
// Steps, in order:
//   1. SIGKILL the process group (-pid) and pid itself.
//   2. Poll waitpid() up to 100 times, 1000 us apart; return as soon as pid is reaped.
//   3. Otherwise write one byte to every /sys/fs/fuse/connections/<id>/abort file.
//   4. Block in waitpid() until pid is reaped.
// NOTE(review): step 3 presumably unblocks a child stuck inside a FUSE request so that
// the SIGKILL can take effect -- confirm against the syzkaller executor sources.
static void kill_and_wait(int pid, int* status) {
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  int i;
  for (i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      // Local path buffer; the name shadows abort(3) for the rest of this loop body.
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // Best effort: the byte written is simply the first byte of the path string,
      // and a failed write is deliberately ignored.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  // waitpid(-1, ...) reaps any child; keep going until the one reaped is pid.
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Issue LOOP_CLR_FD on /dev/loop<procid>. procid is declared outside this excerpt.
// A failed open is ignored and the ioctl result is not checked.
static void reset_loop() {
  char buf[64];
  snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
  int loopfd = open(buf, O_RDWR);
  if (loopfd != -1) {
    ioctl(loopfd, LOOP_CLR_FD, 0);
    close(loopfd);
  }
}

// Per-iteration setup run in the forked child before any test call executes.
static void setup_test() {
  // Deliver SIGKILL to this process if its parent dies.
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  // Own process group, so kill_and_wait() can signal the whole group via -pid.
  setpgrp();
  // 1000 is the highest oom_score_adj value; the write_file() result is ignored here.
  write_file("/proc/self/oom_score_adj", "1000");
}

#define KMEMLEAK_FILE "/sys/kernel/debug/kmemleak"

// One-time kmemleak preparation: scan, wait 5 seconds, scan again, then clear the
// recorded objects. Any failed write terminates the program with exit(1).
// NOTE(review): presumably this discards leaks that predate the test run -- confirm.
static void setup_leak() {
  if (!write_file(KMEMLEAK_FILE, "scan"))
    exit(1);
  sleep(5);
  if (!write_file(KMEMLEAK_FILE, "scan"))
    exit(1);
  if (!write_file(KMEMLEAK_FILE, "clear"))
    exit(1);
}

// Ask kmemleak for a report after a test iteration and fail the run if it lists anything.
// Any I/O error on the kmemleak file, and any reported leak, ends the process with exit(1).
static void check_leaks(void) {
  int fd = open(KMEMLEAK_FILE, O_RDWR);
  if (fd == -1)
    exit(1);
  uint64_t start = current_time_ms();
  if (write(fd, "scan", 4) != 4)
    exit(1);
  sleep(1);
  // Wait until 4 * 1000 ticks of current_time_ms() have passed since the first scan.
  while (current_time_ms() - start < 4 * 1000)
    sleep(1);
  if (write(fd, "scan", 4) != 4)
    exit(1);
  // 128 KiB static buffer; reads leave one byte free for the terminating NUL.
  static char buf[128 << 10];
  ssize_t n = read(fd, buf, sizeof(buf) - 1);
  if (n < 0)
    exit(1);
  int nleaks = 0;
  if (n != 0) {
    // Something was reported: scan once more and re-read from offset 0, so only
    // entries that survive the extra scan are counted.
    sleep(1);
    if (write(fd, "scan", 4) != 4)
      exit(1);
    if (lseek(fd, 0, SEEK_SET) < 0)
      exit(1);
    n = read(fd, buf, sizeof(buf) - 1);
    if (n < 0)
      exit(1);
    buf[n] = 0;
    char* pos = buf;
    char* end = buf + n;
    // Split the report at each "unreferenced object" marker and print every piece as
    // its own "BUG: memory leak" record; the byte at the split point is NUL-ed for the
    // fprintf and then restored.
    while (pos < end) {
      char* next = strstr(pos + 1, "unreferenced object");
      if (!next)
        next = end;
      char prev = *next;
      *next = 0;
      fprintf(stderr, "BUG: memory leak\n%s\n", pos);
      *next = prev;
      pos = next;
      nleaks++;
    }
  }
  if (write(fd, "clear", 5) != 5)
    exit(1);
  close(fd);
  if (nleaks)
    exit(1);
}

// Treat `text` as the address of a void(void) function and call it; always returns 0.
// No validation of `text` happens here: whatever bytes sit at that address run with the
// privileges of this process, so containment is left to the environment the program runs in.
// NOTE(review): p is never read; presumably it only occupies stack space ahead of the
// call -- confirm the intent against the syzkaller sources.
static long syz_execute_func(volatile long text) {
  volatile long p[8] = {0};
  (void)p;
  ((void (*)(void))(text))();
  return 0;
}

// Per-worker state: `created` marks a started thread, `call` is the index handed to
// execute_call(), `ready` and `done` are the hand-off events between execute_one() and thr().
struct thread_t {
  int created, call;
  event_t ready, done;
};

// Fixed pool of 16 worker slots.
static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls handed to workers that have not finished yet (updated atomically).
static int running;

// Worker thread body: wait for `ready`, run the assigned call, decrement `running`,
// signal `done`, repeat. The loop never exits, so the trailing return is unreachable.
static void* thr(void* arg) {
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Run calls 0..40 of the generated program, each on the first worker whose `done`
// event is set. Workers are started lazily on first use. If none of the 16 workers is
// idle, the inner loop ends without dispatching and that call is skipped.
static void execute_one(void) {
  int i, call, thread;
  for (call = 0; call < 41; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        // A fresh worker starts out idle.
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      // Base timeout 45 plus a per-call extra for calls 28 and 34-40 (presumably
      // milliseconds; event_timedwait is defined outside this excerpt). On timeout the
      // call keeps running on its worker while the next call goes to another one.
      event_timedwait(&th->done, 45 + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0));
      break;
    }
  }
  // Give calls still in flight up to 100 further 1 ms sleeps to finish.
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

// Redundant forward declaration emitted by the generator after the definition above.
static void execute_one(void);

#define WAIT_FLAGS __WALL

// Endless driver loop. Each iteration creates a scratch directory ./<iter>, resets the
// loop device, forks a child that runs the whole program once inside that directory,
// waits for it, removes the directory and finally checks kmemleak.
static void loop(void) {
  int iter;
  for (iter = 0;; iter++) {
    char cwdbuf[32];
    // "./" plus a decimal int fits comfortably in 32 bytes.
    sprintf(cwdbuf, "./%d", iter);
    // Mode 0777 is still subject to the process umask.
    if (mkdir(cwdbuf, 0777))
      exit(1);
    reset_loop();
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      // Child: run one pass of the program in the scratch directory, then exit.
      if (chdir(cwdbuf))
        exit(1);
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      // Keep polling until 5 * 1000 ticks of current_time_ms() have elapsed, then
      // kill the child forcibly.
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
    remove_dir(cwdbuf);
    check_leaks();
  }
}

// Fallback syscall numbers, used only when the system headers do not define them.
// NOTE(review): the values look like the 32-bit x86 table, which would match the
// linux/386 subtest named in the surrounding test log -- confirm before reusing them.
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
// Every __NR_mmap use below is redirected to mmap2.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots shared between calls: execute_call() stores values returned by earlier
// calls here (for example r[0] after the openat in case 0) and later calls read them
// back as arguments. Each slot starts as all-ones or zero.
uint64_t r[18] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/zero\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x161000, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, (intptr_t)r[0], 0x3305, 0); break; case 2: memcpy((void*)0x20000040, "l2tp\000", 5); syz_genetlink_get_family_id(0x20000040); break; case 3: memcpy((void*)0x20000080, "/dev/dlm-control\000", 17); syscall(__NR_openat, 0xffffff9c, 0x20000080, 0x20000, 0); break; case 4: 
*(uint32_t*)0x200000c0 = 0x17; syscall(__NR_setsockopt, (intptr_t)r[0], 0x10e, 2, 0x200000c0, 4); break; case 5: res = syscall(__NR_mmap, 0x20ffa000, 0x4000, 0x2000000, 0x1010, (intptr_t)r[0], 0x10000000); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_socket, 0x23, 5, 2); if (res != -1) r[2] = res; break; case 7: res = syscall(__NR_io_uring_register, -1, 9, 0, 0); if (res != -1) r[3] = res; break; case 8: *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0; *(uint32_t*)0x200003c4 = r[2]; *(uint64_t*)0x200003c8 = 0; *(uint32_t*)0x200003d0 = 0x20000380; *(uint32_t*)0x20000380 = 0x20000100; *(uint32_t*)0x20000384 = 0x80; *(uint32_t*)0x20000388 = 0x20000240; *(uint32_t*)0x20000240 = 0x20000180; *(uint32_t*)0x20000244 = 0x93; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x20000280; *(uint32_t*)0x20000394 = 0xca; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x200003d4 = 0; *(uint32_t*)0x200003d8 = 0; *(uint64_t*)0x200003dc = 1; *(uint16_t*)0x200003e4 = 3; *(uint16_t*)0x200003e6 = r[3]; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; syz_io_uring_submit(0, r[1], 0x200003c0, 0x10001); break; case 9: *(uint32_t*)0x20000440 = 4; syscall(__NR_ioctl, -1, 0x4b63, 0x20000440); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0xaa; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; 
*(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 3, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 31, 1); *(uint8_t*)0x20000012 = 0x11; *(uint8_t*)0x20000013 = 2; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; memcpy((void*)0x20000016, "\xf4\xeb\xe4\x02\x16\xfe\xde\x5e\xf6\xc5\x31\x0f\x04\x13\xc5\xd4\x1b\x32\xfc\x23\xe0\x7f\xd3\x32\xa8\xa5\xc5\xf9\x66\x82\x1d\xa0\x91\xf4\x7b\x7b\x9c\xf9\x22\x87\x27\xff\x74\x12\xc2\xe4\xa3\xa1\x57\x3b\xb2\x95\x48\x2d\x7b\x4a\x3e\xff\xd8\x63\xcc\x60\xf5\xd8", 64); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0xd2d; *(uint32_t*)0x2000008c = 0xc61; *(uint32_t*)0x20000090 = 0x6d3; *(uint32_t*)0x20000094 = 0xbe2; break; case 11: *(uint8_t*)0x200000c0 = 2; STORE_BY_BITMASK(uint16_t, , 0x200000c1, 0xc9, 0, 12); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 3, 4, 2); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 1, 6, 2); *(uint16_t*)0x200000c3 = 0xa; *(uint16_t*)0x200000c5 = 6; *(uint16_t*)0x200000c7 = 5; *(uint8_t*)0x200000c9 = 0x13; *(uint8_t*)0x200000ca = 0x7f; *(uint16_t*)0x200000cb = 2; *(uint16_t*)0x200000cd = 0; break; case 12: memcpy((void*)0x20000100, "\xc4\xc2\xcd\x45\xf1\x8f\xe8\x00\xed\xb8\x5c\x2f\x00\x9e\xe9\x64\x36\x36\x0f\x28\x11\xc4\xc3\xc9\x0b\x6b\x07\x87\xc4\xc2\xf1\xa6\x03\xf3\x0f\xa6\xd0\xf3\x6f\x65\x0f\xfa\x0e\xc4\xc2\x1d\x2f\x9f\x5a\xac\x38\x4f\x3e\x65\xf3\xab", 56); syz_execute_func(0x20000100); break; case 13: break; case 14: memcpy((void*)0x20000180, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000180); break; case 15: syz_init_net_socket(3, 3, 0xcc); break; case 16: res = syscall(__NR_mmap, 0x20ffd000, 0x2000, 0x3000001, 0x80000, -1, 0); if (res != -1) r[4] = res; break; case 17: res = -1; res = 
syz_io_uring_complete(r[4]); if (res != -1) r[5] = res; break; case 18: *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0xd9fd; *(uint32_t*)0x200001c8 = 0x20; *(uint32_t*)0x200001cc = 0; *(uint32_t*)0x200001d0 = 0x308; *(uint32_t*)0x200001d4 = 0; *(uint32_t*)0x200001d8 = -1; *(uint32_t*)0x200001dc = 0; *(uint32_t*)0x200001e0 = 0; *(uint32_t*)0x200001e4 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint32_t*)0x200001f8 = 0; *(uint32_t*)0x200001fc = 0; *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; res = syscall(__NR_io_uring_setup, 0x3a3b, 0x200001c0); if (res != -1) { r[6] = res; r[7] = *(uint32_t*)0x200001d8; } break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xb18d; *(uint32_t*)0x20000248 = 0xab3a8d6e; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000250 = 0x158; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = r[7]; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = -1; res = syz_io_uring_setup(0x17a8, 0x20000240, 0x20ffb000, 0x20ffd000, 
0x200002c0, 0x20000300); if (res != -1) r[8] = res; break; case 20: *(uint32_t*)0x20000340 = 0; *(uint32_t*)0x20000344 = 0x15f8; *(uint32_t*)0x20000348 = 0x20; *(uint32_t*)0x2000034c = 2; *(uint32_t*)0x20000350 = 0xd2; *(uint32_t*)0x20000354 = 0; *(uint32_t*)0x20000358 = -1; *(uint32_t*)0x2000035c = 0; *(uint32_t*)0x20000360 = 0; *(uint32_t*)0x20000364 = 0; *(uint32_t*)0x20000368 = 0; *(uint32_t*)0x2000036c = 0; *(uint32_t*)0x20000370 = 0; *(uint32_t*)0x20000374 = 0; *(uint32_t*)0x20000378 = 0; *(uint32_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = 0; *(uint32_t*)0x2000038c = 0; *(uint32_t*)0x20000390 = 0; *(uint32_t*)0x20000394 = 0; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x2000039c = 0; *(uint32_t*)0x200003a0 = 0; *(uint32_t*)0x200003a4 = 0; *(uint32_t*)0x200003a8 = 0; *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = 0; *(uint32_t*)0x200003b4 = 0; res = -1; res = syz_io_uring_setup(0x6b11, 0x20000340, 0x20ffb000, 0x20ffb000, 0x200003c0, 0x20000400); if (res != -1) { r[9] = *(uint64_t*)0x200003c0; r[10] = *(uint64_t*)0x20000400; } break; case 21: res = syscall(__NR_socket, 0x1f, 3, 3); if (res != -1) r[11] = res; break; case 22: res = syscall(__NR_io_uring_register, (intptr_t)r[5], 9, 0, 0); if (res != -1) r[12] = res; break; case 23: *(uint8_t*)0x20001700 = 0xa; *(uint8_t*)0x20001701 = 2; *(uint16_t*)0x20001702 = 0; *(uint32_t*)0x20001704 = r[11]; *(uint64_t*)0x20001708 = 0; *(uint32_t*)0x20001710 = 0x200016c0; *(uint32_t*)0x200016c0 = 0x20000440; *(uint32_t*)0x200016c4 = 0x80; *(uint32_t*)0x200016c8 = 0x200015c0; *(uint32_t*)0x200015c0 = 0x200004c0; *(uint32_t*)0x200015c4 = 0x2c; *(uint32_t*)0x200015c8 = 0x20000500; *(uint32_t*)0x200015cc = 0x1000; *(uint32_t*)0x200015d0 = 0x20001500; *(uint32_t*)0x200015d4 = 0x28; *(uint32_t*)0x200015d8 = 0x20001540; *(uint32_t*)0x200015dc = 0x4a; *(uint32_t*)0x200016cc = 4; *(uint32_t*)0x200016d0 = 0x20001600; *(uint32_t*)0x200016d4 = 0xb9; *(uint32_t*)0x200016d8 = 0; 
*(uint32_t*)0x20001714 = 0; *(uint32_t*)0x20001718 = 0x2000; *(uint64_t*)0x2000171c = 1; *(uint16_t*)0x20001724 = 3; *(uint16_t*)0x20001726 = r[12]; *(uint8_t*)0x20001728 = 0; *(uint8_t*)0x20001729 = 0; *(uint8_t*)0x2000172a = 0; *(uint8_t*)0x2000172b = 0; *(uint8_t*)0x2000172c = 0; *(uint8_t*)0x2000172d = 0; *(uint8_t*)0x2000172e = 0; *(uint8_t*)0x2000172f = 0; *(uint8_t*)0x20001730 = 0; *(uint8_t*)0x20001731 = 0; *(uint8_t*)0x20001732 = 0; *(uint8_t*)0x20001733 = 0; *(uint8_t*)0x20001734 = 0; *(uint8_t*)0x20001735 = 0; *(uint8_t*)0x20001736 = 0; *(uint8_t*)0x20001737 = 0; *(uint8_t*)0x20001738 = 0; *(uint8_t*)0x20001739 = 0; *(uint8_t*)0x2000173a = 0; *(uint8_t*)0x2000173b = 0; syz_io_uring_submit(r[4], r[10], 0x20001700, 0xad23946); break; case 24: res = syscall(__NR_fsmount, (intptr_t)r[5], 1, 0x84); if (res != -1) r[13] = res; break; case 25: *(uint32_t*)0x20001740 = r[6]; *(uint64_t*)0x20001744 = 3; *(uint64_t*)0x2000174c = 6; *(uint64_t*)0x20001754 = 0x1000; res = syscall(__NR_ioctl, (intptr_t)r[8], 0xc01cf509, 0x20001740); if (res != -1) r[14] = *(uint32_t*)0x20001740; break; case 26: *(uint32_t*)0x200017c0 = 0; *(uint32_t*)0x200017c4 = 0x20001780; memcpy((void*)0x20001780, "\xe7\xbe\xd2\x38\x54\x76\x95\xa7\x89\x57\xb5\x74\xba\xcb\x6d\xbc\x56\x7a\x32\x32\xe7\x65\x59\xb4\xea\x39\x31\xb6\x08\x57\x8a\x24\xda\x4c\x74\x97\x95\x97\x5b\x0a\xe5\x1d\xa8\xa8\x6d\xde\x75\xb1\xd6\x84", 50); *(uint32_t*)0x200017c8 = 0x32; *(uint64_t*)0x20001800 = 1; *(uint64_t*)0x20001808 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x200017c0, 1, 0, 0x20001800, 1); break; case 27: *(uint32_t*)0x20001840 = 0; syz_memcpy_off(r[9], 0x114, 0x20001840, 0, 4); break; case 28: memcpy((void*)0x20001880, "afs\000", 4); memcpy((void*)0x200018c0, "./file0\000", 8); *(uint32_t*)0x20002900 = 0x20001900; memcpy((void*)0x20001900, 
"\xf1\xfd\x85\xc4\x6a\x07\x34\x5a\x88\x13\x28\x7b\x13\xf2\x1a\x08\x40\x90\x39\x26\xae\xf8\xfa\x2c\xb5\xf6\xe0\x10\xd1\x4f\x70\x30\x37\x67\x97\x11\x5f\xff\x5a\x94\x80\x41\x34\x8d\x82\x7d\xbd\x67\x8e\x20\x92\x8d\xc4\xb2\x24\xe0\xec\x33\xe5\x0b\xf6\x99\xf1\xed\x1e\x39\xdf\x43\xd8\x99\xeb\x1a\x37\xc8\xd1\x16\x31\xe7\xb7\x75\xfc\x82\x61\x19\x01\xef\x7d\xb3\x71\x4e\x0e\xf5\x9b\x98\xd9\xd7\xd9\x11\x4b\xa1\xba\x76\xa7\x2e\xdc\x93\x80\x33\x59\xb9\x99\x4b\x50\x4f\x9e\x77\x90\x37\x5f\xa5\x0f\xce\xab\x9c\x0f\x21\x03\x85\x72\x2f\x2a\x05\x4c\x09\xfe\xcf\x4a\x04\xcc\xfa\xca\xac\x9d\x40\xbe\xbb\x2e\x2b\xcc\x94\x8d\x32\x72\x63\xb0\xfa\x73\x5b\x75\x3f\xa3\x67\xf5\x53\x13\xbd\x6d\xf7\x47\x6a\x99\x61\xbe\xf3\xe5\x80\x6a\xe5\x3b\xf7\x23\x34\x74\xb6\x37\x26\x6e\x9f\xd6\x94\xfb\x30\xa5\x03\xfb\xa0\x53\xc4\x65\x62\x93\x6b\xb3\xb8\xfd\xd3\x8d\xa2\x3e\x72\x25\x86\x8f\x8c\xf1\xe7\xd2\x7c\xac\xb6\x90\x75\x65\x7b\x3c\xa8\x0f\x8b\xe0\xb8\xe0\x43\xdb\x62\x0f\x08\x72\x23\x1b\x8a\x31\x08\xc4\xa1\x0b\x8b\x72\x3b\x64\x6b\x3c\x6d\x5f\x37\x05\x58\x64\x09\x24\xa9\x3b\xa2\x5d\xb1\x74\x6c\xf2\xea\x14\x1b\x03\x85\xac\x0c\xf9\xe7\xac\xc8\xfd\xdd\x8e\xe3\x2f\xb9\x88\x49\x1e\x45\x45\x64\xeb\x14\x2e\xc8\x40\x24\x38\xdd\xb1\xd0\xbe\xd6\xd2\x85\xa2\xa4\x08\xa9\xed\xc5\x27\x76\xe3\xae\x70\x21\xc1\x09\x43\xee\xf0\xaf\x02\x70\x37\x22\x13\x62\x7d\xd4\x25\x3d\x95\xa3\x6a\xcd\x29\xf8\x09\x5c\x64\x28\xf1\xc4\x6c\x3e\xb2\x12\x27\xd0\x46\x06\xb5\xc9\x22\x54\xe9\xce\x3e\x22\x0a\x8b\x8a\x28\x1c\x8d\x8e\x9c\x83\x07\x9e\xa1\xdf\x4a\x90\xdb\x9f\x08\xa5\x8c\x80\x3d\x8e\xc2\xbf\xcc\x99\xf1\xac\xd5\xf0\x62\x50\x43\xeb\x4a\x83\x17\x9e\x2d\x37\xc0\x76\x57\xe4\xb7\x47\xad\xcb\x09\x79\xa2\x30\xde\xa4\xf0\x79\xf2\x20\x84\x87\x09\xf2\xbb\x38\xc3\x4a\x22\xc5\xb3\xca\xf9\x4a\x02\xfc\x5f\x1c\x4d\x01\x3c\x16\x5a\xbf\x74\xbe\xd9\xd0\x28\xa5\xd8\x4e\xc1\x50\x37\x7f\x49\x8e\xe0\xe2\xa8\x6b\xf0\x4b\x97\xee\x40\xaf\x98\x82\xbf\xad\xec\xf5\xe1\x25\xfc\x90\x9d\x25\x0d\x92\xa3\x11\x66\xd6\x11\x21\xb5\x36\x45\x24\xb6\x35\x1e\x0b\x6a\x66\xdc\xde\xe
b\x52\x49\xeb\xab\xb8\x65\xf1\xf4\xa1\xa8\x0a\xda\x5d\x69\x5d\x3a\x37\xb2\x14\xc9\xf0\xd9\x25\x07\xdb\x1b\x8d\x80\x8a\x96\xf0\x89\x02\xef\x8c\x97\xe2\x2b\x75\x49\x75\x38\xf5\x4f\xf9\x44\xa1\x91\x42\xb6\xae\x1b\x86\x36\x50\x0e\x2f\x39\x20\xa3\xab\x34\x1d\x8d\x1d\xb2\x2d\xc6\x4e\x1d\x68\x38\x21\x62\xb4\x89\xea\xad\xe6\x68\xba\x38\xe6\xe7\xec\xf6\x16\x26\xc7\x19\x37\x8a\x8e\xbf\x08\xec\x3d\x5d\xa6\x71\x64\x61\xe2\x06\x86\x9b\x33\x5c\xcb\xaf\xbc\x73\x64\x99\x83\x79\xd8\x94\xb9\xc6\x04\x41\xd9\x87\x97\xef\xf0\xd0\x4c\xe3\xfb\xf4\x19\xeb\x9c\x5c\x77\x8d\xbd\xc6\x03\x1b\x19\xfe\xa1\x3a\xdf\x11\x1d\xd4\x96\x28\x09\x3d\xa4\x1c\xe2\x52\x59\x5e\xa3\xd0\xb6\xdd\x96\x36\x4f\xe2\xe3\x75\x04\xbc\x66\x17\x04\x4f\xf1\xd0\xd2\x7f\x75\x9d\x1f\xaa\x8a\xe8\x54\xa1\x72\xda\x0b\x22\x73\x05\xbc\x63\x0a\x46\xb8\xe5\xbb\x9f\x8a\xa4\x0b\x95\xa4\xb6\xd5\xc3\x7b\xdd\xd0\x96\x8e\x19\x2d\x57\x24\x20\x78\x43\x4f\xde\xf9\xaf\xdc\x8f\x18\x39\x7d\xf1\xca\x6e\x76\xbd\xc7\x18\x45\xfb\xa2\x81\x8e\xf8\xf1\xc1\xdb\xf0\xa9\x2d\xde\xe3\xc8\xc1\xcf\xdd\xfb\x64\x43\x94\x19\xe6\x3f\x98\x11\xab\x5d\xaf\xd1\x5b\x2f\xf2\xa9\xc0\x41\x33\x16\x51\xc7\xaf\xe7\x86\x28\x75\xbf\x99\x61\x80\x6f\xac\x69\x4b\xef\x5f\x78\xfb\x9c\xd6\x4c\x33\x84\x86\x37\x44\x4e\x67\x52\x20\x03\x95\xe3\x73\x1d\x02\xdb\x34\xc2\x1f\xca\x31\x1d\x33\x9e\x81\x97\x32\xed\xe1\x83\x94\xb4\x5c\x4c\xbb\xbf\xfd\x45\xfd\xf5\x08\x28\x5d\x26\xda\x5b\x3c\xed\xe6\x92\xaf\x4e\xf2\xf4\x2c\x73\x4b\x52\x28\x64\x75\x5d\xcd\x71\x9c\x93\xb2\x68\x43\x8f\x9b\x0f\x1a\xdd\x57\x4c\xf7\x21\x89\x21\xdf\x68\xc4\x96\x68\x3c\x62\x76\x11\x5c\x07\x4d\x42\x0f\x23\x86\x1e\xeb\x82\x03\x1e\x99\x8c\x08\x33\xd1\xcb\xbb\x5b\x33\x4a\x13\x60\x6a\x0b\xc4\x06\xc4\xc8\xb1\xc2\xbf\x8d\xf5\x57\x32\x4d\x2c\x94\xcb\xe4\xc2\x90\x80\xb6\x32\x34\xb1\xbb\x74\xe5\x85\x4e\x42\x2e\xb4\x6f\x73\x69\x78\xe2\x94\x3e\xbd\x28\xaf\x46\x7b\xd0\xee\x09\x6b\x95\x2f\xf5\xf0\xb2\x28\xc7\xef\x94\x6f\xd4\x72\x49\x3b\x0e\xac\xa9\x37\x84\x01\x66\x9f\x1b\xe6\x75\x23\x0e\x56\xbc\x19\xe4\xec\x12\x34\xfc\xb4\xea\x12\x2
d\xd2\x04\x83\x01\x09\x68\x9c\xad\x7e\x3d\x70\x2a\xb3\xe9\x2e\x59\x01\x6a\x64\x0c\xce\x4e\x1e\x57\xd6\xe9\x45\x56\xe7\xee\x1f\x7c\x58\x63\x09\x04\x4b\xdc\xa4\xa7\xb2\xce\xbb\x4b\x3f\xab\xfd\x57\x8e\xd6\xc6\x85\x89\xb8\xaf\xcd\x4d\x0e\x5a\xb1\xb7\xee\xf6\xf8\x2c\xd2\x08\xe3\xec\xe7\x6e\x3b\x73\x33\x1f\xba\x03\xfb\x54\x47\x01\x29\x92\x74\x10\x42\x10\x6e\xd7\xd3\x86\xa1\x43\x3f\xe8\xd4\xc6\xbc\xe8\x22\xff\x8f\xfe\x1b\x38\x2a\xa7\x12\x47\x31\xa9\xad\x6e\x1a\x52\xc7\x82\x66\x17\x4a\x4f\xef\xe9\x86\xa5\x08\xf6\x64\x25\x77\x30\x3f\x91\xea\x4e\xfb\x32\x84\x3c\x6b\x33\x1b\x32\xf2\x45\x53\xa0\xc1\x30\x16\xd9\x1a\x23\x0a\x55\xd8\x1f\xeb\x7d\xfc\x48\xad\x15\x7c\x7c\x2f\xc6\x32\x53\x08\x10\x21\xd1\xc6\x53\x56\x51\x39\x03\xdd\xbd\xe8\xd3\xfd\x0d\x51\x74\x7f\x3e\xaa\xaf\x9d\xb9\xd6\xb4\xbd\x70\x69\xd8\xba\x53\xd4\xd1\x00\xee\x27\x27\x97\x95\x94\xc2\xfa\x80\xb9\xaa\x0e\xdd\x70\xe3\xd7\x02\xfb\x5b\x6c\xd2\x77\xee\xb4\x87\x55\x58\x86\xf8\x5b\x65\x7c\xd9\xeb\xa6\x41\xb2\x8b\xf1\xe7\x62\x30\x0f\x3e\x29\xc5\xa8\xd8\xbf\xe0\x77\xbd\xef\x7c\x9e\x2c\x4c\xfa\xd8\xfc\x36\x46\x70\xd7\xcd\x6a\xc7\xa8\x63\x22\xe6\x67\x76\x0e\x24\x03\xc4\x83\x8d\x61\xfa\x86\x69\xa4\xf6\x21\x14\xee\xf4\x23\xf0\x91\x32\xe2\x0b\xb9\x5b\xa3\x52\x2a\xc3\x10\x49\xc4\xa3\xd5\x81\xaf\x3c\x57\x84\x91\x0f\xba\x88\xcd\xee\x1c\xef\xf4\xdd\xae\xd8\x27\x11\x9c\xed\x53\x61\x94\x7d\x0e\x31\xa9\xc4\xd2\x52\x63\xa5\x36\x54\xb8\x2f\xc1\x3b\x91\xf4\x45\x08\xdd\x19\x3c\xa1\xef\x26\xd9\x30\xa6\xb0\x81\x05\x86\xd4\x02\xba\x05\x54\xfa\xce\x5c\x3e\xd0\x77\x67\x1d\x50\xd2\x88\x65\xbf\xff\x35\xca\x3a\x4d\xab\xdb\xd6\xe3\xb0\x70\x59\x32\x0f\x53\xe5\xc4\x9d\x73\xcc\x16\xdd\x1e\xd2\x81\x6a\xc9\x8a\xd3\x85\x3c\x36\x88\x29\xc7\xbe\xc4\x0c\x4a\x9b\x39\xee\x3b\x73\x0b\xbd\x6c\x15\x2f\x35\x8e\x99\x11\x30\x8c\x12\xed\x12\x06\x56\x1f\xc7\xcf\x7c\xb4\x77\x14\x5f\x1a\xaa\xce\x66\xac\x5c\x44\x68\xac\xb2\xf6\x01\xc6\x1e\x4b\x11\x8b\xe2\x05\x6b\x6d\xbc\x18\x60\x9b\xfd\x41\x05\xee\xe1\x8b\xe3\x84\xa1\x99\x13\xd2\x74\xd9\x20\x39\x79\x0c\xb8\x74\x20\xb9\xf
d\xd7\x0e\x73\x43\x09\xfc\x7a\xfe\x09\xe1\x1f\x78\x0d\x6e\xe6\x24\x31\x75\x90\x7a\x4a\xee\xcb\x6c\xa0\x70\xa3\x37\x4b\xe5\xd3\xd0\x7a\x78\x8e\xa4\xe1\xf9\xd6\xf1\x8e\xff\x9e\x79\x64\xd7\x07\x6c\xb5\xb9\x3c\xd9\x73\x38\xec\x05\x44\x8e\xc5\x27\xcc\xa6\x67\x90\xbf\xe3\x2c\x5b\x26\x62\xd7\xfc\x6b\x83\x6b\x41\xbf\x32\xe5\xbc\x0d\xdf\xe4\x2d\x59\x73\xdb\x86\xf8\xae\xd5\x6e\x43\x11\x2b\x45\xb0\xf7\x92\xc5\x39\x45\x99\xa1\x3e\x73\xc2\x50\x12\xb5\xaa\xcd\x3a\xef\x11\x24\x73\xc4\xe2\xe3\xab\x6a\xeb\xf5\xaf\x6d\xe9\xe7\x8a\xc0\x47\xfc\xc2\x76\xfd\x97\x6f\x25\x02\x2c\x65\xc3\x0a\x9f\xd6\x72\x03\xf1\x9e\x33\xb3\x5c\xfb\xcf\xdf\xf3\x95\xc5\xbb\x53\xf2\xfd\x79\x28\xe4\x3e\x62\x28\x47\x28\x07\x80\xb8\xcc\x81\x5f\xb4\x85\x18\x91\x05\xa1\x24\xcd\x86\x27\xcc\x3d\x5f\x1a\x9d\xd8\x00\xd4\x7a\x22\x6e\xbf\x90\x7e\xb2\xf4\x91\x33\xd1\x17\x58\x8d\x28\x0f\x4c\xc4\x3d\x95\x25\x4d\x88\xc8\x75\x3d\x96\x07\x3f\x97\xc5\x31\xf5\x1e\x55\x96\xe2\xe9\x71\xa2\x16\x1b\x78\xf7\x5e\xdc\xfb\xd9\xde\x38\xf0\xa9\x28\x4b\x7c\xce\xef\x87\x59\x8f\xa3\xbc\xfa\x5d\xbc\xbd\x1d\x28\x4c\xf8\x0c\xb7\x75\x54\x65\x89\x9d\x36\x2d\x9e\x40\xc6\x4c\x1a\x1e\x4c\xc4\x5c\x38\x71\xb2\x10\x4c\xa4\x0c\x05\x72\x9d\xcc\xbf\x6d\x0a\x17\x50\x0e\x5d\x0d\xff\xa3\x44\x3a\x52\x33\xe2\x79\xb2\xf9\xc5\x18\xb6\x97\x34\x0d\x26\xd2\x87\x26\x60\xc7\x1a\x49\x57\x10\xee\x00\x9f\xfb\x98\x9e\xbb\x5b\xef\xe5\x17\x69\x25\xb7\x8c\xde\xb1\xe8\x11\xc5\x1e\xcd\xb0\x1a\x47\xec\x1d\x1d\x0e\xf2\x02\x4c\x9a\x66\x6f\x6b\xc5\xeb\xe1\x3e\x77\x3f\x89\xf4\xc8\x0b\xaa\x1d\x66\x0c\x05\x1c\x26\x72\xf9\x1c\x21\xdb\x5f\xf2\xd5\xa7\x01\x26\xdc\x69\x14\x0e\xe2\x16\xc4\x5b\xdd\x0a\x7b\x52\x79\xde\xce\x2f\x58\x3b\xc2\x4f\xc6\x3c\xae\x88\xae\x75\x57\x22\x40\x48\x23\xc5\xc2\x16\x84\x9d\xcd\x10\x85\xba\x99\x02\xcb\x24\x8a\xc5\xd1\x92\xc3\xbd\xc5\x37\x39\x2a\x7c\x9e\xd3\xc3\x59\xbb\x6d\x49\x34\x62\x5f\x5f\x7a\x6d\xd5\x1b\x78\x57\x3f\xc7\x26\xad\xab\xc9\x1f\x41\x96\x05\x86\xf6\x4c\x39\x26\x11\x26\xea\x67\xdf\xc3\x2c\x5a\xe5\xf7\xd6\xed\x88\x74\x73\x60\x41\x8d\x42\xa0\x08\xd
9\xcf\xc5\xef\x15\xf9\xc5\x88\xdb\xb9\xec\xc3\x74\xba\x19\xab\x60\xa3\xba\x33\xfb\xd1\xb8\x04\x77\xb0\x20\x4e\x67\xc8\x45\xf9\xf6\xab\x58\x9c\x58\xb5\x78\xcc\xa5\x8a\xf3\x22\xae\x66\xb9\xb1\x2e\xd9\x53\x70\x3d\x13\x93\xd8\xec\xe9\xc6\x70\x66\x4f\xdb\x6b\x1f\xfa\x10\x27\x1a\xbc\x0e\x51\xd5\x7b\x59\x10\x2e\x26\x40\xbe\xa0\x9e\x91\x12\x94\xc3\x5a\xbc\x86\x16\x99\x0a\x57\x29\xbf\x73\x9a\x8e\x22\x77\x4a\x68\x0d\x57\x70\xb8\x58\xb9\x32\xfe\x59\x5b\x73\x22\x32\x8a\xe7\x92\x07\x8a\xd2\x8d\xb4\xd5\x4c\xbd\x7c\x98\x68\xfc\xbe\x6e\xed\x0b\x0a\xa7\xb7\xab\xbf\xb1\xb8\xef\xce\x2d\xd5\xc1\xe2\x9b\xac\x66\xab\x7f\x80\xfe\x7a\x65\xd2\xda\x18\x38\x66\x0e\x94\x06\x6a\x6b\x2e\x3b\xdb\x89\x7e\x55\x1b\xc0\x37\xd7\x79\xdb\xb6\xcb\x9b\xdc\xa7\x03\x0e\xf8\x22\x6b\x96\x8d\x5a\x85\x7c\xb4\x24\xa9\xbd\x71\xec\xf3\xe0\xdf\x3b\xca\x6b\x91\x95\x90\x5e\xd0\x5e\x73\xd0\x36\x7f\x16\x49\xee\xd5\x49\xd9\xc3\xd4\x7e\x2f\x31\x2c\x17\x0d\xc9\x4a\x70\x1d\x42\x04\x60\xe1\x00\x0e\x23\x70\x21\xc6\xb7\xb1\xbc\x08\xb3\x5c\x10\x43\xc6\xe8\x99\xed\x58\x7e\xf7\xdf\xb6\xe1\xc7\xb6\xe1\x1e\x3a\x2f\xb4\x34\x8a\xbc\xc9\xed\x18\x31\xee\x37\x3d\x00\x45\x40\xa7\x3a\x4c\x78\xf9\xd3\xab\xb1\x01\xc7\x87\xba\x23\x9d\xf6\x63\x92\x4e\xf8\x4e\x3b\x43\x68\x68\xb6\x3c\xd7\x4f\x4d\x47\xac\x9e\xbc\xe3\x81\x4b\xbd\xb3\x7e\xee\xc3\xfe\xa1\xf9\x06\x88\xd1\x6f\xf3\x28\x5d\x35\x97\x45\xf9\xc1\xb6\xdc\xfa\x98\xbc\xd3\x2a\xca\xcc\xd9\x35\x0c\x07\x05\x79\xaf\x49\xc6\xdd\x8e\x62\xb3\xe1\x16\x16\xb9\x56\x05\xb5\xe6\x7c\x90\xc3\xdb\x1b\x83\x01\xde\x61\xbd\xfa\x55\x8e\xe6\xd1\x3f\x20\xa7\x8d\x40\x7e\x4f\x44\xca\x79\x3c\xe3\xd9\x58\xe1\x52\x2f\x1a\x64\x27\x6a\xc8\x86\x3d\x1a\x68\xb5\xb6\x4e\x03\xec\x0b\x22\xb0\xa7\x87\xbb\xa7\xb4\x62\xfd\xdf\x8d\xa7\xd1\x01\x8b\x32\xa1\x32\x82\xbd\x1e\x83\x06\x0a\x67\xc7\xda\x96\xe4\x6e\x3b\x32\x2a\x5d\x8e\x05\xba\x67\xb3\xac\xa1\xc5\xd1\xbf\x13\x6a\x57\xb3\xaa\x68\x77\x7f\x00\xbf\x10\x2d\xdd\xb1\xde\xc2\x1d\xb3\x09\xf4\x85\x5d\x9c\x08\xed\xc5\x80\xd6\x52\xa6\x89\x42\x0b\xf6\x25\x38\xb5\xaa\x26\x30\x57\x09\x8
1\x21\xd8\x2d\x87\xe2\x9e\xe2\x6b\x5d\x52\x88\x02\x3e\x50\x1f\xf2\x73\x0b\xce\xf0\x0b\x98\xf1\x3c\x40\xbc\x2d\xa1\xa1\xbc\xa1\xcd\x66\x64\x84\xf1\xa3\xf5\xc8\xb6\xff\xaf\x46\x8f\xbe\xaa\xf5\xab\xfd\x74\x39\x6f\xbc\x46\x0e\x0f\xd2\xb4\x40\xf5\xe5\x63\x27\xe6\x34\x90\x73\x11\xdc\xe9\x8e\xc0\x75\xe9\xee\x32\x87\xf7\xd2\xdc\xd6\x44\x93\xe5\xc5\xce\x09\x6b\xb2\x9d\x77\xaa\x49\xa9\xf6\x77\xe6\x8e\xfd\x44\xcf\x35\xb5\xa0\xd6\x9f\x1e\xc8\x87\xa5\xf1\xf3\x5e\x44\xaf\xe3\xb6\x90\x4e\xf0\x26\xb3\x65\x1c\x69\x7d\xc2\xaf\x46\x66\x2b\x92\x36\x64\x20\x1e\x4b\xae\xdc\x28\xe8\x5f\x33\xd0\xfc\xce\x83\xec\xb0\x1d\x04\xf5\xa0\x82\x6d\xf9\xfb\xfe\x7d\x92\xe3\x1d\xb7\x62\x02\x53\x3f\xa8\xbd\xbd\x4f\x14\x74\x4f\x84\x85\x94\x8f\xf0\xe4\x0e\xc7\x7d\x2a\x2c\xca\xc3\x4f\x38\x9a\x4f\x6b\x0e\x1f\x84\xf5\x27\xb1\x28\x2b\x4b\xa5\x3c\xc0\xa5\x34\x68\xeb\x13\x62\xd8\x7f\x33\x4f\x17\x6d\x94\x8d\x9d\x7f\xc1\x90\xa1\xfa\xbb\x36\x74\x53\x85\x94\x5f\x27\xd4\x4c\x13\x64\x36\xee\xed\xca\x1a\xd4\x94\x5c\x9d\x73\xd6\xa2\xd7\x22\x5a\x1f\x7f\xa4\x9a\x2b\x2b\x56\xd3\xa4\x03\xa8\xdd\xd0\x3d\x70\x1b\xb8\xba\x36\xc2\x75\xb0\x5d\xb3\xb6\x06\x38\xb9\xa2\xa2\x34\xcb\x63\xb8\x09\xeb\xfc\x9a\x77\x1a\xc7\x12\x76\x2f\x7e\x96\xc5\x38\xe1\xc5\x4a\x79\x12\xb9\x59\x44\x63\x2d\x6d\x60\x59\x4b\x90\x0e\x17\xee\x32\x7b\x2b\x2b\x13\xbe\x28\x44\x06\x1f\xd1\xe3\x50\xe4\x71\x21\xfd\x71\xf1\x30\xa5\xae\xb5\x15\x3c\xcb\x8e\xce\x99\x59\x0f\xf9\x3e\xa9\x8e\xe5\x89\xa0\xa4\x28\x8b\xb6\xa3\x59\x0b\x1c\x6e\x89\x00\x8b\xbd\x2d\xc7\xad\x38\x74\x83\x69\x40\x5c\x9f\x8c\x37\xfa\x75\xdd\x2f\xf4\xa3\x84\x56\x1d\x03\x09\x48\xc3\xd1\x64\x66\xe4\xf0\x37\xe5\x4d\x3d\xca\xbd\xe0\x2f\xb3\x5c\x62\xb3\x16\x92\x65\xc0\xaf\x80\x18\xa8\x6c\x3f\xcf\x32\x68\xc1\xa9\x1e\x71\x31\xf8\x9c\xf7\x84\x1b\xb5\x8c\xab\x8a\x5f\x89\xd7\xed\xb6\x7f\x05\xf1\x6f\xe8\x40\x59\xbe\x5a\xbd\xbe\x44\xd3\x85\x2f\xa5\x79\x0c\x16\x16\x28\xb2\x1e\xef\x35\x9a\xaf\x7d\xb7\xde\x11\xc8\x35\xff\x9c\xc0\xb8\x6a\xc9\x75\x1f\xd2\xd5\xc1\x35\xe8\xac\xb4\x35\x2b\xc0\x3f\xdf\xe6\xc4\x34\x73\x5
8\x2c\xde\x76\xb1\x57\xee\xb0\x3a\xcf\xff\x74\x2b\xe5\x83\x8a\x4a\xab\xa1\x60\xe1\xc5\x88\xc9\xe1\xda\x27\x58\xfc\x29\x0a\xe3\x7a\x76\x05\x34\x0f\x72\x6f\xf3\xd8\xd7\x3d\x3d\xcc\xdc\x77\x37\x49\x9b\x74\x73\xec\xcc\x00\xc3\xd0\x1d\x20\xbd\x98\x9e\x60\x49\xd9\xda\x7d\xce\xe2\x29\xfe\x3d\xb7\xe2\x84\x5b\xa6\xef\x6b\x38\x06\x80\xe0\x77\x54\xdf\xa9\x2d\x16\x05\xb3\xb2\x52\x7e\xd1\x9d\x01\x33\x3b\x2b\x58\x86\x8d\x76\x14\xc9\x2b\x7f\x93\xc9\x5e\x2c\x90\x54\xf7\xa7\x28\xe0\x56\x9b\x98\x60\x18\x31\x1d\x9a\xb3\x79\xac\x3d\x19\xc7\xf6\x5f\x87\xac\xbd\x2a\x2b\xcd\xf1\x22\xb1\xb9\x50\x2d\x3c\x3a\x69\xef\xa3\x2f\x4b\xe1\xef\x20\xda\xa4\x2e\x13\x40\x9d\x2b\x12\xdb\xfd\x03\xc6\x4a\xca\x0b\xd6\x6c\x76\xc0\x4e\xa6\xa7\x6e\xf0\x29\x46\x50\xe5\x9e\x8a\x37\x9c\x85\xc5\xac\x8e\x31\x0e\xd9\x9e\x1a\x5f\x20\xc9\xbb\xdb\xee\x13\xde\x12\x18\xf9\x5b\xe0\x40\xff\x5f\x76\x0c\x7f\x07\xab\xe3\x62\x46\x85\x08\xa2\x11\x4e\x0c\x34\xf9\x38\x95\xc1\xe2\x8a\xd8\xc5\x6f\x19\x49\x81\x6c\xff\xd0\x9c\x02\x8d\xee\xf0\x1e\x5f\xcf\x91\xb4\x38\x4c\x62\xd0\xef\xd9\xb7\xd6\x6b\x1a\xae\x30\x2a\x3e\xd2\xc3\x03\x7c\x96\x75\xac\x6c\x86\x33\x6f\xa6\x03\x25\x8a\x53\x84\x09\xba\xd5\x67\x98\x11\x28\xcb\x8c\xab\x88\xd7\x02\x7b\x2a\x92\x67\x1c\xad\x00\x0a\x2c\x9f\x31\x7f\xb4\xae\x30\x98\x0d\x3f\x28\x51\x2f\xb5\xf6\x6a\x98\xb2\xe2\x07\x7a\x6a\x7f\x84\x61\xbf\x1a\x78\xcf\x12\xb3\xce\x6e\x3a\xa4\xa2\x2f\x3c\x63\x73\xa5\xd0\x4f\x76\x7b\x83\xc7\xd5\x7a\x56\x83\x4f\x76\x39\xc9\xac\xbb\x9f\xde\xde\xa8\x52\x76\xa0\xaa\x10\x0b\x68\xc8\xa2\x46\x31\x4a\x8c\xa0\x2f\xf0\x7d\x15\x32\xc9\x0d\x9a\x4a\x5d\xac\xba\x53\xa2\x4c\x14\xcb\x94\xb5\x7a\x8c\x23\x6c\x98\x5e\xbc\x98\x69\x71\x08\xa4\x3e\x87\x4b\x67\x15\xe6\xbe\x8d\x96\x85\xfa\xfd\xba\x1d\x7e\x5d\x1b\x4c\xed\x62\x56\x58\x47\xbd\xfc\xf6\x2b\xe1\x75\xe8\x48\x3c\xfd\x07\x11\x24\x76\x64\xe2\x73\xfc\xbe\xc2\x9f\x60\xde\xdd\x34\xc6\x81\x0f\x66\x50\xb6\xbd\xc4\x7d\xf7\x26\x7b\x8f\x53\xbc\x66\xac\x41\xa5\xc0\x50\x6e\xdf\x4a\x80\x5c\xff\x03\x43\x79\x7c\x88\x12\x56\xea\x09\x5f\xbf\x14\x57\x54\xf
7\xcb\x9d\xfb\xa6\xd3\xc2\xbd\x12\xac\xe3\x07\x62\x9c\xb2\x2d\xfe\xb5\xa4\x81\x55\xde\x0e\x50\xa9\x5d\xa5\x8b\x32\x02\x58\x9b\x60\xf5\xdd\x4c\xa6\xcd\x22\xc2\xed\x78\x8f\x27\x21\xd5\x35\x43\x74\xe9\xef\xac\xf4\x94\x72\x94\xdd\xc8\x14\x92\x25\xdc\xe5\xad\xfb\x32\x25\x95\xed\x18\xa4\xdc\xb0\x56\x51\x48\xb0\x87\xe3\x7d\x42\x47\xea\xae\xcc\x58\xc5\xaa\xf1\xc6\x4e\x87\xcc\x2c\xce\x9b\x8e\xbc\xaf\x96\x3f\xc4\x41\xa6\xdf\xac\x42\x6b\xe0\xac\xe4\xec\xfb\x91\xdf\x77\x32\x72\x1a\xfb\x34\xf9\x05\xce\x73\x77\xdb\x38\x49\xd7\x40\x1b\xa3\xd3\x14\x9c\x08\xe9\x8b\xcd\xec\xa6\xde\x20\x7e\xd8\xbc\x7b\x1d\x6e\x88\x59\x7d\xa6\x28\xc6\xb0\xa7\x3c\xf9\x67\x4a\x20\x7d\xd8\x74\x5f\xe5\xb3\x2b\xdd\x8f\x55\x09\xf1\x4f\xc1\x5c\xf9\x50\x4b\xf6\x63\x4b\x2d\xf2\x83\x6e\x95\xc7\x36\xe2\x76\x2f\x27\x14\xbf\xd1\x30\xaf\x99\x1d\x8b\x64\x8a\x93\x72\x15\x83\x83\xa2\xf5\x3e\x14\xc7\xcf\xc7\x66\x3d\xb5\xca\x5c\x8a\x9c\xdd\x15\x5e\x38\xc1\xf7\x0e\x51\x61\x35\x88\x12\x8d\xd0\x85\xbb\xdd\x7e\xd2\x39\xb9\x7e\x89\x58\xce\xf3\x5f\x11\x7e\xab\x19\xb3\x70\xff\x2e\x4e\x25\x68\x9d\x62\xb6\x84\xfd\x4a\xfc\xeb\x26\x32\x51\xfa\x92\xe8\xc6\xb2\xaa\x2e\x34\xd3\xfb\x8a\xae\xd1\x8c\xdc\x73\x4f\x9b\x42\x0c\x8d\x7b\x93\x15\x55\xeb\xd7\x99\x0c\xa0\x73\xfb\x81\xbe\x98\x27\x94\xe0\x00\xd5\x05\x72\xeb\x07\x61\xd4\x95\xba\x80\x68\xf6\x57\xd7\xf7\xb9\x19\xe6\x6a\x25\xe0\x32\x11\xdf\xe6\x90\xf4\x08\x1f\xc5\xde\x14\xf5\xf9\xd8\xbe\x47\x80\x24\xe6\x0a\x31\x38\x08\x0d\x9c\xe9\x7a\xe2\x3e\x29\x1e\x77\xa6\xe4\xa5\x07\xa9\x6a\xe0\xc0\x7d\x96\x04\xa9\x5b\x43\xb8\x17\x4c\x33\x17\x5b\xa2\x95\x05\x01\x86\xf7\x23\xb5\x0a\x60\x9e\xe0\x9b\x42\x67\xe4\xd2\xaf\x42\x96\xce\x65\x7b\xb8\xb5\xe9\x96\xf9\x8b\xd7\x5e\xd4\x2d\x09\x54\x89\x5d\x97\xd9\x88\x32\x9d\x92\x5f\x62\x89\x44\x74\xd1\xca\xa5\xde\x98\x8e\xd7\xb5\xc6\xde\xac\xfd\x90\xad\x94\x7e\xfe\xbf\x6c\xf6\x1b\x45\xd9\xc7\xb1\xba\x59\xe9\xec\x4b\x85\x59\xaf\xf8\xd3\xd0\x5f\xb0\x0f\x57\xec\x94\x2b\x0e\x9b\x9f\xdb\xde\x26\xca\xd3\x40\xcb\xb4\xf7\xc0\x44\x7b\x70\x7e\xd8\xf6\xd4\xf9\x89\xd0\xb1\xd
a\x0d\x0c\xda\xe6\x17\xb0\x14\x36\xfa\x68\xe3\x77\x75\xe8\x44\x41\x5e\xbd\x11\xa3\x35\x08\x46\xcf\x0b\x41\x9f\xad\x6d\xb9\x4c\xcc\x82\x83\xe9\x50\x19\xdb\x55\x91\xb9\xe8\x1c\x5d\x32\x70\x7b\x30\x02\xaf\xb2\x40\x58\x49\x5f\x6c\x21\xcd\x4b\x9e\x12\xaf\x7a\x1f\x40\x54\xfd\xa3\x7b\xa6\xa2\x94\x5e\x89\x98\x99\x76\x10\x12\x54\x8e\x41\x22\xa6\x95\x56\xe0\xca\x51\xe2\x31\x94\xbd\xc4\xe2\x72", 4096); *(uint32_t*)0x20002904 = 0x1000; *(uint32_t*)0x20002908 = 9; memcpy((void*)0x20002940, "flock=openafs", 13); *(uint8_t*)0x2000294d = 0x2c; memcpy((void*)0x2000294e, "dyn", 3); *(uint8_t*)0x20002951 = 0x2c; memcpy((void*)0x20002952, "autocell", 8); *(uint8_t*)0x2000295a = 0x2c; memcpy((void*)0x2000295b, "dyn", 3); *(uint8_t*)0x2000295e = 0x2c; memcpy((void*)0x2000295f, "flock=openafs", 13); *(uint8_t*)0x2000296c = 0x2c; memcpy((void*)0x2000296d, "source", 6); *(uint8_t*)0x20002973 = 0x3d; memcpy((void*)0x20002974, "&", 1); *(uint8_t*)0x20002975 = 0x2c; memcpy((void*)0x20002976, "source", 6); *(uint8_t*)0x2000297c = 0x3d; memcpy((void*)0x2000297d, "SEG6\000", 5); *(uint8_t*)0x20002982 = 0x2c; memcpy((void*)0x20002983, "smackfsdef", 10); *(uint8_t*)0x2000298d = 0x3d; memcpy((void*)0x2000298e, "SEG6\000", 5); *(uint8_t*)0x20002993 = 0x2c; memcpy((void*)0x20002994, "smackfsdef", 10); *(uint8_t*)0x2000299e = 0x3d; memcpy((void*)0x2000299f, "SEG6\000", 5); *(uint8_t*)0x200029a4 = 0x2c; memcpy((void*)0x200029a5, "subj_user", 9); *(uint8_t*)0x200029ae = 0x3d; memcpy((void*)0x200029af, "SEG6\000", 5); *(uint8_t*)0x200029b4 = 0x2c; memcpy((void*)0x200029b5, "smackfstransmute", 16); *(uint8_t*)0x200029c5 = 0x3d; memcpy((void*)0x200029c6, ":", 1); *(uint8_t*)0x200029c7 = 0x2c; memcpy((void*)0x200029c8, "seclabel", 8); *(uint8_t*)0x200029d0 = 0x2c; *(uint8_t*)0x200029d1 = 0; syz_mount_image(0x20001880, 0x200018c0, 5, 1, 0x20002900, 0x20005, 0x20002940); break; case 29: memcpy((void*)0x20002a00, "/dev/i2c-#\000", 11); syz_open_dev(0x20002a00, 0xad8, 0x2a2000); break; case 30: res = 
syscall(__NR_ioctl, -1, 0x5429, 0x20002a40); if (res != -1) r[15] = *(uint32_t*)0x20002a40; break; case 31: memcpy((void*)0x20002a80, "net\000", 4); syz_open_procfs(r[15], 0x20002a80); break; case 32: syz_open_pts(r[13], 0); break; case 33: *(uint32_t*)0x20002e80 = 0x20002ac0; memcpy((void*)0x20002ac0, "\x7a\xd3\xcd\x80\x2d\xd0\xc4\x24\x94\x5d\x99\xca\x9c\xa6\xe4\xfb\xb8\xf8\xe3\xb9\x80\xd2\xec", 23); *(uint32_t*)0x20002e84 = 0x17; *(uint32_t*)0x20002e88 = 0x1000; *(uint32_t*)0x20002e8c = 0x20002b00; memcpy((void*)0x20002b00, "\x32\x9d\xe8\x0b\x2b\x17\xbb\xd2\x5d\x1f\x19\x07\xa9\x26\x3a\xf3\xbf\x05\xc4\xa7\x06\x1e\x28\x49\x2a\x3f\x71\xc6\x34\x3a\xa5\xaa\xea\x03\x27\xa3", 36); *(uint32_t*)0x20002e90 = 0x24; *(uint32_t*)0x20002e94 = 5; *(uint32_t*)0x20002e98 = 0x20002b40; memcpy((void*)0x20002b40, "\x82\x79\x1d\xfd\x31\x1d\x07\xdb\x7d\x65\xe8\x03\xce\x6c\xa0\x00\x28\xaf\x8f\xf8\xd2\x76\x18\x7e\x0e\x14\xbb\xf7\xbe\xab\x60\xfc\x4b\x70\x72\x2e\x91\xb6\x32\x2b\x8e\x34\x72\x19\x1a\x66\x17\x6b\xb0\xca\x91\xde\xe6\x0f\x15\x06\xa6\xd4\x8b\xe4\x05\x52\x30\xc3\x0b\xe9\x4a\x10\x43\xa1\xd2\xa0\x6d\x42\x16\x60\x69\xd8\x03\x3d\x6c\x52\x4c\x86\x10\xb8\xc4\xbb\x63\xaf\x0c\xe6\xd6\x20\x71\x37\xf1\xbe\x1b\x62\xb0\x02\xe8\xc3\x5e\x64\x67\xc2\x42\x3c\xc6\x59\x7d\x1c\xa5\x8e\xe3\x15\x89\xf0\x24\x8a\xc7\x62\xe2\x4a\x28\x6a\x41\xa7\x61\x91\x2d\x34\xbb\x56\xf0\x7d\xb8\x8c\xa5\x2f\xce\x8d\x12\x87\x62\x39\x4f\xa0\x0f\xaa\xc8\x45\x1a\x42\xc3\x14\x4b\xde\xc7\xe9\x72\x96\xc9\xea\xc7\xc9\xf6\x31\x10\xa3\xd4\x05\xc1\x6b\x04\x28\x88\x00\x24\xe8\xc9\xc8\xaf\x49\x0b\x8c\xfa\xd8\x4c\xbb\x63\x78\x78\xd6\x34\xcd\x84\x34\x6b\x60\xc9\x13\x2c\x09\x66\x0c\xdc\x61\x6a\x0b", 212); *(uint32_t*)0x20002e9c = 0xd4; *(uint32_t*)0x20002ea0 = 0x7fff; *(uint32_t*)0x20002ea4 = 0x20002c40; memcpy((void*)0x20002c40, 
"\x90\x4b\xbc\xee\x2b\x46\xda\xa1\xac\x64\x3b\x7b\x6b\x8e\xa0\xff\x46\x2f\xea\xbe\xe5\x41\xb4\x11\xa8\x85\xe4\x70\xa4\x96\xcb\xbd\xc7\x29\xff\xde\xbc\x50\x80\x7f\x71\x9c\xbe\x80\x8d\x8b\x59\x8b\x47\x67\xc7\xa8\x52\xd9\xce\x0c\x88\x0a\x9b\x07\x8b\x01\x87\xde\xac\x92\x6b\xd4\x68\x7a\x44\xf0\x92\xbb", 74); *(uint32_t*)0x20002ea8 = 0x4a; *(uint32_t*)0x20002eac = 5; *(uint32_t*)0x20002eb0 = 0x20002cc0; memcpy((void*)0x20002cc0, "\x35\x31\xae\x25\x7e\x7e\x08\x77\xcd\xe3\x40\xc4\x2e\xdb\xfc\x91\xdc\xff\xaf\xf1\x28\x4e\xf0\x8a\x45\x1e\x4c\x76\xe0\xcd\x83\xb2\xc0\xea\x10\xd8\x6b\xce\xfa\x93\xbb\xae\xf5\xff\xfb\xfe\x7d\xc7\x0b\x73\xb8\x9c\x55\xfc\x38\x51\x11\x0d\x1b\xd0\xd1\xda\x31\x75\x33\x20\xb1\x11\xfe\x70\x60\x53\x7e\x8f\x65\xf3\xc2\xf0\x5a\xdc\xb3\xd6\x6b\xd2\xab\xe6\xb0\x8a\xaa\xe0\xd0\xee\xdc\xa9\x93\x77\x07\xec\x4c\xb4\x87\x4c\xdf\xd0\x58\x00\x81\x2a\xb5\x3f\x95\x50\xb2\x5a\x28\xee\x69\xe6\x2a\x0f\x79\x0f\xe5\x23\x3f\xc8\x64\x5f\xc3\xfe\x6c\xae\x05\x5f\x2a\xa1\x72\x91\x25\x17\x01\x51\xe8\x6e\xea\xb6\x7b\xb2\x0b\xc8\x84\xa1\x21\x4c\x2d\x3d\x96\x9c\x34\xfb\x23\x9b\x45\xfe\xec\x93\xac\x20\x97\x21\xba\xe7\x27\x12\x51\xc6\x13\xce\xa9\x37\x9c\x15\x21", 183); *(uint32_t*)0x20002eb4 = 0xb7; *(uint32_t*)0x20002eb8 = 4; *(uint32_t*)0x20002ebc = 0x20002d80; memcpy((void*)0x20002d80, "\xc3\xf0\x4f\x26\x92\x9b\x7a\x4d\x63\x42\x84\x1f\xa5\x3a\x9a\x8c\xb8\x00\x6a\x97\xf4\x28", 22); *(uint32_t*)0x20002ec0 = 0x16; *(uint32_t*)0x20002ec4 = 6; *(uint32_t*)0x20002ec8 = 0x20002dc0; memcpy((void*)0x20002dc0, 
"\xc9\x87\x12\x75\xe3\x26\x9f\xf1\xbd\xcd\x67\xfb\x52\x3e\x1c\xeb\x51\x51\xb0\xed\xe9\xe0\x32\x63\x4e\x36\xd4\x86\x04\x6b\xc3\x1c\xd9\x78\xbd\xa5\x92\x47\x35\x53\x16\x31\x9e\x76\x8e\x7a\xc6\xbe\x06\x48\xbf\x0f\xec\xd1\x3c\xda\xd4\x5f\x71\x3e\x0e\x3b\x74\xe9\x5e\xec\x77\x06\x3c\x02\xa2\x33\xea\x97\xd3\x38\xf4\xb1\xe9\xbc\x5a\x7c\xce\x85\x52\x87\x42\x63\x2e\xd5\x9c\xec\x01\x6f\x39\x14\xdd\x02\xca\x6b\x1d\xc8\x33\x22\x48\x95\x27\x73\x50\xcf\x1f\x21\xd6\xc7\x8f\x85\x92\x71\x7e\x91\x23\x3f\x90\x26\x92\x7e\x0c\xc3\xd8\x0c\xdc\x57\x71\x47\x63\xa0\xfc\xb0\x91\xf5\xc6\x90\x51\xb5\x5c\xd2\xe1\xfc\xc3\x3b\x13\xd5\x97\xc5\xca\xee\xb2\x71\xc5\x42\x97\x8a\x1e\x17", 164); *(uint32_t*)0x20002ecc = 0xa4; *(uint32_t*)0x20002ed0 = 0x9c; syz_read_part_table(1, 7, 0x20002e80); break; case 34: *(uint8_t*)0x20002f00 = 0x12; *(uint8_t*)0x20002f01 = 1; *(uint16_t*)0x20002f02 = 0x201; *(uint8_t*)0x20002f04 = 0xa4; *(uint8_t*)0x20002f05 = 0x61; *(uint8_t*)0x20002f06 = 0x1e; *(uint8_t*)0x20002f07 = 0x40; *(uint16_t*)0x20002f08 = 0xacd; *(uint16_t*)0x20002f0a = 0x300; *(uint16_t*)0x20002f0c = 0xc0df; *(uint8_t*)0x20002f0e = 1; *(uint8_t*)0x20002f0f = 2; *(uint8_t*)0x20002f10 = 3; *(uint8_t*)0x20002f11 = 1; *(uint8_t*)0x20002f12 = 9; *(uint8_t*)0x20002f13 = 2; *(uint16_t*)0x20002f14 = 0x372; *(uint8_t*)0x20002f16 = 2; *(uint8_t*)0x20002f17 = 4; *(uint8_t*)0x20002f18 = 0x1f; *(uint8_t*)0x20002f19 = 0; *(uint8_t*)0x20002f1a = 1; *(uint8_t*)0x20002f1b = 9; *(uint8_t*)0x20002f1c = 4; *(uint8_t*)0x20002f1d = 0x5d; *(uint8_t*)0x20002f1e = 0xb3; *(uint8_t*)0x20002f1f = 1; *(uint8_t*)0x20002f20 = 0xad; *(uint8_t*)0x20002f21 = 0x49; *(uint8_t*)0x20002f22 = 0x76; *(uint8_t*)0x20002f23 = 0x20; *(uint8_t*)0x20002f24 = 7; *(uint8_t*)0x20002f25 = 0x24; *(uint8_t*)0x20002f26 = 1; *(uint8_t*)0x20002f27 = 0; *(uint8_t*)0x20002f28 = 0x80; *(uint16_t*)0x20002f29 = 0; *(uint8_t*)0x20002f2b = 9; *(uint8_t*)0x20002f2c = 5; *(uint8_t*)0x20002f2d = 0xd; *(uint8_t*)0x20002f2e = 0; *(uint16_t*)0x20002f2f = 0x230; 
*(uint8_t*)0x20002f31 = 0x5d; *(uint8_t*)0x20002f32 = 1; *(uint8_t*)0x20002f33 = 0x3f; *(uint8_t*)0x20002f34 = 7; *(uint8_t*)0x20002f35 = 0x25; *(uint8_t*)0x20002f36 = 1; *(uint8_t*)0x20002f37 = 0; *(uint8_t*)0x20002f38 = 0x1f; *(uint16_t*)0x20002f39 = 2; *(uint8_t*)0x20002f3b = 0xba; *(uint8_t*)0x20002f3c = 0xe; memcpy((void*)0x20002f3d, "\xf4\xe6\xe5\x76\x28\x83\xc3\x4d\xf0\x4f\x35\x60\x99\xf1\xd3\x4b\xdb\xc9\xf5\x32\x4d\xa6\x48\x05\x3f\xd6\x90\x21\x1b\x89\x71\x19\xc4\xf3\xac\x19\x7f\x2a\xa9\x3f\x2f\x3b\xe0\x5f\x83\x6b\x16\x44\xd5\xb2\x32\x76\x48\xb3\x08\x16\xed\x19\x2f\x94\x3d\xfc\xe2\x25\xf6\x9d\x77\xc5\x15\x65\xe1\x77\xfd\x88\x9c\x9c\x9d\x8c\x85\xb9\x2e\xe4\xbe\xad\x0e\x88\x94\x46\xbb\xc3\x20\xa4\x0f\xa2\x48\x07\xf4\x76\xbf\xd1\xf1\xb3\x09\x6e\x33\x70\xf7\x55\xc9\x4a\xa0\x1c\x3b\xe4\xdd\xc7\x95\x2a\x56\x94\xbc\xad\x4b\xeb\x40\x65\xbf\x5e\xa9\x60\x66\xc4\x3e\x95\x07\xe6\x22\x0c\x47\xbc\x02\x71\xad\xcb\xaf\xfc\xe6\xac\x90\xcb\x3c\x8b\x1c\xf7\x48\xc6\xbb\xf9\x71\x08\xdf\xa2\xca\xc4\xb8\x7d\x34\x20\x42\x84\x34\x39\x7e\x07\xf1\x7a\x87\xed\x62\x33\xb3\x9e\x32\xf0", 184); *(uint8_t*)0x20002ff5 = 9; *(uint8_t*)0x20002ff6 = 4; *(uint8_t*)0x20002ff7 = 0x5d; *(uint8_t*)0x20002ff8 = 0x27; *(uint8_t*)0x20002ff9 = 7; *(uint8_t*)0x20002ffa = 0x3f; *(uint8_t*)0x20002ffb = 0x84; *(uint8_t*)0x20002ffc = 0xfd; *(uint8_t*)0x20002ffd = 3; *(uint8_t*)0x20002ffe = 0x10; *(uint8_t*)0x20002fff = 0x24; *(uint8_t*)0x20003000 = 2; *(uint8_t*)0x20003001 = 1; *(uint8_t*)0x20003002 = 0xe2; *(uint8_t*)0x20003003 = 2; *(uint8_t*)0x20003004 = 0x63; *(uint8_t*)0x20003005 = 0x40; memcpy((void*)0x20003006, "\xe7\x21\xcc\x44\xac\xca\x89\x38", 8); *(uint8_t*)0x2000300e = 0xb; *(uint8_t*)0x2000300f = 0x24; *(uint8_t*)0x20003010 = 2; *(uint8_t*)0x20003011 = 1; *(uint8_t*)0x20003012 = 0; *(uint8_t*)0x20003013 = 3; *(uint8_t*)0x20003014 = 1; *(uint8_t*)0x20003015 = 0; memcpy((void*)0x20003016, "\x9e\xf4\x2f", 3); *(uint8_t*)0x20003019 = 7; *(uint8_t*)0x2000301a = 0x24; *(uint8_t*)0x2000301b = 1; 
*(uint8_t*)0x2000301c = 4; *(uint8_t*)0x2000301d = 1; *(uint16_t*)0x2000301e = 4; *(uint8_t*)0x20003020 = 0xb; *(uint8_t*)0x20003021 = 0x24; *(uint8_t*)0x20003022 = 2; *(uint8_t*)0x20003023 = 1; *(uint8_t*)0x20003024 = 0; *(uint8_t*)0x20003025 = 3; *(uint8_t*)0x20003026 = 0x19; *(uint8_t*)0x20003027 = 6; memcpy((void*)0x20003028, "\x9e", 1); memcpy((void*)0x20003029, "\x69\x83", 2); *(uint8_t*)0x2000302b = 9; *(uint8_t*)0x2000302c = 5; *(uint8_t*)0x2000302d = 0xf; *(uint8_t*)0x2000302e = 0; *(uint16_t*)0x2000302f = 0x3ff; *(uint8_t*)0x20003031 = 0xf6; *(uint8_t*)0x20003032 = 5; *(uint8_t*)0x20003033 = 0x80; *(uint8_t*)0x20003034 = 9; *(uint8_t*)0x20003035 = 5; *(uint8_t*)0x20003036 = 1; *(uint8_t*)0x20003037 = 0x10; *(uint16_t*)0x20003038 = 0x10; *(uint8_t*)0x2000303a = 0; *(uint8_t*)0x2000303b = 0x40; *(uint8_t*)0x2000303c = 6; *(uint8_t*)0x2000303d = 7; *(uint8_t*)0x2000303e = 0x25; *(uint8_t*)0x2000303f = 1; *(uint8_t*)0x20003040 = 2; *(uint8_t*)0x20003041 = 0x20; *(uint16_t*)0x20003042 = 6; *(uint8_t*)0x20003044 = 9; *(uint8_t*)0x20003045 = 5; *(uint8_t*)0x20003046 = 0xb; *(uint8_t*)0x20003047 = 8; *(uint16_t*)0x20003048 = 0x10; *(uint8_t*)0x2000304a = 1; *(uint8_t*)0x2000304b = 2; *(uint8_t*)0x2000304c = 0; *(uint8_t*)0x2000304d = 9; *(uint8_t*)0x2000304e = 5; *(uint8_t*)0x2000304f = 0xd; *(uint8_t*)0x20003050 = 0x10; *(uint16_t*)0x20003051 = 0x200; *(uint8_t*)0x20003053 = 4; *(uint8_t*)0x20003054 = 8; *(uint8_t*)0x20003055 = 0xc0; *(uint8_t*)0x20003056 = 0xbb; *(uint8_t*)0x20003057 = 0x31; memcpy((void*)0x20003058, 
"\x21\x5c\xe6\xab\x8f\x3c\x72\xca\xa3\xab\x13\x26\xf1\x88\x38\x90\x8a\xc6\x0b\xff\xb3\xb5\x07\x48\x14\x4a\xa2\xcb\xc4\xd7\xca\xc5\x6f\x4a\x7b\xb2\xbd\x6c\x96\x96\x74\xa5\xe4\x04\x08\x61\xbb\x21\xba\x5c\xcf\x0f\x82\x2c\x10\x32\xe7\xe3\x72\x9f\x8c\x17\x1f\xc7\xa8\x9b\x53\x40\xb5\x06\x71\x08\xd5\x97\xf1\x78\xaa\x65\x1a\x98\xac\xa4\xd0\x12\xfa\x55\x5a\x69\x56\x83\xb5\x27\xe6\x03\x1f\x1f\x7f\x20\x49\x4b\x25\x0e\x3a\x6c\xd8\xb4\xde\x96\x47\xe1\x50\x04\x98\x67\x09\x7c\x47\xcc\x23\x7c\x61\x2c\xef\xe6\x98\x33\x2f\x1f\xe7\xf0\x2e\x6f\x53\xe8\x45\xb1\xf5\xe7\xb4\xb2\x4a\xd8\x62\x9b\x78\xce\x76\x30\xe2\xd4\x01\x20\xfb\xc3\xf4\x93\x75\xa4\xa0\x86\xde\xdd\x2a\x27\xf0\x6b\x3e\xd3\xd7\x56\xa8\x19\xb9\x7f\x75\x9a\xa5\x4a\xef\x83\xdf\x48\x68\xa9\xe9", 185); *(uint8_t*)0x20003111 = 9; *(uint8_t*)0x20003112 = 5; *(uint8_t*)0x20003113 = 3; *(uint8_t*)0x20003114 = 0x12; *(uint16_t*)0x20003115 = 0x3ff; *(uint8_t*)0x20003117 = 0; *(uint8_t*)0x20003118 = 1; *(uint8_t*)0x20003119 = -1; *(uint8_t*)0x2000311a = 0xad; *(uint8_t*)0x2000311b = 0x31; memcpy((void*)0x2000311c, "\x0c\x92\x1d\x3f\x98\x0f\x4e\x53\x14\x7a\x46\xbd\x58\x56\xda\x03\x08\x16\x60\xfb\xed\x7b\x8b\x2d\x38\x9b\xe8\xa0\x38\xe9\x5c\x29\x58\xa4\x77\xed\x5f\xaf\x9e\xf3\x8c\x82\xc3\xab\xea\x25\x44\x59\xed\xb0\xf2\xcf\x28\x62\x35\x03\x40\x87\xad\xb7\x90\x7f\xf1\x92\x64\x0b\x93\x68\x86\xbd\x48\xd3\xa5\x12\x15\x40\x6b\x3a\xa0\xb6\xd8\xf8\xd9\x1d\x83\x0f\x52\x36\xa9\xa8\xbe\x03\xc2\x21\x5f\x01\x21\x31\x96\x8c\x6a\x80\x86\x0a\xe8\x11\x93\x05\x94\x68\x10\x8e\xfd\x4f\x13\x05\x37\x9d\x01\x15\xc7\xec\x66\x7b\x03\x59\x94\x0e\x56\x64\xbf\x7b\x3c\x4a\x5f\x04\xca\x3c\x51\xdb\x9d\x2c\xd4\x17\xe9\x09\x9b\xff\x62\x8b\x8e\x1a\x8e\xd0\xf5\x96\x14\x93\x57\xa0\x8a\xbd\x11\x77\xeb\x97\x73\x53\xeb\x89\x32", 171); *(uint8_t*)0x200031c7 = 0x93; *(uint8_t*)0x200031c8 = 0x11; memcpy((void*)0x200031c9, 
"\xa8\xe2\x2d\x54\x2a\xe3\xd8\x31\xf3\x37\x21\x1b\xb5\xbe\x12\xa5\xc4\x6e\x5c\xf9\xb5\x56\xd8\x4d\x5a\xf4\xca\xca\x87\x42\xad\x21\x61\x40\x56\x2b\x7e\x54\x21\xe2\x64\x24\x71\xe8\xf5\x0e\xb8\xae\xf0\x62\x12\xb4\x6c\x64\x4a\xe5\x84\x63\xe1\x8b\x3e\x72\xbd\x3e\xca\x60\x60\xfa\x8b\x94\x03\x17\x96\xe5\x5e\xb4\x1d\x3f\x31\x8a\xff\xbf\x08\x1e\xeb\x17\x08\x85\x1e\x72\xfa\xdd\x88\x7e\x03\x30\x13\x43\x19\xf0\xa5\x96\x7e\xda\x65\x7b\xc1\x10\x1f\x74\xde\xba\x42\xe7\x8a\xff\x20\xfb\x5d\x3c\x1f\xe4\x9d\x9a\x05\x46\x57\xb6\xf1\xaf\x3d\x01\x5f\xc1\x6f\xf8\x08\x73\xf3\x26\x69\x08\x43\xdf\x81", 145); *(uint8_t*)0x2000325a = 9; *(uint8_t*)0x2000325b = 5; *(uint8_t*)0x2000325c = 0xf; *(uint8_t*)0x2000325d = 4; *(uint16_t*)0x2000325e = 0x200; *(uint8_t*)0x20003260 = 0; *(uint8_t*)0x20003261 = 0x1f; *(uint8_t*)0x20003262 = 1; *(uint8_t*)0x20003263 = 0x11; *(uint8_t*)0x20003264 = 6; memcpy((void*)0x20003265, "\x82\x4b\x7d\x09\x57\xbc\x55\x2d\x22\x4f\xdf\x6b\xff\x63\xa8", 15); *(uint8_t*)0x20003274 = 7; *(uint8_t*)0x20003275 = 0x25; *(uint8_t*)0x20003276 = 1; *(uint8_t*)0x20003277 = 0x80; *(uint8_t*)0x20003278 = 0xfd; *(uint16_t*)0x20003279 = 6; *(uint8_t*)0x2000327b = 9; *(uint8_t*)0x2000327c = 5; *(uint8_t*)0x2000327d = 0; *(uint8_t*)0x2000327e = 0; *(uint16_t*)0x2000327f = 0x20; *(uint8_t*)0x20003281 = 0x1f; *(uint8_t*)0x20003282 = 0xfd; *(uint8_t*)0x20003283 = 3; *(uint32_t*)0x20003400 = 0xa; *(uint32_t*)0x20003404 = 0x200032c0; *(uint8_t*)0x200032c0 = 0xa; *(uint8_t*)0x200032c1 = 6; *(uint16_t*)0x200032c2 = 0x110; *(uint8_t*)0x200032c4 = 0x4d; *(uint8_t*)0x200032c5 = 0x80; *(uint8_t*)0x200032c6 = 0x80; *(uint8_t*)0x200032c7 = 0x20; *(uint8_t*)0x200032c8 = 0xc1; *(uint8_t*)0x200032c9 = 0; *(uint32_t*)0x20003408 = 0x46; *(uint32_t*)0x2000340c = 0x20003300; *(uint8_t*)0x20003300 = 5; *(uint8_t*)0x20003301 = 0xf; *(uint16_t*)0x20003302 = 0x46; *(uint8_t*)0x20003304 = 5; *(uint8_t*)0x20003305 = 0xb; *(uint8_t*)0x20003306 = 0x10; *(uint8_t*)0x20003307 = 1; *(uint8_t*)0x20003308 = 0xc; 
*(uint16_t*)0x20003309 = 0x35; *(uint8_t*)0x2000330b = 0; *(uint8_t*)0x2000330c = 0xdf; *(uint16_t*)0x2000330d = 9; *(uint8_t*)0x2000330f = 0xf7; *(uint8_t*)0x20003310 = 7; *(uint8_t*)0x20003311 = 0x10; *(uint8_t*)0x20003312 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003313, 0xe, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003314, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003314, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003315, 9, 0, 16); *(uint8_t*)0x20003317 = 0x18; *(uint8_t*)0x20003318 = 0x10; *(uint8_t*)0x20003319 = 0xa; *(uint8_t*)0x2000331a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000331b, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000331b, 0x7fffffe, 5, 27); *(uint16_t*)0x2000331f = 0xff0f; *(uint16_t*)0x20003321 = 0x101; *(uint32_t*)0x20003323 = 0xffc0a0; *(uint32_t*)0x20003327 = 0; *(uint32_t*)0x2000332b = 0xffff0f; *(uint8_t*)0x2000332f = 0x10; *(uint8_t*)0x20003330 = 0x10; *(uint8_t*)0x20003331 = 0xa; *(uint8_t*)0x20003332 = 3; STORE_BY_BITMASK(uint32_t, , 0x20003333, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003333, 0x200, 5, 27); *(uint16_t*)0x20003337 = 0xff00; *(uint16_t*)0x20003339 = 1; *(uint32_t*)0x2000333b = 0; *(uint8_t*)0x2000333f = 7; *(uint8_t*)0x20003340 = 0x10; *(uint8_t*)0x20003341 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003342, 0x16, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003343, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003343, 0xe, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003344, 7, 0, 16); *(uint32_t*)0x20003410 = 2; *(uint32_t*)0x20003414 = 4; *(uint32_t*)0x20003418 = 0x20003380; *(uint8_t*)0x20003380 = 4; *(uint8_t*)0x20003381 = 3; *(uint16_t*)0x20003382 = 0x380a; *(uint32_t*)0x2000341c = 4; *(uint32_t*)0x20003420 = 0x200033c0; *(uint8_t*)0x200033c0 = 4; *(uint8_t*)0x200033c1 = 3; *(uint16_t*)0x200033c2 = 0x42f; res = -1; res = syz_usb_connect(4, 0x384, 0x20002f00, 0x20003400); if (res != -1) r[16] = res; break; case 35: *(uint8_t*)0x20003440 = 0x12; *(uint8_t*)0x20003441 = 1; *(uint16_t*)0x20003442 = 0x200; *(uint8_t*)0x20003444 = -1; 
*(uint8_t*)0x20003445 = -1; *(uint8_t*)0x20003446 = -1; *(uint8_t*)0x20003447 = 0x40; *(uint16_t*)0x20003448 = 0xcf3; *(uint16_t*)0x2000344a = 0x9271; *(uint16_t*)0x2000344c = 0x108; *(uint8_t*)0x2000344e = 1; *(uint8_t*)0x2000344f = 2; *(uint8_t*)0x20003450 = 3; *(uint8_t*)0x20003451 = 1; *(uint8_t*)0x20003452 = 9; *(uint8_t*)0x20003453 = 2; *(uint16_t*)0x20003454 = 0x48; *(uint8_t*)0x20003456 = 1; *(uint8_t*)0x20003457 = 1; *(uint8_t*)0x20003458 = 0; *(uint8_t*)0x20003459 = 0x80; *(uint8_t*)0x2000345a = 0xfa; *(uint8_t*)0x2000345b = 9; *(uint8_t*)0x2000345c = 4; *(uint8_t*)0x2000345d = 0; *(uint8_t*)0x2000345e = 0; *(uint8_t*)0x2000345f = 6; *(uint8_t*)0x20003460 = -1; *(uint8_t*)0x20003461 = 0; *(uint8_t*)0x20003462 = 0; *(uint8_t*)0x20003463 = 0; *(uint8_t*)0x20003464 = 9; *(uint8_t*)0x20003465 = 5; *(uint8_t*)0x20003466 = 1; *(uint8_t*)0x20003467 = 2; *(uint16_t*)0x20003468 = 0x200; *(uint8_t*)0x2000346a = 0; *(uint8_t*)0x2000346b = 0; *(uint8_t*)0x2000346c = 0; *(uint8_t*)0x2000346d = 9; *(uint8_t*)0x2000346e = 5; *(uint8_t*)0x2000346f = 0x82; *(uint8_t*)0x20003470 = 2; *(uint16_t*)0x20003471 = 0x200; *(uint8_t*)0x20003473 = 0; *(uint8_t*)0x20003474 = 0; *(uint8_t*)0x20003475 = 0; *(uint8_t*)0x20003476 = 9; *(uint8_t*)0x20003477 = 5; *(uint8_t*)0x20003478 = 0x83; *(uint8_t*)0x20003479 = 3; *(uint16_t*)0x2000347a = 0x40; *(uint8_t*)0x2000347c = 1; *(uint8_t*)0x2000347d = 0; *(uint8_t*)0x2000347e = 0; *(uint8_t*)0x2000347f = 9; *(uint8_t*)0x20003480 = 5; *(uint8_t*)0x20003481 = 4; *(uint8_t*)0x20003482 = 3; *(uint16_t*)0x20003483 = 0x40; *(uint8_t*)0x20003485 = 1; *(uint8_t*)0x20003486 = 0; *(uint8_t*)0x20003487 = 0; *(uint8_t*)0x20003488 = 9; *(uint8_t*)0x20003489 = 5; *(uint8_t*)0x2000348a = 5; *(uint8_t*)0x2000348b = 2; *(uint16_t*)0x2000348c = 0x200; *(uint8_t*)0x2000348e = 0; *(uint8_t*)0x2000348f = 0; *(uint8_t*)0x20003490 = 0; *(uint8_t*)0x20003491 = 9; *(uint8_t*)0x20003492 = 5; *(uint8_t*)0x20003493 = 6; *(uint8_t*)0x20003494 = 2; 
*(uint16_t*)0x20003495 = 0x200; *(uint8_t*)0x20003497 = 0; *(uint8_t*)0x20003498 = 0; *(uint8_t*)0x20003499 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20003440, 0); break; case 36: *(uint32_t*)0x200036c0 = 0x18; *(uint32_t*)0x200036c4 = 0x200034c0; *(uint8_t*)0x200034c0 = 0x20; *(uint8_t*)0x200034c1 = 8; *(uint32_t*)0x200034c2 = 0xd4; *(uint8_t*)0x200034c6 = 0xd4; *(uint8_t*)0x200034c7 = 0x31; memcpy((void*)0x200034c8, "\xdd\x9f\xe1\xd6\xf8\xee\x76\xd6\x28\x92\x46\xb5\x27\x7c\xc1\x9f\x3c\x46\x21\xad\xd8\x21\xa7\xf3\xd1\xaa\xe9\x94\xdb\xf4\xb1\xbd\x89\xe8\x77\x07\x34\x76\x8a\xde\x97\xe5\x1d\x24\x8f\x53\xcd\x53\x0b\x31\x11\x9a\xac\xcf\x53\xb6\xf6\xed\xdf\x4b\x8b\xfe\x6a\x1a\x85\x9c\x3d\xc2\x86\xf8\x33\x5c\x9d\x15\xe5\xd5\x16\x9b\x24\x41\x55\x39\x10\x62\xff\x88\x5d\x40\xbe\x37\x07\xb6\xd1\xea\x25\x2a\x96\xd9\x7a\xb2\x4f\xb6\x75\xf5\x45\x57\xcf\xa2\x4d\x80\x5b\x07\x95\x70\x8a\xf5\x06\x5d\x4b\x66\x62\xdf\xd5\x4d\xd5\x9c\xfc\xe1\x67\x3a\xb3\x56\xa2\x54\xf6\xb5\xbc\xe4\x4c\x61\x9a\x17\xff\xce\x8e\xbb\x96\xe0\x83\xc0\x82\x45\x00\x62\xbd\x71\xa2\x06\xca\x92\x1e\x0b\x77\xf5\x17\xc1\x61\x95\x86\xb3\xbc\xa3\xe2\x49\x08\x21\x01\x6c\xc7\x6c\xaf\x96\xc0\xec\x90\x68\xb4\x5e\x23\x34\xed\x9a\x6f\xf0\x6a\x63\x43\xae\x01\xf0\xae\xf6\x12\x7e\xba\xf5\xb5\x2d\x69\xe3", 210); *(uint32_t*)0x200036c8 = 0x200035c0; *(uint8_t*)0x200035c0 = 0; *(uint8_t*)0x200035c1 = 3; *(uint32_t*)0x200035c2 = 4; *(uint8_t*)0x200035c6 = 4; *(uint8_t*)0x200035c7 = 3; *(uint16_t*)0x200035c8 = 0x40e; *(uint32_t*)0x200036cc = 0x20003600; *(uint8_t*)0x20003600 = 0; *(uint8_t*)0x20003601 = 0xf; *(uint32_t*)0x20003602 = 0x28; *(uint8_t*)0x20003606 = 5; *(uint8_t*)0x20003607 = 0xf; *(uint16_t*)0x20003608 = 0x28; *(uint8_t*)0x2000360a = 2; *(uint8_t*)0x2000360b = 3; *(uint8_t*)0x2000360c = 0x10; *(uint8_t*)0x2000360d = 0xb; *(uint8_t*)0x2000360e = 0x20; *(uint8_t*)0x2000360f = 0x10; *(uint8_t*)0x20003610 = 0xa; memcpy((void*)0x20003611, 
"\x19\x5f\xa2\xf3\x24\xc0\xbe\x96\xda\x3d\xb2\x6a\xfa\x56\x77\x53\x0a\xc0\xfa\xf4\xc6\x82\xbe\x7c\x15\xe9\xa5\x86\x66", 29); *(uint32_t*)0x200036d0 = 0x20003640; *(uint8_t*)0x20003640 = 0x20; *(uint8_t*)0x20003641 = 0x29; *(uint32_t*)0x20003642 = 0xf; *(uint8_t*)0x20003646 = 0xf; *(uint8_t*)0x20003647 = 0x29; *(uint8_t*)0x20003648 = 9; *(uint16_t*)0x20003649 = 1; *(uint8_t*)0x2000364b = 0; *(uint8_t*)0x2000364c = 9; memcpy((void*)0x2000364d, "\x05\x7c\x41\x7e", 4); memcpy((void*)0x20003651, "\x8d\xa4\x36\xc4", 4); *(uint32_t*)0x200036d4 = 0x20003680; *(uint8_t*)0x20003680 = 0x20; *(uint8_t*)0x20003681 = 0x2a; *(uint32_t*)0x20003682 = 0xc; *(uint8_t*)0x20003686 = 0xc; *(uint8_t*)0x20003687 = 0x2a; *(uint8_t*)0x20003688 = 0x20; *(uint16_t*)0x20003689 = 0x10; *(uint8_t*)0x2000368b = 0x80; *(uint8_t*)0x2000368c = 0x40; *(uint8_t*)0x2000368d = 0x1f; *(uint16_t*)0x2000368e = 0; *(uint16_t*)0x20003690 = 5; *(uint32_t*)0x20003b40 = 0x44; *(uint32_t*)0x20003b44 = 0x20003700; *(uint8_t*)0x20003700 = 0x60; *(uint8_t*)0x20003701 = 8; *(uint32_t*)0x20003702 = 0x54; memcpy((void*)0x20003706, "\x85\xf9\x88\x04\x52\x78\xf9\x75\x32\xa6\x67\xcb\xee\x9b\x82\x1d\x65\x54\xfb\x1c\x6d\x18\xdf\xfb\x78\x51\x96\xd9\x07\x27\xe1\xb4\x61\x5c\x86\xee\x04\x9a\x16\x96\xb1\x66\x8f\x00\x0e\x62\xd5\x39\xe0\x81\xcf\x07\xe3\x60\x17\x1c\xe6\x1c\xa2\xf9\x56\x44\xb9\xad\x8e\x92\x11\xa1\xb1\x9c\x43\x99\xbd\xfd\x6d\x53\x3b\xf8\x95\x52\x42\x72\x5b\xb4", 84); *(uint32_t*)0x20003b48 = 0x20003780; *(uint8_t*)0x20003780 = 0; *(uint8_t*)0x20003781 = 0xa; *(uint32_t*)0x20003782 = 1; *(uint8_t*)0x20003786 = 1; *(uint32_t*)0x20003b4c = 0x200037c0; *(uint8_t*)0x200037c0 = 0; *(uint8_t*)0x200037c1 = 8; *(uint32_t*)0x200037c2 = 1; *(uint8_t*)0x200037c6 = 0x81; *(uint32_t*)0x20003b50 = 0x20003800; *(uint8_t*)0x20003800 = 0x20; *(uint8_t*)0x20003801 = 0; *(uint32_t*)0x20003802 = 4; *(uint16_t*)0x20003806 = 2; *(uint16_t*)0x20003808 = 0; *(uint32_t*)0x20003b54 = 0x20003840; *(uint8_t*)0x20003840 = 0x20; 
*(uint8_t*)0x20003841 = 0; *(uint32_t*)0x20003842 = 8; *(uint16_t*)0x20003846 = 0x200; *(uint16_t*)0x20003848 = 0x40; *(uint32_t*)0x2000384a = 0xff; *(uint32_t*)0x20003b58 = 0x20003880; *(uint8_t*)0x20003880 = 0x40; *(uint8_t*)0x20003881 = 7; *(uint32_t*)0x20003882 = 2; *(uint16_t*)0x20003886 = 1; *(uint32_t*)0x20003b5c = 0x200038c0; *(uint8_t*)0x200038c0 = 0x40; *(uint8_t*)0x200038c1 = 9; *(uint32_t*)0x200038c2 = 1; *(uint8_t*)0x200038c6 = 0x81; *(uint32_t*)0x20003b60 = 0x20003900; *(uint8_t*)0x20003900 = 0x40; *(uint8_t*)0x20003901 = 0xb; *(uint32_t*)0x20003902 = 2; memcpy((void*)0x20003906, "\x8e\xaf", 2); *(uint32_t*)0x20003b64 = 0x20003940; *(uint8_t*)0x20003940 = 0x40; *(uint8_t*)0x20003941 = 0xf; *(uint32_t*)0x20003942 = 2; *(uint16_t*)0x20003946 = 9; *(uint32_t*)0x20003b68 = 0x20003980; *(uint8_t*)0x20003980 = 0x40; *(uint8_t*)0x20003981 = 0x13; *(uint32_t*)0x20003982 = 6; *(uint8_t*)0x20003986 = 0xaa; *(uint8_t*)0x20003987 = 0xaa; *(uint8_t*)0x20003988 = 0xaa; *(uint8_t*)0x20003989 = 0xaa; *(uint8_t*)0x2000398a = 0xaa; *(uint8_t*)0x2000398b = 0x38; *(uint32_t*)0x20003b6c = 0x200039c0; *(uint8_t*)0x200039c0 = 0x40; *(uint8_t*)0x200039c1 = 0x17; *(uint32_t*)0x200039c2 = 6; *(uint8_t*)0x200039c6 = -1; *(uint8_t*)0x200039c7 = -1; *(uint8_t*)0x200039c8 = -1; *(uint8_t*)0x200039c9 = -1; *(uint8_t*)0x200039ca = -1; *(uint8_t*)0x200039cb = -1; *(uint32_t*)0x20003b70 = 0x20003a00; *(uint8_t*)0x20003a00 = 0x40; *(uint8_t*)0x20003a01 = 0x19; *(uint32_t*)0x20003a02 = 2; memcpy((void*)0x20003a06, "{k", 2); *(uint32_t*)0x20003b74 = 0x20003a40; *(uint8_t*)0x20003a40 = 0x40; *(uint8_t*)0x20003a41 = 0x1a; *(uint32_t*)0x20003a42 = 2; *(uint16_t*)0x20003a46 = 0x40; *(uint32_t*)0x20003b78 = 0x20003a80; *(uint8_t*)0x20003a80 = 0x40; *(uint8_t*)0x20003a81 = 0x1c; *(uint32_t*)0x20003a82 = 1; *(uint8_t*)0x20003a86 = 0; *(uint32_t*)0x20003b7c = 0x20003ac0; *(uint8_t*)0x20003ac0 = 0x40; *(uint8_t*)0x20003ac1 = 0x1e; *(uint32_t*)0x20003ac2 = 1; *(uint8_t*)0x20003ac6 = 0xfe; 
*(uint32_t*)0x20003b80 = 0x20003b00; *(uint8_t*)0x20003b00 = 0x40; *(uint8_t*)0x20003b01 = 0x21; *(uint32_t*)0x20003b02 = 1; *(uint8_t*)0x20003b06 = 0xfa; syz_usb_control_io(r[16], 0x200036c0, 0x20003b40); break; case 37: *(uint8_t*)0x20003bc0 = 0x12; *(uint8_t*)0x20003bc1 = 1; *(uint16_t*)0x20003bc2 = 0x201; *(uint8_t*)0x20003bc4 = 0; *(uint8_t*)0x20003bc5 = 0; *(uint8_t*)0x20003bc6 = 0; *(uint8_t*)0x20003bc7 = 0x10; *(uint16_t*)0x20003bc8 = 0x46d; *(uint16_t*)0x20003bca = 0xc22d; *(uint16_t*)0x20003bcc = 0x40; *(uint8_t*)0x20003bce = 1; *(uint8_t*)0x20003bcf = 2; *(uint8_t*)0x20003bd0 = 3; *(uint8_t*)0x20003bd1 = 1; *(uint8_t*)0x20003bd2 = 9; *(uint8_t*)0x20003bd3 = 2; *(uint16_t*)0x20003bd4 = 0x2d; *(uint8_t*)0x20003bd6 = 1; *(uint8_t*)0x20003bd7 = 1; *(uint8_t*)0x20003bd8 = 0; *(uint8_t*)0x20003bd9 = 0x10; *(uint8_t*)0x20003bda = 2; *(uint8_t*)0x20003bdb = 9; *(uint8_t*)0x20003bdc = 4; *(uint8_t*)0x20003bdd = 0; *(uint8_t*)0x20003bde = 0x2f; *(uint8_t*)0x20003bdf = 2; *(uint8_t*)0x20003be0 = 3; *(uint8_t*)0x20003be1 = 1; *(uint8_t*)0x20003be2 = 1; *(uint8_t*)0x20003be3 = 0xfd; *(uint8_t*)0x20003be4 = 9; *(uint8_t*)0x20003be5 = 0x21; *(uint16_t*)0x20003be6 = 9; *(uint8_t*)0x20003be8 = 1; *(uint8_t*)0x20003be9 = 1; *(uint8_t*)0x20003bea = 0x22; *(uint16_t*)0x20003beb = 0x2ff; *(uint8_t*)0x20003bed = 9; *(uint8_t*)0x20003bee = 5; *(uint8_t*)0x20003bef = 0x81; *(uint8_t*)0x20003bf0 = 3; *(uint16_t*)0x20003bf1 = 0x10; *(uint8_t*)0x20003bf3 = 6; *(uint8_t*)0x20003bf4 = -1; *(uint8_t*)0x20003bf5 = 4; *(uint8_t*)0x20003bf6 = 9; *(uint8_t*)0x20003bf7 = 5; *(uint8_t*)0x20003bf8 = 2; *(uint8_t*)0x20003bf9 = 3; *(uint16_t*)0x20003bfa = 8; *(uint8_t*)0x20003bfc = 4; *(uint8_t*)0x20003bfd = 6; *(uint8_t*)0x20003bfe = 0x7f; *(uint32_t*)0x20003cc0 = 0xa; *(uint32_t*)0x20003cc4 = 0x20003c00; *(uint8_t*)0x20003c00 = 0xa; *(uint8_t*)0x20003c01 = 6; *(uint16_t*)0x20003c02 = 0x300; *(uint8_t*)0x20003c04 = 3; *(uint8_t*)0x20003c05 = 2; *(uint8_t*)0x20003c06 = 0xfa; 
*(uint8_t*)0x20003c07 = 8; *(uint8_t*)0x20003c08 = 0x74; *(uint8_t*)0x20003c09 = 0; *(uint32_t*)0x20003cc8 = 0x28; *(uint32_t*)0x20003ccc = 0x20003c40; *(uint8_t*)0x20003c40 = 5; *(uint8_t*)0x20003c41 = 0xf; *(uint16_t*)0x20003c42 = 0x28; *(uint8_t*)0x20003c44 = 2; *(uint8_t*)0x20003c45 = 3; *(uint8_t*)0x20003c46 = 0x10; *(uint8_t*)0x20003c47 = 0xb; *(uint8_t*)0x20003c48 = 0x20; *(uint8_t*)0x20003c49 = 0x10; *(uint8_t*)0x20003c4a = 0xa; *(uint8_t*)0x20003c4b = 3; STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 8, 5, 27); *(uint16_t*)0x20003c50 = 0xf00; *(uint16_t*)0x20003c52 = 0xf831; *(uint32_t*)0x20003c54 = 0xc0; *(uint32_t*)0x20003c58 = 0xc0a0; *(uint32_t*)0x20003c5c = 0xff000f; *(uint32_t*)0x20003c60 = 7; *(uint32_t*)0x20003c64 = 0xc0f0; *(uint32_t*)0x20003cd0 = 1; *(uint32_t*)0x20003cd4 = 4; *(uint32_t*)0x20003cd8 = 0x20003c80; *(uint8_t*)0x20003c80 = 4; *(uint8_t*)0x20003c81 = 3; *(uint16_t*)0x20003c82 = 0x436; res = -1; res = syz_usb_connect(4, 0x3f, 0x20003bc0, 0x20003cc0); if (res != -1) r[17] = res; break; case 38: syz_usb_disconnect(r[17]); break; case 39: syz_usb_ep_read(-1, 0x80, 0xc4, 0x20003d00); break; case 40: memcpy((void*)0x20003e00, "\x50\x74\xfa\x81\xf3\xf3\x73\xda\x27\x99\xca\xfb\x26\xb4\x49\x7c\xb3\xc8\x7b\xc0\xf8\x2f\xa7\x88\x54\x68\xbd\x41\x23\x20\x65\xaa\x95\x61\xd2\x4a\xe0\xf1\xd0\xe0\x36\xac\x71\x4a\xc5\xaf\x89\xc6\x9d\x88\x61\xca\xd7\x13\xfc\xb8\xba\xcb\x8c\x4b\x10\xdc\x3b\x6e\xc2\x04\x4c\x01\xf3\x71\xb1\x24\xc0\xa0\xf4\xba\xce\x7d\x51\x79\x87\x2c\xdd\x20\x5e\x09\xc3\xee\xb7\xd5\x57\x7b\x26\xe9\x8f\x84\x55\x4e\xd6", 99); syz_usb_ep_write(r[16], 0x7f, 0x63, 0x20003e00); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_leak(); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :248:33: error: 
‘__NR_io_uring_setup’ undeclared (first use in this function) :248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor870278107 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/4 (0.23s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:10 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$zero(0xffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x161000, 0x0) ioctl$SNAPSHOT_FREE(r0, 0x3305) syz_genetlink_get_family_id$l2tp(&(0x7f0000000040)='l2tp\x00') openat$dlm_control(0xffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x20000, 0x0) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f00000000c0)=0x17, 0x4) r1 = mmap$IORING_OFF_SQES(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x2000000, 0x1010, r0, 0x10000000) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, r1, &(0x7f00000003c0)=@IORING_OP_RECVMSG={0xa, 0x4, 0x0, r2, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=@x25={0x9, @remote}, 0x80, &(0x7f0000000240)=[{&(0x7f0000000180)=""/147, 0x93}], 0x1, &(0x7f0000000280)=""/202, 0xca}, 0x0, 0x0, 0x1, {0x3, r3}}, 0x10001) ioctl$KDSKBMETA(0xffffffffffffffff, 0x4b63, &(0x7f0000000440)=0x4) syz_emit_ethernet(0x56, &(0x7f0000000000)={@local, @remote, @void, {@canfd={0xd, {{0x3, 0x0, 0x1, 0x1}, 0x11, 0x2, 0x0, 0x0, 
"f4ebe40216fede5ef6c5310f0413c5d41b32fc23e07fd332a8a5c5f966821da091f47b7b9cf9228727ff7412c2e4a3a1573bb295482d7b4a3effd863cc60f5d8"}}}}, &(0x7f0000000080)={0x0, 0x4, [0xd2d, 0xc61, 0x6d3, 0xbe2]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x1, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x7f, 0x2}}}}, 0xf) syz_execute_func(&(0x7f0000000100)="c4c2cd45f18fe800edb85c2f009ee96436360f2811c4c3c90b6b0787c4c2f1a603f30fa6d0f36f650ffa0ec4c21d2f9f5aac384f3e65f3ab") syz_extract_tcp_res(&(0x7f0000000140), 0x2c, 0x9f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000180)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x3, 0xcc) r4 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3000001, 0x80000, 0xffffffffffffffff, 0x0) r5 = syz_io_uring_complete(r4) r6 = io_uring_setup(0x3a3b, &(0x7f00000001c0)={0x0, 0xd9fd, 0x20, 0x0, 0x308, 0x0, 0xffffffffffffffff}) r8 = syz_io_uring_setup(0x17a8, &(0x7f0000000240)={0x0, 0xb18d, 0x15b3e67cab3a8d6e, 0x2, 0x158, 0x0, r7}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f00000002c0), &(0x7f0000000300)) syz_io_uring_setup(0x6b11, &(0x7f0000000340)={0x0, 0x15f8, 0x20, 0x2, 0xd2}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f00000003c0)=0x0, &(0x7f0000000400)=0x0) r11 = socket$bt_rfcomm(0x1f, 0x3, 0x3) r12 = io_uring_register$IORING_REGISTER_PERSONALITY(r5, 0x9, 0x0, 0x0) syz_io_uring_submit(r4, r10, &(0x7f0000001700)=@IORING_OP_RECVMSG={0xa, 0x2, 0x0, r11, 0x0, &(0x7f00000016c0)={&(0x7f0000000440)=@nl=@proc, 0x80, &(0x7f00000015c0)=[{&(0x7f00000004c0)=""/44, 0x2c}, {&(0x7f0000000500)=""/4096, 0x1000}, {&(0x7f0000001500)=""/40, 0x28}, {&(0x7f0000001540)=""/74, 0x4a}], 0x4, &(0x7f0000001600)=""/185, 0xb9}, 0x0, 0x2000, 0x1, {0x3, r12}}, 0xad23946) r13 = fsmount(r5, 0x1, 0x84) ioctl$F2FS_IOC_MOVE_RANGE(r8, 0xc01cf509, &(0x7f0000001740)={r6, 0x3, 0x6, 0x1000}) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000017c0)=[{0x0, 
&(0x7f0000001780)="e7bed238547695a78957b574bacb6dbc567a3232e76559b4ea3931b608578a24da4c749795975b0ae51da8a86dde75b1d684", 0x32}], 0x1, 0x0, &(0x7f0000001800), 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r9, 0x114, &(0x7f0000001840), 0x0, 0x4) syz_mount_image$afs(&(0x7f0000001880)='afs\x00', &(0x7f00000018c0)='./file0\x00', 0x5, 0x1, &(0x7f0000002900)=[{&(0x7f0000001900)="", 0x1000, 0x9}], 0x20005, &(0x7f0000002940)={[{@flock_openafs='flock=openafs'}, {@dyn='dyn'}, {@autocell='autocell'}, {@dyn='dyn'}, {@flock_openafs='flock=openafs'}, {@source={'source', 0x3d, '&'}}, {@source={'source', 0x3d, 'SEG6\x00'}}], [{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@subj_user={'subj_user', 0x3d, 'SEG6\x00'}}, {@smackfstransmute={'smackfstransmute', 0x3d, ':'}}, {@seclabel='seclabel'}]}) syz_open_dev$I2C(&(0x7f0000002a00)='/dev/i2c-#\x00', 0xad8, 0x2a2000) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000002a40)=0x0) syz_open_procfs(r15, &(0x7f0000002a80)='net\x00') syz_open_pts(r13, 0x0) syz_read_part_table(0x1, 0x7, &(0x7f0000002e80)=[{&(0x7f0000002ac0)="7ad3cd802dd0c424945d99ca9ca6e4fbb8f8e3b980d2ec", 0x17, 0x1000}, {&(0x7f0000002b00)="329de80b2b17bbd25d1f1907a9263af3bf05c4a7061e28492a3f71c6343aa5aaea0327a3", 0x24, 0x5}, {&(0x7f0000002b40)="82791dfd311d07db7d65e803ce6ca00028af8ff8d276187e0e14bbf7beab60fc4b70722e91b6322b8e3472191a66176bb0ca91dee60f1506a6d48be4055230c30be94a1043a1d2a06d42166069d8033d6c524c8610b8c4bb63af0ce6d6207137f1be1b62b002e8c35e6467c2423cc6597d1ca58ee31589f0248ac762e24a286a41a761912d34bb56f07db88ca52fce8d128762394fa00faac8451a42c3144bdec7e97296c9eac7c9f63110a3d405c16b0428880024e8c9c8af490b8cfad84cbb637878d634cd84346b60c9132c09660cdc616a0b", 0xd4, 0x7fff}, {&(0x7f0000002c40)="904bbcee2b46daa1ac643b7b6b8ea0ff462feabee541b411a885e470a496cbbdc729ffdebc50807f719cbe808d8b598b4767c7a852d9ce0c880a9b078b0187deac926bd4687a44f092bb", 0x4a, 0x5}, 
{&(0x7f0000002cc0)="3531ae257e7e0877cde340c42edbfc91dcffaff1284ef08a451e4c76e0cd83b2c0ea10d86bcefa93bbaef5fffbfe7dc70b73b89c55fc3851110d1bd0d1da31753320b111fe7060537e8f65f3c2f05adcb3d66bd2abe6b08aaae0d0eedca9937707ec4cb4874cdfd05800812ab53f9550b25a28ee69e62a0f790fe5233fc8645fc3fe6cae055f2aa1729125170151e86eeab67bb20bc884a1214c2d3d969c34fb239b45feec93ac209721bae7271251c613cea9379c1521", 0xb7, 0x4}, {&(0x7f0000002d80)="c3f04f26929b7a4d6342841fa53a9a8cb8006a97f428", 0x16, 0x6}, {&(0x7f0000002dc0)="c9871275e3269ff1bdcd67fb523e1ceb5151b0ede9e032634e36d486046bc31cd978bda59247355316319e768e7ac6be0648bf0fecd13cdad45f713e0e3b74e95eec77063c02a233ea97d338f4b1e9bc5a7cce85528742632ed59cec016f3914dd02ca6b1dc833224895277350cf1f21d6c78f8592717e91233f9026927e0cc3d80cdc57714763a0fcb091f5c69051b55cd2e1fcc33b13d597c5caeeb271c542978a1e17", 0xa4, 0x9c}]) r16 = syz_usb_connect(0x4, 0x384, &(0x7f0000002f00)={{0x12, 0x1, 0x201, 0xa4, 0x61, 0x1e, 0x40, 0xacd, 0x300, 0xc0df, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x372, 0x2, 0x4, 0x1f, 0x0, 0x1, [{{0x9, 0x4, 0x5d, 0xb3, 0x1, 0xad, 0x49, 0x76, 0x20, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x80}]}], [{{0x9, 0x5, 0xd, 0x0, 0x230, 0x5d, 0x1, 0x3f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x2}, @generic={0xba, 0xe, "f4e6e5762883c34df04f356099f1d34bdbc9f5324da648053fd690211b897119c4f3ac197f2aa93f2f3be05f836b1644d5b2327648b30816ed192f943dfce225f69d77c51565e177fd889c9c9d8c85b92ee4bead0e889446bbc320a40fa24807f476bfd1f1b3096e3370f755c94aa01c3be4ddc7952a5694bcad4beb4065bf5ea96066c43e9507e6220c47bc0271adcbaffce6ac90cb3c8b1cf748c6bbf97108dfa2cac4b87d3420428434397e07f17a87ed6233b39e32f0"}]}}]}}, {{0x9, 0x4, 0x5d, 0x27, 0x7, 0x3f, 0x84, 0xfd, 0x3, [@uac_as={[@format_type_i_discrete={0x10, 0x24, 0x2, 0x1, 0xe2, 0x2, 0x63, 0x40, "e721cc44acca8938"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x1, 0x0, "9ef42f"}, @as_header={0x7, 0x24, 0x1, 0x4, 0x1, 0x4}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x19, 0x6, "9e", "6983"}]}, 
@uac_as], [{{0x9, 0x5, 0xf, 0x0, 0x3ff, 0xf6, 0x5, 0x80}}, {{0x9, 0x5, 0x1, 0x10, 0x10, 0x0, 0x40, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x20, 0x6}]}}, {{0x9, 0x5, 0xb, 0x8, 0x10, 0x1, 0x2}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x4, 0x8, 0xc0, [@generic={0xbb, 0x31, "215ce6ab8f3c72caa3ab1326f18838908ac60bffb3b50748144aa2cbc4d7cac56f4a7bb2bd6c969674a5e4040861bb21ba5ccf0f822c1032e7e3729f8c171fc7a89b5340b5067108d597f178aa651a98aca4d012fa555a695683b527e6031f1f7f20494b250e3a6cd8b4de9647e150049867097c47cc237c612cefe698332f1fe7f02e6f53e845b1f5e7b4b24ad8629b78ce7630e2d40120fbc3f49375a4a086dedd2a27f06b3ed3d756a819b97f759aa54aef83df4868a9e9"}]}}, {{0x9, 0x5, 0x3, 0x12, 0x3ff, 0x0, 0x1, 0xff, [@generic={0xad, 0x31, "0c921d3f980f4e53147a46bd5856da03081660fbed7b8b2d389be8a038e95c2958a477ed5faf9ef38c82c3abea254459edb0f2cf286235034087adb7907ff192640b936886bd48d3a51215406b3aa0b6d8f8d91d830f5236a9a8be03c2215f012131968c6a80860ae81193059468108efd4f1305379d0115c7ec667b0359940e5664bf7b3c4a5f04ca3c51db9d2cd417e9099bff628b8e1a8ed0f596149357a08abd1177eb977353eb8932"}, @generic={0x93, 0x11, "a8e22d542ae3d831f337211bb5be12a5c46e5cf9b556d84d5af4caca8742ad216140562b7e5421e2642471e8f50eb8aef06212b46c644ae58463e18b3e72bd3eca6060fa8b94031796e55eb41d3f318affbf081eeb1708851e72fadd887e0330134319f0a5967eda657bc1101f74deba42e78aff20fb5d3c1fe49d9a054657b6f1af3d015fc16ff80873f326690843df81"}]}}, {{0x9, 0x5, 0xf, 0x4, 0x200, 0x0, 0x1f, 0x1, [@generic={0x11, 0x6, "824b7d0957bc552d224fdf6bff63a8"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x6}]}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x1f, 0xfd, 0x3}}]}}]}}]}}, &(0x7f0000003400)={0xa, &(0x7f00000032c0)={0xa, 0x6, 0x110, 0x4d, 0x80, 0x80, 0x20, 0xc1}, 0x46, &(0x7f0000003300)={0x5, 0xf, 0x46, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x35, 0x0, 0xdf, 0x9, 0xf7}, @ext_cap={0x7, 0x10, 0x2, 0xe, 0xb, 0x6, 0x9}, @ssp_cap={0x18, 0x10, 0xa, 0x1, 0x3, 0x7fffffe, 0xff0f, 0x101, [0xffc0a0, 0x0, 0xffff0f]}, @ssp_cap={0x10, 0x10, 0xa, 0x3, 0x1, 0x200, 0xff00, 0x1, [0x0]}, @ext_cap={0x7, 
0x10, 0x2, 0x16, 0x8, 0xe, 0x7}]}, 0x2, [{0x4, &(0x7f0000003380)=@lang_id={0x4, 0x3, 0x380a}}, {0x4, &(0x7f00000033c0)=@lang_id={0x4, 0x3, 0x42f}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000003440)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r16, &(0x7f00000036c0)={0x18, &(0x7f00000034c0)={0x20, 0x8, 0xd4, {0xd4, 0x31, "dd9fe1d6f8ee76d6289246b5277cc19f3c4621add821a7f3d1aae994dbf4b1bd89e8770734768ade97e51d248f53cd530b31119aaccf53b6f6eddf4b8bfe6a1a859c3dc286f8335c9d15e5d5169b244155391062ff885d40be3707b6d1ea252a96d97ab24fb675f54557cfa24d805b0795708af5065d4b6662dfd54dd59cfce1673ab356a254f6b5bce44c619a17ffce8ebb96e083c082450062bd71a206ca921e0b77f517c1619586b3bca3e2490821016cc76caf96c0ec9068b45e2334ed9a6ff06a6343ae01f0aef6127ebaf5b52d69e3"}}, &(0x7f00000035c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40e}}, &(0x7f0000003600)={0x0, 0xf, 0x28, {0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @generic={0x20, 0x10, 0xa, "195fa2f324c0be96da3db26afa5677530ac0faf4c682be7c15e9a58666"}]}}, &(0x7f0000003640)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x1, 0x0, 0x9, "057c417e", "8da436c4"}}, &(0x7f0000003680)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x20, 0x10, 0x80, 0x40, 0x1f, 0x0, 0x5}}}, &(0x7f0000003b40)={0x44, &(0x7f0000003700)={0x60, 0x8, 0x54, "85f988045278f97532a667cbee9b821d6554fb1c6d18dffb785196d90727e1b4615c86ee049a1696b1668f000e62d539e081cf07e360171ce61ca2f95644b9ad8e9211a1b19c4399bdfd6d533bf8955242725bb4"}, &(0x7f0000003780)={0x0, 0xa, 0x1, 0x1}, &(0x7f00000037c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000003800)={0x20, 0x0, 0x4, {0x2}}, &(0x7f0000003840)={0x20, 0x0, 0x8, {0x200, 0x40, [0xff]}}, &(0x7f0000003880)={0x40, 0x7, 0x2, 0x1}, &(0x7f00000038c0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000003900)={0x40, 0xb, 0x2, "8eaf"}, &(0x7f0000003940)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000003980)={0x40, 0x13, 0x6, @dev={[], 0x38}}, &(0x7f00000039c0)={0x40, 0x17, 0x6, @broadcast}, &(0x7f0000003a00)={0x40, 0x19, 0x2, '{k'}, 
&(0x7f0000003a40)={0x40, 0x1a, 0x2, 0x40}, &(0x7f0000003a80)={0x40, 0x1c, 0x1}, &(0x7f0000003ac0)={0x40, 0x1e, 0x1, 0xfe}, &(0x7f0000003b00)={0x40, 0x21, 0x1, 0xfa}}) r17 = syz_usb_connect$hid(0x4, 0x3f, &(0x7f0000003bc0)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x46d, 0xc22d, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x10, 0x2, [{{0x9, 0x4, 0x0, 0x2f, 0x2, 0x3, 0x1, 0x1, 0xfd, {0x9, 0x21, 0x9, 0x1, 0x1, {0x22, 0x2ff}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0x6, 0xff, 0x4}}, [{{0x9, 0x5, 0x2, 0x3, 0x8, 0x4, 0x6, 0x7f}}]}}}]}}]}}, &(0x7f0000003cc0)={0xa, &(0x7f0000003c00)={0xa, 0x6, 0x300, 0x3, 0x2, 0xfa, 0x8, 0x74}, 0x28, &(0x7f0000003c40)={0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x3, 0x5, 0x8, 0xf00, 0xf831, [0xc0, 0xc0a0, 0xff000f, 0x7, 0xc0f0]}]}, 0x1, [{0x4, &(0x7f0000003c80)=@lang_id={0x4, 0x3, 0x436}}]}) syz_usb_disconnect(r17) syz_usb_ep_read(0xffffffffffffffff, 0x80, 0xc4, &(0x7f0000003d00)=""/196) syz_usb_ep_write(r16, 0x7f, 0x63, &(0x7f0000003e00)="5074fa81f3f373da2799cafb26b4497cb3c87bc0f82fa7885468bd41232065aa9561d24ae0f1d0e036ac714ac5af89c69d8861cad713fcb8bacb8c4b10dc3b6ec2044c01f371b124c0a0f4bace7d5179872cdd205e09c3eeb7d5577b26e98f84554ed6") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = 
"./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t 
bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += 
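desc_length;
	}

	return true;
}

// Reserves the next slot of usb_devices[], parses the descriptor blob into it and
// then publishes fd for that slot. Returns NULL when all USB_MAX_FDS slots are
// taken or when parse_usb_descriptor() rejects the blob.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;

	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;

	// The fd is stored last, with release ordering; lookup_usb_index() loads it
	// with acquire ordering before handing out the index.
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Returns the index of the slot whose published fd equals fd, or NULL when none
// of the USB_MAX_FDS slots matches.
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// Picks the reply for an IN control request received while the device is being
// connected. Only standard GET_DESCRIPTOR requests are answered.
//
//   fd               raw-gadget fd used to find the parsed descriptor index
//   descs            optional extra descriptors supplied by the program; may be
//                    NULL (syz_usb_connect_ath9k is called with 0 here)
//   ctrl             the control request being answered
//   response_data    out: pointer to the reply bytes
//   response_length  out: number of reply bytes
//
// Returns true when a reply was selected, false when the caller should stall ep0.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       char** response_data, uint32_t* response_length)
{
	// Storage for a synthesized DEVICE_QUALIFIER reply. The descriptor has to live
	// somewhere other than *response_data itself: that slot is only pointer-sized,
	// so building the descriptor in it would overwrite the caller's stack and leave
	// the caller with a bogus pointer. Thread-local because the generated program
	// may run calls on several threads; the caller copies the bytes out right
	// after this function returns.
	static __thread struct usb_qualifier_descriptor default_qual;

	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// Without program-supplied descriptors there is no BOS to
				// return; fall out so the caller stalls instead of
				// dereferencing a NULL descs.
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// No qualifier supplied: derive one from the device
					// descriptor.
					struct usb_qualifier_descriptor* qual = &default_qual;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}

	return false;
}

// Callback type used by syz_usb_connect_impl() to decide how OUT control requests
// are handled during connect; *done is set once the connect sequence is finished.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts only the standard SET_CONFIGURATION request and
// marks the connect sequence as done when it arrives.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}

	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: SET_CONFIGURATION and the vendor firmware-download request
// are accepted without ending the sequence; the download-complete vendor request
// sets *done.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return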
true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return 
true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int 
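usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

// The usb_raw_* helpers below are one-line wrappers: each issues a single
// USB_RAW_IOCTL_* request on fd and returns the ioctl() result unchanged.

static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces[] of the interface with the given
// number and alternate setting, or -1 when fd is unknown or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;

	if (!index)
		return -1;

	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the raw-gadget handle of the endpoint with address bEndpointAddress on
// the currently selected interface, or -1 when fd is unknown, no interface is
// selected, or the interface has no endpoint with that address.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	struct usb_iface_index* iface;
	int ep;

	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	iface = &index->ifaces[index->iface_cur];
	// The scan has to be bounded by eps_num. A condition that only tests eps_num
	// for non-zero never ends on a miss, so a lookup for an address that is not
	// present would read past eps[USB_MAX_EP_NUM] and beyond the index.
	for (ep = 0; ep < iface->eps_num; ep++)
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	return -1;
}

// Switches the device behind fd to interface slot n: disables the endpoints of
// the currently selected interface (if any), enables those of slot n and records
// the handles returned by the enable ioctl. Failures of the individual ioctls are
// ignored; an endpoint whose enable failed keeps its previous handle value.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;

	if (!index)
		return;

	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			// Best effort: the result is deliberately not acted upon.
			(void)usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

// Applies the device's bMaxPower via VBUS_DRAW, issues CONFIGURE and selects
// interface slot 0. Returns 0 on success, -1 for an unknown fd, or the failing
// ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);

	if (!index)
		return -1;

	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev,
					  const struct vusb_connect_descriptors* descs,
					  lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}

	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}

	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}

	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}

	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}

	bool done =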
false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = 
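a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// Fetches one event from the raw-gadget fd and, if it is a control request,
// answers it.
//
//   a0  raw-gadget fd
//   a1  struct vusb_descriptors* consulted for GET_DESCRIPTOR replies (may be NULL)
//   a2  struct vusb_responses* consulted for every other IN request (may be NULL)
//
// IN requests with a non-zero wLength get the reply chosen by
// lookup_control_response(); ep0 is stalled and -1 returned when none is found.
// Every other request is completed with an ep0 read. Returns 0 on success, -1 for
// a non-control event, or the failing ioctl's result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;

	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}

	char* response_data = NULL;
	uint32_t response_length = 0;

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// wIndex/wValue carry interface number and alternate setting only for
		// the standard SET_INTERFACE request, so both conditions must hold.
		// Joining them with "||" would reinterpret the fields of every other
		// standard request, and of any request that merely shares the request
		// code, as an interface selection.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index >= 0)
				set_interface(fd, iface_index);
		}
		response_length = event.ctrl.wLength;
	}

	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Clamp before copying: a reply longer than the buffer is dropped to zero
	// bytes, and a reply never exceeds what the host asked for.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		// Zero-length IN request: it is completed with an ep0 read below, and
		// the read is given the whole buffer.
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}

	sleep_ms(200);

	return 0;
}

// Writes up to USB_MAX_PACKET_SIZE bytes from a3 to the endpoint with address a1
// on the current interface of fd a0; a2 is the requested length and is clamped to
// the buffer size. Returns 0 on success, -1 when the endpoint is not found, or
// the failing ioctl's result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);

	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}

	sleep_ms(200);

	return 0;
}

// Reads from the endpoint with address a1 on the current interface of fd a0 into
// the buffer at a3; a2 is the requested length and is clamped to
// USB_MAX_PACKET_SIZE. Returns 0 on success, -1 when the endpoint is not found,
// or the failing ioctl's result.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;

	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}

	// NOTE(review): this copies the requested length, not the ioctl's return
	// value; if fewer bytes arrived, the tail comes from the uninitialized part
	// of io_data.data. Confirm whether rv should bound the copy.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);

	sleep_ms(200);

	return 0;
}

// Closes the raw-gadget fd a0 and returns the close() result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;

	int rv = close(fd);

	sleep_ms(200);

	return rv;
}

static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ?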
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, 
NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	// The reply overwrites the request in buf; n is the number of valid bytes.
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	// NOTE(review): nla_len is read from the received message and used unchecked as the
	// step. An attribute with nla_len == 0 never advances the pointer, so the loop would
	// not terminate. Only the start of the attribute is compared with buf + n, so the
	// header and the 16-bit payload read can extend past the received bytes (they stay
	// inside buf only while attr remains below buf + sizeof(buf) - header - 2).
	// A check such as `attr->nla_len >= sizeof(*attr)` plus an end-of-attribute bound
	// would close both gaps.
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

// One piece of a filesystem image: `size` bytes at `data`, placed at byte `offset`
// of the image file.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

// Upper bounds applied to segment descriptions supplied by the program.
#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)

// Raw syscall number used for memfd_create. 356 is the i386 number, which matches the
// linux/386 target named in the test log.
#define sys_memfd_create 356

// Sanitise an image description in place and return the image size to allocate.
//   size:     requested image size
//   nsegs:    number of entries at `segments`
//   segments: address of an array of struct fs_image_segment (modified in place)
// Each checked segment ends up with size <= IMAGE_MAX_SIZE and
// offset + size <= IMAGE_MAX_SIZE. The result is at most IMAGE_MAX_SIZE.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;

	// nsegs is a by-value parameter: this clamp limits only the loop below.
	// The caller's own count is unchanged.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		// size <= IMAGE_MAX_SIZE here, so the subtraction cannot wrap.
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// NOTE(review): this grows `size` to offset + offset. The end of the segment is
		// offset + size, so the second operand looks like a typo for segs[i].size.
		// Confirm and fix at the source of this generated code.
		if (size < segs[i].offset + segs[i].offset)
			size = segs[i].offset + segs[i].offset;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Build a disk image from the given segments in a memfd, attach it to /dev/loop<procid>
// with partition scanning enabled, and symlink the partition nodes that appear into the
// current directory. Returns 0 on success, -1 on failure with errno set.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;

	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): this loop uses the caller's nsegs, which fs_image_segment_check did
	// not clamp. Segments past IMAGE_MAX_SEGMENTS are written with unsanitised size and
	// offset. pwrite failures are ignored.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if 
(loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	// Attach the image to the loop device. If the device is busy, detach whatever is
	// attached, wait briefly and retry once.
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	// Turn on partition scanning for the attached image.
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// Link each partition node that exists (p1..p7) as ./file0, ./file1, ... in order.
	// symlink failures are ignored.
	for (i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}
	// The success path falls through these labels too: the loop device is detached and
	// both descriptors are closed on every path that opened them.
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Build a filesystem image from the given segments in a memfd, attach it to
// /dev/loop<procid> and mount it.
//   fsarg:   filesystem type string        dir:     mount point (created if missing)
//   size/nsegs/segments: image description  flags:   mount flags
//   optsarg: mount option string
// Returns 0 on success, -1 on failure with errno set.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	char loopname[64], fs[32], opts[256];
	int loopfd, err = 0, res = -1;
	unsigned long i;

	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): the loop bound is this function's own nsegs, not a clamped value
	// returned by the check above. Verify that every segment written here was sanitised.
	// pwrite failures are ignored.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	// Attach the image. On EBUSY detach the previous backing file and retry once.
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
}
	}
	// The mkdir result is ignored; the directory may already exist.
	mkdir((char*)dir, 0777);
	// Both strings are copied into zero-filled buffers with a bound below the buffer
	// size, so they are always terminated. opts keeps 32 spare bytes for the option
	// appended below.
	memset(fs, 0, sizeof(fs));
	strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
	memset(opts, 0, sizeof(opts));
	strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Append errors=continue when the options request errors=panic or do not mention
		// errors=remount-ro. Presumably the later option overrides an earlier
		// errors=panic; confirm against the filesystem's option parsing.
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	if (mount(loopname, (char*)dir, fs, flags, opts)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// The success path also runs the cleanup below.
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Stub: in this build the KVM setup helper does nothing and reports success.
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

// Mount the FUSE control filesystem; failure is ignored. kill_and_wait reads this
// directory to abort FUSE connections.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Containment applied to the test process before any program call runs: die with the
// parent, own session and process group, resource limits, fresh namespaces and fixed
// SysV IPC sysctls.
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();

	// Keep the current network namespace reachable at the fixed descriptor
	// kInitNetNsFd. syz_init_net_socket switches to it with setns().
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);

	// Limits: 200 MiB address space, 32 MiB locked memory, 136 MiB file size,
	// 1 MiB stack, no core dumps, 256 open files.
	// NOTE(review): setrlimit return values are not checked, so a limit that fails to
	// apply goes unnoticed.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);

	// Each unshare is best-effort: on failure the process keeps running in the shared
	// namespace. 0x02000000 is the value of CLONE_NEWCGROUP.
	if (unshare(CLONE_NEWNS)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}

	// SysV shared memory, message queue and semaphore limits written after the unshares.
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Block until child `pid` has been reaped and return its exit status.
// A negative pid (failed fork) terminates the process.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and inheritable
// sets of the current process. All other capabilities are left as they were.
// Exits if the capability sets cannot be read or written.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	// Only cap_data[0] is modified; the mask is built with plain int shifts.
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// "none" sandbox: fork a child that applies the common setup, drops two capabilities,
// tries to enter a new network namespace and runs the test loop. The parent waits for
// the child and returns its exit status. No user or privilege switch happens here, so
// the isolation consists of the namespaces and limits set in sandbox_common only.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	// Best-effort: if this fails the tests run in the current network namespace.
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively delete `dir` and everything in it. Exits the process on errors it cannot
// work around.
static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	int iter = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		// lstat does not follow symlinks, so a symlink to a directory is unlinked as a
		// file below and not descended into.
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Clear the inode flags (written as 0) and try the unlink again.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != 
EBUSY || i > 100)
				exit(1);
		}
	}
	closedir(dp);
	int i;
	for (i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		// Up to 100 attempts get a chance to recover; after that any failure exits.
		if (i < 100) {
			if (errno == EPERM) {
				// Clear the inode flags on the directory (written as 0), then retry.
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				continue;
			}
			// New entries appeared after the scan: rescan the directory, at most 100 times.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Kill the test process and its process group and reap it; the wait status is stored
// through `status`.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	// Poll for about 100 ms before taking the heavier path below.
	int i;
	for (i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	// The child has not exited yet: write one byte to the `abort` file of every FUSE
	// connection, presumably so a request stuck in FUSE cannot keep the killed process
	// from exiting.
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	// Blocking wait with no timeout.
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detach whatever is attached to /dev/loop<procid>, if the device can be opened.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test setup in the forked child: die with the parent, own process group, and an
// oom_score_adj of 1000 so this process is the preferred victim of the OOM killer.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// Call the bytes at address `text` as a function taking no arguments.
// SECURITY: this runs program-supplied bytes as native code inside the test process.
// The only containment is the one set up around the process (the sandbox, limits and
// timeout handling in this file), so run this program only in a disposable VM.
// The purpose of the unused volatile array `p` is not visible in this excerpt.
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}

// One worker thread: `call` is the index to execute, `ready` and `done` are the
// hand-off events between execute_one and thr.
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently handed to workers and not yet finished.
static int running;

// Worker body: wait for a call index, run it, mark it done; repeats forever.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Run the calls of the program in order, each on the first idle worker thread.
static void execute_one(void)
{
	int i, call, 
thread;
	for (call = 0; call < 41; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			// Workers are started lazily and begin in the "done" (idle) state.
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			// A worker still busy with an earlier call is skipped.
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Wait at most 45 ms for the call, with a longer allowance for selected call
			// indices. A call that has not finished by then keeps running on its worker
			// while the next call is dispatched.
			event_timedwait(&th->done, 45 + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0));
			break;
		}
	}
	// Give calls still in flight up to about 100 ms to finish.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Run the program 10 times, each in a fresh child process with its own working
// directory ./<iter>. A child still alive after 5 seconds is killed. The directory is
// removed after every iteration.
static void loop(void)
{
	int iter;
	for (iter = 0; iter < 10; iter++) {
		// iter is below 10, so "./<iter>" always fits in cwdbuf.
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			// Timeout reached: force the child down and reap it.
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers for headers that do not define them. The values match the
// linux/386 target named in the test log.
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
// Every mmap call in this program is issued as mmap2.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots shared between calls: a call stores a returned value here and later
// calls read it. The initialisers are the values used when the producing call fails.
uint64_t r[18] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 
0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/zero\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x161000, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, (intptr_t)r[0], 0x3305, 0); break; case 2: memcpy((void*)0x20000040, "l2tp\000", 5); syz_genetlink_get_family_id(0x20000040); break; case 3: memcpy((void*)0x20000080, "/dev/dlm-control\000", 17); syscall(__NR_openat, 0xffffff9c, 0x20000080, 0x20000, 0); break; case 4: *(uint32_t*)0x200000c0 = 0x17; syscall(__NR_setsockopt, (intptr_t)r[0], 0x10e, 2, 0x200000c0, 4); break; case 5: res = syscall(__NR_mmap, 0x20ffa000, 0x4000, 0x2000000, 0x1010, (intptr_t)r[0], 0x10000000); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_socket, 0x23, 5, 2); if (res != -1) r[2] = res; break; case 7: res = syscall(__NR_io_uring_register, -1, 9, 0, 0); if (res != -1) r[3] = res; break; case 8: *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0; *(uint32_t*)0x200003c4 = r[2]; *(uint64_t*)0x200003c8 = 0; *(uint32_t*)0x200003d0 = 0x20000380; *(uint32_t*)0x20000380 = 0x20000100; *(uint32_t*)0x20000384 = 0x80; *(uint32_t*)0x20000388 = 0x20000240; *(uint32_t*)0x20000240 = 0x20000180; *(uint32_t*)0x20000244 = 0x93; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x20000280; *(uint32_t*)0x20000394 = 0xca; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x200003d4 = 0; *(uint32_t*)0x200003d8 = 0; *(uint64_t*)0x200003dc = 1; *(uint16_t*)0x200003e4 = 3; *(uint16_t*)0x200003e6 = r[3]; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; 
*(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; syz_io_uring_submit(0, r[1], 0x200003c0, 0x10001); break; case 9: *(uint32_t*)0x20000440 = 4; syscall(__NR_ioctl, -1, 0x4b63, 0x20000440); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0xaa; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 3, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 31, 1); *(uint8_t*)0x20000012 = 0x11; *(uint8_t*)0x20000013 = 2; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; memcpy((void*)0x20000016, "\xf4\xeb\xe4\x02\x16\xfe\xde\x5e\xf6\xc5\x31\x0f\x04\x13\xc5\xd4\x1b\x32\xfc\x23\xe0\x7f\xd3\x32\xa8\xa5\xc5\xf9\x66\x82\x1d\xa0\x91\xf4\x7b\x7b\x9c\xf9\x22\x87\x27\xff\x74\x12\xc2\xe4\xa3\xa1\x57\x3b\xb2\x95\x48\x2d\x7b\x4a\x3e\xff\xd8\x63\xcc\x60\xf5\xd8", 64); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0xd2d; *(uint32_t*)0x2000008c = 0xc61; *(uint32_t*)0x20000090 = 0x6d3; *(uint32_t*)0x20000094 = 0xbe2; break; case 11: *(uint8_t*)0x200000c0 = 2; STORE_BY_BITMASK(uint16_t, , 0x200000c1, 0xc9, 0, 12); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 3, 4, 2); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 1, 6, 2); *(uint16_t*)0x200000c3 = 0xa; *(uint16_t*)0x200000c5 = 6; *(uint16_t*)0x200000c7 = 5; *(uint8_t*)0x200000c9 = 0x13; *(uint8_t*)0x200000ca = 0x7f; *(uint16_t*)0x200000cb = 2; 
*(uint16_t*)0x200000cd = 0; break; case 12: memcpy((void*)0x20000100, "\xc4\xc2\xcd\x45\xf1\x8f\xe8\x00\xed\xb8\x5c\x2f\x00\x9e\xe9\x64\x36\x36\x0f\x28\x11\xc4\xc3\xc9\x0b\x6b\x07\x87\xc4\xc2\xf1\xa6\x03\xf3\x0f\xa6\xd0\xf3\x6f\x65\x0f\xfa\x0e\xc4\xc2\x1d\x2f\x9f\x5a\xac\x38\x4f\x3e\x65\xf3\xab", 56); syz_execute_func(0x20000100); break; case 13: break; case 14: memcpy((void*)0x20000180, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000180); break; case 15: syz_init_net_socket(3, 3, 0xcc); break; case 16: res = syscall(__NR_mmap, 0x20ffd000, 0x2000, 0x3000001, 0x80000, -1, 0); if (res != -1) r[4] = res; break; case 17: res = -1; res = syz_io_uring_complete(r[4]); if (res != -1) r[5] = res; break; case 18: *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0xd9fd; *(uint32_t*)0x200001c8 = 0x20; *(uint32_t*)0x200001cc = 0; *(uint32_t*)0x200001d0 = 0x308; *(uint32_t*)0x200001d4 = 0; *(uint32_t*)0x200001d8 = -1; *(uint32_t*)0x200001dc = 0; *(uint32_t*)0x200001e0 = 0; *(uint32_t*)0x200001e4 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint32_t*)0x200001f8 = 0; *(uint32_t*)0x200001fc = 0; *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; res = syscall(__NR_io_uring_setup, 0x3a3b, 0x200001c0); if (res != -1) { r[6] = res; r[7] = *(uint32_t*)0x200001d8; } break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xb18d; *(uint32_t*)0x20000248 = 0xab3a8d6e; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000250 = 0x158; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = r[7]; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 
= 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = -1; res = syz_io_uring_setup(0x17a8, 0x20000240, 0x20ffb000, 0x20ffd000, 0x200002c0, 0x20000300); if (res != -1) r[8] = res; break; case 20: *(uint32_t*)0x20000340 = 0; *(uint32_t*)0x20000344 = 0x15f8; *(uint32_t*)0x20000348 = 0x20; *(uint32_t*)0x2000034c = 2; *(uint32_t*)0x20000350 = 0xd2; *(uint32_t*)0x20000354 = 0; *(uint32_t*)0x20000358 = -1; *(uint32_t*)0x2000035c = 0; *(uint32_t*)0x20000360 = 0; *(uint32_t*)0x20000364 = 0; *(uint32_t*)0x20000368 = 0; *(uint32_t*)0x2000036c = 0; *(uint32_t*)0x20000370 = 0; *(uint32_t*)0x20000374 = 0; *(uint32_t*)0x20000378 = 0; *(uint32_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = 0; *(uint32_t*)0x2000038c = 0; *(uint32_t*)0x20000390 = 0; *(uint32_t*)0x20000394 = 0; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x2000039c = 0; *(uint32_t*)0x200003a0 = 0; *(uint32_t*)0x200003a4 = 0; *(uint32_t*)0x200003a8 = 0; *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = 0; *(uint32_t*)0x200003b4 = 0; res = -1; res = syz_io_uring_setup(0x6b11, 0x20000340, 0x20ffb000, 0x20ffb000, 0x200003c0, 0x20000400); if (res != -1) { r[9] = *(uint64_t*)0x200003c0; r[10] = *(uint64_t*)0x20000400; } break; case 21: res = syscall(__NR_socket, 0x1f, 3, 3); if (res != -1) r[11] = res; break; case 22: res = syscall(__NR_io_uring_register, (intptr_t)r[5], 9, 0, 0); if (res != -1) r[12] = res; break; case 23: *(uint8_t*)0x20001700 = 0xa; 
*(uint8_t*)0x20001701 = 2; *(uint16_t*)0x20001702 = 0; *(uint32_t*)0x20001704 = r[11]; *(uint64_t*)0x20001708 = 0; *(uint32_t*)0x20001710 = 0x200016c0; *(uint32_t*)0x200016c0 = 0x20000440; *(uint32_t*)0x200016c4 = 0x80; *(uint32_t*)0x200016c8 = 0x200015c0; *(uint32_t*)0x200015c0 = 0x200004c0; *(uint32_t*)0x200015c4 = 0x2c; *(uint32_t*)0x200015c8 = 0x20000500; *(uint32_t*)0x200015cc = 0x1000; *(uint32_t*)0x200015d0 = 0x20001500; *(uint32_t*)0x200015d4 = 0x28; *(uint32_t*)0x200015d8 = 0x20001540; *(uint32_t*)0x200015dc = 0x4a; *(uint32_t*)0x200016cc = 4; *(uint32_t*)0x200016d0 = 0x20001600; *(uint32_t*)0x200016d4 = 0xb9; *(uint32_t*)0x200016d8 = 0; *(uint32_t*)0x20001714 = 0; *(uint32_t*)0x20001718 = 0x2000; *(uint64_t*)0x2000171c = 1; *(uint16_t*)0x20001724 = 3; *(uint16_t*)0x20001726 = r[12]; *(uint8_t*)0x20001728 = 0; *(uint8_t*)0x20001729 = 0; *(uint8_t*)0x2000172a = 0; *(uint8_t*)0x2000172b = 0; *(uint8_t*)0x2000172c = 0; *(uint8_t*)0x2000172d = 0; *(uint8_t*)0x2000172e = 0; *(uint8_t*)0x2000172f = 0; *(uint8_t*)0x20001730 = 0; *(uint8_t*)0x20001731 = 0; *(uint8_t*)0x20001732 = 0; *(uint8_t*)0x20001733 = 0; *(uint8_t*)0x20001734 = 0; *(uint8_t*)0x20001735 = 0; *(uint8_t*)0x20001736 = 0; *(uint8_t*)0x20001737 = 0; *(uint8_t*)0x20001738 = 0; *(uint8_t*)0x20001739 = 0; *(uint8_t*)0x2000173a = 0; *(uint8_t*)0x2000173b = 0; syz_io_uring_submit(r[4], r[10], 0x20001700, 0xad23946); break; case 24: res = syscall(__NR_fsmount, (intptr_t)r[5], 1, 0x84); if (res != -1) r[13] = res; break; case 25: *(uint32_t*)0x20001740 = r[6]; *(uint64_t*)0x20001744 = 3; *(uint64_t*)0x2000174c = 6; *(uint64_t*)0x20001754 = 0x1000; res = syscall(__NR_ioctl, (intptr_t)r[8], 0xc01cf509, 0x20001740); if (res != -1) r[14] = *(uint32_t*)0x20001740; break; case 26: *(uint32_t*)0x200017c0 = 0; *(uint32_t*)0x200017c4 = 0x20001780; memcpy((void*)0x20001780, 
"\xe7\xbe\xd2\x38\x54\x76\x95\xa7\x89\x57\xb5\x74\xba\xcb\x6d\xbc\x56\x7a\x32\x32\xe7\x65\x59\xb4\xea\x39\x31\xb6\x08\x57\x8a\x24\xda\x4c\x74\x97\x95\x97\x5b\x0a\xe5\x1d\xa8\xa8\x6d\xde\x75\xb1\xd6\x84", 50); *(uint32_t*)0x200017c8 = 0x32; *(uint64_t*)0x20001800 = 1; *(uint64_t*)0x20001808 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x200017c0, 1, 0, 0x20001800, 1); break; case 27: *(uint32_t*)0x20001840 = 0; syz_memcpy_off(r[9], 0x114, 0x20001840, 0, 4); break; case 28: memcpy((void*)0x20001880, "afs\000", 4); memcpy((void*)0x200018c0, "./file0\000", 8); *(uint32_t*)0x20002900 = 0x20001900; memcpy((void*)0x20001900, "\xf1\xfd\x85\xc4\x6a\x07\x34\x5a\x88\x13\x28\x7b\x13\xf2\x1a\x08\x40\x90\x39\x26\xae\xf8\xfa\x2c\xb5\xf6\xe0\x10\xd1\x4f\x70\x30\x37\x67\x97\x11\x5f\xff\x5a\x94\x80\x41\x34\x8d\x82\x7d\xbd\x67\x8e\x20\x92\x8d\xc4\xb2\x24\xe0\xec\x33\xe5\x0b\xf6\x99\xf1\xed\x1e\x39\xdf\x43\xd8\x99\xeb\x1a\x37\xc8\xd1\x16\x31\xe7\xb7\x75\xfc\x82\x61\x19\x01\xef\x7d\xb3\x71\x4e\x0e\xf5\x9b\x98\xd9\xd7\xd9\x11\x4b\xa1\xba\x76\xa7\x2e\xdc\x93\x80\x33\x59\xb9\x99\x4b\x50\x4f\x9e\x77\x90\x37\x5f\xa5\x0f\xce\xab\x9c\x0f\x21\x03\x85\x72\x2f\x2a\x05\x4c\x09\xfe\xcf\x4a\x04\xcc\xfa\xca\xac\x9d\x40\xbe\xbb\x2e\x2b\xcc\x94\x8d\x32\x72\x63\xb0\xfa\x73\x5b\x75\x3f\xa3\x67\xf5\x53\x13\xbd\x6d\xf7\x47\x6a\x99\x61\xbe\xf3\xe5\x80\x6a\xe5\x3b\xf7\x23\x34\x74\xb6\x37\x26\x6e\x9f\xd6\x94\xfb\x30\xa5\x03\xfb\xa0\x53\xc4\x65\x62\x93\x6b\xb3\xb8\xfd\xd3\x8d\xa2\x3e\x72\x25\x86\x8f\x8c\xf1\xe7\xd2\x7c\xac\xb6\x90\x75\x65\x7b\x3c\xa8\x0f\x8b\xe0\xb8\xe0\x43\xdb\x62\x0f\x08\x72\x23\x1b\x8a\x31\x08\xc4\xa1\x0b\x8b\x72\x3b\x64\x6b\x3c\x6d\x5f\x37\x05\x58\x64\x09\x24\xa9\x3b\xa2\x5d\xb1\x74\x6c\xf2\xea\x14\x1b\x03\x85\xac\x0c\xf9\xe7\xac\xc8\xfd\xdd\x8e\xe3\x2f\xb9\x88\x49\x1e\x45\x45\x64\xeb\x14\x2e\xc8\x40\x24\x38\xdd\xb1\xd0\xbe\xd6\xd2\x85\xa2\xa4\x08\xa9\xed\xc5\x27\x76\xe3\xae\x70\x21\xc1\x09\x43\xee\xf0\xaf\x02\x70\x37\x22\x13\x62\x7d\xd4\x25\x3d\x95\xa3\x6a\xcd\x29\xf8\x09\x5c\x64\x28\
xf1\xc4\x6c\x3e\xb2\x12\x27\xd0\x46\x06\xb5\xc9\x22\x54\xe9\xce\x3e\x22\x0a\x8b\x8a\x28\x1c\x8d\x8e\x9c\x83\x07\x9e\xa1\xdf\x4a\x90\xdb\x9f\x08\xa5\x8c\x80\x3d\x8e\xc2\xbf\xcc\x99\xf1\xac\xd5\xf0\x62\x50\x43\xeb\x4a\x83\x17\x9e\x2d\x37\xc0\x76\x57\xe4\xb7\x47\xad\xcb\x09\x79\xa2\x30\xde\xa4\xf0\x79\xf2\x20\x84\x87\x09\xf2\xbb\x38\xc3\x4a\x22\xc5\xb3\xca\xf9\x4a\x02\xfc\x5f\x1c\x4d\x01\x3c\x16\x5a\xbf\x74\xbe\xd9\xd0\x28\xa5\xd8\x4e\xc1\x50\x37\x7f\x49\x8e\xe0\xe2\xa8\x6b\xf0\x4b\x97\xee\x40\xaf\x98\x82\xbf\xad\xec\xf5\xe1\x25\xfc\x90\x9d\x25\x0d\x92\xa3\x11\x66\xd6\x11\x21\xb5\x36\x45\x24\xb6\x35\x1e\x0b\x6a\x66\xdc\xde\xeb\x52\x49\xeb\xab\xb8\x65\xf1\xf4\xa1\xa8\x0a\xda\x5d\x69\x5d\x3a\x37\xb2\x14\xc9\xf0\xd9\x25\x07\xdb\x1b\x8d\x80\x8a\x96\xf0\x89\x02\xef\x8c\x97\xe2\x2b\x75\x49\x75\x38\xf5\x4f\xf9\x44\xa1\x91\x42\xb6\xae\x1b\x86\x36\x50\x0e\x2f\x39\x20\xa3\xab\x34\x1d\x8d\x1d\xb2\x2d\xc6\x4e\x1d\x68\x38\x21\x62\xb4\x89\xea\xad\xe6\x68\xba\x38\xe6\xe7\xec\xf6\x16\x26\xc7\x19\x37\x8a\x8e\xbf\x08\xec\x3d\x5d\xa6\x71\x64\x61\xe2\x06\x86\x9b\x33\x5c\xcb\xaf\xbc\x73\x64\x99\x83\x79\xd8\x94\xb9\xc6\x04\x41\xd9\x87\x97\xef\xf0\xd0\x4c\xe3\xfb\xf4\x19\xeb\x9c\x5c\x77\x8d\xbd\xc6\x03\x1b\x19\xfe\xa1\x3a\xdf\x11\x1d\xd4\x96\x28\x09\x3d\xa4\x1c\xe2\x52\x59\x5e\xa3\xd0\xb6\xdd\x96\x36\x4f\xe2\xe3\x75\x04\xbc\x66\x17\x04\x4f\xf1\xd0\xd2\x7f\x75\x9d\x1f\xaa\x8a\xe8\x54\xa1\x72\xda\x0b\x22\x73\x05\xbc\x63\x0a\x46\xb8\xe5\xbb\x9f\x8a\xa4\x0b\x95\xa4\xb6\xd5\xc3\x7b\xdd\xd0\x96\x8e\x19\x2d\x57\x24\x20\x78\x43\x4f\xde\xf9\xaf\xdc\x8f\x18\x39\x7d\xf1\xca\x6e\x76\xbd\xc7\x18\x45\xfb\xa2\x81\x8e\xf8\xf1\xc1\xdb\xf0\xa9\x2d\xde\xe3\xc8\xc1\xcf\xdd\xfb\x64\x43\x94\x19\xe6\x3f\x98\x11\xab\x5d\xaf\xd1\x5b\x2f\xf2\xa9\xc0\x41\x33\x16\x51\xc7\xaf\xe7\x86\x28\x75\xbf\x99\x61\x80\x6f\xac\x69\x4b\xef\x5f\x78\xfb\x9c\xd6\x4c\x33\x84\x86\x37\x44\x4e\x67\x52\x20\x03\x95\xe3\x73\x1d\x02\xdb\x34\xc2\x1f\xca\x31\x1d\x33\x9e\x81\x97\x32\xed\xe1\x83\x94\xb4\x5c\x4c\xbb\xbf\xfd\x45\xfd\xf5\x08\x28\x5d\
x26\xda\x5b\x3c\xed\xe6\x92\xaf\x4e\xf2\xf4\x2c\x73\x4b\x52\x28\x64\x75\x5d\xcd\x71\x9c\x93\xb2\x68\x43\x8f\x9b\x0f\x1a\xdd\x57\x4c\xf7\x21\x89\x21\xdf\x68\xc4\x96\x68\x3c\x62\x76\x11\x5c\x07\x4d\x42\x0f\x23\x86\x1e\xeb\x82\x03\x1e\x99\x8c\x08\x33\xd1\xcb\xbb\x5b\x33\x4a\x13\x60\x6a\x0b\xc4\x06\xc4\xc8\xb1\xc2\xbf\x8d\xf5\x57\x32\x4d\x2c\x94\xcb\xe4\xc2\x90\x80\xb6\x32\x34\xb1\xbb\x74\xe5\x85\x4e\x42\x2e\xb4\x6f\x73\x69\x78\xe2\x94\x3e\xbd\x28\xaf\x46\x7b\xd0\xee\x09\x6b\x95\x2f\xf5\xf0\xb2\x28\xc7\xef\x94\x6f\xd4\x72\x49\x3b\x0e\xac\xa9\x37\x84\x01\x66\x9f\x1b\xe6\x75\x23\x0e\x56\xbc\x19\xe4\xec\x12\x34\xfc\xb4\xea\x12\x2d\xd2\x04\x83\x01\x09\x68\x9c\xad\x7e\x3d\x70\x2a\xb3\xe9\x2e\x59\x01\x6a\x64\x0c\xce\x4e\x1e\x57\xd6\xe9\x45\x56\xe7\xee\x1f\x7c\x58\x63\x09\x04\x4b\xdc\xa4\xa7\xb2\xce\xbb\x4b\x3f\xab\xfd\x57\x8e\xd6\xc6\x85\x89\xb8\xaf\xcd\x4d\x0e\x5a\xb1\xb7\xee\xf6\xf8\x2c\xd2\x08\xe3\xec\xe7\x6e\x3b\x73\x33\x1f\xba\x03\xfb\x54\x47\x01\x29\x92\x74\x10\x42\x10\x6e\xd7\xd3\x86\xa1\x43\x3f\xe8\xd4\xc6\xbc\xe8\x22\xff\x8f\xfe\x1b\x38\x2a\xa7\x12\x47\x31\xa9\xad\x6e\x1a\x52\xc7\x82\x66\x17\x4a\x4f\xef\xe9\x86\xa5\x08\xf6\x64\x25\x77\x30\x3f\x91\xea\x4e\xfb\x32\x84\x3c\x6b\x33\x1b\x32\xf2\x45\x53\xa0\xc1\x30\x16\xd9\x1a\x23\x0a\x55\xd8\x1f\xeb\x7d\xfc\x48\xad\x15\x7c\x7c\x2f\xc6\x32\x53\x08\x10\x21\xd1\xc6\x53\x56\x51\x39\x03\xdd\xbd\xe8\xd3\xfd\x0d\x51\x74\x7f\x3e\xaa\xaf\x9d\xb9\xd6\xb4\xbd\x70\x69\xd8\xba\x53\xd4\xd1\x00\xee\x27\x27\x97\x95\x94\xc2\xfa\x80\xb9\xaa\x0e\xdd\x70\xe3\xd7\x02\xfb\x5b\x6c\xd2\x77\xee\xb4\x87\x55\x58\x86\xf8\x5b\x65\x7c\xd9\xeb\xa6\x41\xb2\x8b\xf1\xe7\x62\x30\x0f\x3e\x29\xc5\xa8\xd8\xbf\xe0\x77\xbd\xef\x7c\x9e\x2c\x4c\xfa\xd8\xfc\x36\x46\x70\xd7\xcd\x6a\xc7\xa8\x63\x22\xe6\x67\x76\x0e\x24\x03\xc4\x83\x8d\x61\xfa\x86\x69\xa4\xf6\x21\x14\xee\xf4\x23\xf0\x91\x32\xe2\x0b\xb9\x5b\xa3\x52\x2a\xc3\x10\x49\xc4\xa3\xd5\x81\xaf\x3c\x57\x84\x91\x0f\xba\x88\xcd\xee\x1c\xef\xf4\xdd\xae\xd8\x27\x11\x9c\xed\x53\x61\x94\x7d\x0e\x31\xa9\xc4\xd2\x52\x63\
xa5\x36\x54\xb8\x2f\xc1\x3b\x91\xf4\x45\x08\xdd\x19\x3c\xa1\xef\x26\xd9\x30\xa6\xb0\x81\x05\x86\xd4\x02\xba\x05\x54\xfa\xce\x5c\x3e\xd0\x77\x67\x1d\x50\xd2\x88\x65\xbf\xff\x35\xca\x3a\x4d\xab\xdb\xd6\xe3\xb0\x70\x59\x32\x0f\x53\xe5\xc4\x9d\x73\xcc\x16\xdd\x1e\xd2\x81\x6a\xc9\x8a\xd3\x85\x3c\x36\x88\x29\xc7\xbe\xc4\x0c\x4a\x9b\x39\xee\x3b\x73\x0b\xbd\x6c\x15\x2f\x35\x8e\x99\x11\x30\x8c\x12\xed\x12\x06\x56\x1f\xc7\xcf\x7c\xb4\x77\x14\x5f\x1a\xaa\xce\x66\xac\x5c\x44\x68\xac\xb2\xf6\x01\xc6\x1e\x4b\x11\x8b\xe2\x05\x6b\x6d\xbc\x18\x60\x9b\xfd\x41\x05\xee\xe1\x8b\xe3\x84\xa1\x99\x13\xd2\x74\xd9\x20\x39\x79\x0c\xb8\x74\x20\xb9\xfd\xd7\x0e\x73\x43\x09\xfc\x7a\xfe\x09\xe1\x1f\x78\x0d\x6e\xe6\x24\x31\x75\x90\x7a\x4a\xee\xcb\x6c\xa0\x70\xa3\x37\x4b\xe5\xd3\xd0\x7a\x78\x8e\xa4\xe1\xf9\xd6\xf1\x8e\xff\x9e\x79\x64\xd7\x07\x6c\xb5\xb9\x3c\xd9\x73\x38\xec\x05\x44\x8e\xc5\x27\xcc\xa6\x67\x90\xbf\xe3\x2c\x5b\x26\x62\xd7\xfc\x6b\x83\x6b\x41\xbf\x32\xe5\xbc\x0d\xdf\xe4\x2d\x59\x73\xdb\x86\xf8\xae\xd5\x6e\x43\x11\x2b\x45\xb0\xf7\x92\xc5\x39\x45\x99\xa1\x3e\x73\xc2\x50\x12\xb5\xaa\xcd\x3a\xef\x11\x24\x73\xc4\xe2\xe3\xab\x6a\xeb\xf5\xaf\x6d\xe9\xe7\x8a\xc0\x47\xfc\xc2\x76\xfd\x97\x6f\x25\x02\x2c\x65\xc3\x0a\x9f\xd6\x72\x03\xf1\x9e\x33\xb3\x5c\xfb\xcf\xdf\xf3\x95\xc5\xbb\x53\xf2\xfd\x79\x28\xe4\x3e\x62\x28\x47\x28\x07\x80\xb8\xcc\x81\x5f\xb4\x85\x18\x91\x05\xa1\x24\xcd\x86\x27\xcc\x3d\x5f\x1a\x9d\xd8\x00\xd4\x7a\x22\x6e\xbf\x90\x7e\xb2\xf4\x91\x33\xd1\x17\x58\x8d\x28\x0f\x4c\xc4\x3d\x95\x25\x4d\x88\xc8\x75\x3d\x96\x07\x3f\x97\xc5\x31\xf5\x1e\x55\x96\xe2\xe9\x71\xa2\x16\x1b\x78\xf7\x5e\xdc\xfb\xd9\xde\x38\xf0\xa9\x28\x4b\x7c\xce\xef\x87\x59\x8f\xa3\xbc\xfa\x5d\xbc\xbd\x1d\x28\x4c\xf8\x0c\xb7\x75\x54\x65\x89\x9d\x36\x2d\x9e\x40\xc6\x4c\x1a\x1e\x4c\xc4\x5c\x38\x71\xb2\x10\x4c\xa4\x0c\x05\x72\x9d\xcc\xbf\x6d\x0a\x17\x50\x0e\x5d\x0d\xff\xa3\x44\x3a\x52\x33\xe2\x79\xb2\xf9\xc5\x18\xb6\x97\x34\x0d\x26\xd2\x87\x26\x60\xc7\x1a\x49\x57\x10\xee\x00\x9f\xfb\x98\x9e\xbb\x5b\xef\xe5\x17\x69\x25\xb7\x8c\
xde\xb1\xe8\x11\xc5\x1e\xcd\xb0\x1a\x47\xec\x1d\x1d\x0e\xf2\x02\x4c\x9a\x66\x6f\x6b\xc5\xeb\xe1\x3e\x77\x3f\x89\xf4\xc8\x0b\xaa\x1d\x66\x0c\x05\x1c\x26\x72\xf9\x1c\x21\xdb\x5f\xf2\xd5\xa7\x01\x26\xdc\x69\x14\x0e\xe2\x16\xc4\x5b\xdd\x0a\x7b\x52\x79\xde\xce\x2f\x58\x3b\xc2\x4f\xc6\x3c\xae\x88\xae\x75\x57\x22\x40\x48\x23\xc5\xc2\x16\x84\x9d\xcd\x10\x85\xba\x99\x02\xcb\x24\x8a\xc5\xd1\x92\xc3\xbd\xc5\x37\x39\x2a\x7c\x9e\xd3\xc3\x59\xbb\x6d\x49\x34\x62\x5f\x5f\x7a\x6d\xd5\x1b\x78\x57\x3f\xc7\x26\xad\xab\xc9\x1f\x41\x96\x05\x86\xf6\x4c\x39\x26\x11\x26\xea\x67\xdf\xc3\x2c\x5a\xe5\xf7\xd6\xed\x88\x74\x73\x60\x41\x8d\x42\xa0\x08\xd9\xcf\xc5\xef\x15\xf9\xc5\x88\xdb\xb9\xec\xc3\x74\xba\x19\xab\x60\xa3\xba\x33\xfb\xd1\xb8\x04\x77\xb0\x20\x4e\x67\xc8\x45\xf9\xf6\xab\x58\x9c\x58\xb5\x78\xcc\xa5\x8a\xf3\x22\xae\x66\xb9\xb1\x2e\xd9\x53\x70\x3d\x13\x93\xd8\xec\xe9\xc6\x70\x66\x4f\xdb\x6b\x1f\xfa\x10\x27\x1a\xbc\x0e\x51\xd5\x7b\x59\x10\x2e\x26\x40\xbe\xa0\x9e\x91\x12\x94\xc3\x5a\xbc\x86\x16\x99\x0a\x57\x29\xbf\x73\x9a\x8e\x22\x77\x4a\x68\x0d\x57\x70\xb8\x58\xb9\x32\xfe\x59\x5b\x73\x22\x32\x8a\xe7\x92\x07\x8a\xd2\x8d\xb4\xd5\x4c\xbd\x7c\x98\x68\xfc\xbe\x6e\xed\x0b\x0a\xa7\xb7\xab\xbf\xb1\xb8\xef\xce\x2d\xd5\xc1\xe2\x9b\xac\x66\xab\x7f\x80\xfe\x7a\x65\xd2\xda\x18\x38\x66\x0e\x94\x06\x6a\x6b\x2e\x3b\xdb\x89\x7e\x55\x1b\xc0\x37\xd7\x79\xdb\xb6\xcb\x9b\xdc\xa7\x03\x0e\xf8\x22\x6b\x96\x8d\x5a\x85\x7c\xb4\x24\xa9\xbd\x71\xec\xf3\xe0\xdf\x3b\xca\x6b\x91\x95\x90\x5e\xd0\x5e\x73\xd0\x36\x7f\x16\x49\xee\xd5\x49\xd9\xc3\xd4\x7e\x2f\x31\x2c\x17\x0d\xc9\x4a\x70\x1d\x42\x04\x60\xe1\x00\x0e\x23\x70\x21\xc6\xb7\xb1\xbc\x08\xb3\x5c\x10\x43\xc6\xe8\x99\xed\x58\x7e\xf7\xdf\xb6\xe1\xc7\xb6\xe1\x1e\x3a\x2f\xb4\x34\x8a\xbc\xc9\xed\x18\x31\xee\x37\x3d\x00\x45\x40\xa7\x3a\x4c\x78\xf9\xd3\xab\xb1\x01\xc7\x87\xba\x23\x9d\xf6\x63\x92\x4e\xf8\x4e\x3b\x43\x68\x68\xb6\x3c\xd7\x4f\x4d\x47\xac\x9e\xbc\xe3\x81\x4b\xbd\xb3\x7e\xee\xc3\xfe\xa1\xf9\x06\x88\xd1\x6f\xf3\x28\x5d\x35\x97\x45\xf9\xc1\xb6\xdc\xfa\x98\xbc\xd3\
x2a\xca\xcc\xd9\x35\x0c\x07\x05\x79\xaf\x49\xc6\xdd\x8e\x62\xb3\xe1\x16\x16\xb9\x56\x05\xb5\xe6\x7c\x90\xc3\xdb\x1b\x83\x01\xde\x61\xbd\xfa\x55\x8e\xe6\xd1\x3f\x20\xa7\x8d\x40\x7e\x4f\x44\xca\x79\x3c\xe3\xd9\x58\xe1\x52\x2f\x1a\x64\x27\x6a\xc8\x86\x3d\x1a\x68\xb5\xb6\x4e\x03\xec\x0b\x22\xb0\xa7\x87\xbb\xa7\xb4\x62\xfd\xdf\x8d\xa7\xd1\x01\x8b\x32\xa1\x32\x82\xbd\x1e\x83\x06\x0a\x67\xc7\xda\x96\xe4\x6e\x3b\x32\x2a\x5d\x8e\x05\xba\x67\xb3\xac\xa1\xc5\xd1\xbf\x13\x6a\x57\xb3\xaa\x68\x77\x7f\x00\xbf\x10\x2d\xdd\xb1\xde\xc2\x1d\xb3\x09\xf4\x85\x5d\x9c\x08\xed\xc5\x80\xd6\x52\xa6\x89\x42\x0b\xf6\x25\x38\xb5\xaa\x26\x30\x57\x09\x81\x21\xd8\x2d\x87\xe2\x9e\xe2\x6b\x5d\x52\x88\x02\x3e\x50\x1f\xf2\x73\x0b\xce\xf0\x0b\x98\xf1\x3c\x40\xbc\x2d\xa1\xa1\xbc\xa1\xcd\x66\x64\x84\xf1\xa3\xf5\xc8\xb6\xff\xaf\x46\x8f\xbe\xaa\xf5\xab\xfd\x74\x39\x6f\xbc\x46\x0e\x0f\xd2\xb4\x40\xf5\xe5\x63\x27\xe6\x34\x90\x73\x11\xdc\xe9\x8e\xc0\x75\xe9\xee\x32\x87\xf7\xd2\xdc\xd6\x44\x93\xe5\xc5\xce\x09\x6b\xb2\x9d\x77\xaa\x49\xa9\xf6\x77\xe6\x8e\xfd\x44\xcf\x35\xb5\xa0\xd6\x9f\x1e\xc8\x87\xa5\xf1\xf3\x5e\x44\xaf\xe3\xb6\x90\x4e\xf0\x26\xb3\x65\x1c\x69\x7d\xc2\xaf\x46\x66\x2b\x92\x36\x64\x20\x1e\x4b\xae\xdc\x28\xe8\x5f\x33\xd0\xfc\xce\x83\xec\xb0\x1d\x04\xf5\xa0\x82\x6d\xf9\xfb\xfe\x7d\x92\xe3\x1d\xb7\x62\x02\x53\x3f\xa8\xbd\xbd\x4f\x14\x74\x4f\x84\x85\x94\x8f\xf0\xe4\x0e\xc7\x7d\x2a\x2c\xca\xc3\x4f\x38\x9a\x4f\x6b\x0e\x1f\x84\xf5\x27\xb1\x28\x2b\x4b\xa5\x3c\xc0\xa5\x34\x68\xeb\x13\x62\xd8\x7f\x33\x4f\x17\x6d\x94\x8d\x9d\x7f\xc1\x90\xa1\xfa\xbb\x36\x74\x53\x85\x94\x5f\x27\xd4\x4c\x13\x64\x36\xee\xed\xca\x1a\xd4\x94\x5c\x9d\x73\xd6\xa2\xd7\x22\x5a\x1f\x7f\xa4\x9a\x2b\x2b\x56\xd3\xa4\x03\xa8\xdd\xd0\x3d\x70\x1b\xb8\xba\x36\xc2\x75\xb0\x5d\xb3\xb6\x06\x38\xb9\xa2\xa2\x34\xcb\x63\xb8\x09\xeb\xfc\x9a\x77\x1a\xc7\x12\x76\x2f\x7e\x96\xc5\x38\xe1\xc5\x4a\x79\x12\xb9\x59\x44\x63\x2d\x6d\x60\x59\x4b\x90\x0e\x17\xee\x32\x7b\x2b\x2b\x13\xbe\x28\x44\x06\x1f\xd1\xe3\x50\xe4\x71\x21\xfd\x71\xf1\x30\xa5\xae\xb5\x15\x3c\
xcb\x8e\xce\x99\x59\x0f\xf9\x3e\xa9\x8e\xe5\x89\xa0\xa4\x28\x8b\xb6\xa3\x59\x0b\x1c\x6e\x89\x00\x8b\xbd\x2d\xc7\xad\x38\x74\x83\x69\x40\x5c\x9f\x8c\x37\xfa\x75\xdd\x2f\xf4\xa3\x84\x56\x1d\x03\x09\x48\xc3\xd1\x64\x66\xe4\xf0\x37\xe5\x4d\x3d\xca\xbd\xe0\x2f\xb3\x5c\x62\xb3\x16\x92\x65\xc0\xaf\x80\x18\xa8\x6c\x3f\xcf\x32\x68\xc1\xa9\x1e\x71\x31\xf8\x9c\xf7\x84\x1b\xb5\x8c\xab\x8a\x5f\x89\xd7\xed\xb6\x7f\x05\xf1\x6f\xe8\x40\x59\xbe\x5a\xbd\xbe\x44\xd3\x85\x2f\xa5\x79\x0c\x16\x16\x28\xb2\x1e\xef\x35\x9a\xaf\x7d\xb7\xde\x11\xc8\x35\xff\x9c\xc0\xb8\x6a\xc9\x75\x1f\xd2\xd5\xc1\x35\xe8\xac\xb4\x35\x2b\xc0\x3f\xdf\xe6\xc4\x34\x73\x58\x2c\xde\x76\xb1\x57\xee\xb0\x3a\xcf\xff\x74\x2b\xe5\x83\x8a\x4a\xab\xa1\x60\xe1\xc5\x88\xc9\xe1\xda\x27\x58\xfc\x29\x0a\xe3\x7a\x76\x05\x34\x0f\x72\x6f\xf3\xd8\xd7\x3d\x3d\xcc\xdc\x77\x37\x49\x9b\x74\x73\xec\xcc\x00\xc3\xd0\x1d\x20\xbd\x98\x9e\x60\x49\xd9\xda\x7d\xce\xe2\x29\xfe\x3d\xb7\xe2\x84\x5b\xa6\xef\x6b\x38\x06\x80\xe0\x77\x54\xdf\xa9\x2d\x16\x05\xb3\xb2\x52\x7e\xd1\x9d\x01\x33\x3b\x2b\x58\x86\x8d\x76\x14\xc9\x2b\x7f\x93\xc9\x5e\x2c\x90\x54\xf7\xa7\x28\xe0\x56\x9b\x98\x60\x18\x31\x1d\x9a\xb3\x79\xac\x3d\x19\xc7\xf6\x5f\x87\xac\xbd\x2a\x2b\xcd\xf1\x22\xb1\xb9\x50\x2d\x3c\x3a\x69\xef\xa3\x2f\x4b\xe1\xef\x20\xda\xa4\x2e\x13\x40\x9d\x2b\x12\xdb\xfd\x03\xc6\x4a\xca\x0b\xd6\x6c\x76\xc0\x4e\xa6\xa7\x6e\xf0\x29\x46\x50\xe5\x9e\x8a\x37\x9c\x85\xc5\xac\x8e\x31\x0e\xd9\x9e\x1a\x5f\x20\xc9\xbb\xdb\xee\x13\xde\x12\x18\xf9\x5b\xe0\x40\xff\x5f\x76\x0c\x7f\x07\xab\xe3\x62\x46\x85\x08\xa2\x11\x4e\x0c\x34\xf9\x38\x95\xc1\xe2\x8a\xd8\xc5\x6f\x19\x49\x81\x6c\xff\xd0\x9c\x02\x8d\xee\xf0\x1e\x5f\xcf\x91\xb4\x38\x4c\x62\xd0\xef\xd9\xb7\xd6\x6b\x1a\xae\x30\x2a\x3e\xd2\xc3\x03\x7c\x96\x75\xac\x6c\x86\x33\x6f\xa6\x03\x25\x8a\x53\x84\x09\xba\xd5\x67\x98\x11\x28\xcb\x8c\xab\x88\xd7\x02\x7b\x2a\x92\x67\x1c\xad\x00\x0a\x2c\x9f\x31\x7f\xb4\xae\x30\x98\x0d\x3f\x28\x51\x2f\xb5\xf6\x6a\x98\xb2\xe2\x07\x7a\x6a\x7f\x84\x61\xbf\x1a\x78\xcf\x12\xb3\xce\x6e\x3a\xa4\xa2\x2f\x3c\
x63\x73\xa5\xd0\x4f\x76\x7b\x83\xc7\xd5\x7a\x56\x83\x4f\x76\x39\xc9\xac\xbb\x9f\xde\xde\xa8\x52\x76\xa0\xaa\x10\x0b\x68\xc8\xa2\x46\x31\x4a\x8c\xa0\x2f\xf0\x7d\x15\x32\xc9\x0d\x9a\x4a\x5d\xac\xba\x53\xa2\x4c\x14\xcb\x94\xb5\x7a\x8c\x23\x6c\x98\x5e\xbc\x98\x69\x71\x08\xa4\x3e\x87\x4b\x67\x15\xe6\xbe\x8d\x96\x85\xfa\xfd\xba\x1d\x7e\x5d\x1b\x4c\xed\x62\x56\x58\x47\xbd\xfc\xf6\x2b\xe1\x75\xe8\x48\x3c\xfd\x07\x11\x24\x76\x64\xe2\x73\xfc\xbe\xc2\x9f\x60\xde\xdd\x34\xc6\x81\x0f\x66\x50\xb6\xbd\xc4\x7d\xf7\x26\x7b\x8f\x53\xbc\x66\xac\x41\xa5\xc0\x50\x6e\xdf\x4a\x80\x5c\xff\x03\x43\x79\x7c\x88\x12\x56\xea\x09\x5f\xbf\x14\x57\x54\xf7\xcb\x9d\xfb\xa6\xd3\xc2\xbd\x12\xac\xe3\x07\x62\x9c\xb2\x2d\xfe\xb5\xa4\x81\x55\xde\x0e\x50\xa9\x5d\xa5\x8b\x32\x02\x58\x9b\x60\xf5\xdd\x4c\xa6\xcd\x22\xc2\xed\x78\x8f\x27\x21\xd5\x35\x43\x74\xe9\xef\xac\xf4\x94\x72\x94\xdd\xc8\x14\x92\x25\xdc\xe5\xad\xfb\x32\x25\x95\xed\x18\xa4\xdc\xb0\x56\x51\x48\xb0\x87\xe3\x7d\x42\x47\xea\xae\xcc\x58\xc5\xaa\xf1\xc6\x4e\x87\xcc\x2c\xce\x9b\x8e\xbc\xaf\x96\x3f\xc4\x41\xa6\xdf\xac\x42\x6b\xe0\xac\xe4\xec\xfb\x91\xdf\x77\x32\x72\x1a\xfb\x34\xf9\x05\xce\x73\x77\xdb\x38\x49\xd7\x40\x1b\xa3\xd3\x14\x9c\x08\xe9\x8b\xcd\xec\xa6\xde\x20\x7e\xd8\xbc\x7b\x1d\x6e\x88\x59\x7d\xa6\x28\xc6\xb0\xa7\x3c\xf9\x67\x4a\x20\x7d\xd8\x74\x5f\xe5\xb3\x2b\xdd\x8f\x55\x09\xf1\x4f\xc1\x5c\xf9\x50\x4b\xf6\x63\x4b\x2d\xf2\x83\x6e\x95\xc7\x36\xe2\x76\x2f\x27\x14\xbf\xd1\x30\xaf\x99\x1d\x8b\x64\x8a\x93\x72\x15\x83\x83\xa2\xf5\x3e\x14\xc7\xcf\xc7\x66\x3d\xb5\xca\x5c\x8a\x9c\xdd\x15\x5e\x38\xc1\xf7\x0e\x51\x61\x35\x88\x12\x8d\xd0\x85\xbb\xdd\x7e\xd2\x39\xb9\x7e\x89\x58\xce\xf3\x5f\x11\x7e\xab\x19\xb3\x70\xff\x2e\x4e\x25\x68\x9d\x62\xb6\x84\xfd\x4a\xfc\xeb\x26\x32\x51\xfa\x92\xe8\xc6\xb2\xaa\x2e\x34\xd3\xfb\x8a\xae\xd1\x8c\xdc\x73\x4f\x9b\x42\x0c\x8d\x7b\x93\x15\x55\xeb\xd7\x99\x0c\xa0\x73\xfb\x81\xbe\x98\x27\x94\xe0\x00\xd5\x05\x72\xeb\x07\x61\xd4\x95\xba\x80\x68\xf6\x57\xd7\xf7\xb9\x19\xe6\x6a\x25\xe0\x32\x11\xdf\xe6\x90\xf4\x08\x1f\xc5\xde\
x14\xf5\xf9\xd8\xbe\x47\x80\x24\xe6\x0a\x31\x38\x08\x0d\x9c\xe9\x7a\xe2\x3e\x29\x1e\x77\xa6\xe4\xa5\x07\xa9\x6a\xe0\xc0\x7d\x96\x04\xa9\x5b\x43\xb8\x17\x4c\x33\x17\x5b\xa2\x95\x05\x01\x86\xf7\x23\xb5\x0a\x60\x9e\xe0\x9b\x42\x67\xe4\xd2\xaf\x42\x96\xce\x65\x7b\xb8\xb5\xe9\x96\xf9\x8b\xd7\x5e\xd4\x2d\x09\x54\x89\x5d\x97\xd9\x88\x32\x9d\x92\x5f\x62\x89\x44\x74\xd1\xca\xa5\xde\x98\x8e\xd7\xb5\xc6\xde\xac\xfd\x90\xad\x94\x7e\xfe\xbf\x6c\xf6\x1b\x45\xd9\xc7\xb1\xba\x59\xe9\xec\x4b\x85\x59\xaf\xf8\xd3\xd0\x5f\xb0\x0f\x57\xec\x94\x2b\x0e\x9b\x9f\xdb\xde\x26\xca\xd3\x40\xcb\xb4\xf7\xc0\x44\x7b\x70\x7e\xd8\xf6\xd4\xf9\x89\xd0\xb1\xda\x0d\x0c\xda\xe6\x17\xb0\x14\x36\xfa\x68\xe3\x77\x75\xe8\x44\x41\x5e\xbd\x11\xa3\x35\x08\x46\xcf\x0b\x41\x9f\xad\x6d\xb9\x4c\xcc\x82\x83\xe9\x50\x19\xdb\x55\x91\xb9\xe8\x1c\x5d\x32\x70\x7b\x30\x02\xaf\xb2\x40\x58\x49\x5f\x6c\x21\xcd\x4b\x9e\x12\xaf\x7a\x1f\x40\x54\xfd\xa3\x7b\xa6\xa2\x94\x5e\x89\x98\x99\x76\x10\x12\x54\x8e\x41\x22\xa6\x95\x56\xe0\xca\x51\xe2\x31\x94\xbd\xc4\xe2\x72", 4096); *(uint32_t*)0x20002904 = 0x1000; *(uint32_t*)0x20002908 = 9; memcpy((void*)0x20002940, "flock=openafs", 13); *(uint8_t*)0x2000294d = 0x2c; memcpy((void*)0x2000294e, "dyn", 3); *(uint8_t*)0x20002951 = 0x2c; memcpy((void*)0x20002952, "autocell", 8); *(uint8_t*)0x2000295a = 0x2c; memcpy((void*)0x2000295b, "dyn", 3); *(uint8_t*)0x2000295e = 0x2c; memcpy((void*)0x2000295f, "flock=openafs", 13); *(uint8_t*)0x2000296c = 0x2c; memcpy((void*)0x2000296d, "source", 6); *(uint8_t*)0x20002973 = 0x3d; memcpy((void*)0x20002974, "&", 1); *(uint8_t*)0x20002975 = 0x2c; memcpy((void*)0x20002976, "source", 6); *(uint8_t*)0x2000297c = 0x3d; memcpy((void*)0x2000297d, "SEG6\000", 5); *(uint8_t*)0x20002982 = 0x2c; memcpy((void*)0x20002983, "smackfsdef", 10); *(uint8_t*)0x2000298d = 0x3d; memcpy((void*)0x2000298e, "SEG6\000", 5); *(uint8_t*)0x20002993 = 0x2c; memcpy((void*)0x20002994, "smackfsdef", 10); *(uint8_t*)0x2000299e = 0x3d; memcpy((void*)0x2000299f, "SEG6\000", 5); 
*(uint8_t*)0x200029a4 = 0x2c; memcpy((void*)0x200029a5, "subj_user", 9); *(uint8_t*)0x200029ae = 0x3d; memcpy((void*)0x200029af, "SEG6\000", 5); *(uint8_t*)0x200029b4 = 0x2c; memcpy((void*)0x200029b5, "smackfstransmute", 16); *(uint8_t*)0x200029c5 = 0x3d; memcpy((void*)0x200029c6, ":", 1); *(uint8_t*)0x200029c7 = 0x2c; memcpy((void*)0x200029c8, "seclabel", 8); *(uint8_t*)0x200029d0 = 0x2c; *(uint8_t*)0x200029d1 = 0; syz_mount_image(0x20001880, 0x200018c0, 5, 1, 0x20002900, 0x20005, 0x20002940); break; case 29: memcpy((void*)0x20002a00, "/dev/i2c-#\000", 11); syz_open_dev(0x20002a00, 0xad8, 0x2a2000); break; case 30: res = syscall(__NR_ioctl, -1, 0x5429, 0x20002a40); if (res != -1) r[15] = *(uint32_t*)0x20002a40; break; case 31: memcpy((void*)0x20002a80, "net\000", 4); syz_open_procfs(r[15], 0x20002a80); break; case 32: syz_open_pts(r[13], 0); break; case 33: *(uint32_t*)0x20002e80 = 0x20002ac0; memcpy((void*)0x20002ac0, "\x7a\xd3\xcd\x80\x2d\xd0\xc4\x24\x94\x5d\x99\xca\x9c\xa6\xe4\xfb\xb8\xf8\xe3\xb9\x80\xd2\xec", 23); *(uint32_t*)0x20002e84 = 0x17; *(uint32_t*)0x20002e88 = 0x1000; *(uint32_t*)0x20002e8c = 0x20002b00; memcpy((void*)0x20002b00, "\x32\x9d\xe8\x0b\x2b\x17\xbb\xd2\x5d\x1f\x19\x07\xa9\x26\x3a\xf3\xbf\x05\xc4\xa7\x06\x1e\x28\x49\x2a\x3f\x71\xc6\x34\x3a\xa5\xaa\xea\x03\x27\xa3", 36); *(uint32_t*)0x20002e90 = 0x24; *(uint32_t*)0x20002e94 = 5; *(uint32_t*)0x20002e98 = 0x20002b40; memcpy((void*)0x20002b40, 
"\x82\x79\x1d\xfd\x31\x1d\x07\xdb\x7d\x65\xe8\x03\xce\x6c\xa0\x00\x28\xaf\x8f\xf8\xd2\x76\x18\x7e\x0e\x14\xbb\xf7\xbe\xab\x60\xfc\x4b\x70\x72\x2e\x91\xb6\x32\x2b\x8e\x34\x72\x19\x1a\x66\x17\x6b\xb0\xca\x91\xde\xe6\x0f\x15\x06\xa6\xd4\x8b\xe4\x05\x52\x30\xc3\x0b\xe9\x4a\x10\x43\xa1\xd2\xa0\x6d\x42\x16\x60\x69\xd8\x03\x3d\x6c\x52\x4c\x86\x10\xb8\xc4\xbb\x63\xaf\x0c\xe6\xd6\x20\x71\x37\xf1\xbe\x1b\x62\xb0\x02\xe8\xc3\x5e\x64\x67\xc2\x42\x3c\xc6\x59\x7d\x1c\xa5\x8e\xe3\x15\x89\xf0\x24\x8a\xc7\x62\xe2\x4a\x28\x6a\x41\xa7\x61\x91\x2d\x34\xbb\x56\xf0\x7d\xb8\x8c\xa5\x2f\xce\x8d\x12\x87\x62\x39\x4f\xa0\x0f\xaa\xc8\x45\x1a\x42\xc3\x14\x4b\xde\xc7\xe9\x72\x96\xc9\xea\xc7\xc9\xf6\x31\x10\xa3\xd4\x05\xc1\x6b\x04\x28\x88\x00\x24\xe8\xc9\xc8\xaf\x49\x0b\x8c\xfa\xd8\x4c\xbb\x63\x78\x78\xd6\x34\xcd\x84\x34\x6b\x60\xc9\x13\x2c\x09\x66\x0c\xdc\x61\x6a\x0b", 212); *(uint32_t*)0x20002e9c = 0xd4; *(uint32_t*)0x20002ea0 = 0x7fff; *(uint32_t*)0x20002ea4 = 0x20002c40; memcpy((void*)0x20002c40, "\x90\x4b\xbc\xee\x2b\x46\xda\xa1\xac\x64\x3b\x7b\x6b\x8e\xa0\xff\x46\x2f\xea\xbe\xe5\x41\xb4\x11\xa8\x85\xe4\x70\xa4\x96\xcb\xbd\xc7\x29\xff\xde\xbc\x50\x80\x7f\x71\x9c\xbe\x80\x8d\x8b\x59\x8b\x47\x67\xc7\xa8\x52\xd9\xce\x0c\x88\x0a\x9b\x07\x8b\x01\x87\xde\xac\x92\x6b\xd4\x68\x7a\x44\xf0\x92\xbb", 74); *(uint32_t*)0x20002ea8 = 0x4a; *(uint32_t*)0x20002eac = 5; *(uint32_t*)0x20002eb0 = 0x20002cc0; memcpy((void*)0x20002cc0, 
"\x35\x31\xae\x25\x7e\x7e\x08\x77\xcd\xe3\x40\xc4\x2e\xdb\xfc\x91\xdc\xff\xaf\xf1\x28\x4e\xf0\x8a\x45\x1e\x4c\x76\xe0\xcd\x83\xb2\xc0\xea\x10\xd8\x6b\xce\xfa\x93\xbb\xae\xf5\xff\xfb\xfe\x7d\xc7\x0b\x73\xb8\x9c\x55\xfc\x38\x51\x11\x0d\x1b\xd0\xd1\xda\x31\x75\x33\x20\xb1\x11\xfe\x70\x60\x53\x7e\x8f\x65\xf3\xc2\xf0\x5a\xdc\xb3\xd6\x6b\xd2\xab\xe6\xb0\x8a\xaa\xe0\xd0\xee\xdc\xa9\x93\x77\x07\xec\x4c\xb4\x87\x4c\xdf\xd0\x58\x00\x81\x2a\xb5\x3f\x95\x50\xb2\x5a\x28\xee\x69\xe6\x2a\x0f\x79\x0f\xe5\x23\x3f\xc8\x64\x5f\xc3\xfe\x6c\xae\x05\x5f\x2a\xa1\x72\x91\x25\x17\x01\x51\xe8\x6e\xea\xb6\x7b\xb2\x0b\xc8\x84\xa1\x21\x4c\x2d\x3d\x96\x9c\x34\xfb\x23\x9b\x45\xfe\xec\x93\xac\x20\x97\x21\xba\xe7\x27\x12\x51\xc6\x13\xce\xa9\x37\x9c\x15\x21", 183); *(uint32_t*)0x20002eb4 = 0xb7; *(uint32_t*)0x20002eb8 = 4; *(uint32_t*)0x20002ebc = 0x20002d80; memcpy((void*)0x20002d80, "\xc3\xf0\x4f\x26\x92\x9b\x7a\x4d\x63\x42\x84\x1f\xa5\x3a\x9a\x8c\xb8\x00\x6a\x97\xf4\x28", 22); *(uint32_t*)0x20002ec0 = 0x16; *(uint32_t*)0x20002ec4 = 6; *(uint32_t*)0x20002ec8 = 0x20002dc0; memcpy((void*)0x20002dc0, "\xc9\x87\x12\x75\xe3\x26\x9f\xf1\xbd\xcd\x67\xfb\x52\x3e\x1c\xeb\x51\x51\xb0\xed\xe9\xe0\x32\x63\x4e\x36\xd4\x86\x04\x6b\xc3\x1c\xd9\x78\xbd\xa5\x92\x47\x35\x53\x16\x31\x9e\x76\x8e\x7a\xc6\xbe\x06\x48\xbf\x0f\xec\xd1\x3c\xda\xd4\x5f\x71\x3e\x0e\x3b\x74\xe9\x5e\xec\x77\x06\x3c\x02\xa2\x33\xea\x97\xd3\x38\xf4\xb1\xe9\xbc\x5a\x7c\xce\x85\x52\x87\x42\x63\x2e\xd5\x9c\xec\x01\x6f\x39\x14\xdd\x02\xca\x6b\x1d\xc8\x33\x22\x48\x95\x27\x73\x50\xcf\x1f\x21\xd6\xc7\x8f\x85\x92\x71\x7e\x91\x23\x3f\x90\x26\x92\x7e\x0c\xc3\xd8\x0c\xdc\x57\x71\x47\x63\xa0\xfc\xb0\x91\xf5\xc6\x90\x51\xb5\x5c\xd2\xe1\xfc\xc3\x3b\x13\xd5\x97\xc5\xca\xee\xb2\x71\xc5\x42\x97\x8a\x1e\x17", 164); *(uint32_t*)0x20002ecc = 0xa4; *(uint32_t*)0x20002ed0 = 0x9c; syz_read_part_table(1, 7, 0x20002e80); break; case 34: *(uint8_t*)0x20002f00 = 0x12; *(uint8_t*)0x20002f01 = 1; *(uint16_t*)0x20002f02 = 0x201; *(uint8_t*)0x20002f04 = 0xa4; 
*(uint8_t*)0x20002f05 = 0x61; *(uint8_t*)0x20002f06 = 0x1e; *(uint8_t*)0x20002f07 = 0x40; *(uint16_t*)0x20002f08 = 0xacd; *(uint16_t*)0x20002f0a = 0x300; *(uint16_t*)0x20002f0c = 0xc0df; *(uint8_t*)0x20002f0e = 1; *(uint8_t*)0x20002f0f = 2; *(uint8_t*)0x20002f10 = 3; *(uint8_t*)0x20002f11 = 1; *(uint8_t*)0x20002f12 = 9; *(uint8_t*)0x20002f13 = 2; *(uint16_t*)0x20002f14 = 0x372; *(uint8_t*)0x20002f16 = 2; *(uint8_t*)0x20002f17 = 4; *(uint8_t*)0x20002f18 = 0x1f; *(uint8_t*)0x20002f19 = 0; *(uint8_t*)0x20002f1a = 1; *(uint8_t*)0x20002f1b = 9; *(uint8_t*)0x20002f1c = 4; *(uint8_t*)0x20002f1d = 0x5d; *(uint8_t*)0x20002f1e = 0xb3; *(uint8_t*)0x20002f1f = 1; *(uint8_t*)0x20002f20 = 0xad; *(uint8_t*)0x20002f21 = 0x49; *(uint8_t*)0x20002f22 = 0x76; *(uint8_t*)0x20002f23 = 0x20; *(uint8_t*)0x20002f24 = 7; *(uint8_t*)0x20002f25 = 0x24; *(uint8_t*)0x20002f26 = 1; *(uint8_t*)0x20002f27 = 0; *(uint8_t*)0x20002f28 = 0x80; *(uint16_t*)0x20002f29 = 0; *(uint8_t*)0x20002f2b = 9; *(uint8_t*)0x20002f2c = 5; *(uint8_t*)0x20002f2d = 0xd; *(uint8_t*)0x20002f2e = 0; *(uint16_t*)0x20002f2f = 0x230; *(uint8_t*)0x20002f31 = 0x5d; *(uint8_t*)0x20002f32 = 1; *(uint8_t*)0x20002f33 = 0x3f; *(uint8_t*)0x20002f34 = 7; *(uint8_t*)0x20002f35 = 0x25; *(uint8_t*)0x20002f36 = 1; *(uint8_t*)0x20002f37 = 0; *(uint8_t*)0x20002f38 = 0x1f; *(uint16_t*)0x20002f39 = 2; *(uint8_t*)0x20002f3b = 0xba; *(uint8_t*)0x20002f3c = 0xe; memcpy((void*)0x20002f3d, 
"\xf4\xe6\xe5\x76\x28\x83\xc3\x4d\xf0\x4f\x35\x60\x99\xf1\xd3\x4b\xdb\xc9\xf5\x32\x4d\xa6\x48\x05\x3f\xd6\x90\x21\x1b\x89\x71\x19\xc4\xf3\xac\x19\x7f\x2a\xa9\x3f\x2f\x3b\xe0\x5f\x83\x6b\x16\x44\xd5\xb2\x32\x76\x48\xb3\x08\x16\xed\x19\x2f\x94\x3d\xfc\xe2\x25\xf6\x9d\x77\xc5\x15\x65\xe1\x77\xfd\x88\x9c\x9c\x9d\x8c\x85\xb9\x2e\xe4\xbe\xad\x0e\x88\x94\x46\xbb\xc3\x20\xa4\x0f\xa2\x48\x07\xf4\x76\xbf\xd1\xf1\xb3\x09\x6e\x33\x70\xf7\x55\xc9\x4a\xa0\x1c\x3b\xe4\xdd\xc7\x95\x2a\x56\x94\xbc\xad\x4b\xeb\x40\x65\xbf\x5e\xa9\x60\x66\xc4\x3e\x95\x07\xe6\x22\x0c\x47\xbc\x02\x71\xad\xcb\xaf\xfc\xe6\xac\x90\xcb\x3c\x8b\x1c\xf7\x48\xc6\xbb\xf9\x71\x08\xdf\xa2\xca\xc4\xb8\x7d\x34\x20\x42\x84\x34\x39\x7e\x07\xf1\x7a\x87\xed\x62\x33\xb3\x9e\x32\xf0", 184); *(uint8_t*)0x20002ff5 = 9; *(uint8_t*)0x20002ff6 = 4; *(uint8_t*)0x20002ff7 = 0x5d; *(uint8_t*)0x20002ff8 = 0x27; *(uint8_t*)0x20002ff9 = 7; *(uint8_t*)0x20002ffa = 0x3f; *(uint8_t*)0x20002ffb = 0x84; *(uint8_t*)0x20002ffc = 0xfd; *(uint8_t*)0x20002ffd = 3; *(uint8_t*)0x20002ffe = 0x10; *(uint8_t*)0x20002fff = 0x24; *(uint8_t*)0x20003000 = 2; *(uint8_t*)0x20003001 = 1; *(uint8_t*)0x20003002 = 0xe2; *(uint8_t*)0x20003003 = 2; *(uint8_t*)0x20003004 = 0x63; *(uint8_t*)0x20003005 = 0x40; memcpy((void*)0x20003006, "\xe7\x21\xcc\x44\xac\xca\x89\x38", 8); *(uint8_t*)0x2000300e = 0xb; *(uint8_t*)0x2000300f = 0x24; *(uint8_t*)0x20003010 = 2; *(uint8_t*)0x20003011 = 1; *(uint8_t*)0x20003012 = 0; *(uint8_t*)0x20003013 = 3; *(uint8_t*)0x20003014 = 1; *(uint8_t*)0x20003015 = 0; memcpy((void*)0x20003016, "\x9e\xf4\x2f", 3); *(uint8_t*)0x20003019 = 7; *(uint8_t*)0x2000301a = 0x24; *(uint8_t*)0x2000301b = 1; *(uint8_t*)0x2000301c = 4; *(uint8_t*)0x2000301d = 1; *(uint16_t*)0x2000301e = 4; *(uint8_t*)0x20003020 = 0xb; *(uint8_t*)0x20003021 = 0x24; *(uint8_t*)0x20003022 = 2; *(uint8_t*)0x20003023 = 1; *(uint8_t*)0x20003024 = 0; *(uint8_t*)0x20003025 = 3; *(uint8_t*)0x20003026 = 0x19; *(uint8_t*)0x20003027 = 6; memcpy((void*)0x20003028, "\x9e", 1); 
memcpy((void*)0x20003029, "\x69\x83", 2); *(uint8_t*)0x2000302b = 9; *(uint8_t*)0x2000302c = 5; *(uint8_t*)0x2000302d = 0xf; *(uint8_t*)0x2000302e = 0; *(uint16_t*)0x2000302f = 0x3ff; *(uint8_t*)0x20003031 = 0xf6; *(uint8_t*)0x20003032 = 5; *(uint8_t*)0x20003033 = 0x80; *(uint8_t*)0x20003034 = 9; *(uint8_t*)0x20003035 = 5; *(uint8_t*)0x20003036 = 1; *(uint8_t*)0x20003037 = 0x10; *(uint16_t*)0x20003038 = 0x10; *(uint8_t*)0x2000303a = 0; *(uint8_t*)0x2000303b = 0x40; *(uint8_t*)0x2000303c = 6; *(uint8_t*)0x2000303d = 7; *(uint8_t*)0x2000303e = 0x25; *(uint8_t*)0x2000303f = 1; *(uint8_t*)0x20003040 = 2; *(uint8_t*)0x20003041 = 0x20; *(uint16_t*)0x20003042 = 6; *(uint8_t*)0x20003044 = 9; *(uint8_t*)0x20003045 = 5; *(uint8_t*)0x20003046 = 0xb; *(uint8_t*)0x20003047 = 8; *(uint16_t*)0x20003048 = 0x10; *(uint8_t*)0x2000304a = 1; *(uint8_t*)0x2000304b = 2; *(uint8_t*)0x2000304c = 0; *(uint8_t*)0x2000304d = 9; *(uint8_t*)0x2000304e = 5; *(uint8_t*)0x2000304f = 0xd; *(uint8_t*)0x20003050 = 0x10; *(uint16_t*)0x20003051 = 0x200; *(uint8_t*)0x20003053 = 4; *(uint8_t*)0x20003054 = 8; *(uint8_t*)0x20003055 = 0xc0; *(uint8_t*)0x20003056 = 0xbb; *(uint8_t*)0x20003057 = 0x31; memcpy((void*)0x20003058, "\x21\x5c\xe6\xab\x8f\x3c\x72\xca\xa3\xab\x13\x26\xf1\x88\x38\x90\x8a\xc6\x0b\xff\xb3\xb5\x07\x48\x14\x4a\xa2\xcb\xc4\xd7\xca\xc5\x6f\x4a\x7b\xb2\xbd\x6c\x96\x96\x74\xa5\xe4\x04\x08\x61\xbb\x21\xba\x5c\xcf\x0f\x82\x2c\x10\x32\xe7\xe3\x72\x9f\x8c\x17\x1f\xc7\xa8\x9b\x53\x40\xb5\x06\x71\x08\xd5\x97\xf1\x78\xaa\x65\x1a\x98\xac\xa4\xd0\x12\xfa\x55\x5a\x69\x56\x83\xb5\x27\xe6\x03\x1f\x1f\x7f\x20\x49\x4b\x25\x0e\x3a\x6c\xd8\xb4\xde\x96\x47\xe1\x50\x04\x98\x67\x09\x7c\x47\xcc\x23\x7c\x61\x2c\xef\xe6\x98\x33\x2f\x1f\xe7\xf0\x2e\x6f\x53\xe8\x45\xb1\xf5\xe7\xb4\xb2\x4a\xd8\x62\x9b\x78\xce\x76\x30\xe2\xd4\x01\x20\xfb\xc3\xf4\x93\x75\xa4\xa0\x86\xde\xdd\x2a\x27\xf0\x6b\x3e\xd3\xd7\x56\xa8\x19\xb9\x7f\x75\x9a\xa5\x4a\xef\x83\xdf\x48\x68\xa9\xe9", 185); *(uint8_t*)0x20003111 = 9; 
*(uint8_t*)0x20003112 = 5; *(uint8_t*)0x20003113 = 3; *(uint8_t*)0x20003114 = 0x12; *(uint16_t*)0x20003115 = 0x3ff; *(uint8_t*)0x20003117 = 0; *(uint8_t*)0x20003118 = 1; *(uint8_t*)0x20003119 = -1; *(uint8_t*)0x2000311a = 0xad; *(uint8_t*)0x2000311b = 0x31; memcpy((void*)0x2000311c, "\x0c\x92\x1d\x3f\x98\x0f\x4e\x53\x14\x7a\x46\xbd\x58\x56\xda\x03\x08\x16\x60\xfb\xed\x7b\x8b\x2d\x38\x9b\xe8\xa0\x38\xe9\x5c\x29\x58\xa4\x77\xed\x5f\xaf\x9e\xf3\x8c\x82\xc3\xab\xea\x25\x44\x59\xed\xb0\xf2\xcf\x28\x62\x35\x03\x40\x87\xad\xb7\x90\x7f\xf1\x92\x64\x0b\x93\x68\x86\xbd\x48\xd3\xa5\x12\x15\x40\x6b\x3a\xa0\xb6\xd8\xf8\xd9\x1d\x83\x0f\x52\x36\xa9\xa8\xbe\x03\xc2\x21\x5f\x01\x21\x31\x96\x8c\x6a\x80\x86\x0a\xe8\x11\x93\x05\x94\x68\x10\x8e\xfd\x4f\x13\x05\x37\x9d\x01\x15\xc7\xec\x66\x7b\x03\x59\x94\x0e\x56\x64\xbf\x7b\x3c\x4a\x5f\x04\xca\x3c\x51\xdb\x9d\x2c\xd4\x17\xe9\x09\x9b\xff\x62\x8b\x8e\x1a\x8e\xd0\xf5\x96\x14\x93\x57\xa0\x8a\xbd\x11\x77\xeb\x97\x73\x53\xeb\x89\x32", 171); *(uint8_t*)0x200031c7 = 0x93; *(uint8_t*)0x200031c8 = 0x11; memcpy((void*)0x200031c9, "\xa8\xe2\x2d\x54\x2a\xe3\xd8\x31\xf3\x37\x21\x1b\xb5\xbe\x12\xa5\xc4\x6e\x5c\xf9\xb5\x56\xd8\x4d\x5a\xf4\xca\xca\x87\x42\xad\x21\x61\x40\x56\x2b\x7e\x54\x21\xe2\x64\x24\x71\xe8\xf5\x0e\xb8\xae\xf0\x62\x12\xb4\x6c\x64\x4a\xe5\x84\x63\xe1\x8b\x3e\x72\xbd\x3e\xca\x60\x60\xfa\x8b\x94\x03\x17\x96\xe5\x5e\xb4\x1d\x3f\x31\x8a\xff\xbf\x08\x1e\xeb\x17\x08\x85\x1e\x72\xfa\xdd\x88\x7e\x03\x30\x13\x43\x19\xf0\xa5\x96\x7e\xda\x65\x7b\xc1\x10\x1f\x74\xde\xba\x42\xe7\x8a\xff\x20\xfb\x5d\x3c\x1f\xe4\x9d\x9a\x05\x46\x57\xb6\xf1\xaf\x3d\x01\x5f\xc1\x6f\xf8\x08\x73\xf3\x26\x69\x08\x43\xdf\x81", 145); *(uint8_t*)0x2000325a = 9; *(uint8_t*)0x2000325b = 5; *(uint8_t*)0x2000325c = 0xf; *(uint8_t*)0x2000325d = 4; *(uint16_t*)0x2000325e = 0x200; *(uint8_t*)0x20003260 = 0; *(uint8_t*)0x20003261 = 0x1f; *(uint8_t*)0x20003262 = 1; *(uint8_t*)0x20003263 = 0x11; *(uint8_t*)0x20003264 = 6; memcpy((void*)0x20003265, 
"\x82\x4b\x7d\x09\x57\xbc\x55\x2d\x22\x4f\xdf\x6b\xff\x63\xa8", 15); *(uint8_t*)0x20003274 = 7; *(uint8_t*)0x20003275 = 0x25; *(uint8_t*)0x20003276 = 1; *(uint8_t*)0x20003277 = 0x80; *(uint8_t*)0x20003278 = 0xfd; *(uint16_t*)0x20003279 = 6; *(uint8_t*)0x2000327b = 9; *(uint8_t*)0x2000327c = 5; *(uint8_t*)0x2000327d = 0; *(uint8_t*)0x2000327e = 0; *(uint16_t*)0x2000327f = 0x20; *(uint8_t*)0x20003281 = 0x1f; *(uint8_t*)0x20003282 = 0xfd; *(uint8_t*)0x20003283 = 3; *(uint32_t*)0x20003400 = 0xa; *(uint32_t*)0x20003404 = 0x200032c0; *(uint8_t*)0x200032c0 = 0xa; *(uint8_t*)0x200032c1 = 6; *(uint16_t*)0x200032c2 = 0x110; *(uint8_t*)0x200032c4 = 0x4d; *(uint8_t*)0x200032c5 = 0x80; *(uint8_t*)0x200032c6 = 0x80; *(uint8_t*)0x200032c7 = 0x20; *(uint8_t*)0x200032c8 = 0xc1; *(uint8_t*)0x200032c9 = 0; *(uint32_t*)0x20003408 = 0x46; *(uint32_t*)0x2000340c = 0x20003300; *(uint8_t*)0x20003300 = 5; *(uint8_t*)0x20003301 = 0xf; *(uint16_t*)0x20003302 = 0x46; *(uint8_t*)0x20003304 = 5; *(uint8_t*)0x20003305 = 0xb; *(uint8_t*)0x20003306 = 0x10; *(uint8_t*)0x20003307 = 1; *(uint8_t*)0x20003308 = 0xc; *(uint16_t*)0x20003309 = 0x35; *(uint8_t*)0x2000330b = 0; *(uint8_t*)0x2000330c = 0xdf; *(uint16_t*)0x2000330d = 9; *(uint8_t*)0x2000330f = 0xf7; *(uint8_t*)0x20003310 = 7; *(uint8_t*)0x20003311 = 0x10; *(uint8_t*)0x20003312 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003313, 0xe, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003314, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003314, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003315, 9, 0, 16); *(uint8_t*)0x20003317 = 0x18; *(uint8_t*)0x20003318 = 0x10; *(uint8_t*)0x20003319 = 0xa; *(uint8_t*)0x2000331a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000331b, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000331b, 0x7fffffe, 5, 27); *(uint16_t*)0x2000331f = 0xff0f; *(uint16_t*)0x20003321 = 0x101; *(uint32_t*)0x20003323 = 0xffc0a0; *(uint32_t*)0x20003327 = 0; *(uint32_t*)0x2000332b = 0xffff0f; *(uint8_t*)0x2000332f = 0x10; *(uint8_t*)0x20003330 = 0x10; 
*(uint8_t*)0x20003331 = 0xa; *(uint8_t*)0x20003332 = 3; STORE_BY_BITMASK(uint32_t, , 0x20003333, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003333, 0x200, 5, 27); *(uint16_t*)0x20003337 = 0xff00; *(uint16_t*)0x20003339 = 1; *(uint32_t*)0x2000333b = 0; *(uint8_t*)0x2000333f = 7; *(uint8_t*)0x20003340 = 0x10; *(uint8_t*)0x20003341 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003342, 0x16, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003343, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003343, 0xe, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003344, 7, 0, 16); *(uint32_t*)0x20003410 = 2; *(uint32_t*)0x20003414 = 4; *(uint32_t*)0x20003418 = 0x20003380; *(uint8_t*)0x20003380 = 4; *(uint8_t*)0x20003381 = 3; *(uint16_t*)0x20003382 = 0x380a; *(uint32_t*)0x2000341c = 4; *(uint32_t*)0x20003420 = 0x200033c0; *(uint8_t*)0x200033c0 = 4; *(uint8_t*)0x200033c1 = 3; *(uint16_t*)0x200033c2 = 0x42f; res = -1; res = syz_usb_connect(4, 0x384, 0x20002f00, 0x20003400); if (res != -1) r[16] = res; break; case 35: *(uint8_t*)0x20003440 = 0x12; *(uint8_t*)0x20003441 = 1; *(uint16_t*)0x20003442 = 0x200; *(uint8_t*)0x20003444 = -1; *(uint8_t*)0x20003445 = -1; *(uint8_t*)0x20003446 = -1; *(uint8_t*)0x20003447 = 0x40; *(uint16_t*)0x20003448 = 0xcf3; *(uint16_t*)0x2000344a = 0x9271; *(uint16_t*)0x2000344c = 0x108; *(uint8_t*)0x2000344e = 1; *(uint8_t*)0x2000344f = 2; *(uint8_t*)0x20003450 = 3; *(uint8_t*)0x20003451 = 1; *(uint8_t*)0x20003452 = 9; *(uint8_t*)0x20003453 = 2; *(uint16_t*)0x20003454 = 0x48; *(uint8_t*)0x20003456 = 1; *(uint8_t*)0x20003457 = 1; *(uint8_t*)0x20003458 = 0; *(uint8_t*)0x20003459 = 0x80; *(uint8_t*)0x2000345a = 0xfa; *(uint8_t*)0x2000345b = 9; *(uint8_t*)0x2000345c = 4; *(uint8_t*)0x2000345d = 0; *(uint8_t*)0x2000345e = 0; *(uint8_t*)0x2000345f = 6; *(uint8_t*)0x20003460 = -1; *(uint8_t*)0x20003461 = 0; *(uint8_t*)0x20003462 = 0; *(uint8_t*)0x20003463 = 0; *(uint8_t*)0x20003464 = 9; *(uint8_t*)0x20003465 = 5; *(uint8_t*)0x20003466 = 1; *(uint8_t*)0x20003467 = 2; *(uint16_t*)0x20003468 = 
0x200; *(uint8_t*)0x2000346a = 0; *(uint8_t*)0x2000346b = 0; *(uint8_t*)0x2000346c = 0; *(uint8_t*)0x2000346d = 9; *(uint8_t*)0x2000346e = 5; *(uint8_t*)0x2000346f = 0x82; *(uint8_t*)0x20003470 = 2; *(uint16_t*)0x20003471 = 0x200; *(uint8_t*)0x20003473 = 0; *(uint8_t*)0x20003474 = 0; *(uint8_t*)0x20003475 = 0; *(uint8_t*)0x20003476 = 9; *(uint8_t*)0x20003477 = 5; *(uint8_t*)0x20003478 = 0x83; *(uint8_t*)0x20003479 = 3; *(uint16_t*)0x2000347a = 0x40; *(uint8_t*)0x2000347c = 1; *(uint8_t*)0x2000347d = 0; *(uint8_t*)0x2000347e = 0; *(uint8_t*)0x2000347f = 9; *(uint8_t*)0x20003480 = 5; *(uint8_t*)0x20003481 = 4; *(uint8_t*)0x20003482 = 3; *(uint16_t*)0x20003483 = 0x40; *(uint8_t*)0x20003485 = 1; *(uint8_t*)0x20003486 = 0; *(uint8_t*)0x20003487 = 0; *(uint8_t*)0x20003488 = 9; *(uint8_t*)0x20003489 = 5; *(uint8_t*)0x2000348a = 5; *(uint8_t*)0x2000348b = 2; *(uint16_t*)0x2000348c = 0x200; *(uint8_t*)0x2000348e = 0; *(uint8_t*)0x2000348f = 0; *(uint8_t*)0x20003490 = 0; *(uint8_t*)0x20003491 = 9; *(uint8_t*)0x20003492 = 5; *(uint8_t*)0x20003493 = 6; *(uint8_t*)0x20003494 = 2; *(uint16_t*)0x20003495 = 0x200; *(uint8_t*)0x20003497 = 0; *(uint8_t*)0x20003498 = 0; *(uint8_t*)0x20003499 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20003440, 0); break; case 36: *(uint32_t*)0x200036c0 = 0x18; *(uint32_t*)0x200036c4 = 0x200034c0; *(uint8_t*)0x200034c0 = 0x20; *(uint8_t*)0x200034c1 = 8; *(uint32_t*)0x200034c2 = 0xd4; *(uint8_t*)0x200034c6 = 0xd4; *(uint8_t*)0x200034c7 = 0x31; memcpy((void*)0x200034c8, 
"\xdd\x9f\xe1\xd6\xf8\xee\x76\xd6\x28\x92\x46\xb5\x27\x7c\xc1\x9f\x3c\x46\x21\xad\xd8\x21\xa7\xf3\xd1\xaa\xe9\x94\xdb\xf4\xb1\xbd\x89\xe8\x77\x07\x34\x76\x8a\xde\x97\xe5\x1d\x24\x8f\x53\xcd\x53\x0b\x31\x11\x9a\xac\xcf\x53\xb6\xf6\xed\xdf\x4b\x8b\xfe\x6a\x1a\x85\x9c\x3d\xc2\x86\xf8\x33\x5c\x9d\x15\xe5\xd5\x16\x9b\x24\x41\x55\x39\x10\x62\xff\x88\x5d\x40\xbe\x37\x07\xb6\xd1\xea\x25\x2a\x96\xd9\x7a\xb2\x4f\xb6\x75\xf5\x45\x57\xcf\xa2\x4d\x80\x5b\x07\x95\x70\x8a\xf5\x06\x5d\x4b\x66\x62\xdf\xd5\x4d\xd5\x9c\xfc\xe1\x67\x3a\xb3\x56\xa2\x54\xf6\xb5\xbc\xe4\x4c\x61\x9a\x17\xff\xce\x8e\xbb\x96\xe0\x83\xc0\x82\x45\x00\x62\xbd\x71\xa2\x06\xca\x92\x1e\x0b\x77\xf5\x17\xc1\x61\x95\x86\xb3\xbc\xa3\xe2\x49\x08\x21\x01\x6c\xc7\x6c\xaf\x96\xc0\xec\x90\x68\xb4\x5e\x23\x34\xed\x9a\x6f\xf0\x6a\x63\x43\xae\x01\xf0\xae\xf6\x12\x7e\xba\xf5\xb5\x2d\x69\xe3", 210); *(uint32_t*)0x200036c8 = 0x200035c0; *(uint8_t*)0x200035c0 = 0; *(uint8_t*)0x200035c1 = 3; *(uint32_t*)0x200035c2 = 4; *(uint8_t*)0x200035c6 = 4; *(uint8_t*)0x200035c7 = 3; *(uint16_t*)0x200035c8 = 0x40e; *(uint32_t*)0x200036cc = 0x20003600; *(uint8_t*)0x20003600 = 0; *(uint8_t*)0x20003601 = 0xf; *(uint32_t*)0x20003602 = 0x28; *(uint8_t*)0x20003606 = 5; *(uint8_t*)0x20003607 = 0xf; *(uint16_t*)0x20003608 = 0x28; *(uint8_t*)0x2000360a = 2; *(uint8_t*)0x2000360b = 3; *(uint8_t*)0x2000360c = 0x10; *(uint8_t*)0x2000360d = 0xb; *(uint8_t*)0x2000360e = 0x20; *(uint8_t*)0x2000360f = 0x10; *(uint8_t*)0x20003610 = 0xa; memcpy((void*)0x20003611, "\x19\x5f\xa2\xf3\x24\xc0\xbe\x96\xda\x3d\xb2\x6a\xfa\x56\x77\x53\x0a\xc0\xfa\xf4\xc6\x82\xbe\x7c\x15\xe9\xa5\x86\x66", 29); *(uint32_t*)0x200036d0 = 0x20003640; *(uint8_t*)0x20003640 = 0x20; *(uint8_t*)0x20003641 = 0x29; *(uint32_t*)0x20003642 = 0xf; *(uint8_t*)0x20003646 = 0xf; *(uint8_t*)0x20003647 = 0x29; *(uint8_t*)0x20003648 = 9; *(uint16_t*)0x20003649 = 1; *(uint8_t*)0x2000364b = 0; *(uint8_t*)0x2000364c = 9; memcpy((void*)0x2000364d, "\x05\x7c\x41\x7e", 4); memcpy((void*)0x20003651, 
"\x8d\xa4\x36\xc4", 4); *(uint32_t*)0x200036d4 = 0x20003680; *(uint8_t*)0x20003680 = 0x20; *(uint8_t*)0x20003681 = 0x2a; *(uint32_t*)0x20003682 = 0xc; *(uint8_t*)0x20003686 = 0xc; *(uint8_t*)0x20003687 = 0x2a; *(uint8_t*)0x20003688 = 0x20; *(uint16_t*)0x20003689 = 0x10; *(uint8_t*)0x2000368b = 0x80; *(uint8_t*)0x2000368c = 0x40; *(uint8_t*)0x2000368d = 0x1f; *(uint16_t*)0x2000368e = 0; *(uint16_t*)0x20003690 = 5; *(uint32_t*)0x20003b40 = 0x44; *(uint32_t*)0x20003b44 = 0x20003700; *(uint8_t*)0x20003700 = 0x60; *(uint8_t*)0x20003701 = 8; *(uint32_t*)0x20003702 = 0x54; memcpy((void*)0x20003706, "\x85\xf9\x88\x04\x52\x78\xf9\x75\x32\xa6\x67\xcb\xee\x9b\x82\x1d\x65\x54\xfb\x1c\x6d\x18\xdf\xfb\x78\x51\x96\xd9\x07\x27\xe1\xb4\x61\x5c\x86\xee\x04\x9a\x16\x96\xb1\x66\x8f\x00\x0e\x62\xd5\x39\xe0\x81\xcf\x07\xe3\x60\x17\x1c\xe6\x1c\xa2\xf9\x56\x44\xb9\xad\x8e\x92\x11\xa1\xb1\x9c\x43\x99\xbd\xfd\x6d\x53\x3b\xf8\x95\x52\x42\x72\x5b\xb4", 84); *(uint32_t*)0x20003b48 = 0x20003780; *(uint8_t*)0x20003780 = 0; *(uint8_t*)0x20003781 = 0xa; *(uint32_t*)0x20003782 = 1; *(uint8_t*)0x20003786 = 1; *(uint32_t*)0x20003b4c = 0x200037c0; *(uint8_t*)0x200037c0 = 0; *(uint8_t*)0x200037c1 = 8; *(uint32_t*)0x200037c2 = 1; *(uint8_t*)0x200037c6 = 0x81; *(uint32_t*)0x20003b50 = 0x20003800; *(uint8_t*)0x20003800 = 0x20; *(uint8_t*)0x20003801 = 0; *(uint32_t*)0x20003802 = 4; *(uint16_t*)0x20003806 = 2; *(uint16_t*)0x20003808 = 0; *(uint32_t*)0x20003b54 = 0x20003840; *(uint8_t*)0x20003840 = 0x20; *(uint8_t*)0x20003841 = 0; *(uint32_t*)0x20003842 = 8; *(uint16_t*)0x20003846 = 0x200; *(uint16_t*)0x20003848 = 0x40; *(uint32_t*)0x2000384a = 0xff; *(uint32_t*)0x20003b58 = 0x20003880; *(uint8_t*)0x20003880 = 0x40; *(uint8_t*)0x20003881 = 7; *(uint32_t*)0x20003882 = 2; *(uint16_t*)0x20003886 = 1; *(uint32_t*)0x20003b5c = 0x200038c0; *(uint8_t*)0x200038c0 = 0x40; *(uint8_t*)0x200038c1 = 9; *(uint32_t*)0x200038c2 = 1; *(uint8_t*)0x200038c6 = 0x81; *(uint32_t*)0x20003b60 = 0x20003900; *(uint8_t*)0x20003900 = 
0x40; *(uint8_t*)0x20003901 = 0xb; *(uint32_t*)0x20003902 = 2; memcpy((void*)0x20003906, "\x8e\xaf", 2); *(uint32_t*)0x20003b64 = 0x20003940; *(uint8_t*)0x20003940 = 0x40; *(uint8_t*)0x20003941 = 0xf; *(uint32_t*)0x20003942 = 2; *(uint16_t*)0x20003946 = 9; *(uint32_t*)0x20003b68 = 0x20003980; *(uint8_t*)0x20003980 = 0x40; *(uint8_t*)0x20003981 = 0x13; *(uint32_t*)0x20003982 = 6; *(uint8_t*)0x20003986 = 0xaa; *(uint8_t*)0x20003987 = 0xaa; *(uint8_t*)0x20003988 = 0xaa; *(uint8_t*)0x20003989 = 0xaa; *(uint8_t*)0x2000398a = 0xaa; *(uint8_t*)0x2000398b = 0x38; *(uint32_t*)0x20003b6c = 0x200039c0; *(uint8_t*)0x200039c0 = 0x40; *(uint8_t*)0x200039c1 = 0x17; *(uint32_t*)0x200039c2 = 6; *(uint8_t*)0x200039c6 = -1; *(uint8_t*)0x200039c7 = -1; *(uint8_t*)0x200039c8 = -1; *(uint8_t*)0x200039c9 = -1; *(uint8_t*)0x200039ca = -1; *(uint8_t*)0x200039cb = -1; *(uint32_t*)0x20003b70 = 0x20003a00; *(uint8_t*)0x20003a00 = 0x40; *(uint8_t*)0x20003a01 = 0x19; *(uint32_t*)0x20003a02 = 2; memcpy((void*)0x20003a06, "{k", 2); *(uint32_t*)0x20003b74 = 0x20003a40; *(uint8_t*)0x20003a40 = 0x40; *(uint8_t*)0x20003a41 = 0x1a; *(uint32_t*)0x20003a42 = 2; *(uint16_t*)0x20003a46 = 0x40; *(uint32_t*)0x20003b78 = 0x20003a80; *(uint8_t*)0x20003a80 = 0x40; *(uint8_t*)0x20003a81 = 0x1c; *(uint32_t*)0x20003a82 = 1; *(uint8_t*)0x20003a86 = 0; *(uint32_t*)0x20003b7c = 0x20003ac0; *(uint8_t*)0x20003ac0 = 0x40; *(uint8_t*)0x20003ac1 = 0x1e; *(uint32_t*)0x20003ac2 = 1; *(uint8_t*)0x20003ac6 = 0xfe; *(uint32_t*)0x20003b80 = 0x20003b00; *(uint8_t*)0x20003b00 = 0x40; *(uint8_t*)0x20003b01 = 0x21; *(uint32_t*)0x20003b02 = 1; *(uint8_t*)0x20003b06 = 0xfa; syz_usb_control_io(r[16], 0x200036c0, 0x20003b40); break; case 37: *(uint8_t*)0x20003bc0 = 0x12; *(uint8_t*)0x20003bc1 = 1; *(uint16_t*)0x20003bc2 = 0x201; *(uint8_t*)0x20003bc4 = 0; *(uint8_t*)0x20003bc5 = 0; *(uint8_t*)0x20003bc6 = 0; *(uint8_t*)0x20003bc7 = 0x10; *(uint16_t*)0x20003bc8 = 0x46d; *(uint16_t*)0x20003bca = 0xc22d; *(uint16_t*)0x20003bcc = 0x40; 
*(uint8_t*)0x20003bce = 1; *(uint8_t*)0x20003bcf = 2; *(uint8_t*)0x20003bd0 = 3; *(uint8_t*)0x20003bd1 = 1; *(uint8_t*)0x20003bd2 = 9; *(uint8_t*)0x20003bd3 = 2; *(uint16_t*)0x20003bd4 = 0x2d; *(uint8_t*)0x20003bd6 = 1; *(uint8_t*)0x20003bd7 = 1; *(uint8_t*)0x20003bd8 = 0; *(uint8_t*)0x20003bd9 = 0x10; *(uint8_t*)0x20003bda = 2; *(uint8_t*)0x20003bdb = 9; *(uint8_t*)0x20003bdc = 4; *(uint8_t*)0x20003bdd = 0; *(uint8_t*)0x20003bde = 0x2f; *(uint8_t*)0x20003bdf = 2; *(uint8_t*)0x20003be0 = 3; *(uint8_t*)0x20003be1 = 1; *(uint8_t*)0x20003be2 = 1; *(uint8_t*)0x20003be3 = 0xfd; *(uint8_t*)0x20003be4 = 9; *(uint8_t*)0x20003be5 = 0x21; *(uint16_t*)0x20003be6 = 9; *(uint8_t*)0x20003be8 = 1; *(uint8_t*)0x20003be9 = 1; *(uint8_t*)0x20003bea = 0x22; *(uint16_t*)0x20003beb = 0x2ff; *(uint8_t*)0x20003bed = 9; *(uint8_t*)0x20003bee = 5; *(uint8_t*)0x20003bef = 0x81; *(uint8_t*)0x20003bf0 = 3; *(uint16_t*)0x20003bf1 = 0x10; *(uint8_t*)0x20003bf3 = 6; *(uint8_t*)0x20003bf4 = -1; *(uint8_t*)0x20003bf5 = 4; *(uint8_t*)0x20003bf6 = 9; *(uint8_t*)0x20003bf7 = 5; *(uint8_t*)0x20003bf8 = 2; *(uint8_t*)0x20003bf9 = 3; *(uint16_t*)0x20003bfa = 8; *(uint8_t*)0x20003bfc = 4; *(uint8_t*)0x20003bfd = 6; *(uint8_t*)0x20003bfe = 0x7f; *(uint32_t*)0x20003cc0 = 0xa; *(uint32_t*)0x20003cc4 = 0x20003c00; *(uint8_t*)0x20003c00 = 0xa; *(uint8_t*)0x20003c01 = 6; *(uint16_t*)0x20003c02 = 0x300; *(uint8_t*)0x20003c04 = 3; *(uint8_t*)0x20003c05 = 2; *(uint8_t*)0x20003c06 = 0xfa; *(uint8_t*)0x20003c07 = 8; *(uint8_t*)0x20003c08 = 0x74; *(uint8_t*)0x20003c09 = 0; *(uint32_t*)0x20003cc8 = 0x28; *(uint32_t*)0x20003ccc = 0x20003c40; *(uint8_t*)0x20003c40 = 5; *(uint8_t*)0x20003c41 = 0xf; *(uint16_t*)0x20003c42 = 0x28; *(uint8_t*)0x20003c44 = 2; *(uint8_t*)0x20003c45 = 3; *(uint8_t*)0x20003c46 = 0x10; *(uint8_t*)0x20003c47 = 0xb; *(uint8_t*)0x20003c48 = 0x20; *(uint8_t*)0x20003c49 = 0x10; *(uint8_t*)0x20003c4a = 0xa; *(uint8_t*)0x20003c4b = 3; STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 5, 0, 5); 
STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 8, 5, 27); *(uint16_t*)0x20003c50 = 0xf00; *(uint16_t*)0x20003c52 = 0xf831; *(uint32_t*)0x20003c54 = 0xc0; *(uint32_t*)0x20003c58 = 0xc0a0; *(uint32_t*)0x20003c5c = 0xff000f; *(uint32_t*)0x20003c60 = 7; *(uint32_t*)0x20003c64 = 0xc0f0; *(uint32_t*)0x20003cd0 = 1; *(uint32_t*)0x20003cd4 = 4; *(uint32_t*)0x20003cd8 = 0x20003c80; *(uint8_t*)0x20003c80 = 4; *(uint8_t*)0x20003c81 = 3; *(uint16_t*)0x20003c82 = 0x436; res = -1; res = syz_usb_connect(4, 0x3f, 0x20003bc0, 0x20003cc0); if (res != -1) r[17] = res; break; case 38: syz_usb_disconnect(r[17]); break; case 39: syz_usb_ep_read(-1, 0x80, 0xc4, 0x20003d00); break; case 40: memcpy((void*)0x20003e00, "\x50\x74\xfa\x81\xf3\xf3\x73\xda\x27\x99\xca\xfb\x26\xb4\x49\x7c\xb3\xc8\x7b\xc0\xf8\x2f\xa7\x88\x54\x68\xbd\x41\x23\x20\x65\xaa\x95\x61\xd2\x4a\xe0\xf1\xd0\xe0\x36\xac\x71\x4a\xc5\xaf\x89\xc6\x9d\x88\x61\xca\xd7\x13\xfc\xb8\xba\xcb\x8c\x4b\x10\xdc\x3b\x6e\xc2\x04\x4c\x01\xf3\x71\xb1\x24\xc0\xa0\xf4\xba\xce\x7d\x51\x79\x87\x2c\xdd\x20\x5e\x09\xc3\xee\xb7\xd5\x57\x7b\x26\xe9\x8f\x84\x55\x4e\xd6", 99); syz_usb_ep_write(r[16], 0x7f, 0x63, 0x20003e00); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } <stdin>: In function ‘syz_io_uring_setup’: <stdin>:248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) <stdin>:248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor854071053 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/16 (0.24s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 
Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$zero(0xffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x161000, 0x0) ioctl$SNAPSHOT_FREE(r0, 0x3305) syz_genetlink_get_family_id$l2tp(&(0x7f0000000040)='l2tp\x00') openat$dlm_control(0xffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x20000, 0x0) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f00000000c0)=0x17, 0x4) r1 = mmap$IORING_OFF_SQES(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x2000000, 0x1010, r0, 0x10000000) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, r1, &(0x7f00000003c0)=@IORING_OP_RECVMSG={0xa, 0x4, 0x0, r2, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=@x25={0x9, @remote}, 0x80, &(0x7f0000000240)=[{&(0x7f0000000180)=""/147, 0x93}], 0x1, &(0x7f0000000280)=""/202, 0xca}, 0x0, 0x0, 0x1, {0x3, r3}}, 0x10001) ioctl$KDSKBMETA(0xffffffffffffffff, 0x4b63, &(0x7f0000000440)=0x4) syz_emit_ethernet(0x56, &(0x7f0000000000)={@local, @remote, @void, {@canfd={0xd, {{0x3, 0x0, 0x1, 0x1}, 0x11, 0x2, 0x0, 0x0, "f4ebe40216fede5ef6c5310f0413c5d41b32fc23e07fd332a8a5c5f966821da091f47b7b9cf9228727ff7412c2e4a3a1573bb295482d7b4a3effd863cc60f5d8"}}}}, &(0x7f0000000080)={0x0, 0x4, [0xd2d, 0xc61, 0x6d3, 0xbe2]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x1, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x7f, 0x2}}}}, 0xf) syz_execute_func(&(0x7f0000000100)="c4c2cd45f18fe800edb85c2f009ee96436360f2811c4c3c90b6b0787c4c2f1a603f30fa6d0f36f650ffa0ec4c21d2f9f5aac384f3e65f3ab") syz_extract_tcp_res(&(0x7f0000000140), 0x2c, 0x9f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000180)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x3, 0xcc) 
r4 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3000001, 0x80000, 0xffffffffffffffff, 0x0) r5 = syz_io_uring_complete(r4) r6 = io_uring_setup(0x3a3b, &(0x7f00000001c0)={0x0, 0xd9fd, 0x20, 0x0, 0x308, 0x0, 0xffffffffffffffff}) r8 = syz_io_uring_setup(0x17a8, &(0x7f0000000240)={0x0, 0xb18d, 0x15b3e67cab3a8d6e, 0x2, 0x158, 0x0, r7}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f00000002c0), &(0x7f0000000300)) syz_io_uring_setup(0x6b11, &(0x7f0000000340)={0x0, 0x15f8, 0x20, 0x2, 0xd2}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f00000003c0)=0x0, &(0x7f0000000400)=0x0) r11 = socket$bt_rfcomm(0x1f, 0x3, 0x3) r12 = io_uring_register$IORING_REGISTER_PERSONALITY(r5, 0x9, 0x0, 0x0) syz_io_uring_submit(r4, r10, &(0x7f0000001700)=@IORING_OP_RECVMSG={0xa, 0x2, 0x0, r11, 0x0, &(0x7f00000016c0)={&(0x7f0000000440)=@nl=@proc, 0x80, &(0x7f00000015c0)=[{&(0x7f00000004c0)=""/44, 0x2c}, {&(0x7f0000000500)=""/4096, 0x1000}, {&(0x7f0000001500)=""/40, 0x28}, {&(0x7f0000001540)=""/74, 0x4a}], 0x4, &(0x7f0000001600)=""/185, 0xb9}, 0x0, 0x2000, 0x1, {0x3, r12}}, 0xad23946) r13 = fsmount(r5, 0x1, 0x84) ioctl$F2FS_IOC_MOVE_RANGE(r8, 0xc01cf509, &(0x7f0000001740)={r6, 0x3, 0x6, 0x1000}) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000017c0)=[{0x0, &(0x7f0000001780)="e7bed238547695a78957b574bacb6dbc567a3232e76559b4ea3931b608578a24da4c749795975b0ae51da8a86dde75b1d684", 0x32}], 0x1, 0x0, &(0x7f0000001800), 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r9, 0x114, &(0x7f0000001840), 0x0, 0x4) syz_mount_image$afs(&(0x7f0000001880)='afs\x00', &(0x7f00000018c0)='./file0\x00', 0x5, 0x1, &(0x7f0000002900)=[{&(0x7f0000001900)="", 0x1000, 0x9}], 0x20005, &(0x7f0000002940)={[{@flock_openafs='flock=openafs'}, {@dyn='dyn'}, {@autocell='autocell'}, {@dyn='dyn'}, {@flock_openafs='flock=openafs'}, {@source={'source', 0x3d, '&'}}, {@source={'source', 0x3d, 'SEG6\x00'}}], [{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, 
{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@subj_user={'subj_user', 0x3d, 'SEG6\x00'}}, {@smackfstransmute={'smackfstransmute', 0x3d, ':'}}, {@seclabel='seclabel'}]}) syz_open_dev$I2C(&(0x7f0000002a00)='/dev/i2c-#\x00', 0xad8, 0x2a2000) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000002a40)=0x0) syz_open_procfs(r15, &(0x7f0000002a80)='net\x00') syz_open_pts(r13, 0x0) syz_read_part_table(0x1, 0x7, &(0x7f0000002e80)=[{&(0x7f0000002ac0)="7ad3cd802dd0c424945d99ca9ca6e4fbb8f8e3b980d2ec", 0x17, 0x1000}, {&(0x7f0000002b00)="329de80b2b17bbd25d1f1907a9263af3bf05c4a7061e28492a3f71c6343aa5aaea0327a3", 0x24, 0x5}, {&(0x7f0000002b40)="82791dfd311d07db7d65e803ce6ca00028af8ff8d276187e0e14bbf7beab60fc4b70722e91b6322b8e3472191a66176bb0ca91dee60f1506a6d48be4055230c30be94a1043a1d2a06d42166069d8033d6c524c8610b8c4bb63af0ce6d6207137f1be1b62b002e8c35e6467c2423cc6597d1ca58ee31589f0248ac762e24a286a41a761912d34bb56f07db88ca52fce8d128762394fa00faac8451a42c3144bdec7e97296c9eac7c9f63110a3d405c16b0428880024e8c9c8af490b8cfad84cbb637878d634cd84346b60c9132c09660cdc616a0b", 0xd4, 0x7fff}, {&(0x7f0000002c40)="904bbcee2b46daa1ac643b7b6b8ea0ff462feabee541b411a885e470a496cbbdc729ffdebc50807f719cbe808d8b598b4767c7a852d9ce0c880a9b078b0187deac926bd4687a44f092bb", 0x4a, 0x5}, {&(0x7f0000002cc0)="3531ae257e7e0877cde340c42edbfc91dcffaff1284ef08a451e4c76e0cd83b2c0ea10d86bcefa93bbaef5fffbfe7dc70b73b89c55fc3851110d1bd0d1da31753320b111fe7060537e8f65f3c2f05adcb3d66bd2abe6b08aaae0d0eedca9937707ec4cb4874cdfd05800812ab53f9550b25a28ee69e62a0f790fe5233fc8645fc3fe6cae055f2aa1729125170151e86eeab67bb20bc884a1214c2d3d969c34fb239b45feec93ac209721bae7271251c613cea9379c1521", 0xb7, 0x4}, {&(0x7f0000002d80)="c3f04f26929b7a4d6342841fa53a9a8cb8006a97f428", 0x16, 0x6}, 
{&(0x7f0000002dc0)="c9871275e3269ff1bdcd67fb523e1ceb5151b0ede9e032634e36d486046bc31cd978bda59247355316319e768e7ac6be0648bf0fecd13cdad45f713e0e3b74e95eec77063c02a233ea97d338f4b1e9bc5a7cce85528742632ed59cec016f3914dd02ca6b1dc833224895277350cf1f21d6c78f8592717e91233f9026927e0cc3d80cdc57714763a0fcb091f5c69051b55cd2e1fcc33b13d597c5caeeb271c542978a1e17", 0xa4, 0x9c}]) r16 = syz_usb_connect(0x4, 0x384, &(0x7f0000002f00)={{0x12, 0x1, 0x201, 0xa4, 0x61, 0x1e, 0x40, 0xacd, 0x300, 0xc0df, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x372, 0x2, 0x4, 0x1f, 0x0, 0x1, [{{0x9, 0x4, 0x5d, 0xb3, 0x1, 0xad, 0x49, 0x76, 0x20, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x80}]}], [{{0x9, 0x5, 0xd, 0x0, 0x230, 0x5d, 0x1, 0x3f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x2}, @generic={0xba, 0xe, "f4e6e5762883c34df04f356099f1d34bdbc9f5324da648053fd690211b897119c4f3ac197f2aa93f2f3be05f836b1644d5b2327648b30816ed192f943dfce225f69d77c51565e177fd889c9c9d8c85b92ee4bead0e889446bbc320a40fa24807f476bfd1f1b3096e3370f755c94aa01c3be4ddc7952a5694bcad4beb4065bf5ea96066c43e9507e6220c47bc0271adcbaffce6ac90cb3c8b1cf748c6bbf97108dfa2cac4b87d3420428434397e07f17a87ed6233b39e32f0"}]}}]}}, {{0x9, 0x4, 0x5d, 0x27, 0x7, 0x3f, 0x84, 0xfd, 0x3, [@uac_as={[@format_type_i_discrete={0x10, 0x24, 0x2, 0x1, 0xe2, 0x2, 0x63, 0x40, "e721cc44acca8938"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x1, 0x0, "9ef42f"}, @as_header={0x7, 0x24, 0x1, 0x4, 0x1, 0x4}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x19, 0x6, "9e", "6983"}]}, @uac_as], [{{0x9, 0x5, 0xf, 0x0, 0x3ff, 0xf6, 0x5, 0x80}}, {{0x9, 0x5, 0x1, 0x10, 0x10, 0x0, 0x40, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x20, 0x6}]}}, {{0x9, 0x5, 0xb, 0x8, 0x10, 0x1, 0x2}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x4, 0x8, 0xc0, [@generic={0xbb, 0x31, 
"215ce6ab8f3c72caa3ab1326f18838908ac60bffb3b50748144aa2cbc4d7cac56f4a7bb2bd6c969674a5e4040861bb21ba5ccf0f822c1032e7e3729f8c171fc7a89b5340b5067108d597f178aa651a98aca4d012fa555a695683b527e6031f1f7f20494b250e3a6cd8b4de9647e150049867097c47cc237c612cefe698332f1fe7f02e6f53e845b1f5e7b4b24ad8629b78ce7630e2d40120fbc3f49375a4a086dedd2a27f06b3ed3d756a819b97f759aa54aef83df4868a9e9"}]}}, {{0x9, 0x5, 0x3, 0x12, 0x3ff, 0x0, 0x1, 0xff, [@generic={0xad, 0x31, "0c921d3f980f4e53147a46bd5856da03081660fbed7b8b2d389be8a038e95c2958a477ed5faf9ef38c82c3abea254459edb0f2cf286235034087adb7907ff192640b936886bd48d3a51215406b3aa0b6d8f8d91d830f5236a9a8be03c2215f012131968c6a80860ae81193059468108efd4f1305379d0115c7ec667b0359940e5664bf7b3c4a5f04ca3c51db9d2cd417e9099bff628b8e1a8ed0f596149357a08abd1177eb977353eb8932"}, @generic={0x93, 0x11, "a8e22d542ae3d831f337211bb5be12a5c46e5cf9b556d84d5af4caca8742ad216140562b7e5421e2642471e8f50eb8aef06212b46c644ae58463e18b3e72bd3eca6060fa8b94031796e55eb41d3f318affbf081eeb1708851e72fadd887e0330134319f0a5967eda657bc1101f74deba42e78aff20fb5d3c1fe49d9a054657b6f1af3d015fc16ff80873f326690843df81"}]}}, {{0x9, 0x5, 0xf, 0x4, 0x200, 0x0, 0x1f, 0x1, [@generic={0x11, 0x6, "824b7d0957bc552d224fdf6bff63a8"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x6}]}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x1f, 0xfd, 0x3}}]}}]}}]}}, &(0x7f0000003400)={0xa, &(0x7f00000032c0)={0xa, 0x6, 0x110, 0x4d, 0x80, 0x80, 0x20, 0xc1}, 0x46, &(0x7f0000003300)={0x5, 0xf, 0x46, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x35, 0x0, 0xdf, 0x9, 0xf7}, @ext_cap={0x7, 0x10, 0x2, 0xe, 0xb, 0x6, 0x9}, @ssp_cap={0x18, 0x10, 0xa, 0x1, 0x3, 0x7fffffe, 0xff0f, 0x101, [0xffc0a0, 0x0, 0xffff0f]}, @ssp_cap={0x10, 0x10, 0xa, 0x3, 0x1, 0x200, 0xff00, 0x1, [0x0]}, @ext_cap={0x7, 0x10, 0x2, 0x16, 0x8, 0xe, 0x7}]}, 0x2, [{0x4, &(0x7f0000003380)=@lang_id={0x4, 0x3, 0x380a}}, {0x4, &(0x7f00000033c0)=@lang_id={0x4, 0x3, 0x42f}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000003440)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 
0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r16, &(0x7f00000036c0)={0x18, &(0x7f00000034c0)={0x20, 0x8, 0xd4, {0xd4, 0x31, "dd9fe1d6f8ee76d6289246b5277cc19f3c4621add821a7f3d1aae994dbf4b1bd89e8770734768ade97e51d248f53cd530b31119aaccf53b6f6eddf4b8bfe6a1a859c3dc286f8335c9d15e5d5169b244155391062ff885d40be3707b6d1ea252a96d97ab24fb675f54557cfa24d805b0795708af5065d4b6662dfd54dd59cfce1673ab356a254f6b5bce44c619a17ffce8ebb96e083c082450062bd71a206ca921e0b77f517c1619586b3bca3e2490821016cc76caf96c0ec9068b45e2334ed9a6ff06a6343ae01f0aef6127ebaf5b52d69e3"}}, &(0x7f00000035c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40e}}, &(0x7f0000003600)={0x0, 0xf, 0x28, {0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @generic={0x20, 0x10, 0xa, "195fa2f324c0be96da3db26afa5677530ac0faf4c682be7c15e9a58666"}]}}, &(0x7f0000003640)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x1, 0x0, 0x9, "057c417e", "8da436c4"}}, &(0x7f0000003680)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x20, 0x10, 0x80, 0x40, 0x1f, 0x0, 0x5}}}, &(0x7f0000003b40)={0x44, &(0x7f0000003700)={0x60, 0x8, 0x54, "85f988045278f97532a667cbee9b821d6554fb1c6d18dffb785196d90727e1b4615c86ee049a1696b1668f000e62d539e081cf07e360171ce61ca2f95644b9ad8e9211a1b19c4399bdfd6d533bf8955242725bb4"}, &(0x7f0000003780)={0x0, 0xa, 0x1, 0x1}, &(0x7f00000037c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000003800)={0x20, 0x0, 0x4, {0x2}}, &(0x7f0000003840)={0x20, 0x0, 0x8, {0x200, 0x40, [0xff]}}, &(0x7f0000003880)={0x40, 0x7, 0x2, 0x1}, &(0x7f00000038c0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000003900)={0x40, 0xb, 0x2, "8eaf"}, &(0x7f0000003940)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000003980)={0x40, 0x13, 0x6, @dev={[], 0x38}}, &(0x7f00000039c0)={0x40, 0x17, 0x6, @broadcast}, &(0x7f0000003a00)={0x40, 0x19, 0x2, '{k'}, &(0x7f0000003a40)={0x40, 0x1a, 0x2, 0x40}, &(0x7f0000003a80)={0x40, 0x1c, 0x1}, &(0x7f0000003ac0)={0x40, 0x1e, 0x1, 0xfe}, &(0x7f0000003b00)={0x40, 0x21, 0x1, 0xfa}}) r17 = syz_usb_connect$hid(0x4, 0x3f, &(0x7f0000003bc0)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x46d, 
0xc22d, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x10, 0x2, [{{0x9, 0x4, 0x0, 0x2f, 0x2, 0x3, 0x1, 0x1, 0xfd, {0x9, 0x21, 0x9, 0x1, 0x1, {0x22, 0x2ff}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0x6, 0xff, 0x4}}, [{{0x9, 0x5, 0x2, 0x3, 0x8, 0x4, 0x6, 0x7f}}]}}}]}}]}}, &(0x7f0000003cc0)={0xa, &(0x7f0000003c00)={0xa, 0x6, 0x300, 0x3, 0x2, 0xfa, 0x8, 0x74}, 0x28, &(0x7f0000003c40)={0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x3, 0x5, 0x8, 0xf00, 0xf831, [0xc0, 0xc0a0, 0xff000f, 0x7, 0xc0f0]}]}, 0x1, [{0x4, &(0x7f0000003c80)=@lang_id={0x4, 0x3, 0x436}}]}) syz_usb_disconnect(r17) syz_usb_ep_read(0xffffffffffffffff, 0x80, 0xc4, &(0x7f0000003d00)=""/196) syz_usb_ep_write(r16, 0x7f, 0x63, &(0x7f0000003e00)="5074fa81f3f373da2799cafb26b4497cb3c87bc0f82fa7885468bd41232065aa9561d24ae0f1d0e036ac714ac5af89c69d8861cad713fcb8bacb8c4b10dc3b6ec2044c01f371b124c0a0f4bace7d5179872cdd205e09c3eeb7d5577b26e98f84554ed6") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t 
bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += 
desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; 
return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return 
true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return 
true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int 
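usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); }

// The wrappers below each issue a single raw-gadget ioctl on fd and hand the
// ioctl() return value back to the caller unchanged.

// Issues USB_RAW_IOCTL_RUN with a zero argument.
static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

// Issues USB_RAW_IOCTL_EVENT_FETCH; event is passed through as the ioctl argument.
static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

// Issues USB_RAW_IOCTL_EP0_WRITE with the caller's io block.
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

// Issues USB_RAW_IOCTL_EP0_READ with the caller's io block.
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

// Issues USB_RAW_IOCTL_EP_WRITE with the caller's io block.
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

// Issues USB_RAW_IOCTL_EP_READ with the caller's io block.
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

// Issues USB_RAW_IOCTL_EP_ENABLE for the given endpoint descriptor.
// set_interface() stores a non-negative return value as the endpoint handle.
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

// Issues USB_RAW_IOCTL_EP_DISABLE; ep is passed by value as the ioctl argument.
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

// Issues USB_RAW_IOCTL_CONFIGURE with a zero argument.
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

// Issues USB_RAW_IOCTL_VBUS_DRAW; power is passed by value as the ioctl argument.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

// Issues USB_RAW_IOCTL_EP0_STALL with a zero argument.
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces[] of the entry matching both
// bInterfaceNumber and bAlternateSetting, or -1 when fd has no index or no
// entry matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;
	if (!index)
		return -1;
	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the stored handle of the endpoint on the current interface whose
// descriptor carries bEndpointAddress, or -1 when fd has no index, no
// interface is current, or no endpoint matches.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	// The scan must be bounded by eps_num. Testing eps_num alone (without
	// "ep <") never becomes false once it is non-zero, so an address that is
	// not present would make the loop read past the end of eps[].
	for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

// Switches fd's device to interface entry n: disables every endpoint of the
// current interface (when iface_cur is a valid position), then enables every
// endpoint of entry n, records the returned handles and makes n current.
// An out-of-range n only performs the disable step.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
			// The result is not acted on; both branches are empty.
			if (rv < 0) {
			} else {
			}
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			// A failed enable leaves the previous handle value in place.
			if (rv < 0) {
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}

// Applies the device configuration: sets the VBUS draw from index->bMaxPower,
// issues the configure ioctl, then selects interface entry 0.
// Returns 0 on success, -1 when fd has no index, or the failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

// Size in bytes of the data[] buffers in the two structs below.
#define USB_MAX_PACKET_SIZE 4096

// Event header followed by room for a control request and its payload.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

// Endpoint I/O header followed by its payload buffer.
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done =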
false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = 
a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct 
usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? 
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, 
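NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; }

// One chunk of image content: size bytes at data, written at byte position
// offset of the image (see the pwrite() call in syz_read_part_table below).
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

// Sanitizes the caller's segment table in place and returns the image size to
// allocate.
//   size     - requested image size in bytes
//   nsegs    - number of entries in the table
//   segments - address of an array of struct fs_image_segment, carried as long
// Every visited entry has its size capped at IMAGE_MAX_SIZE and its offset
// reduced until offset + size <= IMAGE_MAX_SIZE. The returned size is raised to
// cover the end of every visited entry and is itself capped at IMAGE_MAX_SIZE.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	// nsegs is a by-value parameter, so this cap only limits how many entries
	// are sanitized here.
	// NOTE(review): syz_read_part_table below loops over its own nsegs after
	// this call, so entries past IMAGE_MAX_SEGMENTS would reach pwrite()
	// unsanitized; confirm whether callers should apply the same cap.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// A segment ends at offset + size. The sum cannot exceed
		// IMAGE_MAX_SIZE because of the clamp just above. Adding offset to
		// itself here would ignore the segment length altogether.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if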
(loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; 
} } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_cgroups() { if (mkdir("/syzcgroup", 0777)) { } if (mkdir("/syzcgroup/unified", 0777)) { } if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) { } if (chmod("/syzcgroup/unified", 0777)) { } write_file("/syzcgroup/unified/cgroup.subtree_control", "+cpu +memory +io +pids +rdma"); if (mkdir("/syzcgroup/cpu", 0777)) { } if (mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,perf_event,hugetlb")) { } write_file("/syzcgroup/cpu/cgroup.clone_children", "1"); write_file("/syzcgroup/cpu/cpuset.memory_pressure_enabled", "1"); if (chmod("/syzcgroup/cpu", 0777)) { } if (mkdir("/syzcgroup/net", 0777)) { } if (mount("none", "/syzcgroup/net", "cgroup", 0, "net_cls,net_prio,devices,freezer")) { } if (chmod("/syzcgroup/net", 0777)) { } } static void setup_cgroups_loop() { int pid = getpid(); char file[128]; char cgroupdir[64]; snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/pids.max", cgroupdir); write_file(file, "32"); snprintf(file, sizeof(file), "%s/memory.low", cgroupdir); 
write_file(file, "%d", 298 << 20); snprintf(file, sizeof(file), "%s/memory.high", cgroupdir); write_file(file, "%d", 299 << 20); snprintf(file, sizeof(file), "%s/memory.max", cgroupdir); write_file(file, "%d", 300 << 20); snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); }

// Creates ./cgroup, ./cgroup.cpu and ./cgroup.net in the current directory as
// symlinks to this proc's three /syzcgroup/*/syz<procid> directories.
// symlink() failures are ignored.
static void setup_cgroups_test()
{
	char cgroupdir[64];
	snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
	if (symlink(cgroupdir, "./cgroup")) {
	}
	snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
	if (symlink(cgroupdir, "./cgroup.cpu")) {
	}
	snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
	if (symlink(cgroupdir, "./cgroup.net")) {
	}
}

// Mounts fusectl at /sys/fs/fuse/connections (failure ignored) and runs
// setup_cgroups().
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
	setup_cgroups();
}

static void loop();

// Process-level confinement shared by the sandbox entry points: parent-death
// signal, new process group and session, a saved descriptor for the current
// network namespace, resource limits, namespace unsharing and SysV IPC sysctls.
// Only the netns open/dup2 steps are fatal; every setrlimit(), unshare() and
// sysctl write below is best-effort and its failure goes unnoticed.
static void sandbox_common()
{
	// Ask for SIGKILL when the parent dies.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	// Keep the network namespace that is current at this point reachable
	// through the fixed descriptor kInitNetNsFd.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Soft and hard limits are set to the same value for each resource.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	// Core dumps disabled.
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// NOTE(review): raw flag value, presumably CLONE_NEWCGROUP spelled
	// numerically for older headers; confirm against <linux/sched.h>.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	// SysV shared memory, message queue and semaphore sysctls written below.
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Blocks until the child pid has been reaped and returns its exit status.
// Exits the process if pid is negative (the fork failed). Other children
// reaped by waitpid(-1, ...) in the meantime are discarded.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Clears CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets in cap_data[0] of the calling process. All other
// capabilities are left as capget() reported them. Exits if capget or capset
// fails.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// Entry point for the "none" sandbox. The parent forks and returns the child's
// exit status. The child applies setup_common(), sandbox_common() and
// drop_caps(), tries to unshare the network namespace and then runs loop().
// No uid/gid change is made here, and the CLONE_NEWPID / CLONE_NEWNET unshare
// calls are best-effort: if they fail the child continues in the existing
// namespaces.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes dir and everything under it, exiting the process on any
// error it cannot work around. Entries are classified with lstat(), so
// symlinks are unlinked rather than followed.
static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	int iter = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		// Both paths exit; the EMFILE branch has no distinct handling.
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Reset the inode flags to 0 and retry the unlink;
				// presumably this clears attributes such as immutable
				// that a test may have set (TODO confirm).
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			// A read-only filesystem is left as it is.
			if (errno == EROFS) {
				break;
			}
			// Only EBUSY is retried, and only for a bounded number of rounds.
			if (errno != EBUSY || i > 100)
				exit(1);
		}
	}
	closedir(dp);
	int i;
	for (i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				// Same flag reset as for files above, applied to the directory.
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				continue;
			}
			// New entries appeared after the scan: rescan, at most 100 times.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Sends SIGKILL to the process group -pid and to pid, then waits for pid to be
// reaped. If it has not exited after 100 polls of 1000us each, writes to the
// abort file of every entry under /sys/fs/fuse/connections and then waits
// without a timeout. The abort step is presumably there to release a child
// stuck on a FUSE request (TODO confirm).
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	int i;
	for (i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// One byte is written; the first byte of the path buffer
			// is simply what is at hand.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// One-time setup before the test loop starts: joins this proc's cgroups.
static void setup_loop()
{
	setup_cgroups_loop();
}

// Detaches whatever backing file is bound to /dev/loop<procid>, if the device
// can be opened. The LOOP_CLR_FD result is not checked.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test setup in the forked child: parent-death SIGKILL, own process group,
// cgroup symlinks, and an oom_score_adj of 1000 for this process.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setup_cgroups_test();
	write_file("/proc/self/oom_score_adj", "1000");
}

// Casts text to a function pointer taking no arguments and calls it.
// Nothing here validates the address or the bytes stored there: the callee
// runs with this process's full privileges, so the containment of the test is
// whatever the sandbox and VM around this process provide.
static long syz_execute_func(volatile long text)
{
	// p is unused apart from the (void) cast; presumably it reserves stack
	// space for the callee to scribble on (TODO confirm).
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}

// Per-worker state: created marks a started thread, call is the index handed
// to execute_call(), ready/done are the handshake events used by thr() and
// execute_one().
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls handed to worker threads that have not finished yet.
static int running;

// Worker thread body: waits for ready, runs the call index stored in th->call,
// decrements running and signals done. Never leaves the loop.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs call indices 0..40 in order. Each call is handed to the first worker
// whose done event is set (workers are started lazily), and the dispatcher
// waits a bounded time for it before moving on to the next call. A call that
// overruns its wait keeps its worker busy while later calls go to other
// workers. If all 16 workers are busy, the call is skipped.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 41; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// A fresh worker starts out idle.
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Base wait of 45 plus an extra allowance for specific call
			// indices; presumably milliseconds (TODO confirm against
			// event_timedwait).
			event_timedwait(&th->done, 45 + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0));
			break;
		}
	}
	// Give calls that are still running up to 100 further 1ms sleeps to finish.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Endless test loop: for each iteration creates a working directory ./<iter>,
// resets the loop device, forks a child that runs the program once inside that
// directory, waits for the child, and removes the directory afterwards.
// The child is killed via kill_and_wait() once 5 * 1000 units of
// current_time_ms() have passed.
static void loop(void)
{
	setup_loop();
	int iter;
	for (iter = 0;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			// Child: confine file activity to the per-iteration directory.
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			// Deadline passed: force the child down and reap it.
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers, used only when the headers did not already define
// the macro.
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef
__NR_openat #define __NR_openat 295 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_socket #define __NR_socket 359 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[18] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/zero\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x161000, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, (intptr_t)r[0], 0x3305, 0); break; case 2: memcpy((void*)0x20000040, "l2tp\000", 5); syz_genetlink_get_family_id(0x20000040); break; case 3: memcpy((void*)0x20000080, "/dev/dlm-control\000", 17); syscall(__NR_openat, 0xffffff9c, 0x20000080, 0x20000, 0); break; case 4: *(uint32_t*)0x200000c0 = 0x17; syscall(__NR_setsockopt, (intptr_t)r[0], 0x10e, 2, 0x200000c0, 4); break; case 5: res = syscall(__NR_mmap, 0x20ffa000, 0x4000, 0x2000000, 0x1010, (intptr_t)r[0], 0x10000000); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_socket, 0x23, 5, 2); if (res != -1) r[2] = res; break; case 7: res = syscall(__NR_io_uring_register, -1, 9, 0, 0); if (res != -1) r[3] = res; break; case 8: *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0; *(uint32_t*)0x200003c4 = r[2]; *(uint64_t*)0x200003c8 = 0; *(uint32_t*)0x200003d0 = 0x20000380; *(uint32_t*)0x20000380 = 0x20000100; *(uint32_t*)0x20000384 = 0x80; *(uint32_t*)0x20000388 = 0x20000240; *(uint32_t*)0x20000240 = 0x20000180; *(uint32_t*)0x20000244 = 0x93; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x20000280; *(uint32_t*)0x20000394 = 0xca; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x200003d4 = 0; *(uint32_t*)0x200003d8 = 0; *(uint64_t*)0x200003dc = 1; *(uint16_t*)0x200003e4 = 
3; *(uint16_t*)0x200003e6 = r[3]; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; syz_io_uring_submit(0, r[1], 0x200003c0, 0x10001); break; case 9: *(uint32_t*)0x20000440 = 4; syscall(__NR_ioctl, -1, 0x4b63, 0x20000440); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0xaa; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 3, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 31, 1); *(uint8_t*)0x20000012 = 0x11; *(uint8_t*)0x20000013 = 2; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; memcpy((void*)0x20000016, "\xf4\xeb\xe4\x02\x16\xfe\xde\x5e\xf6\xc5\x31\x0f\x04\x13\xc5\xd4\x1b\x32\xfc\x23\xe0\x7f\xd3\x32\xa8\xa5\xc5\xf9\x66\x82\x1d\xa0\x91\xf4\x7b\x7b\x9c\xf9\x22\x87\x27\xff\x74\x12\xc2\xe4\xa3\xa1\x57\x3b\xb2\x95\x48\x2d\x7b\x4a\x3e\xff\xd8\x63\xcc\x60\xf5\xd8", 64); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0xd2d; *(uint32_t*)0x2000008c = 0xc61; *(uint32_t*)0x20000090 = 0x6d3; *(uint32_t*)0x20000094 = 0xbe2; break; case 11: *(uint8_t*)0x200000c0 = 2; STORE_BY_BITMASK(uint16_t, , 
0x200000c1, 0xc9, 0, 12); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 3, 4, 2); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 1, 6, 2); *(uint16_t*)0x200000c3 = 0xa; *(uint16_t*)0x200000c5 = 6; *(uint16_t*)0x200000c7 = 5; *(uint8_t*)0x200000c9 = 0x13; *(uint8_t*)0x200000ca = 0x7f; *(uint16_t*)0x200000cb = 2; *(uint16_t*)0x200000cd = 0; break; case 12: memcpy((void*)0x20000100, "\xc4\xc2\xcd\x45\xf1\x8f\xe8\x00\xed\xb8\x5c\x2f\x00\x9e\xe9\x64\x36\x36\x0f\x28\x11\xc4\xc3\xc9\x0b\x6b\x07\x87\xc4\xc2\xf1\xa6\x03\xf3\x0f\xa6\xd0\xf3\x6f\x65\x0f\xfa\x0e\xc4\xc2\x1d\x2f\x9f\x5a\xac\x38\x4f\x3e\x65\xf3\xab", 56); syz_execute_func(0x20000100); break; case 13: break; case 14: memcpy((void*)0x20000180, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000180); break; case 15: syz_init_net_socket(3, 3, 0xcc); break; case 16: res = syscall(__NR_mmap, 0x20ffd000, 0x2000, 0x3000001, 0x80000, -1, 0); if (res != -1) r[4] = res; break; case 17: res = -1; res = syz_io_uring_complete(r[4]); if (res != -1) r[5] = res; break; case 18: *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0xd9fd; *(uint32_t*)0x200001c8 = 0x20; *(uint32_t*)0x200001cc = 0; *(uint32_t*)0x200001d0 = 0x308; *(uint32_t*)0x200001d4 = 0; *(uint32_t*)0x200001d8 = -1; *(uint32_t*)0x200001dc = 0; *(uint32_t*)0x200001e0 = 0; *(uint32_t*)0x200001e4 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint32_t*)0x200001f8 = 0; *(uint32_t*)0x200001fc = 0; *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; res = syscall(__NR_io_uring_setup, 0x3a3b, 0x200001c0); if (res != -1) { r[6] = res; r[7] = *(uint32_t*)0x200001d8; } break; 
case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xb18d; *(uint32_t*)0x20000248 = 0xab3a8d6e; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000250 = 0x158; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = r[7]; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = -1; res = syz_io_uring_setup(0x17a8, 0x20000240, 0x20ffb000, 0x20ffd000, 0x200002c0, 0x20000300); if (res != -1) r[8] = res; break; case 20: *(uint32_t*)0x20000340 = 0; *(uint32_t*)0x20000344 = 0x15f8; *(uint32_t*)0x20000348 = 0x20; *(uint32_t*)0x2000034c = 2; *(uint32_t*)0x20000350 = 0xd2; *(uint32_t*)0x20000354 = 0; *(uint32_t*)0x20000358 = -1; *(uint32_t*)0x2000035c = 0; *(uint32_t*)0x20000360 = 0; *(uint32_t*)0x20000364 = 0; *(uint32_t*)0x20000368 = 0; *(uint32_t*)0x2000036c = 0; *(uint32_t*)0x20000370 = 0; *(uint32_t*)0x20000374 = 0; *(uint32_t*)0x20000378 = 0; *(uint32_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = 0; *(uint32_t*)0x2000038c = 0; *(uint32_t*)0x20000390 = 0; *(uint32_t*)0x20000394 = 0; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x2000039c = 0; *(uint32_t*)0x200003a0 = 0; *(uint32_t*)0x200003a4 = 0; *(uint32_t*)0x200003a8 = 0; *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = 0; *(uint32_t*)0x200003b4 = 0; res = -1; res = syz_io_uring_setup(0x6b11, 0x20000340, 0x20ffb000, 0x20ffb000, 0x200003c0, 0x20000400); if (res != -1) { r[9] = 
*(uint64_t*)0x200003c0; r[10] = *(uint64_t*)0x20000400; } break; case 21: res = syscall(__NR_socket, 0x1f, 3, 3); if (res != -1) r[11] = res; break; case 22: res = syscall(__NR_io_uring_register, (intptr_t)r[5], 9, 0, 0); if (res != -1) r[12] = res; break; case 23: *(uint8_t*)0x20001700 = 0xa; *(uint8_t*)0x20001701 = 2; *(uint16_t*)0x20001702 = 0; *(uint32_t*)0x20001704 = r[11]; *(uint64_t*)0x20001708 = 0; *(uint32_t*)0x20001710 = 0x200016c0; *(uint32_t*)0x200016c0 = 0x20000440; *(uint32_t*)0x200016c4 = 0x80; *(uint32_t*)0x200016c8 = 0x200015c0; *(uint32_t*)0x200015c0 = 0x200004c0; *(uint32_t*)0x200015c4 = 0x2c; *(uint32_t*)0x200015c8 = 0x20000500; *(uint32_t*)0x200015cc = 0x1000; *(uint32_t*)0x200015d0 = 0x20001500; *(uint32_t*)0x200015d4 = 0x28; *(uint32_t*)0x200015d8 = 0x20001540; *(uint32_t*)0x200015dc = 0x4a; *(uint32_t*)0x200016cc = 4; *(uint32_t*)0x200016d0 = 0x20001600; *(uint32_t*)0x200016d4 = 0xb9; *(uint32_t*)0x200016d8 = 0; *(uint32_t*)0x20001714 = 0; *(uint32_t*)0x20001718 = 0x2000; *(uint64_t*)0x2000171c = 1; *(uint16_t*)0x20001724 = 3; *(uint16_t*)0x20001726 = r[12]; *(uint8_t*)0x20001728 = 0; *(uint8_t*)0x20001729 = 0; *(uint8_t*)0x2000172a = 0; *(uint8_t*)0x2000172b = 0; *(uint8_t*)0x2000172c = 0; *(uint8_t*)0x2000172d = 0; *(uint8_t*)0x2000172e = 0; *(uint8_t*)0x2000172f = 0; *(uint8_t*)0x20001730 = 0; *(uint8_t*)0x20001731 = 0; *(uint8_t*)0x20001732 = 0; *(uint8_t*)0x20001733 = 0; *(uint8_t*)0x20001734 = 0; *(uint8_t*)0x20001735 = 0; *(uint8_t*)0x20001736 = 0; *(uint8_t*)0x20001737 = 0; *(uint8_t*)0x20001738 = 0; *(uint8_t*)0x20001739 = 0; *(uint8_t*)0x2000173a = 0; *(uint8_t*)0x2000173b = 0; syz_io_uring_submit(r[4], r[10], 0x20001700, 0xad23946); break; case 24: res = syscall(__NR_fsmount, (intptr_t)r[5], 1, 0x84); if (res != -1) r[13] = res; break; case 25: *(uint32_t*)0x20001740 = r[6]; *(uint64_t*)0x20001744 = 3; *(uint64_t*)0x2000174c = 6; *(uint64_t*)0x20001754 = 0x1000; res = syscall(__NR_ioctl, (intptr_t)r[8], 0xc01cf509, 0x20001740); if 
(res != -1) r[14] = *(uint32_t*)0x20001740; break; case 26: *(uint32_t*)0x200017c0 = 0; *(uint32_t*)0x200017c4 = 0x20001780; memcpy((void*)0x20001780, "\xe7\xbe\xd2\x38\x54\x76\x95\xa7\x89\x57\xb5\x74\xba\xcb\x6d\xbc\x56\x7a\x32\x32\xe7\x65\x59\xb4\xea\x39\x31\xb6\x08\x57\x8a\x24\xda\x4c\x74\x97\x95\x97\x5b\x0a\xe5\x1d\xa8\xa8\x6d\xde\x75\xb1\xd6\x84", 50); *(uint32_t*)0x200017c8 = 0x32; *(uint64_t*)0x20001800 = 1; *(uint64_t*)0x20001808 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x200017c0, 1, 0, 0x20001800, 1); break; case 27: *(uint32_t*)0x20001840 = 0; syz_memcpy_off(r[9], 0x114, 0x20001840, 0, 4); break; case 28: memcpy((void*)0x20001880, "afs\000", 4); memcpy((void*)0x200018c0, "./file0\000", 8); *(uint32_t*)0x20002900 = 0x20001900; memcpy((void*)0x20001900, "\xf1\xfd\x85\xc4\x6a\x07\x34\x5a\x88\x13\x28\x7b\x13\xf2\x1a\x08\x40\x90\x39\x26\xae\xf8\xfa\x2c\xb5\xf6\xe0\x10\xd1\x4f\x70\x30\x37\x67\x97\x11\x5f\xff\x5a\x94\x80\x41\x34\x8d\x82\x7d\xbd\x67\x8e\x20\x92\x8d\xc4\xb2\x24\xe0\xec\x33\xe5\x0b\xf6\x99\xf1\xed\x1e\x39\xdf\x43\xd8\x99\xeb\x1a\x37\xc8\xd1\x16\x31\xe7\xb7\x75\xfc\x82\x61\x19\x01\xef\x7d\xb3\x71\x4e\x0e\xf5\x9b\x98\xd9\xd7\xd9\x11\x4b\xa1\xba\x76\xa7\x2e\xdc\x93\x80\x33\x59\xb9\x99\x4b\x50\x4f\x9e\x77\x90\x37\x5f\xa5\x0f\xce\xab\x9c\x0f\x21\x03\x85\x72\x2f\x2a\x05\x4c\x09\xfe\xcf\x4a\x04\xcc\xfa\xca\xac\x9d\x40\xbe\xbb\x2e\x2b\xcc\x94\x8d\x32\x72\x63\xb0\xfa\x73\x5b\x75\x3f\xa3\x67\xf5\x53\x13\xbd\x6d\xf7\x47\x6a\x99\x61\xbe\xf3\xe5\x80\x6a\xe5\x3b\xf7\x23\x34\x74\xb6\x37\x26\x6e\x9f\xd6\x94\xfb\x30\xa5\x03\xfb\xa0\x53\xc4\x65\x62\x93\x6b\xb3\xb8\xfd\xd3\x8d\xa2\x3e\x72\x25\x86\x8f\x8c\xf1\xe7\xd2\x7c\xac\xb6\x90\x75\x65\x7b\x3c\xa8\x0f\x8b\xe0\xb8\xe0\x43\xdb\x62\x0f\x08\x72\x23\x1b\x8a\x31\x08\xc4\xa1\x0b\x8b\x72\x3b\x64\x6b\x3c\x6d\x5f\x37\x05\x58\x64\x09\x24\xa9\x3b\xa2\x5d\xb1\x74\x6c\xf2\xea\x14\x1b\x03\x85\xac\x0c\xf9\xe7\xac\xc8\xfd\xdd\x8e\xe3\x2f\xb9\x88\x49\x1e\x45\x45\x64\xeb\x14\x2e\xc8\x40\x24\x38\xdd\xb1\xd0\xbe\xd6\xd2\x85\x
a2\xa4\x08\xa9\xed\xc5\x27\x76\xe3\xae\x70\x21\xc1\x09\x43\xee\xf0\xaf\x02\x70\x37\x22\x13\x62\x7d\xd4\x25\x3d\x95\xa3\x6a\xcd\x29\xf8\x09\x5c\x64\x28\xf1\xc4\x6c\x3e\xb2\x12\x27\xd0\x46\x06\xb5\xc9\x22\x54\xe9\xce\x3e\x22\x0a\x8b\x8a\x28\x1c\x8d\x8e\x9c\x83\x07\x9e\xa1\xdf\x4a\x90\xdb\x9f\x08\xa5\x8c\x80\x3d\x8e\xc2\xbf\xcc\x99\xf1\xac\xd5\xf0\x62\x50\x43\xeb\x4a\x83\x17\x9e\x2d\x37\xc0\x76\x57\xe4\xb7\x47\xad\xcb\x09\x79\xa2\x30\xde\xa4\xf0\x79\xf2\x20\x84\x87\x09\xf2\xbb\x38\xc3\x4a\x22\xc5\xb3\xca\xf9\x4a\x02\xfc\x5f\x1c\x4d\x01\x3c\x16\x5a\xbf\x74\xbe\xd9\xd0\x28\xa5\xd8\x4e\xc1\x50\x37\x7f\x49\x8e\xe0\xe2\xa8\x6b\xf0\x4b\x97\xee\x40\xaf\x98\x82\xbf\xad\xec\xf5\xe1\x25\xfc\x90\x9d\x25\x0d\x92\xa3\x11\x66\xd6\x11\x21\xb5\x36\x45\x24\xb6\x35\x1e\x0b\x6a\x66\xdc\xde\xeb\x52\x49\xeb\xab\xb8\x65\xf1\xf4\xa1\xa8\x0a\xda\x5d\x69\x5d\x3a\x37\xb2\x14\xc9\xf0\xd9\x25\x07\xdb\x1b\x8d\x80\x8a\x96\xf0\x89\x02\xef\x8c\x97\xe2\x2b\x75\x49\x75\x38\xf5\x4f\xf9\x44\xa1\x91\x42\xb6\xae\x1b\x86\x36\x50\x0e\x2f\x39\x20\xa3\xab\x34\x1d\x8d\x1d\xb2\x2d\xc6\x4e\x1d\x68\x38\x21\x62\xb4\x89\xea\xad\xe6\x68\xba\x38\xe6\xe7\xec\xf6\x16\x26\xc7\x19\x37\x8a\x8e\xbf\x08\xec\x3d\x5d\xa6\x71\x64\x61\xe2\x06\x86\x9b\x33\x5c\xcb\xaf\xbc\x73\x64\x99\x83\x79\xd8\x94\xb9\xc6\x04\x41\xd9\x87\x97\xef\xf0\xd0\x4c\xe3\xfb\xf4\x19\xeb\x9c\x5c\x77\x8d\xbd\xc6\x03\x1b\x19\xfe\xa1\x3a\xdf\x11\x1d\xd4\x96\x28\x09\x3d\xa4\x1c\xe2\x52\x59\x5e\xa3\xd0\xb6\xdd\x96\x36\x4f\xe2\xe3\x75\x04\xbc\x66\x17\x04\x4f\xf1\xd0\xd2\x7f\x75\x9d\x1f\xaa\x8a\xe8\x54\xa1\x72\xda\x0b\x22\x73\x05\xbc\x63\x0a\x46\xb8\xe5\xbb\x9f\x8a\xa4\x0b\x95\xa4\xb6\xd5\xc3\x7b\xdd\xd0\x96\x8e\x19\x2d\x57\x24\x20\x78\x43\x4f\xde\xf9\xaf\xdc\x8f\x18\x39\x7d\xf1\xca\x6e\x76\xbd\xc7\x18\x45\xfb\xa2\x81\x8e\xf8\xf1\xc1\xdb\xf0\xa9\x2d\xde\xe3\xc8\xc1\xcf\xdd\xfb\x64\x43\x94\x19\xe6\x3f\x98\x11\xab\x5d\xaf\xd1\x5b\x2f\xf2\xa9\xc0\x41\x33\x16\x51\xc7\xaf\xe7\x86\x28\x75\xbf\x99\x61\x80\x6f\xac\x69\x4b\xef\x5f\x78\xfb\x9c\xd6\x4c\x33\x84\x86\x37\x44\x
4e\x67\x52\x20\x03\x95\xe3\x73\x1d\x02\xdb\x34\xc2\x1f\xca\x31\x1d\x33\x9e\x81\x97\x32\xed\xe1\x83\x94\xb4\x5c\x4c\xbb\xbf\xfd\x45\xfd\xf5\x08\x28\x5d\x26\xda\x5b\x3c\xed\xe6\x92\xaf\x4e\xf2\xf4\x2c\x73\x4b\x52\x28\x64\x75\x5d\xcd\x71\x9c\x93\xb2\x68\x43\x8f\x9b\x0f\x1a\xdd\x57\x4c\xf7\x21\x89\x21\xdf\x68\xc4\x96\x68\x3c\x62\x76\x11\x5c\x07\x4d\x42\x0f\x23\x86\x1e\xeb\x82\x03\x1e\x99\x8c\x08\x33\xd1\xcb\xbb\x5b\x33\x4a\x13\x60\x6a\x0b\xc4\x06\xc4\xc8\xb1\xc2\xbf\x8d\xf5\x57\x32\x4d\x2c\x94\xcb\xe4\xc2\x90\x80\xb6\x32\x34\xb1\xbb\x74\xe5\x85\x4e\x42\x2e\xb4\x6f\x73\x69\x78\xe2\x94\x3e\xbd\x28\xaf\x46\x7b\xd0\xee\x09\x6b\x95\x2f\xf5\xf0\xb2\x28\xc7\xef\x94\x6f\xd4\x72\x49\x3b\x0e\xac\xa9\x37\x84\x01\x66\x9f\x1b\xe6\x75\x23\x0e\x56\xbc\x19\xe4\xec\x12\x34\xfc\xb4\xea\x12\x2d\xd2\x04\x83\x01\x09\x68\x9c\xad\x7e\x3d\x70\x2a\xb3\xe9\x2e\x59\x01\x6a\x64\x0c\xce\x4e\x1e\x57\xd6\xe9\x45\x56\xe7\xee\x1f\x7c\x58\x63\x09\x04\x4b\xdc\xa4\xa7\xb2\xce\xbb\x4b\x3f\xab\xfd\x57\x8e\xd6\xc6\x85\x89\xb8\xaf\xcd\x4d\x0e\x5a\xb1\xb7\xee\xf6\xf8\x2c\xd2\x08\xe3\xec\xe7\x6e\x3b\x73\x33\x1f\xba\x03\xfb\x54\x47\x01\x29\x92\x74\x10\x42\x10\x6e\xd7\xd3\x86\xa1\x43\x3f\xe8\xd4\xc6\xbc\xe8\x22\xff\x8f\xfe\x1b\x38\x2a\xa7\x12\x47\x31\xa9\xad\x6e\x1a\x52\xc7\x82\x66\x17\x4a\x4f\xef\xe9\x86\xa5\x08\xf6\x64\x25\x77\x30\x3f\x91\xea\x4e\xfb\x32\x84\x3c\x6b\x33\x1b\x32\xf2\x45\x53\xa0\xc1\x30\x16\xd9\x1a\x23\x0a\x55\xd8\x1f\xeb\x7d\xfc\x48\xad\x15\x7c\x7c\x2f\xc6\x32\x53\x08\x10\x21\xd1\xc6\x53\x56\x51\x39\x03\xdd\xbd\xe8\xd3\xfd\x0d\x51\x74\x7f\x3e\xaa\xaf\x9d\xb9\xd6\xb4\xbd\x70\x69\xd8\xba\x53\xd4\xd1\x00\xee\x27\x27\x97\x95\x94\xc2\xfa\x80\xb9\xaa\x0e\xdd\x70\xe3\xd7\x02\xfb\x5b\x6c\xd2\x77\xee\xb4\x87\x55\x58\x86\xf8\x5b\x65\x7c\xd9\xeb\xa6\x41\xb2\x8b\xf1\xe7\x62\x30\x0f\x3e\x29\xc5\xa8\xd8\xbf\xe0\x77\xbd\xef\x7c\x9e\x2c\x4c\xfa\xd8\xfc\x36\x46\x70\xd7\xcd\x6a\xc7\xa8\x63\x22\xe6\x67\x76\x0e\x24\x03\xc4\x83\x8d\x61\xfa\x86\x69\xa4\xf6\x21\x14\xee\xf4\x23\xf0\x91\x32\xe2\x0b\xb9\x5b\xa3\x52\x2a\x
c3\x10\x49\xc4\xa3\xd5\x81\xaf\x3c\x57\x84\x91\x0f\xba\x88\xcd\xee\x1c\xef\xf4\xdd\xae\xd8\x27\x11\x9c\xed\x53\x61\x94\x7d\x0e\x31\xa9\xc4\xd2\x52\x63\xa5\x36\x54\xb8\x2f\xc1\x3b\x91\xf4\x45\x08\xdd\x19\x3c\xa1\xef\x26\xd9\x30\xa6\xb0\x81\x05\x86\xd4\x02\xba\x05\x54\xfa\xce\x5c\x3e\xd0\x77\x67\x1d\x50\xd2\x88\x65\xbf\xff\x35\xca\x3a\x4d\xab\xdb\xd6\xe3\xb0\x70\x59\x32\x0f\x53\xe5\xc4\x9d\x73\xcc\x16\xdd\x1e\xd2\x81\x6a\xc9\x8a\xd3\x85\x3c\x36\x88\x29\xc7\xbe\xc4\x0c\x4a\x9b\x39\xee\x3b\x73\x0b\xbd\x6c\x15\x2f\x35\x8e\x99\x11\x30\x8c\x12\xed\x12\x06\x56\x1f\xc7\xcf\x7c\xb4\x77\x14\x5f\x1a\xaa\xce\x66\xac\x5c\x44\x68\xac\xb2\xf6\x01\xc6\x1e\x4b\x11\x8b\xe2\x05\x6b\x6d\xbc\x18\x60\x9b\xfd\x41\x05\xee\xe1\x8b\xe3\x84\xa1\x99\x13\xd2\x74\xd9\x20\x39\x79\x0c\xb8\x74\x20\xb9\xfd\xd7\x0e\x73\x43\x09\xfc\x7a\xfe\x09\xe1\x1f\x78\x0d\x6e\xe6\x24\x31\x75\x90\x7a\x4a\xee\xcb\x6c\xa0\x70\xa3\x37\x4b\xe5\xd3\xd0\x7a\x78\x8e\xa4\xe1\xf9\xd6\xf1\x8e\xff\x9e\x79\x64\xd7\x07\x6c\xb5\xb9\x3c\xd9\x73\x38\xec\x05\x44\x8e\xc5\x27\xcc\xa6\x67\x90\xbf\xe3\x2c\x5b\x26\x62\xd7\xfc\x6b\x83\x6b\x41\xbf\x32\xe5\xbc\x0d\xdf\xe4\x2d\x59\x73\xdb\x86\xf8\xae\xd5\x6e\x43\x11\x2b\x45\xb0\xf7\x92\xc5\x39\x45\x99\xa1\x3e\x73\xc2\x50\x12\xb5\xaa\xcd\x3a\xef\x11\x24\x73\xc4\xe2\xe3\xab\x6a\xeb\xf5\xaf\x6d\xe9\xe7\x8a\xc0\x47\xfc\xc2\x76\xfd\x97\x6f\x25\x02\x2c\x65\xc3\x0a\x9f\xd6\x72\x03\xf1\x9e\x33\xb3\x5c\xfb\xcf\xdf\xf3\x95\xc5\xbb\x53\xf2\xfd\x79\x28\xe4\x3e\x62\x28\x47\x28\x07\x80\xb8\xcc\x81\x5f\xb4\x85\x18\x91\x05\xa1\x24\xcd\x86\x27\xcc\x3d\x5f\x1a\x9d\xd8\x00\xd4\x7a\x22\x6e\xbf\x90\x7e\xb2\xf4\x91\x33\xd1\x17\x58\x8d\x28\x0f\x4c\xc4\x3d\x95\x25\x4d\x88\xc8\x75\x3d\x96\x07\x3f\x97\xc5\x31\xf5\x1e\x55\x96\xe2\xe9\x71\xa2\x16\x1b\x78\xf7\x5e\xdc\xfb\xd9\xde\x38\xf0\xa9\x28\x4b\x7c\xce\xef\x87\x59\x8f\xa3\xbc\xfa\x5d\xbc\xbd\x1d\x28\x4c\xf8\x0c\xb7\x75\x54\x65\x89\x9d\x36\x2d\x9e\x40\xc6\x4c\x1a\x1e\x4c\xc4\x5c\x38\x71\xb2\x10\x4c\xa4\x0c\x05\x72\x9d\xcc\xbf\x6d\x0a\x17\x50\x0e\x5d\x0d\xff\xa3\x44\x
3a\x52\x33\xe2\x79\xb2\xf9\xc5\x18\xb6\x97\x34\x0d\x26\xd2\x87\x26\x60\xc7\x1a\x49\x57\x10\xee\x00\x9f\xfb\x98\x9e\xbb\x5b\xef\xe5\x17\x69\x25\xb7\x8c\xde\xb1\xe8\x11\xc5\x1e\xcd\xb0\x1a\x47\xec\x1d\x1d\x0e\xf2\x02\x4c\x9a\x66\x6f\x6b\xc5\xeb\xe1\x3e\x77\x3f\x89\xf4\xc8\x0b\xaa\x1d\x66\x0c\x05\x1c\x26\x72\xf9\x1c\x21\xdb\x5f\xf2\xd5\xa7\x01\x26\xdc\x69\x14\x0e\xe2\x16\xc4\x5b\xdd\x0a\x7b\x52\x79\xde\xce\x2f\x58\x3b\xc2\x4f\xc6\x3c\xae\x88\xae\x75\x57\x22\x40\x48\x23\xc5\xc2\x16\x84\x9d\xcd\x10\x85\xba\x99\x02\xcb\x24\x8a\xc5\xd1\x92\xc3\xbd\xc5\x37\x39\x2a\x7c\x9e\xd3\xc3\x59\xbb\x6d\x49\x34\x62\x5f\x5f\x7a\x6d\xd5\x1b\x78\x57\x3f\xc7\x26\xad\xab\xc9\x1f\x41\x96\x05\x86\xf6\x4c\x39\x26\x11\x26\xea\x67\xdf\xc3\x2c\x5a\xe5\xf7\xd6\xed\x88\x74\x73\x60\x41\x8d\x42\xa0\x08\xd9\xcf\xc5\xef\x15\xf9\xc5\x88\xdb\xb9\xec\xc3\x74\xba\x19\xab\x60\xa3\xba\x33\xfb\xd1\xb8\x04\x77\xb0\x20\x4e\x67\xc8\x45\xf9\xf6\xab\x58\x9c\x58\xb5\x78\xcc\xa5\x8a\xf3\x22\xae\x66\xb9\xb1\x2e\xd9\x53\x70\x3d\x13\x93\xd8\xec\xe9\xc6\x70\x66\x4f\xdb\x6b\x1f\xfa\x10\x27\x1a\xbc\x0e\x51\xd5\x7b\x59\x10\x2e\x26\x40\xbe\xa0\x9e\x91\x12\x94\xc3\x5a\xbc\x86\x16\x99\x0a\x57\x29\xbf\x73\x9a\x8e\x22\x77\x4a\x68\x0d\x57\x70\xb8\x58\xb9\x32\xfe\x59\x5b\x73\x22\x32\x8a\xe7\x92\x07\x8a\xd2\x8d\xb4\xd5\x4c\xbd\x7c\x98\x68\xfc\xbe\x6e\xed\x0b\x0a\xa7\xb7\xab\xbf\xb1\xb8\xef\xce\x2d\xd5\xc1\xe2\x9b\xac\x66\xab\x7f\x80\xfe\x7a\x65\xd2\xda\x18\x38\x66\x0e\x94\x06\x6a\x6b\x2e\x3b\xdb\x89\x7e\x55\x1b\xc0\x37\xd7\x79\xdb\xb6\xcb\x9b\xdc\xa7\x03\x0e\xf8\x22\x6b\x96\x8d\x5a\x85\x7c\xb4\x24\xa9\xbd\x71\xec\xf3\xe0\xdf\x3b\xca\x6b\x91\x95\x90\x5e\xd0\x5e\x73\xd0\x36\x7f\x16\x49\xee\xd5\x49\xd9\xc3\xd4\x7e\x2f\x31\x2c\x17\x0d\xc9\x4a\x70\x1d\x42\x04\x60\xe1\x00\x0e\x23\x70\x21\xc6\xb7\xb1\xbc\x08\xb3\x5c\x10\x43\xc6\xe8\x99\xed\x58\x7e\xf7\xdf\xb6\xe1\xc7\xb6\xe1\x1e\x3a\x2f\xb4\x34\x8a\xbc\xc9\xed\x18\x31\xee\x37\x3d\x00\x45\x40\xa7\x3a\x4c\x78\xf9\xd3\xab\xb1\x01\xc7\x87\xba\x23\x9d\xf6\x63\x92\x4e\xf8\x4e\x3b\x43\x68\x68\x
b6\x3c\xd7\x4f\x4d\x47\xac\x9e\xbc\xe3\x81\x4b\xbd\xb3\x7e\xee\xc3\xfe\xa1\xf9\x06\x88\xd1\x6f\xf3\x28\x5d\x35\x97\x45\xf9\xc1\xb6\xdc\xfa\x98\xbc\xd3\x2a\xca\xcc\xd9\x35\x0c\x07\x05\x79\xaf\x49\xc6\xdd\x8e\x62\xb3\xe1\x16\x16\xb9\x56\x05\xb5\xe6\x7c\x90\xc3\xdb\x1b\x83\x01\xde\x61\xbd\xfa\x55\x8e\xe6\xd1\x3f\x20\xa7\x8d\x40\x7e\x4f\x44\xca\x79\x3c\xe3\xd9\x58\xe1\x52\x2f\x1a\x64\x27\x6a\xc8\x86\x3d\x1a\x68\xb5\xb6\x4e\x03\xec\x0b\x22\xb0\xa7\x87\xbb\xa7\xb4\x62\xfd\xdf\x8d\xa7\xd1\x01\x8b\x32\xa1\x32\x82\xbd\x1e\x83\x06\x0a\x67\xc7\xda\x96\xe4\x6e\x3b\x32\x2a\x5d\x8e\x05\xba\x67\xb3\xac\xa1\xc5\xd1\xbf\x13\x6a\x57\xb3\xaa\x68\x77\x7f\x00\xbf\x10\x2d\xdd\xb1\xde\xc2\x1d\xb3\x09\xf4\x85\x5d\x9c\x08\xed\xc5\x80\xd6\x52\xa6\x89\x42\x0b\xf6\x25\x38\xb5\xaa\x26\x30\x57\x09\x81\x21\xd8\x2d\x87\xe2\x9e\xe2\x6b\x5d\x52\x88\x02\x3e\x50\x1f\xf2\x73\x0b\xce\xf0\x0b\x98\xf1\x3c\x40\xbc\x2d\xa1\xa1\xbc\xa1\xcd\x66\x64\x84\xf1\xa3\xf5\xc8\xb6\xff\xaf\x46\x8f\xbe\xaa\xf5\xab\xfd\x74\x39\x6f\xbc\x46\x0e\x0f\xd2\xb4\x40\xf5\xe5\x63\x27\xe6\x34\x90\x73\x11\xdc\xe9\x8e\xc0\x75\xe9\xee\x32\x87\xf7\xd2\xdc\xd6\x44\x93\xe5\xc5\xce\x09\x6b\xb2\x9d\x77\xaa\x49\xa9\xf6\x77\xe6\x8e\xfd\x44\xcf\x35\xb5\xa0\xd6\x9f\x1e\xc8\x87\xa5\xf1\xf3\x5e\x44\xaf\xe3\xb6\x90\x4e\xf0\x26\xb3\x65\x1c\x69\x7d\xc2\xaf\x46\x66\x2b\x92\x36\x64\x20\x1e\x4b\xae\xdc\x28\xe8\x5f\x33\xd0\xfc\xce\x83\xec\xb0\x1d\x04\xf5\xa0\x82\x6d\xf9\xfb\xfe\x7d\x92\xe3\x1d\xb7\x62\x02\x53\x3f\xa8\xbd\xbd\x4f\x14\x74\x4f\x84\x85\x94\x8f\xf0\xe4\x0e\xc7\x7d\x2a\x2c\xca\xc3\x4f\x38\x9a\x4f\x6b\x0e\x1f\x84\xf5\x27\xb1\x28\x2b\x4b\xa5\x3c\xc0\xa5\x34\x68\xeb\x13\x62\xd8\x7f\x33\x4f\x17\x6d\x94\x8d\x9d\x7f\xc1\x90\xa1\xfa\xbb\x36\x74\x53\x85\x94\x5f\x27\xd4\x4c\x13\x64\x36\xee\xed\xca\x1a\xd4\x94\x5c\x9d\x73\xd6\xa2\xd7\x22\x5a\x1f\x7f\xa4\x9a\x2b\x2b\x56\xd3\xa4\x03\xa8\xdd\xd0\x3d\x70\x1b\xb8\xba\x36\xc2\x75\xb0\x5d\xb3\xb6\x06\x38\xb9\xa2\xa2\x34\xcb\x63\xb8\x09\xeb\xfc\x9a\x77\x1a\xc7\x12\x76\x2f\x7e\x96\xc5\x38\xe1\xc5\x4a\x79\x12\x
b9\x59\x44\x63\x2d\x6d\x60\x59\x4b\x90\x0e\x17\xee\x32\x7b\x2b\x2b\x13\xbe\x28\x44\x06\x1f\xd1\xe3\x50\xe4\x71\x21\xfd\x71\xf1\x30\xa5\xae\xb5\x15\x3c\xcb\x8e\xce\x99\x59\x0f\xf9\x3e\xa9\x8e\xe5\x89\xa0\xa4\x28\x8b\xb6\xa3\x59\x0b\x1c\x6e\x89\x00\x8b\xbd\x2d\xc7\xad\x38\x74\x83\x69\x40\x5c\x9f\x8c\x37\xfa\x75\xdd\x2f\xf4\xa3\x84\x56\x1d\x03\x09\x48\xc3\xd1\x64\x66\xe4\xf0\x37\xe5\x4d\x3d\xca\xbd\xe0\x2f\xb3\x5c\x62\xb3\x16\x92\x65\xc0\xaf\x80\x18\xa8\x6c\x3f\xcf\x32\x68\xc1\xa9\x1e\x71\x31\xf8\x9c\xf7\x84\x1b\xb5\x8c\xab\x8a\x5f\x89\xd7\xed\xb6\x7f\x05\xf1\x6f\xe8\x40\x59\xbe\x5a\xbd\xbe\x44\xd3\x85\x2f\xa5\x79\x0c\x16\x16\x28\xb2\x1e\xef\x35\x9a\xaf\x7d\xb7\xde\x11\xc8\x35\xff\x9c\xc0\xb8\x6a\xc9\x75\x1f\xd2\xd5\xc1\x35\xe8\xac\xb4\x35\x2b\xc0\x3f\xdf\xe6\xc4\x34\x73\x58\x2c\xde\x76\xb1\x57\xee\xb0\x3a\xcf\xff\x74\x2b\xe5\x83\x8a\x4a\xab\xa1\x60\xe1\xc5\x88\xc9\xe1\xda\x27\x58\xfc\x29\x0a\xe3\x7a\x76\x05\x34\x0f\x72\x6f\xf3\xd8\xd7\x3d\x3d\xcc\xdc\x77\x37\x49\x9b\x74\x73\xec\xcc\x00\xc3\xd0\x1d\x20\xbd\x98\x9e\x60\x49\xd9\xda\x7d\xce\xe2\x29\xfe\x3d\xb7\xe2\x84\x5b\xa6\xef\x6b\x38\x06\x80\xe0\x77\x54\xdf\xa9\x2d\x16\x05\xb3\xb2\x52\x7e\xd1\x9d\x01\x33\x3b\x2b\x58\x86\x8d\x76\x14\xc9\x2b\x7f\x93\xc9\x5e\x2c\x90\x54\xf7\xa7\x28\xe0\x56\x9b\x98\x60\x18\x31\x1d\x9a\xb3\x79\xac\x3d\x19\xc7\xf6\x5f\x87\xac\xbd\x2a\x2b\xcd\xf1\x22\xb1\xb9\x50\x2d\x3c\x3a\x69\xef\xa3\x2f\x4b\xe1\xef\x20\xda\xa4\x2e\x13\x40\x9d\x2b\x12\xdb\xfd\x03\xc6\x4a\xca\x0b\xd6\x6c\x76\xc0\x4e\xa6\xa7\x6e\xf0\x29\x46\x50\xe5\x9e\x8a\x37\x9c\x85\xc5\xac\x8e\x31\x0e\xd9\x9e\x1a\x5f\x20\xc9\xbb\xdb\xee\x13\xde\x12\x18\xf9\x5b\xe0\x40\xff\x5f\x76\x0c\x7f\x07\xab\xe3\x62\x46\x85\x08\xa2\x11\x4e\x0c\x34\xf9\x38\x95\xc1\xe2\x8a\xd8\xc5\x6f\x19\x49\x81\x6c\xff\xd0\x9c\x02\x8d\xee\xf0\x1e\x5f\xcf\x91\xb4\x38\x4c\x62\xd0\xef\xd9\xb7\xd6\x6b\x1a\xae\x30\x2a\x3e\xd2\xc3\x03\x7c\x96\x75\xac\x6c\x86\x33\x6f\xa6\x03\x25\x8a\x53\x84\x09\xba\xd5\x67\x98\x11\x28\xcb\x8c\xab\x88\xd7\x02\x7b\x2a\x92\x67\x1c\xad\x00\x0a\x
2c\x9f\x31\x7f\xb4\xae\x30\x98\x0d\x3f\x28\x51\x2f\xb5\xf6\x6a\x98\xb2\xe2\x07\x7a\x6a\x7f\x84\x61\xbf\x1a\x78\xcf\x12\xb3\xce\x6e\x3a\xa4\xa2\x2f\x3c\x63\x73\xa5\xd0\x4f\x76\x7b\x83\xc7\xd5\x7a\x56\x83\x4f\x76\x39\xc9\xac\xbb\x9f\xde\xde\xa8\x52\x76\xa0\xaa\x10\x0b\x68\xc8\xa2\x46\x31\x4a\x8c\xa0\x2f\xf0\x7d\x15\x32\xc9\x0d\x9a\x4a\x5d\xac\xba\x53\xa2\x4c\x14\xcb\x94\xb5\x7a\x8c\x23\x6c\x98\x5e\xbc\x98\x69\x71\x08\xa4\x3e\x87\x4b\x67\x15\xe6\xbe\x8d\x96\x85\xfa\xfd\xba\x1d\x7e\x5d\x1b\x4c\xed\x62\x56\x58\x47\xbd\xfc\xf6\x2b\xe1\x75\xe8\x48\x3c\xfd\x07\x11\x24\x76\x64\xe2\x73\xfc\xbe\xc2\x9f\x60\xde\xdd\x34\xc6\x81\x0f\x66\x50\xb6\xbd\xc4\x7d\xf7\x26\x7b\x8f\x53\xbc\x66\xac\x41\xa5\xc0\x50\x6e\xdf\x4a\x80\x5c\xff\x03\x43\x79\x7c\x88\x12\x56\xea\x09\x5f\xbf\x14\x57\x54\xf7\xcb\x9d\xfb\xa6\xd3\xc2\xbd\x12\xac\xe3\x07\x62\x9c\xb2\x2d\xfe\xb5\xa4\x81\x55\xde\x0e\x50\xa9\x5d\xa5\x8b\x32\x02\x58\x9b\x60\xf5\xdd\x4c\xa6\xcd\x22\xc2\xed\x78\x8f\x27\x21\xd5\x35\x43\x74\xe9\xef\xac\xf4\x94\x72\x94\xdd\xc8\x14\x92\x25\xdc\xe5\xad\xfb\x32\x25\x95\xed\x18\xa4\xdc\xb0\x56\x51\x48\xb0\x87\xe3\x7d\x42\x47\xea\xae\xcc\x58\xc5\xaa\xf1\xc6\x4e\x87\xcc\x2c\xce\x9b\x8e\xbc\xaf\x96\x3f\xc4\x41\xa6\xdf\xac\x42\x6b\xe0\xac\xe4\xec\xfb\x91\xdf\x77\x32\x72\x1a\xfb\x34\xf9\x05\xce\x73\x77\xdb\x38\x49\xd7\x40\x1b\xa3\xd3\x14\x9c\x08\xe9\x8b\xcd\xec\xa6\xde\x20\x7e\xd8\xbc\x7b\x1d\x6e\x88\x59\x7d\xa6\x28\xc6\xb0\xa7\x3c\xf9\x67\x4a\x20\x7d\xd8\x74\x5f\xe5\xb3\x2b\xdd\x8f\x55\x09\xf1\x4f\xc1\x5c\xf9\x50\x4b\xf6\x63\x4b\x2d\xf2\x83\x6e\x95\xc7\x36\xe2\x76\x2f\x27\x14\xbf\xd1\x30\xaf\x99\x1d\x8b\x64\x8a\x93\x72\x15\x83\x83\xa2\xf5\x3e\x14\xc7\xcf\xc7\x66\x3d\xb5\xca\x5c\x8a\x9c\xdd\x15\x5e\x38\xc1\xf7\x0e\x51\x61\x35\x88\x12\x8d\xd0\x85\xbb\xdd\x7e\xd2\x39\xb9\x7e\x89\x58\xce\xf3\x5f\x11\x7e\xab\x19\xb3\x70\xff\x2e\x4e\x25\x68\x9d\x62\xb6\x84\xfd\x4a\xfc\xeb\x26\x32\x51\xfa\x92\xe8\xc6\xb2\xaa\x2e\x34\xd3\xfb\x8a\xae\xd1\x8c\xdc\x73\x4f\x9b\x42\x0c\x8d\x7b\x93\x15\x55\xeb\xd7\x99\x0c\xa0\x73\xfb\x
81\xbe\x98\x27\x94\xe0\x00\xd5\x05\x72\xeb\x07\x61\xd4\x95\xba\x80\x68\xf6\x57\xd7\xf7\xb9\x19\xe6\x6a\x25\xe0\x32\x11\xdf\xe6\x90\xf4\x08\x1f\xc5\xde\x14\xf5\xf9\xd8\xbe\x47\x80\x24\xe6\x0a\x31\x38\x08\x0d\x9c\xe9\x7a\xe2\x3e\x29\x1e\x77\xa6\xe4\xa5\x07\xa9\x6a\xe0\xc0\x7d\x96\x04\xa9\x5b\x43\xb8\x17\x4c\x33\x17\x5b\xa2\x95\x05\x01\x86\xf7\x23\xb5\x0a\x60\x9e\xe0\x9b\x42\x67\xe4\xd2\xaf\x42\x96\xce\x65\x7b\xb8\xb5\xe9\x96\xf9\x8b\xd7\x5e\xd4\x2d\x09\x54\x89\x5d\x97\xd9\x88\x32\x9d\x92\x5f\x62\x89\x44\x74\xd1\xca\xa5\xde\x98\x8e\xd7\xb5\xc6\xde\xac\xfd\x90\xad\x94\x7e\xfe\xbf\x6c\xf6\x1b\x45\xd9\xc7\xb1\xba\x59\xe9\xec\x4b\x85\x59\xaf\xf8\xd3\xd0\x5f\xb0\x0f\x57\xec\x94\x2b\x0e\x9b\x9f\xdb\xde\x26\xca\xd3\x40\xcb\xb4\xf7\xc0\x44\x7b\x70\x7e\xd8\xf6\xd4\xf9\x89\xd0\xb1\xda\x0d\x0c\xda\xe6\x17\xb0\x14\x36\xfa\x68\xe3\x77\x75\xe8\x44\x41\x5e\xbd\x11\xa3\x35\x08\x46\xcf\x0b\x41\x9f\xad\x6d\xb9\x4c\xcc\x82\x83\xe9\x50\x19\xdb\x55\x91\xb9\xe8\x1c\x5d\x32\x70\x7b\x30\x02\xaf\xb2\x40\x58\x49\x5f\x6c\x21\xcd\x4b\x9e\x12\xaf\x7a\x1f\x40\x54\xfd\xa3\x7b\xa6\xa2\x94\x5e\x89\x98\x99\x76\x10\x12\x54\x8e\x41\x22\xa6\x95\x56\xe0\xca\x51\xe2\x31\x94\xbd\xc4\xe2\x72", 4096); *(uint32_t*)0x20002904 = 0x1000; *(uint32_t*)0x20002908 = 9; memcpy((void*)0x20002940, "flock=openafs", 13); *(uint8_t*)0x2000294d = 0x2c; memcpy((void*)0x2000294e, "dyn", 3); *(uint8_t*)0x20002951 = 0x2c; memcpy((void*)0x20002952, "autocell", 8); *(uint8_t*)0x2000295a = 0x2c; memcpy((void*)0x2000295b, "dyn", 3); *(uint8_t*)0x2000295e = 0x2c; memcpy((void*)0x2000295f, "flock=openafs", 13); *(uint8_t*)0x2000296c = 0x2c; memcpy((void*)0x2000296d, "source", 6); *(uint8_t*)0x20002973 = 0x3d; memcpy((void*)0x20002974, "&", 1); *(uint8_t*)0x20002975 = 0x2c; memcpy((void*)0x20002976, "source", 6); *(uint8_t*)0x2000297c = 0x3d; memcpy((void*)0x2000297d, "SEG6\000", 5); *(uint8_t*)0x20002982 = 0x2c; memcpy((void*)0x20002983, "smackfsdef", 10); *(uint8_t*)0x2000298d = 0x3d; memcpy((void*)0x2000298e, "SEG6\000", 5); 
*(uint8_t*)0x20002993 = 0x2c; memcpy((void*)0x20002994, "smackfsdef", 10); *(uint8_t*)0x2000299e = 0x3d; memcpy((void*)0x2000299f, "SEG6\000", 5); *(uint8_t*)0x200029a4 = 0x2c; memcpy((void*)0x200029a5, "subj_user", 9); *(uint8_t*)0x200029ae = 0x3d; memcpy((void*)0x200029af, "SEG6\000", 5); *(uint8_t*)0x200029b4 = 0x2c; memcpy((void*)0x200029b5, "smackfstransmute", 16); *(uint8_t*)0x200029c5 = 0x3d; memcpy((void*)0x200029c6, ":", 1); *(uint8_t*)0x200029c7 = 0x2c; memcpy((void*)0x200029c8, "seclabel", 8); *(uint8_t*)0x200029d0 = 0x2c; *(uint8_t*)0x200029d1 = 0; syz_mount_image(0x20001880, 0x200018c0, 5, 1, 0x20002900, 0x20005, 0x20002940); break; case 29: memcpy((void*)0x20002a00, "/dev/i2c-#\000", 11); syz_open_dev(0x20002a00, 0xad8, 0x2a2000); break; case 30: res = syscall(__NR_ioctl, -1, 0x5429, 0x20002a40); if (res != -1) r[15] = *(uint32_t*)0x20002a40; break; case 31: memcpy((void*)0x20002a80, "net\000", 4); syz_open_procfs(r[15], 0x20002a80); break; case 32: syz_open_pts(r[13], 0); break; case 33: *(uint32_t*)0x20002e80 = 0x20002ac0; memcpy((void*)0x20002ac0, "\x7a\xd3\xcd\x80\x2d\xd0\xc4\x24\x94\x5d\x99\xca\x9c\xa6\xe4\xfb\xb8\xf8\xe3\xb9\x80\xd2\xec", 23); *(uint32_t*)0x20002e84 = 0x17; *(uint32_t*)0x20002e88 = 0x1000; *(uint32_t*)0x20002e8c = 0x20002b00; memcpy((void*)0x20002b00, "\x32\x9d\xe8\x0b\x2b\x17\xbb\xd2\x5d\x1f\x19\x07\xa9\x26\x3a\xf3\xbf\x05\xc4\xa7\x06\x1e\x28\x49\x2a\x3f\x71\xc6\x34\x3a\xa5\xaa\xea\x03\x27\xa3", 36); *(uint32_t*)0x20002e90 = 0x24; *(uint32_t*)0x20002e94 = 5; *(uint32_t*)0x20002e98 = 0x20002b40; memcpy((void*)0x20002b40, 
"\x82\x79\x1d\xfd\x31\x1d\x07\xdb\x7d\x65\xe8\x03\xce\x6c\xa0\x00\x28\xaf\x8f\xf8\xd2\x76\x18\x7e\x0e\x14\xbb\xf7\xbe\xab\x60\xfc\x4b\x70\x72\x2e\x91\xb6\x32\x2b\x8e\x34\x72\x19\x1a\x66\x17\x6b\xb0\xca\x91\xde\xe6\x0f\x15\x06\xa6\xd4\x8b\xe4\x05\x52\x30\xc3\x0b\xe9\x4a\x10\x43\xa1\xd2\xa0\x6d\x42\x16\x60\x69\xd8\x03\x3d\x6c\x52\x4c\x86\x10\xb8\xc4\xbb\x63\xaf\x0c\xe6\xd6\x20\x71\x37\xf1\xbe\x1b\x62\xb0\x02\xe8\xc3\x5e\x64\x67\xc2\x42\x3c\xc6\x59\x7d\x1c\xa5\x8e\xe3\x15\x89\xf0\x24\x8a\xc7\x62\xe2\x4a\x28\x6a\x41\xa7\x61\x91\x2d\x34\xbb\x56\xf0\x7d\xb8\x8c\xa5\x2f\xce\x8d\x12\x87\x62\x39\x4f\xa0\x0f\xaa\xc8\x45\x1a\x42\xc3\x14\x4b\xde\xc7\xe9\x72\x96\xc9\xea\xc7\xc9\xf6\x31\x10\xa3\xd4\x05\xc1\x6b\x04\x28\x88\x00\x24\xe8\xc9\xc8\xaf\x49\x0b\x8c\xfa\xd8\x4c\xbb\x63\x78\x78\xd6\x34\xcd\x84\x34\x6b\x60\xc9\x13\x2c\x09\x66\x0c\xdc\x61\x6a\x0b", 212); *(uint32_t*)0x20002e9c = 0xd4; *(uint32_t*)0x20002ea0 = 0x7fff; *(uint32_t*)0x20002ea4 = 0x20002c40; memcpy((void*)0x20002c40, "\x90\x4b\xbc\xee\x2b\x46\xda\xa1\xac\x64\x3b\x7b\x6b\x8e\xa0\xff\x46\x2f\xea\xbe\xe5\x41\xb4\x11\xa8\x85\xe4\x70\xa4\x96\xcb\xbd\xc7\x29\xff\xde\xbc\x50\x80\x7f\x71\x9c\xbe\x80\x8d\x8b\x59\x8b\x47\x67\xc7\xa8\x52\xd9\xce\x0c\x88\x0a\x9b\x07\x8b\x01\x87\xde\xac\x92\x6b\xd4\x68\x7a\x44\xf0\x92\xbb", 74); *(uint32_t*)0x20002ea8 = 0x4a; *(uint32_t*)0x20002eac = 5; *(uint32_t*)0x20002eb0 = 0x20002cc0; memcpy((void*)0x20002cc0, 
"\x35\x31\xae\x25\x7e\x7e\x08\x77\xcd\xe3\x40\xc4\x2e\xdb\xfc\x91\xdc\xff\xaf\xf1\x28\x4e\xf0\x8a\x45\x1e\x4c\x76\xe0\xcd\x83\xb2\xc0\xea\x10\xd8\x6b\xce\xfa\x93\xbb\xae\xf5\xff\xfb\xfe\x7d\xc7\x0b\x73\xb8\x9c\x55\xfc\x38\x51\x11\x0d\x1b\xd0\xd1\xda\x31\x75\x33\x20\xb1\x11\xfe\x70\x60\x53\x7e\x8f\x65\xf3\xc2\xf0\x5a\xdc\xb3\xd6\x6b\xd2\xab\xe6\xb0\x8a\xaa\xe0\xd0\xee\xdc\xa9\x93\x77\x07\xec\x4c\xb4\x87\x4c\xdf\xd0\x58\x00\x81\x2a\xb5\x3f\x95\x50\xb2\x5a\x28\xee\x69\xe6\x2a\x0f\x79\x0f\xe5\x23\x3f\xc8\x64\x5f\xc3\xfe\x6c\xae\x05\x5f\x2a\xa1\x72\x91\x25\x17\x01\x51\xe8\x6e\xea\xb6\x7b\xb2\x0b\xc8\x84\xa1\x21\x4c\x2d\x3d\x96\x9c\x34\xfb\x23\x9b\x45\xfe\xec\x93\xac\x20\x97\x21\xba\xe7\x27\x12\x51\xc6\x13\xce\xa9\x37\x9c\x15\x21", 183); *(uint32_t*)0x20002eb4 = 0xb7; *(uint32_t*)0x20002eb8 = 4; *(uint32_t*)0x20002ebc = 0x20002d80; memcpy((void*)0x20002d80, "\xc3\xf0\x4f\x26\x92\x9b\x7a\x4d\x63\x42\x84\x1f\xa5\x3a\x9a\x8c\xb8\x00\x6a\x97\xf4\x28", 22); *(uint32_t*)0x20002ec0 = 0x16; *(uint32_t*)0x20002ec4 = 6; *(uint32_t*)0x20002ec8 = 0x20002dc0; memcpy((void*)0x20002dc0, "\xc9\x87\x12\x75\xe3\x26\x9f\xf1\xbd\xcd\x67\xfb\x52\x3e\x1c\xeb\x51\x51\xb0\xed\xe9\xe0\x32\x63\x4e\x36\xd4\x86\x04\x6b\xc3\x1c\xd9\x78\xbd\xa5\x92\x47\x35\x53\x16\x31\x9e\x76\x8e\x7a\xc6\xbe\x06\x48\xbf\x0f\xec\xd1\x3c\xda\xd4\x5f\x71\x3e\x0e\x3b\x74\xe9\x5e\xec\x77\x06\x3c\x02\xa2\x33\xea\x97\xd3\x38\xf4\xb1\xe9\xbc\x5a\x7c\xce\x85\x52\x87\x42\x63\x2e\xd5\x9c\xec\x01\x6f\x39\x14\xdd\x02\xca\x6b\x1d\xc8\x33\x22\x48\x95\x27\x73\x50\xcf\x1f\x21\xd6\xc7\x8f\x85\x92\x71\x7e\x91\x23\x3f\x90\x26\x92\x7e\x0c\xc3\xd8\x0c\xdc\x57\x71\x47\x63\xa0\xfc\xb0\x91\xf5\xc6\x90\x51\xb5\x5c\xd2\xe1\xfc\xc3\x3b\x13\xd5\x97\xc5\xca\xee\xb2\x71\xc5\x42\x97\x8a\x1e\x17", 164); *(uint32_t*)0x20002ecc = 0xa4; *(uint32_t*)0x20002ed0 = 0x9c; syz_read_part_table(1, 7, 0x20002e80); break; case 34: *(uint8_t*)0x20002f00 = 0x12; *(uint8_t*)0x20002f01 = 1; *(uint16_t*)0x20002f02 = 0x201; *(uint8_t*)0x20002f04 = 0xa4; 
*(uint8_t*)0x20002f05 = 0x61; *(uint8_t*)0x20002f06 = 0x1e; *(uint8_t*)0x20002f07 = 0x40; *(uint16_t*)0x20002f08 = 0xacd; *(uint16_t*)0x20002f0a = 0x300; *(uint16_t*)0x20002f0c = 0xc0df; *(uint8_t*)0x20002f0e = 1; *(uint8_t*)0x20002f0f = 2; *(uint8_t*)0x20002f10 = 3; *(uint8_t*)0x20002f11 = 1; *(uint8_t*)0x20002f12 = 9; *(uint8_t*)0x20002f13 = 2; *(uint16_t*)0x20002f14 = 0x372; *(uint8_t*)0x20002f16 = 2; *(uint8_t*)0x20002f17 = 4; *(uint8_t*)0x20002f18 = 0x1f; *(uint8_t*)0x20002f19 = 0; *(uint8_t*)0x20002f1a = 1; *(uint8_t*)0x20002f1b = 9; *(uint8_t*)0x20002f1c = 4; *(uint8_t*)0x20002f1d = 0x5d; *(uint8_t*)0x20002f1e = 0xb3; *(uint8_t*)0x20002f1f = 1; *(uint8_t*)0x20002f20 = 0xad; *(uint8_t*)0x20002f21 = 0x49; *(uint8_t*)0x20002f22 = 0x76; *(uint8_t*)0x20002f23 = 0x20; *(uint8_t*)0x20002f24 = 7; *(uint8_t*)0x20002f25 = 0x24; *(uint8_t*)0x20002f26 = 1; *(uint8_t*)0x20002f27 = 0; *(uint8_t*)0x20002f28 = 0x80; *(uint16_t*)0x20002f29 = 0; *(uint8_t*)0x20002f2b = 9; *(uint8_t*)0x20002f2c = 5; *(uint8_t*)0x20002f2d = 0xd; *(uint8_t*)0x20002f2e = 0; *(uint16_t*)0x20002f2f = 0x230; *(uint8_t*)0x20002f31 = 0x5d; *(uint8_t*)0x20002f32 = 1; *(uint8_t*)0x20002f33 = 0x3f; *(uint8_t*)0x20002f34 = 7; *(uint8_t*)0x20002f35 = 0x25; *(uint8_t*)0x20002f36 = 1; *(uint8_t*)0x20002f37 = 0; *(uint8_t*)0x20002f38 = 0x1f; *(uint16_t*)0x20002f39 = 2; *(uint8_t*)0x20002f3b = 0xba; *(uint8_t*)0x20002f3c = 0xe; memcpy((void*)0x20002f3d, 
"\xf4\xe6\xe5\x76\x28\x83\xc3\x4d\xf0\x4f\x35\x60\x99\xf1\xd3\x4b\xdb\xc9\xf5\x32\x4d\xa6\x48\x05\x3f\xd6\x90\x21\x1b\x89\x71\x19\xc4\xf3\xac\x19\x7f\x2a\xa9\x3f\x2f\x3b\xe0\x5f\x83\x6b\x16\x44\xd5\xb2\x32\x76\x48\xb3\x08\x16\xed\x19\x2f\x94\x3d\xfc\xe2\x25\xf6\x9d\x77\xc5\x15\x65\xe1\x77\xfd\x88\x9c\x9c\x9d\x8c\x85\xb9\x2e\xe4\xbe\xad\x0e\x88\x94\x46\xbb\xc3\x20\xa4\x0f\xa2\x48\x07\xf4\x76\xbf\xd1\xf1\xb3\x09\x6e\x33\x70\xf7\x55\xc9\x4a\xa0\x1c\x3b\xe4\xdd\xc7\x95\x2a\x56\x94\xbc\xad\x4b\xeb\x40\x65\xbf\x5e\xa9\x60\x66\xc4\x3e\x95\x07\xe6\x22\x0c\x47\xbc\x02\x71\xad\xcb\xaf\xfc\xe6\xac\x90\xcb\x3c\x8b\x1c\xf7\x48\xc6\xbb\xf9\x71\x08\xdf\xa2\xca\xc4\xb8\x7d\x34\x20\x42\x84\x34\x39\x7e\x07\xf1\x7a\x87\xed\x62\x33\xb3\x9e\x32\xf0", 184); *(uint8_t*)0x20002ff5 = 9; *(uint8_t*)0x20002ff6 = 4; *(uint8_t*)0x20002ff7 = 0x5d; *(uint8_t*)0x20002ff8 = 0x27; *(uint8_t*)0x20002ff9 = 7; *(uint8_t*)0x20002ffa = 0x3f; *(uint8_t*)0x20002ffb = 0x84; *(uint8_t*)0x20002ffc = 0xfd; *(uint8_t*)0x20002ffd = 3; *(uint8_t*)0x20002ffe = 0x10; *(uint8_t*)0x20002fff = 0x24; *(uint8_t*)0x20003000 = 2; *(uint8_t*)0x20003001 = 1; *(uint8_t*)0x20003002 = 0xe2; *(uint8_t*)0x20003003 = 2; *(uint8_t*)0x20003004 = 0x63; *(uint8_t*)0x20003005 = 0x40; memcpy((void*)0x20003006, "\xe7\x21\xcc\x44\xac\xca\x89\x38", 8); *(uint8_t*)0x2000300e = 0xb; *(uint8_t*)0x2000300f = 0x24; *(uint8_t*)0x20003010 = 2; *(uint8_t*)0x20003011 = 1; *(uint8_t*)0x20003012 = 0; *(uint8_t*)0x20003013 = 3; *(uint8_t*)0x20003014 = 1; *(uint8_t*)0x20003015 = 0; memcpy((void*)0x20003016, "\x9e\xf4\x2f", 3); *(uint8_t*)0x20003019 = 7; *(uint8_t*)0x2000301a = 0x24; *(uint8_t*)0x2000301b = 1; *(uint8_t*)0x2000301c = 4; *(uint8_t*)0x2000301d = 1; *(uint16_t*)0x2000301e = 4; *(uint8_t*)0x20003020 = 0xb; *(uint8_t*)0x20003021 = 0x24; *(uint8_t*)0x20003022 = 2; *(uint8_t*)0x20003023 = 1; *(uint8_t*)0x20003024 = 0; *(uint8_t*)0x20003025 = 3; *(uint8_t*)0x20003026 = 0x19; *(uint8_t*)0x20003027 = 6; memcpy((void*)0x20003028, "\x9e", 1); 
memcpy((void*)0x20003029, "\x69\x83", 2); *(uint8_t*)0x2000302b = 9; *(uint8_t*)0x2000302c = 5; *(uint8_t*)0x2000302d = 0xf; *(uint8_t*)0x2000302e = 0; *(uint16_t*)0x2000302f = 0x3ff; *(uint8_t*)0x20003031 = 0xf6; *(uint8_t*)0x20003032 = 5; *(uint8_t*)0x20003033 = 0x80; *(uint8_t*)0x20003034 = 9; *(uint8_t*)0x20003035 = 5; *(uint8_t*)0x20003036 = 1; *(uint8_t*)0x20003037 = 0x10; *(uint16_t*)0x20003038 = 0x10; *(uint8_t*)0x2000303a = 0; *(uint8_t*)0x2000303b = 0x40; *(uint8_t*)0x2000303c = 6; *(uint8_t*)0x2000303d = 7; *(uint8_t*)0x2000303e = 0x25; *(uint8_t*)0x2000303f = 1; *(uint8_t*)0x20003040 = 2; *(uint8_t*)0x20003041 = 0x20; *(uint16_t*)0x20003042 = 6; *(uint8_t*)0x20003044 = 9; *(uint8_t*)0x20003045 = 5; *(uint8_t*)0x20003046 = 0xb; *(uint8_t*)0x20003047 = 8; *(uint16_t*)0x20003048 = 0x10; *(uint8_t*)0x2000304a = 1; *(uint8_t*)0x2000304b = 2; *(uint8_t*)0x2000304c = 0; *(uint8_t*)0x2000304d = 9; *(uint8_t*)0x2000304e = 5; *(uint8_t*)0x2000304f = 0xd; *(uint8_t*)0x20003050 = 0x10; *(uint16_t*)0x20003051 = 0x200; *(uint8_t*)0x20003053 = 4; *(uint8_t*)0x20003054 = 8; *(uint8_t*)0x20003055 = 0xc0; *(uint8_t*)0x20003056 = 0xbb; *(uint8_t*)0x20003057 = 0x31; memcpy((void*)0x20003058, "\x21\x5c\xe6\xab\x8f\x3c\x72\xca\xa3\xab\x13\x26\xf1\x88\x38\x90\x8a\xc6\x0b\xff\xb3\xb5\x07\x48\x14\x4a\xa2\xcb\xc4\xd7\xca\xc5\x6f\x4a\x7b\xb2\xbd\x6c\x96\x96\x74\xa5\xe4\x04\x08\x61\xbb\x21\xba\x5c\xcf\x0f\x82\x2c\x10\x32\xe7\xe3\x72\x9f\x8c\x17\x1f\xc7\xa8\x9b\x53\x40\xb5\x06\x71\x08\xd5\x97\xf1\x78\xaa\x65\x1a\x98\xac\xa4\xd0\x12\xfa\x55\x5a\x69\x56\x83\xb5\x27\xe6\x03\x1f\x1f\x7f\x20\x49\x4b\x25\x0e\x3a\x6c\xd8\xb4\xde\x96\x47\xe1\x50\x04\x98\x67\x09\x7c\x47\xcc\x23\x7c\x61\x2c\xef\xe6\x98\x33\x2f\x1f\xe7\xf0\x2e\x6f\x53\xe8\x45\xb1\xf5\xe7\xb4\xb2\x4a\xd8\x62\x9b\x78\xce\x76\x30\xe2\xd4\x01\x20\xfb\xc3\xf4\x93\x75\xa4\xa0\x86\xde\xdd\x2a\x27\xf0\x6b\x3e\xd3\xd7\x56\xa8\x19\xb9\x7f\x75\x9a\xa5\x4a\xef\x83\xdf\x48\x68\xa9\xe9", 185); *(uint8_t*)0x20003111 = 9; 
*(uint8_t*)0x20003112 = 5; *(uint8_t*)0x20003113 = 3; *(uint8_t*)0x20003114 = 0x12; *(uint16_t*)0x20003115 = 0x3ff; *(uint8_t*)0x20003117 = 0; *(uint8_t*)0x20003118 = 1; *(uint8_t*)0x20003119 = -1; *(uint8_t*)0x2000311a = 0xad; *(uint8_t*)0x2000311b = 0x31; memcpy((void*)0x2000311c, "\x0c\x92\x1d\x3f\x98\x0f\x4e\x53\x14\x7a\x46\xbd\x58\x56\xda\x03\x08\x16\x60\xfb\xed\x7b\x8b\x2d\x38\x9b\xe8\xa0\x38\xe9\x5c\x29\x58\xa4\x77\xed\x5f\xaf\x9e\xf3\x8c\x82\xc3\xab\xea\x25\x44\x59\xed\xb0\xf2\xcf\x28\x62\x35\x03\x40\x87\xad\xb7\x90\x7f\xf1\x92\x64\x0b\x93\x68\x86\xbd\x48\xd3\xa5\x12\x15\x40\x6b\x3a\xa0\xb6\xd8\xf8\xd9\x1d\x83\x0f\x52\x36\xa9\xa8\xbe\x03\xc2\x21\x5f\x01\x21\x31\x96\x8c\x6a\x80\x86\x0a\xe8\x11\x93\x05\x94\x68\x10\x8e\xfd\x4f\x13\x05\x37\x9d\x01\x15\xc7\xec\x66\x7b\x03\x59\x94\x0e\x56\x64\xbf\x7b\x3c\x4a\x5f\x04\xca\x3c\x51\xdb\x9d\x2c\xd4\x17\xe9\x09\x9b\xff\x62\x8b\x8e\x1a\x8e\xd0\xf5\x96\x14\x93\x57\xa0\x8a\xbd\x11\x77\xeb\x97\x73\x53\xeb\x89\x32", 171); *(uint8_t*)0x200031c7 = 0x93; *(uint8_t*)0x200031c8 = 0x11; memcpy((void*)0x200031c9, "\xa8\xe2\x2d\x54\x2a\xe3\xd8\x31\xf3\x37\x21\x1b\xb5\xbe\x12\xa5\xc4\x6e\x5c\xf9\xb5\x56\xd8\x4d\x5a\xf4\xca\xca\x87\x42\xad\x21\x61\x40\x56\x2b\x7e\x54\x21\xe2\x64\x24\x71\xe8\xf5\x0e\xb8\xae\xf0\x62\x12\xb4\x6c\x64\x4a\xe5\x84\x63\xe1\x8b\x3e\x72\xbd\x3e\xca\x60\x60\xfa\x8b\x94\x03\x17\x96\xe5\x5e\xb4\x1d\x3f\x31\x8a\xff\xbf\x08\x1e\xeb\x17\x08\x85\x1e\x72\xfa\xdd\x88\x7e\x03\x30\x13\x43\x19\xf0\xa5\x96\x7e\xda\x65\x7b\xc1\x10\x1f\x74\xde\xba\x42\xe7\x8a\xff\x20\xfb\x5d\x3c\x1f\xe4\x9d\x9a\x05\x46\x57\xb6\xf1\xaf\x3d\x01\x5f\xc1\x6f\xf8\x08\x73\xf3\x26\x69\x08\x43\xdf\x81", 145); *(uint8_t*)0x2000325a = 9; *(uint8_t*)0x2000325b = 5; *(uint8_t*)0x2000325c = 0xf; *(uint8_t*)0x2000325d = 4; *(uint16_t*)0x2000325e = 0x200; *(uint8_t*)0x20003260 = 0; *(uint8_t*)0x20003261 = 0x1f; *(uint8_t*)0x20003262 = 1; *(uint8_t*)0x20003263 = 0x11; *(uint8_t*)0x20003264 = 6; memcpy((void*)0x20003265, 
"\x82\x4b\x7d\x09\x57\xbc\x55\x2d\x22\x4f\xdf\x6b\xff\x63\xa8", 15); *(uint8_t*)0x20003274 = 7; *(uint8_t*)0x20003275 = 0x25; *(uint8_t*)0x20003276 = 1; *(uint8_t*)0x20003277 = 0x80; *(uint8_t*)0x20003278 = 0xfd; *(uint16_t*)0x20003279 = 6; *(uint8_t*)0x2000327b = 9; *(uint8_t*)0x2000327c = 5; *(uint8_t*)0x2000327d = 0; *(uint8_t*)0x2000327e = 0; *(uint16_t*)0x2000327f = 0x20; *(uint8_t*)0x20003281 = 0x1f; *(uint8_t*)0x20003282 = 0xfd; *(uint8_t*)0x20003283 = 3; *(uint32_t*)0x20003400 = 0xa; *(uint32_t*)0x20003404 = 0x200032c0; *(uint8_t*)0x200032c0 = 0xa; *(uint8_t*)0x200032c1 = 6; *(uint16_t*)0x200032c2 = 0x110; *(uint8_t*)0x200032c4 = 0x4d; *(uint8_t*)0x200032c5 = 0x80; *(uint8_t*)0x200032c6 = 0x80; *(uint8_t*)0x200032c7 = 0x20; *(uint8_t*)0x200032c8 = 0xc1; *(uint8_t*)0x200032c9 = 0; *(uint32_t*)0x20003408 = 0x46; *(uint32_t*)0x2000340c = 0x20003300; *(uint8_t*)0x20003300 = 5; *(uint8_t*)0x20003301 = 0xf; *(uint16_t*)0x20003302 = 0x46; *(uint8_t*)0x20003304 = 5; *(uint8_t*)0x20003305 = 0xb; *(uint8_t*)0x20003306 = 0x10; *(uint8_t*)0x20003307 = 1; *(uint8_t*)0x20003308 = 0xc; *(uint16_t*)0x20003309 = 0x35; *(uint8_t*)0x2000330b = 0; *(uint8_t*)0x2000330c = 0xdf; *(uint16_t*)0x2000330d = 9; *(uint8_t*)0x2000330f = 0xf7; *(uint8_t*)0x20003310 = 7; *(uint8_t*)0x20003311 = 0x10; *(uint8_t*)0x20003312 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003313, 0xe, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003314, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003314, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003315, 9, 0, 16); *(uint8_t*)0x20003317 = 0x18; *(uint8_t*)0x20003318 = 0x10; *(uint8_t*)0x20003319 = 0xa; *(uint8_t*)0x2000331a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000331b, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000331b, 0x7fffffe, 5, 27); *(uint16_t*)0x2000331f = 0xff0f; *(uint16_t*)0x20003321 = 0x101; *(uint32_t*)0x20003323 = 0xffc0a0; *(uint32_t*)0x20003327 = 0; *(uint32_t*)0x2000332b = 0xffff0f; *(uint8_t*)0x2000332f = 0x10; *(uint8_t*)0x20003330 = 0x10; 
*(uint8_t*)0x20003331 = 0xa; *(uint8_t*)0x20003332 = 3; STORE_BY_BITMASK(uint32_t, , 0x20003333, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003333, 0x200, 5, 27); *(uint16_t*)0x20003337 = 0xff00; *(uint16_t*)0x20003339 = 1; *(uint32_t*)0x2000333b = 0; *(uint8_t*)0x2000333f = 7; *(uint8_t*)0x20003340 = 0x10; *(uint8_t*)0x20003341 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003342, 0x16, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003343, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003343, 0xe, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003344, 7, 0, 16); *(uint32_t*)0x20003410 = 2; *(uint32_t*)0x20003414 = 4; *(uint32_t*)0x20003418 = 0x20003380; *(uint8_t*)0x20003380 = 4; *(uint8_t*)0x20003381 = 3; *(uint16_t*)0x20003382 = 0x380a; *(uint32_t*)0x2000341c = 4; *(uint32_t*)0x20003420 = 0x200033c0; *(uint8_t*)0x200033c0 = 4; *(uint8_t*)0x200033c1 = 3; *(uint16_t*)0x200033c2 = 0x42f; res = -1; res = syz_usb_connect(4, 0x384, 0x20002f00, 0x20003400); if (res != -1) r[16] = res; break; case 35: *(uint8_t*)0x20003440 = 0x12; *(uint8_t*)0x20003441 = 1; *(uint16_t*)0x20003442 = 0x200; *(uint8_t*)0x20003444 = -1; *(uint8_t*)0x20003445 = -1; *(uint8_t*)0x20003446 = -1; *(uint8_t*)0x20003447 = 0x40; *(uint16_t*)0x20003448 = 0xcf3; *(uint16_t*)0x2000344a = 0x9271; *(uint16_t*)0x2000344c = 0x108; *(uint8_t*)0x2000344e = 1; *(uint8_t*)0x2000344f = 2; *(uint8_t*)0x20003450 = 3; *(uint8_t*)0x20003451 = 1; *(uint8_t*)0x20003452 = 9; *(uint8_t*)0x20003453 = 2; *(uint16_t*)0x20003454 = 0x48; *(uint8_t*)0x20003456 = 1; *(uint8_t*)0x20003457 = 1; *(uint8_t*)0x20003458 = 0; *(uint8_t*)0x20003459 = 0x80; *(uint8_t*)0x2000345a = 0xfa; *(uint8_t*)0x2000345b = 9; *(uint8_t*)0x2000345c = 4; *(uint8_t*)0x2000345d = 0; *(uint8_t*)0x2000345e = 0; *(uint8_t*)0x2000345f = 6; *(uint8_t*)0x20003460 = -1; *(uint8_t*)0x20003461 = 0; *(uint8_t*)0x20003462 = 0; *(uint8_t*)0x20003463 = 0; *(uint8_t*)0x20003464 = 9; *(uint8_t*)0x20003465 = 5; *(uint8_t*)0x20003466 = 1; *(uint8_t*)0x20003467 = 2; *(uint16_t*)0x20003468 = 
0x200; *(uint8_t*)0x2000346a = 0; *(uint8_t*)0x2000346b = 0; *(uint8_t*)0x2000346c = 0; *(uint8_t*)0x2000346d = 9; *(uint8_t*)0x2000346e = 5; *(uint8_t*)0x2000346f = 0x82; *(uint8_t*)0x20003470 = 2; *(uint16_t*)0x20003471 = 0x200; *(uint8_t*)0x20003473 = 0; *(uint8_t*)0x20003474 = 0; *(uint8_t*)0x20003475 = 0; *(uint8_t*)0x20003476 = 9; *(uint8_t*)0x20003477 = 5; *(uint8_t*)0x20003478 = 0x83; *(uint8_t*)0x20003479 = 3; *(uint16_t*)0x2000347a = 0x40; *(uint8_t*)0x2000347c = 1; *(uint8_t*)0x2000347d = 0; *(uint8_t*)0x2000347e = 0; *(uint8_t*)0x2000347f = 9; *(uint8_t*)0x20003480 = 5; *(uint8_t*)0x20003481 = 4; *(uint8_t*)0x20003482 = 3; *(uint16_t*)0x20003483 = 0x40; *(uint8_t*)0x20003485 = 1; *(uint8_t*)0x20003486 = 0; *(uint8_t*)0x20003487 = 0; *(uint8_t*)0x20003488 = 9; *(uint8_t*)0x20003489 = 5; *(uint8_t*)0x2000348a = 5; *(uint8_t*)0x2000348b = 2; *(uint16_t*)0x2000348c = 0x200; *(uint8_t*)0x2000348e = 0; *(uint8_t*)0x2000348f = 0; *(uint8_t*)0x20003490 = 0; *(uint8_t*)0x20003491 = 9; *(uint8_t*)0x20003492 = 5; *(uint8_t*)0x20003493 = 6; *(uint8_t*)0x20003494 = 2; *(uint16_t*)0x20003495 = 0x200; *(uint8_t*)0x20003497 = 0; *(uint8_t*)0x20003498 = 0; *(uint8_t*)0x20003499 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20003440, 0); break; case 36: *(uint32_t*)0x200036c0 = 0x18; *(uint32_t*)0x200036c4 = 0x200034c0; *(uint8_t*)0x200034c0 = 0x20; *(uint8_t*)0x200034c1 = 8; *(uint32_t*)0x200034c2 = 0xd4; *(uint8_t*)0x200034c6 = 0xd4; *(uint8_t*)0x200034c7 = 0x31; memcpy((void*)0x200034c8, 
"\xdd\x9f\xe1\xd6\xf8\xee\x76\xd6\x28\x92\x46\xb5\x27\x7c\xc1\x9f\x3c\x46\x21\xad\xd8\x21\xa7\xf3\xd1\xaa\xe9\x94\xdb\xf4\xb1\xbd\x89\xe8\x77\x07\x34\x76\x8a\xde\x97\xe5\x1d\x24\x8f\x53\xcd\x53\x0b\x31\x11\x9a\xac\xcf\x53\xb6\xf6\xed\xdf\x4b\x8b\xfe\x6a\x1a\x85\x9c\x3d\xc2\x86\xf8\x33\x5c\x9d\x15\xe5\xd5\x16\x9b\x24\x41\x55\x39\x10\x62\xff\x88\x5d\x40\xbe\x37\x07\xb6\xd1\xea\x25\x2a\x96\xd9\x7a\xb2\x4f\xb6\x75\xf5\x45\x57\xcf\xa2\x4d\x80\x5b\x07\x95\x70\x8a\xf5\x06\x5d\x4b\x66\x62\xdf\xd5\x4d\xd5\x9c\xfc\xe1\x67\x3a\xb3\x56\xa2\x54\xf6\xb5\xbc\xe4\x4c\x61\x9a\x17\xff\xce\x8e\xbb\x96\xe0\x83\xc0\x82\x45\x00\x62\xbd\x71\xa2\x06\xca\x92\x1e\x0b\x77\xf5\x17\xc1\x61\x95\x86\xb3\xbc\xa3\xe2\x49\x08\x21\x01\x6c\xc7\x6c\xaf\x96\xc0\xec\x90\x68\xb4\x5e\x23\x34\xed\x9a\x6f\xf0\x6a\x63\x43\xae\x01\xf0\xae\xf6\x12\x7e\xba\xf5\xb5\x2d\x69\xe3", 210); *(uint32_t*)0x200036c8 = 0x200035c0; *(uint8_t*)0x200035c0 = 0; *(uint8_t*)0x200035c1 = 3; *(uint32_t*)0x200035c2 = 4; *(uint8_t*)0x200035c6 = 4; *(uint8_t*)0x200035c7 = 3; *(uint16_t*)0x200035c8 = 0x40e; *(uint32_t*)0x200036cc = 0x20003600; *(uint8_t*)0x20003600 = 0; *(uint8_t*)0x20003601 = 0xf; *(uint32_t*)0x20003602 = 0x28; *(uint8_t*)0x20003606 = 5; *(uint8_t*)0x20003607 = 0xf; *(uint16_t*)0x20003608 = 0x28; *(uint8_t*)0x2000360a = 2; *(uint8_t*)0x2000360b = 3; *(uint8_t*)0x2000360c = 0x10; *(uint8_t*)0x2000360d = 0xb; *(uint8_t*)0x2000360e = 0x20; *(uint8_t*)0x2000360f = 0x10; *(uint8_t*)0x20003610 = 0xa; memcpy((void*)0x20003611, "\x19\x5f\xa2\xf3\x24\xc0\xbe\x96\xda\x3d\xb2\x6a\xfa\x56\x77\x53\x0a\xc0\xfa\xf4\xc6\x82\xbe\x7c\x15\xe9\xa5\x86\x66", 29); *(uint32_t*)0x200036d0 = 0x20003640; *(uint8_t*)0x20003640 = 0x20; *(uint8_t*)0x20003641 = 0x29; *(uint32_t*)0x20003642 = 0xf; *(uint8_t*)0x20003646 = 0xf; *(uint8_t*)0x20003647 = 0x29; *(uint8_t*)0x20003648 = 9; *(uint16_t*)0x20003649 = 1; *(uint8_t*)0x2000364b = 0; *(uint8_t*)0x2000364c = 9; memcpy((void*)0x2000364d, "\x05\x7c\x41\x7e", 4); memcpy((void*)0x20003651, 
"\x8d\xa4\x36\xc4", 4); *(uint32_t*)0x200036d4 = 0x20003680; *(uint8_t*)0x20003680 = 0x20; *(uint8_t*)0x20003681 = 0x2a; *(uint32_t*)0x20003682 = 0xc; *(uint8_t*)0x20003686 = 0xc; *(uint8_t*)0x20003687 = 0x2a; *(uint8_t*)0x20003688 = 0x20; *(uint16_t*)0x20003689 = 0x10; *(uint8_t*)0x2000368b = 0x80; *(uint8_t*)0x2000368c = 0x40; *(uint8_t*)0x2000368d = 0x1f; *(uint16_t*)0x2000368e = 0; *(uint16_t*)0x20003690 = 5; *(uint32_t*)0x20003b40 = 0x44; *(uint32_t*)0x20003b44 = 0x20003700; *(uint8_t*)0x20003700 = 0x60; *(uint8_t*)0x20003701 = 8; *(uint32_t*)0x20003702 = 0x54; memcpy((void*)0x20003706, "\x85\xf9\x88\x04\x52\x78\xf9\x75\x32\xa6\x67\xcb\xee\x9b\x82\x1d\x65\x54\xfb\x1c\x6d\x18\xdf\xfb\x78\x51\x96\xd9\x07\x27\xe1\xb4\x61\x5c\x86\xee\x04\x9a\x16\x96\xb1\x66\x8f\x00\x0e\x62\xd5\x39\xe0\x81\xcf\x07\xe3\x60\x17\x1c\xe6\x1c\xa2\xf9\x56\x44\xb9\xad\x8e\x92\x11\xa1\xb1\x9c\x43\x99\xbd\xfd\x6d\x53\x3b\xf8\x95\x52\x42\x72\x5b\xb4", 84); *(uint32_t*)0x20003b48 = 0x20003780; *(uint8_t*)0x20003780 = 0; *(uint8_t*)0x20003781 = 0xa; *(uint32_t*)0x20003782 = 1; *(uint8_t*)0x20003786 = 1; *(uint32_t*)0x20003b4c = 0x200037c0; *(uint8_t*)0x200037c0 = 0; *(uint8_t*)0x200037c1 = 8; *(uint32_t*)0x200037c2 = 1; *(uint8_t*)0x200037c6 = 0x81; *(uint32_t*)0x20003b50 = 0x20003800; *(uint8_t*)0x20003800 = 0x20; *(uint8_t*)0x20003801 = 0; *(uint32_t*)0x20003802 = 4; *(uint16_t*)0x20003806 = 2; *(uint16_t*)0x20003808 = 0; *(uint32_t*)0x20003b54 = 0x20003840; *(uint8_t*)0x20003840 = 0x20; *(uint8_t*)0x20003841 = 0; *(uint32_t*)0x20003842 = 8; *(uint16_t*)0x20003846 = 0x200; *(uint16_t*)0x20003848 = 0x40; *(uint32_t*)0x2000384a = 0xff; *(uint32_t*)0x20003b58 = 0x20003880; *(uint8_t*)0x20003880 = 0x40; *(uint8_t*)0x20003881 = 7; *(uint32_t*)0x20003882 = 2; *(uint16_t*)0x20003886 = 1; *(uint32_t*)0x20003b5c = 0x200038c0; *(uint8_t*)0x200038c0 = 0x40; *(uint8_t*)0x200038c1 = 9; *(uint32_t*)0x200038c2 = 1; *(uint8_t*)0x200038c6 = 0x81; *(uint32_t*)0x20003b60 = 0x20003900; *(uint8_t*)0x20003900 = 
0x40; *(uint8_t*)0x20003901 = 0xb; *(uint32_t*)0x20003902 = 2; memcpy((void*)0x20003906, "\x8e\xaf", 2); *(uint32_t*)0x20003b64 = 0x20003940; *(uint8_t*)0x20003940 = 0x40; *(uint8_t*)0x20003941 = 0xf; *(uint32_t*)0x20003942 = 2; *(uint16_t*)0x20003946 = 9; *(uint32_t*)0x20003b68 = 0x20003980; *(uint8_t*)0x20003980 = 0x40; *(uint8_t*)0x20003981 = 0x13; *(uint32_t*)0x20003982 = 6; *(uint8_t*)0x20003986 = 0xaa; *(uint8_t*)0x20003987 = 0xaa; *(uint8_t*)0x20003988 = 0xaa; *(uint8_t*)0x20003989 = 0xaa; *(uint8_t*)0x2000398a = 0xaa; *(uint8_t*)0x2000398b = 0x38; *(uint32_t*)0x20003b6c = 0x200039c0; *(uint8_t*)0x200039c0 = 0x40; *(uint8_t*)0x200039c1 = 0x17; *(uint32_t*)0x200039c2 = 6; *(uint8_t*)0x200039c6 = -1; *(uint8_t*)0x200039c7 = -1; *(uint8_t*)0x200039c8 = -1; *(uint8_t*)0x200039c9 = -1; *(uint8_t*)0x200039ca = -1; *(uint8_t*)0x200039cb = -1; *(uint32_t*)0x20003b70 = 0x20003a00; *(uint8_t*)0x20003a00 = 0x40; *(uint8_t*)0x20003a01 = 0x19; *(uint32_t*)0x20003a02 = 2; memcpy((void*)0x20003a06, "{k", 2); *(uint32_t*)0x20003b74 = 0x20003a40; *(uint8_t*)0x20003a40 = 0x40; *(uint8_t*)0x20003a41 = 0x1a; *(uint32_t*)0x20003a42 = 2; *(uint16_t*)0x20003a46 = 0x40; *(uint32_t*)0x20003b78 = 0x20003a80; *(uint8_t*)0x20003a80 = 0x40; *(uint8_t*)0x20003a81 = 0x1c; *(uint32_t*)0x20003a82 = 1; *(uint8_t*)0x20003a86 = 0; *(uint32_t*)0x20003b7c = 0x20003ac0; *(uint8_t*)0x20003ac0 = 0x40; *(uint8_t*)0x20003ac1 = 0x1e; *(uint32_t*)0x20003ac2 = 1; *(uint8_t*)0x20003ac6 = 0xfe; *(uint32_t*)0x20003b80 = 0x20003b00; *(uint8_t*)0x20003b00 = 0x40; *(uint8_t*)0x20003b01 = 0x21; *(uint32_t*)0x20003b02 = 1; *(uint8_t*)0x20003b06 = 0xfa; syz_usb_control_io(r[16], 0x200036c0, 0x20003b40); break; case 37: *(uint8_t*)0x20003bc0 = 0x12; *(uint8_t*)0x20003bc1 = 1; *(uint16_t*)0x20003bc2 = 0x201; *(uint8_t*)0x20003bc4 = 0; *(uint8_t*)0x20003bc5 = 0; *(uint8_t*)0x20003bc6 = 0; *(uint8_t*)0x20003bc7 = 0x10; *(uint16_t*)0x20003bc8 = 0x46d; *(uint16_t*)0x20003bca = 0xc22d; *(uint16_t*)0x20003bcc = 0x40; 
*(uint8_t*)0x20003bce = 1; *(uint8_t*)0x20003bcf = 2; *(uint8_t*)0x20003bd0 = 3; *(uint8_t*)0x20003bd1 = 1; *(uint8_t*)0x20003bd2 = 9; *(uint8_t*)0x20003bd3 = 2; *(uint16_t*)0x20003bd4 = 0x2d; *(uint8_t*)0x20003bd6 = 1; *(uint8_t*)0x20003bd7 = 1; *(uint8_t*)0x20003bd8 = 0; *(uint8_t*)0x20003bd9 = 0x10; *(uint8_t*)0x20003bda = 2; *(uint8_t*)0x20003bdb = 9; *(uint8_t*)0x20003bdc = 4; *(uint8_t*)0x20003bdd = 0; *(uint8_t*)0x20003bde = 0x2f; *(uint8_t*)0x20003bdf = 2; *(uint8_t*)0x20003be0 = 3; *(uint8_t*)0x20003be1 = 1; *(uint8_t*)0x20003be2 = 1; *(uint8_t*)0x20003be3 = 0xfd; *(uint8_t*)0x20003be4 = 9; *(uint8_t*)0x20003be5 = 0x21; *(uint16_t*)0x20003be6 = 9; *(uint8_t*)0x20003be8 = 1; *(uint8_t*)0x20003be9 = 1; *(uint8_t*)0x20003bea = 0x22; *(uint16_t*)0x20003beb = 0x2ff; *(uint8_t*)0x20003bed = 9; *(uint8_t*)0x20003bee = 5; *(uint8_t*)0x20003bef = 0x81; *(uint8_t*)0x20003bf0 = 3; *(uint16_t*)0x20003bf1 = 0x10; *(uint8_t*)0x20003bf3 = 6; *(uint8_t*)0x20003bf4 = -1; *(uint8_t*)0x20003bf5 = 4; *(uint8_t*)0x20003bf6 = 9; *(uint8_t*)0x20003bf7 = 5; *(uint8_t*)0x20003bf8 = 2; *(uint8_t*)0x20003bf9 = 3; *(uint16_t*)0x20003bfa = 8; *(uint8_t*)0x20003bfc = 4; *(uint8_t*)0x20003bfd = 6; *(uint8_t*)0x20003bfe = 0x7f; *(uint32_t*)0x20003cc0 = 0xa; *(uint32_t*)0x20003cc4 = 0x20003c00; *(uint8_t*)0x20003c00 = 0xa; *(uint8_t*)0x20003c01 = 6; *(uint16_t*)0x20003c02 = 0x300; *(uint8_t*)0x20003c04 = 3; *(uint8_t*)0x20003c05 = 2; *(uint8_t*)0x20003c06 = 0xfa; *(uint8_t*)0x20003c07 = 8; *(uint8_t*)0x20003c08 = 0x74; *(uint8_t*)0x20003c09 = 0; *(uint32_t*)0x20003cc8 = 0x28; *(uint32_t*)0x20003ccc = 0x20003c40; *(uint8_t*)0x20003c40 = 5; *(uint8_t*)0x20003c41 = 0xf; *(uint16_t*)0x20003c42 = 0x28; *(uint8_t*)0x20003c44 = 2; *(uint8_t*)0x20003c45 = 3; *(uint8_t*)0x20003c46 = 0x10; *(uint8_t*)0x20003c47 = 0xb; *(uint8_t*)0x20003c48 = 0x20; *(uint8_t*)0x20003c49 = 0x10; *(uint8_t*)0x20003c4a = 0xa; *(uint8_t*)0x20003c4b = 3; STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 5, 0, 5); 
STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 8, 5, 27); *(uint16_t*)0x20003c50 = 0xf00; *(uint16_t*)0x20003c52 = 0xf831; *(uint32_t*)0x20003c54 = 0xc0; *(uint32_t*)0x20003c58 = 0xc0a0; *(uint32_t*)0x20003c5c = 0xff000f; *(uint32_t*)0x20003c60 = 7; *(uint32_t*)0x20003c64 = 0xc0f0; *(uint32_t*)0x20003cd0 = 1; *(uint32_t*)0x20003cd4 = 4; *(uint32_t*)0x20003cd8 = 0x20003c80; *(uint8_t*)0x20003c80 = 4; *(uint8_t*)0x20003c81 = 3; *(uint16_t*)0x20003c82 = 0x436; res = -1; res = syz_usb_connect(4, 0x3f, 0x20003bc0, 0x20003cc0); if (res != -1) r[17] = res; break; case 38: syz_usb_disconnect(r[17]); break; case 39: syz_usb_ep_read(-1, 0x80, 0xc4, 0x20003d00); break; case 40: memcpy((void*)0x20003e00, "\x50\x74\xfa\x81\xf3\xf3\x73\xda\x27\x99\xca\xfb\x26\xb4\x49\x7c\xb3\xc8\x7b\xc0\xf8\x2f\xa7\x88\x54\x68\xbd\x41\x23\x20\x65\xaa\x95\x61\xd2\x4a\xe0\xf1\xd0\xe0\x36\xac\x71\x4a\xc5\xaf\x89\xc6\x9d\x88\x61\xca\xd7\x13\xfc\xb8\xba\xcb\x8c\x4b\x10\xdc\x3b\x6e\xc2\x04\x4c\x01\xf3\x71\xb1\x24\xc0\xa0\xf4\xba\xce\x7d\x51\x79\x87\x2c\xdd\x20\x5e\x09\xc3\xee\xb7\xd5\x57\x7b\x26\xe9\x8f\x84\x55\x4e\xd6", 99); syz_usb_ep_write(r[16], 0x7f, 0x63, 0x20003e00); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } <stdin>: In function ‘syz_io_uring_setup’: <stdin>:248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) <stdin>:248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor569193312 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/3 (0.25s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:false RepeatTimes:0 Procs:0
Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$zero(0xffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x161000, 0x0) ioctl$SNAPSHOT_FREE(r0, 0x3305) syz_genetlink_get_family_id$l2tp(&(0x7f0000000040)='l2tp\x00') openat$dlm_control(0xffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x20000, 0x0) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f00000000c0)=0x17, 0x4) r1 = mmap$IORING_OFF_SQES(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x2000000, 0x1010, r0, 0x10000000) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, r1, &(0x7f00000003c0)=@IORING_OP_RECVMSG={0xa, 0x4, 0x0, r2, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=@x25={0x9, @remote}, 0x80, &(0x7f0000000240)=[{&(0x7f0000000180)=""/147, 0x93}], 0x1, &(0x7f0000000280)=""/202, 0xca}, 0x0, 0x0, 0x1, {0x3, r3}}, 0x10001) ioctl$KDSKBMETA(0xffffffffffffffff, 0x4b63, &(0x7f0000000440)=0x4) syz_emit_ethernet(0x56, &(0x7f0000000000)={@local, @remote, @void, {@canfd={0xd, {{0x3, 0x0, 0x1, 0x1}, 0x11, 0x2, 0x0, 0x0, "f4ebe40216fede5ef6c5310f0413c5d41b32fc23e07fd332a8a5c5f966821da091f47b7b9cf9228727ff7412c2e4a3a1573bb295482d7b4a3effd863cc60f5d8"}}}}, &(0x7f0000000080)={0x0, 0x4, [0xd2d, 0xc61, 0x6d3, 0xbe2]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x1, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x7f, 0x2}}}}, 0xf) syz_execute_func(&(0x7f0000000100)="c4c2cd45f18fe800edb85c2f009ee96436360f2811c4c3c90b6b0787c4c2f1a603f30fa6d0f36f650ffa0ec4c21d2f9f5aac384f3e65f3ab") syz_extract_tcp_res(&(0x7f0000000140), 0x2c, 0x9f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000180)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x3, 0xcc) 
r4 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3000001, 0x80000, 0xffffffffffffffff, 0x0) r5 = syz_io_uring_complete(r4) r6 = io_uring_setup(0x3a3b, &(0x7f00000001c0)={0x0, 0xd9fd, 0x20, 0x0, 0x308, 0x0, 0xffffffffffffffff}) r8 = syz_io_uring_setup(0x17a8, &(0x7f0000000240)={0x0, 0xb18d, 0x15b3e67cab3a8d6e, 0x2, 0x158, 0x0, r7}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f00000002c0), &(0x7f0000000300)) syz_io_uring_setup(0x6b11, &(0x7f0000000340)={0x0, 0x15f8, 0x20, 0x2, 0xd2}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f00000003c0)=0x0, &(0x7f0000000400)=0x0) r11 = socket$bt_rfcomm(0x1f, 0x3, 0x3) r12 = io_uring_register$IORING_REGISTER_PERSONALITY(r5, 0x9, 0x0, 0x0) syz_io_uring_submit(r4, r10, &(0x7f0000001700)=@IORING_OP_RECVMSG={0xa, 0x2, 0x0, r11, 0x0, &(0x7f00000016c0)={&(0x7f0000000440)=@nl=@proc, 0x80, &(0x7f00000015c0)=[{&(0x7f00000004c0)=""/44, 0x2c}, {&(0x7f0000000500)=""/4096, 0x1000}, {&(0x7f0000001500)=""/40, 0x28}, {&(0x7f0000001540)=""/74, 0x4a}], 0x4, &(0x7f0000001600)=""/185, 0xb9}, 0x0, 0x2000, 0x1, {0x3, r12}}, 0xad23946) r13 = fsmount(r5, 0x1, 0x84) ioctl$F2FS_IOC_MOVE_RANGE(r8, 0xc01cf509, &(0x7f0000001740)={r6, 0x3, 0x6, 0x1000}) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000017c0)=[{0x0, &(0x7f0000001780)="e7bed238547695a78957b574bacb6dbc567a3232e76559b4ea3931b608578a24da4c749795975b0ae51da8a86dde75b1d684", 0x32}], 0x1, 0x0, &(0x7f0000001800), 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r9, 0x114, &(0x7f0000001840), 0x0, 0x4) syz_mount_image$afs(&(0x7f0000001880)='afs\x00', &(0x7f00000018c0)='./file0\x00', 0x5, 0x1, &(0x7f0000002900)=[{&(0x7f0000001900)="", 0x1000, 0x9}], 0x20005, &(0x7f0000002940)={[{@flock_openafs='flock=openafs'}, {@dyn='dyn'}, {@autocell='autocell'}, {@dyn='dyn'}, {@flock_openafs='flock=openafs'}, {@source={'source', 0x3d, '&'}}, {@source={'source', 0x3d, 'SEG6\x00'}}], [{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, 
{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@subj_user={'subj_user', 0x3d, 'SEG6\x00'}}, {@smackfstransmute={'smackfstransmute', 0x3d, ':'}}, {@seclabel='seclabel'}]}) syz_open_dev$I2C(&(0x7f0000002a00)='/dev/i2c-#\x00', 0xad8, 0x2a2000) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000002a40)=0x0) syz_open_procfs(r15, &(0x7f0000002a80)='net\x00') syz_open_pts(r13, 0x0) syz_read_part_table(0x1, 0x7, &(0x7f0000002e80)=[{&(0x7f0000002ac0)="7ad3cd802dd0c424945d99ca9ca6e4fbb8f8e3b980d2ec", 0x17, 0x1000}, {&(0x7f0000002b00)="329de80b2b17bbd25d1f1907a9263af3bf05c4a7061e28492a3f71c6343aa5aaea0327a3", 0x24, 0x5}, {&(0x7f0000002b40)="82791dfd311d07db7d65e803ce6ca00028af8ff8d276187e0e14bbf7beab60fc4b70722e91b6322b8e3472191a66176bb0ca91dee60f1506a6d48be4055230c30be94a1043a1d2a06d42166069d8033d6c524c8610b8c4bb63af0ce6d6207137f1be1b62b002e8c35e6467c2423cc6597d1ca58ee31589f0248ac762e24a286a41a761912d34bb56f07db88ca52fce8d128762394fa00faac8451a42c3144bdec7e97296c9eac7c9f63110a3d405c16b0428880024e8c9c8af490b8cfad84cbb637878d634cd84346b60c9132c09660cdc616a0b", 0xd4, 0x7fff}, {&(0x7f0000002c40)="904bbcee2b46daa1ac643b7b6b8ea0ff462feabee541b411a885e470a496cbbdc729ffdebc50807f719cbe808d8b598b4767c7a852d9ce0c880a9b078b0187deac926bd4687a44f092bb", 0x4a, 0x5}, {&(0x7f0000002cc0)="3531ae257e7e0877cde340c42edbfc91dcffaff1284ef08a451e4c76e0cd83b2c0ea10d86bcefa93bbaef5fffbfe7dc70b73b89c55fc3851110d1bd0d1da31753320b111fe7060537e8f65f3c2f05adcb3d66bd2abe6b08aaae0d0eedca9937707ec4cb4874cdfd05800812ab53f9550b25a28ee69e62a0f790fe5233fc8645fc3fe6cae055f2aa1729125170151e86eeab67bb20bc884a1214c2d3d969c34fb239b45feec93ac209721bae7271251c613cea9379c1521", 0xb7, 0x4}, {&(0x7f0000002d80)="c3f04f26929b7a4d6342841fa53a9a8cb8006a97f428", 0x16, 0x6}, 
{&(0x7f0000002dc0)="c9871275e3269ff1bdcd67fb523e1ceb5151b0ede9e032634e36d486046bc31cd978bda59247355316319e768e7ac6be0648bf0fecd13cdad45f713e0e3b74e95eec77063c02a233ea97d338f4b1e9bc5a7cce85528742632ed59cec016f3914dd02ca6b1dc833224895277350cf1f21d6c78f8592717e91233f9026927e0cc3d80cdc57714763a0fcb091f5c69051b55cd2e1fcc33b13d597c5caeeb271c542978a1e17", 0xa4, 0x9c}]) r16 = syz_usb_connect(0x4, 0x384, &(0x7f0000002f00)={{0x12, 0x1, 0x201, 0xa4, 0x61, 0x1e, 0x40, 0xacd, 0x300, 0xc0df, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x372, 0x2, 0x4, 0x1f, 0x0, 0x1, [{{0x9, 0x4, 0x5d, 0xb3, 0x1, 0xad, 0x49, 0x76, 0x20, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x80}]}], [{{0x9, 0x5, 0xd, 0x0, 0x230, 0x5d, 0x1, 0x3f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x2}, @generic={0xba, 0xe, "f4e6e5762883c34df04f356099f1d34bdbc9f5324da648053fd690211b897119c4f3ac197f2aa93f2f3be05f836b1644d5b2327648b30816ed192f943dfce225f69d77c51565e177fd889c9c9d8c85b92ee4bead0e889446bbc320a40fa24807f476bfd1f1b3096e3370f755c94aa01c3be4ddc7952a5694bcad4beb4065bf5ea96066c43e9507e6220c47bc0271adcbaffce6ac90cb3c8b1cf748c6bbf97108dfa2cac4b87d3420428434397e07f17a87ed6233b39e32f0"}]}}]}}, {{0x9, 0x4, 0x5d, 0x27, 0x7, 0x3f, 0x84, 0xfd, 0x3, [@uac_as={[@format_type_i_discrete={0x10, 0x24, 0x2, 0x1, 0xe2, 0x2, 0x63, 0x40, "e721cc44acca8938"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x1, 0x0, "9ef42f"}, @as_header={0x7, 0x24, 0x1, 0x4, 0x1, 0x4}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x19, 0x6, "9e", "6983"}]}, @uac_as], [{{0x9, 0x5, 0xf, 0x0, 0x3ff, 0xf6, 0x5, 0x80}}, {{0x9, 0x5, 0x1, 0x10, 0x10, 0x0, 0x40, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x20, 0x6}]}}, {{0x9, 0x5, 0xb, 0x8, 0x10, 0x1, 0x2}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x4, 0x8, 0xc0, [@generic={0xbb, 0x31, 
"215ce6ab8f3c72caa3ab1326f18838908ac60bffb3b50748144aa2cbc4d7cac56f4a7bb2bd6c969674a5e4040861bb21ba5ccf0f822c1032e7e3729f8c171fc7a89b5340b5067108d597f178aa651a98aca4d012fa555a695683b527e6031f1f7f20494b250e3a6cd8b4de9647e150049867097c47cc237c612cefe698332f1fe7f02e6f53e845b1f5e7b4b24ad8629b78ce7630e2d40120fbc3f49375a4a086dedd2a27f06b3ed3d756a819b97f759aa54aef83df4868a9e9"}]}}, {{0x9, 0x5, 0x3, 0x12, 0x3ff, 0x0, 0x1, 0xff, [@generic={0xad, 0x31, "0c921d3f980f4e53147a46bd5856da03081660fbed7b8b2d389be8a038e95c2958a477ed5faf9ef38c82c3abea254459edb0f2cf286235034087adb7907ff192640b936886bd48d3a51215406b3aa0b6d8f8d91d830f5236a9a8be03c2215f012131968c6a80860ae81193059468108efd4f1305379d0115c7ec667b0359940e5664bf7b3c4a5f04ca3c51db9d2cd417e9099bff628b8e1a8ed0f596149357a08abd1177eb977353eb8932"}, @generic={0x93, 0x11, "a8e22d542ae3d831f337211bb5be12a5c46e5cf9b556d84d5af4caca8742ad216140562b7e5421e2642471e8f50eb8aef06212b46c644ae58463e18b3e72bd3eca6060fa8b94031796e55eb41d3f318affbf081eeb1708851e72fadd887e0330134319f0a5967eda657bc1101f74deba42e78aff20fb5d3c1fe49d9a054657b6f1af3d015fc16ff80873f326690843df81"}]}}, {{0x9, 0x5, 0xf, 0x4, 0x200, 0x0, 0x1f, 0x1, [@generic={0x11, 0x6, "824b7d0957bc552d224fdf6bff63a8"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x6}]}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x1f, 0xfd, 0x3}}]}}]}}]}}, &(0x7f0000003400)={0xa, &(0x7f00000032c0)={0xa, 0x6, 0x110, 0x4d, 0x80, 0x80, 0x20, 0xc1}, 0x46, &(0x7f0000003300)={0x5, 0xf, 0x46, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x35, 0x0, 0xdf, 0x9, 0xf7}, @ext_cap={0x7, 0x10, 0x2, 0xe, 0xb, 0x6, 0x9}, @ssp_cap={0x18, 0x10, 0xa, 0x1, 0x3, 0x7fffffe, 0xff0f, 0x101, [0xffc0a0, 0x0, 0xffff0f]}, @ssp_cap={0x10, 0x10, 0xa, 0x3, 0x1, 0x200, 0xff00, 0x1, [0x0]}, @ext_cap={0x7, 0x10, 0x2, 0x16, 0x8, 0xe, 0x7}]}, 0x2, [{0x4, &(0x7f0000003380)=@lang_id={0x4, 0x3, 0x380a}}, {0x4, &(0x7f00000033c0)=@lang_id={0x4, 0x3, 0x42f}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000003440)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 
0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r16, &(0x7f00000036c0)={0x18, &(0x7f00000034c0)={0x20, 0x8, 0xd4, {0xd4, 0x31, "dd9fe1d6f8ee76d6289246b5277cc19f3c4621add821a7f3d1aae994dbf4b1bd89e8770734768ade97e51d248f53cd530b31119aaccf53b6f6eddf4b8bfe6a1a859c3dc286f8335c9d15e5d5169b244155391062ff885d40be3707b6d1ea252a96d97ab24fb675f54557cfa24d805b0795708af5065d4b6662dfd54dd59cfce1673ab356a254f6b5bce44c619a17ffce8ebb96e083c082450062bd71a206ca921e0b77f517c1619586b3bca3e2490821016cc76caf96c0ec9068b45e2334ed9a6ff06a6343ae01f0aef6127ebaf5b52d69e3"}}, &(0x7f00000035c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40e}}, &(0x7f0000003600)={0x0, 0xf, 0x28, {0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @generic={0x20, 0x10, 0xa, "195fa2f324c0be96da3db26afa5677530ac0faf4c682be7c15e9a58666"}]}}, &(0x7f0000003640)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x1, 0x0, 0x9, "057c417e", "8da436c4"}}, &(0x7f0000003680)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x20, 0x10, 0x80, 0x40, 0x1f, 0x0, 0x5}}}, &(0x7f0000003b40)={0x44, &(0x7f0000003700)={0x60, 0x8, 0x54, "85f988045278f97532a667cbee9b821d6554fb1c6d18dffb785196d90727e1b4615c86ee049a1696b1668f000e62d539e081cf07e360171ce61ca2f95644b9ad8e9211a1b19c4399bdfd6d533bf8955242725bb4"}, &(0x7f0000003780)={0x0, 0xa, 0x1, 0x1}, &(0x7f00000037c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000003800)={0x20, 0x0, 0x4, {0x2}}, &(0x7f0000003840)={0x20, 0x0, 0x8, {0x200, 0x40, [0xff]}}, &(0x7f0000003880)={0x40, 0x7, 0x2, 0x1}, &(0x7f00000038c0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000003900)={0x40, 0xb, 0x2, "8eaf"}, &(0x7f0000003940)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000003980)={0x40, 0x13, 0x6, @dev={[], 0x38}}, &(0x7f00000039c0)={0x40, 0x17, 0x6, @broadcast}, &(0x7f0000003a00)={0x40, 0x19, 0x2, '{k'}, &(0x7f0000003a40)={0x40, 0x1a, 0x2, 0x40}, &(0x7f0000003a80)={0x40, 0x1c, 0x1}, &(0x7f0000003ac0)={0x40, 0x1e, 0x1, 0xfe}, &(0x7f0000003b00)={0x40, 0x21, 0x1, 0xfa}}) r17 = syz_usb_connect$hid(0x4, 0x3f, &(0x7f0000003bc0)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x46d, 
0xc22d, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x10, 0x2, [{{0x9, 0x4, 0x0, 0x2f, 0x2, 0x3, 0x1, 0x1, 0xfd, {0x9, 0x21, 0x9, 0x1, 0x1, {0x22, 0x2ff}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0x6, 0xff, 0x4}}, [{{0x9, 0x5, 0x2, 0x3, 0x8, 0x4, 0x6, 0x7f}}]}}}]}}]}}, &(0x7f0000003cc0)={0xa, &(0x7f0000003c00)={0xa, 0x6, 0x300, 0x3, 0x2, 0xfa, 0x8, 0x74}, 0x28, &(0x7f0000003c40)={0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x3, 0x5, 0x8, 0xf00, 0xf831, [0xc0, 0xc0a0, 0xff000f, 0x7, 0xc0f0]}]}, 0x1, [{0x4, &(0x7f0000003c80)=@lang_id={0x4, 0x3, 0x436}}]}) syz_usb_disconnect(r17) syz_usb_ep_read(0xffffffffffffffff, 0x80, 0xc4, &(0x7f0000003d00)=""/196) syz_usb_ep_write(r16, 0x7f, 0x63, &(0x7f0000003e00)="5074fa81f3f373da2799cafb26b4497cb3c87bc0f82fa7885468bd41232065aa9561d24ae0f1d0e036ac714ac5af89c69d8861cad713fcb8bacb8c4b10dc3b6ec2044c01f371b124c0a0f4bace7d5179872cdd205e09c3eeb7d5577b26e98f84554ed6") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 
<< 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t 
bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += 
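desc_length;
	}
	return true;
}

/*
 * Claims the next slot of usb_devices for fd and indexes the descriptor blob
 * dev/dev_len into it.
 *
 * The slot number comes from an atomic increment of usb_devices_num, so a
 * slot is consumed even when parsing fails. fd is published with a release
 * store only after the index has been filled in, which pairs with the acquire
 * load in lookup_usb_index().
 *
 * Returns the slot's index, or NULL when all USB_MAX_FDS slots are taken or
 * parse_usb_descriptor() rejects the blob.
 */
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

/*
 * Returns the descriptor index registered for fd, or NULL if no slot holds it.
 *
 * NOTE(review): usb_devices is a static array, so unused slots start with
 * fd == 0; a lookup for fd 0 would match an unused slot. Presumably fd 0 is
 * never a raw-gadget descriptor here - confirm against callers.
 */
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

/* One caller-supplied string descriptor: length plus pointer to its bytes. */
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

/*
 * Optional caller-supplied descriptors used while answering the enumeration
 * requests: device qualifier, BOS, and strs_len string descriptors.
 */
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptor ("syz" in UTF-16LE); byte 0 is its length. */
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

/* Fallback language-ID descriptor (0x0409); byte 0 is its length. */
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

/*
 * Picks the reply for a device-to-host (IN) control request received while
 * the emulated device is being enumerated.
 *
 * Only standard GET_DESCRIPTOR requests are answered. On success
 * *response_data / *response_length describe the bytes to send and true is
 * returned; false means the caller has nothing to send (the visible caller
 * stalls EP0 in that case).
 *
 * descs may be NULL: the STRING case already tolerated that, and the BOS and
 * DEVICE_QUALIFIER cases now do too instead of dereferencing it.
 *
 * The synthesized device qualifier is built in a thread-local buffer. The
 * previous code built it at the address of the caller's response_data
 * pointer variable, which is smaller than the descriptor, so the write ran
 * past that variable on the caller's stack and left *response_data holding
 * descriptor bytes instead of a valid address.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* High byte of wValue selects the descriptor type. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				/* Low byte of wValue is the string index. */
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/* No caller-supplied descriptors means no BOS to report. */
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					/*
					 * Derive the qualifier from the device descriptor.
					 * Thread-local storage keeps the buffer alive after
					 * return without sharing it between threads.
					 */
					static __thread struct usb_qualifier_descriptor qual_buf;
					struct usb_qualifier_descriptor* qual = &qual_buf;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/*
 * Handler type for host-to-device (OUT) control requests during enumeration.
 * Returns true if the request is accepted; sets *done when enumeration is
 * considered finished.
 */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/* Generic OUT handler: accepts SET_CONFIGURATION and marks enumeration done. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

/*
 * ath9k OUT handler: accepts SET_CONFIGURATION and the vendor firmware
 * download requests; enumeration is done on ATH9K_FIRMWARE_DOWNLOAD_COMP.
 */
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return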
true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return 
true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int 
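usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	/*
	 * NOTE(review): strncpy() leaves the field unterminated when the source
	 * is at least sizeof(field) bytes long. The visible caller passes short
	 * strings, so this is only a concern if other callers appear.
	 */
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

/* Thin wrappers: each issues exactly one raw-gadget ioctl and returns its result. */

static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Returns the position in index->ifaces of the interface with the given
 * number and alternate setting, or -1 if fd is unknown or nothing matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;
	if (!index)
		return -1;
	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/*
 * Returns the raw-gadget handle of the endpoint with address
 * bEndpointAddress on the currently selected interface, or -1 if fd is
 * unknown, no interface is selected, or no endpoint has that address.
 *
 * The scan is bounded by eps_num. The loop condition used to be the bare
 * value of eps_num, so with at least one endpoint and no match the index ran
 * past the end of eps[] and kept reading adjacent memory.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return -1;
	/* Same range check set_interface() applies before using iface_cur. */
	if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
		return -1;
	const struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	for (ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}

/*
 * Switches the device behind fd to interface slot n: disables every endpoint
 * of the current interface, then enables those of interface n and records
 * the handles returned by the enable ioctl. Failures of individual ioctls
 * are ignored. An out-of-range n only performs the disable step.
 */
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
			if (rv < 0) {
			} else {
			}
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv < 0) {
			} else {
				/* The enable ioctl's return value is the endpoint handle. */
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}

/*
 * Reports the configured power draw, marks the gadget configured and selects
 * interface slot 0. Returns 0 on success, -1 for an unknown fd, or the
 * failing ioctl's result.
 */
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

/* Event header followed by room for a control request and its payload. */
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

/* Endpoint I/O header followed by a fixed USB_MAX_PACKET_SIZE data buffer. */
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

/*
 * Opens a raw-gadget device, registers the descriptor blob for it and starts
 * the gadget. The function continues past this point.
 *
 * NOTE(review): the failure returns after usb_raw_open() shown here do not
 * close fd, except for the fd >= MAX_FDS case.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done =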
false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = 
a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct 
usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? 
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, 
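NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	/*
	 * NOTE(review): the walk trusts attr->nla_len from the reply; it does not
	 * check that the value is non-zero or that the attribute payload lies
	 * within the n bytes received.
	 */
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

/* One chunk of a filesystem image: size bytes from data placed at offset. */
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

/*
 * Clamps the segment list in place so that every segment fits inside an
 * image of at most IMAGE_MAX_SIZE bytes, and returns the image size to use.
 *
 * size:     requested image size.
 * nsegs:    number of entries in the segment array.
 * segments: address of an array of struct fs_image_segment (modified).
 *
 * The returned size is grown to cover the end of every checked segment
 * (offset + size) and capped at IMAGE_MAX_SIZE. The growth step used to add
 * the offset to itself, which ignored the segment length and could return a
 * size smaller than the data written afterwards.
 *
 * Only the first IMAGE_MAX_SEGMENTS entries are checked. The cap on nsegs is
 * local to this function, so a caller that iterates with its own, larger
 * nsegs will use entries that were not clamped here.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		/* After this, offset + size <= IMAGE_MAX_SIZE, so the sum cannot wrap. */
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

/*
 * Builds an in-memory image from the segment list and attaches it to this
 * process's loop device. The function continues past this point.
 */
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	/* NOTE(review): iterates over the caller's nsegs, not the capped count. */
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if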
(loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; 
} } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, 
{"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, call, thread; for (call = 0; call < 41; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); 
event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } #ifndef __NR_fsmount #define __NR_fsmount 432 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_socket #define __NR_socket 359 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[18] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/zero\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x161000, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, (intptr_t)r[0], 0x3305, 0); break; case 2: memcpy((void*)0x20000040, "l2tp\000", 5); syz_genetlink_get_family_id(0x20000040); break; case 3: memcpy((void*)0x20000080, "/dev/dlm-control\000", 17); syscall(__NR_openat, 0xffffff9c, 0x20000080, 0x20000, 0); break; case 4: *(uint32_t*)0x200000c0 = 0x17; syscall(__NR_setsockopt, (intptr_t)r[0], 0x10e, 2, 0x200000c0, 4); break; case 5: res = syscall(__NR_mmap, 0x20ffa000, 0x4000, 
0x2000000, 0x1010, (intptr_t)r[0], 0x10000000); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_socket, 0x23, 5, 2); if (res != -1) r[2] = res; break; case 7: res = syscall(__NR_io_uring_register, -1, 9, 0, 0); if (res != -1) r[3] = res; break; case 8: *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0; *(uint32_t*)0x200003c4 = r[2]; *(uint64_t*)0x200003c8 = 0; *(uint32_t*)0x200003d0 = 0x20000380; *(uint32_t*)0x20000380 = 0x20000100; *(uint32_t*)0x20000384 = 0x80; *(uint32_t*)0x20000388 = 0x20000240; *(uint32_t*)0x20000240 = 0x20000180; *(uint32_t*)0x20000244 = 0x93; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x20000280; *(uint32_t*)0x20000394 = 0xca; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x200003d4 = 0; *(uint32_t*)0x200003d8 = 0; *(uint64_t*)0x200003dc = 1; *(uint16_t*)0x200003e4 = 3; *(uint16_t*)0x200003e6 = r[3]; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; syz_io_uring_submit(0, r[1], 0x200003c0, 0x10001); break; case 9: *(uint32_t*)0x20000440 = 4; syscall(__NR_ioctl, -1, 0x4b63, 0x20000440); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0xaa; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0xd); 
STORE_BY_BITMASK(uint32_t, , 0x2000000e, 3, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 31, 1); *(uint8_t*)0x20000012 = 0x11; *(uint8_t*)0x20000013 = 2; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; memcpy((void*)0x20000016, "\xf4\xeb\xe4\x02\x16\xfe\xde\x5e\xf6\xc5\x31\x0f\x04\x13\xc5\xd4\x1b\x32\xfc\x23\xe0\x7f\xd3\x32\xa8\xa5\xc5\xf9\x66\x82\x1d\xa0\x91\xf4\x7b\x7b\x9c\xf9\x22\x87\x27\xff\x74\x12\xc2\xe4\xa3\xa1\x57\x3b\xb2\x95\x48\x2d\x7b\x4a\x3e\xff\xd8\x63\xcc\x60\xf5\xd8", 64); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0xd2d; *(uint32_t*)0x2000008c = 0xc61; *(uint32_t*)0x20000090 = 0x6d3; *(uint32_t*)0x20000094 = 0xbe2; break; case 11: *(uint8_t*)0x200000c0 = 2; STORE_BY_BITMASK(uint16_t, , 0x200000c1, 0xc9, 0, 12); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 3, 4, 2); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 1, 6, 2); *(uint16_t*)0x200000c3 = 0xa; *(uint16_t*)0x200000c5 = 6; *(uint16_t*)0x200000c7 = 5; *(uint8_t*)0x200000c9 = 0x13; *(uint8_t*)0x200000ca = 0x7f; *(uint16_t*)0x200000cb = 2; *(uint16_t*)0x200000cd = 0; break; case 12: memcpy((void*)0x20000100, "\xc4\xc2\xcd\x45\xf1\x8f\xe8\x00\xed\xb8\x5c\x2f\x00\x9e\xe9\x64\x36\x36\x0f\x28\x11\xc4\xc3\xc9\x0b\x6b\x07\x87\xc4\xc2\xf1\xa6\x03\xf3\x0f\xa6\xd0\xf3\x6f\x65\x0f\xfa\x0e\xc4\xc2\x1d\x2f\x9f\x5a\xac\x38\x4f\x3e\x65\xf3\xab", 56); syz_execute_func(0x20000100); break; case 13: break; case 14: memcpy((void*)0x20000180, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000180); break; case 15: syz_init_net_socket(3, 3, 0xcc); break; case 16: res = syscall(__NR_mmap, 0x20ffd000, 0x2000, 0x3000001, 0x80000, -1, 0); if (res != -1) r[4] = res; break; case 17: res = -1; res = syz_io_uring_complete(r[4]); if (res != -1) r[5] = res; break; case 18: *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0xd9fd; *(uint32_t*)0x200001c8 = 0x20; *(uint32_t*)0x200001cc 
= 0; *(uint32_t*)0x200001d0 = 0x308; *(uint32_t*)0x200001d4 = 0; *(uint32_t*)0x200001d8 = -1; *(uint32_t*)0x200001dc = 0; *(uint32_t*)0x200001e0 = 0; *(uint32_t*)0x200001e4 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint32_t*)0x200001f8 = 0; *(uint32_t*)0x200001fc = 0; *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; res = syscall(__NR_io_uring_setup, 0x3a3b, 0x200001c0); if (res != -1) { r[6] = res; r[7] = *(uint32_t*)0x200001d8; } break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xb18d; *(uint32_t*)0x20000248 = 0xab3a8d6e; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000250 = 0x158; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = r[7]; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = -1; res = syz_io_uring_setup(0x17a8, 0x20000240, 0x20ffb000, 0x20ffd000, 0x200002c0, 0x20000300); if (res != -1) r[8] = res; break; case 20: *(uint32_t*)0x20000340 = 0; *(uint32_t*)0x20000344 = 0x15f8; *(uint32_t*)0x20000348 = 0x20; *(uint32_t*)0x2000034c = 2; 
*(uint32_t*)0x20000350 = 0xd2; *(uint32_t*)0x20000354 = 0; *(uint32_t*)0x20000358 = -1; *(uint32_t*)0x2000035c = 0; *(uint32_t*)0x20000360 = 0; *(uint32_t*)0x20000364 = 0; *(uint32_t*)0x20000368 = 0; *(uint32_t*)0x2000036c = 0; *(uint32_t*)0x20000370 = 0; *(uint32_t*)0x20000374 = 0; *(uint32_t*)0x20000378 = 0; *(uint32_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = 0; *(uint32_t*)0x2000038c = 0; *(uint32_t*)0x20000390 = 0; *(uint32_t*)0x20000394 = 0; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x2000039c = 0; *(uint32_t*)0x200003a0 = 0; *(uint32_t*)0x200003a4 = 0; *(uint32_t*)0x200003a8 = 0; *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = 0; *(uint32_t*)0x200003b4 = 0; res = -1; res = syz_io_uring_setup(0x6b11, 0x20000340, 0x20ffb000, 0x20ffb000, 0x200003c0, 0x20000400); if (res != -1) { r[9] = *(uint64_t*)0x200003c0; r[10] = *(uint64_t*)0x20000400; } break; case 21: res = syscall(__NR_socket, 0x1f, 3, 3); if (res != -1) r[11] = res; break; case 22: res = syscall(__NR_io_uring_register, (intptr_t)r[5], 9, 0, 0); if (res != -1) r[12] = res; break; case 23: *(uint8_t*)0x20001700 = 0xa; *(uint8_t*)0x20001701 = 2; *(uint16_t*)0x20001702 = 0; *(uint32_t*)0x20001704 = r[11]; *(uint64_t*)0x20001708 = 0; *(uint32_t*)0x20001710 = 0x200016c0; *(uint32_t*)0x200016c0 = 0x20000440; *(uint32_t*)0x200016c4 = 0x80; *(uint32_t*)0x200016c8 = 0x200015c0; *(uint32_t*)0x200015c0 = 0x200004c0; *(uint32_t*)0x200015c4 = 0x2c; *(uint32_t*)0x200015c8 = 0x20000500; *(uint32_t*)0x200015cc = 0x1000; *(uint32_t*)0x200015d0 = 0x20001500; *(uint32_t*)0x200015d4 = 0x28; *(uint32_t*)0x200015d8 = 0x20001540; *(uint32_t*)0x200015dc = 0x4a; *(uint32_t*)0x200016cc = 4; *(uint32_t*)0x200016d0 = 0x20001600; *(uint32_t*)0x200016d4 = 0xb9; *(uint32_t*)0x200016d8 = 0; *(uint32_t*)0x20001714 = 0; *(uint32_t*)0x20001718 = 0x2000; *(uint64_t*)0x2000171c = 1; *(uint16_t*)0x20001724 = 3; *(uint16_t*)0x20001726 = r[12]; *(uint8_t*)0x20001728 = 0; 
*(uint8_t*)0x20001729 = 0; *(uint8_t*)0x2000172a = 0; *(uint8_t*)0x2000172b = 0; *(uint8_t*)0x2000172c = 0; *(uint8_t*)0x2000172d = 0; *(uint8_t*)0x2000172e = 0; *(uint8_t*)0x2000172f = 0; *(uint8_t*)0x20001730 = 0; *(uint8_t*)0x20001731 = 0; *(uint8_t*)0x20001732 = 0; *(uint8_t*)0x20001733 = 0; *(uint8_t*)0x20001734 = 0; *(uint8_t*)0x20001735 = 0; *(uint8_t*)0x20001736 = 0; *(uint8_t*)0x20001737 = 0; *(uint8_t*)0x20001738 = 0; *(uint8_t*)0x20001739 = 0; *(uint8_t*)0x2000173a = 0; *(uint8_t*)0x2000173b = 0; syz_io_uring_submit(r[4], r[10], 0x20001700, 0xad23946); break; case 24: res = syscall(__NR_fsmount, (intptr_t)r[5], 1, 0x84); if (res != -1) r[13] = res; break; case 25: *(uint32_t*)0x20001740 = r[6]; *(uint64_t*)0x20001744 = 3; *(uint64_t*)0x2000174c = 6; *(uint64_t*)0x20001754 = 0x1000; res = syscall(__NR_ioctl, (intptr_t)r[8], 0xc01cf509, 0x20001740); if (res != -1) r[14] = *(uint32_t*)0x20001740; break; case 26: *(uint32_t*)0x200017c0 = 0; *(uint32_t*)0x200017c4 = 0x20001780; memcpy((void*)0x20001780, "\xe7\xbe\xd2\x38\x54\x76\x95\xa7\x89\x57\xb5\x74\xba\xcb\x6d\xbc\x56\x7a\x32\x32\xe7\x65\x59\xb4\xea\x39\x31\xb6\x08\x57\x8a\x24\xda\x4c\x74\x97\x95\x97\x5b\x0a\xe5\x1d\xa8\xa8\x6d\xde\x75\xb1\xd6\x84", 50); *(uint32_t*)0x200017c8 = 0x32; *(uint64_t*)0x20001800 = 1; *(uint64_t*)0x20001808 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x200017c0, 1, 0, 0x20001800, 1); break; case 27: *(uint32_t*)0x20001840 = 0; syz_memcpy_off(r[9], 0x114, 0x20001840, 0, 4); break; case 28: memcpy((void*)0x20001880, "afs\000", 4); memcpy((void*)0x200018c0, "./file0\000", 8); *(uint32_t*)0x20002900 = 0x20001900; memcpy((void*)0x20001900, 
"\xf1\xfd\x85\xc4\x6a\x07\x34\x5a\x88\x13\x28\x7b\x13\xf2\x1a\x08\x40\x90\x39\x26\xae\xf8\xfa\x2c\xb5\xf6\xe0\x10\xd1\x4f\x70\x30\x37\x67\x97\x11\x5f\xff\x5a\x94\x80\x41\x34\x8d\x82\x7d\xbd\x67\x8e\x20\x92\x8d\xc4\xb2\x24\xe0\xec\x33\xe5\x0b\xf6\x99\xf1\xed\x1e\x39\xdf\x43\xd8\x99\xeb\x1a\x37\xc8\xd1\x16\x31\xe7\xb7\x75\xfc\x82\x61\x19\x01\xef\x7d\xb3\x71\x4e\x0e\xf5\x9b\x98\xd9\xd7\xd9\x11\x4b\xa1\xba\x76\xa7\x2e\xdc\x93\x80\x33\x59\xb9\x99\x4b\x50\x4f\x9e\x77\x90\x37\x5f\xa5\x0f\xce\xab\x9c\x0f\x21\x03\x85\x72\x2f\x2a\x05\x4c\x09\xfe\xcf\x4a\x04\xcc\xfa\xca\xac\x9d\x40\xbe\xbb\x2e\x2b\xcc\x94\x8d\x32\x72\x63\xb0\xfa\x73\x5b\x75\x3f\xa3\x67\xf5\x53\x13\xbd\x6d\xf7\x47\x6a\x99\x61\xbe\xf3\xe5\x80\x6a\xe5\x3b\xf7\x23\x34\x74\xb6\x37\x26\x6e\x9f\xd6\x94\xfb\x30\xa5\x03\xfb\xa0\x53\xc4\x65\x62\x93\x6b\xb3\xb8\xfd\xd3\x8d\xa2\x3e\x72\x25\x86\x8f\x8c\xf1\xe7\xd2\x7c\xac\xb6\x90\x75\x65\x7b\x3c\xa8\x0f\x8b\xe0\xb8\xe0\x43\xdb\x62\x0f\x08\x72\x23\x1b\x8a\x31\x08\xc4\xa1\x0b\x8b\x72\x3b\x64\x6b\x3c\x6d\x5f\x37\x05\x58\x64\x09\x24\xa9\x3b\xa2\x5d\xb1\x74\x6c\xf2\xea\x14\x1b\x03\x85\xac\x0c\xf9\xe7\xac\xc8\xfd\xdd\x8e\xe3\x2f\xb9\x88\x49\x1e\x45\x45\x64\xeb\x14\x2e\xc8\x40\x24\x38\xdd\xb1\xd0\xbe\xd6\xd2\x85\xa2\xa4\x08\xa9\xed\xc5\x27\x76\xe3\xae\x70\x21\xc1\x09\x43\xee\xf0\xaf\x02\x70\x37\x22\x13\x62\x7d\xd4\x25\x3d\x95\xa3\x6a\xcd\x29\xf8\x09\x5c\x64\x28\xf1\xc4\x6c\x3e\xb2\x12\x27\xd0\x46\x06\xb5\xc9\x22\x54\xe9\xce\x3e\x22\x0a\x8b\x8a\x28\x1c\x8d\x8e\x9c\x83\x07\x9e\xa1\xdf\x4a\x90\xdb\x9f\x08\xa5\x8c\x80\x3d\x8e\xc2\xbf\xcc\x99\xf1\xac\xd5\xf0\x62\x50\x43\xeb\x4a\x83\x17\x9e\x2d\x37\xc0\x76\x57\xe4\xb7\x47\xad\xcb\x09\x79\xa2\x30\xde\xa4\xf0\x79\xf2\x20\x84\x87\x09\xf2\xbb\x38\xc3\x4a\x22\xc5\xb3\xca\xf9\x4a\x02\xfc\x5f\x1c\x4d\x01\x3c\x16\x5a\xbf\x74\xbe\xd9\xd0\x28\xa5\xd8\x4e\xc1\x50\x37\x7f\x49\x8e\xe0\xe2\xa8\x6b\xf0\x4b\x97\xee\x40\xaf\x98\x82\xbf\xad\xec\xf5\xe1\x25\xfc\x90\x9d\x25\x0d\x92\xa3\x11\x66\xd6\x11\x21\xb5\x36\x45\x24\xb6\x35\x1e\x0b\x6a\x66\xdc\xde\xe
b\x52\x49\xeb\xab\xb8\x65\xf1\xf4\xa1\xa8\x0a\xda\x5d\x69\x5d\x3a\x37\xb2\x14\xc9\xf0\xd9\x25\x07\xdb\x1b\x8d\x80\x8a\x96\xf0\x89\x02\xef\x8c\x97\xe2\x2b\x75\x49\x75\x38\xf5\x4f\xf9\x44\xa1\x91\x42\xb6\xae\x1b\x86\x36\x50\x0e\x2f\x39\x20\xa3\xab\x34\x1d\x8d\x1d\xb2\x2d\xc6\x4e\x1d\x68\x38\x21\x62\xb4\x89\xea\xad\xe6\x68\xba\x38\xe6\xe7\xec\xf6\x16\x26\xc7\x19\x37\x8a\x8e\xbf\x08\xec\x3d\x5d\xa6\x71\x64\x61\xe2\x06\x86\x9b\x33\x5c\xcb\xaf\xbc\x73\x64\x99\x83\x79\xd8\x94\xb9\xc6\x04\x41\xd9\x87\x97\xef\xf0\xd0\x4c\xe3\xfb\xf4\x19\xeb\x9c\x5c\x77\x8d\xbd\xc6\x03\x1b\x19\xfe\xa1\x3a\xdf\x11\x1d\xd4\x96\x28\x09\x3d\xa4\x1c\xe2\x52\x59\x5e\xa3\xd0\xb6\xdd\x96\x36\x4f\xe2\xe3\x75\x04\xbc\x66\x17\x04\x4f\xf1\xd0\xd2\x7f\x75\x9d\x1f\xaa\x8a\xe8\x54\xa1\x72\xda\x0b\x22\x73\x05\xbc\x63\x0a\x46\xb8\xe5\xbb\x9f\x8a\xa4\x0b\x95\xa4\xb6\xd5\xc3\x7b\xdd\xd0\x96\x8e\x19\x2d\x57\x24\x20\x78\x43\x4f\xde\xf9\xaf\xdc\x8f\x18\x39\x7d\xf1\xca\x6e\x76\xbd\xc7\x18\x45\xfb\xa2\x81\x8e\xf8\xf1\xc1\xdb\xf0\xa9\x2d\xde\xe3\xc8\xc1\xcf\xdd\xfb\x64\x43\x94\x19\xe6\x3f\x98\x11\xab\x5d\xaf\xd1\x5b\x2f\xf2\xa9\xc0\x41\x33\x16\x51\xc7\xaf\xe7\x86\x28\x75\xbf\x99\x61\x80\x6f\xac\x69\x4b\xef\x5f\x78\xfb\x9c\xd6\x4c\x33\x84\x86\x37\x44\x4e\x67\x52\x20\x03\x95\xe3\x73\x1d\x02\xdb\x34\xc2\x1f\xca\x31\x1d\x33\x9e\x81\x97\x32\xed\xe1\x83\x94\xb4\x5c\x4c\xbb\xbf\xfd\x45\xfd\xf5\x08\x28\x5d\x26\xda\x5b\x3c\xed\xe6\x92\xaf\x4e\xf2\xf4\x2c\x73\x4b\x52\x28\x64\x75\x5d\xcd\x71\x9c\x93\xb2\x68\x43\x8f\x9b\x0f\x1a\xdd\x57\x4c\xf7\x21\x89\x21\xdf\x68\xc4\x96\x68\x3c\x62\x76\x11\x5c\x07\x4d\x42\x0f\x23\x86\x1e\xeb\x82\x03\x1e\x99\x8c\x08\x33\xd1\xcb\xbb\x5b\x33\x4a\x13\x60\x6a\x0b\xc4\x06\xc4\xc8\xb1\xc2\xbf\x8d\xf5\x57\x32\x4d\x2c\x94\xcb\xe4\xc2\x90\x80\xb6\x32\x34\xb1\xbb\x74\xe5\x85\x4e\x42\x2e\xb4\x6f\x73\x69\x78\xe2\x94\x3e\xbd\x28\xaf\x46\x7b\xd0\xee\x09\x6b\x95\x2f\xf5\xf0\xb2\x28\xc7\xef\x94\x6f\xd4\x72\x49\x3b\x0e\xac\xa9\x37\x84\x01\x66\x9f\x1b\xe6\x75\x23\x0e\x56\xbc\x19\xe4\xec\x12\x34\xfc\xb4\xea\x12\x2
d\xd2\x04\x83\x01\x09\x68\x9c\xad\x7e\x3d\x70\x2a\xb3\xe9\x2e\x59\x01\x6a\x64\x0c\xce\x4e\x1e\x57\xd6\xe9\x45\x56\xe7\xee\x1f\x7c\x58\x63\x09\x04\x4b\xdc\xa4\xa7\xb2\xce\xbb\x4b\x3f\xab\xfd\x57\x8e\xd6\xc6\x85\x89\xb8\xaf\xcd\x4d\x0e\x5a\xb1\xb7\xee\xf6\xf8\x2c\xd2\x08\xe3\xec\xe7\x6e\x3b\x73\x33\x1f\xba\x03\xfb\x54\x47\x01\x29\x92\x74\x10\x42\x10\x6e\xd7\xd3\x86\xa1\x43\x3f\xe8\xd4\xc6\xbc\xe8\x22\xff\x8f\xfe\x1b\x38\x2a\xa7\x12\x47\x31\xa9\xad\x6e\x1a\x52\xc7\x82\x66\x17\x4a\x4f\xef\xe9\x86\xa5\x08\xf6\x64\x25\x77\x30\x3f\x91\xea\x4e\xfb\x32\x84\x3c\x6b\x33\x1b\x32\xf2\x45\x53\xa0\xc1\x30\x16\xd9\x1a\x23\x0a\x55\xd8\x1f\xeb\x7d\xfc\x48\xad\x15\x7c\x7c\x2f\xc6\x32\x53\x08\x10\x21\xd1\xc6\x53\x56\x51\x39\x03\xdd\xbd\xe8\xd3\xfd\x0d\x51\x74\x7f\x3e\xaa\xaf\x9d\xb9\xd6\xb4\xbd\x70\x69\xd8\xba\x53\xd4\xd1\x00\xee\x27\x27\x97\x95\x94\xc2\xfa\x80\xb9\xaa\x0e\xdd\x70\xe3\xd7\x02\xfb\x5b\x6c\xd2\x77\xee\xb4\x87\x55\x58\x86\xf8\x5b\x65\x7c\xd9\xeb\xa6\x41\xb2\x8b\xf1\xe7\x62\x30\x0f\x3e\x29\xc5\xa8\xd8\xbf\xe0\x77\xbd\xef\x7c\x9e\x2c\x4c\xfa\xd8\xfc\x36\x46\x70\xd7\xcd\x6a\xc7\xa8\x63\x22\xe6\x67\x76\x0e\x24\x03\xc4\x83\x8d\x61\xfa\x86\x69\xa4\xf6\x21\x14\xee\xf4\x23\xf0\x91\x32\xe2\x0b\xb9\x5b\xa3\x52\x2a\xc3\x10\x49\xc4\xa3\xd5\x81\xaf\x3c\x57\x84\x91\x0f\xba\x88\xcd\xee\x1c\xef\xf4\xdd\xae\xd8\x27\x11\x9c\xed\x53\x61\x94\x7d\x0e\x31\xa9\xc4\xd2\x52\x63\xa5\x36\x54\xb8\x2f\xc1\x3b\x91\xf4\x45\x08\xdd\x19\x3c\xa1\xef\x26\xd9\x30\xa6\xb0\x81\x05\x86\xd4\x02\xba\x05\x54\xfa\xce\x5c\x3e\xd0\x77\x67\x1d\x50\xd2\x88\x65\xbf\xff\x35\xca\x3a\x4d\xab\xdb\xd6\xe3\xb0\x70\x59\x32\x0f\x53\xe5\xc4\x9d\x73\xcc\x16\xdd\x1e\xd2\x81\x6a\xc9\x8a\xd3\x85\x3c\x36\x88\x29\xc7\xbe\xc4\x0c\x4a\x9b\x39\xee\x3b\x73\x0b\xbd\x6c\x15\x2f\x35\x8e\x99\x11\x30\x8c\x12\xed\x12\x06\x56\x1f\xc7\xcf\x7c\xb4\x77\x14\x5f\x1a\xaa\xce\x66\xac\x5c\x44\x68\xac\xb2\xf6\x01\xc6\x1e\x4b\x11\x8b\xe2\x05\x6b\x6d\xbc\x18\x60\x9b\xfd\x41\x05\xee\xe1\x8b\xe3\x84\xa1\x99\x13\xd2\x74\xd9\x20\x39\x79\x0c\xb8\x74\x20\xb9\xf
d\xd7\x0e\x73\x43\x09\xfc\x7a\xfe\x09\xe1\x1f\x78\x0d\x6e\xe6\x24\x31\x75\x90\x7a\x4a\xee\xcb\x6c\xa0\x70\xa3\x37\x4b\xe5\xd3\xd0\x7a\x78\x8e\xa4\xe1\xf9\xd6\xf1\x8e\xff\x9e\x79\x64\xd7\x07\x6c\xb5\xb9\x3c\xd9\x73\x38\xec\x05\x44\x8e\xc5\x27\xcc\xa6\x67\x90\xbf\xe3\x2c\x5b\x26\x62\xd7\xfc\x6b\x83\x6b\x41\xbf\x32\xe5\xbc\x0d\xdf\xe4\x2d\x59\x73\xdb\x86\xf8\xae\xd5\x6e\x43\x11\x2b\x45\xb0\xf7\x92\xc5\x39\x45\x99\xa1\x3e\x73\xc2\x50\x12\xb5\xaa\xcd\x3a\xef\x11\x24\x73\xc4\xe2\xe3\xab\x6a\xeb\xf5\xaf\x6d\xe9\xe7\x8a\xc0\x47\xfc\xc2\x76\xfd\x97\x6f\x25\x02\x2c\x65\xc3\x0a\x9f\xd6\x72\x03\xf1\x9e\x33\xb3\x5c\xfb\xcf\xdf\xf3\x95\xc5\xbb\x53\xf2\xfd\x79\x28\xe4\x3e\x62\x28\x47\x28\x07\x80\xb8\xcc\x81\x5f\xb4\x85\x18\x91\x05\xa1\x24\xcd\x86\x27\xcc\x3d\x5f\x1a\x9d\xd8\x00\xd4\x7a\x22\x6e\xbf\x90\x7e\xb2\xf4\x91\x33\xd1\x17\x58\x8d\x28\x0f\x4c\xc4\x3d\x95\x25\x4d\x88\xc8\x75\x3d\x96\x07\x3f\x97\xc5\x31\xf5\x1e\x55\x96\xe2\xe9\x71\xa2\x16\x1b\x78\xf7\x5e\xdc\xfb\xd9\xde\x38\xf0\xa9\x28\x4b\x7c\xce\xef\x87\x59\x8f\xa3\xbc\xfa\x5d\xbc\xbd\x1d\x28\x4c\xf8\x0c\xb7\x75\x54\x65\x89\x9d\x36\x2d\x9e\x40\xc6\x4c\x1a\x1e\x4c\xc4\x5c\x38\x71\xb2\x10\x4c\xa4\x0c\x05\x72\x9d\xcc\xbf\x6d\x0a\x17\x50\x0e\x5d\x0d\xff\xa3\x44\x3a\x52\x33\xe2\x79\xb2\xf9\xc5\x18\xb6\x97\x34\x0d\x26\xd2\x87\x26\x60\xc7\x1a\x49\x57\x10\xee\x00\x9f\xfb\x98\x9e\xbb\x5b\xef\xe5\x17\x69\x25\xb7\x8c\xde\xb1\xe8\x11\xc5\x1e\xcd\xb0\x1a\x47\xec\x1d\x1d\x0e\xf2\x02\x4c\x9a\x66\x6f\x6b\xc5\xeb\xe1\x3e\x77\x3f\x89\xf4\xc8\x0b\xaa\x1d\x66\x0c\x05\x1c\x26\x72\xf9\x1c\x21\xdb\x5f\xf2\xd5\xa7\x01\x26\xdc\x69\x14\x0e\xe2\x16\xc4\x5b\xdd\x0a\x7b\x52\x79\xde\xce\x2f\x58\x3b\xc2\x4f\xc6\x3c\xae\x88\xae\x75\x57\x22\x40\x48\x23\xc5\xc2\x16\x84\x9d\xcd\x10\x85\xba\x99\x02\xcb\x24\x8a\xc5\xd1\x92\xc3\xbd\xc5\x37\x39\x2a\x7c\x9e\xd3\xc3\x59\xbb\x6d\x49\x34\x62\x5f\x5f\x7a\x6d\xd5\x1b\x78\x57\x3f\xc7\x26\xad\xab\xc9\x1f\x41\x96\x05\x86\xf6\x4c\x39\x26\x11\x26\xea\x67\xdf\xc3\x2c\x5a\xe5\xf7\xd6\xed\x88\x74\x73\x60\x41\x8d\x42\xa0\x08\xd
9\xcf\xc5\xef\x15\xf9\xc5\x88\xdb\xb9\xec\xc3\x74\xba\x19\xab\x60\xa3\xba\x33\xfb\xd1\xb8\x04\x77\xb0\x20\x4e\x67\xc8\x45\xf9\xf6\xab\x58\x9c\x58\xb5\x78\xcc\xa5\x8a\xf3\x22\xae\x66\xb9\xb1\x2e\xd9\x53\x70\x3d\x13\x93\xd8\xec\xe9\xc6\x70\x66\x4f\xdb\x6b\x1f\xfa\x10\x27\x1a\xbc\x0e\x51\xd5\x7b\x59\x10\x2e\x26\x40\xbe\xa0\x9e\x91\x12\x94\xc3\x5a\xbc\x86\x16\x99\x0a\x57\x29\xbf\x73\x9a\x8e\x22\x77\x4a\x68\x0d\x57\x70\xb8\x58\xb9\x32\xfe\x59\x5b\x73\x22\x32\x8a\xe7\x92\x07\x8a\xd2\x8d\xb4\xd5\x4c\xbd\x7c\x98\x68\xfc\xbe\x6e\xed\x0b\x0a\xa7\xb7\xab\xbf\xb1\xb8\xef\xce\x2d\xd5\xc1\xe2\x9b\xac\x66\xab\x7f\x80\xfe\x7a\x65\xd2\xda\x18\x38\x66\x0e\x94\x06\x6a\x6b\x2e\x3b\xdb\x89\x7e\x55\x1b\xc0\x37\xd7\x79\xdb\xb6\xcb\x9b\xdc\xa7\x03\x0e\xf8\x22\x6b\x96\x8d\x5a\x85\x7c\xb4\x24\xa9\xbd\x71\xec\xf3\xe0\xdf\x3b\xca\x6b\x91\x95\x90\x5e\xd0\x5e\x73\xd0\x36\x7f\x16\x49\xee\xd5\x49\xd9\xc3\xd4\x7e\x2f\x31\x2c\x17\x0d\xc9\x4a\x70\x1d\x42\x04\x60\xe1\x00\x0e\x23\x70\x21\xc6\xb7\xb1\xbc\x08\xb3\x5c\x10\x43\xc6\xe8\x99\xed\x58\x7e\xf7\xdf\xb6\xe1\xc7\xb6\xe1\x1e\x3a\x2f\xb4\x34\x8a\xbc\xc9\xed\x18\x31\xee\x37\x3d\x00\x45\x40\xa7\x3a\x4c\x78\xf9\xd3\xab\xb1\x01\xc7\x87\xba\x23\x9d\xf6\x63\x92\x4e\xf8\x4e\x3b\x43\x68\x68\xb6\x3c\xd7\x4f\x4d\x47\xac\x9e\xbc\xe3\x81\x4b\xbd\xb3\x7e\xee\xc3\xfe\xa1\xf9\x06\x88\xd1\x6f\xf3\x28\x5d\x35\x97\x45\xf9\xc1\xb6\xdc\xfa\x98\xbc\xd3\x2a\xca\xcc\xd9\x35\x0c\x07\x05\x79\xaf\x49\xc6\xdd\x8e\x62\xb3\xe1\x16\x16\xb9\x56\x05\xb5\xe6\x7c\x90\xc3\xdb\x1b\x83\x01\xde\x61\xbd\xfa\x55\x8e\xe6\xd1\x3f\x20\xa7\x8d\x40\x7e\x4f\x44\xca\x79\x3c\xe3\xd9\x58\xe1\x52\x2f\x1a\x64\x27\x6a\xc8\x86\x3d\x1a\x68\xb5\xb6\x4e\x03\xec\x0b\x22\xb0\xa7\x87\xbb\xa7\xb4\x62\xfd\xdf\x8d\xa7\xd1\x01\x8b\x32\xa1\x32\x82\xbd\x1e\x83\x06\x0a\x67\xc7\xda\x96\xe4\x6e\x3b\x32\x2a\x5d\x8e\x05\xba\x67\xb3\xac\xa1\xc5\xd1\xbf\x13\x6a\x57\xb3\xaa\x68\x77\x7f\x00\xbf\x10\x2d\xdd\xb1\xde\xc2\x1d\xb3\x09\xf4\x85\x5d\x9c\x08\xed\xc5\x80\xd6\x52\xa6\x89\x42\x0b\xf6\x25\x38\xb5\xaa\x26\x30\x57\x09\x8
1\x21\xd8\x2d\x87\xe2\x9e\xe2\x6b\x5d\x52\x88\x02\x3e\x50\x1f\xf2\x73\x0b\xce\xf0\x0b\x98\xf1\x3c\x40\xbc\x2d\xa1\xa1\xbc\xa1\xcd\x66\x64\x84\xf1\xa3\xf5\xc8\xb6\xff\xaf\x46\x8f\xbe\xaa\xf5\xab\xfd\x74\x39\x6f\xbc\x46\x0e\x0f\xd2\xb4\x40\xf5\xe5\x63\x27\xe6\x34\x90\x73\x11\xdc\xe9\x8e\xc0\x75\xe9\xee\x32\x87\xf7\xd2\xdc\xd6\x44\x93\xe5\xc5\xce\x09\x6b\xb2\x9d\x77\xaa\x49\xa9\xf6\x77\xe6\x8e\xfd\x44\xcf\x35\xb5\xa0\xd6\x9f\x1e\xc8\x87\xa5\xf1\xf3\x5e\x44\xaf\xe3\xb6\x90\x4e\xf0\x26\xb3\x65\x1c\x69\x7d\xc2\xaf\x46\x66\x2b\x92\x36\x64\x20\x1e\x4b\xae\xdc\x28\xe8\x5f\x33\xd0\xfc\xce\x83\xec\xb0\x1d\x04\xf5\xa0\x82\x6d\xf9\xfb\xfe\x7d\x92\xe3\x1d\xb7\x62\x02\x53\x3f\xa8\xbd\xbd\x4f\x14\x74\x4f\x84\x85\x94\x8f\xf0\xe4\x0e\xc7\x7d\x2a\x2c\xca\xc3\x4f\x38\x9a\x4f\x6b\x0e\x1f\x84\xf5\x27\xb1\x28\x2b\x4b\xa5\x3c\xc0\xa5\x34\x68\xeb\x13\x62\xd8\x7f\x33\x4f\x17\x6d\x94\x8d\x9d\x7f\xc1\x90\xa1\xfa\xbb\x36\x74\x53\x85\x94\x5f\x27\xd4\x4c\x13\x64\x36\xee\xed\xca\x1a\xd4\x94\x5c\x9d\x73\xd6\xa2\xd7\x22\x5a\x1f\x7f\xa4\x9a\x2b\x2b\x56\xd3\xa4\x03\xa8\xdd\xd0\x3d\x70\x1b\xb8\xba\x36\xc2\x75\xb0\x5d\xb3\xb6\x06\x38\xb9\xa2\xa2\x34\xcb\x63\xb8\x09\xeb\xfc\x9a\x77\x1a\xc7\x12\x76\x2f\x7e\x96\xc5\x38\xe1\xc5\x4a\x79\x12\xb9\x59\x44\x63\x2d\x6d\x60\x59\x4b\x90\x0e\x17\xee\x32\x7b\x2b\x2b\x13\xbe\x28\x44\x06\x1f\xd1\xe3\x50\xe4\x71\x21\xfd\x71\xf1\x30\xa5\xae\xb5\x15\x3c\xcb\x8e\xce\x99\x59\x0f\xf9\x3e\xa9\x8e\xe5\x89\xa0\xa4\x28\x8b\xb6\xa3\x59\x0b\x1c\x6e\x89\x00\x8b\xbd\x2d\xc7\xad\x38\x74\x83\x69\x40\x5c\x9f\x8c\x37\xfa\x75\xdd\x2f\xf4\xa3\x84\x56\x1d\x03\x09\x48\xc3\xd1\x64\x66\xe4\xf0\x37\xe5\x4d\x3d\xca\xbd\xe0\x2f\xb3\x5c\x62\xb3\x16\x92\x65\xc0\xaf\x80\x18\xa8\x6c\x3f\xcf\x32\x68\xc1\xa9\x1e\x71\x31\xf8\x9c\xf7\x84\x1b\xb5\x8c\xab\x8a\x5f\x89\xd7\xed\xb6\x7f\x05\xf1\x6f\xe8\x40\x59\xbe\x5a\xbd\xbe\x44\xd3\x85\x2f\xa5\x79\x0c\x16\x16\x28\xb2\x1e\xef\x35\x9a\xaf\x7d\xb7\xde\x11\xc8\x35\xff\x9c\xc0\xb8\x6a\xc9\x75\x1f\xd2\xd5\xc1\x35\xe8\xac\xb4\x35\x2b\xc0\x3f\xdf\xe6\xc4\x34\x73\x5
8\x2c\xde\x76\xb1\x57\xee\xb0\x3a\xcf\xff\x74\x2b\xe5\x83\x8a\x4a\xab\xa1\x60\xe1\xc5\x88\xc9\xe1\xda\x27\x58\xfc\x29\x0a\xe3\x7a\x76\x05\x34\x0f\x72\x6f\xf3\xd8\xd7\x3d\x3d\xcc\xdc\x77\x37\x49\x9b\x74\x73\xec\xcc\x00\xc3\xd0\x1d\x20\xbd\x98\x9e\x60\x49\xd9\xda\x7d\xce\xe2\x29\xfe\x3d\xb7\xe2\x84\x5b\xa6\xef\x6b\x38\x06\x80\xe0\x77\x54\xdf\xa9\x2d\x16\x05\xb3\xb2\x52\x7e\xd1\x9d\x01\x33\x3b\x2b\x58\x86\x8d\x76\x14\xc9\x2b\x7f\x93\xc9\x5e\x2c\x90\x54\xf7\xa7\x28\xe0\x56\x9b\x98\x60\x18\x31\x1d\x9a\xb3\x79\xac\x3d\x19\xc7\xf6\x5f\x87\xac\xbd\x2a\x2b\xcd\xf1\x22\xb1\xb9\x50\x2d\x3c\x3a\x69\xef\xa3\x2f\x4b\xe1\xef\x20\xda\xa4\x2e\x13\x40\x9d\x2b\x12\xdb\xfd\x03\xc6\x4a\xca\x0b\xd6\x6c\x76\xc0\x4e\xa6\xa7\x6e\xf0\x29\x46\x50\xe5\x9e\x8a\x37\x9c\x85\xc5\xac\x8e\x31\x0e\xd9\x9e\x1a\x5f\x20\xc9\xbb\xdb\xee\x13\xde\x12\x18\xf9\x5b\xe0\x40\xff\x5f\x76\x0c\x7f\x07\xab\xe3\x62\x46\x85\x08\xa2\x11\x4e\x0c\x34\xf9\x38\x95\xc1\xe2\x8a\xd8\xc5\x6f\x19\x49\x81\x6c\xff\xd0\x9c\x02\x8d\xee\xf0\x1e\x5f\xcf\x91\xb4\x38\x4c\x62\xd0\xef\xd9\xb7\xd6\x6b\x1a\xae\x30\x2a\x3e\xd2\xc3\x03\x7c\x96\x75\xac\x6c\x86\x33\x6f\xa6\x03\x25\x8a\x53\x84\x09\xba\xd5\x67\x98\x11\x28\xcb\x8c\xab\x88\xd7\x02\x7b\x2a\x92\x67\x1c\xad\x00\x0a\x2c\x9f\x31\x7f\xb4\xae\x30\x98\x0d\x3f\x28\x51\x2f\xb5\xf6\x6a\x98\xb2\xe2\x07\x7a\x6a\x7f\x84\x61\xbf\x1a\x78\xcf\x12\xb3\xce\x6e\x3a\xa4\xa2\x2f\x3c\x63\x73\xa5\xd0\x4f\x76\x7b\x83\xc7\xd5\x7a\x56\x83\x4f\x76\x39\xc9\xac\xbb\x9f\xde\xde\xa8\x52\x76\xa0\xaa\x10\x0b\x68\xc8\xa2\x46\x31\x4a\x8c\xa0\x2f\xf0\x7d\x15\x32\xc9\x0d\x9a\x4a\x5d\xac\xba\x53\xa2\x4c\x14\xcb\x94\xb5\x7a\x8c\x23\x6c\x98\x5e\xbc\x98\x69\x71\x08\xa4\x3e\x87\x4b\x67\x15\xe6\xbe\x8d\x96\x85\xfa\xfd\xba\x1d\x7e\x5d\x1b\x4c\xed\x62\x56\x58\x47\xbd\xfc\xf6\x2b\xe1\x75\xe8\x48\x3c\xfd\x07\x11\x24\x76\x64\xe2\x73\xfc\xbe\xc2\x9f\x60\xde\xdd\x34\xc6\x81\x0f\x66\x50\xb6\xbd\xc4\x7d\xf7\x26\x7b\x8f\x53\xbc\x66\xac\x41\xa5\xc0\x50\x6e\xdf\x4a\x80\x5c\xff\x03\x43\x79\x7c\x88\x12\x56\xea\x09\x5f\xbf\x14\x57\x54\xf
7\xcb\x9d\xfb\xa6\xd3\xc2\xbd\x12\xac\xe3\x07\x62\x9c\xb2\x2d\xfe\xb5\xa4\x81\x55\xde\x0e\x50\xa9\x5d\xa5\x8b\x32\x02\x58\x9b\x60\xf5\xdd\x4c\xa6\xcd\x22\xc2\xed\x78\x8f\x27\x21\xd5\x35\x43\x74\xe9\xef\xac\xf4\x94\x72\x94\xdd\xc8\x14\x92\x25\xdc\xe5\xad\xfb\x32\x25\x95\xed\x18\xa4\xdc\xb0\x56\x51\x48\xb0\x87\xe3\x7d\x42\x47\xea\xae\xcc\x58\xc5\xaa\xf1\xc6\x4e\x87\xcc\x2c\xce\x9b\x8e\xbc\xaf\x96\x3f\xc4\x41\xa6\xdf\xac\x42\x6b\xe0\xac\xe4\xec\xfb\x91\xdf\x77\x32\x72\x1a\xfb\x34\xf9\x05\xce\x73\x77\xdb\x38\x49\xd7\x40\x1b\xa3\xd3\x14\x9c\x08\xe9\x8b\xcd\xec\xa6\xde\x20\x7e\xd8\xbc\x7b\x1d\x6e\x88\x59\x7d\xa6\x28\xc6\xb0\xa7\x3c\xf9\x67\x4a\x20\x7d\xd8\x74\x5f\xe5\xb3\x2b\xdd\x8f\x55\x09\xf1\x4f\xc1\x5c\xf9\x50\x4b\xf6\x63\x4b\x2d\xf2\x83\x6e\x95\xc7\x36\xe2\x76\x2f\x27\x14\xbf\xd1\x30\xaf\x99\x1d\x8b\x64\x8a\x93\x72\x15\x83\x83\xa2\xf5\x3e\x14\xc7\xcf\xc7\x66\x3d\xb5\xca\x5c\x8a\x9c\xdd\x15\x5e\x38\xc1\xf7\x0e\x51\x61\x35\x88\x12\x8d\xd0\x85\xbb\xdd\x7e\xd2\x39\xb9\x7e\x89\x58\xce\xf3\x5f\x11\x7e\xab\x19\xb3\x70\xff\x2e\x4e\x25\x68\x9d\x62\xb6\x84\xfd\x4a\xfc\xeb\x26\x32\x51\xfa\x92\xe8\xc6\xb2\xaa\x2e\x34\xd3\xfb\x8a\xae\xd1\x8c\xdc\x73\x4f\x9b\x42\x0c\x8d\x7b\x93\x15\x55\xeb\xd7\x99\x0c\xa0\x73\xfb\x81\xbe\x98\x27\x94\xe0\x00\xd5\x05\x72\xeb\x07\x61\xd4\x95\xba\x80\x68\xf6\x57\xd7\xf7\xb9\x19\xe6\x6a\x25\xe0\x32\x11\xdf\xe6\x90\xf4\x08\x1f\xc5\xde\x14\xf5\xf9\xd8\xbe\x47\x80\x24\xe6\x0a\x31\x38\x08\x0d\x9c\xe9\x7a\xe2\x3e\x29\x1e\x77\xa6\xe4\xa5\x07\xa9\x6a\xe0\xc0\x7d\x96\x04\xa9\x5b\x43\xb8\x17\x4c\x33\x17\x5b\xa2\x95\x05\x01\x86\xf7\x23\xb5\x0a\x60\x9e\xe0\x9b\x42\x67\xe4\xd2\xaf\x42\x96\xce\x65\x7b\xb8\xb5\xe9\x96\xf9\x8b\xd7\x5e\xd4\x2d\x09\x54\x89\x5d\x97\xd9\x88\x32\x9d\x92\x5f\x62\x89\x44\x74\xd1\xca\xa5\xde\x98\x8e\xd7\xb5\xc6\xde\xac\xfd\x90\xad\x94\x7e\xfe\xbf\x6c\xf6\x1b\x45\xd9\xc7\xb1\xba\x59\xe9\xec\x4b\x85\x59\xaf\xf8\xd3\xd0\x5f\xb0\x0f\x57\xec\x94\x2b\x0e\x9b\x9f\xdb\xde\x26\xca\xd3\x40\xcb\xb4\xf7\xc0\x44\x7b\x70\x7e\xd8\xf6\xd4\xf9\x89\xd0\xb1\xd
a\x0d\x0c\xda\xe6\x17\xb0\x14\x36\xfa\x68\xe3\x77\x75\xe8\x44\x41\x5e\xbd\x11\xa3\x35\x08\x46\xcf\x0b\x41\x9f\xad\x6d\xb9\x4c\xcc\x82\x83\xe9\x50\x19\xdb\x55\x91\xb9\xe8\x1c\x5d\x32\x70\x7b\x30\x02\xaf\xb2\x40\x58\x49\x5f\x6c\x21\xcd\x4b\x9e\x12\xaf\x7a\x1f\x40\x54\xfd\xa3\x7b\xa6\xa2\x94\x5e\x89\x98\x99\x76\x10\x12\x54\x8e\x41\x22\xa6\x95\x56\xe0\xca\x51\xe2\x31\x94\xbd\xc4\xe2\x72", 4096); *(uint32_t*)0x20002904 = 0x1000; *(uint32_t*)0x20002908 = 9; memcpy((void*)0x20002940, "flock=openafs", 13); *(uint8_t*)0x2000294d = 0x2c; memcpy((void*)0x2000294e, "dyn", 3); *(uint8_t*)0x20002951 = 0x2c; memcpy((void*)0x20002952, "autocell", 8); *(uint8_t*)0x2000295a = 0x2c; memcpy((void*)0x2000295b, "dyn", 3); *(uint8_t*)0x2000295e = 0x2c; memcpy((void*)0x2000295f, "flock=openafs", 13); *(uint8_t*)0x2000296c = 0x2c; memcpy((void*)0x2000296d, "source", 6); *(uint8_t*)0x20002973 = 0x3d; memcpy((void*)0x20002974, "&", 1); *(uint8_t*)0x20002975 = 0x2c; memcpy((void*)0x20002976, "source", 6); *(uint8_t*)0x2000297c = 0x3d; memcpy((void*)0x2000297d, "SEG6\000", 5); *(uint8_t*)0x20002982 = 0x2c; memcpy((void*)0x20002983, "smackfsdef", 10); *(uint8_t*)0x2000298d = 0x3d; memcpy((void*)0x2000298e, "SEG6\000", 5); *(uint8_t*)0x20002993 = 0x2c; memcpy((void*)0x20002994, "smackfsdef", 10); *(uint8_t*)0x2000299e = 0x3d; memcpy((void*)0x2000299f, "SEG6\000", 5); *(uint8_t*)0x200029a4 = 0x2c; memcpy((void*)0x200029a5, "subj_user", 9); *(uint8_t*)0x200029ae = 0x3d; memcpy((void*)0x200029af, "SEG6\000", 5); *(uint8_t*)0x200029b4 = 0x2c; memcpy((void*)0x200029b5, "smackfstransmute", 16); *(uint8_t*)0x200029c5 = 0x3d; memcpy((void*)0x200029c6, ":", 1); *(uint8_t*)0x200029c7 = 0x2c; memcpy((void*)0x200029c8, "seclabel", 8); *(uint8_t*)0x200029d0 = 0x2c; *(uint8_t*)0x200029d1 = 0; syz_mount_image(0x20001880, 0x200018c0, 5, 1, 0x20002900, 0x20005, 0x20002940); break; case 29: memcpy((void*)0x20002a00, "/dev/i2c-#\000", 11); syz_open_dev(0x20002a00, 0xad8, 0x2a2000); break; case 30: res = 
syscall(__NR_ioctl, -1, 0x5429, 0x20002a40); if (res != -1) r[15] = *(uint32_t*)0x20002a40; break; case 31: memcpy((void*)0x20002a80, "net\000", 4); syz_open_procfs(r[15], 0x20002a80); break; case 32: syz_open_pts(r[13], 0); break; case 33: *(uint32_t*)0x20002e80 = 0x20002ac0; memcpy((void*)0x20002ac0, "\x7a\xd3\xcd\x80\x2d\xd0\xc4\x24\x94\x5d\x99\xca\x9c\xa6\xe4\xfb\xb8\xf8\xe3\xb9\x80\xd2\xec", 23); *(uint32_t*)0x20002e84 = 0x17; *(uint32_t*)0x20002e88 = 0x1000; *(uint32_t*)0x20002e8c = 0x20002b00; memcpy((void*)0x20002b00, "\x32\x9d\xe8\x0b\x2b\x17\xbb\xd2\x5d\x1f\x19\x07\xa9\x26\x3a\xf3\xbf\x05\xc4\xa7\x06\x1e\x28\x49\x2a\x3f\x71\xc6\x34\x3a\xa5\xaa\xea\x03\x27\xa3", 36); *(uint32_t*)0x20002e90 = 0x24; *(uint32_t*)0x20002e94 = 5; *(uint32_t*)0x20002e98 = 0x20002b40; memcpy((void*)0x20002b40, "\x82\x79\x1d\xfd\x31\x1d\x07\xdb\x7d\x65\xe8\x03\xce\x6c\xa0\x00\x28\xaf\x8f\xf8\xd2\x76\x18\x7e\x0e\x14\xbb\xf7\xbe\xab\x60\xfc\x4b\x70\x72\x2e\x91\xb6\x32\x2b\x8e\x34\x72\x19\x1a\x66\x17\x6b\xb0\xca\x91\xde\xe6\x0f\x15\x06\xa6\xd4\x8b\xe4\x05\x52\x30\xc3\x0b\xe9\x4a\x10\x43\xa1\xd2\xa0\x6d\x42\x16\x60\x69\xd8\x03\x3d\x6c\x52\x4c\x86\x10\xb8\xc4\xbb\x63\xaf\x0c\xe6\xd6\x20\x71\x37\xf1\xbe\x1b\x62\xb0\x02\xe8\xc3\x5e\x64\x67\xc2\x42\x3c\xc6\x59\x7d\x1c\xa5\x8e\xe3\x15\x89\xf0\x24\x8a\xc7\x62\xe2\x4a\x28\x6a\x41\xa7\x61\x91\x2d\x34\xbb\x56\xf0\x7d\xb8\x8c\xa5\x2f\xce\x8d\x12\x87\x62\x39\x4f\xa0\x0f\xaa\xc8\x45\x1a\x42\xc3\x14\x4b\xde\xc7\xe9\x72\x96\xc9\xea\xc7\xc9\xf6\x31\x10\xa3\xd4\x05\xc1\x6b\x04\x28\x88\x00\x24\xe8\xc9\xc8\xaf\x49\x0b\x8c\xfa\xd8\x4c\xbb\x63\x78\x78\xd6\x34\xcd\x84\x34\x6b\x60\xc9\x13\x2c\x09\x66\x0c\xdc\x61\x6a\x0b", 212); *(uint32_t*)0x20002e9c = 0xd4; *(uint32_t*)0x20002ea0 = 0x7fff; *(uint32_t*)0x20002ea4 = 0x20002c40; memcpy((void*)0x20002c40, 
"\x90\x4b\xbc\xee\x2b\x46\xda\xa1\xac\x64\x3b\x7b\x6b\x8e\xa0\xff\x46\x2f\xea\xbe\xe5\x41\xb4\x11\xa8\x85\xe4\x70\xa4\x96\xcb\xbd\xc7\x29\xff\xde\xbc\x50\x80\x7f\x71\x9c\xbe\x80\x8d\x8b\x59\x8b\x47\x67\xc7\xa8\x52\xd9\xce\x0c\x88\x0a\x9b\x07\x8b\x01\x87\xde\xac\x92\x6b\xd4\x68\x7a\x44\xf0\x92\xbb", 74); *(uint32_t*)0x20002ea8 = 0x4a; *(uint32_t*)0x20002eac = 5; *(uint32_t*)0x20002eb0 = 0x20002cc0; memcpy((void*)0x20002cc0, "\x35\x31\xae\x25\x7e\x7e\x08\x77\xcd\xe3\x40\xc4\x2e\xdb\xfc\x91\xdc\xff\xaf\xf1\x28\x4e\xf0\x8a\x45\x1e\x4c\x76\xe0\xcd\x83\xb2\xc0\xea\x10\xd8\x6b\xce\xfa\x93\xbb\xae\xf5\xff\xfb\xfe\x7d\xc7\x0b\x73\xb8\x9c\x55\xfc\x38\x51\x11\x0d\x1b\xd0\xd1\xda\x31\x75\x33\x20\xb1\x11\xfe\x70\x60\x53\x7e\x8f\x65\xf3\xc2\xf0\x5a\xdc\xb3\xd6\x6b\xd2\xab\xe6\xb0\x8a\xaa\xe0\xd0\xee\xdc\xa9\x93\x77\x07\xec\x4c\xb4\x87\x4c\xdf\xd0\x58\x00\x81\x2a\xb5\x3f\x95\x50\xb2\x5a\x28\xee\x69\xe6\x2a\x0f\x79\x0f\xe5\x23\x3f\xc8\x64\x5f\xc3\xfe\x6c\xae\x05\x5f\x2a\xa1\x72\x91\x25\x17\x01\x51\xe8\x6e\xea\xb6\x7b\xb2\x0b\xc8\x84\xa1\x21\x4c\x2d\x3d\x96\x9c\x34\xfb\x23\x9b\x45\xfe\xec\x93\xac\x20\x97\x21\xba\xe7\x27\x12\x51\xc6\x13\xce\xa9\x37\x9c\x15\x21", 183); *(uint32_t*)0x20002eb4 = 0xb7; *(uint32_t*)0x20002eb8 = 4; *(uint32_t*)0x20002ebc = 0x20002d80; memcpy((void*)0x20002d80, "\xc3\xf0\x4f\x26\x92\x9b\x7a\x4d\x63\x42\x84\x1f\xa5\x3a\x9a\x8c\xb8\x00\x6a\x97\xf4\x28", 22); *(uint32_t*)0x20002ec0 = 0x16; *(uint32_t*)0x20002ec4 = 6; *(uint32_t*)0x20002ec8 = 0x20002dc0; memcpy((void*)0x20002dc0, 
"\xc9\x87\x12\x75\xe3\x26\x9f\xf1\xbd\xcd\x67\xfb\x52\x3e\x1c\xeb\x51\x51\xb0\xed\xe9\xe0\x32\x63\x4e\x36\xd4\x86\x04\x6b\xc3\x1c\xd9\x78\xbd\xa5\x92\x47\x35\x53\x16\x31\x9e\x76\x8e\x7a\xc6\xbe\x06\x48\xbf\x0f\xec\xd1\x3c\xda\xd4\x5f\x71\x3e\x0e\x3b\x74\xe9\x5e\xec\x77\x06\x3c\x02\xa2\x33\xea\x97\xd3\x38\xf4\xb1\xe9\xbc\x5a\x7c\xce\x85\x52\x87\x42\x63\x2e\xd5\x9c\xec\x01\x6f\x39\x14\xdd\x02\xca\x6b\x1d\xc8\x33\x22\x48\x95\x27\x73\x50\xcf\x1f\x21\xd6\xc7\x8f\x85\x92\x71\x7e\x91\x23\x3f\x90\x26\x92\x7e\x0c\xc3\xd8\x0c\xdc\x57\x71\x47\x63\xa0\xfc\xb0\x91\xf5\xc6\x90\x51\xb5\x5c\xd2\xe1\xfc\xc3\x3b\x13\xd5\x97\xc5\xca\xee\xb2\x71\xc5\x42\x97\x8a\x1e\x17", 164); *(uint32_t*)0x20002ecc = 0xa4; *(uint32_t*)0x20002ed0 = 0x9c; syz_read_part_table(1, 7, 0x20002e80); break; case 34: *(uint8_t*)0x20002f00 = 0x12; *(uint8_t*)0x20002f01 = 1; *(uint16_t*)0x20002f02 = 0x201; *(uint8_t*)0x20002f04 = 0xa4; *(uint8_t*)0x20002f05 = 0x61; *(uint8_t*)0x20002f06 = 0x1e; *(uint8_t*)0x20002f07 = 0x40; *(uint16_t*)0x20002f08 = 0xacd; *(uint16_t*)0x20002f0a = 0x300; *(uint16_t*)0x20002f0c = 0xc0df; *(uint8_t*)0x20002f0e = 1; *(uint8_t*)0x20002f0f = 2; *(uint8_t*)0x20002f10 = 3; *(uint8_t*)0x20002f11 = 1; *(uint8_t*)0x20002f12 = 9; *(uint8_t*)0x20002f13 = 2; *(uint16_t*)0x20002f14 = 0x372; *(uint8_t*)0x20002f16 = 2; *(uint8_t*)0x20002f17 = 4; *(uint8_t*)0x20002f18 = 0x1f; *(uint8_t*)0x20002f19 = 0; *(uint8_t*)0x20002f1a = 1; *(uint8_t*)0x20002f1b = 9; *(uint8_t*)0x20002f1c = 4; *(uint8_t*)0x20002f1d = 0x5d; *(uint8_t*)0x20002f1e = 0xb3; *(uint8_t*)0x20002f1f = 1; *(uint8_t*)0x20002f20 = 0xad; *(uint8_t*)0x20002f21 = 0x49; *(uint8_t*)0x20002f22 = 0x76; *(uint8_t*)0x20002f23 = 0x20; *(uint8_t*)0x20002f24 = 7; *(uint8_t*)0x20002f25 = 0x24; *(uint8_t*)0x20002f26 = 1; *(uint8_t*)0x20002f27 = 0; *(uint8_t*)0x20002f28 = 0x80; *(uint16_t*)0x20002f29 = 0; *(uint8_t*)0x20002f2b = 9; *(uint8_t*)0x20002f2c = 5; *(uint8_t*)0x20002f2d = 0xd; *(uint8_t*)0x20002f2e = 0; *(uint16_t*)0x20002f2f = 0x230; 
*(uint8_t*)0x20002f31 = 0x5d; *(uint8_t*)0x20002f32 = 1; *(uint8_t*)0x20002f33 = 0x3f; *(uint8_t*)0x20002f34 = 7; *(uint8_t*)0x20002f35 = 0x25; *(uint8_t*)0x20002f36 = 1; *(uint8_t*)0x20002f37 = 0; *(uint8_t*)0x20002f38 = 0x1f; *(uint16_t*)0x20002f39 = 2; *(uint8_t*)0x20002f3b = 0xba; *(uint8_t*)0x20002f3c = 0xe; memcpy((void*)0x20002f3d, "\xf4\xe6\xe5\x76\x28\x83\xc3\x4d\xf0\x4f\x35\x60\x99\xf1\xd3\x4b\xdb\xc9\xf5\x32\x4d\xa6\x48\x05\x3f\xd6\x90\x21\x1b\x89\x71\x19\xc4\xf3\xac\x19\x7f\x2a\xa9\x3f\x2f\x3b\xe0\x5f\x83\x6b\x16\x44\xd5\xb2\x32\x76\x48\xb3\x08\x16\xed\x19\x2f\x94\x3d\xfc\xe2\x25\xf6\x9d\x77\xc5\x15\x65\xe1\x77\xfd\x88\x9c\x9c\x9d\x8c\x85\xb9\x2e\xe4\xbe\xad\x0e\x88\x94\x46\xbb\xc3\x20\xa4\x0f\xa2\x48\x07\xf4\x76\xbf\xd1\xf1\xb3\x09\x6e\x33\x70\xf7\x55\xc9\x4a\xa0\x1c\x3b\xe4\xdd\xc7\x95\x2a\x56\x94\xbc\xad\x4b\xeb\x40\x65\xbf\x5e\xa9\x60\x66\xc4\x3e\x95\x07\xe6\x22\x0c\x47\xbc\x02\x71\xad\xcb\xaf\xfc\xe6\xac\x90\xcb\x3c\x8b\x1c\xf7\x48\xc6\xbb\xf9\x71\x08\xdf\xa2\xca\xc4\xb8\x7d\x34\x20\x42\x84\x34\x39\x7e\x07\xf1\x7a\x87\xed\x62\x33\xb3\x9e\x32\xf0", 184); *(uint8_t*)0x20002ff5 = 9; *(uint8_t*)0x20002ff6 = 4; *(uint8_t*)0x20002ff7 = 0x5d; *(uint8_t*)0x20002ff8 = 0x27; *(uint8_t*)0x20002ff9 = 7; *(uint8_t*)0x20002ffa = 0x3f; *(uint8_t*)0x20002ffb = 0x84; *(uint8_t*)0x20002ffc = 0xfd; *(uint8_t*)0x20002ffd = 3; *(uint8_t*)0x20002ffe = 0x10; *(uint8_t*)0x20002fff = 0x24; *(uint8_t*)0x20003000 = 2; *(uint8_t*)0x20003001 = 1; *(uint8_t*)0x20003002 = 0xe2; *(uint8_t*)0x20003003 = 2; *(uint8_t*)0x20003004 = 0x63; *(uint8_t*)0x20003005 = 0x40; memcpy((void*)0x20003006, "\xe7\x21\xcc\x44\xac\xca\x89\x38", 8); *(uint8_t*)0x2000300e = 0xb; *(uint8_t*)0x2000300f = 0x24; *(uint8_t*)0x20003010 = 2; *(uint8_t*)0x20003011 = 1; *(uint8_t*)0x20003012 = 0; *(uint8_t*)0x20003013 = 3; *(uint8_t*)0x20003014 = 1; *(uint8_t*)0x20003015 = 0; memcpy((void*)0x20003016, "\x9e\xf4\x2f", 3); *(uint8_t*)0x20003019 = 7; *(uint8_t*)0x2000301a = 0x24; *(uint8_t*)0x2000301b = 1; 
*(uint8_t*)0x2000301c = 4; *(uint8_t*)0x2000301d = 1; *(uint16_t*)0x2000301e = 4; *(uint8_t*)0x20003020 = 0xb; *(uint8_t*)0x20003021 = 0x24; *(uint8_t*)0x20003022 = 2; *(uint8_t*)0x20003023 = 1; *(uint8_t*)0x20003024 = 0; *(uint8_t*)0x20003025 = 3; *(uint8_t*)0x20003026 = 0x19; *(uint8_t*)0x20003027 = 6; memcpy((void*)0x20003028, "\x9e", 1); memcpy((void*)0x20003029, "\x69\x83", 2); *(uint8_t*)0x2000302b = 9; *(uint8_t*)0x2000302c = 5; *(uint8_t*)0x2000302d = 0xf; *(uint8_t*)0x2000302e = 0; *(uint16_t*)0x2000302f = 0x3ff; *(uint8_t*)0x20003031 = 0xf6; *(uint8_t*)0x20003032 = 5; *(uint8_t*)0x20003033 = 0x80; *(uint8_t*)0x20003034 = 9; *(uint8_t*)0x20003035 = 5; *(uint8_t*)0x20003036 = 1; *(uint8_t*)0x20003037 = 0x10; *(uint16_t*)0x20003038 = 0x10; *(uint8_t*)0x2000303a = 0; *(uint8_t*)0x2000303b = 0x40; *(uint8_t*)0x2000303c = 6; *(uint8_t*)0x2000303d = 7; *(uint8_t*)0x2000303e = 0x25; *(uint8_t*)0x2000303f = 1; *(uint8_t*)0x20003040 = 2; *(uint8_t*)0x20003041 = 0x20; *(uint16_t*)0x20003042 = 6; *(uint8_t*)0x20003044 = 9; *(uint8_t*)0x20003045 = 5; *(uint8_t*)0x20003046 = 0xb; *(uint8_t*)0x20003047 = 8; *(uint16_t*)0x20003048 = 0x10; *(uint8_t*)0x2000304a = 1; *(uint8_t*)0x2000304b = 2; *(uint8_t*)0x2000304c = 0; *(uint8_t*)0x2000304d = 9; *(uint8_t*)0x2000304e = 5; *(uint8_t*)0x2000304f = 0xd; *(uint8_t*)0x20003050 = 0x10; *(uint16_t*)0x20003051 = 0x200; *(uint8_t*)0x20003053 = 4; *(uint8_t*)0x20003054 = 8; *(uint8_t*)0x20003055 = 0xc0; *(uint8_t*)0x20003056 = 0xbb; *(uint8_t*)0x20003057 = 0x31; memcpy((void*)0x20003058, 
"\x21\x5c\xe6\xab\x8f\x3c\x72\xca\xa3\xab\x13\x26\xf1\x88\x38\x90\x8a\xc6\x0b\xff\xb3\xb5\x07\x48\x14\x4a\xa2\xcb\xc4\xd7\xca\xc5\x6f\x4a\x7b\xb2\xbd\x6c\x96\x96\x74\xa5\xe4\x04\x08\x61\xbb\x21\xba\x5c\xcf\x0f\x82\x2c\x10\x32\xe7\xe3\x72\x9f\x8c\x17\x1f\xc7\xa8\x9b\x53\x40\xb5\x06\x71\x08\xd5\x97\xf1\x78\xaa\x65\x1a\x98\xac\xa4\xd0\x12\xfa\x55\x5a\x69\x56\x83\xb5\x27\xe6\x03\x1f\x1f\x7f\x20\x49\x4b\x25\x0e\x3a\x6c\xd8\xb4\xde\x96\x47\xe1\x50\x04\x98\x67\x09\x7c\x47\xcc\x23\x7c\x61\x2c\xef\xe6\x98\x33\x2f\x1f\xe7\xf0\x2e\x6f\x53\xe8\x45\xb1\xf5\xe7\xb4\xb2\x4a\xd8\x62\x9b\x78\xce\x76\x30\xe2\xd4\x01\x20\xfb\xc3\xf4\x93\x75\xa4\xa0\x86\xde\xdd\x2a\x27\xf0\x6b\x3e\xd3\xd7\x56\xa8\x19\xb9\x7f\x75\x9a\xa5\x4a\xef\x83\xdf\x48\x68\xa9\xe9", 185); *(uint8_t*)0x20003111 = 9; *(uint8_t*)0x20003112 = 5; *(uint8_t*)0x20003113 = 3; *(uint8_t*)0x20003114 = 0x12; *(uint16_t*)0x20003115 = 0x3ff; *(uint8_t*)0x20003117 = 0; *(uint8_t*)0x20003118 = 1; *(uint8_t*)0x20003119 = -1; *(uint8_t*)0x2000311a = 0xad; *(uint8_t*)0x2000311b = 0x31; memcpy((void*)0x2000311c, "\x0c\x92\x1d\x3f\x98\x0f\x4e\x53\x14\x7a\x46\xbd\x58\x56\xda\x03\x08\x16\x60\xfb\xed\x7b\x8b\x2d\x38\x9b\xe8\xa0\x38\xe9\x5c\x29\x58\xa4\x77\xed\x5f\xaf\x9e\xf3\x8c\x82\xc3\xab\xea\x25\x44\x59\xed\xb0\xf2\xcf\x28\x62\x35\x03\x40\x87\xad\xb7\x90\x7f\xf1\x92\x64\x0b\x93\x68\x86\xbd\x48\xd3\xa5\x12\x15\x40\x6b\x3a\xa0\xb6\xd8\xf8\xd9\x1d\x83\x0f\x52\x36\xa9\xa8\xbe\x03\xc2\x21\x5f\x01\x21\x31\x96\x8c\x6a\x80\x86\x0a\xe8\x11\x93\x05\x94\x68\x10\x8e\xfd\x4f\x13\x05\x37\x9d\x01\x15\xc7\xec\x66\x7b\x03\x59\x94\x0e\x56\x64\xbf\x7b\x3c\x4a\x5f\x04\xca\x3c\x51\xdb\x9d\x2c\xd4\x17\xe9\x09\x9b\xff\x62\x8b\x8e\x1a\x8e\xd0\xf5\x96\x14\x93\x57\xa0\x8a\xbd\x11\x77\xeb\x97\x73\x53\xeb\x89\x32", 171); *(uint8_t*)0x200031c7 = 0x93; *(uint8_t*)0x200031c8 = 0x11; memcpy((void*)0x200031c9, 
"\xa8\xe2\x2d\x54\x2a\xe3\xd8\x31\xf3\x37\x21\x1b\xb5\xbe\x12\xa5\xc4\x6e\x5c\xf9\xb5\x56\xd8\x4d\x5a\xf4\xca\xca\x87\x42\xad\x21\x61\x40\x56\x2b\x7e\x54\x21\xe2\x64\x24\x71\xe8\xf5\x0e\xb8\xae\xf0\x62\x12\xb4\x6c\x64\x4a\xe5\x84\x63\xe1\x8b\x3e\x72\xbd\x3e\xca\x60\x60\xfa\x8b\x94\x03\x17\x96\xe5\x5e\xb4\x1d\x3f\x31\x8a\xff\xbf\x08\x1e\xeb\x17\x08\x85\x1e\x72\xfa\xdd\x88\x7e\x03\x30\x13\x43\x19\xf0\xa5\x96\x7e\xda\x65\x7b\xc1\x10\x1f\x74\xde\xba\x42\xe7\x8a\xff\x20\xfb\x5d\x3c\x1f\xe4\x9d\x9a\x05\x46\x57\xb6\xf1\xaf\x3d\x01\x5f\xc1\x6f\xf8\x08\x73\xf3\x26\x69\x08\x43\xdf\x81", 145); *(uint8_t*)0x2000325a = 9; *(uint8_t*)0x2000325b = 5; *(uint8_t*)0x2000325c = 0xf; *(uint8_t*)0x2000325d = 4; *(uint16_t*)0x2000325e = 0x200; *(uint8_t*)0x20003260 = 0; *(uint8_t*)0x20003261 = 0x1f; *(uint8_t*)0x20003262 = 1; *(uint8_t*)0x20003263 = 0x11; *(uint8_t*)0x20003264 = 6; memcpy((void*)0x20003265, "\x82\x4b\x7d\x09\x57\xbc\x55\x2d\x22\x4f\xdf\x6b\xff\x63\xa8", 15); *(uint8_t*)0x20003274 = 7; *(uint8_t*)0x20003275 = 0x25; *(uint8_t*)0x20003276 = 1; *(uint8_t*)0x20003277 = 0x80; *(uint8_t*)0x20003278 = 0xfd; *(uint16_t*)0x20003279 = 6; *(uint8_t*)0x2000327b = 9; *(uint8_t*)0x2000327c = 5; *(uint8_t*)0x2000327d = 0; *(uint8_t*)0x2000327e = 0; *(uint16_t*)0x2000327f = 0x20; *(uint8_t*)0x20003281 = 0x1f; *(uint8_t*)0x20003282 = 0xfd; *(uint8_t*)0x20003283 = 3; *(uint32_t*)0x20003400 = 0xa; *(uint32_t*)0x20003404 = 0x200032c0; *(uint8_t*)0x200032c0 = 0xa; *(uint8_t*)0x200032c1 = 6; *(uint16_t*)0x200032c2 = 0x110; *(uint8_t*)0x200032c4 = 0x4d; *(uint8_t*)0x200032c5 = 0x80; *(uint8_t*)0x200032c6 = 0x80; *(uint8_t*)0x200032c7 = 0x20; *(uint8_t*)0x200032c8 = 0xc1; *(uint8_t*)0x200032c9 = 0; *(uint32_t*)0x20003408 = 0x46; *(uint32_t*)0x2000340c = 0x20003300; *(uint8_t*)0x20003300 = 5; *(uint8_t*)0x20003301 = 0xf; *(uint16_t*)0x20003302 = 0x46; *(uint8_t*)0x20003304 = 5; *(uint8_t*)0x20003305 = 0xb; *(uint8_t*)0x20003306 = 0x10; *(uint8_t*)0x20003307 = 1; *(uint8_t*)0x20003308 = 0xc; 
*(uint16_t*)0x20003309 = 0x35; *(uint8_t*)0x2000330b = 0; *(uint8_t*)0x2000330c = 0xdf; *(uint16_t*)0x2000330d = 9; *(uint8_t*)0x2000330f = 0xf7; *(uint8_t*)0x20003310 = 7; *(uint8_t*)0x20003311 = 0x10; *(uint8_t*)0x20003312 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003313, 0xe, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003314, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003314, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003315, 9, 0, 16); *(uint8_t*)0x20003317 = 0x18; *(uint8_t*)0x20003318 = 0x10; *(uint8_t*)0x20003319 = 0xa; *(uint8_t*)0x2000331a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000331b, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000331b, 0x7fffffe, 5, 27); *(uint16_t*)0x2000331f = 0xff0f; *(uint16_t*)0x20003321 = 0x101; *(uint32_t*)0x20003323 = 0xffc0a0; *(uint32_t*)0x20003327 = 0; *(uint32_t*)0x2000332b = 0xffff0f; *(uint8_t*)0x2000332f = 0x10; *(uint8_t*)0x20003330 = 0x10; *(uint8_t*)0x20003331 = 0xa; *(uint8_t*)0x20003332 = 3; STORE_BY_BITMASK(uint32_t, , 0x20003333, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003333, 0x200, 5, 27); *(uint16_t*)0x20003337 = 0xff00; *(uint16_t*)0x20003339 = 1; *(uint32_t*)0x2000333b = 0; *(uint8_t*)0x2000333f = 7; *(uint8_t*)0x20003340 = 0x10; *(uint8_t*)0x20003341 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003342, 0x16, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003343, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003343, 0xe, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003344, 7, 0, 16); *(uint32_t*)0x20003410 = 2; *(uint32_t*)0x20003414 = 4; *(uint32_t*)0x20003418 = 0x20003380; *(uint8_t*)0x20003380 = 4; *(uint8_t*)0x20003381 = 3; *(uint16_t*)0x20003382 = 0x380a; *(uint32_t*)0x2000341c = 4; *(uint32_t*)0x20003420 = 0x200033c0; *(uint8_t*)0x200033c0 = 4; *(uint8_t*)0x200033c1 = 3; *(uint16_t*)0x200033c2 = 0x42f; res = -1; res = syz_usb_connect(4, 0x384, 0x20002f00, 0x20003400); if (res != -1) r[16] = res; break; case 35: *(uint8_t*)0x20003440 = 0x12; *(uint8_t*)0x20003441 = 1; *(uint16_t*)0x20003442 = 0x200; *(uint8_t*)0x20003444 = -1; 
*(uint8_t*)0x20003445 = -1; *(uint8_t*)0x20003446 = -1; *(uint8_t*)0x20003447 = 0x40; *(uint16_t*)0x20003448 = 0xcf3; *(uint16_t*)0x2000344a = 0x9271; *(uint16_t*)0x2000344c = 0x108; *(uint8_t*)0x2000344e = 1; *(uint8_t*)0x2000344f = 2; *(uint8_t*)0x20003450 = 3; *(uint8_t*)0x20003451 = 1; *(uint8_t*)0x20003452 = 9; *(uint8_t*)0x20003453 = 2; *(uint16_t*)0x20003454 = 0x48; *(uint8_t*)0x20003456 = 1; *(uint8_t*)0x20003457 = 1; *(uint8_t*)0x20003458 = 0; *(uint8_t*)0x20003459 = 0x80; *(uint8_t*)0x2000345a = 0xfa; *(uint8_t*)0x2000345b = 9; *(uint8_t*)0x2000345c = 4; *(uint8_t*)0x2000345d = 0; *(uint8_t*)0x2000345e = 0; *(uint8_t*)0x2000345f = 6; *(uint8_t*)0x20003460 = -1; *(uint8_t*)0x20003461 = 0; *(uint8_t*)0x20003462 = 0; *(uint8_t*)0x20003463 = 0; *(uint8_t*)0x20003464 = 9; *(uint8_t*)0x20003465 = 5; *(uint8_t*)0x20003466 = 1; *(uint8_t*)0x20003467 = 2; *(uint16_t*)0x20003468 = 0x200; *(uint8_t*)0x2000346a = 0; *(uint8_t*)0x2000346b = 0; *(uint8_t*)0x2000346c = 0; *(uint8_t*)0x2000346d = 9; *(uint8_t*)0x2000346e = 5; *(uint8_t*)0x2000346f = 0x82; *(uint8_t*)0x20003470 = 2; *(uint16_t*)0x20003471 = 0x200; *(uint8_t*)0x20003473 = 0; *(uint8_t*)0x20003474 = 0; *(uint8_t*)0x20003475 = 0; *(uint8_t*)0x20003476 = 9; *(uint8_t*)0x20003477 = 5; *(uint8_t*)0x20003478 = 0x83; *(uint8_t*)0x20003479 = 3; *(uint16_t*)0x2000347a = 0x40; *(uint8_t*)0x2000347c = 1; *(uint8_t*)0x2000347d = 0; *(uint8_t*)0x2000347e = 0; *(uint8_t*)0x2000347f = 9; *(uint8_t*)0x20003480 = 5; *(uint8_t*)0x20003481 = 4; *(uint8_t*)0x20003482 = 3; *(uint16_t*)0x20003483 = 0x40; *(uint8_t*)0x20003485 = 1; *(uint8_t*)0x20003486 = 0; *(uint8_t*)0x20003487 = 0; *(uint8_t*)0x20003488 = 9; *(uint8_t*)0x20003489 = 5; *(uint8_t*)0x2000348a = 5; *(uint8_t*)0x2000348b = 2; *(uint16_t*)0x2000348c = 0x200; *(uint8_t*)0x2000348e = 0; *(uint8_t*)0x2000348f = 0; *(uint8_t*)0x20003490 = 0; *(uint8_t*)0x20003491 = 9; *(uint8_t*)0x20003492 = 5; *(uint8_t*)0x20003493 = 6; *(uint8_t*)0x20003494 = 2; 
*(uint16_t*)0x20003495 = 0x200; *(uint8_t*)0x20003497 = 0; *(uint8_t*)0x20003498 = 0; *(uint8_t*)0x20003499 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20003440, 0); break; case 36: *(uint32_t*)0x200036c0 = 0x18; *(uint32_t*)0x200036c4 = 0x200034c0; *(uint8_t*)0x200034c0 = 0x20; *(uint8_t*)0x200034c1 = 8; *(uint32_t*)0x200034c2 = 0xd4; *(uint8_t*)0x200034c6 = 0xd4; *(uint8_t*)0x200034c7 = 0x31; memcpy((void*)0x200034c8, "\xdd\x9f\xe1\xd6\xf8\xee\x76\xd6\x28\x92\x46\xb5\x27\x7c\xc1\x9f\x3c\x46\x21\xad\xd8\x21\xa7\xf3\xd1\xaa\xe9\x94\xdb\xf4\xb1\xbd\x89\xe8\x77\x07\x34\x76\x8a\xde\x97\xe5\x1d\x24\x8f\x53\xcd\x53\x0b\x31\x11\x9a\xac\xcf\x53\xb6\xf6\xed\xdf\x4b\x8b\xfe\x6a\x1a\x85\x9c\x3d\xc2\x86\xf8\x33\x5c\x9d\x15\xe5\xd5\x16\x9b\x24\x41\x55\x39\x10\x62\xff\x88\x5d\x40\xbe\x37\x07\xb6\xd1\xea\x25\x2a\x96\xd9\x7a\xb2\x4f\xb6\x75\xf5\x45\x57\xcf\xa2\x4d\x80\x5b\x07\x95\x70\x8a\xf5\x06\x5d\x4b\x66\x62\xdf\xd5\x4d\xd5\x9c\xfc\xe1\x67\x3a\xb3\x56\xa2\x54\xf6\xb5\xbc\xe4\x4c\x61\x9a\x17\xff\xce\x8e\xbb\x96\xe0\x83\xc0\x82\x45\x00\x62\xbd\x71\xa2\x06\xca\x92\x1e\x0b\x77\xf5\x17\xc1\x61\x95\x86\xb3\xbc\xa3\xe2\x49\x08\x21\x01\x6c\xc7\x6c\xaf\x96\xc0\xec\x90\x68\xb4\x5e\x23\x34\xed\x9a\x6f\xf0\x6a\x63\x43\xae\x01\xf0\xae\xf6\x12\x7e\xba\xf5\xb5\x2d\x69\xe3", 210); *(uint32_t*)0x200036c8 = 0x200035c0; *(uint8_t*)0x200035c0 = 0; *(uint8_t*)0x200035c1 = 3; *(uint32_t*)0x200035c2 = 4; *(uint8_t*)0x200035c6 = 4; *(uint8_t*)0x200035c7 = 3; *(uint16_t*)0x200035c8 = 0x40e; *(uint32_t*)0x200036cc = 0x20003600; *(uint8_t*)0x20003600 = 0; *(uint8_t*)0x20003601 = 0xf; *(uint32_t*)0x20003602 = 0x28; *(uint8_t*)0x20003606 = 5; *(uint8_t*)0x20003607 = 0xf; *(uint16_t*)0x20003608 = 0x28; *(uint8_t*)0x2000360a = 2; *(uint8_t*)0x2000360b = 3; *(uint8_t*)0x2000360c = 0x10; *(uint8_t*)0x2000360d = 0xb; *(uint8_t*)0x2000360e = 0x20; *(uint8_t*)0x2000360f = 0x10; *(uint8_t*)0x20003610 = 0xa; memcpy((void*)0x20003611, 
"\x19\x5f\xa2\xf3\x24\xc0\xbe\x96\xda\x3d\xb2\x6a\xfa\x56\x77\x53\x0a\xc0\xfa\xf4\xc6\x82\xbe\x7c\x15\xe9\xa5\x86\x66", 29); *(uint32_t*)0x200036d0 = 0x20003640; *(uint8_t*)0x20003640 = 0x20; *(uint8_t*)0x20003641 = 0x29; *(uint32_t*)0x20003642 = 0xf; *(uint8_t*)0x20003646 = 0xf; *(uint8_t*)0x20003647 = 0x29; *(uint8_t*)0x20003648 = 9; *(uint16_t*)0x20003649 = 1; *(uint8_t*)0x2000364b = 0; *(uint8_t*)0x2000364c = 9; memcpy((void*)0x2000364d, "\x05\x7c\x41\x7e", 4); memcpy((void*)0x20003651, "\x8d\xa4\x36\xc4", 4); *(uint32_t*)0x200036d4 = 0x20003680; *(uint8_t*)0x20003680 = 0x20; *(uint8_t*)0x20003681 = 0x2a; *(uint32_t*)0x20003682 = 0xc; *(uint8_t*)0x20003686 = 0xc; *(uint8_t*)0x20003687 = 0x2a; *(uint8_t*)0x20003688 = 0x20; *(uint16_t*)0x20003689 = 0x10; *(uint8_t*)0x2000368b = 0x80; *(uint8_t*)0x2000368c = 0x40; *(uint8_t*)0x2000368d = 0x1f; *(uint16_t*)0x2000368e = 0; *(uint16_t*)0x20003690 = 5; *(uint32_t*)0x20003b40 = 0x44; *(uint32_t*)0x20003b44 = 0x20003700; *(uint8_t*)0x20003700 = 0x60; *(uint8_t*)0x20003701 = 8; *(uint32_t*)0x20003702 = 0x54; memcpy((void*)0x20003706, "\x85\xf9\x88\x04\x52\x78\xf9\x75\x32\xa6\x67\xcb\xee\x9b\x82\x1d\x65\x54\xfb\x1c\x6d\x18\xdf\xfb\x78\x51\x96\xd9\x07\x27\xe1\xb4\x61\x5c\x86\xee\x04\x9a\x16\x96\xb1\x66\x8f\x00\x0e\x62\xd5\x39\xe0\x81\xcf\x07\xe3\x60\x17\x1c\xe6\x1c\xa2\xf9\x56\x44\xb9\xad\x8e\x92\x11\xa1\xb1\x9c\x43\x99\xbd\xfd\x6d\x53\x3b\xf8\x95\x52\x42\x72\x5b\xb4", 84); *(uint32_t*)0x20003b48 = 0x20003780; *(uint8_t*)0x20003780 = 0; *(uint8_t*)0x20003781 = 0xa; *(uint32_t*)0x20003782 = 1; *(uint8_t*)0x20003786 = 1; *(uint32_t*)0x20003b4c = 0x200037c0; *(uint8_t*)0x200037c0 = 0; *(uint8_t*)0x200037c1 = 8; *(uint32_t*)0x200037c2 = 1; *(uint8_t*)0x200037c6 = 0x81; *(uint32_t*)0x20003b50 = 0x20003800; *(uint8_t*)0x20003800 = 0x20; *(uint8_t*)0x20003801 = 0; *(uint32_t*)0x20003802 = 4; *(uint16_t*)0x20003806 = 2; *(uint16_t*)0x20003808 = 0; *(uint32_t*)0x20003b54 = 0x20003840; *(uint8_t*)0x20003840 = 0x20; 
*(uint8_t*)0x20003841 = 0; *(uint32_t*)0x20003842 = 8; *(uint16_t*)0x20003846 = 0x200; *(uint16_t*)0x20003848 = 0x40; *(uint32_t*)0x2000384a = 0xff; *(uint32_t*)0x20003b58 = 0x20003880; *(uint8_t*)0x20003880 = 0x40; *(uint8_t*)0x20003881 = 7; *(uint32_t*)0x20003882 = 2; *(uint16_t*)0x20003886 = 1; *(uint32_t*)0x20003b5c = 0x200038c0; *(uint8_t*)0x200038c0 = 0x40; *(uint8_t*)0x200038c1 = 9; *(uint32_t*)0x200038c2 = 1; *(uint8_t*)0x200038c6 = 0x81; *(uint32_t*)0x20003b60 = 0x20003900; *(uint8_t*)0x20003900 = 0x40; *(uint8_t*)0x20003901 = 0xb; *(uint32_t*)0x20003902 = 2; memcpy((void*)0x20003906, "\x8e\xaf", 2); *(uint32_t*)0x20003b64 = 0x20003940; *(uint8_t*)0x20003940 = 0x40; *(uint8_t*)0x20003941 = 0xf; *(uint32_t*)0x20003942 = 2; *(uint16_t*)0x20003946 = 9; *(uint32_t*)0x20003b68 = 0x20003980; *(uint8_t*)0x20003980 = 0x40; *(uint8_t*)0x20003981 = 0x13; *(uint32_t*)0x20003982 = 6; *(uint8_t*)0x20003986 = 0xaa; *(uint8_t*)0x20003987 = 0xaa; *(uint8_t*)0x20003988 = 0xaa; *(uint8_t*)0x20003989 = 0xaa; *(uint8_t*)0x2000398a = 0xaa; *(uint8_t*)0x2000398b = 0x38; *(uint32_t*)0x20003b6c = 0x200039c0; *(uint8_t*)0x200039c0 = 0x40; *(uint8_t*)0x200039c1 = 0x17; *(uint32_t*)0x200039c2 = 6; *(uint8_t*)0x200039c6 = -1; *(uint8_t*)0x200039c7 = -1; *(uint8_t*)0x200039c8 = -1; *(uint8_t*)0x200039c9 = -1; *(uint8_t*)0x200039ca = -1; *(uint8_t*)0x200039cb = -1; *(uint32_t*)0x20003b70 = 0x20003a00; *(uint8_t*)0x20003a00 = 0x40; *(uint8_t*)0x20003a01 = 0x19; *(uint32_t*)0x20003a02 = 2; memcpy((void*)0x20003a06, "{k", 2); *(uint32_t*)0x20003b74 = 0x20003a40; *(uint8_t*)0x20003a40 = 0x40; *(uint8_t*)0x20003a41 = 0x1a; *(uint32_t*)0x20003a42 = 2; *(uint16_t*)0x20003a46 = 0x40; *(uint32_t*)0x20003b78 = 0x20003a80; *(uint8_t*)0x20003a80 = 0x40; *(uint8_t*)0x20003a81 = 0x1c; *(uint32_t*)0x20003a82 = 1; *(uint8_t*)0x20003a86 = 0; *(uint32_t*)0x20003b7c = 0x20003ac0; *(uint8_t*)0x20003ac0 = 0x40; *(uint8_t*)0x20003ac1 = 0x1e; *(uint32_t*)0x20003ac2 = 1; *(uint8_t*)0x20003ac6 = 0xfe; 
*(uint32_t*)0x20003b80 = 0x20003b00; *(uint8_t*)0x20003b00 = 0x40; *(uint8_t*)0x20003b01 = 0x21; *(uint32_t*)0x20003b02 = 1; *(uint8_t*)0x20003b06 = 0xfa; syz_usb_control_io(r[16], 0x200036c0, 0x20003b40); break; case 37: *(uint8_t*)0x20003bc0 = 0x12; *(uint8_t*)0x20003bc1 = 1; *(uint16_t*)0x20003bc2 = 0x201; *(uint8_t*)0x20003bc4 = 0; *(uint8_t*)0x20003bc5 = 0; *(uint8_t*)0x20003bc6 = 0; *(uint8_t*)0x20003bc7 = 0x10; *(uint16_t*)0x20003bc8 = 0x46d; *(uint16_t*)0x20003bca = 0xc22d; *(uint16_t*)0x20003bcc = 0x40; *(uint8_t*)0x20003bce = 1; *(uint8_t*)0x20003bcf = 2; *(uint8_t*)0x20003bd0 = 3; *(uint8_t*)0x20003bd1 = 1; *(uint8_t*)0x20003bd2 = 9; *(uint8_t*)0x20003bd3 = 2; *(uint16_t*)0x20003bd4 = 0x2d; *(uint8_t*)0x20003bd6 = 1; *(uint8_t*)0x20003bd7 = 1; *(uint8_t*)0x20003bd8 = 0; *(uint8_t*)0x20003bd9 = 0x10; *(uint8_t*)0x20003bda = 2; *(uint8_t*)0x20003bdb = 9; *(uint8_t*)0x20003bdc = 4; *(uint8_t*)0x20003bdd = 0; *(uint8_t*)0x20003bde = 0x2f; *(uint8_t*)0x20003bdf = 2; *(uint8_t*)0x20003be0 = 3; *(uint8_t*)0x20003be1 = 1; *(uint8_t*)0x20003be2 = 1; *(uint8_t*)0x20003be3 = 0xfd; *(uint8_t*)0x20003be4 = 9; *(uint8_t*)0x20003be5 = 0x21; *(uint16_t*)0x20003be6 = 9; *(uint8_t*)0x20003be8 = 1; *(uint8_t*)0x20003be9 = 1; *(uint8_t*)0x20003bea = 0x22; *(uint16_t*)0x20003beb = 0x2ff; *(uint8_t*)0x20003bed = 9; *(uint8_t*)0x20003bee = 5; *(uint8_t*)0x20003bef = 0x81; *(uint8_t*)0x20003bf0 = 3; *(uint16_t*)0x20003bf1 = 0x10; *(uint8_t*)0x20003bf3 = 6; *(uint8_t*)0x20003bf4 = -1; *(uint8_t*)0x20003bf5 = 4; *(uint8_t*)0x20003bf6 = 9; *(uint8_t*)0x20003bf7 = 5; *(uint8_t*)0x20003bf8 = 2; *(uint8_t*)0x20003bf9 = 3; *(uint16_t*)0x20003bfa = 8; *(uint8_t*)0x20003bfc = 4; *(uint8_t*)0x20003bfd = 6; *(uint8_t*)0x20003bfe = 0x7f; *(uint32_t*)0x20003cc0 = 0xa; *(uint32_t*)0x20003cc4 = 0x20003c00; *(uint8_t*)0x20003c00 = 0xa; *(uint8_t*)0x20003c01 = 6; *(uint16_t*)0x20003c02 = 0x300; *(uint8_t*)0x20003c04 = 3; *(uint8_t*)0x20003c05 = 2; *(uint8_t*)0x20003c06 = 0xfa; 
*(uint8_t*)0x20003c07 = 8; *(uint8_t*)0x20003c08 = 0x74; *(uint8_t*)0x20003c09 = 0; *(uint32_t*)0x20003cc8 = 0x28; *(uint32_t*)0x20003ccc = 0x20003c40; *(uint8_t*)0x20003c40 = 5; *(uint8_t*)0x20003c41 = 0xf; *(uint16_t*)0x20003c42 = 0x28; *(uint8_t*)0x20003c44 = 2; *(uint8_t*)0x20003c45 = 3; *(uint8_t*)0x20003c46 = 0x10; *(uint8_t*)0x20003c47 = 0xb; *(uint8_t*)0x20003c48 = 0x20; *(uint8_t*)0x20003c49 = 0x10; *(uint8_t*)0x20003c4a = 0xa; *(uint8_t*)0x20003c4b = 3; STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 8, 5, 27); *(uint16_t*)0x20003c50 = 0xf00; *(uint16_t*)0x20003c52 = 0xf831; *(uint32_t*)0x20003c54 = 0xc0; *(uint32_t*)0x20003c58 = 0xc0a0; *(uint32_t*)0x20003c5c = 0xff000f; *(uint32_t*)0x20003c60 = 7; *(uint32_t*)0x20003c64 = 0xc0f0; *(uint32_t*)0x20003cd0 = 1; *(uint32_t*)0x20003cd4 = 4; *(uint32_t*)0x20003cd8 = 0x20003c80; *(uint8_t*)0x20003c80 = 4; *(uint8_t*)0x20003c81 = 3; *(uint16_t*)0x20003c82 = 0x436; res = -1; res = syz_usb_connect(4, 0x3f, 0x20003bc0, 0x20003cc0); if (res != -1) r[17] = res; break; case 38: syz_usb_disconnect(r[17]); break; case 39: syz_usb_ep_read(-1, 0x80, 0xc4, 0x20003d00); break; case 40: memcpy((void*)0x20003e00, "\x50\x74\xfa\x81\xf3\xf3\x73\xda\x27\x99\xca\xfb\x26\xb4\x49\x7c\xb3\xc8\x7b\xc0\xf8\x2f\xa7\x88\x54\x68\xbd\x41\x23\x20\x65\xaa\x95\x61\xd2\x4a\xe0\xf1\xd0\xe0\x36\xac\x71\x4a\xc5\xaf\x89\xc6\x9d\x88\x61\xca\xd7\x13\xfc\xb8\xba\xcb\x8c\x4b\x10\xdc\x3b\x6e\xc2\x04\x4c\x01\xf3\x71\xb1\x24\xc0\xa0\xf4\xba\xce\x7d\x51\x79\x87\x2c\xdd\x20\x5e\x09\xc3\xee\xb7\xd5\x57\x7b\x26\xe9\x8f\x84\x55\x4e\xd6", 99); syz_usb_ep_write(r[16], 0x7f, 0x63, 0x20003e00); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :246:33: error: ‘__NR_io_uring_setup’ 
undeclared (first use in this function) :246:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor375677897 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/13 (0.25s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$zero(0xffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x161000, 0x0) ioctl$SNAPSHOT_FREE(r0, 0x3305) syz_genetlink_get_family_id$l2tp(&(0x7f0000000040)='l2tp\x00') openat$dlm_control(0xffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x20000, 0x0) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f00000000c0)=0x17, 0x4) r1 = mmap$IORING_OFF_SQES(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x2000000, 0x1010, r0, 0x10000000) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, r1, &(0x7f00000003c0)=@IORING_OP_RECVMSG={0xa, 0x4, 0x0, r2, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=@x25={0x9, @remote}, 0x80, &(0x7f0000000240)=[{&(0x7f0000000180)=""/147, 0x93}], 0x1, &(0x7f0000000280)=""/202, 0xca}, 0x0, 0x0, 0x1, {0x3, r3}}, 0x10001) ioctl$KDSKBMETA(0xffffffffffffffff, 0x4b63, &(0x7f0000000440)=0x4) syz_emit_ethernet(0x56, &(0x7f0000000000)={@local, @remote, @void, {@canfd={0xd, {{0x3, 0x0, 0x1, 0x1}, 0x11, 0x2, 0x0, 0x0, "f4ebe40216fede5ef6c5310f0413c5d41b32fc23e07fd332a8a5c5f966821da091f47b7b9cf9228727ff7412c2e4a3a1573bb295482d7b4a3effd863cc60f5d8"}}}}, 
&(0x7f0000000080)={0x0, 0x4, [0xd2d, 0xc61, 0x6d3, 0xbe2]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x1, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x7f, 0x2}}}}, 0xf) syz_execute_func(&(0x7f0000000100)="c4c2cd45f18fe800edb85c2f009ee96436360f2811c4c3c90b6b0787c4c2f1a603f30fa6d0f36f650ffa0ec4c21d2f9f5aac384f3e65f3ab") syz_extract_tcp_res(&(0x7f0000000140), 0x2c, 0x9f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000180)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x3, 0xcc) r4 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3000001, 0x80000, 0xffffffffffffffff, 0x0) r5 = syz_io_uring_complete(r4) r6 = io_uring_setup(0x3a3b, &(0x7f00000001c0)={0x0, 0xd9fd, 0x20, 0x0, 0x308, 0x0, 0xffffffffffffffff}) r8 = syz_io_uring_setup(0x17a8, &(0x7f0000000240)={0x0, 0xb18d, 0x15b3e67cab3a8d6e, 0x2, 0x158, 0x0, r7}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f00000002c0), &(0x7f0000000300)) syz_io_uring_setup(0x6b11, &(0x7f0000000340)={0x0, 0x15f8, 0x20, 0x2, 0xd2}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f00000003c0)=0x0, &(0x7f0000000400)=0x0) r11 = socket$bt_rfcomm(0x1f, 0x3, 0x3) r12 = io_uring_register$IORING_REGISTER_PERSONALITY(r5, 0x9, 0x0, 0x0) syz_io_uring_submit(r4, r10, &(0x7f0000001700)=@IORING_OP_RECVMSG={0xa, 0x2, 0x0, r11, 0x0, &(0x7f00000016c0)={&(0x7f0000000440)=@nl=@proc, 0x80, &(0x7f00000015c0)=[{&(0x7f00000004c0)=""/44, 0x2c}, {&(0x7f0000000500)=""/4096, 0x1000}, {&(0x7f0000001500)=""/40, 0x28}, {&(0x7f0000001540)=""/74, 0x4a}], 0x4, &(0x7f0000001600)=""/185, 0xb9}, 0x0, 0x2000, 0x1, {0x3, r12}}, 0xad23946) r13 = fsmount(r5, 0x1, 0x84) ioctl$F2FS_IOC_MOVE_RANGE(r8, 0xc01cf509, &(0x7f0000001740)={r6, 0x3, 0x6, 0x1000}) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000017c0)=[{0x0, &(0x7f0000001780)="e7bed238547695a78957b574bacb6dbc567a3232e76559b4ea3931b608578a24da4c749795975b0ae51da8a86dde75b1d684", 0x32}], 0x1, 
0x0, &(0x7f0000001800), 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r9, 0x114, &(0x7f0000001840), 0x0, 0x4) syz_mount_image$afs(&(0x7f0000001880)='afs\x00', &(0x7f00000018c0)='./file0\x00', 0x5, 0x1, &(0x7f0000002900)=[{&(0x7f0000001900)="", 0x1000, 0x9}], 0x20005, &(0x7f0000002940)={[{@flock_openafs='flock=openafs'}, {@dyn='dyn'}, {@autocell='autocell'}, {@dyn='dyn'}, {@flock_openafs='flock=openafs'}, {@source={'source', 0x3d, '&'}}, {@source={'source', 0x3d, 'SEG6\x00'}}], [{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@subj_user={'subj_user', 0x3d, 'SEG6\x00'}}, {@smackfstransmute={'smackfstransmute', 0x3d, ':'}}, {@seclabel='seclabel'}]}) syz_open_dev$I2C(&(0x7f0000002a00)='/dev/i2c-#\x00', 0xad8, 0x2a2000) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000002a40)=0x0) syz_open_procfs(r15, &(0x7f0000002a80)='net\x00') syz_open_pts(r13, 0x0) syz_read_part_table(0x1, 0x7, &(0x7f0000002e80)=[{&(0x7f0000002ac0)="7ad3cd802dd0c424945d99ca9ca6e4fbb8f8e3b980d2ec", 0x17, 0x1000}, {&(0x7f0000002b00)="329de80b2b17bbd25d1f1907a9263af3bf05c4a7061e28492a3f71c6343aa5aaea0327a3", 0x24, 0x5}, {&(0x7f0000002b40)="82791dfd311d07db7d65e803ce6ca00028af8ff8d276187e0e14bbf7beab60fc4b70722e91b6322b8e3472191a66176bb0ca91dee60f1506a6d48be4055230c30be94a1043a1d2a06d42166069d8033d6c524c8610b8c4bb63af0ce6d6207137f1be1b62b002e8c35e6467c2423cc6597d1ca58ee31589f0248ac762e24a286a41a761912d34bb56f07db88ca52fce8d128762394fa00faac8451a42c3144bdec7e97296c9eac7c9f63110a3d405c16b0428880024e8c9c8af490b8cfad84cbb637878d634cd84346b60c9132c09660cdc616a0b", 0xd4, 0x7fff}, {&(0x7f0000002c40)="904bbcee2b46daa1ac643b7b6b8ea0ff462feabee541b411a885e470a496cbbdc729ffdebc50807f719cbe808d8b598b4767c7a852d9ce0c880a9b078b0187deac926bd4687a44f092bb", 0x4a, 0x5}, 
{&(0x7f0000002cc0)="3531ae257e7e0877cde340c42edbfc91dcffaff1284ef08a451e4c76e0cd83b2c0ea10d86bcefa93bbaef5fffbfe7dc70b73b89c55fc3851110d1bd0d1da31753320b111fe7060537e8f65f3c2f05adcb3d66bd2abe6b08aaae0d0eedca9937707ec4cb4874cdfd05800812ab53f9550b25a28ee69e62a0f790fe5233fc8645fc3fe6cae055f2aa1729125170151e86eeab67bb20bc884a1214c2d3d969c34fb239b45feec93ac209721bae7271251c613cea9379c1521", 0xb7, 0x4}, {&(0x7f0000002d80)="c3f04f26929b7a4d6342841fa53a9a8cb8006a97f428", 0x16, 0x6}, {&(0x7f0000002dc0)="c9871275e3269ff1bdcd67fb523e1ceb5151b0ede9e032634e36d486046bc31cd978bda59247355316319e768e7ac6be0648bf0fecd13cdad45f713e0e3b74e95eec77063c02a233ea97d338f4b1e9bc5a7cce85528742632ed59cec016f3914dd02ca6b1dc833224895277350cf1f21d6c78f8592717e91233f9026927e0cc3d80cdc57714763a0fcb091f5c69051b55cd2e1fcc33b13d597c5caeeb271c542978a1e17", 0xa4, 0x9c}]) r16 = syz_usb_connect(0x4, 0x384, &(0x7f0000002f00)={{0x12, 0x1, 0x201, 0xa4, 0x61, 0x1e, 0x40, 0xacd, 0x300, 0xc0df, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x372, 0x2, 0x4, 0x1f, 0x0, 0x1, [{{0x9, 0x4, 0x5d, 0xb3, 0x1, 0xad, 0x49, 0x76, 0x20, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x80}]}], [{{0x9, 0x5, 0xd, 0x0, 0x230, 0x5d, 0x1, 0x3f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x2}, @generic={0xba, 0xe, "f4e6e5762883c34df04f356099f1d34bdbc9f5324da648053fd690211b897119c4f3ac197f2aa93f2f3be05f836b1644d5b2327648b30816ed192f943dfce225f69d77c51565e177fd889c9c9d8c85b92ee4bead0e889446bbc320a40fa24807f476bfd1f1b3096e3370f755c94aa01c3be4ddc7952a5694bcad4beb4065bf5ea96066c43e9507e6220c47bc0271adcbaffce6ac90cb3c8b1cf748c6bbf97108dfa2cac4b87d3420428434397e07f17a87ed6233b39e32f0"}]}}]}}, {{0x9, 0x4, 0x5d, 0x27, 0x7, 0x3f, 0x84, 0xfd, 0x3, [@uac_as={[@format_type_i_discrete={0x10, 0x24, 0x2, 0x1, 0xe2, 0x2, 0x63, 0x40, "e721cc44acca8938"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x1, 0x0, "9ef42f"}, @as_header={0x7, 0x24, 0x1, 0x4, 0x1, 0x4}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x19, 0x6, "9e", "6983"}]}, 
@uac_as], [{{0x9, 0x5, 0xf, 0x0, 0x3ff, 0xf6, 0x5, 0x80}}, {{0x9, 0x5, 0x1, 0x10, 0x10, 0x0, 0x40, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x20, 0x6}]}}, {{0x9, 0x5, 0xb, 0x8, 0x10, 0x1, 0x2}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x4, 0x8, 0xc0, [@generic={0xbb, 0x31, "215ce6ab8f3c72caa3ab1326f18838908ac60bffb3b50748144aa2cbc4d7cac56f4a7bb2bd6c969674a5e4040861bb21ba5ccf0f822c1032e7e3729f8c171fc7a89b5340b5067108d597f178aa651a98aca4d012fa555a695683b527e6031f1f7f20494b250e3a6cd8b4de9647e150049867097c47cc237c612cefe698332f1fe7f02e6f53e845b1f5e7b4b24ad8629b78ce7630e2d40120fbc3f49375a4a086dedd2a27f06b3ed3d756a819b97f759aa54aef83df4868a9e9"}]}}, {{0x9, 0x5, 0x3, 0x12, 0x3ff, 0x0, 0x1, 0xff, [@generic={0xad, 0x31, "0c921d3f980f4e53147a46bd5856da03081660fbed7b8b2d389be8a038e95c2958a477ed5faf9ef38c82c3abea254459edb0f2cf286235034087adb7907ff192640b936886bd48d3a51215406b3aa0b6d8f8d91d830f5236a9a8be03c2215f012131968c6a80860ae81193059468108efd4f1305379d0115c7ec667b0359940e5664bf7b3c4a5f04ca3c51db9d2cd417e9099bff628b8e1a8ed0f596149357a08abd1177eb977353eb8932"}, @generic={0x93, 0x11, "a8e22d542ae3d831f337211bb5be12a5c46e5cf9b556d84d5af4caca8742ad216140562b7e5421e2642471e8f50eb8aef06212b46c644ae58463e18b3e72bd3eca6060fa8b94031796e55eb41d3f318affbf081eeb1708851e72fadd887e0330134319f0a5967eda657bc1101f74deba42e78aff20fb5d3c1fe49d9a054657b6f1af3d015fc16ff80873f326690843df81"}]}}, {{0x9, 0x5, 0xf, 0x4, 0x200, 0x0, 0x1f, 0x1, [@generic={0x11, 0x6, "824b7d0957bc552d224fdf6bff63a8"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x6}]}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x1f, 0xfd, 0x3}}]}}]}}]}}, &(0x7f0000003400)={0xa, &(0x7f00000032c0)={0xa, 0x6, 0x110, 0x4d, 0x80, 0x80, 0x20, 0xc1}, 0x46, &(0x7f0000003300)={0x5, 0xf, 0x46, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x35, 0x0, 0xdf, 0x9, 0xf7}, @ext_cap={0x7, 0x10, 0x2, 0xe, 0xb, 0x6, 0x9}, @ssp_cap={0x18, 0x10, 0xa, 0x1, 0x3, 0x7fffffe, 0xff0f, 0x101, [0xffc0a0, 0x0, 0xffff0f]}, @ssp_cap={0x10, 0x10, 0xa, 0x3, 0x1, 0x200, 0xff00, 0x1, [0x0]}, @ext_cap={0x7, 
0x10, 0x2, 0x16, 0x8, 0xe, 0x7}]}, 0x2, [{0x4, &(0x7f0000003380)=@lang_id={0x4, 0x3, 0x380a}}, {0x4, &(0x7f00000033c0)=@lang_id={0x4, 0x3, 0x42f}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000003440)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r16, &(0x7f00000036c0)={0x18, &(0x7f00000034c0)={0x20, 0x8, 0xd4, {0xd4, 0x31, "dd9fe1d6f8ee76d6289246b5277cc19f3c4621add821a7f3d1aae994dbf4b1bd89e8770734768ade97e51d248f53cd530b31119aaccf53b6f6eddf4b8bfe6a1a859c3dc286f8335c9d15e5d5169b244155391062ff885d40be3707b6d1ea252a96d97ab24fb675f54557cfa24d805b0795708af5065d4b6662dfd54dd59cfce1673ab356a254f6b5bce44c619a17ffce8ebb96e083c082450062bd71a206ca921e0b77f517c1619586b3bca3e2490821016cc76caf96c0ec9068b45e2334ed9a6ff06a6343ae01f0aef6127ebaf5b52d69e3"}}, &(0x7f00000035c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40e}}, &(0x7f0000003600)={0x0, 0xf, 0x28, {0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @generic={0x20, 0x10, 0xa, "195fa2f324c0be96da3db26afa5677530ac0faf4c682be7c15e9a58666"}]}}, &(0x7f0000003640)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x1, 0x0, 0x9, "057c417e", "8da436c4"}}, &(0x7f0000003680)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x20, 0x10, 0x80, 0x40, 0x1f, 0x0, 0x5}}}, &(0x7f0000003b40)={0x44, &(0x7f0000003700)={0x60, 0x8, 0x54, "85f988045278f97532a667cbee9b821d6554fb1c6d18dffb785196d90727e1b4615c86ee049a1696b1668f000e62d539e081cf07e360171ce61ca2f95644b9ad8e9211a1b19c4399bdfd6d533bf8955242725bb4"}, &(0x7f0000003780)={0x0, 0xa, 0x1, 0x1}, &(0x7f00000037c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000003800)={0x20, 0x0, 0x4, {0x2}}, &(0x7f0000003840)={0x20, 0x0, 0x8, {0x200, 0x40, [0xff]}}, &(0x7f0000003880)={0x40, 0x7, 0x2, 0x1}, &(0x7f00000038c0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000003900)={0x40, 0xb, 0x2, "8eaf"}, &(0x7f0000003940)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000003980)={0x40, 0x13, 0x6, @dev={[], 0x38}}, &(0x7f00000039c0)={0x40, 0x17, 0x6, @broadcast}, &(0x7f0000003a00)={0x40, 0x19, 0x2, '{k'}, 
&(0x7f0000003a40)={0x40, 0x1a, 0x2, 0x40}, &(0x7f0000003a80)={0x40, 0x1c, 0x1}, &(0x7f0000003ac0)={0x40, 0x1e, 0x1, 0xfe}, &(0x7f0000003b00)={0x40, 0x21, 0x1, 0xfa}}) r17 = syz_usb_connect$hid(0x4, 0x3f, &(0x7f0000003bc0)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x46d, 0xc22d, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x10, 0x2, [{{0x9, 0x4, 0x0, 0x2f, 0x2, 0x3, 0x1, 0x1, 0xfd, {0x9, 0x21, 0x9, 0x1, 0x1, {0x22, 0x2ff}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0x6, 0xff, 0x4}}, [{{0x9, 0x5, 0x2, 0x3, 0x8, 0x4, 0x6, 0x7f}}]}}}]}}]}}, &(0x7f0000003cc0)={0xa, &(0x7f0000003c00)={0xa, 0x6, 0x300, 0x3, 0x2, 0xfa, 0x8, 0x74}, 0x28, &(0x7f0000003c40)={0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x3, 0x5, 0x8, 0xf00, 0xf831, [0xc0, 0xc0a0, 0xff000f, 0x7, 0xc0f0]}]}, 0x1, [{0x4, &(0x7f0000003c80)=@lang_id={0x4, 0x3, 0x436}}]}) syz_usb_disconnect(r17) syz_usb_ep_read(0xffffffffffffffff, 0x80, 0xc4, &(0x7f0000003d00)=""/196) syz_usb_ep_write(r16, 0x7f, 0x63, &(0x7f0000003e00)="5074fa81f3f373da2799cafb26b4497cb3c87bc0f82fa7885468bd41232065aa9561d24ae0f1d0e036ac714ac5af89c69d8861cad713fcb8bacb8c4b10dc3b6ec2044c01f371b124c0a0f4bace7d5179872cdd205e09c3eeb7d5577b26e98f84554ed6") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); 
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* 
file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[1024]; }; static struct nlmsg nlmsg; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; unsigned n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != hdr->nlmsg_len) exit(1); n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (n < sizeof(struct nlmsghdr)) exit(1); if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr)) exit(1); if (hdr->nlmsg_type != NLMSG_ERROR) exit(1); return -((struct nlmsgerr*)(hdr + 1))->error; } static 
int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL); } static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; hdr.ifi_index = if_nametoindex(name); netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr)); if (new_name) netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize); int err = netlink_send(nlmsg, sock); (void)err; } static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev, const void* addr, int addrsize) { struct ifaddrmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ifa_prefixlen = addrsize == 4 ? 
24 : 120; hdr.ifa_scope = RT_SCOPE_UNIVERSE; hdr.ifa_index = if_nametoindex(dev); netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize); netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize); return netlink_send(nlmsg, sock); } static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in_addr in_addr; inet_pton(AF_INET, addr, &in_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr)); (void)err; } static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in6_addr in6_addr; inet_pton(AF_INET6, addr, &in6_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr)); (void)err; } static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name, const void* addr, int addrsize, const void* mac, int macsize) { struct ndmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ndm_family = addrsize == 4 ? 
AF_INET : AF_INET6; hdr.ndm_ifindex = if_nametoindex(name); hdr.ndm_state = NUD_PERMANENT; netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, NDA_DST, addr, addrsize); netlink_attr(nlmsg, NDA_LLADDR, mac, macsize); int err = netlink_send(nlmsg, sock); (void)err; } static int tunfd = -1; #define TUN_IFACE "syz_tun" #define LOCAL_MAC 0xaaaaaaaaaaaa #define REMOTE_MAC 0xaaaaaaaaaabb #define LOCAL_IPV4 "172.20.20.170" #define REMOTE_IPV4 "172.20.20.187" #define LOCAL_IPV6 "fe80::aa" #define REMOTE_IPV6 "fe80::bb" #define IFF_NAPI 0x0010 static void initialize_tun(void) { tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); if (tunfd == -1) { printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); printf("otherwise fuzzing or reproducing might not work as intended\n"); return; } const int kTunFd = 240; if (dup2(tunfd, kTunFd) < 0) exit(1); close(tunfd); tunfd = kTunFd; struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); ifr.ifr_flags = IFF_TAP | IFF_NO_PI; if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { exit(1); } char sysctl[64]; sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE); write_file(sysctl, "0"); sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE); write_file(sysctl, "0"); int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4); netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6); uint64_t macaddr = REMOTE_MAC; struct in_addr in_addr; inet_pton(AF_INET, REMOTE_IPV4, &in_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN); struct in6_addr in6_addr; inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN); macaddr = LOCAL_MAC; netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN, NULL); 
close(sock); } const int kInitNetNsFd = 239; static int read_tun(char* data, int size) { if (tunfd < 0) return -1; int rv = read(tunfd, data, size); if (rv < 0) { if (errno == EAGAIN || errno == EBADFD) return -1; exit(1); } return rv; } static long syz_emit_ethernet(volatile long a0, volatile long a1, volatile long a2) { if (tunfd < 0) return (uintptr_t)-1; uint32_t length = a0; char* data = (char*)a1; return write(tunfd, data, length); } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static void flush_tun() { char data[1000]; while (read_tun(&data[0], sizeof(data)) != -1) { } } struct ipv6hdr { __u8 priority : 4, version : 4; __u8 flow_lbl[3]; __be16 payload_len; __u8 nexthdr; __u8 hop_limit; struct in6_addr saddr; struct in6_addr daddr; }; struct tcp_resources { 
uint32_t seq; uint32_t ack; }; static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2) { if (tunfd < 0) return (uintptr_t)-1; char data[1000]; int rv = read_tun(&data[0], sizeof(data)); if (rv == -1) return (uintptr_t)-1; size_t length = rv; struct tcphdr* tcphdr; if (length < sizeof(struct ethhdr)) return (uintptr_t)-1; struct ethhdr* ethhdr = (struct ethhdr*)&data[0]; if (ethhdr->h_proto == htons(ETH_P_IP)) { if (length < sizeof(struct ethhdr) + sizeof(struct iphdr)) return (uintptr_t)-1; struct iphdr* iphdr = (struct iphdr*)&data[sizeof(struct ethhdr)]; if (iphdr->protocol != IPPROTO_TCP) return (uintptr_t)-1; if (length < sizeof(struct ethhdr) + iphdr->ihl * 4 + sizeof(struct tcphdr)) return (uintptr_t)-1; tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + iphdr->ihl * 4]; } else { if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr)) return (uintptr_t)-1; struct ipv6hdr* ipv6hdr = (struct ipv6hdr*)&data[sizeof(struct ethhdr)]; if (ipv6hdr->nexthdr != IPPROTO_TCP) return (uintptr_t)-1; if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr) + sizeof(struct tcphdr)) return (uintptr_t)-1; tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + sizeof(struct ipv6hdr)]; } struct tcp_resources* res = (struct tcp_resources*)a0; res->seq = htonl((ntohl(tcphdr->seq) + (uint32_t)a1)); res->ack = htonl((ntohl(tcphdr->ack_seq) + (uint32_t)a2)); return 0; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index 
ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; 
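__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
    return &usb_devices[i].index;
}

/* Returns the descriptor index stored in the usb_devices slot whose fd
 * equals the argument, or NULL when no slot matches. */
static struct usb_device_index* lookup_usb_index(int fd)
{
    int i;
    for (i = 0; i < USB_MAX_FDS; i++) {
        if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
            return &usb_devices[i].index;
        }
    }
    return NULL;
}

/* One caller-supplied string descriptor: length plus pointer to the bytes. */
struct vusb_connect_string_descriptor {
    uint32_t len;
    char* str;
} __attribute__((packed));

/* Optional descriptors supplied by the program for the connect phase. */
struct vusb_connect_descriptors {
    uint32_t qual_len;
    char* qual;
    uint32_t bos_len;
    char* bos;
    uint32_t strs_len;
    struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 };
static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 };

/*
 * Picks the reply for an IN control request seen while the emulated device
 * is being connected.
 *
 * fd              raw-gadget descriptor, used to find the device index.
 * descs           optional caller-supplied descriptors; may be NULL (the
 *                 connect wrappers forward their fourth argument unchecked).
 * ctrl            the control request fetched from the gadget.
 * response_data   out: pointer to the reply bytes.
 * response_length out: number of reply bytes.
 *
 * Returns true when a reply was selected, false when the request is not
 * handled (syz_usb_connect_impl then stalls ep0).
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    uint8_t str_idx;
    if (!index)
        return false;
    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_GET_DESCRIPTOR:
            switch (ctrl->wValue >> 8) {
            case USB_DT_DEVICE:
                *response_data = (char*)index->dev;
                *response_length = sizeof(*index->dev);
                return true;
            case USB_DT_CONFIG:
                *response_data = (char*)index->config;
                *response_length = index->config_length;
                return true;
            case USB_DT_STRING:
                str_idx = (uint8_t)ctrl->wValue;
                if (descs && str_idx < descs->strs_len) {
                    *response_data = descs->strs[str_idx].str;
                    *response_length = descs->strs[str_idx].len;
                    return true;
                }
                if (str_idx == 0) {
                    *response_data = (char*)&default_lang_id[0];
                    *response_length = default_lang_id[0];
                    return true;
                }
                *response_data = (char*)&default_string[0];
                *response_length = default_string[0];
                return true;
            case USB_DT_BOS:
                /* descs is optional; the string case above already checks
                 * it. With nothing to hand out, report "not handled" rather
                 * than dereference a null pointer. */
                if (!descs)
                    return false;
                *response_data = descs->bos;
                *response_length = descs->bos_len;
                return true;
            case USB_DT_DEVICE_QUALIFIER:
                if (!descs || !descs->qual) {
                    /* Synthesize the qualifier from the device descriptor.
                     * The original cast response_data itself (the address
                     * of the caller's char* variable) to a descriptor
                     * pointer and wrote the whole structure there, which
                     * overruns the pointer-sized variable and never sets a
                     * valid reply pointer. Build the descriptor in
                     * per-thread storage and publish its address instead;
                     * the caller copies the bytes out immediately. */
                    static __thread struct usb_qualifier_descriptor qual;
                    qual.bLength = sizeof(qual);
                    qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
                    qual.bcdUSB = index->dev->bcdUSB;
                    qual.bDeviceClass = index->dev->bDeviceClass;
                    qual.bDeviceSubClass = index->dev->bDeviceSubClass;
                    qual.bDeviceProtocol = index->dev->bDeviceProtocol;
                    qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
                    qual.bNumConfigurations = index->dev->bNumConfigurations;
                    qual.bRESERVED = 0;
                    *response_data = (char*)&qual;
                    *response_length = sizeof(qual);
                    return true;
                }
                *response_data = descs->qual;
                *response_length = descs->qual_len;
                return true;
            default:
                break;
            }
            break;
        default:
            break;
        }
        break;
    default:
        break;
    }
    return false;
}

/* Handler type for OUT control requests during connect; sets *done when the
 * connect loop should finish. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/* Generic OUT handler: accepts SET_CONFIGURATION and marks the connect
 * phase done; every other request is reported as not handled. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_SET_CONFIGURATION:
            *done = true;
            return true;
        default:
            break;
        }
        break;
    }
    return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

/* ath9k OUT handler: accepts SET_CONFIGURATION and the vendor firmware
 * download request, and marks the connect phase done only on the vendor
 * "download complete" request. */
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_SET_CONFIGURATION:
            return true;
        default:
            break;
        }
        break;
    case USB_TYPE_VENDOR:
        switch (ctrl->bRequest) {
        case ATH9K_FIRMWARE_DOWNLOAD:
            return true;
        case ATH9K_FIRMWARE_DOWNLOAD_COMP:
            *done = true;
            return true;
        default:
            break;
        }
        break;
    }
    return false;
}

/* One descriptor reply, matched on request type and descriptor type. */
struct vusb_descriptor {
    uint8_t req_type;
    uint8_t desc_type;
    uint32_t len;
    char data[0];
} __attribute__((packed));

struct vusb_descriptors {
    uint32_t len;
    struct vusb_descriptor* generic;
    struct vusb_descriptor* descs[0];
}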
__attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 
2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, 
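USB_RAW_IOCTL_INIT, &arg);
}

/* Thin wrappers around the raw-gadget ioctls; each returns ioctl()'s result. */
static int usb_raw_run(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
    return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
    return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/* Returns the position in index->ifaces of the interface with the given
 * number and alternate setting, or -1 when fd is unknown or nothing matches. */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    int i;
    if (!index)
        return -1;
    for (i = 0; i < index->ifaces_num; i++) {
        if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
            index->ifaces[i].bAlternateSetting == bAlternateSetting)
            return i;
    }
    return -1;
}

/* Returns the stored handle of the endpoint with address bEndpointAddress
 * on the currently selected interface, or -1 when fd is unknown, no
 * interface is selected, or no endpoint has that address. */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    int ep;
    if (!index)
        return -1;
    if (index->iface_cur < 0)
        return -1;
    /* The loop condition used to be the bare eps_num value, so with any
     * endpoint present and no matching address the scan ran past the end of
     * eps[]. Bound it by the number of parsed endpoints. */
    for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
        if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
            return index->ifaces[index->iface_cur].eps[ep].handle;
    return -1;
}

static void set_interface(int fd, int n)
{
    struct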
usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* 
response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long 
syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; 
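// Remainder of syz_usb_ep_write; its signature and `int fd = a0;` are on the preceding line.
// Tokens are unchanged, only line breaks were restored.
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	// Clamp to the local transfer buffer so the memcpy below cannot overrun io_data.data.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// syz_usb_ep_read reads from endpoint a1 of the descriptor a0 into the caller buffer at a3.
// The requested length a2 is clamped to the size of the local transfer buffer.
// Returns 0 on success, -1 when lookup_endpoint() fails, or the negative value
// returned by usb_raw_ep_read().
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	const int gadget_fd = a0;
	const uint8_t ep_addr = a1;
	uint32_t want = a2;
	char* out = (char*)a3;

	const int handle = lookup_endpoint(gadget_fd, ep_addr);
	if (handle < 0)
		return -1;

	struct usb_raw_ep_io_data xfer;
	xfer.inner.ep = handle;
	xfer.inner.flags = 0;
	if (want > sizeof(xfer.data))
		want = sizeof(xfer.data);
	xfer.inner.length = want;

	const int rv = usb_raw_ep_read(gadget_fd, (struct usb_raw_ep_io*)&xfer);
	if (rv < 0)
		return rv;

	// NOTE(review): the copy uses inner.length, not rv. If rv is a byte count smaller than
	// the request, the rest of xfer.data is uninitialised stack - confirm against usb_raw_ep_read.
	memcpy(&out[0], &xfer.data[0], xfer.inner.length);
	sleep_ms(200);
	return 0;
}

// syz_usb_disconnect closes the descriptor a0, waits 200 ms and returns close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	const int rv = close((int)a0);
	sleep_ms(200);
	return rv;
}

// syz_open_dev opens a device node.
//   a0 == 0xc / 0xb: opens /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> read-write,
//                    with a1 and a2 truncated to 8 bits.
//   otherwise:       a0 is a pointer to a path template. Each '#' is replaced by the next
//                    decimal digit of a1 (least significant first) and the result is opened
//                    with flags a2.
// Returns the value of open().
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char devpath[128];
		const char* kind = a0 == 0xc ? "char" : "block";
		// Bounded: two 8-bit numbers and a fixed prefix always fit in 128 bytes.
		sprintf(devpath, "/dev/%s/%d:%d", kind, (uint8_t)a1, (uint8_t)a2);
		return open(devpath, O_RDWR, 0);
	}

	char path[1024];
	// strncpy does not terminate on truncation, so the last byte is forced to NUL.
	strncpy(path, (char*)a0, sizeof(path) - 1);
	path[sizeof(path) - 1] = 0;
	char* slot = strchr(path, '#');
	while (slot) {
		// NOTE(review): a negative a1 makes a1 % 10 negative, so the byte written is not a digit.
		*slot = '0' + (char)(a1 % 10);
		a1 /= 10;
		slot = strchr(path, '#');
	}
	return open(path, a2, 0);
}

// syz_open_procfs opens a file under /proc for the current process.
//   a0 == 0:  /proc/self/<a1>
//   a0 == -1: /proc/thread-self/<a1>
//   else:     /proc/self/task/<a0>/<a1>
// a1 points to the file name. The path is truncated to the 128-byte buffer by snprintf.
// The file is opened read-write, falling back to read-only. Returns the fd or -1.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char path[128];
	memset(path, 0, sizeof(path));
	const char* leaf = (char*)a1;
	switch (a0) {
	case 0:
		snprintf(path, sizeof(path), "/proc/self/%s", leaf);
		break;
	case -1:
		snprintf(path, sizeof(path), "/proc/thread-self/%s", leaf);
		break;
	default:
		snprintf(path, sizeof(path), "/proc/self/task/%d/%s", (int)a0, leaf);
		break;
	}
	int fd = open(path, O_RDWR);
	return fd != -1 ? fd : open(path, O_RDONLY);
}

// syz_open_pts asks the pty master a0 for its slave number (TIOCGPTN) and opens
// /dev/pts/<n> with flags a1. Returns the fd, or -1 if the ioctl fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno) != 0)
		return -1;
	char slave[128];
	sprintf(slave, "/dev/pts/%d", ptyno);
	return open(slave, a1, 0);
}

// syz_init_net_socket creates a socket while the thread is switched to the namespace
// behind kInitNetNsFd, then switches back to the namespace it started in.
// Returns the socket fd or -1, with errno preserved from the socket() call. Exits the
// process if the original namespace cannot be restored, because continuing in the wrong
// namespace would silently change what every later call operates on.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Fix: the saved-namespace descriptor used to leak on this path; close it and
		// keep setns()'s errno for the caller.
		int setns_err = errno;
		close(netns);
		errno = setns_err;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// Head of syz_genetlink_get_family_id; the socket() call below is completed on the next line.
// It builds a CTRL_CMD_GETFAMILY request addressed to GENL_ID_CTRL whose single attribute
// carries the family name, copied from `name` (at most GENL_NAMSIZ bytes).
// Tokens are unchanged, only line breaks were restored.
static long syz_genetlink_get_family_id(volatile long name)
{
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW,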
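NETLINK_GENERIC);
	// Remainder of syz_genetlink_get_family_id (its head is on the preceding line).
	// It sends the request, reads one reply into buf and scans the attributes for
	// CTRL_ATTR_FAMILY_ID. Tokens are unchanged, only line breaks were restored.
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	// NOTE(review): the walk trusts nla_len from the reply. An attribute with nla_len == 0
	// would never advance, and the header of the last attribute is read without checking
	// that it lies fully below buf + n.
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

// One piece of a filesystem image: `size` bytes at `data`, written at `offset` in the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
// memfd_create syscall number, invoked through syscall() below.
#define sys_memfd_create 356

// fs_image_segment_check sanitises the first min(nsegs, IMAGE_MAX_SEGMENTS) entries of
// the segment array at `segments` IN PLACE and returns the image size to allocate.
// After the call every checked segment satisfies offset + size <= IMAGE_MAX_SIZE.
// The returned size is at least the end of every checked segment and at most IMAGE_MAX_SIZE.
// nsegs is passed by value, so the clamp applied here is invisible to the caller:
// callers must clamp their own count to IMAGE_MAX_SEGMENTS before walking the array.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// Fix: the image must reach the END of the segment (offset + size). The original
		// compared against offset + offset, which ignores the segment length.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// syz_read_part_table assembles an image from `nsegs` segments in a memfd, attaches it to
// /dev/loop<procid>, sets LO_FLAGS_PARTSCAN and symlinks each partition node found
// (/dev/loop<procid>p1..p7) as ./file0, ./file1, ... in the current directory.
// Returns 0 on success, or -1 with errno set to the first failing step's error.
// The success path falls through the cleanup labels, so the loop device is always
// detached and both descriptors are always closed before returning.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;
	// Fix: fs_image_segment_check() validates only the first IMAGE_MAX_SEGMENTS entries,
	// so the write loop below must not walk past them into unchecked sizes and offsets.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		// Best effort: a segment that cannot be written is skipped.
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// Device still bound to an earlier image: detach, wait briefly, retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// syz_mount_image assembles an image from `nsegs` segments in a memfd, attaches it to
// /dev/loop<procid> and mounts it on `dir` (created if missing) as filesystem `fsarg`
// with mount flags `flags` and option string `optsarg`.
// Option handling: iso9660 is forced read-only; ext* gets ",errors=continue" appended
// when the options contain errors=panic or lack errors=remount-ro; xfs gets ",nouuid".
// Returns 0 on success, or -1 with errno set to the first failing step's error.
// The success path falls through the cleanup labels as well.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	char loopname[64], fs[32], opts[256];
	int loopfd, err = 0, res = -1;
	unsigned long i;
	// Fix: keep the write loop inside the range fs_image_segment_check() validated.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	mkdir((char*)dir, 0777);
	// Both buffers are zeroed first and strncpy is given less than the full size,
	// so the copies stay NUL-terminated.
	memset(fs, 0, sizeof(fs));
	strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
	memset(opts, 0, sizeof(opts));
	// 32 bytes are held back for the suffixes appended with strcat below.
	strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	if (mount(loopname, (char*)dir, fs, flags, opts)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Stub: in this build syz_kvm_setup_cpu ignores all eight arguments and returns 0.
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

// setup_common mounts fusectl on /sys/fs/fuse/connections; a failure is ignored.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Head of sandbox_common; the sysctl table is continued on the following line.
// Tokens are unchanged, only line breaks were restored.
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	// Keep a handle on the current network namespace at the fixed descriptor kInitNetNsFd.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Resource ceilings for the test process; setrlimit results are not checked.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	// NOTE(review): every unshare() failure is ignored, so on a kernel lacking one of
	// these namespaces the process keeps sharing it without any diagnostic.
	if (unshare(CLONE_NEWNS)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is CLONE_NEWCGROUP.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},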
// Remaining entries of the sysctl table in sandbox_common and the loop that applies them
// (the head of the function is on the preceding line).
// Tokens are unchanged, only line breaks were restored.
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// wait_for_loop blocks until child `pid` has been reaped and returns its exit status.
// Exits the process if `pid` is negative, i.e. the fork failed.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	for (;;) {
		// Other children reaped by waitpid(-1, ...) are discarded.
		if (waitpid(-1, &status, __WALL) == pid)
			break;
	}
	return WEXITSTATUS(status);
}

// drop_caps removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the calling process. Every other capability is left as it was.
// Exits the process if capget or capset fails.
static void drop_caps(void)
{
	struct __user_cap_header_struct hdr = {};
	struct __user_cap_data_struct sets[2] = {};
	hdr.version = _LINUX_CAPABILITY_VERSION_3;
	hdr.pid = getpid();
	if (syscall(SYS_capget, &hdr, &sets))
		exit(1);
	// Only sets[0] is touched: it is the element the two bit positions are applied to.
	const int keep_mask = ~((1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE));
	sets[0].effective &= keep_mask;
	sets[0].permitted &= keep_mask;
	sets[0].inheritable &= keep_mask;
	if (syscall(SYS_capset, &hdr, &sets))
		exit(1);
}

// do_sandbox_none: the parent forks and waits for the child; the child applies the common
// setup, drops two capabilities, tries to enter fresh PID and network namespaces and
// runs loop(). Namespace failures are ignored. Returns the child's exit status in the
// parent; the child never returns.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int child = fork();
	if (child != 0)
		return wait_for_loop(child);

	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	initialize_tun();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// remove_dir recursively deletes `dir`. Entries that fail with EPERM get their inode
// flags cleared through FS_IOC_SETFLAGS and are retried; EROFS ends the attempt for that
// entry; EBUSY is retried up to 100 times. If rmdir reports ENOTEMPTY the whole
// directory is rescanned, up to 100 times. Any other failure exits the process.
// The control flow depends on errno after each call, so the statements are kept in
// their original order and only line breaks were restored.
static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	int iter = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		// lstat: a symlink is removed itself and never followed.
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
		}
	}
	closedir(dp);
	int i;
	for (i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				continue;
			}
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// kill_and_wait sends SIGKILL to the process group and to `pid`, then polls for up to
// about 100 ms for it to be reaped. If it is still not reaped, one byte is written to
// the `abort` file of every entry under /sys/fs/fuse/connections before blocking until
// `pid` is reaped. `status` receives the wait status.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);

	int attempt;
	for (attempt = 0; attempt < 100; attempt++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}

	DIR* conns = opendir("/sys/fs/fuse/connections");
	if (conns) {
		struct dirent* ent;
		while ((ent = readdir(conns))) {
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort_path[300];
			snprintf(abort_path, sizeof(abort_path), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort_path, O_WRONLY);
			if (fd == -1)
				continue;
			// The byte written is the first character of the path itself.
			if (write(fd, abort_path, 1) < 0) {
			}
			close(fd);
		}
		closedir(conns);
	}

	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// reset_loop detaches whatever is bound to /dev/loop<procid>; does nothing if the
// device cannot be opened.
static void reset_loop()
{
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	int loopfd = open(loopname, O_RDWR);
	if (loopfd == -1)
		return;
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
}

// setup_test prepares the per-iteration child: it dies with its parent, gets its own
// process group, sets oom_score_adj to 1000 and calls flush_tun().
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	flush_tun();
}

// syz_execute_func calls the address `text` as a `void (*)(void)` function and returns 0
// if that call returns. The bytes at `text` come from the generated program, so this is
// only meaningful inside the disposable test process.
// Kept token-for-token: the unused volatile array is part of the original frame.
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}

// Per-worker state: `created` marks a started thread, `call` is the index to execute,
// `ready` and `done` are the hand-off events between execute_one() and thr().
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls handed to workers that have not finished yet.
static int running;

// thr is the worker body: wait for `ready`, run the assigned call, decrement `running`,
// signal `done`, and repeat forever.
static void* thr(void* arg)
{
	struct thread_t* const self = (struct thread_t*)arg;
	while (1) {
		event_wait(&self->ready);
		event_reset(&self->ready);
		execute_call(self->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&self->done);
	}
	return 0;
}

// Storage class of execute_one; its declarator follows on the next line.
static
// execute_one dispatches calls 0..40 in order. Each call goes to the first worker whose
// `done` event is set; workers are started lazily as the table is scanned. The
// dispatcher then waits up to a per-call timeout before moving on, so a call that
// blocks keeps its worker busy while later calls use other workers. If no worker is
// free the call is skipped. Finally it waits up to about 100 ms for `running` to reach 0.
void execute_one(void)
{
	int spin, call, slot;
	const int nthreads = (int)(sizeof(threads) / sizeof(threads[0]));

	for (call = 0; call < 41; call++) {
		// Base wait of 45 ms plus the extra allowance attached to specific call indices.
		int timeout_ms = 45;
		switch (call) {
		case 28:
			timeout_ms += 50;
			break;
		case 34:
		case 35:
		case 37:
			timeout_ms += 3000;
			break;
		case 36:
		case 38:
		case 39:
		case 40:
			timeout_ms += 300;
			break;
		default:
			break;
		}

		for (slot = 0; slot < nthreads; slot++) {
			struct thread_t* th = &threads[slot];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// A fresh worker starts out idle.
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, timeout_ms);
			break;
		}
	}

	for (spin = 0; spin < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); spin++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// loop runs the program repeatedly, forever. Each iteration creates ./<iter>, detaches
// the loop device, forks a child that executes the program once inside that directory,
// waits for it, force-kills it after 5 seconds, and removes the directory.
// Exits the process if mkdir, fork or chdir fails.
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		char workdir[32];
		sprintf(workdir, "./%d", iter);
		if (mkdir(workdir, 0777))
			exit(1);
		reset_loop();

		int child = fork();
		if (child < 0)
			exit(1);
		if (child == 0) {
			if (chdir(workdir))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}

		int status = 0;
		uint64_t started = current_time_ms();
		while (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) != child) {
			sleep_ms(1);
			if (current_time_ms() - started >= 5 * 1000) {
				kill_and_wait(child, &status);
				break;
			}
		}
		remove_dir(workdir);
	}
}

// Fallback syscall numbers for headers that do not define them.
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
// Every use of __NR_mmap in the program is redirected to mmap2.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Head of the resource table `r`; its initialiser is continued on the following line.
uint64_t r[18] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0,
0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/zero\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x161000, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, (intptr_t)r[0], 0x3305, 0); break; case 2: memcpy((void*)0x20000040, "l2tp\000", 5); syz_genetlink_get_family_id(0x20000040); break; case 3: memcpy((void*)0x20000080, "/dev/dlm-control\000", 17); syscall(__NR_openat, 0xffffff9c, 0x20000080, 0x20000, 0); break; case 4: *(uint32_t*)0x200000c0 = 0x17; syscall(__NR_setsockopt, (intptr_t)r[0], 0x10e, 2, 0x200000c0, 4); break; case 5: res = syscall(__NR_mmap, 0x20ffa000, 0x4000, 0x2000000, 0x1010, (intptr_t)r[0], 0x10000000); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_socket, 0x23, 5, 2); if (res != -1) r[2] = res; break; case 7: res = syscall(__NR_io_uring_register, -1, 9, 0, 0); if (res != -1) r[3] = res; break; case 8: *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0; *(uint32_t*)0x200003c4 = r[2]; *(uint64_t*)0x200003c8 = 0; *(uint32_t*)0x200003d0 = 0x20000380; *(uint32_t*)0x20000380 = 0x20000100; *(uint32_t*)0x20000384 = 0x80; *(uint32_t*)0x20000388 = 0x20000240; *(uint32_t*)0x20000240 = 0x20000180; *(uint32_t*)0x20000244 = 0x93; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x20000280; *(uint32_t*)0x20000394 = 0xca; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x200003d4 = 0; *(uint32_t*)0x200003d8 = 0; *(uint64_t*)0x200003dc = 1; *(uint16_t*)0x200003e4 = 3; *(uint16_t*)0x200003e6 = r[3]; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 
= 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; syz_io_uring_submit(0, r[1], 0x200003c0, 0x10001); break; case 9: *(uint32_t*)0x20000440 = 4; syscall(__NR_ioctl, -1, 0x4b63, 0x20000440); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0xaa; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 3, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 31, 1); *(uint8_t*)0x20000012 = 0x11; *(uint8_t*)0x20000013 = 2; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; memcpy((void*)0x20000016, "\xf4\xeb\xe4\x02\x16\xfe\xde\x5e\xf6\xc5\x31\x0f\x04\x13\xc5\xd4\x1b\x32\xfc\x23\xe0\x7f\xd3\x32\xa8\xa5\xc5\xf9\x66\x82\x1d\xa0\x91\xf4\x7b\x7b\x9c\xf9\x22\x87\x27\xff\x74\x12\xc2\xe4\xa3\xa1\x57\x3b\xb2\x95\x48\x2d\x7b\x4a\x3e\xff\xd8\x63\xcc\x60\xf5\xd8", 64); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0xd2d; *(uint32_t*)0x2000008c = 0xc61; *(uint32_t*)0x20000090 = 0x6d3; *(uint32_t*)0x20000094 = 0xbe2; syz_emit_ethernet(0x56, 0x20000000, 0x20000080); break; case 11: *(uint8_t*)0x200000c0 = 2; STORE_BY_BITMASK(uint16_t, , 0x200000c1, 0xc9, 0, 12); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 3, 4, 2); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 1, 6, 2); *(uint16_t*)0x200000c3 = 0xa; *(uint16_t*)0x200000c5 = 6; *(uint16_t*)0x200000c7 = 5; 
*(uint8_t*)0x200000c9 = 0x13; *(uint8_t*)0x200000ca = 0x7f; *(uint16_t*)0x200000cb = 2; *(uint16_t*)0x200000cd = 0; break; case 12: memcpy((void*)0x20000100, "\xc4\xc2\xcd\x45\xf1\x8f\xe8\x00\xed\xb8\x5c\x2f\x00\x9e\xe9\x64\x36\x36\x0f\x28\x11\xc4\xc3\xc9\x0b\x6b\x07\x87\xc4\xc2\xf1\xa6\x03\xf3\x0f\xa6\xd0\xf3\x6f\x65\x0f\xfa\x0e\xc4\xc2\x1d\x2f\x9f\x5a\xac\x38\x4f\x3e\x65\xf3\xab", 56); syz_execute_func(0x20000100); break; case 13: syz_extract_tcp_res(0x20000140, 0x2c, 0x9f); break; case 14: memcpy((void*)0x20000180, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000180); break; case 15: syz_init_net_socket(3, 3, 0xcc); break; case 16: res = syscall(__NR_mmap, 0x20ffd000, 0x2000, 0x3000001, 0x80000, -1, 0); if (res != -1) r[4] = res; break; case 17: res = -1; res = syz_io_uring_complete(r[4]); if (res != -1) r[5] = res; break; case 18: *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0xd9fd; *(uint32_t*)0x200001c8 = 0x20; *(uint32_t*)0x200001cc = 0; *(uint32_t*)0x200001d0 = 0x308; *(uint32_t*)0x200001d4 = 0; *(uint32_t*)0x200001d8 = -1; *(uint32_t*)0x200001dc = 0; *(uint32_t*)0x200001e0 = 0; *(uint32_t*)0x200001e4 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint32_t*)0x200001f8 = 0; *(uint32_t*)0x200001fc = 0; *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; res = syscall(__NR_io_uring_setup, 0x3a3b, 0x200001c0); if (res != -1) { r[6] = res; r[7] = *(uint32_t*)0x200001d8; } break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xb18d; *(uint32_t*)0x20000248 = 0xab3a8d6e; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000250 = 0x158; 
*(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = r[7]; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = -1; res = syz_io_uring_setup(0x17a8, 0x20000240, 0x20ffb000, 0x20ffd000, 0x200002c0, 0x20000300); if (res != -1) r[8] = res; break; case 20: *(uint32_t*)0x20000340 = 0; *(uint32_t*)0x20000344 = 0x15f8; *(uint32_t*)0x20000348 = 0x20; *(uint32_t*)0x2000034c = 2; *(uint32_t*)0x20000350 = 0xd2; *(uint32_t*)0x20000354 = 0; *(uint32_t*)0x20000358 = -1; *(uint32_t*)0x2000035c = 0; *(uint32_t*)0x20000360 = 0; *(uint32_t*)0x20000364 = 0; *(uint32_t*)0x20000368 = 0; *(uint32_t*)0x2000036c = 0; *(uint32_t*)0x20000370 = 0; *(uint32_t*)0x20000374 = 0; *(uint32_t*)0x20000378 = 0; *(uint32_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = 0; *(uint32_t*)0x2000038c = 0; *(uint32_t*)0x20000390 = 0; *(uint32_t*)0x20000394 = 0; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x2000039c = 0; *(uint32_t*)0x200003a0 = 0; *(uint32_t*)0x200003a4 = 0; *(uint32_t*)0x200003a8 = 0; *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = 0; *(uint32_t*)0x200003b4 = 0; res = -1; res = syz_io_uring_setup(0x6b11, 0x20000340, 0x20ffb000, 0x20ffb000, 0x200003c0, 0x20000400); if (res != -1) { r[9] = *(uint64_t*)0x200003c0; r[10] = *(uint64_t*)0x20000400; } break; case 21: res = syscall(__NR_socket, 0x1f, 3, 3); if (res != -1) r[11] = res; break; case 22: res = 
syscall(__NR_io_uring_register, (intptr_t)r[5], 9, 0, 0); if (res != -1) r[12] = res; break; case 23: *(uint8_t*)0x20001700 = 0xa; *(uint8_t*)0x20001701 = 2; *(uint16_t*)0x20001702 = 0; *(uint32_t*)0x20001704 = r[11]; *(uint64_t*)0x20001708 = 0; *(uint32_t*)0x20001710 = 0x200016c0; *(uint32_t*)0x200016c0 = 0x20000440; *(uint32_t*)0x200016c4 = 0x80; *(uint32_t*)0x200016c8 = 0x200015c0; *(uint32_t*)0x200015c0 = 0x200004c0; *(uint32_t*)0x200015c4 = 0x2c; *(uint32_t*)0x200015c8 = 0x20000500; *(uint32_t*)0x200015cc = 0x1000; *(uint32_t*)0x200015d0 = 0x20001500; *(uint32_t*)0x200015d4 = 0x28; *(uint32_t*)0x200015d8 = 0x20001540; *(uint32_t*)0x200015dc = 0x4a; *(uint32_t*)0x200016cc = 4; *(uint32_t*)0x200016d0 = 0x20001600; *(uint32_t*)0x200016d4 = 0xb9; *(uint32_t*)0x200016d8 = 0; *(uint32_t*)0x20001714 = 0; *(uint32_t*)0x20001718 = 0x2000; *(uint64_t*)0x2000171c = 1; *(uint16_t*)0x20001724 = 3; *(uint16_t*)0x20001726 = r[12]; *(uint8_t*)0x20001728 = 0; *(uint8_t*)0x20001729 = 0; *(uint8_t*)0x2000172a = 0; *(uint8_t*)0x2000172b = 0; *(uint8_t*)0x2000172c = 0; *(uint8_t*)0x2000172d = 0; *(uint8_t*)0x2000172e = 0; *(uint8_t*)0x2000172f = 0; *(uint8_t*)0x20001730 = 0; *(uint8_t*)0x20001731 = 0; *(uint8_t*)0x20001732 = 0; *(uint8_t*)0x20001733 = 0; *(uint8_t*)0x20001734 = 0; *(uint8_t*)0x20001735 = 0; *(uint8_t*)0x20001736 = 0; *(uint8_t*)0x20001737 = 0; *(uint8_t*)0x20001738 = 0; *(uint8_t*)0x20001739 = 0; *(uint8_t*)0x2000173a = 0; *(uint8_t*)0x2000173b = 0; syz_io_uring_submit(r[4], r[10], 0x20001700, 0xad23946); break; case 24: res = syscall(__NR_fsmount, (intptr_t)r[5], 1, 0x84); if (res != -1) r[13] = res; break; case 25: *(uint32_t*)0x20001740 = r[6]; *(uint64_t*)0x20001744 = 3; *(uint64_t*)0x2000174c = 6; *(uint64_t*)0x20001754 = 0x1000; res = syscall(__NR_ioctl, (intptr_t)r[8], 0xc01cf509, 0x20001740); if (res != -1) r[14] = *(uint32_t*)0x20001740; break; case 26: *(uint32_t*)0x200017c0 = 0; *(uint32_t*)0x200017c4 = 0x20001780; memcpy((void*)0x20001780, 
"\xe7\xbe\xd2\x38\x54\x76\x95\xa7\x89\x57\xb5\x74\xba\xcb\x6d\xbc\x56\x7a\x32\x32\xe7\x65\x59\xb4\xea\x39\x31\xb6\x08\x57\x8a\x24\xda\x4c\x74\x97\x95\x97\x5b\x0a\xe5\x1d\xa8\xa8\x6d\xde\x75\xb1\xd6\x84", 50); *(uint32_t*)0x200017c8 = 0x32; *(uint64_t*)0x20001800 = 1; *(uint64_t*)0x20001808 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x200017c0, 1, 0, 0x20001800, 1); break; case 27: *(uint32_t*)0x20001840 = 0; syz_memcpy_off(r[9], 0x114, 0x20001840, 0, 4); break; case 28: memcpy((void*)0x20001880, "afs\000", 4); memcpy((void*)0x200018c0, "./file0\000", 8); *(uint32_t*)0x20002900 = 0x20001900; memcpy((void*)0x20001900, "\xf1\xfd\x85\xc4\x6a\x07\x34\x5a\x88\x13\x28\x7b\x13\xf2\x1a\x08\x40\x90\x39\x26\xae\xf8\xfa\x2c\xb5\xf6\xe0\x10\xd1\x4f\x70\x30\x37\x67\x97\x11\x5f\xff\x5a\x94\x80\x41\x34\x8d\x82\x7d\xbd\x67\x8e\x20\x92\x8d\xc4\xb2\x24\xe0\xec\x33\xe5\x0b\xf6\x99\xf1\xed\x1e\x39\xdf\x43\xd8\x99\xeb\x1a\x37\xc8\xd1\x16\x31\xe7\xb7\x75\xfc\x82\x61\x19\x01\xef\x7d\xb3\x71\x4e\x0e\xf5\x9b\x98\xd9\xd7\xd9\x11\x4b\xa1\xba\x76\xa7\x2e\xdc\x93\x80\x33\x59\xb9\x99\x4b\x50\x4f\x9e\x77\x90\x37\x5f\xa5\x0f\xce\xab\x9c\x0f\x21\x03\x85\x72\x2f\x2a\x05\x4c\x09\xfe\xcf\x4a\x04\xcc\xfa\xca\xac\x9d\x40\xbe\xbb\x2e\x2b\xcc\x94\x8d\x32\x72\x63\xb0\xfa\x73\x5b\x75\x3f\xa3\x67\xf5\x53\x13\xbd\x6d\xf7\x47\x6a\x99\x61\xbe\xf3\xe5\x80\x6a\xe5\x3b\xf7\x23\x34\x74\xb6\x37\x26\x6e\x9f\xd6\x94\xfb\x30\xa5\x03\xfb\xa0\x53\xc4\x65\x62\x93\x6b\xb3\xb8\xfd\xd3\x8d\xa2\x3e\x72\x25\x86\x8f\x8c\xf1\xe7\xd2\x7c\xac\xb6\x90\x75\x65\x7b\x3c\xa8\x0f\x8b\xe0\xb8\xe0\x43\xdb\x62\x0f\x08\x72\x23\x1b\x8a\x31\x08\xc4\xa1\x0b\x8b\x72\x3b\x64\x6b\x3c\x6d\x5f\x37\x05\x58\x64\x09\x24\xa9\x3b\xa2\x5d\xb1\x74\x6c\xf2\xea\x14\x1b\x03\x85\xac\x0c\xf9\xe7\xac\xc8\xfd\xdd\x8e\xe3\x2f\xb9\x88\x49\x1e\x45\x45\x64\xeb\x14\x2e\xc8\x40\x24\x38\xdd\xb1\xd0\xbe\xd6\xd2\x85\xa2\xa4\x08\xa9\xed\xc5\x27\x76\xe3\xae\x70\x21\xc1\x09\x43\xee\xf0\xaf\x02\x70\x37\x22\x13\x62\x7d\xd4\x25\x3d\x95\xa3\x6a\xcd\x29\xf8\x09\x5c\x64\x28\
xf1\xc4\x6c\x3e\xb2\x12\x27\xd0\x46\x06\xb5\xc9\x22\x54\xe9\xce\x3e\x22\x0a\x8b\x8a\x28\x1c\x8d\x8e\x9c\x83\x07\x9e\xa1\xdf\x4a\x90\xdb\x9f\x08\xa5\x8c\x80\x3d\x8e\xc2\xbf\xcc\x99\xf1\xac\xd5\xf0\x62\x50\x43\xeb\x4a\x83\x17\x9e\x2d\x37\xc0\x76\x57\xe4\xb7\x47\xad\xcb\x09\x79\xa2\x30\xde\xa4\xf0\x79\xf2\x20\x84\x87\x09\xf2\xbb\x38\xc3\x4a\x22\xc5\xb3\xca\xf9\x4a\x02\xfc\x5f\x1c\x4d\x01\x3c\x16\x5a\xbf\x74\xbe\xd9\xd0\x28\xa5\xd8\x4e\xc1\x50\x37\x7f\x49\x8e\xe0\xe2\xa8\x6b\xf0\x4b\x97\xee\x40\xaf\x98\x82\xbf\xad\xec\xf5\xe1\x25\xfc\x90\x9d\x25\x0d\x92\xa3\x11\x66\xd6\x11\x21\xb5\x36\x45\x24\xb6\x35\x1e\x0b\x6a\x66\xdc\xde\xeb\x52\x49\xeb\xab\xb8\x65\xf1\xf4\xa1\xa8\x0a\xda\x5d\x69\x5d\x3a\x37\xb2\x14\xc9\xf0\xd9\x25\x07\xdb\x1b\x8d\x80\x8a\x96\xf0\x89\x02\xef\x8c\x97\xe2\x2b\x75\x49\x75\x38\xf5\x4f\xf9\x44\xa1\x91\x42\xb6\xae\x1b\x86\x36\x50\x0e\x2f\x39\x20\xa3\xab\x34\x1d\x8d\x1d\xb2\x2d\xc6\x4e\x1d\x68\x38\x21\x62\xb4\x89\xea\xad\xe6\x68\xba\x38\xe6\xe7\xec\xf6\x16\x26\xc7\x19\x37\x8a\x8e\xbf\x08\xec\x3d\x5d\xa6\x71\x64\x61\xe2\x06\x86\x9b\x33\x5c\xcb\xaf\xbc\x73\x64\x99\x83\x79\xd8\x94\xb9\xc6\x04\x41\xd9\x87\x97\xef\xf0\xd0\x4c\xe3\xfb\xf4\x19\xeb\x9c\x5c\x77\x8d\xbd\xc6\x03\x1b\x19\xfe\xa1\x3a\xdf\x11\x1d\xd4\x96\x28\x09\x3d\xa4\x1c\xe2\x52\x59\x5e\xa3\xd0\xb6\xdd\x96\x36\x4f\xe2\xe3\x75\x04\xbc\x66\x17\x04\x4f\xf1\xd0\xd2\x7f\x75\x9d\x1f\xaa\x8a\xe8\x54\xa1\x72\xda\x0b\x22\x73\x05\xbc\x63\x0a\x46\xb8\xe5\xbb\x9f\x8a\xa4\x0b\x95\xa4\xb6\xd5\xc3\x7b\xdd\xd0\x96\x8e\x19\x2d\x57\x24\x20\x78\x43\x4f\xde\xf9\xaf\xdc\x8f\x18\x39\x7d\xf1\xca\x6e\x76\xbd\xc7\x18\x45\xfb\xa2\x81\x8e\xf8\xf1\xc1\xdb\xf0\xa9\x2d\xde\xe3\xc8\xc1\xcf\xdd\xfb\x64\x43\x94\x19\xe6\x3f\x98\x11\xab\x5d\xaf\xd1\x5b\x2f\xf2\xa9\xc0\x41\x33\x16\x51\xc7\xaf\xe7\x86\x28\x75\xbf\x99\x61\x80\x6f\xac\x69\x4b\xef\x5f\x78\xfb\x9c\xd6\x4c\x33\x84\x86\x37\x44\x4e\x67\x52\x20\x03\x95\xe3\x73\x1d\x02\xdb\x34\xc2\x1f\xca\x31\x1d\x33\x9e\x81\x97\x32\xed\xe1\x83\x94\xb4\x5c\x4c\xbb\xbf\xfd\x45\xfd\xf5\x08\x28\x5d\
x26\xda\x5b\x3c\xed\xe6\x92\xaf\x4e\xf2\xf4\x2c\x73\x4b\x52\x28\x64\x75\x5d\xcd\x71\x9c\x93\xb2\x68\x43\x8f\x9b\x0f\x1a\xdd\x57\x4c\xf7\x21\x89\x21\xdf\x68\xc4\x96\x68\x3c\x62\x76\x11\x5c\x07\x4d\x42\x0f\x23\x86\x1e\xeb\x82\x03\x1e\x99\x8c\x08\x33\xd1\xcb\xbb\x5b\x33\x4a\x13\x60\x6a\x0b\xc4\x06\xc4\xc8\xb1\xc2\xbf\x8d\xf5\x57\x32\x4d\x2c\x94\xcb\xe4\xc2\x90\x80\xb6\x32\x34\xb1\xbb\x74\xe5\x85\x4e\x42\x2e\xb4\x6f\x73\x69\x78\xe2\x94\x3e\xbd\x28\xaf\x46\x7b\xd0\xee\x09\x6b\x95\x2f\xf5\xf0\xb2\x28\xc7\xef\x94\x6f\xd4\x72\x49\x3b\x0e\xac\xa9\x37\x84\x01\x66\x9f\x1b\xe6\x75\x23\x0e\x56\xbc\x19\xe4\xec\x12\x34\xfc\xb4\xea\x12\x2d\xd2\x04\x83\x01\x09\x68\x9c\xad\x7e\x3d\x70\x2a\xb3\xe9\x2e\x59\x01\x6a\x64\x0c\xce\x4e\x1e\x57\xd6\xe9\x45\x56\xe7\xee\x1f\x7c\x58\x63\x09\x04\x4b\xdc\xa4\xa7\xb2\xce\xbb\x4b\x3f\xab\xfd\x57\x8e\xd6\xc6\x85\x89\xb8\xaf\xcd\x4d\x0e\x5a\xb1\xb7\xee\xf6\xf8\x2c\xd2\x08\xe3\xec\xe7\x6e\x3b\x73\x33\x1f\xba\x03\xfb\x54\x47\x01\x29\x92\x74\x10\x42\x10\x6e\xd7\xd3\x86\xa1\x43\x3f\xe8\xd4\xc6\xbc\xe8\x22\xff\x8f\xfe\x1b\x38\x2a\xa7\x12\x47\x31\xa9\xad\x6e\x1a\x52\xc7\x82\x66\x17\x4a\x4f\xef\xe9\x86\xa5\x08\xf6\x64\x25\x77\x30\x3f\x91\xea\x4e\xfb\x32\x84\x3c\x6b\x33\x1b\x32\xf2\x45\x53\xa0\xc1\x30\x16\xd9\x1a\x23\x0a\x55\xd8\x1f\xeb\x7d\xfc\x48\xad\x15\x7c\x7c\x2f\xc6\x32\x53\x08\x10\x21\xd1\xc6\x53\x56\x51\x39\x03\xdd\xbd\xe8\xd3\xfd\x0d\x51\x74\x7f\x3e\xaa\xaf\x9d\xb9\xd6\xb4\xbd\x70\x69\xd8\xba\x53\xd4\xd1\x00\xee\x27\x27\x97\x95\x94\xc2\xfa\x80\xb9\xaa\x0e\xdd\x70\xe3\xd7\x02\xfb\x5b\x6c\xd2\x77\xee\xb4\x87\x55\x58\x86\xf8\x5b\x65\x7c\xd9\xeb\xa6\x41\xb2\x8b\xf1\xe7\x62\x30\x0f\x3e\x29\xc5\xa8\xd8\xbf\xe0\x77\xbd\xef\x7c\x9e\x2c\x4c\xfa\xd8\xfc\x36\x46\x70\xd7\xcd\x6a\xc7\xa8\x63\x22\xe6\x67\x76\x0e\x24\x03\xc4\x83\x8d\x61\xfa\x86\x69\xa4\xf6\x21\x14\xee\xf4\x23\xf0\x91\x32\xe2\x0b\xb9\x5b\xa3\x52\x2a\xc3\x10\x49\xc4\xa3\xd5\x81\xaf\x3c\x57\x84\x91\x0f\xba\x88\xcd\xee\x1c\xef\xf4\xdd\xae\xd8\x27\x11\x9c\xed\x53\x61\x94\x7d\x0e\x31\xa9\xc4\xd2\x52\x63\
xa5\x36\x54\xb8\x2f\xc1\x3b\x91\xf4\x45\x08\xdd\x19\x3c\xa1\xef\x26\xd9\x30\xa6\xb0\x81\x05\x86\xd4\x02\xba\x05\x54\xfa\xce\x5c\x3e\xd0\x77\x67\x1d\x50\xd2\x88\x65\xbf\xff\x35\xca\x3a\x4d\xab\xdb\xd6\xe3\xb0\x70\x59\x32\x0f\x53\xe5\xc4\x9d\x73\xcc\x16\xdd\x1e\xd2\x81\x6a\xc9\x8a\xd3\x85\x3c\x36\x88\x29\xc7\xbe\xc4\x0c\x4a\x9b\x39\xee\x3b\x73\x0b\xbd\x6c\x15\x2f\x35\x8e\x99\x11\x30\x8c\x12\xed\x12\x06\x56\x1f\xc7\xcf\x7c\xb4\x77\x14\x5f\x1a\xaa\xce\x66\xac\x5c\x44\x68\xac\xb2\xf6\x01\xc6\x1e\x4b\x11\x8b\xe2\x05\x6b\x6d\xbc\x18\x60\x9b\xfd\x41\x05\xee\xe1\x8b\xe3\x84\xa1\x99\x13\xd2\x74\xd9\x20\x39\x79\x0c\xb8\x74\x20\xb9\xfd\xd7\x0e\x73\x43\x09\xfc\x7a\xfe\x09\xe1\x1f\x78\x0d\x6e\xe6\x24\x31\x75\x90\x7a\x4a\xee\xcb\x6c\xa0\x70\xa3\x37\x4b\xe5\xd3\xd0\x7a\x78\x8e\xa4\xe1\xf9\xd6\xf1\x8e\xff\x9e\x79\x64\xd7\x07\x6c\xb5\xb9\x3c\xd9\x73\x38\xec\x05\x44\x8e\xc5\x27\xcc\xa6\x67\x90\xbf\xe3\x2c\x5b\x26\x62\xd7\xfc\x6b\x83\x6b\x41\xbf\x32\xe5\xbc\x0d\xdf\xe4\x2d\x59\x73\xdb\x86\xf8\xae\xd5\x6e\x43\x11\x2b\x45\xb0\xf7\x92\xc5\x39\x45\x99\xa1\x3e\x73\xc2\x50\x12\xb5\xaa\xcd\x3a\xef\x11\x24\x73\xc4\xe2\xe3\xab\x6a\xeb\xf5\xaf\x6d\xe9\xe7\x8a\xc0\x47\xfc\xc2\x76\xfd\x97\x6f\x25\x02\x2c\x65\xc3\x0a\x9f\xd6\x72\x03\xf1\x9e\x33\xb3\x5c\xfb\xcf\xdf\xf3\x95\xc5\xbb\x53\xf2\xfd\x79\x28\xe4\x3e\x62\x28\x47\x28\x07\x80\xb8\xcc\x81\x5f\xb4\x85\x18\x91\x05\xa1\x24\xcd\x86\x27\xcc\x3d\x5f\x1a\x9d\xd8\x00\xd4\x7a\x22\x6e\xbf\x90\x7e\xb2\xf4\x91\x33\xd1\x17\x58\x8d\x28\x0f\x4c\xc4\x3d\x95\x25\x4d\x88\xc8\x75\x3d\x96\x07\x3f\x97\xc5\x31\xf5\x1e\x55\x96\xe2\xe9\x71\xa2\x16\x1b\x78\xf7\x5e\xdc\xfb\xd9\xde\x38\xf0\xa9\x28\x4b\x7c\xce\xef\x87\x59\x8f\xa3\xbc\xfa\x5d\xbc\xbd\x1d\x28\x4c\xf8\x0c\xb7\x75\x54\x65\x89\x9d\x36\x2d\x9e\x40\xc6\x4c\x1a\x1e\x4c\xc4\x5c\x38\x71\xb2\x10\x4c\xa4\x0c\x05\x72\x9d\xcc\xbf\x6d\x0a\x17\x50\x0e\x5d\x0d\xff\xa3\x44\x3a\x52\x33\xe2\x79\xb2\xf9\xc5\x18\xb6\x97\x34\x0d\x26\xd2\x87\x26\x60\xc7\x1a\x49\x57\x10\xee\x00\x9f\xfb\x98\x9e\xbb\x5b\xef\xe5\x17\x69\x25\xb7\x8c\
xde\xb1\xe8\x11\xc5\x1e\xcd\xb0\x1a\x47\xec\x1d\x1d\x0e\xf2\x02\x4c\x9a\x66\x6f\x6b\xc5\xeb\xe1\x3e\x77\x3f\x89\xf4\xc8\x0b\xaa\x1d\x66\x0c\x05\x1c\x26\x72\xf9\x1c\x21\xdb\x5f\xf2\xd5\xa7\x01\x26\xdc\x69\x14\x0e\xe2\x16\xc4\x5b\xdd\x0a\x7b\x52\x79\xde\xce\x2f\x58\x3b\xc2\x4f\xc6\x3c\xae\x88\xae\x75\x57\x22\x40\x48\x23\xc5\xc2\x16\x84\x9d\xcd\x10\x85\xba\x99\x02\xcb\x24\x8a\xc5\xd1\x92\xc3\xbd\xc5\x37\x39\x2a\x7c\x9e\xd3\xc3\x59\xbb\x6d\x49\x34\x62\x5f\x5f\x7a\x6d\xd5\x1b\x78\x57\x3f\xc7\x26\xad\xab\xc9\x1f\x41\x96\x05\x86\xf6\x4c\x39\x26\x11\x26\xea\x67\xdf\xc3\x2c\x5a\xe5\xf7\xd6\xed\x88\x74\x73\x60\x41\x8d\x42\xa0\x08\xd9\xcf\xc5\xef\x15\xf9\xc5\x88\xdb\xb9\xec\xc3\x74\xba\x19\xab\x60\xa3\xba\x33\xfb\xd1\xb8\x04\x77\xb0\x20\x4e\x67\xc8\x45\xf9\xf6\xab\x58\x9c\x58\xb5\x78\xcc\xa5\x8a\xf3\x22\xae\x66\xb9\xb1\x2e\xd9\x53\x70\x3d\x13\x93\xd8\xec\xe9\xc6\x70\x66\x4f\xdb\x6b\x1f\xfa\x10\x27\x1a\xbc\x0e\x51\xd5\x7b\x59\x10\x2e\x26\x40\xbe\xa0\x9e\x91\x12\x94\xc3\x5a\xbc\x86\x16\x99\x0a\x57\x29\xbf\x73\x9a\x8e\x22\x77\x4a\x68\x0d\x57\x70\xb8\x58\xb9\x32\xfe\x59\x5b\x73\x22\x32\x8a\xe7\x92\x07\x8a\xd2\x8d\xb4\xd5\x4c\xbd\x7c\x98\x68\xfc\xbe\x6e\xed\x0b\x0a\xa7\xb7\xab\xbf\xb1\xb8\xef\xce\x2d\xd5\xc1\xe2\x9b\xac\x66\xab\x7f\x80\xfe\x7a\x65\xd2\xda\x18\x38\x66\x0e\x94\x06\x6a\x6b\x2e\x3b\xdb\x89\x7e\x55\x1b\xc0\x37\xd7\x79\xdb\xb6\xcb\x9b\xdc\xa7\x03\x0e\xf8\x22\x6b\x96\x8d\x5a\x85\x7c\xb4\x24\xa9\xbd\x71\xec\xf3\xe0\xdf\x3b\xca\x6b\x91\x95\x90\x5e\xd0\x5e\x73\xd0\x36\x7f\x16\x49\xee\xd5\x49\xd9\xc3\xd4\x7e\x2f\x31\x2c\x17\x0d\xc9\x4a\x70\x1d\x42\x04\x60\xe1\x00\x0e\x23\x70\x21\xc6\xb7\xb1\xbc\x08\xb3\x5c\x10\x43\xc6\xe8\x99\xed\x58\x7e\xf7\xdf\xb6\xe1\xc7\xb6\xe1\x1e\x3a\x2f\xb4\x34\x8a\xbc\xc9\xed\x18\x31\xee\x37\x3d\x00\x45\x40\xa7\x3a\x4c\x78\xf9\xd3\xab\xb1\x01\xc7\x87\xba\x23\x9d\xf6\x63\x92\x4e\xf8\x4e\x3b\x43\x68\x68\xb6\x3c\xd7\x4f\x4d\x47\xac\x9e\xbc\xe3\x81\x4b\xbd\xb3\x7e\xee\xc3\xfe\xa1\xf9\x06\x88\xd1\x6f\xf3\x28\x5d\x35\x97\x45\xf9\xc1\xb6\xdc\xfa\x98\xbc\xd3\
x2a\xca\xcc\xd9\x35\x0c\x07\x05\x79\xaf\x49\xc6\xdd\x8e\x62\xb3\xe1\x16\x16\xb9\x56\x05\xb5\xe6\x7c\x90\xc3\xdb\x1b\x83\x01\xde\x61\xbd\xfa\x55\x8e\xe6\xd1\x3f\x20\xa7\x8d\x40\x7e\x4f\x44\xca\x79\x3c\xe3\xd9\x58\xe1\x52\x2f\x1a\x64\x27\x6a\xc8\x86\x3d\x1a\x68\xb5\xb6\x4e\x03\xec\x0b\x22\xb0\xa7\x87\xbb\xa7\xb4\x62\xfd\xdf\x8d\xa7\xd1\x01\x8b\x32\xa1\x32\x82\xbd\x1e\x83\x06\x0a\x67\xc7\xda\x96\xe4\x6e\x3b\x32\x2a\x5d\x8e\x05\xba\x67\xb3\xac\xa1\xc5\xd1\xbf\x13\x6a\x57\xb3\xaa\x68\x77\x7f\x00\xbf\x10\x2d\xdd\xb1\xde\xc2\x1d\xb3\x09\xf4\x85\x5d\x9c\x08\xed\xc5\x80\xd6\x52\xa6\x89\x42\x0b\xf6\x25\x38\xb5\xaa\x26\x30\x57\x09\x81\x21\xd8\x2d\x87\xe2\x9e\xe2\x6b\x5d\x52\x88\x02\x3e\x50\x1f\xf2\x73\x0b\xce\xf0\x0b\x98\xf1\x3c\x40\xbc\x2d\xa1\xa1\xbc\xa1\xcd\x66\x64\x84\xf1\xa3\xf5\xc8\xb6\xff\xaf\x46\x8f\xbe\xaa\xf5\xab\xfd\x74\x39\x6f\xbc\x46\x0e\x0f\xd2\xb4\x40\xf5\xe5\x63\x27\xe6\x34\x90\x73\x11\xdc\xe9\x8e\xc0\x75\xe9\xee\x32\x87\xf7\xd2\xdc\xd6\x44\x93\xe5\xc5\xce\x09\x6b\xb2\x9d\x77\xaa\x49\xa9\xf6\x77\xe6\x8e\xfd\x44\xcf\x35\xb5\xa0\xd6\x9f\x1e\xc8\x87\xa5\xf1\xf3\x5e\x44\xaf\xe3\xb6\x90\x4e\xf0\x26\xb3\x65\x1c\x69\x7d\xc2\xaf\x46\x66\x2b\x92\x36\x64\x20\x1e\x4b\xae\xdc\x28\xe8\x5f\x33\xd0\xfc\xce\x83\xec\xb0\x1d\x04\xf5\xa0\x82\x6d\xf9\xfb\xfe\x7d\x92\xe3\x1d\xb7\x62\x02\x53\x3f\xa8\xbd\xbd\x4f\x14\x74\x4f\x84\x85\x94\x8f\xf0\xe4\x0e\xc7\x7d\x2a\x2c\xca\xc3\x4f\x38\x9a\x4f\x6b\x0e\x1f\x84\xf5\x27\xb1\x28\x2b\x4b\xa5\x3c\xc0\xa5\x34\x68\xeb\x13\x62\xd8\x7f\x33\x4f\x17\x6d\x94\x8d\x9d\x7f\xc1\x90\xa1\xfa\xbb\x36\x74\x53\x85\x94\x5f\x27\xd4\x4c\x13\x64\x36\xee\xed\xca\x1a\xd4\x94\x5c\x9d\x73\xd6\xa2\xd7\x22\x5a\x1f\x7f\xa4\x9a\x2b\x2b\x56\xd3\xa4\x03\xa8\xdd\xd0\x3d\x70\x1b\xb8\xba\x36\xc2\x75\xb0\x5d\xb3\xb6\x06\x38\xb9\xa2\xa2\x34\xcb\x63\xb8\x09\xeb\xfc\x9a\x77\x1a\xc7\x12\x76\x2f\x7e\x96\xc5\x38\xe1\xc5\x4a\x79\x12\xb9\x59\x44\x63\x2d\x6d\x60\x59\x4b\x90\x0e\x17\xee\x32\x7b\x2b\x2b\x13\xbe\x28\x44\x06\x1f\xd1\xe3\x50\xe4\x71\x21\xfd\x71\xf1\x30\xa5\xae\xb5\x15\x3c\
xcb\x8e\xce\x99\x59\x0f\xf9\x3e\xa9\x8e\xe5\x89\xa0\xa4\x28\x8b\xb6\xa3\x59\x0b\x1c\x6e\x89\x00\x8b\xbd\x2d\xc7\xad\x38\x74\x83\x69\x40\x5c\x9f\x8c\x37\xfa\x75\xdd\x2f\xf4\xa3\x84\x56\x1d\x03\x09\x48\xc3\xd1\x64\x66\xe4\xf0\x37\xe5\x4d\x3d\xca\xbd\xe0\x2f\xb3\x5c\x62\xb3\x16\x92\x65\xc0\xaf\x80\x18\xa8\x6c\x3f\xcf\x32\x68\xc1\xa9\x1e\x71\x31\xf8\x9c\xf7\x84\x1b\xb5\x8c\xab\x8a\x5f\x89\xd7\xed\xb6\x7f\x05\xf1\x6f\xe8\x40\x59\xbe\x5a\xbd\xbe\x44\xd3\x85\x2f\xa5\x79\x0c\x16\x16\x28\xb2\x1e\xef\x35\x9a\xaf\x7d\xb7\xde\x11\xc8\x35\xff\x9c\xc0\xb8\x6a\xc9\x75\x1f\xd2\xd5\xc1\x35\xe8\xac\xb4\x35\x2b\xc0\x3f\xdf\xe6\xc4\x34\x73\x58\x2c\xde\x76\xb1\x57\xee\xb0\x3a\xcf\xff\x74\x2b\xe5\x83\x8a\x4a\xab\xa1\x60\xe1\xc5\x88\xc9\xe1\xda\x27\x58\xfc\x29\x0a\xe3\x7a\x76\x05\x34\x0f\x72\x6f\xf3\xd8\xd7\x3d\x3d\xcc\xdc\x77\x37\x49\x9b\x74\x73\xec\xcc\x00\xc3\xd0\x1d\x20\xbd\x98\x9e\x60\x49\xd9\xda\x7d\xce\xe2\x29\xfe\x3d\xb7\xe2\x84\x5b\xa6\xef\x6b\x38\x06\x80\xe0\x77\x54\xdf\xa9\x2d\x16\x05\xb3\xb2\x52\x7e\xd1\x9d\x01\x33\x3b\x2b\x58\x86\x8d\x76\x14\xc9\x2b\x7f\x93\xc9\x5e\x2c\x90\x54\xf7\xa7\x28\xe0\x56\x9b\x98\x60\x18\x31\x1d\x9a\xb3\x79\xac\x3d\x19\xc7\xf6\x5f\x87\xac\xbd\x2a\x2b\xcd\xf1\x22\xb1\xb9\x50\x2d\x3c\x3a\x69\xef\xa3\x2f\x4b\xe1\xef\x20\xda\xa4\x2e\x13\x40\x9d\x2b\x12\xdb\xfd\x03\xc6\x4a\xca\x0b\xd6\x6c\x76\xc0\x4e\xa6\xa7\x6e\xf0\x29\x46\x50\xe5\x9e\x8a\x37\x9c\x85\xc5\xac\x8e\x31\x0e\xd9\x9e\x1a\x5f\x20\xc9\xbb\xdb\xee\x13\xde\x12\x18\xf9\x5b\xe0\x40\xff\x5f\x76\x0c\x7f\x07\xab\xe3\x62\x46\x85\x08\xa2\x11\x4e\x0c\x34\xf9\x38\x95\xc1\xe2\x8a\xd8\xc5\x6f\x19\x49\x81\x6c\xff\xd0\x9c\x02\x8d\xee\xf0\x1e\x5f\xcf\x91\xb4\x38\x4c\x62\xd0\xef\xd9\xb7\xd6\x6b\x1a\xae\x30\x2a\x3e\xd2\xc3\x03\x7c\x96\x75\xac\x6c\x86\x33\x6f\xa6\x03\x25\x8a\x53\x84\x09\xba\xd5\x67\x98\x11\x28\xcb\x8c\xab\x88\xd7\x02\x7b\x2a\x92\x67\x1c\xad\x00\x0a\x2c\x9f\x31\x7f\xb4\xae\x30\x98\x0d\x3f\x28\x51\x2f\xb5\xf6\x6a\x98\xb2\xe2\x07\x7a\x6a\x7f\x84\x61\xbf\x1a\x78\xcf\x12\xb3\xce\x6e\x3a\xa4\xa2\x2f\x3c\
x63\x73\xa5\xd0\x4f\x76\x7b\x83\xc7\xd5\x7a\x56\x83\x4f\x76\x39\xc9\xac\xbb\x9f\xde\xde\xa8\x52\x76\xa0\xaa\x10\x0b\x68\xc8\xa2\x46\x31\x4a\x8c\xa0\x2f\xf0\x7d\x15\x32\xc9\x0d\x9a\x4a\x5d\xac\xba\x53\xa2\x4c\x14\xcb\x94\xb5\x7a\x8c\x23\x6c\x98\x5e\xbc\x98\x69\x71\x08\xa4\x3e\x87\x4b\x67\x15\xe6\xbe\x8d\x96\x85\xfa\xfd\xba\x1d\x7e\x5d\x1b\x4c\xed\x62\x56\x58\x47\xbd\xfc\xf6\x2b\xe1\x75\xe8\x48\x3c\xfd\x07\x11\x24\x76\x64\xe2\x73\xfc\xbe\xc2\x9f\x60\xde\xdd\x34\xc6\x81\x0f\x66\x50\xb6\xbd\xc4\x7d\xf7\x26\x7b\x8f\x53\xbc\x66\xac\x41\xa5\xc0\x50\x6e\xdf\x4a\x80\x5c\xff\x03\x43\x79\x7c\x88\x12\x56\xea\x09\x5f\xbf\x14\x57\x54\xf7\xcb\x9d\xfb\xa6\xd3\xc2\xbd\x12\xac\xe3\x07\x62\x9c\xb2\x2d\xfe\xb5\xa4\x81\x55\xde\x0e\x50\xa9\x5d\xa5\x8b\x32\x02\x58\x9b\x60\xf5\xdd\x4c\xa6\xcd\x22\xc2\xed\x78\x8f\x27\x21\xd5\x35\x43\x74\xe9\xef\xac\xf4\x94\x72\x94\xdd\xc8\x14\x92\x25\xdc\xe5\xad\xfb\x32\x25\x95\xed\x18\xa4\xdc\xb0\x56\x51\x48\xb0\x87\xe3\x7d\x42\x47\xea\xae\xcc\x58\xc5\xaa\xf1\xc6\x4e\x87\xcc\x2c\xce\x9b\x8e\xbc\xaf\x96\x3f\xc4\x41\xa6\xdf\xac\x42\x6b\xe0\xac\xe4\xec\xfb\x91\xdf\x77\x32\x72\x1a\xfb\x34\xf9\x05\xce\x73\x77\xdb\x38\x49\xd7\x40\x1b\xa3\xd3\x14\x9c\x08\xe9\x8b\xcd\xec\xa6\xde\x20\x7e\xd8\xbc\x7b\x1d\x6e\x88\x59\x7d\xa6\x28\xc6\xb0\xa7\x3c\xf9\x67\x4a\x20\x7d\xd8\x74\x5f\xe5\xb3\x2b\xdd\x8f\x55\x09\xf1\x4f\xc1\x5c\xf9\x50\x4b\xf6\x63\x4b\x2d\xf2\x83\x6e\x95\xc7\x36\xe2\x76\x2f\x27\x14\xbf\xd1\x30\xaf\x99\x1d\x8b\x64\x8a\x93\x72\x15\x83\x83\xa2\xf5\x3e\x14\xc7\xcf\xc7\x66\x3d\xb5\xca\x5c\x8a\x9c\xdd\x15\x5e\x38\xc1\xf7\x0e\x51\x61\x35\x88\x12\x8d\xd0\x85\xbb\xdd\x7e\xd2\x39\xb9\x7e\x89\x58\xce\xf3\x5f\x11\x7e\xab\x19\xb3\x70\xff\x2e\x4e\x25\x68\x9d\x62\xb6\x84\xfd\x4a\xfc\xeb\x26\x32\x51\xfa\x92\xe8\xc6\xb2\xaa\x2e\x34\xd3\xfb\x8a\xae\xd1\x8c\xdc\x73\x4f\x9b\x42\x0c\x8d\x7b\x93\x15\x55\xeb\xd7\x99\x0c\xa0\x73\xfb\x81\xbe\x98\x27\x94\xe0\x00\xd5\x05\x72\xeb\x07\x61\xd4\x95\xba\x80\x68\xf6\x57\xd7\xf7\xb9\x19\xe6\x6a\x25\xe0\x32\x11\xdf\xe6\x90\xf4\x08\x1f\xc5\xde\
x14\xf5\xf9\xd8\xbe\x47\x80\x24\xe6\x0a\x31\x38\x08\x0d\x9c\xe9\x7a\xe2\x3e\x29\x1e\x77\xa6\xe4\xa5\x07\xa9\x6a\xe0\xc0\x7d\x96\x04\xa9\x5b\x43\xb8\x17\x4c\x33\x17\x5b\xa2\x95\x05\x01\x86\xf7\x23\xb5\x0a\x60\x9e\xe0\x9b\x42\x67\xe4\xd2\xaf\x42\x96\xce\x65\x7b\xb8\xb5\xe9\x96\xf9\x8b\xd7\x5e\xd4\x2d\x09\x54\x89\x5d\x97\xd9\x88\x32\x9d\x92\x5f\x62\x89\x44\x74\xd1\xca\xa5\xde\x98\x8e\xd7\xb5\xc6\xde\xac\xfd\x90\xad\x94\x7e\xfe\xbf\x6c\xf6\x1b\x45\xd9\xc7\xb1\xba\x59\xe9\xec\x4b\x85\x59\xaf\xf8\xd3\xd0\x5f\xb0\x0f\x57\xec\x94\x2b\x0e\x9b\x9f\xdb\xde\x26\xca\xd3\x40\xcb\xb4\xf7\xc0\x44\x7b\x70\x7e\xd8\xf6\xd4\xf9\x89\xd0\xb1\xda\x0d\x0c\xda\xe6\x17\xb0\x14\x36\xfa\x68\xe3\x77\x75\xe8\x44\x41\x5e\xbd\x11\xa3\x35\x08\x46\xcf\x0b\x41\x9f\xad\x6d\xb9\x4c\xcc\x82\x83\xe9\x50\x19\xdb\x55\x91\xb9\xe8\x1c\x5d\x32\x70\x7b\x30\x02\xaf\xb2\x40\x58\x49\x5f\x6c\x21\xcd\x4b\x9e\x12\xaf\x7a\x1f\x40\x54\xfd\xa3\x7b\xa6\xa2\x94\x5e\x89\x98\x99\x76\x10\x12\x54\x8e\x41\x22\xa6\x95\x56\xe0\xca\x51\xe2\x31\x94\xbd\xc4\xe2\x72", 4096); *(uint32_t*)0x20002904 = 0x1000; *(uint32_t*)0x20002908 = 9; memcpy((void*)0x20002940, "flock=openafs", 13); *(uint8_t*)0x2000294d = 0x2c; memcpy((void*)0x2000294e, "dyn", 3); *(uint8_t*)0x20002951 = 0x2c; memcpy((void*)0x20002952, "autocell", 8); *(uint8_t*)0x2000295a = 0x2c; memcpy((void*)0x2000295b, "dyn", 3); *(uint8_t*)0x2000295e = 0x2c; memcpy((void*)0x2000295f, "flock=openafs", 13); *(uint8_t*)0x2000296c = 0x2c; memcpy((void*)0x2000296d, "source", 6); *(uint8_t*)0x20002973 = 0x3d; memcpy((void*)0x20002974, "&", 1); *(uint8_t*)0x20002975 = 0x2c; memcpy((void*)0x20002976, "source", 6); *(uint8_t*)0x2000297c = 0x3d; memcpy((void*)0x2000297d, "SEG6\000", 5); *(uint8_t*)0x20002982 = 0x2c; memcpy((void*)0x20002983, "smackfsdef", 10); *(uint8_t*)0x2000298d = 0x3d; memcpy((void*)0x2000298e, "SEG6\000", 5); *(uint8_t*)0x20002993 = 0x2c; memcpy((void*)0x20002994, "smackfsdef", 10); *(uint8_t*)0x2000299e = 0x3d; memcpy((void*)0x2000299f, "SEG6\000", 5); 
*(uint8_t*)0x200029a4 = 0x2c; memcpy((void*)0x200029a5, "subj_user", 9); *(uint8_t*)0x200029ae = 0x3d; memcpy((void*)0x200029af, "SEG6\000", 5); *(uint8_t*)0x200029b4 = 0x2c; memcpy((void*)0x200029b5, "smackfstransmute", 16); *(uint8_t*)0x200029c5 = 0x3d; memcpy((void*)0x200029c6, ":", 1); *(uint8_t*)0x200029c7 = 0x2c; memcpy((void*)0x200029c8, "seclabel", 8); *(uint8_t*)0x200029d0 = 0x2c; *(uint8_t*)0x200029d1 = 0; syz_mount_image(0x20001880, 0x200018c0, 5, 1, 0x20002900, 0x20005, 0x20002940); break; case 29: memcpy((void*)0x20002a00, "/dev/i2c-#\000", 11); syz_open_dev(0x20002a00, 0xad8, 0x2a2000); break; case 30: res = syscall(__NR_ioctl, -1, 0x5429, 0x20002a40); if (res != -1) r[15] = *(uint32_t*)0x20002a40; break; case 31: memcpy((void*)0x20002a80, "net\000", 4); syz_open_procfs(r[15], 0x20002a80); break; case 32: syz_open_pts(r[13], 0); break; case 33: *(uint32_t*)0x20002e80 = 0x20002ac0; memcpy((void*)0x20002ac0, "\x7a\xd3\xcd\x80\x2d\xd0\xc4\x24\x94\x5d\x99\xca\x9c\xa6\xe4\xfb\xb8\xf8\xe3\xb9\x80\xd2\xec", 23); *(uint32_t*)0x20002e84 = 0x17; *(uint32_t*)0x20002e88 = 0x1000; *(uint32_t*)0x20002e8c = 0x20002b00; memcpy((void*)0x20002b00, "\x32\x9d\xe8\x0b\x2b\x17\xbb\xd2\x5d\x1f\x19\x07\xa9\x26\x3a\xf3\xbf\x05\xc4\xa7\x06\x1e\x28\x49\x2a\x3f\x71\xc6\x34\x3a\xa5\xaa\xea\x03\x27\xa3", 36); *(uint32_t*)0x20002e90 = 0x24; *(uint32_t*)0x20002e94 = 5; *(uint32_t*)0x20002e98 = 0x20002b40; memcpy((void*)0x20002b40, 
"\x82\x79\x1d\xfd\x31\x1d\x07\xdb\x7d\x65\xe8\x03\xce\x6c\xa0\x00\x28\xaf\x8f\xf8\xd2\x76\x18\x7e\x0e\x14\xbb\xf7\xbe\xab\x60\xfc\x4b\x70\x72\x2e\x91\xb6\x32\x2b\x8e\x34\x72\x19\x1a\x66\x17\x6b\xb0\xca\x91\xde\xe6\x0f\x15\x06\xa6\xd4\x8b\xe4\x05\x52\x30\xc3\x0b\xe9\x4a\x10\x43\xa1\xd2\xa0\x6d\x42\x16\x60\x69\xd8\x03\x3d\x6c\x52\x4c\x86\x10\xb8\xc4\xbb\x63\xaf\x0c\xe6\xd6\x20\x71\x37\xf1\xbe\x1b\x62\xb0\x02\xe8\xc3\x5e\x64\x67\xc2\x42\x3c\xc6\x59\x7d\x1c\xa5\x8e\xe3\x15\x89\xf0\x24\x8a\xc7\x62\xe2\x4a\x28\x6a\x41\xa7\x61\x91\x2d\x34\xbb\x56\xf0\x7d\xb8\x8c\xa5\x2f\xce\x8d\x12\x87\x62\x39\x4f\xa0\x0f\xaa\xc8\x45\x1a\x42\xc3\x14\x4b\xde\xc7\xe9\x72\x96\xc9\xea\xc7\xc9\xf6\x31\x10\xa3\xd4\x05\xc1\x6b\x04\x28\x88\x00\x24\xe8\xc9\xc8\xaf\x49\x0b\x8c\xfa\xd8\x4c\xbb\x63\x78\x78\xd6\x34\xcd\x84\x34\x6b\x60\xc9\x13\x2c\x09\x66\x0c\xdc\x61\x6a\x0b", 212); *(uint32_t*)0x20002e9c = 0xd4; *(uint32_t*)0x20002ea0 = 0x7fff; *(uint32_t*)0x20002ea4 = 0x20002c40; memcpy((void*)0x20002c40, "\x90\x4b\xbc\xee\x2b\x46\xda\xa1\xac\x64\x3b\x7b\x6b\x8e\xa0\xff\x46\x2f\xea\xbe\xe5\x41\xb4\x11\xa8\x85\xe4\x70\xa4\x96\xcb\xbd\xc7\x29\xff\xde\xbc\x50\x80\x7f\x71\x9c\xbe\x80\x8d\x8b\x59\x8b\x47\x67\xc7\xa8\x52\xd9\xce\x0c\x88\x0a\x9b\x07\x8b\x01\x87\xde\xac\x92\x6b\xd4\x68\x7a\x44\xf0\x92\xbb", 74); *(uint32_t*)0x20002ea8 = 0x4a; *(uint32_t*)0x20002eac = 5; *(uint32_t*)0x20002eb0 = 0x20002cc0; memcpy((void*)0x20002cc0, 
"\x35\x31\xae\x25\x7e\x7e\x08\x77\xcd\xe3\x40\xc4\x2e\xdb\xfc\x91\xdc\xff\xaf\xf1\x28\x4e\xf0\x8a\x45\x1e\x4c\x76\xe0\xcd\x83\xb2\xc0\xea\x10\xd8\x6b\xce\xfa\x93\xbb\xae\xf5\xff\xfb\xfe\x7d\xc7\x0b\x73\xb8\x9c\x55\xfc\x38\x51\x11\x0d\x1b\xd0\xd1\xda\x31\x75\x33\x20\xb1\x11\xfe\x70\x60\x53\x7e\x8f\x65\xf3\xc2\xf0\x5a\xdc\xb3\xd6\x6b\xd2\xab\xe6\xb0\x8a\xaa\xe0\xd0\xee\xdc\xa9\x93\x77\x07\xec\x4c\xb4\x87\x4c\xdf\xd0\x58\x00\x81\x2a\xb5\x3f\x95\x50\xb2\x5a\x28\xee\x69\xe6\x2a\x0f\x79\x0f\xe5\x23\x3f\xc8\x64\x5f\xc3\xfe\x6c\xae\x05\x5f\x2a\xa1\x72\x91\x25\x17\x01\x51\xe8\x6e\xea\xb6\x7b\xb2\x0b\xc8\x84\xa1\x21\x4c\x2d\x3d\x96\x9c\x34\xfb\x23\x9b\x45\xfe\xec\x93\xac\x20\x97\x21\xba\xe7\x27\x12\x51\xc6\x13\xce\xa9\x37\x9c\x15\x21", 183); *(uint32_t*)0x20002eb4 = 0xb7; *(uint32_t*)0x20002eb8 = 4; *(uint32_t*)0x20002ebc = 0x20002d80; memcpy((void*)0x20002d80, "\xc3\xf0\x4f\x26\x92\x9b\x7a\x4d\x63\x42\x84\x1f\xa5\x3a\x9a\x8c\xb8\x00\x6a\x97\xf4\x28", 22); *(uint32_t*)0x20002ec0 = 0x16; *(uint32_t*)0x20002ec4 = 6; *(uint32_t*)0x20002ec8 = 0x20002dc0; memcpy((void*)0x20002dc0, "\xc9\x87\x12\x75\xe3\x26\x9f\xf1\xbd\xcd\x67\xfb\x52\x3e\x1c\xeb\x51\x51\xb0\xed\xe9\xe0\x32\x63\x4e\x36\xd4\x86\x04\x6b\xc3\x1c\xd9\x78\xbd\xa5\x92\x47\x35\x53\x16\x31\x9e\x76\x8e\x7a\xc6\xbe\x06\x48\xbf\x0f\xec\xd1\x3c\xda\xd4\x5f\x71\x3e\x0e\x3b\x74\xe9\x5e\xec\x77\x06\x3c\x02\xa2\x33\xea\x97\xd3\x38\xf4\xb1\xe9\xbc\x5a\x7c\xce\x85\x52\x87\x42\x63\x2e\xd5\x9c\xec\x01\x6f\x39\x14\xdd\x02\xca\x6b\x1d\xc8\x33\x22\x48\x95\x27\x73\x50\xcf\x1f\x21\xd6\xc7\x8f\x85\x92\x71\x7e\x91\x23\x3f\x90\x26\x92\x7e\x0c\xc3\xd8\x0c\xdc\x57\x71\x47\x63\xa0\xfc\xb0\x91\xf5\xc6\x90\x51\xb5\x5c\xd2\xe1\xfc\xc3\x3b\x13\xd5\x97\xc5\xca\xee\xb2\x71\xc5\x42\x97\x8a\x1e\x17", 164); *(uint32_t*)0x20002ecc = 0xa4; *(uint32_t*)0x20002ed0 = 0x9c; syz_read_part_table(1, 7, 0x20002e80); break; case 34: *(uint8_t*)0x20002f00 = 0x12; *(uint8_t*)0x20002f01 = 1; *(uint16_t*)0x20002f02 = 0x201; *(uint8_t*)0x20002f04 = 0xa4; 
*(uint8_t*)0x20002f05 = 0x61; *(uint8_t*)0x20002f06 = 0x1e; *(uint8_t*)0x20002f07 = 0x40; *(uint16_t*)0x20002f08 = 0xacd; *(uint16_t*)0x20002f0a = 0x300; *(uint16_t*)0x20002f0c = 0xc0df; *(uint8_t*)0x20002f0e = 1; *(uint8_t*)0x20002f0f = 2; *(uint8_t*)0x20002f10 = 3; *(uint8_t*)0x20002f11 = 1; *(uint8_t*)0x20002f12 = 9; *(uint8_t*)0x20002f13 = 2; *(uint16_t*)0x20002f14 = 0x372; *(uint8_t*)0x20002f16 = 2; *(uint8_t*)0x20002f17 = 4; *(uint8_t*)0x20002f18 = 0x1f; *(uint8_t*)0x20002f19 = 0; *(uint8_t*)0x20002f1a = 1; *(uint8_t*)0x20002f1b = 9; *(uint8_t*)0x20002f1c = 4; *(uint8_t*)0x20002f1d = 0x5d; *(uint8_t*)0x20002f1e = 0xb3; *(uint8_t*)0x20002f1f = 1; *(uint8_t*)0x20002f20 = 0xad; *(uint8_t*)0x20002f21 = 0x49; *(uint8_t*)0x20002f22 = 0x76; *(uint8_t*)0x20002f23 = 0x20; *(uint8_t*)0x20002f24 = 7; *(uint8_t*)0x20002f25 = 0x24; *(uint8_t*)0x20002f26 = 1; *(uint8_t*)0x20002f27 = 0; *(uint8_t*)0x20002f28 = 0x80; *(uint16_t*)0x20002f29 = 0; *(uint8_t*)0x20002f2b = 9; *(uint8_t*)0x20002f2c = 5; *(uint8_t*)0x20002f2d = 0xd; *(uint8_t*)0x20002f2e = 0; *(uint16_t*)0x20002f2f = 0x230; *(uint8_t*)0x20002f31 = 0x5d; *(uint8_t*)0x20002f32 = 1; *(uint8_t*)0x20002f33 = 0x3f; *(uint8_t*)0x20002f34 = 7; *(uint8_t*)0x20002f35 = 0x25; *(uint8_t*)0x20002f36 = 1; *(uint8_t*)0x20002f37 = 0; *(uint8_t*)0x20002f38 = 0x1f; *(uint16_t*)0x20002f39 = 2; *(uint8_t*)0x20002f3b = 0xba; *(uint8_t*)0x20002f3c = 0xe; memcpy((void*)0x20002f3d, 
"\xf4\xe6\xe5\x76\x28\x83\xc3\x4d\xf0\x4f\x35\x60\x99\xf1\xd3\x4b\xdb\xc9\xf5\x32\x4d\xa6\x48\x05\x3f\xd6\x90\x21\x1b\x89\x71\x19\xc4\xf3\xac\x19\x7f\x2a\xa9\x3f\x2f\x3b\xe0\x5f\x83\x6b\x16\x44\xd5\xb2\x32\x76\x48\xb3\x08\x16\xed\x19\x2f\x94\x3d\xfc\xe2\x25\xf6\x9d\x77\xc5\x15\x65\xe1\x77\xfd\x88\x9c\x9c\x9d\x8c\x85\xb9\x2e\xe4\xbe\xad\x0e\x88\x94\x46\xbb\xc3\x20\xa4\x0f\xa2\x48\x07\xf4\x76\xbf\xd1\xf1\xb3\x09\x6e\x33\x70\xf7\x55\xc9\x4a\xa0\x1c\x3b\xe4\xdd\xc7\x95\x2a\x56\x94\xbc\xad\x4b\xeb\x40\x65\xbf\x5e\xa9\x60\x66\xc4\x3e\x95\x07\xe6\x22\x0c\x47\xbc\x02\x71\xad\xcb\xaf\xfc\xe6\xac\x90\xcb\x3c\x8b\x1c\xf7\x48\xc6\xbb\xf9\x71\x08\xdf\xa2\xca\xc4\xb8\x7d\x34\x20\x42\x84\x34\x39\x7e\x07\xf1\x7a\x87\xed\x62\x33\xb3\x9e\x32\xf0", 184); *(uint8_t*)0x20002ff5 = 9; *(uint8_t*)0x20002ff6 = 4; *(uint8_t*)0x20002ff7 = 0x5d; *(uint8_t*)0x20002ff8 = 0x27; *(uint8_t*)0x20002ff9 = 7; *(uint8_t*)0x20002ffa = 0x3f; *(uint8_t*)0x20002ffb = 0x84; *(uint8_t*)0x20002ffc = 0xfd; *(uint8_t*)0x20002ffd = 3; *(uint8_t*)0x20002ffe = 0x10; *(uint8_t*)0x20002fff = 0x24; *(uint8_t*)0x20003000 = 2; *(uint8_t*)0x20003001 = 1; *(uint8_t*)0x20003002 = 0xe2; *(uint8_t*)0x20003003 = 2; *(uint8_t*)0x20003004 = 0x63; *(uint8_t*)0x20003005 = 0x40; memcpy((void*)0x20003006, "\xe7\x21\xcc\x44\xac\xca\x89\x38", 8); *(uint8_t*)0x2000300e = 0xb; *(uint8_t*)0x2000300f = 0x24; *(uint8_t*)0x20003010 = 2; *(uint8_t*)0x20003011 = 1; *(uint8_t*)0x20003012 = 0; *(uint8_t*)0x20003013 = 3; *(uint8_t*)0x20003014 = 1; *(uint8_t*)0x20003015 = 0; memcpy((void*)0x20003016, "\x9e\xf4\x2f", 3); *(uint8_t*)0x20003019 = 7; *(uint8_t*)0x2000301a = 0x24; *(uint8_t*)0x2000301b = 1; *(uint8_t*)0x2000301c = 4; *(uint8_t*)0x2000301d = 1; *(uint16_t*)0x2000301e = 4; *(uint8_t*)0x20003020 = 0xb; *(uint8_t*)0x20003021 = 0x24; *(uint8_t*)0x20003022 = 2; *(uint8_t*)0x20003023 = 1; *(uint8_t*)0x20003024 = 0; *(uint8_t*)0x20003025 = 3; *(uint8_t*)0x20003026 = 0x19; *(uint8_t*)0x20003027 = 6; memcpy((void*)0x20003028, "\x9e", 1); 
memcpy((void*)0x20003029, "\x69\x83", 2); *(uint8_t*)0x2000302b = 9; *(uint8_t*)0x2000302c = 5; *(uint8_t*)0x2000302d = 0xf; *(uint8_t*)0x2000302e = 0; *(uint16_t*)0x2000302f = 0x3ff; *(uint8_t*)0x20003031 = 0xf6; *(uint8_t*)0x20003032 = 5; *(uint8_t*)0x20003033 = 0x80; *(uint8_t*)0x20003034 = 9; *(uint8_t*)0x20003035 = 5; *(uint8_t*)0x20003036 = 1; *(uint8_t*)0x20003037 = 0x10; *(uint16_t*)0x20003038 = 0x10; *(uint8_t*)0x2000303a = 0; *(uint8_t*)0x2000303b = 0x40; *(uint8_t*)0x2000303c = 6; *(uint8_t*)0x2000303d = 7; *(uint8_t*)0x2000303e = 0x25; *(uint8_t*)0x2000303f = 1; *(uint8_t*)0x20003040 = 2; *(uint8_t*)0x20003041 = 0x20; *(uint16_t*)0x20003042 = 6; *(uint8_t*)0x20003044 = 9; *(uint8_t*)0x20003045 = 5; *(uint8_t*)0x20003046 = 0xb; *(uint8_t*)0x20003047 = 8; *(uint16_t*)0x20003048 = 0x10; *(uint8_t*)0x2000304a = 1; *(uint8_t*)0x2000304b = 2; *(uint8_t*)0x2000304c = 0; *(uint8_t*)0x2000304d = 9; *(uint8_t*)0x2000304e = 5; *(uint8_t*)0x2000304f = 0xd; *(uint8_t*)0x20003050 = 0x10; *(uint16_t*)0x20003051 = 0x200; *(uint8_t*)0x20003053 = 4; *(uint8_t*)0x20003054 = 8; *(uint8_t*)0x20003055 = 0xc0; *(uint8_t*)0x20003056 = 0xbb; *(uint8_t*)0x20003057 = 0x31; memcpy((void*)0x20003058, "\x21\x5c\xe6\xab\x8f\x3c\x72\xca\xa3\xab\x13\x26\xf1\x88\x38\x90\x8a\xc6\x0b\xff\xb3\xb5\x07\x48\x14\x4a\xa2\xcb\xc4\xd7\xca\xc5\x6f\x4a\x7b\xb2\xbd\x6c\x96\x96\x74\xa5\xe4\x04\x08\x61\xbb\x21\xba\x5c\xcf\x0f\x82\x2c\x10\x32\xe7\xe3\x72\x9f\x8c\x17\x1f\xc7\xa8\x9b\x53\x40\xb5\x06\x71\x08\xd5\x97\xf1\x78\xaa\x65\x1a\x98\xac\xa4\xd0\x12\xfa\x55\x5a\x69\x56\x83\xb5\x27\xe6\x03\x1f\x1f\x7f\x20\x49\x4b\x25\x0e\x3a\x6c\xd8\xb4\xde\x96\x47\xe1\x50\x04\x98\x67\x09\x7c\x47\xcc\x23\x7c\x61\x2c\xef\xe6\x98\x33\x2f\x1f\xe7\xf0\x2e\x6f\x53\xe8\x45\xb1\xf5\xe7\xb4\xb2\x4a\xd8\x62\x9b\x78\xce\x76\x30\xe2\xd4\x01\x20\xfb\xc3\xf4\x93\x75\xa4\xa0\x86\xde\xdd\x2a\x27\xf0\x6b\x3e\xd3\xd7\x56\xa8\x19\xb9\x7f\x75\x9a\xa5\x4a\xef\x83\xdf\x48\x68\xa9\xe9", 185); *(uint8_t*)0x20003111 = 9; 
*(uint8_t*)0x20003112 = 5; *(uint8_t*)0x20003113 = 3; *(uint8_t*)0x20003114 = 0x12; *(uint16_t*)0x20003115 = 0x3ff; *(uint8_t*)0x20003117 = 0; *(uint8_t*)0x20003118 = 1; *(uint8_t*)0x20003119 = -1; *(uint8_t*)0x2000311a = 0xad; *(uint8_t*)0x2000311b = 0x31; memcpy((void*)0x2000311c, "\x0c\x92\x1d\x3f\x98\x0f\x4e\x53\x14\x7a\x46\xbd\x58\x56\xda\x03\x08\x16\x60\xfb\xed\x7b\x8b\x2d\x38\x9b\xe8\xa0\x38\xe9\x5c\x29\x58\xa4\x77\xed\x5f\xaf\x9e\xf3\x8c\x82\xc3\xab\xea\x25\x44\x59\xed\xb0\xf2\xcf\x28\x62\x35\x03\x40\x87\xad\xb7\x90\x7f\xf1\x92\x64\x0b\x93\x68\x86\xbd\x48\xd3\xa5\x12\x15\x40\x6b\x3a\xa0\xb6\xd8\xf8\xd9\x1d\x83\x0f\x52\x36\xa9\xa8\xbe\x03\xc2\x21\x5f\x01\x21\x31\x96\x8c\x6a\x80\x86\x0a\xe8\x11\x93\x05\x94\x68\x10\x8e\xfd\x4f\x13\x05\x37\x9d\x01\x15\xc7\xec\x66\x7b\x03\x59\x94\x0e\x56\x64\xbf\x7b\x3c\x4a\x5f\x04\xca\x3c\x51\xdb\x9d\x2c\xd4\x17\xe9\x09\x9b\xff\x62\x8b\x8e\x1a\x8e\xd0\xf5\x96\x14\x93\x57\xa0\x8a\xbd\x11\x77\xeb\x97\x73\x53\xeb\x89\x32", 171); *(uint8_t*)0x200031c7 = 0x93; *(uint8_t*)0x200031c8 = 0x11; memcpy((void*)0x200031c9, "\xa8\xe2\x2d\x54\x2a\xe3\xd8\x31\xf3\x37\x21\x1b\xb5\xbe\x12\xa5\xc4\x6e\x5c\xf9\xb5\x56\xd8\x4d\x5a\xf4\xca\xca\x87\x42\xad\x21\x61\x40\x56\x2b\x7e\x54\x21\xe2\x64\x24\x71\xe8\xf5\x0e\xb8\xae\xf0\x62\x12\xb4\x6c\x64\x4a\xe5\x84\x63\xe1\x8b\x3e\x72\xbd\x3e\xca\x60\x60\xfa\x8b\x94\x03\x17\x96\xe5\x5e\xb4\x1d\x3f\x31\x8a\xff\xbf\x08\x1e\xeb\x17\x08\x85\x1e\x72\xfa\xdd\x88\x7e\x03\x30\x13\x43\x19\xf0\xa5\x96\x7e\xda\x65\x7b\xc1\x10\x1f\x74\xde\xba\x42\xe7\x8a\xff\x20\xfb\x5d\x3c\x1f\xe4\x9d\x9a\x05\x46\x57\xb6\xf1\xaf\x3d\x01\x5f\xc1\x6f\xf8\x08\x73\xf3\x26\x69\x08\x43\xdf\x81", 145); *(uint8_t*)0x2000325a = 9; *(uint8_t*)0x2000325b = 5; *(uint8_t*)0x2000325c = 0xf; *(uint8_t*)0x2000325d = 4; *(uint16_t*)0x2000325e = 0x200; *(uint8_t*)0x20003260 = 0; *(uint8_t*)0x20003261 = 0x1f; *(uint8_t*)0x20003262 = 1; *(uint8_t*)0x20003263 = 0x11; *(uint8_t*)0x20003264 = 6; memcpy((void*)0x20003265, 
"\x82\x4b\x7d\x09\x57\xbc\x55\x2d\x22\x4f\xdf\x6b\xff\x63\xa8", 15); *(uint8_t*)0x20003274 = 7; *(uint8_t*)0x20003275 = 0x25; *(uint8_t*)0x20003276 = 1; *(uint8_t*)0x20003277 = 0x80; *(uint8_t*)0x20003278 = 0xfd; *(uint16_t*)0x20003279 = 6; *(uint8_t*)0x2000327b = 9; *(uint8_t*)0x2000327c = 5; *(uint8_t*)0x2000327d = 0; *(uint8_t*)0x2000327e = 0; *(uint16_t*)0x2000327f = 0x20; *(uint8_t*)0x20003281 = 0x1f; *(uint8_t*)0x20003282 = 0xfd; *(uint8_t*)0x20003283 = 3; *(uint32_t*)0x20003400 = 0xa; *(uint32_t*)0x20003404 = 0x200032c0; *(uint8_t*)0x200032c0 = 0xa; *(uint8_t*)0x200032c1 = 6; *(uint16_t*)0x200032c2 = 0x110; *(uint8_t*)0x200032c4 = 0x4d; *(uint8_t*)0x200032c5 = 0x80; *(uint8_t*)0x200032c6 = 0x80; *(uint8_t*)0x200032c7 = 0x20; *(uint8_t*)0x200032c8 = 0xc1; *(uint8_t*)0x200032c9 = 0; *(uint32_t*)0x20003408 = 0x46; *(uint32_t*)0x2000340c = 0x20003300; *(uint8_t*)0x20003300 = 5; *(uint8_t*)0x20003301 = 0xf; *(uint16_t*)0x20003302 = 0x46; *(uint8_t*)0x20003304 = 5; *(uint8_t*)0x20003305 = 0xb; *(uint8_t*)0x20003306 = 0x10; *(uint8_t*)0x20003307 = 1; *(uint8_t*)0x20003308 = 0xc; *(uint16_t*)0x20003309 = 0x35; *(uint8_t*)0x2000330b = 0; *(uint8_t*)0x2000330c = 0xdf; *(uint16_t*)0x2000330d = 9; *(uint8_t*)0x2000330f = 0xf7; *(uint8_t*)0x20003310 = 7; *(uint8_t*)0x20003311 = 0x10; *(uint8_t*)0x20003312 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003313, 0xe, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003314, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003314, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003315, 9, 0, 16); *(uint8_t*)0x20003317 = 0x18; *(uint8_t*)0x20003318 = 0x10; *(uint8_t*)0x20003319 = 0xa; *(uint8_t*)0x2000331a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000331b, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000331b, 0x7fffffe, 5, 27); *(uint16_t*)0x2000331f = 0xff0f; *(uint16_t*)0x20003321 = 0x101; *(uint32_t*)0x20003323 = 0xffc0a0; *(uint32_t*)0x20003327 = 0; *(uint32_t*)0x2000332b = 0xffff0f; *(uint8_t*)0x2000332f = 0x10; *(uint8_t*)0x20003330 = 0x10; 
*(uint8_t*)0x20003331 = 0xa; *(uint8_t*)0x20003332 = 3; STORE_BY_BITMASK(uint32_t, , 0x20003333, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003333, 0x200, 5, 27); *(uint16_t*)0x20003337 = 0xff00; *(uint16_t*)0x20003339 = 1; *(uint32_t*)0x2000333b = 0; *(uint8_t*)0x2000333f = 7; *(uint8_t*)0x20003340 = 0x10; *(uint8_t*)0x20003341 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003342, 0x16, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003343, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003343, 0xe, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003344, 7, 0, 16); *(uint32_t*)0x20003410 = 2; *(uint32_t*)0x20003414 = 4; *(uint32_t*)0x20003418 = 0x20003380; *(uint8_t*)0x20003380 = 4; *(uint8_t*)0x20003381 = 3; *(uint16_t*)0x20003382 = 0x380a; *(uint32_t*)0x2000341c = 4; *(uint32_t*)0x20003420 = 0x200033c0; *(uint8_t*)0x200033c0 = 4; *(uint8_t*)0x200033c1 = 3; *(uint16_t*)0x200033c2 = 0x42f; res = -1; res = syz_usb_connect(4, 0x384, 0x20002f00, 0x20003400); if (res != -1) r[16] = res; break; case 35: *(uint8_t*)0x20003440 = 0x12; *(uint8_t*)0x20003441 = 1; *(uint16_t*)0x20003442 = 0x200; *(uint8_t*)0x20003444 = -1; *(uint8_t*)0x20003445 = -1; *(uint8_t*)0x20003446 = -1; *(uint8_t*)0x20003447 = 0x40; *(uint16_t*)0x20003448 = 0xcf3; *(uint16_t*)0x2000344a = 0x9271; *(uint16_t*)0x2000344c = 0x108; *(uint8_t*)0x2000344e = 1; *(uint8_t*)0x2000344f = 2; *(uint8_t*)0x20003450 = 3; *(uint8_t*)0x20003451 = 1; *(uint8_t*)0x20003452 = 9; *(uint8_t*)0x20003453 = 2; *(uint16_t*)0x20003454 = 0x48; *(uint8_t*)0x20003456 = 1; *(uint8_t*)0x20003457 = 1; *(uint8_t*)0x20003458 = 0; *(uint8_t*)0x20003459 = 0x80; *(uint8_t*)0x2000345a = 0xfa; *(uint8_t*)0x2000345b = 9; *(uint8_t*)0x2000345c = 4; *(uint8_t*)0x2000345d = 0; *(uint8_t*)0x2000345e = 0; *(uint8_t*)0x2000345f = 6; *(uint8_t*)0x20003460 = -1; *(uint8_t*)0x20003461 = 0; *(uint8_t*)0x20003462 = 0; *(uint8_t*)0x20003463 = 0; *(uint8_t*)0x20003464 = 9; *(uint8_t*)0x20003465 = 5; *(uint8_t*)0x20003466 = 1; *(uint8_t*)0x20003467 = 2; *(uint16_t*)0x20003468 = 
0x200; *(uint8_t*)0x2000346a = 0; *(uint8_t*)0x2000346b = 0; *(uint8_t*)0x2000346c = 0; *(uint8_t*)0x2000346d = 9; *(uint8_t*)0x2000346e = 5; *(uint8_t*)0x2000346f = 0x82; *(uint8_t*)0x20003470 = 2; *(uint16_t*)0x20003471 = 0x200; *(uint8_t*)0x20003473 = 0; *(uint8_t*)0x20003474 = 0; *(uint8_t*)0x20003475 = 0; *(uint8_t*)0x20003476 = 9; *(uint8_t*)0x20003477 = 5; *(uint8_t*)0x20003478 = 0x83; *(uint8_t*)0x20003479 = 3; *(uint16_t*)0x2000347a = 0x40; *(uint8_t*)0x2000347c = 1; *(uint8_t*)0x2000347d = 0; *(uint8_t*)0x2000347e = 0; *(uint8_t*)0x2000347f = 9; *(uint8_t*)0x20003480 = 5; *(uint8_t*)0x20003481 = 4; *(uint8_t*)0x20003482 = 3; *(uint16_t*)0x20003483 = 0x40; *(uint8_t*)0x20003485 = 1; *(uint8_t*)0x20003486 = 0; *(uint8_t*)0x20003487 = 0; *(uint8_t*)0x20003488 = 9; *(uint8_t*)0x20003489 = 5; *(uint8_t*)0x2000348a = 5; *(uint8_t*)0x2000348b = 2; *(uint16_t*)0x2000348c = 0x200; *(uint8_t*)0x2000348e = 0; *(uint8_t*)0x2000348f = 0; *(uint8_t*)0x20003490 = 0; *(uint8_t*)0x20003491 = 9; *(uint8_t*)0x20003492 = 5; *(uint8_t*)0x20003493 = 6; *(uint8_t*)0x20003494 = 2; *(uint16_t*)0x20003495 = 0x200; *(uint8_t*)0x20003497 = 0; *(uint8_t*)0x20003498 = 0; *(uint8_t*)0x20003499 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20003440, 0); break; case 36: *(uint32_t*)0x200036c0 = 0x18; *(uint32_t*)0x200036c4 = 0x200034c0; *(uint8_t*)0x200034c0 = 0x20; *(uint8_t*)0x200034c1 = 8; *(uint32_t*)0x200034c2 = 0xd4; *(uint8_t*)0x200034c6 = 0xd4; *(uint8_t*)0x200034c7 = 0x31; memcpy((void*)0x200034c8, 
"\xdd\x9f\xe1\xd6\xf8\xee\x76\xd6\x28\x92\x46\xb5\x27\x7c\xc1\x9f\x3c\x46\x21\xad\xd8\x21\xa7\xf3\xd1\xaa\xe9\x94\xdb\xf4\xb1\xbd\x89\xe8\x77\x07\x34\x76\x8a\xde\x97\xe5\x1d\x24\x8f\x53\xcd\x53\x0b\x31\x11\x9a\xac\xcf\x53\xb6\xf6\xed\xdf\x4b\x8b\xfe\x6a\x1a\x85\x9c\x3d\xc2\x86\xf8\x33\x5c\x9d\x15\xe5\xd5\x16\x9b\x24\x41\x55\x39\x10\x62\xff\x88\x5d\x40\xbe\x37\x07\xb6\xd1\xea\x25\x2a\x96\xd9\x7a\xb2\x4f\xb6\x75\xf5\x45\x57\xcf\xa2\x4d\x80\x5b\x07\x95\x70\x8a\xf5\x06\x5d\x4b\x66\x62\xdf\xd5\x4d\xd5\x9c\xfc\xe1\x67\x3a\xb3\x56\xa2\x54\xf6\xb5\xbc\xe4\x4c\x61\x9a\x17\xff\xce\x8e\xbb\x96\xe0\x83\xc0\x82\x45\x00\x62\xbd\x71\xa2\x06\xca\x92\x1e\x0b\x77\xf5\x17\xc1\x61\x95\x86\xb3\xbc\xa3\xe2\x49\x08\x21\x01\x6c\xc7\x6c\xaf\x96\xc0\xec\x90\x68\xb4\x5e\x23\x34\xed\x9a\x6f\xf0\x6a\x63\x43\xae\x01\xf0\xae\xf6\x12\x7e\xba\xf5\xb5\x2d\x69\xe3", 210); *(uint32_t*)0x200036c8 = 0x200035c0; *(uint8_t*)0x200035c0 = 0; *(uint8_t*)0x200035c1 = 3; *(uint32_t*)0x200035c2 = 4; *(uint8_t*)0x200035c6 = 4; *(uint8_t*)0x200035c7 = 3; *(uint16_t*)0x200035c8 = 0x40e; *(uint32_t*)0x200036cc = 0x20003600; *(uint8_t*)0x20003600 = 0; *(uint8_t*)0x20003601 = 0xf; *(uint32_t*)0x20003602 = 0x28; *(uint8_t*)0x20003606 = 5; *(uint8_t*)0x20003607 = 0xf; *(uint16_t*)0x20003608 = 0x28; *(uint8_t*)0x2000360a = 2; *(uint8_t*)0x2000360b = 3; *(uint8_t*)0x2000360c = 0x10; *(uint8_t*)0x2000360d = 0xb; *(uint8_t*)0x2000360e = 0x20; *(uint8_t*)0x2000360f = 0x10; *(uint8_t*)0x20003610 = 0xa; memcpy((void*)0x20003611, "\x19\x5f\xa2\xf3\x24\xc0\xbe\x96\xda\x3d\xb2\x6a\xfa\x56\x77\x53\x0a\xc0\xfa\xf4\xc6\x82\xbe\x7c\x15\xe9\xa5\x86\x66", 29); *(uint32_t*)0x200036d0 = 0x20003640; *(uint8_t*)0x20003640 = 0x20; *(uint8_t*)0x20003641 = 0x29; *(uint32_t*)0x20003642 = 0xf; *(uint8_t*)0x20003646 = 0xf; *(uint8_t*)0x20003647 = 0x29; *(uint8_t*)0x20003648 = 9; *(uint16_t*)0x20003649 = 1; *(uint8_t*)0x2000364b = 0; *(uint8_t*)0x2000364c = 9; memcpy((void*)0x2000364d, "\x05\x7c\x41\x7e", 4); memcpy((void*)0x20003651, 
"\x8d\xa4\x36\xc4", 4); *(uint32_t*)0x200036d4 = 0x20003680; *(uint8_t*)0x20003680 = 0x20; *(uint8_t*)0x20003681 = 0x2a; *(uint32_t*)0x20003682 = 0xc; *(uint8_t*)0x20003686 = 0xc; *(uint8_t*)0x20003687 = 0x2a; *(uint8_t*)0x20003688 = 0x20; *(uint16_t*)0x20003689 = 0x10; *(uint8_t*)0x2000368b = 0x80; *(uint8_t*)0x2000368c = 0x40; *(uint8_t*)0x2000368d = 0x1f; *(uint16_t*)0x2000368e = 0; *(uint16_t*)0x20003690 = 5; *(uint32_t*)0x20003b40 = 0x44; *(uint32_t*)0x20003b44 = 0x20003700; *(uint8_t*)0x20003700 = 0x60; *(uint8_t*)0x20003701 = 8; *(uint32_t*)0x20003702 = 0x54; memcpy((void*)0x20003706, "\x85\xf9\x88\x04\x52\x78\xf9\x75\x32\xa6\x67\xcb\xee\x9b\x82\x1d\x65\x54\xfb\x1c\x6d\x18\xdf\xfb\x78\x51\x96\xd9\x07\x27\xe1\xb4\x61\x5c\x86\xee\x04\x9a\x16\x96\xb1\x66\x8f\x00\x0e\x62\xd5\x39\xe0\x81\xcf\x07\xe3\x60\x17\x1c\xe6\x1c\xa2\xf9\x56\x44\xb9\xad\x8e\x92\x11\xa1\xb1\x9c\x43\x99\xbd\xfd\x6d\x53\x3b\xf8\x95\x52\x42\x72\x5b\xb4", 84); *(uint32_t*)0x20003b48 = 0x20003780; *(uint8_t*)0x20003780 = 0; *(uint8_t*)0x20003781 = 0xa; *(uint32_t*)0x20003782 = 1; *(uint8_t*)0x20003786 = 1; *(uint32_t*)0x20003b4c = 0x200037c0; *(uint8_t*)0x200037c0 = 0; *(uint8_t*)0x200037c1 = 8; *(uint32_t*)0x200037c2 = 1; *(uint8_t*)0x200037c6 = 0x81; *(uint32_t*)0x20003b50 = 0x20003800; *(uint8_t*)0x20003800 = 0x20; *(uint8_t*)0x20003801 = 0; *(uint32_t*)0x20003802 = 4; *(uint16_t*)0x20003806 = 2; *(uint16_t*)0x20003808 = 0; *(uint32_t*)0x20003b54 = 0x20003840; *(uint8_t*)0x20003840 = 0x20; *(uint8_t*)0x20003841 = 0; *(uint32_t*)0x20003842 = 8; *(uint16_t*)0x20003846 = 0x200; *(uint16_t*)0x20003848 = 0x40; *(uint32_t*)0x2000384a = 0xff; *(uint32_t*)0x20003b58 = 0x20003880; *(uint8_t*)0x20003880 = 0x40; *(uint8_t*)0x20003881 = 7; *(uint32_t*)0x20003882 = 2; *(uint16_t*)0x20003886 = 1; *(uint32_t*)0x20003b5c = 0x200038c0; *(uint8_t*)0x200038c0 = 0x40; *(uint8_t*)0x200038c1 = 9; *(uint32_t*)0x200038c2 = 1; *(uint8_t*)0x200038c6 = 0x81; *(uint32_t*)0x20003b60 = 0x20003900; *(uint8_t*)0x20003900 = 
0x40; *(uint8_t*)0x20003901 = 0xb; *(uint32_t*)0x20003902 = 2; memcpy((void*)0x20003906, "\x8e\xaf", 2); *(uint32_t*)0x20003b64 = 0x20003940; *(uint8_t*)0x20003940 = 0x40; *(uint8_t*)0x20003941 = 0xf; *(uint32_t*)0x20003942 = 2; *(uint16_t*)0x20003946 = 9; *(uint32_t*)0x20003b68 = 0x20003980; *(uint8_t*)0x20003980 = 0x40; *(uint8_t*)0x20003981 = 0x13; *(uint32_t*)0x20003982 = 6; *(uint8_t*)0x20003986 = 0xaa; *(uint8_t*)0x20003987 = 0xaa; *(uint8_t*)0x20003988 = 0xaa; *(uint8_t*)0x20003989 = 0xaa; *(uint8_t*)0x2000398a = 0xaa; *(uint8_t*)0x2000398b = 0x38; *(uint32_t*)0x20003b6c = 0x200039c0; *(uint8_t*)0x200039c0 = 0x40; *(uint8_t*)0x200039c1 = 0x17; *(uint32_t*)0x200039c2 = 6; *(uint8_t*)0x200039c6 = -1; *(uint8_t*)0x200039c7 = -1; *(uint8_t*)0x200039c8 = -1; *(uint8_t*)0x200039c9 = -1; *(uint8_t*)0x200039ca = -1; *(uint8_t*)0x200039cb = -1; *(uint32_t*)0x20003b70 = 0x20003a00; *(uint8_t*)0x20003a00 = 0x40; *(uint8_t*)0x20003a01 = 0x19; *(uint32_t*)0x20003a02 = 2; memcpy((void*)0x20003a06, "{k", 2); *(uint32_t*)0x20003b74 = 0x20003a40; *(uint8_t*)0x20003a40 = 0x40; *(uint8_t*)0x20003a41 = 0x1a; *(uint32_t*)0x20003a42 = 2; *(uint16_t*)0x20003a46 = 0x40; *(uint32_t*)0x20003b78 = 0x20003a80; *(uint8_t*)0x20003a80 = 0x40; *(uint8_t*)0x20003a81 = 0x1c; *(uint32_t*)0x20003a82 = 1; *(uint8_t*)0x20003a86 = 0; *(uint32_t*)0x20003b7c = 0x20003ac0; *(uint8_t*)0x20003ac0 = 0x40; *(uint8_t*)0x20003ac1 = 0x1e; *(uint32_t*)0x20003ac2 = 1; *(uint8_t*)0x20003ac6 = 0xfe; *(uint32_t*)0x20003b80 = 0x20003b00; *(uint8_t*)0x20003b00 = 0x40; *(uint8_t*)0x20003b01 = 0x21; *(uint32_t*)0x20003b02 = 1; *(uint8_t*)0x20003b06 = 0xfa; syz_usb_control_io(r[16], 0x200036c0, 0x20003b40); break; case 37: *(uint8_t*)0x20003bc0 = 0x12; *(uint8_t*)0x20003bc1 = 1; *(uint16_t*)0x20003bc2 = 0x201; *(uint8_t*)0x20003bc4 = 0; *(uint8_t*)0x20003bc5 = 0; *(uint8_t*)0x20003bc6 = 0; *(uint8_t*)0x20003bc7 = 0x10; *(uint16_t*)0x20003bc8 = 0x46d; *(uint16_t*)0x20003bca = 0xc22d; *(uint16_t*)0x20003bcc = 0x40; 
*(uint8_t*)0x20003bce = 1; *(uint8_t*)0x20003bcf = 2; *(uint8_t*)0x20003bd0 = 3; *(uint8_t*)0x20003bd1 = 1; *(uint8_t*)0x20003bd2 = 9; *(uint8_t*)0x20003bd3 = 2; *(uint16_t*)0x20003bd4 = 0x2d; *(uint8_t*)0x20003bd6 = 1; *(uint8_t*)0x20003bd7 = 1; *(uint8_t*)0x20003bd8 = 0; *(uint8_t*)0x20003bd9 = 0x10; *(uint8_t*)0x20003bda = 2; *(uint8_t*)0x20003bdb = 9; *(uint8_t*)0x20003bdc = 4; *(uint8_t*)0x20003bdd = 0; *(uint8_t*)0x20003bde = 0x2f; *(uint8_t*)0x20003bdf = 2; *(uint8_t*)0x20003be0 = 3; *(uint8_t*)0x20003be1 = 1; *(uint8_t*)0x20003be2 = 1; *(uint8_t*)0x20003be3 = 0xfd; *(uint8_t*)0x20003be4 = 9; *(uint8_t*)0x20003be5 = 0x21; *(uint16_t*)0x20003be6 = 9; *(uint8_t*)0x20003be8 = 1; *(uint8_t*)0x20003be9 = 1; *(uint8_t*)0x20003bea = 0x22; *(uint16_t*)0x20003beb = 0x2ff; *(uint8_t*)0x20003bed = 9; *(uint8_t*)0x20003bee = 5; *(uint8_t*)0x20003bef = 0x81; *(uint8_t*)0x20003bf0 = 3; *(uint16_t*)0x20003bf1 = 0x10; *(uint8_t*)0x20003bf3 = 6; *(uint8_t*)0x20003bf4 = -1; *(uint8_t*)0x20003bf5 = 4; *(uint8_t*)0x20003bf6 = 9; *(uint8_t*)0x20003bf7 = 5; *(uint8_t*)0x20003bf8 = 2; *(uint8_t*)0x20003bf9 = 3; *(uint16_t*)0x20003bfa = 8; *(uint8_t*)0x20003bfc = 4; *(uint8_t*)0x20003bfd = 6; *(uint8_t*)0x20003bfe = 0x7f; *(uint32_t*)0x20003cc0 = 0xa; *(uint32_t*)0x20003cc4 = 0x20003c00; *(uint8_t*)0x20003c00 = 0xa; *(uint8_t*)0x20003c01 = 6; *(uint16_t*)0x20003c02 = 0x300; *(uint8_t*)0x20003c04 = 3; *(uint8_t*)0x20003c05 = 2; *(uint8_t*)0x20003c06 = 0xfa; *(uint8_t*)0x20003c07 = 8; *(uint8_t*)0x20003c08 = 0x74; *(uint8_t*)0x20003c09 = 0; *(uint32_t*)0x20003cc8 = 0x28; *(uint32_t*)0x20003ccc = 0x20003c40; *(uint8_t*)0x20003c40 = 5; *(uint8_t*)0x20003c41 = 0xf; *(uint16_t*)0x20003c42 = 0x28; *(uint8_t*)0x20003c44 = 2; *(uint8_t*)0x20003c45 = 3; *(uint8_t*)0x20003c46 = 0x10; *(uint8_t*)0x20003c47 = 0xb; *(uint8_t*)0x20003c48 = 0x20; *(uint8_t*)0x20003c49 = 0x10; *(uint8_t*)0x20003c4a = 0xa; *(uint8_t*)0x20003c4b = 3; STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 5, 0, 5); 
STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 8, 5, 27); *(uint16_t*)0x20003c50 = 0xf00; *(uint16_t*)0x20003c52 = 0xf831; *(uint32_t*)0x20003c54 = 0xc0; *(uint32_t*)0x20003c58 = 0xc0a0; *(uint32_t*)0x20003c5c = 0xff000f; *(uint32_t*)0x20003c60 = 7; *(uint32_t*)0x20003c64 = 0xc0f0; *(uint32_t*)0x20003cd0 = 1; *(uint32_t*)0x20003cd4 = 4; *(uint32_t*)0x20003cd8 = 0x20003c80; *(uint8_t*)0x20003c80 = 4; *(uint8_t*)0x20003c81 = 3; *(uint16_t*)0x20003c82 = 0x436; res = -1; res = syz_usb_connect(4, 0x3f, 0x20003bc0, 0x20003cc0); if (res != -1) r[17] = res; break; case 38: syz_usb_disconnect(r[17]); break; case 39: syz_usb_ep_read(-1, 0x80, 0xc4, 0x20003d00); break; case 40: memcpy((void*)0x20003e00, "\x50\x74\xfa\x81\xf3\xf3\x73\xda\x27\x99\xca\xfb\x26\xb4\x49\x7c\xb3\xc8\x7b\xc0\xf8\x2f\xa7\x88\x54\x68\xbd\x41\x23\x20\x65\xaa\x95\x61\xd2\x4a\xe0\xf1\xd0\xe0\x36\xac\x71\x4a\xc5\xaf\x89\xc6\x9d\x88\x61\xca\xd7\x13\xfc\xb8\xba\xcb\x8c\x4b\x10\xdc\x3b\x6e\xc2\x04\x4c\x01\xf3\x71\xb1\x24\xc0\xa0\xf4\xba\xce\x7d\x51\x79\x87\x2c\xdd\x20\x5e\x09\xc3\xee\xb7\xd5\x57\x7b\x26\xe9\x8f\x84\x55\x4e\xd6", 99); syz_usb_ep_write(r[16], 0x7f, 0x63, 0x20003e00); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } <stdin>: In function ‘syz_io_uring_setup’: <stdin>:476:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) <stdin>:476:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor791611110 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/2 (0.25s) csource_test.go:122: opts: {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:0 
Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$zero(0xffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x161000, 0x0) ioctl$SNAPSHOT_FREE(r0, 0x3305) syz_genetlink_get_family_id$l2tp(&(0x7f0000000040)='l2tp\x00') openat$dlm_control(0xffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x20000, 0x0) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f00000000c0)=0x17, 0x4) r1 = mmap$IORING_OFF_SQES(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x2000000, 0x1010, r0, 0x10000000) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, r1, &(0x7f00000003c0)=@IORING_OP_RECVMSG={0xa, 0x4, 0x0, r2, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=@x25={0x9, @remote}, 0x80, &(0x7f0000000240)=[{&(0x7f0000000180)=""/147, 0x93}], 0x1, &(0x7f0000000280)=""/202, 0xca}, 0x0, 0x0, 0x1, {0x3, r3}}, 0x10001) ioctl$KDSKBMETA(0xffffffffffffffff, 0x4b63, &(0x7f0000000440)=0x4) syz_emit_ethernet(0x56, &(0x7f0000000000)={@local, @remote, @void, {@canfd={0xd, {{0x3, 0x0, 0x1, 0x1}, 0x11, 0x2, 0x0, 0x0, "f4ebe40216fede5ef6c5310f0413c5d41b32fc23e07fd332a8a5c5f966821da091f47b7b9cf9228727ff7412c2e4a3a1573bb295482d7b4a3effd863cc60f5d8"}}}}, &(0x7f0000000080)={0x0, 0x4, [0xd2d, 0xc61, 0x6d3, 0xbe2]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x1, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x7f, 0x2}}}}, 0xf) syz_execute_func(&(0x7f0000000100)="c4c2cd45f18fe800edb85c2f009ee96436360f2811c4c3c90b6b0787c4c2f1a603f30fa6d0f36f650ffa0ec4c21d2f9f5aac384f3e65f3ab") syz_extract_tcp_res(&(0x7f0000000140), 0x2c, 0x9f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000180)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x3, 0xcc) 
r4 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3000001, 0x80000, 0xffffffffffffffff, 0x0) r5 = syz_io_uring_complete(r4) r6 = io_uring_setup(0x3a3b, &(0x7f00000001c0)={0x0, 0xd9fd, 0x20, 0x0, 0x308, 0x0, 0xffffffffffffffff}) r8 = syz_io_uring_setup(0x17a8, &(0x7f0000000240)={0x0, 0xb18d, 0x15b3e67cab3a8d6e, 0x2, 0x158, 0x0, r7}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f00000002c0), &(0x7f0000000300)) syz_io_uring_setup(0x6b11, &(0x7f0000000340)={0x0, 0x15f8, 0x20, 0x2, 0xd2}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f00000003c0)=0x0, &(0x7f0000000400)=0x0) r11 = socket$bt_rfcomm(0x1f, 0x3, 0x3) r12 = io_uring_register$IORING_REGISTER_PERSONALITY(r5, 0x9, 0x0, 0x0) syz_io_uring_submit(r4, r10, &(0x7f0000001700)=@IORING_OP_RECVMSG={0xa, 0x2, 0x0, r11, 0x0, &(0x7f00000016c0)={&(0x7f0000000440)=@nl=@proc, 0x80, &(0x7f00000015c0)=[{&(0x7f00000004c0)=""/44, 0x2c}, {&(0x7f0000000500)=""/4096, 0x1000}, {&(0x7f0000001500)=""/40, 0x28}, {&(0x7f0000001540)=""/74, 0x4a}], 0x4, &(0x7f0000001600)=""/185, 0xb9}, 0x0, 0x2000, 0x1, {0x3, r12}}, 0xad23946) r13 = fsmount(r5, 0x1, 0x84) ioctl$F2FS_IOC_MOVE_RANGE(r8, 0xc01cf509, &(0x7f0000001740)={r6, 0x3, 0x6, 0x1000}) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000017c0)=[{0x0, &(0x7f0000001780)="e7bed238547695a78957b574bacb6dbc567a3232e76559b4ea3931b608578a24da4c749795975b0ae51da8a86dde75b1d684", 0x32}], 0x1, 0x0, &(0x7f0000001800), 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r9, 0x114, &(0x7f0000001840), 0x0, 0x4) syz_mount_image$afs(&(0x7f0000001880)='afs\x00', &(0x7f00000018c0)='./file0\x00', 0x5, 0x1, &(0x7f0000002900)=[{&(0x7f0000001900)="", 0x1000, 0x9}], 0x20005, &(0x7f0000002940)={[{@flock_openafs='flock=openafs'}, {@dyn='dyn'}, {@autocell='autocell'}, {@dyn='dyn'}, {@flock_openafs='flock=openafs'}, {@source={'source', 0x3d, '&'}}, {@source={'source', 0x3d, 'SEG6\x00'}}], [{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, 
{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@subj_user={'subj_user', 0x3d, 'SEG6\x00'}}, {@smackfstransmute={'smackfstransmute', 0x3d, ':'}}, {@seclabel='seclabel'}]}) syz_open_dev$I2C(&(0x7f0000002a00)='/dev/i2c-#\x00', 0xad8, 0x2a2000) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000002a40)=0x0) syz_open_procfs(r15, &(0x7f0000002a80)='net\x00') syz_open_pts(r13, 0x0) syz_read_part_table(0x1, 0x7, &(0x7f0000002e80)=[{&(0x7f0000002ac0)="7ad3cd802dd0c424945d99ca9ca6e4fbb8f8e3b980d2ec", 0x17, 0x1000}, {&(0x7f0000002b00)="329de80b2b17bbd25d1f1907a9263af3bf05c4a7061e28492a3f71c6343aa5aaea0327a3", 0x24, 0x5}, {&(0x7f0000002b40)="82791dfd311d07db7d65e803ce6ca00028af8ff8d276187e0e14bbf7beab60fc4b70722e91b6322b8e3472191a66176bb0ca91dee60f1506a6d48be4055230c30be94a1043a1d2a06d42166069d8033d6c524c8610b8c4bb63af0ce6d6207137f1be1b62b002e8c35e6467c2423cc6597d1ca58ee31589f0248ac762e24a286a41a761912d34bb56f07db88ca52fce8d128762394fa00faac8451a42c3144bdec7e97296c9eac7c9f63110a3d405c16b0428880024e8c9c8af490b8cfad84cbb637878d634cd84346b60c9132c09660cdc616a0b", 0xd4, 0x7fff}, {&(0x7f0000002c40)="904bbcee2b46daa1ac643b7b6b8ea0ff462feabee541b411a885e470a496cbbdc729ffdebc50807f719cbe808d8b598b4767c7a852d9ce0c880a9b078b0187deac926bd4687a44f092bb", 0x4a, 0x5}, {&(0x7f0000002cc0)="3531ae257e7e0877cde340c42edbfc91dcffaff1284ef08a451e4c76e0cd83b2c0ea10d86bcefa93bbaef5fffbfe7dc70b73b89c55fc3851110d1bd0d1da31753320b111fe7060537e8f65f3c2f05adcb3d66bd2abe6b08aaae0d0eedca9937707ec4cb4874cdfd05800812ab53f9550b25a28ee69e62a0f790fe5233fc8645fc3fe6cae055f2aa1729125170151e86eeab67bb20bc884a1214c2d3d969c34fb239b45feec93ac209721bae7271251c613cea9379c1521", 0xb7, 0x4}, {&(0x7f0000002d80)="c3f04f26929b7a4d6342841fa53a9a8cb8006a97f428", 0x16, 0x6}, 
{&(0x7f0000002dc0)="c9871275e3269ff1bdcd67fb523e1ceb5151b0ede9e032634e36d486046bc31cd978bda59247355316319e768e7ac6be0648bf0fecd13cdad45f713e0e3b74e95eec77063c02a233ea97d338f4b1e9bc5a7cce85528742632ed59cec016f3914dd02ca6b1dc833224895277350cf1f21d6c78f8592717e91233f9026927e0cc3d80cdc57714763a0fcb091f5c69051b55cd2e1fcc33b13d597c5caeeb271c542978a1e17", 0xa4, 0x9c}]) r16 = syz_usb_connect(0x4, 0x384, &(0x7f0000002f00)={{0x12, 0x1, 0x201, 0xa4, 0x61, 0x1e, 0x40, 0xacd, 0x300, 0xc0df, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x372, 0x2, 0x4, 0x1f, 0x0, 0x1, [{{0x9, 0x4, 0x5d, 0xb3, 0x1, 0xad, 0x49, 0x76, 0x20, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x80}]}], [{{0x9, 0x5, 0xd, 0x0, 0x230, 0x5d, 0x1, 0x3f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x2}, @generic={0xba, 0xe, "f4e6e5762883c34df04f356099f1d34bdbc9f5324da648053fd690211b897119c4f3ac197f2aa93f2f3be05f836b1644d5b2327648b30816ed192f943dfce225f69d77c51565e177fd889c9c9d8c85b92ee4bead0e889446bbc320a40fa24807f476bfd1f1b3096e3370f755c94aa01c3be4ddc7952a5694bcad4beb4065bf5ea96066c43e9507e6220c47bc0271adcbaffce6ac90cb3c8b1cf748c6bbf97108dfa2cac4b87d3420428434397e07f17a87ed6233b39e32f0"}]}}]}}, {{0x9, 0x4, 0x5d, 0x27, 0x7, 0x3f, 0x84, 0xfd, 0x3, [@uac_as={[@format_type_i_discrete={0x10, 0x24, 0x2, 0x1, 0xe2, 0x2, 0x63, 0x40, "e721cc44acca8938"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x1, 0x0, "9ef42f"}, @as_header={0x7, 0x24, 0x1, 0x4, 0x1, 0x4}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x19, 0x6, "9e", "6983"}]}, @uac_as], [{{0x9, 0x5, 0xf, 0x0, 0x3ff, 0xf6, 0x5, 0x80}}, {{0x9, 0x5, 0x1, 0x10, 0x10, 0x0, 0x40, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x20, 0x6}]}}, {{0x9, 0x5, 0xb, 0x8, 0x10, 0x1, 0x2}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x4, 0x8, 0xc0, [@generic={0xbb, 0x31, 
"215ce6ab8f3c72caa3ab1326f18838908ac60bffb3b50748144aa2cbc4d7cac56f4a7bb2bd6c969674a5e4040861bb21ba5ccf0f822c1032e7e3729f8c171fc7a89b5340b5067108d597f178aa651a98aca4d012fa555a695683b527e6031f1f7f20494b250e3a6cd8b4de9647e150049867097c47cc237c612cefe698332f1fe7f02e6f53e845b1f5e7b4b24ad8629b78ce7630e2d40120fbc3f49375a4a086dedd2a27f06b3ed3d756a819b97f759aa54aef83df4868a9e9"}]}}, {{0x9, 0x5, 0x3, 0x12, 0x3ff, 0x0, 0x1, 0xff, [@generic={0xad, 0x31, "0c921d3f980f4e53147a46bd5856da03081660fbed7b8b2d389be8a038e95c2958a477ed5faf9ef38c82c3abea254459edb0f2cf286235034087adb7907ff192640b936886bd48d3a51215406b3aa0b6d8f8d91d830f5236a9a8be03c2215f012131968c6a80860ae81193059468108efd4f1305379d0115c7ec667b0359940e5664bf7b3c4a5f04ca3c51db9d2cd417e9099bff628b8e1a8ed0f596149357a08abd1177eb977353eb8932"}, @generic={0x93, 0x11, "a8e22d542ae3d831f337211bb5be12a5c46e5cf9b556d84d5af4caca8742ad216140562b7e5421e2642471e8f50eb8aef06212b46c644ae58463e18b3e72bd3eca6060fa8b94031796e55eb41d3f318affbf081eeb1708851e72fadd887e0330134319f0a5967eda657bc1101f74deba42e78aff20fb5d3c1fe49d9a054657b6f1af3d015fc16ff80873f326690843df81"}]}}, {{0x9, 0x5, 0xf, 0x4, 0x200, 0x0, 0x1f, 0x1, [@generic={0x11, 0x6, "824b7d0957bc552d224fdf6bff63a8"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x6}]}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x1f, 0xfd, 0x3}}]}}]}}]}}, &(0x7f0000003400)={0xa, &(0x7f00000032c0)={0xa, 0x6, 0x110, 0x4d, 0x80, 0x80, 0x20, 0xc1}, 0x46, &(0x7f0000003300)={0x5, 0xf, 0x46, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x35, 0x0, 0xdf, 0x9, 0xf7}, @ext_cap={0x7, 0x10, 0x2, 0xe, 0xb, 0x6, 0x9}, @ssp_cap={0x18, 0x10, 0xa, 0x1, 0x3, 0x7fffffe, 0xff0f, 0x101, [0xffc0a0, 0x0, 0xffff0f]}, @ssp_cap={0x10, 0x10, 0xa, 0x3, 0x1, 0x200, 0xff00, 0x1, [0x0]}, @ext_cap={0x7, 0x10, 0x2, 0x16, 0x8, 0xe, 0x7}]}, 0x2, [{0x4, &(0x7f0000003380)=@lang_id={0x4, 0x3, 0x380a}}, {0x4, &(0x7f00000033c0)=@lang_id={0x4, 0x3, 0x42f}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000003440)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 
0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r16, &(0x7f00000036c0)={0x18, &(0x7f00000034c0)={0x20, 0x8, 0xd4, {0xd4, 0x31, "dd9fe1d6f8ee76d6289246b5277cc19f3c4621add821a7f3d1aae994dbf4b1bd89e8770734768ade97e51d248f53cd530b31119aaccf53b6f6eddf4b8bfe6a1a859c3dc286f8335c9d15e5d5169b244155391062ff885d40be3707b6d1ea252a96d97ab24fb675f54557cfa24d805b0795708af5065d4b6662dfd54dd59cfce1673ab356a254f6b5bce44c619a17ffce8ebb96e083c082450062bd71a206ca921e0b77f517c1619586b3bca3e2490821016cc76caf96c0ec9068b45e2334ed9a6ff06a6343ae01f0aef6127ebaf5b52d69e3"}}, &(0x7f00000035c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40e}}, &(0x7f0000003600)={0x0, 0xf, 0x28, {0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @generic={0x20, 0x10, 0xa, "195fa2f324c0be96da3db26afa5677530ac0faf4c682be7c15e9a58666"}]}}, &(0x7f0000003640)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x1, 0x0, 0x9, "057c417e", "8da436c4"}}, &(0x7f0000003680)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x20, 0x10, 0x80, 0x40, 0x1f, 0x0, 0x5}}}, &(0x7f0000003b40)={0x44, &(0x7f0000003700)={0x60, 0x8, 0x54, "85f988045278f97532a667cbee9b821d6554fb1c6d18dffb785196d90727e1b4615c86ee049a1696b1668f000e62d539e081cf07e360171ce61ca2f95644b9ad8e9211a1b19c4399bdfd6d533bf8955242725bb4"}, &(0x7f0000003780)={0x0, 0xa, 0x1, 0x1}, &(0x7f00000037c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000003800)={0x20, 0x0, 0x4, {0x2}}, &(0x7f0000003840)={0x20, 0x0, 0x8, {0x200, 0x40, [0xff]}}, &(0x7f0000003880)={0x40, 0x7, 0x2, 0x1}, &(0x7f00000038c0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000003900)={0x40, 0xb, 0x2, "8eaf"}, &(0x7f0000003940)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000003980)={0x40, 0x13, 0x6, @dev={[], 0x38}}, &(0x7f00000039c0)={0x40, 0x17, 0x6, @broadcast}, &(0x7f0000003a00)={0x40, 0x19, 0x2, '{k'}, &(0x7f0000003a40)={0x40, 0x1a, 0x2, 0x40}, &(0x7f0000003a80)={0x40, 0x1c, 0x1}, &(0x7f0000003ac0)={0x40, 0x1e, 0x1, 0xfe}, &(0x7f0000003b00)={0x40, 0x21, 0x1, 0xfa}}) r17 = syz_usb_connect$hid(0x4, 0x3f, &(0x7f0000003bc0)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x46d, 
0xc22d, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x10, 0x2, [{{0x9, 0x4, 0x0, 0x2f, 0x2, 0x3, 0x1, 0x1, 0xfd, {0x9, 0x21, 0x9, 0x1, 0x1, {0x22, 0x2ff}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0x6, 0xff, 0x4}}, [{{0x9, 0x5, 0x2, 0x3, 0x8, 0x4, 0x6, 0x7f}}]}}}]}}]}}, &(0x7f0000003cc0)={0xa, &(0x7f0000003c00)={0xa, 0x6, 0x300, 0x3, 0x2, 0xfa, 0x8, 0x74}, 0x28, &(0x7f0000003c40)={0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x3, 0x5, 0x8, 0xf00, 0xf831, [0xc0, 0xc0a0, 0xff000f, 0x7, 0xc0f0]}]}, 0x1, [{0x4, &(0x7f0000003c80)=@lang_id={0x4, 0x3, 0x436}}]}) syz_usb_disconnect(r17) syz_usb_ep_read(0xffffffffffffffff, 0x80, 0xc4, &(0x7f0000003d00)=""/196) syz_usb_ep_write(r16, 0x7f, 0x63, &(0x7f0000003e00)="5074fa81f3f373da2799cafb26b4497cb3c87bc0f82fa7885468bd41232065aa9561d24ae0f1d0e036ac714ac5af89c69d8861cad713fcb8bacb8c4b10dc3b6ec2044c01f371b124c0a0f4bace7d5179872cdd205e09c3eeb7d5577b26e98f84554ed6") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t 
bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += 
desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; 
return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return 
true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return 
true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int 
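// Returns the raw-gadget handle of the endpoint with address
// bEndpointAddress on the currently selected interface of the device
// registered for fd, or -1 if the device is unknown, no valid interface is
// selected, or the interface has no such endpoint.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    int ep;

    if (!index)
        return -1;
    // Same range check set_interface() applies before indexing ifaces[].
    if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
        return -1;
    // The loop must stop at eps_num. The previous condition tested eps_num
    // alone, so a miss walked past the end of eps[] whenever the interface
    // had at least one endpoint.
    for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
        if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
            return index->ifaces[index->iface_cur].eps[ep].handle;
    return -1;
}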
// Pseudo-syscall entry point: unpacks the four raw arguments (link speed,
// device descriptor length, device descriptor pointer, connect-descriptor
// table pointer) and runs the shared connect routine with the generic
// handler for OUT control requests.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    // Arguments are read once each, in order, into typed locals.
    const uint64_t link_speed = a0;
    const uint64_t descriptor_len = a1;
    const char* descriptor = (const char*)a2;
    const struct vusb_connect_descriptors* tables = (const struct vusb_connect_descriptors*)a3;

    return syz_usb_connect_impl(link_speed, descriptor_len, descriptor, tables,
                                &lookup_connect_response_out_generic);
}
// Pseudo-syscall: services one control request on endpoint 0 of the raw
// gadget behind fd (a0), using the descriptor table (a1) and response table
// (a2) supplied by the program.
//
// Fetches a single event; anything other than a control event returns -1.
// IN requests with a non-zero wLength are answered from the tables (EP0 is
// stalled and -1 returned if nothing matches). All other requests are
// completed with an EP0 read. Returns 0 on success or the failing ioctl's
// result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
    int fd = a0;
    const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
    const struct vusb_responses* resps = (const struct vusb_responses*)a2;

    struct usb_raw_control_event event;
    event.inner.type = 0;
    event.inner.length = USB_MAX_PACKET_SIZE;
    int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
    if (rv < 0) {
        return rv;
    }
    if (event.inner.type != USB_RAW_EVENT_CONTROL) {
        return -1;
    }

    char* response_data = NULL;
    uint32_t response_length = 0;

    if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
        if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
            usb_raw_ep0_stall(fd);
            return -1;
        }
    } else {
        // NOTE(review): with `||` every standard request on this path is
        // treated as an interface switch and wIndex/wValue are looked up as
        // interface/alt-setting; `&&` may have been intended — confirm.
        if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
            event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
            int iface_num = event.ctrl.wIndex;
            int alt_set = event.ctrl.wValue;
            int iface_index = lookup_interface(fd, iface_num, alt_set);
            if (iface_index < 0) {
            } else {
                set_interface(fd, iface_index);
            }
        }
        response_length = event.ctrl.wLength;
    }

    struct usb_raw_ep_io_data response;
    response.inner.ep = 0;
    response.inner.flags = 0;
    // The table-provided length is untrusted: anything larger than the local
    // buffer is dropped to 0, then the length is capped at what the host
    // asked for, so the copy below stays inside response.data.
    if (response_length > sizeof(response.data))
        response_length = 0;
    if (event.ctrl.wLength < response_length)
        response_length = event.ctrl.wLength;
    // Zero-length IN request: response_data is still NULL here, so the
    // buffer is zero-filled and a full-size EP0 read is issued below.
    if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
        response_length = USB_MAX_PACKET_SIZE;
    }
    response.inner.length = response_length;
    if (response_data)
        memcpy(&response.data[0], response_data, response_length);
    else
        memset(&response.data[0], 0, response_length);

    if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
        rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
    } else {
        rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
    }
    if (rv < 0) {
        return rv;
    }

    sleep_ms(200);

    return 0;
}
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, 
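// One chunk of a filesystem image: `size` bytes at `data` are placed at byte
// `offset` of the image.
struct fs_image_segment {
    void* data;
    uintptr_t size;
    uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)

#define sys_memfd_create 356

// Sanitises a program-supplied segment list and returns the image size to
// allocate.
//
// `segments` is the address of an array of `nsegs` struct fs_image_segment.
// At most IMAGE_MAX_SEGMENTS entries are examined. Each examined entry is
// rewritten IN PLACE so that size <= IMAGE_MAX_SIZE and offset + size <=
// IMAGE_MAX_SIZE. The returned size is the requested `size` grown to cover
// the end of every examined segment and capped at IMAGE_MAX_SIZE.
//
// The local clamp of nsegs is not visible to the caller: entries beyond
// IMAGE_MAX_SEGMENTS are left unvalidated, so callers must apply the same
// limit before iterating.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
    unsigned long i;
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;

    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    for (i = 0; i < nsegs; i++) {
        if (segs[i].size > IMAGE_MAX_SIZE)
            segs[i].size = IMAGE_MAX_SIZE;
        segs[i].offset %= IMAGE_MAX_SIZE;
        if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
            segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
        // End of this segment. The earlier code added offset to itself, which
        // under-sized the image whenever size exceeded offset. The sum cannot
        // overflow: offset <= IMAGE_MAX_SIZE - size after the clamps above.
        unsigned long end = segs[i].offset + segs[i].size;
        if (size < end)
            size = end;
    }
    if (size > IMAGE_MAX_SIZE)
        size = IMAGE_MAX_SIZE;
    return size;
}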
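// Pseudo-syscall: assembles a filesystem image from program-supplied
// segments and mounts it.
//
//   fsarg    - address of the filesystem type string
//   dir      - address of the mount point path (created if missing)
//   size     - requested image size in bytes
//   nsegs    - number of entries in the segment array
//   segments - address of an array of struct fs_image_segment
//   flags    - mount(2) flags
//   optsarg  - address of the mount options string
//
// The image is built in a memfd, attached to /dev/loop<procid> and mounted
// from there. Returns 0 on success and -1 on failure with errno set to the
// error of the failing step.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size,
                            volatile unsigned long nsegs, volatile long segments, volatile long flags,
                            volatile long optsarg)
{
    char loopname[64], fs[32], opts[256];
    int loopfd, err = 0, res = -1;
    unsigned long i;

    size = fs_image_segment_check(size, nsegs, segments);
    // fs_image_segment_check() only sanitises the first IMAGE_MAX_SEGMENTS
    // entries and cannot shrink our copy of nsegs. Apply the same limit here
    // so the write loop never uses a size/offset pair that was not validated.
    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
    if (memfd == -1) {
        err = errno;
        goto error;
    }
    if (ftruncate(memfd, size)) {
        err = errno;
        goto error_close_memfd;
    }
    for (i = 0; i < nsegs; i++) {
        struct fs_image_segment* segs = (struct fs_image_segment*)segments;
        // Best effort: a failed write leaves that part of the image as is.
        if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
        }
    }
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    loopfd = open(loopname, O_RDWR);
    if (loopfd == -1) {
        err = errno;
        goto error_close_memfd;
    }
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
        if (errno != EBUSY) {
            err = errno;
            goto error_close_loop;
        }
        // Device still bound to an earlier image: detach it and retry once.
        ioctl(loopfd, LOOP_CLR_FD, 0);
        usleep(1000);
        if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
            err = errno;
            goto error_close_loop;
        }
    }
    mkdir((char*)dir, 0777);
    // Both strings are copied into zeroed, bounded buffers so they are always
    // NUL-terminated.
    memset(fs, 0, sizeof(fs));
    strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
    memset(opts, 0, sizeof(opts));
    // 32 bytes are held back for the option appended by strcat() below.
    strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
    if (strcmp(fs, "iso9660") == 0) {
        flags |= MS_RDONLY;
    } else if (strncmp(fs, "ext", 3) == 0) {
        // Appends errors=continue when the options ask for errors=panic or
        // do not mention errors=remount-ro.
        if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
            strcat(opts, ",errors=continue");
    } else if (strcmp(fs, "xfs") == 0) {
        strcat(opts, ",nouuid");
    }
    if (mount(loopname, (char*)dir, fs, flags, opts)) {
        err = errno;
        goto error_clear_loop;
    }
    res = 0;
    // The labels below also run on the success path: the loop device is
    // asked to detach and both descriptors are closed in every case.
error_clear_loop:
    ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
    close(loopfd);
error_close_memfd:
    close(memfd);
error:
    errno = err;
    return res;
}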
// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the calling process. Only the first element of the
// capability data array is modified. Exits the process with status 1 if the
// capabilities cannot be read or written back.
static void drop_caps(void)
{
    struct __user_cap_header_struct header = {};
    struct __user_cap_data_struct sets[2] = {};

    header.version = _LINUX_CAPABILITY_VERSION_3;
    header.pid = getpid();
    if (syscall(SYS_capget, &header, &sets) != 0)
        exit(1);

    // Bit mask of the capabilities to give up.
    const int revoked = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
    const int kept = ~revoked;
    sets[0].effective &= kept;
    sets[0].permitted &= kept;
    sets[0].inheritable &= kept;

    if (syscall(SYS_capset, &header, &sets) != 0)
        exit(1);
}
// Pseudo-syscall: treats `text` as the address of machine code and calls it
// as a function taking no arguments. Always returns 0 if the call returns.
//
// The address and the bytes behind it come straight from the generated
// program, so this runs arbitrary instructions inside the test process. No
// validation is done here; any containment has to come from how the process
// is set up and run.
static long syz_execute_func(volatile long text)
{
    // Unused scratch array; its purpose is not evident from this listing —
    // presumably stack padding around the call, TODO confirm.
    volatile long p[8] = {0};
    (void)p;
    ((void (*)(void))(text))();
    return 0;
}
// Runs the test program forever, one forked child per iteration.
//
// Each round creates a fresh working directory ./<n>, resets the loop
// device, forks a child that enters the directory and executes the program
// once, and waits for it. A child still running after 5 seconds is killed
// via kill_and_wait(). The directory is removed before the next round.
// Any setup failure exits the process with status 1.
static void loop(void)
{
    int round = 0;

    while (1) {
        char workdir[32];
        sprintf(workdir, "./%d", round);
        if (mkdir(workdir, 0777) != 0)
            exit(1);
        reset_loop();

        int child = fork();
        if (child < 0)
            exit(1);
        if (child == 0) {
            // Child: run the program once inside its own directory.
            if (chdir(workdir) != 0)
                exit(1);
            setup_test();
            execute_one();
            exit(0);
        }

        // Parent: poll for the child's exit, enforcing the time budget.
        int status = 0;
        uint64_t began = current_time_ms();
        while (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) != child) {
            sleep_ms(1);
            if (current_time_ms() - began >= 5 * 1000) {
                kill_and_wait(child, &status);
                break;
            }
        }
        remove_dir(workdir);
        round++;
    }
}
{0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/zero\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x161000, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, (intptr_t)r[0], 0x3305, 0); break; case 2: memcpy((void*)0x20000040, "l2tp\000", 5); syz_genetlink_get_family_id(0x20000040); break; case 3: memcpy((void*)0x20000080, "/dev/dlm-control\000", 17); syscall(__NR_openat, 0xffffff9c, 0x20000080, 0x20000, 0); break; case 4: *(uint32_t*)0x200000c0 = 0x17; syscall(__NR_setsockopt, (intptr_t)r[0], 0x10e, 2, 0x200000c0, 4); break; case 5: res = syscall(__NR_mmap, 0x20ffa000, 0x4000, 0x2000000, 0x1010, (intptr_t)r[0], 0x10000000); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_socket, 0x23, 5, 2); if (res != -1) r[2] = res; break; case 7: res = syscall(__NR_io_uring_register, -1, 9, 0, 0); if (res != -1) r[3] = res; break; case 8: *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0; *(uint32_t*)0x200003c4 = r[2]; *(uint64_t*)0x200003c8 = 0; *(uint32_t*)0x200003d0 = 0x20000380; *(uint32_t*)0x20000380 = 0x20000100; *(uint32_t*)0x20000384 = 0x80; *(uint32_t*)0x20000388 = 0x20000240; *(uint32_t*)0x20000240 = 0x20000180; *(uint32_t*)0x20000244 = 0x93; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x20000280; *(uint32_t*)0x20000394 = 0xca; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x200003d4 = 0; *(uint32_t*)0x200003d8 = 0; *(uint64_t*)0x200003dc = 1; *(uint16_t*)0x200003e4 = 3; *(uint16_t*)0x200003e6 = r[3]; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; 
*(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; syz_io_uring_submit(0, r[1], 0x200003c0, 0x10001); break; case 9: *(uint32_t*)0x20000440 = 4; syscall(__NR_ioctl, -1, 0x4b63, 0x20000440); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0xaa; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 3, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 31, 1); *(uint8_t*)0x20000012 = 0x11; *(uint8_t*)0x20000013 = 2; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; memcpy((void*)0x20000016, "\xf4\xeb\xe4\x02\x16\xfe\xde\x5e\xf6\xc5\x31\x0f\x04\x13\xc5\xd4\x1b\x32\xfc\x23\xe0\x7f\xd3\x32\xa8\xa5\xc5\xf9\x66\x82\x1d\xa0\x91\xf4\x7b\x7b\x9c\xf9\x22\x87\x27\xff\x74\x12\xc2\xe4\xa3\xa1\x57\x3b\xb2\x95\x48\x2d\x7b\x4a\x3e\xff\xd8\x63\xcc\x60\xf5\xd8", 64); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0xd2d; *(uint32_t*)0x2000008c = 0xc61; *(uint32_t*)0x20000090 = 0x6d3; *(uint32_t*)0x20000094 = 0xbe2; break; case 11: *(uint8_t*)0x200000c0 = 2; STORE_BY_BITMASK(uint16_t, , 0x200000c1, 0xc9, 0, 12); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 3, 4, 2); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 1, 6, 2); *(uint16_t*)0x200000c3 = 0xa; *(uint16_t*)0x200000c5 = 6; 
*(uint16_t*)0x200000c7 = 5; *(uint8_t*)0x200000c9 = 0x13; *(uint8_t*)0x200000ca = 0x7f; *(uint16_t*)0x200000cb = 2; *(uint16_t*)0x200000cd = 0; break; case 12: memcpy((void*)0x20000100, "\xc4\xc2\xcd\x45\xf1\x8f\xe8\x00\xed\xb8\x5c\x2f\x00\x9e\xe9\x64\x36\x36\x0f\x28\x11\xc4\xc3\xc9\x0b\x6b\x07\x87\xc4\xc2\xf1\xa6\x03\xf3\x0f\xa6\xd0\xf3\x6f\x65\x0f\xfa\x0e\xc4\xc2\x1d\x2f\x9f\x5a\xac\x38\x4f\x3e\x65\xf3\xab", 56); syz_execute_func(0x20000100); break; case 13: break; case 14: memcpy((void*)0x20000180, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000180); break; case 15: syz_init_net_socket(3, 3, 0xcc); break; case 16: res = syscall(__NR_mmap, 0x20ffd000, 0x2000, 0x3000001, 0x80000, -1, 0); if (res != -1) r[4] = res; break; case 17: res = -1; res = syz_io_uring_complete(r[4]); if (res != -1) r[5] = res; break; case 18: *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0xd9fd; *(uint32_t*)0x200001c8 = 0x20; *(uint32_t*)0x200001cc = 0; *(uint32_t*)0x200001d0 = 0x308; *(uint32_t*)0x200001d4 = 0; *(uint32_t*)0x200001d8 = -1; *(uint32_t*)0x200001dc = 0; *(uint32_t*)0x200001e0 = 0; *(uint32_t*)0x200001e4 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint32_t*)0x200001f8 = 0; *(uint32_t*)0x200001fc = 0; *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; res = syscall(__NR_io_uring_setup, 0x3a3b, 0x200001c0); if (res != -1) { r[6] = res; r[7] = *(uint32_t*)0x200001d8; } break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xb18d; *(uint32_t*)0x20000248 = 0xab3a8d6e; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000250 = 0x158; 
*(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = r[7]; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = -1; res = syz_io_uring_setup(0x17a8, 0x20000240, 0x20ffb000, 0x20ffd000, 0x200002c0, 0x20000300); if (res != -1) r[8] = res; break; case 20: *(uint32_t*)0x20000340 = 0; *(uint32_t*)0x20000344 = 0x15f8; *(uint32_t*)0x20000348 = 0x20; *(uint32_t*)0x2000034c = 2; *(uint32_t*)0x20000350 = 0xd2; *(uint32_t*)0x20000354 = 0; *(uint32_t*)0x20000358 = -1; *(uint32_t*)0x2000035c = 0; *(uint32_t*)0x20000360 = 0; *(uint32_t*)0x20000364 = 0; *(uint32_t*)0x20000368 = 0; *(uint32_t*)0x2000036c = 0; *(uint32_t*)0x20000370 = 0; *(uint32_t*)0x20000374 = 0; *(uint32_t*)0x20000378 = 0; *(uint32_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = 0; *(uint32_t*)0x2000038c = 0; *(uint32_t*)0x20000390 = 0; *(uint32_t*)0x20000394 = 0; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x2000039c = 0; *(uint32_t*)0x200003a0 = 0; *(uint32_t*)0x200003a4 = 0; *(uint32_t*)0x200003a8 = 0; *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = 0; *(uint32_t*)0x200003b4 = 0; res = -1; res = syz_io_uring_setup(0x6b11, 0x20000340, 0x20ffb000, 0x20ffb000, 0x200003c0, 0x20000400); if (res != -1) { r[9] = *(uint64_t*)0x200003c0; r[10] = *(uint64_t*)0x20000400; } break; case 21: res = syscall(__NR_socket, 0x1f, 3, 3); if (res != -1) r[11] = res; break; case 22: res = 
syscall(__NR_io_uring_register, (intptr_t)r[5], 9, 0, 0); if (res != -1) r[12] = res; break; case 23: *(uint8_t*)0x20001700 = 0xa; *(uint8_t*)0x20001701 = 2; *(uint16_t*)0x20001702 = 0; *(uint32_t*)0x20001704 = r[11]; *(uint64_t*)0x20001708 = 0; *(uint32_t*)0x20001710 = 0x200016c0; *(uint32_t*)0x200016c0 = 0x20000440; *(uint32_t*)0x200016c4 = 0x80; *(uint32_t*)0x200016c8 = 0x200015c0; *(uint32_t*)0x200015c0 = 0x200004c0; *(uint32_t*)0x200015c4 = 0x2c; *(uint32_t*)0x200015c8 = 0x20000500; *(uint32_t*)0x200015cc = 0x1000; *(uint32_t*)0x200015d0 = 0x20001500; *(uint32_t*)0x200015d4 = 0x28; *(uint32_t*)0x200015d8 = 0x20001540; *(uint32_t*)0x200015dc = 0x4a; *(uint32_t*)0x200016cc = 4; *(uint32_t*)0x200016d0 = 0x20001600; *(uint32_t*)0x200016d4 = 0xb9; *(uint32_t*)0x200016d8 = 0; *(uint32_t*)0x20001714 = 0; *(uint32_t*)0x20001718 = 0x2000; *(uint64_t*)0x2000171c = 1; *(uint16_t*)0x20001724 = 3; *(uint16_t*)0x20001726 = r[12]; *(uint8_t*)0x20001728 = 0; *(uint8_t*)0x20001729 = 0; *(uint8_t*)0x2000172a = 0; *(uint8_t*)0x2000172b = 0; *(uint8_t*)0x2000172c = 0; *(uint8_t*)0x2000172d = 0; *(uint8_t*)0x2000172e = 0; *(uint8_t*)0x2000172f = 0; *(uint8_t*)0x20001730 = 0; *(uint8_t*)0x20001731 = 0; *(uint8_t*)0x20001732 = 0; *(uint8_t*)0x20001733 = 0; *(uint8_t*)0x20001734 = 0; *(uint8_t*)0x20001735 = 0; *(uint8_t*)0x20001736 = 0; *(uint8_t*)0x20001737 = 0; *(uint8_t*)0x20001738 = 0; *(uint8_t*)0x20001739 = 0; *(uint8_t*)0x2000173a = 0; *(uint8_t*)0x2000173b = 0; syz_io_uring_submit(r[4], r[10], 0x20001700, 0xad23946); break; case 24: res = syscall(__NR_fsmount, (intptr_t)r[5], 1, 0x84); if (res != -1) r[13] = res; break; case 25: *(uint32_t*)0x20001740 = r[6]; *(uint64_t*)0x20001744 = 3; *(uint64_t*)0x2000174c = 6; *(uint64_t*)0x20001754 = 0x1000; res = syscall(__NR_ioctl, (intptr_t)r[8], 0xc01cf509, 0x20001740); if (res != -1) r[14] = *(uint32_t*)0x20001740; break; case 26: *(uint32_t*)0x200017c0 = 0; *(uint32_t*)0x200017c4 = 0x20001780; memcpy((void*)0x20001780, 
"\xe7\xbe\xd2\x38\x54\x76\x95\xa7\x89\x57\xb5\x74\xba\xcb\x6d\xbc\x56\x7a\x32\x32\xe7\x65\x59\xb4\xea\x39\x31\xb6\x08\x57\x8a\x24\xda\x4c\x74\x97\x95\x97\x5b\x0a\xe5\x1d\xa8\xa8\x6d\xde\x75\xb1\xd6\x84", 50); *(uint32_t*)0x200017c8 = 0x32; *(uint64_t*)0x20001800 = 1; *(uint64_t*)0x20001808 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x200017c0, 1, 0, 0x20001800, 1); break; case 27: *(uint32_t*)0x20001840 = 0; syz_memcpy_off(r[9], 0x114, 0x20001840, 0, 4); break; case 28: memcpy((void*)0x20001880, "afs\000", 4); memcpy((void*)0x200018c0, "./file0\000", 8); *(uint32_t*)0x20002900 = 0x20001900; memcpy((void*)0x20001900, "\xf1\xfd\x85\xc4\x6a\x07\x34\x5a\x88\x13\x28\x7b\x13\xf2\x1a\x08\x40\x90\x39\x26\xae\xf8\xfa\x2c\xb5\xf6\xe0\x10\xd1\x4f\x70\x30\x37\x67\x97\x11\x5f\xff\x5a\x94\x80\x41\x34\x8d\x82\x7d\xbd\x67\x8e\x20\x92\x8d\xc4\xb2\x24\xe0\xec\x33\xe5\x0b\xf6\x99\xf1\xed\x1e\x39\xdf\x43\xd8\x99\xeb\x1a\x37\xc8\xd1\x16\x31\xe7\xb7\x75\xfc\x82\x61\x19\x01\xef\x7d\xb3\x71\x4e\x0e\xf5\x9b\x98\xd9\xd7\xd9\x11\x4b\xa1\xba\x76\xa7\x2e\xdc\x93\x80\x33\x59\xb9\x99\x4b\x50\x4f\x9e\x77\x90\x37\x5f\xa5\x0f\xce\xab\x9c\x0f\x21\x03\x85\x72\x2f\x2a\x05\x4c\x09\xfe\xcf\x4a\x04\xcc\xfa\xca\xac\x9d\x40\xbe\xbb\x2e\x2b\xcc\x94\x8d\x32\x72\x63\xb0\xfa\x73\x5b\x75\x3f\xa3\x67\xf5\x53\x13\xbd\x6d\xf7\x47\x6a\x99\x61\xbe\xf3\xe5\x80\x6a\xe5\x3b\xf7\x23\x34\x74\xb6\x37\x26\x6e\x9f\xd6\x94\xfb\x30\xa5\x03\xfb\xa0\x53\xc4\x65\x62\x93\x6b\xb3\xb8\xfd\xd3\x8d\xa2\x3e\x72\x25\x86\x8f\x8c\xf1\xe7\xd2\x7c\xac\xb6\x90\x75\x65\x7b\x3c\xa8\x0f\x8b\xe0\xb8\xe0\x43\xdb\x62\x0f\x08\x72\x23\x1b\x8a\x31\x08\xc4\xa1\x0b\x8b\x72\x3b\x64\x6b\x3c\x6d\x5f\x37\x05\x58\x64\x09\x24\xa9\x3b\xa2\x5d\xb1\x74\x6c\xf2\xea\x14\x1b\x03\x85\xac\x0c\xf9\xe7\xac\xc8\xfd\xdd\x8e\xe3\x2f\xb9\x88\x49\x1e\x45\x45\x64\xeb\x14\x2e\xc8\x40\x24\x38\xdd\xb1\xd0\xbe\xd6\xd2\x85\xa2\xa4\x08\xa9\xed\xc5\x27\x76\xe3\xae\x70\x21\xc1\x09\x43\xee\xf0\xaf\x02\x70\x37\x22\x13\x62\x7d\xd4\x25\x3d\x95\xa3\x6a\xcd\x29\xf8\x09\x5c\x64\x28\
xf1\xc4\x6c\x3e\xb2\x12\x27\xd0\x46\x06\xb5\xc9\x22\x54\xe9\xce\x3e\x22\x0a\x8b\x8a\x28\x1c\x8d\x8e\x9c\x83\x07\x9e\xa1\xdf\x4a\x90\xdb\x9f\x08\xa5\x8c\x80\x3d\x8e\xc2\xbf\xcc\x99\xf1\xac\xd5\xf0\x62\x50\x43\xeb\x4a\x83\x17\x9e\x2d\x37\xc0\x76\x57\xe4\xb7\x47\xad\xcb\x09\x79\xa2\x30\xde\xa4\xf0\x79\xf2\x20\x84\x87\x09\xf2\xbb\x38\xc3\x4a\x22\xc5\xb3\xca\xf9\x4a\x02\xfc\x5f\x1c\x4d\x01\x3c\x16\x5a\xbf\x74\xbe\xd9\xd0\x28\xa5\xd8\x4e\xc1\x50\x37\x7f\x49\x8e\xe0\xe2\xa8\x6b\xf0\x4b\x97\xee\x40\xaf\x98\x82\xbf\xad\xec\xf5\xe1\x25\xfc\x90\x9d\x25\x0d\x92\xa3\x11\x66\xd6\x11\x21\xb5\x36\x45\x24\xb6\x35\x1e\x0b\x6a\x66\xdc\xde\xeb\x52\x49\xeb\xab\xb8\x65\xf1\xf4\xa1\xa8\x0a\xda\x5d\x69\x5d\x3a\x37\xb2\x14\xc9\xf0\xd9\x25\x07\xdb\x1b\x8d\x80\x8a\x96\xf0\x89\x02\xef\x8c\x97\xe2\x2b\x75\x49\x75\x38\xf5\x4f\xf9\x44\xa1\x91\x42\xb6\xae\x1b\x86\x36\x50\x0e\x2f\x39\x20\xa3\xab\x34\x1d\x8d\x1d\xb2\x2d\xc6\x4e\x1d\x68\x38\x21\x62\xb4\x89\xea\xad\xe6\x68\xba\x38\xe6\xe7\xec\xf6\x16\x26\xc7\x19\x37\x8a\x8e\xbf\x08\xec\x3d\x5d\xa6\x71\x64\x61\xe2\x06\x86\x9b\x33\x5c\xcb\xaf\xbc\x73\x64\x99\x83\x79\xd8\x94\xb9\xc6\x04\x41\xd9\x87\x97\xef\xf0\xd0\x4c\xe3\xfb\xf4\x19\xeb\x9c\x5c\x77\x8d\xbd\xc6\x03\x1b\x19\xfe\xa1\x3a\xdf\x11\x1d\xd4\x96\x28\x09\x3d\xa4\x1c\xe2\x52\x59\x5e\xa3\xd0\xb6\xdd\x96\x36\x4f\xe2\xe3\x75\x04\xbc\x66\x17\x04\x4f\xf1\xd0\xd2\x7f\x75\x9d\x1f\xaa\x8a\xe8\x54\xa1\x72\xda\x0b\x22\x73\x05\xbc\x63\x0a\x46\xb8\xe5\xbb\x9f\x8a\xa4\x0b\x95\xa4\xb6\xd5\xc3\x7b\xdd\xd0\x96\x8e\x19\x2d\x57\x24\x20\x78\x43\x4f\xde\xf9\xaf\xdc\x8f\x18\x39\x7d\xf1\xca\x6e\x76\xbd\xc7\x18\x45\xfb\xa2\x81\x8e\xf8\xf1\xc1\xdb\xf0\xa9\x2d\xde\xe3\xc8\xc1\xcf\xdd\xfb\x64\x43\x94\x19\xe6\x3f\x98\x11\xab\x5d\xaf\xd1\x5b\x2f\xf2\xa9\xc0\x41\x33\x16\x51\xc7\xaf\xe7\x86\x28\x75\xbf\x99\x61\x80\x6f\xac\x69\x4b\xef\x5f\x78\xfb\x9c\xd6\x4c\x33\x84\x86\x37\x44\x4e\x67\x52\x20\x03\x95\xe3\x73\x1d\x02\xdb\x34\xc2\x1f\xca\x31\x1d\x33\x9e\x81\x97\x32\xed\xe1\x83\x94\xb4\x5c\x4c\xbb\xbf\xfd\x45\xfd\xf5\x08\x28\x5d\
x26\xda\x5b\x3c\xed\xe6\x92\xaf\x4e\xf2\xf4\x2c\x73\x4b\x52\x28\x64\x75\x5d\xcd\x71\x9c\x93\xb2\x68\x43\x8f\x9b\x0f\x1a\xdd\x57\x4c\xf7\x21\x89\x21\xdf\x68\xc4\x96\x68\x3c\x62\x76\x11\x5c\x07\x4d\x42\x0f\x23\x86\x1e\xeb\x82\x03\x1e\x99\x8c\x08\x33\xd1\xcb\xbb\x5b\x33\x4a\x13\x60\x6a\x0b\xc4\x06\xc4\xc8\xb1\xc2\xbf\x8d\xf5\x57\x32\x4d\x2c\x94\xcb\xe4\xc2\x90\x80\xb6\x32\x34\xb1\xbb\x74\xe5\x85\x4e\x42\x2e\xb4\x6f\x73\x69\x78\xe2\x94\x3e\xbd\x28\xaf\x46\x7b\xd0\xee\x09\x6b\x95\x2f\xf5\xf0\xb2\x28\xc7\xef\x94\x6f\xd4\x72\x49\x3b\x0e\xac\xa9\x37\x84\x01\x66\x9f\x1b\xe6\x75\x23\x0e\x56\xbc\x19\xe4\xec\x12\x34\xfc\xb4\xea\x12\x2d\xd2\x04\x83\x01\x09\x68\x9c\xad\x7e\x3d\x70\x2a\xb3\xe9\x2e\x59\x01\x6a\x64\x0c\xce\x4e\x1e\x57\xd6\xe9\x45\x56\xe7\xee\x1f\x7c\x58\x63\x09\x04\x4b\xdc\xa4\xa7\xb2\xce\xbb\x4b\x3f\xab\xfd\x57\x8e\xd6\xc6\x85\x89\xb8\xaf\xcd\x4d\x0e\x5a\xb1\xb7\xee\xf6\xf8\x2c\xd2\x08\xe3\xec\xe7\x6e\x3b\x73\x33\x1f\xba\x03\xfb\x54\x47\x01\x29\x92\x74\x10\x42\x10\x6e\xd7\xd3\x86\xa1\x43\x3f\xe8\xd4\xc6\xbc\xe8\x22\xff\x8f\xfe\x1b\x38\x2a\xa7\x12\x47\x31\xa9\xad\x6e\x1a\x52\xc7\x82\x66\x17\x4a\x4f\xef\xe9\x86\xa5\x08\xf6\x64\x25\x77\x30\x3f\x91\xea\x4e\xfb\x32\x84\x3c\x6b\x33\x1b\x32\xf2\x45\x53\xa0\xc1\x30\x16\xd9\x1a\x23\x0a\x55\xd8\x1f\xeb\x7d\xfc\x48\xad\x15\x7c\x7c\x2f\xc6\x32\x53\x08\x10\x21\xd1\xc6\x53\x56\x51\x39\x03\xdd\xbd\xe8\xd3\xfd\x0d\x51\x74\x7f\x3e\xaa\xaf\x9d\xb9\xd6\xb4\xbd\x70\x69\xd8\xba\x53\xd4\xd1\x00\xee\x27\x27\x97\x95\x94\xc2\xfa\x80\xb9\xaa\x0e\xdd\x70\xe3\xd7\x02\xfb\x5b\x6c\xd2\x77\xee\xb4\x87\x55\x58\x86\xf8\x5b\x65\x7c\xd9\xeb\xa6\x41\xb2\x8b\xf1\xe7\x62\x30\x0f\x3e\x29\xc5\xa8\xd8\xbf\xe0\x77\xbd\xef\x7c\x9e\x2c\x4c\xfa\xd8\xfc\x36\x46\x70\xd7\xcd\x6a\xc7\xa8\x63\x22\xe6\x67\x76\x0e\x24\x03\xc4\x83\x8d\x61\xfa\x86\x69\xa4\xf6\x21\x14\xee\xf4\x23\xf0\x91\x32\xe2\x0b\xb9\x5b\xa3\x52\x2a\xc3\x10\x49\xc4\xa3\xd5\x81\xaf\x3c\x57\x84\x91\x0f\xba\x88\xcd\xee\x1c\xef\xf4\xdd\xae\xd8\x27\x11\x9c\xed\x53\x61\x94\x7d\x0e\x31\xa9\xc4\xd2\x52\x63\
xa5\x36\x54\xb8\x2f\xc1\x3b\x91\xf4\x45\x08\xdd\x19\x3c\xa1\xef\x26\xd9\x30\xa6\xb0\x81\x05\x86\xd4\x02\xba\x05\x54\xfa\xce\x5c\x3e\xd0\x77\x67\x1d\x50\xd2\x88\x65\xbf\xff\x35\xca\x3a\x4d\xab\xdb\xd6\xe3\xb0\x70\x59\x32\x0f\x53\xe5\xc4\x9d\x73\xcc\x16\xdd\x1e\xd2\x81\x6a\xc9\x8a\xd3\x85\x3c\x36\x88\x29\xc7\xbe\xc4\x0c\x4a\x9b\x39\xee\x3b\x73\x0b\xbd\x6c\x15\x2f\x35\x8e\x99\x11\x30\x8c\x12\xed\x12\x06\x56\x1f\xc7\xcf\x7c\xb4\x77\x14\x5f\x1a\xaa\xce\x66\xac\x5c\x44\x68\xac\xb2\xf6\x01\xc6\x1e\x4b\x11\x8b\xe2\x05\x6b\x6d\xbc\x18\x60\x9b\xfd\x41\x05\xee\xe1\x8b\xe3\x84\xa1\x99\x13\xd2\x74\xd9\x20\x39\x79\x0c\xb8\x74\x20\xb9\xfd\xd7\x0e\x73\x43\x09\xfc\x7a\xfe\x09\xe1\x1f\x78\x0d\x6e\xe6\x24\x31\x75\x90\x7a\x4a\xee\xcb\x6c\xa0\x70\xa3\x37\x4b\xe5\xd3\xd0\x7a\x78\x8e\xa4\xe1\xf9\xd6\xf1\x8e\xff\x9e\x79\x64\xd7\x07\x6c\xb5\xb9\x3c\xd9\x73\x38\xec\x05\x44\x8e\xc5\x27\xcc\xa6\x67\x90\xbf\xe3\x2c\x5b\x26\x62\xd7\xfc\x6b\x83\x6b\x41\xbf\x32\xe5\xbc\x0d\xdf\xe4\x2d\x59\x73\xdb\x86\xf8\xae\xd5\x6e\x43\x11\x2b\x45\xb0\xf7\x92\xc5\x39\x45\x99\xa1\x3e\x73\xc2\x50\x12\xb5\xaa\xcd\x3a\xef\x11\x24\x73\xc4\xe2\xe3\xab\x6a\xeb\xf5\xaf\x6d\xe9\xe7\x8a\xc0\x47\xfc\xc2\x76\xfd\x97\x6f\x25\x02\x2c\x65\xc3\x0a\x9f\xd6\x72\x03\xf1\x9e\x33\xb3\x5c\xfb\xcf\xdf\xf3\x95\xc5\xbb\x53\xf2\xfd\x79\x28\xe4\x3e\x62\x28\x47\x28\x07\x80\xb8\xcc\x81\x5f\xb4\x85\x18\x91\x05\xa1\x24\xcd\x86\x27\xcc\x3d\x5f\x1a\x9d\xd8\x00\xd4\x7a\x22\x6e\xbf\x90\x7e\xb2\xf4\x91\x33\xd1\x17\x58\x8d\x28\x0f\x4c\xc4\x3d\x95\x25\x4d\x88\xc8\x75\x3d\x96\x07\x3f\x97\xc5\x31\xf5\x1e\x55\x96\xe2\xe9\x71\xa2\x16\x1b\x78\xf7\x5e\xdc\xfb\xd9\xde\x38\xf0\xa9\x28\x4b\x7c\xce\xef\x87\x59\x8f\xa3\xbc\xfa\x5d\xbc\xbd\x1d\x28\x4c\xf8\x0c\xb7\x75\x54\x65\x89\x9d\x36\x2d\x9e\x40\xc6\x4c\x1a\x1e\x4c\xc4\x5c\x38\x71\xb2\x10\x4c\xa4\x0c\x05\x72\x9d\xcc\xbf\x6d\x0a\x17\x50\x0e\x5d\x0d\xff\xa3\x44\x3a\x52\x33\xe2\x79\xb2\xf9\xc5\x18\xb6\x97\x34\x0d\x26\xd2\x87\x26\x60\xc7\x1a\x49\x57\x10\xee\x00\x9f\xfb\x98\x9e\xbb\x5b\xef\xe5\x17\x69\x25\xb7\x8c\
xde\xb1\xe8\x11\xc5\x1e\xcd\xb0\x1a\x47\xec\x1d\x1d\x0e\xf2\x02\x4c\x9a\x66\x6f\x6b\xc5\xeb\xe1\x3e\x77\x3f\x89\xf4\xc8\x0b\xaa\x1d\x66\x0c\x05\x1c\x26\x72\xf9\x1c\x21\xdb\x5f\xf2\xd5\xa7\x01\x26\xdc\x69\x14\x0e\xe2\x16\xc4\x5b\xdd\x0a\x7b\x52\x79\xde\xce\x2f\x58\x3b\xc2\x4f\xc6\x3c\xae\x88\xae\x75\x57\x22\x40\x48\x23\xc5\xc2\x16\x84\x9d\xcd\x10\x85\xba\x99\x02\xcb\x24\x8a\xc5\xd1\x92\xc3\xbd\xc5\x37\x39\x2a\x7c\x9e\xd3\xc3\x59\xbb\x6d\x49\x34\x62\x5f\x5f\x7a\x6d\xd5\x1b\x78\x57\x3f\xc7\x26\xad\xab\xc9\x1f\x41\x96\x05\x86\xf6\x4c\x39\x26\x11\x26\xea\x67\xdf\xc3\x2c\x5a\xe5\xf7\xd6\xed\x88\x74\x73\x60\x41\x8d\x42\xa0\x08\xd9\xcf\xc5\xef\x15\xf9\xc5\x88\xdb\xb9\xec\xc3\x74\xba\x19\xab\x60\xa3\xba\x33\xfb\xd1\xb8\x04\x77\xb0\x20\x4e\x67\xc8\x45\xf9\xf6\xab\x58\x9c\x58\xb5\x78\xcc\xa5\x8a\xf3\x22\xae\x66\xb9\xb1\x2e\xd9\x53\x70\x3d\x13\x93\xd8\xec\xe9\xc6\x70\x66\x4f\xdb\x6b\x1f\xfa\x10\x27\x1a\xbc\x0e\x51\xd5\x7b\x59\x10\x2e\x26\x40\xbe\xa0\x9e\x91\x12\x94\xc3\x5a\xbc\x86\x16\x99\x0a\x57\x29\xbf\x73\x9a\x8e\x22\x77\x4a\x68\x0d\x57\x70\xb8\x58\xb9\x32\xfe\x59\x5b\x73\x22\x32\x8a\xe7\x92\x07\x8a\xd2\x8d\xb4\xd5\x4c\xbd\x7c\x98\x68\xfc\xbe\x6e\xed\x0b\x0a\xa7\xb7\xab\xbf\xb1\xb8\xef\xce\x2d\xd5\xc1\xe2\x9b\xac\x66\xab\x7f\x80\xfe\x7a\x65\xd2\xda\x18\x38\x66\x0e\x94\x06\x6a\x6b\x2e\x3b\xdb\x89\x7e\x55\x1b\xc0\x37\xd7\x79\xdb\xb6\xcb\x9b\xdc\xa7\x03\x0e\xf8\x22\x6b\x96\x8d\x5a\x85\x7c\xb4\x24\xa9\xbd\x71\xec\xf3\xe0\xdf\x3b\xca\x6b\x91\x95\x90\x5e\xd0\x5e\x73\xd0\x36\x7f\x16\x49\xee\xd5\x49\xd9\xc3\xd4\x7e\x2f\x31\x2c\x17\x0d\xc9\x4a\x70\x1d\x42\x04\x60\xe1\x00\x0e\x23\x70\x21\xc6\xb7\xb1\xbc\x08\xb3\x5c\x10\x43\xc6\xe8\x99\xed\x58\x7e\xf7\xdf\xb6\xe1\xc7\xb6\xe1\x1e\x3a\x2f\xb4\x34\x8a\xbc\xc9\xed\x18\x31\xee\x37\x3d\x00\x45\x40\xa7\x3a\x4c\x78\xf9\xd3\xab\xb1\x01\xc7\x87\xba\x23\x9d\xf6\x63\x92\x4e\xf8\x4e\x3b\x43\x68\x68\xb6\x3c\xd7\x4f\x4d\x47\xac\x9e\xbc\xe3\x81\x4b\xbd\xb3\x7e\xee\xc3\xfe\xa1\xf9\x06\x88\xd1\x6f\xf3\x28\x5d\x35\x97\x45\xf9\xc1\xb6\xdc\xfa\x98\xbc\xd3\
x2a\xca\xcc\xd9\x35\x0c\x07\x05\x79\xaf\x49\xc6\xdd\x8e\x62\xb3\xe1\x16\x16\xb9\x56\x05\xb5\xe6\x7c\x90\xc3\xdb\x1b\x83\x01\xde\x61\xbd\xfa\x55\x8e\xe6\xd1\x3f\x20\xa7\x8d\x40\x7e\x4f\x44\xca\x79\x3c\xe3\xd9\x58\xe1\x52\x2f\x1a\x64\x27\x6a\xc8\x86\x3d\x1a\x68\xb5\xb6\x4e\x03\xec\x0b\x22\xb0\xa7\x87\xbb\xa7\xb4\x62\xfd\xdf\x8d\xa7\xd1\x01\x8b\x32\xa1\x32\x82\xbd\x1e\x83\x06\x0a\x67\xc7\xda\x96\xe4\x6e\x3b\x32\x2a\x5d\x8e\x05\xba\x67\xb3\xac\xa1\xc5\xd1\xbf\x13\x6a\x57\xb3\xaa\x68\x77\x7f\x00\xbf\x10\x2d\xdd\xb1\xde\xc2\x1d\xb3\x09\xf4\x85\x5d\x9c\x08\xed\xc5\x80\xd6\x52\xa6\x89\x42\x0b\xf6\x25\x38\xb5\xaa\x26\x30\x57\x09\x81\x21\xd8\x2d\x87\xe2\x9e\xe2\x6b\x5d\x52\x88\x02\x3e\x50\x1f\xf2\x73\x0b\xce\xf0\x0b\x98\xf1\x3c\x40\xbc\x2d\xa1\xa1\xbc\xa1\xcd\x66\x64\x84\xf1\xa3\xf5\xc8\xb6\xff\xaf\x46\x8f\xbe\xaa\xf5\xab\xfd\x74\x39\x6f\xbc\x46\x0e\x0f\xd2\xb4\x40\xf5\xe5\x63\x27\xe6\x34\x90\x73\x11\xdc\xe9\x8e\xc0\x75\xe9\xee\x32\x87\xf7\xd2\xdc\xd6\x44\x93\xe5\xc5\xce\x09\x6b\xb2\x9d\x77\xaa\x49\xa9\xf6\x77\xe6\x8e\xfd\x44\xcf\x35\xb5\xa0\xd6\x9f\x1e\xc8\x87\xa5\xf1\xf3\x5e\x44\xaf\xe3\xb6\x90\x4e\xf0\x26\xb3\x65\x1c\x69\x7d\xc2\xaf\x46\x66\x2b\x92\x36\x64\x20\x1e\x4b\xae\xdc\x28\xe8\x5f\x33\xd0\xfc\xce\x83\xec\xb0\x1d\x04\xf5\xa0\x82\x6d\xf9\xfb\xfe\x7d\x92\xe3\x1d\xb7\x62\x02\x53\x3f\xa8\xbd\xbd\x4f\x14\x74\x4f\x84\x85\x94\x8f\xf0\xe4\x0e\xc7\x7d\x2a\x2c\xca\xc3\x4f\x38\x9a\x4f\x6b\x0e\x1f\x84\xf5\x27\xb1\x28\x2b\x4b\xa5\x3c\xc0\xa5\x34\x68\xeb\x13\x62\xd8\x7f\x33\x4f\x17\x6d\x94\x8d\x9d\x7f\xc1\x90\xa1\xfa\xbb\x36\x74\x53\x85\x94\x5f\x27\xd4\x4c\x13\x64\x36\xee\xed\xca\x1a\xd4\x94\x5c\x9d\x73\xd6\xa2\xd7\x22\x5a\x1f\x7f\xa4\x9a\x2b\x2b\x56\xd3\xa4\x03\xa8\xdd\xd0\x3d\x70\x1b\xb8\xba\x36\xc2\x75\xb0\x5d\xb3\xb6\x06\x38\xb9\xa2\xa2\x34\xcb\x63\xb8\x09\xeb\xfc\x9a\x77\x1a\xc7\x12\x76\x2f\x7e\x96\xc5\x38\xe1\xc5\x4a\x79\x12\xb9\x59\x44\x63\x2d\x6d\x60\x59\x4b\x90\x0e\x17\xee\x32\x7b\x2b\x2b\x13\xbe\x28\x44\x06\x1f\xd1\xe3\x50\xe4\x71\x21\xfd\x71\xf1\x30\xa5\xae\xb5\x15\x3c\
xcb\x8e\xce\x99\x59\x0f\xf9\x3e\xa9\x8e\xe5\x89\xa0\xa4\x28\x8b\xb6\xa3\x59\x0b\x1c\x6e\x89\x00\x8b\xbd\x2d\xc7\xad\x38\x74\x83\x69\x40\x5c\x9f\x8c\x37\xfa\x75\xdd\x2f\xf4\xa3\x84\x56\x1d\x03\x09\x48\xc3\xd1\x64\x66\xe4\xf0\x37\xe5\x4d\x3d\xca\xbd\xe0\x2f\xb3\x5c\x62\xb3\x16\x92\x65\xc0\xaf\x80\x18\xa8\x6c\x3f\xcf\x32\x68\xc1\xa9\x1e\x71\x31\xf8\x9c\xf7\x84\x1b\xb5\x8c\xab\x8a\x5f\x89\xd7\xed\xb6\x7f\x05\xf1\x6f\xe8\x40\x59\xbe\x5a\xbd\xbe\x44\xd3\x85\x2f\xa5\x79\x0c\x16\x16\x28\xb2\x1e\xef\x35\x9a\xaf\x7d\xb7\xde\x11\xc8\x35\xff\x9c\xc0\xb8\x6a\xc9\x75\x1f\xd2\xd5\xc1\x35\xe8\xac\xb4\x35\x2b\xc0\x3f\xdf\xe6\xc4\x34\x73\x58\x2c\xde\x76\xb1\x57\xee\xb0\x3a\xcf\xff\x74\x2b\xe5\x83\x8a\x4a\xab\xa1\x60\xe1\xc5\x88\xc9\xe1\xda\x27\x58\xfc\x29\x0a\xe3\x7a\x76\x05\x34\x0f\x72\x6f\xf3\xd8\xd7\x3d\x3d\xcc\xdc\x77\x37\x49\x9b\x74\x73\xec\xcc\x00\xc3\xd0\x1d\x20\xbd\x98\x9e\x60\x49\xd9\xda\x7d\xce\xe2\x29\xfe\x3d\xb7\xe2\x84\x5b\xa6\xef\x6b\x38\x06\x80\xe0\x77\x54\xdf\xa9\x2d\x16\x05\xb3\xb2\x52\x7e\xd1\x9d\x01\x33\x3b\x2b\x58\x86\x8d\x76\x14\xc9\x2b\x7f\x93\xc9\x5e\x2c\x90\x54\xf7\xa7\x28\xe0\x56\x9b\x98\x60\x18\x31\x1d\x9a\xb3\x79\xac\x3d\x19\xc7\xf6\x5f\x87\xac\xbd\x2a\x2b\xcd\xf1\x22\xb1\xb9\x50\x2d\x3c\x3a\x69\xef\xa3\x2f\x4b\xe1\xef\x20\xda\xa4\x2e\x13\x40\x9d\x2b\x12\xdb\xfd\x03\xc6\x4a\xca\x0b\xd6\x6c\x76\xc0\x4e\xa6\xa7\x6e\xf0\x29\x46\x50\xe5\x9e\x8a\x37\x9c\x85\xc5\xac\x8e\x31\x0e\xd9\x9e\x1a\x5f\x20\xc9\xbb\xdb\xee\x13\xde\x12\x18\xf9\x5b\xe0\x40\xff\x5f\x76\x0c\x7f\x07\xab\xe3\x62\x46\x85\x08\xa2\x11\x4e\x0c\x34\xf9\x38\x95\xc1\xe2\x8a\xd8\xc5\x6f\x19\x49\x81\x6c\xff\xd0\x9c\x02\x8d\xee\xf0\x1e\x5f\xcf\x91\xb4\x38\x4c\x62\xd0\xef\xd9\xb7\xd6\x6b\x1a\xae\x30\x2a\x3e\xd2\xc3\x03\x7c\x96\x75\xac\x6c\x86\x33\x6f\xa6\x03\x25\x8a\x53\x84\x09\xba\xd5\x67\x98\x11\x28\xcb\x8c\xab\x88\xd7\x02\x7b\x2a\x92\x67\x1c\xad\x00\x0a\x2c\x9f\x31\x7f\xb4\xae\x30\x98\x0d\x3f\x28\x51\x2f\xb5\xf6\x6a\x98\xb2\xe2\x07\x7a\x6a\x7f\x84\x61\xbf\x1a\x78\xcf\x12\xb3\xce\x6e\x3a\xa4\xa2\x2f\x3c\
x63\x73\xa5\xd0\x4f\x76\x7b\x83\xc7\xd5\x7a\x56\x83\x4f\x76\x39\xc9\xac\xbb\x9f\xde\xde\xa8\x52\x76\xa0\xaa\x10\x0b\x68\xc8\xa2\x46\x31\x4a\x8c\xa0\x2f\xf0\x7d\x15\x32\xc9\x0d\x9a\x4a\x5d\xac\xba\x53\xa2\x4c\x14\xcb\x94\xb5\x7a\x8c\x23\x6c\x98\x5e\xbc\x98\x69\x71\x08\xa4\x3e\x87\x4b\x67\x15\xe6\xbe\x8d\x96\x85\xfa\xfd\xba\x1d\x7e\x5d\x1b\x4c\xed\x62\x56\x58\x47\xbd\xfc\xf6\x2b\xe1\x75\xe8\x48\x3c\xfd\x07\x11\x24\x76\x64\xe2\x73\xfc\xbe\xc2\x9f\x60\xde\xdd\x34\xc6\x81\x0f\x66\x50\xb6\xbd\xc4\x7d\xf7\x26\x7b\x8f\x53\xbc\x66\xac\x41\xa5\xc0\x50\x6e\xdf\x4a\x80\x5c\xff\x03\x43\x79\x7c\x88\x12\x56\xea\x09\x5f\xbf\x14\x57\x54\xf7\xcb\x9d\xfb\xa6\xd3\xc2\xbd\x12\xac\xe3\x07\x62\x9c\xb2\x2d\xfe\xb5\xa4\x81\x55\xde\x0e\x50\xa9\x5d\xa5\x8b\x32\x02\x58\x9b\x60\xf5\xdd\x4c\xa6\xcd\x22\xc2\xed\x78\x8f\x27\x21\xd5\x35\x43\x74\xe9\xef\xac\xf4\x94\x72\x94\xdd\xc8\x14\x92\x25\xdc\xe5\xad\xfb\x32\x25\x95\xed\x18\xa4\xdc\xb0\x56\x51\x48\xb0\x87\xe3\x7d\x42\x47\xea\xae\xcc\x58\xc5\xaa\xf1\xc6\x4e\x87\xcc\x2c\xce\x9b\x8e\xbc\xaf\x96\x3f\xc4\x41\xa6\xdf\xac\x42\x6b\xe0\xac\xe4\xec\xfb\x91\xdf\x77\x32\x72\x1a\xfb\x34\xf9\x05\xce\x73\x77\xdb\x38\x49\xd7\x40\x1b\xa3\xd3\x14\x9c\x08\xe9\x8b\xcd\xec\xa6\xde\x20\x7e\xd8\xbc\x7b\x1d\x6e\x88\x59\x7d\xa6\x28\xc6\xb0\xa7\x3c\xf9\x67\x4a\x20\x7d\xd8\x74\x5f\xe5\xb3\x2b\xdd\x8f\x55\x09\xf1\x4f\xc1\x5c\xf9\x50\x4b\xf6\x63\x4b\x2d\xf2\x83\x6e\x95\xc7\x36\xe2\x76\x2f\x27\x14\xbf\xd1\x30\xaf\x99\x1d\x8b\x64\x8a\x93\x72\x15\x83\x83\xa2\xf5\x3e\x14\xc7\xcf\xc7\x66\x3d\xb5\xca\x5c\x8a\x9c\xdd\x15\x5e\x38\xc1\xf7\x0e\x51\x61\x35\x88\x12\x8d\xd0\x85\xbb\xdd\x7e\xd2\x39\xb9\x7e\x89\x58\xce\xf3\x5f\x11\x7e\xab\x19\xb3\x70\xff\x2e\x4e\x25\x68\x9d\x62\xb6\x84\xfd\x4a\xfc\xeb\x26\x32\x51\xfa\x92\xe8\xc6\xb2\xaa\x2e\x34\xd3\xfb\x8a\xae\xd1\x8c\xdc\x73\x4f\x9b\x42\x0c\x8d\x7b\x93\x15\x55\xeb\xd7\x99\x0c\xa0\x73\xfb\x81\xbe\x98\x27\x94\xe0\x00\xd5\x05\x72\xeb\x07\x61\xd4\x95\xba\x80\x68\xf6\x57\xd7\xf7\xb9\x19\xe6\x6a\x25\xe0\x32\x11\xdf\xe6\x90\xf4\x08\x1f\xc5\xde\
x14\xf5\xf9\xd8\xbe\x47\x80\x24\xe6\x0a\x31\x38\x08\x0d\x9c\xe9\x7a\xe2\x3e\x29\x1e\x77\xa6\xe4\xa5\x07\xa9\x6a\xe0\xc0\x7d\x96\x04\xa9\x5b\x43\xb8\x17\x4c\x33\x17\x5b\xa2\x95\x05\x01\x86\xf7\x23\xb5\x0a\x60\x9e\xe0\x9b\x42\x67\xe4\xd2\xaf\x42\x96\xce\x65\x7b\xb8\xb5\xe9\x96\xf9\x8b\xd7\x5e\xd4\x2d\x09\x54\x89\x5d\x97\xd9\x88\x32\x9d\x92\x5f\x62\x89\x44\x74\xd1\xca\xa5\xde\x98\x8e\xd7\xb5\xc6\xde\xac\xfd\x90\xad\x94\x7e\xfe\xbf\x6c\xf6\x1b\x45\xd9\xc7\xb1\xba\x59\xe9\xec\x4b\x85\x59\xaf\xf8\xd3\xd0\x5f\xb0\x0f\x57\xec\x94\x2b\x0e\x9b\x9f\xdb\xde\x26\xca\xd3\x40\xcb\xb4\xf7\xc0\x44\x7b\x70\x7e\xd8\xf6\xd4\xf9\x89\xd0\xb1\xda\x0d\x0c\xda\xe6\x17\xb0\x14\x36\xfa\x68\xe3\x77\x75\xe8\x44\x41\x5e\xbd\x11\xa3\x35\x08\x46\xcf\x0b\x41\x9f\xad\x6d\xb9\x4c\xcc\x82\x83\xe9\x50\x19\xdb\x55\x91\xb9\xe8\x1c\x5d\x32\x70\x7b\x30\x02\xaf\xb2\x40\x58\x49\x5f\x6c\x21\xcd\x4b\x9e\x12\xaf\x7a\x1f\x40\x54\xfd\xa3\x7b\xa6\xa2\x94\x5e\x89\x98\x99\x76\x10\x12\x54\x8e\x41\x22\xa6\x95\x56\xe0\xca\x51\xe2\x31\x94\xbd\xc4\xe2\x72", 4096); *(uint32_t*)0x20002904 = 0x1000; *(uint32_t*)0x20002908 = 9; memcpy((void*)0x20002940, "flock=openafs", 13); *(uint8_t*)0x2000294d = 0x2c; memcpy((void*)0x2000294e, "dyn", 3); *(uint8_t*)0x20002951 = 0x2c; memcpy((void*)0x20002952, "autocell", 8); *(uint8_t*)0x2000295a = 0x2c; memcpy((void*)0x2000295b, "dyn", 3); *(uint8_t*)0x2000295e = 0x2c; memcpy((void*)0x2000295f, "flock=openafs", 13); *(uint8_t*)0x2000296c = 0x2c; memcpy((void*)0x2000296d, "source", 6); *(uint8_t*)0x20002973 = 0x3d; memcpy((void*)0x20002974, "&", 1); *(uint8_t*)0x20002975 = 0x2c; memcpy((void*)0x20002976, "source", 6); *(uint8_t*)0x2000297c = 0x3d; memcpy((void*)0x2000297d, "SEG6\000", 5); *(uint8_t*)0x20002982 = 0x2c; memcpy((void*)0x20002983, "smackfsdef", 10); *(uint8_t*)0x2000298d = 0x3d; memcpy((void*)0x2000298e, "SEG6\000", 5); *(uint8_t*)0x20002993 = 0x2c; memcpy((void*)0x20002994, "smackfsdef", 10); *(uint8_t*)0x2000299e = 0x3d; memcpy((void*)0x2000299f, "SEG6\000", 5); 
*(uint8_t*)0x200029a4 = 0x2c; memcpy((void*)0x200029a5, "subj_user", 9); *(uint8_t*)0x200029ae = 0x3d; memcpy((void*)0x200029af, "SEG6\000", 5); *(uint8_t*)0x200029b4 = 0x2c; memcpy((void*)0x200029b5, "smackfstransmute", 16); *(uint8_t*)0x200029c5 = 0x3d; memcpy((void*)0x200029c6, ":", 1); *(uint8_t*)0x200029c7 = 0x2c; memcpy((void*)0x200029c8, "seclabel", 8); *(uint8_t*)0x200029d0 = 0x2c; *(uint8_t*)0x200029d1 = 0; syz_mount_image(0x20001880, 0x200018c0, 5, 1, 0x20002900, 0x20005, 0x20002940); break; case 29: memcpy((void*)0x20002a00, "/dev/i2c-#\000", 11); syz_open_dev(0x20002a00, 0xad8, 0x2a2000); break; case 30: res = syscall(__NR_ioctl, -1, 0x5429, 0x20002a40); if (res != -1) r[15] = *(uint32_t*)0x20002a40; break; case 31: memcpy((void*)0x20002a80, "net\000", 4); syz_open_procfs(r[15], 0x20002a80); break; case 32: syz_open_pts(r[13], 0); break; case 33: *(uint32_t*)0x20002e80 = 0x20002ac0; memcpy((void*)0x20002ac0, "\x7a\xd3\xcd\x80\x2d\xd0\xc4\x24\x94\x5d\x99\xca\x9c\xa6\xe4\xfb\xb8\xf8\xe3\xb9\x80\xd2\xec", 23); *(uint32_t*)0x20002e84 = 0x17; *(uint32_t*)0x20002e88 = 0x1000; *(uint32_t*)0x20002e8c = 0x20002b00; memcpy((void*)0x20002b00, "\x32\x9d\xe8\x0b\x2b\x17\xbb\xd2\x5d\x1f\x19\x07\xa9\x26\x3a\xf3\xbf\x05\xc4\xa7\x06\x1e\x28\x49\x2a\x3f\x71\xc6\x34\x3a\xa5\xaa\xea\x03\x27\xa3", 36); *(uint32_t*)0x20002e90 = 0x24; *(uint32_t*)0x20002e94 = 5; *(uint32_t*)0x20002e98 = 0x20002b40; memcpy((void*)0x20002b40, 
"\x82\x79\x1d\xfd\x31\x1d\x07\xdb\x7d\x65\xe8\x03\xce\x6c\xa0\x00\x28\xaf\x8f\xf8\xd2\x76\x18\x7e\x0e\x14\xbb\xf7\xbe\xab\x60\xfc\x4b\x70\x72\x2e\x91\xb6\x32\x2b\x8e\x34\x72\x19\x1a\x66\x17\x6b\xb0\xca\x91\xde\xe6\x0f\x15\x06\xa6\xd4\x8b\xe4\x05\x52\x30\xc3\x0b\xe9\x4a\x10\x43\xa1\xd2\xa0\x6d\x42\x16\x60\x69\xd8\x03\x3d\x6c\x52\x4c\x86\x10\xb8\xc4\xbb\x63\xaf\x0c\xe6\xd6\x20\x71\x37\xf1\xbe\x1b\x62\xb0\x02\xe8\xc3\x5e\x64\x67\xc2\x42\x3c\xc6\x59\x7d\x1c\xa5\x8e\xe3\x15\x89\xf0\x24\x8a\xc7\x62\xe2\x4a\x28\x6a\x41\xa7\x61\x91\x2d\x34\xbb\x56\xf0\x7d\xb8\x8c\xa5\x2f\xce\x8d\x12\x87\x62\x39\x4f\xa0\x0f\xaa\xc8\x45\x1a\x42\xc3\x14\x4b\xde\xc7\xe9\x72\x96\xc9\xea\xc7\xc9\xf6\x31\x10\xa3\xd4\x05\xc1\x6b\x04\x28\x88\x00\x24\xe8\xc9\xc8\xaf\x49\x0b\x8c\xfa\xd8\x4c\xbb\x63\x78\x78\xd6\x34\xcd\x84\x34\x6b\x60\xc9\x13\x2c\x09\x66\x0c\xdc\x61\x6a\x0b", 212); *(uint32_t*)0x20002e9c = 0xd4; *(uint32_t*)0x20002ea0 = 0x7fff; *(uint32_t*)0x20002ea4 = 0x20002c40; memcpy((void*)0x20002c40, "\x90\x4b\xbc\xee\x2b\x46\xda\xa1\xac\x64\x3b\x7b\x6b\x8e\xa0\xff\x46\x2f\xea\xbe\xe5\x41\xb4\x11\xa8\x85\xe4\x70\xa4\x96\xcb\xbd\xc7\x29\xff\xde\xbc\x50\x80\x7f\x71\x9c\xbe\x80\x8d\x8b\x59\x8b\x47\x67\xc7\xa8\x52\xd9\xce\x0c\x88\x0a\x9b\x07\x8b\x01\x87\xde\xac\x92\x6b\xd4\x68\x7a\x44\xf0\x92\xbb", 74); *(uint32_t*)0x20002ea8 = 0x4a; *(uint32_t*)0x20002eac = 5; *(uint32_t*)0x20002eb0 = 0x20002cc0; memcpy((void*)0x20002cc0, 
"\x35\x31\xae\x25\x7e\x7e\x08\x77\xcd\xe3\x40\xc4\x2e\xdb\xfc\x91\xdc\xff\xaf\xf1\x28\x4e\xf0\x8a\x45\x1e\x4c\x76\xe0\xcd\x83\xb2\xc0\xea\x10\xd8\x6b\xce\xfa\x93\xbb\xae\xf5\xff\xfb\xfe\x7d\xc7\x0b\x73\xb8\x9c\x55\xfc\x38\x51\x11\x0d\x1b\xd0\xd1\xda\x31\x75\x33\x20\xb1\x11\xfe\x70\x60\x53\x7e\x8f\x65\xf3\xc2\xf0\x5a\xdc\xb3\xd6\x6b\xd2\xab\xe6\xb0\x8a\xaa\xe0\xd0\xee\xdc\xa9\x93\x77\x07\xec\x4c\xb4\x87\x4c\xdf\xd0\x58\x00\x81\x2a\xb5\x3f\x95\x50\xb2\x5a\x28\xee\x69\xe6\x2a\x0f\x79\x0f\xe5\x23\x3f\xc8\x64\x5f\xc3\xfe\x6c\xae\x05\x5f\x2a\xa1\x72\x91\x25\x17\x01\x51\xe8\x6e\xea\xb6\x7b\xb2\x0b\xc8\x84\xa1\x21\x4c\x2d\x3d\x96\x9c\x34\xfb\x23\x9b\x45\xfe\xec\x93\xac\x20\x97\x21\xba\xe7\x27\x12\x51\xc6\x13\xce\xa9\x37\x9c\x15\x21", 183); *(uint32_t*)0x20002eb4 = 0xb7; *(uint32_t*)0x20002eb8 = 4; *(uint32_t*)0x20002ebc = 0x20002d80; memcpy((void*)0x20002d80, "\xc3\xf0\x4f\x26\x92\x9b\x7a\x4d\x63\x42\x84\x1f\xa5\x3a\x9a\x8c\xb8\x00\x6a\x97\xf4\x28", 22); *(uint32_t*)0x20002ec0 = 0x16; *(uint32_t*)0x20002ec4 = 6; *(uint32_t*)0x20002ec8 = 0x20002dc0; memcpy((void*)0x20002dc0, "\xc9\x87\x12\x75\xe3\x26\x9f\xf1\xbd\xcd\x67\xfb\x52\x3e\x1c\xeb\x51\x51\xb0\xed\xe9\xe0\x32\x63\x4e\x36\xd4\x86\x04\x6b\xc3\x1c\xd9\x78\xbd\xa5\x92\x47\x35\x53\x16\x31\x9e\x76\x8e\x7a\xc6\xbe\x06\x48\xbf\x0f\xec\xd1\x3c\xda\xd4\x5f\x71\x3e\x0e\x3b\x74\xe9\x5e\xec\x77\x06\x3c\x02\xa2\x33\xea\x97\xd3\x38\xf4\xb1\xe9\xbc\x5a\x7c\xce\x85\x52\x87\x42\x63\x2e\xd5\x9c\xec\x01\x6f\x39\x14\xdd\x02\xca\x6b\x1d\xc8\x33\x22\x48\x95\x27\x73\x50\xcf\x1f\x21\xd6\xc7\x8f\x85\x92\x71\x7e\x91\x23\x3f\x90\x26\x92\x7e\x0c\xc3\xd8\x0c\xdc\x57\x71\x47\x63\xa0\xfc\xb0\x91\xf5\xc6\x90\x51\xb5\x5c\xd2\xe1\xfc\xc3\x3b\x13\xd5\x97\xc5\xca\xee\xb2\x71\xc5\x42\x97\x8a\x1e\x17", 164); *(uint32_t*)0x20002ecc = 0xa4; *(uint32_t*)0x20002ed0 = 0x9c; syz_read_part_table(1, 7, 0x20002e80); break; case 34: *(uint8_t*)0x20002f00 = 0x12; *(uint8_t*)0x20002f01 = 1; *(uint16_t*)0x20002f02 = 0x201; *(uint8_t*)0x20002f04 = 0xa4; 
*(uint8_t*)0x20002f05 = 0x61; *(uint8_t*)0x20002f06 = 0x1e; *(uint8_t*)0x20002f07 = 0x40; *(uint16_t*)0x20002f08 = 0xacd; *(uint16_t*)0x20002f0a = 0x300; *(uint16_t*)0x20002f0c = 0xc0df; *(uint8_t*)0x20002f0e = 1; *(uint8_t*)0x20002f0f = 2; *(uint8_t*)0x20002f10 = 3; *(uint8_t*)0x20002f11 = 1; *(uint8_t*)0x20002f12 = 9; *(uint8_t*)0x20002f13 = 2; *(uint16_t*)0x20002f14 = 0x372; *(uint8_t*)0x20002f16 = 2; *(uint8_t*)0x20002f17 = 4; *(uint8_t*)0x20002f18 = 0x1f; *(uint8_t*)0x20002f19 = 0; *(uint8_t*)0x20002f1a = 1; *(uint8_t*)0x20002f1b = 9; *(uint8_t*)0x20002f1c = 4; *(uint8_t*)0x20002f1d = 0x5d; *(uint8_t*)0x20002f1e = 0xb3; *(uint8_t*)0x20002f1f = 1; *(uint8_t*)0x20002f20 = 0xad; *(uint8_t*)0x20002f21 = 0x49; *(uint8_t*)0x20002f22 = 0x76; *(uint8_t*)0x20002f23 = 0x20; *(uint8_t*)0x20002f24 = 7; *(uint8_t*)0x20002f25 = 0x24; *(uint8_t*)0x20002f26 = 1; *(uint8_t*)0x20002f27 = 0; *(uint8_t*)0x20002f28 = 0x80; *(uint16_t*)0x20002f29 = 0; *(uint8_t*)0x20002f2b = 9; *(uint8_t*)0x20002f2c = 5; *(uint8_t*)0x20002f2d = 0xd; *(uint8_t*)0x20002f2e = 0; *(uint16_t*)0x20002f2f = 0x230; *(uint8_t*)0x20002f31 = 0x5d; *(uint8_t*)0x20002f32 = 1; *(uint8_t*)0x20002f33 = 0x3f; *(uint8_t*)0x20002f34 = 7; *(uint8_t*)0x20002f35 = 0x25; *(uint8_t*)0x20002f36 = 1; *(uint8_t*)0x20002f37 = 0; *(uint8_t*)0x20002f38 = 0x1f; *(uint16_t*)0x20002f39 = 2; *(uint8_t*)0x20002f3b = 0xba; *(uint8_t*)0x20002f3c = 0xe; memcpy((void*)0x20002f3d, 
"\xf4\xe6\xe5\x76\x28\x83\xc3\x4d\xf0\x4f\x35\x60\x99\xf1\xd3\x4b\xdb\xc9\xf5\x32\x4d\xa6\x48\x05\x3f\xd6\x90\x21\x1b\x89\x71\x19\xc4\xf3\xac\x19\x7f\x2a\xa9\x3f\x2f\x3b\xe0\x5f\x83\x6b\x16\x44\xd5\xb2\x32\x76\x48\xb3\x08\x16\xed\x19\x2f\x94\x3d\xfc\xe2\x25\xf6\x9d\x77\xc5\x15\x65\xe1\x77\xfd\x88\x9c\x9c\x9d\x8c\x85\xb9\x2e\xe4\xbe\xad\x0e\x88\x94\x46\xbb\xc3\x20\xa4\x0f\xa2\x48\x07\xf4\x76\xbf\xd1\xf1\xb3\x09\x6e\x33\x70\xf7\x55\xc9\x4a\xa0\x1c\x3b\xe4\xdd\xc7\x95\x2a\x56\x94\xbc\xad\x4b\xeb\x40\x65\xbf\x5e\xa9\x60\x66\xc4\x3e\x95\x07\xe6\x22\x0c\x47\xbc\x02\x71\xad\xcb\xaf\xfc\xe6\xac\x90\xcb\x3c\x8b\x1c\xf7\x48\xc6\xbb\xf9\x71\x08\xdf\xa2\xca\xc4\xb8\x7d\x34\x20\x42\x84\x34\x39\x7e\x07\xf1\x7a\x87\xed\x62\x33\xb3\x9e\x32\xf0", 184); *(uint8_t*)0x20002ff5 = 9; *(uint8_t*)0x20002ff6 = 4; *(uint8_t*)0x20002ff7 = 0x5d; *(uint8_t*)0x20002ff8 = 0x27; *(uint8_t*)0x20002ff9 = 7; *(uint8_t*)0x20002ffa = 0x3f; *(uint8_t*)0x20002ffb = 0x84; *(uint8_t*)0x20002ffc = 0xfd; *(uint8_t*)0x20002ffd = 3; *(uint8_t*)0x20002ffe = 0x10; *(uint8_t*)0x20002fff = 0x24; *(uint8_t*)0x20003000 = 2; *(uint8_t*)0x20003001 = 1; *(uint8_t*)0x20003002 = 0xe2; *(uint8_t*)0x20003003 = 2; *(uint8_t*)0x20003004 = 0x63; *(uint8_t*)0x20003005 = 0x40; memcpy((void*)0x20003006, "\xe7\x21\xcc\x44\xac\xca\x89\x38", 8); *(uint8_t*)0x2000300e = 0xb; *(uint8_t*)0x2000300f = 0x24; *(uint8_t*)0x20003010 = 2; *(uint8_t*)0x20003011 = 1; *(uint8_t*)0x20003012 = 0; *(uint8_t*)0x20003013 = 3; *(uint8_t*)0x20003014 = 1; *(uint8_t*)0x20003015 = 0; memcpy((void*)0x20003016, "\x9e\xf4\x2f", 3); *(uint8_t*)0x20003019 = 7; *(uint8_t*)0x2000301a = 0x24; *(uint8_t*)0x2000301b = 1; *(uint8_t*)0x2000301c = 4; *(uint8_t*)0x2000301d = 1; *(uint16_t*)0x2000301e = 4; *(uint8_t*)0x20003020 = 0xb; *(uint8_t*)0x20003021 = 0x24; *(uint8_t*)0x20003022 = 2; *(uint8_t*)0x20003023 = 1; *(uint8_t*)0x20003024 = 0; *(uint8_t*)0x20003025 = 3; *(uint8_t*)0x20003026 = 0x19; *(uint8_t*)0x20003027 = 6; memcpy((void*)0x20003028, "\x9e", 1); 
memcpy((void*)0x20003029, "\x69\x83", 2); *(uint8_t*)0x2000302b = 9; *(uint8_t*)0x2000302c = 5; *(uint8_t*)0x2000302d = 0xf; *(uint8_t*)0x2000302e = 0; *(uint16_t*)0x2000302f = 0x3ff; *(uint8_t*)0x20003031 = 0xf6; *(uint8_t*)0x20003032 = 5; *(uint8_t*)0x20003033 = 0x80; *(uint8_t*)0x20003034 = 9; *(uint8_t*)0x20003035 = 5; *(uint8_t*)0x20003036 = 1; *(uint8_t*)0x20003037 = 0x10; *(uint16_t*)0x20003038 = 0x10; *(uint8_t*)0x2000303a = 0; *(uint8_t*)0x2000303b = 0x40; *(uint8_t*)0x2000303c = 6; *(uint8_t*)0x2000303d = 7; *(uint8_t*)0x2000303e = 0x25; *(uint8_t*)0x2000303f = 1; *(uint8_t*)0x20003040 = 2; *(uint8_t*)0x20003041 = 0x20; *(uint16_t*)0x20003042 = 6; *(uint8_t*)0x20003044 = 9; *(uint8_t*)0x20003045 = 5; *(uint8_t*)0x20003046 = 0xb; *(uint8_t*)0x20003047 = 8; *(uint16_t*)0x20003048 = 0x10; *(uint8_t*)0x2000304a = 1; *(uint8_t*)0x2000304b = 2; *(uint8_t*)0x2000304c = 0; *(uint8_t*)0x2000304d = 9; *(uint8_t*)0x2000304e = 5; *(uint8_t*)0x2000304f = 0xd; *(uint8_t*)0x20003050 = 0x10; *(uint16_t*)0x20003051 = 0x200; *(uint8_t*)0x20003053 = 4; *(uint8_t*)0x20003054 = 8; *(uint8_t*)0x20003055 = 0xc0; *(uint8_t*)0x20003056 = 0xbb; *(uint8_t*)0x20003057 = 0x31; memcpy((void*)0x20003058, "\x21\x5c\xe6\xab\x8f\x3c\x72\xca\xa3\xab\x13\x26\xf1\x88\x38\x90\x8a\xc6\x0b\xff\xb3\xb5\x07\x48\x14\x4a\xa2\xcb\xc4\xd7\xca\xc5\x6f\x4a\x7b\xb2\xbd\x6c\x96\x96\x74\xa5\xe4\x04\x08\x61\xbb\x21\xba\x5c\xcf\x0f\x82\x2c\x10\x32\xe7\xe3\x72\x9f\x8c\x17\x1f\xc7\xa8\x9b\x53\x40\xb5\x06\x71\x08\xd5\x97\xf1\x78\xaa\x65\x1a\x98\xac\xa4\xd0\x12\xfa\x55\x5a\x69\x56\x83\xb5\x27\xe6\x03\x1f\x1f\x7f\x20\x49\x4b\x25\x0e\x3a\x6c\xd8\xb4\xde\x96\x47\xe1\x50\x04\x98\x67\x09\x7c\x47\xcc\x23\x7c\x61\x2c\xef\xe6\x98\x33\x2f\x1f\xe7\xf0\x2e\x6f\x53\xe8\x45\xb1\xf5\xe7\xb4\xb2\x4a\xd8\x62\x9b\x78\xce\x76\x30\xe2\xd4\x01\x20\xfb\xc3\xf4\x93\x75\xa4\xa0\x86\xde\xdd\x2a\x27\xf0\x6b\x3e\xd3\xd7\x56\xa8\x19\xb9\x7f\x75\x9a\xa5\x4a\xef\x83\xdf\x48\x68\xa9\xe9", 185); *(uint8_t*)0x20003111 = 9; 
*(uint8_t*)0x20003112 = 5; *(uint8_t*)0x20003113 = 3; *(uint8_t*)0x20003114 = 0x12; *(uint16_t*)0x20003115 = 0x3ff; *(uint8_t*)0x20003117 = 0; *(uint8_t*)0x20003118 = 1; *(uint8_t*)0x20003119 = -1; *(uint8_t*)0x2000311a = 0xad; *(uint8_t*)0x2000311b = 0x31; memcpy((void*)0x2000311c, "\x0c\x92\x1d\x3f\x98\x0f\x4e\x53\x14\x7a\x46\xbd\x58\x56\xda\x03\x08\x16\x60\xfb\xed\x7b\x8b\x2d\x38\x9b\xe8\xa0\x38\xe9\x5c\x29\x58\xa4\x77\xed\x5f\xaf\x9e\xf3\x8c\x82\xc3\xab\xea\x25\x44\x59\xed\xb0\xf2\xcf\x28\x62\x35\x03\x40\x87\xad\xb7\x90\x7f\xf1\x92\x64\x0b\x93\x68\x86\xbd\x48\xd3\xa5\x12\x15\x40\x6b\x3a\xa0\xb6\xd8\xf8\xd9\x1d\x83\x0f\x52\x36\xa9\xa8\xbe\x03\xc2\x21\x5f\x01\x21\x31\x96\x8c\x6a\x80\x86\x0a\xe8\x11\x93\x05\x94\x68\x10\x8e\xfd\x4f\x13\x05\x37\x9d\x01\x15\xc7\xec\x66\x7b\x03\x59\x94\x0e\x56\x64\xbf\x7b\x3c\x4a\x5f\x04\xca\x3c\x51\xdb\x9d\x2c\xd4\x17\xe9\x09\x9b\xff\x62\x8b\x8e\x1a\x8e\xd0\xf5\x96\x14\x93\x57\xa0\x8a\xbd\x11\x77\xeb\x97\x73\x53\xeb\x89\x32", 171); *(uint8_t*)0x200031c7 = 0x93; *(uint8_t*)0x200031c8 = 0x11; memcpy((void*)0x200031c9, "\xa8\xe2\x2d\x54\x2a\xe3\xd8\x31\xf3\x37\x21\x1b\xb5\xbe\x12\xa5\xc4\x6e\x5c\xf9\xb5\x56\xd8\x4d\x5a\xf4\xca\xca\x87\x42\xad\x21\x61\x40\x56\x2b\x7e\x54\x21\xe2\x64\x24\x71\xe8\xf5\x0e\xb8\xae\xf0\x62\x12\xb4\x6c\x64\x4a\xe5\x84\x63\xe1\x8b\x3e\x72\xbd\x3e\xca\x60\x60\xfa\x8b\x94\x03\x17\x96\xe5\x5e\xb4\x1d\x3f\x31\x8a\xff\xbf\x08\x1e\xeb\x17\x08\x85\x1e\x72\xfa\xdd\x88\x7e\x03\x30\x13\x43\x19\xf0\xa5\x96\x7e\xda\x65\x7b\xc1\x10\x1f\x74\xde\xba\x42\xe7\x8a\xff\x20\xfb\x5d\x3c\x1f\xe4\x9d\x9a\x05\x46\x57\xb6\xf1\xaf\x3d\x01\x5f\xc1\x6f\xf8\x08\x73\xf3\x26\x69\x08\x43\xdf\x81", 145); *(uint8_t*)0x2000325a = 9; *(uint8_t*)0x2000325b = 5; *(uint8_t*)0x2000325c = 0xf; *(uint8_t*)0x2000325d = 4; *(uint16_t*)0x2000325e = 0x200; *(uint8_t*)0x20003260 = 0; *(uint8_t*)0x20003261 = 0x1f; *(uint8_t*)0x20003262 = 1; *(uint8_t*)0x20003263 = 0x11; *(uint8_t*)0x20003264 = 6; memcpy((void*)0x20003265, 
"\x82\x4b\x7d\x09\x57\xbc\x55\x2d\x22\x4f\xdf\x6b\xff\x63\xa8", 15); *(uint8_t*)0x20003274 = 7; *(uint8_t*)0x20003275 = 0x25; *(uint8_t*)0x20003276 = 1; *(uint8_t*)0x20003277 = 0x80; *(uint8_t*)0x20003278 = 0xfd; *(uint16_t*)0x20003279 = 6; *(uint8_t*)0x2000327b = 9; *(uint8_t*)0x2000327c = 5; *(uint8_t*)0x2000327d = 0; *(uint8_t*)0x2000327e = 0; *(uint16_t*)0x2000327f = 0x20; *(uint8_t*)0x20003281 = 0x1f; *(uint8_t*)0x20003282 = 0xfd; *(uint8_t*)0x20003283 = 3; *(uint32_t*)0x20003400 = 0xa; *(uint32_t*)0x20003404 = 0x200032c0; *(uint8_t*)0x200032c0 = 0xa; *(uint8_t*)0x200032c1 = 6; *(uint16_t*)0x200032c2 = 0x110; *(uint8_t*)0x200032c4 = 0x4d; *(uint8_t*)0x200032c5 = 0x80; *(uint8_t*)0x200032c6 = 0x80; *(uint8_t*)0x200032c7 = 0x20; *(uint8_t*)0x200032c8 = 0xc1; *(uint8_t*)0x200032c9 = 0; *(uint32_t*)0x20003408 = 0x46; *(uint32_t*)0x2000340c = 0x20003300; *(uint8_t*)0x20003300 = 5; *(uint8_t*)0x20003301 = 0xf; *(uint16_t*)0x20003302 = 0x46; *(uint8_t*)0x20003304 = 5; *(uint8_t*)0x20003305 = 0xb; *(uint8_t*)0x20003306 = 0x10; *(uint8_t*)0x20003307 = 1; *(uint8_t*)0x20003308 = 0xc; *(uint16_t*)0x20003309 = 0x35; *(uint8_t*)0x2000330b = 0; *(uint8_t*)0x2000330c = 0xdf; *(uint16_t*)0x2000330d = 9; *(uint8_t*)0x2000330f = 0xf7; *(uint8_t*)0x20003310 = 7; *(uint8_t*)0x20003311 = 0x10; *(uint8_t*)0x20003312 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003313, 0xe, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003314, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003314, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003315, 9, 0, 16); *(uint8_t*)0x20003317 = 0x18; *(uint8_t*)0x20003318 = 0x10; *(uint8_t*)0x20003319 = 0xa; *(uint8_t*)0x2000331a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000331b, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000331b, 0x7fffffe, 5, 27); *(uint16_t*)0x2000331f = 0xff0f; *(uint16_t*)0x20003321 = 0x101; *(uint32_t*)0x20003323 = 0xffc0a0; *(uint32_t*)0x20003327 = 0; *(uint32_t*)0x2000332b = 0xffff0f; *(uint8_t*)0x2000332f = 0x10; *(uint8_t*)0x20003330 = 0x10; 
*(uint8_t*)0x20003331 = 0xa; *(uint8_t*)0x20003332 = 3; STORE_BY_BITMASK(uint32_t, , 0x20003333, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003333, 0x200, 5, 27); *(uint16_t*)0x20003337 = 0xff00; *(uint16_t*)0x20003339 = 1; *(uint32_t*)0x2000333b = 0; *(uint8_t*)0x2000333f = 7; *(uint8_t*)0x20003340 = 0x10; *(uint8_t*)0x20003341 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003342, 0x16, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003343, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003343, 0xe, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003344, 7, 0, 16); *(uint32_t*)0x20003410 = 2; *(uint32_t*)0x20003414 = 4; *(uint32_t*)0x20003418 = 0x20003380; *(uint8_t*)0x20003380 = 4; *(uint8_t*)0x20003381 = 3; *(uint16_t*)0x20003382 = 0x380a; *(uint32_t*)0x2000341c = 4; *(uint32_t*)0x20003420 = 0x200033c0; *(uint8_t*)0x200033c0 = 4; *(uint8_t*)0x200033c1 = 3; *(uint16_t*)0x200033c2 = 0x42f; res = -1; res = syz_usb_connect(4, 0x384, 0x20002f00, 0x20003400); if (res != -1) r[16] = res; break; case 35: *(uint8_t*)0x20003440 = 0x12; *(uint8_t*)0x20003441 = 1; *(uint16_t*)0x20003442 = 0x200; *(uint8_t*)0x20003444 = -1; *(uint8_t*)0x20003445 = -1; *(uint8_t*)0x20003446 = -1; *(uint8_t*)0x20003447 = 0x40; *(uint16_t*)0x20003448 = 0xcf3; *(uint16_t*)0x2000344a = 0x9271; *(uint16_t*)0x2000344c = 0x108; *(uint8_t*)0x2000344e = 1; *(uint8_t*)0x2000344f = 2; *(uint8_t*)0x20003450 = 3; *(uint8_t*)0x20003451 = 1; *(uint8_t*)0x20003452 = 9; *(uint8_t*)0x20003453 = 2; *(uint16_t*)0x20003454 = 0x48; *(uint8_t*)0x20003456 = 1; *(uint8_t*)0x20003457 = 1; *(uint8_t*)0x20003458 = 0; *(uint8_t*)0x20003459 = 0x80; *(uint8_t*)0x2000345a = 0xfa; *(uint8_t*)0x2000345b = 9; *(uint8_t*)0x2000345c = 4; *(uint8_t*)0x2000345d = 0; *(uint8_t*)0x2000345e = 0; *(uint8_t*)0x2000345f = 6; *(uint8_t*)0x20003460 = -1; *(uint8_t*)0x20003461 = 0; *(uint8_t*)0x20003462 = 0; *(uint8_t*)0x20003463 = 0; *(uint8_t*)0x20003464 = 9; *(uint8_t*)0x20003465 = 5; *(uint8_t*)0x20003466 = 1; *(uint8_t*)0x20003467 = 2; *(uint16_t*)0x20003468 = 
0x200; *(uint8_t*)0x2000346a = 0; *(uint8_t*)0x2000346b = 0; *(uint8_t*)0x2000346c = 0; *(uint8_t*)0x2000346d = 9; *(uint8_t*)0x2000346e = 5; *(uint8_t*)0x2000346f = 0x82; *(uint8_t*)0x20003470 = 2; *(uint16_t*)0x20003471 = 0x200; *(uint8_t*)0x20003473 = 0; *(uint8_t*)0x20003474 = 0; *(uint8_t*)0x20003475 = 0; *(uint8_t*)0x20003476 = 9; *(uint8_t*)0x20003477 = 5; *(uint8_t*)0x20003478 = 0x83; *(uint8_t*)0x20003479 = 3; *(uint16_t*)0x2000347a = 0x40; *(uint8_t*)0x2000347c = 1; *(uint8_t*)0x2000347d = 0; *(uint8_t*)0x2000347e = 0; *(uint8_t*)0x2000347f = 9; *(uint8_t*)0x20003480 = 5; *(uint8_t*)0x20003481 = 4; *(uint8_t*)0x20003482 = 3; *(uint16_t*)0x20003483 = 0x40; *(uint8_t*)0x20003485 = 1; *(uint8_t*)0x20003486 = 0; *(uint8_t*)0x20003487 = 0; *(uint8_t*)0x20003488 = 9; *(uint8_t*)0x20003489 = 5; *(uint8_t*)0x2000348a = 5; *(uint8_t*)0x2000348b = 2; *(uint16_t*)0x2000348c = 0x200; *(uint8_t*)0x2000348e = 0; *(uint8_t*)0x2000348f = 0; *(uint8_t*)0x20003490 = 0; *(uint8_t*)0x20003491 = 9; *(uint8_t*)0x20003492 = 5; *(uint8_t*)0x20003493 = 6; *(uint8_t*)0x20003494 = 2; *(uint16_t*)0x20003495 = 0x200; *(uint8_t*)0x20003497 = 0; *(uint8_t*)0x20003498 = 0; *(uint8_t*)0x20003499 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20003440, 0); break; case 36: *(uint32_t*)0x200036c0 = 0x18; *(uint32_t*)0x200036c4 = 0x200034c0; *(uint8_t*)0x200034c0 = 0x20; *(uint8_t*)0x200034c1 = 8; *(uint32_t*)0x200034c2 = 0xd4; *(uint8_t*)0x200034c6 = 0xd4; *(uint8_t*)0x200034c7 = 0x31; memcpy((void*)0x200034c8, 
"\xdd\x9f\xe1\xd6\xf8\xee\x76\xd6\x28\x92\x46\xb5\x27\x7c\xc1\x9f\x3c\x46\x21\xad\xd8\x21\xa7\xf3\xd1\xaa\xe9\x94\xdb\xf4\xb1\xbd\x89\xe8\x77\x07\x34\x76\x8a\xde\x97\xe5\x1d\x24\x8f\x53\xcd\x53\x0b\x31\x11\x9a\xac\xcf\x53\xb6\xf6\xed\xdf\x4b\x8b\xfe\x6a\x1a\x85\x9c\x3d\xc2\x86\xf8\x33\x5c\x9d\x15\xe5\xd5\x16\x9b\x24\x41\x55\x39\x10\x62\xff\x88\x5d\x40\xbe\x37\x07\xb6\xd1\xea\x25\x2a\x96\xd9\x7a\xb2\x4f\xb6\x75\xf5\x45\x57\xcf\xa2\x4d\x80\x5b\x07\x95\x70\x8a\xf5\x06\x5d\x4b\x66\x62\xdf\xd5\x4d\xd5\x9c\xfc\xe1\x67\x3a\xb3\x56\xa2\x54\xf6\xb5\xbc\xe4\x4c\x61\x9a\x17\xff\xce\x8e\xbb\x96\xe0\x83\xc0\x82\x45\x00\x62\xbd\x71\xa2\x06\xca\x92\x1e\x0b\x77\xf5\x17\xc1\x61\x95\x86\xb3\xbc\xa3\xe2\x49\x08\x21\x01\x6c\xc7\x6c\xaf\x96\xc0\xec\x90\x68\xb4\x5e\x23\x34\xed\x9a\x6f\xf0\x6a\x63\x43\xae\x01\xf0\xae\xf6\x12\x7e\xba\xf5\xb5\x2d\x69\xe3", 210); *(uint32_t*)0x200036c8 = 0x200035c0; *(uint8_t*)0x200035c0 = 0; *(uint8_t*)0x200035c1 = 3; *(uint32_t*)0x200035c2 = 4; *(uint8_t*)0x200035c6 = 4; *(uint8_t*)0x200035c7 = 3; *(uint16_t*)0x200035c8 = 0x40e; *(uint32_t*)0x200036cc = 0x20003600; *(uint8_t*)0x20003600 = 0; *(uint8_t*)0x20003601 = 0xf; *(uint32_t*)0x20003602 = 0x28; *(uint8_t*)0x20003606 = 5; *(uint8_t*)0x20003607 = 0xf; *(uint16_t*)0x20003608 = 0x28; *(uint8_t*)0x2000360a = 2; *(uint8_t*)0x2000360b = 3; *(uint8_t*)0x2000360c = 0x10; *(uint8_t*)0x2000360d = 0xb; *(uint8_t*)0x2000360e = 0x20; *(uint8_t*)0x2000360f = 0x10; *(uint8_t*)0x20003610 = 0xa; memcpy((void*)0x20003611, "\x19\x5f\xa2\xf3\x24\xc0\xbe\x96\xda\x3d\xb2\x6a\xfa\x56\x77\x53\x0a\xc0\xfa\xf4\xc6\x82\xbe\x7c\x15\xe9\xa5\x86\x66", 29); *(uint32_t*)0x200036d0 = 0x20003640; *(uint8_t*)0x20003640 = 0x20; *(uint8_t*)0x20003641 = 0x29; *(uint32_t*)0x20003642 = 0xf; *(uint8_t*)0x20003646 = 0xf; *(uint8_t*)0x20003647 = 0x29; *(uint8_t*)0x20003648 = 9; *(uint16_t*)0x20003649 = 1; *(uint8_t*)0x2000364b = 0; *(uint8_t*)0x2000364c = 9; memcpy((void*)0x2000364d, "\x05\x7c\x41\x7e", 4); memcpy((void*)0x20003651, 
"\x8d\xa4\x36\xc4", 4); *(uint32_t*)0x200036d4 = 0x20003680; *(uint8_t*)0x20003680 = 0x20; *(uint8_t*)0x20003681 = 0x2a; *(uint32_t*)0x20003682 = 0xc; *(uint8_t*)0x20003686 = 0xc; *(uint8_t*)0x20003687 = 0x2a; *(uint8_t*)0x20003688 = 0x20; *(uint16_t*)0x20003689 = 0x10; *(uint8_t*)0x2000368b = 0x80; *(uint8_t*)0x2000368c = 0x40; *(uint8_t*)0x2000368d = 0x1f; *(uint16_t*)0x2000368e = 0; *(uint16_t*)0x20003690 = 5; *(uint32_t*)0x20003b40 = 0x44; *(uint32_t*)0x20003b44 = 0x20003700; *(uint8_t*)0x20003700 = 0x60; *(uint8_t*)0x20003701 = 8; *(uint32_t*)0x20003702 = 0x54; memcpy((void*)0x20003706, "\x85\xf9\x88\x04\x52\x78\xf9\x75\x32\xa6\x67\xcb\xee\x9b\x82\x1d\x65\x54\xfb\x1c\x6d\x18\xdf\xfb\x78\x51\x96\xd9\x07\x27\xe1\xb4\x61\x5c\x86\xee\x04\x9a\x16\x96\xb1\x66\x8f\x00\x0e\x62\xd5\x39\xe0\x81\xcf\x07\xe3\x60\x17\x1c\xe6\x1c\xa2\xf9\x56\x44\xb9\xad\x8e\x92\x11\xa1\xb1\x9c\x43\x99\xbd\xfd\x6d\x53\x3b\xf8\x95\x52\x42\x72\x5b\xb4", 84); *(uint32_t*)0x20003b48 = 0x20003780; *(uint8_t*)0x20003780 = 0; *(uint8_t*)0x20003781 = 0xa; *(uint32_t*)0x20003782 = 1; *(uint8_t*)0x20003786 = 1; *(uint32_t*)0x20003b4c = 0x200037c0; *(uint8_t*)0x200037c0 = 0; *(uint8_t*)0x200037c1 = 8; *(uint32_t*)0x200037c2 = 1; *(uint8_t*)0x200037c6 = 0x81; *(uint32_t*)0x20003b50 = 0x20003800; *(uint8_t*)0x20003800 = 0x20; *(uint8_t*)0x20003801 = 0; *(uint32_t*)0x20003802 = 4; *(uint16_t*)0x20003806 = 2; *(uint16_t*)0x20003808 = 0; *(uint32_t*)0x20003b54 = 0x20003840; *(uint8_t*)0x20003840 = 0x20; *(uint8_t*)0x20003841 = 0; *(uint32_t*)0x20003842 = 8; *(uint16_t*)0x20003846 = 0x200; *(uint16_t*)0x20003848 = 0x40; *(uint32_t*)0x2000384a = 0xff; *(uint32_t*)0x20003b58 = 0x20003880; *(uint8_t*)0x20003880 = 0x40; *(uint8_t*)0x20003881 = 7; *(uint32_t*)0x20003882 = 2; *(uint16_t*)0x20003886 = 1; *(uint32_t*)0x20003b5c = 0x200038c0; *(uint8_t*)0x200038c0 = 0x40; *(uint8_t*)0x200038c1 = 9; *(uint32_t*)0x200038c2 = 1; *(uint8_t*)0x200038c6 = 0x81; *(uint32_t*)0x20003b60 = 0x20003900; *(uint8_t*)0x20003900 = 
0x40; *(uint8_t*)0x20003901 = 0xb; *(uint32_t*)0x20003902 = 2; memcpy((void*)0x20003906, "\x8e\xaf", 2); *(uint32_t*)0x20003b64 = 0x20003940; *(uint8_t*)0x20003940 = 0x40; *(uint8_t*)0x20003941 = 0xf; *(uint32_t*)0x20003942 = 2; *(uint16_t*)0x20003946 = 9; *(uint32_t*)0x20003b68 = 0x20003980; *(uint8_t*)0x20003980 = 0x40; *(uint8_t*)0x20003981 = 0x13; *(uint32_t*)0x20003982 = 6; *(uint8_t*)0x20003986 = 0xaa; *(uint8_t*)0x20003987 = 0xaa; *(uint8_t*)0x20003988 = 0xaa; *(uint8_t*)0x20003989 = 0xaa; *(uint8_t*)0x2000398a = 0xaa; *(uint8_t*)0x2000398b = 0x38; *(uint32_t*)0x20003b6c = 0x200039c0; *(uint8_t*)0x200039c0 = 0x40; *(uint8_t*)0x200039c1 = 0x17; *(uint32_t*)0x200039c2 = 6; *(uint8_t*)0x200039c6 = -1; *(uint8_t*)0x200039c7 = -1; *(uint8_t*)0x200039c8 = -1; *(uint8_t*)0x200039c9 = -1; *(uint8_t*)0x200039ca = -1; *(uint8_t*)0x200039cb = -1; *(uint32_t*)0x20003b70 = 0x20003a00; *(uint8_t*)0x20003a00 = 0x40; *(uint8_t*)0x20003a01 = 0x19; *(uint32_t*)0x20003a02 = 2; memcpy((void*)0x20003a06, "{k", 2); *(uint32_t*)0x20003b74 = 0x20003a40; *(uint8_t*)0x20003a40 = 0x40; *(uint8_t*)0x20003a41 = 0x1a; *(uint32_t*)0x20003a42 = 2; *(uint16_t*)0x20003a46 = 0x40; *(uint32_t*)0x20003b78 = 0x20003a80; *(uint8_t*)0x20003a80 = 0x40; *(uint8_t*)0x20003a81 = 0x1c; *(uint32_t*)0x20003a82 = 1; *(uint8_t*)0x20003a86 = 0; *(uint32_t*)0x20003b7c = 0x20003ac0; *(uint8_t*)0x20003ac0 = 0x40; *(uint8_t*)0x20003ac1 = 0x1e; *(uint32_t*)0x20003ac2 = 1; *(uint8_t*)0x20003ac6 = 0xfe; *(uint32_t*)0x20003b80 = 0x20003b00; *(uint8_t*)0x20003b00 = 0x40; *(uint8_t*)0x20003b01 = 0x21; *(uint32_t*)0x20003b02 = 1; *(uint8_t*)0x20003b06 = 0xfa; syz_usb_control_io(r[16], 0x200036c0, 0x20003b40); break; case 37: *(uint8_t*)0x20003bc0 = 0x12; *(uint8_t*)0x20003bc1 = 1; *(uint16_t*)0x20003bc2 = 0x201; *(uint8_t*)0x20003bc4 = 0; *(uint8_t*)0x20003bc5 = 0; *(uint8_t*)0x20003bc6 = 0; *(uint8_t*)0x20003bc7 = 0x10; *(uint16_t*)0x20003bc8 = 0x46d; *(uint16_t*)0x20003bca = 0xc22d; *(uint16_t*)0x20003bcc = 0x40; 
*(uint8_t*)0x20003bce = 1; *(uint8_t*)0x20003bcf = 2; *(uint8_t*)0x20003bd0 = 3; *(uint8_t*)0x20003bd1 = 1; *(uint8_t*)0x20003bd2 = 9; *(uint8_t*)0x20003bd3 = 2; *(uint16_t*)0x20003bd4 = 0x2d; *(uint8_t*)0x20003bd6 = 1; *(uint8_t*)0x20003bd7 = 1; *(uint8_t*)0x20003bd8 = 0; *(uint8_t*)0x20003bd9 = 0x10; *(uint8_t*)0x20003bda = 2; *(uint8_t*)0x20003bdb = 9; *(uint8_t*)0x20003bdc = 4; *(uint8_t*)0x20003bdd = 0; *(uint8_t*)0x20003bde = 0x2f; *(uint8_t*)0x20003bdf = 2; *(uint8_t*)0x20003be0 = 3; *(uint8_t*)0x20003be1 = 1; *(uint8_t*)0x20003be2 = 1; *(uint8_t*)0x20003be3 = 0xfd; *(uint8_t*)0x20003be4 = 9; *(uint8_t*)0x20003be5 = 0x21; *(uint16_t*)0x20003be6 = 9; *(uint8_t*)0x20003be8 = 1; *(uint8_t*)0x20003be9 = 1; *(uint8_t*)0x20003bea = 0x22; *(uint16_t*)0x20003beb = 0x2ff; *(uint8_t*)0x20003bed = 9; *(uint8_t*)0x20003bee = 5; *(uint8_t*)0x20003bef = 0x81; *(uint8_t*)0x20003bf0 = 3; *(uint16_t*)0x20003bf1 = 0x10; *(uint8_t*)0x20003bf3 = 6; *(uint8_t*)0x20003bf4 = -1; *(uint8_t*)0x20003bf5 = 4; *(uint8_t*)0x20003bf6 = 9; *(uint8_t*)0x20003bf7 = 5; *(uint8_t*)0x20003bf8 = 2; *(uint8_t*)0x20003bf9 = 3; *(uint16_t*)0x20003bfa = 8; *(uint8_t*)0x20003bfc = 4; *(uint8_t*)0x20003bfd = 6; *(uint8_t*)0x20003bfe = 0x7f; *(uint32_t*)0x20003cc0 = 0xa; *(uint32_t*)0x20003cc4 = 0x20003c00; *(uint8_t*)0x20003c00 = 0xa; *(uint8_t*)0x20003c01 = 6; *(uint16_t*)0x20003c02 = 0x300; *(uint8_t*)0x20003c04 = 3; *(uint8_t*)0x20003c05 = 2; *(uint8_t*)0x20003c06 = 0xfa; *(uint8_t*)0x20003c07 = 8; *(uint8_t*)0x20003c08 = 0x74; *(uint8_t*)0x20003c09 = 0; *(uint32_t*)0x20003cc8 = 0x28; *(uint32_t*)0x20003ccc = 0x20003c40; *(uint8_t*)0x20003c40 = 5; *(uint8_t*)0x20003c41 = 0xf; *(uint16_t*)0x20003c42 = 0x28; *(uint8_t*)0x20003c44 = 2; *(uint8_t*)0x20003c45 = 3; *(uint8_t*)0x20003c46 = 0x10; *(uint8_t*)0x20003c47 = 0xb; *(uint8_t*)0x20003c48 = 0x20; *(uint8_t*)0x20003c49 = 0x10; *(uint8_t*)0x20003c4a = 0xa; *(uint8_t*)0x20003c4b = 3; STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 5, 0, 5); 
STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 8, 5, 27); *(uint16_t*)0x20003c50 = 0xf00; *(uint16_t*)0x20003c52 = 0xf831; *(uint32_t*)0x20003c54 = 0xc0; *(uint32_t*)0x20003c58 = 0xc0a0; *(uint32_t*)0x20003c5c = 0xff000f; *(uint32_t*)0x20003c60 = 7; *(uint32_t*)0x20003c64 = 0xc0f0; *(uint32_t*)0x20003cd0 = 1; *(uint32_t*)0x20003cd4 = 4; *(uint32_t*)0x20003cd8 = 0x20003c80; *(uint8_t*)0x20003c80 = 4; *(uint8_t*)0x20003c81 = 3; *(uint16_t*)0x20003c82 = 0x436; res = -1; res = syz_usb_connect(4, 0x3f, 0x20003bc0, 0x20003cc0); if (res != -1) r[17] = res; break; case 38: syz_usb_disconnect(r[17]); break; case 39: syz_usb_ep_read(-1, 0x80, 0xc4, 0x20003d00); break; case 40: memcpy((void*)0x20003e00, "\x50\x74\xfa\x81\xf3\xf3\x73\xda\x27\x99\xca\xfb\x26\xb4\x49\x7c\xb3\xc8\x7b\xc0\xf8\x2f\xa7\x88\x54\x68\xbd\x41\x23\x20\x65\xaa\x95\x61\xd2\x4a\xe0\xf1\xd0\xe0\x36\xac\x71\x4a\xc5\xaf\x89\xc6\x9d\x88\x61\xca\xd7\x13\xfc\xb8\xba\xcb\x8c\x4b\x10\xdc\x3b\x6e\xc2\x04\x4c\x01\xf3\x71\xb1\x24\xc0\xa0\xf4\xba\xce\x7d\x51\x79\x87\x2c\xdd\x20\x5e\x09\xc3\xee\xb7\xd5\x57\x7b\x26\xe9\x8f\x84\x55\x4e\xd6", 99); syz_usb_ep_write(r[16], 0x7f, 0x63, 0x20003e00); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } <stdin>: In function ‘syz_io_uring_setup’: <stdin>:248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) <stdin>:248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor731597078 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/11 (0.26s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 
Sandbox:none Fault:true FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$zero(0xffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x161000, 0x0) ioctl$SNAPSHOT_FREE(r0, 0x3305) syz_genetlink_get_family_id$l2tp(&(0x7f0000000040)='l2tp\x00') openat$dlm_control(0xffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x20000, 0x0) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f00000000c0)=0x17, 0x4) r1 = mmap$IORING_OFF_SQES(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x2000000, 0x1010, r0, 0x10000000) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, r1, &(0x7f00000003c0)=@IORING_OP_RECVMSG={0xa, 0x4, 0x0, r2, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=@x25={0x9, @remote}, 0x80, &(0x7f0000000240)=[{&(0x7f0000000180)=""/147, 0x93}], 0x1, &(0x7f0000000280)=""/202, 0xca}, 0x0, 0x0, 0x1, {0x3, r3}}, 0x10001) ioctl$KDSKBMETA(0xffffffffffffffff, 0x4b63, &(0x7f0000000440)=0x4) syz_emit_ethernet(0x56, &(0x7f0000000000)={@local, @remote, @void, {@canfd={0xd, {{0x3, 0x0, 0x1, 0x1}, 0x11, 0x2, 0x0, 0x0, "f4ebe40216fede5ef6c5310f0413c5d41b32fc23e07fd332a8a5c5f966821da091f47b7b9cf9228727ff7412c2e4a3a1573bb295482d7b4a3effd863cc60f5d8"}}}}, &(0x7f0000000080)={0x0, 0x4, [0xd2d, 0xc61, 0x6d3, 0xbe2]}) syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x1, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x7f, 0x2}}}}, 0xf) syz_execute_func(&(0x7f0000000100)="c4c2cd45f18fe800edb85c2f009ee96436360f2811c4c3c90b6b0787c4c2f1a603f30fa6d0f36f650ffa0ec4c21d2f9f5aac384f3e65f3ab") syz_extract_tcp_res(&(0x7f0000000140), 0x2c, 0x9f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000180)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x3, 0xcc) 
r4 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3000001, 0x80000, 0xffffffffffffffff, 0x0) r5 = syz_io_uring_complete(r4) r6 = io_uring_setup(0x3a3b, &(0x7f00000001c0)={0x0, 0xd9fd, 0x20, 0x0, 0x308, 0x0, 0xffffffffffffffff}) r8 = syz_io_uring_setup(0x17a8, &(0x7f0000000240)={0x0, 0xb18d, 0x15b3e67cab3a8d6e, 0x2, 0x158, 0x0, r7}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f00000002c0), &(0x7f0000000300)) syz_io_uring_setup(0x6b11, &(0x7f0000000340)={0x0, 0x15f8, 0x20, 0x2, 0xd2}, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f00000003c0)=0x0, &(0x7f0000000400)=0x0) r11 = socket$bt_rfcomm(0x1f, 0x3, 0x3) r12 = io_uring_register$IORING_REGISTER_PERSONALITY(r5, 0x9, 0x0, 0x0) syz_io_uring_submit(r4, r10, &(0x7f0000001700)=@IORING_OP_RECVMSG={0xa, 0x2, 0x0, r11, 0x0, &(0x7f00000016c0)={&(0x7f0000000440)=@nl=@proc, 0x80, &(0x7f00000015c0)=[{&(0x7f00000004c0)=""/44, 0x2c}, {&(0x7f0000000500)=""/4096, 0x1000}, {&(0x7f0000001500)=""/40, 0x28}, {&(0x7f0000001540)=""/74, 0x4a}], 0x4, &(0x7f0000001600)=""/185, 0xb9}, 0x0, 0x2000, 0x1, {0x3, r12}}, 0xad23946) r13 = fsmount(r5, 0x1, 0x84) ioctl$F2FS_IOC_MOVE_RANGE(r8, 0xc01cf509, &(0x7f0000001740)={r6, 0x3, 0x6, 0x1000}) syz_kvm_setup_cpu$arm64(r13, r14, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000017c0)=[{0x0, &(0x7f0000001780)="e7bed238547695a78957b574bacb6dbc567a3232e76559b4ea3931b608578a24da4c749795975b0ae51da8a86dde75b1d684", 0x32}], 0x1, 0x0, &(0x7f0000001800), 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r9, 0x114, &(0x7f0000001840), 0x0, 0x4) syz_mount_image$afs(&(0x7f0000001880)='afs\x00', &(0x7f00000018c0)='./file0\x00', 0x5, 0x1, &(0x7f0000002900)=[{&(0x7f0000001900)="", 0x1000, 0x9}], 0x20005, &(0x7f0000002940)={[{@flock_openafs='flock=openafs'}, {@dyn='dyn'}, {@autocell='autocell'}, {@dyn='dyn'}, {@flock_openafs='flock=openafs'}, {@source={'source', 0x3d, '&'}}, {@source={'source', 0x3d, 'SEG6\x00'}}], [{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, 
{@smackfsdef={'smackfsdef', 0x3d, 'SEG6\x00'}}, {@subj_user={'subj_user', 0x3d, 'SEG6\x00'}}, {@smackfstransmute={'smackfstransmute', 0x3d, ':'}}, {@seclabel='seclabel'}]}) syz_open_dev$I2C(&(0x7f0000002a00)='/dev/i2c-#\x00', 0xad8, 0x2a2000) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000002a40)=0x0) syz_open_procfs(r15, &(0x7f0000002a80)='net\x00') syz_open_pts(r13, 0x0) syz_read_part_table(0x1, 0x7, &(0x7f0000002e80)=[{&(0x7f0000002ac0)="7ad3cd802dd0c424945d99ca9ca6e4fbb8f8e3b980d2ec", 0x17, 0x1000}, {&(0x7f0000002b00)="329de80b2b17bbd25d1f1907a9263af3bf05c4a7061e28492a3f71c6343aa5aaea0327a3", 0x24, 0x5}, {&(0x7f0000002b40)="82791dfd311d07db7d65e803ce6ca00028af8ff8d276187e0e14bbf7beab60fc4b70722e91b6322b8e3472191a66176bb0ca91dee60f1506a6d48be4055230c30be94a1043a1d2a06d42166069d8033d6c524c8610b8c4bb63af0ce6d6207137f1be1b62b002e8c35e6467c2423cc6597d1ca58ee31589f0248ac762e24a286a41a761912d34bb56f07db88ca52fce8d128762394fa00faac8451a42c3144bdec7e97296c9eac7c9f63110a3d405c16b0428880024e8c9c8af490b8cfad84cbb637878d634cd84346b60c9132c09660cdc616a0b", 0xd4, 0x7fff}, {&(0x7f0000002c40)="904bbcee2b46daa1ac643b7b6b8ea0ff462feabee541b411a885e470a496cbbdc729ffdebc50807f719cbe808d8b598b4767c7a852d9ce0c880a9b078b0187deac926bd4687a44f092bb", 0x4a, 0x5}, {&(0x7f0000002cc0)="3531ae257e7e0877cde340c42edbfc91dcffaff1284ef08a451e4c76e0cd83b2c0ea10d86bcefa93bbaef5fffbfe7dc70b73b89c55fc3851110d1bd0d1da31753320b111fe7060537e8f65f3c2f05adcb3d66bd2abe6b08aaae0d0eedca9937707ec4cb4874cdfd05800812ab53f9550b25a28ee69e62a0f790fe5233fc8645fc3fe6cae055f2aa1729125170151e86eeab67bb20bc884a1214c2d3d969c34fb239b45feec93ac209721bae7271251c613cea9379c1521", 0xb7, 0x4}, {&(0x7f0000002d80)="c3f04f26929b7a4d6342841fa53a9a8cb8006a97f428", 0x16, 0x6}, 
{&(0x7f0000002dc0)="c9871275e3269ff1bdcd67fb523e1ceb5151b0ede9e032634e36d486046bc31cd978bda59247355316319e768e7ac6be0648bf0fecd13cdad45f713e0e3b74e95eec77063c02a233ea97d338f4b1e9bc5a7cce85528742632ed59cec016f3914dd02ca6b1dc833224895277350cf1f21d6c78f8592717e91233f9026927e0cc3d80cdc57714763a0fcb091f5c69051b55cd2e1fcc33b13d597c5caeeb271c542978a1e17", 0xa4, 0x9c}]) r16 = syz_usb_connect(0x4, 0x384, &(0x7f0000002f00)={{0x12, 0x1, 0x201, 0xa4, 0x61, 0x1e, 0x40, 0xacd, 0x300, 0xc0df, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x372, 0x2, 0x4, 0x1f, 0x0, 0x1, [{{0x9, 0x4, 0x5d, 0xb3, 0x1, 0xad, 0x49, 0x76, 0x20, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x80}]}], [{{0x9, 0x5, 0xd, 0x0, 0x230, 0x5d, 0x1, 0x3f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1f, 0x2}, @generic={0xba, 0xe, "f4e6e5762883c34df04f356099f1d34bdbc9f5324da648053fd690211b897119c4f3ac197f2aa93f2f3be05f836b1644d5b2327648b30816ed192f943dfce225f69d77c51565e177fd889c9c9d8c85b92ee4bead0e889446bbc320a40fa24807f476bfd1f1b3096e3370f755c94aa01c3be4ddc7952a5694bcad4beb4065bf5ea96066c43e9507e6220c47bc0271adcbaffce6ac90cb3c8b1cf748c6bbf97108dfa2cac4b87d3420428434397e07f17a87ed6233b39e32f0"}]}}]}}, {{0x9, 0x4, 0x5d, 0x27, 0x7, 0x3f, 0x84, 0xfd, 0x3, [@uac_as={[@format_type_i_discrete={0x10, 0x24, 0x2, 0x1, 0xe2, 0x2, 0x63, 0x40, "e721cc44acca8938"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x1, 0x0, "9ef42f"}, @as_header={0x7, 0x24, 0x1, 0x4, 0x1, 0x4}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x0, 0x3, 0x19, 0x6, "9e", "6983"}]}, @uac_as], [{{0x9, 0x5, 0xf, 0x0, 0x3ff, 0xf6, 0x5, 0x80}}, {{0x9, 0x5, 0x1, 0x10, 0x10, 0x0, 0x40, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x20, 0x6}]}}, {{0x9, 0x5, 0xb, 0x8, 0x10, 0x1, 0x2}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x4, 0x8, 0xc0, [@generic={0xbb, 0x31, 
"215ce6ab8f3c72caa3ab1326f18838908ac60bffb3b50748144aa2cbc4d7cac56f4a7bb2bd6c969674a5e4040861bb21ba5ccf0f822c1032e7e3729f8c171fc7a89b5340b5067108d597f178aa651a98aca4d012fa555a695683b527e6031f1f7f20494b250e3a6cd8b4de9647e150049867097c47cc237c612cefe698332f1fe7f02e6f53e845b1f5e7b4b24ad8629b78ce7630e2d40120fbc3f49375a4a086dedd2a27f06b3ed3d756a819b97f759aa54aef83df4868a9e9"}]}}, {{0x9, 0x5, 0x3, 0x12, 0x3ff, 0x0, 0x1, 0xff, [@generic={0xad, 0x31, "0c921d3f980f4e53147a46bd5856da03081660fbed7b8b2d389be8a038e95c2958a477ed5faf9ef38c82c3abea254459edb0f2cf286235034087adb7907ff192640b936886bd48d3a51215406b3aa0b6d8f8d91d830f5236a9a8be03c2215f012131968c6a80860ae81193059468108efd4f1305379d0115c7ec667b0359940e5664bf7b3c4a5f04ca3c51db9d2cd417e9099bff628b8e1a8ed0f596149357a08abd1177eb977353eb8932"}, @generic={0x93, 0x11, "a8e22d542ae3d831f337211bb5be12a5c46e5cf9b556d84d5af4caca8742ad216140562b7e5421e2642471e8f50eb8aef06212b46c644ae58463e18b3e72bd3eca6060fa8b94031796e55eb41d3f318affbf081eeb1708851e72fadd887e0330134319f0a5967eda657bc1101f74deba42e78aff20fb5d3c1fe49d9a054657b6f1af3d015fc16ff80873f326690843df81"}]}}, {{0x9, 0x5, 0xf, 0x4, 0x200, 0x0, 0x1f, 0x1, [@generic={0x11, 0x6, "824b7d0957bc552d224fdf6bff63a8"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x6}]}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x1f, 0xfd, 0x3}}]}}]}}]}}, &(0x7f0000003400)={0xa, &(0x7f00000032c0)={0xa, 0x6, 0x110, 0x4d, 0x80, 0x80, 0x20, 0xc1}, 0x46, &(0x7f0000003300)={0x5, 0xf, 0x46, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x35, 0x0, 0xdf, 0x9, 0xf7}, @ext_cap={0x7, 0x10, 0x2, 0xe, 0xb, 0x6, 0x9}, @ssp_cap={0x18, 0x10, 0xa, 0x1, 0x3, 0x7fffffe, 0xff0f, 0x101, [0xffc0a0, 0x0, 0xffff0f]}, @ssp_cap={0x10, 0x10, 0xa, 0x3, 0x1, 0x200, 0xff00, 0x1, [0x0]}, @ext_cap={0x7, 0x10, 0x2, 0x16, 0x8, 0xe, 0x7}]}, 0x2, [{0x4, &(0x7f0000003380)=@lang_id={0x4, 0x3, 0x380a}}, {0x4, &(0x7f00000033c0)=@lang_id={0x4, 0x3, 0x42f}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000003440)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 
0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r16, &(0x7f00000036c0)={0x18, &(0x7f00000034c0)={0x20, 0x8, 0xd4, {0xd4, 0x31, "dd9fe1d6f8ee76d6289246b5277cc19f3c4621add821a7f3d1aae994dbf4b1bd89e8770734768ade97e51d248f53cd530b31119aaccf53b6f6eddf4b8bfe6a1a859c3dc286f8335c9d15e5d5169b244155391062ff885d40be3707b6d1ea252a96d97ab24fb675f54557cfa24d805b0795708af5065d4b6662dfd54dd59cfce1673ab356a254f6b5bce44c619a17ffce8ebb96e083c082450062bd71a206ca921e0b77f517c1619586b3bca3e2490821016cc76caf96c0ec9068b45e2334ed9a6ff06a6343ae01f0aef6127ebaf5b52d69e3"}}, &(0x7f00000035c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40e}}, &(0x7f0000003600)={0x0, 0xf, 0x28, {0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @generic={0x20, 0x10, 0xa, "195fa2f324c0be96da3db26afa5677530ac0faf4c682be7c15e9a58666"}]}}, &(0x7f0000003640)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x1, 0x0, 0x9, "057c417e", "8da436c4"}}, &(0x7f0000003680)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x20, 0x10, 0x80, 0x40, 0x1f, 0x0, 0x5}}}, &(0x7f0000003b40)={0x44, &(0x7f0000003700)={0x60, 0x8, 0x54, "85f988045278f97532a667cbee9b821d6554fb1c6d18dffb785196d90727e1b4615c86ee049a1696b1668f000e62d539e081cf07e360171ce61ca2f95644b9ad8e9211a1b19c4399bdfd6d533bf8955242725bb4"}, &(0x7f0000003780)={0x0, 0xa, 0x1, 0x1}, &(0x7f00000037c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000003800)={0x20, 0x0, 0x4, {0x2}}, &(0x7f0000003840)={0x20, 0x0, 0x8, {0x200, 0x40, [0xff]}}, &(0x7f0000003880)={0x40, 0x7, 0x2, 0x1}, &(0x7f00000038c0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000003900)={0x40, 0xb, 0x2, "8eaf"}, &(0x7f0000003940)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000003980)={0x40, 0x13, 0x6, @dev={[], 0x38}}, &(0x7f00000039c0)={0x40, 0x17, 0x6, @broadcast}, &(0x7f0000003a00)={0x40, 0x19, 0x2, '{k'}, &(0x7f0000003a40)={0x40, 0x1a, 0x2, 0x40}, &(0x7f0000003a80)={0x40, 0x1c, 0x1}, &(0x7f0000003ac0)={0x40, 0x1e, 0x1, 0xfe}, &(0x7f0000003b00)={0x40, 0x21, 0x1, 0xfa}}) r17 = syz_usb_connect$hid(0x4, 0x3f, &(0x7f0000003bc0)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x46d, 
0xc22d, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x10, 0x2, [{{0x9, 0x4, 0x0, 0x2f, 0x2, 0x3, 0x1, 0x1, 0xfd, {0x9, 0x21, 0x9, 0x1, 0x1, {0x22, 0x2ff}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0x6, 0xff, 0x4}}, [{{0x9, 0x5, 0x2, 0x3, 0x8, 0x4, 0x6, 0x7f}}]}}}]}}]}}, &(0x7f0000003cc0)={0xa, &(0x7f0000003c00)={0xa, 0x6, 0x300, 0x3, 0x2, 0xfa, 0x8, 0x74}, 0x28, &(0x7f0000003c40)={0x5, 0xf, 0x28, 0x2, [@ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x3, 0x5, 0x8, 0xf00, 0xf831, [0xc0, 0xc0a0, 0xff000f, 0x7, 0xc0f0]}]}, 0x1, [{0x4, &(0x7f0000003c80)=@lang_id={0x4, 0x3, 0x436}}]}) syz_usb_disconnect(r17) syz_usb_ep_read(0xffffffffffffffff, 0x80, 0xc4, &(0x7f0000003d00)=""/196) syz_usb_ep_write(r16, 0x7f, 0x63, &(0x7f0000003e00)="5074fa81f3f373da2799cafb26b4497cb3c87bc0f82fa7885468bd41232065aa9561d24ae0f1d0e036ac714ac5af89c69d8861cad713fcb8bacb8c4b10dc3b6ec2044c01f371b124c0a0f4bace7d5179872cdd205e09c3eeb7d5577b26e98f84554ed6") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t 
bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += 
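desc_length;
	}
	return true;
} // end of parse_usb_descriptor(), whose beginning is on the preceding line of this listing

// Reserve the next slot of usb_devices[], parse the descriptor blob into it and
// publish the fd with release semantics (paired with the acquire load in
// lookup_usb_index()).
// Returns NULL when all USB_MAX_FDS slots are used or the blob fails to parse.
// NOTE(review): the slot counter is incremented before parsing, so a blob that
// fails to parse still consumes a slot.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Return the parsed descriptor index registered for fd, or NULL.
// NOTE(review): usb_devices[] is a zero-initialised static array, so slots that
// were never published hold fd == 0 and an all-zero index (dev == NULL). A
// lookup for fd 0 therefore matches such a slot; callers that dereference
// index->dev rely on never being handed fd 0.
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

// One string descriptor supplied by the test program: length and data pointer.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Optional descriptors supplied by the test program for the connect phase.
// strs_len is compared against the requested string index below, i.e. it is
// used as the number of entries in strs[].
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor ("syz" in UTF-16LE); byte 0 is its own length.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

// Fallback language-ID descriptor (0x0409); byte 0 is its own length.
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Pick the reply for a device-to-host (IN) control request during connect.
//
// Only standard GET_DESCRIPTOR requests are answered; for everything else the
// function returns false and the caller is expected to stall EP0.
// On success *response_data / *response_length describe the reply; the data
// is not copied here.
//
// Changes against the original listing:
//  - USB_DT_BOS and USB_DT_DEVICE_QUALIFIER dereferenced descs without the
//    NULL check that the USB_DT_STRING branch already performs.
//  - The synthesised DEVICE_QUALIFIER was written through
//    (struct usb_qualifier_descriptor*)response_data, i.e. over the caller's
//    `char*` variable and the stack bytes following it, and *response_data was
//    never pointed at a real buffer. It is now built in a per-thread static
//    buffer and *response_data is set to that buffer.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// The descriptor type is the high byte of wValue, the index the low byte.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// No BOS can be served without caller-supplied descriptors.
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Derive a qualifier from the device descriptor. The buffer must
					// outlive this call because the caller copies from it afterwards.
					static __thread struct usb_qualifier_descriptor qual_buf;
					struct usb_qualifier_descriptor* qual = &qual_buf;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Callback type deciding how host-to-device (OUT) control requests are handled
// during connect; sets *done when the connect sequence is finished.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts SET_CONFIGURATION and treats it as the end of
// the connect sequence; every other request is rejected.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: SET_CONFIGURATION and the firmware download request are
// accepted without ending the sequence; the download-complete request ends it.
// (The function continues on the following line of this listing.)
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return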
true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return 
true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int 
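usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	// Issue USB_RAW_IOCTL_INIT with the given UDC driver/device names.
	// The struct is zeroed and at most size-1 bytes are copied so both names are
	// always NUL-terminated, even for over-long inputs (plain strncpy with the
	// full size leaves them unterminated in that case).
	struct usb_raw_init arg;
	memset(&arg, 0, sizeof(arg));
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name) - 1);
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name) - 1);
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

// The helpers below are one-line wrappers around the corresponding
// USB_RAW_IOCTL_* request; each returns the ioctl() result unchanged.

static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Return the position in index->ifaces[] of the interface with the given
// number and alternate setting, or -1 if fd is unknown or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;
	if (!index)
		return -1;
	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Return the raw-gadget handle of the endpoint with the given address on the
// currently selected interface, or -1 if there is none.
//
// Fix: the original loop condition was just `eps_num` (no `ep <`), so with at
// least one endpoint and no matching address the loop never terminated on its
// own and walked past eps[] (and then past the enclosing arrays) until a
// matching byte happened to be found.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	for (ep = 0; ep < iface->eps_num; ep++)
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	return -1;
}

// Switch the device to interface slot n: disable the endpoints of the current
// interface, then enable those of the new one and record their handles.
// Failures of individual enable/disable ioctls are deliberately ignored.
// NOTE(review): when an enable fails the endpoint keeps whatever handle value
// it had before, so lookup_endpoint() can still return it.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			// Best effort: the result is not acted upon.
			(void)usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

// Finish configuration after SET_CONFIGURATION: report the power draw, move
// the gadget to the configured state and select interface slot 0.
// Returns 0 on success, -1 for an unknown fd, or the failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

// usb_raw_event followed by storage for a control request and its payload.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

// usb_raw_ep_io followed by storage for up to USB_MAX_PACKET_SIZE data bytes.
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Open /dev/raw-gadget, register the supplied descriptors and answer control
// requests until the OUT callback reports that enumeration is done.
//
// Returns the raw-gadget fd on success, a negative value on failure.
//
// Fix: the fd is now closed when add_usb_index() fails, matching the existing
// `fd >= MAX_FDS` path; in that case the fd was never published in
// usb_devices[], so closing it cannot leave a stale entry behind.
// NOTE(review): the later error returns still leave the fd open and registered.
// They are left as they were because closing there would keep a usb_devices[]
// entry for an fd number the kernel may hand out again.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev,
					   const struct vusb_connect_descriptors* descs,
					   lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		close(fd);
		return -1;
	}
	char device[32];
	snprintf(&device[0], sizeof(device), "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// Clamp before copying: an oversized reply is dropped to zero bytes and
		// the host never receives more than it asked for in wLength.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}

// syz_usb_connect pseudo-syscall: unpack the raw arguments and run the connect
// sequence with the generic OUT-request handler.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// syz_usb_connect_ath9k pseudo-syscall (continues on the following line of this
// listing).
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed =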
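a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
} // end of syz_usb_connect_ath9k(), whose beginning is on the preceding line of this listing

// syz_usb_control_io pseudo-syscall: fetch one control event from the gadget
// and answer it from the caller-supplied descriptor/response tables.
// Returns 0 on success, -1 or the failing ioctl's result otherwise.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): with `||` every standard request takes this path and has
		// wIndex/wValue interpreted as interface/alt-setting, and so does any
		// non-standard request whose bRequest equals USB_REQ_SET_INTERFACE.
		// `&&` looks like the intent - confirm before changing.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index >= 0)
				set_interface(fd, iface_index);
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Clamp to the local buffer and to what the host asked for before copying.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// syz_usb_ep_write pseudo-syscall: send up to USB_MAX_PACKET_SIZE bytes from
// data on the endpoint with address a1. Longer requests are truncated.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// syz_usb_ep_read pseudo-syscall: read up to USB_MAX_PACKET_SIZE bytes from
// the endpoint with address a1 into data.
//
// Fix: the original copied io_data.inner.length (the requested size) back to
// the caller, which hands out uninitialised stack bytes whenever the transfer
// was shorter. Only the byte count reported by the ioctl is copied now (the
// raw-gadget read ioctl returns the transferred length on success).
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	uint32_t got = (uint32_t)rv;
	if (got > len)
		got = len;
	memcpy(&data[0], &io_data.data[0], got);
	sleep_ms(200);
	return 0;
}

// syz_usb_disconnect pseudo-syscall: close the raw-gadget fd.
// NOTE(review): the usb_devices[] entry for this fd is not cleared here, so a
// later descriptor that reuses the same number would match the old entry first.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// syz_open_dev pseudo-syscall.
// a0 == 0xc / 0xb: open /dev/char/MAJ:MIN or /dev/block/MAJ:MIN read-write,
// with a1/a2 truncated to 8 bits as major/minor.
// Otherwise a0 is a path template; each '#' is replaced by successive decimal
// digits of a1 (least significant first) and the result is opened with flags a2.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		// Bounded copy with explicit termination: the template comes from the
		// test program and may be arbitrarily long.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

// syz_open_procfs pseudo-syscall: open /proc/self/<file>,
// /proc/thread-self/<file> or /proc/self/task/<tid>/<file> depending on a0,
// read-write if possible and read-only otherwise.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// syz_open_pts pseudo-syscall: open the slave side of the pty master a0 with
// flags a1.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// syz_init_net_socket pseudo-syscall: create a socket inside the network
// namespace referenced by kInitNetNsFd, then switch back to the caller's
// namespace. errno from socket() is preserved for the caller.
//
// Fix: the descriptor for the current namespace is now closed when entering
// the target namespace fails; the original returned -1 and leaked it.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		int saved = errno;
		close(netns);
		errno = saved;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	// Failing to return to the original namespace is unrecoverable for the
	// rest of the program, hence the hard exit.
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// syz_genetlink_get_family_id pseudo-syscall: ask the generic netlink
// controller for the numeric id of the family called `name`.
// Returns the id, or -1 on any failure.
//
// Fix: the reply attributes are now walked with explicit bounds. The original
// advanced by NLMSG_ALIGN(nla_len) without checking it, so a zero length never
// made progress and a length pointing past the received bytes was followed;
// it also read a header or payload that was only partly inside the reply.
static long syz_genetlink_get_family_id(volatile long name)
{
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0 || (size_t)n < sizeof(*hdr)) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	// Walk by offset so no pointer is ever formed beyond the received bytes.
	size_t off = (size_t)((char*)attr - buf);
	while (off + sizeof(*attr) <= (size_t)n) {
		attr = (struct nlattr*)(buf + off);
		size_t attr_len = attr->nla_len;
		if (attr_len < sizeof(*attr) || attr_len > (size_t)n - off)
			break;
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			if (attr_len < sizeof(*attr) + sizeof(uint16_t))
				break;
			return *(uint16_t*)(attr + 1);
		}
		off += NLMSG_ALIGN(attr_len);
	}
	return -1;
}

// One chunk of a filesystem image: `size` bytes at `data`, to be written at
// byte `offset` of the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)

#define sys_memfd_create 356

// Clamp every segment so that it lies inside [0, IMAGE_MAX_SIZE) and return
// the image size needed to hold all of them (at least `size`, at most
// IMAGE_MAX_SIZE). The segment array is modified in place.
//
// Fix: the required size was computed as offset + offset; a segment ends at
// offset + size.
// NOTE(review): nsegs is clamped to IMAGE_MAX_SEGMENTS only in this function's
// local copy. A caller that afterwards iterates with its own nsegs can still
// touch entries beyond the ones sanitised here.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		// After this, offset + size <= IMAGE_MAX_SIZE, so the sum cannot wrap.
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// syz_read_part_table pseudo-syscall (continues on the following line of this
// listing): builds the image in a memfd and attaches it to this process's
// loop device.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if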
(loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; 
} } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, 
{"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != 
EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } }

// Writes the decimal value nth + 1 to /proc/thread-self/fail-nth and returns
// the still-open descriptor. Exits the process with status 1 if the file
// cannot be opened or the write is short.
// NOTE(review): presumably this arms kernel fault injection for the calling
// thread, with the "+ 1" converting a 0-based index to the file's 1-based
// count - confirm against the kernel fault-injection documentation.
// The descriptor is never closed here; the call site in execute_call
// (case 0) discards the return value, so it stays open in that process.
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	// 16 bytes is enough for any 32-bit int in decimal plus the terminator.
	char buf[16];
	sprintf(buf, "%d", nth + 1);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

// Kills the test process `pid` and its process group, then reaps it.
// `status` receives the wait status of whichever child waitpid reports.
// Does not return until waitpid has returned `pid`.
static void kill_and_wait(int pid, int* status)
{
	// -pid addresses the whole process group; setup_test() calls setpgrp()
	// in the child before the test program runs.
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	int i;
	// Poll up to 100 times, 1000 us apart, for the child to be reaped.
	for (i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	// The child did not exit in time: write one byte to the "abort" file of
	// every entry under /sys/fs/fuse/connections.
	// NOTE(review): presumably this unblocks a child stuck on a FUSE request
	// that SIGKILL alone cannot interrupt - confirm.
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			// Local buffer named `abort`; it hides the libc abort() function
			// for the rest of this loop body.
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// The byte written is the first character of the path ('/');
			// a failed write is deliberately ignored.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	// Blocking wait: loops until the reaped child is `pid`.
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Issues LOOP_CLR_FD on /dev/loop<procid> if that device can be opened.
// `procid` is defined outside this excerpt. Open failure is ignored, and so
// is the ioctl result.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test setup, called in the forked child by loop() before execute_one().
static void setup_test()
{
	// Ask the kernel to SIGKILL this process when its parent dies.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	// New process group, so kill(-pid, ...) in kill_and_wait() reaches
	// everything the test spawns in this group.
	setpgrp();
	// 1000 is the maximum oom_score_adj: this process is the preferred
	// victim of the OOM killer. The write_file() result is not checked.
	write_file("/proc/self/oom_score_adj", "1000");
}

// Writes a fixed set of values to fault-injection control files under
// /sys/kernel/debug. A failed write exits the process with status 1 only for
// entries marked fatal (just the failslab entry); other failures are ignored.
static void setup_fault()
{
	static struct {
		const char* file; // control file path
		const char* val; // value written to it
		bool fatal; // exit(1) if the write fails
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				exit(1);
		}
	}
}

// Treats `text` as the address of a function taking no arguments and calls
// it. Always returns 0. Nothing here validates what is mapped at `text`;
// execute_call (case 12) passes the address of bytes it has just copied into
// the fixed data area.
static long syz_execute_func(volatile long text)
{
	// NOTE(review): presumably stack padding so that the called bytes
	// clobber this array rather than live state - confirm.
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}

// State of one worker thread used by execute_one().
struct thread_t {
	int created, call; // created: worker started; call: index to execute
	event_t ready, done; // ready: work posted; done: worker finished/idle
};

// Pool of 16 worker slots, started lazily by execute_one().
static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently dispatched and not yet finished.
static int running;

// Worker thread body. Waits for `ready`, runs the posted call, decrements
// `running`, signals `done`, and repeats. The loop has no exit, so the
// trailing return is never reached.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs calls 0..40 of the test program once, one call at a time, each on
// the first idle worker thread.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 41; call++) {
		// Take the first worker whose `done` event is set. If every slot is
		// busy, the inner loop ends without dispatching and this call is
		// skipped.
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// A fresh worker starts out idle.
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Wait for the call with a base timeout of 45 plus a per-call
			// allowance for calls 28 and 34-40 (units are those of
			// event_timedwait, presumably milliseconds - confirm). The
			// result is not checked: on timeout the call keeps running on
			// its thread while the next call goes to another worker.
			event_timedwait(&th->done, 45 + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 3000 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 300 : 0) + (call == 40 ? 300 : 0));
			break;
		}
	}
	// Give outstanding calls up to 100 further sleep_ms(1) periods to finish.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Runs the test program repeatedly, each iteration in a freshly forked child
// with its own working directory "./<iter>". The loop has no exit condition;
// the process leaves it only through exit(1) on mkdir or fork failure.
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			// Child: run one pass of the program inside the new directory.
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		// Parent: poll for the child; once 5 * 1000 time units (as returned
		// by current_time_ms) have elapsed, kill and reap it.
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers, used only when the system headers do not define
// them. NOTE(review): the values look like the 32-bit x86 numbers, which
// would match the linux/386 test case named in the log header - confirm.
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
// Every later use of __NR_mmap resolves to __NR_mmap2, whatever was defined
// above.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots shared between calls: execute_call stores values produced by
// one call (for example `r[0] = res`) and passes them to later calls. Each
// slot starts as either 0xffffffffffffffff or 0.
uint64_t r[18] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/zero\000", 10); inject_fault(0); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x161000, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, (intptr_t)r[0], 0x3305, 0); break; case 2: memcpy((void*)0x20000040, "l2tp\000", 5); syz_genetlink_get_family_id(0x20000040); break; case 3: memcpy((void*)0x20000080, "/dev/dlm-control\000", 17); syscall(__NR_openat, 0xffffff9c, 0x20000080, 0x20000, 0); break; case
4: *(uint32_t*)0x200000c0 = 0x17; syscall(__NR_setsockopt, (intptr_t)r[0], 0x10e, 2, 0x200000c0, 4); break; case 5: res = syscall(__NR_mmap, 0x20ffa000, 0x4000, 0x2000000, 0x1010, (intptr_t)r[0], 0x10000000); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_socket, 0x23, 5, 2); if (res != -1) r[2] = res; break; case 7: res = syscall(__NR_io_uring_register, -1, 9, 0, 0); if (res != -1) r[3] = res; break; case 8: *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0; *(uint32_t*)0x200003c4 = r[2]; *(uint64_t*)0x200003c8 = 0; *(uint32_t*)0x200003d0 = 0x20000380; *(uint32_t*)0x20000380 = 0x20000100; *(uint32_t*)0x20000384 = 0x80; *(uint32_t*)0x20000388 = 0x20000240; *(uint32_t*)0x20000240 = 0x20000180; *(uint32_t*)0x20000244 = 0x93; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x20000280; *(uint32_t*)0x20000394 = 0xca; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x200003d4 = 0; *(uint32_t*)0x200003d8 = 0; *(uint64_t*)0x200003dc = 1; *(uint16_t*)0x200003e4 = 3; *(uint16_t*)0x200003e6 = r[3]; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; syz_io_uring_submit(0, r[1], 0x200003c0, 0x10001); break; case 9: *(uint32_t*)0x20000440 = 4; syscall(__NR_ioctl, -1, 0x4b63, 0x20000440); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0xaa; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; 
*(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 3, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000000e, 1, 31, 1); *(uint8_t*)0x20000012 = 0x11; *(uint8_t*)0x20000013 = 2; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; memcpy((void*)0x20000016, "\xf4\xeb\xe4\x02\x16\xfe\xde\x5e\xf6\xc5\x31\x0f\x04\x13\xc5\xd4\x1b\x32\xfc\x23\xe0\x7f\xd3\x32\xa8\xa5\xc5\xf9\x66\x82\x1d\xa0\x91\xf4\x7b\x7b\x9c\xf9\x22\x87\x27\xff\x74\x12\xc2\xe4\xa3\xa1\x57\x3b\xb2\x95\x48\x2d\x7b\x4a\x3e\xff\xd8\x63\xcc\x60\xf5\xd8", 64); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0xd2d; *(uint32_t*)0x2000008c = 0xc61; *(uint32_t*)0x20000090 = 0x6d3; *(uint32_t*)0x20000094 = 0xbe2; break; case 11: *(uint8_t*)0x200000c0 = 2; STORE_BY_BITMASK(uint16_t, , 0x200000c1, 0xc9, 0, 12); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 3, 4, 2); STORE_BY_BITMASK(uint16_t, , 0x200000c2, 1, 6, 2); *(uint16_t*)0x200000c3 = 0xa; *(uint16_t*)0x200000c5 = 6; *(uint16_t*)0x200000c7 = 5; *(uint8_t*)0x200000c9 = 0x13; *(uint8_t*)0x200000ca = 0x7f; *(uint16_t*)0x200000cb = 2; *(uint16_t*)0x200000cd = 0; break; case 12: memcpy((void*)0x20000100, "\xc4\xc2\xcd\x45\xf1\x8f\xe8\x00\xed\xb8\x5c\x2f\x00\x9e\xe9\x64\x36\x36\x0f\x28\x11\xc4\xc3\xc9\x0b\x6b\x07\x87\xc4\xc2\xf1\xa6\x03\xf3\x0f\xa6\xd0\xf3\x6f\x65\x0f\xfa\x0e\xc4\xc2\x1d\x2f\x9f\x5a\xac\x38\x4f\x3e\x65\xf3\xab", 56); syz_execute_func(0x20000100); break; case 13: break; case 14: memcpy((void*)0x20000180, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000180); break; case 15: syz_init_net_socket(3, 3, 0xcc); break; case 16: res = syscall(__NR_mmap, 0x20ffd000, 0x2000, 0x3000001, 0x80000, -1, 0); if (res != -1) r[4] = res; break; case 17: res = -1; res = 
syz_io_uring_complete(r[4]); if (res != -1) r[5] = res; break; case 18: *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0xd9fd; *(uint32_t*)0x200001c8 = 0x20; *(uint32_t*)0x200001cc = 0; *(uint32_t*)0x200001d0 = 0x308; *(uint32_t*)0x200001d4 = 0; *(uint32_t*)0x200001d8 = -1; *(uint32_t*)0x200001dc = 0; *(uint32_t*)0x200001e0 = 0; *(uint32_t*)0x200001e4 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint32_t*)0x200001f8 = 0; *(uint32_t*)0x200001fc = 0; *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; res = syscall(__NR_io_uring_setup, 0x3a3b, 0x200001c0); if (res != -1) { r[6] = res; r[7] = *(uint32_t*)0x200001d8; } break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xb18d; *(uint32_t*)0x20000248 = 0xab3a8d6e; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000250 = 0x158; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = r[7]; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = -1; res = syz_io_uring_setup(0x17a8, 0x20000240, 0x20ffb000, 0x20ffd000, 
0x200002c0, 0x20000300); if (res != -1) r[8] = res; break; case 20: *(uint32_t*)0x20000340 = 0; *(uint32_t*)0x20000344 = 0x15f8; *(uint32_t*)0x20000348 = 0x20; *(uint32_t*)0x2000034c = 2; *(uint32_t*)0x20000350 = 0xd2; *(uint32_t*)0x20000354 = 0; *(uint32_t*)0x20000358 = -1; *(uint32_t*)0x2000035c = 0; *(uint32_t*)0x20000360 = 0; *(uint32_t*)0x20000364 = 0; *(uint32_t*)0x20000368 = 0; *(uint32_t*)0x2000036c = 0; *(uint32_t*)0x20000370 = 0; *(uint32_t*)0x20000374 = 0; *(uint32_t*)0x20000378 = 0; *(uint32_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = 0; *(uint32_t*)0x2000038c = 0; *(uint32_t*)0x20000390 = 0; *(uint32_t*)0x20000394 = 0; *(uint32_t*)0x20000398 = 0; *(uint32_t*)0x2000039c = 0; *(uint32_t*)0x200003a0 = 0; *(uint32_t*)0x200003a4 = 0; *(uint32_t*)0x200003a8 = 0; *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = 0; *(uint32_t*)0x200003b4 = 0; res = -1; res = syz_io_uring_setup(0x6b11, 0x20000340, 0x20ffb000, 0x20ffb000, 0x200003c0, 0x20000400); if (res != -1) { r[9] = *(uint64_t*)0x200003c0; r[10] = *(uint64_t*)0x20000400; } break; case 21: res = syscall(__NR_socket, 0x1f, 3, 3); if (res != -1) r[11] = res; break; case 22: res = syscall(__NR_io_uring_register, (intptr_t)r[5], 9, 0, 0); if (res != -1) r[12] = res; break; case 23: *(uint8_t*)0x20001700 = 0xa; *(uint8_t*)0x20001701 = 2; *(uint16_t*)0x20001702 = 0; *(uint32_t*)0x20001704 = r[11]; *(uint64_t*)0x20001708 = 0; *(uint32_t*)0x20001710 = 0x200016c0; *(uint32_t*)0x200016c0 = 0x20000440; *(uint32_t*)0x200016c4 = 0x80; *(uint32_t*)0x200016c8 = 0x200015c0; *(uint32_t*)0x200015c0 = 0x200004c0; *(uint32_t*)0x200015c4 = 0x2c; *(uint32_t*)0x200015c8 = 0x20000500; *(uint32_t*)0x200015cc = 0x1000; *(uint32_t*)0x200015d0 = 0x20001500; *(uint32_t*)0x200015d4 = 0x28; *(uint32_t*)0x200015d8 = 0x20001540; *(uint32_t*)0x200015dc = 0x4a; *(uint32_t*)0x200016cc = 4; *(uint32_t*)0x200016d0 = 0x20001600; *(uint32_t*)0x200016d4 = 0xb9; *(uint32_t*)0x200016d8 = 0; 
*(uint32_t*)0x20001714 = 0; *(uint32_t*)0x20001718 = 0x2000; *(uint64_t*)0x2000171c = 1; *(uint16_t*)0x20001724 = 3; *(uint16_t*)0x20001726 = r[12]; *(uint8_t*)0x20001728 = 0; *(uint8_t*)0x20001729 = 0; *(uint8_t*)0x2000172a = 0; *(uint8_t*)0x2000172b = 0; *(uint8_t*)0x2000172c = 0; *(uint8_t*)0x2000172d = 0; *(uint8_t*)0x2000172e = 0; *(uint8_t*)0x2000172f = 0; *(uint8_t*)0x20001730 = 0; *(uint8_t*)0x20001731 = 0; *(uint8_t*)0x20001732 = 0; *(uint8_t*)0x20001733 = 0; *(uint8_t*)0x20001734 = 0; *(uint8_t*)0x20001735 = 0; *(uint8_t*)0x20001736 = 0; *(uint8_t*)0x20001737 = 0; *(uint8_t*)0x20001738 = 0; *(uint8_t*)0x20001739 = 0; *(uint8_t*)0x2000173a = 0; *(uint8_t*)0x2000173b = 0; syz_io_uring_submit(r[4], r[10], 0x20001700, 0xad23946); break; case 24: res = syscall(__NR_fsmount, (intptr_t)r[5], 1, 0x84); if (res != -1) r[13] = res; break; case 25: *(uint32_t*)0x20001740 = r[6]; *(uint64_t*)0x20001744 = 3; *(uint64_t*)0x2000174c = 6; *(uint64_t*)0x20001754 = 0x1000; res = syscall(__NR_ioctl, (intptr_t)r[8], 0xc01cf509, 0x20001740); if (res != -1) r[14] = *(uint32_t*)0x20001740; break; case 26: *(uint32_t*)0x200017c0 = 0; *(uint32_t*)0x200017c4 = 0x20001780; memcpy((void*)0x20001780, "\xe7\xbe\xd2\x38\x54\x76\x95\xa7\x89\x57\xb5\x74\xba\xcb\x6d\xbc\x56\x7a\x32\x32\xe7\x65\x59\xb4\xea\x39\x31\xb6\x08\x57\x8a\x24\xda\x4c\x74\x97\x95\x97\x5b\x0a\xe5\x1d\xa8\xa8\x6d\xde\x75\xb1\xd6\x84", 50); *(uint32_t*)0x200017c8 = 0x32; *(uint64_t*)0x20001800 = 1; *(uint64_t*)0x20001808 = 0; syz_kvm_setup_cpu(r[13], r[14], 0x20fe8000, 0x200017c0, 1, 0, 0x20001800, 1); break; case 27: *(uint32_t*)0x20001840 = 0; syz_memcpy_off(r[9], 0x114, 0x20001840, 0, 4); break; case 28: memcpy((void*)0x20001880, "afs\000", 4); memcpy((void*)0x200018c0, "./file0\000", 8); *(uint32_t*)0x20002900 = 0x20001900; memcpy((void*)0x20001900, 
"\xf1\xfd\x85\xc4\x6a\x07\x34\x5a\x88\x13\x28\x7b\x13\xf2\x1a\x08\x40\x90\x39\x26\xae\xf8\xfa\x2c\xb5\xf6\xe0\x10\xd1\x4f\x70\x30\x37\x67\x97\x11\x5f\xff\x5a\x94\x80\x41\x34\x8d\x82\x7d\xbd\x67\x8e\x20\x92\x8d\xc4\xb2\x24\xe0\xec\x33\xe5\x0b\xf6\x99\xf1\xed\x1e\x39\xdf\x43\xd8\x99\xeb\x1a\x37\xc8\xd1\x16\x31\xe7\xb7\x75\xfc\x82\x61\x19\x01\xef\x7d\xb3\x71\x4e\x0e\xf5\x9b\x98\xd9\xd7\xd9\x11\x4b\xa1\xba\x76\xa7\x2e\xdc\x93\x80\x33\x59\xb9\x99\x4b\x50\x4f\x9e\x77\x90\x37\x5f\xa5\x0f\xce\xab\x9c\x0f\x21\x03\x85\x72\x2f\x2a\x05\x4c\x09\xfe\xcf\x4a\x04\xcc\xfa\xca\xac\x9d\x40\xbe\xbb\x2e\x2b\xcc\x94\x8d\x32\x72\x63\xb0\xfa\x73\x5b\x75\x3f\xa3\x67\xf5\x53\x13\xbd\x6d\xf7\x47\x6a\x99\x61\xbe\xf3\xe5\x80\x6a\xe5\x3b\xf7\x23\x34\x74\xb6\x37\x26\x6e\x9f\xd6\x94\xfb\x30\xa5\x03\xfb\xa0\x53\xc4\x65\x62\x93\x6b\xb3\xb8\xfd\xd3\x8d\xa2\x3e\x72\x25\x86\x8f\x8c\xf1\xe7\xd2\x7c\xac\xb6\x90\x75\x65\x7b\x3c\xa8\x0f\x8b\xe0\xb8\xe0\x43\xdb\x62\x0f\x08\x72\x23\x1b\x8a\x31\x08\xc4\xa1\x0b\x8b\x72\x3b\x64\x6b\x3c\x6d\x5f\x37\x05\x58\x64\x09\x24\xa9\x3b\xa2\x5d\xb1\x74\x6c\xf2\xea\x14\x1b\x03\x85\xac\x0c\xf9\xe7\xac\xc8\xfd\xdd\x8e\xe3\x2f\xb9\x88\x49\x1e\x45\x45\x64\xeb\x14\x2e\xc8\x40\x24\x38\xdd\xb1\xd0\xbe\xd6\xd2\x85\xa2\xa4\x08\xa9\xed\xc5\x27\x76\xe3\xae\x70\x21\xc1\x09\x43\xee\xf0\xaf\x02\x70\x37\x22\x13\x62\x7d\xd4\x25\x3d\x95\xa3\x6a\xcd\x29\xf8\x09\x5c\x64\x28\xf1\xc4\x6c\x3e\xb2\x12\x27\xd0\x46\x06\xb5\xc9\x22\x54\xe9\xce\x3e\x22\x0a\x8b\x8a\x28\x1c\x8d\x8e\x9c\x83\x07\x9e\xa1\xdf\x4a\x90\xdb\x9f\x08\xa5\x8c\x80\x3d\x8e\xc2\xbf\xcc\x99\xf1\xac\xd5\xf0\x62\x50\x43\xeb\x4a\x83\x17\x9e\x2d\x37\xc0\x76\x57\xe4\xb7\x47\xad\xcb\x09\x79\xa2\x30\xde\xa4\xf0\x79\xf2\x20\x84\x87\x09\xf2\xbb\x38\xc3\x4a\x22\xc5\xb3\xca\xf9\x4a\x02\xfc\x5f\x1c\x4d\x01\x3c\x16\x5a\xbf\x74\xbe\xd9\xd0\x28\xa5\xd8\x4e\xc1\x50\x37\x7f\x49\x8e\xe0\xe2\xa8\x6b\xf0\x4b\x97\xee\x40\xaf\x98\x82\xbf\xad\xec\xf5\xe1\x25\xfc\x90\x9d\x25\x0d\x92\xa3\x11\x66\xd6\x11\x21\xb5\x36\x45\x24\xb6\x35\x1e\x0b\x6a\x66\xdc\xde\xe
b\x52\x49\xeb\xab\xb8\x65\xf1\xf4\xa1\xa8\x0a\xda\x5d\x69\x5d\x3a\x37\xb2\x14\xc9\xf0\xd9\x25\x07\xdb\x1b\x8d\x80\x8a\x96\xf0\x89\x02\xef\x8c\x97\xe2\x2b\x75\x49\x75\x38\xf5\x4f\xf9\x44\xa1\x91\x42\xb6\xae\x1b\x86\x36\x50\x0e\x2f\x39\x20\xa3\xab\x34\x1d\x8d\x1d\xb2\x2d\xc6\x4e\x1d\x68\x38\x21\x62\xb4\x89\xea\xad\xe6\x68\xba\x38\xe6\xe7\xec\xf6\x16\x26\xc7\x19\x37\x8a\x8e\xbf\x08\xec\x3d\x5d\xa6\x71\x64\x61\xe2\x06\x86\x9b\x33\x5c\xcb\xaf\xbc\x73\x64\x99\x83\x79\xd8\x94\xb9\xc6\x04\x41\xd9\x87\x97\xef\xf0\xd0\x4c\xe3\xfb\xf4\x19\xeb\x9c\x5c\x77\x8d\xbd\xc6\x03\x1b\x19\xfe\xa1\x3a\xdf\x11\x1d\xd4\x96\x28\x09\x3d\xa4\x1c\xe2\x52\x59\x5e\xa3\xd0\xb6\xdd\x96\x36\x4f\xe2\xe3\x75\x04\xbc\x66\x17\x04\x4f\xf1\xd0\xd2\x7f\x75\x9d\x1f\xaa\x8a\xe8\x54\xa1\x72\xda\x0b\x22\x73\x05\xbc\x63\x0a\x46\xb8\xe5\xbb\x9f\x8a\xa4\x0b\x95\xa4\xb6\xd5\xc3\x7b\xdd\xd0\x96\x8e\x19\x2d\x57\x24\x20\x78\x43\x4f\xde\xf9\xaf\xdc\x8f\x18\x39\x7d\xf1\xca\x6e\x76\xbd\xc7\x18\x45\xfb\xa2\x81\x8e\xf8\xf1\xc1\xdb\xf0\xa9\x2d\xde\xe3\xc8\xc1\xcf\xdd\xfb\x64\x43\x94\x19\xe6\x3f\x98\x11\xab\x5d\xaf\xd1\x5b\x2f\xf2\xa9\xc0\x41\x33\x16\x51\xc7\xaf\xe7\x86\x28\x75\xbf\x99\x61\x80\x6f\xac\x69\x4b\xef\x5f\x78\xfb\x9c\xd6\x4c\x33\x84\x86\x37\x44\x4e\x67\x52\x20\x03\x95\xe3\x73\x1d\x02\xdb\x34\xc2\x1f\xca\x31\x1d\x33\x9e\x81\x97\x32\xed\xe1\x83\x94\xb4\x5c\x4c\xbb\xbf\xfd\x45\xfd\xf5\x08\x28\x5d\x26\xda\x5b\x3c\xed\xe6\x92\xaf\x4e\xf2\xf4\x2c\x73\x4b\x52\x28\x64\x75\x5d\xcd\x71\x9c\x93\xb2\x68\x43\x8f\x9b\x0f\x1a\xdd\x57\x4c\xf7\x21\x89\x21\xdf\x68\xc4\x96\x68\x3c\x62\x76\x11\x5c\x07\x4d\x42\x0f\x23\x86\x1e\xeb\x82\x03\x1e\x99\x8c\x08\x33\xd1\xcb\xbb\x5b\x33\x4a\x13\x60\x6a\x0b\xc4\x06\xc4\xc8\xb1\xc2\xbf\x8d\xf5\x57\x32\x4d\x2c\x94\xcb\xe4\xc2\x90\x80\xb6\x32\x34\xb1\xbb\x74\xe5\x85\x4e\x42\x2e\xb4\x6f\x73\x69\x78\xe2\x94\x3e\xbd\x28\xaf\x46\x7b\xd0\xee\x09\x6b\x95\x2f\xf5\xf0\xb2\x28\xc7\xef\x94\x6f\xd4\x72\x49\x3b\x0e\xac\xa9\x37\x84\x01\x66\x9f\x1b\xe6\x75\x23\x0e\x56\xbc\x19\xe4\xec\x12\x34\xfc\xb4\xea\x12\x2
d\xd2\x04\x83\x01\x09\x68\x9c\xad\x7e\x3d\x70\x2a\xb3\xe9\x2e\x59\x01\x6a\x64\x0c\xce\x4e\x1e\x57\xd6\xe9\x45\x56\xe7\xee\x1f\x7c\x58\x63\x09\x04\x4b\xdc\xa4\xa7\xb2\xce\xbb\x4b\x3f\xab\xfd\x57\x8e\xd6\xc6\x85\x89\xb8\xaf\xcd\x4d\x0e\x5a\xb1\xb7\xee\xf6\xf8\x2c\xd2\x08\xe3\xec\xe7\x6e\x3b\x73\x33\x1f\xba\x03\xfb\x54\x47\x01\x29\x92\x74\x10\x42\x10\x6e\xd7\xd3\x86\xa1\x43\x3f\xe8\xd4\xc6\xbc\xe8\x22\xff\x8f\xfe\x1b\x38\x2a\xa7\x12\x47\x31\xa9\xad\x6e\x1a\x52\xc7\x82\x66\x17\x4a\x4f\xef\xe9\x86\xa5\x08\xf6\x64\x25\x77\x30\x3f\x91\xea\x4e\xfb\x32\x84\x3c\x6b\x33\x1b\x32\xf2\x45\x53\xa0\xc1\x30\x16\xd9\x1a\x23\x0a\x55\xd8\x1f\xeb\x7d\xfc\x48\xad\x15\x7c\x7c\x2f\xc6\x32\x53\x08\x10\x21\xd1\xc6\x53\x56\x51\x39\x03\xdd\xbd\xe8\xd3\xfd\x0d\x51\x74\x7f\x3e\xaa\xaf\x9d\xb9\xd6\xb4\xbd\x70\x69\xd8\xba\x53\xd4\xd1\x00\xee\x27\x27\x97\x95\x94\xc2\xfa\x80\xb9\xaa\x0e\xdd\x70\xe3\xd7\x02\xfb\x5b\x6c\xd2\x77\xee\xb4\x87\x55\x58\x86\xf8\x5b\x65\x7c\xd9\xeb\xa6\x41\xb2\x8b\xf1\xe7\x62\x30\x0f\x3e\x29\xc5\xa8\xd8\xbf\xe0\x77\xbd\xef\x7c\x9e\x2c\x4c\xfa\xd8\xfc\x36\x46\x70\xd7\xcd\x6a\xc7\xa8\x63\x22\xe6\x67\x76\x0e\x24\x03\xc4\x83\x8d\x61\xfa\x86\x69\xa4\xf6\x21\x14\xee\xf4\x23\xf0\x91\x32\xe2\x0b\xb9\x5b\xa3\x52\x2a\xc3\x10\x49\xc4\xa3\xd5\x81\xaf\x3c\x57\x84\x91\x0f\xba\x88\xcd\xee\x1c\xef\xf4\xdd\xae\xd8\x27\x11\x9c\xed\x53\x61\x94\x7d\x0e\x31\xa9\xc4\xd2\x52\x63\xa5\x36\x54\xb8\x2f\xc1\x3b\x91\xf4\x45\x08\xdd\x19\x3c\xa1\xef\x26\xd9\x30\xa6\xb0\x81\x05\x86\xd4\x02\xba\x05\x54\xfa\xce\x5c\x3e\xd0\x77\x67\x1d\x50\xd2\x88\x65\xbf\xff\x35\xca\x3a\x4d\xab\xdb\xd6\xe3\xb0\x70\x59\x32\x0f\x53\xe5\xc4\x9d\x73\xcc\x16\xdd\x1e\xd2\x81\x6a\xc9\x8a\xd3\x85\x3c\x36\x88\x29\xc7\xbe\xc4\x0c\x4a\x9b\x39\xee\x3b\x73\x0b\xbd\x6c\x15\x2f\x35\x8e\x99\x11\x30\x8c\x12\xed\x12\x06\x56\x1f\xc7\xcf\x7c\xb4\x77\x14\x5f\x1a\xaa\xce\x66\xac\x5c\x44\x68\xac\xb2\xf6\x01\xc6\x1e\x4b\x11\x8b\xe2\x05\x6b\x6d\xbc\x18\x60\x9b\xfd\x41\x05\xee\xe1\x8b\xe3\x84\xa1\x99\x13\xd2\x74\xd9\x20\x39\x79\x0c\xb8\x74\x20\xb9\xf
d\xd7\x0e\x73\x43\x09\xfc\x7a\xfe\x09\xe1\x1f\x78\x0d\x6e\xe6\x24\x31\x75\x90\x7a\x4a\xee\xcb\x6c\xa0\x70\xa3\x37\x4b\xe5\xd3\xd0\x7a\x78\x8e\xa4\xe1\xf9\xd6\xf1\x8e\xff\x9e\x79\x64\xd7\x07\x6c\xb5\xb9\x3c\xd9\x73\x38\xec\x05\x44\x8e\xc5\x27\xcc\xa6\x67\x90\xbf\xe3\x2c\x5b\x26\x62\xd7\xfc\x6b\x83\x6b\x41\xbf\x32\xe5\xbc\x0d\xdf\xe4\x2d\x59\x73\xdb\x86\xf8\xae\xd5\x6e\x43\x11\x2b\x45\xb0\xf7\x92\xc5\x39\x45\x99\xa1\x3e\x73\xc2\x50\x12\xb5\xaa\xcd\x3a\xef\x11\x24\x73\xc4\xe2\xe3\xab\x6a\xeb\xf5\xaf\x6d\xe9\xe7\x8a\xc0\x47\xfc\xc2\x76\xfd\x97\x6f\x25\x02\x2c\x65\xc3\x0a\x9f\xd6\x72\x03\xf1\x9e\x33\xb3\x5c\xfb\xcf\xdf\xf3\x95\xc5\xbb\x53\xf2\xfd\x79\x28\xe4\x3e\x62\x28\x47\x28\x07\x80\xb8\xcc\x81\x5f\xb4\x85\x18\x91\x05\xa1\x24\xcd\x86\x27\xcc\x3d\x5f\x1a\x9d\xd8\x00\xd4\x7a\x22\x6e\xbf\x90\x7e\xb2\xf4\x91\x33\xd1\x17\x58\x8d\x28\x0f\x4c\xc4\x3d\x95\x25\x4d\x88\xc8\x75\x3d\x96\x07\x3f\x97\xc5\x31\xf5\x1e\x55\x96\xe2\xe9\x71\xa2\x16\x1b\x78\xf7\x5e\xdc\xfb\xd9\xde\x38\xf0\xa9\x28\x4b\x7c\xce\xef\x87\x59\x8f\xa3\xbc\xfa\x5d\xbc\xbd\x1d\x28\x4c\xf8\x0c\xb7\x75\x54\x65\x89\x9d\x36\x2d\x9e\x40\xc6\x4c\x1a\x1e\x4c\xc4\x5c\x38\x71\xb2\x10\x4c\xa4\x0c\x05\x72\x9d\xcc\xbf\x6d\x0a\x17\x50\x0e\x5d\x0d\xff\xa3\x44\x3a\x52\x33\xe2\x79\xb2\xf9\xc5\x18\xb6\x97\x34\x0d\x26\xd2\x87\x26\x60\xc7\x1a\x49\x57\x10\xee\x00\x9f\xfb\x98\x9e\xbb\x5b\xef\xe5\x17\x69\x25\xb7\x8c\xde\xb1\xe8\x11\xc5\x1e\xcd\xb0\x1a\x47\xec\x1d\x1d\x0e\xf2\x02\x4c\x9a\x66\x6f\x6b\xc5\xeb\xe1\x3e\x77\x3f\x89\xf4\xc8\x0b\xaa\x1d\x66\x0c\x05\x1c\x26\x72\xf9\x1c\x21\xdb\x5f\xf2\xd5\xa7\x01\x26\xdc\x69\x14\x0e\xe2\x16\xc4\x5b\xdd\x0a\x7b\x52\x79\xde\xce\x2f\x58\x3b\xc2\x4f\xc6\x3c\xae\x88\xae\x75\x57\x22\x40\x48\x23\xc5\xc2\x16\x84\x9d\xcd\x10\x85\xba\x99\x02\xcb\x24\x8a\xc5\xd1\x92\xc3\xbd\xc5\x37\x39\x2a\x7c\x9e\xd3\xc3\x59\xbb\x6d\x49\x34\x62\x5f\x5f\x7a\x6d\xd5\x1b\x78\x57\x3f\xc7\x26\xad\xab\xc9\x1f\x41\x96\x05\x86\xf6\x4c\x39\x26\x11\x26\xea\x67\xdf\xc3\x2c\x5a\xe5\xf7\xd6\xed\x88\x74\x73\x60\x41\x8d\x42\xa0\x08\xd
9\xcf\xc5\xef\x15\xf9\xc5\x88\xdb\xb9\xec\xc3\x74\xba\x19\xab\x60\xa3\xba\x33\xfb\xd1\xb8\x04\x77\xb0\x20\x4e\x67\xc8\x45\xf9\xf6\xab\x58\x9c\x58\xb5\x78\xcc\xa5\x8a\xf3\x22\xae\x66\xb9\xb1\x2e\xd9\x53\x70\x3d\x13\x93\xd8\xec\xe9\xc6\x70\x66\x4f\xdb\x6b\x1f\xfa\x10\x27\x1a\xbc\x0e\x51\xd5\x7b\x59\x10\x2e\x26\x40\xbe\xa0\x9e\x91\x12\x94\xc3\x5a\xbc\x86\x16\x99\x0a\x57\x29\xbf\x73\x9a\x8e\x22\x77\x4a\x68\x0d\x57\x70\xb8\x58\xb9\x32\xfe\x59\x5b\x73\x22\x32\x8a\xe7\x92\x07\x8a\xd2\x8d\xb4\xd5\x4c\xbd\x7c\x98\x68\xfc\xbe\x6e\xed\x0b\x0a\xa7\xb7\xab\xbf\xb1\xb8\xef\xce\x2d\xd5\xc1\xe2\x9b\xac\x66\xab\x7f\x80\xfe\x7a\x65\xd2\xda\x18\x38\x66\x0e\x94\x06\x6a\x6b\x2e\x3b\xdb\x89\x7e\x55\x1b\xc0\x37\xd7\x79\xdb\xb6\xcb\x9b\xdc\xa7\x03\x0e\xf8\x22\x6b\x96\x8d\x5a\x85\x7c\xb4\x24\xa9\xbd\x71\xec\xf3\xe0\xdf\x3b\xca\x6b\x91\x95\x90\x5e\xd0\x5e\x73\xd0\x36\x7f\x16\x49\xee\xd5\x49\xd9\xc3\xd4\x7e\x2f\x31\x2c\x17\x0d\xc9\x4a\x70\x1d\x42\x04\x60\xe1\x00\x0e\x23\x70\x21\xc6\xb7\xb1\xbc\x08\xb3\x5c\x10\x43\xc6\xe8\x99\xed\x58\x7e\xf7\xdf\xb6\xe1\xc7\xb6\xe1\x1e\x3a\x2f\xb4\x34\x8a\xbc\xc9\xed\x18\x31\xee\x37\x3d\x00\x45\x40\xa7\x3a\x4c\x78\xf9\xd3\xab\xb1\x01\xc7\x87\xba\x23\x9d\xf6\x63\x92\x4e\xf8\x4e\x3b\x43\x68\x68\xb6\x3c\xd7\x4f\x4d\x47\xac\x9e\xbc\xe3\x81\x4b\xbd\xb3\x7e\xee\xc3\xfe\xa1\xf9\x06\x88\xd1\x6f\xf3\x28\x5d\x35\x97\x45\xf9\xc1\xb6\xdc\xfa\x98\xbc\xd3\x2a\xca\xcc\xd9\x35\x0c\x07\x05\x79\xaf\x49\xc6\xdd\x8e\x62\xb3\xe1\x16\x16\xb9\x56\x05\xb5\xe6\x7c\x90\xc3\xdb\x1b\x83\x01\xde\x61\xbd\xfa\x55\x8e\xe6\xd1\x3f\x20\xa7\x8d\x40\x7e\x4f\x44\xca\x79\x3c\xe3\xd9\x58\xe1\x52\x2f\x1a\x64\x27\x6a\xc8\x86\x3d\x1a\x68\xb5\xb6\x4e\x03\xec\x0b\x22\xb0\xa7\x87\xbb\xa7\xb4\x62\xfd\xdf\x8d\xa7\xd1\x01\x8b\x32\xa1\x32\x82\xbd\x1e\x83\x06\x0a\x67\xc7\xda\x96\xe4\x6e\x3b\x32\x2a\x5d\x8e\x05\xba\x67\xb3\xac\xa1\xc5\xd1\xbf\x13\x6a\x57\xb3\xaa\x68\x77\x7f\x00\xbf\x10\x2d\xdd\xb1\xde\xc2\x1d\xb3\x09\xf4\x85\x5d\x9c\x08\xed\xc5\x80\xd6\x52\xa6\x89\x42\x0b\xf6\x25\x38\xb5\xaa\x26\x30\x57\x09\x8
1\x21\xd8\x2d\x87\xe2\x9e\xe2\x6b\x5d\x52\x88\x02\x3e\x50\x1f\xf2\x73\x0b\xce\xf0\x0b\x98\xf1\x3c\x40\xbc\x2d\xa1\xa1\xbc\xa1\xcd\x66\x64\x84\xf1\xa3\xf5\xc8\xb6\xff\xaf\x46\x8f\xbe\xaa\xf5\xab\xfd\x74\x39\x6f\xbc\x46\x0e\x0f\xd2\xb4\x40\xf5\xe5\x63\x27\xe6\x34\x90\x73\x11\xdc\xe9\x8e\xc0\x75\xe9\xee\x32\x87\xf7\xd2\xdc\xd6\x44\x93\xe5\xc5\xce\x09\x6b\xb2\x9d\x77\xaa\x49\xa9\xf6\x77\xe6\x8e\xfd\x44\xcf\x35\xb5\xa0\xd6\x9f\x1e\xc8\x87\xa5\xf1\xf3\x5e\x44\xaf\xe3\xb6\x90\x4e\xf0\x26\xb3\x65\x1c\x69\x7d\xc2\xaf\x46\x66\x2b\x92\x36\x64\x20\x1e\x4b\xae\xdc\x28\xe8\x5f\x33\xd0\xfc\xce\x83\xec\xb0\x1d\x04\xf5\xa0\x82\x6d\xf9\xfb\xfe\x7d\x92\xe3\x1d\xb7\x62\x02\x53\x3f\xa8\xbd\xbd\x4f\x14\x74\x4f\x84\x85\x94\x8f\xf0\xe4\x0e\xc7\x7d\x2a\x2c\xca\xc3\x4f\x38\x9a\x4f\x6b\x0e\x1f\x84\xf5\x27\xb1\x28\x2b\x4b\xa5\x3c\xc0\xa5\x34\x68\xeb\x13\x62\xd8\x7f\x33\x4f\x17\x6d\x94\x8d\x9d\x7f\xc1\x90\xa1\xfa\xbb\x36\x74\x53\x85\x94\x5f\x27\xd4\x4c\x13\x64\x36\xee\xed\xca\x1a\xd4\x94\x5c\x9d\x73\xd6\xa2\xd7\x22\x5a\x1f\x7f\xa4\x9a\x2b\x2b\x56\xd3\xa4\x03\xa8\xdd\xd0\x3d\x70\x1b\xb8\xba\x36\xc2\x75\xb0\x5d\xb3\xb6\x06\x38\xb9\xa2\xa2\x34\xcb\x63\xb8\x09\xeb\xfc\x9a\x77\x1a\xc7\x12\x76\x2f\x7e\x96\xc5\x38\xe1\xc5\x4a\x79\x12\xb9\x59\x44\x63\x2d\x6d\x60\x59\x4b\x90\x0e\x17\xee\x32\x7b\x2b\x2b\x13\xbe\x28\x44\x06\x1f\xd1\xe3\x50\xe4\x71\x21\xfd\x71\xf1\x30\xa5\xae\xb5\x15\x3c\xcb\x8e\xce\x99\x59\x0f\xf9\x3e\xa9\x8e\xe5\x89\xa0\xa4\x28\x8b\xb6\xa3\x59\x0b\x1c\x6e\x89\x00\x8b\xbd\x2d\xc7\xad\x38\x74\x83\x69\x40\x5c\x9f\x8c\x37\xfa\x75\xdd\x2f\xf4\xa3\x84\x56\x1d\x03\x09\x48\xc3\xd1\x64\x66\xe4\xf0\x37\xe5\x4d\x3d\xca\xbd\xe0\x2f\xb3\x5c\x62\xb3\x16\x92\x65\xc0\xaf\x80\x18\xa8\x6c\x3f\xcf\x32\x68\xc1\xa9\x1e\x71\x31\xf8\x9c\xf7\x84\x1b\xb5\x8c\xab\x8a\x5f\x89\xd7\xed\xb6\x7f\x05\xf1\x6f\xe8\x40\x59\xbe\x5a\xbd\xbe\x44\xd3\x85\x2f\xa5\x79\x0c\x16\x16\x28\xb2\x1e\xef\x35\x9a\xaf\x7d\xb7\xde\x11\xc8\x35\xff\x9c\xc0\xb8\x6a\xc9\x75\x1f\xd2\xd5\xc1\x35\xe8\xac\xb4\x35\x2b\xc0\x3f\xdf\xe6\xc4\x34\x73\x5
8\x2c\xde\x76\xb1\x57\xee\xb0\x3a\xcf\xff\x74\x2b\xe5\x83\x8a\x4a\xab\xa1\x60\xe1\xc5\x88\xc9\xe1\xda\x27\x58\xfc\x29\x0a\xe3\x7a\x76\x05\x34\x0f\x72\x6f\xf3\xd8\xd7\x3d\x3d\xcc\xdc\x77\x37\x49\x9b\x74\x73\xec\xcc\x00\xc3\xd0\x1d\x20\xbd\x98\x9e\x60\x49\xd9\xda\x7d\xce\xe2\x29\xfe\x3d\xb7\xe2\x84\x5b\xa6\xef\x6b\x38\x06\x80\xe0\x77\x54\xdf\xa9\x2d\x16\x05\xb3\xb2\x52\x7e\xd1\x9d\x01\x33\x3b\x2b\x58\x86\x8d\x76\x14\xc9\x2b\x7f\x93\xc9\x5e\x2c\x90\x54\xf7\xa7\x28\xe0\x56\x9b\x98\x60\x18\x31\x1d\x9a\xb3\x79\xac\x3d\x19\xc7\xf6\x5f\x87\xac\xbd\x2a\x2b\xcd\xf1\x22\xb1\xb9\x50\x2d\x3c\x3a\x69\xef\xa3\x2f\x4b\xe1\xef\x20\xda\xa4\x2e\x13\x40\x9d\x2b\x12\xdb\xfd\x03\xc6\x4a\xca\x0b\xd6\x6c\x76\xc0\x4e\xa6\xa7\x6e\xf0\x29\x46\x50\xe5\x9e\x8a\x37\x9c\x85\xc5\xac\x8e\x31\x0e\xd9\x9e\x1a\x5f\x20\xc9\xbb\xdb\xee\x13\xde\x12\x18\xf9\x5b\xe0\x40\xff\x5f\x76\x0c\x7f\x07\xab\xe3\x62\x46\x85\x08\xa2\x11\x4e\x0c\x34\xf9\x38\x95\xc1\xe2\x8a\xd8\xc5\x6f\x19\x49\x81\x6c\xff\xd0\x9c\x02\x8d\xee\xf0\x1e\x5f\xcf\x91\xb4\x38\x4c\x62\xd0\xef\xd9\xb7\xd6\x6b\x1a\xae\x30\x2a\x3e\xd2\xc3\x03\x7c\x96\x75\xac\x6c\x86\x33\x6f\xa6\x03\x25\x8a\x53\x84\x09\xba\xd5\x67\x98\x11\x28\xcb\x8c\xab\x88\xd7\x02\x7b\x2a\x92\x67\x1c\xad\x00\x0a\x2c\x9f\x31\x7f\xb4\xae\x30\x98\x0d\x3f\x28\x51\x2f\xb5\xf6\x6a\x98\xb2\xe2\x07\x7a\x6a\x7f\x84\x61\xbf\x1a\x78\xcf\x12\xb3\xce\x6e\x3a\xa4\xa2\x2f\x3c\x63\x73\xa5\xd0\x4f\x76\x7b\x83\xc7\xd5\x7a\x56\x83\x4f\x76\x39\xc9\xac\xbb\x9f\xde\xde\xa8\x52\x76\xa0\xaa\x10\x0b\x68\xc8\xa2\x46\x31\x4a\x8c\xa0\x2f\xf0\x7d\x15\x32\xc9\x0d\x9a\x4a\x5d\xac\xba\x53\xa2\x4c\x14\xcb\x94\xb5\x7a\x8c\x23\x6c\x98\x5e\xbc\x98\x69\x71\x08\xa4\x3e\x87\x4b\x67\x15\xe6\xbe\x8d\x96\x85\xfa\xfd\xba\x1d\x7e\x5d\x1b\x4c\xed\x62\x56\x58\x47\xbd\xfc\xf6\x2b\xe1\x75\xe8\x48\x3c\xfd\x07\x11\x24\x76\x64\xe2\x73\xfc\xbe\xc2\x9f\x60\xde\xdd\x34\xc6\x81\x0f\x66\x50\xb6\xbd\xc4\x7d\xf7\x26\x7b\x8f\x53\xbc\x66\xac\x41\xa5\xc0\x50\x6e\xdf\x4a\x80\x5c\xff\x03\x43\x79\x7c\x88\x12\x56\xea\x09\x5f\xbf\x14\x57\x54\xf
7\xcb\x9d\xfb\xa6\xd3\xc2\xbd\x12\xac\xe3\x07\x62\x9c\xb2\x2d\xfe\xb5\xa4\x81\x55\xde\x0e\x50\xa9\x5d\xa5\x8b\x32\x02\x58\x9b\x60\xf5\xdd\x4c\xa6\xcd\x22\xc2\xed\x78\x8f\x27\x21\xd5\x35\x43\x74\xe9\xef\xac\xf4\x94\x72\x94\xdd\xc8\x14\x92\x25\xdc\xe5\xad\xfb\x32\x25\x95\xed\x18\xa4\xdc\xb0\x56\x51\x48\xb0\x87\xe3\x7d\x42\x47\xea\xae\xcc\x58\xc5\xaa\xf1\xc6\x4e\x87\xcc\x2c\xce\x9b\x8e\xbc\xaf\x96\x3f\xc4\x41\xa6\xdf\xac\x42\x6b\xe0\xac\xe4\xec\xfb\x91\xdf\x77\x32\x72\x1a\xfb\x34\xf9\x05\xce\x73\x77\xdb\x38\x49\xd7\x40\x1b\xa3\xd3\x14\x9c\x08\xe9\x8b\xcd\xec\xa6\xde\x20\x7e\xd8\xbc\x7b\x1d\x6e\x88\x59\x7d\xa6\x28\xc6\xb0\xa7\x3c\xf9\x67\x4a\x20\x7d\xd8\x74\x5f\xe5\xb3\x2b\xdd\x8f\x55\x09\xf1\x4f\xc1\x5c\xf9\x50\x4b\xf6\x63\x4b\x2d\xf2\x83\x6e\x95\xc7\x36\xe2\x76\x2f\x27\x14\xbf\xd1\x30\xaf\x99\x1d\x8b\x64\x8a\x93\x72\x15\x83\x83\xa2\xf5\x3e\x14\xc7\xcf\xc7\x66\x3d\xb5\xca\x5c\x8a\x9c\xdd\x15\x5e\x38\xc1\xf7\x0e\x51\x61\x35\x88\x12\x8d\xd0\x85\xbb\xdd\x7e\xd2\x39\xb9\x7e\x89\x58\xce\xf3\x5f\x11\x7e\xab\x19\xb3\x70\xff\x2e\x4e\x25\x68\x9d\x62\xb6\x84\xfd\x4a\xfc\xeb\x26\x32\x51\xfa\x92\xe8\xc6\xb2\xaa\x2e\x34\xd3\xfb\x8a\xae\xd1\x8c\xdc\x73\x4f\x9b\x42\x0c\x8d\x7b\x93\x15\x55\xeb\xd7\x99\x0c\xa0\x73\xfb\x81\xbe\x98\x27\x94\xe0\x00\xd5\x05\x72\xeb\x07\x61\xd4\x95\xba\x80\x68\xf6\x57\xd7\xf7\xb9\x19\xe6\x6a\x25\xe0\x32\x11\xdf\xe6\x90\xf4\x08\x1f\xc5\xde\x14\xf5\xf9\xd8\xbe\x47\x80\x24\xe6\x0a\x31\x38\x08\x0d\x9c\xe9\x7a\xe2\x3e\x29\x1e\x77\xa6\xe4\xa5\x07\xa9\x6a\xe0\xc0\x7d\x96\x04\xa9\x5b\x43\xb8\x17\x4c\x33\x17\x5b\xa2\x95\x05\x01\x86\xf7\x23\xb5\x0a\x60\x9e\xe0\x9b\x42\x67\xe4\xd2\xaf\x42\x96\xce\x65\x7b\xb8\xb5\xe9\x96\xf9\x8b\xd7\x5e\xd4\x2d\x09\x54\x89\x5d\x97\xd9\x88\x32\x9d\x92\x5f\x62\x89\x44\x74\xd1\xca\xa5\xde\x98\x8e\xd7\xb5\xc6\xde\xac\xfd\x90\xad\x94\x7e\xfe\xbf\x6c\xf6\x1b\x45\xd9\xc7\xb1\xba\x59\xe9\xec\x4b\x85\x59\xaf\xf8\xd3\xd0\x5f\xb0\x0f\x57\xec\x94\x2b\x0e\x9b\x9f\xdb\xde\x26\xca\xd3\x40\xcb\xb4\xf7\xc0\x44\x7b\x70\x7e\xd8\xf6\xd4\xf9\x89\xd0\xb1\xd
a\x0d\x0c\xda\xe6\x17\xb0\x14\x36\xfa\x68\xe3\x77\x75\xe8\x44\x41\x5e\xbd\x11\xa3\x35\x08\x46\xcf\x0b\x41\x9f\xad\x6d\xb9\x4c\xcc\x82\x83\xe9\x50\x19\xdb\x55\x91\xb9\xe8\x1c\x5d\x32\x70\x7b\x30\x02\xaf\xb2\x40\x58\x49\x5f\x6c\x21\xcd\x4b\x9e\x12\xaf\x7a\x1f\x40\x54\xfd\xa3\x7b\xa6\xa2\x94\x5e\x89\x98\x99\x76\x10\x12\x54\x8e\x41\x22\xa6\x95\x56\xe0\xca\x51\xe2\x31\x94\xbd\xc4\xe2\x72", 4096); *(uint32_t*)0x20002904 = 0x1000; *(uint32_t*)0x20002908 = 9; memcpy((void*)0x20002940, "flock=openafs", 13); *(uint8_t*)0x2000294d = 0x2c; memcpy((void*)0x2000294e, "dyn", 3); *(uint8_t*)0x20002951 = 0x2c; memcpy((void*)0x20002952, "autocell", 8); *(uint8_t*)0x2000295a = 0x2c; memcpy((void*)0x2000295b, "dyn", 3); *(uint8_t*)0x2000295e = 0x2c; memcpy((void*)0x2000295f, "flock=openafs", 13); *(uint8_t*)0x2000296c = 0x2c; memcpy((void*)0x2000296d, "source", 6); *(uint8_t*)0x20002973 = 0x3d; memcpy((void*)0x20002974, "&", 1); *(uint8_t*)0x20002975 = 0x2c; memcpy((void*)0x20002976, "source", 6); *(uint8_t*)0x2000297c = 0x3d; memcpy((void*)0x2000297d, "SEG6\000", 5); *(uint8_t*)0x20002982 = 0x2c; memcpy((void*)0x20002983, "smackfsdef", 10); *(uint8_t*)0x2000298d = 0x3d; memcpy((void*)0x2000298e, "SEG6\000", 5); *(uint8_t*)0x20002993 = 0x2c; memcpy((void*)0x20002994, "smackfsdef", 10); *(uint8_t*)0x2000299e = 0x3d; memcpy((void*)0x2000299f, "SEG6\000", 5); *(uint8_t*)0x200029a4 = 0x2c; memcpy((void*)0x200029a5, "subj_user", 9); *(uint8_t*)0x200029ae = 0x3d; memcpy((void*)0x200029af, "SEG6\000", 5); *(uint8_t*)0x200029b4 = 0x2c; memcpy((void*)0x200029b5, "smackfstransmute", 16); *(uint8_t*)0x200029c5 = 0x3d; memcpy((void*)0x200029c6, ":", 1); *(uint8_t*)0x200029c7 = 0x2c; memcpy((void*)0x200029c8, "seclabel", 8); *(uint8_t*)0x200029d0 = 0x2c; *(uint8_t*)0x200029d1 = 0; syz_mount_image(0x20001880, 0x200018c0, 5, 1, 0x20002900, 0x20005, 0x20002940); break; case 29: memcpy((void*)0x20002a00, "/dev/i2c-#\000", 11); syz_open_dev(0x20002a00, 0xad8, 0x2a2000); break; case 30: res = 
syscall(__NR_ioctl, -1, 0x5429, 0x20002a40); if (res != -1) r[15] = *(uint32_t*)0x20002a40; break; case 31: memcpy((void*)0x20002a80, "net\000", 4); syz_open_procfs(r[15], 0x20002a80); break; case 32: syz_open_pts(r[13], 0); break; case 33: *(uint32_t*)0x20002e80 = 0x20002ac0; memcpy((void*)0x20002ac0, "\x7a\xd3\xcd\x80\x2d\xd0\xc4\x24\x94\x5d\x99\xca\x9c\xa6\xe4\xfb\xb8\xf8\xe3\xb9\x80\xd2\xec", 23); *(uint32_t*)0x20002e84 = 0x17; *(uint32_t*)0x20002e88 = 0x1000; *(uint32_t*)0x20002e8c = 0x20002b00; memcpy((void*)0x20002b00, "\x32\x9d\xe8\x0b\x2b\x17\xbb\xd2\x5d\x1f\x19\x07\xa9\x26\x3a\xf3\xbf\x05\xc4\xa7\x06\x1e\x28\x49\x2a\x3f\x71\xc6\x34\x3a\xa5\xaa\xea\x03\x27\xa3", 36); *(uint32_t*)0x20002e90 = 0x24; *(uint32_t*)0x20002e94 = 5; *(uint32_t*)0x20002e98 = 0x20002b40; memcpy((void*)0x20002b40, "\x82\x79\x1d\xfd\x31\x1d\x07\xdb\x7d\x65\xe8\x03\xce\x6c\xa0\x00\x28\xaf\x8f\xf8\xd2\x76\x18\x7e\x0e\x14\xbb\xf7\xbe\xab\x60\xfc\x4b\x70\x72\x2e\x91\xb6\x32\x2b\x8e\x34\x72\x19\x1a\x66\x17\x6b\xb0\xca\x91\xde\xe6\x0f\x15\x06\xa6\xd4\x8b\xe4\x05\x52\x30\xc3\x0b\xe9\x4a\x10\x43\xa1\xd2\xa0\x6d\x42\x16\x60\x69\xd8\x03\x3d\x6c\x52\x4c\x86\x10\xb8\xc4\xbb\x63\xaf\x0c\xe6\xd6\x20\x71\x37\xf1\xbe\x1b\x62\xb0\x02\xe8\xc3\x5e\x64\x67\xc2\x42\x3c\xc6\x59\x7d\x1c\xa5\x8e\xe3\x15\x89\xf0\x24\x8a\xc7\x62\xe2\x4a\x28\x6a\x41\xa7\x61\x91\x2d\x34\xbb\x56\xf0\x7d\xb8\x8c\xa5\x2f\xce\x8d\x12\x87\x62\x39\x4f\xa0\x0f\xaa\xc8\x45\x1a\x42\xc3\x14\x4b\xde\xc7\xe9\x72\x96\xc9\xea\xc7\xc9\xf6\x31\x10\xa3\xd4\x05\xc1\x6b\x04\x28\x88\x00\x24\xe8\xc9\xc8\xaf\x49\x0b\x8c\xfa\xd8\x4c\xbb\x63\x78\x78\xd6\x34\xcd\x84\x34\x6b\x60\xc9\x13\x2c\x09\x66\x0c\xdc\x61\x6a\x0b", 212); *(uint32_t*)0x20002e9c = 0xd4; *(uint32_t*)0x20002ea0 = 0x7fff; *(uint32_t*)0x20002ea4 = 0x20002c40; memcpy((void*)0x20002c40, 
"\x90\x4b\xbc\xee\x2b\x46\xda\xa1\xac\x64\x3b\x7b\x6b\x8e\xa0\xff\x46\x2f\xea\xbe\xe5\x41\xb4\x11\xa8\x85\xe4\x70\xa4\x96\xcb\xbd\xc7\x29\xff\xde\xbc\x50\x80\x7f\x71\x9c\xbe\x80\x8d\x8b\x59\x8b\x47\x67\xc7\xa8\x52\xd9\xce\x0c\x88\x0a\x9b\x07\x8b\x01\x87\xde\xac\x92\x6b\xd4\x68\x7a\x44\xf0\x92\xbb", 74); *(uint32_t*)0x20002ea8 = 0x4a; *(uint32_t*)0x20002eac = 5; *(uint32_t*)0x20002eb0 = 0x20002cc0; memcpy((void*)0x20002cc0, "\x35\x31\xae\x25\x7e\x7e\x08\x77\xcd\xe3\x40\xc4\x2e\xdb\xfc\x91\xdc\xff\xaf\xf1\x28\x4e\xf0\x8a\x45\x1e\x4c\x76\xe0\xcd\x83\xb2\xc0\xea\x10\xd8\x6b\xce\xfa\x93\xbb\xae\xf5\xff\xfb\xfe\x7d\xc7\x0b\x73\xb8\x9c\x55\xfc\x38\x51\x11\x0d\x1b\xd0\xd1\xda\x31\x75\x33\x20\xb1\x11\xfe\x70\x60\x53\x7e\x8f\x65\xf3\xc2\xf0\x5a\xdc\xb3\xd6\x6b\xd2\xab\xe6\xb0\x8a\xaa\xe0\xd0\xee\xdc\xa9\x93\x77\x07\xec\x4c\xb4\x87\x4c\xdf\xd0\x58\x00\x81\x2a\xb5\x3f\x95\x50\xb2\x5a\x28\xee\x69\xe6\x2a\x0f\x79\x0f\xe5\x23\x3f\xc8\x64\x5f\xc3\xfe\x6c\xae\x05\x5f\x2a\xa1\x72\x91\x25\x17\x01\x51\xe8\x6e\xea\xb6\x7b\xb2\x0b\xc8\x84\xa1\x21\x4c\x2d\x3d\x96\x9c\x34\xfb\x23\x9b\x45\xfe\xec\x93\xac\x20\x97\x21\xba\xe7\x27\x12\x51\xc6\x13\xce\xa9\x37\x9c\x15\x21", 183); *(uint32_t*)0x20002eb4 = 0xb7; *(uint32_t*)0x20002eb8 = 4; *(uint32_t*)0x20002ebc = 0x20002d80; memcpy((void*)0x20002d80, "\xc3\xf0\x4f\x26\x92\x9b\x7a\x4d\x63\x42\x84\x1f\xa5\x3a\x9a\x8c\xb8\x00\x6a\x97\xf4\x28", 22); *(uint32_t*)0x20002ec0 = 0x16; *(uint32_t*)0x20002ec4 = 6; *(uint32_t*)0x20002ec8 = 0x20002dc0; memcpy((void*)0x20002dc0, 
"\xc9\x87\x12\x75\xe3\x26\x9f\xf1\xbd\xcd\x67\xfb\x52\x3e\x1c\xeb\x51\x51\xb0\xed\xe9\xe0\x32\x63\x4e\x36\xd4\x86\x04\x6b\xc3\x1c\xd9\x78\xbd\xa5\x92\x47\x35\x53\x16\x31\x9e\x76\x8e\x7a\xc6\xbe\x06\x48\xbf\x0f\xec\xd1\x3c\xda\xd4\x5f\x71\x3e\x0e\x3b\x74\xe9\x5e\xec\x77\x06\x3c\x02\xa2\x33\xea\x97\xd3\x38\xf4\xb1\xe9\xbc\x5a\x7c\xce\x85\x52\x87\x42\x63\x2e\xd5\x9c\xec\x01\x6f\x39\x14\xdd\x02\xca\x6b\x1d\xc8\x33\x22\x48\x95\x27\x73\x50\xcf\x1f\x21\xd6\xc7\x8f\x85\x92\x71\x7e\x91\x23\x3f\x90\x26\x92\x7e\x0c\xc3\xd8\x0c\xdc\x57\x71\x47\x63\xa0\xfc\xb0\x91\xf5\xc6\x90\x51\xb5\x5c\xd2\xe1\xfc\xc3\x3b\x13\xd5\x97\xc5\xca\xee\xb2\x71\xc5\x42\x97\x8a\x1e\x17", 164); *(uint32_t*)0x20002ecc = 0xa4; *(uint32_t*)0x20002ed0 = 0x9c; syz_read_part_table(1, 7, 0x20002e80); break; case 34: *(uint8_t*)0x20002f00 = 0x12; *(uint8_t*)0x20002f01 = 1; *(uint16_t*)0x20002f02 = 0x201; *(uint8_t*)0x20002f04 = 0xa4; *(uint8_t*)0x20002f05 = 0x61; *(uint8_t*)0x20002f06 = 0x1e; *(uint8_t*)0x20002f07 = 0x40; *(uint16_t*)0x20002f08 = 0xacd; *(uint16_t*)0x20002f0a = 0x300; *(uint16_t*)0x20002f0c = 0xc0df; *(uint8_t*)0x20002f0e = 1; *(uint8_t*)0x20002f0f = 2; *(uint8_t*)0x20002f10 = 3; *(uint8_t*)0x20002f11 = 1; *(uint8_t*)0x20002f12 = 9; *(uint8_t*)0x20002f13 = 2; *(uint16_t*)0x20002f14 = 0x372; *(uint8_t*)0x20002f16 = 2; *(uint8_t*)0x20002f17 = 4; *(uint8_t*)0x20002f18 = 0x1f; *(uint8_t*)0x20002f19 = 0; *(uint8_t*)0x20002f1a = 1; *(uint8_t*)0x20002f1b = 9; *(uint8_t*)0x20002f1c = 4; *(uint8_t*)0x20002f1d = 0x5d; *(uint8_t*)0x20002f1e = 0xb3; *(uint8_t*)0x20002f1f = 1; *(uint8_t*)0x20002f20 = 0xad; *(uint8_t*)0x20002f21 = 0x49; *(uint8_t*)0x20002f22 = 0x76; *(uint8_t*)0x20002f23 = 0x20; *(uint8_t*)0x20002f24 = 7; *(uint8_t*)0x20002f25 = 0x24; *(uint8_t*)0x20002f26 = 1; *(uint8_t*)0x20002f27 = 0; *(uint8_t*)0x20002f28 = 0x80; *(uint16_t*)0x20002f29 = 0; *(uint8_t*)0x20002f2b = 9; *(uint8_t*)0x20002f2c = 5; *(uint8_t*)0x20002f2d = 0xd; *(uint8_t*)0x20002f2e = 0; *(uint16_t*)0x20002f2f = 0x230; 
*(uint8_t*)0x20002f31 = 0x5d; *(uint8_t*)0x20002f32 = 1; *(uint8_t*)0x20002f33 = 0x3f; *(uint8_t*)0x20002f34 = 7; *(uint8_t*)0x20002f35 = 0x25; *(uint8_t*)0x20002f36 = 1; *(uint8_t*)0x20002f37 = 0; *(uint8_t*)0x20002f38 = 0x1f; *(uint16_t*)0x20002f39 = 2; *(uint8_t*)0x20002f3b = 0xba; *(uint8_t*)0x20002f3c = 0xe; memcpy((void*)0x20002f3d, "\xf4\xe6\xe5\x76\x28\x83\xc3\x4d\xf0\x4f\x35\x60\x99\xf1\xd3\x4b\xdb\xc9\xf5\x32\x4d\xa6\x48\x05\x3f\xd6\x90\x21\x1b\x89\x71\x19\xc4\xf3\xac\x19\x7f\x2a\xa9\x3f\x2f\x3b\xe0\x5f\x83\x6b\x16\x44\xd5\xb2\x32\x76\x48\xb3\x08\x16\xed\x19\x2f\x94\x3d\xfc\xe2\x25\xf6\x9d\x77\xc5\x15\x65\xe1\x77\xfd\x88\x9c\x9c\x9d\x8c\x85\xb9\x2e\xe4\xbe\xad\x0e\x88\x94\x46\xbb\xc3\x20\xa4\x0f\xa2\x48\x07\xf4\x76\xbf\xd1\xf1\xb3\x09\x6e\x33\x70\xf7\x55\xc9\x4a\xa0\x1c\x3b\xe4\xdd\xc7\x95\x2a\x56\x94\xbc\xad\x4b\xeb\x40\x65\xbf\x5e\xa9\x60\x66\xc4\x3e\x95\x07\xe6\x22\x0c\x47\xbc\x02\x71\xad\xcb\xaf\xfc\xe6\xac\x90\xcb\x3c\x8b\x1c\xf7\x48\xc6\xbb\xf9\x71\x08\xdf\xa2\xca\xc4\xb8\x7d\x34\x20\x42\x84\x34\x39\x7e\x07\xf1\x7a\x87\xed\x62\x33\xb3\x9e\x32\xf0", 184); *(uint8_t*)0x20002ff5 = 9; *(uint8_t*)0x20002ff6 = 4; *(uint8_t*)0x20002ff7 = 0x5d; *(uint8_t*)0x20002ff8 = 0x27; *(uint8_t*)0x20002ff9 = 7; *(uint8_t*)0x20002ffa = 0x3f; *(uint8_t*)0x20002ffb = 0x84; *(uint8_t*)0x20002ffc = 0xfd; *(uint8_t*)0x20002ffd = 3; *(uint8_t*)0x20002ffe = 0x10; *(uint8_t*)0x20002fff = 0x24; *(uint8_t*)0x20003000 = 2; *(uint8_t*)0x20003001 = 1; *(uint8_t*)0x20003002 = 0xe2; *(uint8_t*)0x20003003 = 2; *(uint8_t*)0x20003004 = 0x63; *(uint8_t*)0x20003005 = 0x40; memcpy((void*)0x20003006, "\xe7\x21\xcc\x44\xac\xca\x89\x38", 8); *(uint8_t*)0x2000300e = 0xb; *(uint8_t*)0x2000300f = 0x24; *(uint8_t*)0x20003010 = 2; *(uint8_t*)0x20003011 = 1; *(uint8_t*)0x20003012 = 0; *(uint8_t*)0x20003013 = 3; *(uint8_t*)0x20003014 = 1; *(uint8_t*)0x20003015 = 0; memcpy((void*)0x20003016, "\x9e\xf4\x2f", 3); *(uint8_t*)0x20003019 = 7; *(uint8_t*)0x2000301a = 0x24; *(uint8_t*)0x2000301b = 1; 
*(uint8_t*)0x2000301c = 4; *(uint8_t*)0x2000301d = 1; *(uint16_t*)0x2000301e = 4; *(uint8_t*)0x20003020 = 0xb; *(uint8_t*)0x20003021 = 0x24; *(uint8_t*)0x20003022 = 2; *(uint8_t*)0x20003023 = 1; *(uint8_t*)0x20003024 = 0; *(uint8_t*)0x20003025 = 3; *(uint8_t*)0x20003026 = 0x19; *(uint8_t*)0x20003027 = 6; memcpy((void*)0x20003028, "\x9e", 1); memcpy((void*)0x20003029, "\x69\x83", 2); *(uint8_t*)0x2000302b = 9; *(uint8_t*)0x2000302c = 5; *(uint8_t*)0x2000302d = 0xf; *(uint8_t*)0x2000302e = 0; *(uint16_t*)0x2000302f = 0x3ff; *(uint8_t*)0x20003031 = 0xf6; *(uint8_t*)0x20003032 = 5; *(uint8_t*)0x20003033 = 0x80; *(uint8_t*)0x20003034 = 9; *(uint8_t*)0x20003035 = 5; *(uint8_t*)0x20003036 = 1; *(uint8_t*)0x20003037 = 0x10; *(uint16_t*)0x20003038 = 0x10; *(uint8_t*)0x2000303a = 0; *(uint8_t*)0x2000303b = 0x40; *(uint8_t*)0x2000303c = 6; *(uint8_t*)0x2000303d = 7; *(uint8_t*)0x2000303e = 0x25; *(uint8_t*)0x2000303f = 1; *(uint8_t*)0x20003040 = 2; *(uint8_t*)0x20003041 = 0x20; *(uint16_t*)0x20003042 = 6; *(uint8_t*)0x20003044 = 9; *(uint8_t*)0x20003045 = 5; *(uint8_t*)0x20003046 = 0xb; *(uint8_t*)0x20003047 = 8; *(uint16_t*)0x20003048 = 0x10; *(uint8_t*)0x2000304a = 1; *(uint8_t*)0x2000304b = 2; *(uint8_t*)0x2000304c = 0; *(uint8_t*)0x2000304d = 9; *(uint8_t*)0x2000304e = 5; *(uint8_t*)0x2000304f = 0xd; *(uint8_t*)0x20003050 = 0x10; *(uint16_t*)0x20003051 = 0x200; *(uint8_t*)0x20003053 = 4; *(uint8_t*)0x20003054 = 8; *(uint8_t*)0x20003055 = 0xc0; *(uint8_t*)0x20003056 = 0xbb; *(uint8_t*)0x20003057 = 0x31; memcpy((void*)0x20003058, 
"\x21\x5c\xe6\xab\x8f\x3c\x72\xca\xa3\xab\x13\x26\xf1\x88\x38\x90\x8a\xc6\x0b\xff\xb3\xb5\x07\x48\x14\x4a\xa2\xcb\xc4\xd7\xca\xc5\x6f\x4a\x7b\xb2\xbd\x6c\x96\x96\x74\xa5\xe4\x04\x08\x61\xbb\x21\xba\x5c\xcf\x0f\x82\x2c\x10\x32\xe7\xe3\x72\x9f\x8c\x17\x1f\xc7\xa8\x9b\x53\x40\xb5\x06\x71\x08\xd5\x97\xf1\x78\xaa\x65\x1a\x98\xac\xa4\xd0\x12\xfa\x55\x5a\x69\x56\x83\xb5\x27\xe6\x03\x1f\x1f\x7f\x20\x49\x4b\x25\x0e\x3a\x6c\xd8\xb4\xde\x96\x47\xe1\x50\x04\x98\x67\x09\x7c\x47\xcc\x23\x7c\x61\x2c\xef\xe6\x98\x33\x2f\x1f\xe7\xf0\x2e\x6f\x53\xe8\x45\xb1\xf5\xe7\xb4\xb2\x4a\xd8\x62\x9b\x78\xce\x76\x30\xe2\xd4\x01\x20\xfb\xc3\xf4\x93\x75\xa4\xa0\x86\xde\xdd\x2a\x27\xf0\x6b\x3e\xd3\xd7\x56\xa8\x19\xb9\x7f\x75\x9a\xa5\x4a\xef\x83\xdf\x48\x68\xa9\xe9", 185); *(uint8_t*)0x20003111 = 9; *(uint8_t*)0x20003112 = 5; *(uint8_t*)0x20003113 = 3; *(uint8_t*)0x20003114 = 0x12; *(uint16_t*)0x20003115 = 0x3ff; *(uint8_t*)0x20003117 = 0; *(uint8_t*)0x20003118 = 1; *(uint8_t*)0x20003119 = -1; *(uint8_t*)0x2000311a = 0xad; *(uint8_t*)0x2000311b = 0x31; memcpy((void*)0x2000311c, "\x0c\x92\x1d\x3f\x98\x0f\x4e\x53\x14\x7a\x46\xbd\x58\x56\xda\x03\x08\x16\x60\xfb\xed\x7b\x8b\x2d\x38\x9b\xe8\xa0\x38\xe9\x5c\x29\x58\xa4\x77\xed\x5f\xaf\x9e\xf3\x8c\x82\xc3\xab\xea\x25\x44\x59\xed\xb0\xf2\xcf\x28\x62\x35\x03\x40\x87\xad\xb7\x90\x7f\xf1\x92\x64\x0b\x93\x68\x86\xbd\x48\xd3\xa5\x12\x15\x40\x6b\x3a\xa0\xb6\xd8\xf8\xd9\x1d\x83\x0f\x52\x36\xa9\xa8\xbe\x03\xc2\x21\x5f\x01\x21\x31\x96\x8c\x6a\x80\x86\x0a\xe8\x11\x93\x05\x94\x68\x10\x8e\xfd\x4f\x13\x05\x37\x9d\x01\x15\xc7\xec\x66\x7b\x03\x59\x94\x0e\x56\x64\xbf\x7b\x3c\x4a\x5f\x04\xca\x3c\x51\xdb\x9d\x2c\xd4\x17\xe9\x09\x9b\xff\x62\x8b\x8e\x1a\x8e\xd0\xf5\x96\x14\x93\x57\xa0\x8a\xbd\x11\x77\xeb\x97\x73\x53\xeb\x89\x32", 171); *(uint8_t*)0x200031c7 = 0x93; *(uint8_t*)0x200031c8 = 0x11; memcpy((void*)0x200031c9, 
"\xa8\xe2\x2d\x54\x2a\xe3\xd8\x31\xf3\x37\x21\x1b\xb5\xbe\x12\xa5\xc4\x6e\x5c\xf9\xb5\x56\xd8\x4d\x5a\xf4\xca\xca\x87\x42\xad\x21\x61\x40\x56\x2b\x7e\x54\x21\xe2\x64\x24\x71\xe8\xf5\x0e\xb8\xae\xf0\x62\x12\xb4\x6c\x64\x4a\xe5\x84\x63\xe1\x8b\x3e\x72\xbd\x3e\xca\x60\x60\xfa\x8b\x94\x03\x17\x96\xe5\x5e\xb4\x1d\x3f\x31\x8a\xff\xbf\x08\x1e\xeb\x17\x08\x85\x1e\x72\xfa\xdd\x88\x7e\x03\x30\x13\x43\x19\xf0\xa5\x96\x7e\xda\x65\x7b\xc1\x10\x1f\x74\xde\xba\x42\xe7\x8a\xff\x20\xfb\x5d\x3c\x1f\xe4\x9d\x9a\x05\x46\x57\xb6\xf1\xaf\x3d\x01\x5f\xc1\x6f\xf8\x08\x73\xf3\x26\x69\x08\x43\xdf\x81", 145); *(uint8_t*)0x2000325a = 9; *(uint8_t*)0x2000325b = 5; *(uint8_t*)0x2000325c = 0xf; *(uint8_t*)0x2000325d = 4; *(uint16_t*)0x2000325e = 0x200; *(uint8_t*)0x20003260 = 0; *(uint8_t*)0x20003261 = 0x1f; *(uint8_t*)0x20003262 = 1; *(uint8_t*)0x20003263 = 0x11; *(uint8_t*)0x20003264 = 6; memcpy((void*)0x20003265, "\x82\x4b\x7d\x09\x57\xbc\x55\x2d\x22\x4f\xdf\x6b\xff\x63\xa8", 15); *(uint8_t*)0x20003274 = 7; *(uint8_t*)0x20003275 = 0x25; *(uint8_t*)0x20003276 = 1; *(uint8_t*)0x20003277 = 0x80; *(uint8_t*)0x20003278 = 0xfd; *(uint16_t*)0x20003279 = 6; *(uint8_t*)0x2000327b = 9; *(uint8_t*)0x2000327c = 5; *(uint8_t*)0x2000327d = 0; *(uint8_t*)0x2000327e = 0; *(uint16_t*)0x2000327f = 0x20; *(uint8_t*)0x20003281 = 0x1f; *(uint8_t*)0x20003282 = 0xfd; *(uint8_t*)0x20003283 = 3; *(uint32_t*)0x20003400 = 0xa; *(uint32_t*)0x20003404 = 0x200032c0; *(uint8_t*)0x200032c0 = 0xa; *(uint8_t*)0x200032c1 = 6; *(uint16_t*)0x200032c2 = 0x110; *(uint8_t*)0x200032c4 = 0x4d; *(uint8_t*)0x200032c5 = 0x80; *(uint8_t*)0x200032c6 = 0x80; *(uint8_t*)0x200032c7 = 0x20; *(uint8_t*)0x200032c8 = 0xc1; *(uint8_t*)0x200032c9 = 0; *(uint32_t*)0x20003408 = 0x46; *(uint32_t*)0x2000340c = 0x20003300; *(uint8_t*)0x20003300 = 5; *(uint8_t*)0x20003301 = 0xf; *(uint16_t*)0x20003302 = 0x46; *(uint8_t*)0x20003304 = 5; *(uint8_t*)0x20003305 = 0xb; *(uint8_t*)0x20003306 = 0x10; *(uint8_t*)0x20003307 = 1; *(uint8_t*)0x20003308 = 0xc; 
*(uint16_t*)0x20003309 = 0x35; *(uint8_t*)0x2000330b = 0; *(uint8_t*)0x2000330c = 0xdf; *(uint16_t*)0x2000330d = 9; *(uint8_t*)0x2000330f = 0xf7; *(uint8_t*)0x20003310 = 7; *(uint8_t*)0x20003311 = 0x10; *(uint8_t*)0x20003312 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003313, 0xe, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003314, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003314, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003315, 9, 0, 16); *(uint8_t*)0x20003317 = 0x18; *(uint8_t*)0x20003318 = 0x10; *(uint8_t*)0x20003319 = 0xa; *(uint8_t*)0x2000331a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000331b, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000331b, 0x7fffffe, 5, 27); *(uint16_t*)0x2000331f = 0xff0f; *(uint16_t*)0x20003321 = 0x101; *(uint32_t*)0x20003323 = 0xffc0a0; *(uint32_t*)0x20003327 = 0; *(uint32_t*)0x2000332b = 0xffff0f; *(uint8_t*)0x2000332f = 0x10; *(uint8_t*)0x20003330 = 0x10; *(uint8_t*)0x20003331 = 0xa; *(uint8_t*)0x20003332 = 3; STORE_BY_BITMASK(uint32_t, , 0x20003333, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003333, 0x200, 5, 27); *(uint16_t*)0x20003337 = 0xff00; *(uint16_t*)0x20003339 = 1; *(uint32_t*)0x2000333b = 0; *(uint8_t*)0x2000333f = 7; *(uint8_t*)0x20003340 = 0x10; *(uint8_t*)0x20003341 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003342, 0x16, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003343, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003343, 0xe, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20003344, 7, 0, 16); *(uint32_t*)0x20003410 = 2; *(uint32_t*)0x20003414 = 4; *(uint32_t*)0x20003418 = 0x20003380; *(uint8_t*)0x20003380 = 4; *(uint8_t*)0x20003381 = 3; *(uint16_t*)0x20003382 = 0x380a; *(uint32_t*)0x2000341c = 4; *(uint32_t*)0x20003420 = 0x200033c0; *(uint8_t*)0x200033c0 = 4; *(uint8_t*)0x200033c1 = 3; *(uint16_t*)0x200033c2 = 0x42f; res = -1; res = syz_usb_connect(4, 0x384, 0x20002f00, 0x20003400); if (res != -1) r[16] = res; break; case 35: *(uint8_t*)0x20003440 = 0x12; *(uint8_t*)0x20003441 = 1; *(uint16_t*)0x20003442 = 0x200; *(uint8_t*)0x20003444 = -1; 
*(uint8_t*)0x20003445 = -1; *(uint8_t*)0x20003446 = -1; *(uint8_t*)0x20003447 = 0x40; *(uint16_t*)0x20003448 = 0xcf3; *(uint16_t*)0x2000344a = 0x9271; *(uint16_t*)0x2000344c = 0x108; *(uint8_t*)0x2000344e = 1; *(uint8_t*)0x2000344f = 2; *(uint8_t*)0x20003450 = 3; *(uint8_t*)0x20003451 = 1; *(uint8_t*)0x20003452 = 9; *(uint8_t*)0x20003453 = 2; *(uint16_t*)0x20003454 = 0x48; *(uint8_t*)0x20003456 = 1; *(uint8_t*)0x20003457 = 1; *(uint8_t*)0x20003458 = 0; *(uint8_t*)0x20003459 = 0x80; *(uint8_t*)0x2000345a = 0xfa; *(uint8_t*)0x2000345b = 9; *(uint8_t*)0x2000345c = 4; *(uint8_t*)0x2000345d = 0; *(uint8_t*)0x2000345e = 0; *(uint8_t*)0x2000345f = 6; *(uint8_t*)0x20003460 = -1; *(uint8_t*)0x20003461 = 0; *(uint8_t*)0x20003462 = 0; *(uint8_t*)0x20003463 = 0; *(uint8_t*)0x20003464 = 9; *(uint8_t*)0x20003465 = 5; *(uint8_t*)0x20003466 = 1; *(uint8_t*)0x20003467 = 2; *(uint16_t*)0x20003468 = 0x200; *(uint8_t*)0x2000346a = 0; *(uint8_t*)0x2000346b = 0; *(uint8_t*)0x2000346c = 0; *(uint8_t*)0x2000346d = 9; *(uint8_t*)0x2000346e = 5; *(uint8_t*)0x2000346f = 0x82; *(uint8_t*)0x20003470 = 2; *(uint16_t*)0x20003471 = 0x200; *(uint8_t*)0x20003473 = 0; *(uint8_t*)0x20003474 = 0; *(uint8_t*)0x20003475 = 0; *(uint8_t*)0x20003476 = 9; *(uint8_t*)0x20003477 = 5; *(uint8_t*)0x20003478 = 0x83; *(uint8_t*)0x20003479 = 3; *(uint16_t*)0x2000347a = 0x40; *(uint8_t*)0x2000347c = 1; *(uint8_t*)0x2000347d = 0; *(uint8_t*)0x2000347e = 0; *(uint8_t*)0x2000347f = 9; *(uint8_t*)0x20003480 = 5; *(uint8_t*)0x20003481 = 4; *(uint8_t*)0x20003482 = 3; *(uint16_t*)0x20003483 = 0x40; *(uint8_t*)0x20003485 = 1; *(uint8_t*)0x20003486 = 0; *(uint8_t*)0x20003487 = 0; *(uint8_t*)0x20003488 = 9; *(uint8_t*)0x20003489 = 5; *(uint8_t*)0x2000348a = 5; *(uint8_t*)0x2000348b = 2; *(uint16_t*)0x2000348c = 0x200; *(uint8_t*)0x2000348e = 0; *(uint8_t*)0x2000348f = 0; *(uint8_t*)0x20003490 = 0; *(uint8_t*)0x20003491 = 9; *(uint8_t*)0x20003492 = 5; *(uint8_t*)0x20003493 = 6; *(uint8_t*)0x20003494 = 2; 
*(uint16_t*)0x20003495 = 0x200; *(uint8_t*)0x20003497 = 0; *(uint8_t*)0x20003498 = 0; *(uint8_t*)0x20003499 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20003440, 0); break; case 36: *(uint32_t*)0x200036c0 = 0x18; *(uint32_t*)0x200036c4 = 0x200034c0; *(uint8_t*)0x200034c0 = 0x20; *(uint8_t*)0x200034c1 = 8; *(uint32_t*)0x200034c2 = 0xd4; *(uint8_t*)0x200034c6 = 0xd4; *(uint8_t*)0x200034c7 = 0x31; memcpy((void*)0x200034c8, "\xdd\x9f\xe1\xd6\xf8\xee\x76\xd6\x28\x92\x46\xb5\x27\x7c\xc1\x9f\x3c\x46\x21\xad\xd8\x21\xa7\xf3\xd1\xaa\xe9\x94\xdb\xf4\xb1\xbd\x89\xe8\x77\x07\x34\x76\x8a\xde\x97\xe5\x1d\x24\x8f\x53\xcd\x53\x0b\x31\x11\x9a\xac\xcf\x53\xb6\xf6\xed\xdf\x4b\x8b\xfe\x6a\x1a\x85\x9c\x3d\xc2\x86\xf8\x33\x5c\x9d\x15\xe5\xd5\x16\x9b\x24\x41\x55\x39\x10\x62\xff\x88\x5d\x40\xbe\x37\x07\xb6\xd1\xea\x25\x2a\x96\xd9\x7a\xb2\x4f\xb6\x75\xf5\x45\x57\xcf\xa2\x4d\x80\x5b\x07\x95\x70\x8a\xf5\x06\x5d\x4b\x66\x62\xdf\xd5\x4d\xd5\x9c\xfc\xe1\x67\x3a\xb3\x56\xa2\x54\xf6\xb5\xbc\xe4\x4c\x61\x9a\x17\xff\xce\x8e\xbb\x96\xe0\x83\xc0\x82\x45\x00\x62\xbd\x71\xa2\x06\xca\x92\x1e\x0b\x77\xf5\x17\xc1\x61\x95\x86\xb3\xbc\xa3\xe2\x49\x08\x21\x01\x6c\xc7\x6c\xaf\x96\xc0\xec\x90\x68\xb4\x5e\x23\x34\xed\x9a\x6f\xf0\x6a\x63\x43\xae\x01\xf0\xae\xf6\x12\x7e\xba\xf5\xb5\x2d\x69\xe3", 210); *(uint32_t*)0x200036c8 = 0x200035c0; *(uint8_t*)0x200035c0 = 0; *(uint8_t*)0x200035c1 = 3; *(uint32_t*)0x200035c2 = 4; *(uint8_t*)0x200035c6 = 4; *(uint8_t*)0x200035c7 = 3; *(uint16_t*)0x200035c8 = 0x40e; *(uint32_t*)0x200036cc = 0x20003600; *(uint8_t*)0x20003600 = 0; *(uint8_t*)0x20003601 = 0xf; *(uint32_t*)0x20003602 = 0x28; *(uint8_t*)0x20003606 = 5; *(uint8_t*)0x20003607 = 0xf; *(uint16_t*)0x20003608 = 0x28; *(uint8_t*)0x2000360a = 2; *(uint8_t*)0x2000360b = 3; *(uint8_t*)0x2000360c = 0x10; *(uint8_t*)0x2000360d = 0xb; *(uint8_t*)0x2000360e = 0x20; *(uint8_t*)0x2000360f = 0x10; *(uint8_t*)0x20003610 = 0xa; memcpy((void*)0x20003611, 
"\x19\x5f\xa2\xf3\x24\xc0\xbe\x96\xda\x3d\xb2\x6a\xfa\x56\x77\x53\x0a\xc0\xfa\xf4\xc6\x82\xbe\x7c\x15\xe9\xa5\x86\x66", 29); *(uint32_t*)0x200036d0 = 0x20003640; *(uint8_t*)0x20003640 = 0x20; *(uint8_t*)0x20003641 = 0x29; *(uint32_t*)0x20003642 = 0xf; *(uint8_t*)0x20003646 = 0xf; *(uint8_t*)0x20003647 = 0x29; *(uint8_t*)0x20003648 = 9; *(uint16_t*)0x20003649 = 1; *(uint8_t*)0x2000364b = 0; *(uint8_t*)0x2000364c = 9; memcpy((void*)0x2000364d, "\x05\x7c\x41\x7e", 4); memcpy((void*)0x20003651, "\x8d\xa4\x36\xc4", 4); *(uint32_t*)0x200036d4 = 0x20003680; *(uint8_t*)0x20003680 = 0x20; *(uint8_t*)0x20003681 = 0x2a; *(uint32_t*)0x20003682 = 0xc; *(uint8_t*)0x20003686 = 0xc; *(uint8_t*)0x20003687 = 0x2a; *(uint8_t*)0x20003688 = 0x20; *(uint16_t*)0x20003689 = 0x10; *(uint8_t*)0x2000368b = 0x80; *(uint8_t*)0x2000368c = 0x40; *(uint8_t*)0x2000368d = 0x1f; *(uint16_t*)0x2000368e = 0; *(uint16_t*)0x20003690 = 5; *(uint32_t*)0x20003b40 = 0x44; *(uint32_t*)0x20003b44 = 0x20003700; *(uint8_t*)0x20003700 = 0x60; *(uint8_t*)0x20003701 = 8; *(uint32_t*)0x20003702 = 0x54; memcpy((void*)0x20003706, "\x85\xf9\x88\x04\x52\x78\xf9\x75\x32\xa6\x67\xcb\xee\x9b\x82\x1d\x65\x54\xfb\x1c\x6d\x18\xdf\xfb\x78\x51\x96\xd9\x07\x27\xe1\xb4\x61\x5c\x86\xee\x04\x9a\x16\x96\xb1\x66\x8f\x00\x0e\x62\xd5\x39\xe0\x81\xcf\x07\xe3\x60\x17\x1c\xe6\x1c\xa2\xf9\x56\x44\xb9\xad\x8e\x92\x11\xa1\xb1\x9c\x43\x99\xbd\xfd\x6d\x53\x3b\xf8\x95\x52\x42\x72\x5b\xb4", 84); *(uint32_t*)0x20003b48 = 0x20003780; *(uint8_t*)0x20003780 = 0; *(uint8_t*)0x20003781 = 0xa; *(uint32_t*)0x20003782 = 1; *(uint8_t*)0x20003786 = 1; *(uint32_t*)0x20003b4c = 0x200037c0; *(uint8_t*)0x200037c0 = 0; *(uint8_t*)0x200037c1 = 8; *(uint32_t*)0x200037c2 = 1; *(uint8_t*)0x200037c6 = 0x81; *(uint32_t*)0x20003b50 = 0x20003800; *(uint8_t*)0x20003800 = 0x20; *(uint8_t*)0x20003801 = 0; *(uint32_t*)0x20003802 = 4; *(uint16_t*)0x20003806 = 2; *(uint16_t*)0x20003808 = 0; *(uint32_t*)0x20003b54 = 0x20003840; *(uint8_t*)0x20003840 = 0x20; 
*(uint8_t*)0x20003841 = 0; *(uint32_t*)0x20003842 = 8; *(uint16_t*)0x20003846 = 0x200; *(uint16_t*)0x20003848 = 0x40; *(uint32_t*)0x2000384a = 0xff; *(uint32_t*)0x20003b58 = 0x20003880; *(uint8_t*)0x20003880 = 0x40; *(uint8_t*)0x20003881 = 7; *(uint32_t*)0x20003882 = 2; *(uint16_t*)0x20003886 = 1; *(uint32_t*)0x20003b5c = 0x200038c0; *(uint8_t*)0x200038c0 = 0x40; *(uint8_t*)0x200038c1 = 9; *(uint32_t*)0x200038c2 = 1; *(uint8_t*)0x200038c6 = 0x81; *(uint32_t*)0x20003b60 = 0x20003900; *(uint8_t*)0x20003900 = 0x40; *(uint8_t*)0x20003901 = 0xb; *(uint32_t*)0x20003902 = 2; memcpy((void*)0x20003906, "\x8e\xaf", 2); *(uint32_t*)0x20003b64 = 0x20003940; *(uint8_t*)0x20003940 = 0x40; *(uint8_t*)0x20003941 = 0xf; *(uint32_t*)0x20003942 = 2; *(uint16_t*)0x20003946 = 9; *(uint32_t*)0x20003b68 = 0x20003980; *(uint8_t*)0x20003980 = 0x40; *(uint8_t*)0x20003981 = 0x13; *(uint32_t*)0x20003982 = 6; *(uint8_t*)0x20003986 = 0xaa; *(uint8_t*)0x20003987 = 0xaa; *(uint8_t*)0x20003988 = 0xaa; *(uint8_t*)0x20003989 = 0xaa; *(uint8_t*)0x2000398a = 0xaa; *(uint8_t*)0x2000398b = 0x38; *(uint32_t*)0x20003b6c = 0x200039c0; *(uint8_t*)0x200039c0 = 0x40; *(uint8_t*)0x200039c1 = 0x17; *(uint32_t*)0x200039c2 = 6; *(uint8_t*)0x200039c6 = -1; *(uint8_t*)0x200039c7 = -1; *(uint8_t*)0x200039c8 = -1; *(uint8_t*)0x200039c9 = -1; *(uint8_t*)0x200039ca = -1; *(uint8_t*)0x200039cb = -1; *(uint32_t*)0x20003b70 = 0x20003a00; *(uint8_t*)0x20003a00 = 0x40; *(uint8_t*)0x20003a01 = 0x19; *(uint32_t*)0x20003a02 = 2; memcpy((void*)0x20003a06, "{k", 2); *(uint32_t*)0x20003b74 = 0x20003a40; *(uint8_t*)0x20003a40 = 0x40; *(uint8_t*)0x20003a41 = 0x1a; *(uint32_t*)0x20003a42 = 2; *(uint16_t*)0x20003a46 = 0x40; *(uint32_t*)0x20003b78 = 0x20003a80; *(uint8_t*)0x20003a80 = 0x40; *(uint8_t*)0x20003a81 = 0x1c; *(uint32_t*)0x20003a82 = 1; *(uint8_t*)0x20003a86 = 0; *(uint32_t*)0x20003b7c = 0x20003ac0; *(uint8_t*)0x20003ac0 = 0x40; *(uint8_t*)0x20003ac1 = 0x1e; *(uint32_t*)0x20003ac2 = 1; *(uint8_t*)0x20003ac6 = 0xfe; 
*(uint32_t*)0x20003b80 = 0x20003b00; *(uint8_t*)0x20003b00 = 0x40; *(uint8_t*)0x20003b01 = 0x21; *(uint32_t*)0x20003b02 = 1; *(uint8_t*)0x20003b06 = 0xfa; syz_usb_control_io(r[16], 0x200036c0, 0x20003b40); break; case 37: *(uint8_t*)0x20003bc0 = 0x12; *(uint8_t*)0x20003bc1 = 1; *(uint16_t*)0x20003bc2 = 0x201; *(uint8_t*)0x20003bc4 = 0; *(uint8_t*)0x20003bc5 = 0; *(uint8_t*)0x20003bc6 = 0; *(uint8_t*)0x20003bc7 = 0x10; *(uint16_t*)0x20003bc8 = 0x46d; *(uint16_t*)0x20003bca = 0xc22d; *(uint16_t*)0x20003bcc = 0x40; *(uint8_t*)0x20003bce = 1; *(uint8_t*)0x20003bcf = 2; *(uint8_t*)0x20003bd0 = 3; *(uint8_t*)0x20003bd1 = 1; *(uint8_t*)0x20003bd2 = 9; *(uint8_t*)0x20003bd3 = 2; *(uint16_t*)0x20003bd4 = 0x2d; *(uint8_t*)0x20003bd6 = 1; *(uint8_t*)0x20003bd7 = 1; *(uint8_t*)0x20003bd8 = 0; *(uint8_t*)0x20003bd9 = 0x10; *(uint8_t*)0x20003bda = 2; *(uint8_t*)0x20003bdb = 9; *(uint8_t*)0x20003bdc = 4; *(uint8_t*)0x20003bdd = 0; *(uint8_t*)0x20003bde = 0x2f; *(uint8_t*)0x20003bdf = 2; *(uint8_t*)0x20003be0 = 3; *(uint8_t*)0x20003be1 = 1; *(uint8_t*)0x20003be2 = 1; *(uint8_t*)0x20003be3 = 0xfd; *(uint8_t*)0x20003be4 = 9; *(uint8_t*)0x20003be5 = 0x21; *(uint16_t*)0x20003be6 = 9; *(uint8_t*)0x20003be8 = 1; *(uint8_t*)0x20003be9 = 1; *(uint8_t*)0x20003bea = 0x22; *(uint16_t*)0x20003beb = 0x2ff; *(uint8_t*)0x20003bed = 9; *(uint8_t*)0x20003bee = 5; *(uint8_t*)0x20003bef = 0x81; *(uint8_t*)0x20003bf0 = 3; *(uint16_t*)0x20003bf1 = 0x10; *(uint8_t*)0x20003bf3 = 6; *(uint8_t*)0x20003bf4 = -1; *(uint8_t*)0x20003bf5 = 4; *(uint8_t*)0x20003bf6 = 9; *(uint8_t*)0x20003bf7 = 5; *(uint8_t*)0x20003bf8 = 2; *(uint8_t*)0x20003bf9 = 3; *(uint16_t*)0x20003bfa = 8; *(uint8_t*)0x20003bfc = 4; *(uint8_t*)0x20003bfd = 6; *(uint8_t*)0x20003bfe = 0x7f; *(uint32_t*)0x20003cc0 = 0xa; *(uint32_t*)0x20003cc4 = 0x20003c00; *(uint8_t*)0x20003c00 = 0xa; *(uint8_t*)0x20003c01 = 6; *(uint16_t*)0x20003c02 = 0x300; *(uint8_t*)0x20003c04 = 3; *(uint8_t*)0x20003c05 = 2; *(uint8_t*)0x20003c06 = 0xfa; 
*(uint8_t*)0x20003c07 = 8; *(uint8_t*)0x20003c08 = 0x74; *(uint8_t*)0x20003c09 = 0; *(uint32_t*)0x20003cc8 = 0x28; *(uint32_t*)0x20003ccc = 0x20003c40; *(uint8_t*)0x20003c40 = 5; *(uint8_t*)0x20003c41 = 0xf; *(uint16_t*)0x20003c42 = 0x28; *(uint8_t*)0x20003c44 = 2; *(uint8_t*)0x20003c45 = 3; *(uint8_t*)0x20003c46 = 0x10; *(uint8_t*)0x20003c47 = 0xb; *(uint8_t*)0x20003c48 = 0x20; *(uint8_t*)0x20003c49 = 0x10; *(uint8_t*)0x20003c4a = 0xa; *(uint8_t*)0x20003c4b = 3; STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20003c4c, 8, 5, 27); *(uint16_t*)0x20003c50 = 0xf00; *(uint16_t*)0x20003c52 = 0xf831; *(uint32_t*)0x20003c54 = 0xc0; *(uint32_t*)0x20003c58 = 0xc0a0; *(uint32_t*)0x20003c5c = 0xff000f; *(uint32_t*)0x20003c60 = 7; *(uint32_t*)0x20003c64 = 0xc0f0; *(uint32_t*)0x20003cd0 = 1; *(uint32_t*)0x20003cd4 = 4; *(uint32_t*)0x20003cd8 = 0x20003c80; *(uint8_t*)0x20003c80 = 4; *(uint8_t*)0x20003c81 = 3; *(uint16_t*)0x20003c82 = 0x436; res = -1; res = syz_usb_connect(4, 0x3f, 0x20003bc0, 0x20003cc0); if (res != -1) r[17] = res; break; case 38: syz_usb_disconnect(r[17]); break; case 39: syz_usb_ep_read(-1, 0x80, 0xc4, 0x20003d00); break; case 40: memcpy((void*)0x20003e00, "\x50\x74\xfa\x81\xf3\xf3\x73\xda\x27\x99\xca\xfb\x26\xb4\x49\x7c\xb3\xc8\x7b\xc0\xf8\x2f\xa7\x88\x54\x68\xbd\x41\x23\x20\x65\xaa\x95\x61\xd2\x4a\xe0\xf1\xd0\xe0\x36\xac\x71\x4a\xc5\xaf\x89\xc6\x9d\x88\x61\xca\xd7\x13\xfc\xb8\xba\xcb\x8c\x4b\x10\xdc\x3b\x6e\xc2\x04\x4c\x01\xf3\x71\xb1\x24\xc0\xa0\xf4\xba\xce\x7d\x51\x79\x87\x2c\xdd\x20\x5e\x09\xc3\xee\xb7\xd5\x57\x7b\x26\xe9\x8f\x84\x55\x4e\xd6", 99); syz_usb_ep_write(r[16], 0x7f, 0x63, 0x20003e00); break; } } int main(void) { inject_fault(0); syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :248:33: 
error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor460731562 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/10 (0.27s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/6 (0.27s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/0 (0.27s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/7 (0.28s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/21 (0.28s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/23 (0.28s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/18 (0.28s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/27 (0.28s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/8 (0.29s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/25 (0.29s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/19 (0.29s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/26 (0.30s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/24 (0.29s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/9 (0.30s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/14 (0.31s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/17 (0.31s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/15 (0.32s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/20 (0.32s) csource_test.go:120: FAIL FAIL github.com/google/syzkaller/pkg/csource 7.327s ok github.com/google/syzkaller/pkg/db (cached) ok github.com/google/syzkaller/pkg/email (cached) ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host 7.234s ? 
github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/generated [no test files] ok github.com/google/syzkaller/pkg/instance 2.151s ok github.com/google/syzkaller/pkg/ipc 8.865s ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig (cached) ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ok github.com/google/syzkaller/pkg/repro (cached) ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 16.974s ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer 0.149s ok github.com/google/syzkaller/pkg/vcs 2.208s ok github.com/google/syzkaller/prog (cached) ok github.com/google/syzkaller/prog/test (cached) ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ok github.com/google/syzkaller/sys/linux (cached) ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd (cached) ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? 
github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci (cached) ok github.com/google/syzkaller/syz-fuzzer (cached) ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state (cached) ? github.com/google/syzkaller/syz-manager [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-imagegen [no test files] ok github.com/google/syzkaller/tools/syz-linter 1.242s ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? 
github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm (cached) ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated (cached) ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files] FAIL