ok github.com/google/syzkaller/dashboard/app (cached) ? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/executor 0.309s ok github.com/google/syzkaller/pkg/ast 1.667s ok github.com/google/syzkaller/pkg/auth (cached) ok github.com/google/syzkaller/pkg/bisect 22.058s ok github.com/google/syzkaller/pkg/build 3.159s ok github.com/google/syzkaller/pkg/compiler 7.277s ? github.com/google/syzkaller/pkg/config [no test files] ok github.com/google/syzkaller/pkg/cover 9.315s ok github.com/google/syzkaller/pkg/cover/backend (cached) --- FAIL: TestGenerate (10.73s) --- FAIL: TestGenerate/linux/386 (1.83s) csource_test.go:52: seed=1633617601922324109 --- FAIL: TestGenerate/linux/386/4 (1.79s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:10 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) (fail_nth: 1) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000040)={0x0, 0xe6, "f137161ab86c594202b997d9f12d007021870322c8d909748409951ae9800c1e207f98b769c740f867ea14bbf8666a4f98d229aaafbc33c6c52168db8933c4a4a4a3dd3ce0ccea96e71d81ff4aca8331cb01bf35433853d1abd48fd6d0ce1314df6507bae535a2b4e3eaa74c5d23006594148a0fe5b4a884ef8f41346e49cc90474cb17bac301d4797ed05dfc6ccb74bebaabe549172d622a30605a4e49fd3f8537de5272c33ad4f07cd060577bce65e5c80a34168cde68117e4f900e35a3d888e02ee111752213b40d2af258c01f36de50ce8e83d4226a30d6a4cc43a883f6c20e3fada8ad2"}, &(0x7f0000000140)=0xee) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e22, 0x3, @private2, 
0x1}}, [0x7fffffff, 0x1, 0x7fff, 0x4, 0x7, 0x1, 0x3ff, 0x40, 0x5, 0x1, 0x0, 0x7, 0x0, 0x8, 0x1f]}, &(0x7f0000000280)=0xfc) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e20, 0x9, @private2={0xfc, 0x2, '\x00', 0x1}, 0x3}}}, 0x84) r3 = openat$pktcdvd(0xffffff9c, &(0x7f0000000380), 0x0, 0x0) ioctl$MEDIA_REQUEST_IOC_QUEUE(r3, 0x7c80, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x7f, @private0, 0x5}}, 0x5, 0x476f}, 0x88) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_SRVCORE_ACQUIREGLOBALEVENTOBJECT(r3, 0xc0206440, &(0x7f0000000500)={0x1, 0x2, &(0x7f0000000480), &(0x7f00000004c0)={0x0}, 0x4, 0x8}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTQ2_RGXTDMSETTRANSFERCONTEXTPROPERTY(r3, 0xc0206440, &(0x7f00000005c0)={0x8a, 0x7, &(0x7f0000000540)={r4, 0x400}, &(0x7f0000000580), 0x10, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXBREAKPOINT_RGXENABLEBREAKPOINT(r3, 0xc0206440, &(0x7f0000000680)={0x83, 0x2, &(0x7f0000000600)={r4}, &(0x7f0000000640), 0x4, 0x4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@deauth={@wo_ht={{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x240}, @broadcast, @device_a, @random="2015d229785b", {0x8}}, 0x27, @val={0x8c, 0x18, {0xc93, "ffe3240f0484", @long="067ecc39a78a3ea47c22246d391b92c4"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_xfrm_policy_alloc_security\x00') syz_emit_ethernet(0xbc, &(0x7f0000000140)={@dev={'\xaa\xaa\xaa\xaa\xaa', 0x3b}, @broadcast, @void, {@mpls_mc={0x8848, {[{0x8, 0x0, 0x1}, {0x1, 0x0, 0x1}, {0x4, 0x0, 0x1}, {}, {0x0, 0x0, 0x1}], @ipv4=@dccp={{0x15, 0x4, 0x2, 0x33, 0x9a, 0x65, 0x0, 0x7, 0x21, 0x0, @dev={0xac, 0x14, 0x14, 0x1e}, @rand_addr=0x64010101, {[@noop, @end, @timestamp_addr={0x44, 0x1c, 0xe9, 0x1, 0x2, [{@dev={0xac, 0x14, 0x14, 0x28}, 0xf7e}, {@loopback, 0x7fff}, 
{@private=0xa010101, 0x5}]}, @generic={0x83, 0xe, "db10ac96c2cf817c67fc6d7e"}, @rr={0x7, 0x7, 0x87, [@local]}, @end, @ra={0x94, 0x4, 0x7}, @end, @generic={0x44, 0x5, "e0d910"}]}}, {{0x4e20, 0x4e23, 0x4, 0x1, 0xf, 0x0, 0x0, 0x9, 0x5, "d77b5a", 0x7, "c6dd9c"}, "494a1261c05df7372b3c29631b6232d41f19fa8727ecea11ccf1979683ceb144705e12c13fba0e399f08f58397f3ea7bdb746b3dcabe"}}}}}}, &(0x7f0000000200)={0x0, 0x3, [0xf9, 0x208, 0x50c, 0x74d]}) syz_emit_vhci(&(0x7f0000000240)=@HCI_EVENT_PKT={0x4, @HCI_EV_VENDOR={{0xff, 0xc1}, "0626cab051d180b0c2e36c0814bbca7e31d691502e1c7c0eae1a042e7372921a0c6dfccedd81a98f58b9850ba2f68bc25d5cab15a0af010796b5fdfb8a3b35f3eb48ee0c7b2ed287cf469fdec0248e957ef0dd22f3fc6d746e70262c277c016177e56a68031293b56b02c1b6f867d10a3bbf33817b39d487ae0659a68cffb8df46df59a7d104b7c6711d45af1f966d69e635809cf24a70d4c2ea9cc98d37599807148af36b475eb2ce56e027ac751769f8710272d187722ecdf7a8f86d8b977aa8"}}, 0xc4) syz_execute_func(&(0x7f0000000340)="c4c17d6f7072c4e1f9112fc4e3c95d33abc4c2790eb000000000c4e17a12b70c0000000f0156e9c4e10dd55e0cf30f526b000f7e20c4c179e702") syz_extract_tcp_res(&(0x7f0000000380), 0x80000000, 0x100) r5 = dup(0xffffffffffffffff) r6 = fcntl$getown(0xffffffffffffffff, 0x9) lstat(&(0x7f00000026c0)='./file0\x00', &(0x7f0000002700)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000002800)=0x0, &(0x7f0000002840), &(0x7f0000002880)=0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002ac0)={0x2020, 0x0, 0x0, 0x0}, 0x2020) statx(0xffffffffffffffff, &(0x7f0000004b00)='./file0\x00', 0x2000, 0x20, &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004d00)={{{@in6=@ipv4={""/10, ""/2, @private}, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000004e00)=0xe4) r13 = getgid() syz_fuse_handle_req(r5, &(0x7f00000003c0)="", 0x2000, &(0x7f0000004f40)={&(0x7f00000023c0)={0x50, 0x0, 0x3f, {0x7, 0x22, 0x8001, 0x1040000, 0x8, 0xf6e1, 0x8, 0x9}}, 
&(0x7f0000002440)={0x18, 0x0, 0x9, {0x40d}}, &(0x7f0000002480)={0x18, 0x0, 0x7, {0x7}}, &(0x7f00000024c0)={0x18, 0x0, 0xffff, {0x8}}, &(0x7f0000002500)={0x18, 0x0, 0xce0, {0x1c}}, &(0x7f0000002540)={0x28, 0x0, 0x1, {{0x100, 0x5, 0x2, r6}}}, &(0x7f0000002580)={0x60, 0xfffffffffffffffe, 0x8, {{0xcd95, 0x1f, 0x7, 0x48, 0xaac5, 0x6, 0xad, 0x5}}}, &(0x7f0000002600)={0x18, 0xfffffffffffffff5, 0x9, {0x9}}, &(0x7f0000002640)={0x11, 0x0, 0x0, {'\x00'}}, &(0x7f0000002680)={0x20, 0x0, 0x10000}, &(0x7f0000002780)={0x78, 0x0, 0x9, {0x3, 0x0, 0x0, {0x6, 0x0, 0xfffffffffffff20d, 0xfffffffffffffff8, 0x1, 0x3ff, 0x5, 0x9, 0x726, 0x1000, 0x6, r7, 0xee01, 0x7, 0x7}}}, &(0x7f00000028c0)={0x90, 0x0, 0x3, {0x2, 0x2, 0x100000000, 0x61a26b8d, 0x6, 0x2, {0x1, 0x3, 0x1, 0x100000000, 0x3, 0x8f, 0x4, 0x1ff, 0x849, 0x1000, 0x7, r8, 0xffffffffffffffff, 0x5, 0x1f}}}, &(0x7f0000002980)={0x130, 0x0, 0xa00000000000, [{0x4, 0x1, 0x6, 0x9, '\x01\x01\x01\x01\x01\x01'}, {0x6, 0x1, 0x5, 0xfffffffe, '\xaa\xaa\xaa\xaa\xaa'}, {0x1, 0x1ff, 0x3, 0x7, '{#-'}, {0x5, 0x0, 0x2, 0x761, '[#'}, {0x3, 0x0, 0x2, 0x6, '#]'}, {0x1, 0x714, 0x5, 0x3, '*^\\^b'}, {0x5, 0xeb68, 0x4, 0xfffffa80, '--$-'}, {0x6, 0xfffffffffffffeff, 0x1, 0x1, '-'}, {0x1, 0x8, 0x3, 0xf2, '!\\{'}]}, &(0x7f0000004c40)={0xb0, 0x0, 0xcf, [{{0x1, 0x1, 0x3, 0x100000000, 0x4, 0x81, {0x5, 0x7f, 0x5, 0x6, 0xffff, 0x3, 0x1f, 0x3, 0x8, 0xc000, 0xf5c8, r10, r11, 0x2, 0x9}}, {0x4, 0x80, 0x5, 0x2, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000004e40)={0xa0, 0x0, 0x400, {{0x6, 0x2, 0x400, 0x7, 0x4, 0x9, {0x4, 0x1000, 0xffff, 0x6, 0x1, 0xffff, 0x65f, 0x647c2b8f, 0x400, 0x8000, 0x8, r12, r13, 0x3, 0x6b}}, {0x0, 0xd}}}, &(0x7f0000004f00)={0x20, 0x0, 0x800, {0x0, 0x0, 0x10001}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004f80), r5) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r14 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x343, &(0x7f0000004fc0)={0x0, 0x5004, 0x0, 0x1, 0x1de, 0x0, r14}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x2000)=nil, 
&(0x7f0000005040)=0x0, &(0x7f0000005080)=0x0) r17 = openat$uinput(0xffffff9c, &(0x7f00000050c0), 0x2, 0x0) r18 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000005100), 0x488200, 0x0) syz_io_uring_submit(r15, r16, &(0x7f0000005140)=@IORING_OP_SPLICE={0x1e, 0x3, 0x0, @fd=r14, 0x200, {0x0, r17}, 0x6, 0x1, 0x0, {0x0, 0x0, r18}}, 0x3dd1) r19 = openat$keychord(0xffffff9c, &(0x7f0000005180), 0x171000, 0x0) r20 = openat$ubi_ctrl(0xffffff9c, &(0x7f00000051c0), 0x10400, 0x0) syz_kvm_setup_cpu$arm64(r19, r20, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005240)=[{0x0, &(0x7f0000005200)="4623d8a4ce0217c9e59555c166890679e3e0c1940df5b9fcbf91649ef54d80f0c8bcc80e36b5574c4bc9f943401854f56aa2", 0x32}], 0x1, 0x0, &(0x7f0000005280)=[@featur2], 0x1) r21 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x8000, r18, 0x0) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000052c0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005300), &(0x7f0000005340)='./file0\x00', 0xfd, 0x2, &(0x7f0000005540)=[{&(0x7f0000005380)="873519f25df082b371ba5b45adb5709c00805747c37fe044064595cd4728bf8980302b25b4b083b42b41336e130f1b6ff0a2f172498e522b4fe5826eababf53a9852f93ebeb841e1645f32936127029d68fe73eced89c1b93587012a47c42a583d6975592b3f2cdf4337fc6d5e85e5f5835fafe095935ec90484e9081aa8d22498431301baad4a34368c26c64d85326c7e00682178f8d13e6a8969f15b9d5dbcfec2c0e69680c3928ca015b92e25f5078de354fe32cc7121609a0762e1b73efd8967a2fe235e4d1ef9e5ac88bc1ed706a984641b06470b2294d045ce7eba51c0728938a2c6eeb6d8574429cc24bcb2a784", 0xf1, 0x40}, {&(0x7f0000005480)="62935bfe26e9c9f2dc3c3e9dfb491858efb598369bcca51923989ba943cf447baf56625df0f685ed2d034b37c07563f668728f6dc6833609b1221970e55088869d29c01b2dd05c4820b08042b5074008c9757712c480e25d89b9c48e957e5b5c7b0beccfb1fcccedbcedc83806038075fc2a0f8228beb47f1fece09bddcbbe0021abe9c3d198369b81b67dbd6a7d334b8d28b802cc97d934c164e97d9d7b70dc6c", 0xa1, 0x1ff}], 0x8800, &(0x7f0000005580)={[{'\xaa\xaa\xaa\xaa\xaa'}, {}, {':&-]!'}, {'}'}, {',-V'}, {'\\*})'}, 
{'*^\\^b'}], [{@appraise}, {@fowner_lt={'fowner<', r8}}, {@smackfshat={'smackfshat', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@obj_type={'obj_type', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@dont_appraise}, {@dont_measure}, {@fowner_lt={'fowner<', r9}}, {@dont_appraise}]}) syz_open_dev$I2C(&(0x7f0000005640), 0x40, 0x300) syz_open_procfs(r6, &(0x7f0000005680)='net/if_inet6\x00') syz_open_pts(r19, 0x800) syz_read_part_table(0x9, 0x9, &(0x7f0000006c40)=[{&(0x7f00000056c0)="", 0x1000, 0x8001}, {&(0x7f00000066c0)="31e3c3fa6d99", 0x6, 0x3ff}, {&(0x7f0000006700)="39de863b7148208e432fcddbd9e9148e716c1b48a3967c870c70145d90ed681b3f8bce849fee7f50091570854e20103723e56454e711543f6e2be92c34090d8cc792260be9b960c1e4", 0x49, 0x9}, {&(0x7f0000006780)="17fad571f80fecd34a59bc03f6c02bbd6d56cd8d958924b4ae4189b88b85897efd4e596e1118bb0c771c2c5ba37ded06d78111390c1c80cf6ea9df8727f88559815ed76b36fa13fb4d08e1ccdad7973b5bec5655a74a671fde99ee92397c56d409dadb10c4c37ee92cb41d03ae6fb164e7f86985039128d38be83b5e16c35ee34eb2b8396c5348028781a0a879f88159740ab89705d637bedafa915f195a152597fa0d7da9b76476602c6eeefca1e80a6d3d0ed1a75b00f7a5e153dd851e2301c8daa7d49b4ad91c62d1a6967f54cf9621c240ed587192f69959e05407850ce3831c4e811e6fff1cdf93cfabde887358316881845356d7", 0xf7, 0x26}, {&(0x7f0000006880)="c286968e2238742a47e0e8d444a6a661b7708222f4eddab97a749dcebe2cc83a314b828795f915a36d873b714aef15ddb1b4f62f06800bbe85eaebcb76abe944719249ee7927c88e78a968e93f45c52013ef97ef6f989b1d1cd30fff88677962c8f3052ad0a4631e4e750ba80f3753916c2dffc6a4023cdb62a1b5f2afbb965b2f78c5dd47af90b002da1a26a24fcb99bf81fb29574a2f98107a7937639873b95f4a569a0406cc358b46efae587e9008be69d711ae202c22e29a2f615fd23dcf", 0xc0}, {&(0x7f0000006940)="97fc4dd9db673e16fd0f0eb9a4a26e2a49f42e1616190b0634dfd6135145f4e451bbbad56dadf266964eba7d1007c0a23f8cf03d4f8fe09a7989152b7cf2ec30f2693a06befdf023d79f48c208d742c7b75915bcc1be583517ced3b826b97075e62a8ed12dbb264807c6ffd0227614491fb9de0d8a925a2638c31608de405bbf79e96f171fd58338b1d6979d33a7dae8ad62f2ba53fefc3c", 0x98, 0x20}, 
{&(0x7f0000006a00)="77d8d606bfb424e7b995809ab4f559115fd82e972d98b651dfc69b10df600fb4f78efd586f9cc26edc41b1d2fac87efe59e262411f27a94cf796ed31236b457ca0f147530efbd4cfa6b6a0fee46c25abcf7ad8282aae5299e299799cd52d0a58d7ff9dddd0103724c88da92dbefab6248038abef9ec52264afc74825f7ea70b2ca95d6900f9b647a3f986e18287cb2bf4b4c19efc8c218fd905c3727c86c37026bfbde3af078eb07b798e6d3d8f2e4d5d3bc188cdd20f2ebb1461c5e53b05f2989ffac3b168dee56da0fc011974c660e400ae2d8b2c80acb231581ee91763129b2888aeb12", 0xe5, 0x800}, {&(0x7f0000006b00)="560c1bea71b0f97244fa386d26bf6b1b04308e4bc7fffa", 0x17, 0x80000001}, {&(0x7f0000006b40)="14e55a14a7953387ee55333c1d1694ca98c7999b49788642766805d6f5a290eb1e959ee35a740459e13300262f2af9c357f7a8c1cba187e448bc3c8f865cc9be88624fb0f0d0bb885d9cc2abe171a2478a7420db22e8607e3fbec7e2601d9e11086cfa8cf14d99676b679d8d6bf1dd4faab8fe9a5f4e3f695fe2e6abf09f702683802d44cc3a298255c4c59533731ff5b23e053afb716d58cad667686ee647f48e199c9b5c3d0d2d470f2ce1c5b8b5708ae023ad9880caf31d01f96aebbfcc7df95358a016c5471cc2ce2ced6105057c9d22c8167890ca19", 0xd8, 0x400}]) syz_usb_connect(0x2, 0x6c6, &(0x7f0000006cc0)={{0x12, 0x1, 0x200, 0x62, 0xa5, 0xbe, 0x10, 0x2833, 0x211, 0x37a4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6b4, 0x1, 0x20, 0x0, 0xa0, 0x1, [{{0x9, 0x4, 0xdf, 0x0, 0x10, 0xff, 0x1, 0x0, 0x5, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x1, 0x1}]}, @cdc_ecm={{0x9, 0x24, 0x6, 0x0, 0x0, "fd506508"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x40000000, 0x8, 0x4cc5, 0x7f}, [@network_terminal={0x7, 0x24, 0xa, 0x8, 0x3f, 0x0, 0x81}, @country_functional={0x10, 0x24, 0x7, 0x80, 0x5, [0x44, 0x2, 0x800, 0x101, 0x4]}, @acm={0x4, 0x24, 0x2, 0x4}, @mbim_extended={0x8, 0x24, 0x1c, 0x0, 0xc0, 0x5325}, @ncm={0x6, 0x24, 0x1a, 0x7f}]}], [{{0x9, 0x5, 0x5, 0x0, 0xa716c6d63b98b5a2, 0x6, 0x0, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xe9, 0xf000}]}}, {{0x9, 0x5, 0xe, 0x2, 0x200, 0x8, 0x7, 0x40}}, {{0x9, 0x5, 0x0, 0x10605a5c87a92a7e, 0x200, 0x8, 0x3, 0x1, [@generic={0x9b, 0x21, 
"f2ef0a5c069cdb319138e185061d7e196ae94e535d80f27666fba23b374325f15dc5f20812fe05b0620f6ffcb81003b1f39c5dcd1bff14e2bbeb387335a3534f5adb60ffc4f28595c8f992f77fd5f67a04842b9c4364e3556be9bacb8fd56ed77859291153f6c566026363bfa5f2e6ff2fa6d29317f2d562445364939915a75dd7365f6ab9c15ddbc7c3a45f7eb98fd1fea3551bbd46f20a87"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x3ff, 0x1, 0x20, 0xef, [@generic={0xec, 0x6, "f642246a5372991db97e5824a410e28300d3bd153638f6dac6e1189a0c560a0a0e5f8b15e07879ac95016515202646a7b5b5fc74b7cd40d515b2849d8c1dd9ae4fca16c2e6cf0e8a20ce54f05fa123c019208cb34b5ee561c274ea40a7b34e5813a4a29be40817eb1f7b3e9bef60f7c56657481236b93e2c297f17c776b98f1d0c8f2a56447766c7288ba6b1e385b84a516a98ab729ba70e31fee3aab101d590a4481ae5856326c6825b73c7ae7d3b99cb3c59db31a12726234b900584e8db779352188d12c932d4aacb59eef33d33b9550510cf2b49da747e031c83117b511a1bb93ed76c716e6a0254"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x40}]}}, {{0x9, 0x5, 0x1, 0x0, 0x100, 0xfe, 0x8, 0x37, [@generic={0xe9, 0x23, "1a0e3542857d49ea63b7261ebfc19f14272e284d2665d2795e43f6f9ca62776c9ee52d991879d7d67b4d8b270fd51598beac1c0339b2257ad68c1dde54885ae2d219b87cde159a9897c88bda26e08a3691055022739c1fe64adb98639dc25421c449cf364800c4c365062f2488e6901e56e62f4b703eae7af26298a1eee1bfe62d9b2ae35320ae2baf174e94ff55321097be81e0279f5d0aa84dd18ca0864d98d0edbbeaa19ddf3626fd83a2e2b5f676a734d4784b3c6877fd1bb3c9543df7abda9bd9c9be405949747e21073c18957fff0eaac0273cfd3f702cb65597949a172726f7e459536c"}, @generic={0x18, 0x10, "a0289017f3f433f11059489a61115823e1138ae84a34"}]}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0x67, 0x3, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x80, 0x2e6}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x48, 0x35, 0x8, [@generic={0xe5, 0x5, 
"30efe9c1a6e5c89c2031214c60fbbeaa4578091e38009c761d15774802934cfd36355b3518ccfe59fa5e7ccee3c13ac4affbe073e0e788c9b5e32216efbf02e35869d7b233a389f812bfd849433c328466eda5e0e3237529cdc65e4eee743d31ffc186a1fe794bdf1364f31eaeff39829e8f6144850d7470cc71572d1f2f23dccdbcdd99e4930de7edbf59b338db3490305fd7710257980b7f76b8daeacb2ad618131fb9b5a3e026c9ddbd69483cd794caad29f2e3b63124a952b462de0cd951d7efd9b3b29107b641417e7783d90159137fa5273a95e0cc46c97c2246e611acb14b4d"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x8, 0x0, 0x33, 0x9}}, {{0x9, 0x5, 0x2, 0xc, 0x400, 0xed, 0x7, 0x9, [@generic={0x84, 0x31, "ee4cd219154df491c4d32aa32112cff407511b06b17f743409ecc216c31e92cefa2b5cc59e634d7aeba2c9e5e36d8efadc0255172518f909b4e1a7daf4d988b1eeaf196c76ee902b657d12fc23c21e176cd149e98a8d8d5755b74fed1a4284bcfd6e6961951ff8216f7bb42f790edd539c1bc5bbac44f767a685c57cbbdec830c52c"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x1, 0xfe01}]}}, {{0x9, 0x5, 0x3, 0x0, 0x40, 0x2, 0x5, 0x3}}, {{0x9, 0x5, 0x0, 0x0, 0x400, 0x0, 0x2f, 0x4}}, {{0x9, 0x5, 0x8f, 0x8, 0x8, 0x81, 0x1, 0x7f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xfb}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0x40, 0x76, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x31, 0x8}]}}, {{0x9, 0x5, 0xf, 0x10, 0x3ff, 0x6, 0xb2, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x80, 0x6}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x6, 0xca, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x10, 0x400, 0x1, 0xfc, 0x4, [@generic={0xd4, 0x21, "28a1dfa1d28f9ae60d0a8e9e3c512db35369d479fa6e6aa099e267e1ced77ca2e180b429779023a872b0ef8807e11f8b8b21b811d4fe5527335ce86e3a95cdf960d1e79e88c276c174d183d2f3bc0862dd7e1d29ac589ceb22024e25a44c3e8123581d1448fd2db5332fe41c23f9aa959564f32db1da14610415ddc293dc57c9d6c775d22151bdab236a5a73592e5518055728ae819e25c080cbb9bf0203b6639b8fd8d716d9c571d6b260ea297733d53c3a05449b9b9221d0f402610c9837189f9c6ab3baaf031d48692690c9981cee1426"}, @generic={0xc3, 0x6, 
"60ed98576fbbbee3db67d535ea7e1a19d92d689e2f03308a615a5641e72e694d996f76c1111c88c507c39a87f34a3682dafbfe583b79f5b950a30614162c605f7e6c5d452b4f84a145f20bf4470ddf43f06c415dc6c41551fd458ba6aedf57d74cb85a25e43324814b62c3be4108b1ea5b9dd22a78a45cdf5d8f27c11f35026bf7ef10c7d1f0615fe1c44a302a84d88b8d6c2d85049c9f48a04b4e61801c017f609b673fc8290f7362a0ed35882a335b657f835fce8e20100cde82c1a3dc180611"}]}}]}}]}}]}}, &(0x7f0000007740)={0xa, &(0x7f00000073c0)={0xa, 0x6, 0x310, 0x5, 0x80, 0xff, 0xbf, 0x5}, 0x5, &(0x7f0000007400)={0x5, 0xf, 0x5}, 0x5, [{0xa8, &(0x7f0000007440)=@string={0xa8, 0x3, "0584bddc149671f9e6c6cd123b796cafe2eb5d2bd3cf65e3eb0f3a601aba7164713d4042653f2cca182207d4e7ffa8bc71e705aa48bcff03fddd2e3e6bebe11cb61f95faf14afdf29440021e851fb682aa24e624e833952db6d1f96aa7edfc74ce501359694c7583eb5e48dfe227d2105d5e3d2359e3c728a48adff09b1132f928893ceefae67700983be1ca94e818e7a1463c802f1fc2a72d40900933403d7b255a35d9dc33"}}, {0x4, &(0x7f0000007500)=@lang_id={0x4, 0x3, 0x42c}}, {0xf4, &(0x7f0000007540)=@string={0xf4, 0x3, "1c537117dc720af3ccf108687c86cb544bc885379e435dbb861bc9a01550592e6008ae94a1f98317ad9cd804016b079b5ec294dcaf4537cf5b68c3c4353754caf369ba34101cbd21926b15cef67ab63ead40abfbef867b372fe2781866f87a2dccf98ffe66531c1d5021406c69ce84b439130cac71f52564b7c8fa621d71d5ff001517593f059da0cb82f1fd5e327df9abec4946e34e20d3f1df8f4a0422f9bb538949b4a14d1b3afd6793e81d3ba596d16d8cee0e700314e531e602fe5cb832b22c7a2f9f36f39d053876478157d541e8c0977a9acaf691f1234f665d234f82ee90ff8982d9c1371a15ddc8ed2392dd5a96"}}, {0x98, &(0x7f0000007640)=@string={0x98, 0x3, "078cbefd67796b8d00c6a027e5d07bc3b00756acafb9096e3e381a99fdbe8a5161ca19a9628d61baefd6972b48f5e04b0fa6e2b99cca8df5b50dbd97d656c02f8583a58ce8cbd35c69fb3f86de0ddac90f5be8d4f04a3ad4f31293b509959139bea0f3067d0ebfa3c5b210e1993078b0ae929561fc7734869b3dd8d812c00a3035236166a31227ae291e696ab4f81f4e3f02d6b2f334"}}, {0x4, &(0x7f0000007700)=@lang_id={0x4, 0x3, 0x43e}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007780)={{0x12, 0x1, 0x200, 0xff, 
0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f00000079c0)={0x18, &(0x7f0000007800)={0x20, 0x11, 0xb7, {0xb7, 0x9, "72f591ba5c694f16a4d92075ef3ec8bc46920954799ec8d3c0308f3b4779da6e18e9824a86746d013a399afc7f6fceb6c37f7f131c71ebc001f666ea63ed3ade132009735a546622f9e639d481c967cc7b5b747cc5e62fdc41bbb4bb95878a442cc49111c0f57886f17077a1b4b22e3cf28eecb798feed6f168dd9cc2646f8b79ed41bba94de9e304fc845179a7321f04784aa917ba08405b0a95b8303d914ef8e374780dd8e3437c95c35764cd063e7a3ec6d790b"}}, &(0x7f00000078c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x813}}, &(0x7f0000007900)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x18, 0x8, 0x0, 0x3}]}}, &(0x7f0000007940)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7, 0x80, 0x6, 0xe0, "8402487c", "8056a3ff"}}, &(0x7f0000007980)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xa7, 0x2, 0x7d, 0x0, 0x80, 0x7, 0x6}}}, &(0x7f0000007e80)={0x44, &(0x7f0000007a00)={0x40, 0x10, 0x8c, "21b83825059f24506d8e842085d1f2e7f964471b20ed0a8e50a9aa4ef16b5a6f2dbb2b570a4f8d13d60e47bb7821ff912111dee40a78d42b4d13ea812d929ccf3964c5468f89d2d21630ec87067a2d13f45238b446bf57c6b9ec35578fa587fc77fe2108b1590be081681ccc024f1f590be9e5bec9ea86b9803c60299dda1a82f8ff04428671a43bc2c3393a"}, &(0x7f0000007ac0)={0x0, 0xa, 0x1, 0x4}, &(0x7f0000007b00)={0x0, 0x8, 0x1, 0xfb}, &(0x7f0000007b40)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000007b80)={0x20, 0x0, 0x4, {0x140, 0x20}}, &(0x7f0000007bc0)={0x40, 0x7, 0x2, 0x3ff}, &(0x7f0000007c00)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000007c40)={0x40, 0xb, 0x2, "8a02"}, &(0x7f0000007c80)={0x40, 0xf, 0x2, 0x321a}, &(0x7f0000007cc0)={0x40, 0x13, 0x6, @link_local}, &(0x7f0000007d00)={0x40, 0x17, 0x6, @random="b0fe281fa391"}, &(0x7f0000007d40)={0x40, 0x19, 0x2, '#7'}, &(0x7f0000007d80)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000007dc0)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007e00)={0x40, 0x1e, 0x1, 0x6}, &(0x7f0000007e40)={0x40, 0x21, 0x1, 0x9e}}) r23 = syz_usb_connect$cdc_ecm(0x2, 0x5f, 
&(0x7f0000007f00)={{0x12, 0x1, 0x70, 0x2, 0x0, 0x0, 0x50, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4d, 0x1, 0x1, 0x2, 0x70, 0x40, [{{0x9, 0x4, 0x0, 0xc4, 0x3, 0x2, 0x6, 0x0, 0xe1, {{0x8, 0x24, 0x6, 0x0, 0x0, 'W?s'}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x200, 0x0, 0x200, 0x3}, [@ncm={0x6, 0x24, 0x1a, 0x1000}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x3f, 0x0, 0xd8}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0xff, 0xec, 0x5}}, {{0x9, 0x5, 0x3, 0x2, 0x3cf, 0x81, 0x39, 0x5}}}}}]}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f80)={0xa, 0x6, 0x0, 0x2, 0x20, 0x77, 0xff, 0x2f}, 0x5, &(0x7f0000007fc0)={0x5, 0xf, 0x5}, 0x5, [{0x69, &(0x7f0000008000)=@string={0x69, 0x3, "d25a9c8f1452a3c6ffbfeca8eb777935b58c9b7406775086fff717b54f05ac59f94517ff3cd6f3101dbfa79bb82ae31b1d316d08a71d14fc2c1cfa8c893068bde2bb830ae91fc94288cc232aaac0e64b84007b0e7536c3ec34edef04ded93421a377e0695326aa"}}, {0xac, &(0x7f0000008080)=@string={0xac, 0x3, "7360609ce8300ae4623308d5f8b97bfd50d3d863408b8ea401c86da9d42ce5f3867ce8d721fb2ab5c25f6b4c5e85f5eaf341bd514a16c2dfe3c7a1d7f427ae62c0bff379e84d56637ec1377b8c8ad5b55b099cfaa4a7a6eeb0589f81e7a43300eff53354e1b2bdcdc34d7945d63562e48d5ed93bef75fd0160fcd7c3a6be7f0c642bb6e561e35a1c73110bdcded7699865e25eb238cf8f3b10ad3c10488028c37063c8862f907b06829e"}}, {0x4, &(0x7f0000008140)=@lang_id={0x4, 0x3, 0x81a}}, {0x4, &(0x7f0000008180)=@lang_id={0x4, 0x3, 0x180a}}, {0xb9, &(0x7f00000081c0)=@string={0xb9, 0x3, "37efeb854b4051a46c67aee7eaa0f62fde9f599cd5ba25329d50aee16b30c6c1a514831081afc1dfd2682ff48716a91bf95e084212b0696d43e1c6c43adaf9ed3ef70e62735994d2d0865139604988fac17978d9c05a84f3423831dd1dddc6c94d50ddd674f16525bbf9a8db3bb49001be38a19670abd99f4a2e97cfb20d46c637832a3ec97ff094c6a3304964b72bcf116bf27fedd5521ad3da226297fff849c33c5d849e3e3037527901eef63a599baa54fc46a46ff1"}}]}) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ecm(0x3, 0xc5, &(0x7f00000082c0)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xb3, 0x1, 0x1, 0x6, 
0x28, 0xff, [{{0x9, 0x4, 0x0, 0x9, 0x2, 0x2, 0x6, 0x0, 0x4, {{0x6, 0x24, 0x6, 0x0, 0x0, "b1"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9208, 0x2, 0x0, 0x20}, [@mdlm_detail={0x5e, 0x24, 0x13, 0x7, "63b0b95377147ba214d950fc04b22c04be09d9b96f1ab94bb02e8a2a9e23cf7d3acab22a80ed350ec4b17806edcb169e5075373d991780211392eb3d9f1173a539843bf2c3f66a4a6960a55a2207767db3c55a7dd2898b5ccb40"}, @mbim={0xc, 0x24, 0x1b, 0x2a, 0x100, 0xe0, 0x76, 0x0, 0xff}, @acm={0x4, 0x24, 0x2, 0xa}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x73, 0x35, 0x3f}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0x3, 0x1, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x40, 0x2}}}}}]}}]}}, &(0x7f00000087c0)={0xa, &(0x7f00000083c0)={0xa, 0x6, 0x201, 0x79, 0x3, 0x3f, 0x20, 0x6}, 0x37, &(0x7f0000008400)={0x5, 0xf, 0x37, 0x5, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0xa, 0x6, 0x5}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x1, 0x9, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0xa737ee064a5fddc9, 0x7, 0x7, 0x0, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x0, 0x6, 0x6}, @ssp_cap={0x10, 0x10, 0xa, 0x1, 0x1, 0x8001, 0xf00f, 0xfffd, [0x3fc0]}]}, 0x9, [{0x4f, &(0x7f0000008440)=@string={0x4f, 0x3, "c0663b116dab9ba5c0a2f7a2ad486ffc164a4365899565c5e99b015239f378df56db4dc3b0bb08dcd208d958fa3cf08097aa208b2d2865b502cbc94b1a8e33bdd9d6481fbf32d4913422fe189f"}}, {0x85, &(0x7f00000084c0)=@string={0x85, 0x3, "c9c487a90be3d40ef782373d785f86bdfc3db6fb0dd0a7440b2fe4595c3a6bd67aa8518d897a8a757d5f1ceb86e598cabf2345f771c3c7128bd16dd4b1ee9b7dbcaf611e97f6dcb9f171e8f7052b0f33e631bfe99ddc4413e5e5d7b634dcc3b77e4d301f89a8d3b851b02306cabec211127a8e541d162636588ff574de82de8f307d43"}}, {0x4, &(0x7f0000008580)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f00000085c0)=@lang_id={0x4}}, {0xaa, &(0x7f0000008600)=@string={0xaa, 0x3, 
"ce395e8e9f409a37daeb1c20be9ca4004ae810cf1653eccd6e663dd74f8bc06989b4d1a65c9f480bd37e9dd85349f298ddaddc2cc9e4eda147f231402e116fb594a63718d821d885ebd67eda451558b1fba3093ecbd40cbe5fbe07f94ed927d8e5039a7c497aa8d1f10a4ddac049ad820f8c532c5a3f00947955032423922e95aa5bfee041f7fe8744ecc4424057eec97040b341d0dddcaf206da6431e987f04cfd55802cad3a114"}}, {0x4, &(0x7f00000086c0)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000008700)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000008740)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000008780)=@lang_id={0x4, 0x3, 0x1c}}]}) syz_usb_ep_read(r24, 0x8, 0x7d, &(0x7f0000008840)=""/125) r25 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f00000088c0)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x10, 0x56a, 0x62, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0xf0, 0x8e, [{{0x9, 0x4, 0x0, 0x5, 0x1, 0x3, 0x1, 0x2, 0x0, {0x9, 0x21, 0x3, 0xf, 0x1, {0x22, 0xa21}}, {{{0x9, 0x5, 0x81, 0x3, 0x3af, 0x1, 0x40, 0x2}}, [{{0x9, 0x5, 0x2, 0x3, 0x10, 0x6, 0x1, 0x9}}]}}}]}}]}}, &(0x7f0000008c00)={0xa, &(0x7f0000008900)={0xa, 0x6, 0x250, 0x3, 0x1, 0x46, 0xff, 0x20}, 0x34, &(0x7f0000008940)={0x5, 0xf, 0x34, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0xfa, 0x8, 0x80, 0x5, 0x3}, @ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x9, 0xf00f, 0x0, [0xffc00f, 0xff00c0, 0x101ffc0, 0xff0030, 0x30, 0x30]}]}, 0x4, [{0xed, &(0x7f0000008980)=@string={0xed, 0x3, "e7db914ef4a71a3aba443ee181c272e7fbb63648a997754b81a1938f52b9fd8c2b76ca28ee1fcba280021fbe02ffa03ea753f2d51b71f1cb9391ea31faabf8ed37a9853b87eebaa0a1269696e65e309ea4bf7755ff1b99280fd68230d7d899d097e16ee0b224de57339439c80ad7fbf8bbf32aa00e29802bde1c8c5e6228fa0a54c8350ef997112f763e17428fb8e95a56689595f30a3c16151809b0c6b1d4d4766510c6f066fe4b35a3ea90d388d1b4d4e9c6b30971e237e23fd205f9905ee7d79f4443707adc7f65ce2b15994daac7b954353fb23201844122710531879c6291c7dfbf6be454b9cf2f2e"}}, {0x4, &(0x7f0000008a80)=@lang_id={0x4, 0x3, 0x410}}, {0x64, &(0x7f0000008ac0)=@string={0x64, 0x3, 
"041c8b1bd143ea1d63829b769ddb886a6aafeedd5f652bc948677c9a6e3acfe04a1519053f95e5fcf79b085362cdac6abbf8f13781a621885257052b120045da2c494a30bc6ae6c4160cf497002af8b77e21689324bd6e75aceda7cf6a50920b2ab1"}}, {0x87, &(0x7f0000008b40)=@string={0x87, 0x3, "150837b1e69e5007398ac02c4a0b25072daa81a64af10bcdc5736333f49c921f86d9cbc6b778f1d21679d847d5b8a9b70fc56bb5a433040afd94377b2515a55cda70db64442adae0905aa90f911d3beef800ab6fd87a5c51fda8faa750d195c2e657249781c6af0523e0492f9a69e227e10ca0310f1a010f8b986a9a0553a5331f9754fc90"}}]}) syz_usb_ep_write(r25, 0x7, 0x72, &(0x7f0000008c40)="a6908c5530814d6a6bfd6d6c7594d4af8a4962d882da657bb402c7d0ae4535168160dbf67b82f223d577b0e16e6ac3c46a4015a6ed7c4fa65d1dbaa268b748dec46774eca92247969449a9f59e9edde4d37e7bd17882eb005e24fe43f57654000eadec3f1de9917eb28c2a877182c47b556d") syz_usbip_server_init(0x4) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
pthread_attr_setstacksize(&attr, 128 << 10); // (tail of thread_start(); the function opens before this span) requests a 128 << 10 = 131072-byte stack
    // Retry thread creation up to 100 times.
    int i = 0;
    for (; i < 100; i++) {
        if (pthread_create(&th, &attr, fn, arg) == 0) {
            pthread_attr_destroy(&attr);
            return;
        }
        // EAGAIN is treated as transient: wait 50 microseconds and try again.
        // NOTE(review): pthread_create reports failure through its return value;
        // POSIX does not require it to set errno, so this test depends on the
        // libc in use also leaving EAGAIN in errno -- confirm.
        if (errno == EAGAIN) {
            usleep(50);
            continue;
        }
        // Any other failure ends the retry loop immediately.
        break;
    }
    // No thread could be created: terminate the whole process with status 1.
    exit(1);
}

// BITMASK(bf_off, bf_len): a mask of bf_len one-bits starting at bit bf_off.
// NOTE(review): (1ull << bf_len) is undefined behaviour in C when bf_len is 64,
// so the macro is only well-defined for fields narrower than 64 bits.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// STORE_BY_BITMASK: read-modify-write of one bit-field inside the `type` object at addr.
// The current value is loaded and passed through `htobe`, the field's bits are cleared,
// `val` is shifted to bf_off and masked into place, and the result is passed through
// `htobe` again before being stored. The same caller-supplied conversion is used in
// both directions. addr is dereferenced as type*, so it is assumed to be suitably
// aligned for `type` -- TODO confirm at the call sites (not visible in this span).
// The expansion is a bare assignment expression, not wrapped in parentheses.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Running state of a 16-bit ones'-complement checksum. acc is kept in 32 bits so
// that carries out of bit 15 can be folded back in by csum_inet_update().
struct csum_inet {
    uint32_t acc;
};

// Resets the accumulator to zero.
static void csum_inet_init(struct csum_inet* csum)
{
    csum->acc = 0;
}

// Adds `length` bytes at `data` to the running sum, 16 bits at a time.
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
    // Nothing to add; returning here also keeps `length - 1` below (a size_t)
    // from wrapping around to a huge value.
    if (length == 0)
        return;
    size_t i = 0;
    // Whole 16-bit words, read in host byte order through a uint16_t* cast.
    // NOTE(review): data is a byte pointer, so this relies on the target
    // tolerating unaligned 16-bit loads; a memcpy into a local uint16_t would
    // avoid depending on that.
    for (; i < length - 1; i += 2)
        csum->acc += *(uint16_t*)&data[i];
    // Odd length: the last byte is widened to 16 bits and added via le16toh.
    if (length & 1)
        csum->acc += le16toh((uint16_t)data[length - 1]);
    // Fold carries above bit 15 back into the low 16 bits until none remain.
    while (csum->acc > 0xffff)
        csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Returns the bitwise complement of the accumulator; the uint16_t return type
// truncates it to the low 16 bits.
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
    return ~csum->acc;
}

// One-shot event built on a futex word: state is 0 while unset and 1 once set.
typedef struct {
    int state;
} event_t;

// Puts the event in the unset state.
static void event_init(event_t* ev)
{
    ev->state = 0;
}

// Returns the event to the unset state (same store as event_init).
static void event_reset(event_t* ev)
{
    ev->state = 0;
}

// Marks the event as set and wakes threads blocked on it.
static void event_set(event_t* ev)
{
    // Setting an event that is already set is treated as fatal (plain, non-atomic read).
    if (ev->state)
        exit(1);
    // Release store pairs with the acquire loads in the wait/isset functions.
    __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
    // Wake up to 1000000 waiters on this futex word.
    syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Blocks until the event is set, with no timeout.
static void event_wait(event_t* ev)
{
    // FUTEX_WAIT is passed the expected value 0, so the kernel only sleeps
    // while state is still 0; the loop re-checks after every return.
    while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
        syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Non-blocking query: returns the current state (non-zero once set).
static int event_isset(event_t* ev)
{
    return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Waits for the event for at most `timeout` milliseconds (the unit follows from
// the /1000 and %1000 split into timespec fields below). The remainder of the
// function returns 1 once the state is seen set and 0 once more than `timeout`
// milliseconds have elapsed.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
    uint64_t start = current_time_ms();
    uint64_t now = start;
    for (;;) {
        // Time left. This unsigned subtraction cannot wrap: the loop exits
        // further down as soon as (now - start) exceeds timeout.
        uint64_t remain = timeout - (now - start);
        struct timespec ts;
        ts.tv_sec = remain / 1000;
        ts.tv_nsec = (remain % 1000) * 1000 * 1000;
        // Sleep while state is still 0, for at most the remaining time.
        syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
        if (__atomic_load_n(&ev->state,
__ATOMIC_ACQUIRE)) // (continuation of event_timedwait(), which opens before this span) event observed set
            return 1;
        now = current_time_ms();
        // Give up once more than `timeout` milliseconds have passed since start.
        if (now - start > timeout)
            return 0;
    }
}

// Formats a printf-style message and writes it to an existing file.
//   file: path to open; O_CREAT is not passed, so the file must already exist.
//   what: printf-style format string followed by its arguments. It is handed
//         straight to vsnprintf, so it must never be externally controlled text.
// Returns true when the whole formatted string was written, false otherwise
// (errno from the failing open/write is preserved).
static bool write_file(const char* file, const char* what, ...)
{
    // Output longer than 1023 characters is silently truncated by vsnprintf.
    char buf[1024];
    va_list args;
    va_start(args, what);
    vsnprintf(buf, sizeof(buf), what, args);
    va_end(args);
    // Explicit terminator in the last byte of the buffer.
    buf[sizeof(buf) - 1] = 0;
    int len = strlen(buf);
    int fd = open(file, O_WRONLY | O_CLOEXEC);
    if (fd == -1)
        return false;
    // A short write counts as failure.
    if (write(fd, buf, len) != len) {
        // close() may overwrite errno, so save and restore the write error.
        int err = errno;
        close(fd);
        errno = err;
        return false;
    }
    close(fd);
    return true;
}

// Scratch buffer used both to build a netlink request and to receive the reply.
struct nlmsg {
    // Write cursor: next free byte inside buf.
    char* pos;
    // Must be zero when the message is sent (checked in netlink_send_ext);
    // presumably the depth of currently open nested attributes -- the code
    // that changes it is not in this span.
    int nesting;
    // Up to 8 attribute pointers; presumably the open nested attributes -- not
    // used in this span.
    struct nlattr* nested[8];
    // Message bytes: struct nlmsghdr, then the payload, then attributes.
    char buf[4096];
};

// Starts a new request in nlmsg: zeroes the whole structure, fills in the
// netlink header (type `typ`, flags NLM_F_REQUEST | NLM_F_ACK | flags) and
// copies `size` bytes of family-specific header from `data` after it.
// NOTE(review): `size` is not checked against sizeof(nlmsg->buf) here; the
// callers visible on this page pass small fixed-size structs.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
    memset(nlmsg, 0, sizeof(*nlmsg));
    struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
    hdr->nlmsg_type = typ;
    hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
    memcpy(hdr + 1, data, size);
    // Cursor moves past the header and the aligned payload.
    nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

// Appends one attribute (type `typ`, `size` bytes from `data`) at the cursor.
// NOTE(review): nothing here checks that the attribute fits in nlmsg->buf. The
// only bounds check visible is in netlink_send_ext, which runs after the
// memcpy below has already written, so an oversized attribute overruns the
// buffer before it is detected.
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
    struct nlattr* attr = (struct nlattr*)nlmsg->pos;
    // nla_len covers the attribute header plus the unpadded payload.
    attr->nla_len = sizeof(*attr) + size;
    attr->nla_type = typ;
    // size == 0 (with data possibly NULL) yields a payload-less attribute.
    if (size > 0)
        memcpy(attr + 1, data, size);
    // Advance by the aligned length so the next attribute starts aligned.
    nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Sends the request built in nlmsg over `sock` and reads one reply into the
// same buffer.
//   reply_type / reply_len: when reply_len is non-NULL and the reply has type
//       reply_type, *reply_len receives the number of bytes received.
//   dofail: when true, send/receive/format failures call exit(1) instead of
//       returning -1.
// Returns 0 for NLMSG_DONE or a matching reply, -1 for the failures above, and
// otherwise the negated errno taken from an NLMSG_ERROR reply (0 when its error
// field is 0). The reply handling continues past the end of this span.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
    // Abort if the cursor has run past the buffer or nesting is non-zero.
    if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
        exit(1);
    struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
    // Total message length is everything written up to the cursor.
    hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
    // Destination: zeroed sockaddr_nl with only the family set.
    struct sockaddr_nl addr;
    memset(&addr, 0, sizeof(addr));
    addr.nl_family = AF_NETLINK;
    ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
    // A failed or partial send is an error.
    if (n != (ssize_t)hdr->nlmsg_len) {
        if (dofail)
            exit(1);
        return -1;
    }
    // The reply overwrites the request in the same buffer.
    n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
    if (reply_len)
        *reply_len = 0;
    if (n < 0) {
        if (dofail)
            exit(1);
        return -1;
    }
    // A reply shorter than a netlink header cannot be parsed.
    if (n < (ssize_t)sizeof(struct nlmsghdr)) {
        errno = EINVAL;
        if (dofail)
            exit(1);
        return -1;
    }
    if (hdr->nlmsg_type ==
NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int 
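ssid_len; };

/*
 * Bring a network interface up (on != 0) or down (on == 0) by toggling IFF_UP
 * with SIOCGIFFLAGS / SIOCSIFFLAGS on a temporary AF_INET datagram socket.
 *
 * Returns 0 on success, -1 if the socket cannot be created or an ioctl fails.
 */
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0)
		return -1;

	memset(&ifr, 0, sizeof(ifr));
	/*
	 * The name is caller-controlled and ifr_name is a fixed-size array, so an
	 * unbounded strcpy() could write past it. Copy at most size - 1 bytes; the
	 * memset above guarantees the terminating NUL.
	 */
	strncpy(ifr.ifr_name, interface_name, sizeof(ifr.ifr_name) - 1);

	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}

	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;

	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	return ret < 0 ? -1 : 0;
}

/*
 * Send NL80211_CMD_SET_INTERFACE for ifindex, requesting interface type iftype.
 * nlmsg is scratch space for building the request. Returns the result of
 * netlink_send().
 */
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;

	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	return netlink_send(nlmsg, sock);
}

/*
 * Send NL80211_CMD_JOIN_IBSS for ifindex using the SSID and frequency in props.
 * The MAC attribute is added only when props->mac is set, and the FREQ_FIXED
 * flag attribute only when props->wiphy_freq_fixed is set. Returns the result
 * of netlink_send().
 *
 * NOTE(review): props->ssid_len is passed to netlink_attr() unchecked; the
 * caller is presumably expected to keep it within the message buffer - confirm.
 */
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;

	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	return netlink_send(nlmsg, sock);
}

/* Query IFLA_OPERSTATE of interface ifindex over a NETLINK_ROUTE socket. */
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return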
-1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = 
*cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) exit(1); int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, 
"%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while 
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
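(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; }

/* One caller-supplied string descriptor: len bytes starting at str. */
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

/*
 * Optional descriptors supplied by the caller of syz_usb_connect*():
 * device qualifier, BOS, and strs_len string descriptors.
 */
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptor ("syz") used when the caller supplies none. */
static const char default_string[] = {
	8, USB_DT_STRING,
	's', 0, 'y', 0, 'z', 0
};

/* Fallback string descriptor 0 (language ID bytes 0x09, 0x04). */
static const char default_lang_id[] = {
	4, USB_DT_STRING,
	0x09, 0x04
};

/*
 * Pick the reply for an IN control request received while connecting.
 *
 * Only standard GET_DESCRIPTOR requests are answered. On success the function
 * stores a pointer to the reply in *response_data, its size in
 * *response_length, and returns true. It returns false when fd has no
 * registered descriptor index or the request is not handled here; the caller
 * then stalls endpoint 0.
 *
 * descs may be NULL (the STRING case already allowed for that), so every case
 * that reads it checks first.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* The high byte of wValue selects the descriptor type. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				/* The low byte of wValue is the string index. */
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/* No caller descriptors: nothing to answer with, let the caller stall. */
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					/*
					 * Synthesize a qualifier from the device descriptor.
					 *
					 * The descriptor must live in its own storage. Building it
					 * through response_data itself (a char**) would overwrite
					 * the caller's pointer variable and the stack next to it,
					 * and the caller would then copy from a garbage address.
					 * Thread-local storage keeps concurrent callers apart; the
					 * caller copies the reply out before the next request.
					 */
					static __thread struct usb_qualifier_descriptor qual_storage;
					struct usb_qualifier_descriptor* qual = &qual_storage;

					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/*
 * Handler for OUT control requests during connect. Returns true when the
 * request is accepted and sets *done once enumeration should stop.
 */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/* Generic handler: accepts only standard SET_CONFIGURATION, which also ends the connect loop. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

/*
 * ath9k handler: accepts SET_CONFIGURATION and the vendor firmware download
 * request without finishing; the connect loop ends on
 * ATH9K_FIRMWARE_DOWNLOAD_COMP.
 */
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

/* A descriptor reply keyed by request type and descriptor type. */
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

/* Table of descriptor replies; len is the byte size of the whole table. */
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

/* A control reply keyed by request type and request code. */
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses { uint32_t len; struct vusb_response* generic; struct 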
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
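USB_RAW_IOCTL_EVENT_FETCH, event); }

/* Thin wrappers around the raw-gadget ioctls; each returns the ioctl() result. */

/* Queue an IN transfer on endpoint 0. */
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

/* Queue an OUT transfer on endpoint 0. */
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

/* Write to the non-control endpoint named by io->ep. */
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

/* Read from the non-control endpoint named by io->ep. */
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

/* Enable the endpoint described by desc; set_interface() stores a non-negative result as the endpoint handle. */
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

/* Disable a previously enabled endpoint; ep is passed to the ioctl by value. */
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

/* power is passed to the ioctl by value. */
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

/* Stall endpoint 0 in response to a control request that is not handled. */
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Find the parsed interface entry of the device behind fd that matches both
 * the interface number and the alternate setting.
 *
 * Returns its position in index->ifaces, or -1 if fd is unknown or nothing
 * matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;

	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/*
 * Map an endpoint address to the handle stored for it in the currently
 * selected interface.
 *
 * Returns the handle, or -1 if fd is unknown, no interface is selected, or the
 * address is not among that interface's endpoints.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	/*
	 * Bound the scan by eps_num. The previous condition tested eps_num alone,
	 * so with a non-empty endpoint list and no matching address the loop never
	 * stopped and read past eps[].
	 */
	for (int ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}

static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;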
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
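ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; }

/*
 * Pseudo-syscall: read up to `a2` bytes from USB endpoint `a1` of descriptor
 * `a0` into the buffer at `a3`.
 * Returns 0 on success, -1 if the endpoint lookup fails, or the negative
 * result of usb_raw_ep_read().
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    int fd = a0;
    uint8_t ep = a1;
    uint32_t len = a2;
    char* data = (char*)a3;
    int ep_handle = lookup_endpoint(fd, ep);
    if (ep_handle < 0) {
        return -1;
    }
    struct usb_raw_ep_io_data io_data;
    io_data.inner.ep = ep_handle;
    io_data.inner.flags = 0;
    /* Clamp the request to the on-stack transfer buffer. */
    if (len > sizeof(io_data.data))
        len = sizeof(io_data.data);
    io_data.inner.length = len;
    int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
    if (rv < 0) {
        return rv;
    }
    /*
     * NOTE(review): this copies the requested length, not `rv`. If
     * usb_raw_ep_read() reports the number of bytes actually received, a short
     * read hands uninitialised stack bytes of io_data.data to the caller --
     * confirm against the helper before relying on the tail of `data`.
     */
    memcpy(&data[0], &io_data.data[0], io_data.inner.length);
    sleep_ms(200);
    return 0;
}

/* Pseudo-syscall: close the USB descriptor `a0`, wait 200 ms, return close()'s result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
    int fd = a0;
    int rv = close(fd);
    sleep_ms(200);
    return rv;
}

/*
 * Pseudo-syscall: open a device node.
 * a0 == 0xc / 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> read-write
 * (a1 and a2 are truncated to 8 bits).
 * Otherwise a0 is a path template: every '#' is replaced by successive decimal
 * digits of a1 (least significant first) and the result is opened with flags a2.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        char buf[128];
        /* Bounded formatting, consistent with the other path builders in this file. */
        snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    } else {
        char buf[1024];
        char* hash;
        /* strncpy does not terminate on truncation, so terminate explicitly. */
        strncpy(buf, (char*)a0, sizeof(buf) - 1);
        buf[sizeof(buf) - 1] = 0;
        while ((hash = strchr(buf, '#'))) {
            *hash = '0' + (char)(a1 % 10);
            a1 /= 10;
        }
        return open(buf, a2, 0);
    }
}

/*
 * Pseudo-syscall: open a procfs file named by the string at `a1`.
 * a0 == 0 selects /proc/self, a0 == -1 selects /proc/thread-self, any other
 * value is used as a task id under /proc/self/task. Tries O_RDWR first and
 * falls back to O_RDONLY.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
    char buf[128];
    memset(buf, 0, sizeof(buf));
    if (a0 == 0) {
        snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
    } else if (a0 == -1) {
        snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
    } else {
        snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
    }
    int fd = open(buf, O_RDWR);
    if (fd == -1)
        fd = open(buf, O_RDONLY);
    return fd;
}

/*
 * Pseudo-syscall: given a pty master descriptor `a0`, query its pty number with
 * TIOCGPTN and open /dev/pts/<n> with flags `a1`. Returns -1 if the ioctl fails.
 */
static long syz_open_pts(volatile long a0, volatile long a1)
{
    int ptyno = 0;
    if (ioctl(a0, TIOCGPTN, &ptyno))
        return -1;
    char buf[128];
    snprintf(buf, sizeof(buf), "/dev/pts/%d", ptyno);
    return open(buf, a1, 0);
}

/*
 * Pseudo-syscall: create a socket in the network namespace referred to by
 * kInitNetNsFd, then switch back to the caller's own namespace.
 * Returns the socket descriptor or -1; errno reflects the socket() call.
 * Exits the process if the original namespace cannot be restored, because
 * continuing in the wrong namespace would invalidate the rest of the run.
 */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        return netns;
    if (setns(kInitNetNsFd, 0)) {
        /* Do not leak the namespace descriptor on the failure path. */
        int setns_err = errno;
        close(netns);
        errno = setns_err;
        return -1;
    }
    int sock = syscall(__NR_socket, domain, type, proto);
    int err = errno;
    if (setns(netns, 0))
        exit(1);
    close(netns);
    errno = err;
    return sock;
}

/*
 * Pseudo-syscall: resolve the generic-netlink family id for the name at `name`.
 * Uses `sock_arg` when it is a non-negative descriptor; otherwise opens a
 * temporary NETLINK_GENERIC socket (and passes dofail=true to the query helper).
 * Returns the family id or -1.
 */
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
    bool dofail = false;
    int fd = sock_arg;
    if (fd < 0) {
        dofail = true;
        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (fd == -1) {
            return -1;
        }
    }
    struct nlmsg nlmsg_tmp;
    int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
    /* Only close the socket if it was created here. */
    if ((int)sock_arg < 0)
        close(fd);
    if (ret < 0) {
        return -1;
    }
    return ret;
}

/* One chunk of a filesystem image: `size` bytes at `data`, placed at `offset`. */
struct fs_image_segment {
    void* data;
    uintptr_t size;
    uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
/* Syscall number used for memfd_create in this generated program. */
#define sys_memfd_create 356

/*
 * Sanitise the first min(nsegs, IMAGE_MAX_SEGMENTS) segment descriptors in
 * place so that each one lies inside [0, IMAGE_MAX_SIZE), and return an image
 * size that covers every sanitised segment (capped at IMAGE_MAX_SIZE).
 * `nsegs` is clamped on a local copy only; callers must clamp their own count.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    for (size_t i = 0; i < nsegs; i++) {
        if (segs[i].size > IMAGE_MAX_SIZE)
            segs[i].size = IMAGE_MAX_SIZE;
        segs[i].offset %= IMAGE_MAX_SIZE;
        if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
            segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
        /*
         * The image must reach the end of the segment (offset + size). The
         * previous expression added the offset to itself, which ignored the
         * segment length when sizing the backing file.
         */
        if (size < segs[i].offset + segs[i].size)
            size = segs[i].offset + segs[i].size;
    }
    if (size > IMAGE_MAX_SIZE)
        size = IMAGE_MAX_SIZE;
    return size;
}

/*
 * Build an in-memory image from `segs` and attach it to the loop device
 * `loopname`.
 * On success stores the memfd and loop descriptors in *memfd_p / *loopfd_p and
 * returns 0. On failure closes whatever was opened, sets errno to the first
 * failing call's error and returns -1.
 */
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
    int err = 0, loopfd = -1;
    size = fs_image_segment_check(size, nsegs, segs);
    /*
     * fs_image_segment_check() only sanitises the first IMAGE_MAX_SEGMENTS
     * descriptors; apply the same bound here so the write loop never uses a
     * descriptor whose size/offset were not checked.
     */
    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    int memfd = syscall(sys_memfd_create, "syzkaller", 0);
    if (memfd == -1) {
        err = errno;
        goto error;
    }
    if (ftruncate(memfd, size)) {
        err = errno;
        goto error_close_memfd;
    }
    for (size_t i = 0; i < nsegs; i++) {
        /* Best effort: a failed segment write is deliberately ignored. */
        if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
        }
    }
    loopfd = open(loopname, O_RDWR);
    if (loopfd == -1) {
        err = errno;
        goto error_close_memfd;
    }
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
        if (errno != EBUSY) {
            err = errno;
            goto error_close_loop;
        }
        /* Device still bound to an earlier image: detach, wait 1 ms, retry once. */
        ioctl(loopfd, LOOP_CLR_FD, 0);
        usleep(1000);
        if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
            err = errno;
            goto error_close_loop;
        }
    }
    *memfd_p = memfd;
    *loopfd_p = loopfd;
    return 0;
error_close_loop:
    close(loopfd);
error_close_memfd:
    close(memfd);
error:
    errno = err;
    return -1;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int err = 0, res = -1, loopfd = -1, memfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, 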
&info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; }

/*
 * Pseudo-syscall: mount a filesystem of type `fsarg` on directory `dir`.
 * When `segments` is non-NULL the image is first assembled on /dev/loop<procid>
 * via setup_loop_device() and used as the mount source; otherwise the source
 * is NULL. Returns a descriptor for the mounted directory, or -1 with errno set.
 * The loop device and memfd are released before returning in either case.
 * NOTE(review): fsarg and optsarg are dereferenced without a NULL check --
 * presumably the generator always supplies valid strings; confirm.
 */
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;
    int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
    char* mount_opts = (char*)optsarg;
    char* target = (char*)dir;
    char* fs = (char*)fsarg;
    char* source = NULL;
    char loopname[64];
    if (need_loop_device) {
        memset(loopname, 0, sizeof(loopname));
        snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
        if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
            return -1;
        source = loopname;
    }
    /* Result ignored: the directory may already exist. */
    mkdir(target, 0777);
    char opts[256];
    memset(opts, 0, sizeof(opts));
    /* Over-long option strings are silently truncated by the strncpy below. */
    if (strlen(mount_opts) > (sizeof(opts) - 32)) {
    }
    /*
     * Copy at most sizeof(opts) - 32 bytes into the zeroed buffer: the result is
     * always NUL-terminated and 32 bytes stay free for the suffixes appended
     * with strcat() below.
     */
    strncpy(opts, mount_opts, sizeof(opts) - 32);
    if (strcmp(fs, "iso9660") == 0) {
        flags |= MS_RDONLY;
    } else if (strncmp(fs, "ext", 3) == 0) {
        /*
         * Append errors=continue when the options ask for errors=panic or do
         * not mention errors=remount-ro.
         */
        if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
            strcat(opts, ",errors=continue");
    } else if (strcmp(fs, "xfs") == 0) {
        strcat(opts, ",nouuid");
    }
    res = mount(source, target, fs, flags, opts);
    if (res == -1) {
        err = errno;
        goto error_clear_loop;
    }
    res = open(target, O_RDONLY | O_DIRECTORY);
    if (res == -1) {
        err = errno;
    }
error_clear_loop:
    /* Shared exit path: detach and close the loop device on success and failure. */
    if (need_loop_device) {
        ioctl(loopfd, LOOP_CLR_FD, 0);
        close(loopfd);
        close(memfd);
    }
    errno = err;
    return res;
}

/* Stub in this build: ignores all eight arguments and returns 0. */
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
    return 0;
}

/* Mount fusectl at /sys/fs/fuse/connections; a failure is ignored. */
static void setup_common()
{
    if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
    }
}

static void loop();

/*
 * Common sandbox setup for the test process: tie its lifetime to the parent,
 * start a new session, keep a descriptor for the initial network namespace at
 * kInitNetNsFd, apply resource limits, unshare several namespaces and write a
 * fixed set of SysV IPC sysctls.
 * The setrlimit() results and the unshare()/mount() failures are ignored;
 * only the namespace-descriptor setup is fatal.
 */
static void sandbox_common()
{
    /* Kill this process if the parent dies. */
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setsid();
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        exit(1);
    if (dup2(netns, kInitNetNsFd) < 0)
        exit(1);
    close(netns);
    struct rlimit rlim;
    /* Address space: 200 MiB. */
    rlim.rlim_cur = rlim.rlim_max = (200 << 20);
    setrlimit(RLIMIT_AS, &rlim);
    /* Locked memory: 32 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 32 << 20;
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    /* File size: 136 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 136 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    /* Stack: 1 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    /* No core dumps. */
    rlim.rlim_cur = rlim.rlim_max = 0;
    setrlimit(RLIMIT_CORE, &rlim);
    /* At most 256 open descriptors. */
    rlim.rlim_cur = rlim.rlim_max = 256;
    setrlimit(RLIMIT_NOFILE, &rlim);
    if (unshare(CLONE_NEWNS)) {
    }
    /* Make every mount private so changes do not propagate out of this namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
    }
    if (unshare(CLONE_NEWIPC)) {
    }
    /* 0x02000000 is the value of CLONE_NEWCGROUP, spelled numerically here. */
    if (unshare(0x02000000)) {
    }
    if (unshare(CLONE_NEWUTS)) {
    }
    if (unshare(CLONE_SYSVSEM)) {
    }
    typedef struct {
        const char* name;
        const char* value;
    } sysctl_t;
    static const sysctl_t sysctls[] = {
        {"/proc/sys/kernel/shmmax", "16777216"},
        {"/proc/sys/kernel/shmall", "536870912"},
        {"/proc/sys/kernel/shmmni", "1024"},
        {"/proc/sys/kernel/msgmax", "8192"},
        {"/proc/sys/kernel/msgmni", "1024"},
        {"/proc/sys/kernel/msgmnb", "1024"},
        {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
    };
    unsigned i;
    /* write_file()'s result is not checked here. */
    for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
        write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Reap children until `pid` is collected and return its exit status.
 * Exits with status 1 when `pid` is negative (the fork failed).
 */
static int wait_for_loop(int pid)
{
    if (pid < 0)
        exit(1);
    int status = 0;
    while (waitpid(-1, &status, __WALL) != pid) {
    }
    return WEXITSTATUS(status);
}

static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, 
&cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); }

/*
 * "none" sandbox entry point: fork a child that performs the common setup,
 * drops the selected capabilities, tries to enter a fresh network namespace
 * and runs loop(). The parent waits and returns the child's exit status.
 * Failures of the two unshare() calls are ignored.
 */
static int do_sandbox_none(void)
{
    if (unshare(CLONE_NEWPID)) {
    }
    int pid = fork();
    if (pid != 0)
        return wait_for_loop(pid);
    setup_common();
    sandbox_common();
    drop_caps();
    if (unshare(CLONE_NEWNET)) {
    }
    loop();
    /* Reached only if loop() returns. */
    exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete `dir`, detaching any mounts found on the way.
 * Entries are examined with lstat(), so symbolic links are unlinked rather
 * than followed. On EPERM the inode flags are cleared with FS_IOC_SETFLAGS
 * and the removal is retried; EROFS is tolerated. Any other unrecoverable
 * error terminates the process with exit(1).
 */
static void remove_dir(const char* dir)
{
    int iter = 0;
    DIR* dp = 0;
retry:
    /* Detach everything stacked on this directory. */
    while (umount2(dir, MNT_DETACH) == 0) {
    }
    dp = opendir(dir);
    if (dp == NULL) {
        /* Both branches exit; EMFILE is singled out but handled the same way. */
        if (errno == EMFILE) {
            exit(1);
        }
        exit(1);
    }
    struct dirent* ep = 0;
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        while (umount2(filename, MNT_DETACH) == 0) {
        }
        struct stat st;
        if (lstat(filename, &st))
            exit(1);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        int i;
        for (i = 0;; i++) {
            if (unlink(filename) == 0)
                break;
            if (errno == EPERM) {
                /* Clear inode flags that may block the unlink, then retry. */
                int fd = open(filename, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (errno == EROFS) {
                break;
            }
            /* Only EBUSY is retried, and only for about 100 attempts. */
            if (errno != EBUSY || i > 100)
                exit(1);
            if (umount2(filename, MNT_DETACH))
                exit(1);
        }
    }
    closedir(dp);
    for (int i = 0;; i++) {
        if (rmdir(dir) == 0)
            break;
        if (i < 100) {
            if (errno == EPERM) {
                int fd = open(dir, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (errno == EROFS) {
                break;
            }
            if (errno == EBUSY) {
                if (umount2(dir, MNT_DETACH))
                    exit(1);
                continue;
            }
            if (errno == ENOTEMPTY) {
                /* New entries appeared: rescan the directory, at most 100 times. */
                if (iter < 100) {
                    iter++;
                    goto retry;
                }
            }
        }
        exit(1);
    }
}

/*
 * Write `nth` to /proc/thread-self/fail-nth and return the still-open
 * descriptor; the caller owns it. Exits on any failure.
 */
static int inject_fault(int nth)
{
    int fd;
    fd = open("/proc/thread-self/fail-nth", O_RDWR);
    if (fd == -1)
        exit(1);
    char buf[16];
    sprintf(buf, "%d", nth);
    if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
        exit(1);
    return fd;
}

/*
 * Kill the process group and process `pid` with SIGKILL and reap it.
 * Polls for about 100 ms first; if the child has not exited, writes to the
 * abort file of every entry under /sys/fs/fuse/connections and then blocks
 * until the child is collected.
 */
static void kill_and_wait(int pid, int* status)
{
    kill(-pid, SIGKILL);
    kill(pid, SIGKILL);
    for (int i = 0; i < 100; i++) {
        if (waitpid(-1, status, WNOHANG | __WALL) == pid)
            return;
        usleep(1000);
    }
    DIR* dir = opendir("/sys/fs/fuse/connections");
    if (dir) {
        for (;;) {
            struct dirent* ent = readdir(dir);
            if (!ent)
                break;
            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
                continue;
            /* Local buffer named `abort`; it shadows the libc function in this scope. */
            char abort[300];
            snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
            int fd = open(abort, O_WRONLY);
            if (fd == -1) {
                continue;
            }
            /* A single byte is written (the first byte of the path buffer). */
            if (write(fd, abort, 1) < 0) {
            }
            close(fd);
        }
        closedir(dir);
    } else {
    }
    while (waitpid(-1, status, __WALL) != pid) {
    }
}

/* Detach whatever is bound to /dev/loop<procid>; errors are ignored. */
static void reset_loop()
{
    char buf[64];
    snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
    int loopfd = open(buf, O_RDWR);
    if (loopfd != -1) {
        ioctl(loopfd, LOOP_CLR_FD, 0);
        close(loopfd);
    }
}

/*
 * Per-test child setup: die with the parent, become a process-group leader
 * and write 1000 to /proc/self/oom_score_adj.
 */
static void setup_test()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    write_file("/proc/self/oom_score_adj", "1000");
}

/*
 * Write the fault-injection debugfs settings listed below. Only a failure on
 * an entry marked `fatal` terminates the process.
 */
static void setup_fault()
{
    static struct {
        const char* file;
        const char* val;
        bool fatal;
    } files[] = {
        {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
        {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
    };
    unsigned i;
    for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
        if (!write_file(files[i].file, files[i].val)) {
            if (files[i].fatal)
                exit(1);
        }
    }
}

#define FUSE_MIN_READ_BUFFER 8192
enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 
17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, };

/* Header at the start of every request read from the FUSE descriptor. */
struct fuse_in_header {
    uint32_t len;
    uint32_t opcode;
    uint64_t unique;
    uint64_t nodeid;
    uint32_t uid;
    uint32_t gid;
    uint32_t pid;
    uint32_t padding;
};

/* Header at the start of every reply written to the FUSE descriptor. */
struct fuse_out_header {
    uint32_t len;
    uint32_t error;
    uint64_t unique;
};

/*
 * Caller-supplied table of prepared replies, one per reply kind. Any entry
 * may be NULL, in which case the matching request is not answered.
 */
struct syz_fuse_req_out {
    struct fuse_out_header* init;
    struct fuse_out_header* lseek;
    struct fuse_out_header* bmap;
    struct fuse_out_header* poll;
    struct fuse_out_header* getxattr;
    struct fuse_out_header* lk;
    struct fuse_out_header* statfs;
    struct fuse_out_header* write;
    struct fuse_out_header* read;
    struct fuse_out_header* open;
    struct fuse_out_header* attr;
    struct fuse_out_header* entry;
    struct fuse_out_header* dirent;
    struct fuse_out_header* direntplus;
    struct fuse_out_header* create_open;
    struct fuse_out_header* ioctl;
};

/*
 * Stamp the request's `unique` id onto `out_hdr` and write out_hdr->len bytes
 * of it to `fd`. Returns 0 on success, -1 if `out_hdr` is NULL or the write
 * fails.
 * The length is taken from the reply buffer itself and is not checked against
 * the size of the memory behind `out_hdr`; the buffer comes from the test
 * program, so an over-long `len` reads past the prepared reply.
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
    if (!out_hdr) {
        return -1;
    }
    out_hdr->unique = in_hdr->unique;
    if (write(fd, out_hdr, out_hdr->len) == -1) {
        return -1;
    }
    return 0;
}

/*
 * Pseudo-syscall: read one FUSE request from descriptor `a0` into the buffer
 * at `a1` (length `a2`, at least FUSE_MIN_READ_BUFFER) and answer it with the
 * prepared reply selected from the table at `a3` by opcode.
 * Returns 0 when a reply was sent or the request needs none (FORGET and
 * BATCH_FORGET), -1 on a bad argument, short or inconsistent request, unknown
 * opcode, missing reply or write failure.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
    struct fuse_out_header* out_hdr = NULL;
    char* buf = (char*)a1;
    int buf_len = (int)a2;
    int fd = (int)a0;
    if (!req_out) {
        return -1;
    }
    if (buf_len < FUSE_MIN_READ_BUFFER) {
        return -1;
    }
    int ret = read(fd, buf, buf_len);
    if (ret == -1) {
        return -1;
    }
    /* The request must contain at least a full header ... */
    if ((size_t)ret < sizeof(struct fuse_in_header)) {
        return -1;
    }
    const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
    /* ... and must not claim more bytes than were actually read. */
    if (in_hdr->len > (uint32_t)ret) {
        return -1;
    }
    switch (in_hdr->opcode) {
    case FUSE_GETATTR:
    case FUSE_SETATTR:
        out_hdr = req_out->attr;
        break;
    case FUSE_LOOKUP:
    case FUSE_SYMLINK:
    case FUSE_LINK:
    case FUSE_MKNOD:
    case FUSE_MKDIR:
        out_hdr = req_out->entry;
        break;
    case FUSE_OPEN:
    case FUSE_OPENDIR:
        out_hdr = req_out->open;
        break;
    case FUSE_STATFS:
        out_hdr = req_out->statfs;
        break;
    case FUSE_RMDIR:
    case FUSE_RENAME:
    case FUSE_RENAME2:
    case FUSE_FALLOCATE:
    case FUSE_SETXATTR:
    case FUSE_REMOVEXATTR:
    case FUSE_FSYNCDIR:
    case FUSE_FSYNC:
    case FUSE_SETLKW:
    case FUSE_SETLK:
    case FUSE_ACCESS:
    case FUSE_FLUSH:
    case FUSE_RELEASE:
    case FUSE_RELEASEDIR:
    case FUSE_UNLINK:
    case FUSE_DESTROY:
        /*
         * These requests get a header-only reply: the init buffer is reused
         * and its length is forced to the bare header size.
         */
        out_hdr = req_out->init;
        if (!out_hdr) {
            return -1;
        }
        out_hdr->len = sizeof(struct fuse_out_header);
        break;
    case FUSE_READ:
        out_hdr = req_out->read;
        break;
    case FUSE_READDIR:
        out_hdr = req_out->dirent;
        break;
    case FUSE_READDIRPLUS:
        out_hdr = req_out->direntplus;
        break;
    case FUSE_INIT:
        out_hdr = req_out->init;
        break;
    case FUSE_LSEEK:
        out_hdr = req_out->lseek;
        break;
    case FUSE_GETLK:
        out_hdr = req_out->lk;
        break;
    case FUSE_BMAP:
        out_hdr = req_out->bmap;
        break;
    case FUSE_POLL:
        out_hdr = req_out->poll;
        break;
    case FUSE_GETXATTR:
    case FUSE_LISTXATTR:
        out_hdr = req_out->getxattr;
        break;
    case FUSE_WRITE:
    case FUSE_COPY_FILE_RANGE:
        out_hdr = req_out->write;
        break;
    case FUSE_FORGET:
    case FUSE_BATCH_FORGET:
        /* No reply is sent for these opcodes. */
        return 0;
    case FUSE_CREATE:
        out_hdr = req_out->create_open;
        break;
    case FUSE_IOCTL:
        out_hdr = req_out->ioctl;
        break;
    default:
        return -1;
    }
    return fuse_send_response(fd, in_hdr, out_hdr);
}

#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
#define 
WIFI_MAX_INJECT_LEN 2048

/*
 * Send HWSIM_CMD_REGISTER on `sock` for the generic-netlink family
 * `hwsim_family`. Returns the result of netlink_send().
 */
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
    struct genlmsghdr genlhdr;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_REGISTER;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    int err = netlink_send(nlmsg, sock);
    if (err < 0) {
    }
    return err;
}

/*
 * Send a HWSIM_CMD_FRAME message carrying `len` bytes of `data` addressed to
 * receiver `mac_addr` (ETH_ALEN bytes), with the default RX rate and signal.
 * `len` is not validated here; the caller bounds it.
 * Returns the result of netlink_send().
 */
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
    struct genlmsghdr genlhdr;
    uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
    uint32_t signal = WIFI_DEFAULT_SIGNAL;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_FRAME;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
    netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
    netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
    netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
    int err = netlink_send(nlmsg, sock);
    if (err < 0) {
    }
    return err;
}

/*
 * Pseudo-syscall: inject the 802.11 frame at `a1` (`a2` bytes, at most
 * WIFI_MAX_INJECT_LEN) towards the receiver MAC at `a0` through the
 * MAC80211_HWSIM generic-netlink family. Returns 0 on success, -1 otherwise.
 */
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
    uint8_t* mac_addr = (uint8_t*)a0;
    uint8_t* buf = (uint8_t*)a1;
    int buf_len = (int)a2;
    struct nlmsg tmp_msg;
    /* Reject negative and over-long frames before touching the socket. */
    if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
        return -1;
    }
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (sock < 0) {
        return -1;
    }
    /* NOTE(review): the family id is used unchecked -- presumably the helper does not return on failure when its last argument is true; confirm. */
    int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
    int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
    if (ret < 0) {
        close(sock);
        return -1;
    }
    ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    return 0;
}

#define WIFI_MAX_SSID_LEN 32
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

/*
 * Pseudo-syscall: make interface `a0` join an IBSS with the SSID at `a1`
 * (`a2` bytes, at most WIFI_MAX_SSID_LEN) using join mode `a3`
 * (one of the WIFI_JOIN_IBSS_* values). In NO_SCAN mode it also waits for the
 * interface to reach IF_OPER_UP. Returns 0 on success, -1 otherwise.
 */
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    char* interface = (char*)a0;
    uint8_t* ssid = (uint8_t*)a1;
    int ssid_len = (int)a2;
    int mode = (int)a3;
    struct nlmsg tmp_msg;
    uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
    if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
        return -1;
    }
    if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
        return -1;
    }
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (sock < 0) {
        return -1;
    }
    int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
    /* The frequency is fixed for both *_NO_SCAN modes. */
    struct join_ibss_props ibss_props = {
        .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len};
    int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
        ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
        if (ret < 0) {
            return -1;
        }
    }
    return 0;
}

/*
 * Pseudo-syscall: treat `text` as the address of a function taking no
 * arguments and call it. The bytes at that address are supplied by the test
 * program, so this executes arbitrary machine code inside the test process;
 * run such reproducers only in a disposable test environment.
 */
static long syz_execute_func(volatile long text)
{
    ((void (*)(void))(text))();
    return 0;
}

/* State of one worker thread: the call index to run and its ready/done events. */
struct thread_t {
    int created, call;
    event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing; updated with relaxed atomics. */
static int running;

/*
 * Worker thread body: wait for `ready`, run the assigned call, decrement
 * `running` and signal `done`; repeats forever.
 */
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    return 0;
}

static void execute_one(void) { int i, call, thread; for (call = 0; call < 53; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 38 ? 
50 : 0) + (call == 43 ? 3000 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 300 : 0) + (call == 46 ? 3000 : 0) + (call == 47 ? 300 : 0) + (call == 48 ? 3000 : 0) + (call == 49 ? 300 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); }

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Run the program 10 times. Each iteration creates a fresh working directory
 * "./<iter>", resets the loop device, forks a child that runs execute_one()
 * inside that directory, waits for it and removes the directory afterwards.
 * A child still running after 5000 ms is killed with kill_and_wait().
 * Exits with status 1 if mkdir() or fork() fails.
 */
static void loop(void)
{
    int iter = 0;
    for (; iter < 10; iter++) {
        char cwdbuf[32];
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        reset_loop();
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            /* Child: confine relative paths to the per-iteration directory. */
            if (chdir(cwdbuf))
                exit(1);
            setup_test();
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5000)
                continue;
            /* Timeout reached: force the child down and reap it. */
            kill_and_wait(pid, &status);
            break;
        }
        remove_dir(cwdbuf);
    }
}

/* Fallback syscall numbers, used only when the headers do not define them. */
#ifndef __NR_dup
#define __NR_dup 41
#endif
#ifndef __NR_fcntl
#define __NR_fcntl 55
#endif
#ifndef __NR_getgid
#define __NR_getgid 47
#endif
#ifndef __NR_getresuid
#define __NR_getresuid 165
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_lstat
#define __NR_lstat 107
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_read
#define __NR_read 3
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_statx
#define __NR_statx 383
#endif
/* Redirect mmap to the mmap2 syscall number. */
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

/* Resource slots shared between calls; each entry starts at its initial value below. */
uint64_t r[26] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: 
*(uint32_t*)0x20000000 = -1; inject_fault(1); res = syscall(__NR_ioctl, -1, 0x89e2, 0x20000000); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0xe6; memcpy((void*)0x20000048, "\xf1\x37\x16\x1a\xb8\x6c\x59\x42\x02\xb9\x97\xd9\xf1\x2d\x00\x70\x21\x87\x03\x22\xc8\xd9\x09\x74\x84\x09\x95\x1a\xe9\x80\x0c\x1e\x20\x7f\x98\xb7\x69\xc7\x40\xf8\x67\xea\x14\xbb\xf8\x66\x6a\x4f\x98\xd2\x29\xaa\xaf\xbc\x33\xc6\xc5\x21\x68\xdb\x89\x33\xc4\xa4\xa4\xa3\xdd\x3c\xe0\xcc\xea\x96\xe7\x1d\x81\xff\x4a\xca\x83\x31\xcb\x01\xbf\x35\x43\x38\x53\xd1\xab\xd4\x8f\xd6\xd0\xce\x13\x14\xdf\x65\x07\xba\xe5\x35\xa2\xb4\xe3\xea\xa7\x4c\x5d\x23\x00\x65\x94\x14\x8a\x0f\xe5\xb4\xa8\x84\xef\x8f\x41\x34\x6e\x49\xcc\x90\x47\x4c\xb1\x7b\xac\x30\x1d\x47\x97\xed\x05\xdf\xc6\xcc\xb7\x4b\xeb\xaa\xbe\x54\x91\x72\xd6\x22\xa3\x06\x05\xa4\xe4\x9f\xd3\xf8\x53\x7d\xe5\x27\x2c\x33\xad\x4f\x07\xcd\x06\x05\x77\xbc\xe6\x5e\x5c\x80\xa3\x41\x68\xcd\xe6\x81\x17\xe4\xf9\x00\xe3\x5a\x3d\x88\x8e\x02\xee\x11\x17\x52\x21\x3b\x40\xd2\xaf\x25\x8c\x01\xf3\x6d\xe5\x0c\xe8\xe8\x3d\x42\x26\xa3\x0d\x6a\x4c\xc4\x3a\x88\x3f\x6c\x20\xe3\xfa\xda\x8a\xd2", 230); *(uint32_t*)0x20000140 = 0xee; res = syscall(__NR_getsockopt, -1, 0x84, 0x1a, 0x20000040, 0x20000140); if (res != -1) r[1] = *(uint32_t*)0x20000040; break; case 2: *(uint32_t*)0x20000180 = r[1]; *(uint16_t*)0x20000184 = 0xa; *(uint16_t*)0x20000186 = htobe16(0x4e22); *(uint32_t*)0x20000188 = htobe32(3); *(uint8_t*)0x2000018c = 0xfc; *(uint8_t*)0x2000018d = 2; memset((void*)0x2000018e, 0, 13); *(uint8_t*)0x2000019b = 0; *(uint32_t*)0x2000019c = 1; *(uint64_t*)0x20000204 = 0x7fffffff; *(uint64_t*)0x2000020c = 1; *(uint64_t*)0x20000214 = 0x7fff; *(uint64_t*)0x2000021c = 4; *(uint64_t*)0x20000224 = 7; *(uint64_t*)0x2000022c = 1; *(uint64_t*)0x20000234 = 0x3ff; *(uint64_t*)0x2000023c = 0x40; *(uint64_t*)0x20000244 = 5; *(uint64_t*)0x2000024c = 1; *(uint64_t*)0x20000254 = 0; *(uint64_t*)0x2000025c = 7; 
*(uint64_t*)0x20000264 = 0; *(uint64_t*)0x2000026c = 8; *(uint64_t*)0x20000274 = 0x1f; *(uint32_t*)0x20000280 = 0xfc; res = syscall(__NR_getsockopt, (intptr_t)r[0], 0x84, 0x70, 0x20000180, 0x20000280); if (res != -1) r[2] = *(uint32_t*)0x20000180; break; case 3: *(uint32_t*)0x200002c0 = r[2]; *(uint16_t*)0x200002c4 = 0xa; *(uint16_t*)0x200002c6 = htobe16(0x4e20); *(uint32_t*)0x200002c8 = htobe32(9); *(uint8_t*)0x200002cc = 0xfc; *(uint8_t*)0x200002cd = 2; memset((void*)0x200002ce, 0, 13); *(uint8_t*)0x200002db = 1; *(uint32_t*)0x200002dc = 3; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 6, 0x200002c0, 0x84); break; case 4: memcpy((void*)0x20000380, "/dev/pktcdvd/control\000", 21); res = syscall(__NR_openat, 0xffffff9c, 0x20000380, 0, 0); if (res != -1) r[3] = res; break; case 5: syscall(__NR_ioctl, (intptr_t)r[3], 0x7c80, 0); break; case 6: *(uint32_t*)0x200003c0 = r[1]; *(uint16_t*)0x200003c4 = 0xa; *(uint16_t*)0x200003c6 = htobe16(0x4e23); *(uint32_t*)0x200003c8 = htobe32(0x7f); *(uint8_t*)0x200003cc = 0xfc; *(uint8_t*)0x200003cd = 0; memset((void*)0x200003ce, 0, 13); *(uint8_t*)0x200003db = 0; *(uint32_t*)0x200003dc = 5; *(uint16_t*)0x20000444 = 5; *(uint16_t*)0x20000446 = 0x476f; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 0x1f, 0x200003c0, 0x88); break; case 7: *(uint32_t*)0x20000500 = 1; *(uint32_t*)0x20000504 = 2; *(uint64_t*)0x20000508 = 0x20000480; *(uint32_t*)0x20000480 = 0; *(uint64_t*)0x20000510 = 0x200004c0; *(uint32_t*)0x20000518 = 4; *(uint32_t*)0x2000051c = 8; res = syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000500); if (res != -1) r[4] = *(uint32_t*)0x200004c0; break; case 8: *(uint32_t*)0x200005c0 = 0x8a; *(uint32_t*)0x200005c4 = 7; *(uint64_t*)0x200005c8 = 0x20000540; *(uint32_t*)0x20000540 = r[4]; *(uint32_t*)0x20000544 = 0x400; *(uint64_t*)0x20000548 = 0; *(uint64_t*)0x200005d0 = 0x20000580; *(uint32_t*)0x200005d8 = 0x10; *(uint32_t*)0x200005dc = 0xc; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x200005c0); break; case 9: 
*(uint32_t*)0x20000680 = 0x83; *(uint32_t*)0x20000684 = 2; *(uint64_t*)0x20000688 = 0x20000600; *(uint32_t*)0x20000600 = r[4]; *(uint64_t*)0x20000690 = 0x20000640; *(uint32_t*)0x20000698 = 4; *(uint32_t*)0x2000069c = 4; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000680); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 0x240, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); memset((void*)0x20000044, 255, 6); *(uint8_t*)0x2000004a = 8; *(uint8_t*)0x2000004b = 2; *(uint8_t*)0x2000004c = 0x11; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; memcpy((void*)0x20000050, "\x20\x15\xd2\x29\x78\x5b", 6); STORE_BY_BITMASK(uint16_t, , 0x20000056, 8, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0, 4, 12); *(uint16_t*)0x20000058 = 0x27; *(uint8_t*)0x2000005a = 0x8c; *(uint8_t*)0x2000005b = 0x18; *(uint16_t*)0x2000005c = 0xc93; memcpy((void*)0x2000005e, "\xff\xe3\x24\x0f\x04\x84", 6); memcpy((void*)0x20000064, "\x06\x7e\xcc\x39\xa7\x8a\x3e\xa4\x7c\x22\x24\x6d\x39\x1b\x92\xc4", 16); syz_80211_inject_frame(0x20000000, 0x20000040, 0x34); break; case 11: memcpy((void*)0x20000080, "wlan1\000", 6); memset((void*)0x200000c0, 1, 6); syz_80211_join_ibss(0x20000080, 0x200000c0, 6, 2); break; case 12: 
memcpy((void*)0x20000100, "bpf_lsm_xfrm_policy_alloc_security\000", 35); syz_btf_id_by_name(0x20000100); break; case 13: memcpy((void*)0x20000340, "\xc4\xc1\x7d\x6f\x70\x72\xc4\xe1\xf9\x11\x2f\xc4\xe3\xc9\x5d\x33\xab\xc4\xc2\x79\x0e\xb0\x00\x00\x00\x00\xc4\xe1\x7a\x12\xb7\x0c\x00\x00\x00\x0f\x01\x56\xe9\xc4\xe1\x0d\xd5\x5e\x0c\xf3\x0f\x52\x6b\x00\x0f\x7e\x20\xc4\xc1\x79\xe7\x02", 58); syz_execute_func(0x20000340); break; case 14: res = syscall(__NR_dup, -1); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_fcntl, -1, 9, 0); if (res != -1) r[6] = res; break; case 16: memcpy((void*)0x200026c0, "./file0\000", 8); res = syscall(__NR_lstat, 0x200026c0, 0x20002700); if (res != -1) r[7] = *(uint32_t*)0x20002710; break; case 17: res = syscall(__NR_getresuid, 0x20002800, 0x20002840, 0x20002880); if (res != -1) { r[8] = *(uint32_t*)0x20002800; r[9] = *(uint32_t*)0x20002880; } break; case 18: res = syscall(__NR_read, -1, 0x20002ac0, 0x2020); if (res != -1) r[10] = *(uint32_t*)0x20002ad0; break; case 19: memcpy((void*)0x20004b00, "./file0\000", 8); res = syscall(__NR_statx, -1, 0x20004b00, 0x2000, 0x20, 0x20004b40); if (res != -1) r[11] = *(uint32_t*)0x20004b58; break; case 20: *(uint32_t*)0x20004e00 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004d00, 0x20004e00); if (res != -1) r[12] = *(uint32_t*)0x20004d34; break; case 21: res = syscall(__NR_getgid); if (res != -1) r[13] = res; break; case 22: memcpy((void*)0x200003c0, 
"\x23\x58\x10\x53\x7c\x7f\x88\x6c\xa9\x17\x21\x04\x5f\xf7\xba\xdf\xae\x44\x29\xb2\x52\xcd\x65\x81\x72\xc1\xd0\xd4\x18\xed\x70\x05\x74\x39\xfc\x22\xff\xc7\x7b\x29\x08\x5c\x94\x88\xff\x93\x40\xf8\xa2\xad\xe9\x9b\xf9\xaf\x14\xa3\x57\x25\x7b\x8a\xa6\x9b\x4b\x8e\xff\xe7\xaf\xd6\x87\x6b\x3b\x51\x2b\x86\xfa\x1d\xff\x55\x5c\x6d\xc6\x18\x62\x66\xc9\x1f\xa2\x81\xc9\xdc\x72\xee\x17\xea\xd0\xe2\xa3\xfe\x9f\xf0\x3e\x7c\x32\xd2\x7e\x26\x7f\x5b\xe0\xfd\x6d\x1f\x9e\xfc\x02\xaf\x7f\xe9\xd6\x8d\x75\x55\x19\x20\x1d\xea\x7a\xbe\x68\x10\x53\xab\x98\xf7\x3f\xc0\xc6\xa0\x68\x4e\x91\xb7\x41\xc8\xc9\x45\x1f\x94\x59\xb5\x98\xee\x6f\x4e\xc0\xc9\x1f\x3e\x91\x7a\xf1\xe6\x64\x6f\x3c\x54\xf8\xfa\xf0\x48\x7d\x8e\xcc\xf0\x87\xe2\x8f\x87\x68\xf4\x8a\xe1\x5d\x09\x89\x04\xb3\x25\x42\x85\x70\x2e\x30\x8a\x93\x7d\x5e\x23\xa2\xae\xf3\xc2\x53\x12\x51\x6c\x50\x2d\x5e\x02\x33\x06\x52\x29\xee\x4a\x70\xdb\xc4\x14\x60\x4b\x7f\x05\x5e\xb7\xa2\x72\x48\x03\xe8\x5e\x5b\x4c\xd0\x5a\xf7\x11\xed\x73\x0f\xce\xb8\x1b\xca\xe1\x7a\x49\x67\xaa\x6c\xcf\xf3\xc0\xf4\x96\x6b\x7f\xf3\xd1\x5f\x09\x3e\x94\xeb\x0a\x46\xb7\x0c\x0f\xa5\xb8\x62\x8c\xac\x3c\x31\x01\x9b\xba\x60\x02\x41\x6f\xc6\x66\x1d\x85\x8f\xff\x16\xa9\x62\x15\xb1\xd1\x8a\x87\x7d\x9a\x53\x4a\xc4\x02\x56\xa3\x55\x79\x31\xad\xe2\x7f\x58\x7c\xce\x26\xa2\x0c\x01\x3d\xc6\x7f\x2e\x92\x2a\x52\x68\x9a\xae\xfa\x1b\x06\x4d\x03\xf8\xf6\xa3\x9f\x96\xb0\xde\x1d\x21\x39\x4c\xb6\xc2\x30\x10\xeb\x9e\x4a\x79\x41\x47\x35\xed\x99\x65\x42\x5f\x8a\x01\x00\x84\x96\xdb\xad\x04\x97\xfa\x0d\x65\xac\xec\x59\xff\xa6\xa2\x80\xbc\x58\xe2\xd8\x87\xa1\x0e\x96\x65\xea\xeb\x97\x43\x6e\xbd\xeb\x2b\x58\xa9\xae\x40\xe4\x49\x27\x32\x46\xfd\x99\x67\x53\x9f\x21\x2e\xd8\x96\x9b\x6f\x9a\x49\xd6\x5b\xca\xd2\xdd\x9d\x8e\xe4\x2e\x32\x05\x74\x11\x17\xe4\x31\xd4\x43\xff\x3e\x94\xc4\x7e\x7f\xd6\x27\xd3\x05\x11\xd5\xfb\xce\xc6\xa7\x58\x38\x3d\x31\x36\x7a\xca\x8e\x3a\xf7\x72\xa1\x02\x11\x05\xab\x2c\x1b\x4a\xa7\x61\x4d\xea\x8c\xfa\x4b\x06\xf5\x3a\xf3\x73\x77\x98\x62\xc9\xbd\xb7\x6e\xf9\x3c\x74\x61\x8e\xee\x73\x47\xa
0\x74\xd4\xf7\x1a\x98\x23\x3b\x24\xb2\xa2\x57\x29\xc9\xa1\x98\x3d\x81\x9c\x3f\x42\xd3\x28\xd0\x8f\x0d\x4d\xd1\x64\x2f\x61\xb6\x2a\x89\xfc\x30\x0f\x50\x66\xd8\xe4\x57\xf5\xfd\x49\xda\xa7\x9e\x1b\x1d\x43\xd2\x6f\x89\xf2\xca\x99\x04\x50\xe8\x60\xbc\xc4\x7d\x5c\xf4\x77\x8c\x37\xc4\x51\xed\x22\xd6\x0f\xe2\xbc\xfa\x2c\xaf\xf7\x5c\x41\x70\x99\x0a\x2e\x8e\x21\x87\x19\x7f\x86\x38\xb0\x67\x85\x4c\xcf\x9d\xbe\x91\x58\x6d\xd4\x23\x41\x40\x1c\x4f\xb4\xf3\x13\x30\x66\x8a\xcb\x51\x6e\xba\x22\x27\xcb\xca\x4c\x8f\xa2\xf3\x9a\x03\x52\x1b\xd8\x03\x2f\x5e\x1a\xed\xf4\x9c\x50\xe6\x01\xb9\xfa\xd4\xe0\xd6\xf5\xb5\x93\x2e\xa2\x14\xfd\x50\x84\x85\x70\x3d\x08\x45\x79\x8d\x43\xbd\xbf\xf9\x63\x86\x77\xe6\xa9\x96\xef\xbb\xd1\x93\x6e\x97\x28\x20\x62\x70\x9f\x77\x8b\x45\x5c\xb4\xd2\x00\x13\xf5\xfe\x4c\x9b\xba\x0f\x7c\xfc\x18\x02\xe8\x18\x0f\xb6\xd4\x6f\x51\x76\xd1\xbd\xbb\x43\xd9\x60\xd4\x94\xf3\xa3\x0e\xd7\xab\x4d\xb0\x7d\xe5\xad\x92\x4b\x57\x97\xb5\x09\xf9\x60\x83\xf4\xad\xa9\xfc\xeb\xed\xe1\xeb\x0f\xb0\xdf\xa2\xcd\xc2\x14\x4b\x15\xcf\x4c\x28\x0f\x87\xd1\x18\x7e\x80\x8e\x37\xcd\xef\x53\x75\x52\xe3\x83\xf4\x6c\xcf\xe8\x62\x15\xb2\x07\x15\x39\x85\xe6\xb1\x31\x96\x22\x1f\xde\xa6\xc9\x47\x86\x4d\x12\x14\x7d\x7b\x01\xef\xc3\xdf\x14\x4e\x2c\xaa\x24\xd1\xa4\x78\x2a\x51\xa8\x23\x5c\x4c\x0e\xad\xf0\x44\x0c\x8e\x43\x4a\x4d\x07\x2b\xe5\x84\x55\x47\x17\x5f\x37\xc5\x5f\xdd\xd5\xe7\x84\x95\xac\xe4\x34\xc4\x83\xf2\x8b\xb3\x48\x7a\xd8\xd6\x8b\xd7\x43\x77\xfd\x82\xe1\x7b\xaf\xeb\x06\x2b\x81\xc6\x8e\x8a\x63\x89\xc8\xd8\x10\x79\xe4\xc9\xfa\xa2\xa8\xfc\xf1\x24\x15\xcc\x21\xeb\xcd\x92\xde\x80\x88\x45\x50\x59\x4c\xa6\x4b\x56\xb0\xb4\x24\xa6\x5f\x80\xca\xb1\x64\xb2\xf6\xf2\xf3\x3c\x7a\xea\xa8\xb6\x60\x2e\x71\x83\xb9\xd0\xae\x15\x3a\x17\x03\xb3\x03\x67\x5a\xae\x13\x3b\x3d\xd9\xc6\x46\x67\x7f\x6d\x8a\x49\x2d\xa0\x99\xef\xb4\xa7\xe4\xde\xe3\x92\x81\x8a\x15\xd6\xbf\x9e\xfb\x07\xee\xad\x5b\x40\xac\x25\xbb\x0f\x00\x92\xf4\xb0\xec\xaf\x0a\xc3\x39\x1b\x3e\xcf\xd0\x63\x5e\xc4\x96\xb8\xb6\x6d\x7a\x45\x1c\x6d\x10\x37\x9c\x15\x2
9\x1c\x4f\x36\x82\xf0\x5f\xb7\x39\x44\xcd\x1b\xe0\xf0\xfa\x85\x54\x35\x8b\x30\xde\xb7\x38\x69\x31\xae\x95\xeb\x2a\x16\xfa\xed\x24\x5f\xfc\xad\xb3\x94\xac\xdf\x06\x38\xa6\x26\x27\x82\x33\x01\x93\x66\xe2\xec\xd9\xdb\x1a\x4b\x5a\xe2\x7f\xf8\x3d\x7b\x57\x1c\xd7\xff\xc1\x51\xdc\x4d\x0c\xef\x1d\x03\x00\xc9\x8a\x41\x69\x77\x51\x85\x1f\x8e\x05\x24\x9c\xae\x19\x96\x3f\x81\x25\x89\xa7\xd6\x4c\xfa\xb8\x46\x43\x9f\x47\x13\x43\xba\x5e\xff\xac\x9a\x57\xf7\x6d\x0a\xbf\xb9\x5e\x87\x8b\xee\x4c\x94\x24\xf0\xca\x17\x18\x19\x5e\xff\x14\x06\x0a\xcf\xb3\xe0\xdf\x4c\xbc\x56\x0b\xc2\xbe\x9a\xb4\xf0\xa0\xbd\x68\x6f\xe2\x13\xd4\x49\x47\x17\x0e\x68\xe7\x3b\xaa\xdd\x98\x2c\xe2\xd1\x70\xa5\x0d\x1e\xca\x02\x40\xcd\x3c\xec\xe9\xf7\x4d\xa3\xa1\xc1\x47\x6f\xf1\x1f\xa3\x34\xd7\x2c\x18\x50\x6b\x5c\x00\xa4\x41\xea\x2e\x9c\x72\xc7\x6b\x38\x50\x37\xf8\x6c\xa5\x94\xaa\xad\xe9\x87\xa7\x9b\xbd\x3e\x3c\x40\xd0\x00\x7a\x7f\xf8\x52\x99\x05\xb9\x4c\x54\x61\x65\x62\x92\x95\x0b\x41\xc8\x34\x43\xdc\x84\xd6\xfd\xf5\x2e\x44\x97\xed\x68\x04\x98\x1a\xf1\x33\x85\x64\x92\x00\xd8\x93\x09\x3b\xf2\xea\x82\x25\xb3\x89\xc4\xdf\xd2\xe8\x15\xb3\xbd\xf9\xd7\x08\x4d\x29\x00\x9e\xae\x4e\x88\x22\xa5\xb6\xa5\x2a\xa7\x6a\xfd\x95\x1d\x04\xaf\xa8\xe1\x28\x63\x96\xa8\x34\xdc\xf8\xc6\xb5\x7c\xc4\xef\xbc\x0c\x16\x77\x9d\x53\xf0\xbc\xd7\x40\x43\xc0\x6e\xce\xbe\x59\x32\x8d\xcc\xa8\xbb\x61\x05\xaf\x23\x56\x59\x06\xe5\x46\x6c\x73\x11\xb1\xaa\xc6\x76\x2e\x4b\x62\x60\x36\xfe\x31\xd3\xe7\xb0\xfa\x2e\x65\x8c\xa9\x35\x10\x78\xee\xca\x7b\x46\x7e\x11\x8e\x9b\x88\x95\x9d\xe1\xf4\x18\x69\x40\x5a\x83\xbd\xc6\xce\x98\x0c\x72\x9f\x7e\x2a\x46\x0f\xa9\xbe\xe1\x61\xe5\x4d\x27\x1a\x87\x4b\xb4\xd0\xa2\x2c\xd1\xa4\x37\x6d\xe3\x6b\x58\x68\xca\x0e\x10\x93\x3e\x5f\xe2\xf7\x38\x5c\x1a\xf6\x2b\x86\xf8\xe5\xc3\x12\x66\x26\xb8\xbc\x6d\x56\x8f\x62\x1d\xa3\x23\x70\x7e\xa3\x32\xd7\x65\x44\x39\xfb\xa4\x67\x1d\x0c\xae\xb7\xef\x94\xe2\x5a\x82\x86\xbd\x9a\x19\xa2\x9e\x49\x32\xc7\xdb\x9b\x82\x34\x7d\xa5\x24\x92\xb3\x81\x4a\x44\xb9\x2f\x61\x55\x9c\x22\x65\x4c\x8b\x30\x1a\x8
d\xfe\x9d\xae\xae\x0c\xad\xe9\x46\xc0\x66\x6e\x94\xc4\xa6\x35\x3b\xb0\xeb\x21\x37\xd3\x68\x53\xad\x4f\x7a\x20\xa5\x08\x1e\x63\xaf\xee\xce\x20\x3f\xa6\xee\xea\x7f\x62\x9d\x00\x1d\xab\xaf\x5b\x1a\x3c\x67\x61\x51\x7b\xc9\x9a\x8e\x63\xf6\x6c\x01\x88\x49\x27\xb4\xbc\x40\xbc\x34\x19\x0c\x9e\x55\x3c\x69\x0f\xbc\x64\x44\xdd\x8b\xba\x65\x68\x74\xfa\x80\x46\x31\xb5\x6d\x24\x54\x1a\x9b\xd6\xfb\x77\xdb\x49\x03\x76\x9f\x9d\x04\x44\xd0\x8a\x21\xff\x59\xd9\x49\x65\x9d\x80\xb1\x40\x2d\x91\x9a\xc0\xfb\x83\x80\xed\x91\x15\xb6\x69\x3c\x19\x5f\x8f\x1a\x90\xa3\xa4\x22\x35\xd8\xea\x78\x2e\xda\x2b\xf1\x94\xd3\x2f\xbc\xc5\x63\x27\x1a\xfd\xa7\x3d\x70\x96\xa2\xe9\xe4\x67\x54\x1e\x76\x67\xc2\x67\xc5\x95\xe1\x23\x37\x29\x75\x26\x77\x68\xb8\xd1\x6c\xb6\x13\x0e\xae\xbf\x69\x8b\xe7\x6e\xef\xab\xbe\xac\xd5\x9f\x63\x1c\xc1\x04\xf0\x42\x26\x3e\x3e\x29\x62\x59\x79\x69\x72\x1a\x6c\x02\x2a\xba\x14\x11\x2e\x2f\x38\x02\xba\x63\x53\x91\xcd\x1f\x94\x32\x35\x25\xc8\x16\xef\xa9\xe8\x65\x52\x39\x9e\x79\x66\x5f\xf5\x54\xf5\x86\x75\x4f\x72\xd5\x3a\x0d\x94\x75\xc6\x55\x94\x8b\xd1\x3e\xc9\x3d\xd8\xcc\x43\xe5\xb8\x13\xeb\xfe\xa4\xab\xcd\x78\x0e\xed\xb6\x82\xac\x4f\x66\xe1\x68\x47\xf7\x82\x1f\xdc\x40\xda\x07\x3f\x7f\xc5\x9f\xe5\x7c\xa6\xad\x5f\x4d\xdd\x8a\x41\xe8\xaa\xdf\x3e\x21\x78\xcf\x42\x95\xc8\x59\x99\xe2\xc2\xd8\x24\xa0\x8e\xbb\x9a\x9b\x09\xe2\xef\xbf\x9b\x8d\x03\x73\x09\x1e\xa6\x1e\xc6\xaf\x17\xdf\x1e\x71\xac\xeb\x40\x3a\x41\xd3\xba\xfe\xfc\x56\xdc\xff\x18\x60\x23\xe9\xf2\x89\xe6\x1b\x74\x69\x04\xb3\xce\x34\x86\x9b\x53\x27\xc9\x24\xa2\x73\x36\xb2\x16\xd2\x20\x6e\xeb\xa9\xb1\xdf\xdc\xe0\x22\xe3\xa1\x3a\x26\x17\x38\x7f\xb3\xff\x5a\x1d\x0f\x38\xfb\xb9\x06\x3b\xcb\x69\xb5\xe3\x3e\xe4\x57\xef\xe0\x51\xdf\x45\x34\x62\xb7\x18\xd7\xd5\xe7\x80\x31\x04\x71\xa7\x3d\x99\xe2\xeb\x1e\x23\x23\x6c\x74\xb9\x37\x7c\x3e\x0e\xbb\x93\xea\x7a\x6a\x7b\x32\x2c\x42\x59\x10\x20\x9f\x89\x18\x41\xd6\x5c\xb8\xdb\x3b\x2b\x0d\x51\xd2\x7c\xde\x0c\xa1\x85\xbd\x3b\xf1\xf4\x02\xff\x10\xfc\x61\x1b\x93\xfa\x6f\x94\xeb\xf6\x07\x9a\xc6\xd5\xf3\x0
f\xf8\x66\xa4\xdb\xf3\x07\x29\xfc\x3c\xd0\x03\xed\x9e\xee\x6e\x1c\x92\x31\x9a\x8c\x62\x69\xe1\xa7\xdb\xa0\x49\x1d\x27\xb3\x26\x38\x8b\xc3\x2d\x58\xbf\x68\x5e\xc4\x29\xa8\xca\x7a\x12\xb6\x60\x18\x23\x08\x71\x0b\x5a\xa6\x1d\xce\x0a\x14\x3f\xad\x3b\xbc\x1a\x81\xa8\xf8\x14\xee\x37\xb4\x34\xc7\xd7\x29\x33\x1c\xe7\xf7\x2d\xdf\x31\xdc\xa7\x19\xbd\xfa\x04\xc0\x3a\xec\xeb\x4c\x64\x0c\x1c\xdd\xd0\xf0\x11\x37\xbd\x6e\x2f\x7a\xef\xb5\x1b\x02\x10\xb8\xcd\xb2\xcc\xb0\xf5\xd7\x45\x8d\x05\x71\x92\x76\x75\xf1\xbe\xdb\x36\xd0\xbf\x30\xac\x68\xdb\x43\x8f\xfb\xa7\x4a\xca\x62\x37\x25\xf2\x75\x22\x70\x1b\xb6\xc5\xca\x41\x4d\x23\x91\xcd\x53\x3a\x82\xc0\x66\x72\x4c\x6d\x3f\xd6\x8f\xe4\x2a\x83\x4d\xcc\xf5\xbf\x70\x34\x74\x29\xad\x8e\x38\x22\x15\xf7\x2f\xad\x93\x6e\xf9\x49\xbf\x64\xda\xd1\x25\x77\xea\xd0\xdc\x6c\xf2\x71\xbe\x7c\xa8\xe0\xba\xab\xb4\x39\x7f\xf0\x63\xf3\xae\x8e\x74\x12\x10\xc6\xa3\xab\x3b\x44\x2b\xa8\xfb\x16\xf2\x28\xc5\xda\xfe\xb1\xb4\x40\x82\x7d\xef\xbc\x48\xf5\xcb\xce\xb2\x74\x07\x55\xc9\x85\xd0\x60\xe8\x2c\x86\xc7\x32\xbb\xd5\x60\x88\x35\x91\xa1\xac\x05\x82\x99\xf1\x7f\x2e\x2a\x12\x85\x60\x28\x0b\xa0\x89\xe8\x4c\x34\x65\x45\x2a\x65\x07\xa6\x3f\x88\x49\x44\xa8\x3a\x21\xd2\x6c\x8e\x49\x8f\xf5\xdb\xd4\x89\xc6\x9c\xa7\x85\x32\x49\x01\x8e\x9d\x03\x52\x0b\x23\xf4\x7b\x29\x7b\x85\x26\x32\x2b\x1f\x6b\xd5\x4d\x06\x0c\xce\xa3\x01\xcc\x8a\x3a\x15\xda\x2d\x39\xb6\x4e\xa4\xdd\xb0\x3c\x7b\x6c\xba\x60\x5e\x8d\xd4\x86\xd1\x2d\x8f\x0c\x6c\xd9\xfb\x47\x81\x61\x12\xba\xa0\xa7\xae\x0e\xba\x4f\x0f\x89\xb2\x14\x32\x03\xa1\x19\xa6\xbb\x85\x45\xc1\xba\x66\x78\x84\x95\xf4\xe7\xda\xd9\x6d\xf8\x11\x9b\x1c\x11\xd7\xff\xb0\x71\x07\xc0\xc0\x35\xa8\x06\x97\xa8\xed\x78\x0d\x9c\x55\x61\x92\x93\x85\x08\x5f\x0a\xa7\xbc\x74\x8f\x2b\x5e\x23\x4e\x21\x0c\xe7\x77\x22\xc5\x4e\x80\xb8\x86\xc0\xd6\x14\x65\x8f\xfa\x23\x40\x8c\xac\xa9\xcf\x01\x38\x69\xef\x66\x29\xf8\x46\x16\x40\xda\xea\x86\x9a\xd4\xc3\x65\x53\x0d\xe5\x27\x81\x5c\xaf\xee\x31\x4f\x8c\xa7\xb9\x87\x95\x22\xc4\x26\x29\xe3\xe7\x12\x96\xe5\xf6\x0a\x84\xdb\x3
9\xd5\xc9\x00\x00\x16\xea\x33\xf4\x81\xd8\x0c\xcb\x80\xf0\x85\xd5\xed\x3f\x70\x0b\xad\xc3\xb4\xb7\xd8\x0d\xd8\xa7\x78\xf0\x38\x17\xa1\x0d\x67\x89\x2d\x36\x87\x0a\x98\xbd\xc7\x0c\xfd\xa4\x83\x4c\x78\x15\x42\x1f\xc9\x72\x74\x01\xbd\x4f\x81\x11\xbb\xba\x76\x86\x02\x4b\x42\x72\xf5\xa6\x8a\x66\x51\x94\xaf\xc4\xf1\xa9\xf8\x57\xaf\x27\x0e\x30\x22\xc1\x8d\xfc\x18\xf6\x7b\x39\x77\xe6\x41\xc6\x25\x8f\x00\xc1\x43\x0e\xa7\x95\x78\xf4\xdc\x82\xa0\xba\xb5\x21\x40\xdf\x4b\xe0\xad\xb3\x29\x19\x5a\x29\x7d\xf0\xbe\x6e\x12\x34\x97\x70\xb4\x47\x7a\x44\x65\xa8\x14\x39\xf2\x2b\x6b\xdc\x67\x7a\xb8\x6d\x4e\xdb\xbd\xfc\x7d\xb3\xcf\x06\xd4\xa9\x4d\x33\xc6\xc1\x1f\xa1\x63\xfe\xfb\x1a\x87\xa9\xb5\x2c\x1c\xc4\x09\xeb\xed\xe7\x26\x3c\x88\x97\x5e\xdb\x23\x7f\xa0\x1b\x58\x3f\x79\xfc\x7a\x4f\x8e\x8a\xc8\x9a\xf7\x93\x08\xd9\x9b\x47\x3c\xf3\x3f\x33\x44\xa4\xe5\x52\x3f\x3e\x35\xd3\x88\xd1\x8e\xe1\x18\x5c\xaa\x19\x18\xd2\x3a\xae\x41\x93\xae\xdf\xe1\x25\x04\x2e\x16\xd5\x71\x86\x52\x61\xdd\x63\xbf\x0c\x9d\xd8\x48\x5f\xa6\x4e\x24\x10\xa2\x6a\x43\x6c\x83\xc9\xe3\x45\x56\xf3\x7c\x1d\x69\xd2\xfd\x57\x42\x78\xc4\xb2\xc8\xba\xf3\x83\x4e\xe2\xe0\xf3\x64\xb5\x4c\x36\x78\x0f\x28\xa8\xeb\xe5\x6e\x1d\x9e\x1c\xbd\xfd\x77\x3c\xe8\xaa\xcd\xef\xda\x09\xf4\x0d\xff\xd8\x47\xaa\xdf\x67\xc4\x44\x71\x00\x8c\xee\x07\x76\xfb\x06\x89\x54\x30\x8f\x16\x20\x3d\x01\x7b\x29\x0c\xd1\xad\x9e\x4c\xdc\x49\xf3\x26\x35\x28\x07\x56\x0d\xdd\xa4\x90\xc0\x5c\x6d\x5e\x04\xf1\x94\x00\x83\xaa\xba\x83\xe0\x29\x37\x0f\xd7\x6e\x77\x57\xc7\x3c\x05\x43\xdd\xff\x26\xc3\xa3\x07\x62\xe2\xc9\xc5\x56\xaa\x28\x2c\x7f\x46\xf3\xdd\x8e\x20\x01\x68\x05\x3a\x03\x17\x4c\x56\x69\xdc\x43\x90\x0a\x39\x41\x7c\x9d\xff\x8e\xd3\xf1\x0e\xb0\x7c\x47\x0a\x52\x2e\xc8\x20\x71\x2f\xf8\x82\x59\xcf\x7f\x5e\xe5\x2c\xf4\xee\x69\x0b\xca\xbd\x88\x76\x3f\x66\x32\x9f\x37\x25\xa4\x36\xca\x19\x38\xd4\xda\x48\xde\xdf\xfe\xa8\x2d\xc5\x4a\x2a\x0a\x5c\xfb\x64\xc3\xe2\x78\xf4\x1b\x93\x3c\xef\xeb\x02\xf9\x82\x53\x2e\x98\x67\x72\x41\xd7\xec\x2f\x8d\x14\x27\xda\x17\x11\x91\x9d\x67\x2e\x95\x1
b\x6d\x1c\xd8\xf2\xc0\x20\x3f\xed\xd5\x21\xf7\x5a\x22\x9d\x99\x67\x13\x35\x81\x36\xd8\xb4\xeb\x79\x71\x34\xfe\xc8\x74\xe3\xd3\x8a\x01\xcb\x82\xa8\x7c\x8c\x21\x1e\x64\x29\xef\xe6\x77\x17\x3a\xab\x0a\x0f\xb9\xf5\x58\xf4\xb0\x6f\x77\x05\xbc\xd1\x77\xec\x1d\xd8\x0d\x04\x45\xb5\x44\x8e\x7d\xc2\x94\x53\x8a\xae\xcc\x59\x61\x0d\xbe\x6f\x2b\x3b\x16\xb2\x75\xc1\x8d\x33\xa7\x8f\x0c\x1d\xcb\xb0\x7e\x13\x76\x28\xb6\x22\xf8\x85\xae\xe8\x0b\x82\x68\x4c\xdd\x5f\xde\x5a\x29\xaa\xdf\x63\xd8\x5e\x95\x15\x96\x49\xad\xce\x0f\x9e\x57\xb5\x3b\x82\xc7\x5b\x87\xa1\x27\x47\xef\x0f\x84\xbe\x50\x69\x3c\xca\xe7\x98\xe3\x8a\xaf\x05\x06\x66\x16\x3e\x6b\xed\x48\xf5\xf1\xba\xf4\x9a\xde\xa2\x12\x23\xbf\xb0\x89\x19\x98\x98\xdc\xd2\xe9\x1b\x70\x8b\xd6\x2b\x61\xf1\x38\xcc\x48\xbe\xd8\x8b\x77\x2d\x14\xbc\xc5\x39\x68\xaa\x32\xfa\x3f\x11\x45\x84\x75\x2d\xb5\x32\x78\xb2\x5f\x36\x7d\x52\xc2\x07\xec\x54\x59\x66\x83\x82\xaa\xc7\xeb\xfd\xf3\xa2\x07\x5c\xef\x67\x9b\xd7\x7e\xc1\x7a\x11\x43\xde\x08\x47\x20\x08\x54\x86\x68\x5a\xc8\x69\x73\x3b\xc0\x7d\x74\x24\x6f\xbf\x8a\xbb\x36\x62\xbe\x75\x0d\xdd\xd3\xb1\x3e\xcb\x2d\x91\x35\xf5\xc6\x8d\x1f\xdd\xe5\x49\xd9\xc2\x09\x1d\x96\xaa\x35\xf8\x43\x36\xb4\x21\x51\x31\xf3\x64\x76\xec\x84\x8d\x53\x3d\x7d\xca\x1e\x0a\xa4\x1e\xef\xb8\x80\x60\x52\xa8\xcd\xd5\x38\xb7\x55\x70\x7f\x93\xe0\x48\xd7\x71\x50\x5b\x88\x90\xd8\xf6\x80\xb8\x80\xcc\xb8\xee\x29\x49\xe3\x5a\x63\xee\x48\xe7\xb4\x67\x12\x8b\x65\xff\xe6\x06\xce\xd2\x8a\x3b\xc3\x17\x2b\xd0\x9f\x2b\x58\xef\x63\x22\xa3\xfa\x31\xe0\xfa\xb3\x7a\x3a\xfe\x72\x9a\xd4\x3d\x5c\xd0\x2b\x42\xbe\x4d\x8e\x60\x2b\x99\x51\x6d\xbd\xbd\x81\x2e\x1b\xec\xae\xba\x14\xb2\xb2\xbf\xaf\x05\x55\x90\x02\x51\xe3\x1d\x83\x97\x98\x14\x1b\x32\xab\xdc\x55\x8b\x3b\xf3\x0e\xdc\x11\x45\xf5\x41\x79\x85\x07\xda\x32\x9c\x5a\xcc\x1f\xf5\x6d\x4f\xd5\xf6\xe1\x8c\x02\x08\x12\x22\xc6\x98\xb3\xd0\xf2\xb1\x95\x39\xa7\xc2\xc9\x1f\x78\xb1\xbe\x76\x48\x19\x91\xe2\x41\xd2\xae\x88\x9d\x4c\xb1\x33\xf9\x0f\x77\xd9\x22\xd9\x84\xb5\xa5\xd1\xb2\xaa\x03\x8f\xb0\x01\xf0\xba\xc8\x8c\x1
4\xa3\x6f\x62\x29\x6a\xb3\x24\xd5\x2b\x57\x54\xd4\xe8\x42\x88\x9d\xa6\x54\x14\x3b\x4b\xd7\x19\xf0\x82\xcb\xcf\xa2\xec\x90\x31\xb9\xb4\xb8\xbb\x8e\xf4\x6b\xc3\xff\xa5\x2d\x35\x38\x5b\xf2\x7e\x3c\xcd\x86\x10\x84\x81\xff\x66\x40\xe8\xb0\xe3\x09\xd2\x8b\x14\x94\x20\xf9\x5e\xb9\xaf\xa0\xf6\xe1\x88\xb7\x00\x5f\x42\x12\x25\x38\x5b\xde\xa3\x82\x5a\xd5\xfb\xfc\x6d\x9f\x29\x97\x47\x6b\xc3\x6e\x5d\xfe\x4b\x68\x6d\x1a\x2d\x40\x25\x16\xd4\xee\xe9\x90\xe1\xea\x6a\x23\x48\x38\x10\x3f\x42\xd7\x05\xab\xf3\x78\x35\x67\x3c\xa7\x86\x75\xb5\x35\x4c\x2a\x99\x13\x0e\x2b\x7a\x64\xee\x26\xa2\xad\x6c\x1c\xd2\xde\x64\xed\x59\x12\xeb\x77\x08\xdb\x3a\xfb\xb4\xa6\x83\x10\x9b\x10\x57\x29\x8f\x35\x6e\x4c\xf4\xfa\xb2\x00\xca\xf7\x40\x3c\x71\x9a\xa8\x1a\xb0\x1d\x3d\x7f\x91\x55\x07\x3f\x56\x49\x5e\x51\x16\x19\x6e\x9a\x9d\xe8\x2f\x10\xa5\xc0\x8d\xfb\x2f\x91\x54\x94\xdf\x7a\x07\x00\xef\xb7\x22\xd3\x41\x6a\x5d\x32\xbc\x02\x29\x71\x11\x65\x08\x47\xde\xe6\x76\xd2\x68\x77\x2d\xec\x41\x3d\xa3\xa1\x32\x09\x89\xc1\xbe\x0d\x5c\x9c\x1b\x6f\xc4\xf7\x0f\xbd\xad\x88\x8a\xbb\x0b\xe8\xf1\x16\xf0\xd7\xa6\xf3\xab\xaf\x63\x6b\xb6\xb6\x92\x22\xda\xf4\xcc\xbd\x6d\x07\x29\x3d\xef\x59\xcd\x5e\xc9\x08\x45\x4d\x07\x94\x95\xf2\x7b\xfa\xf9\xe4\x5f\xb2\xc9\x99\x64\xe6\xb2\xfb\xa0\x3a\xf0\x38\x2d\x5b\x60\xad\xeb\xbb\x28\xfb\x8f\x8f\x8e\xfd\xd8\xda\x65\xea\xc2\x93\x77\xcf\x07\xc6\x2e\x1b\xf1\x0f\x61\xfa\x91\x2e\x62\x71\xf2\xcb\x95\x09\xa7\x63\x1b\x7a\xbe\xc3\x39\x6b\xeb\xce\x10\xbc\x79\xe2\xc4\x99\x56\xd1\x27\xf9\xd0\x1b\x73\x58\x45\x40\xcb\x6c\x0b\x52\xa7\x09\xe3\xaf\x1d\x00\xc8\x4f\x6d\x22\xfb\x19\x5d\xd8\x82\x3a\xa3\x36\xaf\xea\x89\x8e\xd8\x7a\xda\x2b\x22\xd1\xb8\xec\x50\x8c\xf6\x98\x6e\x93\x45\x92\x65\xed\x7c\x25\x87\x32\xc2\x91\xca\x41\xe7\x87\x6f\x1b\x43\x8b\x17\xd3\x6c\x24\xa0\x2f\x20\x0f\xee\xee\x18\xac\xe8\xdc\x4a\xad\x51\xa4\x2b\xb9\x81\x5d\x82\xc2\xa9\xa3\x7f\x77\x5c\xd6\x12\xe0\x84\x22\x69\x42\xea\x0d\xc6\xf5\xd8\x92\x33\x49\xbb\xbe\xdc\x2a\x45\xcf\xcf\xdd\xed\xa2\xd5\x2d\x14\xf2\xff\x83\x29\xaa\xc0\x1d\x2e\xc3\xc3\x7
f\x23\xc5\xc9\x0d\x02\x62\x80\x23\x8c\xe0\x9e\x00\xec\xa9\xf6\xc3\x0b\xda\xa5\xdc\x91\xf4\x34\x2f\x8a\xf6\xa3\xec\x13\x39\xc4\x7d\xca\xe8\xf9\x36\x0c\x32\x50\x2b\xfa\x86\xe1\xff\xc5\x82\xd5\x88\x8f\x29\xca\xc3\x9e\xf9\x0a\x31\x50\x11\x1f\x66\x11\x99\xfa\xf7\xe2\x41\x3b\x57\xbb\x9a\x72\xaa\xa2\xd5\xfa\xe3\x2b\x46\x28\x84\xa9\x28\xd8\x3c\xea\x60\x55\x70\x25\xc5\xde\x01\x80\x44\x34\x5f\xb0\x83\xde\xf4\x9b\xc3\x83\x31\x98\x94\xda\xd2\x8b\x53\x39\xcb\xad\xb6\x03\x8d\xc8\x47\x9f\x7e\x4b\x2f\x01\xc1\xce\xd3\xff\x85\x42\x05\xbe\x93\x88\x48\x85\xb1\x29\x87\x8b\xdb\xb1\x8c\xaa\x68\xc3\x09\x40\x71\x9a\x40\x8a\x03\xfc\x61\xeb\xea\x87\xd9\xd3\xef\x21\x62\x59\x45\x89\x65\x44\x75\xc2\xc3\x7e\xaa\x87\x37\x33\x8a\xcc\x18\xb3\x41\xa3\x51\xec\x39\xaa\x94\xcb\xa1\x71\x09\x6f\xd7\xfb\x83\x2e\x30\x31\xf4\xd8\x2f\xf2\x32\x8a\xa1\x89\x62\x3c\xd9\x3f\xce\x6f\x45\x25\xc2\xdd\x01\x3d\xc9\xc7\xb4\xd1\x9a\xdd\x3b\xf9\xc3\x34\x88\x6e\x9d\x1c\xb4\xdf\x99\x7d\x99\x56\x3a\x57\xb6\x6d\x83\x21\xd4\x21\x52\xf7\x21\x70\x5d\x6c\x48\x46\x18\xad\x33\xcb\x46\xb5\xc1\xa4\x1c\xcd\x39\x7e\xde\x50\x43\x2d\xc9\xd4\x1a\xa8\xb2\xfb\x37\x5a\xf7\x5d\x33\x23\x56\xd7\xdf\x3d\x5d\x43\x9f\xde\xbc\xf8\xe2\x5b\x22\x49\x3c\x6f\xe1\x40\x01\x3e\x29\x52\x32\x18\x67\xd1\x29\x47\xb1\xf2\xdd\x27\x2a\x17\x36\x94\xa5\xfd\xdd\x88\x7f\xe1\xec\x96\xdf\x64\x67\x63\x0d\x14\x49\xd7\x23\xff\x02\x3e\xc1\x27\xb1\x2a\x24\x11\xa0\x96\xe3\x12\x9e\x84\x5d\x50\xb1\x46\x68\x36\x35\xd8\x05\xcf\x19\x67\x35\x82\x8c\x8a\x0a\x00\x40\x47\xa1\x9a\xcf\xcc\x41\xb6\x2f\xe0\xfb\xff\x91\x88\x1e\x76\x13\xbf\x7a\x73\x71\x95\xf1\x85\x8e\xd7\x19\x8d\xca\xca\x13\x21\x06\x19\xd7\xf7\x39\x8d\x81\x2d\xe4\x63\xf2\x21\xf0\xc2\x64\x87\x4a\xa3\xb3\x41\x6d\xcd\xfa\xed\x76\xbf\x25\x5d\x7a\x7a\x15\xd6\xac\xc9\x86\x4d\x1b\xd9\x00\x35\x4b\x3b\xf0\xdf\x70\xba\xe9\x32\xc4\xb8\x2e\x8a\xa6\x0d\x39\x5b\x93\x9c\xc6\x0f\x89\x64\xab\x75\x5b\xa5\x0b\x40\xa7\x13\xf6\x8d\x2e\x00\x1a\x2b\x5a\xbc\xfd\xbb\x82\x1a\x0a\x3a\x7a\x97\xcd\xcc\xc0\xb0\x5b\xca\x8f\x03\x3f\xbc\xd9\x54\x56\x9c\xb
7\xc3\x12\xd4\xcb\x9e\x69\x27\x56\x13\x30\x66\x79\x88\x25\x70\x72\x61\x18\xeb\x66\xb4\xb6\xf0\xd2\x36\xc3\x3e\x35\x65\x8e\xd8\x7f\x02\x8c\xa4\x3c\x55\xc2\x69\x68\x17\x9a\xed\x75\x49\xc8\xc2\xe9\x26\x72\xa4\x45\x10\x6d\x04\x29\x84\x69\x17\xc5\xfc\x60\x7f\xa2\x85\xdb\x9a\xa6\x12\x81\xc1\xc5\x24\xa7\x6b\x3d\x40\xde\x5d\xa9\xbc\x7a\xfb\xae\x9c\x03\x55\x5d\x05\x63\x83\xea\x7f\x5e\xac\xf5\xde\x95\x63\x8e\x11\x24\x2a\x42\x0c\x9a\xa3\x22\xc8\x08\xcf\x2a\x14\xab\x47\x9d\x81\x35\xe4\xff\x48\x7b\x21\x5c\x8c\xec\x44\xc7\x29\x0d\x34\x59\x10\x0b\x21\x96\xc5\x4e\x88\xca\x28\x41\xd8\xa6\x01\x1c\x6d\xb1\xb5\xc2\xfb\xc5\x13\x5d\xa6\x05\x3d\x89\x3d\x11\x6b\x9f\x23\xd5\xa0\xf7\x7f\x9f\x64\xc5\x0a\x04\x48\x55\x2f\xb3\xd4\x00\x2c\xcf\xb9\x5e\xd5\x4c\x37\xea\xe9\x31\x73\x7b\xf0\x2b\xcd\x22\x6b\x13\x3b\x9d\x27\xde\xbf\xae\x74\x87\x30\xa8\x7b\xe8\xdf\x5c\x31\xcd\xdf\x16\xc2\x6b\xc3\xf3\xb4\xdf\x7a\xbc\xbc\x52\xed\xad\xb7\xa7\xc2\x9e\x87\xdd\x5d\x63\x30\xb7\x61\x64\x9f\xc9\xf0\x98\xa7\xb6\xb6\x8c\xf5\xdc\xe7\x67\x66\x7e\x8b\x5a\x7c\xd4\xbb\x22\xd1\xc9\x22\x9c\x45\x51\x69\xd7\x2e\xdd\x3b\xae\x9c\x25\x1c\x07\x88\x96\x8f\x1d\x13\xaf\x8e\x47\xba\x32\x92\x3c\x66\x14\xc4\x4d\x51\x96\xfa\x80\x57\x61\xdb\xa5\x9a\x39\xb8\x93\xbf\x09\x73\xda\xbb\x97\x6e\xdf\x63\xf3\xcb\x54\x73\x2d\x43\xb9\x0e\xe7\xab\x03\x74\xe1\x0f\xd7\x22\xd5\xc3\x61\xa4\x10\x89\x31\xe8\xee\x3f\xa1\x90\x79\x3f\x90\x1b\x18\xff\x7b\x5e\xd8\xc1\x62\xb3\x7f\xfc\xb3\x9c\x6c\x0c\x08\x4c\x9c\x76\xb3\x96\x4e\x31\x35\x1f\x51\x12\xac\xcf\xe1\x6c\x62\x68\x58\x0c\xe0\xb4\x4c\xd4\xc3\x3f\x29\x21\x71\xdf\x6a\xf3\x59\x14\x22\x5c\x8b\x1a\xff\x19\x85\xce\xa0\xea\x73\x49\xa4\x3a\x51\x0d\x5f\xbf\x18\x81\xa0\x32\xf9\x6b\x1f\x58\xf4\xfa\x94\xdb\xcd\xf9\x8f\x6b\x11\x3a\x2f\x85\x1e\x76\xd4\xf1\xcf\x06\x86\xe3\xb4\x40\x57\xc3\x63\xc8\x49\xc5\x70\x06\x59\xd7\xe5\xa1\xc2\xb3\xcc\xfd\x5a\xaa\x88\x9c\x2f\x99\xa9\xb1\xc8\x31\x9c\x3c\xd3\x48\xbe\x29\xb2\xe9\xbf\xef\xbc\x28\xcb\x77\x47\x29\x95\x8c\x12\xc9\xdf\xa7\x4b\x89\x3a\x07\x74\x5a\xed\x2e\x51\x44\x72\x3c\x8
f\xc0\x50\x68\x52\xf1\x7e\x6a\x4a\x8f\x59\x9d\x2c\x4a\x1d\x7c\x0b\xa9\xd7\x7d\xb8\x41\x6e\xb1\x09\x32\xcd\xc7\x49\xcf\xa9\x98\x90\xee\x80\x17\xc0\x66\x40\x84\xf8\x64\x89\xc9\x75\x25\x52\x52\xc3\x87\x6f\x8d\xcd\x98\xc0\x0b\x73\x61\x1c\xe2\x73\x4e\x1f\xe0\xee\x5c\x0a\x0a\xbb\x0c\x50\x00\x40\x44\xf9\x3a\xd2\xff\x01\x09\xbc\xb1\x9a\x3a\x20\xf1\x86\xd6\x8e\x38\x7d\x34\xa5\xb5\x78\xc4\x25\x3c\xd9\x67\x26\x14\x80\x3b\xf9\x67\x26\xe8\xab\x00\x14\x6d\x2f\xe2\x66\xe6\x2e\x48\x65\xf5\xe7\xfe\x31\xd4\x14\x97\xe7\x19\x51\x22\xfc\xda\x82\x5f\xb4\xe9\xfc\xdd\x09\xb4\x21\xdd\xb6\xe9\x25\xa4\xd5\xcb\x7f\xf2\xfa\x56\xfe\x14\x97\xad\x65\x9c\xc5\xb6\xef\xd8\xf8\x83\x99\x8b\x74\x51\x17\x5f\x98\x27\x54\x7b\x84\x19\x5c\x25\xfc\x16\x31\x07\x2a\x55\xc1\x7e\x90\xa3\x27\x9a\x54\xa2\x96\x97\x31\x2b\xfe\xf3\xee\xfc\xba\x8d\x31\x14\x55\x6a\x54\x5d\x18\xab\x0d\xf7\x4d\xf2\x66\x85\x91\x51\x95\x9a\x1b\x05\x1f\x83\x22\xf7\x98\xcb\x45\xd5\xcb\xe5\x29\x1b\xdd\x71\xda\xd6\x65\xf6\x4d\xde\x69\x54\xef\x00\x71\x89\x18\xfe\x01\x72\x79\x63\x96\x46\x42\xd4\xc4\xa5\xbb\xa9\x30\x3f\x44\xfe\x97\xff\x99\xf0\x67\x48\xdc\x86\x3f\xf0\xcc\x17\xfc\x82\xb2\x9f\xbe\x0c\x71\x2c\x77\xed\x36\x69\x7f\x23\xb4\xa2\x2a\x9f\x24\x85\x22\xf9\x94\x6c\x3a\xbc\xd3\x2e\x16\x5f\xd6\x6f\xdb\xc7\xb4\xa0\xdf\x71\xa8\xd2\x57\x1f\x32\xda\x4a\xda\x51\xc1\x4c\xa0\x86\x30\x1d\x6e\xd0\x20\x06\xc6\xa3\x8c\xe4\xe7\x67\x1f\x3d\x08\x62\xa4\xe3\xc2\x2b\x6a\xa7\xb7\xc0\x49\xa7\x76\x22\x87\x57\x05\x62\xe8\xb4\x52\xef\xc7\x87\x41\xe7\xc2\x82\x2a\xd0\xfd\x43\x5e\x76\xa8\x04\x4b\x05\xb3\x88\xaa\xfc\x4c\xf6\x15\x75\x76\x03\x98\x87\x23\x64\x46\x99\x61\xe8\x7d\x14\xd1\x79\x5e\xb6\x27\xfa\xed\xa1\x8f\x9c\x12\x28\xfc\x99\x4d\x58\x05\x08\xc9\x96\xd3\x66\x27\x99\xb7\x23\x7e\x59\x69\x10\xa7\xc5\xc7\xfa\xcd\x47\xfa\x30\x84\xda\x48\x48\x87\x67\xf6\x0c\xfe\x58\xec\x40\x14\x15\xac\x66\x03\x16\x23\x32\x0f\x9f\xda\x37\xc0\xaf\x9f\xe4\xcd\xa1\xb2\x89\x3d\x2d\xf0\xac\x82\x26\x01\x3a\x36\xca\x7b\x13\x66\x03\x2e\xa7\xb2\x5a\x55\x91\xbe\xbc\x8c\xe4\x89\x77\x7c\x0c\xba\x2
8\xd1\xf0\xca\xfe\xae\xea\x7d\x5b\x4d\x20\x09\x30\x9e\xeb\xc9\x13\x07\x81\x12\xbb\x12\x69\x20\xca\x6e\x5e\x2b\x22\x10\xce\x54\x10\xcc\xe4\x5f\xc4\x63\x74\x6c\xf1\x68\xf7\xee\x2b\x91\xc7\x97\xb3\x30\xe0\x46\x48\x22\xa6\x18\xe4\x57\xce\x39\xa0\x03\x67\xd9\xcd\x3d\x3f\x59\x38\xce\x36\xeb\x2a\x31\xa9\x0d\x04\x92\x58\xc8\x49\x95\x5e\x97\xf0\x80\x17\x26\x9b\x3e\x5f\x69\xe9\x12\x81\x95\x63\x8b\xc8\xc1\xfa\x73\x5e\x6e\xb2\x43\x5c\x95\x87\xf4\xf4\x36\xd9\xe6\x8a\x87\x97\xbb\x42\x10\x0d\x48\xe7\xb2\x61\x97\xc6\x5f\xb8\x90\x39\x61\x38\x2f\xb0\xfe\x22\x98\x60\x17\x30\x68\xd9\x42\x91\x10\x82\x3b\xc2\xff\x71\x7a\x71\x57\x05\x4c\x32\x6b\xda\xc3\xad\x35\x81\x77\xf9\xa4\x06\xd8\x94\xb8\x42\xd6\xd9\x1e\xdb\x35\x6b\x06\x28\x3b\x32\x9b\xca\x6e\x12\x29\x06\x55\xfe\xf2\x40\x29\xba\x1d\xaa\xf4\x5f\x17\xeb\xc8\x34\xd1\x2e\x35\xe3\x9f\x2e\x20\xe2\xc7\x36\x2a\xeb\x00\x31\xf4\x87\x7b\x63\x3b\xe1\xbe\xd3\x6f\x5d\x7b\xa2\x4d\x01\x48\xf8\x46\xa7\x86\xf3\x88\xe2\xab\x79\x66\x2d\x55\x9b\x86\x1a\x36\xa4\xce\x60\xdc\xeb\x5f\xdb\x9f\x47\x93\x58\xfd\x84\xa5\xc7\xf1\x02\xf7\x5b\x81\x43\xd3\x62\x6f\xff\xa5\x46\x9c\x22\x07\x2a\x97\xd6\x3f\xf9\xe0\x66\x7c\x2f\x2d\xb4\x1c\xd0\x3e\x5d\x43\x91\x4b\xb5\x90\xbb\x1f\x11\xf4\xc3\x53\x3b\xcc\x47\xff\xc9\x9e\xed\xf6\x77\xc9\xd6\x46\xc6\x0f\x99\x39\x89\x15\x89\x1a\xb6\x71\x97\xdd\xbd\xc1\x1e\x03\xda\xf0\x31\x39\xce\xad\xaf\x99\x22\x68\x75\x16\x3f\x11\xc2\x90\x27\xf6\xec\x6e\xe6\x47\xc9\xbb\x1f\x76\x95\xf1\xf2\x91\x8a\x32\x85\xa1\x3e\xad\xb7\x3d\x3e\x94\xcb\x0d\xbf\x92\x73\xf7\x5e\x1a\x8b\x39\x1c\xc6\xe4\xc1\x4e\xd5\x68\x3c\x27\x56\xc7\xb3\x3d\x84\x35\x1e\x1c\xe0\xba\x7b\x02\xe2\x30\x5d\xe6\x5b\x29\x45\x6b\x5c\x55\x34\x46\x47\xc7\xb0\xb1\x6c\xd8\x36\xdb\xa2\x71\x1a\x4c\xc9\x77\x38\x26\x7c\x46\x2c\x85\xfa\xd6\x08\xa8\x16\x12\xd7\xf8\x9a\x7f\xe6\x63\xbd\x06\x43\x54\xa8\x0f\x8b\xe0\x16\x5d\xf5\xd9\xba\xe1\xc6\x9e\xa5\x69\x62\xb1\x11\x22\x0c\xdc\x13\x6a\xda\x90\xbb\x13\x15\xf8\x65\xca\xff\x1e\x25\x26\xac\xd2\xef\x4c\x36\xa7\x0f\x26\x60\x88\xd7\xd3\x48\xe5\x61\x13\x29\x7
1\x66\x8e\x91\xa8\x90\x04\x08\x5a\x5b\x09\x2f\x8e\x28\x42\x3d\x16\xb7\x49\xcd\xcb\xf9\x2a\x43\x65\xe4\x68\xdd\x67\xbe\x24\x1e\x5d\xea\x70\x5b\x60\x6b\x28\x09\x9a\x5d\x3d\x46\xa0\x76\x20\xfc\x4f\x73\x1e\x3d\x36\x05\xde\xbe\x68\x70\x42\xca\xc9\x37\x42\x73\x67\xc3\x5b\x54\x6a\xf2\xdf\xc0\x94\xa7\x21\xdc\x7f\xd1\x3d\xf6\x8e\x9a\x79\x9e\xcb\x10\x7c\x90\x8b\xac\x9f\x8c\x44\x30\xcc\x10\xc6\x29\x9c\x79\x4d\x02\x8d\x51\x6c\x3e\xf3\xf7\x7f\x9f\x64\x20\x16\x60\x94\x9b\x5e\xe2\x9a\x58\x94\xd7\x38\xfa\x4e\x4b\xcd\xda\x88\xfe\x12\xbc\xff\xe8\x5d\xa7\xb1\x0d\x02\xc8\x09\x22\xf3\x90\x71\x34\xfe\x64\x60\x55\x08\xb6\xcb\xe3\x5e\x97\xf1\x2f\x1b\xb1\x5f\xce\x6f\xac\x0b\x0b\xbe\xd6\x21\x83\xba\x88\xb8\x41\x3c\x69\x2c\x1d\x46\x53\x76\x14\x6a\x5a\xc6\x9e\x0f\x10\x45\x0f\x04\xc8\xb6\xf3\xc9\x0c\x58\xac\x33\x60\x4a\xa8\x11\xa9\xb7\x4e\xbb\xd0\x7b\x06\x84\xc5\x1a\x55\x30\x06\xda\x57\xf4\xdf\x29\xdf\x30\xa6\x46\x22\x26\x6b\x3e\xc0\x6c\x43\x5d\x65\x05\x21\xf3\xea\x72\x5a\x3c\x8c\x12\x8c\x73\xf0\xd3\x44\x7d\xd1\xa8\x5b\x10\xa0\x61\xe9\xac\x44\x69\xbd\x8e\xad\x5b\x59\xcc\x63\x9b\x81\x7e\x67\xd9\x0c\xcd\x77\x3e\x22\x4a\xeb\x67\xdd\x26\x36\x91\x74\x36\xb7\x64\x75\xd8\xe0\x25\x5c\xf7\xd1\x4f\x28\x36\xa5\x0d\x23\xfb\x11\xb3\x84\x35\x48\xb3\xa5\x2d\x8f\xa1\x0c\xa8\xc9\x7e\x1f\x0e\xd7\xa0\x0c\xfc\x80\x67\xa5\xb9\x9a\x41\xc0\x7d\x3c\xe0\xa0\x45\x6b\x84\x43\xbb\x5f\x09\x03\xdb\x5e\x7b\xc1\x6b\x0d\x0d\x4f\x32\x1a\x57\x57\x2d\x33\x68\xd9\x7a\xb7\x70\x58\x30\xd2\x3f\xf7\x8a\xc8\xd6\x94\x02\xc9\x20\xf7\xfb\x91\xd6\xef\xc1\x6c\xe4\x39\x93\xa1\xa6\x8e\xb8\xed\xa0\x8d\x7c\xc5\x5f\xca\x85\x49\xf4\x08\x39\xac\x8e\x5e\x26\x3e\x8f\xcd\xdb\x10\xdd\x20\xfb\xed\xd9\x49\xc8\xd3\xc1\xe1\x86\xe9\xfd\xd5\xaa\x27\x65\xa1\xef\x54\xf9\xe8\xb2\xa7\xa0\xb3\x8f\x1c\x8f\x8d\xaf\xe5\xfc\xef\x0f\xf0\x31\x69\x21\xdb\xaa\xb2\x7f\x6b\x2e\x09\xe4\x9d\x0a\x56\xc9\xad\xe5\xd8\xcb\x65\x86\x99\xba\xa9\x84\x54\x3f\xde\x4e\x72\x0e\x02\xe5\x50\x3e\x83\x5c\x7a\x63\xef\xfe\xe3\xdf\xa5\x8e\x4c\xcd\xbe\x19\x43\xb5\x92\x1b\x58\xfd\x0e\xd6\x64\xe
f\x73\xdf\x89\x23\x18\xe1\x07\x03\x23\x48\x59\xb5\x65\xd1\x7d\xe8\xc9\x25\x19\x8b\x44\x81\x59\xc8\xe8\xd7\x3c\x8b\x1e\x5e\xb6\x87\x05\xe5\x82\xd5\x12\x8f\x20\x7b\x54\x6f\x81\x22\xe0\x4e\x37\xbc\xc9\xd1\xca\x9b\x2c\x7a\xe5\x1d\x45\x42\x44\x8b\x36\xd6\xff\x16\xd9\x98\xee\xce\x9f\x07\xbe\x34\x1d\x1d\x8f\x98\x9f\x23\x44\x60\x40\xa4\x99\x72\x72\xc9\x9d\x45\x34\x83\x72\xfc\x49\xb7\x0f\xb5\xe0\xfa\xca\x97\x51\x84\xc6\x02\x59\x95\xf6\xaa\x49\xf1\xb2\x93\xdf\x66\xd5\x1d\x75\x3d\x9c\x77\x75\x57\x6d\x0e\x77\x01\x34\xd3\xa4\xfb\xd5\x3c\x99\xb0\xa7\xb6\xaf\xe7\x33\x7f\x73\x24\x81\x63\x23\x9a\x71\x4d\xfe\xb2\x85\xb0\xb4\x9e\xf6\x02\xd6\x2a\xd6\x93\x5a\x83\xc8\x3b\xc8\x14\xbd\x40\x7b\x1f\xf5\x22\x82\x92\xf9\xbf\xbb\xd0\x71\xc8\x1d\xc9\x59\x1a\x05\xc9\x50\x7b\xff\x87\xc9\xe5\x27\xb8\xf1\x4e\x8e\xe1\x3d\x18\x7e\xb8\x67\xdc\x2c\x95\xdd\x90\x3c\x37\x69\x2d\x03\xe7\xb0\x09\x85\xfb\xc1\x13\x13\x07\x8d\xec\x7f\xf6\x9f\x2e\x01\xa8\x34\x23\x99\x40\x0f\x98\xcc\x66\x83\x3d\x9c\x85\xff\x7f\x10\xcb\xef\x73\x32\x13\xcd\xae\x61\x54\x5f\x39\xe8\x5c\x59\x30\x2b\x56\x0a\x72\xd0\x43\x7b\x26\x6c\xba\xe1\x6f\xad\x4a\x00\x0d\xde\xa1\x99\x49\x40\x8c\x74\x77\xfc\xb9\x48\x91\x53\x23\xeb\xb7\x9a\x55\xc7\x69\xcc\xb1\x8e\x2f\x55\x2a\xb7\x63\xba\x65\x30\x2a\xe7\xbc\x47\x6e\x36\x25\xeb\x88\xa7\xa6\x69\x8c\xec\xcf\xac\x22\x90\x0c\xa3\xc4\x4d\xec\x88\x66\xb2\xa1\x14\xc0\x83\x1c\xf6\x53\xd4\xc1\xfb\xa9\xa7\x78\x5a\x1c\xaa\x2b\x97\x34\x33\x84\x22\x6b\x1a\xce\xd9\x3d\xa7\x1d\x30\xb6\x65\x06\x45\xbc\x11\x3a\xc6\x2d\x32\xd2\x03\x2d\xdb\x65\x62\x6e\xe8\x6c\x3b\x9d\xfb\xbd\x8d\x0c\xae\xea\x74\x53\xdb\xea\x30\x4e\x34\xd3\xf8\x05\x22\xcd\x31\x7b\x49\xbc\xab\xb8\x69\x33\x1c\x7c\x32\x18\x52\x10\x04\x30\x42\x3b\xcb\x1e\xc1\x5c\x50\xc1\x9b\x76\x6a\x7c\xe4\x71\xd5\x1b\x01\x04\x1b\x68\x5a\x29\xc4\xbf\xdb\x55\x2c\x86\x6d\x58\x3b\x7c\x3c\x7f\xd5\x6c\xfc\x73\x72\x5d\xf7\x84\xe4\xd9\x02\x81\x56\x7f\xe8\xc3\x8d\x86\x6b\x06\xef\x13\xbb\x30\xfd\x23\x90\x6e\x66\x2c\xf9\xd5\x11\x3d\x7b\x52\xb0\x14\xb4\xae\xb3\xa1\x83\x52\x4b\x49\x7b\xe
9\x22\x0a\xe1\xe0\xb2\xf7\x67\x4d\x27\x99\x42\x94\x1b\xbd\x81\xed\x59\x5a\x93\xc2\x34\x13\x99\xb6\xac\x36\xff\x86\x9f\x89\x4c\xae\x29\x13\x08\xb2\x12\x84\xd3\x98\xb5\xfa\x6a\xc7\x6b\x9d\x59\xf0\x3e\x48\xc2\x75\xf4\xf2\x0c\xe0\xa5\x05\x9d\xe6\x9c\xa9\xec\x99\x9d\x73\x20\x2d\xef\x66\x6b\x37\xb3\xa9\x6a\x95\xb1\x2c\x74\x33\x10\x38\xfa\xca\xca\xb1\x88\xda\x87\x8a\x86\x0e\x1b\x39\x9d\x6b\x3b\xd3\xc1\x36\xe0\xa5\xe9\x96\x3c\x16\x91\x88\x9f\x0d\x40\x0f\x34\xdc\xc5\x1e\xf1\x00\x2e\xbf\xee\x28\x14\x60\x5a\x4d\x10\x67\xed\x73\x96\xc1\x15\xe3\xa9\x4f\x15\x1c\x8e\x4a\xa2\x93\x0f\xd8\xbc\x53\x4d\x57\x9d\x5d\x88\x43\xbd\x20\x29\x05\x6f\xc5\x58\xb9\x86\x94\x08\xb9\x95\x1f\x75\x67\x24\x33\xea\xd1\x9e\x10\x9c\xd1\x83\x08\xf1\xc9\xd6\xf9\xcc\xbc\x9f\x76\x79\x93\xb5\x9e\xa2\xb5\x04\x68\x64\xf5\xe0\xc3\xbd\xe4\x2e\x79\x32\xc5\x6b\x9f\xb2\x52\x89\xe1\x6a\xb3\xbe\xbb\x69\x25\x47\xde\x1a\x4d\xbe\x11\x9a\xb2\xbd\x71\xe4\x71\xcb\xdf\x6c\x6e\x85\x19\xac\xa7\x7c\x2c\xbb\x82\x73\x34\x3c\x1b\xed\x23\x92\x2e\x55\x7f\x87\xb4\x08\xd8\x7a\xf7\x88\x96\xed\x30\xf0\xa6\x17\x8a\xd9\x8a\x34\xde\xd6\x14\x84\x43\xfd\xdf\x4a\x5c\x00\xa8\x1a\xe9\xdf\x21\x59\xfd\x65\x8c\x85\x9f\xb6\xb2\x74\x98\x8c\x84\x8f\x99\x3e\x76\x1c\x26\x3e\x90\xd7\xdb\x8f\x66\x2c\x87\x6b\x7a\x61\xff\x2d\x93\x8b\xa7\xfe\xd4\xcb\x5c\xd8\xee\x51\x48\x70\xb5\x05\x20\xe7\x33\xf2\x1c\xdc\x3b\xd7\xed\x41\xd2\x97\xb9\x6d\xfe\xff\x37\x9d\x37\xe6\x07\x1b\xb1\xac\x84\xfe\xff\xab\x2c\xdd\x98\x5f\xea\x2f\xe6\xc4\x6e\x6b\x75\x69\xc8\xc2\x45\x45\x91\x79\x5c\xcc\x56\x51\x1d\x85\x3f\xd2\xa0\x1a\x1e\xb0\xce\x25\x05\xab\x65\x78\x2b\x78\x36\xba\x67\x84\x45\x05\xaa\xbc\xb5\xdc\x63\x72\xa3\x13\xfe\x7a\xcc\x7f\x48\xb0\xd2\xbe\xf7\x94\x03\xc2\x83\x7d\x88\xe5\x2f\xe9\x26\xad\x16\xd5\x1b\xe7\xe8\xc6\x2a\x59\x55\xa6\x1e\x85\x27\x08\x39\xf3\x6e\xee\x94\x63\x70\x92\x7e\xb1\x98\x41\x30\x16\x77\xe8\x37\xab\xac\x18\xd7\x09\xbc\x84\xdd\xa6\x0b\x12\x10\x7a\x23\xeb\x73\x35\x43\xff\x32\xcc\xe5\x24\x8d\x0f\x46\x19\x21\x29\x52\x91\x83\x7c\x15\x0a\x4c\x1d\x48\x9d\x31\xc5\xb
f\x5b\xfc\x2d\xa1\x42\x7e\x1e\xce\x74\xae\xa7\x05\x3f\x1f\xed\xa6\x4f\x09\x9f\xc4\x47\xa7\x90\x8c\xe4\x4b\x13\x46\x15\x49\xf2\x3e\xf1\x8c\x1d\x81\x07\xbe\xfb\x09\xf9\xd7\x19\xa0\xac\x57\x08\x0f\x1c\xdb\xfd\x46\x70\x4d\x79\x94\x7a\xa1\x0c\x5b\x0b\xb2\x26\xe7\xf6\x83\x09\x74\x72\x40\xf7\x73\xa6\x27\x53\x65\x61\xfb\x6c\x1c\x9b\x26\xaa\x5e\x23\xbe\x01\xf2\xd3\xf7\xaa\xdc\x99\x54\x40\x01\x5d\x25\x64\xb9\xc1\x6b\x85\x3d\x66\x57\x24\xf9\xf7\x22\xb3\x4a\xb1\xd4\x4c\x27\xd0\xe0\xcb\x01\xc4\x9d\x9e\x05\xde\x91\xc2\xe0\x40\x76\x4f\x0c\x21\x2e\x6d\x63\xf7\xb7\x24\x93\xdc\xcb\xf8\x58\x16\x4c\xf4\x81\x51\xbb\xe4\xf1\xdc\x2c\x91\x58\x66\x73\x43\x1a\xf7\xb8\x46\x1d\x30\x16\x1c\x56\x11\x70\xdf\xa3\x1e\xdd\xe2\xcc\xc9\xdd\xdb\xc7\xa8\xe4\x62\x31\x75\x24\x05\xcf\x30\x8e\xcd\x8d\x35\x05\x63\x6d\xba\x70\x35\xc9\x4f\x72\x86\x23\xbb\x87\x60\x3a\xfb\x90\xb5\xc2\x3e\x9a\xc1\x93\x7b\x2e\xa3\x98\x4d\x57\x9d\xa2\x99\x70\xef\x04\x9f\xfd\x97\x05\xfa\x28\x3e\xf6\x2f\x1a\x9f\xbb\xef\xbc\x5f\x8f\x3f\x79\xbd\xd8\xd7\x0f\x0a\x89\x39\x72\xe5\xac\xa3\xa1\x64\xe6\x72\xba\x88\xeb\xdb\x62\x06\xa4\xdd\xa5\xeb\x5a\xdf\xd1\x63\x52\xd4\x2c\x4f\xbd\xdf\x11\x7f\x2b\x0d\x30\xe8\xc3\x9f\x1b\xc6\x3f\x3b\xc0\x3b\x45\x2a\x87\x01\x17\xaf\x7a\x3f\xd3\x01\xaf\x71\x4b\xfa\x39\x83\x67\xa9\xac\x2a\xa3\x81\x17\x0b\xc7\xca\x86\x01\x44\x25\x8a\x9a\x38\xa6\x14\x54\xc9\xcd\xef\x24\xf1\xc6\x62\xf2\x8e\x8d\x1e\xe7\x74\x9f\x61\xa9\xc7\x9a\x9e\x16\x59\x3f\x2d\x55\x00\xde\xaa\x73\x0a\xca\x4e\xef\x32\x73\x87\x84\x31\xa8\x74\xb0\x3e\x44\xf6\x49\x5b\x52\xea\x9b\x22\xd9\x41\x7f\xb3\xf2\xcc\xbe\x2c\x48\x2a\xdd\x30\x8e\x4a\x3c\x55\xb7\x53\x2a\x4e\x64\xcf\x10\x8d\x83\x3d\x54\xab\xf3\xcf\x93\xb3\xf9\x08\x52\x63\xd2\x77\x4c\x22\x14\xdc\x62\xe3\xc6\xa7\x88\x69\x46\xb7\xbb\xb4\xd0\xfd\xd8\x2d\x50\x22\x32\xf8\x91\xe9\x5e\x20\x75\xb6\x97\x4f\xcb\xc8\x15\x79\xfe\x8e\xeb\x7e\xe2\x21\xa9\x04\xce\xdb\xbb\xab\x25\x95\xef\x93\x53\x7f\xde\xa0\x3e\xb9\x3b\x49\x68\x01\x19\xd9\x96\xc8\xe7\x06\xdf\xc4\xd9\x94\x33\x95\x4c\x53\x67\x72\x5d\x48\x08\x11\x9b\x6
8\x3b\x59\x64\x1c\x4b\xff\xd3\xfb\xab\x0c\x7e\x12\x5f\x02\xba\xd9\x5c\xbf\xc2\x6e\xab\x96\x07\x9f\x8d\xfb\xf6\x62\x35\x89\xd1\x4e\x0c\x20\xd1\x5e\x07\xc3\x4b\xcc\xce\x36\xfb\x92\x79\x65\xf9\x6c\x8c\xc8\x9b\x3e\x51\x43\x82\x12\xa9\xbe\xc9\x2a\xf4\xb5\x92\xae\x76\xe6\x6d\x53\x1d\x34\x43\x85\xf5\x56\x85\x52\xe3\x7b\xd2\x5c\xbe\x30\x7d\x83\x99\x75\x91\x4f\x30\x91\x5d\x24\xe8\xf3\xd8\x92\xc8\xa1\x9f\xa4\x84\xc3\x5d\xf1\xfb\x92\xaf\x80\xed\xf4\x03\x34\x0c\xac\xed\x5c\x22\x47\x67\xe9\xe6\x87\x45\x65\x63\xdf\xf2\x9c\xa8\x6e\x36\x58\x55\xde\x94\x05\x7b\x66\xc5\x76\xbe\xc5\xf5\xb7\xfc\x3f\x00\x43\x33\x6b\x8a\x48\x7a\xe2\x51\x9b\x8f\xf0\x12\x2e\x7a\xc2\xbf\x57\xd2\x9b\xa6\x48\x08\xdd\x3a\x20\xd2\x6e\x43\x82\xce\x7b\xb1\xfb\xd3\x47\x34\xf5\xae\x66\x25\xee\x8a\x7d\xd5\x6f", 8192); *(uint32_t*)0x20004f40 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x50; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 0x3f; *(uint32_t*)0x200023d0 = 7; *(uint32_t*)0x200023d4 = 0x22; *(uint32_t*)0x200023d8 = 0x8001; *(uint32_t*)0x200023dc = 0x1040000; *(uint16_t*)0x200023e0 = 8; *(uint16_t*)0x200023e2 = 0xf6e1; *(uint32_t*)0x200023e4 = 8; *(uint32_t*)0x200023e8 = 9; *(uint16_t*)0x200023ec = 0; *(uint16_t*)0x200023ee = 0; memset((void*)0x200023f0, 0, 32); *(uint32_t*)0x20004f44 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 9; *(uint64_t*)0x20002450 = 0x40d; *(uint32_t*)0x20004f48 = 0x20002480; *(uint32_t*)0x20002480 = 0x18; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 7; *(uint64_t*)0x20002490 = 7; *(uint32_t*)0x20004f4c = 0x200024c0; *(uint32_t*)0x200024c0 = 0x18; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 0xffff; *(uint32_t*)0x200024d0 = 8; *(uint32_t*)0x200024d4 = 0; *(uint32_t*)0x20004f50 = 0x20002500; *(uint32_t*)0x20002500 = 0x18; *(uint32_t*)0x20002504 = 0; *(uint64_t*)0x20002508 = 0xce0; *(uint32_t*)0x20002510 = 0x1c; *(uint32_t*)0x20002514 = 0; *(uint32_t*)0x20004f54 = 0x20002540; *(uint32_t*)0x20002540 = 0x28; 
*(uint32_t*)0x20002544 = 0; *(uint64_t*)0x20002548 = 1; *(uint64_t*)0x20002550 = 0x100; *(uint64_t*)0x20002558 = 5; *(uint32_t*)0x20002560 = 2; *(uint32_t*)0x20002564 = r[6]; *(uint32_t*)0x20004f58 = 0x20002580; *(uint32_t*)0x20002580 = 0x60; *(uint32_t*)0x20002584 = 0xfffffffe; *(uint64_t*)0x20002588 = 8; *(uint64_t*)0x20002590 = 0xcd95; *(uint64_t*)0x20002598 = 0x1f; *(uint64_t*)0x200025a0 = 7; *(uint64_t*)0x200025a8 = 0x48; *(uint64_t*)0x200025b0 = 0xaac5; *(uint32_t*)0x200025b8 = 6; *(uint32_t*)0x200025bc = 0xad; *(uint32_t*)0x200025c0 = 5; *(uint32_t*)0x200025c4 = 0; memset((void*)0x200025c8, 0, 24); *(uint32_t*)0x20004f5c = 0x20002600; *(uint32_t*)0x20002600 = 0x18; *(uint32_t*)0x20002604 = 0xfffffff5; *(uint64_t*)0x20002608 = 9; *(uint32_t*)0x20002610 = 9; *(uint32_t*)0x20002614 = 0; *(uint32_t*)0x20004f60 = 0x20002640; *(uint32_t*)0x20002640 = 0x11; *(uint32_t*)0x20002644 = 0; *(uint64_t*)0x20002648 = 0; memset((void*)0x20002650, 0, 1); *(uint32_t*)0x20004f64 = 0x20002680; *(uint32_t*)0x20002680 = 0x20; *(uint32_t*)0x20002684 = 0; *(uint64_t*)0x20002688 = 0x10000; *(uint64_t*)0x20002690 = 0; *(uint32_t*)0x20002698 = 0; *(uint32_t*)0x2000269c = 0; *(uint32_t*)0x20004f68 = 0x20002780; *(uint32_t*)0x20002780 = 0x78; *(uint32_t*)0x20002784 = 0; *(uint64_t*)0x20002788 = 9; *(uint64_t*)0x20002790 = 3; *(uint32_t*)0x20002798 = 0; *(uint32_t*)0x2000279c = 0; *(uint64_t*)0x200027a0 = 6; *(uint64_t*)0x200027a8 = 0; *(uint64_t*)0x200027b0 = 0xfffffffffffff20d; *(uint64_t*)0x200027b8 = 0xfffffffffffffff8; *(uint64_t*)0x200027c0 = 1; *(uint64_t*)0x200027c8 = 0x3ff; *(uint32_t*)0x200027d0 = 5; *(uint32_t*)0x200027d4 = 9; *(uint32_t*)0x200027d8 = 0x726; *(uint32_t*)0x200027dc = 0x1000; *(uint32_t*)0x200027e0 = 6; *(uint32_t*)0x200027e4 = r[7]; *(uint32_t*)0x200027e8 = 0xee01; *(uint32_t*)0x200027ec = 7; *(uint32_t*)0x200027f0 = 7; *(uint32_t*)0x200027f4 = 0; *(uint32_t*)0x20004f6c = 0x200028c0; *(uint32_t*)0x200028c0 = 0x90; *(uint32_t*)0x200028c4 = 0; 
*(uint64_t*)0x200028c8 = 3; *(uint64_t*)0x200028d0 = 2; *(uint64_t*)0x200028d8 = 2; *(uint64_t*)0x200028e0 = 0x100000000; *(uint64_t*)0x200028e8 = 0x61a26b8d; *(uint32_t*)0x200028f0 = 6; *(uint32_t*)0x200028f4 = 2; *(uint64_t*)0x200028f8 = 1; *(uint64_t*)0x20002900 = 3; *(uint64_t*)0x20002908 = 1; *(uint64_t*)0x20002910 = 0x100000000; *(uint64_t*)0x20002918 = 3; *(uint64_t*)0x20002920 = 0x8f; *(uint32_t*)0x20002928 = 4; *(uint32_t*)0x2000292c = 0x1ff; *(uint32_t*)0x20002930 = 0x849; *(uint32_t*)0x20002934 = 0x1000; *(uint32_t*)0x20002938 = 7; *(uint32_t*)0x2000293c = r[8]; *(uint32_t*)0x20002940 = -1; *(uint32_t*)0x20002944 = 5; *(uint32_t*)0x20002948 = 0x1f; *(uint32_t*)0x2000294c = 0; *(uint32_t*)0x20004f70 = 0x20002980; *(uint32_t*)0x20002980 = 0x130; *(uint32_t*)0x20002984 = 0; *(uint64_t*)0x20002988 = 0xa00000000000; *(uint64_t*)0x20002990 = 4; *(uint64_t*)0x20002998 = 1; *(uint32_t*)0x200029a0 = 6; *(uint32_t*)0x200029a4 = 9; memset((void*)0x200029a8, 1, 6); *(uint64_t*)0x200029b0 = 6; *(uint64_t*)0x200029b8 = 1; *(uint32_t*)0x200029c0 = 5; *(uint32_t*)0x200029c4 = 0xfffffffe; memset((void*)0x200029c8, 170, 5); *(uint64_t*)0x200029d0 = 1; *(uint64_t*)0x200029d8 = 0x1ff; *(uint32_t*)0x200029e0 = 3; *(uint32_t*)0x200029e4 = 7; memcpy((void*)0x200029e8, "{#-", 3); *(uint64_t*)0x200029f0 = 5; *(uint64_t*)0x200029f8 = 0; *(uint32_t*)0x20002a00 = 2; *(uint32_t*)0x20002a04 = 0x761; memcpy((void*)0x20002a08, "[#", 2); *(uint64_t*)0x20002a10 = 3; *(uint64_t*)0x20002a18 = 0; *(uint32_t*)0x20002a20 = 2; *(uint32_t*)0x20002a24 = 6; memcpy((void*)0x20002a28, "#]", 2); *(uint64_t*)0x20002a30 = 1; *(uint64_t*)0x20002a38 = 0x714; *(uint32_t*)0x20002a40 = 5; *(uint32_t*)0x20002a44 = 3; memcpy((void*)0x20002a48, "*^\\^b", 5); *(uint64_t*)0x20002a50 = 5; *(uint64_t*)0x20002a58 = 0xeb68; *(uint32_t*)0x20002a60 = 4; *(uint32_t*)0x20002a64 = 0xfffffa80; memcpy((void*)0x20002a68, "--$-", 4); *(uint64_t*)0x20002a70 = 6; *(uint64_t*)0x20002a78 = 0xfffffffffffffeff; 
*(uint32_t*)0x20002a80 = 1; *(uint32_t*)0x20002a84 = 1; memset((void*)0x20002a88, 45, 1); *(uint64_t*)0x20002a90 = 1; *(uint64_t*)0x20002a98 = 8; *(uint32_t*)0x20002aa0 = 3; *(uint32_t*)0x20002aa4 = 0xf2; memcpy((void*)0x20002aa8, "!\\{", 3); *(uint32_t*)0x20004f74 = 0x20004c40; *(uint32_t*)0x20004c40 = 0xb0; *(uint32_t*)0x20004c44 = 0; *(uint64_t*)0x20004c48 = 0xcf; *(uint64_t*)0x20004c50 = 1; *(uint64_t*)0x20004c58 = 1; *(uint64_t*)0x20004c60 = 3; *(uint64_t*)0x20004c68 = 0x100000000; *(uint32_t*)0x20004c70 = 4; *(uint32_t*)0x20004c74 = 0x81; *(uint64_t*)0x20004c78 = 5; *(uint64_t*)0x20004c80 = 0x7f; *(uint64_t*)0x20004c88 = 5; *(uint64_t*)0x20004c90 = 6; *(uint64_t*)0x20004c98 = 0xffff; *(uint64_t*)0x20004ca0 = 3; *(uint32_t*)0x20004ca8 = 0x1f; *(uint32_t*)0x20004cac = 3; *(uint32_t*)0x20004cb0 = 8; *(uint32_t*)0x20004cb4 = 0xc000; *(uint32_t*)0x20004cb8 = 0xf5c8; *(uint32_t*)0x20004cbc = r[10]; *(uint32_t*)0x20004cc0 = r[11]; *(uint32_t*)0x20004cc4 = 2; *(uint32_t*)0x20004cc8 = 9; *(uint32_t*)0x20004ccc = 0; *(uint64_t*)0x20004cd0 = 4; *(uint64_t*)0x20004cd8 = 0x80; *(uint32_t*)0x20004ce0 = 5; *(uint32_t*)0x20004ce4 = 2; memset((void*)0x20004ce8, 170, 5); *(uint32_t*)0x20004f78 = 0x20004e40; *(uint32_t*)0x20004e40 = 0xa0; *(uint32_t*)0x20004e44 = 0; *(uint64_t*)0x20004e48 = 0x400; *(uint64_t*)0x20004e50 = 6; *(uint64_t*)0x20004e58 = 2; *(uint64_t*)0x20004e60 = 0x400; *(uint64_t*)0x20004e68 = 7; *(uint32_t*)0x20004e70 = 4; *(uint32_t*)0x20004e74 = 9; *(uint64_t*)0x20004e78 = 4; *(uint64_t*)0x20004e80 = 0x1000; *(uint64_t*)0x20004e88 = 0xffff; *(uint64_t*)0x20004e90 = 6; *(uint64_t*)0x20004e98 = 1; *(uint64_t*)0x20004ea0 = 0xffff; *(uint32_t*)0x20004ea8 = 0x65f; *(uint32_t*)0x20004eac = 0x647c2b8f; *(uint32_t*)0x20004eb0 = 0x400; *(uint32_t*)0x20004eb4 = 0x8000; *(uint32_t*)0x20004eb8 = 8; *(uint32_t*)0x20004ebc = r[12]; *(uint32_t*)0x20004ec0 = r[13]; *(uint32_t*)0x20004ec4 = 3; *(uint32_t*)0x20004ec8 = 0x6b; *(uint32_t*)0x20004ecc = 0; *(uint64_t*)0x20004ed0 = 
0; *(uint32_t*)0x20004ed8 = 0xd; *(uint32_t*)0x20004edc = 0; *(uint32_t*)0x20004f7c = 0x20004f00; *(uint32_t*)0x20004f00 = 0x20; *(uint32_t*)0x20004f04 = 0; *(uint64_t*)0x20004f08 = 0x800; *(uint32_t*)0x20004f10 = 0; *(uint32_t*)0x20004f14 = 0; *(uint32_t*)0x20004f18 = 0x10001; *(uint32_t*)0x20004f1c = 0; syz_fuse_handle_req(r[5], 0x200003c0, 0x2000, 0x20004f40); break; case 23: memcpy((void*)0x20004f80, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004f80, r[5]); break; case 24: syz_init_net_socket(0x24, 2, 0); break; case 25: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[14] = res; break; case 26: *(uint32_t*)0x20004fc4 = 0x5004; *(uint32_t*)0x20004fc8 = 0; *(uint32_t*)0x20004fcc = 1; *(uint32_t*)0x20004fd0 = 0x1de; *(uint32_t*)0x20004fd8 = r[14]; memset((void*)0x20004fdc, 0, 12); res = -1; res = syz_io_uring_setup(0x343, 0x20004fc0, 0x20ffc000, 0x20ffb000, 0x20005040, 0x20005080); if (res != -1) { r[15] = *(uint64_t*)0x20005040; r[16] = *(uint64_t*)0x20005080; } break; case 27: memcpy((void*)0x200050c0, "/dev/uinput\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 2, 0); if (res != -1) r[17] = res; break; case 28: memcpy((void*)0x20005100, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0x488200, 0); if (res != -1) r[18] = res; break; case 29: *(uint8_t*)0x20005140 = 0x1e; *(uint8_t*)0x20005141 = 3; *(uint16_t*)0x20005142 = 0; *(uint32_t*)0x20005144 = r[14]; *(uint64_t*)0x20005148 = 0x200; *(uint32_t*)0x20005150 = 0; *(uint32_t*)0x20005154 = r[17]; *(uint32_t*)0x20005158 = 6; *(uint32_t*)0x2000515c = 1; *(uint64_t*)0x20005160 = 0; *(uint16_t*)0x20005168 = 0; *(uint16_t*)0x2000516a = 0; *(uint32_t*)0x2000516c = r[18]; memset((void*)0x20005170, 0, 16); syz_io_uring_submit(r[15], r[16], 0x20005140, 0x3dd1); break; case 30: memcpy((void*)0x20005180, "/dev/keychord\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x20005180, 0x171000, 0); if (res != -1) r[19] = res; break; case 31: 
memcpy((void*)0x200051c0, "/dev/ubi_ctrl\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x200051c0, 0x10400, 0); if (res != -1) r[20] = res; break; case 32: *(uint32_t*)0x20005240 = 0; *(uint32_t*)0x20005244 = 0x20005200; memcpy((void*)0x20005200, "\x46\x23\xd8\xa4\xce\x02\x17\xc9\xe5\x95\x55\xc1\x66\x89\x06\x79\xe3\xe0\xc1\x94\x0d\xf5\xb9\xfc\xbf\x91\x64\x9e\xf5\x4d\x80\xf0\xc8\xbc\xc8\x0e\x36\xb5\x57\x4c\x4b\xc9\xf9\x43\x40\x18\x54\xf5\x6a\xa2", 50); *(uint32_t*)0x20005248 = 0x32; *(uint64_t*)0x20005280 = 1; *(uint64_t*)0x20005288 = 0; syz_kvm_setup_cpu(r[19], r[20], 0x20fe8000, 0x20005240, 1, 0, 0x20005280, 1); break; case 33: res = syscall(__NR_mmap, 0x20ffc000, 0x2000, 0x1000000, 0x8000, (intptr_t)r[18], 0); if (res != -1) r[21] = res; break; case 34: *(uint32_t*)0x200052c0 = 1; syz_memcpy_off(r[21], 0x114, 0x200052c0, 0, 4); break; case 35: memcpy((void*)0x20005300, "adfs\000", 5); memcpy((void*)0x20005340, "./file0\000", 8); *(uint32_t*)0x20005540 = 0x20005380; memcpy((void*)0x20005380, "\x87\x35\x19\xf2\x5d\xf0\x82\xb3\x71\xba\x5b\x45\xad\xb5\x70\x9c\x00\x80\x57\x47\xc3\x7f\xe0\x44\x06\x45\x95\xcd\x47\x28\xbf\x89\x80\x30\x2b\x25\xb4\xb0\x83\xb4\x2b\x41\x33\x6e\x13\x0f\x1b\x6f\xf0\xa2\xf1\x72\x49\x8e\x52\x2b\x4f\xe5\x82\x6e\xab\xab\xf5\x3a\x98\x52\xf9\x3e\xbe\xb8\x41\xe1\x64\x5f\x32\x93\x61\x27\x02\x9d\x68\xfe\x73\xec\xed\x89\xc1\xb9\x35\x87\x01\x2a\x47\xc4\x2a\x58\x3d\x69\x75\x59\x2b\x3f\x2c\xdf\x43\x37\xfc\x6d\x5e\x85\xe5\xf5\x83\x5f\xaf\xe0\x95\x93\x5e\xc9\x04\x84\xe9\x08\x1a\xa8\xd2\x24\x98\x43\x13\x01\xba\xad\x4a\x34\x36\x8c\x26\xc6\x4d\x85\x32\x6c\x7e\x00\x68\x21\x78\xf8\xd1\x3e\x6a\x89\x69\xf1\x5b\x9d\x5d\xbc\xfe\xc2\xc0\xe6\x96\x80\xc3\x92\x8c\xa0\x15\xb9\x2e\x25\xf5\x07\x8d\xe3\x54\xfe\x32\xcc\x71\x21\x60\x9a\x07\x62\xe1\xb7\x3e\xfd\x89\x67\xa2\xfe\x23\x5e\x4d\x1e\xf9\xe5\xac\x88\xbc\x1e\xd7\x06\xa9\x84\x64\x1b\x06\x47\x0b\x22\x94\xd0\x45\xce\x7e\xba\x51\xc0\x72\x89\x38\xa2\xc6\xee\xb6\xd8\x57\x44\x29\xcc\x24\xbc\xb2\xa7\x84", 241); 
*(uint32_t*)0x20005544 = 0xf1; *(uint32_t*)0x20005548 = 0x40; *(uint32_t*)0x2000554c = 0x20005480; memcpy((void*)0x20005480, "\x62\x93\x5b\xfe\x26\xe9\xc9\xf2\xdc\x3c\x3e\x9d\xfb\x49\x18\x58\xef\xb5\x98\x36\x9b\xcc\xa5\x19\x23\x98\x9b\xa9\x43\xcf\x44\x7b\xaf\x56\x62\x5d\xf0\xf6\x85\xed\x2d\x03\x4b\x37\xc0\x75\x63\xf6\x68\x72\x8f\x6d\xc6\x83\x36\x09\xb1\x22\x19\x70\xe5\x50\x88\x86\x9d\x29\xc0\x1b\x2d\xd0\x5c\x48\x20\xb0\x80\x42\xb5\x07\x40\x08\xc9\x75\x77\x12\xc4\x80\xe2\x5d\x89\xb9\xc4\x8e\x95\x7e\x5b\x5c\x7b\x0b\xec\xcf\xb1\xfc\xcc\xed\xbc\xed\xc8\x38\x06\x03\x80\x75\xfc\x2a\x0f\x82\x28\xbe\xb4\x7f\x1f\xec\xe0\x9b\xdd\xcb\xbe\x00\x21\xab\xe9\xc3\xd1\x98\x36\x9b\x81\xb6\x7d\xbd\x6a\x7d\x33\x4b\x8d\x28\xb8\x02\xcc\x97\xd9\x34\xc1\x64\xe9\x7d\x9d\x7b\x70\xdc\x6c", 161); *(uint32_t*)0x20005550 = 0xa1; *(uint32_t*)0x20005554 = 0x1ff; memset((void*)0x20005580, 170, 5); *(uint8_t*)0x20005585 = 0x2c; *(uint8_t*)0x20005586 = 0x2c; memcpy((void*)0x20005587, ":&-]!", 5); *(uint8_t*)0x2000558c = 0x2c; memset((void*)0x2000558d, 125, 1); *(uint8_t*)0x2000558e = 0x2c; memcpy((void*)0x2000558f, ",-V", 3); *(uint8_t*)0x20005592 = 0x2c; memcpy((void*)0x20005593, "\\*})", 4); *(uint8_t*)0x20005597 = 0x2c; memcpy((void*)0x20005598, "*^\\^b", 5); *(uint8_t*)0x2000559d = 0x2c; memcpy((void*)0x2000559e, "appraise", 8); *(uint8_t*)0x200055a6 = 0x2c; memcpy((void*)0x200055a7, "fowner<", 7); sprintf((char*)0x200055ae, "%020llu", (long long)r[8]); *(uint8_t*)0x200055c2 = 0x2c; memcpy((void*)0x200055c3, "smackfshat", 10); *(uint8_t*)0x200055cd = 0x3d; memset((void*)0x200055ce, 170, 5); *(uint8_t*)0x200055d3 = 0x2c; memcpy((void*)0x200055d4, "obj_type", 8); *(uint8_t*)0x200055dc = 0x3d; memset((void*)0x200055dd, 170, 5); *(uint8_t*)0x200055e2 = 0x2c; memcpy((void*)0x200055e3, "dont_appraise", 13); *(uint8_t*)0x200055f0 = 0x2c; memcpy((void*)0x200055f1, "dont_measure", 12); *(uint8_t*)0x200055fd = 0x2c; memcpy((void*)0x200055fe, "fowner<", 7); sprintf((char*)0x20005605, "%020llu", (long 
long)r[9]); *(uint8_t*)0x20005619 = 0x2c; memcpy((void*)0x2000561a, "dont_appraise", 13); *(uint8_t*)0x20005627 = 0x2c; *(uint8_t*)0x20005628 = 0; syz_mount_image(0x20005300, 0x20005340, 0xfd, 2, 0x20005540, 0x8800, 0x20005580); break; case 36: memcpy((void*)0x20005640, "/dev/i2c-#\000", 11); syz_open_dev(0x20005640, 0x40, 0x300); break; case 37: memcpy((void*)0x20005680, "net/if_inet6\000", 13); syz_open_procfs(r[6], 0x20005680); break; case 38: syz_open_pts(r[19], 0x800); break; case 39: *(uint32_t*)0x20006c40 = 0x200056c0; memcpy((void*)0x200056c0, "\x46\x41\x06\x38\xb7\xa1\x28\xc1\x5c\x6c\xb2\x7d\x23\x35\x80\x6d\xa8\x7c\x0d\x49\x15\x42\x44\x52\xcf\x0b\xa9\xee\xe0\xa5\xd4\x9d\x63\x4f\x09\x0d\xf2\x6f\x35\xbb\x04\x33\xc1\x3a\x27\x0d\xcb\x44\xcf\xe9\xba\x62\xb5\xba\x38\xd4\xae\x3c\x65\xea\xd2\x72\x7f\x1d\x2a\x5f\x02\xda\xa2\x70\xce\xa6\xf4\xf6\x09\x02\xe2\xed\xa6\x54\xb1\x6e\xc6\x63\x5a\x1c\x6c\xd1\x5d\x6b\xd6\x34\x32\x14\xb8\x34\x22\xd1\xa1\x9b\x5d\xae\x43\x9b\x9f\xbc\x3d\xb5\xc2\x18\xd4\xb0\x8a\xcf\xc9\xfc\xdb\xe5\xd4\xe6\xa5\x12\x7a\xda\xdc\xe6\x10\xd8\x15\xe8\xc6\xd8\xad\xc7\x86\x89\xea\xae\x29\xd8\x1a\x20\x04\x0a\xee\xef\x4e\xe5\x5d\x77\x01\xea\x72\x5e\x91\xb7\x4f\x5b\x37\x81\x4b\xee\xd1\x18\x54\x99\x79\xc8\xa4\x0d\x0b\x29\x09\x77\xad\xa4\xd6\x58\x74\xc7\xdc\xca\x03\x0a\x9a\x15\x50\x9b\xc2\x7e\x6e\x87\xd5\x26\x91\x24\x37\xb8\x69\x04\xf7\x42\xc9\xc1\x3c\x1e\x00\xbc\x5e\x3e\x94\x3c\x14\x30\xd1\xcc\x01\x8f\x5a\x4d\xec\xf2\x46\x02\xdb\x5b\xf2\x28\x6e\x64\xce\x75\x1d\x8d\xf1\x6f\x28\x09\x34\xfb\x08\xb6\x19\xb2\xb5\xe9\x31\x19\x5a\xd2\xf7\xc8\x7a\xe9\x56\xc6\x4a\x2f\xda\xc4\xfd\x79\x16\x11\xac\xc2\xa8\x65\xd9\x94\xea\x90\xed\x15\x85\x81\xe8\x0d\x03\x86\xb1\x53\xf1\x9f\xab\x27\x81\xb7\x2d\x1d\xe0\x03\xb1\x87\xd2\xb1\x19\x53\x42\xb3\xa0\x03\xbf\x44\x83\xb4\xd8\x90\xab\x1b\x2f\x51\xe8\xd5\x8f\x0a\x5a\xd7\x8e\x0d\xf9\xd6\x29\xc2\x2c\x2a\x32\x4a\x98\x2e\x1f\xc2\x73\x8c\x36\x0d\xb3\xa8\xba\x5e\x55\xae\x5c\x9d\x58\xf1\xc2\xf6\xbe\xd0\xb6\xde\x5b\xb4\xee\x3b\x5f\x84\x2c\xee\
xf9\x1b\x20\x56\x54\x1f\xf5\x53\x12\xee\x90\xa2\xbd\x09\x97\x06\x6c\x37\xf3\xd8\x37\x78\x95\x92\x1b\x08\x02\x15\x89\x04\x9e\xd7\xb2\x3c\xeb\xaf\x9b\x41\xd0\x8e\x75\x90\x58\xa3\x45\x2c\xb9\xdf\x2a\xee\x1d\x2b\x90\xe5\x10\xba\x9b\xc9\x48\x40\x0a\x69\xaa\x13\x83\x3d\x1b\x4c\x44\x44\x51\x29\xe0\xaf\x50\x12\xfd\x6a\x53\x41\x81\xfb\x20\x42\x68\x26\xa4\xb3\x69\x4e\x4a\x51\x81\x19\x9d\xf1\xed\x31\xde\x36\xf2\xed\x49\x21\x18\x22\xad\x91\x5d\x3b\x71\xac\xae\xcf\xf3\xc8\x4d\x4e\x3b\xb1\x9f\xba\x32\x19\xe2\x61\x45\x73\x5f\xf7\x1d\xce\xee\xee\x7a\xa2\x47\x53\x9a\xd2\x73\x11\x13\xd3\xf3\x64\x42\x6b\xe9\x00\x6e\x6b\x0e\x35\x8b\x81\xd4\x07\x45\x49\xe0\x8e\xf2\x76\x13\xa3\x71\x5e\x5e\x89\xba\x0a\x71\xe3\x99\x52\x31\xe9\x9a\xac\x5e\x4e\xe7\x07\x8f\x59\xe3\xe7\xd4\xfa\xbe\xd2\x6e\x75\x07\x41\x1f\xbe\x4b\x03\x53\x10\x62\x78\xac\x69\xf3\xb9\x1e\xc6\x9f\xa5\x42\xeb\x7c\x96\x43\x94\x06\x2f\x65\xc6\x50\x19\x7f\xbe\x73\x3c\x22\x83\x26\x73\xd0\x66\xe4\xed\x40\x07\x3b\x28\x4e\xe4\xe5\x1b\x12\x59\x36\x7d\x4e\xb9\xe1\x72\x00\x7e\x6f\xb8\x0a\x0a\x6f\xe6\x2b\x3f\x3d\x5e\x5b\x68\xfe\x04\x7e\xa4\xd6\xfb\xfa\xa3\x0a\x00\xfc\x29\xbc\x58\xa3\x1c\xfb\x82\x12\xf2\xc4\x9c\x3a\x2e\x71\x1a\xe5\x02\xbd\x64\x7b\xd5\x6b\xb7\xcf\xc1\xd8\x4d\x14\x18\x27\xbe\x21\x1b\x5f\xfb\xed\x78\x6b\xfa\x13\x13\xd2\xae\xd5\x34\xf0\x00\x19\x36\x3a\xc1\x29\x61\x2c\xa2\x5c\x76\x3b\x07\x7f\x5a\x72\x4d\x61\xfc\x79\x74\xfa\x82\x4b\xad\xc1\x40\x06\xf2\xfe\xbf\xb1\xe3\x5a\x3d\xd7\x2e\x82\x33\x4a\x26\x37\x56\xff\x42\x04\x68\x0c\xba\x1c\x03\xc5\x5e\x09\xdf\xfb\x5a\x58\xe4\xc5\x5b\x5b\xd7\xa7\x0e\xe8\x52\x59\x29\xa0\xee\x9f\x90\x91\xe3\x4b\xb8\xd2\xf0\xaf\x6d\x2a\x26\x70\xc5\x91\x18\x6b\xee\x6c\xed\xda\xb8\xe1\xfe\x8d\x4b\xe3\x97\xa5\x45\xc4\x83\xfd\x68\x4c\xd8\x12\xdf\x5e\x31\x2a\xb5\xf4\x81\x2b\x47\x84\xef\xae\xf1\xc3\xdb\xe7\x90\x94\xfb\xab\xd6\xca\x5f\x0a\x45\x46\x23\x96\xf8\x18\xa5\xc7\xbf\x61\xc8\xc3\xf4\x33\x66\xc1\x26\x5f\x46\x38\xd1\xdc\x7b\xde\x11\x46\x10\x35\xc7\xaf\x77\xe6\x84\x4c\x5d\x47\xbc\x18\x97\xdf\xab\xec\x76\x87\xed\
x25\x79\x4a\x71\xa3\xaa\x2b\xe1\x66\x57\x19\xe7\xea\xf6\x49\xbf\xaf\xfc\xea\x24\x92\xd4\x3b\xca\x7f\x03\x04\x21\x0c\xfc\xa9\x1a\x0d\xad\xf6\x6b\x7c\x3c\x6b\xaf\x8c\x50\x55\xef\x4f\x3c\x56\xaa\x03\xbb\x6e\x40\x0d\x7c\xac\xa6\x9e\x42\x43\xac\x71\xc9\x39\xcc\xf2\x73\x10\xb7\x3b\xa5\x98\x97\xe2\x02\x0c\x71\x7c\x33\xdb\x9a\x4a\x58\x29\x12\xa3\xa8\xd7\xc0\xa8\x70\xb1\x2a\x9f\x98\x2a\xaf\xd0\xcf\x15\x95\x75\x18\x9d\x8c\x26\x88\x64\x34\x22\x9f\xb0\xc7\x6c\x56\x50\x8b\x63\x8a\x25\x09\xb6\x58\x47\x72\x2a\xf1\x97\xe9\x5c\xf0\xcf\xf2\x36\x84\x48\xd4\x2a\xd6\x2d\xb2\x7f\xf0\x17\xa7\xfb\xed\x92\x3b\xef\x62\x83\x40\x87\x12\xc3\xf0\x4a\x79\x03\x38\xf4\xf8\x0c\xf4\xf3\xe9\x2f\xaa\xfa\x3b\xf6\xcf\xf5\xed\x3c\xf3\xb1\x7b\x50\x50\x75\xe1\x2b\x69\x58\xbf\x2e\x5c\xb4\x02\x41\xf6\x72\x87\x4a\x0f\x94\x0f\xd5\x7e\x82\xe9\xca\xff\x11\x3d\x67\x1d\xa2\x3d\xa3\x43\x6a\x31\x80\x0c\x2d\x34\x87\x96\x5f\x87\xc3\xf8\x25\x06\x10\xaa\xff\x78\x3d\x78\x59\x5e\x19\x26\xb7\x7e\x97\xb2\xe3\xad\x09\x08\x7a\xf9\x19\xac\xe3\xf0\x4f\xd2\x75\x88\x7b\x1f\xc8\x1e\xe2\xf5\xba\xd8\xde\x1c\xc3\x5e\xe0\xc0\x3a\xde\xed\x9a\x91\x97\xd7\xa8\xfa\x5d\xb5\x9d\xc5\x00\xa9\x4b\xd1\x84\xa2\xa8\x0d\x97\x04\x79\x7e\x76\xbc\x0f\xc4\x3e\xd5\x72\x96\x14\x3d\xc9\xd8\x58\xb1\x4a\x7b\xdf\xb4\x18\x19\x7f\x09\x74\xb6\xee\xe2\x99\x95\x80\x51\xb1\xd4\x14\xab\x12\x6c\xef\x5b\xc3\x6a\xe4\x05\x5c\x4f\x19\xe7\xe0\x1d\x20\x92\xd9\x9f\x1d\x2a\x5a\x56\x61\x4f\xed\xf4\x81\xd5\x78\xcb\x85\x1a\xd7\x3e\x18\x29\xbc\x35\x0f\x7e\x56\xee\x0d\x2e\x71\xfe\x73\x1c\x1b\x30\xfd\x84\x5f\xd8\x2c\xa0\xac\xf0\x29\xaf\xf4\xa7\x5e\x0d\x38\xfb\x7a\xf5\x82\xa1\x9c\x0c\x7d\xeb\x19\x54\x4b\xc7\xa1\x3c\x18\x96\x03\x24\x41\xcb\xa6\xae\x39\xc3\x5a\xe8\x80\xb4\x5a\x5c\x97\x54\x5a\xc0\x99\x24\x3a\x79\x1c\x6f\x2e\xb9\x35\x56\x20\x8b\x8b\x20\x35\x42\x75\x2a\x67\x3b\x9d\xf0\x2b\xf0\x4a\xd3\xc1\x8e\xec\xaa\x5e\xb2\x2d\x1b\x65\xe5\x9c\x34\x49\xb5\xcc\x42\xdf\x35\x0d\xd4\x82\x2b\xcf\x67\x1d\xf7\x84\x20\x68\x9c\xac\x22\x65\x8c\xd9\xf0\xf3\x90\xe2\x6e\x07\x96\xac\x4b\x7f\x30\xb1\
x98\x9f\x09\xcf\x5b\xa5\x16\xeb\x16\x67\xec\xc1\xd8\x53\x73\x9a\x20\xe5\xe7\x85\x99\xbd\xa8\x30\xd0\x02\xd4\x5e\xb6\x6d\x63\xa7\x78\xb8\x41\x2a\xf5\xd6\x3e\x3e\xf2\x64\x94\xe2\x1b\xbc\xde\x5b\x97\xa9\x4f\x79\x78\xac\x90\x3d\x46\x7c\x5b\x6d\x07\x17\xdc\x4a\x9d\x14\x6e\xd4\xb5\x8b\xfe\x37\x3a\x59\x08\x70\x2f\x99\x7f\x10\x90\xb4\xb1\x90\x93\xf8\x90\x50\x85\xec\xb6\x91\x10\x7b\x05\x9e\x0e\x1c\xd0\xc4\xa9\x4c\x9a\x47\x3a\xf2\xd1\x2b\xd5\x99\x8a\x8b\x8b\x48\x02\xf9\x31\xb9\x05\x15\x51\x9f\x20\xfe\xea\xde\xa5\x68\x4c\x06\x4f\x9a\xdb\x42\x39\x35\xb8\xde\x29\x8b\x03\xe5\x79\xab\xad\x6a\x23\xa8\x6c\x86\xed\xd3\x9c\x2e\xd6\xa4\x68\x5e\x69\xbc\x71\x54\x05\xab\x7a\x3f\x27\x66\x4b\xdb\x68\xfe\xf1\xfc\xd0\x90\xf0\x60\x38\x1f\x1a\xa3\x74\xa0\x74\xa6\x40\xf9\x91\xec\x6d\x8b\x28\x8b\x1b\x05\x07\x06\x85\x60\x31\x4f\xe9\x4a\xeb\x85\xc4\x2f\x4d\xf3\xad\xb2\x14\x85\x69\x65\x15\xda\x2f\xa7\xf4\x41\xb7\x53\xd5\xf8\xca\x45\x45\xf2\xd1\xdc\x1e\xb3\x4e\x41\x8c\x04\x3b\xeb\x51\x8b\xb3\x5f\xe3\x02\x35\xaa\xbf\x7e\xc5\xf3\x71\xb3\xa4\x8c\x0e\xa6\xa6\x13\xeb\xb4\xe4\xda\x5b\x71\x40\x8a\xa5\x57\x74\x23\x9a\xc7\x49\x03\x0a\x52\x74\x0c\xd8\x53\x5b\x9e\x3d\x28\xa4\xe8\x7b\x4c\x4f\x40\x44\xc8\x19\x5c\x32\x11\xf9\x47\xe5\x00\x7d\xf7\xb6\x4e\x37\xc4\x14\xbf\xd5\x4f\x7b\x59\x82\x37\x20\xbe\x00\x49\x8c\x18\xb5\x7d\xad\x00\x43\xf0\xc5\x0a\x75\x81\x74\x18\xc1\xdb\xc3\xdb\x8d\xc7\x33\xce\xb2\xb5\xb6\xd2\x0b\xec\x1e\x38\xa2\xf9\x09\xaa\x61\x94\x80\xe2\xca\x05\xd9\x00\x0b\x7e\xaf\xf3\x70\xc0\x77\xed\x38\x94\x22\x89\x0d\xd4\x26\x27\x8c\x63\xc2\xac\x42\x85\xe8\x40\xe6\xc7\xf9\xda\x04\xd6\x9a\xf4\x48\x2d\x96\xee\x58\x24\xde\x09\x16\x14\xd8\xb1\xb4\xcf\x49\xf5\xa7\x01\xe4\xb4\x2f\xf5\x8a\x62\x82\x3c\x27\x76\xfb\xa4\xc2\x7e\xc8\x6c\x24\xba\x10\x3e\xd0\x1c\x66\x72\x9a\xd6\x02\x92\x4a\x51\x37\xb7\x18\xd8\xdd\xee\xb0\x83\x39\xd8\x3c\x45\xfe\xca\x01\xc3\x93\x35\x7a\x67\x64\x38\x11\x43\x63\x59\x1d\x31\xc2\xba\x6f\xaf\xa5\xd8\x57\x1a\xf7\xc3\xa3\x69\x0f\xde\xb0\x99\xe4\x41\x92\xb5\x87\x1f\xd0\xa3\x36\x5f\xb2\xe2\x30\xc6\
xc0\x3a\x74\x73\x78\x2b\x30\x3a\x5b\xe1\x4f\x03\x8d\x8e\xa3\x4a\x63\x08\x43\x00\x51\x6e\xb7\x88\x4e\x59\x33\x58\xe6\x6b\x3d\xfb\x6d\xac\x4d\x08\x15\xd5\x8d\xaf\xb8\x5e\x8c\xca\x44\x26\x53\x6a\x38\x4d\xc8\x9f\x74\x13\xf1\x4c\xc9\x2e\x73\x77\xa9\x09\x38\xf9\x9e\xf7\xf5\x35\xc2\x18\xae\x2e\x90\x9a\xcd\xbf\xd7\xeb\x5b\x0b\x47\x40\x8e\x3d\x6d\x73\xdd\xa3\x9f\xbd\x6b\x23\xaf\x18\xf1\xa6\x70\x3e\xe3\xb1\xf7\x5b\xb7\xc0\x00\xa4\xca\x5a\x7b\xcc\xaa\xe8\x6c\x4a\xba\xc8\x1d\xa2\x93\xe4\x3f\x91\xd2\xc3\xdf\xf1\x2f\xfa\x52\x29\x13\x9a\x08\xae\x5f\xc2\xec\x13\x9b\xe9\x78\xb8\x18\x2d\x6a\x60\xc7\xff\x39\xbb\x0a\xa8\x20\xa1\x07\xd9\x2e\x38\xb9\x5e\x74\x8a\x18\x4b\x53\xf5\x62\x4f\x45\x72\x39\xf6\x38\x4d\xdd\xcb\x9f\xd7\xe8\xef\x29\x52\x65\xd7\x9b\x64\xc5\xc0\xa9\x3b\xf2\x16\x35\xb8\xc6\x80\x90\x78\x10\xd8\xe7\x2a\x58\x1e\x5a\xa0\xe0\x0f\xbf\x35\x1e\x3c\x84\x1c\x7d\x0c\x51\xa2\x63\x68\x37\xb2\x7c\x6a\x91\x42\x5b\x50\x6a\x22\xc2\x7d\x14\x20\xd0\xb1\x3e\x60\xde\x3e\x9c\x56\x66\x7a\x98\x98\x3b\xa9\xbd\xd1\xc5\xa5\x2d\xc6\x12\x7b\x65\x9e\x6d\x80\x70\x69\x59\xf0\x7d\x3a\x5f\xa8\xb3\xb8\x8e\xab\x05\xe7\xa0\xc0\x4e\xe1\x2a\x21\x37\x2c\x71\x3f\x64\xc6\xad\xbe\xed\xd7\xa8\xb7\xa6\x92\x67\x49\x75\xbb\xe5\x5c\xe4\x02\x71\x44\x02\xf2\x0c\x7f\x57\xff\x1f\x79\x35\x7d\x8e\xda\xbe\xf1\xd8\x68\xf0\xa2\xb3\xdd\x7a\xa3\xbb\xe5\x8e\x80\x81\x49\x70\x73\x4f\x7d\xec\x70\xd3\x14\xe8\x11\x59\x3a\x32\xcc\x86\x1f\x4a\x8a\x4b\x3f\x0d\x7c\xeb\x4e\xbb\x32\x66\x4f\x56\x44\x49\x7a\xc9\x56\x2c\xdd\x5a\x54\x19\x3f\x22\x38\xe6\x5c\x18\x74\xc8\x64\x21\xc5\xcf\xb4\x3a\xe1\x56\x93\x1c\x78\x40\xd1\x0d\xe4\x7a\x4d\x0f\x2f\x31\x74\xc3\x6c\x86\x45\xac\x02\xf5\x44\xc3\x69\x0b\x51\x37\xaf\x7d\x2c\xed\x3f\xb0\x43\x59\xbb\xf2\x2b\x67\x20\xea\x94\xf2\xe3\xb5\x67\x5f\xb7\x7a\xde\x56\xc9\x77\xd6\x68\x06\x4e\xfd\xd1\xc6\x15\x11\x9a\x52\x8c\x9e\xc1\x35\x3e\x84\x10\x3e\x5d\xce\x6a\x0b\xd0\x73\xf9\xff\xbe\xa0\x81\x9c\xf6\xc0\xcc\x58\xea\xd0\x0c\x92\x34\x02\x98\xcc\x09\x45\x64\x11\x7f\x3f\xb8\x94\x27\x4c\xa9\x1d\x79\x76\x45\x96\x19\xf5\
x44\xb2\x50\x58\x6c\x6d\x44\xaf\xba\x55\x74\xb7\xef\x51\x26\xb0\x70\x40\x9a\x1f\x5e\xed\xc6\x50\x07\xb0\x03\x39\xf1\x60\x42\x2f\xff\x38\xd6\x7e\xaa\x8d\x78\x2f\xc4\x19\x2a\x29\x81\x08\x79\xeb\x12\x85\x99\x42\xfa\x14\x1a\x21\xc3\x9d\x9e\xea\x03\xeb\xa1\xaa\x7b\x3a\xc7\xe2\xb1\xda\xf4\xf6\x9f\x47\x5b\x8e\x75\xc5\xac\x7c\x2e\xfd\xd7\x77\x93\x2d\x40\x31\x43\xcd\xd0\x89\x02\xd5\xe3\x45\x93\x01\xc2\x8c\x88\xc4\xdf\x34\x2c\xa1\x39\x10\xb7\x60\xe3\x4c\x40\x19\x4b\xb5\x1b\x82\xcf\x14\xad\xee\xd5\xae\x47\x51\x7d\x3c\xbc\x73\xbb\xb5\xa8\x89\x9c\x30\xe6\x06\x51\x99\x89\xa8\x5d\x2e\x15\xb0\xe8\x9e\xbb\xa4\x3f\x0c\x8a\x75\x2f\x07\x01\x03\x80\xca\xa7\x0d\xc4\x09\xff\x80\x5c\x24\x57\x48\x29\xd0\x6b\xb9\xa1\x49\x5d\x5a\x30\x85\xdf\x90\x29\xe2\x3d\x92\xbb\xc4\x6d\x7c\x7c\x1d\xb7\x36\x5e\x92\xe8\xd2\x44\x9a\xad\xe3\x89\x26\xa6\x43\x68\x72\x3a\x0e\x8a\x77\x7b\x32\x61\xc9\xc9\x7b\xae\x82\x5b\x55\x1b\xa9\x40\x55\x1a\x7e\x15\xe3\x01\x3d\xc0\x9a\x05\x22\x9d\x0c\x9a\xc6\x4e\xe1\x5e\xe3\xd4\x67\x42\x62\x89\x24\xc0\x9e\x63\x60\xcc\x43\x00\x6f\xb9\xa0\xe1\xc0\x6e\x55\x84\x63\x7c\xee\x00\x5e\xe2\x6c\xeb\xa7\x02\x95\xcb\xa5\x63\x7d\xfc\x98\x21\x14\x8e\xd7\x41\x50\x03\xd5\x18\x36\x84\x23\xae\x70\x8c\xfa\xc6\x38\xf2\xb8\xe1\xd3\xa7\x10\x11\xbd\xa8\x03\xac\xd2\xcf\xa4\x29\xea\x5f\xa0\x45\xfe\x07\x8f\x91\xeb\xe4\x5e\x7d\x51\xd4\x3f\x08\x30\x2d\x5f\x3b\x0c\xcc\x3e\xb7\xdc\x03\x81\x8b\x33\x56\x7e\x86\xf8\xe5\xdc\x40\x45\x15\x69\xa7\x95\x48\x58\xd2\x6d\xf8\x55\x49\x35\x27\x6f\x56\x54\xaf\xec\xf2\x40\xc7\xe8\x6c\x92\xec\xba\x4d\x3f\xf7\x58\x21\x31\x2d\x6a\x3b\x82\xe1\x8c\xc2\x34\xda\x5b\xac\xc2\x86\xef\x09\x24\xce\x23\xbd\x30\x70\x8d\xe5\x81\x32\x57\x4b\x54\x8c\x96\x28\xb5\x2d\x34\x29\x1d\x1c\x4a\x7f\xfd\xfe\x63\xde\x1f\xa9\xb5\xe0\xfa\x6e\x62\xf3\x52\x8a\x80\xc9\xcc\x97\xa7\xc5\x15\x40\x3f\xce\x89\x5a\xb7\x95\x63\x52\x66\xaf\x74\x6d\x89\xd2\xc9\x40\x58\xca\x38\x50\x1d\x86\xb4\xd6\x32\x4d\x0d\xf0\xd9\xc1\xe4\x7b\xbf\x83\x8b\xaa\x20\x6a\xa2\xec\x43\x97\x82\x8e\x99\x2f\xe9\x63\xb2\xe8\x37\x22\x80\x26\x27\
x62\x90\x30\x10\x6c\xf2\x0e\xc9\x8e\x24\x51\x47\xc9\x44\x26\x21\x4d\xdf\xb9\x79\x12\x06\x51\xad\xde\x14\xa4\x25\xfe\xf2\x9a\x20\xc0\xcc\x54\x60\x39\x3a\xcb\xdb\xa5\x7b\x3c\x38\x36\x62\x7e\x6a\x9c\x19\xa2\x34\x43\x12\xa9\xbc\x66\x1b\x76\x02\x85\x41\x5a\x28\x74\xe2\xf2\x18\x7b\x5c\x6d\xbf\x38\xb0\x59\x63\x6f\x9e\xd1\xde\x16\x92\xd3\xb8\x65\x04\xa7\xc1\xb6\x68\xe5\xaa\x0f\x87\xcf\x49\x7f\x0c\xab\x26\x6e\x4d\xb6\x4e\xc6\x46\x55\x80\xbe\x1d\x97\x24\x49\x47\x30\x46\x88\xcb\x35\x76\x49\x0b\x8d\xb0\x86\xb0\x89\x05\x82\x0e\xa9\xd9\x1d\xfc\x8f\x3b\x96\x6a\x9e\x56\x8d\x85\x6a\x9c\xce\x3f\x17\x31\xac\x16\xe4\xcf\x48\x71\x43\x34\xb6\xc7\xac\x35\x97\xfc\xae\x85\xd1\x79\x46\xb0\xae\x28\x99\x84\x5e\x96\x06\x6e\x0a\x64\x83\x85\xc9\x8e\xe5\xc1\x19\x39\x13\x56\xb2\x04\xac\xbd\x4a\x5c\x7c\xc2\xcb\xce\xec\xe0\xf5\x8d\xfb\x73\xfc\x30\xef\x7c\x17\x69\xb4\xf5\x6e\xd1\xb7\x7d\x76\x24\x8b\x0e\xa2\xa6\x6d\xb0\xe5\x21\x7b\x5d\x62\x42\x37\x19\x1a\xbe\x94\x86\xac\x0b\xd3\x2e\x3e\x73\x62\x33\x14\x41\x73\x4a\x8d\xd9\xed\x98\x3b\x92\xbf\x26\x47\x2c\x50\x21\xf8\xbe\xa1\x31\xec\xe4\x7c\x8f\x45\xe6\x8a\x25\xa8\xbe\xb4\x88\x58\x95\xc2\x79\x82\x30\x6d\xaf\xa1\xfa\xc9\x05\xb2\x76\xc2\xf6\x0c\xcd\xca\xbe\x2a\x5b\x32\x5b\x5c\x5d\x84\x82\xf3\x05\x66\x02\x44\xc3\x61\x71\x1f\x0e\xed\x77\x46\xc0\xda\xf9\x9d\xfd\xe3\x6c\xaf\xf2\x94\x05\x11\x82\xc5\xb6\x58\x9f\xc0\x70\x0b\x75\x1f\xb2\xb3\x80\x7f\x0b\xcb\xd2\x77\xa8\x44\xce\x82\xa5\x45\x58\xf5\x5c\xdd\x25\xa3\x0b\x22\x83\xab\xe5\x19\xc8\x27\xb1\x0a\xed\x61\x2f\x8a\xea\x3c\xb7\xac\xa8\xb3\x40\x28\xc0\xb3\x63\xc9\xac\xc5\x2d\xde\xa9\xe0\xc3\x4e\x8a\x5c\x90\x86\x9f\xe6\x0d\x28\x30\x7e\x35\xd3\xe4\x35\x82\xf3\x77\x3d\x46\x66\x9e\x43\x13\xa0\x7b\x12\xe7\xd6\xd5\x01\x43\x6f\x8e\x6f\x4b\xc3\x47\xb2\x91\x94\x14\x4d\x82\xc5\xda\xa9\x73\x0f\xea\x34\x66\xc3\x16\x72\x09\xf0\x96\x97\xda\x03\x4f\x86\xca\x9e\x5a\x7e\x28\xc0\x59\x99\xf4\x16\x1d\xca\x75\x18\x14\x04\x13\x50\x4b\xe2\xaa\x60\xef\x71\xb6\x64\x84\xfc\xa1\xb0\xbb\x11\xaf\xd5\x97\x55\xb9\x78\xdd\x29\x4e\x3d\xa8\x56\x55\
xb9\x0f\x05\xbe\x08\x23\xe2\x62\xaa\x69\x3c\x43\xbc\x23\xf4\x94\x8a\x60\x96\xff\xe1\xb5\x8e\x1b\xcd\x65\xb0\xdb\x70\xc6\x2a\x4f\x85\xd7\xdd\x4b\xe6\xcd\xdf\xea\xf1\x38\x38\x14\xa6\x72\x8b\x4c\x30\x1e\xab\x03\xb9\x50\xba\xc8\x67\x37\x5d\x1b\x6c\x61\xeb\x2f\x7f\xde\x96\x0b\x16\xf5\x94\x83\x79\xe2\x11\x5a\xb5\x40\x13\x56\xdb\x05\xa7\xdc\x30\xa2\x99\x98\x97\xb1\x63\xc7\x3d\x34\x80\x71\x06\xdf\xdc\xf7\xb7\xf9\xb9\xe7\x37\x7f\xc7\x22\x00\x3c\x86\x8c\xa5\xc1\x4a\x0e\x2f\x1d\x19\x40\xec\x6a\xef\xcf\x85\xfe\xd2\x07\x62\x2e\xd3\x81\x20\xc6\xa8\xaa\xd7\xb4\xe9\xe8\x7d\x5e\x4e\x9a\x6a\x55\xc6\xe1\x32\xe9\xe1\xe9\xa3\xa6\x2b\x4f\x7c\x6c\xe0\x09\x3f\x88\x65\x47\xdf\xc4\x8d\xe1\xd2\xe0\xc8\x5b\xf0\x1b\x49\xf9\x92\x41\xa3\x6d\x32\x4c\xdb\xad\xe5\x37\x7d\x5a\xa5\x73\x33\x77\xec\x7e\x97\xb7\xac\x54\x38\x7f\xd2\x93\x91\x31\x9d\x3f\x3b\xbc\xd0\x7b\x28\x70\xb9\x64\x6b\xf2\x83\x5b\x3a\xbb\x51\x21\xdc\x20\xa6\x38\xc6\xd0\xd6\x2b\x0a\x05\xd9\x4a\x5f\x1c\x03\xbf\xf6\xe8\x71\xa8\x4f\x9a\x7d\xef\xa1\x6f\x30\xcb\x8b\x3f\xf5\x7c\xb5\xa9\xb8\x95\x8b\x59\x21\x19\xcb\x0c\x80\x25\x13\xc1\x4a\xec\x2d\x27\xcf\xff\xbf\xb4\xe6\xa2\xa8\x40\xf8\xb0\xd7\x46\xa8\x3f\xa8\xbd\x22\x70\x21\xb0\x38\xf5\x0c\x41\x1f\x79\x22\xfb\x38\xec\x89\xf5\x1d\x71\xb7\xd3\xd9\xe2\x41\xdb\x1b\xe1\xb4\x50\x7e\x5b\x68\xfa\x1e\xe8\x9c\x21\x27\x44\x5e\x5d\x6e\xd4\xe7\x43\x3d\xe7\xbf\x4d\x72\xb7\xf7\xb1\xc9\xaa\x7c\x40\x8e\x4c\x10\x50\xce\x17\x74\x27\x98\x4f\x50\x35\xb5\x1e\x3a\xd5\x2b\x56\xd8\xaa\xf3\x8e\x56\x79\x30\xa7\x11\xc8\xdc\x34\x88\xff\xcd\xc1\xa5\x6f\xe1\xb4\xc5\xdf\x22\x67\x3b\xcc\x3e\x9c\xcd\xbb\x3a\xb6\x70\xa2\x45\x47\xf5\xde\xd4\x2d\xec\xfd\xdd\x52\x21\x04\x07\x5c\x37\xdd\xed\xe4\x60\x92\x5d\xcb\xc6\xe5\xef\x20\x60\x28\xaa\x7e\xa0\xc8\x4d\x60\xd9\x90\xfc\xd4\x8d\x76\xc9\xa4\x7b\xe6\x81\x92\x50\xd4\xd1\x0f\xce\xfc\x7a\x12\x4c\x6f\x3f\xaa\xf5\x1f\x7b\x67\xdc\xc2\xb3\x9a\xcf\x11\x9c\x8f\x89\xb9\x3b\x58\x39\x52\x47\xfa\x45\x9c\x1f\xfe\x6f\xc5\xa7\x0c\x32\xd5\x19\x6d\xa5\x93\xb3\x36\xbe\x04\x67\x16\x4e\xbb\xc9\x86\xfc\x14\
x5b\x32\xbb\x91\xa4\xc0\x58\x88\x4c\x82\xf5\xca\xcd\xa6\x2a\x43\x12\xbb\x35\x07\x0e\x74\xde\x2b\xba\x07\x64\x8b\x7e\xb9\xd9\xfa\xe8\x91\x64\x8f\x54\x32\xb6\xa7\xd5\x98\x6e\xf2\x02\x78\x72\xcf\x9e\x1a\x08\x6c\x57\x6a\xba\xc8\xdc\x40\x1a\xab\x0d\xa9\x3a\xbf\x0a\xb7\x1e\xcd\x9b\xb9\x6e\x39\x18\x03\x62\xa1\x0a\x21\x85\x07\x1e\xbb\x8c\xa2\xca\x8d\x97\x19\xd4\x7b\xfc\x18\xb6\x2f\x97\x71\xb9\x7d\xfe\xd7\x3b\x98\x23\x25\xeb\x94\x3d\x78\x5c\x78\x75\x00\xd5\xac\x0d\x26\xa9\xca\x90\xcc\x73\xc2\xac\xfe\x87\x2f\x4e\x32\xeb\x44\x39\x08\x3b\xdb\x32\x49\x70\x1d\xdd\xdb\x50\x0d\xf3\xf8\x96\xbb\x1f\x7a\x37\x06\xd6\x4b\xe1\x6d\x00\xf6\xfd\xcd\x6b\xf4\x1d\xf8\x65\x35\xf2\x98\xd2\xdd\x04\x31\x77\x74\xbd\x6b\x39\x03\xf3\x71\xd5\x9b\xe7\x19\xb7\xec\x1d\x00\x3b\x3c\x97\x05\xa8\xf7\x88\x89\xb8\xf7\xda\x0d\x46\xde\xfd\xce\xd2\xdf\x70\xd8\xcb\x45\x70\x82\x8b\xb2\x65\x49\xb5\x50\x11\x58\x9c\x73\xbe\xc4\x20\x7c\x8d\x59\xeb\xe1\x89\x6b\x37\x61\xc1\x85\xa1\x32", 4096); *(uint32_t*)0x20006c44 = 0x1000; *(uint32_t*)0x20006c48 = 0x8001; *(uint32_t*)0x20006c4c = 0x200066c0; memcpy((void*)0x200066c0, "\x31\xe3\xc3\xfa\x6d\x99", 6); *(uint32_t*)0x20006c50 = 6; *(uint32_t*)0x20006c54 = 0x3ff; *(uint32_t*)0x20006c58 = 0x20006700; memcpy((void*)0x20006700, "\x39\xde\x86\x3b\x71\x48\x20\x8e\x43\x2f\xcd\xdb\xd9\xe9\x14\x8e\x71\x6c\x1b\x48\xa3\x96\x7c\x87\x0c\x70\x14\x5d\x90\xed\x68\x1b\x3f\x8b\xce\x84\x9f\xee\x7f\x50\x09\x15\x70\x85\x4e\x20\x10\x37\x23\xe5\x64\x54\xe7\x11\x54\x3f\x6e\x2b\xe9\x2c\x34\x09\x0d\x8c\xc7\x92\x26\x0b\xe9\xb9\x60\xc1\xe4", 73); *(uint32_t*)0x20006c5c = 0x49; *(uint32_t*)0x20006c60 = 9; *(uint32_t*)0x20006c64 = 0x20006780; memcpy((void*)0x20006780, 
"\x17\xfa\xd5\x71\xf8\x0f\xec\xd3\x4a\x59\xbc\x03\xf6\xc0\x2b\xbd\x6d\x56\xcd\x8d\x95\x89\x24\xb4\xae\x41\x89\xb8\x8b\x85\x89\x7e\xfd\x4e\x59\x6e\x11\x18\xbb\x0c\x77\x1c\x2c\x5b\xa3\x7d\xed\x06\xd7\x81\x11\x39\x0c\x1c\x80\xcf\x6e\xa9\xdf\x87\x27\xf8\x85\x59\x81\x5e\xd7\x6b\x36\xfa\x13\xfb\x4d\x08\xe1\xcc\xda\xd7\x97\x3b\x5b\xec\x56\x55\xa7\x4a\x67\x1f\xde\x99\xee\x92\x39\x7c\x56\xd4\x09\xda\xdb\x10\xc4\xc3\x7e\xe9\x2c\xb4\x1d\x03\xae\x6f\xb1\x64\xe7\xf8\x69\x85\x03\x91\x28\xd3\x8b\xe8\x3b\x5e\x16\xc3\x5e\xe3\x4e\xb2\xb8\x39\x6c\x53\x48\x02\x87\x81\xa0\xa8\x79\xf8\x81\x59\x74\x0a\xb8\x97\x05\xd6\x37\xbe\xda\xfa\x91\x5f\x19\x5a\x15\x25\x97\xfa\x0d\x7d\xa9\xb7\x64\x76\x60\x2c\x6e\xee\xfc\xa1\xe8\x0a\x6d\x3d\x0e\xd1\xa7\x5b\x00\xf7\xa5\xe1\x53\xdd\x85\x1e\x23\x01\xc8\xda\xa7\xd4\x9b\x4a\xd9\x1c\x62\xd1\xa6\x96\x7f\x54\xcf\x96\x21\xc2\x40\xed\x58\x71\x92\xf6\x99\x59\xe0\x54\x07\x85\x0c\xe3\x83\x1c\x4e\x81\x1e\x6f\xff\x1c\xdf\x93\xcf\xab\xde\x88\x73\x58\x31\x68\x81\x84\x53\x56\xd7", 247); *(uint32_t*)0x20006c68 = 0xf7; *(uint32_t*)0x20006c6c = 0x26; *(uint32_t*)0x20006c70 = 0x20006880; memcpy((void*)0x20006880, "\xc2\x86\x96\x8e\x22\x38\x74\x2a\x47\xe0\xe8\xd4\x44\xa6\xa6\x61\xb7\x70\x82\x22\xf4\xed\xda\xb9\x7a\x74\x9d\xce\xbe\x2c\xc8\x3a\x31\x4b\x82\x87\x95\xf9\x15\xa3\x6d\x87\x3b\x71\x4a\xef\x15\xdd\xb1\xb4\xf6\x2f\x06\x80\x0b\xbe\x85\xea\xeb\xcb\x76\xab\xe9\x44\x71\x92\x49\xee\x79\x27\xc8\x8e\x78\xa9\x68\xe9\x3f\x45\xc5\x20\x13\xef\x97\xef\x6f\x98\x9b\x1d\x1c\xd3\x0f\xff\x88\x67\x79\x62\xc8\xf3\x05\x2a\xd0\xa4\x63\x1e\x4e\x75\x0b\xa8\x0f\x37\x53\x91\x6c\x2d\xff\xc6\xa4\x02\x3c\xdb\x62\xa1\xb5\xf2\xaf\xbb\x96\x5b\x2f\x78\xc5\xdd\x47\xaf\x90\xb0\x02\xda\x1a\x26\xa2\x4f\xcb\x99\xbf\x81\xfb\x29\x57\x4a\x2f\x98\x10\x7a\x79\x37\x63\x98\x73\xb9\x5f\x4a\x56\x9a\x04\x06\xcc\x35\x8b\x46\xef\xae\x58\x7e\x90\x08\xbe\x69\xd7\x11\xae\x20\x2c\x22\xe2\x9a\x2f\x61\x5f\xd2\x3d\xcf", 192); *(uint32_t*)0x20006c74 = 0xc0; *(uint32_t*)0x20006c78 = 0; *(uint32_t*)0x20006c7c = 0x20006940; 
memcpy((void*)0x20006940, "\x97\xfc\x4d\xd9\xdb\x67\x3e\x16\xfd\x0f\x0e\xb9\xa4\xa2\x6e\x2a\x49\xf4\x2e\x16\x16\x19\x0b\x06\x34\xdf\xd6\x13\x51\x45\xf4\xe4\x51\xbb\xba\xd5\x6d\xad\xf2\x66\x96\x4e\xba\x7d\x10\x07\xc0\xa2\x3f\x8c\xf0\x3d\x4f\x8f\xe0\x9a\x79\x89\x15\x2b\x7c\xf2\xec\x30\xf2\x69\x3a\x06\xbe\xfd\xf0\x23\xd7\x9f\x48\xc2\x08\xd7\x42\xc7\xb7\x59\x15\xbc\xc1\xbe\x58\x35\x17\xce\xd3\xb8\x26\xb9\x70\x75\xe6\x2a\x8e\xd1\x2d\xbb\x26\x48\x07\xc6\xff\xd0\x22\x76\x14\x49\x1f\xb9\xde\x0d\x8a\x92\x5a\x26\x38\xc3\x16\x08\xde\x40\x5b\xbf\x79\xe9\x6f\x17\x1f\xd5\x83\x38\xb1\xd6\x97\x9d\x33\xa7\xda\xe8\xad\x62\xf2\xba\x53\xfe\xfc\x3c", 152); *(uint32_t*)0x20006c80 = 0x98; *(uint32_t*)0x20006c84 = 0x20; *(uint32_t*)0x20006c88 = 0x20006a00; memcpy((void*)0x20006a00, "\x77\xd8\xd6\x06\xbf\xb4\x24\xe7\xb9\x95\x80\x9a\xb4\xf5\x59\x11\x5f\xd8\x2e\x97\x2d\x98\xb6\x51\xdf\xc6\x9b\x10\xdf\x60\x0f\xb4\xf7\x8e\xfd\x58\x6f\x9c\xc2\x6e\xdc\x41\xb1\xd2\xfa\xc8\x7e\xfe\x59\xe2\x62\x41\x1f\x27\xa9\x4c\xf7\x96\xed\x31\x23\x6b\x45\x7c\xa0\xf1\x47\x53\x0e\xfb\xd4\xcf\xa6\xb6\xa0\xfe\xe4\x6c\x25\xab\xcf\x7a\xd8\x28\x2a\xae\x52\x99\xe2\x99\x79\x9c\xd5\x2d\x0a\x58\xd7\xff\x9d\xdd\xd0\x10\x37\x24\xc8\x8d\xa9\x2d\xbe\xfa\xb6\x24\x80\x38\xab\xef\x9e\xc5\x22\x64\xaf\xc7\x48\x25\xf7\xea\x70\xb2\xca\x95\xd6\x90\x0f\x9b\x64\x7a\x3f\x98\x6e\x18\x28\x7c\xb2\xbf\x4b\x4c\x19\xef\xc8\xc2\x18\xfd\x90\x5c\x37\x27\xc8\x6c\x37\x02\x6b\xfb\xde\x3a\xf0\x78\xeb\x07\xb7\x98\xe6\xd3\xd8\xf2\xe4\xd5\xd3\xbc\x18\x8c\xdd\x20\xf2\xeb\xb1\x46\x1c\x5e\x53\xb0\x5f\x29\x89\xff\xac\x3b\x16\x8d\xee\x56\xda\x0f\xc0\x11\x97\x4c\x66\x0e\x40\x0a\xe2\xd8\xb2\xc8\x0a\xcb\x23\x15\x81\xee\x91\x76\x31\x29\xb2\x88\x8a\xeb\x12", 229); *(uint32_t*)0x20006c8c = 0xe5; *(uint32_t*)0x20006c90 = 0x800; *(uint32_t*)0x20006c94 = 0x20006b00; memcpy((void*)0x20006b00, "\x56\x0c\x1b\xea\x71\xb0\xf9\x72\x44\xfa\x38\x6d\x26\xbf\x6b\x1b\x04\x30\x8e\x4b\xc7\xff\xfa", 23); *(uint32_t*)0x20006c98 = 0x17; *(uint32_t*)0x20006c9c = 0x80000001; 
*(uint32_t*)0x20006ca0 = 0x20006b40; memcpy((void*)0x20006b40, "\x14\xe5\x5a\x14\xa7\x95\x33\x87\xee\x55\x33\x3c\x1d\x16\x94\xca\x98\xc7\x99\x9b\x49\x78\x86\x42\x76\x68\x05\xd6\xf5\xa2\x90\xeb\x1e\x95\x9e\xe3\x5a\x74\x04\x59\xe1\x33\x00\x26\x2f\x2a\xf9\xc3\x57\xf7\xa8\xc1\xcb\xa1\x87\xe4\x48\xbc\x3c\x8f\x86\x5c\xc9\xbe\x88\x62\x4f\xb0\xf0\xd0\xbb\x88\x5d\x9c\xc2\xab\xe1\x71\xa2\x47\x8a\x74\x20\xdb\x22\xe8\x60\x7e\x3f\xbe\xc7\xe2\x60\x1d\x9e\x11\x08\x6c\xfa\x8c\xf1\x4d\x99\x67\x6b\x67\x9d\x8d\x6b\xf1\xdd\x4f\xaa\xb8\xfe\x9a\x5f\x4e\x3f\x69\x5f\xe2\xe6\xab\xf0\x9f\x70\x26\x83\x80\x2d\x44\xcc\x3a\x29\x82\x55\xc4\xc5\x95\x33\x73\x1f\xf5\xb2\x3e\x05\x3a\xfb\x71\x6d\x58\xca\xd6\x67\x68\x6e\xe6\x47\xf4\x8e\x19\x9c\x9b\x5c\x3d\x0d\x2d\x47\x0f\x2c\xe1\xc5\xb8\xb5\x70\x8a\xe0\x23\xad\x98\x80\xca\xf3\x1d\x01\xf9\x6a\xeb\xbf\xcc\x7d\xf9\x53\x58\xa0\x16\xc5\x47\x1c\xc2\xce\x2c\xed\x61\x05\x05\x7c\x9d\x22\xc8\x16\x78\x90\xca\x19", 216); *(uint32_t*)0x20006ca4 = 0xd8; *(uint32_t*)0x20006ca8 = 0x400; syz_read_part_table(9, 9, 0x20006c40); break; case 40: *(uint8_t*)0x20006cc0 = 0x12; *(uint8_t*)0x20006cc1 = 1; *(uint16_t*)0x20006cc2 = 0x200; *(uint8_t*)0x20006cc4 = 0x62; *(uint8_t*)0x20006cc5 = 0xa5; *(uint8_t*)0x20006cc6 = 0xbe; *(uint8_t*)0x20006cc7 = 0x10; *(uint16_t*)0x20006cc8 = 0x2833; *(uint16_t*)0x20006cca = 0x211; *(uint16_t*)0x20006ccc = 0x37a4; *(uint8_t*)0x20006cce = 1; *(uint8_t*)0x20006ccf = 2; *(uint8_t*)0x20006cd0 = 3; *(uint8_t*)0x20006cd1 = 1; *(uint8_t*)0x20006cd2 = 9; *(uint8_t*)0x20006cd3 = 2; *(uint16_t*)0x20006cd4 = 0x6b4; *(uint8_t*)0x20006cd6 = 1; *(uint8_t*)0x20006cd7 = 0x20; *(uint8_t*)0x20006cd8 = 0; *(uint8_t*)0x20006cd9 = 0xa0; *(uint8_t*)0x20006cda = 1; *(uint8_t*)0x20006cdb = 9; *(uint8_t*)0x20006cdc = 4; *(uint8_t*)0x20006cdd = 0xdf; *(uint8_t*)0x20006cde = 0; *(uint8_t*)0x20006cdf = 0x10; *(uint8_t*)0x20006ce0 = -1; *(uint8_t*)0x20006ce1 = 1; *(uint8_t*)0x20006ce2 = 0; *(uint8_t*)0x20006ce3 = 5; *(uint8_t*)0x20006ce4 = 7; *(uint8_t*)0x20006ce5 = 
0x24; *(uint8_t*)0x20006ce6 = 1; *(uint8_t*)0x20006ce7 = 1; *(uint8_t*)0x20006ce8 = 1; *(uint16_t*)0x20006ce9 = 1; *(uint8_t*)0x20006ceb = 9; *(uint8_t*)0x20006cec = 0x24; *(uint8_t*)0x20006ced = 6; *(uint8_t*)0x20006cee = 0; *(uint8_t*)0x20006cef = 0; memcpy((void*)0x20006cf0, "\xfd\x50\x65\x08", 4); *(uint8_t*)0x20006cf4 = 5; *(uint8_t*)0x20006cf5 = 0x24; *(uint8_t*)0x20006cf6 = 0; *(uint16_t*)0x20006cf7 = 3; *(uint8_t*)0x20006cf9 = 0xd; *(uint8_t*)0x20006cfa = 0x24; *(uint8_t*)0x20006cfb = 0xf; *(uint8_t*)0x20006cfc = 1; *(uint32_t*)0x20006cfd = 0x40000000; *(uint16_t*)0x20006d01 = 8; *(uint16_t*)0x20006d03 = 0x4cc5; *(uint8_t*)0x20006d05 = 0x7f; *(uint8_t*)0x20006d06 = 7; *(uint8_t*)0x20006d07 = 0x24; *(uint8_t*)0x20006d08 = 0xa; *(uint8_t*)0x20006d09 = 8; *(uint8_t*)0x20006d0a = 0x3f; *(uint8_t*)0x20006d0b = 0; *(uint8_t*)0x20006d0c = 0x81; *(uint8_t*)0x20006d0d = 0x10; *(uint8_t*)0x20006d0e = 0x24; *(uint8_t*)0x20006d0f = 7; *(uint8_t*)0x20006d10 = 0x80; *(uint16_t*)0x20006d11 = 5; *(uint16_t*)0x20006d13 = 0x44; *(uint16_t*)0x20006d15 = 2; *(uint16_t*)0x20006d17 = 0x800; *(uint16_t*)0x20006d19 = 0x101; *(uint16_t*)0x20006d1b = 4; *(uint8_t*)0x20006d1d = 4; *(uint8_t*)0x20006d1e = 0x24; *(uint8_t*)0x20006d1f = 2; *(uint8_t*)0x20006d20 = 4; *(uint8_t*)0x20006d21 = 8; *(uint8_t*)0x20006d22 = 0x24; *(uint8_t*)0x20006d23 = 0x1c; *(uint16_t*)0x20006d24 = 0; *(uint8_t*)0x20006d26 = 0xc0; *(uint16_t*)0x20006d27 = 0x5325; *(uint8_t*)0x20006d29 = 6; *(uint8_t*)0x20006d2a = 0x24; *(uint8_t*)0x20006d2b = 0x1a; *(uint16_t*)0x20006d2c = 0x7f; *(uint8_t*)0x20006d2e = 0; *(uint8_t*)0x20006d2f = 9; *(uint8_t*)0x20006d30 = 5; *(uint8_t*)0x20006d31 = 5; *(uint8_t*)0x20006d32 = 0; *(uint16_t*)0x20006d33 = 0xb5a2; *(uint8_t*)0x20006d35 = 6; *(uint8_t*)0x20006d36 = 0; *(uint8_t*)0x20006d37 = 5; *(uint8_t*)0x20006d38 = 7; *(uint8_t*)0x20006d39 = 0x25; *(uint8_t*)0x20006d3a = 1; *(uint8_t*)0x20006d3b = 0x82; *(uint8_t*)0x20006d3c = 0xe9; *(uint16_t*)0x20006d3d = 0xf000; 
*(uint8_t*)0x20006d3f = 9; *(uint8_t*)0x20006d40 = 5; *(uint8_t*)0x20006d41 = 0xe; *(uint8_t*)0x20006d42 = 2; *(uint16_t*)0x20006d43 = 0x200; *(uint8_t*)0x20006d45 = 8; *(uint8_t*)0x20006d46 = 7; *(uint8_t*)0x20006d47 = 0x40; *(uint8_t*)0x20006d48 = 9; *(uint8_t*)0x20006d49 = 5; *(uint8_t*)0x20006d4a = 0; *(uint8_t*)0x20006d4b = 0x7e; *(uint16_t*)0x20006d4c = 0x200; *(uint8_t*)0x20006d4e = 8; *(uint8_t*)0x20006d4f = 3; *(uint8_t*)0x20006d50 = 1; *(uint8_t*)0x20006d51 = 0x9b; *(uint8_t*)0x20006d52 = 0x21; memcpy((void*)0x20006d53, "\xf2\xef\x0a\x5c\x06\x9c\xdb\x31\x91\x38\xe1\x85\x06\x1d\x7e\x19\x6a\xe9\x4e\x53\x5d\x80\xf2\x76\x66\xfb\xa2\x3b\x37\x43\x25\xf1\x5d\xc5\xf2\x08\x12\xfe\x05\xb0\x62\x0f\x6f\xfc\xb8\x10\x03\xb1\xf3\x9c\x5d\xcd\x1b\xff\x14\xe2\xbb\xeb\x38\x73\x35\xa3\x53\x4f\x5a\xdb\x60\xff\xc4\xf2\x85\x95\xc8\xf9\x92\xf7\x7f\xd5\xf6\x7a\x04\x84\x2b\x9c\x43\x64\xe3\x55\x6b\xe9\xba\xcb\x8f\xd5\x6e\xd7\x78\x59\x29\x11\x53\xf6\xc5\x66\x02\x63\x63\xbf\xa5\xf2\xe6\xff\x2f\xa6\xd2\x93\x17\xf2\xd5\x62\x44\x53\x64\x93\x99\x15\xa7\x5d\xd7\x36\x5f\x6a\xb9\xc1\x5d\xdb\xc7\xc3\xa4\x5f\x7e\xb9\x8f\xd1\xfe\xa3\x55\x1b\xbd\x46\xf2\x0a\x87", 153); *(uint8_t*)0x20006dec = 9; *(uint8_t*)0x20006ded = 5; *(uint8_t*)0x20006dee = 0x80; *(uint8_t*)0x20006def = 1; *(uint16_t*)0x20006df0 = 0x3ff; *(uint8_t*)0x20006df2 = 1; *(uint8_t*)0x20006df3 = 0x20; *(uint8_t*)0x20006df4 = 0xef; *(uint8_t*)0x20006df5 = 0xec; *(uint8_t*)0x20006df6 = 6; memcpy((void*)0x20006df7, 
"\xf6\x42\x24\x6a\x53\x72\x99\x1d\xb9\x7e\x58\x24\xa4\x10\xe2\x83\x00\xd3\xbd\x15\x36\x38\xf6\xda\xc6\xe1\x18\x9a\x0c\x56\x0a\x0a\x0e\x5f\x8b\x15\xe0\x78\x79\xac\x95\x01\x65\x15\x20\x26\x46\xa7\xb5\xb5\xfc\x74\xb7\xcd\x40\xd5\x15\xb2\x84\x9d\x8c\x1d\xd9\xae\x4f\xca\x16\xc2\xe6\xcf\x0e\x8a\x20\xce\x54\xf0\x5f\xa1\x23\xc0\x19\x20\x8c\xb3\x4b\x5e\xe5\x61\xc2\x74\xea\x40\xa7\xb3\x4e\x58\x13\xa4\xa2\x9b\xe4\x08\x17\xeb\x1f\x7b\x3e\x9b\xef\x60\xf7\xc5\x66\x57\x48\x12\x36\xb9\x3e\x2c\x29\x7f\x17\xc7\x76\xb9\x8f\x1d\x0c\x8f\x2a\x56\x44\x77\x66\xc7\x28\x8b\xa6\xb1\xe3\x85\xb8\x4a\x51\x6a\x98\xab\x72\x9b\xa7\x0e\x31\xfe\xe3\xaa\xb1\x01\xd5\x90\xa4\x48\x1a\xe5\x85\x63\x26\xc6\x82\x5b\x73\xc7\xae\x7d\x3b\x99\xcb\x3c\x59\xdb\x31\xa1\x27\x26\x23\x4b\x90\x05\x84\xe8\xdb\x77\x93\x52\x18\x8d\x12\xc9\x32\xd4\xaa\xcb\x59\xee\xf3\x3d\x33\xb9\x55\x05\x10\xcf\x2b\x49\xda\x74\x7e\x03\x1c\x83\x11\x7b\x51\x1a\x1b\xb9\x3e\xd7\x6c\x71\x6e\x6a\x02\x54", 234); *(uint8_t*)0x20006ee1 = 7; *(uint8_t*)0x20006ee2 = 0x25; *(uint8_t*)0x20006ee3 = 1; *(uint8_t*)0x20006ee4 = 0; *(uint8_t*)0x20006ee5 = 6; *(uint16_t*)0x20006ee6 = 0x40; *(uint8_t*)0x20006ee8 = 9; *(uint8_t*)0x20006ee9 = 5; *(uint8_t*)0x20006eea = 1; *(uint8_t*)0x20006eeb = 0; *(uint16_t*)0x20006eec = 0x100; *(uint8_t*)0x20006eee = 0xfe; *(uint8_t*)0x20006eef = 8; *(uint8_t*)0x20006ef0 = 0x37; *(uint8_t*)0x20006ef1 = 0xe9; *(uint8_t*)0x20006ef2 = 0x23; memcpy((void*)0x20006ef3, 
"\x1a\x0e\x35\x42\x85\x7d\x49\xea\x63\xb7\x26\x1e\xbf\xc1\x9f\x14\x27\x2e\x28\x4d\x26\x65\xd2\x79\x5e\x43\xf6\xf9\xca\x62\x77\x6c\x9e\xe5\x2d\x99\x18\x79\xd7\xd6\x7b\x4d\x8b\x27\x0f\xd5\x15\x98\xbe\xac\x1c\x03\x39\xb2\x25\x7a\xd6\x8c\x1d\xde\x54\x88\x5a\xe2\xd2\x19\xb8\x7c\xde\x15\x9a\x98\x97\xc8\x8b\xda\x26\xe0\x8a\x36\x91\x05\x50\x22\x73\x9c\x1f\xe6\x4a\xdb\x98\x63\x9d\xc2\x54\x21\xc4\x49\xcf\x36\x48\x00\xc4\xc3\x65\x06\x2f\x24\x88\xe6\x90\x1e\x56\xe6\x2f\x4b\x70\x3e\xae\x7a\xf2\x62\x98\xa1\xee\xe1\xbf\xe6\x2d\x9b\x2a\xe3\x53\x20\xae\x2b\xaf\x17\x4e\x94\xff\x55\x32\x10\x97\xbe\x81\xe0\x27\x9f\x5d\x0a\xa8\x4d\xd1\x8c\xa0\x86\x4d\x98\xd0\xed\xbb\xea\xa1\x9d\xdf\x36\x26\xfd\x83\xa2\xe2\xb5\xf6\x76\xa7\x34\xd4\x78\x4b\x3c\x68\x77\xfd\x1b\xb3\xc9\x54\x3d\xf7\xab\xda\x9b\xd9\xc9\xbe\x40\x59\x49\x74\x7e\x21\x07\x3c\x18\x95\x7f\xff\x0e\xaa\xc0\x27\x3c\xfd\x3f\x70\x2c\xb6\x55\x97\x94\x9a\x17\x27\x26\xf7\xe4\x59\x53\x6c", 231); *(uint8_t*)0x20006fda = 0x18; *(uint8_t*)0x20006fdb = 0x10; memcpy((void*)0x20006fdc, "\xa0\x28\x90\x17\xf3\xf4\x33\xf1\x10\x59\x48\x9a\x61\x11\x58\x23\xe1\x13\x8a\xe8\x4a\x34", 22); *(uint8_t*)0x20006ff2 = 9; *(uint8_t*)0x20006ff3 = 5; *(uint8_t*)0x20006ff4 = 0xe; *(uint8_t*)0x20006ff5 = 4; *(uint16_t*)0x20006ff6 = 0x10; *(uint8_t*)0x20006ff8 = 0x67; *(uint8_t*)0x20006ff9 = 3; *(uint8_t*)0x20006ffa = 8; *(uint8_t*)0x20006ffb = 7; *(uint8_t*)0x20006ffc = 0x25; *(uint8_t*)0x20006ffd = 1; *(uint8_t*)0x20006ffe = 1; *(uint8_t*)0x20006fff = 0x80; *(uint16_t*)0x20007000 = 0x2e6; *(uint8_t*)0x20007002 = 9; *(uint8_t*)0x20007003 = 5; *(uint8_t*)0x20007004 = 0xd; *(uint8_t*)0x20007005 = 4; *(uint16_t*)0x20007006 = 0x200; *(uint8_t*)0x20007008 = 0x48; *(uint8_t*)0x20007009 = 0x35; *(uint8_t*)0x2000700a = 8; *(uint8_t*)0x2000700b = 0xe5; *(uint8_t*)0x2000700c = 5; memcpy((void*)0x2000700d, 
"\x30\xef\xe9\xc1\xa6\xe5\xc8\x9c\x20\x31\x21\x4c\x60\xfb\xbe\xaa\x45\x78\x09\x1e\x38\x00\x9c\x76\x1d\x15\x77\x48\x02\x93\x4c\xfd\x36\x35\x5b\x35\x18\xcc\xfe\x59\xfa\x5e\x7c\xce\xe3\xc1\x3a\xc4\xaf\xfb\xe0\x73\xe0\xe7\x88\xc9\xb5\xe3\x22\x16\xef\xbf\x02\xe3\x58\x69\xd7\xb2\x33\xa3\x89\xf8\x12\xbf\xd8\x49\x43\x3c\x32\x84\x66\xed\xa5\xe0\xe3\x23\x75\x29\xcd\xc6\x5e\x4e\xee\x74\x3d\x31\xff\xc1\x86\xa1\xfe\x79\x4b\xdf\x13\x64\xf3\x1e\xae\xff\x39\x82\x9e\x8f\x61\x44\x85\x0d\x74\x70\xcc\x71\x57\x2d\x1f\x2f\x23\xdc\xcd\xbc\xdd\x99\xe4\x93\x0d\xe7\xed\xbf\x59\xb3\x38\xdb\x34\x90\x30\x5f\xd7\x71\x02\x57\x98\x0b\x7f\x76\xb8\xda\xea\xcb\x2a\xd6\x18\x13\x1f\xb9\xb5\xa3\xe0\x26\xc9\xdd\xbd\x69\x48\x3c\xd7\x94\xca\xad\x29\xf2\xe3\xb6\x31\x24\xa9\x52\xb4\x62\xde\x0c\xd9\x51\xd7\xef\xd9\xb3\xb2\x91\x07\xb6\x41\x41\x7e\x77\x83\xd9\x01\x59\x13\x7f\xa5\x27\x3a\x95\xe0\xcc\x46\xc9\x7c\x22\x46\xe6\x11\xac\xb1\x4b\x4d", 227); *(uint8_t*)0x200070f0 = 9; *(uint8_t*)0x200070f1 = 5; *(uint8_t*)0x200070f2 = 3; *(uint8_t*)0x200070f3 = 0x10; *(uint16_t*)0x200070f4 = 8; *(uint8_t*)0x200070f6 = 0; *(uint8_t*)0x200070f7 = 0x33; *(uint8_t*)0x200070f8 = 9; *(uint8_t*)0x200070f9 = 9; *(uint8_t*)0x200070fa = 5; *(uint8_t*)0x200070fb = 2; *(uint8_t*)0x200070fc = 0xc; *(uint16_t*)0x200070fd = 0x400; *(uint8_t*)0x200070ff = 0xed; *(uint8_t*)0x20007100 = 7; *(uint8_t*)0x20007101 = 9; *(uint8_t*)0x20007102 = 0x84; *(uint8_t*)0x20007103 = 0x31; memcpy((void*)0x20007104, "\xee\x4c\xd2\x19\x15\x4d\xf4\x91\xc4\xd3\x2a\xa3\x21\x12\xcf\xf4\x07\x51\x1b\x06\xb1\x7f\x74\x34\x09\xec\xc2\x16\xc3\x1e\x92\xce\xfa\x2b\x5c\xc5\x9e\x63\x4d\x7a\xeb\xa2\xc9\xe5\xe3\x6d\x8e\xfa\xdc\x02\x55\x17\x25\x18\xf9\x09\xb4\xe1\xa7\xda\xf4\xd9\x88\xb1\xee\xaf\x19\x6c\x76\xee\x90\x2b\x65\x7d\x12\xfc\x23\xc2\x1e\x17\x6c\xd1\x49\xe9\x8a\x8d\x8d\x57\x55\xb7\x4f\xed\x1a\x42\x84\xbc\xfd\x6e\x69\x61\x95\x1f\xf8\x21\x6f\x7b\xb4\x2f\x79\x0e\xdd\x53\x9c\x1b\xc5\xbb\xac\x44\xf7\x67\xa6\x85\xc5\x7c\xbb\xde\xc8\x30\xc5\x2c", 130); 
*(uint8_t*)0x20007186 = 7; *(uint8_t*)0x20007187 = 0x25; *(uint8_t*)0x20007188 = 1; *(uint8_t*)0x20007189 = 0x83; *(uint8_t*)0x2000718a = 1; *(uint16_t*)0x2000718b = 0xfe01; *(uint8_t*)0x2000718d = 9; *(uint8_t*)0x2000718e = 5; *(uint8_t*)0x2000718f = 3; *(uint8_t*)0x20007190 = 0; *(uint16_t*)0x20007191 = 0x40; *(uint8_t*)0x20007193 = 2; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 9; *(uint8_t*)0x20007197 = 5; *(uint8_t*)0x20007198 = 0; *(uint8_t*)0x20007199 = 0; *(uint16_t*)0x2000719a = 0x400; *(uint8_t*)0x2000719c = 0; *(uint8_t*)0x2000719d = 0x2f; *(uint8_t*)0x2000719e = 4; *(uint8_t*)0x2000719f = 9; *(uint8_t*)0x200071a0 = 5; *(uint8_t*)0x200071a1 = 0x8f; *(uint8_t*)0x200071a2 = 8; *(uint16_t*)0x200071a3 = 8; *(uint8_t*)0x200071a5 = 0x81; *(uint8_t*)0x200071a6 = 1; *(uint8_t*)0x200071a7 = 0x7f; *(uint8_t*)0x200071a8 = 7; *(uint8_t*)0x200071a9 = 0x25; *(uint8_t*)0x200071aa = 1; *(uint8_t*)0x200071ab = 0; *(uint8_t*)0x200071ac = 9; *(uint16_t*)0x200071ad = 0xfb; *(uint8_t*)0x200071af = 7; *(uint8_t*)0x200071b0 = 0x25; *(uint8_t*)0x200071b1 = 1; *(uint8_t*)0x200071b2 = 0x81; *(uint8_t*)0x200071b3 = 7; *(uint16_t*)0x200071b4 = 3; *(uint8_t*)0x200071b6 = 9; *(uint8_t*)0x200071b7 = 5; *(uint8_t*)0x200071b8 = 2; *(uint8_t*)0x200071b9 = 0; *(uint16_t*)0x200071ba = 0x400; *(uint8_t*)0x200071bc = 0x40; *(uint8_t*)0x200071bd = 0x76; *(uint8_t*)0x200071be = 3; *(uint8_t*)0x200071bf = 7; *(uint8_t*)0x200071c0 = 0x25; *(uint8_t*)0x200071c1 = 1; *(uint8_t*)0x200071c2 = 0x80; *(uint8_t*)0x200071c3 = 0x31; *(uint16_t*)0x200071c4 = 8; *(uint8_t*)0x200071c6 = 9; *(uint8_t*)0x200071c7 = 5; *(uint8_t*)0x200071c8 = 0xf; *(uint8_t*)0x200071c9 = 0x10; *(uint16_t*)0x200071ca = 0x3ff; *(uint8_t*)0x200071cc = 6; *(uint8_t*)0x200071cd = 0xb2; *(uint8_t*)0x200071ce = 6; *(uint8_t*)0x200071cf = 7; *(uint8_t*)0x200071d0 = 0x25; *(uint8_t*)0x200071d1 = 1; *(uint8_t*)0x200071d2 = 0x82; *(uint8_t*)0x200071d3 = 0x80; *(uint16_t*)0x200071d4 = 6; 
*(uint8_t*)0x200071d6 = 9; *(uint8_t*)0x200071d7 = 5; *(uint8_t*)0x200071d8 = 0xf; *(uint8_t*)0x200071d9 = 0x10; *(uint16_t*)0x200071da = 0x200; *(uint8_t*)0x200071dc = 6; *(uint8_t*)0x200071dd = 6; *(uint8_t*)0x200071de = 0xca; *(uint8_t*)0x200071df = 7; *(uint8_t*)0x200071e0 = 0x25; *(uint8_t*)0x200071e1 = 1; *(uint8_t*)0x200071e2 = 0x81; *(uint8_t*)0x200071e3 = 0x20; *(uint16_t*)0x200071e4 = 3; *(uint8_t*)0x200071e6 = 9; *(uint8_t*)0x200071e7 = 5; *(uint8_t*)0x200071e8 = 0x80; *(uint8_t*)0x200071e9 = 0x10; *(uint16_t*)0x200071ea = 0x400; *(uint8_t*)0x200071ec = 1; *(uint8_t*)0x200071ed = 0xfc; *(uint8_t*)0x200071ee = 4; *(uint8_t*)0x200071ef = 0xd4; *(uint8_t*)0x200071f0 = 0x21; memcpy((void*)0x200071f1, "\x28\xa1\xdf\xa1\xd2\x8f\x9a\xe6\x0d\x0a\x8e\x9e\x3c\x51\x2d\xb3\x53\x69\xd4\x79\xfa\x6e\x6a\xa0\x99\xe2\x67\xe1\xce\xd7\x7c\xa2\xe1\x80\xb4\x29\x77\x90\x23\xa8\x72\xb0\xef\x88\x07\xe1\x1f\x8b\x8b\x21\xb8\x11\xd4\xfe\x55\x27\x33\x5c\xe8\x6e\x3a\x95\xcd\xf9\x60\xd1\xe7\x9e\x88\xc2\x76\xc1\x74\xd1\x83\xd2\xf3\xbc\x08\x62\xdd\x7e\x1d\x29\xac\x58\x9c\xeb\x22\x02\x4e\x25\xa4\x4c\x3e\x81\x23\x58\x1d\x14\x48\xfd\x2d\xb5\x33\x2f\xe4\x1c\x23\xf9\xaa\x95\x95\x64\xf3\x2d\xb1\xda\x14\x61\x04\x15\xdd\xc2\x93\xdc\x57\xc9\xd6\xc7\x75\xd2\x21\x51\xbd\xab\x23\x6a\x5a\x73\x59\x2e\x55\x18\x05\x57\x28\xae\x81\x9e\x25\xc0\x80\xcb\xb9\xbf\x02\x03\xb6\x63\x9b\x8f\xd8\xd7\x16\xd9\xc5\x71\xd6\xb2\x60\xea\x29\x77\x33\xd5\x3c\x3a\x05\x44\x9b\x9b\x92\x21\xd0\xf4\x02\x61\x0c\x98\x37\x18\x9f\x9c\x6a\xb3\xba\xaf\x03\x1d\x48\x69\x26\x90\xc9\x98\x1c\xee\x14\x26", 210); *(uint8_t*)0x200072c3 = 0xc3; *(uint8_t*)0x200072c4 = 6; memcpy((void*)0x200072c5, 
"\x60\xed\x98\x57\x6f\xbb\xbe\xe3\xdb\x67\xd5\x35\xea\x7e\x1a\x19\xd9\x2d\x68\x9e\x2f\x03\x30\x8a\x61\x5a\x56\x41\xe7\x2e\x69\x4d\x99\x6f\x76\xc1\x11\x1c\x88\xc5\x07\xc3\x9a\x87\xf3\x4a\x36\x82\xda\xfb\xfe\x58\x3b\x79\xf5\xb9\x50\xa3\x06\x14\x16\x2c\x60\x5f\x7e\x6c\x5d\x45\x2b\x4f\x84\xa1\x45\xf2\x0b\xf4\x47\x0d\xdf\x43\xf0\x6c\x41\x5d\xc6\xc4\x15\x51\xfd\x45\x8b\xa6\xae\xdf\x57\xd7\x4c\xb8\x5a\x25\xe4\x33\x24\x81\x4b\x62\xc3\xbe\x41\x08\xb1\xea\x5b\x9d\xd2\x2a\x78\xa4\x5c\xdf\x5d\x8f\x27\xc1\x1f\x35\x02\x6b\xf7\xef\x10\xc7\xd1\xf0\x61\x5f\xe1\xc4\x4a\x30\x2a\x84\xd8\x8b\x8d\x6c\x2d\x85\x04\x9c\x9f\x48\xa0\x4b\x4e\x61\x80\x1c\x01\x7f\x60\x9b\x67\x3f\xc8\x29\x0f\x73\x62\xa0\xed\x35\x88\x2a\x33\x5b\x65\x7f\x83\x5f\xce\x8e\x20\x10\x0c\xde\x82\xc1\xa3\xdc\x18\x06\x11", 193); *(uint32_t*)0x20007740 = 0xa; *(uint32_t*)0x20007744 = 0x200073c0; *(uint8_t*)0x200073c0 = 0xa; *(uint8_t*)0x200073c1 = 6; *(uint16_t*)0x200073c2 = 0x310; *(uint8_t*)0x200073c4 = 5; *(uint8_t*)0x200073c5 = 0x80; *(uint8_t*)0x200073c6 = -1; *(uint8_t*)0x200073c7 = 0xbf; *(uint8_t*)0x200073c8 = 5; *(uint8_t*)0x200073c9 = 0; *(uint32_t*)0x20007748 = 5; *(uint32_t*)0x2000774c = 0x20007400; *(uint8_t*)0x20007400 = 5; *(uint8_t*)0x20007401 = 0xf; *(uint16_t*)0x20007402 = 5; *(uint8_t*)0x20007404 = 0; *(uint32_t*)0x20007750 = 5; *(uint32_t*)0x20007754 = 0xa8; *(uint32_t*)0x20007758 = 0x20007440; *(uint8_t*)0x20007440 = 0xa8; *(uint8_t*)0x20007441 = 3; memcpy((void*)0x20007442, 
"\x05\x84\xbd\xdc\x14\x96\x71\xf9\xe6\xc6\xcd\x12\x3b\x79\x6c\xaf\xe2\xeb\x5d\x2b\xd3\xcf\x65\xe3\xeb\x0f\x3a\x60\x1a\xba\x71\x64\x71\x3d\x40\x42\x65\x3f\x2c\xca\x18\x22\x07\xd4\xe7\xff\xa8\xbc\x71\xe7\x05\xaa\x48\xbc\xff\x03\xfd\xdd\x2e\x3e\x6b\xeb\xe1\x1c\xb6\x1f\x95\xfa\xf1\x4a\xfd\xf2\x94\x40\x02\x1e\x85\x1f\xb6\x82\xaa\x24\xe6\x24\xe8\x33\x95\x2d\xb6\xd1\xf9\x6a\xa7\xed\xfc\x74\xce\x50\x13\x59\x69\x4c\x75\x83\xeb\x5e\x48\xdf\xe2\x27\xd2\x10\x5d\x5e\x3d\x23\x59\xe3\xc7\x28\xa4\x8a\xdf\xf0\x9b\x11\x32\xf9\x28\x89\x3c\xee\xfa\xe6\x77\x00\x98\x3b\xe1\xca\x94\xe8\x18\xe7\xa1\x46\x3c\x80\x2f\x1f\xc2\xa7\x2d\x40\x90\x09\x33\x40\x3d\x7b\x25\x5a\x35\xd9\xdc\x33", 166); *(uint32_t*)0x2000775c = 4; *(uint32_t*)0x20007760 = 0x20007500; *(uint8_t*)0x20007500 = 4; *(uint8_t*)0x20007501 = 3; *(uint16_t*)0x20007502 = 0x42c; *(uint32_t*)0x20007764 = 0xf4; *(uint32_t*)0x20007768 = 0x20007540; *(uint8_t*)0x20007540 = 0xf4; *(uint8_t*)0x20007541 = 3; memcpy((void*)0x20007542, "\x1c\x53\x71\x17\xdc\x72\x0a\xf3\xcc\xf1\x08\x68\x7c\x86\xcb\x54\x4b\xc8\x85\x37\x9e\x43\x5d\xbb\x86\x1b\xc9\xa0\x15\x50\x59\x2e\x60\x08\xae\x94\xa1\xf9\x83\x17\xad\x9c\xd8\x04\x01\x6b\x07\x9b\x5e\xc2\x94\xdc\xaf\x45\x37\xcf\x5b\x68\xc3\xc4\x35\x37\x54\xca\xf3\x69\xba\x34\x10\x1c\xbd\x21\x92\x6b\x15\xce\xf6\x7a\xb6\x3e\xad\x40\xab\xfb\xef\x86\x7b\x37\x2f\xe2\x78\x18\x66\xf8\x7a\x2d\xcc\xf9\x8f\xfe\x66\x53\x1c\x1d\x50\x21\x40\x6c\x69\xce\x84\xb4\x39\x13\x0c\xac\x71\xf5\x25\x64\xb7\xc8\xfa\x62\x1d\x71\xd5\xff\x00\x15\x17\x59\x3f\x05\x9d\xa0\xcb\x82\xf1\xfd\x5e\x32\x7d\xf9\xab\xec\x49\x46\xe3\x4e\x20\xd3\xf1\xdf\x8f\x4a\x04\x22\xf9\xbb\x53\x89\x49\xb4\xa1\x4d\x1b\x3a\xfd\x67\x93\xe8\x1d\x3b\xa5\x96\xd1\x6d\x8c\xee\x0e\x70\x03\x14\xe5\x31\xe6\x02\xfe\x5c\xb8\x32\xb2\x2c\x7a\x2f\x9f\x36\xf3\x9d\x05\x38\x76\x47\x81\x57\xd5\x41\xe8\xc0\x97\x7a\x9a\xca\xf6\x91\xf1\x23\x4f\x66\x5d\x23\x4f\x82\xee\x90\xff\x89\x82\xd9\xc1\x37\x1a\x15\xdd\xc8\xed\x23\x92\xdd\x5a\x96", 242); *(uint32_t*)0x2000776c = 0x98; 
*(uint32_t*)0x20007770 = 0x20007640; *(uint8_t*)0x20007640 = 0x98; *(uint8_t*)0x20007641 = 3; memcpy((void*)0x20007642, "\x07\x8c\xbe\xfd\x67\x79\x6b\x8d\x00\xc6\xa0\x27\xe5\xd0\x7b\xc3\xb0\x07\x56\xac\xaf\xb9\x09\x6e\x3e\x38\x1a\x99\xfd\xbe\x8a\x51\x61\xca\x19\xa9\x62\x8d\x61\xba\xef\xd6\x97\x2b\x48\xf5\xe0\x4b\x0f\xa6\xe2\xb9\x9c\xca\x8d\xf5\xb5\x0d\xbd\x97\xd6\x56\xc0\x2f\x85\x83\xa5\x8c\xe8\xcb\xd3\x5c\x69\xfb\x3f\x86\xde\x0d\xda\xc9\x0f\x5b\xe8\xd4\xf0\x4a\x3a\xd4\xf3\x12\x93\xb5\x09\x95\x91\x39\xbe\xa0\xf3\x06\x7d\x0e\xbf\xa3\xc5\xb2\x10\xe1\x99\x30\x78\xb0\xae\x92\x95\x61\xfc\x77\x34\x86\x9b\x3d\xd8\xd8\x12\xc0\x0a\x30\x35\x23\x61\x66\xa3\x12\x27\xae\x29\x1e\x69\x6a\xb4\xf8\x1f\x4e\x3f\x02\xd6\xb2\xf3\x34", 150); *(uint32_t*)0x20007774 = 4; *(uint32_t*)0x20007778 = 0x20007700; *(uint8_t*)0x20007700 = 4; *(uint8_t*)0x20007701 = 3; *(uint16_t*)0x20007702 = 0x43e; syz_usb_connect(2, 0x6c6, 0x20006cc0, 0x20007740); break; case 41: *(uint8_t*)0x20007780 = 0x12; *(uint8_t*)0x20007781 = 1; *(uint16_t*)0x20007782 = 0x200; *(uint8_t*)0x20007784 = -1; *(uint8_t*)0x20007785 = -1; *(uint8_t*)0x20007786 = -1; *(uint8_t*)0x20007787 = 0x40; *(uint16_t*)0x20007788 = 0xcf3; *(uint16_t*)0x2000778a = 0x9271; *(uint16_t*)0x2000778c = 0x108; *(uint8_t*)0x2000778e = 1; *(uint8_t*)0x2000778f = 2; *(uint8_t*)0x20007790 = 3; *(uint8_t*)0x20007791 = 1; *(uint8_t*)0x20007792 = 9; *(uint8_t*)0x20007793 = 2; *(uint16_t*)0x20007794 = 0x48; *(uint8_t*)0x20007796 = 1; *(uint8_t*)0x20007797 = 1; *(uint8_t*)0x20007798 = 0; *(uint8_t*)0x20007799 = 0x80; *(uint8_t*)0x2000779a = 0xfa; *(uint8_t*)0x2000779b = 9; *(uint8_t*)0x2000779c = 4; *(uint8_t*)0x2000779d = 0; *(uint8_t*)0x2000779e = 0; *(uint8_t*)0x2000779f = 6; *(uint8_t*)0x200077a0 = -1; *(uint8_t*)0x200077a1 = 0; *(uint8_t*)0x200077a2 = 0; *(uint8_t*)0x200077a3 = 0; *(uint8_t*)0x200077a4 = 9; *(uint8_t*)0x200077a5 = 5; *(uint8_t*)0x200077a6 = 1; *(uint8_t*)0x200077a7 = 2; *(uint16_t*)0x200077a8 = 0x200; *(uint8_t*)0x200077aa = 0; 
*(uint8_t*)0x200077ab = 0; *(uint8_t*)0x200077ac = 0; *(uint8_t*)0x200077ad = 9; *(uint8_t*)0x200077ae = 5; *(uint8_t*)0x200077af = 0x82; *(uint8_t*)0x200077b0 = 2; *(uint16_t*)0x200077b1 = 0x200; *(uint8_t*)0x200077b3 = 0; *(uint8_t*)0x200077b4 = 0; *(uint8_t*)0x200077b5 = 0; *(uint8_t*)0x200077b6 = 9; *(uint8_t*)0x200077b7 = 5; *(uint8_t*)0x200077b8 = 0x83; *(uint8_t*)0x200077b9 = 3; *(uint16_t*)0x200077ba = 0x40; *(uint8_t*)0x200077bc = 1; *(uint8_t*)0x200077bd = 0; *(uint8_t*)0x200077be = 0; *(uint8_t*)0x200077bf = 9; *(uint8_t*)0x200077c0 = 5; *(uint8_t*)0x200077c1 = 4; *(uint8_t*)0x200077c2 = 3; *(uint16_t*)0x200077c3 = 0x40; *(uint8_t*)0x200077c5 = 1; *(uint8_t*)0x200077c6 = 0; *(uint8_t*)0x200077c7 = 0; *(uint8_t*)0x200077c8 = 9; *(uint8_t*)0x200077c9 = 5; *(uint8_t*)0x200077ca = 5; *(uint8_t*)0x200077cb = 2; *(uint16_t*)0x200077cc = 0x200; *(uint8_t*)0x200077ce = 0; *(uint8_t*)0x200077cf = 0; *(uint8_t*)0x200077d0 = 0; *(uint8_t*)0x200077d1 = 9; *(uint8_t*)0x200077d2 = 5; *(uint8_t*)0x200077d3 = 6; *(uint8_t*)0x200077d4 = 2; *(uint16_t*)0x200077d5 = 0x200; *(uint8_t*)0x200077d7 = 0; *(uint8_t*)0x200077d8 = 0; *(uint8_t*)0x200077d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007780, 0); if (res != -1) r[22] = res; break; case 42: *(uint32_t*)0x200079c0 = 0x18; *(uint32_t*)0x200079c4 = 0x20007800; *(uint8_t*)0x20007800 = 0x20; *(uint8_t*)0x20007801 = 0x11; *(uint32_t*)0x20007802 = 0xb7; *(uint8_t*)0x20007806 = 0xb7; *(uint8_t*)0x20007807 = 9; memcpy((void*)0x20007808, 
"\x72\xf5\x91\xba\x5c\x69\x4f\x16\xa4\xd9\x20\x75\xef\x3e\xc8\xbc\x46\x92\x09\x54\x79\x9e\xc8\xd3\xc0\x30\x8f\x3b\x47\x79\xda\x6e\x18\xe9\x82\x4a\x86\x74\x6d\x01\x3a\x39\x9a\xfc\x7f\x6f\xce\xb6\xc3\x7f\x7f\x13\x1c\x71\xeb\xc0\x01\xf6\x66\xea\x63\xed\x3a\xde\x13\x20\x09\x73\x5a\x54\x66\x22\xf9\xe6\x39\xd4\x81\xc9\x67\xcc\x7b\x5b\x74\x7c\xc5\xe6\x2f\xdc\x41\xbb\xb4\xbb\x95\x87\x8a\x44\x2c\xc4\x91\x11\xc0\xf5\x78\x86\xf1\x70\x77\xa1\xb4\xb2\x2e\x3c\xf2\x8e\xec\xb7\x98\xfe\xed\x6f\x16\x8d\xd9\xcc\x26\x46\xf8\xb7\x9e\xd4\x1b\xba\x94\xde\x9e\x30\x4f\xc8\x45\x17\x9a\x73\x21\xf0\x47\x84\xaa\x91\x7b\xa0\x84\x05\xb0\xa9\x5b\x83\x03\xd9\x14\xef\x8e\x37\x47\x80\xdd\x8e\x34\x37\xc9\x5c\x35\x76\x4c\xd0\x63\xe7\xa3\xec\x6d\x79\x0b", 181); *(uint32_t*)0x200079c8 = 0x200078c0; *(uint8_t*)0x200078c0 = 0; *(uint8_t*)0x200078c1 = 3; *(uint32_t*)0x200078c2 = 4; *(uint8_t*)0x200078c6 = 4; *(uint8_t*)0x200078c7 = 3; *(uint16_t*)0x200078c8 = 0x813; *(uint32_t*)0x200079cc = 0x20007900; *(uint8_t*)0x20007900 = 0; *(uint8_t*)0x20007901 = 0xf; *(uint32_t*)0x20007902 = 0xc; *(uint8_t*)0x20007906 = 5; *(uint8_t*)0x20007907 = 0xf; *(uint16_t*)0x20007908 = 0xc; *(uint8_t*)0x2000790a = 1; *(uint8_t*)0x2000790b = 7; *(uint8_t*)0x2000790c = 0x10; *(uint8_t*)0x2000790d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000790e, 0x18, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20007910, 3, 0, 16); *(uint32_t*)0x200079d0 = 0x20007940; *(uint8_t*)0x20007940 = 0x20; *(uint8_t*)0x20007941 = 0x29; *(uint32_t*)0x20007942 = 0xf; *(uint8_t*)0x20007946 = 0xf; *(uint8_t*)0x20007947 = 0x29; *(uint8_t*)0x20007948 = 7; *(uint16_t*)0x20007949 = 0x80; *(uint8_t*)0x2000794b = 6; *(uint8_t*)0x2000794c = 0xe0; memcpy((void*)0x2000794d, "\x84\x02\x48\x7c", 4); memcpy((void*)0x20007951, "\x80\x56\xa3\xff", 4); *(uint32_t*)0x200079d4 = 0x20007980; *(uint8_t*)0x20007980 = 0x20; *(uint8_t*)0x20007981 = 0x2a; *(uint32_t*)0x20007982 = 0xc; 
*(uint8_t*)0x20007986 = 0xc; *(uint8_t*)0x20007987 = 0x2a; *(uint8_t*)0x20007988 = 0xa7; *(uint16_t*)0x20007989 = 2; *(uint8_t*)0x2000798b = 0x7d; *(uint8_t*)0x2000798c = 0; *(uint8_t*)0x2000798d = 0x80; *(uint16_t*)0x2000798e = 7; *(uint16_t*)0x20007990 = 6; *(uint32_t*)0x20007e80 = 0x44; *(uint32_t*)0x20007e84 = 0x20007a00; *(uint8_t*)0x20007a00 = 0x40; *(uint8_t*)0x20007a01 = 0x10; *(uint32_t*)0x20007a02 = 0x8c; memcpy((void*)0x20007a06, "\x21\xb8\x38\x25\x05\x9f\x24\x50\x6d\x8e\x84\x20\x85\xd1\xf2\xe7\xf9\x64\x47\x1b\x20\xed\x0a\x8e\x50\xa9\xaa\x4e\xf1\x6b\x5a\x6f\x2d\xbb\x2b\x57\x0a\x4f\x8d\x13\xd6\x0e\x47\xbb\x78\x21\xff\x91\x21\x11\xde\xe4\x0a\x78\xd4\x2b\x4d\x13\xea\x81\x2d\x92\x9c\xcf\x39\x64\xc5\x46\x8f\x89\xd2\xd2\x16\x30\xec\x87\x06\x7a\x2d\x13\xf4\x52\x38\xb4\x46\xbf\x57\xc6\xb9\xec\x35\x57\x8f\xa5\x87\xfc\x77\xfe\x21\x08\xb1\x59\x0b\xe0\x81\x68\x1c\xcc\x02\x4f\x1f\x59\x0b\xe9\xe5\xbe\xc9\xea\x86\xb9\x80\x3c\x60\x29\x9d\xda\x1a\x82\xf8\xff\x04\x42\x86\x71\xa4\x3b\xc2\xc3\x39\x3a", 140); *(uint32_t*)0x20007e88 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0; *(uint8_t*)0x20007ac1 = 0xa; *(uint32_t*)0x20007ac2 = 1; *(uint8_t*)0x20007ac6 = 4; *(uint32_t*)0x20007e8c = 0x20007b00; *(uint8_t*)0x20007b00 = 0; *(uint8_t*)0x20007b01 = 8; *(uint32_t*)0x20007b02 = 1; *(uint8_t*)0x20007b06 = 0xfb; *(uint32_t*)0x20007e90 = 0x20007b40; *(uint8_t*)0x20007b40 = 0x20; *(uint8_t*)0x20007b41 = 0; *(uint32_t*)0x20007b42 = 4; *(uint16_t*)0x20007b46 = 1; *(uint16_t*)0x20007b48 = 1; *(uint32_t*)0x20007e94 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x20; *(uint8_t*)0x20007b81 = 0; *(uint32_t*)0x20007b82 = 4; *(uint16_t*)0x20007b86 = 0x140; *(uint16_t*)0x20007b88 = 0x20; *(uint32_t*)0x20007e98 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 7; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 0x3ff; *(uint32_t*)0x20007e9c = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 9; *(uint32_t*)0x20007c02 = 1; *(uint8_t*)0x20007c06 = 0x81; 
*(uint32_t*)0x20007ea0 = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0xb; *(uint32_t*)0x20007c42 = 2; memcpy((void*)0x20007c46, "\x8a\x02", 2); *(uint32_t*)0x20007ea4 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0xf; *(uint32_t*)0x20007c82 = 2; *(uint16_t*)0x20007c86 = 0x321a; *(uint32_t*)0x20007ea8 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x13; *(uint32_t*)0x20007cc2 = 6; *(uint8_t*)0x20007cc6 = 1; *(uint8_t*)0x20007cc7 = 0x80; *(uint8_t*)0x20007cc8 = 0xc2; *(uint8_t*)0x20007cc9 = 0; *(uint8_t*)0x20007cca = 0; *(uint8_t*)0x20007ccb = 0; *(uint32_t*)0x20007eac = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x17; *(uint32_t*)0x20007d02 = 6; memcpy((void*)0x20007d06, "\xb0\xfe\x28\x1f\xa3\x91", 6); *(uint32_t*)0x20007eb0 = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x19; *(uint32_t*)0x20007d42 = 2; memcpy((void*)0x20007d46, "#7", 2); *(uint32_t*)0x20007eb4 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x1a; *(uint32_t*)0x20007d82 = 2; *(uint16_t*)0x20007d86 = 6; *(uint32_t*)0x20007eb8 = 0x20007dc0; *(uint8_t*)0x20007dc0 = 0x40; *(uint8_t*)0x20007dc1 = 0x1c; *(uint32_t*)0x20007dc2 = 1; *(uint8_t*)0x20007dc6 = 6; *(uint32_t*)0x20007ebc = 0x20007e00; *(uint8_t*)0x20007e00 = 0x40; *(uint8_t*)0x20007e01 = 0x1e; *(uint32_t*)0x20007e02 = 1; *(uint8_t*)0x20007e06 = 6; *(uint32_t*)0x20007ec0 = 0x20007e40; *(uint8_t*)0x20007e40 = 0x40; *(uint8_t*)0x20007e41 = 0x21; *(uint32_t*)0x20007e42 = 1; *(uint8_t*)0x20007e46 = 0x9e; syz_usb_control_io(r[22], 0x200079c0, 0x20007e80); break; case 43: *(uint8_t*)0x20007f00 = 0x12; *(uint8_t*)0x20007f01 = 1; *(uint16_t*)0x20007f02 = 0x70; *(uint8_t*)0x20007f04 = 2; *(uint8_t*)0x20007f05 = 0; *(uint8_t*)0x20007f06 = 0; *(uint8_t*)0x20007f07 = 0x50; *(uint16_t*)0x20007f08 = 0x525; *(uint16_t*)0x20007f0a = 0xa4a1; *(uint16_t*)0x20007f0c = 0x40; *(uint8_t*)0x20007f0e = 1; *(uint8_t*)0x20007f0f = 2; 
*(uint8_t*)0x20007f10 = 3; *(uint8_t*)0x20007f11 = 1; *(uint8_t*)0x20007f12 = 9; *(uint8_t*)0x20007f13 = 2; *(uint16_t*)0x20007f14 = 0x4d; *(uint8_t*)0x20007f16 = 1; *(uint8_t*)0x20007f17 = 1; *(uint8_t*)0x20007f18 = 2; *(uint8_t*)0x20007f19 = 0x70; *(uint8_t*)0x20007f1a = 0x40; *(uint8_t*)0x20007f1b = 9; *(uint8_t*)0x20007f1c = 4; *(uint8_t*)0x20007f1d = 0; *(uint8_t*)0x20007f1e = 0xc4; *(uint8_t*)0x20007f1f = 3; *(uint8_t*)0x20007f20 = 2; *(uint8_t*)0x20007f21 = 6; *(uint8_t*)0x20007f22 = 0; *(uint8_t*)0x20007f23 = 0xe1; *(uint8_t*)0x20007f24 = 8; *(uint8_t*)0x20007f25 = 0x24; *(uint8_t*)0x20007f26 = 6; *(uint8_t*)0x20007f27 = 0; *(uint8_t*)0x20007f28 = 0; memcpy((void*)0x20007f29, "W?s", 3); *(uint8_t*)0x20007f2c = 5; *(uint8_t*)0x20007f2d = 0x24; *(uint8_t*)0x20007f2e = 0; *(uint16_t*)0x20007f2f = 3; *(uint8_t*)0x20007f31 = 0xd; *(uint8_t*)0x20007f32 = 0x24; *(uint8_t*)0x20007f33 = 0xf; *(uint8_t*)0x20007f34 = 1; *(uint32_t*)0x20007f35 = 0x200; *(uint16_t*)0x20007f39 = 0; *(uint16_t*)0x20007f3b = 0x200; *(uint8_t*)0x20007f3d = 3; *(uint8_t*)0x20007f3e = 6; *(uint8_t*)0x20007f3f = 0x24; *(uint8_t*)0x20007f40 = 0x1a; *(uint16_t*)0x20007f41 = 0x1000; *(uint8_t*)0x20007f43 = 0; *(uint8_t*)0x20007f44 = 9; *(uint8_t*)0x20007f45 = 5; *(uint8_t*)0x20007f46 = 0x81; *(uint8_t*)0x20007f47 = 3; *(uint16_t*)0x20007f48 = 0x20; *(uint8_t*)0x20007f4a = 0x3f; *(uint8_t*)0x20007f4b = 0; *(uint8_t*)0x20007f4c = 0xd8; *(uint8_t*)0x20007f4d = 9; *(uint8_t*)0x20007f4e = 5; *(uint8_t*)0x20007f4f = 0x82; *(uint8_t*)0x20007f50 = 2; *(uint16_t*)0x20007f51 = 8; *(uint8_t*)0x20007f53 = -1; *(uint8_t*)0x20007f54 = 0xec; *(uint8_t*)0x20007f55 = 5; *(uint8_t*)0x20007f56 = 9; *(uint8_t*)0x20007f57 = 5; *(uint8_t*)0x20007f58 = 3; *(uint8_t*)0x20007f59 = 2; *(uint16_t*)0x20007f5a = 0x3cf; *(uint8_t*)0x20007f5c = 0x81; *(uint8_t*)0x20007f5d = 0x39; *(uint8_t*)0x20007f5e = 5; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f80; *(uint8_t*)0x20007f80 = 0xa; *(uint8_t*)0x20007f81 = 6; 
*(uint16_t*)0x20007f82 = 0; *(uint8_t*)0x20007f84 = 2; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x77; *(uint8_t*)0x20007f87 = -1; *(uint8_t*)0x20007f88 = 0x2f; *(uint8_t*)0x20007f89 = 0; *(uint32_t*)0x20008288 = 5; *(uint32_t*)0x2000828c = 0x20007fc0; *(uint8_t*)0x20007fc0 = 5; *(uint8_t*)0x20007fc1 = 0xf; *(uint16_t*)0x20007fc2 = 5; *(uint8_t*)0x20007fc4 = 0; *(uint32_t*)0x20008290 = 5; *(uint32_t*)0x20008294 = 0x69; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 0x69; *(uint8_t*)0x20008001 = 3; memcpy((void*)0x20008002, "\xd2\x5a\x9c\x8f\x14\x52\xa3\xc6\xff\xbf\xec\xa8\xeb\x77\x79\x35\xb5\x8c\x9b\x74\x06\x77\x50\x86\xff\xf7\x17\xb5\x4f\x05\xac\x59\xf9\x45\x17\xff\x3c\xd6\xf3\x10\x1d\xbf\xa7\x9b\xb8\x2a\xe3\x1b\x1d\x31\x6d\x08\xa7\x1d\x14\xfc\x2c\x1c\xfa\x8c\x89\x30\x68\xbd\xe2\xbb\x83\x0a\xe9\x1f\xc9\x42\x88\xcc\x23\x2a\xaa\xc0\xe6\x4b\x84\x00\x7b\x0e\x75\x36\xc3\xec\x34\xed\xef\x04\xde\xd9\x34\x21\xa3\x77\xe0\x69\x53\x26\xaa", 103); *(uint32_t*)0x2000829c = 0xac; *(uint32_t*)0x200082a0 = 0x20008080; *(uint8_t*)0x20008080 = 0xac; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x73\x60\x60\x9c\xe8\x30\x0a\xe4\x62\x33\x08\xd5\xf8\xb9\x7b\xfd\x50\xd3\xd8\x63\x40\x8b\x8e\xa4\x01\xc8\x6d\xa9\xd4\x2c\xe5\xf3\x86\x7c\xe8\xd7\x21\xfb\x2a\xb5\xc2\x5f\x6b\x4c\x5e\x85\xf5\xea\xf3\x41\xbd\x51\x4a\x16\xc2\xdf\xe3\xc7\xa1\xd7\xf4\x27\xae\x62\xc0\xbf\xf3\x79\xe8\x4d\x56\x63\x7e\xc1\x37\x7b\x8c\x8a\xd5\xb5\x5b\x09\x9c\xfa\xa4\xa7\xa6\xee\xb0\x58\x9f\x81\xe7\xa4\x33\x00\xef\xf5\x33\x54\xe1\xb2\xbd\xcd\xc3\x4d\x79\x45\xd6\x35\x62\xe4\x8d\x5e\xd9\x3b\xef\x75\xfd\x01\x60\xfc\xd7\xc3\xa6\xbe\x7f\x0c\x64\x2b\xb6\xe5\x61\xe3\x5a\x1c\x73\x11\x0b\xdc\xde\xd7\x69\x98\x65\xe2\x5e\xb2\x38\xcf\x8f\x3b\x10\xad\x3c\x10\x48\x80\x28\xc3\x70\x63\xc8\x86\x2f\x90\x7b\x06\x82\x9e", 170); *(uint32_t*)0x200082a4 = 4; *(uint32_t*)0x200082a8 = 0x20008140; *(uint8_t*)0x20008140 = 4; *(uint8_t*)0x20008141 = 3; *(uint16_t*)0x20008142 = 0x81a; *(uint32_t*)0x200082ac = 4; 
*(uint32_t*)0x200082b0 = 0x20008180; *(uint8_t*)0x20008180 = 4; *(uint8_t*)0x20008181 = 3; *(uint16_t*)0x20008182 = 0x180a; *(uint32_t*)0x200082b4 = 0xb9; *(uint32_t*)0x200082b8 = 0x200081c0; *(uint8_t*)0x200081c0 = 0xb9; *(uint8_t*)0x200081c1 = 3; memcpy((void*)0x200081c2, "\x37\xef\xeb\x85\x4b\x40\x51\xa4\x6c\x67\xae\xe7\xea\xa0\xf6\x2f\xde\x9f\x59\x9c\xd5\xba\x25\x32\x9d\x50\xae\xe1\x6b\x30\xc6\xc1\xa5\x14\x83\x10\x81\xaf\xc1\xdf\xd2\x68\x2f\xf4\x87\x16\xa9\x1b\xf9\x5e\x08\x42\x12\xb0\x69\x6d\x43\xe1\xc6\xc4\x3a\xda\xf9\xed\x3e\xf7\x0e\x62\x73\x59\x94\xd2\xd0\x86\x51\x39\x60\x49\x88\xfa\xc1\x79\x78\xd9\xc0\x5a\x84\xf3\x42\x38\x31\xdd\x1d\xdd\xc6\xc9\x4d\x50\xdd\xd6\x74\xf1\x65\x25\xbb\xf9\xa8\xdb\x3b\xb4\x90\x01\xbe\x38\xa1\x96\x70\xab\xd9\x9f\x4a\x2e\x97\xcf\xb2\x0d\x46\xc6\x37\x83\x2a\x3e\xc9\x7f\xf0\x94\xc6\xa3\x30\x49\x64\xb7\x2b\xcf\x11\x6b\xf2\x7f\xed\xd5\x52\x1a\xd3\xda\x22\x62\x97\xff\xf8\x49\xc3\x3c\x5d\x84\x9e\x3e\x30\x37\x52\x79\x01\xee\xf6\x3a\x59\x9b\xaa\x54\xfc\x46\xa4\x6f\xf1", 183); res = -1; res = syz_usb_connect(2, 0x5f, 0x20007f00, 0x20008280); if (res != -1) r[23] = res; break; case 44: syz_usb_disconnect(r[23]); break; case 45: *(uint8_t*)0x200082c0 = 0x12; *(uint8_t*)0x200082c1 = 1; *(uint16_t*)0x200082c2 = 0x110; *(uint8_t*)0x200082c4 = 2; *(uint8_t*)0x200082c5 = 0; *(uint8_t*)0x200082c6 = 0; *(uint8_t*)0x200082c7 = 0x20; *(uint16_t*)0x200082c8 = 0x525; *(uint16_t*)0x200082ca = 0xa4a1; *(uint16_t*)0x200082cc = 0x40; *(uint8_t*)0x200082ce = 1; *(uint8_t*)0x200082cf = 2; *(uint8_t*)0x200082d0 = 3; *(uint8_t*)0x200082d1 = 1; *(uint8_t*)0x200082d2 = 9; *(uint8_t*)0x200082d3 = 2; *(uint16_t*)0x200082d4 = 0xb3; *(uint8_t*)0x200082d6 = 1; *(uint8_t*)0x200082d7 = 1; *(uint8_t*)0x200082d8 = 6; *(uint8_t*)0x200082d9 = 0x28; *(uint8_t*)0x200082da = -1; *(uint8_t*)0x200082db = 9; *(uint8_t*)0x200082dc = 4; *(uint8_t*)0x200082dd = 0; *(uint8_t*)0x200082de = 9; *(uint8_t*)0x200082df = 2; *(uint8_t*)0x200082e0 = 2; *(uint8_t*)0x200082e1 = 6; 
*(uint8_t*)0x200082e2 = 0; *(uint8_t*)0x200082e3 = 4; *(uint8_t*)0x200082e4 = 6; *(uint8_t*)0x200082e5 = 0x24; *(uint8_t*)0x200082e6 = 6; *(uint8_t*)0x200082e7 = 0; *(uint8_t*)0x200082e8 = 0; memset((void*)0x200082e9, 177, 1); *(uint8_t*)0x200082ea = 5; *(uint8_t*)0x200082eb = 0x24; *(uint8_t*)0x200082ec = 0; *(uint16_t*)0x200082ed = 8; *(uint8_t*)0x200082ef = 0xd; *(uint8_t*)0x200082f0 = 0x24; *(uint8_t*)0x200082f1 = 0xf; *(uint8_t*)0x200082f2 = 1; *(uint32_t*)0x200082f3 = 0x9208; *(uint16_t*)0x200082f7 = 2; *(uint16_t*)0x200082f9 = 0; *(uint8_t*)0x200082fb = 0x20; *(uint8_t*)0x200082fc = 0x5e; *(uint8_t*)0x200082fd = 0x24; *(uint8_t*)0x200082fe = 0x13; *(uint8_t*)0x200082ff = 7; memcpy((void*)0x20008300, "\x63\xb0\xb9\x53\x77\x14\x7b\xa2\x14\xd9\x50\xfc\x04\xb2\x2c\x04\xbe\x09\xd9\xb9\x6f\x1a\xb9\x4b\xb0\x2e\x8a\x2a\x9e\x23\xcf\x7d\x3a\xca\xb2\x2a\x80\xed\x35\x0e\xc4\xb1\x78\x06\xed\xcb\x16\x9e\x50\x75\x37\x3d\x99\x17\x80\x21\x13\x92\xeb\x3d\x9f\x11\x73\xa5\x39\x84\x3b\xf2\xc3\xf6\x6a\x4a\x69\x60\xa5\x5a\x22\x07\x76\x7d\xb3\xc5\x5a\x7d\xd2\x89\x8b\x5c\xcb\x40", 90); *(uint8_t*)0x2000835a = 0xc; *(uint8_t*)0x2000835b = 0x24; *(uint8_t*)0x2000835c = 0x1b; *(uint16_t*)0x2000835d = 0x2a; *(uint16_t*)0x2000835f = 0x100; *(uint8_t*)0x20008361 = 0xe0; *(uint8_t*)0x20008362 = 0x76; *(uint16_t*)0x20008363 = 0; *(uint8_t*)0x20008365 = -1; *(uint8_t*)0x20008366 = 4; *(uint8_t*)0x20008367 = 0x24; *(uint8_t*)0x20008368 = 2; *(uint8_t*)0x20008369 = 0xa; *(uint8_t*)0x2000836a = 9; *(uint8_t*)0x2000836b = 5; *(uint8_t*)0x2000836c = 0x81; *(uint8_t*)0x2000836d = 3; *(uint16_t*)0x2000836e = 0x20; *(uint8_t*)0x20008370 = 0x73; *(uint8_t*)0x20008371 = 0x35; *(uint8_t*)0x20008372 = 0x3f; *(uint8_t*)0x20008373 = 9; *(uint8_t*)0x20008374 = 5; *(uint8_t*)0x20008375 = 0x82; *(uint8_t*)0x20008376 = 2; *(uint16_t*)0x20008377 = 8; *(uint8_t*)0x20008379 = 3; *(uint8_t*)0x2000837a = 1; *(uint8_t*)0x2000837b = 3; *(uint8_t*)0x2000837c = 9; *(uint8_t*)0x2000837d = 5; *(uint8_t*)0x2000837e = 3; 
*(uint8_t*)0x2000837f = 2; *(uint16_t*)0x20008380 = 0x40; *(uint8_t*)0x20008382 = 5; *(uint8_t*)0x20008383 = 0x40; *(uint8_t*)0x20008384 = 2; *(uint32_t*)0x200087c0 = 0xa; *(uint32_t*)0x200087c4 = 0x200083c0; *(uint8_t*)0x200083c0 = 0xa; *(uint8_t*)0x200083c1 = 6; *(uint16_t*)0x200083c2 = 0x201; *(uint8_t*)0x200083c4 = 0x79; *(uint8_t*)0x200083c5 = 3; *(uint8_t*)0x200083c6 = 0x3f; *(uint8_t*)0x200083c7 = 0x20; *(uint8_t*)0x200083c8 = 6; *(uint8_t*)0x200083c9 = 0; *(uint32_t*)0x200087c8 = 0x37; *(uint32_t*)0x200087cc = 0x20008400; *(uint8_t*)0x20008400 = 5; *(uint8_t*)0x20008401 = 0xf; *(uint16_t*)0x20008402 = 0x37; *(uint8_t*)0x20008404 = 5; *(uint8_t*)0x20008405 = 7; *(uint8_t*)0x20008406 = 0x10; *(uint8_t*)0x20008407 = 2; STORE_BY_BITMASK(uint32_t, , 0x20008408, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008409, 0xa, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008409, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000840a, 5, 0, 16); *(uint8_t*)0x2000840c = 7; *(uint8_t*)0x2000840d = 0x10; *(uint8_t*)0x2000840e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000840f, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008410, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008410, 9, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008411, 8, 0, 16); *(uint8_t*)0x20008413 = 0xa; *(uint8_t*)0x20008414 = 0x10; *(uint8_t*)0x20008415 = 3; *(uint8_t*)0x20008416 = 0xc9; *(uint16_t*)0x20008417 = 7; *(uint8_t*)0x20008419 = 7; *(uint8_t*)0x2000841a = 0; *(uint16_t*)0x2000841b = 8; *(uint8_t*)0x2000841d = 0xa; *(uint8_t*)0x2000841e = 0x10; *(uint8_t*)0x2000841f = 3; *(uint8_t*)0x20008420 = 2; *(uint16_t*)0x20008421 = 0xc; *(uint8_t*)0x20008423 = 0; *(uint8_t*)0x20008424 = 6; *(uint16_t*)0x20008425 = 6; *(uint8_t*)0x20008427 = 0x10; *(uint8_t*)0x20008428 = 0x10; *(uint8_t*)0x20008429 = 0xa; *(uint8_t*)0x2000842a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000842b, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000842b, 0x8001, 5, 27); *(uint16_t*)0x2000842f = 0xf00f; *(uint16_t*)0x20008431 = 0xfffd; *(uint32_t*)0x20008433 = 
0x3fc0; *(uint32_t*)0x200087d0 = 9; *(uint32_t*)0x200087d4 = 0x4f; *(uint32_t*)0x200087d8 = 0x20008440; *(uint8_t*)0x20008440 = 0x4f; *(uint8_t*)0x20008441 = 3; memcpy((void*)0x20008442, "\xc0\x66\x3b\x11\x6d\xab\x9b\xa5\xc0\xa2\xf7\xa2\xad\x48\x6f\xfc\x16\x4a\x43\x65\x89\x95\x65\xc5\xe9\x9b\x01\x52\x39\xf3\x78\xdf\x56\xdb\x4d\xc3\xb0\xbb\x08\xdc\xd2\x08\xd9\x58\xfa\x3c\xf0\x80\x97\xaa\x20\x8b\x2d\x28\x65\xb5\x02\xcb\xc9\x4b\x1a\x8e\x33\xbd\xd9\xd6\x48\x1f\xbf\x32\xd4\x91\x34\x22\xfe\x18\x9f", 77); *(uint32_t*)0x200087dc = 0x85; *(uint32_t*)0x200087e0 = 0x200084c0; *(uint8_t*)0x200084c0 = 0x85; *(uint8_t*)0x200084c1 = 3; memcpy((void*)0x200084c2, "\xc9\xc4\x87\xa9\x0b\xe3\xd4\x0e\xf7\x82\x37\x3d\x78\x5f\x86\xbd\xfc\x3d\xb6\xfb\x0d\xd0\xa7\x44\x0b\x2f\xe4\x59\x5c\x3a\x6b\xd6\x7a\xa8\x51\x8d\x89\x7a\x8a\x75\x7d\x5f\x1c\xeb\x86\xe5\x98\xca\xbf\x23\x45\xf7\x71\xc3\xc7\x12\x8b\xd1\x6d\xd4\xb1\xee\x9b\x7d\xbc\xaf\x61\x1e\x97\xf6\xdc\xb9\xf1\x71\xe8\xf7\x05\x2b\x0f\x33\xe6\x31\xbf\xe9\x9d\xdc\x44\x13\xe5\xe5\xd7\xb6\x34\xdc\xc3\xb7\x7e\x4d\x30\x1f\x89\xa8\xd3\xb8\x51\xb0\x23\x06\xca\xbe\xc2\x11\x12\x7a\x8e\x54\x1d\x16\x26\x36\x58\x8f\xf5\x74\xde\x82\xde\x8f\x30\x7d\x43", 131); *(uint32_t*)0x200087e4 = 4; *(uint32_t*)0x200087e8 = 0x20008580; *(uint8_t*)0x20008580 = 4; *(uint8_t*)0x20008581 = 3; *(uint16_t*)0x20008582 = 0x1407; *(uint32_t*)0x200087ec = 4; *(uint32_t*)0x200087f0 = 0x200085c0; *(uint8_t*)0x200085c0 = 4; *(uint8_t*)0x200085c1 = 3; *(uint16_t*)0x200085c2 = 0; *(uint32_t*)0x200087f4 = 0xaa; *(uint32_t*)0x200087f8 = 0x20008600; *(uint8_t*)0x20008600 = 0xaa; *(uint8_t*)0x20008601 = 3; memcpy((void*)0x20008602, 
"\xce\x39\x5e\x8e\x9f\x40\x9a\x37\xda\xeb\x1c\x20\xbe\x9c\xa4\x00\x4a\xe8\x10\xcf\x16\x53\xec\xcd\x6e\x66\x3d\xd7\x4f\x8b\xc0\x69\x89\xb4\xd1\xa6\x5c\x9f\x48\x0b\xd3\x7e\x9d\xd8\x53\x49\xf2\x98\xdd\xad\xdc\x2c\xc9\xe4\xed\xa1\x47\xf2\x31\x40\x2e\x11\x6f\xb5\x94\xa6\x37\x18\xd8\x21\xd8\x85\xeb\xd6\x7e\xda\x45\x15\x58\xb1\xfb\xa3\x09\x3e\xcb\xd4\x0c\xbe\x5f\xbe\x07\xf9\x4e\xd9\x27\xd8\xe5\x03\x9a\x7c\x49\x7a\xa8\xd1\xf1\x0a\x4d\xda\xc0\x49\xad\x82\x0f\x8c\x53\x2c\x5a\x3f\x00\x94\x79\x55\x03\x24\x23\x92\x2e\x95\xaa\x5b\xfe\xe0\x41\xf7\xfe\x87\x44\xec\xc4\x42\x40\x57\xee\xc9\x70\x40\xb3\x41\xd0\xdd\xdc\xaf\x20\x6d\xa6\x43\x1e\x98\x7f\x04\xcf\xd5\x58\x02\xca\xd3\xa1\x14", 168); *(uint32_t*)0x200087fc = 4; *(uint32_t*)0x20008800 = 0x200086c0; *(uint8_t*)0x200086c0 = 4; *(uint8_t*)0x200086c1 = 3; *(uint16_t*)0x200086c2 = 0x3c01; *(uint32_t*)0x20008804 = 4; *(uint32_t*)0x20008808 = 0x20008700; *(uint8_t*)0x20008700 = 4; *(uint8_t*)0x20008701 = 3; *(uint16_t*)0x20008702 = 0x1809; *(uint32_t*)0x2000880c = 4; *(uint32_t*)0x20008810 = 0x20008740; *(uint8_t*)0x20008740 = 4; *(uint8_t*)0x20008741 = 3; *(uint16_t*)0x20008742 = 0x807; *(uint32_t*)0x20008814 = 4; *(uint32_t*)0x20008818 = 0x20008780; *(uint8_t*)0x20008780 = 4; *(uint8_t*)0x20008781 = 3; *(uint16_t*)0x20008782 = 0x1c; res = -1; res = syz_usb_connect(3, 0xc5, 0x200082c0, 0x200087c0); if (res != -1) r[24] = res; break; case 46: syz_usb_ep_read(r[24], 8, 0x7d, 0x20008840); break; case 47: *(uint8_t*)0x200088c0 = 0x12; *(uint8_t*)0x200088c1 = 1; *(uint16_t*)0x200088c2 = 0x250; *(uint8_t*)0x200088c4 = 0; *(uint8_t*)0x200088c5 = 0; *(uint8_t*)0x200088c6 = 0; *(uint8_t*)0x200088c7 = 0x10; *(uint16_t*)0x200088c8 = 0x56a; *(uint16_t*)0x200088ca = 0x62; *(uint16_t*)0x200088cc = 0x40; *(uint8_t*)0x200088ce = 1; *(uint8_t*)0x200088cf = 2; *(uint8_t*)0x200088d0 = 3; *(uint8_t*)0x200088d1 = 1; *(uint8_t*)0x200088d2 = 9; *(uint8_t*)0x200088d3 = 2; *(uint16_t*)0x200088d4 = 0x2d; *(uint8_t*)0x200088d6 = 1; *(uint8_t*)0x200088d7 = 1; 
*(uint8_t*)0x200088d8 = 0; *(uint8_t*)0x200088d9 = 0xf0; *(uint8_t*)0x200088da = 0x8e; *(uint8_t*)0x200088db = 9; *(uint8_t*)0x200088dc = 4; *(uint8_t*)0x200088dd = 0; *(uint8_t*)0x200088de = 5; *(uint8_t*)0x200088df = 1; *(uint8_t*)0x200088e0 = 3; *(uint8_t*)0x200088e1 = 1; *(uint8_t*)0x200088e2 = 2; *(uint8_t*)0x200088e3 = 0; *(uint8_t*)0x200088e4 = 9; *(uint8_t*)0x200088e5 = 0x21; *(uint16_t*)0x200088e6 = 3; *(uint8_t*)0x200088e8 = 0xf; *(uint8_t*)0x200088e9 = 1; *(uint8_t*)0x200088ea = 0x22; *(uint16_t*)0x200088eb = 0xa21; *(uint8_t*)0x200088ed = 9; *(uint8_t*)0x200088ee = 5; *(uint8_t*)0x200088ef = 0x81; *(uint8_t*)0x200088f0 = 3; *(uint16_t*)0x200088f1 = 0x3af; *(uint8_t*)0x200088f3 = 1; *(uint8_t*)0x200088f4 = 0x40; *(uint8_t*)0x200088f5 = 2; *(uint8_t*)0x200088f6 = 9; *(uint8_t*)0x200088f7 = 5; *(uint8_t*)0x200088f8 = 2; *(uint8_t*)0x200088f9 = 3; *(uint16_t*)0x200088fa = 0x10; *(uint8_t*)0x200088fc = 6; *(uint8_t*)0x200088fd = 1; *(uint8_t*)0x200088fe = 9; *(uint32_t*)0x20008c00 = 0xa; *(uint32_t*)0x20008c04 = 0x20008900; *(uint8_t*)0x20008900 = 0xa; *(uint8_t*)0x20008901 = 6; *(uint16_t*)0x20008902 = 0x250; *(uint8_t*)0x20008904 = 3; *(uint8_t*)0x20008905 = 1; *(uint8_t*)0x20008906 = 0x46; *(uint8_t*)0x20008907 = -1; *(uint8_t*)0x20008908 = 0x20; *(uint8_t*)0x20008909 = 0; *(uint32_t*)0x20008c08 = 0x34; *(uint32_t*)0x20008c0c = 0x20008940; *(uint8_t*)0x20008940 = 5; *(uint8_t*)0x20008941 = 0xf; *(uint16_t*)0x20008942 = 0x34; *(uint8_t*)0x20008944 = 2; *(uint8_t*)0x20008945 = 0xb; *(uint8_t*)0x20008946 = 0x10; *(uint8_t*)0x20008947 = 1; *(uint8_t*)0x20008948 = 2; *(uint16_t*)0x20008949 = 0xfa; *(uint8_t*)0x2000894b = 8; *(uint8_t*)0x2000894c = 0x80; *(uint16_t*)0x2000894d = 5; *(uint8_t*)0x2000894f = 3; *(uint8_t*)0x20008950 = 0x24; *(uint8_t*)0x20008951 = 0x10; *(uint8_t*)0x20008952 = 0xa; *(uint8_t*)0x20008953 = 5; STORE_BY_BITMASK(uint32_t, , 0x20008954, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20008954, 9, 5, 27); *(uint16_t*)0x20008958 = 0xf00f; 
*(uint16_t*)0x2000895a = 0; *(uint32_t*)0x2000895c = 0xffc00f; *(uint32_t*)0x20008960 = 0xff00c0; *(uint32_t*)0x20008964 = 0x101ffc0; *(uint32_t*)0x20008968 = 0xff0030; *(uint32_t*)0x2000896c = 0x30; *(uint32_t*)0x20008970 = 0x30; *(uint32_t*)0x20008c10 = 4; *(uint32_t*)0x20008c14 = 0xed; *(uint32_t*)0x20008c18 = 0x20008980; *(uint8_t*)0x20008980 = 0xed; *(uint8_t*)0x20008981 = 3; memcpy((void*)0x20008982, "\xe7\xdb\x91\x4e\xf4\xa7\x1a\x3a\xba\x44\x3e\xe1\x81\xc2\x72\xe7\xfb\xb6\x36\x48\xa9\x97\x75\x4b\x81\xa1\x93\x8f\x52\xb9\xfd\x8c\x2b\x76\xca\x28\xee\x1f\xcb\xa2\x80\x02\x1f\xbe\x02\xff\xa0\x3e\xa7\x53\xf2\xd5\x1b\x71\xf1\xcb\x93\x91\xea\x31\xfa\xab\xf8\xed\x37\xa9\x85\x3b\x87\xee\xba\xa0\xa1\x26\x96\x96\xe6\x5e\x30\x9e\xa4\xbf\x77\x55\xff\x1b\x99\x28\x0f\xd6\x82\x30\xd7\xd8\x99\xd0\x97\xe1\x6e\xe0\xb2\x24\xde\x57\x33\x94\x39\xc8\x0a\xd7\xfb\xf8\xbb\xf3\x2a\xa0\x0e\x29\x80\x2b\xde\x1c\x8c\x5e\x62\x28\xfa\x0a\x54\xc8\x35\x0e\xf9\x97\x11\x2f\x76\x3e\x17\x42\x8f\xb8\xe9\x5a\x56\x68\x95\x95\xf3\x0a\x3c\x16\x15\x18\x09\xb0\xc6\xb1\xd4\xd4\x76\x65\x10\xc6\xf0\x66\xfe\x4b\x35\xa3\xea\x90\xd3\x88\xd1\xb4\xd4\xe9\xc6\xb3\x09\x71\xe2\x37\xe2\x3f\xd2\x05\xf9\x90\x5e\xe7\xd7\x9f\x44\x43\x70\x7a\xdc\x7f\x65\xce\x2b\x15\x99\x4d\xaa\xc7\xb9\x54\x35\x3f\xb2\x32\x01\x84\x41\x22\x71\x05\x31\x87\x9c\x62\x91\xc7\xdf\xbf\x6b\xe4\x54\xb9\xcf\x2f\x2e", 235); *(uint32_t*)0x20008c1c = 4; *(uint32_t*)0x20008c20 = 0x20008a80; *(uint8_t*)0x20008a80 = 4; *(uint8_t*)0x20008a81 = 3; *(uint16_t*)0x20008a82 = 0x410; *(uint32_t*)0x20008c24 = 0x64; *(uint32_t*)0x20008c28 = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x64; *(uint8_t*)0x20008ac1 = 3; memcpy((void*)0x20008ac2, 
"\x04\x1c\x8b\x1b\xd1\x43\xea\x1d\x63\x82\x9b\x76\x9d\xdb\x88\x6a\x6a\xaf\xee\xdd\x5f\x65\x2b\xc9\x48\x67\x7c\x9a\x6e\x3a\xcf\xe0\x4a\x15\x19\x05\x3f\x95\xe5\xfc\xf7\x9b\x08\x53\x62\xcd\xac\x6a\xbb\xf8\xf1\x37\x81\xa6\x21\x88\x52\x57\x05\x2b\x12\x00\x45\xda\x2c\x49\x4a\x30\xbc\x6a\xe6\xc4\x16\x0c\xf4\x97\x00\x2a\xf8\xb7\x7e\x21\x68\x93\x24\xbd\x6e\x75\xac\xed\xa7\xcf\x6a\x50\x92\x0b\x2a\xb1", 98); *(uint32_t*)0x20008c2c = 0x87; *(uint32_t*)0x20008c30 = 0x20008b40; *(uint8_t*)0x20008b40 = 0x87; *(uint8_t*)0x20008b41 = 3; memcpy((void*)0x20008b42, "\x15\x08\x37\xb1\xe6\x9e\x50\x07\x39\x8a\xc0\x2c\x4a\x0b\x25\x07\x2d\xaa\x81\xa6\x4a\xf1\x0b\xcd\xc5\x73\x63\x33\xf4\x9c\x92\x1f\x86\xd9\xcb\xc6\xb7\x78\xf1\xd2\x16\x79\xd8\x47\xd5\xb8\xa9\xb7\x0f\xc5\x6b\xb5\xa4\x33\x04\x0a\xfd\x94\x37\x7b\x25\x15\xa5\x5c\xda\x70\xdb\x64\x44\x2a\xda\xe0\x90\x5a\xa9\x0f\x91\x1d\x3b\xee\xf8\x00\xab\x6f\xd8\x7a\x5c\x51\xfd\xa8\xfa\xa7\x50\xd1\x95\xc2\xe6\x57\x24\x97\x81\xc6\xaf\x05\x23\xe0\x49\x2f\x9a\x69\xe2\x27\xe1\x0c\xa0\x31\x0f\x1a\x01\x0f\x8b\x98\x6a\x9a\x05\x53\xa5\x33\x1f\x97\x54\xfc\x90", 133); res = -1; res = syz_usb_connect(3, 0x3f, 0x200088c0, 0x20008c00); if (res != -1) r[25] = res; break; case 48: memcpy((void*)0x20008c40, "\xa6\x90\x8c\x55\x30\x81\x4d\x6a\x6b\xfd\x6d\x6c\x75\x94\xd4\xaf\x8a\x49\x62\xd8\x82\xda\x65\x7b\xb4\x02\xc7\xd0\xae\x45\x35\x16\x81\x60\xdb\xf6\x7b\x82\xf2\x23\xd5\x77\xb0\xe1\x6e\x6a\xc3\xc4\x6a\x40\x15\xa6\xed\x7c\x4f\xa6\x5d\x1d\xba\xa2\x68\xb7\x48\xde\xc4\x67\x74\xec\xa9\x22\x47\x96\x94\x49\xa9\xf5\x9e\x9e\xdd\xe4\xd3\x7e\x7b\xd1\x78\x82\xeb\x00\x5e\x24\xfe\x43\xf5\x76\x54\x00\x0e\xad\xec\x3f\x1d\xe9\x91\x7e\xb2\x8c\x2a\x87\x71\x82\xc4\x7b\x55\x6d", 114); syz_usb_ep_write(r[25], 7, 0x72, 0x20008c40); break; case 49: syz_usbip_server_init(4); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); 
use_temporary_dir(); do_sandbox_none(); return 0; } :126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor184006337 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/17 (1.78s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) (fail_nth: 1) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000040)={0x0, 0xe6, "f137161ab86c594202b997d9f12d007021870322c8d909748409951ae9800c1e207f98b769c740f867ea14bbf8666a4f98d229aaafbc33c6c52168db8933c4a4a4a3dd3ce0ccea96e71d81ff4aca8331cb01bf35433853d1abd48fd6d0ce1314df6507bae535a2b4e3eaa74c5d23006594148a0fe5b4a884ef8f41346e49cc90474cb17bac301d4797ed05dfc6ccb74bebaabe549172d622a30605a4e49fd3f8537de5272c33ad4f07cd060577bce65e5c80a34168cde68117e4f900e35a3d888e02ee111752213b40d2af258c01f36de50ce8e83d4226a30d6a4cc43a883f6c20e3fada8ad2"}, &(0x7f0000000140)=0xee) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e22, 0x3, @private2, 0x1}}, [0x7fffffff, 0x1, 0x7fff, 0x4, 0x7, 0x1, 0x3ff, 0x40, 0x5, 0x1, 0x0, 0x7, 0x0, 0x8, 0x1f]}, 
&(0x7f0000000280)=0xfc) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e20, 0x9, @private2={0xfc, 0x2, '\x00', 0x1}, 0x3}}}, 0x84) r3 = openat$pktcdvd(0xffffff9c, &(0x7f0000000380), 0x0, 0x0) ioctl$MEDIA_REQUEST_IOC_QUEUE(r3, 0x7c80, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x7f, @private0, 0x5}}, 0x5, 0x476f}, 0x88) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_SRVCORE_ACQUIREGLOBALEVENTOBJECT(r3, 0xc0206440, &(0x7f0000000500)={0x1, 0x2, &(0x7f0000000480), &(0x7f00000004c0)={0x0}, 0x4, 0x8}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTQ2_RGXTDMSETTRANSFERCONTEXTPROPERTY(r3, 0xc0206440, &(0x7f00000005c0)={0x8a, 0x7, &(0x7f0000000540)={r4, 0x400}, &(0x7f0000000580), 0x10, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXBREAKPOINT_RGXENABLEBREAKPOINT(r3, 0xc0206440, &(0x7f0000000680)={0x83, 0x2, &(0x7f0000000600)={r4}, &(0x7f0000000640), 0x4, 0x4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@deauth={@wo_ht={{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x240}, @broadcast, @device_a, @random="2015d229785b", {0x8}}, 0x27, @val={0x8c, 0x18, {0xc93, "ffe3240f0484", @long="067ecc39a78a3ea47c22246d391b92c4"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_xfrm_policy_alloc_security\x00') syz_emit_ethernet(0xbc, &(0x7f0000000140)={@dev={'\xaa\xaa\xaa\xaa\xaa', 0x3b}, @broadcast, @void, {@mpls_mc={0x8848, {[{0x8, 0x0, 0x1}, {0x1, 0x0, 0x1}, {0x4, 0x0, 0x1}, {}, {0x0, 0x0, 0x1}], @ipv4=@dccp={{0x15, 0x4, 0x2, 0x33, 0x9a, 0x65, 0x0, 0x7, 0x21, 0x0, @dev={0xac, 0x14, 0x14, 0x1e}, @rand_addr=0x64010101, {[@noop, @end, @timestamp_addr={0x44, 0x1c, 0xe9, 0x1, 0x2, [{@dev={0xac, 0x14, 0x14, 0x28}, 0xf7e}, {@loopback, 0x7fff}, {@private=0xa010101, 0x5}]}, @generic={0x83, 0xe, "db10ac96c2cf817c67fc6d7e"}, @rr={0x7, 0x7, 0x87, 
[@local]}, @end, @ra={0x94, 0x4, 0x7}, @end, @generic={0x44, 0x5, "e0d910"}]}}, {{0x4e20, 0x4e23, 0x4, 0x1, 0xf, 0x0, 0x0, 0x9, 0x5, "d77b5a", 0x7, "c6dd9c"}, "494a1261c05df7372b3c29631b6232d41f19fa8727ecea11ccf1979683ceb144705e12c13fba0e399f08f58397f3ea7bdb746b3dcabe"}}}}}}, &(0x7f0000000200)={0x0, 0x3, [0xf9, 0x208, 0x50c, 0x74d]}) syz_emit_vhci(&(0x7f0000000240)=@HCI_EVENT_PKT={0x4, @HCI_EV_VENDOR={{0xff, 0xc1}, "0626cab051d180b0c2e36c0814bbca7e31d691502e1c7c0eae1a042e7372921a0c6dfccedd81a98f58b9850ba2f68bc25d5cab15a0af010796b5fdfb8a3b35f3eb48ee0c7b2ed287cf469fdec0248e957ef0dd22f3fc6d746e70262c277c016177e56a68031293b56b02c1b6f867d10a3bbf33817b39d487ae0659a68cffb8df46df59a7d104b7c6711d45af1f966d69e635809cf24a70d4c2ea9cc98d37599807148af36b475eb2ce56e027ac751769f8710272d187722ecdf7a8f86d8b977aa8"}}, 0xc4) syz_execute_func(&(0x7f0000000340)="c4c17d6f7072c4e1f9112fc4e3c95d33abc4c2790eb000000000c4e17a12b70c0000000f0156e9c4e10dd55e0cf30f526b000f7e20c4c179e702") syz_extract_tcp_res(&(0x7f0000000380), 0x80000000, 0x100) r5 = dup(0xffffffffffffffff) r6 = fcntl$getown(0xffffffffffffffff, 0x9) lstat(&(0x7f00000026c0)='./file0\x00', &(0x7f0000002700)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000002800)=0x0, &(0x7f0000002840), &(0x7f0000002880)=0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002ac0)={0x2020, 0x0, 0x0, 0x0}, 0x2020) statx(0xffffffffffffffff, &(0x7f0000004b00)='./file0\x00', 0x2000, 0x20, &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004d00)={{{@in6=@ipv4={""/10, ""/2, @private}, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000004e00)=0xe4) r13 = getgid() syz_fuse_handle_req(r5, &(0x7f00000003c0)="", 0x2000, &(0x7f0000004f40)={&(0x7f00000023c0)={0x50, 0x0, 0x3f, {0x7, 0x22, 0x8001, 0x1040000, 0x8, 0xf6e1, 0x8, 0x9}}, &(0x7f0000002440)={0x18, 0x0, 0x9, {0x40d}}, &(0x7f0000002480)={0x18, 0x0, 0x7, {0x7}}, &(0x7f00000024c0)={0x18, 
0x0, 0xffff, {0x8}}, &(0x7f0000002500)={0x18, 0x0, 0xce0, {0x1c}}, &(0x7f0000002540)={0x28, 0x0, 0x1, {{0x100, 0x5, 0x2, r6}}}, &(0x7f0000002580)={0x60, 0xfffffffffffffffe, 0x8, {{0xcd95, 0x1f, 0x7, 0x48, 0xaac5, 0x6, 0xad, 0x5}}}, &(0x7f0000002600)={0x18, 0xfffffffffffffff5, 0x9, {0x9}}, &(0x7f0000002640)={0x11, 0x0, 0x0, {'\x00'}}, &(0x7f0000002680)={0x20, 0x0, 0x10000}, &(0x7f0000002780)={0x78, 0x0, 0x9, {0x3, 0x0, 0x0, {0x6, 0x0, 0xfffffffffffff20d, 0xfffffffffffffff8, 0x1, 0x3ff, 0x5, 0x9, 0x726, 0x1000, 0x6, r7, 0xee01, 0x7, 0x7}}}, &(0x7f00000028c0)={0x90, 0x0, 0x3, {0x2, 0x2, 0x100000000, 0x61a26b8d, 0x6, 0x2, {0x1, 0x3, 0x1, 0x100000000, 0x3, 0x8f, 0x4, 0x1ff, 0x849, 0x1000, 0x7, r8, 0xffffffffffffffff, 0x5, 0x1f}}}, &(0x7f0000002980)={0x130, 0x0, 0xa00000000000, [{0x4, 0x1, 0x6, 0x9, '\x01\x01\x01\x01\x01\x01'}, {0x6, 0x1, 0x5, 0xfffffffe, '\xaa\xaa\xaa\xaa\xaa'}, {0x1, 0x1ff, 0x3, 0x7, '{#-'}, {0x5, 0x0, 0x2, 0x761, '[#'}, {0x3, 0x0, 0x2, 0x6, '#]'}, {0x1, 0x714, 0x5, 0x3, '*^\\^b'}, {0x5, 0xeb68, 0x4, 0xfffffa80, '--$-'}, {0x6, 0xfffffffffffffeff, 0x1, 0x1, '-'}, {0x1, 0x8, 0x3, 0xf2, '!\\{'}]}, &(0x7f0000004c40)={0xb0, 0x0, 0xcf, [{{0x1, 0x1, 0x3, 0x100000000, 0x4, 0x81, {0x5, 0x7f, 0x5, 0x6, 0xffff, 0x3, 0x1f, 0x3, 0x8, 0xc000, 0xf5c8, r10, r11, 0x2, 0x9}}, {0x4, 0x80, 0x5, 0x2, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000004e40)={0xa0, 0x0, 0x400, {{0x6, 0x2, 0x400, 0x7, 0x4, 0x9, {0x4, 0x1000, 0xffff, 0x6, 0x1, 0xffff, 0x65f, 0x647c2b8f, 0x400, 0x8000, 0x8, r12, r13, 0x3, 0x6b}}, {0x0, 0xd}}}, &(0x7f0000004f00)={0x20, 0x0, 0x800, {0x0, 0x0, 0x10001}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004f80), r5) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r14 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x343, &(0x7f0000004fc0)={0x0, 0x5004, 0x0, 0x1, 0x1de, 0x0, r14}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000005040)=0x0, &(0x7f0000005080)=0x0) r17 = openat$uinput(0xffffff9c, &(0x7f00000050c0), 0x2, 0x0) r18 = 
openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000005100), 0x488200, 0x0) syz_io_uring_submit(r15, r16, &(0x7f0000005140)=@IORING_OP_SPLICE={0x1e, 0x3, 0x0, @fd=r14, 0x200, {0x0, r17}, 0x6, 0x1, 0x0, {0x0, 0x0, r18}}, 0x3dd1) r19 = openat$keychord(0xffffff9c, &(0x7f0000005180), 0x171000, 0x0) r20 = openat$ubi_ctrl(0xffffff9c, &(0x7f00000051c0), 0x10400, 0x0) syz_kvm_setup_cpu$arm64(r19, r20, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005240)=[{0x0, &(0x7f0000005200)="4623d8a4ce0217c9e59555c166890679e3e0c1940df5b9fcbf91649ef54d80f0c8bcc80e36b5574c4bc9f943401854f56aa2", 0x32}], 0x1, 0x0, &(0x7f0000005280)=[@featur2], 0x1) r21 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x8000, r18, 0x0) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000052c0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005300), &(0x7f0000005340)='./file0\x00', 0xfd, 0x2, &(0x7f0000005540)=[{&(0x7f0000005380)="873519f25df082b371ba5b45adb5709c00805747c37fe044064595cd4728bf8980302b25b4b083b42b41336e130f1b6ff0a2f172498e522b4fe5826eababf53a9852f93ebeb841e1645f32936127029d68fe73eced89c1b93587012a47c42a583d6975592b3f2cdf4337fc6d5e85e5f5835fafe095935ec90484e9081aa8d22498431301baad4a34368c26c64d85326c7e00682178f8d13e6a8969f15b9d5dbcfec2c0e69680c3928ca015b92e25f5078de354fe32cc7121609a0762e1b73efd8967a2fe235e4d1ef9e5ac88bc1ed706a984641b06470b2294d045ce7eba51c0728938a2c6eeb6d8574429cc24bcb2a784", 0xf1, 0x40}, {&(0x7f0000005480)="62935bfe26e9c9f2dc3c3e9dfb491858efb598369bcca51923989ba943cf447baf56625df0f685ed2d034b37c07563f668728f6dc6833609b1221970e55088869d29c01b2dd05c4820b08042b5074008c9757712c480e25d89b9c48e957e5b5c7b0beccfb1fcccedbcedc83806038075fc2a0f8228beb47f1fece09bddcbbe0021abe9c3d198369b81b67dbd6a7d334b8d28b802cc97d934c164e97d9d7b70dc6c", 0xa1, 0x1ff}], 0x8800, &(0x7f0000005580)={[{'\xaa\xaa\xaa\xaa\xaa'}, {}, {':&-]!'}, {'}'}, {',-V'}, {'\\*})'}, {'*^\\^b'}], [{@appraise}, {@fowner_lt={'fowner<', r8}}, {@smackfshat={'smackfshat', 0x3d, 
'\xaa\xaa\xaa\xaa\xaa'}}, {@obj_type={'obj_type', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@dont_appraise}, {@dont_measure}, {@fowner_lt={'fowner<', r9}}, {@dont_appraise}]}) syz_open_dev$I2C(&(0x7f0000005640), 0x40, 0x300) syz_open_procfs(r6, &(0x7f0000005680)='net/if_inet6\x00') syz_open_pts(r19, 0x800) syz_read_part_table(0x9, 0x9, &(0x7f0000006c40)=[{&(0x7f00000056c0)="", 0x1000, 0x8001}, {&(0x7f00000066c0)="31e3c3fa6d99", 0x6, 0x3ff}, {&(0x7f0000006700)="39de863b7148208e432fcddbd9e9148e716c1b48a3967c870c70145d90ed681b3f8bce849fee7f50091570854e20103723e56454e711543f6e2be92c34090d8cc792260be9b960c1e4", 0x49, 0x9}, {&(0x7f0000006780)="17fad571f80fecd34a59bc03f6c02bbd6d56cd8d958924b4ae4189b88b85897efd4e596e1118bb0c771c2c5ba37ded06d78111390c1c80cf6ea9df8727f88559815ed76b36fa13fb4d08e1ccdad7973b5bec5655a74a671fde99ee92397c56d409dadb10c4c37ee92cb41d03ae6fb164e7f86985039128d38be83b5e16c35ee34eb2b8396c5348028781a0a879f88159740ab89705d637bedafa915f195a152597fa0d7da9b76476602c6eeefca1e80a6d3d0ed1a75b00f7a5e153dd851e2301c8daa7d49b4ad91c62d1a6967f54cf9621c240ed587192f69959e05407850ce3831c4e811e6fff1cdf93cfabde887358316881845356d7", 0xf7, 0x26}, {&(0x7f0000006880)="c286968e2238742a47e0e8d444a6a661b7708222f4eddab97a749dcebe2cc83a314b828795f915a36d873b714aef15ddb1b4f62f06800bbe85eaebcb76abe944719249ee7927c88e78a968e93f45c52013ef97ef6f989b1d1cd30fff88677962c8f3052ad0a4631e4e750ba80f3753916c2dffc6a4023cdb62a1b5f2afbb965b2f78c5dd47af90b002da1a26a24fcb99bf81fb29574a2f98107a7937639873b95f4a569a0406cc358b46efae587e9008be69d711ae202c22e29a2f615fd23dcf", 0xc0}, {&(0x7f0000006940)="97fc4dd9db673e16fd0f0eb9a4a26e2a49f42e1616190b0634dfd6135145f4e451bbbad56dadf266964eba7d1007c0a23f8cf03d4f8fe09a7989152b7cf2ec30f2693a06befdf023d79f48c208d742c7b75915bcc1be583517ced3b826b97075e62a8ed12dbb264807c6ffd0227614491fb9de0d8a925a2638c31608de405bbf79e96f171fd58338b1d6979d33a7dae8ad62f2ba53fefc3c", 0x98, 0x20}, 
{&(0x7f0000006a00)="77d8d606bfb424e7b995809ab4f559115fd82e972d98b651dfc69b10df600fb4f78efd586f9cc26edc41b1d2fac87efe59e262411f27a94cf796ed31236b457ca0f147530efbd4cfa6b6a0fee46c25abcf7ad8282aae5299e299799cd52d0a58d7ff9dddd0103724c88da92dbefab6248038abef9ec52264afc74825f7ea70b2ca95d6900f9b647a3f986e18287cb2bf4b4c19efc8c218fd905c3727c86c37026bfbde3af078eb07b798e6d3d8f2e4d5d3bc188cdd20f2ebb1461c5e53b05f2989ffac3b168dee56da0fc011974c660e400ae2d8b2c80acb231581ee91763129b2888aeb12", 0xe5, 0x800}, {&(0x7f0000006b00)="560c1bea71b0f97244fa386d26bf6b1b04308e4bc7fffa", 0x17, 0x80000001}, {&(0x7f0000006b40)="14e55a14a7953387ee55333c1d1694ca98c7999b49788642766805d6f5a290eb1e959ee35a740459e13300262f2af9c357f7a8c1cba187e448bc3c8f865cc9be88624fb0f0d0bb885d9cc2abe171a2478a7420db22e8607e3fbec7e2601d9e11086cfa8cf14d99676b679d8d6bf1dd4faab8fe9a5f4e3f695fe2e6abf09f702683802d44cc3a298255c4c59533731ff5b23e053afb716d58cad667686ee647f48e199c9b5c3d0d2d470f2ce1c5b8b5708ae023ad9880caf31d01f96aebbfcc7df95358a016c5471cc2ce2ced6105057c9d22c8167890ca19", 0xd8, 0x400}]) syz_usb_connect(0x2, 0x6c6, &(0x7f0000006cc0)={{0x12, 0x1, 0x200, 0x62, 0xa5, 0xbe, 0x10, 0x2833, 0x211, 0x37a4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6b4, 0x1, 0x20, 0x0, 0xa0, 0x1, [{{0x9, 0x4, 0xdf, 0x0, 0x10, 0xff, 0x1, 0x0, 0x5, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x1, 0x1}]}, @cdc_ecm={{0x9, 0x24, 0x6, 0x0, 0x0, "fd506508"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x40000000, 0x8, 0x4cc5, 0x7f}, [@network_terminal={0x7, 0x24, 0xa, 0x8, 0x3f, 0x0, 0x81}, @country_functional={0x10, 0x24, 0x7, 0x80, 0x5, [0x44, 0x2, 0x800, 0x101, 0x4]}, @acm={0x4, 0x24, 0x2, 0x4}, @mbim_extended={0x8, 0x24, 0x1c, 0x0, 0xc0, 0x5325}, @ncm={0x6, 0x24, 0x1a, 0x7f}]}], [{{0x9, 0x5, 0x5, 0x0, 0xa716c6d63b98b5a2, 0x6, 0x0, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xe9, 0xf000}]}}, {{0x9, 0x5, 0xe, 0x2, 0x200, 0x8, 0x7, 0x40}}, {{0x9, 0x5, 0x0, 0x10605a5c87a92a7e, 0x200, 0x8, 0x3, 0x1, [@generic={0x9b, 0x21, 
"f2ef0a5c069cdb319138e185061d7e196ae94e535d80f27666fba23b374325f15dc5f20812fe05b0620f6ffcb81003b1f39c5dcd1bff14e2bbeb387335a3534f5adb60ffc4f28595c8f992f77fd5f67a04842b9c4364e3556be9bacb8fd56ed77859291153f6c566026363bfa5f2e6ff2fa6d29317f2d562445364939915a75dd7365f6ab9c15ddbc7c3a45f7eb98fd1fea3551bbd46f20a87"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x3ff, 0x1, 0x20, 0xef, [@generic={0xec, 0x6, "f642246a5372991db97e5824a410e28300d3bd153638f6dac6e1189a0c560a0a0e5f8b15e07879ac95016515202646a7b5b5fc74b7cd40d515b2849d8c1dd9ae4fca16c2e6cf0e8a20ce54f05fa123c019208cb34b5ee561c274ea40a7b34e5813a4a29be40817eb1f7b3e9bef60f7c56657481236b93e2c297f17c776b98f1d0c8f2a56447766c7288ba6b1e385b84a516a98ab729ba70e31fee3aab101d590a4481ae5856326c6825b73c7ae7d3b99cb3c59db31a12726234b900584e8db779352188d12c932d4aacb59eef33d33b9550510cf2b49da747e031c83117b511a1bb93ed76c716e6a0254"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x40}]}}, {{0x9, 0x5, 0x1, 0x0, 0x100, 0xfe, 0x8, 0x37, [@generic={0xe9, 0x23, "1a0e3542857d49ea63b7261ebfc19f14272e284d2665d2795e43f6f9ca62776c9ee52d991879d7d67b4d8b270fd51598beac1c0339b2257ad68c1dde54885ae2d219b87cde159a9897c88bda26e08a3691055022739c1fe64adb98639dc25421c449cf364800c4c365062f2488e6901e56e62f4b703eae7af26298a1eee1bfe62d9b2ae35320ae2baf174e94ff55321097be81e0279f5d0aa84dd18ca0864d98d0edbbeaa19ddf3626fd83a2e2b5f676a734d4784b3c6877fd1bb3c9543df7abda9bd9c9be405949747e21073c18957fff0eaac0273cfd3f702cb65597949a172726f7e459536c"}, @generic={0x18, 0x10, "a0289017f3f433f11059489a61115823e1138ae84a34"}]}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0x67, 0x3, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x80, 0x2e6}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x48, 0x35, 0x8, [@generic={0xe5, 0x5, 
"30efe9c1a6e5c89c2031214c60fbbeaa4578091e38009c761d15774802934cfd36355b3518ccfe59fa5e7ccee3c13ac4affbe073e0e788c9b5e32216efbf02e35869d7b233a389f812bfd849433c328466eda5e0e3237529cdc65e4eee743d31ffc186a1fe794bdf1364f31eaeff39829e8f6144850d7470cc71572d1f2f23dccdbcdd99e4930de7edbf59b338db3490305fd7710257980b7f76b8daeacb2ad618131fb9b5a3e026c9ddbd69483cd794caad29f2e3b63124a952b462de0cd951d7efd9b3b29107b641417e7783d90159137fa5273a95e0cc46c97c2246e611acb14b4d"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x8, 0x0, 0x33, 0x9}}, {{0x9, 0x5, 0x2, 0xc, 0x400, 0xed, 0x7, 0x9, [@generic={0x84, 0x31, "ee4cd219154df491c4d32aa32112cff407511b06b17f743409ecc216c31e92cefa2b5cc59e634d7aeba2c9e5e36d8efadc0255172518f909b4e1a7daf4d988b1eeaf196c76ee902b657d12fc23c21e176cd149e98a8d8d5755b74fed1a4284bcfd6e6961951ff8216f7bb42f790edd539c1bc5bbac44f767a685c57cbbdec830c52c"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x1, 0xfe01}]}}, {{0x9, 0x5, 0x3, 0x0, 0x40, 0x2, 0x5, 0x3}}, {{0x9, 0x5, 0x0, 0x0, 0x400, 0x0, 0x2f, 0x4}}, {{0x9, 0x5, 0x8f, 0x8, 0x8, 0x81, 0x1, 0x7f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xfb}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0x40, 0x76, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x31, 0x8}]}}, {{0x9, 0x5, 0xf, 0x10, 0x3ff, 0x6, 0xb2, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x80, 0x6}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x6, 0xca, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x10, 0x400, 0x1, 0xfc, 0x4, [@generic={0xd4, 0x21, "28a1dfa1d28f9ae60d0a8e9e3c512db35369d479fa6e6aa099e267e1ced77ca2e180b429779023a872b0ef8807e11f8b8b21b811d4fe5527335ce86e3a95cdf960d1e79e88c276c174d183d2f3bc0862dd7e1d29ac589ceb22024e25a44c3e8123581d1448fd2db5332fe41c23f9aa959564f32db1da14610415ddc293dc57c9d6c775d22151bdab236a5a73592e5518055728ae819e25c080cbb9bf0203b6639b8fd8d716d9c571d6b260ea297733d53c3a05449b9b9221d0f402610c9837189f9c6ab3baaf031d48692690c9981cee1426"}, @generic={0xc3, 0x6, 
"60ed98576fbbbee3db67d535ea7e1a19d92d689e2f03308a615a5641e72e694d996f76c1111c88c507c39a87f34a3682dafbfe583b79f5b950a30614162c605f7e6c5d452b4f84a145f20bf4470ddf43f06c415dc6c41551fd458ba6aedf57d74cb85a25e43324814b62c3be4108b1ea5b9dd22a78a45cdf5d8f27c11f35026bf7ef10c7d1f0615fe1c44a302a84d88b8d6c2d85049c9f48a04b4e61801c017f609b673fc8290f7362a0ed35882a335b657f835fce8e20100cde82c1a3dc180611"}]}}]}}]}}]}}, &(0x7f0000007740)={0xa, &(0x7f00000073c0)={0xa, 0x6, 0x310, 0x5, 0x80, 0xff, 0xbf, 0x5}, 0x5, &(0x7f0000007400)={0x5, 0xf, 0x5}, 0x5, [{0xa8, &(0x7f0000007440)=@string={0xa8, 0x3, "0584bddc149671f9e6c6cd123b796cafe2eb5d2bd3cf65e3eb0f3a601aba7164713d4042653f2cca182207d4e7ffa8bc71e705aa48bcff03fddd2e3e6bebe11cb61f95faf14afdf29440021e851fb682aa24e624e833952db6d1f96aa7edfc74ce501359694c7583eb5e48dfe227d2105d5e3d2359e3c728a48adff09b1132f928893ceefae67700983be1ca94e818e7a1463c802f1fc2a72d40900933403d7b255a35d9dc33"}}, {0x4, &(0x7f0000007500)=@lang_id={0x4, 0x3, 0x42c}}, {0xf4, &(0x7f0000007540)=@string={0xf4, 0x3, "1c537117dc720af3ccf108687c86cb544bc885379e435dbb861bc9a01550592e6008ae94a1f98317ad9cd804016b079b5ec294dcaf4537cf5b68c3c4353754caf369ba34101cbd21926b15cef67ab63ead40abfbef867b372fe2781866f87a2dccf98ffe66531c1d5021406c69ce84b439130cac71f52564b7c8fa621d71d5ff001517593f059da0cb82f1fd5e327df9abec4946e34e20d3f1df8f4a0422f9bb538949b4a14d1b3afd6793e81d3ba596d16d8cee0e700314e531e602fe5cb832b22c7a2f9f36f39d053876478157d541e8c0977a9acaf691f1234f665d234f82ee90ff8982d9c1371a15ddc8ed2392dd5a96"}}, {0x98, &(0x7f0000007640)=@string={0x98, 0x3, "078cbefd67796b8d00c6a027e5d07bc3b00756acafb9096e3e381a99fdbe8a5161ca19a9628d61baefd6972b48f5e04b0fa6e2b99cca8df5b50dbd97d656c02f8583a58ce8cbd35c69fb3f86de0ddac90f5be8d4f04a3ad4f31293b509959139bea0f3067d0ebfa3c5b210e1993078b0ae929561fc7734869b3dd8d812c00a3035236166a31227ae291e696ab4f81f4e3f02d6b2f334"}}, {0x4, &(0x7f0000007700)=@lang_id={0x4, 0x3, 0x43e}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007780)={{0x12, 0x1, 0x200, 0xff, 
0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f00000079c0)={0x18, &(0x7f0000007800)={0x20, 0x11, 0xb7, {0xb7, 0x9, "72f591ba5c694f16a4d92075ef3ec8bc46920954799ec8d3c0308f3b4779da6e18e9824a86746d013a399afc7f6fceb6c37f7f131c71ebc001f666ea63ed3ade132009735a546622f9e639d481c967cc7b5b747cc5e62fdc41bbb4bb95878a442cc49111c0f57886f17077a1b4b22e3cf28eecb798feed6f168dd9cc2646f8b79ed41bba94de9e304fc845179a7321f04784aa917ba08405b0a95b8303d914ef8e374780dd8e3437c95c35764cd063e7a3ec6d790b"}}, &(0x7f00000078c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x813}}, &(0x7f0000007900)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x18, 0x8, 0x0, 0x3}]}}, &(0x7f0000007940)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7, 0x80, 0x6, 0xe0, "8402487c", "8056a3ff"}}, &(0x7f0000007980)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xa7, 0x2, 0x7d, 0x0, 0x80, 0x7, 0x6}}}, &(0x7f0000007e80)={0x44, &(0x7f0000007a00)={0x40, 0x10, 0x8c, "21b83825059f24506d8e842085d1f2e7f964471b20ed0a8e50a9aa4ef16b5a6f2dbb2b570a4f8d13d60e47bb7821ff912111dee40a78d42b4d13ea812d929ccf3964c5468f89d2d21630ec87067a2d13f45238b446bf57c6b9ec35578fa587fc77fe2108b1590be081681ccc024f1f590be9e5bec9ea86b9803c60299dda1a82f8ff04428671a43bc2c3393a"}, &(0x7f0000007ac0)={0x0, 0xa, 0x1, 0x4}, &(0x7f0000007b00)={0x0, 0x8, 0x1, 0xfb}, &(0x7f0000007b40)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000007b80)={0x20, 0x0, 0x4, {0x140, 0x20}}, &(0x7f0000007bc0)={0x40, 0x7, 0x2, 0x3ff}, &(0x7f0000007c00)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000007c40)={0x40, 0xb, 0x2, "8a02"}, &(0x7f0000007c80)={0x40, 0xf, 0x2, 0x321a}, &(0x7f0000007cc0)={0x40, 0x13, 0x6, @link_local}, &(0x7f0000007d00)={0x40, 0x17, 0x6, @random="b0fe281fa391"}, &(0x7f0000007d40)={0x40, 0x19, 0x2, '#7'}, &(0x7f0000007d80)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000007dc0)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007e00)={0x40, 0x1e, 0x1, 0x6}, &(0x7f0000007e40)={0x40, 0x21, 0x1, 0x9e}}) r23 = syz_usb_connect$cdc_ecm(0x2, 0x5f, 
&(0x7f0000007f00)={{0x12, 0x1, 0x70, 0x2, 0x0, 0x0, 0x50, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4d, 0x1, 0x1, 0x2, 0x70, 0x40, [{{0x9, 0x4, 0x0, 0xc4, 0x3, 0x2, 0x6, 0x0, 0xe1, {{0x8, 0x24, 0x6, 0x0, 0x0, 'W?s'}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x200, 0x0, 0x200, 0x3}, [@ncm={0x6, 0x24, 0x1a, 0x1000}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x3f, 0x0, 0xd8}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0xff, 0xec, 0x5}}, {{0x9, 0x5, 0x3, 0x2, 0x3cf, 0x81, 0x39, 0x5}}}}}]}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f80)={0xa, 0x6, 0x0, 0x2, 0x20, 0x77, 0xff, 0x2f}, 0x5, &(0x7f0000007fc0)={0x5, 0xf, 0x5}, 0x5, [{0x69, &(0x7f0000008000)=@string={0x69, 0x3, "d25a9c8f1452a3c6ffbfeca8eb777935b58c9b7406775086fff717b54f05ac59f94517ff3cd6f3101dbfa79bb82ae31b1d316d08a71d14fc2c1cfa8c893068bde2bb830ae91fc94288cc232aaac0e64b84007b0e7536c3ec34edef04ded93421a377e0695326aa"}}, {0xac, &(0x7f0000008080)=@string={0xac, 0x3, "7360609ce8300ae4623308d5f8b97bfd50d3d863408b8ea401c86da9d42ce5f3867ce8d721fb2ab5c25f6b4c5e85f5eaf341bd514a16c2dfe3c7a1d7f427ae62c0bff379e84d56637ec1377b8c8ad5b55b099cfaa4a7a6eeb0589f81e7a43300eff53354e1b2bdcdc34d7945d63562e48d5ed93bef75fd0160fcd7c3a6be7f0c642bb6e561e35a1c73110bdcded7699865e25eb238cf8f3b10ad3c10488028c37063c8862f907b06829e"}}, {0x4, &(0x7f0000008140)=@lang_id={0x4, 0x3, 0x81a}}, {0x4, &(0x7f0000008180)=@lang_id={0x4, 0x3, 0x180a}}, {0xb9, &(0x7f00000081c0)=@string={0xb9, 0x3, "37efeb854b4051a46c67aee7eaa0f62fde9f599cd5ba25329d50aee16b30c6c1a514831081afc1dfd2682ff48716a91bf95e084212b0696d43e1c6c43adaf9ed3ef70e62735994d2d0865139604988fac17978d9c05a84f3423831dd1dddc6c94d50ddd674f16525bbf9a8db3bb49001be38a19670abd99f4a2e97cfb20d46c637832a3ec97ff094c6a3304964b72bcf116bf27fedd5521ad3da226297fff849c33c5d849e3e3037527901eef63a599baa54fc46a46ff1"}}]}) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ecm(0x3, 0xc5, &(0x7f00000082c0)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xb3, 0x1, 0x1, 0x6, 
0x28, 0xff, [{{0x9, 0x4, 0x0, 0x9, 0x2, 0x2, 0x6, 0x0, 0x4, {{0x6, 0x24, 0x6, 0x0, 0x0, "b1"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9208, 0x2, 0x0, 0x20}, [@mdlm_detail={0x5e, 0x24, 0x13, 0x7, "63b0b95377147ba214d950fc04b22c04be09d9b96f1ab94bb02e8a2a9e23cf7d3acab22a80ed350ec4b17806edcb169e5075373d991780211392eb3d9f1173a539843bf2c3f66a4a6960a55a2207767db3c55a7dd2898b5ccb40"}, @mbim={0xc, 0x24, 0x1b, 0x2a, 0x100, 0xe0, 0x76, 0x0, 0xff}, @acm={0x4, 0x24, 0x2, 0xa}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x73, 0x35, 0x3f}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0x3, 0x1, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x40, 0x2}}}}}]}}]}}, &(0x7f00000087c0)={0xa, &(0x7f00000083c0)={0xa, 0x6, 0x201, 0x79, 0x3, 0x3f, 0x20, 0x6}, 0x37, &(0x7f0000008400)={0x5, 0xf, 0x37, 0x5, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0xa, 0x6, 0x5}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x1, 0x9, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0xa737ee064a5fddc9, 0x7, 0x7, 0x0, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x0, 0x6, 0x6}, @ssp_cap={0x10, 0x10, 0xa, 0x1, 0x1, 0x8001, 0xf00f, 0xfffd, [0x3fc0]}]}, 0x9, [{0x4f, &(0x7f0000008440)=@string={0x4f, 0x3, "c0663b116dab9ba5c0a2f7a2ad486ffc164a4365899565c5e99b015239f378df56db4dc3b0bb08dcd208d958fa3cf08097aa208b2d2865b502cbc94b1a8e33bdd9d6481fbf32d4913422fe189f"}}, {0x85, &(0x7f00000084c0)=@string={0x85, 0x3, "c9c487a90be3d40ef782373d785f86bdfc3db6fb0dd0a7440b2fe4595c3a6bd67aa8518d897a8a757d5f1ceb86e598cabf2345f771c3c7128bd16dd4b1ee9b7dbcaf611e97f6dcb9f171e8f7052b0f33e631bfe99ddc4413e5e5d7b634dcc3b77e4d301f89a8d3b851b02306cabec211127a8e541d162636588ff574de82de8f307d43"}}, {0x4, &(0x7f0000008580)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f00000085c0)=@lang_id={0x4}}, {0xaa, &(0x7f0000008600)=@string={0xaa, 0x3, 
"ce395e8e9f409a37daeb1c20be9ca4004ae810cf1653eccd6e663dd74f8bc06989b4d1a65c9f480bd37e9dd85349f298ddaddc2cc9e4eda147f231402e116fb594a63718d821d885ebd67eda451558b1fba3093ecbd40cbe5fbe07f94ed927d8e5039a7c497aa8d1f10a4ddac049ad820f8c532c5a3f00947955032423922e95aa5bfee041f7fe8744ecc4424057eec97040b341d0dddcaf206da6431e987f04cfd55802cad3a114"}}, {0x4, &(0x7f00000086c0)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000008700)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000008740)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000008780)=@lang_id={0x4, 0x3, 0x1c}}]}) syz_usb_ep_read(r24, 0x8, 0x7d, &(0x7f0000008840)=""/125) r25 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f00000088c0)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x10, 0x56a, 0x62, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0xf0, 0x8e, [{{0x9, 0x4, 0x0, 0x5, 0x1, 0x3, 0x1, 0x2, 0x0, {0x9, 0x21, 0x3, 0xf, 0x1, {0x22, 0xa21}}, {{{0x9, 0x5, 0x81, 0x3, 0x3af, 0x1, 0x40, 0x2}}, [{{0x9, 0x5, 0x2, 0x3, 0x10, 0x6, 0x1, 0x9}}]}}}]}}]}}, &(0x7f0000008c00)={0xa, &(0x7f0000008900)={0xa, 0x6, 0x250, 0x3, 0x1, 0x46, 0xff, 0x20}, 0x34, &(0x7f0000008940)={0x5, 0xf, 0x34, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0xfa, 0x8, 0x80, 0x5, 0x3}, @ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x9, 0xf00f, 0x0, [0xffc00f, 0xff00c0, 0x101ffc0, 0xff0030, 0x30, 0x30]}]}, 0x4, [{0xed, &(0x7f0000008980)=@string={0xed, 0x3, "e7db914ef4a71a3aba443ee181c272e7fbb63648a997754b81a1938f52b9fd8c2b76ca28ee1fcba280021fbe02ffa03ea753f2d51b71f1cb9391ea31faabf8ed37a9853b87eebaa0a1269696e65e309ea4bf7755ff1b99280fd68230d7d899d097e16ee0b224de57339439c80ad7fbf8bbf32aa00e29802bde1c8c5e6228fa0a54c8350ef997112f763e17428fb8e95a56689595f30a3c16151809b0c6b1d4d4766510c6f066fe4b35a3ea90d388d1b4d4e9c6b30971e237e23fd205f9905ee7d79f4443707adc7f65ce2b15994daac7b954353fb23201844122710531879c6291c7dfbf6be454b9cf2f2e"}}, {0x4, &(0x7f0000008a80)=@lang_id={0x4, 0x3, 0x410}}, {0x64, &(0x7f0000008ac0)=@string={0x64, 0x3, 
"041c8b1bd143ea1d63829b769ddb886a6aafeedd5f652bc948677c9a6e3acfe04a1519053f95e5fcf79b085362cdac6abbf8f13781a621885257052b120045da2c494a30bc6ae6c4160cf497002af8b77e21689324bd6e75aceda7cf6a50920b2ab1"}}, {0x87, &(0x7f0000008b40)=@string={0x87, 0x3, "150837b1e69e5007398ac02c4a0b25072daa81a64af10bcdc5736333f49c921f86d9cbc6b778f1d21679d847d5b8a9b70fc56bb5a433040afd94377b2515a55cda70db64442adae0905aa90f911d3beef800ab6fd87a5c51fda8faa750d195c2e657249781c6af0523e0492f9a69e227e10ca0310f1a010f8b986a9a0553a5331f9754fc90"}}]}) syz_usb_ep_write(r25, 0x7, 0x72, &(0x7f0000008c40)="a6908c5530814d6a6bfd6d6c7594d4af8a4962d882da657bb402c7d0ae4535168160dbf67b82f223d577b0e16e6ac3c46a4015a6ed7c4fa65d1dbaa268b748dec46774eca92247969449a9f59e9edde4d37e7bd17882eb005e24fe43f57654000eadec3f1de9917eb28c2a877182c47b556d") syz_usbip_server_init(0x4) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, 
__ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == 
NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int 
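// (tail of struct join_ibss_props, which opens on the preceding line)
ssid_len;
};

// Bring the network interface `interface_name` up (on != 0) or down (on == 0):
// read its flags with SIOCGIFFLAGS, toggle IFF_UP, write them back with
// SIOCSIFFLAGS. Returns 0 on success and -1 on any failure.
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	memset(&ifr, 0, sizeof(ifr));

	// ifr_name is a fixed-size array and nl80211_setup_ibss_interface forwards
	// its `interface` argument here unchecked. Reject a name that does not fit
	// together with its terminating NUL instead of letting an unbounded
	// strcpy() write past the end of `ifr` on the stack.
	size_t name_len = strnlen(interface_name, sizeof(ifr.ifr_name));
	if (name_len >= sizeof(ifr.ifr_name)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	// The memset above already supplies the terminating NUL.
	memcpy(ifr.ifr_name, interface_name, name_len);

	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0)
		return -1;

	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}

	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;

	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	return ret < 0 ? -1 : 0;
}

// Send NL80211_CMD_SET_INTERFACE for `ifindex` with the requested `iftype`
// over the generic-netlink socket `sock`. Returns whatever netlink_send()
// returns (0, or a negative errno taken from the kernel's NLMSG_ERROR reply).
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;

	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	return netlink_send(nlmsg, sock);
}

// Send NL80211_CMD_JOIN_IBSS for `ifindex` using the SSID, frequency and the
// optional MAC / fixed-frequency flag from `props`. Returns whatever
// netlink_send() returns.
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;

	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	// NOTE(review): netlink_attr() copies `ssid_len` bytes into nlmsg->buf
	// without a bounds check of its own; the length is whatever the caller
	// put into props. Confirm the caller bounds it.
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	return netlink_send(nlmsg, sock);
}

// (head of get_ifla_operstate; the function continues on the following line)
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return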
-1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = 
*cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
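// (tail of syz_io_uring_setup, which begins on the preceding line)
sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Copy one 64-byte SQE from `a2` into slot `a3` of the SQE array at `a1`,
// publish that slot index in the SQ index array of the ring mapped at `a0`,
// and advance the SQ tail with a release store. Always returns 0.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;

	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ index array is placed after the CQEs, rounded up to 64 bytes.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;

	// Keep the slot inside the SQE array whenever the ring reports a size.
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);

	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

// Create a UNIX socket pair, attach one end to a vhci_hcd port through
// /sys/devices/platform/vhci_hcd.0/attach and return the other end.
// `a0` is the USB speed; USB_SPEED_SUPER selects the second group of
// VHCI_HC_PORTS ports. Returns -1 when that group has no free port left.
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);

	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		exit(1);
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];

	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	// Slots are numbered 0..VHCI_HC_PORTS-1. Index VHCI_HC_PORTS itself would
	// make port_num below spill into the next group, so it must be refused too.
	if (available_port_num >= VHCI_HC_PORTS) {
		// Do not leak the pair that was just created.
		close(client_fd);
		close(server_fd);
		return -1;
	}

	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	snprintf(buffer, sizeof(buffer), "%d %d %s %d", port_num, client_fd, "0", speed);
	// write_file() takes a printf-style format; never pass data as the format.
	write_file("/sys/devices/platform/vhci_hcd.0/attach", "%s", buffer);
	return server_fd;
}

#define BTF_MAGIC 0xeB9F

// Header found at the start of the BTF blob; the *_off fields are added to
// hdr_len by syz_btf_id_by_name to locate the type and string sections.
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

// Bits 24..27 of btf_type.info hold the kind, the low 16 bits hold vlen.
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)

#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Read /sys/kernel/btf/vmlinux into a static buffer once and return it on
// every later call. Returns NULL if the file cannot be opened or read, or if
// it fills the whole VMLINUX_MAX_SUPPORT_SIZE buffer (treated as too large).
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];

	if (is_read)
		return buf;

	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;

	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			// A failed attempt is retried on the next call, so the
			// descriptor has to be released here or every retry leaks one.
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}

	close(fd);
	is_read = true;
	return buf;
}

// (head of syz_btf_id_by_name; the function continues on the following line)
// NOTE(review): hdr_len, type_off and str_off are used as offsets into the
// buffer without being compared with the number of bytes actually read.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while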
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
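// (tail of lookup_usb_index, which begins on the preceding line)
(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

// One caller-supplied string descriptor: `len` bytes at `str`.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Optional caller-supplied descriptors used while a device enumerates:
// device qualifier, BOS, and `strs_len` string descriptors.
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptors; byte 0 of each is its own bLength.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// Pick the reply to a device-to-host control request seen while connecting.
// Only standard GET_DESCRIPTOR requests are answered. On success the function
// stores a pointer/length pair in *response_data / *response_length and
// returns true; it returns false when `fd` is not a tracked device or the
// request is not one it knows how to answer.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// The high byte of wValue selects the descriptor type.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				// The low byte of wValue is the string index.
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// The string case above allows descs == NULL, so this
				// case must not dereference it unconditionally.
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// No qualifier supplied: synthesize one from the
					// device descriptor. The descriptor needs storage of
					// its own. Building it at `response_data` itself
					// overwrites the caller's pointer variable (and the
					// bytes after it) and never makes *response_data
					// point at the result.
					// Thread-local so concurrent callers do not share
					// one buffer. A caller-provided buffer would be
					// cleaner but changes this function's signature.
					static __thread struct usb_qualifier_descriptor qual_storage;
					struct usb_qualifier_descriptor* qual = &qual_storage;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Handler type for host-to-device control requests seen while connecting;
// the handler sets *done once enumeration should stop.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic handler: accepts only the standard SET_CONFIGURATION request and
// marks the connect sequence as done when it arrives.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k handler: accepts SET_CONFIGURATION and the vendor request
// ATH9K_FIRMWARE_DOWNLOAD without finishing, and sets *done only on
// ATH9K_FIRMWARE_DOWNLOAD_COMP.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// A descriptor reply keyed by request type and descriptor type.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

// `len` is the byte size of the whole structure including the descs[] array;
// lookup_control_response derives the entry count from it.
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

// A reply to a non-GET_DESCRIPTOR request, keyed by request type and request.
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

// (head of struct vusb_responses; the definition continues on the following line)
struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct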
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
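16
// The line above is the value of the USB_RAW_EP_NAME_MAX define that begins on
// the previous line of this listing.

// Local copies of the raw-gadget ioctl interface used by the helpers below.
// NOTE(review): presumably these mirror the kernel's raw_gadget UAPI header;
// confirm the layouts and ioctl numbers against the kernel under test.
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Opens the raw-gadget device node read/write; returns the fd or -1.
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}

// Issues USB_RAW_IOCTL_INIT with the given UDC driver/device names and speed.
// Returns the ioctl() result.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	// Zero the whole argument and copy at most size-1 bytes of each name:
	// strncpy() leaves the destination unterminated when the source fills
	// it, and the struct is handed to the kernel as-is.
	memset(&arg, 0, sizeof(arg));
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name) - 1);
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name) - 1);
	arg.speed = speed; // narrowed to the __u8 field
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

// The wrappers below each issue exactly one raw-gadget ioctl on fd and return
// the ioctl() result unchanged.
static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in the per-fd interface table of the entry matching
// both bInterfaceNumber and bAlternateSetting, or -1 when fd has no index or
// no entry matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the stored handle of the endpoint with the given address on the
// currently selected interface, or -1 when fd has no index, no interface is
// selected, or no endpoint matches.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	// Same range check set_interface() applies before indexing ifaces[].
	if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
		return -1;
	// The loop must be bounded by eps_num. The previous condition tested
	// eps_num alone, so with a non-empty endpoint list and no matching
	// address the scan never stopped and read past the end of eps[].
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	}
	return -1;
}

// Switches the active interface to table entry n: first disables the
// endpoints of the currently selected interface (when it is in range).
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;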
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
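ep_handle;
	io_data.inner.flags = 0;
	// Clamp the caller-supplied length to the on-stack payload buffer
	// before copying into it.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Pseudo-syscall: reads up to a2 bytes from the endpoint with address a1 on
// raw-gadget fd a0 into the buffer at a3. Returns 0 on success, -1 when the
// endpoint is unknown, or the negative ioctl result.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	// Clamp the requested length to the on-stack payload buffer.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	// NOTE(review): this copies the requested length, not rv. If rv is the
	// number of bytes actually transferred (confirm against the raw-gadget
	// interface), a short read copies uninitialised stack bytes to the caller.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

// Pseudo-syscall: closes the raw-gadget fd and returns close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// Pseudo-syscall: opens a device node.
// When a0 is 0xc or 0xb, opens /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
// (a1 and a2 truncated to 8 bits). Otherwise a0 is a path template: each '#'
// is replaced by successive decimal digits of a1, least significant first,
// and the result is opened with flags a2.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		// Bounded copy with explicit termination; longer templates are
		// truncated.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

// Pseudo-syscall: opens a procfs file named by the string at a1.
// a0 == 0 selects /proc/self, a0 == -1 selects /proc/thread-self, any other
// value selects /proc/self/task/<a0>. Tries O_RDWR first, then O_RDONLY.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Pseudo-syscall: queries the pty number of fd a0 with TIOCGPTN and opens
// /dev/pts/<n> with flags a1. Returns -1 if the ioctl fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Pseudo-syscall: creates a socket while the thread is switched to the
// namespace behind kInitNetNsFd, then switches back to the namespace it
// started in. errno from the socket call is preserved across the restore.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0))
		return -1;
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	// Failing to return to the original namespace is fatal: the process
	// must not keep running in the wrong namespace.
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// Pseudo-syscall: resolves a generic-netlink family name (string at `name`)
// to its id. Uses sock_arg when it is non-negative; otherwise opens a
// temporary NETLINK_GENERIC socket, passes dofail=true to the query helper,
// and closes the socket afterwards. Returns the id or -1.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

// One chunk of a filesystem image: `size` bytes at `data`, placed at byte
// `offset` of the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
// Hard-coded syscall number for memfd_create.
// NOTE(review): 356 looks like the i386 number, matching the linux/386 target
// of this test; confirm before reusing on another architecture.
#define sys_memfd_create 356

// Clamps the first min(nsegs, IMAGE_MAX_SEGMENTS) segment descriptors in
// place so that every segment lies inside [0, IMAGE_MAX_SIZE), and returns
// an image size (capped at IMAGE_MAX_SIZE) large enough to hold them all.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// A segment ends at offset + size. The previous code compared
		// against offset + offset, which mis-sized the image.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Builds an in-memory image from the segments and attaches it to the loop
// device `loopname`. On success stores both fds through memfd_p/loopfd_p and
// returns 0; on failure closes what was opened, sets errno and returns -1.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	size = fs_image_segment_check(size, nsegs, segs);
	// fs_image_segment_check() caps nsegs only in its own copy. Apply the
	// same cap here so the write loop never touches descriptors whose
	// size/offset were not clamped.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		// Write failures are deliberately ignored (best effort).
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// The loop device is still bound: detach it and retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Pseudo-syscall: attaches the image described by the segment array at
// `segments` to /dev/loop<procid> and enables partition scanning on it.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64,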
&info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, 
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, 
&cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, MNT_DETACH)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, 
"%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_fault() { static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) exit(1); } } } static void setup_binfmt_misc() { if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) { } write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:"); write_file("/proc/sys/fs/binfmt_misc/register", ":syz1:M:1:\x02::./file0:POC"); } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP 
= 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long 
syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; 
break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true); int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define 
WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true); struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP); if (ret < 0) { return -1; } } return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 53; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } 
if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 38 ? 50 : 0) + (call == 43 ? 3000 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 300 : 0) + (call == 46 ? 3000 : 0) + (call == 47 ? 300 : 0) + (call == 48 ? 3000 : 0) + (call == 49 ? 300 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_dup #define __NR_dup 41 #endif #ifndef __NR_fcntl #define __NR_fcntl 55 #endif #ifndef __NR_getgid #define __NR_getgid 47 #endif #ifndef __NR_getresuid #define __NR_getresuid 165 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_lstat #define __NR_lstat 107 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_read #define __NR_read 3 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[26] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 
0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000000 = -1; inject_fault(1); res = syscall(__NR_ioctl, -1, 0x89e2, 0x20000000); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0xe6; memcpy((void*)0x20000048, "\xf1\x37\x16\x1a\xb8\x6c\x59\x42\x02\xb9\x97\xd9\xf1\x2d\x00\x70\x21\x87\x03\x22\xc8\xd9\x09\x74\x84\x09\x95\x1a\xe9\x80\x0c\x1e\x20\x7f\x98\xb7\x69\xc7\x40\xf8\x67\xea\x14\xbb\xf8\x66\x6a\x4f\x98\xd2\x29\xaa\xaf\xbc\x33\xc6\xc5\x21\x68\xdb\x89\x33\xc4\xa4\xa4\xa3\xdd\x3c\xe0\xcc\xea\x96\xe7\x1d\x81\xff\x4a\xca\x83\x31\xcb\x01\xbf\x35\x43\x38\x53\xd1\xab\xd4\x8f\xd6\xd0\xce\x13\x14\xdf\x65\x07\xba\xe5\x35\xa2\xb4\xe3\xea\xa7\x4c\x5d\x23\x00\x65\x94\x14\x8a\x0f\xe5\xb4\xa8\x84\xef\x8f\x41\x34\x6e\x49\xcc\x90\x47\x4c\xb1\x7b\xac\x30\x1d\x47\x97\xed\x05\xdf\xc6\xcc\xb7\x4b\xeb\xaa\xbe\x54\x91\x72\xd6\x22\xa3\x06\x05\xa4\xe4\x9f\xd3\xf8\x53\x7d\xe5\x27\x2c\x33\xad\x4f\x07\xcd\x06\x05\x77\xbc\xe6\x5e\x5c\x80\xa3\x41\x68\xcd\xe6\x81\x17\xe4\xf9\x00\xe3\x5a\x3d\x88\x8e\x02\xee\x11\x17\x52\x21\x3b\x40\xd2\xaf\x25\x8c\x01\xf3\x6d\xe5\x0c\xe8\xe8\x3d\x42\x26\xa3\x0d\x6a\x4c\xc4\x3a\x88\x3f\x6c\x20\xe3\xfa\xda\x8a\xd2", 230); *(uint32_t*)0x20000140 = 0xee; res = syscall(__NR_getsockopt, -1, 0x84, 0x1a, 0x20000040, 0x20000140); if (res != -1) r[1] = *(uint32_t*)0x20000040; break; case 2: *(uint32_t*)0x20000180 = r[1]; *(uint16_t*)0x20000184 = 0xa; *(uint16_t*)0x20000186 = htobe16(0x4e22); *(uint32_t*)0x20000188 = htobe32(3); *(uint8_t*)0x2000018c = 0xfc; *(uint8_t*)0x2000018d = 2; memset((void*)0x2000018e, 0, 13); *(uint8_t*)0x2000019b = 0; *(uint32_t*)0x2000019c = 1; *(uint64_t*)0x20000204 = 0x7fffffff; *(uint64_t*)0x2000020c = 1; *(uint64_t*)0x20000214 = 0x7fff; *(uint64_t*)0x2000021c = 4; *(uint64_t*)0x20000224 = 7; 
*(uint64_t*)0x2000022c = 1; *(uint64_t*)0x20000234 = 0x3ff; *(uint64_t*)0x2000023c = 0x40; *(uint64_t*)0x20000244 = 5; *(uint64_t*)0x2000024c = 1; *(uint64_t*)0x20000254 = 0; *(uint64_t*)0x2000025c = 7; *(uint64_t*)0x20000264 = 0; *(uint64_t*)0x2000026c = 8; *(uint64_t*)0x20000274 = 0x1f; *(uint32_t*)0x20000280 = 0xfc; res = syscall(__NR_getsockopt, (intptr_t)r[0], 0x84, 0x70, 0x20000180, 0x20000280); if (res != -1) r[2] = *(uint32_t*)0x20000180; break; case 3: *(uint32_t*)0x200002c0 = r[2]; *(uint16_t*)0x200002c4 = 0xa; *(uint16_t*)0x200002c6 = htobe16(0x4e20); *(uint32_t*)0x200002c8 = htobe32(9); *(uint8_t*)0x200002cc = 0xfc; *(uint8_t*)0x200002cd = 2; memset((void*)0x200002ce, 0, 13); *(uint8_t*)0x200002db = 1; *(uint32_t*)0x200002dc = 3; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 6, 0x200002c0, 0x84); break; case 4: memcpy((void*)0x20000380, "/dev/pktcdvd/control\000", 21); res = syscall(__NR_openat, 0xffffff9c, 0x20000380, 0, 0); if (res != -1) r[3] = res; break; case 5: syscall(__NR_ioctl, (intptr_t)r[3], 0x7c80, 0); break; case 6: *(uint32_t*)0x200003c0 = r[1]; *(uint16_t*)0x200003c4 = 0xa; *(uint16_t*)0x200003c6 = htobe16(0x4e23); *(uint32_t*)0x200003c8 = htobe32(0x7f); *(uint8_t*)0x200003cc = 0xfc; *(uint8_t*)0x200003cd = 0; memset((void*)0x200003ce, 0, 13); *(uint8_t*)0x200003db = 0; *(uint32_t*)0x200003dc = 5; *(uint16_t*)0x20000444 = 5; *(uint16_t*)0x20000446 = 0x476f; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 0x1f, 0x200003c0, 0x88); break; case 7: *(uint32_t*)0x20000500 = 1; *(uint32_t*)0x20000504 = 2; *(uint64_t*)0x20000508 = 0x20000480; *(uint32_t*)0x20000480 = 0; *(uint64_t*)0x20000510 = 0x200004c0; *(uint32_t*)0x20000518 = 4; *(uint32_t*)0x2000051c = 8; res = syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000500); if (res != -1) r[4] = *(uint32_t*)0x200004c0; break; case 8: *(uint32_t*)0x200005c0 = 0x8a; *(uint32_t*)0x200005c4 = 7; *(uint64_t*)0x200005c8 = 0x20000540; *(uint32_t*)0x20000540 = r[4]; *(uint32_t*)0x20000544 = 0x400; 
*(uint64_t*)0x20000548 = 0; *(uint64_t*)0x200005d0 = 0x20000580; *(uint32_t*)0x200005d8 = 0x10; *(uint32_t*)0x200005dc = 0xc; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x200005c0); break; case 9: *(uint32_t*)0x20000680 = 0x83; *(uint32_t*)0x20000684 = 2; *(uint64_t*)0x20000688 = 0x20000600; *(uint32_t*)0x20000600 = r[4]; *(uint64_t*)0x20000690 = 0x20000640; *(uint32_t*)0x20000698 = 4; *(uint32_t*)0x2000069c = 4; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000680); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 0x240, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); memset((void*)0x20000044, 255, 6); *(uint8_t*)0x2000004a = 8; *(uint8_t*)0x2000004b = 2; *(uint8_t*)0x2000004c = 0x11; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; memcpy((void*)0x20000050, "\x20\x15\xd2\x29\x78\x5b", 6); STORE_BY_BITMASK(uint16_t, , 0x20000056, 8, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0, 4, 12); *(uint16_t*)0x20000058 = 0x27; *(uint8_t*)0x2000005a = 0x8c; *(uint8_t*)0x2000005b = 0x18; *(uint16_t*)0x2000005c = 0xc93; memcpy((void*)0x2000005e, "\xff\xe3\x24\x0f\x04\x84", 6); memcpy((void*)0x20000064, "\x06\x7e\xcc\x39\xa7\x8a\x3e\xa4\x7c\x22\x24\x6d\x39\x1b\x92\xc4", 16); syz_80211_inject_frame(0x20000000, 
0x20000040, 0x34); break; case 11: memcpy((void*)0x20000080, "wlan1\000", 6); memset((void*)0x200000c0, 1, 6); syz_80211_join_ibss(0x20000080, 0x200000c0, 6, 2); break; case 12: memcpy((void*)0x20000100, "bpf_lsm_xfrm_policy_alloc_security\000", 35); syz_btf_id_by_name(0x20000100); break; case 13: memcpy((void*)0x20000340, "\xc4\xc1\x7d\x6f\x70\x72\xc4\xe1\xf9\x11\x2f\xc4\xe3\xc9\x5d\x33\xab\xc4\xc2\x79\x0e\xb0\x00\x00\x00\x00\xc4\xe1\x7a\x12\xb7\x0c\x00\x00\x00\x0f\x01\x56\xe9\xc4\xe1\x0d\xd5\x5e\x0c\xf3\x0f\x52\x6b\x00\x0f\x7e\x20\xc4\xc1\x79\xe7\x02", 58); syz_execute_func(0x20000340); break; case 14: res = syscall(__NR_dup, -1); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_fcntl, -1, 9, 0); if (res != -1) r[6] = res; break; case 16: memcpy((void*)0x200026c0, "./file0\000", 8); res = syscall(__NR_lstat, 0x200026c0, 0x20002700); if (res != -1) r[7] = *(uint32_t*)0x20002710; break; case 17: res = syscall(__NR_getresuid, 0x20002800, 0x20002840, 0x20002880); if (res != -1) { r[8] = *(uint32_t*)0x20002800; r[9] = *(uint32_t*)0x20002880; } break; case 18: res = syscall(__NR_read, -1, 0x20002ac0, 0x2020); if (res != -1) r[10] = *(uint32_t*)0x20002ad0; break; case 19: memcpy((void*)0x20004b00, "./file0\000", 8); res = syscall(__NR_statx, -1, 0x20004b00, 0x2000, 0x20, 0x20004b40); if (res != -1) r[11] = *(uint32_t*)0x20004b58; break; case 20: *(uint32_t*)0x20004e00 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004d00, 0x20004e00); if (res != -1) r[12] = *(uint32_t*)0x20004d34; break; case 21: res = syscall(__NR_getgid); if (res != -1) r[13] = res; break; case 22: memcpy((void*)0x200003c0, 
"\x23\x58\x10\x53\x7c\x7f\x88\x6c\xa9\x17\x21\x04\x5f\xf7\xba\xdf\xae\x44\x29\xb2\x52\xcd\x65\x81\x72\xc1\xd0\xd4\x18\xed\x70\x05\x74\x39\xfc\x22\xff\xc7\x7b\x29\x08\x5c\x94\x88\xff\x93\x40\xf8\xa2\xad\xe9\x9b\xf9\xaf\x14\xa3\x57\x25\x7b\x8a\xa6\x9b\x4b\x8e\xff\xe7\xaf\xd6\x87\x6b\x3b\x51\x2b\x86\xfa\x1d\xff\x55\x5c\x6d\xc6\x18\x62\x66\xc9\x1f\xa2\x81\xc9\xdc\x72\xee\x17\xea\xd0\xe2\xa3\xfe\x9f\xf0\x3e\x7c\x32\xd2\x7e\x26\x7f\x5b\xe0\xfd\x6d\x1f\x9e\xfc\x02\xaf\x7f\xe9\xd6\x8d\x75\x55\x19\x20\x1d\xea\x7a\xbe\x68\x10\x53\xab\x98\xf7\x3f\xc0\xc6\xa0\x68\x4e\x91\xb7\x41\xc8\xc9\x45\x1f\x94\x59\xb5\x98\xee\x6f\x4e\xc0\xc9\x1f\x3e\x91\x7a\xf1\xe6\x64\x6f\x3c\x54\xf8\xfa\xf0\x48\x7d\x8e\xcc\xf0\x87\xe2\x8f\x87\x68\xf4\x8a\xe1\x5d\x09\x89\x04\xb3\x25\x42\x85\x70\x2e\x30\x8a\x93\x7d\x5e\x23\xa2\xae\xf3\xc2\x53\x12\x51\x6c\x50\x2d\x5e\x02\x33\x06\x52\x29\xee\x4a\x70\xdb\xc4\x14\x60\x4b\x7f\x05\x5e\xb7\xa2\x72\x48\x03\xe8\x5e\x5b\x4c\xd0\x5a\xf7\x11\xed\x73\x0f\xce\xb8\x1b\xca\xe1\x7a\x49\x67\xaa\x6c\xcf\xf3\xc0\xf4\x96\x6b\x7f\xf3\xd1\x5f\x09\x3e\x94\xeb\x0a\x46\xb7\x0c\x0f\xa5\xb8\x62\x8c\xac\x3c\x31\x01\x9b\xba\x60\x02\x41\x6f\xc6\x66\x1d\x85\x8f\xff\x16\xa9\x62\x15\xb1\xd1\x8a\x87\x7d\x9a\x53\x4a\xc4\x02\x56\xa3\x55\x79\x31\xad\xe2\x7f\x58\x7c\xce\x26\xa2\x0c\x01\x3d\xc6\x7f\x2e\x92\x2a\x52\x68\x9a\xae\xfa\x1b\x06\x4d\x03\xf8\xf6\xa3\x9f\x96\xb0\xde\x1d\x21\x39\x4c\xb6\xc2\x30\x10\xeb\x9e\x4a\x79\x41\x47\x35\xed\x99\x65\x42\x5f\x8a\x01\x00\x84\x96\xdb\xad\x04\x97\xfa\x0d\x65\xac\xec\x59\xff\xa6\xa2\x80\xbc\x58\xe2\xd8\x87\xa1\x0e\x96\x65\xea\xeb\x97\x43\x6e\xbd\xeb\x2b\x58\xa9\xae\x40\xe4\x49\x27\x32\x46\xfd\x99\x67\x53\x9f\x21\x2e\xd8\x96\x9b\x6f\x9a\x49\xd6\x5b\xca\xd2\xdd\x9d\x8e\xe4\x2e\x32\x05\x74\x11\x17\xe4\x31\xd4\x43\xff\x3e\x94\xc4\x7e\x7f\xd6\x27\xd3\x05\x11\xd5\xfb\xce\xc6\xa7\x58\x38\x3d\x31\x36\x7a\xca\x8e\x3a\xf7\x72\xa1\x02\x11\x05\xab\x2c\x1b\x4a\xa7\x61\x4d\xea\x8c\xfa\x4b\x06\xf5\x3a\xf3\x73\x77\x98\x62\xc9\xbd\xb7\x6e\xf9\x3c\x74\x61\x8e\xee\x73\x47\xa
0\x74\xd4\xf7\x1a\x98\x23\x3b\x24\xb2\xa2\x57\x29\xc9\xa1\x98\x3d\x81\x9c\x3f\x42\xd3\x28\xd0\x8f\x0d\x4d\xd1\x64\x2f\x61\xb6\x2a\x89\xfc\x30\x0f\x50\x66\xd8\xe4\x57\xf5\xfd\x49\xda\xa7\x9e\x1b\x1d\x43\xd2\x6f\x89\xf2\xca\x99\x04\x50\xe8\x60\xbc\xc4\x7d\x5c\xf4\x77\x8c\x37\xc4\x51\xed\x22\xd6\x0f\xe2\xbc\xfa\x2c\xaf\xf7\x5c\x41\x70\x99\x0a\x2e\x8e\x21\x87\x19\x7f\x86\x38\xb0\x67\x85\x4c\xcf\x9d\xbe\x91\x58\x6d\xd4\x23\x41\x40\x1c\x4f\xb4\xf3\x13\x30\x66\x8a\xcb\x51\x6e\xba\x22\x27\xcb\xca\x4c\x8f\xa2\xf3\x9a\x03\x52\x1b\xd8\x03\x2f\x5e\x1a\xed\xf4\x9c\x50\xe6\x01\xb9\xfa\xd4\xe0\xd6\xf5\xb5\x93\x2e\xa2\x14\xfd\x50\x84\x85\x70\x3d\x08\x45\x79\x8d\x43\xbd\xbf\xf9\x63\x86\x77\xe6\xa9\x96\xef\xbb\xd1\x93\x6e\x97\x28\x20\x62\x70\x9f\x77\x8b\x45\x5c\xb4\xd2\x00\x13\xf5\xfe\x4c\x9b\xba\x0f\x7c\xfc\x18\x02\xe8\x18\x0f\xb6\xd4\x6f\x51\x76\xd1\xbd\xbb\x43\xd9\x60\xd4\x94\xf3\xa3\x0e\xd7\xab\x4d\xb0\x7d\xe5\xad\x92\x4b\x57\x97\xb5\x09\xf9\x60\x83\xf4\xad\xa9\xfc\xeb\xed\xe1\xeb\x0f\xb0\xdf\xa2\xcd\xc2\x14\x4b\x15\xcf\x4c\x28\x0f\x87\xd1\x18\x7e\x80\x8e\x37\xcd\xef\x53\x75\x52\xe3\x83\xf4\x6c\xcf\xe8\x62\x15\xb2\x07\x15\x39\x85\xe6\xb1\x31\x96\x22\x1f\xde\xa6\xc9\x47\x86\x4d\x12\x14\x7d\x7b\x01\xef\xc3\xdf\x14\x4e\x2c\xaa\x24\xd1\xa4\x78\x2a\x51\xa8\x23\x5c\x4c\x0e\xad\xf0\x44\x0c\x8e\x43\x4a\x4d\x07\x2b\xe5\x84\x55\x47\x17\x5f\x37\xc5\x5f\xdd\xd5\xe7\x84\x95\xac\xe4\x34\xc4\x83\xf2\x8b\xb3\x48\x7a\xd8\xd6\x8b\xd7\x43\x77\xfd\x82\xe1\x7b\xaf\xeb\x06\x2b\x81\xc6\x8e\x8a\x63\x89\xc8\xd8\x10\x79\xe4\xc9\xfa\xa2\xa8\xfc\xf1\x24\x15\xcc\x21\xeb\xcd\x92\xde\x80\x88\x45\x50\x59\x4c\xa6\x4b\x56\xb0\xb4\x24\xa6\x5f\x80\xca\xb1\x64\xb2\xf6\xf2\xf3\x3c\x7a\xea\xa8\xb6\x60\x2e\x71\x83\xb9\xd0\xae\x15\x3a\x17\x03\xb3\x03\x67\x5a\xae\x13\x3b\x3d\xd9\xc6\x46\x67\x7f\x6d\x8a\x49\x2d\xa0\x99\xef\xb4\xa7\xe4\xde\xe3\x92\x81\x8a\x15\xd6\xbf\x9e\xfb\x07\xee\xad\x5b\x40\xac\x25\xbb\x0f\x00\x92\xf4\xb0\xec\xaf\x0a\xc3\x39\x1b\x3e\xcf\xd0\x63\x5e\xc4\x96\xb8\xb6\x6d\x7a\x45\x1c\x6d\x10\x37\x9c\x15\x2
9\x1c\x4f\x36\x82\xf0\x5f\xb7\x39\x44\xcd\x1b\xe0\xf0\xfa\x85\x54\x35\x8b\x30\xde\xb7\x38\x69\x31\xae\x95\xeb\x2a\x16\xfa\xed\x24\x5f\xfc\xad\xb3\x94\xac\xdf\x06\x38\xa6\x26\x27\x82\x33\x01\x93\x66\xe2\xec\xd9\xdb\x1a\x4b\x5a\xe2\x7f\xf8\x3d\x7b\x57\x1c\xd7\xff\xc1\x51\xdc\x4d\x0c\xef\x1d\x03\x00\xc9\x8a\x41\x69\x77\x51\x85\x1f\x8e\x05\x24\x9c\xae\x19\x96\x3f\x81\x25\x89\xa7\xd6\x4c\xfa\xb8\x46\x43\x9f\x47\x13\x43\xba\x5e\xff\xac\x9a\x57\xf7\x6d\x0a\xbf\xb9\x5e\x87\x8b\xee\x4c\x94\x24\xf0\xca\x17\x18\x19\x5e\xff\x14\x06\x0a\xcf\xb3\xe0\xdf\x4c\xbc\x56\x0b\xc2\xbe\x9a\xb4\xf0\xa0\xbd\x68\x6f\xe2\x13\xd4\x49\x47\x17\x0e\x68\xe7\x3b\xaa\xdd\x98\x2c\xe2\xd1\x70\xa5\x0d\x1e\xca\x02\x40\xcd\x3c\xec\xe9\xf7\x4d\xa3\xa1\xc1\x47\x6f\xf1\x1f\xa3\x34\xd7\x2c\x18\x50\x6b\x5c\x00\xa4\x41\xea\x2e\x9c\x72\xc7\x6b\x38\x50\x37\xf8\x6c\xa5\x94\xaa\xad\xe9\x87\xa7\x9b\xbd\x3e\x3c\x40\xd0\x00\x7a\x7f\xf8\x52\x99\x05\xb9\x4c\x54\x61\x65\x62\x92\x95\x0b\x41\xc8\x34\x43\xdc\x84\xd6\xfd\xf5\x2e\x44\x97\xed\x68\x04\x98\x1a\xf1\x33\x85\x64\x92\x00\xd8\x93\x09\x3b\xf2\xea\x82\x25\xb3\x89\xc4\xdf\xd2\xe8\x15\xb3\xbd\xf9\xd7\x08\x4d\x29\x00\x9e\xae\x4e\x88\x22\xa5\xb6\xa5\x2a\xa7\x6a\xfd\x95\x1d\x04\xaf\xa8\xe1\x28\x63\x96\xa8\x34\xdc\xf8\xc6\xb5\x7c\xc4\xef\xbc\x0c\x16\x77\x9d\x53\xf0\xbc\xd7\x40\x43\xc0\x6e\xce\xbe\x59\x32\x8d\xcc\xa8\xbb\x61\x05\xaf\x23\x56\x59\x06\xe5\x46\x6c\x73\x11\xb1\xaa\xc6\x76\x2e\x4b\x62\x60\x36\xfe\x31\xd3\xe7\xb0\xfa\x2e\x65\x8c\xa9\x35\x10\x78\xee\xca\x7b\x46\x7e\x11\x8e\x9b\x88\x95\x9d\xe1\xf4\x18\x69\x40\x5a\x83\xbd\xc6\xce\x98\x0c\x72\x9f\x7e\x2a\x46\x0f\xa9\xbe\xe1\x61\xe5\x4d\x27\x1a\x87\x4b\xb4\xd0\xa2\x2c\xd1\xa4\x37\x6d\xe3\x6b\x58\x68\xca\x0e\x10\x93\x3e\x5f\xe2\xf7\x38\x5c\x1a\xf6\x2b\x86\xf8\xe5\xc3\x12\x66\x26\xb8\xbc\x6d\x56\x8f\x62\x1d\xa3\x23\x70\x7e\xa3\x32\xd7\x65\x44\x39\xfb\xa4\x67\x1d\x0c\xae\xb7\xef\x94\xe2\x5a\x82\x86\xbd\x9a\x19\xa2\x9e\x49\x32\xc7\xdb\x9b\x82\x34\x7d\xa5\x24\x92\xb3\x81\x4a\x44\xb9\x2f\x61\x55\x9c\x22\x65\x4c\x8b\x30\x1a\x8
d\xfe\x9d\xae\xae\x0c\xad\xe9\x46\xc0\x66\x6e\x94\xc4\xa6\x35\x3b\xb0\xeb\x21\x37\xd3\x68\x53\xad\x4f\x7a\x20\xa5\x08\x1e\x63\xaf\xee\xce\x20\x3f\xa6\xee\xea\x7f\x62\x9d\x00\x1d\xab\xaf\x5b\x1a\x3c\x67\x61\x51\x7b\xc9\x9a\x8e\x63\xf6\x6c\x01\x88\x49\x27\xb4\xbc\x40\xbc\x34\x19\x0c\x9e\x55\x3c\x69\x0f\xbc\x64\x44\xdd\x8b\xba\x65\x68\x74\xfa\x80\x46\x31\xb5\x6d\x24\x54\x1a\x9b\xd6\xfb\x77\xdb\x49\x03\x76\x9f\x9d\x04\x44\xd0\x8a\x21\xff\x59\xd9\x49\x65\x9d\x80\xb1\x40\x2d\x91\x9a\xc0\xfb\x83\x80\xed\x91\x15\xb6\x69\x3c\x19\x5f\x8f\x1a\x90\xa3\xa4\x22\x35\xd8\xea\x78\x2e\xda\x2b\xf1\x94\xd3\x2f\xbc\xc5\x63\x27\x1a\xfd\xa7\x3d\x70\x96\xa2\xe9\xe4\x67\x54\x1e\x76\x67\xc2\x67\xc5\x95\xe1\x23\x37\x29\x75\x26\x77\x68\xb8\xd1\x6c\xb6\x13\x0e\xae\xbf\x69\x8b\xe7\x6e\xef\xab\xbe\xac\xd5\x9f\x63\x1c\xc1\x04\xf0\x42\x26\x3e\x3e\x29\x62\x59\x79\x69\x72\x1a\x6c\x02\x2a\xba\x14\x11\x2e\x2f\x38\x02\xba\x63\x53\x91\xcd\x1f\x94\x32\x35\x25\xc8\x16\xef\xa9\xe8\x65\x52\x39\x9e\x79\x66\x5f\xf5\x54\xf5\x86\x75\x4f\x72\xd5\x3a\x0d\x94\x75\xc6\x55\x94\x8b\xd1\x3e\xc9\x3d\xd8\xcc\x43\xe5\xb8\x13\xeb\xfe\xa4\xab\xcd\x78\x0e\xed\xb6\x82\xac\x4f\x66\xe1\x68\x47\xf7\x82\x1f\xdc\x40\xda\x07\x3f\x7f\xc5\x9f\xe5\x7c\xa6\xad\x5f\x4d\xdd\x8a\x41\xe8\xaa\xdf\x3e\x21\x78\xcf\x42\x95\xc8\x59\x99\xe2\xc2\xd8\x24\xa0\x8e\xbb\x9a\x9b\x09\xe2\xef\xbf\x9b\x8d\x03\x73\x09\x1e\xa6\x1e\xc6\xaf\x17\xdf\x1e\x71\xac\xeb\x40\x3a\x41\xd3\xba\xfe\xfc\x56\xdc\xff\x18\x60\x23\xe9\xf2\x89\xe6\x1b\x74\x69\x04\xb3\xce\x34\x86\x9b\x53\x27\xc9\x24\xa2\x73\x36\xb2\x16\xd2\x20\x6e\xeb\xa9\xb1\xdf\xdc\xe0\x22\xe3\xa1\x3a\x26\x17\x38\x7f\xb3\xff\x5a\x1d\x0f\x38\xfb\xb9\x06\x3b\xcb\x69\xb5\xe3\x3e\xe4\x57\xef\xe0\x51\xdf\x45\x34\x62\xb7\x18\xd7\xd5\xe7\x80\x31\x04\x71\xa7\x3d\x99\xe2\xeb\x1e\x23\x23\x6c\x74\xb9\x37\x7c\x3e\x0e\xbb\x93\xea\x7a\x6a\x7b\x32\x2c\x42\x59\x10\x20\x9f\x89\x18\x41\xd6\x5c\xb8\xdb\x3b\x2b\x0d\x51\xd2\x7c\xde\x0c\xa1\x85\xbd\x3b\xf1\xf4\x02\xff\x10\xfc\x61\x1b\x93\xfa\x6f\x94\xeb\xf6\x07\x9a\xc6\xd5\xf3\x0
f\xf8\x66\xa4\xdb\xf3\x07\x29\xfc\x3c\xd0\x03\xed\x9e\xee\x6e\x1c\x92\x31\x9a\x8c\x62\x69\xe1\xa7\xdb\xa0\x49\x1d\x27\xb3\x26\x38\x8b\xc3\x2d\x58\xbf\x68\x5e\xc4\x29\xa8\xca\x7a\x12\xb6\x60\x18\x23\x08\x71\x0b\x5a\xa6\x1d\xce\x0a\x14\x3f\xad\x3b\xbc\x1a\x81\xa8\xf8\x14\xee\x37\xb4\x34\xc7\xd7\x29\x33\x1c\xe7\xf7\x2d\xdf\x31\xdc\xa7\x19\xbd\xfa\x04\xc0\x3a\xec\xeb\x4c\x64\x0c\x1c\xdd\xd0\xf0\x11\x37\xbd\x6e\x2f\x7a\xef\xb5\x1b\x02\x10\xb8\xcd\xb2\xcc\xb0\xf5\xd7\x45\x8d\x05\x71\x92\x76\x75\xf1\xbe\xdb\x36\xd0\xbf\x30\xac\x68\xdb\x43\x8f\xfb\xa7\x4a\xca\x62\x37\x25\xf2\x75\x22\x70\x1b\xb6\xc5\xca\x41\x4d\x23\x91\xcd\x53\x3a\x82\xc0\x66\x72\x4c\x6d\x3f\xd6\x8f\xe4\x2a\x83\x4d\xcc\xf5\xbf\x70\x34\x74\x29\xad\x8e\x38\x22\x15\xf7\x2f\xad\x93\x6e\xf9\x49\xbf\x64\xda\xd1\x25\x77\xea\xd0\xdc\x6c\xf2\x71\xbe\x7c\xa8\xe0\xba\xab\xb4\x39\x7f\xf0\x63\xf3\xae\x8e\x74\x12\x10\xc6\xa3\xab\x3b\x44\x2b\xa8\xfb\x16\xf2\x28\xc5\xda\xfe\xb1\xb4\x40\x82\x7d\xef\xbc\x48\xf5\xcb\xce\xb2\x74\x07\x55\xc9\x85\xd0\x60\xe8\x2c\x86\xc7\x32\xbb\xd5\x60\x88\x35\x91\xa1\xac\x05\x82\x99\xf1\x7f\x2e\x2a\x12\x85\x60\x28\x0b\xa0\x89\xe8\x4c\x34\x65\x45\x2a\x65\x07\xa6\x3f\x88\x49\x44\xa8\x3a\x21\xd2\x6c\x8e\x49\x8f\xf5\xdb\xd4\x89\xc6\x9c\xa7\x85\x32\x49\x01\x8e\x9d\x03\x52\x0b\x23\xf4\x7b\x29\x7b\x85\x26\x32\x2b\x1f\x6b\xd5\x4d\x06\x0c\xce\xa3\x01\xcc\x8a\x3a\x15\xda\x2d\x39\xb6\x4e\xa4\xdd\xb0\x3c\x7b\x6c\xba\x60\x5e\x8d\xd4\x86\xd1\x2d\x8f\x0c\x6c\xd9\xfb\x47\x81\x61\x12\xba\xa0\xa7\xae\x0e\xba\x4f\x0f\x89\xb2\x14\x32\x03\xa1\x19\xa6\xbb\x85\x45\xc1\xba\x66\x78\x84\x95\xf4\xe7\xda\xd9\x6d\xf8\x11\x9b\x1c\x11\xd7\xff\xb0\x71\x07\xc0\xc0\x35\xa8\x06\x97\xa8\xed\x78\x0d\x9c\x55\x61\x92\x93\x85\x08\x5f\x0a\xa7\xbc\x74\x8f\x2b\x5e\x23\x4e\x21\x0c\xe7\x77\x22\xc5\x4e\x80\xb8\x86\xc0\xd6\x14\x65\x8f\xfa\x23\x40\x8c\xac\xa9\xcf\x01\x38\x69\xef\x66\x29\xf8\x46\x16\x40\xda\xea\x86\x9a\xd4\xc3\x65\x53\x0d\xe5\x27\x81\x5c\xaf\xee\x31\x4f\x8c\xa7\xb9\x87\x95\x22\xc4\x26\x29\xe3\xe7\x12\x96\xe5\xf6\x0a\x84\xdb\x3
9\xd5\xc9\x00\x00\x16\xea\x33\xf4\x81\xd8\x0c\xcb\x80\xf0\x85\xd5\xed\x3f\x70\x0b\xad\xc3\xb4\xb7\xd8\x0d\xd8\xa7\x78\xf0\x38\x17\xa1\x0d\x67\x89\x2d\x36\x87\x0a\x98\xbd\xc7\x0c\xfd\xa4\x83\x4c\x78\x15\x42\x1f\xc9\x72\x74\x01\xbd\x4f\x81\x11\xbb\xba\x76\x86\x02\x4b\x42\x72\xf5\xa6\x8a\x66\x51\x94\xaf\xc4\xf1\xa9\xf8\x57\xaf\x27\x0e\x30\x22\xc1\x8d\xfc\x18\xf6\x7b\x39\x77\xe6\x41\xc6\x25\x8f\x00\xc1\x43\x0e\xa7\x95\x78\xf4\xdc\x82\xa0\xba\xb5\x21\x40\xdf\x4b\xe0\xad\xb3\x29\x19\x5a\x29\x7d\xf0\xbe\x6e\x12\x34\x97\x70\xb4\x47\x7a\x44\x65\xa8\x14\x39\xf2\x2b\x6b\xdc\x67\x7a\xb8\x6d\x4e\xdb\xbd\xfc\x7d\xb3\xcf\x06\xd4\xa9\x4d\x33\xc6\xc1\x1f\xa1\x63\xfe\xfb\x1a\x87\xa9\xb5\x2c\x1c\xc4\x09\xeb\xed\xe7\x26\x3c\x88\x97\x5e\xdb\x23\x7f\xa0\x1b\x58\x3f\x79\xfc\x7a\x4f\x8e\x8a\xc8\x9a\xf7\x93\x08\xd9\x9b\x47\x3c\xf3\x3f\x33\x44\xa4\xe5\x52\x3f\x3e\x35\xd3\x88\xd1\x8e\xe1\x18\x5c\xaa\x19\x18\xd2\x3a\xae\x41\x93\xae\xdf\xe1\x25\x04\x2e\x16\xd5\x71\x86\x52\x61\xdd\x63\xbf\x0c\x9d\xd8\x48\x5f\xa6\x4e\x24\x10\xa2\x6a\x43\x6c\x83\xc9\xe3\x45\x56\xf3\x7c\x1d\x69\xd2\xfd\x57\x42\x78\xc4\xb2\xc8\xba\xf3\x83\x4e\xe2\xe0\xf3\x64\xb5\x4c\x36\x78\x0f\x28\xa8\xeb\xe5\x6e\x1d\x9e\x1c\xbd\xfd\x77\x3c\xe8\xaa\xcd\xef\xda\x09\xf4\x0d\xff\xd8\x47\xaa\xdf\x67\xc4\x44\x71\x00\x8c\xee\x07\x76\xfb\x06\x89\x54\x30\x8f\x16\x20\x3d\x01\x7b\x29\x0c\xd1\xad\x9e\x4c\xdc\x49\xf3\x26\x35\x28\x07\x56\x0d\xdd\xa4\x90\xc0\x5c\x6d\x5e\x04\xf1\x94\x00\x83\xaa\xba\x83\xe0\x29\x37\x0f\xd7\x6e\x77\x57\xc7\x3c\x05\x43\xdd\xff\x26\xc3\xa3\x07\x62\xe2\xc9\xc5\x56\xaa\x28\x2c\x7f\x46\xf3\xdd\x8e\x20\x01\x68\x05\x3a\x03\x17\x4c\x56\x69\xdc\x43\x90\x0a\x39\x41\x7c\x9d\xff\x8e\xd3\xf1\x0e\xb0\x7c\x47\x0a\x52\x2e\xc8\x20\x71\x2f\xf8\x82\x59\xcf\x7f\x5e\xe5\x2c\xf4\xee\x69\x0b\xca\xbd\x88\x76\x3f\x66\x32\x9f\x37\x25\xa4\x36\xca\x19\x38\xd4\xda\x48\xde\xdf\xfe\xa8\x2d\xc5\x4a\x2a\x0a\x5c\xfb\x64\xc3\xe2\x78\xf4\x1b\x93\x3c\xef\xeb\x02\xf9\x82\x53\x2e\x98\x67\x72\x41\xd7\xec\x2f\x8d\x14\x27\xda\x17\x11\x91\x9d\x67\x2e\x95\x1
b\x6d\x1c\xd8\xf2\xc0\x20\x3f\xed\xd5\x21\xf7\x5a\x22\x9d\x99\x67\x13\x35\x81\x36\xd8\xb4\xeb\x79\x71\x34\xfe\xc8\x74\xe3\xd3\x8a\x01\xcb\x82\xa8\x7c\x8c\x21\x1e\x64\x29\xef\xe6\x77\x17\x3a\xab\x0a\x0f\xb9\xf5\x58\xf4\xb0\x6f\x77\x05\xbc\xd1\x77\xec\x1d\xd8\x0d\x04\x45\xb5\x44\x8e\x7d\xc2\x94\x53\x8a\xae\xcc\x59\x61\x0d\xbe\x6f\x2b\x3b\x16\xb2\x75\xc1\x8d\x33\xa7\x8f\x0c\x1d\xcb\xb0\x7e\x13\x76\x28\xb6\x22\xf8\x85\xae\xe8\x0b\x82\x68\x4c\xdd\x5f\xde\x5a\x29\xaa\xdf\x63\xd8\x5e\x95\x15\x96\x49\xad\xce\x0f\x9e\x57\xb5\x3b\x82\xc7\x5b\x87\xa1\x27\x47\xef\x0f\x84\xbe\x50\x69\x3c\xca\xe7\x98\xe3\x8a\xaf\x05\x06\x66\x16\x3e\x6b\xed\x48\xf5\xf1\xba\xf4\x9a\xde\xa2\x12\x23\xbf\xb0\x89\x19\x98\x98\xdc\xd2\xe9\x1b\x70\x8b\xd6\x2b\x61\xf1\x38\xcc\x48\xbe\xd8\x8b\x77\x2d\x14\xbc\xc5\x39\x68\xaa\x32\xfa\x3f\x11\x45\x84\x75\x2d\xb5\x32\x78\xb2\x5f\x36\x7d\x52\xc2\x07\xec\x54\x59\x66\x83\x82\xaa\xc7\xeb\xfd\xf3\xa2\x07\x5c\xef\x67\x9b\xd7\x7e\xc1\x7a\x11\x43\xde\x08\x47\x20\x08\x54\x86\x68\x5a\xc8\x69\x73\x3b\xc0\x7d\x74\x24\x6f\xbf\x8a\xbb\x36\x62\xbe\x75\x0d\xdd\xd3\xb1\x3e\xcb\x2d\x91\x35\xf5\xc6\x8d\x1f\xdd\xe5\x49\xd9\xc2\x09\x1d\x96\xaa\x35\xf8\x43\x36\xb4\x21\x51\x31\xf3\x64\x76\xec\x84\x8d\x53\x3d\x7d\xca\x1e\x0a\xa4\x1e\xef\xb8\x80\x60\x52\xa8\xcd\xd5\x38\xb7\x55\x70\x7f\x93\xe0\x48\xd7\x71\x50\x5b\x88\x90\xd8\xf6\x80\xb8\x80\xcc\xb8\xee\x29\x49\xe3\x5a\x63\xee\x48\xe7\xb4\x67\x12\x8b\x65\xff\xe6\x06\xce\xd2\x8a\x3b\xc3\x17\x2b\xd0\x9f\x2b\x58\xef\x63\x22\xa3\xfa\x31\xe0\xfa\xb3\x7a\x3a\xfe\x72\x9a\xd4\x3d\x5c\xd0\x2b\x42\xbe\x4d\x8e\x60\x2b\x99\x51\x6d\xbd\xbd\x81\x2e\x1b\xec\xae\xba\x14\xb2\xb2\xbf\xaf\x05\x55\x90\x02\x51\xe3\x1d\x83\x97\x98\x14\x1b\x32\xab\xdc\x55\x8b\x3b\xf3\x0e\xdc\x11\x45\xf5\x41\x79\x85\x07\xda\x32\x9c\x5a\xcc\x1f\xf5\x6d\x4f\xd5\xf6\xe1\x8c\x02\x08\x12\x22\xc6\x98\xb3\xd0\xf2\xb1\x95\x39\xa7\xc2\xc9\x1f\x78\xb1\xbe\x76\x48\x19\x91\xe2\x41\xd2\xae\x88\x9d\x4c\xb1\x33\xf9\x0f\x77\xd9\x22\xd9\x84\xb5\xa5\xd1\xb2\xaa\x03\x8f\xb0\x01\xf0\xba\xc8\x8c\x1
4\xa3\x6f\x62\x29\x6a\xb3\x24\xd5\x2b\x57\x54\xd4\xe8\x42\x88\x9d\xa6\x54\x14\x3b\x4b\xd7\x19\xf0\x82\xcb\xcf\xa2\xec\x90\x31\xb9\xb4\xb8\xbb\x8e\xf4\x6b\xc3\xff\xa5\x2d\x35\x38\x5b\xf2\x7e\x3c\xcd\x86\x10\x84\x81\xff\x66\x40\xe8\xb0\xe3\x09\xd2\x8b\x14\x94\x20\xf9\x5e\xb9\xaf\xa0\xf6\xe1\x88\xb7\x00\x5f\x42\x12\x25\x38\x5b\xde\xa3\x82\x5a\xd5\xfb\xfc\x6d\x9f\x29\x97\x47\x6b\xc3\x6e\x5d\xfe\x4b\x68\x6d\x1a\x2d\x40\x25\x16\xd4\xee\xe9\x90\xe1\xea\x6a\x23\x48\x38\x10\x3f\x42\xd7\x05\xab\xf3\x78\x35\x67\x3c\xa7\x86\x75\xb5\x35\x4c\x2a\x99\x13\x0e\x2b\x7a\x64\xee\x26\xa2\xad\x6c\x1c\xd2\xde\x64\xed\x59\x12\xeb\x77\x08\xdb\x3a\xfb\xb4\xa6\x83\x10\x9b\x10\x57\x29\x8f\x35\x6e\x4c\xf4\xfa\xb2\x00\xca\xf7\x40\x3c\x71\x9a\xa8\x1a\xb0\x1d\x3d\x7f\x91\x55\x07\x3f\x56\x49\x5e\x51\x16\x19\x6e\x9a\x9d\xe8\x2f\x10\xa5\xc0\x8d\xfb\x2f\x91\x54\x94\xdf\x7a\x07\x00\xef\xb7\x22\xd3\x41\x6a\x5d\x32\xbc\x02\x29\x71\x11\x65\x08\x47\xde\xe6\x76\xd2\x68\x77\x2d\xec\x41\x3d\xa3\xa1\x32\x09\x89\xc1\xbe\x0d\x5c\x9c\x1b\x6f\xc4\xf7\x0f\xbd\xad\x88\x8a\xbb\x0b\xe8\xf1\x16\xf0\xd7\xa6\xf3\xab\xaf\x63\x6b\xb6\xb6\x92\x22\xda\xf4\xcc\xbd\x6d\x07\x29\x3d\xef\x59\xcd\x5e\xc9\x08\x45\x4d\x07\x94\x95\xf2\x7b\xfa\xf9\xe4\x5f\xb2\xc9\x99\x64\xe6\xb2\xfb\xa0\x3a\xf0\x38\x2d\x5b\x60\xad\xeb\xbb\x28\xfb\x8f\x8f\x8e\xfd\xd8\xda\x65\xea\xc2\x93\x77\xcf\x07\xc6\x2e\x1b\xf1\x0f\x61\xfa\x91\x2e\x62\x71\xf2\xcb\x95\x09\xa7\x63\x1b\x7a\xbe\xc3\x39\x6b\xeb\xce\x10\xbc\x79\xe2\xc4\x99\x56\xd1\x27\xf9\xd0\x1b\x73\x58\x45\x40\xcb\x6c\x0b\x52\xa7\x09\xe3\xaf\x1d\x00\xc8\x4f\x6d\x22\xfb\x19\x5d\xd8\x82\x3a\xa3\x36\xaf\xea\x89\x8e\xd8\x7a\xda\x2b\x22\xd1\xb8\xec\x50\x8c\xf6\x98\x6e\x93\x45\x92\x65\xed\x7c\x25\x87\x32\xc2\x91\xca\x41\xe7\x87\x6f\x1b\x43\x8b\x17\xd3\x6c\x24\xa0\x2f\x20\x0f\xee\xee\x18\xac\xe8\xdc\x4a\xad\x51\xa4\x2b\xb9\x81\x5d\x82\xc2\xa9\xa3\x7f\x77\x5c\xd6\x12\xe0\x84\x22\x69\x42\xea\x0d\xc6\xf5\xd8\x92\x33\x49\xbb\xbe\xdc\x2a\x45\xcf\xcf\xdd\xed\xa2\xd5\x2d\x14\xf2\xff\x83\x29\xaa\xc0\x1d\x2e\xc3\xc3\x7
f\x23\xc5\xc9\x0d\x02\x62\x80\x23\x8c\xe0\x9e\x00\xec\xa9\xf6\xc3\x0b\xda\xa5\xdc\x91\xf4\x34\x2f\x8a\xf6\xa3\xec\x13\x39\xc4\x7d\xca\xe8\xf9\x36\x0c\x32\x50\x2b\xfa\x86\xe1\xff\xc5\x82\xd5\x88\x8f\x29\xca\xc3\x9e\xf9\x0a\x31\x50\x11\x1f\x66\x11\x99\xfa\xf7\xe2\x41\x3b\x57\xbb\x9a\x72\xaa\xa2\xd5\xfa\xe3\x2b\x46\x28\x84\xa9\x28\xd8\x3c\xea\x60\x55\x70\x25\xc5\xde\x01\x80\x44\x34\x5f\xb0\x83\xde\xf4\x9b\xc3\x83\x31\x98\x94\xda\xd2\x8b\x53\x39\xcb\xad\xb6\x03\x8d\xc8\x47\x9f\x7e\x4b\x2f\x01\xc1\xce\xd3\xff\x85\x42\x05\xbe\x93\x88\x48\x85\xb1\x29\x87\x8b\xdb\xb1\x8c\xaa\x68\xc3\x09\x40\x71\x9a\x40\x8a\x03\xfc\x61\xeb\xea\x87\xd9\xd3\xef\x21\x62\x59\x45\x89\x65\x44\x75\xc2\xc3\x7e\xaa\x87\x37\x33\x8a\xcc\x18\xb3\x41\xa3\x51\xec\x39\xaa\x94\xcb\xa1\x71\x09\x6f\xd7\xfb\x83\x2e\x30\x31\xf4\xd8\x2f\xf2\x32\x8a\xa1\x89\x62\x3c\xd9\x3f\xce\x6f\x45\x25\xc2\xdd\x01\x3d\xc9\xc7\xb4\xd1\x9a\xdd\x3b\xf9\xc3\x34\x88\x6e\x9d\x1c\xb4\xdf\x99\x7d\x99\x56\x3a\x57\xb6\x6d\x83\x21\xd4\x21\x52\xf7\x21\x70\x5d\x6c\x48\x46\x18\xad\x33\xcb\x46\xb5\xc1\xa4\x1c\xcd\x39\x7e\xde\x50\x43\x2d\xc9\xd4\x1a\xa8\xb2\xfb\x37\x5a\xf7\x5d\x33\x23\x56\xd7\xdf\x3d\x5d\x43\x9f\xde\xbc\xf8\xe2\x5b\x22\x49\x3c\x6f\xe1\x40\x01\x3e\x29\x52\x32\x18\x67\xd1\x29\x47\xb1\xf2\xdd\x27\x2a\x17\x36\x94\xa5\xfd\xdd\x88\x7f\xe1\xec\x96\xdf\x64\x67\x63\x0d\x14\x49\xd7\x23\xff\x02\x3e\xc1\x27\xb1\x2a\x24\x11\xa0\x96\xe3\x12\x9e\x84\x5d\x50\xb1\x46\x68\x36\x35\xd8\x05\xcf\x19\x67\x35\x82\x8c\x8a\x0a\x00\x40\x47\xa1\x9a\xcf\xcc\x41\xb6\x2f\xe0\xfb\xff\x91\x88\x1e\x76\x13\xbf\x7a\x73\x71\x95\xf1\x85\x8e\xd7\x19\x8d\xca\xca\x13\x21\x06\x19\xd7\xf7\x39\x8d\x81\x2d\xe4\x63\xf2\x21\xf0\xc2\x64\x87\x4a\xa3\xb3\x41\x6d\xcd\xfa\xed\x76\xbf\x25\x5d\x7a\x7a\x15\xd6\xac\xc9\x86\x4d\x1b\xd9\x00\x35\x4b\x3b\xf0\xdf\x70\xba\xe9\x32\xc4\xb8\x2e\x8a\xa6\x0d\x39\x5b\x93\x9c\xc6\x0f\x89\x64\xab\x75\x5b\xa5\x0b\x40\xa7\x13\xf6\x8d\x2e\x00\x1a\x2b\x5a\xbc\xfd\xbb\x82\x1a\x0a\x3a\x7a\x97\xcd\xcc\xc0\xb0\x5b\xca\x8f\x03\x3f\xbc\xd9\x54\x56\x9c\xb
7\xc3\x12\xd4\xcb\x9e\x69\x27\x56\x13\x30\x66\x79\x88\x25\x70\x72\x61\x18\xeb\x66\xb4\xb6\xf0\xd2\x36\xc3\x3e\x35\x65\x8e\xd8\x7f\x02\x8c\xa4\x3c\x55\xc2\x69\x68\x17\x9a\xed\x75\x49\xc8\xc2\xe9\x26\x72\xa4\x45\x10\x6d\x04\x29\x84\x69\x17\xc5\xfc\x60\x7f\xa2\x85\xdb\x9a\xa6\x12\x81\xc1\xc5\x24\xa7\x6b\x3d\x40\xde\x5d\xa9\xbc\x7a\xfb\xae\x9c\x03\x55\x5d\x05\x63\x83\xea\x7f\x5e\xac\xf5\xde\x95\x63\x8e\x11\x24\x2a\x42\x0c\x9a\xa3\x22\xc8\x08\xcf\x2a\x14\xab\x47\x9d\x81\x35\xe4\xff\x48\x7b\x21\x5c\x8c\xec\x44\xc7\x29\x0d\x34\x59\x10\x0b\x21\x96\xc5\x4e\x88\xca\x28\x41\xd8\xa6\x01\x1c\x6d\xb1\xb5\xc2\xfb\xc5\x13\x5d\xa6\x05\x3d\x89\x3d\x11\x6b\x9f\x23\xd5\xa0\xf7\x7f\x9f\x64\xc5\x0a\x04\x48\x55\x2f\xb3\xd4\x00\x2c\xcf\xb9\x5e\xd5\x4c\x37\xea\xe9\x31\x73\x7b\xf0\x2b\xcd\x22\x6b\x13\x3b\x9d\x27\xde\xbf\xae\x74\x87\x30\xa8\x7b\xe8\xdf\x5c\x31\xcd\xdf\x16\xc2\x6b\xc3\xf3\xb4\xdf\x7a\xbc\xbc\x52\xed\xad\xb7\xa7\xc2\x9e\x87\xdd\x5d\x63\x30\xb7\x61\x64\x9f\xc9\xf0\x98\xa7\xb6\xb6\x8c\xf5\xdc\xe7\x67\x66\x7e\x8b\x5a\x7c\xd4\xbb\x22\xd1\xc9\x22\x9c\x45\x51\x69\xd7\x2e\xdd\x3b\xae\x9c\x25\x1c\x07\x88\x96\x8f\x1d\x13\xaf\x8e\x47\xba\x32\x92\x3c\x66\x14\xc4\x4d\x51\x96\xfa\x80\x57\x61\xdb\xa5\x9a\x39\xb8\x93\xbf\x09\x73\xda\xbb\x97\x6e\xdf\x63\xf3\xcb\x54\x73\x2d\x43\xb9\x0e\xe7\xab\x03\x74\xe1\x0f\xd7\x22\xd5\xc3\x61\xa4\x10\x89\x31\xe8\xee\x3f\xa1\x90\x79\x3f\x90\x1b\x18\xff\x7b\x5e\xd8\xc1\x62\xb3\x7f\xfc\xb3\x9c\x6c\x0c\x08\x4c\x9c\x76\xb3\x96\x4e\x31\x35\x1f\x51\x12\xac\xcf\xe1\x6c\x62\x68\x58\x0c\xe0\xb4\x4c\xd4\xc3\x3f\x29\x21\x71\xdf\x6a\xf3\x59\x14\x22\x5c\x8b\x1a\xff\x19\x85\xce\xa0\xea\x73\x49\xa4\x3a\x51\x0d\x5f\xbf\x18\x81\xa0\x32\xf9\x6b\x1f\x58\xf4\xfa\x94\xdb\xcd\xf9\x8f\x6b\x11\x3a\x2f\x85\x1e\x76\xd4\xf1\xcf\x06\x86\xe3\xb4\x40\x57\xc3\x63\xc8\x49\xc5\x70\x06\x59\xd7\xe5\xa1\xc2\xb3\xcc\xfd\x5a\xaa\x88\x9c\x2f\x99\xa9\xb1\xc8\x31\x9c\x3c\xd3\x48\xbe\x29\xb2\xe9\xbf\xef\xbc\x28\xcb\x77\x47\x29\x95\x8c\x12\xc9\xdf\xa7\x4b\x89\x3a\x07\x74\x5a\xed\x2e\x51\x44\x72\x3c\x8
f\xc0\x50\x68\x52\xf1\x7e\x6a\x4a\x8f\x59\x9d\x2c\x4a\x1d\x7c\x0b\xa9\xd7\x7d\xb8\x41\x6e\xb1\x09\x32\xcd\xc7\x49\xcf\xa9\x98\x90\xee\x80\x17\xc0\x66\x40\x84\xf8\x64\x89\xc9\x75\x25\x52\x52\xc3\x87\x6f\x8d\xcd\x98\xc0\x0b\x73\x61\x1c\xe2\x73\x4e\x1f\xe0\xee\x5c\x0a\x0a\xbb\x0c\x50\x00\x40\x44\xf9\x3a\xd2\xff\x01\x09\xbc\xb1\x9a\x3a\x20\xf1\x86\xd6\x8e\x38\x7d\x34\xa5\xb5\x78\xc4\x25\x3c\xd9\x67\x26\x14\x80\x3b\xf9\x67\x26\xe8\xab\x00\x14\x6d\x2f\xe2\x66\xe6\x2e\x48\x65\xf5\xe7\xfe\x31\xd4\x14\x97\xe7\x19\x51\x22\xfc\xda\x82\x5f\xb4\xe9\xfc\xdd\x09\xb4\x21\xdd\xb6\xe9\x25\xa4\xd5\xcb\x7f\xf2\xfa\x56\xfe\x14\x97\xad\x65\x9c\xc5\xb6\xef\xd8\xf8\x83\x99\x8b\x74\x51\x17\x5f\x98\x27\x54\x7b\x84\x19\x5c\x25\xfc\x16\x31\x07\x2a\x55\xc1\x7e\x90\xa3\x27\x9a\x54\xa2\x96\x97\x31\x2b\xfe\xf3\xee\xfc\xba\x8d\x31\x14\x55\x6a\x54\x5d\x18\xab\x0d\xf7\x4d\xf2\x66\x85\x91\x51\x95\x9a\x1b\x05\x1f\x83\x22\xf7\x98\xcb\x45\xd5\xcb\xe5\x29\x1b\xdd\x71\xda\xd6\x65\xf6\x4d\xde\x69\x54\xef\x00\x71\x89\x18\xfe\x01\x72\x79\x63\x96\x46\x42\xd4\xc4\xa5\xbb\xa9\x30\x3f\x44\xfe\x97\xff\x99\xf0\x67\x48\xdc\x86\x3f\xf0\xcc\x17\xfc\x82\xb2\x9f\xbe\x0c\x71\x2c\x77\xed\x36\x69\x7f\x23\xb4\xa2\x2a\x9f\x24\x85\x22\xf9\x94\x6c\x3a\xbc\xd3\x2e\x16\x5f\xd6\x6f\xdb\xc7\xb4\xa0\xdf\x71\xa8\xd2\x57\x1f\x32\xda\x4a\xda\x51\xc1\x4c\xa0\x86\x30\x1d\x6e\xd0\x20\x06\xc6\xa3\x8c\xe4\xe7\x67\x1f\x3d\x08\x62\xa4\xe3\xc2\x2b\x6a\xa7\xb7\xc0\x49\xa7\x76\x22\x87\x57\x05\x62\xe8\xb4\x52\xef\xc7\x87\x41\xe7\xc2\x82\x2a\xd0\xfd\x43\x5e\x76\xa8\x04\x4b\x05\xb3\x88\xaa\xfc\x4c\xf6\x15\x75\x76\x03\x98\x87\x23\x64\x46\x99\x61\xe8\x7d\x14\xd1\x79\x5e\xb6\x27\xfa\xed\xa1\x8f\x9c\x12\x28\xfc\x99\x4d\x58\x05\x08\xc9\x96\xd3\x66\x27\x99\xb7\x23\x7e\x59\x69\x10\xa7\xc5\xc7\xfa\xcd\x47\xfa\x30\x84\xda\x48\x48\x87\x67\xf6\x0c\xfe\x58\xec\x40\x14\x15\xac\x66\x03\x16\x23\x32\x0f\x9f\xda\x37\xc0\xaf\x9f\xe4\xcd\xa1\xb2\x89\x3d\x2d\xf0\xac\x82\x26\x01\x3a\x36\xca\x7b\x13\x66\x03\x2e\xa7\xb2\x5a\x55\x91\xbe\xbc\x8c\xe4\x89\x77\x7c\x0c\xba\x2
8\xd1\xf0\xca\xfe\xae\xea\x7d\x5b\x4d\x20\x09\x30\x9e\xeb\xc9\x13\x07\x81\x12\xbb\x12\x69\x20\xca\x6e\x5e\x2b\x22\x10\xce\x54\x10\xcc\xe4\x5f\xc4\x63\x74\x6c\xf1\x68\xf7\xee\x2b\x91\xc7\x97\xb3\x30\xe0\x46\x48\x22\xa6\x18\xe4\x57\xce\x39\xa0\x03\x67\xd9\xcd\x3d\x3f\x59\x38\xce\x36\xeb\x2a\x31\xa9\x0d\x04\x92\x58\xc8\x49\x95\x5e\x97\xf0\x80\x17\x26\x9b\x3e\x5f\x69\xe9\x12\x81\x95\x63\x8b\xc8\xc1\xfa\x73\x5e\x6e\xb2\x43\x5c\x95\x87\xf4\xf4\x36\xd9\xe6\x8a\x87\x97\xbb\x42\x10\x0d\x48\xe7\xb2\x61\x97\xc6\x5f\xb8\x90\x39\x61\x38\x2f\xb0\xfe\x22\x98\x60\x17\x30\x68\xd9\x42\x91\x10\x82\x3b\xc2\xff\x71\x7a\x71\x57\x05\x4c\x32\x6b\xda\xc3\xad\x35\x81\x77\xf9\xa4\x06\xd8\x94\xb8\x42\xd6\xd9\x1e\xdb\x35\x6b\x06\x28\x3b\x32\x9b\xca\x6e\x12\x29\x06\x55\xfe\xf2\x40\x29\xba\x1d\xaa\xf4\x5f\x17\xeb\xc8\x34\xd1\x2e\x35\xe3\x9f\x2e\x20\xe2\xc7\x36\x2a\xeb\x00\x31\xf4\x87\x7b\x63\x3b\xe1\xbe\xd3\x6f\x5d\x7b\xa2\x4d\x01\x48\xf8\x46\xa7\x86\xf3\x88\xe2\xab\x79\x66\x2d\x55\x9b\x86\x1a\x36\xa4\xce\x60\xdc\xeb\x5f\xdb\x9f\x47\x93\x58\xfd\x84\xa5\xc7\xf1\x02\xf7\x5b\x81\x43\xd3\x62\x6f\xff\xa5\x46\x9c\x22\x07\x2a\x97\xd6\x3f\xf9\xe0\x66\x7c\x2f\x2d\xb4\x1c\xd0\x3e\x5d\x43\x91\x4b\xb5\x90\xbb\x1f\x11\xf4\xc3\x53\x3b\xcc\x47\xff\xc9\x9e\xed\xf6\x77\xc9\xd6\x46\xc6\x0f\x99\x39\x89\x15\x89\x1a\xb6\x71\x97\xdd\xbd\xc1\x1e\x03\xda\xf0\x31\x39\xce\xad\xaf\x99\x22\x68\x75\x16\x3f\x11\xc2\x90\x27\xf6\xec\x6e\xe6\x47\xc9\xbb\x1f\x76\x95\xf1\xf2\x91\x8a\x32\x85\xa1\x3e\xad\xb7\x3d\x3e\x94\xcb\x0d\xbf\x92\x73\xf7\x5e\x1a\x8b\x39\x1c\xc6\xe4\xc1\x4e\xd5\x68\x3c\x27\x56\xc7\xb3\x3d\x84\x35\x1e\x1c\xe0\xba\x7b\x02\xe2\x30\x5d\xe6\x5b\x29\x45\x6b\x5c\x55\x34\x46\x47\xc7\xb0\xb1\x6c\xd8\x36\xdb\xa2\x71\x1a\x4c\xc9\x77\x38\x26\x7c\x46\x2c\x85\xfa\xd6\x08\xa8\x16\x12\xd7\xf8\x9a\x7f\xe6\x63\xbd\x06\x43\x54\xa8\x0f\x8b\xe0\x16\x5d\xf5\xd9\xba\xe1\xc6\x9e\xa5\x69\x62\xb1\x11\x22\x0c\xdc\x13\x6a\xda\x90\xbb\x13\x15\xf8\x65\xca\xff\x1e\x25\x26\xac\xd2\xef\x4c\x36\xa7\x0f\x26\x60\x88\xd7\xd3\x48\xe5\x61\x13\x29\x7
1\x66\x8e\x91\xa8\x90\x04\x08\x5a\x5b\x09\x2f\x8e\x28\x42\x3d\x16\xb7\x49\xcd\xcb\xf9\x2a\x43\x65\xe4\x68\xdd\x67\xbe\x24\x1e\x5d\xea\x70\x5b\x60\x6b\x28\x09\x9a\x5d\x3d\x46\xa0\x76\x20\xfc\x4f\x73\x1e\x3d\x36\x05\xde\xbe\x68\x70\x42\xca\xc9\x37\x42\x73\x67\xc3\x5b\x54\x6a\xf2\xdf\xc0\x94\xa7\x21\xdc\x7f\xd1\x3d\xf6\x8e\x9a\x79\x9e\xcb\x10\x7c\x90\x8b\xac\x9f\x8c\x44\x30\xcc\x10\xc6\x29\x9c\x79\x4d\x02\x8d\x51\x6c\x3e\xf3\xf7\x7f\x9f\x64\x20\x16\x60\x94\x9b\x5e\xe2\x9a\x58\x94\xd7\x38\xfa\x4e\x4b\xcd\xda\x88\xfe\x12\xbc\xff\xe8\x5d\xa7\xb1\x0d\x02\xc8\x09\x22\xf3\x90\x71\x34\xfe\x64\x60\x55\x08\xb6\xcb\xe3\x5e\x97\xf1\x2f\x1b\xb1\x5f\xce\x6f\xac\x0b\x0b\xbe\xd6\x21\x83\xba\x88\xb8\x41\x3c\x69\x2c\x1d\x46\x53\x76\x14\x6a\x5a\xc6\x9e\x0f\x10\x45\x0f\x04\xc8\xb6\xf3\xc9\x0c\x58\xac\x33\x60\x4a\xa8\x11\xa9\xb7\x4e\xbb\xd0\x7b\x06\x84\xc5\x1a\x55\x30\x06\xda\x57\xf4\xdf\x29\xdf\x30\xa6\x46\x22\x26\x6b\x3e\xc0\x6c\x43\x5d\x65\x05\x21\xf3\xea\x72\x5a\x3c\x8c\x12\x8c\x73\xf0\xd3\x44\x7d\xd1\xa8\x5b\x10\xa0\x61\xe9\xac\x44\x69\xbd\x8e\xad\x5b\x59\xcc\x63\x9b\x81\x7e\x67\xd9\x0c\xcd\x77\x3e\x22\x4a\xeb\x67\xdd\x26\x36\x91\x74\x36\xb7\x64\x75\xd8\xe0\x25\x5c\xf7\xd1\x4f\x28\x36\xa5\x0d\x23\xfb\x11\xb3\x84\x35\x48\xb3\xa5\x2d\x8f\xa1\x0c\xa8\xc9\x7e\x1f\x0e\xd7\xa0\x0c\xfc\x80\x67\xa5\xb9\x9a\x41\xc0\x7d\x3c\xe0\xa0\x45\x6b\x84\x43\xbb\x5f\x09\x03\xdb\x5e\x7b\xc1\x6b\x0d\x0d\x4f\x32\x1a\x57\x57\x2d\x33\x68\xd9\x7a\xb7\x70\x58\x30\xd2\x3f\xf7\x8a\xc8\xd6\x94\x02\xc9\x20\xf7\xfb\x91\xd6\xef\xc1\x6c\xe4\x39\x93\xa1\xa6\x8e\xb8\xed\xa0\x8d\x7c\xc5\x5f\xca\x85\x49\xf4\x08\x39\xac\x8e\x5e\x26\x3e\x8f\xcd\xdb\x10\xdd\x20\xfb\xed\xd9\x49\xc8\xd3\xc1\xe1\x86\xe9\xfd\xd5\xaa\x27\x65\xa1\xef\x54\xf9\xe8\xb2\xa7\xa0\xb3\x8f\x1c\x8f\x8d\xaf\xe5\xfc\xef\x0f\xf0\x31\x69\x21\xdb\xaa\xb2\x7f\x6b\x2e\x09\xe4\x9d\x0a\x56\xc9\xad\xe5\xd8\xcb\x65\x86\x99\xba\xa9\x84\x54\x3f\xde\x4e\x72\x0e\x02\xe5\x50\x3e\x83\x5c\x7a\x63\xef\xfe\xe3\xdf\xa5\x8e\x4c\xcd\xbe\x19\x43\xb5\x92\x1b\x58\xfd\x0e\xd6\x64\xe
f\x73\xdf\x89\x23\x18\xe1\x07\x03\x23\x48\x59\xb5\x65\xd1\x7d\xe8\xc9\x25\x19\x8b\x44\x81\x59\xc8\xe8\xd7\x3c\x8b\x1e\x5e\xb6\x87\x05\xe5\x82\xd5\x12\x8f\x20\x7b\x54\x6f\x81\x22\xe0\x4e\x37\xbc\xc9\xd1\xca\x9b\x2c\x7a\xe5\x1d\x45\x42\x44\x8b\x36\xd6\xff\x16\xd9\x98\xee\xce\x9f\x07\xbe\x34\x1d\x1d\x8f\x98\x9f\x23\x44\x60\x40\xa4\x99\x72\x72\xc9\x9d\x45\x34\x83\x72\xfc\x49\xb7\x0f\xb5\xe0\xfa\xca\x97\x51\x84\xc6\x02\x59\x95\xf6\xaa\x49\xf1\xb2\x93\xdf\x66\xd5\x1d\x75\x3d\x9c\x77\x75\x57\x6d\x0e\x77\x01\x34\xd3\xa4\xfb\xd5\x3c\x99\xb0\xa7\xb6\xaf\xe7\x33\x7f\x73\x24\x81\x63\x23\x9a\x71\x4d\xfe\xb2\x85\xb0\xb4\x9e\xf6\x02\xd6\x2a\xd6\x93\x5a\x83\xc8\x3b\xc8\x14\xbd\x40\x7b\x1f\xf5\x22\x82\x92\xf9\xbf\xbb\xd0\x71\xc8\x1d\xc9\x59\x1a\x05\xc9\x50\x7b\xff\x87\xc9\xe5\x27\xb8\xf1\x4e\x8e\xe1\x3d\x18\x7e\xb8\x67\xdc\x2c\x95\xdd\x90\x3c\x37\x69\x2d\x03\xe7\xb0\x09\x85\xfb\xc1\x13\x13\x07\x8d\xec\x7f\xf6\x9f\x2e\x01\xa8\x34\x23\x99\x40\x0f\x98\xcc\x66\x83\x3d\x9c\x85\xff\x7f\x10\xcb\xef\x73\x32\x13\xcd\xae\x61\x54\x5f\x39\xe8\x5c\x59\x30\x2b\x56\x0a\x72\xd0\x43\x7b\x26\x6c\xba\xe1\x6f\xad\x4a\x00\x0d\xde\xa1\x99\x49\x40\x8c\x74\x77\xfc\xb9\x48\x91\x53\x23\xeb\xb7\x9a\x55\xc7\x69\xcc\xb1\x8e\x2f\x55\x2a\xb7\x63\xba\x65\x30\x2a\xe7\xbc\x47\x6e\x36\x25\xeb\x88\xa7\xa6\x69\x8c\xec\xcf\xac\x22\x90\x0c\xa3\xc4\x4d\xec\x88\x66\xb2\xa1\x14\xc0\x83\x1c\xf6\x53\xd4\xc1\xfb\xa9\xa7\x78\x5a\x1c\xaa\x2b\x97\x34\x33\x84\x22\x6b\x1a\xce\xd9\x3d\xa7\x1d\x30\xb6\x65\x06\x45\xbc\x11\x3a\xc6\x2d\x32\xd2\x03\x2d\xdb\x65\x62\x6e\xe8\x6c\x3b\x9d\xfb\xbd\x8d\x0c\xae\xea\x74\x53\xdb\xea\x30\x4e\x34\xd3\xf8\x05\x22\xcd\x31\x7b\x49\xbc\xab\xb8\x69\x33\x1c\x7c\x32\x18\x52\x10\x04\x30\x42\x3b\xcb\x1e\xc1\x5c\x50\xc1\x9b\x76\x6a\x7c\xe4\x71\xd5\x1b\x01\x04\x1b\x68\x5a\x29\xc4\xbf\xdb\x55\x2c\x86\x6d\x58\x3b\x7c\x3c\x7f\xd5\x6c\xfc\x73\x72\x5d\xf7\x84\xe4\xd9\x02\x81\x56\x7f\xe8\xc3\x8d\x86\x6b\x06\xef\x13\xbb\x30\xfd\x23\x90\x6e\x66\x2c\xf9\xd5\x11\x3d\x7b\x52\xb0\x14\xb4\xae\xb3\xa1\x83\x52\x4b\x49\x7b\xe
9\x22\x0a\xe1\xe0\xb2\xf7\x67\x4d\x27\x99\x42\x94\x1b\xbd\x81\xed\x59\x5a\x93\xc2\x34\x13\x99\xb6\xac\x36\xff\x86\x9f\x89\x4c\xae\x29\x13\x08\xb2\x12\x84\xd3\x98\xb5\xfa\x6a\xc7\x6b\x9d\x59\xf0\x3e\x48\xc2\x75\xf4\xf2\x0c\xe0\xa5\x05\x9d\xe6\x9c\xa9\xec\x99\x9d\x73\x20\x2d\xef\x66\x6b\x37\xb3\xa9\x6a\x95\xb1\x2c\x74\x33\x10\x38\xfa\xca\xca\xb1\x88\xda\x87\x8a\x86\x0e\x1b\x39\x9d\x6b\x3b\xd3\xc1\x36\xe0\xa5\xe9\x96\x3c\x16\x91\x88\x9f\x0d\x40\x0f\x34\xdc\xc5\x1e\xf1\x00\x2e\xbf\xee\x28\x14\x60\x5a\x4d\x10\x67\xed\x73\x96\xc1\x15\xe3\xa9\x4f\x15\x1c\x8e\x4a\xa2\x93\x0f\xd8\xbc\x53\x4d\x57\x9d\x5d\x88\x43\xbd\x20\x29\x05\x6f\xc5\x58\xb9\x86\x94\x08\xb9\x95\x1f\x75\x67\x24\x33\xea\xd1\x9e\x10\x9c\xd1\x83\x08\xf1\xc9\xd6\xf9\xcc\xbc\x9f\x76\x79\x93\xb5\x9e\xa2\xb5\x04\x68\x64\xf5\xe0\xc3\xbd\xe4\x2e\x79\x32\xc5\x6b\x9f\xb2\x52\x89\xe1\x6a\xb3\xbe\xbb\x69\x25\x47\xde\x1a\x4d\xbe\x11\x9a\xb2\xbd\x71\xe4\x71\xcb\xdf\x6c\x6e\x85\x19\xac\xa7\x7c\x2c\xbb\x82\x73\x34\x3c\x1b\xed\x23\x92\x2e\x55\x7f\x87\xb4\x08\xd8\x7a\xf7\x88\x96\xed\x30\xf0\xa6\x17\x8a\xd9\x8a\x34\xde\xd6\x14\x84\x43\xfd\xdf\x4a\x5c\x00\xa8\x1a\xe9\xdf\x21\x59\xfd\x65\x8c\x85\x9f\xb6\xb2\x74\x98\x8c\x84\x8f\x99\x3e\x76\x1c\x26\x3e\x90\xd7\xdb\x8f\x66\x2c\x87\x6b\x7a\x61\xff\x2d\x93\x8b\xa7\xfe\xd4\xcb\x5c\xd8\xee\x51\x48\x70\xb5\x05\x20\xe7\x33\xf2\x1c\xdc\x3b\xd7\xed\x41\xd2\x97\xb9\x6d\xfe\xff\x37\x9d\x37\xe6\x07\x1b\xb1\xac\x84\xfe\xff\xab\x2c\xdd\x98\x5f\xea\x2f\xe6\xc4\x6e\x6b\x75\x69\xc8\xc2\x45\x45\x91\x79\x5c\xcc\x56\x51\x1d\x85\x3f\xd2\xa0\x1a\x1e\xb0\xce\x25\x05\xab\x65\x78\x2b\x78\x36\xba\x67\x84\x45\x05\xaa\xbc\xb5\xdc\x63\x72\xa3\x13\xfe\x7a\xcc\x7f\x48\xb0\xd2\xbe\xf7\x94\x03\xc2\x83\x7d\x88\xe5\x2f\xe9\x26\xad\x16\xd5\x1b\xe7\xe8\xc6\x2a\x59\x55\xa6\x1e\x85\x27\x08\x39\xf3\x6e\xee\x94\x63\x70\x92\x7e\xb1\x98\x41\x30\x16\x77\xe8\x37\xab\xac\x18\xd7\x09\xbc\x84\xdd\xa6\x0b\x12\x10\x7a\x23\xeb\x73\x35\x43\xff\x32\xcc\xe5\x24\x8d\x0f\x46\x19\x21\x29\x52\x91\x83\x7c\x15\x0a\x4c\x1d\x48\x9d\x31\xc5\xb
f\x5b\xfc\x2d\xa1\x42\x7e\x1e\xce\x74\xae\xa7\x05\x3f\x1f\xed\xa6\x4f\x09\x9f\xc4\x47\xa7\x90\x8c\xe4\x4b\x13\x46\x15\x49\xf2\x3e\xf1\x8c\x1d\x81\x07\xbe\xfb\x09\xf9\xd7\x19\xa0\xac\x57\x08\x0f\x1c\xdb\xfd\x46\x70\x4d\x79\x94\x7a\xa1\x0c\x5b\x0b\xb2\x26\xe7\xf6\x83\x09\x74\x72\x40\xf7\x73\xa6\x27\x53\x65\x61\xfb\x6c\x1c\x9b\x26\xaa\x5e\x23\xbe\x01\xf2\xd3\xf7\xaa\xdc\x99\x54\x40\x01\x5d\x25\x64\xb9\xc1\x6b\x85\x3d\x66\x57\x24\xf9\xf7\x22\xb3\x4a\xb1\xd4\x4c\x27\xd0\xe0\xcb\x01\xc4\x9d\x9e\x05\xde\x91\xc2\xe0\x40\x76\x4f\x0c\x21\x2e\x6d\x63\xf7\xb7\x24\x93\xdc\xcb\xf8\x58\x16\x4c\xf4\x81\x51\xbb\xe4\xf1\xdc\x2c\x91\x58\x66\x73\x43\x1a\xf7\xb8\x46\x1d\x30\x16\x1c\x56\x11\x70\xdf\xa3\x1e\xdd\xe2\xcc\xc9\xdd\xdb\xc7\xa8\xe4\x62\x31\x75\x24\x05\xcf\x30\x8e\xcd\x8d\x35\x05\x63\x6d\xba\x70\x35\xc9\x4f\x72\x86\x23\xbb\x87\x60\x3a\xfb\x90\xb5\xc2\x3e\x9a\xc1\x93\x7b\x2e\xa3\x98\x4d\x57\x9d\xa2\x99\x70\xef\x04\x9f\xfd\x97\x05\xfa\x28\x3e\xf6\x2f\x1a\x9f\xbb\xef\xbc\x5f\x8f\x3f\x79\xbd\xd8\xd7\x0f\x0a\x89\x39\x72\xe5\xac\xa3\xa1\x64\xe6\x72\xba\x88\xeb\xdb\x62\x06\xa4\xdd\xa5\xeb\x5a\xdf\xd1\x63\x52\xd4\x2c\x4f\xbd\xdf\x11\x7f\x2b\x0d\x30\xe8\xc3\x9f\x1b\xc6\x3f\x3b\xc0\x3b\x45\x2a\x87\x01\x17\xaf\x7a\x3f\xd3\x01\xaf\x71\x4b\xfa\x39\x83\x67\xa9\xac\x2a\xa3\x81\x17\x0b\xc7\xca\x86\x01\x44\x25\x8a\x9a\x38\xa6\x14\x54\xc9\xcd\xef\x24\xf1\xc6\x62\xf2\x8e\x8d\x1e\xe7\x74\x9f\x61\xa9\xc7\x9a\x9e\x16\x59\x3f\x2d\x55\x00\xde\xaa\x73\x0a\xca\x4e\xef\x32\x73\x87\x84\x31\xa8\x74\xb0\x3e\x44\xf6\x49\x5b\x52\xea\x9b\x22\xd9\x41\x7f\xb3\xf2\xcc\xbe\x2c\x48\x2a\xdd\x30\x8e\x4a\x3c\x55\xb7\x53\x2a\x4e\x64\xcf\x10\x8d\x83\x3d\x54\xab\xf3\xcf\x93\xb3\xf9\x08\x52\x63\xd2\x77\x4c\x22\x14\xdc\x62\xe3\xc6\xa7\x88\x69\x46\xb7\xbb\xb4\xd0\xfd\xd8\x2d\x50\x22\x32\xf8\x91\xe9\x5e\x20\x75\xb6\x97\x4f\xcb\xc8\x15\x79\xfe\x8e\xeb\x7e\xe2\x21\xa9\x04\xce\xdb\xbb\xab\x25\x95\xef\x93\x53\x7f\xde\xa0\x3e\xb9\x3b\x49\x68\x01\x19\xd9\x96\xc8\xe7\x06\xdf\xc4\xd9\x94\x33\x95\x4c\x53\x67\x72\x5d\x48\x08\x11\x9b\x6
8\x3b\x59\x64\x1c\x4b\xff\xd3\xfb\xab\x0c\x7e\x12\x5f\x02\xba\xd9\x5c\xbf\xc2\x6e\xab\x96\x07\x9f\x8d\xfb\xf6\x62\x35\x89\xd1\x4e\x0c\x20\xd1\x5e\x07\xc3\x4b\xcc\xce\x36\xfb\x92\x79\x65\xf9\x6c\x8c\xc8\x9b\x3e\x51\x43\x82\x12\xa9\xbe\xc9\x2a\xf4\xb5\x92\xae\x76\xe6\x6d\x53\x1d\x34\x43\x85\xf5\x56\x85\x52\xe3\x7b\xd2\x5c\xbe\x30\x7d\x83\x99\x75\x91\x4f\x30\x91\x5d\x24\xe8\xf3\xd8\x92\xc8\xa1\x9f\xa4\x84\xc3\x5d\xf1\xfb\x92\xaf\x80\xed\xf4\x03\x34\x0c\xac\xed\x5c\x22\x47\x67\xe9\xe6\x87\x45\x65\x63\xdf\xf2\x9c\xa8\x6e\x36\x58\x55\xde\x94\x05\x7b\x66\xc5\x76\xbe\xc5\xf5\xb7\xfc\x3f\x00\x43\x33\x6b\x8a\x48\x7a\xe2\x51\x9b\x8f\xf0\x12\x2e\x7a\xc2\xbf\x57\xd2\x9b\xa6\x48\x08\xdd\x3a\x20\xd2\x6e\x43\x82\xce\x7b\xb1\xfb\xd3\x47\x34\xf5\xae\x66\x25\xee\x8a\x7d\xd5\x6f", 8192); *(uint32_t*)0x20004f40 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x50; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 0x3f; *(uint32_t*)0x200023d0 = 7; *(uint32_t*)0x200023d4 = 0x22; *(uint32_t*)0x200023d8 = 0x8001; *(uint32_t*)0x200023dc = 0x1040000; *(uint16_t*)0x200023e0 = 8; *(uint16_t*)0x200023e2 = 0xf6e1; *(uint32_t*)0x200023e4 = 8; *(uint32_t*)0x200023e8 = 9; *(uint16_t*)0x200023ec = 0; *(uint16_t*)0x200023ee = 0; memset((void*)0x200023f0, 0, 32); *(uint32_t*)0x20004f44 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 9; *(uint64_t*)0x20002450 = 0x40d; *(uint32_t*)0x20004f48 = 0x20002480; *(uint32_t*)0x20002480 = 0x18; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 7; *(uint64_t*)0x20002490 = 7; *(uint32_t*)0x20004f4c = 0x200024c0; *(uint32_t*)0x200024c0 = 0x18; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 0xffff; *(uint32_t*)0x200024d0 = 8; *(uint32_t*)0x200024d4 = 0; *(uint32_t*)0x20004f50 = 0x20002500; *(uint32_t*)0x20002500 = 0x18; *(uint32_t*)0x20002504 = 0; *(uint64_t*)0x20002508 = 0xce0; *(uint32_t*)0x20002510 = 0x1c; *(uint32_t*)0x20002514 = 0; *(uint32_t*)0x20004f54 = 0x20002540; *(uint32_t*)0x20002540 = 0x28; 
*(uint32_t*)0x20002544 = 0; *(uint64_t*)0x20002548 = 1; *(uint64_t*)0x20002550 = 0x100; *(uint64_t*)0x20002558 = 5; *(uint32_t*)0x20002560 = 2; *(uint32_t*)0x20002564 = r[6]; *(uint32_t*)0x20004f58 = 0x20002580; *(uint32_t*)0x20002580 = 0x60; *(uint32_t*)0x20002584 = 0xfffffffe; *(uint64_t*)0x20002588 = 8; *(uint64_t*)0x20002590 = 0xcd95; *(uint64_t*)0x20002598 = 0x1f; *(uint64_t*)0x200025a0 = 7; *(uint64_t*)0x200025a8 = 0x48; *(uint64_t*)0x200025b0 = 0xaac5; *(uint32_t*)0x200025b8 = 6; *(uint32_t*)0x200025bc = 0xad; *(uint32_t*)0x200025c0 = 5; *(uint32_t*)0x200025c4 = 0; memset((void*)0x200025c8, 0, 24); *(uint32_t*)0x20004f5c = 0x20002600; *(uint32_t*)0x20002600 = 0x18; *(uint32_t*)0x20002604 = 0xfffffff5; *(uint64_t*)0x20002608 = 9; *(uint32_t*)0x20002610 = 9; *(uint32_t*)0x20002614 = 0; *(uint32_t*)0x20004f60 = 0x20002640; *(uint32_t*)0x20002640 = 0x11; *(uint32_t*)0x20002644 = 0; *(uint64_t*)0x20002648 = 0; memset((void*)0x20002650, 0, 1); *(uint32_t*)0x20004f64 = 0x20002680; *(uint32_t*)0x20002680 = 0x20; *(uint32_t*)0x20002684 = 0; *(uint64_t*)0x20002688 = 0x10000; *(uint64_t*)0x20002690 = 0; *(uint32_t*)0x20002698 = 0; *(uint32_t*)0x2000269c = 0; *(uint32_t*)0x20004f68 = 0x20002780; *(uint32_t*)0x20002780 = 0x78; *(uint32_t*)0x20002784 = 0; *(uint64_t*)0x20002788 = 9; *(uint64_t*)0x20002790 = 3; *(uint32_t*)0x20002798 = 0; *(uint32_t*)0x2000279c = 0; *(uint64_t*)0x200027a0 = 6; *(uint64_t*)0x200027a8 = 0; *(uint64_t*)0x200027b0 = 0xfffffffffffff20d; *(uint64_t*)0x200027b8 = 0xfffffffffffffff8; *(uint64_t*)0x200027c0 = 1; *(uint64_t*)0x200027c8 = 0x3ff; *(uint32_t*)0x200027d0 = 5; *(uint32_t*)0x200027d4 = 9; *(uint32_t*)0x200027d8 = 0x726; *(uint32_t*)0x200027dc = 0x1000; *(uint32_t*)0x200027e0 = 6; *(uint32_t*)0x200027e4 = r[7]; *(uint32_t*)0x200027e8 = 0xee01; *(uint32_t*)0x200027ec = 7; *(uint32_t*)0x200027f0 = 7; *(uint32_t*)0x200027f4 = 0; *(uint32_t*)0x20004f6c = 0x200028c0; *(uint32_t*)0x200028c0 = 0x90; *(uint32_t*)0x200028c4 = 0; 
*(uint64_t*)0x200028c8 = 3; *(uint64_t*)0x200028d0 = 2; *(uint64_t*)0x200028d8 = 2; *(uint64_t*)0x200028e0 = 0x100000000; *(uint64_t*)0x200028e8 = 0x61a26b8d; *(uint32_t*)0x200028f0 = 6; *(uint32_t*)0x200028f4 = 2; *(uint64_t*)0x200028f8 = 1; *(uint64_t*)0x20002900 = 3; *(uint64_t*)0x20002908 = 1; *(uint64_t*)0x20002910 = 0x100000000; *(uint64_t*)0x20002918 = 3; *(uint64_t*)0x20002920 = 0x8f; *(uint32_t*)0x20002928 = 4; *(uint32_t*)0x2000292c = 0x1ff; *(uint32_t*)0x20002930 = 0x849; *(uint32_t*)0x20002934 = 0x1000; *(uint32_t*)0x20002938 = 7; *(uint32_t*)0x2000293c = r[8]; *(uint32_t*)0x20002940 = -1; *(uint32_t*)0x20002944 = 5; *(uint32_t*)0x20002948 = 0x1f; *(uint32_t*)0x2000294c = 0; *(uint32_t*)0x20004f70 = 0x20002980; *(uint32_t*)0x20002980 = 0x130; *(uint32_t*)0x20002984 = 0; *(uint64_t*)0x20002988 = 0xa00000000000; *(uint64_t*)0x20002990 = 4; *(uint64_t*)0x20002998 = 1; *(uint32_t*)0x200029a0 = 6; *(uint32_t*)0x200029a4 = 9; memset((void*)0x200029a8, 1, 6); *(uint64_t*)0x200029b0 = 6; *(uint64_t*)0x200029b8 = 1; *(uint32_t*)0x200029c0 = 5; *(uint32_t*)0x200029c4 = 0xfffffffe; memset((void*)0x200029c8, 170, 5); *(uint64_t*)0x200029d0 = 1; *(uint64_t*)0x200029d8 = 0x1ff; *(uint32_t*)0x200029e0 = 3; *(uint32_t*)0x200029e4 = 7; memcpy((void*)0x200029e8, "{#-", 3); *(uint64_t*)0x200029f0 = 5; *(uint64_t*)0x200029f8 = 0; *(uint32_t*)0x20002a00 = 2; *(uint32_t*)0x20002a04 = 0x761; memcpy((void*)0x20002a08, "[#", 2); *(uint64_t*)0x20002a10 = 3; *(uint64_t*)0x20002a18 = 0; *(uint32_t*)0x20002a20 = 2; *(uint32_t*)0x20002a24 = 6; memcpy((void*)0x20002a28, "#]", 2); *(uint64_t*)0x20002a30 = 1; *(uint64_t*)0x20002a38 = 0x714; *(uint32_t*)0x20002a40 = 5; *(uint32_t*)0x20002a44 = 3; memcpy((void*)0x20002a48, "*^\\^b", 5); *(uint64_t*)0x20002a50 = 5; *(uint64_t*)0x20002a58 = 0xeb68; *(uint32_t*)0x20002a60 = 4; *(uint32_t*)0x20002a64 = 0xfffffa80; memcpy((void*)0x20002a68, "--$-", 4); *(uint64_t*)0x20002a70 = 6; *(uint64_t*)0x20002a78 = 0xfffffffffffffeff; 
*(uint32_t*)0x20002a80 = 1; *(uint32_t*)0x20002a84 = 1; memset((void*)0x20002a88, 45, 1); *(uint64_t*)0x20002a90 = 1; *(uint64_t*)0x20002a98 = 8; *(uint32_t*)0x20002aa0 = 3; *(uint32_t*)0x20002aa4 = 0xf2; memcpy((void*)0x20002aa8, "!\\{", 3); *(uint32_t*)0x20004f74 = 0x20004c40; *(uint32_t*)0x20004c40 = 0xb0; *(uint32_t*)0x20004c44 = 0; *(uint64_t*)0x20004c48 = 0xcf; *(uint64_t*)0x20004c50 = 1; *(uint64_t*)0x20004c58 = 1; *(uint64_t*)0x20004c60 = 3; *(uint64_t*)0x20004c68 = 0x100000000; *(uint32_t*)0x20004c70 = 4; *(uint32_t*)0x20004c74 = 0x81; *(uint64_t*)0x20004c78 = 5; *(uint64_t*)0x20004c80 = 0x7f; *(uint64_t*)0x20004c88 = 5; *(uint64_t*)0x20004c90 = 6; *(uint64_t*)0x20004c98 = 0xffff; *(uint64_t*)0x20004ca0 = 3; *(uint32_t*)0x20004ca8 = 0x1f; *(uint32_t*)0x20004cac = 3; *(uint32_t*)0x20004cb0 = 8; *(uint32_t*)0x20004cb4 = 0xc000; *(uint32_t*)0x20004cb8 = 0xf5c8; *(uint32_t*)0x20004cbc = r[10]; *(uint32_t*)0x20004cc0 = r[11]; *(uint32_t*)0x20004cc4 = 2; *(uint32_t*)0x20004cc8 = 9; *(uint32_t*)0x20004ccc = 0; *(uint64_t*)0x20004cd0 = 4; *(uint64_t*)0x20004cd8 = 0x80; *(uint32_t*)0x20004ce0 = 5; *(uint32_t*)0x20004ce4 = 2; memset((void*)0x20004ce8, 170, 5); *(uint32_t*)0x20004f78 = 0x20004e40; *(uint32_t*)0x20004e40 = 0xa0; *(uint32_t*)0x20004e44 = 0; *(uint64_t*)0x20004e48 = 0x400; *(uint64_t*)0x20004e50 = 6; *(uint64_t*)0x20004e58 = 2; *(uint64_t*)0x20004e60 = 0x400; *(uint64_t*)0x20004e68 = 7; *(uint32_t*)0x20004e70 = 4; *(uint32_t*)0x20004e74 = 9; *(uint64_t*)0x20004e78 = 4; *(uint64_t*)0x20004e80 = 0x1000; *(uint64_t*)0x20004e88 = 0xffff; *(uint64_t*)0x20004e90 = 6; *(uint64_t*)0x20004e98 = 1; *(uint64_t*)0x20004ea0 = 0xffff; *(uint32_t*)0x20004ea8 = 0x65f; *(uint32_t*)0x20004eac = 0x647c2b8f; *(uint32_t*)0x20004eb0 = 0x400; *(uint32_t*)0x20004eb4 = 0x8000; *(uint32_t*)0x20004eb8 = 8; *(uint32_t*)0x20004ebc = r[12]; *(uint32_t*)0x20004ec0 = r[13]; *(uint32_t*)0x20004ec4 = 3; *(uint32_t*)0x20004ec8 = 0x6b; *(uint32_t*)0x20004ecc = 0; *(uint64_t*)0x20004ed0 = 
0; *(uint32_t*)0x20004ed8 = 0xd; *(uint32_t*)0x20004edc = 0; *(uint32_t*)0x20004f7c = 0x20004f00; *(uint32_t*)0x20004f00 = 0x20; *(uint32_t*)0x20004f04 = 0; *(uint64_t*)0x20004f08 = 0x800; *(uint32_t*)0x20004f10 = 0; *(uint32_t*)0x20004f14 = 0; *(uint32_t*)0x20004f18 = 0x10001; *(uint32_t*)0x20004f1c = 0; syz_fuse_handle_req(r[5], 0x200003c0, 0x2000, 0x20004f40); break; case 23: memcpy((void*)0x20004f80, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004f80, r[5]); break; case 24: syz_init_net_socket(0x24, 2, 0); break; case 25: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[14] = res; break; case 26: *(uint32_t*)0x20004fc4 = 0x5004; *(uint32_t*)0x20004fc8 = 0; *(uint32_t*)0x20004fcc = 1; *(uint32_t*)0x20004fd0 = 0x1de; *(uint32_t*)0x20004fd8 = r[14]; memset((void*)0x20004fdc, 0, 12); res = -1; res = syz_io_uring_setup(0x343, 0x20004fc0, 0x20ffc000, 0x20ffb000, 0x20005040, 0x20005080); if (res != -1) { r[15] = *(uint64_t*)0x20005040; r[16] = *(uint64_t*)0x20005080; } break; case 27: memcpy((void*)0x200050c0, "/dev/uinput\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 2, 0); if (res != -1) r[17] = res; break; case 28: memcpy((void*)0x20005100, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0x488200, 0); if (res != -1) r[18] = res; break; case 29: *(uint8_t*)0x20005140 = 0x1e; *(uint8_t*)0x20005141 = 3; *(uint16_t*)0x20005142 = 0; *(uint32_t*)0x20005144 = r[14]; *(uint64_t*)0x20005148 = 0x200; *(uint32_t*)0x20005150 = 0; *(uint32_t*)0x20005154 = r[17]; *(uint32_t*)0x20005158 = 6; *(uint32_t*)0x2000515c = 1; *(uint64_t*)0x20005160 = 0; *(uint16_t*)0x20005168 = 0; *(uint16_t*)0x2000516a = 0; *(uint32_t*)0x2000516c = r[18]; memset((void*)0x20005170, 0, 16); syz_io_uring_submit(r[15], r[16], 0x20005140, 0x3dd1); break; case 30: memcpy((void*)0x20005180, "/dev/keychord\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x20005180, 0x171000, 0); if (res != -1) r[19] = res; break; case 31: 
memcpy((void*)0x200051c0, "/dev/ubi_ctrl\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x200051c0, 0x10400, 0); if (res != -1) r[20] = res; break; case 32: *(uint32_t*)0x20005240 = 0; *(uint32_t*)0x20005244 = 0x20005200; memcpy((void*)0x20005200, "\x46\x23\xd8\xa4\xce\x02\x17\xc9\xe5\x95\x55\xc1\x66\x89\x06\x79\xe3\xe0\xc1\x94\x0d\xf5\xb9\xfc\xbf\x91\x64\x9e\xf5\x4d\x80\xf0\xc8\xbc\xc8\x0e\x36\xb5\x57\x4c\x4b\xc9\xf9\x43\x40\x18\x54\xf5\x6a\xa2", 50); *(uint32_t*)0x20005248 = 0x32; *(uint64_t*)0x20005280 = 1; *(uint64_t*)0x20005288 = 0; syz_kvm_setup_cpu(r[19], r[20], 0x20fe8000, 0x20005240, 1, 0, 0x20005280, 1); break; case 33: res = syscall(__NR_mmap, 0x20ffc000, 0x2000, 0x1000000, 0x8000, (intptr_t)r[18], 0); if (res != -1) r[21] = res; break; case 34: *(uint32_t*)0x200052c0 = 1; syz_memcpy_off(r[21], 0x114, 0x200052c0, 0, 4); break; case 35: memcpy((void*)0x20005300, "adfs\000", 5); memcpy((void*)0x20005340, "./file0\000", 8); *(uint32_t*)0x20005540 = 0x20005380; memcpy((void*)0x20005380, "\x87\x35\x19\xf2\x5d\xf0\x82\xb3\x71\xba\x5b\x45\xad\xb5\x70\x9c\x00\x80\x57\x47\xc3\x7f\xe0\x44\x06\x45\x95\xcd\x47\x28\xbf\x89\x80\x30\x2b\x25\xb4\xb0\x83\xb4\x2b\x41\x33\x6e\x13\x0f\x1b\x6f\xf0\xa2\xf1\x72\x49\x8e\x52\x2b\x4f\xe5\x82\x6e\xab\xab\xf5\x3a\x98\x52\xf9\x3e\xbe\xb8\x41\xe1\x64\x5f\x32\x93\x61\x27\x02\x9d\x68\xfe\x73\xec\xed\x89\xc1\xb9\x35\x87\x01\x2a\x47\xc4\x2a\x58\x3d\x69\x75\x59\x2b\x3f\x2c\xdf\x43\x37\xfc\x6d\x5e\x85\xe5\xf5\x83\x5f\xaf\xe0\x95\x93\x5e\xc9\x04\x84\xe9\x08\x1a\xa8\xd2\x24\x98\x43\x13\x01\xba\xad\x4a\x34\x36\x8c\x26\xc6\x4d\x85\x32\x6c\x7e\x00\x68\x21\x78\xf8\xd1\x3e\x6a\x89\x69\xf1\x5b\x9d\x5d\xbc\xfe\xc2\xc0\xe6\x96\x80\xc3\x92\x8c\xa0\x15\xb9\x2e\x25\xf5\x07\x8d\xe3\x54\xfe\x32\xcc\x71\x21\x60\x9a\x07\x62\xe1\xb7\x3e\xfd\x89\x67\xa2\xfe\x23\x5e\x4d\x1e\xf9\xe5\xac\x88\xbc\x1e\xd7\x06\xa9\x84\x64\x1b\x06\x47\x0b\x22\x94\xd0\x45\xce\x7e\xba\x51\xc0\x72\x89\x38\xa2\xc6\xee\xb6\xd8\x57\x44\x29\xcc\x24\xbc\xb2\xa7\x84", 241); 
*(uint32_t*)0x20005544 = 0xf1; *(uint32_t*)0x20005548 = 0x40; *(uint32_t*)0x2000554c = 0x20005480; memcpy((void*)0x20005480, "\x62\x93\x5b\xfe\x26\xe9\xc9\xf2\xdc\x3c\x3e\x9d\xfb\x49\x18\x58\xef\xb5\x98\x36\x9b\xcc\xa5\x19\x23\x98\x9b\xa9\x43\xcf\x44\x7b\xaf\x56\x62\x5d\xf0\xf6\x85\xed\x2d\x03\x4b\x37\xc0\x75\x63\xf6\x68\x72\x8f\x6d\xc6\x83\x36\x09\xb1\x22\x19\x70\xe5\x50\x88\x86\x9d\x29\xc0\x1b\x2d\xd0\x5c\x48\x20\xb0\x80\x42\xb5\x07\x40\x08\xc9\x75\x77\x12\xc4\x80\xe2\x5d\x89\xb9\xc4\x8e\x95\x7e\x5b\x5c\x7b\x0b\xec\xcf\xb1\xfc\xcc\xed\xbc\xed\xc8\x38\x06\x03\x80\x75\xfc\x2a\x0f\x82\x28\xbe\xb4\x7f\x1f\xec\xe0\x9b\xdd\xcb\xbe\x00\x21\xab\xe9\xc3\xd1\x98\x36\x9b\x81\xb6\x7d\xbd\x6a\x7d\x33\x4b\x8d\x28\xb8\x02\xcc\x97\xd9\x34\xc1\x64\xe9\x7d\x9d\x7b\x70\xdc\x6c", 161); *(uint32_t*)0x20005550 = 0xa1; *(uint32_t*)0x20005554 = 0x1ff; memset((void*)0x20005580, 170, 5); *(uint8_t*)0x20005585 = 0x2c; *(uint8_t*)0x20005586 = 0x2c; memcpy((void*)0x20005587, ":&-]!", 5); *(uint8_t*)0x2000558c = 0x2c; memset((void*)0x2000558d, 125, 1); *(uint8_t*)0x2000558e = 0x2c; memcpy((void*)0x2000558f, ",-V", 3); *(uint8_t*)0x20005592 = 0x2c; memcpy((void*)0x20005593, "\\*})", 4); *(uint8_t*)0x20005597 = 0x2c; memcpy((void*)0x20005598, "*^\\^b", 5); *(uint8_t*)0x2000559d = 0x2c; memcpy((void*)0x2000559e, "appraise", 8); *(uint8_t*)0x200055a6 = 0x2c; memcpy((void*)0x200055a7, "fowner<", 7); sprintf((char*)0x200055ae, "%020llu", (long long)r[8]); *(uint8_t*)0x200055c2 = 0x2c; memcpy((void*)0x200055c3, "smackfshat", 10); *(uint8_t*)0x200055cd = 0x3d; memset((void*)0x200055ce, 170, 5); *(uint8_t*)0x200055d3 = 0x2c; memcpy((void*)0x200055d4, "obj_type", 8); *(uint8_t*)0x200055dc = 0x3d; memset((void*)0x200055dd, 170, 5); *(uint8_t*)0x200055e2 = 0x2c; memcpy((void*)0x200055e3, "dont_appraise", 13); *(uint8_t*)0x200055f0 = 0x2c; memcpy((void*)0x200055f1, "dont_measure", 12); *(uint8_t*)0x200055fd = 0x2c; memcpy((void*)0x200055fe, "fowner<", 7); sprintf((char*)0x20005605, "%020llu", (long 
long)r[9]); *(uint8_t*)0x20005619 = 0x2c; memcpy((void*)0x2000561a, "dont_appraise", 13); *(uint8_t*)0x20005627 = 0x2c; *(uint8_t*)0x20005628 = 0; syz_mount_image(0x20005300, 0x20005340, 0xfd, 2, 0x20005540, 0x8800, 0x20005580); break; case 36: memcpy((void*)0x20005640, "/dev/i2c-#\000", 11); syz_open_dev(0x20005640, 0x40, 0x300); break; case 37: memcpy((void*)0x20005680, "net/if_inet6\000", 13); syz_open_procfs(r[6], 0x20005680); break; case 38: syz_open_pts(r[19], 0x800); break; case 39: *(uint32_t*)0x20006c40 = 0x200056c0; memcpy((void*)0x200056c0, "\x46\x41\x06\x38\xb7\xa1\x28\xc1\x5c\x6c\xb2\x7d\x23\x35\x80\x6d\xa8\x7c\x0d\x49\x15\x42\x44\x52\xcf\x0b\xa9\xee\xe0\xa5\xd4\x9d\x63\x4f\x09\x0d\xf2\x6f\x35\xbb\x04\x33\xc1\x3a\x27\x0d\xcb\x44\xcf\xe9\xba\x62\xb5\xba\x38\xd4\xae\x3c\x65\xea\xd2\x72\x7f\x1d\x2a\x5f\x02\xda\xa2\x70\xce\xa6\xf4\xf6\x09\x02\xe2\xed\xa6\x54\xb1\x6e\xc6\x63\x5a\x1c\x6c\xd1\x5d\x6b\xd6\x34\x32\x14\xb8\x34\x22\xd1\xa1\x9b\x5d\xae\x43\x9b\x9f\xbc\x3d\xb5\xc2\x18\xd4\xb0\x8a\xcf\xc9\xfc\xdb\xe5\xd4\xe6\xa5\x12\x7a\xda\xdc\xe6\x10\xd8\x15\xe8\xc6\xd8\xad\xc7\x86\x89\xea\xae\x29\xd8\x1a\x20\x04\x0a\xee\xef\x4e\xe5\x5d\x77\x01\xea\x72\x5e\x91\xb7\x4f\x5b\x37\x81\x4b\xee\xd1\x18\x54\x99\x79\xc8\xa4\x0d\x0b\x29\x09\x77\xad\xa4\xd6\x58\x74\xc7\xdc\xca\x03\x0a\x9a\x15\x50\x9b\xc2\x7e\x6e\x87\xd5\x26\x91\x24\x37\xb8\x69\x04\xf7\x42\xc9\xc1\x3c\x1e\x00\xbc\x5e\x3e\x94\x3c\x14\x30\xd1\xcc\x01\x8f\x5a\x4d\xec\xf2\x46\x02\xdb\x5b\xf2\x28\x6e\x64\xce\x75\x1d\x8d\xf1\x6f\x28\x09\x34\xfb\x08\xb6\x19\xb2\xb5\xe9\x31\x19\x5a\xd2\xf7\xc8\x7a\xe9\x56\xc6\x4a\x2f\xda\xc4\xfd\x79\x16\x11\xac\xc2\xa8\x65\xd9\x94\xea\x90\xed\x15\x85\x81\xe8\x0d\x03\x86\xb1\x53\xf1\x9f\xab\x27\x81\xb7\x2d\x1d\xe0\x03\xb1\x87\xd2\xb1\x19\x53\x42\xb3\xa0\x03\xbf\x44\x83\xb4\xd8\x90\xab\x1b\x2f\x51\xe8\xd5\x8f\x0a\x5a\xd7\x8e\x0d\xf9\xd6\x29\xc2\x2c\x2a\x32\x4a\x98\x2e\x1f\xc2\x73\x8c\x36\x0d\xb3\xa8\xba\x5e\x55\xae\x5c\x9d\x58\xf1\xc2\xf6\xbe\xd0\xb6\xde\x5b\xb4\xee\x3b\x5f\x84\x2c\xee\
xf9\x1b\x20\x56\x54\x1f\xf5\x53\x12\xee\x90\xa2\xbd\x09\x97\x06\x6c\x37\xf3\xd8\x37\x78\x95\x92\x1b\x08\x02\x15\x89\x04\x9e\xd7\xb2\x3c\xeb\xaf\x9b\x41\xd0\x8e\x75\x90\x58\xa3\x45\x2c\xb9\xdf\x2a\xee\x1d\x2b\x90\xe5\x10\xba\x9b\xc9\x48\x40\x0a\x69\xaa\x13\x83\x3d\x1b\x4c\x44\x44\x51\x29\xe0\xaf\x50\x12\xfd\x6a\x53\x41\x81\xfb\x20\x42\x68\x26\xa4\xb3\x69\x4e\x4a\x51\x81\x19\x9d\xf1\xed\x31\xde\x36\xf2\xed\x49\x21\x18\x22\xad\x91\x5d\x3b\x71\xac\xae\xcf\xf3\xc8\x4d\x4e\x3b\xb1\x9f\xba\x32\x19\xe2\x61\x45\x73\x5f\xf7\x1d\xce\xee\xee\x7a\xa2\x47\x53\x9a\xd2\x73\x11\x13\xd3\xf3\x64\x42\x6b\xe9\x00\x6e\x6b\x0e\x35\x8b\x81\xd4\x07\x45\x49\xe0\x8e\xf2\x76\x13\xa3\x71\x5e\x5e\x89\xba\x0a\x71\xe3\x99\x52\x31\xe9\x9a\xac\x5e\x4e\xe7\x07\x8f\x59\xe3\xe7\xd4\xfa\xbe\xd2\x6e\x75\x07\x41\x1f\xbe\x4b\x03\x53\x10\x62\x78\xac\x69\xf3\xb9\x1e\xc6\x9f\xa5\x42\xeb\x7c\x96\x43\x94\x06\x2f\x65\xc6\x50\x19\x7f\xbe\x73\x3c\x22\x83\x26\x73\xd0\x66\xe4\xed\x40\x07\x3b\x28\x4e\xe4\xe5\x1b\x12\x59\x36\x7d\x4e\xb9\xe1\x72\x00\x7e\x6f\xb8\x0a\x0a\x6f\xe6\x2b\x3f\x3d\x5e\x5b\x68\xfe\x04\x7e\xa4\xd6\xfb\xfa\xa3\x0a\x00\xfc\x29\xbc\x58\xa3\x1c\xfb\x82\x12\xf2\xc4\x9c\x3a\x2e\x71\x1a\xe5\x02\xbd\x64\x7b\xd5\x6b\xb7\xcf\xc1\xd8\x4d\x14\x18\x27\xbe\x21\x1b\x5f\xfb\xed\x78\x6b\xfa\x13\x13\xd2\xae\xd5\x34\xf0\x00\x19\x36\x3a\xc1\x29\x61\x2c\xa2\x5c\x76\x3b\x07\x7f\x5a\x72\x4d\x61\xfc\x79\x74\xfa\x82\x4b\xad\xc1\x40\x06\xf2\xfe\xbf\xb1\xe3\x5a\x3d\xd7\x2e\x82\x33\x4a\x26\x37\x56\xff\x42\x04\x68\x0c\xba\x1c\x03\xc5\x5e\x09\xdf\xfb\x5a\x58\xe4\xc5\x5b\x5b\xd7\xa7\x0e\xe8\x52\x59\x29\xa0\xee\x9f\x90\x91\xe3\x4b\xb8\xd2\xf0\xaf\x6d\x2a\x26\x70\xc5\x91\x18\x6b\xee\x6c\xed\xda\xb8\xe1\xfe\x8d\x4b\xe3\x97\xa5\x45\xc4\x83\xfd\x68\x4c\xd8\x12\xdf\x5e\x31\x2a\xb5\xf4\x81\x2b\x47\x84\xef\xae\xf1\xc3\xdb\xe7\x90\x94\xfb\xab\xd6\xca\x5f\x0a\x45\x46\x23\x96\xf8\x18\xa5\xc7\xbf\x61\xc8\xc3\xf4\x33\x66\xc1\x26\x5f\x46\x38\xd1\xdc\x7b\xde\x11\x46\x10\x35\xc7\xaf\x77\xe6\x84\x4c\x5d\x47\xbc\x18\x97\xdf\xab\xec\x76\x87\xed\
x25\x79\x4a\x71\xa3\xaa\x2b\xe1\x66\x57\x19\xe7\xea\xf6\x49\xbf\xaf\xfc\xea\x24\x92\xd4\x3b\xca\x7f\x03\x04\x21\x0c\xfc\xa9\x1a\x0d\xad\xf6\x6b\x7c\x3c\x6b\xaf\x8c\x50\x55\xef\x4f\x3c\x56\xaa\x03\xbb\x6e\x40\x0d\x7c\xac\xa6\x9e\x42\x43\xac\x71\xc9\x39\xcc\xf2\x73\x10\xb7\x3b\xa5\x98\x97\xe2\x02\x0c\x71\x7c\x33\xdb\x9a\x4a\x58\x29\x12\xa3\xa8\xd7\xc0\xa8\x70\xb1\x2a\x9f\x98\x2a\xaf\xd0\xcf\x15\x95\x75\x18\x9d\x8c\x26\x88\x64\x34\x22\x9f\xb0\xc7\x6c\x56\x50\x8b\x63\x8a\x25\x09\xb6\x58\x47\x72\x2a\xf1\x97\xe9\x5c\xf0\xcf\xf2\x36\x84\x48\xd4\x2a\xd6\x2d\xb2\x7f\xf0\x17\xa7\xfb\xed\x92\x3b\xef\x62\x83\x40\x87\x12\xc3\xf0\x4a\x79\x03\x38\xf4\xf8\x0c\xf4\xf3\xe9\x2f\xaa\xfa\x3b\xf6\xcf\xf5\xed\x3c\xf3\xb1\x7b\x50\x50\x75\xe1\x2b\x69\x58\xbf\x2e\x5c\xb4\x02\x41\xf6\x72\x87\x4a\x0f\x94\x0f\xd5\x7e\x82\xe9\xca\xff\x11\x3d\x67\x1d\xa2\x3d\xa3\x43\x6a\x31\x80\x0c\x2d\x34\x87\x96\x5f\x87\xc3\xf8\x25\x06\x10\xaa\xff\x78\x3d\x78\x59\x5e\x19\x26\xb7\x7e\x97\xb2\xe3\xad\x09\x08\x7a\xf9\x19\xac\xe3\xf0\x4f\xd2\x75\x88\x7b\x1f\xc8\x1e\xe2\xf5\xba\xd8\xde\x1c\xc3\x5e\xe0\xc0\x3a\xde\xed\x9a\x91\x97\xd7\xa8\xfa\x5d\xb5\x9d\xc5\x00\xa9\x4b\xd1\x84\xa2\xa8\x0d\x97\x04\x79\x7e\x76\xbc\x0f\xc4\x3e\xd5\x72\x96\x14\x3d\xc9\xd8\x58\xb1\x4a\x7b\xdf\xb4\x18\x19\x7f\x09\x74\xb6\xee\xe2\x99\x95\x80\x51\xb1\xd4\x14\xab\x12\x6c\xef\x5b\xc3\x6a\xe4\x05\x5c\x4f\x19\xe7\xe0\x1d\x20\x92\xd9\x9f\x1d\x2a\x5a\x56\x61\x4f\xed\xf4\x81\xd5\x78\xcb\x85\x1a\xd7\x3e\x18\x29\xbc\x35\x0f\x7e\x56\xee\x0d\x2e\x71\xfe\x73\x1c\x1b\x30\xfd\x84\x5f\xd8\x2c\xa0\xac\xf0\x29\xaf\xf4\xa7\x5e\x0d\x38\xfb\x7a\xf5\x82\xa1\x9c\x0c\x7d\xeb\x19\x54\x4b\xc7\xa1\x3c\x18\x96\x03\x24\x41\xcb\xa6\xae\x39\xc3\x5a\xe8\x80\xb4\x5a\x5c\x97\x54\x5a\xc0\x99\x24\x3a\x79\x1c\x6f\x2e\xb9\x35\x56\x20\x8b\x8b\x20\x35\x42\x75\x2a\x67\x3b\x9d\xf0\x2b\xf0\x4a\xd3\xc1\x8e\xec\xaa\x5e\xb2\x2d\x1b\x65\xe5\x9c\x34\x49\xb5\xcc\x42\xdf\x35\x0d\xd4\x82\x2b\xcf\x67\x1d\xf7\x84\x20\x68\x9c\xac\x22\x65\x8c\xd9\xf0\xf3\x90\xe2\x6e\x07\x96\xac\x4b\x7f\x30\xb1\
x98\x9f\x09\xcf\x5b\xa5\x16\xeb\x16\x67\xec\xc1\xd8\x53\x73\x9a\x20\xe5\xe7\x85\x99\xbd\xa8\x30\xd0\x02\xd4\x5e\xb6\x6d\x63\xa7\x78\xb8\x41\x2a\xf5\xd6\x3e\x3e\xf2\x64\x94\xe2\x1b\xbc\xde\x5b\x97\xa9\x4f\x79\x78\xac\x90\x3d\x46\x7c\x5b\x6d\x07\x17\xdc\x4a\x9d\x14\x6e\xd4\xb5\x8b\xfe\x37\x3a\x59\x08\x70\x2f\x99\x7f\x10\x90\xb4\xb1\x90\x93\xf8\x90\x50\x85\xec\xb6\x91\x10\x7b\x05\x9e\x0e\x1c\xd0\xc4\xa9\x4c\x9a\x47\x3a\xf2\xd1\x2b\xd5\x99\x8a\x8b\x8b\x48\x02\xf9\x31\xb9\x05\x15\x51\x9f\x20\xfe\xea\xde\xa5\x68\x4c\x06\x4f\x9a\xdb\x42\x39\x35\xb8\xde\x29\x8b\x03\xe5\x79\xab\xad\x6a\x23\xa8\x6c\x86\xed\xd3\x9c\x2e\xd6\xa4\x68\x5e\x69\xbc\x71\x54\x05\xab\x7a\x3f\x27\x66\x4b\xdb\x68\xfe\xf1\xfc\xd0\x90\xf0\x60\x38\x1f\x1a\xa3\x74\xa0\x74\xa6\x40\xf9\x91\xec\x6d\x8b\x28\x8b\x1b\x05\x07\x06\x85\x60\x31\x4f\xe9\x4a\xeb\x85\xc4\x2f\x4d\xf3\xad\xb2\x14\x85\x69\x65\x15\xda\x2f\xa7\xf4\x41\xb7\x53\xd5\xf8\xca\x45\x45\xf2\xd1\xdc\x1e\xb3\x4e\x41\x8c\x04\x3b\xeb\x51\x8b\xb3\x5f\xe3\x02\x35\xaa\xbf\x7e\xc5\xf3\x71\xb3\xa4\x8c\x0e\xa6\xa6\x13\xeb\xb4\xe4\xda\x5b\x71\x40\x8a\xa5\x57\x74\x23\x9a\xc7\x49\x03\x0a\x52\x74\x0c\xd8\x53\x5b\x9e\x3d\x28\xa4\xe8\x7b\x4c\x4f\x40\x44\xc8\x19\x5c\x32\x11\xf9\x47\xe5\x00\x7d\xf7\xb6\x4e\x37\xc4\x14\xbf\xd5\x4f\x7b\x59\x82\x37\x20\xbe\x00\x49\x8c\x18\xb5\x7d\xad\x00\x43\xf0\xc5\x0a\x75\x81\x74\x18\xc1\xdb\xc3\xdb\x8d\xc7\x33\xce\xb2\xb5\xb6\xd2\x0b\xec\x1e\x38\xa2\xf9\x09\xaa\x61\x94\x80\xe2\xca\x05\xd9\x00\x0b\x7e\xaf\xf3\x70\xc0\x77\xed\x38\x94\x22\x89\x0d\xd4\x26\x27\x8c\x63\xc2\xac\x42\x85\xe8\x40\xe6\xc7\xf9\xda\x04\xd6\x9a\xf4\x48\x2d\x96\xee\x58\x24\xde\x09\x16\x14\xd8\xb1\xb4\xcf\x49\xf5\xa7\x01\xe4\xb4\x2f\xf5\x8a\x62\x82\x3c\x27\x76\xfb\xa4\xc2\x7e\xc8\x6c\x24\xba\x10\x3e\xd0\x1c\x66\x72\x9a\xd6\x02\x92\x4a\x51\x37\xb7\x18\xd8\xdd\xee\xb0\x83\x39\xd8\x3c\x45\xfe\xca\x01\xc3\x93\x35\x7a\x67\x64\x38\x11\x43\x63\x59\x1d\x31\xc2\xba\x6f\xaf\xa5\xd8\x57\x1a\xf7\xc3\xa3\x69\x0f\xde\xb0\x99\xe4\x41\x92\xb5\x87\x1f\xd0\xa3\x36\x5f\xb2\xe2\x30\xc6\
xc0\x3a\x74\x73\x78\x2b\x30\x3a\x5b\xe1\x4f\x03\x8d\x8e\xa3\x4a\x63\x08\x43\x00\x51\x6e\xb7\x88\x4e\x59\x33\x58\xe6\x6b\x3d\xfb\x6d\xac\x4d\x08\x15\xd5\x8d\xaf\xb8\x5e\x8c\xca\x44\x26\x53\x6a\x38\x4d\xc8\x9f\x74\x13\xf1\x4c\xc9\x2e\x73\x77\xa9\x09\x38\xf9\x9e\xf7\xf5\x35\xc2\x18\xae\x2e\x90\x9a\xcd\xbf\xd7\xeb\x5b\x0b\x47\x40\x8e\x3d\x6d\x73\xdd\xa3\x9f\xbd\x6b\x23\xaf\x18\xf1\xa6\x70\x3e\xe3\xb1\xf7\x5b\xb7\xc0\x00\xa4\xca\x5a\x7b\xcc\xaa\xe8\x6c\x4a\xba\xc8\x1d\xa2\x93\xe4\x3f\x91\xd2\xc3\xdf\xf1\x2f\xfa\x52\x29\x13\x9a\x08\xae\x5f\xc2\xec\x13\x9b\xe9\x78\xb8\x18\x2d\x6a\x60\xc7\xff\x39\xbb\x0a\xa8\x20\xa1\x07\xd9\x2e\x38\xb9\x5e\x74\x8a\x18\x4b\x53\xf5\x62\x4f\x45\x72\x39\xf6\x38\x4d\xdd\xcb\x9f\xd7\xe8\xef\x29\x52\x65\xd7\x9b\x64\xc5\xc0\xa9\x3b\xf2\x16\x35\xb8\xc6\x80\x90\x78\x10\xd8\xe7\x2a\x58\x1e\x5a\xa0\xe0\x0f\xbf\x35\x1e\x3c\x84\x1c\x7d\x0c\x51\xa2\x63\x68\x37\xb2\x7c\x6a\x91\x42\x5b\x50\x6a\x22\xc2\x7d\x14\x20\xd0\xb1\x3e\x60\xde\x3e\x9c\x56\x66\x7a\x98\x98\x3b\xa9\xbd\xd1\xc5\xa5\x2d\xc6\x12\x7b\x65\x9e\x6d\x80\x70\x69\x59\xf0\x7d\x3a\x5f\xa8\xb3\xb8\x8e\xab\x05\xe7\xa0\xc0\x4e\xe1\x2a\x21\x37\x2c\x71\x3f\x64\xc6\xad\xbe\xed\xd7\xa8\xb7\xa6\x92\x67\x49\x75\xbb\xe5\x5c\xe4\x02\x71\x44\x02\xf2\x0c\x7f\x57\xff\x1f\x79\x35\x7d\x8e\xda\xbe\xf1\xd8\x68\xf0\xa2\xb3\xdd\x7a\xa3\xbb\xe5\x8e\x80\x81\x49\x70\x73\x4f\x7d\xec\x70\xd3\x14\xe8\x11\x59\x3a\x32\xcc\x86\x1f\x4a\x8a\x4b\x3f\x0d\x7c\xeb\x4e\xbb\x32\x66\x4f\x56\x44\x49\x7a\xc9\x56\x2c\xdd\x5a\x54\x19\x3f\x22\x38\xe6\x5c\x18\x74\xc8\x64\x21\xc5\xcf\xb4\x3a\xe1\x56\x93\x1c\x78\x40\xd1\x0d\xe4\x7a\x4d\x0f\x2f\x31\x74\xc3\x6c\x86\x45\xac\x02\xf5\x44\xc3\x69\x0b\x51\x37\xaf\x7d\x2c\xed\x3f\xb0\x43\x59\xbb\xf2\x2b\x67\x20\xea\x94\xf2\xe3\xb5\x67\x5f\xb7\x7a\xde\x56\xc9\x77\xd6\x68\x06\x4e\xfd\xd1\xc6\x15\x11\x9a\x52\x8c\x9e\xc1\x35\x3e\x84\x10\x3e\x5d\xce\x6a\x0b\xd0\x73\xf9\xff\xbe\xa0\x81\x9c\xf6\xc0\xcc\x58\xea\xd0\x0c\x92\x34\x02\x98\xcc\x09\x45\x64\x11\x7f\x3f\xb8\x94\x27\x4c\xa9\x1d\x79\x76\x45\x96\x19\xf5\
x44\xb2\x50\x58\x6c\x6d\x44\xaf\xba\x55\x74\xb7\xef\x51\x26\xb0\x70\x40\x9a\x1f\x5e\xed\xc6\x50\x07\xb0\x03\x39\xf1\x60\x42\x2f\xff\x38\xd6\x7e\xaa\x8d\x78\x2f\xc4\x19\x2a\x29\x81\x08\x79\xeb\x12\x85\x99\x42\xfa\x14\x1a\x21\xc3\x9d\x9e\xea\x03\xeb\xa1\xaa\x7b\x3a\xc7\xe2\xb1\xda\xf4\xf6\x9f\x47\x5b\x8e\x75\xc5\xac\x7c\x2e\xfd\xd7\x77\x93\x2d\x40\x31\x43\xcd\xd0\x89\x02\xd5\xe3\x45\x93\x01\xc2\x8c\x88\xc4\xdf\x34\x2c\xa1\x39\x10\xb7\x60\xe3\x4c\x40\x19\x4b\xb5\x1b\x82\xcf\x14\xad\xee\xd5\xae\x47\x51\x7d\x3c\xbc\x73\xbb\xb5\xa8\x89\x9c\x30\xe6\x06\x51\x99\x89\xa8\x5d\x2e\x15\xb0\xe8\x9e\xbb\xa4\x3f\x0c\x8a\x75\x2f\x07\x01\x03\x80\xca\xa7\x0d\xc4\x09\xff\x80\x5c\x24\x57\x48\x29\xd0\x6b\xb9\xa1\x49\x5d\x5a\x30\x85\xdf\x90\x29\xe2\x3d\x92\xbb\xc4\x6d\x7c\x7c\x1d\xb7\x36\x5e\x92\xe8\xd2\x44\x9a\xad\xe3\x89\x26\xa6\x43\x68\x72\x3a\x0e\x8a\x77\x7b\x32\x61\xc9\xc9\x7b\xae\x82\x5b\x55\x1b\xa9\x40\x55\x1a\x7e\x15\xe3\x01\x3d\xc0\x9a\x05\x22\x9d\x0c\x9a\xc6\x4e\xe1\x5e\xe3\xd4\x67\x42\x62\x89\x24\xc0\x9e\x63\x60\xcc\x43\x00\x6f\xb9\xa0\xe1\xc0\x6e\x55\x84\x63\x7c\xee\x00\x5e\xe2\x6c\xeb\xa7\x02\x95\xcb\xa5\x63\x7d\xfc\x98\x21\x14\x8e\xd7\x41\x50\x03\xd5\x18\x36\x84\x23\xae\x70\x8c\xfa\xc6\x38\xf2\xb8\xe1\xd3\xa7\x10\x11\xbd\xa8\x03\xac\xd2\xcf\xa4\x29\xea\x5f\xa0\x45\xfe\x07\x8f\x91\xeb\xe4\x5e\x7d\x51\xd4\x3f\x08\x30\x2d\x5f\x3b\x0c\xcc\x3e\xb7\xdc\x03\x81\x8b\x33\x56\x7e\x86\xf8\xe5\xdc\x40\x45\x15\x69\xa7\x95\x48\x58\xd2\x6d\xf8\x55\x49\x35\x27\x6f\x56\x54\xaf\xec\xf2\x40\xc7\xe8\x6c\x92\xec\xba\x4d\x3f\xf7\x58\x21\x31\x2d\x6a\x3b\x82\xe1\x8c\xc2\x34\xda\x5b\xac\xc2\x86\xef\x09\x24\xce\x23\xbd\x30\x70\x8d\xe5\x81\x32\x57\x4b\x54\x8c\x96\x28\xb5\x2d\x34\x29\x1d\x1c\x4a\x7f\xfd\xfe\x63\xde\x1f\xa9\xb5\xe0\xfa\x6e\x62\xf3\x52\x8a\x80\xc9\xcc\x97\xa7\xc5\x15\x40\x3f\xce\x89\x5a\xb7\x95\x63\x52\x66\xaf\x74\x6d\x89\xd2\xc9\x40\x58\xca\x38\x50\x1d\x86\xb4\xd6\x32\x4d\x0d\xf0\xd9\xc1\xe4\x7b\xbf\x83\x8b\xaa\x20\x6a\xa2\xec\x43\x97\x82\x8e\x99\x2f\xe9\x63\xb2\xe8\x37\x22\x80\x26\x27\
x62\x90\x30\x10\x6c\xf2\x0e\xc9\x8e\x24\x51\x47\xc9\x44\x26\x21\x4d\xdf\xb9\x79\x12\x06\x51\xad\xde\x14\xa4\x25\xfe\xf2\x9a\x20\xc0\xcc\x54\x60\x39\x3a\xcb\xdb\xa5\x7b\x3c\x38\x36\x62\x7e\x6a\x9c\x19\xa2\x34\x43\x12\xa9\xbc\x66\x1b\x76\x02\x85\x41\x5a\x28\x74\xe2\xf2\x18\x7b\x5c\x6d\xbf\x38\xb0\x59\x63\x6f\x9e\xd1\xde\x16\x92\xd3\xb8\x65\x04\xa7\xc1\xb6\x68\xe5\xaa\x0f\x87\xcf\x49\x7f\x0c\xab\x26\x6e\x4d\xb6\x4e\xc6\x46\x55\x80\xbe\x1d\x97\x24\x49\x47\x30\x46\x88\xcb\x35\x76\x49\x0b\x8d\xb0\x86\xb0\x89\x05\x82\x0e\xa9\xd9\x1d\xfc\x8f\x3b\x96\x6a\x9e\x56\x8d\x85\x6a\x9c\xce\x3f\x17\x31\xac\x16\xe4\xcf\x48\x71\x43\x34\xb6\xc7\xac\x35\x97\xfc\xae\x85\xd1\x79\x46\xb0\xae\x28\x99\x84\x5e\x96\x06\x6e\x0a\x64\x83\x85\xc9\x8e\xe5\xc1\x19\x39\x13\x56\xb2\x04\xac\xbd\x4a\x5c\x7c\xc2\xcb\xce\xec\xe0\xf5\x8d\xfb\x73\xfc\x30\xef\x7c\x17\x69\xb4\xf5\x6e\xd1\xb7\x7d\x76\x24\x8b\x0e\xa2\xa6\x6d\xb0\xe5\x21\x7b\x5d\x62\x42\x37\x19\x1a\xbe\x94\x86\xac\x0b\xd3\x2e\x3e\x73\x62\x33\x14\x41\x73\x4a\x8d\xd9\xed\x98\x3b\x92\xbf\x26\x47\x2c\x50\x21\xf8\xbe\xa1\x31\xec\xe4\x7c\x8f\x45\xe6\x8a\x25\xa8\xbe\xb4\x88\x58\x95\xc2\x79\x82\x30\x6d\xaf\xa1\xfa\xc9\x05\xb2\x76\xc2\xf6\x0c\xcd\xca\xbe\x2a\x5b\x32\x5b\x5c\x5d\x84\x82\xf3\x05\x66\x02\x44\xc3\x61\x71\x1f\x0e\xed\x77\x46\xc0\xda\xf9\x9d\xfd\xe3\x6c\xaf\xf2\x94\x05\x11\x82\xc5\xb6\x58\x9f\xc0\x70\x0b\x75\x1f\xb2\xb3\x80\x7f\x0b\xcb\xd2\x77\xa8\x44\xce\x82\xa5\x45\x58\xf5\x5c\xdd\x25\xa3\x0b\x22\x83\xab\xe5\x19\xc8\x27\xb1\x0a\xed\x61\x2f\x8a\xea\x3c\xb7\xac\xa8\xb3\x40\x28\xc0\xb3\x63\xc9\xac\xc5\x2d\xde\xa9\xe0\xc3\x4e\x8a\x5c\x90\x86\x9f\xe6\x0d\x28\x30\x7e\x35\xd3\xe4\x35\x82\xf3\x77\x3d\x46\x66\x9e\x43\x13\xa0\x7b\x12\xe7\xd6\xd5\x01\x43\x6f\x8e\x6f\x4b\xc3\x47\xb2\x91\x94\x14\x4d\x82\xc5\xda\xa9\x73\x0f\xea\x34\x66\xc3\x16\x72\x09\xf0\x96\x97\xda\x03\x4f\x86\xca\x9e\x5a\x7e\x28\xc0\x59\x99\xf4\x16\x1d\xca\x75\x18\x14\x04\x13\x50\x4b\xe2\xaa\x60\xef\x71\xb6\x64\x84\xfc\xa1\xb0\xbb\x11\xaf\xd5\x97\x55\xb9\x78\xdd\x29\x4e\x3d\xa8\x56\x55\
xb9\x0f\x05\xbe\x08\x23\xe2\x62\xaa\x69\x3c\x43\xbc\x23\xf4\x94\x8a\x60\x96\xff\xe1\xb5\x8e\x1b\xcd\x65\xb0\xdb\x70\xc6\x2a\x4f\x85\xd7\xdd\x4b\xe6\xcd\xdf\xea\xf1\x38\x38\x14\xa6\x72\x8b\x4c\x30\x1e\xab\x03\xb9\x50\xba\xc8\x67\x37\x5d\x1b\x6c\x61\xeb\x2f\x7f\xde\x96\x0b\x16\xf5\x94\x83\x79\xe2\x11\x5a\xb5\x40\x13\x56\xdb\x05\xa7\xdc\x30\xa2\x99\x98\x97\xb1\x63\xc7\x3d\x34\x80\x71\x06\xdf\xdc\xf7\xb7\xf9\xb9\xe7\x37\x7f\xc7\x22\x00\x3c\x86\x8c\xa5\xc1\x4a\x0e\x2f\x1d\x19\x40\xec\x6a\xef\xcf\x85\xfe\xd2\x07\x62\x2e\xd3\x81\x20\xc6\xa8\xaa\xd7\xb4\xe9\xe8\x7d\x5e\x4e\x9a\x6a\x55\xc6\xe1\x32\xe9\xe1\xe9\xa3\xa6\x2b\x4f\x7c\x6c\xe0\x09\x3f\x88\x65\x47\xdf\xc4\x8d\xe1\xd2\xe0\xc8\x5b\xf0\x1b\x49\xf9\x92\x41\xa3\x6d\x32\x4c\xdb\xad\xe5\x37\x7d\x5a\xa5\x73\x33\x77\xec\x7e\x97\xb7\xac\x54\x38\x7f\xd2\x93\x91\x31\x9d\x3f\x3b\xbc\xd0\x7b\x28\x70\xb9\x64\x6b\xf2\x83\x5b\x3a\xbb\x51\x21\xdc\x20\xa6\x38\xc6\xd0\xd6\x2b\x0a\x05\xd9\x4a\x5f\x1c\x03\xbf\xf6\xe8\x71\xa8\x4f\x9a\x7d\xef\xa1\x6f\x30\xcb\x8b\x3f\xf5\x7c\xb5\xa9\xb8\x95\x8b\x59\x21\x19\xcb\x0c\x80\x25\x13\xc1\x4a\xec\x2d\x27\xcf\xff\xbf\xb4\xe6\xa2\xa8\x40\xf8\xb0\xd7\x46\xa8\x3f\xa8\xbd\x22\x70\x21\xb0\x38\xf5\x0c\x41\x1f\x79\x22\xfb\x38\xec\x89\xf5\x1d\x71\xb7\xd3\xd9\xe2\x41\xdb\x1b\xe1\xb4\x50\x7e\x5b\x68\xfa\x1e\xe8\x9c\x21\x27\x44\x5e\x5d\x6e\xd4\xe7\x43\x3d\xe7\xbf\x4d\x72\xb7\xf7\xb1\xc9\xaa\x7c\x40\x8e\x4c\x10\x50\xce\x17\x74\x27\x98\x4f\x50\x35\xb5\x1e\x3a\xd5\x2b\x56\xd8\xaa\xf3\x8e\x56\x79\x30\xa7\x11\xc8\xdc\x34\x88\xff\xcd\xc1\xa5\x6f\xe1\xb4\xc5\xdf\x22\x67\x3b\xcc\x3e\x9c\xcd\xbb\x3a\xb6\x70\xa2\x45\x47\xf5\xde\xd4\x2d\xec\xfd\xdd\x52\x21\x04\x07\x5c\x37\xdd\xed\xe4\x60\x92\x5d\xcb\xc6\xe5\xef\x20\x60\x28\xaa\x7e\xa0\xc8\x4d\x60\xd9\x90\xfc\xd4\x8d\x76\xc9\xa4\x7b\xe6\x81\x92\x50\xd4\xd1\x0f\xce\xfc\x7a\x12\x4c\x6f\x3f\xaa\xf5\x1f\x7b\x67\xdc\xc2\xb3\x9a\xcf\x11\x9c\x8f\x89\xb9\x3b\x58\x39\x52\x47\xfa\x45\x9c\x1f\xfe\x6f\xc5\xa7\x0c\x32\xd5\x19\x6d\xa5\x93\xb3\x36\xbe\x04\x67\x16\x4e\xbb\xc9\x86\xfc\x14\
x5b\x32\xbb\x91\xa4\xc0\x58\x88\x4c\x82\xf5\xca\xcd\xa6\x2a\x43\x12\xbb\x35\x07\x0e\x74\xde\x2b\xba\x07\x64\x8b\x7e\xb9\xd9\xfa\xe8\x91\x64\x8f\x54\x32\xb6\xa7\xd5\x98\x6e\xf2\x02\x78\x72\xcf\x9e\x1a\x08\x6c\x57\x6a\xba\xc8\xdc\x40\x1a\xab\x0d\xa9\x3a\xbf\x0a\xb7\x1e\xcd\x9b\xb9\x6e\x39\x18\x03\x62\xa1\x0a\x21\x85\x07\x1e\xbb\x8c\xa2\xca\x8d\x97\x19\xd4\x7b\xfc\x18\xb6\x2f\x97\x71\xb9\x7d\xfe\xd7\x3b\x98\x23\x25\xeb\x94\x3d\x78\x5c\x78\x75\x00\xd5\xac\x0d\x26\xa9\xca\x90\xcc\x73\xc2\xac\xfe\x87\x2f\x4e\x32\xeb\x44\x39\x08\x3b\xdb\x32\x49\x70\x1d\xdd\xdb\x50\x0d\xf3\xf8\x96\xbb\x1f\x7a\x37\x06\xd6\x4b\xe1\x6d\x00\xf6\xfd\xcd\x6b\xf4\x1d\xf8\x65\x35\xf2\x98\xd2\xdd\x04\x31\x77\x74\xbd\x6b\x39\x03\xf3\x71\xd5\x9b\xe7\x19\xb7\xec\x1d\x00\x3b\x3c\x97\x05\xa8\xf7\x88\x89\xb8\xf7\xda\x0d\x46\xde\xfd\xce\xd2\xdf\x70\xd8\xcb\x45\x70\x82\x8b\xb2\x65\x49\xb5\x50\x11\x58\x9c\x73\xbe\xc4\x20\x7c\x8d\x59\xeb\xe1\x89\x6b\x37\x61\xc1\x85\xa1\x32", 4096); *(uint32_t*)0x20006c44 = 0x1000; *(uint32_t*)0x20006c48 = 0x8001; *(uint32_t*)0x20006c4c = 0x200066c0; memcpy((void*)0x200066c0, "\x31\xe3\xc3\xfa\x6d\x99", 6); *(uint32_t*)0x20006c50 = 6; *(uint32_t*)0x20006c54 = 0x3ff; *(uint32_t*)0x20006c58 = 0x20006700; memcpy((void*)0x20006700, "\x39\xde\x86\x3b\x71\x48\x20\x8e\x43\x2f\xcd\xdb\xd9\xe9\x14\x8e\x71\x6c\x1b\x48\xa3\x96\x7c\x87\x0c\x70\x14\x5d\x90\xed\x68\x1b\x3f\x8b\xce\x84\x9f\xee\x7f\x50\x09\x15\x70\x85\x4e\x20\x10\x37\x23\xe5\x64\x54\xe7\x11\x54\x3f\x6e\x2b\xe9\x2c\x34\x09\x0d\x8c\xc7\x92\x26\x0b\xe9\xb9\x60\xc1\xe4", 73); *(uint32_t*)0x20006c5c = 0x49; *(uint32_t*)0x20006c60 = 9; *(uint32_t*)0x20006c64 = 0x20006780; memcpy((void*)0x20006780, 
"\x17\xfa\xd5\x71\xf8\x0f\xec\xd3\x4a\x59\xbc\x03\xf6\xc0\x2b\xbd\x6d\x56\xcd\x8d\x95\x89\x24\xb4\xae\x41\x89\xb8\x8b\x85\x89\x7e\xfd\x4e\x59\x6e\x11\x18\xbb\x0c\x77\x1c\x2c\x5b\xa3\x7d\xed\x06\xd7\x81\x11\x39\x0c\x1c\x80\xcf\x6e\xa9\xdf\x87\x27\xf8\x85\x59\x81\x5e\xd7\x6b\x36\xfa\x13\xfb\x4d\x08\xe1\xcc\xda\xd7\x97\x3b\x5b\xec\x56\x55\xa7\x4a\x67\x1f\xde\x99\xee\x92\x39\x7c\x56\xd4\x09\xda\xdb\x10\xc4\xc3\x7e\xe9\x2c\xb4\x1d\x03\xae\x6f\xb1\x64\xe7\xf8\x69\x85\x03\x91\x28\xd3\x8b\xe8\x3b\x5e\x16\xc3\x5e\xe3\x4e\xb2\xb8\x39\x6c\x53\x48\x02\x87\x81\xa0\xa8\x79\xf8\x81\x59\x74\x0a\xb8\x97\x05\xd6\x37\xbe\xda\xfa\x91\x5f\x19\x5a\x15\x25\x97\xfa\x0d\x7d\xa9\xb7\x64\x76\x60\x2c\x6e\xee\xfc\xa1\xe8\x0a\x6d\x3d\x0e\xd1\xa7\x5b\x00\xf7\xa5\xe1\x53\xdd\x85\x1e\x23\x01\xc8\xda\xa7\xd4\x9b\x4a\xd9\x1c\x62\xd1\xa6\x96\x7f\x54\xcf\x96\x21\xc2\x40\xed\x58\x71\x92\xf6\x99\x59\xe0\x54\x07\x85\x0c\xe3\x83\x1c\x4e\x81\x1e\x6f\xff\x1c\xdf\x93\xcf\xab\xde\x88\x73\x58\x31\x68\x81\x84\x53\x56\xd7", 247); *(uint32_t*)0x20006c68 = 0xf7; *(uint32_t*)0x20006c6c = 0x26; *(uint32_t*)0x20006c70 = 0x20006880; memcpy((void*)0x20006880, "\xc2\x86\x96\x8e\x22\x38\x74\x2a\x47\xe0\xe8\xd4\x44\xa6\xa6\x61\xb7\x70\x82\x22\xf4\xed\xda\xb9\x7a\x74\x9d\xce\xbe\x2c\xc8\x3a\x31\x4b\x82\x87\x95\xf9\x15\xa3\x6d\x87\x3b\x71\x4a\xef\x15\xdd\xb1\xb4\xf6\x2f\x06\x80\x0b\xbe\x85\xea\xeb\xcb\x76\xab\xe9\x44\x71\x92\x49\xee\x79\x27\xc8\x8e\x78\xa9\x68\xe9\x3f\x45\xc5\x20\x13\xef\x97\xef\x6f\x98\x9b\x1d\x1c\xd3\x0f\xff\x88\x67\x79\x62\xc8\xf3\x05\x2a\xd0\xa4\x63\x1e\x4e\x75\x0b\xa8\x0f\x37\x53\x91\x6c\x2d\xff\xc6\xa4\x02\x3c\xdb\x62\xa1\xb5\xf2\xaf\xbb\x96\x5b\x2f\x78\xc5\xdd\x47\xaf\x90\xb0\x02\xda\x1a\x26\xa2\x4f\xcb\x99\xbf\x81\xfb\x29\x57\x4a\x2f\x98\x10\x7a\x79\x37\x63\x98\x73\xb9\x5f\x4a\x56\x9a\x04\x06\xcc\x35\x8b\x46\xef\xae\x58\x7e\x90\x08\xbe\x69\xd7\x11\xae\x20\x2c\x22\xe2\x9a\x2f\x61\x5f\xd2\x3d\xcf", 192); *(uint32_t*)0x20006c74 = 0xc0; *(uint32_t*)0x20006c78 = 0; *(uint32_t*)0x20006c7c = 0x20006940; 
memcpy((void*)0x20006940, "\x97\xfc\x4d\xd9\xdb\x67\x3e\x16\xfd\x0f\x0e\xb9\xa4\xa2\x6e\x2a\x49\xf4\x2e\x16\x16\x19\x0b\x06\x34\xdf\xd6\x13\x51\x45\xf4\xe4\x51\xbb\xba\xd5\x6d\xad\xf2\x66\x96\x4e\xba\x7d\x10\x07\xc0\xa2\x3f\x8c\xf0\x3d\x4f\x8f\xe0\x9a\x79\x89\x15\x2b\x7c\xf2\xec\x30\xf2\x69\x3a\x06\xbe\xfd\xf0\x23\xd7\x9f\x48\xc2\x08\xd7\x42\xc7\xb7\x59\x15\xbc\xc1\xbe\x58\x35\x17\xce\xd3\xb8\x26\xb9\x70\x75\xe6\x2a\x8e\xd1\x2d\xbb\x26\x48\x07\xc6\xff\xd0\x22\x76\x14\x49\x1f\xb9\xde\x0d\x8a\x92\x5a\x26\x38\xc3\x16\x08\xde\x40\x5b\xbf\x79\xe9\x6f\x17\x1f\xd5\x83\x38\xb1\xd6\x97\x9d\x33\xa7\xda\xe8\xad\x62\xf2\xba\x53\xfe\xfc\x3c", 152); *(uint32_t*)0x20006c80 = 0x98; *(uint32_t*)0x20006c84 = 0x20; *(uint32_t*)0x20006c88 = 0x20006a00; memcpy((void*)0x20006a00, "\x77\xd8\xd6\x06\xbf\xb4\x24\xe7\xb9\x95\x80\x9a\xb4\xf5\x59\x11\x5f\xd8\x2e\x97\x2d\x98\xb6\x51\xdf\xc6\x9b\x10\xdf\x60\x0f\xb4\xf7\x8e\xfd\x58\x6f\x9c\xc2\x6e\xdc\x41\xb1\xd2\xfa\xc8\x7e\xfe\x59\xe2\x62\x41\x1f\x27\xa9\x4c\xf7\x96\xed\x31\x23\x6b\x45\x7c\xa0\xf1\x47\x53\x0e\xfb\xd4\xcf\xa6\xb6\xa0\xfe\xe4\x6c\x25\xab\xcf\x7a\xd8\x28\x2a\xae\x52\x99\xe2\x99\x79\x9c\xd5\x2d\x0a\x58\xd7\xff\x9d\xdd\xd0\x10\x37\x24\xc8\x8d\xa9\x2d\xbe\xfa\xb6\x24\x80\x38\xab\xef\x9e\xc5\x22\x64\xaf\xc7\x48\x25\xf7\xea\x70\xb2\xca\x95\xd6\x90\x0f\x9b\x64\x7a\x3f\x98\x6e\x18\x28\x7c\xb2\xbf\x4b\x4c\x19\xef\xc8\xc2\x18\xfd\x90\x5c\x37\x27\xc8\x6c\x37\x02\x6b\xfb\xde\x3a\xf0\x78\xeb\x07\xb7\x98\xe6\xd3\xd8\xf2\xe4\xd5\xd3\xbc\x18\x8c\xdd\x20\xf2\xeb\xb1\x46\x1c\x5e\x53\xb0\x5f\x29\x89\xff\xac\x3b\x16\x8d\xee\x56\xda\x0f\xc0\x11\x97\x4c\x66\x0e\x40\x0a\xe2\xd8\xb2\xc8\x0a\xcb\x23\x15\x81\xee\x91\x76\x31\x29\xb2\x88\x8a\xeb\x12", 229); *(uint32_t*)0x20006c8c = 0xe5; *(uint32_t*)0x20006c90 = 0x800; *(uint32_t*)0x20006c94 = 0x20006b00; memcpy((void*)0x20006b00, "\x56\x0c\x1b\xea\x71\xb0\xf9\x72\x44\xfa\x38\x6d\x26\xbf\x6b\x1b\x04\x30\x8e\x4b\xc7\xff\xfa", 23); *(uint32_t*)0x20006c98 = 0x17; *(uint32_t*)0x20006c9c = 0x80000001; 
*(uint32_t*)0x20006ca0 = 0x20006b40; memcpy((void*)0x20006b40, "\x14\xe5\x5a\x14\xa7\x95\x33\x87\xee\x55\x33\x3c\x1d\x16\x94\xca\x98\xc7\x99\x9b\x49\x78\x86\x42\x76\x68\x05\xd6\xf5\xa2\x90\xeb\x1e\x95\x9e\xe3\x5a\x74\x04\x59\xe1\x33\x00\x26\x2f\x2a\xf9\xc3\x57\xf7\xa8\xc1\xcb\xa1\x87\xe4\x48\xbc\x3c\x8f\x86\x5c\xc9\xbe\x88\x62\x4f\xb0\xf0\xd0\xbb\x88\x5d\x9c\xc2\xab\xe1\x71\xa2\x47\x8a\x74\x20\xdb\x22\xe8\x60\x7e\x3f\xbe\xc7\xe2\x60\x1d\x9e\x11\x08\x6c\xfa\x8c\xf1\x4d\x99\x67\x6b\x67\x9d\x8d\x6b\xf1\xdd\x4f\xaa\xb8\xfe\x9a\x5f\x4e\x3f\x69\x5f\xe2\xe6\xab\xf0\x9f\x70\x26\x83\x80\x2d\x44\xcc\x3a\x29\x82\x55\xc4\xc5\x95\x33\x73\x1f\xf5\xb2\x3e\x05\x3a\xfb\x71\x6d\x58\xca\xd6\x67\x68\x6e\xe6\x47\xf4\x8e\x19\x9c\x9b\x5c\x3d\x0d\x2d\x47\x0f\x2c\xe1\xc5\xb8\xb5\x70\x8a\xe0\x23\xad\x98\x80\xca\xf3\x1d\x01\xf9\x6a\xeb\xbf\xcc\x7d\xf9\x53\x58\xa0\x16\xc5\x47\x1c\xc2\xce\x2c\xed\x61\x05\x05\x7c\x9d\x22\xc8\x16\x78\x90\xca\x19", 216); *(uint32_t*)0x20006ca4 = 0xd8; *(uint32_t*)0x20006ca8 = 0x400; syz_read_part_table(9, 9, 0x20006c40); break; case 40: *(uint8_t*)0x20006cc0 = 0x12; *(uint8_t*)0x20006cc1 = 1; *(uint16_t*)0x20006cc2 = 0x200; *(uint8_t*)0x20006cc4 = 0x62; *(uint8_t*)0x20006cc5 = 0xa5; *(uint8_t*)0x20006cc6 = 0xbe; *(uint8_t*)0x20006cc7 = 0x10; *(uint16_t*)0x20006cc8 = 0x2833; *(uint16_t*)0x20006cca = 0x211; *(uint16_t*)0x20006ccc = 0x37a4; *(uint8_t*)0x20006cce = 1; *(uint8_t*)0x20006ccf = 2; *(uint8_t*)0x20006cd0 = 3; *(uint8_t*)0x20006cd1 = 1; *(uint8_t*)0x20006cd2 = 9; *(uint8_t*)0x20006cd3 = 2; *(uint16_t*)0x20006cd4 = 0x6b4; *(uint8_t*)0x20006cd6 = 1; *(uint8_t*)0x20006cd7 = 0x20; *(uint8_t*)0x20006cd8 = 0; *(uint8_t*)0x20006cd9 = 0xa0; *(uint8_t*)0x20006cda = 1; *(uint8_t*)0x20006cdb = 9; *(uint8_t*)0x20006cdc = 4; *(uint8_t*)0x20006cdd = 0xdf; *(uint8_t*)0x20006cde = 0; *(uint8_t*)0x20006cdf = 0x10; *(uint8_t*)0x20006ce0 = -1; *(uint8_t*)0x20006ce1 = 1; *(uint8_t*)0x20006ce2 = 0; *(uint8_t*)0x20006ce3 = 5; *(uint8_t*)0x20006ce4 = 7; *(uint8_t*)0x20006ce5 = 
0x24; *(uint8_t*)0x20006ce6 = 1; *(uint8_t*)0x20006ce7 = 1; *(uint8_t*)0x20006ce8 = 1; *(uint16_t*)0x20006ce9 = 1; *(uint8_t*)0x20006ceb = 9; *(uint8_t*)0x20006cec = 0x24; *(uint8_t*)0x20006ced = 6; *(uint8_t*)0x20006cee = 0; *(uint8_t*)0x20006cef = 0; memcpy((void*)0x20006cf0, "\xfd\x50\x65\x08", 4); *(uint8_t*)0x20006cf4 = 5; *(uint8_t*)0x20006cf5 = 0x24; *(uint8_t*)0x20006cf6 = 0; *(uint16_t*)0x20006cf7 = 3; *(uint8_t*)0x20006cf9 = 0xd; *(uint8_t*)0x20006cfa = 0x24; *(uint8_t*)0x20006cfb = 0xf; *(uint8_t*)0x20006cfc = 1; *(uint32_t*)0x20006cfd = 0x40000000; *(uint16_t*)0x20006d01 = 8; *(uint16_t*)0x20006d03 = 0x4cc5; *(uint8_t*)0x20006d05 = 0x7f; *(uint8_t*)0x20006d06 = 7; *(uint8_t*)0x20006d07 = 0x24; *(uint8_t*)0x20006d08 = 0xa; *(uint8_t*)0x20006d09 = 8; *(uint8_t*)0x20006d0a = 0x3f; *(uint8_t*)0x20006d0b = 0; *(uint8_t*)0x20006d0c = 0x81; *(uint8_t*)0x20006d0d = 0x10; *(uint8_t*)0x20006d0e = 0x24; *(uint8_t*)0x20006d0f = 7; *(uint8_t*)0x20006d10 = 0x80; *(uint16_t*)0x20006d11 = 5; *(uint16_t*)0x20006d13 = 0x44; *(uint16_t*)0x20006d15 = 2; *(uint16_t*)0x20006d17 = 0x800; *(uint16_t*)0x20006d19 = 0x101; *(uint16_t*)0x20006d1b = 4; *(uint8_t*)0x20006d1d = 4; *(uint8_t*)0x20006d1e = 0x24; *(uint8_t*)0x20006d1f = 2; *(uint8_t*)0x20006d20 = 4; *(uint8_t*)0x20006d21 = 8; *(uint8_t*)0x20006d22 = 0x24; *(uint8_t*)0x20006d23 = 0x1c; *(uint16_t*)0x20006d24 = 0; *(uint8_t*)0x20006d26 = 0xc0; *(uint16_t*)0x20006d27 = 0x5325; *(uint8_t*)0x20006d29 = 6; *(uint8_t*)0x20006d2a = 0x24; *(uint8_t*)0x20006d2b = 0x1a; *(uint16_t*)0x20006d2c = 0x7f; *(uint8_t*)0x20006d2e = 0; *(uint8_t*)0x20006d2f = 9; *(uint8_t*)0x20006d30 = 5; *(uint8_t*)0x20006d31 = 5; *(uint8_t*)0x20006d32 = 0; *(uint16_t*)0x20006d33 = 0xb5a2; *(uint8_t*)0x20006d35 = 6; *(uint8_t*)0x20006d36 = 0; *(uint8_t*)0x20006d37 = 5; *(uint8_t*)0x20006d38 = 7; *(uint8_t*)0x20006d39 = 0x25; *(uint8_t*)0x20006d3a = 1; *(uint8_t*)0x20006d3b = 0x82; *(uint8_t*)0x20006d3c = 0xe9; *(uint16_t*)0x20006d3d = 0xf000; 
*(uint8_t*)0x20006d3f = 9; *(uint8_t*)0x20006d40 = 5; *(uint8_t*)0x20006d41 = 0xe; *(uint8_t*)0x20006d42 = 2; *(uint16_t*)0x20006d43 = 0x200; *(uint8_t*)0x20006d45 = 8; *(uint8_t*)0x20006d46 = 7; *(uint8_t*)0x20006d47 = 0x40; *(uint8_t*)0x20006d48 = 9; *(uint8_t*)0x20006d49 = 5; *(uint8_t*)0x20006d4a = 0; *(uint8_t*)0x20006d4b = 0x7e; *(uint16_t*)0x20006d4c = 0x200; *(uint8_t*)0x20006d4e = 8; *(uint8_t*)0x20006d4f = 3; *(uint8_t*)0x20006d50 = 1; *(uint8_t*)0x20006d51 = 0x9b; *(uint8_t*)0x20006d52 = 0x21; memcpy((void*)0x20006d53, "\xf2\xef\x0a\x5c\x06\x9c\xdb\x31\x91\x38\xe1\x85\x06\x1d\x7e\x19\x6a\xe9\x4e\x53\x5d\x80\xf2\x76\x66\xfb\xa2\x3b\x37\x43\x25\xf1\x5d\xc5\xf2\x08\x12\xfe\x05\xb0\x62\x0f\x6f\xfc\xb8\x10\x03\xb1\xf3\x9c\x5d\xcd\x1b\xff\x14\xe2\xbb\xeb\x38\x73\x35\xa3\x53\x4f\x5a\xdb\x60\xff\xc4\xf2\x85\x95\xc8\xf9\x92\xf7\x7f\xd5\xf6\x7a\x04\x84\x2b\x9c\x43\x64\xe3\x55\x6b\xe9\xba\xcb\x8f\xd5\x6e\xd7\x78\x59\x29\x11\x53\xf6\xc5\x66\x02\x63\x63\xbf\xa5\xf2\xe6\xff\x2f\xa6\xd2\x93\x17\xf2\xd5\x62\x44\x53\x64\x93\x99\x15\xa7\x5d\xd7\x36\x5f\x6a\xb9\xc1\x5d\xdb\xc7\xc3\xa4\x5f\x7e\xb9\x8f\xd1\xfe\xa3\x55\x1b\xbd\x46\xf2\x0a\x87", 153); *(uint8_t*)0x20006dec = 9; *(uint8_t*)0x20006ded = 5; *(uint8_t*)0x20006dee = 0x80; *(uint8_t*)0x20006def = 1; *(uint16_t*)0x20006df0 = 0x3ff; *(uint8_t*)0x20006df2 = 1; *(uint8_t*)0x20006df3 = 0x20; *(uint8_t*)0x20006df4 = 0xef; *(uint8_t*)0x20006df5 = 0xec; *(uint8_t*)0x20006df6 = 6; memcpy((void*)0x20006df7, 
"\xf6\x42\x24\x6a\x53\x72\x99\x1d\xb9\x7e\x58\x24\xa4\x10\xe2\x83\x00\xd3\xbd\x15\x36\x38\xf6\xda\xc6\xe1\x18\x9a\x0c\x56\x0a\x0a\x0e\x5f\x8b\x15\xe0\x78\x79\xac\x95\x01\x65\x15\x20\x26\x46\xa7\xb5\xb5\xfc\x74\xb7\xcd\x40\xd5\x15\xb2\x84\x9d\x8c\x1d\xd9\xae\x4f\xca\x16\xc2\xe6\xcf\x0e\x8a\x20\xce\x54\xf0\x5f\xa1\x23\xc0\x19\x20\x8c\xb3\x4b\x5e\xe5\x61\xc2\x74\xea\x40\xa7\xb3\x4e\x58\x13\xa4\xa2\x9b\xe4\x08\x17\xeb\x1f\x7b\x3e\x9b\xef\x60\xf7\xc5\x66\x57\x48\x12\x36\xb9\x3e\x2c\x29\x7f\x17\xc7\x76\xb9\x8f\x1d\x0c\x8f\x2a\x56\x44\x77\x66\xc7\x28\x8b\xa6\xb1\xe3\x85\xb8\x4a\x51\x6a\x98\xab\x72\x9b\xa7\x0e\x31\xfe\xe3\xaa\xb1\x01\xd5\x90\xa4\x48\x1a\xe5\x85\x63\x26\xc6\x82\x5b\x73\xc7\xae\x7d\x3b\x99\xcb\x3c\x59\xdb\x31\xa1\x27\x26\x23\x4b\x90\x05\x84\xe8\xdb\x77\x93\x52\x18\x8d\x12\xc9\x32\xd4\xaa\xcb\x59\xee\xf3\x3d\x33\xb9\x55\x05\x10\xcf\x2b\x49\xda\x74\x7e\x03\x1c\x83\x11\x7b\x51\x1a\x1b\xb9\x3e\xd7\x6c\x71\x6e\x6a\x02\x54", 234); *(uint8_t*)0x20006ee1 = 7; *(uint8_t*)0x20006ee2 = 0x25; *(uint8_t*)0x20006ee3 = 1; *(uint8_t*)0x20006ee4 = 0; *(uint8_t*)0x20006ee5 = 6; *(uint16_t*)0x20006ee6 = 0x40; *(uint8_t*)0x20006ee8 = 9; *(uint8_t*)0x20006ee9 = 5; *(uint8_t*)0x20006eea = 1; *(uint8_t*)0x20006eeb = 0; *(uint16_t*)0x20006eec = 0x100; *(uint8_t*)0x20006eee = 0xfe; *(uint8_t*)0x20006eef = 8; *(uint8_t*)0x20006ef0 = 0x37; *(uint8_t*)0x20006ef1 = 0xe9; *(uint8_t*)0x20006ef2 = 0x23; memcpy((void*)0x20006ef3, 
"\x1a\x0e\x35\x42\x85\x7d\x49\xea\x63\xb7\x26\x1e\xbf\xc1\x9f\x14\x27\x2e\x28\x4d\x26\x65\xd2\x79\x5e\x43\xf6\xf9\xca\x62\x77\x6c\x9e\xe5\x2d\x99\x18\x79\xd7\xd6\x7b\x4d\x8b\x27\x0f\xd5\x15\x98\xbe\xac\x1c\x03\x39\xb2\x25\x7a\xd6\x8c\x1d\xde\x54\x88\x5a\xe2\xd2\x19\xb8\x7c\xde\x15\x9a\x98\x97\xc8\x8b\xda\x26\xe0\x8a\x36\x91\x05\x50\x22\x73\x9c\x1f\xe6\x4a\xdb\x98\x63\x9d\xc2\x54\x21\xc4\x49\xcf\x36\x48\x00\xc4\xc3\x65\x06\x2f\x24\x88\xe6\x90\x1e\x56\xe6\x2f\x4b\x70\x3e\xae\x7a\xf2\x62\x98\xa1\xee\xe1\xbf\xe6\x2d\x9b\x2a\xe3\x53\x20\xae\x2b\xaf\x17\x4e\x94\xff\x55\x32\x10\x97\xbe\x81\xe0\x27\x9f\x5d\x0a\xa8\x4d\xd1\x8c\xa0\x86\x4d\x98\xd0\xed\xbb\xea\xa1\x9d\xdf\x36\x26\xfd\x83\xa2\xe2\xb5\xf6\x76\xa7\x34\xd4\x78\x4b\x3c\x68\x77\xfd\x1b\xb3\xc9\x54\x3d\xf7\xab\xda\x9b\xd9\xc9\xbe\x40\x59\x49\x74\x7e\x21\x07\x3c\x18\x95\x7f\xff\x0e\xaa\xc0\x27\x3c\xfd\x3f\x70\x2c\xb6\x55\x97\x94\x9a\x17\x27\x26\xf7\xe4\x59\x53\x6c", 231); *(uint8_t*)0x20006fda = 0x18; *(uint8_t*)0x20006fdb = 0x10; memcpy((void*)0x20006fdc, "\xa0\x28\x90\x17\xf3\xf4\x33\xf1\x10\x59\x48\x9a\x61\x11\x58\x23\xe1\x13\x8a\xe8\x4a\x34", 22); *(uint8_t*)0x20006ff2 = 9; *(uint8_t*)0x20006ff3 = 5; *(uint8_t*)0x20006ff4 = 0xe; *(uint8_t*)0x20006ff5 = 4; *(uint16_t*)0x20006ff6 = 0x10; *(uint8_t*)0x20006ff8 = 0x67; *(uint8_t*)0x20006ff9 = 3; *(uint8_t*)0x20006ffa = 8; *(uint8_t*)0x20006ffb = 7; *(uint8_t*)0x20006ffc = 0x25; *(uint8_t*)0x20006ffd = 1; *(uint8_t*)0x20006ffe = 1; *(uint8_t*)0x20006fff = 0x80; *(uint16_t*)0x20007000 = 0x2e6; *(uint8_t*)0x20007002 = 9; *(uint8_t*)0x20007003 = 5; *(uint8_t*)0x20007004 = 0xd; *(uint8_t*)0x20007005 = 4; *(uint16_t*)0x20007006 = 0x200; *(uint8_t*)0x20007008 = 0x48; *(uint8_t*)0x20007009 = 0x35; *(uint8_t*)0x2000700a = 8; *(uint8_t*)0x2000700b = 0xe5; *(uint8_t*)0x2000700c = 5; memcpy((void*)0x2000700d, 
"\x30\xef\xe9\xc1\xa6\xe5\xc8\x9c\x20\x31\x21\x4c\x60\xfb\xbe\xaa\x45\x78\x09\x1e\x38\x00\x9c\x76\x1d\x15\x77\x48\x02\x93\x4c\xfd\x36\x35\x5b\x35\x18\xcc\xfe\x59\xfa\x5e\x7c\xce\xe3\xc1\x3a\xc4\xaf\xfb\xe0\x73\xe0\xe7\x88\xc9\xb5\xe3\x22\x16\xef\xbf\x02\xe3\x58\x69\xd7\xb2\x33\xa3\x89\xf8\x12\xbf\xd8\x49\x43\x3c\x32\x84\x66\xed\xa5\xe0\xe3\x23\x75\x29\xcd\xc6\x5e\x4e\xee\x74\x3d\x31\xff\xc1\x86\xa1\xfe\x79\x4b\xdf\x13\x64\xf3\x1e\xae\xff\x39\x82\x9e\x8f\x61\x44\x85\x0d\x74\x70\xcc\x71\x57\x2d\x1f\x2f\x23\xdc\xcd\xbc\xdd\x99\xe4\x93\x0d\xe7\xed\xbf\x59\xb3\x38\xdb\x34\x90\x30\x5f\xd7\x71\x02\x57\x98\x0b\x7f\x76\xb8\xda\xea\xcb\x2a\xd6\x18\x13\x1f\xb9\xb5\xa3\xe0\x26\xc9\xdd\xbd\x69\x48\x3c\xd7\x94\xca\xad\x29\xf2\xe3\xb6\x31\x24\xa9\x52\xb4\x62\xde\x0c\xd9\x51\xd7\xef\xd9\xb3\xb2\x91\x07\xb6\x41\x41\x7e\x77\x83\xd9\x01\x59\x13\x7f\xa5\x27\x3a\x95\xe0\xcc\x46\xc9\x7c\x22\x46\xe6\x11\xac\xb1\x4b\x4d", 227); *(uint8_t*)0x200070f0 = 9; *(uint8_t*)0x200070f1 = 5; *(uint8_t*)0x200070f2 = 3; *(uint8_t*)0x200070f3 = 0x10; *(uint16_t*)0x200070f4 = 8; *(uint8_t*)0x200070f6 = 0; *(uint8_t*)0x200070f7 = 0x33; *(uint8_t*)0x200070f8 = 9; *(uint8_t*)0x200070f9 = 9; *(uint8_t*)0x200070fa = 5; *(uint8_t*)0x200070fb = 2; *(uint8_t*)0x200070fc = 0xc; *(uint16_t*)0x200070fd = 0x400; *(uint8_t*)0x200070ff = 0xed; *(uint8_t*)0x20007100 = 7; *(uint8_t*)0x20007101 = 9; *(uint8_t*)0x20007102 = 0x84; *(uint8_t*)0x20007103 = 0x31; memcpy((void*)0x20007104, "\xee\x4c\xd2\x19\x15\x4d\xf4\x91\xc4\xd3\x2a\xa3\x21\x12\xcf\xf4\x07\x51\x1b\x06\xb1\x7f\x74\x34\x09\xec\xc2\x16\xc3\x1e\x92\xce\xfa\x2b\x5c\xc5\x9e\x63\x4d\x7a\xeb\xa2\xc9\xe5\xe3\x6d\x8e\xfa\xdc\x02\x55\x17\x25\x18\xf9\x09\xb4\xe1\xa7\xda\xf4\xd9\x88\xb1\xee\xaf\x19\x6c\x76\xee\x90\x2b\x65\x7d\x12\xfc\x23\xc2\x1e\x17\x6c\xd1\x49\xe9\x8a\x8d\x8d\x57\x55\xb7\x4f\xed\x1a\x42\x84\xbc\xfd\x6e\x69\x61\x95\x1f\xf8\x21\x6f\x7b\xb4\x2f\x79\x0e\xdd\x53\x9c\x1b\xc5\xbb\xac\x44\xf7\x67\xa6\x85\xc5\x7c\xbb\xde\xc8\x30\xc5\x2c", 130); 
*(uint8_t*)0x20007186 = 7; *(uint8_t*)0x20007187 = 0x25; *(uint8_t*)0x20007188 = 1; *(uint8_t*)0x20007189 = 0x83; *(uint8_t*)0x2000718a = 1; *(uint16_t*)0x2000718b = 0xfe01; *(uint8_t*)0x2000718d = 9; *(uint8_t*)0x2000718e = 5; *(uint8_t*)0x2000718f = 3; *(uint8_t*)0x20007190 = 0; *(uint16_t*)0x20007191 = 0x40; *(uint8_t*)0x20007193 = 2; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 9; *(uint8_t*)0x20007197 = 5; *(uint8_t*)0x20007198 = 0; *(uint8_t*)0x20007199 = 0; *(uint16_t*)0x2000719a = 0x400; *(uint8_t*)0x2000719c = 0; *(uint8_t*)0x2000719d = 0x2f; *(uint8_t*)0x2000719e = 4; *(uint8_t*)0x2000719f = 9; *(uint8_t*)0x200071a0 = 5; *(uint8_t*)0x200071a1 = 0x8f; *(uint8_t*)0x200071a2 = 8; *(uint16_t*)0x200071a3 = 8; *(uint8_t*)0x200071a5 = 0x81; *(uint8_t*)0x200071a6 = 1; *(uint8_t*)0x200071a7 = 0x7f; *(uint8_t*)0x200071a8 = 7; *(uint8_t*)0x200071a9 = 0x25; *(uint8_t*)0x200071aa = 1; *(uint8_t*)0x200071ab = 0; *(uint8_t*)0x200071ac = 9; *(uint16_t*)0x200071ad = 0xfb; *(uint8_t*)0x200071af = 7; *(uint8_t*)0x200071b0 = 0x25; *(uint8_t*)0x200071b1 = 1; *(uint8_t*)0x200071b2 = 0x81; *(uint8_t*)0x200071b3 = 7; *(uint16_t*)0x200071b4 = 3; *(uint8_t*)0x200071b6 = 9; *(uint8_t*)0x200071b7 = 5; *(uint8_t*)0x200071b8 = 2; *(uint8_t*)0x200071b9 = 0; *(uint16_t*)0x200071ba = 0x400; *(uint8_t*)0x200071bc = 0x40; *(uint8_t*)0x200071bd = 0x76; *(uint8_t*)0x200071be = 3; *(uint8_t*)0x200071bf = 7; *(uint8_t*)0x200071c0 = 0x25; *(uint8_t*)0x200071c1 = 1; *(uint8_t*)0x200071c2 = 0x80; *(uint8_t*)0x200071c3 = 0x31; *(uint16_t*)0x200071c4 = 8; *(uint8_t*)0x200071c6 = 9; *(uint8_t*)0x200071c7 = 5; *(uint8_t*)0x200071c8 = 0xf; *(uint8_t*)0x200071c9 = 0x10; *(uint16_t*)0x200071ca = 0x3ff; *(uint8_t*)0x200071cc = 6; *(uint8_t*)0x200071cd = 0xb2; *(uint8_t*)0x200071ce = 6; *(uint8_t*)0x200071cf = 7; *(uint8_t*)0x200071d0 = 0x25; *(uint8_t*)0x200071d1 = 1; *(uint8_t*)0x200071d2 = 0x82; *(uint8_t*)0x200071d3 = 0x80; *(uint16_t*)0x200071d4 = 6; 
*(uint8_t*)0x200071d6 = 9; *(uint8_t*)0x200071d7 = 5; *(uint8_t*)0x200071d8 = 0xf; *(uint8_t*)0x200071d9 = 0x10; *(uint16_t*)0x200071da = 0x200; *(uint8_t*)0x200071dc = 6; *(uint8_t*)0x200071dd = 6; *(uint8_t*)0x200071de = 0xca; *(uint8_t*)0x200071df = 7; *(uint8_t*)0x200071e0 = 0x25; *(uint8_t*)0x200071e1 = 1; *(uint8_t*)0x200071e2 = 0x81; *(uint8_t*)0x200071e3 = 0x20; *(uint16_t*)0x200071e4 = 3; *(uint8_t*)0x200071e6 = 9; *(uint8_t*)0x200071e7 = 5; *(uint8_t*)0x200071e8 = 0x80; *(uint8_t*)0x200071e9 = 0x10; *(uint16_t*)0x200071ea = 0x400; *(uint8_t*)0x200071ec = 1; *(uint8_t*)0x200071ed = 0xfc; *(uint8_t*)0x200071ee = 4; *(uint8_t*)0x200071ef = 0xd4; *(uint8_t*)0x200071f0 = 0x21; memcpy((void*)0x200071f1, "\x28\xa1\xdf\xa1\xd2\x8f\x9a\xe6\x0d\x0a\x8e\x9e\x3c\x51\x2d\xb3\x53\x69\xd4\x79\xfa\x6e\x6a\xa0\x99\xe2\x67\xe1\xce\xd7\x7c\xa2\xe1\x80\xb4\x29\x77\x90\x23\xa8\x72\xb0\xef\x88\x07\xe1\x1f\x8b\x8b\x21\xb8\x11\xd4\xfe\x55\x27\x33\x5c\xe8\x6e\x3a\x95\xcd\xf9\x60\xd1\xe7\x9e\x88\xc2\x76\xc1\x74\xd1\x83\xd2\xf3\xbc\x08\x62\xdd\x7e\x1d\x29\xac\x58\x9c\xeb\x22\x02\x4e\x25\xa4\x4c\x3e\x81\x23\x58\x1d\x14\x48\xfd\x2d\xb5\x33\x2f\xe4\x1c\x23\xf9\xaa\x95\x95\x64\xf3\x2d\xb1\xda\x14\x61\x04\x15\xdd\xc2\x93\xdc\x57\xc9\xd6\xc7\x75\xd2\x21\x51\xbd\xab\x23\x6a\x5a\x73\x59\x2e\x55\x18\x05\x57\x28\xae\x81\x9e\x25\xc0\x80\xcb\xb9\xbf\x02\x03\xb6\x63\x9b\x8f\xd8\xd7\x16\xd9\xc5\x71\xd6\xb2\x60\xea\x29\x77\x33\xd5\x3c\x3a\x05\x44\x9b\x9b\x92\x21\xd0\xf4\x02\x61\x0c\x98\x37\x18\x9f\x9c\x6a\xb3\xba\xaf\x03\x1d\x48\x69\x26\x90\xc9\x98\x1c\xee\x14\x26", 210); *(uint8_t*)0x200072c3 = 0xc3; *(uint8_t*)0x200072c4 = 6; memcpy((void*)0x200072c5, 
"\x60\xed\x98\x57\x6f\xbb\xbe\xe3\xdb\x67\xd5\x35\xea\x7e\x1a\x19\xd9\x2d\x68\x9e\x2f\x03\x30\x8a\x61\x5a\x56\x41\xe7\x2e\x69\x4d\x99\x6f\x76\xc1\x11\x1c\x88\xc5\x07\xc3\x9a\x87\xf3\x4a\x36\x82\xda\xfb\xfe\x58\x3b\x79\xf5\xb9\x50\xa3\x06\x14\x16\x2c\x60\x5f\x7e\x6c\x5d\x45\x2b\x4f\x84\xa1\x45\xf2\x0b\xf4\x47\x0d\xdf\x43\xf0\x6c\x41\x5d\xc6\xc4\x15\x51\xfd\x45\x8b\xa6\xae\xdf\x57\xd7\x4c\xb8\x5a\x25\xe4\x33\x24\x81\x4b\x62\xc3\xbe\x41\x08\xb1\xea\x5b\x9d\xd2\x2a\x78\xa4\x5c\xdf\x5d\x8f\x27\xc1\x1f\x35\x02\x6b\xf7\xef\x10\xc7\xd1\xf0\x61\x5f\xe1\xc4\x4a\x30\x2a\x84\xd8\x8b\x8d\x6c\x2d\x85\x04\x9c\x9f\x48\xa0\x4b\x4e\x61\x80\x1c\x01\x7f\x60\x9b\x67\x3f\xc8\x29\x0f\x73\x62\xa0\xed\x35\x88\x2a\x33\x5b\x65\x7f\x83\x5f\xce\x8e\x20\x10\x0c\xde\x82\xc1\xa3\xdc\x18\x06\x11", 193); *(uint32_t*)0x20007740 = 0xa; *(uint32_t*)0x20007744 = 0x200073c0; *(uint8_t*)0x200073c0 = 0xa; *(uint8_t*)0x200073c1 = 6; *(uint16_t*)0x200073c2 = 0x310; *(uint8_t*)0x200073c4 = 5; *(uint8_t*)0x200073c5 = 0x80; *(uint8_t*)0x200073c6 = -1; *(uint8_t*)0x200073c7 = 0xbf; *(uint8_t*)0x200073c8 = 5; *(uint8_t*)0x200073c9 = 0; *(uint32_t*)0x20007748 = 5; *(uint32_t*)0x2000774c = 0x20007400; *(uint8_t*)0x20007400 = 5; *(uint8_t*)0x20007401 = 0xf; *(uint16_t*)0x20007402 = 5; *(uint8_t*)0x20007404 = 0; *(uint32_t*)0x20007750 = 5; *(uint32_t*)0x20007754 = 0xa8; *(uint32_t*)0x20007758 = 0x20007440; *(uint8_t*)0x20007440 = 0xa8; *(uint8_t*)0x20007441 = 3; memcpy((void*)0x20007442, 
"\x05\x84\xbd\xdc\x14\x96\x71\xf9\xe6\xc6\xcd\x12\x3b\x79\x6c\xaf\xe2\xeb\x5d\x2b\xd3\xcf\x65\xe3\xeb\x0f\x3a\x60\x1a\xba\x71\x64\x71\x3d\x40\x42\x65\x3f\x2c\xca\x18\x22\x07\xd4\xe7\xff\xa8\xbc\x71\xe7\x05\xaa\x48\xbc\xff\x03\xfd\xdd\x2e\x3e\x6b\xeb\xe1\x1c\xb6\x1f\x95\xfa\xf1\x4a\xfd\xf2\x94\x40\x02\x1e\x85\x1f\xb6\x82\xaa\x24\xe6\x24\xe8\x33\x95\x2d\xb6\xd1\xf9\x6a\xa7\xed\xfc\x74\xce\x50\x13\x59\x69\x4c\x75\x83\xeb\x5e\x48\xdf\xe2\x27\xd2\x10\x5d\x5e\x3d\x23\x59\xe3\xc7\x28\xa4\x8a\xdf\xf0\x9b\x11\x32\xf9\x28\x89\x3c\xee\xfa\xe6\x77\x00\x98\x3b\xe1\xca\x94\xe8\x18\xe7\xa1\x46\x3c\x80\x2f\x1f\xc2\xa7\x2d\x40\x90\x09\x33\x40\x3d\x7b\x25\x5a\x35\xd9\xdc\x33", 166); *(uint32_t*)0x2000775c = 4; *(uint32_t*)0x20007760 = 0x20007500; *(uint8_t*)0x20007500 = 4; *(uint8_t*)0x20007501 = 3; *(uint16_t*)0x20007502 = 0x42c; *(uint32_t*)0x20007764 = 0xf4; *(uint32_t*)0x20007768 = 0x20007540; *(uint8_t*)0x20007540 = 0xf4; *(uint8_t*)0x20007541 = 3; memcpy((void*)0x20007542, "\x1c\x53\x71\x17\xdc\x72\x0a\xf3\xcc\xf1\x08\x68\x7c\x86\xcb\x54\x4b\xc8\x85\x37\x9e\x43\x5d\xbb\x86\x1b\xc9\xa0\x15\x50\x59\x2e\x60\x08\xae\x94\xa1\xf9\x83\x17\xad\x9c\xd8\x04\x01\x6b\x07\x9b\x5e\xc2\x94\xdc\xaf\x45\x37\xcf\x5b\x68\xc3\xc4\x35\x37\x54\xca\xf3\x69\xba\x34\x10\x1c\xbd\x21\x92\x6b\x15\xce\xf6\x7a\xb6\x3e\xad\x40\xab\xfb\xef\x86\x7b\x37\x2f\xe2\x78\x18\x66\xf8\x7a\x2d\xcc\xf9\x8f\xfe\x66\x53\x1c\x1d\x50\x21\x40\x6c\x69\xce\x84\xb4\x39\x13\x0c\xac\x71\xf5\x25\x64\xb7\xc8\xfa\x62\x1d\x71\xd5\xff\x00\x15\x17\x59\x3f\x05\x9d\xa0\xcb\x82\xf1\xfd\x5e\x32\x7d\xf9\xab\xec\x49\x46\xe3\x4e\x20\xd3\xf1\xdf\x8f\x4a\x04\x22\xf9\xbb\x53\x89\x49\xb4\xa1\x4d\x1b\x3a\xfd\x67\x93\xe8\x1d\x3b\xa5\x96\xd1\x6d\x8c\xee\x0e\x70\x03\x14\xe5\x31\xe6\x02\xfe\x5c\xb8\x32\xb2\x2c\x7a\x2f\x9f\x36\xf3\x9d\x05\x38\x76\x47\x81\x57\xd5\x41\xe8\xc0\x97\x7a\x9a\xca\xf6\x91\xf1\x23\x4f\x66\x5d\x23\x4f\x82\xee\x90\xff\x89\x82\xd9\xc1\x37\x1a\x15\xdd\xc8\xed\x23\x92\xdd\x5a\x96", 242); *(uint32_t*)0x2000776c = 0x98; 
*(uint32_t*)0x20007770 = 0x20007640; *(uint8_t*)0x20007640 = 0x98; *(uint8_t*)0x20007641 = 3; memcpy((void*)0x20007642, "\x07\x8c\xbe\xfd\x67\x79\x6b\x8d\x00\xc6\xa0\x27\xe5\xd0\x7b\xc3\xb0\x07\x56\xac\xaf\xb9\x09\x6e\x3e\x38\x1a\x99\xfd\xbe\x8a\x51\x61\xca\x19\xa9\x62\x8d\x61\xba\xef\xd6\x97\x2b\x48\xf5\xe0\x4b\x0f\xa6\xe2\xb9\x9c\xca\x8d\xf5\xb5\x0d\xbd\x97\xd6\x56\xc0\x2f\x85\x83\xa5\x8c\xe8\xcb\xd3\x5c\x69\xfb\x3f\x86\xde\x0d\xda\xc9\x0f\x5b\xe8\xd4\xf0\x4a\x3a\xd4\xf3\x12\x93\xb5\x09\x95\x91\x39\xbe\xa0\xf3\x06\x7d\x0e\xbf\xa3\xc5\xb2\x10\xe1\x99\x30\x78\xb0\xae\x92\x95\x61\xfc\x77\x34\x86\x9b\x3d\xd8\xd8\x12\xc0\x0a\x30\x35\x23\x61\x66\xa3\x12\x27\xae\x29\x1e\x69\x6a\xb4\xf8\x1f\x4e\x3f\x02\xd6\xb2\xf3\x34", 150); *(uint32_t*)0x20007774 = 4; *(uint32_t*)0x20007778 = 0x20007700; *(uint8_t*)0x20007700 = 4; *(uint8_t*)0x20007701 = 3; *(uint16_t*)0x20007702 = 0x43e; syz_usb_connect(2, 0x6c6, 0x20006cc0, 0x20007740); break; case 41: *(uint8_t*)0x20007780 = 0x12; *(uint8_t*)0x20007781 = 1; *(uint16_t*)0x20007782 = 0x200; *(uint8_t*)0x20007784 = -1; *(uint8_t*)0x20007785 = -1; *(uint8_t*)0x20007786 = -1; *(uint8_t*)0x20007787 = 0x40; *(uint16_t*)0x20007788 = 0xcf3; *(uint16_t*)0x2000778a = 0x9271; *(uint16_t*)0x2000778c = 0x108; *(uint8_t*)0x2000778e = 1; *(uint8_t*)0x2000778f = 2; *(uint8_t*)0x20007790 = 3; *(uint8_t*)0x20007791 = 1; *(uint8_t*)0x20007792 = 9; *(uint8_t*)0x20007793 = 2; *(uint16_t*)0x20007794 = 0x48; *(uint8_t*)0x20007796 = 1; *(uint8_t*)0x20007797 = 1; *(uint8_t*)0x20007798 = 0; *(uint8_t*)0x20007799 = 0x80; *(uint8_t*)0x2000779a = 0xfa; *(uint8_t*)0x2000779b = 9; *(uint8_t*)0x2000779c = 4; *(uint8_t*)0x2000779d = 0; *(uint8_t*)0x2000779e = 0; *(uint8_t*)0x2000779f = 6; *(uint8_t*)0x200077a0 = -1; *(uint8_t*)0x200077a1 = 0; *(uint8_t*)0x200077a2 = 0; *(uint8_t*)0x200077a3 = 0; *(uint8_t*)0x200077a4 = 9; *(uint8_t*)0x200077a5 = 5; *(uint8_t*)0x200077a6 = 1; *(uint8_t*)0x200077a7 = 2; *(uint16_t*)0x200077a8 = 0x200; *(uint8_t*)0x200077aa = 0; 
*(uint8_t*)0x200077ab = 0; *(uint8_t*)0x200077ac = 0; *(uint8_t*)0x200077ad = 9; *(uint8_t*)0x200077ae = 5; *(uint8_t*)0x200077af = 0x82; *(uint8_t*)0x200077b0 = 2; *(uint16_t*)0x200077b1 = 0x200; *(uint8_t*)0x200077b3 = 0; *(uint8_t*)0x200077b4 = 0; *(uint8_t*)0x200077b5 = 0; *(uint8_t*)0x200077b6 = 9; *(uint8_t*)0x200077b7 = 5; *(uint8_t*)0x200077b8 = 0x83; *(uint8_t*)0x200077b9 = 3; *(uint16_t*)0x200077ba = 0x40; *(uint8_t*)0x200077bc = 1; *(uint8_t*)0x200077bd = 0; *(uint8_t*)0x200077be = 0; *(uint8_t*)0x200077bf = 9; *(uint8_t*)0x200077c0 = 5; *(uint8_t*)0x200077c1 = 4; *(uint8_t*)0x200077c2 = 3; *(uint16_t*)0x200077c3 = 0x40; *(uint8_t*)0x200077c5 = 1; *(uint8_t*)0x200077c6 = 0; *(uint8_t*)0x200077c7 = 0; *(uint8_t*)0x200077c8 = 9; *(uint8_t*)0x200077c9 = 5; *(uint8_t*)0x200077ca = 5; *(uint8_t*)0x200077cb = 2; *(uint16_t*)0x200077cc = 0x200; *(uint8_t*)0x200077ce = 0; *(uint8_t*)0x200077cf = 0; *(uint8_t*)0x200077d0 = 0; *(uint8_t*)0x200077d1 = 9; *(uint8_t*)0x200077d2 = 5; *(uint8_t*)0x200077d3 = 6; *(uint8_t*)0x200077d4 = 2; *(uint16_t*)0x200077d5 = 0x200; *(uint8_t*)0x200077d7 = 0; *(uint8_t*)0x200077d8 = 0; *(uint8_t*)0x200077d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007780, 0); if (res != -1) r[22] = res; break; case 42: *(uint32_t*)0x200079c0 = 0x18; *(uint32_t*)0x200079c4 = 0x20007800; *(uint8_t*)0x20007800 = 0x20; *(uint8_t*)0x20007801 = 0x11; *(uint32_t*)0x20007802 = 0xb7; *(uint8_t*)0x20007806 = 0xb7; *(uint8_t*)0x20007807 = 9; memcpy((void*)0x20007808, 
"\x72\xf5\x91\xba\x5c\x69\x4f\x16\xa4\xd9\x20\x75\xef\x3e\xc8\xbc\x46\x92\x09\x54\x79\x9e\xc8\xd3\xc0\x30\x8f\x3b\x47\x79\xda\x6e\x18\xe9\x82\x4a\x86\x74\x6d\x01\x3a\x39\x9a\xfc\x7f\x6f\xce\xb6\xc3\x7f\x7f\x13\x1c\x71\xeb\xc0\x01\xf6\x66\xea\x63\xed\x3a\xde\x13\x20\x09\x73\x5a\x54\x66\x22\xf9\xe6\x39\xd4\x81\xc9\x67\xcc\x7b\x5b\x74\x7c\xc5\xe6\x2f\xdc\x41\xbb\xb4\xbb\x95\x87\x8a\x44\x2c\xc4\x91\x11\xc0\xf5\x78\x86\xf1\x70\x77\xa1\xb4\xb2\x2e\x3c\xf2\x8e\xec\xb7\x98\xfe\xed\x6f\x16\x8d\xd9\xcc\x26\x46\xf8\xb7\x9e\xd4\x1b\xba\x94\xde\x9e\x30\x4f\xc8\x45\x17\x9a\x73\x21\xf0\x47\x84\xaa\x91\x7b\xa0\x84\x05\xb0\xa9\x5b\x83\x03\xd9\x14\xef\x8e\x37\x47\x80\xdd\x8e\x34\x37\xc9\x5c\x35\x76\x4c\xd0\x63\xe7\xa3\xec\x6d\x79\x0b", 181); *(uint32_t*)0x200079c8 = 0x200078c0; *(uint8_t*)0x200078c0 = 0; *(uint8_t*)0x200078c1 = 3; *(uint32_t*)0x200078c2 = 4; *(uint8_t*)0x200078c6 = 4; *(uint8_t*)0x200078c7 = 3; *(uint16_t*)0x200078c8 = 0x813; *(uint32_t*)0x200079cc = 0x20007900; *(uint8_t*)0x20007900 = 0; *(uint8_t*)0x20007901 = 0xf; *(uint32_t*)0x20007902 = 0xc; *(uint8_t*)0x20007906 = 5; *(uint8_t*)0x20007907 = 0xf; *(uint16_t*)0x20007908 = 0xc; *(uint8_t*)0x2000790a = 1; *(uint8_t*)0x2000790b = 7; *(uint8_t*)0x2000790c = 0x10; *(uint8_t*)0x2000790d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000790e, 0x18, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20007910, 3, 0, 16); *(uint32_t*)0x200079d0 = 0x20007940; *(uint8_t*)0x20007940 = 0x20; *(uint8_t*)0x20007941 = 0x29; *(uint32_t*)0x20007942 = 0xf; *(uint8_t*)0x20007946 = 0xf; *(uint8_t*)0x20007947 = 0x29; *(uint8_t*)0x20007948 = 7; *(uint16_t*)0x20007949 = 0x80; *(uint8_t*)0x2000794b = 6; *(uint8_t*)0x2000794c = 0xe0; memcpy((void*)0x2000794d, "\x84\x02\x48\x7c", 4); memcpy((void*)0x20007951, "\x80\x56\xa3\xff", 4); *(uint32_t*)0x200079d4 = 0x20007980; *(uint8_t*)0x20007980 = 0x20; *(uint8_t*)0x20007981 = 0x2a; *(uint32_t*)0x20007982 = 0xc; 
*(uint8_t*)0x20007986 = 0xc; *(uint8_t*)0x20007987 = 0x2a; *(uint8_t*)0x20007988 = 0xa7; *(uint16_t*)0x20007989 = 2; *(uint8_t*)0x2000798b = 0x7d; *(uint8_t*)0x2000798c = 0; *(uint8_t*)0x2000798d = 0x80; *(uint16_t*)0x2000798e = 7; *(uint16_t*)0x20007990 = 6; *(uint32_t*)0x20007e80 = 0x44; *(uint32_t*)0x20007e84 = 0x20007a00; *(uint8_t*)0x20007a00 = 0x40; *(uint8_t*)0x20007a01 = 0x10; *(uint32_t*)0x20007a02 = 0x8c; memcpy((void*)0x20007a06, "\x21\xb8\x38\x25\x05\x9f\x24\x50\x6d\x8e\x84\x20\x85\xd1\xf2\xe7\xf9\x64\x47\x1b\x20\xed\x0a\x8e\x50\xa9\xaa\x4e\xf1\x6b\x5a\x6f\x2d\xbb\x2b\x57\x0a\x4f\x8d\x13\xd6\x0e\x47\xbb\x78\x21\xff\x91\x21\x11\xde\xe4\x0a\x78\xd4\x2b\x4d\x13\xea\x81\x2d\x92\x9c\xcf\x39\x64\xc5\x46\x8f\x89\xd2\xd2\x16\x30\xec\x87\x06\x7a\x2d\x13\xf4\x52\x38\xb4\x46\xbf\x57\xc6\xb9\xec\x35\x57\x8f\xa5\x87\xfc\x77\xfe\x21\x08\xb1\x59\x0b\xe0\x81\x68\x1c\xcc\x02\x4f\x1f\x59\x0b\xe9\xe5\xbe\xc9\xea\x86\xb9\x80\x3c\x60\x29\x9d\xda\x1a\x82\xf8\xff\x04\x42\x86\x71\xa4\x3b\xc2\xc3\x39\x3a", 140); *(uint32_t*)0x20007e88 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0; *(uint8_t*)0x20007ac1 = 0xa; *(uint32_t*)0x20007ac2 = 1; *(uint8_t*)0x20007ac6 = 4; *(uint32_t*)0x20007e8c = 0x20007b00; *(uint8_t*)0x20007b00 = 0; *(uint8_t*)0x20007b01 = 8; *(uint32_t*)0x20007b02 = 1; *(uint8_t*)0x20007b06 = 0xfb; *(uint32_t*)0x20007e90 = 0x20007b40; *(uint8_t*)0x20007b40 = 0x20; *(uint8_t*)0x20007b41 = 0; *(uint32_t*)0x20007b42 = 4; *(uint16_t*)0x20007b46 = 1; *(uint16_t*)0x20007b48 = 1; *(uint32_t*)0x20007e94 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x20; *(uint8_t*)0x20007b81 = 0; *(uint32_t*)0x20007b82 = 4; *(uint16_t*)0x20007b86 = 0x140; *(uint16_t*)0x20007b88 = 0x20; *(uint32_t*)0x20007e98 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 7; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 0x3ff; *(uint32_t*)0x20007e9c = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 9; *(uint32_t*)0x20007c02 = 1; *(uint8_t*)0x20007c06 = 0x81; 
*(uint32_t*)0x20007ea0 = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0xb; *(uint32_t*)0x20007c42 = 2; memcpy((void*)0x20007c46, "\x8a\x02", 2); *(uint32_t*)0x20007ea4 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0xf; *(uint32_t*)0x20007c82 = 2; *(uint16_t*)0x20007c86 = 0x321a; *(uint32_t*)0x20007ea8 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x13; *(uint32_t*)0x20007cc2 = 6; *(uint8_t*)0x20007cc6 = 1; *(uint8_t*)0x20007cc7 = 0x80; *(uint8_t*)0x20007cc8 = 0xc2; *(uint8_t*)0x20007cc9 = 0; *(uint8_t*)0x20007cca = 0; *(uint8_t*)0x20007ccb = 0; *(uint32_t*)0x20007eac = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x17; *(uint32_t*)0x20007d02 = 6; memcpy((void*)0x20007d06, "\xb0\xfe\x28\x1f\xa3\x91", 6); *(uint32_t*)0x20007eb0 = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x19; *(uint32_t*)0x20007d42 = 2; memcpy((void*)0x20007d46, "#7", 2); *(uint32_t*)0x20007eb4 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x1a; *(uint32_t*)0x20007d82 = 2; *(uint16_t*)0x20007d86 = 6; *(uint32_t*)0x20007eb8 = 0x20007dc0; *(uint8_t*)0x20007dc0 = 0x40; *(uint8_t*)0x20007dc1 = 0x1c; *(uint32_t*)0x20007dc2 = 1; *(uint8_t*)0x20007dc6 = 6; *(uint32_t*)0x20007ebc = 0x20007e00; *(uint8_t*)0x20007e00 = 0x40; *(uint8_t*)0x20007e01 = 0x1e; *(uint32_t*)0x20007e02 = 1; *(uint8_t*)0x20007e06 = 6; *(uint32_t*)0x20007ec0 = 0x20007e40; *(uint8_t*)0x20007e40 = 0x40; *(uint8_t*)0x20007e41 = 0x21; *(uint32_t*)0x20007e42 = 1; *(uint8_t*)0x20007e46 = 0x9e; syz_usb_control_io(r[22], 0x200079c0, 0x20007e80); break; case 43: *(uint8_t*)0x20007f00 = 0x12; *(uint8_t*)0x20007f01 = 1; *(uint16_t*)0x20007f02 = 0x70; *(uint8_t*)0x20007f04 = 2; *(uint8_t*)0x20007f05 = 0; *(uint8_t*)0x20007f06 = 0; *(uint8_t*)0x20007f07 = 0x50; *(uint16_t*)0x20007f08 = 0x525; *(uint16_t*)0x20007f0a = 0xa4a1; *(uint16_t*)0x20007f0c = 0x40; *(uint8_t*)0x20007f0e = 1; *(uint8_t*)0x20007f0f = 2; 
*(uint8_t*)0x20007f10 = 3; *(uint8_t*)0x20007f11 = 1; *(uint8_t*)0x20007f12 = 9; *(uint8_t*)0x20007f13 = 2; *(uint16_t*)0x20007f14 = 0x4d; *(uint8_t*)0x20007f16 = 1; *(uint8_t*)0x20007f17 = 1; *(uint8_t*)0x20007f18 = 2; *(uint8_t*)0x20007f19 = 0x70; *(uint8_t*)0x20007f1a = 0x40; *(uint8_t*)0x20007f1b = 9; *(uint8_t*)0x20007f1c = 4; *(uint8_t*)0x20007f1d = 0; *(uint8_t*)0x20007f1e = 0xc4; *(uint8_t*)0x20007f1f = 3; *(uint8_t*)0x20007f20 = 2; *(uint8_t*)0x20007f21 = 6; *(uint8_t*)0x20007f22 = 0; *(uint8_t*)0x20007f23 = 0xe1; *(uint8_t*)0x20007f24 = 8; *(uint8_t*)0x20007f25 = 0x24; *(uint8_t*)0x20007f26 = 6; *(uint8_t*)0x20007f27 = 0; *(uint8_t*)0x20007f28 = 0; memcpy((void*)0x20007f29, "W?s", 3); *(uint8_t*)0x20007f2c = 5; *(uint8_t*)0x20007f2d = 0x24; *(uint8_t*)0x20007f2e = 0; *(uint16_t*)0x20007f2f = 3; *(uint8_t*)0x20007f31 = 0xd; *(uint8_t*)0x20007f32 = 0x24; *(uint8_t*)0x20007f33 = 0xf; *(uint8_t*)0x20007f34 = 1; *(uint32_t*)0x20007f35 = 0x200; *(uint16_t*)0x20007f39 = 0; *(uint16_t*)0x20007f3b = 0x200; *(uint8_t*)0x20007f3d = 3; *(uint8_t*)0x20007f3e = 6; *(uint8_t*)0x20007f3f = 0x24; *(uint8_t*)0x20007f40 = 0x1a; *(uint16_t*)0x20007f41 = 0x1000; *(uint8_t*)0x20007f43 = 0; *(uint8_t*)0x20007f44 = 9; *(uint8_t*)0x20007f45 = 5; *(uint8_t*)0x20007f46 = 0x81; *(uint8_t*)0x20007f47 = 3; *(uint16_t*)0x20007f48 = 0x20; *(uint8_t*)0x20007f4a = 0x3f; *(uint8_t*)0x20007f4b = 0; *(uint8_t*)0x20007f4c = 0xd8; *(uint8_t*)0x20007f4d = 9; *(uint8_t*)0x20007f4e = 5; *(uint8_t*)0x20007f4f = 0x82; *(uint8_t*)0x20007f50 = 2; *(uint16_t*)0x20007f51 = 8; *(uint8_t*)0x20007f53 = -1; *(uint8_t*)0x20007f54 = 0xec; *(uint8_t*)0x20007f55 = 5; *(uint8_t*)0x20007f56 = 9; *(uint8_t*)0x20007f57 = 5; *(uint8_t*)0x20007f58 = 3; *(uint8_t*)0x20007f59 = 2; *(uint16_t*)0x20007f5a = 0x3cf; *(uint8_t*)0x20007f5c = 0x81; *(uint8_t*)0x20007f5d = 0x39; *(uint8_t*)0x20007f5e = 5; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f80; *(uint8_t*)0x20007f80 = 0xa; *(uint8_t*)0x20007f81 = 6; 
*(uint16_t*)0x20007f82 = 0; *(uint8_t*)0x20007f84 = 2; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x77; *(uint8_t*)0x20007f87 = -1; *(uint8_t*)0x20007f88 = 0x2f; *(uint8_t*)0x20007f89 = 0; *(uint32_t*)0x20008288 = 5; *(uint32_t*)0x2000828c = 0x20007fc0; *(uint8_t*)0x20007fc0 = 5; *(uint8_t*)0x20007fc1 = 0xf; *(uint16_t*)0x20007fc2 = 5; *(uint8_t*)0x20007fc4 = 0; *(uint32_t*)0x20008290 = 5; *(uint32_t*)0x20008294 = 0x69; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 0x69; *(uint8_t*)0x20008001 = 3; memcpy((void*)0x20008002, "\xd2\x5a\x9c\x8f\x14\x52\xa3\xc6\xff\xbf\xec\xa8\xeb\x77\x79\x35\xb5\x8c\x9b\x74\x06\x77\x50\x86\xff\xf7\x17\xb5\x4f\x05\xac\x59\xf9\x45\x17\xff\x3c\xd6\xf3\x10\x1d\xbf\xa7\x9b\xb8\x2a\xe3\x1b\x1d\x31\x6d\x08\xa7\x1d\x14\xfc\x2c\x1c\xfa\x8c\x89\x30\x68\xbd\xe2\xbb\x83\x0a\xe9\x1f\xc9\x42\x88\xcc\x23\x2a\xaa\xc0\xe6\x4b\x84\x00\x7b\x0e\x75\x36\xc3\xec\x34\xed\xef\x04\xde\xd9\x34\x21\xa3\x77\xe0\x69\x53\x26\xaa", 103); *(uint32_t*)0x2000829c = 0xac; *(uint32_t*)0x200082a0 = 0x20008080; *(uint8_t*)0x20008080 = 0xac; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x73\x60\x60\x9c\xe8\x30\x0a\xe4\x62\x33\x08\xd5\xf8\xb9\x7b\xfd\x50\xd3\xd8\x63\x40\x8b\x8e\xa4\x01\xc8\x6d\xa9\xd4\x2c\xe5\xf3\x86\x7c\xe8\xd7\x21\xfb\x2a\xb5\xc2\x5f\x6b\x4c\x5e\x85\xf5\xea\xf3\x41\xbd\x51\x4a\x16\xc2\xdf\xe3\xc7\xa1\xd7\xf4\x27\xae\x62\xc0\xbf\xf3\x79\xe8\x4d\x56\x63\x7e\xc1\x37\x7b\x8c\x8a\xd5\xb5\x5b\x09\x9c\xfa\xa4\xa7\xa6\xee\xb0\x58\x9f\x81\xe7\xa4\x33\x00\xef\xf5\x33\x54\xe1\xb2\xbd\xcd\xc3\x4d\x79\x45\xd6\x35\x62\xe4\x8d\x5e\xd9\x3b\xef\x75\xfd\x01\x60\xfc\xd7\xc3\xa6\xbe\x7f\x0c\x64\x2b\xb6\xe5\x61\xe3\x5a\x1c\x73\x11\x0b\xdc\xde\xd7\x69\x98\x65\xe2\x5e\xb2\x38\xcf\x8f\x3b\x10\xad\x3c\x10\x48\x80\x28\xc3\x70\x63\xc8\x86\x2f\x90\x7b\x06\x82\x9e", 170); *(uint32_t*)0x200082a4 = 4; *(uint32_t*)0x200082a8 = 0x20008140; *(uint8_t*)0x20008140 = 4; *(uint8_t*)0x20008141 = 3; *(uint16_t*)0x20008142 = 0x81a; *(uint32_t*)0x200082ac = 4; 
*(uint32_t*)0x200082b0 = 0x20008180; *(uint8_t*)0x20008180 = 4; *(uint8_t*)0x20008181 = 3; *(uint16_t*)0x20008182 = 0x180a; *(uint32_t*)0x200082b4 = 0xb9; *(uint32_t*)0x200082b8 = 0x200081c0; *(uint8_t*)0x200081c0 = 0xb9; *(uint8_t*)0x200081c1 = 3; memcpy((void*)0x200081c2, "\x37\xef\xeb\x85\x4b\x40\x51\xa4\x6c\x67\xae\xe7\xea\xa0\xf6\x2f\xde\x9f\x59\x9c\xd5\xba\x25\x32\x9d\x50\xae\xe1\x6b\x30\xc6\xc1\xa5\x14\x83\x10\x81\xaf\xc1\xdf\xd2\x68\x2f\xf4\x87\x16\xa9\x1b\xf9\x5e\x08\x42\x12\xb0\x69\x6d\x43\xe1\xc6\xc4\x3a\xda\xf9\xed\x3e\xf7\x0e\x62\x73\x59\x94\xd2\xd0\x86\x51\x39\x60\x49\x88\xfa\xc1\x79\x78\xd9\xc0\x5a\x84\xf3\x42\x38\x31\xdd\x1d\xdd\xc6\xc9\x4d\x50\xdd\xd6\x74\xf1\x65\x25\xbb\xf9\xa8\xdb\x3b\xb4\x90\x01\xbe\x38\xa1\x96\x70\xab\xd9\x9f\x4a\x2e\x97\xcf\xb2\x0d\x46\xc6\x37\x83\x2a\x3e\xc9\x7f\xf0\x94\xc6\xa3\x30\x49\x64\xb7\x2b\xcf\x11\x6b\xf2\x7f\xed\xd5\x52\x1a\xd3\xda\x22\x62\x97\xff\xf8\x49\xc3\x3c\x5d\x84\x9e\x3e\x30\x37\x52\x79\x01\xee\xf6\x3a\x59\x9b\xaa\x54\xfc\x46\xa4\x6f\xf1", 183); res = -1; res = syz_usb_connect(2, 0x5f, 0x20007f00, 0x20008280); if (res != -1) r[23] = res; break; case 44: syz_usb_disconnect(r[23]); break; case 45: *(uint8_t*)0x200082c0 = 0x12; *(uint8_t*)0x200082c1 = 1; *(uint16_t*)0x200082c2 = 0x110; *(uint8_t*)0x200082c4 = 2; *(uint8_t*)0x200082c5 = 0; *(uint8_t*)0x200082c6 = 0; *(uint8_t*)0x200082c7 = 0x20; *(uint16_t*)0x200082c8 = 0x525; *(uint16_t*)0x200082ca = 0xa4a1; *(uint16_t*)0x200082cc = 0x40; *(uint8_t*)0x200082ce = 1; *(uint8_t*)0x200082cf = 2; *(uint8_t*)0x200082d0 = 3; *(uint8_t*)0x200082d1 = 1; *(uint8_t*)0x200082d2 = 9; *(uint8_t*)0x200082d3 = 2; *(uint16_t*)0x200082d4 = 0xb3; *(uint8_t*)0x200082d6 = 1; *(uint8_t*)0x200082d7 = 1; *(uint8_t*)0x200082d8 = 6; *(uint8_t*)0x200082d9 = 0x28; *(uint8_t*)0x200082da = -1; *(uint8_t*)0x200082db = 9; *(uint8_t*)0x200082dc = 4; *(uint8_t*)0x200082dd = 0; *(uint8_t*)0x200082de = 9; *(uint8_t*)0x200082df = 2; *(uint8_t*)0x200082e0 = 2; *(uint8_t*)0x200082e1 = 6; 
*(uint8_t*)0x200082e2 = 0; *(uint8_t*)0x200082e3 = 4; *(uint8_t*)0x200082e4 = 6; *(uint8_t*)0x200082e5 = 0x24; *(uint8_t*)0x200082e6 = 6; *(uint8_t*)0x200082e7 = 0; *(uint8_t*)0x200082e8 = 0; memset((void*)0x200082e9, 177, 1); *(uint8_t*)0x200082ea = 5; *(uint8_t*)0x200082eb = 0x24; *(uint8_t*)0x200082ec = 0; *(uint16_t*)0x200082ed = 8; *(uint8_t*)0x200082ef = 0xd; *(uint8_t*)0x200082f0 = 0x24; *(uint8_t*)0x200082f1 = 0xf; *(uint8_t*)0x200082f2 = 1; *(uint32_t*)0x200082f3 = 0x9208; *(uint16_t*)0x200082f7 = 2; *(uint16_t*)0x200082f9 = 0; *(uint8_t*)0x200082fb = 0x20; *(uint8_t*)0x200082fc = 0x5e; *(uint8_t*)0x200082fd = 0x24; *(uint8_t*)0x200082fe = 0x13; *(uint8_t*)0x200082ff = 7; memcpy((void*)0x20008300, "\x63\xb0\xb9\x53\x77\x14\x7b\xa2\x14\xd9\x50\xfc\x04\xb2\x2c\x04\xbe\x09\xd9\xb9\x6f\x1a\xb9\x4b\xb0\x2e\x8a\x2a\x9e\x23\xcf\x7d\x3a\xca\xb2\x2a\x80\xed\x35\x0e\xc4\xb1\x78\x06\xed\xcb\x16\x9e\x50\x75\x37\x3d\x99\x17\x80\x21\x13\x92\xeb\x3d\x9f\x11\x73\xa5\x39\x84\x3b\xf2\xc3\xf6\x6a\x4a\x69\x60\xa5\x5a\x22\x07\x76\x7d\xb3\xc5\x5a\x7d\xd2\x89\x8b\x5c\xcb\x40", 90); *(uint8_t*)0x2000835a = 0xc; *(uint8_t*)0x2000835b = 0x24; *(uint8_t*)0x2000835c = 0x1b; *(uint16_t*)0x2000835d = 0x2a; *(uint16_t*)0x2000835f = 0x100; *(uint8_t*)0x20008361 = 0xe0; *(uint8_t*)0x20008362 = 0x76; *(uint16_t*)0x20008363 = 0; *(uint8_t*)0x20008365 = -1; *(uint8_t*)0x20008366 = 4; *(uint8_t*)0x20008367 = 0x24; *(uint8_t*)0x20008368 = 2; *(uint8_t*)0x20008369 = 0xa; *(uint8_t*)0x2000836a = 9; *(uint8_t*)0x2000836b = 5; *(uint8_t*)0x2000836c = 0x81; *(uint8_t*)0x2000836d = 3; *(uint16_t*)0x2000836e = 0x20; *(uint8_t*)0x20008370 = 0x73; *(uint8_t*)0x20008371 = 0x35; *(uint8_t*)0x20008372 = 0x3f; *(uint8_t*)0x20008373 = 9; *(uint8_t*)0x20008374 = 5; *(uint8_t*)0x20008375 = 0x82; *(uint8_t*)0x20008376 = 2; *(uint16_t*)0x20008377 = 8; *(uint8_t*)0x20008379 = 3; *(uint8_t*)0x2000837a = 1; *(uint8_t*)0x2000837b = 3; *(uint8_t*)0x2000837c = 9; *(uint8_t*)0x2000837d = 5; *(uint8_t*)0x2000837e = 3; 
*(uint8_t*)0x2000837f = 2; *(uint16_t*)0x20008380 = 0x40; *(uint8_t*)0x20008382 = 5; *(uint8_t*)0x20008383 = 0x40; *(uint8_t*)0x20008384 = 2; *(uint32_t*)0x200087c0 = 0xa; *(uint32_t*)0x200087c4 = 0x200083c0; *(uint8_t*)0x200083c0 = 0xa; *(uint8_t*)0x200083c1 = 6; *(uint16_t*)0x200083c2 = 0x201; *(uint8_t*)0x200083c4 = 0x79; *(uint8_t*)0x200083c5 = 3; *(uint8_t*)0x200083c6 = 0x3f; *(uint8_t*)0x200083c7 = 0x20; *(uint8_t*)0x200083c8 = 6; *(uint8_t*)0x200083c9 = 0; *(uint32_t*)0x200087c8 = 0x37; *(uint32_t*)0x200087cc = 0x20008400; *(uint8_t*)0x20008400 = 5; *(uint8_t*)0x20008401 = 0xf; *(uint16_t*)0x20008402 = 0x37; *(uint8_t*)0x20008404 = 5; *(uint8_t*)0x20008405 = 7; *(uint8_t*)0x20008406 = 0x10; *(uint8_t*)0x20008407 = 2; STORE_BY_BITMASK(uint32_t, , 0x20008408, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008409, 0xa, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008409, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000840a, 5, 0, 16); *(uint8_t*)0x2000840c = 7; *(uint8_t*)0x2000840d = 0x10; *(uint8_t*)0x2000840e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000840f, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008410, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008410, 9, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008411, 8, 0, 16); *(uint8_t*)0x20008413 = 0xa; *(uint8_t*)0x20008414 = 0x10; *(uint8_t*)0x20008415 = 3; *(uint8_t*)0x20008416 = 0xc9; *(uint16_t*)0x20008417 = 7; *(uint8_t*)0x20008419 = 7; *(uint8_t*)0x2000841a = 0; *(uint16_t*)0x2000841b = 8; *(uint8_t*)0x2000841d = 0xa; *(uint8_t*)0x2000841e = 0x10; *(uint8_t*)0x2000841f = 3; *(uint8_t*)0x20008420 = 2; *(uint16_t*)0x20008421 = 0xc; *(uint8_t*)0x20008423 = 0; *(uint8_t*)0x20008424 = 6; *(uint16_t*)0x20008425 = 6; *(uint8_t*)0x20008427 = 0x10; *(uint8_t*)0x20008428 = 0x10; *(uint8_t*)0x20008429 = 0xa; *(uint8_t*)0x2000842a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000842b, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000842b, 0x8001, 5, 27); *(uint16_t*)0x2000842f = 0xf00f; *(uint16_t*)0x20008431 = 0xfffd; *(uint32_t*)0x20008433 = 
0x3fc0; *(uint32_t*)0x200087d0 = 9; *(uint32_t*)0x200087d4 = 0x4f; *(uint32_t*)0x200087d8 = 0x20008440; *(uint8_t*)0x20008440 = 0x4f; *(uint8_t*)0x20008441 = 3; memcpy((void*)0x20008442, "\xc0\x66\x3b\x11\x6d\xab\x9b\xa5\xc0\xa2\xf7\xa2\xad\x48\x6f\xfc\x16\x4a\x43\x65\x89\x95\x65\xc5\xe9\x9b\x01\x52\x39\xf3\x78\xdf\x56\xdb\x4d\xc3\xb0\xbb\x08\xdc\xd2\x08\xd9\x58\xfa\x3c\xf0\x80\x97\xaa\x20\x8b\x2d\x28\x65\xb5\x02\xcb\xc9\x4b\x1a\x8e\x33\xbd\xd9\xd6\x48\x1f\xbf\x32\xd4\x91\x34\x22\xfe\x18\x9f", 77); *(uint32_t*)0x200087dc = 0x85; *(uint32_t*)0x200087e0 = 0x200084c0; *(uint8_t*)0x200084c0 = 0x85; *(uint8_t*)0x200084c1 = 3; memcpy((void*)0x200084c2, "\xc9\xc4\x87\xa9\x0b\xe3\xd4\x0e\xf7\x82\x37\x3d\x78\x5f\x86\xbd\xfc\x3d\xb6\xfb\x0d\xd0\xa7\x44\x0b\x2f\xe4\x59\x5c\x3a\x6b\xd6\x7a\xa8\x51\x8d\x89\x7a\x8a\x75\x7d\x5f\x1c\xeb\x86\xe5\x98\xca\xbf\x23\x45\xf7\x71\xc3\xc7\x12\x8b\xd1\x6d\xd4\xb1\xee\x9b\x7d\xbc\xaf\x61\x1e\x97\xf6\xdc\xb9\xf1\x71\xe8\xf7\x05\x2b\x0f\x33\xe6\x31\xbf\xe9\x9d\xdc\x44\x13\xe5\xe5\xd7\xb6\x34\xdc\xc3\xb7\x7e\x4d\x30\x1f\x89\xa8\xd3\xb8\x51\xb0\x23\x06\xca\xbe\xc2\x11\x12\x7a\x8e\x54\x1d\x16\x26\x36\x58\x8f\xf5\x74\xde\x82\xde\x8f\x30\x7d\x43", 131); *(uint32_t*)0x200087e4 = 4; *(uint32_t*)0x200087e8 = 0x20008580; *(uint8_t*)0x20008580 = 4; *(uint8_t*)0x20008581 = 3; *(uint16_t*)0x20008582 = 0x1407; *(uint32_t*)0x200087ec = 4; *(uint32_t*)0x200087f0 = 0x200085c0; *(uint8_t*)0x200085c0 = 4; *(uint8_t*)0x200085c1 = 3; *(uint16_t*)0x200085c2 = 0; *(uint32_t*)0x200087f4 = 0xaa; *(uint32_t*)0x200087f8 = 0x20008600; *(uint8_t*)0x20008600 = 0xaa; *(uint8_t*)0x20008601 = 3; memcpy((void*)0x20008602, 
"\xce\x39\x5e\x8e\x9f\x40\x9a\x37\xda\xeb\x1c\x20\xbe\x9c\xa4\x00\x4a\xe8\x10\xcf\x16\x53\xec\xcd\x6e\x66\x3d\xd7\x4f\x8b\xc0\x69\x89\xb4\xd1\xa6\x5c\x9f\x48\x0b\xd3\x7e\x9d\xd8\x53\x49\xf2\x98\xdd\xad\xdc\x2c\xc9\xe4\xed\xa1\x47\xf2\x31\x40\x2e\x11\x6f\xb5\x94\xa6\x37\x18\xd8\x21\xd8\x85\xeb\xd6\x7e\xda\x45\x15\x58\xb1\xfb\xa3\x09\x3e\xcb\xd4\x0c\xbe\x5f\xbe\x07\xf9\x4e\xd9\x27\xd8\xe5\x03\x9a\x7c\x49\x7a\xa8\xd1\xf1\x0a\x4d\xda\xc0\x49\xad\x82\x0f\x8c\x53\x2c\x5a\x3f\x00\x94\x79\x55\x03\x24\x23\x92\x2e\x95\xaa\x5b\xfe\xe0\x41\xf7\xfe\x87\x44\xec\xc4\x42\x40\x57\xee\xc9\x70\x40\xb3\x41\xd0\xdd\xdc\xaf\x20\x6d\xa6\x43\x1e\x98\x7f\x04\xcf\xd5\x58\x02\xca\xd3\xa1\x14", 168); *(uint32_t*)0x200087fc = 4; *(uint32_t*)0x20008800 = 0x200086c0; *(uint8_t*)0x200086c0 = 4; *(uint8_t*)0x200086c1 = 3; *(uint16_t*)0x200086c2 = 0x3c01; *(uint32_t*)0x20008804 = 4; *(uint32_t*)0x20008808 = 0x20008700; *(uint8_t*)0x20008700 = 4; *(uint8_t*)0x20008701 = 3; *(uint16_t*)0x20008702 = 0x1809; *(uint32_t*)0x2000880c = 4; *(uint32_t*)0x20008810 = 0x20008740; *(uint8_t*)0x20008740 = 4; *(uint8_t*)0x20008741 = 3; *(uint16_t*)0x20008742 = 0x807; *(uint32_t*)0x20008814 = 4; *(uint32_t*)0x20008818 = 0x20008780; *(uint8_t*)0x20008780 = 4; *(uint8_t*)0x20008781 = 3; *(uint16_t*)0x20008782 = 0x1c; res = -1; res = syz_usb_connect(3, 0xc5, 0x200082c0, 0x200087c0); if (res != -1) r[24] = res; break; case 46: syz_usb_ep_read(r[24], 8, 0x7d, 0x20008840); break; case 47: *(uint8_t*)0x200088c0 = 0x12; *(uint8_t*)0x200088c1 = 1; *(uint16_t*)0x200088c2 = 0x250; *(uint8_t*)0x200088c4 = 0; *(uint8_t*)0x200088c5 = 0; *(uint8_t*)0x200088c6 = 0; *(uint8_t*)0x200088c7 = 0x10; *(uint16_t*)0x200088c8 = 0x56a; *(uint16_t*)0x200088ca = 0x62; *(uint16_t*)0x200088cc = 0x40; *(uint8_t*)0x200088ce = 1; *(uint8_t*)0x200088cf = 2; *(uint8_t*)0x200088d0 = 3; *(uint8_t*)0x200088d1 = 1; *(uint8_t*)0x200088d2 = 9; *(uint8_t*)0x200088d3 = 2; *(uint16_t*)0x200088d4 = 0x2d; *(uint8_t*)0x200088d6 = 1; *(uint8_t*)0x200088d7 = 1; 
*(uint8_t*)0x200088d8 = 0; *(uint8_t*)0x200088d9 = 0xf0; *(uint8_t*)0x200088da = 0x8e; *(uint8_t*)0x200088db = 9; *(uint8_t*)0x200088dc = 4; *(uint8_t*)0x200088dd = 0; *(uint8_t*)0x200088de = 5; *(uint8_t*)0x200088df = 1; *(uint8_t*)0x200088e0 = 3; *(uint8_t*)0x200088e1 = 1; *(uint8_t*)0x200088e2 = 2; *(uint8_t*)0x200088e3 = 0; *(uint8_t*)0x200088e4 = 9; *(uint8_t*)0x200088e5 = 0x21; *(uint16_t*)0x200088e6 = 3; *(uint8_t*)0x200088e8 = 0xf; *(uint8_t*)0x200088e9 = 1; *(uint8_t*)0x200088ea = 0x22; *(uint16_t*)0x200088eb = 0xa21; *(uint8_t*)0x200088ed = 9; *(uint8_t*)0x200088ee = 5; *(uint8_t*)0x200088ef = 0x81; *(uint8_t*)0x200088f0 = 3; *(uint16_t*)0x200088f1 = 0x3af; *(uint8_t*)0x200088f3 = 1; *(uint8_t*)0x200088f4 = 0x40; *(uint8_t*)0x200088f5 = 2; *(uint8_t*)0x200088f6 = 9; *(uint8_t*)0x200088f7 = 5; *(uint8_t*)0x200088f8 = 2; *(uint8_t*)0x200088f9 = 3; *(uint16_t*)0x200088fa = 0x10; *(uint8_t*)0x200088fc = 6; *(uint8_t*)0x200088fd = 1; *(uint8_t*)0x200088fe = 9; *(uint32_t*)0x20008c00 = 0xa; *(uint32_t*)0x20008c04 = 0x20008900; *(uint8_t*)0x20008900 = 0xa; *(uint8_t*)0x20008901 = 6; *(uint16_t*)0x20008902 = 0x250; *(uint8_t*)0x20008904 = 3; *(uint8_t*)0x20008905 = 1; *(uint8_t*)0x20008906 = 0x46; *(uint8_t*)0x20008907 = -1; *(uint8_t*)0x20008908 = 0x20; *(uint8_t*)0x20008909 = 0; *(uint32_t*)0x20008c08 = 0x34; *(uint32_t*)0x20008c0c = 0x20008940; *(uint8_t*)0x20008940 = 5; *(uint8_t*)0x20008941 = 0xf; *(uint16_t*)0x20008942 = 0x34; *(uint8_t*)0x20008944 = 2; *(uint8_t*)0x20008945 = 0xb; *(uint8_t*)0x20008946 = 0x10; *(uint8_t*)0x20008947 = 1; *(uint8_t*)0x20008948 = 2; *(uint16_t*)0x20008949 = 0xfa; *(uint8_t*)0x2000894b = 8; *(uint8_t*)0x2000894c = 0x80; *(uint16_t*)0x2000894d = 5; *(uint8_t*)0x2000894f = 3; *(uint8_t*)0x20008950 = 0x24; *(uint8_t*)0x20008951 = 0x10; *(uint8_t*)0x20008952 = 0xa; *(uint8_t*)0x20008953 = 5; STORE_BY_BITMASK(uint32_t, , 0x20008954, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20008954, 9, 5, 27); *(uint16_t*)0x20008958 = 0xf00f; 
*(uint16_t*)0x2000895a = 0; *(uint32_t*)0x2000895c = 0xffc00f; *(uint32_t*)0x20008960 = 0xff00c0; *(uint32_t*)0x20008964 = 0x101ffc0; *(uint32_t*)0x20008968 = 0xff0030; *(uint32_t*)0x2000896c = 0x30; *(uint32_t*)0x20008970 = 0x30; *(uint32_t*)0x20008c10 = 4; *(uint32_t*)0x20008c14 = 0xed; *(uint32_t*)0x20008c18 = 0x20008980; *(uint8_t*)0x20008980 = 0xed; *(uint8_t*)0x20008981 = 3; memcpy((void*)0x20008982, "\xe7\xdb\x91\x4e\xf4\xa7\x1a\x3a\xba\x44\x3e\xe1\x81\xc2\x72\xe7\xfb\xb6\x36\x48\xa9\x97\x75\x4b\x81\xa1\x93\x8f\x52\xb9\xfd\x8c\x2b\x76\xca\x28\xee\x1f\xcb\xa2\x80\x02\x1f\xbe\x02\xff\xa0\x3e\xa7\x53\xf2\xd5\x1b\x71\xf1\xcb\x93\x91\xea\x31\xfa\xab\xf8\xed\x37\xa9\x85\x3b\x87\xee\xba\xa0\xa1\x26\x96\x96\xe6\x5e\x30\x9e\xa4\xbf\x77\x55\xff\x1b\x99\x28\x0f\xd6\x82\x30\xd7\xd8\x99\xd0\x97\xe1\x6e\xe0\xb2\x24\xde\x57\x33\x94\x39\xc8\x0a\xd7\xfb\xf8\xbb\xf3\x2a\xa0\x0e\x29\x80\x2b\xde\x1c\x8c\x5e\x62\x28\xfa\x0a\x54\xc8\x35\x0e\xf9\x97\x11\x2f\x76\x3e\x17\x42\x8f\xb8\xe9\x5a\x56\x68\x95\x95\xf3\x0a\x3c\x16\x15\x18\x09\xb0\xc6\xb1\xd4\xd4\x76\x65\x10\xc6\xf0\x66\xfe\x4b\x35\xa3\xea\x90\xd3\x88\xd1\xb4\xd4\xe9\xc6\xb3\x09\x71\xe2\x37\xe2\x3f\xd2\x05\xf9\x90\x5e\xe7\xd7\x9f\x44\x43\x70\x7a\xdc\x7f\x65\xce\x2b\x15\x99\x4d\xaa\xc7\xb9\x54\x35\x3f\xb2\x32\x01\x84\x41\x22\x71\x05\x31\x87\x9c\x62\x91\xc7\xdf\xbf\x6b\xe4\x54\xb9\xcf\x2f\x2e", 235); *(uint32_t*)0x20008c1c = 4; *(uint32_t*)0x20008c20 = 0x20008a80; *(uint8_t*)0x20008a80 = 4; *(uint8_t*)0x20008a81 = 3; *(uint16_t*)0x20008a82 = 0x410; *(uint32_t*)0x20008c24 = 0x64; *(uint32_t*)0x20008c28 = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x64; *(uint8_t*)0x20008ac1 = 3; memcpy((void*)0x20008ac2, 
"\x04\x1c\x8b\x1b\xd1\x43\xea\x1d\x63\x82\x9b\x76\x9d\xdb\x88\x6a\x6a\xaf\xee\xdd\x5f\x65\x2b\xc9\x48\x67\x7c\x9a\x6e\x3a\xcf\xe0\x4a\x15\x19\x05\x3f\x95\xe5\xfc\xf7\x9b\x08\x53\x62\xcd\xac\x6a\xbb\xf8\xf1\x37\x81\xa6\x21\x88\x52\x57\x05\x2b\x12\x00\x45\xda\x2c\x49\x4a\x30\xbc\x6a\xe6\xc4\x16\x0c\xf4\x97\x00\x2a\xf8\xb7\x7e\x21\x68\x93\x24\xbd\x6e\x75\xac\xed\xa7\xcf\x6a\x50\x92\x0b\x2a\xb1", 98); *(uint32_t*)0x20008c2c = 0x87; *(uint32_t*)0x20008c30 = 0x20008b40; *(uint8_t*)0x20008b40 = 0x87; *(uint8_t*)0x20008b41 = 3; memcpy((void*)0x20008b42, "\x15\x08\x37\xb1\xe6\x9e\x50\x07\x39\x8a\xc0\x2c\x4a\x0b\x25\x07\x2d\xaa\x81\xa6\x4a\xf1\x0b\xcd\xc5\x73\x63\x33\xf4\x9c\x92\x1f\x86\xd9\xcb\xc6\xb7\x78\xf1\xd2\x16\x79\xd8\x47\xd5\xb8\xa9\xb7\x0f\xc5\x6b\xb5\xa4\x33\x04\x0a\xfd\x94\x37\x7b\x25\x15\xa5\x5c\xda\x70\xdb\x64\x44\x2a\xda\xe0\x90\x5a\xa9\x0f\x91\x1d\x3b\xee\xf8\x00\xab\x6f\xd8\x7a\x5c\x51\xfd\xa8\xfa\xa7\x50\xd1\x95\xc2\xe6\x57\x24\x97\x81\xc6\xaf\x05\x23\xe0\x49\x2f\x9a\x69\xe2\x27\xe1\x0c\xa0\x31\x0f\x1a\x01\x0f\x8b\x98\x6a\x9a\x05\x53\xa5\x33\x1f\x97\x54\xfc\x90", 133); res = -1; res = syz_usb_connect(3, 0x3f, 0x200088c0, 0x20008c00); if (res != -1) r[25] = res; break; case 48: memcpy((void*)0x20008c40, "\xa6\x90\x8c\x55\x30\x81\x4d\x6a\x6b\xfd\x6d\x6c\x75\x94\xd4\xaf\x8a\x49\x62\xd8\x82\xda\x65\x7b\xb4\x02\xc7\xd0\xae\x45\x35\x16\x81\x60\xdb\xf6\x7b\x82\xf2\x23\xd5\x77\xb0\xe1\x6e\x6a\xc3\xc4\x6a\x40\x15\xa6\xed\x7c\x4f\xa6\x5d\x1d\xba\xa2\x68\xb7\x48\xde\xc4\x67\x74\xec\xa9\x22\x47\x96\x94\x49\xa9\xf5\x9e\x9e\xdd\xe4\xd3\x7e\x7b\xd1\x78\x82\xeb\x00\x5e\x24\xfe\x43\xf5\x76\x54\x00\x0e\xad\xec\x3f\x1d\xe9\x91\x7e\xb2\x8c\x2a\x87\x71\x82\xc4\x7b\x55\x6d", 114); syz_usb_ep_write(r[25], 7, 0x72, 0x20008c40); break; case 49: syz_usbip_server_init(4); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); 
setup_binfmt_misc(); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } <stdin>:126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] <stdin>:113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] <stdin>:108:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor410161258 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/20 (1.79s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:true USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) (fail_nth: 1) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000040)={0x0, 0xe6, "f137161ab86c594202b997d9f12d007021870322c8d909748409951ae9800c1e207f98b769c740f867ea14bbf8666a4f98d229aaafbc33c6c52168db8933c4a4a4a3dd3ce0ccea96e71d81ff4aca8331cb01bf35433853d1abd48fd6d0ce1314df6507bae535a2b4e3eaa74c5d23006594148a0fe5b4a884ef8f41346e49cc90474cb17bac301d4797ed05dfc6ccb74bebaabe549172d622a30605a4e49fd3f8537de5272c33ad4f07cd060577bce65e5c80a34168cde68117e4f900e35a3d888e02ee111752213b40d2af258c01f36de50ce8e83d4226a30d6a4cc43a883f6c20e3fada8ad2"}, &(0x7f0000000140)=0xee) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e22, 0x3, @private2, 0x1}}, [0x7fffffff, 0x1, 0x7fff, 0x4, 0x7, 0x1, 0x3ff, 0x40, 0x5, 
0x1, 0x0, 0x7, 0x0, 0x8, 0x1f]}, &(0x7f0000000280)=0xfc) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e20, 0x9, @private2={0xfc, 0x2, '\x00', 0x1}, 0x3}}}, 0x84) r3 = openat$pktcdvd(0xffffff9c, &(0x7f0000000380), 0x0, 0x0) ioctl$MEDIA_REQUEST_IOC_QUEUE(r3, 0x7c80, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x7f, @private0, 0x5}}, 0x5, 0x476f}, 0x88) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_SRVCORE_ACQUIREGLOBALEVENTOBJECT(r3, 0xc0206440, &(0x7f0000000500)={0x1, 0x2, &(0x7f0000000480), &(0x7f00000004c0)={0x0}, 0x4, 0x8}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTQ2_RGXTDMSETTRANSFERCONTEXTPROPERTY(r3, 0xc0206440, &(0x7f00000005c0)={0x8a, 0x7, &(0x7f0000000540)={r4, 0x400}, &(0x7f0000000580), 0x10, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXBREAKPOINT_RGXENABLEBREAKPOINT(r3, 0xc0206440, &(0x7f0000000680)={0x83, 0x2, &(0x7f0000000600)={r4}, &(0x7f0000000640), 0x4, 0x4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@deauth={@wo_ht={{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x240}, @broadcast, @device_a, @random="2015d229785b", {0x8}}, 0x27, @val={0x8c, 0x18, {0xc93, "ffe3240f0484", @long="067ecc39a78a3ea47c22246d391b92c4"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_xfrm_policy_alloc_security\x00') syz_emit_ethernet(0xbc, &(0x7f0000000140)={@dev={'\xaa\xaa\xaa\xaa\xaa', 0x3b}, @broadcast, @void, {@mpls_mc={0x8848, {[{0x8, 0x0, 0x1}, {0x1, 0x0, 0x1}, {0x4, 0x0, 0x1}, {}, {0x0, 0x0, 0x1}], @ipv4=@dccp={{0x15, 0x4, 0x2, 0x33, 0x9a, 0x65, 0x0, 0x7, 0x21, 0x0, @dev={0xac, 0x14, 0x14, 0x1e}, @rand_addr=0x64010101, {[@noop, @end, @timestamp_addr={0x44, 0x1c, 0xe9, 0x1, 0x2, [{@dev={0xac, 0x14, 0x14, 0x28}, 0xf7e}, {@loopback, 0x7fff}, {@private=0xa010101, 0x5}]}, @generic={0x83, 0xe, 
"db10ac96c2cf817c67fc6d7e"}, @rr={0x7, 0x7, 0x87, [@local]}, @end, @ra={0x94, 0x4, 0x7}, @end, @generic={0x44, 0x5, "e0d910"}]}}, {{0x4e20, 0x4e23, 0x4, 0x1, 0xf, 0x0, 0x0, 0x9, 0x5, "d77b5a", 0x7, "c6dd9c"}, "494a1261c05df7372b3c29631b6232d41f19fa8727ecea11ccf1979683ceb144705e12c13fba0e399f08f58397f3ea7bdb746b3dcabe"}}}}}}, &(0x7f0000000200)={0x0, 0x3, [0xf9, 0x208, 0x50c, 0x74d]}) syz_emit_vhci(&(0x7f0000000240)=@HCI_EVENT_PKT={0x4, @HCI_EV_VENDOR={{0xff, 0xc1}, "0626cab051d180b0c2e36c0814bbca7e31d691502e1c7c0eae1a042e7372921a0c6dfccedd81a98f58b9850ba2f68bc25d5cab15a0af010796b5fdfb8a3b35f3eb48ee0c7b2ed287cf469fdec0248e957ef0dd22f3fc6d746e70262c277c016177e56a68031293b56b02c1b6f867d10a3bbf33817b39d487ae0659a68cffb8df46df59a7d104b7c6711d45af1f966d69e635809cf24a70d4c2ea9cc98d37599807148af36b475eb2ce56e027ac751769f8710272d187722ecdf7a8f86d8b977aa8"}}, 0xc4) syz_execute_func(&(0x7f0000000340)="c4c17d6f7072c4e1f9112fc4e3c95d33abc4c2790eb000000000c4e17a12b70c0000000f0156e9c4e10dd55e0cf30f526b000f7e20c4c179e702") syz_extract_tcp_res(&(0x7f0000000380), 0x80000000, 0x100) r5 = dup(0xffffffffffffffff) r6 = fcntl$getown(0xffffffffffffffff, 0x9) lstat(&(0x7f00000026c0)='./file0\x00', &(0x7f0000002700)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000002800)=0x0, &(0x7f0000002840), &(0x7f0000002880)=0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002ac0)={0x2020, 0x0, 0x0, 0x0}, 0x2020) statx(0xffffffffffffffff, &(0x7f0000004b00)='./file0\x00', 0x2000, 0x20, &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004d00)={{{@in6=@ipv4={""/10, ""/2, @private}, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000004e00)=0xe4) r13 = getgid() syz_fuse_handle_req(r5, &(0x7f00000003c0)="", 0x2000, &(0x7f0000004f40)={&(0x7f00000023c0)={0x50, 0x0, 0x3f, {0x7, 0x22, 0x8001, 0x1040000, 0x8, 0xf6e1, 0x8, 0x9}}, &(0x7f0000002440)={0x18, 0x0, 0x9, {0x40d}}, 
&(0x7f0000002480)={0x18, 0x0, 0x7, {0x7}}, &(0x7f00000024c0)={0x18, 0x0, 0xffff, {0x8}}, &(0x7f0000002500)={0x18, 0x0, 0xce0, {0x1c}}, &(0x7f0000002540)={0x28, 0x0, 0x1, {{0x100, 0x5, 0x2, r6}}}, &(0x7f0000002580)={0x60, 0xfffffffffffffffe, 0x8, {{0xcd95, 0x1f, 0x7, 0x48, 0xaac5, 0x6, 0xad, 0x5}}}, &(0x7f0000002600)={0x18, 0xfffffffffffffff5, 0x9, {0x9}}, &(0x7f0000002640)={0x11, 0x0, 0x0, {'\x00'}}, &(0x7f0000002680)={0x20, 0x0, 0x10000}, &(0x7f0000002780)={0x78, 0x0, 0x9, {0x3, 0x0, 0x0, {0x6, 0x0, 0xfffffffffffff20d, 0xfffffffffffffff8, 0x1, 0x3ff, 0x5, 0x9, 0x726, 0x1000, 0x6, r7, 0xee01, 0x7, 0x7}}}, &(0x7f00000028c0)={0x90, 0x0, 0x3, {0x2, 0x2, 0x100000000, 0x61a26b8d, 0x6, 0x2, {0x1, 0x3, 0x1, 0x100000000, 0x3, 0x8f, 0x4, 0x1ff, 0x849, 0x1000, 0x7, r8, 0xffffffffffffffff, 0x5, 0x1f}}}, &(0x7f0000002980)={0x130, 0x0, 0xa00000000000, [{0x4, 0x1, 0x6, 0x9, '\x01\x01\x01\x01\x01\x01'}, {0x6, 0x1, 0x5, 0xfffffffe, '\xaa\xaa\xaa\xaa\xaa'}, {0x1, 0x1ff, 0x3, 0x7, '{#-'}, {0x5, 0x0, 0x2, 0x761, '[#'}, {0x3, 0x0, 0x2, 0x6, '#]'}, {0x1, 0x714, 0x5, 0x3, '*^\\^b'}, {0x5, 0xeb68, 0x4, 0xfffffa80, '--$-'}, {0x6, 0xfffffffffffffeff, 0x1, 0x1, '-'}, {0x1, 0x8, 0x3, 0xf2, '!\\{'}]}, &(0x7f0000004c40)={0xb0, 0x0, 0xcf, [{{0x1, 0x1, 0x3, 0x100000000, 0x4, 0x81, {0x5, 0x7f, 0x5, 0x6, 0xffff, 0x3, 0x1f, 0x3, 0x8, 0xc000, 0xf5c8, r10, r11, 0x2, 0x9}}, {0x4, 0x80, 0x5, 0x2, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000004e40)={0xa0, 0x0, 0x400, {{0x6, 0x2, 0x400, 0x7, 0x4, 0x9, {0x4, 0x1000, 0xffff, 0x6, 0x1, 0xffff, 0x65f, 0x647c2b8f, 0x400, 0x8000, 0x8, r12, r13, 0x3, 0x6b}}, {0x0, 0xd}}}, &(0x7f0000004f00)={0x20, 0x0, 0x800, {0x0, 0x0, 0x10001}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004f80), r5) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r14 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x343, &(0x7f0000004fc0)={0x0, 0x5004, 0x0, 0x1, 0x1de, 0x0, r14}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000005040)=0x0, &(0x7f0000005080)=0x0) r17 = 
openat$uinput(0xffffff9c, &(0x7f00000050c0), 0x2, 0x0) r18 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000005100), 0x488200, 0x0) syz_io_uring_submit(r15, r16, &(0x7f0000005140)=@IORING_OP_SPLICE={0x1e, 0x3, 0x0, @fd=r14, 0x200, {0x0, r17}, 0x6, 0x1, 0x0, {0x0, 0x0, r18}}, 0x3dd1) r19 = openat$keychord(0xffffff9c, &(0x7f0000005180), 0x171000, 0x0) r20 = openat$ubi_ctrl(0xffffff9c, &(0x7f00000051c0), 0x10400, 0x0) syz_kvm_setup_cpu$arm64(r19, r20, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005240)=[{0x0, &(0x7f0000005200)="4623d8a4ce0217c9e59555c166890679e3e0c1940df5b9fcbf91649ef54d80f0c8bcc80e36b5574c4bc9f943401854f56aa2", 0x32}], 0x1, 0x0, &(0x7f0000005280)=[@featur2], 0x1) r21 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x8000, r18, 0x0) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000052c0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005300), &(0x7f0000005340)='./file0\x00', 0xfd, 0x2, &(0x7f0000005540)=[{&(0x7f0000005380)="873519f25df082b371ba5b45adb5709c00805747c37fe044064595cd4728bf8980302b25b4b083b42b41336e130f1b6ff0a2f172498e522b4fe5826eababf53a9852f93ebeb841e1645f32936127029d68fe73eced89c1b93587012a47c42a583d6975592b3f2cdf4337fc6d5e85e5f5835fafe095935ec90484e9081aa8d22498431301baad4a34368c26c64d85326c7e00682178f8d13e6a8969f15b9d5dbcfec2c0e69680c3928ca015b92e25f5078de354fe32cc7121609a0762e1b73efd8967a2fe235e4d1ef9e5ac88bc1ed706a984641b06470b2294d045ce7eba51c0728938a2c6eeb6d8574429cc24bcb2a784", 0xf1, 0x40}, {&(0x7f0000005480)="62935bfe26e9c9f2dc3c3e9dfb491858efb598369bcca51923989ba943cf447baf56625df0f685ed2d034b37c07563f668728f6dc6833609b1221970e55088869d29c01b2dd05c4820b08042b5074008c9757712c480e25d89b9c48e957e5b5c7b0beccfb1fcccedbcedc83806038075fc2a0f8228beb47f1fece09bddcbbe0021abe9c3d198369b81b67dbd6a7d334b8d28b802cc97d934c164e97d9d7b70dc6c", 0xa1, 0x1ff}], 0x8800, &(0x7f0000005580)={[{'\xaa\xaa\xaa\xaa\xaa'}, {}, {':&-]!'}, {'}'}, {',-V'}, {'\\*})'}, {'*^\\^b'}], [{@appraise}, {@fowner_lt={'fowner<', 
r8}}, {@smackfshat={'smackfshat', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@obj_type={'obj_type', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@dont_appraise}, {@dont_measure}, {@fowner_lt={'fowner<', r9}}, {@dont_appraise}]}) syz_open_dev$I2C(&(0x7f0000005640), 0x40, 0x300) syz_open_procfs(r6, &(0x7f0000005680)='net/if_inet6\x00') syz_open_pts(r19, 0x800) syz_read_part_table(0x9, 0x9, &(0x7f0000006c40)=[{&(0x7f00000056c0)="", 0x1000, 0x8001}, {&(0x7f00000066c0)="31e3c3fa6d99", 0x6, 0x3ff}, {&(0x7f0000006700)="39de863b7148208e432fcddbd9e9148e716c1b48a3967c870c70145d90ed681b3f8bce849fee7f50091570854e20103723e56454e711543f6e2be92c34090d8cc792260be9b960c1e4", 0x49, 0x9}, {&(0x7f0000006780)="17fad571f80fecd34a59bc03f6c02bbd6d56cd8d958924b4ae4189b88b85897efd4e596e1118bb0c771c2c5ba37ded06d78111390c1c80cf6ea9df8727f88559815ed76b36fa13fb4d08e1ccdad7973b5bec5655a74a671fde99ee92397c56d409dadb10c4c37ee92cb41d03ae6fb164e7f86985039128d38be83b5e16c35ee34eb2b8396c5348028781a0a879f88159740ab89705d637bedafa915f195a152597fa0d7da9b76476602c6eeefca1e80a6d3d0ed1a75b00f7a5e153dd851e2301c8daa7d49b4ad91c62d1a6967f54cf9621c240ed587192f69959e05407850ce3831c4e811e6fff1cdf93cfabde887358316881845356d7", 0xf7, 0x26}, {&(0x7f0000006880)="c286968e2238742a47e0e8d444a6a661b7708222f4eddab97a749dcebe2cc83a314b828795f915a36d873b714aef15ddb1b4f62f06800bbe85eaebcb76abe944719249ee7927c88e78a968e93f45c52013ef97ef6f989b1d1cd30fff88677962c8f3052ad0a4631e4e750ba80f3753916c2dffc6a4023cdb62a1b5f2afbb965b2f78c5dd47af90b002da1a26a24fcb99bf81fb29574a2f98107a7937639873b95f4a569a0406cc358b46efae587e9008be69d711ae202c22e29a2f615fd23dcf", 0xc0}, {&(0x7f0000006940)="97fc4dd9db673e16fd0f0eb9a4a26e2a49f42e1616190b0634dfd6135145f4e451bbbad56dadf266964eba7d1007c0a23f8cf03d4f8fe09a7989152b7cf2ec30f2693a06befdf023d79f48c208d742c7b75915bcc1be583517ced3b826b97075e62a8ed12dbb264807c6ffd0227614491fb9de0d8a925a2638c31608de405bbf79e96f171fd58338b1d6979d33a7dae8ad62f2ba53fefc3c", 0x98, 0x20}, 
{&(0x7f0000006a00)="77d8d606bfb424e7b995809ab4f559115fd82e972d98b651dfc69b10df600fb4f78efd586f9cc26edc41b1d2fac87efe59e262411f27a94cf796ed31236b457ca0f147530efbd4cfa6b6a0fee46c25abcf7ad8282aae5299e299799cd52d0a58d7ff9dddd0103724c88da92dbefab6248038abef9ec52264afc74825f7ea70b2ca95d6900f9b647a3f986e18287cb2bf4b4c19efc8c218fd905c3727c86c37026bfbde3af078eb07b798e6d3d8f2e4d5d3bc188cdd20f2ebb1461c5e53b05f2989ffac3b168dee56da0fc011974c660e400ae2d8b2c80acb231581ee91763129b2888aeb12", 0xe5, 0x800}, {&(0x7f0000006b00)="560c1bea71b0f97244fa386d26bf6b1b04308e4bc7fffa", 0x17, 0x80000001}, {&(0x7f0000006b40)="14e55a14a7953387ee55333c1d1694ca98c7999b49788642766805d6f5a290eb1e959ee35a740459e13300262f2af9c357f7a8c1cba187e448bc3c8f865cc9be88624fb0f0d0bb885d9cc2abe171a2478a7420db22e8607e3fbec7e2601d9e11086cfa8cf14d99676b679d8d6bf1dd4faab8fe9a5f4e3f695fe2e6abf09f702683802d44cc3a298255c4c59533731ff5b23e053afb716d58cad667686ee647f48e199c9b5c3d0d2d470f2ce1c5b8b5708ae023ad9880caf31d01f96aebbfcc7df95358a016c5471cc2ce2ced6105057c9d22c8167890ca19", 0xd8, 0x400}]) syz_usb_connect(0x2, 0x6c6, &(0x7f0000006cc0)={{0x12, 0x1, 0x200, 0x62, 0xa5, 0xbe, 0x10, 0x2833, 0x211, 0x37a4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6b4, 0x1, 0x20, 0x0, 0xa0, 0x1, [{{0x9, 0x4, 0xdf, 0x0, 0x10, 0xff, 0x1, 0x0, 0x5, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x1, 0x1}]}, @cdc_ecm={{0x9, 0x24, 0x6, 0x0, 0x0, "fd506508"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x40000000, 0x8, 0x4cc5, 0x7f}, [@network_terminal={0x7, 0x24, 0xa, 0x8, 0x3f, 0x0, 0x81}, @country_functional={0x10, 0x24, 0x7, 0x80, 0x5, [0x44, 0x2, 0x800, 0x101, 0x4]}, @acm={0x4, 0x24, 0x2, 0x4}, @mbim_extended={0x8, 0x24, 0x1c, 0x0, 0xc0, 0x5325}, @ncm={0x6, 0x24, 0x1a, 0x7f}]}], [{{0x9, 0x5, 0x5, 0x0, 0xa716c6d63b98b5a2, 0x6, 0x0, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xe9, 0xf000}]}}, {{0x9, 0x5, 0xe, 0x2, 0x200, 0x8, 0x7, 0x40}}, {{0x9, 0x5, 0x0, 0x10605a5c87a92a7e, 0x200, 0x8, 0x3, 0x1, [@generic={0x9b, 0x21, 
"f2ef0a5c069cdb319138e185061d7e196ae94e535d80f27666fba23b374325f15dc5f20812fe05b0620f6ffcb81003b1f39c5dcd1bff14e2bbeb387335a3534f5adb60ffc4f28595c8f992f77fd5f67a04842b9c4364e3556be9bacb8fd56ed77859291153f6c566026363bfa5f2e6ff2fa6d29317f2d562445364939915a75dd7365f6ab9c15ddbc7c3a45f7eb98fd1fea3551bbd46f20a87"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x3ff, 0x1, 0x20, 0xef, [@generic={0xec, 0x6, "f642246a5372991db97e5824a410e28300d3bd153638f6dac6e1189a0c560a0a0e5f8b15e07879ac95016515202646a7b5b5fc74b7cd40d515b2849d8c1dd9ae4fca16c2e6cf0e8a20ce54f05fa123c019208cb34b5ee561c274ea40a7b34e5813a4a29be40817eb1f7b3e9bef60f7c56657481236b93e2c297f17c776b98f1d0c8f2a56447766c7288ba6b1e385b84a516a98ab729ba70e31fee3aab101d590a4481ae5856326c6825b73c7ae7d3b99cb3c59db31a12726234b900584e8db779352188d12c932d4aacb59eef33d33b9550510cf2b49da747e031c83117b511a1bb93ed76c716e6a0254"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x40}]}}, {{0x9, 0x5, 0x1, 0x0, 0x100, 0xfe, 0x8, 0x37, [@generic={0xe9, 0x23, "1a0e3542857d49ea63b7261ebfc19f14272e284d2665d2795e43f6f9ca62776c9ee52d991879d7d67b4d8b270fd51598beac1c0339b2257ad68c1dde54885ae2d219b87cde159a9897c88bda26e08a3691055022739c1fe64adb98639dc25421c449cf364800c4c365062f2488e6901e56e62f4b703eae7af26298a1eee1bfe62d9b2ae35320ae2baf174e94ff55321097be81e0279f5d0aa84dd18ca0864d98d0edbbeaa19ddf3626fd83a2e2b5f676a734d4784b3c6877fd1bb3c9543df7abda9bd9c9be405949747e21073c18957fff0eaac0273cfd3f702cb65597949a172726f7e459536c"}, @generic={0x18, 0x10, "a0289017f3f433f11059489a61115823e1138ae84a34"}]}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0x67, 0x3, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x80, 0x2e6}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x48, 0x35, 0x8, [@generic={0xe5, 0x5, 
"30efe9c1a6e5c89c2031214c60fbbeaa4578091e38009c761d15774802934cfd36355b3518ccfe59fa5e7ccee3c13ac4affbe073e0e788c9b5e32216efbf02e35869d7b233a389f812bfd849433c328466eda5e0e3237529cdc65e4eee743d31ffc186a1fe794bdf1364f31eaeff39829e8f6144850d7470cc71572d1f2f23dccdbcdd99e4930de7edbf59b338db3490305fd7710257980b7f76b8daeacb2ad618131fb9b5a3e026c9ddbd69483cd794caad29f2e3b63124a952b462de0cd951d7efd9b3b29107b641417e7783d90159137fa5273a95e0cc46c97c2246e611acb14b4d"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x8, 0x0, 0x33, 0x9}}, {{0x9, 0x5, 0x2, 0xc, 0x400, 0xed, 0x7, 0x9, [@generic={0x84, 0x31, "ee4cd219154df491c4d32aa32112cff407511b06b17f743409ecc216c31e92cefa2b5cc59e634d7aeba2c9e5e36d8efadc0255172518f909b4e1a7daf4d988b1eeaf196c76ee902b657d12fc23c21e176cd149e98a8d8d5755b74fed1a4284bcfd6e6961951ff8216f7bb42f790edd539c1bc5bbac44f767a685c57cbbdec830c52c"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x1, 0xfe01}]}}, {{0x9, 0x5, 0x3, 0x0, 0x40, 0x2, 0x5, 0x3}}, {{0x9, 0x5, 0x0, 0x0, 0x400, 0x0, 0x2f, 0x4}}, {{0x9, 0x5, 0x8f, 0x8, 0x8, 0x81, 0x1, 0x7f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xfb}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0x40, 0x76, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x31, 0x8}]}}, {{0x9, 0x5, 0xf, 0x10, 0x3ff, 0x6, 0xb2, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x80, 0x6}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x6, 0xca, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x10, 0x400, 0x1, 0xfc, 0x4, [@generic={0xd4, 0x21, "28a1dfa1d28f9ae60d0a8e9e3c512db35369d479fa6e6aa099e267e1ced77ca2e180b429779023a872b0ef8807e11f8b8b21b811d4fe5527335ce86e3a95cdf960d1e79e88c276c174d183d2f3bc0862dd7e1d29ac589ceb22024e25a44c3e8123581d1448fd2db5332fe41c23f9aa959564f32db1da14610415ddc293dc57c9d6c775d22151bdab236a5a73592e5518055728ae819e25c080cbb9bf0203b6639b8fd8d716d9c571d6b260ea297733d53c3a05449b9b9221d0f402610c9837189f9c6ab3baaf031d48692690c9981cee1426"}, @generic={0xc3, 0x6, 
"60ed98576fbbbee3db67d535ea7e1a19d92d689e2f03308a615a5641e72e694d996f76c1111c88c507c39a87f34a3682dafbfe583b79f5b950a30614162c605f7e6c5d452b4f84a145f20bf4470ddf43f06c415dc6c41551fd458ba6aedf57d74cb85a25e43324814b62c3be4108b1ea5b9dd22a78a45cdf5d8f27c11f35026bf7ef10c7d1f0615fe1c44a302a84d88b8d6c2d85049c9f48a04b4e61801c017f609b673fc8290f7362a0ed35882a335b657f835fce8e20100cde82c1a3dc180611"}]}}]}}]}}]}}, &(0x7f0000007740)={0xa, &(0x7f00000073c0)={0xa, 0x6, 0x310, 0x5, 0x80, 0xff, 0xbf, 0x5}, 0x5, &(0x7f0000007400)={0x5, 0xf, 0x5}, 0x5, [{0xa8, &(0x7f0000007440)=@string={0xa8, 0x3, "0584bddc149671f9e6c6cd123b796cafe2eb5d2bd3cf65e3eb0f3a601aba7164713d4042653f2cca182207d4e7ffa8bc71e705aa48bcff03fddd2e3e6bebe11cb61f95faf14afdf29440021e851fb682aa24e624e833952db6d1f96aa7edfc74ce501359694c7583eb5e48dfe227d2105d5e3d2359e3c728a48adff09b1132f928893ceefae67700983be1ca94e818e7a1463c802f1fc2a72d40900933403d7b255a35d9dc33"}}, {0x4, &(0x7f0000007500)=@lang_id={0x4, 0x3, 0x42c}}, {0xf4, &(0x7f0000007540)=@string={0xf4, 0x3, "1c537117dc720af3ccf108687c86cb544bc885379e435dbb861bc9a01550592e6008ae94a1f98317ad9cd804016b079b5ec294dcaf4537cf5b68c3c4353754caf369ba34101cbd21926b15cef67ab63ead40abfbef867b372fe2781866f87a2dccf98ffe66531c1d5021406c69ce84b439130cac71f52564b7c8fa621d71d5ff001517593f059da0cb82f1fd5e327df9abec4946e34e20d3f1df8f4a0422f9bb538949b4a14d1b3afd6793e81d3ba596d16d8cee0e700314e531e602fe5cb832b22c7a2f9f36f39d053876478157d541e8c0977a9acaf691f1234f665d234f82ee90ff8982d9c1371a15ddc8ed2392dd5a96"}}, {0x98, &(0x7f0000007640)=@string={0x98, 0x3, "078cbefd67796b8d00c6a027e5d07bc3b00756acafb9096e3e381a99fdbe8a5161ca19a9628d61baefd6972b48f5e04b0fa6e2b99cca8df5b50dbd97d656c02f8583a58ce8cbd35c69fb3f86de0ddac90f5be8d4f04a3ad4f31293b509959139bea0f3067d0ebfa3c5b210e1993078b0ae929561fc7734869b3dd8d812c00a3035236166a31227ae291e696ab4f81f4e3f02d6b2f334"}}, {0x4, &(0x7f0000007700)=@lang_id={0x4, 0x3, 0x43e}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007780)={{0x12, 0x1, 0x200, 0xff, 
0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f00000079c0)={0x18, &(0x7f0000007800)={0x20, 0x11, 0xb7, {0xb7, 0x9, "72f591ba5c694f16a4d92075ef3ec8bc46920954799ec8d3c0308f3b4779da6e18e9824a86746d013a399afc7f6fceb6c37f7f131c71ebc001f666ea63ed3ade132009735a546622f9e639d481c967cc7b5b747cc5e62fdc41bbb4bb95878a442cc49111c0f57886f17077a1b4b22e3cf28eecb798feed6f168dd9cc2646f8b79ed41bba94de9e304fc845179a7321f04784aa917ba08405b0a95b8303d914ef8e374780dd8e3437c95c35764cd063e7a3ec6d790b"}}, &(0x7f00000078c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x813}}, &(0x7f0000007900)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x18, 0x8, 0x0, 0x3}]}}, &(0x7f0000007940)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7, 0x80, 0x6, 0xe0, "8402487c", "8056a3ff"}}, &(0x7f0000007980)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xa7, 0x2, 0x7d, 0x0, 0x80, 0x7, 0x6}}}, &(0x7f0000007e80)={0x44, &(0x7f0000007a00)={0x40, 0x10, 0x8c, "21b83825059f24506d8e842085d1f2e7f964471b20ed0a8e50a9aa4ef16b5a6f2dbb2b570a4f8d13d60e47bb7821ff912111dee40a78d42b4d13ea812d929ccf3964c5468f89d2d21630ec87067a2d13f45238b446bf57c6b9ec35578fa587fc77fe2108b1590be081681ccc024f1f590be9e5bec9ea86b9803c60299dda1a82f8ff04428671a43bc2c3393a"}, &(0x7f0000007ac0)={0x0, 0xa, 0x1, 0x4}, &(0x7f0000007b00)={0x0, 0x8, 0x1, 0xfb}, &(0x7f0000007b40)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000007b80)={0x20, 0x0, 0x4, {0x140, 0x20}}, &(0x7f0000007bc0)={0x40, 0x7, 0x2, 0x3ff}, &(0x7f0000007c00)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000007c40)={0x40, 0xb, 0x2, "8a02"}, &(0x7f0000007c80)={0x40, 0xf, 0x2, 0x321a}, &(0x7f0000007cc0)={0x40, 0x13, 0x6, @link_local}, &(0x7f0000007d00)={0x40, 0x17, 0x6, @random="b0fe281fa391"}, &(0x7f0000007d40)={0x40, 0x19, 0x2, '#7'}, &(0x7f0000007d80)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000007dc0)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007e00)={0x40, 0x1e, 0x1, 0x6}, &(0x7f0000007e40)={0x40, 0x21, 0x1, 0x9e}}) r23 = syz_usb_connect$cdc_ecm(0x2, 0x5f, 
&(0x7f0000007f00)={{0x12, 0x1, 0x70, 0x2, 0x0, 0x0, 0x50, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4d, 0x1, 0x1, 0x2, 0x70, 0x40, [{{0x9, 0x4, 0x0, 0xc4, 0x3, 0x2, 0x6, 0x0, 0xe1, {{0x8, 0x24, 0x6, 0x0, 0x0, 'W?s'}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x200, 0x0, 0x200, 0x3}, [@ncm={0x6, 0x24, 0x1a, 0x1000}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x3f, 0x0, 0xd8}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0xff, 0xec, 0x5}}, {{0x9, 0x5, 0x3, 0x2, 0x3cf, 0x81, 0x39, 0x5}}}}}]}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f80)={0xa, 0x6, 0x0, 0x2, 0x20, 0x77, 0xff, 0x2f}, 0x5, &(0x7f0000007fc0)={0x5, 0xf, 0x5}, 0x5, [{0x69, &(0x7f0000008000)=@string={0x69, 0x3, "d25a9c8f1452a3c6ffbfeca8eb777935b58c9b7406775086fff717b54f05ac59f94517ff3cd6f3101dbfa79bb82ae31b1d316d08a71d14fc2c1cfa8c893068bde2bb830ae91fc94288cc232aaac0e64b84007b0e7536c3ec34edef04ded93421a377e0695326aa"}}, {0xac, &(0x7f0000008080)=@string={0xac, 0x3, "7360609ce8300ae4623308d5f8b97bfd50d3d863408b8ea401c86da9d42ce5f3867ce8d721fb2ab5c25f6b4c5e85f5eaf341bd514a16c2dfe3c7a1d7f427ae62c0bff379e84d56637ec1377b8c8ad5b55b099cfaa4a7a6eeb0589f81e7a43300eff53354e1b2bdcdc34d7945d63562e48d5ed93bef75fd0160fcd7c3a6be7f0c642bb6e561e35a1c73110bdcded7699865e25eb238cf8f3b10ad3c10488028c37063c8862f907b06829e"}}, {0x4, &(0x7f0000008140)=@lang_id={0x4, 0x3, 0x81a}}, {0x4, &(0x7f0000008180)=@lang_id={0x4, 0x3, 0x180a}}, {0xb9, &(0x7f00000081c0)=@string={0xb9, 0x3, "37efeb854b4051a46c67aee7eaa0f62fde9f599cd5ba25329d50aee16b30c6c1a514831081afc1dfd2682ff48716a91bf95e084212b0696d43e1c6c43adaf9ed3ef70e62735994d2d0865139604988fac17978d9c05a84f3423831dd1dddc6c94d50ddd674f16525bbf9a8db3bb49001be38a19670abd99f4a2e97cfb20d46c637832a3ec97ff094c6a3304964b72bcf116bf27fedd5521ad3da226297fff849c33c5d849e3e3037527901eef63a599baa54fc46a46ff1"}}]}) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ecm(0x3, 0xc5, &(0x7f00000082c0)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xb3, 0x1, 0x1, 0x6, 
0x28, 0xff, [{{0x9, 0x4, 0x0, 0x9, 0x2, 0x2, 0x6, 0x0, 0x4, {{0x6, 0x24, 0x6, 0x0, 0x0, "b1"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9208, 0x2, 0x0, 0x20}, [@mdlm_detail={0x5e, 0x24, 0x13, 0x7, "63b0b95377147ba214d950fc04b22c04be09d9b96f1ab94bb02e8a2a9e23cf7d3acab22a80ed350ec4b17806edcb169e5075373d991780211392eb3d9f1173a539843bf2c3f66a4a6960a55a2207767db3c55a7dd2898b5ccb40"}, @mbim={0xc, 0x24, 0x1b, 0x2a, 0x100, 0xe0, 0x76, 0x0, 0xff}, @acm={0x4, 0x24, 0x2, 0xa}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x73, 0x35, 0x3f}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0x3, 0x1, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x40, 0x2}}}}}]}}]}}, &(0x7f00000087c0)={0xa, &(0x7f00000083c0)={0xa, 0x6, 0x201, 0x79, 0x3, 0x3f, 0x20, 0x6}, 0x37, &(0x7f0000008400)={0x5, 0xf, 0x37, 0x5, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0xa, 0x6, 0x5}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x1, 0x9, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0xa737ee064a5fddc9, 0x7, 0x7, 0x0, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x0, 0x6, 0x6}, @ssp_cap={0x10, 0x10, 0xa, 0x1, 0x1, 0x8001, 0xf00f, 0xfffd, [0x3fc0]}]}, 0x9, [{0x4f, &(0x7f0000008440)=@string={0x4f, 0x3, "c0663b116dab9ba5c0a2f7a2ad486ffc164a4365899565c5e99b015239f378df56db4dc3b0bb08dcd208d958fa3cf08097aa208b2d2865b502cbc94b1a8e33bdd9d6481fbf32d4913422fe189f"}}, {0x85, &(0x7f00000084c0)=@string={0x85, 0x3, "c9c487a90be3d40ef782373d785f86bdfc3db6fb0dd0a7440b2fe4595c3a6bd67aa8518d897a8a757d5f1ceb86e598cabf2345f771c3c7128bd16dd4b1ee9b7dbcaf611e97f6dcb9f171e8f7052b0f33e631bfe99ddc4413e5e5d7b634dcc3b77e4d301f89a8d3b851b02306cabec211127a8e541d162636588ff574de82de8f307d43"}}, {0x4, &(0x7f0000008580)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f00000085c0)=@lang_id={0x4}}, {0xaa, &(0x7f0000008600)=@string={0xaa, 0x3, 
"ce395e8e9f409a37daeb1c20be9ca4004ae810cf1653eccd6e663dd74f8bc06989b4d1a65c9f480bd37e9dd85349f298ddaddc2cc9e4eda147f231402e116fb594a63718d821d885ebd67eda451558b1fba3093ecbd40cbe5fbe07f94ed927d8e5039a7c497aa8d1f10a4ddac049ad820f8c532c5a3f00947955032423922e95aa5bfee041f7fe8744ecc4424057eec97040b341d0dddcaf206da6431e987f04cfd55802cad3a114"}}, {0x4, &(0x7f00000086c0)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000008700)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000008740)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000008780)=@lang_id={0x4, 0x3, 0x1c}}]}) syz_usb_ep_read(r24, 0x8, 0x7d, &(0x7f0000008840)=""/125) r25 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f00000088c0)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x10, 0x56a, 0x62, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0xf0, 0x8e, [{{0x9, 0x4, 0x0, 0x5, 0x1, 0x3, 0x1, 0x2, 0x0, {0x9, 0x21, 0x3, 0xf, 0x1, {0x22, 0xa21}}, {{{0x9, 0x5, 0x81, 0x3, 0x3af, 0x1, 0x40, 0x2}}, [{{0x9, 0x5, 0x2, 0x3, 0x10, 0x6, 0x1, 0x9}}]}}}]}}]}}, &(0x7f0000008c00)={0xa, &(0x7f0000008900)={0xa, 0x6, 0x250, 0x3, 0x1, 0x46, 0xff, 0x20}, 0x34, &(0x7f0000008940)={0x5, 0xf, 0x34, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0xfa, 0x8, 0x80, 0x5, 0x3}, @ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x9, 0xf00f, 0x0, [0xffc00f, 0xff00c0, 0x101ffc0, 0xff0030, 0x30, 0x30]}]}, 0x4, [{0xed, &(0x7f0000008980)=@string={0xed, 0x3, "e7db914ef4a71a3aba443ee181c272e7fbb63648a997754b81a1938f52b9fd8c2b76ca28ee1fcba280021fbe02ffa03ea753f2d51b71f1cb9391ea31faabf8ed37a9853b87eebaa0a1269696e65e309ea4bf7755ff1b99280fd68230d7d899d097e16ee0b224de57339439c80ad7fbf8bbf32aa00e29802bde1c8c5e6228fa0a54c8350ef997112f763e17428fb8e95a56689595f30a3c16151809b0c6b1d4d4766510c6f066fe4b35a3ea90d388d1b4d4e9c6b30971e237e23fd205f9905ee7d79f4443707adc7f65ce2b15994daac7b954353fb23201844122710531879c6291c7dfbf6be454b9cf2f2e"}}, {0x4, &(0x7f0000008a80)=@lang_id={0x4, 0x3, 0x410}}, {0x64, &(0x7f0000008ac0)=@string={0x64, 0x3, 
"041c8b1bd143ea1d63829b769ddb886a6aafeedd5f652bc948677c9a6e3acfe04a1519053f95e5fcf79b085362cdac6abbf8f13781a621885257052b120045da2c494a30bc6ae6c4160cf497002af8b77e21689324bd6e75aceda7cf6a50920b2ab1"}}, {0x87, &(0x7f0000008b40)=@string={0x87, 0x3, "150837b1e69e5007398ac02c4a0b25072daa81a64af10bcdc5736333f49c921f86d9cbc6b778f1d21679d847d5b8a9b70fc56bb5a433040afd94377b2515a55cda70db64442adae0905aa90f911d3beef800ab6fd87a5c51fda8faa750d195c2e657249781c6af0523e0492f9a69e227e10ca0310f1a010f8b986a9a0553a5331f9754fc90"}}]}) syz_usb_ep_write(r25, 0x7, 0x72, &(0x7f0000008c40)="a6908c5530814d6a6bfd6d6c7594d4af8a4962d882da657bb402c7d0ae4535168160dbf67b82f223d577b0e16e6ac3c46a4015a6ed7c4fa65d1dbaa268b748dec46774eca92247969449a9f59e9edde4d37e7bd17882eb005e24fe43f57654000eadec3f1de9917eb28c2a877182c47b556d") syz_usbip_server_init(0x4) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); }

/* Mask of bf_len one-bits starting at bit offset bf_off. */
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/*
 * Read-modify-write of a bitfield in the `type` object at addr: the bits
 * selected by BITMASK(bf_off, bf_len) are replaced by val, all other bits are
 * kept. htobe is applied to the loaded value and again to the value stored.
 */
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

/* Accumulator for the 16-bit folded checksum computed by csum_inet_*. */
struct csum_inet {
	uint32_t acc;
};

/* Resets the accumulator to zero. */
static void csum_inet_init(struct csum_inet* csum)
{
	csum->acc = 0;
}

/*
 * Adds `length` bytes of `data` to the sum as 16-bit words and then folds the
 * carries, so acc is at most 0xffff on return.
 */
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
	if (length == 0)
		return;
	size_t i = 0;
	/* NOTE(review): data is read through a uint16_t pointer cast, so the load may be unaligned. */
	for (; i < length - 1; i += 2)
		csum->acc += *(uint16_t*)&data[i];
	/* Odd length: the last byte is added on its own. */
	if (length & 1)
		csum->acc += le16toh((uint16_t)data[length - 1]);
	/* Fold everything above bit 15 back into the low 16 bits. */
	while (csum->acc > 0xffff)
		csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

/* Returns the bitwise complement of the accumulator, truncated to 16 bits. */
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
	return ~csum->acc;
}

/* Flag that threads wait on through a futex on `state` (0 = clear, 1 = set). */
typedef struct {
	int state;
} event_t;

/* Puts the event in the clear state. */
static void event_init(event_t* ev)
{
	ev->state = 0;
}

/* Clears the event again; same store as event_init. */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/*
 * Sets the event and wakes waiters. Setting an event that is already set is
 * treated as a fatal error (exit(1)).
 */
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	/* FUTEX_WAKE with a count of 1000000: wake up to that many waiters. */
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

/* Blocks until the event is set; the futex wait is retried while state reads 0. */
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

/* Returns the current state (non-zero when set) without blocking. */
static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

/*
 * Waits until the event is set or more than `timeout` milliseconds have
 * passed. Returns 1 if the event was seen set, 0 on timeout.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		/* Remaining time in ms, split into seconds and nanoseconds for the futex timeout. */
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

/*
 * Formats `what` (a printf-style format) with the variadic arguments and
 * writes the result to the existing file `file`. Returns true only if the
 * whole string was written; on a failed or short write errno is that of the
 * write. Output longer than the 1024-byte buffer is truncated.
 */
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	/* No O_CREAT: the target has to exist already. */
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		/* Keep the errno of write() across close(). */
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

/*
 * Buffer in which one netlink request is built and into which the reply is
 * received. `pos` is the write cursor inside `buf`.
 */
struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

/*
 * Starts a new request in nlmsg: zeroes the whole structure, fills in the
 * message type and flags (NLM_F_REQUEST | NLM_F_ACK are always set) and copies
 * `size` bytes of family header from `data` after the nlmsghdr.
 */
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

/*
 * Appends one attribute of type `typ` carrying `size` bytes of `data` at the
 * write cursor and advances the cursor by the aligned attribute length.
 * NOTE(review): nothing here checks that the attribute fits in buf; the only
 * bound check visible is the one in netlink_send_ext, which runs after the
 * bytes have already been written.
 */
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

/*
 * Sends the request built in nlmsg on `sock` and receives one reply into the
 * same buffer.
 *
 * Returns 0 when the reply is NLMSG_DONE, or when reply_len is non-NULL and
 * the reply has type reply_type (then *reply_len is the number of bytes
 * received). For an NLMSG_ERROR reply it sets errno from the error field and
 * returns -errno (0 for an ACK). Send/receive failures and malformed replies
 * return -1, or terminate the process when dofail is true.
 */
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
	/* A cursor past the end of buf or an unclosed nested attribute is fatal. */
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		if (dofail)
			exit(1);
		return -1;
	}
	/* The reply overwrites the request; hdr now points at the reply header. */
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			exit(1);
		return -1;
	}
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

/* netlink_send_ext with no typed reply expected and dofail set to true. */
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
	return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

/*
 * Asks the generic-netlink controller for the numeric id of `family_name`.
 * Returns the id, or -1 (errno = EINVAL when the reply carries no id).
 */
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0) {
		return -1;
	}
	uint16_t id = 0;
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	/*
	 * NOTE(review): the walk trusts nla_len from the reply; a zero nla_len
	 * would never advance. The reply is expected to come from the kernel.
	 */
	for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			id = *(uint16_t*)(attr + 1);
			break;
		}
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	/* One more recv whose result is ignored; presumably it drains the ACK - confirm. */
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

/*
 * Returns the length of the netlink message at `offset` in the receive
 * buffer, or -1 when offset has reached total_len or the message would run
 * past total_len.
 */
static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset, unsigned int total_len)
{
	struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset);
	if (offset == total_len || offset + hdr->nlmsg_len > total_len)
		return -1;
	return hdr->nlmsg_len;
}

/*
 * Sends one RTM_NEWLINK request for interface `name`: optionally brings it up,
 * renames it to new_name, attaches it to `master` and sets a MAC address of
 * macsize bytes. Optional parts are skipped when the argument is NULL / 0.
 */
static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name)
{
	struct ifinfomsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	if (up)
		hdr.ifi_flags = hdr.ifi_change = IFF_UP;
	hdr.ifi_index = if_nametoindex(name);
	netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
	if (new_name)
		netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
	if (master) {
		int ifindex = if_nametoindex(master);
		netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
	}
	if (macsize)
		netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
	int err = netlink_send(nlmsg, sock);
	/* An error reply from the kernel is deliberately ignored (empty branch). */
	if (err < 0) {
	}
}

/* Shared request/reply buffer used by the devlink helpers below. */
static struct nlmsg nlmsg;

/* Fd number passed to setns() below; presumably opened elsewhere on the initial net namespace - confirm. */
const int kInitNetNsFd = 239;

/* devlink generic-netlink family name, command numbers and attribute ids. */
#define DEVLINK_FAMILY_NAME "devlink"
#define DEVLINK_CMD_PORT_GET 5
#define DEVLINK_CMD_RELOAD 37
#define DEVLINK_ATTR_BUS_NAME 1
#define DEVLINK_ATTR_DEV_NAME 2
#define DEVLINK_ATTR_NETDEV_NAME 7
#define DEVLINK_ATTR_NETNS_FD 138

/*
 * Sends DEVLINK_CMD_RELOAD for the device bus_name/dev_name with the
 * namespace fd netns_fd attached. Failure to resolve the devlink family or an
 * error reply is ignored; failure to create the socket is fatal.
 */
static void netlink_devlink_netns_move(const char* bus_name, const char* dev_name, int netns_fd)
{
	struct genlmsghdr genlhdr;
	int sock;
	int id, err;
	sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock == -1)
		exit(1);
	id = netlink_query_family_id(&nlmsg, sock, DEVLINK_FAMILY_NAME, true);
	if (id == -1)
		goto error;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = DEVLINK_CMD_RELOAD;
	netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
	/* String attributes are sent with their terminating NUL (strlen + 1). */
	netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
	netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
	netlink_attr(&nlmsg, DEVLINK_ATTR_NETNS_FD, &netns_fd, sizeof(netns_fd));
	err = netlink_send(&nlmsg, sock);
	if (err < 0) {
	}
error:
	close(sock);
}

/* Second buffer, so a rename request can be built while the dump in `nlmsg` is still being parsed. */
static struct nlmsg nlmsg2;

/*
 * Dumps the devlink ports of bus_name/dev_name and, for each message that
 * carries a netdev name, brings that interface up and renames it to
 * "<netdev_prefix><index>", where index counts the messages seen so far.
 */
static void initialize_devlink_ports(const char* bus_name, const char* dev_name, const char* netdev_prefix)
{
	struct genlmsghdr genlhdr;
	int len, total_len, id, err, offset;
	uint16_t netdev_index;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock == -1)
		exit(1);
	int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (rtsock == -1)
		exit(1);
	id = netlink_query_family_id(&nlmsg, sock, DEVLINK_FAMILY_NAME, true);
	if (id == -1)
		goto error;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = DEVLINK_CMD_PORT_GET;
	netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr));
	netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
	netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
	err = netlink_send_ext(&nlmsg, sock, id, &total_len, true);
	if (err < 0) {
		goto error;
	}
	offset = 0;
	netdev_index = 0;
	/* Walk every message in the single datagram that was received. */
	while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) {
		struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
		for (; (char*)attr < nlmsg.buf + offset + len; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
			if (attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) {
				char* port_name;
				char netdev_name[IFNAMSIZ];
				/* The attribute payload is used directly as the current interface name. */
				port_name = (char*)(attr + 1);
				snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix, netdev_index);
				netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0, netdev_name);
				break;
			}
		}
		offset += len;
		netdev_index++;
	}
error:
	close(rtsock);
	close(sock);
}

/*
 * Moves the PCI devlink device 0000:00:10.0 into the caller's network
 * namespace and renames its ports to netpci<N>. The reload request is issued
 * from the namespace behind kInitNetNsFd; the caller's namespace is restored
 * afterwards. Any setns/open failure is fatal.
 */
static void initialize_devlink_pci(void)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	int ret = setns(kInitNetNsFd, 0);
	if (ret == -1)
		exit(1);
	netlink_devlink_netns_move("pci", "0000:00:10.0", netns);
	ret = setns(netns, 0);
	if (ret == -1)
		exit(1);
	close(netns);
	initialize_devlink_ports("pci", "0000:00:10.0", "netpci");
}

/* Constants for the wifi / nl80211 helpers. */
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 }
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 }
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 }
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

/* Parameters of an NL80211_CMD_JOIN_IBSS request; mac may be NULL. */
struct join_ibss_props {
	int wiphy_freq;
	bool wiphy_freq_fixed;
	uint8_t* mac;
	uint8_t* ssid;
	int ssid_len;
};

/*
 * Sets or clears IFF_UP on interface_name through SIOCGIFFLAGS/SIOCSIFFLAGS.
 * Returns 0 on success, -1 on any failure.
 */
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		return -1;
	}
	memset(&ifr, 0, sizeof(ifr));
	/*
	 * NOTE(review): strcpy does not bound the copy to the size of ifr_name;
	 * a name of IFNAMSIZ bytes or more would overflow it. Callers must pass
	 * a short, trusted interface name.
	 */
	strcpy(ifr.ifr_name, interface_name);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

/*
 * Sends NL80211_CMD_SET_INTERFACE to change the type of interface `ifindex`
 * to `iftype`. Returns the result of netlink_send.
 */
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

/*
 * Sends NL80211_CMD_JOIN_IBSS for interface `ifindex` with the SSID and
 * frequency from props; the MAC and the fixed-frequency flag are added only
 * when set in props. Returns the result of netlink_send.
 */
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	/* Flag attribute: present with an empty payload. */
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

/*
 * Queries RTM_GETLINK for `ifindex` on a fresh route socket and returns the
 * value of its IFLA_OPERSTATE attribute, or -1 if the query fails or the
 * attribute is missing.
 */
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return -1;
	}
	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	int n;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true);
	close(sock);
	if (err) {
		return -1;
	}
	struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
	for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) {
		if (attr->rta_type == IFLA_OPERSTATE)
			return *((int32_t*)RTA_DATA(attr));
	}
	return -1;
}

/*
 * Polls get_ifla_operstate every millisecond until `interface` reports
 * `operstate` (returns 0) or the query fails (returns the negative result).
 * NOTE(review): there is no timeout; the loop runs for as long as the state
 * differs and the query keeps succeeding.
 */
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate)
{
	int ifindex = if_nametoindex(interface);
	while (true) {
		usleep(1000);
		int ret = get_ifla_operstate(nlmsg, ifindex);
		if (ret < 0)
			return ret;
		if (ret == operstate)
			return 0;
	}
	return 0;
}

/*
 * Switches `interface` to ad-hoc mode, brings it up and joins the IBSS
 * described by ibss_props. Returns 0 on success, -1 as soon as a step fails.
 */
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props)
{
	int ifindex = if_nametoindex(interface);
	if (ifindex == 0) {
		return -1;
	}
	int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC);
	if (ret < 0) {
		return -1;
	}
	ret = set_interface_state(interface, 1);
	if (ret < 0) {
		return -1;
	}
	ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

/*
 * Entry sizes and fixed byte offsets into the mapped io_uring ring region.
 * NOTE(review): the helpers below index the ring with these constants rather
 * than with the offsets returned in io_uring_params.
 */
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

/* Local copy of the completion-queue entry layout (16 bytes). */
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

/*
 * Pseudo-syscall: consumes one completion entry from the ring mapped at a0.
 * Copies the entry at the current CQ head, advances the head by one, and
 * returns the entry's res when user_data is 0x12345 or 0x23456, else -1.
 * The head is advanced without comparing it with the CQ tail.
 */
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}

/* Local copies of the io_uring setup structures. */
struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};

struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};

struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

/* mmap offsets of the ring and SQE regions, and the raw syscall number used below. */
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
#define sys_io_uring_setup 425

/*
 * Pseudo-syscall: calls io_uring_setup(a0 entries, a1 params) and maps the
 * ring at the fixed address a2 and the SQE array at the fixed address a3,
 * storing the two mapping results through a4 and a5. Returns the fd.
 * NOTE(review): the syscall result is not checked before it is used as the fd
 * for mmap, and the mmap results are stored unchecked (MAP_FAILED included).
 */
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;
	uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params);
	/* One mapping covers both rings, so it is sized for the larger of the two. */
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

/*
 * Pseudo-syscall: copies the 64-byte SQE at a2 into slot a3 of the SQE array
 * at a1 (the index is reduced modulo the ring's entry count when that is
 * non-zero), records the slot in the SQ index array at the current tail and
 * advances the tail by one. Always returns 0.
 */
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	/* The SQ index array is taken to start after the CQEs, rounded up to 64 bytes. */
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

/* Ports per vhci speed class, and ports reserved per executor process (two classes). */
#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

/*
 * Pseudo-syscall: creates a UNIX socket pair, attaches one end to a vhci_hcd
 * port through the sysfs `attach` file and returns the other end. a0 is the
 * USB speed; super-speed devices use a separate port counter.
 * NOTE(review): the early `return -1` leaves both socket fds open, and the
 * `>` comparison still lets port index VHCI_HC_PORTS through; confirm whether
 * `>=` was intended. The result of write_file is not checked.
 */
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		exit(1);
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	if (available_port_num > VHCI_HC_PORTS) {
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed);
	/* buffer is passed as the format string; it holds only digits and spaces, so it has no conversions. */
	write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer);
	return server_fd;
}

/* Local copies of the BTF on-disk structures and kind numbers used by the parser below. */
#define BTF_MAGIC 0xeB9F
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};
struct btf_enum {
	__u32 name_off;
	__s32 val;
};
struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};
struct btf_param {
	__u32 name_off;
	__u32 type;
};
struct btf_var {
	__u32 linkage;
};
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

/* Size of the static buffer the kernel BTF blob is read into (10 MiB). */
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/*
 * Reads /sys/kernel/btf/vmlinux into a static buffer on the first successful
 * call and returns that buffer on every later call. Returns NULL if the file
 * cannot be opened or read, or if it fills the whole buffer.
 * NOTE(review): fd is never closed, on the success path or on the error paths.
 */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		/* A completely full buffer is treated as "file too large". */
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			return NULL;
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	is_read = true;
	return buf;
}

/*
 * Pseudo-syscall: returns the 1-based index of the first BTF type whose name
 * equals the NUL-terminated string at a0, or -1 if the BTF blob is
 * unavailable, has a wrong magic, or contains no such type.
 * NOTE(review): hdr_len, type_off, str_off and name_off are taken from the
 * blob and used as offsets without being checked against the buffer size.
 */
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		/* Size of the kind-specific data that follows the common btf_type record. */
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			/* Every other kind is assumed to carry no trailing data. */
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}

/*
 * Pseudo-syscall: memcpy of a4 bytes from (a2 + a3) to (a0 + a1), with the
 * two offsets truncated to 32 bits. Returns the destination pointer as a long.
 * No validation is done on the pointers or the length.
 */
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

/* Limits for the emulated-USB bookkeeping tables below. */
#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

/* One endpoint: a copy of its descriptor plus a handle. */
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

/* One interface: pointer to its descriptor, selected fields and up to USB_MAX_EP_NUM endpoints. */
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

/* One device: pointers to its device and config descriptors and up to USB_MAX_IFACE_NUM interfaces. */
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

/* Associates a file descriptor with the parsed index of the device behind it. */
struct usb_info {
	int fd;
	struct usb_device_index index;
};

/* Table of connected emulated devices and the number of slots in use. */
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;
static bool
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
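(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; }

// One caller-supplied string descriptor: raw bytes plus their length.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Optional descriptors supplied by the test program for the connect
// handshake. The pointer itself may be NULL (the STRING path checks for it).
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor; byte 0 is the descriptor length.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

// Fallback reply for string index 0; byte 0 is the descriptor length.
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Pick the reply for an IN control request seen while the device is being
// connected.
//   fd:              raw-gadget fd used to find the parsed descriptor index
//   descs:           optional caller-supplied descriptors, may be NULL
//   ctrl:            the control request being answered
//   response_data:   out, pointer to the reply bytes
//   response_length: out, number of reply bytes
// Returns true when a reply was selected, false when the request is not
// handled (the caller then stalls endpoint 0).
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       char** response_data, uint32_t* response_length)
{
	// Backing storage for a synthesized DEVICE_QUALIFIER reply. The descriptor
	// must not be built through `response_data` itself: that is the address of
	// the caller's pointer variable, which is smaller than the descriptor, so
	// writing there corrupts the caller's stack and leaves *response_data
	// pointing at garbage. Per-thread storage keeps concurrent callers apart.
	static __thread struct usb_qualifier_descriptor synthesized_qual;

	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// The descriptor type is the high byte of wValue.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// Without caller descriptors there is no BOS to return;
				// report "unhandled" rather than dereferencing NULL.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// No qualifier supplied: derive one from the device
					// descriptor.
					struct usb_qualifier_descriptor* qual = &synthesized_qual;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}

	return false;
}

// Handler type for OUT control requests during connect; sets *done when the
// handshake is considered finished.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts SET_CONFIGURATION and marks the handshake done.
// `fd` and `descs` are not used.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}

	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: accepts SET_CONFIGURATION and the vendor firmware
// download request without finishing; the handshake is marked done only on
// ATH9K_FIRMWARE_DOWNLOAD_COMP. `fd` and `descs` are not used.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}

	return false;
}

struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses { uint32_t len; struct vusb_response* generic; struct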
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
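USB_RAW_IOCTL_EVENT_FETCH, event); }

// Thin wrappers around the raw-gadget ioctls. Each returns the ioctl() result
// unchanged.

// Queue data to be sent on endpoint 0.
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

// Receive data on endpoint 0.
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

// Send data on the endpoint named by io->ep.
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

// Receive data on the endpoint named by io->ep.
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

// Enable an endpoint from its descriptor; set_interface() stores a
// non-negative result as the endpoint handle.
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

// Disable the endpoint with handle `ep`.
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Find the parsed interface entry matching both the interface number and the
// alternate setting. Returns its position in index->ifaces, or -1 if `fd` is
// unknown or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;

	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Return the stored handle of the endpoint with the given address on the
// currently selected interface, or -1 if `fd` is unknown, no interface is
// selected, or the address is not found.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	// The scan has to be bounded by eps_num. Testing eps_num alone is a
	// constant condition: with any endpoints present and no matching address
	// the loop would walk past eps[] (and past the index itself) instead of
	// reaching the -1 below.
	for (int ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}

static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;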
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
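ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; }

// Read from a non-control endpoint of an emulated USB device.
//   a0: raw-gadget fd, a1: endpoint address, a2: requested length,
//   a3: destination buffer.
// The length is capped at the size of the local transfer buffer. Returns 0 on
// success, -1 if the endpoint is unknown, or the negative ioctl result.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;

	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}

	// NOTE(review): this copies the requested length, not the ioctl result;
	// confirm whether bytes past what was received can be uninitialized stack.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);

	sleep_ms(200);
	return 0;
}

// Close the raw-gadget fd, wait 200 ms, and return close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// Open a device node.
//   a0 == 0xc / 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> with
//                    O_RDWR (a1 and a2 truncated to 8 bits).
//   otherwise:       a0 is a path template; each '#' is replaced by the next
//                    decimal digit of a1 (least significant first) and the
//                    result is opened with flags a2.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		// Bounded copy with explicit termination: a0 is a caller-supplied string.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

// Open a procfs entry named by a1 under /proc/self (a0 == 0),
// /proc/thread-self (a0 == -1) or /proc/self/task/<a0>. Tries O_RDWR first and
// falls back to O_RDONLY. Returns the fd or -1.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Open the pts device that belongs to the pty master a0, using open flags a1.
// Returns the fd, or -1 if the pty number cannot be queried.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Create a socket inside the namespace held in kInitNetNsFd, then switch back
// to the namespace the caller was in. errno from the socket call is preserved
// across the switch. Exits the process if the original namespace cannot be
// re-entered.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0))
		return -1;
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// Resolve a generic netlink family name to its id.
//   name:     family name string
//   sock_arg: netlink socket to use; a negative value makes the function open
//             (and afterwards close) a temporary socket and pass dofail=true
//             to the query helper.
// Returns the family id, or -1 on failure.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

// One chunk of a filesystem image: `size` bytes at `data`, placed at `offset`
// within the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)

// Syscall number passed to syscall() for memfd_create in this generated
// program (presumably the value for the build's target arch; confirm).
#define sys_memfd_create 356

// Clamp caller-supplied segments in place so that every one of the first
// min(nsegs, IMAGE_MAX_SEGMENTS) segments lies inside [0, IMAGE_MAX_SIZE), and
// return an image size large enough to hold them (never above IMAGE_MAX_SIZE).
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// The image must reach the END of the segment (offset + size). After
		// the clamps above that sum is at most IMAGE_MAX_SIZE, so it cannot
		// wrap.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Build an in-memory image from `segs` and attach it to the loop device
// `loopname`.
// On success stores the memfd and loop fd through memfd_p / loopfd_p and
// returns 0. On failure closes whatever was opened, sets errno to the first
// error, and returns -1.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;

	size = fs_image_segment_check(size, nsegs, segs);
	// fs_image_segment_check() validates at most IMAGE_MAX_SEGMENTS entries,
	// but its clamp of the count is local to it. Apply the same limit here so
	// the write loop below never uses a segment that was not validated.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;

	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		// Best effort: a failed segment write is deliberately ignored.
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}

	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// Device still has a backing file: detach it, wait briefly, retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}

	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int err = 0, res = -1, loopfd = -1, memfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64,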
&info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, 
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, 
&cap_data)) exit(1);
	// Fragment: the function these statements belong to starts before this excerpt
	// (presumably drop_caps(), which do_sandbox_none() calls below - confirm against the full file).
	// Clears CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and inheritable
	// sets in cap_data[0], then installs the reduced sets with capset; exits on failure.
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// Entry point for the "none" sandbox (the options printed in the log show Sandbox:none).
// Requests a new PID namespace, forks, and in the child runs the common setup, drops
// capabilities, requests a new network namespace and enters loop().
// Returns whatever wait_for_loop(pid) returns in the parent; the child never returns.
static int do_sandbox_none(void)
{
	// NOTE(review): a failed unshare() is ignored here and below, so the namespace
	// isolation is best-effort; the program keeps running in the caller's namespaces.
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	// Only pid != 0 is tested, so a failed fork (-1) is also handed to wait_for_loop().
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	initialize_devlink_pci();
	loop();
	// Reached only if loop() returns; loop() as written below never does.
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes the directory `dir`, detaching any mounts found on the way.
// Any error that is not explicitly tolerated below terminates the process with exit(1).
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	// Detach every mount stacked on dir; the loop ends at the first umount2 failure.
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		// Both paths exit; EMFILE is not treated differently in this build.
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		// NOTE(review): the snprintf result is not checked, so an over-long path is
		// silently truncated before it is used below.
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		// lstat, not stat: a symlink is examined itself and is not followed.
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Reset the inode flags to 0 and retry the unlink.
				// NOTE(review): this path continues without reaching the i > 100
				// check below, so it is not bounded by the retry limit.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			// A read-only filesystem is tolerated: the file is left in place.
			if (errno == EROFS) {
				break;
			}
			// Only EBUSY is retried, at most ~100 times, after detaching a mount.
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		// All recovery attempts are limited to the first 100 iterations.
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			// New entries appeared after the scan: rescan from the top, up to 100 times.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Writes `nth` as decimal text to /proc/thread-self/fail-nth and returns the descriptor,
// which is left open. Exits if the file cannot be opened or the write is short.
// The call visible in execute_call (case 0) discards the return value, so that
// descriptor is not closed there.
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	// 16 bytes hold any 32-bit int in decimal, including the sign and the terminator.
	char buf[16];
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

// Kills `pid` and its process group with SIGKILL and reaps it, storing the wait status
// in *status. Does not return until waitpid reports `pid`.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	// Poll for roughly 100 ms (100 tries, 1 ms apart) before escalating.
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	// Still not reaped: write one byte to the abort file of every FUSE connection.
	// Presumably this unblocks a child stuck on a FUSE request - the reason is not
	// stated in this listing.
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			// This local shadows the libc abort() function inside the loop body.
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// The byte written is the first character of the path; a failed write is ignored.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	// Blocking wait; any other child reaped in the meantime is discarded.
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Issues LOOP_CLR_FD on /dev/loop<procid> if that device can be opened; errors are ignored.
// procid is defined outside this excerpt.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test process setup, called in the forked child before execute_one().
static void setup_test()
{
	// Deliver SIGKILL to this process when its parent dies.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	// Own process group, which is what kill(-pid, ...) in kill_and_wait() targets.
	setpgrp();
	// 1000 is the maximum oom_score_adj, making this process the preferred OOM victim.
	write_file("/proc/self/oom_score_adj", "1000");
}

// Writes fixed values to the fault-injection debugfs knobs listed below.
// Only the failslab entry is marked fatal: if that write fails the process exits;
// failures on the other entries are ignored.
static void setup_fault()
{
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				exit(1);
		}
	}
}

// Smallest read buffer syz_fuse_handle_req() accepts.
#define FUSE_MIN_READ_BUFFER 8192

// Request opcodes dispatched on in syz_fuse_handle_req().
// The values appear to mirror the kernel's FUSE opcode numbering - confirm against the uapi header.
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header at the start of every request read from the FUSE descriptor.
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

// Header at the start of every reply written back.
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

// Caller-supplied reply templates, one pointer per reply kind; syz_fuse_handle_req()
// picks one by opcode. Any pointer may be NULL, in which case no reply is sent.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

// Copies the request's `unique` id into the reply template and writes the reply to fd.
// Returns 0 on success, -1 if out_hdr is NULL or write() fails.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	// The byte count comes straight from the template's len field; it is not checked
	// against the size of the memory out_hdr points to.
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

// Reads one request from the FUSE descriptor and answers it with the matching template.
//   a0: descriptor to read the request from and write the reply to
//   a1: read buffer
//   a2: size of the read buffer, must be at least FUSE_MIN_READ_BUFFER
//   a3: pointer to a struct syz_fuse_req_out
// Returns 0 when a reply was sent or the opcode needs none, -1 otherwise.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	// The header is only interpreted once a complete one has been read ...
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	// ... and the length it claims must not exceed the bytes actually read.
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		// These opcodes reuse the init template as a header-only reply; note that this
		// overwrites the len field of the shared init template in place.
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		// No reply is sent for these two opcodes.
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

// Netlink attribute ids used when building mac80211_hwsim messages below.
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3

// Upper bound on the frame length accepted by syz_80211_inject_frame().
#define WIFI_MAX_INJECT_LEN 2048

// Sends a HWSIM_CMD_REGISTER generic-netlink message on `sock`.
// Returns the result of netlink_send() unchanged (negative on failure).
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Sends a HWSIM_CMD_FRAME message carrying `len` bytes of `data` for receiver `mac_addr`,
// with the default rx rate and signal attributes.
// Returns the result of netlink_send() unchanged (negative on failure).
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Pseudo-syscall: injects a frame through the MAC80211_HWSIM generic-netlink family.
//   a0: pointer to the receiver MAC address (ETH_ALEN bytes are read from it)
//   a1: pointer to the frame bytes
//   a2: frame length, must be within 0..WIFI_MAX_INJECT_LEN
// Returns 0 on success, -1 on a bad length or any socket/netlink failure.
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	// NOTE(review): the returned family id is used without a check here; whether the
	// helper can return a failure value when called with `true` is not visible in this excerpt.
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Upper bound on the SSID length accepted by syz_80211_join_ibss().
#define WIFI_MAX_SSID_LEN 32

// Accepted values of the `mode` argument of syz_80211_join_ibss().
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Pseudo-syscall: puts a wireless interface into an IBSS with the given SSID via nl80211.
//   a0: pointer to the interface name
//   a1: pointer to the SSID bytes
//   a2: SSID length, must be within 0..WIFI_MAX_SSID_LEN
//   a3: one of the WIFI_JOIN_IBSS_* modes
// Returns 0 on success, -1 on invalid arguments or any failure.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	// NOTE(review): as in syz_80211_inject_frame(), the family id is used unchecked.
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
	// The frequency is marked fixed for the two *_NO_SCAN modes only.
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	// Only the NO_SCAN mode waits for the interface to reach IF_OPER_UP.
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

// Pseudo-syscall: treats `text` as the address of a function taking no arguments and
// calls it. Nothing is validated here; the bytes at that address are whatever the
// caller placed there (execute_call case 13 copies them in with memcpy just before the call).
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}

// State of one worker thread: `call` is the index to execute, `ready` and `done` are
// the events used to hand a call to the worker and to signal its completion.
struct thread_t {
	int created, call;
	event_t ready, done;
};

// Fixed pool of 16 workers, created lazily by execute_one().
static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls handed to workers and not yet finished; updated atomically.
static int running;

// Worker body: waits for `ready`, runs the assigned call, decrements `running` and
// signals `done`, forever.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs calls 0..52 in order, each on the first worker whose previous call has finished.
// A call that does not finish within its timeout is left running while the next call
// starts on another worker. If all 16 workers are busy, the call is skipped.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 53; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// A new worker starts out "done", i.e. idle.
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Base timeout of 50 plus a per-call extra for the listed call indices
			// (presumably milliseconds - the unit is defined by event_timedwait).
			event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 38 ? 50 : 0) + (call == 43 ? 3000 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 300 : 0) + (call == 46 ? 3000 : 0) + (call == 47 ? 300 : 0) + (call == 48 ? 3000 : 0) + (call == 49 ? 300 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 300 : 0));
			break;
		}
	}
	// Give calls that are still running up to 100 more 1 ms sleeps to finish.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Endless test loop: each iteration creates the working directory ./<iter>, forks a
// child that runs execute_one() inside it, waits for the child with a 5000 ms budget
// (killing it afterwards), and removes the directory again.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		// "./" plus a decimal int always fits in 32 bytes.
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5000)
				continue;
			// Budget exhausted: kill the child and its process group, then reap it.
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers, used only when the system headers do not define them.
// The test name in the log says this program was generated for linux/386.
#ifndef __NR_dup
#define __NR_dup 41
#endif
#ifndef __NR_fcntl
#define __NR_fcntl 55
#endif
#ifndef __NR_getgid
#define __NR_getgid 47
#endif
#ifndef __NR_getresuid
#define __NR_getresuid 165
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_lstat
#define __NR_lstat 107
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_read
#define __NR_read 3
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_statx
#define __NR_statx 383
#endif
// From here on every use of __NR_mmap expands to __NR_mmap2.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots: execute_call() stores values produced by earlier calls here (r[N] = ...)
// and passes them as arguments to later calls.
uint64_t r[26] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Executes the call with index `call`; the switch body continues on the following lines of the listing.
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		*(uint32_t*)0x20000000 =
-1; inject_fault(1); res = syscall(__NR_ioctl, -1, 0x89e2, 0x20000000); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0xe6; memcpy((void*)0x20000048, "\xf1\x37\x16\x1a\xb8\x6c\x59\x42\x02\xb9\x97\xd9\xf1\x2d\x00\x70\x21\x87\x03\x22\xc8\xd9\x09\x74\x84\x09\x95\x1a\xe9\x80\x0c\x1e\x20\x7f\x98\xb7\x69\xc7\x40\xf8\x67\xea\x14\xbb\xf8\x66\x6a\x4f\x98\xd2\x29\xaa\xaf\xbc\x33\xc6\xc5\x21\x68\xdb\x89\x33\xc4\xa4\xa4\xa3\xdd\x3c\xe0\xcc\xea\x96\xe7\x1d\x81\xff\x4a\xca\x83\x31\xcb\x01\xbf\x35\x43\x38\x53\xd1\xab\xd4\x8f\xd6\xd0\xce\x13\x14\xdf\x65\x07\xba\xe5\x35\xa2\xb4\xe3\xea\xa7\x4c\x5d\x23\x00\x65\x94\x14\x8a\x0f\xe5\xb4\xa8\x84\xef\x8f\x41\x34\x6e\x49\xcc\x90\x47\x4c\xb1\x7b\xac\x30\x1d\x47\x97\xed\x05\xdf\xc6\xcc\xb7\x4b\xeb\xaa\xbe\x54\x91\x72\xd6\x22\xa3\x06\x05\xa4\xe4\x9f\xd3\xf8\x53\x7d\xe5\x27\x2c\x33\xad\x4f\x07\xcd\x06\x05\x77\xbc\xe6\x5e\x5c\x80\xa3\x41\x68\xcd\xe6\x81\x17\xe4\xf9\x00\xe3\x5a\x3d\x88\x8e\x02\xee\x11\x17\x52\x21\x3b\x40\xd2\xaf\x25\x8c\x01\xf3\x6d\xe5\x0c\xe8\xe8\x3d\x42\x26\xa3\x0d\x6a\x4c\xc4\x3a\x88\x3f\x6c\x20\xe3\xfa\xda\x8a\xd2", 230); *(uint32_t*)0x20000140 = 0xee; res = syscall(__NR_getsockopt, -1, 0x84, 0x1a, 0x20000040, 0x20000140); if (res != -1) r[1] = *(uint32_t*)0x20000040; break; case 2: *(uint32_t*)0x20000180 = r[1]; *(uint16_t*)0x20000184 = 0xa; *(uint16_t*)0x20000186 = htobe16(0x4e22); *(uint32_t*)0x20000188 = htobe32(3); *(uint8_t*)0x2000018c = 0xfc; *(uint8_t*)0x2000018d = 2; memset((void*)0x2000018e, 0, 13); *(uint8_t*)0x2000019b = 0; *(uint32_t*)0x2000019c = 1; *(uint64_t*)0x20000204 = 0x7fffffff; *(uint64_t*)0x2000020c = 1; *(uint64_t*)0x20000214 = 0x7fff; *(uint64_t*)0x2000021c = 4; *(uint64_t*)0x20000224 = 7; *(uint64_t*)0x2000022c = 1; *(uint64_t*)0x20000234 = 0x3ff; *(uint64_t*)0x2000023c = 0x40; *(uint64_t*)0x20000244 = 5; *(uint64_t*)0x2000024c = 1; *(uint64_t*)0x20000254 = 0; *(uint64_t*)0x2000025c = 7; *(uint64_t*)0x20000264 = 0; 
*(uint64_t*)0x2000026c = 8; *(uint64_t*)0x20000274 = 0x1f; *(uint32_t*)0x20000280 = 0xfc; res = syscall(__NR_getsockopt, (intptr_t)r[0], 0x84, 0x70, 0x20000180, 0x20000280); if (res != -1) r[2] = *(uint32_t*)0x20000180; break; case 3: *(uint32_t*)0x200002c0 = r[2]; *(uint16_t*)0x200002c4 = 0xa; *(uint16_t*)0x200002c6 = htobe16(0x4e20); *(uint32_t*)0x200002c8 = htobe32(9); *(uint8_t*)0x200002cc = 0xfc; *(uint8_t*)0x200002cd = 2; memset((void*)0x200002ce, 0, 13); *(uint8_t*)0x200002db = 1; *(uint32_t*)0x200002dc = 3; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 6, 0x200002c0, 0x84); break; case 4: memcpy((void*)0x20000380, "/dev/pktcdvd/control\000", 21); res = syscall(__NR_openat, 0xffffff9c, 0x20000380, 0, 0); if (res != -1) r[3] = res; break; case 5: syscall(__NR_ioctl, (intptr_t)r[3], 0x7c80, 0); break; case 6: *(uint32_t*)0x200003c0 = r[1]; *(uint16_t*)0x200003c4 = 0xa; *(uint16_t*)0x200003c6 = htobe16(0x4e23); *(uint32_t*)0x200003c8 = htobe32(0x7f); *(uint8_t*)0x200003cc = 0xfc; *(uint8_t*)0x200003cd = 0; memset((void*)0x200003ce, 0, 13); *(uint8_t*)0x200003db = 0; *(uint32_t*)0x200003dc = 5; *(uint16_t*)0x20000444 = 5; *(uint16_t*)0x20000446 = 0x476f; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 0x1f, 0x200003c0, 0x88); break; case 7: *(uint32_t*)0x20000500 = 1; *(uint32_t*)0x20000504 = 2; *(uint64_t*)0x20000508 = 0x20000480; *(uint32_t*)0x20000480 = 0; *(uint64_t*)0x20000510 = 0x200004c0; *(uint32_t*)0x20000518 = 4; *(uint32_t*)0x2000051c = 8; res = syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000500); if (res != -1) r[4] = *(uint32_t*)0x200004c0; break; case 8: *(uint32_t*)0x200005c0 = 0x8a; *(uint32_t*)0x200005c4 = 7; *(uint64_t*)0x200005c8 = 0x20000540; *(uint32_t*)0x20000540 = r[4]; *(uint32_t*)0x20000544 = 0x400; *(uint64_t*)0x20000548 = 0; *(uint64_t*)0x200005d0 = 0x20000580; *(uint32_t*)0x200005d8 = 0x10; *(uint32_t*)0x200005dc = 0xc; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x200005c0); break; case 9: *(uint32_t*)0x20000680 = 0x83; 
*(uint32_t*)0x20000684 = 2; *(uint64_t*)0x20000688 = 0x20000600; *(uint32_t*)0x20000600 = r[4]; *(uint64_t*)0x20000690 = 0x20000640; *(uint32_t*)0x20000698 = 4; *(uint32_t*)0x2000069c = 4; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000680); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 0x240, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); memset((void*)0x20000044, 255, 6); *(uint8_t*)0x2000004a = 8; *(uint8_t*)0x2000004b = 2; *(uint8_t*)0x2000004c = 0x11; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; memcpy((void*)0x20000050, "\x20\x15\xd2\x29\x78\x5b", 6); STORE_BY_BITMASK(uint16_t, , 0x20000056, 8, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0, 4, 12); *(uint16_t*)0x20000058 = 0x27; *(uint8_t*)0x2000005a = 0x8c; *(uint8_t*)0x2000005b = 0x18; *(uint16_t*)0x2000005c = 0xc93; memcpy((void*)0x2000005e, "\xff\xe3\x24\x0f\x04\x84", 6); memcpy((void*)0x20000064, "\x06\x7e\xcc\x39\xa7\x8a\x3e\xa4\x7c\x22\x24\x6d\x39\x1b\x92\xc4", 16); syz_80211_inject_frame(0x20000000, 0x20000040, 0x34); break; case 11: memcpy((void*)0x20000080, "wlan1\000", 6); memset((void*)0x200000c0, 1, 6); syz_80211_join_ibss(0x20000080, 0x200000c0, 6, 2); break; case 12: memcpy((void*)0x20000100, 
"bpf_lsm_xfrm_policy_alloc_security\000", 35); syz_btf_id_by_name(0x20000100); break; case 13: memcpy((void*)0x20000340, "\xc4\xc1\x7d\x6f\x70\x72\xc4\xe1\xf9\x11\x2f\xc4\xe3\xc9\x5d\x33\xab\xc4\xc2\x79\x0e\xb0\x00\x00\x00\x00\xc4\xe1\x7a\x12\xb7\x0c\x00\x00\x00\x0f\x01\x56\xe9\xc4\xe1\x0d\xd5\x5e\x0c\xf3\x0f\x52\x6b\x00\x0f\x7e\x20\xc4\xc1\x79\xe7\x02", 58); syz_execute_func(0x20000340); break; case 14: res = syscall(__NR_dup, -1); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_fcntl, -1, 9, 0); if (res != -1) r[6] = res; break; case 16: memcpy((void*)0x200026c0, "./file0\000", 8); res = syscall(__NR_lstat, 0x200026c0, 0x20002700); if (res != -1) r[7] = *(uint32_t*)0x20002710; break; case 17: res = syscall(__NR_getresuid, 0x20002800, 0x20002840, 0x20002880); if (res != -1) { r[8] = *(uint32_t*)0x20002800; r[9] = *(uint32_t*)0x20002880; } break; case 18: res = syscall(__NR_read, -1, 0x20002ac0, 0x2020); if (res != -1) r[10] = *(uint32_t*)0x20002ad0; break; case 19: memcpy((void*)0x20004b00, "./file0\000", 8); res = syscall(__NR_statx, -1, 0x20004b00, 0x2000, 0x20, 0x20004b40); if (res != -1) r[11] = *(uint32_t*)0x20004b58; break; case 20: *(uint32_t*)0x20004e00 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004d00, 0x20004e00); if (res != -1) r[12] = *(uint32_t*)0x20004d34; break; case 21: res = syscall(__NR_getgid); if (res != -1) r[13] = res; break; case 22: memcpy((void*)0x200003c0, 
"\x23\x58\x10\x53\x7c\x7f\x88\x6c\xa9\x17\x21\x04\x5f\xf7\xba\xdf\xae\x44\x29\xb2\x52\xcd\x65\x81\x72\xc1\xd0\xd4\x18\xed\x70\x05\x74\x39\xfc\x22\xff\xc7\x7b\x29\x08\x5c\x94\x88\xff\x93\x40\xf8\xa2\xad\xe9\x9b\xf9\xaf\x14\xa3\x57\x25\x7b\x8a\xa6\x9b\x4b\x8e\xff\xe7\xaf\xd6\x87\x6b\x3b\x51\x2b\x86\xfa\x1d\xff\x55\x5c\x6d\xc6\x18\x62\x66\xc9\x1f\xa2\x81\xc9\xdc\x72\xee\x17\xea\xd0\xe2\xa3\xfe\x9f\xf0\x3e\x7c\x32\xd2\x7e\x26\x7f\x5b\xe0\xfd\x6d\x1f\x9e\xfc\x02\xaf\x7f\xe9\xd6\x8d\x75\x55\x19\x20\x1d\xea\x7a\xbe\x68\x10\x53\xab\x98\xf7\x3f\xc0\xc6\xa0\x68\x4e\x91\xb7\x41\xc8\xc9\x45\x1f\x94\x59\xb5\x98\xee\x6f\x4e\xc0\xc9\x1f\x3e\x91\x7a\xf1\xe6\x64\x6f\x3c\x54\xf8\xfa\xf0\x48\x7d\x8e\xcc\xf0\x87\xe2\x8f\x87\x68\xf4\x8a\xe1\x5d\x09\x89\x04\xb3\x25\x42\x85\x70\x2e\x30\x8a\x93\x7d\x5e\x23\xa2\xae\xf3\xc2\x53\x12\x51\x6c\x50\x2d\x5e\x02\x33\x06\x52\x29\xee\x4a\x70\xdb\xc4\x14\x60\x4b\x7f\x05\x5e\xb7\xa2\x72\x48\x03\xe8\x5e\x5b\x4c\xd0\x5a\xf7\x11\xed\x73\x0f\xce\xb8\x1b\xca\xe1\x7a\x49\x67\xaa\x6c\xcf\xf3\xc0\xf4\x96\x6b\x7f\xf3\xd1\x5f\x09\x3e\x94\xeb\x0a\x46\xb7\x0c\x0f\xa5\xb8\x62\x8c\xac\x3c\x31\x01\x9b\xba\x60\x02\x41\x6f\xc6\x66\x1d\x85\x8f\xff\x16\xa9\x62\x15\xb1\xd1\x8a\x87\x7d\x9a\x53\x4a\xc4\x02\x56\xa3\x55\x79\x31\xad\xe2\x7f\x58\x7c\xce\x26\xa2\x0c\x01\x3d\xc6\x7f\x2e\x92\x2a\x52\x68\x9a\xae\xfa\x1b\x06\x4d\x03\xf8\xf6\xa3\x9f\x96\xb0\xde\x1d\x21\x39\x4c\xb6\xc2\x30\x10\xeb\x9e\x4a\x79\x41\x47\x35\xed\x99\x65\x42\x5f\x8a\x01\x00\x84\x96\xdb\xad\x04\x97\xfa\x0d\x65\xac\xec\x59\xff\xa6\xa2\x80\xbc\x58\xe2\xd8\x87\xa1\x0e\x96\x65\xea\xeb\x97\x43\x6e\xbd\xeb\x2b\x58\xa9\xae\x40\xe4\x49\x27\x32\x46\xfd\x99\x67\x53\x9f\x21\x2e\xd8\x96\x9b\x6f\x9a\x49\xd6\x5b\xca\xd2\xdd\x9d\x8e\xe4\x2e\x32\x05\x74\x11\x17\xe4\x31\xd4\x43\xff\x3e\x94\xc4\x7e\x7f\xd6\x27\xd3\x05\x11\xd5\xfb\xce\xc6\xa7\x58\x38\x3d\x31\x36\x7a\xca\x8e\x3a\xf7\x72\xa1\x02\x11\x05\xab\x2c\x1b\x4a\xa7\x61\x4d\xea\x8c\xfa\x4b\x06\xf5\x3a\xf3\x73\x77\x98\x62\xc9\xbd\xb7\x6e\xf9\x3c\x74\x61\x8e\xee\x73\x47\xa
0\x74\xd4\xf7\x1a\x98\x23\x3b\x24\xb2\xa2\x57\x29\xc9\xa1\x98\x3d\x81\x9c\x3f\x42\xd3\x28\xd0\x8f\x0d\x4d\xd1\x64\x2f\x61\xb6\x2a\x89\xfc\x30\x0f\x50\x66\xd8\xe4\x57\xf5\xfd\x49\xda\xa7\x9e\x1b\x1d\x43\xd2\x6f\x89\xf2\xca\x99\x04\x50\xe8\x60\xbc\xc4\x7d\x5c\xf4\x77\x8c\x37\xc4\x51\xed\x22\xd6\x0f\xe2\xbc\xfa\x2c\xaf\xf7\x5c\x41\x70\x99\x0a\x2e\x8e\x21\x87\x19\x7f\x86\x38\xb0\x67\x85\x4c\xcf\x9d\xbe\x91\x58\x6d\xd4\x23\x41\x40\x1c\x4f\xb4\xf3\x13\x30\x66\x8a\xcb\x51\x6e\xba\x22\x27\xcb\xca\x4c\x8f\xa2\xf3\x9a\x03\x52\x1b\xd8\x03\x2f\x5e\x1a\xed\xf4\x9c\x50\xe6\x01\xb9\xfa\xd4\xe0\xd6\xf5\xb5\x93\x2e\xa2\x14\xfd\x50\x84\x85\x70\x3d\x08\x45\x79\x8d\x43\xbd\xbf\xf9\x63\x86\x77\xe6\xa9\x96\xef\xbb\xd1\x93\x6e\x97\x28\x20\x62\x70\x9f\x77\x8b\x45\x5c\xb4\xd2\x00\x13\xf5\xfe\x4c\x9b\xba\x0f\x7c\xfc\x18\x02\xe8\x18\x0f\xb6\xd4\x6f\x51\x76\xd1\xbd\xbb\x43\xd9\x60\xd4\x94\xf3\xa3\x0e\xd7\xab\x4d\xb0\x7d\xe5\xad\x92\x4b\x57\x97\xb5\x09\xf9\x60\x83\xf4\xad\xa9\xfc\xeb\xed\xe1\xeb\x0f\xb0\xdf\xa2\xcd\xc2\x14\x4b\x15\xcf\x4c\x28\x0f\x87\xd1\x18\x7e\x80\x8e\x37\xcd\xef\x53\x75\x52\xe3\x83\xf4\x6c\xcf\xe8\x62\x15\xb2\x07\x15\x39\x85\xe6\xb1\x31\x96\x22\x1f\xde\xa6\xc9\x47\x86\x4d\x12\x14\x7d\x7b\x01\xef\xc3\xdf\x14\x4e\x2c\xaa\x24\xd1\xa4\x78\x2a\x51\xa8\x23\x5c\x4c\x0e\xad\xf0\x44\x0c\x8e\x43\x4a\x4d\x07\x2b\xe5\x84\x55\x47\x17\x5f\x37\xc5\x5f\xdd\xd5\xe7\x84\x95\xac\xe4\x34\xc4\x83\xf2\x8b\xb3\x48\x7a\xd8\xd6\x8b\xd7\x43\x77\xfd\x82\xe1\x7b\xaf\xeb\x06\x2b\x81\xc6\x8e\x8a\x63\x89\xc8\xd8\x10\x79\xe4\xc9\xfa\xa2\xa8\xfc\xf1\x24\x15\xcc\x21\xeb\xcd\x92\xde\x80\x88\x45\x50\x59\x4c\xa6\x4b\x56\xb0\xb4\x24\xa6\x5f\x80\xca\xb1\x64\xb2\xf6\xf2\xf3\x3c\x7a\xea\xa8\xb6\x60\x2e\x71\x83\xb9\xd0\xae\x15\x3a\x17\x03\xb3\x03\x67\x5a\xae\x13\x3b\x3d\xd9\xc6\x46\x67\x7f\x6d\x8a\x49\x2d\xa0\x99\xef\xb4\xa7\xe4\xde\xe3\x92\x81\x8a\x15\xd6\xbf\x9e\xfb\x07\xee\xad\x5b\x40\xac\x25\xbb\x0f\x00\x92\xf4\xb0\xec\xaf\x0a\xc3\x39\x1b\x3e\xcf\xd0\x63\x5e\xc4\x96\xb8\xb6\x6d\x7a\x45\x1c\x6d\x10\x37\x9c\x15\x2
9\x1c\x4f\x36\x82\xf0\x5f\xb7\x39\x44\xcd\x1b\xe0\xf0\xfa\x85\x54\x35\x8b\x30\xde\xb7\x38\x69\x31\xae\x95\xeb\x2a\x16\xfa\xed\x24\x5f\xfc\xad\xb3\x94\xac\xdf\x06\x38\xa6\x26\x27\x82\x33\x01\x93\x66\xe2\xec\xd9\xdb\x1a\x4b\x5a\xe2\x7f\xf8\x3d\x7b\x57\x1c\xd7\xff\xc1\x51\xdc\x4d\x0c\xef\x1d\x03\x00\xc9\x8a\x41\x69\x77\x51\x85\x1f\x8e\x05\x24\x9c\xae\x19\x96\x3f\x81\x25\x89\xa7\xd6\x4c\xfa\xb8\x46\x43\x9f\x47\x13\x43\xba\x5e\xff\xac\x9a\x57\xf7\x6d\x0a\xbf\xb9\x5e\x87\x8b\xee\x4c\x94\x24\xf0\xca\x17\x18\x19\x5e\xff\x14\x06\x0a\xcf\xb3\xe0\xdf\x4c\xbc\x56\x0b\xc2\xbe\x9a\xb4\xf0\xa0\xbd\x68\x6f\xe2\x13\xd4\x49\x47\x17\x0e\x68\xe7\x3b\xaa\xdd\x98\x2c\xe2\xd1\x70\xa5\x0d\x1e\xca\x02\x40\xcd\x3c\xec\xe9\xf7\x4d\xa3\xa1\xc1\x47\x6f\xf1\x1f\xa3\x34\xd7\x2c\x18\x50\x6b\x5c\x00\xa4\x41\xea\x2e\x9c\x72\xc7\x6b\x38\x50\x37\xf8\x6c\xa5\x94\xaa\xad\xe9\x87\xa7\x9b\xbd\x3e\x3c\x40\xd0\x00\x7a\x7f\xf8\x52\x99\x05\xb9\x4c\x54\x61\x65\x62\x92\x95\x0b\x41\xc8\x34\x43\xdc\x84\xd6\xfd\xf5\x2e\x44\x97\xed\x68\x04\x98\x1a\xf1\x33\x85\x64\x92\x00\xd8\x93\x09\x3b\xf2\xea\x82\x25\xb3\x89\xc4\xdf\xd2\xe8\x15\xb3\xbd\xf9\xd7\x08\x4d\x29\x00\x9e\xae\x4e\x88\x22\xa5\xb6\xa5\x2a\xa7\x6a\xfd\x95\x1d\x04\xaf\xa8\xe1\x28\x63\x96\xa8\x34\xdc\xf8\xc6\xb5\x7c\xc4\xef\xbc\x0c\x16\x77\x9d\x53\xf0\xbc\xd7\x40\x43\xc0\x6e\xce\xbe\x59\x32\x8d\xcc\xa8\xbb\x61\x05\xaf\x23\x56\x59\x06\xe5\x46\x6c\x73\x11\xb1\xaa\xc6\x76\x2e\x4b\x62\x60\x36\xfe\x31\xd3\xe7\xb0\xfa\x2e\x65\x8c\xa9\x35\x10\x78\xee\xca\x7b\x46\x7e\x11\x8e\x9b\x88\x95\x9d\xe1\xf4\x18\x69\x40\x5a\x83\xbd\xc6\xce\x98\x0c\x72\x9f\x7e\x2a\x46\x0f\xa9\xbe\xe1\x61\xe5\x4d\x27\x1a\x87\x4b\xb4\xd0\xa2\x2c\xd1\xa4\x37\x6d\xe3\x6b\x58\x68\xca\x0e\x10\x93\x3e\x5f\xe2\xf7\x38\x5c\x1a\xf6\x2b\x86\xf8\xe5\xc3\x12\x66\x26\xb8\xbc\x6d\x56\x8f\x62\x1d\xa3\x23\x70\x7e\xa3\x32\xd7\x65\x44\x39\xfb\xa4\x67\x1d\x0c\xae\xb7\xef\x94\xe2\x5a\x82\x86\xbd\x9a\x19\xa2\x9e\x49\x32\xc7\xdb\x9b\x82\x34\x7d\xa5\x24\x92\xb3\x81\x4a\x44\xb9\x2f\x61\x55\x9c\x22\x65\x4c\x8b\x30\x1a\x8
d\xfe\x9d\xae\xae\x0c\xad\xe9\x46\xc0\x66\x6e\x94\xc4\xa6\x35\x3b\xb0\xeb\x21\x37\xd3\x68\x53\xad\x4f\x7a\x20\xa5\x08\x1e\x63\xaf\xee\xce\x20\x3f\xa6\xee\xea\x7f\x62\x9d\x00\x1d\xab\xaf\x5b\x1a\x3c\x67\x61\x51\x7b\xc9\x9a\x8e\x63\xf6\x6c\x01\x88\x49\x27\xb4\xbc\x40\xbc\x34\x19\x0c\x9e\x55\x3c\x69\x0f\xbc\x64\x44\xdd\x8b\xba\x65\x68\x74\xfa\x80\x46\x31\xb5\x6d\x24\x54\x1a\x9b\xd6\xfb\x77\xdb\x49\x03\x76\x9f\x9d\x04\x44\xd0\x8a\x21\xff\x59\xd9\x49\x65\x9d\x80\xb1\x40\x2d\x91\x9a\xc0\xfb\x83\x80\xed\x91\x15\xb6\x69\x3c\x19\x5f\x8f\x1a\x90\xa3\xa4\x22\x35\xd8\xea\x78\x2e\xda\x2b\xf1\x94\xd3\x2f\xbc\xc5\x63\x27\x1a\xfd\xa7\x3d\x70\x96\xa2\xe9\xe4\x67\x54\x1e\x76\x67\xc2\x67\xc5\x95\xe1\x23\x37\x29\x75\x26\x77\x68\xb8\xd1\x6c\xb6\x13\x0e\xae\xbf\x69\x8b\xe7\x6e\xef\xab\xbe\xac\xd5\x9f\x63\x1c\xc1\x04\xf0\x42\x26\x3e\x3e\x29\x62\x59\x79\x69\x72\x1a\x6c\x02\x2a\xba\x14\x11\x2e\x2f\x38\x02\xba\x63\x53\x91\xcd\x1f\x94\x32\x35\x25\xc8\x16\xef\xa9\xe8\x65\x52\x39\x9e\x79\x66\x5f\xf5\x54\xf5\x86\x75\x4f\x72\xd5\x3a\x0d\x94\x75\xc6\x55\x94\x8b\xd1\x3e\xc9\x3d\xd8\xcc\x43\xe5\xb8\x13\xeb\xfe\xa4\xab\xcd\x78\x0e\xed\xb6\x82\xac\x4f\x66\xe1\x68\x47\xf7\x82\x1f\xdc\x40\xda\x07\x3f\x7f\xc5\x9f\xe5\x7c\xa6\xad\x5f\x4d\xdd\x8a\x41\xe8\xaa\xdf\x3e\x21\x78\xcf\x42\x95\xc8\x59\x99\xe2\xc2\xd8\x24\xa0\x8e\xbb\x9a\x9b\x09\xe2\xef\xbf\x9b\x8d\x03\x73\x09\x1e\xa6\x1e\xc6\xaf\x17\xdf\x1e\x71\xac\xeb\x40\x3a\x41\xd3\xba\xfe\xfc\x56\xdc\xff\x18\x60\x23\xe9\xf2\x89\xe6\x1b\x74\x69\x04\xb3\xce\x34\x86\x9b\x53\x27\xc9\x24\xa2\x73\x36\xb2\x16\xd2\x20\x6e\xeb\xa9\xb1\xdf\xdc\xe0\x22\xe3\xa1\x3a\x26\x17\x38\x7f\xb3\xff\x5a\x1d\x0f\x38\xfb\xb9\x06\x3b\xcb\x69\xb5\xe3\x3e\xe4\x57\xef\xe0\x51\xdf\x45\x34\x62\xb7\x18\xd7\xd5\xe7\x80\x31\x04\x71\xa7\x3d\x99\xe2\xeb\x1e\x23\x23\x6c\x74\xb9\x37\x7c\x3e\x0e\xbb\x93\xea\x7a\x6a\x7b\x32\x2c\x42\x59\x10\x20\x9f\x89\x18\x41\xd6\x5c\xb8\xdb\x3b\x2b\x0d\x51\xd2\x7c\xde\x0c\xa1\x85\xbd\x3b\xf1\xf4\x02\xff\x10\xfc\x61\x1b\x93\xfa\x6f\x94\xeb\xf6\x07\x9a\xc6\xd5\xf3\x0
f\xf8\x66\xa4\xdb\xf3\x07\x29\xfc\x3c\xd0\x03\xed\x9e\xee\x6e\x1c\x92\x31\x9a\x8c\x62\x69\xe1\xa7\xdb\xa0\x49\x1d\x27\xb3\x26\x38\x8b\xc3\x2d\x58\xbf\x68\x5e\xc4\x29\xa8\xca\x7a\x12\xb6\x60\x18\x23\x08\x71\x0b\x5a\xa6\x1d\xce\x0a\x14\x3f\xad\x3b\xbc\x1a\x81\xa8\xf8\x14\xee\x37\xb4\x34\xc7\xd7\x29\x33\x1c\xe7\xf7\x2d\xdf\x31\xdc\xa7\x19\xbd\xfa\x04\xc0\x3a\xec\xeb\x4c\x64\x0c\x1c\xdd\xd0\xf0\x11\x37\xbd\x6e\x2f\x7a\xef\xb5\x1b\x02\x10\xb8\xcd\xb2\xcc\xb0\xf5\xd7\x45\x8d\x05\x71\x92\x76\x75\xf1\xbe\xdb\x36\xd0\xbf\x30\xac\x68\xdb\x43\x8f\xfb\xa7\x4a\xca\x62\x37\x25\xf2\x75\x22\x70\x1b\xb6\xc5\xca\x41\x4d\x23\x91\xcd\x53\x3a\x82\xc0\x66\x72\x4c\x6d\x3f\xd6\x8f\xe4\x2a\x83\x4d\xcc\xf5\xbf\x70\x34\x74\x29\xad\x8e\x38\x22\x15\xf7\x2f\xad\x93\x6e\xf9\x49\xbf\x64\xda\xd1\x25\x77\xea\xd0\xdc\x6c\xf2\x71\xbe\x7c\xa8\xe0\xba\xab\xb4\x39\x7f\xf0\x63\xf3\xae\x8e\x74\x12\x10\xc6\xa3\xab\x3b\x44\x2b\xa8\xfb\x16\xf2\x28\xc5\xda\xfe\xb1\xb4\x40\x82\x7d\xef\xbc\x48\xf5\xcb\xce\xb2\x74\x07\x55\xc9\x85\xd0\x60\xe8\x2c\x86\xc7\x32\xbb\xd5\x60\x88\x35\x91\xa1\xac\x05\x82\x99\xf1\x7f\x2e\x2a\x12\x85\x60\x28\x0b\xa0\x89\xe8\x4c\x34\x65\x45\x2a\x65\x07\xa6\x3f\x88\x49\x44\xa8\x3a\x21\xd2\x6c\x8e\x49\x8f\xf5\xdb\xd4\x89\xc6\x9c\xa7\x85\x32\x49\x01\x8e\x9d\x03\x52\x0b\x23\xf4\x7b\x29\x7b\x85\x26\x32\x2b\x1f\x6b\xd5\x4d\x06\x0c\xce\xa3\x01\xcc\x8a\x3a\x15\xda\x2d\x39\xb6\x4e\xa4\xdd\xb0\x3c\x7b\x6c\xba\x60\x5e\x8d\xd4\x86\xd1\x2d\x8f\x0c\x6c\xd9\xfb\x47\x81\x61\x12\xba\xa0\xa7\xae\x0e\xba\x4f\x0f\x89\xb2\x14\x32\x03\xa1\x19\xa6\xbb\x85\x45\xc1\xba\x66\x78\x84\x95\xf4\xe7\xda\xd9\x6d\xf8\x11\x9b\x1c\x11\xd7\xff\xb0\x71\x07\xc0\xc0\x35\xa8\x06\x97\xa8\xed\x78\x0d\x9c\x55\x61\x92\x93\x85\x08\x5f\x0a\xa7\xbc\x74\x8f\x2b\x5e\x23\x4e\x21\x0c\xe7\x77\x22\xc5\x4e\x80\xb8\x86\xc0\xd6\x14\x65\x8f\xfa\x23\x40\x8c\xac\xa9\xcf\x01\x38\x69\xef\x66\x29\xf8\x46\x16\x40\xda\xea\x86\x9a\xd4\xc3\x65\x53\x0d\xe5\x27\x81\x5c\xaf\xee\x31\x4f\x8c\xa7\xb9\x87\x95\x22\xc4\x26\x29\xe3\xe7\x12\x96\xe5\xf6\x0a\x84\xdb\x3
9\xd5\xc9\x00\x00\x16\xea\x33\xf4\x81\xd8\x0c\xcb\x80\xf0\x85\xd5\xed\x3f\x70\x0b\xad\xc3\xb4\xb7\xd8\x0d\xd8\xa7\x78\xf0\x38\x17\xa1\x0d\x67\x89\x2d\x36\x87\x0a\x98\xbd\xc7\x0c\xfd\xa4\x83\x4c\x78\x15\x42\x1f\xc9\x72\x74\x01\xbd\x4f\x81\x11\xbb\xba\x76\x86\x02\x4b\x42\x72\xf5\xa6\x8a\x66\x51\x94\xaf\xc4\xf1\xa9\xf8\x57\xaf\x27\x0e\x30\x22\xc1\x8d\xfc\x18\xf6\x7b\x39\x77\xe6\x41\xc6\x25\x8f\x00\xc1\x43\x0e\xa7\x95\x78\xf4\xdc\x82\xa0\xba\xb5\x21\x40\xdf\x4b\xe0\xad\xb3\x29\x19\x5a\x29\x7d\xf0\xbe\x6e\x12\x34\x97\x70\xb4\x47\x7a\x44\x65\xa8\x14\x39\xf2\x2b\x6b\xdc\x67\x7a\xb8\x6d\x4e\xdb\xbd\xfc\x7d\xb3\xcf\x06\xd4\xa9\x4d\x33\xc6\xc1\x1f\xa1\x63\xfe\xfb\x1a\x87\xa9\xb5\x2c\x1c\xc4\x09\xeb\xed\xe7\x26\x3c\x88\x97\x5e\xdb\x23\x7f\xa0\x1b\x58\x3f\x79\xfc\x7a\x4f\x8e\x8a\xc8\x9a\xf7\x93\x08\xd9\x9b\x47\x3c\xf3\x3f\x33\x44\xa4\xe5\x52\x3f\x3e\x35\xd3\x88\xd1\x8e\xe1\x18\x5c\xaa\x19\x18\xd2\x3a\xae\x41\x93\xae\xdf\xe1\x25\x04\x2e\x16\xd5\x71\x86\x52\x61\xdd\x63\xbf\x0c\x9d\xd8\x48\x5f\xa6\x4e\x24\x10\xa2\x6a\x43\x6c\x83\xc9\xe3\x45\x56\xf3\x7c\x1d\x69\xd2\xfd\x57\x42\x78\xc4\xb2\xc8\xba\xf3\x83\x4e\xe2\xe0\xf3\x64\xb5\x4c\x36\x78\x0f\x28\xa8\xeb\xe5\x6e\x1d\x9e\x1c\xbd\xfd\x77\x3c\xe8\xaa\xcd\xef\xda\x09\xf4\x0d\xff\xd8\x47\xaa\xdf\x67\xc4\x44\x71\x00\x8c\xee\x07\x76\xfb\x06\x89\x54\x30\x8f\x16\x20\x3d\x01\x7b\x29\x0c\xd1\xad\x9e\x4c\xdc\x49\xf3\x26\x35\x28\x07\x56\x0d\xdd\xa4\x90\xc0\x5c\x6d\x5e\x04\xf1\x94\x00\x83\xaa\xba\x83\xe0\x29\x37\x0f\xd7\x6e\x77\x57\xc7\x3c\x05\x43\xdd\xff\x26\xc3\xa3\x07\x62\xe2\xc9\xc5\x56\xaa\x28\x2c\x7f\x46\xf3\xdd\x8e\x20\x01\x68\x05\x3a\x03\x17\x4c\x56\x69\xdc\x43\x90\x0a\x39\x41\x7c\x9d\xff\x8e\xd3\xf1\x0e\xb0\x7c\x47\x0a\x52\x2e\xc8\x20\x71\x2f\xf8\x82\x59\xcf\x7f\x5e\xe5\x2c\xf4\xee\x69\x0b\xca\xbd\x88\x76\x3f\x66\x32\x9f\x37\x25\xa4\x36\xca\x19\x38\xd4\xda\x48\xde\xdf\xfe\xa8\x2d\xc5\x4a\x2a\x0a\x5c\xfb\x64\xc3\xe2\x78\xf4\x1b\x93\x3c\xef\xeb\x02\xf9\x82\x53\x2e\x98\x67\x72\x41\xd7\xec\x2f\x8d\x14\x27\xda\x17\x11\x91\x9d\x67\x2e\x95\x1
b\x6d\x1c\xd8\xf2\xc0\x20\x3f\xed\xd5\x21\xf7\x5a\x22\x9d\x99\x67\x13\x35\x81\x36\xd8\xb4\xeb\x79\x71\x34\xfe\xc8\x74\xe3\xd3\x8a\x01\xcb\x82\xa8\x7c\x8c\x21\x1e\x64\x29\xef\xe6\x77\x17\x3a\xab\x0a\x0f\xb9\xf5\x58\xf4\xb0\x6f\x77\x05\xbc\xd1\x77\xec\x1d\xd8\x0d\x04\x45\xb5\x44\x8e\x7d\xc2\x94\x53\x8a\xae\xcc\x59\x61\x0d\xbe\x6f\x2b\x3b\x16\xb2\x75\xc1\x8d\x33\xa7\x8f\x0c\x1d\xcb\xb0\x7e\x13\x76\x28\xb6\x22\xf8\x85\xae\xe8\x0b\x82\x68\x4c\xdd\x5f\xde\x5a\x29\xaa\xdf\x63\xd8\x5e\x95\x15\x96\x49\xad\xce\x0f\x9e\x57\xb5\x3b\x82\xc7\x5b\x87\xa1\x27\x47\xef\x0f\x84\xbe\x50\x69\x3c\xca\xe7\x98\xe3\x8a\xaf\x05\x06\x66\x16\x3e\x6b\xed\x48\xf5\xf1\xba\xf4\x9a\xde\xa2\x12\x23\xbf\xb0\x89\x19\x98\x98\xdc\xd2\xe9\x1b\x70\x8b\xd6\x2b\x61\xf1\x38\xcc\x48\xbe\xd8\x8b\x77\x2d\x14\xbc\xc5\x39\x68\xaa\x32\xfa\x3f\x11\x45\x84\x75\x2d\xb5\x32\x78\xb2\x5f\x36\x7d\x52\xc2\x07\xec\x54\x59\x66\x83\x82\xaa\xc7\xeb\xfd\xf3\xa2\x07\x5c\xef\x67\x9b\xd7\x7e\xc1\x7a\x11\x43\xde\x08\x47\x20\x08\x54\x86\x68\x5a\xc8\x69\x73\x3b\xc0\x7d\x74\x24\x6f\xbf\x8a\xbb\x36\x62\xbe\x75\x0d\xdd\xd3\xb1\x3e\xcb\x2d\x91\x35\xf5\xc6\x8d\x1f\xdd\xe5\x49\xd9\xc2\x09\x1d\x96\xaa\x35\xf8\x43\x36\xb4\x21\x51\x31\xf3\x64\x76\xec\x84\x8d\x53\x3d\x7d\xca\x1e\x0a\xa4\x1e\xef\xb8\x80\x60\x52\xa8\xcd\xd5\x38\xb7\x55\x70\x7f\x93\xe0\x48\xd7\x71\x50\x5b\x88\x90\xd8\xf6\x80\xb8\x80\xcc\xb8\xee\x29\x49\xe3\x5a\x63\xee\x48\xe7\xb4\x67\x12\x8b\x65\xff\xe6\x06\xce\xd2\x8a\x3b\xc3\x17\x2b\xd0\x9f\x2b\x58\xef\x63\x22\xa3\xfa\x31\xe0\xfa\xb3\x7a\x3a\xfe\x72\x9a\xd4\x3d\x5c\xd0\x2b\x42\xbe\x4d\x8e\x60\x2b\x99\x51\x6d\xbd\xbd\x81\x2e\x1b\xec\xae\xba\x14\xb2\xb2\xbf\xaf\x05\x55\x90\x02\x51\xe3\x1d\x83\x97\x98\x14\x1b\x32\xab\xdc\x55\x8b\x3b\xf3\x0e\xdc\x11\x45\xf5\x41\x79\x85\x07\xda\x32\x9c\x5a\xcc\x1f\xf5\x6d\x4f\xd5\xf6\xe1\x8c\x02\x08\x12\x22\xc6\x98\xb3\xd0\xf2\xb1\x95\x39\xa7\xc2\xc9\x1f\x78\xb1\xbe\x76\x48\x19\x91\xe2\x41\xd2\xae\x88\x9d\x4c\xb1\x33\xf9\x0f\x77\xd9\x22\xd9\x84\xb5\xa5\xd1\xb2\xaa\x03\x8f\xb0\x01\xf0\xba\xc8\x8c\x1
4\xa3\x6f\x62\x29\x6a\xb3\x24\xd5\x2b\x57\x54\xd4\xe8\x42\x88\x9d\xa6\x54\x14\x3b\x4b\xd7\x19\xf0\x82\xcb\xcf\xa2\xec\x90\x31\xb9\xb4\xb8\xbb\x8e\xf4\x6b\xc3\xff\xa5\x2d\x35\x38\x5b\xf2\x7e\x3c\xcd\x86\x10\x84\x81\xff\x66\x40\xe8\xb0\xe3\x09\xd2\x8b\x14\x94\x20\xf9\x5e\xb9\xaf\xa0\xf6\xe1\x88\xb7\x00\x5f\x42\x12\x25\x38\x5b\xde\xa3\x82\x5a\xd5\xfb\xfc\x6d\x9f\x29\x97\x47\x6b\xc3\x6e\x5d\xfe\x4b\x68\x6d\x1a\x2d\x40\x25\x16\xd4\xee\xe9\x90\xe1\xea\x6a\x23\x48\x38\x10\x3f\x42\xd7\x05\xab\xf3\x78\x35\x67\x3c\xa7\x86\x75\xb5\x35\x4c\x2a\x99\x13\x0e\x2b\x7a\x64\xee\x26\xa2\xad\x6c\x1c\xd2\xde\x64\xed\x59\x12\xeb\x77\x08\xdb\x3a\xfb\xb4\xa6\x83\x10\x9b\x10\x57\x29\x8f\x35\x6e\x4c\xf4\xfa\xb2\x00\xca\xf7\x40\x3c\x71\x9a\xa8\x1a\xb0\x1d\x3d\x7f\x91\x55\x07\x3f\x56\x49\x5e\x51\x16\x19\x6e\x9a\x9d\xe8\x2f\x10\xa5\xc0\x8d\xfb\x2f\x91\x54\x94\xdf\x7a\x07\x00\xef\xb7\x22\xd3\x41\x6a\x5d\x32\xbc\x02\x29\x71\x11\x65\x08\x47\xde\xe6\x76\xd2\x68\x77\x2d\xec\x41\x3d\xa3\xa1\x32\x09\x89\xc1\xbe\x0d\x5c\x9c\x1b\x6f\xc4\xf7\x0f\xbd\xad\x88\x8a\xbb\x0b\xe8\xf1\x16\xf0\xd7\xa6\xf3\xab\xaf\x63\x6b\xb6\xb6\x92\x22\xda\xf4\xcc\xbd\x6d\x07\x29\x3d\xef\x59\xcd\x5e\xc9\x08\x45\x4d\x07\x94\x95\xf2\x7b\xfa\xf9\xe4\x5f\xb2\xc9\x99\x64\xe6\xb2\xfb\xa0\x3a\xf0\x38\x2d\x5b\x60\xad\xeb\xbb\x28\xfb\x8f\x8f\x8e\xfd\xd8\xda\x65\xea\xc2\x93\x77\xcf\x07\xc6\x2e\x1b\xf1\x0f\x61\xfa\x91\x2e\x62\x71\xf2\xcb\x95\x09\xa7\x63\x1b\x7a\xbe\xc3\x39\x6b\xeb\xce\x10\xbc\x79\xe2\xc4\x99\x56\xd1\x27\xf9\xd0\x1b\x73\x58\x45\x40\xcb\x6c\x0b\x52\xa7\x09\xe3\xaf\x1d\x00\xc8\x4f\x6d\x22\xfb\x19\x5d\xd8\x82\x3a\xa3\x36\xaf\xea\x89\x8e\xd8\x7a\xda\x2b\x22\xd1\xb8\xec\x50\x8c\xf6\x98\x6e\x93\x45\x92\x65\xed\x7c\x25\x87\x32\xc2\x91\xca\x41\xe7\x87\x6f\x1b\x43\x8b\x17\xd3\x6c\x24\xa0\x2f\x20\x0f\xee\xee\x18\xac\xe8\xdc\x4a\xad\x51\xa4\x2b\xb9\x81\x5d\x82\xc2\xa9\xa3\x7f\x77\x5c\xd6\x12\xe0\x84\x22\x69\x42\xea\x0d\xc6\xf5\xd8\x92\x33\x49\xbb\xbe\xdc\x2a\x45\xcf\xcf\xdd\xed\xa2\xd5\x2d\x14\xf2\xff\x83\x29\xaa\xc0\x1d\x2e\xc3\xc3\x7
f\x23\xc5\xc9\x0d\x02\x62\x80\x23\x8c\xe0\x9e\x00\xec\xa9\xf6\xc3\x0b\xda\xa5\xdc\x91\xf4\x34\x2f\x8a\xf6\xa3\xec\x13\x39\xc4\x7d\xca\xe8\xf9\x36\x0c\x32\x50\x2b\xfa\x86\xe1\xff\xc5\x82\xd5\x88\x8f\x29\xca\xc3\x9e\xf9\x0a\x31\x50\x11\x1f\x66\x11\x99\xfa\xf7\xe2\x41\x3b\x57\xbb\x9a\x72\xaa\xa2\xd5\xfa\xe3\x2b\x46\x28\x84\xa9\x28\xd8\x3c\xea\x60\x55\x70\x25\xc5\xde\x01\x80\x44\x34\x5f\xb0\x83\xde\xf4\x9b\xc3\x83\x31\x98\x94\xda\xd2\x8b\x53\x39\xcb\xad\xb6\x03\x8d\xc8\x47\x9f\x7e\x4b\x2f\x01\xc1\xce\xd3\xff\x85\x42\x05\xbe\x93\x88\x48\x85\xb1\x29\x87\x8b\xdb\xb1\x8c\xaa\x68\xc3\x09\x40\x71\x9a\x40\x8a\x03\xfc\x61\xeb\xea\x87\xd9\xd3\xef\x21\x62\x59\x45\x89\x65\x44\x75\xc2\xc3\x7e\xaa\x87\x37\x33\x8a\xcc\x18\xb3\x41\xa3\x51\xec\x39\xaa\x94\xcb\xa1\x71\x09\x6f\xd7\xfb\x83\x2e\x30\x31\xf4\xd8\x2f\xf2\x32\x8a\xa1\x89\x62\x3c\xd9\x3f\xce\x6f\x45\x25\xc2\xdd\x01\x3d\xc9\xc7\xb4\xd1\x9a\xdd\x3b\xf9\xc3\x34\x88\x6e\x9d\x1c\xb4\xdf\x99\x7d\x99\x56\x3a\x57\xb6\x6d\x83\x21\xd4\x21\x52\xf7\x21\x70\x5d\x6c\x48\x46\x18\xad\x33\xcb\x46\xb5\xc1\xa4\x1c\xcd\x39\x7e\xde\x50\x43\x2d\xc9\xd4\x1a\xa8\xb2\xfb\x37\x5a\xf7\x5d\x33\x23\x56\xd7\xdf\x3d\x5d\x43\x9f\xde\xbc\xf8\xe2\x5b\x22\x49\x3c\x6f\xe1\x40\x01\x3e\x29\x52\x32\x18\x67\xd1\x29\x47\xb1\xf2\xdd\x27\x2a\x17\x36\x94\xa5\xfd\xdd\x88\x7f\xe1\xec\x96\xdf\x64\x67\x63\x0d\x14\x49\xd7\x23\xff\x02\x3e\xc1\x27\xb1\x2a\x24\x11\xa0\x96\xe3\x12\x9e\x84\x5d\x50\xb1\x46\x68\x36\x35\xd8\x05\xcf\x19\x67\x35\x82\x8c\x8a\x0a\x00\x40\x47\xa1\x9a\xcf\xcc\x41\xb6\x2f\xe0\xfb\xff\x91\x88\x1e\x76\x13\xbf\x7a\x73\x71\x95\xf1\x85\x8e\xd7\x19\x8d\xca\xca\x13\x21\x06\x19\xd7\xf7\x39\x8d\x81\x2d\xe4\x63\xf2\x21\xf0\xc2\x64\x87\x4a\xa3\xb3\x41\x6d\xcd\xfa\xed\x76\xbf\x25\x5d\x7a\x7a\x15\xd6\xac\xc9\x86\x4d\x1b\xd9\x00\x35\x4b\x3b\xf0\xdf\x70\xba\xe9\x32\xc4\xb8\x2e\x8a\xa6\x0d\x39\x5b\x93\x9c\xc6\x0f\x89\x64\xab\x75\x5b\xa5\x0b\x40\xa7\x13\xf6\x8d\x2e\x00\x1a\x2b\x5a\xbc\xfd\xbb\x82\x1a\x0a\x3a\x7a\x97\xcd\xcc\xc0\xb0\x5b\xca\x8f\x03\x3f\xbc\xd9\x54\x56\x9c\xb
7\xc3\x12\xd4\xcb\x9e\x69\x27\x56\x13\x30\x66\x79\x88\x25\x70\x72\x61\x18\xeb\x66\xb4\xb6\xf0\xd2\x36\xc3\x3e\x35\x65\x8e\xd8\x7f\x02\x8c\xa4\x3c\x55\xc2\x69\x68\x17\x9a\xed\x75\x49\xc8\xc2\xe9\x26\x72\xa4\x45\x10\x6d\x04\x29\x84\x69\x17\xc5\xfc\x60\x7f\xa2\x85\xdb\x9a\xa6\x12\x81\xc1\xc5\x24\xa7\x6b\x3d\x40\xde\x5d\xa9\xbc\x7a\xfb\xae\x9c\x03\x55\x5d\x05\x63\x83\xea\x7f\x5e\xac\xf5\xde\x95\x63\x8e\x11\x24\x2a\x42\x0c\x9a\xa3\x22\xc8\x08\xcf\x2a\x14\xab\x47\x9d\x81\x35\xe4\xff\x48\x7b\x21\x5c\x8c\xec\x44\xc7\x29\x0d\x34\x59\x10\x0b\x21\x96\xc5\x4e\x88\xca\x28\x41\xd8\xa6\x01\x1c\x6d\xb1\xb5\xc2\xfb\xc5\x13\x5d\xa6\x05\x3d\x89\x3d\x11\x6b\x9f\x23\xd5\xa0\xf7\x7f\x9f\x64\xc5\x0a\x04\x48\x55\x2f\xb3\xd4\x00\x2c\xcf\xb9\x5e\xd5\x4c\x37\xea\xe9\x31\x73\x7b\xf0\x2b\xcd\x22\x6b\x13\x3b\x9d\x27\xde\xbf\xae\x74\x87\x30\xa8\x7b\xe8\xdf\x5c\x31\xcd\xdf\x16\xc2\x6b\xc3\xf3\xb4\xdf\x7a\xbc\xbc\x52\xed\xad\xb7\xa7\xc2\x9e\x87\xdd\x5d\x63\x30\xb7\x61\x64\x9f\xc9\xf0\x98\xa7\xb6\xb6\x8c\xf5\xdc\xe7\x67\x66\x7e\x8b\x5a\x7c\xd4\xbb\x22\xd1\xc9\x22\x9c\x45\x51\x69\xd7\x2e\xdd\x3b\xae\x9c\x25\x1c\x07\x88\x96\x8f\x1d\x13\xaf\x8e\x47\xba\x32\x92\x3c\x66\x14\xc4\x4d\x51\x96\xfa\x80\x57\x61\xdb\xa5\x9a\x39\xb8\x93\xbf\x09\x73\xda\xbb\x97\x6e\xdf\x63\xf3\xcb\x54\x73\x2d\x43\xb9\x0e\xe7\xab\x03\x74\xe1\x0f\xd7\x22\xd5\xc3\x61\xa4\x10\x89\x31\xe8\xee\x3f\xa1\x90\x79\x3f\x90\x1b\x18\xff\x7b\x5e\xd8\xc1\x62\xb3\x7f\xfc\xb3\x9c\x6c\x0c\x08\x4c\x9c\x76\xb3\x96\x4e\x31\x35\x1f\x51\x12\xac\xcf\xe1\x6c\x62\x68\x58\x0c\xe0\xb4\x4c\xd4\xc3\x3f\x29\x21\x71\xdf\x6a\xf3\x59\x14\x22\x5c\x8b\x1a\xff\x19\x85\xce\xa0\xea\x73\x49\xa4\x3a\x51\x0d\x5f\xbf\x18\x81\xa0\x32\xf9\x6b\x1f\x58\xf4\xfa\x94\xdb\xcd\xf9\x8f\x6b\x11\x3a\x2f\x85\x1e\x76\xd4\xf1\xcf\x06\x86\xe3\xb4\x40\x57\xc3\x63\xc8\x49\xc5\x70\x06\x59\xd7\xe5\xa1\xc2\xb3\xcc\xfd\x5a\xaa\x88\x9c\x2f\x99\xa9\xb1\xc8\x31\x9c\x3c\xd3\x48\xbe\x29\xb2\xe9\xbf\xef\xbc\x28\xcb\x77\x47\x29\x95\x8c\x12\xc9\xdf\xa7\x4b\x89\x3a\x07\x74\x5a\xed\x2e\x51\x44\x72\x3c\x8
f\xc0\x50\x68\x52\xf1\x7e\x6a\x4a\x8f\x59\x9d\x2c\x4a\x1d\x7c\x0b\xa9\xd7\x7d\xb8\x41\x6e\xb1\x09\x32\xcd\xc7\x49\xcf\xa9\x98\x90\xee\x80\x17\xc0\x66\x40\x84\xf8\x64\x89\xc9\x75\x25\x52\x52\xc3\x87\x6f\x8d\xcd\x98\xc0\x0b\x73\x61\x1c\xe2\x73\x4e\x1f\xe0\xee\x5c\x0a\x0a\xbb\x0c\x50\x00\x40\x44\xf9\x3a\xd2\xff\x01\x09\xbc\xb1\x9a\x3a\x20\xf1\x86\xd6\x8e\x38\x7d\x34\xa5\xb5\x78\xc4\x25\x3c\xd9\x67\x26\x14\x80\x3b\xf9\x67\x26\xe8\xab\x00\x14\x6d\x2f\xe2\x66\xe6\x2e\x48\x65\xf5\xe7\xfe\x31\xd4\x14\x97\xe7\x19\x51\x22\xfc\xda\x82\x5f\xb4\xe9\xfc\xdd\x09\xb4\x21\xdd\xb6\xe9\x25\xa4\xd5\xcb\x7f\xf2\xfa\x56\xfe\x14\x97\xad\x65\x9c\xc5\xb6\xef\xd8\xf8\x83\x99\x8b\x74\x51\x17\x5f\x98\x27\x54\x7b\x84\x19\x5c\x25\xfc\x16\x31\x07\x2a\x55\xc1\x7e\x90\xa3\x27\x9a\x54\xa2\x96\x97\x31\x2b\xfe\xf3\xee\xfc\xba\x8d\x31\x14\x55\x6a\x54\x5d\x18\xab\x0d\xf7\x4d\xf2\x66\x85\x91\x51\x95\x9a\x1b\x05\x1f\x83\x22\xf7\x98\xcb\x45\xd5\xcb\xe5\x29\x1b\xdd\x71\xda\xd6\x65\xf6\x4d\xde\x69\x54\xef\x00\x71\x89\x18\xfe\x01\x72\x79\x63\x96\x46\x42\xd4\xc4\xa5\xbb\xa9\x30\x3f\x44\xfe\x97\xff\x99\xf0\x67\x48\xdc\x86\x3f\xf0\xcc\x17\xfc\x82\xb2\x9f\xbe\x0c\x71\x2c\x77\xed\x36\x69\x7f\x23\xb4\xa2\x2a\x9f\x24\x85\x22\xf9\x94\x6c\x3a\xbc\xd3\x2e\x16\x5f\xd6\x6f\xdb\xc7\xb4\xa0\xdf\x71\xa8\xd2\x57\x1f\x32\xda\x4a\xda\x51\xc1\x4c\xa0\x86\x30\x1d\x6e\xd0\x20\x06\xc6\xa3\x8c\xe4\xe7\x67\x1f\x3d\x08\x62\xa4\xe3\xc2\x2b\x6a\xa7\xb7\xc0\x49\xa7\x76\x22\x87\x57\x05\x62\xe8\xb4\x52\xef\xc7\x87\x41\xe7\xc2\x82\x2a\xd0\xfd\x43\x5e\x76\xa8\x04\x4b\x05\xb3\x88\xaa\xfc\x4c\xf6\x15\x75\x76\x03\x98\x87\x23\x64\x46\x99\x61\xe8\x7d\x14\xd1\x79\x5e\xb6\x27\xfa\xed\xa1\x8f\x9c\x12\x28\xfc\x99\x4d\x58\x05\x08\xc9\x96\xd3\x66\x27\x99\xb7\x23\x7e\x59\x69\x10\xa7\xc5\xc7\xfa\xcd\x47\xfa\x30\x84\xda\x48\x48\x87\x67\xf6\x0c\xfe\x58\xec\x40\x14\x15\xac\x66\x03\x16\x23\x32\x0f\x9f\xda\x37\xc0\xaf\x9f\xe4\xcd\xa1\xb2\x89\x3d\x2d\xf0\xac\x82\x26\x01\x3a\x36\xca\x7b\x13\x66\x03\x2e\xa7\xb2\x5a\x55\x91\xbe\xbc\x8c\xe4\x89\x77\x7c\x0c\xba\x2
8\xd1\xf0\xca\xfe\xae\xea\x7d\x5b\x4d\x20\x09\x30\x9e\xeb\xc9\x13\x07\x81\x12\xbb\x12\x69\x20\xca\x6e\x5e\x2b\x22\x10\xce\x54\x10\xcc\xe4\x5f\xc4\x63\x74\x6c\xf1\x68\xf7\xee\x2b\x91\xc7\x97\xb3\x30\xe0\x46\x48\x22\xa6\x18\xe4\x57\xce\x39\xa0\x03\x67\xd9\xcd\x3d\x3f\x59\x38\xce\x36\xeb\x2a\x31\xa9\x0d\x04\x92\x58\xc8\x49\x95\x5e\x97\xf0\x80\x17\x26\x9b\x3e\x5f\x69\xe9\x12\x81\x95\x63\x8b\xc8\xc1\xfa\x73\x5e\x6e\xb2\x43\x5c\x95\x87\xf4\xf4\x36\xd9\xe6\x8a\x87\x97\xbb\x42\x10\x0d\x48\xe7\xb2\x61\x97\xc6\x5f\xb8\x90\x39\x61\x38\x2f\xb0\xfe\x22\x98\x60\x17\x30\x68\xd9\x42\x91\x10\x82\x3b\xc2\xff\x71\x7a\x71\x57\x05\x4c\x32\x6b\xda\xc3\xad\x35\x81\x77\xf9\xa4\x06\xd8\x94\xb8\x42\xd6\xd9\x1e\xdb\x35\x6b\x06\x28\x3b\x32\x9b\xca\x6e\x12\x29\x06\x55\xfe\xf2\x40\x29\xba\x1d\xaa\xf4\x5f\x17\xeb\xc8\x34\xd1\x2e\x35\xe3\x9f\x2e\x20\xe2\xc7\x36\x2a\xeb\x00\x31\xf4\x87\x7b\x63\x3b\xe1\xbe\xd3\x6f\x5d\x7b\xa2\x4d\x01\x48\xf8\x46\xa7\x86\xf3\x88\xe2\xab\x79\x66\x2d\x55\x9b\x86\x1a\x36\xa4\xce\x60\xdc\xeb\x5f\xdb\x9f\x47\x93\x58\xfd\x84\xa5\xc7\xf1\x02\xf7\x5b\x81\x43\xd3\x62\x6f\xff\xa5\x46\x9c\x22\x07\x2a\x97\xd6\x3f\xf9\xe0\x66\x7c\x2f\x2d\xb4\x1c\xd0\x3e\x5d\x43\x91\x4b\xb5\x90\xbb\x1f\x11\xf4\xc3\x53\x3b\xcc\x47\xff\xc9\x9e\xed\xf6\x77\xc9\xd6\x46\xc6\x0f\x99\x39\x89\x15\x89\x1a\xb6\x71\x97\xdd\xbd\xc1\x1e\x03\xda\xf0\x31\x39\xce\xad\xaf\x99\x22\x68\x75\x16\x3f\x11\xc2\x90\x27\xf6\xec\x6e\xe6\x47\xc9\xbb\x1f\x76\x95\xf1\xf2\x91\x8a\x32\x85\xa1\x3e\xad\xb7\x3d\x3e\x94\xcb\x0d\xbf\x92\x73\xf7\x5e\x1a\x8b\x39\x1c\xc6\xe4\xc1\x4e\xd5\x68\x3c\x27\x56\xc7\xb3\x3d\x84\x35\x1e\x1c\xe0\xba\x7b\x02\xe2\x30\x5d\xe6\x5b\x29\x45\x6b\x5c\x55\x34\x46\x47\xc7\xb0\xb1\x6c\xd8\x36\xdb\xa2\x71\x1a\x4c\xc9\x77\x38\x26\x7c\x46\x2c\x85\xfa\xd6\x08\xa8\x16\x12\xd7\xf8\x9a\x7f\xe6\x63\xbd\x06\x43\x54\xa8\x0f\x8b\xe0\x16\x5d\xf5\xd9\xba\xe1\xc6\x9e\xa5\x69\x62\xb1\x11\x22\x0c\xdc\x13\x6a\xda\x90\xbb\x13\x15\xf8\x65\xca\xff\x1e\x25\x26\xac\xd2\xef\x4c\x36\xa7\x0f\x26\x60\x88\xd7\xd3\x48\xe5\x61\x13\x29\x7
1\x66\x8e\x91\xa8\x90\x04\x08\x5a\x5b\x09\x2f\x8e\x28\x42\x3d\x16\xb7\x49\xcd\xcb\xf9\x2a\x43\x65\xe4\x68\xdd\x67\xbe\x24\x1e\x5d\xea\x70\x5b\x60\x6b\x28\x09\x9a\x5d\x3d\x46\xa0\x76\x20\xfc\x4f\x73\x1e\x3d\x36\x05\xde\xbe\x68\x70\x42\xca\xc9\x37\x42\x73\x67\xc3\x5b\x54\x6a\xf2\xdf\xc0\x94\xa7\x21\xdc\x7f\xd1\x3d\xf6\x8e\x9a\x79\x9e\xcb\x10\x7c\x90\x8b\xac\x9f\x8c\x44\x30\xcc\x10\xc6\x29\x9c\x79\x4d\x02\x8d\x51\x6c\x3e\xf3\xf7\x7f\x9f\x64\x20\x16\x60\x94\x9b\x5e\xe2\x9a\x58\x94\xd7\x38\xfa\x4e\x4b\xcd\xda\x88\xfe\x12\xbc\xff\xe8\x5d\xa7\xb1\x0d\x02\xc8\x09\x22\xf3\x90\x71\x34\xfe\x64\x60\x55\x08\xb6\xcb\xe3\x5e\x97\xf1\x2f\x1b\xb1\x5f\xce\x6f\xac\x0b\x0b\xbe\xd6\x21\x83\xba\x88\xb8\x41\x3c\x69\x2c\x1d\x46\x53\x76\x14\x6a\x5a\xc6\x9e\x0f\x10\x45\x0f\x04\xc8\xb6\xf3\xc9\x0c\x58\xac\x33\x60\x4a\xa8\x11\xa9\xb7\x4e\xbb\xd0\x7b\x06\x84\xc5\x1a\x55\x30\x06\xda\x57\xf4\xdf\x29\xdf\x30\xa6\x46\x22\x26\x6b\x3e\xc0\x6c\x43\x5d\x65\x05\x21\xf3\xea\x72\x5a\x3c\x8c\x12\x8c\x73\xf0\xd3\x44\x7d\xd1\xa8\x5b\x10\xa0\x61\xe9\xac\x44\x69\xbd\x8e\xad\x5b\x59\xcc\x63\x9b\x81\x7e\x67\xd9\x0c\xcd\x77\x3e\x22\x4a\xeb\x67\xdd\x26\x36\x91\x74\x36\xb7\x64\x75\xd8\xe0\x25\x5c\xf7\xd1\x4f\x28\x36\xa5\x0d\x23\xfb\x11\xb3\x84\x35\x48\xb3\xa5\x2d\x8f\xa1\x0c\xa8\xc9\x7e\x1f\x0e\xd7\xa0\x0c\xfc\x80\x67\xa5\xb9\x9a\x41\xc0\x7d\x3c\xe0\xa0\x45\x6b\x84\x43\xbb\x5f\x09\x03\xdb\x5e\x7b\xc1\x6b\x0d\x0d\x4f\x32\x1a\x57\x57\x2d\x33\x68\xd9\x7a\xb7\x70\x58\x30\xd2\x3f\xf7\x8a\xc8\xd6\x94\x02\xc9\x20\xf7\xfb\x91\xd6\xef\xc1\x6c\xe4\x39\x93\xa1\xa6\x8e\xb8\xed\xa0\x8d\x7c\xc5\x5f\xca\x85\x49\xf4\x08\x39\xac\x8e\x5e\x26\x3e\x8f\xcd\xdb\x10\xdd\x20\xfb\xed\xd9\x49\xc8\xd3\xc1\xe1\x86\xe9\xfd\xd5\xaa\x27\x65\xa1\xef\x54\xf9\xe8\xb2\xa7\xa0\xb3\x8f\x1c\x8f\x8d\xaf\xe5\xfc\xef\x0f\xf0\x31\x69\x21\xdb\xaa\xb2\x7f\x6b\x2e\x09\xe4\x9d\x0a\x56\xc9\xad\xe5\xd8\xcb\x65\x86\x99\xba\xa9\x84\x54\x3f\xde\x4e\x72\x0e\x02\xe5\x50\x3e\x83\x5c\x7a\x63\xef\xfe\xe3\xdf\xa5\x8e\x4c\xcd\xbe\x19\x43\xb5\x92\x1b\x58\xfd\x0e\xd6\x64\xe
f\x73\xdf\x89\x23\x18\xe1\x07\x03\x23\x48\x59\xb5\x65\xd1\x7d\xe8\xc9\x25\x19\x8b\x44\x81\x59\xc8\xe8\xd7\x3c\x8b\x1e\x5e\xb6\x87\x05\xe5\x82\xd5\x12\x8f\x20\x7b\x54\x6f\x81\x22\xe0\x4e\x37\xbc\xc9\xd1\xca\x9b\x2c\x7a\xe5\x1d\x45\x42\x44\x8b\x36\xd6\xff\x16\xd9\x98\xee\xce\x9f\x07\xbe\x34\x1d\x1d\x8f\x98\x9f\x23\x44\x60\x40\xa4\x99\x72\x72\xc9\x9d\x45\x34\x83\x72\xfc\x49\xb7\x0f\xb5\xe0\xfa\xca\x97\x51\x84\xc6\x02\x59\x95\xf6\xaa\x49\xf1\xb2\x93\xdf\x66\xd5\x1d\x75\x3d\x9c\x77\x75\x57\x6d\x0e\x77\x01\x34\xd3\xa4\xfb\xd5\x3c\x99\xb0\xa7\xb6\xaf\xe7\x33\x7f\x73\x24\x81\x63\x23\x9a\x71\x4d\xfe\xb2\x85\xb0\xb4\x9e\xf6\x02\xd6\x2a\xd6\x93\x5a\x83\xc8\x3b\xc8\x14\xbd\x40\x7b\x1f\xf5\x22\x82\x92\xf9\xbf\xbb\xd0\x71\xc8\x1d\xc9\x59\x1a\x05\xc9\x50\x7b\xff\x87\xc9\xe5\x27\xb8\xf1\x4e\x8e\xe1\x3d\x18\x7e\xb8\x67\xdc\x2c\x95\xdd\x90\x3c\x37\x69\x2d\x03\xe7\xb0\x09\x85\xfb\xc1\x13\x13\x07\x8d\xec\x7f\xf6\x9f\x2e\x01\xa8\x34\x23\x99\x40\x0f\x98\xcc\x66\x83\x3d\x9c\x85\xff\x7f\x10\xcb\xef\x73\x32\x13\xcd\xae\x61\x54\x5f\x39\xe8\x5c\x59\x30\x2b\x56\x0a\x72\xd0\x43\x7b\x26\x6c\xba\xe1\x6f\xad\x4a\x00\x0d\xde\xa1\x99\x49\x40\x8c\x74\x77\xfc\xb9\x48\x91\x53\x23\xeb\xb7\x9a\x55\xc7\x69\xcc\xb1\x8e\x2f\x55\x2a\xb7\x63\xba\x65\x30\x2a\xe7\xbc\x47\x6e\x36\x25\xeb\x88\xa7\xa6\x69\x8c\xec\xcf\xac\x22\x90\x0c\xa3\xc4\x4d\xec\x88\x66\xb2\xa1\x14\xc0\x83\x1c\xf6\x53\xd4\xc1\xfb\xa9\xa7\x78\x5a\x1c\xaa\x2b\x97\x34\x33\x84\x22\x6b\x1a\xce\xd9\x3d\xa7\x1d\x30\xb6\x65\x06\x45\xbc\x11\x3a\xc6\x2d\x32\xd2\x03\x2d\xdb\x65\x62\x6e\xe8\x6c\x3b\x9d\xfb\xbd\x8d\x0c\xae\xea\x74\x53\xdb\xea\x30\x4e\x34\xd3\xf8\x05\x22\xcd\x31\x7b\x49\xbc\xab\xb8\x69\x33\x1c\x7c\x32\x18\x52\x10\x04\x30\x42\x3b\xcb\x1e\xc1\x5c\x50\xc1\x9b\x76\x6a\x7c\xe4\x71\xd5\x1b\x01\x04\x1b\x68\x5a\x29\xc4\xbf\xdb\x55\x2c\x86\x6d\x58\x3b\x7c\x3c\x7f\xd5\x6c\xfc\x73\x72\x5d\xf7\x84\xe4\xd9\x02\x81\x56\x7f\xe8\xc3\x8d\x86\x6b\x06\xef\x13\xbb\x30\xfd\x23\x90\x6e\x66\x2c\xf9\xd5\x11\x3d\x7b\x52\xb0\x14\xb4\xae\xb3\xa1\x83\x52\x4b\x49\x7b\xe
9\x22\x0a\xe1\xe0\xb2\xf7\x67\x4d\x27\x99\x42\x94\x1b\xbd\x81\xed\x59\x5a\x93\xc2\x34\x13\x99\xb6\xac\x36\xff\x86\x9f\x89\x4c\xae\x29\x13\x08\xb2\x12\x84\xd3\x98\xb5\xfa\x6a\xc7\x6b\x9d\x59\xf0\x3e\x48\xc2\x75\xf4\xf2\x0c\xe0\xa5\x05\x9d\xe6\x9c\xa9\xec\x99\x9d\x73\x20\x2d\xef\x66\x6b\x37\xb3\xa9\x6a\x95\xb1\x2c\x74\x33\x10\x38\xfa\xca\xca\xb1\x88\xda\x87\x8a\x86\x0e\x1b\x39\x9d\x6b\x3b\xd3\xc1\x36\xe0\xa5\xe9\x96\x3c\x16\x91\x88\x9f\x0d\x40\x0f\x34\xdc\xc5\x1e\xf1\x00\x2e\xbf\xee\x28\x14\x60\x5a\x4d\x10\x67\xed\x73\x96\xc1\x15\xe3\xa9\x4f\x15\x1c\x8e\x4a\xa2\x93\x0f\xd8\xbc\x53\x4d\x57\x9d\x5d\x88\x43\xbd\x20\x29\x05\x6f\xc5\x58\xb9\x86\x94\x08\xb9\x95\x1f\x75\x67\x24\x33\xea\xd1\x9e\x10\x9c\xd1\x83\x08\xf1\xc9\xd6\xf9\xcc\xbc\x9f\x76\x79\x93\xb5\x9e\xa2\xb5\x04\x68\x64\xf5\xe0\xc3\xbd\xe4\x2e\x79\x32\xc5\x6b\x9f\xb2\x52\x89\xe1\x6a\xb3\xbe\xbb\x69\x25\x47\xde\x1a\x4d\xbe\x11\x9a\xb2\xbd\x71\xe4\x71\xcb\xdf\x6c\x6e\x85\x19\xac\xa7\x7c\x2c\xbb\x82\x73\x34\x3c\x1b\xed\x23\x92\x2e\x55\x7f\x87\xb4\x08\xd8\x7a\xf7\x88\x96\xed\x30\xf0\xa6\x17\x8a\xd9\x8a\x34\xde\xd6\x14\x84\x43\xfd\xdf\x4a\x5c\x00\xa8\x1a\xe9\xdf\x21\x59\xfd\x65\x8c\x85\x9f\xb6\xb2\x74\x98\x8c\x84\x8f\x99\x3e\x76\x1c\x26\x3e\x90\xd7\xdb\x8f\x66\x2c\x87\x6b\x7a\x61\xff\x2d\x93\x8b\xa7\xfe\xd4\xcb\x5c\xd8\xee\x51\x48\x70\xb5\x05\x20\xe7\x33\xf2\x1c\xdc\x3b\xd7\xed\x41\xd2\x97\xb9\x6d\xfe\xff\x37\x9d\x37\xe6\x07\x1b\xb1\xac\x84\xfe\xff\xab\x2c\xdd\x98\x5f\xea\x2f\xe6\xc4\x6e\x6b\x75\x69\xc8\xc2\x45\x45\x91\x79\x5c\xcc\x56\x51\x1d\x85\x3f\xd2\xa0\x1a\x1e\xb0\xce\x25\x05\xab\x65\x78\x2b\x78\x36\xba\x67\x84\x45\x05\xaa\xbc\xb5\xdc\x63\x72\xa3\x13\xfe\x7a\xcc\x7f\x48\xb0\xd2\xbe\xf7\x94\x03\xc2\x83\x7d\x88\xe5\x2f\xe9\x26\xad\x16\xd5\x1b\xe7\xe8\xc6\x2a\x59\x55\xa6\x1e\x85\x27\x08\x39\xf3\x6e\xee\x94\x63\x70\x92\x7e\xb1\x98\x41\x30\x16\x77\xe8\x37\xab\xac\x18\xd7\x09\xbc\x84\xdd\xa6\x0b\x12\x10\x7a\x23\xeb\x73\x35\x43\xff\x32\xcc\xe5\x24\x8d\x0f\x46\x19\x21\x29\x52\x91\x83\x7c\x15\x0a\x4c\x1d\x48\x9d\x31\xc5\xb
f\x5b\xfc\x2d\xa1\x42\x7e\x1e\xce\x74\xae\xa7\x05\x3f\x1f\xed\xa6\x4f\x09\x9f\xc4\x47\xa7\x90\x8c\xe4\x4b\x13\x46\x15\x49\xf2\x3e\xf1\x8c\x1d\x81\x07\xbe\xfb\x09\xf9\xd7\x19\xa0\xac\x57\x08\x0f\x1c\xdb\xfd\x46\x70\x4d\x79\x94\x7a\xa1\x0c\x5b\x0b\xb2\x26\xe7\xf6\x83\x09\x74\x72\x40\xf7\x73\xa6\x27\x53\x65\x61\xfb\x6c\x1c\x9b\x26\xaa\x5e\x23\xbe\x01\xf2\xd3\xf7\xaa\xdc\x99\x54\x40\x01\x5d\x25\x64\xb9\xc1\x6b\x85\x3d\x66\x57\x24\xf9\xf7\x22\xb3\x4a\xb1\xd4\x4c\x27\xd0\xe0\xcb\x01\xc4\x9d\x9e\x05\xde\x91\xc2\xe0\x40\x76\x4f\x0c\x21\x2e\x6d\x63\xf7\xb7\x24\x93\xdc\xcb\xf8\x58\x16\x4c\xf4\x81\x51\xbb\xe4\xf1\xdc\x2c\x91\x58\x66\x73\x43\x1a\xf7\xb8\x46\x1d\x30\x16\x1c\x56\x11\x70\xdf\xa3\x1e\xdd\xe2\xcc\xc9\xdd\xdb\xc7\xa8\xe4\x62\x31\x75\x24\x05\xcf\x30\x8e\xcd\x8d\x35\x05\x63\x6d\xba\x70\x35\xc9\x4f\x72\x86\x23\xbb\x87\x60\x3a\xfb\x90\xb5\xc2\x3e\x9a\xc1\x93\x7b\x2e\xa3\x98\x4d\x57\x9d\xa2\x99\x70\xef\x04\x9f\xfd\x97\x05\xfa\x28\x3e\xf6\x2f\x1a\x9f\xbb\xef\xbc\x5f\x8f\x3f\x79\xbd\xd8\xd7\x0f\x0a\x89\x39\x72\xe5\xac\xa3\xa1\x64\xe6\x72\xba\x88\xeb\xdb\x62\x06\xa4\xdd\xa5\xeb\x5a\xdf\xd1\x63\x52\xd4\x2c\x4f\xbd\xdf\x11\x7f\x2b\x0d\x30\xe8\xc3\x9f\x1b\xc6\x3f\x3b\xc0\x3b\x45\x2a\x87\x01\x17\xaf\x7a\x3f\xd3\x01\xaf\x71\x4b\xfa\x39\x83\x67\xa9\xac\x2a\xa3\x81\x17\x0b\xc7\xca\x86\x01\x44\x25\x8a\x9a\x38\xa6\x14\x54\xc9\xcd\xef\x24\xf1\xc6\x62\xf2\x8e\x8d\x1e\xe7\x74\x9f\x61\xa9\xc7\x9a\x9e\x16\x59\x3f\x2d\x55\x00\xde\xaa\x73\x0a\xca\x4e\xef\x32\x73\x87\x84\x31\xa8\x74\xb0\x3e\x44\xf6\x49\x5b\x52\xea\x9b\x22\xd9\x41\x7f\xb3\xf2\xcc\xbe\x2c\x48\x2a\xdd\x30\x8e\x4a\x3c\x55\xb7\x53\x2a\x4e\x64\xcf\x10\x8d\x83\x3d\x54\xab\xf3\xcf\x93\xb3\xf9\x08\x52\x63\xd2\x77\x4c\x22\x14\xdc\x62\xe3\xc6\xa7\x88\x69\x46\xb7\xbb\xb4\xd0\xfd\xd8\x2d\x50\x22\x32\xf8\x91\xe9\x5e\x20\x75\xb6\x97\x4f\xcb\xc8\x15\x79\xfe\x8e\xeb\x7e\xe2\x21\xa9\x04\xce\xdb\xbb\xab\x25\x95\xef\x93\x53\x7f\xde\xa0\x3e\xb9\x3b\x49\x68\x01\x19\xd9\x96\xc8\xe7\x06\xdf\xc4\xd9\x94\x33\x95\x4c\x53\x67\x72\x5d\x48\x08\x11\x9b\x6
8\x3b\x59\x64\x1c\x4b\xff\xd3\xfb\xab\x0c\x7e\x12\x5f\x02\xba\xd9\x5c\xbf\xc2\x6e\xab\x96\x07\x9f\x8d\xfb\xf6\x62\x35\x89\xd1\x4e\x0c\x20\xd1\x5e\x07\xc3\x4b\xcc\xce\x36\xfb\x92\x79\x65\xf9\x6c\x8c\xc8\x9b\x3e\x51\x43\x82\x12\xa9\xbe\xc9\x2a\xf4\xb5\x92\xae\x76\xe6\x6d\x53\x1d\x34\x43\x85\xf5\x56\x85\x52\xe3\x7b\xd2\x5c\xbe\x30\x7d\x83\x99\x75\x91\x4f\x30\x91\x5d\x24\xe8\xf3\xd8\x92\xc8\xa1\x9f\xa4\x84\xc3\x5d\xf1\xfb\x92\xaf\x80\xed\xf4\x03\x34\x0c\xac\xed\x5c\x22\x47\x67\xe9\xe6\x87\x45\x65\x63\xdf\xf2\x9c\xa8\x6e\x36\x58\x55\xde\x94\x05\x7b\x66\xc5\x76\xbe\xc5\xf5\xb7\xfc\x3f\x00\x43\x33\x6b\x8a\x48\x7a\xe2\x51\x9b\x8f\xf0\x12\x2e\x7a\xc2\xbf\x57\xd2\x9b\xa6\x48\x08\xdd\x3a\x20\xd2\x6e\x43\x82\xce\x7b\xb1\xfb\xd3\x47\x34\xf5\xae\x66\x25\xee\x8a\x7d\xd5\x6f", 8192); *(uint32_t*)0x20004f40 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x50; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 0x3f; *(uint32_t*)0x200023d0 = 7; *(uint32_t*)0x200023d4 = 0x22; *(uint32_t*)0x200023d8 = 0x8001; *(uint32_t*)0x200023dc = 0x1040000; *(uint16_t*)0x200023e0 = 8; *(uint16_t*)0x200023e2 = 0xf6e1; *(uint32_t*)0x200023e4 = 8; *(uint32_t*)0x200023e8 = 9; *(uint16_t*)0x200023ec = 0; *(uint16_t*)0x200023ee = 0; memset((void*)0x200023f0, 0, 32); *(uint32_t*)0x20004f44 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 9; *(uint64_t*)0x20002450 = 0x40d; *(uint32_t*)0x20004f48 = 0x20002480; *(uint32_t*)0x20002480 = 0x18; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 7; *(uint64_t*)0x20002490 = 7; *(uint32_t*)0x20004f4c = 0x200024c0; *(uint32_t*)0x200024c0 = 0x18; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 0xffff; *(uint32_t*)0x200024d0 = 8; *(uint32_t*)0x200024d4 = 0; *(uint32_t*)0x20004f50 = 0x20002500; *(uint32_t*)0x20002500 = 0x18; *(uint32_t*)0x20002504 = 0; *(uint64_t*)0x20002508 = 0xce0; *(uint32_t*)0x20002510 = 0x1c; *(uint32_t*)0x20002514 = 0; *(uint32_t*)0x20004f54 = 0x20002540; *(uint32_t*)0x20002540 = 0x28; 
*(uint32_t*)0x20002544 = 0; *(uint64_t*)0x20002548 = 1; *(uint64_t*)0x20002550 = 0x100; *(uint64_t*)0x20002558 = 5; *(uint32_t*)0x20002560 = 2; *(uint32_t*)0x20002564 = r[6]; *(uint32_t*)0x20004f58 = 0x20002580; *(uint32_t*)0x20002580 = 0x60; *(uint32_t*)0x20002584 = 0xfffffffe; *(uint64_t*)0x20002588 = 8; *(uint64_t*)0x20002590 = 0xcd95; *(uint64_t*)0x20002598 = 0x1f; *(uint64_t*)0x200025a0 = 7; *(uint64_t*)0x200025a8 = 0x48; *(uint64_t*)0x200025b0 = 0xaac5; *(uint32_t*)0x200025b8 = 6; *(uint32_t*)0x200025bc = 0xad; *(uint32_t*)0x200025c0 = 5; *(uint32_t*)0x200025c4 = 0; memset((void*)0x200025c8, 0, 24); *(uint32_t*)0x20004f5c = 0x20002600; *(uint32_t*)0x20002600 = 0x18; *(uint32_t*)0x20002604 = 0xfffffff5; *(uint64_t*)0x20002608 = 9; *(uint32_t*)0x20002610 = 9; *(uint32_t*)0x20002614 = 0; *(uint32_t*)0x20004f60 = 0x20002640; *(uint32_t*)0x20002640 = 0x11; *(uint32_t*)0x20002644 = 0; *(uint64_t*)0x20002648 = 0; memset((void*)0x20002650, 0, 1); *(uint32_t*)0x20004f64 = 0x20002680; *(uint32_t*)0x20002680 = 0x20; *(uint32_t*)0x20002684 = 0; *(uint64_t*)0x20002688 = 0x10000; *(uint64_t*)0x20002690 = 0; *(uint32_t*)0x20002698 = 0; *(uint32_t*)0x2000269c = 0; *(uint32_t*)0x20004f68 = 0x20002780; *(uint32_t*)0x20002780 = 0x78; *(uint32_t*)0x20002784 = 0; *(uint64_t*)0x20002788 = 9; *(uint64_t*)0x20002790 = 3; *(uint32_t*)0x20002798 = 0; *(uint32_t*)0x2000279c = 0; *(uint64_t*)0x200027a0 = 6; *(uint64_t*)0x200027a8 = 0; *(uint64_t*)0x200027b0 = 0xfffffffffffff20d; *(uint64_t*)0x200027b8 = 0xfffffffffffffff8; *(uint64_t*)0x200027c0 = 1; *(uint64_t*)0x200027c8 = 0x3ff; *(uint32_t*)0x200027d0 = 5; *(uint32_t*)0x200027d4 = 9; *(uint32_t*)0x200027d8 = 0x726; *(uint32_t*)0x200027dc = 0x1000; *(uint32_t*)0x200027e0 = 6; *(uint32_t*)0x200027e4 = r[7]; *(uint32_t*)0x200027e8 = 0xee01; *(uint32_t*)0x200027ec = 7; *(uint32_t*)0x200027f0 = 7; *(uint32_t*)0x200027f4 = 0; *(uint32_t*)0x20004f6c = 0x200028c0; *(uint32_t*)0x200028c0 = 0x90; *(uint32_t*)0x200028c4 = 0; 
*(uint64_t*)0x200028c8 = 3; *(uint64_t*)0x200028d0 = 2; *(uint64_t*)0x200028d8 = 2; *(uint64_t*)0x200028e0 = 0x100000000; *(uint64_t*)0x200028e8 = 0x61a26b8d; *(uint32_t*)0x200028f0 = 6; *(uint32_t*)0x200028f4 = 2; *(uint64_t*)0x200028f8 = 1; *(uint64_t*)0x20002900 = 3; *(uint64_t*)0x20002908 = 1; *(uint64_t*)0x20002910 = 0x100000000; *(uint64_t*)0x20002918 = 3; *(uint64_t*)0x20002920 = 0x8f; *(uint32_t*)0x20002928 = 4; *(uint32_t*)0x2000292c = 0x1ff; *(uint32_t*)0x20002930 = 0x849; *(uint32_t*)0x20002934 = 0x1000; *(uint32_t*)0x20002938 = 7; *(uint32_t*)0x2000293c = r[8]; *(uint32_t*)0x20002940 = -1; *(uint32_t*)0x20002944 = 5; *(uint32_t*)0x20002948 = 0x1f; *(uint32_t*)0x2000294c = 0; *(uint32_t*)0x20004f70 = 0x20002980; *(uint32_t*)0x20002980 = 0x130; *(uint32_t*)0x20002984 = 0; *(uint64_t*)0x20002988 = 0xa00000000000; *(uint64_t*)0x20002990 = 4; *(uint64_t*)0x20002998 = 1; *(uint32_t*)0x200029a0 = 6; *(uint32_t*)0x200029a4 = 9; memset((void*)0x200029a8, 1, 6); *(uint64_t*)0x200029b0 = 6; *(uint64_t*)0x200029b8 = 1; *(uint32_t*)0x200029c0 = 5; *(uint32_t*)0x200029c4 = 0xfffffffe; memset((void*)0x200029c8, 170, 5); *(uint64_t*)0x200029d0 = 1; *(uint64_t*)0x200029d8 = 0x1ff; *(uint32_t*)0x200029e0 = 3; *(uint32_t*)0x200029e4 = 7; memcpy((void*)0x200029e8, "{#-", 3); *(uint64_t*)0x200029f0 = 5; *(uint64_t*)0x200029f8 = 0; *(uint32_t*)0x20002a00 = 2; *(uint32_t*)0x20002a04 = 0x761; memcpy((void*)0x20002a08, "[#", 2); *(uint64_t*)0x20002a10 = 3; *(uint64_t*)0x20002a18 = 0; *(uint32_t*)0x20002a20 = 2; *(uint32_t*)0x20002a24 = 6; memcpy((void*)0x20002a28, "#]", 2); *(uint64_t*)0x20002a30 = 1; *(uint64_t*)0x20002a38 = 0x714; *(uint32_t*)0x20002a40 = 5; *(uint32_t*)0x20002a44 = 3; memcpy((void*)0x20002a48, "*^\\^b", 5); *(uint64_t*)0x20002a50 = 5; *(uint64_t*)0x20002a58 = 0xeb68; *(uint32_t*)0x20002a60 = 4; *(uint32_t*)0x20002a64 = 0xfffffa80; memcpy((void*)0x20002a68, "--$-", 4); *(uint64_t*)0x20002a70 = 6; *(uint64_t*)0x20002a78 = 0xfffffffffffffeff; 
*(uint32_t*)0x20002a80 = 1; *(uint32_t*)0x20002a84 = 1; memset((void*)0x20002a88, 45, 1); *(uint64_t*)0x20002a90 = 1; *(uint64_t*)0x20002a98 = 8; *(uint32_t*)0x20002aa0 = 3; *(uint32_t*)0x20002aa4 = 0xf2; memcpy((void*)0x20002aa8, "!\\{", 3); *(uint32_t*)0x20004f74 = 0x20004c40; *(uint32_t*)0x20004c40 = 0xb0; *(uint32_t*)0x20004c44 = 0; *(uint64_t*)0x20004c48 = 0xcf; *(uint64_t*)0x20004c50 = 1; *(uint64_t*)0x20004c58 = 1; *(uint64_t*)0x20004c60 = 3; *(uint64_t*)0x20004c68 = 0x100000000; *(uint32_t*)0x20004c70 = 4; *(uint32_t*)0x20004c74 = 0x81; *(uint64_t*)0x20004c78 = 5; *(uint64_t*)0x20004c80 = 0x7f; *(uint64_t*)0x20004c88 = 5; *(uint64_t*)0x20004c90 = 6; *(uint64_t*)0x20004c98 = 0xffff; *(uint64_t*)0x20004ca0 = 3; *(uint32_t*)0x20004ca8 = 0x1f; *(uint32_t*)0x20004cac = 3; *(uint32_t*)0x20004cb0 = 8; *(uint32_t*)0x20004cb4 = 0xc000; *(uint32_t*)0x20004cb8 = 0xf5c8; *(uint32_t*)0x20004cbc = r[10]; *(uint32_t*)0x20004cc0 = r[11]; *(uint32_t*)0x20004cc4 = 2; *(uint32_t*)0x20004cc8 = 9; *(uint32_t*)0x20004ccc = 0; *(uint64_t*)0x20004cd0 = 4; *(uint64_t*)0x20004cd8 = 0x80; *(uint32_t*)0x20004ce0 = 5; *(uint32_t*)0x20004ce4 = 2; memset((void*)0x20004ce8, 170, 5); *(uint32_t*)0x20004f78 = 0x20004e40; *(uint32_t*)0x20004e40 = 0xa0; *(uint32_t*)0x20004e44 = 0; *(uint64_t*)0x20004e48 = 0x400; *(uint64_t*)0x20004e50 = 6; *(uint64_t*)0x20004e58 = 2; *(uint64_t*)0x20004e60 = 0x400; *(uint64_t*)0x20004e68 = 7; *(uint32_t*)0x20004e70 = 4; *(uint32_t*)0x20004e74 = 9; *(uint64_t*)0x20004e78 = 4; *(uint64_t*)0x20004e80 = 0x1000; *(uint64_t*)0x20004e88 = 0xffff; *(uint64_t*)0x20004e90 = 6; *(uint64_t*)0x20004e98 = 1; *(uint64_t*)0x20004ea0 = 0xffff; *(uint32_t*)0x20004ea8 = 0x65f; *(uint32_t*)0x20004eac = 0x647c2b8f; *(uint32_t*)0x20004eb0 = 0x400; *(uint32_t*)0x20004eb4 = 0x8000; *(uint32_t*)0x20004eb8 = 8; *(uint32_t*)0x20004ebc = r[12]; *(uint32_t*)0x20004ec0 = r[13]; *(uint32_t*)0x20004ec4 = 3; *(uint32_t*)0x20004ec8 = 0x6b; *(uint32_t*)0x20004ecc = 0; *(uint64_t*)0x20004ed0 = 
0; *(uint32_t*)0x20004ed8 = 0xd; *(uint32_t*)0x20004edc = 0; *(uint32_t*)0x20004f7c = 0x20004f00; *(uint32_t*)0x20004f00 = 0x20; *(uint32_t*)0x20004f04 = 0; *(uint64_t*)0x20004f08 = 0x800; *(uint32_t*)0x20004f10 = 0; *(uint32_t*)0x20004f14 = 0; *(uint32_t*)0x20004f18 = 0x10001; *(uint32_t*)0x20004f1c = 0; syz_fuse_handle_req(r[5], 0x200003c0, 0x2000, 0x20004f40); break; case 23: memcpy((void*)0x20004f80, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004f80, r[5]); break; case 24: syz_init_net_socket(0x24, 2, 0); break; case 25: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[14] = res; break; case 26: *(uint32_t*)0x20004fc4 = 0x5004; *(uint32_t*)0x20004fc8 = 0; *(uint32_t*)0x20004fcc = 1; *(uint32_t*)0x20004fd0 = 0x1de; *(uint32_t*)0x20004fd8 = r[14]; memset((void*)0x20004fdc, 0, 12); res = -1; res = syz_io_uring_setup(0x343, 0x20004fc0, 0x20ffc000, 0x20ffb000, 0x20005040, 0x20005080); if (res != -1) { r[15] = *(uint64_t*)0x20005040; r[16] = *(uint64_t*)0x20005080; } break; case 27: memcpy((void*)0x200050c0, "/dev/uinput\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 2, 0); if (res != -1) r[17] = res; break; case 28: memcpy((void*)0x20005100, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0x488200, 0); if (res != -1) r[18] = res; break; case 29: *(uint8_t*)0x20005140 = 0x1e; *(uint8_t*)0x20005141 = 3; *(uint16_t*)0x20005142 = 0; *(uint32_t*)0x20005144 = r[14]; *(uint64_t*)0x20005148 = 0x200; *(uint32_t*)0x20005150 = 0; *(uint32_t*)0x20005154 = r[17]; *(uint32_t*)0x20005158 = 6; *(uint32_t*)0x2000515c = 1; *(uint64_t*)0x20005160 = 0; *(uint16_t*)0x20005168 = 0; *(uint16_t*)0x2000516a = 0; *(uint32_t*)0x2000516c = r[18]; memset((void*)0x20005170, 0, 16); syz_io_uring_submit(r[15], r[16], 0x20005140, 0x3dd1); break; case 30: memcpy((void*)0x20005180, "/dev/keychord\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x20005180, 0x171000, 0); if (res != -1) r[19] = res; break; case 31: 
memcpy((void*)0x200051c0, "/dev/ubi_ctrl\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x200051c0, 0x10400, 0); if (res != -1) r[20] = res; break; case 32: *(uint32_t*)0x20005240 = 0; *(uint32_t*)0x20005244 = 0x20005200; memcpy((void*)0x20005200, "\x46\x23\xd8\xa4\xce\x02\x17\xc9\xe5\x95\x55\xc1\x66\x89\x06\x79\xe3\xe0\xc1\x94\x0d\xf5\xb9\xfc\xbf\x91\x64\x9e\xf5\x4d\x80\xf0\xc8\xbc\xc8\x0e\x36\xb5\x57\x4c\x4b\xc9\xf9\x43\x40\x18\x54\xf5\x6a\xa2", 50); *(uint32_t*)0x20005248 = 0x32; *(uint64_t*)0x20005280 = 1; *(uint64_t*)0x20005288 = 0; syz_kvm_setup_cpu(r[19], r[20], 0x20fe8000, 0x20005240, 1, 0, 0x20005280, 1); break; case 33: res = syscall(__NR_mmap, 0x20ffc000, 0x2000, 0x1000000, 0x8000, (intptr_t)r[18], 0); if (res != -1) r[21] = res; break; case 34: *(uint32_t*)0x200052c0 = 1; syz_memcpy_off(r[21], 0x114, 0x200052c0, 0, 4); break; case 35: memcpy((void*)0x20005300, "adfs\000", 5); memcpy((void*)0x20005340, "./file0\000", 8); *(uint32_t*)0x20005540 = 0x20005380; memcpy((void*)0x20005380, "\x87\x35\x19\xf2\x5d\xf0\x82\xb3\x71\xba\x5b\x45\xad\xb5\x70\x9c\x00\x80\x57\x47\xc3\x7f\xe0\x44\x06\x45\x95\xcd\x47\x28\xbf\x89\x80\x30\x2b\x25\xb4\xb0\x83\xb4\x2b\x41\x33\x6e\x13\x0f\x1b\x6f\xf0\xa2\xf1\x72\x49\x8e\x52\x2b\x4f\xe5\x82\x6e\xab\xab\xf5\x3a\x98\x52\xf9\x3e\xbe\xb8\x41\xe1\x64\x5f\x32\x93\x61\x27\x02\x9d\x68\xfe\x73\xec\xed\x89\xc1\xb9\x35\x87\x01\x2a\x47\xc4\x2a\x58\x3d\x69\x75\x59\x2b\x3f\x2c\xdf\x43\x37\xfc\x6d\x5e\x85\xe5\xf5\x83\x5f\xaf\xe0\x95\x93\x5e\xc9\x04\x84\xe9\x08\x1a\xa8\xd2\x24\x98\x43\x13\x01\xba\xad\x4a\x34\x36\x8c\x26\xc6\x4d\x85\x32\x6c\x7e\x00\x68\x21\x78\xf8\xd1\x3e\x6a\x89\x69\xf1\x5b\x9d\x5d\xbc\xfe\xc2\xc0\xe6\x96\x80\xc3\x92\x8c\xa0\x15\xb9\x2e\x25\xf5\x07\x8d\xe3\x54\xfe\x32\xcc\x71\x21\x60\x9a\x07\x62\xe1\xb7\x3e\xfd\x89\x67\xa2\xfe\x23\x5e\x4d\x1e\xf9\xe5\xac\x88\xbc\x1e\xd7\x06\xa9\x84\x64\x1b\x06\x47\x0b\x22\x94\xd0\x45\xce\x7e\xba\x51\xc0\x72\x89\x38\xa2\xc6\xee\xb6\xd8\x57\x44\x29\xcc\x24\xbc\xb2\xa7\x84", 241); 
*(uint32_t*)0x20005544 = 0xf1; *(uint32_t*)0x20005548 = 0x40; *(uint32_t*)0x2000554c = 0x20005480; memcpy((void*)0x20005480, "\x62\x93\x5b\xfe\x26\xe9\xc9\xf2\xdc\x3c\x3e\x9d\xfb\x49\x18\x58\xef\xb5\x98\x36\x9b\xcc\xa5\x19\x23\x98\x9b\xa9\x43\xcf\x44\x7b\xaf\x56\x62\x5d\xf0\xf6\x85\xed\x2d\x03\x4b\x37\xc0\x75\x63\xf6\x68\x72\x8f\x6d\xc6\x83\x36\x09\xb1\x22\x19\x70\xe5\x50\x88\x86\x9d\x29\xc0\x1b\x2d\xd0\x5c\x48\x20\xb0\x80\x42\xb5\x07\x40\x08\xc9\x75\x77\x12\xc4\x80\xe2\x5d\x89\xb9\xc4\x8e\x95\x7e\x5b\x5c\x7b\x0b\xec\xcf\xb1\xfc\xcc\xed\xbc\xed\xc8\x38\x06\x03\x80\x75\xfc\x2a\x0f\x82\x28\xbe\xb4\x7f\x1f\xec\xe0\x9b\xdd\xcb\xbe\x00\x21\xab\xe9\xc3\xd1\x98\x36\x9b\x81\xb6\x7d\xbd\x6a\x7d\x33\x4b\x8d\x28\xb8\x02\xcc\x97\xd9\x34\xc1\x64\xe9\x7d\x9d\x7b\x70\xdc\x6c", 161); *(uint32_t*)0x20005550 = 0xa1; *(uint32_t*)0x20005554 = 0x1ff; memset((void*)0x20005580, 170, 5); *(uint8_t*)0x20005585 = 0x2c; *(uint8_t*)0x20005586 = 0x2c; memcpy((void*)0x20005587, ":&-]!", 5); *(uint8_t*)0x2000558c = 0x2c; memset((void*)0x2000558d, 125, 1); *(uint8_t*)0x2000558e = 0x2c; memcpy((void*)0x2000558f, ",-V", 3); *(uint8_t*)0x20005592 = 0x2c; memcpy((void*)0x20005593, "\\*})", 4); *(uint8_t*)0x20005597 = 0x2c; memcpy((void*)0x20005598, "*^\\^b", 5); *(uint8_t*)0x2000559d = 0x2c; memcpy((void*)0x2000559e, "appraise", 8); *(uint8_t*)0x200055a6 = 0x2c; memcpy((void*)0x200055a7, "fowner<", 7); sprintf((char*)0x200055ae, "%020llu", (long long)r[8]); *(uint8_t*)0x200055c2 = 0x2c; memcpy((void*)0x200055c3, "smackfshat", 10); *(uint8_t*)0x200055cd = 0x3d; memset((void*)0x200055ce, 170, 5); *(uint8_t*)0x200055d3 = 0x2c; memcpy((void*)0x200055d4, "obj_type", 8); *(uint8_t*)0x200055dc = 0x3d; memset((void*)0x200055dd, 170, 5); *(uint8_t*)0x200055e2 = 0x2c; memcpy((void*)0x200055e3, "dont_appraise", 13); *(uint8_t*)0x200055f0 = 0x2c; memcpy((void*)0x200055f1, "dont_measure", 12); *(uint8_t*)0x200055fd = 0x2c; memcpy((void*)0x200055fe, "fowner<", 7); sprintf((char*)0x20005605, "%020llu", (long 
long)r[9]); *(uint8_t*)0x20005619 = 0x2c; memcpy((void*)0x2000561a, "dont_appraise", 13); *(uint8_t*)0x20005627 = 0x2c; *(uint8_t*)0x20005628 = 0; syz_mount_image(0x20005300, 0x20005340, 0xfd, 2, 0x20005540, 0x8800, 0x20005580); break; case 36: memcpy((void*)0x20005640, "/dev/i2c-#\000", 11); syz_open_dev(0x20005640, 0x40, 0x300); break; case 37: memcpy((void*)0x20005680, "net/if_inet6\000", 13); syz_open_procfs(r[6], 0x20005680); break; case 38: syz_open_pts(r[19], 0x800); break; case 39: *(uint32_t*)0x20006c40 = 0x200056c0; memcpy((void*)0x200056c0, "\x46\x41\x06\x38\xb7\xa1\x28\xc1\x5c\x6c\xb2\x7d\x23\x35\x80\x6d\xa8\x7c\x0d\x49\x15\x42\x44\x52\xcf\x0b\xa9\xee\xe0\xa5\xd4\x9d\x63\x4f\x09\x0d\xf2\x6f\x35\xbb\x04\x33\xc1\x3a\x27\x0d\xcb\x44\xcf\xe9\xba\x62\xb5\xba\x38\xd4\xae\x3c\x65\xea\xd2\x72\x7f\x1d\x2a\x5f\x02\xda\xa2\x70\xce\xa6\xf4\xf6\x09\x02\xe2\xed\xa6\x54\xb1\x6e\xc6\x63\x5a\x1c\x6c\xd1\x5d\x6b\xd6\x34\x32\x14\xb8\x34\x22\xd1\xa1\x9b\x5d\xae\x43\x9b\x9f\xbc\x3d\xb5\xc2\x18\xd4\xb0\x8a\xcf\xc9\xfc\xdb\xe5\xd4\xe6\xa5\x12\x7a\xda\xdc\xe6\x10\xd8\x15\xe8\xc6\xd8\xad\xc7\x86\x89\xea\xae\x29\xd8\x1a\x20\x04\x0a\xee\xef\x4e\xe5\x5d\x77\x01\xea\x72\x5e\x91\xb7\x4f\x5b\x37\x81\x4b\xee\xd1\x18\x54\x99\x79\xc8\xa4\x0d\x0b\x29\x09\x77\xad\xa4\xd6\x58\x74\xc7\xdc\xca\x03\x0a\x9a\x15\x50\x9b\xc2\x7e\x6e\x87\xd5\x26\x91\x24\x37\xb8\x69\x04\xf7\x42\xc9\xc1\x3c\x1e\x00\xbc\x5e\x3e\x94\x3c\x14\x30\xd1\xcc\x01\x8f\x5a\x4d\xec\xf2\x46\x02\xdb\x5b\xf2\x28\x6e\x64\xce\x75\x1d\x8d\xf1\x6f\x28\x09\x34\xfb\x08\xb6\x19\xb2\xb5\xe9\x31\x19\x5a\xd2\xf7\xc8\x7a\xe9\x56\xc6\x4a\x2f\xda\xc4\xfd\x79\x16\x11\xac\xc2\xa8\x65\xd9\x94\xea\x90\xed\x15\x85\x81\xe8\x0d\x03\x86\xb1\x53\xf1\x9f\xab\x27\x81\xb7\x2d\x1d\xe0\x03\xb1\x87\xd2\xb1\x19\x53\x42\xb3\xa0\x03\xbf\x44\x83\xb4\xd8\x90\xab\x1b\x2f\x51\xe8\xd5\x8f\x0a\x5a\xd7\x8e\x0d\xf9\xd6\x29\xc2\x2c\x2a\x32\x4a\x98\x2e\x1f\xc2\x73\x8c\x36\x0d\xb3\xa8\xba\x5e\x55\xae\x5c\x9d\x58\xf1\xc2\xf6\xbe\xd0\xb6\xde\x5b\xb4\xee\x3b\x5f\x84\x2c\xee\
xf9\x1b\x20\x56\x54\x1f\xf5\x53\x12\xee\x90\xa2\xbd\x09\x97\x06\x6c\x37\xf3\xd8\x37\x78\x95\x92\x1b\x08\x02\x15\x89\x04\x9e\xd7\xb2\x3c\xeb\xaf\x9b\x41\xd0\x8e\x75\x90\x58\xa3\x45\x2c\xb9\xdf\x2a\xee\x1d\x2b\x90\xe5\x10\xba\x9b\xc9\x48\x40\x0a\x69\xaa\x13\x83\x3d\x1b\x4c\x44\x44\x51\x29\xe0\xaf\x50\x12\xfd\x6a\x53\x41\x81\xfb\x20\x42\x68\x26\xa4\xb3\x69\x4e\x4a\x51\x81\x19\x9d\xf1\xed\x31\xde\x36\xf2\xed\x49\x21\x18\x22\xad\x91\x5d\x3b\x71\xac\xae\xcf\xf3\xc8\x4d\x4e\x3b\xb1\x9f\xba\x32\x19\xe2\x61\x45\x73\x5f\xf7\x1d\xce\xee\xee\x7a\xa2\x47\x53\x9a\xd2\x73\x11\x13\xd3\xf3\x64\x42\x6b\xe9\x00\x6e\x6b\x0e\x35\x8b\x81\xd4\x07\x45\x49\xe0\x8e\xf2\x76\x13\xa3\x71\x5e\x5e\x89\xba\x0a\x71\xe3\x99\x52\x31\xe9\x9a\xac\x5e\x4e\xe7\x07\x8f\x59\xe3\xe7\xd4\xfa\xbe\xd2\x6e\x75\x07\x41\x1f\xbe\x4b\x03\x53\x10\x62\x78\xac\x69\xf3\xb9\x1e\xc6\x9f\xa5\x42\xeb\x7c\x96\x43\x94\x06\x2f\x65\xc6\x50\x19\x7f\xbe\x73\x3c\x22\x83\x26\x73\xd0\x66\xe4\xed\x40\x07\x3b\x28\x4e\xe4\xe5\x1b\x12\x59\x36\x7d\x4e\xb9\xe1\x72\x00\x7e\x6f\xb8\x0a\x0a\x6f\xe6\x2b\x3f\x3d\x5e\x5b\x68\xfe\x04\x7e\xa4\xd6\xfb\xfa\xa3\x0a\x00\xfc\x29\xbc\x58\xa3\x1c\xfb\x82\x12\xf2\xc4\x9c\x3a\x2e\x71\x1a\xe5\x02\xbd\x64\x7b\xd5\x6b\xb7\xcf\xc1\xd8\x4d\x14\x18\x27\xbe\x21\x1b\x5f\xfb\xed\x78\x6b\xfa\x13\x13\xd2\xae\xd5\x34\xf0\x00\x19\x36\x3a\xc1\x29\x61\x2c\xa2\x5c\x76\x3b\x07\x7f\x5a\x72\x4d\x61\xfc\x79\x74\xfa\x82\x4b\xad\xc1\x40\x06\xf2\xfe\xbf\xb1\xe3\x5a\x3d\xd7\x2e\x82\x33\x4a\x26\x37\x56\xff\x42\x04\x68\x0c\xba\x1c\x03\xc5\x5e\x09\xdf\xfb\x5a\x58\xe4\xc5\x5b\x5b\xd7\xa7\x0e\xe8\x52\x59\x29\xa0\xee\x9f\x90\x91\xe3\x4b\xb8\xd2\xf0\xaf\x6d\x2a\x26\x70\xc5\x91\x18\x6b\xee\x6c\xed\xda\xb8\xe1\xfe\x8d\x4b\xe3\x97\xa5\x45\xc4\x83\xfd\x68\x4c\xd8\x12\xdf\x5e\x31\x2a\xb5\xf4\x81\x2b\x47\x84\xef\xae\xf1\xc3\xdb\xe7\x90\x94\xfb\xab\xd6\xca\x5f\x0a\x45\x46\x23\x96\xf8\x18\xa5\xc7\xbf\x61\xc8\xc3\xf4\x33\x66\xc1\x26\x5f\x46\x38\xd1\xdc\x7b\xde\x11\x46\x10\x35\xc7\xaf\x77\xe6\x84\x4c\x5d\x47\xbc\x18\x97\xdf\xab\xec\x76\x87\xed\
x25\x79\x4a\x71\xa3\xaa\x2b\xe1\x66\x57\x19\xe7\xea\xf6\x49\xbf\xaf\xfc\xea\x24\x92\xd4\x3b\xca\x7f\x03\x04\x21\x0c\xfc\xa9\x1a\x0d\xad\xf6\x6b\x7c\x3c\x6b\xaf\x8c\x50\x55\xef\x4f\x3c\x56\xaa\x03\xbb\x6e\x40\x0d\x7c\xac\xa6\x9e\x42\x43\xac\x71\xc9\x39\xcc\xf2\x73\x10\xb7\x3b\xa5\x98\x97\xe2\x02\x0c\x71\x7c\x33\xdb\x9a\x4a\x58\x29\x12\xa3\xa8\xd7\xc0\xa8\x70\xb1\x2a\x9f\x98\x2a\xaf\xd0\xcf\x15\x95\x75\x18\x9d\x8c\x26\x88\x64\x34\x22\x9f\xb0\xc7\x6c\x56\x50\x8b\x63\x8a\x25\x09\xb6\x58\x47\x72\x2a\xf1\x97\xe9\x5c\xf0\xcf\xf2\x36\x84\x48\xd4\x2a\xd6\x2d\xb2\x7f\xf0\x17\xa7\xfb\xed\x92\x3b\xef\x62\x83\x40\x87\x12\xc3\xf0\x4a\x79\x03\x38\xf4\xf8\x0c\xf4\xf3\xe9\x2f\xaa\xfa\x3b\xf6\xcf\xf5\xed\x3c\xf3\xb1\x7b\x50\x50\x75\xe1\x2b\x69\x58\xbf\x2e\x5c\xb4\x02\x41\xf6\x72\x87\x4a\x0f\x94\x0f\xd5\x7e\x82\xe9\xca\xff\x11\x3d\x67\x1d\xa2\x3d\xa3\x43\x6a\x31\x80\x0c\x2d\x34\x87\x96\x5f\x87\xc3\xf8\x25\x06\x10\xaa\xff\x78\x3d\x78\x59\x5e\x19\x26\xb7\x7e\x97\xb2\xe3\xad\x09\x08\x7a\xf9\x19\xac\xe3\xf0\x4f\xd2\x75\x88\x7b\x1f\xc8\x1e\xe2\xf5\xba\xd8\xde\x1c\xc3\x5e\xe0\xc0\x3a\xde\xed\x9a\x91\x97\xd7\xa8\xfa\x5d\xb5\x9d\xc5\x00\xa9\x4b\xd1\x84\xa2\xa8\x0d\x97\x04\x79\x7e\x76\xbc\x0f\xc4\x3e\xd5\x72\x96\x14\x3d\xc9\xd8\x58\xb1\x4a\x7b\xdf\xb4\x18\x19\x7f\x09\x74\xb6\xee\xe2\x99\x95\x80\x51\xb1\xd4\x14\xab\x12\x6c\xef\x5b\xc3\x6a\xe4\x05\x5c\x4f\x19\xe7\xe0\x1d\x20\x92\xd9\x9f\x1d\x2a\x5a\x56\x61\x4f\xed\xf4\x81\xd5\x78\xcb\x85\x1a\xd7\x3e\x18\x29\xbc\x35\x0f\x7e\x56\xee\x0d\x2e\x71\xfe\x73\x1c\x1b\x30\xfd\x84\x5f\xd8\x2c\xa0\xac\xf0\x29\xaf\xf4\xa7\x5e\x0d\x38\xfb\x7a\xf5\x82\xa1\x9c\x0c\x7d\xeb\x19\x54\x4b\xc7\xa1\x3c\x18\x96\x03\x24\x41\xcb\xa6\xae\x39\xc3\x5a\xe8\x80\xb4\x5a\x5c\x97\x54\x5a\xc0\x99\x24\x3a\x79\x1c\x6f\x2e\xb9\x35\x56\x20\x8b\x8b\x20\x35\x42\x75\x2a\x67\x3b\x9d\xf0\x2b\xf0\x4a\xd3\xc1\x8e\xec\xaa\x5e\xb2\x2d\x1b\x65\xe5\x9c\x34\x49\xb5\xcc\x42\xdf\x35\x0d\xd4\x82\x2b\xcf\x67\x1d\xf7\x84\x20\x68\x9c\xac\x22\x65\x8c\xd9\xf0\xf3\x90\xe2\x6e\x07\x96\xac\x4b\x7f\x30\xb1\
x98\x9f\x09\xcf\x5b\xa5\x16\xeb\x16\x67\xec\xc1\xd8\x53\x73\x9a\x20\xe5\xe7\x85\x99\xbd\xa8\x30\xd0\x02\xd4\x5e\xb6\x6d\x63\xa7\x78\xb8\x41\x2a\xf5\xd6\x3e\x3e\xf2\x64\x94\xe2\x1b\xbc\xde\x5b\x97\xa9\x4f\x79\x78\xac\x90\x3d\x46\x7c\x5b\x6d\x07\x17\xdc\x4a\x9d\x14\x6e\xd4\xb5\x8b\xfe\x37\x3a\x59\x08\x70\x2f\x99\x7f\x10\x90\xb4\xb1\x90\x93\xf8\x90\x50\x85\xec\xb6\x91\x10\x7b\x05\x9e\x0e\x1c\xd0\xc4\xa9\x4c\x9a\x47\x3a\xf2\xd1\x2b\xd5\x99\x8a\x8b\x8b\x48\x02\xf9\x31\xb9\x05\x15\x51\x9f\x20\xfe\xea\xde\xa5\x68\x4c\x06\x4f\x9a\xdb\x42\x39\x35\xb8\xde\x29\x8b\x03\xe5\x79\xab\xad\x6a\x23\xa8\x6c\x86\xed\xd3\x9c\x2e\xd6\xa4\x68\x5e\x69\xbc\x71\x54\x05\xab\x7a\x3f\x27\x66\x4b\xdb\x68\xfe\xf1\xfc\xd0\x90\xf0\x60\x38\x1f\x1a\xa3\x74\xa0\x74\xa6\x40\xf9\x91\xec\x6d\x8b\x28\x8b\x1b\x05\x07\x06\x85\x60\x31\x4f\xe9\x4a\xeb\x85\xc4\x2f\x4d\xf3\xad\xb2\x14\x85\x69\x65\x15\xda\x2f\xa7\xf4\x41\xb7\x53\xd5\xf8\xca\x45\x45\xf2\xd1\xdc\x1e\xb3\x4e\x41\x8c\x04\x3b\xeb\x51\x8b\xb3\x5f\xe3\x02\x35\xaa\xbf\x7e\xc5\xf3\x71\xb3\xa4\x8c\x0e\xa6\xa6\x13\xeb\xb4\xe4\xda\x5b\x71\x40\x8a\xa5\x57\x74\x23\x9a\xc7\x49\x03\x0a\x52\x74\x0c\xd8\x53\x5b\x9e\x3d\x28\xa4\xe8\x7b\x4c\x4f\x40\x44\xc8\x19\x5c\x32\x11\xf9\x47\xe5\x00\x7d\xf7\xb6\x4e\x37\xc4\x14\xbf\xd5\x4f\x7b\x59\x82\x37\x20\xbe\x00\x49\x8c\x18\xb5\x7d\xad\x00\x43\xf0\xc5\x0a\x75\x81\x74\x18\xc1\xdb\xc3\xdb\x8d\xc7\x33\xce\xb2\xb5\xb6\xd2\x0b\xec\x1e\x38\xa2\xf9\x09\xaa\x61\x94\x80\xe2\xca\x05\xd9\x00\x0b\x7e\xaf\xf3\x70\xc0\x77\xed\x38\x94\x22\x89\x0d\xd4\x26\x27\x8c\x63\xc2\xac\x42\x85\xe8\x40\xe6\xc7\xf9\xda\x04\xd6\x9a\xf4\x48\x2d\x96\xee\x58\x24\xde\x09\x16\x14\xd8\xb1\xb4\xcf\x49\xf5\xa7\x01\xe4\xb4\x2f\xf5\x8a\x62\x82\x3c\x27\x76\xfb\xa4\xc2\x7e\xc8\x6c\x24\xba\x10\x3e\xd0\x1c\x66\x72\x9a\xd6\x02\x92\x4a\x51\x37\xb7\x18\xd8\xdd\xee\xb0\x83\x39\xd8\x3c\x45\xfe\xca\x01\xc3\x93\x35\x7a\x67\x64\x38\x11\x43\x63\x59\x1d\x31\xc2\xba\x6f\xaf\xa5\xd8\x57\x1a\xf7\xc3\xa3\x69\x0f\xde\xb0\x99\xe4\x41\x92\xb5\x87\x1f\xd0\xa3\x36\x5f\xb2\xe2\x30\xc6\
xc0\x3a\x74\x73\x78\x2b\x30\x3a\x5b\xe1\x4f\x03\x8d\x8e\xa3\x4a\x63\x08\x43\x00\x51\x6e\xb7\x88\x4e\x59\x33\x58\xe6\x6b\x3d\xfb\x6d\xac\x4d\x08\x15\xd5\x8d\xaf\xb8\x5e\x8c\xca\x44\x26\x53\x6a\x38\x4d\xc8\x9f\x74\x13\xf1\x4c\xc9\x2e\x73\x77\xa9\x09\x38\xf9\x9e\xf7\xf5\x35\xc2\x18\xae\x2e\x90\x9a\xcd\xbf\xd7\xeb\x5b\x0b\x47\x40\x8e\x3d\x6d\x73\xdd\xa3\x9f\xbd\x6b\x23\xaf\x18\xf1\xa6\x70\x3e\xe3\xb1\xf7\x5b\xb7\xc0\x00\xa4\xca\x5a\x7b\xcc\xaa\xe8\x6c\x4a\xba\xc8\x1d\xa2\x93\xe4\x3f\x91\xd2\xc3\xdf\xf1\x2f\xfa\x52\x29\x13\x9a\x08\xae\x5f\xc2\xec\x13\x9b\xe9\x78\xb8\x18\x2d\x6a\x60\xc7\xff\x39\xbb\x0a\xa8\x20\xa1\x07\xd9\x2e\x38\xb9\x5e\x74\x8a\x18\x4b\x53\xf5\x62\x4f\x45\x72\x39\xf6\x38\x4d\xdd\xcb\x9f\xd7\xe8\xef\x29\x52\x65\xd7\x9b\x64\xc5\xc0\xa9\x3b\xf2\x16\x35\xb8\xc6\x80\x90\x78\x10\xd8\xe7\x2a\x58\x1e\x5a\xa0\xe0\x0f\xbf\x35\x1e\x3c\x84\x1c\x7d\x0c\x51\xa2\x63\x68\x37\xb2\x7c\x6a\x91\x42\x5b\x50\x6a\x22\xc2\x7d\x14\x20\xd0\xb1\x3e\x60\xde\x3e\x9c\x56\x66\x7a\x98\x98\x3b\xa9\xbd\xd1\xc5\xa5\x2d\xc6\x12\x7b\x65\x9e\x6d\x80\x70\x69\x59\xf0\x7d\x3a\x5f\xa8\xb3\xb8\x8e\xab\x05\xe7\xa0\xc0\x4e\xe1\x2a\x21\x37\x2c\x71\x3f\x64\xc6\xad\xbe\xed\xd7\xa8\xb7\xa6\x92\x67\x49\x75\xbb\xe5\x5c\xe4\x02\x71\x44\x02\xf2\x0c\x7f\x57\xff\x1f\x79\x35\x7d\x8e\xda\xbe\xf1\xd8\x68\xf0\xa2\xb3\xdd\x7a\xa3\xbb\xe5\x8e\x80\x81\x49\x70\x73\x4f\x7d\xec\x70\xd3\x14\xe8\x11\x59\x3a\x32\xcc\x86\x1f\x4a\x8a\x4b\x3f\x0d\x7c\xeb\x4e\xbb\x32\x66\x4f\x56\x44\x49\x7a\xc9\x56\x2c\xdd\x5a\x54\x19\x3f\x22\x38\xe6\x5c\x18\x74\xc8\x64\x21\xc5\xcf\xb4\x3a\xe1\x56\x93\x1c\x78\x40\xd1\x0d\xe4\x7a\x4d\x0f\x2f\x31\x74\xc3\x6c\x86\x45\xac\x02\xf5\x44\xc3\x69\x0b\x51\x37\xaf\x7d\x2c\xed\x3f\xb0\x43\x59\xbb\xf2\x2b\x67\x20\xea\x94\xf2\xe3\xb5\x67\x5f\xb7\x7a\xde\x56\xc9\x77\xd6\x68\x06\x4e\xfd\xd1\xc6\x15\x11\x9a\x52\x8c\x9e\xc1\x35\x3e\x84\x10\x3e\x5d\xce\x6a\x0b\xd0\x73\xf9\xff\xbe\xa0\x81\x9c\xf6\xc0\xcc\x58\xea\xd0\x0c\x92\x34\x02\x98\xcc\x09\x45\x64\x11\x7f\x3f\xb8\x94\x27\x4c\xa9\x1d\x79\x76\x45\x96\x19\xf5\
x44\xb2\x50\x58\x6c\x6d\x44\xaf\xba\x55\x74\xb7\xef\x51\x26\xb0\x70\x40\x9a\x1f\x5e\xed\xc6\x50\x07\xb0\x03\x39\xf1\x60\x42\x2f\xff\x38\xd6\x7e\xaa\x8d\x78\x2f\xc4\x19\x2a\x29\x81\x08\x79\xeb\x12\x85\x99\x42\xfa\x14\x1a\x21\xc3\x9d\x9e\xea\x03\xeb\xa1\xaa\x7b\x3a\xc7\xe2\xb1\xda\xf4\xf6\x9f\x47\x5b\x8e\x75\xc5\xac\x7c\x2e\xfd\xd7\x77\x93\x2d\x40\x31\x43\xcd\xd0\x89\x02\xd5\xe3\x45\x93\x01\xc2\x8c\x88\xc4\xdf\x34\x2c\xa1\x39\x10\xb7\x60\xe3\x4c\x40\x19\x4b\xb5\x1b\x82\xcf\x14\xad\xee\xd5\xae\x47\x51\x7d\x3c\xbc\x73\xbb\xb5\xa8\x89\x9c\x30\xe6\x06\x51\x99\x89\xa8\x5d\x2e\x15\xb0\xe8\x9e\xbb\xa4\x3f\x0c\x8a\x75\x2f\x07\x01\x03\x80\xca\xa7\x0d\xc4\x09\xff\x80\x5c\x24\x57\x48\x29\xd0\x6b\xb9\xa1\x49\x5d\x5a\x30\x85\xdf\x90\x29\xe2\x3d\x92\xbb\xc4\x6d\x7c\x7c\x1d\xb7\x36\x5e\x92\xe8\xd2\x44\x9a\xad\xe3\x89\x26\xa6\x43\x68\x72\x3a\x0e\x8a\x77\x7b\x32\x61\xc9\xc9\x7b\xae\x82\x5b\x55\x1b\xa9\x40\x55\x1a\x7e\x15\xe3\x01\x3d\xc0\x9a\x05\x22\x9d\x0c\x9a\xc6\x4e\xe1\x5e\xe3\xd4\x67\x42\x62\x89\x24\xc0\x9e\x63\x60\xcc\x43\x00\x6f\xb9\xa0\xe1\xc0\x6e\x55\x84\x63\x7c\xee\x00\x5e\xe2\x6c\xeb\xa7\x02\x95\xcb\xa5\x63\x7d\xfc\x98\x21\x14\x8e\xd7\x41\x50\x03\xd5\x18\x36\x84\x23\xae\x70\x8c\xfa\xc6\x38\xf2\xb8\xe1\xd3\xa7\x10\x11\xbd\xa8\x03\xac\xd2\xcf\xa4\x29\xea\x5f\xa0\x45\xfe\x07\x8f\x91\xeb\xe4\x5e\x7d\x51\xd4\x3f\x08\x30\x2d\x5f\x3b\x0c\xcc\x3e\xb7\xdc\x03\x81\x8b\x33\x56\x7e\x86\xf8\xe5\xdc\x40\x45\x15\x69\xa7\x95\x48\x58\xd2\x6d\xf8\x55\x49\x35\x27\x6f\x56\x54\xaf\xec\xf2\x40\xc7\xe8\x6c\x92\xec\xba\x4d\x3f\xf7\x58\x21\x31\x2d\x6a\x3b\x82\xe1\x8c\xc2\x34\xda\x5b\xac\xc2\x86\xef\x09\x24\xce\x23\xbd\x30\x70\x8d\xe5\x81\x32\x57\x4b\x54\x8c\x96\x28\xb5\x2d\x34\x29\x1d\x1c\x4a\x7f\xfd\xfe\x63\xde\x1f\xa9\xb5\xe0\xfa\x6e\x62\xf3\x52\x8a\x80\xc9\xcc\x97\xa7\xc5\x15\x40\x3f\xce\x89\x5a\xb7\x95\x63\x52\x66\xaf\x74\x6d\x89\xd2\xc9\x40\x58\xca\x38\x50\x1d\x86\xb4\xd6\x32\x4d\x0d\xf0\xd9\xc1\xe4\x7b\xbf\x83\x8b\xaa\x20\x6a\xa2\xec\x43\x97\x82\x8e\x99\x2f\xe9\x63\xb2\xe8\x37\x22\x80\x26\x27\
x62\x90\x30\x10\x6c\xf2\x0e\xc9\x8e\x24\x51\x47\xc9\x44\x26\x21\x4d\xdf\xb9\x79\x12\x06\x51\xad\xde\x14\xa4\x25\xfe\xf2\x9a\x20\xc0\xcc\x54\x60\x39\x3a\xcb\xdb\xa5\x7b\x3c\x38\x36\x62\x7e\x6a\x9c\x19\xa2\x34\x43\x12\xa9\xbc\x66\x1b\x76\x02\x85\x41\x5a\x28\x74\xe2\xf2\x18\x7b\x5c\x6d\xbf\x38\xb0\x59\x63\x6f\x9e\xd1\xde\x16\x92\xd3\xb8\x65\x04\xa7\xc1\xb6\x68\xe5\xaa\x0f\x87\xcf\x49\x7f\x0c\xab\x26\x6e\x4d\xb6\x4e\xc6\x46\x55\x80\xbe\x1d\x97\x24\x49\x47\x30\x46\x88\xcb\x35\x76\x49\x0b\x8d\xb0\x86\xb0\x89\x05\x82\x0e\xa9\xd9\x1d\xfc\x8f\x3b\x96\x6a\x9e\x56\x8d\x85\x6a\x9c\xce\x3f\x17\x31\xac\x16\xe4\xcf\x48\x71\x43\x34\xb6\xc7\xac\x35\x97\xfc\xae\x85\xd1\x79\x46\xb0\xae\x28\x99\x84\x5e\x96\x06\x6e\x0a\x64\x83\x85\xc9\x8e\xe5\xc1\x19\x39\x13\x56\xb2\x04\xac\xbd\x4a\x5c\x7c\xc2\xcb\xce\xec\xe0\xf5\x8d\xfb\x73\xfc\x30\xef\x7c\x17\x69\xb4\xf5\x6e\xd1\xb7\x7d\x76\x24\x8b\x0e\xa2\xa6\x6d\xb0\xe5\x21\x7b\x5d\x62\x42\x37\x19\x1a\xbe\x94\x86\xac\x0b\xd3\x2e\x3e\x73\x62\x33\x14\x41\x73\x4a\x8d\xd9\xed\x98\x3b\x92\xbf\x26\x47\x2c\x50\x21\xf8\xbe\xa1\x31\xec\xe4\x7c\x8f\x45\xe6\x8a\x25\xa8\xbe\xb4\x88\x58\x95\xc2\x79\x82\x30\x6d\xaf\xa1\xfa\xc9\x05\xb2\x76\xc2\xf6\x0c\xcd\xca\xbe\x2a\x5b\x32\x5b\x5c\x5d\x84\x82\xf3\x05\x66\x02\x44\xc3\x61\x71\x1f\x0e\xed\x77\x46\xc0\xda\xf9\x9d\xfd\xe3\x6c\xaf\xf2\x94\x05\x11\x82\xc5\xb6\x58\x9f\xc0\x70\x0b\x75\x1f\xb2\xb3\x80\x7f\x0b\xcb\xd2\x77\xa8\x44\xce\x82\xa5\x45\x58\xf5\x5c\xdd\x25\xa3\x0b\x22\x83\xab\xe5\x19\xc8\x27\xb1\x0a\xed\x61\x2f\x8a\xea\x3c\xb7\xac\xa8\xb3\x40\x28\xc0\xb3\x63\xc9\xac\xc5\x2d\xde\xa9\xe0\xc3\x4e\x8a\x5c\x90\x86\x9f\xe6\x0d\x28\x30\x7e\x35\xd3\xe4\x35\x82\xf3\x77\x3d\x46\x66\x9e\x43\x13\xa0\x7b\x12\xe7\xd6\xd5\x01\x43\x6f\x8e\x6f\x4b\xc3\x47\xb2\x91\x94\x14\x4d\x82\xc5\xda\xa9\x73\x0f\xea\x34\x66\xc3\x16\x72\x09\xf0\x96\x97\xda\x03\x4f\x86\xca\x9e\x5a\x7e\x28\xc0\x59\x99\xf4\x16\x1d\xca\x75\x18\x14\x04\x13\x50\x4b\xe2\xaa\x60\xef\x71\xb6\x64\x84\xfc\xa1\xb0\xbb\x11\xaf\xd5\x97\x55\xb9\x78\xdd\x29\x4e\x3d\xa8\x56\x55\
xb9\x0f\x05\xbe\x08\x23\xe2\x62\xaa\x69\x3c\x43\xbc\x23\xf4\x94\x8a\x60\x96\xff\xe1\xb5\x8e\x1b\xcd\x65\xb0\xdb\x70\xc6\x2a\x4f\x85\xd7\xdd\x4b\xe6\xcd\xdf\xea\xf1\x38\x38\x14\xa6\x72\x8b\x4c\x30\x1e\xab\x03\xb9\x50\xba\xc8\x67\x37\x5d\x1b\x6c\x61\xeb\x2f\x7f\xde\x96\x0b\x16\xf5\x94\x83\x79\xe2\x11\x5a\xb5\x40\x13\x56\xdb\x05\xa7\xdc\x30\xa2\x99\x98\x97\xb1\x63\xc7\x3d\x34\x80\x71\x06\xdf\xdc\xf7\xb7\xf9\xb9\xe7\x37\x7f\xc7\x22\x00\x3c\x86\x8c\xa5\xc1\x4a\x0e\x2f\x1d\x19\x40\xec\x6a\xef\xcf\x85\xfe\xd2\x07\x62\x2e\xd3\x81\x20\xc6\xa8\xaa\xd7\xb4\xe9\xe8\x7d\x5e\x4e\x9a\x6a\x55\xc6\xe1\x32\xe9\xe1\xe9\xa3\xa6\x2b\x4f\x7c\x6c\xe0\x09\x3f\x88\x65\x47\xdf\xc4\x8d\xe1\xd2\xe0\xc8\x5b\xf0\x1b\x49\xf9\x92\x41\xa3\x6d\x32\x4c\xdb\xad\xe5\x37\x7d\x5a\xa5\x73\x33\x77\xec\x7e\x97\xb7\xac\x54\x38\x7f\xd2\x93\x91\x31\x9d\x3f\x3b\xbc\xd0\x7b\x28\x70\xb9\x64\x6b\xf2\x83\x5b\x3a\xbb\x51\x21\xdc\x20\xa6\x38\xc6\xd0\xd6\x2b\x0a\x05\xd9\x4a\x5f\x1c\x03\xbf\xf6\xe8\x71\xa8\x4f\x9a\x7d\xef\xa1\x6f\x30\xcb\x8b\x3f\xf5\x7c\xb5\xa9\xb8\x95\x8b\x59\x21\x19\xcb\x0c\x80\x25\x13\xc1\x4a\xec\x2d\x27\xcf\xff\xbf\xb4\xe6\xa2\xa8\x40\xf8\xb0\xd7\x46\xa8\x3f\xa8\xbd\x22\x70\x21\xb0\x38\xf5\x0c\x41\x1f\x79\x22\xfb\x38\xec\x89\xf5\x1d\x71\xb7\xd3\xd9\xe2\x41\xdb\x1b\xe1\xb4\x50\x7e\x5b\x68\xfa\x1e\xe8\x9c\x21\x27\x44\x5e\x5d\x6e\xd4\xe7\x43\x3d\xe7\xbf\x4d\x72\xb7\xf7\xb1\xc9\xaa\x7c\x40\x8e\x4c\x10\x50\xce\x17\x74\x27\x98\x4f\x50\x35\xb5\x1e\x3a\xd5\x2b\x56\xd8\xaa\xf3\x8e\x56\x79\x30\xa7\x11\xc8\xdc\x34\x88\xff\xcd\xc1\xa5\x6f\xe1\xb4\xc5\xdf\x22\x67\x3b\xcc\x3e\x9c\xcd\xbb\x3a\xb6\x70\xa2\x45\x47\xf5\xde\xd4\x2d\xec\xfd\xdd\x52\x21\x04\x07\x5c\x37\xdd\xed\xe4\x60\x92\x5d\xcb\xc6\xe5\xef\x20\x60\x28\xaa\x7e\xa0\xc8\x4d\x60\xd9\x90\xfc\xd4\x8d\x76\xc9\xa4\x7b\xe6\x81\x92\x50\xd4\xd1\x0f\xce\xfc\x7a\x12\x4c\x6f\x3f\xaa\xf5\x1f\x7b\x67\xdc\xc2\xb3\x9a\xcf\x11\x9c\x8f\x89\xb9\x3b\x58\x39\x52\x47\xfa\x45\x9c\x1f\xfe\x6f\xc5\xa7\x0c\x32\xd5\x19\x6d\xa5\x93\xb3\x36\xbe\x04\x67\x16\x4e\xbb\xc9\x86\xfc\x14\
x5b\x32\xbb\x91\xa4\xc0\x58\x88\x4c\x82\xf5\xca\xcd\xa6\x2a\x43\x12\xbb\x35\x07\x0e\x74\xde\x2b\xba\x07\x64\x8b\x7e\xb9\xd9\xfa\xe8\x91\x64\x8f\x54\x32\xb6\xa7\xd5\x98\x6e\xf2\x02\x78\x72\xcf\x9e\x1a\x08\x6c\x57\x6a\xba\xc8\xdc\x40\x1a\xab\x0d\xa9\x3a\xbf\x0a\xb7\x1e\xcd\x9b\xb9\x6e\x39\x18\x03\x62\xa1\x0a\x21\x85\x07\x1e\xbb\x8c\xa2\xca\x8d\x97\x19\xd4\x7b\xfc\x18\xb6\x2f\x97\x71\xb9\x7d\xfe\xd7\x3b\x98\x23\x25\xeb\x94\x3d\x78\x5c\x78\x75\x00\xd5\xac\x0d\x26\xa9\xca\x90\xcc\x73\xc2\xac\xfe\x87\x2f\x4e\x32\xeb\x44\x39\x08\x3b\xdb\x32\x49\x70\x1d\xdd\xdb\x50\x0d\xf3\xf8\x96\xbb\x1f\x7a\x37\x06\xd6\x4b\xe1\x6d\x00\xf6\xfd\xcd\x6b\xf4\x1d\xf8\x65\x35\xf2\x98\xd2\xdd\x04\x31\x77\x74\xbd\x6b\x39\x03\xf3\x71\xd5\x9b\xe7\x19\xb7\xec\x1d\x00\x3b\x3c\x97\x05\xa8\xf7\x88\x89\xb8\xf7\xda\x0d\x46\xde\xfd\xce\xd2\xdf\x70\xd8\xcb\x45\x70\x82\x8b\xb2\x65\x49\xb5\x50\x11\x58\x9c\x73\xbe\xc4\x20\x7c\x8d\x59\xeb\xe1\x89\x6b\x37\x61\xc1\x85\xa1\x32", 4096); *(uint32_t*)0x20006c44 = 0x1000; *(uint32_t*)0x20006c48 = 0x8001; *(uint32_t*)0x20006c4c = 0x200066c0; memcpy((void*)0x200066c0, "\x31\xe3\xc3\xfa\x6d\x99", 6); *(uint32_t*)0x20006c50 = 6; *(uint32_t*)0x20006c54 = 0x3ff; *(uint32_t*)0x20006c58 = 0x20006700; memcpy((void*)0x20006700, "\x39\xde\x86\x3b\x71\x48\x20\x8e\x43\x2f\xcd\xdb\xd9\xe9\x14\x8e\x71\x6c\x1b\x48\xa3\x96\x7c\x87\x0c\x70\x14\x5d\x90\xed\x68\x1b\x3f\x8b\xce\x84\x9f\xee\x7f\x50\x09\x15\x70\x85\x4e\x20\x10\x37\x23\xe5\x64\x54\xe7\x11\x54\x3f\x6e\x2b\xe9\x2c\x34\x09\x0d\x8c\xc7\x92\x26\x0b\xe9\xb9\x60\xc1\xe4", 73); *(uint32_t*)0x20006c5c = 0x49; *(uint32_t*)0x20006c60 = 9; *(uint32_t*)0x20006c64 = 0x20006780; memcpy((void*)0x20006780, 
"\x17\xfa\xd5\x71\xf8\x0f\xec\xd3\x4a\x59\xbc\x03\xf6\xc0\x2b\xbd\x6d\x56\xcd\x8d\x95\x89\x24\xb4\xae\x41\x89\xb8\x8b\x85\x89\x7e\xfd\x4e\x59\x6e\x11\x18\xbb\x0c\x77\x1c\x2c\x5b\xa3\x7d\xed\x06\xd7\x81\x11\x39\x0c\x1c\x80\xcf\x6e\xa9\xdf\x87\x27\xf8\x85\x59\x81\x5e\xd7\x6b\x36\xfa\x13\xfb\x4d\x08\xe1\xcc\xda\xd7\x97\x3b\x5b\xec\x56\x55\xa7\x4a\x67\x1f\xde\x99\xee\x92\x39\x7c\x56\xd4\x09\xda\xdb\x10\xc4\xc3\x7e\xe9\x2c\xb4\x1d\x03\xae\x6f\xb1\x64\xe7\xf8\x69\x85\x03\x91\x28\xd3\x8b\xe8\x3b\x5e\x16\xc3\x5e\xe3\x4e\xb2\xb8\x39\x6c\x53\x48\x02\x87\x81\xa0\xa8\x79\xf8\x81\x59\x74\x0a\xb8\x97\x05\xd6\x37\xbe\xda\xfa\x91\x5f\x19\x5a\x15\x25\x97\xfa\x0d\x7d\xa9\xb7\x64\x76\x60\x2c\x6e\xee\xfc\xa1\xe8\x0a\x6d\x3d\x0e\xd1\xa7\x5b\x00\xf7\xa5\xe1\x53\xdd\x85\x1e\x23\x01\xc8\xda\xa7\xd4\x9b\x4a\xd9\x1c\x62\xd1\xa6\x96\x7f\x54\xcf\x96\x21\xc2\x40\xed\x58\x71\x92\xf6\x99\x59\xe0\x54\x07\x85\x0c\xe3\x83\x1c\x4e\x81\x1e\x6f\xff\x1c\xdf\x93\xcf\xab\xde\x88\x73\x58\x31\x68\x81\x84\x53\x56\xd7", 247); *(uint32_t*)0x20006c68 = 0xf7; *(uint32_t*)0x20006c6c = 0x26; *(uint32_t*)0x20006c70 = 0x20006880; memcpy((void*)0x20006880, "\xc2\x86\x96\x8e\x22\x38\x74\x2a\x47\xe0\xe8\xd4\x44\xa6\xa6\x61\xb7\x70\x82\x22\xf4\xed\xda\xb9\x7a\x74\x9d\xce\xbe\x2c\xc8\x3a\x31\x4b\x82\x87\x95\xf9\x15\xa3\x6d\x87\x3b\x71\x4a\xef\x15\xdd\xb1\xb4\xf6\x2f\x06\x80\x0b\xbe\x85\xea\xeb\xcb\x76\xab\xe9\x44\x71\x92\x49\xee\x79\x27\xc8\x8e\x78\xa9\x68\xe9\x3f\x45\xc5\x20\x13\xef\x97\xef\x6f\x98\x9b\x1d\x1c\xd3\x0f\xff\x88\x67\x79\x62\xc8\xf3\x05\x2a\xd0\xa4\x63\x1e\x4e\x75\x0b\xa8\x0f\x37\x53\x91\x6c\x2d\xff\xc6\xa4\x02\x3c\xdb\x62\xa1\xb5\xf2\xaf\xbb\x96\x5b\x2f\x78\xc5\xdd\x47\xaf\x90\xb0\x02\xda\x1a\x26\xa2\x4f\xcb\x99\xbf\x81\xfb\x29\x57\x4a\x2f\x98\x10\x7a\x79\x37\x63\x98\x73\xb9\x5f\x4a\x56\x9a\x04\x06\xcc\x35\x8b\x46\xef\xae\x58\x7e\x90\x08\xbe\x69\xd7\x11\xae\x20\x2c\x22\xe2\x9a\x2f\x61\x5f\xd2\x3d\xcf", 192); *(uint32_t*)0x20006c74 = 0xc0; *(uint32_t*)0x20006c78 = 0; *(uint32_t*)0x20006c7c = 0x20006940; 
memcpy((void*)0x20006940, "\x97\xfc\x4d\xd9\xdb\x67\x3e\x16\xfd\x0f\x0e\xb9\xa4\xa2\x6e\x2a\x49\xf4\x2e\x16\x16\x19\x0b\x06\x34\xdf\xd6\x13\x51\x45\xf4\xe4\x51\xbb\xba\xd5\x6d\xad\xf2\x66\x96\x4e\xba\x7d\x10\x07\xc0\xa2\x3f\x8c\xf0\x3d\x4f\x8f\xe0\x9a\x79\x89\x15\x2b\x7c\xf2\xec\x30\xf2\x69\x3a\x06\xbe\xfd\xf0\x23\xd7\x9f\x48\xc2\x08\xd7\x42\xc7\xb7\x59\x15\xbc\xc1\xbe\x58\x35\x17\xce\xd3\xb8\x26\xb9\x70\x75\xe6\x2a\x8e\xd1\x2d\xbb\x26\x48\x07\xc6\xff\xd0\x22\x76\x14\x49\x1f\xb9\xde\x0d\x8a\x92\x5a\x26\x38\xc3\x16\x08\xde\x40\x5b\xbf\x79\xe9\x6f\x17\x1f\xd5\x83\x38\xb1\xd6\x97\x9d\x33\xa7\xda\xe8\xad\x62\xf2\xba\x53\xfe\xfc\x3c", 152); *(uint32_t*)0x20006c80 = 0x98; *(uint32_t*)0x20006c84 = 0x20; *(uint32_t*)0x20006c88 = 0x20006a00; memcpy((void*)0x20006a00, "\x77\xd8\xd6\x06\xbf\xb4\x24\xe7\xb9\x95\x80\x9a\xb4\xf5\x59\x11\x5f\xd8\x2e\x97\x2d\x98\xb6\x51\xdf\xc6\x9b\x10\xdf\x60\x0f\xb4\xf7\x8e\xfd\x58\x6f\x9c\xc2\x6e\xdc\x41\xb1\xd2\xfa\xc8\x7e\xfe\x59\xe2\x62\x41\x1f\x27\xa9\x4c\xf7\x96\xed\x31\x23\x6b\x45\x7c\xa0\xf1\x47\x53\x0e\xfb\xd4\xcf\xa6\xb6\xa0\xfe\xe4\x6c\x25\xab\xcf\x7a\xd8\x28\x2a\xae\x52\x99\xe2\x99\x79\x9c\xd5\x2d\x0a\x58\xd7\xff\x9d\xdd\xd0\x10\x37\x24\xc8\x8d\xa9\x2d\xbe\xfa\xb6\x24\x80\x38\xab\xef\x9e\xc5\x22\x64\xaf\xc7\x48\x25\xf7\xea\x70\xb2\xca\x95\xd6\x90\x0f\x9b\x64\x7a\x3f\x98\x6e\x18\x28\x7c\xb2\xbf\x4b\x4c\x19\xef\xc8\xc2\x18\xfd\x90\x5c\x37\x27\xc8\x6c\x37\x02\x6b\xfb\xde\x3a\xf0\x78\xeb\x07\xb7\x98\xe6\xd3\xd8\xf2\xe4\xd5\xd3\xbc\x18\x8c\xdd\x20\xf2\xeb\xb1\x46\x1c\x5e\x53\xb0\x5f\x29\x89\xff\xac\x3b\x16\x8d\xee\x56\xda\x0f\xc0\x11\x97\x4c\x66\x0e\x40\x0a\xe2\xd8\xb2\xc8\x0a\xcb\x23\x15\x81\xee\x91\x76\x31\x29\xb2\x88\x8a\xeb\x12", 229); *(uint32_t*)0x20006c8c = 0xe5; *(uint32_t*)0x20006c90 = 0x800; *(uint32_t*)0x20006c94 = 0x20006b00; memcpy((void*)0x20006b00, "\x56\x0c\x1b\xea\x71\xb0\xf9\x72\x44\xfa\x38\x6d\x26\xbf\x6b\x1b\x04\x30\x8e\x4b\xc7\xff\xfa", 23); *(uint32_t*)0x20006c98 = 0x17; *(uint32_t*)0x20006c9c = 0x80000001; 
*(uint32_t*)0x20006ca0 = 0x20006b40; memcpy((void*)0x20006b40, "\x14\xe5\x5a\x14\xa7\x95\x33\x87\xee\x55\x33\x3c\x1d\x16\x94\xca\x98\xc7\x99\x9b\x49\x78\x86\x42\x76\x68\x05\xd6\xf5\xa2\x90\xeb\x1e\x95\x9e\xe3\x5a\x74\x04\x59\xe1\x33\x00\x26\x2f\x2a\xf9\xc3\x57\xf7\xa8\xc1\xcb\xa1\x87\xe4\x48\xbc\x3c\x8f\x86\x5c\xc9\xbe\x88\x62\x4f\xb0\xf0\xd0\xbb\x88\x5d\x9c\xc2\xab\xe1\x71\xa2\x47\x8a\x74\x20\xdb\x22\xe8\x60\x7e\x3f\xbe\xc7\xe2\x60\x1d\x9e\x11\x08\x6c\xfa\x8c\xf1\x4d\x99\x67\x6b\x67\x9d\x8d\x6b\xf1\xdd\x4f\xaa\xb8\xfe\x9a\x5f\x4e\x3f\x69\x5f\xe2\xe6\xab\xf0\x9f\x70\x26\x83\x80\x2d\x44\xcc\x3a\x29\x82\x55\xc4\xc5\x95\x33\x73\x1f\xf5\xb2\x3e\x05\x3a\xfb\x71\x6d\x58\xca\xd6\x67\x68\x6e\xe6\x47\xf4\x8e\x19\x9c\x9b\x5c\x3d\x0d\x2d\x47\x0f\x2c\xe1\xc5\xb8\xb5\x70\x8a\xe0\x23\xad\x98\x80\xca\xf3\x1d\x01\xf9\x6a\xeb\xbf\xcc\x7d\xf9\x53\x58\xa0\x16\xc5\x47\x1c\xc2\xce\x2c\xed\x61\x05\x05\x7c\x9d\x22\xc8\x16\x78\x90\xca\x19", 216); *(uint32_t*)0x20006ca4 = 0xd8; *(uint32_t*)0x20006ca8 = 0x400; syz_read_part_table(9, 9, 0x20006c40); break; case 40: *(uint8_t*)0x20006cc0 = 0x12; *(uint8_t*)0x20006cc1 = 1; *(uint16_t*)0x20006cc2 = 0x200; *(uint8_t*)0x20006cc4 = 0x62; *(uint8_t*)0x20006cc5 = 0xa5; *(uint8_t*)0x20006cc6 = 0xbe; *(uint8_t*)0x20006cc7 = 0x10; *(uint16_t*)0x20006cc8 = 0x2833; *(uint16_t*)0x20006cca = 0x211; *(uint16_t*)0x20006ccc = 0x37a4; *(uint8_t*)0x20006cce = 1; *(uint8_t*)0x20006ccf = 2; *(uint8_t*)0x20006cd0 = 3; *(uint8_t*)0x20006cd1 = 1; *(uint8_t*)0x20006cd2 = 9; *(uint8_t*)0x20006cd3 = 2; *(uint16_t*)0x20006cd4 = 0x6b4; *(uint8_t*)0x20006cd6 = 1; *(uint8_t*)0x20006cd7 = 0x20; *(uint8_t*)0x20006cd8 = 0; *(uint8_t*)0x20006cd9 = 0xa0; *(uint8_t*)0x20006cda = 1; *(uint8_t*)0x20006cdb = 9; *(uint8_t*)0x20006cdc = 4; *(uint8_t*)0x20006cdd = 0xdf; *(uint8_t*)0x20006cde = 0; *(uint8_t*)0x20006cdf = 0x10; *(uint8_t*)0x20006ce0 = -1; *(uint8_t*)0x20006ce1 = 1; *(uint8_t*)0x20006ce2 = 0; *(uint8_t*)0x20006ce3 = 5; *(uint8_t*)0x20006ce4 = 7; *(uint8_t*)0x20006ce5 = 
0x24; *(uint8_t*)0x20006ce6 = 1; *(uint8_t*)0x20006ce7 = 1; *(uint8_t*)0x20006ce8 = 1; *(uint16_t*)0x20006ce9 = 1; *(uint8_t*)0x20006ceb = 9; *(uint8_t*)0x20006cec = 0x24; *(uint8_t*)0x20006ced = 6; *(uint8_t*)0x20006cee = 0; *(uint8_t*)0x20006cef = 0; memcpy((void*)0x20006cf0, "\xfd\x50\x65\x08", 4); *(uint8_t*)0x20006cf4 = 5; *(uint8_t*)0x20006cf5 = 0x24; *(uint8_t*)0x20006cf6 = 0; *(uint16_t*)0x20006cf7 = 3; *(uint8_t*)0x20006cf9 = 0xd; *(uint8_t*)0x20006cfa = 0x24; *(uint8_t*)0x20006cfb = 0xf; *(uint8_t*)0x20006cfc = 1; *(uint32_t*)0x20006cfd = 0x40000000; *(uint16_t*)0x20006d01 = 8; *(uint16_t*)0x20006d03 = 0x4cc5; *(uint8_t*)0x20006d05 = 0x7f; *(uint8_t*)0x20006d06 = 7; *(uint8_t*)0x20006d07 = 0x24; *(uint8_t*)0x20006d08 = 0xa; *(uint8_t*)0x20006d09 = 8; *(uint8_t*)0x20006d0a = 0x3f; *(uint8_t*)0x20006d0b = 0; *(uint8_t*)0x20006d0c = 0x81; *(uint8_t*)0x20006d0d = 0x10; *(uint8_t*)0x20006d0e = 0x24; *(uint8_t*)0x20006d0f = 7; *(uint8_t*)0x20006d10 = 0x80; *(uint16_t*)0x20006d11 = 5; *(uint16_t*)0x20006d13 = 0x44; *(uint16_t*)0x20006d15 = 2; *(uint16_t*)0x20006d17 = 0x800; *(uint16_t*)0x20006d19 = 0x101; *(uint16_t*)0x20006d1b = 4; *(uint8_t*)0x20006d1d = 4; *(uint8_t*)0x20006d1e = 0x24; *(uint8_t*)0x20006d1f = 2; *(uint8_t*)0x20006d20 = 4; *(uint8_t*)0x20006d21 = 8; *(uint8_t*)0x20006d22 = 0x24; *(uint8_t*)0x20006d23 = 0x1c; *(uint16_t*)0x20006d24 = 0; *(uint8_t*)0x20006d26 = 0xc0; *(uint16_t*)0x20006d27 = 0x5325; *(uint8_t*)0x20006d29 = 6; *(uint8_t*)0x20006d2a = 0x24; *(uint8_t*)0x20006d2b = 0x1a; *(uint16_t*)0x20006d2c = 0x7f; *(uint8_t*)0x20006d2e = 0; *(uint8_t*)0x20006d2f = 9; *(uint8_t*)0x20006d30 = 5; *(uint8_t*)0x20006d31 = 5; *(uint8_t*)0x20006d32 = 0; *(uint16_t*)0x20006d33 = 0xb5a2; *(uint8_t*)0x20006d35 = 6; *(uint8_t*)0x20006d36 = 0; *(uint8_t*)0x20006d37 = 5; *(uint8_t*)0x20006d38 = 7; *(uint8_t*)0x20006d39 = 0x25; *(uint8_t*)0x20006d3a = 1; *(uint8_t*)0x20006d3b = 0x82; *(uint8_t*)0x20006d3c = 0xe9; *(uint16_t*)0x20006d3d = 0xf000; 
*(uint8_t*)0x20006d3f = 9; *(uint8_t*)0x20006d40 = 5; *(uint8_t*)0x20006d41 = 0xe; *(uint8_t*)0x20006d42 = 2; *(uint16_t*)0x20006d43 = 0x200; *(uint8_t*)0x20006d45 = 8; *(uint8_t*)0x20006d46 = 7; *(uint8_t*)0x20006d47 = 0x40; *(uint8_t*)0x20006d48 = 9; *(uint8_t*)0x20006d49 = 5; *(uint8_t*)0x20006d4a = 0; *(uint8_t*)0x20006d4b = 0x7e; *(uint16_t*)0x20006d4c = 0x200; *(uint8_t*)0x20006d4e = 8; *(uint8_t*)0x20006d4f = 3; *(uint8_t*)0x20006d50 = 1; *(uint8_t*)0x20006d51 = 0x9b; *(uint8_t*)0x20006d52 = 0x21; memcpy((void*)0x20006d53, "\xf2\xef\x0a\x5c\x06\x9c\xdb\x31\x91\x38\xe1\x85\x06\x1d\x7e\x19\x6a\xe9\x4e\x53\x5d\x80\xf2\x76\x66\xfb\xa2\x3b\x37\x43\x25\xf1\x5d\xc5\xf2\x08\x12\xfe\x05\xb0\x62\x0f\x6f\xfc\xb8\x10\x03\xb1\xf3\x9c\x5d\xcd\x1b\xff\x14\xe2\xbb\xeb\x38\x73\x35\xa3\x53\x4f\x5a\xdb\x60\xff\xc4\xf2\x85\x95\xc8\xf9\x92\xf7\x7f\xd5\xf6\x7a\x04\x84\x2b\x9c\x43\x64\xe3\x55\x6b\xe9\xba\xcb\x8f\xd5\x6e\xd7\x78\x59\x29\x11\x53\xf6\xc5\x66\x02\x63\x63\xbf\xa5\xf2\xe6\xff\x2f\xa6\xd2\x93\x17\xf2\xd5\x62\x44\x53\x64\x93\x99\x15\xa7\x5d\xd7\x36\x5f\x6a\xb9\xc1\x5d\xdb\xc7\xc3\xa4\x5f\x7e\xb9\x8f\xd1\xfe\xa3\x55\x1b\xbd\x46\xf2\x0a\x87", 153); *(uint8_t*)0x20006dec = 9; *(uint8_t*)0x20006ded = 5; *(uint8_t*)0x20006dee = 0x80; *(uint8_t*)0x20006def = 1; *(uint16_t*)0x20006df0 = 0x3ff; *(uint8_t*)0x20006df2 = 1; *(uint8_t*)0x20006df3 = 0x20; *(uint8_t*)0x20006df4 = 0xef; *(uint8_t*)0x20006df5 = 0xec; *(uint8_t*)0x20006df6 = 6; memcpy((void*)0x20006df7, 
"\xf6\x42\x24\x6a\x53\x72\x99\x1d\xb9\x7e\x58\x24\xa4\x10\xe2\x83\x00\xd3\xbd\x15\x36\x38\xf6\xda\xc6\xe1\x18\x9a\x0c\x56\x0a\x0a\x0e\x5f\x8b\x15\xe0\x78\x79\xac\x95\x01\x65\x15\x20\x26\x46\xa7\xb5\xb5\xfc\x74\xb7\xcd\x40\xd5\x15\xb2\x84\x9d\x8c\x1d\xd9\xae\x4f\xca\x16\xc2\xe6\xcf\x0e\x8a\x20\xce\x54\xf0\x5f\xa1\x23\xc0\x19\x20\x8c\xb3\x4b\x5e\xe5\x61\xc2\x74\xea\x40\xa7\xb3\x4e\x58\x13\xa4\xa2\x9b\xe4\x08\x17\xeb\x1f\x7b\x3e\x9b\xef\x60\xf7\xc5\x66\x57\x48\x12\x36\xb9\x3e\x2c\x29\x7f\x17\xc7\x76\xb9\x8f\x1d\x0c\x8f\x2a\x56\x44\x77\x66\xc7\x28\x8b\xa6\xb1\xe3\x85\xb8\x4a\x51\x6a\x98\xab\x72\x9b\xa7\x0e\x31\xfe\xe3\xaa\xb1\x01\xd5\x90\xa4\x48\x1a\xe5\x85\x63\x26\xc6\x82\x5b\x73\xc7\xae\x7d\x3b\x99\xcb\x3c\x59\xdb\x31\xa1\x27\x26\x23\x4b\x90\x05\x84\xe8\xdb\x77\x93\x52\x18\x8d\x12\xc9\x32\xd4\xaa\xcb\x59\xee\xf3\x3d\x33\xb9\x55\x05\x10\xcf\x2b\x49\xda\x74\x7e\x03\x1c\x83\x11\x7b\x51\x1a\x1b\xb9\x3e\xd7\x6c\x71\x6e\x6a\x02\x54", 234); *(uint8_t*)0x20006ee1 = 7; *(uint8_t*)0x20006ee2 = 0x25; *(uint8_t*)0x20006ee3 = 1; *(uint8_t*)0x20006ee4 = 0; *(uint8_t*)0x20006ee5 = 6; *(uint16_t*)0x20006ee6 = 0x40; *(uint8_t*)0x20006ee8 = 9; *(uint8_t*)0x20006ee9 = 5; *(uint8_t*)0x20006eea = 1; *(uint8_t*)0x20006eeb = 0; *(uint16_t*)0x20006eec = 0x100; *(uint8_t*)0x20006eee = 0xfe; *(uint8_t*)0x20006eef = 8; *(uint8_t*)0x20006ef0 = 0x37; *(uint8_t*)0x20006ef1 = 0xe9; *(uint8_t*)0x20006ef2 = 0x23; memcpy((void*)0x20006ef3, 
"\x1a\x0e\x35\x42\x85\x7d\x49\xea\x63\xb7\x26\x1e\xbf\xc1\x9f\x14\x27\x2e\x28\x4d\x26\x65\xd2\x79\x5e\x43\xf6\xf9\xca\x62\x77\x6c\x9e\xe5\x2d\x99\x18\x79\xd7\xd6\x7b\x4d\x8b\x27\x0f\xd5\x15\x98\xbe\xac\x1c\x03\x39\xb2\x25\x7a\xd6\x8c\x1d\xde\x54\x88\x5a\xe2\xd2\x19\xb8\x7c\xde\x15\x9a\x98\x97\xc8\x8b\xda\x26\xe0\x8a\x36\x91\x05\x50\x22\x73\x9c\x1f\xe6\x4a\xdb\x98\x63\x9d\xc2\x54\x21\xc4\x49\xcf\x36\x48\x00\xc4\xc3\x65\x06\x2f\x24\x88\xe6\x90\x1e\x56\xe6\x2f\x4b\x70\x3e\xae\x7a\xf2\x62\x98\xa1\xee\xe1\xbf\xe6\x2d\x9b\x2a\xe3\x53\x20\xae\x2b\xaf\x17\x4e\x94\xff\x55\x32\x10\x97\xbe\x81\xe0\x27\x9f\x5d\x0a\xa8\x4d\xd1\x8c\xa0\x86\x4d\x98\xd0\xed\xbb\xea\xa1\x9d\xdf\x36\x26\xfd\x83\xa2\xe2\xb5\xf6\x76\xa7\x34\xd4\x78\x4b\x3c\x68\x77\xfd\x1b\xb3\xc9\x54\x3d\xf7\xab\xda\x9b\xd9\xc9\xbe\x40\x59\x49\x74\x7e\x21\x07\x3c\x18\x95\x7f\xff\x0e\xaa\xc0\x27\x3c\xfd\x3f\x70\x2c\xb6\x55\x97\x94\x9a\x17\x27\x26\xf7\xe4\x59\x53\x6c", 231); *(uint8_t*)0x20006fda = 0x18; *(uint8_t*)0x20006fdb = 0x10; memcpy((void*)0x20006fdc, "\xa0\x28\x90\x17\xf3\xf4\x33\xf1\x10\x59\x48\x9a\x61\x11\x58\x23\xe1\x13\x8a\xe8\x4a\x34", 22); *(uint8_t*)0x20006ff2 = 9; *(uint8_t*)0x20006ff3 = 5; *(uint8_t*)0x20006ff4 = 0xe; *(uint8_t*)0x20006ff5 = 4; *(uint16_t*)0x20006ff6 = 0x10; *(uint8_t*)0x20006ff8 = 0x67; *(uint8_t*)0x20006ff9 = 3; *(uint8_t*)0x20006ffa = 8; *(uint8_t*)0x20006ffb = 7; *(uint8_t*)0x20006ffc = 0x25; *(uint8_t*)0x20006ffd = 1; *(uint8_t*)0x20006ffe = 1; *(uint8_t*)0x20006fff = 0x80; *(uint16_t*)0x20007000 = 0x2e6; *(uint8_t*)0x20007002 = 9; *(uint8_t*)0x20007003 = 5; *(uint8_t*)0x20007004 = 0xd; *(uint8_t*)0x20007005 = 4; *(uint16_t*)0x20007006 = 0x200; *(uint8_t*)0x20007008 = 0x48; *(uint8_t*)0x20007009 = 0x35; *(uint8_t*)0x2000700a = 8; *(uint8_t*)0x2000700b = 0xe5; *(uint8_t*)0x2000700c = 5; memcpy((void*)0x2000700d, 
"\x30\xef\xe9\xc1\xa6\xe5\xc8\x9c\x20\x31\x21\x4c\x60\xfb\xbe\xaa\x45\x78\x09\x1e\x38\x00\x9c\x76\x1d\x15\x77\x48\x02\x93\x4c\xfd\x36\x35\x5b\x35\x18\xcc\xfe\x59\xfa\x5e\x7c\xce\xe3\xc1\x3a\xc4\xaf\xfb\xe0\x73\xe0\xe7\x88\xc9\xb5\xe3\x22\x16\xef\xbf\x02\xe3\x58\x69\xd7\xb2\x33\xa3\x89\xf8\x12\xbf\xd8\x49\x43\x3c\x32\x84\x66\xed\xa5\xe0\xe3\x23\x75\x29\xcd\xc6\x5e\x4e\xee\x74\x3d\x31\xff\xc1\x86\xa1\xfe\x79\x4b\xdf\x13\x64\xf3\x1e\xae\xff\x39\x82\x9e\x8f\x61\x44\x85\x0d\x74\x70\xcc\x71\x57\x2d\x1f\x2f\x23\xdc\xcd\xbc\xdd\x99\xe4\x93\x0d\xe7\xed\xbf\x59\xb3\x38\xdb\x34\x90\x30\x5f\xd7\x71\x02\x57\x98\x0b\x7f\x76\xb8\xda\xea\xcb\x2a\xd6\x18\x13\x1f\xb9\xb5\xa3\xe0\x26\xc9\xdd\xbd\x69\x48\x3c\xd7\x94\xca\xad\x29\xf2\xe3\xb6\x31\x24\xa9\x52\xb4\x62\xde\x0c\xd9\x51\xd7\xef\xd9\xb3\xb2\x91\x07\xb6\x41\x41\x7e\x77\x83\xd9\x01\x59\x13\x7f\xa5\x27\x3a\x95\xe0\xcc\x46\xc9\x7c\x22\x46\xe6\x11\xac\xb1\x4b\x4d", 227); *(uint8_t*)0x200070f0 = 9; *(uint8_t*)0x200070f1 = 5; *(uint8_t*)0x200070f2 = 3; *(uint8_t*)0x200070f3 = 0x10; *(uint16_t*)0x200070f4 = 8; *(uint8_t*)0x200070f6 = 0; *(uint8_t*)0x200070f7 = 0x33; *(uint8_t*)0x200070f8 = 9; *(uint8_t*)0x200070f9 = 9; *(uint8_t*)0x200070fa = 5; *(uint8_t*)0x200070fb = 2; *(uint8_t*)0x200070fc = 0xc; *(uint16_t*)0x200070fd = 0x400; *(uint8_t*)0x200070ff = 0xed; *(uint8_t*)0x20007100 = 7; *(uint8_t*)0x20007101 = 9; *(uint8_t*)0x20007102 = 0x84; *(uint8_t*)0x20007103 = 0x31; memcpy((void*)0x20007104, "\xee\x4c\xd2\x19\x15\x4d\xf4\x91\xc4\xd3\x2a\xa3\x21\x12\xcf\xf4\x07\x51\x1b\x06\xb1\x7f\x74\x34\x09\xec\xc2\x16\xc3\x1e\x92\xce\xfa\x2b\x5c\xc5\x9e\x63\x4d\x7a\xeb\xa2\xc9\xe5\xe3\x6d\x8e\xfa\xdc\x02\x55\x17\x25\x18\xf9\x09\xb4\xe1\xa7\xda\xf4\xd9\x88\xb1\xee\xaf\x19\x6c\x76\xee\x90\x2b\x65\x7d\x12\xfc\x23\xc2\x1e\x17\x6c\xd1\x49\xe9\x8a\x8d\x8d\x57\x55\xb7\x4f\xed\x1a\x42\x84\xbc\xfd\x6e\x69\x61\x95\x1f\xf8\x21\x6f\x7b\xb4\x2f\x79\x0e\xdd\x53\x9c\x1b\xc5\xbb\xac\x44\xf7\x67\xa6\x85\xc5\x7c\xbb\xde\xc8\x30\xc5\x2c", 130); 
*(uint8_t*)0x20007186 = 7; *(uint8_t*)0x20007187 = 0x25; *(uint8_t*)0x20007188 = 1; *(uint8_t*)0x20007189 = 0x83; *(uint8_t*)0x2000718a = 1; *(uint16_t*)0x2000718b = 0xfe01; *(uint8_t*)0x2000718d = 9; *(uint8_t*)0x2000718e = 5; *(uint8_t*)0x2000718f = 3; *(uint8_t*)0x20007190 = 0; *(uint16_t*)0x20007191 = 0x40; *(uint8_t*)0x20007193 = 2; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 9; *(uint8_t*)0x20007197 = 5; *(uint8_t*)0x20007198 = 0; *(uint8_t*)0x20007199 = 0; *(uint16_t*)0x2000719a = 0x400; *(uint8_t*)0x2000719c = 0; *(uint8_t*)0x2000719d = 0x2f; *(uint8_t*)0x2000719e = 4; *(uint8_t*)0x2000719f = 9; *(uint8_t*)0x200071a0 = 5; *(uint8_t*)0x200071a1 = 0x8f; *(uint8_t*)0x200071a2 = 8; *(uint16_t*)0x200071a3 = 8; *(uint8_t*)0x200071a5 = 0x81; *(uint8_t*)0x200071a6 = 1; *(uint8_t*)0x200071a7 = 0x7f; *(uint8_t*)0x200071a8 = 7; *(uint8_t*)0x200071a9 = 0x25; *(uint8_t*)0x200071aa = 1; *(uint8_t*)0x200071ab = 0; *(uint8_t*)0x200071ac = 9; *(uint16_t*)0x200071ad = 0xfb; *(uint8_t*)0x200071af = 7; *(uint8_t*)0x200071b0 = 0x25; *(uint8_t*)0x200071b1 = 1; *(uint8_t*)0x200071b2 = 0x81; *(uint8_t*)0x200071b3 = 7; *(uint16_t*)0x200071b4 = 3; *(uint8_t*)0x200071b6 = 9; *(uint8_t*)0x200071b7 = 5; *(uint8_t*)0x200071b8 = 2; *(uint8_t*)0x200071b9 = 0; *(uint16_t*)0x200071ba = 0x400; *(uint8_t*)0x200071bc = 0x40; *(uint8_t*)0x200071bd = 0x76; *(uint8_t*)0x200071be = 3; *(uint8_t*)0x200071bf = 7; *(uint8_t*)0x200071c0 = 0x25; *(uint8_t*)0x200071c1 = 1; *(uint8_t*)0x200071c2 = 0x80; *(uint8_t*)0x200071c3 = 0x31; *(uint16_t*)0x200071c4 = 8; *(uint8_t*)0x200071c6 = 9; *(uint8_t*)0x200071c7 = 5; *(uint8_t*)0x200071c8 = 0xf; *(uint8_t*)0x200071c9 = 0x10; *(uint16_t*)0x200071ca = 0x3ff; *(uint8_t*)0x200071cc = 6; *(uint8_t*)0x200071cd = 0xb2; *(uint8_t*)0x200071ce = 6; *(uint8_t*)0x200071cf = 7; *(uint8_t*)0x200071d0 = 0x25; *(uint8_t*)0x200071d1 = 1; *(uint8_t*)0x200071d2 = 0x82; *(uint8_t*)0x200071d3 = 0x80; *(uint16_t*)0x200071d4 = 6; 
*(uint8_t*)0x200071d6 = 9; *(uint8_t*)0x200071d7 = 5; *(uint8_t*)0x200071d8 = 0xf; *(uint8_t*)0x200071d9 = 0x10; *(uint16_t*)0x200071da = 0x200; *(uint8_t*)0x200071dc = 6; *(uint8_t*)0x200071dd = 6; *(uint8_t*)0x200071de = 0xca; *(uint8_t*)0x200071df = 7; *(uint8_t*)0x200071e0 = 0x25; *(uint8_t*)0x200071e1 = 1; *(uint8_t*)0x200071e2 = 0x81; *(uint8_t*)0x200071e3 = 0x20; *(uint16_t*)0x200071e4 = 3; *(uint8_t*)0x200071e6 = 9; *(uint8_t*)0x200071e7 = 5; *(uint8_t*)0x200071e8 = 0x80; *(uint8_t*)0x200071e9 = 0x10; *(uint16_t*)0x200071ea = 0x400; *(uint8_t*)0x200071ec = 1; *(uint8_t*)0x200071ed = 0xfc; *(uint8_t*)0x200071ee = 4; *(uint8_t*)0x200071ef = 0xd4; *(uint8_t*)0x200071f0 = 0x21; memcpy((void*)0x200071f1, "\x28\xa1\xdf\xa1\xd2\x8f\x9a\xe6\x0d\x0a\x8e\x9e\x3c\x51\x2d\xb3\x53\x69\xd4\x79\xfa\x6e\x6a\xa0\x99\xe2\x67\xe1\xce\xd7\x7c\xa2\xe1\x80\xb4\x29\x77\x90\x23\xa8\x72\xb0\xef\x88\x07\xe1\x1f\x8b\x8b\x21\xb8\x11\xd4\xfe\x55\x27\x33\x5c\xe8\x6e\x3a\x95\xcd\xf9\x60\xd1\xe7\x9e\x88\xc2\x76\xc1\x74\xd1\x83\xd2\xf3\xbc\x08\x62\xdd\x7e\x1d\x29\xac\x58\x9c\xeb\x22\x02\x4e\x25\xa4\x4c\x3e\x81\x23\x58\x1d\x14\x48\xfd\x2d\xb5\x33\x2f\xe4\x1c\x23\xf9\xaa\x95\x95\x64\xf3\x2d\xb1\xda\x14\x61\x04\x15\xdd\xc2\x93\xdc\x57\xc9\xd6\xc7\x75\xd2\x21\x51\xbd\xab\x23\x6a\x5a\x73\x59\x2e\x55\x18\x05\x57\x28\xae\x81\x9e\x25\xc0\x80\xcb\xb9\xbf\x02\x03\xb6\x63\x9b\x8f\xd8\xd7\x16\xd9\xc5\x71\xd6\xb2\x60\xea\x29\x77\x33\xd5\x3c\x3a\x05\x44\x9b\x9b\x92\x21\xd0\xf4\x02\x61\x0c\x98\x37\x18\x9f\x9c\x6a\xb3\xba\xaf\x03\x1d\x48\x69\x26\x90\xc9\x98\x1c\xee\x14\x26", 210); *(uint8_t*)0x200072c3 = 0xc3; *(uint8_t*)0x200072c4 = 6; memcpy((void*)0x200072c5, 
"\x60\xed\x98\x57\x6f\xbb\xbe\xe3\xdb\x67\xd5\x35\xea\x7e\x1a\x19\xd9\x2d\x68\x9e\x2f\x03\x30\x8a\x61\x5a\x56\x41\xe7\x2e\x69\x4d\x99\x6f\x76\xc1\x11\x1c\x88\xc5\x07\xc3\x9a\x87\xf3\x4a\x36\x82\xda\xfb\xfe\x58\x3b\x79\xf5\xb9\x50\xa3\x06\x14\x16\x2c\x60\x5f\x7e\x6c\x5d\x45\x2b\x4f\x84\xa1\x45\xf2\x0b\xf4\x47\x0d\xdf\x43\xf0\x6c\x41\x5d\xc6\xc4\x15\x51\xfd\x45\x8b\xa6\xae\xdf\x57\xd7\x4c\xb8\x5a\x25\xe4\x33\x24\x81\x4b\x62\xc3\xbe\x41\x08\xb1\xea\x5b\x9d\xd2\x2a\x78\xa4\x5c\xdf\x5d\x8f\x27\xc1\x1f\x35\x02\x6b\xf7\xef\x10\xc7\xd1\xf0\x61\x5f\xe1\xc4\x4a\x30\x2a\x84\xd8\x8b\x8d\x6c\x2d\x85\x04\x9c\x9f\x48\xa0\x4b\x4e\x61\x80\x1c\x01\x7f\x60\x9b\x67\x3f\xc8\x29\x0f\x73\x62\xa0\xed\x35\x88\x2a\x33\x5b\x65\x7f\x83\x5f\xce\x8e\x20\x10\x0c\xde\x82\xc1\xa3\xdc\x18\x06\x11", 193); *(uint32_t*)0x20007740 = 0xa; *(uint32_t*)0x20007744 = 0x200073c0; *(uint8_t*)0x200073c0 = 0xa; *(uint8_t*)0x200073c1 = 6; *(uint16_t*)0x200073c2 = 0x310; *(uint8_t*)0x200073c4 = 5; *(uint8_t*)0x200073c5 = 0x80; *(uint8_t*)0x200073c6 = -1; *(uint8_t*)0x200073c7 = 0xbf; *(uint8_t*)0x200073c8 = 5; *(uint8_t*)0x200073c9 = 0; *(uint32_t*)0x20007748 = 5; *(uint32_t*)0x2000774c = 0x20007400; *(uint8_t*)0x20007400 = 5; *(uint8_t*)0x20007401 = 0xf; *(uint16_t*)0x20007402 = 5; *(uint8_t*)0x20007404 = 0; *(uint32_t*)0x20007750 = 5; *(uint32_t*)0x20007754 = 0xa8; *(uint32_t*)0x20007758 = 0x20007440; *(uint8_t*)0x20007440 = 0xa8; *(uint8_t*)0x20007441 = 3; memcpy((void*)0x20007442, 
"\x05\x84\xbd\xdc\x14\x96\x71\xf9\xe6\xc6\xcd\x12\x3b\x79\x6c\xaf\xe2\xeb\x5d\x2b\xd3\xcf\x65\xe3\xeb\x0f\x3a\x60\x1a\xba\x71\x64\x71\x3d\x40\x42\x65\x3f\x2c\xca\x18\x22\x07\xd4\xe7\xff\xa8\xbc\x71\xe7\x05\xaa\x48\xbc\xff\x03\xfd\xdd\x2e\x3e\x6b\xeb\xe1\x1c\xb6\x1f\x95\xfa\xf1\x4a\xfd\xf2\x94\x40\x02\x1e\x85\x1f\xb6\x82\xaa\x24\xe6\x24\xe8\x33\x95\x2d\xb6\xd1\xf9\x6a\xa7\xed\xfc\x74\xce\x50\x13\x59\x69\x4c\x75\x83\xeb\x5e\x48\xdf\xe2\x27\xd2\x10\x5d\x5e\x3d\x23\x59\xe3\xc7\x28\xa4\x8a\xdf\xf0\x9b\x11\x32\xf9\x28\x89\x3c\xee\xfa\xe6\x77\x00\x98\x3b\xe1\xca\x94\xe8\x18\xe7\xa1\x46\x3c\x80\x2f\x1f\xc2\xa7\x2d\x40\x90\x09\x33\x40\x3d\x7b\x25\x5a\x35\xd9\xdc\x33", 166); *(uint32_t*)0x2000775c = 4; *(uint32_t*)0x20007760 = 0x20007500; *(uint8_t*)0x20007500 = 4; *(uint8_t*)0x20007501 = 3; *(uint16_t*)0x20007502 = 0x42c; *(uint32_t*)0x20007764 = 0xf4; *(uint32_t*)0x20007768 = 0x20007540; *(uint8_t*)0x20007540 = 0xf4; *(uint8_t*)0x20007541 = 3; memcpy((void*)0x20007542, "\x1c\x53\x71\x17\xdc\x72\x0a\xf3\xcc\xf1\x08\x68\x7c\x86\xcb\x54\x4b\xc8\x85\x37\x9e\x43\x5d\xbb\x86\x1b\xc9\xa0\x15\x50\x59\x2e\x60\x08\xae\x94\xa1\xf9\x83\x17\xad\x9c\xd8\x04\x01\x6b\x07\x9b\x5e\xc2\x94\xdc\xaf\x45\x37\xcf\x5b\x68\xc3\xc4\x35\x37\x54\xca\xf3\x69\xba\x34\x10\x1c\xbd\x21\x92\x6b\x15\xce\xf6\x7a\xb6\x3e\xad\x40\xab\xfb\xef\x86\x7b\x37\x2f\xe2\x78\x18\x66\xf8\x7a\x2d\xcc\xf9\x8f\xfe\x66\x53\x1c\x1d\x50\x21\x40\x6c\x69\xce\x84\xb4\x39\x13\x0c\xac\x71\xf5\x25\x64\xb7\xc8\xfa\x62\x1d\x71\xd5\xff\x00\x15\x17\x59\x3f\x05\x9d\xa0\xcb\x82\xf1\xfd\x5e\x32\x7d\xf9\xab\xec\x49\x46\xe3\x4e\x20\xd3\xf1\xdf\x8f\x4a\x04\x22\xf9\xbb\x53\x89\x49\xb4\xa1\x4d\x1b\x3a\xfd\x67\x93\xe8\x1d\x3b\xa5\x96\xd1\x6d\x8c\xee\x0e\x70\x03\x14\xe5\x31\xe6\x02\xfe\x5c\xb8\x32\xb2\x2c\x7a\x2f\x9f\x36\xf3\x9d\x05\x38\x76\x47\x81\x57\xd5\x41\xe8\xc0\x97\x7a\x9a\xca\xf6\x91\xf1\x23\x4f\x66\x5d\x23\x4f\x82\xee\x90\xff\x89\x82\xd9\xc1\x37\x1a\x15\xdd\xc8\xed\x23\x92\xdd\x5a\x96", 242); *(uint32_t*)0x2000776c = 0x98; 
*(uint32_t*)0x20007770 = 0x20007640; *(uint8_t*)0x20007640 = 0x98; *(uint8_t*)0x20007641 = 3; memcpy((void*)0x20007642, "\x07\x8c\xbe\xfd\x67\x79\x6b\x8d\x00\xc6\xa0\x27\xe5\xd0\x7b\xc3\xb0\x07\x56\xac\xaf\xb9\x09\x6e\x3e\x38\x1a\x99\xfd\xbe\x8a\x51\x61\xca\x19\xa9\x62\x8d\x61\xba\xef\xd6\x97\x2b\x48\xf5\xe0\x4b\x0f\xa6\xe2\xb9\x9c\xca\x8d\xf5\xb5\x0d\xbd\x97\xd6\x56\xc0\x2f\x85\x83\xa5\x8c\xe8\xcb\xd3\x5c\x69\xfb\x3f\x86\xde\x0d\xda\xc9\x0f\x5b\xe8\xd4\xf0\x4a\x3a\xd4\xf3\x12\x93\xb5\x09\x95\x91\x39\xbe\xa0\xf3\x06\x7d\x0e\xbf\xa3\xc5\xb2\x10\xe1\x99\x30\x78\xb0\xae\x92\x95\x61\xfc\x77\x34\x86\x9b\x3d\xd8\xd8\x12\xc0\x0a\x30\x35\x23\x61\x66\xa3\x12\x27\xae\x29\x1e\x69\x6a\xb4\xf8\x1f\x4e\x3f\x02\xd6\xb2\xf3\x34", 150); *(uint32_t*)0x20007774 = 4; *(uint32_t*)0x20007778 = 0x20007700; *(uint8_t*)0x20007700 = 4; *(uint8_t*)0x20007701 = 3; *(uint16_t*)0x20007702 = 0x43e; syz_usb_connect(2, 0x6c6, 0x20006cc0, 0x20007740); break; case 41: *(uint8_t*)0x20007780 = 0x12; *(uint8_t*)0x20007781 = 1; *(uint16_t*)0x20007782 = 0x200; *(uint8_t*)0x20007784 = -1; *(uint8_t*)0x20007785 = -1; *(uint8_t*)0x20007786 = -1; *(uint8_t*)0x20007787 = 0x40; *(uint16_t*)0x20007788 = 0xcf3; *(uint16_t*)0x2000778a = 0x9271; *(uint16_t*)0x2000778c = 0x108; *(uint8_t*)0x2000778e = 1; *(uint8_t*)0x2000778f = 2; *(uint8_t*)0x20007790 = 3; *(uint8_t*)0x20007791 = 1; *(uint8_t*)0x20007792 = 9; *(uint8_t*)0x20007793 = 2; *(uint16_t*)0x20007794 = 0x48; *(uint8_t*)0x20007796 = 1; *(uint8_t*)0x20007797 = 1; *(uint8_t*)0x20007798 = 0; *(uint8_t*)0x20007799 = 0x80; *(uint8_t*)0x2000779a = 0xfa; *(uint8_t*)0x2000779b = 9; *(uint8_t*)0x2000779c = 4; *(uint8_t*)0x2000779d = 0; *(uint8_t*)0x2000779e = 0; *(uint8_t*)0x2000779f = 6; *(uint8_t*)0x200077a0 = -1; *(uint8_t*)0x200077a1 = 0; *(uint8_t*)0x200077a2 = 0; *(uint8_t*)0x200077a3 = 0; *(uint8_t*)0x200077a4 = 9; *(uint8_t*)0x200077a5 = 5; *(uint8_t*)0x200077a6 = 1; *(uint8_t*)0x200077a7 = 2; *(uint16_t*)0x200077a8 = 0x200; *(uint8_t*)0x200077aa = 0; 
*(uint8_t*)0x200077ab = 0; *(uint8_t*)0x200077ac = 0; *(uint8_t*)0x200077ad = 9; *(uint8_t*)0x200077ae = 5; *(uint8_t*)0x200077af = 0x82; *(uint8_t*)0x200077b0 = 2; *(uint16_t*)0x200077b1 = 0x200; *(uint8_t*)0x200077b3 = 0; *(uint8_t*)0x200077b4 = 0; *(uint8_t*)0x200077b5 = 0; *(uint8_t*)0x200077b6 = 9; *(uint8_t*)0x200077b7 = 5; *(uint8_t*)0x200077b8 = 0x83; *(uint8_t*)0x200077b9 = 3; *(uint16_t*)0x200077ba = 0x40; *(uint8_t*)0x200077bc = 1; *(uint8_t*)0x200077bd = 0; *(uint8_t*)0x200077be = 0; *(uint8_t*)0x200077bf = 9; *(uint8_t*)0x200077c0 = 5; *(uint8_t*)0x200077c1 = 4; *(uint8_t*)0x200077c2 = 3; *(uint16_t*)0x200077c3 = 0x40; *(uint8_t*)0x200077c5 = 1; *(uint8_t*)0x200077c6 = 0; *(uint8_t*)0x200077c7 = 0; *(uint8_t*)0x200077c8 = 9; *(uint8_t*)0x200077c9 = 5; *(uint8_t*)0x200077ca = 5; *(uint8_t*)0x200077cb = 2; *(uint16_t*)0x200077cc = 0x200; *(uint8_t*)0x200077ce = 0; *(uint8_t*)0x200077cf = 0; *(uint8_t*)0x200077d0 = 0; *(uint8_t*)0x200077d1 = 9; *(uint8_t*)0x200077d2 = 5; *(uint8_t*)0x200077d3 = 6; *(uint8_t*)0x200077d4 = 2; *(uint16_t*)0x200077d5 = 0x200; *(uint8_t*)0x200077d7 = 0; *(uint8_t*)0x200077d8 = 0; *(uint8_t*)0x200077d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007780, 0); if (res != -1) r[22] = res; break; case 42: *(uint32_t*)0x200079c0 = 0x18; *(uint32_t*)0x200079c4 = 0x20007800; *(uint8_t*)0x20007800 = 0x20; *(uint8_t*)0x20007801 = 0x11; *(uint32_t*)0x20007802 = 0xb7; *(uint8_t*)0x20007806 = 0xb7; *(uint8_t*)0x20007807 = 9; memcpy((void*)0x20007808, 
"\x72\xf5\x91\xba\x5c\x69\x4f\x16\xa4\xd9\x20\x75\xef\x3e\xc8\xbc\x46\x92\x09\x54\x79\x9e\xc8\xd3\xc0\x30\x8f\x3b\x47\x79\xda\x6e\x18\xe9\x82\x4a\x86\x74\x6d\x01\x3a\x39\x9a\xfc\x7f\x6f\xce\xb6\xc3\x7f\x7f\x13\x1c\x71\xeb\xc0\x01\xf6\x66\xea\x63\xed\x3a\xde\x13\x20\x09\x73\x5a\x54\x66\x22\xf9\xe6\x39\xd4\x81\xc9\x67\xcc\x7b\x5b\x74\x7c\xc5\xe6\x2f\xdc\x41\xbb\xb4\xbb\x95\x87\x8a\x44\x2c\xc4\x91\x11\xc0\xf5\x78\x86\xf1\x70\x77\xa1\xb4\xb2\x2e\x3c\xf2\x8e\xec\xb7\x98\xfe\xed\x6f\x16\x8d\xd9\xcc\x26\x46\xf8\xb7\x9e\xd4\x1b\xba\x94\xde\x9e\x30\x4f\xc8\x45\x17\x9a\x73\x21\xf0\x47\x84\xaa\x91\x7b\xa0\x84\x05\xb0\xa9\x5b\x83\x03\xd9\x14\xef\x8e\x37\x47\x80\xdd\x8e\x34\x37\xc9\x5c\x35\x76\x4c\xd0\x63\xe7\xa3\xec\x6d\x79\x0b", 181); *(uint32_t*)0x200079c8 = 0x200078c0; *(uint8_t*)0x200078c0 = 0; *(uint8_t*)0x200078c1 = 3; *(uint32_t*)0x200078c2 = 4; *(uint8_t*)0x200078c6 = 4; *(uint8_t*)0x200078c7 = 3; *(uint16_t*)0x200078c8 = 0x813; *(uint32_t*)0x200079cc = 0x20007900; *(uint8_t*)0x20007900 = 0; *(uint8_t*)0x20007901 = 0xf; *(uint32_t*)0x20007902 = 0xc; *(uint8_t*)0x20007906 = 5; *(uint8_t*)0x20007907 = 0xf; *(uint16_t*)0x20007908 = 0xc; *(uint8_t*)0x2000790a = 1; *(uint8_t*)0x2000790b = 7; *(uint8_t*)0x2000790c = 0x10; *(uint8_t*)0x2000790d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000790e, 0x18, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20007910, 3, 0, 16); *(uint32_t*)0x200079d0 = 0x20007940; *(uint8_t*)0x20007940 = 0x20; *(uint8_t*)0x20007941 = 0x29; *(uint32_t*)0x20007942 = 0xf; *(uint8_t*)0x20007946 = 0xf; *(uint8_t*)0x20007947 = 0x29; *(uint8_t*)0x20007948 = 7; *(uint16_t*)0x20007949 = 0x80; *(uint8_t*)0x2000794b = 6; *(uint8_t*)0x2000794c = 0xe0; memcpy((void*)0x2000794d, "\x84\x02\x48\x7c", 4); memcpy((void*)0x20007951, "\x80\x56\xa3\xff", 4); *(uint32_t*)0x200079d4 = 0x20007980; *(uint8_t*)0x20007980 = 0x20; *(uint8_t*)0x20007981 = 0x2a; *(uint32_t*)0x20007982 = 0xc; 
*(uint8_t*)0x20007986 = 0xc; *(uint8_t*)0x20007987 = 0x2a; *(uint8_t*)0x20007988 = 0xa7; *(uint16_t*)0x20007989 = 2; *(uint8_t*)0x2000798b = 0x7d; *(uint8_t*)0x2000798c = 0; *(uint8_t*)0x2000798d = 0x80; *(uint16_t*)0x2000798e = 7; *(uint16_t*)0x20007990 = 6; *(uint32_t*)0x20007e80 = 0x44; *(uint32_t*)0x20007e84 = 0x20007a00; *(uint8_t*)0x20007a00 = 0x40; *(uint8_t*)0x20007a01 = 0x10; *(uint32_t*)0x20007a02 = 0x8c; memcpy((void*)0x20007a06, "\x21\xb8\x38\x25\x05\x9f\x24\x50\x6d\x8e\x84\x20\x85\xd1\xf2\xe7\xf9\x64\x47\x1b\x20\xed\x0a\x8e\x50\xa9\xaa\x4e\xf1\x6b\x5a\x6f\x2d\xbb\x2b\x57\x0a\x4f\x8d\x13\xd6\x0e\x47\xbb\x78\x21\xff\x91\x21\x11\xde\xe4\x0a\x78\xd4\x2b\x4d\x13\xea\x81\x2d\x92\x9c\xcf\x39\x64\xc5\x46\x8f\x89\xd2\xd2\x16\x30\xec\x87\x06\x7a\x2d\x13\xf4\x52\x38\xb4\x46\xbf\x57\xc6\xb9\xec\x35\x57\x8f\xa5\x87\xfc\x77\xfe\x21\x08\xb1\x59\x0b\xe0\x81\x68\x1c\xcc\x02\x4f\x1f\x59\x0b\xe9\xe5\xbe\xc9\xea\x86\xb9\x80\x3c\x60\x29\x9d\xda\x1a\x82\xf8\xff\x04\x42\x86\x71\xa4\x3b\xc2\xc3\x39\x3a", 140); *(uint32_t*)0x20007e88 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0; *(uint8_t*)0x20007ac1 = 0xa; *(uint32_t*)0x20007ac2 = 1; *(uint8_t*)0x20007ac6 = 4; *(uint32_t*)0x20007e8c = 0x20007b00; *(uint8_t*)0x20007b00 = 0; *(uint8_t*)0x20007b01 = 8; *(uint32_t*)0x20007b02 = 1; *(uint8_t*)0x20007b06 = 0xfb; *(uint32_t*)0x20007e90 = 0x20007b40; *(uint8_t*)0x20007b40 = 0x20; *(uint8_t*)0x20007b41 = 0; *(uint32_t*)0x20007b42 = 4; *(uint16_t*)0x20007b46 = 1; *(uint16_t*)0x20007b48 = 1; *(uint32_t*)0x20007e94 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x20; *(uint8_t*)0x20007b81 = 0; *(uint32_t*)0x20007b82 = 4; *(uint16_t*)0x20007b86 = 0x140; *(uint16_t*)0x20007b88 = 0x20; *(uint32_t*)0x20007e98 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 7; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 0x3ff; *(uint32_t*)0x20007e9c = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 9; *(uint32_t*)0x20007c02 = 1; *(uint8_t*)0x20007c06 = 0x81; 
*(uint32_t*)0x20007ea0 = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0xb; *(uint32_t*)0x20007c42 = 2; memcpy((void*)0x20007c46, "\x8a\x02", 2); *(uint32_t*)0x20007ea4 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0xf; *(uint32_t*)0x20007c82 = 2; *(uint16_t*)0x20007c86 = 0x321a; *(uint32_t*)0x20007ea8 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x13; *(uint32_t*)0x20007cc2 = 6; *(uint8_t*)0x20007cc6 = 1; *(uint8_t*)0x20007cc7 = 0x80; *(uint8_t*)0x20007cc8 = 0xc2; *(uint8_t*)0x20007cc9 = 0; *(uint8_t*)0x20007cca = 0; *(uint8_t*)0x20007ccb = 0; *(uint32_t*)0x20007eac = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x17; *(uint32_t*)0x20007d02 = 6; memcpy((void*)0x20007d06, "\xb0\xfe\x28\x1f\xa3\x91", 6); *(uint32_t*)0x20007eb0 = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x19; *(uint32_t*)0x20007d42 = 2; memcpy((void*)0x20007d46, "#7", 2); *(uint32_t*)0x20007eb4 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x1a; *(uint32_t*)0x20007d82 = 2; *(uint16_t*)0x20007d86 = 6; *(uint32_t*)0x20007eb8 = 0x20007dc0; *(uint8_t*)0x20007dc0 = 0x40; *(uint8_t*)0x20007dc1 = 0x1c; *(uint32_t*)0x20007dc2 = 1; *(uint8_t*)0x20007dc6 = 6; *(uint32_t*)0x20007ebc = 0x20007e00; *(uint8_t*)0x20007e00 = 0x40; *(uint8_t*)0x20007e01 = 0x1e; *(uint32_t*)0x20007e02 = 1; *(uint8_t*)0x20007e06 = 6; *(uint32_t*)0x20007ec0 = 0x20007e40; *(uint8_t*)0x20007e40 = 0x40; *(uint8_t*)0x20007e41 = 0x21; *(uint32_t*)0x20007e42 = 1; *(uint8_t*)0x20007e46 = 0x9e; syz_usb_control_io(r[22], 0x200079c0, 0x20007e80); break; case 43: *(uint8_t*)0x20007f00 = 0x12; *(uint8_t*)0x20007f01 = 1; *(uint16_t*)0x20007f02 = 0x70; *(uint8_t*)0x20007f04 = 2; *(uint8_t*)0x20007f05 = 0; *(uint8_t*)0x20007f06 = 0; *(uint8_t*)0x20007f07 = 0x50; *(uint16_t*)0x20007f08 = 0x525; *(uint16_t*)0x20007f0a = 0xa4a1; *(uint16_t*)0x20007f0c = 0x40; *(uint8_t*)0x20007f0e = 1; *(uint8_t*)0x20007f0f = 2; 
*(uint8_t*)0x20007f10 = 3; *(uint8_t*)0x20007f11 = 1; *(uint8_t*)0x20007f12 = 9; *(uint8_t*)0x20007f13 = 2; *(uint16_t*)0x20007f14 = 0x4d; *(uint8_t*)0x20007f16 = 1; *(uint8_t*)0x20007f17 = 1; *(uint8_t*)0x20007f18 = 2; *(uint8_t*)0x20007f19 = 0x70; *(uint8_t*)0x20007f1a = 0x40; *(uint8_t*)0x20007f1b = 9; *(uint8_t*)0x20007f1c = 4; *(uint8_t*)0x20007f1d = 0; *(uint8_t*)0x20007f1e = 0xc4; *(uint8_t*)0x20007f1f = 3; *(uint8_t*)0x20007f20 = 2; *(uint8_t*)0x20007f21 = 6; *(uint8_t*)0x20007f22 = 0; *(uint8_t*)0x20007f23 = 0xe1; *(uint8_t*)0x20007f24 = 8; *(uint8_t*)0x20007f25 = 0x24; *(uint8_t*)0x20007f26 = 6; *(uint8_t*)0x20007f27 = 0; *(uint8_t*)0x20007f28 = 0; memcpy((void*)0x20007f29, "W?s", 3); *(uint8_t*)0x20007f2c = 5; *(uint8_t*)0x20007f2d = 0x24; *(uint8_t*)0x20007f2e = 0; *(uint16_t*)0x20007f2f = 3; *(uint8_t*)0x20007f31 = 0xd; *(uint8_t*)0x20007f32 = 0x24; *(uint8_t*)0x20007f33 = 0xf; *(uint8_t*)0x20007f34 = 1; *(uint32_t*)0x20007f35 = 0x200; *(uint16_t*)0x20007f39 = 0; *(uint16_t*)0x20007f3b = 0x200; *(uint8_t*)0x20007f3d = 3; *(uint8_t*)0x20007f3e = 6; *(uint8_t*)0x20007f3f = 0x24; *(uint8_t*)0x20007f40 = 0x1a; *(uint16_t*)0x20007f41 = 0x1000; *(uint8_t*)0x20007f43 = 0; *(uint8_t*)0x20007f44 = 9; *(uint8_t*)0x20007f45 = 5; *(uint8_t*)0x20007f46 = 0x81; *(uint8_t*)0x20007f47 = 3; *(uint16_t*)0x20007f48 = 0x20; *(uint8_t*)0x20007f4a = 0x3f; *(uint8_t*)0x20007f4b = 0; *(uint8_t*)0x20007f4c = 0xd8; *(uint8_t*)0x20007f4d = 9; *(uint8_t*)0x20007f4e = 5; *(uint8_t*)0x20007f4f = 0x82; *(uint8_t*)0x20007f50 = 2; *(uint16_t*)0x20007f51 = 8; *(uint8_t*)0x20007f53 = -1; *(uint8_t*)0x20007f54 = 0xec; *(uint8_t*)0x20007f55 = 5; *(uint8_t*)0x20007f56 = 9; *(uint8_t*)0x20007f57 = 5; *(uint8_t*)0x20007f58 = 3; *(uint8_t*)0x20007f59 = 2; *(uint16_t*)0x20007f5a = 0x3cf; *(uint8_t*)0x20007f5c = 0x81; *(uint8_t*)0x20007f5d = 0x39; *(uint8_t*)0x20007f5e = 5; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f80; *(uint8_t*)0x20007f80 = 0xa; *(uint8_t*)0x20007f81 = 6; 
*(uint16_t*)0x20007f82 = 0; *(uint8_t*)0x20007f84 = 2; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x77; *(uint8_t*)0x20007f87 = -1; *(uint8_t*)0x20007f88 = 0x2f; *(uint8_t*)0x20007f89 = 0; *(uint32_t*)0x20008288 = 5; *(uint32_t*)0x2000828c = 0x20007fc0; *(uint8_t*)0x20007fc0 = 5; *(uint8_t*)0x20007fc1 = 0xf; *(uint16_t*)0x20007fc2 = 5; *(uint8_t*)0x20007fc4 = 0; *(uint32_t*)0x20008290 = 5; *(uint32_t*)0x20008294 = 0x69; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 0x69; *(uint8_t*)0x20008001 = 3; memcpy((void*)0x20008002, "\xd2\x5a\x9c\x8f\x14\x52\xa3\xc6\xff\xbf\xec\xa8\xeb\x77\x79\x35\xb5\x8c\x9b\x74\x06\x77\x50\x86\xff\xf7\x17\xb5\x4f\x05\xac\x59\xf9\x45\x17\xff\x3c\xd6\xf3\x10\x1d\xbf\xa7\x9b\xb8\x2a\xe3\x1b\x1d\x31\x6d\x08\xa7\x1d\x14\xfc\x2c\x1c\xfa\x8c\x89\x30\x68\xbd\xe2\xbb\x83\x0a\xe9\x1f\xc9\x42\x88\xcc\x23\x2a\xaa\xc0\xe6\x4b\x84\x00\x7b\x0e\x75\x36\xc3\xec\x34\xed\xef\x04\xde\xd9\x34\x21\xa3\x77\xe0\x69\x53\x26\xaa", 103); *(uint32_t*)0x2000829c = 0xac; *(uint32_t*)0x200082a0 = 0x20008080; *(uint8_t*)0x20008080 = 0xac; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x73\x60\x60\x9c\xe8\x30\x0a\xe4\x62\x33\x08\xd5\xf8\xb9\x7b\xfd\x50\xd3\xd8\x63\x40\x8b\x8e\xa4\x01\xc8\x6d\xa9\xd4\x2c\xe5\xf3\x86\x7c\xe8\xd7\x21\xfb\x2a\xb5\xc2\x5f\x6b\x4c\x5e\x85\xf5\xea\xf3\x41\xbd\x51\x4a\x16\xc2\xdf\xe3\xc7\xa1\xd7\xf4\x27\xae\x62\xc0\xbf\xf3\x79\xe8\x4d\x56\x63\x7e\xc1\x37\x7b\x8c\x8a\xd5\xb5\x5b\x09\x9c\xfa\xa4\xa7\xa6\xee\xb0\x58\x9f\x81\xe7\xa4\x33\x00\xef\xf5\x33\x54\xe1\xb2\xbd\xcd\xc3\x4d\x79\x45\xd6\x35\x62\xe4\x8d\x5e\xd9\x3b\xef\x75\xfd\x01\x60\xfc\xd7\xc3\xa6\xbe\x7f\x0c\x64\x2b\xb6\xe5\x61\xe3\x5a\x1c\x73\x11\x0b\xdc\xde\xd7\x69\x98\x65\xe2\x5e\xb2\x38\xcf\x8f\x3b\x10\xad\x3c\x10\x48\x80\x28\xc3\x70\x63\xc8\x86\x2f\x90\x7b\x06\x82\x9e", 170); *(uint32_t*)0x200082a4 = 4; *(uint32_t*)0x200082a8 = 0x20008140; *(uint8_t*)0x20008140 = 4; *(uint8_t*)0x20008141 = 3; *(uint16_t*)0x20008142 = 0x81a; *(uint32_t*)0x200082ac = 4; 
*(uint32_t*)0x200082b0 = 0x20008180; *(uint8_t*)0x20008180 = 4; *(uint8_t*)0x20008181 = 3; *(uint16_t*)0x20008182 = 0x180a; *(uint32_t*)0x200082b4 = 0xb9; *(uint32_t*)0x200082b8 = 0x200081c0; *(uint8_t*)0x200081c0 = 0xb9; *(uint8_t*)0x200081c1 = 3; memcpy((void*)0x200081c2, "\x37\xef\xeb\x85\x4b\x40\x51\xa4\x6c\x67\xae\xe7\xea\xa0\xf6\x2f\xde\x9f\x59\x9c\xd5\xba\x25\x32\x9d\x50\xae\xe1\x6b\x30\xc6\xc1\xa5\x14\x83\x10\x81\xaf\xc1\xdf\xd2\x68\x2f\xf4\x87\x16\xa9\x1b\xf9\x5e\x08\x42\x12\xb0\x69\x6d\x43\xe1\xc6\xc4\x3a\xda\xf9\xed\x3e\xf7\x0e\x62\x73\x59\x94\xd2\xd0\x86\x51\x39\x60\x49\x88\xfa\xc1\x79\x78\xd9\xc0\x5a\x84\xf3\x42\x38\x31\xdd\x1d\xdd\xc6\xc9\x4d\x50\xdd\xd6\x74\xf1\x65\x25\xbb\xf9\xa8\xdb\x3b\xb4\x90\x01\xbe\x38\xa1\x96\x70\xab\xd9\x9f\x4a\x2e\x97\xcf\xb2\x0d\x46\xc6\x37\x83\x2a\x3e\xc9\x7f\xf0\x94\xc6\xa3\x30\x49\x64\xb7\x2b\xcf\x11\x6b\xf2\x7f\xed\xd5\x52\x1a\xd3\xda\x22\x62\x97\xff\xf8\x49\xc3\x3c\x5d\x84\x9e\x3e\x30\x37\x52\x79\x01\xee\xf6\x3a\x59\x9b\xaa\x54\xfc\x46\xa4\x6f\xf1", 183); res = -1; res = syz_usb_connect(2, 0x5f, 0x20007f00, 0x20008280); if (res != -1) r[23] = res; break; case 44: syz_usb_disconnect(r[23]); break; case 45: *(uint8_t*)0x200082c0 = 0x12; *(uint8_t*)0x200082c1 = 1; *(uint16_t*)0x200082c2 = 0x110; *(uint8_t*)0x200082c4 = 2; *(uint8_t*)0x200082c5 = 0; *(uint8_t*)0x200082c6 = 0; *(uint8_t*)0x200082c7 = 0x20; *(uint16_t*)0x200082c8 = 0x525; *(uint16_t*)0x200082ca = 0xa4a1; *(uint16_t*)0x200082cc = 0x40; *(uint8_t*)0x200082ce = 1; *(uint8_t*)0x200082cf = 2; *(uint8_t*)0x200082d0 = 3; *(uint8_t*)0x200082d1 = 1; *(uint8_t*)0x200082d2 = 9; *(uint8_t*)0x200082d3 = 2; *(uint16_t*)0x200082d4 = 0xb3; *(uint8_t*)0x200082d6 = 1; *(uint8_t*)0x200082d7 = 1; *(uint8_t*)0x200082d8 = 6; *(uint8_t*)0x200082d9 = 0x28; *(uint8_t*)0x200082da = -1; *(uint8_t*)0x200082db = 9; *(uint8_t*)0x200082dc = 4; *(uint8_t*)0x200082dd = 0; *(uint8_t*)0x200082de = 9; *(uint8_t*)0x200082df = 2; *(uint8_t*)0x200082e0 = 2; *(uint8_t*)0x200082e1 = 6; 
*(uint8_t*)0x200082e2 = 0; *(uint8_t*)0x200082e3 = 4; *(uint8_t*)0x200082e4 = 6; *(uint8_t*)0x200082e5 = 0x24; *(uint8_t*)0x200082e6 = 6; *(uint8_t*)0x200082e7 = 0; *(uint8_t*)0x200082e8 = 0; memset((void*)0x200082e9, 177, 1); *(uint8_t*)0x200082ea = 5; *(uint8_t*)0x200082eb = 0x24; *(uint8_t*)0x200082ec = 0; *(uint16_t*)0x200082ed = 8; *(uint8_t*)0x200082ef = 0xd; *(uint8_t*)0x200082f0 = 0x24; *(uint8_t*)0x200082f1 = 0xf; *(uint8_t*)0x200082f2 = 1; *(uint32_t*)0x200082f3 = 0x9208; *(uint16_t*)0x200082f7 = 2; *(uint16_t*)0x200082f9 = 0; *(uint8_t*)0x200082fb = 0x20; *(uint8_t*)0x200082fc = 0x5e; *(uint8_t*)0x200082fd = 0x24; *(uint8_t*)0x200082fe = 0x13; *(uint8_t*)0x200082ff = 7; memcpy((void*)0x20008300, "\x63\xb0\xb9\x53\x77\x14\x7b\xa2\x14\xd9\x50\xfc\x04\xb2\x2c\x04\xbe\x09\xd9\xb9\x6f\x1a\xb9\x4b\xb0\x2e\x8a\x2a\x9e\x23\xcf\x7d\x3a\xca\xb2\x2a\x80\xed\x35\x0e\xc4\xb1\x78\x06\xed\xcb\x16\x9e\x50\x75\x37\x3d\x99\x17\x80\x21\x13\x92\xeb\x3d\x9f\x11\x73\xa5\x39\x84\x3b\xf2\xc3\xf6\x6a\x4a\x69\x60\xa5\x5a\x22\x07\x76\x7d\xb3\xc5\x5a\x7d\xd2\x89\x8b\x5c\xcb\x40", 90); *(uint8_t*)0x2000835a = 0xc; *(uint8_t*)0x2000835b = 0x24; *(uint8_t*)0x2000835c = 0x1b; *(uint16_t*)0x2000835d = 0x2a; *(uint16_t*)0x2000835f = 0x100; *(uint8_t*)0x20008361 = 0xe0; *(uint8_t*)0x20008362 = 0x76; *(uint16_t*)0x20008363 = 0; *(uint8_t*)0x20008365 = -1; *(uint8_t*)0x20008366 = 4; *(uint8_t*)0x20008367 = 0x24; *(uint8_t*)0x20008368 = 2; *(uint8_t*)0x20008369 = 0xa; *(uint8_t*)0x2000836a = 9; *(uint8_t*)0x2000836b = 5; *(uint8_t*)0x2000836c = 0x81; *(uint8_t*)0x2000836d = 3; *(uint16_t*)0x2000836e = 0x20; *(uint8_t*)0x20008370 = 0x73; *(uint8_t*)0x20008371 = 0x35; *(uint8_t*)0x20008372 = 0x3f; *(uint8_t*)0x20008373 = 9; *(uint8_t*)0x20008374 = 5; *(uint8_t*)0x20008375 = 0x82; *(uint8_t*)0x20008376 = 2; *(uint16_t*)0x20008377 = 8; *(uint8_t*)0x20008379 = 3; *(uint8_t*)0x2000837a = 1; *(uint8_t*)0x2000837b = 3; *(uint8_t*)0x2000837c = 9; *(uint8_t*)0x2000837d = 5; *(uint8_t*)0x2000837e = 3; 
*(uint8_t*)0x2000837f = 2; *(uint16_t*)0x20008380 = 0x40; *(uint8_t*)0x20008382 = 5; *(uint8_t*)0x20008383 = 0x40; *(uint8_t*)0x20008384 = 2; *(uint32_t*)0x200087c0 = 0xa; *(uint32_t*)0x200087c4 = 0x200083c0; *(uint8_t*)0x200083c0 = 0xa; *(uint8_t*)0x200083c1 = 6; *(uint16_t*)0x200083c2 = 0x201; *(uint8_t*)0x200083c4 = 0x79; *(uint8_t*)0x200083c5 = 3; *(uint8_t*)0x200083c6 = 0x3f; *(uint8_t*)0x200083c7 = 0x20; *(uint8_t*)0x200083c8 = 6; *(uint8_t*)0x200083c9 = 0; *(uint32_t*)0x200087c8 = 0x37; *(uint32_t*)0x200087cc = 0x20008400; *(uint8_t*)0x20008400 = 5; *(uint8_t*)0x20008401 = 0xf; *(uint16_t*)0x20008402 = 0x37; *(uint8_t*)0x20008404 = 5; *(uint8_t*)0x20008405 = 7; *(uint8_t*)0x20008406 = 0x10; *(uint8_t*)0x20008407 = 2; STORE_BY_BITMASK(uint32_t, , 0x20008408, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008409, 0xa, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008409, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000840a, 5, 0, 16); *(uint8_t*)0x2000840c = 7; *(uint8_t*)0x2000840d = 0x10; *(uint8_t*)0x2000840e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000840f, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008410, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008410, 9, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008411, 8, 0, 16); *(uint8_t*)0x20008413 = 0xa; *(uint8_t*)0x20008414 = 0x10; *(uint8_t*)0x20008415 = 3; *(uint8_t*)0x20008416 = 0xc9; *(uint16_t*)0x20008417 = 7; *(uint8_t*)0x20008419 = 7; *(uint8_t*)0x2000841a = 0; *(uint16_t*)0x2000841b = 8; *(uint8_t*)0x2000841d = 0xa; *(uint8_t*)0x2000841e = 0x10; *(uint8_t*)0x2000841f = 3; *(uint8_t*)0x20008420 = 2; *(uint16_t*)0x20008421 = 0xc; *(uint8_t*)0x20008423 = 0; *(uint8_t*)0x20008424 = 6; *(uint16_t*)0x20008425 = 6; *(uint8_t*)0x20008427 = 0x10; *(uint8_t*)0x20008428 = 0x10; *(uint8_t*)0x20008429 = 0xa; *(uint8_t*)0x2000842a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000842b, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000842b, 0x8001, 5, 27); *(uint16_t*)0x2000842f = 0xf00f; *(uint16_t*)0x20008431 = 0xfffd; *(uint32_t*)0x20008433 = 
0x3fc0; *(uint32_t*)0x200087d0 = 9; *(uint32_t*)0x200087d4 = 0x4f; *(uint32_t*)0x200087d8 = 0x20008440; *(uint8_t*)0x20008440 = 0x4f; *(uint8_t*)0x20008441 = 3; memcpy((void*)0x20008442, "\xc0\x66\x3b\x11\x6d\xab\x9b\xa5\xc0\xa2\xf7\xa2\xad\x48\x6f\xfc\x16\x4a\x43\x65\x89\x95\x65\xc5\xe9\x9b\x01\x52\x39\xf3\x78\xdf\x56\xdb\x4d\xc3\xb0\xbb\x08\xdc\xd2\x08\xd9\x58\xfa\x3c\xf0\x80\x97\xaa\x20\x8b\x2d\x28\x65\xb5\x02\xcb\xc9\x4b\x1a\x8e\x33\xbd\xd9\xd6\x48\x1f\xbf\x32\xd4\x91\x34\x22\xfe\x18\x9f", 77); *(uint32_t*)0x200087dc = 0x85; *(uint32_t*)0x200087e0 = 0x200084c0; *(uint8_t*)0x200084c0 = 0x85; *(uint8_t*)0x200084c1 = 3; memcpy((void*)0x200084c2, "\xc9\xc4\x87\xa9\x0b\xe3\xd4\x0e\xf7\x82\x37\x3d\x78\x5f\x86\xbd\xfc\x3d\xb6\xfb\x0d\xd0\xa7\x44\x0b\x2f\xe4\x59\x5c\x3a\x6b\xd6\x7a\xa8\x51\x8d\x89\x7a\x8a\x75\x7d\x5f\x1c\xeb\x86\xe5\x98\xca\xbf\x23\x45\xf7\x71\xc3\xc7\x12\x8b\xd1\x6d\xd4\xb1\xee\x9b\x7d\xbc\xaf\x61\x1e\x97\xf6\xdc\xb9\xf1\x71\xe8\xf7\x05\x2b\x0f\x33\xe6\x31\xbf\xe9\x9d\xdc\x44\x13\xe5\xe5\xd7\xb6\x34\xdc\xc3\xb7\x7e\x4d\x30\x1f\x89\xa8\xd3\xb8\x51\xb0\x23\x06\xca\xbe\xc2\x11\x12\x7a\x8e\x54\x1d\x16\x26\x36\x58\x8f\xf5\x74\xde\x82\xde\x8f\x30\x7d\x43", 131); *(uint32_t*)0x200087e4 = 4; *(uint32_t*)0x200087e8 = 0x20008580; *(uint8_t*)0x20008580 = 4; *(uint8_t*)0x20008581 = 3; *(uint16_t*)0x20008582 = 0x1407; *(uint32_t*)0x200087ec = 4; *(uint32_t*)0x200087f0 = 0x200085c0; *(uint8_t*)0x200085c0 = 4; *(uint8_t*)0x200085c1 = 3; *(uint16_t*)0x200085c2 = 0; *(uint32_t*)0x200087f4 = 0xaa; *(uint32_t*)0x200087f8 = 0x20008600; *(uint8_t*)0x20008600 = 0xaa; *(uint8_t*)0x20008601 = 3; memcpy((void*)0x20008602, 
"\xce\x39\x5e\x8e\x9f\x40\x9a\x37\xda\xeb\x1c\x20\xbe\x9c\xa4\x00\x4a\xe8\x10\xcf\x16\x53\xec\xcd\x6e\x66\x3d\xd7\x4f\x8b\xc0\x69\x89\xb4\xd1\xa6\x5c\x9f\x48\x0b\xd3\x7e\x9d\xd8\x53\x49\xf2\x98\xdd\xad\xdc\x2c\xc9\xe4\xed\xa1\x47\xf2\x31\x40\x2e\x11\x6f\xb5\x94\xa6\x37\x18\xd8\x21\xd8\x85\xeb\xd6\x7e\xda\x45\x15\x58\xb1\xfb\xa3\x09\x3e\xcb\xd4\x0c\xbe\x5f\xbe\x07\xf9\x4e\xd9\x27\xd8\xe5\x03\x9a\x7c\x49\x7a\xa8\xd1\xf1\x0a\x4d\xda\xc0\x49\xad\x82\x0f\x8c\x53\x2c\x5a\x3f\x00\x94\x79\x55\x03\x24\x23\x92\x2e\x95\xaa\x5b\xfe\xe0\x41\xf7\xfe\x87\x44\xec\xc4\x42\x40\x57\xee\xc9\x70\x40\xb3\x41\xd0\xdd\xdc\xaf\x20\x6d\xa6\x43\x1e\x98\x7f\x04\xcf\xd5\x58\x02\xca\xd3\xa1\x14", 168); *(uint32_t*)0x200087fc = 4; *(uint32_t*)0x20008800 = 0x200086c0; *(uint8_t*)0x200086c0 = 4; *(uint8_t*)0x200086c1 = 3; *(uint16_t*)0x200086c2 = 0x3c01; *(uint32_t*)0x20008804 = 4; *(uint32_t*)0x20008808 = 0x20008700; *(uint8_t*)0x20008700 = 4; *(uint8_t*)0x20008701 = 3; *(uint16_t*)0x20008702 = 0x1809; *(uint32_t*)0x2000880c = 4; *(uint32_t*)0x20008810 = 0x20008740; *(uint8_t*)0x20008740 = 4; *(uint8_t*)0x20008741 = 3; *(uint16_t*)0x20008742 = 0x807; *(uint32_t*)0x20008814 = 4; *(uint32_t*)0x20008818 = 0x20008780; *(uint8_t*)0x20008780 = 4; *(uint8_t*)0x20008781 = 3; *(uint16_t*)0x20008782 = 0x1c; res = -1; res = syz_usb_connect(3, 0xc5, 0x200082c0, 0x200087c0); if (res != -1) r[24] = res; break; case 46: syz_usb_ep_read(r[24], 8, 0x7d, 0x20008840); break; case 47: *(uint8_t*)0x200088c0 = 0x12; *(uint8_t*)0x200088c1 = 1; *(uint16_t*)0x200088c2 = 0x250; *(uint8_t*)0x200088c4 = 0; *(uint8_t*)0x200088c5 = 0; *(uint8_t*)0x200088c6 = 0; *(uint8_t*)0x200088c7 = 0x10; *(uint16_t*)0x200088c8 = 0x56a; *(uint16_t*)0x200088ca = 0x62; *(uint16_t*)0x200088cc = 0x40; *(uint8_t*)0x200088ce = 1; *(uint8_t*)0x200088cf = 2; *(uint8_t*)0x200088d0 = 3; *(uint8_t*)0x200088d1 = 1; *(uint8_t*)0x200088d2 = 9; *(uint8_t*)0x200088d3 = 2; *(uint16_t*)0x200088d4 = 0x2d; *(uint8_t*)0x200088d6 = 1; *(uint8_t*)0x200088d7 = 1; 
*(uint8_t*)0x200088d8 = 0; *(uint8_t*)0x200088d9 = 0xf0; *(uint8_t*)0x200088da = 0x8e; *(uint8_t*)0x200088db = 9; *(uint8_t*)0x200088dc = 4; *(uint8_t*)0x200088dd = 0; *(uint8_t*)0x200088de = 5; *(uint8_t*)0x200088df = 1; *(uint8_t*)0x200088e0 = 3; *(uint8_t*)0x200088e1 = 1; *(uint8_t*)0x200088e2 = 2; *(uint8_t*)0x200088e3 = 0; *(uint8_t*)0x200088e4 = 9; *(uint8_t*)0x200088e5 = 0x21; *(uint16_t*)0x200088e6 = 3; *(uint8_t*)0x200088e8 = 0xf; *(uint8_t*)0x200088e9 = 1; *(uint8_t*)0x200088ea = 0x22; *(uint16_t*)0x200088eb = 0xa21; *(uint8_t*)0x200088ed = 9; *(uint8_t*)0x200088ee = 5; *(uint8_t*)0x200088ef = 0x81; *(uint8_t*)0x200088f0 = 3; *(uint16_t*)0x200088f1 = 0x3af; *(uint8_t*)0x200088f3 = 1; *(uint8_t*)0x200088f4 = 0x40; *(uint8_t*)0x200088f5 = 2; *(uint8_t*)0x200088f6 = 9; *(uint8_t*)0x200088f7 = 5; *(uint8_t*)0x200088f8 = 2; *(uint8_t*)0x200088f9 = 3; *(uint16_t*)0x200088fa = 0x10; *(uint8_t*)0x200088fc = 6; *(uint8_t*)0x200088fd = 1; *(uint8_t*)0x200088fe = 9; *(uint32_t*)0x20008c00 = 0xa; *(uint32_t*)0x20008c04 = 0x20008900; *(uint8_t*)0x20008900 = 0xa; *(uint8_t*)0x20008901 = 6; *(uint16_t*)0x20008902 = 0x250; *(uint8_t*)0x20008904 = 3; *(uint8_t*)0x20008905 = 1; *(uint8_t*)0x20008906 = 0x46; *(uint8_t*)0x20008907 = -1; *(uint8_t*)0x20008908 = 0x20; *(uint8_t*)0x20008909 = 0; *(uint32_t*)0x20008c08 = 0x34; *(uint32_t*)0x20008c0c = 0x20008940; *(uint8_t*)0x20008940 = 5; *(uint8_t*)0x20008941 = 0xf; *(uint16_t*)0x20008942 = 0x34; *(uint8_t*)0x20008944 = 2; *(uint8_t*)0x20008945 = 0xb; *(uint8_t*)0x20008946 = 0x10; *(uint8_t*)0x20008947 = 1; *(uint8_t*)0x20008948 = 2; *(uint16_t*)0x20008949 = 0xfa; *(uint8_t*)0x2000894b = 8; *(uint8_t*)0x2000894c = 0x80; *(uint16_t*)0x2000894d = 5; *(uint8_t*)0x2000894f = 3; *(uint8_t*)0x20008950 = 0x24; *(uint8_t*)0x20008951 = 0x10; *(uint8_t*)0x20008952 = 0xa; *(uint8_t*)0x20008953 = 5; STORE_BY_BITMASK(uint32_t, , 0x20008954, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20008954, 9, 5, 27); *(uint16_t*)0x20008958 = 0xf00f; 
*(uint16_t*)0x2000895a = 0; *(uint32_t*)0x2000895c = 0xffc00f; *(uint32_t*)0x20008960 = 0xff00c0; *(uint32_t*)0x20008964 = 0x101ffc0; *(uint32_t*)0x20008968 = 0xff0030; *(uint32_t*)0x2000896c = 0x30; *(uint32_t*)0x20008970 = 0x30; *(uint32_t*)0x20008c10 = 4; *(uint32_t*)0x20008c14 = 0xed; *(uint32_t*)0x20008c18 = 0x20008980; *(uint8_t*)0x20008980 = 0xed; *(uint8_t*)0x20008981 = 3; memcpy((void*)0x20008982, "\xe7\xdb\x91\x4e\xf4\xa7\x1a\x3a\xba\x44\x3e\xe1\x81\xc2\x72\xe7\xfb\xb6\x36\x48\xa9\x97\x75\x4b\x81\xa1\x93\x8f\x52\xb9\xfd\x8c\x2b\x76\xca\x28\xee\x1f\xcb\xa2\x80\x02\x1f\xbe\x02\xff\xa0\x3e\xa7\x53\xf2\xd5\x1b\x71\xf1\xcb\x93\x91\xea\x31\xfa\xab\xf8\xed\x37\xa9\x85\x3b\x87\xee\xba\xa0\xa1\x26\x96\x96\xe6\x5e\x30\x9e\xa4\xbf\x77\x55\xff\x1b\x99\x28\x0f\xd6\x82\x30\xd7\xd8\x99\xd0\x97\xe1\x6e\xe0\xb2\x24\xde\x57\x33\x94\x39\xc8\x0a\xd7\xfb\xf8\xbb\xf3\x2a\xa0\x0e\x29\x80\x2b\xde\x1c\x8c\x5e\x62\x28\xfa\x0a\x54\xc8\x35\x0e\xf9\x97\x11\x2f\x76\x3e\x17\x42\x8f\xb8\xe9\x5a\x56\x68\x95\x95\xf3\x0a\x3c\x16\x15\x18\x09\xb0\xc6\xb1\xd4\xd4\x76\x65\x10\xc6\xf0\x66\xfe\x4b\x35\xa3\xea\x90\xd3\x88\xd1\xb4\xd4\xe9\xc6\xb3\x09\x71\xe2\x37\xe2\x3f\xd2\x05\xf9\x90\x5e\xe7\xd7\x9f\x44\x43\x70\x7a\xdc\x7f\x65\xce\x2b\x15\x99\x4d\xaa\xc7\xb9\x54\x35\x3f\xb2\x32\x01\x84\x41\x22\x71\x05\x31\x87\x9c\x62\x91\xc7\xdf\xbf\x6b\xe4\x54\xb9\xcf\x2f\x2e", 235); *(uint32_t*)0x20008c1c = 4; *(uint32_t*)0x20008c20 = 0x20008a80; *(uint8_t*)0x20008a80 = 4; *(uint8_t*)0x20008a81 = 3; *(uint16_t*)0x20008a82 = 0x410; *(uint32_t*)0x20008c24 = 0x64; *(uint32_t*)0x20008c28 = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x64; *(uint8_t*)0x20008ac1 = 3; memcpy((void*)0x20008ac2, 
"\x04\x1c\x8b\x1b\xd1\x43\xea\x1d\x63\x82\x9b\x76\x9d\xdb\x88\x6a\x6a\xaf\xee\xdd\x5f\x65\x2b\xc9\x48\x67\x7c\x9a\x6e\x3a\xcf\xe0\x4a\x15\x19\x05\x3f\x95\xe5\xfc\xf7\x9b\x08\x53\x62\xcd\xac\x6a\xbb\xf8\xf1\x37\x81\xa6\x21\x88\x52\x57\x05\x2b\x12\x00\x45\xda\x2c\x49\x4a\x30\xbc\x6a\xe6\xc4\x16\x0c\xf4\x97\x00\x2a\xf8\xb7\x7e\x21\x68\x93\x24\xbd\x6e\x75\xac\xed\xa7\xcf\x6a\x50\x92\x0b\x2a\xb1", 98); *(uint32_t*)0x20008c2c = 0x87; *(uint32_t*)0x20008c30 = 0x20008b40; *(uint8_t*)0x20008b40 = 0x87; *(uint8_t*)0x20008b41 = 3; memcpy((void*)0x20008b42, "\x15\x08\x37\xb1\xe6\x9e\x50\x07\x39\x8a\xc0\x2c\x4a\x0b\x25\x07\x2d\xaa\x81\xa6\x4a\xf1\x0b\xcd\xc5\x73\x63\x33\xf4\x9c\x92\x1f\x86\xd9\xcb\xc6\xb7\x78\xf1\xd2\x16\x79\xd8\x47\xd5\xb8\xa9\xb7\x0f\xc5\x6b\xb5\xa4\x33\x04\x0a\xfd\x94\x37\x7b\x25\x15\xa5\x5c\xda\x70\xdb\x64\x44\x2a\xda\xe0\x90\x5a\xa9\x0f\x91\x1d\x3b\xee\xf8\x00\xab\x6f\xd8\x7a\x5c\x51\xfd\xa8\xfa\xa7\x50\xd1\x95\xc2\xe6\x57\x24\x97\x81\xc6\xaf\x05\x23\xe0\x49\x2f\x9a\x69\xe2\x27\xe1\x0c\xa0\x31\x0f\x1a\x01\x0f\x8b\x98\x6a\x9a\x05\x53\xa5\x33\x1f\x97\x54\xfc\x90", 133); res = -1; res = syz_usb_connect(3, 0x3f, 0x200088c0, 0x20008c00); if (res != -1) r[25] = res; break; case 48: memcpy((void*)0x20008c40, "\xa6\x90\x8c\x55\x30\x81\x4d\x6a\x6b\xfd\x6d\x6c\x75\x94\xd4\xaf\x8a\x49\x62\xd8\x82\xda\x65\x7b\xb4\x02\xc7\xd0\xae\x45\x35\x16\x81\x60\xdb\xf6\x7b\x82\xf2\x23\xd5\x77\xb0\xe1\x6e\x6a\xc3\xc4\x6a\x40\x15\xa6\xed\x7c\x4f\xa6\x5d\x1d\xba\xa2\x68\xb7\x48\xde\xc4\x67\x74\xec\xa9\x22\x47\x96\x94\x49\xa9\xf5\x9e\x9e\xdd\xe4\xd3\x7e\x7b\xd1\x78\x82\xeb\x00\x5e\x24\xfe\x43\xf5\x76\x54\x00\x0e\xad\xec\x3f\x1d\xe9\x91\x7e\xb2\x8c\x2a\x87\x71\x82\xc4\x7b\x55\x6d", 114); syz_usb_ep_write(r[25], 7, 0x72, 0x20008c40); break; case 49: syz_usbip_server_init(4); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); 
use_temporary_dir(); do_sandbox_none(); return 0; } :126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor724671367 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/8 (1.81s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) (fail_nth: 1) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000040)={0x0, 0xe6, "f137161ab86c594202b997d9f12d007021870322c8d909748409951ae9800c1e207f98b769c740f867ea14bbf8666a4f98d229aaafbc33c6c52168db8933c4a4a4a3dd3ce0ccea96e71d81ff4aca8331cb01bf35433853d1abd48fd6d0ce1314df6507bae535a2b4e3eaa74c5d23006594148a0fe5b4a884ef8f41346e49cc90474cb17bac301d4797ed05dfc6ccb74bebaabe549172d622a30605a4e49fd3f8537de5272c33ad4f07cd060577bce65e5c80a34168cde68117e4f900e35a3d888e02ee111752213b40d2af258c01f36de50ce8e83d4226a30d6a4cc43a883f6c20e3fada8ad2"}, &(0x7f0000000140)=0xee) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e22, 0x3, @private2, 0x1}}, [0x7fffffff, 0x1, 0x7fff, 0x4, 0x7, 0x1, 0x3ff, 0x40, 0x5, 0x1, 0x0, 0x7, 0x0, 0x8, 0x1f]}, 
&(0x7f0000000280)=0xfc) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e20, 0x9, @private2={0xfc, 0x2, '\x00', 0x1}, 0x3}}}, 0x84) r3 = openat$pktcdvd(0xffffff9c, &(0x7f0000000380), 0x0, 0x0) ioctl$MEDIA_REQUEST_IOC_QUEUE(r3, 0x7c80, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x7f, @private0, 0x5}}, 0x5, 0x476f}, 0x88) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_SRVCORE_ACQUIREGLOBALEVENTOBJECT(r3, 0xc0206440, &(0x7f0000000500)={0x1, 0x2, &(0x7f0000000480), &(0x7f00000004c0)={0x0}, 0x4, 0x8}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTQ2_RGXTDMSETTRANSFERCONTEXTPROPERTY(r3, 0xc0206440, &(0x7f00000005c0)={0x8a, 0x7, &(0x7f0000000540)={r4, 0x400}, &(0x7f0000000580), 0x10, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXBREAKPOINT_RGXENABLEBREAKPOINT(r3, 0xc0206440, &(0x7f0000000680)={0x83, 0x2, &(0x7f0000000600)={r4}, &(0x7f0000000640), 0x4, 0x4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@deauth={@wo_ht={{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x240}, @broadcast, @device_a, @random="2015d229785b", {0x8}}, 0x27, @val={0x8c, 0x18, {0xc93, "ffe3240f0484", @long="067ecc39a78a3ea47c22246d391b92c4"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_xfrm_policy_alloc_security\x00') syz_emit_ethernet(0xbc, &(0x7f0000000140)={@dev={'\xaa\xaa\xaa\xaa\xaa', 0x3b}, @broadcast, @void, {@mpls_mc={0x8848, {[{0x8, 0x0, 0x1}, {0x1, 0x0, 0x1}, {0x4, 0x0, 0x1}, {}, {0x0, 0x0, 0x1}], @ipv4=@dccp={{0x15, 0x4, 0x2, 0x33, 0x9a, 0x65, 0x0, 0x7, 0x21, 0x0, @dev={0xac, 0x14, 0x14, 0x1e}, @rand_addr=0x64010101, {[@noop, @end, @timestamp_addr={0x44, 0x1c, 0xe9, 0x1, 0x2, [{@dev={0xac, 0x14, 0x14, 0x28}, 0xf7e}, {@loopback, 0x7fff}, {@private=0xa010101, 0x5}]}, @generic={0x83, 0xe, "db10ac96c2cf817c67fc6d7e"}, @rr={0x7, 0x7, 0x87, 
[@local]}, @end, @ra={0x94, 0x4, 0x7}, @end, @generic={0x44, 0x5, "e0d910"}]}}, {{0x4e20, 0x4e23, 0x4, 0x1, 0xf, 0x0, 0x0, 0x9, 0x5, "d77b5a", 0x7, "c6dd9c"}, "494a1261c05df7372b3c29631b6232d41f19fa8727ecea11ccf1979683ceb144705e12c13fba0e399f08f58397f3ea7bdb746b3dcabe"}}}}}}, &(0x7f0000000200)={0x0, 0x3, [0xf9, 0x208, 0x50c, 0x74d]}) syz_emit_vhci(&(0x7f0000000240)=@HCI_EVENT_PKT={0x4, @HCI_EV_VENDOR={{0xff, 0xc1}, "0626cab051d180b0c2e36c0814bbca7e31d691502e1c7c0eae1a042e7372921a0c6dfccedd81a98f58b9850ba2f68bc25d5cab15a0af010796b5fdfb8a3b35f3eb48ee0c7b2ed287cf469fdec0248e957ef0dd22f3fc6d746e70262c277c016177e56a68031293b56b02c1b6f867d10a3bbf33817b39d487ae0659a68cffb8df46df59a7d104b7c6711d45af1f966d69e635809cf24a70d4c2ea9cc98d37599807148af36b475eb2ce56e027ac751769f8710272d187722ecdf7a8f86d8b977aa8"}}, 0xc4) syz_execute_func(&(0x7f0000000340)="c4c17d6f7072c4e1f9112fc4e3c95d33abc4c2790eb000000000c4e17a12b70c0000000f0156e9c4e10dd55e0cf30f526b000f7e20c4c179e702") syz_extract_tcp_res(&(0x7f0000000380), 0x80000000, 0x100) r5 = dup(0xffffffffffffffff) r6 = fcntl$getown(0xffffffffffffffff, 0x9) lstat(&(0x7f00000026c0)='./file0\x00', &(0x7f0000002700)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000002800)=0x0, &(0x7f0000002840), &(0x7f0000002880)=0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002ac0)={0x2020, 0x0, 0x0, 0x0}, 0x2020) statx(0xffffffffffffffff, &(0x7f0000004b00)='./file0\x00', 0x2000, 0x20, &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004d00)={{{@in6=@ipv4={""/10, ""/2, @private}, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000004e00)=0xe4) r13 = getgid() syz_fuse_handle_req(r5, &(0x7f00000003c0)="", 0x2000, &(0x7f0000004f40)={&(0x7f00000023c0)={0x50, 0x0, 0x3f, {0x7, 0x22, 0x8001, 0x1040000, 0x8, 0xf6e1, 0x8, 0x9}}, &(0x7f0000002440)={0x18, 0x0, 0x9, {0x40d}}, &(0x7f0000002480)={0x18, 0x0, 0x7, {0x7}}, &(0x7f00000024c0)={0x18, 
0x0, 0xffff, {0x8}}, &(0x7f0000002500)={0x18, 0x0, 0xce0, {0x1c}}, &(0x7f0000002540)={0x28, 0x0, 0x1, {{0x100, 0x5, 0x2, r6}}}, &(0x7f0000002580)={0x60, 0xfffffffffffffffe, 0x8, {{0xcd95, 0x1f, 0x7, 0x48, 0xaac5, 0x6, 0xad, 0x5}}}, &(0x7f0000002600)={0x18, 0xfffffffffffffff5, 0x9, {0x9}}, &(0x7f0000002640)={0x11, 0x0, 0x0, {'\x00'}}, &(0x7f0000002680)={0x20, 0x0, 0x10000}, &(0x7f0000002780)={0x78, 0x0, 0x9, {0x3, 0x0, 0x0, {0x6, 0x0, 0xfffffffffffff20d, 0xfffffffffffffff8, 0x1, 0x3ff, 0x5, 0x9, 0x726, 0x1000, 0x6, r7, 0xee01, 0x7, 0x7}}}, &(0x7f00000028c0)={0x90, 0x0, 0x3, {0x2, 0x2, 0x100000000, 0x61a26b8d, 0x6, 0x2, {0x1, 0x3, 0x1, 0x100000000, 0x3, 0x8f, 0x4, 0x1ff, 0x849, 0x1000, 0x7, r8, 0xffffffffffffffff, 0x5, 0x1f}}}, &(0x7f0000002980)={0x130, 0x0, 0xa00000000000, [{0x4, 0x1, 0x6, 0x9, '\x01\x01\x01\x01\x01\x01'}, {0x6, 0x1, 0x5, 0xfffffffe, '\xaa\xaa\xaa\xaa\xaa'}, {0x1, 0x1ff, 0x3, 0x7, '{#-'}, {0x5, 0x0, 0x2, 0x761, '[#'}, {0x3, 0x0, 0x2, 0x6, '#]'}, {0x1, 0x714, 0x5, 0x3, '*^\\^b'}, {0x5, 0xeb68, 0x4, 0xfffffa80, '--$-'}, {0x6, 0xfffffffffffffeff, 0x1, 0x1, '-'}, {0x1, 0x8, 0x3, 0xf2, '!\\{'}]}, &(0x7f0000004c40)={0xb0, 0x0, 0xcf, [{{0x1, 0x1, 0x3, 0x100000000, 0x4, 0x81, {0x5, 0x7f, 0x5, 0x6, 0xffff, 0x3, 0x1f, 0x3, 0x8, 0xc000, 0xf5c8, r10, r11, 0x2, 0x9}}, {0x4, 0x80, 0x5, 0x2, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000004e40)={0xa0, 0x0, 0x400, {{0x6, 0x2, 0x400, 0x7, 0x4, 0x9, {0x4, 0x1000, 0xffff, 0x6, 0x1, 0xffff, 0x65f, 0x647c2b8f, 0x400, 0x8000, 0x8, r12, r13, 0x3, 0x6b}}, {0x0, 0xd}}}, &(0x7f0000004f00)={0x20, 0x0, 0x800, {0x0, 0x0, 0x10001}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004f80), r5) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r14 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x343, &(0x7f0000004fc0)={0x0, 0x5004, 0x0, 0x1, 0x1de, 0x0, r14}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000005040)=0x0, &(0x7f0000005080)=0x0) r17 = openat$uinput(0xffffff9c, &(0x7f00000050c0), 0x2, 0x0) r18 = 
openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000005100), 0x488200, 0x0) syz_io_uring_submit(r15, r16, &(0x7f0000005140)=@IORING_OP_SPLICE={0x1e, 0x3, 0x0, @fd=r14, 0x200, {0x0, r17}, 0x6, 0x1, 0x0, {0x0, 0x0, r18}}, 0x3dd1) r19 = openat$keychord(0xffffff9c, &(0x7f0000005180), 0x171000, 0x0) r20 = openat$ubi_ctrl(0xffffff9c, &(0x7f00000051c0), 0x10400, 0x0) syz_kvm_setup_cpu$arm64(r19, r20, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005240)=[{0x0, &(0x7f0000005200)="4623d8a4ce0217c9e59555c166890679e3e0c1940df5b9fcbf91649ef54d80f0c8bcc80e36b5574c4bc9f943401854f56aa2", 0x32}], 0x1, 0x0, &(0x7f0000005280)=[@featur2], 0x1) r21 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x8000, r18, 0x0) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000052c0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005300), &(0x7f0000005340)='./file0\x00', 0xfd, 0x2, &(0x7f0000005540)=[{&(0x7f0000005380)="873519f25df082b371ba5b45adb5709c00805747c37fe044064595cd4728bf8980302b25b4b083b42b41336e130f1b6ff0a2f172498e522b4fe5826eababf53a9852f93ebeb841e1645f32936127029d68fe73eced89c1b93587012a47c42a583d6975592b3f2cdf4337fc6d5e85e5f5835fafe095935ec90484e9081aa8d22498431301baad4a34368c26c64d85326c7e00682178f8d13e6a8969f15b9d5dbcfec2c0e69680c3928ca015b92e25f5078de354fe32cc7121609a0762e1b73efd8967a2fe235e4d1ef9e5ac88bc1ed706a984641b06470b2294d045ce7eba51c0728938a2c6eeb6d8574429cc24bcb2a784", 0xf1, 0x40}, {&(0x7f0000005480)="62935bfe26e9c9f2dc3c3e9dfb491858efb598369bcca51923989ba943cf447baf56625df0f685ed2d034b37c07563f668728f6dc6833609b1221970e55088869d29c01b2dd05c4820b08042b5074008c9757712c480e25d89b9c48e957e5b5c7b0beccfb1fcccedbcedc83806038075fc2a0f8228beb47f1fece09bddcbbe0021abe9c3d198369b81b67dbd6a7d334b8d28b802cc97d934c164e97d9d7b70dc6c", 0xa1, 0x1ff}], 0x8800, &(0x7f0000005580)={[{'\xaa\xaa\xaa\xaa\xaa'}, {}, {':&-]!'}, {'}'}, {',-V'}, {'\\*})'}, {'*^\\^b'}], [{@appraise}, {@fowner_lt={'fowner<', r8}}, {@smackfshat={'smackfshat', 0x3d, 
'\xaa\xaa\xaa\xaa\xaa'}}, {@obj_type={'obj_type', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@dont_appraise}, {@dont_measure}, {@fowner_lt={'fowner<', r9}}, {@dont_appraise}]}) syz_open_dev$I2C(&(0x7f0000005640), 0x40, 0x300) syz_open_procfs(r6, &(0x7f0000005680)='net/if_inet6\x00') syz_open_pts(r19, 0x800) syz_read_part_table(0x9, 0x9, &(0x7f0000006c40)=[{&(0x7f00000056c0)="", 0x1000, 0x8001}, {&(0x7f00000066c0)="31e3c3fa6d99", 0x6, 0x3ff}, {&(0x7f0000006700)="39de863b7148208e432fcddbd9e9148e716c1b48a3967c870c70145d90ed681b3f8bce849fee7f50091570854e20103723e56454e711543f6e2be92c34090d8cc792260be9b960c1e4", 0x49, 0x9}, {&(0x7f0000006780)="17fad571f80fecd34a59bc03f6c02bbd6d56cd8d958924b4ae4189b88b85897efd4e596e1118bb0c771c2c5ba37ded06d78111390c1c80cf6ea9df8727f88559815ed76b36fa13fb4d08e1ccdad7973b5bec5655a74a671fde99ee92397c56d409dadb10c4c37ee92cb41d03ae6fb164e7f86985039128d38be83b5e16c35ee34eb2b8396c5348028781a0a879f88159740ab89705d637bedafa915f195a152597fa0d7da9b76476602c6eeefca1e80a6d3d0ed1a75b00f7a5e153dd851e2301c8daa7d49b4ad91c62d1a6967f54cf9621c240ed587192f69959e05407850ce3831c4e811e6fff1cdf93cfabde887358316881845356d7", 0xf7, 0x26}, {&(0x7f0000006880)="c286968e2238742a47e0e8d444a6a661b7708222f4eddab97a749dcebe2cc83a314b828795f915a36d873b714aef15ddb1b4f62f06800bbe85eaebcb76abe944719249ee7927c88e78a968e93f45c52013ef97ef6f989b1d1cd30fff88677962c8f3052ad0a4631e4e750ba80f3753916c2dffc6a4023cdb62a1b5f2afbb965b2f78c5dd47af90b002da1a26a24fcb99bf81fb29574a2f98107a7937639873b95f4a569a0406cc358b46efae587e9008be69d711ae202c22e29a2f615fd23dcf", 0xc0}, {&(0x7f0000006940)="97fc4dd9db673e16fd0f0eb9a4a26e2a49f42e1616190b0634dfd6135145f4e451bbbad56dadf266964eba7d1007c0a23f8cf03d4f8fe09a7989152b7cf2ec30f2693a06befdf023d79f48c208d742c7b75915bcc1be583517ced3b826b97075e62a8ed12dbb264807c6ffd0227614491fb9de0d8a925a2638c31608de405bbf79e96f171fd58338b1d6979d33a7dae8ad62f2ba53fefc3c", 0x98, 0x20}, 
{&(0x7f0000006a00)="77d8d606bfb424e7b995809ab4f559115fd82e972d98b651dfc69b10df600fb4f78efd586f9cc26edc41b1d2fac87efe59e262411f27a94cf796ed31236b457ca0f147530efbd4cfa6b6a0fee46c25abcf7ad8282aae5299e299799cd52d0a58d7ff9dddd0103724c88da92dbefab6248038abef9ec52264afc74825f7ea70b2ca95d6900f9b647a3f986e18287cb2bf4b4c19efc8c218fd905c3727c86c37026bfbde3af078eb07b798e6d3d8f2e4d5d3bc188cdd20f2ebb1461c5e53b05f2989ffac3b168dee56da0fc011974c660e400ae2d8b2c80acb231581ee91763129b2888aeb12", 0xe5, 0x800}, {&(0x7f0000006b00)="560c1bea71b0f97244fa386d26bf6b1b04308e4bc7fffa", 0x17, 0x80000001}, {&(0x7f0000006b40)="14e55a14a7953387ee55333c1d1694ca98c7999b49788642766805d6f5a290eb1e959ee35a740459e13300262f2af9c357f7a8c1cba187e448bc3c8f865cc9be88624fb0f0d0bb885d9cc2abe171a2478a7420db22e8607e3fbec7e2601d9e11086cfa8cf14d99676b679d8d6bf1dd4faab8fe9a5f4e3f695fe2e6abf09f702683802d44cc3a298255c4c59533731ff5b23e053afb716d58cad667686ee647f48e199c9b5c3d0d2d470f2ce1c5b8b5708ae023ad9880caf31d01f96aebbfcc7df95358a016c5471cc2ce2ced6105057c9d22c8167890ca19", 0xd8, 0x400}]) syz_usb_connect(0x2, 0x6c6, &(0x7f0000006cc0)={{0x12, 0x1, 0x200, 0x62, 0xa5, 0xbe, 0x10, 0x2833, 0x211, 0x37a4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6b4, 0x1, 0x20, 0x0, 0xa0, 0x1, [{{0x9, 0x4, 0xdf, 0x0, 0x10, 0xff, 0x1, 0x0, 0x5, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x1, 0x1}]}, @cdc_ecm={{0x9, 0x24, 0x6, 0x0, 0x0, "fd506508"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x40000000, 0x8, 0x4cc5, 0x7f}, [@network_terminal={0x7, 0x24, 0xa, 0x8, 0x3f, 0x0, 0x81}, @country_functional={0x10, 0x24, 0x7, 0x80, 0x5, [0x44, 0x2, 0x800, 0x101, 0x4]}, @acm={0x4, 0x24, 0x2, 0x4}, @mbim_extended={0x8, 0x24, 0x1c, 0x0, 0xc0, 0x5325}, @ncm={0x6, 0x24, 0x1a, 0x7f}]}], [{{0x9, 0x5, 0x5, 0x0, 0xa716c6d63b98b5a2, 0x6, 0x0, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xe9, 0xf000}]}}, {{0x9, 0x5, 0xe, 0x2, 0x200, 0x8, 0x7, 0x40}}, {{0x9, 0x5, 0x0, 0x10605a5c87a92a7e, 0x200, 0x8, 0x3, 0x1, [@generic={0x9b, 0x21, 
"f2ef0a5c069cdb319138e185061d7e196ae94e535d80f27666fba23b374325f15dc5f20812fe05b0620f6ffcb81003b1f39c5dcd1bff14e2bbeb387335a3534f5adb60ffc4f28595c8f992f77fd5f67a04842b9c4364e3556be9bacb8fd56ed77859291153f6c566026363bfa5f2e6ff2fa6d29317f2d562445364939915a75dd7365f6ab9c15ddbc7c3a45f7eb98fd1fea3551bbd46f20a87"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x3ff, 0x1, 0x20, 0xef, [@generic={0xec, 0x6, "f642246a5372991db97e5824a410e28300d3bd153638f6dac6e1189a0c560a0a0e5f8b15e07879ac95016515202646a7b5b5fc74b7cd40d515b2849d8c1dd9ae4fca16c2e6cf0e8a20ce54f05fa123c019208cb34b5ee561c274ea40a7b34e5813a4a29be40817eb1f7b3e9bef60f7c56657481236b93e2c297f17c776b98f1d0c8f2a56447766c7288ba6b1e385b84a516a98ab729ba70e31fee3aab101d590a4481ae5856326c6825b73c7ae7d3b99cb3c59db31a12726234b900584e8db779352188d12c932d4aacb59eef33d33b9550510cf2b49da747e031c83117b511a1bb93ed76c716e6a0254"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x40}]}}, {{0x9, 0x5, 0x1, 0x0, 0x100, 0xfe, 0x8, 0x37, [@generic={0xe9, 0x23, "1a0e3542857d49ea63b7261ebfc19f14272e284d2665d2795e43f6f9ca62776c9ee52d991879d7d67b4d8b270fd51598beac1c0339b2257ad68c1dde54885ae2d219b87cde159a9897c88bda26e08a3691055022739c1fe64adb98639dc25421c449cf364800c4c365062f2488e6901e56e62f4b703eae7af26298a1eee1bfe62d9b2ae35320ae2baf174e94ff55321097be81e0279f5d0aa84dd18ca0864d98d0edbbeaa19ddf3626fd83a2e2b5f676a734d4784b3c6877fd1bb3c9543df7abda9bd9c9be405949747e21073c18957fff0eaac0273cfd3f702cb65597949a172726f7e459536c"}, @generic={0x18, 0x10, "a0289017f3f433f11059489a61115823e1138ae84a34"}]}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0x67, 0x3, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x80, 0x2e6}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x48, 0x35, 0x8, [@generic={0xe5, 0x5, 
"30efe9c1a6e5c89c2031214c60fbbeaa4578091e38009c761d15774802934cfd36355b3518ccfe59fa5e7ccee3c13ac4affbe073e0e788c9b5e32216efbf02e35869d7b233a389f812bfd849433c328466eda5e0e3237529cdc65e4eee743d31ffc186a1fe794bdf1364f31eaeff39829e8f6144850d7470cc71572d1f2f23dccdbcdd99e4930de7edbf59b338db3490305fd7710257980b7f76b8daeacb2ad618131fb9b5a3e026c9ddbd69483cd794caad29f2e3b63124a952b462de0cd951d7efd9b3b29107b641417e7783d90159137fa5273a95e0cc46c97c2246e611acb14b4d"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x8, 0x0, 0x33, 0x9}}, {{0x9, 0x5, 0x2, 0xc, 0x400, 0xed, 0x7, 0x9, [@generic={0x84, 0x31, "ee4cd219154df491c4d32aa32112cff407511b06b17f743409ecc216c31e92cefa2b5cc59e634d7aeba2c9e5e36d8efadc0255172518f909b4e1a7daf4d988b1eeaf196c76ee902b657d12fc23c21e176cd149e98a8d8d5755b74fed1a4284bcfd6e6961951ff8216f7bb42f790edd539c1bc5bbac44f767a685c57cbbdec830c52c"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x1, 0xfe01}]}}, {{0x9, 0x5, 0x3, 0x0, 0x40, 0x2, 0x5, 0x3}}, {{0x9, 0x5, 0x0, 0x0, 0x400, 0x0, 0x2f, 0x4}}, {{0x9, 0x5, 0x8f, 0x8, 0x8, 0x81, 0x1, 0x7f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xfb}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0x40, 0x76, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x31, 0x8}]}}, {{0x9, 0x5, 0xf, 0x10, 0x3ff, 0x6, 0xb2, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x80, 0x6}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x6, 0xca, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x10, 0x400, 0x1, 0xfc, 0x4, [@generic={0xd4, 0x21, "28a1dfa1d28f9ae60d0a8e9e3c512db35369d479fa6e6aa099e267e1ced77ca2e180b429779023a872b0ef8807e11f8b8b21b811d4fe5527335ce86e3a95cdf960d1e79e88c276c174d183d2f3bc0862dd7e1d29ac589ceb22024e25a44c3e8123581d1448fd2db5332fe41c23f9aa959564f32db1da14610415ddc293dc57c9d6c775d22151bdab236a5a73592e5518055728ae819e25c080cbb9bf0203b6639b8fd8d716d9c571d6b260ea297733d53c3a05449b9b9221d0f402610c9837189f9c6ab3baaf031d48692690c9981cee1426"}, @generic={0xc3, 0x6, 
"60ed98576fbbbee3db67d535ea7e1a19d92d689e2f03308a615a5641e72e694d996f76c1111c88c507c39a87f34a3682dafbfe583b79f5b950a30614162c605f7e6c5d452b4f84a145f20bf4470ddf43f06c415dc6c41551fd458ba6aedf57d74cb85a25e43324814b62c3be4108b1ea5b9dd22a78a45cdf5d8f27c11f35026bf7ef10c7d1f0615fe1c44a302a84d88b8d6c2d85049c9f48a04b4e61801c017f609b673fc8290f7362a0ed35882a335b657f835fce8e20100cde82c1a3dc180611"}]}}]}}]}}]}}, &(0x7f0000007740)={0xa, &(0x7f00000073c0)={0xa, 0x6, 0x310, 0x5, 0x80, 0xff, 0xbf, 0x5}, 0x5, &(0x7f0000007400)={0x5, 0xf, 0x5}, 0x5, [{0xa8, &(0x7f0000007440)=@string={0xa8, 0x3, "0584bddc149671f9e6c6cd123b796cafe2eb5d2bd3cf65e3eb0f3a601aba7164713d4042653f2cca182207d4e7ffa8bc71e705aa48bcff03fddd2e3e6bebe11cb61f95faf14afdf29440021e851fb682aa24e624e833952db6d1f96aa7edfc74ce501359694c7583eb5e48dfe227d2105d5e3d2359e3c728a48adff09b1132f928893ceefae67700983be1ca94e818e7a1463c802f1fc2a72d40900933403d7b255a35d9dc33"}}, {0x4, &(0x7f0000007500)=@lang_id={0x4, 0x3, 0x42c}}, {0xf4, &(0x7f0000007540)=@string={0xf4, 0x3, "1c537117dc720af3ccf108687c86cb544bc885379e435dbb861bc9a01550592e6008ae94a1f98317ad9cd804016b079b5ec294dcaf4537cf5b68c3c4353754caf369ba34101cbd21926b15cef67ab63ead40abfbef867b372fe2781866f87a2dccf98ffe66531c1d5021406c69ce84b439130cac71f52564b7c8fa621d71d5ff001517593f059da0cb82f1fd5e327df9abec4946e34e20d3f1df8f4a0422f9bb538949b4a14d1b3afd6793e81d3ba596d16d8cee0e700314e531e602fe5cb832b22c7a2f9f36f39d053876478157d541e8c0977a9acaf691f1234f665d234f82ee90ff8982d9c1371a15ddc8ed2392dd5a96"}}, {0x98, &(0x7f0000007640)=@string={0x98, 0x3, "078cbefd67796b8d00c6a027e5d07bc3b00756acafb9096e3e381a99fdbe8a5161ca19a9628d61baefd6972b48f5e04b0fa6e2b99cca8df5b50dbd97d656c02f8583a58ce8cbd35c69fb3f86de0ddac90f5be8d4f04a3ad4f31293b509959139bea0f3067d0ebfa3c5b210e1993078b0ae929561fc7734869b3dd8d812c00a3035236166a31227ae291e696ab4f81f4e3f02d6b2f334"}}, {0x4, &(0x7f0000007700)=@lang_id={0x4, 0x3, 0x43e}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007780)={{0x12, 0x1, 0x200, 0xff, 
0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f00000079c0)={0x18, &(0x7f0000007800)={0x20, 0x11, 0xb7, {0xb7, 0x9, "72f591ba5c694f16a4d92075ef3ec8bc46920954799ec8d3c0308f3b4779da6e18e9824a86746d013a399afc7f6fceb6c37f7f131c71ebc001f666ea63ed3ade132009735a546622f9e639d481c967cc7b5b747cc5e62fdc41bbb4bb95878a442cc49111c0f57886f17077a1b4b22e3cf28eecb798feed6f168dd9cc2646f8b79ed41bba94de9e304fc845179a7321f04784aa917ba08405b0a95b8303d914ef8e374780dd8e3437c95c35764cd063e7a3ec6d790b"}}, &(0x7f00000078c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x813}}, &(0x7f0000007900)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x18, 0x8, 0x0, 0x3}]}}, &(0x7f0000007940)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7, 0x80, 0x6, 0xe0, "8402487c", "8056a3ff"}}, &(0x7f0000007980)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xa7, 0x2, 0x7d, 0x0, 0x80, 0x7, 0x6}}}, &(0x7f0000007e80)={0x44, &(0x7f0000007a00)={0x40, 0x10, 0x8c, "21b83825059f24506d8e842085d1f2e7f964471b20ed0a8e50a9aa4ef16b5a6f2dbb2b570a4f8d13d60e47bb7821ff912111dee40a78d42b4d13ea812d929ccf3964c5468f89d2d21630ec87067a2d13f45238b446bf57c6b9ec35578fa587fc77fe2108b1590be081681ccc024f1f590be9e5bec9ea86b9803c60299dda1a82f8ff04428671a43bc2c3393a"}, &(0x7f0000007ac0)={0x0, 0xa, 0x1, 0x4}, &(0x7f0000007b00)={0x0, 0x8, 0x1, 0xfb}, &(0x7f0000007b40)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000007b80)={0x20, 0x0, 0x4, {0x140, 0x20}}, &(0x7f0000007bc0)={0x40, 0x7, 0x2, 0x3ff}, &(0x7f0000007c00)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000007c40)={0x40, 0xb, 0x2, "8a02"}, &(0x7f0000007c80)={0x40, 0xf, 0x2, 0x321a}, &(0x7f0000007cc0)={0x40, 0x13, 0x6, @link_local}, &(0x7f0000007d00)={0x40, 0x17, 0x6, @random="b0fe281fa391"}, &(0x7f0000007d40)={0x40, 0x19, 0x2, '#7'}, &(0x7f0000007d80)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000007dc0)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007e00)={0x40, 0x1e, 0x1, 0x6}, &(0x7f0000007e40)={0x40, 0x21, 0x1, 0x9e}}) r23 = syz_usb_connect$cdc_ecm(0x2, 0x5f, 
&(0x7f0000007f00)={{0x12, 0x1, 0x70, 0x2, 0x0, 0x0, 0x50, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4d, 0x1, 0x1, 0x2, 0x70, 0x40, [{{0x9, 0x4, 0x0, 0xc4, 0x3, 0x2, 0x6, 0x0, 0xe1, {{0x8, 0x24, 0x6, 0x0, 0x0, 'W?s'}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x200, 0x0, 0x200, 0x3}, [@ncm={0x6, 0x24, 0x1a, 0x1000}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x3f, 0x0, 0xd8}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0xff, 0xec, 0x5}}, {{0x9, 0x5, 0x3, 0x2, 0x3cf, 0x81, 0x39, 0x5}}}}}]}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f80)={0xa, 0x6, 0x0, 0x2, 0x20, 0x77, 0xff, 0x2f}, 0x5, &(0x7f0000007fc0)={0x5, 0xf, 0x5}, 0x5, [{0x69, &(0x7f0000008000)=@string={0x69, 0x3, "d25a9c8f1452a3c6ffbfeca8eb777935b58c9b7406775086fff717b54f05ac59f94517ff3cd6f3101dbfa79bb82ae31b1d316d08a71d14fc2c1cfa8c893068bde2bb830ae91fc94288cc232aaac0e64b84007b0e7536c3ec34edef04ded93421a377e0695326aa"}}, {0xac, &(0x7f0000008080)=@string={0xac, 0x3, "7360609ce8300ae4623308d5f8b97bfd50d3d863408b8ea401c86da9d42ce5f3867ce8d721fb2ab5c25f6b4c5e85f5eaf341bd514a16c2dfe3c7a1d7f427ae62c0bff379e84d56637ec1377b8c8ad5b55b099cfaa4a7a6eeb0589f81e7a43300eff53354e1b2bdcdc34d7945d63562e48d5ed93bef75fd0160fcd7c3a6be7f0c642bb6e561e35a1c73110bdcded7699865e25eb238cf8f3b10ad3c10488028c37063c8862f907b06829e"}}, {0x4, &(0x7f0000008140)=@lang_id={0x4, 0x3, 0x81a}}, {0x4, &(0x7f0000008180)=@lang_id={0x4, 0x3, 0x180a}}, {0xb9, &(0x7f00000081c0)=@string={0xb9, 0x3, "37efeb854b4051a46c67aee7eaa0f62fde9f599cd5ba25329d50aee16b30c6c1a514831081afc1dfd2682ff48716a91bf95e084212b0696d43e1c6c43adaf9ed3ef70e62735994d2d0865139604988fac17978d9c05a84f3423831dd1dddc6c94d50ddd674f16525bbf9a8db3bb49001be38a19670abd99f4a2e97cfb20d46c637832a3ec97ff094c6a3304964b72bcf116bf27fedd5521ad3da226297fff849c33c5d849e3e3037527901eef63a599baa54fc46a46ff1"}}]}) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ecm(0x3, 0xc5, &(0x7f00000082c0)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xb3, 0x1, 0x1, 0x6, 
0x28, 0xff, [{{0x9, 0x4, 0x0, 0x9, 0x2, 0x2, 0x6, 0x0, 0x4, {{0x6, 0x24, 0x6, 0x0, 0x0, "b1"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9208, 0x2, 0x0, 0x20}, [@mdlm_detail={0x5e, 0x24, 0x13, 0x7, "63b0b95377147ba214d950fc04b22c04be09d9b96f1ab94bb02e8a2a9e23cf7d3acab22a80ed350ec4b17806edcb169e5075373d991780211392eb3d9f1173a539843bf2c3f66a4a6960a55a2207767db3c55a7dd2898b5ccb40"}, @mbim={0xc, 0x24, 0x1b, 0x2a, 0x100, 0xe0, 0x76, 0x0, 0xff}, @acm={0x4, 0x24, 0x2, 0xa}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x73, 0x35, 0x3f}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0x3, 0x1, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x40, 0x2}}}}}]}}]}}, &(0x7f00000087c0)={0xa, &(0x7f00000083c0)={0xa, 0x6, 0x201, 0x79, 0x3, 0x3f, 0x20, 0x6}, 0x37, &(0x7f0000008400)={0x5, 0xf, 0x37, 0x5, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0xa, 0x6, 0x5}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x1, 0x9, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0xa737ee064a5fddc9, 0x7, 0x7, 0x0, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x0, 0x6, 0x6}, @ssp_cap={0x10, 0x10, 0xa, 0x1, 0x1, 0x8001, 0xf00f, 0xfffd, [0x3fc0]}]}, 0x9, [{0x4f, &(0x7f0000008440)=@string={0x4f, 0x3, "c0663b116dab9ba5c0a2f7a2ad486ffc164a4365899565c5e99b015239f378df56db4dc3b0bb08dcd208d958fa3cf08097aa208b2d2865b502cbc94b1a8e33bdd9d6481fbf32d4913422fe189f"}}, {0x85, &(0x7f00000084c0)=@string={0x85, 0x3, "c9c487a90be3d40ef782373d785f86bdfc3db6fb0dd0a7440b2fe4595c3a6bd67aa8518d897a8a757d5f1ceb86e598cabf2345f771c3c7128bd16dd4b1ee9b7dbcaf611e97f6dcb9f171e8f7052b0f33e631bfe99ddc4413e5e5d7b634dcc3b77e4d301f89a8d3b851b02306cabec211127a8e541d162636588ff574de82de8f307d43"}}, {0x4, &(0x7f0000008580)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f00000085c0)=@lang_id={0x4}}, {0xaa, &(0x7f0000008600)=@string={0xaa, 0x3, 
"ce395e8e9f409a37daeb1c20be9ca4004ae810cf1653eccd6e663dd74f8bc06989b4d1a65c9f480bd37e9dd85349f298ddaddc2cc9e4eda147f231402e116fb594a63718d821d885ebd67eda451558b1fba3093ecbd40cbe5fbe07f94ed927d8e5039a7c497aa8d1f10a4ddac049ad820f8c532c5a3f00947955032423922e95aa5bfee041f7fe8744ecc4424057eec97040b341d0dddcaf206da6431e987f04cfd55802cad3a114"}}, {0x4, &(0x7f00000086c0)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000008700)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000008740)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000008780)=@lang_id={0x4, 0x3, 0x1c}}]}) syz_usb_ep_read(r24, 0x8, 0x7d, &(0x7f0000008840)=""/125) r25 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f00000088c0)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x10, 0x56a, 0x62, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0xf0, 0x8e, [{{0x9, 0x4, 0x0, 0x5, 0x1, 0x3, 0x1, 0x2, 0x0, {0x9, 0x21, 0x3, 0xf, 0x1, {0x22, 0xa21}}, {{{0x9, 0x5, 0x81, 0x3, 0x3af, 0x1, 0x40, 0x2}}, [{{0x9, 0x5, 0x2, 0x3, 0x10, 0x6, 0x1, 0x9}}]}}}]}}]}}, &(0x7f0000008c00)={0xa, &(0x7f0000008900)={0xa, 0x6, 0x250, 0x3, 0x1, 0x46, 0xff, 0x20}, 0x34, &(0x7f0000008940)={0x5, 0xf, 0x34, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0xfa, 0x8, 0x80, 0x5, 0x3}, @ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x9, 0xf00f, 0x0, [0xffc00f, 0xff00c0, 0x101ffc0, 0xff0030, 0x30, 0x30]}]}, 0x4, [{0xed, &(0x7f0000008980)=@string={0xed, 0x3, "e7db914ef4a71a3aba443ee181c272e7fbb63648a997754b81a1938f52b9fd8c2b76ca28ee1fcba280021fbe02ffa03ea753f2d51b71f1cb9391ea31faabf8ed37a9853b87eebaa0a1269696e65e309ea4bf7755ff1b99280fd68230d7d899d097e16ee0b224de57339439c80ad7fbf8bbf32aa00e29802bde1c8c5e6228fa0a54c8350ef997112f763e17428fb8e95a56689595f30a3c16151809b0c6b1d4d4766510c6f066fe4b35a3ea90d388d1b4d4e9c6b30971e237e23fd205f9905ee7d79f4443707adc7f65ce2b15994daac7b954353fb23201844122710531879c6291c7dfbf6be454b9cf2f2e"}}, {0x4, &(0x7f0000008a80)=@lang_id={0x4, 0x3, 0x410}}, {0x64, &(0x7f0000008ac0)=@string={0x64, 0x3, 
"041c8b1bd143ea1d63829b769ddb886a6aafeedd5f652bc948677c9a6e3acfe04a1519053f95e5fcf79b085362cdac6abbf8f13781a621885257052b120045da2c494a30bc6ae6c4160cf497002af8b77e21689324bd6e75aceda7cf6a50920b2ab1"}}, {0x87, &(0x7f0000008b40)=@string={0x87, 0x3, "150837b1e69e5007398ac02c4a0b25072daa81a64af10bcdc5736333f49c921f86d9cbc6b778f1d21679d847d5b8a9b70fc56bb5a433040afd94377b2515a55cda70db64442adae0905aa90f911d3beef800ab6fd87a5c51fda8faa750d195c2e657249781c6af0523e0492f9a69e227e10ca0310f1a010f8b986a9a0553a5331f9754fc90"}}]}) syz_usb_ep_write(r25, 0x7, 0x72, &(0x7f0000008c40)="a6908c5530814d6a6bfd6d6c7594d4af8a4962d882da657bb402c7d0ae4535168160dbf67b82f223d577b0e16e6ac3c46a4015a6ed7c4fa65d1dbaa268b748dec46774eca92247969449a9f59e9edde4d37e7bd17882eb005e24fe43f57654000eadec3f1de9917eb28c2a877182c47b556d") syz_usbip_server_init(0x4) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 
0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); 
if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == 
reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* 
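interface_name, int on)
{
	// Sets (on != 0) or clears (on == 0) IFF_UP on the named interface with
	// SIOCGIFFLAGS / SIOCSIFFLAGS on a temporary AF_INET datagram socket.
	// Returns 0 on success and -1 on any failure.
	struct ifreq ifr;

	// ifr_name is a fixed-size array. Refuse a name that does not fit together
	// with its terminating NUL instead of copying past the end of the field.
	size_t name_len = strlen(interface_name);
	if (name_len >= sizeof(ifr.ifr_name)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		return -1;
	}
	memset(&ifr, 0, sizeof(ifr));
	memcpy(ifr.ifr_name, interface_name, name_len + 1);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Builds and sends NL80211_CMD_SET_INTERFACE for `ifindex`, requesting
// interface type `iftype`. Returns the result of netlink_send().
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	return netlink_send(nlmsg, sock);
}

// Builds and sends NL80211_CMD_JOIN_IBSS for `ifindex` from *props.
// SSID and frequency are always included; the MAC attribute is added only if
// props->mac is set, and the fixed-frequency flag only if
// props->wiphy_freq_fixed is true. Returns the result of netlink_send().
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	// props->ssid_len is handed to netlink_attr() unchanged as the number of
	// bytes to copy from props->ssid; no length limit is applied here.
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	return netlink_send(nlmsg, sock);
}

// Queries the link identified by `ifindex` over a temporary NETLINK_ROUTE
// socket (RTM_GETLINK) and returns the IFLA_OPERSTATE attribute of the reply,
// or -1 if the request fails or the attribute is missing.
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return -1;
	}
	netlink_init(nlmsg, RTM_GETLINK, 0, &info,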
sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + 
CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
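sq_ring_sz : cq_ring_sz;
	// NOTE(review): neither mmap() result below is compared with MAP_FAILED
	// before it is stored through the caller-supplied output pointers.
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Copies one SIZEOF_IO_URING_SQE-byte entry from a2 into slot a3 of the SQE
// array at a1 (the index is reduced modulo the ring's entry count when that
// count is non-zero), records the slot in the SQ index array at the current
// tail position and publishes tail + 1 with a release store.
// a0 is the ring mapping; all offsets into it are the fixed *_OFFSET constants
// defined above. Always returns 0.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ index array is located behind the CQE array, rounded up to 64 bytes.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

// Creates a UNIX stream socket pair, attaches one end to a vhci_hcd port by
// writing "<port> <fd> 0 <speed>" to the vhci_hcd.0 attach file, and returns
// the other end. Ports are handed out from a per-speed-class counter
// (index 1 for USB_SPEED_SUPER, index 0 otherwise) offset by procid.
// Returns -1 once the counter has run past the limit; exits if socketpair()
// fails. The result of the attach write is not checked.
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		exit(1);
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	// NOTE(review): this accepts available_port_num == VHCI_HC_PORTS, i.e.
	// VHCI_HC_PORTS + 1 allocations per speed class; confirm whether `>=`
	// was intended.
	if (available_port_num > VHCI_HC_PORTS) {
		// Nothing was attached, so neither end of the pair is needed:
		// close both instead of leaking two descriptors per call.
		close(client_fd);
		close(server_fd);
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	snprintf(buffer, sizeof(buffer), "%d %d %s %d", port_num, client_fd, "0", speed);
	// write_file() treats its second argument as a printf format; pass the
	// prepared text as data so that contract does not depend on its content.
	write_file("/sys/devices/platform/vhci_hcd.0/attach", "%s", buffer);
	return server_fd;
}

// Local copies of the BTF blob layout (cf. the kernel's uapi linux/btf.h).
#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer once and returns that
// buffer on every later call. Returns NULL if the file cannot be opened, a
// read fails, or the data fills the whole VMLINUX_MAX_SUPPORT_SIZE buffer.
// The descriptor is closed on every path; a failed attempt is not cached, so
// without the close each retry would leak another descriptor.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	bool complete = false;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		// A full buffer is treated as "file too large", same as a read error.
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			break;
		if (ret == 0) {
			complete = true;
			break;
		}
		bytes_read += ret;
	}
	close(fd);
	if (!complete)
		return NULL;
	is_read = true;
	return buf;
}

// Walks the type section of the vmlinux BTF blob and returns the 1-based
// index of the first type whose name equals the string at a0, or -1 if the
// blob is unavailable, has the wrong magic, or no type matches.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	// NOTE(review): hdr_len, type_off, str_off and type_len are taken from the
	// blob as-is; the number of bytes actually read is not available here, so
	// none of the derived pointers is checked against the end of the data.
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while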
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
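(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

// One caller-provided string descriptor: `len` bytes at `str`.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Optional caller-provided descriptors used while answering the control
// requests of the connect phase: device qualifier, BOS, and `strs_len`
// string descriptors.
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor ("syz") and language-ID descriptor (0x0409);
// the first byte of each is its own length.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Selects the reply for a standard GET_DESCRIPTOR request on ep0.
// On success stores the reply bytes in *response_data and their length in
// *response_length and returns true. Returns false if fd has no parsed
// descriptor index or the request is not one handled here (the caller in this
// file stalls ep0 in that case).
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	// Backing storage for a synthesized DEVICE_QUALIFIER reply. response_data
	// points at the caller's single `char*`, so the descriptor must not be
	// built through that pointer: it is larger than a pointer on 32-bit
	// targets and the caller dereferences *response_data afterwards.
	// Thread-local because the pointer is handed back to the calling thread.
	static __thread struct usb_qualifier_descriptor synth_qual;
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// The high byte of wValue selects the descriptor type.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// descs is optional (the STRING case above already
				// allows NULL); without it there is no BOS to return.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// No qualifier supplied: derive one from the
					// device descriptor.
					struct usb_qualifier_descriptor* qual = &synth_qual;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Handler type for OUT control requests during the connect phase. Returns
// true if the request is accepted; sets *done when the connect loop should
// stop.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts only standard SET_CONFIGURATION, which also
// ends the connect phase. fd and descs are not used.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: accepts standard SET_CONFIGURATION and the vendor
// firmware-download request without finishing, and ends the connect phase on
// the vendor firmware-download-complete request. fd and descs are not used.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// One descriptor reply, matched on request type and descriptor type.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

// Table of descriptor replies plus an optional generic fallback. `len` is the
// size of the whole table in bytes (lookup_control_response derives the entry
// count from it).
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

// One reply to a non-GET_DESCRIPTOR request, matched on request type and
// request code.
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct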
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
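USB_RAW_IOCTL_EVENT_FETCH, event);
}

// Thin wrappers around the raw-gadget ioctls. Each one issues a single ioctl
// on fd and returns its result unchanged.

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in the parsed interface table of the entry matching
// both bInterfaceNumber and bAlternateSetting, or -1 if fd has no parsed
// index or no entry matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the stored handle of the endpoint with the given address on the
// currently selected interface, or -1 if fd has no parsed index, no interface
// is selected, or the interface has no such endpoint.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	// Bound the scan by eps_num. Testing eps_num alone (without comparing it
	// to ep) never terminates on a miss and walks past eps[] whenever the
	// interface has at least one endpoint and none matches.
	for (int ep = 0; ep < iface->eps_num; ep++)
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	return -1;
}

// Switches fd to interface table entry n: disables the endpoints of the
// currently selected interface, then enables the endpoints of entry n and
// records the handles returned by the enable ioctl.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;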
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
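resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/*
 * syz_usb_ep_write: write up to a2 bytes from the buffer at a3 to endpoint a1
 * of descriptor a0.
 *
 * Returns -1 when lookup_endpoint() yields no handle, the negative result of
 * usb_raw_ep_write() when that call fails, and 0 otherwise.
 */
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	/* Clamp the caller-supplied length so the memcpy stays inside the on-stack buffer. */
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/*
 * syz_usb_ep_read: read up to a2 bytes from endpoint a1 of descriptor a0 into
 * the buffer at a3.
 *
 * Returns -1 when lookup_endpoint() yields no handle, the negative result of
 * usb_raw_ep_read() when that call fails, and 0 otherwise.
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	/* Clamp the requested length to the size of the on-stack buffer. */
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	/*
	 * NOTE(review): the copy uses the requested length, not rv. If rv is the
	 * number of bytes actually received (not visible here), the tail of the
	 * copy is uninitialised stack memory -- confirm against usb_raw_ep_read().
	 */
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

/* syz_usb_disconnect: close descriptor a0, wait 200 ms, and return close()'s result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * syz_open_dev: open a device node.
 *
 * When a0 is 0xc or 0xb the path is /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
 * (a1 and a2 truncated to 8 bits) and the node is opened O_RDWR. Otherwise a0
 * is treated as a pointer to a path template: every '#' is replaced by the
 * next decimal digit of a1 (least significant first) and the result is opened
 * with flags a2. Returns what open() returns.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		/* Bounded formatting, matching the snprintf() use in syz_open_procfs(). */
		snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		/* strncpy() does not terminate on truncation, so the last byte is set explicitly. */
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

/*
 * syz_open_procfs: open a procfs entry named by the string at a1.
 *
 * a0 == 0 selects /proc/self/, a0 == -1 selects /proc/thread-self/, any other
 * value selects /proc/self/task/<a0>/. The file is opened O_RDWR first and
 * O_RDONLY as a fallback. Returns the descriptor or -1.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/*
 * syz_open_pts: query the pty number of descriptor a0 with TIOCGPTN and open
 * /dev/pts/<n> with flags a1. Returns -1 when the ioctl fails.
 */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	/* Bounded formatting, matching the snprintf() use in syz_open_procfs(). */
	snprintf(buf, sizeof(buf), "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

/* syz_init_net_socket: thin wrapper that issues the socket syscall with the given arguments. */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	return syscall(__NR_socket, domain, type, proto);
}

/*
 * syz_genetlink_get_family_id: resolve the generic-netlink family named by the
 * string at `name`.
 *
 * A negative sock_arg makes the function open its own NETLINK_GENERIC socket,
 * pass dofail = true to netlink_query_family_id(), and close that socket
 * afterwards. Returns the family id, or -1 on any failure.
 */
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	/* Only a socket created above is closed; a caller-supplied one is left open. */
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

/* One piece of an image: `size` bytes at `data`, placed at byte `offset` of the image. */
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

/*
 * fs_image_segment_check: sanitise the segment table in place and return the
 * image size to allocate.
 *
 * For at most IMAGE_MAX_SEGMENTS entries, size is clamped to IMAGE_MAX_SIZE
 * and offset is reduced so that offset + size <= IMAGE_MAX_SIZE. The returned
 * size is grown to cover the end of every checked segment and capped at
 * IMAGE_MAX_SIZE.
 *
 * nsegs is passed by value: the clamp below does not reach the caller, which
 * has to apply the same cap before walking the table.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		/*
		 * The end of a segment is offset + size. The previous code added
		 * offset to itself, so the image size did not follow the segment
		 * length. The sum cannot overflow: the clamps above keep it at or
		 * below IMAGE_MAX_SIZE.
		 */
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

/*
 * setup_loop_device: build an in-memory image from the segment table and
 * attach it to the loop device `loopname`.
 *
 * On success stores the memfd and the loop descriptor through memfd_p and
 * loopfd_p and returns 0. On failure closes whatever was opened, sets errno
 * to the first error seen and returns -1.
 */
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	/*
	 * fs_image_segment_check() only clamps its own copy of nsegs. Apply the
	 * same cap here so the write loop below never reads table entries whose
	 * size and offset were not sanitised.
	 */
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	size = fs_image_segment_check(size, nsegs, segs);
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		/* Best effort: a segment that cannot be written is skipped without failing the setup. */
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		/* EBUSY: detach whatever is currently bound, wait 1 ms, and retry once. */
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

/*
 * syz_read_part_table: attach the image described by `segments` to
 * /dev/loop<procid>, set LO_FLAGS_PARTSCAN on it, and symlink every partition
 * node /dev/loop<procid>p1..p7 that exists to ./file0, ./file1, ...
 *
 * Returns 0 when the partition scan was requested successfully, otherwise -1
 * with errno set. The loop device is detached again before returning.
 */
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname,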
&statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			/* A failed symlink() is ignored; the loop moves on to the next partition. */
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	/* Shared exit path, also reached on success: detach the loop device and close both descriptors. */
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	close(memfd);
	errno = err;
	return res;
}

/*
 * syz_mount_image: mount a filesystem of type `fsarg` on directory `dir` with
 * the option string `optsarg`.
 *
 * When `segments` is non-NULL the image is first attached to /dev/loop<procid>
 * through setup_loop_device() and that device is the mount source; otherwise
 * the source passed to mount() is NULL. Returns a descriptor for the mounted
 * directory (O_RDONLY | O_DIRECTORY) or -1 with errno set.
 *
 * NOTE(review): mount_opts, target and fs are used without NULL checks --
 * presumably the harness guarantees valid pointers or handles the fault;
 * confirm against the caller.
 */
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
			return -1;
		source = loopname;
	}
	/* The result of mkdir() is not checked; the directory may already exist. */
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	/* Over-long option strings are not rejected; the branch is empty and the copy below truncates. */
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	/*
	 * Copy at most sizeof(opts) - 32 bytes into the zeroed buffer. The 32
	 * spare bytes hold the suffix appended with strcat() below plus the
	 * terminating NUL.
	 */
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		/* Appended when "errors=panic" is present or "errors=remount-ro" is absent. */
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
	}
error_clear_loop:
	/* Reached on success too: the loop descriptor and memfd are released in every case. */
	if (need_loop_device) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
		close(memfd);
	}
	errno = err;
	return res;
}

/* syz_kvm_setup_cpu: stub in this build; ignores all arguments and returns 0. */
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * remove_dir: recursively delete `dir`, detaching any mounts found on the way.
 *
 * Entries are examined with lstat(), so a symbolic link is unlinked rather
 * than followed. Any error that is not retried below ends the process with
 * exit(1).
 */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	/* Peel off every mount stacked on the directory before listing it. */
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				/*
				 * Clear all inode flags (FS_IOC_SETFLAGS with 0) and retry.
				 * NOTE(review): this `continue` skips the i > 100 check
				 * below, so the EPERM path has no retry bound here.
				 */
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			/* A read-only filesystem leaves the entry in place. */
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		/* Retries are limited to 100 attempts; after that every failure is fatal. */
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			/* New entries appeared after the listing: rescan, at most 100 times. */
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

/*
 * inject_fault: write `nth` in decimal to /proc/thread-self/fail-nth.
 *
 * Returns the open descriptor; it is not closed here, so releasing it is up
 * to the caller. Exits the process when the file cannot be opened or the
 * write is short.
 */
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

/*
 * kill_and_wait: SIGKILL the process group -pid and the process pid, then reap pid.
 *
 * Polls waitpid() up to 100 times at 1 ms intervals. If pid has still not been
 * reaped, writes to the abort file of every entry under
 * /sys/fs/fuse/connections and then waits without a timeout.
 */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			/* Local buffer named `abort`; it shadows the C library function of that name inside this scope. */
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			/* A single byte (the first byte of the path buffer) is written; a write error is ignored. */
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	/* Blocking wait with no timeout until pid itself has been reaped. */
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/* reset_loop: detach whatever is bound to /dev/loop<procid>; silently does nothing if the device cannot be opened. */
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

/*
 * setup_test: per-test process setup. Requests SIGKILL on parent death, makes
 * the process a group leader, and writes 1000 to /proc/self/oom_score_adj.
 */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

/*
 * setup_fault: write the fault-injection settings listed below under
 * /sys/kernel/debug. Only entries marked fatal end the process with exit(1)
 * when write_file() fails; failures on the others are ignored.
 */
static void setup_fault()
{
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				exit(1);
		}
	}
}

/* Smallest request buffer syz_fuse_handle_req() accepts. */
#define FUSE_MIN_READ_BUFFER 8192

/* Request opcodes dispatched on by syz_fuse_handle_req(). */
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

/* Header at the start of every request read from the FUSE descriptor. */
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

/* Header at the start of every reply written back. */
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

/* Caller-supplied reply templates, one pointer per reply kind; any of them may be NULL. */
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

/*
 * fuse_send_response: copy the request's `unique` id into the reply template
 * and write out_hdr->len bytes of it to fd.
 *
 * Returns -1 for a NULL template or a failed write, otherwise 0.
 *
 * NOTE(review): out_hdr->len comes from the template unchanged; nothing here
 * compares it with the size of the buffer out_hdr points to.
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

/*
 * syz_fuse_handle_req: read one request from descriptor a0 into the buffer at
 * a1 (length a2) and answer it with the matching template from the
 * syz_fuse_req_out at a3.
 *
 * Returns -1 when a3 is NULL, the buffer is smaller than FUSE_MIN_READ_BUFFER,
 * the read fails or is shorter than a request header, the header claims more
 * bytes than were read, or the opcode is not handled.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	/* The header fields are only read once a full header is known to be in the buffer. */
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case
FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		/*
		 * These opcodes are answered with a bare header, borrowed from the
		 * `init` template. NOTE(review): the length is overwritten in that
		 * shared template, so a later FUSE_INIT reply, which uses the same
		 * pointer, goes out with the shortened length -- confirm this reuse
		 * is intended.
		 */
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		/* No reply is written for these two opcodes. */
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	default:
		return -1;
	}
	/* A NULL template selected above is rejected inside fuse_send_response(). */
	return fuse_send_response(fd, in_hdr, out_hdr);
}

/* Netlink attribute ids used in the HWSIM_CMD_FRAME message built below. */
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3

/* Upper bound on the frame length accepted by syz_80211_inject_frame(). */
#define WIFI_MAX_INJECT_LEN 2048

/*
 * hwsim_register_socket: send a HWSIM_CMD_REGISTER generic-netlink message for
 * family `hwsim_family` on `sock`. Returns the result of netlink_send().
 */
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

/*
 * hwsim_inject_frame: send a HWSIM_CMD_FRAME message carrying `len` bytes of
 * `data`, addressed to the ETH_ALEN-byte receiver `mac_addr`, with the default
 * rx rate and signal values. Returns the result of netlink_send().
 *
 * `len` is not validated here; the visible caller bounds it before the call.
 */
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

/*
 * syz_80211_inject_frame: deliver the a2-byte frame at a1 to the receiver MAC
 * address at a0 through the MAC80211_HWSIM generic-netlink family.
 *
 * Returns -1 when the length is negative or above WIFI_MAX_INJECT_LEN, when
 * the socket cannot be created, or when registration or injection fails;
 * otherwise 0. The socket is closed on every path after it was opened.
 */
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	/* Reject out-of-range lengths before anything is sent. */
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	/* NOTE(review): the family id is used unchecked; presumably dofail = true makes the lookup abort on failure -- confirm. */
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32

/* Accepted values of the `mode` argument of syz_80211_join_ibss(). */
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

/*
 * syz_80211_join_ibss: configure the interface named by the string at a0 for
 * IBSS with the a2-byte SSID at a1, using mode a3.
 *
 * Returns -1 when the SSID length is outside 0..WIFI_MAX_SSID_LEN, the mode is
 * outside 0..WIFI_JOIN_IBSS_BG_NO_SCAN, the socket cannot be created, or the
 * setup fails. In WIFI_JOIN_IBSS_NO_SCAN mode it additionally waits for the
 * interface to reach IF_OPER_UP.
 */
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode ==
WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	/* Only the no-scan mode waits for the link to come up. */
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

/*
 * syz_execute_func: treat `text` as the address of a void(void) function and
 * call it. The bytes at that address come from the test program, so control
 * flow after the call depends entirely on them. Returns 0 if the call returns.
 */
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}

/* Worker slot: `call` is the index to run, `ready` and `done` hand work to and from the thread. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing on worker threads. */
static int running;

/*
 * thr: worker thread body. Waits for `ready`, runs the assigned call,
 * decrements `running` and signals `done`, forever; the trailing return is
 * never reached.
 */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/*
 * execute_one: run calls 0..52 of the program once.
 *
 * Each call is handed to the first worker whose `done` event is set; workers
 * are created lazily. The dispatcher then waits for that call with a timeout
 * of 50 ms plus a per-call extra, and moves on whether or not it finished. If
 * no worker is idle the call is skipped. Finally it waits up to about 100 ms
 * for outstanding calls to drain.
 */
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 53; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				/* A fresh worker starts out idle. */
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 38 ? 50 : 0) + (call == 43 ? 3000 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 300 : 0) + (call == 46 ? 3000 : 0) + (call == 47 ? 300 : 0) + (call == 48 ? 3000 : 0) + (call == 49 ? 300 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * loop: run the program repeatedly, one forked child per iteration.
 *
 * Each iteration creates the working directory ./<iter>, resets the loop
 * device, and forks. The child changes into the directory, applies
 * setup_test() and runs execute_one(). The parent polls for the child every
 * millisecond, kills and reaps it once 5000 ms have passed, and then removes
 * the working directory. Never returns.
 */
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

/* Fallback syscall numbers, used only when the system headers do not define them. */
#ifndef __NR_dup
#define __NR_dup 41
#endif
#ifndef __NR_fcntl
#define __NR_fcntl 55
#endif
#ifndef __NR_getgid
#define __NR_getgid 47
#endif
#ifndef __NR_getresuid
#define __NR_getresuid 165
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_lstat
#define __NR_lstat 107
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_read
#define __NR_read 3
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_statx
#define __NR_statx 383
#endif
/* Every later use of __NR_mmap is redirected to __NR_mmap2. */
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

/* Results captured from earlier calls and fed into later ones, one slot per resource. */
uint64_t r[26] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		*(uint32_t*)0x20000000 = -1;
		inject_fault(1);
		res = syscall(__NR_ioctl, -1, 0x89e2, 0x20000000);
		if (res != -1)
			r[0] = *(uint32_t*)0x20000000;
		break;
	case 1:
		*(uint32_t*)0x20000040 = 0;
		*(uint32_t*)0x20000044 = 0xe6;
		memcpy((void*)0x20000048,
"\xf1\x37\x16\x1a\xb8\x6c\x59\x42\x02\xb9\x97\xd9\xf1\x2d\x00\x70\x21\x87\x03\x22\xc8\xd9\x09\x74\x84\x09\x95\x1a\xe9\x80\x0c\x1e\x20\x7f\x98\xb7\x69\xc7\x40\xf8\x67\xea\x14\xbb\xf8\x66\x6a\x4f\x98\xd2\x29\xaa\xaf\xbc\x33\xc6\xc5\x21\x68\xdb\x89\x33\xc4\xa4\xa4\xa3\xdd\x3c\xe0\xcc\xea\x96\xe7\x1d\x81\xff\x4a\xca\x83\x31\xcb\x01\xbf\x35\x43\x38\x53\xd1\xab\xd4\x8f\xd6\xd0\xce\x13\x14\xdf\x65\x07\xba\xe5\x35\xa2\xb4\xe3\xea\xa7\x4c\x5d\x23\x00\x65\x94\x14\x8a\x0f\xe5\xb4\xa8\x84\xef\x8f\x41\x34\x6e\x49\xcc\x90\x47\x4c\xb1\x7b\xac\x30\x1d\x47\x97\xed\x05\xdf\xc6\xcc\xb7\x4b\xeb\xaa\xbe\x54\x91\x72\xd6\x22\xa3\x06\x05\xa4\xe4\x9f\xd3\xf8\x53\x7d\xe5\x27\x2c\x33\xad\x4f\x07\xcd\x06\x05\x77\xbc\xe6\x5e\x5c\x80\xa3\x41\x68\xcd\xe6\x81\x17\xe4\xf9\x00\xe3\x5a\x3d\x88\x8e\x02\xee\x11\x17\x52\x21\x3b\x40\xd2\xaf\x25\x8c\x01\xf3\x6d\xe5\x0c\xe8\xe8\x3d\x42\x26\xa3\x0d\x6a\x4c\xc4\x3a\x88\x3f\x6c\x20\xe3\xfa\xda\x8a\xd2", 230); *(uint32_t*)0x20000140 = 0xee; res = syscall(__NR_getsockopt, -1, 0x84, 0x1a, 0x20000040, 0x20000140); if (res != -1) r[1] = *(uint32_t*)0x20000040; break; case 2: *(uint32_t*)0x20000180 = r[1]; *(uint16_t*)0x20000184 = 0xa; *(uint16_t*)0x20000186 = htobe16(0x4e22); *(uint32_t*)0x20000188 = htobe32(3); *(uint8_t*)0x2000018c = 0xfc; *(uint8_t*)0x2000018d = 2; memset((void*)0x2000018e, 0, 13); *(uint8_t*)0x2000019b = 0; *(uint32_t*)0x2000019c = 1; *(uint64_t*)0x20000204 = 0x7fffffff; *(uint64_t*)0x2000020c = 1; *(uint64_t*)0x20000214 = 0x7fff; *(uint64_t*)0x2000021c = 4; *(uint64_t*)0x20000224 = 7; *(uint64_t*)0x2000022c = 1; *(uint64_t*)0x20000234 = 0x3ff; *(uint64_t*)0x2000023c = 0x40; *(uint64_t*)0x20000244 = 5; *(uint64_t*)0x2000024c = 1; *(uint64_t*)0x20000254 = 0; *(uint64_t*)0x2000025c = 7; *(uint64_t*)0x20000264 = 0; *(uint64_t*)0x2000026c = 8; *(uint64_t*)0x20000274 = 0x1f; *(uint32_t*)0x20000280 = 0xfc; res = syscall(__NR_getsockopt, (intptr_t)r[0], 0x84, 0x70, 0x20000180, 0x20000280); if (res != -1) r[2] = *(uint32_t*)0x20000180; break; case 3: 
*(uint32_t*)0x200002c0 = r[2]; *(uint16_t*)0x200002c4 = 0xa; *(uint16_t*)0x200002c6 = htobe16(0x4e20); *(uint32_t*)0x200002c8 = htobe32(9); *(uint8_t*)0x200002cc = 0xfc; *(uint8_t*)0x200002cd = 2; memset((void*)0x200002ce, 0, 13); *(uint8_t*)0x200002db = 1; *(uint32_t*)0x200002dc = 3; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 6, 0x200002c0, 0x84); break; case 4: memcpy((void*)0x20000380, "/dev/pktcdvd/control\000", 21); res = syscall(__NR_openat, 0xffffff9c, 0x20000380, 0, 0); if (res != -1) r[3] = res; break; case 5: syscall(__NR_ioctl, (intptr_t)r[3], 0x7c80, 0); break; case 6: *(uint32_t*)0x200003c0 = r[1]; *(uint16_t*)0x200003c4 = 0xa; *(uint16_t*)0x200003c6 = htobe16(0x4e23); *(uint32_t*)0x200003c8 = htobe32(0x7f); *(uint8_t*)0x200003cc = 0xfc; *(uint8_t*)0x200003cd = 0; memset((void*)0x200003ce, 0, 13); *(uint8_t*)0x200003db = 0; *(uint32_t*)0x200003dc = 5; *(uint16_t*)0x20000444 = 5; *(uint16_t*)0x20000446 = 0x476f; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 0x1f, 0x200003c0, 0x88); break; case 7: *(uint32_t*)0x20000500 = 1; *(uint32_t*)0x20000504 = 2; *(uint64_t*)0x20000508 = 0x20000480; *(uint32_t*)0x20000480 = 0; *(uint64_t*)0x20000510 = 0x200004c0; *(uint32_t*)0x20000518 = 4; *(uint32_t*)0x2000051c = 8; res = syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000500); if (res != -1) r[4] = *(uint32_t*)0x200004c0; break; case 8: *(uint32_t*)0x200005c0 = 0x8a; *(uint32_t*)0x200005c4 = 7; *(uint64_t*)0x200005c8 = 0x20000540; *(uint32_t*)0x20000540 = r[4]; *(uint32_t*)0x20000544 = 0x400; *(uint64_t*)0x20000548 = 0; *(uint64_t*)0x200005d0 = 0x20000580; *(uint32_t*)0x200005d8 = 0x10; *(uint32_t*)0x200005dc = 0xc; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x200005c0); break; case 9: *(uint32_t*)0x20000680 = 0x83; *(uint32_t*)0x20000684 = 2; *(uint64_t*)0x20000688 = 0x20000600; *(uint32_t*)0x20000600 = r[4]; *(uint64_t*)0x20000690 = 0x20000640; *(uint32_t*)0x20000698 = 4; *(uint32_t*)0x2000069c = 4; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 
0x20000680); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 0x240, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); memset((void*)0x20000044, 255, 6); *(uint8_t*)0x2000004a = 8; *(uint8_t*)0x2000004b = 2; *(uint8_t*)0x2000004c = 0x11; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; memcpy((void*)0x20000050, "\x20\x15\xd2\x29\x78\x5b", 6); STORE_BY_BITMASK(uint16_t, , 0x20000056, 8, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0, 4, 12); *(uint16_t*)0x20000058 = 0x27; *(uint8_t*)0x2000005a = 0x8c; *(uint8_t*)0x2000005b = 0x18; *(uint16_t*)0x2000005c = 0xc93; memcpy((void*)0x2000005e, "\xff\xe3\x24\x0f\x04\x84", 6); memcpy((void*)0x20000064, "\x06\x7e\xcc\x39\xa7\x8a\x3e\xa4\x7c\x22\x24\x6d\x39\x1b\x92\xc4", 16); syz_80211_inject_frame(0x20000000, 0x20000040, 0x34); break; case 11: memcpy((void*)0x20000080, "wlan1\000", 6); memset((void*)0x200000c0, 1, 6); syz_80211_join_ibss(0x20000080, 0x200000c0, 6, 2); break; case 12: memcpy((void*)0x20000100, "bpf_lsm_xfrm_policy_alloc_security\000", 35); syz_btf_id_by_name(0x20000100); break; case 13: memcpy((void*)0x20000340, 
"\xc4\xc1\x7d\x6f\x70\x72\xc4\xe1\xf9\x11\x2f\xc4\xe3\xc9\x5d\x33\xab\xc4\xc2\x79\x0e\xb0\x00\x00\x00\x00\xc4\xe1\x7a\x12\xb7\x0c\x00\x00\x00\x0f\x01\x56\xe9\xc4\xe1\x0d\xd5\x5e\x0c\xf3\x0f\x52\x6b\x00\x0f\x7e\x20\xc4\xc1\x79\xe7\x02", 58); syz_execute_func(0x20000340); break; case 14: res = syscall(__NR_dup, -1); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_fcntl, -1, 9, 0); if (res != -1) r[6] = res; break; case 16: memcpy((void*)0x200026c0, "./file0\000", 8); res = syscall(__NR_lstat, 0x200026c0, 0x20002700); if (res != -1) r[7] = *(uint32_t*)0x20002710; break; case 17: res = syscall(__NR_getresuid, 0x20002800, 0x20002840, 0x20002880); if (res != -1) { r[8] = *(uint32_t*)0x20002800; r[9] = *(uint32_t*)0x20002880; } break; case 18: res = syscall(__NR_read, -1, 0x20002ac0, 0x2020); if (res != -1) r[10] = *(uint32_t*)0x20002ad0; break; case 19: memcpy((void*)0x20004b00, "./file0\000", 8); res = syscall(__NR_statx, -1, 0x20004b00, 0x2000, 0x20, 0x20004b40); if (res != -1) r[11] = *(uint32_t*)0x20004b58; break; case 20: *(uint32_t*)0x20004e00 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004d00, 0x20004e00); if (res != -1) r[12] = *(uint32_t*)0x20004d34; break; case 21: res = syscall(__NR_getgid); if (res != -1) r[13] = res; break; case 22: memcpy((void*)0x200003c0, 
"\x23\x58\x10\x53\x7c\x7f\x88\x6c\xa9\x17\x21\x04\x5f\xf7\xba\xdf\xae\x44\x29\xb2\x52\xcd\x65\x81\x72\xc1\xd0\xd4\x18\xed\x70\x05\x74\x39\xfc\x22\xff\xc7\x7b\x29\x08\x5c\x94\x88\xff\x93\x40\xf8\xa2\xad\xe9\x9b\xf9\xaf\x14\xa3\x57\x25\x7b\x8a\xa6\x9b\x4b\x8e\xff\xe7\xaf\xd6\x87\x6b\x3b\x51\x2b\x86\xfa\x1d\xff\x55\x5c\x6d\xc6\x18\x62\x66\xc9\x1f\xa2\x81\xc9\xdc\x72\xee\x17\xea\xd0\xe2\xa3\xfe\x9f\xf0\x3e\x7c\x32\xd2\x7e\x26\x7f\x5b\xe0\xfd\x6d\x1f\x9e\xfc\x02\xaf\x7f\xe9\xd6\x8d\x75\x55\x19\x20\x1d\xea\x7a\xbe\x68\x10\x53\xab\x98\xf7\x3f\xc0\xc6\xa0\x68\x4e\x91\xb7\x41\xc8\xc9\x45\x1f\x94\x59\xb5\x98\xee\x6f\x4e\xc0\xc9\x1f\x3e\x91\x7a\xf1\xe6\x64\x6f\x3c\x54\xf8\xfa\xf0\x48\x7d\x8e\xcc\xf0\x87\xe2\x8f\x87\x68\xf4\x8a\xe1\x5d\x09\x89\x04\xb3\x25\x42\x85\x70\x2e\x30\x8a\x93\x7d\x5e\x23\xa2\xae\xf3\xc2\x53\x12\x51\x6c\x50\x2d\x5e\x02\x33\x06\x52\x29\xee\x4a\x70\xdb\xc4\x14\x60\x4b\x7f\x05\x5e\xb7\xa2\x72\x48\x03\xe8\x5e\x5b\x4c\xd0\x5a\xf7\x11\xed\x73\x0f\xce\xb8\x1b\xca\xe1\x7a\x49\x67\xaa\x6c\xcf\xf3\xc0\xf4\x96\x6b\x7f\xf3\xd1\x5f\x09\x3e\x94\xeb\x0a\x46\xb7\x0c\x0f\xa5\xb8\x62\x8c\xac\x3c\x31\x01\x9b\xba\x60\x02\x41\x6f\xc6\x66\x1d\x85\x8f\xff\x16\xa9\x62\x15\xb1\xd1\x8a\x87\x7d\x9a\x53\x4a\xc4\x02\x56\xa3\x55\x79\x31\xad\xe2\x7f\x58\x7c\xce\x26\xa2\x0c\x01\x3d\xc6\x7f\x2e\x92\x2a\x52\x68\x9a\xae\xfa\x1b\x06\x4d\x03\xf8\xf6\xa3\x9f\x96\xb0\xde\x1d\x21\x39\x4c\xb6\xc2\x30\x10\xeb\x9e\x4a\x79\x41\x47\x35\xed\x99\x65\x42\x5f\x8a\x01\x00\x84\x96\xdb\xad\x04\x97\xfa\x0d\x65\xac\xec\x59\xff\xa6\xa2\x80\xbc\x58\xe2\xd8\x87\xa1\x0e\x96\x65\xea\xeb\x97\x43\x6e\xbd\xeb\x2b\x58\xa9\xae\x40\xe4\x49\x27\x32\x46\xfd\x99\x67\x53\x9f\x21\x2e\xd8\x96\x9b\x6f\x9a\x49\xd6\x5b\xca\xd2\xdd\x9d\x8e\xe4\x2e\x32\x05\x74\x11\x17\xe4\x31\xd4\x43\xff\x3e\x94\xc4\x7e\x7f\xd6\x27\xd3\x05\x11\xd5\xfb\xce\xc6\xa7\x58\x38\x3d\x31\x36\x7a\xca\x8e\x3a\xf7\x72\xa1\x02\x11\x05\xab\x2c\x1b\x4a\xa7\x61\x4d\xea\x8c\xfa\x4b\x06\xf5\x3a\xf3\x73\x77\x98\x62\xc9\xbd\xb7\x6e\xf9\x3c\x74\x61\x8e\xee\x73\x47\xa
0\x74\xd4\xf7\x1a\x98\x23\x3b\x24\xb2\xa2\x57\x29\xc9\xa1\x98\x3d\x81\x9c\x3f\x42\xd3\x28\xd0\x8f\x0d\x4d\xd1\x64\x2f\x61\xb6\x2a\x89\xfc\x30\x0f\x50\x66\xd8\xe4\x57\xf5\xfd\x49\xda\xa7\x9e\x1b\x1d\x43\xd2\x6f\x89\xf2\xca\x99\x04\x50\xe8\x60\xbc\xc4\x7d\x5c\xf4\x77\x8c\x37\xc4\x51\xed\x22\xd6\x0f\xe2\xbc\xfa\x2c\xaf\xf7\x5c\x41\x70\x99\x0a\x2e\x8e\x21\x87\x19\x7f\x86\x38\xb0\x67\x85\x4c\xcf\x9d\xbe\x91\x58\x6d\xd4\x23\x41\x40\x1c\x4f\xb4\xf3\x13\x30\x66\x8a\xcb\x51\x6e\xba\x22\x27\xcb\xca\x4c\x8f\xa2\xf3\x9a\x03\x52\x1b\xd8\x03\x2f\x5e\x1a\xed\xf4\x9c\x50\xe6\x01\xb9\xfa\xd4\xe0\xd6\xf5\xb5\x93\x2e\xa2\x14\xfd\x50\x84\x85\x70\x3d\x08\x45\x79\x8d\x43\xbd\xbf\xf9\x63\x86\x77\xe6\xa9\x96\xef\xbb\xd1\x93\x6e\x97\x28\x20\x62\x70\x9f\x77\x8b\x45\x5c\xb4\xd2\x00\x13\xf5\xfe\x4c\x9b\xba\x0f\x7c\xfc\x18\x02\xe8\x18\x0f\xb6\xd4\x6f\x51\x76\xd1\xbd\xbb\x43\xd9\x60\xd4\x94\xf3\xa3\x0e\xd7\xab\x4d\xb0\x7d\xe5\xad\x92\x4b\x57\x97\xb5\x09\xf9\x60\x83\xf4\xad\xa9\xfc\xeb\xed\xe1\xeb\x0f\xb0\xdf\xa2\xcd\xc2\x14\x4b\x15\xcf\x4c\x28\x0f\x87\xd1\x18\x7e\x80\x8e\x37\xcd\xef\x53\x75\x52\xe3\x83\xf4\x6c\xcf\xe8\x62\x15\xb2\x07\x15\x39\x85\xe6\xb1\x31\x96\x22\x1f\xde\xa6\xc9\x47\x86\x4d\x12\x14\x7d\x7b\x01\xef\xc3\xdf\x14\x4e\x2c\xaa\x24\xd1\xa4\x78\x2a\x51\xa8\x23\x5c\x4c\x0e\xad\xf0\x44\x0c\x8e\x43\x4a\x4d\x07\x2b\xe5\x84\x55\x47\x17\x5f\x37\xc5\x5f\xdd\xd5\xe7\x84\x95\xac\xe4\x34\xc4\x83\xf2\x8b\xb3\x48\x7a\xd8\xd6\x8b\xd7\x43\x77\xfd\x82\xe1\x7b\xaf\xeb\x06\x2b\x81\xc6\x8e\x8a\x63\x89\xc8\xd8\x10\x79\xe4\xc9\xfa\xa2\xa8\xfc\xf1\x24\x15\xcc\x21\xeb\xcd\x92\xde\x80\x88\x45\x50\x59\x4c\xa6\x4b\x56\xb0\xb4\x24\xa6\x5f\x80\xca\xb1\x64\xb2\xf6\xf2\xf3\x3c\x7a\xea\xa8\xb6\x60\x2e\x71\x83\xb9\xd0\xae\x15\x3a\x17\x03\xb3\x03\x67\x5a\xae\x13\x3b\x3d\xd9\xc6\x46\x67\x7f\x6d\x8a\x49\x2d\xa0\x99\xef\xb4\xa7\xe4\xde\xe3\x92\x81\x8a\x15\xd6\xbf\x9e\xfb\x07\xee\xad\x5b\x40\xac\x25\xbb\x0f\x00\x92\xf4\xb0\xec\xaf\x0a\xc3\x39\x1b\x3e\xcf\xd0\x63\x5e\xc4\x96\xb8\xb6\x6d\x7a\x45\x1c\x6d\x10\x37\x9c\x15\x2
9\x1c\x4f\x36\x82\xf0\x5f\xb7\x39\x44\xcd\x1b\xe0\xf0\xfa\x85\x54\x35\x8b\x30\xde\xb7\x38\x69\x31\xae\x95\xeb\x2a\x16\xfa\xed\x24\x5f\xfc\xad\xb3\x94\xac\xdf\x06\x38\xa6\x26\x27\x82\x33\x01\x93\x66\xe2\xec\xd9\xdb\x1a\x4b\x5a\xe2\x7f\xf8\x3d\x7b\x57\x1c\xd7\xff\xc1\x51\xdc\x4d\x0c\xef\x1d\x03\x00\xc9\x8a\x41\x69\x77\x51\x85\x1f\x8e\x05\x24\x9c\xae\x19\x96\x3f\x81\x25\x89\xa7\xd6\x4c\xfa\xb8\x46\x43\x9f\x47\x13\x43\xba\x5e\xff\xac\x9a\x57\xf7\x6d\x0a\xbf\xb9\x5e\x87\x8b\xee\x4c\x94\x24\xf0\xca\x17\x18\x19\x5e\xff\x14\x06\x0a\xcf\xb3\xe0\xdf\x4c\xbc\x56\x0b\xc2\xbe\x9a\xb4\xf0\xa0\xbd\x68\x6f\xe2\x13\xd4\x49\x47\x17\x0e\x68\xe7\x3b\xaa\xdd\x98\x2c\xe2\xd1\x70\xa5\x0d\x1e\xca\x02\x40\xcd\x3c\xec\xe9\xf7\x4d\xa3\xa1\xc1\x47\x6f\xf1\x1f\xa3\x34\xd7\x2c\x18\x50\x6b\x5c\x00\xa4\x41\xea\x2e\x9c\x72\xc7\x6b\x38\x50\x37\xf8\x6c\xa5\x94\xaa\xad\xe9\x87\xa7\x9b\xbd\x3e\x3c\x40\xd0\x00\x7a\x7f\xf8\x52\x99\x05\xb9\x4c\x54\x61\x65\x62\x92\x95\x0b\x41\xc8\x34\x43\xdc\x84\xd6\xfd\xf5\x2e\x44\x97\xed\x68\x04\x98\x1a\xf1\x33\x85\x64\x92\x00\xd8\x93\x09\x3b\xf2\xea\x82\x25\xb3\x89\xc4\xdf\xd2\xe8\x15\xb3\xbd\xf9\xd7\x08\x4d\x29\x00\x9e\xae\x4e\x88\x22\xa5\xb6\xa5\x2a\xa7\x6a\xfd\x95\x1d\x04\xaf\xa8\xe1\x28\x63\x96\xa8\x34\xdc\xf8\xc6\xb5\x7c\xc4\xef\xbc\x0c\x16\x77\x9d\x53\xf0\xbc\xd7\x40\x43\xc0\x6e\xce\xbe\x59\x32\x8d\xcc\xa8\xbb\x61\x05\xaf\x23\x56\x59\x06\xe5\x46\x6c\x73\x11\xb1\xaa\xc6\x76\x2e\x4b\x62\x60\x36\xfe\x31\xd3\xe7\xb0\xfa\x2e\x65\x8c\xa9\x35\x10\x78\xee\xca\x7b\x46\x7e\x11\x8e\x9b\x88\x95\x9d\xe1\xf4\x18\x69\x40\x5a\x83\xbd\xc6\xce\x98\x0c\x72\x9f\x7e\x2a\x46\x0f\xa9\xbe\xe1\x61\xe5\x4d\x27\x1a\x87\x4b\xb4\xd0\xa2\x2c\xd1\xa4\x37\x6d\xe3\x6b\x58\x68\xca\x0e\x10\x93\x3e\x5f\xe2\xf7\x38\x5c\x1a\xf6\x2b\x86\xf8\xe5\xc3\x12\x66\x26\xb8\xbc\x6d\x56\x8f\x62\x1d\xa3\x23\x70\x7e\xa3\x32\xd7\x65\x44\x39\xfb\xa4\x67\x1d\x0c\xae\xb7\xef\x94\xe2\x5a\x82\x86\xbd\x9a\x19\xa2\x9e\x49\x32\xc7\xdb\x9b\x82\x34\x7d\xa5\x24\x92\xb3\x81\x4a\x44\xb9\x2f\x61\x55\x9c\x22\x65\x4c\x8b\x30\x1a\x8
d\xfe\x9d\xae\xae\x0c\xad\xe9\x46\xc0\x66\x6e\x94\xc4\xa6\x35\x3b\xb0\xeb\x21\x37\xd3\x68\x53\xad\x4f\x7a\x20\xa5\x08\x1e\x63\xaf\xee\xce\x20\x3f\xa6\xee\xea\x7f\x62\x9d\x00\x1d\xab\xaf\x5b\x1a\x3c\x67\x61\x51\x7b\xc9\x9a\x8e\x63\xf6\x6c\x01\x88\x49\x27\xb4\xbc\x40\xbc\x34\x19\x0c\x9e\x55\x3c\x69\x0f\xbc\x64\x44\xdd\x8b\xba\x65\x68\x74\xfa\x80\x46\x31\xb5\x6d\x24\x54\x1a\x9b\xd6\xfb\x77\xdb\x49\x03\x76\x9f\x9d\x04\x44\xd0\x8a\x21\xff\x59\xd9\x49\x65\x9d\x80\xb1\x40\x2d\x91\x9a\xc0\xfb\x83\x80\xed\x91\x15\xb6\x69\x3c\x19\x5f\x8f\x1a\x90\xa3\xa4\x22\x35\xd8\xea\x78\x2e\xda\x2b\xf1\x94\xd3\x2f\xbc\xc5\x63\x27\x1a\xfd\xa7\x3d\x70\x96\xa2\xe9\xe4\x67\x54\x1e\x76\x67\xc2\x67\xc5\x95\xe1\x23\x37\x29\x75\x26\x77\x68\xb8\xd1\x6c\xb6\x13\x0e\xae\xbf\x69\x8b\xe7\x6e\xef\xab\xbe\xac\xd5\x9f\x63\x1c\xc1\x04\xf0\x42\x26\x3e\x3e\x29\x62\x59\x79\x69\x72\x1a\x6c\x02\x2a\xba\x14\x11\x2e\x2f\x38\x02\xba\x63\x53\x91\xcd\x1f\x94\x32\x35\x25\xc8\x16\xef\xa9\xe8\x65\x52\x39\x9e\x79\x66\x5f\xf5\x54\xf5\x86\x75\x4f\x72\xd5\x3a\x0d\x94\x75\xc6\x55\x94\x8b\xd1\x3e\xc9\x3d\xd8\xcc\x43\xe5\xb8\x13\xeb\xfe\xa4\xab\xcd\x78\x0e\xed\xb6\x82\xac\x4f\x66\xe1\x68\x47\xf7\x82\x1f\xdc\x40\xda\x07\x3f\x7f\xc5\x9f\xe5\x7c\xa6\xad\x5f\x4d\xdd\x8a\x41\xe8\xaa\xdf\x3e\x21\x78\xcf\x42\x95\xc8\x59\x99\xe2\xc2\xd8\x24\xa0\x8e\xbb\x9a\x9b\x09\xe2\xef\xbf\x9b\x8d\x03\x73\x09\x1e\xa6\x1e\xc6\xaf\x17\xdf\x1e\x71\xac\xeb\x40\x3a\x41\xd3\xba\xfe\xfc\x56\xdc\xff\x18\x60\x23\xe9\xf2\x89\xe6\x1b\x74\x69\x04\xb3\xce\x34\x86\x9b\x53\x27\xc9\x24\xa2\x73\x36\xb2\x16\xd2\x20\x6e\xeb\xa9\xb1\xdf\xdc\xe0\x22\xe3\xa1\x3a\x26\x17\x38\x7f\xb3\xff\x5a\x1d\x0f\x38\xfb\xb9\x06\x3b\xcb\x69\xb5\xe3\x3e\xe4\x57\xef\xe0\x51\xdf\x45\x34\x62\xb7\x18\xd7\xd5\xe7\x80\x31\x04\x71\xa7\x3d\x99\xe2\xeb\x1e\x23\x23\x6c\x74\xb9\x37\x7c\x3e\x0e\xbb\x93\xea\x7a\x6a\x7b\x32\x2c\x42\x59\x10\x20\x9f\x89\x18\x41\xd6\x5c\xb8\xdb\x3b\x2b\x0d\x51\xd2\x7c\xde\x0c\xa1\x85\xbd\x3b\xf1\xf4\x02\xff\x10\xfc\x61\x1b\x93\xfa\x6f\x94\xeb\xf6\x07\x9a\xc6\xd5\xf3\x0
f\xf8\x66\xa4\xdb\xf3\x07\x29\xfc\x3c\xd0\x03\xed\x9e\xee\x6e\x1c\x92\x31\x9a\x8c\x62\x69\xe1\xa7\xdb\xa0\x49\x1d\x27\xb3\x26\x38\x8b\xc3\x2d\x58\xbf\x68\x5e\xc4\x29\xa8\xca\x7a\x12\xb6\x60\x18\x23\x08\x71\x0b\x5a\xa6\x1d\xce\x0a\x14\x3f\xad\x3b\xbc\x1a\x81\xa8\xf8\x14\xee\x37\xb4\x34\xc7\xd7\x29\x33\x1c\xe7\xf7\x2d\xdf\x31\xdc\xa7\x19\xbd\xfa\x04\xc0\x3a\xec\xeb\x4c\x64\x0c\x1c\xdd\xd0\xf0\x11\x37\xbd\x6e\x2f\x7a\xef\xb5\x1b\x02\x10\xb8\xcd\xb2\xcc\xb0\xf5\xd7\x45\x8d\x05\x71\x92\x76\x75\xf1\xbe\xdb\x36\xd0\xbf\x30\xac\x68\xdb\x43\x8f\xfb\xa7\x4a\xca\x62\x37\x25\xf2\x75\x22\x70\x1b\xb6\xc5\xca\x41\x4d\x23\x91\xcd\x53\x3a\x82\xc0\x66\x72\x4c\x6d\x3f\xd6\x8f\xe4\x2a\x83\x4d\xcc\xf5\xbf\x70\x34\x74\x29\xad\x8e\x38\x22\x15\xf7\x2f\xad\x93\x6e\xf9\x49\xbf\x64\xda\xd1\x25\x77\xea\xd0\xdc\x6c\xf2\x71\xbe\x7c\xa8\xe0\xba\xab\xb4\x39\x7f\xf0\x63\xf3\xae\x8e\x74\x12\x10\xc6\xa3\xab\x3b\x44\x2b\xa8\xfb\x16\xf2\x28\xc5\xda\xfe\xb1\xb4\x40\x82\x7d\xef\xbc\x48\xf5\xcb\xce\xb2\x74\x07\x55\xc9\x85\xd0\x60\xe8\x2c\x86\xc7\x32\xbb\xd5\x60\x88\x35\x91\xa1\xac\x05\x82\x99\xf1\x7f\x2e\x2a\x12\x85\x60\x28\x0b\xa0\x89\xe8\x4c\x34\x65\x45\x2a\x65\x07\xa6\x3f\x88\x49\x44\xa8\x3a\x21\xd2\x6c\x8e\x49\x8f\xf5\xdb\xd4\x89\xc6\x9c\xa7\x85\x32\x49\x01\x8e\x9d\x03\x52\x0b\x23\xf4\x7b\x29\x7b\x85\x26\x32\x2b\x1f\x6b\xd5\x4d\x06\x0c\xce\xa3\x01\xcc\x8a\x3a\x15\xda\x2d\x39\xb6\x4e\xa4\xdd\xb0\x3c\x7b\x6c\xba\x60\x5e\x8d\xd4\x86\xd1\x2d\x8f\x0c\x6c\xd9\xfb\x47\x81\x61\x12\xba\xa0\xa7\xae\x0e\xba\x4f\x0f\x89\xb2\x14\x32\x03\xa1\x19\xa6\xbb\x85\x45\xc1\xba\x66\x78\x84\x95\xf4\xe7\xda\xd9\x6d\xf8\x11\x9b\x1c\x11\xd7\xff\xb0\x71\x07\xc0\xc0\x35\xa8\x06\x97\xa8\xed\x78\x0d\x9c\x55\x61\x92\x93\x85\x08\x5f\x0a\xa7\xbc\x74\x8f\x2b\x5e\x23\x4e\x21\x0c\xe7\x77\x22\xc5\x4e\x80\xb8\x86\xc0\xd6\x14\x65\x8f\xfa\x23\x40\x8c\xac\xa9\xcf\x01\x38\x69\xef\x66\x29\xf8\x46\x16\x40\xda\xea\x86\x9a\xd4\xc3\x65\x53\x0d\xe5\x27\x81\x5c\xaf\xee\x31\x4f\x8c\xa7\xb9\x87\x95\x22\xc4\x26\x29\xe3\xe7\x12\x96\xe5\xf6\x0a\x84\xdb\x3
9\xd5\xc9\x00\x00\x16\xea\x33\xf4\x81\xd8\x0c\xcb\x80\xf0\x85\xd5\xed\x3f\x70\x0b\xad\xc3\xb4\xb7\xd8\x0d\xd8\xa7\x78\xf0\x38\x17\xa1\x0d\x67\x89\x2d\x36\x87\x0a\x98\xbd\xc7\x0c\xfd\xa4\x83\x4c\x78\x15\x42\x1f\xc9\x72\x74\x01\xbd\x4f\x81\x11\xbb\xba\x76\x86\x02\x4b\x42\x72\xf5\xa6\x8a\x66\x51\x94\xaf\xc4\xf1\xa9\xf8\x57\xaf\x27\x0e\x30\x22\xc1\x8d\xfc\x18\xf6\x7b\x39\x77\xe6\x41\xc6\x25\x8f\x00\xc1\x43\x0e\xa7\x95\x78\xf4\xdc\x82\xa0\xba\xb5\x21\x40\xdf\x4b\xe0\xad\xb3\x29\x19\x5a\x29\x7d\xf0\xbe\x6e\x12\x34\x97\x70\xb4\x47\x7a\x44\x65\xa8\x14\x39\xf2\x2b\x6b\xdc\x67\x7a\xb8\x6d\x4e\xdb\xbd\xfc\x7d\xb3\xcf\x06\xd4\xa9\x4d\x33\xc6\xc1\x1f\xa1\x63\xfe\xfb\x1a\x87\xa9\xb5\x2c\x1c\xc4\x09\xeb\xed\xe7\x26\x3c\x88\x97\x5e\xdb\x23\x7f\xa0\x1b\x58\x3f\x79\xfc\x7a\x4f\x8e\x8a\xc8\x9a\xf7\x93\x08\xd9\x9b\x47\x3c\xf3\x3f\x33\x44\xa4\xe5\x52\x3f\x3e\x35\xd3\x88\xd1\x8e\xe1\x18\x5c\xaa\x19\x18\xd2\x3a\xae\x41\x93\xae\xdf\xe1\x25\x04\x2e\x16\xd5\x71\x86\x52\x61\xdd\x63\xbf\x0c\x9d\xd8\x48\x5f\xa6\x4e\x24\x10\xa2\x6a\x43\x6c\x83\xc9\xe3\x45\x56\xf3\x7c\x1d\x69\xd2\xfd\x57\x42\x78\xc4\xb2\xc8\xba\xf3\x83\x4e\xe2\xe0\xf3\x64\xb5\x4c\x36\x78\x0f\x28\xa8\xeb\xe5\x6e\x1d\x9e\x1c\xbd\xfd\x77\x3c\xe8\xaa\xcd\xef\xda\x09\xf4\x0d\xff\xd8\x47\xaa\xdf\x67\xc4\x44\x71\x00\x8c\xee\x07\x76\xfb\x06\x89\x54\x30\x8f\x16\x20\x3d\x01\x7b\x29\x0c\xd1\xad\x9e\x4c\xdc\x49\xf3\x26\x35\x28\x07\x56\x0d\xdd\xa4\x90\xc0\x5c\x6d\x5e\x04\xf1\x94\x00\x83\xaa\xba\x83\xe0\x29\x37\x0f\xd7\x6e\x77\x57\xc7\x3c\x05\x43\xdd\xff\x26\xc3\xa3\x07\x62\xe2\xc9\xc5\x56\xaa\x28\x2c\x7f\x46\xf3\xdd\x8e\x20\x01\x68\x05\x3a\x03\x17\x4c\x56\x69\xdc\x43\x90\x0a\x39\x41\x7c\x9d\xff\x8e\xd3\xf1\x0e\xb0\x7c\x47\x0a\x52\x2e\xc8\x20\x71\x2f\xf8\x82\x59\xcf\x7f\x5e\xe5\x2c\xf4\xee\x69\x0b\xca\xbd\x88\x76\x3f\x66\x32\x9f\x37\x25\xa4\x36\xca\x19\x38\xd4\xda\x48\xde\xdf\xfe\xa8\x2d\xc5\x4a\x2a\x0a\x5c\xfb\x64\xc3\xe2\x78\xf4\x1b\x93\x3c\xef\xeb\x02\xf9\x82\x53\x2e\x98\x67\x72\x41\xd7\xec\x2f\x8d\x14\x27\xda\x17\x11\x91\x9d\x67\x2e\x95\x1
b\x6d\x1c\xd8\xf2\xc0\x20\x3f\xed\xd5\x21\xf7\x5a\x22\x9d\x99\x67\x13\x35\x81\x36\xd8\xb4\xeb\x79\x71\x34\xfe\xc8\x74\xe3\xd3\x8a\x01\xcb\x82\xa8\x7c\x8c\x21\x1e\x64\x29\xef\xe6\x77\x17\x3a\xab\x0a\x0f\xb9\xf5\x58\xf4\xb0\x6f\x77\x05\xbc\xd1\x77\xec\x1d\xd8\x0d\x04\x45\xb5\x44\x8e\x7d\xc2\x94\x53\x8a\xae\xcc\x59\x61\x0d\xbe\x6f\x2b\x3b\x16\xb2\x75\xc1\x8d\x33\xa7\x8f\x0c\x1d\xcb\xb0\x7e\x13\x76\x28\xb6\x22\xf8\x85\xae\xe8\x0b\x82\x68\x4c\xdd\x5f\xde\x5a\x29\xaa\xdf\x63\xd8\x5e\x95\x15\x96\x49\xad\xce\x0f\x9e\x57\xb5\x3b\x82\xc7\x5b\x87\xa1\x27\x47\xef\x0f\x84\xbe\x50\x69\x3c\xca\xe7\x98\xe3\x8a\xaf\x05\x06\x66\x16\x3e\x6b\xed\x48\xf5\xf1\xba\xf4\x9a\xde\xa2\x12\x23\xbf\xb0\x89\x19\x98\x98\xdc\xd2\xe9\x1b\x70\x8b\xd6\x2b\x61\xf1\x38\xcc\x48\xbe\xd8\x8b\x77\x2d\x14\xbc\xc5\x39\x68\xaa\x32\xfa\x3f\x11\x45\x84\x75\x2d\xb5\x32\x78\xb2\x5f\x36\x7d\x52\xc2\x07\xec\x54\x59\x66\x83\x82\xaa\xc7\xeb\xfd\xf3\xa2\x07\x5c\xef\x67\x9b\xd7\x7e\xc1\x7a\x11\x43\xde\x08\x47\x20\x08\x54\x86\x68\x5a\xc8\x69\x73\x3b\xc0\x7d\x74\x24\x6f\xbf\x8a\xbb\x36\x62\xbe\x75\x0d\xdd\xd3\xb1\x3e\xcb\x2d\x91\x35\xf5\xc6\x8d\x1f\xdd\xe5\x49\xd9\xc2\x09\x1d\x96\xaa\x35\xf8\x43\x36\xb4\x21\x51\x31\xf3\x64\x76\xec\x84\x8d\x53\x3d\x7d\xca\x1e\x0a\xa4\x1e\xef\xb8\x80\x60\x52\xa8\xcd\xd5\x38\xb7\x55\x70\x7f\x93\xe0\x48\xd7\x71\x50\x5b\x88\x90\xd8\xf6\x80\xb8\x80\xcc\xb8\xee\x29\x49\xe3\x5a\x63\xee\x48\xe7\xb4\x67\x12\x8b\x65\xff\xe6\x06\xce\xd2\x8a\x3b\xc3\x17\x2b\xd0\x9f\x2b\x58\xef\x63\x22\xa3\xfa\x31\xe0\xfa\xb3\x7a\x3a\xfe\x72\x9a\xd4\x3d\x5c\xd0\x2b\x42\xbe\x4d\x8e\x60\x2b\x99\x51\x6d\xbd\xbd\x81\x2e\x1b\xec\xae\xba\x14\xb2\xb2\xbf\xaf\x05\x55\x90\x02\x51\xe3\x1d\x83\x97\x98\x14\x1b\x32\xab\xdc\x55\x8b\x3b\xf3\x0e\xdc\x11\x45\xf5\x41\x79\x85\x07\xda\x32\x9c\x5a\xcc\x1f\xf5\x6d\x4f\xd5\xf6\xe1\x8c\x02\x08\x12\x22\xc6\x98\xb3\xd0\xf2\xb1\x95\x39\xa7\xc2\xc9\x1f\x78\xb1\xbe\x76\x48\x19\x91\xe2\x41\xd2\xae\x88\x9d\x4c\xb1\x33\xf9\x0f\x77\xd9\x22\xd9\x84\xb5\xa5\xd1\xb2\xaa\x03\x8f\xb0\x01\xf0\xba\xc8\x8c\x1
4\xa3\x6f\x62\x29\x6a\xb3\x24\xd5\x2b\x57\x54\xd4\xe8\x42\x88\x9d\xa6\x54\x14\x3b\x4b\xd7\x19\xf0\x82\xcb\xcf\xa2\xec\x90\x31\xb9\xb4\xb8\xbb\x8e\xf4\x6b\xc3\xff\xa5\x2d\x35\x38\x5b\xf2\x7e\x3c\xcd\x86\x10\x84\x81\xff\x66\x40\xe8\xb0\xe3\x09\xd2\x8b\x14\x94\x20\xf9\x5e\xb9\xaf\xa0\xf6\xe1\x88\xb7\x00\x5f\x42\x12\x25\x38\x5b\xde\xa3\x82\x5a\xd5\xfb\xfc\x6d\x9f\x29\x97\x47\x6b\xc3\x6e\x5d\xfe\x4b\x68\x6d\x1a\x2d\x40\x25\x16\xd4\xee\xe9\x90\xe1\xea\x6a\x23\x48\x38\x10\x3f\x42\xd7\x05\xab\xf3\x78\x35\x67\x3c\xa7\x86\x75\xb5\x35\x4c\x2a\x99\x13\x0e\x2b\x7a\x64\xee\x26\xa2\xad\x6c\x1c\xd2\xde\x64\xed\x59\x12\xeb\x77\x08\xdb\x3a\xfb\xb4\xa6\x83\x10\x9b\x10\x57\x29\x8f\x35\x6e\x4c\xf4\xfa\xb2\x00\xca\xf7\x40\x3c\x71\x9a\xa8\x1a\xb0\x1d\x3d\x7f\x91\x55\x07\x3f\x56\x49\x5e\x51\x16\x19\x6e\x9a\x9d\xe8\x2f\x10\xa5\xc0\x8d\xfb\x2f\x91\x54\x94\xdf\x7a\x07\x00\xef\xb7\x22\xd3\x41\x6a\x5d\x32\xbc\x02\x29\x71\x11\x65\x08\x47\xde\xe6\x76\xd2\x68\x77\x2d\xec\x41\x3d\xa3\xa1\x32\x09\x89\xc1\xbe\x0d\x5c\x9c\x1b\x6f\xc4\xf7\x0f\xbd\xad\x88\x8a\xbb\x0b\xe8\xf1\x16\xf0\xd7\xa6\xf3\xab\xaf\x63\x6b\xb6\xb6\x92\x22\xda\xf4\xcc\xbd\x6d\x07\x29\x3d\xef\x59\xcd\x5e\xc9\x08\x45\x4d\x07\x94\x95\xf2\x7b\xfa\xf9\xe4\x5f\xb2\xc9\x99\x64\xe6\xb2\xfb\xa0\x3a\xf0\x38\x2d\x5b\x60\xad\xeb\xbb\x28\xfb\x8f\x8f\x8e\xfd\xd8\xda\x65\xea\xc2\x93\x77\xcf\x07\xc6\x2e\x1b\xf1\x0f\x61\xfa\x91\x2e\x62\x71\xf2\xcb\x95\x09\xa7\x63\x1b\x7a\xbe\xc3\x39\x6b\xeb\xce\x10\xbc\x79\xe2\xc4\x99\x56\xd1\x27\xf9\xd0\x1b\x73\x58\x45\x40\xcb\x6c\x0b\x52\xa7\x09\xe3\xaf\x1d\x00\xc8\x4f\x6d\x22\xfb\x19\x5d\xd8\x82\x3a\xa3\x36\xaf\xea\x89\x8e\xd8\x7a\xda\x2b\x22\xd1\xb8\xec\x50\x8c\xf6\x98\x6e\x93\x45\x92\x65\xed\x7c\x25\x87\x32\xc2\x91\xca\x41\xe7\x87\x6f\x1b\x43\x8b\x17\xd3\x6c\x24\xa0\x2f\x20\x0f\xee\xee\x18\xac\xe8\xdc\x4a\xad\x51\xa4\x2b\xb9\x81\x5d\x82\xc2\xa9\xa3\x7f\x77\x5c\xd6\x12\xe0\x84\x22\x69\x42\xea\x0d\xc6\xf5\xd8\x92\x33\x49\xbb\xbe\xdc\x2a\x45\xcf\xcf\xdd\xed\xa2\xd5\x2d\x14\xf2\xff\x83\x29\xaa\xc0\x1d\x2e\xc3\xc3\x7
f\x23\xc5\xc9\x0d\x02\x62\x80\x23\x8c\xe0\x9e\x00\xec\xa9\xf6\xc3\x0b\xda\xa5\xdc\x91\xf4\x34\x2f\x8a\xf6\xa3\xec\x13\x39\xc4\x7d\xca\xe8\xf9\x36\x0c\x32\x50\x2b\xfa\x86\xe1\xff\xc5\x82\xd5\x88\x8f\x29\xca\xc3\x9e\xf9\x0a\x31\x50\x11\x1f\x66\x11\x99\xfa\xf7\xe2\x41\x3b\x57\xbb\x9a\x72\xaa\xa2\xd5\xfa\xe3\x2b\x46\x28\x84\xa9\x28\xd8\x3c\xea\x60\x55\x70\x25\xc5\xde\x01\x80\x44\x34\x5f\xb0\x83\xde\xf4\x9b\xc3\x83\x31\x98\x94\xda\xd2\x8b\x53\x39\xcb\xad\xb6\x03\x8d\xc8\x47\x9f\x7e\x4b\x2f\x01\xc1\xce\xd3\xff\x85\x42\x05\xbe\x93\x88\x48\x85\xb1\x29\x87\x8b\xdb\xb1\x8c\xaa\x68\xc3\x09\x40\x71\x9a\x40\x8a\x03\xfc\x61\xeb\xea\x87\xd9\xd3\xef\x21\x62\x59\x45\x89\x65\x44\x75\xc2\xc3\x7e\xaa\x87\x37\x33\x8a\xcc\x18\xb3\x41\xa3\x51\xec\x39\xaa\x94\xcb\xa1\x71\x09\x6f\xd7\xfb\x83\x2e\x30\x31\xf4\xd8\x2f\xf2\x32\x8a\xa1\x89\x62\x3c\xd9\x3f\xce\x6f\x45\x25\xc2\xdd\x01\x3d\xc9\xc7\xb4\xd1\x9a\xdd\x3b\xf9\xc3\x34\x88\x6e\x9d\x1c\xb4\xdf\x99\x7d\x99\x56\x3a\x57\xb6\x6d\x83\x21\xd4\x21\x52\xf7\x21\x70\x5d\x6c\x48\x46\x18\xad\x33\xcb\x46\xb5\xc1\xa4\x1c\xcd\x39\x7e\xde\x50\x43\x2d\xc9\xd4\x1a\xa8\xb2\xfb\x37\x5a\xf7\x5d\x33\x23\x56\xd7\xdf\x3d\x5d\x43\x9f\xde\xbc\xf8\xe2\x5b\x22\x49\x3c\x6f\xe1\x40\x01\x3e\x29\x52\x32\x18\x67\xd1\x29\x47\xb1\xf2\xdd\x27\x2a\x17\x36\x94\xa5\xfd\xdd\x88\x7f\xe1\xec\x96\xdf\x64\x67\x63\x0d\x14\x49\xd7\x23\xff\x02\x3e\xc1\x27\xb1\x2a\x24\x11\xa0\x96\xe3\x12\x9e\x84\x5d\x50\xb1\x46\x68\x36\x35\xd8\x05\xcf\x19\x67\x35\x82\x8c\x8a\x0a\x00\x40\x47\xa1\x9a\xcf\xcc\x41\xb6\x2f\xe0\xfb\xff\x91\x88\x1e\x76\x13\xbf\x7a\x73\x71\x95\xf1\x85\x8e\xd7\x19\x8d\xca\xca\x13\x21\x06\x19\xd7\xf7\x39\x8d\x81\x2d\xe4\x63\xf2\x21\xf0\xc2\x64\x87\x4a\xa3\xb3\x41\x6d\xcd\xfa\xed\x76\xbf\x25\x5d\x7a\x7a\x15\xd6\xac\xc9\x86\x4d\x1b\xd9\x00\x35\x4b\x3b\xf0\xdf\x70\xba\xe9\x32\xc4\xb8\x2e\x8a\xa6\x0d\x39\x5b\x93\x9c\xc6\x0f\x89\x64\xab\x75\x5b\xa5\x0b\x40\xa7\x13\xf6\x8d\x2e\x00\x1a\x2b\x5a\xbc\xfd\xbb\x82\x1a\x0a\x3a\x7a\x97\xcd\xcc\xc0\xb0\x5b\xca\x8f\x03\x3f\xbc\xd9\x54\x56\x9c\xb
7\xc3\x12\xd4\xcb\x9e\x69\x27\x56\x13\x30\x66\x79\x88\x25\x70\x72\x61\x18\xeb\x66\xb4\xb6\xf0\xd2\x36\xc3\x3e\x35\x65\x8e\xd8\x7f\x02\x8c\xa4\x3c\x55\xc2\x69\x68\x17\x9a\xed\x75\x49\xc8\xc2\xe9\x26\x72\xa4\x45\x10\x6d\x04\x29\x84\x69\x17\xc5\xfc\x60\x7f\xa2\x85\xdb\x9a\xa6\x12\x81\xc1\xc5\x24\xa7\x6b\x3d\x40\xde\x5d\xa9\xbc\x7a\xfb\xae\x9c\x03\x55\x5d\x05\x63\x83\xea\x7f\x5e\xac\xf5\xde\x95\x63\x8e\x11\x24\x2a\x42\x0c\x9a\xa3\x22\xc8\x08\xcf\x2a\x14\xab\x47\x9d\x81\x35\xe4\xff\x48\x7b\x21\x5c\x8c\xec\x44\xc7\x29\x0d\x34\x59\x10\x0b\x21\x96\xc5\x4e\x88\xca\x28\x41\xd8\xa6\x01\x1c\x6d\xb1\xb5\xc2\xfb\xc5\x13\x5d\xa6\x05\x3d\x89\x3d\x11\x6b\x9f\x23\xd5\xa0\xf7\x7f\x9f\x64\xc5\x0a\x04\x48\x55\x2f\xb3\xd4\x00\x2c\xcf\xb9\x5e\xd5\x4c\x37\xea\xe9\x31\x73\x7b\xf0\x2b\xcd\x22\x6b\x13\x3b\x9d\x27\xde\xbf\xae\x74\x87\x30\xa8\x7b\xe8\xdf\x5c\x31\xcd\xdf\x16\xc2\x6b\xc3\xf3\xb4\xdf\x7a\xbc\xbc\x52\xed\xad\xb7\xa7\xc2\x9e\x87\xdd\x5d\x63\x30\xb7\x61\x64\x9f\xc9\xf0\x98\xa7\xb6\xb6\x8c\xf5\xdc\xe7\x67\x66\x7e\x8b\x5a\x7c\xd4\xbb\x22\xd1\xc9\x22\x9c\x45\x51\x69\xd7\x2e\xdd\x3b\xae\x9c\x25\x1c\x07\x88\x96\x8f\x1d\x13\xaf\x8e\x47\xba\x32\x92\x3c\x66\x14\xc4\x4d\x51\x96\xfa\x80\x57\x61\xdb\xa5\x9a\x39\xb8\x93\xbf\x09\x73\xda\xbb\x97\x6e\xdf\x63\xf3\xcb\x54\x73\x2d\x43\xb9\x0e\xe7\xab\x03\x74\xe1\x0f\xd7\x22\xd5\xc3\x61\xa4\x10\x89\x31\xe8\xee\x3f\xa1\x90\x79\x3f\x90\x1b\x18\xff\x7b\x5e\xd8\xc1\x62\xb3\x7f\xfc\xb3\x9c\x6c\x0c\x08\x4c\x9c\x76\xb3\x96\x4e\x31\x35\x1f\x51\x12\xac\xcf\xe1\x6c\x62\x68\x58\x0c\xe0\xb4\x4c\xd4\xc3\x3f\x29\x21\x71\xdf\x6a\xf3\x59\x14\x22\x5c\x8b\x1a\xff\x19\x85\xce\xa0\xea\x73\x49\xa4\x3a\x51\x0d\x5f\xbf\x18\x81\xa0\x32\xf9\x6b\x1f\x58\xf4\xfa\x94\xdb\xcd\xf9\x8f\x6b\x11\x3a\x2f\x85\x1e\x76\xd4\xf1\xcf\x06\x86\xe3\xb4\x40\x57\xc3\x63\xc8\x49\xc5\x70\x06\x59\xd7\xe5\xa1\xc2\xb3\xcc\xfd\x5a\xaa\x88\x9c\x2f\x99\xa9\xb1\xc8\x31\x9c\x3c\xd3\x48\xbe\x29\xb2\xe9\xbf\xef\xbc\x28\xcb\x77\x47\x29\x95\x8c\x12\xc9\xdf\xa7\x4b\x89\x3a\x07\x74\x5a\xed\x2e\x51\x44\x72\x3c\x8
f\xc0\x50\x68\x52\xf1\x7e\x6a\x4a\x8f\x59\x9d\x2c\x4a\x1d\x7c\x0b\xa9\xd7\x7d\xb8\x41\x6e\xb1\x09\x32\xcd\xc7\x49\xcf\xa9\x98\x90\xee\x80\x17\xc0\x66\x40\x84\xf8\x64\x89\xc9\x75\x25\x52\x52\xc3\x87\x6f\x8d\xcd\x98\xc0\x0b\x73\x61\x1c\xe2\x73\x4e\x1f\xe0\xee\x5c\x0a\x0a\xbb\x0c\x50\x00\x40\x44\xf9\x3a\xd2\xff\x01\x09\xbc\xb1\x9a\x3a\x20\xf1\x86\xd6\x8e\x38\x7d\x34\xa5\xb5\x78\xc4\x25\x3c\xd9\x67\x26\x14\x80\x3b\xf9\x67\x26\xe8\xab\x00\x14\x6d\x2f\xe2\x66\xe6\x2e\x48\x65\xf5\xe7\xfe\x31\xd4\x14\x97\xe7\x19\x51\x22\xfc\xda\x82\x5f\xb4\xe9\xfc\xdd\x09\xb4\x21\xdd\xb6\xe9\x25\xa4\xd5\xcb\x7f\xf2\xfa\x56\xfe\x14\x97\xad\x65\x9c\xc5\xb6\xef\xd8\xf8\x83\x99\x8b\x74\x51\x17\x5f\x98\x27\x54\x7b\x84\x19\x5c\x25\xfc\x16\x31\x07\x2a\x55\xc1\x7e\x90\xa3\x27\x9a\x54\xa2\x96\x97\x31\x2b\xfe\xf3\xee\xfc\xba\x8d\x31\x14\x55\x6a\x54\x5d\x18\xab\x0d\xf7\x4d\xf2\x66\x85\x91\x51\x95\x9a\x1b\x05\x1f\x83\x22\xf7\x98\xcb\x45\xd5\xcb\xe5\x29\x1b\xdd\x71\xda\xd6\x65\xf6\x4d\xde\x69\x54\xef\x00\x71\x89\x18\xfe\x01\x72\x79\x63\x96\x46\x42\xd4\xc4\xa5\xbb\xa9\x30\x3f\x44\xfe\x97\xff\x99\xf0\x67\x48\xdc\x86\x3f\xf0\xcc\x17\xfc\x82\xb2\x9f\xbe\x0c\x71\x2c\x77\xed\x36\x69\x7f\x23\xb4\xa2\x2a\x9f\x24\x85\x22\xf9\x94\x6c\x3a\xbc\xd3\x2e\x16\x5f\xd6\x6f\xdb\xc7\xb4\xa0\xdf\x71\xa8\xd2\x57\x1f\x32\xda\x4a\xda\x51\xc1\x4c\xa0\x86\x30\x1d\x6e\xd0\x20\x06\xc6\xa3\x8c\xe4\xe7\x67\x1f\x3d\x08\x62\xa4\xe3\xc2\x2b\x6a\xa7\xb7\xc0\x49\xa7\x76\x22\x87\x57\x05\x62\xe8\xb4\x52\xef\xc7\x87\x41\xe7\xc2\x82\x2a\xd0\xfd\x43\x5e\x76\xa8\x04\x4b\x05\xb3\x88\xaa\xfc\x4c\xf6\x15\x75\x76\x03\x98\x87\x23\x64\x46\x99\x61\xe8\x7d\x14\xd1\x79\x5e\xb6\x27\xfa\xed\xa1\x8f\x9c\x12\x28\xfc\x99\x4d\x58\x05\x08\xc9\x96\xd3\x66\x27\x99\xb7\x23\x7e\x59\x69\x10\xa7\xc5\xc7\xfa\xcd\x47\xfa\x30\x84\xda\x48\x48\x87\x67\xf6\x0c\xfe\x58\xec\x40\x14\x15\xac\x66\x03\x16\x23\x32\x0f\x9f\xda\x37\xc0\xaf\x9f\xe4\xcd\xa1\xb2\x89\x3d\x2d\xf0\xac\x82\x26\x01\x3a\x36\xca\x7b\x13\x66\x03\x2e\xa7\xb2\x5a\x55\x91\xbe\xbc\x8c\xe4\x89\x77\x7c\x0c\xba\x2
8\xd1\xf0\xca\xfe\xae\xea\x7d\x5b\x4d\x20\x09\x30\x9e\xeb\xc9\x13\x07\x81\x12\xbb\x12\x69\x20\xca\x6e\x5e\x2b\x22\x10\xce\x54\x10\xcc\xe4\x5f\xc4\x63\x74\x6c\xf1\x68\xf7\xee\x2b\x91\xc7\x97\xb3\x30\xe0\x46\x48\x22\xa6\x18\xe4\x57\xce\x39\xa0\x03\x67\xd9\xcd\x3d\x3f\x59\x38\xce\x36\xeb\x2a\x31\xa9\x0d\x04\x92\x58\xc8\x49\x95\x5e\x97\xf0\x80\x17\x26\x9b\x3e\x5f\x69\xe9\x12\x81\x95\x63\x8b\xc8\xc1\xfa\x73\x5e\x6e\xb2\x43\x5c\x95\x87\xf4\xf4\x36\xd9\xe6\x8a\x87\x97\xbb\x42\x10\x0d\x48\xe7\xb2\x61\x97\xc6\x5f\xb8\x90\x39\x61\x38\x2f\xb0\xfe\x22\x98\x60\x17\x30\x68\xd9\x42\x91\x10\x82\x3b\xc2\xff\x71\x7a\x71\x57\x05\x4c\x32\x6b\xda\xc3\xad\x35\x81\x77\xf9\xa4\x06\xd8\x94\xb8\x42\xd6\xd9\x1e\xdb\x35\x6b\x06\x28\x3b\x32\x9b\xca\x6e\x12\x29\x06\x55\xfe\xf2\x40\x29\xba\x1d\xaa\xf4\x5f\x17\xeb\xc8\x34\xd1\x2e\x35\xe3\x9f\x2e\x20\xe2\xc7\x36\x2a\xeb\x00\x31\xf4\x87\x7b\x63\x3b\xe1\xbe\xd3\x6f\x5d\x7b\xa2\x4d\x01\x48\xf8\x46\xa7\x86\xf3\x88\xe2\xab\x79\x66\x2d\x55\x9b\x86\x1a\x36\xa4\xce\x60\xdc\xeb\x5f\xdb\x9f\x47\x93\x58\xfd\x84\xa5\xc7\xf1\x02\xf7\x5b\x81\x43\xd3\x62\x6f\xff\xa5\x46\x9c\x22\x07\x2a\x97\xd6\x3f\xf9\xe0\x66\x7c\x2f\x2d\xb4\x1c\xd0\x3e\x5d\x43\x91\x4b\xb5\x90\xbb\x1f\x11\xf4\xc3\x53\x3b\xcc\x47\xff\xc9\x9e\xed\xf6\x77\xc9\xd6\x46\xc6\x0f\x99\x39\x89\x15\x89\x1a\xb6\x71\x97\xdd\xbd\xc1\x1e\x03\xda\xf0\x31\x39\xce\xad\xaf\x99\x22\x68\x75\x16\x3f\x11\xc2\x90\x27\xf6\xec\x6e\xe6\x47\xc9\xbb\x1f\x76\x95\xf1\xf2\x91\x8a\x32\x85\xa1\x3e\xad\xb7\x3d\x3e\x94\xcb\x0d\xbf\x92\x73\xf7\x5e\x1a\x8b\x39\x1c\xc6\xe4\xc1\x4e\xd5\x68\x3c\x27\x56\xc7\xb3\x3d\x84\x35\x1e\x1c\xe0\xba\x7b\x02\xe2\x30\x5d\xe6\x5b\x29\x45\x6b\x5c\x55\x34\x46\x47\xc7\xb0\xb1\x6c\xd8\x36\xdb\xa2\x71\x1a\x4c\xc9\x77\x38\x26\x7c\x46\x2c\x85\xfa\xd6\x08\xa8\x16\x12\xd7\xf8\x9a\x7f\xe6\x63\xbd\x06\x43\x54\xa8\x0f\x8b\xe0\x16\x5d\xf5\xd9\xba\xe1\xc6\x9e\xa5\x69\x62\xb1\x11\x22\x0c\xdc\x13\x6a\xda\x90\xbb\x13\x15\xf8\x65\xca\xff\x1e\x25\x26\xac\xd2\xef\x4c\x36\xa7\x0f\x26\x60\x88\xd7\xd3\x48\xe5\x61\x13\x29\x7
1\x66\x8e\x91\xa8\x90\x04\x08\x5a\x5b\x09\x2f\x8e\x28\x42\x3d\x16\xb7\x49\xcd\xcb\xf9\x2a\x43\x65\xe4\x68\xdd\x67\xbe\x24\x1e\x5d\xea\x70\x5b\x60\x6b\x28\x09\x9a\x5d\x3d\x46\xa0\x76\x20\xfc\x4f\x73\x1e\x3d\x36\x05\xde\xbe\x68\x70\x42\xca\xc9\x37\x42\x73\x67\xc3\x5b\x54\x6a\xf2\xdf\xc0\x94\xa7\x21\xdc\x7f\xd1\x3d\xf6\x8e\x9a\x79\x9e\xcb\x10\x7c\x90\x8b\xac\x9f\x8c\x44\x30\xcc\x10\xc6\x29\x9c\x79\x4d\x02\x8d\x51\x6c\x3e\xf3\xf7\x7f\x9f\x64\x20\x16\x60\x94\x9b\x5e\xe2\x9a\x58\x94\xd7\x38\xfa\x4e\x4b\xcd\xda\x88\xfe\x12\xbc\xff\xe8\x5d\xa7\xb1\x0d\x02\xc8\x09\x22\xf3\x90\x71\x34\xfe\x64\x60\x55\x08\xb6\xcb\xe3\x5e\x97\xf1\x2f\x1b\xb1\x5f\xce\x6f\xac\x0b\x0b\xbe\xd6\x21\x83\xba\x88\xb8\x41\x3c\x69\x2c\x1d\x46\x53\x76\x14\x6a\x5a\xc6\x9e\x0f\x10\x45\x0f\x04\xc8\xb6\xf3\xc9\x0c\x58\xac\x33\x60\x4a\xa8\x11\xa9\xb7\x4e\xbb\xd0\x7b\x06\x84\xc5\x1a\x55\x30\x06\xda\x57\xf4\xdf\x29\xdf\x30\xa6\x46\x22\x26\x6b\x3e\xc0\x6c\x43\x5d\x65\x05\x21\xf3\xea\x72\x5a\x3c\x8c\x12\x8c\x73\xf0\xd3\x44\x7d\xd1\xa8\x5b\x10\xa0\x61\xe9\xac\x44\x69\xbd\x8e\xad\x5b\x59\xcc\x63\x9b\x81\x7e\x67\xd9\x0c\xcd\x77\x3e\x22\x4a\xeb\x67\xdd\x26\x36\x91\x74\x36\xb7\x64\x75\xd8\xe0\x25\x5c\xf7\xd1\x4f\x28\x36\xa5\x0d\x23\xfb\x11\xb3\x84\x35\x48\xb3\xa5\x2d\x8f\xa1\x0c\xa8\xc9\x7e\x1f\x0e\xd7\xa0\x0c\xfc\x80\x67\xa5\xb9\x9a\x41\xc0\x7d\x3c\xe0\xa0\x45\x6b\x84\x43\xbb\x5f\x09\x03\xdb\x5e\x7b\xc1\x6b\x0d\x0d\x4f\x32\x1a\x57\x57\x2d\x33\x68\xd9\x7a\xb7\x70\x58\x30\xd2\x3f\xf7\x8a\xc8\xd6\x94\x02\xc9\x20\xf7\xfb\x91\xd6\xef\xc1\x6c\xe4\x39\x93\xa1\xa6\x8e\xb8\xed\xa0\x8d\x7c\xc5\x5f\xca\x85\x49\xf4\x08\x39\xac\x8e\x5e\x26\x3e\x8f\xcd\xdb\x10\xdd\x20\xfb\xed\xd9\x49\xc8\xd3\xc1\xe1\x86\xe9\xfd\xd5\xaa\x27\x65\xa1\xef\x54\xf9\xe8\xb2\xa7\xa0\xb3\x8f\x1c\x8f\x8d\xaf\xe5\xfc\xef\x0f\xf0\x31\x69\x21\xdb\xaa\xb2\x7f\x6b\x2e\x09\xe4\x9d\x0a\x56\xc9\xad\xe5\xd8\xcb\x65\x86\x99\xba\xa9\x84\x54\x3f\xde\x4e\x72\x0e\x02\xe5\x50\x3e\x83\x5c\x7a\x63\xef\xfe\xe3\xdf\xa5\x8e\x4c\xcd\xbe\x19\x43\xb5\x92\x1b\x58\xfd\x0e\xd6\x64\xe
f\x73\xdf\x89\x23\x18\xe1\x07\x03\x23\x48\x59\xb5\x65\xd1\x7d\xe8\xc9\x25\x19\x8b\x44\x81\x59\xc8\xe8\xd7\x3c\x8b\x1e\x5e\xb6\x87\x05\xe5\x82\xd5\x12\x8f\x20\x7b\x54\x6f\x81\x22\xe0\x4e\x37\xbc\xc9\xd1\xca\x9b\x2c\x7a\xe5\x1d\x45\x42\x44\x8b\x36\xd6\xff\x16\xd9\x98\xee\xce\x9f\x07\xbe\x34\x1d\x1d\x8f\x98\x9f\x23\x44\x60\x40\xa4\x99\x72\x72\xc9\x9d\x45\x34\x83\x72\xfc\x49\xb7\x0f\xb5\xe0\xfa\xca\x97\x51\x84\xc6\x02\x59\x95\xf6\xaa\x49\xf1\xb2\x93\xdf\x66\xd5\x1d\x75\x3d\x9c\x77\x75\x57\x6d\x0e\x77\x01\x34\xd3\xa4\xfb\xd5\x3c\x99\xb0\xa7\xb6\xaf\xe7\x33\x7f\x73\x24\x81\x63\x23\x9a\x71\x4d\xfe\xb2\x85\xb0\xb4\x9e\xf6\x02\xd6\x2a\xd6\x93\x5a\x83\xc8\x3b\xc8\x14\xbd\x40\x7b\x1f\xf5\x22\x82\x92\xf9\xbf\xbb\xd0\x71\xc8\x1d\xc9\x59\x1a\x05\xc9\x50\x7b\xff\x87\xc9\xe5\x27\xb8\xf1\x4e\x8e\xe1\x3d\x18\x7e\xb8\x67\xdc\x2c\x95\xdd\x90\x3c\x37\x69\x2d\x03\xe7\xb0\x09\x85\xfb\xc1\x13\x13\x07\x8d\xec\x7f\xf6\x9f\x2e\x01\xa8\x34\x23\x99\x40\x0f\x98\xcc\x66\x83\x3d\x9c\x85\xff\x7f\x10\xcb\xef\x73\x32\x13\xcd\xae\x61\x54\x5f\x39\xe8\x5c\x59\x30\x2b\x56\x0a\x72\xd0\x43\x7b\x26\x6c\xba\xe1\x6f\xad\x4a\x00\x0d\xde\xa1\x99\x49\x40\x8c\x74\x77\xfc\xb9\x48\x91\x53\x23\xeb\xb7\x9a\x55\xc7\x69\xcc\xb1\x8e\x2f\x55\x2a\xb7\x63\xba\x65\x30\x2a\xe7\xbc\x47\x6e\x36\x25\xeb\x88\xa7\xa6\x69\x8c\xec\xcf\xac\x22\x90\x0c\xa3\xc4\x4d\xec\x88\x66\xb2\xa1\x14\xc0\x83\x1c\xf6\x53\xd4\xc1\xfb\xa9\xa7\x78\x5a\x1c\xaa\x2b\x97\x34\x33\x84\x22\x6b\x1a\xce\xd9\x3d\xa7\x1d\x30\xb6\x65\x06\x45\xbc\x11\x3a\xc6\x2d\x32\xd2\x03\x2d\xdb\x65\x62\x6e\xe8\x6c\x3b\x9d\xfb\xbd\x8d\x0c\xae\xea\x74\x53\xdb\xea\x30\x4e\x34\xd3\xf8\x05\x22\xcd\x31\x7b\x49\xbc\xab\xb8\x69\x33\x1c\x7c\x32\x18\x52\x10\x04\x30\x42\x3b\xcb\x1e\xc1\x5c\x50\xc1\x9b\x76\x6a\x7c\xe4\x71\xd5\x1b\x01\x04\x1b\x68\x5a\x29\xc4\xbf\xdb\x55\x2c\x86\x6d\x58\x3b\x7c\x3c\x7f\xd5\x6c\xfc\x73\x72\x5d\xf7\x84\xe4\xd9\x02\x81\x56\x7f\xe8\xc3\x8d\x86\x6b\x06\xef\x13\xbb\x30\xfd\x23\x90\x6e\x66\x2c\xf9\xd5\x11\x3d\x7b\x52\xb0\x14\xb4\xae\xb3\xa1\x83\x52\x4b\x49\x7b\xe
9\x22\x0a\xe1\xe0\xb2\xf7\x67\x4d\x27\x99\x42\x94\x1b\xbd\x81\xed\x59\x5a\x93\xc2\x34\x13\x99\xb6\xac\x36\xff\x86\x9f\x89\x4c\xae\x29\x13\x08\xb2\x12\x84\xd3\x98\xb5\xfa\x6a\xc7\x6b\x9d\x59\xf0\x3e\x48\xc2\x75\xf4\xf2\x0c\xe0\xa5\x05\x9d\xe6\x9c\xa9\xec\x99\x9d\x73\x20\x2d\xef\x66\x6b\x37\xb3\xa9\x6a\x95\xb1\x2c\x74\x33\x10\x38\xfa\xca\xca\xb1\x88\xda\x87\x8a\x86\x0e\x1b\x39\x9d\x6b\x3b\xd3\xc1\x36\xe0\xa5\xe9\x96\x3c\x16\x91\x88\x9f\x0d\x40\x0f\x34\xdc\xc5\x1e\xf1\x00\x2e\xbf\xee\x28\x14\x60\x5a\x4d\x10\x67\xed\x73\x96\xc1\x15\xe3\xa9\x4f\x15\x1c\x8e\x4a\xa2\x93\x0f\xd8\xbc\x53\x4d\x57\x9d\x5d\x88\x43\xbd\x20\x29\x05\x6f\xc5\x58\xb9\x86\x94\x08\xb9\x95\x1f\x75\x67\x24\x33\xea\xd1\x9e\x10\x9c\xd1\x83\x08\xf1\xc9\xd6\xf9\xcc\xbc\x9f\x76\x79\x93\xb5\x9e\xa2\xb5\x04\x68\x64\xf5\xe0\xc3\xbd\xe4\x2e\x79\x32\xc5\x6b\x9f\xb2\x52\x89\xe1\x6a\xb3\xbe\xbb\x69\x25\x47\xde\x1a\x4d\xbe\x11\x9a\xb2\xbd\x71\xe4\x71\xcb\xdf\x6c\x6e\x85\x19\xac\xa7\x7c\x2c\xbb\x82\x73\x34\x3c\x1b\xed\x23\x92\x2e\x55\x7f\x87\xb4\x08\xd8\x7a\xf7\x88\x96\xed\x30\xf0\xa6\x17\x8a\xd9\x8a\x34\xde\xd6\x14\x84\x43\xfd\xdf\x4a\x5c\x00\xa8\x1a\xe9\xdf\x21\x59\xfd\x65\x8c\x85\x9f\xb6\xb2\x74\x98\x8c\x84\x8f\x99\x3e\x76\x1c\x26\x3e\x90\xd7\xdb\x8f\x66\x2c\x87\x6b\x7a\x61\xff\x2d\x93\x8b\xa7\xfe\xd4\xcb\x5c\xd8\xee\x51\x48\x70\xb5\x05\x20\xe7\x33\xf2\x1c\xdc\x3b\xd7\xed\x41\xd2\x97\xb9\x6d\xfe\xff\x37\x9d\x37\xe6\x07\x1b\xb1\xac\x84\xfe\xff\xab\x2c\xdd\x98\x5f\xea\x2f\xe6\xc4\x6e\x6b\x75\x69\xc8\xc2\x45\x45\x91\x79\x5c\xcc\x56\x51\x1d\x85\x3f\xd2\xa0\x1a\x1e\xb0\xce\x25\x05\xab\x65\x78\x2b\x78\x36\xba\x67\x84\x45\x05\xaa\xbc\xb5\xdc\x63\x72\xa3\x13\xfe\x7a\xcc\x7f\x48\xb0\xd2\xbe\xf7\x94\x03\xc2\x83\x7d\x88\xe5\x2f\xe9\x26\xad\x16\xd5\x1b\xe7\xe8\xc6\x2a\x59\x55\xa6\x1e\x85\x27\x08\x39\xf3\x6e\xee\x94\x63\x70\x92\x7e\xb1\x98\x41\x30\x16\x77\xe8\x37\xab\xac\x18\xd7\x09\xbc\x84\xdd\xa6\x0b\x12\x10\x7a\x23\xeb\x73\x35\x43\xff\x32\xcc\xe5\x24\x8d\x0f\x46\x19\x21\x29\x52\x91\x83\x7c\x15\x0a\x4c\x1d\x48\x9d\x31\xc5\xb
f\x5b\xfc\x2d\xa1\x42\x7e\x1e\xce\x74\xae\xa7\x05\x3f\x1f\xed\xa6\x4f\x09\x9f\xc4\x47\xa7\x90\x8c\xe4\x4b\x13\x46\x15\x49\xf2\x3e\xf1\x8c\x1d\x81\x07\xbe\xfb\x09\xf9\xd7\x19\xa0\xac\x57\x08\x0f\x1c\xdb\xfd\x46\x70\x4d\x79\x94\x7a\xa1\x0c\x5b\x0b\xb2\x26\xe7\xf6\x83\x09\x74\x72\x40\xf7\x73\xa6\x27\x53\x65\x61\xfb\x6c\x1c\x9b\x26\xaa\x5e\x23\xbe\x01\xf2\xd3\xf7\xaa\xdc\x99\x54\x40\x01\x5d\x25\x64\xb9\xc1\x6b\x85\x3d\x66\x57\x24\xf9\xf7\x22\xb3\x4a\xb1\xd4\x4c\x27\xd0\xe0\xcb\x01\xc4\x9d\x9e\x05\xde\x91\xc2\xe0\x40\x76\x4f\x0c\x21\x2e\x6d\x63\xf7\xb7\x24\x93\xdc\xcb\xf8\x58\x16\x4c\xf4\x81\x51\xbb\xe4\xf1\xdc\x2c\x91\x58\x66\x73\x43\x1a\xf7\xb8\x46\x1d\x30\x16\x1c\x56\x11\x70\xdf\xa3\x1e\xdd\xe2\xcc\xc9\xdd\xdb\xc7\xa8\xe4\x62\x31\x75\x24\x05\xcf\x30\x8e\xcd\x8d\x35\x05\x63\x6d\xba\x70\x35\xc9\x4f\x72\x86\x23\xbb\x87\x60\x3a\xfb\x90\xb5\xc2\x3e\x9a\xc1\x93\x7b\x2e\xa3\x98\x4d\x57\x9d\xa2\x99\x70\xef\x04\x9f\xfd\x97\x05\xfa\x28\x3e\xf6\x2f\x1a\x9f\xbb\xef\xbc\x5f\x8f\x3f\x79\xbd\xd8\xd7\x0f\x0a\x89\x39\x72\xe5\xac\xa3\xa1\x64\xe6\x72\xba\x88\xeb\xdb\x62\x06\xa4\xdd\xa5\xeb\x5a\xdf\xd1\x63\x52\xd4\x2c\x4f\xbd\xdf\x11\x7f\x2b\x0d\x30\xe8\xc3\x9f\x1b\xc6\x3f\x3b\xc0\x3b\x45\x2a\x87\x01\x17\xaf\x7a\x3f\xd3\x01\xaf\x71\x4b\xfa\x39\x83\x67\xa9\xac\x2a\xa3\x81\x17\x0b\xc7\xca\x86\x01\x44\x25\x8a\x9a\x38\xa6\x14\x54\xc9\xcd\xef\x24\xf1\xc6\x62\xf2\x8e\x8d\x1e\xe7\x74\x9f\x61\xa9\xc7\x9a\x9e\x16\x59\x3f\x2d\x55\x00\xde\xaa\x73\x0a\xca\x4e\xef\x32\x73\x87\x84\x31\xa8\x74\xb0\x3e\x44\xf6\x49\x5b\x52\xea\x9b\x22\xd9\x41\x7f\xb3\xf2\xcc\xbe\x2c\x48\x2a\xdd\x30\x8e\x4a\x3c\x55\xb7\x53\x2a\x4e\x64\xcf\x10\x8d\x83\x3d\x54\xab\xf3\xcf\x93\xb3\xf9\x08\x52\x63\xd2\x77\x4c\x22\x14\xdc\x62\xe3\xc6\xa7\x88\x69\x46\xb7\xbb\xb4\xd0\xfd\xd8\x2d\x50\x22\x32\xf8\x91\xe9\x5e\x20\x75\xb6\x97\x4f\xcb\xc8\x15\x79\xfe\x8e\xeb\x7e\xe2\x21\xa9\x04\xce\xdb\xbb\xab\x25\x95\xef\x93\x53\x7f\xde\xa0\x3e\xb9\x3b\x49\x68\x01\x19\xd9\x96\xc8\xe7\x06\xdf\xc4\xd9\x94\x33\x95\x4c\x53\x67\x72\x5d\x48\x08\x11\x9b\x6
8\x3b\x59\x64\x1c\x4b\xff\xd3\xfb\xab\x0c\x7e\x12\x5f\x02\xba\xd9\x5c\xbf\xc2\x6e\xab\x96\x07\x9f\x8d\xfb\xf6\x62\x35\x89\xd1\x4e\x0c\x20\xd1\x5e\x07\xc3\x4b\xcc\xce\x36\xfb\x92\x79\x65\xf9\x6c\x8c\xc8\x9b\x3e\x51\x43\x82\x12\xa9\xbe\xc9\x2a\xf4\xb5\x92\xae\x76\xe6\x6d\x53\x1d\x34\x43\x85\xf5\x56\x85\x52\xe3\x7b\xd2\x5c\xbe\x30\x7d\x83\x99\x75\x91\x4f\x30\x91\x5d\x24\xe8\xf3\xd8\x92\xc8\xa1\x9f\xa4\x84\xc3\x5d\xf1\xfb\x92\xaf\x80\xed\xf4\x03\x34\x0c\xac\xed\x5c\x22\x47\x67\xe9\xe6\x87\x45\x65\x63\xdf\xf2\x9c\xa8\x6e\x36\x58\x55\xde\x94\x05\x7b\x66\xc5\x76\xbe\xc5\xf5\xb7\xfc\x3f\x00\x43\x33\x6b\x8a\x48\x7a\xe2\x51\x9b\x8f\xf0\x12\x2e\x7a\xc2\xbf\x57\xd2\x9b\xa6\x48\x08\xdd\x3a\x20\xd2\x6e\x43\x82\xce\x7b\xb1\xfb\xd3\x47\x34\xf5\xae\x66\x25\xee\x8a\x7d\xd5\x6f", 8192); *(uint32_t*)0x20004f40 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x50; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 0x3f; *(uint32_t*)0x200023d0 = 7; *(uint32_t*)0x200023d4 = 0x22; *(uint32_t*)0x200023d8 = 0x8001; *(uint32_t*)0x200023dc = 0x1040000; *(uint16_t*)0x200023e0 = 8; *(uint16_t*)0x200023e2 = 0xf6e1; *(uint32_t*)0x200023e4 = 8; *(uint32_t*)0x200023e8 = 9; *(uint16_t*)0x200023ec = 0; *(uint16_t*)0x200023ee = 0; memset((void*)0x200023f0, 0, 32); *(uint32_t*)0x20004f44 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 9; *(uint64_t*)0x20002450 = 0x40d; *(uint32_t*)0x20004f48 = 0x20002480; *(uint32_t*)0x20002480 = 0x18; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 7; *(uint64_t*)0x20002490 = 7; *(uint32_t*)0x20004f4c = 0x200024c0; *(uint32_t*)0x200024c0 = 0x18; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 0xffff; *(uint32_t*)0x200024d0 = 8; *(uint32_t*)0x200024d4 = 0; *(uint32_t*)0x20004f50 = 0x20002500; *(uint32_t*)0x20002500 = 0x18; *(uint32_t*)0x20002504 = 0; *(uint64_t*)0x20002508 = 0xce0; *(uint32_t*)0x20002510 = 0x1c; *(uint32_t*)0x20002514 = 0; *(uint32_t*)0x20004f54 = 0x20002540; *(uint32_t*)0x20002540 = 0x28; 
*(uint32_t*)0x20002544 = 0; *(uint64_t*)0x20002548 = 1; *(uint64_t*)0x20002550 = 0x100; *(uint64_t*)0x20002558 = 5; *(uint32_t*)0x20002560 = 2; *(uint32_t*)0x20002564 = r[6]; *(uint32_t*)0x20004f58 = 0x20002580; *(uint32_t*)0x20002580 = 0x60; *(uint32_t*)0x20002584 = 0xfffffffe; *(uint64_t*)0x20002588 = 8; *(uint64_t*)0x20002590 = 0xcd95; *(uint64_t*)0x20002598 = 0x1f; *(uint64_t*)0x200025a0 = 7; *(uint64_t*)0x200025a8 = 0x48; *(uint64_t*)0x200025b0 = 0xaac5; *(uint32_t*)0x200025b8 = 6; *(uint32_t*)0x200025bc = 0xad; *(uint32_t*)0x200025c0 = 5; *(uint32_t*)0x200025c4 = 0; memset((void*)0x200025c8, 0, 24); *(uint32_t*)0x20004f5c = 0x20002600; *(uint32_t*)0x20002600 = 0x18; *(uint32_t*)0x20002604 = 0xfffffff5; *(uint64_t*)0x20002608 = 9; *(uint32_t*)0x20002610 = 9; *(uint32_t*)0x20002614 = 0; *(uint32_t*)0x20004f60 = 0x20002640; *(uint32_t*)0x20002640 = 0x11; *(uint32_t*)0x20002644 = 0; *(uint64_t*)0x20002648 = 0; memset((void*)0x20002650, 0, 1); *(uint32_t*)0x20004f64 = 0x20002680; *(uint32_t*)0x20002680 = 0x20; *(uint32_t*)0x20002684 = 0; *(uint64_t*)0x20002688 = 0x10000; *(uint64_t*)0x20002690 = 0; *(uint32_t*)0x20002698 = 0; *(uint32_t*)0x2000269c = 0; *(uint32_t*)0x20004f68 = 0x20002780; *(uint32_t*)0x20002780 = 0x78; *(uint32_t*)0x20002784 = 0; *(uint64_t*)0x20002788 = 9; *(uint64_t*)0x20002790 = 3; *(uint32_t*)0x20002798 = 0; *(uint32_t*)0x2000279c = 0; *(uint64_t*)0x200027a0 = 6; *(uint64_t*)0x200027a8 = 0; *(uint64_t*)0x200027b0 = 0xfffffffffffff20d; *(uint64_t*)0x200027b8 = 0xfffffffffffffff8; *(uint64_t*)0x200027c0 = 1; *(uint64_t*)0x200027c8 = 0x3ff; *(uint32_t*)0x200027d0 = 5; *(uint32_t*)0x200027d4 = 9; *(uint32_t*)0x200027d8 = 0x726; *(uint32_t*)0x200027dc = 0x1000; *(uint32_t*)0x200027e0 = 6; *(uint32_t*)0x200027e4 = r[7]; *(uint32_t*)0x200027e8 = 0xee01; *(uint32_t*)0x200027ec = 7; *(uint32_t*)0x200027f0 = 7; *(uint32_t*)0x200027f4 = 0; *(uint32_t*)0x20004f6c = 0x200028c0; *(uint32_t*)0x200028c0 = 0x90; *(uint32_t*)0x200028c4 = 0; 
*(uint64_t*)0x200028c8 = 3; *(uint64_t*)0x200028d0 = 2; *(uint64_t*)0x200028d8 = 2; *(uint64_t*)0x200028e0 = 0x100000000; *(uint64_t*)0x200028e8 = 0x61a26b8d; *(uint32_t*)0x200028f0 = 6; *(uint32_t*)0x200028f4 = 2; *(uint64_t*)0x200028f8 = 1; *(uint64_t*)0x20002900 = 3; *(uint64_t*)0x20002908 = 1; *(uint64_t*)0x20002910 = 0x100000000; *(uint64_t*)0x20002918 = 3; *(uint64_t*)0x20002920 = 0x8f; *(uint32_t*)0x20002928 = 4; *(uint32_t*)0x2000292c = 0x1ff; *(uint32_t*)0x20002930 = 0x849; *(uint32_t*)0x20002934 = 0x1000; *(uint32_t*)0x20002938 = 7; *(uint32_t*)0x2000293c = r[8]; *(uint32_t*)0x20002940 = -1; *(uint32_t*)0x20002944 = 5; *(uint32_t*)0x20002948 = 0x1f; *(uint32_t*)0x2000294c = 0; *(uint32_t*)0x20004f70 = 0x20002980; *(uint32_t*)0x20002980 = 0x130; *(uint32_t*)0x20002984 = 0; *(uint64_t*)0x20002988 = 0xa00000000000; *(uint64_t*)0x20002990 = 4; *(uint64_t*)0x20002998 = 1; *(uint32_t*)0x200029a0 = 6; *(uint32_t*)0x200029a4 = 9; memset((void*)0x200029a8, 1, 6); *(uint64_t*)0x200029b0 = 6; *(uint64_t*)0x200029b8 = 1; *(uint32_t*)0x200029c0 = 5; *(uint32_t*)0x200029c4 = 0xfffffffe; memset((void*)0x200029c8, 170, 5); *(uint64_t*)0x200029d0 = 1; *(uint64_t*)0x200029d8 = 0x1ff; *(uint32_t*)0x200029e0 = 3; *(uint32_t*)0x200029e4 = 7; memcpy((void*)0x200029e8, "{#-", 3); *(uint64_t*)0x200029f0 = 5; *(uint64_t*)0x200029f8 = 0; *(uint32_t*)0x20002a00 = 2; *(uint32_t*)0x20002a04 = 0x761; memcpy((void*)0x20002a08, "[#", 2); *(uint64_t*)0x20002a10 = 3; *(uint64_t*)0x20002a18 = 0; *(uint32_t*)0x20002a20 = 2; *(uint32_t*)0x20002a24 = 6; memcpy((void*)0x20002a28, "#]", 2); *(uint64_t*)0x20002a30 = 1; *(uint64_t*)0x20002a38 = 0x714; *(uint32_t*)0x20002a40 = 5; *(uint32_t*)0x20002a44 = 3; memcpy((void*)0x20002a48, "*^\\^b", 5); *(uint64_t*)0x20002a50 = 5; *(uint64_t*)0x20002a58 = 0xeb68; *(uint32_t*)0x20002a60 = 4; *(uint32_t*)0x20002a64 = 0xfffffa80; memcpy((void*)0x20002a68, "--$-", 4); *(uint64_t*)0x20002a70 = 6; *(uint64_t*)0x20002a78 = 0xfffffffffffffeff; 
*(uint32_t*)0x20002a80 = 1; *(uint32_t*)0x20002a84 = 1; memset((void*)0x20002a88, 45, 1); *(uint64_t*)0x20002a90 = 1; *(uint64_t*)0x20002a98 = 8; *(uint32_t*)0x20002aa0 = 3; *(uint32_t*)0x20002aa4 = 0xf2; memcpy((void*)0x20002aa8, "!\\{", 3); *(uint32_t*)0x20004f74 = 0x20004c40; *(uint32_t*)0x20004c40 = 0xb0; *(uint32_t*)0x20004c44 = 0; *(uint64_t*)0x20004c48 = 0xcf; *(uint64_t*)0x20004c50 = 1; *(uint64_t*)0x20004c58 = 1; *(uint64_t*)0x20004c60 = 3; *(uint64_t*)0x20004c68 = 0x100000000; *(uint32_t*)0x20004c70 = 4; *(uint32_t*)0x20004c74 = 0x81; *(uint64_t*)0x20004c78 = 5; *(uint64_t*)0x20004c80 = 0x7f; *(uint64_t*)0x20004c88 = 5; *(uint64_t*)0x20004c90 = 6; *(uint64_t*)0x20004c98 = 0xffff; *(uint64_t*)0x20004ca0 = 3; *(uint32_t*)0x20004ca8 = 0x1f; *(uint32_t*)0x20004cac = 3; *(uint32_t*)0x20004cb0 = 8; *(uint32_t*)0x20004cb4 = 0xc000; *(uint32_t*)0x20004cb8 = 0xf5c8; *(uint32_t*)0x20004cbc = r[10]; *(uint32_t*)0x20004cc0 = r[11]; *(uint32_t*)0x20004cc4 = 2; *(uint32_t*)0x20004cc8 = 9; *(uint32_t*)0x20004ccc = 0; *(uint64_t*)0x20004cd0 = 4; *(uint64_t*)0x20004cd8 = 0x80; *(uint32_t*)0x20004ce0 = 5; *(uint32_t*)0x20004ce4 = 2; memset((void*)0x20004ce8, 170, 5); *(uint32_t*)0x20004f78 = 0x20004e40; *(uint32_t*)0x20004e40 = 0xa0; *(uint32_t*)0x20004e44 = 0; *(uint64_t*)0x20004e48 = 0x400; *(uint64_t*)0x20004e50 = 6; *(uint64_t*)0x20004e58 = 2; *(uint64_t*)0x20004e60 = 0x400; *(uint64_t*)0x20004e68 = 7; *(uint32_t*)0x20004e70 = 4; *(uint32_t*)0x20004e74 = 9; *(uint64_t*)0x20004e78 = 4; *(uint64_t*)0x20004e80 = 0x1000; *(uint64_t*)0x20004e88 = 0xffff; *(uint64_t*)0x20004e90 = 6; *(uint64_t*)0x20004e98 = 1; *(uint64_t*)0x20004ea0 = 0xffff; *(uint32_t*)0x20004ea8 = 0x65f; *(uint32_t*)0x20004eac = 0x647c2b8f; *(uint32_t*)0x20004eb0 = 0x400; *(uint32_t*)0x20004eb4 = 0x8000; *(uint32_t*)0x20004eb8 = 8; *(uint32_t*)0x20004ebc = r[12]; *(uint32_t*)0x20004ec0 = r[13]; *(uint32_t*)0x20004ec4 = 3; *(uint32_t*)0x20004ec8 = 0x6b; *(uint32_t*)0x20004ecc = 0; *(uint64_t*)0x20004ed0 = 
0; *(uint32_t*)0x20004ed8 = 0xd; *(uint32_t*)0x20004edc = 0; *(uint32_t*)0x20004f7c = 0x20004f00; *(uint32_t*)0x20004f00 = 0x20; *(uint32_t*)0x20004f04 = 0; *(uint64_t*)0x20004f08 = 0x800; *(uint32_t*)0x20004f10 = 0; *(uint32_t*)0x20004f14 = 0; *(uint32_t*)0x20004f18 = 0x10001; *(uint32_t*)0x20004f1c = 0; syz_fuse_handle_req(r[5], 0x200003c0, 0x2000, 0x20004f40); break; case 23: memcpy((void*)0x20004f80, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004f80, r[5]); break; case 24: syz_init_net_socket(0x24, 2, 0); break; case 25: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[14] = res; break; case 26: *(uint32_t*)0x20004fc4 = 0x5004; *(uint32_t*)0x20004fc8 = 0; *(uint32_t*)0x20004fcc = 1; *(uint32_t*)0x20004fd0 = 0x1de; *(uint32_t*)0x20004fd8 = r[14]; memset((void*)0x20004fdc, 0, 12); res = -1; res = syz_io_uring_setup(0x343, 0x20004fc0, 0x20ffc000, 0x20ffb000, 0x20005040, 0x20005080); if (res != -1) { r[15] = *(uint64_t*)0x20005040; r[16] = *(uint64_t*)0x20005080; } break; case 27: memcpy((void*)0x200050c0, "/dev/uinput\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 2, 0); if (res != -1) r[17] = res; break; case 28: memcpy((void*)0x20005100, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0x488200, 0); if (res != -1) r[18] = res; break; case 29: *(uint8_t*)0x20005140 = 0x1e; *(uint8_t*)0x20005141 = 3; *(uint16_t*)0x20005142 = 0; *(uint32_t*)0x20005144 = r[14]; *(uint64_t*)0x20005148 = 0x200; *(uint32_t*)0x20005150 = 0; *(uint32_t*)0x20005154 = r[17]; *(uint32_t*)0x20005158 = 6; *(uint32_t*)0x2000515c = 1; *(uint64_t*)0x20005160 = 0; *(uint16_t*)0x20005168 = 0; *(uint16_t*)0x2000516a = 0; *(uint32_t*)0x2000516c = r[18]; memset((void*)0x20005170, 0, 16); syz_io_uring_submit(r[15], r[16], 0x20005140, 0x3dd1); break; case 30: memcpy((void*)0x20005180, "/dev/keychord\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x20005180, 0x171000, 0); if (res != -1) r[19] = res; break; case 31: 
memcpy((void*)0x200051c0, "/dev/ubi_ctrl\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x200051c0, 0x10400, 0); if (res != -1) r[20] = res; break; case 32: *(uint32_t*)0x20005240 = 0; *(uint32_t*)0x20005244 = 0x20005200; memcpy((void*)0x20005200, "\x46\x23\xd8\xa4\xce\x02\x17\xc9\xe5\x95\x55\xc1\x66\x89\x06\x79\xe3\xe0\xc1\x94\x0d\xf5\xb9\xfc\xbf\x91\x64\x9e\xf5\x4d\x80\xf0\xc8\xbc\xc8\x0e\x36\xb5\x57\x4c\x4b\xc9\xf9\x43\x40\x18\x54\xf5\x6a\xa2", 50); *(uint32_t*)0x20005248 = 0x32; *(uint64_t*)0x20005280 = 1; *(uint64_t*)0x20005288 = 0; syz_kvm_setup_cpu(r[19], r[20], 0x20fe8000, 0x20005240, 1, 0, 0x20005280, 1); break; case 33: res = syscall(__NR_mmap, 0x20ffc000, 0x2000, 0x1000000, 0x8000, (intptr_t)r[18], 0); if (res != -1) r[21] = res; break; case 34: *(uint32_t*)0x200052c0 = 1; syz_memcpy_off(r[21], 0x114, 0x200052c0, 0, 4); break; case 35: memcpy((void*)0x20005300, "adfs\000", 5); memcpy((void*)0x20005340, "./file0\000", 8); *(uint32_t*)0x20005540 = 0x20005380; memcpy((void*)0x20005380, "\x87\x35\x19\xf2\x5d\xf0\x82\xb3\x71\xba\x5b\x45\xad\xb5\x70\x9c\x00\x80\x57\x47\xc3\x7f\xe0\x44\x06\x45\x95\xcd\x47\x28\xbf\x89\x80\x30\x2b\x25\xb4\xb0\x83\xb4\x2b\x41\x33\x6e\x13\x0f\x1b\x6f\xf0\xa2\xf1\x72\x49\x8e\x52\x2b\x4f\xe5\x82\x6e\xab\xab\xf5\x3a\x98\x52\xf9\x3e\xbe\xb8\x41\xe1\x64\x5f\x32\x93\x61\x27\x02\x9d\x68\xfe\x73\xec\xed\x89\xc1\xb9\x35\x87\x01\x2a\x47\xc4\x2a\x58\x3d\x69\x75\x59\x2b\x3f\x2c\xdf\x43\x37\xfc\x6d\x5e\x85\xe5\xf5\x83\x5f\xaf\xe0\x95\x93\x5e\xc9\x04\x84\xe9\x08\x1a\xa8\xd2\x24\x98\x43\x13\x01\xba\xad\x4a\x34\x36\x8c\x26\xc6\x4d\x85\x32\x6c\x7e\x00\x68\x21\x78\xf8\xd1\x3e\x6a\x89\x69\xf1\x5b\x9d\x5d\xbc\xfe\xc2\xc0\xe6\x96\x80\xc3\x92\x8c\xa0\x15\xb9\x2e\x25\xf5\x07\x8d\xe3\x54\xfe\x32\xcc\x71\x21\x60\x9a\x07\x62\xe1\xb7\x3e\xfd\x89\x67\xa2\xfe\x23\x5e\x4d\x1e\xf9\xe5\xac\x88\xbc\x1e\xd7\x06\xa9\x84\x64\x1b\x06\x47\x0b\x22\x94\xd0\x45\xce\x7e\xba\x51\xc0\x72\x89\x38\xa2\xc6\xee\xb6\xd8\x57\x44\x29\xcc\x24\xbc\xb2\xa7\x84", 241); 
*(uint32_t*)0x20005544 = 0xf1; *(uint32_t*)0x20005548 = 0x40; *(uint32_t*)0x2000554c = 0x20005480; memcpy((void*)0x20005480, "\x62\x93\x5b\xfe\x26\xe9\xc9\xf2\xdc\x3c\x3e\x9d\xfb\x49\x18\x58\xef\xb5\x98\x36\x9b\xcc\xa5\x19\x23\x98\x9b\xa9\x43\xcf\x44\x7b\xaf\x56\x62\x5d\xf0\xf6\x85\xed\x2d\x03\x4b\x37\xc0\x75\x63\xf6\x68\x72\x8f\x6d\xc6\x83\x36\x09\xb1\x22\x19\x70\xe5\x50\x88\x86\x9d\x29\xc0\x1b\x2d\xd0\x5c\x48\x20\xb0\x80\x42\xb5\x07\x40\x08\xc9\x75\x77\x12\xc4\x80\xe2\x5d\x89\xb9\xc4\x8e\x95\x7e\x5b\x5c\x7b\x0b\xec\xcf\xb1\xfc\xcc\xed\xbc\xed\xc8\x38\x06\x03\x80\x75\xfc\x2a\x0f\x82\x28\xbe\xb4\x7f\x1f\xec\xe0\x9b\xdd\xcb\xbe\x00\x21\xab\xe9\xc3\xd1\x98\x36\x9b\x81\xb6\x7d\xbd\x6a\x7d\x33\x4b\x8d\x28\xb8\x02\xcc\x97\xd9\x34\xc1\x64\xe9\x7d\x9d\x7b\x70\xdc\x6c", 161); *(uint32_t*)0x20005550 = 0xa1; *(uint32_t*)0x20005554 = 0x1ff; memset((void*)0x20005580, 170, 5); *(uint8_t*)0x20005585 = 0x2c; *(uint8_t*)0x20005586 = 0x2c; memcpy((void*)0x20005587, ":&-]!", 5); *(uint8_t*)0x2000558c = 0x2c; memset((void*)0x2000558d, 125, 1); *(uint8_t*)0x2000558e = 0x2c; memcpy((void*)0x2000558f, ",-V", 3); *(uint8_t*)0x20005592 = 0x2c; memcpy((void*)0x20005593, "\\*})", 4); *(uint8_t*)0x20005597 = 0x2c; memcpy((void*)0x20005598, "*^\\^b", 5); *(uint8_t*)0x2000559d = 0x2c; memcpy((void*)0x2000559e, "appraise", 8); *(uint8_t*)0x200055a6 = 0x2c; memcpy((void*)0x200055a7, "fowner<", 7); sprintf((char*)0x200055ae, "%020llu", (long long)r[8]); *(uint8_t*)0x200055c2 = 0x2c; memcpy((void*)0x200055c3, "smackfshat", 10); *(uint8_t*)0x200055cd = 0x3d; memset((void*)0x200055ce, 170, 5); *(uint8_t*)0x200055d3 = 0x2c; memcpy((void*)0x200055d4, "obj_type", 8); *(uint8_t*)0x200055dc = 0x3d; memset((void*)0x200055dd, 170, 5); *(uint8_t*)0x200055e2 = 0x2c; memcpy((void*)0x200055e3, "dont_appraise", 13); *(uint8_t*)0x200055f0 = 0x2c; memcpy((void*)0x200055f1, "dont_measure", 12); *(uint8_t*)0x200055fd = 0x2c; memcpy((void*)0x200055fe, "fowner<", 7); sprintf((char*)0x20005605, "%020llu", (long 
long)r[9]); *(uint8_t*)0x20005619 = 0x2c; memcpy((void*)0x2000561a, "dont_appraise", 13); *(uint8_t*)0x20005627 = 0x2c; *(uint8_t*)0x20005628 = 0; syz_mount_image(0x20005300, 0x20005340, 0xfd, 2, 0x20005540, 0x8800, 0x20005580); break; case 36: memcpy((void*)0x20005640, "/dev/i2c-#\000", 11); syz_open_dev(0x20005640, 0x40, 0x300); break; case 37: memcpy((void*)0x20005680, "net/if_inet6\000", 13); syz_open_procfs(r[6], 0x20005680); break; case 38: syz_open_pts(r[19], 0x800); break; case 39: *(uint32_t*)0x20006c40 = 0x200056c0; memcpy((void*)0x200056c0, "\x46\x41\x06\x38\xb7\xa1\x28\xc1\x5c\x6c\xb2\x7d\x23\x35\x80\x6d\xa8\x7c\x0d\x49\x15\x42\x44\x52\xcf\x0b\xa9\xee\xe0\xa5\xd4\x9d\x63\x4f\x09\x0d\xf2\x6f\x35\xbb\x04\x33\xc1\x3a\x27\x0d\xcb\x44\xcf\xe9\xba\x62\xb5\xba\x38\xd4\xae\x3c\x65\xea\xd2\x72\x7f\x1d\x2a\x5f\x02\xda\xa2\x70\xce\xa6\xf4\xf6\x09\x02\xe2\xed\xa6\x54\xb1\x6e\xc6\x63\x5a\x1c\x6c\xd1\x5d\x6b\xd6\x34\x32\x14\xb8\x34\x22\xd1\xa1\x9b\x5d\xae\x43\x9b\x9f\xbc\x3d\xb5\xc2\x18\xd4\xb0\x8a\xcf\xc9\xfc\xdb\xe5\xd4\xe6\xa5\x12\x7a\xda\xdc\xe6\x10\xd8\x15\xe8\xc6\xd8\xad\xc7\x86\x89\xea\xae\x29\xd8\x1a\x20\x04\x0a\xee\xef\x4e\xe5\x5d\x77\x01\xea\x72\x5e\x91\xb7\x4f\x5b\x37\x81\x4b\xee\xd1\x18\x54\x99\x79\xc8\xa4\x0d\x0b\x29\x09\x77\xad\xa4\xd6\x58\x74\xc7\xdc\xca\x03\x0a\x9a\x15\x50\x9b\xc2\x7e\x6e\x87\xd5\x26\x91\x24\x37\xb8\x69\x04\xf7\x42\xc9\xc1\x3c\x1e\x00\xbc\x5e\x3e\x94\x3c\x14\x30\xd1\xcc\x01\x8f\x5a\x4d\xec\xf2\x46\x02\xdb\x5b\xf2\x28\x6e\x64\xce\x75\x1d\x8d\xf1\x6f\x28\x09\x34\xfb\x08\xb6\x19\xb2\xb5\xe9\x31\x19\x5a\xd2\xf7\xc8\x7a\xe9\x56\xc6\x4a\x2f\xda\xc4\xfd\x79\x16\x11\xac\xc2\xa8\x65\xd9\x94\xea\x90\xed\x15\x85\x81\xe8\x0d\x03\x86\xb1\x53\xf1\x9f\xab\x27\x81\xb7\x2d\x1d\xe0\x03\xb1\x87\xd2\xb1\x19\x53\x42\xb3\xa0\x03\xbf\x44\x83\xb4\xd8\x90\xab\x1b\x2f\x51\xe8\xd5\x8f\x0a\x5a\xd7\x8e\x0d\xf9\xd6\x29\xc2\x2c\x2a\x32\x4a\x98\x2e\x1f\xc2\x73\x8c\x36\x0d\xb3\xa8\xba\x5e\x55\xae\x5c\x9d\x58\xf1\xc2\xf6\xbe\xd0\xb6\xde\x5b\xb4\xee\x3b\x5f\x84\x2c\xee\
xf9\x1b\x20\x56\x54\x1f\xf5\x53\x12\xee\x90\xa2\xbd\x09\x97\x06\x6c\x37\xf3\xd8\x37\x78\x95\x92\x1b\x08\x02\x15\x89\x04\x9e\xd7\xb2\x3c\xeb\xaf\x9b\x41\xd0\x8e\x75\x90\x58\xa3\x45\x2c\xb9\xdf\x2a\xee\x1d\x2b\x90\xe5\x10\xba\x9b\xc9\x48\x40\x0a\x69\xaa\x13\x83\x3d\x1b\x4c\x44\x44\x51\x29\xe0\xaf\x50\x12\xfd\x6a\x53\x41\x81\xfb\x20\x42\x68\x26\xa4\xb3\x69\x4e\x4a\x51\x81\x19\x9d\xf1\xed\x31\xde\x36\xf2\xed\x49\x21\x18\x22\xad\x91\x5d\x3b\x71\xac\xae\xcf\xf3\xc8\x4d\x4e\x3b\xb1\x9f\xba\x32\x19\xe2\x61\x45\x73\x5f\xf7\x1d\xce\xee\xee\x7a\xa2\x47\x53\x9a\xd2\x73\x11\x13\xd3\xf3\x64\x42\x6b\xe9\x00\x6e\x6b\x0e\x35\x8b\x81\xd4\x07\x45\x49\xe0\x8e\xf2\x76\x13\xa3\x71\x5e\x5e\x89\xba\x0a\x71\xe3\x99\x52\x31\xe9\x9a\xac\x5e\x4e\xe7\x07\x8f\x59\xe3\xe7\xd4\xfa\xbe\xd2\x6e\x75\x07\x41\x1f\xbe\x4b\x03\x53\x10\x62\x78\xac\x69\xf3\xb9\x1e\xc6\x9f\xa5\x42\xeb\x7c\x96\x43\x94\x06\x2f\x65\xc6\x50\x19\x7f\xbe\x73\x3c\x22\x83\x26\x73\xd0\x66\xe4\xed\x40\x07\x3b\x28\x4e\xe4\xe5\x1b\x12\x59\x36\x7d\x4e\xb9\xe1\x72\x00\x7e\x6f\xb8\x0a\x0a\x6f\xe6\x2b\x3f\x3d\x5e\x5b\x68\xfe\x04\x7e\xa4\xd6\xfb\xfa\xa3\x0a\x00\xfc\x29\xbc\x58\xa3\x1c\xfb\x82\x12\xf2\xc4\x9c\x3a\x2e\x71\x1a\xe5\x02\xbd\x64\x7b\xd5\x6b\xb7\xcf\xc1\xd8\x4d\x14\x18\x27\xbe\x21\x1b\x5f\xfb\xed\x78\x6b\xfa\x13\x13\xd2\xae\xd5\x34\xf0\x00\x19\x36\x3a\xc1\x29\x61\x2c\xa2\x5c\x76\x3b\x07\x7f\x5a\x72\x4d\x61\xfc\x79\x74\xfa\x82\x4b\xad\xc1\x40\x06\xf2\xfe\xbf\xb1\xe3\x5a\x3d\xd7\x2e\x82\x33\x4a\x26\x37\x56\xff\x42\x04\x68\x0c\xba\x1c\x03\xc5\x5e\x09\xdf\xfb\x5a\x58\xe4\xc5\x5b\x5b\xd7\xa7\x0e\xe8\x52\x59\x29\xa0\xee\x9f\x90\x91\xe3\x4b\xb8\xd2\xf0\xaf\x6d\x2a\x26\x70\xc5\x91\x18\x6b\xee\x6c\xed\xda\xb8\xe1\xfe\x8d\x4b\xe3\x97\xa5\x45\xc4\x83\xfd\x68\x4c\xd8\x12\xdf\x5e\x31\x2a\xb5\xf4\x81\x2b\x47\x84\xef\xae\xf1\xc3\xdb\xe7\x90\x94\xfb\xab\xd6\xca\x5f\x0a\x45\x46\x23\x96\xf8\x18\xa5\xc7\xbf\x61\xc8\xc3\xf4\x33\x66\xc1\x26\x5f\x46\x38\xd1\xdc\x7b\xde\x11\x46\x10\x35\xc7\xaf\x77\xe6\x84\x4c\x5d\x47\xbc\x18\x97\xdf\xab\xec\x76\x87\xed\
x25\x79\x4a\x71\xa3\xaa\x2b\xe1\x66\x57\x19\xe7\xea\xf6\x49\xbf\xaf\xfc\xea\x24\x92\xd4\x3b\xca\x7f\x03\x04\x21\x0c\xfc\xa9\x1a\x0d\xad\xf6\x6b\x7c\x3c\x6b\xaf\x8c\x50\x55\xef\x4f\x3c\x56\xaa\x03\xbb\x6e\x40\x0d\x7c\xac\xa6\x9e\x42\x43\xac\x71\xc9\x39\xcc\xf2\x73\x10\xb7\x3b\xa5\x98\x97\xe2\x02\x0c\x71\x7c\x33\xdb\x9a\x4a\x58\x29\x12\xa3\xa8\xd7\xc0\xa8\x70\xb1\x2a\x9f\x98\x2a\xaf\xd0\xcf\x15\x95\x75\x18\x9d\x8c\x26\x88\x64\x34\x22\x9f\xb0\xc7\x6c\x56\x50\x8b\x63\x8a\x25\x09\xb6\x58\x47\x72\x2a\xf1\x97\xe9\x5c\xf0\xcf\xf2\x36\x84\x48\xd4\x2a\xd6\x2d\xb2\x7f\xf0\x17\xa7\xfb\xed\x92\x3b\xef\x62\x83\x40\x87\x12\xc3\xf0\x4a\x79\x03\x38\xf4\xf8\x0c\xf4\xf3\xe9\x2f\xaa\xfa\x3b\xf6\xcf\xf5\xed\x3c\xf3\xb1\x7b\x50\x50\x75\xe1\x2b\x69\x58\xbf\x2e\x5c\xb4\x02\x41\xf6\x72\x87\x4a\x0f\x94\x0f\xd5\x7e\x82\xe9\xca\xff\x11\x3d\x67\x1d\xa2\x3d\xa3\x43\x6a\x31\x80\x0c\x2d\x34\x87\x96\x5f\x87\xc3\xf8\x25\x06\x10\xaa\xff\x78\x3d\x78\x59\x5e\x19\x26\xb7\x7e\x97\xb2\xe3\xad\x09\x08\x7a\xf9\x19\xac\xe3\xf0\x4f\xd2\x75\x88\x7b\x1f\xc8\x1e\xe2\xf5\xba\xd8\xde\x1c\xc3\x5e\xe0\xc0\x3a\xde\xed\x9a\x91\x97\xd7\xa8\xfa\x5d\xb5\x9d\xc5\x00\xa9\x4b\xd1\x84\xa2\xa8\x0d\x97\x04\x79\x7e\x76\xbc\x0f\xc4\x3e\xd5\x72\x96\x14\x3d\xc9\xd8\x58\xb1\x4a\x7b\xdf\xb4\x18\x19\x7f\x09\x74\xb6\xee\xe2\x99\x95\x80\x51\xb1\xd4\x14\xab\x12\x6c\xef\x5b\xc3\x6a\xe4\x05\x5c\x4f\x19\xe7\xe0\x1d\x20\x92\xd9\x9f\x1d\x2a\x5a\x56\x61\x4f\xed\xf4\x81\xd5\x78\xcb\x85\x1a\xd7\x3e\x18\x29\xbc\x35\x0f\x7e\x56\xee\x0d\x2e\x71\xfe\x73\x1c\x1b\x30\xfd\x84\x5f\xd8\x2c\xa0\xac\xf0\x29\xaf\xf4\xa7\x5e\x0d\x38\xfb\x7a\xf5\x82\xa1\x9c\x0c\x7d\xeb\x19\x54\x4b\xc7\xa1\x3c\x18\x96\x03\x24\x41\xcb\xa6\xae\x39\xc3\x5a\xe8\x80\xb4\x5a\x5c\x97\x54\x5a\xc0\x99\x24\x3a\x79\x1c\x6f\x2e\xb9\x35\x56\x20\x8b\x8b\x20\x35\x42\x75\x2a\x67\x3b\x9d\xf0\x2b\xf0\x4a\xd3\xc1\x8e\xec\xaa\x5e\xb2\x2d\x1b\x65\xe5\x9c\x34\x49\xb5\xcc\x42\xdf\x35\x0d\xd4\x82\x2b\xcf\x67\x1d\xf7\x84\x20\x68\x9c\xac\x22\x65\x8c\xd9\xf0\xf3\x90\xe2\x6e\x07\x96\xac\x4b\x7f\x30\xb1\
x98\x9f\x09\xcf\x5b\xa5\x16\xeb\x16\x67\xec\xc1\xd8\x53\x73\x9a\x20\xe5\xe7\x85\x99\xbd\xa8\x30\xd0\x02\xd4\x5e\xb6\x6d\x63\xa7\x78\xb8\x41\x2a\xf5\xd6\x3e\x3e\xf2\x64\x94\xe2\x1b\xbc\xde\x5b\x97\xa9\x4f\x79\x78\xac\x90\x3d\x46\x7c\x5b\x6d\x07\x17\xdc\x4a\x9d\x14\x6e\xd4\xb5\x8b\xfe\x37\x3a\x59\x08\x70\x2f\x99\x7f\x10\x90\xb4\xb1\x90\x93\xf8\x90\x50\x85\xec\xb6\x91\x10\x7b\x05\x9e\x0e\x1c\xd0\xc4\xa9\x4c\x9a\x47\x3a\xf2\xd1\x2b\xd5\x99\x8a\x8b\x8b\x48\x02\xf9\x31\xb9\x05\x15\x51\x9f\x20\xfe\xea\xde\xa5\x68\x4c\x06\x4f\x9a\xdb\x42\x39\x35\xb8\xde\x29\x8b\x03\xe5\x79\xab\xad\x6a\x23\xa8\x6c\x86\xed\xd3\x9c\x2e\xd6\xa4\x68\x5e\x69\xbc\x71\x54\x05\xab\x7a\x3f\x27\x66\x4b\xdb\x68\xfe\xf1\xfc\xd0\x90\xf0\x60\x38\x1f\x1a\xa3\x74\xa0\x74\xa6\x40\xf9\x91\xec\x6d\x8b\x28\x8b\x1b\x05\x07\x06\x85\x60\x31\x4f\xe9\x4a\xeb\x85\xc4\x2f\x4d\xf3\xad\xb2\x14\x85\x69\x65\x15\xda\x2f\xa7\xf4\x41\xb7\x53\xd5\xf8\xca\x45\x45\xf2\xd1\xdc\x1e\xb3\x4e\x41\x8c\x04\x3b\xeb\x51\x8b\xb3\x5f\xe3\x02\x35\xaa\xbf\x7e\xc5\xf3\x71\xb3\xa4\x8c\x0e\xa6\xa6\x13\xeb\xb4\xe4\xda\x5b\x71\x40\x8a\xa5\x57\x74\x23\x9a\xc7\x49\x03\x0a\x52\x74\x0c\xd8\x53\x5b\x9e\x3d\x28\xa4\xe8\x7b\x4c\x4f\x40\x44\xc8\x19\x5c\x32\x11\xf9\x47\xe5\x00\x7d\xf7\xb6\x4e\x37\xc4\x14\xbf\xd5\x4f\x7b\x59\x82\x37\x20\xbe\x00\x49\x8c\x18\xb5\x7d\xad\x00\x43\xf0\xc5\x0a\x75\x81\x74\x18\xc1\xdb\xc3\xdb\x8d\xc7\x33\xce\xb2\xb5\xb6\xd2\x0b\xec\x1e\x38\xa2\xf9\x09\xaa\x61\x94\x80\xe2\xca\x05\xd9\x00\x0b\x7e\xaf\xf3\x70\xc0\x77\xed\x38\x94\x22\x89\x0d\xd4\x26\x27\x8c\x63\xc2\xac\x42\x85\xe8\x40\xe6\xc7\xf9\xda\x04\xd6\x9a\xf4\x48\x2d\x96\xee\x58\x24\xde\x09\x16\x14\xd8\xb1\xb4\xcf\x49\xf5\xa7\x01\xe4\xb4\x2f\xf5\x8a\x62\x82\x3c\x27\x76\xfb\xa4\xc2\x7e\xc8\x6c\x24\xba\x10\x3e\xd0\x1c\x66\x72\x9a\xd6\x02\x92\x4a\x51\x37\xb7\x18\xd8\xdd\xee\xb0\x83\x39\xd8\x3c\x45\xfe\xca\x01\xc3\x93\x35\x7a\x67\x64\x38\x11\x43\x63\x59\x1d\x31\xc2\xba\x6f\xaf\xa5\xd8\x57\x1a\xf7\xc3\xa3\x69\x0f\xde\xb0\x99\xe4\x41\x92\xb5\x87\x1f\xd0\xa3\x36\x5f\xb2\xe2\x30\xc6\
xc0\x3a\x74\x73\x78\x2b\x30\x3a\x5b\xe1\x4f\x03\x8d\x8e\xa3\x4a\x63\x08\x43\x00\x51\x6e\xb7\x88\x4e\x59\x33\x58\xe6\x6b\x3d\xfb\x6d\xac\x4d\x08\x15\xd5\x8d\xaf\xb8\x5e\x8c\xca\x44\x26\x53\x6a\x38\x4d\xc8\x9f\x74\x13\xf1\x4c\xc9\x2e\x73\x77\xa9\x09\x38\xf9\x9e\xf7\xf5\x35\xc2\x18\xae\x2e\x90\x9a\xcd\xbf\xd7\xeb\x5b\x0b\x47\x40\x8e\x3d\x6d\x73\xdd\xa3\x9f\xbd\x6b\x23\xaf\x18\xf1\xa6\x70\x3e\xe3\xb1\xf7\x5b\xb7\xc0\x00\xa4\xca\x5a\x7b\xcc\xaa\xe8\x6c\x4a\xba\xc8\x1d\xa2\x93\xe4\x3f\x91\xd2\xc3\xdf\xf1\x2f\xfa\x52\x29\x13\x9a\x08\xae\x5f\xc2\xec\x13\x9b\xe9\x78\xb8\x18\x2d\x6a\x60\xc7\xff\x39\xbb\x0a\xa8\x20\xa1\x07\xd9\x2e\x38\xb9\x5e\x74\x8a\x18\x4b\x53\xf5\x62\x4f\x45\x72\x39\xf6\x38\x4d\xdd\xcb\x9f\xd7\xe8\xef\x29\x52\x65\xd7\x9b\x64\xc5\xc0\xa9\x3b\xf2\x16\x35\xb8\xc6\x80\x90\x78\x10\xd8\xe7\x2a\x58\x1e\x5a\xa0\xe0\x0f\xbf\x35\x1e\x3c\x84\x1c\x7d\x0c\x51\xa2\x63\x68\x37\xb2\x7c\x6a\x91\x42\x5b\x50\x6a\x22\xc2\x7d\x14\x20\xd0\xb1\x3e\x60\xde\x3e\x9c\x56\x66\x7a\x98\x98\x3b\xa9\xbd\xd1\xc5\xa5\x2d\xc6\x12\x7b\x65\x9e\x6d\x80\x70\x69\x59\xf0\x7d\x3a\x5f\xa8\xb3\xb8\x8e\xab\x05\xe7\xa0\xc0\x4e\xe1\x2a\x21\x37\x2c\x71\x3f\x64\xc6\xad\xbe\xed\xd7\xa8\xb7\xa6\x92\x67\x49\x75\xbb\xe5\x5c\xe4\x02\x71\x44\x02\xf2\x0c\x7f\x57\xff\x1f\x79\x35\x7d\x8e\xda\xbe\xf1\xd8\x68\xf0\xa2\xb3\xdd\x7a\xa3\xbb\xe5\x8e\x80\x81\x49\x70\x73\x4f\x7d\xec\x70\xd3\x14\xe8\x11\x59\x3a\x32\xcc\x86\x1f\x4a\x8a\x4b\x3f\x0d\x7c\xeb\x4e\xbb\x32\x66\x4f\x56\x44\x49\x7a\xc9\x56\x2c\xdd\x5a\x54\x19\x3f\x22\x38\xe6\x5c\x18\x74\xc8\x64\x21\xc5\xcf\xb4\x3a\xe1\x56\x93\x1c\x78\x40\xd1\x0d\xe4\x7a\x4d\x0f\x2f\x31\x74\xc3\x6c\x86\x45\xac\x02\xf5\x44\xc3\x69\x0b\x51\x37\xaf\x7d\x2c\xed\x3f\xb0\x43\x59\xbb\xf2\x2b\x67\x20\xea\x94\xf2\xe3\xb5\x67\x5f\xb7\x7a\xde\x56\xc9\x77\xd6\x68\x06\x4e\xfd\xd1\xc6\x15\x11\x9a\x52\x8c\x9e\xc1\x35\x3e\x84\x10\x3e\x5d\xce\x6a\x0b\xd0\x73\xf9\xff\xbe\xa0\x81\x9c\xf6\xc0\xcc\x58\xea\xd0\x0c\x92\x34\x02\x98\xcc\x09\x45\x64\x11\x7f\x3f\xb8\x94\x27\x4c\xa9\x1d\x79\x76\x45\x96\x19\xf5\
x44\xb2\x50\x58\x6c\x6d\x44\xaf\xba\x55\x74\xb7\xef\x51\x26\xb0\x70\x40\x9a\x1f\x5e\xed\xc6\x50\x07\xb0\x03\x39\xf1\x60\x42\x2f\xff\x38\xd6\x7e\xaa\x8d\x78\x2f\xc4\x19\x2a\x29\x81\x08\x79\xeb\x12\x85\x99\x42\xfa\x14\x1a\x21\xc3\x9d\x9e\xea\x03\xeb\xa1\xaa\x7b\x3a\xc7\xe2\xb1\xda\xf4\xf6\x9f\x47\x5b\x8e\x75\xc5\xac\x7c\x2e\xfd\xd7\x77\x93\x2d\x40\x31\x43\xcd\xd0\x89\x02\xd5\xe3\x45\x93\x01\xc2\x8c\x88\xc4\xdf\x34\x2c\xa1\x39\x10\xb7\x60\xe3\x4c\x40\x19\x4b\xb5\x1b\x82\xcf\x14\xad\xee\xd5\xae\x47\x51\x7d\x3c\xbc\x73\xbb\xb5\xa8\x89\x9c\x30\xe6\x06\x51\x99\x89\xa8\x5d\x2e\x15\xb0\xe8\x9e\xbb\xa4\x3f\x0c\x8a\x75\x2f\x07\x01\x03\x80\xca\xa7\x0d\xc4\x09\xff\x80\x5c\x24\x57\x48\x29\xd0\x6b\xb9\xa1\x49\x5d\x5a\x30\x85\xdf\x90\x29\xe2\x3d\x92\xbb\xc4\x6d\x7c\x7c\x1d\xb7\x36\x5e\x92\xe8\xd2\x44\x9a\xad\xe3\x89\x26\xa6\x43\x68\x72\x3a\x0e\x8a\x77\x7b\x32\x61\xc9\xc9\x7b\xae\x82\x5b\x55\x1b\xa9\x40\x55\x1a\x7e\x15\xe3\x01\x3d\xc0\x9a\x05\x22\x9d\x0c\x9a\xc6\x4e\xe1\x5e\xe3\xd4\x67\x42\x62\x89\x24\xc0\x9e\x63\x60\xcc\x43\x00\x6f\xb9\xa0\xe1\xc0\x6e\x55\x84\x63\x7c\xee\x00\x5e\xe2\x6c\xeb\xa7\x02\x95\xcb\xa5\x63\x7d\xfc\x98\x21\x14\x8e\xd7\x41\x50\x03\xd5\x18\x36\x84\x23\xae\x70\x8c\xfa\xc6\x38\xf2\xb8\xe1\xd3\xa7\x10\x11\xbd\xa8\x03\xac\xd2\xcf\xa4\x29\xea\x5f\xa0\x45\xfe\x07\x8f\x91\xeb\xe4\x5e\x7d\x51\xd4\x3f\x08\x30\x2d\x5f\x3b\x0c\xcc\x3e\xb7\xdc\x03\x81\x8b\x33\x56\x7e\x86\xf8\xe5\xdc\x40\x45\x15\x69\xa7\x95\x48\x58\xd2\x6d\xf8\x55\x49\x35\x27\x6f\x56\x54\xaf\xec\xf2\x40\xc7\xe8\x6c\x92\xec\xba\x4d\x3f\xf7\x58\x21\x31\x2d\x6a\x3b\x82\xe1\x8c\xc2\x34\xda\x5b\xac\xc2\x86\xef\x09\x24\xce\x23\xbd\x30\x70\x8d\xe5\x81\x32\x57\x4b\x54\x8c\x96\x28\xb5\x2d\x34\x29\x1d\x1c\x4a\x7f\xfd\xfe\x63\xde\x1f\xa9\xb5\xe0\xfa\x6e\x62\xf3\x52\x8a\x80\xc9\xcc\x97\xa7\xc5\x15\x40\x3f\xce\x89\x5a\xb7\x95\x63\x52\x66\xaf\x74\x6d\x89\xd2\xc9\x40\x58\xca\x38\x50\x1d\x86\xb4\xd6\x32\x4d\x0d\xf0\xd9\xc1\xe4\x7b\xbf\x83\x8b\xaa\x20\x6a\xa2\xec\x43\x97\x82\x8e\x99\x2f\xe9\x63\xb2\xe8\x37\x22\x80\x26\x27\
x62\x90\x30\x10\x6c\xf2\x0e\xc9\x8e\x24\x51\x47\xc9\x44\x26\x21\x4d\xdf\xb9\x79\x12\x06\x51\xad\xde\x14\xa4\x25\xfe\xf2\x9a\x20\xc0\xcc\x54\x60\x39\x3a\xcb\xdb\xa5\x7b\x3c\x38\x36\x62\x7e\x6a\x9c\x19\xa2\x34\x43\x12\xa9\xbc\x66\x1b\x76\x02\x85\x41\x5a\x28\x74\xe2\xf2\x18\x7b\x5c\x6d\xbf\x38\xb0\x59\x63\x6f\x9e\xd1\xde\x16\x92\xd3\xb8\x65\x04\xa7\xc1\xb6\x68\xe5\xaa\x0f\x87\xcf\x49\x7f\x0c\xab\x26\x6e\x4d\xb6\x4e\xc6\x46\x55\x80\xbe\x1d\x97\x24\x49\x47\x30\x46\x88\xcb\x35\x76\x49\x0b\x8d\xb0\x86\xb0\x89\x05\x82\x0e\xa9\xd9\x1d\xfc\x8f\x3b\x96\x6a\x9e\x56\x8d\x85\x6a\x9c\xce\x3f\x17\x31\xac\x16\xe4\xcf\x48\x71\x43\x34\xb6\xc7\xac\x35\x97\xfc\xae\x85\xd1\x79\x46\xb0\xae\x28\x99\x84\x5e\x96\x06\x6e\x0a\x64\x83\x85\xc9\x8e\xe5\xc1\x19\x39\x13\x56\xb2\x04\xac\xbd\x4a\x5c\x7c\xc2\xcb\xce\xec\xe0\xf5\x8d\xfb\x73\xfc\x30\xef\x7c\x17\x69\xb4\xf5\x6e\xd1\xb7\x7d\x76\x24\x8b\x0e\xa2\xa6\x6d\xb0\xe5\x21\x7b\x5d\x62\x42\x37\x19\x1a\xbe\x94\x86\xac\x0b\xd3\x2e\x3e\x73\x62\x33\x14\x41\x73\x4a\x8d\xd9\xed\x98\x3b\x92\xbf\x26\x47\x2c\x50\x21\xf8\xbe\xa1\x31\xec\xe4\x7c\x8f\x45\xe6\x8a\x25\xa8\xbe\xb4\x88\x58\x95\xc2\x79\x82\x30\x6d\xaf\xa1\xfa\xc9\x05\xb2\x76\xc2\xf6\x0c\xcd\xca\xbe\x2a\x5b\x32\x5b\x5c\x5d\x84\x82\xf3\x05\x66\x02\x44\xc3\x61\x71\x1f\x0e\xed\x77\x46\xc0\xda\xf9\x9d\xfd\xe3\x6c\xaf\xf2\x94\x05\x11\x82\xc5\xb6\x58\x9f\xc0\x70\x0b\x75\x1f\xb2\xb3\x80\x7f\x0b\xcb\xd2\x77\xa8\x44\xce\x82\xa5\x45\x58\xf5\x5c\xdd\x25\xa3\x0b\x22\x83\xab\xe5\x19\xc8\x27\xb1\x0a\xed\x61\x2f\x8a\xea\x3c\xb7\xac\xa8\xb3\x40\x28\xc0\xb3\x63\xc9\xac\xc5\x2d\xde\xa9\xe0\xc3\x4e\x8a\x5c\x90\x86\x9f\xe6\x0d\x28\x30\x7e\x35\xd3\xe4\x35\x82\xf3\x77\x3d\x46\x66\x9e\x43\x13\xa0\x7b\x12\xe7\xd6\xd5\x01\x43\x6f\x8e\x6f\x4b\xc3\x47\xb2\x91\x94\x14\x4d\x82\xc5\xda\xa9\x73\x0f\xea\x34\x66\xc3\x16\x72\x09\xf0\x96\x97\xda\x03\x4f\x86\xca\x9e\x5a\x7e\x28\xc0\x59\x99\xf4\x16\x1d\xca\x75\x18\x14\x04\x13\x50\x4b\xe2\xaa\x60\xef\x71\xb6\x64\x84\xfc\xa1\xb0\xbb\x11\xaf\xd5\x97\x55\xb9\x78\xdd\x29\x4e\x3d\xa8\x56\x55\
xb9\x0f\x05\xbe\x08\x23\xe2\x62\xaa\x69\x3c\x43\xbc\x23\xf4\x94\x8a\x60\x96\xff\xe1\xb5\x8e\x1b\xcd\x65\xb0\xdb\x70\xc6\x2a\x4f\x85\xd7\xdd\x4b\xe6\xcd\xdf\xea\xf1\x38\x38\x14\xa6\x72\x8b\x4c\x30\x1e\xab\x03\xb9\x50\xba\xc8\x67\x37\x5d\x1b\x6c\x61\xeb\x2f\x7f\xde\x96\x0b\x16\xf5\x94\x83\x79\xe2\x11\x5a\xb5\x40\x13\x56\xdb\x05\xa7\xdc\x30\xa2\x99\x98\x97\xb1\x63\xc7\x3d\x34\x80\x71\x06\xdf\xdc\xf7\xb7\xf9\xb9\xe7\x37\x7f\xc7\x22\x00\x3c\x86\x8c\xa5\xc1\x4a\x0e\x2f\x1d\x19\x40\xec\x6a\xef\xcf\x85\xfe\xd2\x07\x62\x2e\xd3\x81\x20\xc6\xa8\xaa\xd7\xb4\xe9\xe8\x7d\x5e\x4e\x9a\x6a\x55\xc6\xe1\x32\xe9\xe1\xe9\xa3\xa6\x2b\x4f\x7c\x6c\xe0\x09\x3f\x88\x65\x47\xdf\xc4\x8d\xe1\xd2\xe0\xc8\x5b\xf0\x1b\x49\xf9\x92\x41\xa3\x6d\x32\x4c\xdb\xad\xe5\x37\x7d\x5a\xa5\x73\x33\x77\xec\x7e\x97\xb7\xac\x54\x38\x7f\xd2\x93\x91\x31\x9d\x3f\x3b\xbc\xd0\x7b\x28\x70\xb9\x64\x6b\xf2\x83\x5b\x3a\xbb\x51\x21\xdc\x20\xa6\x38\xc6\xd0\xd6\x2b\x0a\x05\xd9\x4a\x5f\x1c\x03\xbf\xf6\xe8\x71\xa8\x4f\x9a\x7d\xef\xa1\x6f\x30\xcb\x8b\x3f\xf5\x7c\xb5\xa9\xb8\x95\x8b\x59\x21\x19\xcb\x0c\x80\x25\x13\xc1\x4a\xec\x2d\x27\xcf\xff\xbf\xb4\xe6\xa2\xa8\x40\xf8\xb0\xd7\x46\xa8\x3f\xa8\xbd\x22\x70\x21\xb0\x38\xf5\x0c\x41\x1f\x79\x22\xfb\x38\xec\x89\xf5\x1d\x71\xb7\xd3\xd9\xe2\x41\xdb\x1b\xe1\xb4\x50\x7e\x5b\x68\xfa\x1e\xe8\x9c\x21\x27\x44\x5e\x5d\x6e\xd4\xe7\x43\x3d\xe7\xbf\x4d\x72\xb7\xf7\xb1\xc9\xaa\x7c\x40\x8e\x4c\x10\x50\xce\x17\x74\x27\x98\x4f\x50\x35\xb5\x1e\x3a\xd5\x2b\x56\xd8\xaa\xf3\x8e\x56\x79\x30\xa7\x11\xc8\xdc\x34\x88\xff\xcd\xc1\xa5\x6f\xe1\xb4\xc5\xdf\x22\x67\x3b\xcc\x3e\x9c\xcd\xbb\x3a\xb6\x70\xa2\x45\x47\xf5\xde\xd4\x2d\xec\xfd\xdd\x52\x21\x04\x07\x5c\x37\xdd\xed\xe4\x60\x92\x5d\xcb\xc6\xe5\xef\x20\x60\x28\xaa\x7e\xa0\xc8\x4d\x60\xd9\x90\xfc\xd4\x8d\x76\xc9\xa4\x7b\xe6\x81\x92\x50\xd4\xd1\x0f\xce\xfc\x7a\x12\x4c\x6f\x3f\xaa\xf5\x1f\x7b\x67\xdc\xc2\xb3\x9a\xcf\x11\x9c\x8f\x89\xb9\x3b\x58\x39\x52\x47\xfa\x45\x9c\x1f\xfe\x6f\xc5\xa7\x0c\x32\xd5\x19\x6d\xa5\x93\xb3\x36\xbe\x04\x67\x16\x4e\xbb\xc9\x86\xfc\x14\
x5b\x32\xbb\x91\xa4\xc0\x58\x88\x4c\x82\xf5\xca\xcd\xa6\x2a\x43\x12\xbb\x35\x07\x0e\x74\xde\x2b\xba\x07\x64\x8b\x7e\xb9\xd9\xfa\xe8\x91\x64\x8f\x54\x32\xb6\xa7\xd5\x98\x6e\xf2\x02\x78\x72\xcf\x9e\x1a\x08\x6c\x57\x6a\xba\xc8\xdc\x40\x1a\xab\x0d\xa9\x3a\xbf\x0a\xb7\x1e\xcd\x9b\xb9\x6e\x39\x18\x03\x62\xa1\x0a\x21\x85\x07\x1e\xbb\x8c\xa2\xca\x8d\x97\x19\xd4\x7b\xfc\x18\xb6\x2f\x97\x71\xb9\x7d\xfe\xd7\x3b\x98\x23\x25\xeb\x94\x3d\x78\x5c\x78\x75\x00\xd5\xac\x0d\x26\xa9\xca\x90\xcc\x73\xc2\xac\xfe\x87\x2f\x4e\x32\xeb\x44\x39\x08\x3b\xdb\x32\x49\x70\x1d\xdd\xdb\x50\x0d\xf3\xf8\x96\xbb\x1f\x7a\x37\x06\xd6\x4b\xe1\x6d\x00\xf6\xfd\xcd\x6b\xf4\x1d\xf8\x65\x35\xf2\x98\xd2\xdd\x04\x31\x77\x74\xbd\x6b\x39\x03\xf3\x71\xd5\x9b\xe7\x19\xb7\xec\x1d\x00\x3b\x3c\x97\x05\xa8\xf7\x88\x89\xb8\xf7\xda\x0d\x46\xde\xfd\xce\xd2\xdf\x70\xd8\xcb\x45\x70\x82\x8b\xb2\x65\x49\xb5\x50\x11\x58\x9c\x73\xbe\xc4\x20\x7c\x8d\x59\xeb\xe1\x89\x6b\x37\x61\xc1\x85\xa1\x32", 4096); *(uint32_t*)0x20006c44 = 0x1000; *(uint32_t*)0x20006c48 = 0x8001; *(uint32_t*)0x20006c4c = 0x200066c0; memcpy((void*)0x200066c0, "\x31\xe3\xc3\xfa\x6d\x99", 6); *(uint32_t*)0x20006c50 = 6; *(uint32_t*)0x20006c54 = 0x3ff; *(uint32_t*)0x20006c58 = 0x20006700; memcpy((void*)0x20006700, "\x39\xde\x86\x3b\x71\x48\x20\x8e\x43\x2f\xcd\xdb\xd9\xe9\x14\x8e\x71\x6c\x1b\x48\xa3\x96\x7c\x87\x0c\x70\x14\x5d\x90\xed\x68\x1b\x3f\x8b\xce\x84\x9f\xee\x7f\x50\x09\x15\x70\x85\x4e\x20\x10\x37\x23\xe5\x64\x54\xe7\x11\x54\x3f\x6e\x2b\xe9\x2c\x34\x09\x0d\x8c\xc7\x92\x26\x0b\xe9\xb9\x60\xc1\xe4", 73); *(uint32_t*)0x20006c5c = 0x49; *(uint32_t*)0x20006c60 = 9; *(uint32_t*)0x20006c64 = 0x20006780; memcpy((void*)0x20006780, 
"\x17\xfa\xd5\x71\xf8\x0f\xec\xd3\x4a\x59\xbc\x03\xf6\xc0\x2b\xbd\x6d\x56\xcd\x8d\x95\x89\x24\xb4\xae\x41\x89\xb8\x8b\x85\x89\x7e\xfd\x4e\x59\x6e\x11\x18\xbb\x0c\x77\x1c\x2c\x5b\xa3\x7d\xed\x06\xd7\x81\x11\x39\x0c\x1c\x80\xcf\x6e\xa9\xdf\x87\x27\xf8\x85\x59\x81\x5e\xd7\x6b\x36\xfa\x13\xfb\x4d\x08\xe1\xcc\xda\xd7\x97\x3b\x5b\xec\x56\x55\xa7\x4a\x67\x1f\xde\x99\xee\x92\x39\x7c\x56\xd4\x09\xda\xdb\x10\xc4\xc3\x7e\xe9\x2c\xb4\x1d\x03\xae\x6f\xb1\x64\xe7\xf8\x69\x85\x03\x91\x28\xd3\x8b\xe8\x3b\x5e\x16\xc3\x5e\xe3\x4e\xb2\xb8\x39\x6c\x53\x48\x02\x87\x81\xa0\xa8\x79\xf8\x81\x59\x74\x0a\xb8\x97\x05\xd6\x37\xbe\xda\xfa\x91\x5f\x19\x5a\x15\x25\x97\xfa\x0d\x7d\xa9\xb7\x64\x76\x60\x2c\x6e\xee\xfc\xa1\xe8\x0a\x6d\x3d\x0e\xd1\xa7\x5b\x00\xf7\xa5\xe1\x53\xdd\x85\x1e\x23\x01\xc8\xda\xa7\xd4\x9b\x4a\xd9\x1c\x62\xd1\xa6\x96\x7f\x54\xcf\x96\x21\xc2\x40\xed\x58\x71\x92\xf6\x99\x59\xe0\x54\x07\x85\x0c\xe3\x83\x1c\x4e\x81\x1e\x6f\xff\x1c\xdf\x93\xcf\xab\xde\x88\x73\x58\x31\x68\x81\x84\x53\x56\xd7", 247); *(uint32_t*)0x20006c68 = 0xf7; *(uint32_t*)0x20006c6c = 0x26; *(uint32_t*)0x20006c70 = 0x20006880; memcpy((void*)0x20006880, "\xc2\x86\x96\x8e\x22\x38\x74\x2a\x47\xe0\xe8\xd4\x44\xa6\xa6\x61\xb7\x70\x82\x22\xf4\xed\xda\xb9\x7a\x74\x9d\xce\xbe\x2c\xc8\x3a\x31\x4b\x82\x87\x95\xf9\x15\xa3\x6d\x87\x3b\x71\x4a\xef\x15\xdd\xb1\xb4\xf6\x2f\x06\x80\x0b\xbe\x85\xea\xeb\xcb\x76\xab\xe9\x44\x71\x92\x49\xee\x79\x27\xc8\x8e\x78\xa9\x68\xe9\x3f\x45\xc5\x20\x13\xef\x97\xef\x6f\x98\x9b\x1d\x1c\xd3\x0f\xff\x88\x67\x79\x62\xc8\xf3\x05\x2a\xd0\xa4\x63\x1e\x4e\x75\x0b\xa8\x0f\x37\x53\x91\x6c\x2d\xff\xc6\xa4\x02\x3c\xdb\x62\xa1\xb5\xf2\xaf\xbb\x96\x5b\x2f\x78\xc5\xdd\x47\xaf\x90\xb0\x02\xda\x1a\x26\xa2\x4f\xcb\x99\xbf\x81\xfb\x29\x57\x4a\x2f\x98\x10\x7a\x79\x37\x63\x98\x73\xb9\x5f\x4a\x56\x9a\x04\x06\xcc\x35\x8b\x46\xef\xae\x58\x7e\x90\x08\xbe\x69\xd7\x11\xae\x20\x2c\x22\xe2\x9a\x2f\x61\x5f\xd2\x3d\xcf", 192); *(uint32_t*)0x20006c74 = 0xc0; *(uint32_t*)0x20006c78 = 0; *(uint32_t*)0x20006c7c = 0x20006940; 
memcpy((void*)0x20006940, "\x97\xfc\x4d\xd9\xdb\x67\x3e\x16\xfd\x0f\x0e\xb9\xa4\xa2\x6e\x2a\x49\xf4\x2e\x16\x16\x19\x0b\x06\x34\xdf\xd6\x13\x51\x45\xf4\xe4\x51\xbb\xba\xd5\x6d\xad\xf2\x66\x96\x4e\xba\x7d\x10\x07\xc0\xa2\x3f\x8c\xf0\x3d\x4f\x8f\xe0\x9a\x79\x89\x15\x2b\x7c\xf2\xec\x30\xf2\x69\x3a\x06\xbe\xfd\xf0\x23\xd7\x9f\x48\xc2\x08\xd7\x42\xc7\xb7\x59\x15\xbc\xc1\xbe\x58\x35\x17\xce\xd3\xb8\x26\xb9\x70\x75\xe6\x2a\x8e\xd1\x2d\xbb\x26\x48\x07\xc6\xff\xd0\x22\x76\x14\x49\x1f\xb9\xde\x0d\x8a\x92\x5a\x26\x38\xc3\x16\x08\xde\x40\x5b\xbf\x79\xe9\x6f\x17\x1f\xd5\x83\x38\xb1\xd6\x97\x9d\x33\xa7\xda\xe8\xad\x62\xf2\xba\x53\xfe\xfc\x3c", 152); *(uint32_t*)0x20006c80 = 0x98; *(uint32_t*)0x20006c84 = 0x20; *(uint32_t*)0x20006c88 = 0x20006a00; memcpy((void*)0x20006a00, "\x77\xd8\xd6\x06\xbf\xb4\x24\xe7\xb9\x95\x80\x9a\xb4\xf5\x59\x11\x5f\xd8\x2e\x97\x2d\x98\xb6\x51\xdf\xc6\x9b\x10\xdf\x60\x0f\xb4\xf7\x8e\xfd\x58\x6f\x9c\xc2\x6e\xdc\x41\xb1\xd2\xfa\xc8\x7e\xfe\x59\xe2\x62\x41\x1f\x27\xa9\x4c\xf7\x96\xed\x31\x23\x6b\x45\x7c\xa0\xf1\x47\x53\x0e\xfb\xd4\xcf\xa6\xb6\xa0\xfe\xe4\x6c\x25\xab\xcf\x7a\xd8\x28\x2a\xae\x52\x99\xe2\x99\x79\x9c\xd5\x2d\x0a\x58\xd7\xff\x9d\xdd\xd0\x10\x37\x24\xc8\x8d\xa9\x2d\xbe\xfa\xb6\x24\x80\x38\xab\xef\x9e\xc5\x22\x64\xaf\xc7\x48\x25\xf7\xea\x70\xb2\xca\x95\xd6\x90\x0f\x9b\x64\x7a\x3f\x98\x6e\x18\x28\x7c\xb2\xbf\x4b\x4c\x19\xef\xc8\xc2\x18\xfd\x90\x5c\x37\x27\xc8\x6c\x37\x02\x6b\xfb\xde\x3a\xf0\x78\xeb\x07\xb7\x98\xe6\xd3\xd8\xf2\xe4\xd5\xd3\xbc\x18\x8c\xdd\x20\xf2\xeb\xb1\x46\x1c\x5e\x53\xb0\x5f\x29\x89\xff\xac\x3b\x16\x8d\xee\x56\xda\x0f\xc0\x11\x97\x4c\x66\x0e\x40\x0a\xe2\xd8\xb2\xc8\x0a\xcb\x23\x15\x81\xee\x91\x76\x31\x29\xb2\x88\x8a\xeb\x12", 229); *(uint32_t*)0x20006c8c = 0xe5; *(uint32_t*)0x20006c90 = 0x800; *(uint32_t*)0x20006c94 = 0x20006b00; memcpy((void*)0x20006b00, "\x56\x0c\x1b\xea\x71\xb0\xf9\x72\x44\xfa\x38\x6d\x26\xbf\x6b\x1b\x04\x30\x8e\x4b\xc7\xff\xfa", 23); *(uint32_t*)0x20006c98 = 0x17; *(uint32_t*)0x20006c9c = 0x80000001; 
*(uint32_t*)0x20006ca0 = 0x20006b40; memcpy((void*)0x20006b40, "\x14\xe5\x5a\x14\xa7\x95\x33\x87\xee\x55\x33\x3c\x1d\x16\x94\xca\x98\xc7\x99\x9b\x49\x78\x86\x42\x76\x68\x05\xd6\xf5\xa2\x90\xeb\x1e\x95\x9e\xe3\x5a\x74\x04\x59\xe1\x33\x00\x26\x2f\x2a\xf9\xc3\x57\xf7\xa8\xc1\xcb\xa1\x87\xe4\x48\xbc\x3c\x8f\x86\x5c\xc9\xbe\x88\x62\x4f\xb0\xf0\xd0\xbb\x88\x5d\x9c\xc2\xab\xe1\x71\xa2\x47\x8a\x74\x20\xdb\x22\xe8\x60\x7e\x3f\xbe\xc7\xe2\x60\x1d\x9e\x11\x08\x6c\xfa\x8c\xf1\x4d\x99\x67\x6b\x67\x9d\x8d\x6b\xf1\xdd\x4f\xaa\xb8\xfe\x9a\x5f\x4e\x3f\x69\x5f\xe2\xe6\xab\xf0\x9f\x70\x26\x83\x80\x2d\x44\xcc\x3a\x29\x82\x55\xc4\xc5\x95\x33\x73\x1f\xf5\xb2\x3e\x05\x3a\xfb\x71\x6d\x58\xca\xd6\x67\x68\x6e\xe6\x47\xf4\x8e\x19\x9c\x9b\x5c\x3d\x0d\x2d\x47\x0f\x2c\xe1\xc5\xb8\xb5\x70\x8a\xe0\x23\xad\x98\x80\xca\xf3\x1d\x01\xf9\x6a\xeb\xbf\xcc\x7d\xf9\x53\x58\xa0\x16\xc5\x47\x1c\xc2\xce\x2c\xed\x61\x05\x05\x7c\x9d\x22\xc8\x16\x78\x90\xca\x19", 216); *(uint32_t*)0x20006ca4 = 0xd8; *(uint32_t*)0x20006ca8 = 0x400; syz_read_part_table(9, 9, 0x20006c40); break; case 40: *(uint8_t*)0x20006cc0 = 0x12; *(uint8_t*)0x20006cc1 = 1; *(uint16_t*)0x20006cc2 = 0x200; *(uint8_t*)0x20006cc4 = 0x62; *(uint8_t*)0x20006cc5 = 0xa5; *(uint8_t*)0x20006cc6 = 0xbe; *(uint8_t*)0x20006cc7 = 0x10; *(uint16_t*)0x20006cc8 = 0x2833; *(uint16_t*)0x20006cca = 0x211; *(uint16_t*)0x20006ccc = 0x37a4; *(uint8_t*)0x20006cce = 1; *(uint8_t*)0x20006ccf = 2; *(uint8_t*)0x20006cd0 = 3; *(uint8_t*)0x20006cd1 = 1; *(uint8_t*)0x20006cd2 = 9; *(uint8_t*)0x20006cd3 = 2; *(uint16_t*)0x20006cd4 = 0x6b4; *(uint8_t*)0x20006cd6 = 1; *(uint8_t*)0x20006cd7 = 0x20; *(uint8_t*)0x20006cd8 = 0; *(uint8_t*)0x20006cd9 = 0xa0; *(uint8_t*)0x20006cda = 1; *(uint8_t*)0x20006cdb = 9; *(uint8_t*)0x20006cdc = 4; *(uint8_t*)0x20006cdd = 0xdf; *(uint8_t*)0x20006cde = 0; *(uint8_t*)0x20006cdf = 0x10; *(uint8_t*)0x20006ce0 = -1; *(uint8_t*)0x20006ce1 = 1; *(uint8_t*)0x20006ce2 = 0; *(uint8_t*)0x20006ce3 = 5; *(uint8_t*)0x20006ce4 = 7; *(uint8_t*)0x20006ce5 = 
0x24; *(uint8_t*)0x20006ce6 = 1; *(uint8_t*)0x20006ce7 = 1; *(uint8_t*)0x20006ce8 = 1; *(uint16_t*)0x20006ce9 = 1; *(uint8_t*)0x20006ceb = 9; *(uint8_t*)0x20006cec = 0x24; *(uint8_t*)0x20006ced = 6; *(uint8_t*)0x20006cee = 0; *(uint8_t*)0x20006cef = 0; memcpy((void*)0x20006cf0, "\xfd\x50\x65\x08", 4); *(uint8_t*)0x20006cf4 = 5; *(uint8_t*)0x20006cf5 = 0x24; *(uint8_t*)0x20006cf6 = 0; *(uint16_t*)0x20006cf7 = 3; *(uint8_t*)0x20006cf9 = 0xd; *(uint8_t*)0x20006cfa = 0x24; *(uint8_t*)0x20006cfb = 0xf; *(uint8_t*)0x20006cfc = 1; *(uint32_t*)0x20006cfd = 0x40000000; *(uint16_t*)0x20006d01 = 8; *(uint16_t*)0x20006d03 = 0x4cc5; *(uint8_t*)0x20006d05 = 0x7f; *(uint8_t*)0x20006d06 = 7; *(uint8_t*)0x20006d07 = 0x24; *(uint8_t*)0x20006d08 = 0xa; *(uint8_t*)0x20006d09 = 8; *(uint8_t*)0x20006d0a = 0x3f; *(uint8_t*)0x20006d0b = 0; *(uint8_t*)0x20006d0c = 0x81; *(uint8_t*)0x20006d0d = 0x10; *(uint8_t*)0x20006d0e = 0x24; *(uint8_t*)0x20006d0f = 7; *(uint8_t*)0x20006d10 = 0x80; *(uint16_t*)0x20006d11 = 5; *(uint16_t*)0x20006d13 = 0x44; *(uint16_t*)0x20006d15 = 2; *(uint16_t*)0x20006d17 = 0x800; *(uint16_t*)0x20006d19 = 0x101; *(uint16_t*)0x20006d1b = 4; *(uint8_t*)0x20006d1d = 4; *(uint8_t*)0x20006d1e = 0x24; *(uint8_t*)0x20006d1f = 2; *(uint8_t*)0x20006d20 = 4; *(uint8_t*)0x20006d21 = 8; *(uint8_t*)0x20006d22 = 0x24; *(uint8_t*)0x20006d23 = 0x1c; *(uint16_t*)0x20006d24 = 0; *(uint8_t*)0x20006d26 = 0xc0; *(uint16_t*)0x20006d27 = 0x5325; *(uint8_t*)0x20006d29 = 6; *(uint8_t*)0x20006d2a = 0x24; *(uint8_t*)0x20006d2b = 0x1a; *(uint16_t*)0x20006d2c = 0x7f; *(uint8_t*)0x20006d2e = 0; *(uint8_t*)0x20006d2f = 9; *(uint8_t*)0x20006d30 = 5; *(uint8_t*)0x20006d31 = 5; *(uint8_t*)0x20006d32 = 0; *(uint16_t*)0x20006d33 = 0xb5a2; *(uint8_t*)0x20006d35 = 6; *(uint8_t*)0x20006d36 = 0; *(uint8_t*)0x20006d37 = 5; *(uint8_t*)0x20006d38 = 7; *(uint8_t*)0x20006d39 = 0x25; *(uint8_t*)0x20006d3a = 1; *(uint8_t*)0x20006d3b = 0x82; *(uint8_t*)0x20006d3c = 0xe9; *(uint16_t*)0x20006d3d = 0xf000; 
*(uint8_t*)0x20006d3f = 9; *(uint8_t*)0x20006d40 = 5; *(uint8_t*)0x20006d41 = 0xe; *(uint8_t*)0x20006d42 = 2; *(uint16_t*)0x20006d43 = 0x200; *(uint8_t*)0x20006d45 = 8; *(uint8_t*)0x20006d46 = 7; *(uint8_t*)0x20006d47 = 0x40; *(uint8_t*)0x20006d48 = 9; *(uint8_t*)0x20006d49 = 5; *(uint8_t*)0x20006d4a = 0; *(uint8_t*)0x20006d4b = 0x7e; *(uint16_t*)0x20006d4c = 0x200; *(uint8_t*)0x20006d4e = 8; *(uint8_t*)0x20006d4f = 3; *(uint8_t*)0x20006d50 = 1; *(uint8_t*)0x20006d51 = 0x9b; *(uint8_t*)0x20006d52 = 0x21; memcpy((void*)0x20006d53, "\xf2\xef\x0a\x5c\x06\x9c\xdb\x31\x91\x38\xe1\x85\x06\x1d\x7e\x19\x6a\xe9\x4e\x53\x5d\x80\xf2\x76\x66\xfb\xa2\x3b\x37\x43\x25\xf1\x5d\xc5\xf2\x08\x12\xfe\x05\xb0\x62\x0f\x6f\xfc\xb8\x10\x03\xb1\xf3\x9c\x5d\xcd\x1b\xff\x14\xe2\xbb\xeb\x38\x73\x35\xa3\x53\x4f\x5a\xdb\x60\xff\xc4\xf2\x85\x95\xc8\xf9\x92\xf7\x7f\xd5\xf6\x7a\x04\x84\x2b\x9c\x43\x64\xe3\x55\x6b\xe9\xba\xcb\x8f\xd5\x6e\xd7\x78\x59\x29\x11\x53\xf6\xc5\x66\x02\x63\x63\xbf\xa5\xf2\xe6\xff\x2f\xa6\xd2\x93\x17\xf2\xd5\x62\x44\x53\x64\x93\x99\x15\xa7\x5d\xd7\x36\x5f\x6a\xb9\xc1\x5d\xdb\xc7\xc3\xa4\x5f\x7e\xb9\x8f\xd1\xfe\xa3\x55\x1b\xbd\x46\xf2\x0a\x87", 153); *(uint8_t*)0x20006dec = 9; *(uint8_t*)0x20006ded = 5; *(uint8_t*)0x20006dee = 0x80; *(uint8_t*)0x20006def = 1; *(uint16_t*)0x20006df0 = 0x3ff; *(uint8_t*)0x20006df2 = 1; *(uint8_t*)0x20006df3 = 0x20; *(uint8_t*)0x20006df4 = 0xef; *(uint8_t*)0x20006df5 = 0xec; *(uint8_t*)0x20006df6 = 6; memcpy((void*)0x20006df7, 
"\xf6\x42\x24\x6a\x53\x72\x99\x1d\xb9\x7e\x58\x24\xa4\x10\xe2\x83\x00\xd3\xbd\x15\x36\x38\xf6\xda\xc6\xe1\x18\x9a\x0c\x56\x0a\x0a\x0e\x5f\x8b\x15\xe0\x78\x79\xac\x95\x01\x65\x15\x20\x26\x46\xa7\xb5\xb5\xfc\x74\xb7\xcd\x40\xd5\x15\xb2\x84\x9d\x8c\x1d\xd9\xae\x4f\xca\x16\xc2\xe6\xcf\x0e\x8a\x20\xce\x54\xf0\x5f\xa1\x23\xc0\x19\x20\x8c\xb3\x4b\x5e\xe5\x61\xc2\x74\xea\x40\xa7\xb3\x4e\x58\x13\xa4\xa2\x9b\xe4\x08\x17\xeb\x1f\x7b\x3e\x9b\xef\x60\xf7\xc5\x66\x57\x48\x12\x36\xb9\x3e\x2c\x29\x7f\x17\xc7\x76\xb9\x8f\x1d\x0c\x8f\x2a\x56\x44\x77\x66\xc7\x28\x8b\xa6\xb1\xe3\x85\xb8\x4a\x51\x6a\x98\xab\x72\x9b\xa7\x0e\x31\xfe\xe3\xaa\xb1\x01\xd5\x90\xa4\x48\x1a\xe5\x85\x63\x26\xc6\x82\x5b\x73\xc7\xae\x7d\x3b\x99\xcb\x3c\x59\xdb\x31\xa1\x27\x26\x23\x4b\x90\x05\x84\xe8\xdb\x77\x93\x52\x18\x8d\x12\xc9\x32\xd4\xaa\xcb\x59\xee\xf3\x3d\x33\xb9\x55\x05\x10\xcf\x2b\x49\xda\x74\x7e\x03\x1c\x83\x11\x7b\x51\x1a\x1b\xb9\x3e\xd7\x6c\x71\x6e\x6a\x02\x54", 234); *(uint8_t*)0x20006ee1 = 7; *(uint8_t*)0x20006ee2 = 0x25; *(uint8_t*)0x20006ee3 = 1; *(uint8_t*)0x20006ee4 = 0; *(uint8_t*)0x20006ee5 = 6; *(uint16_t*)0x20006ee6 = 0x40; *(uint8_t*)0x20006ee8 = 9; *(uint8_t*)0x20006ee9 = 5; *(uint8_t*)0x20006eea = 1; *(uint8_t*)0x20006eeb = 0; *(uint16_t*)0x20006eec = 0x100; *(uint8_t*)0x20006eee = 0xfe; *(uint8_t*)0x20006eef = 8; *(uint8_t*)0x20006ef0 = 0x37; *(uint8_t*)0x20006ef1 = 0xe9; *(uint8_t*)0x20006ef2 = 0x23; memcpy((void*)0x20006ef3, 
"\x1a\x0e\x35\x42\x85\x7d\x49\xea\x63\xb7\x26\x1e\xbf\xc1\x9f\x14\x27\x2e\x28\x4d\x26\x65\xd2\x79\x5e\x43\xf6\xf9\xca\x62\x77\x6c\x9e\xe5\x2d\x99\x18\x79\xd7\xd6\x7b\x4d\x8b\x27\x0f\xd5\x15\x98\xbe\xac\x1c\x03\x39\xb2\x25\x7a\xd6\x8c\x1d\xde\x54\x88\x5a\xe2\xd2\x19\xb8\x7c\xde\x15\x9a\x98\x97\xc8\x8b\xda\x26\xe0\x8a\x36\x91\x05\x50\x22\x73\x9c\x1f\xe6\x4a\xdb\x98\x63\x9d\xc2\x54\x21\xc4\x49\xcf\x36\x48\x00\xc4\xc3\x65\x06\x2f\x24\x88\xe6\x90\x1e\x56\xe6\x2f\x4b\x70\x3e\xae\x7a\xf2\x62\x98\xa1\xee\xe1\xbf\xe6\x2d\x9b\x2a\xe3\x53\x20\xae\x2b\xaf\x17\x4e\x94\xff\x55\x32\x10\x97\xbe\x81\xe0\x27\x9f\x5d\x0a\xa8\x4d\xd1\x8c\xa0\x86\x4d\x98\xd0\xed\xbb\xea\xa1\x9d\xdf\x36\x26\xfd\x83\xa2\xe2\xb5\xf6\x76\xa7\x34\xd4\x78\x4b\x3c\x68\x77\xfd\x1b\xb3\xc9\x54\x3d\xf7\xab\xda\x9b\xd9\xc9\xbe\x40\x59\x49\x74\x7e\x21\x07\x3c\x18\x95\x7f\xff\x0e\xaa\xc0\x27\x3c\xfd\x3f\x70\x2c\xb6\x55\x97\x94\x9a\x17\x27\x26\xf7\xe4\x59\x53\x6c", 231); *(uint8_t*)0x20006fda = 0x18; *(uint8_t*)0x20006fdb = 0x10; memcpy((void*)0x20006fdc, "\xa0\x28\x90\x17\xf3\xf4\x33\xf1\x10\x59\x48\x9a\x61\x11\x58\x23\xe1\x13\x8a\xe8\x4a\x34", 22); *(uint8_t*)0x20006ff2 = 9; *(uint8_t*)0x20006ff3 = 5; *(uint8_t*)0x20006ff4 = 0xe; *(uint8_t*)0x20006ff5 = 4; *(uint16_t*)0x20006ff6 = 0x10; *(uint8_t*)0x20006ff8 = 0x67; *(uint8_t*)0x20006ff9 = 3; *(uint8_t*)0x20006ffa = 8; *(uint8_t*)0x20006ffb = 7; *(uint8_t*)0x20006ffc = 0x25; *(uint8_t*)0x20006ffd = 1; *(uint8_t*)0x20006ffe = 1; *(uint8_t*)0x20006fff = 0x80; *(uint16_t*)0x20007000 = 0x2e6; *(uint8_t*)0x20007002 = 9; *(uint8_t*)0x20007003 = 5; *(uint8_t*)0x20007004 = 0xd; *(uint8_t*)0x20007005 = 4; *(uint16_t*)0x20007006 = 0x200; *(uint8_t*)0x20007008 = 0x48; *(uint8_t*)0x20007009 = 0x35; *(uint8_t*)0x2000700a = 8; *(uint8_t*)0x2000700b = 0xe5; *(uint8_t*)0x2000700c = 5; memcpy((void*)0x2000700d, 
"\x30\xef\xe9\xc1\xa6\xe5\xc8\x9c\x20\x31\x21\x4c\x60\xfb\xbe\xaa\x45\x78\x09\x1e\x38\x00\x9c\x76\x1d\x15\x77\x48\x02\x93\x4c\xfd\x36\x35\x5b\x35\x18\xcc\xfe\x59\xfa\x5e\x7c\xce\xe3\xc1\x3a\xc4\xaf\xfb\xe0\x73\xe0\xe7\x88\xc9\xb5\xe3\x22\x16\xef\xbf\x02\xe3\x58\x69\xd7\xb2\x33\xa3\x89\xf8\x12\xbf\xd8\x49\x43\x3c\x32\x84\x66\xed\xa5\xe0\xe3\x23\x75\x29\xcd\xc6\x5e\x4e\xee\x74\x3d\x31\xff\xc1\x86\xa1\xfe\x79\x4b\xdf\x13\x64\xf3\x1e\xae\xff\x39\x82\x9e\x8f\x61\x44\x85\x0d\x74\x70\xcc\x71\x57\x2d\x1f\x2f\x23\xdc\xcd\xbc\xdd\x99\xe4\x93\x0d\xe7\xed\xbf\x59\xb3\x38\xdb\x34\x90\x30\x5f\xd7\x71\x02\x57\x98\x0b\x7f\x76\xb8\xda\xea\xcb\x2a\xd6\x18\x13\x1f\xb9\xb5\xa3\xe0\x26\xc9\xdd\xbd\x69\x48\x3c\xd7\x94\xca\xad\x29\xf2\xe3\xb6\x31\x24\xa9\x52\xb4\x62\xde\x0c\xd9\x51\xd7\xef\xd9\xb3\xb2\x91\x07\xb6\x41\x41\x7e\x77\x83\xd9\x01\x59\x13\x7f\xa5\x27\x3a\x95\xe0\xcc\x46\xc9\x7c\x22\x46\xe6\x11\xac\xb1\x4b\x4d", 227); *(uint8_t*)0x200070f0 = 9; *(uint8_t*)0x200070f1 = 5; *(uint8_t*)0x200070f2 = 3; *(uint8_t*)0x200070f3 = 0x10; *(uint16_t*)0x200070f4 = 8; *(uint8_t*)0x200070f6 = 0; *(uint8_t*)0x200070f7 = 0x33; *(uint8_t*)0x200070f8 = 9; *(uint8_t*)0x200070f9 = 9; *(uint8_t*)0x200070fa = 5; *(uint8_t*)0x200070fb = 2; *(uint8_t*)0x200070fc = 0xc; *(uint16_t*)0x200070fd = 0x400; *(uint8_t*)0x200070ff = 0xed; *(uint8_t*)0x20007100 = 7; *(uint8_t*)0x20007101 = 9; *(uint8_t*)0x20007102 = 0x84; *(uint8_t*)0x20007103 = 0x31; memcpy((void*)0x20007104, "\xee\x4c\xd2\x19\x15\x4d\xf4\x91\xc4\xd3\x2a\xa3\x21\x12\xcf\xf4\x07\x51\x1b\x06\xb1\x7f\x74\x34\x09\xec\xc2\x16\xc3\x1e\x92\xce\xfa\x2b\x5c\xc5\x9e\x63\x4d\x7a\xeb\xa2\xc9\xe5\xe3\x6d\x8e\xfa\xdc\x02\x55\x17\x25\x18\xf9\x09\xb4\xe1\xa7\xda\xf4\xd9\x88\xb1\xee\xaf\x19\x6c\x76\xee\x90\x2b\x65\x7d\x12\xfc\x23\xc2\x1e\x17\x6c\xd1\x49\xe9\x8a\x8d\x8d\x57\x55\xb7\x4f\xed\x1a\x42\x84\xbc\xfd\x6e\x69\x61\x95\x1f\xf8\x21\x6f\x7b\xb4\x2f\x79\x0e\xdd\x53\x9c\x1b\xc5\xbb\xac\x44\xf7\x67\xa6\x85\xc5\x7c\xbb\xde\xc8\x30\xc5\x2c", 130); 
*(uint8_t*)0x20007186 = 7; *(uint8_t*)0x20007187 = 0x25; *(uint8_t*)0x20007188 = 1; *(uint8_t*)0x20007189 = 0x83; *(uint8_t*)0x2000718a = 1; *(uint16_t*)0x2000718b = 0xfe01; *(uint8_t*)0x2000718d = 9; *(uint8_t*)0x2000718e = 5; *(uint8_t*)0x2000718f = 3; *(uint8_t*)0x20007190 = 0; *(uint16_t*)0x20007191 = 0x40; *(uint8_t*)0x20007193 = 2; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 9; *(uint8_t*)0x20007197 = 5; *(uint8_t*)0x20007198 = 0; *(uint8_t*)0x20007199 = 0; *(uint16_t*)0x2000719a = 0x400; *(uint8_t*)0x2000719c = 0; *(uint8_t*)0x2000719d = 0x2f; *(uint8_t*)0x2000719e = 4; *(uint8_t*)0x2000719f = 9; *(uint8_t*)0x200071a0 = 5; *(uint8_t*)0x200071a1 = 0x8f; *(uint8_t*)0x200071a2 = 8; *(uint16_t*)0x200071a3 = 8; *(uint8_t*)0x200071a5 = 0x81; *(uint8_t*)0x200071a6 = 1; *(uint8_t*)0x200071a7 = 0x7f; *(uint8_t*)0x200071a8 = 7; *(uint8_t*)0x200071a9 = 0x25; *(uint8_t*)0x200071aa = 1; *(uint8_t*)0x200071ab = 0; *(uint8_t*)0x200071ac = 9; *(uint16_t*)0x200071ad = 0xfb; *(uint8_t*)0x200071af = 7; *(uint8_t*)0x200071b0 = 0x25; *(uint8_t*)0x200071b1 = 1; *(uint8_t*)0x200071b2 = 0x81; *(uint8_t*)0x200071b3 = 7; *(uint16_t*)0x200071b4 = 3; *(uint8_t*)0x200071b6 = 9; *(uint8_t*)0x200071b7 = 5; *(uint8_t*)0x200071b8 = 2; *(uint8_t*)0x200071b9 = 0; *(uint16_t*)0x200071ba = 0x400; *(uint8_t*)0x200071bc = 0x40; *(uint8_t*)0x200071bd = 0x76; *(uint8_t*)0x200071be = 3; *(uint8_t*)0x200071bf = 7; *(uint8_t*)0x200071c0 = 0x25; *(uint8_t*)0x200071c1 = 1; *(uint8_t*)0x200071c2 = 0x80; *(uint8_t*)0x200071c3 = 0x31; *(uint16_t*)0x200071c4 = 8; *(uint8_t*)0x200071c6 = 9; *(uint8_t*)0x200071c7 = 5; *(uint8_t*)0x200071c8 = 0xf; *(uint8_t*)0x200071c9 = 0x10; *(uint16_t*)0x200071ca = 0x3ff; *(uint8_t*)0x200071cc = 6; *(uint8_t*)0x200071cd = 0xb2; *(uint8_t*)0x200071ce = 6; *(uint8_t*)0x200071cf = 7; *(uint8_t*)0x200071d0 = 0x25; *(uint8_t*)0x200071d1 = 1; *(uint8_t*)0x200071d2 = 0x82; *(uint8_t*)0x200071d3 = 0x80; *(uint16_t*)0x200071d4 = 6; 
*(uint8_t*)0x200071d6 = 9; *(uint8_t*)0x200071d7 = 5; *(uint8_t*)0x200071d8 = 0xf; *(uint8_t*)0x200071d9 = 0x10; *(uint16_t*)0x200071da = 0x200; *(uint8_t*)0x200071dc = 6; *(uint8_t*)0x200071dd = 6; *(uint8_t*)0x200071de = 0xca; *(uint8_t*)0x200071df = 7; *(uint8_t*)0x200071e0 = 0x25; *(uint8_t*)0x200071e1 = 1; *(uint8_t*)0x200071e2 = 0x81; *(uint8_t*)0x200071e3 = 0x20; *(uint16_t*)0x200071e4 = 3; *(uint8_t*)0x200071e6 = 9; *(uint8_t*)0x200071e7 = 5; *(uint8_t*)0x200071e8 = 0x80; *(uint8_t*)0x200071e9 = 0x10; *(uint16_t*)0x200071ea = 0x400; *(uint8_t*)0x200071ec = 1; *(uint8_t*)0x200071ed = 0xfc; *(uint8_t*)0x200071ee = 4; *(uint8_t*)0x200071ef = 0xd4; *(uint8_t*)0x200071f0 = 0x21; memcpy((void*)0x200071f1, "\x28\xa1\xdf\xa1\xd2\x8f\x9a\xe6\x0d\x0a\x8e\x9e\x3c\x51\x2d\xb3\x53\x69\xd4\x79\xfa\x6e\x6a\xa0\x99\xe2\x67\xe1\xce\xd7\x7c\xa2\xe1\x80\xb4\x29\x77\x90\x23\xa8\x72\xb0\xef\x88\x07\xe1\x1f\x8b\x8b\x21\xb8\x11\xd4\xfe\x55\x27\x33\x5c\xe8\x6e\x3a\x95\xcd\xf9\x60\xd1\xe7\x9e\x88\xc2\x76\xc1\x74\xd1\x83\xd2\xf3\xbc\x08\x62\xdd\x7e\x1d\x29\xac\x58\x9c\xeb\x22\x02\x4e\x25\xa4\x4c\x3e\x81\x23\x58\x1d\x14\x48\xfd\x2d\xb5\x33\x2f\xe4\x1c\x23\xf9\xaa\x95\x95\x64\xf3\x2d\xb1\xda\x14\x61\x04\x15\xdd\xc2\x93\xdc\x57\xc9\xd6\xc7\x75\xd2\x21\x51\xbd\xab\x23\x6a\x5a\x73\x59\x2e\x55\x18\x05\x57\x28\xae\x81\x9e\x25\xc0\x80\xcb\xb9\xbf\x02\x03\xb6\x63\x9b\x8f\xd8\xd7\x16\xd9\xc5\x71\xd6\xb2\x60\xea\x29\x77\x33\xd5\x3c\x3a\x05\x44\x9b\x9b\x92\x21\xd0\xf4\x02\x61\x0c\x98\x37\x18\x9f\x9c\x6a\xb3\xba\xaf\x03\x1d\x48\x69\x26\x90\xc9\x98\x1c\xee\x14\x26", 210); *(uint8_t*)0x200072c3 = 0xc3; *(uint8_t*)0x200072c4 = 6; memcpy((void*)0x200072c5, 
"\x60\xed\x98\x57\x6f\xbb\xbe\xe3\xdb\x67\xd5\x35\xea\x7e\x1a\x19\xd9\x2d\x68\x9e\x2f\x03\x30\x8a\x61\x5a\x56\x41\xe7\x2e\x69\x4d\x99\x6f\x76\xc1\x11\x1c\x88\xc5\x07\xc3\x9a\x87\xf3\x4a\x36\x82\xda\xfb\xfe\x58\x3b\x79\xf5\xb9\x50\xa3\x06\x14\x16\x2c\x60\x5f\x7e\x6c\x5d\x45\x2b\x4f\x84\xa1\x45\xf2\x0b\xf4\x47\x0d\xdf\x43\xf0\x6c\x41\x5d\xc6\xc4\x15\x51\xfd\x45\x8b\xa6\xae\xdf\x57\xd7\x4c\xb8\x5a\x25\xe4\x33\x24\x81\x4b\x62\xc3\xbe\x41\x08\xb1\xea\x5b\x9d\xd2\x2a\x78\xa4\x5c\xdf\x5d\x8f\x27\xc1\x1f\x35\x02\x6b\xf7\xef\x10\xc7\xd1\xf0\x61\x5f\xe1\xc4\x4a\x30\x2a\x84\xd8\x8b\x8d\x6c\x2d\x85\x04\x9c\x9f\x48\xa0\x4b\x4e\x61\x80\x1c\x01\x7f\x60\x9b\x67\x3f\xc8\x29\x0f\x73\x62\xa0\xed\x35\x88\x2a\x33\x5b\x65\x7f\x83\x5f\xce\x8e\x20\x10\x0c\xde\x82\xc1\xa3\xdc\x18\x06\x11", 193); *(uint32_t*)0x20007740 = 0xa; *(uint32_t*)0x20007744 = 0x200073c0; *(uint8_t*)0x200073c0 = 0xa; *(uint8_t*)0x200073c1 = 6; *(uint16_t*)0x200073c2 = 0x310; *(uint8_t*)0x200073c4 = 5; *(uint8_t*)0x200073c5 = 0x80; *(uint8_t*)0x200073c6 = -1; *(uint8_t*)0x200073c7 = 0xbf; *(uint8_t*)0x200073c8 = 5; *(uint8_t*)0x200073c9 = 0; *(uint32_t*)0x20007748 = 5; *(uint32_t*)0x2000774c = 0x20007400; *(uint8_t*)0x20007400 = 5; *(uint8_t*)0x20007401 = 0xf; *(uint16_t*)0x20007402 = 5; *(uint8_t*)0x20007404 = 0; *(uint32_t*)0x20007750 = 5; *(uint32_t*)0x20007754 = 0xa8; *(uint32_t*)0x20007758 = 0x20007440; *(uint8_t*)0x20007440 = 0xa8; *(uint8_t*)0x20007441 = 3; memcpy((void*)0x20007442, 
"\x05\x84\xbd\xdc\x14\x96\x71\xf9\xe6\xc6\xcd\x12\x3b\x79\x6c\xaf\xe2\xeb\x5d\x2b\xd3\xcf\x65\xe3\xeb\x0f\x3a\x60\x1a\xba\x71\x64\x71\x3d\x40\x42\x65\x3f\x2c\xca\x18\x22\x07\xd4\xe7\xff\xa8\xbc\x71\xe7\x05\xaa\x48\xbc\xff\x03\xfd\xdd\x2e\x3e\x6b\xeb\xe1\x1c\xb6\x1f\x95\xfa\xf1\x4a\xfd\xf2\x94\x40\x02\x1e\x85\x1f\xb6\x82\xaa\x24\xe6\x24\xe8\x33\x95\x2d\xb6\xd1\xf9\x6a\xa7\xed\xfc\x74\xce\x50\x13\x59\x69\x4c\x75\x83\xeb\x5e\x48\xdf\xe2\x27\xd2\x10\x5d\x5e\x3d\x23\x59\xe3\xc7\x28\xa4\x8a\xdf\xf0\x9b\x11\x32\xf9\x28\x89\x3c\xee\xfa\xe6\x77\x00\x98\x3b\xe1\xca\x94\xe8\x18\xe7\xa1\x46\x3c\x80\x2f\x1f\xc2\xa7\x2d\x40\x90\x09\x33\x40\x3d\x7b\x25\x5a\x35\xd9\xdc\x33", 166); *(uint32_t*)0x2000775c = 4; *(uint32_t*)0x20007760 = 0x20007500; *(uint8_t*)0x20007500 = 4; *(uint8_t*)0x20007501 = 3; *(uint16_t*)0x20007502 = 0x42c; *(uint32_t*)0x20007764 = 0xf4; *(uint32_t*)0x20007768 = 0x20007540; *(uint8_t*)0x20007540 = 0xf4; *(uint8_t*)0x20007541 = 3; memcpy((void*)0x20007542, "\x1c\x53\x71\x17\xdc\x72\x0a\xf3\xcc\xf1\x08\x68\x7c\x86\xcb\x54\x4b\xc8\x85\x37\x9e\x43\x5d\xbb\x86\x1b\xc9\xa0\x15\x50\x59\x2e\x60\x08\xae\x94\xa1\xf9\x83\x17\xad\x9c\xd8\x04\x01\x6b\x07\x9b\x5e\xc2\x94\xdc\xaf\x45\x37\xcf\x5b\x68\xc3\xc4\x35\x37\x54\xca\xf3\x69\xba\x34\x10\x1c\xbd\x21\x92\x6b\x15\xce\xf6\x7a\xb6\x3e\xad\x40\xab\xfb\xef\x86\x7b\x37\x2f\xe2\x78\x18\x66\xf8\x7a\x2d\xcc\xf9\x8f\xfe\x66\x53\x1c\x1d\x50\x21\x40\x6c\x69\xce\x84\xb4\x39\x13\x0c\xac\x71\xf5\x25\x64\xb7\xc8\xfa\x62\x1d\x71\xd5\xff\x00\x15\x17\x59\x3f\x05\x9d\xa0\xcb\x82\xf1\xfd\x5e\x32\x7d\xf9\xab\xec\x49\x46\xe3\x4e\x20\xd3\xf1\xdf\x8f\x4a\x04\x22\xf9\xbb\x53\x89\x49\xb4\xa1\x4d\x1b\x3a\xfd\x67\x93\xe8\x1d\x3b\xa5\x96\xd1\x6d\x8c\xee\x0e\x70\x03\x14\xe5\x31\xe6\x02\xfe\x5c\xb8\x32\xb2\x2c\x7a\x2f\x9f\x36\xf3\x9d\x05\x38\x76\x47\x81\x57\xd5\x41\xe8\xc0\x97\x7a\x9a\xca\xf6\x91\xf1\x23\x4f\x66\x5d\x23\x4f\x82\xee\x90\xff\x89\x82\xd9\xc1\x37\x1a\x15\xdd\xc8\xed\x23\x92\xdd\x5a\x96", 242); *(uint32_t*)0x2000776c = 0x98; 
*(uint32_t*)0x20007770 = 0x20007640; *(uint8_t*)0x20007640 = 0x98; *(uint8_t*)0x20007641 = 3; memcpy((void*)0x20007642, "\x07\x8c\xbe\xfd\x67\x79\x6b\x8d\x00\xc6\xa0\x27\xe5\xd0\x7b\xc3\xb0\x07\x56\xac\xaf\xb9\x09\x6e\x3e\x38\x1a\x99\xfd\xbe\x8a\x51\x61\xca\x19\xa9\x62\x8d\x61\xba\xef\xd6\x97\x2b\x48\xf5\xe0\x4b\x0f\xa6\xe2\xb9\x9c\xca\x8d\xf5\xb5\x0d\xbd\x97\xd6\x56\xc0\x2f\x85\x83\xa5\x8c\xe8\xcb\xd3\x5c\x69\xfb\x3f\x86\xde\x0d\xda\xc9\x0f\x5b\xe8\xd4\xf0\x4a\x3a\xd4\xf3\x12\x93\xb5\x09\x95\x91\x39\xbe\xa0\xf3\x06\x7d\x0e\xbf\xa3\xc5\xb2\x10\xe1\x99\x30\x78\xb0\xae\x92\x95\x61\xfc\x77\x34\x86\x9b\x3d\xd8\xd8\x12\xc0\x0a\x30\x35\x23\x61\x66\xa3\x12\x27\xae\x29\x1e\x69\x6a\xb4\xf8\x1f\x4e\x3f\x02\xd6\xb2\xf3\x34", 150); *(uint32_t*)0x20007774 = 4; *(uint32_t*)0x20007778 = 0x20007700; *(uint8_t*)0x20007700 = 4; *(uint8_t*)0x20007701 = 3; *(uint16_t*)0x20007702 = 0x43e; syz_usb_connect(2, 0x6c6, 0x20006cc0, 0x20007740); break; case 41: *(uint8_t*)0x20007780 = 0x12; *(uint8_t*)0x20007781 = 1; *(uint16_t*)0x20007782 = 0x200; *(uint8_t*)0x20007784 = -1; *(uint8_t*)0x20007785 = -1; *(uint8_t*)0x20007786 = -1; *(uint8_t*)0x20007787 = 0x40; *(uint16_t*)0x20007788 = 0xcf3; *(uint16_t*)0x2000778a = 0x9271; *(uint16_t*)0x2000778c = 0x108; *(uint8_t*)0x2000778e = 1; *(uint8_t*)0x2000778f = 2; *(uint8_t*)0x20007790 = 3; *(uint8_t*)0x20007791 = 1; *(uint8_t*)0x20007792 = 9; *(uint8_t*)0x20007793 = 2; *(uint16_t*)0x20007794 = 0x48; *(uint8_t*)0x20007796 = 1; *(uint8_t*)0x20007797 = 1; *(uint8_t*)0x20007798 = 0; *(uint8_t*)0x20007799 = 0x80; *(uint8_t*)0x2000779a = 0xfa; *(uint8_t*)0x2000779b = 9; *(uint8_t*)0x2000779c = 4; *(uint8_t*)0x2000779d = 0; *(uint8_t*)0x2000779e = 0; *(uint8_t*)0x2000779f = 6; *(uint8_t*)0x200077a0 = -1; *(uint8_t*)0x200077a1 = 0; *(uint8_t*)0x200077a2 = 0; *(uint8_t*)0x200077a3 = 0; *(uint8_t*)0x200077a4 = 9; *(uint8_t*)0x200077a5 = 5; *(uint8_t*)0x200077a6 = 1; *(uint8_t*)0x200077a7 = 2; *(uint16_t*)0x200077a8 = 0x200; *(uint8_t*)0x200077aa = 0; 
*(uint8_t*)0x200077ab = 0; *(uint8_t*)0x200077ac = 0; *(uint8_t*)0x200077ad = 9; *(uint8_t*)0x200077ae = 5; *(uint8_t*)0x200077af = 0x82; *(uint8_t*)0x200077b0 = 2; *(uint16_t*)0x200077b1 = 0x200; *(uint8_t*)0x200077b3 = 0; *(uint8_t*)0x200077b4 = 0; *(uint8_t*)0x200077b5 = 0; *(uint8_t*)0x200077b6 = 9; *(uint8_t*)0x200077b7 = 5; *(uint8_t*)0x200077b8 = 0x83; *(uint8_t*)0x200077b9 = 3; *(uint16_t*)0x200077ba = 0x40; *(uint8_t*)0x200077bc = 1; *(uint8_t*)0x200077bd = 0; *(uint8_t*)0x200077be = 0; *(uint8_t*)0x200077bf = 9; *(uint8_t*)0x200077c0 = 5; *(uint8_t*)0x200077c1 = 4; *(uint8_t*)0x200077c2 = 3; *(uint16_t*)0x200077c3 = 0x40; *(uint8_t*)0x200077c5 = 1; *(uint8_t*)0x200077c6 = 0; *(uint8_t*)0x200077c7 = 0; *(uint8_t*)0x200077c8 = 9; *(uint8_t*)0x200077c9 = 5; *(uint8_t*)0x200077ca = 5; *(uint8_t*)0x200077cb = 2; *(uint16_t*)0x200077cc = 0x200; *(uint8_t*)0x200077ce = 0; *(uint8_t*)0x200077cf = 0; *(uint8_t*)0x200077d0 = 0; *(uint8_t*)0x200077d1 = 9; *(uint8_t*)0x200077d2 = 5; *(uint8_t*)0x200077d3 = 6; *(uint8_t*)0x200077d4 = 2; *(uint16_t*)0x200077d5 = 0x200; *(uint8_t*)0x200077d7 = 0; *(uint8_t*)0x200077d8 = 0; *(uint8_t*)0x200077d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007780, 0); if (res != -1) r[22] = res; break; case 42: *(uint32_t*)0x200079c0 = 0x18; *(uint32_t*)0x200079c4 = 0x20007800; *(uint8_t*)0x20007800 = 0x20; *(uint8_t*)0x20007801 = 0x11; *(uint32_t*)0x20007802 = 0xb7; *(uint8_t*)0x20007806 = 0xb7; *(uint8_t*)0x20007807 = 9; memcpy((void*)0x20007808, 
"\x72\xf5\x91\xba\x5c\x69\x4f\x16\xa4\xd9\x20\x75\xef\x3e\xc8\xbc\x46\x92\x09\x54\x79\x9e\xc8\xd3\xc0\x30\x8f\x3b\x47\x79\xda\x6e\x18\xe9\x82\x4a\x86\x74\x6d\x01\x3a\x39\x9a\xfc\x7f\x6f\xce\xb6\xc3\x7f\x7f\x13\x1c\x71\xeb\xc0\x01\xf6\x66\xea\x63\xed\x3a\xde\x13\x20\x09\x73\x5a\x54\x66\x22\xf9\xe6\x39\xd4\x81\xc9\x67\xcc\x7b\x5b\x74\x7c\xc5\xe6\x2f\xdc\x41\xbb\xb4\xbb\x95\x87\x8a\x44\x2c\xc4\x91\x11\xc0\xf5\x78\x86\xf1\x70\x77\xa1\xb4\xb2\x2e\x3c\xf2\x8e\xec\xb7\x98\xfe\xed\x6f\x16\x8d\xd9\xcc\x26\x46\xf8\xb7\x9e\xd4\x1b\xba\x94\xde\x9e\x30\x4f\xc8\x45\x17\x9a\x73\x21\xf0\x47\x84\xaa\x91\x7b\xa0\x84\x05\xb0\xa9\x5b\x83\x03\xd9\x14\xef\x8e\x37\x47\x80\xdd\x8e\x34\x37\xc9\x5c\x35\x76\x4c\xd0\x63\xe7\xa3\xec\x6d\x79\x0b", 181); *(uint32_t*)0x200079c8 = 0x200078c0; *(uint8_t*)0x200078c0 = 0; *(uint8_t*)0x200078c1 = 3; *(uint32_t*)0x200078c2 = 4; *(uint8_t*)0x200078c6 = 4; *(uint8_t*)0x200078c7 = 3; *(uint16_t*)0x200078c8 = 0x813; *(uint32_t*)0x200079cc = 0x20007900; *(uint8_t*)0x20007900 = 0; *(uint8_t*)0x20007901 = 0xf; *(uint32_t*)0x20007902 = 0xc; *(uint8_t*)0x20007906 = 5; *(uint8_t*)0x20007907 = 0xf; *(uint16_t*)0x20007908 = 0xc; *(uint8_t*)0x2000790a = 1; *(uint8_t*)0x2000790b = 7; *(uint8_t*)0x2000790c = 0x10; *(uint8_t*)0x2000790d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000790e, 0x18, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20007910, 3, 0, 16); *(uint32_t*)0x200079d0 = 0x20007940; *(uint8_t*)0x20007940 = 0x20; *(uint8_t*)0x20007941 = 0x29; *(uint32_t*)0x20007942 = 0xf; *(uint8_t*)0x20007946 = 0xf; *(uint8_t*)0x20007947 = 0x29; *(uint8_t*)0x20007948 = 7; *(uint16_t*)0x20007949 = 0x80; *(uint8_t*)0x2000794b = 6; *(uint8_t*)0x2000794c = 0xe0; memcpy((void*)0x2000794d, "\x84\x02\x48\x7c", 4); memcpy((void*)0x20007951, "\x80\x56\xa3\xff", 4); *(uint32_t*)0x200079d4 = 0x20007980; *(uint8_t*)0x20007980 = 0x20; *(uint8_t*)0x20007981 = 0x2a; *(uint32_t*)0x20007982 = 0xc; 
*(uint8_t*)0x20007986 = 0xc; *(uint8_t*)0x20007987 = 0x2a; *(uint8_t*)0x20007988 = 0xa7; *(uint16_t*)0x20007989 = 2; *(uint8_t*)0x2000798b = 0x7d; *(uint8_t*)0x2000798c = 0; *(uint8_t*)0x2000798d = 0x80; *(uint16_t*)0x2000798e = 7; *(uint16_t*)0x20007990 = 6; *(uint32_t*)0x20007e80 = 0x44; *(uint32_t*)0x20007e84 = 0x20007a00; *(uint8_t*)0x20007a00 = 0x40; *(uint8_t*)0x20007a01 = 0x10; *(uint32_t*)0x20007a02 = 0x8c; memcpy((void*)0x20007a06, "\x21\xb8\x38\x25\x05\x9f\x24\x50\x6d\x8e\x84\x20\x85\xd1\xf2\xe7\xf9\x64\x47\x1b\x20\xed\x0a\x8e\x50\xa9\xaa\x4e\xf1\x6b\x5a\x6f\x2d\xbb\x2b\x57\x0a\x4f\x8d\x13\xd6\x0e\x47\xbb\x78\x21\xff\x91\x21\x11\xde\xe4\x0a\x78\xd4\x2b\x4d\x13\xea\x81\x2d\x92\x9c\xcf\x39\x64\xc5\x46\x8f\x89\xd2\xd2\x16\x30\xec\x87\x06\x7a\x2d\x13\xf4\x52\x38\xb4\x46\xbf\x57\xc6\xb9\xec\x35\x57\x8f\xa5\x87\xfc\x77\xfe\x21\x08\xb1\x59\x0b\xe0\x81\x68\x1c\xcc\x02\x4f\x1f\x59\x0b\xe9\xe5\xbe\xc9\xea\x86\xb9\x80\x3c\x60\x29\x9d\xda\x1a\x82\xf8\xff\x04\x42\x86\x71\xa4\x3b\xc2\xc3\x39\x3a", 140); *(uint32_t*)0x20007e88 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0; *(uint8_t*)0x20007ac1 = 0xa; *(uint32_t*)0x20007ac2 = 1; *(uint8_t*)0x20007ac6 = 4; *(uint32_t*)0x20007e8c = 0x20007b00; *(uint8_t*)0x20007b00 = 0; *(uint8_t*)0x20007b01 = 8; *(uint32_t*)0x20007b02 = 1; *(uint8_t*)0x20007b06 = 0xfb; *(uint32_t*)0x20007e90 = 0x20007b40; *(uint8_t*)0x20007b40 = 0x20; *(uint8_t*)0x20007b41 = 0; *(uint32_t*)0x20007b42 = 4; *(uint16_t*)0x20007b46 = 1; *(uint16_t*)0x20007b48 = 1; *(uint32_t*)0x20007e94 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x20; *(uint8_t*)0x20007b81 = 0; *(uint32_t*)0x20007b82 = 4; *(uint16_t*)0x20007b86 = 0x140; *(uint16_t*)0x20007b88 = 0x20; *(uint32_t*)0x20007e98 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 7; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 0x3ff; *(uint32_t*)0x20007e9c = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 9; *(uint32_t*)0x20007c02 = 1; *(uint8_t*)0x20007c06 = 0x81; 
*(uint32_t*)0x20007ea0 = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0xb; *(uint32_t*)0x20007c42 = 2; memcpy((void*)0x20007c46, "\x8a\x02", 2); *(uint32_t*)0x20007ea4 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0xf; *(uint32_t*)0x20007c82 = 2; *(uint16_t*)0x20007c86 = 0x321a; *(uint32_t*)0x20007ea8 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x13; *(uint32_t*)0x20007cc2 = 6; *(uint8_t*)0x20007cc6 = 1; *(uint8_t*)0x20007cc7 = 0x80; *(uint8_t*)0x20007cc8 = 0xc2; *(uint8_t*)0x20007cc9 = 0; *(uint8_t*)0x20007cca = 0; *(uint8_t*)0x20007ccb = 0; *(uint32_t*)0x20007eac = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x17; *(uint32_t*)0x20007d02 = 6; memcpy((void*)0x20007d06, "\xb0\xfe\x28\x1f\xa3\x91", 6); *(uint32_t*)0x20007eb0 = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x19; *(uint32_t*)0x20007d42 = 2; memcpy((void*)0x20007d46, "#7", 2); *(uint32_t*)0x20007eb4 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x1a; *(uint32_t*)0x20007d82 = 2; *(uint16_t*)0x20007d86 = 6; *(uint32_t*)0x20007eb8 = 0x20007dc0; *(uint8_t*)0x20007dc0 = 0x40; *(uint8_t*)0x20007dc1 = 0x1c; *(uint32_t*)0x20007dc2 = 1; *(uint8_t*)0x20007dc6 = 6; *(uint32_t*)0x20007ebc = 0x20007e00; *(uint8_t*)0x20007e00 = 0x40; *(uint8_t*)0x20007e01 = 0x1e; *(uint32_t*)0x20007e02 = 1; *(uint8_t*)0x20007e06 = 6; *(uint32_t*)0x20007ec0 = 0x20007e40; *(uint8_t*)0x20007e40 = 0x40; *(uint8_t*)0x20007e41 = 0x21; *(uint32_t*)0x20007e42 = 1; *(uint8_t*)0x20007e46 = 0x9e; syz_usb_control_io(r[22], 0x200079c0, 0x20007e80); break; case 43: *(uint8_t*)0x20007f00 = 0x12; *(uint8_t*)0x20007f01 = 1; *(uint16_t*)0x20007f02 = 0x70; *(uint8_t*)0x20007f04 = 2; *(uint8_t*)0x20007f05 = 0; *(uint8_t*)0x20007f06 = 0; *(uint8_t*)0x20007f07 = 0x50; *(uint16_t*)0x20007f08 = 0x525; *(uint16_t*)0x20007f0a = 0xa4a1; *(uint16_t*)0x20007f0c = 0x40; *(uint8_t*)0x20007f0e = 1; *(uint8_t*)0x20007f0f = 2; 
*(uint8_t*)0x20007f10 = 3; *(uint8_t*)0x20007f11 = 1; *(uint8_t*)0x20007f12 = 9; *(uint8_t*)0x20007f13 = 2; *(uint16_t*)0x20007f14 = 0x4d; *(uint8_t*)0x20007f16 = 1; *(uint8_t*)0x20007f17 = 1; *(uint8_t*)0x20007f18 = 2; *(uint8_t*)0x20007f19 = 0x70; *(uint8_t*)0x20007f1a = 0x40; *(uint8_t*)0x20007f1b = 9; *(uint8_t*)0x20007f1c = 4; *(uint8_t*)0x20007f1d = 0; *(uint8_t*)0x20007f1e = 0xc4; *(uint8_t*)0x20007f1f = 3; *(uint8_t*)0x20007f20 = 2; *(uint8_t*)0x20007f21 = 6; *(uint8_t*)0x20007f22 = 0; *(uint8_t*)0x20007f23 = 0xe1; *(uint8_t*)0x20007f24 = 8; *(uint8_t*)0x20007f25 = 0x24; *(uint8_t*)0x20007f26 = 6; *(uint8_t*)0x20007f27 = 0; *(uint8_t*)0x20007f28 = 0; memcpy((void*)0x20007f29, "W?s", 3); *(uint8_t*)0x20007f2c = 5; *(uint8_t*)0x20007f2d = 0x24; *(uint8_t*)0x20007f2e = 0; *(uint16_t*)0x20007f2f = 3; *(uint8_t*)0x20007f31 = 0xd; *(uint8_t*)0x20007f32 = 0x24; *(uint8_t*)0x20007f33 = 0xf; *(uint8_t*)0x20007f34 = 1; *(uint32_t*)0x20007f35 = 0x200; *(uint16_t*)0x20007f39 = 0; *(uint16_t*)0x20007f3b = 0x200; *(uint8_t*)0x20007f3d = 3; *(uint8_t*)0x20007f3e = 6; *(uint8_t*)0x20007f3f = 0x24; *(uint8_t*)0x20007f40 = 0x1a; *(uint16_t*)0x20007f41 = 0x1000; *(uint8_t*)0x20007f43 = 0; *(uint8_t*)0x20007f44 = 9; *(uint8_t*)0x20007f45 = 5; *(uint8_t*)0x20007f46 = 0x81; *(uint8_t*)0x20007f47 = 3; *(uint16_t*)0x20007f48 = 0x20; *(uint8_t*)0x20007f4a = 0x3f; *(uint8_t*)0x20007f4b = 0; *(uint8_t*)0x20007f4c = 0xd8; *(uint8_t*)0x20007f4d = 9; *(uint8_t*)0x20007f4e = 5; *(uint8_t*)0x20007f4f = 0x82; *(uint8_t*)0x20007f50 = 2; *(uint16_t*)0x20007f51 = 8; *(uint8_t*)0x20007f53 = -1; *(uint8_t*)0x20007f54 = 0xec; *(uint8_t*)0x20007f55 = 5; *(uint8_t*)0x20007f56 = 9; *(uint8_t*)0x20007f57 = 5; *(uint8_t*)0x20007f58 = 3; *(uint8_t*)0x20007f59 = 2; *(uint16_t*)0x20007f5a = 0x3cf; *(uint8_t*)0x20007f5c = 0x81; *(uint8_t*)0x20007f5d = 0x39; *(uint8_t*)0x20007f5e = 5; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f80; *(uint8_t*)0x20007f80 = 0xa; *(uint8_t*)0x20007f81 = 6; 
*(uint16_t*)0x20007f82 = 0; *(uint8_t*)0x20007f84 = 2; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x77; *(uint8_t*)0x20007f87 = -1; *(uint8_t*)0x20007f88 = 0x2f; *(uint8_t*)0x20007f89 = 0; *(uint32_t*)0x20008288 = 5; *(uint32_t*)0x2000828c = 0x20007fc0; *(uint8_t*)0x20007fc0 = 5; *(uint8_t*)0x20007fc1 = 0xf; *(uint16_t*)0x20007fc2 = 5; *(uint8_t*)0x20007fc4 = 0; *(uint32_t*)0x20008290 = 5; *(uint32_t*)0x20008294 = 0x69; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 0x69; *(uint8_t*)0x20008001 = 3; memcpy((void*)0x20008002, "\xd2\x5a\x9c\x8f\x14\x52\xa3\xc6\xff\xbf\xec\xa8\xeb\x77\x79\x35\xb5\x8c\x9b\x74\x06\x77\x50\x86\xff\xf7\x17\xb5\x4f\x05\xac\x59\xf9\x45\x17\xff\x3c\xd6\xf3\x10\x1d\xbf\xa7\x9b\xb8\x2a\xe3\x1b\x1d\x31\x6d\x08\xa7\x1d\x14\xfc\x2c\x1c\xfa\x8c\x89\x30\x68\xbd\xe2\xbb\x83\x0a\xe9\x1f\xc9\x42\x88\xcc\x23\x2a\xaa\xc0\xe6\x4b\x84\x00\x7b\x0e\x75\x36\xc3\xec\x34\xed\xef\x04\xde\xd9\x34\x21\xa3\x77\xe0\x69\x53\x26\xaa", 103); *(uint32_t*)0x2000829c = 0xac; *(uint32_t*)0x200082a0 = 0x20008080; *(uint8_t*)0x20008080 = 0xac; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x73\x60\x60\x9c\xe8\x30\x0a\xe4\x62\x33\x08\xd5\xf8\xb9\x7b\xfd\x50\xd3\xd8\x63\x40\x8b\x8e\xa4\x01\xc8\x6d\xa9\xd4\x2c\xe5\xf3\x86\x7c\xe8\xd7\x21\xfb\x2a\xb5\xc2\x5f\x6b\x4c\x5e\x85\xf5\xea\xf3\x41\xbd\x51\x4a\x16\xc2\xdf\xe3\xc7\xa1\xd7\xf4\x27\xae\x62\xc0\xbf\xf3\x79\xe8\x4d\x56\x63\x7e\xc1\x37\x7b\x8c\x8a\xd5\xb5\x5b\x09\x9c\xfa\xa4\xa7\xa6\xee\xb0\x58\x9f\x81\xe7\xa4\x33\x00\xef\xf5\x33\x54\xe1\xb2\xbd\xcd\xc3\x4d\x79\x45\xd6\x35\x62\xe4\x8d\x5e\xd9\x3b\xef\x75\xfd\x01\x60\xfc\xd7\xc3\xa6\xbe\x7f\x0c\x64\x2b\xb6\xe5\x61\xe3\x5a\x1c\x73\x11\x0b\xdc\xde\xd7\x69\x98\x65\xe2\x5e\xb2\x38\xcf\x8f\x3b\x10\xad\x3c\x10\x48\x80\x28\xc3\x70\x63\xc8\x86\x2f\x90\x7b\x06\x82\x9e", 170); *(uint32_t*)0x200082a4 = 4; *(uint32_t*)0x200082a8 = 0x20008140; *(uint8_t*)0x20008140 = 4; *(uint8_t*)0x20008141 = 3; *(uint16_t*)0x20008142 = 0x81a; *(uint32_t*)0x200082ac = 4; 
*(uint32_t*)0x200082b0 = 0x20008180; *(uint8_t*)0x20008180 = 4; *(uint8_t*)0x20008181 = 3; *(uint16_t*)0x20008182 = 0x180a; *(uint32_t*)0x200082b4 = 0xb9; *(uint32_t*)0x200082b8 = 0x200081c0; *(uint8_t*)0x200081c0 = 0xb9; *(uint8_t*)0x200081c1 = 3; memcpy((void*)0x200081c2, "\x37\xef\xeb\x85\x4b\x40\x51\xa4\x6c\x67\xae\xe7\xea\xa0\xf6\x2f\xde\x9f\x59\x9c\xd5\xba\x25\x32\x9d\x50\xae\xe1\x6b\x30\xc6\xc1\xa5\x14\x83\x10\x81\xaf\xc1\xdf\xd2\x68\x2f\xf4\x87\x16\xa9\x1b\xf9\x5e\x08\x42\x12\xb0\x69\x6d\x43\xe1\xc6\xc4\x3a\xda\xf9\xed\x3e\xf7\x0e\x62\x73\x59\x94\xd2\xd0\x86\x51\x39\x60\x49\x88\xfa\xc1\x79\x78\xd9\xc0\x5a\x84\xf3\x42\x38\x31\xdd\x1d\xdd\xc6\xc9\x4d\x50\xdd\xd6\x74\xf1\x65\x25\xbb\xf9\xa8\xdb\x3b\xb4\x90\x01\xbe\x38\xa1\x96\x70\xab\xd9\x9f\x4a\x2e\x97\xcf\xb2\x0d\x46\xc6\x37\x83\x2a\x3e\xc9\x7f\xf0\x94\xc6\xa3\x30\x49\x64\xb7\x2b\xcf\x11\x6b\xf2\x7f\xed\xd5\x52\x1a\xd3\xda\x22\x62\x97\xff\xf8\x49\xc3\x3c\x5d\x84\x9e\x3e\x30\x37\x52\x79\x01\xee\xf6\x3a\x59\x9b\xaa\x54\xfc\x46\xa4\x6f\xf1", 183); res = -1; res = syz_usb_connect(2, 0x5f, 0x20007f00, 0x20008280); if (res != -1) r[23] = res; break; case 44: syz_usb_disconnect(r[23]); break; case 45: *(uint8_t*)0x200082c0 = 0x12; *(uint8_t*)0x200082c1 = 1; *(uint16_t*)0x200082c2 = 0x110; *(uint8_t*)0x200082c4 = 2; *(uint8_t*)0x200082c5 = 0; *(uint8_t*)0x200082c6 = 0; *(uint8_t*)0x200082c7 = 0x20; *(uint16_t*)0x200082c8 = 0x525; *(uint16_t*)0x200082ca = 0xa4a1; *(uint16_t*)0x200082cc = 0x40; *(uint8_t*)0x200082ce = 1; *(uint8_t*)0x200082cf = 2; *(uint8_t*)0x200082d0 = 3; *(uint8_t*)0x200082d1 = 1; *(uint8_t*)0x200082d2 = 9; *(uint8_t*)0x200082d3 = 2; *(uint16_t*)0x200082d4 = 0xb3; *(uint8_t*)0x200082d6 = 1; *(uint8_t*)0x200082d7 = 1; *(uint8_t*)0x200082d8 = 6; *(uint8_t*)0x200082d9 = 0x28; *(uint8_t*)0x200082da = -1; *(uint8_t*)0x200082db = 9; *(uint8_t*)0x200082dc = 4; *(uint8_t*)0x200082dd = 0; *(uint8_t*)0x200082de = 9; *(uint8_t*)0x200082df = 2; *(uint8_t*)0x200082e0 = 2; *(uint8_t*)0x200082e1 = 6; 
*(uint8_t*)0x200082e2 = 0; *(uint8_t*)0x200082e3 = 4; *(uint8_t*)0x200082e4 = 6; *(uint8_t*)0x200082e5 = 0x24; *(uint8_t*)0x200082e6 = 6; *(uint8_t*)0x200082e7 = 0; *(uint8_t*)0x200082e8 = 0; memset((void*)0x200082e9, 177, 1); *(uint8_t*)0x200082ea = 5; *(uint8_t*)0x200082eb = 0x24; *(uint8_t*)0x200082ec = 0; *(uint16_t*)0x200082ed = 8; *(uint8_t*)0x200082ef = 0xd; *(uint8_t*)0x200082f0 = 0x24; *(uint8_t*)0x200082f1 = 0xf; *(uint8_t*)0x200082f2 = 1; *(uint32_t*)0x200082f3 = 0x9208; *(uint16_t*)0x200082f7 = 2; *(uint16_t*)0x200082f9 = 0; *(uint8_t*)0x200082fb = 0x20; *(uint8_t*)0x200082fc = 0x5e; *(uint8_t*)0x200082fd = 0x24; *(uint8_t*)0x200082fe = 0x13; *(uint8_t*)0x200082ff = 7; memcpy((void*)0x20008300, "\x63\xb0\xb9\x53\x77\x14\x7b\xa2\x14\xd9\x50\xfc\x04\xb2\x2c\x04\xbe\x09\xd9\xb9\x6f\x1a\xb9\x4b\xb0\x2e\x8a\x2a\x9e\x23\xcf\x7d\x3a\xca\xb2\x2a\x80\xed\x35\x0e\xc4\xb1\x78\x06\xed\xcb\x16\x9e\x50\x75\x37\x3d\x99\x17\x80\x21\x13\x92\xeb\x3d\x9f\x11\x73\xa5\x39\x84\x3b\xf2\xc3\xf6\x6a\x4a\x69\x60\xa5\x5a\x22\x07\x76\x7d\xb3\xc5\x5a\x7d\xd2\x89\x8b\x5c\xcb\x40", 90); *(uint8_t*)0x2000835a = 0xc; *(uint8_t*)0x2000835b = 0x24; *(uint8_t*)0x2000835c = 0x1b; *(uint16_t*)0x2000835d = 0x2a; *(uint16_t*)0x2000835f = 0x100; *(uint8_t*)0x20008361 = 0xe0; *(uint8_t*)0x20008362 = 0x76; *(uint16_t*)0x20008363 = 0; *(uint8_t*)0x20008365 = -1; *(uint8_t*)0x20008366 = 4; *(uint8_t*)0x20008367 = 0x24; *(uint8_t*)0x20008368 = 2; *(uint8_t*)0x20008369 = 0xa; *(uint8_t*)0x2000836a = 9; *(uint8_t*)0x2000836b = 5; *(uint8_t*)0x2000836c = 0x81; *(uint8_t*)0x2000836d = 3; *(uint16_t*)0x2000836e = 0x20; *(uint8_t*)0x20008370 = 0x73; *(uint8_t*)0x20008371 = 0x35; *(uint8_t*)0x20008372 = 0x3f; *(uint8_t*)0x20008373 = 9; *(uint8_t*)0x20008374 = 5; *(uint8_t*)0x20008375 = 0x82; *(uint8_t*)0x20008376 = 2; *(uint16_t*)0x20008377 = 8; *(uint8_t*)0x20008379 = 3; *(uint8_t*)0x2000837a = 1; *(uint8_t*)0x2000837b = 3; *(uint8_t*)0x2000837c = 9; *(uint8_t*)0x2000837d = 5; *(uint8_t*)0x2000837e = 3; 
*(uint8_t*)0x2000837f = 2; *(uint16_t*)0x20008380 = 0x40; *(uint8_t*)0x20008382 = 5; *(uint8_t*)0x20008383 = 0x40; *(uint8_t*)0x20008384 = 2; *(uint32_t*)0x200087c0 = 0xa; *(uint32_t*)0x200087c4 = 0x200083c0; *(uint8_t*)0x200083c0 = 0xa; *(uint8_t*)0x200083c1 = 6; *(uint16_t*)0x200083c2 = 0x201; *(uint8_t*)0x200083c4 = 0x79; *(uint8_t*)0x200083c5 = 3; *(uint8_t*)0x200083c6 = 0x3f; *(uint8_t*)0x200083c7 = 0x20; *(uint8_t*)0x200083c8 = 6; *(uint8_t*)0x200083c9 = 0; *(uint32_t*)0x200087c8 = 0x37; *(uint32_t*)0x200087cc = 0x20008400; *(uint8_t*)0x20008400 = 5; *(uint8_t*)0x20008401 = 0xf; *(uint16_t*)0x20008402 = 0x37; *(uint8_t*)0x20008404 = 5; *(uint8_t*)0x20008405 = 7; *(uint8_t*)0x20008406 = 0x10; *(uint8_t*)0x20008407 = 2; STORE_BY_BITMASK(uint32_t, , 0x20008408, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008409, 0xa, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008409, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000840a, 5, 0, 16); *(uint8_t*)0x2000840c = 7; *(uint8_t*)0x2000840d = 0x10; *(uint8_t*)0x2000840e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000840f, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008410, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008410, 9, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008411, 8, 0, 16); *(uint8_t*)0x20008413 = 0xa; *(uint8_t*)0x20008414 = 0x10; *(uint8_t*)0x20008415 = 3; *(uint8_t*)0x20008416 = 0xc9; *(uint16_t*)0x20008417 = 7; *(uint8_t*)0x20008419 = 7; *(uint8_t*)0x2000841a = 0; *(uint16_t*)0x2000841b = 8; *(uint8_t*)0x2000841d = 0xa; *(uint8_t*)0x2000841e = 0x10; *(uint8_t*)0x2000841f = 3; *(uint8_t*)0x20008420 = 2; *(uint16_t*)0x20008421 = 0xc; *(uint8_t*)0x20008423 = 0; *(uint8_t*)0x20008424 = 6; *(uint16_t*)0x20008425 = 6; *(uint8_t*)0x20008427 = 0x10; *(uint8_t*)0x20008428 = 0x10; *(uint8_t*)0x20008429 = 0xa; *(uint8_t*)0x2000842a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000842b, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000842b, 0x8001, 5, 27); *(uint16_t*)0x2000842f = 0xf00f; *(uint16_t*)0x20008431 = 0xfffd; *(uint32_t*)0x20008433 = 
0x3fc0; *(uint32_t*)0x200087d0 = 9; *(uint32_t*)0x200087d4 = 0x4f; *(uint32_t*)0x200087d8 = 0x20008440; *(uint8_t*)0x20008440 = 0x4f; *(uint8_t*)0x20008441 = 3; memcpy((void*)0x20008442, "\xc0\x66\x3b\x11\x6d\xab\x9b\xa5\xc0\xa2\xf7\xa2\xad\x48\x6f\xfc\x16\x4a\x43\x65\x89\x95\x65\xc5\xe9\x9b\x01\x52\x39\xf3\x78\xdf\x56\xdb\x4d\xc3\xb0\xbb\x08\xdc\xd2\x08\xd9\x58\xfa\x3c\xf0\x80\x97\xaa\x20\x8b\x2d\x28\x65\xb5\x02\xcb\xc9\x4b\x1a\x8e\x33\xbd\xd9\xd6\x48\x1f\xbf\x32\xd4\x91\x34\x22\xfe\x18\x9f", 77); *(uint32_t*)0x200087dc = 0x85; *(uint32_t*)0x200087e0 = 0x200084c0; *(uint8_t*)0x200084c0 = 0x85; *(uint8_t*)0x200084c1 = 3; memcpy((void*)0x200084c2, "\xc9\xc4\x87\xa9\x0b\xe3\xd4\x0e\xf7\x82\x37\x3d\x78\x5f\x86\xbd\xfc\x3d\xb6\xfb\x0d\xd0\xa7\x44\x0b\x2f\xe4\x59\x5c\x3a\x6b\xd6\x7a\xa8\x51\x8d\x89\x7a\x8a\x75\x7d\x5f\x1c\xeb\x86\xe5\x98\xca\xbf\x23\x45\xf7\x71\xc3\xc7\x12\x8b\xd1\x6d\xd4\xb1\xee\x9b\x7d\xbc\xaf\x61\x1e\x97\xf6\xdc\xb9\xf1\x71\xe8\xf7\x05\x2b\x0f\x33\xe6\x31\xbf\xe9\x9d\xdc\x44\x13\xe5\xe5\xd7\xb6\x34\xdc\xc3\xb7\x7e\x4d\x30\x1f\x89\xa8\xd3\xb8\x51\xb0\x23\x06\xca\xbe\xc2\x11\x12\x7a\x8e\x54\x1d\x16\x26\x36\x58\x8f\xf5\x74\xde\x82\xde\x8f\x30\x7d\x43", 131); *(uint32_t*)0x200087e4 = 4; *(uint32_t*)0x200087e8 = 0x20008580; *(uint8_t*)0x20008580 = 4; *(uint8_t*)0x20008581 = 3; *(uint16_t*)0x20008582 = 0x1407; *(uint32_t*)0x200087ec = 4; *(uint32_t*)0x200087f0 = 0x200085c0; *(uint8_t*)0x200085c0 = 4; *(uint8_t*)0x200085c1 = 3; *(uint16_t*)0x200085c2 = 0; *(uint32_t*)0x200087f4 = 0xaa; *(uint32_t*)0x200087f8 = 0x20008600; *(uint8_t*)0x20008600 = 0xaa; *(uint8_t*)0x20008601 = 3; memcpy((void*)0x20008602, 
"\xce\x39\x5e\x8e\x9f\x40\x9a\x37\xda\xeb\x1c\x20\xbe\x9c\xa4\x00\x4a\xe8\x10\xcf\x16\x53\xec\xcd\x6e\x66\x3d\xd7\x4f\x8b\xc0\x69\x89\xb4\xd1\xa6\x5c\x9f\x48\x0b\xd3\x7e\x9d\xd8\x53\x49\xf2\x98\xdd\xad\xdc\x2c\xc9\xe4\xed\xa1\x47\xf2\x31\x40\x2e\x11\x6f\xb5\x94\xa6\x37\x18\xd8\x21\xd8\x85\xeb\xd6\x7e\xda\x45\x15\x58\xb1\xfb\xa3\x09\x3e\xcb\xd4\x0c\xbe\x5f\xbe\x07\xf9\x4e\xd9\x27\xd8\xe5\x03\x9a\x7c\x49\x7a\xa8\xd1\xf1\x0a\x4d\xda\xc0\x49\xad\x82\x0f\x8c\x53\x2c\x5a\x3f\x00\x94\x79\x55\x03\x24\x23\x92\x2e\x95\xaa\x5b\xfe\xe0\x41\xf7\xfe\x87\x44\xec\xc4\x42\x40\x57\xee\xc9\x70\x40\xb3\x41\xd0\xdd\xdc\xaf\x20\x6d\xa6\x43\x1e\x98\x7f\x04\xcf\xd5\x58\x02\xca\xd3\xa1\x14", 168); *(uint32_t*)0x200087fc = 4; *(uint32_t*)0x20008800 = 0x200086c0; *(uint8_t*)0x200086c0 = 4; *(uint8_t*)0x200086c1 = 3; *(uint16_t*)0x200086c2 = 0x3c01; *(uint32_t*)0x20008804 = 4; *(uint32_t*)0x20008808 = 0x20008700; *(uint8_t*)0x20008700 = 4; *(uint8_t*)0x20008701 = 3; *(uint16_t*)0x20008702 = 0x1809; *(uint32_t*)0x2000880c = 4; *(uint32_t*)0x20008810 = 0x20008740; *(uint8_t*)0x20008740 = 4; *(uint8_t*)0x20008741 = 3; *(uint16_t*)0x20008742 = 0x807; *(uint32_t*)0x20008814 = 4; *(uint32_t*)0x20008818 = 0x20008780; *(uint8_t*)0x20008780 = 4; *(uint8_t*)0x20008781 = 3; *(uint16_t*)0x20008782 = 0x1c; res = -1; res = syz_usb_connect(3, 0xc5, 0x200082c0, 0x200087c0); if (res != -1) r[24] = res; break; case 46: syz_usb_ep_read(r[24], 8, 0x7d, 0x20008840); break; case 47: *(uint8_t*)0x200088c0 = 0x12; *(uint8_t*)0x200088c1 = 1; *(uint16_t*)0x200088c2 = 0x250; *(uint8_t*)0x200088c4 = 0; *(uint8_t*)0x200088c5 = 0; *(uint8_t*)0x200088c6 = 0; *(uint8_t*)0x200088c7 = 0x10; *(uint16_t*)0x200088c8 = 0x56a; *(uint16_t*)0x200088ca = 0x62; *(uint16_t*)0x200088cc = 0x40; *(uint8_t*)0x200088ce = 1; *(uint8_t*)0x200088cf = 2; *(uint8_t*)0x200088d0 = 3; *(uint8_t*)0x200088d1 = 1; *(uint8_t*)0x200088d2 = 9; *(uint8_t*)0x200088d3 = 2; *(uint16_t*)0x200088d4 = 0x2d; *(uint8_t*)0x200088d6 = 1; *(uint8_t*)0x200088d7 = 1; 
*(uint8_t*)0x200088d8 = 0; *(uint8_t*)0x200088d9 = 0xf0; *(uint8_t*)0x200088da = 0x8e; *(uint8_t*)0x200088db = 9; *(uint8_t*)0x200088dc = 4; *(uint8_t*)0x200088dd = 0; *(uint8_t*)0x200088de = 5; *(uint8_t*)0x200088df = 1; *(uint8_t*)0x200088e0 = 3; *(uint8_t*)0x200088e1 = 1; *(uint8_t*)0x200088e2 = 2; *(uint8_t*)0x200088e3 = 0; *(uint8_t*)0x200088e4 = 9; *(uint8_t*)0x200088e5 = 0x21; *(uint16_t*)0x200088e6 = 3; *(uint8_t*)0x200088e8 = 0xf; *(uint8_t*)0x200088e9 = 1; *(uint8_t*)0x200088ea = 0x22; *(uint16_t*)0x200088eb = 0xa21; *(uint8_t*)0x200088ed = 9; *(uint8_t*)0x200088ee = 5; *(uint8_t*)0x200088ef = 0x81; *(uint8_t*)0x200088f0 = 3; *(uint16_t*)0x200088f1 = 0x3af; *(uint8_t*)0x200088f3 = 1; *(uint8_t*)0x200088f4 = 0x40; *(uint8_t*)0x200088f5 = 2; *(uint8_t*)0x200088f6 = 9; *(uint8_t*)0x200088f7 = 5; *(uint8_t*)0x200088f8 = 2; *(uint8_t*)0x200088f9 = 3; *(uint16_t*)0x200088fa = 0x10; *(uint8_t*)0x200088fc = 6; *(uint8_t*)0x200088fd = 1; *(uint8_t*)0x200088fe = 9; *(uint32_t*)0x20008c00 = 0xa; *(uint32_t*)0x20008c04 = 0x20008900; *(uint8_t*)0x20008900 = 0xa; *(uint8_t*)0x20008901 = 6; *(uint16_t*)0x20008902 = 0x250; *(uint8_t*)0x20008904 = 3; *(uint8_t*)0x20008905 = 1; *(uint8_t*)0x20008906 = 0x46; *(uint8_t*)0x20008907 = -1; *(uint8_t*)0x20008908 = 0x20; *(uint8_t*)0x20008909 = 0; *(uint32_t*)0x20008c08 = 0x34; *(uint32_t*)0x20008c0c = 0x20008940; *(uint8_t*)0x20008940 = 5; *(uint8_t*)0x20008941 = 0xf; *(uint16_t*)0x20008942 = 0x34; *(uint8_t*)0x20008944 = 2; *(uint8_t*)0x20008945 = 0xb; *(uint8_t*)0x20008946 = 0x10; *(uint8_t*)0x20008947 = 1; *(uint8_t*)0x20008948 = 2; *(uint16_t*)0x20008949 = 0xfa; *(uint8_t*)0x2000894b = 8; *(uint8_t*)0x2000894c = 0x80; *(uint16_t*)0x2000894d = 5; *(uint8_t*)0x2000894f = 3; *(uint8_t*)0x20008950 = 0x24; *(uint8_t*)0x20008951 = 0x10; *(uint8_t*)0x20008952 = 0xa; *(uint8_t*)0x20008953 = 5; STORE_BY_BITMASK(uint32_t, , 0x20008954, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20008954, 9, 5, 27); *(uint16_t*)0x20008958 = 0xf00f; 
*(uint16_t*)0x2000895a = 0; *(uint32_t*)0x2000895c = 0xffc00f; *(uint32_t*)0x20008960 = 0xff00c0; *(uint32_t*)0x20008964 = 0x101ffc0; *(uint32_t*)0x20008968 = 0xff0030; *(uint32_t*)0x2000896c = 0x30; *(uint32_t*)0x20008970 = 0x30; *(uint32_t*)0x20008c10 = 4; *(uint32_t*)0x20008c14 = 0xed; *(uint32_t*)0x20008c18 = 0x20008980; *(uint8_t*)0x20008980 = 0xed; *(uint8_t*)0x20008981 = 3; memcpy((void*)0x20008982, "\xe7\xdb\x91\x4e\xf4\xa7\x1a\x3a\xba\x44\x3e\xe1\x81\xc2\x72\xe7\xfb\xb6\x36\x48\xa9\x97\x75\x4b\x81\xa1\x93\x8f\x52\xb9\xfd\x8c\x2b\x76\xca\x28\xee\x1f\xcb\xa2\x80\x02\x1f\xbe\x02\xff\xa0\x3e\xa7\x53\xf2\xd5\x1b\x71\xf1\xcb\x93\x91\xea\x31\xfa\xab\xf8\xed\x37\xa9\x85\x3b\x87\xee\xba\xa0\xa1\x26\x96\x96\xe6\x5e\x30\x9e\xa4\xbf\x77\x55\xff\x1b\x99\x28\x0f\xd6\x82\x30\xd7\xd8\x99\xd0\x97\xe1\x6e\xe0\xb2\x24\xde\x57\x33\x94\x39\xc8\x0a\xd7\xfb\xf8\xbb\xf3\x2a\xa0\x0e\x29\x80\x2b\xde\x1c\x8c\x5e\x62\x28\xfa\x0a\x54\xc8\x35\x0e\xf9\x97\x11\x2f\x76\x3e\x17\x42\x8f\xb8\xe9\x5a\x56\x68\x95\x95\xf3\x0a\x3c\x16\x15\x18\x09\xb0\xc6\xb1\xd4\xd4\x76\x65\x10\xc6\xf0\x66\xfe\x4b\x35\xa3\xea\x90\xd3\x88\xd1\xb4\xd4\xe9\xc6\xb3\x09\x71\xe2\x37\xe2\x3f\xd2\x05\xf9\x90\x5e\xe7\xd7\x9f\x44\x43\x70\x7a\xdc\x7f\x65\xce\x2b\x15\x99\x4d\xaa\xc7\xb9\x54\x35\x3f\xb2\x32\x01\x84\x41\x22\x71\x05\x31\x87\x9c\x62\x91\xc7\xdf\xbf\x6b\xe4\x54\xb9\xcf\x2f\x2e", 235); *(uint32_t*)0x20008c1c = 4; *(uint32_t*)0x20008c20 = 0x20008a80; *(uint8_t*)0x20008a80 = 4; *(uint8_t*)0x20008a81 = 3; *(uint16_t*)0x20008a82 = 0x410; *(uint32_t*)0x20008c24 = 0x64; *(uint32_t*)0x20008c28 = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x64; *(uint8_t*)0x20008ac1 = 3; memcpy((void*)0x20008ac2, 
"\x04\x1c\x8b\x1b\xd1\x43\xea\x1d\x63\x82\x9b\x76\x9d\xdb\x88\x6a\x6a\xaf\xee\xdd\x5f\x65\x2b\xc9\x48\x67\x7c\x9a\x6e\x3a\xcf\xe0\x4a\x15\x19\x05\x3f\x95\xe5\xfc\xf7\x9b\x08\x53\x62\xcd\xac\x6a\xbb\xf8\xf1\x37\x81\xa6\x21\x88\x52\x57\x05\x2b\x12\x00\x45\xda\x2c\x49\x4a\x30\xbc\x6a\xe6\xc4\x16\x0c\xf4\x97\x00\x2a\xf8\xb7\x7e\x21\x68\x93\x24\xbd\x6e\x75\xac\xed\xa7\xcf\x6a\x50\x92\x0b\x2a\xb1", 98); *(uint32_t*)0x20008c2c = 0x87; *(uint32_t*)0x20008c30 = 0x20008b40; *(uint8_t*)0x20008b40 = 0x87; *(uint8_t*)0x20008b41 = 3; memcpy((void*)0x20008b42, "\x15\x08\x37\xb1\xe6\x9e\x50\x07\x39\x8a\xc0\x2c\x4a\x0b\x25\x07\x2d\xaa\x81\xa6\x4a\xf1\x0b\xcd\xc5\x73\x63\x33\xf4\x9c\x92\x1f\x86\xd9\xcb\xc6\xb7\x78\xf1\xd2\x16\x79\xd8\x47\xd5\xb8\xa9\xb7\x0f\xc5\x6b\xb5\xa4\x33\x04\x0a\xfd\x94\x37\x7b\x25\x15\xa5\x5c\xda\x70\xdb\x64\x44\x2a\xda\xe0\x90\x5a\xa9\x0f\x91\x1d\x3b\xee\xf8\x00\xab\x6f\xd8\x7a\x5c\x51\xfd\xa8\xfa\xa7\x50\xd1\x95\xc2\xe6\x57\x24\x97\x81\xc6\xaf\x05\x23\xe0\x49\x2f\x9a\x69\xe2\x27\xe1\x0c\xa0\x31\x0f\x1a\x01\x0f\x8b\x98\x6a\x9a\x05\x53\xa5\x33\x1f\x97\x54\xfc\x90", 133); res = -1; res = syz_usb_connect(3, 0x3f, 0x200088c0, 0x20008c00); if (res != -1) r[25] = res; break; case 48: memcpy((void*)0x20008c40, "\xa6\x90\x8c\x55\x30\x81\x4d\x6a\x6b\xfd\x6d\x6c\x75\x94\xd4\xaf\x8a\x49\x62\xd8\x82\xda\x65\x7b\xb4\x02\xc7\xd0\xae\x45\x35\x16\x81\x60\xdb\xf6\x7b\x82\xf2\x23\xd5\x77\xb0\xe1\x6e\x6a\xc3\xc4\x6a\x40\x15\xa6\xed\x7c\x4f\xa6\x5d\x1d\xba\xa2\x68\xb7\x48\xde\xc4\x67\x74\xec\xa9\x22\x47\x96\x94\x49\xa9\xf5\x9e\x9e\xdd\xe4\xd3\x7e\x7b\xd1\x78\x82\xeb\x00\x5e\x24\xfe\x43\xf5\x76\x54\x00\x0e\xad\xec\x3f\x1d\xe9\x91\x7e\xb2\x8c\x2a\x87\x71\x82\xc4\x7b\x55\x6d", 114); syz_usb_ep_write(r[25], 7, 0x72, 0x20008c40); break; case 49: syz_usbip_server_init(4); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); 
use_temporary_dir(); loop(); return 0; } <stdin>:122:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] <stdin>:109:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] <stdin>:104:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor271230379 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/23 (1.81s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:true IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) (fail_nth: 1) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000040)={0x0, 0xe6, "f137161ab86c594202b997d9f12d007021870322c8d909748409951ae9800c1e207f98b769c740f867ea14bbf8666a4f98d229aaafbc33c6c52168db8933c4a4a4a3dd3ce0ccea96e71d81ff4aca8331cb01bf35433853d1abd48fd6d0ce1314df6507bae535a2b4e3eaa74c5d23006594148a0fe5b4a884ef8f41346e49cc90474cb17bac301d4797ed05dfc6ccb74bebaabe549172d622a30605a4e49fd3f8537de5272c33ad4f07cd060577bce65e5c80a34168cde68117e4f900e35a3d888e02ee111752213b40d2af258c01f36de50ce8e83d4226a30d6a4cc43a883f6c20e3fada8ad2"}, &(0x7f0000000140)=0xee) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e22, 0x3, @private2, 0x1}}, [0x7fffffff, 0x1, 0x7fff, 0x4, 0x7, 0x1, 0x3ff, 0x40, 0x5, 0x1, 0x0, 0x7, 0x0, 0x8, 0x1f]}, 
&(0x7f0000000280)=0xfc) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e20, 0x9, @private2={0xfc, 0x2, '\x00', 0x1}, 0x3}}}, 0x84) r3 = openat$pktcdvd(0xffffff9c, &(0x7f0000000380), 0x0, 0x0) ioctl$MEDIA_REQUEST_IOC_QUEUE(r3, 0x7c80, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x7f, @private0, 0x5}}, 0x5, 0x476f}, 0x88) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_SRVCORE_ACQUIREGLOBALEVENTOBJECT(r3, 0xc0206440, &(0x7f0000000500)={0x1, 0x2, &(0x7f0000000480), &(0x7f00000004c0)={0x0}, 0x4, 0x8}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTQ2_RGXTDMSETTRANSFERCONTEXTPROPERTY(r3, 0xc0206440, &(0x7f00000005c0)={0x8a, 0x7, &(0x7f0000000540)={r4, 0x400}, &(0x7f0000000580), 0x10, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXBREAKPOINT_RGXENABLEBREAKPOINT(r3, 0xc0206440, &(0x7f0000000680)={0x83, 0x2, &(0x7f0000000600)={r4}, &(0x7f0000000640), 0x4, 0x4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@deauth={@wo_ht={{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x240}, @broadcast, @device_a, @random="2015d229785b", {0x8}}, 0x27, @val={0x8c, 0x18, {0xc93, "ffe3240f0484", @long="067ecc39a78a3ea47c22246d391b92c4"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_xfrm_policy_alloc_security\x00') syz_emit_ethernet(0xbc, &(0x7f0000000140)={@dev={'\xaa\xaa\xaa\xaa\xaa', 0x3b}, @broadcast, @void, {@mpls_mc={0x8848, {[{0x8, 0x0, 0x1}, {0x1, 0x0, 0x1}, {0x4, 0x0, 0x1}, {}, {0x0, 0x0, 0x1}], @ipv4=@dccp={{0x15, 0x4, 0x2, 0x33, 0x9a, 0x65, 0x0, 0x7, 0x21, 0x0, @dev={0xac, 0x14, 0x14, 0x1e}, @rand_addr=0x64010101, {[@noop, @end, @timestamp_addr={0x44, 0x1c, 0xe9, 0x1, 0x2, [{@dev={0xac, 0x14, 0x14, 0x28}, 0xf7e}, {@loopback, 0x7fff}, {@private=0xa010101, 0x5}]}, @generic={0x83, 0xe, "db10ac96c2cf817c67fc6d7e"}, @rr={0x7, 0x7, 0x87, 
[@local]}, @end, @ra={0x94, 0x4, 0x7}, @end, @generic={0x44, 0x5, "e0d910"}]}}, {{0x4e20, 0x4e23, 0x4, 0x1, 0xf, 0x0, 0x0, 0x9, 0x5, "d77b5a", 0x7, "c6dd9c"}, "494a1261c05df7372b3c29631b6232d41f19fa8727ecea11ccf1979683ceb144705e12c13fba0e399f08f58397f3ea7bdb746b3dcabe"}}}}}}, &(0x7f0000000200)={0x0, 0x3, [0xf9, 0x208, 0x50c, 0x74d]}) syz_emit_vhci(&(0x7f0000000240)=@HCI_EVENT_PKT={0x4, @HCI_EV_VENDOR={{0xff, 0xc1}, "0626cab051d180b0c2e36c0814bbca7e31d691502e1c7c0eae1a042e7372921a0c6dfccedd81a98f58b9850ba2f68bc25d5cab15a0af010796b5fdfb8a3b35f3eb48ee0c7b2ed287cf469fdec0248e957ef0dd22f3fc6d746e70262c277c016177e56a68031293b56b02c1b6f867d10a3bbf33817b39d487ae0659a68cffb8df46df59a7d104b7c6711d45af1f966d69e635809cf24a70d4c2ea9cc98d37599807148af36b475eb2ce56e027ac751769f8710272d187722ecdf7a8f86d8b977aa8"}}, 0xc4) syz_execute_func(&(0x7f0000000340)="c4c17d6f7072c4e1f9112fc4e3c95d33abc4c2790eb000000000c4e17a12b70c0000000f0156e9c4e10dd55e0cf30f526b000f7e20c4c179e702") syz_extract_tcp_res(&(0x7f0000000380), 0x80000000, 0x100) r5 = dup(0xffffffffffffffff) r6 = fcntl$getown(0xffffffffffffffff, 0x9) lstat(&(0x7f00000026c0)='./file0\x00', &(0x7f0000002700)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000002800)=0x0, &(0x7f0000002840), &(0x7f0000002880)=0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002ac0)={0x2020, 0x0, 0x0, 0x0}, 0x2020) statx(0xffffffffffffffff, &(0x7f0000004b00)='./file0\x00', 0x2000, 0x20, &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004d00)={{{@in6=@ipv4={""/10, ""/2, @private}, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000004e00)=0xe4) r13 = getgid() syz_fuse_handle_req(r5, &(0x7f00000003c0)="", 0x2000, &(0x7f0000004f40)={&(0x7f00000023c0)={0x50, 0x0, 0x3f, {0x7, 0x22, 0x8001, 0x1040000, 0x8, 0xf6e1, 0x8, 0x9}}, &(0x7f0000002440)={0x18, 0x0, 0x9, {0x40d}}, &(0x7f0000002480)={0x18, 0x0, 0x7, {0x7}}, &(0x7f00000024c0)={0x18, 
0x0, 0xffff, {0x8}}, &(0x7f0000002500)={0x18, 0x0, 0xce0, {0x1c}}, &(0x7f0000002540)={0x28, 0x0, 0x1, {{0x100, 0x5, 0x2, r6}}}, &(0x7f0000002580)={0x60, 0xfffffffffffffffe, 0x8, {{0xcd95, 0x1f, 0x7, 0x48, 0xaac5, 0x6, 0xad, 0x5}}}, &(0x7f0000002600)={0x18, 0xfffffffffffffff5, 0x9, {0x9}}, &(0x7f0000002640)={0x11, 0x0, 0x0, {'\x00'}}, &(0x7f0000002680)={0x20, 0x0, 0x10000}, &(0x7f0000002780)={0x78, 0x0, 0x9, {0x3, 0x0, 0x0, {0x6, 0x0, 0xfffffffffffff20d, 0xfffffffffffffff8, 0x1, 0x3ff, 0x5, 0x9, 0x726, 0x1000, 0x6, r7, 0xee01, 0x7, 0x7}}}, &(0x7f00000028c0)={0x90, 0x0, 0x3, {0x2, 0x2, 0x100000000, 0x61a26b8d, 0x6, 0x2, {0x1, 0x3, 0x1, 0x100000000, 0x3, 0x8f, 0x4, 0x1ff, 0x849, 0x1000, 0x7, r8, 0xffffffffffffffff, 0x5, 0x1f}}}, &(0x7f0000002980)={0x130, 0x0, 0xa00000000000, [{0x4, 0x1, 0x6, 0x9, '\x01\x01\x01\x01\x01\x01'}, {0x6, 0x1, 0x5, 0xfffffffe, '\xaa\xaa\xaa\xaa\xaa'}, {0x1, 0x1ff, 0x3, 0x7, '{#-'}, {0x5, 0x0, 0x2, 0x761, '[#'}, {0x3, 0x0, 0x2, 0x6, '#]'}, {0x1, 0x714, 0x5, 0x3, '*^\\^b'}, {0x5, 0xeb68, 0x4, 0xfffffa80, '--$-'}, {0x6, 0xfffffffffffffeff, 0x1, 0x1, '-'}, {0x1, 0x8, 0x3, 0xf2, '!\\{'}]}, &(0x7f0000004c40)={0xb0, 0x0, 0xcf, [{{0x1, 0x1, 0x3, 0x100000000, 0x4, 0x81, {0x5, 0x7f, 0x5, 0x6, 0xffff, 0x3, 0x1f, 0x3, 0x8, 0xc000, 0xf5c8, r10, r11, 0x2, 0x9}}, {0x4, 0x80, 0x5, 0x2, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000004e40)={0xa0, 0x0, 0x400, {{0x6, 0x2, 0x400, 0x7, 0x4, 0x9, {0x4, 0x1000, 0xffff, 0x6, 0x1, 0xffff, 0x65f, 0x647c2b8f, 0x400, 0x8000, 0x8, r12, r13, 0x3, 0x6b}}, {0x0, 0xd}}}, &(0x7f0000004f00)={0x20, 0x0, 0x800, {0x0, 0x0, 0x10001}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004f80), r5) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r14 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x343, &(0x7f0000004fc0)={0x0, 0x5004, 0x0, 0x1, 0x1de, 0x0, r14}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000005040)=0x0, &(0x7f0000005080)=0x0) r17 = openat$uinput(0xffffff9c, &(0x7f00000050c0), 0x2, 0x0) r18 = 
openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000005100), 0x488200, 0x0) syz_io_uring_submit(r15, r16, &(0x7f0000005140)=@IORING_OP_SPLICE={0x1e, 0x3, 0x0, @fd=r14, 0x200, {0x0, r17}, 0x6, 0x1, 0x0, {0x0, 0x0, r18}}, 0x3dd1) r19 = openat$keychord(0xffffff9c, &(0x7f0000005180), 0x171000, 0x0) r20 = openat$ubi_ctrl(0xffffff9c, &(0x7f00000051c0), 0x10400, 0x0) syz_kvm_setup_cpu$arm64(r19, r20, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005240)=[{0x0, &(0x7f0000005200)="4623d8a4ce0217c9e59555c166890679e3e0c1940df5b9fcbf91649ef54d80f0c8bcc80e36b5574c4bc9f943401854f56aa2", 0x32}], 0x1, 0x0, &(0x7f0000005280)=[@featur2], 0x1) r21 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x8000, r18, 0x0) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000052c0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005300), &(0x7f0000005340)='./file0\x00', 0xfd, 0x2, &(0x7f0000005540)=[{&(0x7f0000005380)="873519f25df082b371ba5b45adb5709c00805747c37fe044064595cd4728bf8980302b25b4b083b42b41336e130f1b6ff0a2f172498e522b4fe5826eababf53a9852f93ebeb841e1645f32936127029d68fe73eced89c1b93587012a47c42a583d6975592b3f2cdf4337fc6d5e85e5f5835fafe095935ec90484e9081aa8d22498431301baad4a34368c26c64d85326c7e00682178f8d13e6a8969f15b9d5dbcfec2c0e69680c3928ca015b92e25f5078de354fe32cc7121609a0762e1b73efd8967a2fe235e4d1ef9e5ac88bc1ed706a984641b06470b2294d045ce7eba51c0728938a2c6eeb6d8574429cc24bcb2a784", 0xf1, 0x40}, {&(0x7f0000005480)="62935bfe26e9c9f2dc3c3e9dfb491858efb598369bcca51923989ba943cf447baf56625df0f685ed2d034b37c07563f668728f6dc6833609b1221970e55088869d29c01b2dd05c4820b08042b5074008c9757712c480e25d89b9c48e957e5b5c7b0beccfb1fcccedbcedc83806038075fc2a0f8228beb47f1fece09bddcbbe0021abe9c3d198369b81b67dbd6a7d334b8d28b802cc97d934c164e97d9d7b70dc6c", 0xa1, 0x1ff}], 0x8800, &(0x7f0000005580)={[{'\xaa\xaa\xaa\xaa\xaa'}, {}, {':&-]!'}, {'}'}, {',-V'}, {'\\*})'}, {'*^\\^b'}], [{@appraise}, {@fowner_lt={'fowner<', r8}}, {@smackfshat={'smackfshat', 0x3d, 
'\xaa\xaa\xaa\xaa\xaa'}}, {@obj_type={'obj_type', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@dont_appraise}, {@dont_measure}, {@fowner_lt={'fowner<', r9}}, {@dont_appraise}]}) syz_open_dev$I2C(&(0x7f0000005640), 0x40, 0x300) syz_open_procfs(r6, &(0x7f0000005680)='net/if_inet6\x00') syz_open_pts(r19, 0x800) syz_read_part_table(0x9, 0x9, &(0x7f0000006c40)=[{&(0x7f00000056c0)="", 0x1000, 0x8001}, {&(0x7f00000066c0)="31e3c3fa6d99", 0x6, 0x3ff}, {&(0x7f0000006700)="39de863b7148208e432fcddbd9e9148e716c1b48a3967c870c70145d90ed681b3f8bce849fee7f50091570854e20103723e56454e711543f6e2be92c34090d8cc792260be9b960c1e4", 0x49, 0x9}, {&(0x7f0000006780)="17fad571f80fecd34a59bc03f6c02bbd6d56cd8d958924b4ae4189b88b85897efd4e596e1118bb0c771c2c5ba37ded06d78111390c1c80cf6ea9df8727f88559815ed76b36fa13fb4d08e1ccdad7973b5bec5655a74a671fde99ee92397c56d409dadb10c4c37ee92cb41d03ae6fb164e7f86985039128d38be83b5e16c35ee34eb2b8396c5348028781a0a879f88159740ab89705d637bedafa915f195a152597fa0d7da9b76476602c6eeefca1e80a6d3d0ed1a75b00f7a5e153dd851e2301c8daa7d49b4ad91c62d1a6967f54cf9621c240ed587192f69959e05407850ce3831c4e811e6fff1cdf93cfabde887358316881845356d7", 0xf7, 0x26}, {&(0x7f0000006880)="c286968e2238742a47e0e8d444a6a661b7708222f4eddab97a749dcebe2cc83a314b828795f915a36d873b714aef15ddb1b4f62f06800bbe85eaebcb76abe944719249ee7927c88e78a968e93f45c52013ef97ef6f989b1d1cd30fff88677962c8f3052ad0a4631e4e750ba80f3753916c2dffc6a4023cdb62a1b5f2afbb965b2f78c5dd47af90b002da1a26a24fcb99bf81fb29574a2f98107a7937639873b95f4a569a0406cc358b46efae587e9008be69d711ae202c22e29a2f615fd23dcf", 0xc0}, {&(0x7f0000006940)="97fc4dd9db673e16fd0f0eb9a4a26e2a49f42e1616190b0634dfd6135145f4e451bbbad56dadf266964eba7d1007c0a23f8cf03d4f8fe09a7989152b7cf2ec30f2693a06befdf023d79f48c208d742c7b75915bcc1be583517ced3b826b97075e62a8ed12dbb264807c6ffd0227614491fb9de0d8a925a2638c31608de405bbf79e96f171fd58338b1d6979d33a7dae8ad62f2ba53fefc3c", 0x98, 0x20}, 
{&(0x7f0000006a00)="77d8d606bfb424e7b995809ab4f559115fd82e972d98b651dfc69b10df600fb4f78efd586f9cc26edc41b1d2fac87efe59e262411f27a94cf796ed31236b457ca0f147530efbd4cfa6b6a0fee46c25abcf7ad8282aae5299e299799cd52d0a58d7ff9dddd0103724c88da92dbefab6248038abef9ec52264afc74825f7ea70b2ca95d6900f9b647a3f986e18287cb2bf4b4c19efc8c218fd905c3727c86c37026bfbde3af078eb07b798e6d3d8f2e4d5d3bc188cdd20f2ebb1461c5e53b05f2989ffac3b168dee56da0fc011974c660e400ae2d8b2c80acb231581ee91763129b2888aeb12", 0xe5, 0x800}, {&(0x7f0000006b00)="560c1bea71b0f97244fa386d26bf6b1b04308e4bc7fffa", 0x17, 0x80000001}, {&(0x7f0000006b40)="14e55a14a7953387ee55333c1d1694ca98c7999b49788642766805d6f5a290eb1e959ee35a740459e13300262f2af9c357f7a8c1cba187e448bc3c8f865cc9be88624fb0f0d0bb885d9cc2abe171a2478a7420db22e8607e3fbec7e2601d9e11086cfa8cf14d99676b679d8d6bf1dd4faab8fe9a5f4e3f695fe2e6abf09f702683802d44cc3a298255c4c59533731ff5b23e053afb716d58cad667686ee647f48e199c9b5c3d0d2d470f2ce1c5b8b5708ae023ad9880caf31d01f96aebbfcc7df95358a016c5471cc2ce2ced6105057c9d22c8167890ca19", 0xd8, 0x400}]) syz_usb_connect(0x2, 0x6c6, &(0x7f0000006cc0)={{0x12, 0x1, 0x200, 0x62, 0xa5, 0xbe, 0x10, 0x2833, 0x211, 0x37a4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6b4, 0x1, 0x20, 0x0, 0xa0, 0x1, [{{0x9, 0x4, 0xdf, 0x0, 0x10, 0xff, 0x1, 0x0, 0x5, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x1, 0x1}]}, @cdc_ecm={{0x9, 0x24, 0x6, 0x0, 0x0, "fd506508"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x40000000, 0x8, 0x4cc5, 0x7f}, [@network_terminal={0x7, 0x24, 0xa, 0x8, 0x3f, 0x0, 0x81}, @country_functional={0x10, 0x24, 0x7, 0x80, 0x5, [0x44, 0x2, 0x800, 0x101, 0x4]}, @acm={0x4, 0x24, 0x2, 0x4}, @mbim_extended={0x8, 0x24, 0x1c, 0x0, 0xc0, 0x5325}, @ncm={0x6, 0x24, 0x1a, 0x7f}]}], [{{0x9, 0x5, 0x5, 0x0, 0xa716c6d63b98b5a2, 0x6, 0x0, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xe9, 0xf000}]}}, {{0x9, 0x5, 0xe, 0x2, 0x200, 0x8, 0x7, 0x40}}, {{0x9, 0x5, 0x0, 0x10605a5c87a92a7e, 0x200, 0x8, 0x3, 0x1, [@generic={0x9b, 0x21, 
"f2ef0a5c069cdb319138e185061d7e196ae94e535d80f27666fba23b374325f15dc5f20812fe05b0620f6ffcb81003b1f39c5dcd1bff14e2bbeb387335a3534f5adb60ffc4f28595c8f992f77fd5f67a04842b9c4364e3556be9bacb8fd56ed77859291153f6c566026363bfa5f2e6ff2fa6d29317f2d562445364939915a75dd7365f6ab9c15ddbc7c3a45f7eb98fd1fea3551bbd46f20a87"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x3ff, 0x1, 0x20, 0xef, [@generic={0xec, 0x6, "f642246a5372991db97e5824a410e28300d3bd153638f6dac6e1189a0c560a0a0e5f8b15e07879ac95016515202646a7b5b5fc74b7cd40d515b2849d8c1dd9ae4fca16c2e6cf0e8a20ce54f05fa123c019208cb34b5ee561c274ea40a7b34e5813a4a29be40817eb1f7b3e9bef60f7c56657481236b93e2c297f17c776b98f1d0c8f2a56447766c7288ba6b1e385b84a516a98ab729ba70e31fee3aab101d590a4481ae5856326c6825b73c7ae7d3b99cb3c59db31a12726234b900584e8db779352188d12c932d4aacb59eef33d33b9550510cf2b49da747e031c83117b511a1bb93ed76c716e6a0254"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x40}]}}, {{0x9, 0x5, 0x1, 0x0, 0x100, 0xfe, 0x8, 0x37, [@generic={0xe9, 0x23, "1a0e3542857d49ea63b7261ebfc19f14272e284d2665d2795e43f6f9ca62776c9ee52d991879d7d67b4d8b270fd51598beac1c0339b2257ad68c1dde54885ae2d219b87cde159a9897c88bda26e08a3691055022739c1fe64adb98639dc25421c449cf364800c4c365062f2488e6901e56e62f4b703eae7af26298a1eee1bfe62d9b2ae35320ae2baf174e94ff55321097be81e0279f5d0aa84dd18ca0864d98d0edbbeaa19ddf3626fd83a2e2b5f676a734d4784b3c6877fd1bb3c9543df7abda9bd9c9be405949747e21073c18957fff0eaac0273cfd3f702cb65597949a172726f7e459536c"}, @generic={0x18, 0x10, "a0289017f3f433f11059489a61115823e1138ae84a34"}]}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0x67, 0x3, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x80, 0x2e6}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x48, 0x35, 0x8, [@generic={0xe5, 0x5, 
"30efe9c1a6e5c89c2031214c60fbbeaa4578091e38009c761d15774802934cfd36355b3518ccfe59fa5e7ccee3c13ac4affbe073e0e788c9b5e32216efbf02e35869d7b233a389f812bfd849433c328466eda5e0e3237529cdc65e4eee743d31ffc186a1fe794bdf1364f31eaeff39829e8f6144850d7470cc71572d1f2f23dccdbcdd99e4930de7edbf59b338db3490305fd7710257980b7f76b8daeacb2ad618131fb9b5a3e026c9ddbd69483cd794caad29f2e3b63124a952b462de0cd951d7efd9b3b29107b641417e7783d90159137fa5273a95e0cc46c97c2246e611acb14b4d"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x8, 0x0, 0x33, 0x9}}, {{0x9, 0x5, 0x2, 0xc, 0x400, 0xed, 0x7, 0x9, [@generic={0x84, 0x31, "ee4cd219154df491c4d32aa32112cff407511b06b17f743409ecc216c31e92cefa2b5cc59e634d7aeba2c9e5e36d8efadc0255172518f909b4e1a7daf4d988b1eeaf196c76ee902b657d12fc23c21e176cd149e98a8d8d5755b74fed1a4284bcfd6e6961951ff8216f7bb42f790edd539c1bc5bbac44f767a685c57cbbdec830c52c"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x1, 0xfe01}]}}, {{0x9, 0x5, 0x3, 0x0, 0x40, 0x2, 0x5, 0x3}}, {{0x9, 0x5, 0x0, 0x0, 0x400, 0x0, 0x2f, 0x4}}, {{0x9, 0x5, 0x8f, 0x8, 0x8, 0x81, 0x1, 0x7f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xfb}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0x40, 0x76, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x31, 0x8}]}}, {{0x9, 0x5, 0xf, 0x10, 0x3ff, 0x6, 0xb2, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x80, 0x6}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x6, 0xca, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x10, 0x400, 0x1, 0xfc, 0x4, [@generic={0xd4, 0x21, "28a1dfa1d28f9ae60d0a8e9e3c512db35369d479fa6e6aa099e267e1ced77ca2e180b429779023a872b0ef8807e11f8b8b21b811d4fe5527335ce86e3a95cdf960d1e79e88c276c174d183d2f3bc0862dd7e1d29ac589ceb22024e25a44c3e8123581d1448fd2db5332fe41c23f9aa959564f32db1da14610415ddc293dc57c9d6c775d22151bdab236a5a73592e5518055728ae819e25c080cbb9bf0203b6639b8fd8d716d9c571d6b260ea297733d53c3a05449b9b9221d0f402610c9837189f9c6ab3baaf031d48692690c9981cee1426"}, @generic={0xc3, 0x6, 
"60ed98576fbbbee3db67d535ea7e1a19d92d689e2f03308a615a5641e72e694d996f76c1111c88c507c39a87f34a3682dafbfe583b79f5b950a30614162c605f7e6c5d452b4f84a145f20bf4470ddf43f06c415dc6c41551fd458ba6aedf57d74cb85a25e43324814b62c3be4108b1ea5b9dd22a78a45cdf5d8f27c11f35026bf7ef10c7d1f0615fe1c44a302a84d88b8d6c2d85049c9f48a04b4e61801c017f609b673fc8290f7362a0ed35882a335b657f835fce8e20100cde82c1a3dc180611"}]}}]}}]}}]}}, &(0x7f0000007740)={0xa, &(0x7f00000073c0)={0xa, 0x6, 0x310, 0x5, 0x80, 0xff, 0xbf, 0x5}, 0x5, &(0x7f0000007400)={0x5, 0xf, 0x5}, 0x5, [{0xa8, &(0x7f0000007440)=@string={0xa8, 0x3, "0584bddc149671f9e6c6cd123b796cafe2eb5d2bd3cf65e3eb0f3a601aba7164713d4042653f2cca182207d4e7ffa8bc71e705aa48bcff03fddd2e3e6bebe11cb61f95faf14afdf29440021e851fb682aa24e624e833952db6d1f96aa7edfc74ce501359694c7583eb5e48dfe227d2105d5e3d2359e3c728a48adff09b1132f928893ceefae67700983be1ca94e818e7a1463c802f1fc2a72d40900933403d7b255a35d9dc33"}}, {0x4, &(0x7f0000007500)=@lang_id={0x4, 0x3, 0x42c}}, {0xf4, &(0x7f0000007540)=@string={0xf4, 0x3, "1c537117dc720af3ccf108687c86cb544bc885379e435dbb861bc9a01550592e6008ae94a1f98317ad9cd804016b079b5ec294dcaf4537cf5b68c3c4353754caf369ba34101cbd21926b15cef67ab63ead40abfbef867b372fe2781866f87a2dccf98ffe66531c1d5021406c69ce84b439130cac71f52564b7c8fa621d71d5ff001517593f059da0cb82f1fd5e327df9abec4946e34e20d3f1df8f4a0422f9bb538949b4a14d1b3afd6793e81d3ba596d16d8cee0e700314e531e602fe5cb832b22c7a2f9f36f39d053876478157d541e8c0977a9acaf691f1234f665d234f82ee90ff8982d9c1371a15ddc8ed2392dd5a96"}}, {0x98, &(0x7f0000007640)=@string={0x98, 0x3, "078cbefd67796b8d00c6a027e5d07bc3b00756acafb9096e3e381a99fdbe8a5161ca19a9628d61baefd6972b48f5e04b0fa6e2b99cca8df5b50dbd97d656c02f8583a58ce8cbd35c69fb3f86de0ddac90f5be8d4f04a3ad4f31293b509959139bea0f3067d0ebfa3c5b210e1993078b0ae929561fc7734869b3dd8d812c00a3035236166a31227ae291e696ab4f81f4e3f02d6b2f334"}}, {0x4, &(0x7f0000007700)=@lang_id={0x4, 0x3, 0x43e}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007780)={{0x12, 0x1, 0x200, 0xff, 
0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f00000079c0)={0x18, &(0x7f0000007800)={0x20, 0x11, 0xb7, {0xb7, 0x9, "72f591ba5c694f16a4d92075ef3ec8bc46920954799ec8d3c0308f3b4779da6e18e9824a86746d013a399afc7f6fceb6c37f7f131c71ebc001f666ea63ed3ade132009735a546622f9e639d481c967cc7b5b747cc5e62fdc41bbb4bb95878a442cc49111c0f57886f17077a1b4b22e3cf28eecb798feed6f168dd9cc2646f8b79ed41bba94de9e304fc845179a7321f04784aa917ba08405b0a95b8303d914ef8e374780dd8e3437c95c35764cd063e7a3ec6d790b"}}, &(0x7f00000078c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x813}}, &(0x7f0000007900)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x18, 0x8, 0x0, 0x3}]}}, &(0x7f0000007940)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7, 0x80, 0x6, 0xe0, "8402487c", "8056a3ff"}}, &(0x7f0000007980)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xa7, 0x2, 0x7d, 0x0, 0x80, 0x7, 0x6}}}, &(0x7f0000007e80)={0x44, &(0x7f0000007a00)={0x40, 0x10, 0x8c, "21b83825059f24506d8e842085d1f2e7f964471b20ed0a8e50a9aa4ef16b5a6f2dbb2b570a4f8d13d60e47bb7821ff912111dee40a78d42b4d13ea812d929ccf3964c5468f89d2d21630ec87067a2d13f45238b446bf57c6b9ec35578fa587fc77fe2108b1590be081681ccc024f1f590be9e5bec9ea86b9803c60299dda1a82f8ff04428671a43bc2c3393a"}, &(0x7f0000007ac0)={0x0, 0xa, 0x1, 0x4}, &(0x7f0000007b00)={0x0, 0x8, 0x1, 0xfb}, &(0x7f0000007b40)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000007b80)={0x20, 0x0, 0x4, {0x140, 0x20}}, &(0x7f0000007bc0)={0x40, 0x7, 0x2, 0x3ff}, &(0x7f0000007c00)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000007c40)={0x40, 0xb, 0x2, "8a02"}, &(0x7f0000007c80)={0x40, 0xf, 0x2, 0x321a}, &(0x7f0000007cc0)={0x40, 0x13, 0x6, @link_local}, &(0x7f0000007d00)={0x40, 0x17, 0x6, @random="b0fe281fa391"}, &(0x7f0000007d40)={0x40, 0x19, 0x2, '#7'}, &(0x7f0000007d80)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000007dc0)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007e00)={0x40, 0x1e, 0x1, 0x6}, &(0x7f0000007e40)={0x40, 0x21, 0x1, 0x9e}}) r23 = syz_usb_connect$cdc_ecm(0x2, 0x5f, 
&(0x7f0000007f00)={{0x12, 0x1, 0x70, 0x2, 0x0, 0x0, 0x50, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4d, 0x1, 0x1, 0x2, 0x70, 0x40, [{{0x9, 0x4, 0x0, 0xc4, 0x3, 0x2, 0x6, 0x0, 0xe1, {{0x8, 0x24, 0x6, 0x0, 0x0, 'W?s'}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x200, 0x0, 0x200, 0x3}, [@ncm={0x6, 0x24, 0x1a, 0x1000}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x3f, 0x0, 0xd8}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0xff, 0xec, 0x5}}, {{0x9, 0x5, 0x3, 0x2, 0x3cf, 0x81, 0x39, 0x5}}}}}]}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f80)={0xa, 0x6, 0x0, 0x2, 0x20, 0x77, 0xff, 0x2f}, 0x5, &(0x7f0000007fc0)={0x5, 0xf, 0x5}, 0x5, [{0x69, &(0x7f0000008000)=@string={0x69, 0x3, "d25a9c8f1452a3c6ffbfeca8eb777935b58c9b7406775086fff717b54f05ac59f94517ff3cd6f3101dbfa79bb82ae31b1d316d08a71d14fc2c1cfa8c893068bde2bb830ae91fc94288cc232aaac0e64b84007b0e7536c3ec34edef04ded93421a377e0695326aa"}}, {0xac, &(0x7f0000008080)=@string={0xac, 0x3, "7360609ce8300ae4623308d5f8b97bfd50d3d863408b8ea401c86da9d42ce5f3867ce8d721fb2ab5c25f6b4c5e85f5eaf341bd514a16c2dfe3c7a1d7f427ae62c0bff379e84d56637ec1377b8c8ad5b55b099cfaa4a7a6eeb0589f81e7a43300eff53354e1b2bdcdc34d7945d63562e48d5ed93bef75fd0160fcd7c3a6be7f0c642bb6e561e35a1c73110bdcded7699865e25eb238cf8f3b10ad3c10488028c37063c8862f907b06829e"}}, {0x4, &(0x7f0000008140)=@lang_id={0x4, 0x3, 0x81a}}, {0x4, &(0x7f0000008180)=@lang_id={0x4, 0x3, 0x180a}}, {0xb9, &(0x7f00000081c0)=@string={0xb9, 0x3, "37efeb854b4051a46c67aee7eaa0f62fde9f599cd5ba25329d50aee16b30c6c1a514831081afc1dfd2682ff48716a91bf95e084212b0696d43e1c6c43adaf9ed3ef70e62735994d2d0865139604988fac17978d9c05a84f3423831dd1dddc6c94d50ddd674f16525bbf9a8db3bb49001be38a19670abd99f4a2e97cfb20d46c637832a3ec97ff094c6a3304964b72bcf116bf27fedd5521ad3da226297fff849c33c5d849e3e3037527901eef63a599baa54fc46a46ff1"}}]}) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ecm(0x3, 0xc5, &(0x7f00000082c0)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xb3, 0x1, 0x1, 0x6, 
0x28, 0xff, [{{0x9, 0x4, 0x0, 0x9, 0x2, 0x2, 0x6, 0x0, 0x4, {{0x6, 0x24, 0x6, 0x0, 0x0, "b1"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9208, 0x2, 0x0, 0x20}, [@mdlm_detail={0x5e, 0x24, 0x13, 0x7, "63b0b95377147ba214d950fc04b22c04be09d9b96f1ab94bb02e8a2a9e23cf7d3acab22a80ed350ec4b17806edcb169e5075373d991780211392eb3d9f1173a539843bf2c3f66a4a6960a55a2207767db3c55a7dd2898b5ccb40"}, @mbim={0xc, 0x24, 0x1b, 0x2a, 0x100, 0xe0, 0x76, 0x0, 0xff}, @acm={0x4, 0x24, 0x2, 0xa}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x73, 0x35, 0x3f}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0x3, 0x1, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x40, 0x2}}}}}]}}]}}, &(0x7f00000087c0)={0xa, &(0x7f00000083c0)={0xa, 0x6, 0x201, 0x79, 0x3, 0x3f, 0x20, 0x6}, 0x37, &(0x7f0000008400)={0x5, 0xf, 0x37, 0x5, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0xa, 0x6, 0x5}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x1, 0x9, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0xa737ee064a5fddc9, 0x7, 0x7, 0x0, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x0, 0x6, 0x6}, @ssp_cap={0x10, 0x10, 0xa, 0x1, 0x1, 0x8001, 0xf00f, 0xfffd, [0x3fc0]}]}, 0x9, [{0x4f, &(0x7f0000008440)=@string={0x4f, 0x3, "c0663b116dab9ba5c0a2f7a2ad486ffc164a4365899565c5e99b015239f378df56db4dc3b0bb08dcd208d958fa3cf08097aa208b2d2865b502cbc94b1a8e33bdd9d6481fbf32d4913422fe189f"}}, {0x85, &(0x7f00000084c0)=@string={0x85, 0x3, "c9c487a90be3d40ef782373d785f86bdfc3db6fb0dd0a7440b2fe4595c3a6bd67aa8518d897a8a757d5f1ceb86e598cabf2345f771c3c7128bd16dd4b1ee9b7dbcaf611e97f6dcb9f171e8f7052b0f33e631bfe99ddc4413e5e5d7b634dcc3b77e4d301f89a8d3b851b02306cabec211127a8e541d162636588ff574de82de8f307d43"}}, {0x4, &(0x7f0000008580)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f00000085c0)=@lang_id={0x4}}, {0xaa, &(0x7f0000008600)=@string={0xaa, 0x3, 
"ce395e8e9f409a37daeb1c20be9ca4004ae810cf1653eccd6e663dd74f8bc06989b4d1a65c9f480bd37e9dd85349f298ddaddc2cc9e4eda147f231402e116fb594a63718d821d885ebd67eda451558b1fba3093ecbd40cbe5fbe07f94ed927d8e5039a7c497aa8d1f10a4ddac049ad820f8c532c5a3f00947955032423922e95aa5bfee041f7fe8744ecc4424057eec97040b341d0dddcaf206da6431e987f04cfd55802cad3a114"}}, {0x4, &(0x7f00000086c0)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000008700)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000008740)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000008780)=@lang_id={0x4, 0x3, 0x1c}}]}) syz_usb_ep_read(r24, 0x8, 0x7d, &(0x7f0000008840)=""/125) r25 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f00000088c0)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x10, 0x56a, 0x62, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0xf0, 0x8e, [{{0x9, 0x4, 0x0, 0x5, 0x1, 0x3, 0x1, 0x2, 0x0, {0x9, 0x21, 0x3, 0xf, 0x1, {0x22, 0xa21}}, {{{0x9, 0x5, 0x81, 0x3, 0x3af, 0x1, 0x40, 0x2}}, [{{0x9, 0x5, 0x2, 0x3, 0x10, 0x6, 0x1, 0x9}}]}}}]}}]}}, &(0x7f0000008c00)={0xa, &(0x7f0000008900)={0xa, 0x6, 0x250, 0x3, 0x1, 0x46, 0xff, 0x20}, 0x34, &(0x7f0000008940)={0x5, 0xf, 0x34, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0xfa, 0x8, 0x80, 0x5, 0x3}, @ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x9, 0xf00f, 0x0, [0xffc00f, 0xff00c0, 0x101ffc0, 0xff0030, 0x30, 0x30]}]}, 0x4, [{0xed, &(0x7f0000008980)=@string={0xed, 0x3, "e7db914ef4a71a3aba443ee181c272e7fbb63648a997754b81a1938f52b9fd8c2b76ca28ee1fcba280021fbe02ffa03ea753f2d51b71f1cb9391ea31faabf8ed37a9853b87eebaa0a1269696e65e309ea4bf7755ff1b99280fd68230d7d899d097e16ee0b224de57339439c80ad7fbf8bbf32aa00e29802bde1c8c5e6228fa0a54c8350ef997112f763e17428fb8e95a56689595f30a3c16151809b0c6b1d4d4766510c6f066fe4b35a3ea90d388d1b4d4e9c6b30971e237e23fd205f9905ee7d79f4443707adc7f65ce2b15994daac7b954353fb23201844122710531879c6291c7dfbf6be454b9cf2f2e"}}, {0x4, &(0x7f0000008a80)=@lang_id={0x4, 0x3, 0x410}}, {0x64, &(0x7f0000008ac0)=@string={0x64, 0x3, 
"041c8b1bd143ea1d63829b769ddb886a6aafeedd5f652bc948677c9a6e3acfe04a1519053f95e5fcf79b085362cdac6abbf8f13781a621885257052b120045da2c494a30bc6ae6c4160cf497002af8b77e21689324bd6e75aceda7cf6a50920b2ab1"}}, {0x87, &(0x7f0000008b40)=@string={0x87, 0x3, "150837b1e69e5007398ac02c4a0b25072daa81a64af10bcdc5736333f49c921f86d9cbc6b778f1d21679d847d5b8a9b70fc56bb5a433040afd94377b2515a55cda70db64442adae0905aa90f911d3beef800ab6fd87a5c51fda8faa750d195c2e657249781c6af0523e0492f9a69e227e10ca0310f1a010f8b986a9a0553a5331f9754fc90"}}]}) syz_usb_ep_write(r25, 0x7, 0x72, &(0x7f0000008c40)="a6908c5530814d6a6bfd6d6c7594d4af8a4962d882da657bb402c7d0ae4535168160dbf67b82f223d577b0e16e6ac3c46a4015a6ed7c4fa65d1dbaa268b748dec46774eca92247969449a9f59e9edde4d37e7bd17882eb005e24fe43f57654000eadec3f1de9917eb28c2a877182c47b556d") syz_usbip_server_init(0x4) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, 
__ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == 
NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } static struct nlmsg nlmsg; const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* 
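mac; uint8_t* ssid; int ssid_len; };
// (The line above is the tail of struct join_ibss_props, left unchanged.)

// Brings the named network interface up (on != 0) or down (on == 0).
//
// Reads the current flags with SIOCGIFFLAGS, sets or clears IFF_UP and writes
// them back with SIOCSIFFLAGS. Returns 0 on success and -1 on any failure.
//
// The name is length-checked before it is copied: ifr_name is a fixed-size
// array inside a stack-allocated struct ifreq, and an unbounded strcpy() of a
// longer name would write past it. Over-long names are rejected rather than
// truncated, so the ioctls never act on a different interface whose name
// happens to be a prefix of the requested one.
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	size_t name_len = strnlen(interface_name, sizeof(ifr.ifr_name));
	if (name_len >= sizeof(ifr.ifr_name))
		return -1;

	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0)
		return -1;

	// Zero-fill first, so the copied name is always NUL-terminated.
	memset(&ifr, 0, sizeof(ifr));
	memcpy(ifr.ifr_name, interface_name, name_len);

	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}

	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;

	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	return ret < 0 ? -1 : 0;
}

// Sends NL80211_CMD_SET_INTERFACE for ifindex with the requested iftype.
// Returns whatever netlink_send() returns for the request.
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;

	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	return netlink_send(nlmsg, sock);
}

// Sends NL80211_CMD_JOIN_IBSS for ifindex using the SSID and frequency in
// props. The MAC attribute is added only when props->mac is set, and the
// zero-length NL80211_ATTR_FREQ_FIXED attribute only when
// props->wiphy_freq_fixed is true.
// Returns whatever netlink_send() returns for the request.
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;

	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	return netlink_send(nlmsg, sock);
}

// (get_ifla_operstate continues on the following line; its opening
// statements are left unchanged.)
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);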
if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } static int hwsim80211_create_device(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t mac_addr[ETH_ALEN]) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_NEW_RADIO; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_SUPPORT_P2P_DEVICE, NULL, 0); netlink_attr(nlmsg, HWSIM_ATTR_PERM_ADDR, mac_addr, ETH_ALEN); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static void initialize_wifi_devices(void) { int rfkill = open("/dev/rfkill", O_RDWR); if (rfkill == -1) { if (errno != ENOENT && errno != EACCES) exit(1); } else { struct rfkill_event event = {0}; event.type = RFKILL_TYPE_ALL; event.op = RFKILL_OP_CHANGE_ALL; if (write(rfkill, &event, sizeof(event)) != 
(ssize_t)(sizeof(event))) exit(1); close(rfkill); } uint8_t mac_addr[6] = WIFI_MAC_BASE; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return; } int hwsim_family_id = netlink_query_family_id(&nlmsg, sock, "MAC80211_HWSIM", true); int nl80211_family_id = netlink_query_family_id(&nlmsg, sock, "nl80211", true); uint8_t ssid[] = WIFI_IBSS_SSID; uint8_t bssid[] = WIFI_IBSS_BSSID; struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = true, .mac = bssid, .ssid = ssid, .ssid_len = sizeof(ssid)}; for (int device_id = 0; device_id < WIFI_INITIAL_DEVICE_COUNT; device_id++) { mac_addr[5] = device_id; int ret = hwsim80211_create_device(&nlmsg, sock, hwsim_family_id, mac_addr); if (ret < 0) exit(1); char interface[6] = "wlan0"; interface[4] += device_id; if (nl80211_setup_ibss_interface(&nlmsg, sock, nl80211_family_id, interface, &ibss_props) < 0) exit(1); } for (int device_id = 0; device_id < WIFI_INITIAL_DEVICE_COUNT; device_id++) { char interface[6] = "wlan0"; interface[4] += device_id; int ret = await_ifla_operstate(&nlmsg, interface, IF_OPER_UP); if (ret < 0) exit(1); } close(sock); } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* 
cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) exit(1); int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, 
"%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while 
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
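(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; }
// (The line above is the tail of lookup_usb_index, left unchanged.)

// A string descriptor supplied for the connect phase: len bytes at str.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Optional descriptors supplied for the connect phase: a device qualifier,
// a BOS descriptor and strs_len string descriptors.
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor, returned for any string index that is not
// supplied in the descriptors and is not index 0.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

// Fallback descriptor returned for string index 0.
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Picks the reply for an IN control request received while the emulated
// device is being connected.
//
// Only standard GET_DESCRIPTOR requests are answered. On success the function
// stores the reply buffer in *response_data and its size in *response_length
// and returns true; it returns false when fd has no registered device index
// or the request is not one it handles.
//
// Fixes relative to the previous version:
//  - descs may be NULL (the USB_DT_STRING branch already allowed for that);
//    the BOS and DEVICE_QUALIFIER branches now check it before dereferencing.
//  - A generated device qualifier used to be written through
//    (struct usb_qualifier_descriptor*)response_data, i.e. over the caller's
//    char* variable itself, which is smaller than the descriptor, and
//    *response_data was never pointed at valid data. It is now built in
//    per-thread storage and *response_data points at that storage.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	// Per-thread so that concurrent connects do not share the buffer; the
	// contents stay valid until this thread generates another qualifier.
	static __thread struct usb_qualifier_descriptor generated_qual;

	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return false;
	if ((ctrl->bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD)
		return false;
	if (ctrl->bRequest != USB_REQ_GET_DESCRIPTOR)
		return false;

	// The high byte of wValue selects the descriptor type.
	switch (ctrl->wValue >> 8) {
	case USB_DT_DEVICE:
		*response_data = (char*)index->dev;
		*response_length = sizeof(*index->dev);
		return true;
	case USB_DT_CONFIG:
		*response_data = (char*)index->config;
		*response_length = index->config_length;
		return true;
	case USB_DT_STRING: {
		// The low byte of wValue is the string index.
		uint8_t str_idx = (uint8_t)ctrl->wValue;
		if (descs && str_idx < descs->strs_len) {
			*response_data = descs->strs[str_idx].str;
			*response_length = descs->strs[str_idx].len;
			return true;
		}
		if (str_idx == 0) {
			*response_data = (char*)&default_lang_id[0];
			*response_length = default_lang_id[0];
			return true;
		}
		*response_data = (char*)&default_string[0];
		*response_length = default_string[0];
		return true;
	}
	case USB_DT_BOS:
		// Without supplied descriptors there is no BOS to return.
		if (!descs)
			return false;
		*response_data = descs->bos;
		*response_length = descs->bos_len;
		return true;
	case USB_DT_DEVICE_QUALIFIER:
		if (descs && descs->qual) {
			*response_data = descs->qual;
			*response_length = descs->qual_len;
			return true;
		}
		// No qualifier supplied: derive one from the device descriptor.
		generated_qual.bLength = sizeof(generated_qual);
		generated_qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
		generated_qual.bcdUSB = index->dev->bcdUSB;
		generated_qual.bDeviceClass = index->dev->bDeviceClass;
		generated_qual.bDeviceSubClass = index->dev->bDeviceSubClass;
		generated_qual.bDeviceProtocol = index->dev->bDeviceProtocol;
		generated_qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
		generated_qual.bNumConfigurations = index->dev->bNumConfigurations;
		generated_qual.bRESERVED = 0;
		*response_data = (char*)&generated_qual;
		*response_length = sizeof(generated_qual);
		return true;
	default:
		return false;
	}
}

// Handler type for OUT control requests seen during connect. A handler
// returns true when it recognises the request and sets *done when the
// connect sequence is complete.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: recognises only the standard SET_CONFIGURATION
// request, which also marks the connect sequence as done.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	if ((ctrl->bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
	    ctrl->bRequest == USB_REQ_SET_CONFIGURATION) {
		*done = true;
		return true;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: recognises standard SET_CONFIGURATION and the two vendor
// firmware-download requests. Only ATH9K_FIRMWARE_DOWNLOAD_COMP sets *done.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		return ctrl->bRequest == USB_REQ_SET_CONFIGURATION;
	case USB_TYPE_VENDOR:
		if (ctrl->bRequest == ATH9K_FIRMWARE_DOWNLOAD)
			return true;
		if (ctrl->bRequest == ATH9K_FIRMWARE_DOWNLOAD_COMP) {
			*done = true;
			return true;
		}
		return false;
	default:
		return false;
	}
}

// A descriptor reply keyed by request type and descriptor type; len bytes of
// payload follow in data.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

// Table of descriptor replies plus an optional generic fallback.
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

// A control reply keyed by request type and request code; len bytes of
// payload follow in data.
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

// (struct vusb_responses continues on the following line; its opening is
// left unchanged.)
struct vusb_responses { uint32_t len; struct vusb_response* generic; struct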
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
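USB_RAW_IOCTL_EVENT_FETCH, event);
}

/* Issues USB_RAW_IOCTL_EP0_WRITE with the caller's I/O block; returns ioctl()'s result. */
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

/* Issues USB_RAW_IOCTL_EP0_READ with the caller's I/O block; returns ioctl()'s result. */
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

/* Issues USB_RAW_IOCTL_EP_WRITE; io->ep selects the endpoint handle. Returns ioctl()'s result. */
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

/* Issues USB_RAW_IOCTL_EP_READ; io->ep selects the endpoint handle. Returns ioctl()'s result. */
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

/*
 * Enables the endpoint described by desc. Returns ioctl()'s result; set_interface()
 * stores a non-negative result as the endpoint handle.
 */
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

/* Disables an endpoint; the handle is passed by value as the ioctl argument. */
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

/* Issues USB_RAW_IOCTL_CONFIGURE on fd; returns ioctl()'s result. */
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

/* Issues USB_RAW_IOCTL_VBUS_DRAW; the power value is passed by value as the ioctl argument. */
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

/* Issues USB_RAW_IOCTL_EP0_STALL on fd; returns ioctl()'s result. */
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Finds the index of the interface entry matching both bInterfaceNumber and
 * bAlternateSetting in the per-fd device index.
 * Returns the array index, or -1 when fd has no index or nothing matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/*
 * Maps an endpoint address to the handle recorded for it on the currently
 * selected interface.
 * Returns the handle, or -1 when fd has no index, no valid interface is
 * selected, or no endpoint on that interface has this address.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	/* Same range check set_interface() applies before indexing ifaces[]. */
	if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
		return -1;
	/*
	 * The loop must be bounded by eps_num. The previous condition was the bare
	 * endpoint count (no `ep <` comparison), which is constant: for an address
	 * that is not present the scan never terminated and read past the end of
	 * eps[].
	 */
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

/*
 * Switches the active interface to entry n: disables the endpoints of the
 * current interface (if one is selected), then enables those of n.
 */
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;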
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? 
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { bool dofail = false; int fd = sock_arg; if (fd < 0) { dofail = true; fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 356 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs) { if (nsegs > 
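IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		/* Clamp each segment so that offset + size never exceeds IMAGE_MAX_SIZE. */
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		/*
		 * Grow the image so that it covers the END of this segment.
		 * The previous code compared against offset + offset, which ignores
		 * the segment length and can leave the computed size shorter than
		 * the data written at that offset.
		 */
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

/*
 * Builds an in-memory image from the given segments and attaches it to the
 * loop device `loopname`.
 *
 * On success stores the memfd and loop descriptors in *memfd_p / *loopfd_p and
 * returns 0; the caller owns both descriptors. On failure closes whatever was
 * opened, sets errno to the first error seen and returns -1.
 */
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	size = fs_image_segment_check(size, nsegs, segs);
	/*
	 * fs_image_segment_check() clamps only its own by-value copy of nsegs, so
	 * repeat the clamp here: the write loop below must not touch segments that
	 * were never range-checked.
	 */
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		/* Best effort: a failed segment write is deliberately ignored. */
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		/* The device is still bound to an earlier image: detach it and retry once. */
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

/*
 * Attaches the image described by (size, nsegs, segments) to /dev/loop<procid>
 * and turns on LO_FLAGS_PARTSCAN for it.
 */
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64,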
&info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, 
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

/* Mounts fusectl at /sys/fs/fuse/connections; a mount failure is ignored. */
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

/*
 * Process-level containment shared by the sandbox modes: parent-death signal,
 * new session, resource limits, fresh namespaces and SysV IPC sysctls.
 *
 * Only the steps needed for the saved net-namespace descriptor are fatal
 * (exit(1)). setrlimit(), unshare() and the remount are unchecked or have
 * empty failure branches, so on a kernel or privilege level where they fail
 * the process continues with weaker isolation than this function reads as
 * providing.
 */
static void sandbox_common()
{
	/* Ask the kernel to SIGKILL this process when its parent dies. */
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();
	/*
	 * Keep a descriptor for the current (initial) network namespace at the
	 * fixed number kInitNetNsFd; syz_init_net_socket() later setns()'es to it.
	 */
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;
	/* Address space: 200 MiB. */
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	/* Locked memory: 32 MiB. */
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	/* File size: 136 MiB (presumably sized to fit IMAGE_MAX_SIZE images; confirm). */
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	/* Stack: 1 MiB. */
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	/* No core dumps. */
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	/* At most 256 open descriptors. */
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	/* New mount namespace, then make every mount private so changes do not propagate out. */
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is the value of CLONE_NEWCGROUP, spelled numerically here. */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	/* SysV shared memory, message queue and semaphore limits written below. */
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	/* write_file()'s result is not checked here. */
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Waits until the child `pid` has been reaped and returns its exit status.
 * Exits the process if pid is negative (i.e. the fork failed).
 * NOTE(review): the loop retries on every waitpid() result other than pid,
 * including -1, so it relies on the child eventually becoming waitable.
 */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/*
 * Reads the calling process's capability sets with capget (version-3 header)
 * as the first step of dropping selected capabilities; any failure is fatal.
 */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr,
&cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } initialize_wifi_devices(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, MNT_DETACH)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char 
buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_fault() { static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) exit(1); } } } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE 
= 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = 
(int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define 
HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true); int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; 
uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true); struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP); if (ret < 0) { return -1; } } return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 53; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 38 ? 
50 : 0) + (call == 43 ? 3000 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 300 : 0) + (call == 46 ? 3000 : 0) + (call == 47 ? 300 : 0) + (call == 48 ? 3000 : 0) + (call == 49 ? 300 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_dup #define __NR_dup 41 #endif #ifndef __NR_fcntl #define __NR_fcntl 55 #endif #ifndef __NR_getgid #define __NR_getgid 47 #endif #ifndef __NR_getresuid #define __NR_getresuid 165 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_lstat #define __NR_lstat 107 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_read #define __NR_read 3 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[26] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000000 = 
-1; inject_fault(1); res = syscall(__NR_ioctl, -1, 0x89e2, 0x20000000); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0xe6; memcpy((void*)0x20000048, "\xf1\x37\x16\x1a\xb8\x6c\x59\x42\x02\xb9\x97\xd9\xf1\x2d\x00\x70\x21\x87\x03\x22\xc8\xd9\x09\x74\x84\x09\x95\x1a\xe9\x80\x0c\x1e\x20\x7f\x98\xb7\x69\xc7\x40\xf8\x67\xea\x14\xbb\xf8\x66\x6a\x4f\x98\xd2\x29\xaa\xaf\xbc\x33\xc6\xc5\x21\x68\xdb\x89\x33\xc4\xa4\xa4\xa3\xdd\x3c\xe0\xcc\xea\x96\xe7\x1d\x81\xff\x4a\xca\x83\x31\xcb\x01\xbf\x35\x43\x38\x53\xd1\xab\xd4\x8f\xd6\xd0\xce\x13\x14\xdf\x65\x07\xba\xe5\x35\xa2\xb4\xe3\xea\xa7\x4c\x5d\x23\x00\x65\x94\x14\x8a\x0f\xe5\xb4\xa8\x84\xef\x8f\x41\x34\x6e\x49\xcc\x90\x47\x4c\xb1\x7b\xac\x30\x1d\x47\x97\xed\x05\xdf\xc6\xcc\xb7\x4b\xeb\xaa\xbe\x54\x91\x72\xd6\x22\xa3\x06\x05\xa4\xe4\x9f\xd3\xf8\x53\x7d\xe5\x27\x2c\x33\xad\x4f\x07\xcd\x06\x05\x77\xbc\xe6\x5e\x5c\x80\xa3\x41\x68\xcd\xe6\x81\x17\xe4\xf9\x00\xe3\x5a\x3d\x88\x8e\x02\xee\x11\x17\x52\x21\x3b\x40\xd2\xaf\x25\x8c\x01\xf3\x6d\xe5\x0c\xe8\xe8\x3d\x42\x26\xa3\x0d\x6a\x4c\xc4\x3a\x88\x3f\x6c\x20\xe3\xfa\xda\x8a\xd2", 230); *(uint32_t*)0x20000140 = 0xee; res = syscall(__NR_getsockopt, -1, 0x84, 0x1a, 0x20000040, 0x20000140); if (res != -1) r[1] = *(uint32_t*)0x20000040; break; case 2: *(uint32_t*)0x20000180 = r[1]; *(uint16_t*)0x20000184 = 0xa; *(uint16_t*)0x20000186 = htobe16(0x4e22); *(uint32_t*)0x20000188 = htobe32(3); *(uint8_t*)0x2000018c = 0xfc; *(uint8_t*)0x2000018d = 2; memset((void*)0x2000018e, 0, 13); *(uint8_t*)0x2000019b = 0; *(uint32_t*)0x2000019c = 1; *(uint64_t*)0x20000204 = 0x7fffffff; *(uint64_t*)0x2000020c = 1; *(uint64_t*)0x20000214 = 0x7fff; *(uint64_t*)0x2000021c = 4; *(uint64_t*)0x20000224 = 7; *(uint64_t*)0x2000022c = 1; *(uint64_t*)0x20000234 = 0x3ff; *(uint64_t*)0x2000023c = 0x40; *(uint64_t*)0x20000244 = 5; *(uint64_t*)0x2000024c = 1; *(uint64_t*)0x20000254 = 0; *(uint64_t*)0x2000025c = 7; *(uint64_t*)0x20000264 = 0; 
*(uint64_t*)0x2000026c = 8; *(uint64_t*)0x20000274 = 0x1f; *(uint32_t*)0x20000280 = 0xfc; res = syscall(__NR_getsockopt, (intptr_t)r[0], 0x84, 0x70, 0x20000180, 0x20000280); if (res != -1) r[2] = *(uint32_t*)0x20000180; break; case 3: *(uint32_t*)0x200002c0 = r[2]; *(uint16_t*)0x200002c4 = 0xa; *(uint16_t*)0x200002c6 = htobe16(0x4e20); *(uint32_t*)0x200002c8 = htobe32(9); *(uint8_t*)0x200002cc = 0xfc; *(uint8_t*)0x200002cd = 2; memset((void*)0x200002ce, 0, 13); *(uint8_t*)0x200002db = 1; *(uint32_t*)0x200002dc = 3; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 6, 0x200002c0, 0x84); break; case 4: memcpy((void*)0x20000380, "/dev/pktcdvd/control\000", 21); res = syscall(__NR_openat, 0xffffff9c, 0x20000380, 0, 0); if (res != -1) r[3] = res; break; case 5: syscall(__NR_ioctl, (intptr_t)r[3], 0x7c80, 0); break; case 6: *(uint32_t*)0x200003c0 = r[1]; *(uint16_t*)0x200003c4 = 0xa; *(uint16_t*)0x200003c6 = htobe16(0x4e23); *(uint32_t*)0x200003c8 = htobe32(0x7f); *(uint8_t*)0x200003cc = 0xfc; *(uint8_t*)0x200003cd = 0; memset((void*)0x200003ce, 0, 13); *(uint8_t*)0x200003db = 0; *(uint32_t*)0x200003dc = 5; *(uint16_t*)0x20000444 = 5; *(uint16_t*)0x20000446 = 0x476f; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 0x1f, 0x200003c0, 0x88); break; case 7: *(uint32_t*)0x20000500 = 1; *(uint32_t*)0x20000504 = 2; *(uint64_t*)0x20000508 = 0x20000480; *(uint32_t*)0x20000480 = 0; *(uint64_t*)0x20000510 = 0x200004c0; *(uint32_t*)0x20000518 = 4; *(uint32_t*)0x2000051c = 8; res = syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000500); if (res != -1) r[4] = *(uint32_t*)0x200004c0; break; case 8: *(uint32_t*)0x200005c0 = 0x8a; *(uint32_t*)0x200005c4 = 7; *(uint64_t*)0x200005c8 = 0x20000540; *(uint32_t*)0x20000540 = r[4]; *(uint32_t*)0x20000544 = 0x400; *(uint64_t*)0x20000548 = 0; *(uint64_t*)0x200005d0 = 0x20000580; *(uint32_t*)0x200005d8 = 0x10; *(uint32_t*)0x200005dc = 0xc; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x200005c0); break; case 9: *(uint32_t*)0x20000680 = 0x83; 
*(uint32_t*)0x20000684 = 2; *(uint64_t*)0x20000688 = 0x20000600; *(uint32_t*)0x20000600 = r[4]; *(uint64_t*)0x20000690 = 0x20000640; *(uint32_t*)0x20000698 = 4; *(uint32_t*)0x2000069c = 4; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000680); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 0x240, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); memset((void*)0x20000044, 255, 6); *(uint8_t*)0x2000004a = 8; *(uint8_t*)0x2000004b = 2; *(uint8_t*)0x2000004c = 0x11; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; memcpy((void*)0x20000050, "\x20\x15\xd2\x29\x78\x5b", 6); STORE_BY_BITMASK(uint16_t, , 0x20000056, 8, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0, 4, 12); *(uint16_t*)0x20000058 = 0x27; *(uint8_t*)0x2000005a = 0x8c; *(uint8_t*)0x2000005b = 0x18; *(uint16_t*)0x2000005c = 0xc93; memcpy((void*)0x2000005e, "\xff\xe3\x24\x0f\x04\x84", 6); memcpy((void*)0x20000064, "\x06\x7e\xcc\x39\xa7\x8a\x3e\xa4\x7c\x22\x24\x6d\x39\x1b\x92\xc4", 16); syz_80211_inject_frame(0x20000000, 0x20000040, 0x34); break; case 11: memcpy((void*)0x20000080, "wlan1\000", 6); memset((void*)0x200000c0, 1, 6); syz_80211_join_ibss(0x20000080, 0x200000c0, 6, 2); break; case 12: memcpy((void*)0x20000100, 
"bpf_lsm_xfrm_policy_alloc_security\000", 35); syz_btf_id_by_name(0x20000100); break; case 13: memcpy((void*)0x20000340, "\xc4\xc1\x7d\x6f\x70\x72\xc4\xe1\xf9\x11\x2f\xc4\xe3\xc9\x5d\x33\xab\xc4\xc2\x79\x0e\xb0\x00\x00\x00\x00\xc4\xe1\x7a\x12\xb7\x0c\x00\x00\x00\x0f\x01\x56\xe9\xc4\xe1\x0d\xd5\x5e\x0c\xf3\x0f\x52\x6b\x00\x0f\x7e\x20\xc4\xc1\x79\xe7\x02", 58); syz_execute_func(0x20000340); break; case 14: res = syscall(__NR_dup, -1); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_fcntl, -1, 9, 0); if (res != -1) r[6] = res; break; case 16: memcpy((void*)0x200026c0, "./file0\000", 8); res = syscall(__NR_lstat, 0x200026c0, 0x20002700); if (res != -1) r[7] = *(uint32_t*)0x20002710; break; case 17: res = syscall(__NR_getresuid, 0x20002800, 0x20002840, 0x20002880); if (res != -1) { r[8] = *(uint32_t*)0x20002800; r[9] = *(uint32_t*)0x20002880; } break; case 18: res = syscall(__NR_read, -1, 0x20002ac0, 0x2020); if (res != -1) r[10] = *(uint32_t*)0x20002ad0; break; case 19: memcpy((void*)0x20004b00, "./file0\000", 8); res = syscall(__NR_statx, -1, 0x20004b00, 0x2000, 0x20, 0x20004b40); if (res != -1) r[11] = *(uint32_t*)0x20004b58; break; case 20: *(uint32_t*)0x20004e00 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004d00, 0x20004e00); if (res != -1) r[12] = *(uint32_t*)0x20004d34; break; case 21: res = syscall(__NR_getgid); if (res != -1) r[13] = res; break; case 22: memcpy((void*)0x200003c0, 
"\x23\x58\x10\x53\x7c\x7f\x88\x6c\xa9\x17\x21\x04\x5f\xf7\xba\xdf\xae\x44\x29\xb2\x52\xcd\x65\x81\x72\xc1\xd0\xd4\x18\xed\x70\x05\x74\x39\xfc\x22\xff\xc7\x7b\x29\x08\x5c\x94\x88\xff\x93\x40\xf8\xa2\xad\xe9\x9b\xf9\xaf\x14\xa3\x57\x25\x7b\x8a\xa6\x9b\x4b\x8e\xff\xe7\xaf\xd6\x87\x6b\x3b\x51\x2b\x86\xfa\x1d\xff\x55\x5c\x6d\xc6\x18\x62\x66\xc9\x1f\xa2\x81\xc9\xdc\x72\xee\x17\xea\xd0\xe2\xa3\xfe\x9f\xf0\x3e\x7c\x32\xd2\x7e\x26\x7f\x5b\xe0\xfd\x6d\x1f\x9e\xfc\x02\xaf\x7f\xe9\xd6\x8d\x75\x55\x19\x20\x1d\xea\x7a\xbe\x68\x10\x53\xab\x98\xf7\x3f\xc0\xc6\xa0\x68\x4e\x91\xb7\x41\xc8\xc9\x45\x1f\x94\x59\xb5\x98\xee\x6f\x4e\xc0\xc9\x1f\x3e\x91\x7a\xf1\xe6\x64\x6f\x3c\x54\xf8\xfa\xf0\x48\x7d\x8e\xcc\xf0\x87\xe2\x8f\x87\x68\xf4\x8a\xe1\x5d\x09\x89\x04\xb3\x25\x42\x85\x70\x2e\x30\x8a\x93\x7d\x5e\x23\xa2\xae\xf3\xc2\x53\x12\x51\x6c\x50\x2d\x5e\x02\x33\x06\x52\x29\xee\x4a\x70\xdb\xc4\x14\x60\x4b\x7f\x05\x5e\xb7\xa2\x72\x48\x03\xe8\x5e\x5b\x4c\xd0\x5a\xf7\x11\xed\x73\x0f\xce\xb8\x1b\xca\xe1\x7a\x49\x67\xaa\x6c\xcf\xf3\xc0\xf4\x96\x6b\x7f\xf3\xd1\x5f\x09\x3e\x94\xeb\x0a\x46\xb7\x0c\x0f\xa5\xb8\x62\x8c\xac\x3c\x31\x01\x9b\xba\x60\x02\x41\x6f\xc6\x66\x1d\x85\x8f\xff\x16\xa9\x62\x15\xb1\xd1\x8a\x87\x7d\x9a\x53\x4a\xc4\x02\x56\xa3\x55\x79\x31\xad\xe2\x7f\x58\x7c\xce\x26\xa2\x0c\x01\x3d\xc6\x7f\x2e\x92\x2a\x52\x68\x9a\xae\xfa\x1b\x06\x4d\x03\xf8\xf6\xa3\x9f\x96\xb0\xde\x1d\x21\x39\x4c\xb6\xc2\x30\x10\xeb\x9e\x4a\x79\x41\x47\x35\xed\x99\x65\x42\x5f\x8a\x01\x00\x84\x96\xdb\xad\x04\x97\xfa\x0d\x65\xac\xec\x59\xff\xa6\xa2\x80\xbc\x58\xe2\xd8\x87\xa1\x0e\x96\x65\xea\xeb\x97\x43\x6e\xbd\xeb\x2b\x58\xa9\xae\x40\xe4\x49\x27\x32\x46\xfd\x99\x67\x53\x9f\x21\x2e\xd8\x96\x9b\x6f\x9a\x49\xd6\x5b\xca\xd2\xdd\x9d\x8e\xe4\x2e\x32\x05\x74\x11\x17\xe4\x31\xd4\x43\xff\x3e\x94\xc4\x7e\x7f\xd6\x27\xd3\x05\x11\xd5\xfb\xce\xc6\xa7\x58\x38\x3d\x31\x36\x7a\xca\x8e\x3a\xf7\x72\xa1\x02\x11\x05\xab\x2c\x1b\x4a\xa7\x61\x4d\xea\x8c\xfa\x4b\x06\xf5\x3a\xf3\x73\x77\x98\x62\xc9\xbd\xb7\x6e\xf9\x3c\x74\x61\x8e\xee\x73\x47\xa
0\x74\xd4\xf7\x1a\x98\x23\x3b\x24\xb2\xa2\x57\x29\xc9\xa1\x98\x3d\x81\x9c\x3f\x42\xd3\x28\xd0\x8f\x0d\x4d\xd1\x64\x2f\x61\xb6\x2a\x89\xfc\x30\x0f\x50\x66\xd8\xe4\x57\xf5\xfd\x49\xda\xa7\x9e\x1b\x1d\x43\xd2\x6f\x89\xf2\xca\x99\x04\x50\xe8\x60\xbc\xc4\x7d\x5c\xf4\x77\x8c\x37\xc4\x51\xed\x22\xd6\x0f\xe2\xbc\xfa\x2c\xaf\xf7\x5c\x41\x70\x99\x0a\x2e\x8e\x21\x87\x19\x7f\x86\x38\xb0\x67\x85\x4c\xcf\x9d\xbe\x91\x58\x6d\xd4\x23\x41\x40\x1c\x4f\xb4\xf3\x13\x30\x66\x8a\xcb\x51\x6e\xba\x22\x27\xcb\xca\x4c\x8f\xa2\xf3\x9a\x03\x52\x1b\xd8\x03\x2f\x5e\x1a\xed\xf4\x9c\x50\xe6\x01\xb9\xfa\xd4\xe0\xd6\xf5\xb5\x93\x2e\xa2\x14\xfd\x50\x84\x85\x70\x3d\x08\x45\x79\x8d\x43\xbd\xbf\xf9\x63\x86\x77\xe6\xa9\x96\xef\xbb\xd1\x93\x6e\x97\x28\x20\x62\x70\x9f\x77\x8b\x45\x5c\xb4\xd2\x00\x13\xf5\xfe\x4c\x9b\xba\x0f\x7c\xfc\x18\x02\xe8\x18\x0f\xb6\xd4\x6f\x51\x76\xd1\xbd\xbb\x43\xd9\x60\xd4\x94\xf3\xa3\x0e\xd7\xab\x4d\xb0\x7d\xe5\xad\x92\x4b\x57\x97\xb5\x09\xf9\x60\x83\xf4\xad\xa9\xfc\xeb\xed\xe1\xeb\x0f\xb0\xdf\xa2\xcd\xc2\x14\x4b\x15\xcf\x4c\x28\x0f\x87\xd1\x18\x7e\x80\x8e\x37\xcd\xef\x53\x75\x52\xe3\x83\xf4\x6c\xcf\xe8\x62\x15\xb2\x07\x15\x39\x85\xe6\xb1\x31\x96\x22\x1f\xde\xa6\xc9\x47\x86\x4d\x12\x14\x7d\x7b\x01\xef\xc3\xdf\x14\x4e\x2c\xaa\x24\xd1\xa4\x78\x2a\x51\xa8\x23\x5c\x4c\x0e\xad\xf0\x44\x0c\x8e\x43\x4a\x4d\x07\x2b\xe5\x84\x55\x47\x17\x5f\x37\xc5\x5f\xdd\xd5\xe7\x84\x95\xac\xe4\x34\xc4\x83\xf2\x8b\xb3\x48\x7a\xd8\xd6\x8b\xd7\x43\x77\xfd\x82\xe1\x7b\xaf\xeb\x06\x2b\x81\xc6\x8e\x8a\x63\x89\xc8\xd8\x10\x79\xe4\xc9\xfa\xa2\xa8\xfc\xf1\x24\x15\xcc\x21\xeb\xcd\x92\xde\x80\x88\x45\x50\x59\x4c\xa6\x4b\x56\xb0\xb4\x24\xa6\x5f\x80\xca\xb1\x64\xb2\xf6\xf2\xf3\x3c\x7a\xea\xa8\xb6\x60\x2e\x71\x83\xb9\xd0\xae\x15\x3a\x17\x03\xb3\x03\x67\x5a\xae\x13\x3b\x3d\xd9\xc6\x46\x67\x7f\x6d\x8a\x49\x2d\xa0\x99\xef\xb4\xa7\xe4\xde\xe3\x92\x81\x8a\x15\xd6\xbf\x9e\xfb\x07\xee\xad\x5b\x40\xac\x25\xbb\x0f\x00\x92\xf4\xb0\xec\xaf\x0a\xc3\x39\x1b\x3e\xcf\xd0\x63\x5e\xc4\x96\xb8\xb6\x6d\x7a\x45\x1c\x6d\x10\x37\x9c\x15\x2
9\x1c\x4f\x36\x82\xf0\x5f\xb7\x39\x44\xcd\x1b\xe0\xf0\xfa\x85\x54\x35\x8b\x30\xde\xb7\x38\x69\x31\xae\x95\xeb\x2a\x16\xfa\xed\x24\x5f\xfc\xad\xb3\x94\xac\xdf\x06\x38\xa6\x26\x27\x82\x33\x01\x93\x66\xe2\xec\xd9\xdb\x1a\x4b\x5a\xe2\x7f\xf8\x3d\x7b\x57\x1c\xd7\xff\xc1\x51\xdc\x4d\x0c\xef\x1d\x03\x00\xc9\x8a\x41\x69\x77\x51\x85\x1f\x8e\x05\x24\x9c\xae\x19\x96\x3f\x81\x25\x89\xa7\xd6\x4c\xfa\xb8\x46\x43\x9f\x47\x13\x43\xba\x5e\xff\xac\x9a\x57\xf7\x6d\x0a\xbf\xb9\x5e\x87\x8b\xee\x4c\x94\x24\xf0\xca\x17\x18\x19\x5e\xff\x14\x06\x0a\xcf\xb3\xe0\xdf\x4c\xbc\x56\x0b\xc2\xbe\x9a\xb4\xf0\xa0\xbd\x68\x6f\xe2\x13\xd4\x49\x47\x17\x0e\x68\xe7\x3b\xaa\xdd\x98\x2c\xe2\xd1\x70\xa5\x0d\x1e\xca\x02\x40\xcd\x3c\xec\xe9\xf7\x4d\xa3\xa1\xc1\x47\x6f\xf1\x1f\xa3\x34\xd7\x2c\x18\x50\x6b\x5c\x00\xa4\x41\xea\x2e\x9c\x72\xc7\x6b\x38\x50\x37\xf8\x6c\xa5\x94\xaa\xad\xe9\x87\xa7\x9b\xbd\x3e\x3c\x40\xd0\x00\x7a\x7f\xf8\x52\x99\x05\xb9\x4c\x54\x61\x65\x62\x92\x95\x0b\x41\xc8\x34\x43\xdc\x84\xd6\xfd\xf5\x2e\x44\x97\xed\x68\x04\x98\x1a\xf1\x33\x85\x64\x92\x00\xd8\x93\x09\x3b\xf2\xea\x82\x25\xb3\x89\xc4\xdf\xd2\xe8\x15\xb3\xbd\xf9\xd7\x08\x4d\x29\x00\x9e\xae\x4e\x88\x22\xa5\xb6\xa5\x2a\xa7\x6a\xfd\x95\x1d\x04\xaf\xa8\xe1\x28\x63\x96\xa8\x34\xdc\xf8\xc6\xb5\x7c\xc4\xef\xbc\x0c\x16\x77\x9d\x53\xf0\xbc\xd7\x40\x43\xc0\x6e\xce\xbe\x59\x32\x8d\xcc\xa8\xbb\x61\x05\xaf\x23\x56\x59\x06\xe5\x46\x6c\x73\x11\xb1\xaa\xc6\x76\x2e\x4b\x62\x60\x36\xfe\x31\xd3\xe7\xb0\xfa\x2e\x65\x8c\xa9\x35\x10\x78\xee\xca\x7b\x46\x7e\x11\x8e\x9b\x88\x95\x9d\xe1\xf4\x18\x69\x40\x5a\x83\xbd\xc6\xce\x98\x0c\x72\x9f\x7e\x2a\x46\x0f\xa9\xbe\xe1\x61\xe5\x4d\x27\x1a\x87\x4b\xb4\xd0\xa2\x2c\xd1\xa4\x37\x6d\xe3\x6b\x58\x68\xca\x0e\x10\x93\x3e\x5f\xe2\xf7\x38\x5c\x1a\xf6\x2b\x86\xf8\xe5\xc3\x12\x66\x26\xb8\xbc\x6d\x56\x8f\x62\x1d\xa3\x23\x70\x7e\xa3\x32\xd7\x65\x44\x39\xfb\xa4\x67\x1d\x0c\xae\xb7\xef\x94\xe2\x5a\x82\x86\xbd\x9a\x19\xa2\x9e\x49\x32\xc7\xdb\x9b\x82\x34\x7d\xa5\x24\x92\xb3\x81\x4a\x44\xb9\x2f\x61\x55\x9c\x22\x65\x4c\x8b\x30\x1a\x8
d\xfe\x9d\xae\xae\x0c\xad\xe9\x46\xc0\x66\x6e\x94\xc4\xa6\x35\x3b\xb0\xeb\x21\x37\xd3\x68\x53\xad\x4f\x7a\x20\xa5\x08\x1e\x63\xaf\xee\xce\x20\x3f\xa6\xee\xea\x7f\x62\x9d\x00\x1d\xab\xaf\x5b\x1a\x3c\x67\x61\x51\x7b\xc9\x9a\x8e\x63\xf6\x6c\x01\x88\x49\x27\xb4\xbc\x40\xbc\x34\x19\x0c\x9e\x55\x3c\x69\x0f\xbc\x64\x44\xdd\x8b\xba\x65\x68\x74\xfa\x80\x46\x31\xb5\x6d\x24\x54\x1a\x9b\xd6\xfb\x77\xdb\x49\x03\x76\x9f\x9d\x04\x44\xd0\x8a\x21\xff\x59\xd9\x49\x65\x9d\x80\xb1\x40\x2d\x91\x9a\xc0\xfb\x83\x80\xed\x91\x15\xb6\x69\x3c\x19\x5f\x8f\x1a\x90\xa3\xa4\x22\x35\xd8\xea\x78\x2e\xda\x2b\xf1\x94\xd3\x2f\xbc\xc5\x63\x27\x1a\xfd\xa7\x3d\x70\x96\xa2\xe9\xe4\x67\x54\x1e\x76\x67\xc2\x67\xc5\x95\xe1\x23\x37\x29\x75\x26\x77\x68\xb8\xd1\x6c\xb6\x13\x0e\xae\xbf\x69\x8b\xe7\x6e\xef\xab\xbe\xac\xd5\x9f\x63\x1c\xc1\x04\xf0\x42\x26\x3e\x3e\x29\x62\x59\x79\x69\x72\x1a\x6c\x02\x2a\xba\x14\x11\x2e\x2f\x38\x02\xba\x63\x53\x91\xcd\x1f\x94\x32\x35\x25\xc8\x16\xef\xa9\xe8\x65\x52\x39\x9e\x79\x66\x5f\xf5\x54\xf5\x86\x75\x4f\x72\xd5\x3a\x0d\x94\x75\xc6\x55\x94\x8b\xd1\x3e\xc9\x3d\xd8\xcc\x43\xe5\xb8\x13\xeb\xfe\xa4\xab\xcd\x78\x0e\xed\xb6\x82\xac\x4f\x66\xe1\x68\x47\xf7\x82\x1f\xdc\x40\xda\x07\x3f\x7f\xc5\x9f\xe5\x7c\xa6\xad\x5f\x4d\xdd\x8a\x41\xe8\xaa\xdf\x3e\x21\x78\xcf\x42\x95\xc8\x59\x99\xe2\xc2\xd8\x24\xa0\x8e\xbb\x9a\x9b\x09\xe2\xef\xbf\x9b\x8d\x03\x73\x09\x1e\xa6\x1e\xc6\xaf\x17\xdf\x1e\x71\xac\xeb\x40\x3a\x41\xd3\xba\xfe\xfc\x56\xdc\xff\x18\x60\x23\xe9\xf2\x89\xe6\x1b\x74\x69\x04\xb3\xce\x34\x86\x9b\x53\x27\xc9\x24\xa2\x73\x36\xb2\x16\xd2\x20\x6e\xeb\xa9\xb1\xdf\xdc\xe0\x22\xe3\xa1\x3a\x26\x17\x38\x7f\xb3\xff\x5a\x1d\x0f\x38\xfb\xb9\x06\x3b\xcb\x69\xb5\xe3\x3e\xe4\x57\xef\xe0\x51\xdf\x45\x34\x62\xb7\x18\xd7\xd5\xe7\x80\x31\x04\x71\xa7\x3d\x99\xe2\xeb\x1e\x23\x23\x6c\x74\xb9\x37\x7c\x3e\x0e\xbb\x93\xea\x7a\x6a\x7b\x32\x2c\x42\x59\x10\x20\x9f\x89\x18\x41\xd6\x5c\xb8\xdb\x3b\x2b\x0d\x51\xd2\x7c\xde\x0c\xa1\x85\xbd\x3b\xf1\xf4\x02\xff\x10\xfc\x61\x1b\x93\xfa\x6f\x94\xeb\xf6\x07\x9a\xc6\xd5\xf3\x0
f\xf8\x66\xa4\xdb\xf3\x07\x29\xfc\x3c\xd0\x03\xed\x9e\xee\x6e\x1c\x92\x31\x9a\x8c\x62\x69\xe1\xa7\xdb\xa0\x49\x1d\x27\xb3\x26\x38\x8b\xc3\x2d\x58\xbf\x68\x5e\xc4\x29\xa8\xca\x7a\x12\xb6\x60\x18\x23\x08\x71\x0b\x5a\xa6\x1d\xce\x0a\x14\x3f\xad\x3b\xbc\x1a\x81\xa8\xf8\x14\xee\x37\xb4\x34\xc7\xd7\x29\x33\x1c\xe7\xf7\x2d\xdf\x31\xdc\xa7\x19\xbd\xfa\x04\xc0\x3a\xec\xeb\x4c\x64\x0c\x1c\xdd\xd0\xf0\x11\x37\xbd\x6e\x2f\x7a\xef\xb5\x1b\x02\x10\xb8\xcd\xb2\xcc\xb0\xf5\xd7\x45\x8d\x05\x71\x92\x76\x75\xf1\xbe\xdb\x36\xd0\xbf\x30\xac\x68\xdb\x43\x8f\xfb\xa7\x4a\xca\x62\x37\x25\xf2\x75\x22\x70\x1b\xb6\xc5\xca\x41\x4d\x23\x91\xcd\x53\x3a\x82\xc0\x66\x72\x4c\x6d\x3f\xd6\x8f\xe4\x2a\x83\x4d\xcc\xf5\xbf\x70\x34\x74\x29\xad\x8e\x38\x22\x15\xf7\x2f\xad\x93\x6e\xf9\x49\xbf\x64\xda\xd1\x25\x77\xea\xd0\xdc\x6c\xf2\x71\xbe\x7c\xa8\xe0\xba\xab\xb4\x39\x7f\xf0\x63\xf3\xae\x8e\x74\x12\x10\xc6\xa3\xab\x3b\x44\x2b\xa8\xfb\x16\xf2\x28\xc5\xda\xfe\xb1\xb4\x40\x82\x7d\xef\xbc\x48\xf5\xcb\xce\xb2\x74\x07\x55\xc9\x85\xd0\x60\xe8\x2c\x86\xc7\x32\xbb\xd5\x60\x88\x35\x91\xa1\xac\x05\x82\x99\xf1\x7f\x2e\x2a\x12\x85\x60\x28\x0b\xa0\x89\xe8\x4c\x34\x65\x45\x2a\x65\x07\xa6\x3f\x88\x49\x44\xa8\x3a\x21\xd2\x6c\x8e\x49\x8f\xf5\xdb\xd4\x89\xc6\x9c\xa7\x85\x32\x49\x01\x8e\x9d\x03\x52\x0b\x23\xf4\x7b\x29\x7b\x85\x26\x32\x2b\x1f\x6b\xd5\x4d\x06\x0c\xce\xa3\x01\xcc\x8a\x3a\x15\xda\x2d\x39\xb6\x4e\xa4\xdd\xb0\x3c\x7b\x6c\xba\x60\x5e\x8d\xd4\x86\xd1\x2d\x8f\x0c\x6c\xd9\xfb\x47\x81\x61\x12\xba\xa0\xa7\xae\x0e\xba\x4f\x0f\x89\xb2\x14\x32\x03\xa1\x19\xa6\xbb\x85\x45\xc1\xba\x66\x78\x84\x95\xf4\xe7\xda\xd9\x6d\xf8\x11\x9b\x1c\x11\xd7\xff\xb0\x71\x07\xc0\xc0\x35\xa8\x06\x97\xa8\xed\x78\x0d\x9c\x55\x61\x92\x93\x85\x08\x5f\x0a\xa7\xbc\x74\x8f\x2b\x5e\x23\x4e\x21\x0c\xe7\x77\x22\xc5\x4e\x80\xb8\x86\xc0\xd6\x14\x65\x8f\xfa\x23\x40\x8c\xac\xa9\xcf\x01\x38\x69\xef\x66\x29\xf8\x46\x16\x40\xda\xea\x86\x9a\xd4\xc3\x65\x53\x0d\xe5\x27\x81\x5c\xaf\xee\x31\x4f\x8c\xa7\xb9\x87\x95\x22\xc4\x26\x29\xe3\xe7\x12\x96\xe5\xf6\x0a\x84\xdb\x3
9\xd5\xc9\x00\x00\x16\xea\x33\xf4\x81\xd8\x0c\xcb\x80\xf0\x85\xd5\xed\x3f\x70\x0b\xad\xc3\xb4\xb7\xd8\x0d\xd8\xa7\x78\xf0\x38\x17\xa1\x0d\x67\x89\x2d\x36\x87\x0a\x98\xbd\xc7\x0c\xfd\xa4\x83\x4c\x78\x15\x42\x1f\xc9\x72\x74\x01\xbd\x4f\x81\x11\xbb\xba\x76\x86\x02\x4b\x42\x72\xf5\xa6\x8a\x66\x51\x94\xaf\xc4\xf1\xa9\xf8\x57\xaf\x27\x0e\x30\x22\xc1\x8d\xfc\x18\xf6\x7b\x39\x77\xe6\x41\xc6\x25\x8f\x00\xc1\x43\x0e\xa7\x95\x78\xf4\xdc\x82\xa0\xba\xb5\x21\x40\xdf\x4b\xe0\xad\xb3\x29\x19\x5a\x29\x7d\xf0\xbe\x6e\x12\x34\x97\x70\xb4\x47\x7a\x44\x65\xa8\x14\x39\xf2\x2b\x6b\xdc\x67\x7a\xb8\x6d\x4e\xdb\xbd\xfc\x7d\xb3\xcf\x06\xd4\xa9\x4d\x33\xc6\xc1\x1f\xa1\x63\xfe\xfb\x1a\x87\xa9\xb5\x2c\x1c\xc4\x09\xeb\xed\xe7\x26\x3c\x88\x97\x5e\xdb\x23\x7f\xa0\x1b\x58\x3f\x79\xfc\x7a\x4f\x8e\x8a\xc8\x9a\xf7\x93\x08\xd9\x9b\x47\x3c\xf3\x3f\x33\x44\xa4\xe5\x52\x3f\x3e\x35\xd3\x88\xd1\x8e\xe1\x18\x5c\xaa\x19\x18\xd2\x3a\xae\x41\x93\xae\xdf\xe1\x25\x04\x2e\x16\xd5\x71\x86\x52\x61\xdd\x63\xbf\x0c\x9d\xd8\x48\x5f\xa6\x4e\x24\x10\xa2\x6a\x43\x6c\x83\xc9\xe3\x45\x56\xf3\x7c\x1d\x69\xd2\xfd\x57\x42\x78\xc4\xb2\xc8\xba\xf3\x83\x4e\xe2\xe0\xf3\x64\xb5\x4c\x36\x78\x0f\x28\xa8\xeb\xe5\x6e\x1d\x9e\x1c\xbd\xfd\x77\x3c\xe8\xaa\xcd\xef\xda\x09\xf4\x0d\xff\xd8\x47\xaa\xdf\x67\xc4\x44\x71\x00\x8c\xee\x07\x76\xfb\x06\x89\x54\x30\x8f\x16\x20\x3d\x01\x7b\x29\x0c\xd1\xad\x9e\x4c\xdc\x49\xf3\x26\x35\x28\x07\x56\x0d\xdd\xa4\x90\xc0\x5c\x6d\x5e\x04\xf1\x94\x00\x83\xaa\xba\x83\xe0\x29\x37\x0f\xd7\x6e\x77\x57\xc7\x3c\x05\x43\xdd\xff\x26\xc3\xa3\x07\x62\xe2\xc9\xc5\x56\xaa\x28\x2c\x7f\x46\xf3\xdd\x8e\x20\x01\x68\x05\x3a\x03\x17\x4c\x56\x69\xdc\x43\x90\x0a\x39\x41\x7c\x9d\xff\x8e\xd3\xf1\x0e\xb0\x7c\x47\x0a\x52\x2e\xc8\x20\x71\x2f\xf8\x82\x59\xcf\x7f\x5e\xe5\x2c\xf4\xee\x69\x0b\xca\xbd\x88\x76\x3f\x66\x32\x9f\x37\x25\xa4\x36\xca\x19\x38\xd4\xda\x48\xde\xdf\xfe\xa8\x2d\xc5\x4a\x2a\x0a\x5c\xfb\x64\xc3\xe2\x78\xf4\x1b\x93\x3c\xef\xeb\x02\xf9\x82\x53\x2e\x98\x67\x72\x41\xd7\xec\x2f\x8d\x14\x27\xda\x17\x11\x91\x9d\x67\x2e\x95\x1
b\x6d\x1c\xd8\xf2\xc0\x20\x3f\xed\xd5\x21\xf7\x5a\x22\x9d\x99\x67\x13\x35\x81\x36\xd8\xb4\xeb\x79\x71\x34\xfe\xc8\x74\xe3\xd3\x8a\x01\xcb\x82\xa8\x7c\x8c\x21\x1e\x64\x29\xef\xe6\x77\x17\x3a\xab\x0a\x0f\xb9\xf5\x58\xf4\xb0\x6f\x77\x05\xbc\xd1\x77\xec\x1d\xd8\x0d\x04\x45\xb5\x44\x8e\x7d\xc2\x94\x53\x8a\xae\xcc\x59\x61\x0d\xbe\x6f\x2b\x3b\x16\xb2\x75\xc1\x8d\x33\xa7\x8f\x0c\x1d\xcb\xb0\x7e\x13\x76\x28\xb6\x22\xf8\x85\xae\xe8\x0b\x82\x68\x4c\xdd\x5f\xde\x5a\x29\xaa\xdf\x63\xd8\x5e\x95\x15\x96\x49\xad\xce\x0f\x9e\x57\xb5\x3b\x82\xc7\x5b\x87\xa1\x27\x47\xef\x0f\x84\xbe\x50\x69\x3c\xca\xe7\x98\xe3\x8a\xaf\x05\x06\x66\x16\x3e\x6b\xed\x48\xf5\xf1\xba\xf4\x9a\xde\xa2\x12\x23\xbf\xb0\x89\x19\x98\x98\xdc\xd2\xe9\x1b\x70\x8b\xd6\x2b\x61\xf1\x38\xcc\x48\xbe\xd8\x8b\x77\x2d\x14\xbc\xc5\x39\x68\xaa\x32\xfa\x3f\x11\x45\x84\x75\x2d\xb5\x32\x78\xb2\x5f\x36\x7d\x52\xc2\x07\xec\x54\x59\x66\x83\x82\xaa\xc7\xeb\xfd\xf3\xa2\x07\x5c\xef\x67\x9b\xd7\x7e\xc1\x7a\x11\x43\xde\x08\x47\x20\x08\x54\x86\x68\x5a\xc8\x69\x73\x3b\xc0\x7d\x74\x24\x6f\xbf\x8a\xbb\x36\x62\xbe\x75\x0d\xdd\xd3\xb1\x3e\xcb\x2d\x91\x35\xf5\xc6\x8d\x1f\xdd\xe5\x49\xd9\xc2\x09\x1d\x96\xaa\x35\xf8\x43\x36\xb4\x21\x51\x31\xf3\x64\x76\xec\x84\x8d\x53\x3d\x7d\xca\x1e\x0a\xa4\x1e\xef\xb8\x80\x60\x52\xa8\xcd\xd5\x38\xb7\x55\x70\x7f\x93\xe0\x48\xd7\x71\x50\x5b\x88\x90\xd8\xf6\x80\xb8\x80\xcc\xb8\xee\x29\x49\xe3\x5a\x63\xee\x48\xe7\xb4\x67\x12\x8b\x65\xff\xe6\x06\xce\xd2\x8a\x3b\xc3\x17\x2b\xd0\x9f\x2b\x58\xef\x63\x22\xa3\xfa\x31\xe0\xfa\xb3\x7a\x3a\xfe\x72\x9a\xd4\x3d\x5c\xd0\x2b\x42\xbe\x4d\x8e\x60\x2b\x99\x51\x6d\xbd\xbd\x81\x2e\x1b\xec\xae\xba\x14\xb2\xb2\xbf\xaf\x05\x55\x90\x02\x51\xe3\x1d\x83\x97\x98\x14\x1b\x32\xab\xdc\x55\x8b\x3b\xf3\x0e\xdc\x11\x45\xf5\x41\x79\x85\x07\xda\x32\x9c\x5a\xcc\x1f\xf5\x6d\x4f\xd5\xf6\xe1\x8c\x02\x08\x12\x22\xc6\x98\xb3\xd0\xf2\xb1\x95\x39\xa7\xc2\xc9\x1f\x78\xb1\xbe\x76\x48\x19\x91\xe2\x41\xd2\xae\x88\x9d\x4c\xb1\x33\xf9\x0f\x77\xd9\x22\xd9\x84\xb5\xa5\xd1\xb2\xaa\x03\x8f\xb0\x01\xf0\xba\xc8\x8c\x1
4\xa3\x6f\x62\x29\x6a\xb3\x24\xd5\x2b\x57\x54\xd4\xe8\x42\x88\x9d\xa6\x54\x14\x3b\x4b\xd7\x19\xf0\x82\xcb\xcf\xa2\xec\x90\x31\xb9\xb4\xb8\xbb\x8e\xf4\x6b\xc3\xff\xa5\x2d\x35\x38\x5b\xf2\x7e\x3c\xcd\x86\x10\x84\x81\xff\x66\x40\xe8\xb0\xe3\x09\xd2\x8b\x14\x94\x20\xf9\x5e\xb9\xaf\xa0\xf6\xe1\x88\xb7\x00\x5f\x42\x12\x25\x38\x5b\xde\xa3\x82\x5a\xd5\xfb\xfc\x6d\x9f\x29\x97\x47\x6b\xc3\x6e\x5d\xfe\x4b\x68\x6d\x1a\x2d\x40\x25\x16\xd4\xee\xe9\x90\xe1\xea\x6a\x23\x48\x38\x10\x3f\x42\xd7\x05\xab\xf3\x78\x35\x67\x3c\xa7\x86\x75\xb5\x35\x4c\x2a\x99\x13\x0e\x2b\x7a\x64\xee\x26\xa2\xad\x6c\x1c\xd2\xde\x64\xed\x59\x12\xeb\x77\x08\xdb\x3a\xfb\xb4\xa6\x83\x10\x9b\x10\x57\x29\x8f\x35\x6e\x4c\xf4\xfa\xb2\x00\xca\xf7\x40\x3c\x71\x9a\xa8\x1a\xb0\x1d\x3d\x7f\x91\x55\x07\x3f\x56\x49\x5e\x51\x16\x19\x6e\x9a\x9d\xe8\x2f\x10\xa5\xc0\x8d\xfb\x2f\x91\x54\x94\xdf\x7a\x07\x00\xef\xb7\x22\xd3\x41\x6a\x5d\x32\xbc\x02\x29\x71\x11\x65\x08\x47\xde\xe6\x76\xd2\x68\x77\x2d\xec\x41\x3d\xa3\xa1\x32\x09\x89\xc1\xbe\x0d\x5c\x9c\x1b\x6f\xc4\xf7\x0f\xbd\xad\x88\x8a\xbb\x0b\xe8\xf1\x16\xf0\xd7\xa6\xf3\xab\xaf\x63\x6b\xb6\xb6\x92\x22\xda\xf4\xcc\xbd\x6d\x07\x29\x3d\xef\x59\xcd\x5e\xc9\x08\x45\x4d\x07\x94\x95\xf2\x7b\xfa\xf9\xe4\x5f\xb2\xc9\x99\x64\xe6\xb2\xfb\xa0\x3a\xf0\x38\x2d\x5b\x60\xad\xeb\xbb\x28\xfb\x8f\x8f\x8e\xfd\xd8\xda\x65\xea\xc2\x93\x77\xcf\x07\xc6\x2e\x1b\xf1\x0f\x61\xfa\x91\x2e\x62\x71\xf2\xcb\x95\x09\xa7\x63\x1b\x7a\xbe\xc3\x39\x6b\xeb\xce\x10\xbc\x79\xe2\xc4\x99\x56\xd1\x27\xf9\xd0\x1b\x73\x58\x45\x40\xcb\x6c\x0b\x52\xa7\x09\xe3\xaf\x1d\x00\xc8\x4f\x6d\x22\xfb\x19\x5d\xd8\x82\x3a\xa3\x36\xaf\xea\x89\x8e\xd8\x7a\xda\x2b\x22\xd1\xb8\xec\x50\x8c\xf6\x98\x6e\x93\x45\x92\x65\xed\x7c\x25\x87\x32\xc2\x91\xca\x41\xe7\x87\x6f\x1b\x43\x8b\x17\xd3\x6c\x24\xa0\x2f\x20\x0f\xee\xee\x18\xac\xe8\xdc\x4a\xad\x51\xa4\x2b\xb9\x81\x5d\x82\xc2\xa9\xa3\x7f\x77\x5c\xd6\x12\xe0\x84\x22\x69\x42\xea\x0d\xc6\xf5\xd8\x92\x33\x49\xbb\xbe\xdc\x2a\x45\xcf\xcf\xdd\xed\xa2\xd5\x2d\x14\xf2\xff\x83\x29\xaa\xc0\x1d\x2e\xc3\xc3\x7
f\x23\xc5\xc9\x0d\x02\x62\x80\x23\x8c\xe0\x9e\x00\xec\xa9\xf6\xc3\x0b\xda\xa5\xdc\x91\xf4\x34\x2f\x8a\xf6\xa3\xec\x13\x39\xc4\x7d\xca\xe8\xf9\x36\x0c\x32\x50\x2b\xfa\x86\xe1\xff\xc5\x82\xd5\x88\x8f\x29\xca\xc3\x9e\xf9\x0a\x31\x50\x11\x1f\x66\x11\x99\xfa\xf7\xe2\x41\x3b\x57\xbb\x9a\x72\xaa\xa2\xd5\xfa\xe3\x2b\x46\x28\x84\xa9\x28\xd8\x3c\xea\x60\x55\x70\x25\xc5\xde\x01\x80\x44\x34\x5f\xb0\x83\xde\xf4\x9b\xc3\x83\x31\x98\x94\xda\xd2\x8b\x53\x39\xcb\xad\xb6\x03\x8d\xc8\x47\x9f\x7e\x4b\x2f\x01\xc1\xce\xd3\xff\x85\x42\x05\xbe\x93\x88\x48\x85\xb1\x29\x87\x8b\xdb\xb1\x8c\xaa\x68\xc3\x09\x40\x71\x9a\x40\x8a\x03\xfc\x61\xeb\xea\x87\xd9\xd3\xef\x21\x62\x59\x45\x89\x65\x44\x75\xc2\xc3\x7e\xaa\x87\x37\x33\x8a\xcc\x18\xb3\x41\xa3\x51\xec\x39\xaa\x94\xcb\xa1\x71\x09\x6f\xd7\xfb\x83\x2e\x30\x31\xf4\xd8\x2f\xf2\x32\x8a\xa1\x89\x62\x3c\xd9\x3f\xce\x6f\x45\x25\xc2\xdd\x01\x3d\xc9\xc7\xb4\xd1\x9a\xdd\x3b\xf9\xc3\x34\x88\x6e\x9d\x1c\xb4\xdf\x99\x7d\x99\x56\x3a\x57\xb6\x6d\x83\x21\xd4\x21\x52\xf7\x21\x70\x5d\x6c\x48\x46\x18\xad\x33\xcb\x46\xb5\xc1\xa4\x1c\xcd\x39\x7e\xde\x50\x43\x2d\xc9\xd4\x1a\xa8\xb2\xfb\x37\x5a\xf7\x5d\x33\x23\x56\xd7\xdf\x3d\x5d\x43\x9f\xde\xbc\xf8\xe2\x5b\x22\x49\x3c\x6f\xe1\x40\x01\x3e\x29\x52\x32\x18\x67\xd1\x29\x47\xb1\xf2\xdd\x27\x2a\x17\x36\x94\xa5\xfd\xdd\x88\x7f\xe1\xec\x96\xdf\x64\x67\x63\x0d\x14\x49\xd7\x23\xff\x02\x3e\xc1\x27\xb1\x2a\x24\x11\xa0\x96\xe3\x12\x9e\x84\x5d\x50\xb1\x46\x68\x36\x35\xd8\x05\xcf\x19\x67\x35\x82\x8c\x8a\x0a\x00\x40\x47\xa1\x9a\xcf\xcc\x41\xb6\x2f\xe0\xfb\xff\x91\x88\x1e\x76\x13\xbf\x7a\x73\x71\x95\xf1\x85\x8e\xd7\x19\x8d\xca\xca\x13\x21\x06\x19\xd7\xf7\x39\x8d\x81\x2d\xe4\x63\xf2\x21\xf0\xc2\x64\x87\x4a\xa3\xb3\x41\x6d\xcd\xfa\xed\x76\xbf\x25\x5d\x7a\x7a\x15\xd6\xac\xc9\x86\x4d\x1b\xd9\x00\x35\x4b\x3b\xf0\xdf\x70\xba\xe9\x32\xc4\xb8\x2e\x8a\xa6\x0d\x39\x5b\x93\x9c\xc6\x0f\x89\x64\xab\x75\x5b\xa5\x0b\x40\xa7\x13\xf6\x8d\x2e\x00\x1a\x2b\x5a\xbc\xfd\xbb\x82\x1a\x0a\x3a\x7a\x97\xcd\xcc\xc0\xb0\x5b\xca\x8f\x03\x3f\xbc\xd9\x54\x56\x9c\xb
7\xc3\x12\xd4\xcb\x9e\x69\x27\x56\x13\x30\x66\x79\x88\x25\x70\x72\x61\x18\xeb\x66\xb4\xb6\xf0\xd2\x36\xc3\x3e\x35\x65\x8e\xd8\x7f\x02\x8c\xa4\x3c\x55\xc2\x69\x68\x17\x9a\xed\x75\x49\xc8\xc2\xe9\x26\x72\xa4\x45\x10\x6d\x04\x29\x84\x69\x17\xc5\xfc\x60\x7f\xa2\x85\xdb\x9a\xa6\x12\x81\xc1\xc5\x24\xa7\x6b\x3d\x40\xde\x5d\xa9\xbc\x7a\xfb\xae\x9c\x03\x55\x5d\x05\x63\x83\xea\x7f\x5e\xac\xf5\xde\x95\x63\x8e\x11\x24\x2a\x42\x0c\x9a\xa3\x22\xc8\x08\xcf\x2a\x14\xab\x47\x9d\x81\x35\xe4\xff\x48\x7b\x21\x5c\x8c\xec\x44\xc7\x29\x0d\x34\x59\x10\x0b\x21\x96\xc5\x4e\x88\xca\x28\x41\xd8\xa6\x01\x1c\x6d\xb1\xb5\xc2\xfb\xc5\x13\x5d\xa6\x05\x3d\x89\x3d\x11\x6b\x9f\x23\xd5\xa0\xf7\x7f\x9f\x64\xc5\x0a\x04\x48\x55\x2f\xb3\xd4\x00\x2c\xcf\xb9\x5e\xd5\x4c\x37\xea\xe9\x31\x73\x7b\xf0\x2b\xcd\x22\x6b\x13\x3b\x9d\x27\xde\xbf\xae\x74\x87\x30\xa8\x7b\xe8\xdf\x5c\x31\xcd\xdf\x16\xc2\x6b\xc3\xf3\xb4\xdf\x7a\xbc\xbc\x52\xed\xad\xb7\xa7\xc2\x9e\x87\xdd\x5d\x63\x30\xb7\x61\x64\x9f\xc9\xf0\x98\xa7\xb6\xb6\x8c\xf5\xdc\xe7\x67\x66\x7e\x8b\x5a\x7c\xd4\xbb\x22\xd1\xc9\x22\x9c\x45\x51\x69\xd7\x2e\xdd\x3b\xae\x9c\x25\x1c\x07\x88\x96\x8f\x1d\x13\xaf\x8e\x47\xba\x32\x92\x3c\x66\x14\xc4\x4d\x51\x96\xfa\x80\x57\x61\xdb\xa5\x9a\x39\xb8\x93\xbf\x09\x73\xda\xbb\x97\x6e\xdf\x63\xf3\xcb\x54\x73\x2d\x43\xb9\x0e\xe7\xab\x03\x74\xe1\x0f\xd7\x22\xd5\xc3\x61\xa4\x10\x89\x31\xe8\xee\x3f\xa1\x90\x79\x3f\x90\x1b\x18\xff\x7b\x5e\xd8\xc1\x62\xb3\x7f\xfc\xb3\x9c\x6c\x0c\x08\x4c\x9c\x76\xb3\x96\x4e\x31\x35\x1f\x51\x12\xac\xcf\xe1\x6c\x62\x68\x58\x0c\xe0\xb4\x4c\xd4\xc3\x3f\x29\x21\x71\xdf\x6a\xf3\x59\x14\x22\x5c\x8b\x1a\xff\x19\x85\xce\xa0\xea\x73\x49\xa4\x3a\x51\x0d\x5f\xbf\x18\x81\xa0\x32\xf9\x6b\x1f\x58\xf4\xfa\x94\xdb\xcd\xf9\x8f\x6b\x11\x3a\x2f\x85\x1e\x76\xd4\xf1\xcf\x06\x86\xe3\xb4\x40\x57\xc3\x63\xc8\x49\xc5\x70\x06\x59\xd7\xe5\xa1\xc2\xb3\xcc\xfd\x5a\xaa\x88\x9c\x2f\x99\xa9\xb1\xc8\x31\x9c\x3c\xd3\x48\xbe\x29\xb2\xe9\xbf\xef\xbc\x28\xcb\x77\x47\x29\x95\x8c\x12\xc9\xdf\xa7\x4b\x89\x3a\x07\x74\x5a\xed\x2e\x51\x44\x72\x3c\x8
f\xc0\x50\x68\x52\xf1\x7e\x6a\x4a\x8f\x59\x9d\x2c\x4a\x1d\x7c\x0b\xa9\xd7\x7d\xb8\x41\x6e\xb1\x09\x32\xcd\xc7\x49\xcf\xa9\x98\x90\xee\x80\x17\xc0\x66\x40\x84\xf8\x64\x89\xc9\x75\x25\x52\x52\xc3\x87\x6f\x8d\xcd\x98\xc0\x0b\x73\x61\x1c\xe2\x73\x4e\x1f\xe0\xee\x5c\x0a\x0a\xbb\x0c\x50\x00\x40\x44\xf9\x3a\xd2\xff\x01\x09\xbc\xb1\x9a\x3a\x20\xf1\x86\xd6\x8e\x38\x7d\x34\xa5\xb5\x78\xc4\x25\x3c\xd9\x67\x26\x14\x80\x3b\xf9\x67\x26\xe8\xab\x00\x14\x6d\x2f\xe2\x66\xe6\x2e\x48\x65\xf5\xe7\xfe\x31\xd4\x14\x97\xe7\x19\x51\x22\xfc\xda\x82\x5f\xb4\xe9\xfc\xdd\x09\xb4\x21\xdd\xb6\xe9\x25\xa4\xd5\xcb\x7f\xf2\xfa\x56\xfe\x14\x97\xad\x65\x9c\xc5\xb6\xef\xd8\xf8\x83\x99\x8b\x74\x51\x17\x5f\x98\x27\x54\x7b\x84\x19\x5c\x25\xfc\x16\x31\x07\x2a\x55\xc1\x7e\x90\xa3\x27\x9a\x54\xa2\x96\x97\x31\x2b\xfe\xf3\xee\xfc\xba\x8d\x31\x14\x55\x6a\x54\x5d\x18\xab\x0d\xf7\x4d\xf2\x66\x85\x91\x51\x95\x9a\x1b\x05\x1f\x83\x22\xf7\x98\xcb\x45\xd5\xcb\xe5\x29\x1b\xdd\x71\xda\xd6\x65\xf6\x4d\xde\x69\x54\xef\x00\x71\x89\x18\xfe\x01\x72\x79\x63\x96\x46\x42\xd4\xc4\xa5\xbb\xa9\x30\x3f\x44\xfe\x97\xff\x99\xf0\x67\x48\xdc\x86\x3f\xf0\xcc\x17\xfc\x82\xb2\x9f\xbe\x0c\x71\x2c\x77\xed\x36\x69\x7f\x23\xb4\xa2\x2a\x9f\x24\x85\x22\xf9\x94\x6c\x3a\xbc\xd3\x2e\x16\x5f\xd6\x6f\xdb\xc7\xb4\xa0\xdf\x71\xa8\xd2\x57\x1f\x32\xda\x4a\xda\x51\xc1\x4c\xa0\x86\x30\x1d\x6e\xd0\x20\x06\xc6\xa3\x8c\xe4\xe7\x67\x1f\x3d\x08\x62\xa4\xe3\xc2\x2b\x6a\xa7\xb7\xc0\x49\xa7\x76\x22\x87\x57\x05\x62\xe8\xb4\x52\xef\xc7\x87\x41\xe7\xc2\x82\x2a\xd0\xfd\x43\x5e\x76\xa8\x04\x4b\x05\xb3\x88\xaa\xfc\x4c\xf6\x15\x75\x76\x03\x98\x87\x23\x64\x46\x99\x61\xe8\x7d\x14\xd1\x79\x5e\xb6\x27\xfa\xed\xa1\x8f\x9c\x12\x28\xfc\x99\x4d\x58\x05\x08\xc9\x96\xd3\x66\x27\x99\xb7\x23\x7e\x59\x69\x10\xa7\xc5\xc7\xfa\xcd\x47\xfa\x30\x84\xda\x48\x48\x87\x67\xf6\x0c\xfe\x58\xec\x40\x14\x15\xac\x66\x03\x16\x23\x32\x0f\x9f\xda\x37\xc0\xaf\x9f\xe4\xcd\xa1\xb2\x89\x3d\x2d\xf0\xac\x82\x26\x01\x3a\x36\xca\x7b\x13\x66\x03\x2e\xa7\xb2\x5a\x55\x91\xbe\xbc\x8c\xe4\x89\x77\x7c\x0c\xba\x2
8\xd1\xf0\xca\xfe\xae\xea\x7d\x5b\x4d\x20\x09\x30\x9e\xeb\xc9\x13\x07\x81\x12\xbb\x12\x69\x20\xca\x6e\x5e\x2b\x22\x10\xce\x54\x10\xcc\xe4\x5f\xc4\x63\x74\x6c\xf1\x68\xf7\xee\x2b\x91\xc7\x97\xb3\x30\xe0\x46\x48\x22\xa6\x18\xe4\x57\xce\x39\xa0\x03\x67\xd9\xcd\x3d\x3f\x59\x38\xce\x36\xeb\x2a\x31\xa9\x0d\x04\x92\x58\xc8\x49\x95\x5e\x97\xf0\x80\x17\x26\x9b\x3e\x5f\x69\xe9\x12\x81\x95\x63\x8b\xc8\xc1\xfa\x73\x5e\x6e\xb2\x43\x5c\x95\x87\xf4\xf4\x36\xd9\xe6\x8a\x87\x97\xbb\x42\x10\x0d\x48\xe7\xb2\x61\x97\xc6\x5f\xb8\x90\x39\x61\x38\x2f\xb0\xfe\x22\x98\x60\x17\x30\x68\xd9\x42\x91\x10\x82\x3b\xc2\xff\x71\x7a\x71\x57\x05\x4c\x32\x6b\xda\xc3\xad\x35\x81\x77\xf9\xa4\x06\xd8\x94\xb8\x42\xd6\xd9\x1e\xdb\x35\x6b\x06\x28\x3b\x32\x9b\xca\x6e\x12\x29\x06\x55\xfe\xf2\x40\x29\xba\x1d\xaa\xf4\x5f\x17\xeb\xc8\x34\xd1\x2e\x35\xe3\x9f\x2e\x20\xe2\xc7\x36\x2a\xeb\x00\x31\xf4\x87\x7b\x63\x3b\xe1\xbe\xd3\x6f\x5d\x7b\xa2\x4d\x01\x48\xf8\x46\xa7\x86\xf3\x88\xe2\xab\x79\x66\x2d\x55\x9b\x86\x1a\x36\xa4\xce\x60\xdc\xeb\x5f\xdb\x9f\x47\x93\x58\xfd\x84\xa5\xc7\xf1\x02\xf7\x5b\x81\x43\xd3\x62\x6f\xff\xa5\x46\x9c\x22\x07\x2a\x97\xd6\x3f\xf9\xe0\x66\x7c\x2f\x2d\xb4\x1c\xd0\x3e\x5d\x43\x91\x4b\xb5\x90\xbb\x1f\x11\xf4\xc3\x53\x3b\xcc\x47\xff\xc9\x9e\xed\xf6\x77\xc9\xd6\x46\xc6\x0f\x99\x39\x89\x15\x89\x1a\xb6\x71\x97\xdd\xbd\xc1\x1e\x03\xda\xf0\x31\x39\xce\xad\xaf\x99\x22\x68\x75\x16\x3f\x11\xc2\x90\x27\xf6\xec\x6e\xe6\x47\xc9\xbb\x1f\x76\x95\xf1\xf2\x91\x8a\x32\x85\xa1\x3e\xad\xb7\x3d\x3e\x94\xcb\x0d\xbf\x92\x73\xf7\x5e\x1a\x8b\x39\x1c\xc6\xe4\xc1\x4e\xd5\x68\x3c\x27\x56\xc7\xb3\x3d\x84\x35\x1e\x1c\xe0\xba\x7b\x02\xe2\x30\x5d\xe6\x5b\x29\x45\x6b\x5c\x55\x34\x46\x47\xc7\xb0\xb1\x6c\xd8\x36\xdb\xa2\x71\x1a\x4c\xc9\x77\x38\x26\x7c\x46\x2c\x85\xfa\xd6\x08\xa8\x16\x12\xd7\xf8\x9a\x7f\xe6\x63\xbd\x06\x43\x54\xa8\x0f\x8b\xe0\x16\x5d\xf5\xd9\xba\xe1\xc6\x9e\xa5\x69\x62\xb1\x11\x22\x0c\xdc\x13\x6a\xda\x90\xbb\x13\x15\xf8\x65\xca\xff\x1e\x25\x26\xac\xd2\xef\x4c\x36\xa7\x0f\x26\x60\x88\xd7\xd3\x48\xe5\x61\x13\x29\x7
1\x66\x8e\x91\xa8\x90\x04\x08\x5a\x5b\x09\x2f\x8e\x28\x42\x3d\x16\xb7\x49\xcd\xcb\xf9\x2a\x43\x65\xe4\x68\xdd\x67\xbe\x24\x1e\x5d\xea\x70\x5b\x60\x6b\x28\x09\x9a\x5d\x3d\x46\xa0\x76\x20\xfc\x4f\x73\x1e\x3d\x36\x05\xde\xbe\x68\x70\x42\xca\xc9\x37\x42\x73\x67\xc3\x5b\x54\x6a\xf2\xdf\xc0\x94\xa7\x21\xdc\x7f\xd1\x3d\xf6\x8e\x9a\x79\x9e\xcb\x10\x7c\x90\x8b\xac\x9f\x8c\x44\x30\xcc\x10\xc6\x29\x9c\x79\x4d\x02\x8d\x51\x6c\x3e\xf3\xf7\x7f\x9f\x64\x20\x16\x60\x94\x9b\x5e\xe2\x9a\x58\x94\xd7\x38\xfa\x4e\x4b\xcd\xda\x88\xfe\x12\xbc\xff\xe8\x5d\xa7\xb1\x0d\x02\xc8\x09\x22\xf3\x90\x71\x34\xfe\x64\x60\x55\x08\xb6\xcb\xe3\x5e\x97\xf1\x2f\x1b\xb1\x5f\xce\x6f\xac\x0b\x0b\xbe\xd6\x21\x83\xba\x88\xb8\x41\x3c\x69\x2c\x1d\x46\x53\x76\x14\x6a\x5a\xc6\x9e\x0f\x10\x45\x0f\x04\xc8\xb6\xf3\xc9\x0c\x58\xac\x33\x60\x4a\xa8\x11\xa9\xb7\x4e\xbb\xd0\x7b\x06\x84\xc5\x1a\x55\x30\x06\xda\x57\xf4\xdf\x29\xdf\x30\xa6\x46\x22\x26\x6b\x3e\xc0\x6c\x43\x5d\x65\x05\x21\xf3\xea\x72\x5a\x3c\x8c\x12\x8c\x73\xf0\xd3\x44\x7d\xd1\xa8\x5b\x10\xa0\x61\xe9\xac\x44\x69\xbd\x8e\xad\x5b\x59\xcc\x63\x9b\x81\x7e\x67\xd9\x0c\xcd\x77\x3e\x22\x4a\xeb\x67\xdd\x26\x36\x91\x74\x36\xb7\x64\x75\xd8\xe0\x25\x5c\xf7\xd1\x4f\x28\x36\xa5\x0d\x23\xfb\x11\xb3\x84\x35\x48\xb3\xa5\x2d\x8f\xa1\x0c\xa8\xc9\x7e\x1f\x0e\xd7\xa0\x0c\xfc\x80\x67\xa5\xb9\x9a\x41\xc0\x7d\x3c\xe0\xa0\x45\x6b\x84\x43\xbb\x5f\x09\x03\xdb\x5e\x7b\xc1\x6b\x0d\x0d\x4f\x32\x1a\x57\x57\x2d\x33\x68\xd9\x7a\xb7\x70\x58\x30\xd2\x3f\xf7\x8a\xc8\xd6\x94\x02\xc9\x20\xf7\xfb\x91\xd6\xef\xc1\x6c\xe4\x39\x93\xa1\xa6\x8e\xb8\xed\xa0\x8d\x7c\xc5\x5f\xca\x85\x49\xf4\x08\x39\xac\x8e\x5e\x26\x3e\x8f\xcd\xdb\x10\xdd\x20\xfb\xed\xd9\x49\xc8\xd3\xc1\xe1\x86\xe9\xfd\xd5\xaa\x27\x65\xa1\xef\x54\xf9\xe8\xb2\xa7\xa0\xb3\x8f\x1c\x8f\x8d\xaf\xe5\xfc\xef\x0f\xf0\x31\x69\x21\xdb\xaa\xb2\x7f\x6b\x2e\x09\xe4\x9d\x0a\x56\xc9\xad\xe5\xd8\xcb\x65\x86\x99\xba\xa9\x84\x54\x3f\xde\x4e\x72\x0e\x02\xe5\x50\x3e\x83\x5c\x7a\x63\xef\xfe\xe3\xdf\xa5\x8e\x4c\xcd\xbe\x19\x43\xb5\x92\x1b\x58\xfd\x0e\xd6\x64\xe
f\x73\xdf\x89\x23\x18\xe1\x07\x03\x23\x48\x59\xb5\x65\xd1\x7d\xe8\xc9\x25\x19\x8b\x44\x81\x59\xc8\xe8\xd7\x3c\x8b\x1e\x5e\xb6\x87\x05\xe5\x82\xd5\x12\x8f\x20\x7b\x54\x6f\x81\x22\xe0\x4e\x37\xbc\xc9\xd1\xca\x9b\x2c\x7a\xe5\x1d\x45\x42\x44\x8b\x36\xd6\xff\x16\xd9\x98\xee\xce\x9f\x07\xbe\x34\x1d\x1d\x8f\x98\x9f\x23\x44\x60\x40\xa4\x99\x72\x72\xc9\x9d\x45\x34\x83\x72\xfc\x49\xb7\x0f\xb5\xe0\xfa\xca\x97\x51\x84\xc6\x02\x59\x95\xf6\xaa\x49\xf1\xb2\x93\xdf\x66\xd5\x1d\x75\x3d\x9c\x77\x75\x57\x6d\x0e\x77\x01\x34\xd3\xa4\xfb\xd5\x3c\x99\xb0\xa7\xb6\xaf\xe7\x33\x7f\x73\x24\x81\x63\x23\x9a\x71\x4d\xfe\xb2\x85\xb0\xb4\x9e\xf6\x02\xd6\x2a\xd6\x93\x5a\x83\xc8\x3b\xc8\x14\xbd\x40\x7b\x1f\xf5\x22\x82\x92\xf9\xbf\xbb\xd0\x71\xc8\x1d\xc9\x59\x1a\x05\xc9\x50\x7b\xff\x87\xc9\xe5\x27\xb8\xf1\x4e\x8e\xe1\x3d\x18\x7e\xb8\x67\xdc\x2c\x95\xdd\x90\x3c\x37\x69\x2d\x03\xe7\xb0\x09\x85\xfb\xc1\x13\x13\x07\x8d\xec\x7f\xf6\x9f\x2e\x01\xa8\x34\x23\x99\x40\x0f\x98\xcc\x66\x83\x3d\x9c\x85\xff\x7f\x10\xcb\xef\x73\x32\x13\xcd\xae\x61\x54\x5f\x39\xe8\x5c\x59\x30\x2b\x56\x0a\x72\xd0\x43\x7b\x26\x6c\xba\xe1\x6f\xad\x4a\x00\x0d\xde\xa1\x99\x49\x40\x8c\x74\x77\xfc\xb9\x48\x91\x53\x23\xeb\xb7\x9a\x55\xc7\x69\xcc\xb1\x8e\x2f\x55\x2a\xb7\x63\xba\x65\x30\x2a\xe7\xbc\x47\x6e\x36\x25\xeb\x88\xa7\xa6\x69\x8c\xec\xcf\xac\x22\x90\x0c\xa3\xc4\x4d\xec\x88\x66\xb2\xa1\x14\xc0\x83\x1c\xf6\x53\xd4\xc1\xfb\xa9\xa7\x78\x5a\x1c\xaa\x2b\x97\x34\x33\x84\x22\x6b\x1a\xce\xd9\x3d\xa7\x1d\x30\xb6\x65\x06\x45\xbc\x11\x3a\xc6\x2d\x32\xd2\x03\x2d\xdb\x65\x62\x6e\xe8\x6c\x3b\x9d\xfb\xbd\x8d\x0c\xae\xea\x74\x53\xdb\xea\x30\x4e\x34\xd3\xf8\x05\x22\xcd\x31\x7b\x49\xbc\xab\xb8\x69\x33\x1c\x7c\x32\x18\x52\x10\x04\x30\x42\x3b\xcb\x1e\xc1\x5c\x50\xc1\x9b\x76\x6a\x7c\xe4\x71\xd5\x1b\x01\x04\x1b\x68\x5a\x29\xc4\xbf\xdb\x55\x2c\x86\x6d\x58\x3b\x7c\x3c\x7f\xd5\x6c\xfc\x73\x72\x5d\xf7\x84\xe4\xd9\x02\x81\x56\x7f\xe8\xc3\x8d\x86\x6b\x06\xef\x13\xbb\x30\xfd\x23\x90\x6e\x66\x2c\xf9\xd5\x11\x3d\x7b\x52\xb0\x14\xb4\xae\xb3\xa1\x83\x52\x4b\x49\x7b\xe
9\x22\x0a\xe1\xe0\xb2\xf7\x67\x4d\x27\x99\x42\x94\x1b\xbd\x81\xed\x59\x5a\x93\xc2\x34\x13\x99\xb6\xac\x36\xff\x86\x9f\x89\x4c\xae\x29\x13\x08\xb2\x12\x84\xd3\x98\xb5\xfa\x6a\xc7\x6b\x9d\x59\xf0\x3e\x48\xc2\x75\xf4\xf2\x0c\xe0\xa5\x05\x9d\xe6\x9c\xa9\xec\x99\x9d\x73\x20\x2d\xef\x66\x6b\x37\xb3\xa9\x6a\x95\xb1\x2c\x74\x33\x10\x38\xfa\xca\xca\xb1\x88\xda\x87\x8a\x86\x0e\x1b\x39\x9d\x6b\x3b\xd3\xc1\x36\xe0\xa5\xe9\x96\x3c\x16\x91\x88\x9f\x0d\x40\x0f\x34\xdc\xc5\x1e\xf1\x00\x2e\xbf\xee\x28\x14\x60\x5a\x4d\x10\x67\xed\x73\x96\xc1\x15\xe3\xa9\x4f\x15\x1c\x8e\x4a\xa2\x93\x0f\xd8\xbc\x53\x4d\x57\x9d\x5d\x88\x43\xbd\x20\x29\x05\x6f\xc5\x58\xb9\x86\x94\x08\xb9\x95\x1f\x75\x67\x24\x33\xea\xd1\x9e\x10\x9c\xd1\x83\x08\xf1\xc9\xd6\xf9\xcc\xbc\x9f\x76\x79\x93\xb5\x9e\xa2\xb5\x04\x68\x64\xf5\xe0\xc3\xbd\xe4\x2e\x79\x32\xc5\x6b\x9f\xb2\x52\x89\xe1\x6a\xb3\xbe\xbb\x69\x25\x47\xde\x1a\x4d\xbe\x11\x9a\xb2\xbd\x71\xe4\x71\xcb\xdf\x6c\x6e\x85\x19\xac\xa7\x7c\x2c\xbb\x82\x73\x34\x3c\x1b\xed\x23\x92\x2e\x55\x7f\x87\xb4\x08\xd8\x7a\xf7\x88\x96\xed\x30\xf0\xa6\x17\x8a\xd9\x8a\x34\xde\xd6\x14\x84\x43\xfd\xdf\x4a\x5c\x00\xa8\x1a\xe9\xdf\x21\x59\xfd\x65\x8c\x85\x9f\xb6\xb2\x74\x98\x8c\x84\x8f\x99\x3e\x76\x1c\x26\x3e\x90\xd7\xdb\x8f\x66\x2c\x87\x6b\x7a\x61\xff\x2d\x93\x8b\xa7\xfe\xd4\xcb\x5c\xd8\xee\x51\x48\x70\xb5\x05\x20\xe7\x33\xf2\x1c\xdc\x3b\xd7\xed\x41\xd2\x97\xb9\x6d\xfe\xff\x37\x9d\x37\xe6\x07\x1b\xb1\xac\x84\xfe\xff\xab\x2c\xdd\x98\x5f\xea\x2f\xe6\xc4\x6e\x6b\x75\x69\xc8\xc2\x45\x45\x91\x79\x5c\xcc\x56\x51\x1d\x85\x3f\xd2\xa0\x1a\x1e\xb0\xce\x25\x05\xab\x65\x78\x2b\x78\x36\xba\x67\x84\x45\x05\xaa\xbc\xb5\xdc\x63\x72\xa3\x13\xfe\x7a\xcc\x7f\x48\xb0\xd2\xbe\xf7\x94\x03\xc2\x83\x7d\x88\xe5\x2f\xe9\x26\xad\x16\xd5\x1b\xe7\xe8\xc6\x2a\x59\x55\xa6\x1e\x85\x27\x08\x39\xf3\x6e\xee\x94\x63\x70\x92\x7e\xb1\x98\x41\x30\x16\x77\xe8\x37\xab\xac\x18\xd7\x09\xbc\x84\xdd\xa6\x0b\x12\x10\x7a\x23\xeb\x73\x35\x43\xff\x32\xcc\xe5\x24\x8d\x0f\x46\x19\x21\x29\x52\x91\x83\x7c\x15\x0a\x4c\x1d\x48\x9d\x31\xc5\xb
f\x5b\xfc\x2d\xa1\x42\x7e\x1e\xce\x74\xae\xa7\x05\x3f\x1f\xed\xa6\x4f\x09\x9f\xc4\x47\xa7\x90\x8c\xe4\x4b\x13\x46\x15\x49\xf2\x3e\xf1\x8c\x1d\x81\x07\xbe\xfb\x09\xf9\xd7\x19\xa0\xac\x57\x08\x0f\x1c\xdb\xfd\x46\x70\x4d\x79\x94\x7a\xa1\x0c\x5b\x0b\xb2\x26\xe7\xf6\x83\x09\x74\x72\x40\xf7\x73\xa6\x27\x53\x65\x61\xfb\x6c\x1c\x9b\x26\xaa\x5e\x23\xbe\x01\xf2\xd3\xf7\xaa\xdc\x99\x54\x40\x01\x5d\x25\x64\xb9\xc1\x6b\x85\x3d\x66\x57\x24\xf9\xf7\x22\xb3\x4a\xb1\xd4\x4c\x27\xd0\xe0\xcb\x01\xc4\x9d\x9e\x05\xde\x91\xc2\xe0\x40\x76\x4f\x0c\x21\x2e\x6d\x63\xf7\xb7\x24\x93\xdc\xcb\xf8\x58\x16\x4c\xf4\x81\x51\xbb\xe4\xf1\xdc\x2c\x91\x58\x66\x73\x43\x1a\xf7\xb8\x46\x1d\x30\x16\x1c\x56\x11\x70\xdf\xa3\x1e\xdd\xe2\xcc\xc9\xdd\xdb\xc7\xa8\xe4\x62\x31\x75\x24\x05\xcf\x30\x8e\xcd\x8d\x35\x05\x63\x6d\xba\x70\x35\xc9\x4f\x72\x86\x23\xbb\x87\x60\x3a\xfb\x90\xb5\xc2\x3e\x9a\xc1\x93\x7b\x2e\xa3\x98\x4d\x57\x9d\xa2\x99\x70\xef\x04\x9f\xfd\x97\x05\xfa\x28\x3e\xf6\x2f\x1a\x9f\xbb\xef\xbc\x5f\x8f\x3f\x79\xbd\xd8\xd7\x0f\x0a\x89\x39\x72\xe5\xac\xa3\xa1\x64\xe6\x72\xba\x88\xeb\xdb\x62\x06\xa4\xdd\xa5\xeb\x5a\xdf\xd1\x63\x52\xd4\x2c\x4f\xbd\xdf\x11\x7f\x2b\x0d\x30\xe8\xc3\x9f\x1b\xc6\x3f\x3b\xc0\x3b\x45\x2a\x87\x01\x17\xaf\x7a\x3f\xd3\x01\xaf\x71\x4b\xfa\x39\x83\x67\xa9\xac\x2a\xa3\x81\x17\x0b\xc7\xca\x86\x01\x44\x25\x8a\x9a\x38\xa6\x14\x54\xc9\xcd\xef\x24\xf1\xc6\x62\xf2\x8e\x8d\x1e\xe7\x74\x9f\x61\xa9\xc7\x9a\x9e\x16\x59\x3f\x2d\x55\x00\xde\xaa\x73\x0a\xca\x4e\xef\x32\x73\x87\x84\x31\xa8\x74\xb0\x3e\x44\xf6\x49\x5b\x52\xea\x9b\x22\xd9\x41\x7f\xb3\xf2\xcc\xbe\x2c\x48\x2a\xdd\x30\x8e\x4a\x3c\x55\xb7\x53\x2a\x4e\x64\xcf\x10\x8d\x83\x3d\x54\xab\xf3\xcf\x93\xb3\xf9\x08\x52\x63\xd2\x77\x4c\x22\x14\xdc\x62\xe3\xc6\xa7\x88\x69\x46\xb7\xbb\xb4\xd0\xfd\xd8\x2d\x50\x22\x32\xf8\x91\xe9\x5e\x20\x75\xb6\x97\x4f\xcb\xc8\x15\x79\xfe\x8e\xeb\x7e\xe2\x21\xa9\x04\xce\xdb\xbb\xab\x25\x95\xef\x93\x53\x7f\xde\xa0\x3e\xb9\x3b\x49\x68\x01\x19\xd9\x96\xc8\xe7\x06\xdf\xc4\xd9\x94\x33\x95\x4c\x53\x67\x72\x5d\x48\x08\x11\x9b\x6
8\x3b\x59\x64\x1c\x4b\xff\xd3\xfb\xab\x0c\x7e\x12\x5f\x02\xba\xd9\x5c\xbf\xc2\x6e\xab\x96\x07\x9f\x8d\xfb\xf6\x62\x35\x89\xd1\x4e\x0c\x20\xd1\x5e\x07\xc3\x4b\xcc\xce\x36\xfb\x92\x79\x65\xf9\x6c\x8c\xc8\x9b\x3e\x51\x43\x82\x12\xa9\xbe\xc9\x2a\xf4\xb5\x92\xae\x76\xe6\x6d\x53\x1d\x34\x43\x85\xf5\x56\x85\x52\xe3\x7b\xd2\x5c\xbe\x30\x7d\x83\x99\x75\x91\x4f\x30\x91\x5d\x24\xe8\xf3\xd8\x92\xc8\xa1\x9f\xa4\x84\xc3\x5d\xf1\xfb\x92\xaf\x80\xed\xf4\x03\x34\x0c\xac\xed\x5c\x22\x47\x67\xe9\xe6\x87\x45\x65\x63\xdf\xf2\x9c\xa8\x6e\x36\x58\x55\xde\x94\x05\x7b\x66\xc5\x76\xbe\xc5\xf5\xb7\xfc\x3f\x00\x43\x33\x6b\x8a\x48\x7a\xe2\x51\x9b\x8f\xf0\x12\x2e\x7a\xc2\xbf\x57\xd2\x9b\xa6\x48\x08\xdd\x3a\x20\xd2\x6e\x43\x82\xce\x7b\xb1\xfb\xd3\x47\x34\xf5\xae\x66\x25\xee\x8a\x7d\xd5\x6f", 8192); *(uint32_t*)0x20004f40 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x50; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 0x3f; *(uint32_t*)0x200023d0 = 7; *(uint32_t*)0x200023d4 = 0x22; *(uint32_t*)0x200023d8 = 0x8001; *(uint32_t*)0x200023dc = 0x1040000; *(uint16_t*)0x200023e0 = 8; *(uint16_t*)0x200023e2 = 0xf6e1; *(uint32_t*)0x200023e4 = 8; *(uint32_t*)0x200023e8 = 9; *(uint16_t*)0x200023ec = 0; *(uint16_t*)0x200023ee = 0; memset((void*)0x200023f0, 0, 32); *(uint32_t*)0x20004f44 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 9; *(uint64_t*)0x20002450 = 0x40d; *(uint32_t*)0x20004f48 = 0x20002480; *(uint32_t*)0x20002480 = 0x18; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 7; *(uint64_t*)0x20002490 = 7; *(uint32_t*)0x20004f4c = 0x200024c0; *(uint32_t*)0x200024c0 = 0x18; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 0xffff; *(uint32_t*)0x200024d0 = 8; *(uint32_t*)0x200024d4 = 0; *(uint32_t*)0x20004f50 = 0x20002500; *(uint32_t*)0x20002500 = 0x18; *(uint32_t*)0x20002504 = 0; *(uint64_t*)0x20002508 = 0xce0; *(uint32_t*)0x20002510 = 0x1c; *(uint32_t*)0x20002514 = 0; *(uint32_t*)0x20004f54 = 0x20002540; *(uint32_t*)0x20002540 = 0x28; 
*(uint32_t*)0x20002544 = 0; *(uint64_t*)0x20002548 = 1; *(uint64_t*)0x20002550 = 0x100; *(uint64_t*)0x20002558 = 5; *(uint32_t*)0x20002560 = 2; *(uint32_t*)0x20002564 = r[6]; *(uint32_t*)0x20004f58 = 0x20002580; *(uint32_t*)0x20002580 = 0x60; *(uint32_t*)0x20002584 = 0xfffffffe; *(uint64_t*)0x20002588 = 8; *(uint64_t*)0x20002590 = 0xcd95; *(uint64_t*)0x20002598 = 0x1f; *(uint64_t*)0x200025a0 = 7; *(uint64_t*)0x200025a8 = 0x48; *(uint64_t*)0x200025b0 = 0xaac5; *(uint32_t*)0x200025b8 = 6; *(uint32_t*)0x200025bc = 0xad; *(uint32_t*)0x200025c0 = 5; *(uint32_t*)0x200025c4 = 0; memset((void*)0x200025c8, 0, 24); *(uint32_t*)0x20004f5c = 0x20002600; *(uint32_t*)0x20002600 = 0x18; *(uint32_t*)0x20002604 = 0xfffffff5; *(uint64_t*)0x20002608 = 9; *(uint32_t*)0x20002610 = 9; *(uint32_t*)0x20002614 = 0; *(uint32_t*)0x20004f60 = 0x20002640; *(uint32_t*)0x20002640 = 0x11; *(uint32_t*)0x20002644 = 0; *(uint64_t*)0x20002648 = 0; memset((void*)0x20002650, 0, 1); *(uint32_t*)0x20004f64 = 0x20002680; *(uint32_t*)0x20002680 = 0x20; *(uint32_t*)0x20002684 = 0; *(uint64_t*)0x20002688 = 0x10000; *(uint64_t*)0x20002690 = 0; *(uint32_t*)0x20002698 = 0; *(uint32_t*)0x2000269c = 0; *(uint32_t*)0x20004f68 = 0x20002780; *(uint32_t*)0x20002780 = 0x78; *(uint32_t*)0x20002784 = 0; *(uint64_t*)0x20002788 = 9; *(uint64_t*)0x20002790 = 3; *(uint32_t*)0x20002798 = 0; *(uint32_t*)0x2000279c = 0; *(uint64_t*)0x200027a0 = 6; *(uint64_t*)0x200027a8 = 0; *(uint64_t*)0x200027b0 = 0xfffffffffffff20d; *(uint64_t*)0x200027b8 = 0xfffffffffffffff8; *(uint64_t*)0x200027c0 = 1; *(uint64_t*)0x200027c8 = 0x3ff; *(uint32_t*)0x200027d0 = 5; *(uint32_t*)0x200027d4 = 9; *(uint32_t*)0x200027d8 = 0x726; *(uint32_t*)0x200027dc = 0x1000; *(uint32_t*)0x200027e0 = 6; *(uint32_t*)0x200027e4 = r[7]; *(uint32_t*)0x200027e8 = 0xee01; *(uint32_t*)0x200027ec = 7; *(uint32_t*)0x200027f0 = 7; *(uint32_t*)0x200027f4 = 0; *(uint32_t*)0x20004f6c = 0x200028c0; *(uint32_t*)0x200028c0 = 0x90; *(uint32_t*)0x200028c4 = 0; 
*(uint64_t*)0x200028c8 = 3; *(uint64_t*)0x200028d0 = 2; *(uint64_t*)0x200028d8 = 2; *(uint64_t*)0x200028e0 = 0x100000000; *(uint64_t*)0x200028e8 = 0x61a26b8d; *(uint32_t*)0x200028f0 = 6; *(uint32_t*)0x200028f4 = 2; *(uint64_t*)0x200028f8 = 1; *(uint64_t*)0x20002900 = 3; *(uint64_t*)0x20002908 = 1; *(uint64_t*)0x20002910 = 0x100000000; *(uint64_t*)0x20002918 = 3; *(uint64_t*)0x20002920 = 0x8f; *(uint32_t*)0x20002928 = 4; *(uint32_t*)0x2000292c = 0x1ff; *(uint32_t*)0x20002930 = 0x849; *(uint32_t*)0x20002934 = 0x1000; *(uint32_t*)0x20002938 = 7; *(uint32_t*)0x2000293c = r[8]; *(uint32_t*)0x20002940 = -1; *(uint32_t*)0x20002944 = 5; *(uint32_t*)0x20002948 = 0x1f; *(uint32_t*)0x2000294c = 0; *(uint32_t*)0x20004f70 = 0x20002980; *(uint32_t*)0x20002980 = 0x130; *(uint32_t*)0x20002984 = 0; *(uint64_t*)0x20002988 = 0xa00000000000; *(uint64_t*)0x20002990 = 4; *(uint64_t*)0x20002998 = 1; *(uint32_t*)0x200029a0 = 6; *(uint32_t*)0x200029a4 = 9; memset((void*)0x200029a8, 1, 6); *(uint64_t*)0x200029b0 = 6; *(uint64_t*)0x200029b8 = 1; *(uint32_t*)0x200029c0 = 5; *(uint32_t*)0x200029c4 = 0xfffffffe; memset((void*)0x200029c8, 170, 5); *(uint64_t*)0x200029d0 = 1; *(uint64_t*)0x200029d8 = 0x1ff; *(uint32_t*)0x200029e0 = 3; *(uint32_t*)0x200029e4 = 7; memcpy((void*)0x200029e8, "{#-", 3); *(uint64_t*)0x200029f0 = 5; *(uint64_t*)0x200029f8 = 0; *(uint32_t*)0x20002a00 = 2; *(uint32_t*)0x20002a04 = 0x761; memcpy((void*)0x20002a08, "[#", 2); *(uint64_t*)0x20002a10 = 3; *(uint64_t*)0x20002a18 = 0; *(uint32_t*)0x20002a20 = 2; *(uint32_t*)0x20002a24 = 6; memcpy((void*)0x20002a28, "#]", 2); *(uint64_t*)0x20002a30 = 1; *(uint64_t*)0x20002a38 = 0x714; *(uint32_t*)0x20002a40 = 5; *(uint32_t*)0x20002a44 = 3; memcpy((void*)0x20002a48, "*^\\^b", 5); *(uint64_t*)0x20002a50 = 5; *(uint64_t*)0x20002a58 = 0xeb68; *(uint32_t*)0x20002a60 = 4; *(uint32_t*)0x20002a64 = 0xfffffa80; memcpy((void*)0x20002a68, "--$-", 4); *(uint64_t*)0x20002a70 = 6; *(uint64_t*)0x20002a78 = 0xfffffffffffffeff; 
*(uint32_t*)0x20002a80 = 1; *(uint32_t*)0x20002a84 = 1; memset((void*)0x20002a88, 45, 1); *(uint64_t*)0x20002a90 = 1; *(uint64_t*)0x20002a98 = 8; *(uint32_t*)0x20002aa0 = 3; *(uint32_t*)0x20002aa4 = 0xf2; memcpy((void*)0x20002aa8, "!\\{", 3); *(uint32_t*)0x20004f74 = 0x20004c40; *(uint32_t*)0x20004c40 = 0xb0; *(uint32_t*)0x20004c44 = 0; *(uint64_t*)0x20004c48 = 0xcf; *(uint64_t*)0x20004c50 = 1; *(uint64_t*)0x20004c58 = 1; *(uint64_t*)0x20004c60 = 3; *(uint64_t*)0x20004c68 = 0x100000000; *(uint32_t*)0x20004c70 = 4; *(uint32_t*)0x20004c74 = 0x81; *(uint64_t*)0x20004c78 = 5; *(uint64_t*)0x20004c80 = 0x7f; *(uint64_t*)0x20004c88 = 5; *(uint64_t*)0x20004c90 = 6; *(uint64_t*)0x20004c98 = 0xffff; *(uint64_t*)0x20004ca0 = 3; *(uint32_t*)0x20004ca8 = 0x1f; *(uint32_t*)0x20004cac = 3; *(uint32_t*)0x20004cb0 = 8; *(uint32_t*)0x20004cb4 = 0xc000; *(uint32_t*)0x20004cb8 = 0xf5c8; *(uint32_t*)0x20004cbc = r[10]; *(uint32_t*)0x20004cc0 = r[11]; *(uint32_t*)0x20004cc4 = 2; *(uint32_t*)0x20004cc8 = 9; *(uint32_t*)0x20004ccc = 0; *(uint64_t*)0x20004cd0 = 4; *(uint64_t*)0x20004cd8 = 0x80; *(uint32_t*)0x20004ce0 = 5; *(uint32_t*)0x20004ce4 = 2; memset((void*)0x20004ce8, 170, 5); *(uint32_t*)0x20004f78 = 0x20004e40; *(uint32_t*)0x20004e40 = 0xa0; *(uint32_t*)0x20004e44 = 0; *(uint64_t*)0x20004e48 = 0x400; *(uint64_t*)0x20004e50 = 6; *(uint64_t*)0x20004e58 = 2; *(uint64_t*)0x20004e60 = 0x400; *(uint64_t*)0x20004e68 = 7; *(uint32_t*)0x20004e70 = 4; *(uint32_t*)0x20004e74 = 9; *(uint64_t*)0x20004e78 = 4; *(uint64_t*)0x20004e80 = 0x1000; *(uint64_t*)0x20004e88 = 0xffff; *(uint64_t*)0x20004e90 = 6; *(uint64_t*)0x20004e98 = 1; *(uint64_t*)0x20004ea0 = 0xffff; *(uint32_t*)0x20004ea8 = 0x65f; *(uint32_t*)0x20004eac = 0x647c2b8f; *(uint32_t*)0x20004eb0 = 0x400; *(uint32_t*)0x20004eb4 = 0x8000; *(uint32_t*)0x20004eb8 = 8; *(uint32_t*)0x20004ebc = r[12]; *(uint32_t*)0x20004ec0 = r[13]; *(uint32_t*)0x20004ec4 = 3; *(uint32_t*)0x20004ec8 = 0x6b; *(uint32_t*)0x20004ecc = 0; *(uint64_t*)0x20004ed0 = 
0; *(uint32_t*)0x20004ed8 = 0xd; *(uint32_t*)0x20004edc = 0; *(uint32_t*)0x20004f7c = 0x20004f00; *(uint32_t*)0x20004f00 = 0x20; *(uint32_t*)0x20004f04 = 0; *(uint64_t*)0x20004f08 = 0x800; *(uint32_t*)0x20004f10 = 0; *(uint32_t*)0x20004f14 = 0; *(uint32_t*)0x20004f18 = 0x10001; *(uint32_t*)0x20004f1c = 0; syz_fuse_handle_req(r[5], 0x200003c0, 0x2000, 0x20004f40); break; case 23: memcpy((void*)0x20004f80, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004f80, r[5]); break; case 24: syz_init_net_socket(0x24, 2, 0); break; case 25: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[14] = res; break; case 26: *(uint32_t*)0x20004fc4 = 0x5004; *(uint32_t*)0x20004fc8 = 0; *(uint32_t*)0x20004fcc = 1; *(uint32_t*)0x20004fd0 = 0x1de; *(uint32_t*)0x20004fd8 = r[14]; memset((void*)0x20004fdc, 0, 12); res = -1; res = syz_io_uring_setup(0x343, 0x20004fc0, 0x20ffc000, 0x20ffb000, 0x20005040, 0x20005080); if (res != -1) { r[15] = *(uint64_t*)0x20005040; r[16] = *(uint64_t*)0x20005080; } break; case 27: memcpy((void*)0x200050c0, "/dev/uinput\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 2, 0); if (res != -1) r[17] = res; break; case 28: memcpy((void*)0x20005100, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0x488200, 0); if (res != -1) r[18] = res; break; case 29: *(uint8_t*)0x20005140 = 0x1e; *(uint8_t*)0x20005141 = 3; *(uint16_t*)0x20005142 = 0; *(uint32_t*)0x20005144 = r[14]; *(uint64_t*)0x20005148 = 0x200; *(uint32_t*)0x20005150 = 0; *(uint32_t*)0x20005154 = r[17]; *(uint32_t*)0x20005158 = 6; *(uint32_t*)0x2000515c = 1; *(uint64_t*)0x20005160 = 0; *(uint16_t*)0x20005168 = 0; *(uint16_t*)0x2000516a = 0; *(uint32_t*)0x2000516c = r[18]; memset((void*)0x20005170, 0, 16); syz_io_uring_submit(r[15], r[16], 0x20005140, 0x3dd1); break; case 30: memcpy((void*)0x20005180, "/dev/keychord\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x20005180, 0x171000, 0); if (res != -1) r[19] = res; break; case 31: 
memcpy((void*)0x200051c0, "/dev/ubi_ctrl\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x200051c0, 0x10400, 0); if (res != -1) r[20] = res; break; case 32: *(uint32_t*)0x20005240 = 0; *(uint32_t*)0x20005244 = 0x20005200; memcpy((void*)0x20005200, "\x46\x23\xd8\xa4\xce\x02\x17\xc9\xe5\x95\x55\xc1\x66\x89\x06\x79\xe3\xe0\xc1\x94\x0d\xf5\xb9\xfc\xbf\x91\x64\x9e\xf5\x4d\x80\xf0\xc8\xbc\xc8\x0e\x36\xb5\x57\x4c\x4b\xc9\xf9\x43\x40\x18\x54\xf5\x6a\xa2", 50); *(uint32_t*)0x20005248 = 0x32; *(uint64_t*)0x20005280 = 1; *(uint64_t*)0x20005288 = 0; syz_kvm_setup_cpu(r[19], r[20], 0x20fe8000, 0x20005240, 1, 0, 0x20005280, 1); break; case 33: res = syscall(__NR_mmap, 0x20ffc000, 0x2000, 0x1000000, 0x8000, (intptr_t)r[18], 0); if (res != -1) r[21] = res; break; case 34: *(uint32_t*)0x200052c0 = 1; syz_memcpy_off(r[21], 0x114, 0x200052c0, 0, 4); break; case 35: memcpy((void*)0x20005300, "adfs\000", 5); memcpy((void*)0x20005340, "./file0\000", 8); *(uint32_t*)0x20005540 = 0x20005380; memcpy((void*)0x20005380, "\x87\x35\x19\xf2\x5d\xf0\x82\xb3\x71\xba\x5b\x45\xad\xb5\x70\x9c\x00\x80\x57\x47\xc3\x7f\xe0\x44\x06\x45\x95\xcd\x47\x28\xbf\x89\x80\x30\x2b\x25\xb4\xb0\x83\xb4\x2b\x41\x33\x6e\x13\x0f\x1b\x6f\xf0\xa2\xf1\x72\x49\x8e\x52\x2b\x4f\xe5\x82\x6e\xab\xab\xf5\x3a\x98\x52\xf9\x3e\xbe\xb8\x41\xe1\x64\x5f\x32\x93\x61\x27\x02\x9d\x68\xfe\x73\xec\xed\x89\xc1\xb9\x35\x87\x01\x2a\x47\xc4\x2a\x58\x3d\x69\x75\x59\x2b\x3f\x2c\xdf\x43\x37\xfc\x6d\x5e\x85\xe5\xf5\x83\x5f\xaf\xe0\x95\x93\x5e\xc9\x04\x84\xe9\x08\x1a\xa8\xd2\x24\x98\x43\x13\x01\xba\xad\x4a\x34\x36\x8c\x26\xc6\x4d\x85\x32\x6c\x7e\x00\x68\x21\x78\xf8\xd1\x3e\x6a\x89\x69\xf1\x5b\x9d\x5d\xbc\xfe\xc2\xc0\xe6\x96\x80\xc3\x92\x8c\xa0\x15\xb9\x2e\x25\xf5\x07\x8d\xe3\x54\xfe\x32\xcc\x71\x21\x60\x9a\x07\x62\xe1\xb7\x3e\xfd\x89\x67\xa2\xfe\x23\x5e\x4d\x1e\xf9\xe5\xac\x88\xbc\x1e\xd7\x06\xa9\x84\x64\x1b\x06\x47\x0b\x22\x94\xd0\x45\xce\x7e\xba\x51\xc0\x72\x89\x38\xa2\xc6\xee\xb6\xd8\x57\x44\x29\xcc\x24\xbc\xb2\xa7\x84", 241); 
*(uint32_t*)0x20005544 = 0xf1; *(uint32_t*)0x20005548 = 0x40; *(uint32_t*)0x2000554c = 0x20005480; memcpy((void*)0x20005480, "\x62\x93\x5b\xfe\x26\xe9\xc9\xf2\xdc\x3c\x3e\x9d\xfb\x49\x18\x58\xef\xb5\x98\x36\x9b\xcc\xa5\x19\x23\x98\x9b\xa9\x43\xcf\x44\x7b\xaf\x56\x62\x5d\xf0\xf6\x85\xed\x2d\x03\x4b\x37\xc0\x75\x63\xf6\x68\x72\x8f\x6d\xc6\x83\x36\x09\xb1\x22\x19\x70\xe5\x50\x88\x86\x9d\x29\xc0\x1b\x2d\xd0\x5c\x48\x20\xb0\x80\x42\xb5\x07\x40\x08\xc9\x75\x77\x12\xc4\x80\xe2\x5d\x89\xb9\xc4\x8e\x95\x7e\x5b\x5c\x7b\x0b\xec\xcf\xb1\xfc\xcc\xed\xbc\xed\xc8\x38\x06\x03\x80\x75\xfc\x2a\x0f\x82\x28\xbe\xb4\x7f\x1f\xec\xe0\x9b\xdd\xcb\xbe\x00\x21\xab\xe9\xc3\xd1\x98\x36\x9b\x81\xb6\x7d\xbd\x6a\x7d\x33\x4b\x8d\x28\xb8\x02\xcc\x97\xd9\x34\xc1\x64\xe9\x7d\x9d\x7b\x70\xdc\x6c", 161); *(uint32_t*)0x20005550 = 0xa1; *(uint32_t*)0x20005554 = 0x1ff; memset((void*)0x20005580, 170, 5); *(uint8_t*)0x20005585 = 0x2c; *(uint8_t*)0x20005586 = 0x2c; memcpy((void*)0x20005587, ":&-]!", 5); *(uint8_t*)0x2000558c = 0x2c; memset((void*)0x2000558d, 125, 1); *(uint8_t*)0x2000558e = 0x2c; memcpy((void*)0x2000558f, ",-V", 3); *(uint8_t*)0x20005592 = 0x2c; memcpy((void*)0x20005593, "\\*})", 4); *(uint8_t*)0x20005597 = 0x2c; memcpy((void*)0x20005598, "*^\\^b", 5); *(uint8_t*)0x2000559d = 0x2c; memcpy((void*)0x2000559e, "appraise", 8); *(uint8_t*)0x200055a6 = 0x2c; memcpy((void*)0x200055a7, "fowner<", 7); sprintf((char*)0x200055ae, "%020llu", (long long)r[8]); *(uint8_t*)0x200055c2 = 0x2c; memcpy((void*)0x200055c3, "smackfshat", 10); *(uint8_t*)0x200055cd = 0x3d; memset((void*)0x200055ce, 170, 5); *(uint8_t*)0x200055d3 = 0x2c; memcpy((void*)0x200055d4, "obj_type", 8); *(uint8_t*)0x200055dc = 0x3d; memset((void*)0x200055dd, 170, 5); *(uint8_t*)0x200055e2 = 0x2c; memcpy((void*)0x200055e3, "dont_appraise", 13); *(uint8_t*)0x200055f0 = 0x2c; memcpy((void*)0x200055f1, "dont_measure", 12); *(uint8_t*)0x200055fd = 0x2c; memcpy((void*)0x200055fe, "fowner<", 7); sprintf((char*)0x20005605, "%020llu", (long 
long)r[9]); *(uint8_t*)0x20005619 = 0x2c; memcpy((void*)0x2000561a, "dont_appraise", 13); *(uint8_t*)0x20005627 = 0x2c; *(uint8_t*)0x20005628 = 0; syz_mount_image(0x20005300, 0x20005340, 0xfd, 2, 0x20005540, 0x8800, 0x20005580); break; case 36: memcpy((void*)0x20005640, "/dev/i2c-#\000", 11); syz_open_dev(0x20005640, 0x40, 0x300); break; case 37: memcpy((void*)0x20005680, "net/if_inet6\000", 13); syz_open_procfs(r[6], 0x20005680); break; case 38: syz_open_pts(r[19], 0x800); break; case 39: *(uint32_t*)0x20006c40 = 0x200056c0; memcpy((void*)0x200056c0, "\x46\x41\x06\x38\xb7\xa1\x28\xc1\x5c\x6c\xb2\x7d\x23\x35\x80\x6d\xa8\x7c\x0d\x49\x15\x42\x44\x52\xcf\x0b\xa9\xee\xe0\xa5\xd4\x9d\x63\x4f\x09\x0d\xf2\x6f\x35\xbb\x04\x33\xc1\x3a\x27\x0d\xcb\x44\xcf\xe9\xba\x62\xb5\xba\x38\xd4\xae\x3c\x65\xea\xd2\x72\x7f\x1d\x2a\x5f\x02\xda\xa2\x70\xce\xa6\xf4\xf6\x09\x02\xe2\xed\xa6\x54\xb1\x6e\xc6\x63\x5a\x1c\x6c\xd1\x5d\x6b\xd6\x34\x32\x14\xb8\x34\x22\xd1\xa1\x9b\x5d\xae\x43\x9b\x9f\xbc\x3d\xb5\xc2\x18\xd4\xb0\x8a\xcf\xc9\xfc\xdb\xe5\xd4\xe6\xa5\x12\x7a\xda\xdc\xe6\x10\xd8\x15\xe8\xc6\xd8\xad\xc7\x86\x89\xea\xae\x29\xd8\x1a\x20\x04\x0a\xee\xef\x4e\xe5\x5d\x77\x01\xea\x72\x5e\x91\xb7\x4f\x5b\x37\x81\x4b\xee\xd1\x18\x54\x99\x79\xc8\xa4\x0d\x0b\x29\x09\x77\xad\xa4\xd6\x58\x74\xc7\xdc\xca\x03\x0a\x9a\x15\x50\x9b\xc2\x7e\x6e\x87\xd5\x26\x91\x24\x37\xb8\x69\x04\xf7\x42\xc9\xc1\x3c\x1e\x00\xbc\x5e\x3e\x94\x3c\x14\x30\xd1\xcc\x01\x8f\x5a\x4d\xec\xf2\x46\x02\xdb\x5b\xf2\x28\x6e\x64\xce\x75\x1d\x8d\xf1\x6f\x28\x09\x34\xfb\x08\xb6\x19\xb2\xb5\xe9\x31\x19\x5a\xd2\xf7\xc8\x7a\xe9\x56\xc6\x4a\x2f\xda\xc4\xfd\x79\x16\x11\xac\xc2\xa8\x65\xd9\x94\xea\x90\xed\x15\x85\x81\xe8\x0d\x03\x86\xb1\x53\xf1\x9f\xab\x27\x81\xb7\x2d\x1d\xe0\x03\xb1\x87\xd2\xb1\x19\x53\x42\xb3\xa0\x03\xbf\x44\x83\xb4\xd8\x90\xab\x1b\x2f\x51\xe8\xd5\x8f\x0a\x5a\xd7\x8e\x0d\xf9\xd6\x29\xc2\x2c\x2a\x32\x4a\x98\x2e\x1f\xc2\x73\x8c\x36\x0d\xb3\xa8\xba\x5e\x55\xae\x5c\x9d\x58\xf1\xc2\xf6\xbe\xd0\xb6\xde\x5b\xb4\xee\x3b\x5f\x84\x2c\xee\
xf9\x1b\x20\x56\x54\x1f\xf5\x53\x12\xee\x90\xa2\xbd\x09\x97\x06\x6c\x37\xf3\xd8\x37\x78\x95\x92\x1b\x08\x02\x15\x89\x04\x9e\xd7\xb2\x3c\xeb\xaf\x9b\x41\xd0\x8e\x75\x90\x58\xa3\x45\x2c\xb9\xdf\x2a\xee\x1d\x2b\x90\xe5\x10\xba\x9b\xc9\x48\x40\x0a\x69\xaa\x13\x83\x3d\x1b\x4c\x44\x44\x51\x29\xe0\xaf\x50\x12\xfd\x6a\x53\x41\x81\xfb\x20\x42\x68\x26\xa4\xb3\x69\x4e\x4a\x51\x81\x19\x9d\xf1\xed\x31\xde\x36\xf2\xed\x49\x21\x18\x22\xad\x91\x5d\x3b\x71\xac\xae\xcf\xf3\xc8\x4d\x4e\x3b\xb1\x9f\xba\x32\x19\xe2\x61\x45\x73\x5f\xf7\x1d\xce\xee\xee\x7a\xa2\x47\x53\x9a\xd2\x73\x11\x13\xd3\xf3\x64\x42\x6b\xe9\x00\x6e\x6b\x0e\x35\x8b\x81\xd4\x07\x45\x49\xe0\x8e\xf2\x76\x13\xa3\x71\x5e\x5e\x89\xba\x0a\x71\xe3\x99\x52\x31\xe9\x9a\xac\x5e\x4e\xe7\x07\x8f\x59\xe3\xe7\xd4\xfa\xbe\xd2\x6e\x75\x07\x41\x1f\xbe\x4b\x03\x53\x10\x62\x78\xac\x69\xf3\xb9\x1e\xc6\x9f\xa5\x42\xeb\x7c\x96\x43\x94\x06\x2f\x65\xc6\x50\x19\x7f\xbe\x73\x3c\x22\x83\x26\x73\xd0\x66\xe4\xed\x40\x07\x3b\x28\x4e\xe4\xe5\x1b\x12\x59\x36\x7d\x4e\xb9\xe1\x72\x00\x7e\x6f\xb8\x0a\x0a\x6f\xe6\x2b\x3f\x3d\x5e\x5b\x68\xfe\x04\x7e\xa4\xd6\xfb\xfa\xa3\x0a\x00\xfc\x29\xbc\x58\xa3\x1c\xfb\x82\x12\xf2\xc4\x9c\x3a\x2e\x71\x1a\xe5\x02\xbd\x64\x7b\xd5\x6b\xb7\xcf\xc1\xd8\x4d\x14\x18\x27\xbe\x21\x1b\x5f\xfb\xed\x78\x6b\xfa\x13\x13\xd2\xae\xd5\x34\xf0\x00\x19\x36\x3a\xc1\x29\x61\x2c\xa2\x5c\x76\x3b\x07\x7f\x5a\x72\x4d\x61\xfc\x79\x74\xfa\x82\x4b\xad\xc1\x40\x06\xf2\xfe\xbf\xb1\xe3\x5a\x3d\xd7\x2e\x82\x33\x4a\x26\x37\x56\xff\x42\x04\x68\x0c\xba\x1c\x03\xc5\x5e\x09\xdf\xfb\x5a\x58\xe4\xc5\x5b\x5b\xd7\xa7\x0e\xe8\x52\x59\x29\xa0\xee\x9f\x90\x91\xe3\x4b\xb8\xd2\xf0\xaf\x6d\x2a\x26\x70\xc5\x91\x18\x6b\xee\x6c\xed\xda\xb8\xe1\xfe\x8d\x4b\xe3\x97\xa5\x45\xc4\x83\xfd\x68\x4c\xd8\x12\xdf\x5e\x31\x2a\xb5\xf4\x81\x2b\x47\x84\xef\xae\xf1\xc3\xdb\xe7\x90\x94\xfb\xab\xd6\xca\x5f\x0a\x45\x46\x23\x96\xf8\x18\xa5\xc7\xbf\x61\xc8\xc3\xf4\x33\x66\xc1\x26\x5f\x46\x38\xd1\xdc\x7b\xde\x11\x46\x10\x35\xc7\xaf\x77\xe6\x84\x4c\x5d\x47\xbc\x18\x97\xdf\xab\xec\x76\x87\xed\
x25\x79\x4a\x71\xa3\xaa\x2b\xe1\x66\x57\x19\xe7\xea\xf6\x49\xbf\xaf\xfc\xea\x24\x92\xd4\x3b\xca\x7f\x03\x04\x21\x0c\xfc\xa9\x1a\x0d\xad\xf6\x6b\x7c\x3c\x6b\xaf\x8c\x50\x55\xef\x4f\x3c\x56\xaa\x03\xbb\x6e\x40\x0d\x7c\xac\xa6\x9e\x42\x43\xac\x71\xc9\x39\xcc\xf2\x73\x10\xb7\x3b\xa5\x98\x97\xe2\x02\x0c\x71\x7c\x33\xdb\x9a\x4a\x58\x29\x12\xa3\xa8\xd7\xc0\xa8\x70\xb1\x2a\x9f\x98\x2a\xaf\xd0\xcf\x15\x95\x75\x18\x9d\x8c\x26\x88\x64\x34\x22\x9f\xb0\xc7\x6c\x56\x50\x8b\x63\x8a\x25\x09\xb6\x58\x47\x72\x2a\xf1\x97\xe9\x5c\xf0\xcf\xf2\x36\x84\x48\xd4\x2a\xd6\x2d\xb2\x7f\xf0\x17\xa7\xfb\xed\x92\x3b\xef\x62\x83\x40\x87\x12\xc3\xf0\x4a\x79\x03\x38\xf4\xf8\x0c\xf4\xf3\xe9\x2f\xaa\xfa\x3b\xf6\xcf\xf5\xed\x3c\xf3\xb1\x7b\x50\x50\x75\xe1\x2b\x69\x58\xbf\x2e\x5c\xb4\x02\x41\xf6\x72\x87\x4a\x0f\x94\x0f\xd5\x7e\x82\xe9\xca\xff\x11\x3d\x67\x1d\xa2\x3d\xa3\x43\x6a\x31\x80\x0c\x2d\x34\x87\x96\x5f\x87\xc3\xf8\x25\x06\x10\xaa\xff\x78\x3d\x78\x59\x5e\x19\x26\xb7\x7e\x97\xb2\xe3\xad\x09\x08\x7a\xf9\x19\xac\xe3\xf0\x4f\xd2\x75\x88\x7b\x1f\xc8\x1e\xe2\xf5\xba\xd8\xde\x1c\xc3\x5e\xe0\xc0\x3a\xde\xed\x9a\x91\x97\xd7\xa8\xfa\x5d\xb5\x9d\xc5\x00\xa9\x4b\xd1\x84\xa2\xa8\x0d\x97\x04\x79\x7e\x76\xbc\x0f\xc4\x3e\xd5\x72\x96\x14\x3d\xc9\xd8\x58\xb1\x4a\x7b\xdf\xb4\x18\x19\x7f\x09\x74\xb6\xee\xe2\x99\x95\x80\x51\xb1\xd4\x14\xab\x12\x6c\xef\x5b\xc3\x6a\xe4\x05\x5c\x4f\x19\xe7\xe0\x1d\x20\x92\xd9\x9f\x1d\x2a\x5a\x56\x61\x4f\xed\xf4\x81\xd5\x78\xcb\x85\x1a\xd7\x3e\x18\x29\xbc\x35\x0f\x7e\x56\xee\x0d\x2e\x71\xfe\x73\x1c\x1b\x30\xfd\x84\x5f\xd8\x2c\xa0\xac\xf0\x29\xaf\xf4\xa7\x5e\x0d\x38\xfb\x7a\xf5\x82\xa1\x9c\x0c\x7d\xeb\x19\x54\x4b\xc7\xa1\x3c\x18\x96\x03\x24\x41\xcb\xa6\xae\x39\xc3\x5a\xe8\x80\xb4\x5a\x5c\x97\x54\x5a\xc0\x99\x24\x3a\x79\x1c\x6f\x2e\xb9\x35\x56\x20\x8b\x8b\x20\x35\x42\x75\x2a\x67\x3b\x9d\xf0\x2b\xf0\x4a\xd3\xc1\x8e\xec\xaa\x5e\xb2\x2d\x1b\x65\xe5\x9c\x34\x49\xb5\xcc\x42\xdf\x35\x0d\xd4\x82\x2b\xcf\x67\x1d\xf7\x84\x20\x68\x9c\xac\x22\x65\x8c\xd9\xf0\xf3\x90\xe2\x6e\x07\x96\xac\x4b\x7f\x30\xb1\
x98\x9f\x09\xcf\x5b\xa5\x16\xeb\x16\x67\xec\xc1\xd8\x53\x73\x9a\x20\xe5\xe7\x85\x99\xbd\xa8\x30\xd0\x02\xd4\x5e\xb6\x6d\x63\xa7\x78\xb8\x41\x2a\xf5\xd6\x3e\x3e\xf2\x64\x94\xe2\x1b\xbc\xde\x5b\x97\xa9\x4f\x79\x78\xac\x90\x3d\x46\x7c\x5b\x6d\x07\x17\xdc\x4a\x9d\x14\x6e\xd4\xb5\x8b\xfe\x37\x3a\x59\x08\x70\x2f\x99\x7f\x10\x90\xb4\xb1\x90\x93\xf8\x90\x50\x85\xec\xb6\x91\x10\x7b\x05\x9e\x0e\x1c\xd0\xc4\xa9\x4c\x9a\x47\x3a\xf2\xd1\x2b\xd5\x99\x8a\x8b\x8b\x48\x02\xf9\x31\xb9\x05\x15\x51\x9f\x20\xfe\xea\xde\xa5\x68\x4c\x06\x4f\x9a\xdb\x42\x39\x35\xb8\xde\x29\x8b\x03\xe5\x79\xab\xad\x6a\x23\xa8\x6c\x86\xed\xd3\x9c\x2e\xd6\xa4\x68\x5e\x69\xbc\x71\x54\x05\xab\x7a\x3f\x27\x66\x4b\xdb\x68\xfe\xf1\xfc\xd0\x90\xf0\x60\x38\x1f\x1a\xa3\x74\xa0\x74\xa6\x40\xf9\x91\xec\x6d\x8b\x28\x8b\x1b\x05\x07\x06\x85\x60\x31\x4f\xe9\x4a\xeb\x85\xc4\x2f\x4d\xf3\xad\xb2\x14\x85\x69\x65\x15\xda\x2f\xa7\xf4\x41\xb7\x53\xd5\xf8\xca\x45\x45\xf2\xd1\xdc\x1e\xb3\x4e\x41\x8c\x04\x3b\xeb\x51\x8b\xb3\x5f\xe3\x02\x35\xaa\xbf\x7e\xc5\xf3\x71\xb3\xa4\x8c\x0e\xa6\xa6\x13\xeb\xb4\xe4\xda\x5b\x71\x40\x8a\xa5\x57\x74\x23\x9a\xc7\x49\x03\x0a\x52\x74\x0c\xd8\x53\x5b\x9e\x3d\x28\xa4\xe8\x7b\x4c\x4f\x40\x44\xc8\x19\x5c\x32\x11\xf9\x47\xe5\x00\x7d\xf7\xb6\x4e\x37\xc4\x14\xbf\xd5\x4f\x7b\x59\x82\x37\x20\xbe\x00\x49\x8c\x18\xb5\x7d\xad\x00\x43\xf0\xc5\x0a\x75\x81\x74\x18\xc1\xdb\xc3\xdb\x8d\xc7\x33\xce\xb2\xb5\xb6\xd2\x0b\xec\x1e\x38\xa2\xf9\x09\xaa\x61\x94\x80\xe2\xca\x05\xd9\x00\x0b\x7e\xaf\xf3\x70\xc0\x77\xed\x38\x94\x22\x89\x0d\xd4\x26\x27\x8c\x63\xc2\xac\x42\x85\xe8\x40\xe6\xc7\xf9\xda\x04\xd6\x9a\xf4\x48\x2d\x96\xee\x58\x24\xde\x09\x16\x14\xd8\xb1\xb4\xcf\x49\xf5\xa7\x01\xe4\xb4\x2f\xf5\x8a\x62\x82\x3c\x27\x76\xfb\xa4\xc2\x7e\xc8\x6c\x24\xba\x10\x3e\xd0\x1c\x66\x72\x9a\xd6\x02\x92\x4a\x51\x37\xb7\x18\xd8\xdd\xee\xb0\x83\x39\xd8\x3c\x45\xfe\xca\x01\xc3\x93\x35\x7a\x67\x64\x38\x11\x43\x63\x59\x1d\x31\xc2\xba\x6f\xaf\xa5\xd8\x57\x1a\xf7\xc3\xa3\x69\x0f\xde\xb0\x99\xe4\x41\x92\xb5\x87\x1f\xd0\xa3\x36\x5f\xb2\xe2\x30\xc6\
xc0\x3a\x74\x73\x78\x2b\x30\x3a\x5b\xe1\x4f\x03\x8d\x8e\xa3\x4a\x63\x08\x43\x00\x51\x6e\xb7\x88\x4e\x59\x33\x58\xe6\x6b\x3d\xfb\x6d\xac\x4d\x08\x15\xd5\x8d\xaf\xb8\x5e\x8c\xca\x44\x26\x53\x6a\x38\x4d\xc8\x9f\x74\x13\xf1\x4c\xc9\x2e\x73\x77\xa9\x09\x38\xf9\x9e\xf7\xf5\x35\xc2\x18\xae\x2e\x90\x9a\xcd\xbf\xd7\xeb\x5b\x0b\x47\x40\x8e\x3d\x6d\x73\xdd\xa3\x9f\xbd\x6b\x23\xaf\x18\xf1\xa6\x70\x3e\xe3\xb1\xf7\x5b\xb7\xc0\x00\xa4\xca\x5a\x7b\xcc\xaa\xe8\x6c\x4a\xba\xc8\x1d\xa2\x93\xe4\x3f\x91\xd2\xc3\xdf\xf1\x2f\xfa\x52\x29\x13\x9a\x08\xae\x5f\xc2\xec\x13\x9b\xe9\x78\xb8\x18\x2d\x6a\x60\xc7\xff\x39\xbb\x0a\xa8\x20\xa1\x07\xd9\x2e\x38\xb9\x5e\x74\x8a\x18\x4b\x53\xf5\x62\x4f\x45\x72\x39\xf6\x38\x4d\xdd\xcb\x9f\xd7\xe8\xef\x29\x52\x65\xd7\x9b\x64\xc5\xc0\xa9\x3b\xf2\x16\x35\xb8\xc6\x80\x90\x78\x10\xd8\xe7\x2a\x58\x1e\x5a\xa0\xe0\x0f\xbf\x35\x1e\x3c\x84\x1c\x7d\x0c\x51\xa2\x63\x68\x37\xb2\x7c\x6a\x91\x42\x5b\x50\x6a\x22\xc2\x7d\x14\x20\xd0\xb1\x3e\x60\xde\x3e\x9c\x56\x66\x7a\x98\x98\x3b\xa9\xbd\xd1\xc5\xa5\x2d\xc6\x12\x7b\x65\x9e\x6d\x80\x70\x69\x59\xf0\x7d\x3a\x5f\xa8\xb3\xb8\x8e\xab\x05\xe7\xa0\xc0\x4e\xe1\x2a\x21\x37\x2c\x71\x3f\x64\xc6\xad\xbe\xed\xd7\xa8\xb7\xa6\x92\x67\x49\x75\xbb\xe5\x5c\xe4\x02\x71\x44\x02\xf2\x0c\x7f\x57\xff\x1f\x79\x35\x7d\x8e\xda\xbe\xf1\xd8\x68\xf0\xa2\xb3\xdd\x7a\xa3\xbb\xe5\x8e\x80\x81\x49\x70\x73\x4f\x7d\xec\x70\xd3\x14\xe8\x11\x59\x3a\x32\xcc\x86\x1f\x4a\x8a\x4b\x3f\x0d\x7c\xeb\x4e\xbb\x32\x66\x4f\x56\x44\x49\x7a\xc9\x56\x2c\xdd\x5a\x54\x19\x3f\x22\x38\xe6\x5c\x18\x74\xc8\x64\x21\xc5\xcf\xb4\x3a\xe1\x56\x93\x1c\x78\x40\xd1\x0d\xe4\x7a\x4d\x0f\x2f\x31\x74\xc3\x6c\x86\x45\xac\x02\xf5\x44\xc3\x69\x0b\x51\x37\xaf\x7d\x2c\xed\x3f\xb0\x43\x59\xbb\xf2\x2b\x67\x20\xea\x94\xf2\xe3\xb5\x67\x5f\xb7\x7a\xde\x56\xc9\x77\xd6\x68\x06\x4e\xfd\xd1\xc6\x15\x11\x9a\x52\x8c\x9e\xc1\x35\x3e\x84\x10\x3e\x5d\xce\x6a\x0b\xd0\x73\xf9\xff\xbe\xa0\x81\x9c\xf6\xc0\xcc\x58\xea\xd0\x0c\x92\x34\x02\x98\xcc\x09\x45\x64\x11\x7f\x3f\xb8\x94\x27\x4c\xa9\x1d\x79\x76\x45\x96\x19\xf5\
x44\xb2\x50\x58\x6c\x6d\x44\xaf\xba\x55\x74\xb7\xef\x51\x26\xb0\x70\x40\x9a\x1f\x5e\xed\xc6\x50\x07\xb0\x03\x39\xf1\x60\x42\x2f\xff\x38\xd6\x7e\xaa\x8d\x78\x2f\xc4\x19\x2a\x29\x81\x08\x79\xeb\x12\x85\x99\x42\xfa\x14\x1a\x21\xc3\x9d\x9e\xea\x03\xeb\xa1\xaa\x7b\x3a\xc7\xe2\xb1\xda\xf4\xf6\x9f\x47\x5b\x8e\x75\xc5\xac\x7c\x2e\xfd\xd7\x77\x93\x2d\x40\x31\x43\xcd\xd0\x89\x02\xd5\xe3\x45\x93\x01\xc2\x8c\x88\xc4\xdf\x34\x2c\xa1\x39\x10\xb7\x60\xe3\x4c\x40\x19\x4b\xb5\x1b\x82\xcf\x14\xad\xee\xd5\xae\x47\x51\x7d\x3c\xbc\x73\xbb\xb5\xa8\x89\x9c\x30\xe6\x06\x51\x99\x89\xa8\x5d\x2e\x15\xb0\xe8\x9e\xbb\xa4\x3f\x0c\x8a\x75\x2f\x07\x01\x03\x80\xca\xa7\x0d\xc4\x09\xff\x80\x5c\x24\x57\x48\x29\xd0\x6b\xb9\xa1\x49\x5d\x5a\x30\x85\xdf\x90\x29\xe2\x3d\x92\xbb\xc4\x6d\x7c\x7c\x1d\xb7\x36\x5e\x92\xe8\xd2\x44\x9a\xad\xe3\x89\x26\xa6\x43\x68\x72\x3a\x0e\x8a\x77\x7b\x32\x61\xc9\xc9\x7b\xae\x82\x5b\x55\x1b\xa9\x40\x55\x1a\x7e\x15\xe3\x01\x3d\xc0\x9a\x05\x22\x9d\x0c\x9a\xc6\x4e\xe1\x5e\xe3\xd4\x67\x42\x62\x89\x24\xc0\x9e\x63\x60\xcc\x43\x00\x6f\xb9\xa0\xe1\xc0\x6e\x55\x84\x63\x7c\xee\x00\x5e\xe2\x6c\xeb\xa7\x02\x95\xcb\xa5\x63\x7d\xfc\x98\x21\x14\x8e\xd7\x41\x50\x03\xd5\x18\x36\x84\x23\xae\x70\x8c\xfa\xc6\x38\xf2\xb8\xe1\xd3\xa7\x10\x11\xbd\xa8\x03\xac\xd2\xcf\xa4\x29\xea\x5f\xa0\x45\xfe\x07\x8f\x91\xeb\xe4\x5e\x7d\x51\xd4\x3f\x08\x30\x2d\x5f\x3b\x0c\xcc\x3e\xb7\xdc\x03\x81\x8b\x33\x56\x7e\x86\xf8\xe5\xdc\x40\x45\x15\x69\xa7\x95\x48\x58\xd2\x6d\xf8\x55\x49\x35\x27\x6f\x56\x54\xaf\xec\xf2\x40\xc7\xe8\x6c\x92\xec\xba\x4d\x3f\xf7\x58\x21\x31\x2d\x6a\x3b\x82\xe1\x8c\xc2\x34\xda\x5b\xac\xc2\x86\xef\x09\x24\xce\x23\xbd\x30\x70\x8d\xe5\x81\x32\x57\x4b\x54\x8c\x96\x28\xb5\x2d\x34\x29\x1d\x1c\x4a\x7f\xfd\xfe\x63\xde\x1f\xa9\xb5\xe0\xfa\x6e\x62\xf3\x52\x8a\x80\xc9\xcc\x97\xa7\xc5\x15\x40\x3f\xce\x89\x5a\xb7\x95\x63\x52\x66\xaf\x74\x6d\x89\xd2\xc9\x40\x58\xca\x38\x50\x1d\x86\xb4\xd6\x32\x4d\x0d\xf0\xd9\xc1\xe4\x7b\xbf\x83\x8b\xaa\x20\x6a\xa2\xec\x43\x97\x82\x8e\x99\x2f\xe9\x63\xb2\xe8\x37\x22\x80\x26\x27\
x62\x90\x30\x10\x6c\xf2\x0e\xc9\x8e\x24\x51\x47\xc9\x44\x26\x21\x4d\xdf\xb9\x79\x12\x06\x51\xad\xde\x14\xa4\x25\xfe\xf2\x9a\x20\xc0\xcc\x54\x60\x39\x3a\xcb\xdb\xa5\x7b\x3c\x38\x36\x62\x7e\x6a\x9c\x19\xa2\x34\x43\x12\xa9\xbc\x66\x1b\x76\x02\x85\x41\x5a\x28\x74\xe2\xf2\x18\x7b\x5c\x6d\xbf\x38\xb0\x59\x63\x6f\x9e\xd1\xde\x16\x92\xd3\xb8\x65\x04\xa7\xc1\xb6\x68\xe5\xaa\x0f\x87\xcf\x49\x7f\x0c\xab\x26\x6e\x4d\xb6\x4e\xc6\x46\x55\x80\xbe\x1d\x97\x24\x49\x47\x30\x46\x88\xcb\x35\x76\x49\x0b\x8d\xb0\x86\xb0\x89\x05\x82\x0e\xa9\xd9\x1d\xfc\x8f\x3b\x96\x6a\x9e\x56\x8d\x85\x6a\x9c\xce\x3f\x17\x31\xac\x16\xe4\xcf\x48\x71\x43\x34\xb6\xc7\xac\x35\x97\xfc\xae\x85\xd1\x79\x46\xb0\xae\x28\x99\x84\x5e\x96\x06\x6e\x0a\x64\x83\x85\xc9\x8e\xe5\xc1\x19\x39\x13\x56\xb2\x04\xac\xbd\x4a\x5c\x7c\xc2\xcb\xce\xec\xe0\xf5\x8d\xfb\x73\xfc\x30\xef\x7c\x17\x69\xb4\xf5\x6e\xd1\xb7\x7d\x76\x24\x8b\x0e\xa2\xa6\x6d\xb0\xe5\x21\x7b\x5d\x62\x42\x37\x19\x1a\xbe\x94\x86\xac\x0b\xd3\x2e\x3e\x73\x62\x33\x14\x41\x73\x4a\x8d\xd9\xed\x98\x3b\x92\xbf\x26\x47\x2c\x50\x21\xf8\xbe\xa1\x31\xec\xe4\x7c\x8f\x45\xe6\x8a\x25\xa8\xbe\xb4\x88\x58\x95\xc2\x79\x82\x30\x6d\xaf\xa1\xfa\xc9\x05\xb2\x76\xc2\xf6\x0c\xcd\xca\xbe\x2a\x5b\x32\x5b\x5c\x5d\x84\x82\xf3\x05\x66\x02\x44\xc3\x61\x71\x1f\x0e\xed\x77\x46\xc0\xda\xf9\x9d\xfd\xe3\x6c\xaf\xf2\x94\x05\x11\x82\xc5\xb6\x58\x9f\xc0\x70\x0b\x75\x1f\xb2\xb3\x80\x7f\x0b\xcb\xd2\x77\xa8\x44\xce\x82\xa5\x45\x58\xf5\x5c\xdd\x25\xa3\x0b\x22\x83\xab\xe5\x19\xc8\x27\xb1\x0a\xed\x61\x2f\x8a\xea\x3c\xb7\xac\xa8\xb3\x40\x28\xc0\xb3\x63\xc9\xac\xc5\x2d\xde\xa9\xe0\xc3\x4e\x8a\x5c\x90\x86\x9f\xe6\x0d\x28\x30\x7e\x35\xd3\xe4\x35\x82\xf3\x77\x3d\x46\x66\x9e\x43\x13\xa0\x7b\x12\xe7\xd6\xd5\x01\x43\x6f\x8e\x6f\x4b\xc3\x47\xb2\x91\x94\x14\x4d\x82\xc5\xda\xa9\x73\x0f\xea\x34\x66\xc3\x16\x72\x09\xf0\x96\x97\xda\x03\x4f\x86\xca\x9e\x5a\x7e\x28\xc0\x59\x99\xf4\x16\x1d\xca\x75\x18\x14\x04\x13\x50\x4b\xe2\xaa\x60\xef\x71\xb6\x64\x84\xfc\xa1\xb0\xbb\x11\xaf\xd5\x97\x55\xb9\x78\xdd\x29\x4e\x3d\xa8\x56\x55\
xb9\x0f\x05\xbe\x08\x23\xe2\x62\xaa\x69\x3c\x43\xbc\x23\xf4\x94\x8a\x60\x96\xff\xe1\xb5\x8e\x1b\xcd\x65\xb0\xdb\x70\xc6\x2a\x4f\x85\xd7\xdd\x4b\xe6\xcd\xdf\xea\xf1\x38\x38\x14\xa6\x72\x8b\x4c\x30\x1e\xab\x03\xb9\x50\xba\xc8\x67\x37\x5d\x1b\x6c\x61\xeb\x2f\x7f\xde\x96\x0b\x16\xf5\x94\x83\x79\xe2\x11\x5a\xb5\x40\x13\x56\xdb\x05\xa7\xdc\x30\xa2\x99\x98\x97\xb1\x63\xc7\x3d\x34\x80\x71\x06\xdf\xdc\xf7\xb7\xf9\xb9\xe7\x37\x7f\xc7\x22\x00\x3c\x86\x8c\xa5\xc1\x4a\x0e\x2f\x1d\x19\x40\xec\x6a\xef\xcf\x85\xfe\xd2\x07\x62\x2e\xd3\x81\x20\xc6\xa8\xaa\xd7\xb4\xe9\xe8\x7d\x5e\x4e\x9a\x6a\x55\xc6\xe1\x32\xe9\xe1\xe9\xa3\xa6\x2b\x4f\x7c\x6c\xe0\x09\x3f\x88\x65\x47\xdf\xc4\x8d\xe1\xd2\xe0\xc8\x5b\xf0\x1b\x49\xf9\x92\x41\xa3\x6d\x32\x4c\xdb\xad\xe5\x37\x7d\x5a\xa5\x73\x33\x77\xec\x7e\x97\xb7\xac\x54\x38\x7f\xd2\x93\x91\x31\x9d\x3f\x3b\xbc\xd0\x7b\x28\x70\xb9\x64\x6b\xf2\x83\x5b\x3a\xbb\x51\x21\xdc\x20\xa6\x38\xc6\xd0\xd6\x2b\x0a\x05\xd9\x4a\x5f\x1c\x03\xbf\xf6\xe8\x71\xa8\x4f\x9a\x7d\xef\xa1\x6f\x30\xcb\x8b\x3f\xf5\x7c\xb5\xa9\xb8\x95\x8b\x59\x21\x19\xcb\x0c\x80\x25\x13\xc1\x4a\xec\x2d\x27\xcf\xff\xbf\xb4\xe6\xa2\xa8\x40\xf8\xb0\xd7\x46\xa8\x3f\xa8\xbd\x22\x70\x21\xb0\x38\xf5\x0c\x41\x1f\x79\x22\xfb\x38\xec\x89\xf5\x1d\x71\xb7\xd3\xd9\xe2\x41\xdb\x1b\xe1\xb4\x50\x7e\x5b\x68\xfa\x1e\xe8\x9c\x21\x27\x44\x5e\x5d\x6e\xd4\xe7\x43\x3d\xe7\xbf\x4d\x72\xb7\xf7\xb1\xc9\xaa\x7c\x40\x8e\x4c\x10\x50\xce\x17\x74\x27\x98\x4f\x50\x35\xb5\x1e\x3a\xd5\x2b\x56\xd8\xaa\xf3\x8e\x56\x79\x30\xa7\x11\xc8\xdc\x34\x88\xff\xcd\xc1\xa5\x6f\xe1\xb4\xc5\xdf\x22\x67\x3b\xcc\x3e\x9c\xcd\xbb\x3a\xb6\x70\xa2\x45\x47\xf5\xde\xd4\x2d\xec\xfd\xdd\x52\x21\x04\x07\x5c\x37\xdd\xed\xe4\x60\x92\x5d\xcb\xc6\xe5\xef\x20\x60\x28\xaa\x7e\xa0\xc8\x4d\x60\xd9\x90\xfc\xd4\x8d\x76\xc9\xa4\x7b\xe6\x81\x92\x50\xd4\xd1\x0f\xce\xfc\x7a\x12\x4c\x6f\x3f\xaa\xf5\x1f\x7b\x67\xdc\xc2\xb3\x9a\xcf\x11\x9c\x8f\x89\xb9\x3b\x58\x39\x52\x47\xfa\x45\x9c\x1f\xfe\x6f\xc5\xa7\x0c\x32\xd5\x19\x6d\xa5\x93\xb3\x36\xbe\x04\x67\x16\x4e\xbb\xc9\x86\xfc\x14\
x5b\x32\xbb\x91\xa4\xc0\x58\x88\x4c\x82\xf5\xca\xcd\xa6\x2a\x43\x12\xbb\x35\x07\x0e\x74\xde\x2b\xba\x07\x64\x8b\x7e\xb9\xd9\xfa\xe8\x91\x64\x8f\x54\x32\xb6\xa7\xd5\x98\x6e\xf2\x02\x78\x72\xcf\x9e\x1a\x08\x6c\x57\x6a\xba\xc8\xdc\x40\x1a\xab\x0d\xa9\x3a\xbf\x0a\xb7\x1e\xcd\x9b\xb9\x6e\x39\x18\x03\x62\xa1\x0a\x21\x85\x07\x1e\xbb\x8c\xa2\xca\x8d\x97\x19\xd4\x7b\xfc\x18\xb6\x2f\x97\x71\xb9\x7d\xfe\xd7\x3b\x98\x23\x25\xeb\x94\x3d\x78\x5c\x78\x75\x00\xd5\xac\x0d\x26\xa9\xca\x90\xcc\x73\xc2\xac\xfe\x87\x2f\x4e\x32\xeb\x44\x39\x08\x3b\xdb\x32\x49\x70\x1d\xdd\xdb\x50\x0d\xf3\xf8\x96\xbb\x1f\x7a\x37\x06\xd6\x4b\xe1\x6d\x00\xf6\xfd\xcd\x6b\xf4\x1d\xf8\x65\x35\xf2\x98\xd2\xdd\x04\x31\x77\x74\xbd\x6b\x39\x03\xf3\x71\xd5\x9b\xe7\x19\xb7\xec\x1d\x00\x3b\x3c\x97\x05\xa8\xf7\x88\x89\xb8\xf7\xda\x0d\x46\xde\xfd\xce\xd2\xdf\x70\xd8\xcb\x45\x70\x82\x8b\xb2\x65\x49\xb5\x50\x11\x58\x9c\x73\xbe\xc4\x20\x7c\x8d\x59\xeb\xe1\x89\x6b\x37\x61\xc1\x85\xa1\x32", 4096); *(uint32_t*)0x20006c44 = 0x1000; *(uint32_t*)0x20006c48 = 0x8001; *(uint32_t*)0x20006c4c = 0x200066c0; memcpy((void*)0x200066c0, "\x31\xe3\xc3\xfa\x6d\x99", 6); *(uint32_t*)0x20006c50 = 6; *(uint32_t*)0x20006c54 = 0x3ff; *(uint32_t*)0x20006c58 = 0x20006700; memcpy((void*)0x20006700, "\x39\xde\x86\x3b\x71\x48\x20\x8e\x43\x2f\xcd\xdb\xd9\xe9\x14\x8e\x71\x6c\x1b\x48\xa3\x96\x7c\x87\x0c\x70\x14\x5d\x90\xed\x68\x1b\x3f\x8b\xce\x84\x9f\xee\x7f\x50\x09\x15\x70\x85\x4e\x20\x10\x37\x23\xe5\x64\x54\xe7\x11\x54\x3f\x6e\x2b\xe9\x2c\x34\x09\x0d\x8c\xc7\x92\x26\x0b\xe9\xb9\x60\xc1\xe4", 73); *(uint32_t*)0x20006c5c = 0x49; *(uint32_t*)0x20006c60 = 9; *(uint32_t*)0x20006c64 = 0x20006780; memcpy((void*)0x20006780, 
"\x17\xfa\xd5\x71\xf8\x0f\xec\xd3\x4a\x59\xbc\x03\xf6\xc0\x2b\xbd\x6d\x56\xcd\x8d\x95\x89\x24\xb4\xae\x41\x89\xb8\x8b\x85\x89\x7e\xfd\x4e\x59\x6e\x11\x18\xbb\x0c\x77\x1c\x2c\x5b\xa3\x7d\xed\x06\xd7\x81\x11\x39\x0c\x1c\x80\xcf\x6e\xa9\xdf\x87\x27\xf8\x85\x59\x81\x5e\xd7\x6b\x36\xfa\x13\xfb\x4d\x08\xe1\xcc\xda\xd7\x97\x3b\x5b\xec\x56\x55\xa7\x4a\x67\x1f\xde\x99\xee\x92\x39\x7c\x56\xd4\x09\xda\xdb\x10\xc4\xc3\x7e\xe9\x2c\xb4\x1d\x03\xae\x6f\xb1\x64\xe7\xf8\x69\x85\x03\x91\x28\xd3\x8b\xe8\x3b\x5e\x16\xc3\x5e\xe3\x4e\xb2\xb8\x39\x6c\x53\x48\x02\x87\x81\xa0\xa8\x79\xf8\x81\x59\x74\x0a\xb8\x97\x05\xd6\x37\xbe\xda\xfa\x91\x5f\x19\x5a\x15\x25\x97\xfa\x0d\x7d\xa9\xb7\x64\x76\x60\x2c\x6e\xee\xfc\xa1\xe8\x0a\x6d\x3d\x0e\xd1\xa7\x5b\x00\xf7\xa5\xe1\x53\xdd\x85\x1e\x23\x01\xc8\xda\xa7\xd4\x9b\x4a\xd9\x1c\x62\xd1\xa6\x96\x7f\x54\xcf\x96\x21\xc2\x40\xed\x58\x71\x92\xf6\x99\x59\xe0\x54\x07\x85\x0c\xe3\x83\x1c\x4e\x81\x1e\x6f\xff\x1c\xdf\x93\xcf\xab\xde\x88\x73\x58\x31\x68\x81\x84\x53\x56\xd7", 247); *(uint32_t*)0x20006c68 = 0xf7; *(uint32_t*)0x20006c6c = 0x26; *(uint32_t*)0x20006c70 = 0x20006880; memcpy((void*)0x20006880, "\xc2\x86\x96\x8e\x22\x38\x74\x2a\x47\xe0\xe8\xd4\x44\xa6\xa6\x61\xb7\x70\x82\x22\xf4\xed\xda\xb9\x7a\x74\x9d\xce\xbe\x2c\xc8\x3a\x31\x4b\x82\x87\x95\xf9\x15\xa3\x6d\x87\x3b\x71\x4a\xef\x15\xdd\xb1\xb4\xf6\x2f\x06\x80\x0b\xbe\x85\xea\xeb\xcb\x76\xab\xe9\x44\x71\x92\x49\xee\x79\x27\xc8\x8e\x78\xa9\x68\xe9\x3f\x45\xc5\x20\x13\xef\x97\xef\x6f\x98\x9b\x1d\x1c\xd3\x0f\xff\x88\x67\x79\x62\xc8\xf3\x05\x2a\xd0\xa4\x63\x1e\x4e\x75\x0b\xa8\x0f\x37\x53\x91\x6c\x2d\xff\xc6\xa4\x02\x3c\xdb\x62\xa1\xb5\xf2\xaf\xbb\x96\x5b\x2f\x78\xc5\xdd\x47\xaf\x90\xb0\x02\xda\x1a\x26\xa2\x4f\xcb\x99\xbf\x81\xfb\x29\x57\x4a\x2f\x98\x10\x7a\x79\x37\x63\x98\x73\xb9\x5f\x4a\x56\x9a\x04\x06\xcc\x35\x8b\x46\xef\xae\x58\x7e\x90\x08\xbe\x69\xd7\x11\xae\x20\x2c\x22\xe2\x9a\x2f\x61\x5f\xd2\x3d\xcf", 192); *(uint32_t*)0x20006c74 = 0xc0; *(uint32_t*)0x20006c78 = 0; *(uint32_t*)0x20006c7c = 0x20006940; 
memcpy((void*)0x20006940, "\x97\xfc\x4d\xd9\xdb\x67\x3e\x16\xfd\x0f\x0e\xb9\xa4\xa2\x6e\x2a\x49\xf4\x2e\x16\x16\x19\x0b\x06\x34\xdf\xd6\x13\x51\x45\xf4\xe4\x51\xbb\xba\xd5\x6d\xad\xf2\x66\x96\x4e\xba\x7d\x10\x07\xc0\xa2\x3f\x8c\xf0\x3d\x4f\x8f\xe0\x9a\x79\x89\x15\x2b\x7c\xf2\xec\x30\xf2\x69\x3a\x06\xbe\xfd\xf0\x23\xd7\x9f\x48\xc2\x08\xd7\x42\xc7\xb7\x59\x15\xbc\xc1\xbe\x58\x35\x17\xce\xd3\xb8\x26\xb9\x70\x75\xe6\x2a\x8e\xd1\x2d\xbb\x26\x48\x07\xc6\xff\xd0\x22\x76\x14\x49\x1f\xb9\xde\x0d\x8a\x92\x5a\x26\x38\xc3\x16\x08\xde\x40\x5b\xbf\x79\xe9\x6f\x17\x1f\xd5\x83\x38\xb1\xd6\x97\x9d\x33\xa7\xda\xe8\xad\x62\xf2\xba\x53\xfe\xfc\x3c", 152); *(uint32_t*)0x20006c80 = 0x98; *(uint32_t*)0x20006c84 = 0x20; *(uint32_t*)0x20006c88 = 0x20006a00; memcpy((void*)0x20006a00, "\x77\xd8\xd6\x06\xbf\xb4\x24\xe7\xb9\x95\x80\x9a\xb4\xf5\x59\x11\x5f\xd8\x2e\x97\x2d\x98\xb6\x51\xdf\xc6\x9b\x10\xdf\x60\x0f\xb4\xf7\x8e\xfd\x58\x6f\x9c\xc2\x6e\xdc\x41\xb1\xd2\xfa\xc8\x7e\xfe\x59\xe2\x62\x41\x1f\x27\xa9\x4c\xf7\x96\xed\x31\x23\x6b\x45\x7c\xa0\xf1\x47\x53\x0e\xfb\xd4\xcf\xa6\xb6\xa0\xfe\xe4\x6c\x25\xab\xcf\x7a\xd8\x28\x2a\xae\x52\x99\xe2\x99\x79\x9c\xd5\x2d\x0a\x58\xd7\xff\x9d\xdd\xd0\x10\x37\x24\xc8\x8d\xa9\x2d\xbe\xfa\xb6\x24\x80\x38\xab\xef\x9e\xc5\x22\x64\xaf\xc7\x48\x25\xf7\xea\x70\xb2\xca\x95\xd6\x90\x0f\x9b\x64\x7a\x3f\x98\x6e\x18\x28\x7c\xb2\xbf\x4b\x4c\x19\xef\xc8\xc2\x18\xfd\x90\x5c\x37\x27\xc8\x6c\x37\x02\x6b\xfb\xde\x3a\xf0\x78\xeb\x07\xb7\x98\xe6\xd3\xd8\xf2\xe4\xd5\xd3\xbc\x18\x8c\xdd\x20\xf2\xeb\xb1\x46\x1c\x5e\x53\xb0\x5f\x29\x89\xff\xac\x3b\x16\x8d\xee\x56\xda\x0f\xc0\x11\x97\x4c\x66\x0e\x40\x0a\xe2\xd8\xb2\xc8\x0a\xcb\x23\x15\x81\xee\x91\x76\x31\x29\xb2\x88\x8a\xeb\x12", 229); *(uint32_t*)0x20006c8c = 0xe5; *(uint32_t*)0x20006c90 = 0x800; *(uint32_t*)0x20006c94 = 0x20006b00; memcpy((void*)0x20006b00, "\x56\x0c\x1b\xea\x71\xb0\xf9\x72\x44\xfa\x38\x6d\x26\xbf\x6b\x1b\x04\x30\x8e\x4b\xc7\xff\xfa", 23); *(uint32_t*)0x20006c98 = 0x17; *(uint32_t*)0x20006c9c = 0x80000001; 
*(uint32_t*)0x20006ca0 = 0x20006b40; memcpy((void*)0x20006b40, "\x14\xe5\x5a\x14\xa7\x95\x33\x87\xee\x55\x33\x3c\x1d\x16\x94\xca\x98\xc7\x99\x9b\x49\x78\x86\x42\x76\x68\x05\xd6\xf5\xa2\x90\xeb\x1e\x95\x9e\xe3\x5a\x74\x04\x59\xe1\x33\x00\x26\x2f\x2a\xf9\xc3\x57\xf7\xa8\xc1\xcb\xa1\x87\xe4\x48\xbc\x3c\x8f\x86\x5c\xc9\xbe\x88\x62\x4f\xb0\xf0\xd0\xbb\x88\x5d\x9c\xc2\xab\xe1\x71\xa2\x47\x8a\x74\x20\xdb\x22\xe8\x60\x7e\x3f\xbe\xc7\xe2\x60\x1d\x9e\x11\x08\x6c\xfa\x8c\xf1\x4d\x99\x67\x6b\x67\x9d\x8d\x6b\xf1\xdd\x4f\xaa\xb8\xfe\x9a\x5f\x4e\x3f\x69\x5f\xe2\xe6\xab\xf0\x9f\x70\x26\x83\x80\x2d\x44\xcc\x3a\x29\x82\x55\xc4\xc5\x95\x33\x73\x1f\xf5\xb2\x3e\x05\x3a\xfb\x71\x6d\x58\xca\xd6\x67\x68\x6e\xe6\x47\xf4\x8e\x19\x9c\x9b\x5c\x3d\x0d\x2d\x47\x0f\x2c\xe1\xc5\xb8\xb5\x70\x8a\xe0\x23\xad\x98\x80\xca\xf3\x1d\x01\xf9\x6a\xeb\xbf\xcc\x7d\xf9\x53\x58\xa0\x16\xc5\x47\x1c\xc2\xce\x2c\xed\x61\x05\x05\x7c\x9d\x22\xc8\x16\x78\x90\xca\x19", 216); *(uint32_t*)0x20006ca4 = 0xd8; *(uint32_t*)0x20006ca8 = 0x400; syz_read_part_table(9, 9, 0x20006c40); break; case 40: *(uint8_t*)0x20006cc0 = 0x12; *(uint8_t*)0x20006cc1 = 1; *(uint16_t*)0x20006cc2 = 0x200; *(uint8_t*)0x20006cc4 = 0x62; *(uint8_t*)0x20006cc5 = 0xa5; *(uint8_t*)0x20006cc6 = 0xbe; *(uint8_t*)0x20006cc7 = 0x10; *(uint16_t*)0x20006cc8 = 0x2833; *(uint16_t*)0x20006cca = 0x211; *(uint16_t*)0x20006ccc = 0x37a4; *(uint8_t*)0x20006cce = 1; *(uint8_t*)0x20006ccf = 2; *(uint8_t*)0x20006cd0 = 3; *(uint8_t*)0x20006cd1 = 1; *(uint8_t*)0x20006cd2 = 9; *(uint8_t*)0x20006cd3 = 2; *(uint16_t*)0x20006cd4 = 0x6b4; *(uint8_t*)0x20006cd6 = 1; *(uint8_t*)0x20006cd7 = 0x20; *(uint8_t*)0x20006cd8 = 0; *(uint8_t*)0x20006cd9 = 0xa0; *(uint8_t*)0x20006cda = 1; *(uint8_t*)0x20006cdb = 9; *(uint8_t*)0x20006cdc = 4; *(uint8_t*)0x20006cdd = 0xdf; *(uint8_t*)0x20006cde = 0; *(uint8_t*)0x20006cdf = 0x10; *(uint8_t*)0x20006ce0 = -1; *(uint8_t*)0x20006ce1 = 1; *(uint8_t*)0x20006ce2 = 0; *(uint8_t*)0x20006ce3 = 5; *(uint8_t*)0x20006ce4 = 7; *(uint8_t*)0x20006ce5 = 
0x24; *(uint8_t*)0x20006ce6 = 1; *(uint8_t*)0x20006ce7 = 1; *(uint8_t*)0x20006ce8 = 1; *(uint16_t*)0x20006ce9 = 1; *(uint8_t*)0x20006ceb = 9; *(uint8_t*)0x20006cec = 0x24; *(uint8_t*)0x20006ced = 6; *(uint8_t*)0x20006cee = 0; *(uint8_t*)0x20006cef = 0; memcpy((void*)0x20006cf0, "\xfd\x50\x65\x08", 4); *(uint8_t*)0x20006cf4 = 5; *(uint8_t*)0x20006cf5 = 0x24; *(uint8_t*)0x20006cf6 = 0; *(uint16_t*)0x20006cf7 = 3; *(uint8_t*)0x20006cf9 = 0xd; *(uint8_t*)0x20006cfa = 0x24; *(uint8_t*)0x20006cfb = 0xf; *(uint8_t*)0x20006cfc = 1; *(uint32_t*)0x20006cfd = 0x40000000; *(uint16_t*)0x20006d01 = 8; *(uint16_t*)0x20006d03 = 0x4cc5; *(uint8_t*)0x20006d05 = 0x7f; *(uint8_t*)0x20006d06 = 7; *(uint8_t*)0x20006d07 = 0x24; *(uint8_t*)0x20006d08 = 0xa; *(uint8_t*)0x20006d09 = 8; *(uint8_t*)0x20006d0a = 0x3f; *(uint8_t*)0x20006d0b = 0; *(uint8_t*)0x20006d0c = 0x81; *(uint8_t*)0x20006d0d = 0x10; *(uint8_t*)0x20006d0e = 0x24; *(uint8_t*)0x20006d0f = 7; *(uint8_t*)0x20006d10 = 0x80; *(uint16_t*)0x20006d11 = 5; *(uint16_t*)0x20006d13 = 0x44; *(uint16_t*)0x20006d15 = 2; *(uint16_t*)0x20006d17 = 0x800; *(uint16_t*)0x20006d19 = 0x101; *(uint16_t*)0x20006d1b = 4; *(uint8_t*)0x20006d1d = 4; *(uint8_t*)0x20006d1e = 0x24; *(uint8_t*)0x20006d1f = 2; *(uint8_t*)0x20006d20 = 4; *(uint8_t*)0x20006d21 = 8; *(uint8_t*)0x20006d22 = 0x24; *(uint8_t*)0x20006d23 = 0x1c; *(uint16_t*)0x20006d24 = 0; *(uint8_t*)0x20006d26 = 0xc0; *(uint16_t*)0x20006d27 = 0x5325; *(uint8_t*)0x20006d29 = 6; *(uint8_t*)0x20006d2a = 0x24; *(uint8_t*)0x20006d2b = 0x1a; *(uint16_t*)0x20006d2c = 0x7f; *(uint8_t*)0x20006d2e = 0; *(uint8_t*)0x20006d2f = 9; *(uint8_t*)0x20006d30 = 5; *(uint8_t*)0x20006d31 = 5; *(uint8_t*)0x20006d32 = 0; *(uint16_t*)0x20006d33 = 0xb5a2; *(uint8_t*)0x20006d35 = 6; *(uint8_t*)0x20006d36 = 0; *(uint8_t*)0x20006d37 = 5; *(uint8_t*)0x20006d38 = 7; *(uint8_t*)0x20006d39 = 0x25; *(uint8_t*)0x20006d3a = 1; *(uint8_t*)0x20006d3b = 0x82; *(uint8_t*)0x20006d3c = 0xe9; *(uint16_t*)0x20006d3d = 0xf000; 
*(uint8_t*)0x20006d3f = 9; *(uint8_t*)0x20006d40 = 5; *(uint8_t*)0x20006d41 = 0xe; *(uint8_t*)0x20006d42 = 2; *(uint16_t*)0x20006d43 = 0x200; *(uint8_t*)0x20006d45 = 8; *(uint8_t*)0x20006d46 = 7; *(uint8_t*)0x20006d47 = 0x40; *(uint8_t*)0x20006d48 = 9; *(uint8_t*)0x20006d49 = 5; *(uint8_t*)0x20006d4a = 0; *(uint8_t*)0x20006d4b = 0x7e; *(uint16_t*)0x20006d4c = 0x200; *(uint8_t*)0x20006d4e = 8; *(uint8_t*)0x20006d4f = 3; *(uint8_t*)0x20006d50 = 1; *(uint8_t*)0x20006d51 = 0x9b; *(uint8_t*)0x20006d52 = 0x21; memcpy((void*)0x20006d53, "\xf2\xef\x0a\x5c\x06\x9c\xdb\x31\x91\x38\xe1\x85\x06\x1d\x7e\x19\x6a\xe9\x4e\x53\x5d\x80\xf2\x76\x66\xfb\xa2\x3b\x37\x43\x25\xf1\x5d\xc5\xf2\x08\x12\xfe\x05\xb0\x62\x0f\x6f\xfc\xb8\x10\x03\xb1\xf3\x9c\x5d\xcd\x1b\xff\x14\xe2\xbb\xeb\x38\x73\x35\xa3\x53\x4f\x5a\xdb\x60\xff\xc4\xf2\x85\x95\xc8\xf9\x92\xf7\x7f\xd5\xf6\x7a\x04\x84\x2b\x9c\x43\x64\xe3\x55\x6b\xe9\xba\xcb\x8f\xd5\x6e\xd7\x78\x59\x29\x11\x53\xf6\xc5\x66\x02\x63\x63\xbf\xa5\xf2\xe6\xff\x2f\xa6\xd2\x93\x17\xf2\xd5\x62\x44\x53\x64\x93\x99\x15\xa7\x5d\xd7\x36\x5f\x6a\xb9\xc1\x5d\xdb\xc7\xc3\xa4\x5f\x7e\xb9\x8f\xd1\xfe\xa3\x55\x1b\xbd\x46\xf2\x0a\x87", 153); *(uint8_t*)0x20006dec = 9; *(uint8_t*)0x20006ded = 5; *(uint8_t*)0x20006dee = 0x80; *(uint8_t*)0x20006def = 1; *(uint16_t*)0x20006df0 = 0x3ff; *(uint8_t*)0x20006df2 = 1; *(uint8_t*)0x20006df3 = 0x20; *(uint8_t*)0x20006df4 = 0xef; *(uint8_t*)0x20006df5 = 0xec; *(uint8_t*)0x20006df6 = 6; memcpy((void*)0x20006df7, 
"\xf6\x42\x24\x6a\x53\x72\x99\x1d\xb9\x7e\x58\x24\xa4\x10\xe2\x83\x00\xd3\xbd\x15\x36\x38\xf6\xda\xc6\xe1\x18\x9a\x0c\x56\x0a\x0a\x0e\x5f\x8b\x15\xe0\x78\x79\xac\x95\x01\x65\x15\x20\x26\x46\xa7\xb5\xb5\xfc\x74\xb7\xcd\x40\xd5\x15\xb2\x84\x9d\x8c\x1d\xd9\xae\x4f\xca\x16\xc2\xe6\xcf\x0e\x8a\x20\xce\x54\xf0\x5f\xa1\x23\xc0\x19\x20\x8c\xb3\x4b\x5e\xe5\x61\xc2\x74\xea\x40\xa7\xb3\x4e\x58\x13\xa4\xa2\x9b\xe4\x08\x17\xeb\x1f\x7b\x3e\x9b\xef\x60\xf7\xc5\x66\x57\x48\x12\x36\xb9\x3e\x2c\x29\x7f\x17\xc7\x76\xb9\x8f\x1d\x0c\x8f\x2a\x56\x44\x77\x66\xc7\x28\x8b\xa6\xb1\xe3\x85\xb8\x4a\x51\x6a\x98\xab\x72\x9b\xa7\x0e\x31\xfe\xe3\xaa\xb1\x01\xd5\x90\xa4\x48\x1a\xe5\x85\x63\x26\xc6\x82\x5b\x73\xc7\xae\x7d\x3b\x99\xcb\x3c\x59\xdb\x31\xa1\x27\x26\x23\x4b\x90\x05\x84\xe8\xdb\x77\x93\x52\x18\x8d\x12\xc9\x32\xd4\xaa\xcb\x59\xee\xf3\x3d\x33\xb9\x55\x05\x10\xcf\x2b\x49\xda\x74\x7e\x03\x1c\x83\x11\x7b\x51\x1a\x1b\xb9\x3e\xd7\x6c\x71\x6e\x6a\x02\x54", 234); *(uint8_t*)0x20006ee1 = 7; *(uint8_t*)0x20006ee2 = 0x25; *(uint8_t*)0x20006ee3 = 1; *(uint8_t*)0x20006ee4 = 0; *(uint8_t*)0x20006ee5 = 6; *(uint16_t*)0x20006ee6 = 0x40; *(uint8_t*)0x20006ee8 = 9; *(uint8_t*)0x20006ee9 = 5; *(uint8_t*)0x20006eea = 1; *(uint8_t*)0x20006eeb = 0; *(uint16_t*)0x20006eec = 0x100; *(uint8_t*)0x20006eee = 0xfe; *(uint8_t*)0x20006eef = 8; *(uint8_t*)0x20006ef0 = 0x37; *(uint8_t*)0x20006ef1 = 0xe9; *(uint8_t*)0x20006ef2 = 0x23; memcpy((void*)0x20006ef3, 
"\x1a\x0e\x35\x42\x85\x7d\x49\xea\x63\xb7\x26\x1e\xbf\xc1\x9f\x14\x27\x2e\x28\x4d\x26\x65\xd2\x79\x5e\x43\xf6\xf9\xca\x62\x77\x6c\x9e\xe5\x2d\x99\x18\x79\xd7\xd6\x7b\x4d\x8b\x27\x0f\xd5\x15\x98\xbe\xac\x1c\x03\x39\xb2\x25\x7a\xd6\x8c\x1d\xde\x54\x88\x5a\xe2\xd2\x19\xb8\x7c\xde\x15\x9a\x98\x97\xc8\x8b\xda\x26\xe0\x8a\x36\x91\x05\x50\x22\x73\x9c\x1f\xe6\x4a\xdb\x98\x63\x9d\xc2\x54\x21\xc4\x49\xcf\x36\x48\x00\xc4\xc3\x65\x06\x2f\x24\x88\xe6\x90\x1e\x56\xe6\x2f\x4b\x70\x3e\xae\x7a\xf2\x62\x98\xa1\xee\xe1\xbf\xe6\x2d\x9b\x2a\xe3\x53\x20\xae\x2b\xaf\x17\x4e\x94\xff\x55\x32\x10\x97\xbe\x81\xe0\x27\x9f\x5d\x0a\xa8\x4d\xd1\x8c\xa0\x86\x4d\x98\xd0\xed\xbb\xea\xa1\x9d\xdf\x36\x26\xfd\x83\xa2\xe2\xb5\xf6\x76\xa7\x34\xd4\x78\x4b\x3c\x68\x77\xfd\x1b\xb3\xc9\x54\x3d\xf7\xab\xda\x9b\xd9\xc9\xbe\x40\x59\x49\x74\x7e\x21\x07\x3c\x18\x95\x7f\xff\x0e\xaa\xc0\x27\x3c\xfd\x3f\x70\x2c\xb6\x55\x97\x94\x9a\x17\x27\x26\xf7\xe4\x59\x53\x6c", 231); *(uint8_t*)0x20006fda = 0x18; *(uint8_t*)0x20006fdb = 0x10; memcpy((void*)0x20006fdc, "\xa0\x28\x90\x17\xf3\xf4\x33\xf1\x10\x59\x48\x9a\x61\x11\x58\x23\xe1\x13\x8a\xe8\x4a\x34", 22); *(uint8_t*)0x20006ff2 = 9; *(uint8_t*)0x20006ff3 = 5; *(uint8_t*)0x20006ff4 = 0xe; *(uint8_t*)0x20006ff5 = 4; *(uint16_t*)0x20006ff6 = 0x10; *(uint8_t*)0x20006ff8 = 0x67; *(uint8_t*)0x20006ff9 = 3; *(uint8_t*)0x20006ffa = 8; *(uint8_t*)0x20006ffb = 7; *(uint8_t*)0x20006ffc = 0x25; *(uint8_t*)0x20006ffd = 1; *(uint8_t*)0x20006ffe = 1; *(uint8_t*)0x20006fff = 0x80; *(uint16_t*)0x20007000 = 0x2e6; *(uint8_t*)0x20007002 = 9; *(uint8_t*)0x20007003 = 5; *(uint8_t*)0x20007004 = 0xd; *(uint8_t*)0x20007005 = 4; *(uint16_t*)0x20007006 = 0x200; *(uint8_t*)0x20007008 = 0x48; *(uint8_t*)0x20007009 = 0x35; *(uint8_t*)0x2000700a = 8; *(uint8_t*)0x2000700b = 0xe5; *(uint8_t*)0x2000700c = 5; memcpy((void*)0x2000700d, 
"\x30\xef\xe9\xc1\xa6\xe5\xc8\x9c\x20\x31\x21\x4c\x60\xfb\xbe\xaa\x45\x78\x09\x1e\x38\x00\x9c\x76\x1d\x15\x77\x48\x02\x93\x4c\xfd\x36\x35\x5b\x35\x18\xcc\xfe\x59\xfa\x5e\x7c\xce\xe3\xc1\x3a\xc4\xaf\xfb\xe0\x73\xe0\xe7\x88\xc9\xb5\xe3\x22\x16\xef\xbf\x02\xe3\x58\x69\xd7\xb2\x33\xa3\x89\xf8\x12\xbf\xd8\x49\x43\x3c\x32\x84\x66\xed\xa5\xe0\xe3\x23\x75\x29\xcd\xc6\x5e\x4e\xee\x74\x3d\x31\xff\xc1\x86\xa1\xfe\x79\x4b\xdf\x13\x64\xf3\x1e\xae\xff\x39\x82\x9e\x8f\x61\x44\x85\x0d\x74\x70\xcc\x71\x57\x2d\x1f\x2f\x23\xdc\xcd\xbc\xdd\x99\xe4\x93\x0d\xe7\xed\xbf\x59\xb3\x38\xdb\x34\x90\x30\x5f\xd7\x71\x02\x57\x98\x0b\x7f\x76\xb8\xda\xea\xcb\x2a\xd6\x18\x13\x1f\xb9\xb5\xa3\xe0\x26\xc9\xdd\xbd\x69\x48\x3c\xd7\x94\xca\xad\x29\xf2\xe3\xb6\x31\x24\xa9\x52\xb4\x62\xde\x0c\xd9\x51\xd7\xef\xd9\xb3\xb2\x91\x07\xb6\x41\x41\x7e\x77\x83\xd9\x01\x59\x13\x7f\xa5\x27\x3a\x95\xe0\xcc\x46\xc9\x7c\x22\x46\xe6\x11\xac\xb1\x4b\x4d", 227); *(uint8_t*)0x200070f0 = 9; *(uint8_t*)0x200070f1 = 5; *(uint8_t*)0x200070f2 = 3; *(uint8_t*)0x200070f3 = 0x10; *(uint16_t*)0x200070f4 = 8; *(uint8_t*)0x200070f6 = 0; *(uint8_t*)0x200070f7 = 0x33; *(uint8_t*)0x200070f8 = 9; *(uint8_t*)0x200070f9 = 9; *(uint8_t*)0x200070fa = 5; *(uint8_t*)0x200070fb = 2; *(uint8_t*)0x200070fc = 0xc; *(uint16_t*)0x200070fd = 0x400; *(uint8_t*)0x200070ff = 0xed; *(uint8_t*)0x20007100 = 7; *(uint8_t*)0x20007101 = 9; *(uint8_t*)0x20007102 = 0x84; *(uint8_t*)0x20007103 = 0x31; memcpy((void*)0x20007104, "\xee\x4c\xd2\x19\x15\x4d\xf4\x91\xc4\xd3\x2a\xa3\x21\x12\xcf\xf4\x07\x51\x1b\x06\xb1\x7f\x74\x34\x09\xec\xc2\x16\xc3\x1e\x92\xce\xfa\x2b\x5c\xc5\x9e\x63\x4d\x7a\xeb\xa2\xc9\xe5\xe3\x6d\x8e\xfa\xdc\x02\x55\x17\x25\x18\xf9\x09\xb4\xe1\xa7\xda\xf4\xd9\x88\xb1\xee\xaf\x19\x6c\x76\xee\x90\x2b\x65\x7d\x12\xfc\x23\xc2\x1e\x17\x6c\xd1\x49\xe9\x8a\x8d\x8d\x57\x55\xb7\x4f\xed\x1a\x42\x84\xbc\xfd\x6e\x69\x61\x95\x1f\xf8\x21\x6f\x7b\xb4\x2f\x79\x0e\xdd\x53\x9c\x1b\xc5\xbb\xac\x44\xf7\x67\xa6\x85\xc5\x7c\xbb\xde\xc8\x30\xc5\x2c", 130); 
*(uint8_t*)0x20007186 = 7; *(uint8_t*)0x20007187 = 0x25; *(uint8_t*)0x20007188 = 1; *(uint8_t*)0x20007189 = 0x83; *(uint8_t*)0x2000718a = 1; *(uint16_t*)0x2000718b = 0xfe01; *(uint8_t*)0x2000718d = 9; *(uint8_t*)0x2000718e = 5; *(uint8_t*)0x2000718f = 3; *(uint8_t*)0x20007190 = 0; *(uint16_t*)0x20007191 = 0x40; *(uint8_t*)0x20007193 = 2; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 9; *(uint8_t*)0x20007197 = 5; *(uint8_t*)0x20007198 = 0; *(uint8_t*)0x20007199 = 0; *(uint16_t*)0x2000719a = 0x400; *(uint8_t*)0x2000719c = 0; *(uint8_t*)0x2000719d = 0x2f; *(uint8_t*)0x2000719e = 4; *(uint8_t*)0x2000719f = 9; *(uint8_t*)0x200071a0 = 5; *(uint8_t*)0x200071a1 = 0x8f; *(uint8_t*)0x200071a2 = 8; *(uint16_t*)0x200071a3 = 8; *(uint8_t*)0x200071a5 = 0x81; *(uint8_t*)0x200071a6 = 1; *(uint8_t*)0x200071a7 = 0x7f; *(uint8_t*)0x200071a8 = 7; *(uint8_t*)0x200071a9 = 0x25; *(uint8_t*)0x200071aa = 1; *(uint8_t*)0x200071ab = 0; *(uint8_t*)0x200071ac = 9; *(uint16_t*)0x200071ad = 0xfb; *(uint8_t*)0x200071af = 7; *(uint8_t*)0x200071b0 = 0x25; *(uint8_t*)0x200071b1 = 1; *(uint8_t*)0x200071b2 = 0x81; *(uint8_t*)0x200071b3 = 7; *(uint16_t*)0x200071b4 = 3; *(uint8_t*)0x200071b6 = 9; *(uint8_t*)0x200071b7 = 5; *(uint8_t*)0x200071b8 = 2; *(uint8_t*)0x200071b9 = 0; *(uint16_t*)0x200071ba = 0x400; *(uint8_t*)0x200071bc = 0x40; *(uint8_t*)0x200071bd = 0x76; *(uint8_t*)0x200071be = 3; *(uint8_t*)0x200071bf = 7; *(uint8_t*)0x200071c0 = 0x25; *(uint8_t*)0x200071c1 = 1; *(uint8_t*)0x200071c2 = 0x80; *(uint8_t*)0x200071c3 = 0x31; *(uint16_t*)0x200071c4 = 8; *(uint8_t*)0x200071c6 = 9; *(uint8_t*)0x200071c7 = 5; *(uint8_t*)0x200071c8 = 0xf; *(uint8_t*)0x200071c9 = 0x10; *(uint16_t*)0x200071ca = 0x3ff; *(uint8_t*)0x200071cc = 6; *(uint8_t*)0x200071cd = 0xb2; *(uint8_t*)0x200071ce = 6; *(uint8_t*)0x200071cf = 7; *(uint8_t*)0x200071d0 = 0x25; *(uint8_t*)0x200071d1 = 1; *(uint8_t*)0x200071d2 = 0x82; *(uint8_t*)0x200071d3 = 0x80; *(uint16_t*)0x200071d4 = 6; 
*(uint8_t*)0x200071d6 = 9; *(uint8_t*)0x200071d7 = 5; *(uint8_t*)0x200071d8 = 0xf; *(uint8_t*)0x200071d9 = 0x10; *(uint16_t*)0x200071da = 0x200; *(uint8_t*)0x200071dc = 6; *(uint8_t*)0x200071dd = 6; *(uint8_t*)0x200071de = 0xca; *(uint8_t*)0x200071df = 7; *(uint8_t*)0x200071e0 = 0x25; *(uint8_t*)0x200071e1 = 1; *(uint8_t*)0x200071e2 = 0x81; *(uint8_t*)0x200071e3 = 0x20; *(uint16_t*)0x200071e4 = 3; *(uint8_t*)0x200071e6 = 9; *(uint8_t*)0x200071e7 = 5; *(uint8_t*)0x200071e8 = 0x80; *(uint8_t*)0x200071e9 = 0x10; *(uint16_t*)0x200071ea = 0x400; *(uint8_t*)0x200071ec = 1; *(uint8_t*)0x200071ed = 0xfc; *(uint8_t*)0x200071ee = 4; *(uint8_t*)0x200071ef = 0xd4; *(uint8_t*)0x200071f0 = 0x21; memcpy((void*)0x200071f1, "\x28\xa1\xdf\xa1\xd2\x8f\x9a\xe6\x0d\x0a\x8e\x9e\x3c\x51\x2d\xb3\x53\x69\xd4\x79\xfa\x6e\x6a\xa0\x99\xe2\x67\xe1\xce\xd7\x7c\xa2\xe1\x80\xb4\x29\x77\x90\x23\xa8\x72\xb0\xef\x88\x07\xe1\x1f\x8b\x8b\x21\xb8\x11\xd4\xfe\x55\x27\x33\x5c\xe8\x6e\x3a\x95\xcd\xf9\x60\xd1\xe7\x9e\x88\xc2\x76\xc1\x74\xd1\x83\xd2\xf3\xbc\x08\x62\xdd\x7e\x1d\x29\xac\x58\x9c\xeb\x22\x02\x4e\x25\xa4\x4c\x3e\x81\x23\x58\x1d\x14\x48\xfd\x2d\xb5\x33\x2f\xe4\x1c\x23\xf9\xaa\x95\x95\x64\xf3\x2d\xb1\xda\x14\x61\x04\x15\xdd\xc2\x93\xdc\x57\xc9\xd6\xc7\x75\xd2\x21\x51\xbd\xab\x23\x6a\x5a\x73\x59\x2e\x55\x18\x05\x57\x28\xae\x81\x9e\x25\xc0\x80\xcb\xb9\xbf\x02\x03\xb6\x63\x9b\x8f\xd8\xd7\x16\xd9\xc5\x71\xd6\xb2\x60\xea\x29\x77\x33\xd5\x3c\x3a\x05\x44\x9b\x9b\x92\x21\xd0\xf4\x02\x61\x0c\x98\x37\x18\x9f\x9c\x6a\xb3\xba\xaf\x03\x1d\x48\x69\x26\x90\xc9\x98\x1c\xee\x14\x26", 210); *(uint8_t*)0x200072c3 = 0xc3; *(uint8_t*)0x200072c4 = 6; memcpy((void*)0x200072c5, 
"\x60\xed\x98\x57\x6f\xbb\xbe\xe3\xdb\x67\xd5\x35\xea\x7e\x1a\x19\xd9\x2d\x68\x9e\x2f\x03\x30\x8a\x61\x5a\x56\x41\xe7\x2e\x69\x4d\x99\x6f\x76\xc1\x11\x1c\x88\xc5\x07\xc3\x9a\x87\xf3\x4a\x36\x82\xda\xfb\xfe\x58\x3b\x79\xf5\xb9\x50\xa3\x06\x14\x16\x2c\x60\x5f\x7e\x6c\x5d\x45\x2b\x4f\x84\xa1\x45\xf2\x0b\xf4\x47\x0d\xdf\x43\xf0\x6c\x41\x5d\xc6\xc4\x15\x51\xfd\x45\x8b\xa6\xae\xdf\x57\xd7\x4c\xb8\x5a\x25\xe4\x33\x24\x81\x4b\x62\xc3\xbe\x41\x08\xb1\xea\x5b\x9d\xd2\x2a\x78\xa4\x5c\xdf\x5d\x8f\x27\xc1\x1f\x35\x02\x6b\xf7\xef\x10\xc7\xd1\xf0\x61\x5f\xe1\xc4\x4a\x30\x2a\x84\xd8\x8b\x8d\x6c\x2d\x85\x04\x9c\x9f\x48\xa0\x4b\x4e\x61\x80\x1c\x01\x7f\x60\x9b\x67\x3f\xc8\x29\x0f\x73\x62\xa0\xed\x35\x88\x2a\x33\x5b\x65\x7f\x83\x5f\xce\x8e\x20\x10\x0c\xde\x82\xc1\xa3\xdc\x18\x06\x11", 193); *(uint32_t*)0x20007740 = 0xa; *(uint32_t*)0x20007744 = 0x200073c0; *(uint8_t*)0x200073c0 = 0xa; *(uint8_t*)0x200073c1 = 6; *(uint16_t*)0x200073c2 = 0x310; *(uint8_t*)0x200073c4 = 5; *(uint8_t*)0x200073c5 = 0x80; *(uint8_t*)0x200073c6 = -1; *(uint8_t*)0x200073c7 = 0xbf; *(uint8_t*)0x200073c8 = 5; *(uint8_t*)0x200073c9 = 0; *(uint32_t*)0x20007748 = 5; *(uint32_t*)0x2000774c = 0x20007400; *(uint8_t*)0x20007400 = 5; *(uint8_t*)0x20007401 = 0xf; *(uint16_t*)0x20007402 = 5; *(uint8_t*)0x20007404 = 0; *(uint32_t*)0x20007750 = 5; *(uint32_t*)0x20007754 = 0xa8; *(uint32_t*)0x20007758 = 0x20007440; *(uint8_t*)0x20007440 = 0xa8; *(uint8_t*)0x20007441 = 3; memcpy((void*)0x20007442, 
"\x05\x84\xbd\xdc\x14\x96\x71\xf9\xe6\xc6\xcd\x12\x3b\x79\x6c\xaf\xe2\xeb\x5d\x2b\xd3\xcf\x65\xe3\xeb\x0f\x3a\x60\x1a\xba\x71\x64\x71\x3d\x40\x42\x65\x3f\x2c\xca\x18\x22\x07\xd4\xe7\xff\xa8\xbc\x71\xe7\x05\xaa\x48\xbc\xff\x03\xfd\xdd\x2e\x3e\x6b\xeb\xe1\x1c\xb6\x1f\x95\xfa\xf1\x4a\xfd\xf2\x94\x40\x02\x1e\x85\x1f\xb6\x82\xaa\x24\xe6\x24\xe8\x33\x95\x2d\xb6\xd1\xf9\x6a\xa7\xed\xfc\x74\xce\x50\x13\x59\x69\x4c\x75\x83\xeb\x5e\x48\xdf\xe2\x27\xd2\x10\x5d\x5e\x3d\x23\x59\xe3\xc7\x28\xa4\x8a\xdf\xf0\x9b\x11\x32\xf9\x28\x89\x3c\xee\xfa\xe6\x77\x00\x98\x3b\xe1\xca\x94\xe8\x18\xe7\xa1\x46\x3c\x80\x2f\x1f\xc2\xa7\x2d\x40\x90\x09\x33\x40\x3d\x7b\x25\x5a\x35\xd9\xdc\x33", 166); *(uint32_t*)0x2000775c = 4; *(uint32_t*)0x20007760 = 0x20007500; *(uint8_t*)0x20007500 = 4; *(uint8_t*)0x20007501 = 3; *(uint16_t*)0x20007502 = 0x42c; *(uint32_t*)0x20007764 = 0xf4; *(uint32_t*)0x20007768 = 0x20007540; *(uint8_t*)0x20007540 = 0xf4; *(uint8_t*)0x20007541 = 3; memcpy((void*)0x20007542, "\x1c\x53\x71\x17\xdc\x72\x0a\xf3\xcc\xf1\x08\x68\x7c\x86\xcb\x54\x4b\xc8\x85\x37\x9e\x43\x5d\xbb\x86\x1b\xc9\xa0\x15\x50\x59\x2e\x60\x08\xae\x94\xa1\xf9\x83\x17\xad\x9c\xd8\x04\x01\x6b\x07\x9b\x5e\xc2\x94\xdc\xaf\x45\x37\xcf\x5b\x68\xc3\xc4\x35\x37\x54\xca\xf3\x69\xba\x34\x10\x1c\xbd\x21\x92\x6b\x15\xce\xf6\x7a\xb6\x3e\xad\x40\xab\xfb\xef\x86\x7b\x37\x2f\xe2\x78\x18\x66\xf8\x7a\x2d\xcc\xf9\x8f\xfe\x66\x53\x1c\x1d\x50\x21\x40\x6c\x69\xce\x84\xb4\x39\x13\x0c\xac\x71\xf5\x25\x64\xb7\xc8\xfa\x62\x1d\x71\xd5\xff\x00\x15\x17\x59\x3f\x05\x9d\xa0\xcb\x82\xf1\xfd\x5e\x32\x7d\xf9\xab\xec\x49\x46\xe3\x4e\x20\xd3\xf1\xdf\x8f\x4a\x04\x22\xf9\xbb\x53\x89\x49\xb4\xa1\x4d\x1b\x3a\xfd\x67\x93\xe8\x1d\x3b\xa5\x96\xd1\x6d\x8c\xee\x0e\x70\x03\x14\xe5\x31\xe6\x02\xfe\x5c\xb8\x32\xb2\x2c\x7a\x2f\x9f\x36\xf3\x9d\x05\x38\x76\x47\x81\x57\xd5\x41\xe8\xc0\x97\x7a\x9a\xca\xf6\x91\xf1\x23\x4f\x66\x5d\x23\x4f\x82\xee\x90\xff\x89\x82\xd9\xc1\x37\x1a\x15\xdd\xc8\xed\x23\x92\xdd\x5a\x96", 242); *(uint32_t*)0x2000776c = 0x98; 
*(uint32_t*)0x20007770 = 0x20007640; *(uint8_t*)0x20007640 = 0x98; *(uint8_t*)0x20007641 = 3; memcpy((void*)0x20007642, "\x07\x8c\xbe\xfd\x67\x79\x6b\x8d\x00\xc6\xa0\x27\xe5\xd0\x7b\xc3\xb0\x07\x56\xac\xaf\xb9\x09\x6e\x3e\x38\x1a\x99\xfd\xbe\x8a\x51\x61\xca\x19\xa9\x62\x8d\x61\xba\xef\xd6\x97\x2b\x48\xf5\xe0\x4b\x0f\xa6\xe2\xb9\x9c\xca\x8d\xf5\xb5\x0d\xbd\x97\xd6\x56\xc0\x2f\x85\x83\xa5\x8c\xe8\xcb\xd3\x5c\x69\xfb\x3f\x86\xde\x0d\xda\xc9\x0f\x5b\xe8\xd4\xf0\x4a\x3a\xd4\xf3\x12\x93\xb5\x09\x95\x91\x39\xbe\xa0\xf3\x06\x7d\x0e\xbf\xa3\xc5\xb2\x10\xe1\x99\x30\x78\xb0\xae\x92\x95\x61\xfc\x77\x34\x86\x9b\x3d\xd8\xd8\x12\xc0\x0a\x30\x35\x23\x61\x66\xa3\x12\x27\xae\x29\x1e\x69\x6a\xb4\xf8\x1f\x4e\x3f\x02\xd6\xb2\xf3\x34", 150); *(uint32_t*)0x20007774 = 4; *(uint32_t*)0x20007778 = 0x20007700; *(uint8_t*)0x20007700 = 4; *(uint8_t*)0x20007701 = 3; *(uint16_t*)0x20007702 = 0x43e; syz_usb_connect(2, 0x6c6, 0x20006cc0, 0x20007740); break; case 41: *(uint8_t*)0x20007780 = 0x12; *(uint8_t*)0x20007781 = 1; *(uint16_t*)0x20007782 = 0x200; *(uint8_t*)0x20007784 = -1; *(uint8_t*)0x20007785 = -1; *(uint8_t*)0x20007786 = -1; *(uint8_t*)0x20007787 = 0x40; *(uint16_t*)0x20007788 = 0xcf3; *(uint16_t*)0x2000778a = 0x9271; *(uint16_t*)0x2000778c = 0x108; *(uint8_t*)0x2000778e = 1; *(uint8_t*)0x2000778f = 2; *(uint8_t*)0x20007790 = 3; *(uint8_t*)0x20007791 = 1; *(uint8_t*)0x20007792 = 9; *(uint8_t*)0x20007793 = 2; *(uint16_t*)0x20007794 = 0x48; *(uint8_t*)0x20007796 = 1; *(uint8_t*)0x20007797 = 1; *(uint8_t*)0x20007798 = 0; *(uint8_t*)0x20007799 = 0x80; *(uint8_t*)0x2000779a = 0xfa; *(uint8_t*)0x2000779b = 9; *(uint8_t*)0x2000779c = 4; *(uint8_t*)0x2000779d = 0; *(uint8_t*)0x2000779e = 0; *(uint8_t*)0x2000779f = 6; *(uint8_t*)0x200077a0 = -1; *(uint8_t*)0x200077a1 = 0; *(uint8_t*)0x200077a2 = 0; *(uint8_t*)0x200077a3 = 0; *(uint8_t*)0x200077a4 = 9; *(uint8_t*)0x200077a5 = 5; *(uint8_t*)0x200077a6 = 1; *(uint8_t*)0x200077a7 = 2; *(uint16_t*)0x200077a8 = 0x200; *(uint8_t*)0x200077aa = 0; 
*(uint8_t*)0x200077ab = 0; *(uint8_t*)0x200077ac = 0; *(uint8_t*)0x200077ad = 9; *(uint8_t*)0x200077ae = 5; *(uint8_t*)0x200077af = 0x82; *(uint8_t*)0x200077b0 = 2; *(uint16_t*)0x200077b1 = 0x200; *(uint8_t*)0x200077b3 = 0; *(uint8_t*)0x200077b4 = 0; *(uint8_t*)0x200077b5 = 0; *(uint8_t*)0x200077b6 = 9; *(uint8_t*)0x200077b7 = 5; *(uint8_t*)0x200077b8 = 0x83; *(uint8_t*)0x200077b9 = 3; *(uint16_t*)0x200077ba = 0x40; *(uint8_t*)0x200077bc = 1; *(uint8_t*)0x200077bd = 0; *(uint8_t*)0x200077be = 0; *(uint8_t*)0x200077bf = 9; *(uint8_t*)0x200077c0 = 5; *(uint8_t*)0x200077c1 = 4; *(uint8_t*)0x200077c2 = 3; *(uint16_t*)0x200077c3 = 0x40; *(uint8_t*)0x200077c5 = 1; *(uint8_t*)0x200077c6 = 0; *(uint8_t*)0x200077c7 = 0; *(uint8_t*)0x200077c8 = 9; *(uint8_t*)0x200077c9 = 5; *(uint8_t*)0x200077ca = 5; *(uint8_t*)0x200077cb = 2; *(uint16_t*)0x200077cc = 0x200; *(uint8_t*)0x200077ce = 0; *(uint8_t*)0x200077cf = 0; *(uint8_t*)0x200077d0 = 0; *(uint8_t*)0x200077d1 = 9; *(uint8_t*)0x200077d2 = 5; *(uint8_t*)0x200077d3 = 6; *(uint8_t*)0x200077d4 = 2; *(uint16_t*)0x200077d5 = 0x200; *(uint8_t*)0x200077d7 = 0; *(uint8_t*)0x200077d8 = 0; *(uint8_t*)0x200077d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007780, 0); if (res != -1) r[22] = res; break; case 42: *(uint32_t*)0x200079c0 = 0x18; *(uint32_t*)0x200079c4 = 0x20007800; *(uint8_t*)0x20007800 = 0x20; *(uint8_t*)0x20007801 = 0x11; *(uint32_t*)0x20007802 = 0xb7; *(uint8_t*)0x20007806 = 0xb7; *(uint8_t*)0x20007807 = 9; memcpy((void*)0x20007808, 
"\x72\xf5\x91\xba\x5c\x69\x4f\x16\xa4\xd9\x20\x75\xef\x3e\xc8\xbc\x46\x92\x09\x54\x79\x9e\xc8\xd3\xc0\x30\x8f\x3b\x47\x79\xda\x6e\x18\xe9\x82\x4a\x86\x74\x6d\x01\x3a\x39\x9a\xfc\x7f\x6f\xce\xb6\xc3\x7f\x7f\x13\x1c\x71\xeb\xc0\x01\xf6\x66\xea\x63\xed\x3a\xde\x13\x20\x09\x73\x5a\x54\x66\x22\xf9\xe6\x39\xd4\x81\xc9\x67\xcc\x7b\x5b\x74\x7c\xc5\xe6\x2f\xdc\x41\xbb\xb4\xbb\x95\x87\x8a\x44\x2c\xc4\x91\x11\xc0\xf5\x78\x86\xf1\x70\x77\xa1\xb4\xb2\x2e\x3c\xf2\x8e\xec\xb7\x98\xfe\xed\x6f\x16\x8d\xd9\xcc\x26\x46\xf8\xb7\x9e\xd4\x1b\xba\x94\xde\x9e\x30\x4f\xc8\x45\x17\x9a\x73\x21\xf0\x47\x84\xaa\x91\x7b\xa0\x84\x05\xb0\xa9\x5b\x83\x03\xd9\x14\xef\x8e\x37\x47\x80\xdd\x8e\x34\x37\xc9\x5c\x35\x76\x4c\xd0\x63\xe7\xa3\xec\x6d\x79\x0b", 181); *(uint32_t*)0x200079c8 = 0x200078c0; *(uint8_t*)0x200078c0 = 0; *(uint8_t*)0x200078c1 = 3; *(uint32_t*)0x200078c2 = 4; *(uint8_t*)0x200078c6 = 4; *(uint8_t*)0x200078c7 = 3; *(uint16_t*)0x200078c8 = 0x813; *(uint32_t*)0x200079cc = 0x20007900; *(uint8_t*)0x20007900 = 0; *(uint8_t*)0x20007901 = 0xf; *(uint32_t*)0x20007902 = 0xc; *(uint8_t*)0x20007906 = 5; *(uint8_t*)0x20007907 = 0xf; *(uint16_t*)0x20007908 = 0xc; *(uint8_t*)0x2000790a = 1; *(uint8_t*)0x2000790b = 7; *(uint8_t*)0x2000790c = 0x10; *(uint8_t*)0x2000790d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000790e, 0x18, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20007910, 3, 0, 16); *(uint32_t*)0x200079d0 = 0x20007940; *(uint8_t*)0x20007940 = 0x20; *(uint8_t*)0x20007941 = 0x29; *(uint32_t*)0x20007942 = 0xf; *(uint8_t*)0x20007946 = 0xf; *(uint8_t*)0x20007947 = 0x29; *(uint8_t*)0x20007948 = 7; *(uint16_t*)0x20007949 = 0x80; *(uint8_t*)0x2000794b = 6; *(uint8_t*)0x2000794c = 0xe0; memcpy((void*)0x2000794d, "\x84\x02\x48\x7c", 4); memcpy((void*)0x20007951, "\x80\x56\xa3\xff", 4); *(uint32_t*)0x200079d4 = 0x20007980; *(uint8_t*)0x20007980 = 0x20; *(uint8_t*)0x20007981 = 0x2a; *(uint32_t*)0x20007982 = 0xc; 
*(uint8_t*)0x20007986 = 0xc; *(uint8_t*)0x20007987 = 0x2a; *(uint8_t*)0x20007988 = 0xa7; *(uint16_t*)0x20007989 = 2; *(uint8_t*)0x2000798b = 0x7d; *(uint8_t*)0x2000798c = 0; *(uint8_t*)0x2000798d = 0x80; *(uint16_t*)0x2000798e = 7; *(uint16_t*)0x20007990 = 6; *(uint32_t*)0x20007e80 = 0x44; *(uint32_t*)0x20007e84 = 0x20007a00; *(uint8_t*)0x20007a00 = 0x40; *(uint8_t*)0x20007a01 = 0x10; *(uint32_t*)0x20007a02 = 0x8c; memcpy((void*)0x20007a06, "\x21\xb8\x38\x25\x05\x9f\x24\x50\x6d\x8e\x84\x20\x85\xd1\xf2\xe7\xf9\x64\x47\x1b\x20\xed\x0a\x8e\x50\xa9\xaa\x4e\xf1\x6b\x5a\x6f\x2d\xbb\x2b\x57\x0a\x4f\x8d\x13\xd6\x0e\x47\xbb\x78\x21\xff\x91\x21\x11\xde\xe4\x0a\x78\xd4\x2b\x4d\x13\xea\x81\x2d\x92\x9c\xcf\x39\x64\xc5\x46\x8f\x89\xd2\xd2\x16\x30\xec\x87\x06\x7a\x2d\x13\xf4\x52\x38\xb4\x46\xbf\x57\xc6\xb9\xec\x35\x57\x8f\xa5\x87\xfc\x77\xfe\x21\x08\xb1\x59\x0b\xe0\x81\x68\x1c\xcc\x02\x4f\x1f\x59\x0b\xe9\xe5\xbe\xc9\xea\x86\xb9\x80\x3c\x60\x29\x9d\xda\x1a\x82\xf8\xff\x04\x42\x86\x71\xa4\x3b\xc2\xc3\x39\x3a", 140); *(uint32_t*)0x20007e88 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0; *(uint8_t*)0x20007ac1 = 0xa; *(uint32_t*)0x20007ac2 = 1; *(uint8_t*)0x20007ac6 = 4; *(uint32_t*)0x20007e8c = 0x20007b00; *(uint8_t*)0x20007b00 = 0; *(uint8_t*)0x20007b01 = 8; *(uint32_t*)0x20007b02 = 1; *(uint8_t*)0x20007b06 = 0xfb; *(uint32_t*)0x20007e90 = 0x20007b40; *(uint8_t*)0x20007b40 = 0x20; *(uint8_t*)0x20007b41 = 0; *(uint32_t*)0x20007b42 = 4; *(uint16_t*)0x20007b46 = 1; *(uint16_t*)0x20007b48 = 1; *(uint32_t*)0x20007e94 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x20; *(uint8_t*)0x20007b81 = 0; *(uint32_t*)0x20007b82 = 4; *(uint16_t*)0x20007b86 = 0x140; *(uint16_t*)0x20007b88 = 0x20; *(uint32_t*)0x20007e98 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 7; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 0x3ff; *(uint32_t*)0x20007e9c = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 9; *(uint32_t*)0x20007c02 = 1; *(uint8_t*)0x20007c06 = 0x81; 
*(uint32_t*)0x20007ea0 = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0xb; *(uint32_t*)0x20007c42 = 2; memcpy((void*)0x20007c46, "\x8a\x02", 2); *(uint32_t*)0x20007ea4 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0xf; *(uint32_t*)0x20007c82 = 2; *(uint16_t*)0x20007c86 = 0x321a; *(uint32_t*)0x20007ea8 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x13; *(uint32_t*)0x20007cc2 = 6; *(uint8_t*)0x20007cc6 = 1; *(uint8_t*)0x20007cc7 = 0x80; *(uint8_t*)0x20007cc8 = 0xc2; *(uint8_t*)0x20007cc9 = 0; *(uint8_t*)0x20007cca = 0; *(uint8_t*)0x20007ccb = 0; *(uint32_t*)0x20007eac = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x17; *(uint32_t*)0x20007d02 = 6; memcpy((void*)0x20007d06, "\xb0\xfe\x28\x1f\xa3\x91", 6); *(uint32_t*)0x20007eb0 = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x19; *(uint32_t*)0x20007d42 = 2; memcpy((void*)0x20007d46, "#7", 2); *(uint32_t*)0x20007eb4 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x1a; *(uint32_t*)0x20007d82 = 2; *(uint16_t*)0x20007d86 = 6; *(uint32_t*)0x20007eb8 = 0x20007dc0; *(uint8_t*)0x20007dc0 = 0x40; *(uint8_t*)0x20007dc1 = 0x1c; *(uint32_t*)0x20007dc2 = 1; *(uint8_t*)0x20007dc6 = 6; *(uint32_t*)0x20007ebc = 0x20007e00; *(uint8_t*)0x20007e00 = 0x40; *(uint8_t*)0x20007e01 = 0x1e; *(uint32_t*)0x20007e02 = 1; *(uint8_t*)0x20007e06 = 6; *(uint32_t*)0x20007ec0 = 0x20007e40; *(uint8_t*)0x20007e40 = 0x40; *(uint8_t*)0x20007e41 = 0x21; *(uint32_t*)0x20007e42 = 1; *(uint8_t*)0x20007e46 = 0x9e; syz_usb_control_io(r[22], 0x200079c0, 0x20007e80); break; case 43: *(uint8_t*)0x20007f00 = 0x12; *(uint8_t*)0x20007f01 = 1; *(uint16_t*)0x20007f02 = 0x70; *(uint8_t*)0x20007f04 = 2; *(uint8_t*)0x20007f05 = 0; *(uint8_t*)0x20007f06 = 0; *(uint8_t*)0x20007f07 = 0x50; *(uint16_t*)0x20007f08 = 0x525; *(uint16_t*)0x20007f0a = 0xa4a1; *(uint16_t*)0x20007f0c = 0x40; *(uint8_t*)0x20007f0e = 1; *(uint8_t*)0x20007f0f = 2; 
*(uint8_t*)0x20007f10 = 3; *(uint8_t*)0x20007f11 = 1; *(uint8_t*)0x20007f12 = 9; *(uint8_t*)0x20007f13 = 2; *(uint16_t*)0x20007f14 = 0x4d; *(uint8_t*)0x20007f16 = 1; *(uint8_t*)0x20007f17 = 1; *(uint8_t*)0x20007f18 = 2; *(uint8_t*)0x20007f19 = 0x70; *(uint8_t*)0x20007f1a = 0x40; *(uint8_t*)0x20007f1b = 9; *(uint8_t*)0x20007f1c = 4; *(uint8_t*)0x20007f1d = 0; *(uint8_t*)0x20007f1e = 0xc4; *(uint8_t*)0x20007f1f = 3; *(uint8_t*)0x20007f20 = 2; *(uint8_t*)0x20007f21 = 6; *(uint8_t*)0x20007f22 = 0; *(uint8_t*)0x20007f23 = 0xe1; *(uint8_t*)0x20007f24 = 8; *(uint8_t*)0x20007f25 = 0x24; *(uint8_t*)0x20007f26 = 6; *(uint8_t*)0x20007f27 = 0; *(uint8_t*)0x20007f28 = 0; memcpy((void*)0x20007f29, "W?s", 3); *(uint8_t*)0x20007f2c = 5; *(uint8_t*)0x20007f2d = 0x24; *(uint8_t*)0x20007f2e = 0; *(uint16_t*)0x20007f2f = 3; *(uint8_t*)0x20007f31 = 0xd; *(uint8_t*)0x20007f32 = 0x24; *(uint8_t*)0x20007f33 = 0xf; *(uint8_t*)0x20007f34 = 1; *(uint32_t*)0x20007f35 = 0x200; *(uint16_t*)0x20007f39 = 0; *(uint16_t*)0x20007f3b = 0x200; *(uint8_t*)0x20007f3d = 3; *(uint8_t*)0x20007f3e = 6; *(uint8_t*)0x20007f3f = 0x24; *(uint8_t*)0x20007f40 = 0x1a; *(uint16_t*)0x20007f41 = 0x1000; *(uint8_t*)0x20007f43 = 0; *(uint8_t*)0x20007f44 = 9; *(uint8_t*)0x20007f45 = 5; *(uint8_t*)0x20007f46 = 0x81; *(uint8_t*)0x20007f47 = 3; *(uint16_t*)0x20007f48 = 0x20; *(uint8_t*)0x20007f4a = 0x3f; *(uint8_t*)0x20007f4b = 0; *(uint8_t*)0x20007f4c = 0xd8; *(uint8_t*)0x20007f4d = 9; *(uint8_t*)0x20007f4e = 5; *(uint8_t*)0x20007f4f = 0x82; *(uint8_t*)0x20007f50 = 2; *(uint16_t*)0x20007f51 = 8; *(uint8_t*)0x20007f53 = -1; *(uint8_t*)0x20007f54 = 0xec; *(uint8_t*)0x20007f55 = 5; *(uint8_t*)0x20007f56 = 9; *(uint8_t*)0x20007f57 = 5; *(uint8_t*)0x20007f58 = 3; *(uint8_t*)0x20007f59 = 2; *(uint16_t*)0x20007f5a = 0x3cf; *(uint8_t*)0x20007f5c = 0x81; *(uint8_t*)0x20007f5d = 0x39; *(uint8_t*)0x20007f5e = 5; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f80; *(uint8_t*)0x20007f80 = 0xa; *(uint8_t*)0x20007f81 = 6; 
*(uint16_t*)0x20007f82 = 0; *(uint8_t*)0x20007f84 = 2; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x77; *(uint8_t*)0x20007f87 = -1; *(uint8_t*)0x20007f88 = 0x2f; *(uint8_t*)0x20007f89 = 0; *(uint32_t*)0x20008288 = 5; *(uint32_t*)0x2000828c = 0x20007fc0; *(uint8_t*)0x20007fc0 = 5; *(uint8_t*)0x20007fc1 = 0xf; *(uint16_t*)0x20007fc2 = 5; *(uint8_t*)0x20007fc4 = 0; *(uint32_t*)0x20008290 = 5; *(uint32_t*)0x20008294 = 0x69; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 0x69; *(uint8_t*)0x20008001 = 3; memcpy((void*)0x20008002, "\xd2\x5a\x9c\x8f\x14\x52\xa3\xc6\xff\xbf\xec\xa8\xeb\x77\x79\x35\xb5\x8c\x9b\x74\x06\x77\x50\x86\xff\xf7\x17\xb5\x4f\x05\xac\x59\xf9\x45\x17\xff\x3c\xd6\xf3\x10\x1d\xbf\xa7\x9b\xb8\x2a\xe3\x1b\x1d\x31\x6d\x08\xa7\x1d\x14\xfc\x2c\x1c\xfa\x8c\x89\x30\x68\xbd\xe2\xbb\x83\x0a\xe9\x1f\xc9\x42\x88\xcc\x23\x2a\xaa\xc0\xe6\x4b\x84\x00\x7b\x0e\x75\x36\xc3\xec\x34\xed\xef\x04\xde\xd9\x34\x21\xa3\x77\xe0\x69\x53\x26\xaa", 103); *(uint32_t*)0x2000829c = 0xac; *(uint32_t*)0x200082a0 = 0x20008080; *(uint8_t*)0x20008080 = 0xac; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x73\x60\x60\x9c\xe8\x30\x0a\xe4\x62\x33\x08\xd5\xf8\xb9\x7b\xfd\x50\xd3\xd8\x63\x40\x8b\x8e\xa4\x01\xc8\x6d\xa9\xd4\x2c\xe5\xf3\x86\x7c\xe8\xd7\x21\xfb\x2a\xb5\xc2\x5f\x6b\x4c\x5e\x85\xf5\xea\xf3\x41\xbd\x51\x4a\x16\xc2\xdf\xe3\xc7\xa1\xd7\xf4\x27\xae\x62\xc0\xbf\xf3\x79\xe8\x4d\x56\x63\x7e\xc1\x37\x7b\x8c\x8a\xd5\xb5\x5b\x09\x9c\xfa\xa4\xa7\xa6\xee\xb0\x58\x9f\x81\xe7\xa4\x33\x00\xef\xf5\x33\x54\xe1\xb2\xbd\xcd\xc3\x4d\x79\x45\xd6\x35\x62\xe4\x8d\x5e\xd9\x3b\xef\x75\xfd\x01\x60\xfc\xd7\xc3\xa6\xbe\x7f\x0c\x64\x2b\xb6\xe5\x61\xe3\x5a\x1c\x73\x11\x0b\xdc\xde\xd7\x69\x98\x65\xe2\x5e\xb2\x38\xcf\x8f\x3b\x10\xad\x3c\x10\x48\x80\x28\xc3\x70\x63\xc8\x86\x2f\x90\x7b\x06\x82\x9e", 170); *(uint32_t*)0x200082a4 = 4; *(uint32_t*)0x200082a8 = 0x20008140; *(uint8_t*)0x20008140 = 4; *(uint8_t*)0x20008141 = 3; *(uint16_t*)0x20008142 = 0x81a; *(uint32_t*)0x200082ac = 4; 
*(uint32_t*)0x200082b0 = 0x20008180; *(uint8_t*)0x20008180 = 4; *(uint8_t*)0x20008181 = 3; *(uint16_t*)0x20008182 = 0x180a; *(uint32_t*)0x200082b4 = 0xb9; *(uint32_t*)0x200082b8 = 0x200081c0; *(uint8_t*)0x200081c0 = 0xb9; *(uint8_t*)0x200081c1 = 3; memcpy((void*)0x200081c2, "\x37\xef\xeb\x85\x4b\x40\x51\xa4\x6c\x67\xae\xe7\xea\xa0\xf6\x2f\xde\x9f\x59\x9c\xd5\xba\x25\x32\x9d\x50\xae\xe1\x6b\x30\xc6\xc1\xa5\x14\x83\x10\x81\xaf\xc1\xdf\xd2\x68\x2f\xf4\x87\x16\xa9\x1b\xf9\x5e\x08\x42\x12\xb0\x69\x6d\x43\xe1\xc6\xc4\x3a\xda\xf9\xed\x3e\xf7\x0e\x62\x73\x59\x94\xd2\xd0\x86\x51\x39\x60\x49\x88\xfa\xc1\x79\x78\xd9\xc0\x5a\x84\xf3\x42\x38\x31\xdd\x1d\xdd\xc6\xc9\x4d\x50\xdd\xd6\x74\xf1\x65\x25\xbb\xf9\xa8\xdb\x3b\xb4\x90\x01\xbe\x38\xa1\x96\x70\xab\xd9\x9f\x4a\x2e\x97\xcf\xb2\x0d\x46\xc6\x37\x83\x2a\x3e\xc9\x7f\xf0\x94\xc6\xa3\x30\x49\x64\xb7\x2b\xcf\x11\x6b\xf2\x7f\xed\xd5\x52\x1a\xd3\xda\x22\x62\x97\xff\xf8\x49\xc3\x3c\x5d\x84\x9e\x3e\x30\x37\x52\x79\x01\xee\xf6\x3a\x59\x9b\xaa\x54\xfc\x46\xa4\x6f\xf1", 183); res = -1; res = syz_usb_connect(2, 0x5f, 0x20007f00, 0x20008280); if (res != -1) r[23] = res; break; case 44: syz_usb_disconnect(r[23]); break; case 45: *(uint8_t*)0x200082c0 = 0x12; *(uint8_t*)0x200082c1 = 1; *(uint16_t*)0x200082c2 = 0x110; *(uint8_t*)0x200082c4 = 2; *(uint8_t*)0x200082c5 = 0; *(uint8_t*)0x200082c6 = 0; *(uint8_t*)0x200082c7 = 0x20; *(uint16_t*)0x200082c8 = 0x525; *(uint16_t*)0x200082ca = 0xa4a1; *(uint16_t*)0x200082cc = 0x40; *(uint8_t*)0x200082ce = 1; *(uint8_t*)0x200082cf = 2; *(uint8_t*)0x200082d0 = 3; *(uint8_t*)0x200082d1 = 1; *(uint8_t*)0x200082d2 = 9; *(uint8_t*)0x200082d3 = 2; *(uint16_t*)0x200082d4 = 0xb3; *(uint8_t*)0x200082d6 = 1; *(uint8_t*)0x200082d7 = 1; *(uint8_t*)0x200082d8 = 6; *(uint8_t*)0x200082d9 = 0x28; *(uint8_t*)0x200082da = -1; *(uint8_t*)0x200082db = 9; *(uint8_t*)0x200082dc = 4; *(uint8_t*)0x200082dd = 0; *(uint8_t*)0x200082de = 9; *(uint8_t*)0x200082df = 2; *(uint8_t*)0x200082e0 = 2; *(uint8_t*)0x200082e1 = 6; 
*(uint8_t*)0x200082e2 = 0; *(uint8_t*)0x200082e3 = 4; *(uint8_t*)0x200082e4 = 6; *(uint8_t*)0x200082e5 = 0x24; *(uint8_t*)0x200082e6 = 6; *(uint8_t*)0x200082e7 = 0; *(uint8_t*)0x200082e8 = 0; memset((void*)0x200082e9, 177, 1); *(uint8_t*)0x200082ea = 5; *(uint8_t*)0x200082eb = 0x24; *(uint8_t*)0x200082ec = 0; *(uint16_t*)0x200082ed = 8; *(uint8_t*)0x200082ef = 0xd; *(uint8_t*)0x200082f0 = 0x24; *(uint8_t*)0x200082f1 = 0xf; *(uint8_t*)0x200082f2 = 1; *(uint32_t*)0x200082f3 = 0x9208; *(uint16_t*)0x200082f7 = 2; *(uint16_t*)0x200082f9 = 0; *(uint8_t*)0x200082fb = 0x20; *(uint8_t*)0x200082fc = 0x5e; *(uint8_t*)0x200082fd = 0x24; *(uint8_t*)0x200082fe = 0x13; *(uint8_t*)0x200082ff = 7; memcpy((void*)0x20008300, "\x63\xb0\xb9\x53\x77\x14\x7b\xa2\x14\xd9\x50\xfc\x04\xb2\x2c\x04\xbe\x09\xd9\xb9\x6f\x1a\xb9\x4b\xb0\x2e\x8a\x2a\x9e\x23\xcf\x7d\x3a\xca\xb2\x2a\x80\xed\x35\x0e\xc4\xb1\x78\x06\xed\xcb\x16\x9e\x50\x75\x37\x3d\x99\x17\x80\x21\x13\x92\xeb\x3d\x9f\x11\x73\xa5\x39\x84\x3b\xf2\xc3\xf6\x6a\x4a\x69\x60\xa5\x5a\x22\x07\x76\x7d\xb3\xc5\x5a\x7d\xd2\x89\x8b\x5c\xcb\x40", 90); *(uint8_t*)0x2000835a = 0xc; *(uint8_t*)0x2000835b = 0x24; *(uint8_t*)0x2000835c = 0x1b; *(uint16_t*)0x2000835d = 0x2a; *(uint16_t*)0x2000835f = 0x100; *(uint8_t*)0x20008361 = 0xe0; *(uint8_t*)0x20008362 = 0x76; *(uint16_t*)0x20008363 = 0; *(uint8_t*)0x20008365 = -1; *(uint8_t*)0x20008366 = 4; *(uint8_t*)0x20008367 = 0x24; *(uint8_t*)0x20008368 = 2; *(uint8_t*)0x20008369 = 0xa; *(uint8_t*)0x2000836a = 9; *(uint8_t*)0x2000836b = 5; *(uint8_t*)0x2000836c = 0x81; *(uint8_t*)0x2000836d = 3; *(uint16_t*)0x2000836e = 0x20; *(uint8_t*)0x20008370 = 0x73; *(uint8_t*)0x20008371 = 0x35; *(uint8_t*)0x20008372 = 0x3f; *(uint8_t*)0x20008373 = 9; *(uint8_t*)0x20008374 = 5; *(uint8_t*)0x20008375 = 0x82; *(uint8_t*)0x20008376 = 2; *(uint16_t*)0x20008377 = 8; *(uint8_t*)0x20008379 = 3; *(uint8_t*)0x2000837a = 1; *(uint8_t*)0x2000837b = 3; *(uint8_t*)0x2000837c = 9; *(uint8_t*)0x2000837d = 5; *(uint8_t*)0x2000837e = 3; 
*(uint8_t*)0x2000837f = 2; *(uint16_t*)0x20008380 = 0x40; *(uint8_t*)0x20008382 = 5; *(uint8_t*)0x20008383 = 0x40; *(uint8_t*)0x20008384 = 2; *(uint32_t*)0x200087c0 = 0xa; *(uint32_t*)0x200087c4 = 0x200083c0; *(uint8_t*)0x200083c0 = 0xa; *(uint8_t*)0x200083c1 = 6; *(uint16_t*)0x200083c2 = 0x201; *(uint8_t*)0x200083c4 = 0x79; *(uint8_t*)0x200083c5 = 3; *(uint8_t*)0x200083c6 = 0x3f; *(uint8_t*)0x200083c7 = 0x20; *(uint8_t*)0x200083c8 = 6; *(uint8_t*)0x200083c9 = 0; *(uint32_t*)0x200087c8 = 0x37; *(uint32_t*)0x200087cc = 0x20008400; *(uint8_t*)0x20008400 = 5; *(uint8_t*)0x20008401 = 0xf; *(uint16_t*)0x20008402 = 0x37; *(uint8_t*)0x20008404 = 5; *(uint8_t*)0x20008405 = 7; *(uint8_t*)0x20008406 = 0x10; *(uint8_t*)0x20008407 = 2; STORE_BY_BITMASK(uint32_t, , 0x20008408, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008409, 0xa, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008409, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000840a, 5, 0, 16); *(uint8_t*)0x2000840c = 7; *(uint8_t*)0x2000840d = 0x10; *(uint8_t*)0x2000840e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000840f, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008410, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008410, 9, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008411, 8, 0, 16); *(uint8_t*)0x20008413 = 0xa; *(uint8_t*)0x20008414 = 0x10; *(uint8_t*)0x20008415 = 3; *(uint8_t*)0x20008416 = 0xc9; *(uint16_t*)0x20008417 = 7; *(uint8_t*)0x20008419 = 7; *(uint8_t*)0x2000841a = 0; *(uint16_t*)0x2000841b = 8; *(uint8_t*)0x2000841d = 0xa; *(uint8_t*)0x2000841e = 0x10; *(uint8_t*)0x2000841f = 3; *(uint8_t*)0x20008420 = 2; *(uint16_t*)0x20008421 = 0xc; *(uint8_t*)0x20008423 = 0; *(uint8_t*)0x20008424 = 6; *(uint16_t*)0x20008425 = 6; *(uint8_t*)0x20008427 = 0x10; *(uint8_t*)0x20008428 = 0x10; *(uint8_t*)0x20008429 = 0xa; *(uint8_t*)0x2000842a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000842b, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000842b, 0x8001, 5, 27); *(uint16_t*)0x2000842f = 0xf00f; *(uint16_t*)0x20008431 = 0xfffd; *(uint32_t*)0x20008433 = 
0x3fc0; *(uint32_t*)0x200087d0 = 9; *(uint32_t*)0x200087d4 = 0x4f; *(uint32_t*)0x200087d8 = 0x20008440; *(uint8_t*)0x20008440 = 0x4f; *(uint8_t*)0x20008441 = 3; memcpy((void*)0x20008442, "\xc0\x66\x3b\x11\x6d\xab\x9b\xa5\xc0\xa2\xf7\xa2\xad\x48\x6f\xfc\x16\x4a\x43\x65\x89\x95\x65\xc5\xe9\x9b\x01\x52\x39\xf3\x78\xdf\x56\xdb\x4d\xc3\xb0\xbb\x08\xdc\xd2\x08\xd9\x58\xfa\x3c\xf0\x80\x97\xaa\x20\x8b\x2d\x28\x65\xb5\x02\xcb\xc9\x4b\x1a\x8e\x33\xbd\xd9\xd6\x48\x1f\xbf\x32\xd4\x91\x34\x22\xfe\x18\x9f", 77); *(uint32_t*)0x200087dc = 0x85; *(uint32_t*)0x200087e0 = 0x200084c0; *(uint8_t*)0x200084c0 = 0x85; *(uint8_t*)0x200084c1 = 3; memcpy((void*)0x200084c2, "\xc9\xc4\x87\xa9\x0b\xe3\xd4\x0e\xf7\x82\x37\x3d\x78\x5f\x86\xbd\xfc\x3d\xb6\xfb\x0d\xd0\xa7\x44\x0b\x2f\xe4\x59\x5c\x3a\x6b\xd6\x7a\xa8\x51\x8d\x89\x7a\x8a\x75\x7d\x5f\x1c\xeb\x86\xe5\x98\xca\xbf\x23\x45\xf7\x71\xc3\xc7\x12\x8b\xd1\x6d\xd4\xb1\xee\x9b\x7d\xbc\xaf\x61\x1e\x97\xf6\xdc\xb9\xf1\x71\xe8\xf7\x05\x2b\x0f\x33\xe6\x31\xbf\xe9\x9d\xdc\x44\x13\xe5\xe5\xd7\xb6\x34\xdc\xc3\xb7\x7e\x4d\x30\x1f\x89\xa8\xd3\xb8\x51\xb0\x23\x06\xca\xbe\xc2\x11\x12\x7a\x8e\x54\x1d\x16\x26\x36\x58\x8f\xf5\x74\xde\x82\xde\x8f\x30\x7d\x43", 131); *(uint32_t*)0x200087e4 = 4; *(uint32_t*)0x200087e8 = 0x20008580; *(uint8_t*)0x20008580 = 4; *(uint8_t*)0x20008581 = 3; *(uint16_t*)0x20008582 = 0x1407; *(uint32_t*)0x200087ec = 4; *(uint32_t*)0x200087f0 = 0x200085c0; *(uint8_t*)0x200085c0 = 4; *(uint8_t*)0x200085c1 = 3; *(uint16_t*)0x200085c2 = 0; *(uint32_t*)0x200087f4 = 0xaa; *(uint32_t*)0x200087f8 = 0x20008600; *(uint8_t*)0x20008600 = 0xaa; *(uint8_t*)0x20008601 = 3; memcpy((void*)0x20008602, 
"\xce\x39\x5e\x8e\x9f\x40\x9a\x37\xda\xeb\x1c\x20\xbe\x9c\xa4\x00\x4a\xe8\x10\xcf\x16\x53\xec\xcd\x6e\x66\x3d\xd7\x4f\x8b\xc0\x69\x89\xb4\xd1\xa6\x5c\x9f\x48\x0b\xd3\x7e\x9d\xd8\x53\x49\xf2\x98\xdd\xad\xdc\x2c\xc9\xe4\xed\xa1\x47\xf2\x31\x40\x2e\x11\x6f\xb5\x94\xa6\x37\x18\xd8\x21\xd8\x85\xeb\xd6\x7e\xda\x45\x15\x58\xb1\xfb\xa3\x09\x3e\xcb\xd4\x0c\xbe\x5f\xbe\x07\xf9\x4e\xd9\x27\xd8\xe5\x03\x9a\x7c\x49\x7a\xa8\xd1\xf1\x0a\x4d\xda\xc0\x49\xad\x82\x0f\x8c\x53\x2c\x5a\x3f\x00\x94\x79\x55\x03\x24\x23\x92\x2e\x95\xaa\x5b\xfe\xe0\x41\xf7\xfe\x87\x44\xec\xc4\x42\x40\x57\xee\xc9\x70\x40\xb3\x41\xd0\xdd\xdc\xaf\x20\x6d\xa6\x43\x1e\x98\x7f\x04\xcf\xd5\x58\x02\xca\xd3\xa1\x14", 168); *(uint32_t*)0x200087fc = 4; *(uint32_t*)0x20008800 = 0x200086c0; *(uint8_t*)0x200086c0 = 4; *(uint8_t*)0x200086c1 = 3; *(uint16_t*)0x200086c2 = 0x3c01; *(uint32_t*)0x20008804 = 4; *(uint32_t*)0x20008808 = 0x20008700; *(uint8_t*)0x20008700 = 4; *(uint8_t*)0x20008701 = 3; *(uint16_t*)0x20008702 = 0x1809; *(uint32_t*)0x2000880c = 4; *(uint32_t*)0x20008810 = 0x20008740; *(uint8_t*)0x20008740 = 4; *(uint8_t*)0x20008741 = 3; *(uint16_t*)0x20008742 = 0x807; *(uint32_t*)0x20008814 = 4; *(uint32_t*)0x20008818 = 0x20008780; *(uint8_t*)0x20008780 = 4; *(uint8_t*)0x20008781 = 3; *(uint16_t*)0x20008782 = 0x1c; res = -1; res = syz_usb_connect(3, 0xc5, 0x200082c0, 0x200087c0); if (res != -1) r[24] = res; break; case 46: syz_usb_ep_read(r[24], 8, 0x7d, 0x20008840); break; case 47: *(uint8_t*)0x200088c0 = 0x12; *(uint8_t*)0x200088c1 = 1; *(uint16_t*)0x200088c2 = 0x250; *(uint8_t*)0x200088c4 = 0; *(uint8_t*)0x200088c5 = 0; *(uint8_t*)0x200088c6 = 0; *(uint8_t*)0x200088c7 = 0x10; *(uint16_t*)0x200088c8 = 0x56a; *(uint16_t*)0x200088ca = 0x62; *(uint16_t*)0x200088cc = 0x40; *(uint8_t*)0x200088ce = 1; *(uint8_t*)0x200088cf = 2; *(uint8_t*)0x200088d0 = 3; *(uint8_t*)0x200088d1 = 1; *(uint8_t*)0x200088d2 = 9; *(uint8_t*)0x200088d3 = 2; *(uint16_t*)0x200088d4 = 0x2d; *(uint8_t*)0x200088d6 = 1; *(uint8_t*)0x200088d7 = 1; 
*(uint8_t*)0x200088d8 = 0; *(uint8_t*)0x200088d9 = 0xf0; *(uint8_t*)0x200088da = 0x8e; *(uint8_t*)0x200088db = 9; *(uint8_t*)0x200088dc = 4; *(uint8_t*)0x200088dd = 0; *(uint8_t*)0x200088de = 5; *(uint8_t*)0x200088df = 1; *(uint8_t*)0x200088e0 = 3; *(uint8_t*)0x200088e1 = 1; *(uint8_t*)0x200088e2 = 2; *(uint8_t*)0x200088e3 = 0; *(uint8_t*)0x200088e4 = 9; *(uint8_t*)0x200088e5 = 0x21; *(uint16_t*)0x200088e6 = 3; *(uint8_t*)0x200088e8 = 0xf; *(uint8_t*)0x200088e9 = 1; *(uint8_t*)0x200088ea = 0x22; *(uint16_t*)0x200088eb = 0xa21; *(uint8_t*)0x200088ed = 9; *(uint8_t*)0x200088ee = 5; *(uint8_t*)0x200088ef = 0x81; *(uint8_t*)0x200088f0 = 3; *(uint16_t*)0x200088f1 = 0x3af; *(uint8_t*)0x200088f3 = 1; *(uint8_t*)0x200088f4 = 0x40; *(uint8_t*)0x200088f5 = 2; *(uint8_t*)0x200088f6 = 9; *(uint8_t*)0x200088f7 = 5; *(uint8_t*)0x200088f8 = 2; *(uint8_t*)0x200088f9 = 3; *(uint16_t*)0x200088fa = 0x10; *(uint8_t*)0x200088fc = 6; *(uint8_t*)0x200088fd = 1; *(uint8_t*)0x200088fe = 9; *(uint32_t*)0x20008c00 = 0xa; *(uint32_t*)0x20008c04 = 0x20008900; *(uint8_t*)0x20008900 = 0xa; *(uint8_t*)0x20008901 = 6; *(uint16_t*)0x20008902 = 0x250; *(uint8_t*)0x20008904 = 3; *(uint8_t*)0x20008905 = 1; *(uint8_t*)0x20008906 = 0x46; *(uint8_t*)0x20008907 = -1; *(uint8_t*)0x20008908 = 0x20; *(uint8_t*)0x20008909 = 0; *(uint32_t*)0x20008c08 = 0x34; *(uint32_t*)0x20008c0c = 0x20008940; *(uint8_t*)0x20008940 = 5; *(uint8_t*)0x20008941 = 0xf; *(uint16_t*)0x20008942 = 0x34; *(uint8_t*)0x20008944 = 2; *(uint8_t*)0x20008945 = 0xb; *(uint8_t*)0x20008946 = 0x10; *(uint8_t*)0x20008947 = 1; *(uint8_t*)0x20008948 = 2; *(uint16_t*)0x20008949 = 0xfa; *(uint8_t*)0x2000894b = 8; *(uint8_t*)0x2000894c = 0x80; *(uint16_t*)0x2000894d = 5; *(uint8_t*)0x2000894f = 3; *(uint8_t*)0x20008950 = 0x24; *(uint8_t*)0x20008951 = 0x10; *(uint8_t*)0x20008952 = 0xa; *(uint8_t*)0x20008953 = 5; STORE_BY_BITMASK(uint32_t, , 0x20008954, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20008954, 9, 5, 27); *(uint16_t*)0x20008958 = 0xf00f; 
*(uint16_t*)0x2000895a = 0; *(uint32_t*)0x2000895c = 0xffc00f; *(uint32_t*)0x20008960 = 0xff00c0; *(uint32_t*)0x20008964 = 0x101ffc0; *(uint32_t*)0x20008968 = 0xff0030; *(uint32_t*)0x2000896c = 0x30; *(uint32_t*)0x20008970 = 0x30; *(uint32_t*)0x20008c10 = 4; *(uint32_t*)0x20008c14 = 0xed; *(uint32_t*)0x20008c18 = 0x20008980; *(uint8_t*)0x20008980 = 0xed; *(uint8_t*)0x20008981 = 3; memcpy((void*)0x20008982, "\xe7\xdb\x91\x4e\xf4\xa7\x1a\x3a\xba\x44\x3e\xe1\x81\xc2\x72\xe7\xfb\xb6\x36\x48\xa9\x97\x75\x4b\x81\xa1\x93\x8f\x52\xb9\xfd\x8c\x2b\x76\xca\x28\xee\x1f\xcb\xa2\x80\x02\x1f\xbe\x02\xff\xa0\x3e\xa7\x53\xf2\xd5\x1b\x71\xf1\xcb\x93\x91\xea\x31\xfa\xab\xf8\xed\x37\xa9\x85\x3b\x87\xee\xba\xa0\xa1\x26\x96\x96\xe6\x5e\x30\x9e\xa4\xbf\x77\x55\xff\x1b\x99\x28\x0f\xd6\x82\x30\xd7\xd8\x99\xd0\x97\xe1\x6e\xe0\xb2\x24\xde\x57\x33\x94\x39\xc8\x0a\xd7\xfb\xf8\xbb\xf3\x2a\xa0\x0e\x29\x80\x2b\xde\x1c\x8c\x5e\x62\x28\xfa\x0a\x54\xc8\x35\x0e\xf9\x97\x11\x2f\x76\x3e\x17\x42\x8f\xb8\xe9\x5a\x56\x68\x95\x95\xf3\x0a\x3c\x16\x15\x18\x09\xb0\xc6\xb1\xd4\xd4\x76\x65\x10\xc6\xf0\x66\xfe\x4b\x35\xa3\xea\x90\xd3\x88\xd1\xb4\xd4\xe9\xc6\xb3\x09\x71\xe2\x37\xe2\x3f\xd2\x05\xf9\x90\x5e\xe7\xd7\x9f\x44\x43\x70\x7a\xdc\x7f\x65\xce\x2b\x15\x99\x4d\xaa\xc7\xb9\x54\x35\x3f\xb2\x32\x01\x84\x41\x22\x71\x05\x31\x87\x9c\x62\x91\xc7\xdf\xbf\x6b\xe4\x54\xb9\xcf\x2f\x2e", 235); *(uint32_t*)0x20008c1c = 4; *(uint32_t*)0x20008c20 = 0x20008a80; *(uint8_t*)0x20008a80 = 4; *(uint8_t*)0x20008a81 = 3; *(uint16_t*)0x20008a82 = 0x410; *(uint32_t*)0x20008c24 = 0x64; *(uint32_t*)0x20008c28 = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x64; *(uint8_t*)0x20008ac1 = 3; memcpy((void*)0x20008ac2, 
"\x04\x1c\x8b\x1b\xd1\x43\xea\x1d\x63\x82\x9b\x76\x9d\xdb\x88\x6a\x6a\xaf\xee\xdd\x5f\x65\x2b\xc9\x48\x67\x7c\x9a\x6e\x3a\xcf\xe0\x4a\x15\x19\x05\x3f\x95\xe5\xfc\xf7\x9b\x08\x53\x62\xcd\xac\x6a\xbb\xf8\xf1\x37\x81\xa6\x21\x88\x52\x57\x05\x2b\x12\x00\x45\xda\x2c\x49\x4a\x30\xbc\x6a\xe6\xc4\x16\x0c\xf4\x97\x00\x2a\xf8\xb7\x7e\x21\x68\x93\x24\xbd\x6e\x75\xac\xed\xa7\xcf\x6a\x50\x92\x0b\x2a\xb1", 98); *(uint32_t*)0x20008c2c = 0x87; *(uint32_t*)0x20008c30 = 0x20008b40; *(uint8_t*)0x20008b40 = 0x87; *(uint8_t*)0x20008b41 = 3; memcpy((void*)0x20008b42, "\x15\x08\x37\xb1\xe6\x9e\x50\x07\x39\x8a\xc0\x2c\x4a\x0b\x25\x07\x2d\xaa\x81\xa6\x4a\xf1\x0b\xcd\xc5\x73\x63\x33\xf4\x9c\x92\x1f\x86\xd9\xcb\xc6\xb7\x78\xf1\xd2\x16\x79\xd8\x47\xd5\xb8\xa9\xb7\x0f\xc5\x6b\xb5\xa4\x33\x04\x0a\xfd\x94\x37\x7b\x25\x15\xa5\x5c\xda\x70\xdb\x64\x44\x2a\xda\xe0\x90\x5a\xa9\x0f\x91\x1d\x3b\xee\xf8\x00\xab\x6f\xd8\x7a\x5c\x51\xfd\xa8\xfa\xa7\x50\xd1\x95\xc2\xe6\x57\x24\x97\x81\xc6\xaf\x05\x23\xe0\x49\x2f\x9a\x69\xe2\x27\xe1\x0c\xa0\x31\x0f\x1a\x01\x0f\x8b\x98\x6a\x9a\x05\x53\xa5\x33\x1f\x97\x54\xfc\x90", 133); res = -1; res = syz_usb_connect(3, 0x3f, 0x200088c0, 0x20008c00); if (res != -1) r[25] = res; break; case 48: memcpy((void*)0x20008c40, "\xa6\x90\x8c\x55\x30\x81\x4d\x6a\x6b\xfd\x6d\x6c\x75\x94\xd4\xaf\x8a\x49\x62\xd8\x82\xda\x65\x7b\xb4\x02\xc7\xd0\xae\x45\x35\x16\x81\x60\xdb\xf6\x7b\x82\xf2\x23\xd5\x77\xb0\xe1\x6e\x6a\xc3\xc4\x6a\x40\x15\xa6\xed\x7c\x4f\xa6\x5d\x1d\xba\xa2\x68\xb7\x48\xde\xc4\x67\x74\xec\xa9\x22\x47\x96\x94\x49\xa9\xf5\x9e\x9e\xdd\xe4\xd3\x7e\x7b\xd1\x78\x82\xeb\x00\x5e\x24\xfe\x43\xf5\x76\x54\x00\x0e\xad\xec\x3f\x1d\xe9\x91\x7e\xb2\x8c\x2a\x87\x71\x82\xc4\x7b\x55\x6d", 114); syz_usb_ep_write(r[25], 7, 0x72, 0x20008c40); break; case 49: syz_usbip_server_init(4); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); 
use_temporary_dir(); do_sandbox_none(); return 0; } :127:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :114:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :109:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor172956580 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/3 (1.80s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) (fail_nth: 1) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000040)={0x0, 0xe6, "f137161ab86c594202b997d9f12d007021870322c8d909748409951ae9800c1e207f98b769c740f867ea14bbf8666a4f98d229aaafbc33c6c52168db8933c4a4a4a3dd3ce0ccea96e71d81ff4aca8331cb01bf35433853d1abd48fd6d0ce1314df6507bae535a2b4e3eaa74c5d23006594148a0fe5b4a884ef8f41346e49cc90474cb17bac301d4797ed05dfc6ccb74bebaabe549172d622a30605a4e49fd3f8537de5272c33ad4f07cd060577bce65e5c80a34168cde68117e4f900e35a3d888e02ee111752213b40d2af258c01f36de50ce8e83d4226a30d6a4cc43a883f6c20e3fada8ad2"}, &(0x7f0000000140)=0xee) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e22, 0x3, @private2, 0x1}}, [0x7fffffff, 0x1, 0x7fff, 0x4, 0x7, 0x1, 0x3ff, 0x40, 0x5, 0x1, 0x0, 0x7, 0x0, 0x8, 0x1f]}, 
&(0x7f0000000280)=0xfc) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e20, 0x9, @private2={0xfc, 0x2, '\x00', 0x1}, 0x3}}}, 0x84) r3 = openat$pktcdvd(0xffffff9c, &(0x7f0000000380), 0x0, 0x0) ioctl$MEDIA_REQUEST_IOC_QUEUE(r3, 0x7c80, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x7f, @private0, 0x5}}, 0x5, 0x476f}, 0x88) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_SRVCORE_ACQUIREGLOBALEVENTOBJECT(r3, 0xc0206440, &(0x7f0000000500)={0x1, 0x2, &(0x7f0000000480), &(0x7f00000004c0)={0x0}, 0x4, 0x8}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTQ2_RGXTDMSETTRANSFERCONTEXTPROPERTY(r3, 0xc0206440, &(0x7f00000005c0)={0x8a, 0x7, &(0x7f0000000540)={r4, 0x400}, &(0x7f0000000580), 0x10, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXBREAKPOINT_RGXENABLEBREAKPOINT(r3, 0xc0206440, &(0x7f0000000680)={0x83, 0x2, &(0x7f0000000600)={r4}, &(0x7f0000000640), 0x4, 0x4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@deauth={@wo_ht={{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x240}, @broadcast, @device_a, @random="2015d229785b", {0x8}}, 0x27, @val={0x8c, 0x18, {0xc93, "ffe3240f0484", @long="067ecc39a78a3ea47c22246d391b92c4"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_xfrm_policy_alloc_security\x00') syz_emit_ethernet(0xbc, &(0x7f0000000140)={@dev={'\xaa\xaa\xaa\xaa\xaa', 0x3b}, @broadcast, @void, {@mpls_mc={0x8848, {[{0x8, 0x0, 0x1}, {0x1, 0x0, 0x1}, {0x4, 0x0, 0x1}, {}, {0x0, 0x0, 0x1}], @ipv4=@dccp={{0x15, 0x4, 0x2, 0x33, 0x9a, 0x65, 0x0, 0x7, 0x21, 0x0, @dev={0xac, 0x14, 0x14, 0x1e}, @rand_addr=0x64010101, {[@noop, @end, @timestamp_addr={0x44, 0x1c, 0xe9, 0x1, 0x2, [{@dev={0xac, 0x14, 0x14, 0x28}, 0xf7e}, {@loopback, 0x7fff}, {@private=0xa010101, 0x5}]}, @generic={0x83, 0xe, "db10ac96c2cf817c67fc6d7e"}, @rr={0x7, 0x7, 0x87, 
[@local]}, @end, @ra={0x94, 0x4, 0x7}, @end, @generic={0x44, 0x5, "e0d910"}]}}, {{0x4e20, 0x4e23, 0x4, 0x1, 0xf, 0x0, 0x0, 0x9, 0x5, "d77b5a", 0x7, "c6dd9c"}, "494a1261c05df7372b3c29631b6232d41f19fa8727ecea11ccf1979683ceb144705e12c13fba0e399f08f58397f3ea7bdb746b3dcabe"}}}}}}, &(0x7f0000000200)={0x0, 0x3, [0xf9, 0x208, 0x50c, 0x74d]}) syz_emit_vhci(&(0x7f0000000240)=@HCI_EVENT_PKT={0x4, @HCI_EV_VENDOR={{0xff, 0xc1}, "0626cab051d180b0c2e36c0814bbca7e31d691502e1c7c0eae1a042e7372921a0c6dfccedd81a98f58b9850ba2f68bc25d5cab15a0af010796b5fdfb8a3b35f3eb48ee0c7b2ed287cf469fdec0248e957ef0dd22f3fc6d746e70262c277c016177e56a68031293b56b02c1b6f867d10a3bbf33817b39d487ae0659a68cffb8df46df59a7d104b7c6711d45af1f966d69e635809cf24a70d4c2ea9cc98d37599807148af36b475eb2ce56e027ac751769f8710272d187722ecdf7a8f86d8b977aa8"}}, 0xc4) syz_execute_func(&(0x7f0000000340)="c4c17d6f7072c4e1f9112fc4e3c95d33abc4c2790eb000000000c4e17a12b70c0000000f0156e9c4e10dd55e0cf30f526b000f7e20c4c179e702") syz_extract_tcp_res(&(0x7f0000000380), 0x80000000, 0x100) r5 = dup(0xffffffffffffffff) r6 = fcntl$getown(0xffffffffffffffff, 0x9) lstat(&(0x7f00000026c0)='./file0\x00', &(0x7f0000002700)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000002800)=0x0, &(0x7f0000002840), &(0x7f0000002880)=0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002ac0)={0x2020, 0x0, 0x0, 0x0}, 0x2020) statx(0xffffffffffffffff, &(0x7f0000004b00)='./file0\x00', 0x2000, 0x20, &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004d00)={{{@in6=@ipv4={""/10, ""/2, @private}, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000004e00)=0xe4) r13 = getgid() syz_fuse_handle_req(r5, &(0x7f00000003c0)="", 0x2000, &(0x7f0000004f40)={&(0x7f00000023c0)={0x50, 0x0, 0x3f, {0x7, 0x22, 0x8001, 0x1040000, 0x8, 0xf6e1, 0x8, 0x9}}, &(0x7f0000002440)={0x18, 0x0, 0x9, {0x40d}}, &(0x7f0000002480)={0x18, 0x0, 0x7, {0x7}}, &(0x7f00000024c0)={0x18, 
0x0, 0xffff, {0x8}}, &(0x7f0000002500)={0x18, 0x0, 0xce0, {0x1c}}, &(0x7f0000002540)={0x28, 0x0, 0x1, {{0x100, 0x5, 0x2, r6}}}, &(0x7f0000002580)={0x60, 0xfffffffffffffffe, 0x8, {{0xcd95, 0x1f, 0x7, 0x48, 0xaac5, 0x6, 0xad, 0x5}}}, &(0x7f0000002600)={0x18, 0xfffffffffffffff5, 0x9, {0x9}}, &(0x7f0000002640)={0x11, 0x0, 0x0, {'\x00'}}, &(0x7f0000002680)={0x20, 0x0, 0x10000}, &(0x7f0000002780)={0x78, 0x0, 0x9, {0x3, 0x0, 0x0, {0x6, 0x0, 0xfffffffffffff20d, 0xfffffffffffffff8, 0x1, 0x3ff, 0x5, 0x9, 0x726, 0x1000, 0x6, r7, 0xee01, 0x7, 0x7}}}, &(0x7f00000028c0)={0x90, 0x0, 0x3, {0x2, 0x2, 0x100000000, 0x61a26b8d, 0x6, 0x2, {0x1, 0x3, 0x1, 0x100000000, 0x3, 0x8f, 0x4, 0x1ff, 0x849, 0x1000, 0x7, r8, 0xffffffffffffffff, 0x5, 0x1f}}}, &(0x7f0000002980)={0x130, 0x0, 0xa00000000000, [{0x4, 0x1, 0x6, 0x9, '\x01\x01\x01\x01\x01\x01'}, {0x6, 0x1, 0x5, 0xfffffffe, '\xaa\xaa\xaa\xaa\xaa'}, {0x1, 0x1ff, 0x3, 0x7, '{#-'}, {0x5, 0x0, 0x2, 0x761, '[#'}, {0x3, 0x0, 0x2, 0x6, '#]'}, {0x1, 0x714, 0x5, 0x3, '*^\\^b'}, {0x5, 0xeb68, 0x4, 0xfffffa80, '--$-'}, {0x6, 0xfffffffffffffeff, 0x1, 0x1, '-'}, {0x1, 0x8, 0x3, 0xf2, '!\\{'}]}, &(0x7f0000004c40)={0xb0, 0x0, 0xcf, [{{0x1, 0x1, 0x3, 0x100000000, 0x4, 0x81, {0x5, 0x7f, 0x5, 0x6, 0xffff, 0x3, 0x1f, 0x3, 0x8, 0xc000, 0xf5c8, r10, r11, 0x2, 0x9}}, {0x4, 0x80, 0x5, 0x2, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000004e40)={0xa0, 0x0, 0x400, {{0x6, 0x2, 0x400, 0x7, 0x4, 0x9, {0x4, 0x1000, 0xffff, 0x6, 0x1, 0xffff, 0x65f, 0x647c2b8f, 0x400, 0x8000, 0x8, r12, r13, 0x3, 0x6b}}, {0x0, 0xd}}}, &(0x7f0000004f00)={0x20, 0x0, 0x800, {0x0, 0x0, 0x10001}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004f80), r5) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r14 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x343, &(0x7f0000004fc0)={0x0, 0x5004, 0x0, 0x1, 0x1de, 0x0, r14}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000005040)=0x0, &(0x7f0000005080)=0x0) r17 = openat$uinput(0xffffff9c, &(0x7f00000050c0), 0x2, 0x0) r18 = 
openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000005100), 0x488200, 0x0) syz_io_uring_submit(r15, r16, &(0x7f0000005140)=@IORING_OP_SPLICE={0x1e, 0x3, 0x0, @fd=r14, 0x200, {0x0, r17}, 0x6, 0x1, 0x0, {0x0, 0x0, r18}}, 0x3dd1) r19 = openat$keychord(0xffffff9c, &(0x7f0000005180), 0x171000, 0x0) r20 = openat$ubi_ctrl(0xffffff9c, &(0x7f00000051c0), 0x10400, 0x0) syz_kvm_setup_cpu$arm64(r19, r20, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005240)=[{0x0, &(0x7f0000005200)="4623d8a4ce0217c9e59555c166890679e3e0c1940df5b9fcbf91649ef54d80f0c8bcc80e36b5574c4bc9f943401854f56aa2", 0x32}], 0x1, 0x0, &(0x7f0000005280)=[@featur2], 0x1) r21 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x8000, r18, 0x0) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000052c0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005300), &(0x7f0000005340)='./file0\x00', 0xfd, 0x2, &(0x7f0000005540)=[{&(0x7f0000005380)="873519f25df082b371ba5b45adb5709c00805747c37fe044064595cd4728bf8980302b25b4b083b42b41336e130f1b6ff0a2f172498e522b4fe5826eababf53a9852f93ebeb841e1645f32936127029d68fe73eced89c1b93587012a47c42a583d6975592b3f2cdf4337fc6d5e85e5f5835fafe095935ec90484e9081aa8d22498431301baad4a34368c26c64d85326c7e00682178f8d13e6a8969f15b9d5dbcfec2c0e69680c3928ca015b92e25f5078de354fe32cc7121609a0762e1b73efd8967a2fe235e4d1ef9e5ac88bc1ed706a984641b06470b2294d045ce7eba51c0728938a2c6eeb6d8574429cc24bcb2a784", 0xf1, 0x40}, {&(0x7f0000005480)="62935bfe26e9c9f2dc3c3e9dfb491858efb598369bcca51923989ba943cf447baf56625df0f685ed2d034b37c07563f668728f6dc6833609b1221970e55088869d29c01b2dd05c4820b08042b5074008c9757712c480e25d89b9c48e957e5b5c7b0beccfb1fcccedbcedc83806038075fc2a0f8228beb47f1fece09bddcbbe0021abe9c3d198369b81b67dbd6a7d334b8d28b802cc97d934c164e97d9d7b70dc6c", 0xa1, 0x1ff}], 0x8800, &(0x7f0000005580)={[{'\xaa\xaa\xaa\xaa\xaa'}, {}, {':&-]!'}, {'}'}, {',-V'}, {'\\*})'}, {'*^\\^b'}], [{@appraise}, {@fowner_lt={'fowner<', r8}}, {@smackfshat={'smackfshat', 0x3d, 
'\xaa\xaa\xaa\xaa\xaa'}}, {@obj_type={'obj_type', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@dont_appraise}, {@dont_measure}, {@fowner_lt={'fowner<', r9}}, {@dont_appraise}]}) syz_open_dev$I2C(&(0x7f0000005640), 0x40, 0x300) syz_open_procfs(r6, &(0x7f0000005680)='net/if_inet6\x00') syz_open_pts(r19, 0x800) syz_read_part_table(0x9, 0x9, &(0x7f0000006c40)=[{&(0x7f00000056c0)="", 0x1000, 0x8001}, {&(0x7f00000066c0)="31e3c3fa6d99", 0x6, 0x3ff}, {&(0x7f0000006700)="39de863b7148208e432fcddbd9e9148e716c1b48a3967c870c70145d90ed681b3f8bce849fee7f50091570854e20103723e56454e711543f6e2be92c34090d8cc792260be9b960c1e4", 0x49, 0x9}, {&(0x7f0000006780)="17fad571f80fecd34a59bc03f6c02bbd6d56cd8d958924b4ae4189b88b85897efd4e596e1118bb0c771c2c5ba37ded06d78111390c1c80cf6ea9df8727f88559815ed76b36fa13fb4d08e1ccdad7973b5bec5655a74a671fde99ee92397c56d409dadb10c4c37ee92cb41d03ae6fb164e7f86985039128d38be83b5e16c35ee34eb2b8396c5348028781a0a879f88159740ab89705d637bedafa915f195a152597fa0d7da9b76476602c6eeefca1e80a6d3d0ed1a75b00f7a5e153dd851e2301c8daa7d49b4ad91c62d1a6967f54cf9621c240ed587192f69959e05407850ce3831c4e811e6fff1cdf93cfabde887358316881845356d7", 0xf7, 0x26}, {&(0x7f0000006880)="c286968e2238742a47e0e8d444a6a661b7708222f4eddab97a749dcebe2cc83a314b828795f915a36d873b714aef15ddb1b4f62f06800bbe85eaebcb76abe944719249ee7927c88e78a968e93f45c52013ef97ef6f989b1d1cd30fff88677962c8f3052ad0a4631e4e750ba80f3753916c2dffc6a4023cdb62a1b5f2afbb965b2f78c5dd47af90b002da1a26a24fcb99bf81fb29574a2f98107a7937639873b95f4a569a0406cc358b46efae587e9008be69d711ae202c22e29a2f615fd23dcf", 0xc0}, {&(0x7f0000006940)="97fc4dd9db673e16fd0f0eb9a4a26e2a49f42e1616190b0634dfd6135145f4e451bbbad56dadf266964eba7d1007c0a23f8cf03d4f8fe09a7989152b7cf2ec30f2693a06befdf023d79f48c208d742c7b75915bcc1be583517ced3b826b97075e62a8ed12dbb264807c6ffd0227614491fb9de0d8a925a2638c31608de405bbf79e96f171fd58338b1d6979d33a7dae8ad62f2ba53fefc3c", 0x98, 0x20}, 
{&(0x7f0000006a00)="77d8d606bfb424e7b995809ab4f559115fd82e972d98b651dfc69b10df600fb4f78efd586f9cc26edc41b1d2fac87efe59e262411f27a94cf796ed31236b457ca0f147530efbd4cfa6b6a0fee46c25abcf7ad8282aae5299e299799cd52d0a58d7ff9dddd0103724c88da92dbefab6248038abef9ec52264afc74825f7ea70b2ca95d6900f9b647a3f986e18287cb2bf4b4c19efc8c218fd905c3727c86c37026bfbde3af078eb07b798e6d3d8f2e4d5d3bc188cdd20f2ebb1461c5e53b05f2989ffac3b168dee56da0fc011974c660e400ae2d8b2c80acb231581ee91763129b2888aeb12", 0xe5, 0x800}, {&(0x7f0000006b00)="560c1bea71b0f97244fa386d26bf6b1b04308e4bc7fffa", 0x17, 0x80000001}, {&(0x7f0000006b40)="14e55a14a7953387ee55333c1d1694ca98c7999b49788642766805d6f5a290eb1e959ee35a740459e13300262f2af9c357f7a8c1cba187e448bc3c8f865cc9be88624fb0f0d0bb885d9cc2abe171a2478a7420db22e8607e3fbec7e2601d9e11086cfa8cf14d99676b679d8d6bf1dd4faab8fe9a5f4e3f695fe2e6abf09f702683802d44cc3a298255c4c59533731ff5b23e053afb716d58cad667686ee647f48e199c9b5c3d0d2d470f2ce1c5b8b5708ae023ad9880caf31d01f96aebbfcc7df95358a016c5471cc2ce2ced6105057c9d22c8167890ca19", 0xd8, 0x400}]) syz_usb_connect(0x2, 0x6c6, &(0x7f0000006cc0)={{0x12, 0x1, 0x200, 0x62, 0xa5, 0xbe, 0x10, 0x2833, 0x211, 0x37a4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6b4, 0x1, 0x20, 0x0, 0xa0, 0x1, [{{0x9, 0x4, 0xdf, 0x0, 0x10, 0xff, 0x1, 0x0, 0x5, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x1, 0x1}]}, @cdc_ecm={{0x9, 0x24, 0x6, 0x0, 0x0, "fd506508"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x40000000, 0x8, 0x4cc5, 0x7f}, [@network_terminal={0x7, 0x24, 0xa, 0x8, 0x3f, 0x0, 0x81}, @country_functional={0x10, 0x24, 0x7, 0x80, 0x5, [0x44, 0x2, 0x800, 0x101, 0x4]}, @acm={0x4, 0x24, 0x2, 0x4}, @mbim_extended={0x8, 0x24, 0x1c, 0x0, 0xc0, 0x5325}, @ncm={0x6, 0x24, 0x1a, 0x7f}]}], [{{0x9, 0x5, 0x5, 0x0, 0xa716c6d63b98b5a2, 0x6, 0x0, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xe9, 0xf000}]}}, {{0x9, 0x5, 0xe, 0x2, 0x200, 0x8, 0x7, 0x40}}, {{0x9, 0x5, 0x0, 0x10605a5c87a92a7e, 0x200, 0x8, 0x3, 0x1, [@generic={0x9b, 0x21, 
"f2ef0a5c069cdb319138e185061d7e196ae94e535d80f27666fba23b374325f15dc5f20812fe05b0620f6ffcb81003b1f39c5dcd1bff14e2bbeb387335a3534f5adb60ffc4f28595c8f992f77fd5f67a04842b9c4364e3556be9bacb8fd56ed77859291153f6c566026363bfa5f2e6ff2fa6d29317f2d562445364939915a75dd7365f6ab9c15ddbc7c3a45f7eb98fd1fea3551bbd46f20a87"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x3ff, 0x1, 0x20, 0xef, [@generic={0xec, 0x6, "f642246a5372991db97e5824a410e28300d3bd153638f6dac6e1189a0c560a0a0e5f8b15e07879ac95016515202646a7b5b5fc74b7cd40d515b2849d8c1dd9ae4fca16c2e6cf0e8a20ce54f05fa123c019208cb34b5ee561c274ea40a7b34e5813a4a29be40817eb1f7b3e9bef60f7c56657481236b93e2c297f17c776b98f1d0c8f2a56447766c7288ba6b1e385b84a516a98ab729ba70e31fee3aab101d590a4481ae5856326c6825b73c7ae7d3b99cb3c59db31a12726234b900584e8db779352188d12c932d4aacb59eef33d33b9550510cf2b49da747e031c83117b511a1bb93ed76c716e6a0254"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x40}]}}, {{0x9, 0x5, 0x1, 0x0, 0x100, 0xfe, 0x8, 0x37, [@generic={0xe9, 0x23, "1a0e3542857d49ea63b7261ebfc19f14272e284d2665d2795e43f6f9ca62776c9ee52d991879d7d67b4d8b270fd51598beac1c0339b2257ad68c1dde54885ae2d219b87cde159a9897c88bda26e08a3691055022739c1fe64adb98639dc25421c449cf364800c4c365062f2488e6901e56e62f4b703eae7af26298a1eee1bfe62d9b2ae35320ae2baf174e94ff55321097be81e0279f5d0aa84dd18ca0864d98d0edbbeaa19ddf3626fd83a2e2b5f676a734d4784b3c6877fd1bb3c9543df7abda9bd9c9be405949747e21073c18957fff0eaac0273cfd3f702cb65597949a172726f7e459536c"}, @generic={0x18, 0x10, "a0289017f3f433f11059489a61115823e1138ae84a34"}]}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0x67, 0x3, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x80, 0x2e6}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x48, 0x35, 0x8, [@generic={0xe5, 0x5, 
"30efe9c1a6e5c89c2031214c60fbbeaa4578091e38009c761d15774802934cfd36355b3518ccfe59fa5e7ccee3c13ac4affbe073e0e788c9b5e32216efbf02e35869d7b233a389f812bfd849433c328466eda5e0e3237529cdc65e4eee743d31ffc186a1fe794bdf1364f31eaeff39829e8f6144850d7470cc71572d1f2f23dccdbcdd99e4930de7edbf59b338db3490305fd7710257980b7f76b8daeacb2ad618131fb9b5a3e026c9ddbd69483cd794caad29f2e3b63124a952b462de0cd951d7efd9b3b29107b641417e7783d90159137fa5273a95e0cc46c97c2246e611acb14b4d"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x8, 0x0, 0x33, 0x9}}, {{0x9, 0x5, 0x2, 0xc, 0x400, 0xed, 0x7, 0x9, [@generic={0x84, 0x31, "ee4cd219154df491c4d32aa32112cff407511b06b17f743409ecc216c31e92cefa2b5cc59e634d7aeba2c9e5e36d8efadc0255172518f909b4e1a7daf4d988b1eeaf196c76ee902b657d12fc23c21e176cd149e98a8d8d5755b74fed1a4284bcfd6e6961951ff8216f7bb42f790edd539c1bc5bbac44f767a685c57cbbdec830c52c"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x1, 0xfe01}]}}, {{0x9, 0x5, 0x3, 0x0, 0x40, 0x2, 0x5, 0x3}}, {{0x9, 0x5, 0x0, 0x0, 0x400, 0x0, 0x2f, 0x4}}, {{0x9, 0x5, 0x8f, 0x8, 0x8, 0x81, 0x1, 0x7f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xfb}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0x40, 0x76, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x31, 0x8}]}}, {{0x9, 0x5, 0xf, 0x10, 0x3ff, 0x6, 0xb2, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x80, 0x6}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x6, 0xca, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x10, 0x400, 0x1, 0xfc, 0x4, [@generic={0xd4, 0x21, "28a1dfa1d28f9ae60d0a8e9e3c512db35369d479fa6e6aa099e267e1ced77ca2e180b429779023a872b0ef8807e11f8b8b21b811d4fe5527335ce86e3a95cdf960d1e79e88c276c174d183d2f3bc0862dd7e1d29ac589ceb22024e25a44c3e8123581d1448fd2db5332fe41c23f9aa959564f32db1da14610415ddc293dc57c9d6c775d22151bdab236a5a73592e5518055728ae819e25c080cbb9bf0203b6639b8fd8d716d9c571d6b260ea297733d53c3a05449b9b9221d0f402610c9837189f9c6ab3baaf031d48692690c9981cee1426"}, @generic={0xc3, 0x6, 
"60ed98576fbbbee3db67d535ea7e1a19d92d689e2f03308a615a5641e72e694d996f76c1111c88c507c39a87f34a3682dafbfe583b79f5b950a30614162c605f7e6c5d452b4f84a145f20bf4470ddf43f06c415dc6c41551fd458ba6aedf57d74cb85a25e43324814b62c3be4108b1ea5b9dd22a78a45cdf5d8f27c11f35026bf7ef10c7d1f0615fe1c44a302a84d88b8d6c2d85049c9f48a04b4e61801c017f609b673fc8290f7362a0ed35882a335b657f835fce8e20100cde82c1a3dc180611"}]}}]}}]}}]}}, &(0x7f0000007740)={0xa, &(0x7f00000073c0)={0xa, 0x6, 0x310, 0x5, 0x80, 0xff, 0xbf, 0x5}, 0x5, &(0x7f0000007400)={0x5, 0xf, 0x5}, 0x5, [{0xa8, &(0x7f0000007440)=@string={0xa8, 0x3, "0584bddc149671f9e6c6cd123b796cafe2eb5d2bd3cf65e3eb0f3a601aba7164713d4042653f2cca182207d4e7ffa8bc71e705aa48bcff03fddd2e3e6bebe11cb61f95faf14afdf29440021e851fb682aa24e624e833952db6d1f96aa7edfc74ce501359694c7583eb5e48dfe227d2105d5e3d2359e3c728a48adff09b1132f928893ceefae67700983be1ca94e818e7a1463c802f1fc2a72d40900933403d7b255a35d9dc33"}}, {0x4, &(0x7f0000007500)=@lang_id={0x4, 0x3, 0x42c}}, {0xf4, &(0x7f0000007540)=@string={0xf4, 0x3, "1c537117dc720af3ccf108687c86cb544bc885379e435dbb861bc9a01550592e6008ae94a1f98317ad9cd804016b079b5ec294dcaf4537cf5b68c3c4353754caf369ba34101cbd21926b15cef67ab63ead40abfbef867b372fe2781866f87a2dccf98ffe66531c1d5021406c69ce84b439130cac71f52564b7c8fa621d71d5ff001517593f059da0cb82f1fd5e327df9abec4946e34e20d3f1df8f4a0422f9bb538949b4a14d1b3afd6793e81d3ba596d16d8cee0e700314e531e602fe5cb832b22c7a2f9f36f39d053876478157d541e8c0977a9acaf691f1234f665d234f82ee90ff8982d9c1371a15ddc8ed2392dd5a96"}}, {0x98, &(0x7f0000007640)=@string={0x98, 0x3, "078cbefd67796b8d00c6a027e5d07bc3b00756acafb9096e3e381a99fdbe8a5161ca19a9628d61baefd6972b48f5e04b0fa6e2b99cca8df5b50dbd97d656c02f8583a58ce8cbd35c69fb3f86de0ddac90f5be8d4f04a3ad4f31293b509959139bea0f3067d0ebfa3c5b210e1993078b0ae929561fc7734869b3dd8d812c00a3035236166a31227ae291e696ab4f81f4e3f02d6b2f334"}}, {0x4, &(0x7f0000007700)=@lang_id={0x4, 0x3, 0x43e}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007780)={{0x12, 0x1, 0x200, 0xff, 
0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f00000079c0)={0x18, &(0x7f0000007800)={0x20, 0x11, 0xb7, {0xb7, 0x9, "72f591ba5c694f16a4d92075ef3ec8bc46920954799ec8d3c0308f3b4779da6e18e9824a86746d013a399afc7f6fceb6c37f7f131c71ebc001f666ea63ed3ade132009735a546622f9e639d481c967cc7b5b747cc5e62fdc41bbb4bb95878a442cc49111c0f57886f17077a1b4b22e3cf28eecb798feed6f168dd9cc2646f8b79ed41bba94de9e304fc845179a7321f04784aa917ba08405b0a95b8303d914ef8e374780dd8e3437c95c35764cd063e7a3ec6d790b"}}, &(0x7f00000078c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x813}}, &(0x7f0000007900)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x18, 0x8, 0x0, 0x3}]}}, &(0x7f0000007940)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7, 0x80, 0x6, 0xe0, "8402487c", "8056a3ff"}}, &(0x7f0000007980)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xa7, 0x2, 0x7d, 0x0, 0x80, 0x7, 0x6}}}, &(0x7f0000007e80)={0x44, &(0x7f0000007a00)={0x40, 0x10, 0x8c, "21b83825059f24506d8e842085d1f2e7f964471b20ed0a8e50a9aa4ef16b5a6f2dbb2b570a4f8d13d60e47bb7821ff912111dee40a78d42b4d13ea812d929ccf3964c5468f89d2d21630ec87067a2d13f45238b446bf57c6b9ec35578fa587fc77fe2108b1590be081681ccc024f1f590be9e5bec9ea86b9803c60299dda1a82f8ff04428671a43bc2c3393a"}, &(0x7f0000007ac0)={0x0, 0xa, 0x1, 0x4}, &(0x7f0000007b00)={0x0, 0x8, 0x1, 0xfb}, &(0x7f0000007b40)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000007b80)={0x20, 0x0, 0x4, {0x140, 0x20}}, &(0x7f0000007bc0)={0x40, 0x7, 0x2, 0x3ff}, &(0x7f0000007c00)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000007c40)={0x40, 0xb, 0x2, "8a02"}, &(0x7f0000007c80)={0x40, 0xf, 0x2, 0x321a}, &(0x7f0000007cc0)={0x40, 0x13, 0x6, @link_local}, &(0x7f0000007d00)={0x40, 0x17, 0x6, @random="b0fe281fa391"}, &(0x7f0000007d40)={0x40, 0x19, 0x2, '#7'}, &(0x7f0000007d80)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000007dc0)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007e00)={0x40, 0x1e, 0x1, 0x6}, &(0x7f0000007e40)={0x40, 0x21, 0x1, 0x9e}}) r23 = syz_usb_connect$cdc_ecm(0x2, 0x5f, 
&(0x7f0000007f00)={{0x12, 0x1, 0x70, 0x2, 0x0, 0x0, 0x50, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4d, 0x1, 0x1, 0x2, 0x70, 0x40, [{{0x9, 0x4, 0x0, 0xc4, 0x3, 0x2, 0x6, 0x0, 0xe1, {{0x8, 0x24, 0x6, 0x0, 0x0, 'W?s'}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x200, 0x0, 0x200, 0x3}, [@ncm={0x6, 0x24, 0x1a, 0x1000}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x3f, 0x0, 0xd8}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0xff, 0xec, 0x5}}, {{0x9, 0x5, 0x3, 0x2, 0x3cf, 0x81, 0x39, 0x5}}}}}]}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f80)={0xa, 0x6, 0x0, 0x2, 0x20, 0x77, 0xff, 0x2f}, 0x5, &(0x7f0000007fc0)={0x5, 0xf, 0x5}, 0x5, [{0x69, &(0x7f0000008000)=@string={0x69, 0x3, "d25a9c8f1452a3c6ffbfeca8eb777935b58c9b7406775086fff717b54f05ac59f94517ff3cd6f3101dbfa79bb82ae31b1d316d08a71d14fc2c1cfa8c893068bde2bb830ae91fc94288cc232aaac0e64b84007b0e7536c3ec34edef04ded93421a377e0695326aa"}}, {0xac, &(0x7f0000008080)=@string={0xac, 0x3, "7360609ce8300ae4623308d5f8b97bfd50d3d863408b8ea401c86da9d42ce5f3867ce8d721fb2ab5c25f6b4c5e85f5eaf341bd514a16c2dfe3c7a1d7f427ae62c0bff379e84d56637ec1377b8c8ad5b55b099cfaa4a7a6eeb0589f81e7a43300eff53354e1b2bdcdc34d7945d63562e48d5ed93bef75fd0160fcd7c3a6be7f0c642bb6e561e35a1c73110bdcded7699865e25eb238cf8f3b10ad3c10488028c37063c8862f907b06829e"}}, {0x4, &(0x7f0000008140)=@lang_id={0x4, 0x3, 0x81a}}, {0x4, &(0x7f0000008180)=@lang_id={0x4, 0x3, 0x180a}}, {0xb9, &(0x7f00000081c0)=@string={0xb9, 0x3, "37efeb854b4051a46c67aee7eaa0f62fde9f599cd5ba25329d50aee16b30c6c1a514831081afc1dfd2682ff48716a91bf95e084212b0696d43e1c6c43adaf9ed3ef70e62735994d2d0865139604988fac17978d9c05a84f3423831dd1dddc6c94d50ddd674f16525bbf9a8db3bb49001be38a19670abd99f4a2e97cfb20d46c637832a3ec97ff094c6a3304964b72bcf116bf27fedd5521ad3da226297fff849c33c5d849e3e3037527901eef63a599baa54fc46a46ff1"}}]}) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ecm(0x3, 0xc5, &(0x7f00000082c0)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xb3, 0x1, 0x1, 0x6, 
0x28, 0xff, [{{0x9, 0x4, 0x0, 0x9, 0x2, 0x2, 0x6, 0x0, 0x4, {{0x6, 0x24, 0x6, 0x0, 0x0, "b1"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9208, 0x2, 0x0, 0x20}, [@mdlm_detail={0x5e, 0x24, 0x13, 0x7, "63b0b95377147ba214d950fc04b22c04be09d9b96f1ab94bb02e8a2a9e23cf7d3acab22a80ed350ec4b17806edcb169e5075373d991780211392eb3d9f1173a539843bf2c3f66a4a6960a55a2207767db3c55a7dd2898b5ccb40"}, @mbim={0xc, 0x24, 0x1b, 0x2a, 0x100, 0xe0, 0x76, 0x0, 0xff}, @acm={0x4, 0x24, 0x2, 0xa}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x73, 0x35, 0x3f}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0x3, 0x1, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x40, 0x2}}}}}]}}]}}, &(0x7f00000087c0)={0xa, &(0x7f00000083c0)={0xa, 0x6, 0x201, 0x79, 0x3, 0x3f, 0x20, 0x6}, 0x37, &(0x7f0000008400)={0x5, 0xf, 0x37, 0x5, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0xa, 0x6, 0x5}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x1, 0x9, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0xa737ee064a5fddc9, 0x7, 0x7, 0x0, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x0, 0x6, 0x6}, @ssp_cap={0x10, 0x10, 0xa, 0x1, 0x1, 0x8001, 0xf00f, 0xfffd, [0x3fc0]}]}, 0x9, [{0x4f, &(0x7f0000008440)=@string={0x4f, 0x3, "c0663b116dab9ba5c0a2f7a2ad486ffc164a4365899565c5e99b015239f378df56db4dc3b0bb08dcd208d958fa3cf08097aa208b2d2865b502cbc94b1a8e33bdd9d6481fbf32d4913422fe189f"}}, {0x85, &(0x7f00000084c0)=@string={0x85, 0x3, "c9c487a90be3d40ef782373d785f86bdfc3db6fb0dd0a7440b2fe4595c3a6bd67aa8518d897a8a757d5f1ceb86e598cabf2345f771c3c7128bd16dd4b1ee9b7dbcaf611e97f6dcb9f171e8f7052b0f33e631bfe99ddc4413e5e5d7b634dcc3b77e4d301f89a8d3b851b02306cabec211127a8e541d162636588ff574de82de8f307d43"}}, {0x4, &(0x7f0000008580)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f00000085c0)=@lang_id={0x4}}, {0xaa, &(0x7f0000008600)=@string={0xaa, 0x3, 
"ce395e8e9f409a37daeb1c20be9ca4004ae810cf1653eccd6e663dd74f8bc06989b4d1a65c9f480bd37e9dd85349f298ddaddc2cc9e4eda147f231402e116fb594a63718d821d885ebd67eda451558b1fba3093ecbd40cbe5fbe07f94ed927d8e5039a7c497aa8d1f10a4ddac049ad820f8c532c5a3f00947955032423922e95aa5bfee041f7fe8744ecc4424057eec97040b341d0dddcaf206da6431e987f04cfd55802cad3a114"}}, {0x4, &(0x7f00000086c0)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000008700)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000008740)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000008780)=@lang_id={0x4, 0x3, 0x1c}}]}) syz_usb_ep_read(r24, 0x8, 0x7d, &(0x7f0000008840)=""/125) r25 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f00000088c0)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x10, 0x56a, 0x62, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0xf0, 0x8e, [{{0x9, 0x4, 0x0, 0x5, 0x1, 0x3, 0x1, 0x2, 0x0, {0x9, 0x21, 0x3, 0xf, 0x1, {0x22, 0xa21}}, {{{0x9, 0x5, 0x81, 0x3, 0x3af, 0x1, 0x40, 0x2}}, [{{0x9, 0x5, 0x2, 0x3, 0x10, 0x6, 0x1, 0x9}}]}}}]}}]}}, &(0x7f0000008c00)={0xa, &(0x7f0000008900)={0xa, 0x6, 0x250, 0x3, 0x1, 0x46, 0xff, 0x20}, 0x34, &(0x7f0000008940)={0x5, 0xf, 0x34, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0xfa, 0x8, 0x80, 0x5, 0x3}, @ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x9, 0xf00f, 0x0, [0xffc00f, 0xff00c0, 0x101ffc0, 0xff0030, 0x30, 0x30]}]}, 0x4, [{0xed, &(0x7f0000008980)=@string={0xed, 0x3, "e7db914ef4a71a3aba443ee181c272e7fbb63648a997754b81a1938f52b9fd8c2b76ca28ee1fcba280021fbe02ffa03ea753f2d51b71f1cb9391ea31faabf8ed37a9853b87eebaa0a1269696e65e309ea4bf7755ff1b99280fd68230d7d899d097e16ee0b224de57339439c80ad7fbf8bbf32aa00e29802bde1c8c5e6228fa0a54c8350ef997112f763e17428fb8e95a56689595f30a3c16151809b0c6b1d4d4766510c6f066fe4b35a3ea90d388d1b4d4e9c6b30971e237e23fd205f9905ee7d79f4443707adc7f65ce2b15994daac7b954353fb23201844122710531879c6291c7dfbf6be454b9cf2f2e"}}, {0x4, &(0x7f0000008a80)=@lang_id={0x4, 0x3, 0x410}}, {0x64, &(0x7f0000008ac0)=@string={0x64, 0x3, 
"041c8b1bd143ea1d63829b769ddb886a6aafeedd5f652bc948677c9a6e3acfe04a1519053f95e5fcf79b085362cdac6abbf8f13781a621885257052b120045da2c494a30bc6ae6c4160cf497002af8b77e21689324bd6e75aceda7cf6a50920b2ab1"}}, {0x87, &(0x7f0000008b40)=@string={0x87, 0x3, "150837b1e69e5007398ac02c4a0b25072daa81a64af10bcdc5736333f49c921f86d9cbc6b778f1d21679d847d5b8a9b70fc56bb5a433040afd94377b2515a55cda70db64442adae0905aa90f911d3beef800ab6fd87a5c51fda8faa750d195c2e657249781c6af0523e0492f9a69e227e10ca0310f1a010f8b986a9a0553a5331f9754fc90"}}]}) syz_usb_ep_write(r25, 0x7, 0x72, &(0x7f0000008c40)="a6908c5530814d6a6bfd6d6c7594d4af8a4962d882da657bb402c7d0ae4535168160dbf67b82f223d577b0e16e6ac3c46a4015a6ed7c4fa65d1dbaa268b748dec46774eca92247969449a9f59e9edde4d37e7bd17882eb005e24fe43f57654000eadec3f1de9917eb28c2a877182c47b556d") syz_usbip_server_init(0x4) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 
<< 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = 
current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && 
hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int 
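set_interface_state(const char* interface_name, int on)
{
	// Brings the named network interface up (on != 0) or down (on == 0):
	// reads the flags with SIOCGIFFLAGS, toggles IFF_UP, writes them back with
	// SIOCSIFFLAGS. Returns 0 on success and -1 on any failure.
	// The "static int" return type of this definition is the tail of the
	// preceding line of the listing.
	struct ifreq ifr;
	// The original used an unbounded strcpy() into the fixed-size ifr_name
	// field. A name that does not fit (terminator included) is rejected here
	// instead of overrunning the stack object.
	size_t name_len = strnlen(interface_name, sizeof(ifr.ifr_name));
	if (name_len >= sizeof(ifr.ifr_name))
		return -1;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0)
		return -1;
	// Zero-filling first also provides the NUL terminator for the name.
	memset(&ifr, 0, sizeof(ifr));
	memcpy(ifr.ifr_name, interface_name, name_len);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0)
		return -1;
	return 0;
}

// Sends NL80211_CMD_SET_INTERFACE for ifindex with the requested iftype over
// the generic netlink socket `sock`. Returns whatever netlink_send() returns
// (negative on a netlink error reply).
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	// The original had an empty "if (err < 0) { }" here; the error is simply
	// propagated to the caller.
	return netlink_send(nlmsg, sock);
}

// Sends NL80211_CMD_JOIN_IBSS for ifindex using the SSID and frequency from
// props. The MAC attribute is added only when props->mac is set, and the
// FREQ_FIXED flag attribute only when props->wiphy_freq_fixed is set.
// Returns whatever netlink_send() returns.
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	// NOTE(review): netlink_attr() copies ssid_len bytes without comparing the
	// length with the space left in nlmsg->buf; the overflow test only runs
	// later in netlink_send_ext(). Callers must keep ssid_len small.
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	// The original had an empty "if (err < 0) { }" here as well.
	return netlink_send(nlmsg, sock);
}

// Queries the link with RTM_GETLINK on a short-lived NETLINK_ROUTE socket and
// returns the value of its IFLA_OPERSTATE attribute, or -1 when the socket
// cannot be created, the request fails, or the attribute is absent.
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1)
		return -1;
	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true);
	close(sock);
	if (err)
		return -1;
	// NOTE(review): n is the length of the whole reply as stored by
	// netlink_send_ext(), not of the attribute area alone, so the RTA_OK bound
	// looks looser than the data actually received -- confirm.
	struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
	for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) {
		if (attr->rta_type == IFLA_OPERSTATE)
			return *((int32_t*)RTA_DATA(attr));
	}
	return -1;
}

// Polls the interface once per millisecond until its operstate equals
// `operstate` (returns 0) or the query fails (returns the negative result).
// NOTE(review): there is no timeout; if the state is never reached and the
// query keeps succeeding, this loop does not terminate.
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate)
{
	int ifindex = if_nametoindex(interface);
	while (true) {
		usleep(1000);
		int ret = get_ifla_operstate(nlmsg, ifindex);
		if (ret < 0)
			return ret;
		if (ret == operstate)
			return 0;
	}
}

// Switches `interface` to ad-hoc mode, brings it up and joins the IBSS
// described by ibss_props. Returns 0 on success, -1 as soon as a step fails.
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props)
{
	int ifindex = if_nametoindex(interface);
	if (ifindex == 0)
		return -1;
	int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC);
	if (ret < 0)
		return -1;
	ret = set_interface_state(interface, 1);
	if (ret < 0)
		return -1;
	ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props);
	if (ret < 0)
		return -1;
	return 0;
}

// Entry sizes and hard-coded byte offsets used to reach fields of the mapped
// io_uring rings. NOTE(review): presumably these mirror the layout of the
// kernel the harness targets -- they are not taken from io_uring_params here.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

// Consumes one completion entry from the ring mapped at a0: copies the CQE at
// (head & ring mask), publishes head + 1 with a release store, and returns
// cqe.res when user_data is one of the two marker values below, otherwise -1.
// a0 is dereferenced as-is; nothing checks that it points at a mapped ring.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}

struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};

struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};

struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

#define sys_io_uring_setup 425

// Calls io_uring_setup(a0 entries, a1 params), then maps the ring at the fixed
// address a2 and the SQE array at the fixed address a3, storing the two
// mapping addresses through a4 and a5. Returns the io_uring descriptor.
// The result of the setup syscall and of both mmap() calls is used unchecked:
// on failure the descriptor is an invalid value and the out-pointers receive
// whatever mmap() returned. MAP_FIXED replaces any existing mapping at a2/a3.
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;
	uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params);
	// One mapping covers both rings, so it is sized for the larger of the two.
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Queues one submission: copies the 64-byte SQE at a2 into slot a3 of the SQE
// array at a1 (index reduced modulo the ring's entry count when that count is
// non-zero), records the slot in the SQ index array at (tail & ring mask) and
// publishes tail + 1 with a release store. Always returns 0.
// All three pointers are used unchecked.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ index array is located after the CQEs, rounded up to 64 bytes.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

// Creates a UNIX socket pair, attaches one end to a vhci_hcd port through the
// sysfs "attach" file and returns the other end. a0 is the USB speed; super
// speed draws from a separate port counter. Returns -1 when this process has
// no ports left for that speed class.
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		exit(1);
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	// Valid indices are 0 .. VHCI_HC_PORTS - 1. The original compared with ">",
	// which let index VHCI_HC_PORTS through; with the port_num formula below
	// that lands on the first slot of the neighbouring range. The original
	// also returned without closing the two descriptors just created.
	if (available_port_num >= VHCI_HC_PORTS) {
		close(client_fd);
		close(server_fd);
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	// write_file() takes a printf-style format, so the record is formatted in
	// one step instead of being sprintf'ed into a buffer that was then passed
	// as the format string. A failed write is still ignored, as before.
	write_file("/sys/devices/platform/vhci_hcd.0/attach", "%d %d %s %d", port_num, client_fd, "0", speed);
	return server_fd;
}

#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)

#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer on first use and returns
// that buffer; later calls return the cached copy. Returns NULL when the file
// cannot be opened or read, or when it fills the whole buffer.
// NOTE(review): the is_read flag is a plain static with no synchronization;
// whether concurrent first calls can happen is not visible here.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			// The original leaked fd on this path, once per failed call.
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	// The original never closed fd on success either.
	close(fd);
	is_read = true;
	return buf;
}

// Walks the BTF type section of the cached vmlinux BTF and returns the 1-based
// index of the first type whose name equals the string at a0, or -1 when the
// BTF is unavailable, the magic does not match, or no type has that name.
// NOTE(review): hdr_len, type_off, str_off, type_len and each name_off are
// taken from the file and used as offsets without being compared with the
// number of bytes actually read.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// Size of the kind-specific data that follows the common btf_type
		// record; kinds not listed carry none.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}

// Copies a4 bytes from (a2 + a3) to (a0 + a1) and returns the destination
// address as a long. Offsets are truncated to 32 bits; the pointers and the
// length are used unchecked.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

#define MAX_FDS 30

// Capacity limits of the descriptor index built by parse_usb_descriptor().
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

struct usb_info {
	int fd;
	struct usb_device_index index;
};

// Table of emulated devices, filled by add_usb_index() and searched by fd.
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

// Return type of parse_usb_descriptor(); its declarator starts the next line
// of the listing.
static bool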
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
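/* Tail of lookup_usb_index(): the loop header and the `if` keyword precede this span. */
        (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
            return &usb_devices[i].index;
    }
    return NULL;
}

/* One caller-supplied string descriptor: `len` bytes located at `str`. */
struct vusb_connect_string_descriptor {
    uint32_t len;
    char* str;
} __attribute__((packed));

/*
 * Optional descriptors the caller supplies for the connect handshake:
 * a device-qualifier blob, a BOS blob and `strs_len` string descriptors.
 */
struct vusb_connect_descriptors {
    uint32_t qual_len;
    char* qual;
    uint32_t bos_len;
    char* bos;
    uint32_t strs_len;
    struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptor: bLength 8, then 's','y','z' as 16-bit little-endian units. */
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

/* Fallback answer for string index 0: bLength 4, language id bytes 0x09 0x04. */
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

/*
 * Pick the reply for an IN control request received while the device is
 * being connected.
 *
 * fd              raw-gadget descriptor; used to find the parsed device index.
 * descs           caller-supplied descriptors; may be NULL.
 * ctrl            the control request being answered.
 * response_data   out: pointer to the reply bytes.
 * response_length out: reply length in bytes (callers clamp it to their buffer).
 *
 * Returns true when a reply was selected, false when the request should be
 * stalled (unknown fd, non-standard request, unsupported descriptor type, or
 * a BOS request with no caller-supplied descriptors).
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
                                       const struct usb_ctrlrequest* ctrl,
                                       char** response_data, uint32_t* response_length)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    uint8_t str_idx;

    if (!index)
        return false;

    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_GET_DESCRIPTOR:
            /* The high byte of wValue selects the descriptor type. */
            switch (ctrl->wValue >> 8) {
            case USB_DT_DEVICE:
                *response_data = (char*)index->dev;
                *response_length = sizeof(*index->dev);
                return true;
            case USB_DT_CONFIG:
                *response_data = (char*)index->config;
                *response_length = index->config_length;
                return true;
            case USB_DT_STRING:
                /* The low byte of wValue is the string index. */
                str_idx = (uint8_t)ctrl->wValue;
                if (descs && str_idx < descs->strs_len) {
                    *response_data = descs->strs[str_idx].str;
                    *response_length = descs->strs[str_idx].len;
                    return true;
                }
                if (str_idx == 0) {
                    *response_data = (char*)&default_lang_id[0];
                    *response_length = default_lang_id[0];
                    return true;
                }
                *response_data = (char*)&default_string[0];
                *response_length = default_string[0];
                return true;
            case USB_DT_BOS:
                /*
                 * The STRING case above already allows descs == NULL, so do
                 * not dereference it here unchecked; with nothing to send
                 * the request is reported as unanswerable (caller stalls).
                 */
                if (!descs)
                    return false;
                *response_data = descs->bos;
                *response_length = descs->bos_len;
                return true;
            case USB_DT_DEVICE_QUALIFIER:
                if (!descs || !descs->qual) {
                    /*
                     * Synthesize the qualifier from the device descriptor.
                     * The descriptor is built in dedicated per-thread storage
                     * and *response_data is pointed at it. The previous code
                     * cast `response_data` itself (the address of the caller's
                     * `char*` variable) to a descriptor pointer and wrote the
                     * fields there, which overwrote the caller's pointer and
                     * adjacent stack and never produced a valid *response_data.
                     */
                    static __thread struct usb_qualifier_descriptor qual_buf;
                    struct usb_qualifier_descriptor* qual = &qual_buf;

                    qual->bLength = sizeof(*qual);
                    qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
                    qual->bcdUSB = index->dev->bcdUSB;
                    qual->bDeviceClass = index->dev->bDeviceClass;
                    qual->bDeviceSubClass = index->dev->bDeviceSubClass;
                    qual->bDeviceProtocol = index->dev->bDeviceProtocol;
                    qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
                    qual->bNumConfigurations = index->dev->bNumConfigurations;
                    qual->bRESERVED = 0;
                    *response_data = (char*)qual;
                    *response_length = sizeof(*qual);
                    return true;
                }
                *response_data = descs->qual;
                *response_length = descs->qual_len;
                return true;
            default:
                break;
            }
            break;
        default:
            break;
        }
        break;
    default:
        break;
    }
    return false;
}

/*
 * Handler type for OUT control requests during connect. Returns true when
 * the request is accepted; sets *done when the handshake is complete.
 */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
                                              const struct usb_ctrlrequest* ctrl, bool* done);

/* Generic OUT handler: accepts only standard SET_CONFIGURATION, which also ends the handshake. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
                                                const struct usb_ctrlrequest* ctrl, bool* done)
{
    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_SET_CONFIGURATION:
            *done = true;
            return true;
        default:
            break;
        }
        break;
    }
    return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

/*
 * ath9k OUT handler: accepts SET_CONFIGURATION and the vendor
 * FIRMWARE_DOWNLOAD request without finishing; the handshake ends only on
 * the vendor FIRMWARE_DOWNLOAD_COMP request.
 */
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs,
                                              const struct usb_ctrlrequest* ctrl, bool* done)
{
    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_SET_CONFIGURATION:
            return true;
        default:
            break;
        }
        break;
    case USB_TYPE_VENDOR:
        switch (ctrl->bRequest) {
        case ATH9K_FIRMWARE_DOWNLOAD:
            return true;
        case ATH9K_FIRMWARE_DOWNLOAD_COMP:
            *done = true;
            return true;
        default:
            break;
        }
        break;
    }
    return false;
}

/* One descriptor reply, matched on request type and descriptor type; `len` bytes of data follow. */
struct vusb_descriptor {
    uint8_t req_type;
    uint8_t desc_type;
    uint32_t len;
    char data[0];
} __attribute__((packed));

/* Table of descriptor replies plus an optional generic fallback; `len` is the table size in bytes. */
struct vusb_descriptors {
    uint32_t len;
    struct vusb_descriptor* generic;
    struct vusb_descriptor* descs[0];
} __attribute__((packed));

/* One non-descriptor reply, matched on request type and request code; `len` bytes of data follow. */
struct vusb_response {
    uint8_t type;
    uint8_t req;
    uint32_t len;
    char data[0];
} __attribute__((packed));

/* Table of replies plus an optional generic fallback. */
struct vusb_responses {
    uint32_t len;
    struct vusb_response* generic;
    /* (the last member declaration continues past the end of this span) */
    struct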
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
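/* Tail of usb_raw_event_fetch(): its signature and the start of the ioctl() call precede this span. */
                 USB_RAW_IOCTL_EVENT_FETCH, event);
}

/*
 * Thin wrappers around the raw-gadget ioctls. Each one issues a single
 * ioctl() on fd and returns ioctl()'s result unchanged.
 */
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

/* Callers store the non-negative result as the endpoint handle (see set_interface). */
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
    return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Find the parsed interface entry that matches both the interface number
 * and the alternate setting.
 *
 * Returns the position in index->ifaces[], or -1 when fd has no device
 * index or no entry matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return -1;

    for (int i = 0; i < index->ifaces_num; i++) {
        if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
            index->ifaces[i].bAlternateSetting == bAlternateSetting)
            return i;
    }
    return -1;
}

/*
 * Translate an endpoint address into the handle stored for that endpoint on
 * the currently selected interface.
 *
 * Returns the stored handle, or -1 when fd has no device index, no interface
 * is selected, or the selected interface has no endpoint with that address.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return -1;
    if (index->iface_cur < 0)
        return -1;

    struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
    /*
     * Bound the scan by eps_num. The previous condition was just `eps_num`,
     * which is always true once an interface has any endpoint, so a lookup
     * with no matching address walked past the end of eps[].
     */
    for (int ep = 0; ep < iface->eps_num; ep++)
        if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
            return iface->eps[ep].handle;
    return -1;
}

/*
 * Switch the device to interface entry n. The body visible in this span
 * starts by walking the endpoints of the currently selected interface.
 */
static void set_interface(int fd, int n)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return;

    if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
        /* (the loop header continues past the end of this span) */
        for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;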
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
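/*
 * Continuation of syz_usb_connect_impl(): this span starts inside its event
 * loop, in the branch taken when lookup_connect_response_in() fails.
 */
                usb_raw_ep0_stall(fd);
                continue;
            }
        } else {
            if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
                usb_raw_ep0_stall(fd);
                continue;
            }
            response_data = NULL;
            response_length = event.ctrl.wLength;
        }

        if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
            event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
            rv = configure_device(fd);
            if (rv < 0) {
                return rv;
            }
        }

        struct usb_raw_ep_io_data response;
        response.inner.ep = 0;
        response.inner.flags = 0;
        /* A reply larger than the buffer is dropped to zero length, not truncated. */
        if (response_length > sizeof(response.data))
            response_length = 0;
        /* Never send or accept more than the request's wLength. */
        if (event.ctrl.wLength < response_length)
            response_length = event.ctrl.wLength;
        response.inner.length = response_length;
        if (response_data)
            memcpy(&response.data[0], response_data, response_length);
        else
            memset(&response.data[0], 0, response_length);

        if (event.ctrl.bRequestType & USB_DIR_IN) {
            rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
        } else {
            rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
        }
        if (rv < 0) {
            return rv;
        }
    }

    sleep_ms(200);
    return fd;
}

/*
 * Pseudo-syscall: connect an emulated USB device using the generic OUT
 * handler. a0 = speed, a1 = length of the descriptor blob, a2 = pointer to
 * the blob, a3 = pointer to optional connect descriptors.
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    uint64_t speed = a0;
    uint64_t dev_len = a1;
    const char* dev = (const char*)a2;
    const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

    return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Same as syz_usb_connect(), but with the ath9k OUT handler. */
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    uint64_t speed = a0;
    uint64_t dev_len = a1;
    const char* dev = (const char*)a2;
    const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

    return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

/*
 * Pseudo-syscall: fetch one event from the raw-gadget fd and answer it if it
 * is a control request.
 *
 * a0 = fd, a1 = pointer to a descriptor reply table (may be NULL),
 * a2 = pointer to a response table (may be NULL).
 *
 * Returns 0 after the transfer, -1 when the event is not a control request
 * or no reply is available for an IN request (ep0 is stalled in that case),
 * or the negative result of a failed raw-gadget call.
 */
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
    int fd = a0;
    const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
    const struct vusb_responses* resps = (const struct vusb_responses*)a2;

    struct usb_raw_control_event event;
    event.inner.type = 0;
    event.inner.length = USB_MAX_PACKET_SIZE;
    int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
    if (rv < 0) {
        return rv;
    }
    if (event.inner.type != USB_RAW_EVENT_CONTROL) {
        return -1;
    }

    char* response_data = NULL;
    uint32_t response_length = 0;

    if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
        if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
            usb_raw_ep0_stall(fd);
            return -1;
        }
    } else {
        /*
         * Only a *standard* SET_INTERFACE request selects an interface.
         * The condition used `||`, so every standard OUT request, and every
         * class/vendor request whose code happens to equal
         * USB_REQ_SET_INTERFACE, had its wIndex/wValue interpreted as an
         * interface number and alternate setting.
         */
        if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
            event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
            int iface_num = event.ctrl.wIndex;
            int alt_set = event.ctrl.wValue;
            int iface_index = lookup_interface(fd, iface_num, alt_set);
            if (iface_index < 0) {
            } else {
                set_interface(fd, iface_index);
            }
        }
        response_length = event.ctrl.wLength;
    }

    struct usb_raw_ep_io_data response;
    response.inner.ep = 0;
    response.inner.flags = 0;
    /* A reply larger than the buffer is dropped to zero length, not truncated. */
    if (response_length > sizeof(response.data))
        response_length = 0;
    if (event.ctrl.wLength < response_length)
        response_length = event.ctrl.wLength;
    /* An IN request with wLength == 0 goes down the read path with a full-size buffer. */
    if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
        response_length = USB_MAX_PACKET_SIZE;
    }
    response.inner.length = response_length;
    if (response_data)
        memcpy(&response.data[0], response_data, response_length);
    else
        memset(&response.data[0], 0, response_length);

    if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
        rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
    } else {
        rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
    }
    if (rv < 0) {
        return rv;
    }

    sleep_ms(200);
    return 0;
}

/*
 * Pseudo-syscall: write to a non-control endpoint. a0 = fd, a1 = endpoint
 * address, a2 = length, a3 = pointer to the data. Fails with -1 when the
 * address does not resolve to an endpoint handle.
 */
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    int fd = a0;
    uint8_t ep = a1;
    uint32_t len = a2;
    char* data = (char*)a3;

    int ep_handle = lookup_endpoint(fd, ep);
    if (ep_handle < 0) {
        return -1;
    }

    struct usb_raw_ep_io_data io_data;
    /* (the assignment continues past the end of this span) */
    io_data.inner.ep =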
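/* Continuation of syz_usb_ep_write(): completes the `io_data.inner.ep =` assignment begun before this span. */
        ep_handle;
    io_data.inner.flags = 0;
    /* Clamp to the on-stack payload buffer before copying from the caller. */
    if (len > sizeof(io_data.data))
        len = sizeof(io_data.data);
    io_data.inner.length = len;
    memcpy(&io_data.data[0], data, len);

    int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
    if (rv < 0) {
        return rv;
    }

    sleep_ms(200);
    return 0;
}

/*
 * Pseudo-syscall: read from a non-control endpoint. a0 = fd, a1 = endpoint
 * address, a2 = length, a3 = pointer to the destination buffer. Returns 0
 * on success, -1 when the address does not resolve to an endpoint handle,
 * or the negative result of the read ioctl.
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    int fd = a0;
    uint8_t ep = a1;
    uint32_t len = a2;
    char* data = (char*)a3;

    int ep_handle = lookup_endpoint(fd, ep);
    if (ep_handle < 0) {
        return -1;
    }

    struct usb_raw_ep_io_data io_data;
    io_data.inner.ep = ep_handle;
    io_data.inner.flags = 0;
    if (len > sizeof(io_data.data))
        len = sizeof(io_data.data);
    io_data.inner.length = len;

    int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
    if (rv < 0) {
        return rv;
    }

    /*
     * NOTE(review): this copies the requested length, not rv. If the ioctl
     * filled fewer bytes, the remainder presumably comes from the
     * uninitialised stack buffer; confirm whether that is intended.
     */
    memcpy(&data[0], &io_data.data[0], io_data.inner.length);

    sleep_ms(200);
    return 0;
}

/* Pseudo-syscall: disconnect the emulated device by closing its fd; returns close()'s result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
    int fd = a0;

    int rv = close(fd);

    sleep_ms(200);
    return rv;
}

/*
 * Pseudo-syscall: open a device node.
 *
 * When a0 is 0xc or 0xb, opens /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
 * (a1 and a2 truncated to 8 bits) read-write. Otherwise a0 is a pointer to
 * a path template: every '#' is replaced by successive decimal digits of
 * a1, least significant first, and the result is opened with flags a2.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        char buf[128];
        sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    } else {
        char buf[1024];
        char* hash;
        /* Bounded copy with explicit termination; longer templates are truncated. */
        strncpy(buf, (char*)a0, sizeof(buf) - 1);
        buf[sizeof(buf) - 1] = 0;
        while ((hash = strchr(buf, '#'))) {
            *hash = '0' + (char)(a1 % 10);
            a1 /= 10;
        }
        return open(buf, a2, 0);
    }
}

/*
 * Pseudo-syscall: open a procfs file named by the string at a1.
 * a0 == 0 selects /proc/self, a0 == -1 selects /proc/thread-self, any other
 * value is used as a task id under /proc/self/task. Tries O_RDWR first and
 * falls back to O_RDONLY.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
    char buf[128];
    memset(buf, 0, sizeof(buf));
    if (a0 == 0) {
        snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
    } else if (a0 == -1) {
        snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
    } else {
        snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
    }
    int fd = open(buf, O_RDWR);
    if (fd == -1)
        fd = open(buf, O_RDONLY);
    return fd;
}

/* Pseudo-syscall: open the pts node that belongs to the pty master a0, with open flags a1. */
static long syz_open_pts(volatile long a0, volatile long a1)
{
    int ptyno = 0;
    if (ioctl(a0, TIOCGPTN, &ptyno))
        return -1;
    char buf[128];
    sprintf(buf, "/dev/pts/%d", ptyno);
    return open(buf, a1, 0);
}

/*
 * Pseudo-syscall: create a socket in the network namespace referenced by
 * kInitNetNsFd, then switch back to the caller's namespace.
 *
 * Returns the socket fd, or -1 with errno from the failing step. Exits the
 * process if the original namespace cannot be restored.
 */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        return netns;
    if (setns(kInitNetNsFd, 0)) {
        /* Do not leak the namespace fd on this path; keep setns()'s errno. */
        int saved = errno;
        close(netns);
        errno = saved;
        return -1;
    }
    int sock = syscall(__NR_socket, domain, type, proto);
    int err = errno;
    if (setns(netns, 0))
        exit(1);
    close(netns);
    errno = err;
    return sock;
}

/*
 * Pseudo-syscall: resolve a generic-netlink family name to its id.
 * Uses the socket given in sock_arg; when that is negative, a temporary
 * NETLINK_GENERIC socket is opened and closed again, and the lookup helper
 * is called with its `dofail` argument set.
 */
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
    bool dofail = false;
    int fd = sock_arg;
    if (fd < 0) {
        dofail = true;
        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (fd == -1) {
            return -1;
        }
    }
    struct nlmsg nlmsg_tmp;
    int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
    if ((int)sock_arg < 0)
        close(fd);
    if (ret < 0) {
        return -1;
    }
    return ret;
}

/* One chunk of a filesystem image: `size` bytes at `data`, placed at `offset` in the image. */
struct fs_image_segment {
    void* data;
    uintptr_t size;
    uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

/*
 * Clamp caller-supplied image segments in place and compute the image size.
 *
 * At most IMAGE_MAX_SEGMENTS entries are examined. Each examined segment has
 * its size capped at IMAGE_MAX_SIZE and its offset adjusted so that
 * offset + size stays within IMAGE_MAX_SIZE. The returned size is the larger
 * of the requested size and the furthest segment end, capped at
 * IMAGE_MAX_SIZE.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    for (size_t i = 0; i < nsegs; i++) {
        if (segs[i].size > IMAGE_MAX_SIZE)
            segs[i].size = IMAGE_MAX_SIZE;
        segs[i].offset %= IMAGE_MAX_SIZE;
        if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
            segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
        /*
         * A segment ends at offset + size. The previous expression added the
         * offset to itself, so the image could be sized without regard to
         * the segment's length.
         */
        if (size < segs[i].offset + segs[i].size)
            size = segs[i].offset + segs[i].size;
    }
    if (size > IMAGE_MAX_SIZE)
        size = IMAGE_MAX_SIZE;
    return size;
}

/*
 * Build an in-memory image from the segments and attach it to the loop
 * device `loopname`.
 *
 * On success stores the memfd and loop fd through memfd_p / loopfd_p and
 * returns 0. On failure closes whatever was opened, sets errno to the first
 * error and returns -1. Individual segment write failures are ignored.
 */
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs,
                             const char* loopname, int* memfd_p, int* loopfd_p)
{
    int err = 0, loopfd = -1;

    /*
     * fs_image_segment_check() validates only the first IMAGE_MAX_SEGMENTS
     * entries and takes nsegs by value, so apply the same cap here; otherwise
     * the write loop below would also use entries that were never clamped.
     */
    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    size = fs_image_segment_check(size, nsegs, segs);
    int memfd = syscall(sys_memfd_create, "syzkaller", 0);
    if (memfd == -1) {
        err = errno;
        goto error;
    }
    if (ftruncate(memfd, size)) {
        err = errno;
        goto error_close_memfd;
    }
    for (size_t i = 0; i < nsegs; i++) {
        if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
        }
    }
    loopfd = open(loopname, O_RDWR);
    if (loopfd == -1) {
        err = errno;
        goto error_close_memfd;
    }
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
        if (errno != EBUSY) {
            err = errno;
            goto error_close_loop;
        }
        /* Device still bound to an earlier backing file: detach, wait briefly, retry once. */
        ioctl(loopfd, LOOP_CLR_FD, 0);
        usleep(1000);
        if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
            err = errno;
            goto error_close_loop;
        }
    }
    *memfd_p = memfd;
    *loopfd_p = loopfd;
    return 0;

error_close_loop:
    close(loopfd);
error_close_memfd:
    close(memfd);
error:
    errno = err;
    return -1;
}

/*
 * Pseudo-syscall: attach the image described by the segments to this
 * process's loop device and request a partition scan. The visible part of
 * the body ends while the loop status is being updated.
 */
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;
    int err = 0, res = -1, loopfd = -1, memfd = -1;
    char loopname[64];

    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
        return -1;

    struct loop_info64 info;
    if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
        err = errno;
        goto error_clear_loop;
    }
    info.lo_flags |= LO_FLAGS_PARTSCAN;
    /* (the call continues past the end of this span) */
    if (ioctl(loopfd, LOOP_SET_STATUS64,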
&info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, 
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, 
&cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void setup_fault() { static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) exit(1); } } } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, 
FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: 
out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); }

/* Netlink attribute ids that hwsim_inject_frame() attaches to a
 * HWSIM_CMD_FRAME message, plus the largest frame length that
 * syz_80211_inject_frame() accepts before it touches the kernel. */
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
#define WIFI_MAX_INJECT_LEN 2048

/*
 * Send a generic-netlink HWSIM_CMD_REGISTER request on `sock`.
 *
 * nlmsg        scratch message buffer, (re)initialised here via netlink_init()
 * sock         netlink socket to send on
 * hwsim_family generic-netlink family id placed in the message
 *
 * Returns whatever netlink_send() returns; negative values are treated as
 * failure by the caller.
 */
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) {
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = HWSIM_CMD_REGISTER;
  netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
  int err = netlink_send(nlmsg, sock);
  /* Empty branch: nothing is logged or recovered here, the error is only
   * propagated (presumably a debug statement was stripped by the generator). */
  if (err < 0) {
  }
  return err;
}

/*
 * Build and send a HWSIM_CMD_FRAME message carrying one raw frame.
 *
 * The message gets four attributes: RX rate and signal (from the
 * WIFI_DEFAULT_* constants), the receiver address (ETH_ALEN bytes taken from
 * mac_addr) and the frame itself (`len` bytes taken from `data`).
 *
 * NOTE(review): `len` is handed to netlink_attr() unchecked in this function;
 * the only bound visible in this listing is the WIFI_MAX_INJECT_LEN check in
 * syz_80211_inject_frame(). Whether netlink_attr() itself guards the nlmsg
 * buffer is not visible here - confirm before calling this from elsewhere.
 *
 * Returns the result of netlink_send().
 */
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) {
  struct genlmsghdr genlhdr;
  uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
  uint32_t signal = WIFI_DEFAULT_SIGNAL;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = HWSIM_CMD_FRAME;
  netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
  netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
  netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
  netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
  int err = netlink_send(nlmsg, sock);
  /* Empty branch: the error is only returned, not handled here. */
  if (err < 0) {
  }
  return err;
}

/*
 * Pseudo-syscall: inject a frame through the MAC80211_HWSIM netlink family.
 *
 * a0  address of the receiver MAC (read as ETH_ALEN bytes downstream)
 * a1  address of the frame bytes
 * a2  frame length; rejected unless 0 <= a2 <= WIFI_MAX_INJECT_LEN
 *
 * a0 and a1 are reinterpreted as pointers without any validation in this
 * function; the length check below is the only input check.
 *
 * Returns 0 on success, -1 on a bad length, socket failure, or a failed
 * register/inject step. The socket is closed on every path after it opens.
 */
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) {
  uint8_t* mac_addr = (uint8_t*)a0;
  uint8_t* buf = (uint8_t*)a1;
  int buf_len = (int)a2;
  struct nlmsg tmp_msg;
  /* Bound the copy size before any netlink message is built. */
  if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
    return -1;
  }
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock < 0) {
    return -1;
  }
  /* NOTE(review): the family id is used without checking the lookup result;
   * a failed lookup presumably surfaces as an error from the register step
   * below - confirm, or check the id explicitly. */
  int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
  int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
  if (ret < 0) {
    close(sock);
    return -1;
  }
  ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
  close(sock);
  if (ret < 0) {
    return -1;
  }
  return 0;
}

/* Upper bound for the SSID length and the three accepted values of the
 * `mode` argument of syz_80211_join_ibss(). */
#define WIFI_MAX_SSID_LEN 32
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

/*
 * Pseudo-syscall: configure an interface to join an IBSS via nl80211.
 *
 * a0  address of the interface name string
 * a1  address of the SSID bytes
 * a2  SSID length; rejected unless 0 <= a2 <= WIFI_MAX_SSID_LEN
 * a3  mode; rejected unless it is one of the WIFI_JOIN_IBSS_* values (0..2)
 *
 * The frequency is marked fixed for the NO_SCAN and BG_NO_SCAN modes. Only in
 * NO_SCAN mode does the function additionally wait for the interface to
 * report IF_OPER_UP.
 *
 * Returns 0 on success, -1 on invalid arguments or any failed step.
 */
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) {
  char* interface = (char*)a0;
  uint8_t* ssid = (uint8_t*)a1;
  int ssid_len = (int)a2;
  int mode = (int)a3;
  struct nlmsg tmp_msg;
  uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
  /* Argument range checks happen before any socket is opened. */
  if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
    return -1;
  }
  if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
    return -1;
  }
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock < 0) {
    return -1;
  }
  /* NOTE(review): as in syz_80211_inject_frame(), the lookup result is
   * passed on without being checked here. */
  int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
  struct join_ibss_props ibss_props = {
      .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len};
  int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
  /* The socket is not needed past this point; the wait below does not take it. */
  close(sock);
  if (ret < 0) {
    return -1;
  }
  if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
    ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
    if (ret < 0) {
      return -1;
    }
  }
  return 0;
}

/*
 * Pseudo-syscall: treat `text` as the address of a `void f(void)` function
 * and call it. No validation of the address or of the bytes behind it is
 * done here. In this listing the only caller is case 13 of execute_call(),
 * which first copies 58 bytes to 0x20000340 and then passes that address.
 * Always returns 0 if the call comes back.
 */
static long syz_execute_func(volatile long text) {
  ((void (*)(void))(text))();
  return 0;
}

/* Per-worker state: `created` marks a started thread, `call` is the index
 * handed to execute_call(), `ready`/`done` are the hand-off events between
 * loop() and thr(). */
struct thread_t {
  int created, call;
  event_t ready, done;
};

/* Fixed pool of 16 worker slots, started lazily by loop(). */
static struct thread_t threads[16];
static void execute_call(int call);
/* Number of dispatched calls that have not finished yet; updated with
 * relaxed atomics in loop() and thr(). */
static int running;

/*
 * Worker thread body: wait for `ready`, run the assigned call, decrement
 * `running`, signal `done`, repeat. The loop never exits, so the trailing
 * `return 0` is not reached.
 */
static void* thr(void* arg) {
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

/*
 * Dispatch calls 0..52 in order, each to the first worker slot whose `done`
 * event is set, and wait a bounded time for it before moving on.
 *
 * A call that times out keeps its worker busy; later calls then use the next
 * free slot. If all 16 slots are busy, the inner loop ends without
 * dispatching and that call index is skipped.
 */
static void loop(void) {
  int i, call, thread;
  for (call = 0; call < 53; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      /* Lazily start the worker; `done` starts out set so the slot is free. */
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      /* Slot still busy with an earlier call: try the next one. */
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      /* Base budget of 50 plus a per-call extra for selected call indices
       * (units are not shown here; presumably milliseconds - confirm). */
      event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 38 ? 50 : 0) + (call == 43 ? 3000 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 300 : 0) + (call == 46 ? 3000 : 0) + (call == 47 ? 300 : 0) + (call == 48 ? 3000 : 0) + (call == 49 ? 300 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 300 : 0));
      break;
    }
  }
  /* Final drain: poll `running` up to 100 times, sleeping 1 ms between polls. */
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

/* Fallback syscall numbers, used only when the system headers do not already
 * define the corresponding __NR_* macro (presumably the i386 numbering, given
 * the linux/386 test target - confirm). */
#ifndef __NR_dup
#define __NR_dup 41
#endif
#ifndef __NR_fcntl
#define __NR_fcntl 55
#endif
#ifndef __NR_getgid
#define __NR_getgid 47
#endif
#ifndef __NR_getresuid
#define __NR_getresuid 165
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_lstat
#define __NR_lstat 107
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_read
#define __NR_read 3
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_statx
#define __NR_statx 383
#endif
/* From here on every use of __NR_mmap resolves to __NR_mmap2. */
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

/* Result slots shared between the generated calls: execute_call() stores
 * values returned by earlier calls in r[N] and feeds them to later ones. */
uint64_t r[26] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000000 = -1; inject_fault(1); res = syscall(__NR_ioctl, -1, 0x89e2, 0x20000000); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0xe6; memcpy((void*)0x20000048, 
"\xf1\x37\x16\x1a\xb8\x6c\x59\x42\x02\xb9\x97\xd9\xf1\x2d\x00\x70\x21\x87\x03\x22\xc8\xd9\x09\x74\x84\x09\x95\x1a\xe9\x80\x0c\x1e\x20\x7f\x98\xb7\x69\xc7\x40\xf8\x67\xea\x14\xbb\xf8\x66\x6a\x4f\x98\xd2\x29\xaa\xaf\xbc\x33\xc6\xc5\x21\x68\xdb\x89\x33\xc4\xa4\xa4\xa3\xdd\x3c\xe0\xcc\xea\x96\xe7\x1d\x81\xff\x4a\xca\x83\x31\xcb\x01\xbf\x35\x43\x38\x53\xd1\xab\xd4\x8f\xd6\xd0\xce\x13\x14\xdf\x65\x07\xba\xe5\x35\xa2\xb4\xe3\xea\xa7\x4c\x5d\x23\x00\x65\x94\x14\x8a\x0f\xe5\xb4\xa8\x84\xef\x8f\x41\x34\x6e\x49\xcc\x90\x47\x4c\xb1\x7b\xac\x30\x1d\x47\x97\xed\x05\xdf\xc6\xcc\xb7\x4b\xeb\xaa\xbe\x54\x91\x72\xd6\x22\xa3\x06\x05\xa4\xe4\x9f\xd3\xf8\x53\x7d\xe5\x27\x2c\x33\xad\x4f\x07\xcd\x06\x05\x77\xbc\xe6\x5e\x5c\x80\xa3\x41\x68\xcd\xe6\x81\x17\xe4\xf9\x00\xe3\x5a\x3d\x88\x8e\x02\xee\x11\x17\x52\x21\x3b\x40\xd2\xaf\x25\x8c\x01\xf3\x6d\xe5\x0c\xe8\xe8\x3d\x42\x26\xa3\x0d\x6a\x4c\xc4\x3a\x88\x3f\x6c\x20\xe3\xfa\xda\x8a\xd2", 230); *(uint32_t*)0x20000140 = 0xee; res = syscall(__NR_getsockopt, -1, 0x84, 0x1a, 0x20000040, 0x20000140); if (res != -1) r[1] = *(uint32_t*)0x20000040; break; case 2: *(uint32_t*)0x20000180 = r[1]; *(uint16_t*)0x20000184 = 0xa; *(uint16_t*)0x20000186 = htobe16(0x4e22); *(uint32_t*)0x20000188 = htobe32(3); *(uint8_t*)0x2000018c = 0xfc; *(uint8_t*)0x2000018d = 2; memset((void*)0x2000018e, 0, 13); *(uint8_t*)0x2000019b = 0; *(uint32_t*)0x2000019c = 1; *(uint64_t*)0x20000204 = 0x7fffffff; *(uint64_t*)0x2000020c = 1; *(uint64_t*)0x20000214 = 0x7fff; *(uint64_t*)0x2000021c = 4; *(uint64_t*)0x20000224 = 7; *(uint64_t*)0x2000022c = 1; *(uint64_t*)0x20000234 = 0x3ff; *(uint64_t*)0x2000023c = 0x40; *(uint64_t*)0x20000244 = 5; *(uint64_t*)0x2000024c = 1; *(uint64_t*)0x20000254 = 0; *(uint64_t*)0x2000025c = 7; *(uint64_t*)0x20000264 = 0; *(uint64_t*)0x2000026c = 8; *(uint64_t*)0x20000274 = 0x1f; *(uint32_t*)0x20000280 = 0xfc; res = syscall(__NR_getsockopt, (intptr_t)r[0], 0x84, 0x70, 0x20000180, 0x20000280); if (res != -1) r[2] = *(uint32_t*)0x20000180; break; case 3: 
*(uint32_t*)0x200002c0 = r[2]; *(uint16_t*)0x200002c4 = 0xa; *(uint16_t*)0x200002c6 = htobe16(0x4e20); *(uint32_t*)0x200002c8 = htobe32(9); *(uint8_t*)0x200002cc = 0xfc; *(uint8_t*)0x200002cd = 2; memset((void*)0x200002ce, 0, 13); *(uint8_t*)0x200002db = 1; *(uint32_t*)0x200002dc = 3; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 6, 0x200002c0, 0x84); break; case 4: memcpy((void*)0x20000380, "/dev/pktcdvd/control\000", 21); res = syscall(__NR_openat, 0xffffff9c, 0x20000380, 0, 0); if (res != -1) r[3] = res; break; case 5: syscall(__NR_ioctl, (intptr_t)r[3], 0x7c80, 0); break; case 6: *(uint32_t*)0x200003c0 = r[1]; *(uint16_t*)0x200003c4 = 0xa; *(uint16_t*)0x200003c6 = htobe16(0x4e23); *(uint32_t*)0x200003c8 = htobe32(0x7f); *(uint8_t*)0x200003cc = 0xfc; *(uint8_t*)0x200003cd = 0; memset((void*)0x200003ce, 0, 13); *(uint8_t*)0x200003db = 0; *(uint32_t*)0x200003dc = 5; *(uint16_t*)0x20000444 = 5; *(uint16_t*)0x20000446 = 0x476f; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 0x1f, 0x200003c0, 0x88); break; case 7: *(uint32_t*)0x20000500 = 1; *(uint32_t*)0x20000504 = 2; *(uint64_t*)0x20000508 = 0x20000480; *(uint32_t*)0x20000480 = 0; *(uint64_t*)0x20000510 = 0x200004c0; *(uint32_t*)0x20000518 = 4; *(uint32_t*)0x2000051c = 8; res = syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000500); if (res != -1) r[4] = *(uint32_t*)0x200004c0; break; case 8: *(uint32_t*)0x200005c0 = 0x8a; *(uint32_t*)0x200005c4 = 7; *(uint64_t*)0x200005c8 = 0x20000540; *(uint32_t*)0x20000540 = r[4]; *(uint32_t*)0x20000544 = 0x400; *(uint64_t*)0x20000548 = 0; *(uint64_t*)0x200005d0 = 0x20000580; *(uint32_t*)0x200005d8 = 0x10; *(uint32_t*)0x200005dc = 0xc; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x200005c0); break; case 9: *(uint32_t*)0x20000680 = 0x83; *(uint32_t*)0x20000684 = 2; *(uint64_t*)0x20000688 = 0x20000600; *(uint32_t*)0x20000600 = r[4]; *(uint64_t*)0x20000690 = 0x20000640; *(uint32_t*)0x20000698 = 4; *(uint32_t*)0x2000069c = 4; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 
0x20000680); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 0x240, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); memset((void*)0x20000044, 255, 6); *(uint8_t*)0x2000004a = 8; *(uint8_t*)0x2000004b = 2; *(uint8_t*)0x2000004c = 0x11; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; memcpy((void*)0x20000050, "\x20\x15\xd2\x29\x78\x5b", 6); STORE_BY_BITMASK(uint16_t, , 0x20000056, 8, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0, 4, 12); *(uint16_t*)0x20000058 = 0x27; *(uint8_t*)0x2000005a = 0x8c; *(uint8_t*)0x2000005b = 0x18; *(uint16_t*)0x2000005c = 0xc93; memcpy((void*)0x2000005e, "\xff\xe3\x24\x0f\x04\x84", 6); memcpy((void*)0x20000064, "\x06\x7e\xcc\x39\xa7\x8a\x3e\xa4\x7c\x22\x24\x6d\x39\x1b\x92\xc4", 16); syz_80211_inject_frame(0x20000000, 0x20000040, 0x34); break; case 11: memcpy((void*)0x20000080, "wlan1\000", 6); memset((void*)0x200000c0, 1, 6); syz_80211_join_ibss(0x20000080, 0x200000c0, 6, 2); break; case 12: memcpy((void*)0x20000100, "bpf_lsm_xfrm_policy_alloc_security\000", 35); syz_btf_id_by_name(0x20000100); break; case 13: memcpy((void*)0x20000340, 
"\xc4\xc1\x7d\x6f\x70\x72\xc4\xe1\xf9\x11\x2f\xc4\xe3\xc9\x5d\x33\xab\xc4\xc2\x79\x0e\xb0\x00\x00\x00\x00\xc4\xe1\x7a\x12\xb7\x0c\x00\x00\x00\x0f\x01\x56\xe9\xc4\xe1\x0d\xd5\x5e\x0c\xf3\x0f\x52\x6b\x00\x0f\x7e\x20\xc4\xc1\x79\xe7\x02", 58); syz_execute_func(0x20000340); break; case 14: res = syscall(__NR_dup, -1); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_fcntl, -1, 9, 0); if (res != -1) r[6] = res; break; case 16: memcpy((void*)0x200026c0, "./file0\000", 8); res = syscall(__NR_lstat, 0x200026c0, 0x20002700); if (res != -1) r[7] = *(uint32_t*)0x20002710; break; case 17: res = syscall(__NR_getresuid, 0x20002800, 0x20002840, 0x20002880); if (res != -1) { r[8] = *(uint32_t*)0x20002800; r[9] = *(uint32_t*)0x20002880; } break; case 18: res = syscall(__NR_read, -1, 0x20002ac0, 0x2020); if (res != -1) r[10] = *(uint32_t*)0x20002ad0; break; case 19: memcpy((void*)0x20004b00, "./file0\000", 8); res = syscall(__NR_statx, -1, 0x20004b00, 0x2000, 0x20, 0x20004b40); if (res != -1) r[11] = *(uint32_t*)0x20004b58; break; case 20: *(uint32_t*)0x20004e00 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004d00, 0x20004e00); if (res != -1) r[12] = *(uint32_t*)0x20004d34; break; case 21: res = syscall(__NR_getgid); if (res != -1) r[13] = res; break; case 22: memcpy((void*)0x200003c0, 
"\x23\x58\x10\x53\x7c\x7f\x88\x6c\xa9\x17\x21\x04\x5f\xf7\xba\xdf\xae\x44\x29\xb2\x52\xcd\x65\x81\x72\xc1\xd0\xd4\x18\xed\x70\x05\x74\x39\xfc\x22\xff\xc7\x7b\x29\x08\x5c\x94\x88\xff\x93\x40\xf8\xa2\xad\xe9\x9b\xf9\xaf\x14\xa3\x57\x25\x7b\x8a\xa6\x9b\x4b\x8e\xff\xe7\xaf\xd6\x87\x6b\x3b\x51\x2b\x86\xfa\x1d\xff\x55\x5c\x6d\xc6\x18\x62\x66\xc9\x1f\xa2\x81\xc9\xdc\x72\xee\x17\xea\xd0\xe2\xa3\xfe\x9f\xf0\x3e\x7c\x32\xd2\x7e\x26\x7f\x5b\xe0\xfd\x6d\x1f\x9e\xfc\x02\xaf\x7f\xe9\xd6\x8d\x75\x55\x19\x20\x1d\xea\x7a\xbe\x68\x10\x53\xab\x98\xf7\x3f\xc0\xc6\xa0\x68\x4e\x91\xb7\x41\xc8\xc9\x45\x1f\x94\x59\xb5\x98\xee\x6f\x4e\xc0\xc9\x1f\x3e\x91\x7a\xf1\xe6\x64\x6f\x3c\x54\xf8\xfa\xf0\x48\x7d\x8e\xcc\xf0\x87\xe2\x8f\x87\x68\xf4\x8a\xe1\x5d\x09\x89\x04\xb3\x25\x42\x85\x70\x2e\x30\x8a\x93\x7d\x5e\x23\xa2\xae\xf3\xc2\x53\x12\x51\x6c\x50\x2d\x5e\x02\x33\x06\x52\x29\xee\x4a\x70\xdb\xc4\x14\x60\x4b\x7f\x05\x5e\xb7\xa2\x72\x48\x03\xe8\x5e\x5b\x4c\xd0\x5a\xf7\x11\xed\x73\x0f\xce\xb8\x1b\xca\xe1\x7a\x49\x67\xaa\x6c\xcf\xf3\xc0\xf4\x96\x6b\x7f\xf3\xd1\x5f\x09\x3e\x94\xeb\x0a\x46\xb7\x0c\x0f\xa5\xb8\x62\x8c\xac\x3c\x31\x01\x9b\xba\x60\x02\x41\x6f\xc6\x66\x1d\x85\x8f\xff\x16\xa9\x62\x15\xb1\xd1\x8a\x87\x7d\x9a\x53\x4a\xc4\x02\x56\xa3\x55\x79\x31\xad\xe2\x7f\x58\x7c\xce\x26\xa2\x0c\x01\x3d\xc6\x7f\x2e\x92\x2a\x52\x68\x9a\xae\xfa\x1b\x06\x4d\x03\xf8\xf6\xa3\x9f\x96\xb0\xde\x1d\x21\x39\x4c\xb6\xc2\x30\x10\xeb\x9e\x4a\x79\x41\x47\x35\xed\x99\x65\x42\x5f\x8a\x01\x00\x84\x96\xdb\xad\x04\x97\xfa\x0d\x65\xac\xec\x59\xff\xa6\xa2\x80\xbc\x58\xe2\xd8\x87\xa1\x0e\x96\x65\xea\xeb\x97\x43\x6e\xbd\xeb\x2b\x58\xa9\xae\x40\xe4\x49\x27\x32\x46\xfd\x99\x67\x53\x9f\x21\x2e\xd8\x96\x9b\x6f\x9a\x49\xd6\x5b\xca\xd2\xdd\x9d\x8e\xe4\x2e\x32\x05\x74\x11\x17\xe4\x31\xd4\x43\xff\x3e\x94\xc4\x7e\x7f\xd6\x27\xd3\x05\x11\xd5\xfb\xce\xc6\xa7\x58\x38\x3d\x31\x36\x7a\xca\x8e\x3a\xf7\x72\xa1\x02\x11\x05\xab\x2c\x1b\x4a\xa7\x61\x4d\xea\x8c\xfa\x4b\x06\xf5\x3a\xf3\x73\x77\x98\x62\xc9\xbd\xb7\x6e\xf9\x3c\x74\x61\x8e\xee\x73\x47\xa
0\x74\xd4\xf7\x1a\x98\x23\x3b\x24\xb2\xa2\x57\x29\xc9\xa1\x98\x3d\x81\x9c\x3f\x42\xd3\x28\xd0\x8f\x0d\x4d\xd1\x64\x2f\x61\xb6\x2a\x89\xfc\x30\x0f\x50\x66\xd8\xe4\x57\xf5\xfd\x49\xda\xa7\x9e\x1b\x1d\x43\xd2\x6f\x89\xf2\xca\x99\x04\x50\xe8\x60\xbc\xc4\x7d\x5c\xf4\x77\x8c\x37\xc4\x51\xed\x22\xd6\x0f\xe2\xbc\xfa\x2c\xaf\xf7\x5c\x41\x70\x99\x0a\x2e\x8e\x21\x87\x19\x7f\x86\x38\xb0\x67\x85\x4c\xcf\x9d\xbe\x91\x58\x6d\xd4\x23\x41\x40\x1c\x4f\xb4\xf3\x13\x30\x66\x8a\xcb\x51\x6e\xba\x22\x27\xcb\xca\x4c\x8f\xa2\xf3\x9a\x03\x52\x1b\xd8\x03\x2f\x5e\x1a\xed\xf4\x9c\x50\xe6\x01\xb9\xfa\xd4\xe0\xd6\xf5\xb5\x93\x2e\xa2\x14\xfd\x50\x84\x85\x70\x3d\x08\x45\x79\x8d\x43\xbd\xbf\xf9\x63\x86\x77\xe6\xa9\x96\xef\xbb\xd1\x93\x6e\x97\x28\x20\x62\x70\x9f\x77\x8b\x45\x5c\xb4\xd2\x00\x13\xf5\xfe\x4c\x9b\xba\x0f\x7c\xfc\x18\x02\xe8\x18\x0f\xb6\xd4\x6f\x51\x76\xd1\xbd\xbb\x43\xd9\x60\xd4\x94\xf3\xa3\x0e\xd7\xab\x4d\xb0\x7d\xe5\xad\x92\x4b\x57\x97\xb5\x09\xf9\x60\x83\xf4\xad\xa9\xfc\xeb\xed\xe1\xeb\x0f\xb0\xdf\xa2\xcd\xc2\x14\x4b\x15\xcf\x4c\x28\x0f\x87\xd1\x18\x7e\x80\x8e\x37\xcd\xef\x53\x75\x52\xe3\x83\xf4\x6c\xcf\xe8\x62\x15\xb2\x07\x15\x39\x85\xe6\xb1\x31\x96\x22\x1f\xde\xa6\xc9\x47\x86\x4d\x12\x14\x7d\x7b\x01\xef\xc3\xdf\x14\x4e\x2c\xaa\x24\xd1\xa4\x78\x2a\x51\xa8\x23\x5c\x4c\x0e\xad\xf0\x44\x0c\x8e\x43\x4a\x4d\x07\x2b\xe5\x84\x55\x47\x17\x5f\x37\xc5\x5f\xdd\xd5\xe7\x84\x95\xac\xe4\x34\xc4\x83\xf2\x8b\xb3\x48\x7a\xd8\xd6\x8b\xd7\x43\x77\xfd\x82\xe1\x7b\xaf\xeb\x06\x2b\x81\xc6\x8e\x8a\x63\x89\xc8\xd8\x10\x79\xe4\xc9\xfa\xa2\xa8\xfc\xf1\x24\x15\xcc\x21\xeb\xcd\x92\xde\x80\x88\x45\x50\x59\x4c\xa6\x4b\x56\xb0\xb4\x24\xa6\x5f\x80\xca\xb1\x64\xb2\xf6\xf2\xf3\x3c\x7a\xea\xa8\xb6\x60\x2e\x71\x83\xb9\xd0\xae\x15\x3a\x17\x03\xb3\x03\x67\x5a\xae\x13\x3b\x3d\xd9\xc6\x46\x67\x7f\x6d\x8a\x49\x2d\xa0\x99\xef\xb4\xa7\xe4\xde\xe3\x92\x81\x8a\x15\xd6\xbf\x9e\xfb\x07\xee\xad\x5b\x40\xac\x25\xbb\x0f\x00\x92\xf4\xb0\xec\xaf\x0a\xc3\x39\x1b\x3e\xcf\xd0\x63\x5e\xc4\x96\xb8\xb6\x6d\x7a\x45\x1c\x6d\x10\x37\x9c\x15\x2
9\x1c\x4f\x36\x82\xf0\x5f\xb7\x39\x44\xcd\x1b\xe0\xf0\xfa\x85\x54\x35\x8b\x30\xde\xb7\x38\x69\x31\xae\x95\xeb\x2a\x16\xfa\xed\x24\x5f\xfc\xad\xb3\x94\xac\xdf\x06\x38\xa6\x26\x27\x82\x33\x01\x93\x66\xe2\xec\xd9\xdb\x1a\x4b\x5a\xe2\x7f\xf8\x3d\x7b\x57\x1c\xd7\xff\xc1\x51\xdc\x4d\x0c\xef\x1d\x03\x00\xc9\x8a\x41\x69\x77\x51\x85\x1f\x8e\x05\x24\x9c\xae\x19\x96\x3f\x81\x25\x89\xa7\xd6\x4c\xfa\xb8\x46\x43\x9f\x47\x13\x43\xba\x5e\xff\xac\x9a\x57\xf7\x6d\x0a\xbf\xb9\x5e\x87\x8b\xee\x4c\x94\x24\xf0\xca\x17\x18\x19\x5e\xff\x14\x06\x0a\xcf\xb3\xe0\xdf\x4c\xbc\x56\x0b\xc2\xbe\x9a\xb4\xf0\xa0\xbd\x68\x6f\xe2\x13\xd4\x49\x47\x17\x0e\x68\xe7\x3b\xaa\xdd\x98\x2c\xe2\xd1\x70\xa5\x0d\x1e\xca\x02\x40\xcd\x3c\xec\xe9\xf7\x4d\xa3\xa1\xc1\x47\x6f\xf1\x1f\xa3\x34\xd7\x2c\x18\x50\x6b\x5c\x00\xa4\x41\xea\x2e\x9c\x72\xc7\x6b\x38\x50\x37\xf8\x6c\xa5\x94\xaa\xad\xe9\x87\xa7\x9b\xbd\x3e\x3c\x40\xd0\x00\x7a\x7f\xf8\x52\x99\x05\xb9\x4c\x54\x61\x65\x62\x92\x95\x0b\x41\xc8\x34\x43\xdc\x84\xd6\xfd\xf5\x2e\x44\x97\xed\x68\x04\x98\x1a\xf1\x33\x85\x64\x92\x00\xd8\x93\x09\x3b\xf2\xea\x82\x25\xb3\x89\xc4\xdf\xd2\xe8\x15\xb3\xbd\xf9\xd7\x08\x4d\x29\x00\x9e\xae\x4e\x88\x22\xa5\xb6\xa5\x2a\xa7\x6a\xfd\x95\x1d\x04\xaf\xa8\xe1\x28\x63\x96\xa8\x34\xdc\xf8\xc6\xb5\x7c\xc4\xef\xbc\x0c\x16\x77\x9d\x53\xf0\xbc\xd7\x40\x43\xc0\x6e\xce\xbe\x59\x32\x8d\xcc\xa8\xbb\x61\x05\xaf\x23\x56\x59\x06\xe5\x46\x6c\x73\x11\xb1\xaa\xc6\x76\x2e\x4b\x62\x60\x36\xfe\x31\xd3\xe7\xb0\xfa\x2e\x65\x8c\xa9\x35\x10\x78\xee\xca\x7b\x46\x7e\x11\x8e\x9b\x88\x95\x9d\xe1\xf4\x18\x69\x40\x5a\x83\xbd\xc6\xce\x98\x0c\x72\x9f\x7e\x2a\x46\x0f\xa9\xbe\xe1\x61\xe5\x4d\x27\x1a\x87\x4b\xb4\xd0\xa2\x2c\xd1\xa4\x37\x6d\xe3\x6b\x58\x68\xca\x0e\x10\x93\x3e\x5f\xe2\xf7\x38\x5c\x1a\xf6\x2b\x86\xf8\xe5\xc3\x12\x66\x26\xb8\xbc\x6d\x56\x8f\x62\x1d\xa3\x23\x70\x7e\xa3\x32\xd7\x65\x44\x39\xfb\xa4\x67\x1d\x0c\xae\xb7\xef\x94\xe2\x5a\x82\x86\xbd\x9a\x19\xa2\x9e\x49\x32\xc7\xdb\x9b\x82\x34\x7d\xa5\x24\x92\xb3\x81\x4a\x44\xb9\x2f\x61\x55\x9c\x22\x65\x4c\x8b\x30\x1a\x8
d\xfe\x9d\xae\xae\x0c\xad\xe9\x46\xc0\x66\x6e\x94\xc4\xa6\x35\x3b\xb0\xeb\x21\x37\xd3\x68\x53\xad\x4f\x7a\x20\xa5\x08\x1e\x63\xaf\xee\xce\x20\x3f\xa6\xee\xea\x7f\x62\x9d\x00\x1d\xab\xaf\x5b\x1a\x3c\x67\x61\x51\x7b\xc9\x9a\x8e\x63\xf6\x6c\x01\x88\x49\x27\xb4\xbc\x40\xbc\x34\x19\x0c\x9e\x55\x3c\x69\x0f\xbc\x64\x44\xdd\x8b\xba\x65\x68\x74\xfa\x80\x46\x31\xb5\x6d\x24\x54\x1a\x9b\xd6\xfb\x77\xdb\x49\x03\x76\x9f\x9d\x04\x44\xd0\x8a\x21\xff\x59\xd9\x49\x65\x9d\x80\xb1\x40\x2d\x91\x9a\xc0\xfb\x83\x80\xed\x91\x15\xb6\x69\x3c\x19\x5f\x8f\x1a\x90\xa3\xa4\x22\x35\xd8\xea\x78\x2e\xda\x2b\xf1\x94\xd3\x2f\xbc\xc5\x63\x27\x1a\xfd\xa7\x3d\x70\x96\xa2\xe9\xe4\x67\x54\x1e\x76\x67\xc2\x67\xc5\x95\xe1\x23\x37\x29\x75\x26\x77\x68\xb8\xd1\x6c\xb6\x13\x0e\xae\xbf\x69\x8b\xe7\x6e\xef\xab\xbe\xac\xd5\x9f\x63\x1c\xc1\x04\xf0\x42\x26\x3e\x3e\x29\x62\x59\x79\x69\x72\x1a\x6c\x02\x2a\xba\x14\x11\x2e\x2f\x38\x02\xba\x63\x53\x91\xcd\x1f\x94\x32\x35\x25\xc8\x16\xef\xa9\xe8\x65\x52\x39\x9e\x79\x66\x5f\xf5\x54\xf5\x86\x75\x4f\x72\xd5\x3a\x0d\x94\x75\xc6\x55\x94\x8b\xd1\x3e\xc9\x3d\xd8\xcc\x43\xe5\xb8\x13\xeb\xfe\xa4\xab\xcd\x78\x0e\xed\xb6\x82\xac\x4f\x66\xe1\x68\x47\xf7\x82\x1f\xdc\x40\xda\x07\x3f\x7f\xc5\x9f\xe5\x7c\xa6\xad\x5f\x4d\xdd\x8a\x41\xe8\xaa\xdf\x3e\x21\x78\xcf\x42\x95\xc8\x59\x99\xe2\xc2\xd8\x24\xa0\x8e\xbb\x9a\x9b\x09\xe2\xef\xbf\x9b\x8d\x03\x73\x09\x1e\xa6\x1e\xc6\xaf\x17\xdf\x1e\x71\xac\xeb\x40\x3a\x41\xd3\xba\xfe\xfc\x56\xdc\xff\x18\x60\x23\xe9\xf2\x89\xe6\x1b\x74\x69\x04\xb3\xce\x34\x86\x9b\x53\x27\xc9\x24\xa2\x73\x36\xb2\x16\xd2\x20\x6e\xeb\xa9\xb1\xdf\xdc\xe0\x22\xe3\xa1\x3a\x26\x17\x38\x7f\xb3\xff\x5a\x1d\x0f\x38\xfb\xb9\x06\x3b\xcb\x69\xb5\xe3\x3e\xe4\x57\xef\xe0\x51\xdf\x45\x34\x62\xb7\x18\xd7\xd5\xe7\x80\x31\x04\x71\xa7\x3d\x99\xe2\xeb\x1e\x23\x23\x6c\x74\xb9\x37\x7c\x3e\x0e\xbb\x93\xea\x7a\x6a\x7b\x32\x2c\x42\x59\x10\x20\x9f\x89\x18\x41\xd6\x5c\xb8\xdb\x3b\x2b\x0d\x51\xd2\x7c\xde\x0c\xa1\x85\xbd\x3b\xf1\xf4\x02\xff\x10\xfc\x61\x1b\x93\xfa\x6f\x94\xeb\xf6\x07\x9a\xc6\xd5\xf3\x0
f\xf8\x66\xa4\xdb\xf3\x07\x29\xfc\x3c\xd0\x03\xed\x9e\xee\x6e\x1c\x92\x31\x9a\x8c\x62\x69\xe1\xa7\xdb\xa0\x49\x1d\x27\xb3\x26\x38\x8b\xc3\x2d\x58\xbf\x68\x5e\xc4\x29\xa8\xca\x7a\x12\xb6\x60\x18\x23\x08\x71\x0b\x5a\xa6\x1d\xce\x0a\x14\x3f\xad\x3b\xbc\x1a\x81\xa8\xf8\x14\xee\x37\xb4\x34\xc7\xd7\x29\x33\x1c\xe7\xf7\x2d\xdf\x31\xdc\xa7\x19\xbd\xfa\x04\xc0\x3a\xec\xeb\x4c\x64\x0c\x1c\xdd\xd0\xf0\x11\x37\xbd\x6e\x2f\x7a\xef\xb5\x1b\x02\x10\xb8\xcd\xb2\xcc\xb0\xf5\xd7\x45\x8d\x05\x71\x92\x76\x75\xf1\xbe\xdb\x36\xd0\xbf\x30\xac\x68\xdb\x43\x8f\xfb\xa7\x4a\xca\x62\x37\x25\xf2\x75\x22\x70\x1b\xb6\xc5\xca\x41\x4d\x23\x91\xcd\x53\x3a\x82\xc0\x66\x72\x4c\x6d\x3f\xd6\x8f\xe4\x2a\x83\x4d\xcc\xf5\xbf\x70\x34\x74\x29\xad\x8e\x38\x22\x15\xf7\x2f\xad\x93\x6e\xf9\x49\xbf\x64\xda\xd1\x25\x77\xea\xd0\xdc\x6c\xf2\x71\xbe\x7c\xa8\xe0\xba\xab\xb4\x39\x7f\xf0\x63\xf3\xae\x8e\x74\x12\x10\xc6\xa3\xab\x3b\x44\x2b\xa8\xfb\x16\xf2\x28\xc5\xda\xfe\xb1\xb4\x40\x82\x7d\xef\xbc\x48\xf5\xcb\xce\xb2\x74\x07\x55\xc9\x85\xd0\x60\xe8\x2c\x86\xc7\x32\xbb\xd5\x60\x88\x35\x91\xa1\xac\x05\x82\x99\xf1\x7f\x2e\x2a\x12\x85\x60\x28\x0b\xa0\x89\xe8\x4c\x34\x65\x45\x2a\x65\x07\xa6\x3f\x88\x49\x44\xa8\x3a\x21\xd2\x6c\x8e\x49\x8f\xf5\xdb\xd4\x89\xc6\x9c\xa7\x85\x32\x49\x01\x8e\x9d\x03\x52\x0b\x23\xf4\x7b\x29\x7b\x85\x26\x32\x2b\x1f\x6b\xd5\x4d\x06\x0c\xce\xa3\x01\xcc\x8a\x3a\x15\xda\x2d\x39\xb6\x4e\xa4\xdd\xb0\x3c\x7b\x6c\xba\x60\x5e\x8d\xd4\x86\xd1\x2d\x8f\x0c\x6c\xd9\xfb\x47\x81\x61\x12\xba\xa0\xa7\xae\x0e\xba\x4f\x0f\x89\xb2\x14\x32\x03\xa1\x19\xa6\xbb\x85\x45\xc1\xba\x66\x78\x84\x95\xf4\xe7\xda\xd9\x6d\xf8\x11\x9b\x1c\x11\xd7\xff\xb0\x71\x07\xc0\xc0\x35\xa8\x06\x97\xa8\xed\x78\x0d\x9c\x55\x61\x92\x93\x85\x08\x5f\x0a\xa7\xbc\x74\x8f\x2b\x5e\x23\x4e\x21\x0c\xe7\x77\x22\xc5\x4e\x80\xb8\x86\xc0\xd6\x14\x65\x8f\xfa\x23\x40\x8c\xac\xa9\xcf\x01\x38\x69\xef\x66\x29\xf8\x46\x16\x40\xda\xea\x86\x9a\xd4\xc3\x65\x53\x0d\xe5\x27\x81\x5c\xaf\xee\x31\x4f\x8c\xa7\xb9\x87\x95\x22\xc4\x26\x29\xe3\xe7\x12\x96\xe5\xf6\x0a\x84\xdb\x3
9\xd5\xc9\x00\x00\x16\xea\x33\xf4\x81\xd8\x0c\xcb\x80\xf0\x85\xd5\xed\x3f\x70\x0b\xad\xc3\xb4\xb7\xd8\x0d\xd8\xa7\x78\xf0\x38\x17\xa1\x0d\x67\x89\x2d\x36\x87\x0a\x98\xbd\xc7\x0c\xfd\xa4\x83\x4c\x78\x15\x42\x1f\xc9\x72\x74\x01\xbd\x4f\x81\x11\xbb\xba\x76\x86\x02\x4b\x42\x72\xf5\xa6\x8a\x66\x51\x94\xaf\xc4\xf1\xa9\xf8\x57\xaf\x27\x0e\x30\x22\xc1\x8d\xfc\x18\xf6\x7b\x39\x77\xe6\x41\xc6\x25\x8f\x00\xc1\x43\x0e\xa7\x95\x78\xf4\xdc\x82\xa0\xba\xb5\x21\x40\xdf\x4b\xe0\xad\xb3\x29\x19\x5a\x29\x7d\xf0\xbe\x6e\x12\x34\x97\x70\xb4\x47\x7a\x44\x65\xa8\x14\x39\xf2\x2b\x6b\xdc\x67\x7a\xb8\x6d\x4e\xdb\xbd\xfc\x7d\xb3\xcf\x06\xd4\xa9\x4d\x33\xc6\xc1\x1f\xa1\x63\xfe\xfb\x1a\x87\xa9\xb5\x2c\x1c\xc4\x09\xeb\xed\xe7\x26\x3c\x88\x97\x5e\xdb\x23\x7f\xa0\x1b\x58\x3f\x79\xfc\x7a\x4f\x8e\x8a\xc8\x9a\xf7\x93\x08\xd9\x9b\x47\x3c\xf3\x3f\x33\x44\xa4\xe5\x52\x3f\x3e\x35\xd3\x88\xd1\x8e\xe1\x18\x5c\xaa\x19\x18\xd2\x3a\xae\x41\x93\xae\xdf\xe1\x25\x04\x2e\x16\xd5\x71\x86\x52\x61\xdd\x63\xbf\x0c\x9d\xd8\x48\x5f\xa6\x4e\x24\x10\xa2\x6a\x43\x6c\x83\xc9\xe3\x45\x56\xf3\x7c\x1d\x69\xd2\xfd\x57\x42\x78\xc4\xb2\xc8\xba\xf3\x83\x4e\xe2\xe0\xf3\x64\xb5\x4c\x36\x78\x0f\x28\xa8\xeb\xe5\x6e\x1d\x9e\x1c\xbd\xfd\x77\x3c\xe8\xaa\xcd\xef\xda\x09\xf4\x0d\xff\xd8\x47\xaa\xdf\x67\xc4\x44\x71\x00\x8c\xee\x07\x76\xfb\x06\x89\x54\x30\x8f\x16\x20\x3d\x01\x7b\x29\x0c\xd1\xad\x9e\x4c\xdc\x49\xf3\x26\x35\x28\x07\x56\x0d\xdd\xa4\x90\xc0\x5c\x6d\x5e\x04\xf1\x94\x00\x83\xaa\xba\x83\xe0\x29\x37\x0f\xd7\x6e\x77\x57\xc7\x3c\x05\x43\xdd\xff\x26\xc3\xa3\x07\x62\xe2\xc9\xc5\x56\xaa\x28\x2c\x7f\x46\xf3\xdd\x8e\x20\x01\x68\x05\x3a\x03\x17\x4c\x56\x69\xdc\x43\x90\x0a\x39\x41\x7c\x9d\xff\x8e\xd3\xf1\x0e\xb0\x7c\x47\x0a\x52\x2e\xc8\x20\x71\x2f\xf8\x82\x59\xcf\x7f\x5e\xe5\x2c\xf4\xee\x69\x0b\xca\xbd\x88\x76\x3f\x66\x32\x9f\x37\x25\xa4\x36\xca\x19\x38\xd4\xda\x48\xde\xdf\xfe\xa8\x2d\xc5\x4a\x2a\x0a\x5c\xfb\x64\xc3\xe2\x78\xf4\x1b\x93\x3c\xef\xeb\x02\xf9\x82\x53\x2e\x98\x67\x72\x41\xd7\xec\x2f\x8d\x14\x27\xda\x17\x11\x91\x9d\x67\x2e\x95\x1
b\x6d\x1c\xd8\xf2\xc0\x20\x3f\xed\xd5\x21\xf7\x5a\x22\x9d\x99\x67\x13\x35\x81\x36\xd8\xb4\xeb\x79\x71\x34\xfe\xc8\x74\xe3\xd3\x8a\x01\xcb\x82\xa8\x7c\x8c\x21\x1e\x64\x29\xef\xe6\x77\x17\x3a\xab\x0a\x0f\xb9\xf5\x58\xf4\xb0\x6f\x77\x05\xbc\xd1\x77\xec\x1d\xd8\x0d\x04\x45\xb5\x44\x8e\x7d\xc2\x94\x53\x8a\xae\xcc\x59\x61\x0d\xbe\x6f\x2b\x3b\x16\xb2\x75\xc1\x8d\x33\xa7\x8f\x0c\x1d\xcb\xb0\x7e\x13\x76\x28\xb6\x22\xf8\x85\xae\xe8\x0b\x82\x68\x4c\xdd\x5f\xde\x5a\x29\xaa\xdf\x63\xd8\x5e\x95\x15\x96\x49\xad\xce\x0f\x9e\x57\xb5\x3b\x82\xc7\x5b\x87\xa1\x27\x47\xef\x0f\x84\xbe\x50\x69\x3c\xca\xe7\x98\xe3\x8a\xaf\x05\x06\x66\x16\x3e\x6b\xed\x48\xf5\xf1\xba\xf4\x9a\xde\xa2\x12\x23\xbf\xb0\x89\x19\x98\x98\xdc\xd2\xe9\x1b\x70\x8b\xd6\x2b\x61\xf1\x38\xcc\x48\xbe\xd8\x8b\x77\x2d\x14\xbc\xc5\x39\x68\xaa\x32\xfa\x3f\x11\x45\x84\x75\x2d\xb5\x32\x78\xb2\x5f\x36\x7d\x52\xc2\x07\xec\x54\x59\x66\x83\x82\xaa\xc7\xeb\xfd\xf3\xa2\x07\x5c\xef\x67\x9b\xd7\x7e\xc1\x7a\x11\x43\xde\x08\x47\x20\x08\x54\x86\x68\x5a\xc8\x69\x73\x3b\xc0\x7d\x74\x24\x6f\xbf\x8a\xbb\x36\x62\xbe\x75\x0d\xdd\xd3\xb1\x3e\xcb\x2d\x91\x35\xf5\xc6\x8d\x1f\xdd\xe5\x49\xd9\xc2\x09\x1d\x96\xaa\x35\xf8\x43\x36\xb4\x21\x51\x31\xf3\x64\x76\xec\x84\x8d\x53\x3d\x7d\xca\x1e\x0a\xa4\x1e\xef\xb8\x80\x60\x52\xa8\xcd\xd5\x38\xb7\x55\x70\x7f\x93\xe0\x48\xd7\x71\x50\x5b\x88\x90\xd8\xf6\x80\xb8\x80\xcc\xb8\xee\x29\x49\xe3\x5a\x63\xee\x48\xe7\xb4\x67\x12\x8b\x65\xff\xe6\x06\xce\xd2\x8a\x3b\xc3\x17\x2b\xd0\x9f\x2b\x58\xef\x63\x22\xa3\xfa\x31\xe0\xfa\xb3\x7a\x3a\xfe\x72\x9a\xd4\x3d\x5c\xd0\x2b\x42\xbe\x4d\x8e\x60\x2b\x99\x51\x6d\xbd\xbd\x81\x2e\x1b\xec\xae\xba\x14\xb2\xb2\xbf\xaf\x05\x55\x90\x02\x51\xe3\x1d\x83\x97\x98\x14\x1b\x32\xab\xdc\x55\x8b\x3b\xf3\x0e\xdc\x11\x45\xf5\x41\x79\x85\x07\xda\x32\x9c\x5a\xcc\x1f\xf5\x6d\x4f\xd5\xf6\xe1\x8c\x02\x08\x12\x22\xc6\x98\xb3\xd0\xf2\xb1\x95\x39\xa7\xc2\xc9\x1f\x78\xb1\xbe\x76\x48\x19\x91\xe2\x41\xd2\xae\x88\x9d\x4c\xb1\x33\xf9\x0f\x77\xd9\x22\xd9\x84\xb5\xa5\xd1\xb2\xaa\x03\x8f\xb0\x01\xf0\xba\xc8\x8c\x1
4\xa3\x6f\x62\x29\x6a\xb3\x24\xd5\x2b\x57\x54\xd4\xe8\x42\x88\x9d\xa6\x54\x14\x3b\x4b\xd7\x19\xf0\x82\xcb\xcf\xa2\xec\x90\x31\xb9\xb4\xb8\xbb\x8e\xf4\x6b\xc3\xff\xa5\x2d\x35\x38\x5b\xf2\x7e\x3c\xcd\x86\x10\x84\x81\xff\x66\x40\xe8\xb0\xe3\x09\xd2\x8b\x14\x94\x20\xf9\x5e\xb9\xaf\xa0\xf6\xe1\x88\xb7\x00\x5f\x42\x12\x25\x38\x5b\xde\xa3\x82\x5a\xd5\xfb\xfc\x6d\x9f\x29\x97\x47\x6b\xc3\x6e\x5d\xfe\x4b\x68\x6d\x1a\x2d\x40\x25\x16\xd4\xee\xe9\x90\xe1\xea\x6a\x23\x48\x38\x10\x3f\x42\xd7\x05\xab\xf3\x78\x35\x67\x3c\xa7\x86\x75\xb5\x35\x4c\x2a\x99\x13\x0e\x2b\x7a\x64\xee\x26\xa2\xad\x6c\x1c\xd2\xde\x64\xed\x59\x12\xeb\x77\x08\xdb\x3a\xfb\xb4\xa6\x83\x10\x9b\x10\x57\x29\x8f\x35\x6e\x4c\xf4\xfa\xb2\x00\xca\xf7\x40\x3c\x71\x9a\xa8\x1a\xb0\x1d\x3d\x7f\x91\x55\x07\x3f\x56\x49\x5e\x51\x16\x19\x6e\x9a\x9d\xe8\x2f\x10\xa5\xc0\x8d\xfb\x2f\x91\x54\x94\xdf\x7a\x07\x00\xef\xb7\x22\xd3\x41\x6a\x5d\x32\xbc\x02\x29\x71\x11\x65\x08\x47\xde\xe6\x76\xd2\x68\x77\x2d\xec\x41\x3d\xa3\xa1\x32\x09\x89\xc1\xbe\x0d\x5c\x9c\x1b\x6f\xc4\xf7\x0f\xbd\xad\x88\x8a\xbb\x0b\xe8\xf1\x16\xf0\xd7\xa6\xf3\xab\xaf\x63\x6b\xb6\xb6\x92\x22\xda\xf4\xcc\xbd\x6d\x07\x29\x3d\xef\x59\xcd\x5e\xc9\x08\x45\x4d\x07\x94\x95\xf2\x7b\xfa\xf9\xe4\x5f\xb2\xc9\x99\x64\xe6\xb2\xfb\xa0\x3a\xf0\x38\x2d\x5b\x60\xad\xeb\xbb\x28\xfb\x8f\x8f\x8e\xfd\xd8\xda\x65\xea\xc2\x93\x77\xcf\x07\xc6\x2e\x1b\xf1\x0f\x61\xfa\x91\x2e\x62\x71\xf2\xcb\x95\x09\xa7\x63\x1b\x7a\xbe\xc3\x39\x6b\xeb\xce\x10\xbc\x79\xe2\xc4\x99\x56\xd1\x27\xf9\xd0\x1b\x73\x58\x45\x40\xcb\x6c\x0b\x52\xa7\x09\xe3\xaf\x1d\x00\xc8\x4f\x6d\x22\xfb\x19\x5d\xd8\x82\x3a\xa3\x36\xaf\xea\x89\x8e\xd8\x7a\xda\x2b\x22\xd1\xb8\xec\x50\x8c\xf6\x98\x6e\x93\x45\x92\x65\xed\x7c\x25\x87\x32\xc2\x91\xca\x41\xe7\x87\x6f\x1b\x43\x8b\x17\xd3\x6c\x24\xa0\x2f\x20\x0f\xee\xee\x18\xac\xe8\xdc\x4a\xad\x51\xa4\x2b\xb9\x81\x5d\x82\xc2\xa9\xa3\x7f\x77\x5c\xd6\x12\xe0\x84\x22\x69\x42\xea\x0d\xc6\xf5\xd8\x92\x33\x49\xbb\xbe\xdc\x2a\x45\xcf\xcf\xdd\xed\xa2\xd5\x2d\x14\xf2\xff\x83\x29\xaa\xc0\x1d\x2e\xc3\xc3\x7
f\x23\xc5\xc9\x0d\x02\x62\x80\x23\x8c\xe0\x9e\x00\xec\xa9\xf6\xc3\x0b\xda\xa5\xdc\x91\xf4\x34\x2f\x8a\xf6\xa3\xec\x13\x39\xc4\x7d\xca\xe8\xf9\x36\x0c\x32\x50\x2b\xfa\x86\xe1\xff\xc5\x82\xd5\x88\x8f\x29\xca\xc3\x9e\xf9\x0a\x31\x50\x11\x1f\x66\x11\x99\xfa\xf7\xe2\x41\x3b\x57\xbb\x9a\x72\xaa\xa2\xd5\xfa\xe3\x2b\x46\x28\x84\xa9\x28\xd8\x3c\xea\x60\x55\x70\x25\xc5\xde\x01\x80\x44\x34\x5f\xb0\x83\xde\xf4\x9b\xc3\x83\x31\x98\x94\xda\xd2\x8b\x53\x39\xcb\xad\xb6\x03\x8d\xc8\x47\x9f\x7e\x4b\x2f\x01\xc1\xce\xd3\xff\x85\x42\x05\xbe\x93\x88\x48\x85\xb1\x29\x87\x8b\xdb\xb1\x8c\xaa\x68\xc3\x09\x40\x71\x9a\x40\x8a\x03\xfc\x61\xeb\xea\x87\xd9\xd3\xef\x21\x62\x59\x45\x89\x65\x44\x75\xc2\xc3\x7e\xaa\x87\x37\x33\x8a\xcc\x18\xb3\x41\xa3\x51\xec\x39\xaa\x94\xcb\xa1\x71\x09\x6f\xd7\xfb\x83\x2e\x30\x31\xf4\xd8\x2f\xf2\x32\x8a\xa1\x89\x62\x3c\xd9\x3f\xce\x6f\x45\x25\xc2\xdd\x01\x3d\xc9\xc7\xb4\xd1\x9a\xdd\x3b\xf9\xc3\x34\x88\x6e\x9d\x1c\xb4\xdf\x99\x7d\x99\x56\x3a\x57\xb6\x6d\x83\x21\xd4\x21\x52\xf7\x21\x70\x5d\x6c\x48\x46\x18\xad\x33\xcb\x46\xb5\xc1\xa4\x1c\xcd\x39\x7e\xde\x50\x43\x2d\xc9\xd4\x1a\xa8\xb2\xfb\x37\x5a\xf7\x5d\x33\x23\x56\xd7\xdf\x3d\x5d\x43\x9f\xde\xbc\xf8\xe2\x5b\x22\x49\x3c\x6f\xe1\x40\x01\x3e\x29\x52\x32\x18\x67\xd1\x29\x47\xb1\xf2\xdd\x27\x2a\x17\x36\x94\xa5\xfd\xdd\x88\x7f\xe1\xec\x96\xdf\x64\x67\x63\x0d\x14\x49\xd7\x23\xff\x02\x3e\xc1\x27\xb1\x2a\x24\x11\xa0\x96\xe3\x12\x9e\x84\x5d\x50\xb1\x46\x68\x36\x35\xd8\x05\xcf\x19\x67\x35\x82\x8c\x8a\x0a\x00\x40\x47\xa1\x9a\xcf\xcc\x41\xb6\x2f\xe0\xfb\xff\x91\x88\x1e\x76\x13\xbf\x7a\x73\x71\x95\xf1\x85\x8e\xd7\x19\x8d\xca\xca\x13\x21\x06\x19\xd7\xf7\x39\x8d\x81\x2d\xe4\x63\xf2\x21\xf0\xc2\x64\x87\x4a\xa3\xb3\x41\x6d\xcd\xfa\xed\x76\xbf\x25\x5d\x7a\x7a\x15\xd6\xac\xc9\x86\x4d\x1b\xd9\x00\x35\x4b\x3b\xf0\xdf\x70\xba\xe9\x32\xc4\xb8\x2e\x8a\xa6\x0d\x39\x5b\x93\x9c\xc6\x0f\x89\x64\xab\x75\x5b\xa5\x0b\x40\xa7\x13\xf6\x8d\x2e\x00\x1a\x2b\x5a\xbc\xfd\xbb\x82\x1a\x0a\x3a\x7a\x97\xcd\xcc\xc0\xb0\x5b\xca\x8f\x03\x3f\xbc\xd9\x54\x56\x9c\xb
7\xc3\x12\xd4\xcb\x9e\x69\x27\x56\x13\x30\x66\x79\x88\x25\x70\x72\x61\x18\xeb\x66\xb4\xb6\xf0\xd2\x36\xc3\x3e\x35\x65\x8e\xd8\x7f\x02\x8c\xa4\x3c\x55\xc2\x69\x68\x17\x9a\xed\x75\x49\xc8\xc2\xe9\x26\x72\xa4\x45\x10\x6d\x04\x29\x84\x69\x17\xc5\xfc\x60\x7f\xa2\x85\xdb\x9a\xa6\x12\x81\xc1\xc5\x24\xa7\x6b\x3d\x40\xde\x5d\xa9\xbc\x7a\xfb\xae\x9c\x03\x55\x5d\x05\x63\x83\xea\x7f\x5e\xac\xf5\xde\x95\x63\x8e\x11\x24\x2a\x42\x0c\x9a\xa3\x22\xc8\x08\xcf\x2a\x14\xab\x47\x9d\x81\x35\xe4\xff\x48\x7b\x21\x5c\x8c\xec\x44\xc7\x29\x0d\x34\x59\x10\x0b\x21\x96\xc5\x4e\x88\xca\x28\x41\xd8\xa6\x01\x1c\x6d\xb1\xb5\xc2\xfb\xc5\x13\x5d\xa6\x05\x3d\x89\x3d\x11\x6b\x9f\x23\xd5\xa0\xf7\x7f\x9f\x64\xc5\x0a\x04\x48\x55\x2f\xb3\xd4\x00\x2c\xcf\xb9\x5e\xd5\x4c\x37\xea\xe9\x31\x73\x7b\xf0\x2b\xcd\x22\x6b\x13\x3b\x9d\x27\xde\xbf\xae\x74\x87\x30\xa8\x7b\xe8\xdf\x5c\x31\xcd\xdf\x16\xc2\x6b\xc3\xf3\xb4\xdf\x7a\xbc\xbc\x52\xed\xad\xb7\xa7\xc2\x9e\x87\xdd\x5d\x63\x30\xb7\x61\x64\x9f\xc9\xf0\x98\xa7\xb6\xb6\x8c\xf5\xdc\xe7\x67\x66\x7e\x8b\x5a\x7c\xd4\xbb\x22\xd1\xc9\x22\x9c\x45\x51\x69\xd7\x2e\xdd\x3b\xae\x9c\x25\x1c\x07\x88\x96\x8f\x1d\x13\xaf\x8e\x47\xba\x32\x92\x3c\x66\x14\xc4\x4d\x51\x96\xfa\x80\x57\x61\xdb\xa5\x9a\x39\xb8\x93\xbf\x09\x73\xda\xbb\x97\x6e\xdf\x63\xf3\xcb\x54\x73\x2d\x43\xb9\x0e\xe7\xab\x03\x74\xe1\x0f\xd7\x22\xd5\xc3\x61\xa4\x10\x89\x31\xe8\xee\x3f\xa1\x90\x79\x3f\x90\x1b\x18\xff\x7b\x5e\xd8\xc1\x62\xb3\x7f\xfc\xb3\x9c\x6c\x0c\x08\x4c\x9c\x76\xb3\x96\x4e\x31\x35\x1f\x51\x12\xac\xcf\xe1\x6c\x62\x68\x58\x0c\xe0\xb4\x4c\xd4\xc3\x3f\x29\x21\x71\xdf\x6a\xf3\x59\x14\x22\x5c\x8b\x1a\xff\x19\x85\xce\xa0\xea\x73\x49\xa4\x3a\x51\x0d\x5f\xbf\x18\x81\xa0\x32\xf9\x6b\x1f\x58\xf4\xfa\x94\xdb\xcd\xf9\x8f\x6b\x11\x3a\x2f\x85\x1e\x76\xd4\xf1\xcf\x06\x86\xe3\xb4\x40\x57\xc3\x63\xc8\x49\xc5\x70\x06\x59\xd7\xe5\xa1\xc2\xb3\xcc\xfd\x5a\xaa\x88\x9c\x2f\x99\xa9\xb1\xc8\x31\x9c\x3c\xd3\x48\xbe\x29\xb2\xe9\xbf\xef\xbc\x28\xcb\x77\x47\x29\x95\x8c\x12\xc9\xdf\xa7\x4b\x89\x3a\x07\x74\x5a\xed\x2e\x51\x44\x72\x3c\x8
f\xc0\x50\x68\x52\xf1\x7e\x6a\x4a\x8f\x59\x9d\x2c\x4a\x1d\x7c\x0b\xa9\xd7\x7d\xb8\x41\x6e\xb1\x09\x32\xcd\xc7\x49\xcf\xa9\x98\x90\xee\x80\x17\xc0\x66\x40\x84\xf8\x64\x89\xc9\x75\x25\x52\x52\xc3\x87\x6f\x8d\xcd\x98\xc0\x0b\x73\x61\x1c\xe2\x73\x4e\x1f\xe0\xee\x5c\x0a\x0a\xbb\x0c\x50\x00\x40\x44\xf9\x3a\xd2\xff\x01\x09\xbc\xb1\x9a\x3a\x20\xf1\x86\xd6\x8e\x38\x7d\x34\xa5\xb5\x78\xc4\x25\x3c\xd9\x67\x26\x14\x80\x3b\xf9\x67\x26\xe8\xab\x00\x14\x6d\x2f\xe2\x66\xe6\x2e\x48\x65\xf5\xe7\xfe\x31\xd4\x14\x97\xe7\x19\x51\x22\xfc\xda\x82\x5f\xb4\xe9\xfc\xdd\x09\xb4\x21\xdd\xb6\xe9\x25\xa4\xd5\xcb\x7f\xf2\xfa\x56\xfe\x14\x97\xad\x65\x9c\xc5\xb6\xef\xd8\xf8\x83\x99\x8b\x74\x51\x17\x5f\x98\x27\x54\x7b\x84\x19\x5c\x25\xfc\x16\x31\x07\x2a\x55\xc1\x7e\x90\xa3\x27\x9a\x54\xa2\x96\x97\x31\x2b\xfe\xf3\xee\xfc\xba\x8d\x31\x14\x55\x6a\x54\x5d\x18\xab\x0d\xf7\x4d\xf2\x66\x85\x91\x51\x95\x9a\x1b\x05\x1f\x83\x22\xf7\x98\xcb\x45\xd5\xcb\xe5\x29\x1b\xdd\x71\xda\xd6\x65\xf6\x4d\xde\x69\x54\xef\x00\x71\x89\x18\xfe\x01\x72\x79\x63\x96\x46\x42\xd4\xc4\xa5\xbb\xa9\x30\x3f\x44\xfe\x97\xff\x99\xf0\x67\x48\xdc\x86\x3f\xf0\xcc\x17\xfc\x82\xb2\x9f\xbe\x0c\x71\x2c\x77\xed\x36\x69\x7f\x23\xb4\xa2\x2a\x9f\x24\x85\x22\xf9\x94\x6c\x3a\xbc\xd3\x2e\x16\x5f\xd6\x6f\xdb\xc7\xb4\xa0\xdf\x71\xa8\xd2\x57\x1f\x32\xda\x4a\xda\x51\xc1\x4c\xa0\x86\x30\x1d\x6e\xd0\x20\x06\xc6\xa3\x8c\xe4\xe7\x67\x1f\x3d\x08\x62\xa4\xe3\xc2\x2b\x6a\xa7\xb7\xc0\x49\xa7\x76\x22\x87\x57\x05\x62\xe8\xb4\x52\xef\xc7\x87\x41\xe7\xc2\x82\x2a\xd0\xfd\x43\x5e\x76\xa8\x04\x4b\x05\xb3\x88\xaa\xfc\x4c\xf6\x15\x75\x76\x03\x98\x87\x23\x64\x46\x99\x61\xe8\x7d\x14\xd1\x79\x5e\xb6\x27\xfa\xed\xa1\x8f\x9c\x12\x28\xfc\x99\x4d\x58\x05\x08\xc9\x96\xd3\x66\x27\x99\xb7\x23\x7e\x59\x69\x10\xa7\xc5\xc7\xfa\xcd\x47\xfa\x30\x84\xda\x48\x48\x87\x67\xf6\x0c\xfe\x58\xec\x40\x14\x15\xac\x66\x03\x16\x23\x32\x0f\x9f\xda\x37\xc0\xaf\x9f\xe4\xcd\xa1\xb2\x89\x3d\x2d\xf0\xac\x82\x26\x01\x3a\x36\xca\x7b\x13\x66\x03\x2e\xa7\xb2\x5a\x55\x91\xbe\xbc\x8c\xe4\x89\x77\x7c\x0c\xba\x2
8\xd1\xf0\xca\xfe\xae\xea\x7d\x5b\x4d\x20\x09\x30\x9e\xeb\xc9\x13\x07\x81\x12\xbb\x12\x69\x20\xca\x6e\x5e\x2b\x22\x10\xce\x54\x10\xcc\xe4\x5f\xc4\x63\x74\x6c\xf1\x68\xf7\xee\x2b\x91\xc7\x97\xb3\x30\xe0\x46\x48\x22\xa6\x18\xe4\x57\xce\x39\xa0\x03\x67\xd9\xcd\x3d\x3f\x59\x38\xce\x36\xeb\x2a\x31\xa9\x0d\x04\x92\x58\xc8\x49\x95\x5e\x97\xf0\x80\x17\x26\x9b\x3e\x5f\x69\xe9\x12\x81\x95\x63\x8b\xc8\xc1\xfa\x73\x5e\x6e\xb2\x43\x5c\x95\x87\xf4\xf4\x36\xd9\xe6\x8a\x87\x97\xbb\x42\x10\x0d\x48\xe7\xb2\x61\x97\xc6\x5f\xb8\x90\x39\x61\x38\x2f\xb0\xfe\x22\x98\x60\x17\x30\x68\xd9\x42\x91\x10\x82\x3b\xc2\xff\x71\x7a\x71\x57\x05\x4c\x32\x6b\xda\xc3\xad\x35\x81\x77\xf9\xa4\x06\xd8\x94\xb8\x42\xd6\xd9\x1e\xdb\x35\x6b\x06\x28\x3b\x32\x9b\xca\x6e\x12\x29\x06\x55\xfe\xf2\x40\x29\xba\x1d\xaa\xf4\x5f\x17\xeb\xc8\x34\xd1\x2e\x35\xe3\x9f\x2e\x20\xe2\xc7\x36\x2a\xeb\x00\x31\xf4\x87\x7b\x63\x3b\xe1\xbe\xd3\x6f\x5d\x7b\xa2\x4d\x01\x48\xf8\x46\xa7\x86\xf3\x88\xe2\xab\x79\x66\x2d\x55\x9b\x86\x1a\x36\xa4\xce\x60\xdc\xeb\x5f\xdb\x9f\x47\x93\x58\xfd\x84\xa5\xc7\xf1\x02\xf7\x5b\x81\x43\xd3\x62\x6f\xff\xa5\x46\x9c\x22\x07\x2a\x97\xd6\x3f\xf9\xe0\x66\x7c\x2f\x2d\xb4\x1c\xd0\x3e\x5d\x43\x91\x4b\xb5\x90\xbb\x1f\x11\xf4\xc3\x53\x3b\xcc\x47\xff\xc9\x9e\xed\xf6\x77\xc9\xd6\x46\xc6\x0f\x99\x39\x89\x15\x89\x1a\xb6\x71\x97\xdd\xbd\xc1\x1e\x03\xda\xf0\x31\x39\xce\xad\xaf\x99\x22\x68\x75\x16\x3f\x11\xc2\x90\x27\xf6\xec\x6e\xe6\x47\xc9\xbb\x1f\x76\x95\xf1\xf2\x91\x8a\x32\x85\xa1\x3e\xad\xb7\x3d\x3e\x94\xcb\x0d\xbf\x92\x73\xf7\x5e\x1a\x8b\x39\x1c\xc6\xe4\xc1\x4e\xd5\x68\x3c\x27\x56\xc7\xb3\x3d\x84\x35\x1e\x1c\xe0\xba\x7b\x02\xe2\x30\x5d\xe6\x5b\x29\x45\x6b\x5c\x55\x34\x46\x47\xc7\xb0\xb1\x6c\xd8\x36\xdb\xa2\x71\x1a\x4c\xc9\x77\x38\x26\x7c\x46\x2c\x85\xfa\xd6\x08\xa8\x16\x12\xd7\xf8\x9a\x7f\xe6\x63\xbd\x06\x43\x54\xa8\x0f\x8b\xe0\x16\x5d\xf5\xd9\xba\xe1\xc6\x9e\xa5\x69\x62\xb1\x11\x22\x0c\xdc\x13\x6a\xda\x90\xbb\x13\x15\xf8\x65\xca\xff\x1e\x25\x26\xac\xd2\xef\x4c\x36\xa7\x0f\x26\x60\x88\xd7\xd3\x48\xe5\x61\x13\x29\x7
1\x66\x8e\x91\xa8\x90\x04\x08\x5a\x5b\x09\x2f\x8e\x28\x42\x3d\x16\xb7\x49\xcd\xcb\xf9\x2a\x43\x65\xe4\x68\xdd\x67\xbe\x24\x1e\x5d\xea\x70\x5b\x60\x6b\x28\x09\x9a\x5d\x3d\x46\xa0\x76\x20\xfc\x4f\x73\x1e\x3d\x36\x05\xde\xbe\x68\x70\x42\xca\xc9\x37\x42\x73\x67\xc3\x5b\x54\x6a\xf2\xdf\xc0\x94\xa7\x21\xdc\x7f\xd1\x3d\xf6\x8e\x9a\x79\x9e\xcb\x10\x7c\x90\x8b\xac\x9f\x8c\x44\x30\xcc\x10\xc6\x29\x9c\x79\x4d\x02\x8d\x51\x6c\x3e\xf3\xf7\x7f\x9f\x64\x20\x16\x60\x94\x9b\x5e\xe2\x9a\x58\x94\xd7\x38\xfa\x4e\x4b\xcd\xda\x88\xfe\x12\xbc\xff\xe8\x5d\xa7\xb1\x0d\x02\xc8\x09\x22\xf3\x90\x71\x34\xfe\x64\x60\x55\x08\xb6\xcb\xe3\x5e\x97\xf1\x2f\x1b\xb1\x5f\xce\x6f\xac\x0b\x0b\xbe\xd6\x21\x83\xba\x88\xb8\x41\x3c\x69\x2c\x1d\x46\x53\x76\x14\x6a\x5a\xc6\x9e\x0f\x10\x45\x0f\x04\xc8\xb6\xf3\xc9\x0c\x58\xac\x33\x60\x4a\xa8\x11\xa9\xb7\x4e\xbb\xd0\x7b\x06\x84\xc5\x1a\x55\x30\x06\xda\x57\xf4\xdf\x29\xdf\x30\xa6\x46\x22\x26\x6b\x3e\xc0\x6c\x43\x5d\x65\x05\x21\xf3\xea\x72\x5a\x3c\x8c\x12\x8c\x73\xf0\xd3\x44\x7d\xd1\xa8\x5b\x10\xa0\x61\xe9\xac\x44\x69\xbd\x8e\xad\x5b\x59\xcc\x63\x9b\x81\x7e\x67\xd9\x0c\xcd\x77\x3e\x22\x4a\xeb\x67\xdd\x26\x36\x91\x74\x36\xb7\x64\x75\xd8\xe0\x25\x5c\xf7\xd1\x4f\x28\x36\xa5\x0d\x23\xfb\x11\xb3\x84\x35\x48\xb3\xa5\x2d\x8f\xa1\x0c\xa8\xc9\x7e\x1f\x0e\xd7\xa0\x0c\xfc\x80\x67\xa5\xb9\x9a\x41\xc0\x7d\x3c\xe0\xa0\x45\x6b\x84\x43\xbb\x5f\x09\x03\xdb\x5e\x7b\xc1\x6b\x0d\x0d\x4f\x32\x1a\x57\x57\x2d\x33\x68\xd9\x7a\xb7\x70\x58\x30\xd2\x3f\xf7\x8a\xc8\xd6\x94\x02\xc9\x20\xf7\xfb\x91\xd6\xef\xc1\x6c\xe4\x39\x93\xa1\xa6\x8e\xb8\xed\xa0\x8d\x7c\xc5\x5f\xca\x85\x49\xf4\x08\x39\xac\x8e\x5e\x26\x3e\x8f\xcd\xdb\x10\xdd\x20\xfb\xed\xd9\x49\xc8\xd3\xc1\xe1\x86\xe9\xfd\xd5\xaa\x27\x65\xa1\xef\x54\xf9\xe8\xb2\xa7\xa0\xb3\x8f\x1c\x8f\x8d\xaf\xe5\xfc\xef\x0f\xf0\x31\x69\x21\xdb\xaa\xb2\x7f\x6b\x2e\x09\xe4\x9d\x0a\x56\xc9\xad\xe5\xd8\xcb\x65\x86\x99\xba\xa9\x84\x54\x3f\xde\x4e\x72\x0e\x02\xe5\x50\x3e\x83\x5c\x7a\x63\xef\xfe\xe3\xdf\xa5\x8e\x4c\xcd\xbe\x19\x43\xb5\x92\x1b\x58\xfd\x0e\xd6\x64\xe
f\x73\xdf\x89\x23\x18\xe1\x07\x03\x23\x48\x59\xb5\x65\xd1\x7d\xe8\xc9\x25\x19\x8b\x44\x81\x59\xc8\xe8\xd7\x3c\x8b\x1e\x5e\xb6\x87\x05\xe5\x82\xd5\x12\x8f\x20\x7b\x54\x6f\x81\x22\xe0\x4e\x37\xbc\xc9\xd1\xca\x9b\x2c\x7a\xe5\x1d\x45\x42\x44\x8b\x36\xd6\xff\x16\xd9\x98\xee\xce\x9f\x07\xbe\x34\x1d\x1d\x8f\x98\x9f\x23\x44\x60\x40\xa4\x99\x72\x72\xc9\x9d\x45\x34\x83\x72\xfc\x49\xb7\x0f\xb5\xe0\xfa\xca\x97\x51\x84\xc6\x02\x59\x95\xf6\xaa\x49\xf1\xb2\x93\xdf\x66\xd5\x1d\x75\x3d\x9c\x77\x75\x57\x6d\x0e\x77\x01\x34\xd3\xa4\xfb\xd5\x3c\x99\xb0\xa7\xb6\xaf\xe7\x33\x7f\x73\x24\x81\x63\x23\x9a\x71\x4d\xfe\xb2\x85\xb0\xb4\x9e\xf6\x02\xd6\x2a\xd6\x93\x5a\x83\xc8\x3b\xc8\x14\xbd\x40\x7b\x1f\xf5\x22\x82\x92\xf9\xbf\xbb\xd0\x71\xc8\x1d\xc9\x59\x1a\x05\xc9\x50\x7b\xff\x87\xc9\xe5\x27\xb8\xf1\x4e\x8e\xe1\x3d\x18\x7e\xb8\x67\xdc\x2c\x95\xdd\x90\x3c\x37\x69\x2d\x03\xe7\xb0\x09\x85\xfb\xc1\x13\x13\x07\x8d\xec\x7f\xf6\x9f\x2e\x01\xa8\x34\x23\x99\x40\x0f\x98\xcc\x66\x83\x3d\x9c\x85\xff\x7f\x10\xcb\xef\x73\x32\x13\xcd\xae\x61\x54\x5f\x39\xe8\x5c\x59\x30\x2b\x56\x0a\x72\xd0\x43\x7b\x26\x6c\xba\xe1\x6f\xad\x4a\x00\x0d\xde\xa1\x99\x49\x40\x8c\x74\x77\xfc\xb9\x48\x91\x53\x23\xeb\xb7\x9a\x55\xc7\x69\xcc\xb1\x8e\x2f\x55\x2a\xb7\x63\xba\x65\x30\x2a\xe7\xbc\x47\x6e\x36\x25\xeb\x88\xa7\xa6\x69\x8c\xec\xcf\xac\x22\x90\x0c\xa3\xc4\x4d\xec\x88\x66\xb2\xa1\x14\xc0\x83\x1c\xf6\x53\xd4\xc1\xfb\xa9\xa7\x78\x5a\x1c\xaa\x2b\x97\x34\x33\x84\x22\x6b\x1a\xce\xd9\x3d\xa7\x1d\x30\xb6\x65\x06\x45\xbc\x11\x3a\xc6\x2d\x32\xd2\x03\x2d\xdb\x65\x62\x6e\xe8\x6c\x3b\x9d\xfb\xbd\x8d\x0c\xae\xea\x74\x53\xdb\xea\x30\x4e\x34\xd3\xf8\x05\x22\xcd\x31\x7b\x49\xbc\xab\xb8\x69\x33\x1c\x7c\x32\x18\x52\x10\x04\x30\x42\x3b\xcb\x1e\xc1\x5c\x50\xc1\x9b\x76\x6a\x7c\xe4\x71\xd5\x1b\x01\x04\x1b\x68\x5a\x29\xc4\xbf\xdb\x55\x2c\x86\x6d\x58\x3b\x7c\x3c\x7f\xd5\x6c\xfc\x73\x72\x5d\xf7\x84\xe4\xd9\x02\x81\x56\x7f\xe8\xc3\x8d\x86\x6b\x06\xef\x13\xbb\x30\xfd\x23\x90\x6e\x66\x2c\xf9\xd5\x11\x3d\x7b\x52\xb0\x14\xb4\xae\xb3\xa1\x83\x52\x4b\x49\x7b\xe
9\x22\x0a\xe1\xe0\xb2\xf7\x67\x4d\x27\x99\x42\x94\x1b\xbd\x81\xed\x59\x5a\x93\xc2\x34\x13\x99\xb6\xac\x36\xff\x86\x9f\x89\x4c\xae\x29\x13\x08\xb2\x12\x84\xd3\x98\xb5\xfa\x6a\xc7\x6b\x9d\x59\xf0\x3e\x48\xc2\x75\xf4\xf2\x0c\xe0\xa5\x05\x9d\xe6\x9c\xa9\xec\x99\x9d\x73\x20\x2d\xef\x66\x6b\x37\xb3\xa9\x6a\x95\xb1\x2c\x74\x33\x10\x38\xfa\xca\xca\xb1\x88\xda\x87\x8a\x86\x0e\x1b\x39\x9d\x6b\x3b\xd3\xc1\x36\xe0\xa5\xe9\x96\x3c\x16\x91\x88\x9f\x0d\x40\x0f\x34\xdc\xc5\x1e\xf1\x00\x2e\xbf\xee\x28\x14\x60\x5a\x4d\x10\x67\xed\x73\x96\xc1\x15\xe3\xa9\x4f\x15\x1c\x8e\x4a\xa2\x93\x0f\xd8\xbc\x53\x4d\x57\x9d\x5d\x88\x43\xbd\x20\x29\x05\x6f\xc5\x58\xb9\x86\x94\x08\xb9\x95\x1f\x75\x67\x24\x33\xea\xd1\x9e\x10\x9c\xd1\x83\x08\xf1\xc9\xd6\xf9\xcc\xbc\x9f\x76\x79\x93\xb5\x9e\xa2\xb5\x04\x68\x64\xf5\xe0\xc3\xbd\xe4\x2e\x79\x32\xc5\x6b\x9f\xb2\x52\x89\xe1\x6a\xb3\xbe\xbb\x69\x25\x47\xde\x1a\x4d\xbe\x11\x9a\xb2\xbd\x71\xe4\x71\xcb\xdf\x6c\x6e\x85\x19\xac\xa7\x7c\x2c\xbb\x82\x73\x34\x3c\x1b\xed\x23\x92\x2e\x55\x7f\x87\xb4\x08\xd8\x7a\xf7\x88\x96\xed\x30\xf0\xa6\x17\x8a\xd9\x8a\x34\xde\xd6\x14\x84\x43\xfd\xdf\x4a\x5c\x00\xa8\x1a\xe9\xdf\x21\x59\xfd\x65\x8c\x85\x9f\xb6\xb2\x74\x98\x8c\x84\x8f\x99\x3e\x76\x1c\x26\x3e\x90\xd7\xdb\x8f\x66\x2c\x87\x6b\x7a\x61\xff\x2d\x93\x8b\xa7\xfe\xd4\xcb\x5c\xd8\xee\x51\x48\x70\xb5\x05\x20\xe7\x33\xf2\x1c\xdc\x3b\xd7\xed\x41\xd2\x97\xb9\x6d\xfe\xff\x37\x9d\x37\xe6\x07\x1b\xb1\xac\x84\xfe\xff\xab\x2c\xdd\x98\x5f\xea\x2f\xe6\xc4\x6e\x6b\x75\x69\xc8\xc2\x45\x45\x91\x79\x5c\xcc\x56\x51\x1d\x85\x3f\xd2\xa0\x1a\x1e\xb0\xce\x25\x05\xab\x65\x78\x2b\x78\x36\xba\x67\x84\x45\x05\xaa\xbc\xb5\xdc\x63\x72\xa3\x13\xfe\x7a\xcc\x7f\x48\xb0\xd2\xbe\xf7\x94\x03\xc2\x83\x7d\x88\xe5\x2f\xe9\x26\xad\x16\xd5\x1b\xe7\xe8\xc6\x2a\x59\x55\xa6\x1e\x85\x27\x08\x39\xf3\x6e\xee\x94\x63\x70\x92\x7e\xb1\x98\x41\x30\x16\x77\xe8\x37\xab\xac\x18\xd7\x09\xbc\x84\xdd\xa6\x0b\x12\x10\x7a\x23\xeb\x73\x35\x43\xff\x32\xcc\xe5\x24\x8d\x0f\x46\x19\x21\x29\x52\x91\x83\x7c\x15\x0a\x4c\x1d\x48\x9d\x31\xc5\xb
f\x5b\xfc\x2d\xa1\x42\x7e\x1e\xce\x74\xae\xa7\x05\x3f\x1f\xed\xa6\x4f\x09\x9f\xc4\x47\xa7\x90\x8c\xe4\x4b\x13\x46\x15\x49\xf2\x3e\xf1\x8c\x1d\x81\x07\xbe\xfb\x09\xf9\xd7\x19\xa0\xac\x57\x08\x0f\x1c\xdb\xfd\x46\x70\x4d\x79\x94\x7a\xa1\x0c\x5b\x0b\xb2\x26\xe7\xf6\x83\x09\x74\x72\x40\xf7\x73\xa6\x27\x53\x65\x61\xfb\x6c\x1c\x9b\x26\xaa\x5e\x23\xbe\x01\xf2\xd3\xf7\xaa\xdc\x99\x54\x40\x01\x5d\x25\x64\xb9\xc1\x6b\x85\x3d\x66\x57\x24\xf9\xf7\x22\xb3\x4a\xb1\xd4\x4c\x27\xd0\xe0\xcb\x01\xc4\x9d\x9e\x05\xde\x91\xc2\xe0\x40\x76\x4f\x0c\x21\x2e\x6d\x63\xf7\xb7\x24\x93\xdc\xcb\xf8\x58\x16\x4c\xf4\x81\x51\xbb\xe4\xf1\xdc\x2c\x91\x58\x66\x73\x43\x1a\xf7\xb8\x46\x1d\x30\x16\x1c\x56\x11\x70\xdf\xa3\x1e\xdd\xe2\xcc\xc9\xdd\xdb\xc7\xa8\xe4\x62\x31\x75\x24\x05\xcf\x30\x8e\xcd\x8d\x35\x05\x63\x6d\xba\x70\x35\xc9\x4f\x72\x86\x23\xbb\x87\x60\x3a\xfb\x90\xb5\xc2\x3e\x9a\xc1\x93\x7b\x2e\xa3\x98\x4d\x57\x9d\xa2\x99\x70\xef\x04\x9f\xfd\x97\x05\xfa\x28\x3e\xf6\x2f\x1a\x9f\xbb\xef\xbc\x5f\x8f\x3f\x79\xbd\xd8\xd7\x0f\x0a\x89\x39\x72\xe5\xac\xa3\xa1\x64\xe6\x72\xba\x88\xeb\xdb\x62\x06\xa4\xdd\xa5\xeb\x5a\xdf\xd1\x63\x52\xd4\x2c\x4f\xbd\xdf\x11\x7f\x2b\x0d\x30\xe8\xc3\x9f\x1b\xc6\x3f\x3b\xc0\x3b\x45\x2a\x87\x01\x17\xaf\x7a\x3f\xd3\x01\xaf\x71\x4b\xfa\x39\x83\x67\xa9\xac\x2a\xa3\x81\x17\x0b\xc7\xca\x86\x01\x44\x25\x8a\x9a\x38\xa6\x14\x54\xc9\xcd\xef\x24\xf1\xc6\x62\xf2\x8e\x8d\x1e\xe7\x74\x9f\x61\xa9\xc7\x9a\x9e\x16\x59\x3f\x2d\x55\x00\xde\xaa\x73\x0a\xca\x4e\xef\x32\x73\x87\x84\x31\xa8\x74\xb0\x3e\x44\xf6\x49\x5b\x52\xea\x9b\x22\xd9\x41\x7f\xb3\xf2\xcc\xbe\x2c\x48\x2a\xdd\x30\x8e\x4a\x3c\x55\xb7\x53\x2a\x4e\x64\xcf\x10\x8d\x83\x3d\x54\xab\xf3\xcf\x93\xb3\xf9\x08\x52\x63\xd2\x77\x4c\x22\x14\xdc\x62\xe3\xc6\xa7\x88\x69\x46\xb7\xbb\xb4\xd0\xfd\xd8\x2d\x50\x22\x32\xf8\x91\xe9\x5e\x20\x75\xb6\x97\x4f\xcb\xc8\x15\x79\xfe\x8e\xeb\x7e\xe2\x21\xa9\x04\xce\xdb\xbb\xab\x25\x95\xef\x93\x53\x7f\xde\xa0\x3e\xb9\x3b\x49\x68\x01\x19\xd9\x96\xc8\xe7\x06\xdf\xc4\xd9\x94\x33\x95\x4c\x53\x67\x72\x5d\x48\x08\x11\x9b\x6
8\x3b\x59\x64\x1c\x4b\xff\xd3\xfb\xab\x0c\x7e\x12\x5f\x02\xba\xd9\x5c\xbf\xc2\x6e\xab\x96\x07\x9f\x8d\xfb\xf6\x62\x35\x89\xd1\x4e\x0c\x20\xd1\x5e\x07\xc3\x4b\xcc\xce\x36\xfb\x92\x79\x65\xf9\x6c\x8c\xc8\x9b\x3e\x51\x43\x82\x12\xa9\xbe\xc9\x2a\xf4\xb5\x92\xae\x76\xe6\x6d\x53\x1d\x34\x43\x85\xf5\x56\x85\x52\xe3\x7b\xd2\x5c\xbe\x30\x7d\x83\x99\x75\x91\x4f\x30\x91\x5d\x24\xe8\xf3\xd8\x92\xc8\xa1\x9f\xa4\x84\xc3\x5d\xf1\xfb\x92\xaf\x80\xed\xf4\x03\x34\x0c\xac\xed\x5c\x22\x47\x67\xe9\xe6\x87\x45\x65\x63\xdf\xf2\x9c\xa8\x6e\x36\x58\x55\xde\x94\x05\x7b\x66\xc5\x76\xbe\xc5\xf5\xb7\xfc\x3f\x00\x43\x33\x6b\x8a\x48\x7a\xe2\x51\x9b\x8f\xf0\x12\x2e\x7a\xc2\xbf\x57\xd2\x9b\xa6\x48\x08\xdd\x3a\x20\xd2\x6e\x43\x82\xce\x7b\xb1\xfb\xd3\x47\x34\xf5\xae\x66\x25\xee\x8a\x7d\xd5\x6f", 8192); *(uint32_t*)0x20004f40 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x50; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 0x3f; *(uint32_t*)0x200023d0 = 7; *(uint32_t*)0x200023d4 = 0x22; *(uint32_t*)0x200023d8 = 0x8001; *(uint32_t*)0x200023dc = 0x1040000; *(uint16_t*)0x200023e0 = 8; *(uint16_t*)0x200023e2 = 0xf6e1; *(uint32_t*)0x200023e4 = 8; *(uint32_t*)0x200023e8 = 9; *(uint16_t*)0x200023ec = 0; *(uint16_t*)0x200023ee = 0; memset((void*)0x200023f0, 0, 32); *(uint32_t*)0x20004f44 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 9; *(uint64_t*)0x20002450 = 0x40d; *(uint32_t*)0x20004f48 = 0x20002480; *(uint32_t*)0x20002480 = 0x18; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 7; *(uint64_t*)0x20002490 = 7; *(uint32_t*)0x20004f4c = 0x200024c0; *(uint32_t*)0x200024c0 = 0x18; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 0xffff; *(uint32_t*)0x200024d0 = 8; *(uint32_t*)0x200024d4 = 0; *(uint32_t*)0x20004f50 = 0x20002500; *(uint32_t*)0x20002500 = 0x18; *(uint32_t*)0x20002504 = 0; *(uint64_t*)0x20002508 = 0xce0; *(uint32_t*)0x20002510 = 0x1c; *(uint32_t*)0x20002514 = 0; *(uint32_t*)0x20004f54 = 0x20002540; *(uint32_t*)0x20002540 = 0x28; 
*(uint32_t*)0x20002544 = 0; *(uint64_t*)0x20002548 = 1; *(uint64_t*)0x20002550 = 0x100; *(uint64_t*)0x20002558 = 5; *(uint32_t*)0x20002560 = 2; *(uint32_t*)0x20002564 = r[6]; *(uint32_t*)0x20004f58 = 0x20002580; *(uint32_t*)0x20002580 = 0x60; *(uint32_t*)0x20002584 = 0xfffffffe; *(uint64_t*)0x20002588 = 8; *(uint64_t*)0x20002590 = 0xcd95; *(uint64_t*)0x20002598 = 0x1f; *(uint64_t*)0x200025a0 = 7; *(uint64_t*)0x200025a8 = 0x48; *(uint64_t*)0x200025b0 = 0xaac5; *(uint32_t*)0x200025b8 = 6; *(uint32_t*)0x200025bc = 0xad; *(uint32_t*)0x200025c0 = 5; *(uint32_t*)0x200025c4 = 0; memset((void*)0x200025c8, 0, 24); *(uint32_t*)0x20004f5c = 0x20002600; *(uint32_t*)0x20002600 = 0x18; *(uint32_t*)0x20002604 = 0xfffffff5; *(uint64_t*)0x20002608 = 9; *(uint32_t*)0x20002610 = 9; *(uint32_t*)0x20002614 = 0; *(uint32_t*)0x20004f60 = 0x20002640; *(uint32_t*)0x20002640 = 0x11; *(uint32_t*)0x20002644 = 0; *(uint64_t*)0x20002648 = 0; memset((void*)0x20002650, 0, 1); *(uint32_t*)0x20004f64 = 0x20002680; *(uint32_t*)0x20002680 = 0x20; *(uint32_t*)0x20002684 = 0; *(uint64_t*)0x20002688 = 0x10000; *(uint64_t*)0x20002690 = 0; *(uint32_t*)0x20002698 = 0; *(uint32_t*)0x2000269c = 0; *(uint32_t*)0x20004f68 = 0x20002780; *(uint32_t*)0x20002780 = 0x78; *(uint32_t*)0x20002784 = 0; *(uint64_t*)0x20002788 = 9; *(uint64_t*)0x20002790 = 3; *(uint32_t*)0x20002798 = 0; *(uint32_t*)0x2000279c = 0; *(uint64_t*)0x200027a0 = 6; *(uint64_t*)0x200027a8 = 0; *(uint64_t*)0x200027b0 = 0xfffffffffffff20d; *(uint64_t*)0x200027b8 = 0xfffffffffffffff8; *(uint64_t*)0x200027c0 = 1; *(uint64_t*)0x200027c8 = 0x3ff; *(uint32_t*)0x200027d0 = 5; *(uint32_t*)0x200027d4 = 9; *(uint32_t*)0x200027d8 = 0x726; *(uint32_t*)0x200027dc = 0x1000; *(uint32_t*)0x200027e0 = 6; *(uint32_t*)0x200027e4 = r[7]; *(uint32_t*)0x200027e8 = 0xee01; *(uint32_t*)0x200027ec = 7; *(uint32_t*)0x200027f0 = 7; *(uint32_t*)0x200027f4 = 0; *(uint32_t*)0x20004f6c = 0x200028c0; *(uint32_t*)0x200028c0 = 0x90; *(uint32_t*)0x200028c4 = 0; 
*(uint64_t*)0x200028c8 = 3; *(uint64_t*)0x200028d0 = 2; *(uint64_t*)0x200028d8 = 2; *(uint64_t*)0x200028e0 = 0x100000000; *(uint64_t*)0x200028e8 = 0x61a26b8d; *(uint32_t*)0x200028f0 = 6; *(uint32_t*)0x200028f4 = 2; *(uint64_t*)0x200028f8 = 1; *(uint64_t*)0x20002900 = 3; *(uint64_t*)0x20002908 = 1; *(uint64_t*)0x20002910 = 0x100000000; *(uint64_t*)0x20002918 = 3; *(uint64_t*)0x20002920 = 0x8f; *(uint32_t*)0x20002928 = 4; *(uint32_t*)0x2000292c = 0x1ff; *(uint32_t*)0x20002930 = 0x849; *(uint32_t*)0x20002934 = 0x1000; *(uint32_t*)0x20002938 = 7; *(uint32_t*)0x2000293c = r[8]; *(uint32_t*)0x20002940 = -1; *(uint32_t*)0x20002944 = 5; *(uint32_t*)0x20002948 = 0x1f; *(uint32_t*)0x2000294c = 0; *(uint32_t*)0x20004f70 = 0x20002980; *(uint32_t*)0x20002980 = 0x130; *(uint32_t*)0x20002984 = 0; *(uint64_t*)0x20002988 = 0xa00000000000; *(uint64_t*)0x20002990 = 4; *(uint64_t*)0x20002998 = 1; *(uint32_t*)0x200029a0 = 6; *(uint32_t*)0x200029a4 = 9; memset((void*)0x200029a8, 1, 6); *(uint64_t*)0x200029b0 = 6; *(uint64_t*)0x200029b8 = 1; *(uint32_t*)0x200029c0 = 5; *(uint32_t*)0x200029c4 = 0xfffffffe; memset((void*)0x200029c8, 170, 5); *(uint64_t*)0x200029d0 = 1; *(uint64_t*)0x200029d8 = 0x1ff; *(uint32_t*)0x200029e0 = 3; *(uint32_t*)0x200029e4 = 7; memcpy((void*)0x200029e8, "{#-", 3); *(uint64_t*)0x200029f0 = 5; *(uint64_t*)0x200029f8 = 0; *(uint32_t*)0x20002a00 = 2; *(uint32_t*)0x20002a04 = 0x761; memcpy((void*)0x20002a08, "[#", 2); *(uint64_t*)0x20002a10 = 3; *(uint64_t*)0x20002a18 = 0; *(uint32_t*)0x20002a20 = 2; *(uint32_t*)0x20002a24 = 6; memcpy((void*)0x20002a28, "#]", 2); *(uint64_t*)0x20002a30 = 1; *(uint64_t*)0x20002a38 = 0x714; *(uint32_t*)0x20002a40 = 5; *(uint32_t*)0x20002a44 = 3; memcpy((void*)0x20002a48, "*^\\^b", 5); *(uint64_t*)0x20002a50 = 5; *(uint64_t*)0x20002a58 = 0xeb68; *(uint32_t*)0x20002a60 = 4; *(uint32_t*)0x20002a64 = 0xfffffa80; memcpy((void*)0x20002a68, "--$-", 4); *(uint64_t*)0x20002a70 = 6; *(uint64_t*)0x20002a78 = 0xfffffffffffffeff; 
*(uint32_t*)0x20002a80 = 1; *(uint32_t*)0x20002a84 = 1; memset((void*)0x20002a88, 45, 1); *(uint64_t*)0x20002a90 = 1; *(uint64_t*)0x20002a98 = 8; *(uint32_t*)0x20002aa0 = 3; *(uint32_t*)0x20002aa4 = 0xf2; memcpy((void*)0x20002aa8, "!\\{", 3); *(uint32_t*)0x20004f74 = 0x20004c40; *(uint32_t*)0x20004c40 = 0xb0; *(uint32_t*)0x20004c44 = 0; *(uint64_t*)0x20004c48 = 0xcf; *(uint64_t*)0x20004c50 = 1; *(uint64_t*)0x20004c58 = 1; *(uint64_t*)0x20004c60 = 3; *(uint64_t*)0x20004c68 = 0x100000000; *(uint32_t*)0x20004c70 = 4; *(uint32_t*)0x20004c74 = 0x81; *(uint64_t*)0x20004c78 = 5; *(uint64_t*)0x20004c80 = 0x7f; *(uint64_t*)0x20004c88 = 5; *(uint64_t*)0x20004c90 = 6; *(uint64_t*)0x20004c98 = 0xffff; *(uint64_t*)0x20004ca0 = 3; *(uint32_t*)0x20004ca8 = 0x1f; *(uint32_t*)0x20004cac = 3; *(uint32_t*)0x20004cb0 = 8; *(uint32_t*)0x20004cb4 = 0xc000; *(uint32_t*)0x20004cb8 = 0xf5c8; *(uint32_t*)0x20004cbc = r[10]; *(uint32_t*)0x20004cc0 = r[11]; *(uint32_t*)0x20004cc4 = 2; *(uint32_t*)0x20004cc8 = 9; *(uint32_t*)0x20004ccc = 0; *(uint64_t*)0x20004cd0 = 4; *(uint64_t*)0x20004cd8 = 0x80; *(uint32_t*)0x20004ce0 = 5; *(uint32_t*)0x20004ce4 = 2; memset((void*)0x20004ce8, 170, 5); *(uint32_t*)0x20004f78 = 0x20004e40; *(uint32_t*)0x20004e40 = 0xa0; *(uint32_t*)0x20004e44 = 0; *(uint64_t*)0x20004e48 = 0x400; *(uint64_t*)0x20004e50 = 6; *(uint64_t*)0x20004e58 = 2; *(uint64_t*)0x20004e60 = 0x400; *(uint64_t*)0x20004e68 = 7; *(uint32_t*)0x20004e70 = 4; *(uint32_t*)0x20004e74 = 9; *(uint64_t*)0x20004e78 = 4; *(uint64_t*)0x20004e80 = 0x1000; *(uint64_t*)0x20004e88 = 0xffff; *(uint64_t*)0x20004e90 = 6; *(uint64_t*)0x20004e98 = 1; *(uint64_t*)0x20004ea0 = 0xffff; *(uint32_t*)0x20004ea8 = 0x65f; *(uint32_t*)0x20004eac = 0x647c2b8f; *(uint32_t*)0x20004eb0 = 0x400; *(uint32_t*)0x20004eb4 = 0x8000; *(uint32_t*)0x20004eb8 = 8; *(uint32_t*)0x20004ebc = r[12]; *(uint32_t*)0x20004ec0 = r[13]; *(uint32_t*)0x20004ec4 = 3; *(uint32_t*)0x20004ec8 = 0x6b; *(uint32_t*)0x20004ecc = 0; *(uint64_t*)0x20004ed0 = 
0; *(uint32_t*)0x20004ed8 = 0xd; *(uint32_t*)0x20004edc = 0; *(uint32_t*)0x20004f7c = 0x20004f00; *(uint32_t*)0x20004f00 = 0x20; *(uint32_t*)0x20004f04 = 0; *(uint64_t*)0x20004f08 = 0x800; *(uint32_t*)0x20004f10 = 0; *(uint32_t*)0x20004f14 = 0; *(uint32_t*)0x20004f18 = 0x10001; *(uint32_t*)0x20004f1c = 0; syz_fuse_handle_req(r[5], 0x200003c0, 0x2000, 0x20004f40); break; case 23: memcpy((void*)0x20004f80, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004f80, r[5]); break; case 24: syz_init_net_socket(0x24, 2, 0); break; case 25: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[14] = res; break; case 26: *(uint32_t*)0x20004fc4 = 0x5004; *(uint32_t*)0x20004fc8 = 0; *(uint32_t*)0x20004fcc = 1; *(uint32_t*)0x20004fd0 = 0x1de; *(uint32_t*)0x20004fd8 = r[14]; memset((void*)0x20004fdc, 0, 12); res = -1; res = syz_io_uring_setup(0x343, 0x20004fc0, 0x20ffc000, 0x20ffb000, 0x20005040, 0x20005080); if (res != -1) { r[15] = *(uint64_t*)0x20005040; r[16] = *(uint64_t*)0x20005080; } break; case 27: memcpy((void*)0x200050c0, "/dev/uinput\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 2, 0); if (res != -1) r[17] = res; break; case 28: memcpy((void*)0x20005100, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0x488200, 0); if (res != -1) r[18] = res; break; case 29: *(uint8_t*)0x20005140 = 0x1e; *(uint8_t*)0x20005141 = 3; *(uint16_t*)0x20005142 = 0; *(uint32_t*)0x20005144 = r[14]; *(uint64_t*)0x20005148 = 0x200; *(uint32_t*)0x20005150 = 0; *(uint32_t*)0x20005154 = r[17]; *(uint32_t*)0x20005158 = 6; *(uint32_t*)0x2000515c = 1; *(uint64_t*)0x20005160 = 0; *(uint16_t*)0x20005168 = 0; *(uint16_t*)0x2000516a = 0; *(uint32_t*)0x2000516c = r[18]; memset((void*)0x20005170, 0, 16); syz_io_uring_submit(r[15], r[16], 0x20005140, 0x3dd1); break; case 30: memcpy((void*)0x20005180, "/dev/keychord\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x20005180, 0x171000, 0); if (res != -1) r[19] = res; break; case 31: 
memcpy((void*)0x200051c0, "/dev/ubi_ctrl\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x200051c0, 0x10400, 0); if (res != -1) r[20] = res; break; case 32: *(uint32_t*)0x20005240 = 0; *(uint32_t*)0x20005244 = 0x20005200; memcpy((void*)0x20005200, "\x46\x23\xd8\xa4\xce\x02\x17\xc9\xe5\x95\x55\xc1\x66\x89\x06\x79\xe3\xe0\xc1\x94\x0d\xf5\xb9\xfc\xbf\x91\x64\x9e\xf5\x4d\x80\xf0\xc8\xbc\xc8\x0e\x36\xb5\x57\x4c\x4b\xc9\xf9\x43\x40\x18\x54\xf5\x6a\xa2", 50); *(uint32_t*)0x20005248 = 0x32; *(uint64_t*)0x20005280 = 1; *(uint64_t*)0x20005288 = 0; syz_kvm_setup_cpu(r[19], r[20], 0x20fe8000, 0x20005240, 1, 0, 0x20005280, 1); break; case 33: res = syscall(__NR_mmap, 0x20ffc000, 0x2000, 0x1000000, 0x8000, (intptr_t)r[18], 0); if (res != -1) r[21] = res; break; case 34: *(uint32_t*)0x200052c0 = 1; syz_memcpy_off(r[21], 0x114, 0x200052c0, 0, 4); break; case 35: memcpy((void*)0x20005300, "adfs\000", 5); memcpy((void*)0x20005340, "./file0\000", 8); *(uint32_t*)0x20005540 = 0x20005380; memcpy((void*)0x20005380, "\x87\x35\x19\xf2\x5d\xf0\x82\xb3\x71\xba\x5b\x45\xad\xb5\x70\x9c\x00\x80\x57\x47\xc3\x7f\xe0\x44\x06\x45\x95\xcd\x47\x28\xbf\x89\x80\x30\x2b\x25\xb4\xb0\x83\xb4\x2b\x41\x33\x6e\x13\x0f\x1b\x6f\xf0\xa2\xf1\x72\x49\x8e\x52\x2b\x4f\xe5\x82\x6e\xab\xab\xf5\x3a\x98\x52\xf9\x3e\xbe\xb8\x41\xe1\x64\x5f\x32\x93\x61\x27\x02\x9d\x68\xfe\x73\xec\xed\x89\xc1\xb9\x35\x87\x01\x2a\x47\xc4\x2a\x58\x3d\x69\x75\x59\x2b\x3f\x2c\xdf\x43\x37\xfc\x6d\x5e\x85\xe5\xf5\x83\x5f\xaf\xe0\x95\x93\x5e\xc9\x04\x84\xe9\x08\x1a\xa8\xd2\x24\x98\x43\x13\x01\xba\xad\x4a\x34\x36\x8c\x26\xc6\x4d\x85\x32\x6c\x7e\x00\x68\x21\x78\xf8\xd1\x3e\x6a\x89\x69\xf1\x5b\x9d\x5d\xbc\xfe\xc2\xc0\xe6\x96\x80\xc3\x92\x8c\xa0\x15\xb9\x2e\x25\xf5\x07\x8d\xe3\x54\xfe\x32\xcc\x71\x21\x60\x9a\x07\x62\xe1\xb7\x3e\xfd\x89\x67\xa2\xfe\x23\x5e\x4d\x1e\xf9\xe5\xac\x88\xbc\x1e\xd7\x06\xa9\x84\x64\x1b\x06\x47\x0b\x22\x94\xd0\x45\xce\x7e\xba\x51\xc0\x72\x89\x38\xa2\xc6\xee\xb6\xd8\x57\x44\x29\xcc\x24\xbc\xb2\xa7\x84", 241); 
*(uint32_t*)0x20005544 = 0xf1; *(uint32_t*)0x20005548 = 0x40; *(uint32_t*)0x2000554c = 0x20005480; memcpy((void*)0x20005480, "\x62\x93\x5b\xfe\x26\xe9\xc9\xf2\xdc\x3c\x3e\x9d\xfb\x49\x18\x58\xef\xb5\x98\x36\x9b\xcc\xa5\x19\x23\x98\x9b\xa9\x43\xcf\x44\x7b\xaf\x56\x62\x5d\xf0\xf6\x85\xed\x2d\x03\x4b\x37\xc0\x75\x63\xf6\x68\x72\x8f\x6d\xc6\x83\x36\x09\xb1\x22\x19\x70\xe5\x50\x88\x86\x9d\x29\xc0\x1b\x2d\xd0\x5c\x48\x20\xb0\x80\x42\xb5\x07\x40\x08\xc9\x75\x77\x12\xc4\x80\xe2\x5d\x89\xb9\xc4\x8e\x95\x7e\x5b\x5c\x7b\x0b\xec\xcf\xb1\xfc\xcc\xed\xbc\xed\xc8\x38\x06\x03\x80\x75\xfc\x2a\x0f\x82\x28\xbe\xb4\x7f\x1f\xec\xe0\x9b\xdd\xcb\xbe\x00\x21\xab\xe9\xc3\xd1\x98\x36\x9b\x81\xb6\x7d\xbd\x6a\x7d\x33\x4b\x8d\x28\xb8\x02\xcc\x97\xd9\x34\xc1\x64\xe9\x7d\x9d\x7b\x70\xdc\x6c", 161); *(uint32_t*)0x20005550 = 0xa1; *(uint32_t*)0x20005554 = 0x1ff; memset((void*)0x20005580, 170, 5); *(uint8_t*)0x20005585 = 0x2c; *(uint8_t*)0x20005586 = 0x2c; memcpy((void*)0x20005587, ":&-]!", 5); *(uint8_t*)0x2000558c = 0x2c; memset((void*)0x2000558d, 125, 1); *(uint8_t*)0x2000558e = 0x2c; memcpy((void*)0x2000558f, ",-V", 3); *(uint8_t*)0x20005592 = 0x2c; memcpy((void*)0x20005593, "\\*})", 4); *(uint8_t*)0x20005597 = 0x2c; memcpy((void*)0x20005598, "*^\\^b", 5); *(uint8_t*)0x2000559d = 0x2c; memcpy((void*)0x2000559e, "appraise", 8); *(uint8_t*)0x200055a6 = 0x2c; memcpy((void*)0x200055a7, "fowner<", 7); sprintf((char*)0x200055ae, "%020llu", (long long)r[8]); *(uint8_t*)0x200055c2 = 0x2c; memcpy((void*)0x200055c3, "smackfshat", 10); *(uint8_t*)0x200055cd = 0x3d; memset((void*)0x200055ce, 170, 5); *(uint8_t*)0x200055d3 = 0x2c; memcpy((void*)0x200055d4, "obj_type", 8); *(uint8_t*)0x200055dc = 0x3d; memset((void*)0x200055dd, 170, 5); *(uint8_t*)0x200055e2 = 0x2c; memcpy((void*)0x200055e3, "dont_appraise", 13); *(uint8_t*)0x200055f0 = 0x2c; memcpy((void*)0x200055f1, "dont_measure", 12); *(uint8_t*)0x200055fd = 0x2c; memcpy((void*)0x200055fe, "fowner<", 7); sprintf((char*)0x20005605, "%020llu", (long 
long)r[9]); *(uint8_t*)0x20005619 = 0x2c; memcpy((void*)0x2000561a, "dont_appraise", 13); *(uint8_t*)0x20005627 = 0x2c; *(uint8_t*)0x20005628 = 0; syz_mount_image(0x20005300, 0x20005340, 0xfd, 2, 0x20005540, 0x8800, 0x20005580); break; case 36: memcpy((void*)0x20005640, "/dev/i2c-#\000", 11); syz_open_dev(0x20005640, 0x40, 0x300); break; case 37: memcpy((void*)0x20005680, "net/if_inet6\000", 13); syz_open_procfs(r[6], 0x20005680); break; case 38: syz_open_pts(r[19], 0x800); break; case 39: *(uint32_t*)0x20006c40 = 0x200056c0; memcpy((void*)0x200056c0, "\x46\x41\x06\x38\xb7\xa1\x28\xc1\x5c\x6c\xb2\x7d\x23\x35\x80\x6d\xa8\x7c\x0d\x49\x15\x42\x44\x52\xcf\x0b\xa9\xee\xe0\xa5\xd4\x9d\x63\x4f\x09\x0d\xf2\x6f\x35\xbb\x04\x33\xc1\x3a\x27\x0d\xcb\x44\xcf\xe9\xba\x62\xb5\xba\x38\xd4\xae\x3c\x65\xea\xd2\x72\x7f\x1d\x2a\x5f\x02\xda\xa2\x70\xce\xa6\xf4\xf6\x09\x02\xe2\xed\xa6\x54\xb1\x6e\xc6\x63\x5a\x1c\x6c\xd1\x5d\x6b\xd6\x34\x32\x14\xb8\x34\x22\xd1\xa1\x9b\x5d\xae\x43\x9b\x9f\xbc\x3d\xb5\xc2\x18\xd4\xb0\x8a\xcf\xc9\xfc\xdb\xe5\xd4\xe6\xa5\x12\x7a\xda\xdc\xe6\x10\xd8\x15\xe8\xc6\xd8\xad\xc7\x86\x89\xea\xae\x29\xd8\x1a\x20\x04\x0a\xee\xef\x4e\xe5\x5d\x77\x01\xea\x72\x5e\x91\xb7\x4f\x5b\x37\x81\x4b\xee\xd1\x18\x54\x99\x79\xc8\xa4\x0d\x0b\x29\x09\x77\xad\xa4\xd6\x58\x74\xc7\xdc\xca\x03\x0a\x9a\x15\x50\x9b\xc2\x7e\x6e\x87\xd5\x26\x91\x24\x37\xb8\x69\x04\xf7\x42\xc9\xc1\x3c\x1e\x00\xbc\x5e\x3e\x94\x3c\x14\x30\xd1\xcc\x01\x8f\x5a\x4d\xec\xf2\x46\x02\xdb\x5b\xf2\x28\x6e\x64\xce\x75\x1d\x8d\xf1\x6f\x28\x09\x34\xfb\x08\xb6\x19\xb2\xb5\xe9\x31\x19\x5a\xd2\xf7\xc8\x7a\xe9\x56\xc6\x4a\x2f\xda\xc4\xfd\x79\x16\x11\xac\xc2\xa8\x65\xd9\x94\xea\x90\xed\x15\x85\x81\xe8\x0d\x03\x86\xb1\x53\xf1\x9f\xab\x27\x81\xb7\x2d\x1d\xe0\x03\xb1\x87\xd2\xb1\x19\x53\x42\xb3\xa0\x03\xbf\x44\x83\xb4\xd8\x90\xab\x1b\x2f\x51\xe8\xd5\x8f\x0a\x5a\xd7\x8e\x0d\xf9\xd6\x29\xc2\x2c\x2a\x32\x4a\x98\x2e\x1f\xc2\x73\x8c\x36\x0d\xb3\xa8\xba\x5e\x55\xae\x5c\x9d\x58\xf1\xc2\xf6\xbe\xd0\xb6\xde\x5b\xb4\xee\x3b\x5f\x84\x2c\xee\
xf9\x1b\x20\x56\x54\x1f\xf5\x53\x12\xee\x90\xa2\xbd\x09\x97\x06\x6c\x37\xf3\xd8\x37\x78\x95\x92\x1b\x08\x02\x15\x89\x04\x9e\xd7\xb2\x3c\xeb\xaf\x9b\x41\xd0\x8e\x75\x90\x58\xa3\x45\x2c\xb9\xdf\x2a\xee\x1d\x2b\x90\xe5\x10\xba\x9b\xc9\x48\x40\x0a\x69\xaa\x13\x83\x3d\x1b\x4c\x44\x44\x51\x29\xe0\xaf\x50\x12\xfd\x6a\x53\x41\x81\xfb\x20\x42\x68\x26\xa4\xb3\x69\x4e\x4a\x51\x81\x19\x9d\xf1\xed\x31\xde\x36\xf2\xed\x49\x21\x18\x22\xad\x91\x5d\x3b\x71\xac\xae\xcf\xf3\xc8\x4d\x4e\x3b\xb1\x9f\xba\x32\x19\xe2\x61\x45\x73\x5f\xf7\x1d\xce\xee\xee\x7a\xa2\x47\x53\x9a\xd2\x73\x11\x13\xd3\xf3\x64\x42\x6b\xe9\x00\x6e\x6b\x0e\x35\x8b\x81\xd4\x07\x45\x49\xe0\x8e\xf2\x76\x13\xa3\x71\x5e\x5e\x89\xba\x0a\x71\xe3\x99\x52\x31\xe9\x9a\xac\x5e\x4e\xe7\x07\x8f\x59\xe3\xe7\xd4\xfa\xbe\xd2\x6e\x75\x07\x41\x1f\xbe\x4b\x03\x53\x10\x62\x78\xac\x69\xf3\xb9\x1e\xc6\x9f\xa5\x42\xeb\x7c\x96\x43\x94\x06\x2f\x65\xc6\x50\x19\x7f\xbe\x73\x3c\x22\x83\x26\x73\xd0\x66\xe4\xed\x40\x07\x3b\x28\x4e\xe4\xe5\x1b\x12\x59\x36\x7d\x4e\xb9\xe1\x72\x00\x7e\x6f\xb8\x0a\x0a\x6f\xe6\x2b\x3f\x3d\x5e\x5b\x68\xfe\x04\x7e\xa4\xd6\xfb\xfa\xa3\x0a\x00\xfc\x29\xbc\x58\xa3\x1c\xfb\x82\x12\xf2\xc4\x9c\x3a\x2e\x71\x1a\xe5\x02\xbd\x64\x7b\xd5\x6b\xb7\xcf\xc1\xd8\x4d\x14\x18\x27\xbe\x21\x1b\x5f\xfb\xed\x78\x6b\xfa\x13\x13\xd2\xae\xd5\x34\xf0\x00\x19\x36\x3a\xc1\x29\x61\x2c\xa2\x5c\x76\x3b\x07\x7f\x5a\x72\x4d\x61\xfc\x79\x74\xfa\x82\x4b\xad\xc1\x40\x06\xf2\xfe\xbf\xb1\xe3\x5a\x3d\xd7\x2e\x82\x33\x4a\x26\x37\x56\xff\x42\x04\x68\x0c\xba\x1c\x03\xc5\x5e\x09\xdf\xfb\x5a\x58\xe4\xc5\x5b\x5b\xd7\xa7\x0e\xe8\x52\x59\x29\xa0\xee\x9f\x90\x91\xe3\x4b\xb8\xd2\xf0\xaf\x6d\x2a\x26\x70\xc5\x91\x18\x6b\xee\x6c\xed\xda\xb8\xe1\xfe\x8d\x4b\xe3\x97\xa5\x45\xc4\x83\xfd\x68\x4c\xd8\x12\xdf\x5e\x31\x2a\xb5\xf4\x81\x2b\x47\x84\xef\xae\xf1\xc3\xdb\xe7\x90\x94\xfb\xab\xd6\xca\x5f\x0a\x45\x46\x23\x96\xf8\x18\xa5\xc7\xbf\x61\xc8\xc3\xf4\x33\x66\xc1\x26\x5f\x46\x38\xd1\xdc\x7b\xde\x11\x46\x10\x35\xc7\xaf\x77\xe6\x84\x4c\x5d\x47\xbc\x18\x97\xdf\xab\xec\x76\x87\xed\
x25\x79\x4a\x71\xa3\xaa\x2b\xe1\x66\x57\x19\xe7\xea\xf6\x49\xbf\xaf\xfc\xea\x24\x92\xd4\x3b\xca\x7f\x03\x04\x21\x0c\xfc\xa9\x1a\x0d\xad\xf6\x6b\x7c\x3c\x6b\xaf\x8c\x50\x55\xef\x4f\x3c\x56\xaa\x03\xbb\x6e\x40\x0d\x7c\xac\xa6\x9e\x42\x43\xac\x71\xc9\x39\xcc\xf2\x73\x10\xb7\x3b\xa5\x98\x97\xe2\x02\x0c\x71\x7c\x33\xdb\x9a\x4a\x58\x29\x12\xa3\xa8\xd7\xc0\xa8\x70\xb1\x2a\x9f\x98\x2a\xaf\xd0\xcf\x15\x95\x75\x18\x9d\x8c\x26\x88\x64\x34\x22\x9f\xb0\xc7\x6c\x56\x50\x8b\x63\x8a\x25\x09\xb6\x58\x47\x72\x2a\xf1\x97\xe9\x5c\xf0\xcf\xf2\x36\x84\x48\xd4\x2a\xd6\x2d\xb2\x7f\xf0\x17\xa7\xfb\xed\x92\x3b\xef\x62\x83\x40\x87\x12\xc3\xf0\x4a\x79\x03\x38\xf4\xf8\x0c\xf4\xf3\xe9\x2f\xaa\xfa\x3b\xf6\xcf\xf5\xed\x3c\xf3\xb1\x7b\x50\x50\x75\xe1\x2b\x69\x58\xbf\x2e\x5c\xb4\x02\x41\xf6\x72\x87\x4a\x0f\x94\x0f\xd5\x7e\x82\xe9\xca\xff\x11\x3d\x67\x1d\xa2\x3d\xa3\x43\x6a\x31\x80\x0c\x2d\x34\x87\x96\x5f\x87\xc3\xf8\x25\x06\x10\xaa\xff\x78\x3d\x78\x59\x5e\x19\x26\xb7\x7e\x97\xb2\xe3\xad\x09\x08\x7a\xf9\x19\xac\xe3\xf0\x4f\xd2\x75\x88\x7b\x1f\xc8\x1e\xe2\xf5\xba\xd8\xde\x1c\xc3\x5e\xe0\xc0\x3a\xde\xed\x9a\x91\x97\xd7\xa8\xfa\x5d\xb5\x9d\xc5\x00\xa9\x4b\xd1\x84\xa2\xa8\x0d\x97\x04\x79\x7e\x76\xbc\x0f\xc4\x3e\xd5\x72\x96\x14\x3d\xc9\xd8\x58\xb1\x4a\x7b\xdf\xb4\x18\x19\x7f\x09\x74\xb6\xee\xe2\x99\x95\x80\x51\xb1\xd4\x14\xab\x12\x6c\xef\x5b\xc3\x6a\xe4\x05\x5c\x4f\x19\xe7\xe0\x1d\x20\x92\xd9\x9f\x1d\x2a\x5a\x56\x61\x4f\xed\xf4\x81\xd5\x78\xcb\x85\x1a\xd7\x3e\x18\x29\xbc\x35\x0f\x7e\x56\xee\x0d\x2e\x71\xfe\x73\x1c\x1b\x30\xfd\x84\x5f\xd8\x2c\xa0\xac\xf0\x29\xaf\xf4\xa7\x5e\x0d\x38\xfb\x7a\xf5\x82\xa1\x9c\x0c\x7d\xeb\x19\x54\x4b\xc7\xa1\x3c\x18\x96\x03\x24\x41\xcb\xa6\xae\x39\xc3\x5a\xe8\x80\xb4\x5a\x5c\x97\x54\x5a\xc0\x99\x24\x3a\x79\x1c\x6f\x2e\xb9\x35\x56\x20\x8b\x8b\x20\x35\x42\x75\x2a\x67\x3b\x9d\xf0\x2b\xf0\x4a\xd3\xc1\x8e\xec\xaa\x5e\xb2\x2d\x1b\x65\xe5\x9c\x34\x49\xb5\xcc\x42\xdf\x35\x0d\xd4\x82\x2b\xcf\x67\x1d\xf7\x84\x20\x68\x9c\xac\x22\x65\x8c\xd9\xf0\xf3\x90\xe2\x6e\x07\x96\xac\x4b\x7f\x30\xb1\
x98\x9f\x09\xcf\x5b\xa5\x16\xeb\x16\x67\xec\xc1\xd8\x53\x73\x9a\x20\xe5\xe7\x85\x99\xbd\xa8\x30\xd0\x02\xd4\x5e\xb6\x6d\x63\xa7\x78\xb8\x41\x2a\xf5\xd6\x3e\x3e\xf2\x64\x94\xe2\x1b\xbc\xde\x5b\x97\xa9\x4f\x79\x78\xac\x90\x3d\x46\x7c\x5b\x6d\x07\x17\xdc\x4a\x9d\x14\x6e\xd4\xb5\x8b\xfe\x37\x3a\x59\x08\x70\x2f\x99\x7f\x10\x90\xb4\xb1\x90\x93\xf8\x90\x50\x85\xec\xb6\x91\x10\x7b\x05\x9e\x0e\x1c\xd0\xc4\xa9\x4c\x9a\x47\x3a\xf2\xd1\x2b\xd5\x99\x8a\x8b\x8b\x48\x02\xf9\x31\xb9\x05\x15\x51\x9f\x20\xfe\xea\xde\xa5\x68\x4c\x06\x4f\x9a\xdb\x42\x39\x35\xb8\xde\x29\x8b\x03\xe5\x79\xab\xad\x6a\x23\xa8\x6c\x86\xed\xd3\x9c\x2e\xd6\xa4\x68\x5e\x69\xbc\x71\x54\x05\xab\x7a\x3f\x27\x66\x4b\xdb\x68\xfe\xf1\xfc\xd0\x90\xf0\x60\x38\x1f\x1a\xa3\x74\xa0\x74\xa6\x40\xf9\x91\xec\x6d\x8b\x28\x8b\x1b\x05\x07\x06\x85\x60\x31\x4f\xe9\x4a\xeb\x85\xc4\x2f\x4d\xf3\xad\xb2\x14\x85\x69\x65\x15\xda\x2f\xa7\xf4\x41\xb7\x53\xd5\xf8\xca\x45\x45\xf2\xd1\xdc\x1e\xb3\x4e\x41\x8c\x04\x3b\xeb\x51\x8b\xb3\x5f\xe3\x02\x35\xaa\xbf\x7e\xc5\xf3\x71\xb3\xa4\x8c\x0e\xa6\xa6\x13\xeb\xb4\xe4\xda\x5b\x71\x40\x8a\xa5\x57\x74\x23\x9a\xc7\x49\x03\x0a\x52\x74\x0c\xd8\x53\x5b\x9e\x3d\x28\xa4\xe8\x7b\x4c\x4f\x40\x44\xc8\x19\x5c\x32\x11\xf9\x47\xe5\x00\x7d\xf7\xb6\x4e\x37\xc4\x14\xbf\xd5\x4f\x7b\x59\x82\x37\x20\xbe\x00\x49\x8c\x18\xb5\x7d\xad\x00\x43\xf0\xc5\x0a\x75\x81\x74\x18\xc1\xdb\xc3\xdb\x8d\xc7\x33\xce\xb2\xb5\xb6\xd2\x0b\xec\x1e\x38\xa2\xf9\x09\xaa\x61\x94\x80\xe2\xca\x05\xd9\x00\x0b\x7e\xaf\xf3\x70\xc0\x77\xed\x38\x94\x22\x89\x0d\xd4\x26\x27\x8c\x63\xc2\xac\x42\x85\xe8\x40\xe6\xc7\xf9\xda\x04\xd6\x9a\xf4\x48\x2d\x96\xee\x58\x24\xde\x09\x16\x14\xd8\xb1\xb4\xcf\x49\xf5\xa7\x01\xe4\xb4\x2f\xf5\x8a\x62\x82\x3c\x27\x76\xfb\xa4\xc2\x7e\xc8\x6c\x24\xba\x10\x3e\xd0\x1c\x66\x72\x9a\xd6\x02\x92\x4a\x51\x37\xb7\x18\xd8\xdd\xee\xb0\x83\x39\xd8\x3c\x45\xfe\xca\x01\xc3\x93\x35\x7a\x67\x64\x38\x11\x43\x63\x59\x1d\x31\xc2\xba\x6f\xaf\xa5\xd8\x57\x1a\xf7\xc3\xa3\x69\x0f\xde\xb0\x99\xe4\x41\x92\xb5\x87\x1f\xd0\xa3\x36\x5f\xb2\xe2\x30\xc6\
xc0\x3a\x74\x73\x78\x2b\x30\x3a\x5b\xe1\x4f\x03\x8d\x8e\xa3\x4a\x63\x08\x43\x00\x51\x6e\xb7\x88\x4e\x59\x33\x58\xe6\x6b\x3d\xfb\x6d\xac\x4d\x08\x15\xd5\x8d\xaf\xb8\x5e\x8c\xca\x44\x26\x53\x6a\x38\x4d\xc8\x9f\x74\x13\xf1\x4c\xc9\x2e\x73\x77\xa9\x09\x38\xf9\x9e\xf7\xf5\x35\xc2\x18\xae\x2e\x90\x9a\xcd\xbf\xd7\xeb\x5b\x0b\x47\x40\x8e\x3d\x6d\x73\xdd\xa3\x9f\xbd\x6b\x23\xaf\x18\xf1\xa6\x70\x3e\xe3\xb1\xf7\x5b\xb7\xc0\x00\xa4\xca\x5a\x7b\xcc\xaa\xe8\x6c\x4a\xba\xc8\x1d\xa2\x93\xe4\x3f\x91\xd2\xc3\xdf\xf1\x2f\xfa\x52\x29\x13\x9a\x08\xae\x5f\xc2\xec\x13\x9b\xe9\x78\xb8\x18\x2d\x6a\x60\xc7\xff\x39\xbb\x0a\xa8\x20\xa1\x07\xd9\x2e\x38\xb9\x5e\x74\x8a\x18\x4b\x53\xf5\x62\x4f\x45\x72\x39\xf6\x38\x4d\xdd\xcb\x9f\xd7\xe8\xef\x29\x52\x65\xd7\x9b\x64\xc5\xc0\xa9\x3b\xf2\x16\x35\xb8\xc6\x80\x90\x78\x10\xd8\xe7\x2a\x58\x1e\x5a\xa0\xe0\x0f\xbf\x35\x1e\x3c\x84\x1c\x7d\x0c\x51\xa2\x63\x68\x37\xb2\x7c\x6a\x91\x42\x5b\x50\x6a\x22\xc2\x7d\x14\x20\xd0\xb1\x3e\x60\xde\x3e\x9c\x56\x66\x7a\x98\x98\x3b\xa9\xbd\xd1\xc5\xa5\x2d\xc6\x12\x7b\x65\x9e\x6d\x80\x70\x69\x59\xf0\x7d\x3a\x5f\xa8\xb3\xb8\x8e\xab\x05\xe7\xa0\xc0\x4e\xe1\x2a\x21\x37\x2c\x71\x3f\x64\xc6\xad\xbe\xed\xd7\xa8\xb7\xa6\x92\x67\x49\x75\xbb\xe5\x5c\xe4\x02\x71\x44\x02\xf2\x0c\x7f\x57\xff\x1f\x79\x35\x7d\x8e\xda\xbe\xf1\xd8\x68\xf0\xa2\xb3\xdd\x7a\xa3\xbb\xe5\x8e\x80\x81\x49\x70\x73\x4f\x7d\xec\x70\xd3\x14\xe8\x11\x59\x3a\x32\xcc\x86\x1f\x4a\x8a\x4b\x3f\x0d\x7c\xeb\x4e\xbb\x32\x66\x4f\x56\x44\x49\x7a\xc9\x56\x2c\xdd\x5a\x54\x19\x3f\x22\x38\xe6\x5c\x18\x74\xc8\x64\x21\xc5\xcf\xb4\x3a\xe1\x56\x93\x1c\x78\x40\xd1\x0d\xe4\x7a\x4d\x0f\x2f\x31\x74\xc3\x6c\x86\x45\xac\x02\xf5\x44\xc3\x69\x0b\x51\x37\xaf\x7d\x2c\xed\x3f\xb0\x43\x59\xbb\xf2\x2b\x67\x20\xea\x94\xf2\xe3\xb5\x67\x5f\xb7\x7a\xde\x56\xc9\x77\xd6\x68\x06\x4e\xfd\xd1\xc6\x15\x11\x9a\x52\x8c\x9e\xc1\x35\x3e\x84\x10\x3e\x5d\xce\x6a\x0b\xd0\x73\xf9\xff\xbe\xa0\x81\x9c\xf6\xc0\xcc\x58\xea\xd0\x0c\x92\x34\x02\x98\xcc\x09\x45\x64\x11\x7f\x3f\xb8\x94\x27\x4c\xa9\x1d\x79\x76\x45\x96\x19\xf5\
x44\xb2\x50\x58\x6c\x6d\x44\xaf\xba\x55\x74\xb7\xef\x51\x26\xb0\x70\x40\x9a\x1f\x5e\xed\xc6\x50\x07\xb0\x03\x39\xf1\x60\x42\x2f\xff\x38\xd6\x7e\xaa\x8d\x78\x2f\xc4\x19\x2a\x29\x81\x08\x79\xeb\x12\x85\x99\x42\xfa\x14\x1a\x21\xc3\x9d\x9e\xea\x03\xeb\xa1\xaa\x7b\x3a\xc7\xe2\xb1\xda\xf4\xf6\x9f\x47\x5b\x8e\x75\xc5\xac\x7c\x2e\xfd\xd7\x77\x93\x2d\x40\x31\x43\xcd\xd0\x89\x02\xd5\xe3\x45\x93\x01\xc2\x8c\x88\xc4\xdf\x34\x2c\xa1\x39\x10\xb7\x60\xe3\x4c\x40\x19\x4b\xb5\x1b\x82\xcf\x14\xad\xee\xd5\xae\x47\x51\x7d\x3c\xbc\x73\xbb\xb5\xa8\x89\x9c\x30\xe6\x06\x51\x99\x89\xa8\x5d\x2e\x15\xb0\xe8\x9e\xbb\xa4\x3f\x0c\x8a\x75\x2f\x07\x01\x03\x80\xca\xa7\x0d\xc4\x09\xff\x80\x5c\x24\x57\x48\x29\xd0\x6b\xb9\xa1\x49\x5d\x5a\x30\x85\xdf\x90\x29\xe2\x3d\x92\xbb\xc4\x6d\x7c\x7c\x1d\xb7\x36\x5e\x92\xe8\xd2\x44\x9a\xad\xe3\x89\x26\xa6\x43\x68\x72\x3a\x0e\x8a\x77\x7b\x32\x61\xc9\xc9\x7b\xae\x82\x5b\x55\x1b\xa9\x40\x55\x1a\x7e\x15\xe3\x01\x3d\xc0\x9a\x05\x22\x9d\x0c\x9a\xc6\x4e\xe1\x5e\xe3\xd4\x67\x42\x62\x89\x24\xc0\x9e\x63\x60\xcc\x43\x00\x6f\xb9\xa0\xe1\xc0\x6e\x55\x84\x63\x7c\xee\x00\x5e\xe2\x6c\xeb\xa7\x02\x95\xcb\xa5\x63\x7d\xfc\x98\x21\x14\x8e\xd7\x41\x50\x03\xd5\x18\x36\x84\x23\xae\x70\x8c\xfa\xc6\x38\xf2\xb8\xe1\xd3\xa7\x10\x11\xbd\xa8\x03\xac\xd2\xcf\xa4\x29\xea\x5f\xa0\x45\xfe\x07\x8f\x91\xeb\xe4\x5e\x7d\x51\xd4\x3f\x08\x30\x2d\x5f\x3b\x0c\xcc\x3e\xb7\xdc\x03\x81\x8b\x33\x56\x7e\x86\xf8\xe5\xdc\x40\x45\x15\x69\xa7\x95\x48\x58\xd2\x6d\xf8\x55\x49\x35\x27\x6f\x56\x54\xaf\xec\xf2\x40\xc7\xe8\x6c\x92\xec\xba\x4d\x3f\xf7\x58\x21\x31\x2d\x6a\x3b\x82\xe1\x8c\xc2\x34\xda\x5b\xac\xc2\x86\xef\x09\x24\xce\x23\xbd\x30\x70\x8d\xe5\x81\x32\x57\x4b\x54\x8c\x96\x28\xb5\x2d\x34\x29\x1d\x1c\x4a\x7f\xfd\xfe\x63\xde\x1f\xa9\xb5\xe0\xfa\x6e\x62\xf3\x52\x8a\x80\xc9\xcc\x97\xa7\xc5\x15\x40\x3f\xce\x89\x5a\xb7\x95\x63\x52\x66\xaf\x74\x6d\x89\xd2\xc9\x40\x58\xca\x38\x50\x1d\x86\xb4\xd6\x32\x4d\x0d\xf0\xd9\xc1\xe4\x7b\xbf\x83\x8b\xaa\x20\x6a\xa2\xec\x43\x97\x82\x8e\x99\x2f\xe9\x63\xb2\xe8\x37\x22\x80\x26\x27\
x62\x90\x30\x10\x6c\xf2\x0e\xc9\x8e\x24\x51\x47\xc9\x44\x26\x21\x4d\xdf\xb9\x79\x12\x06\x51\xad\xde\x14\xa4\x25\xfe\xf2\x9a\x20\xc0\xcc\x54\x60\x39\x3a\xcb\xdb\xa5\x7b\x3c\x38\x36\x62\x7e\x6a\x9c\x19\xa2\x34\x43\x12\xa9\xbc\x66\x1b\x76\x02\x85\x41\x5a\x28\x74\xe2\xf2\x18\x7b\x5c\x6d\xbf\x38\xb0\x59\x63\x6f\x9e\xd1\xde\x16\x92\xd3\xb8\x65\x04\xa7\xc1\xb6\x68\xe5\xaa\x0f\x87\xcf\x49\x7f\x0c\xab\x26\x6e\x4d\xb6\x4e\xc6\x46\x55\x80\xbe\x1d\x97\x24\x49\x47\x30\x46\x88\xcb\x35\x76\x49\x0b\x8d\xb0\x86\xb0\x89\x05\x82\x0e\xa9\xd9\x1d\xfc\x8f\x3b\x96\x6a\x9e\x56\x8d\x85\x6a\x9c\xce\x3f\x17\x31\xac\x16\xe4\xcf\x48\x71\x43\x34\xb6\xc7\xac\x35\x97\xfc\xae\x85\xd1\x79\x46\xb0\xae\x28\x99\x84\x5e\x96\x06\x6e\x0a\x64\x83\x85\xc9\x8e\xe5\xc1\x19\x39\x13\x56\xb2\x04\xac\xbd\x4a\x5c\x7c\xc2\xcb\xce\xec\xe0\xf5\x8d\xfb\x73\xfc\x30\xef\x7c\x17\x69\xb4\xf5\x6e\xd1\xb7\x7d\x76\x24\x8b\x0e\xa2\xa6\x6d\xb0\xe5\x21\x7b\x5d\x62\x42\x37\x19\x1a\xbe\x94\x86\xac\x0b\xd3\x2e\x3e\x73\x62\x33\x14\x41\x73\x4a\x8d\xd9\xed\x98\x3b\x92\xbf\x26\x47\x2c\x50\x21\xf8\xbe\xa1\x31\xec\xe4\x7c\x8f\x45\xe6\x8a\x25\xa8\xbe\xb4\x88\x58\x95\xc2\x79\x82\x30\x6d\xaf\xa1\xfa\xc9\x05\xb2\x76\xc2\xf6\x0c\xcd\xca\xbe\x2a\x5b\x32\x5b\x5c\x5d\x84\x82\xf3\x05\x66\x02\x44\xc3\x61\x71\x1f\x0e\xed\x77\x46\xc0\xda\xf9\x9d\xfd\xe3\x6c\xaf\xf2\x94\x05\x11\x82\xc5\xb6\x58\x9f\xc0\x70\x0b\x75\x1f\xb2\xb3\x80\x7f\x0b\xcb\xd2\x77\xa8\x44\xce\x82\xa5\x45\x58\xf5\x5c\xdd\x25\xa3\x0b\x22\x83\xab\xe5\x19\xc8\x27\xb1\x0a\xed\x61\x2f\x8a\xea\x3c\xb7\xac\xa8\xb3\x40\x28\xc0\xb3\x63\xc9\xac\xc5\x2d\xde\xa9\xe0\xc3\x4e\x8a\x5c\x90\x86\x9f\xe6\x0d\x28\x30\x7e\x35\xd3\xe4\x35\x82\xf3\x77\x3d\x46\x66\x9e\x43\x13\xa0\x7b\x12\xe7\xd6\xd5\x01\x43\x6f\x8e\x6f\x4b\xc3\x47\xb2\x91\x94\x14\x4d\x82\xc5\xda\xa9\x73\x0f\xea\x34\x66\xc3\x16\x72\x09\xf0\x96\x97\xda\x03\x4f\x86\xca\x9e\x5a\x7e\x28\xc0\x59\x99\xf4\x16\x1d\xca\x75\x18\x14\x04\x13\x50\x4b\xe2\xaa\x60\xef\x71\xb6\x64\x84\xfc\xa1\xb0\xbb\x11\xaf\xd5\x97\x55\xb9\x78\xdd\x29\x4e\x3d\xa8\x56\x55\
xb9\x0f\x05\xbe\x08\x23\xe2\x62\xaa\x69\x3c\x43\xbc\x23\xf4\x94\x8a\x60\x96\xff\xe1\xb5\x8e\x1b\xcd\x65\xb0\xdb\x70\xc6\x2a\x4f\x85\xd7\xdd\x4b\xe6\xcd\xdf\xea\xf1\x38\x38\x14\xa6\x72\x8b\x4c\x30\x1e\xab\x03\xb9\x50\xba\xc8\x67\x37\x5d\x1b\x6c\x61\xeb\x2f\x7f\xde\x96\x0b\x16\xf5\x94\x83\x79\xe2\x11\x5a\xb5\x40\x13\x56\xdb\x05\xa7\xdc\x30\xa2\x99\x98\x97\xb1\x63\xc7\x3d\x34\x80\x71\x06\xdf\xdc\xf7\xb7\xf9\xb9\xe7\x37\x7f\xc7\x22\x00\x3c\x86\x8c\xa5\xc1\x4a\x0e\x2f\x1d\x19\x40\xec\x6a\xef\xcf\x85\xfe\xd2\x07\x62\x2e\xd3\x81\x20\xc6\xa8\xaa\xd7\xb4\xe9\xe8\x7d\x5e\x4e\x9a\x6a\x55\xc6\xe1\x32\xe9\xe1\xe9\xa3\xa6\x2b\x4f\x7c\x6c\xe0\x09\x3f\x88\x65\x47\xdf\xc4\x8d\xe1\xd2\xe0\xc8\x5b\xf0\x1b\x49\xf9\x92\x41\xa3\x6d\x32\x4c\xdb\xad\xe5\x37\x7d\x5a\xa5\x73\x33\x77\xec\x7e\x97\xb7\xac\x54\x38\x7f\xd2\x93\x91\x31\x9d\x3f\x3b\xbc\xd0\x7b\x28\x70\xb9\x64\x6b\xf2\x83\x5b\x3a\xbb\x51\x21\xdc\x20\xa6\x38\xc6\xd0\xd6\x2b\x0a\x05\xd9\x4a\x5f\x1c\x03\xbf\xf6\xe8\x71\xa8\x4f\x9a\x7d\xef\xa1\x6f\x30\xcb\x8b\x3f\xf5\x7c\xb5\xa9\xb8\x95\x8b\x59\x21\x19\xcb\x0c\x80\x25\x13\xc1\x4a\xec\x2d\x27\xcf\xff\xbf\xb4\xe6\xa2\xa8\x40\xf8\xb0\xd7\x46\xa8\x3f\xa8\xbd\x22\x70\x21\xb0\x38\xf5\x0c\x41\x1f\x79\x22\xfb\x38\xec\x89\xf5\x1d\x71\xb7\xd3\xd9\xe2\x41\xdb\x1b\xe1\xb4\x50\x7e\x5b\x68\xfa\x1e\xe8\x9c\x21\x27\x44\x5e\x5d\x6e\xd4\xe7\x43\x3d\xe7\xbf\x4d\x72\xb7\xf7\xb1\xc9\xaa\x7c\x40\x8e\x4c\x10\x50\xce\x17\x74\x27\x98\x4f\x50\x35\xb5\x1e\x3a\xd5\x2b\x56\xd8\xaa\xf3\x8e\x56\x79\x30\xa7\x11\xc8\xdc\x34\x88\xff\xcd\xc1\xa5\x6f\xe1\xb4\xc5\xdf\x22\x67\x3b\xcc\x3e\x9c\xcd\xbb\x3a\xb6\x70\xa2\x45\x47\xf5\xde\xd4\x2d\xec\xfd\xdd\x52\x21\x04\x07\x5c\x37\xdd\xed\xe4\x60\x92\x5d\xcb\xc6\xe5\xef\x20\x60\x28\xaa\x7e\xa0\xc8\x4d\x60\xd9\x90\xfc\xd4\x8d\x76\xc9\xa4\x7b\xe6\x81\x92\x50\xd4\xd1\x0f\xce\xfc\x7a\x12\x4c\x6f\x3f\xaa\xf5\x1f\x7b\x67\xdc\xc2\xb3\x9a\xcf\x11\x9c\x8f\x89\xb9\x3b\x58\x39\x52\x47\xfa\x45\x9c\x1f\xfe\x6f\xc5\xa7\x0c\x32\xd5\x19\x6d\xa5\x93\xb3\x36\xbe\x04\x67\x16\x4e\xbb\xc9\x86\xfc\x14\
x5b\x32\xbb\x91\xa4\xc0\x58\x88\x4c\x82\xf5\xca\xcd\xa6\x2a\x43\x12\xbb\x35\x07\x0e\x74\xde\x2b\xba\x07\x64\x8b\x7e\xb9\xd9\xfa\xe8\x91\x64\x8f\x54\x32\xb6\xa7\xd5\x98\x6e\xf2\x02\x78\x72\xcf\x9e\x1a\x08\x6c\x57\x6a\xba\xc8\xdc\x40\x1a\xab\x0d\xa9\x3a\xbf\x0a\xb7\x1e\xcd\x9b\xb9\x6e\x39\x18\x03\x62\xa1\x0a\x21\x85\x07\x1e\xbb\x8c\xa2\xca\x8d\x97\x19\xd4\x7b\xfc\x18\xb6\x2f\x97\x71\xb9\x7d\xfe\xd7\x3b\x98\x23\x25\xeb\x94\x3d\x78\x5c\x78\x75\x00\xd5\xac\x0d\x26\xa9\xca\x90\xcc\x73\xc2\xac\xfe\x87\x2f\x4e\x32\xeb\x44\x39\x08\x3b\xdb\x32\x49\x70\x1d\xdd\xdb\x50\x0d\xf3\xf8\x96\xbb\x1f\x7a\x37\x06\xd6\x4b\xe1\x6d\x00\xf6\xfd\xcd\x6b\xf4\x1d\xf8\x65\x35\xf2\x98\xd2\xdd\x04\x31\x77\x74\xbd\x6b\x39\x03\xf3\x71\xd5\x9b\xe7\x19\xb7\xec\x1d\x00\x3b\x3c\x97\x05\xa8\xf7\x88\x89\xb8\xf7\xda\x0d\x46\xde\xfd\xce\xd2\xdf\x70\xd8\xcb\x45\x70\x82\x8b\xb2\x65\x49\xb5\x50\x11\x58\x9c\x73\xbe\xc4\x20\x7c\x8d\x59\xeb\xe1\x89\x6b\x37\x61\xc1\x85\xa1\x32", 4096); *(uint32_t*)0x20006c44 = 0x1000; *(uint32_t*)0x20006c48 = 0x8001; *(uint32_t*)0x20006c4c = 0x200066c0; memcpy((void*)0x200066c0, "\x31\xe3\xc3\xfa\x6d\x99", 6); *(uint32_t*)0x20006c50 = 6; *(uint32_t*)0x20006c54 = 0x3ff; *(uint32_t*)0x20006c58 = 0x20006700; memcpy((void*)0x20006700, "\x39\xde\x86\x3b\x71\x48\x20\x8e\x43\x2f\xcd\xdb\xd9\xe9\x14\x8e\x71\x6c\x1b\x48\xa3\x96\x7c\x87\x0c\x70\x14\x5d\x90\xed\x68\x1b\x3f\x8b\xce\x84\x9f\xee\x7f\x50\x09\x15\x70\x85\x4e\x20\x10\x37\x23\xe5\x64\x54\xe7\x11\x54\x3f\x6e\x2b\xe9\x2c\x34\x09\x0d\x8c\xc7\x92\x26\x0b\xe9\xb9\x60\xc1\xe4", 73); *(uint32_t*)0x20006c5c = 0x49; *(uint32_t*)0x20006c60 = 9; *(uint32_t*)0x20006c64 = 0x20006780; memcpy((void*)0x20006780, 
"\x17\xfa\xd5\x71\xf8\x0f\xec\xd3\x4a\x59\xbc\x03\xf6\xc0\x2b\xbd\x6d\x56\xcd\x8d\x95\x89\x24\xb4\xae\x41\x89\xb8\x8b\x85\x89\x7e\xfd\x4e\x59\x6e\x11\x18\xbb\x0c\x77\x1c\x2c\x5b\xa3\x7d\xed\x06\xd7\x81\x11\x39\x0c\x1c\x80\xcf\x6e\xa9\xdf\x87\x27\xf8\x85\x59\x81\x5e\xd7\x6b\x36\xfa\x13\xfb\x4d\x08\xe1\xcc\xda\xd7\x97\x3b\x5b\xec\x56\x55\xa7\x4a\x67\x1f\xde\x99\xee\x92\x39\x7c\x56\xd4\x09\xda\xdb\x10\xc4\xc3\x7e\xe9\x2c\xb4\x1d\x03\xae\x6f\xb1\x64\xe7\xf8\x69\x85\x03\x91\x28\xd3\x8b\xe8\x3b\x5e\x16\xc3\x5e\xe3\x4e\xb2\xb8\x39\x6c\x53\x48\x02\x87\x81\xa0\xa8\x79\xf8\x81\x59\x74\x0a\xb8\x97\x05\xd6\x37\xbe\xda\xfa\x91\x5f\x19\x5a\x15\x25\x97\xfa\x0d\x7d\xa9\xb7\x64\x76\x60\x2c\x6e\xee\xfc\xa1\xe8\x0a\x6d\x3d\x0e\xd1\xa7\x5b\x00\xf7\xa5\xe1\x53\xdd\x85\x1e\x23\x01\xc8\xda\xa7\xd4\x9b\x4a\xd9\x1c\x62\xd1\xa6\x96\x7f\x54\xcf\x96\x21\xc2\x40\xed\x58\x71\x92\xf6\x99\x59\xe0\x54\x07\x85\x0c\xe3\x83\x1c\x4e\x81\x1e\x6f\xff\x1c\xdf\x93\xcf\xab\xde\x88\x73\x58\x31\x68\x81\x84\x53\x56\xd7", 247); *(uint32_t*)0x20006c68 = 0xf7; *(uint32_t*)0x20006c6c = 0x26; *(uint32_t*)0x20006c70 = 0x20006880; memcpy((void*)0x20006880, "\xc2\x86\x96\x8e\x22\x38\x74\x2a\x47\xe0\xe8\xd4\x44\xa6\xa6\x61\xb7\x70\x82\x22\xf4\xed\xda\xb9\x7a\x74\x9d\xce\xbe\x2c\xc8\x3a\x31\x4b\x82\x87\x95\xf9\x15\xa3\x6d\x87\x3b\x71\x4a\xef\x15\xdd\xb1\xb4\xf6\x2f\x06\x80\x0b\xbe\x85\xea\xeb\xcb\x76\xab\xe9\x44\x71\x92\x49\xee\x79\x27\xc8\x8e\x78\xa9\x68\xe9\x3f\x45\xc5\x20\x13\xef\x97\xef\x6f\x98\x9b\x1d\x1c\xd3\x0f\xff\x88\x67\x79\x62\xc8\xf3\x05\x2a\xd0\xa4\x63\x1e\x4e\x75\x0b\xa8\x0f\x37\x53\x91\x6c\x2d\xff\xc6\xa4\x02\x3c\xdb\x62\xa1\xb5\xf2\xaf\xbb\x96\x5b\x2f\x78\xc5\xdd\x47\xaf\x90\xb0\x02\xda\x1a\x26\xa2\x4f\xcb\x99\xbf\x81\xfb\x29\x57\x4a\x2f\x98\x10\x7a\x79\x37\x63\x98\x73\xb9\x5f\x4a\x56\x9a\x04\x06\xcc\x35\x8b\x46\xef\xae\x58\x7e\x90\x08\xbe\x69\xd7\x11\xae\x20\x2c\x22\xe2\x9a\x2f\x61\x5f\xd2\x3d\xcf", 192); *(uint32_t*)0x20006c74 = 0xc0; *(uint32_t*)0x20006c78 = 0; *(uint32_t*)0x20006c7c = 0x20006940; 
memcpy((void*)0x20006940, "\x97\xfc\x4d\xd9\xdb\x67\x3e\x16\xfd\x0f\x0e\xb9\xa4\xa2\x6e\x2a\x49\xf4\x2e\x16\x16\x19\x0b\x06\x34\xdf\xd6\x13\x51\x45\xf4\xe4\x51\xbb\xba\xd5\x6d\xad\xf2\x66\x96\x4e\xba\x7d\x10\x07\xc0\xa2\x3f\x8c\xf0\x3d\x4f\x8f\xe0\x9a\x79\x89\x15\x2b\x7c\xf2\xec\x30\xf2\x69\x3a\x06\xbe\xfd\xf0\x23\xd7\x9f\x48\xc2\x08\xd7\x42\xc7\xb7\x59\x15\xbc\xc1\xbe\x58\x35\x17\xce\xd3\xb8\x26\xb9\x70\x75\xe6\x2a\x8e\xd1\x2d\xbb\x26\x48\x07\xc6\xff\xd0\x22\x76\x14\x49\x1f\xb9\xde\x0d\x8a\x92\x5a\x26\x38\xc3\x16\x08\xde\x40\x5b\xbf\x79\xe9\x6f\x17\x1f\xd5\x83\x38\xb1\xd6\x97\x9d\x33\xa7\xda\xe8\xad\x62\xf2\xba\x53\xfe\xfc\x3c", 152); *(uint32_t*)0x20006c80 = 0x98; *(uint32_t*)0x20006c84 = 0x20; *(uint32_t*)0x20006c88 = 0x20006a00; memcpy((void*)0x20006a00, "\x77\xd8\xd6\x06\xbf\xb4\x24\xe7\xb9\x95\x80\x9a\xb4\xf5\x59\x11\x5f\xd8\x2e\x97\x2d\x98\xb6\x51\xdf\xc6\x9b\x10\xdf\x60\x0f\xb4\xf7\x8e\xfd\x58\x6f\x9c\xc2\x6e\xdc\x41\xb1\xd2\xfa\xc8\x7e\xfe\x59\xe2\x62\x41\x1f\x27\xa9\x4c\xf7\x96\xed\x31\x23\x6b\x45\x7c\xa0\xf1\x47\x53\x0e\xfb\xd4\xcf\xa6\xb6\xa0\xfe\xe4\x6c\x25\xab\xcf\x7a\xd8\x28\x2a\xae\x52\x99\xe2\x99\x79\x9c\xd5\x2d\x0a\x58\xd7\xff\x9d\xdd\xd0\x10\x37\x24\xc8\x8d\xa9\x2d\xbe\xfa\xb6\x24\x80\x38\xab\xef\x9e\xc5\x22\x64\xaf\xc7\x48\x25\xf7\xea\x70\xb2\xca\x95\xd6\x90\x0f\x9b\x64\x7a\x3f\x98\x6e\x18\x28\x7c\xb2\xbf\x4b\x4c\x19\xef\xc8\xc2\x18\xfd\x90\x5c\x37\x27\xc8\x6c\x37\x02\x6b\xfb\xde\x3a\xf0\x78\xeb\x07\xb7\x98\xe6\xd3\xd8\xf2\xe4\xd5\xd3\xbc\x18\x8c\xdd\x20\xf2\xeb\xb1\x46\x1c\x5e\x53\xb0\x5f\x29\x89\xff\xac\x3b\x16\x8d\xee\x56\xda\x0f\xc0\x11\x97\x4c\x66\x0e\x40\x0a\xe2\xd8\xb2\xc8\x0a\xcb\x23\x15\x81\xee\x91\x76\x31\x29\xb2\x88\x8a\xeb\x12", 229); *(uint32_t*)0x20006c8c = 0xe5; *(uint32_t*)0x20006c90 = 0x800; *(uint32_t*)0x20006c94 = 0x20006b00; memcpy((void*)0x20006b00, "\x56\x0c\x1b\xea\x71\xb0\xf9\x72\x44\xfa\x38\x6d\x26\xbf\x6b\x1b\x04\x30\x8e\x4b\xc7\xff\xfa", 23); *(uint32_t*)0x20006c98 = 0x17; *(uint32_t*)0x20006c9c = 0x80000001; 
*(uint32_t*)0x20006ca0 = 0x20006b40; memcpy((void*)0x20006b40, "\x14\xe5\x5a\x14\xa7\x95\x33\x87\xee\x55\x33\x3c\x1d\x16\x94\xca\x98\xc7\x99\x9b\x49\x78\x86\x42\x76\x68\x05\xd6\xf5\xa2\x90\xeb\x1e\x95\x9e\xe3\x5a\x74\x04\x59\xe1\x33\x00\x26\x2f\x2a\xf9\xc3\x57\xf7\xa8\xc1\xcb\xa1\x87\xe4\x48\xbc\x3c\x8f\x86\x5c\xc9\xbe\x88\x62\x4f\xb0\xf0\xd0\xbb\x88\x5d\x9c\xc2\xab\xe1\x71\xa2\x47\x8a\x74\x20\xdb\x22\xe8\x60\x7e\x3f\xbe\xc7\xe2\x60\x1d\x9e\x11\x08\x6c\xfa\x8c\xf1\x4d\x99\x67\x6b\x67\x9d\x8d\x6b\xf1\xdd\x4f\xaa\xb8\xfe\x9a\x5f\x4e\x3f\x69\x5f\xe2\xe6\xab\xf0\x9f\x70\x26\x83\x80\x2d\x44\xcc\x3a\x29\x82\x55\xc4\xc5\x95\x33\x73\x1f\xf5\xb2\x3e\x05\x3a\xfb\x71\x6d\x58\xca\xd6\x67\x68\x6e\xe6\x47\xf4\x8e\x19\x9c\x9b\x5c\x3d\x0d\x2d\x47\x0f\x2c\xe1\xc5\xb8\xb5\x70\x8a\xe0\x23\xad\x98\x80\xca\xf3\x1d\x01\xf9\x6a\xeb\xbf\xcc\x7d\xf9\x53\x58\xa0\x16\xc5\x47\x1c\xc2\xce\x2c\xed\x61\x05\x05\x7c\x9d\x22\xc8\x16\x78\x90\xca\x19", 216); *(uint32_t*)0x20006ca4 = 0xd8; *(uint32_t*)0x20006ca8 = 0x400; syz_read_part_table(9, 9, 0x20006c40); break; case 40: *(uint8_t*)0x20006cc0 = 0x12; *(uint8_t*)0x20006cc1 = 1; *(uint16_t*)0x20006cc2 = 0x200; *(uint8_t*)0x20006cc4 = 0x62; *(uint8_t*)0x20006cc5 = 0xa5; *(uint8_t*)0x20006cc6 = 0xbe; *(uint8_t*)0x20006cc7 = 0x10; *(uint16_t*)0x20006cc8 = 0x2833; *(uint16_t*)0x20006cca = 0x211; *(uint16_t*)0x20006ccc = 0x37a4; *(uint8_t*)0x20006cce = 1; *(uint8_t*)0x20006ccf = 2; *(uint8_t*)0x20006cd0 = 3; *(uint8_t*)0x20006cd1 = 1; *(uint8_t*)0x20006cd2 = 9; *(uint8_t*)0x20006cd3 = 2; *(uint16_t*)0x20006cd4 = 0x6b4; *(uint8_t*)0x20006cd6 = 1; *(uint8_t*)0x20006cd7 = 0x20; *(uint8_t*)0x20006cd8 = 0; *(uint8_t*)0x20006cd9 = 0xa0; *(uint8_t*)0x20006cda = 1; *(uint8_t*)0x20006cdb = 9; *(uint8_t*)0x20006cdc = 4; *(uint8_t*)0x20006cdd = 0xdf; *(uint8_t*)0x20006cde = 0; *(uint8_t*)0x20006cdf = 0x10; *(uint8_t*)0x20006ce0 = -1; *(uint8_t*)0x20006ce1 = 1; *(uint8_t*)0x20006ce2 = 0; *(uint8_t*)0x20006ce3 = 5; *(uint8_t*)0x20006ce4 = 7; *(uint8_t*)0x20006ce5 = 
0x24; *(uint8_t*)0x20006ce6 = 1; *(uint8_t*)0x20006ce7 = 1; *(uint8_t*)0x20006ce8 = 1; *(uint16_t*)0x20006ce9 = 1; *(uint8_t*)0x20006ceb = 9; *(uint8_t*)0x20006cec = 0x24; *(uint8_t*)0x20006ced = 6; *(uint8_t*)0x20006cee = 0; *(uint8_t*)0x20006cef = 0; memcpy((void*)0x20006cf0, "\xfd\x50\x65\x08", 4); *(uint8_t*)0x20006cf4 = 5; *(uint8_t*)0x20006cf5 = 0x24; *(uint8_t*)0x20006cf6 = 0; *(uint16_t*)0x20006cf7 = 3; *(uint8_t*)0x20006cf9 = 0xd; *(uint8_t*)0x20006cfa = 0x24; *(uint8_t*)0x20006cfb = 0xf; *(uint8_t*)0x20006cfc = 1; *(uint32_t*)0x20006cfd = 0x40000000; *(uint16_t*)0x20006d01 = 8; *(uint16_t*)0x20006d03 = 0x4cc5; *(uint8_t*)0x20006d05 = 0x7f; *(uint8_t*)0x20006d06 = 7; *(uint8_t*)0x20006d07 = 0x24; *(uint8_t*)0x20006d08 = 0xa; *(uint8_t*)0x20006d09 = 8; *(uint8_t*)0x20006d0a = 0x3f; *(uint8_t*)0x20006d0b = 0; *(uint8_t*)0x20006d0c = 0x81; *(uint8_t*)0x20006d0d = 0x10; *(uint8_t*)0x20006d0e = 0x24; *(uint8_t*)0x20006d0f = 7; *(uint8_t*)0x20006d10 = 0x80; *(uint16_t*)0x20006d11 = 5; *(uint16_t*)0x20006d13 = 0x44; *(uint16_t*)0x20006d15 = 2; *(uint16_t*)0x20006d17 = 0x800; *(uint16_t*)0x20006d19 = 0x101; *(uint16_t*)0x20006d1b = 4; *(uint8_t*)0x20006d1d = 4; *(uint8_t*)0x20006d1e = 0x24; *(uint8_t*)0x20006d1f = 2; *(uint8_t*)0x20006d20 = 4; *(uint8_t*)0x20006d21 = 8; *(uint8_t*)0x20006d22 = 0x24; *(uint8_t*)0x20006d23 = 0x1c; *(uint16_t*)0x20006d24 = 0; *(uint8_t*)0x20006d26 = 0xc0; *(uint16_t*)0x20006d27 = 0x5325; *(uint8_t*)0x20006d29 = 6; *(uint8_t*)0x20006d2a = 0x24; *(uint8_t*)0x20006d2b = 0x1a; *(uint16_t*)0x20006d2c = 0x7f; *(uint8_t*)0x20006d2e = 0; *(uint8_t*)0x20006d2f = 9; *(uint8_t*)0x20006d30 = 5; *(uint8_t*)0x20006d31 = 5; *(uint8_t*)0x20006d32 = 0; *(uint16_t*)0x20006d33 = 0xb5a2; *(uint8_t*)0x20006d35 = 6; *(uint8_t*)0x20006d36 = 0; *(uint8_t*)0x20006d37 = 5; *(uint8_t*)0x20006d38 = 7; *(uint8_t*)0x20006d39 = 0x25; *(uint8_t*)0x20006d3a = 1; *(uint8_t*)0x20006d3b = 0x82; *(uint8_t*)0x20006d3c = 0xe9; *(uint16_t*)0x20006d3d = 0xf000; 
*(uint8_t*)0x20006d3f = 9; *(uint8_t*)0x20006d40 = 5; *(uint8_t*)0x20006d41 = 0xe; *(uint8_t*)0x20006d42 = 2; *(uint16_t*)0x20006d43 = 0x200; *(uint8_t*)0x20006d45 = 8; *(uint8_t*)0x20006d46 = 7; *(uint8_t*)0x20006d47 = 0x40; *(uint8_t*)0x20006d48 = 9; *(uint8_t*)0x20006d49 = 5; *(uint8_t*)0x20006d4a = 0; *(uint8_t*)0x20006d4b = 0x7e; *(uint16_t*)0x20006d4c = 0x200; *(uint8_t*)0x20006d4e = 8; *(uint8_t*)0x20006d4f = 3; *(uint8_t*)0x20006d50 = 1; *(uint8_t*)0x20006d51 = 0x9b; *(uint8_t*)0x20006d52 = 0x21; memcpy((void*)0x20006d53, "\xf2\xef\x0a\x5c\x06\x9c\xdb\x31\x91\x38\xe1\x85\x06\x1d\x7e\x19\x6a\xe9\x4e\x53\x5d\x80\xf2\x76\x66\xfb\xa2\x3b\x37\x43\x25\xf1\x5d\xc5\xf2\x08\x12\xfe\x05\xb0\x62\x0f\x6f\xfc\xb8\x10\x03\xb1\xf3\x9c\x5d\xcd\x1b\xff\x14\xe2\xbb\xeb\x38\x73\x35\xa3\x53\x4f\x5a\xdb\x60\xff\xc4\xf2\x85\x95\xc8\xf9\x92\xf7\x7f\xd5\xf6\x7a\x04\x84\x2b\x9c\x43\x64\xe3\x55\x6b\xe9\xba\xcb\x8f\xd5\x6e\xd7\x78\x59\x29\x11\x53\xf6\xc5\x66\x02\x63\x63\xbf\xa5\xf2\xe6\xff\x2f\xa6\xd2\x93\x17\xf2\xd5\x62\x44\x53\x64\x93\x99\x15\xa7\x5d\xd7\x36\x5f\x6a\xb9\xc1\x5d\xdb\xc7\xc3\xa4\x5f\x7e\xb9\x8f\xd1\xfe\xa3\x55\x1b\xbd\x46\xf2\x0a\x87", 153); *(uint8_t*)0x20006dec = 9; *(uint8_t*)0x20006ded = 5; *(uint8_t*)0x20006dee = 0x80; *(uint8_t*)0x20006def = 1; *(uint16_t*)0x20006df0 = 0x3ff; *(uint8_t*)0x20006df2 = 1; *(uint8_t*)0x20006df3 = 0x20; *(uint8_t*)0x20006df4 = 0xef; *(uint8_t*)0x20006df5 = 0xec; *(uint8_t*)0x20006df6 = 6; memcpy((void*)0x20006df7, 
"\xf6\x42\x24\x6a\x53\x72\x99\x1d\xb9\x7e\x58\x24\xa4\x10\xe2\x83\x00\xd3\xbd\x15\x36\x38\xf6\xda\xc6\xe1\x18\x9a\x0c\x56\x0a\x0a\x0e\x5f\x8b\x15\xe0\x78\x79\xac\x95\x01\x65\x15\x20\x26\x46\xa7\xb5\xb5\xfc\x74\xb7\xcd\x40\xd5\x15\xb2\x84\x9d\x8c\x1d\xd9\xae\x4f\xca\x16\xc2\xe6\xcf\x0e\x8a\x20\xce\x54\xf0\x5f\xa1\x23\xc0\x19\x20\x8c\xb3\x4b\x5e\xe5\x61\xc2\x74\xea\x40\xa7\xb3\x4e\x58\x13\xa4\xa2\x9b\xe4\x08\x17\xeb\x1f\x7b\x3e\x9b\xef\x60\xf7\xc5\x66\x57\x48\x12\x36\xb9\x3e\x2c\x29\x7f\x17\xc7\x76\xb9\x8f\x1d\x0c\x8f\x2a\x56\x44\x77\x66\xc7\x28\x8b\xa6\xb1\xe3\x85\xb8\x4a\x51\x6a\x98\xab\x72\x9b\xa7\x0e\x31\xfe\xe3\xaa\xb1\x01\xd5\x90\xa4\x48\x1a\xe5\x85\x63\x26\xc6\x82\x5b\x73\xc7\xae\x7d\x3b\x99\xcb\x3c\x59\xdb\x31\xa1\x27\x26\x23\x4b\x90\x05\x84\xe8\xdb\x77\x93\x52\x18\x8d\x12\xc9\x32\xd4\xaa\xcb\x59\xee\xf3\x3d\x33\xb9\x55\x05\x10\xcf\x2b\x49\xda\x74\x7e\x03\x1c\x83\x11\x7b\x51\x1a\x1b\xb9\x3e\xd7\x6c\x71\x6e\x6a\x02\x54", 234); *(uint8_t*)0x20006ee1 = 7; *(uint8_t*)0x20006ee2 = 0x25; *(uint8_t*)0x20006ee3 = 1; *(uint8_t*)0x20006ee4 = 0; *(uint8_t*)0x20006ee5 = 6; *(uint16_t*)0x20006ee6 = 0x40; *(uint8_t*)0x20006ee8 = 9; *(uint8_t*)0x20006ee9 = 5; *(uint8_t*)0x20006eea = 1; *(uint8_t*)0x20006eeb = 0; *(uint16_t*)0x20006eec = 0x100; *(uint8_t*)0x20006eee = 0xfe; *(uint8_t*)0x20006eef = 8; *(uint8_t*)0x20006ef0 = 0x37; *(uint8_t*)0x20006ef1 = 0xe9; *(uint8_t*)0x20006ef2 = 0x23; memcpy((void*)0x20006ef3, 
"\x1a\x0e\x35\x42\x85\x7d\x49\xea\x63\xb7\x26\x1e\xbf\xc1\x9f\x14\x27\x2e\x28\x4d\x26\x65\xd2\x79\x5e\x43\xf6\xf9\xca\x62\x77\x6c\x9e\xe5\x2d\x99\x18\x79\xd7\xd6\x7b\x4d\x8b\x27\x0f\xd5\x15\x98\xbe\xac\x1c\x03\x39\xb2\x25\x7a\xd6\x8c\x1d\xde\x54\x88\x5a\xe2\xd2\x19\xb8\x7c\xde\x15\x9a\x98\x97\xc8\x8b\xda\x26\xe0\x8a\x36\x91\x05\x50\x22\x73\x9c\x1f\xe6\x4a\xdb\x98\x63\x9d\xc2\x54\x21\xc4\x49\xcf\x36\x48\x00\xc4\xc3\x65\x06\x2f\x24\x88\xe6\x90\x1e\x56\xe6\x2f\x4b\x70\x3e\xae\x7a\xf2\x62\x98\xa1\xee\xe1\xbf\xe6\x2d\x9b\x2a\xe3\x53\x20\xae\x2b\xaf\x17\x4e\x94\xff\x55\x32\x10\x97\xbe\x81\xe0\x27\x9f\x5d\x0a\xa8\x4d\xd1\x8c\xa0\x86\x4d\x98\xd0\xed\xbb\xea\xa1\x9d\xdf\x36\x26\xfd\x83\xa2\xe2\xb5\xf6\x76\xa7\x34\xd4\x78\x4b\x3c\x68\x77\xfd\x1b\xb3\xc9\x54\x3d\xf7\xab\xda\x9b\xd9\xc9\xbe\x40\x59\x49\x74\x7e\x21\x07\x3c\x18\x95\x7f\xff\x0e\xaa\xc0\x27\x3c\xfd\x3f\x70\x2c\xb6\x55\x97\x94\x9a\x17\x27\x26\xf7\xe4\x59\x53\x6c", 231); *(uint8_t*)0x20006fda = 0x18; *(uint8_t*)0x20006fdb = 0x10; memcpy((void*)0x20006fdc, "\xa0\x28\x90\x17\xf3\xf4\x33\xf1\x10\x59\x48\x9a\x61\x11\x58\x23\xe1\x13\x8a\xe8\x4a\x34", 22); *(uint8_t*)0x20006ff2 = 9; *(uint8_t*)0x20006ff3 = 5; *(uint8_t*)0x20006ff4 = 0xe; *(uint8_t*)0x20006ff5 = 4; *(uint16_t*)0x20006ff6 = 0x10; *(uint8_t*)0x20006ff8 = 0x67; *(uint8_t*)0x20006ff9 = 3; *(uint8_t*)0x20006ffa = 8; *(uint8_t*)0x20006ffb = 7; *(uint8_t*)0x20006ffc = 0x25; *(uint8_t*)0x20006ffd = 1; *(uint8_t*)0x20006ffe = 1; *(uint8_t*)0x20006fff = 0x80; *(uint16_t*)0x20007000 = 0x2e6; *(uint8_t*)0x20007002 = 9; *(uint8_t*)0x20007003 = 5; *(uint8_t*)0x20007004 = 0xd; *(uint8_t*)0x20007005 = 4; *(uint16_t*)0x20007006 = 0x200; *(uint8_t*)0x20007008 = 0x48; *(uint8_t*)0x20007009 = 0x35; *(uint8_t*)0x2000700a = 8; *(uint8_t*)0x2000700b = 0xe5; *(uint8_t*)0x2000700c = 5; memcpy((void*)0x2000700d, 
"\x30\xef\xe9\xc1\xa6\xe5\xc8\x9c\x20\x31\x21\x4c\x60\xfb\xbe\xaa\x45\x78\x09\x1e\x38\x00\x9c\x76\x1d\x15\x77\x48\x02\x93\x4c\xfd\x36\x35\x5b\x35\x18\xcc\xfe\x59\xfa\x5e\x7c\xce\xe3\xc1\x3a\xc4\xaf\xfb\xe0\x73\xe0\xe7\x88\xc9\xb5\xe3\x22\x16\xef\xbf\x02\xe3\x58\x69\xd7\xb2\x33\xa3\x89\xf8\x12\xbf\xd8\x49\x43\x3c\x32\x84\x66\xed\xa5\xe0\xe3\x23\x75\x29\xcd\xc6\x5e\x4e\xee\x74\x3d\x31\xff\xc1\x86\xa1\xfe\x79\x4b\xdf\x13\x64\xf3\x1e\xae\xff\x39\x82\x9e\x8f\x61\x44\x85\x0d\x74\x70\xcc\x71\x57\x2d\x1f\x2f\x23\xdc\xcd\xbc\xdd\x99\xe4\x93\x0d\xe7\xed\xbf\x59\xb3\x38\xdb\x34\x90\x30\x5f\xd7\x71\x02\x57\x98\x0b\x7f\x76\xb8\xda\xea\xcb\x2a\xd6\x18\x13\x1f\xb9\xb5\xa3\xe0\x26\xc9\xdd\xbd\x69\x48\x3c\xd7\x94\xca\xad\x29\xf2\xe3\xb6\x31\x24\xa9\x52\xb4\x62\xde\x0c\xd9\x51\xd7\xef\xd9\xb3\xb2\x91\x07\xb6\x41\x41\x7e\x77\x83\xd9\x01\x59\x13\x7f\xa5\x27\x3a\x95\xe0\xcc\x46\xc9\x7c\x22\x46\xe6\x11\xac\xb1\x4b\x4d", 227); *(uint8_t*)0x200070f0 = 9; *(uint8_t*)0x200070f1 = 5; *(uint8_t*)0x200070f2 = 3; *(uint8_t*)0x200070f3 = 0x10; *(uint16_t*)0x200070f4 = 8; *(uint8_t*)0x200070f6 = 0; *(uint8_t*)0x200070f7 = 0x33; *(uint8_t*)0x200070f8 = 9; *(uint8_t*)0x200070f9 = 9; *(uint8_t*)0x200070fa = 5; *(uint8_t*)0x200070fb = 2; *(uint8_t*)0x200070fc = 0xc; *(uint16_t*)0x200070fd = 0x400; *(uint8_t*)0x200070ff = 0xed; *(uint8_t*)0x20007100 = 7; *(uint8_t*)0x20007101 = 9; *(uint8_t*)0x20007102 = 0x84; *(uint8_t*)0x20007103 = 0x31; memcpy((void*)0x20007104, "\xee\x4c\xd2\x19\x15\x4d\xf4\x91\xc4\xd3\x2a\xa3\x21\x12\xcf\xf4\x07\x51\x1b\x06\xb1\x7f\x74\x34\x09\xec\xc2\x16\xc3\x1e\x92\xce\xfa\x2b\x5c\xc5\x9e\x63\x4d\x7a\xeb\xa2\xc9\xe5\xe3\x6d\x8e\xfa\xdc\x02\x55\x17\x25\x18\xf9\x09\xb4\xe1\xa7\xda\xf4\xd9\x88\xb1\xee\xaf\x19\x6c\x76\xee\x90\x2b\x65\x7d\x12\xfc\x23\xc2\x1e\x17\x6c\xd1\x49\xe9\x8a\x8d\x8d\x57\x55\xb7\x4f\xed\x1a\x42\x84\xbc\xfd\x6e\x69\x61\x95\x1f\xf8\x21\x6f\x7b\xb4\x2f\x79\x0e\xdd\x53\x9c\x1b\xc5\xbb\xac\x44\xf7\x67\xa6\x85\xc5\x7c\xbb\xde\xc8\x30\xc5\x2c", 130); 
*(uint8_t*)0x20007186 = 7; *(uint8_t*)0x20007187 = 0x25; *(uint8_t*)0x20007188 = 1; *(uint8_t*)0x20007189 = 0x83; *(uint8_t*)0x2000718a = 1; *(uint16_t*)0x2000718b = 0xfe01; *(uint8_t*)0x2000718d = 9; *(uint8_t*)0x2000718e = 5; *(uint8_t*)0x2000718f = 3; *(uint8_t*)0x20007190 = 0; *(uint16_t*)0x20007191 = 0x40; *(uint8_t*)0x20007193 = 2; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 9; *(uint8_t*)0x20007197 = 5; *(uint8_t*)0x20007198 = 0; *(uint8_t*)0x20007199 = 0; *(uint16_t*)0x2000719a = 0x400; *(uint8_t*)0x2000719c = 0; *(uint8_t*)0x2000719d = 0x2f; *(uint8_t*)0x2000719e = 4; *(uint8_t*)0x2000719f = 9; *(uint8_t*)0x200071a0 = 5; *(uint8_t*)0x200071a1 = 0x8f; *(uint8_t*)0x200071a2 = 8; *(uint16_t*)0x200071a3 = 8; *(uint8_t*)0x200071a5 = 0x81; *(uint8_t*)0x200071a6 = 1; *(uint8_t*)0x200071a7 = 0x7f; *(uint8_t*)0x200071a8 = 7; *(uint8_t*)0x200071a9 = 0x25; *(uint8_t*)0x200071aa = 1; *(uint8_t*)0x200071ab = 0; *(uint8_t*)0x200071ac = 9; *(uint16_t*)0x200071ad = 0xfb; *(uint8_t*)0x200071af = 7; *(uint8_t*)0x200071b0 = 0x25; *(uint8_t*)0x200071b1 = 1; *(uint8_t*)0x200071b2 = 0x81; *(uint8_t*)0x200071b3 = 7; *(uint16_t*)0x200071b4 = 3; *(uint8_t*)0x200071b6 = 9; *(uint8_t*)0x200071b7 = 5; *(uint8_t*)0x200071b8 = 2; *(uint8_t*)0x200071b9 = 0; *(uint16_t*)0x200071ba = 0x400; *(uint8_t*)0x200071bc = 0x40; *(uint8_t*)0x200071bd = 0x76; *(uint8_t*)0x200071be = 3; *(uint8_t*)0x200071bf = 7; *(uint8_t*)0x200071c0 = 0x25; *(uint8_t*)0x200071c1 = 1; *(uint8_t*)0x200071c2 = 0x80; *(uint8_t*)0x200071c3 = 0x31; *(uint16_t*)0x200071c4 = 8; *(uint8_t*)0x200071c6 = 9; *(uint8_t*)0x200071c7 = 5; *(uint8_t*)0x200071c8 = 0xf; *(uint8_t*)0x200071c9 = 0x10; *(uint16_t*)0x200071ca = 0x3ff; *(uint8_t*)0x200071cc = 6; *(uint8_t*)0x200071cd = 0xb2; *(uint8_t*)0x200071ce = 6; *(uint8_t*)0x200071cf = 7; *(uint8_t*)0x200071d0 = 0x25; *(uint8_t*)0x200071d1 = 1; *(uint8_t*)0x200071d2 = 0x82; *(uint8_t*)0x200071d3 = 0x80; *(uint16_t*)0x200071d4 = 6; 
*(uint8_t*)0x200071d6 = 9; *(uint8_t*)0x200071d7 = 5; *(uint8_t*)0x200071d8 = 0xf; *(uint8_t*)0x200071d9 = 0x10; *(uint16_t*)0x200071da = 0x200; *(uint8_t*)0x200071dc = 6; *(uint8_t*)0x200071dd = 6; *(uint8_t*)0x200071de = 0xca; *(uint8_t*)0x200071df = 7; *(uint8_t*)0x200071e0 = 0x25; *(uint8_t*)0x200071e1 = 1; *(uint8_t*)0x200071e2 = 0x81; *(uint8_t*)0x200071e3 = 0x20; *(uint16_t*)0x200071e4 = 3; *(uint8_t*)0x200071e6 = 9; *(uint8_t*)0x200071e7 = 5; *(uint8_t*)0x200071e8 = 0x80; *(uint8_t*)0x200071e9 = 0x10; *(uint16_t*)0x200071ea = 0x400; *(uint8_t*)0x200071ec = 1; *(uint8_t*)0x200071ed = 0xfc; *(uint8_t*)0x200071ee = 4; *(uint8_t*)0x200071ef = 0xd4; *(uint8_t*)0x200071f0 = 0x21; memcpy((void*)0x200071f1, "\x28\xa1\xdf\xa1\xd2\x8f\x9a\xe6\x0d\x0a\x8e\x9e\x3c\x51\x2d\xb3\x53\x69\xd4\x79\xfa\x6e\x6a\xa0\x99\xe2\x67\xe1\xce\xd7\x7c\xa2\xe1\x80\xb4\x29\x77\x90\x23\xa8\x72\xb0\xef\x88\x07\xe1\x1f\x8b\x8b\x21\xb8\x11\xd4\xfe\x55\x27\x33\x5c\xe8\x6e\x3a\x95\xcd\xf9\x60\xd1\xe7\x9e\x88\xc2\x76\xc1\x74\xd1\x83\xd2\xf3\xbc\x08\x62\xdd\x7e\x1d\x29\xac\x58\x9c\xeb\x22\x02\x4e\x25\xa4\x4c\x3e\x81\x23\x58\x1d\x14\x48\xfd\x2d\xb5\x33\x2f\xe4\x1c\x23\xf9\xaa\x95\x95\x64\xf3\x2d\xb1\xda\x14\x61\x04\x15\xdd\xc2\x93\xdc\x57\xc9\xd6\xc7\x75\xd2\x21\x51\xbd\xab\x23\x6a\x5a\x73\x59\x2e\x55\x18\x05\x57\x28\xae\x81\x9e\x25\xc0\x80\xcb\xb9\xbf\x02\x03\xb6\x63\x9b\x8f\xd8\xd7\x16\xd9\xc5\x71\xd6\xb2\x60\xea\x29\x77\x33\xd5\x3c\x3a\x05\x44\x9b\x9b\x92\x21\xd0\xf4\x02\x61\x0c\x98\x37\x18\x9f\x9c\x6a\xb3\xba\xaf\x03\x1d\x48\x69\x26\x90\xc9\x98\x1c\xee\x14\x26", 210); *(uint8_t*)0x200072c3 = 0xc3; *(uint8_t*)0x200072c4 = 6; memcpy((void*)0x200072c5, 
"\x60\xed\x98\x57\x6f\xbb\xbe\xe3\xdb\x67\xd5\x35\xea\x7e\x1a\x19\xd9\x2d\x68\x9e\x2f\x03\x30\x8a\x61\x5a\x56\x41\xe7\x2e\x69\x4d\x99\x6f\x76\xc1\x11\x1c\x88\xc5\x07\xc3\x9a\x87\xf3\x4a\x36\x82\xda\xfb\xfe\x58\x3b\x79\xf5\xb9\x50\xa3\x06\x14\x16\x2c\x60\x5f\x7e\x6c\x5d\x45\x2b\x4f\x84\xa1\x45\xf2\x0b\xf4\x47\x0d\xdf\x43\xf0\x6c\x41\x5d\xc6\xc4\x15\x51\xfd\x45\x8b\xa6\xae\xdf\x57\xd7\x4c\xb8\x5a\x25\xe4\x33\x24\x81\x4b\x62\xc3\xbe\x41\x08\xb1\xea\x5b\x9d\xd2\x2a\x78\xa4\x5c\xdf\x5d\x8f\x27\xc1\x1f\x35\x02\x6b\xf7\xef\x10\xc7\xd1\xf0\x61\x5f\xe1\xc4\x4a\x30\x2a\x84\xd8\x8b\x8d\x6c\x2d\x85\x04\x9c\x9f\x48\xa0\x4b\x4e\x61\x80\x1c\x01\x7f\x60\x9b\x67\x3f\xc8\x29\x0f\x73\x62\xa0\xed\x35\x88\x2a\x33\x5b\x65\x7f\x83\x5f\xce\x8e\x20\x10\x0c\xde\x82\xc1\xa3\xdc\x18\x06\x11", 193); *(uint32_t*)0x20007740 = 0xa; *(uint32_t*)0x20007744 = 0x200073c0; *(uint8_t*)0x200073c0 = 0xa; *(uint8_t*)0x200073c1 = 6; *(uint16_t*)0x200073c2 = 0x310; *(uint8_t*)0x200073c4 = 5; *(uint8_t*)0x200073c5 = 0x80; *(uint8_t*)0x200073c6 = -1; *(uint8_t*)0x200073c7 = 0xbf; *(uint8_t*)0x200073c8 = 5; *(uint8_t*)0x200073c9 = 0; *(uint32_t*)0x20007748 = 5; *(uint32_t*)0x2000774c = 0x20007400; *(uint8_t*)0x20007400 = 5; *(uint8_t*)0x20007401 = 0xf; *(uint16_t*)0x20007402 = 5; *(uint8_t*)0x20007404 = 0; *(uint32_t*)0x20007750 = 5; *(uint32_t*)0x20007754 = 0xa8; *(uint32_t*)0x20007758 = 0x20007440; *(uint8_t*)0x20007440 = 0xa8; *(uint8_t*)0x20007441 = 3; memcpy((void*)0x20007442, 
"\x05\x84\xbd\xdc\x14\x96\x71\xf9\xe6\xc6\xcd\x12\x3b\x79\x6c\xaf\xe2\xeb\x5d\x2b\xd3\xcf\x65\xe3\xeb\x0f\x3a\x60\x1a\xba\x71\x64\x71\x3d\x40\x42\x65\x3f\x2c\xca\x18\x22\x07\xd4\xe7\xff\xa8\xbc\x71\xe7\x05\xaa\x48\xbc\xff\x03\xfd\xdd\x2e\x3e\x6b\xeb\xe1\x1c\xb6\x1f\x95\xfa\xf1\x4a\xfd\xf2\x94\x40\x02\x1e\x85\x1f\xb6\x82\xaa\x24\xe6\x24\xe8\x33\x95\x2d\xb6\xd1\xf9\x6a\xa7\xed\xfc\x74\xce\x50\x13\x59\x69\x4c\x75\x83\xeb\x5e\x48\xdf\xe2\x27\xd2\x10\x5d\x5e\x3d\x23\x59\xe3\xc7\x28\xa4\x8a\xdf\xf0\x9b\x11\x32\xf9\x28\x89\x3c\xee\xfa\xe6\x77\x00\x98\x3b\xe1\xca\x94\xe8\x18\xe7\xa1\x46\x3c\x80\x2f\x1f\xc2\xa7\x2d\x40\x90\x09\x33\x40\x3d\x7b\x25\x5a\x35\xd9\xdc\x33", 166); *(uint32_t*)0x2000775c = 4; *(uint32_t*)0x20007760 = 0x20007500; *(uint8_t*)0x20007500 = 4; *(uint8_t*)0x20007501 = 3; *(uint16_t*)0x20007502 = 0x42c; *(uint32_t*)0x20007764 = 0xf4; *(uint32_t*)0x20007768 = 0x20007540; *(uint8_t*)0x20007540 = 0xf4; *(uint8_t*)0x20007541 = 3; memcpy((void*)0x20007542, "\x1c\x53\x71\x17\xdc\x72\x0a\xf3\xcc\xf1\x08\x68\x7c\x86\xcb\x54\x4b\xc8\x85\x37\x9e\x43\x5d\xbb\x86\x1b\xc9\xa0\x15\x50\x59\x2e\x60\x08\xae\x94\xa1\xf9\x83\x17\xad\x9c\xd8\x04\x01\x6b\x07\x9b\x5e\xc2\x94\xdc\xaf\x45\x37\xcf\x5b\x68\xc3\xc4\x35\x37\x54\xca\xf3\x69\xba\x34\x10\x1c\xbd\x21\x92\x6b\x15\xce\xf6\x7a\xb6\x3e\xad\x40\xab\xfb\xef\x86\x7b\x37\x2f\xe2\x78\x18\x66\xf8\x7a\x2d\xcc\xf9\x8f\xfe\x66\x53\x1c\x1d\x50\x21\x40\x6c\x69\xce\x84\xb4\x39\x13\x0c\xac\x71\xf5\x25\x64\xb7\xc8\xfa\x62\x1d\x71\xd5\xff\x00\x15\x17\x59\x3f\x05\x9d\xa0\xcb\x82\xf1\xfd\x5e\x32\x7d\xf9\xab\xec\x49\x46\xe3\x4e\x20\xd3\xf1\xdf\x8f\x4a\x04\x22\xf9\xbb\x53\x89\x49\xb4\xa1\x4d\x1b\x3a\xfd\x67\x93\xe8\x1d\x3b\xa5\x96\xd1\x6d\x8c\xee\x0e\x70\x03\x14\xe5\x31\xe6\x02\xfe\x5c\xb8\x32\xb2\x2c\x7a\x2f\x9f\x36\xf3\x9d\x05\x38\x76\x47\x81\x57\xd5\x41\xe8\xc0\x97\x7a\x9a\xca\xf6\x91\xf1\x23\x4f\x66\x5d\x23\x4f\x82\xee\x90\xff\x89\x82\xd9\xc1\x37\x1a\x15\xdd\xc8\xed\x23\x92\xdd\x5a\x96", 242); *(uint32_t*)0x2000776c = 0x98; 
*(uint32_t*)0x20007770 = 0x20007640; *(uint8_t*)0x20007640 = 0x98; *(uint8_t*)0x20007641 = 3; memcpy((void*)0x20007642, "\x07\x8c\xbe\xfd\x67\x79\x6b\x8d\x00\xc6\xa0\x27\xe5\xd0\x7b\xc3\xb0\x07\x56\xac\xaf\xb9\x09\x6e\x3e\x38\x1a\x99\xfd\xbe\x8a\x51\x61\xca\x19\xa9\x62\x8d\x61\xba\xef\xd6\x97\x2b\x48\xf5\xe0\x4b\x0f\xa6\xe2\xb9\x9c\xca\x8d\xf5\xb5\x0d\xbd\x97\xd6\x56\xc0\x2f\x85\x83\xa5\x8c\xe8\xcb\xd3\x5c\x69\xfb\x3f\x86\xde\x0d\xda\xc9\x0f\x5b\xe8\xd4\xf0\x4a\x3a\xd4\xf3\x12\x93\xb5\x09\x95\x91\x39\xbe\xa0\xf3\x06\x7d\x0e\xbf\xa3\xc5\xb2\x10\xe1\x99\x30\x78\xb0\xae\x92\x95\x61\xfc\x77\x34\x86\x9b\x3d\xd8\xd8\x12\xc0\x0a\x30\x35\x23\x61\x66\xa3\x12\x27\xae\x29\x1e\x69\x6a\xb4\xf8\x1f\x4e\x3f\x02\xd6\xb2\xf3\x34", 150); *(uint32_t*)0x20007774 = 4; *(uint32_t*)0x20007778 = 0x20007700; *(uint8_t*)0x20007700 = 4; *(uint8_t*)0x20007701 = 3; *(uint16_t*)0x20007702 = 0x43e; syz_usb_connect(2, 0x6c6, 0x20006cc0, 0x20007740); break; case 41: *(uint8_t*)0x20007780 = 0x12; *(uint8_t*)0x20007781 = 1; *(uint16_t*)0x20007782 = 0x200; *(uint8_t*)0x20007784 = -1; *(uint8_t*)0x20007785 = -1; *(uint8_t*)0x20007786 = -1; *(uint8_t*)0x20007787 = 0x40; *(uint16_t*)0x20007788 = 0xcf3; *(uint16_t*)0x2000778a = 0x9271; *(uint16_t*)0x2000778c = 0x108; *(uint8_t*)0x2000778e = 1; *(uint8_t*)0x2000778f = 2; *(uint8_t*)0x20007790 = 3; *(uint8_t*)0x20007791 = 1; *(uint8_t*)0x20007792 = 9; *(uint8_t*)0x20007793 = 2; *(uint16_t*)0x20007794 = 0x48; *(uint8_t*)0x20007796 = 1; *(uint8_t*)0x20007797 = 1; *(uint8_t*)0x20007798 = 0; *(uint8_t*)0x20007799 = 0x80; *(uint8_t*)0x2000779a = 0xfa; *(uint8_t*)0x2000779b = 9; *(uint8_t*)0x2000779c = 4; *(uint8_t*)0x2000779d = 0; *(uint8_t*)0x2000779e = 0; *(uint8_t*)0x2000779f = 6; *(uint8_t*)0x200077a0 = -1; *(uint8_t*)0x200077a1 = 0; *(uint8_t*)0x200077a2 = 0; *(uint8_t*)0x200077a3 = 0; *(uint8_t*)0x200077a4 = 9; *(uint8_t*)0x200077a5 = 5; *(uint8_t*)0x200077a6 = 1; *(uint8_t*)0x200077a7 = 2; *(uint16_t*)0x200077a8 = 0x200; *(uint8_t*)0x200077aa = 0; 
*(uint8_t*)0x200077ab = 0; *(uint8_t*)0x200077ac = 0; *(uint8_t*)0x200077ad = 9; *(uint8_t*)0x200077ae = 5; *(uint8_t*)0x200077af = 0x82; *(uint8_t*)0x200077b0 = 2; *(uint16_t*)0x200077b1 = 0x200; *(uint8_t*)0x200077b3 = 0; *(uint8_t*)0x200077b4 = 0; *(uint8_t*)0x200077b5 = 0; *(uint8_t*)0x200077b6 = 9; *(uint8_t*)0x200077b7 = 5; *(uint8_t*)0x200077b8 = 0x83; *(uint8_t*)0x200077b9 = 3; *(uint16_t*)0x200077ba = 0x40; *(uint8_t*)0x200077bc = 1; *(uint8_t*)0x200077bd = 0; *(uint8_t*)0x200077be = 0; *(uint8_t*)0x200077bf = 9; *(uint8_t*)0x200077c0 = 5; *(uint8_t*)0x200077c1 = 4; *(uint8_t*)0x200077c2 = 3; *(uint16_t*)0x200077c3 = 0x40; *(uint8_t*)0x200077c5 = 1; *(uint8_t*)0x200077c6 = 0; *(uint8_t*)0x200077c7 = 0; *(uint8_t*)0x200077c8 = 9; *(uint8_t*)0x200077c9 = 5; *(uint8_t*)0x200077ca = 5; *(uint8_t*)0x200077cb = 2; *(uint16_t*)0x200077cc = 0x200; *(uint8_t*)0x200077ce = 0; *(uint8_t*)0x200077cf = 0; *(uint8_t*)0x200077d0 = 0; *(uint8_t*)0x200077d1 = 9; *(uint8_t*)0x200077d2 = 5; *(uint8_t*)0x200077d3 = 6; *(uint8_t*)0x200077d4 = 2; *(uint16_t*)0x200077d5 = 0x200; *(uint8_t*)0x200077d7 = 0; *(uint8_t*)0x200077d8 = 0; *(uint8_t*)0x200077d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007780, 0); if (res != -1) r[22] = res; break; case 42: *(uint32_t*)0x200079c0 = 0x18; *(uint32_t*)0x200079c4 = 0x20007800; *(uint8_t*)0x20007800 = 0x20; *(uint8_t*)0x20007801 = 0x11; *(uint32_t*)0x20007802 = 0xb7; *(uint8_t*)0x20007806 = 0xb7; *(uint8_t*)0x20007807 = 9; memcpy((void*)0x20007808, 
"\x72\xf5\x91\xba\x5c\x69\x4f\x16\xa4\xd9\x20\x75\xef\x3e\xc8\xbc\x46\x92\x09\x54\x79\x9e\xc8\xd3\xc0\x30\x8f\x3b\x47\x79\xda\x6e\x18\xe9\x82\x4a\x86\x74\x6d\x01\x3a\x39\x9a\xfc\x7f\x6f\xce\xb6\xc3\x7f\x7f\x13\x1c\x71\xeb\xc0\x01\xf6\x66\xea\x63\xed\x3a\xde\x13\x20\x09\x73\x5a\x54\x66\x22\xf9\xe6\x39\xd4\x81\xc9\x67\xcc\x7b\x5b\x74\x7c\xc5\xe6\x2f\xdc\x41\xbb\xb4\xbb\x95\x87\x8a\x44\x2c\xc4\x91\x11\xc0\xf5\x78\x86\xf1\x70\x77\xa1\xb4\xb2\x2e\x3c\xf2\x8e\xec\xb7\x98\xfe\xed\x6f\x16\x8d\xd9\xcc\x26\x46\xf8\xb7\x9e\xd4\x1b\xba\x94\xde\x9e\x30\x4f\xc8\x45\x17\x9a\x73\x21\xf0\x47\x84\xaa\x91\x7b\xa0\x84\x05\xb0\xa9\x5b\x83\x03\xd9\x14\xef\x8e\x37\x47\x80\xdd\x8e\x34\x37\xc9\x5c\x35\x76\x4c\xd0\x63\xe7\xa3\xec\x6d\x79\x0b", 181); *(uint32_t*)0x200079c8 = 0x200078c0; *(uint8_t*)0x200078c0 = 0; *(uint8_t*)0x200078c1 = 3; *(uint32_t*)0x200078c2 = 4; *(uint8_t*)0x200078c6 = 4; *(uint8_t*)0x200078c7 = 3; *(uint16_t*)0x200078c8 = 0x813; *(uint32_t*)0x200079cc = 0x20007900; *(uint8_t*)0x20007900 = 0; *(uint8_t*)0x20007901 = 0xf; *(uint32_t*)0x20007902 = 0xc; *(uint8_t*)0x20007906 = 5; *(uint8_t*)0x20007907 = 0xf; *(uint16_t*)0x20007908 = 0xc; *(uint8_t*)0x2000790a = 1; *(uint8_t*)0x2000790b = 7; *(uint8_t*)0x2000790c = 0x10; *(uint8_t*)0x2000790d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000790e, 0x18, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20007910, 3, 0, 16); *(uint32_t*)0x200079d0 = 0x20007940; *(uint8_t*)0x20007940 = 0x20; *(uint8_t*)0x20007941 = 0x29; *(uint32_t*)0x20007942 = 0xf; *(uint8_t*)0x20007946 = 0xf; *(uint8_t*)0x20007947 = 0x29; *(uint8_t*)0x20007948 = 7; *(uint16_t*)0x20007949 = 0x80; *(uint8_t*)0x2000794b = 6; *(uint8_t*)0x2000794c = 0xe0; memcpy((void*)0x2000794d, "\x84\x02\x48\x7c", 4); memcpy((void*)0x20007951, "\x80\x56\xa3\xff", 4); *(uint32_t*)0x200079d4 = 0x20007980; *(uint8_t*)0x20007980 = 0x20; *(uint8_t*)0x20007981 = 0x2a; *(uint32_t*)0x20007982 = 0xc; 
*(uint8_t*)0x20007986 = 0xc; *(uint8_t*)0x20007987 = 0x2a; *(uint8_t*)0x20007988 = 0xa7; *(uint16_t*)0x20007989 = 2; *(uint8_t*)0x2000798b = 0x7d; *(uint8_t*)0x2000798c = 0; *(uint8_t*)0x2000798d = 0x80; *(uint16_t*)0x2000798e = 7; *(uint16_t*)0x20007990 = 6; *(uint32_t*)0x20007e80 = 0x44; *(uint32_t*)0x20007e84 = 0x20007a00; *(uint8_t*)0x20007a00 = 0x40; *(uint8_t*)0x20007a01 = 0x10; *(uint32_t*)0x20007a02 = 0x8c; memcpy((void*)0x20007a06, "\x21\xb8\x38\x25\x05\x9f\x24\x50\x6d\x8e\x84\x20\x85\xd1\xf2\xe7\xf9\x64\x47\x1b\x20\xed\x0a\x8e\x50\xa9\xaa\x4e\xf1\x6b\x5a\x6f\x2d\xbb\x2b\x57\x0a\x4f\x8d\x13\xd6\x0e\x47\xbb\x78\x21\xff\x91\x21\x11\xde\xe4\x0a\x78\xd4\x2b\x4d\x13\xea\x81\x2d\x92\x9c\xcf\x39\x64\xc5\x46\x8f\x89\xd2\xd2\x16\x30\xec\x87\x06\x7a\x2d\x13\xf4\x52\x38\xb4\x46\xbf\x57\xc6\xb9\xec\x35\x57\x8f\xa5\x87\xfc\x77\xfe\x21\x08\xb1\x59\x0b\xe0\x81\x68\x1c\xcc\x02\x4f\x1f\x59\x0b\xe9\xe5\xbe\xc9\xea\x86\xb9\x80\x3c\x60\x29\x9d\xda\x1a\x82\xf8\xff\x04\x42\x86\x71\xa4\x3b\xc2\xc3\x39\x3a", 140); *(uint32_t*)0x20007e88 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0; *(uint8_t*)0x20007ac1 = 0xa; *(uint32_t*)0x20007ac2 = 1; *(uint8_t*)0x20007ac6 = 4; *(uint32_t*)0x20007e8c = 0x20007b00; *(uint8_t*)0x20007b00 = 0; *(uint8_t*)0x20007b01 = 8; *(uint32_t*)0x20007b02 = 1; *(uint8_t*)0x20007b06 = 0xfb; *(uint32_t*)0x20007e90 = 0x20007b40; *(uint8_t*)0x20007b40 = 0x20; *(uint8_t*)0x20007b41 = 0; *(uint32_t*)0x20007b42 = 4; *(uint16_t*)0x20007b46 = 1; *(uint16_t*)0x20007b48 = 1; *(uint32_t*)0x20007e94 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x20; *(uint8_t*)0x20007b81 = 0; *(uint32_t*)0x20007b82 = 4; *(uint16_t*)0x20007b86 = 0x140; *(uint16_t*)0x20007b88 = 0x20; *(uint32_t*)0x20007e98 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 7; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 0x3ff; *(uint32_t*)0x20007e9c = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 9; *(uint32_t*)0x20007c02 = 1; *(uint8_t*)0x20007c06 = 0x81; 
*(uint32_t*)0x20007ea0 = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0xb; *(uint32_t*)0x20007c42 = 2; memcpy((void*)0x20007c46, "\x8a\x02", 2); *(uint32_t*)0x20007ea4 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0xf; *(uint32_t*)0x20007c82 = 2; *(uint16_t*)0x20007c86 = 0x321a; *(uint32_t*)0x20007ea8 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x13; *(uint32_t*)0x20007cc2 = 6; *(uint8_t*)0x20007cc6 = 1; *(uint8_t*)0x20007cc7 = 0x80; *(uint8_t*)0x20007cc8 = 0xc2; *(uint8_t*)0x20007cc9 = 0; *(uint8_t*)0x20007cca = 0; *(uint8_t*)0x20007ccb = 0; *(uint32_t*)0x20007eac = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x17; *(uint32_t*)0x20007d02 = 6; memcpy((void*)0x20007d06, "\xb0\xfe\x28\x1f\xa3\x91", 6); *(uint32_t*)0x20007eb0 = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x19; *(uint32_t*)0x20007d42 = 2; memcpy((void*)0x20007d46, "#7", 2); *(uint32_t*)0x20007eb4 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x1a; *(uint32_t*)0x20007d82 = 2; *(uint16_t*)0x20007d86 = 6; *(uint32_t*)0x20007eb8 = 0x20007dc0; *(uint8_t*)0x20007dc0 = 0x40; *(uint8_t*)0x20007dc1 = 0x1c; *(uint32_t*)0x20007dc2 = 1; *(uint8_t*)0x20007dc6 = 6; *(uint32_t*)0x20007ebc = 0x20007e00; *(uint8_t*)0x20007e00 = 0x40; *(uint8_t*)0x20007e01 = 0x1e; *(uint32_t*)0x20007e02 = 1; *(uint8_t*)0x20007e06 = 6; *(uint32_t*)0x20007ec0 = 0x20007e40; *(uint8_t*)0x20007e40 = 0x40; *(uint8_t*)0x20007e41 = 0x21; *(uint32_t*)0x20007e42 = 1; *(uint8_t*)0x20007e46 = 0x9e; syz_usb_control_io(r[22], 0x200079c0, 0x20007e80); break; case 43: *(uint8_t*)0x20007f00 = 0x12; *(uint8_t*)0x20007f01 = 1; *(uint16_t*)0x20007f02 = 0x70; *(uint8_t*)0x20007f04 = 2; *(uint8_t*)0x20007f05 = 0; *(uint8_t*)0x20007f06 = 0; *(uint8_t*)0x20007f07 = 0x50; *(uint16_t*)0x20007f08 = 0x525; *(uint16_t*)0x20007f0a = 0xa4a1; *(uint16_t*)0x20007f0c = 0x40; *(uint8_t*)0x20007f0e = 1; *(uint8_t*)0x20007f0f = 2; 
*(uint8_t*)0x20007f10 = 3; *(uint8_t*)0x20007f11 = 1; *(uint8_t*)0x20007f12 = 9; *(uint8_t*)0x20007f13 = 2; *(uint16_t*)0x20007f14 = 0x4d; *(uint8_t*)0x20007f16 = 1; *(uint8_t*)0x20007f17 = 1; *(uint8_t*)0x20007f18 = 2; *(uint8_t*)0x20007f19 = 0x70; *(uint8_t*)0x20007f1a = 0x40; *(uint8_t*)0x20007f1b = 9; *(uint8_t*)0x20007f1c = 4; *(uint8_t*)0x20007f1d = 0; *(uint8_t*)0x20007f1e = 0xc4; *(uint8_t*)0x20007f1f = 3; *(uint8_t*)0x20007f20 = 2; *(uint8_t*)0x20007f21 = 6; *(uint8_t*)0x20007f22 = 0; *(uint8_t*)0x20007f23 = 0xe1; *(uint8_t*)0x20007f24 = 8; *(uint8_t*)0x20007f25 = 0x24; *(uint8_t*)0x20007f26 = 6; *(uint8_t*)0x20007f27 = 0; *(uint8_t*)0x20007f28 = 0; memcpy((void*)0x20007f29, "W?s", 3); *(uint8_t*)0x20007f2c = 5; *(uint8_t*)0x20007f2d = 0x24; *(uint8_t*)0x20007f2e = 0; *(uint16_t*)0x20007f2f = 3; *(uint8_t*)0x20007f31 = 0xd; *(uint8_t*)0x20007f32 = 0x24; *(uint8_t*)0x20007f33 = 0xf; *(uint8_t*)0x20007f34 = 1; *(uint32_t*)0x20007f35 = 0x200; *(uint16_t*)0x20007f39 = 0; *(uint16_t*)0x20007f3b = 0x200; *(uint8_t*)0x20007f3d = 3; *(uint8_t*)0x20007f3e = 6; *(uint8_t*)0x20007f3f = 0x24; *(uint8_t*)0x20007f40 = 0x1a; *(uint16_t*)0x20007f41 = 0x1000; *(uint8_t*)0x20007f43 = 0; *(uint8_t*)0x20007f44 = 9; *(uint8_t*)0x20007f45 = 5; *(uint8_t*)0x20007f46 = 0x81; *(uint8_t*)0x20007f47 = 3; *(uint16_t*)0x20007f48 = 0x20; *(uint8_t*)0x20007f4a = 0x3f; *(uint8_t*)0x20007f4b = 0; *(uint8_t*)0x20007f4c = 0xd8; *(uint8_t*)0x20007f4d = 9; *(uint8_t*)0x20007f4e = 5; *(uint8_t*)0x20007f4f = 0x82; *(uint8_t*)0x20007f50 = 2; *(uint16_t*)0x20007f51 = 8; *(uint8_t*)0x20007f53 = -1; *(uint8_t*)0x20007f54 = 0xec; *(uint8_t*)0x20007f55 = 5; *(uint8_t*)0x20007f56 = 9; *(uint8_t*)0x20007f57 = 5; *(uint8_t*)0x20007f58 = 3; *(uint8_t*)0x20007f59 = 2; *(uint16_t*)0x20007f5a = 0x3cf; *(uint8_t*)0x20007f5c = 0x81; *(uint8_t*)0x20007f5d = 0x39; *(uint8_t*)0x20007f5e = 5; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f80; *(uint8_t*)0x20007f80 = 0xa; *(uint8_t*)0x20007f81 = 6; 
*(uint16_t*)0x20007f82 = 0; *(uint8_t*)0x20007f84 = 2; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x77; *(uint8_t*)0x20007f87 = -1; *(uint8_t*)0x20007f88 = 0x2f; *(uint8_t*)0x20007f89 = 0; *(uint32_t*)0x20008288 = 5; *(uint32_t*)0x2000828c = 0x20007fc0; *(uint8_t*)0x20007fc0 = 5; *(uint8_t*)0x20007fc1 = 0xf; *(uint16_t*)0x20007fc2 = 5; *(uint8_t*)0x20007fc4 = 0; *(uint32_t*)0x20008290 = 5; *(uint32_t*)0x20008294 = 0x69; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 0x69; *(uint8_t*)0x20008001 = 3; memcpy((void*)0x20008002, "\xd2\x5a\x9c\x8f\x14\x52\xa3\xc6\xff\xbf\xec\xa8\xeb\x77\x79\x35\xb5\x8c\x9b\x74\x06\x77\x50\x86\xff\xf7\x17\xb5\x4f\x05\xac\x59\xf9\x45\x17\xff\x3c\xd6\xf3\x10\x1d\xbf\xa7\x9b\xb8\x2a\xe3\x1b\x1d\x31\x6d\x08\xa7\x1d\x14\xfc\x2c\x1c\xfa\x8c\x89\x30\x68\xbd\xe2\xbb\x83\x0a\xe9\x1f\xc9\x42\x88\xcc\x23\x2a\xaa\xc0\xe6\x4b\x84\x00\x7b\x0e\x75\x36\xc3\xec\x34\xed\xef\x04\xde\xd9\x34\x21\xa3\x77\xe0\x69\x53\x26\xaa", 103); *(uint32_t*)0x2000829c = 0xac; *(uint32_t*)0x200082a0 = 0x20008080; *(uint8_t*)0x20008080 = 0xac; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x73\x60\x60\x9c\xe8\x30\x0a\xe4\x62\x33\x08\xd5\xf8\xb9\x7b\xfd\x50\xd3\xd8\x63\x40\x8b\x8e\xa4\x01\xc8\x6d\xa9\xd4\x2c\xe5\xf3\x86\x7c\xe8\xd7\x21\xfb\x2a\xb5\xc2\x5f\x6b\x4c\x5e\x85\xf5\xea\xf3\x41\xbd\x51\x4a\x16\xc2\xdf\xe3\xc7\xa1\xd7\xf4\x27\xae\x62\xc0\xbf\xf3\x79\xe8\x4d\x56\x63\x7e\xc1\x37\x7b\x8c\x8a\xd5\xb5\x5b\x09\x9c\xfa\xa4\xa7\xa6\xee\xb0\x58\x9f\x81\xe7\xa4\x33\x00\xef\xf5\x33\x54\xe1\xb2\xbd\xcd\xc3\x4d\x79\x45\xd6\x35\x62\xe4\x8d\x5e\xd9\x3b\xef\x75\xfd\x01\x60\xfc\xd7\xc3\xa6\xbe\x7f\x0c\x64\x2b\xb6\xe5\x61\xe3\x5a\x1c\x73\x11\x0b\xdc\xde\xd7\x69\x98\x65\xe2\x5e\xb2\x38\xcf\x8f\x3b\x10\xad\x3c\x10\x48\x80\x28\xc3\x70\x63\xc8\x86\x2f\x90\x7b\x06\x82\x9e", 170); *(uint32_t*)0x200082a4 = 4; *(uint32_t*)0x200082a8 = 0x20008140; *(uint8_t*)0x20008140 = 4; *(uint8_t*)0x20008141 = 3; *(uint16_t*)0x20008142 = 0x81a; *(uint32_t*)0x200082ac = 4; 
*(uint32_t*)0x200082b0 = 0x20008180; *(uint8_t*)0x20008180 = 4; *(uint8_t*)0x20008181 = 3; *(uint16_t*)0x20008182 = 0x180a; *(uint32_t*)0x200082b4 = 0xb9; *(uint32_t*)0x200082b8 = 0x200081c0; *(uint8_t*)0x200081c0 = 0xb9; *(uint8_t*)0x200081c1 = 3; memcpy((void*)0x200081c2, "\x37\xef\xeb\x85\x4b\x40\x51\xa4\x6c\x67\xae\xe7\xea\xa0\xf6\x2f\xde\x9f\x59\x9c\xd5\xba\x25\x32\x9d\x50\xae\xe1\x6b\x30\xc6\xc1\xa5\x14\x83\x10\x81\xaf\xc1\xdf\xd2\x68\x2f\xf4\x87\x16\xa9\x1b\xf9\x5e\x08\x42\x12\xb0\x69\x6d\x43\xe1\xc6\xc4\x3a\xda\xf9\xed\x3e\xf7\x0e\x62\x73\x59\x94\xd2\xd0\x86\x51\x39\x60\x49\x88\xfa\xc1\x79\x78\xd9\xc0\x5a\x84\xf3\x42\x38\x31\xdd\x1d\xdd\xc6\xc9\x4d\x50\xdd\xd6\x74\xf1\x65\x25\xbb\xf9\xa8\xdb\x3b\xb4\x90\x01\xbe\x38\xa1\x96\x70\xab\xd9\x9f\x4a\x2e\x97\xcf\xb2\x0d\x46\xc6\x37\x83\x2a\x3e\xc9\x7f\xf0\x94\xc6\xa3\x30\x49\x64\xb7\x2b\xcf\x11\x6b\xf2\x7f\xed\xd5\x52\x1a\xd3\xda\x22\x62\x97\xff\xf8\x49\xc3\x3c\x5d\x84\x9e\x3e\x30\x37\x52\x79\x01\xee\xf6\x3a\x59\x9b\xaa\x54\xfc\x46\xa4\x6f\xf1", 183); res = -1; res = syz_usb_connect(2, 0x5f, 0x20007f00, 0x20008280); if (res != -1) r[23] = res; break; case 44: syz_usb_disconnect(r[23]); break; case 45: *(uint8_t*)0x200082c0 = 0x12; *(uint8_t*)0x200082c1 = 1; *(uint16_t*)0x200082c2 = 0x110; *(uint8_t*)0x200082c4 = 2; *(uint8_t*)0x200082c5 = 0; *(uint8_t*)0x200082c6 = 0; *(uint8_t*)0x200082c7 = 0x20; *(uint16_t*)0x200082c8 = 0x525; *(uint16_t*)0x200082ca = 0xa4a1; *(uint16_t*)0x200082cc = 0x40; *(uint8_t*)0x200082ce = 1; *(uint8_t*)0x200082cf = 2; *(uint8_t*)0x200082d0 = 3; *(uint8_t*)0x200082d1 = 1; *(uint8_t*)0x200082d2 = 9; *(uint8_t*)0x200082d3 = 2; *(uint16_t*)0x200082d4 = 0xb3; *(uint8_t*)0x200082d6 = 1; *(uint8_t*)0x200082d7 = 1; *(uint8_t*)0x200082d8 = 6; *(uint8_t*)0x200082d9 = 0x28; *(uint8_t*)0x200082da = -1; *(uint8_t*)0x200082db = 9; *(uint8_t*)0x200082dc = 4; *(uint8_t*)0x200082dd = 0; *(uint8_t*)0x200082de = 9; *(uint8_t*)0x200082df = 2; *(uint8_t*)0x200082e0 = 2; *(uint8_t*)0x200082e1 = 6; 
*(uint8_t*)0x200082e2 = 0; *(uint8_t*)0x200082e3 = 4; *(uint8_t*)0x200082e4 = 6; *(uint8_t*)0x200082e5 = 0x24; *(uint8_t*)0x200082e6 = 6; *(uint8_t*)0x200082e7 = 0; *(uint8_t*)0x200082e8 = 0; memset((void*)0x200082e9, 177, 1); *(uint8_t*)0x200082ea = 5; *(uint8_t*)0x200082eb = 0x24; *(uint8_t*)0x200082ec = 0; *(uint16_t*)0x200082ed = 8; *(uint8_t*)0x200082ef = 0xd; *(uint8_t*)0x200082f0 = 0x24; *(uint8_t*)0x200082f1 = 0xf; *(uint8_t*)0x200082f2 = 1; *(uint32_t*)0x200082f3 = 0x9208; *(uint16_t*)0x200082f7 = 2; *(uint16_t*)0x200082f9 = 0; *(uint8_t*)0x200082fb = 0x20; *(uint8_t*)0x200082fc = 0x5e; *(uint8_t*)0x200082fd = 0x24; *(uint8_t*)0x200082fe = 0x13; *(uint8_t*)0x200082ff = 7; memcpy((void*)0x20008300, "\x63\xb0\xb9\x53\x77\x14\x7b\xa2\x14\xd9\x50\xfc\x04\xb2\x2c\x04\xbe\x09\xd9\xb9\x6f\x1a\xb9\x4b\xb0\x2e\x8a\x2a\x9e\x23\xcf\x7d\x3a\xca\xb2\x2a\x80\xed\x35\x0e\xc4\xb1\x78\x06\xed\xcb\x16\x9e\x50\x75\x37\x3d\x99\x17\x80\x21\x13\x92\xeb\x3d\x9f\x11\x73\xa5\x39\x84\x3b\xf2\xc3\xf6\x6a\x4a\x69\x60\xa5\x5a\x22\x07\x76\x7d\xb3\xc5\x5a\x7d\xd2\x89\x8b\x5c\xcb\x40", 90); *(uint8_t*)0x2000835a = 0xc; *(uint8_t*)0x2000835b = 0x24; *(uint8_t*)0x2000835c = 0x1b; *(uint16_t*)0x2000835d = 0x2a; *(uint16_t*)0x2000835f = 0x100; *(uint8_t*)0x20008361 = 0xe0; *(uint8_t*)0x20008362 = 0x76; *(uint16_t*)0x20008363 = 0; *(uint8_t*)0x20008365 = -1; *(uint8_t*)0x20008366 = 4; *(uint8_t*)0x20008367 = 0x24; *(uint8_t*)0x20008368 = 2; *(uint8_t*)0x20008369 = 0xa; *(uint8_t*)0x2000836a = 9; *(uint8_t*)0x2000836b = 5; *(uint8_t*)0x2000836c = 0x81; *(uint8_t*)0x2000836d = 3; *(uint16_t*)0x2000836e = 0x20; *(uint8_t*)0x20008370 = 0x73; *(uint8_t*)0x20008371 = 0x35; *(uint8_t*)0x20008372 = 0x3f; *(uint8_t*)0x20008373 = 9; *(uint8_t*)0x20008374 = 5; *(uint8_t*)0x20008375 = 0x82; *(uint8_t*)0x20008376 = 2; *(uint16_t*)0x20008377 = 8; *(uint8_t*)0x20008379 = 3; *(uint8_t*)0x2000837a = 1; *(uint8_t*)0x2000837b = 3; *(uint8_t*)0x2000837c = 9; *(uint8_t*)0x2000837d = 5; *(uint8_t*)0x2000837e = 3; 
*(uint8_t*)0x2000837f = 2; *(uint16_t*)0x20008380 = 0x40; *(uint8_t*)0x20008382 = 5; *(uint8_t*)0x20008383 = 0x40; *(uint8_t*)0x20008384 = 2; *(uint32_t*)0x200087c0 = 0xa; *(uint32_t*)0x200087c4 = 0x200083c0; *(uint8_t*)0x200083c0 = 0xa; *(uint8_t*)0x200083c1 = 6; *(uint16_t*)0x200083c2 = 0x201; *(uint8_t*)0x200083c4 = 0x79; *(uint8_t*)0x200083c5 = 3; *(uint8_t*)0x200083c6 = 0x3f; *(uint8_t*)0x200083c7 = 0x20; *(uint8_t*)0x200083c8 = 6; *(uint8_t*)0x200083c9 = 0; *(uint32_t*)0x200087c8 = 0x37; *(uint32_t*)0x200087cc = 0x20008400; *(uint8_t*)0x20008400 = 5; *(uint8_t*)0x20008401 = 0xf; *(uint16_t*)0x20008402 = 0x37; *(uint8_t*)0x20008404 = 5; *(uint8_t*)0x20008405 = 7; *(uint8_t*)0x20008406 = 0x10; *(uint8_t*)0x20008407 = 2; STORE_BY_BITMASK(uint32_t, , 0x20008408, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008409, 0xa, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008409, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000840a, 5, 0, 16); *(uint8_t*)0x2000840c = 7; *(uint8_t*)0x2000840d = 0x10; *(uint8_t*)0x2000840e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000840f, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008410, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008410, 9, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008411, 8, 0, 16); *(uint8_t*)0x20008413 = 0xa; *(uint8_t*)0x20008414 = 0x10; *(uint8_t*)0x20008415 = 3; *(uint8_t*)0x20008416 = 0xc9; *(uint16_t*)0x20008417 = 7; *(uint8_t*)0x20008419 = 7; *(uint8_t*)0x2000841a = 0; *(uint16_t*)0x2000841b = 8; *(uint8_t*)0x2000841d = 0xa; *(uint8_t*)0x2000841e = 0x10; *(uint8_t*)0x2000841f = 3; *(uint8_t*)0x20008420 = 2; *(uint16_t*)0x20008421 = 0xc; *(uint8_t*)0x20008423 = 0; *(uint8_t*)0x20008424 = 6; *(uint16_t*)0x20008425 = 6; *(uint8_t*)0x20008427 = 0x10; *(uint8_t*)0x20008428 = 0x10; *(uint8_t*)0x20008429 = 0xa; *(uint8_t*)0x2000842a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000842b, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000842b, 0x8001, 5, 27); *(uint16_t*)0x2000842f = 0xf00f; *(uint16_t*)0x20008431 = 0xfffd; *(uint32_t*)0x20008433 = 
0x3fc0; *(uint32_t*)0x200087d0 = 9; *(uint32_t*)0x200087d4 = 0x4f; *(uint32_t*)0x200087d8 = 0x20008440; *(uint8_t*)0x20008440 = 0x4f; *(uint8_t*)0x20008441 = 3; memcpy((void*)0x20008442, "\xc0\x66\x3b\x11\x6d\xab\x9b\xa5\xc0\xa2\xf7\xa2\xad\x48\x6f\xfc\x16\x4a\x43\x65\x89\x95\x65\xc5\xe9\x9b\x01\x52\x39\xf3\x78\xdf\x56\xdb\x4d\xc3\xb0\xbb\x08\xdc\xd2\x08\xd9\x58\xfa\x3c\xf0\x80\x97\xaa\x20\x8b\x2d\x28\x65\xb5\x02\xcb\xc9\x4b\x1a\x8e\x33\xbd\xd9\xd6\x48\x1f\xbf\x32\xd4\x91\x34\x22\xfe\x18\x9f", 77); *(uint32_t*)0x200087dc = 0x85; *(uint32_t*)0x200087e0 = 0x200084c0; *(uint8_t*)0x200084c0 = 0x85; *(uint8_t*)0x200084c1 = 3; memcpy((void*)0x200084c2, "\xc9\xc4\x87\xa9\x0b\xe3\xd4\x0e\xf7\x82\x37\x3d\x78\x5f\x86\xbd\xfc\x3d\xb6\xfb\x0d\xd0\xa7\x44\x0b\x2f\xe4\x59\x5c\x3a\x6b\xd6\x7a\xa8\x51\x8d\x89\x7a\x8a\x75\x7d\x5f\x1c\xeb\x86\xe5\x98\xca\xbf\x23\x45\xf7\x71\xc3\xc7\x12\x8b\xd1\x6d\xd4\xb1\xee\x9b\x7d\xbc\xaf\x61\x1e\x97\xf6\xdc\xb9\xf1\x71\xe8\xf7\x05\x2b\x0f\x33\xe6\x31\xbf\xe9\x9d\xdc\x44\x13\xe5\xe5\xd7\xb6\x34\xdc\xc3\xb7\x7e\x4d\x30\x1f\x89\xa8\xd3\xb8\x51\xb0\x23\x06\xca\xbe\xc2\x11\x12\x7a\x8e\x54\x1d\x16\x26\x36\x58\x8f\xf5\x74\xde\x82\xde\x8f\x30\x7d\x43", 131); *(uint32_t*)0x200087e4 = 4; *(uint32_t*)0x200087e8 = 0x20008580; *(uint8_t*)0x20008580 = 4; *(uint8_t*)0x20008581 = 3; *(uint16_t*)0x20008582 = 0x1407; *(uint32_t*)0x200087ec = 4; *(uint32_t*)0x200087f0 = 0x200085c0; *(uint8_t*)0x200085c0 = 4; *(uint8_t*)0x200085c1 = 3; *(uint16_t*)0x200085c2 = 0; *(uint32_t*)0x200087f4 = 0xaa; *(uint32_t*)0x200087f8 = 0x20008600; *(uint8_t*)0x20008600 = 0xaa; *(uint8_t*)0x20008601 = 3; memcpy((void*)0x20008602, 
"\xce\x39\x5e\x8e\x9f\x40\x9a\x37\xda\xeb\x1c\x20\xbe\x9c\xa4\x00\x4a\xe8\x10\xcf\x16\x53\xec\xcd\x6e\x66\x3d\xd7\x4f\x8b\xc0\x69\x89\xb4\xd1\xa6\x5c\x9f\x48\x0b\xd3\x7e\x9d\xd8\x53\x49\xf2\x98\xdd\xad\xdc\x2c\xc9\xe4\xed\xa1\x47\xf2\x31\x40\x2e\x11\x6f\xb5\x94\xa6\x37\x18\xd8\x21\xd8\x85\xeb\xd6\x7e\xda\x45\x15\x58\xb1\xfb\xa3\x09\x3e\xcb\xd4\x0c\xbe\x5f\xbe\x07\xf9\x4e\xd9\x27\xd8\xe5\x03\x9a\x7c\x49\x7a\xa8\xd1\xf1\x0a\x4d\xda\xc0\x49\xad\x82\x0f\x8c\x53\x2c\x5a\x3f\x00\x94\x79\x55\x03\x24\x23\x92\x2e\x95\xaa\x5b\xfe\xe0\x41\xf7\xfe\x87\x44\xec\xc4\x42\x40\x57\xee\xc9\x70\x40\xb3\x41\xd0\xdd\xdc\xaf\x20\x6d\xa6\x43\x1e\x98\x7f\x04\xcf\xd5\x58\x02\xca\xd3\xa1\x14", 168); *(uint32_t*)0x200087fc = 4; *(uint32_t*)0x20008800 = 0x200086c0; *(uint8_t*)0x200086c0 = 4; *(uint8_t*)0x200086c1 = 3; *(uint16_t*)0x200086c2 = 0x3c01; *(uint32_t*)0x20008804 = 4; *(uint32_t*)0x20008808 = 0x20008700; *(uint8_t*)0x20008700 = 4; *(uint8_t*)0x20008701 = 3; *(uint16_t*)0x20008702 = 0x1809; *(uint32_t*)0x2000880c = 4; *(uint32_t*)0x20008810 = 0x20008740; *(uint8_t*)0x20008740 = 4; *(uint8_t*)0x20008741 = 3; *(uint16_t*)0x20008742 = 0x807; *(uint32_t*)0x20008814 = 4; *(uint32_t*)0x20008818 = 0x20008780; *(uint8_t*)0x20008780 = 4; *(uint8_t*)0x20008781 = 3; *(uint16_t*)0x20008782 = 0x1c; res = -1; res = syz_usb_connect(3, 0xc5, 0x200082c0, 0x200087c0); if (res != -1) r[24] = res; break; case 46: syz_usb_ep_read(r[24], 8, 0x7d, 0x20008840); break; case 47: *(uint8_t*)0x200088c0 = 0x12; *(uint8_t*)0x200088c1 = 1; *(uint16_t*)0x200088c2 = 0x250; *(uint8_t*)0x200088c4 = 0; *(uint8_t*)0x200088c5 = 0; *(uint8_t*)0x200088c6 = 0; *(uint8_t*)0x200088c7 = 0x10; *(uint16_t*)0x200088c8 = 0x56a; *(uint16_t*)0x200088ca = 0x62; *(uint16_t*)0x200088cc = 0x40; *(uint8_t*)0x200088ce = 1; *(uint8_t*)0x200088cf = 2; *(uint8_t*)0x200088d0 = 3; *(uint8_t*)0x200088d1 = 1; *(uint8_t*)0x200088d2 = 9; *(uint8_t*)0x200088d3 = 2; *(uint16_t*)0x200088d4 = 0x2d; *(uint8_t*)0x200088d6 = 1; *(uint8_t*)0x200088d7 = 1; 
*(uint8_t*)0x200088d8 = 0; *(uint8_t*)0x200088d9 = 0xf0; *(uint8_t*)0x200088da = 0x8e; *(uint8_t*)0x200088db = 9; *(uint8_t*)0x200088dc = 4; *(uint8_t*)0x200088dd = 0; *(uint8_t*)0x200088de = 5; *(uint8_t*)0x200088df = 1; *(uint8_t*)0x200088e0 = 3; *(uint8_t*)0x200088e1 = 1; *(uint8_t*)0x200088e2 = 2; *(uint8_t*)0x200088e3 = 0; *(uint8_t*)0x200088e4 = 9; *(uint8_t*)0x200088e5 = 0x21; *(uint16_t*)0x200088e6 = 3; *(uint8_t*)0x200088e8 = 0xf; *(uint8_t*)0x200088e9 = 1; *(uint8_t*)0x200088ea = 0x22; *(uint16_t*)0x200088eb = 0xa21; *(uint8_t*)0x200088ed = 9; *(uint8_t*)0x200088ee = 5; *(uint8_t*)0x200088ef = 0x81; *(uint8_t*)0x200088f0 = 3; *(uint16_t*)0x200088f1 = 0x3af; *(uint8_t*)0x200088f3 = 1; *(uint8_t*)0x200088f4 = 0x40; *(uint8_t*)0x200088f5 = 2; *(uint8_t*)0x200088f6 = 9; *(uint8_t*)0x200088f7 = 5; *(uint8_t*)0x200088f8 = 2; *(uint8_t*)0x200088f9 = 3; *(uint16_t*)0x200088fa = 0x10; *(uint8_t*)0x200088fc = 6; *(uint8_t*)0x200088fd = 1; *(uint8_t*)0x200088fe = 9; *(uint32_t*)0x20008c00 = 0xa; *(uint32_t*)0x20008c04 = 0x20008900; *(uint8_t*)0x20008900 = 0xa; *(uint8_t*)0x20008901 = 6; *(uint16_t*)0x20008902 = 0x250; *(uint8_t*)0x20008904 = 3; *(uint8_t*)0x20008905 = 1; *(uint8_t*)0x20008906 = 0x46; *(uint8_t*)0x20008907 = -1; *(uint8_t*)0x20008908 = 0x20; *(uint8_t*)0x20008909 = 0; *(uint32_t*)0x20008c08 = 0x34; *(uint32_t*)0x20008c0c = 0x20008940; *(uint8_t*)0x20008940 = 5; *(uint8_t*)0x20008941 = 0xf; *(uint16_t*)0x20008942 = 0x34; *(uint8_t*)0x20008944 = 2; *(uint8_t*)0x20008945 = 0xb; *(uint8_t*)0x20008946 = 0x10; *(uint8_t*)0x20008947 = 1; *(uint8_t*)0x20008948 = 2; *(uint16_t*)0x20008949 = 0xfa; *(uint8_t*)0x2000894b = 8; *(uint8_t*)0x2000894c = 0x80; *(uint16_t*)0x2000894d = 5; *(uint8_t*)0x2000894f = 3; *(uint8_t*)0x20008950 = 0x24; *(uint8_t*)0x20008951 = 0x10; *(uint8_t*)0x20008952 = 0xa; *(uint8_t*)0x20008953 = 5; STORE_BY_BITMASK(uint32_t, , 0x20008954, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20008954, 9, 5, 27); *(uint16_t*)0x20008958 = 0xf00f; 
*(uint16_t*)0x2000895a = 0; *(uint32_t*)0x2000895c = 0xffc00f; *(uint32_t*)0x20008960 = 0xff00c0; *(uint32_t*)0x20008964 = 0x101ffc0; *(uint32_t*)0x20008968 = 0xff0030; *(uint32_t*)0x2000896c = 0x30; *(uint32_t*)0x20008970 = 0x30; *(uint32_t*)0x20008c10 = 4; *(uint32_t*)0x20008c14 = 0xed; *(uint32_t*)0x20008c18 = 0x20008980; *(uint8_t*)0x20008980 = 0xed; *(uint8_t*)0x20008981 = 3; memcpy((void*)0x20008982, "\xe7\xdb\x91\x4e\xf4\xa7\x1a\x3a\xba\x44\x3e\xe1\x81\xc2\x72\xe7\xfb\xb6\x36\x48\xa9\x97\x75\x4b\x81\xa1\x93\x8f\x52\xb9\xfd\x8c\x2b\x76\xca\x28\xee\x1f\xcb\xa2\x80\x02\x1f\xbe\x02\xff\xa0\x3e\xa7\x53\xf2\xd5\x1b\x71\xf1\xcb\x93\x91\xea\x31\xfa\xab\xf8\xed\x37\xa9\x85\x3b\x87\xee\xba\xa0\xa1\x26\x96\x96\xe6\x5e\x30\x9e\xa4\xbf\x77\x55\xff\x1b\x99\x28\x0f\xd6\x82\x30\xd7\xd8\x99\xd0\x97\xe1\x6e\xe0\xb2\x24\xde\x57\x33\x94\x39\xc8\x0a\xd7\xfb\xf8\xbb\xf3\x2a\xa0\x0e\x29\x80\x2b\xde\x1c\x8c\x5e\x62\x28\xfa\x0a\x54\xc8\x35\x0e\xf9\x97\x11\x2f\x76\x3e\x17\x42\x8f\xb8\xe9\x5a\x56\x68\x95\x95\xf3\x0a\x3c\x16\x15\x18\x09\xb0\xc6\xb1\xd4\xd4\x76\x65\x10\xc6\xf0\x66\xfe\x4b\x35\xa3\xea\x90\xd3\x88\xd1\xb4\xd4\xe9\xc6\xb3\x09\x71\xe2\x37\xe2\x3f\xd2\x05\xf9\x90\x5e\xe7\xd7\x9f\x44\x43\x70\x7a\xdc\x7f\x65\xce\x2b\x15\x99\x4d\xaa\xc7\xb9\x54\x35\x3f\xb2\x32\x01\x84\x41\x22\x71\x05\x31\x87\x9c\x62\x91\xc7\xdf\xbf\x6b\xe4\x54\xb9\xcf\x2f\x2e", 235); *(uint32_t*)0x20008c1c = 4; *(uint32_t*)0x20008c20 = 0x20008a80; *(uint8_t*)0x20008a80 = 4; *(uint8_t*)0x20008a81 = 3; *(uint16_t*)0x20008a82 = 0x410; *(uint32_t*)0x20008c24 = 0x64; *(uint32_t*)0x20008c28 = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x64; *(uint8_t*)0x20008ac1 = 3; memcpy((void*)0x20008ac2, 
"\x04\x1c\x8b\x1b\xd1\x43\xea\x1d\x63\x82\x9b\x76\x9d\xdb\x88\x6a\x6a\xaf\xee\xdd\x5f\x65\x2b\xc9\x48\x67\x7c\x9a\x6e\x3a\xcf\xe0\x4a\x15\x19\x05\x3f\x95\xe5\xfc\xf7\x9b\x08\x53\x62\xcd\xac\x6a\xbb\xf8\xf1\x37\x81\xa6\x21\x88\x52\x57\x05\x2b\x12\x00\x45\xda\x2c\x49\x4a\x30\xbc\x6a\xe6\xc4\x16\x0c\xf4\x97\x00\x2a\xf8\xb7\x7e\x21\x68\x93\x24\xbd\x6e\x75\xac\xed\xa7\xcf\x6a\x50\x92\x0b\x2a\xb1", 98); *(uint32_t*)0x20008c2c = 0x87; *(uint32_t*)0x20008c30 = 0x20008b40; *(uint8_t*)0x20008b40 = 0x87; *(uint8_t*)0x20008b41 = 3; memcpy((void*)0x20008b42, "\x15\x08\x37\xb1\xe6\x9e\x50\x07\x39\x8a\xc0\x2c\x4a\x0b\x25\x07\x2d\xaa\x81\xa6\x4a\xf1\x0b\xcd\xc5\x73\x63\x33\xf4\x9c\x92\x1f\x86\xd9\xcb\xc6\xb7\x78\xf1\xd2\x16\x79\xd8\x47\xd5\xb8\xa9\xb7\x0f\xc5\x6b\xb5\xa4\x33\x04\x0a\xfd\x94\x37\x7b\x25\x15\xa5\x5c\xda\x70\xdb\x64\x44\x2a\xda\xe0\x90\x5a\xa9\x0f\x91\x1d\x3b\xee\xf8\x00\xab\x6f\xd8\x7a\x5c\x51\xfd\xa8\xfa\xa7\x50\xd1\x95\xc2\xe6\x57\x24\x97\x81\xc6\xaf\x05\x23\xe0\x49\x2f\x9a\x69\xe2\x27\xe1\x0c\xa0\x31\x0f\x1a\x01\x0f\x8b\x98\x6a\x9a\x05\x53\xa5\x33\x1f\x97\x54\xfc\x90", 133); res = -1; res = syz_usb_connect(3, 0x3f, 0x200088c0, 0x20008c00); if (res != -1) r[25] = res; break; case 48: memcpy((void*)0x20008c40, "\xa6\x90\x8c\x55\x30\x81\x4d\x6a\x6b\xfd\x6d\x6c\x75\x94\xd4\xaf\x8a\x49\x62\xd8\x82\xda\x65\x7b\xb4\x02\xc7\xd0\xae\x45\x35\x16\x81\x60\xdb\xf6\x7b\x82\xf2\x23\xd5\x77\xb0\xe1\x6e\x6a\xc3\xc4\x6a\x40\x15\xa6\xed\x7c\x4f\xa6\x5d\x1d\xba\xa2\x68\xb7\x48\xde\xc4\x67\x74\xec\xa9\x22\x47\x96\x94\x49\xa9\xf5\x9e\x9e\xdd\xe4\xd3\x7e\x7b\xd1\x78\x82\xeb\x00\x5e\x24\xfe\x43\xf5\x76\x54\x00\x0e\xad\xec\x3f\x1d\xe9\x91\x7e\xb2\x8c\x2a\x87\x71\x82\xc4\x7b\x55\x6d", 114); syz_usb_ep_write(r[25], 7, 0x72, 0x20008c40); break; case 49: syz_usbip_server_init(4); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); 
use_temporary_dir(); do_sandbox_none(); return 0; } :124:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :111:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :106:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor480413498 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/10 (1.81s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:namespace Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) (fail_nth: 1) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000040)={0x0, 0xe6, "f137161ab86c594202b997d9f12d007021870322c8d909748409951ae9800c1e207f98b769c740f867ea14bbf8666a4f98d229aaafbc33c6c52168db8933c4a4a4a3dd3ce0ccea96e71d81ff4aca8331cb01bf35433853d1abd48fd6d0ce1314df6507bae535a2b4e3eaa74c5d23006594148a0fe5b4a884ef8f41346e49cc90474cb17bac301d4797ed05dfc6ccb74bebaabe549172d622a30605a4e49fd3f8537de5272c33ad4f07cd060577bce65e5c80a34168cde68117e4f900e35a3d888e02ee111752213b40d2af258c01f36de50ce8e83d4226a30d6a4cc43a883f6c20e3fada8ad2"}, &(0x7f0000000140)=0xee) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e22, 0x3, @private2, 0x1}}, [0x7fffffff, 0x1, 0x7fff, 0x4, 0x7, 0x1, 0x3ff, 0x40, 0x5, 0x1, 0x0, 0x7, 0x0, 0x8, 0x1f]}, 
&(0x7f0000000280)=0xfc) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e20, 0x9, @private2={0xfc, 0x2, '\x00', 0x1}, 0x3}}}, 0x84) r3 = openat$pktcdvd(0xffffff9c, &(0x7f0000000380), 0x0, 0x0) ioctl$MEDIA_REQUEST_IOC_QUEUE(r3, 0x7c80, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x7f, @private0, 0x5}}, 0x5, 0x476f}, 0x88) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_SRVCORE_ACQUIREGLOBALEVENTOBJECT(r3, 0xc0206440, &(0x7f0000000500)={0x1, 0x2, &(0x7f0000000480), &(0x7f00000004c0)={0x0}, 0x4, 0x8}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTQ2_RGXTDMSETTRANSFERCONTEXTPROPERTY(r3, 0xc0206440, &(0x7f00000005c0)={0x8a, 0x7, &(0x7f0000000540)={r4, 0x400}, &(0x7f0000000580), 0x10, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXBREAKPOINT_RGXENABLEBREAKPOINT(r3, 0xc0206440, &(0x7f0000000680)={0x83, 0x2, &(0x7f0000000600)={r4}, &(0x7f0000000640), 0x4, 0x4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@deauth={@wo_ht={{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x240}, @broadcast, @device_a, @random="2015d229785b", {0x8}}, 0x27, @val={0x8c, 0x18, {0xc93, "ffe3240f0484", @long="067ecc39a78a3ea47c22246d391b92c4"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_xfrm_policy_alloc_security\x00') syz_emit_ethernet(0xbc, &(0x7f0000000140)={@dev={'\xaa\xaa\xaa\xaa\xaa', 0x3b}, @broadcast, @void, {@mpls_mc={0x8848, {[{0x8, 0x0, 0x1}, {0x1, 0x0, 0x1}, {0x4, 0x0, 0x1}, {}, {0x0, 0x0, 0x1}], @ipv4=@dccp={{0x15, 0x4, 0x2, 0x33, 0x9a, 0x65, 0x0, 0x7, 0x21, 0x0, @dev={0xac, 0x14, 0x14, 0x1e}, @rand_addr=0x64010101, {[@noop, @end, @timestamp_addr={0x44, 0x1c, 0xe9, 0x1, 0x2, [{@dev={0xac, 0x14, 0x14, 0x28}, 0xf7e}, {@loopback, 0x7fff}, {@private=0xa010101, 0x5}]}, @generic={0x83, 0xe, "db10ac96c2cf817c67fc6d7e"}, @rr={0x7, 0x7, 0x87, 
[@local]}, @end, @ra={0x94, 0x4, 0x7}, @end, @generic={0x44, 0x5, "e0d910"}]}}, {{0x4e20, 0x4e23, 0x4, 0x1, 0xf, 0x0, 0x0, 0x9, 0x5, "d77b5a", 0x7, "c6dd9c"}, "494a1261c05df7372b3c29631b6232d41f19fa8727ecea11ccf1979683ceb144705e12c13fba0e399f08f58397f3ea7bdb746b3dcabe"}}}}}}, &(0x7f0000000200)={0x0, 0x3, [0xf9, 0x208, 0x50c, 0x74d]}) syz_emit_vhci(&(0x7f0000000240)=@HCI_EVENT_PKT={0x4, @HCI_EV_VENDOR={{0xff, 0xc1}, "0626cab051d180b0c2e36c0814bbca7e31d691502e1c7c0eae1a042e7372921a0c6dfccedd81a98f58b9850ba2f68bc25d5cab15a0af010796b5fdfb8a3b35f3eb48ee0c7b2ed287cf469fdec0248e957ef0dd22f3fc6d746e70262c277c016177e56a68031293b56b02c1b6f867d10a3bbf33817b39d487ae0659a68cffb8df46df59a7d104b7c6711d45af1f966d69e635809cf24a70d4c2ea9cc98d37599807148af36b475eb2ce56e027ac751769f8710272d187722ecdf7a8f86d8b977aa8"}}, 0xc4) syz_execute_func(&(0x7f0000000340)="c4c17d6f7072c4e1f9112fc4e3c95d33abc4c2790eb000000000c4e17a12b70c0000000f0156e9c4e10dd55e0cf30f526b000f7e20c4c179e702") syz_extract_tcp_res(&(0x7f0000000380), 0x80000000, 0x100) r5 = dup(0xffffffffffffffff) r6 = fcntl$getown(0xffffffffffffffff, 0x9) lstat(&(0x7f00000026c0)='./file0\x00', &(0x7f0000002700)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000002800)=0x0, &(0x7f0000002840), &(0x7f0000002880)=0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002ac0)={0x2020, 0x0, 0x0, 0x0}, 0x2020) statx(0xffffffffffffffff, &(0x7f0000004b00)='./file0\x00', 0x2000, 0x20, &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004d00)={{{@in6=@ipv4={""/10, ""/2, @private}, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000004e00)=0xe4) r13 = getgid() syz_fuse_handle_req(r5, &(0x7f00000003c0)="", 0x2000, &(0x7f0000004f40)={&(0x7f00000023c0)={0x50, 0x0, 0x3f, {0x7, 0x22, 0x8001, 0x1040000, 0x8, 0xf6e1, 0x8, 0x9}}, &(0x7f0000002440)={0x18, 0x0, 0x9, {0x40d}}, &(0x7f0000002480)={0x18, 0x0, 0x7, {0x7}}, &(0x7f00000024c0)={0x18, 
0x0, 0xffff, {0x8}}, &(0x7f0000002500)={0x18, 0x0, 0xce0, {0x1c}}, &(0x7f0000002540)={0x28, 0x0, 0x1, {{0x100, 0x5, 0x2, r6}}}, &(0x7f0000002580)={0x60, 0xfffffffffffffffe, 0x8, {{0xcd95, 0x1f, 0x7, 0x48, 0xaac5, 0x6, 0xad, 0x5}}}, &(0x7f0000002600)={0x18, 0xfffffffffffffff5, 0x9, {0x9}}, &(0x7f0000002640)={0x11, 0x0, 0x0, {'\x00'}}, &(0x7f0000002680)={0x20, 0x0, 0x10000}, &(0x7f0000002780)={0x78, 0x0, 0x9, {0x3, 0x0, 0x0, {0x6, 0x0, 0xfffffffffffff20d, 0xfffffffffffffff8, 0x1, 0x3ff, 0x5, 0x9, 0x726, 0x1000, 0x6, r7, 0xee01, 0x7, 0x7}}}, &(0x7f00000028c0)={0x90, 0x0, 0x3, {0x2, 0x2, 0x100000000, 0x61a26b8d, 0x6, 0x2, {0x1, 0x3, 0x1, 0x100000000, 0x3, 0x8f, 0x4, 0x1ff, 0x849, 0x1000, 0x7, r8, 0xffffffffffffffff, 0x5, 0x1f}}}, &(0x7f0000002980)={0x130, 0x0, 0xa00000000000, [{0x4, 0x1, 0x6, 0x9, '\x01\x01\x01\x01\x01\x01'}, {0x6, 0x1, 0x5, 0xfffffffe, '\xaa\xaa\xaa\xaa\xaa'}, {0x1, 0x1ff, 0x3, 0x7, '{#-'}, {0x5, 0x0, 0x2, 0x761, '[#'}, {0x3, 0x0, 0x2, 0x6, '#]'}, {0x1, 0x714, 0x5, 0x3, '*^\\^b'}, {0x5, 0xeb68, 0x4, 0xfffffa80, '--$-'}, {0x6, 0xfffffffffffffeff, 0x1, 0x1, '-'}, {0x1, 0x8, 0x3, 0xf2, '!\\{'}]}, &(0x7f0000004c40)={0xb0, 0x0, 0xcf, [{{0x1, 0x1, 0x3, 0x100000000, 0x4, 0x81, {0x5, 0x7f, 0x5, 0x6, 0xffff, 0x3, 0x1f, 0x3, 0x8, 0xc000, 0xf5c8, r10, r11, 0x2, 0x9}}, {0x4, 0x80, 0x5, 0x2, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000004e40)={0xa0, 0x0, 0x400, {{0x6, 0x2, 0x400, 0x7, 0x4, 0x9, {0x4, 0x1000, 0xffff, 0x6, 0x1, 0xffff, 0x65f, 0x647c2b8f, 0x400, 0x8000, 0x8, r12, r13, 0x3, 0x6b}}, {0x0, 0xd}}}, &(0x7f0000004f00)={0x20, 0x0, 0x800, {0x0, 0x0, 0x10001}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004f80), r5) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r14 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x343, &(0x7f0000004fc0)={0x0, 0x5004, 0x0, 0x1, 0x1de, 0x0, r14}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000005040)=0x0, &(0x7f0000005080)=0x0) r17 = openat$uinput(0xffffff9c, &(0x7f00000050c0), 0x2, 0x0) r18 = 
openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000005100), 0x488200, 0x0) syz_io_uring_submit(r15, r16, &(0x7f0000005140)=@IORING_OP_SPLICE={0x1e, 0x3, 0x0, @fd=r14, 0x200, {0x0, r17}, 0x6, 0x1, 0x0, {0x0, 0x0, r18}}, 0x3dd1) r19 = openat$keychord(0xffffff9c, &(0x7f0000005180), 0x171000, 0x0) r20 = openat$ubi_ctrl(0xffffff9c, &(0x7f00000051c0), 0x10400, 0x0) syz_kvm_setup_cpu$arm64(r19, r20, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005240)=[{0x0, &(0x7f0000005200)="4623d8a4ce0217c9e59555c166890679e3e0c1940df5b9fcbf91649ef54d80f0c8bcc80e36b5574c4bc9f943401854f56aa2", 0x32}], 0x1, 0x0, &(0x7f0000005280)=[@featur2], 0x1) r21 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x8000, r18, 0x0) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000052c0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005300), &(0x7f0000005340)='./file0\x00', 0xfd, 0x2, &(0x7f0000005540)=[{&(0x7f0000005380)="873519f25df082b371ba5b45adb5709c00805747c37fe044064595cd4728bf8980302b25b4b083b42b41336e130f1b6ff0a2f172498e522b4fe5826eababf53a9852f93ebeb841e1645f32936127029d68fe73eced89c1b93587012a47c42a583d6975592b3f2cdf4337fc6d5e85e5f5835fafe095935ec90484e9081aa8d22498431301baad4a34368c26c64d85326c7e00682178f8d13e6a8969f15b9d5dbcfec2c0e69680c3928ca015b92e25f5078de354fe32cc7121609a0762e1b73efd8967a2fe235e4d1ef9e5ac88bc1ed706a984641b06470b2294d045ce7eba51c0728938a2c6eeb6d8574429cc24bcb2a784", 0xf1, 0x40}, {&(0x7f0000005480)="62935bfe26e9c9f2dc3c3e9dfb491858efb598369bcca51923989ba943cf447baf56625df0f685ed2d034b37c07563f668728f6dc6833609b1221970e55088869d29c01b2dd05c4820b08042b5074008c9757712c480e25d89b9c48e957e5b5c7b0beccfb1fcccedbcedc83806038075fc2a0f8228beb47f1fece09bddcbbe0021abe9c3d198369b81b67dbd6a7d334b8d28b802cc97d934c164e97d9d7b70dc6c", 0xa1, 0x1ff}], 0x8800, &(0x7f0000005580)={[{'\xaa\xaa\xaa\xaa\xaa'}, {}, {':&-]!'}, {'}'}, {',-V'}, {'\\*})'}, {'*^\\^b'}], [{@appraise}, {@fowner_lt={'fowner<', r8}}, {@smackfshat={'smackfshat', 0x3d, 
'\xaa\xaa\xaa\xaa\xaa'}}, {@obj_type={'obj_type', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@dont_appraise}, {@dont_measure}, {@fowner_lt={'fowner<', r9}}, {@dont_appraise}]}) syz_open_dev$I2C(&(0x7f0000005640), 0x40, 0x300) syz_open_procfs(r6, &(0x7f0000005680)='net/if_inet6\x00') syz_open_pts(r19, 0x800) syz_read_part_table(0x9, 0x9, &(0x7f0000006c40)=[{&(0x7f00000056c0)="", 0x1000, 0x8001}, {&(0x7f00000066c0)="31e3c3fa6d99", 0x6, 0x3ff}, {&(0x7f0000006700)="39de863b7148208e432fcddbd9e9148e716c1b48a3967c870c70145d90ed681b3f8bce849fee7f50091570854e20103723e56454e711543f6e2be92c34090d8cc792260be9b960c1e4", 0x49, 0x9}, {&(0x7f0000006780)="17fad571f80fecd34a59bc03f6c02bbd6d56cd8d958924b4ae4189b88b85897efd4e596e1118bb0c771c2c5ba37ded06d78111390c1c80cf6ea9df8727f88559815ed76b36fa13fb4d08e1ccdad7973b5bec5655a74a671fde99ee92397c56d409dadb10c4c37ee92cb41d03ae6fb164e7f86985039128d38be83b5e16c35ee34eb2b8396c5348028781a0a879f88159740ab89705d637bedafa915f195a152597fa0d7da9b76476602c6eeefca1e80a6d3d0ed1a75b00f7a5e153dd851e2301c8daa7d49b4ad91c62d1a6967f54cf9621c240ed587192f69959e05407850ce3831c4e811e6fff1cdf93cfabde887358316881845356d7", 0xf7, 0x26}, {&(0x7f0000006880)="c286968e2238742a47e0e8d444a6a661b7708222f4eddab97a749dcebe2cc83a314b828795f915a36d873b714aef15ddb1b4f62f06800bbe85eaebcb76abe944719249ee7927c88e78a968e93f45c52013ef97ef6f989b1d1cd30fff88677962c8f3052ad0a4631e4e750ba80f3753916c2dffc6a4023cdb62a1b5f2afbb965b2f78c5dd47af90b002da1a26a24fcb99bf81fb29574a2f98107a7937639873b95f4a569a0406cc358b46efae587e9008be69d711ae202c22e29a2f615fd23dcf", 0xc0}, {&(0x7f0000006940)="97fc4dd9db673e16fd0f0eb9a4a26e2a49f42e1616190b0634dfd6135145f4e451bbbad56dadf266964eba7d1007c0a23f8cf03d4f8fe09a7989152b7cf2ec30f2693a06befdf023d79f48c208d742c7b75915bcc1be583517ced3b826b97075e62a8ed12dbb264807c6ffd0227614491fb9de0d8a925a2638c31608de405bbf79e96f171fd58338b1d6979d33a7dae8ad62f2ba53fefc3c", 0x98, 0x20}, 
{&(0x7f0000006a00)="77d8d606bfb424e7b995809ab4f559115fd82e972d98b651dfc69b10df600fb4f78efd586f9cc26edc41b1d2fac87efe59e262411f27a94cf796ed31236b457ca0f147530efbd4cfa6b6a0fee46c25abcf7ad8282aae5299e299799cd52d0a58d7ff9dddd0103724c88da92dbefab6248038abef9ec52264afc74825f7ea70b2ca95d6900f9b647a3f986e18287cb2bf4b4c19efc8c218fd905c3727c86c37026bfbde3af078eb07b798e6d3d8f2e4d5d3bc188cdd20f2ebb1461c5e53b05f2989ffac3b168dee56da0fc011974c660e400ae2d8b2c80acb231581ee91763129b2888aeb12", 0xe5, 0x800}, {&(0x7f0000006b00)="560c1bea71b0f97244fa386d26bf6b1b04308e4bc7fffa", 0x17, 0x80000001}, {&(0x7f0000006b40)="14e55a14a7953387ee55333c1d1694ca98c7999b49788642766805d6f5a290eb1e959ee35a740459e13300262f2af9c357f7a8c1cba187e448bc3c8f865cc9be88624fb0f0d0bb885d9cc2abe171a2478a7420db22e8607e3fbec7e2601d9e11086cfa8cf14d99676b679d8d6bf1dd4faab8fe9a5f4e3f695fe2e6abf09f702683802d44cc3a298255c4c59533731ff5b23e053afb716d58cad667686ee647f48e199c9b5c3d0d2d470f2ce1c5b8b5708ae023ad9880caf31d01f96aebbfcc7df95358a016c5471cc2ce2ced6105057c9d22c8167890ca19", 0xd8, 0x400}]) syz_usb_connect(0x2, 0x6c6, &(0x7f0000006cc0)={{0x12, 0x1, 0x200, 0x62, 0xa5, 0xbe, 0x10, 0x2833, 0x211, 0x37a4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6b4, 0x1, 0x20, 0x0, 0xa0, 0x1, [{{0x9, 0x4, 0xdf, 0x0, 0x10, 0xff, 0x1, 0x0, 0x5, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x1, 0x1}]}, @cdc_ecm={{0x9, 0x24, 0x6, 0x0, 0x0, "fd506508"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x40000000, 0x8, 0x4cc5, 0x7f}, [@network_terminal={0x7, 0x24, 0xa, 0x8, 0x3f, 0x0, 0x81}, @country_functional={0x10, 0x24, 0x7, 0x80, 0x5, [0x44, 0x2, 0x800, 0x101, 0x4]}, @acm={0x4, 0x24, 0x2, 0x4}, @mbim_extended={0x8, 0x24, 0x1c, 0x0, 0xc0, 0x5325}, @ncm={0x6, 0x24, 0x1a, 0x7f}]}], [{{0x9, 0x5, 0x5, 0x0, 0xa716c6d63b98b5a2, 0x6, 0x0, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xe9, 0xf000}]}}, {{0x9, 0x5, 0xe, 0x2, 0x200, 0x8, 0x7, 0x40}}, {{0x9, 0x5, 0x0, 0x10605a5c87a92a7e, 0x200, 0x8, 0x3, 0x1, [@generic={0x9b, 0x21, 
"f2ef0a5c069cdb319138e185061d7e196ae94e535d80f27666fba23b374325f15dc5f20812fe05b0620f6ffcb81003b1f39c5dcd1bff14e2bbeb387335a3534f5adb60ffc4f28595c8f992f77fd5f67a04842b9c4364e3556be9bacb8fd56ed77859291153f6c566026363bfa5f2e6ff2fa6d29317f2d562445364939915a75dd7365f6ab9c15ddbc7c3a45f7eb98fd1fea3551bbd46f20a87"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x3ff, 0x1, 0x20, 0xef, [@generic={0xec, 0x6, "f642246a5372991db97e5824a410e28300d3bd153638f6dac6e1189a0c560a0a0e5f8b15e07879ac95016515202646a7b5b5fc74b7cd40d515b2849d8c1dd9ae4fca16c2e6cf0e8a20ce54f05fa123c019208cb34b5ee561c274ea40a7b34e5813a4a29be40817eb1f7b3e9bef60f7c56657481236b93e2c297f17c776b98f1d0c8f2a56447766c7288ba6b1e385b84a516a98ab729ba70e31fee3aab101d590a4481ae5856326c6825b73c7ae7d3b99cb3c59db31a12726234b900584e8db779352188d12c932d4aacb59eef33d33b9550510cf2b49da747e031c83117b511a1bb93ed76c716e6a0254"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x40}]}}, {{0x9, 0x5, 0x1, 0x0, 0x100, 0xfe, 0x8, 0x37, [@generic={0xe9, 0x23, "1a0e3542857d49ea63b7261ebfc19f14272e284d2665d2795e43f6f9ca62776c9ee52d991879d7d67b4d8b270fd51598beac1c0339b2257ad68c1dde54885ae2d219b87cde159a9897c88bda26e08a3691055022739c1fe64adb98639dc25421c449cf364800c4c365062f2488e6901e56e62f4b703eae7af26298a1eee1bfe62d9b2ae35320ae2baf174e94ff55321097be81e0279f5d0aa84dd18ca0864d98d0edbbeaa19ddf3626fd83a2e2b5f676a734d4784b3c6877fd1bb3c9543df7abda9bd9c9be405949747e21073c18957fff0eaac0273cfd3f702cb65597949a172726f7e459536c"}, @generic={0x18, 0x10, "a0289017f3f433f11059489a61115823e1138ae84a34"}]}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0x67, 0x3, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x80, 0x2e6}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x48, 0x35, 0x8, [@generic={0xe5, 0x5, 
"30efe9c1a6e5c89c2031214c60fbbeaa4578091e38009c761d15774802934cfd36355b3518ccfe59fa5e7ccee3c13ac4affbe073e0e788c9b5e32216efbf02e35869d7b233a389f812bfd849433c328466eda5e0e3237529cdc65e4eee743d31ffc186a1fe794bdf1364f31eaeff39829e8f6144850d7470cc71572d1f2f23dccdbcdd99e4930de7edbf59b338db3490305fd7710257980b7f76b8daeacb2ad618131fb9b5a3e026c9ddbd69483cd794caad29f2e3b63124a952b462de0cd951d7efd9b3b29107b641417e7783d90159137fa5273a95e0cc46c97c2246e611acb14b4d"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x8, 0x0, 0x33, 0x9}}, {{0x9, 0x5, 0x2, 0xc, 0x400, 0xed, 0x7, 0x9, [@generic={0x84, 0x31, "ee4cd219154df491c4d32aa32112cff407511b06b17f743409ecc216c31e92cefa2b5cc59e634d7aeba2c9e5e36d8efadc0255172518f909b4e1a7daf4d988b1eeaf196c76ee902b657d12fc23c21e176cd149e98a8d8d5755b74fed1a4284bcfd6e6961951ff8216f7bb42f790edd539c1bc5bbac44f767a685c57cbbdec830c52c"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x1, 0xfe01}]}}, {{0x9, 0x5, 0x3, 0x0, 0x40, 0x2, 0x5, 0x3}}, {{0x9, 0x5, 0x0, 0x0, 0x400, 0x0, 0x2f, 0x4}}, {{0x9, 0x5, 0x8f, 0x8, 0x8, 0x81, 0x1, 0x7f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xfb}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0x40, 0x76, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x31, 0x8}]}}, {{0x9, 0x5, 0xf, 0x10, 0x3ff, 0x6, 0xb2, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x80, 0x6}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x6, 0xca, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x10, 0x400, 0x1, 0xfc, 0x4, [@generic={0xd4, 0x21, "28a1dfa1d28f9ae60d0a8e9e3c512db35369d479fa6e6aa099e267e1ced77ca2e180b429779023a872b0ef8807e11f8b8b21b811d4fe5527335ce86e3a95cdf960d1e79e88c276c174d183d2f3bc0862dd7e1d29ac589ceb22024e25a44c3e8123581d1448fd2db5332fe41c23f9aa959564f32db1da14610415ddc293dc57c9d6c775d22151bdab236a5a73592e5518055728ae819e25c080cbb9bf0203b6639b8fd8d716d9c571d6b260ea297733d53c3a05449b9b9221d0f402610c9837189f9c6ab3baaf031d48692690c9981cee1426"}, @generic={0xc3, 0x6, 
"60ed98576fbbbee3db67d535ea7e1a19d92d689e2f03308a615a5641e72e694d996f76c1111c88c507c39a87f34a3682dafbfe583b79f5b950a30614162c605f7e6c5d452b4f84a145f20bf4470ddf43f06c415dc6c41551fd458ba6aedf57d74cb85a25e43324814b62c3be4108b1ea5b9dd22a78a45cdf5d8f27c11f35026bf7ef10c7d1f0615fe1c44a302a84d88b8d6c2d85049c9f48a04b4e61801c017f609b673fc8290f7362a0ed35882a335b657f835fce8e20100cde82c1a3dc180611"}]}}]}}]}}]}}, &(0x7f0000007740)={0xa, &(0x7f00000073c0)={0xa, 0x6, 0x310, 0x5, 0x80, 0xff, 0xbf, 0x5}, 0x5, &(0x7f0000007400)={0x5, 0xf, 0x5}, 0x5, [{0xa8, &(0x7f0000007440)=@string={0xa8, 0x3, "0584bddc149671f9e6c6cd123b796cafe2eb5d2bd3cf65e3eb0f3a601aba7164713d4042653f2cca182207d4e7ffa8bc71e705aa48bcff03fddd2e3e6bebe11cb61f95faf14afdf29440021e851fb682aa24e624e833952db6d1f96aa7edfc74ce501359694c7583eb5e48dfe227d2105d5e3d2359e3c728a48adff09b1132f928893ceefae67700983be1ca94e818e7a1463c802f1fc2a72d40900933403d7b255a35d9dc33"}}, {0x4, &(0x7f0000007500)=@lang_id={0x4, 0x3, 0x42c}}, {0xf4, &(0x7f0000007540)=@string={0xf4, 0x3, "1c537117dc720af3ccf108687c86cb544bc885379e435dbb861bc9a01550592e6008ae94a1f98317ad9cd804016b079b5ec294dcaf4537cf5b68c3c4353754caf369ba34101cbd21926b15cef67ab63ead40abfbef867b372fe2781866f87a2dccf98ffe66531c1d5021406c69ce84b439130cac71f52564b7c8fa621d71d5ff001517593f059da0cb82f1fd5e327df9abec4946e34e20d3f1df8f4a0422f9bb538949b4a14d1b3afd6793e81d3ba596d16d8cee0e700314e531e602fe5cb832b22c7a2f9f36f39d053876478157d541e8c0977a9acaf691f1234f665d234f82ee90ff8982d9c1371a15ddc8ed2392dd5a96"}}, {0x98, &(0x7f0000007640)=@string={0x98, 0x3, "078cbefd67796b8d00c6a027e5d07bc3b00756acafb9096e3e381a99fdbe8a5161ca19a9628d61baefd6972b48f5e04b0fa6e2b99cca8df5b50dbd97d656c02f8583a58ce8cbd35c69fb3f86de0ddac90f5be8d4f04a3ad4f31293b509959139bea0f3067d0ebfa3c5b210e1993078b0ae929561fc7734869b3dd8d812c00a3035236166a31227ae291e696ab4f81f4e3f02d6b2f334"}}, {0x4, &(0x7f0000007700)=@lang_id={0x4, 0x3, 0x43e}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007780)={{0x12, 0x1, 0x200, 0xff, 
0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f00000079c0)={0x18, &(0x7f0000007800)={0x20, 0x11, 0xb7, {0xb7, 0x9, "72f591ba5c694f16a4d92075ef3ec8bc46920954799ec8d3c0308f3b4779da6e18e9824a86746d013a399afc7f6fceb6c37f7f131c71ebc001f666ea63ed3ade132009735a546622f9e639d481c967cc7b5b747cc5e62fdc41bbb4bb95878a442cc49111c0f57886f17077a1b4b22e3cf28eecb798feed6f168dd9cc2646f8b79ed41bba94de9e304fc845179a7321f04784aa917ba08405b0a95b8303d914ef8e374780dd8e3437c95c35764cd063e7a3ec6d790b"}}, &(0x7f00000078c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x813}}, &(0x7f0000007900)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x18, 0x8, 0x0, 0x3}]}}, &(0x7f0000007940)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7, 0x80, 0x6, 0xe0, "8402487c", "8056a3ff"}}, &(0x7f0000007980)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xa7, 0x2, 0x7d, 0x0, 0x80, 0x7, 0x6}}}, &(0x7f0000007e80)={0x44, &(0x7f0000007a00)={0x40, 0x10, 0x8c, "21b83825059f24506d8e842085d1f2e7f964471b20ed0a8e50a9aa4ef16b5a6f2dbb2b570a4f8d13d60e47bb7821ff912111dee40a78d42b4d13ea812d929ccf3964c5468f89d2d21630ec87067a2d13f45238b446bf57c6b9ec35578fa587fc77fe2108b1590be081681ccc024f1f590be9e5bec9ea86b9803c60299dda1a82f8ff04428671a43bc2c3393a"}, &(0x7f0000007ac0)={0x0, 0xa, 0x1, 0x4}, &(0x7f0000007b00)={0x0, 0x8, 0x1, 0xfb}, &(0x7f0000007b40)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000007b80)={0x20, 0x0, 0x4, {0x140, 0x20}}, &(0x7f0000007bc0)={0x40, 0x7, 0x2, 0x3ff}, &(0x7f0000007c00)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000007c40)={0x40, 0xb, 0x2, "8a02"}, &(0x7f0000007c80)={0x40, 0xf, 0x2, 0x321a}, &(0x7f0000007cc0)={0x40, 0x13, 0x6, @link_local}, &(0x7f0000007d00)={0x40, 0x17, 0x6, @random="b0fe281fa391"}, &(0x7f0000007d40)={0x40, 0x19, 0x2, '#7'}, &(0x7f0000007d80)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000007dc0)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007e00)={0x40, 0x1e, 0x1, 0x6}, &(0x7f0000007e40)={0x40, 0x21, 0x1, 0x9e}}) r23 = syz_usb_connect$cdc_ecm(0x2, 0x5f, 
&(0x7f0000007f00)={{0x12, 0x1, 0x70, 0x2, 0x0, 0x0, 0x50, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4d, 0x1, 0x1, 0x2, 0x70, 0x40, [{{0x9, 0x4, 0x0, 0xc4, 0x3, 0x2, 0x6, 0x0, 0xe1, {{0x8, 0x24, 0x6, 0x0, 0x0, 'W?s'}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x200, 0x0, 0x200, 0x3}, [@ncm={0x6, 0x24, 0x1a, 0x1000}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x3f, 0x0, 0xd8}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0xff, 0xec, 0x5}}, {{0x9, 0x5, 0x3, 0x2, 0x3cf, 0x81, 0x39, 0x5}}}}}]}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f80)={0xa, 0x6, 0x0, 0x2, 0x20, 0x77, 0xff, 0x2f}, 0x5, &(0x7f0000007fc0)={0x5, 0xf, 0x5}, 0x5, [{0x69, &(0x7f0000008000)=@string={0x69, 0x3, "d25a9c8f1452a3c6ffbfeca8eb777935b58c9b7406775086fff717b54f05ac59f94517ff3cd6f3101dbfa79bb82ae31b1d316d08a71d14fc2c1cfa8c893068bde2bb830ae91fc94288cc232aaac0e64b84007b0e7536c3ec34edef04ded93421a377e0695326aa"}}, {0xac, &(0x7f0000008080)=@string={0xac, 0x3, "7360609ce8300ae4623308d5f8b97bfd50d3d863408b8ea401c86da9d42ce5f3867ce8d721fb2ab5c25f6b4c5e85f5eaf341bd514a16c2dfe3c7a1d7f427ae62c0bff379e84d56637ec1377b8c8ad5b55b099cfaa4a7a6eeb0589f81e7a43300eff53354e1b2bdcdc34d7945d63562e48d5ed93bef75fd0160fcd7c3a6be7f0c642bb6e561e35a1c73110bdcded7699865e25eb238cf8f3b10ad3c10488028c37063c8862f907b06829e"}}, {0x4, &(0x7f0000008140)=@lang_id={0x4, 0x3, 0x81a}}, {0x4, &(0x7f0000008180)=@lang_id={0x4, 0x3, 0x180a}}, {0xb9, &(0x7f00000081c0)=@string={0xb9, 0x3, "37efeb854b4051a46c67aee7eaa0f62fde9f599cd5ba25329d50aee16b30c6c1a514831081afc1dfd2682ff48716a91bf95e084212b0696d43e1c6c43adaf9ed3ef70e62735994d2d0865139604988fac17978d9c05a84f3423831dd1dddc6c94d50ddd674f16525bbf9a8db3bb49001be38a19670abd99f4a2e97cfb20d46c637832a3ec97ff094c6a3304964b72bcf116bf27fedd5521ad3da226297fff849c33c5d849e3e3037527901eef63a599baa54fc46a46ff1"}}]}) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ecm(0x3, 0xc5, &(0x7f00000082c0)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xb3, 0x1, 0x1, 0x6, 
0x28, 0xff, [{{0x9, 0x4, 0x0, 0x9, 0x2, 0x2, 0x6, 0x0, 0x4, {{0x6, 0x24, 0x6, 0x0, 0x0, "b1"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9208, 0x2, 0x0, 0x20}, [@mdlm_detail={0x5e, 0x24, 0x13, 0x7, "63b0b95377147ba214d950fc04b22c04be09d9b96f1ab94bb02e8a2a9e23cf7d3acab22a80ed350ec4b17806edcb169e5075373d991780211392eb3d9f1173a539843bf2c3f66a4a6960a55a2207767db3c55a7dd2898b5ccb40"}, @mbim={0xc, 0x24, 0x1b, 0x2a, 0x100, 0xe0, 0x76, 0x0, 0xff}, @acm={0x4, 0x24, 0x2, 0xa}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x73, 0x35, 0x3f}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0x3, 0x1, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x40, 0x2}}}}}]}}]}}, &(0x7f00000087c0)={0xa, &(0x7f00000083c0)={0xa, 0x6, 0x201, 0x79, 0x3, 0x3f, 0x20, 0x6}, 0x37, &(0x7f0000008400)={0x5, 0xf, 0x37, 0x5, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0xa, 0x6, 0x5}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x1, 0x9, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0xa737ee064a5fddc9, 0x7, 0x7, 0x0, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x0, 0x6, 0x6}, @ssp_cap={0x10, 0x10, 0xa, 0x1, 0x1, 0x8001, 0xf00f, 0xfffd, [0x3fc0]}]}, 0x9, [{0x4f, &(0x7f0000008440)=@string={0x4f, 0x3, "c0663b116dab9ba5c0a2f7a2ad486ffc164a4365899565c5e99b015239f378df56db4dc3b0bb08dcd208d958fa3cf08097aa208b2d2865b502cbc94b1a8e33bdd9d6481fbf32d4913422fe189f"}}, {0x85, &(0x7f00000084c0)=@string={0x85, 0x3, "c9c487a90be3d40ef782373d785f86bdfc3db6fb0dd0a7440b2fe4595c3a6bd67aa8518d897a8a757d5f1ceb86e598cabf2345f771c3c7128bd16dd4b1ee9b7dbcaf611e97f6dcb9f171e8f7052b0f33e631bfe99ddc4413e5e5d7b634dcc3b77e4d301f89a8d3b851b02306cabec211127a8e541d162636588ff574de82de8f307d43"}}, {0x4, &(0x7f0000008580)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f00000085c0)=@lang_id={0x4}}, {0xaa, &(0x7f0000008600)=@string={0xaa, 0x3, 
"ce395e8e9f409a37daeb1c20be9ca4004ae810cf1653eccd6e663dd74f8bc06989b4d1a65c9f480bd37e9dd85349f298ddaddc2cc9e4eda147f231402e116fb594a63718d821d885ebd67eda451558b1fba3093ecbd40cbe5fbe07f94ed927d8e5039a7c497aa8d1f10a4ddac049ad820f8c532c5a3f00947955032423922e95aa5bfee041f7fe8744ecc4424057eec97040b341d0dddcaf206da6431e987f04cfd55802cad3a114"}}, {0x4, &(0x7f00000086c0)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000008700)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000008740)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000008780)=@lang_id={0x4, 0x3, 0x1c}}]}) syz_usb_ep_read(r24, 0x8, 0x7d, &(0x7f0000008840)=""/125) r25 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f00000088c0)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x10, 0x56a, 0x62, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0xf0, 0x8e, [{{0x9, 0x4, 0x0, 0x5, 0x1, 0x3, 0x1, 0x2, 0x0, {0x9, 0x21, 0x3, 0xf, 0x1, {0x22, 0xa21}}, {{{0x9, 0x5, 0x81, 0x3, 0x3af, 0x1, 0x40, 0x2}}, [{{0x9, 0x5, 0x2, 0x3, 0x10, 0x6, 0x1, 0x9}}]}}}]}}]}}, &(0x7f0000008c00)={0xa, &(0x7f0000008900)={0xa, 0x6, 0x250, 0x3, 0x1, 0x46, 0xff, 0x20}, 0x34, &(0x7f0000008940)={0x5, 0xf, 0x34, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0xfa, 0x8, 0x80, 0x5, 0x3}, @ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x9, 0xf00f, 0x0, [0xffc00f, 0xff00c0, 0x101ffc0, 0xff0030, 0x30, 0x30]}]}, 0x4, [{0xed, &(0x7f0000008980)=@string={0xed, 0x3, "e7db914ef4a71a3aba443ee181c272e7fbb63648a997754b81a1938f52b9fd8c2b76ca28ee1fcba280021fbe02ffa03ea753f2d51b71f1cb9391ea31faabf8ed37a9853b87eebaa0a1269696e65e309ea4bf7755ff1b99280fd68230d7d899d097e16ee0b224de57339439c80ad7fbf8bbf32aa00e29802bde1c8c5e6228fa0a54c8350ef997112f763e17428fb8e95a56689595f30a3c16151809b0c6b1d4d4766510c6f066fe4b35a3ea90d388d1b4d4e9c6b30971e237e23fd205f9905ee7d79f4443707adc7f65ce2b15994daac7b954353fb23201844122710531879c6291c7dfbf6be454b9cf2f2e"}}, {0x4, &(0x7f0000008a80)=@lang_id={0x4, 0x3, 0x410}}, {0x64, &(0x7f0000008ac0)=@string={0x64, 0x3, 
"041c8b1bd143ea1d63829b769ddb886a6aafeedd5f652bc948677c9a6e3acfe04a1519053f95e5fcf79b085362cdac6abbf8f13781a621885257052b120045da2c494a30bc6ae6c4160cf497002af8b77e21689324bd6e75aceda7cf6a50920b2ab1"}}, {0x87, &(0x7f0000008b40)=@string={0x87, 0x3, "150837b1e69e5007398ac02c4a0b25072daa81a64af10bcdc5736333f49c921f86d9cbc6b778f1d21679d847d5b8a9b70fc56bb5a433040afd94377b2515a55cda70db64442adae0905aa90f911d3beef800ab6fd87a5c51fda8faa750d195c2e657249781c6af0523e0492f9a69e227e10ca0310f1a010f8b986a9a0553a5331f9754fc90"}}]}) syz_usb_ep_write(r25, 0x7, 0x72, &(0x7f0000008c40)="a6908c5530814d6a6bfd6d6c7594d4af8a4962d882da657bb402c7d0ae4535168160dbf67b82f223d577b0e16e6ac3c46a4015a6ed7c4fa65d1dbaa268b748dec46774eca92247969449a9f59e9edde4d37e7bd17882eb005e24fe43f57654000eadec3f1de9917eb28c2a877182c47b556d") syz_usbip_server_init(0x4) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
// Tail of thread_start(); its signature and attribute initialisation sit
// just before this point. Each thread gets a 128 KiB stack.
// pthread_create() is retried up to 100 times, 50 us apart, while it fails
// with EAGAIN. Any other failure, or running out of retries, ends the
// process with exit(1).
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// Mask of bf_len one-bits starting at bit bf_off.
// NOTE(review): the shift is undefined in C once bf_len reaches 64; no user
// of the macro is visible in this excerpt, so confirm the generator never
// emits that width.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bitfield stored at addr: the word is converted with
// htobe, the masked bits are replaced by val, and the result is converted
// back and stored. It is a plain (non-atomic) load and store through a cast
// pointer.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Running 32-bit accumulator shared by the csum_inet_* helpers.
struct csum_inet {
	uint32_t acc;
};

// Resets the accumulator to zero.
static void csum_inet_init(struct csum_inet* csum)
{
	csum->acc = 0;
}

// Adds `length` bytes of `data` to the accumulator as 16-bit words, then
// folds any carry above bit 15 back into the low 16 bits.
// NOTE(review): the words are read through a uint16_t* cast of a byte
// pointer, so the access may be unaligned; `data` and `length` are trusted
// as given.
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
	// The early return also keeps `length - 1` below from wrapping.
	if (length == 0)
		return;
	size_t i = 0;
	for (; i < length - 1; i += 2)
		csum->acc += *(uint16_t*)&data[i];
	// Odd trailing byte is added on its own.
	if (length & 1)
		csum->acc += le16toh((uint16_t)data[length - 1]);
	while (csum->acc > 0xffff)
		csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Returns the bitwise complement of the accumulator, truncated to 16 bits.
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
	return ~csum->acc;
}

// One-shot event built on an int and the futex syscall: 0 = clear, 1 = set.
typedef struct {
	int state;
} event_t;

// Puts the event in the clear state.
static void event_init(event_t* ev)
{
	ev->state = 0;
}

// Clears the event with a plain store (no wake-up is issued).
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Sets the event and wakes waiters. Setting an already-set event is treated
// as a fatal error: the process exits with status 1.
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	// Wake up to 1000000 waiters blocked on the state word.
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Blocks until the event is observed set; there is no timeout.
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Returns the current state (non-zero when set) without blocking.
static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Waits up to `timeout` milliseconds for the event. Returns 1 once the event
// is observed set, 0 once more than `timeout` ms have elapsed. The body
// continues on the following line of the listing.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		// Remaining budget, converted to a timespec for the futex wait.
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, 
// Tail of event_timedwait() (its loop starts on the preceding line): report
// success if the event is now set, otherwise re-read the clock and give up
// once more than `timeout` ms have passed.
		__ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

// Formats a printf-style message and writes it to an existing file.
// Returns true only if the whole formatted string went out in one write().
// The message is truncated to the 1024-byte buffer. The file is opened
// without O_CREAT, so a missing path fails rather than being created.
// errno from a failed write is preserved across close().
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	// A short write is reported as failure; it is not retried.
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// Scratch netlink message: `buf` holds the request (and later the reply),
// `pos` is the write cursor inside `buf`. `nesting`/`nested` are only zeroed
// and checked in this excerpt.
struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

// Starts a new request in `nlmsg`: clears the whole struct, fills in the
// header type and flags (NLM_F_REQUEST | NLM_F_ACK are always set), copies
// `size` bytes of family-specific header after the nlmsghdr and leaves `pos`
// just past it.
// NOTE(review): `size` is not checked against the 4096-byte buffer here.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

// Appends one attribute (header plus `size` payload bytes) at `pos` and
// advances `pos` by the aligned attribute length.
// NOTE(review): nothing here verifies that the attribute fits in `buf`. The
// only bounds check is the `pos` test at the top of netlink_send_ext(),
// which runs after the bytes have already been written, so callers must
// keep the total message under 4096 bytes themselves.
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Sends the assembled request on `sock` and reads one reply datagram back
// into the same buffer. With `dofail` set, transport-level failures end the
// process with exit(1); otherwise they return -1. The reply-type handling
// continues on the following line of the listing.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
	// Abort if the cursor ran past the buffer or a nested attribute is open.
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		if (dofail)
			exit(1);
		return -1;
	}
	// The reply overwrites the request in place; `hdr` now names the reply.
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			exit(1);
		return -1;
	}
	// Reject replies too short to contain a netlink header.
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type == 
// Tail of netlink_send_ext() (the comparison starts on the preceding line).
// NLMSG_DONE counts as success. A reply of the requested type is handed back
// through *reply_len. Anything else must be a full NLMSG_ERROR message; its
// error code is stored in errno and returned negated (0 for a plain ACK).
	NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

// Convenience wrapper: no typed reply expected, and transport failures are
// fatal because dofail is passed as true.
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
	return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

// Resolves a generic-netlink family name to its numeric id with
// CTRL_CMD_GETFAMILY. Returns the id, or -1 on failure (errno is EINVAL when
// the reply carries no family-id attribute).
// NOTE(review): the attribute walk trusts nla_len from the reply. An
// attribute with length 0 would not advance the cursor, and the 16-bit read
// of the id is not checked against the end of the reply.
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	// At most GENL_NAMSIZ bytes of the name are copied into the attribute.
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0) {
		return -1;
	}
	uint16_t id = 0;
	// First attribute sits after the netlink and generic-netlink headers.
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			id = *(uint16_t*)(attr + 1);
			break;
		}
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	// Second recv whose result is discarded; presumably drains the trailing
	// ACK requested via NLM_F_ACK. TODO confirm.
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

// Not referenced in this excerpt; presumably a descriptor number reserved
// for the initial network namespace. TODO confirm.
const int kInitNetNsFd = 239;

// Wi-Fi defaults and mac80211_hwsim command/attribute numbers. Only the
// values themselves are established here; their users are outside this
// excerpt.
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 }
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 }
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 }
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

// Parameters for an IBSS join request; the last member's declaration
// continues on the following line of the listing.
struct join_ibss_props {
	int wiphy_freq;
	bool wiphy_freq_fixed;
	uint8_t* mac;
	uint8_t* ssid;
	int 
// Final member and closing brace of struct join_ibss_props, which opens on
// the preceding line.
	ssid_len;
};

// Brings a network interface up (on != 0) or down (on == 0) through the
// SIOCGIFFLAGS / SIOCSIFFLAGS ioctls. Returns 0 on success and -1 on any
// failure; the helper socket is closed on every path after it was opened.
// NOTE(review): interface_name is copied with an unbounded strcpy() into
// the fixed-size ifr.ifr_name field. The caller must guarantee the name,
// including its terminator, fits in IFNAMSIZ bytes; a bounded copy would
// remove that dependency.
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		return -1;
	}
	memset(&ifr, 0, sizeof(ifr));
	strcpy(ifr.ifr_name, interface_name);
	// Read the current flags so only IFF_UP is changed.
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Sends NL80211_CMD_SET_INTERFACE for `ifindex` with the requested `iftype`
// and returns netlink_send()'s result. netlink_send() passes dofail=true,
// so transport-level failures exit the process instead of returning.
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	int err = netlink_send(nlmsg, sock);
	// Empty branch: the error is only propagated to the caller.
	if (err < 0) {
	}
	return err;
}

// Sends NL80211_CMD_JOIN_IBSS for `ifindex` using the SSID and frequency in
// `props`. The MAC attribute and the fixed-frequency flag are added only
// when set in `props`. Returns netlink_send()'s result.
// NOTE(review): props->ssid_len is passed straight through as the attribute
// length, and props->mac is assumed to point at ETH_ALEN readable bytes;
// neither is validated here.
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	int err = netlink_send(nlmsg, sock);
	// Empty branch: the error is only propagated to the caller.
	if (err < 0) {
	}
	return err;
}

// Queries the operational state of interface `ifindex` over a temporary
// NETLINK_ROUTE socket. Returns the IFLA_OPERSTATE value, or -1 if the
// socket cannot be opened or the attribute is absent. The body continues on
// the following line of the listing.
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return 
// Tail of get_ifla_operstate() (the socket() failure branch starts on the
// preceding line). Sends RTM_GETLINK, then walks the RTM_NEWLINK reply for
// IFLA_OPERSTATE. netlink_send_ext() is called with dofail=true, so
// transport failures exit the process.
// NOTE(review): `n` is the length of the whole reply datagram, but `attr`
// already points past the netlink and ifinfomsg headers, so RTA_OK() is
// given more remaining bytes than actually follow. Confirm this cannot walk
// past the received data.
		-1;
	}
	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	int n;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true);
	close(sock);
	if (err) {
		return -1;
	}
	struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
	for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) {
		if (attr->rta_type == IFLA_OPERSTATE)
			return *((int32_t*)RTA_DATA(attr));
	}
	return -1;
}

// Polls the interface once per millisecond until its operational state
// equals `operstate` (returns 0) or a query fails (returns the negative
// result).
// NOTE(review): there is no timeout, so an interface that never reaches the
// requested state keeps this loop running. The if_nametoindex() result is
// not checked for 0, and the final `return 0` is unreachable.
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate)
{
	int ifindex = if_nametoindex(interface);
	while (true) {
		usleep(1000);
		int ret = get_ifla_operstate(nlmsg, ifindex);
		if (ret < 0)
			return ret;
		if (ret == operstate)
			return 0;
	}
	return 0;
}

// Puts `interface` into ad-hoc mode, brings it up and joins the IBSS
// described by `ibss_props`. Returns 0 on success, -1 as soon as any step
// fails (including an unknown interface name).
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props)
{
	int ifindex = if_nametoindex(interface);
	if (ifindex == 0) {
		return -1;
	}
	int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC);
	if (ret < 0) {
		return -1;
	}
	ret = set_interface_state(interface, 1);
	if (ret < 0) {
		return -1;
	}
	ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Entry sizes and hard-coded byte offsets into the mapped io_uring ring
// region, used by the syz_io_uring_* helpers.
// NOTE(review): presumably these match the ring layout of the kernel this
// program was generated for. With a different layout the helpers would read
// and write the wrong words. TODO confirm.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

// Local 16-byte completion-queue entry layout (see SIZEOF_IO_URING_CQE).
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

// Pops the completion entry at the current CQ head of the ring mapped at
// `a0`. The body continues on the following line of the listing.
// NOTE(review): `a0` is used as a pointer without validation, and the CQ
// tail is never read, so the entry at head is consumed whether or not a
// completion has actually been posted.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	// Index of the entry to read, wrapped by the ring mask.
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = 
*cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) exit(1); int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, 
"%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while 
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
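(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; }

// One caller-supplied string descriptor: length plus pointer to its bytes.
struct vusb_connect_string_descriptor {
    uint32_t len;
    char* str;
} __attribute__((packed));

// Caller-supplied descriptors used while answering the connect-time
// control requests: device qualifier, BOS, and an array of strings.
struct vusb_connect_descriptors {
    uint32_t qual_len;
    char* qual;
    uint32_t bos_len;
    char* bos;
    uint32_t strs_len;
    struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor; the first byte is its own length.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

// Fallback language-ID descriptor; the first byte is its own length.
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// Pick the reply for an IN control request received while the device is
// being connected.
//
// Only standard GET_DESCRIPTOR requests are answered. On success the function
// stores a pointer to the reply bytes in *response_data and their length in
// *response_length and returns true; it returns false when fd has no indexed
// device or the request is not one it knows how to answer.
//
// descs may be NULL: string requests then fall back to the built-in defaults,
// a BOS request is refused, and the device qualifier is synthesized from the
// device descriptor.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
    // Backing storage for a synthesized DEVICE_QUALIFIER descriptor. The
    // descriptor must live in real storage that *response_data can point to;
    // building it in place over the caller's pointer variable (by casting
    // response_data itself) writes more bytes than a pointer holds and leaves
    // *response_data holding descriptor bytes instead of an address.
    // Thread-local so that concurrent callers do not share the buffer.
    static __thread struct usb_qualifier_descriptor qual_storage;

    struct usb_device_index* index = lookup_usb_index(fd);
    uint8_t str_idx;

    if (!index)
        return false;

    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_GET_DESCRIPTOR:
            // The descriptor type is the high byte of wValue.
            switch (ctrl->wValue >> 8) {
            case USB_DT_DEVICE:
                *response_data = (char*)index->dev;
                *response_length = sizeof(*index->dev);
                return true;
            case USB_DT_CONFIG:
                *response_data = (char*)index->config;
                *response_length = index->config_length;
                return true;
            case USB_DT_STRING:
                // The string index is the low byte of wValue.
                str_idx = (uint8_t)ctrl->wValue;
                if (descs && str_idx < descs->strs_len) {
                    *response_data = descs->strs[str_idx].str;
                    *response_length = descs->strs[str_idx].len;
                    return true;
                }
                if (str_idx == 0) {
                    *response_data = (char*)&default_lang_id[0];
                    *response_length = default_lang_id[0];
                    return true;
                }
                *response_data = (char*)&default_string[0];
                *response_length = default_string[0];
                return true;
            case USB_DT_BOS:
                // No caller descriptors means there is no BOS to return;
                // report "no answer" rather than dereferencing NULL.
                if (!descs)
                    return false;
                *response_data = descs->bos;
                *response_length = descs->bos_len;
                return true;
            case USB_DT_DEVICE_QUALIFIER:
                if (!descs || !descs->qual) {
                    // Fill in the qualifier from the device descriptor when
                    // the caller did not provide one.
                    struct usb_qualifier_descriptor* qual = &qual_storage;
                    qual->bLength = sizeof(*qual);
                    qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
                    qual->bcdUSB = index->dev->bcdUSB;
                    qual->bDeviceClass = index->dev->bDeviceClass;
                    qual->bDeviceSubClass = index->dev->bDeviceSubClass;
                    qual->bDeviceProtocol = index->dev->bDeviceProtocol;
                    qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
                    qual->bNumConfigurations = index->dev->bNumConfigurations;
                    qual->bRESERVED = 0;
                    *response_data = (char*)qual;
                    *response_length = sizeof(*qual);
                    return true;
                }
                *response_data = descs->qual;
                *response_length = descs->qual_len;
                return true;
            default:
                break;
            }
            break;
        default:
            break;
        }
        break;
    default:
        break;
    }
    return false;
}

// Handler type for OUT control requests during connect. Returns true when the
// request is accepted and sets *done when the connect sequence is finished.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts only the standard SET_CONFIGURATION request,
// which also ends the connect sequence.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_SET_CONFIGURATION:
            *done = true;
            return true;
        default:
            break;
        }
        break;
    }
    return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: accepts SET_CONFIGURATION and the vendor firmware
// download request without finishing, and finishes the connect sequence on
// the vendor "download complete" request.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_SET_CONFIGURATION:
            return true;
        default:
            break;
        }
        break;
    case USB_TYPE_VENDOR:
        switch (ctrl->bRequest) {
        case ATH9K_FIRMWARE_DOWNLOAD:
            return true;
        case ATH9K_FIRMWARE_DOWNLOAD_COMP:
            *done = true;
            return true;
        default:
            break;
        }
        break;
    }
    return false;
}

// A descriptor reply keyed by request type and descriptor type.
struct vusb_descriptor {
    uint8_t req_type;
    uint8_t desc_type;
    uint32_t len;
    char data[0];
} __attribute__((packed));

// Table of descriptor replies; len is the byte length of the whole table.
struct vusb_descriptors {
    uint32_t len;
    struct vusb_descriptor* generic;
    struct vusb_descriptor* descs[0];
} __attribute__((packed));

// A reply keyed by request type and request code.
struct vusb_response {
    uint8_t type;
    uint8_t req;
    uint32_t len;
    char data[0];
} __attribute__((packed));

struct vusb_responses { uint32_t len; struct vusb_response* generic; struct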
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
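USB_RAW_IOCTL_EVENT_FETCH, event); }

// The helpers below are thin wrappers around the raw-gadget ioctls. Each one
// issues a single ioctl on fd and returns its result unchanged.

// Issue USB_RAW_IOCTL_EP0_WRITE with io as the argument.
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

// Issue USB_RAW_IOCTL_EP0_READ with io as the argument.
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

// Issue USB_RAW_IOCTL_EP_WRITE with io as the argument.
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

// Issue USB_RAW_IOCTL_EP_READ with io as the argument.
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

// Issue USB_RAW_IOCTL_EP_ENABLE for the given endpoint descriptor. Callers in
// this file store a non-negative result as the endpoint handle.
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

// Issue USB_RAW_IOCTL_EP_DISABLE; ep is passed by value as the ioctl argument.
static int usb_raw_ep_disable(int fd, int ep)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

// Issue USB_RAW_IOCTL_CONFIGURE.
static int usb_raw_configure(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

// Issue USB_RAW_IOCTL_VBUS_DRAW; power is passed by value as the argument.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
    return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

// Issue USB_RAW_IOCTL_EP0_STALL.
static int usb_raw_ep0_stall(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Find the indexed interface of the device behind fd that has the given
// interface number and alternate setting. Returns its position in
// index->ifaces, or -1 when the device is unknown or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return -1;

    for (int i = 0; i < index->ifaces_num; i++) {
        if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
            index->ifaces[i].bAlternateSetting == bAlternateSetting)
            return i;
    }
    return -1;
}

// Find the handle of the endpoint with address bEndpointAddress on the
// currently selected interface of the device behind fd. Returns the stored
// handle, or -1 when the device is unknown, no interface is selected, or the
// interface has no endpoint with that address.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return -1;
    // Same validity window for iface_cur that set_interface() applies before
    // it touches ifaces[].
    if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
        return -1;

    struct usb_iface_index* iface = &index->ifaces[index->iface_cur];

    // The scan must be bounded by eps_num. Testing eps_num on its own (with
    // no comparison against ep) never becomes false for an interface that has
    // endpoints, so a miss would keep indexing past the end of eps[].
    for (int ep = 0; ep < iface->eps_num; ep++) {
        if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
            return iface->eps[ep].handle;
    }
    return -1;
}

static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;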
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
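usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; }

// Pseudo-syscall: connect an emulated USB device using the generic OUT
// request handler. a0 = speed, a1 = length of the descriptor blob,
// a2 = descriptor blob, a3 = optional struct vusb_connect_descriptors.
// Returns whatever syz_usb_connect_impl() returns.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    uint64_t speed = a0;
    uint64_t dev_len = a1;
    const char* dev = (const char*)a2;
    const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

    return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// Same as syz_usb_connect(), but with the ath9k OUT request handler.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    uint64_t speed = a0;
    uint64_t dev_len = a1;
    const char* dev = (const char*)a2;
    const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

    return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// Pseudo-syscall: fetch one control event from the raw-gadget fd and answer it.
// a0 = fd, a1 = optional struct vusb_descriptors, a2 = optional
// struct vusb_responses.
//
// IN requests with a non-zero wLength are answered from descs/resps via
// lookup_control_response(); if nothing matches, EP0 is stalled and -1 is
// returned. Every other request is completed with an EP0 read.
// Returns 0 on success, -1 for a non-control event, or the negative result of
// the failing raw-gadget call.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
    int fd = a0;
    const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
    const struct vusb_responses* resps = (const struct vusb_responses*)a2;

    struct usb_raw_control_event event;
    event.inner.type = 0;
    event.inner.length = USB_MAX_PACKET_SIZE;
    int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
    if (rv < 0)
        return rv;
    if (event.inner.type != USB_RAW_EVENT_CONTROL)
        return -1;

    const bool is_in = (event.ctrl.bRequestType & USB_DIR_IN) != 0;
    const bool in_with_data = is_in && event.ctrl.wLength;

    char* response_data = NULL;
    uint32_t response_length = 0;

    if (in_with_data) {
        if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
            usb_raw_ep0_stall(fd);
            return -1;
        }
    } else {
        // Only a *standard* SET_INTERFACE request carries an interface number
        // in wIndex and an alternate setting in wValue, so both conditions
        // must hold. Joining them with "or" would reinterpret the fields of
        // every standard request, and of any request whose code happens to
        // equal USB_REQ_SET_INTERFACE, as an interface switch.
        if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
            event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
            int iface_num = event.ctrl.wIndex;
            int alt_set = event.ctrl.wValue;
            int iface_index = lookup_interface(fd, iface_num, alt_set);
            // An unknown interface/alternate-setting pair is ignored.
            if (iface_index >= 0)
                set_interface(fd, iface_index);
        }
        response_length = event.ctrl.wLength;
    }

    struct usb_raw_ep_io_data response;
    response.inner.ep = 0;
    response.inner.flags = 0;

    // Keep the copy below inside response.data: an oversized length is dropped
    // to zero, and the reply never exceeds what the host asked for.
    if (response_length > sizeof(response.data))
        response_length = 0;
    if (event.ctrl.wLength < response_length)
        response_length = event.ctrl.wLength;
    if (is_in && !event.ctrl.wLength) {
        // A zero-length IN request is completed with an EP0 read below; the
        // full buffer size is offered for it.
        response_length = USB_MAX_PACKET_SIZE;
    }
    response.inner.length = response_length;

    if (response_data)
        memcpy(&response.data[0], response_data, response_length);
    else
        memset(&response.data[0], 0, response_length);

    if (in_with_data)
        rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
    else
        rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
    if (rv < 0)
        return rv;

    sleep_ms(200);
    return 0;
}

static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep =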
ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? 
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { bool dofail = false; int fd = sock_arg; if (fd < 0) { dofail = true; fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 356 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs) { if (nsegs > 
IMAGE_MAX_SEGMENTS)
    nsegs = IMAGE_MAX_SEGMENTS;
  for (size_t i = 0; i < nsegs; i++) {
    if (segs[i].size > IMAGE_MAX_SIZE)
      segs[i].size = IMAGE_MAX_SIZE;
    segs[i].offset %= IMAGE_MAX_SIZE;
    if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
      segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
    // NOTE(review): the image size is grown from offset + offset, not
    // offset + size; that looks unintended -- confirm against the generator.
    if (size < segs[i].offset + segs[i].offset)
      size = segs[i].offset + segs[i].offset;
  }
  if (size > IMAGE_MAX_SIZE)
    size = IMAGE_MAX_SIZE;
  return size;
}

// Builds an in-memory disk image and attaches it to the loop device `loopname`.
// The image is a memfd sized by fs_image_segment_check() and filled from
// `segs`. On success stores both descriptors in *memfd_p / *loopfd_p and
// returns 0. On failure closes what was opened, sets errno and returns -1.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
  int err = 0, loopfd = -1;
  // nsegs is passed by value, so a clamp applied inside the checker does not
  // change the loop bound used below.
  size = fs_image_segment_check(size, nsegs, segs);
  int memfd = syscall(sys_memfd_create, "syzkaller", 0);
  if (memfd == -1) {
    err = errno;
    goto error;
  }
  if (ftruncate(memfd, size)) {
    err = errno;
    goto error_close_memfd;
  }
  for (size_t i = 0; i < nsegs; i++) {
    // Write failures are deliberately ignored (empty branch).
    if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
    }
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    err = errno;
    goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
    if (errno != EBUSY) {
      err = errno;
      goto error_close_loop;
    }
    // Device still bound to an older backing file: detach, wait 1 ms, retry once.
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
      err = errno;
      goto error_close_loop;
    }
  }
  *memfd_p = memfd;
  *loopfd_p = loopfd;
  return 0;
error_close_loop:
  close(loopfd);
error_close_memfd:
  close(memfd);
error:
  errno = err;
  return -1;
}

// Pseudo-syscall: attaches the image to /dev/loop<procid>, enables partition
// scanning, and symlinks each existing partition node /dev/loop<procid>p1..p7
// to ./file0, ./file1, ... in the current directory. The loop device is
// detached again before returning. Returns 0 on success, -1 with errno set
// on failure.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
  struct fs_image_segment* segs = (struct fs_image_segment*)segments;
  int err = 0, res = -1, loopfd = -1, memfd = -1;
  char loopname[64];
  snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
  if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
    return -1;
  struct loop_info64 info;
  if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
    err = errno;
    goto error_clear_loop;
  }
  info.lo_flags |= LO_FLAGS_PARTSCAN;
  if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
    err = errno;
    goto error_clear_loop;
  }
  res = 0;
  for (unsigned long i = 1, j = 0; i < 8; i++) {
    snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
    struct stat statbuf;
    if (stat(loopname, &statbuf) == 0) {
      char linkname[64];
      snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
      // symlink failure is ignored.
      if (symlink(loopname, linkname)) {
      }
    }
  }
error_clear_loop:
  ioctl(loopfd, LOOP_CLR_FD, 0);
  close(loopfd);
  close(memfd);
  errno = err;
  return res;
}

// Pseudo-syscall: mounts filesystem `fsarg` on directory `dir`. When
// `segments` is non-NULL the source is a loop device built from the image
// segments; otherwise the source passed to mount() is NULL. Returns an
// O_DIRECTORY descriptor for the mount point, or -1 with errno set.
// Note: `optsarg` is dereferenced (strlen/strncpy) without a NULL check.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
  struct fs_image_segment* segs = (struct fs_image_segment*)segments;
  int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
    memset(loopname, 0, sizeof(loopname));
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
      return -1;
    source = loopname;
  }
  mkdir(target, 0777);
  char opts[256];
  memset(opts, 0, sizeof(opts));
  // Over-long option strings are not rejected (empty branch); the strncpy
  // below truncates them. The last 32 bytes of opts stay zero, which keeps
  // the copy NUL-terminated and leaves room for the suffixes appended below.
  if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  }
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    // Append errors=continue when errors=panic is requested or
    // errors=remount-ro is absent.
    if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
      strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
    strcat(opts, ",nouuid");
  }
  res = mount(source, target, fs, flags, opts);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  res = open(target, O_RDONLY | O_DIRECTORY);
  if (res == -1) {
    err = errno;
  }
error_clear_loop:
  if (need_loop_device) {
    ioctl(loopfd, LOOP_CLR_FD, 0);
    close(loopfd);
    close(memfd);
  }
  errno = err;
  return res;
}

// Stub in this build: ignores all arguments and returns 0.
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
  return 0;
}

// Mounts fusectl at /sys/fs/fuse/connections; failure is ignored.
static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

static void loop();

// Confinement steps applied inside the sandboxed child: parent-death signal,
// new session, a saved handle to the initial network namespace, resource
// limits, further namespaces and conservative SysV IPC sysctls.
static void sandbox_common()
{
  // Die with SIGKILL if the parent exits.
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setsid();
  // Keep a descriptor for the current network namespace at the fixed number
  // kInitNetNsFd.
  int netns = open("/proc/self/ns/net", O_RDONLY);
  if (netns == -1)
    exit(1);
  if (dup2(netns, kInitNetNsFd) < 0)
    exit(1);
  close(netns);
  // Resource limits: 200 MiB address space, 32 MiB locked memory, 136 MiB
  // file size, 1 MiB stack, no core dumps, 256 open files. setrlimit results
  // are not checked.
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  // Namespace isolation is best effort: every failure below is ignored, so
  // a kernel lacking one of these leaves that isolation layer absent.
  if (unshare(CLONE_NEWNS)) {
  }
  // Make all mounts private so changes do not propagate out of this
  // mount namespace.
  if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  // 0x02000000 is the value of CLONE_NEWCGROUP in linux/sched.h.
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  // write_file results are not checked here.
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

// Reaps children until `pid` itself is reaped and returns its exit status.
// Exits the process if `pid` is negative (the preceding clone failed).
static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the calling process. Only cap_data[0] is modified.
// Exits on capget/capset failure.
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

// uid/gid of the launching process, captured before clone() and used for the
// user-namespace id maps.
static int real_uid;
static int real_gid;
// Stack for the cloned sandbox process: 1 MiB, aligned to 64 KiB.
__attribute__((aligned(64 << 10))) static char sandbox_stack[1 << 20];

// Entry point of the cloned sandbox process. Maps the real uid/gid to 0
// inside the new user namespace, enters a new network namespace, assembles a
// minimal root under ./syz-tmp/newroot (dev, proc, selinux, sys), switches
// into it with pivot_root + chroot, drops two capabilities and runs loop().
// Any setup failure exits with status 1.
static int namespace_sandbox_proc(void* arg)
{
  sandbox_common();
  // "deny" is written to setgroups before gid_map; the result of this write
  // is not checked.
  write_file("/proc/self/setgroups", "deny");
  if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid))
    exit(1);
  if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid))
    exit(1);
  if (unshare(CLONE_NEWNET))
    exit(1);
  if (mkdir("./syz-tmp", 0777))
    exit(1);
  if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
    exit(1);
  if (mkdir("./syz-tmp/newroot", 0777))
    exit(1);
  if (mkdir("./syz-tmp/newroot/dev", 0700))
    exit(1);
  unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
  // The host /dev is bind-mounted recursively into the new root, so device
  // nodes remain reachable from inside the sandbox.
  if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
    exit(1);
  if (mkdir("./syz-tmp/newroot/proc", 0700))
    exit(1);
  if (mount(NULL, "./syz-tmp/newroot/proc", "proc", 0, NULL))
    exit(1);
  if (mkdir("./syz-tmp/newroot/selinux", 0700))
    exit(1);
  const char* selinux_path = "./syz-tmp/newroot/selinux";
  // Try /selinux first, then /sys/fs/selinux; a missing source (ENOENT) is
  // tolerated in both cases.
  if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
    if (errno != ENOENT)
      exit(1);
    if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
      exit(1);
  }
  if (mkdir("./syz-tmp/newroot/sys", 0700))
    exit(1);
  if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
    exit(1);
  if (mkdir("./syz-tmp/pivot", 0777))
    exit(1);
  if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
    // pivot_root failed: fall back to chdir + the chroot below only.
    if (chdir("./syz-tmp"))
      exit(1);
  } else {
    if (chdir("/"))
      exit(1);
    // Detach the old root so it is no longer reachable via ./pivot.
    if (umount2("./pivot", MNT_DETACH))
      exit(1);
  }
  if (chroot("./newroot"))
    exit(1);
  if (chdir("/"))
    exit(1);
  drop_caps();
  loop();
  exit(1);
}

// Starts the sandbox process in new user and PID namespaces and waits for it.
// Returns the child's exit status.
static int do_sandbox_namespace(void)
{
  setup_common();
  real_uid = getuid();
  real_gid = getgid();
  // Make the lowest 4096 bytes of the stack inaccessible (guard region).
  mprotect(sandbox_stack, 4096, PROT_NONE);
  // Initial stack pointer is 64 bytes below the end of the buffer.
  int pid = clone(namespace_sandbox_proc, &sandbox_stack[sizeof(sandbox_stack) - 64], CLONE_NEWUSER | CLONE_NEWPID, 0);
  return wait_for_loop(pid);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes `dir`, coping with state the test program may have left
// behind: stacked mounts (lazy-unmounted until umount2 fails), files whose
// inode flags block unlink (flags cleared via FS_IOC_SETFLAGS on EPERM), and
// read-only filesystems (entry is skipped). Exits the process when the
// directory cannot be cleaned up.
static void remove_dir(const char* dir)
{
  int iter = 0;
  DIR* dp = 0;
retry:
  while (umount2(dir, MNT_DETACH) == 0) {
  }
  dp = opendir(dir);
  if (dp == NULL) {
    // Both paths exit; the EMFILE branch makes no difference in this build.
    if (errno == EMFILE) {
      exit(1);
    }
    exit(1);
  }
  struct dirent* ep = 0;
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    while (umount2(filename, MNT_DETACH) == 0) {
    }
    struct stat st;
    // lstat, not stat: symlinks are never followed when deciding to recurse.
    if (lstat(filename, &st))
      exit(1);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    int i;
    for (i = 0;; i++) {
      if (unlink(filename) == 0)
        break;
      if (errno == EPERM) {
        int fd = open(filename, O_RDONLY);
        if (fd != -1) {
          // Clear all inode flags, then retry the unlink.
          long flags = 0;
          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
          }
          close(fd);
          continue;
        }
      }
      if (errno == EROFS) {
        break;
      }
      if (errno != EBUSY || i > 100)
        exit(1);
      if (umount2(filename, MNT_DETACH))
        exit(1);
    }
  }
  closedir(dp);
  for (int i = 0;; i++) {
    if (rmdir(dir) == 0)
      break;
    if (i < 100) {
      if (errno == EPERM) {
        int fd = open(dir, O_RDONLY);
        if (fd != -1) {
          long flags = 0;
          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
          }
          close(fd);
          continue;
        }
      }
      if (errno == EROFS) {
        break;
      }
      if (errno == EBUSY) {
        if (umount2(dir, MNT_DETACH))
          exit(1);
        continue;
      }
      if (errno == ENOTEMPTY) {
        // New entries appeared meanwhile: rescan the directory, at most
        // 100 times.
        if (iter < 100) {
          iter++;
          goto retry;
        }
      }
    }
    exit(1);
  }
}

// Writes `nth` to /proc/thread-self/fail-nth and returns the descriptor,
// which is left open; closing it is up to the caller. Exits if the file
// cannot be opened or written.
static int inject_fault(int nth)
{
  int fd;
  fd = open("/proc/thread-self/fail-nth", O_RDWR);
  if (fd == -1)
    exit(1);
  char buf[16];
  sprintf(buf, "%d", nth);
  if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
    exit(1);
  return fd;
}

// Kills the test process and its process group, then reaps it. After about
// 100 ms of polling without success it writes to the abort file of every
// FUSE connection and then waits without a timeout.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      // Local buffer named `abort`; it shadows the libc function in this scope.
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // One byte is written, taken from the start of the path buffer.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Detaches any backing file from /dev/loop<procid>; a failed open is ignored.
static void reset_loop()
{
  char buf[64];
  snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
  int loopfd = open(buf, O_RDWR);
  if (loopfd != -1) {
    ioctl(loopfd, LOOP_CLR_FD, 0);
    close(loopfd);
  }
}

// Per-test setup in the forked child: die with the parent, own process group
// (so kill(-pid) reaches descendants), and the maximum oom_score_adj value.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

// Writes the fault-injection debugfs settings listed below. Only the failslab
// entry is fatal when the write fails.
static void setup_fault()
{
  static struct {
    const char* file;
    const char* val;
    bool fatal;
  } files[] = {
      {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
      {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
  };
  unsigned i;
  for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
    if (!write_file(files[i].file, files[i].val)) {
      if (files[i].fatal)
        exit(1);
    }
  }
}

// Smallest read buffer syz_fuse_handle_req accepts.
#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes as declared by this program.
enum fuse_opcode {
  FUSE_LOOKUP = 1,
  FUSE_FORGET = 2,
  FUSE_GETATTR = 3,
  FUSE_SETATTR = 4,
  FUSE_READLINK = 5,
  FUSE_SYMLINK = 6,
  FUSE_MKNOD = 8,
  FUSE_MKDIR = 9,
  FUSE_UNLINK = 10,
  FUSE_RMDIR = 11,
  FUSE_RENAME = 12,
  FUSE_LINK = 13,
  FUSE_OPEN = 14,
  FUSE_READ = 15,
  FUSE_WRITE = 16,
  FUSE_STATFS = 17,
  FUSE_RELEASE = 18,
  FUSE_FSYNC = 20,
  FUSE_SETXATTR = 21,
  FUSE_GETXATTR = 22,
  FUSE_LISTXATTR = 23,
  FUSE_REMOVEXATTR = 24,
  FUSE_FLUSH = 25,
  FUSE_INIT = 26,
  FUSE_OPENDIR = 27,
  FUSE_READDIR = 28,
  FUSE_RELEASEDIR = 29,
  FUSE_FSYNCDIR = 30,
  FUSE_GETLK = 31,
  FUSE_SETLK = 32,
  FUSE_SETLKW = 33,
  FUSE_ACCESS = 34,
  FUSE_CREATE = 35,
  FUSE_INTERRUPT = 36,
  FUSE_BMAP = 37,
  FUSE_DESTROY = 38,
  FUSE_IOCTL = 39,
  FUSE_POLL = 40,
  FUSE_NOTIFY_REPLY = 41,
  FUSE_BATCH_FORGET = 42,
  FUSE_FALLOCATE = 43,
  FUSE_READDIRPLUS = 44,
  FUSE_RENAME2 = 45,
  FUSE_LSEEK = 46,
  FUSE_COPY_FILE_RANGE = 47,
  FUSE_SETUPMAPPING = 48,
  FUSE_REMOVEMAPPING = 49,
  CUSE_INIT = 4096,
  CUSE_INIT_BSWAP_RESERVED = 1048576,
  FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header at the start of every request read from the FUSE descriptor.
struct fuse_in_header {
  uint32_t len;
  uint32_t opcode;
  uint64_t unique;
  uint64_t nodeid;
  uint32_t uid;
  uint32_t gid;
  uint32_t pid;
  uint32_t padding;
};

// Header at the start of every response written back.
struct fuse_out_header {
  uint32_t len;
  uint32_t error;
  uint64_t unique;
};

// Caller-prepared responses, one slot per response kind; syz_fuse_handle_req
// picks a slot by request opcode. A NULL slot makes the send fail.
struct syz_fuse_req_out {
  struct fuse_out_header* init;
  struct fuse_out_header* lseek;
  struct fuse_out_header* bmap;
  struct fuse_out_header* poll;
  struct fuse_out_header* getxattr;
  struct fuse_out_header* lk;
  struct fuse_out_header* statfs;
  struct fuse_out_header* write;
  struct fuse_out_header* read;
  struct fuse_out_header* open;
  struct fuse_out_header* attr;
  struct fuse_out_header* entry;
  struct fuse_out_header* dirent;
  struct fuse_out_header* direntplus;
  struct fuse_out_header* create_open;
  struct fuse_out_header* ioctl;
};

// Copies the request id into the response and writes out_hdr->len bytes from
// out_hdr to fd. The length comes from the prepared response and is not
// bounded here. Returns 0 on success, -1 on a NULL response or write error.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
  if (!out_hdr) {
    return -1;
  }
  out_hdr->unique = in_hdr->unique;
  if (write(fd, out_hdr, out_hdr->len) == -1) {
    return -1;
  }
  return 0;
}

// Pseudo-syscall: reads one request from FUSE descriptor a0 into buffer a1
// (length a2) and answers it with the matching prepared response from a3.
// Returns 0 on success or for the forget opcodes (which get no reply), and
// -1 on a NULL a3, a short buffer, a read error, a truncated request or an
// unhandled opcode.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
  struct fuse_out_header* out_hdr = NULL;
  char* buf = (char*)a1;
  int buf_len = (int)a2;
  int fd = (int)a0;
  if (!req_out) {
    return -1;
  }
  if (buf_len < FUSE_MIN_READ_BUFFER) {
    return -1;
  }
  int ret = read(fd, buf, buf_len);
  if (ret == -1) {
    return -1;
  }
  // The header is only interpreted once a full fuse_in_header was read and
  // its len field does not exceed the bytes actually received.
  if ((size_t)ret < sizeof(struct fuse_in_header)) {
    return -1;
  }
  const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
  if (in_hdr->len > (uint32_t)ret) {
    return -1;
  }
  switch (in_hdr->opcode) {
  case FUSE_GETATTR:
  case FUSE_SETATTR:
    out_hdr = req_out->attr;
    break;
  case FUSE_LOOKUP:
  case FUSE_SYMLINK:
  case FUSE_LINK:
  case FUSE_MKNOD:
  case FUSE_MKDIR:
    out_hdr = req_out->entry;
    break;
  case FUSE_OPEN:
  case FUSE_OPENDIR:
    out_hdr = req_out->open;
    break;
  case FUSE_STATFS:
    out_hdr = req_out->statfs;
    break;
  case FUSE_RMDIR:
  case FUSE_RENAME:
  case FUSE_RENAME2:
  case FUSE_FALLOCATE:
  case FUSE_SETXATTR:
  case FUSE_REMOVEXATTR:
  case FUSE_FSYNCDIR:
  case FUSE_FSYNC:
  case FUSE_SETLKW:
  case FUSE_SETLK:
  case FUSE_ACCESS:
  case FUSE_FLUSH:
  case FUSE_RELEASE:
  case FUSE_RELEASEDIR:
  case FUSE_UNLINK:
  case FUSE_DESTROY:
    // These opcodes reuse the init slot, with len overwritten to the bare
    // header size (this modifies the caller's init response in place).
    out_hdr = req_out->init;
    if (!out_hdr) {
      return -1;
    }
    out_hdr->len = sizeof(struct fuse_out_header);
    break;
  case FUSE_READ:
    out_hdr = req_out->read;
    break;
  case FUSE_READDIR:
    out_hdr = req_out->dirent;
    break;
  case FUSE_READDIRPLUS:
    out_hdr = req_out->direntplus;
    break;
  case FUSE_INIT:
    out_hdr = req_out->init;
    break;
  case FUSE_LSEEK:
    out_hdr = req_out->lseek;
    break;
  case FUSE_GETLK:
    out_hdr = req_out->lk;
    break;
  case FUSE_BMAP:
    out_hdr = req_out->bmap;
    break;
  case FUSE_POLL:
    out_hdr = req_out->poll;
    break;
  case FUSE_GETXATTR:
  case FUSE_LISTXATTR:
    out_hdr = req_out->getxattr;
    break;
  case FUSE_WRITE:
  case FUSE_COPY_FILE_RANGE:
    out_hdr = req_out->write;
    break;
  case FUSE_FORGET:
  case FUSE_BATCH_FORGET:
    return 0;
  case FUSE_CREATE:
    out_hdr = req_out->create_open;
    break;
  case FUSE_IOCTL:
    out_hdr = req_out->ioctl;
    break;
  default:
    return -1;
  }
  return fuse_send_response(fd, in_hdr, out_hdr);
}

#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
// Upper bound on the frame length accepted by syz_80211_inject_frame.
#define WIFI_MAX_INJECT_LEN 2048

// Sends a HWSIM_CMD_REGISTER generic-netlink message on `sock`.
// Returns the result of netlink_send().
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = HWSIM_CMD_REGISTER;
  netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
  int err = netlink_send(nlmsg, sock);
  if (err < 0) {
  }
  return err;
}

// Sends a HWSIM_CMD_FRAME message carrying `len` bytes of `data` addressed to
// receiver `mac_addr`, with the default rx rate and signal values.
// Returns the result of netlink_send().
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
  struct genlmsghdr genlhdr;
  uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
  uint32_t signal = WIFI_DEFAULT_SIGNAL;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = HWSIM_CMD_FRAME;
  netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
  netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
  netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
  netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
  int err = netlink_send(nlmsg, sock);
  if (err < 0) {
  }
  return err;
}

// Pseudo-syscall: delivers the frame at a1 (length a2) to the simulated radio
// with MAC a0 through the MAC80211_HWSIM netlink family. The length is
// range-checked against WIFI_MAX_INJECT_LEN before any socket is opened.
// Returns 0 on success, -1 otherwise.
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
  uint8_t* mac_addr = (uint8_t*)a0;
  uint8_t* buf = (uint8_t*)a1;
  int buf_len = (int)a2;
  struct nlmsg tmp_msg;
  if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
    return -1;
  }
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock < 0) {
    return -1;
  }
  // NOTE(review): the family id is used without a check here; how
  // netlink_query_family_id reports failure is not visible in this excerpt.
  int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
  int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
  if (ret < 0) {
    close(sock);
    return -1;
  }
  ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
  close(sock);
  if (ret < 0) {
    return -1;
  }
  return 0;
}

#define WIFI_MAX_SSID_LEN 32
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Pseudo-syscall: makes interface a0 join an IBSS with SSID a1 (length a2)
// using join mode a3 (one of the WIFI_JOIN_IBSS_* values). SSID length and
// mode are range-checked first. In NO_SCAN mode it also waits for the
// interface to reach IF_OPER_UP. Returns 0 on success, -1 otherwise.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  char* interface = (char*)a0;
  uint8_t* ssid = (uint8_t*)a1;
  int ssid_len = (int)a2;
  int mode = (int)a3;
  struct nlmsg tmp_msg;
  uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
  if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
    return -1;
  }
  if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
    return -1;
  }
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock < 0) {
    return -1;
  }
  int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
  struct join_ibss_props ibss_props = {
      .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
      .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
      .mac = bssid,
      .ssid = ssid,
      .ssid_len = ssid_len};
  int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
  close(sock);
  if (ret < 0) {
    return -1;
  }
  if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
    ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
    if (ret < 0) {
      return -1;
    }
  }
  return 0;
}

// Pseudo-syscall: calls the address in `text` as a function taking no
// arguments. Nothing here validates what is mapped at that address, so this
// is only appropriate inside a disposable test environment.
static long syz_execute_func(volatile long text)
{
  ((void (*)(void))(text))();
  return 0;
}

// One worker thread: `call` is the index to execute, `ready` is set to hand
// work to the thread and `done` is set by the thread when the call returned.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing in worker threads.
static int running;

// Worker thread body: waits for `ready`, executes the assigned call,
// decrements `running` and signals `done`; never returns.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Runs calls 0..52 in order. Each call is handed to the first idle worker
// (created on first use) and given a per-call timeout; a call that does not
// finish in time keeps its thread busy and the next call moves on to another
// thread. Afterwards waits up to 100 ms for outstanding calls.
static void execute_one(void)
{
  int i, call, thread;
  for (call = 0; call < 53; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      // Base timeout of 50 plus a per-call extra for the listed call indices.
      event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 38 ? 50 : 0) + (call == 43 ? 3000 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 300 : 0) + (call == 46 ? 3000 : 0) + (call == 47 ? 300 : 0) + (call == 48 ? 3000 : 0) + (call == 49 ? 300 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 300 : 0));
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Main repeat loop: each iteration creates a fresh working directory ./<iter>,
// resets the loop device, forks a child that runs the program once, and
// force-kills the child if it has not exited after 5000 ms. The working
// directory is removed after every iteration. Never returns.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    char cwdbuf[32];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);
    reset_loop();
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      if (chdir(cwdbuf))
        exit(1);
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
    remove_dir(cwdbuf);
  }
}

// Fallback syscall numbers, used only when the system headers do not define
// them.
#ifndef __NR_dup
#define __NR_dup 41
#endif
#ifndef __NR_fcntl
#define __NR_fcntl 55
#endif
#ifndef __NR_getgid
#define __NR_getgid 47
#endif
#ifndef __NR_getresuid
#define __NR_getresuid 165
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_lstat
#define __NR_lstat 107
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_read
#define __NR_read 3
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_statx
#define __NR_statx 383
#endif
// mmap is always redirected to mmap2 in this build.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots shared between calls: values produced by one call (file
// descriptors, ids) that later calls consume.
uint64_t r[26] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    *(uint32_t*)0x20000000 = -1;
    inject_fault(1);
    res = syscall(__NR_ioctl, -1, 0x89e2, 0x20000000);
    if (res != -1)
      r[0] = *(uint32_t*)0x20000000;
    break;
  case 1:
    *(uint32_t*)0x20000040 = 0;
    *(uint32_t*)0x20000044 = 0xe6;
    memcpy((void*)0x20000048,
"\xf1\x37\x16\x1a\xb8\x6c\x59\x42\x02\xb9\x97\xd9\xf1\x2d\x00\x70\x21\x87\x03\x22\xc8\xd9\x09\x74\x84\x09\x95\x1a\xe9\x80\x0c\x1e\x20\x7f\x98\xb7\x69\xc7\x40\xf8\x67\xea\x14\xbb\xf8\x66\x6a\x4f\x98\xd2\x29\xaa\xaf\xbc\x33\xc6\xc5\x21\x68\xdb\x89\x33\xc4\xa4\xa4\xa3\xdd\x3c\xe0\xcc\xea\x96\xe7\x1d\x81\xff\x4a\xca\x83\x31\xcb\x01\xbf\x35\x43\x38\x53\xd1\xab\xd4\x8f\xd6\xd0\xce\x13\x14\xdf\x65\x07\xba\xe5\x35\xa2\xb4\xe3\xea\xa7\x4c\x5d\x23\x00\x65\x94\x14\x8a\x0f\xe5\xb4\xa8\x84\xef\x8f\x41\x34\x6e\x49\xcc\x90\x47\x4c\xb1\x7b\xac\x30\x1d\x47\x97\xed\x05\xdf\xc6\xcc\xb7\x4b\xeb\xaa\xbe\x54\x91\x72\xd6\x22\xa3\x06\x05\xa4\xe4\x9f\xd3\xf8\x53\x7d\xe5\x27\x2c\x33\xad\x4f\x07\xcd\x06\x05\x77\xbc\xe6\x5e\x5c\x80\xa3\x41\x68\xcd\xe6\x81\x17\xe4\xf9\x00\xe3\x5a\x3d\x88\x8e\x02\xee\x11\x17\x52\x21\x3b\x40\xd2\xaf\x25\x8c\x01\xf3\x6d\xe5\x0c\xe8\xe8\x3d\x42\x26\xa3\x0d\x6a\x4c\xc4\x3a\x88\x3f\x6c\x20\xe3\xfa\xda\x8a\xd2", 230); *(uint32_t*)0x20000140 = 0xee; res = syscall(__NR_getsockopt, -1, 0x84, 0x1a, 0x20000040, 0x20000140); if (res != -1) r[1] = *(uint32_t*)0x20000040; break; case 2: *(uint32_t*)0x20000180 = r[1]; *(uint16_t*)0x20000184 = 0xa; *(uint16_t*)0x20000186 = htobe16(0x4e22); *(uint32_t*)0x20000188 = htobe32(3); *(uint8_t*)0x2000018c = 0xfc; *(uint8_t*)0x2000018d = 2; memset((void*)0x2000018e, 0, 13); *(uint8_t*)0x2000019b = 0; *(uint32_t*)0x2000019c = 1; *(uint64_t*)0x20000204 = 0x7fffffff; *(uint64_t*)0x2000020c = 1; *(uint64_t*)0x20000214 = 0x7fff; *(uint64_t*)0x2000021c = 4; *(uint64_t*)0x20000224 = 7; *(uint64_t*)0x2000022c = 1; *(uint64_t*)0x20000234 = 0x3ff; *(uint64_t*)0x2000023c = 0x40; *(uint64_t*)0x20000244 = 5; *(uint64_t*)0x2000024c = 1; *(uint64_t*)0x20000254 = 0; *(uint64_t*)0x2000025c = 7; *(uint64_t*)0x20000264 = 0; *(uint64_t*)0x2000026c = 8; *(uint64_t*)0x20000274 = 0x1f; *(uint32_t*)0x20000280 = 0xfc; res = syscall(__NR_getsockopt, (intptr_t)r[0], 0x84, 0x70, 0x20000180, 0x20000280); if (res != -1) r[2] = *(uint32_t*)0x20000180; break; case 3: 
*(uint32_t*)0x200002c0 = r[2]; *(uint16_t*)0x200002c4 = 0xa; *(uint16_t*)0x200002c6 = htobe16(0x4e20); *(uint32_t*)0x200002c8 = htobe32(9); *(uint8_t*)0x200002cc = 0xfc; *(uint8_t*)0x200002cd = 2; memset((void*)0x200002ce, 0, 13); *(uint8_t*)0x200002db = 1; *(uint32_t*)0x200002dc = 3; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 6, 0x200002c0, 0x84); break; case 4: memcpy((void*)0x20000380, "/dev/pktcdvd/control\000", 21); res = syscall(__NR_openat, 0xffffff9c, 0x20000380, 0, 0); if (res != -1) r[3] = res; break; case 5: syscall(__NR_ioctl, (intptr_t)r[3], 0x7c80, 0); break; case 6: *(uint32_t*)0x200003c0 = r[1]; *(uint16_t*)0x200003c4 = 0xa; *(uint16_t*)0x200003c6 = htobe16(0x4e23); *(uint32_t*)0x200003c8 = htobe32(0x7f); *(uint8_t*)0x200003cc = 0xfc; *(uint8_t*)0x200003cd = 0; memset((void*)0x200003ce, 0, 13); *(uint8_t*)0x200003db = 0; *(uint32_t*)0x200003dc = 5; *(uint16_t*)0x20000444 = 5; *(uint16_t*)0x20000446 = 0x476f; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 0x1f, 0x200003c0, 0x88); break; case 7: *(uint32_t*)0x20000500 = 1; *(uint32_t*)0x20000504 = 2; *(uint64_t*)0x20000508 = 0x20000480; *(uint32_t*)0x20000480 = 0; *(uint64_t*)0x20000510 = 0x200004c0; *(uint32_t*)0x20000518 = 4; *(uint32_t*)0x2000051c = 8; res = syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000500); if (res != -1) r[4] = *(uint32_t*)0x200004c0; break; case 8: *(uint32_t*)0x200005c0 = 0x8a; *(uint32_t*)0x200005c4 = 7; *(uint64_t*)0x200005c8 = 0x20000540; *(uint32_t*)0x20000540 = r[4]; *(uint32_t*)0x20000544 = 0x400; *(uint64_t*)0x20000548 = 0; *(uint64_t*)0x200005d0 = 0x20000580; *(uint32_t*)0x200005d8 = 0x10; *(uint32_t*)0x200005dc = 0xc; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x200005c0); break; case 9: *(uint32_t*)0x20000680 = 0x83; *(uint32_t*)0x20000684 = 2; *(uint64_t*)0x20000688 = 0x20000600; *(uint32_t*)0x20000600 = r[4]; *(uint64_t*)0x20000690 = 0x20000640; *(uint32_t*)0x20000698 = 4; *(uint32_t*)0x2000069c = 4; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 
0x20000680); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 0x240, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); memset((void*)0x20000044, 255, 6); *(uint8_t*)0x2000004a = 8; *(uint8_t*)0x2000004b = 2; *(uint8_t*)0x2000004c = 0x11; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; memcpy((void*)0x20000050, "\x20\x15\xd2\x29\x78\x5b", 6); STORE_BY_BITMASK(uint16_t, , 0x20000056, 8, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0, 4, 12); *(uint16_t*)0x20000058 = 0x27; *(uint8_t*)0x2000005a = 0x8c; *(uint8_t*)0x2000005b = 0x18; *(uint16_t*)0x2000005c = 0xc93; memcpy((void*)0x2000005e, "\xff\xe3\x24\x0f\x04\x84", 6); memcpy((void*)0x20000064, "\x06\x7e\xcc\x39\xa7\x8a\x3e\xa4\x7c\x22\x24\x6d\x39\x1b\x92\xc4", 16); syz_80211_inject_frame(0x20000000, 0x20000040, 0x34); break; case 11: memcpy((void*)0x20000080, "wlan1\000", 6); memset((void*)0x200000c0, 1, 6); syz_80211_join_ibss(0x20000080, 0x200000c0, 6, 2); break; case 12: memcpy((void*)0x20000100, "bpf_lsm_xfrm_policy_alloc_security\000", 35); syz_btf_id_by_name(0x20000100); break; case 13: memcpy((void*)0x20000340, 
"\xc4\xc1\x7d\x6f\x70\x72\xc4\xe1\xf9\x11\x2f\xc4\xe3\xc9\x5d\x33\xab\xc4\xc2\x79\x0e\xb0\x00\x00\x00\x00\xc4\xe1\x7a\x12\xb7\x0c\x00\x00\x00\x0f\x01\x56\xe9\xc4\xe1\x0d\xd5\x5e\x0c\xf3\x0f\x52\x6b\x00\x0f\x7e\x20\xc4\xc1\x79\xe7\x02", 58); syz_execute_func(0x20000340); break; case 14: res = syscall(__NR_dup, -1); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_fcntl, -1, 9, 0); if (res != -1) r[6] = res; break; case 16: memcpy((void*)0x200026c0, "./file0\000", 8); res = syscall(__NR_lstat, 0x200026c0, 0x20002700); if (res != -1) r[7] = *(uint32_t*)0x20002710; break; case 17: res = syscall(__NR_getresuid, 0x20002800, 0x20002840, 0x20002880); if (res != -1) { r[8] = *(uint32_t*)0x20002800; r[9] = *(uint32_t*)0x20002880; } break; case 18: res = syscall(__NR_read, -1, 0x20002ac0, 0x2020); if (res != -1) r[10] = *(uint32_t*)0x20002ad0; break; case 19: memcpy((void*)0x20004b00, "./file0\000", 8); res = syscall(__NR_statx, -1, 0x20004b00, 0x2000, 0x20, 0x20004b40); if (res != -1) r[11] = *(uint32_t*)0x20004b58; break; case 20: *(uint32_t*)0x20004e00 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004d00, 0x20004e00); if (res != -1) r[12] = *(uint32_t*)0x20004d34; break; case 21: res = syscall(__NR_getgid); if (res != -1) r[13] = res; break; case 22: memcpy((void*)0x200003c0, 
"\x23\x58\x10\x53\x7c\x7f\x88\x6c\xa9\x17\x21\x04\x5f\xf7\xba\xdf\xae\x44\x29\xb2\x52\xcd\x65\x81\x72\xc1\xd0\xd4\x18\xed\x70\x05\x74\x39\xfc\x22\xff\xc7\x7b\x29\x08\x5c\x94\x88\xff\x93\x40\xf8\xa2\xad\xe9\x9b\xf9\xaf\x14\xa3\x57\x25\x7b\x8a\xa6\x9b\x4b\x8e\xff\xe7\xaf\xd6\x87\x6b\x3b\x51\x2b\x86\xfa\x1d\xff\x55\x5c\x6d\xc6\x18\x62\x66\xc9\x1f\xa2\x81\xc9\xdc\x72\xee\x17\xea\xd0\xe2\xa3\xfe\x9f\xf0\x3e\x7c\x32\xd2\x7e\x26\x7f\x5b\xe0\xfd\x6d\x1f\x9e\xfc\x02\xaf\x7f\xe9\xd6\x8d\x75\x55\x19\x20\x1d\xea\x7a\xbe\x68\x10\x53\xab\x98\xf7\x3f\xc0\xc6\xa0\x68\x4e\x91\xb7\x41\xc8\xc9\x45\x1f\x94\x59\xb5\x98\xee\x6f\x4e\xc0\xc9\x1f\x3e\x91\x7a\xf1\xe6\x64\x6f\x3c\x54\xf8\xfa\xf0\x48\x7d\x8e\xcc\xf0\x87\xe2\x8f\x87\x68\xf4\x8a\xe1\x5d\x09\x89\x04\xb3\x25\x42\x85\x70\x2e\x30\x8a\x93\x7d\x5e\x23\xa2\xae\xf3\xc2\x53\x12\x51\x6c\x50\x2d\x5e\x02\x33\x06\x52\x29\xee\x4a\x70\xdb\xc4\x14\x60\x4b\x7f\x05\x5e\xb7\xa2\x72\x48\x03\xe8\x5e\x5b\x4c\xd0\x5a\xf7\x11\xed\x73\x0f\xce\xb8\x1b\xca\xe1\x7a\x49\x67\xaa\x6c\xcf\xf3\xc0\xf4\x96\x6b\x7f\xf3\xd1\x5f\x09\x3e\x94\xeb\x0a\x46\xb7\x0c\x0f\xa5\xb8\x62\x8c\xac\x3c\x31\x01\x9b\xba\x60\x02\x41\x6f\xc6\x66\x1d\x85\x8f\xff\x16\xa9\x62\x15\xb1\xd1\x8a\x87\x7d\x9a\x53\x4a\xc4\x02\x56\xa3\x55\x79\x31\xad\xe2\x7f\x58\x7c\xce\x26\xa2\x0c\x01\x3d\xc6\x7f\x2e\x92\x2a\x52\x68\x9a\xae\xfa\x1b\x06\x4d\x03\xf8\xf6\xa3\x9f\x96\xb0\xde\x1d\x21\x39\x4c\xb6\xc2\x30\x10\xeb\x9e\x4a\x79\x41\x47\x35\xed\x99\x65\x42\x5f\x8a\x01\x00\x84\x96\xdb\xad\x04\x97\xfa\x0d\x65\xac\xec\x59\xff\xa6\xa2\x80\xbc\x58\xe2\xd8\x87\xa1\x0e\x96\x65\xea\xeb\x97\x43\x6e\xbd\xeb\x2b\x58\xa9\xae\x40\xe4\x49\x27\x32\x46\xfd\x99\x67\x53\x9f\x21\x2e\xd8\x96\x9b\x6f\x9a\x49\xd6\x5b\xca\xd2\xdd\x9d\x8e\xe4\x2e\x32\x05\x74\x11\x17\xe4\x31\xd4\x43\xff\x3e\x94\xc4\x7e\x7f\xd6\x27\xd3\x05\x11\xd5\xfb\xce\xc6\xa7\x58\x38\x3d\x31\x36\x7a\xca\x8e\x3a\xf7\x72\xa1\x02\x11\x05\xab\x2c\x1b\x4a\xa7\x61\x4d\xea\x8c\xfa\x4b\x06\xf5\x3a\xf3\x73\x77\x98\x62\xc9\xbd\xb7\x6e\xf9\x3c\x74\x61\x8e\xee\x73\x47\xa
0\x74\xd4\xf7\x1a\x98\x23\x3b\x24\xb2\xa2\x57\x29\xc9\xa1\x98\x3d\x81\x9c\x3f\x42\xd3\x28\xd0\x8f\x0d\x4d\xd1\x64\x2f\x61\xb6\x2a\x89\xfc\x30\x0f\x50\x66\xd8\xe4\x57\xf5\xfd\x49\xda\xa7\x9e\x1b\x1d\x43\xd2\x6f\x89\xf2\xca\x99\x04\x50\xe8\x60\xbc\xc4\x7d\x5c\xf4\x77\x8c\x37\xc4\x51\xed\x22\xd6\x0f\xe2\xbc\xfa\x2c\xaf\xf7\x5c\x41\x70\x99\x0a\x2e\x8e\x21\x87\x19\x7f\x86\x38\xb0\x67\x85\x4c\xcf\x9d\xbe\x91\x58\x6d\xd4\x23\x41\x40\x1c\x4f\xb4\xf3\x13\x30\x66\x8a\xcb\x51\x6e\xba\x22\x27\xcb\xca\x4c\x8f\xa2\xf3\x9a\x03\x52\x1b\xd8\x03\x2f\x5e\x1a\xed\xf4\x9c\x50\xe6\x01\xb9\xfa\xd4\xe0\xd6\xf5\xb5\x93\x2e\xa2\x14\xfd\x50\x84\x85\x70\x3d\x08\x45\x79\x8d\x43\xbd\xbf\xf9\x63\x86\x77\xe6\xa9\x96\xef\xbb\xd1\x93\x6e\x97\x28\x20\x62\x70\x9f\x77\x8b\x45\x5c\xb4\xd2\x00\x13\xf5\xfe\x4c\x9b\xba\x0f\x7c\xfc\x18\x02\xe8\x18\x0f\xb6\xd4\x6f\x51\x76\xd1\xbd\xbb\x43\xd9\x60\xd4\x94\xf3\xa3\x0e\xd7\xab\x4d\xb0\x7d\xe5\xad\x92\x4b\x57\x97\xb5\x09\xf9\x60\x83\xf4\xad\xa9\xfc\xeb\xed\xe1\xeb\x0f\xb0\xdf\xa2\xcd\xc2\x14\x4b\x15\xcf\x4c\x28\x0f\x87\xd1\x18\x7e\x80\x8e\x37\xcd\xef\x53\x75\x52\xe3\x83\xf4\x6c\xcf\xe8\x62\x15\xb2\x07\x15\x39\x85\xe6\xb1\x31\x96\x22\x1f\xde\xa6\xc9\x47\x86\x4d\x12\x14\x7d\x7b\x01\xef\xc3\xdf\x14\x4e\x2c\xaa\x24\xd1\xa4\x78\x2a\x51\xa8\x23\x5c\x4c\x0e\xad\xf0\x44\x0c\x8e\x43\x4a\x4d\x07\x2b\xe5\x84\x55\x47\x17\x5f\x37\xc5\x5f\xdd\xd5\xe7\x84\x95\xac\xe4\x34\xc4\x83\xf2\x8b\xb3\x48\x7a\xd8\xd6\x8b\xd7\x43\x77\xfd\x82\xe1\x7b\xaf\xeb\x06\x2b\x81\xc6\x8e\x8a\x63\x89\xc8\xd8\x10\x79\xe4\xc9\xfa\xa2\xa8\xfc\xf1\x24\x15\xcc\x21\xeb\xcd\x92\xde\x80\x88\x45\x50\x59\x4c\xa6\x4b\x56\xb0\xb4\x24\xa6\x5f\x80\xca\xb1\x64\xb2\xf6\xf2\xf3\x3c\x7a\xea\xa8\xb6\x60\x2e\x71\x83\xb9\xd0\xae\x15\x3a\x17\x03\xb3\x03\x67\x5a\xae\x13\x3b\x3d\xd9\xc6\x46\x67\x7f\x6d\x8a\x49\x2d\xa0\x99\xef\xb4\xa7\xe4\xde\xe3\x92\x81\x8a\x15\xd6\xbf\x9e\xfb\x07\xee\xad\x5b\x40\xac\x25\xbb\x0f\x00\x92\xf4\xb0\xec\xaf\x0a\xc3\x39\x1b\x3e\xcf\xd0\x63\x5e\xc4\x96\xb8\xb6\x6d\x7a\x45\x1c\x6d\x10\x37\x9c\x15\x2
9\x1c\x4f\x36\x82\xf0\x5f\xb7\x39\x44\xcd\x1b\xe0\xf0\xfa\x85\x54\x35\x8b\x30\xde\xb7\x38\x69\x31\xae\x95\xeb\x2a\x16\xfa\xed\x24\x5f\xfc\xad\xb3\x94\xac\xdf\x06\x38\xa6\x26\x27\x82\x33\x01\x93\x66\xe2\xec\xd9\xdb\x1a\x4b\x5a\xe2\x7f\xf8\x3d\x7b\x57\x1c\xd7\xff\xc1\x51\xdc\x4d\x0c\xef\x1d\x03\x00\xc9\x8a\x41\x69\x77\x51\x85\x1f\x8e\x05\x24\x9c\xae\x19\x96\x3f\x81\x25\x89\xa7\xd6\x4c\xfa\xb8\x46\x43\x9f\x47\x13\x43\xba\x5e\xff\xac\x9a\x57\xf7\x6d\x0a\xbf\xb9\x5e\x87\x8b\xee\x4c\x94\x24\xf0\xca\x17\x18\x19\x5e\xff\x14\x06\x0a\xcf\xb3\xe0\xdf\x4c\xbc\x56\x0b\xc2\xbe\x9a\xb4\xf0\xa0\xbd\x68\x6f\xe2\x13\xd4\x49\x47\x17\x0e\x68\xe7\x3b\xaa\xdd\x98\x2c\xe2\xd1\x70\xa5\x0d\x1e\xca\x02\x40\xcd\x3c\xec\xe9\xf7\x4d\xa3\xa1\xc1\x47\x6f\xf1\x1f\xa3\x34\xd7\x2c\x18\x50\x6b\x5c\x00\xa4\x41\xea\x2e\x9c\x72\xc7\x6b\x38\x50\x37\xf8\x6c\xa5\x94\xaa\xad\xe9\x87\xa7\x9b\xbd\x3e\x3c\x40\xd0\x00\x7a\x7f\xf8\x52\x99\x05\xb9\x4c\x54\x61\x65\x62\x92\x95\x0b\x41\xc8\x34\x43\xdc\x84\xd6\xfd\xf5\x2e\x44\x97\xed\x68\x04\x98\x1a\xf1\x33\x85\x64\x92\x00\xd8\x93\x09\x3b\xf2\xea\x82\x25\xb3\x89\xc4\xdf\xd2\xe8\x15\xb3\xbd\xf9\xd7\x08\x4d\x29\x00\x9e\xae\x4e\x88\x22\xa5\xb6\xa5\x2a\xa7\x6a\xfd\x95\x1d\x04\xaf\xa8\xe1\x28\x63\x96\xa8\x34\xdc\xf8\xc6\xb5\x7c\xc4\xef\xbc\x0c\x16\x77\x9d\x53\xf0\xbc\xd7\x40\x43\xc0\x6e\xce\xbe\x59\x32\x8d\xcc\xa8\xbb\x61\x05\xaf\x23\x56\x59\x06\xe5\x46\x6c\x73\x11\xb1\xaa\xc6\x76\x2e\x4b\x62\x60\x36\xfe\x31\xd3\xe7\xb0\xfa\x2e\x65\x8c\xa9\x35\x10\x78\xee\xca\x7b\x46\x7e\x11\x8e\x9b\x88\x95\x9d\xe1\xf4\x18\x69\x40\x5a\x83\xbd\xc6\xce\x98\x0c\x72\x9f\x7e\x2a\x46\x0f\xa9\xbe\xe1\x61\xe5\x4d\x27\x1a\x87\x4b\xb4\xd0\xa2\x2c\xd1\xa4\x37\x6d\xe3\x6b\x58\x68\xca\x0e\x10\x93\x3e\x5f\xe2\xf7\x38\x5c\x1a\xf6\x2b\x86\xf8\xe5\xc3\x12\x66\x26\xb8\xbc\x6d\x56\x8f\x62\x1d\xa3\x23\x70\x7e\xa3\x32\xd7\x65\x44\x39\xfb\xa4\x67\x1d\x0c\xae\xb7\xef\x94\xe2\x5a\x82\x86\xbd\x9a\x19\xa2\x9e\x49\x32\xc7\xdb\x9b\x82\x34\x7d\xa5\x24\x92\xb3\x81\x4a\x44\xb9\x2f\x61\x55\x9c\x22\x65\x4c\x8b\x30\x1a\x8
d\xfe\x9d\xae\xae\x0c\xad\xe9\x46\xc0\x66\x6e\x94\xc4\xa6\x35\x3b\xb0\xeb\x21\x37\xd3\x68\x53\xad\x4f\x7a\x20\xa5\x08\x1e\x63\xaf\xee\xce\x20\x3f\xa6\xee\xea\x7f\x62\x9d\x00\x1d\xab\xaf\x5b\x1a\x3c\x67\x61\x51\x7b\xc9\x9a\x8e\x63\xf6\x6c\x01\x88\x49\x27\xb4\xbc\x40\xbc\x34\x19\x0c\x9e\x55\x3c\x69\x0f\xbc\x64\x44\xdd\x8b\xba\x65\x68\x74\xfa\x80\x46\x31\xb5\x6d\x24\x54\x1a\x9b\xd6\xfb\x77\xdb\x49\x03\x76\x9f\x9d\x04\x44\xd0\x8a\x21\xff\x59\xd9\x49\x65\x9d\x80\xb1\x40\x2d\x91\x9a\xc0\xfb\x83\x80\xed\x91\x15\xb6\x69\x3c\x19\x5f\x8f\x1a\x90\xa3\xa4\x22\x35\xd8\xea\x78\x2e\xda\x2b\xf1\x94\xd3\x2f\xbc\xc5\x63\x27\x1a\xfd\xa7\x3d\x70\x96\xa2\xe9\xe4\x67\x54\x1e\x76\x67\xc2\x67\xc5\x95\xe1\x23\x37\x29\x75\x26\x77\x68\xb8\xd1\x6c\xb6\x13\x0e\xae\xbf\x69\x8b\xe7\x6e\xef\xab\xbe\xac\xd5\x9f\x63\x1c\xc1\x04\xf0\x42\x26\x3e\x3e\x29\x62\x59\x79\x69\x72\x1a\x6c\x02\x2a\xba\x14\x11\x2e\x2f\x38\x02\xba\x63\x53\x91\xcd\x1f\x94\x32\x35\x25\xc8\x16\xef\xa9\xe8\x65\x52\x39\x9e\x79\x66\x5f\xf5\x54\xf5\x86\x75\x4f\x72\xd5\x3a\x0d\x94\x75\xc6\x55\x94\x8b\xd1\x3e\xc9\x3d\xd8\xcc\x43\xe5\xb8\x13\xeb\xfe\xa4\xab\xcd\x78\x0e\xed\xb6\x82\xac\x4f\x66\xe1\x68\x47\xf7\x82\x1f\xdc\x40\xda\x07\x3f\x7f\xc5\x9f\xe5\x7c\xa6\xad\x5f\x4d\xdd\x8a\x41\xe8\xaa\xdf\x3e\x21\x78\xcf\x42\x95\xc8\x59\x99\xe2\xc2\xd8\x24\xa0\x8e\xbb\x9a\x9b\x09\xe2\xef\xbf\x9b\x8d\x03\x73\x09\x1e\xa6\x1e\xc6\xaf\x17\xdf\x1e\x71\xac\xeb\x40\x3a\x41\xd3\xba\xfe\xfc\x56\xdc\xff\x18\x60\x23\xe9\xf2\x89\xe6\x1b\x74\x69\x04\xb3\xce\x34\x86\x9b\x53\x27\xc9\x24\xa2\x73\x36\xb2\x16\xd2\x20\x6e\xeb\xa9\xb1\xdf\xdc\xe0\x22\xe3\xa1\x3a\x26\x17\x38\x7f\xb3\xff\x5a\x1d\x0f\x38\xfb\xb9\x06\x3b\xcb\x69\xb5\xe3\x3e\xe4\x57\xef\xe0\x51\xdf\x45\x34\x62\xb7\x18\xd7\xd5\xe7\x80\x31\x04\x71\xa7\x3d\x99\xe2\xeb\x1e\x23\x23\x6c\x74\xb9\x37\x7c\x3e\x0e\xbb\x93\xea\x7a\x6a\x7b\x32\x2c\x42\x59\x10\x20\x9f\x89\x18\x41\xd6\x5c\xb8\xdb\x3b\x2b\x0d\x51\xd2\x7c\xde\x0c\xa1\x85\xbd\x3b\xf1\xf4\x02\xff\x10\xfc\x61\x1b\x93\xfa\x6f\x94\xeb\xf6\x07\x9a\xc6\xd5\xf3\x0
f\xf8\x66\xa4\xdb\xf3\x07\x29\xfc\x3c\xd0\x03\xed\x9e\xee\x6e\x1c\x92\x31\x9a\x8c\x62\x69\xe1\xa7\xdb\xa0\x49\x1d\x27\xb3\x26\x38\x8b\xc3\x2d\x58\xbf\x68\x5e\xc4\x29\xa8\xca\x7a\x12\xb6\x60\x18\x23\x08\x71\x0b\x5a\xa6\x1d\xce\x0a\x14\x3f\xad\x3b\xbc\x1a\x81\xa8\xf8\x14\xee\x37\xb4\x34\xc7\xd7\x29\x33\x1c\xe7\xf7\x2d\xdf\x31\xdc\xa7\x19\xbd\xfa\x04\xc0\x3a\xec\xeb\x4c\x64\x0c\x1c\xdd\xd0\xf0\x11\x37\xbd\x6e\x2f\x7a\xef\xb5\x1b\x02\x10\xb8\xcd\xb2\xcc\xb0\xf5\xd7\x45\x8d\x05\x71\x92\x76\x75\xf1\xbe\xdb\x36\xd0\xbf\x30\xac\x68\xdb\x43\x8f\xfb\xa7\x4a\xca\x62\x37\x25\xf2\x75\x22\x70\x1b\xb6\xc5\xca\x41\x4d\x23\x91\xcd\x53\x3a\x82\xc0\x66\x72\x4c\x6d\x3f\xd6\x8f\xe4\x2a\x83\x4d\xcc\xf5\xbf\x70\x34\x74\x29\xad\x8e\x38\x22\x15\xf7\x2f\xad\x93\x6e\xf9\x49\xbf\x64\xda\xd1\x25\x77\xea\xd0\xdc\x6c\xf2\x71\xbe\x7c\xa8\xe0\xba\xab\xb4\x39\x7f\xf0\x63\xf3\xae\x8e\x74\x12\x10\xc6\xa3\xab\x3b\x44\x2b\xa8\xfb\x16\xf2\x28\xc5\xda\xfe\xb1\xb4\x40\x82\x7d\xef\xbc\x48\xf5\xcb\xce\xb2\x74\x07\x55\xc9\x85\xd0\x60\xe8\x2c\x86\xc7\x32\xbb\xd5\x60\x88\x35\x91\xa1\xac\x05\x82\x99\xf1\x7f\x2e\x2a\x12\x85\x60\x28\x0b\xa0\x89\xe8\x4c\x34\x65\x45\x2a\x65\x07\xa6\x3f\x88\x49\x44\xa8\x3a\x21\xd2\x6c\x8e\x49\x8f\xf5\xdb\xd4\x89\xc6\x9c\xa7\x85\x32\x49\x01\x8e\x9d\x03\x52\x0b\x23\xf4\x7b\x29\x7b\x85\x26\x32\x2b\x1f\x6b\xd5\x4d\x06\x0c\xce\xa3\x01\xcc\x8a\x3a\x15\xda\x2d\x39\xb6\x4e\xa4\xdd\xb0\x3c\x7b\x6c\xba\x60\x5e\x8d\xd4\x86\xd1\x2d\x8f\x0c\x6c\xd9\xfb\x47\x81\x61\x12\xba\xa0\xa7\xae\x0e\xba\x4f\x0f\x89\xb2\x14\x32\x03\xa1\x19\xa6\xbb\x85\x45\xc1\xba\x66\x78\x84\x95\xf4\xe7\xda\xd9\x6d\xf8\x11\x9b\x1c\x11\xd7\xff\xb0\x71\x07\xc0\xc0\x35\xa8\x06\x97\xa8\xed\x78\x0d\x9c\x55\x61\x92\x93\x85\x08\x5f\x0a\xa7\xbc\x74\x8f\x2b\x5e\x23\x4e\x21\x0c\xe7\x77\x22\xc5\x4e\x80\xb8\x86\xc0\xd6\x14\x65\x8f\xfa\x23\x40\x8c\xac\xa9\xcf\x01\x38\x69\xef\x66\x29\xf8\x46\x16\x40\xda\xea\x86\x9a\xd4\xc3\x65\x53\x0d\xe5\x27\x81\x5c\xaf\xee\x31\x4f\x8c\xa7\xb9\x87\x95\x22\xc4\x26\x29\xe3\xe7\x12\x96\xe5\xf6\x0a\x84\xdb\x3
9\xd5\xc9\x00\x00\x16\xea\x33\xf4\x81\xd8\x0c\xcb\x80\xf0\x85\xd5\xed\x3f\x70\x0b\xad\xc3\xb4\xb7\xd8\x0d\xd8\xa7\x78\xf0\x38\x17\xa1\x0d\x67\x89\x2d\x36\x87\x0a\x98\xbd\xc7\x0c\xfd\xa4\x83\x4c\x78\x15\x42\x1f\xc9\x72\x74\x01\xbd\x4f\x81\x11\xbb\xba\x76\x86\x02\x4b\x42\x72\xf5\xa6\x8a\x66\x51\x94\xaf\xc4\xf1\xa9\xf8\x57\xaf\x27\x0e\x30\x22\xc1\x8d\xfc\x18\xf6\x7b\x39\x77\xe6\x41\xc6\x25\x8f\x00\xc1\x43\x0e\xa7\x95\x78\xf4\xdc\x82\xa0\xba\xb5\x21\x40\xdf\x4b\xe0\xad\xb3\x29\x19\x5a\x29\x7d\xf0\xbe\x6e\x12\x34\x97\x70\xb4\x47\x7a\x44\x65\xa8\x14\x39\xf2\x2b\x6b\xdc\x67\x7a\xb8\x6d\x4e\xdb\xbd\xfc\x7d\xb3\xcf\x06\xd4\xa9\x4d\x33\xc6\xc1\x1f\xa1\x63\xfe\xfb\x1a\x87\xa9\xb5\x2c\x1c\xc4\x09\xeb\xed\xe7\x26\x3c\x88\x97\x5e\xdb\x23\x7f\xa0\x1b\x58\x3f\x79\xfc\x7a\x4f\x8e\x8a\xc8\x9a\xf7\x93\x08\xd9\x9b\x47\x3c\xf3\x3f\x33\x44\xa4\xe5\x52\x3f\x3e\x35\xd3\x88\xd1\x8e\xe1\x18\x5c\xaa\x19\x18\xd2\x3a\xae\x41\x93\xae\xdf\xe1\x25\x04\x2e\x16\xd5\x71\x86\x52\x61\xdd\x63\xbf\x0c\x9d\xd8\x48\x5f\xa6\x4e\x24\x10\xa2\x6a\x43\x6c\x83\xc9\xe3\x45\x56\xf3\x7c\x1d\x69\xd2\xfd\x57\x42\x78\xc4\xb2\xc8\xba\xf3\x83\x4e\xe2\xe0\xf3\x64\xb5\x4c\x36\x78\x0f\x28\xa8\xeb\xe5\x6e\x1d\x9e\x1c\xbd\xfd\x77\x3c\xe8\xaa\xcd\xef\xda\x09\xf4\x0d\xff\xd8\x47\xaa\xdf\x67\xc4\x44\x71\x00\x8c\xee\x07\x76\xfb\x06\x89\x54\x30\x8f\x16\x20\x3d\x01\x7b\x29\x0c\xd1\xad\x9e\x4c\xdc\x49\xf3\x26\x35\x28\x07\x56\x0d\xdd\xa4\x90\xc0\x5c\x6d\x5e\x04\xf1\x94\x00\x83\xaa\xba\x83\xe0\x29\x37\x0f\xd7\x6e\x77\x57\xc7\x3c\x05\x43\xdd\xff\x26\xc3\xa3\x07\x62\xe2\xc9\xc5\x56\xaa\x28\x2c\x7f\x46\xf3\xdd\x8e\x20\x01\x68\x05\x3a\x03\x17\x4c\x56\x69\xdc\x43\x90\x0a\x39\x41\x7c\x9d\xff\x8e\xd3\xf1\x0e\xb0\x7c\x47\x0a\x52\x2e\xc8\x20\x71\x2f\xf8\x82\x59\xcf\x7f\x5e\xe5\x2c\xf4\xee\x69\x0b\xca\xbd\x88\x76\x3f\x66\x32\x9f\x37\x25\xa4\x36\xca\x19\x38\xd4\xda\x48\xde\xdf\xfe\xa8\x2d\xc5\x4a\x2a\x0a\x5c\xfb\x64\xc3\xe2\x78\xf4\x1b\x93\x3c\xef\xeb\x02\xf9\x82\x53\x2e\x98\x67\x72\x41\xd7\xec\x2f\x8d\x14\x27\xda\x17\x11\x91\x9d\x67\x2e\x95\x1
b\x6d\x1c\xd8\xf2\xc0\x20\x3f\xed\xd5\x21\xf7\x5a\x22\x9d\x99\x67\x13\x35\x81\x36\xd8\xb4\xeb\x79\x71\x34\xfe\xc8\x74\xe3\xd3\x8a\x01\xcb\x82\xa8\x7c\x8c\x21\x1e\x64\x29\xef\xe6\x77\x17\x3a\xab\x0a\x0f\xb9\xf5\x58\xf4\xb0\x6f\x77\x05\xbc\xd1\x77\xec\x1d\xd8\x0d\x04\x45\xb5\x44\x8e\x7d\xc2\x94\x53\x8a\xae\xcc\x59\x61\x0d\xbe\x6f\x2b\x3b\x16\xb2\x75\xc1\x8d\x33\xa7\x8f\x0c\x1d\xcb\xb0\x7e\x13\x76\x28\xb6\x22\xf8\x85\xae\xe8\x0b\x82\x68\x4c\xdd\x5f\xde\x5a\x29\xaa\xdf\x63\xd8\x5e\x95\x15\x96\x49\xad\xce\x0f\x9e\x57\xb5\x3b\x82\xc7\x5b\x87\xa1\x27\x47\xef\x0f\x84\xbe\x50\x69\x3c\xca\xe7\x98\xe3\x8a\xaf\x05\x06\x66\x16\x3e\x6b\xed\x48\xf5\xf1\xba\xf4\x9a\xde\xa2\x12\x23\xbf\xb0\x89\x19\x98\x98\xdc\xd2\xe9\x1b\x70\x8b\xd6\x2b\x61\xf1\x38\xcc\x48\xbe\xd8\x8b\x77\x2d\x14\xbc\xc5\x39\x68\xaa\x32\xfa\x3f\x11\x45\x84\x75\x2d\xb5\x32\x78\xb2\x5f\x36\x7d\x52\xc2\x07\xec\x54\x59\x66\x83\x82\xaa\xc7\xeb\xfd\xf3\xa2\x07\x5c\xef\x67\x9b\xd7\x7e\xc1\x7a\x11\x43\xde\x08\x47\x20\x08\x54\x86\x68\x5a\xc8\x69\x73\x3b\xc0\x7d\x74\x24\x6f\xbf\x8a\xbb\x36\x62\xbe\x75\x0d\xdd\xd3\xb1\x3e\xcb\x2d\x91\x35\xf5\xc6\x8d\x1f\xdd\xe5\x49\xd9\xc2\x09\x1d\x96\xaa\x35\xf8\x43\x36\xb4\x21\x51\x31\xf3\x64\x76\xec\x84\x8d\x53\x3d\x7d\xca\x1e\x0a\xa4\x1e\xef\xb8\x80\x60\x52\xa8\xcd\xd5\x38\xb7\x55\x70\x7f\x93\xe0\x48\xd7\x71\x50\x5b\x88\x90\xd8\xf6\x80\xb8\x80\xcc\xb8\xee\x29\x49\xe3\x5a\x63\xee\x48\xe7\xb4\x67\x12\x8b\x65\xff\xe6\x06\xce\xd2\x8a\x3b\xc3\x17\x2b\xd0\x9f\x2b\x58\xef\x63\x22\xa3\xfa\x31\xe0\xfa\xb3\x7a\x3a\xfe\x72\x9a\xd4\x3d\x5c\xd0\x2b\x42\xbe\x4d\x8e\x60\x2b\x99\x51\x6d\xbd\xbd\x81\x2e\x1b\xec\xae\xba\x14\xb2\xb2\xbf\xaf\x05\x55\x90\x02\x51\xe3\x1d\x83\x97\x98\x14\x1b\x32\xab\xdc\x55\x8b\x3b\xf3\x0e\xdc\x11\x45\xf5\x41\x79\x85\x07\xda\x32\x9c\x5a\xcc\x1f\xf5\x6d\x4f\xd5\xf6\xe1\x8c\x02\x08\x12\x22\xc6\x98\xb3\xd0\xf2\xb1\x95\x39\xa7\xc2\xc9\x1f\x78\xb1\xbe\x76\x48\x19\x91\xe2\x41\xd2\xae\x88\x9d\x4c\xb1\x33\xf9\x0f\x77\xd9\x22\xd9\x84\xb5\xa5\xd1\xb2\xaa\x03\x8f\xb0\x01\xf0\xba\xc8\x8c\x1
4\xa3\x6f\x62\x29\x6a\xb3\x24\xd5\x2b\x57\x54\xd4\xe8\x42\x88\x9d\xa6\x54\x14\x3b\x4b\xd7\x19\xf0\x82\xcb\xcf\xa2\xec\x90\x31\xb9\xb4\xb8\xbb\x8e\xf4\x6b\xc3\xff\xa5\x2d\x35\x38\x5b\xf2\x7e\x3c\xcd\x86\x10\x84\x81\xff\x66\x40\xe8\xb0\xe3\x09\xd2\x8b\x14\x94\x20\xf9\x5e\xb9\xaf\xa0\xf6\xe1\x88\xb7\x00\x5f\x42\x12\x25\x38\x5b\xde\xa3\x82\x5a\xd5\xfb\xfc\x6d\x9f\x29\x97\x47\x6b\xc3\x6e\x5d\xfe\x4b\x68\x6d\x1a\x2d\x40\x25\x16\xd4\xee\xe9\x90\xe1\xea\x6a\x23\x48\x38\x10\x3f\x42\xd7\x05\xab\xf3\x78\x35\x67\x3c\xa7\x86\x75\xb5\x35\x4c\x2a\x99\x13\x0e\x2b\x7a\x64\xee\x26\xa2\xad\x6c\x1c\xd2\xde\x64\xed\x59\x12\xeb\x77\x08\xdb\x3a\xfb\xb4\xa6\x83\x10\x9b\x10\x57\x29\x8f\x35\x6e\x4c\xf4\xfa\xb2\x00\xca\xf7\x40\x3c\x71\x9a\xa8\x1a\xb0\x1d\x3d\x7f\x91\x55\x07\x3f\x56\x49\x5e\x51\x16\x19\x6e\x9a\x9d\xe8\x2f\x10\xa5\xc0\x8d\xfb\x2f\x91\x54\x94\xdf\x7a\x07\x00\xef\xb7\x22\xd3\x41\x6a\x5d\x32\xbc\x02\x29\x71\x11\x65\x08\x47\xde\xe6\x76\xd2\x68\x77\x2d\xec\x41\x3d\xa3\xa1\x32\x09\x89\xc1\xbe\x0d\x5c\x9c\x1b\x6f\xc4\xf7\x0f\xbd\xad\x88\x8a\xbb\x0b\xe8\xf1\x16\xf0\xd7\xa6\xf3\xab\xaf\x63\x6b\xb6\xb6\x92\x22\xda\xf4\xcc\xbd\x6d\x07\x29\x3d\xef\x59\xcd\x5e\xc9\x08\x45\x4d\x07\x94\x95\xf2\x7b\xfa\xf9\xe4\x5f\xb2\xc9\x99\x64\xe6\xb2\xfb\xa0\x3a\xf0\x38\x2d\x5b\x60\xad\xeb\xbb\x28\xfb\x8f\x8f\x8e\xfd\xd8\xda\x65\xea\xc2\x93\x77\xcf\x07\xc6\x2e\x1b\xf1\x0f\x61\xfa\x91\x2e\x62\x71\xf2\xcb\x95\x09\xa7\x63\x1b\x7a\xbe\xc3\x39\x6b\xeb\xce\x10\xbc\x79\xe2\xc4\x99\x56\xd1\x27\xf9\xd0\x1b\x73\x58\x45\x40\xcb\x6c\x0b\x52\xa7\x09\xe3\xaf\x1d\x00\xc8\x4f\x6d\x22\xfb\x19\x5d\xd8\x82\x3a\xa3\x36\xaf\xea\x89\x8e\xd8\x7a\xda\x2b\x22\xd1\xb8\xec\x50\x8c\xf6\x98\x6e\x93\x45\x92\x65\xed\x7c\x25\x87\x32\xc2\x91\xca\x41\xe7\x87\x6f\x1b\x43\x8b\x17\xd3\x6c\x24\xa0\x2f\x20\x0f\xee\xee\x18\xac\xe8\xdc\x4a\xad\x51\xa4\x2b\xb9\x81\x5d\x82\xc2\xa9\xa3\x7f\x77\x5c\xd6\x12\xe0\x84\x22\x69\x42\xea\x0d\xc6\xf5\xd8\x92\x33\x49\xbb\xbe\xdc\x2a\x45\xcf\xcf\xdd\xed\xa2\xd5\x2d\x14\xf2\xff\x83\x29\xaa\xc0\x1d\x2e\xc3\xc3\x7
f\x23\xc5\xc9\x0d\x02\x62\x80\x23\x8c\xe0\x9e\x00\xec\xa9\xf6\xc3\x0b\xda\xa5\xdc\x91\xf4\x34\x2f\x8a\xf6\xa3\xec\x13\x39\xc4\x7d\xca\xe8\xf9\x36\x0c\x32\x50\x2b\xfa\x86\xe1\xff\xc5\x82\xd5\x88\x8f\x29\xca\xc3\x9e\xf9\x0a\x31\x50\x11\x1f\x66\x11\x99\xfa\xf7\xe2\x41\x3b\x57\xbb\x9a\x72\xaa\xa2\xd5\xfa\xe3\x2b\x46\x28\x84\xa9\x28\xd8\x3c\xea\x60\x55\x70\x25\xc5\xde\x01\x80\x44\x34\x5f\xb0\x83\xde\xf4\x9b\xc3\x83\x31\x98\x94\xda\xd2\x8b\x53\x39\xcb\xad\xb6\x03\x8d\xc8\x47\x9f\x7e\x4b\x2f\x01\xc1\xce\xd3\xff\x85\x42\x05\xbe\x93\x88\x48\x85\xb1\x29\x87\x8b\xdb\xb1\x8c\xaa\x68\xc3\x09\x40\x71\x9a\x40\x8a\x03\xfc\x61\xeb\xea\x87\xd9\xd3\xef\x21\x62\x59\x45\x89\x65\x44\x75\xc2\xc3\x7e\xaa\x87\x37\x33\x8a\xcc\x18\xb3\x41\xa3\x51\xec\x39\xaa\x94\xcb\xa1\x71\x09\x6f\xd7\xfb\x83\x2e\x30\x31\xf4\xd8\x2f\xf2\x32\x8a\xa1\x89\x62\x3c\xd9\x3f\xce\x6f\x45\x25\xc2\xdd\x01\x3d\xc9\xc7\xb4\xd1\x9a\xdd\x3b\xf9\xc3\x34\x88\x6e\x9d\x1c\xb4\xdf\x99\x7d\x99\x56\x3a\x57\xb6\x6d\x83\x21\xd4\x21\x52\xf7\x21\x70\x5d\x6c\x48\x46\x18\xad\x33\xcb\x46\xb5\xc1\xa4\x1c\xcd\x39\x7e\xde\x50\x43\x2d\xc9\xd4\x1a\xa8\xb2\xfb\x37\x5a\xf7\x5d\x33\x23\x56\xd7\xdf\x3d\x5d\x43\x9f\xde\xbc\xf8\xe2\x5b\x22\x49\x3c\x6f\xe1\x40\x01\x3e\x29\x52\x32\x18\x67\xd1\x29\x47\xb1\xf2\xdd\x27\x2a\x17\x36\x94\xa5\xfd\xdd\x88\x7f\xe1\xec\x96\xdf\x64\x67\x63\x0d\x14\x49\xd7\x23\xff\x02\x3e\xc1\x27\xb1\x2a\x24\x11\xa0\x96\xe3\x12\x9e\x84\x5d\x50\xb1\x46\x68\x36\x35\xd8\x05\xcf\x19\x67\x35\x82\x8c\x8a\x0a\x00\x40\x47\xa1\x9a\xcf\xcc\x41\xb6\x2f\xe0\xfb\xff\x91\x88\x1e\x76\x13\xbf\x7a\x73\x71\x95\xf1\x85\x8e\xd7\x19\x8d\xca\xca\x13\x21\x06\x19\xd7\xf7\x39\x8d\x81\x2d\xe4\x63\xf2\x21\xf0\xc2\x64\x87\x4a\xa3\xb3\x41\x6d\xcd\xfa\xed\x76\xbf\x25\x5d\x7a\x7a\x15\xd6\xac\xc9\x86\x4d\x1b\xd9\x00\x35\x4b\x3b\xf0\xdf\x70\xba\xe9\x32\xc4\xb8\x2e\x8a\xa6\x0d\x39\x5b\x93\x9c\xc6\x0f\x89\x64\xab\x75\x5b\xa5\x0b\x40\xa7\x13\xf6\x8d\x2e\x00\x1a\x2b\x5a\xbc\xfd\xbb\x82\x1a\x0a\x3a\x7a\x97\xcd\xcc\xc0\xb0\x5b\xca\x8f\x03\x3f\xbc\xd9\x54\x56\x9c\xb
7\xc3\x12\xd4\xcb\x9e\x69\x27\x56\x13\x30\x66\x79\x88\x25\x70\x72\x61\x18\xeb\x66\xb4\xb6\xf0\xd2\x36\xc3\x3e\x35\x65\x8e\xd8\x7f\x02\x8c\xa4\x3c\x55\xc2\x69\x68\x17\x9a\xed\x75\x49\xc8\xc2\xe9\x26\x72\xa4\x45\x10\x6d\x04\x29\x84\x69\x17\xc5\xfc\x60\x7f\xa2\x85\xdb\x9a\xa6\x12\x81\xc1\xc5\x24\xa7\x6b\x3d\x40\xde\x5d\xa9\xbc\x7a\xfb\xae\x9c\x03\x55\x5d\x05\x63\x83\xea\x7f\x5e\xac\xf5\xde\x95\x63\x8e\x11\x24\x2a\x42\x0c\x9a\xa3\x22\xc8\x08\xcf\x2a\x14\xab\x47\x9d\x81\x35\xe4\xff\x48\x7b\x21\x5c\x8c\xec\x44\xc7\x29\x0d\x34\x59\x10\x0b\x21\x96\xc5\x4e\x88\xca\x28\x41\xd8\xa6\x01\x1c\x6d\xb1\xb5\xc2\xfb\xc5\x13\x5d\xa6\x05\x3d\x89\x3d\x11\x6b\x9f\x23\xd5\xa0\xf7\x7f\x9f\x64\xc5\x0a\x04\x48\x55\x2f\xb3\xd4\x00\x2c\xcf\xb9\x5e\xd5\x4c\x37\xea\xe9\x31\x73\x7b\xf0\x2b\xcd\x22\x6b\x13\x3b\x9d\x27\xde\xbf\xae\x74\x87\x30\xa8\x7b\xe8\xdf\x5c\x31\xcd\xdf\x16\xc2\x6b\xc3\xf3\xb4\xdf\x7a\xbc\xbc\x52\xed\xad\xb7\xa7\xc2\x9e\x87\xdd\x5d\x63\x30\xb7\x61\x64\x9f\xc9\xf0\x98\xa7\xb6\xb6\x8c\xf5\xdc\xe7\x67\x66\x7e\x8b\x5a\x7c\xd4\xbb\x22\xd1\xc9\x22\x9c\x45\x51\x69\xd7\x2e\xdd\x3b\xae\x9c\x25\x1c\x07\x88\x96\x8f\x1d\x13\xaf\x8e\x47\xba\x32\x92\x3c\x66\x14\xc4\x4d\x51\x96\xfa\x80\x57\x61\xdb\xa5\x9a\x39\xb8\x93\xbf\x09\x73\xda\xbb\x97\x6e\xdf\x63\xf3\xcb\x54\x73\x2d\x43\xb9\x0e\xe7\xab\x03\x74\xe1\x0f\xd7\x22\xd5\xc3\x61\xa4\x10\x89\x31\xe8\xee\x3f\xa1\x90\x79\x3f\x90\x1b\x18\xff\x7b\x5e\xd8\xc1\x62\xb3\x7f\xfc\xb3\x9c\x6c\x0c\x08\x4c\x9c\x76\xb3\x96\x4e\x31\x35\x1f\x51\x12\xac\xcf\xe1\x6c\x62\x68\x58\x0c\xe0\xb4\x4c\xd4\xc3\x3f\x29\x21\x71\xdf\x6a\xf3\x59\x14\x22\x5c\x8b\x1a\xff\x19\x85\xce\xa0\xea\x73\x49\xa4\x3a\x51\x0d\x5f\xbf\x18\x81\xa0\x32\xf9\x6b\x1f\x58\xf4\xfa\x94\xdb\xcd\xf9\x8f\x6b\x11\x3a\x2f\x85\x1e\x76\xd4\xf1\xcf\x06\x86\xe3\xb4\x40\x57\xc3\x63\xc8\x49\xc5\x70\x06\x59\xd7\xe5\xa1\xc2\xb3\xcc\xfd\x5a\xaa\x88\x9c\x2f\x99\xa9\xb1\xc8\x31\x9c\x3c\xd3\x48\xbe\x29\xb2\xe9\xbf\xef\xbc\x28\xcb\x77\x47\x29\x95\x8c\x12\xc9\xdf\xa7\x4b\x89\x3a\x07\x74\x5a\xed\x2e\x51\x44\x72\x3c\x8
f\xc0\x50\x68\x52\xf1\x7e\x6a\x4a\x8f\x59\x9d\x2c\x4a\x1d\x7c\x0b\xa9\xd7\x7d\xb8\x41\x6e\xb1\x09\x32\xcd\xc7\x49\xcf\xa9\x98\x90\xee\x80\x17\xc0\x66\x40\x84\xf8\x64\x89\xc9\x75\x25\x52\x52\xc3\x87\x6f\x8d\xcd\x98\xc0\x0b\x73\x61\x1c\xe2\x73\x4e\x1f\xe0\xee\x5c\x0a\x0a\xbb\x0c\x50\x00\x40\x44\xf9\x3a\xd2\xff\x01\x09\xbc\xb1\x9a\x3a\x20\xf1\x86\xd6\x8e\x38\x7d\x34\xa5\xb5\x78\xc4\x25\x3c\xd9\x67\x26\x14\x80\x3b\xf9\x67\x26\xe8\xab\x00\x14\x6d\x2f\xe2\x66\xe6\x2e\x48\x65\xf5\xe7\xfe\x31\xd4\x14\x97\xe7\x19\x51\x22\xfc\xda\x82\x5f\xb4\xe9\xfc\xdd\x09\xb4\x21\xdd\xb6\xe9\x25\xa4\xd5\xcb\x7f\xf2\xfa\x56\xfe\x14\x97\xad\x65\x9c\xc5\xb6\xef\xd8\xf8\x83\x99\x8b\x74\x51\x17\x5f\x98\x27\x54\x7b\x84\x19\x5c\x25\xfc\x16\x31\x07\x2a\x55\xc1\x7e\x90\xa3\x27\x9a\x54\xa2\x96\x97\x31\x2b\xfe\xf3\xee\xfc\xba\x8d\x31\x14\x55\x6a\x54\x5d\x18\xab\x0d\xf7\x4d\xf2\x66\x85\x91\x51\x95\x9a\x1b\x05\x1f\x83\x22\xf7\x98\xcb\x45\xd5\xcb\xe5\x29\x1b\xdd\x71\xda\xd6\x65\xf6\x4d\xde\x69\x54\xef\x00\x71\x89\x18\xfe\x01\x72\x79\x63\x96\x46\x42\xd4\xc4\xa5\xbb\xa9\x30\x3f\x44\xfe\x97\xff\x99\xf0\x67\x48\xdc\x86\x3f\xf0\xcc\x17\xfc\x82\xb2\x9f\xbe\x0c\x71\x2c\x77\xed\x36\x69\x7f\x23\xb4\xa2\x2a\x9f\x24\x85\x22\xf9\x94\x6c\x3a\xbc\xd3\x2e\x16\x5f\xd6\x6f\xdb\xc7\xb4\xa0\xdf\x71\xa8\xd2\x57\x1f\x32\xda\x4a\xda\x51\xc1\x4c\xa0\x86\x30\x1d\x6e\xd0\x20\x06\xc6\xa3\x8c\xe4\xe7\x67\x1f\x3d\x08\x62\xa4\xe3\xc2\x2b\x6a\xa7\xb7\xc0\x49\xa7\x76\x22\x87\x57\x05\x62\xe8\xb4\x52\xef\xc7\x87\x41\xe7\xc2\x82\x2a\xd0\xfd\x43\x5e\x76\xa8\x04\x4b\x05\xb3\x88\xaa\xfc\x4c\xf6\x15\x75\x76\x03\x98\x87\x23\x64\x46\x99\x61\xe8\x7d\x14\xd1\x79\x5e\xb6\x27\xfa\xed\xa1\x8f\x9c\x12\x28\xfc\x99\x4d\x58\x05\x08\xc9\x96\xd3\x66\x27\x99\xb7\x23\x7e\x59\x69\x10\xa7\xc5\xc7\xfa\xcd\x47\xfa\x30\x84\xda\x48\x48\x87\x67\xf6\x0c\xfe\x58\xec\x40\x14\x15\xac\x66\x03\x16\x23\x32\x0f\x9f\xda\x37\xc0\xaf\x9f\xe4\xcd\xa1\xb2\x89\x3d\x2d\xf0\xac\x82\x26\x01\x3a\x36\xca\x7b\x13\x66\x03\x2e\xa7\xb2\x5a\x55\x91\xbe\xbc\x8c\xe4\x89\x77\x7c\x0c\xba\x2
8\xd1\xf0\xca\xfe\xae\xea\x7d\x5b\x4d\x20\x09\x30\x9e\xeb\xc9\x13\x07\x81\x12\xbb\x12\x69\x20\xca\x6e\x5e\x2b\x22\x10\xce\x54\x10\xcc\xe4\x5f\xc4\x63\x74\x6c\xf1\x68\xf7\xee\x2b\x91\xc7\x97\xb3\x30\xe0\x46\x48\x22\xa6\x18\xe4\x57\xce\x39\xa0\x03\x67\xd9\xcd\x3d\x3f\x59\x38\xce\x36\xeb\x2a\x31\xa9\x0d\x04\x92\x58\xc8\x49\x95\x5e\x97\xf0\x80\x17\x26\x9b\x3e\x5f\x69\xe9\x12\x81\x95\x63\x8b\xc8\xc1\xfa\x73\x5e\x6e\xb2\x43\x5c\x95\x87\xf4\xf4\x36\xd9\xe6\x8a\x87\x97\xbb\x42\x10\x0d\x48\xe7\xb2\x61\x97\xc6\x5f\xb8\x90\x39\x61\x38\x2f\xb0\xfe\x22\x98\x60\x17\x30\x68\xd9\x42\x91\x10\x82\x3b\xc2\xff\x71\x7a\x71\x57\x05\x4c\x32\x6b\xda\xc3\xad\x35\x81\x77\xf9\xa4\x06\xd8\x94\xb8\x42\xd6\xd9\x1e\xdb\x35\x6b\x06\x28\x3b\x32\x9b\xca\x6e\x12\x29\x06\x55\xfe\xf2\x40\x29\xba\x1d\xaa\xf4\x5f\x17\xeb\xc8\x34\xd1\x2e\x35\xe3\x9f\x2e\x20\xe2\xc7\x36\x2a\xeb\x00\x31\xf4\x87\x7b\x63\x3b\xe1\xbe\xd3\x6f\x5d\x7b\xa2\x4d\x01\x48\xf8\x46\xa7\x86\xf3\x88\xe2\xab\x79\x66\x2d\x55\x9b\x86\x1a\x36\xa4\xce\x60\xdc\xeb\x5f\xdb\x9f\x47\x93\x58\xfd\x84\xa5\xc7\xf1\x02\xf7\x5b\x81\x43\xd3\x62\x6f\xff\xa5\x46\x9c\x22\x07\x2a\x97\xd6\x3f\xf9\xe0\x66\x7c\x2f\x2d\xb4\x1c\xd0\x3e\x5d\x43\x91\x4b\xb5\x90\xbb\x1f\x11\xf4\xc3\x53\x3b\xcc\x47\xff\xc9\x9e\xed\xf6\x77\xc9\xd6\x46\xc6\x0f\x99\x39\x89\x15\x89\x1a\xb6\x71\x97\xdd\xbd\xc1\x1e\x03\xda\xf0\x31\x39\xce\xad\xaf\x99\x22\x68\x75\x16\x3f\x11\xc2\x90\x27\xf6\xec\x6e\xe6\x47\xc9\xbb\x1f\x76\x95\xf1\xf2\x91\x8a\x32\x85\xa1\x3e\xad\xb7\x3d\x3e\x94\xcb\x0d\xbf\x92\x73\xf7\x5e\x1a\x8b\x39\x1c\xc6\xe4\xc1\x4e\xd5\x68\x3c\x27\x56\xc7\xb3\x3d\x84\x35\x1e\x1c\xe0\xba\x7b\x02\xe2\x30\x5d\xe6\x5b\x29\x45\x6b\x5c\x55\x34\x46\x47\xc7\xb0\xb1\x6c\xd8\x36\xdb\xa2\x71\x1a\x4c\xc9\x77\x38\x26\x7c\x46\x2c\x85\xfa\xd6\x08\xa8\x16\x12\xd7\xf8\x9a\x7f\xe6\x63\xbd\x06\x43\x54\xa8\x0f\x8b\xe0\x16\x5d\xf5\xd9\xba\xe1\xc6\x9e\xa5\x69\x62\xb1\x11\x22\x0c\xdc\x13\x6a\xda\x90\xbb\x13\x15\xf8\x65\xca\xff\x1e\x25\x26\xac\xd2\xef\x4c\x36\xa7\x0f\x26\x60\x88\xd7\xd3\x48\xe5\x61\x13\x29\x7
1\x66\x8e\x91\xa8\x90\x04\x08\x5a\x5b\x09\x2f\x8e\x28\x42\x3d\x16\xb7\x49\xcd\xcb\xf9\x2a\x43\x65\xe4\x68\xdd\x67\xbe\x24\x1e\x5d\xea\x70\x5b\x60\x6b\x28\x09\x9a\x5d\x3d\x46\xa0\x76\x20\xfc\x4f\x73\x1e\x3d\x36\x05\xde\xbe\x68\x70\x42\xca\xc9\x37\x42\x73\x67\xc3\x5b\x54\x6a\xf2\xdf\xc0\x94\xa7\x21\xdc\x7f\xd1\x3d\xf6\x8e\x9a\x79\x9e\xcb\x10\x7c\x90\x8b\xac\x9f\x8c\x44\x30\xcc\x10\xc6\x29\x9c\x79\x4d\x02\x8d\x51\x6c\x3e\xf3\xf7\x7f\x9f\x64\x20\x16\x60\x94\x9b\x5e\xe2\x9a\x58\x94\xd7\x38\xfa\x4e\x4b\xcd\xda\x88\xfe\x12\xbc\xff\xe8\x5d\xa7\xb1\x0d\x02\xc8\x09\x22\xf3\x90\x71\x34\xfe\x64\x60\x55\x08\xb6\xcb\xe3\x5e\x97\xf1\x2f\x1b\xb1\x5f\xce\x6f\xac\x0b\x0b\xbe\xd6\x21\x83\xba\x88\xb8\x41\x3c\x69\x2c\x1d\x46\x53\x76\x14\x6a\x5a\xc6\x9e\x0f\x10\x45\x0f\x04\xc8\xb6\xf3\xc9\x0c\x58\xac\x33\x60\x4a\xa8\x11\xa9\xb7\x4e\xbb\xd0\x7b\x06\x84\xc5\x1a\x55\x30\x06\xda\x57\xf4\xdf\x29\xdf\x30\xa6\x46\x22\x26\x6b\x3e\xc0\x6c\x43\x5d\x65\x05\x21\xf3\xea\x72\x5a\x3c\x8c\x12\x8c\x73\xf0\xd3\x44\x7d\xd1\xa8\x5b\x10\xa0\x61\xe9\xac\x44\x69\xbd\x8e\xad\x5b\x59\xcc\x63\x9b\x81\x7e\x67\xd9\x0c\xcd\x77\x3e\x22\x4a\xeb\x67\xdd\x26\x36\x91\x74\x36\xb7\x64\x75\xd8\xe0\x25\x5c\xf7\xd1\x4f\x28\x36\xa5\x0d\x23\xfb\x11\xb3\x84\x35\x48\xb3\xa5\x2d\x8f\xa1\x0c\xa8\xc9\x7e\x1f\x0e\xd7\xa0\x0c\xfc\x80\x67\xa5\xb9\x9a\x41\xc0\x7d\x3c\xe0\xa0\x45\x6b\x84\x43\xbb\x5f\x09\x03\xdb\x5e\x7b\xc1\x6b\x0d\x0d\x4f\x32\x1a\x57\x57\x2d\x33\x68\xd9\x7a\xb7\x70\x58\x30\xd2\x3f\xf7\x8a\xc8\xd6\x94\x02\xc9\x20\xf7\xfb\x91\xd6\xef\xc1\x6c\xe4\x39\x93\xa1\xa6\x8e\xb8\xed\xa0\x8d\x7c\xc5\x5f\xca\x85\x49\xf4\x08\x39\xac\x8e\x5e\x26\x3e\x8f\xcd\xdb\x10\xdd\x20\xfb\xed\xd9\x49\xc8\xd3\xc1\xe1\x86\xe9\xfd\xd5\xaa\x27\x65\xa1\xef\x54\xf9\xe8\xb2\xa7\xa0\xb3\x8f\x1c\x8f\x8d\xaf\xe5\xfc\xef\x0f\xf0\x31\x69\x21\xdb\xaa\xb2\x7f\x6b\x2e\x09\xe4\x9d\x0a\x56\xc9\xad\xe5\xd8\xcb\x65\x86\x99\xba\xa9\x84\x54\x3f\xde\x4e\x72\x0e\x02\xe5\x50\x3e\x83\x5c\x7a\x63\xef\xfe\xe3\xdf\xa5\x8e\x4c\xcd\xbe\x19\x43\xb5\x92\x1b\x58\xfd\x0e\xd6\x64\xe
f\x73\xdf\x89\x23\x18\xe1\x07\x03\x23\x48\x59\xb5\x65\xd1\x7d\xe8\xc9\x25\x19\x8b\x44\x81\x59\xc8\xe8\xd7\x3c\x8b\x1e\x5e\xb6\x87\x05\xe5\x82\xd5\x12\x8f\x20\x7b\x54\x6f\x81\x22\xe0\x4e\x37\xbc\xc9\xd1\xca\x9b\x2c\x7a\xe5\x1d\x45\x42\x44\x8b\x36\xd6\xff\x16\xd9\x98\xee\xce\x9f\x07\xbe\x34\x1d\x1d\x8f\x98\x9f\x23\x44\x60\x40\xa4\x99\x72\x72\xc9\x9d\x45\x34\x83\x72\xfc\x49\xb7\x0f\xb5\xe0\xfa\xca\x97\x51\x84\xc6\x02\x59\x95\xf6\xaa\x49\xf1\xb2\x93\xdf\x66\xd5\x1d\x75\x3d\x9c\x77\x75\x57\x6d\x0e\x77\x01\x34\xd3\xa4\xfb\xd5\x3c\x99\xb0\xa7\xb6\xaf\xe7\x33\x7f\x73\x24\x81\x63\x23\x9a\x71\x4d\xfe\xb2\x85\xb0\xb4\x9e\xf6\x02\xd6\x2a\xd6\x93\x5a\x83\xc8\x3b\xc8\x14\xbd\x40\x7b\x1f\xf5\x22\x82\x92\xf9\xbf\xbb\xd0\x71\xc8\x1d\xc9\x59\x1a\x05\xc9\x50\x7b\xff\x87\xc9\xe5\x27\xb8\xf1\x4e\x8e\xe1\x3d\x18\x7e\xb8\x67\xdc\x2c\x95\xdd\x90\x3c\x37\x69\x2d\x03\xe7\xb0\x09\x85\xfb\xc1\x13\x13\x07\x8d\xec\x7f\xf6\x9f\x2e\x01\xa8\x34\x23\x99\x40\x0f\x98\xcc\x66\x83\x3d\x9c\x85\xff\x7f\x10\xcb\xef\x73\x32\x13\xcd\xae\x61\x54\x5f\x39\xe8\x5c\x59\x30\x2b\x56\x0a\x72\xd0\x43\x7b\x26\x6c\xba\xe1\x6f\xad\x4a\x00\x0d\xde\xa1\x99\x49\x40\x8c\x74\x77\xfc\xb9\x48\x91\x53\x23\xeb\xb7\x9a\x55\xc7\x69\xcc\xb1\x8e\x2f\x55\x2a\xb7\x63\xba\x65\x30\x2a\xe7\xbc\x47\x6e\x36\x25\xeb\x88\xa7\xa6\x69\x8c\xec\xcf\xac\x22\x90\x0c\xa3\xc4\x4d\xec\x88\x66\xb2\xa1\x14\xc0\x83\x1c\xf6\x53\xd4\xc1\xfb\xa9\xa7\x78\x5a\x1c\xaa\x2b\x97\x34\x33\x84\x22\x6b\x1a\xce\xd9\x3d\xa7\x1d\x30\xb6\x65\x06\x45\xbc\x11\x3a\xc6\x2d\x32\xd2\x03\x2d\xdb\x65\x62\x6e\xe8\x6c\x3b\x9d\xfb\xbd\x8d\x0c\xae\xea\x74\x53\xdb\xea\x30\x4e\x34\xd3\xf8\x05\x22\xcd\x31\x7b\x49\xbc\xab\xb8\x69\x33\x1c\x7c\x32\x18\x52\x10\x04\x30\x42\x3b\xcb\x1e\xc1\x5c\x50\xc1\x9b\x76\x6a\x7c\xe4\x71\xd5\x1b\x01\x04\x1b\x68\x5a\x29\xc4\xbf\xdb\x55\x2c\x86\x6d\x58\x3b\x7c\x3c\x7f\xd5\x6c\xfc\x73\x72\x5d\xf7\x84\xe4\xd9\x02\x81\x56\x7f\xe8\xc3\x8d\x86\x6b\x06\xef\x13\xbb\x30\xfd\x23\x90\x6e\x66\x2c\xf9\xd5\x11\x3d\x7b\x52\xb0\x14\xb4\xae\xb3\xa1\x83\x52\x4b\x49\x7b\xe
9\x22\x0a\xe1\xe0\xb2\xf7\x67\x4d\x27\x99\x42\x94\x1b\xbd\x81\xed\x59\x5a\x93\xc2\x34\x13\x99\xb6\xac\x36\xff\x86\x9f\x89\x4c\xae\x29\x13\x08\xb2\x12\x84\xd3\x98\xb5\xfa\x6a\xc7\x6b\x9d\x59\xf0\x3e\x48\xc2\x75\xf4\xf2\x0c\xe0\xa5\x05\x9d\xe6\x9c\xa9\xec\x99\x9d\x73\x20\x2d\xef\x66\x6b\x37\xb3\xa9\x6a\x95\xb1\x2c\x74\x33\x10\x38\xfa\xca\xca\xb1\x88\xda\x87\x8a\x86\x0e\x1b\x39\x9d\x6b\x3b\xd3\xc1\x36\xe0\xa5\xe9\x96\x3c\x16\x91\x88\x9f\x0d\x40\x0f\x34\xdc\xc5\x1e\xf1\x00\x2e\xbf\xee\x28\x14\x60\x5a\x4d\x10\x67\xed\x73\x96\xc1\x15\xe3\xa9\x4f\x15\x1c\x8e\x4a\xa2\x93\x0f\xd8\xbc\x53\x4d\x57\x9d\x5d\x88\x43\xbd\x20\x29\x05\x6f\xc5\x58\xb9\x86\x94\x08\xb9\x95\x1f\x75\x67\x24\x33\xea\xd1\x9e\x10\x9c\xd1\x83\x08\xf1\xc9\xd6\xf9\xcc\xbc\x9f\x76\x79\x93\xb5\x9e\xa2\xb5\x04\x68\x64\xf5\xe0\xc3\xbd\xe4\x2e\x79\x32\xc5\x6b\x9f\xb2\x52\x89\xe1\x6a\xb3\xbe\xbb\x69\x25\x47\xde\x1a\x4d\xbe\x11\x9a\xb2\xbd\x71\xe4\x71\xcb\xdf\x6c\x6e\x85\x19\xac\xa7\x7c\x2c\xbb\x82\x73\x34\x3c\x1b\xed\x23\x92\x2e\x55\x7f\x87\xb4\x08\xd8\x7a\xf7\x88\x96\xed\x30\xf0\xa6\x17\x8a\xd9\x8a\x34\xde\xd6\x14\x84\x43\xfd\xdf\x4a\x5c\x00\xa8\x1a\xe9\xdf\x21\x59\xfd\x65\x8c\x85\x9f\xb6\xb2\x74\x98\x8c\x84\x8f\x99\x3e\x76\x1c\x26\x3e\x90\xd7\xdb\x8f\x66\x2c\x87\x6b\x7a\x61\xff\x2d\x93\x8b\xa7\xfe\xd4\xcb\x5c\xd8\xee\x51\x48\x70\xb5\x05\x20\xe7\x33\xf2\x1c\xdc\x3b\xd7\xed\x41\xd2\x97\xb9\x6d\xfe\xff\x37\x9d\x37\xe6\x07\x1b\xb1\xac\x84\xfe\xff\xab\x2c\xdd\x98\x5f\xea\x2f\xe6\xc4\x6e\x6b\x75\x69\xc8\xc2\x45\x45\x91\x79\x5c\xcc\x56\x51\x1d\x85\x3f\xd2\xa0\x1a\x1e\xb0\xce\x25\x05\xab\x65\x78\x2b\x78\x36\xba\x67\x84\x45\x05\xaa\xbc\xb5\xdc\x63\x72\xa3\x13\xfe\x7a\xcc\x7f\x48\xb0\xd2\xbe\xf7\x94\x03\xc2\x83\x7d\x88\xe5\x2f\xe9\x26\xad\x16\xd5\x1b\xe7\xe8\xc6\x2a\x59\x55\xa6\x1e\x85\x27\x08\x39\xf3\x6e\xee\x94\x63\x70\x92\x7e\xb1\x98\x41\x30\x16\x77\xe8\x37\xab\xac\x18\xd7\x09\xbc\x84\xdd\xa6\x0b\x12\x10\x7a\x23\xeb\x73\x35\x43\xff\x32\xcc\xe5\x24\x8d\x0f\x46\x19\x21\x29\x52\x91\x83\x7c\x15\x0a\x4c\x1d\x48\x9d\x31\xc5\xb
f\x5b\xfc\x2d\xa1\x42\x7e\x1e\xce\x74\xae\xa7\x05\x3f\x1f\xed\xa6\x4f\x09\x9f\xc4\x47\xa7\x90\x8c\xe4\x4b\x13\x46\x15\x49\xf2\x3e\xf1\x8c\x1d\x81\x07\xbe\xfb\x09\xf9\xd7\x19\xa0\xac\x57\x08\x0f\x1c\xdb\xfd\x46\x70\x4d\x79\x94\x7a\xa1\x0c\x5b\x0b\xb2\x26\xe7\xf6\x83\x09\x74\x72\x40\xf7\x73\xa6\x27\x53\x65\x61\xfb\x6c\x1c\x9b\x26\xaa\x5e\x23\xbe\x01\xf2\xd3\xf7\xaa\xdc\x99\x54\x40\x01\x5d\x25\x64\xb9\xc1\x6b\x85\x3d\x66\x57\x24\xf9\xf7\x22\xb3\x4a\xb1\xd4\x4c\x27\xd0\xe0\xcb\x01\xc4\x9d\x9e\x05\xde\x91\xc2\xe0\x40\x76\x4f\x0c\x21\x2e\x6d\x63\xf7\xb7\x24\x93\xdc\xcb\xf8\x58\x16\x4c\xf4\x81\x51\xbb\xe4\xf1\xdc\x2c\x91\x58\x66\x73\x43\x1a\xf7\xb8\x46\x1d\x30\x16\x1c\x56\x11\x70\xdf\xa3\x1e\xdd\xe2\xcc\xc9\xdd\xdb\xc7\xa8\xe4\x62\x31\x75\x24\x05\xcf\x30\x8e\xcd\x8d\x35\x05\x63\x6d\xba\x70\x35\xc9\x4f\x72\x86\x23\xbb\x87\x60\x3a\xfb\x90\xb5\xc2\x3e\x9a\xc1\x93\x7b\x2e\xa3\x98\x4d\x57\x9d\xa2\x99\x70\xef\x04\x9f\xfd\x97\x05\xfa\x28\x3e\xf6\x2f\x1a\x9f\xbb\xef\xbc\x5f\x8f\x3f\x79\xbd\xd8\xd7\x0f\x0a\x89\x39\x72\xe5\xac\xa3\xa1\x64\xe6\x72\xba\x88\xeb\xdb\x62\x06\xa4\xdd\xa5\xeb\x5a\xdf\xd1\x63\x52\xd4\x2c\x4f\xbd\xdf\x11\x7f\x2b\x0d\x30\xe8\xc3\x9f\x1b\xc6\x3f\x3b\xc0\x3b\x45\x2a\x87\x01\x17\xaf\x7a\x3f\xd3\x01\xaf\x71\x4b\xfa\x39\x83\x67\xa9\xac\x2a\xa3\x81\x17\x0b\xc7\xca\x86\x01\x44\x25\x8a\x9a\x38\xa6\x14\x54\xc9\xcd\xef\x24\xf1\xc6\x62\xf2\x8e\x8d\x1e\xe7\x74\x9f\x61\xa9\xc7\x9a\x9e\x16\x59\x3f\x2d\x55\x00\xde\xaa\x73\x0a\xca\x4e\xef\x32\x73\x87\x84\x31\xa8\x74\xb0\x3e\x44\xf6\x49\x5b\x52\xea\x9b\x22\xd9\x41\x7f\xb3\xf2\xcc\xbe\x2c\x48\x2a\xdd\x30\x8e\x4a\x3c\x55\xb7\x53\x2a\x4e\x64\xcf\x10\x8d\x83\x3d\x54\xab\xf3\xcf\x93\xb3\xf9\x08\x52\x63\xd2\x77\x4c\x22\x14\xdc\x62\xe3\xc6\xa7\x88\x69\x46\xb7\xbb\xb4\xd0\xfd\xd8\x2d\x50\x22\x32\xf8\x91\xe9\x5e\x20\x75\xb6\x97\x4f\xcb\xc8\x15\x79\xfe\x8e\xeb\x7e\xe2\x21\xa9\x04\xce\xdb\xbb\xab\x25\x95\xef\x93\x53\x7f\xde\xa0\x3e\xb9\x3b\x49\x68\x01\x19\xd9\x96\xc8\xe7\x06\xdf\xc4\xd9\x94\x33\x95\x4c\x53\x67\x72\x5d\x48\x08\x11\x9b\x6
8\x3b\x59\x64\x1c\x4b\xff\xd3\xfb\xab\x0c\x7e\x12\x5f\x02\xba\xd9\x5c\xbf\xc2\x6e\xab\x96\x07\x9f\x8d\xfb\xf6\x62\x35\x89\xd1\x4e\x0c\x20\xd1\x5e\x07\xc3\x4b\xcc\xce\x36\xfb\x92\x79\x65\xf9\x6c\x8c\xc8\x9b\x3e\x51\x43\x82\x12\xa9\xbe\xc9\x2a\xf4\xb5\x92\xae\x76\xe6\x6d\x53\x1d\x34\x43\x85\xf5\x56\x85\x52\xe3\x7b\xd2\x5c\xbe\x30\x7d\x83\x99\x75\x91\x4f\x30\x91\x5d\x24\xe8\xf3\xd8\x92\xc8\xa1\x9f\xa4\x84\xc3\x5d\xf1\xfb\x92\xaf\x80\xed\xf4\x03\x34\x0c\xac\xed\x5c\x22\x47\x67\xe9\xe6\x87\x45\x65\x63\xdf\xf2\x9c\xa8\x6e\x36\x58\x55\xde\x94\x05\x7b\x66\xc5\x76\xbe\xc5\xf5\xb7\xfc\x3f\x00\x43\x33\x6b\x8a\x48\x7a\xe2\x51\x9b\x8f\xf0\x12\x2e\x7a\xc2\xbf\x57\xd2\x9b\xa6\x48\x08\xdd\x3a\x20\xd2\x6e\x43\x82\xce\x7b\xb1\xfb\xd3\x47\x34\xf5\xae\x66\x25\xee\x8a\x7d\xd5\x6f", 8192); *(uint32_t*)0x20004f40 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x50; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 0x3f; *(uint32_t*)0x200023d0 = 7; *(uint32_t*)0x200023d4 = 0x22; *(uint32_t*)0x200023d8 = 0x8001; *(uint32_t*)0x200023dc = 0x1040000; *(uint16_t*)0x200023e0 = 8; *(uint16_t*)0x200023e2 = 0xf6e1; *(uint32_t*)0x200023e4 = 8; *(uint32_t*)0x200023e8 = 9; *(uint16_t*)0x200023ec = 0; *(uint16_t*)0x200023ee = 0; memset((void*)0x200023f0, 0, 32); *(uint32_t*)0x20004f44 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 9; *(uint64_t*)0x20002450 = 0x40d; *(uint32_t*)0x20004f48 = 0x20002480; *(uint32_t*)0x20002480 = 0x18; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 7; *(uint64_t*)0x20002490 = 7; *(uint32_t*)0x20004f4c = 0x200024c0; *(uint32_t*)0x200024c0 = 0x18; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 0xffff; *(uint32_t*)0x200024d0 = 8; *(uint32_t*)0x200024d4 = 0; *(uint32_t*)0x20004f50 = 0x20002500; *(uint32_t*)0x20002500 = 0x18; *(uint32_t*)0x20002504 = 0; *(uint64_t*)0x20002508 = 0xce0; *(uint32_t*)0x20002510 = 0x1c; *(uint32_t*)0x20002514 = 0; *(uint32_t*)0x20004f54 = 0x20002540; *(uint32_t*)0x20002540 = 0x28; 
*(uint32_t*)0x20002544 = 0; *(uint64_t*)0x20002548 = 1; *(uint64_t*)0x20002550 = 0x100; *(uint64_t*)0x20002558 = 5; *(uint32_t*)0x20002560 = 2; *(uint32_t*)0x20002564 = r[6]; *(uint32_t*)0x20004f58 = 0x20002580; *(uint32_t*)0x20002580 = 0x60; *(uint32_t*)0x20002584 = 0xfffffffe; *(uint64_t*)0x20002588 = 8; *(uint64_t*)0x20002590 = 0xcd95; *(uint64_t*)0x20002598 = 0x1f; *(uint64_t*)0x200025a0 = 7; *(uint64_t*)0x200025a8 = 0x48; *(uint64_t*)0x200025b0 = 0xaac5; *(uint32_t*)0x200025b8 = 6; *(uint32_t*)0x200025bc = 0xad; *(uint32_t*)0x200025c0 = 5; *(uint32_t*)0x200025c4 = 0; memset((void*)0x200025c8, 0, 24); *(uint32_t*)0x20004f5c = 0x20002600; *(uint32_t*)0x20002600 = 0x18; *(uint32_t*)0x20002604 = 0xfffffff5; *(uint64_t*)0x20002608 = 9; *(uint32_t*)0x20002610 = 9; *(uint32_t*)0x20002614 = 0; *(uint32_t*)0x20004f60 = 0x20002640; *(uint32_t*)0x20002640 = 0x11; *(uint32_t*)0x20002644 = 0; *(uint64_t*)0x20002648 = 0; memset((void*)0x20002650, 0, 1); *(uint32_t*)0x20004f64 = 0x20002680; *(uint32_t*)0x20002680 = 0x20; *(uint32_t*)0x20002684 = 0; *(uint64_t*)0x20002688 = 0x10000; *(uint64_t*)0x20002690 = 0; *(uint32_t*)0x20002698 = 0; *(uint32_t*)0x2000269c = 0; *(uint32_t*)0x20004f68 = 0x20002780; *(uint32_t*)0x20002780 = 0x78; *(uint32_t*)0x20002784 = 0; *(uint64_t*)0x20002788 = 9; *(uint64_t*)0x20002790 = 3; *(uint32_t*)0x20002798 = 0; *(uint32_t*)0x2000279c = 0; *(uint64_t*)0x200027a0 = 6; *(uint64_t*)0x200027a8 = 0; *(uint64_t*)0x200027b0 = 0xfffffffffffff20d; *(uint64_t*)0x200027b8 = 0xfffffffffffffff8; *(uint64_t*)0x200027c0 = 1; *(uint64_t*)0x200027c8 = 0x3ff; *(uint32_t*)0x200027d0 = 5; *(uint32_t*)0x200027d4 = 9; *(uint32_t*)0x200027d8 = 0x726; *(uint32_t*)0x200027dc = 0x1000; *(uint32_t*)0x200027e0 = 6; *(uint32_t*)0x200027e4 = r[7]; *(uint32_t*)0x200027e8 = 0xee01; *(uint32_t*)0x200027ec = 7; *(uint32_t*)0x200027f0 = 7; *(uint32_t*)0x200027f4 = 0; *(uint32_t*)0x20004f6c = 0x200028c0; *(uint32_t*)0x200028c0 = 0x90; *(uint32_t*)0x200028c4 = 0; 
*(uint64_t*)0x200028c8 = 3; *(uint64_t*)0x200028d0 = 2; *(uint64_t*)0x200028d8 = 2; *(uint64_t*)0x200028e0 = 0x100000000; *(uint64_t*)0x200028e8 = 0x61a26b8d; *(uint32_t*)0x200028f0 = 6; *(uint32_t*)0x200028f4 = 2; *(uint64_t*)0x200028f8 = 1; *(uint64_t*)0x20002900 = 3; *(uint64_t*)0x20002908 = 1; *(uint64_t*)0x20002910 = 0x100000000; *(uint64_t*)0x20002918 = 3; *(uint64_t*)0x20002920 = 0x8f; *(uint32_t*)0x20002928 = 4; *(uint32_t*)0x2000292c = 0x1ff; *(uint32_t*)0x20002930 = 0x849; *(uint32_t*)0x20002934 = 0x1000; *(uint32_t*)0x20002938 = 7; *(uint32_t*)0x2000293c = r[8]; *(uint32_t*)0x20002940 = -1; *(uint32_t*)0x20002944 = 5; *(uint32_t*)0x20002948 = 0x1f; *(uint32_t*)0x2000294c = 0; *(uint32_t*)0x20004f70 = 0x20002980; *(uint32_t*)0x20002980 = 0x130; *(uint32_t*)0x20002984 = 0; *(uint64_t*)0x20002988 = 0xa00000000000; *(uint64_t*)0x20002990 = 4; *(uint64_t*)0x20002998 = 1; *(uint32_t*)0x200029a0 = 6; *(uint32_t*)0x200029a4 = 9; memset((void*)0x200029a8, 1, 6); *(uint64_t*)0x200029b0 = 6; *(uint64_t*)0x200029b8 = 1; *(uint32_t*)0x200029c0 = 5; *(uint32_t*)0x200029c4 = 0xfffffffe; memset((void*)0x200029c8, 170, 5); *(uint64_t*)0x200029d0 = 1; *(uint64_t*)0x200029d8 = 0x1ff; *(uint32_t*)0x200029e0 = 3; *(uint32_t*)0x200029e4 = 7; memcpy((void*)0x200029e8, "{#-", 3); *(uint64_t*)0x200029f0 = 5; *(uint64_t*)0x200029f8 = 0; *(uint32_t*)0x20002a00 = 2; *(uint32_t*)0x20002a04 = 0x761; memcpy((void*)0x20002a08, "[#", 2); *(uint64_t*)0x20002a10 = 3; *(uint64_t*)0x20002a18 = 0; *(uint32_t*)0x20002a20 = 2; *(uint32_t*)0x20002a24 = 6; memcpy((void*)0x20002a28, "#]", 2); *(uint64_t*)0x20002a30 = 1; *(uint64_t*)0x20002a38 = 0x714; *(uint32_t*)0x20002a40 = 5; *(uint32_t*)0x20002a44 = 3; memcpy((void*)0x20002a48, "*^\\^b", 5); *(uint64_t*)0x20002a50 = 5; *(uint64_t*)0x20002a58 = 0xeb68; *(uint32_t*)0x20002a60 = 4; *(uint32_t*)0x20002a64 = 0xfffffa80; memcpy((void*)0x20002a68, "--$-", 4); *(uint64_t*)0x20002a70 = 6; *(uint64_t*)0x20002a78 = 0xfffffffffffffeff; 
*(uint32_t*)0x20002a80 = 1; *(uint32_t*)0x20002a84 = 1; memset((void*)0x20002a88, 45, 1); *(uint64_t*)0x20002a90 = 1; *(uint64_t*)0x20002a98 = 8; *(uint32_t*)0x20002aa0 = 3; *(uint32_t*)0x20002aa4 = 0xf2; memcpy((void*)0x20002aa8, "!\\{", 3); *(uint32_t*)0x20004f74 = 0x20004c40; *(uint32_t*)0x20004c40 = 0xb0; *(uint32_t*)0x20004c44 = 0; *(uint64_t*)0x20004c48 = 0xcf; *(uint64_t*)0x20004c50 = 1; *(uint64_t*)0x20004c58 = 1; *(uint64_t*)0x20004c60 = 3; *(uint64_t*)0x20004c68 = 0x100000000; *(uint32_t*)0x20004c70 = 4; *(uint32_t*)0x20004c74 = 0x81; *(uint64_t*)0x20004c78 = 5; *(uint64_t*)0x20004c80 = 0x7f; *(uint64_t*)0x20004c88 = 5; *(uint64_t*)0x20004c90 = 6; *(uint64_t*)0x20004c98 = 0xffff; *(uint64_t*)0x20004ca0 = 3; *(uint32_t*)0x20004ca8 = 0x1f; *(uint32_t*)0x20004cac = 3; *(uint32_t*)0x20004cb0 = 8; *(uint32_t*)0x20004cb4 = 0xc000; *(uint32_t*)0x20004cb8 = 0xf5c8; *(uint32_t*)0x20004cbc = r[10]; *(uint32_t*)0x20004cc0 = r[11]; *(uint32_t*)0x20004cc4 = 2; *(uint32_t*)0x20004cc8 = 9; *(uint32_t*)0x20004ccc = 0; *(uint64_t*)0x20004cd0 = 4; *(uint64_t*)0x20004cd8 = 0x80; *(uint32_t*)0x20004ce0 = 5; *(uint32_t*)0x20004ce4 = 2; memset((void*)0x20004ce8, 170, 5); *(uint32_t*)0x20004f78 = 0x20004e40; *(uint32_t*)0x20004e40 = 0xa0; *(uint32_t*)0x20004e44 = 0; *(uint64_t*)0x20004e48 = 0x400; *(uint64_t*)0x20004e50 = 6; *(uint64_t*)0x20004e58 = 2; *(uint64_t*)0x20004e60 = 0x400; *(uint64_t*)0x20004e68 = 7; *(uint32_t*)0x20004e70 = 4; *(uint32_t*)0x20004e74 = 9; *(uint64_t*)0x20004e78 = 4; *(uint64_t*)0x20004e80 = 0x1000; *(uint64_t*)0x20004e88 = 0xffff; *(uint64_t*)0x20004e90 = 6; *(uint64_t*)0x20004e98 = 1; *(uint64_t*)0x20004ea0 = 0xffff; *(uint32_t*)0x20004ea8 = 0x65f; *(uint32_t*)0x20004eac = 0x647c2b8f; *(uint32_t*)0x20004eb0 = 0x400; *(uint32_t*)0x20004eb4 = 0x8000; *(uint32_t*)0x20004eb8 = 8; *(uint32_t*)0x20004ebc = r[12]; *(uint32_t*)0x20004ec0 = r[13]; *(uint32_t*)0x20004ec4 = 3; *(uint32_t*)0x20004ec8 = 0x6b; *(uint32_t*)0x20004ecc = 0; *(uint64_t*)0x20004ed0 = 
0; *(uint32_t*)0x20004ed8 = 0xd; *(uint32_t*)0x20004edc = 0; *(uint32_t*)0x20004f7c = 0x20004f00; *(uint32_t*)0x20004f00 = 0x20; *(uint32_t*)0x20004f04 = 0; *(uint64_t*)0x20004f08 = 0x800; *(uint32_t*)0x20004f10 = 0; *(uint32_t*)0x20004f14 = 0; *(uint32_t*)0x20004f18 = 0x10001; *(uint32_t*)0x20004f1c = 0; syz_fuse_handle_req(r[5], 0x200003c0, 0x2000, 0x20004f40); break; case 23: memcpy((void*)0x20004f80, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004f80, r[5]); break; case 24: syz_init_net_socket(0x24, 2, 0); break; case 25: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[14] = res; break; case 26: *(uint32_t*)0x20004fc4 = 0x5004; *(uint32_t*)0x20004fc8 = 0; *(uint32_t*)0x20004fcc = 1; *(uint32_t*)0x20004fd0 = 0x1de; *(uint32_t*)0x20004fd8 = r[14]; memset((void*)0x20004fdc, 0, 12); res = -1; res = syz_io_uring_setup(0x343, 0x20004fc0, 0x20ffc000, 0x20ffb000, 0x20005040, 0x20005080); if (res != -1) { r[15] = *(uint64_t*)0x20005040; r[16] = *(uint64_t*)0x20005080; } break; case 27: memcpy((void*)0x200050c0, "/dev/uinput\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 2, 0); if (res != -1) r[17] = res; break; case 28: memcpy((void*)0x20005100, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0x488200, 0); if (res != -1) r[18] = res; break; case 29: *(uint8_t*)0x20005140 = 0x1e; *(uint8_t*)0x20005141 = 3; *(uint16_t*)0x20005142 = 0; *(uint32_t*)0x20005144 = r[14]; *(uint64_t*)0x20005148 = 0x200; *(uint32_t*)0x20005150 = 0; *(uint32_t*)0x20005154 = r[17]; *(uint32_t*)0x20005158 = 6; *(uint32_t*)0x2000515c = 1; *(uint64_t*)0x20005160 = 0; *(uint16_t*)0x20005168 = 0; *(uint16_t*)0x2000516a = 0; *(uint32_t*)0x2000516c = r[18]; memset((void*)0x20005170, 0, 16); syz_io_uring_submit(r[15], r[16], 0x20005140, 0x3dd1); break; case 30: memcpy((void*)0x20005180, "/dev/keychord\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x20005180, 0x171000, 0); if (res != -1) r[19] = res; break; case 31: 
memcpy((void*)0x200051c0, "/dev/ubi_ctrl\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x200051c0, 0x10400, 0); if (res != -1) r[20] = res; break; case 32: *(uint32_t*)0x20005240 = 0; *(uint32_t*)0x20005244 = 0x20005200; memcpy((void*)0x20005200, "\x46\x23\xd8\xa4\xce\x02\x17\xc9\xe5\x95\x55\xc1\x66\x89\x06\x79\xe3\xe0\xc1\x94\x0d\xf5\xb9\xfc\xbf\x91\x64\x9e\xf5\x4d\x80\xf0\xc8\xbc\xc8\x0e\x36\xb5\x57\x4c\x4b\xc9\xf9\x43\x40\x18\x54\xf5\x6a\xa2", 50); *(uint32_t*)0x20005248 = 0x32; *(uint64_t*)0x20005280 = 1; *(uint64_t*)0x20005288 = 0; syz_kvm_setup_cpu(r[19], r[20], 0x20fe8000, 0x20005240, 1, 0, 0x20005280, 1); break; case 33: res = syscall(__NR_mmap, 0x20ffc000, 0x2000, 0x1000000, 0x8000, (intptr_t)r[18], 0); if (res != -1) r[21] = res; break; case 34: *(uint32_t*)0x200052c0 = 1; syz_memcpy_off(r[21], 0x114, 0x200052c0, 0, 4); break; case 35: memcpy((void*)0x20005300, "adfs\000", 5); memcpy((void*)0x20005340, "./file0\000", 8); *(uint32_t*)0x20005540 = 0x20005380; memcpy((void*)0x20005380, "\x87\x35\x19\xf2\x5d\xf0\x82\xb3\x71\xba\x5b\x45\xad\xb5\x70\x9c\x00\x80\x57\x47\xc3\x7f\xe0\x44\x06\x45\x95\xcd\x47\x28\xbf\x89\x80\x30\x2b\x25\xb4\xb0\x83\xb4\x2b\x41\x33\x6e\x13\x0f\x1b\x6f\xf0\xa2\xf1\x72\x49\x8e\x52\x2b\x4f\xe5\x82\x6e\xab\xab\xf5\x3a\x98\x52\xf9\x3e\xbe\xb8\x41\xe1\x64\x5f\x32\x93\x61\x27\x02\x9d\x68\xfe\x73\xec\xed\x89\xc1\xb9\x35\x87\x01\x2a\x47\xc4\x2a\x58\x3d\x69\x75\x59\x2b\x3f\x2c\xdf\x43\x37\xfc\x6d\x5e\x85\xe5\xf5\x83\x5f\xaf\xe0\x95\x93\x5e\xc9\x04\x84\xe9\x08\x1a\xa8\xd2\x24\x98\x43\x13\x01\xba\xad\x4a\x34\x36\x8c\x26\xc6\x4d\x85\x32\x6c\x7e\x00\x68\x21\x78\xf8\xd1\x3e\x6a\x89\x69\xf1\x5b\x9d\x5d\xbc\xfe\xc2\xc0\xe6\x96\x80\xc3\x92\x8c\xa0\x15\xb9\x2e\x25\xf5\x07\x8d\xe3\x54\xfe\x32\xcc\x71\x21\x60\x9a\x07\x62\xe1\xb7\x3e\xfd\x89\x67\xa2\xfe\x23\x5e\x4d\x1e\xf9\xe5\xac\x88\xbc\x1e\xd7\x06\xa9\x84\x64\x1b\x06\x47\x0b\x22\x94\xd0\x45\xce\x7e\xba\x51\xc0\x72\x89\x38\xa2\xc6\xee\xb6\xd8\x57\x44\x29\xcc\x24\xbc\xb2\xa7\x84", 241); 
*(uint32_t*)0x20005544 = 0xf1; *(uint32_t*)0x20005548 = 0x40; *(uint32_t*)0x2000554c = 0x20005480; memcpy((void*)0x20005480, "\x62\x93\x5b\xfe\x26\xe9\xc9\xf2\xdc\x3c\x3e\x9d\xfb\x49\x18\x58\xef\xb5\x98\x36\x9b\xcc\xa5\x19\x23\x98\x9b\xa9\x43\xcf\x44\x7b\xaf\x56\x62\x5d\xf0\xf6\x85\xed\x2d\x03\x4b\x37\xc0\x75\x63\xf6\x68\x72\x8f\x6d\xc6\x83\x36\x09\xb1\x22\x19\x70\xe5\x50\x88\x86\x9d\x29\xc0\x1b\x2d\xd0\x5c\x48\x20\xb0\x80\x42\xb5\x07\x40\x08\xc9\x75\x77\x12\xc4\x80\xe2\x5d\x89\xb9\xc4\x8e\x95\x7e\x5b\x5c\x7b\x0b\xec\xcf\xb1\xfc\xcc\xed\xbc\xed\xc8\x38\x06\x03\x80\x75\xfc\x2a\x0f\x82\x28\xbe\xb4\x7f\x1f\xec\xe0\x9b\xdd\xcb\xbe\x00\x21\xab\xe9\xc3\xd1\x98\x36\x9b\x81\xb6\x7d\xbd\x6a\x7d\x33\x4b\x8d\x28\xb8\x02\xcc\x97\xd9\x34\xc1\x64\xe9\x7d\x9d\x7b\x70\xdc\x6c", 161); *(uint32_t*)0x20005550 = 0xa1; *(uint32_t*)0x20005554 = 0x1ff; memset((void*)0x20005580, 170, 5); *(uint8_t*)0x20005585 = 0x2c; *(uint8_t*)0x20005586 = 0x2c; memcpy((void*)0x20005587, ":&-]!", 5); *(uint8_t*)0x2000558c = 0x2c; memset((void*)0x2000558d, 125, 1); *(uint8_t*)0x2000558e = 0x2c; memcpy((void*)0x2000558f, ",-V", 3); *(uint8_t*)0x20005592 = 0x2c; memcpy((void*)0x20005593, "\\*})", 4); *(uint8_t*)0x20005597 = 0x2c; memcpy((void*)0x20005598, "*^\\^b", 5); *(uint8_t*)0x2000559d = 0x2c; memcpy((void*)0x2000559e, "appraise", 8); *(uint8_t*)0x200055a6 = 0x2c; memcpy((void*)0x200055a7, "fowner<", 7); sprintf((char*)0x200055ae, "%020llu", (long long)r[8]); *(uint8_t*)0x200055c2 = 0x2c; memcpy((void*)0x200055c3, "smackfshat", 10); *(uint8_t*)0x200055cd = 0x3d; memset((void*)0x200055ce, 170, 5); *(uint8_t*)0x200055d3 = 0x2c; memcpy((void*)0x200055d4, "obj_type", 8); *(uint8_t*)0x200055dc = 0x3d; memset((void*)0x200055dd, 170, 5); *(uint8_t*)0x200055e2 = 0x2c; memcpy((void*)0x200055e3, "dont_appraise", 13); *(uint8_t*)0x200055f0 = 0x2c; memcpy((void*)0x200055f1, "dont_measure", 12); *(uint8_t*)0x200055fd = 0x2c; memcpy((void*)0x200055fe, "fowner<", 7); sprintf((char*)0x20005605, "%020llu", (long 
long)r[9]); *(uint8_t*)0x20005619 = 0x2c; memcpy((void*)0x2000561a, "dont_appraise", 13); *(uint8_t*)0x20005627 = 0x2c; *(uint8_t*)0x20005628 = 0; syz_mount_image(0x20005300, 0x20005340, 0xfd, 2, 0x20005540, 0x8800, 0x20005580); break; case 36: memcpy((void*)0x20005640, "/dev/i2c-#\000", 11); syz_open_dev(0x20005640, 0x40, 0x300); break; case 37: memcpy((void*)0x20005680, "net/if_inet6\000", 13); syz_open_procfs(r[6], 0x20005680); break; case 38: syz_open_pts(r[19], 0x800); break; case 39: *(uint32_t*)0x20006c40 = 0x200056c0; memcpy((void*)0x200056c0, "\x46\x41\x06\x38\xb7\xa1\x28\xc1\x5c\x6c\xb2\x7d\x23\x35\x80\x6d\xa8\x7c\x0d\x49\x15\x42\x44\x52\xcf\x0b\xa9\xee\xe0\xa5\xd4\x9d\x63\x4f\x09\x0d\xf2\x6f\x35\xbb\x04\x33\xc1\x3a\x27\x0d\xcb\x44\xcf\xe9\xba\x62\xb5\xba\x38\xd4\xae\x3c\x65\xea\xd2\x72\x7f\x1d\x2a\x5f\x02\xda\xa2\x70\xce\xa6\xf4\xf6\x09\x02\xe2\xed\xa6\x54\xb1\x6e\xc6\x63\x5a\x1c\x6c\xd1\x5d\x6b\xd6\x34\x32\x14\xb8\x34\x22\xd1\xa1\x9b\x5d\xae\x43\x9b\x9f\xbc\x3d\xb5\xc2\x18\xd4\xb0\x8a\xcf\xc9\xfc\xdb\xe5\xd4\xe6\xa5\x12\x7a\xda\xdc\xe6\x10\xd8\x15\xe8\xc6\xd8\xad\xc7\x86\x89\xea\xae\x29\xd8\x1a\x20\x04\x0a\xee\xef\x4e\xe5\x5d\x77\x01\xea\x72\x5e\x91\xb7\x4f\x5b\x37\x81\x4b\xee\xd1\x18\x54\x99\x79\xc8\xa4\x0d\x0b\x29\x09\x77\xad\xa4\xd6\x58\x74\xc7\xdc\xca\x03\x0a\x9a\x15\x50\x9b\xc2\x7e\x6e\x87\xd5\x26\x91\x24\x37\xb8\x69\x04\xf7\x42\xc9\xc1\x3c\x1e\x00\xbc\x5e\x3e\x94\x3c\x14\x30\xd1\xcc\x01\x8f\x5a\x4d\xec\xf2\x46\x02\xdb\x5b\xf2\x28\x6e\x64\xce\x75\x1d\x8d\xf1\x6f\x28\x09\x34\xfb\x08\xb6\x19\xb2\xb5\xe9\x31\x19\x5a\xd2\xf7\xc8\x7a\xe9\x56\xc6\x4a\x2f\xda\xc4\xfd\x79\x16\x11\xac\xc2\xa8\x65\xd9\x94\xea\x90\xed\x15\x85\x81\xe8\x0d\x03\x86\xb1\x53\xf1\x9f\xab\x27\x81\xb7\x2d\x1d\xe0\x03\xb1\x87\xd2\xb1\x19\x53\x42\xb3\xa0\x03\xbf\x44\x83\xb4\xd8\x90\xab\x1b\x2f\x51\xe8\xd5\x8f\x0a\x5a\xd7\x8e\x0d\xf9\xd6\x29\xc2\x2c\x2a\x32\x4a\x98\x2e\x1f\xc2\x73\x8c\x36\x0d\xb3\xa8\xba\x5e\x55\xae\x5c\x9d\x58\xf1\xc2\xf6\xbe\xd0\xb6\xde\x5b\xb4\xee\x3b\x5f\x84\x2c\xee\
xf9\x1b\x20\x56\x54\x1f\xf5\x53\x12\xee\x90\xa2\xbd\x09\x97\x06\x6c\x37\xf3\xd8\x37\x78\x95\x92\x1b\x08\x02\x15\x89\x04\x9e\xd7\xb2\x3c\xeb\xaf\x9b\x41\xd0\x8e\x75\x90\x58\xa3\x45\x2c\xb9\xdf\x2a\xee\x1d\x2b\x90\xe5\x10\xba\x9b\xc9\x48\x40\x0a\x69\xaa\x13\x83\x3d\x1b\x4c\x44\x44\x51\x29\xe0\xaf\x50\x12\xfd\x6a\x53\x41\x81\xfb\x20\x42\x68\x26\xa4\xb3\x69\x4e\x4a\x51\x81\x19\x9d\xf1\xed\x31\xde\x36\xf2\xed\x49\x21\x18\x22\xad\x91\x5d\x3b\x71\xac\xae\xcf\xf3\xc8\x4d\x4e\x3b\xb1\x9f\xba\x32\x19\xe2\x61\x45\x73\x5f\xf7\x1d\xce\xee\xee\x7a\xa2\x47\x53\x9a\xd2\x73\x11\x13\xd3\xf3\x64\x42\x6b\xe9\x00\x6e\x6b\x0e\x35\x8b\x81\xd4\x07\x45\x49\xe0\x8e\xf2\x76\x13\xa3\x71\x5e\x5e\x89\xba\x0a\x71\xe3\x99\x52\x31\xe9\x9a\xac\x5e\x4e\xe7\x07\x8f\x59\xe3\xe7\xd4\xfa\xbe\xd2\x6e\x75\x07\x41\x1f\xbe\x4b\x03\x53\x10\x62\x78\xac\x69\xf3\xb9\x1e\xc6\x9f\xa5\x42\xeb\x7c\x96\x43\x94\x06\x2f\x65\xc6\x50\x19\x7f\xbe\x73\x3c\x22\x83\x26\x73\xd0\x66\xe4\xed\x40\x07\x3b\x28\x4e\xe4\xe5\x1b\x12\x59\x36\x7d\x4e\xb9\xe1\x72\x00\x7e\x6f\xb8\x0a\x0a\x6f\xe6\x2b\x3f\x3d\x5e\x5b\x68\xfe\x04\x7e\xa4\xd6\xfb\xfa\xa3\x0a\x00\xfc\x29\xbc\x58\xa3\x1c\xfb\x82\x12\xf2\xc4\x9c\x3a\x2e\x71\x1a\xe5\x02\xbd\x64\x7b\xd5\x6b\xb7\xcf\xc1\xd8\x4d\x14\x18\x27\xbe\x21\x1b\x5f\xfb\xed\x78\x6b\xfa\x13\x13\xd2\xae\xd5\x34\xf0\x00\x19\x36\x3a\xc1\x29\x61\x2c\xa2\x5c\x76\x3b\x07\x7f\x5a\x72\x4d\x61\xfc\x79\x74\xfa\x82\x4b\xad\xc1\x40\x06\xf2\xfe\xbf\xb1\xe3\x5a\x3d\xd7\x2e\x82\x33\x4a\x26\x37\x56\xff\x42\x04\x68\x0c\xba\x1c\x03\xc5\x5e\x09\xdf\xfb\x5a\x58\xe4\xc5\x5b\x5b\xd7\xa7\x0e\xe8\x52\x59\x29\xa0\xee\x9f\x90\x91\xe3\x4b\xb8\xd2\xf0\xaf\x6d\x2a\x26\x70\xc5\x91\x18\x6b\xee\x6c\xed\xda\xb8\xe1\xfe\x8d\x4b\xe3\x97\xa5\x45\xc4\x83\xfd\x68\x4c\xd8\x12\xdf\x5e\x31\x2a\xb5\xf4\x81\x2b\x47\x84\xef\xae\xf1\xc3\xdb\xe7\x90\x94\xfb\xab\xd6\xca\x5f\x0a\x45\x46\x23\x96\xf8\x18\xa5\xc7\xbf\x61\xc8\xc3\xf4\x33\x66\xc1\x26\x5f\x46\x38\xd1\xdc\x7b\xde\x11\x46\x10\x35\xc7\xaf\x77\xe6\x84\x4c\x5d\x47\xbc\x18\x97\xdf\xab\xec\x76\x87\xed\
x25\x79\x4a\x71\xa3\xaa\x2b\xe1\x66\x57\x19\xe7\xea\xf6\x49\xbf\xaf\xfc\xea\x24\x92\xd4\x3b\xca\x7f\x03\x04\x21\x0c\xfc\xa9\x1a\x0d\xad\xf6\x6b\x7c\x3c\x6b\xaf\x8c\x50\x55\xef\x4f\x3c\x56\xaa\x03\xbb\x6e\x40\x0d\x7c\xac\xa6\x9e\x42\x43\xac\x71\xc9\x39\xcc\xf2\x73\x10\xb7\x3b\xa5\x98\x97\xe2\x02\x0c\x71\x7c\x33\xdb\x9a\x4a\x58\x29\x12\xa3\xa8\xd7\xc0\xa8\x70\xb1\x2a\x9f\x98\x2a\xaf\xd0\xcf\x15\x95\x75\x18\x9d\x8c\x26\x88\x64\x34\x22\x9f\xb0\xc7\x6c\x56\x50\x8b\x63\x8a\x25\x09\xb6\x58\x47\x72\x2a\xf1\x97\xe9\x5c\xf0\xcf\xf2\x36\x84\x48\xd4\x2a\xd6\x2d\xb2\x7f\xf0\x17\xa7\xfb\xed\x92\x3b\xef\x62\x83\x40\x87\x12\xc3\xf0\x4a\x79\x03\x38\xf4\xf8\x0c\xf4\xf3\xe9\x2f\xaa\xfa\x3b\xf6\xcf\xf5\xed\x3c\xf3\xb1\x7b\x50\x50\x75\xe1\x2b\x69\x58\xbf\x2e\x5c\xb4\x02\x41\xf6\x72\x87\x4a\x0f\x94\x0f\xd5\x7e\x82\xe9\xca\xff\x11\x3d\x67\x1d\xa2\x3d\xa3\x43\x6a\x31\x80\x0c\x2d\x34\x87\x96\x5f\x87\xc3\xf8\x25\x06\x10\xaa\xff\x78\x3d\x78\x59\x5e\x19\x26\xb7\x7e\x97\xb2\xe3\xad\x09\x08\x7a\xf9\x19\xac\xe3\xf0\x4f\xd2\x75\x88\x7b\x1f\xc8\x1e\xe2\xf5\xba\xd8\xde\x1c\xc3\x5e\xe0\xc0\x3a\xde\xed\x9a\x91\x97\xd7\xa8\xfa\x5d\xb5\x9d\xc5\x00\xa9\x4b\xd1\x84\xa2\xa8\x0d\x97\x04\x79\x7e\x76\xbc\x0f\xc4\x3e\xd5\x72\x96\x14\x3d\xc9\xd8\x58\xb1\x4a\x7b\xdf\xb4\x18\x19\x7f\x09\x74\xb6\xee\xe2\x99\x95\x80\x51\xb1\xd4\x14\xab\x12\x6c\xef\x5b\xc3\x6a\xe4\x05\x5c\x4f\x19\xe7\xe0\x1d\x20\x92\xd9\x9f\x1d\x2a\x5a\x56\x61\x4f\xed\xf4\x81\xd5\x78\xcb\x85\x1a\xd7\x3e\x18\x29\xbc\x35\x0f\x7e\x56\xee\x0d\x2e\x71\xfe\x73\x1c\x1b\x30\xfd\x84\x5f\xd8\x2c\xa0\xac\xf0\x29\xaf\xf4\xa7\x5e\x0d\x38\xfb\x7a\xf5\x82\xa1\x9c\x0c\x7d\xeb\x19\x54\x4b\xc7\xa1\x3c\x18\x96\x03\x24\x41\xcb\xa6\xae\x39\xc3\x5a\xe8\x80\xb4\x5a\x5c\x97\x54\x5a\xc0\x99\x24\x3a\x79\x1c\x6f\x2e\xb9\x35\x56\x20\x8b\x8b\x20\x35\x42\x75\x2a\x67\x3b\x9d\xf0\x2b\xf0\x4a\xd3\xc1\x8e\xec\xaa\x5e\xb2\x2d\x1b\x65\xe5\x9c\x34\x49\xb5\xcc\x42\xdf\x35\x0d\xd4\x82\x2b\xcf\x67\x1d\xf7\x84\x20\x68\x9c\xac\x22\x65\x8c\xd9\xf0\xf3\x90\xe2\x6e\x07\x96\xac\x4b\x7f\x30\xb1\
x98\x9f\x09\xcf\x5b\xa5\x16\xeb\x16\x67\xec\xc1\xd8\x53\x73\x9a\x20\xe5\xe7\x85\x99\xbd\xa8\x30\xd0\x02\xd4\x5e\xb6\x6d\x63\xa7\x78\xb8\x41\x2a\xf5\xd6\x3e\x3e\xf2\x64\x94\xe2\x1b\xbc\xde\x5b\x97\xa9\x4f\x79\x78\xac\x90\x3d\x46\x7c\x5b\x6d\x07\x17\xdc\x4a\x9d\x14\x6e\xd4\xb5\x8b\xfe\x37\x3a\x59\x08\x70\x2f\x99\x7f\x10\x90\xb4\xb1\x90\x93\xf8\x90\x50\x85\xec\xb6\x91\x10\x7b\x05\x9e\x0e\x1c\xd0\xc4\xa9\x4c\x9a\x47\x3a\xf2\xd1\x2b\xd5\x99\x8a\x8b\x8b\x48\x02\xf9\x31\xb9\x05\x15\x51\x9f\x20\xfe\xea\xde\xa5\x68\x4c\x06\x4f\x9a\xdb\x42\x39\x35\xb8\xde\x29\x8b\x03\xe5\x79\xab\xad\x6a\x23\xa8\x6c\x86\xed\xd3\x9c\x2e\xd6\xa4\x68\x5e\x69\xbc\x71\x54\x05\xab\x7a\x3f\x27\x66\x4b\xdb\x68\xfe\xf1\xfc\xd0\x90\xf0\x60\x38\x1f\x1a\xa3\x74\xa0\x74\xa6\x40\xf9\x91\xec\x6d\x8b\x28\x8b\x1b\x05\x07\x06\x85\x60\x31\x4f\xe9\x4a\xeb\x85\xc4\x2f\x4d\xf3\xad\xb2\x14\x85\x69\x65\x15\xda\x2f\xa7\xf4\x41\xb7\x53\xd5\xf8\xca\x45\x45\xf2\xd1\xdc\x1e\xb3\x4e\x41\x8c\x04\x3b\xeb\x51\x8b\xb3\x5f\xe3\x02\x35\xaa\xbf\x7e\xc5\xf3\x71\xb3\xa4\x8c\x0e\xa6\xa6\x13\xeb\xb4\xe4\xda\x5b\x71\x40\x8a\xa5\x57\x74\x23\x9a\xc7\x49\x03\x0a\x52\x74\x0c\xd8\x53\x5b\x9e\x3d\x28\xa4\xe8\x7b\x4c\x4f\x40\x44\xc8\x19\x5c\x32\x11\xf9\x47\xe5\x00\x7d\xf7\xb6\x4e\x37\xc4\x14\xbf\xd5\x4f\x7b\x59\x82\x37\x20\xbe\x00\x49\x8c\x18\xb5\x7d\xad\x00\x43\xf0\xc5\x0a\x75\x81\x74\x18\xc1\xdb\xc3\xdb\x8d\xc7\x33\xce\xb2\xb5\xb6\xd2\x0b\xec\x1e\x38\xa2\xf9\x09\xaa\x61\x94\x80\xe2\xca\x05\xd9\x00\x0b\x7e\xaf\xf3\x70\xc0\x77\xed\x38\x94\x22\x89\x0d\xd4\x26\x27\x8c\x63\xc2\xac\x42\x85\xe8\x40\xe6\xc7\xf9\xda\x04\xd6\x9a\xf4\x48\x2d\x96\xee\x58\x24\xde\x09\x16\x14\xd8\xb1\xb4\xcf\x49\xf5\xa7\x01\xe4\xb4\x2f\xf5\x8a\x62\x82\x3c\x27\x76\xfb\xa4\xc2\x7e\xc8\x6c\x24\xba\x10\x3e\xd0\x1c\x66\x72\x9a\xd6\x02\x92\x4a\x51\x37\xb7\x18\xd8\xdd\xee\xb0\x83\x39\xd8\x3c\x45\xfe\xca\x01\xc3\x93\x35\x7a\x67\x64\x38\x11\x43\x63\x59\x1d\x31\xc2\xba\x6f\xaf\xa5\xd8\x57\x1a\xf7\xc3\xa3\x69\x0f\xde\xb0\x99\xe4\x41\x92\xb5\x87\x1f\xd0\xa3\x36\x5f\xb2\xe2\x30\xc6\
xc0\x3a\x74\x73\x78\x2b\x30\x3a\x5b\xe1\x4f\x03\x8d\x8e\xa3\x4a\x63\x08\x43\x00\x51\x6e\xb7\x88\x4e\x59\x33\x58\xe6\x6b\x3d\xfb\x6d\xac\x4d\x08\x15\xd5\x8d\xaf\xb8\x5e\x8c\xca\x44\x26\x53\x6a\x38\x4d\xc8\x9f\x74\x13\xf1\x4c\xc9\x2e\x73\x77\xa9\x09\x38\xf9\x9e\xf7\xf5\x35\xc2\x18\xae\x2e\x90\x9a\xcd\xbf\xd7\xeb\x5b\x0b\x47\x40\x8e\x3d\x6d\x73\xdd\xa3\x9f\xbd\x6b\x23\xaf\x18\xf1\xa6\x70\x3e\xe3\xb1\xf7\x5b\xb7\xc0\x00\xa4\xca\x5a\x7b\xcc\xaa\xe8\x6c\x4a\xba\xc8\x1d\xa2\x93\xe4\x3f\x91\xd2\xc3\xdf\xf1\x2f\xfa\x52\x29\x13\x9a\x08\xae\x5f\xc2\xec\x13\x9b\xe9\x78\xb8\x18\x2d\x6a\x60\xc7\xff\x39\xbb\x0a\xa8\x20\xa1\x07\xd9\x2e\x38\xb9\x5e\x74\x8a\x18\x4b\x53\xf5\x62\x4f\x45\x72\x39\xf6\x38\x4d\xdd\xcb\x9f\xd7\xe8\xef\x29\x52\x65\xd7\x9b\x64\xc5\xc0\xa9\x3b\xf2\x16\x35\xb8\xc6\x80\x90\x78\x10\xd8\xe7\x2a\x58\x1e\x5a\xa0\xe0\x0f\xbf\x35\x1e\x3c\x84\x1c\x7d\x0c\x51\xa2\x63\x68\x37\xb2\x7c\x6a\x91\x42\x5b\x50\x6a\x22\xc2\x7d\x14\x20\xd0\xb1\x3e\x60\xde\x3e\x9c\x56\x66\x7a\x98\x98\x3b\xa9\xbd\xd1\xc5\xa5\x2d\xc6\x12\x7b\x65\x9e\x6d\x80\x70\x69\x59\xf0\x7d\x3a\x5f\xa8\xb3\xb8\x8e\xab\x05\xe7\xa0\xc0\x4e\xe1\x2a\x21\x37\x2c\x71\x3f\x64\xc6\xad\xbe\xed\xd7\xa8\xb7\xa6\x92\x67\x49\x75\xbb\xe5\x5c\xe4\x02\x71\x44\x02\xf2\x0c\x7f\x57\xff\x1f\x79\x35\x7d\x8e\xda\xbe\xf1\xd8\x68\xf0\xa2\xb3\xdd\x7a\xa3\xbb\xe5\x8e\x80\x81\x49\x70\x73\x4f\x7d\xec\x70\xd3\x14\xe8\x11\x59\x3a\x32\xcc\x86\x1f\x4a\x8a\x4b\x3f\x0d\x7c\xeb\x4e\xbb\x32\x66\x4f\x56\x44\x49\x7a\xc9\x56\x2c\xdd\x5a\x54\x19\x3f\x22\x38\xe6\x5c\x18\x74\xc8\x64\x21\xc5\xcf\xb4\x3a\xe1\x56\x93\x1c\x78\x40\xd1\x0d\xe4\x7a\x4d\x0f\x2f\x31\x74\xc3\x6c\x86\x45\xac\x02\xf5\x44\xc3\x69\x0b\x51\x37\xaf\x7d\x2c\xed\x3f\xb0\x43\x59\xbb\xf2\x2b\x67\x20\xea\x94\xf2\xe3\xb5\x67\x5f\xb7\x7a\xde\x56\xc9\x77\xd6\x68\x06\x4e\xfd\xd1\xc6\x15\x11\x9a\x52\x8c\x9e\xc1\x35\x3e\x84\x10\x3e\x5d\xce\x6a\x0b\xd0\x73\xf9\xff\xbe\xa0\x81\x9c\xf6\xc0\xcc\x58\xea\xd0\x0c\x92\x34\x02\x98\xcc\x09\x45\x64\x11\x7f\x3f\xb8\x94\x27\x4c\xa9\x1d\x79\x76\x45\x96\x19\xf5\
x44\xb2\x50\x58\x6c\x6d\x44\xaf\xba\x55\x74\xb7\xef\x51\x26\xb0\x70\x40\x9a\x1f\x5e\xed\xc6\x50\x07\xb0\x03\x39\xf1\x60\x42\x2f\xff\x38\xd6\x7e\xaa\x8d\x78\x2f\xc4\x19\x2a\x29\x81\x08\x79\xeb\x12\x85\x99\x42\xfa\x14\x1a\x21\xc3\x9d\x9e\xea\x03\xeb\xa1\xaa\x7b\x3a\xc7\xe2\xb1\xda\xf4\xf6\x9f\x47\x5b\x8e\x75\xc5\xac\x7c\x2e\xfd\xd7\x77\x93\x2d\x40\x31\x43\xcd\xd0\x89\x02\xd5\xe3\x45\x93\x01\xc2\x8c\x88\xc4\xdf\x34\x2c\xa1\x39\x10\xb7\x60\xe3\x4c\x40\x19\x4b\xb5\x1b\x82\xcf\x14\xad\xee\xd5\xae\x47\x51\x7d\x3c\xbc\x73\xbb\xb5\xa8\x89\x9c\x30\xe6\x06\x51\x99\x89\xa8\x5d\x2e\x15\xb0\xe8\x9e\xbb\xa4\x3f\x0c\x8a\x75\x2f\x07\x01\x03\x80\xca\xa7\x0d\xc4\x09\xff\x80\x5c\x24\x57\x48\x29\xd0\x6b\xb9\xa1\x49\x5d\x5a\x30\x85\xdf\x90\x29\xe2\x3d\x92\xbb\xc4\x6d\x7c\x7c\x1d\xb7\x36\x5e\x92\xe8\xd2\x44\x9a\xad\xe3\x89\x26\xa6\x43\x68\x72\x3a\x0e\x8a\x77\x7b\x32\x61\xc9\xc9\x7b\xae\x82\x5b\x55\x1b\xa9\x40\x55\x1a\x7e\x15\xe3\x01\x3d\xc0\x9a\x05\x22\x9d\x0c\x9a\xc6\x4e\xe1\x5e\xe3\xd4\x67\x42\x62\x89\x24\xc0\x9e\x63\x60\xcc\x43\x00\x6f\xb9\xa0\xe1\xc0\x6e\x55\x84\x63\x7c\xee\x00\x5e\xe2\x6c\xeb\xa7\x02\x95\xcb\xa5\x63\x7d\xfc\x98\x21\x14\x8e\xd7\x41\x50\x03\xd5\x18\x36\x84\x23\xae\x70\x8c\xfa\xc6\x38\xf2\xb8\xe1\xd3\xa7\x10\x11\xbd\xa8\x03\xac\xd2\xcf\xa4\x29\xea\x5f\xa0\x45\xfe\x07\x8f\x91\xeb\xe4\x5e\x7d\x51\xd4\x3f\x08\x30\x2d\x5f\x3b\x0c\xcc\x3e\xb7\xdc\x03\x81\x8b\x33\x56\x7e\x86\xf8\xe5\xdc\x40\x45\x15\x69\xa7\x95\x48\x58\xd2\x6d\xf8\x55\x49\x35\x27\x6f\x56\x54\xaf\xec\xf2\x40\xc7\xe8\x6c\x92\xec\xba\x4d\x3f\xf7\x58\x21\x31\x2d\x6a\x3b\x82\xe1\x8c\xc2\x34\xda\x5b\xac\xc2\x86\xef\x09\x24\xce\x23\xbd\x30\x70\x8d\xe5\x81\x32\x57\x4b\x54\x8c\x96\x28\xb5\x2d\x34\x29\x1d\x1c\x4a\x7f\xfd\xfe\x63\xde\x1f\xa9\xb5\xe0\xfa\x6e\x62\xf3\x52\x8a\x80\xc9\xcc\x97\xa7\xc5\x15\x40\x3f\xce\x89\x5a\xb7\x95\x63\x52\x66\xaf\x74\x6d\x89\xd2\xc9\x40\x58\xca\x38\x50\x1d\x86\xb4\xd6\x32\x4d\x0d\xf0\xd9\xc1\xe4\x7b\xbf\x83\x8b\xaa\x20\x6a\xa2\xec\x43\x97\x82\x8e\x99\x2f\xe9\x63\xb2\xe8\x37\x22\x80\x26\x27\
x62\x90\x30\x10\x6c\xf2\x0e\xc9\x8e\x24\x51\x47\xc9\x44\x26\x21\x4d\xdf\xb9\x79\x12\x06\x51\xad\xde\x14\xa4\x25\xfe\xf2\x9a\x20\xc0\xcc\x54\x60\x39\x3a\xcb\xdb\xa5\x7b\x3c\x38\x36\x62\x7e\x6a\x9c\x19\xa2\x34\x43\x12\xa9\xbc\x66\x1b\x76\x02\x85\x41\x5a\x28\x74\xe2\xf2\x18\x7b\x5c\x6d\xbf\x38\xb0\x59\x63\x6f\x9e\xd1\xde\x16\x92\xd3\xb8\x65\x04\xa7\xc1\xb6\x68\xe5\xaa\x0f\x87\xcf\x49\x7f\x0c\xab\x26\x6e\x4d\xb6\x4e\xc6\x46\x55\x80\xbe\x1d\x97\x24\x49\x47\x30\x46\x88\xcb\x35\x76\x49\x0b\x8d\xb0\x86\xb0\x89\x05\x82\x0e\xa9\xd9\x1d\xfc\x8f\x3b\x96\x6a\x9e\x56\x8d\x85\x6a\x9c\xce\x3f\x17\x31\xac\x16\xe4\xcf\x48\x71\x43\x34\xb6\xc7\xac\x35\x97\xfc\xae\x85\xd1\x79\x46\xb0\xae\x28\x99\x84\x5e\x96\x06\x6e\x0a\x64\x83\x85\xc9\x8e\xe5\xc1\x19\x39\x13\x56\xb2\x04\xac\xbd\x4a\x5c\x7c\xc2\xcb\xce\xec\xe0\xf5\x8d\xfb\x73\xfc\x30\xef\x7c\x17\x69\xb4\xf5\x6e\xd1\xb7\x7d\x76\x24\x8b\x0e\xa2\xa6\x6d\xb0\xe5\x21\x7b\x5d\x62\x42\x37\x19\x1a\xbe\x94\x86\xac\x0b\xd3\x2e\x3e\x73\x62\x33\x14\x41\x73\x4a\x8d\xd9\xed\x98\x3b\x92\xbf\x26\x47\x2c\x50\x21\xf8\xbe\xa1\x31\xec\xe4\x7c\x8f\x45\xe6\x8a\x25\xa8\xbe\xb4\x88\x58\x95\xc2\x79\x82\x30\x6d\xaf\xa1\xfa\xc9\x05\xb2\x76\xc2\xf6\x0c\xcd\xca\xbe\x2a\x5b\x32\x5b\x5c\x5d\x84\x82\xf3\x05\x66\x02\x44\xc3\x61\x71\x1f\x0e\xed\x77\x46\xc0\xda\xf9\x9d\xfd\xe3\x6c\xaf\xf2\x94\x05\x11\x82\xc5\xb6\x58\x9f\xc0\x70\x0b\x75\x1f\xb2\xb3\x80\x7f\x0b\xcb\xd2\x77\xa8\x44\xce\x82\xa5\x45\x58\xf5\x5c\xdd\x25\xa3\x0b\x22\x83\xab\xe5\x19\xc8\x27\xb1\x0a\xed\x61\x2f\x8a\xea\x3c\xb7\xac\xa8\xb3\x40\x28\xc0\xb3\x63\xc9\xac\xc5\x2d\xde\xa9\xe0\xc3\x4e\x8a\x5c\x90\x86\x9f\xe6\x0d\x28\x30\x7e\x35\xd3\xe4\x35\x82\xf3\x77\x3d\x46\x66\x9e\x43\x13\xa0\x7b\x12\xe7\xd6\xd5\x01\x43\x6f\x8e\x6f\x4b\xc3\x47\xb2\x91\x94\x14\x4d\x82\xc5\xda\xa9\x73\x0f\xea\x34\x66\xc3\x16\x72\x09\xf0\x96\x97\xda\x03\x4f\x86\xca\x9e\x5a\x7e\x28\xc0\x59\x99\xf4\x16\x1d\xca\x75\x18\x14\x04\x13\x50\x4b\xe2\xaa\x60\xef\x71\xb6\x64\x84\xfc\xa1\xb0\xbb\x11\xaf\xd5\x97\x55\xb9\x78\xdd\x29\x4e\x3d\xa8\x56\x55\
xb9\x0f\x05\xbe\x08\x23\xe2\x62\xaa\x69\x3c\x43\xbc\x23\xf4\x94\x8a\x60\x96\xff\xe1\xb5\x8e\x1b\xcd\x65\xb0\xdb\x70\xc6\x2a\x4f\x85\xd7\xdd\x4b\xe6\xcd\xdf\xea\xf1\x38\x38\x14\xa6\x72\x8b\x4c\x30\x1e\xab\x03\xb9\x50\xba\xc8\x67\x37\x5d\x1b\x6c\x61\xeb\x2f\x7f\xde\x96\x0b\x16\xf5\x94\x83\x79\xe2\x11\x5a\xb5\x40\x13\x56\xdb\x05\xa7\xdc\x30\xa2\x99\x98\x97\xb1\x63\xc7\x3d\x34\x80\x71\x06\xdf\xdc\xf7\xb7\xf9\xb9\xe7\x37\x7f\xc7\x22\x00\x3c\x86\x8c\xa5\xc1\x4a\x0e\x2f\x1d\x19\x40\xec\x6a\xef\xcf\x85\xfe\xd2\x07\x62\x2e\xd3\x81\x20\xc6\xa8\xaa\xd7\xb4\xe9\xe8\x7d\x5e\x4e\x9a\x6a\x55\xc6\xe1\x32\xe9\xe1\xe9\xa3\xa6\x2b\x4f\x7c\x6c\xe0\x09\x3f\x88\x65\x47\xdf\xc4\x8d\xe1\xd2\xe0\xc8\x5b\xf0\x1b\x49\xf9\x92\x41\xa3\x6d\x32\x4c\xdb\xad\xe5\x37\x7d\x5a\xa5\x73\x33\x77\xec\x7e\x97\xb7\xac\x54\x38\x7f\xd2\x93\x91\x31\x9d\x3f\x3b\xbc\xd0\x7b\x28\x70\xb9\x64\x6b\xf2\x83\x5b\x3a\xbb\x51\x21\xdc\x20\xa6\x38\xc6\xd0\xd6\x2b\x0a\x05\xd9\x4a\x5f\x1c\x03\xbf\xf6\xe8\x71\xa8\x4f\x9a\x7d\xef\xa1\x6f\x30\xcb\x8b\x3f\xf5\x7c\xb5\xa9\xb8\x95\x8b\x59\x21\x19\xcb\x0c\x80\x25\x13\xc1\x4a\xec\x2d\x27\xcf\xff\xbf\xb4\xe6\xa2\xa8\x40\xf8\xb0\xd7\x46\xa8\x3f\xa8\xbd\x22\x70\x21\xb0\x38\xf5\x0c\x41\x1f\x79\x22\xfb\x38\xec\x89\xf5\x1d\x71\xb7\xd3\xd9\xe2\x41\xdb\x1b\xe1\xb4\x50\x7e\x5b\x68\xfa\x1e\xe8\x9c\x21\x27\x44\x5e\x5d\x6e\xd4\xe7\x43\x3d\xe7\xbf\x4d\x72\xb7\xf7\xb1\xc9\xaa\x7c\x40\x8e\x4c\x10\x50\xce\x17\x74\x27\x98\x4f\x50\x35\xb5\x1e\x3a\xd5\x2b\x56\xd8\xaa\xf3\x8e\x56\x79\x30\xa7\x11\xc8\xdc\x34\x88\xff\xcd\xc1\xa5\x6f\xe1\xb4\xc5\xdf\x22\x67\x3b\xcc\x3e\x9c\xcd\xbb\x3a\xb6\x70\xa2\x45\x47\xf5\xde\xd4\x2d\xec\xfd\xdd\x52\x21\x04\x07\x5c\x37\xdd\xed\xe4\x60\x92\x5d\xcb\xc6\xe5\xef\x20\x60\x28\xaa\x7e\xa0\xc8\x4d\x60\xd9\x90\xfc\xd4\x8d\x76\xc9\xa4\x7b\xe6\x81\x92\x50\xd4\xd1\x0f\xce\xfc\x7a\x12\x4c\x6f\x3f\xaa\xf5\x1f\x7b\x67\xdc\xc2\xb3\x9a\xcf\x11\x9c\x8f\x89\xb9\x3b\x58\x39\x52\x47\xfa\x45\x9c\x1f\xfe\x6f\xc5\xa7\x0c\x32\xd5\x19\x6d\xa5\x93\xb3\x36\xbe\x04\x67\x16\x4e\xbb\xc9\x86\xfc\x14\
x5b\x32\xbb\x91\xa4\xc0\x58\x88\x4c\x82\xf5\xca\xcd\xa6\x2a\x43\x12\xbb\x35\x07\x0e\x74\xde\x2b\xba\x07\x64\x8b\x7e\xb9\xd9\xfa\xe8\x91\x64\x8f\x54\x32\xb6\xa7\xd5\x98\x6e\xf2\x02\x78\x72\xcf\x9e\x1a\x08\x6c\x57\x6a\xba\xc8\xdc\x40\x1a\xab\x0d\xa9\x3a\xbf\x0a\xb7\x1e\xcd\x9b\xb9\x6e\x39\x18\x03\x62\xa1\x0a\x21\x85\x07\x1e\xbb\x8c\xa2\xca\x8d\x97\x19\xd4\x7b\xfc\x18\xb6\x2f\x97\x71\xb9\x7d\xfe\xd7\x3b\x98\x23\x25\xeb\x94\x3d\x78\x5c\x78\x75\x00\xd5\xac\x0d\x26\xa9\xca\x90\xcc\x73\xc2\xac\xfe\x87\x2f\x4e\x32\xeb\x44\x39\x08\x3b\xdb\x32\x49\x70\x1d\xdd\xdb\x50\x0d\xf3\xf8\x96\xbb\x1f\x7a\x37\x06\xd6\x4b\xe1\x6d\x00\xf6\xfd\xcd\x6b\xf4\x1d\xf8\x65\x35\xf2\x98\xd2\xdd\x04\x31\x77\x74\xbd\x6b\x39\x03\xf3\x71\xd5\x9b\xe7\x19\xb7\xec\x1d\x00\x3b\x3c\x97\x05\xa8\xf7\x88\x89\xb8\xf7\xda\x0d\x46\xde\xfd\xce\xd2\xdf\x70\xd8\xcb\x45\x70\x82\x8b\xb2\x65\x49\xb5\x50\x11\x58\x9c\x73\xbe\xc4\x20\x7c\x8d\x59\xeb\xe1\x89\x6b\x37\x61\xc1\x85\xa1\x32", 4096); *(uint32_t*)0x20006c44 = 0x1000; *(uint32_t*)0x20006c48 = 0x8001; *(uint32_t*)0x20006c4c = 0x200066c0; memcpy((void*)0x200066c0, "\x31\xe3\xc3\xfa\x6d\x99", 6); *(uint32_t*)0x20006c50 = 6; *(uint32_t*)0x20006c54 = 0x3ff; *(uint32_t*)0x20006c58 = 0x20006700; memcpy((void*)0x20006700, "\x39\xde\x86\x3b\x71\x48\x20\x8e\x43\x2f\xcd\xdb\xd9\xe9\x14\x8e\x71\x6c\x1b\x48\xa3\x96\x7c\x87\x0c\x70\x14\x5d\x90\xed\x68\x1b\x3f\x8b\xce\x84\x9f\xee\x7f\x50\x09\x15\x70\x85\x4e\x20\x10\x37\x23\xe5\x64\x54\xe7\x11\x54\x3f\x6e\x2b\xe9\x2c\x34\x09\x0d\x8c\xc7\x92\x26\x0b\xe9\xb9\x60\xc1\xe4", 73); *(uint32_t*)0x20006c5c = 0x49; *(uint32_t*)0x20006c60 = 9; *(uint32_t*)0x20006c64 = 0x20006780; memcpy((void*)0x20006780, 
"\x17\xfa\xd5\x71\xf8\x0f\xec\xd3\x4a\x59\xbc\x03\xf6\xc0\x2b\xbd\x6d\x56\xcd\x8d\x95\x89\x24\xb4\xae\x41\x89\xb8\x8b\x85\x89\x7e\xfd\x4e\x59\x6e\x11\x18\xbb\x0c\x77\x1c\x2c\x5b\xa3\x7d\xed\x06\xd7\x81\x11\x39\x0c\x1c\x80\xcf\x6e\xa9\xdf\x87\x27\xf8\x85\x59\x81\x5e\xd7\x6b\x36\xfa\x13\xfb\x4d\x08\xe1\xcc\xda\xd7\x97\x3b\x5b\xec\x56\x55\xa7\x4a\x67\x1f\xde\x99\xee\x92\x39\x7c\x56\xd4\x09\xda\xdb\x10\xc4\xc3\x7e\xe9\x2c\xb4\x1d\x03\xae\x6f\xb1\x64\xe7\xf8\x69\x85\x03\x91\x28\xd3\x8b\xe8\x3b\x5e\x16\xc3\x5e\xe3\x4e\xb2\xb8\x39\x6c\x53\x48\x02\x87\x81\xa0\xa8\x79\xf8\x81\x59\x74\x0a\xb8\x97\x05\xd6\x37\xbe\xda\xfa\x91\x5f\x19\x5a\x15\x25\x97\xfa\x0d\x7d\xa9\xb7\x64\x76\x60\x2c\x6e\xee\xfc\xa1\xe8\x0a\x6d\x3d\x0e\xd1\xa7\x5b\x00\xf7\xa5\xe1\x53\xdd\x85\x1e\x23\x01\xc8\xda\xa7\xd4\x9b\x4a\xd9\x1c\x62\xd1\xa6\x96\x7f\x54\xcf\x96\x21\xc2\x40\xed\x58\x71\x92\xf6\x99\x59\xe0\x54\x07\x85\x0c\xe3\x83\x1c\x4e\x81\x1e\x6f\xff\x1c\xdf\x93\xcf\xab\xde\x88\x73\x58\x31\x68\x81\x84\x53\x56\xd7", 247); *(uint32_t*)0x20006c68 = 0xf7; *(uint32_t*)0x20006c6c = 0x26; *(uint32_t*)0x20006c70 = 0x20006880; memcpy((void*)0x20006880, "\xc2\x86\x96\x8e\x22\x38\x74\x2a\x47\xe0\xe8\xd4\x44\xa6\xa6\x61\xb7\x70\x82\x22\xf4\xed\xda\xb9\x7a\x74\x9d\xce\xbe\x2c\xc8\x3a\x31\x4b\x82\x87\x95\xf9\x15\xa3\x6d\x87\x3b\x71\x4a\xef\x15\xdd\xb1\xb4\xf6\x2f\x06\x80\x0b\xbe\x85\xea\xeb\xcb\x76\xab\xe9\x44\x71\x92\x49\xee\x79\x27\xc8\x8e\x78\xa9\x68\xe9\x3f\x45\xc5\x20\x13\xef\x97\xef\x6f\x98\x9b\x1d\x1c\xd3\x0f\xff\x88\x67\x79\x62\xc8\xf3\x05\x2a\xd0\xa4\x63\x1e\x4e\x75\x0b\xa8\x0f\x37\x53\x91\x6c\x2d\xff\xc6\xa4\x02\x3c\xdb\x62\xa1\xb5\xf2\xaf\xbb\x96\x5b\x2f\x78\xc5\xdd\x47\xaf\x90\xb0\x02\xda\x1a\x26\xa2\x4f\xcb\x99\xbf\x81\xfb\x29\x57\x4a\x2f\x98\x10\x7a\x79\x37\x63\x98\x73\xb9\x5f\x4a\x56\x9a\x04\x06\xcc\x35\x8b\x46\xef\xae\x58\x7e\x90\x08\xbe\x69\xd7\x11\xae\x20\x2c\x22\xe2\x9a\x2f\x61\x5f\xd2\x3d\xcf", 192); *(uint32_t*)0x20006c74 = 0xc0; *(uint32_t*)0x20006c78 = 0; *(uint32_t*)0x20006c7c = 0x20006940; 
memcpy((void*)0x20006940, "\x97\xfc\x4d\xd9\xdb\x67\x3e\x16\xfd\x0f\x0e\xb9\xa4\xa2\x6e\x2a\x49\xf4\x2e\x16\x16\x19\x0b\x06\x34\xdf\xd6\x13\x51\x45\xf4\xe4\x51\xbb\xba\xd5\x6d\xad\xf2\x66\x96\x4e\xba\x7d\x10\x07\xc0\xa2\x3f\x8c\xf0\x3d\x4f\x8f\xe0\x9a\x79\x89\x15\x2b\x7c\xf2\xec\x30\xf2\x69\x3a\x06\xbe\xfd\xf0\x23\xd7\x9f\x48\xc2\x08\xd7\x42\xc7\xb7\x59\x15\xbc\xc1\xbe\x58\x35\x17\xce\xd3\xb8\x26\xb9\x70\x75\xe6\x2a\x8e\xd1\x2d\xbb\x26\x48\x07\xc6\xff\xd0\x22\x76\x14\x49\x1f\xb9\xde\x0d\x8a\x92\x5a\x26\x38\xc3\x16\x08\xde\x40\x5b\xbf\x79\xe9\x6f\x17\x1f\xd5\x83\x38\xb1\xd6\x97\x9d\x33\xa7\xda\xe8\xad\x62\xf2\xba\x53\xfe\xfc\x3c", 152); *(uint32_t*)0x20006c80 = 0x98; *(uint32_t*)0x20006c84 = 0x20; *(uint32_t*)0x20006c88 = 0x20006a00; memcpy((void*)0x20006a00, "\x77\xd8\xd6\x06\xbf\xb4\x24\xe7\xb9\x95\x80\x9a\xb4\xf5\x59\x11\x5f\xd8\x2e\x97\x2d\x98\xb6\x51\xdf\xc6\x9b\x10\xdf\x60\x0f\xb4\xf7\x8e\xfd\x58\x6f\x9c\xc2\x6e\xdc\x41\xb1\xd2\xfa\xc8\x7e\xfe\x59\xe2\x62\x41\x1f\x27\xa9\x4c\xf7\x96\xed\x31\x23\x6b\x45\x7c\xa0\xf1\x47\x53\x0e\xfb\xd4\xcf\xa6\xb6\xa0\xfe\xe4\x6c\x25\xab\xcf\x7a\xd8\x28\x2a\xae\x52\x99\xe2\x99\x79\x9c\xd5\x2d\x0a\x58\xd7\xff\x9d\xdd\xd0\x10\x37\x24\xc8\x8d\xa9\x2d\xbe\xfa\xb6\x24\x80\x38\xab\xef\x9e\xc5\x22\x64\xaf\xc7\x48\x25\xf7\xea\x70\xb2\xca\x95\xd6\x90\x0f\x9b\x64\x7a\x3f\x98\x6e\x18\x28\x7c\xb2\xbf\x4b\x4c\x19\xef\xc8\xc2\x18\xfd\x90\x5c\x37\x27\xc8\x6c\x37\x02\x6b\xfb\xde\x3a\xf0\x78\xeb\x07\xb7\x98\xe6\xd3\xd8\xf2\xe4\xd5\xd3\xbc\x18\x8c\xdd\x20\xf2\xeb\xb1\x46\x1c\x5e\x53\xb0\x5f\x29\x89\xff\xac\x3b\x16\x8d\xee\x56\xda\x0f\xc0\x11\x97\x4c\x66\x0e\x40\x0a\xe2\xd8\xb2\xc8\x0a\xcb\x23\x15\x81\xee\x91\x76\x31\x29\xb2\x88\x8a\xeb\x12", 229); *(uint32_t*)0x20006c8c = 0xe5; *(uint32_t*)0x20006c90 = 0x800; *(uint32_t*)0x20006c94 = 0x20006b00; memcpy((void*)0x20006b00, "\x56\x0c\x1b\xea\x71\xb0\xf9\x72\x44\xfa\x38\x6d\x26\xbf\x6b\x1b\x04\x30\x8e\x4b\xc7\xff\xfa", 23); *(uint32_t*)0x20006c98 = 0x17; *(uint32_t*)0x20006c9c = 0x80000001; 
*(uint32_t*)0x20006ca0 = 0x20006b40; memcpy((void*)0x20006b40, "\x14\xe5\x5a\x14\xa7\x95\x33\x87\xee\x55\x33\x3c\x1d\x16\x94\xca\x98\xc7\x99\x9b\x49\x78\x86\x42\x76\x68\x05\xd6\xf5\xa2\x90\xeb\x1e\x95\x9e\xe3\x5a\x74\x04\x59\xe1\x33\x00\x26\x2f\x2a\xf9\xc3\x57\xf7\xa8\xc1\xcb\xa1\x87\xe4\x48\xbc\x3c\x8f\x86\x5c\xc9\xbe\x88\x62\x4f\xb0\xf0\xd0\xbb\x88\x5d\x9c\xc2\xab\xe1\x71\xa2\x47\x8a\x74\x20\xdb\x22\xe8\x60\x7e\x3f\xbe\xc7\xe2\x60\x1d\x9e\x11\x08\x6c\xfa\x8c\xf1\x4d\x99\x67\x6b\x67\x9d\x8d\x6b\xf1\xdd\x4f\xaa\xb8\xfe\x9a\x5f\x4e\x3f\x69\x5f\xe2\xe6\xab\xf0\x9f\x70\x26\x83\x80\x2d\x44\xcc\x3a\x29\x82\x55\xc4\xc5\x95\x33\x73\x1f\xf5\xb2\x3e\x05\x3a\xfb\x71\x6d\x58\xca\xd6\x67\x68\x6e\xe6\x47\xf4\x8e\x19\x9c\x9b\x5c\x3d\x0d\x2d\x47\x0f\x2c\xe1\xc5\xb8\xb5\x70\x8a\xe0\x23\xad\x98\x80\xca\xf3\x1d\x01\xf9\x6a\xeb\xbf\xcc\x7d\xf9\x53\x58\xa0\x16\xc5\x47\x1c\xc2\xce\x2c\xed\x61\x05\x05\x7c\x9d\x22\xc8\x16\x78\x90\xca\x19", 216); *(uint32_t*)0x20006ca4 = 0xd8; *(uint32_t*)0x20006ca8 = 0x400; syz_read_part_table(9, 9, 0x20006c40); break; case 40: *(uint8_t*)0x20006cc0 = 0x12; *(uint8_t*)0x20006cc1 = 1; *(uint16_t*)0x20006cc2 = 0x200; *(uint8_t*)0x20006cc4 = 0x62; *(uint8_t*)0x20006cc5 = 0xa5; *(uint8_t*)0x20006cc6 = 0xbe; *(uint8_t*)0x20006cc7 = 0x10; *(uint16_t*)0x20006cc8 = 0x2833; *(uint16_t*)0x20006cca = 0x211; *(uint16_t*)0x20006ccc = 0x37a4; *(uint8_t*)0x20006cce = 1; *(uint8_t*)0x20006ccf = 2; *(uint8_t*)0x20006cd0 = 3; *(uint8_t*)0x20006cd1 = 1; *(uint8_t*)0x20006cd2 = 9; *(uint8_t*)0x20006cd3 = 2; *(uint16_t*)0x20006cd4 = 0x6b4; *(uint8_t*)0x20006cd6 = 1; *(uint8_t*)0x20006cd7 = 0x20; *(uint8_t*)0x20006cd8 = 0; *(uint8_t*)0x20006cd9 = 0xa0; *(uint8_t*)0x20006cda = 1; *(uint8_t*)0x20006cdb = 9; *(uint8_t*)0x20006cdc = 4; *(uint8_t*)0x20006cdd = 0xdf; *(uint8_t*)0x20006cde = 0; *(uint8_t*)0x20006cdf = 0x10; *(uint8_t*)0x20006ce0 = -1; *(uint8_t*)0x20006ce1 = 1; *(uint8_t*)0x20006ce2 = 0; *(uint8_t*)0x20006ce3 = 5; *(uint8_t*)0x20006ce4 = 7; *(uint8_t*)0x20006ce5 = 
0x24; *(uint8_t*)0x20006ce6 = 1; *(uint8_t*)0x20006ce7 = 1; *(uint8_t*)0x20006ce8 = 1; *(uint16_t*)0x20006ce9 = 1; *(uint8_t*)0x20006ceb = 9; *(uint8_t*)0x20006cec = 0x24; *(uint8_t*)0x20006ced = 6; *(uint8_t*)0x20006cee = 0; *(uint8_t*)0x20006cef = 0; memcpy((void*)0x20006cf0, "\xfd\x50\x65\x08", 4); *(uint8_t*)0x20006cf4 = 5; *(uint8_t*)0x20006cf5 = 0x24; *(uint8_t*)0x20006cf6 = 0; *(uint16_t*)0x20006cf7 = 3; *(uint8_t*)0x20006cf9 = 0xd; *(uint8_t*)0x20006cfa = 0x24; *(uint8_t*)0x20006cfb = 0xf; *(uint8_t*)0x20006cfc = 1; *(uint32_t*)0x20006cfd = 0x40000000; *(uint16_t*)0x20006d01 = 8; *(uint16_t*)0x20006d03 = 0x4cc5; *(uint8_t*)0x20006d05 = 0x7f; *(uint8_t*)0x20006d06 = 7; *(uint8_t*)0x20006d07 = 0x24; *(uint8_t*)0x20006d08 = 0xa; *(uint8_t*)0x20006d09 = 8; *(uint8_t*)0x20006d0a = 0x3f; *(uint8_t*)0x20006d0b = 0; *(uint8_t*)0x20006d0c = 0x81; *(uint8_t*)0x20006d0d = 0x10; *(uint8_t*)0x20006d0e = 0x24; *(uint8_t*)0x20006d0f = 7; *(uint8_t*)0x20006d10 = 0x80; *(uint16_t*)0x20006d11 = 5; *(uint16_t*)0x20006d13 = 0x44; *(uint16_t*)0x20006d15 = 2; *(uint16_t*)0x20006d17 = 0x800; *(uint16_t*)0x20006d19 = 0x101; *(uint16_t*)0x20006d1b = 4; *(uint8_t*)0x20006d1d = 4; *(uint8_t*)0x20006d1e = 0x24; *(uint8_t*)0x20006d1f = 2; *(uint8_t*)0x20006d20 = 4; *(uint8_t*)0x20006d21 = 8; *(uint8_t*)0x20006d22 = 0x24; *(uint8_t*)0x20006d23 = 0x1c; *(uint16_t*)0x20006d24 = 0; *(uint8_t*)0x20006d26 = 0xc0; *(uint16_t*)0x20006d27 = 0x5325; *(uint8_t*)0x20006d29 = 6; *(uint8_t*)0x20006d2a = 0x24; *(uint8_t*)0x20006d2b = 0x1a; *(uint16_t*)0x20006d2c = 0x7f; *(uint8_t*)0x20006d2e = 0; *(uint8_t*)0x20006d2f = 9; *(uint8_t*)0x20006d30 = 5; *(uint8_t*)0x20006d31 = 5; *(uint8_t*)0x20006d32 = 0; *(uint16_t*)0x20006d33 = 0xb5a2; *(uint8_t*)0x20006d35 = 6; *(uint8_t*)0x20006d36 = 0; *(uint8_t*)0x20006d37 = 5; *(uint8_t*)0x20006d38 = 7; *(uint8_t*)0x20006d39 = 0x25; *(uint8_t*)0x20006d3a = 1; *(uint8_t*)0x20006d3b = 0x82; *(uint8_t*)0x20006d3c = 0xe9; *(uint16_t*)0x20006d3d = 0xf000; 
*(uint8_t*)0x20006d3f = 9; *(uint8_t*)0x20006d40 = 5; *(uint8_t*)0x20006d41 = 0xe; *(uint8_t*)0x20006d42 = 2; *(uint16_t*)0x20006d43 = 0x200; *(uint8_t*)0x20006d45 = 8; *(uint8_t*)0x20006d46 = 7; *(uint8_t*)0x20006d47 = 0x40; *(uint8_t*)0x20006d48 = 9; *(uint8_t*)0x20006d49 = 5; *(uint8_t*)0x20006d4a = 0; *(uint8_t*)0x20006d4b = 0x7e; *(uint16_t*)0x20006d4c = 0x200; *(uint8_t*)0x20006d4e = 8; *(uint8_t*)0x20006d4f = 3; *(uint8_t*)0x20006d50 = 1; *(uint8_t*)0x20006d51 = 0x9b; *(uint8_t*)0x20006d52 = 0x21; memcpy((void*)0x20006d53, "\xf2\xef\x0a\x5c\x06\x9c\xdb\x31\x91\x38\xe1\x85\x06\x1d\x7e\x19\x6a\xe9\x4e\x53\x5d\x80\xf2\x76\x66\xfb\xa2\x3b\x37\x43\x25\xf1\x5d\xc5\xf2\x08\x12\xfe\x05\xb0\x62\x0f\x6f\xfc\xb8\x10\x03\xb1\xf3\x9c\x5d\xcd\x1b\xff\x14\xe2\xbb\xeb\x38\x73\x35\xa3\x53\x4f\x5a\xdb\x60\xff\xc4\xf2\x85\x95\xc8\xf9\x92\xf7\x7f\xd5\xf6\x7a\x04\x84\x2b\x9c\x43\x64\xe3\x55\x6b\xe9\xba\xcb\x8f\xd5\x6e\xd7\x78\x59\x29\x11\x53\xf6\xc5\x66\x02\x63\x63\xbf\xa5\xf2\xe6\xff\x2f\xa6\xd2\x93\x17\xf2\xd5\x62\x44\x53\x64\x93\x99\x15\xa7\x5d\xd7\x36\x5f\x6a\xb9\xc1\x5d\xdb\xc7\xc3\xa4\x5f\x7e\xb9\x8f\xd1\xfe\xa3\x55\x1b\xbd\x46\xf2\x0a\x87", 153); *(uint8_t*)0x20006dec = 9; *(uint8_t*)0x20006ded = 5; *(uint8_t*)0x20006dee = 0x80; *(uint8_t*)0x20006def = 1; *(uint16_t*)0x20006df0 = 0x3ff; *(uint8_t*)0x20006df2 = 1; *(uint8_t*)0x20006df3 = 0x20; *(uint8_t*)0x20006df4 = 0xef; *(uint8_t*)0x20006df5 = 0xec; *(uint8_t*)0x20006df6 = 6; memcpy((void*)0x20006df7, 
"\xf6\x42\x24\x6a\x53\x72\x99\x1d\xb9\x7e\x58\x24\xa4\x10\xe2\x83\x00\xd3\xbd\x15\x36\x38\xf6\xda\xc6\xe1\x18\x9a\x0c\x56\x0a\x0a\x0e\x5f\x8b\x15\xe0\x78\x79\xac\x95\x01\x65\x15\x20\x26\x46\xa7\xb5\xb5\xfc\x74\xb7\xcd\x40\xd5\x15\xb2\x84\x9d\x8c\x1d\xd9\xae\x4f\xca\x16\xc2\xe6\xcf\x0e\x8a\x20\xce\x54\xf0\x5f\xa1\x23\xc0\x19\x20\x8c\xb3\x4b\x5e\xe5\x61\xc2\x74\xea\x40\xa7\xb3\x4e\x58\x13\xa4\xa2\x9b\xe4\x08\x17\xeb\x1f\x7b\x3e\x9b\xef\x60\xf7\xc5\x66\x57\x48\x12\x36\xb9\x3e\x2c\x29\x7f\x17\xc7\x76\xb9\x8f\x1d\x0c\x8f\x2a\x56\x44\x77\x66\xc7\x28\x8b\xa6\xb1\xe3\x85\xb8\x4a\x51\x6a\x98\xab\x72\x9b\xa7\x0e\x31\xfe\xe3\xaa\xb1\x01\xd5\x90\xa4\x48\x1a\xe5\x85\x63\x26\xc6\x82\x5b\x73\xc7\xae\x7d\x3b\x99\xcb\x3c\x59\xdb\x31\xa1\x27\x26\x23\x4b\x90\x05\x84\xe8\xdb\x77\x93\x52\x18\x8d\x12\xc9\x32\xd4\xaa\xcb\x59\xee\xf3\x3d\x33\xb9\x55\x05\x10\xcf\x2b\x49\xda\x74\x7e\x03\x1c\x83\x11\x7b\x51\x1a\x1b\xb9\x3e\xd7\x6c\x71\x6e\x6a\x02\x54", 234); *(uint8_t*)0x20006ee1 = 7; *(uint8_t*)0x20006ee2 = 0x25; *(uint8_t*)0x20006ee3 = 1; *(uint8_t*)0x20006ee4 = 0; *(uint8_t*)0x20006ee5 = 6; *(uint16_t*)0x20006ee6 = 0x40; *(uint8_t*)0x20006ee8 = 9; *(uint8_t*)0x20006ee9 = 5; *(uint8_t*)0x20006eea = 1; *(uint8_t*)0x20006eeb = 0; *(uint16_t*)0x20006eec = 0x100; *(uint8_t*)0x20006eee = 0xfe; *(uint8_t*)0x20006eef = 8; *(uint8_t*)0x20006ef0 = 0x37; *(uint8_t*)0x20006ef1 = 0xe9; *(uint8_t*)0x20006ef2 = 0x23; memcpy((void*)0x20006ef3, 
"\x1a\x0e\x35\x42\x85\x7d\x49\xea\x63\xb7\x26\x1e\xbf\xc1\x9f\x14\x27\x2e\x28\x4d\x26\x65\xd2\x79\x5e\x43\xf6\xf9\xca\x62\x77\x6c\x9e\xe5\x2d\x99\x18\x79\xd7\xd6\x7b\x4d\x8b\x27\x0f\xd5\x15\x98\xbe\xac\x1c\x03\x39\xb2\x25\x7a\xd6\x8c\x1d\xde\x54\x88\x5a\xe2\xd2\x19\xb8\x7c\xde\x15\x9a\x98\x97\xc8\x8b\xda\x26\xe0\x8a\x36\x91\x05\x50\x22\x73\x9c\x1f\xe6\x4a\xdb\x98\x63\x9d\xc2\x54\x21\xc4\x49\xcf\x36\x48\x00\xc4\xc3\x65\x06\x2f\x24\x88\xe6\x90\x1e\x56\xe6\x2f\x4b\x70\x3e\xae\x7a\xf2\x62\x98\xa1\xee\xe1\xbf\xe6\x2d\x9b\x2a\xe3\x53\x20\xae\x2b\xaf\x17\x4e\x94\xff\x55\x32\x10\x97\xbe\x81\xe0\x27\x9f\x5d\x0a\xa8\x4d\xd1\x8c\xa0\x86\x4d\x98\xd0\xed\xbb\xea\xa1\x9d\xdf\x36\x26\xfd\x83\xa2\xe2\xb5\xf6\x76\xa7\x34\xd4\x78\x4b\x3c\x68\x77\xfd\x1b\xb3\xc9\x54\x3d\xf7\xab\xda\x9b\xd9\xc9\xbe\x40\x59\x49\x74\x7e\x21\x07\x3c\x18\x95\x7f\xff\x0e\xaa\xc0\x27\x3c\xfd\x3f\x70\x2c\xb6\x55\x97\x94\x9a\x17\x27\x26\xf7\xe4\x59\x53\x6c", 231); *(uint8_t*)0x20006fda = 0x18; *(uint8_t*)0x20006fdb = 0x10; memcpy((void*)0x20006fdc, "\xa0\x28\x90\x17\xf3\xf4\x33\xf1\x10\x59\x48\x9a\x61\x11\x58\x23\xe1\x13\x8a\xe8\x4a\x34", 22); *(uint8_t*)0x20006ff2 = 9; *(uint8_t*)0x20006ff3 = 5; *(uint8_t*)0x20006ff4 = 0xe; *(uint8_t*)0x20006ff5 = 4; *(uint16_t*)0x20006ff6 = 0x10; *(uint8_t*)0x20006ff8 = 0x67; *(uint8_t*)0x20006ff9 = 3; *(uint8_t*)0x20006ffa = 8; *(uint8_t*)0x20006ffb = 7; *(uint8_t*)0x20006ffc = 0x25; *(uint8_t*)0x20006ffd = 1; *(uint8_t*)0x20006ffe = 1; *(uint8_t*)0x20006fff = 0x80; *(uint16_t*)0x20007000 = 0x2e6; *(uint8_t*)0x20007002 = 9; *(uint8_t*)0x20007003 = 5; *(uint8_t*)0x20007004 = 0xd; *(uint8_t*)0x20007005 = 4; *(uint16_t*)0x20007006 = 0x200; *(uint8_t*)0x20007008 = 0x48; *(uint8_t*)0x20007009 = 0x35; *(uint8_t*)0x2000700a = 8; *(uint8_t*)0x2000700b = 0xe5; *(uint8_t*)0x2000700c = 5; memcpy((void*)0x2000700d, 
"\x30\xef\xe9\xc1\xa6\xe5\xc8\x9c\x20\x31\x21\x4c\x60\xfb\xbe\xaa\x45\x78\x09\x1e\x38\x00\x9c\x76\x1d\x15\x77\x48\x02\x93\x4c\xfd\x36\x35\x5b\x35\x18\xcc\xfe\x59\xfa\x5e\x7c\xce\xe3\xc1\x3a\xc4\xaf\xfb\xe0\x73\xe0\xe7\x88\xc9\xb5\xe3\x22\x16\xef\xbf\x02\xe3\x58\x69\xd7\xb2\x33\xa3\x89\xf8\x12\xbf\xd8\x49\x43\x3c\x32\x84\x66\xed\xa5\xe0\xe3\x23\x75\x29\xcd\xc6\x5e\x4e\xee\x74\x3d\x31\xff\xc1\x86\xa1\xfe\x79\x4b\xdf\x13\x64\xf3\x1e\xae\xff\x39\x82\x9e\x8f\x61\x44\x85\x0d\x74\x70\xcc\x71\x57\x2d\x1f\x2f\x23\xdc\xcd\xbc\xdd\x99\xe4\x93\x0d\xe7\xed\xbf\x59\xb3\x38\xdb\x34\x90\x30\x5f\xd7\x71\x02\x57\x98\x0b\x7f\x76\xb8\xda\xea\xcb\x2a\xd6\x18\x13\x1f\xb9\xb5\xa3\xe0\x26\xc9\xdd\xbd\x69\x48\x3c\xd7\x94\xca\xad\x29\xf2\xe3\xb6\x31\x24\xa9\x52\xb4\x62\xde\x0c\xd9\x51\xd7\xef\xd9\xb3\xb2\x91\x07\xb6\x41\x41\x7e\x77\x83\xd9\x01\x59\x13\x7f\xa5\x27\x3a\x95\xe0\xcc\x46\xc9\x7c\x22\x46\xe6\x11\xac\xb1\x4b\x4d", 227); *(uint8_t*)0x200070f0 = 9; *(uint8_t*)0x200070f1 = 5; *(uint8_t*)0x200070f2 = 3; *(uint8_t*)0x200070f3 = 0x10; *(uint16_t*)0x200070f4 = 8; *(uint8_t*)0x200070f6 = 0; *(uint8_t*)0x200070f7 = 0x33; *(uint8_t*)0x200070f8 = 9; *(uint8_t*)0x200070f9 = 9; *(uint8_t*)0x200070fa = 5; *(uint8_t*)0x200070fb = 2; *(uint8_t*)0x200070fc = 0xc; *(uint16_t*)0x200070fd = 0x400; *(uint8_t*)0x200070ff = 0xed; *(uint8_t*)0x20007100 = 7; *(uint8_t*)0x20007101 = 9; *(uint8_t*)0x20007102 = 0x84; *(uint8_t*)0x20007103 = 0x31; memcpy((void*)0x20007104, "\xee\x4c\xd2\x19\x15\x4d\xf4\x91\xc4\xd3\x2a\xa3\x21\x12\xcf\xf4\x07\x51\x1b\x06\xb1\x7f\x74\x34\x09\xec\xc2\x16\xc3\x1e\x92\xce\xfa\x2b\x5c\xc5\x9e\x63\x4d\x7a\xeb\xa2\xc9\xe5\xe3\x6d\x8e\xfa\xdc\x02\x55\x17\x25\x18\xf9\x09\xb4\xe1\xa7\xda\xf4\xd9\x88\xb1\xee\xaf\x19\x6c\x76\xee\x90\x2b\x65\x7d\x12\xfc\x23\xc2\x1e\x17\x6c\xd1\x49\xe9\x8a\x8d\x8d\x57\x55\xb7\x4f\xed\x1a\x42\x84\xbc\xfd\x6e\x69\x61\x95\x1f\xf8\x21\x6f\x7b\xb4\x2f\x79\x0e\xdd\x53\x9c\x1b\xc5\xbb\xac\x44\xf7\x67\xa6\x85\xc5\x7c\xbb\xde\xc8\x30\xc5\x2c", 130); 
*(uint8_t*)0x20007186 = 7; *(uint8_t*)0x20007187 = 0x25; *(uint8_t*)0x20007188 = 1; *(uint8_t*)0x20007189 = 0x83; *(uint8_t*)0x2000718a = 1; *(uint16_t*)0x2000718b = 0xfe01; *(uint8_t*)0x2000718d = 9; *(uint8_t*)0x2000718e = 5; *(uint8_t*)0x2000718f = 3; *(uint8_t*)0x20007190 = 0; *(uint16_t*)0x20007191 = 0x40; *(uint8_t*)0x20007193 = 2; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 9; *(uint8_t*)0x20007197 = 5; *(uint8_t*)0x20007198 = 0; *(uint8_t*)0x20007199 = 0; *(uint16_t*)0x2000719a = 0x400; *(uint8_t*)0x2000719c = 0; *(uint8_t*)0x2000719d = 0x2f; *(uint8_t*)0x2000719e = 4; *(uint8_t*)0x2000719f = 9; *(uint8_t*)0x200071a0 = 5; *(uint8_t*)0x200071a1 = 0x8f; *(uint8_t*)0x200071a2 = 8; *(uint16_t*)0x200071a3 = 8; *(uint8_t*)0x200071a5 = 0x81; *(uint8_t*)0x200071a6 = 1; *(uint8_t*)0x200071a7 = 0x7f; *(uint8_t*)0x200071a8 = 7; *(uint8_t*)0x200071a9 = 0x25; *(uint8_t*)0x200071aa = 1; *(uint8_t*)0x200071ab = 0; *(uint8_t*)0x200071ac = 9; *(uint16_t*)0x200071ad = 0xfb; *(uint8_t*)0x200071af = 7; *(uint8_t*)0x200071b0 = 0x25; *(uint8_t*)0x200071b1 = 1; *(uint8_t*)0x200071b2 = 0x81; *(uint8_t*)0x200071b3 = 7; *(uint16_t*)0x200071b4 = 3; *(uint8_t*)0x200071b6 = 9; *(uint8_t*)0x200071b7 = 5; *(uint8_t*)0x200071b8 = 2; *(uint8_t*)0x200071b9 = 0; *(uint16_t*)0x200071ba = 0x400; *(uint8_t*)0x200071bc = 0x40; *(uint8_t*)0x200071bd = 0x76; *(uint8_t*)0x200071be = 3; *(uint8_t*)0x200071bf = 7; *(uint8_t*)0x200071c0 = 0x25; *(uint8_t*)0x200071c1 = 1; *(uint8_t*)0x200071c2 = 0x80; *(uint8_t*)0x200071c3 = 0x31; *(uint16_t*)0x200071c4 = 8; *(uint8_t*)0x200071c6 = 9; *(uint8_t*)0x200071c7 = 5; *(uint8_t*)0x200071c8 = 0xf; *(uint8_t*)0x200071c9 = 0x10; *(uint16_t*)0x200071ca = 0x3ff; *(uint8_t*)0x200071cc = 6; *(uint8_t*)0x200071cd = 0xb2; *(uint8_t*)0x200071ce = 6; *(uint8_t*)0x200071cf = 7; *(uint8_t*)0x200071d0 = 0x25; *(uint8_t*)0x200071d1 = 1; *(uint8_t*)0x200071d2 = 0x82; *(uint8_t*)0x200071d3 = 0x80; *(uint16_t*)0x200071d4 = 6; 
*(uint8_t*)0x200071d6 = 9; *(uint8_t*)0x200071d7 = 5; *(uint8_t*)0x200071d8 = 0xf; *(uint8_t*)0x200071d9 = 0x10; *(uint16_t*)0x200071da = 0x200; *(uint8_t*)0x200071dc = 6; *(uint8_t*)0x200071dd = 6; *(uint8_t*)0x200071de = 0xca; *(uint8_t*)0x200071df = 7; *(uint8_t*)0x200071e0 = 0x25; *(uint8_t*)0x200071e1 = 1; *(uint8_t*)0x200071e2 = 0x81; *(uint8_t*)0x200071e3 = 0x20; *(uint16_t*)0x200071e4 = 3; *(uint8_t*)0x200071e6 = 9; *(uint8_t*)0x200071e7 = 5; *(uint8_t*)0x200071e8 = 0x80; *(uint8_t*)0x200071e9 = 0x10; *(uint16_t*)0x200071ea = 0x400; *(uint8_t*)0x200071ec = 1; *(uint8_t*)0x200071ed = 0xfc; *(uint8_t*)0x200071ee = 4; *(uint8_t*)0x200071ef = 0xd4; *(uint8_t*)0x200071f0 = 0x21; memcpy((void*)0x200071f1, "\x28\xa1\xdf\xa1\xd2\x8f\x9a\xe6\x0d\x0a\x8e\x9e\x3c\x51\x2d\xb3\x53\x69\xd4\x79\xfa\x6e\x6a\xa0\x99\xe2\x67\xe1\xce\xd7\x7c\xa2\xe1\x80\xb4\x29\x77\x90\x23\xa8\x72\xb0\xef\x88\x07\xe1\x1f\x8b\x8b\x21\xb8\x11\xd4\xfe\x55\x27\x33\x5c\xe8\x6e\x3a\x95\xcd\xf9\x60\xd1\xe7\x9e\x88\xc2\x76\xc1\x74\xd1\x83\xd2\xf3\xbc\x08\x62\xdd\x7e\x1d\x29\xac\x58\x9c\xeb\x22\x02\x4e\x25\xa4\x4c\x3e\x81\x23\x58\x1d\x14\x48\xfd\x2d\xb5\x33\x2f\xe4\x1c\x23\xf9\xaa\x95\x95\x64\xf3\x2d\xb1\xda\x14\x61\x04\x15\xdd\xc2\x93\xdc\x57\xc9\xd6\xc7\x75\xd2\x21\x51\xbd\xab\x23\x6a\x5a\x73\x59\x2e\x55\x18\x05\x57\x28\xae\x81\x9e\x25\xc0\x80\xcb\xb9\xbf\x02\x03\xb6\x63\x9b\x8f\xd8\xd7\x16\xd9\xc5\x71\xd6\xb2\x60\xea\x29\x77\x33\xd5\x3c\x3a\x05\x44\x9b\x9b\x92\x21\xd0\xf4\x02\x61\x0c\x98\x37\x18\x9f\x9c\x6a\xb3\xba\xaf\x03\x1d\x48\x69\x26\x90\xc9\x98\x1c\xee\x14\x26", 210); *(uint8_t*)0x200072c3 = 0xc3; *(uint8_t*)0x200072c4 = 6; memcpy((void*)0x200072c5, 
"\x60\xed\x98\x57\x6f\xbb\xbe\xe3\xdb\x67\xd5\x35\xea\x7e\x1a\x19\xd9\x2d\x68\x9e\x2f\x03\x30\x8a\x61\x5a\x56\x41\xe7\x2e\x69\x4d\x99\x6f\x76\xc1\x11\x1c\x88\xc5\x07\xc3\x9a\x87\xf3\x4a\x36\x82\xda\xfb\xfe\x58\x3b\x79\xf5\xb9\x50\xa3\x06\x14\x16\x2c\x60\x5f\x7e\x6c\x5d\x45\x2b\x4f\x84\xa1\x45\xf2\x0b\xf4\x47\x0d\xdf\x43\xf0\x6c\x41\x5d\xc6\xc4\x15\x51\xfd\x45\x8b\xa6\xae\xdf\x57\xd7\x4c\xb8\x5a\x25\xe4\x33\x24\x81\x4b\x62\xc3\xbe\x41\x08\xb1\xea\x5b\x9d\xd2\x2a\x78\xa4\x5c\xdf\x5d\x8f\x27\xc1\x1f\x35\x02\x6b\xf7\xef\x10\xc7\xd1\xf0\x61\x5f\xe1\xc4\x4a\x30\x2a\x84\xd8\x8b\x8d\x6c\x2d\x85\x04\x9c\x9f\x48\xa0\x4b\x4e\x61\x80\x1c\x01\x7f\x60\x9b\x67\x3f\xc8\x29\x0f\x73\x62\xa0\xed\x35\x88\x2a\x33\x5b\x65\x7f\x83\x5f\xce\x8e\x20\x10\x0c\xde\x82\xc1\xa3\xdc\x18\x06\x11", 193); *(uint32_t*)0x20007740 = 0xa; *(uint32_t*)0x20007744 = 0x200073c0; *(uint8_t*)0x200073c0 = 0xa; *(uint8_t*)0x200073c1 = 6; *(uint16_t*)0x200073c2 = 0x310; *(uint8_t*)0x200073c4 = 5; *(uint8_t*)0x200073c5 = 0x80; *(uint8_t*)0x200073c6 = -1; *(uint8_t*)0x200073c7 = 0xbf; *(uint8_t*)0x200073c8 = 5; *(uint8_t*)0x200073c9 = 0; *(uint32_t*)0x20007748 = 5; *(uint32_t*)0x2000774c = 0x20007400; *(uint8_t*)0x20007400 = 5; *(uint8_t*)0x20007401 = 0xf; *(uint16_t*)0x20007402 = 5; *(uint8_t*)0x20007404 = 0; *(uint32_t*)0x20007750 = 5; *(uint32_t*)0x20007754 = 0xa8; *(uint32_t*)0x20007758 = 0x20007440; *(uint8_t*)0x20007440 = 0xa8; *(uint8_t*)0x20007441 = 3; memcpy((void*)0x20007442, 
"\x05\x84\xbd\xdc\x14\x96\x71\xf9\xe6\xc6\xcd\x12\x3b\x79\x6c\xaf\xe2\xeb\x5d\x2b\xd3\xcf\x65\xe3\xeb\x0f\x3a\x60\x1a\xba\x71\x64\x71\x3d\x40\x42\x65\x3f\x2c\xca\x18\x22\x07\xd4\xe7\xff\xa8\xbc\x71\xe7\x05\xaa\x48\xbc\xff\x03\xfd\xdd\x2e\x3e\x6b\xeb\xe1\x1c\xb6\x1f\x95\xfa\xf1\x4a\xfd\xf2\x94\x40\x02\x1e\x85\x1f\xb6\x82\xaa\x24\xe6\x24\xe8\x33\x95\x2d\xb6\xd1\xf9\x6a\xa7\xed\xfc\x74\xce\x50\x13\x59\x69\x4c\x75\x83\xeb\x5e\x48\xdf\xe2\x27\xd2\x10\x5d\x5e\x3d\x23\x59\xe3\xc7\x28\xa4\x8a\xdf\xf0\x9b\x11\x32\xf9\x28\x89\x3c\xee\xfa\xe6\x77\x00\x98\x3b\xe1\xca\x94\xe8\x18\xe7\xa1\x46\x3c\x80\x2f\x1f\xc2\xa7\x2d\x40\x90\x09\x33\x40\x3d\x7b\x25\x5a\x35\xd9\xdc\x33", 166); *(uint32_t*)0x2000775c = 4; *(uint32_t*)0x20007760 = 0x20007500; *(uint8_t*)0x20007500 = 4; *(uint8_t*)0x20007501 = 3; *(uint16_t*)0x20007502 = 0x42c; *(uint32_t*)0x20007764 = 0xf4; *(uint32_t*)0x20007768 = 0x20007540; *(uint8_t*)0x20007540 = 0xf4; *(uint8_t*)0x20007541 = 3; memcpy((void*)0x20007542, "\x1c\x53\x71\x17\xdc\x72\x0a\xf3\xcc\xf1\x08\x68\x7c\x86\xcb\x54\x4b\xc8\x85\x37\x9e\x43\x5d\xbb\x86\x1b\xc9\xa0\x15\x50\x59\x2e\x60\x08\xae\x94\xa1\xf9\x83\x17\xad\x9c\xd8\x04\x01\x6b\x07\x9b\x5e\xc2\x94\xdc\xaf\x45\x37\xcf\x5b\x68\xc3\xc4\x35\x37\x54\xca\xf3\x69\xba\x34\x10\x1c\xbd\x21\x92\x6b\x15\xce\xf6\x7a\xb6\x3e\xad\x40\xab\xfb\xef\x86\x7b\x37\x2f\xe2\x78\x18\x66\xf8\x7a\x2d\xcc\xf9\x8f\xfe\x66\x53\x1c\x1d\x50\x21\x40\x6c\x69\xce\x84\xb4\x39\x13\x0c\xac\x71\xf5\x25\x64\xb7\xc8\xfa\x62\x1d\x71\xd5\xff\x00\x15\x17\x59\x3f\x05\x9d\xa0\xcb\x82\xf1\xfd\x5e\x32\x7d\xf9\xab\xec\x49\x46\xe3\x4e\x20\xd3\xf1\xdf\x8f\x4a\x04\x22\xf9\xbb\x53\x89\x49\xb4\xa1\x4d\x1b\x3a\xfd\x67\x93\xe8\x1d\x3b\xa5\x96\xd1\x6d\x8c\xee\x0e\x70\x03\x14\xe5\x31\xe6\x02\xfe\x5c\xb8\x32\xb2\x2c\x7a\x2f\x9f\x36\xf3\x9d\x05\x38\x76\x47\x81\x57\xd5\x41\xe8\xc0\x97\x7a\x9a\xca\xf6\x91\xf1\x23\x4f\x66\x5d\x23\x4f\x82\xee\x90\xff\x89\x82\xd9\xc1\x37\x1a\x15\xdd\xc8\xed\x23\x92\xdd\x5a\x96", 242); *(uint32_t*)0x2000776c = 0x98; 
*(uint32_t*)0x20007770 = 0x20007640; *(uint8_t*)0x20007640 = 0x98; *(uint8_t*)0x20007641 = 3; memcpy((void*)0x20007642, "\x07\x8c\xbe\xfd\x67\x79\x6b\x8d\x00\xc6\xa0\x27\xe5\xd0\x7b\xc3\xb0\x07\x56\xac\xaf\xb9\x09\x6e\x3e\x38\x1a\x99\xfd\xbe\x8a\x51\x61\xca\x19\xa9\x62\x8d\x61\xba\xef\xd6\x97\x2b\x48\xf5\xe0\x4b\x0f\xa6\xe2\xb9\x9c\xca\x8d\xf5\xb5\x0d\xbd\x97\xd6\x56\xc0\x2f\x85\x83\xa5\x8c\xe8\xcb\xd3\x5c\x69\xfb\x3f\x86\xde\x0d\xda\xc9\x0f\x5b\xe8\xd4\xf0\x4a\x3a\xd4\xf3\x12\x93\xb5\x09\x95\x91\x39\xbe\xa0\xf3\x06\x7d\x0e\xbf\xa3\xc5\xb2\x10\xe1\x99\x30\x78\xb0\xae\x92\x95\x61\xfc\x77\x34\x86\x9b\x3d\xd8\xd8\x12\xc0\x0a\x30\x35\x23\x61\x66\xa3\x12\x27\xae\x29\x1e\x69\x6a\xb4\xf8\x1f\x4e\x3f\x02\xd6\xb2\xf3\x34", 150); *(uint32_t*)0x20007774 = 4; *(uint32_t*)0x20007778 = 0x20007700; *(uint8_t*)0x20007700 = 4; *(uint8_t*)0x20007701 = 3; *(uint16_t*)0x20007702 = 0x43e; syz_usb_connect(2, 0x6c6, 0x20006cc0, 0x20007740); break; case 41: *(uint8_t*)0x20007780 = 0x12; *(uint8_t*)0x20007781 = 1; *(uint16_t*)0x20007782 = 0x200; *(uint8_t*)0x20007784 = -1; *(uint8_t*)0x20007785 = -1; *(uint8_t*)0x20007786 = -1; *(uint8_t*)0x20007787 = 0x40; *(uint16_t*)0x20007788 = 0xcf3; *(uint16_t*)0x2000778a = 0x9271; *(uint16_t*)0x2000778c = 0x108; *(uint8_t*)0x2000778e = 1; *(uint8_t*)0x2000778f = 2; *(uint8_t*)0x20007790 = 3; *(uint8_t*)0x20007791 = 1; *(uint8_t*)0x20007792 = 9; *(uint8_t*)0x20007793 = 2; *(uint16_t*)0x20007794 = 0x48; *(uint8_t*)0x20007796 = 1; *(uint8_t*)0x20007797 = 1; *(uint8_t*)0x20007798 = 0; *(uint8_t*)0x20007799 = 0x80; *(uint8_t*)0x2000779a = 0xfa; *(uint8_t*)0x2000779b = 9; *(uint8_t*)0x2000779c = 4; *(uint8_t*)0x2000779d = 0; *(uint8_t*)0x2000779e = 0; *(uint8_t*)0x2000779f = 6; *(uint8_t*)0x200077a0 = -1; *(uint8_t*)0x200077a1 = 0; *(uint8_t*)0x200077a2 = 0; *(uint8_t*)0x200077a3 = 0; *(uint8_t*)0x200077a4 = 9; *(uint8_t*)0x200077a5 = 5; *(uint8_t*)0x200077a6 = 1; *(uint8_t*)0x200077a7 = 2; *(uint16_t*)0x200077a8 = 0x200; *(uint8_t*)0x200077aa = 0; 
*(uint8_t*)0x200077ab = 0; *(uint8_t*)0x200077ac = 0; *(uint8_t*)0x200077ad = 9; *(uint8_t*)0x200077ae = 5; *(uint8_t*)0x200077af = 0x82; *(uint8_t*)0x200077b0 = 2; *(uint16_t*)0x200077b1 = 0x200; *(uint8_t*)0x200077b3 = 0; *(uint8_t*)0x200077b4 = 0; *(uint8_t*)0x200077b5 = 0; *(uint8_t*)0x200077b6 = 9; *(uint8_t*)0x200077b7 = 5; *(uint8_t*)0x200077b8 = 0x83; *(uint8_t*)0x200077b9 = 3; *(uint16_t*)0x200077ba = 0x40; *(uint8_t*)0x200077bc = 1; *(uint8_t*)0x200077bd = 0; *(uint8_t*)0x200077be = 0; *(uint8_t*)0x200077bf = 9; *(uint8_t*)0x200077c0 = 5; *(uint8_t*)0x200077c1 = 4; *(uint8_t*)0x200077c2 = 3; *(uint16_t*)0x200077c3 = 0x40; *(uint8_t*)0x200077c5 = 1; *(uint8_t*)0x200077c6 = 0; *(uint8_t*)0x200077c7 = 0; *(uint8_t*)0x200077c8 = 9; *(uint8_t*)0x200077c9 = 5; *(uint8_t*)0x200077ca = 5; *(uint8_t*)0x200077cb = 2; *(uint16_t*)0x200077cc = 0x200; *(uint8_t*)0x200077ce = 0; *(uint8_t*)0x200077cf = 0; *(uint8_t*)0x200077d0 = 0; *(uint8_t*)0x200077d1 = 9; *(uint8_t*)0x200077d2 = 5; *(uint8_t*)0x200077d3 = 6; *(uint8_t*)0x200077d4 = 2; *(uint16_t*)0x200077d5 = 0x200; *(uint8_t*)0x200077d7 = 0; *(uint8_t*)0x200077d8 = 0; *(uint8_t*)0x200077d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007780, 0); if (res != -1) r[22] = res; break; case 42: *(uint32_t*)0x200079c0 = 0x18; *(uint32_t*)0x200079c4 = 0x20007800; *(uint8_t*)0x20007800 = 0x20; *(uint8_t*)0x20007801 = 0x11; *(uint32_t*)0x20007802 = 0xb7; *(uint8_t*)0x20007806 = 0xb7; *(uint8_t*)0x20007807 = 9; memcpy((void*)0x20007808, 
"\x72\xf5\x91\xba\x5c\x69\x4f\x16\xa4\xd9\x20\x75\xef\x3e\xc8\xbc\x46\x92\x09\x54\x79\x9e\xc8\xd3\xc0\x30\x8f\x3b\x47\x79\xda\x6e\x18\xe9\x82\x4a\x86\x74\x6d\x01\x3a\x39\x9a\xfc\x7f\x6f\xce\xb6\xc3\x7f\x7f\x13\x1c\x71\xeb\xc0\x01\xf6\x66\xea\x63\xed\x3a\xde\x13\x20\x09\x73\x5a\x54\x66\x22\xf9\xe6\x39\xd4\x81\xc9\x67\xcc\x7b\x5b\x74\x7c\xc5\xe6\x2f\xdc\x41\xbb\xb4\xbb\x95\x87\x8a\x44\x2c\xc4\x91\x11\xc0\xf5\x78\x86\xf1\x70\x77\xa1\xb4\xb2\x2e\x3c\xf2\x8e\xec\xb7\x98\xfe\xed\x6f\x16\x8d\xd9\xcc\x26\x46\xf8\xb7\x9e\xd4\x1b\xba\x94\xde\x9e\x30\x4f\xc8\x45\x17\x9a\x73\x21\xf0\x47\x84\xaa\x91\x7b\xa0\x84\x05\xb0\xa9\x5b\x83\x03\xd9\x14\xef\x8e\x37\x47\x80\xdd\x8e\x34\x37\xc9\x5c\x35\x76\x4c\xd0\x63\xe7\xa3\xec\x6d\x79\x0b", 181); *(uint32_t*)0x200079c8 = 0x200078c0; *(uint8_t*)0x200078c0 = 0; *(uint8_t*)0x200078c1 = 3; *(uint32_t*)0x200078c2 = 4; *(uint8_t*)0x200078c6 = 4; *(uint8_t*)0x200078c7 = 3; *(uint16_t*)0x200078c8 = 0x813; *(uint32_t*)0x200079cc = 0x20007900; *(uint8_t*)0x20007900 = 0; *(uint8_t*)0x20007901 = 0xf; *(uint32_t*)0x20007902 = 0xc; *(uint8_t*)0x20007906 = 5; *(uint8_t*)0x20007907 = 0xf; *(uint16_t*)0x20007908 = 0xc; *(uint8_t*)0x2000790a = 1; *(uint8_t*)0x2000790b = 7; *(uint8_t*)0x2000790c = 0x10; *(uint8_t*)0x2000790d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000790e, 0x18, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20007910, 3, 0, 16); *(uint32_t*)0x200079d0 = 0x20007940; *(uint8_t*)0x20007940 = 0x20; *(uint8_t*)0x20007941 = 0x29; *(uint32_t*)0x20007942 = 0xf; *(uint8_t*)0x20007946 = 0xf; *(uint8_t*)0x20007947 = 0x29; *(uint8_t*)0x20007948 = 7; *(uint16_t*)0x20007949 = 0x80; *(uint8_t*)0x2000794b = 6; *(uint8_t*)0x2000794c = 0xe0; memcpy((void*)0x2000794d, "\x84\x02\x48\x7c", 4); memcpy((void*)0x20007951, "\x80\x56\xa3\xff", 4); *(uint32_t*)0x200079d4 = 0x20007980; *(uint8_t*)0x20007980 = 0x20; *(uint8_t*)0x20007981 = 0x2a; *(uint32_t*)0x20007982 = 0xc; 
*(uint8_t*)0x20007986 = 0xc; *(uint8_t*)0x20007987 = 0x2a; *(uint8_t*)0x20007988 = 0xa7; *(uint16_t*)0x20007989 = 2; *(uint8_t*)0x2000798b = 0x7d; *(uint8_t*)0x2000798c = 0; *(uint8_t*)0x2000798d = 0x80; *(uint16_t*)0x2000798e = 7; *(uint16_t*)0x20007990 = 6; *(uint32_t*)0x20007e80 = 0x44; *(uint32_t*)0x20007e84 = 0x20007a00; *(uint8_t*)0x20007a00 = 0x40; *(uint8_t*)0x20007a01 = 0x10; *(uint32_t*)0x20007a02 = 0x8c; memcpy((void*)0x20007a06, "\x21\xb8\x38\x25\x05\x9f\x24\x50\x6d\x8e\x84\x20\x85\xd1\xf2\xe7\xf9\x64\x47\x1b\x20\xed\x0a\x8e\x50\xa9\xaa\x4e\xf1\x6b\x5a\x6f\x2d\xbb\x2b\x57\x0a\x4f\x8d\x13\xd6\x0e\x47\xbb\x78\x21\xff\x91\x21\x11\xde\xe4\x0a\x78\xd4\x2b\x4d\x13\xea\x81\x2d\x92\x9c\xcf\x39\x64\xc5\x46\x8f\x89\xd2\xd2\x16\x30\xec\x87\x06\x7a\x2d\x13\xf4\x52\x38\xb4\x46\xbf\x57\xc6\xb9\xec\x35\x57\x8f\xa5\x87\xfc\x77\xfe\x21\x08\xb1\x59\x0b\xe0\x81\x68\x1c\xcc\x02\x4f\x1f\x59\x0b\xe9\xe5\xbe\xc9\xea\x86\xb9\x80\x3c\x60\x29\x9d\xda\x1a\x82\xf8\xff\x04\x42\x86\x71\xa4\x3b\xc2\xc3\x39\x3a", 140); *(uint32_t*)0x20007e88 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0; *(uint8_t*)0x20007ac1 = 0xa; *(uint32_t*)0x20007ac2 = 1; *(uint8_t*)0x20007ac6 = 4; *(uint32_t*)0x20007e8c = 0x20007b00; *(uint8_t*)0x20007b00 = 0; *(uint8_t*)0x20007b01 = 8; *(uint32_t*)0x20007b02 = 1; *(uint8_t*)0x20007b06 = 0xfb; *(uint32_t*)0x20007e90 = 0x20007b40; *(uint8_t*)0x20007b40 = 0x20; *(uint8_t*)0x20007b41 = 0; *(uint32_t*)0x20007b42 = 4; *(uint16_t*)0x20007b46 = 1; *(uint16_t*)0x20007b48 = 1; *(uint32_t*)0x20007e94 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x20; *(uint8_t*)0x20007b81 = 0; *(uint32_t*)0x20007b82 = 4; *(uint16_t*)0x20007b86 = 0x140; *(uint16_t*)0x20007b88 = 0x20; *(uint32_t*)0x20007e98 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 7; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 0x3ff; *(uint32_t*)0x20007e9c = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 9; *(uint32_t*)0x20007c02 = 1; *(uint8_t*)0x20007c06 = 0x81; 
*(uint32_t*)0x20007ea0 = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0xb; *(uint32_t*)0x20007c42 = 2; memcpy((void*)0x20007c46, "\x8a\x02", 2); *(uint32_t*)0x20007ea4 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0xf; *(uint32_t*)0x20007c82 = 2; *(uint16_t*)0x20007c86 = 0x321a; *(uint32_t*)0x20007ea8 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x13; *(uint32_t*)0x20007cc2 = 6; *(uint8_t*)0x20007cc6 = 1; *(uint8_t*)0x20007cc7 = 0x80; *(uint8_t*)0x20007cc8 = 0xc2; *(uint8_t*)0x20007cc9 = 0; *(uint8_t*)0x20007cca = 0; *(uint8_t*)0x20007ccb = 0; *(uint32_t*)0x20007eac = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x17; *(uint32_t*)0x20007d02 = 6; memcpy((void*)0x20007d06, "\xb0\xfe\x28\x1f\xa3\x91", 6); *(uint32_t*)0x20007eb0 = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x19; *(uint32_t*)0x20007d42 = 2; memcpy((void*)0x20007d46, "#7", 2); *(uint32_t*)0x20007eb4 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x1a; *(uint32_t*)0x20007d82 = 2; *(uint16_t*)0x20007d86 = 6; *(uint32_t*)0x20007eb8 = 0x20007dc0; *(uint8_t*)0x20007dc0 = 0x40; *(uint8_t*)0x20007dc1 = 0x1c; *(uint32_t*)0x20007dc2 = 1; *(uint8_t*)0x20007dc6 = 6; *(uint32_t*)0x20007ebc = 0x20007e00; *(uint8_t*)0x20007e00 = 0x40; *(uint8_t*)0x20007e01 = 0x1e; *(uint32_t*)0x20007e02 = 1; *(uint8_t*)0x20007e06 = 6; *(uint32_t*)0x20007ec0 = 0x20007e40; *(uint8_t*)0x20007e40 = 0x40; *(uint8_t*)0x20007e41 = 0x21; *(uint32_t*)0x20007e42 = 1; *(uint8_t*)0x20007e46 = 0x9e; syz_usb_control_io(r[22], 0x200079c0, 0x20007e80); break; case 43: *(uint8_t*)0x20007f00 = 0x12; *(uint8_t*)0x20007f01 = 1; *(uint16_t*)0x20007f02 = 0x70; *(uint8_t*)0x20007f04 = 2; *(uint8_t*)0x20007f05 = 0; *(uint8_t*)0x20007f06 = 0; *(uint8_t*)0x20007f07 = 0x50; *(uint16_t*)0x20007f08 = 0x525; *(uint16_t*)0x20007f0a = 0xa4a1; *(uint16_t*)0x20007f0c = 0x40; *(uint8_t*)0x20007f0e = 1; *(uint8_t*)0x20007f0f = 2; 
*(uint8_t*)0x20007f10 = 3; *(uint8_t*)0x20007f11 = 1; *(uint8_t*)0x20007f12 = 9; *(uint8_t*)0x20007f13 = 2; *(uint16_t*)0x20007f14 = 0x4d; *(uint8_t*)0x20007f16 = 1; *(uint8_t*)0x20007f17 = 1; *(uint8_t*)0x20007f18 = 2; *(uint8_t*)0x20007f19 = 0x70; *(uint8_t*)0x20007f1a = 0x40; *(uint8_t*)0x20007f1b = 9; *(uint8_t*)0x20007f1c = 4; *(uint8_t*)0x20007f1d = 0; *(uint8_t*)0x20007f1e = 0xc4; *(uint8_t*)0x20007f1f = 3; *(uint8_t*)0x20007f20 = 2; *(uint8_t*)0x20007f21 = 6; *(uint8_t*)0x20007f22 = 0; *(uint8_t*)0x20007f23 = 0xe1; *(uint8_t*)0x20007f24 = 8; *(uint8_t*)0x20007f25 = 0x24; *(uint8_t*)0x20007f26 = 6; *(uint8_t*)0x20007f27 = 0; *(uint8_t*)0x20007f28 = 0; memcpy((void*)0x20007f29, "W?s", 3); *(uint8_t*)0x20007f2c = 5; *(uint8_t*)0x20007f2d = 0x24; *(uint8_t*)0x20007f2e = 0; *(uint16_t*)0x20007f2f = 3; *(uint8_t*)0x20007f31 = 0xd; *(uint8_t*)0x20007f32 = 0x24; *(uint8_t*)0x20007f33 = 0xf; *(uint8_t*)0x20007f34 = 1; *(uint32_t*)0x20007f35 = 0x200; *(uint16_t*)0x20007f39 = 0; *(uint16_t*)0x20007f3b = 0x200; *(uint8_t*)0x20007f3d = 3; *(uint8_t*)0x20007f3e = 6; *(uint8_t*)0x20007f3f = 0x24; *(uint8_t*)0x20007f40 = 0x1a; *(uint16_t*)0x20007f41 = 0x1000; *(uint8_t*)0x20007f43 = 0; *(uint8_t*)0x20007f44 = 9; *(uint8_t*)0x20007f45 = 5; *(uint8_t*)0x20007f46 = 0x81; *(uint8_t*)0x20007f47 = 3; *(uint16_t*)0x20007f48 = 0x20; *(uint8_t*)0x20007f4a = 0x3f; *(uint8_t*)0x20007f4b = 0; *(uint8_t*)0x20007f4c = 0xd8; *(uint8_t*)0x20007f4d = 9; *(uint8_t*)0x20007f4e = 5; *(uint8_t*)0x20007f4f = 0x82; *(uint8_t*)0x20007f50 = 2; *(uint16_t*)0x20007f51 = 8; *(uint8_t*)0x20007f53 = -1; *(uint8_t*)0x20007f54 = 0xec; *(uint8_t*)0x20007f55 = 5; *(uint8_t*)0x20007f56 = 9; *(uint8_t*)0x20007f57 = 5; *(uint8_t*)0x20007f58 = 3; *(uint8_t*)0x20007f59 = 2; *(uint16_t*)0x20007f5a = 0x3cf; *(uint8_t*)0x20007f5c = 0x81; *(uint8_t*)0x20007f5d = 0x39; *(uint8_t*)0x20007f5e = 5; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f80; *(uint8_t*)0x20007f80 = 0xa; *(uint8_t*)0x20007f81 = 6; 
*(uint16_t*)0x20007f82 = 0; *(uint8_t*)0x20007f84 = 2; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x77; *(uint8_t*)0x20007f87 = -1; *(uint8_t*)0x20007f88 = 0x2f; *(uint8_t*)0x20007f89 = 0; *(uint32_t*)0x20008288 = 5; *(uint32_t*)0x2000828c = 0x20007fc0; *(uint8_t*)0x20007fc0 = 5; *(uint8_t*)0x20007fc1 = 0xf; *(uint16_t*)0x20007fc2 = 5; *(uint8_t*)0x20007fc4 = 0; *(uint32_t*)0x20008290 = 5; *(uint32_t*)0x20008294 = 0x69; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 0x69; *(uint8_t*)0x20008001 = 3; memcpy((void*)0x20008002, "\xd2\x5a\x9c\x8f\x14\x52\xa3\xc6\xff\xbf\xec\xa8\xeb\x77\x79\x35\xb5\x8c\x9b\x74\x06\x77\x50\x86\xff\xf7\x17\xb5\x4f\x05\xac\x59\xf9\x45\x17\xff\x3c\xd6\xf3\x10\x1d\xbf\xa7\x9b\xb8\x2a\xe3\x1b\x1d\x31\x6d\x08\xa7\x1d\x14\xfc\x2c\x1c\xfa\x8c\x89\x30\x68\xbd\xe2\xbb\x83\x0a\xe9\x1f\xc9\x42\x88\xcc\x23\x2a\xaa\xc0\xe6\x4b\x84\x00\x7b\x0e\x75\x36\xc3\xec\x34\xed\xef\x04\xde\xd9\x34\x21\xa3\x77\xe0\x69\x53\x26\xaa", 103); *(uint32_t*)0x2000829c = 0xac; *(uint32_t*)0x200082a0 = 0x20008080; *(uint8_t*)0x20008080 = 0xac; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x73\x60\x60\x9c\xe8\x30\x0a\xe4\x62\x33\x08\xd5\xf8\xb9\x7b\xfd\x50\xd3\xd8\x63\x40\x8b\x8e\xa4\x01\xc8\x6d\xa9\xd4\x2c\xe5\xf3\x86\x7c\xe8\xd7\x21\xfb\x2a\xb5\xc2\x5f\x6b\x4c\x5e\x85\xf5\xea\xf3\x41\xbd\x51\x4a\x16\xc2\xdf\xe3\xc7\xa1\xd7\xf4\x27\xae\x62\xc0\xbf\xf3\x79\xe8\x4d\x56\x63\x7e\xc1\x37\x7b\x8c\x8a\xd5\xb5\x5b\x09\x9c\xfa\xa4\xa7\xa6\xee\xb0\x58\x9f\x81\xe7\xa4\x33\x00\xef\xf5\x33\x54\xe1\xb2\xbd\xcd\xc3\x4d\x79\x45\xd6\x35\x62\xe4\x8d\x5e\xd9\x3b\xef\x75\xfd\x01\x60\xfc\xd7\xc3\xa6\xbe\x7f\x0c\x64\x2b\xb6\xe5\x61\xe3\x5a\x1c\x73\x11\x0b\xdc\xde\xd7\x69\x98\x65\xe2\x5e\xb2\x38\xcf\x8f\x3b\x10\xad\x3c\x10\x48\x80\x28\xc3\x70\x63\xc8\x86\x2f\x90\x7b\x06\x82\x9e", 170); *(uint32_t*)0x200082a4 = 4; *(uint32_t*)0x200082a8 = 0x20008140; *(uint8_t*)0x20008140 = 4; *(uint8_t*)0x20008141 = 3; *(uint16_t*)0x20008142 = 0x81a; *(uint32_t*)0x200082ac = 4; 
*(uint32_t*)0x200082b0 = 0x20008180; *(uint8_t*)0x20008180 = 4; *(uint8_t*)0x20008181 = 3; *(uint16_t*)0x20008182 = 0x180a; *(uint32_t*)0x200082b4 = 0xb9; *(uint32_t*)0x200082b8 = 0x200081c0; *(uint8_t*)0x200081c0 = 0xb9; *(uint8_t*)0x200081c1 = 3; memcpy((void*)0x200081c2, "\x37\xef\xeb\x85\x4b\x40\x51\xa4\x6c\x67\xae\xe7\xea\xa0\xf6\x2f\xde\x9f\x59\x9c\xd5\xba\x25\x32\x9d\x50\xae\xe1\x6b\x30\xc6\xc1\xa5\x14\x83\x10\x81\xaf\xc1\xdf\xd2\x68\x2f\xf4\x87\x16\xa9\x1b\xf9\x5e\x08\x42\x12\xb0\x69\x6d\x43\xe1\xc6\xc4\x3a\xda\xf9\xed\x3e\xf7\x0e\x62\x73\x59\x94\xd2\xd0\x86\x51\x39\x60\x49\x88\xfa\xc1\x79\x78\xd9\xc0\x5a\x84\xf3\x42\x38\x31\xdd\x1d\xdd\xc6\xc9\x4d\x50\xdd\xd6\x74\xf1\x65\x25\xbb\xf9\xa8\xdb\x3b\xb4\x90\x01\xbe\x38\xa1\x96\x70\xab\xd9\x9f\x4a\x2e\x97\xcf\xb2\x0d\x46\xc6\x37\x83\x2a\x3e\xc9\x7f\xf0\x94\xc6\xa3\x30\x49\x64\xb7\x2b\xcf\x11\x6b\xf2\x7f\xed\xd5\x52\x1a\xd3\xda\x22\x62\x97\xff\xf8\x49\xc3\x3c\x5d\x84\x9e\x3e\x30\x37\x52\x79\x01\xee\xf6\x3a\x59\x9b\xaa\x54\xfc\x46\xa4\x6f\xf1", 183); res = -1; res = syz_usb_connect(2, 0x5f, 0x20007f00, 0x20008280); if (res != -1) r[23] = res; break; case 44: syz_usb_disconnect(r[23]); break; case 45: *(uint8_t*)0x200082c0 = 0x12; *(uint8_t*)0x200082c1 = 1; *(uint16_t*)0x200082c2 = 0x110; *(uint8_t*)0x200082c4 = 2; *(uint8_t*)0x200082c5 = 0; *(uint8_t*)0x200082c6 = 0; *(uint8_t*)0x200082c7 = 0x20; *(uint16_t*)0x200082c8 = 0x525; *(uint16_t*)0x200082ca = 0xa4a1; *(uint16_t*)0x200082cc = 0x40; *(uint8_t*)0x200082ce = 1; *(uint8_t*)0x200082cf = 2; *(uint8_t*)0x200082d0 = 3; *(uint8_t*)0x200082d1 = 1; *(uint8_t*)0x200082d2 = 9; *(uint8_t*)0x200082d3 = 2; *(uint16_t*)0x200082d4 = 0xb3; *(uint8_t*)0x200082d6 = 1; *(uint8_t*)0x200082d7 = 1; *(uint8_t*)0x200082d8 = 6; *(uint8_t*)0x200082d9 = 0x28; *(uint8_t*)0x200082da = -1; *(uint8_t*)0x200082db = 9; *(uint8_t*)0x200082dc = 4; *(uint8_t*)0x200082dd = 0; *(uint8_t*)0x200082de = 9; *(uint8_t*)0x200082df = 2; *(uint8_t*)0x200082e0 = 2; *(uint8_t*)0x200082e1 = 6; 
*(uint8_t*)0x200082e2 = 0; *(uint8_t*)0x200082e3 = 4; *(uint8_t*)0x200082e4 = 6; *(uint8_t*)0x200082e5 = 0x24; *(uint8_t*)0x200082e6 = 6; *(uint8_t*)0x200082e7 = 0; *(uint8_t*)0x200082e8 = 0; memset((void*)0x200082e9, 177, 1); *(uint8_t*)0x200082ea = 5; *(uint8_t*)0x200082eb = 0x24; *(uint8_t*)0x200082ec = 0; *(uint16_t*)0x200082ed = 8; *(uint8_t*)0x200082ef = 0xd; *(uint8_t*)0x200082f0 = 0x24; *(uint8_t*)0x200082f1 = 0xf; *(uint8_t*)0x200082f2 = 1; *(uint32_t*)0x200082f3 = 0x9208; *(uint16_t*)0x200082f7 = 2; *(uint16_t*)0x200082f9 = 0; *(uint8_t*)0x200082fb = 0x20; *(uint8_t*)0x200082fc = 0x5e; *(uint8_t*)0x200082fd = 0x24; *(uint8_t*)0x200082fe = 0x13; *(uint8_t*)0x200082ff = 7; memcpy((void*)0x20008300, "\x63\xb0\xb9\x53\x77\x14\x7b\xa2\x14\xd9\x50\xfc\x04\xb2\x2c\x04\xbe\x09\xd9\xb9\x6f\x1a\xb9\x4b\xb0\x2e\x8a\x2a\x9e\x23\xcf\x7d\x3a\xca\xb2\x2a\x80\xed\x35\x0e\xc4\xb1\x78\x06\xed\xcb\x16\x9e\x50\x75\x37\x3d\x99\x17\x80\x21\x13\x92\xeb\x3d\x9f\x11\x73\xa5\x39\x84\x3b\xf2\xc3\xf6\x6a\x4a\x69\x60\xa5\x5a\x22\x07\x76\x7d\xb3\xc5\x5a\x7d\xd2\x89\x8b\x5c\xcb\x40", 90); *(uint8_t*)0x2000835a = 0xc; *(uint8_t*)0x2000835b = 0x24; *(uint8_t*)0x2000835c = 0x1b; *(uint16_t*)0x2000835d = 0x2a; *(uint16_t*)0x2000835f = 0x100; *(uint8_t*)0x20008361 = 0xe0; *(uint8_t*)0x20008362 = 0x76; *(uint16_t*)0x20008363 = 0; *(uint8_t*)0x20008365 = -1; *(uint8_t*)0x20008366 = 4; *(uint8_t*)0x20008367 = 0x24; *(uint8_t*)0x20008368 = 2; *(uint8_t*)0x20008369 = 0xa; *(uint8_t*)0x2000836a = 9; *(uint8_t*)0x2000836b = 5; *(uint8_t*)0x2000836c = 0x81; *(uint8_t*)0x2000836d = 3; *(uint16_t*)0x2000836e = 0x20; *(uint8_t*)0x20008370 = 0x73; *(uint8_t*)0x20008371 = 0x35; *(uint8_t*)0x20008372 = 0x3f; *(uint8_t*)0x20008373 = 9; *(uint8_t*)0x20008374 = 5; *(uint8_t*)0x20008375 = 0x82; *(uint8_t*)0x20008376 = 2; *(uint16_t*)0x20008377 = 8; *(uint8_t*)0x20008379 = 3; *(uint8_t*)0x2000837a = 1; *(uint8_t*)0x2000837b = 3; *(uint8_t*)0x2000837c = 9; *(uint8_t*)0x2000837d = 5; *(uint8_t*)0x2000837e = 3; 
*(uint8_t*)0x2000837f = 2; *(uint16_t*)0x20008380 = 0x40; *(uint8_t*)0x20008382 = 5; *(uint8_t*)0x20008383 = 0x40; *(uint8_t*)0x20008384 = 2; *(uint32_t*)0x200087c0 = 0xa; *(uint32_t*)0x200087c4 = 0x200083c0; *(uint8_t*)0x200083c0 = 0xa; *(uint8_t*)0x200083c1 = 6; *(uint16_t*)0x200083c2 = 0x201; *(uint8_t*)0x200083c4 = 0x79; *(uint8_t*)0x200083c5 = 3; *(uint8_t*)0x200083c6 = 0x3f; *(uint8_t*)0x200083c7 = 0x20; *(uint8_t*)0x200083c8 = 6; *(uint8_t*)0x200083c9 = 0; *(uint32_t*)0x200087c8 = 0x37; *(uint32_t*)0x200087cc = 0x20008400; *(uint8_t*)0x20008400 = 5; *(uint8_t*)0x20008401 = 0xf; *(uint16_t*)0x20008402 = 0x37; *(uint8_t*)0x20008404 = 5; *(uint8_t*)0x20008405 = 7; *(uint8_t*)0x20008406 = 0x10; *(uint8_t*)0x20008407 = 2; STORE_BY_BITMASK(uint32_t, , 0x20008408, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008409, 0xa, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008409, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000840a, 5, 0, 16); *(uint8_t*)0x2000840c = 7; *(uint8_t*)0x2000840d = 0x10; *(uint8_t*)0x2000840e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000840f, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008410, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008410, 9, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008411, 8, 0, 16); *(uint8_t*)0x20008413 = 0xa; *(uint8_t*)0x20008414 = 0x10; *(uint8_t*)0x20008415 = 3; *(uint8_t*)0x20008416 = 0xc9; *(uint16_t*)0x20008417 = 7; *(uint8_t*)0x20008419 = 7; *(uint8_t*)0x2000841a = 0; *(uint16_t*)0x2000841b = 8; *(uint8_t*)0x2000841d = 0xa; *(uint8_t*)0x2000841e = 0x10; *(uint8_t*)0x2000841f = 3; *(uint8_t*)0x20008420 = 2; *(uint16_t*)0x20008421 = 0xc; *(uint8_t*)0x20008423 = 0; *(uint8_t*)0x20008424 = 6; *(uint16_t*)0x20008425 = 6; *(uint8_t*)0x20008427 = 0x10; *(uint8_t*)0x20008428 = 0x10; *(uint8_t*)0x20008429 = 0xa; *(uint8_t*)0x2000842a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000842b, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000842b, 0x8001, 5, 27); *(uint16_t*)0x2000842f = 0xf00f; *(uint16_t*)0x20008431 = 0xfffd; *(uint32_t*)0x20008433 = 
0x3fc0; *(uint32_t*)0x200087d0 = 9; *(uint32_t*)0x200087d4 = 0x4f; *(uint32_t*)0x200087d8 = 0x20008440; *(uint8_t*)0x20008440 = 0x4f; *(uint8_t*)0x20008441 = 3; memcpy((void*)0x20008442, "\xc0\x66\x3b\x11\x6d\xab\x9b\xa5\xc0\xa2\xf7\xa2\xad\x48\x6f\xfc\x16\x4a\x43\x65\x89\x95\x65\xc5\xe9\x9b\x01\x52\x39\xf3\x78\xdf\x56\xdb\x4d\xc3\xb0\xbb\x08\xdc\xd2\x08\xd9\x58\xfa\x3c\xf0\x80\x97\xaa\x20\x8b\x2d\x28\x65\xb5\x02\xcb\xc9\x4b\x1a\x8e\x33\xbd\xd9\xd6\x48\x1f\xbf\x32\xd4\x91\x34\x22\xfe\x18\x9f", 77); *(uint32_t*)0x200087dc = 0x85; *(uint32_t*)0x200087e0 = 0x200084c0; *(uint8_t*)0x200084c0 = 0x85; *(uint8_t*)0x200084c1 = 3; memcpy((void*)0x200084c2, "\xc9\xc4\x87\xa9\x0b\xe3\xd4\x0e\xf7\x82\x37\x3d\x78\x5f\x86\xbd\xfc\x3d\xb6\xfb\x0d\xd0\xa7\x44\x0b\x2f\xe4\x59\x5c\x3a\x6b\xd6\x7a\xa8\x51\x8d\x89\x7a\x8a\x75\x7d\x5f\x1c\xeb\x86\xe5\x98\xca\xbf\x23\x45\xf7\x71\xc3\xc7\x12\x8b\xd1\x6d\xd4\xb1\xee\x9b\x7d\xbc\xaf\x61\x1e\x97\xf6\xdc\xb9\xf1\x71\xe8\xf7\x05\x2b\x0f\x33\xe6\x31\xbf\xe9\x9d\xdc\x44\x13\xe5\xe5\xd7\xb6\x34\xdc\xc3\xb7\x7e\x4d\x30\x1f\x89\xa8\xd3\xb8\x51\xb0\x23\x06\xca\xbe\xc2\x11\x12\x7a\x8e\x54\x1d\x16\x26\x36\x58\x8f\xf5\x74\xde\x82\xde\x8f\x30\x7d\x43", 131); *(uint32_t*)0x200087e4 = 4; *(uint32_t*)0x200087e8 = 0x20008580; *(uint8_t*)0x20008580 = 4; *(uint8_t*)0x20008581 = 3; *(uint16_t*)0x20008582 = 0x1407; *(uint32_t*)0x200087ec = 4; *(uint32_t*)0x200087f0 = 0x200085c0; *(uint8_t*)0x200085c0 = 4; *(uint8_t*)0x200085c1 = 3; *(uint16_t*)0x200085c2 = 0; *(uint32_t*)0x200087f4 = 0xaa; *(uint32_t*)0x200087f8 = 0x20008600; *(uint8_t*)0x20008600 = 0xaa; *(uint8_t*)0x20008601 = 3; memcpy((void*)0x20008602, 
"\xce\x39\x5e\x8e\x9f\x40\x9a\x37\xda\xeb\x1c\x20\xbe\x9c\xa4\x00\x4a\xe8\x10\xcf\x16\x53\xec\xcd\x6e\x66\x3d\xd7\x4f\x8b\xc0\x69\x89\xb4\xd1\xa6\x5c\x9f\x48\x0b\xd3\x7e\x9d\xd8\x53\x49\xf2\x98\xdd\xad\xdc\x2c\xc9\xe4\xed\xa1\x47\xf2\x31\x40\x2e\x11\x6f\xb5\x94\xa6\x37\x18\xd8\x21\xd8\x85\xeb\xd6\x7e\xda\x45\x15\x58\xb1\xfb\xa3\x09\x3e\xcb\xd4\x0c\xbe\x5f\xbe\x07\xf9\x4e\xd9\x27\xd8\xe5\x03\x9a\x7c\x49\x7a\xa8\xd1\xf1\x0a\x4d\xda\xc0\x49\xad\x82\x0f\x8c\x53\x2c\x5a\x3f\x00\x94\x79\x55\x03\x24\x23\x92\x2e\x95\xaa\x5b\xfe\xe0\x41\xf7\xfe\x87\x44\xec\xc4\x42\x40\x57\xee\xc9\x70\x40\xb3\x41\xd0\xdd\xdc\xaf\x20\x6d\xa6\x43\x1e\x98\x7f\x04\xcf\xd5\x58\x02\xca\xd3\xa1\x14", 168); *(uint32_t*)0x200087fc = 4; *(uint32_t*)0x20008800 = 0x200086c0; *(uint8_t*)0x200086c0 = 4; *(uint8_t*)0x200086c1 = 3; *(uint16_t*)0x200086c2 = 0x3c01; *(uint32_t*)0x20008804 = 4; *(uint32_t*)0x20008808 = 0x20008700; *(uint8_t*)0x20008700 = 4; *(uint8_t*)0x20008701 = 3; *(uint16_t*)0x20008702 = 0x1809; *(uint32_t*)0x2000880c = 4; *(uint32_t*)0x20008810 = 0x20008740; *(uint8_t*)0x20008740 = 4; *(uint8_t*)0x20008741 = 3; *(uint16_t*)0x20008742 = 0x807; *(uint32_t*)0x20008814 = 4; *(uint32_t*)0x20008818 = 0x20008780; *(uint8_t*)0x20008780 = 4; *(uint8_t*)0x20008781 = 3; *(uint16_t*)0x20008782 = 0x1c; res = -1; res = syz_usb_connect(3, 0xc5, 0x200082c0, 0x200087c0); if (res != -1) r[24] = res; break; case 46: syz_usb_ep_read(r[24], 8, 0x7d, 0x20008840); break; case 47: *(uint8_t*)0x200088c0 = 0x12; *(uint8_t*)0x200088c1 = 1; *(uint16_t*)0x200088c2 = 0x250; *(uint8_t*)0x200088c4 = 0; *(uint8_t*)0x200088c5 = 0; *(uint8_t*)0x200088c6 = 0; *(uint8_t*)0x200088c7 = 0x10; *(uint16_t*)0x200088c8 = 0x56a; *(uint16_t*)0x200088ca = 0x62; *(uint16_t*)0x200088cc = 0x40; *(uint8_t*)0x200088ce = 1; *(uint8_t*)0x200088cf = 2; *(uint8_t*)0x200088d0 = 3; *(uint8_t*)0x200088d1 = 1; *(uint8_t*)0x200088d2 = 9; *(uint8_t*)0x200088d3 = 2; *(uint16_t*)0x200088d4 = 0x2d; *(uint8_t*)0x200088d6 = 1; *(uint8_t*)0x200088d7 = 1; 
*(uint8_t*)0x200088d8 = 0; *(uint8_t*)0x200088d9 = 0xf0; *(uint8_t*)0x200088da = 0x8e; *(uint8_t*)0x200088db = 9; *(uint8_t*)0x200088dc = 4; *(uint8_t*)0x200088dd = 0; *(uint8_t*)0x200088de = 5; *(uint8_t*)0x200088df = 1; *(uint8_t*)0x200088e0 = 3; *(uint8_t*)0x200088e1 = 1; *(uint8_t*)0x200088e2 = 2; *(uint8_t*)0x200088e3 = 0; *(uint8_t*)0x200088e4 = 9; *(uint8_t*)0x200088e5 = 0x21; *(uint16_t*)0x200088e6 = 3; *(uint8_t*)0x200088e8 = 0xf; *(uint8_t*)0x200088e9 = 1; *(uint8_t*)0x200088ea = 0x22; *(uint16_t*)0x200088eb = 0xa21; *(uint8_t*)0x200088ed = 9; *(uint8_t*)0x200088ee = 5; *(uint8_t*)0x200088ef = 0x81; *(uint8_t*)0x200088f0 = 3; *(uint16_t*)0x200088f1 = 0x3af; *(uint8_t*)0x200088f3 = 1; *(uint8_t*)0x200088f4 = 0x40; *(uint8_t*)0x200088f5 = 2; *(uint8_t*)0x200088f6 = 9; *(uint8_t*)0x200088f7 = 5; *(uint8_t*)0x200088f8 = 2; *(uint8_t*)0x200088f9 = 3; *(uint16_t*)0x200088fa = 0x10; *(uint8_t*)0x200088fc = 6; *(uint8_t*)0x200088fd = 1; *(uint8_t*)0x200088fe = 9; *(uint32_t*)0x20008c00 = 0xa; *(uint32_t*)0x20008c04 = 0x20008900; *(uint8_t*)0x20008900 = 0xa; *(uint8_t*)0x20008901 = 6; *(uint16_t*)0x20008902 = 0x250; *(uint8_t*)0x20008904 = 3; *(uint8_t*)0x20008905 = 1; *(uint8_t*)0x20008906 = 0x46; *(uint8_t*)0x20008907 = -1; *(uint8_t*)0x20008908 = 0x20; *(uint8_t*)0x20008909 = 0; *(uint32_t*)0x20008c08 = 0x34; *(uint32_t*)0x20008c0c = 0x20008940; *(uint8_t*)0x20008940 = 5; *(uint8_t*)0x20008941 = 0xf; *(uint16_t*)0x20008942 = 0x34; *(uint8_t*)0x20008944 = 2; *(uint8_t*)0x20008945 = 0xb; *(uint8_t*)0x20008946 = 0x10; *(uint8_t*)0x20008947 = 1; *(uint8_t*)0x20008948 = 2; *(uint16_t*)0x20008949 = 0xfa; *(uint8_t*)0x2000894b = 8; *(uint8_t*)0x2000894c = 0x80; *(uint16_t*)0x2000894d = 5; *(uint8_t*)0x2000894f = 3; *(uint8_t*)0x20008950 = 0x24; *(uint8_t*)0x20008951 = 0x10; *(uint8_t*)0x20008952 = 0xa; *(uint8_t*)0x20008953 = 5; STORE_BY_BITMASK(uint32_t, , 0x20008954, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20008954, 9, 5, 27); *(uint16_t*)0x20008958 = 0xf00f; 
*(uint16_t*)0x2000895a = 0; *(uint32_t*)0x2000895c = 0xffc00f; *(uint32_t*)0x20008960 = 0xff00c0; *(uint32_t*)0x20008964 = 0x101ffc0; *(uint32_t*)0x20008968 = 0xff0030; *(uint32_t*)0x2000896c = 0x30; *(uint32_t*)0x20008970 = 0x30; *(uint32_t*)0x20008c10 = 4; *(uint32_t*)0x20008c14 = 0xed; *(uint32_t*)0x20008c18 = 0x20008980; *(uint8_t*)0x20008980 = 0xed; *(uint8_t*)0x20008981 = 3; memcpy((void*)0x20008982, "\xe7\xdb\x91\x4e\xf4\xa7\x1a\x3a\xba\x44\x3e\xe1\x81\xc2\x72\xe7\xfb\xb6\x36\x48\xa9\x97\x75\x4b\x81\xa1\x93\x8f\x52\xb9\xfd\x8c\x2b\x76\xca\x28\xee\x1f\xcb\xa2\x80\x02\x1f\xbe\x02\xff\xa0\x3e\xa7\x53\xf2\xd5\x1b\x71\xf1\xcb\x93\x91\xea\x31\xfa\xab\xf8\xed\x37\xa9\x85\x3b\x87\xee\xba\xa0\xa1\x26\x96\x96\xe6\x5e\x30\x9e\xa4\xbf\x77\x55\xff\x1b\x99\x28\x0f\xd6\x82\x30\xd7\xd8\x99\xd0\x97\xe1\x6e\xe0\xb2\x24\xde\x57\x33\x94\x39\xc8\x0a\xd7\xfb\xf8\xbb\xf3\x2a\xa0\x0e\x29\x80\x2b\xde\x1c\x8c\x5e\x62\x28\xfa\x0a\x54\xc8\x35\x0e\xf9\x97\x11\x2f\x76\x3e\x17\x42\x8f\xb8\xe9\x5a\x56\x68\x95\x95\xf3\x0a\x3c\x16\x15\x18\x09\xb0\xc6\xb1\xd4\xd4\x76\x65\x10\xc6\xf0\x66\xfe\x4b\x35\xa3\xea\x90\xd3\x88\xd1\xb4\xd4\xe9\xc6\xb3\x09\x71\xe2\x37\xe2\x3f\xd2\x05\xf9\x90\x5e\xe7\xd7\x9f\x44\x43\x70\x7a\xdc\x7f\x65\xce\x2b\x15\x99\x4d\xaa\xc7\xb9\x54\x35\x3f\xb2\x32\x01\x84\x41\x22\x71\x05\x31\x87\x9c\x62\x91\xc7\xdf\xbf\x6b\xe4\x54\xb9\xcf\x2f\x2e", 235); *(uint32_t*)0x20008c1c = 4; *(uint32_t*)0x20008c20 = 0x20008a80; *(uint8_t*)0x20008a80 = 4; *(uint8_t*)0x20008a81 = 3; *(uint16_t*)0x20008a82 = 0x410; *(uint32_t*)0x20008c24 = 0x64; *(uint32_t*)0x20008c28 = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x64; *(uint8_t*)0x20008ac1 = 3; memcpy((void*)0x20008ac2, 
"\x04\x1c\x8b\x1b\xd1\x43\xea\x1d\x63\x82\x9b\x76\x9d\xdb\x88\x6a\x6a\xaf\xee\xdd\x5f\x65\x2b\xc9\x48\x67\x7c\x9a\x6e\x3a\xcf\xe0\x4a\x15\x19\x05\x3f\x95\xe5\xfc\xf7\x9b\x08\x53\x62\xcd\xac\x6a\xbb\xf8\xf1\x37\x81\xa6\x21\x88\x52\x57\x05\x2b\x12\x00\x45\xda\x2c\x49\x4a\x30\xbc\x6a\xe6\xc4\x16\x0c\xf4\x97\x00\x2a\xf8\xb7\x7e\x21\x68\x93\x24\xbd\x6e\x75\xac\xed\xa7\xcf\x6a\x50\x92\x0b\x2a\xb1", 98); *(uint32_t*)0x20008c2c = 0x87; *(uint32_t*)0x20008c30 = 0x20008b40; *(uint8_t*)0x20008b40 = 0x87; *(uint8_t*)0x20008b41 = 3; memcpy((void*)0x20008b42, "\x15\x08\x37\xb1\xe6\x9e\x50\x07\x39\x8a\xc0\x2c\x4a\x0b\x25\x07\x2d\xaa\x81\xa6\x4a\xf1\x0b\xcd\xc5\x73\x63\x33\xf4\x9c\x92\x1f\x86\xd9\xcb\xc6\xb7\x78\xf1\xd2\x16\x79\xd8\x47\xd5\xb8\xa9\xb7\x0f\xc5\x6b\xb5\xa4\x33\x04\x0a\xfd\x94\x37\x7b\x25\x15\xa5\x5c\xda\x70\xdb\x64\x44\x2a\xda\xe0\x90\x5a\xa9\x0f\x91\x1d\x3b\xee\xf8\x00\xab\x6f\xd8\x7a\x5c\x51\xfd\xa8\xfa\xa7\x50\xd1\x95\xc2\xe6\x57\x24\x97\x81\xc6\xaf\x05\x23\xe0\x49\x2f\x9a\x69\xe2\x27\xe1\x0c\xa0\x31\x0f\x1a\x01\x0f\x8b\x98\x6a\x9a\x05\x53\xa5\x33\x1f\x97\x54\xfc\x90", 133); res = -1; res = syz_usb_connect(3, 0x3f, 0x200088c0, 0x20008c00); if (res != -1) r[25] = res; break; case 48: memcpy((void*)0x20008c40, "\xa6\x90\x8c\x55\x30\x81\x4d\x6a\x6b\xfd\x6d\x6c\x75\x94\xd4\xaf\x8a\x49\x62\xd8\x82\xda\x65\x7b\xb4\x02\xc7\xd0\xae\x45\x35\x16\x81\x60\xdb\xf6\x7b\x82\xf2\x23\xd5\x77\xb0\xe1\x6e\x6a\xc3\xc4\x6a\x40\x15\xa6\xed\x7c\x4f\xa6\x5d\x1d\xba\xa2\x68\xb7\x48\xde\xc4\x67\x74\xec\xa9\x22\x47\x96\x94\x49\xa9\xf5\x9e\x9e\xdd\xe4\xd3\x7e\x7b\xd1\x78\x82\xeb\x00\x5e\x24\xfe\x43\xf5\x76\x54\x00\x0e\xad\xec\x3f\x1d\xe9\x91\x7e\xb2\x8c\x2a\x87\x71\x82\xc4\x7b\x55\x6d", 114); syz_usb_ep_write(r[25], 7, 0x72, 0x20008c40); break; case 49: syz_usbip_server_init(4); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); 
use_temporary_dir(); do_sandbox_namespace(); return 0; } :126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor978222862 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/0 (1.83s) csource_test.go:118: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) (fail_nth: 1) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000040)={0x0, 0xe6, "f137161ab86c594202b997d9f12d007021870322c8d909748409951ae9800c1e207f98b769c740f867ea14bbf8666a4f98d229aaafbc33c6c52168db8933c4a4a4a3dd3ce0ccea96e71d81ff4aca8331cb01bf35433853d1abd48fd6d0ce1314df6507bae535a2b4e3eaa74c5d23006594148a0fe5b4a884ef8f41346e49cc90474cb17bac301d4797ed05dfc6ccb74bebaabe549172d622a30605a4e49fd3f8537de5272c33ad4f07cd060577bce65e5c80a34168cde68117e4f900e35a3d888e02ee111752213b40d2af258c01f36de50ce8e83d4226a30d6a4cc43a883f6c20e3fada8ad2"}, &(0x7f0000000140)=0xee) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e22, 0x3, @private2, 0x1}}, [0x7fffffff, 0x1, 0x7fff, 0x4, 0x7, 0x1, 0x3ff, 0x40, 0x5, 0x1, 0x0, 0x7, 0x0, 0x8, 0x1f]}, 
&(0x7f0000000280)=0xfc) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e20, 0x9, @private2={0xfc, 0x2, '\x00', 0x1}, 0x3}}}, 0x84) r3 = openat$pktcdvd(0xffffff9c, &(0x7f0000000380), 0x0, 0x0) ioctl$MEDIA_REQUEST_IOC_QUEUE(r3, 0x7c80, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x7f, @private0, 0x5}}, 0x5, 0x476f}, 0x88) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_SRVCORE_ACQUIREGLOBALEVENTOBJECT(r3, 0xc0206440, &(0x7f0000000500)={0x1, 0x2, &(0x7f0000000480), &(0x7f00000004c0)={0x0}, 0x4, 0x8}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTQ2_RGXTDMSETTRANSFERCONTEXTPROPERTY(r3, 0xc0206440, &(0x7f00000005c0)={0x8a, 0x7, &(0x7f0000000540)={r4, 0x400}, &(0x7f0000000580), 0x10, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXBREAKPOINT_RGXENABLEBREAKPOINT(r3, 0xc0206440, &(0x7f0000000680)={0x83, 0x2, &(0x7f0000000600)={r4}, &(0x7f0000000640), 0x4, 0x4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@deauth={@wo_ht={{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x240}, @broadcast, @device_a, @random="2015d229785b", {0x8}}, 0x27, @val={0x8c, 0x18, {0xc93, "ffe3240f0484", @long="067ecc39a78a3ea47c22246d391b92c4"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_xfrm_policy_alloc_security\x00') syz_emit_ethernet(0xbc, &(0x7f0000000140)={@dev={'\xaa\xaa\xaa\xaa\xaa', 0x3b}, @broadcast, @void, {@mpls_mc={0x8848, {[{0x8, 0x0, 0x1}, {0x1, 0x0, 0x1}, {0x4, 0x0, 0x1}, {}, {0x0, 0x0, 0x1}], @ipv4=@dccp={{0x15, 0x4, 0x2, 0x33, 0x9a, 0x65, 0x0, 0x7, 0x21, 0x0, @dev={0xac, 0x14, 0x14, 0x1e}, @rand_addr=0x64010101, {[@noop, @end, @timestamp_addr={0x44, 0x1c, 0xe9, 0x1, 0x2, [{@dev={0xac, 0x14, 0x14, 0x28}, 0xf7e}, {@loopback, 0x7fff}, {@private=0xa010101, 0x5}]}, @generic={0x83, 0xe, "db10ac96c2cf817c67fc6d7e"}, @rr={0x7, 0x7, 0x87, 
[@local]}, @end, @ra={0x94, 0x4, 0x7}, @end, @generic={0x44, 0x5, "e0d910"}]}}, {{0x4e20, 0x4e23, 0x4, 0x1, 0xf, 0x0, 0x0, 0x9, 0x5, "d77b5a", 0x7, "c6dd9c"}, "494a1261c05df7372b3c29631b6232d41f19fa8727ecea11ccf1979683ceb144705e12c13fba0e399f08f58397f3ea7bdb746b3dcabe"}}}}}}, &(0x7f0000000200)={0x0, 0x3, [0xf9, 0x208, 0x50c, 0x74d]}) syz_emit_vhci(&(0x7f0000000240)=@HCI_EVENT_PKT={0x4, @HCI_EV_VENDOR={{0xff, 0xc1}, "0626cab051d180b0c2e36c0814bbca7e31d691502e1c7c0eae1a042e7372921a0c6dfccedd81a98f58b9850ba2f68bc25d5cab15a0af010796b5fdfb8a3b35f3eb48ee0c7b2ed287cf469fdec0248e957ef0dd22f3fc6d746e70262c277c016177e56a68031293b56b02c1b6f867d10a3bbf33817b39d487ae0659a68cffb8df46df59a7d104b7c6711d45af1f966d69e635809cf24a70d4c2ea9cc98d37599807148af36b475eb2ce56e027ac751769f8710272d187722ecdf7a8f86d8b977aa8"}}, 0xc4) syz_execute_func(&(0x7f0000000340)="c4c17d6f7072c4e1f9112fc4e3c95d33abc4c2790eb000000000c4e17a12b70c0000000f0156e9c4e10dd55e0cf30f526b000f7e20c4c179e702") syz_extract_tcp_res(&(0x7f0000000380), 0x80000000, 0x100) r5 = dup(0xffffffffffffffff) r6 = fcntl$getown(0xffffffffffffffff, 0x9) lstat(&(0x7f00000026c0)='./file0\x00', &(0x7f0000002700)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000002800)=0x0, &(0x7f0000002840), &(0x7f0000002880)=0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002ac0)={0x2020, 0x0, 0x0, 0x0}, 0x2020) statx(0xffffffffffffffff, &(0x7f0000004b00)='./file0\x00', 0x2000, 0x20, &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004d00)={{{@in6=@ipv4={""/10, ""/2, @private}, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000004e00)=0xe4) r13 = getgid() syz_fuse_handle_req(r5, &(0x7f00000003c0)="", 0x2000, &(0x7f0000004f40)={&(0x7f00000023c0)={0x50, 0x0, 0x3f, {0x7, 0x22, 0x8001, 0x1040000, 0x8, 0xf6e1, 0x8, 0x9}}, &(0x7f0000002440)={0x18, 0x0, 0x9, {0x40d}}, &(0x7f0000002480)={0x18, 0x0, 0x7, {0x7}}, &(0x7f00000024c0)={0x18, 
0x0, 0xffff, {0x8}}, &(0x7f0000002500)={0x18, 0x0, 0xce0, {0x1c}}, &(0x7f0000002540)={0x28, 0x0, 0x1, {{0x100, 0x5, 0x2, r6}}}, &(0x7f0000002580)={0x60, 0xfffffffffffffffe, 0x8, {{0xcd95, 0x1f, 0x7, 0x48, 0xaac5, 0x6, 0xad, 0x5}}}, &(0x7f0000002600)={0x18, 0xfffffffffffffff5, 0x9, {0x9}}, &(0x7f0000002640)={0x11, 0x0, 0x0, {'\x00'}}, &(0x7f0000002680)={0x20, 0x0, 0x10000}, &(0x7f0000002780)={0x78, 0x0, 0x9, {0x3, 0x0, 0x0, {0x6, 0x0, 0xfffffffffffff20d, 0xfffffffffffffff8, 0x1, 0x3ff, 0x5, 0x9, 0x726, 0x1000, 0x6, r7, 0xee01, 0x7, 0x7}}}, &(0x7f00000028c0)={0x90, 0x0, 0x3, {0x2, 0x2, 0x100000000, 0x61a26b8d, 0x6, 0x2, {0x1, 0x3, 0x1, 0x100000000, 0x3, 0x8f, 0x4, 0x1ff, 0x849, 0x1000, 0x7, r8, 0xffffffffffffffff, 0x5, 0x1f}}}, &(0x7f0000002980)={0x130, 0x0, 0xa00000000000, [{0x4, 0x1, 0x6, 0x9, '\x01\x01\x01\x01\x01\x01'}, {0x6, 0x1, 0x5, 0xfffffffe, '\xaa\xaa\xaa\xaa\xaa'}, {0x1, 0x1ff, 0x3, 0x7, '{#-'}, {0x5, 0x0, 0x2, 0x761, '[#'}, {0x3, 0x0, 0x2, 0x6, '#]'}, {0x1, 0x714, 0x5, 0x3, '*^\\^b'}, {0x5, 0xeb68, 0x4, 0xfffffa80, '--$-'}, {0x6, 0xfffffffffffffeff, 0x1, 0x1, '-'}, {0x1, 0x8, 0x3, 0xf2, '!\\{'}]}, &(0x7f0000004c40)={0xb0, 0x0, 0xcf, [{{0x1, 0x1, 0x3, 0x100000000, 0x4, 0x81, {0x5, 0x7f, 0x5, 0x6, 0xffff, 0x3, 0x1f, 0x3, 0x8, 0xc000, 0xf5c8, r10, r11, 0x2, 0x9}}, {0x4, 0x80, 0x5, 0x2, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000004e40)={0xa0, 0x0, 0x400, {{0x6, 0x2, 0x400, 0x7, 0x4, 0x9, {0x4, 0x1000, 0xffff, 0x6, 0x1, 0xffff, 0x65f, 0x647c2b8f, 0x400, 0x8000, 0x8, r12, r13, 0x3, 0x6b}}, {0x0, 0xd}}}, &(0x7f0000004f00)={0x20, 0x0, 0x800, {0x0, 0x0, 0x10001}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004f80), r5) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r14 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x343, &(0x7f0000004fc0)={0x0, 0x5004, 0x0, 0x1, 0x1de, 0x0, r14}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000005040)=0x0, &(0x7f0000005080)=0x0) r17 = openat$uinput(0xffffff9c, &(0x7f00000050c0), 0x2, 0x0) r18 = 
openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000005100), 0x488200, 0x0) syz_io_uring_submit(r15, r16, &(0x7f0000005140)=@IORING_OP_SPLICE={0x1e, 0x3, 0x0, @fd=r14, 0x200, {0x0, r17}, 0x6, 0x1, 0x0, {0x0, 0x0, r18}}, 0x3dd1) r19 = openat$keychord(0xffffff9c, &(0x7f0000005180), 0x171000, 0x0) r20 = openat$ubi_ctrl(0xffffff9c, &(0x7f00000051c0), 0x10400, 0x0) syz_kvm_setup_cpu$arm64(r19, r20, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005240)=[{0x0, &(0x7f0000005200)="4623d8a4ce0217c9e59555c166890679e3e0c1940df5b9fcbf91649ef54d80f0c8bcc80e36b5574c4bc9f943401854f56aa2", 0x32}], 0x1, 0x0, &(0x7f0000005280)=[@featur2], 0x1) r21 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x8000, r18, 0x0) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000052c0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005300), &(0x7f0000005340)='./file0\x00', 0xfd, 0x2, &(0x7f0000005540)=[{&(0x7f0000005380)="873519f25df082b371ba5b45adb5709c00805747c37fe044064595cd4728bf8980302b25b4b083b42b41336e130f1b6ff0a2f172498e522b4fe5826eababf53a9852f93ebeb841e1645f32936127029d68fe73eced89c1b93587012a47c42a583d6975592b3f2cdf4337fc6d5e85e5f5835fafe095935ec90484e9081aa8d22498431301baad4a34368c26c64d85326c7e00682178f8d13e6a8969f15b9d5dbcfec2c0e69680c3928ca015b92e25f5078de354fe32cc7121609a0762e1b73efd8967a2fe235e4d1ef9e5ac88bc1ed706a984641b06470b2294d045ce7eba51c0728938a2c6eeb6d8574429cc24bcb2a784", 0xf1, 0x40}, {&(0x7f0000005480)="62935bfe26e9c9f2dc3c3e9dfb491858efb598369bcca51923989ba943cf447baf56625df0f685ed2d034b37c07563f668728f6dc6833609b1221970e55088869d29c01b2dd05c4820b08042b5074008c9757712c480e25d89b9c48e957e5b5c7b0beccfb1fcccedbcedc83806038075fc2a0f8228beb47f1fece09bddcbbe0021abe9c3d198369b81b67dbd6a7d334b8d28b802cc97d934c164e97d9d7b70dc6c", 0xa1, 0x1ff}], 0x8800, &(0x7f0000005580)={[{'\xaa\xaa\xaa\xaa\xaa'}, {}, {':&-]!'}, {'}'}, {',-V'}, {'\\*})'}, {'*^\\^b'}], [{@appraise}, {@fowner_lt={'fowner<', r8}}, {@smackfshat={'smackfshat', 0x3d, 
'\xaa\xaa\xaa\xaa\xaa'}}, {@obj_type={'obj_type', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@dont_appraise}, {@dont_measure}, {@fowner_lt={'fowner<', r9}}, {@dont_appraise}]}) syz_open_dev$I2C(&(0x7f0000005640), 0x40, 0x300) syz_open_procfs(r6, &(0x7f0000005680)='net/if_inet6\x00') syz_open_pts(r19, 0x800) syz_read_part_table(0x9, 0x9, &(0x7f0000006c40)=[{&(0x7f00000056c0)="", 0x1000, 0x8001}, {&(0x7f00000066c0)="31e3c3fa6d99", 0x6, 0x3ff}, {&(0x7f0000006700)="39de863b7148208e432fcddbd9e9148e716c1b48a3967c870c70145d90ed681b3f8bce849fee7f50091570854e20103723e56454e711543f6e2be92c34090d8cc792260be9b960c1e4", 0x49, 0x9}, {&(0x7f0000006780)="17fad571f80fecd34a59bc03f6c02bbd6d56cd8d958924b4ae4189b88b85897efd4e596e1118bb0c771c2c5ba37ded06d78111390c1c80cf6ea9df8727f88559815ed76b36fa13fb4d08e1ccdad7973b5bec5655a74a671fde99ee92397c56d409dadb10c4c37ee92cb41d03ae6fb164e7f86985039128d38be83b5e16c35ee34eb2b8396c5348028781a0a879f88159740ab89705d637bedafa915f195a152597fa0d7da9b76476602c6eeefca1e80a6d3d0ed1a75b00f7a5e153dd851e2301c8daa7d49b4ad91c62d1a6967f54cf9621c240ed587192f69959e05407850ce3831c4e811e6fff1cdf93cfabde887358316881845356d7", 0xf7, 0x26}, {&(0x7f0000006880)="c286968e2238742a47e0e8d444a6a661b7708222f4eddab97a749dcebe2cc83a314b828795f915a36d873b714aef15ddb1b4f62f06800bbe85eaebcb76abe944719249ee7927c88e78a968e93f45c52013ef97ef6f989b1d1cd30fff88677962c8f3052ad0a4631e4e750ba80f3753916c2dffc6a4023cdb62a1b5f2afbb965b2f78c5dd47af90b002da1a26a24fcb99bf81fb29574a2f98107a7937639873b95f4a569a0406cc358b46efae587e9008be69d711ae202c22e29a2f615fd23dcf", 0xc0}, {&(0x7f0000006940)="97fc4dd9db673e16fd0f0eb9a4a26e2a49f42e1616190b0634dfd6135145f4e451bbbad56dadf266964eba7d1007c0a23f8cf03d4f8fe09a7989152b7cf2ec30f2693a06befdf023d79f48c208d742c7b75915bcc1be583517ced3b826b97075e62a8ed12dbb264807c6ffd0227614491fb9de0d8a925a2638c31608de405bbf79e96f171fd58338b1d6979d33a7dae8ad62f2ba53fefc3c", 0x98, 0x20}, 
{&(0x7f0000006a00)="77d8d606bfb424e7b995809ab4f559115fd82e972d98b651dfc69b10df600fb4f78efd586f9cc26edc41b1d2fac87efe59e262411f27a94cf796ed31236b457ca0f147530efbd4cfa6b6a0fee46c25abcf7ad8282aae5299e299799cd52d0a58d7ff9dddd0103724c88da92dbefab6248038abef9ec52264afc74825f7ea70b2ca95d6900f9b647a3f986e18287cb2bf4b4c19efc8c218fd905c3727c86c37026bfbde3af078eb07b798e6d3d8f2e4d5d3bc188cdd20f2ebb1461c5e53b05f2989ffac3b168dee56da0fc011974c660e400ae2d8b2c80acb231581ee91763129b2888aeb12", 0xe5, 0x800}, {&(0x7f0000006b00)="560c1bea71b0f97244fa386d26bf6b1b04308e4bc7fffa", 0x17, 0x80000001}, {&(0x7f0000006b40)="14e55a14a7953387ee55333c1d1694ca98c7999b49788642766805d6f5a290eb1e959ee35a740459e13300262f2af9c357f7a8c1cba187e448bc3c8f865cc9be88624fb0f0d0bb885d9cc2abe171a2478a7420db22e8607e3fbec7e2601d9e11086cfa8cf14d99676b679d8d6bf1dd4faab8fe9a5f4e3f695fe2e6abf09f702683802d44cc3a298255c4c59533731ff5b23e053afb716d58cad667686ee647f48e199c9b5c3d0d2d470f2ce1c5b8b5708ae023ad9880caf31d01f96aebbfcc7df95358a016c5471cc2ce2ced6105057c9d22c8167890ca19", 0xd8, 0x400}]) syz_usb_connect(0x2, 0x6c6, &(0x7f0000006cc0)={{0x12, 0x1, 0x200, 0x62, 0xa5, 0xbe, 0x10, 0x2833, 0x211, 0x37a4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6b4, 0x1, 0x20, 0x0, 0xa0, 0x1, [{{0x9, 0x4, 0xdf, 0x0, 0x10, 0xff, 0x1, 0x0, 0x5, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x1, 0x1}]}, @cdc_ecm={{0x9, 0x24, 0x6, 0x0, 0x0, "fd506508"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x40000000, 0x8, 0x4cc5, 0x7f}, [@network_terminal={0x7, 0x24, 0xa, 0x8, 0x3f, 0x0, 0x81}, @country_functional={0x10, 0x24, 0x7, 0x80, 0x5, [0x44, 0x2, 0x800, 0x101, 0x4]}, @acm={0x4, 0x24, 0x2, 0x4}, @mbim_extended={0x8, 0x24, 0x1c, 0x0, 0xc0, 0x5325}, @ncm={0x6, 0x24, 0x1a, 0x7f}]}], [{{0x9, 0x5, 0x5, 0x0, 0xa716c6d63b98b5a2, 0x6, 0x0, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xe9, 0xf000}]}}, {{0x9, 0x5, 0xe, 0x2, 0x200, 0x8, 0x7, 0x40}}, {{0x9, 0x5, 0x0, 0x10605a5c87a92a7e, 0x200, 0x8, 0x3, 0x1, [@generic={0x9b, 0x21, 
"f2ef0a5c069cdb319138e185061d7e196ae94e535d80f27666fba23b374325f15dc5f20812fe05b0620f6ffcb81003b1f39c5dcd1bff14e2bbeb387335a3534f5adb60ffc4f28595c8f992f77fd5f67a04842b9c4364e3556be9bacb8fd56ed77859291153f6c566026363bfa5f2e6ff2fa6d29317f2d562445364939915a75dd7365f6ab9c15ddbc7c3a45f7eb98fd1fea3551bbd46f20a87"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x3ff, 0x1, 0x20, 0xef, [@generic={0xec, 0x6, "f642246a5372991db97e5824a410e28300d3bd153638f6dac6e1189a0c560a0a0e5f8b15e07879ac95016515202646a7b5b5fc74b7cd40d515b2849d8c1dd9ae4fca16c2e6cf0e8a20ce54f05fa123c019208cb34b5ee561c274ea40a7b34e5813a4a29be40817eb1f7b3e9bef60f7c56657481236b93e2c297f17c776b98f1d0c8f2a56447766c7288ba6b1e385b84a516a98ab729ba70e31fee3aab101d590a4481ae5856326c6825b73c7ae7d3b99cb3c59db31a12726234b900584e8db779352188d12c932d4aacb59eef33d33b9550510cf2b49da747e031c83117b511a1bb93ed76c716e6a0254"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x40}]}}, {{0x9, 0x5, 0x1, 0x0, 0x100, 0xfe, 0x8, 0x37, [@generic={0xe9, 0x23, "1a0e3542857d49ea63b7261ebfc19f14272e284d2665d2795e43f6f9ca62776c9ee52d991879d7d67b4d8b270fd51598beac1c0339b2257ad68c1dde54885ae2d219b87cde159a9897c88bda26e08a3691055022739c1fe64adb98639dc25421c449cf364800c4c365062f2488e6901e56e62f4b703eae7af26298a1eee1bfe62d9b2ae35320ae2baf174e94ff55321097be81e0279f5d0aa84dd18ca0864d98d0edbbeaa19ddf3626fd83a2e2b5f676a734d4784b3c6877fd1bb3c9543df7abda9bd9c9be405949747e21073c18957fff0eaac0273cfd3f702cb65597949a172726f7e459536c"}, @generic={0x18, 0x10, "a0289017f3f433f11059489a61115823e1138ae84a34"}]}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0x67, 0x3, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x80, 0x2e6}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x48, 0x35, 0x8, [@generic={0xe5, 0x5, 
"30efe9c1a6e5c89c2031214c60fbbeaa4578091e38009c761d15774802934cfd36355b3518ccfe59fa5e7ccee3c13ac4affbe073e0e788c9b5e32216efbf02e35869d7b233a389f812bfd849433c328466eda5e0e3237529cdc65e4eee743d31ffc186a1fe794bdf1364f31eaeff39829e8f6144850d7470cc71572d1f2f23dccdbcdd99e4930de7edbf59b338db3490305fd7710257980b7f76b8daeacb2ad618131fb9b5a3e026c9ddbd69483cd794caad29f2e3b63124a952b462de0cd951d7efd9b3b29107b641417e7783d90159137fa5273a95e0cc46c97c2246e611acb14b4d"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x8, 0x0, 0x33, 0x9}}, {{0x9, 0x5, 0x2, 0xc, 0x400, 0xed, 0x7, 0x9, [@generic={0x84, 0x31, "ee4cd219154df491c4d32aa32112cff407511b06b17f743409ecc216c31e92cefa2b5cc59e634d7aeba2c9e5e36d8efadc0255172518f909b4e1a7daf4d988b1eeaf196c76ee902b657d12fc23c21e176cd149e98a8d8d5755b74fed1a4284bcfd6e6961951ff8216f7bb42f790edd539c1bc5bbac44f767a685c57cbbdec830c52c"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x1, 0xfe01}]}}, {{0x9, 0x5, 0x3, 0x0, 0x40, 0x2, 0x5, 0x3}}, {{0x9, 0x5, 0x0, 0x0, 0x400, 0x0, 0x2f, 0x4}}, {{0x9, 0x5, 0x8f, 0x8, 0x8, 0x81, 0x1, 0x7f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xfb}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0x40, 0x76, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x31, 0x8}]}}, {{0x9, 0x5, 0xf, 0x10, 0x3ff, 0x6, 0xb2, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x80, 0x6}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x6, 0xca, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x10, 0x400, 0x1, 0xfc, 0x4, [@generic={0xd4, 0x21, "28a1dfa1d28f9ae60d0a8e9e3c512db35369d479fa6e6aa099e267e1ced77ca2e180b429779023a872b0ef8807e11f8b8b21b811d4fe5527335ce86e3a95cdf960d1e79e88c276c174d183d2f3bc0862dd7e1d29ac589ceb22024e25a44c3e8123581d1448fd2db5332fe41c23f9aa959564f32db1da14610415ddc293dc57c9d6c775d22151bdab236a5a73592e5518055728ae819e25c080cbb9bf0203b6639b8fd8d716d9c571d6b260ea297733d53c3a05449b9b9221d0f402610c9837189f9c6ab3baaf031d48692690c9981cee1426"}, @generic={0xc3, 0x6, 
"60ed98576fbbbee3db67d535ea7e1a19d92d689e2f03308a615a5641e72e694d996f76c1111c88c507c39a87f34a3682dafbfe583b79f5b950a30614162c605f7e6c5d452b4f84a145f20bf4470ddf43f06c415dc6c41551fd458ba6aedf57d74cb85a25e43324814b62c3be4108b1ea5b9dd22a78a45cdf5d8f27c11f35026bf7ef10c7d1f0615fe1c44a302a84d88b8d6c2d85049c9f48a04b4e61801c017f609b673fc8290f7362a0ed35882a335b657f835fce8e20100cde82c1a3dc180611"}]}}]}}]}}]}}, &(0x7f0000007740)={0xa, &(0x7f00000073c0)={0xa, 0x6, 0x310, 0x5, 0x80, 0xff, 0xbf, 0x5}, 0x5, &(0x7f0000007400)={0x5, 0xf, 0x5}, 0x5, [{0xa8, &(0x7f0000007440)=@string={0xa8, 0x3, "0584bddc149671f9e6c6cd123b796cafe2eb5d2bd3cf65e3eb0f3a601aba7164713d4042653f2cca182207d4e7ffa8bc71e705aa48bcff03fddd2e3e6bebe11cb61f95faf14afdf29440021e851fb682aa24e624e833952db6d1f96aa7edfc74ce501359694c7583eb5e48dfe227d2105d5e3d2359e3c728a48adff09b1132f928893ceefae67700983be1ca94e818e7a1463c802f1fc2a72d40900933403d7b255a35d9dc33"}}, {0x4, &(0x7f0000007500)=@lang_id={0x4, 0x3, 0x42c}}, {0xf4, &(0x7f0000007540)=@string={0xf4, 0x3, "1c537117dc720af3ccf108687c86cb544bc885379e435dbb861bc9a01550592e6008ae94a1f98317ad9cd804016b079b5ec294dcaf4537cf5b68c3c4353754caf369ba34101cbd21926b15cef67ab63ead40abfbef867b372fe2781866f87a2dccf98ffe66531c1d5021406c69ce84b439130cac71f52564b7c8fa621d71d5ff001517593f059da0cb82f1fd5e327df9abec4946e34e20d3f1df8f4a0422f9bb538949b4a14d1b3afd6793e81d3ba596d16d8cee0e700314e531e602fe5cb832b22c7a2f9f36f39d053876478157d541e8c0977a9acaf691f1234f665d234f82ee90ff8982d9c1371a15ddc8ed2392dd5a96"}}, {0x98, &(0x7f0000007640)=@string={0x98, 0x3, "078cbefd67796b8d00c6a027e5d07bc3b00756acafb9096e3e381a99fdbe8a5161ca19a9628d61baefd6972b48f5e04b0fa6e2b99cca8df5b50dbd97d656c02f8583a58ce8cbd35c69fb3f86de0ddac90f5be8d4f04a3ad4f31293b509959139bea0f3067d0ebfa3c5b210e1993078b0ae929561fc7734869b3dd8d812c00a3035236166a31227ae291e696ab4f81f4e3f02d6b2f334"}}, {0x4, &(0x7f0000007700)=@lang_id={0x4, 0x3, 0x43e}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007780)={{0x12, 0x1, 0x200, 0xff, 
0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f00000079c0)={0x18, &(0x7f0000007800)={0x20, 0x11, 0xb7, {0xb7, 0x9, "72f591ba5c694f16a4d92075ef3ec8bc46920954799ec8d3c0308f3b4779da6e18e9824a86746d013a399afc7f6fceb6c37f7f131c71ebc001f666ea63ed3ade132009735a546622f9e639d481c967cc7b5b747cc5e62fdc41bbb4bb95878a442cc49111c0f57886f17077a1b4b22e3cf28eecb798feed6f168dd9cc2646f8b79ed41bba94de9e304fc845179a7321f04784aa917ba08405b0a95b8303d914ef8e374780dd8e3437c95c35764cd063e7a3ec6d790b"}}, &(0x7f00000078c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x813}}, &(0x7f0000007900)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x18, 0x8, 0x0, 0x3}]}}, &(0x7f0000007940)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7, 0x80, 0x6, 0xe0, "8402487c", "8056a3ff"}}, &(0x7f0000007980)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xa7, 0x2, 0x7d, 0x0, 0x80, 0x7, 0x6}}}, &(0x7f0000007e80)={0x44, &(0x7f0000007a00)={0x40, 0x10, 0x8c, "21b83825059f24506d8e842085d1f2e7f964471b20ed0a8e50a9aa4ef16b5a6f2dbb2b570a4f8d13d60e47bb7821ff912111dee40a78d42b4d13ea812d929ccf3964c5468f89d2d21630ec87067a2d13f45238b446bf57c6b9ec35578fa587fc77fe2108b1590be081681ccc024f1f590be9e5bec9ea86b9803c60299dda1a82f8ff04428671a43bc2c3393a"}, &(0x7f0000007ac0)={0x0, 0xa, 0x1, 0x4}, &(0x7f0000007b00)={0x0, 0x8, 0x1, 0xfb}, &(0x7f0000007b40)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000007b80)={0x20, 0x0, 0x4, {0x140, 0x20}}, &(0x7f0000007bc0)={0x40, 0x7, 0x2, 0x3ff}, &(0x7f0000007c00)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000007c40)={0x40, 0xb, 0x2, "8a02"}, &(0x7f0000007c80)={0x40, 0xf, 0x2, 0x321a}, &(0x7f0000007cc0)={0x40, 0x13, 0x6, @link_local}, &(0x7f0000007d00)={0x40, 0x17, 0x6, @random="b0fe281fa391"}, &(0x7f0000007d40)={0x40, 0x19, 0x2, '#7'}, &(0x7f0000007d80)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000007dc0)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007e00)={0x40, 0x1e, 0x1, 0x6}, &(0x7f0000007e40)={0x40, 0x21, 0x1, 0x9e}}) r23 = syz_usb_connect$cdc_ecm(0x2, 0x5f, 
&(0x7f0000007f00)={{0x12, 0x1, 0x70, 0x2, 0x0, 0x0, 0x50, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4d, 0x1, 0x1, 0x2, 0x70, 0x40, [{{0x9, 0x4, 0x0, 0xc4, 0x3, 0x2, 0x6, 0x0, 0xe1, {{0x8, 0x24, 0x6, 0x0, 0x0, 'W?s'}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x200, 0x0, 0x200, 0x3}, [@ncm={0x6, 0x24, 0x1a, 0x1000}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x3f, 0x0, 0xd8}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0xff, 0xec, 0x5}}, {{0x9, 0x5, 0x3, 0x2, 0x3cf, 0x81, 0x39, 0x5}}}}}]}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f80)={0xa, 0x6, 0x0, 0x2, 0x20, 0x77, 0xff, 0x2f}, 0x5, &(0x7f0000007fc0)={0x5, 0xf, 0x5}, 0x5, [{0x69, &(0x7f0000008000)=@string={0x69, 0x3, "d25a9c8f1452a3c6ffbfeca8eb777935b58c9b7406775086fff717b54f05ac59f94517ff3cd6f3101dbfa79bb82ae31b1d316d08a71d14fc2c1cfa8c893068bde2bb830ae91fc94288cc232aaac0e64b84007b0e7536c3ec34edef04ded93421a377e0695326aa"}}, {0xac, &(0x7f0000008080)=@string={0xac, 0x3, "7360609ce8300ae4623308d5f8b97bfd50d3d863408b8ea401c86da9d42ce5f3867ce8d721fb2ab5c25f6b4c5e85f5eaf341bd514a16c2dfe3c7a1d7f427ae62c0bff379e84d56637ec1377b8c8ad5b55b099cfaa4a7a6eeb0589f81e7a43300eff53354e1b2bdcdc34d7945d63562e48d5ed93bef75fd0160fcd7c3a6be7f0c642bb6e561e35a1c73110bdcded7699865e25eb238cf8f3b10ad3c10488028c37063c8862f907b06829e"}}, {0x4, &(0x7f0000008140)=@lang_id={0x4, 0x3, 0x81a}}, {0x4, &(0x7f0000008180)=@lang_id={0x4, 0x3, 0x180a}}, {0xb9, &(0x7f00000081c0)=@string={0xb9, 0x3, "37efeb854b4051a46c67aee7eaa0f62fde9f599cd5ba25329d50aee16b30c6c1a514831081afc1dfd2682ff48716a91bf95e084212b0696d43e1c6c43adaf9ed3ef70e62735994d2d0865139604988fac17978d9c05a84f3423831dd1dddc6c94d50ddd674f16525bbf9a8db3bb49001be38a19670abd99f4a2e97cfb20d46c637832a3ec97ff094c6a3304964b72bcf116bf27fedd5521ad3da226297fff849c33c5d849e3e3037527901eef63a599baa54fc46a46ff1"}}]}) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ecm(0x3, 0xc5, &(0x7f00000082c0)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xb3, 0x1, 0x1, 0x6, 
0x28, 0xff, [{{0x9, 0x4, 0x0, 0x9, 0x2, 0x2, 0x6, 0x0, 0x4, {{0x6, 0x24, 0x6, 0x0, 0x0, "b1"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9208, 0x2, 0x0, 0x20}, [@mdlm_detail={0x5e, 0x24, 0x13, 0x7, "63b0b95377147ba214d950fc04b22c04be09d9b96f1ab94bb02e8a2a9e23cf7d3acab22a80ed350ec4b17806edcb169e5075373d991780211392eb3d9f1173a539843bf2c3f66a4a6960a55a2207767db3c55a7dd2898b5ccb40"}, @mbim={0xc, 0x24, 0x1b, 0x2a, 0x100, 0xe0, 0x76, 0x0, 0xff}, @acm={0x4, 0x24, 0x2, 0xa}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x73, 0x35, 0x3f}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0x3, 0x1, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x40, 0x2}}}}}]}}]}}, &(0x7f00000087c0)={0xa, &(0x7f00000083c0)={0xa, 0x6, 0x201, 0x79, 0x3, 0x3f, 0x20, 0x6}, 0x37, &(0x7f0000008400)={0x5, 0xf, 0x37, 0x5, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0xa, 0x6, 0x5}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x1, 0x9, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0xa737ee064a5fddc9, 0x7, 0x7, 0x0, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x0, 0x6, 0x6}, @ssp_cap={0x10, 0x10, 0xa, 0x1, 0x1, 0x8001, 0xf00f, 0xfffd, [0x3fc0]}]}, 0x9, [{0x4f, &(0x7f0000008440)=@string={0x4f, 0x3, "c0663b116dab9ba5c0a2f7a2ad486ffc164a4365899565c5e99b015239f378df56db4dc3b0bb08dcd208d958fa3cf08097aa208b2d2865b502cbc94b1a8e33bdd9d6481fbf32d4913422fe189f"}}, {0x85, &(0x7f00000084c0)=@string={0x85, 0x3, "c9c487a90be3d40ef782373d785f86bdfc3db6fb0dd0a7440b2fe4595c3a6bd67aa8518d897a8a757d5f1ceb86e598cabf2345f771c3c7128bd16dd4b1ee9b7dbcaf611e97f6dcb9f171e8f7052b0f33e631bfe99ddc4413e5e5d7b634dcc3b77e4d301f89a8d3b851b02306cabec211127a8e541d162636588ff574de82de8f307d43"}}, {0x4, &(0x7f0000008580)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f00000085c0)=@lang_id={0x4}}, {0xaa, &(0x7f0000008600)=@string={0xaa, 0x3, 
"ce395e8e9f409a37daeb1c20be9ca4004ae810cf1653eccd6e663dd74f8bc06989b4d1a65c9f480bd37e9dd85349f298ddaddc2cc9e4eda147f231402e116fb594a63718d821d885ebd67eda451558b1fba3093ecbd40cbe5fbe07f94ed927d8e5039a7c497aa8d1f10a4ddac049ad820f8c532c5a3f00947955032423922e95aa5bfee041f7fe8744ecc4424057eec97040b341d0dddcaf206da6431e987f04cfd55802cad3a114"}}, {0x4, &(0x7f00000086c0)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000008700)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000008740)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000008780)=@lang_id={0x4, 0x3, 0x1c}}]}) syz_usb_ep_read(r24, 0x8, 0x7d, &(0x7f0000008840)=""/125) r25 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f00000088c0)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x10, 0x56a, 0x62, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0xf0, 0x8e, [{{0x9, 0x4, 0x0, 0x5, 0x1, 0x3, 0x1, 0x2, 0x0, {0x9, 0x21, 0x3, 0xf, 0x1, {0x22, 0xa21}}, {{{0x9, 0x5, 0x81, 0x3, 0x3af, 0x1, 0x40, 0x2}}, [{{0x9, 0x5, 0x2, 0x3, 0x10, 0x6, 0x1, 0x9}}]}}}]}}]}}, &(0x7f0000008c00)={0xa, &(0x7f0000008900)={0xa, 0x6, 0x250, 0x3, 0x1, 0x46, 0xff, 0x20}, 0x34, &(0x7f0000008940)={0x5, 0xf, 0x34, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0xfa, 0x8, 0x80, 0x5, 0x3}, @ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x9, 0xf00f, 0x0, [0xffc00f, 0xff00c0, 0x101ffc0, 0xff0030, 0x30, 0x30]}]}, 0x4, [{0xed, &(0x7f0000008980)=@string={0xed, 0x3, "e7db914ef4a71a3aba443ee181c272e7fbb63648a997754b81a1938f52b9fd8c2b76ca28ee1fcba280021fbe02ffa03ea753f2d51b71f1cb9391ea31faabf8ed37a9853b87eebaa0a1269696e65e309ea4bf7755ff1b99280fd68230d7d899d097e16ee0b224de57339439c80ad7fbf8bbf32aa00e29802bde1c8c5e6228fa0a54c8350ef997112f763e17428fb8e95a56689595f30a3c16151809b0c6b1d4d4766510c6f066fe4b35a3ea90d388d1b4d4e9c6b30971e237e23fd205f9905ee7d79f4443707adc7f65ce2b15994daac7b954353fb23201844122710531879c6291c7dfbf6be454b9cf2f2e"}}, {0x4, &(0x7f0000008a80)=@lang_id={0x4, 0x3, 0x410}}, {0x64, &(0x7f0000008ac0)=@string={0x64, 0x3, 
"041c8b1bd143ea1d63829b769ddb886a6aafeedd5f652bc948677c9a6e3acfe04a1519053f95e5fcf79b085362cdac6abbf8f13781a621885257052b120045da2c494a30bc6ae6c4160cf497002af8b77e21689324bd6e75aceda7cf6a50920b2ab1"}}, {0x87, &(0x7f0000008b40)=@string={0x87, 0x3, "150837b1e69e5007398ac02c4a0b25072daa81a64af10bcdc5736333f49c921f86d9cbc6b778f1d21679d847d5b8a9b70fc56bb5a433040afd94377b2515a55cda70db64442adae0905aa90f911d3beef800ab6fd87a5c51fda8faa750d195c2e657249781c6af0523e0492f9a69e227e10ca0310f1a010f8b986a9a0553a5331f9754fc90"}}]}) syz_usb_ep_write(r25, 0x7, 0x72, &(0x7f0000008c40)="a6908c5530814d6a6bfd6d6c7594d4af8a4962d882da657bb402c7d0ae4535168160dbf67b82f223d577b0e16e6ac3c46a4015a6ed7c4fa65d1dbaa268b748dec46774eca92247969449a9f59e9edde4d37e7bd17882eb005e24fe43f57654000eadec3f1de9917eb28c2a877182c47b556d") syz_usbip_server_init(0x4) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = 
htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct 
nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 
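// Fixed values used by the Wi-Fi helpers in this generated program.
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 }
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 }
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 }
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

// Parameters for an NL80211_CMD_JOIN_IBSS request (see nl80211_join_ibss).
struct join_ibss_props {
	int wiphy_freq;
	bool wiphy_freq_fixed;
	uint8_t* mac; // optional; the MAC attribute is only sent when non-NULL
	uint8_t* ssid;
	int ssid_len;
};

// Sets or clears IFF_UP on the named interface via SIOCGIFFLAGS/SIOCSIFFLAGS.
// Returns 0 on success and -1 if the socket or either ioctl fails.
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		return -1;
	}
	memset(&ifr, 0, sizeof(ifr));
	// Bounded copy: ifr_name is a fixed-size array and the name comes from the
	// caller. The memset above guarantees NUL termination.
	strncpy(ifr.ifr_name, interface_name, sizeof(ifr.ifr_name) - 1);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Sends NL80211_CMD_SET_INTERFACE for ifindex with the requested iftype.
// Returns the result of netlink_send().
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Sends NL80211_CMD_JOIN_IBSS for ifindex using the SSID, frequency and the
// optional MAC / fixed-frequency flag from props.
// Returns the result of netlink_send().
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Queries RTM_GETLINK for ifindex on a fresh NETLINK_ROUTE socket and returns
// the value of the IFLA_OPERSTATE attribute, or -1 if the socket, the request
// or the attribute lookup fails.
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return -1;
	}
	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	int n;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true);
	close(sock);
	if (err) {
		return -1;
	}
	struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
	for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) {
		if (attr->rta_type == IFLA_OPERSTATE)
			return *((int32_t*)RTA_DATA(attr));
	}
	return -1;
}

// Polls get_ifla_operstate() once per millisecond until the interface reports
// the requested operstate (returns 0) or the query fails (returns the negative
// result). There is no timeout.
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate)
{
	int ifindex = if_nametoindex(interface);
	while (true) {
		usleep(1000);
		int ret = get_ifla_operstate(nlmsg, ifindex);
		if (ret < 0)
			return ret;
		if (ret == operstate)
			return 0;
	}
	return 0;
}

// Switches the interface to NL80211_IFTYPE_ADHOC, brings it up and joins the
// IBSS described by ibss_props. Returns 0 on success, -1 on the first failure.
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props)
{
	int ifindex = if_nametoindex(interface);
	if (ifindex == 0) {
		return -1;
	}
	int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC);
	if (ret < 0) {
		return -1;
	}
	ret = set_interface_state(interface, 1);
	if (ret < 0) {
		return -1;
	}
	ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Hard-coded sizes and byte offsets into the mapped io_uring rings.
// NOTE(review): these mirror a specific kernel ring layout; confirm against
// the kernel under test.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

// Consumes one completion entry from the ring mapped at a0: copies the CQE at
// the current head, advances the head with a release store, and returns
// cqe.res when user_data is 0x12345 or 0x23456, otherwise -1.
// The ring pointer is used as given; no validation is performed.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}

struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};

struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};

struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
#define sys_io_uring_setup 425

// Calls io_uring_setup(entries=a0, params=a1), then maps the ring at the fixed
// address a2 and the SQE array at the fixed address a3 (MAP_FIXED), storing
// the mmap results through a4 and a5. Returns the value of the setup syscall.
// NOTE(review): the syscall and mmap results are not checked, so a failed
// setup still reaches both mmap calls with an invalid descriptor.
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;
	uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params);
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	// One mapping covers both rings, so it is sized for the larger of the two.
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Copies the 64-byte SQE at a2 into slot a3 of the SQE array at a1 (the index
// is reduced modulo the ring's entry count when that count is non-zero),
// records the slot in the SQ index array at the current tail and advances the
// tail with a release store. Always returns 0.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ index array is located after the CQEs, rounded up to 64 bytes.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

// Creates a UNIX socket pair, attaches one end to a vhci_hcd port by writing
// "<port> <fd> 0 <speed>" to the attach file, and returns the other end.
// Returns -1 when the per-speed port counter is exhausted.
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		exit(1);
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	// NOTE(review): the counter starts at 0 and each hub has VHCI_HC_PORTS
	// ports, so `>=` may have been intended here; confirm before changing.
	if (available_port_num > VHCI_HC_PORTS) {
		// Do not leak the socket pair when no port is available.
		close(client_fd);
		close(server_fd);
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	snprintf(buffer, sizeof(buffer), "%d %d %s %d", port_num, client_fd, "0", speed);
	// The result of the attach write is not checked; server_fd is returned
	// either way.
	write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer);
	return server_fd;
}

#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer once and returns it on
// every later call. Returns NULL if the file cannot be opened or read, or if
// it fills the whole VMLINUX_MAX_SUPPORT_SIZE buffer.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			// Close the descriptor on the failure path as well.
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	close(fd);
	is_read = true;
	return buf;
}

// Walks the BTF type section of vmlinux and returns the 1-based index of the
// first type whose name equals the string at a0, or -1 if BTF is unavailable,
// the magic does not match, or no type has that name.
// NOTE(review): header offsets and name_off are used without checking them
// against the number of bytes actually read; this relies on the kernel
// exporting well-formed BTF.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// Size of the kind-specific data that follows the common btf_type.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}

// memcpy(a0 + a1, a2 + a3, a4) with the offsets truncated to 32 bits.
// Pointers and length are used as given; returns the destination address.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

struct usb_info {
	int fd;
	struct usb_device_index index;
};

static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

// Builds an index over a raw descriptor blob (device descriptor followed by
// the configuration): records the device/config pointers, then walks the
// length-prefixed descriptors and notes up to USB_MAX_IFACE_NUM interfaces and
// up to USB_MAX_EP_NUM endpoints per interface.
// Returns false only when the blob is shorter than a device plus a config
// descriptor. The index keeps pointers into buffer.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		// desc_length comes from the blob and may be shorter than the struct
		// read below, so bound every struct access by the bytes that remain.
		size_t remaining = length - offset;
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM &&
		    remaining >= sizeof(struct usb_interface_descriptor)) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				// Copy at most what the blob still holds; the rest of desc
				// stays zero from the memset above.
				size_t copy_len = sizeof(iface->eps[iface->eps_num].desc);
				if (copy_len > remaining)
					copy_len = remaining;
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, copy_len);
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

// Reserves the next slot in usb_devices, parses dev into it and publishes fd
// with a release store. Returns the slot's index structure, or NULL when all
// USB_MAX_FDS slots are used or parsing fails.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Returns the index registered for fd, or NULL if no slot holds that fd.
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Picks the response for a device-to-host standard GET_DESCRIPTOR request
// during connection: device, config, string, BOS or device-qualifier data.
// On success stores the data pointer and length through response_data /
// response_length and returns true; returns false for anything else, in which
// case the outputs are left untouched.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				// Index 0 is answered with the default language-id descriptor,
				// any other unknown index with the default string.
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// descs is optional (the string case above already allows NULL),
				// so do not dereference it blindly.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// No qualifier supplied: synthesize one from the device
					// descriptor. It is built in thread-local storage and
					// returned through *response_data; building it at
					// response_data itself would overwrite the caller's
					// pointer variable and the memory after it.
					static __thread struct usb_qualifier_descriptor qual_storage;
					struct usb_qualifier_descriptor* qual = &qual_storage;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Host-to-device handler for generic devices: accepts only a standard
// SET_CONFIGURATION request and marks the connection sequence as done.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// Host-to-device handler for the ath9k variant: accepts SET_CONFIGURATION and
// the vendor ATH9K_FIRMWARE_DOWNLOAD request, and marks the sequence as done
// only on ATH9K_FIRMWARE_DOWNLOAD_COMP.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));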
struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event 
{ __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); 
} static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = 
lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; 
uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; }

// syz_usb_connect: unpacks the four raw argument words and forwards them to
// syz_usb_connect_impl together with the generic OUT-request lookup callback.
//   a0 - speed
//   a1 - dev_len
//   a2 - dev, cast to const char*
//   a3 - descs, cast to const struct vusb_connect_descriptors*
// Neither pointer is checked in this wrapper. Returns syz_usb_connect_impl's result.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// syz_usb_connect_ath9k: same argument unpacking as syz_usb_connect; the only
// difference is the OUT-request lookup callback (lookup_connect_response_out_ath9k).
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// syz_usb_control_io: fetches one event through usb_raw_event_fetch and answers
// it on endpoint 0.
//   a0 - fd handed to the usb_raw_* helpers
//   a1 - const struct vusb_descriptors*
//   a2 - const struct vusb_responses*
// Returns 0 after the transfer, -1 if the event is not USB_RAW_EVENT_CONTROL or
// no response is found for an IN request (ep0 is stalled first), otherwise the
// negative value returned by the failing usb_raw_* call.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	// IN request with a non-zero wLength: look up the bytes to send back.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): the condition is an OR, so it holds for every standard
		// request and for any request whose bRequest equals USB_REQ_SET_INTERFACE,
		// whatever its type; wIndex/wValue are then read as interface number and
		// alternate setting. Confirm this is the intended match.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// An oversized length is reset to 0 (not clamped), which keeps the
	// memcpy/memset below inside response.data.
	if (response_length > sizeof(response.data))
		response_length = 0;
	// Never transfer more than the host asked for.
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// IN request with wLength == 0: response_data is still NULL here, so the
	// memset branch below zero-fills USB_MAX_PACKET_SIZE bytes.
	// assumes sizeof(response.data) >= USB_MAX_PACKET_SIZE; the struct is declared
	// outside this listing excerpt - TODO confirm.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	// Only an IN request that expects data is written; every other case is read.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// syz_usb_ep_write: copies up to sizeof(io_data.data) bytes from the caller's
// buffer into a stack staging struct and passes it to usb_raw_ep_write.
//   a0 - fd, a1 - endpoint value given to lookup_endpoint, a2 - length, a3 - data pointer
// Returns 0 on success, -1 if lookup_endpoint fails, or usb_raw_ep_write's
// negative result. The data pointer itself is not checked.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t
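len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	// Clamp to the staging buffer so the memcpy below cannot overrun io_data.data.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// syz_usb_ep_read: reads from an endpoint into a stack staging struct and
// copies the result to the caller's buffer.
//   a0 - fd, a1 - endpoint value given to lookup_endpoint, a2 - length, a3 - destination pointer
// Returns 0 on success, -1 if lookup_endpoint fails, or usb_raw_ep_read's
// negative result.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	// NOTE(review): the copy length is io_data.inner.length (set to the clamped
	// len above), not rv. io_data is not zeroed, so if the helper can transfer
	// fewer bytes than requested, the tail copied out is leftover stack content.
	// The helper is defined outside this excerpt - confirm before changing.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

// syz_usb_disconnect: closes the fd in a0, waits 200 ms, returns close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// syz_open_dev: opens a device node and returns open()'s result.
//   a0 == 0xc / 0xb - opens /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> with
//                     O_RDWR; a1 and a2 are truncated to uint8_t
//   otherwise       - a0 is used as a pointer to a path template; every '#' is
//                     replaced by the next decimal digit of a1 (lowest digit
//                     first) and the path is opened with flags a2
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		// Unbounded sprintf, but both numbers are uint8_t, so the longest
		// result ("/dev/block/255:255") fits comfortably in buf.
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		// strncpy does not terminate on truncation; the next line does it explicitly.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

// syz_open_procfs: opens a file below /proc for the current process or one of its tasks.
//   a0 == 0  - /proc/self/<a1>
//   a0 == -1 - /proc/thread-self/<a1>
//   else     - /proc/self/task/<a0>/<a1>
// a1 is used as a C string. The path is built with snprintf into a 128-byte
// buffer, so an over-long name is truncated rather than overflowing.
// Tries O_RDWR first and falls back to O_RDONLY; returns the fd or -1.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// syz_open_pts: asks the fd in a0 for its pty number (TIOCGPTN) and opens
// /dev/pts/<n> with flags a1. Returns the new fd, or -1 if the ioctl fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	// ptyno is an int, so the formatted path is far shorter than buf.
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// syz_init_net_socket: creates a socket while temporarily switched to the
// network namespace referenced by kInitNetNsFd, then switches back.
// Returns the socket fd or -1; errno reflects the socket() call (or the
// failing open/setns). Exits the process if the original namespace cannot be
// re-entered, because continuing in the wrong namespace would be worse.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Fix: the original returned here without closing netns, leaking one
		// descriptor per failed call. errno from setns is kept for the caller.
		int saved = errno;
		close(netns);
		errno = saved;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// syz_genetlink_get_family_id: resolves a generic-netlink family name to its id
// through netlink_query_family_id.
//   name     - used as a C string
//   sock_arg - socket to use; if negative, a temporary NETLINK_GENERIC socket is
//              created and closed here, and dofail is passed as true
// Returns the id, or -1 on any failure.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	// Only close the socket if it was created in this function.
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

// One piece of a filesystem image: size bytes from data are written at offset.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
// Hard-coded syscall number used with syscall() below.
#define sys_memfd_create 356

// fs_image_segment_check: sanitises the caller-supplied segment table in place
// and returns the image size to allocate.
//   size  - requested image size
//   nsegs - entries in segs; only the first IMAGE_MAX_SEGMENTS are examined
//   segs  - segment table; size and offset of every examined entry are
//           rewritten so that offset + size <= IMAGE_MAX_SIZE
// Returns size, grown to cover the furthest segment end and capped at
// IMAGE_MAX_SIZE.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		// size <= IMAGE_MAX_SIZE here, so the subtraction cannot wrap.
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// Fix: the original compared against offset + offset, which sized the
		// image by twice the offset instead of by the end of the segment.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// setup_loop_device: builds the image in a memfd and attaches it to loopname.
//   size, nsegs, segs - image description, sanitised by fs_image_segment_check
//   loopname          - loop device path to open
//   memfd_p, loopfd_p - receive the two open descriptors on success
// Returns 0 on success; on failure returns -1 with errno set to the first
// error and both descriptors closed.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	size = fs_image_segment_check(size, nsegs, segs);
	// Fix: fs_image_segment_check clamps only its own copy of nsegs, so the write
	// loop below used to walk entries past IMAGE_MAX_SEGMENTS whose size and
	// offset were never sanitised. Apply the same cap here.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		// A failed segment write is deliberately ignored (best effort).
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// Device still bound to an earlier backing file: detach, wait 1 ms, retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// syz_read_part_table: attaches the image to /dev/loop<procid>, sets
// LO_FLAGS_PARTSCAN on it, and symlinks each partition node that exists
// (/dev/loop<procid>p1 .. p7) to ./file0, ./file1, ... in the working directory.
// The loop device is detached and both descriptors are closed before returning.
// Returns 0 on success, -1 with errno set on failure.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// j counts only the partitions that exist, so link names are contiguous.
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			// A symlink failure is ignored.
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	close(memfd);
	errno = err;
	return res;
}

// syz_mount_image: mounts a filesystem on `dir` and returns an O_DIRECTORY fd
// for the mount point.
//   fsarg    - filesystem type string
//   dir      - mount point path; created with mkdir (result ignored)
//   size, nsegs, segments - image description; when segments is non-NULL the
//              image is attached to /dev/loop<procid> and used as the source
//   flags    - mount flags; MS_RDONLY is added for "iso9660"
//   optsarg  - mount option string; at most sizeof(opts) - 32 bytes are copied
// Returns the fd, or -1 with errno set. The loop device, if any, is detached
// and closed before returning in both cases.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
			return -1;
		source = loopname;
	}
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	// Empty body: an over-long option string is not reported, only truncated below.
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	// opts is zero-filled and at most sizeof(opts) - 32 bytes are copied, so the
	// string stays terminated and 32 bytes remain for the suffixes appended with
	// strcat below (",errors=continue" / ",nouuid").
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Appended when "errors=panic" is present or "errors=remount-ro" is absent.
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
	}
error_clear_loop:
	if (need_loop_device) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
		close(memfd);
	}
	errno = err;
	return res;
}

static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2,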
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	// Stub in this build: all eight arguments are ignored.
	return 0;
}

// setup_common: tries to mount fusectl at /sys/fs/fuse/connections; a failure is ignored.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// sandbox_common: process-level containment applied before the test loop runs.
// Order of effects: parent-death signal, new session, a duplicate of the
// current net namespace fd parked at kInitNetNsFd, resource limits, namespace
// unsharing, then SysV IPC sysctls.
// Every unshare()/mount() failure is swallowed by an empty if-body, so the
// isolation is best effort: on a kernel or privilege level where a call
// fails, the process simply keeps sharing that namespace.
static void sandbox_common()
{
	// Kill this process if its parent dies.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();
	// Keep a handle on the current network namespace at a fixed fd number;
	// syz_init_net_socket enters it through kInitNetNsFd.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Resource limits; setrlimit results are not checked.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	// No core dumps.
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	// Make every mount private so later mounts do not propagate out of this namespace.
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is the value of CLONE_NEWCGROUP in the Linux headers.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	// SysV shared-memory, message-queue and semaphore limits written below.
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	// write_file's result is not checked here.
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// wait_for_loop: blocks until child `pid` has been reaped and returns its exit
// status. Exits the process if pid is negative (fork failed in the caller).
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	// waitpid(-1, ...) also reaps unrelated children; keep going until it is ours.
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// drop_caps: removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective,
// permitted and inheritable sets of this process. Every other capability is
// left as it was. Exits the process if capget or capset fails.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	// Only cap_data[0] is modified; cap_data[1] is written back unchanged.
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// do_sandbox_none: entry point of the "none" sandbox. The parent waits for the
// child and returns its exit status; the child applies setup_common,
// sandbox_common and drop_caps, tries to enter a fresh network namespace and
// then runs loop(). The child never returns from this function.
static int do_sandbox_none(void)
{
	// Failure to get a new PID namespace is ignored.
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	// Done after sandbox_common, which already saved the previous net
	// namespace at kInitNetNsFd.
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// remove_dir: recursively deletes `dir`, unmounting anything mounted on it or
// on its entries along the way. Exits the process on any error it cannot work
// around. Entries are classified with lstat, so a symlink is unlinked rather
// than followed into its target.
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	// Detach every mount stacked on dir.
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Clear the inode flags (FS_IOC_SETFLAGS with 0) and retry the unlink.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			// Read-only filesystem: give up on this entry without failing.
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			// New entries appeared: rescan the directory, at most 100 times.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// inject_fault: writes `nth` in decimal to /proc/thread-self/fail-nth and
// returns the still-open fd. Exits the process if the file cannot be opened or
// the write is short.
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	// An int needs at most 11 characters plus the terminator, so buf is large enough.
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

// kill_and_wait: SIGKILLs the process group and the process `pid`, then reaps
// pid into *status. If pid is not reaped within about 100 ms, every entry under
// /sys/fs/fuse/connections gets one byte written to its "abort" file before
// the final blocking wait.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// The byte written is the first character of the path buffer; a
			// write failure is ignored.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// reset_loop: detaches whatever is bound to /dev/loop<procid>, if the device can be opened.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// setup_test: per-test child setup - parent-death signal, own process group,
// and oom_score_adj 1000 so this process is the preferred OOM-killer target.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// setup_fault: writes the fault-injection settings listed below under
// /sys/kernel/debug. Exits the process only if an entry marked fatal cannot be
// written; the others are optional.
static void setup_fault()
{
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				exit(1);
		}
	}
}

// Smallest read buffer syz_fuse_handle_req accepts.
#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes matched in syz_fuse_handle_req.
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header at the start of each request read from the FUSE fd.
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

// Header at the start of each reply; len is the number of bytes written back.
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

// Caller-prepared replies, one pointer per reply kind; any of them may be NULL.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

// fuse_send_response: copies the request's `unique` id into the reply and
// writes out_hdr->len bytes starting at out_hdr to fd.
// Returns 0 on success, -1 if out_hdr is NULL or write() fails.
// out_hdr->len comes from the caller-prepared reply and is not bounded here.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

// syz_fuse_handle_req: reads one request from the FUSE fd and answers it with
// the caller-prepared reply that matches its opcode.
//   a0 - fd
//   a1 - read buffer
//   a2 - read buffer length; must be at least FUSE_MIN_READ_BUFFER
//   a3 - struct syz_fuse_req_out* holding the prepared replies
// Returns 0 when a reply was sent (or none is needed for FORGET/BATCH_FORGET),
// -1 on a bad argument, a failed or short read, an unknown opcode, or a
// missing reply.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	// The header is only interpreted once enough bytes for it have arrived...
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	// ...and its declared length may not exceed what was actually read.
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		// These are answered with a bare header: the init reply is reused
		// and its len is overwritten in place with the header size.
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		// No reply is sent for these two opcodes.
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	default:
		return -1;
	}
	// fuse_send_response rejects a NULL out_hdr, so a missing reply yields -1.
	return fuse_send_response(fd, in_hdr, out_hdr);
}

// Netlink attribute ids used when building the hwsim frame message below.
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
// Upper bound on the frame length accepted by syz_80211_inject_frame.
#define WIFI_MAX_INJECT_LEN 2048

// hwsim_register_socket: sends a HWSIM_CMD_REGISTER generic-netlink message on
// `sock` for family `hwsim_family`. Returns netlink_send's result unchanged.
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// hwsim_inject_frame: sends a HWSIM_CMD_FRAME message carrying the default rx
// rate and signal, the receiver address (ETH_ALEN bytes from mac_addr) and
// `len` bytes of frame data. The caller is responsible for bounding len.
// Returns netlink_send's result unchanged.
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// syz_80211_inject_frame: registers a temporary generic-netlink socket with the
// "MAC80211_HWSIM" family and sends one frame through it.
//   a0 - receiver MAC address pointer
//   a1 - frame data pointer
//   a2 - frame length; rejected unless 0 <= length <= WIFI_MAX_INJECT_LEN
// Returns 0 on success, -1 on any failure. The socket is closed on every path
// after it has been created.
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	// NOTE(review): the family id is used without a check in this function;
	// presumably the `true` argument makes the helper handle a failed lookup
	// itself - the helper is outside this excerpt, confirm.
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32
// Accepted values of the mode argument of syz_80211_join_ibss.
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// syz_80211_join_ibss: configures `interface` for an IBSS with the given SSID
// through nl80211_setup_ibss_interface.
//   a0 - interface name (C string)
//   a1 - SSID bytes
//   a2 - SSID length; rejected unless 0 <= length <= WIFI_MAX_SSID_LEN
//   a3 - mode; rejected unless within WIFI_JOIN_IBSS_NO_SCAN..WIFI_JOIN_IBSS_BG_NO_SCAN
// In NO_SCAN mode the call also waits for the interface to report IF_OPER_UP.
// Returns 0 on success, -1 on any failure.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
	// The frequency is marked fixed in both *_NO_SCAN modes.
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

// syz_execute_func: treats `text` as the address of a void(void) function and
// calls it. Whatever bytes the program placed at that address run inside this
// process, so the containment set up in sandbox_common is the only barrier
// around them. Always returns 0 if the call returns.
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// loop: runs the test program forever, one forked child per iteration.
// Each iteration creates a fresh working directory ./<iter>, resets the loop
// device, forks a child that chdirs into the directory and runs execute_one(),
// and waits for it. A child still running after 5000 ms is killed through
// kill_and_wait. The directory is removed afterwards. Exits the process if
// mkdir or fork fails.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			// Poll once per millisecond until the child exits or the deadline passes.
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers, used only when the system headers do not define them.
#ifndef __NR_dup
#define __NR_dup 41
#endif
#ifndef __NR_fcntl
#define __NR_fcntl 55
#endif
#ifndef __NR_getgid
#define __NR_getgid 47
#endif
#ifndef __NR_getresuid
#define __NR_getresuid 165
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_lstat
#define __NR_lstat 107
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_read #define __NR_read 3 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[26] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; *(uint32_t*)0x20000000 = -1; inject_fault(1); res = syscall(__NR_ioctl, -1, 0x89e2, 0x20000000); if (res != -1) r[0] = *(uint32_t*)0x20000000; *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0xe6; memcpy((void*)0x20000048, "\xf1\x37\x16\x1a\xb8\x6c\x59\x42\x02\xb9\x97\xd9\xf1\x2d\x00\x70\x21\x87\x03\x22\xc8\xd9\x09\x74\x84\x09\x95\x1a\xe9\x80\x0c\x1e\x20\x7f\x98\xb7\x69\xc7\x40\xf8\x67\xea\x14\xbb\xf8\x66\x6a\x4f\x98\xd2\x29\xaa\xaf\xbc\x33\xc6\xc5\x21\x68\xdb\x89\x33\xc4\xa4\xa4\xa3\xdd\x3c\xe0\xcc\xea\x96\xe7\x1d\x81\xff\x4a\xca\x83\x31\xcb\x01\xbf\x35\x43\x38\x53\xd1\xab\xd4\x8f\xd6\xd0\xce\x13\x14\xdf\x65\x07\xba\xe5\x35\xa2\xb4\xe3\xea\xa7\x4c\x5d\x23\x00\x65\x94\x14\x8a\x0f\xe5\xb4\xa8\x84\xef\x8f\x41\x34\x6e\x49\xcc\x90\x47\x4c\xb1\x7b\xac\x30\x1d\x47\x97\xed\x05\xdf\xc6\xcc\xb7\x4b\xeb\xaa\xbe\x54\x91\x72\xd6\x22\xa3\x06\x05\xa4\xe4\x9f\xd3\xf8\x53\x7d\xe5\x27\x2c\x33\xad\x4f\x07\xcd\x06\x05\x77\xbc\xe6\x5e\x5c\x80\xa3\x41\x68\xcd\xe6\x81\x17\xe4\xf9\x00\xe3\x5a\x3d\x88\x8e\x02\xee\x11\x17\x52\x21\x3b\x40\xd2\xaf\x25\x8c\x01\xf3\x6d\xe5\x0c\xe8\xe8\x3d\x42\x26\xa3\x0d\x6a\x4c\xc4\x3a\x88\x3f\x6c\x20\xe3\xfa\xda\x8a\xd2", 230); *(uint32_t*)0x20000140 = 0xee; res = syscall(__NR_getsockopt, -1, 0x84, 0x1a, 0x20000040, 0x20000140); if (res != -1) r[1] = *(uint32_t*)0x20000040; *(uint32_t*)0x20000180 = r[1]; *(uint16_t*)0x20000184 = 0xa; 
*(uint16_t*)0x20000186 = htobe16(0x4e22); *(uint32_t*)0x20000188 = htobe32(3); *(uint8_t*)0x2000018c = 0xfc; *(uint8_t*)0x2000018d = 2; memset((void*)0x2000018e, 0, 13); *(uint8_t*)0x2000019b = 0; *(uint32_t*)0x2000019c = 1; *(uint64_t*)0x20000204 = 0x7fffffff; *(uint64_t*)0x2000020c = 1; *(uint64_t*)0x20000214 = 0x7fff; *(uint64_t*)0x2000021c = 4; *(uint64_t*)0x20000224 = 7; *(uint64_t*)0x2000022c = 1; *(uint64_t*)0x20000234 = 0x3ff; *(uint64_t*)0x2000023c = 0x40; *(uint64_t*)0x20000244 = 5; *(uint64_t*)0x2000024c = 1; *(uint64_t*)0x20000254 = 0; *(uint64_t*)0x2000025c = 7; *(uint64_t*)0x20000264 = 0; *(uint64_t*)0x2000026c = 8; *(uint64_t*)0x20000274 = 0x1f; *(uint32_t*)0x20000280 = 0xfc; res = syscall(__NR_getsockopt, (intptr_t)r[0], 0x84, 0x70, 0x20000180, 0x20000280); if (res != -1) r[2] = *(uint32_t*)0x20000180; *(uint32_t*)0x200002c0 = r[2]; *(uint16_t*)0x200002c4 = 0xa; *(uint16_t*)0x200002c6 = htobe16(0x4e20); *(uint32_t*)0x200002c8 = htobe32(9); *(uint8_t*)0x200002cc = 0xfc; *(uint8_t*)0x200002cd = 2; memset((void*)0x200002ce, 0, 13); *(uint8_t*)0x200002db = 1; *(uint32_t*)0x200002dc = 3; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 6, 0x200002c0, 0x84); memcpy((void*)0x20000380, "/dev/pktcdvd/control\000", 21); res = syscall(__NR_openat, 0xffffff9c, 0x20000380, 0, 0); if (res != -1) r[3] = res; syscall(__NR_ioctl, (intptr_t)r[3], 0x7c80, 0); *(uint32_t*)0x200003c0 = r[1]; *(uint16_t*)0x200003c4 = 0xa; *(uint16_t*)0x200003c6 = htobe16(0x4e23); *(uint32_t*)0x200003c8 = htobe32(0x7f); *(uint8_t*)0x200003cc = 0xfc; *(uint8_t*)0x200003cd = 0; memset((void*)0x200003ce, 0, 13); *(uint8_t*)0x200003db = 0; *(uint32_t*)0x200003dc = 5; *(uint16_t*)0x20000444 = 5; *(uint16_t*)0x20000446 = 0x476f; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 0x1f, 0x200003c0, 0x88); *(uint32_t*)0x20000500 = 1; *(uint32_t*)0x20000504 = 2; *(uint64_t*)0x20000508 = 0x20000480; *(uint32_t*)0x20000480 = 0; *(uint64_t*)0x20000510 = 0x200004c0; *(uint32_t*)0x20000518 = 4; 
*(uint32_t*)0x2000051c = 8; res = syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000500); if (res != -1) r[4] = *(uint32_t*)0x200004c0; *(uint32_t*)0x200005c0 = 0x8a; *(uint32_t*)0x200005c4 = 7; *(uint64_t*)0x200005c8 = 0x20000540; *(uint32_t*)0x20000540 = r[4]; *(uint32_t*)0x20000544 = 0x400; *(uint64_t*)0x20000548 = 0; *(uint64_t*)0x200005d0 = 0x20000580; *(uint32_t*)0x200005d8 = 0x10; *(uint32_t*)0x200005dc = 0xc; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x200005c0); *(uint32_t*)0x20000680 = 0x83; *(uint32_t*)0x20000684 = 2; *(uint64_t*)0x20000688 = 0x20000600; *(uint32_t*)0x20000600 = r[4]; *(uint64_t*)0x20000690 = 0x20000640; *(uint32_t*)0x20000698 = 4; *(uint32_t*)0x2000069c = 4; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000680); *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 0x240, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); memset((void*)0x20000044, 255, 6); *(uint8_t*)0x2000004a = 8; *(uint8_t*)0x2000004b = 2; *(uint8_t*)0x2000004c = 0x11; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; memcpy((void*)0x20000050, "\x20\x15\xd2\x29\x78\x5b", 6); STORE_BY_BITMASK(uint16_t, , 0x20000056, 8, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0, 4, 12); *(uint16_t*)0x20000058 = 0x27; 
*(uint8_t*)0x2000005a = 0x8c; *(uint8_t*)0x2000005b = 0x18; *(uint16_t*)0x2000005c = 0xc93; memcpy((void*)0x2000005e, "\xff\xe3\x24\x0f\x04\x84", 6); memcpy((void*)0x20000064, "\x06\x7e\xcc\x39\xa7\x8a\x3e\xa4\x7c\x22\x24\x6d\x39\x1b\x92\xc4", 16); syz_80211_inject_frame(0x20000000, 0x20000040, 0x34); memcpy((void*)0x20000080, "wlan1\000", 6); memset((void*)0x200000c0, 1, 6); syz_80211_join_ibss(0x20000080, 0x200000c0, 6, 2); memcpy((void*)0x20000100, "bpf_lsm_xfrm_policy_alloc_security\000", 35); syz_btf_id_by_name(0x20000100); memcpy((void*)0x20000340, "\xc4\xc1\x7d\x6f\x70\x72\xc4\xe1\xf9\x11\x2f\xc4\xe3\xc9\x5d\x33\xab\xc4\xc2\x79\x0e\xb0\x00\x00\x00\x00\xc4\xe1\x7a\x12\xb7\x0c\x00\x00\x00\x0f\x01\x56\xe9\xc4\xe1\x0d\xd5\x5e\x0c\xf3\x0f\x52\x6b\x00\x0f\x7e\x20\xc4\xc1\x79\xe7\x02", 58); syz_execute_func(0x20000340); res = syscall(__NR_dup, -1); if (res != -1) r[5] = res; res = syscall(__NR_fcntl, -1, 9, 0); if (res != -1) r[6] = res; memcpy((void*)0x200026c0, "./file0\000", 8); res = syscall(__NR_lstat, 0x200026c0, 0x20002700); if (res != -1) r[7] = *(uint32_t*)0x20002710; res = syscall(__NR_getresuid, 0x20002800, 0x20002840, 0x20002880); if (res != -1) { r[8] = *(uint32_t*)0x20002800; r[9] = *(uint32_t*)0x20002880; } res = syscall(__NR_read, -1, 0x20002ac0, 0x2020); if (res != -1) r[10] = *(uint32_t*)0x20002ad0; memcpy((void*)0x20004b00, "./file0\000", 8); res = syscall(__NR_statx, -1, 0x20004b00, 0x2000, 0x20, 0x20004b40); if (res != -1) r[11] = *(uint32_t*)0x20004b58; *(uint32_t*)0x20004e00 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004d00, 0x20004e00); if (res != -1) r[12] = *(uint32_t*)0x20004d34; res = syscall(__NR_getgid); if (res != -1) r[13] = res; memcpy((void*)0x200003c0, 
"\x23\x58\x10\x53\x7c\x7f\x88\x6c\xa9\x17\x21\x04\x5f\xf7\xba\xdf\xae\x44\x29\xb2\x52\xcd\x65\x81\x72\xc1\xd0\xd4\x18\xed\x70\x05\x74\x39\xfc\x22\xff\xc7\x7b\x29\x08\x5c\x94\x88\xff\x93\x40\xf8\xa2\xad\xe9\x9b\xf9\xaf\x14\xa3\x57\x25\x7b\x8a\xa6\x9b\x4b\x8e\xff\xe7\xaf\xd6\x87\x6b\x3b\x51\x2b\x86\xfa\x1d\xff\x55\x5c\x6d\xc6\x18\x62\x66\xc9\x1f\xa2\x81\xc9\xdc\x72\xee\x17\xea\xd0\xe2\xa3\xfe\x9f\xf0\x3e\x7c\x32\xd2\x7e\x26\x7f\x5b\xe0\xfd\x6d\x1f\x9e\xfc\x02\xaf\x7f\xe9\xd6\x8d\x75\x55\x19\x20\x1d\xea\x7a\xbe\x68\x10\x53\xab\x98\xf7\x3f\xc0\xc6\xa0\x68\x4e\x91\xb7\x41\xc8\xc9\x45\x1f\x94\x59\xb5\x98\xee\x6f\x4e\xc0\xc9\x1f\x3e\x91\x7a\xf1\xe6\x64\x6f\x3c\x54\xf8\xfa\xf0\x48\x7d\x8e\xcc\xf0\x87\xe2\x8f\x87\x68\xf4\x8a\xe1\x5d\x09\x89\x04\xb3\x25\x42\x85\x70\x2e\x30\x8a\x93\x7d\x5e\x23\xa2\xae\xf3\xc2\x53\x12\x51\x6c\x50\x2d\x5e\x02\x33\x06\x52\x29\xee\x4a\x70\xdb\xc4\x14\x60\x4b\x7f\x05\x5e\xb7\xa2\x72\x48\x03\xe8\x5e\x5b\x4c\xd0\x5a\xf7\x11\xed\x73\x0f\xce\xb8\x1b\xca\xe1\x7a\x49\x67\xaa\x6c\xcf\xf3\xc0\xf4\x96\x6b\x7f\xf3\xd1\x5f\x09\x3e\x94\xeb\x0a\x46\xb7\x0c\x0f\xa5\xb8\x62\x8c\xac\x3c\x31\x01\x9b\xba\x60\x02\x41\x6f\xc6\x66\x1d\x85\x8f\xff\x16\xa9\x62\x15\xb1\xd1\x8a\x87\x7d\x9a\x53\x4a\xc4\x02\x56\xa3\x55\x79\x31\xad\xe2\x7f\x58\x7c\xce\x26\xa2\x0c\x01\x3d\xc6\x7f\x2e\x92\x2a\x52\x68\x9a\xae\xfa\x1b\x06\x4d\x03\xf8\xf6\xa3\x9f\x96\xb0\xde\x1d\x21\x39\x4c\xb6\xc2\x30\x10\xeb\x9e\x4a\x79\x41\x47\x35\xed\x99\x65\x42\x5f\x8a\x01\x00\x84\x96\xdb\xad\x04\x97\xfa\x0d\x65\xac\xec\x59\xff\xa6\xa2\x80\xbc\x58\xe2\xd8\x87\xa1\x0e\x96\x65\xea\xeb\x97\x43\x6e\xbd\xeb\x2b\x58\xa9\xae\x40\xe4\x49\x27\x32\x46\xfd\x99\x67\x53\x9f\x21\x2e\xd8\x96\x9b\x6f\x9a\x49\xd6\x5b\xca\xd2\xdd\x9d\x8e\xe4\x2e\x32\x05\x74\x11\x17\xe4\x31\xd4\x43\xff\x3e\x94\xc4\x7e\x7f\xd6\x27\xd3\x05\x11\xd5\xfb\xce\xc6\xa7\x58\x38\x3d\x31\x36\x7a\xca\x8e\x3a\xf7\x72\xa1\x02\x11\x05\xab\x2c\x1b\x4a\xa7\x61\x4d\xea\x8c\xfa\x4b\x06\xf5\x3a\xf3\x73\x77\x98\x62\xc9\xbd\xb7\x6e\xf9\x3c\x74\x61\x8e\xee\x73\x47\xa
0\x74\xd4\xf7\x1a\x98\x23\x3b\x24\xb2\xa2\x57\x29\xc9\xa1\x98\x3d\x81\x9c\x3f\x42\xd3\x28\xd0\x8f\x0d\x4d\xd1\x64\x2f\x61\xb6\x2a\x89\xfc\x30\x0f\x50\x66\xd8\xe4\x57\xf5\xfd\x49\xda\xa7\x9e\x1b\x1d\x43\xd2\x6f\x89\xf2\xca\x99\x04\x50\xe8\x60\xbc\xc4\x7d\x5c\xf4\x77\x8c\x37\xc4\x51\xed\x22\xd6\x0f\xe2\xbc\xfa\x2c\xaf\xf7\x5c\x41\x70\x99\x0a\x2e\x8e\x21\x87\x19\x7f\x86\x38\xb0\x67\x85\x4c\xcf\x9d\xbe\x91\x58\x6d\xd4\x23\x41\x40\x1c\x4f\xb4\xf3\x13\x30\x66\x8a\xcb\x51\x6e\xba\x22\x27\xcb\xca\x4c\x8f\xa2\xf3\x9a\x03\x52\x1b\xd8\x03\x2f\x5e\x1a\xed\xf4\x9c\x50\xe6\x01\xb9\xfa\xd4\xe0\xd6\xf5\xb5\x93\x2e\xa2\x14\xfd\x50\x84\x85\x70\x3d\x08\x45\x79\x8d\x43\xbd\xbf\xf9\x63\x86\x77\xe6\xa9\x96\xef\xbb\xd1\x93\x6e\x97\x28\x20\x62\x70\x9f\x77\x8b\x45\x5c\xb4\xd2\x00\x13\xf5\xfe\x4c\x9b\xba\x0f\x7c\xfc\x18\x02\xe8\x18\x0f\xb6\xd4\x6f\x51\x76\xd1\xbd\xbb\x43\xd9\x60\xd4\x94\xf3\xa3\x0e\xd7\xab\x4d\xb0\x7d\xe5\xad\x92\x4b\x57\x97\xb5\x09\xf9\x60\x83\xf4\xad\xa9\xfc\xeb\xed\xe1\xeb\x0f\xb0\xdf\xa2\xcd\xc2\x14\x4b\x15\xcf\x4c\x28\x0f\x87\xd1\x18\x7e\x80\x8e\x37\xcd\xef\x53\x75\x52\xe3\x83\xf4\x6c\xcf\xe8\x62\x15\xb2\x07\x15\x39\x85\xe6\xb1\x31\x96\x22\x1f\xde\xa6\xc9\x47\x86\x4d\x12\x14\x7d\x7b\x01\xef\xc3\xdf\x14\x4e\x2c\xaa\x24\xd1\xa4\x78\x2a\x51\xa8\x23\x5c\x4c\x0e\xad\xf0\x44\x0c\x8e\x43\x4a\x4d\x07\x2b\xe5\x84\x55\x47\x17\x5f\x37\xc5\x5f\xdd\xd5\xe7\x84\x95\xac\xe4\x34\xc4\x83\xf2\x8b\xb3\x48\x7a\xd8\xd6\x8b\xd7\x43\x77\xfd\x82\xe1\x7b\xaf\xeb\x06\x2b\x81\xc6\x8e\x8a\x63\x89\xc8\xd8\x10\x79\xe4\xc9\xfa\xa2\xa8\xfc\xf1\x24\x15\xcc\x21\xeb\xcd\x92\xde\x80\x88\x45\x50\x59\x4c\xa6\x4b\x56\xb0\xb4\x24\xa6\x5f\x80\xca\xb1\x64\xb2\xf6\xf2\xf3\x3c\x7a\xea\xa8\xb6\x60\x2e\x71\x83\xb9\xd0\xae\x15\x3a\x17\x03\xb3\x03\x67\x5a\xae\x13\x3b\x3d\xd9\xc6\x46\x67\x7f\x6d\x8a\x49\x2d\xa0\x99\xef\xb4\xa7\xe4\xde\xe3\x92\x81\x8a\x15\xd6\xbf\x9e\xfb\x07\xee\xad\x5b\x40\xac\x25\xbb\x0f\x00\x92\xf4\xb0\xec\xaf\x0a\xc3\x39\x1b\x3e\xcf\xd0\x63\x5e\xc4\x96\xb8\xb6\x6d\x7a\x45\x1c\x6d\x10\x37\x9c\x15\x2
9\x1c\x4f\x36\x82\xf0\x5f\xb7\x39\x44\xcd\x1b\xe0\xf0\xfa\x85\x54\x35\x8b\x30\xde\xb7\x38\x69\x31\xae\x95\xeb\x2a\x16\xfa\xed\x24\x5f\xfc\xad\xb3\x94\xac\xdf\x06\x38\xa6\x26\x27\x82\x33\x01\x93\x66\xe2\xec\xd9\xdb\x1a\x4b\x5a\xe2\x7f\xf8\x3d\x7b\x57\x1c\xd7\xff\xc1\x51\xdc\x4d\x0c\xef\x1d\x03\x00\xc9\x8a\x41\x69\x77\x51\x85\x1f\x8e\x05\x24\x9c\xae\x19\x96\x3f\x81\x25\x89\xa7\xd6\x4c\xfa\xb8\x46\x43\x9f\x47\x13\x43\xba\x5e\xff\xac\x9a\x57\xf7\x6d\x0a\xbf\xb9\x5e\x87\x8b\xee\x4c\x94\x24\xf0\xca\x17\x18\x19\x5e\xff\x14\x06\x0a\xcf\xb3\xe0\xdf\x4c\xbc\x56\x0b\xc2\xbe\x9a\xb4\xf0\xa0\xbd\x68\x6f\xe2\x13\xd4\x49\x47\x17\x0e\x68\xe7\x3b\xaa\xdd\x98\x2c\xe2\xd1\x70\xa5\x0d\x1e\xca\x02\x40\xcd\x3c\xec\xe9\xf7\x4d\xa3\xa1\xc1\x47\x6f\xf1\x1f\xa3\x34\xd7\x2c\x18\x50\x6b\x5c\x00\xa4\x41\xea\x2e\x9c\x72\xc7\x6b\x38\x50\x37\xf8\x6c\xa5\x94\xaa\xad\xe9\x87\xa7\x9b\xbd\x3e\x3c\x40\xd0\x00\x7a\x7f\xf8\x52\x99\x05\xb9\x4c\x54\x61\x65\x62\x92\x95\x0b\x41\xc8\x34\x43\xdc\x84\xd6\xfd\xf5\x2e\x44\x97\xed\x68\x04\x98\x1a\xf1\x33\x85\x64\x92\x00\xd8\x93\x09\x3b\xf2\xea\x82\x25\xb3\x89\xc4\xdf\xd2\xe8\x15\xb3\xbd\xf9\xd7\x08\x4d\x29\x00\x9e\xae\x4e\x88\x22\xa5\xb6\xa5\x2a\xa7\x6a\xfd\x95\x1d\x04\xaf\xa8\xe1\x28\x63\x96\xa8\x34\xdc\xf8\xc6\xb5\x7c\xc4\xef\xbc\x0c\x16\x77\x9d\x53\xf0\xbc\xd7\x40\x43\xc0\x6e\xce\xbe\x59\x32\x8d\xcc\xa8\xbb\x61\x05\xaf\x23\x56\x59\x06\xe5\x46\x6c\x73\x11\xb1\xaa\xc6\x76\x2e\x4b\x62\x60\x36\xfe\x31\xd3\xe7\xb0\xfa\x2e\x65\x8c\xa9\x35\x10\x78\xee\xca\x7b\x46\x7e\x11\x8e\x9b\x88\x95\x9d\xe1\xf4\x18\x69\x40\x5a\x83\xbd\xc6\xce\x98\x0c\x72\x9f\x7e\x2a\x46\x0f\xa9\xbe\xe1\x61\xe5\x4d\x27\x1a\x87\x4b\xb4\xd0\xa2\x2c\xd1\xa4\x37\x6d\xe3\x6b\x58\x68\xca\x0e\x10\x93\x3e\x5f\xe2\xf7\x38\x5c\x1a\xf6\x2b\x86\xf8\xe5\xc3\x12\x66\x26\xb8\xbc\x6d\x56\x8f\x62\x1d\xa3\x23\x70\x7e\xa3\x32\xd7\x65\x44\x39\xfb\xa4\x67\x1d\x0c\xae\xb7\xef\x94\xe2\x5a\x82\x86\xbd\x9a\x19\xa2\x9e\x49\x32\xc7\xdb\x9b\x82\x34\x7d\xa5\x24\x92\xb3\x81\x4a\x44\xb9\x2f\x61\x55\x9c\x22\x65\x4c\x8b\x30\x1a\x8
d\xfe\x9d\xae\xae\x0c\xad\xe9\x46\xc0\x66\x6e\x94\xc4\xa6\x35\x3b\xb0\xeb\x21\x37\xd3\x68\x53\xad\x4f\x7a\x20\xa5\x08\x1e\x63\xaf\xee\xce\x20\x3f\xa6\xee\xea\x7f\x62\x9d\x00\x1d\xab\xaf\x5b\x1a\x3c\x67\x61\x51\x7b\xc9\x9a\x8e\x63\xf6\x6c\x01\x88\x49\x27\xb4\xbc\x40\xbc\x34\x19\x0c\x9e\x55\x3c\x69\x0f\xbc\x64\x44\xdd\x8b\xba\x65\x68\x74\xfa\x80\x46\x31\xb5\x6d\x24\x54\x1a\x9b\xd6\xfb\x77\xdb\x49\x03\x76\x9f\x9d\x04\x44\xd0\x8a\x21\xff\x59\xd9\x49\x65\x9d\x80\xb1\x40\x2d\x91\x9a\xc0\xfb\x83\x80\xed\x91\x15\xb6\x69\x3c\x19\x5f\x8f\x1a\x90\xa3\xa4\x22\x35\xd8\xea\x78\x2e\xda\x2b\xf1\x94\xd3\x2f\xbc\xc5\x63\x27\x1a\xfd\xa7\x3d\x70\x96\xa2\xe9\xe4\x67\x54\x1e\x76\x67\xc2\x67\xc5\x95\xe1\x23\x37\x29\x75\x26\x77\x68\xb8\xd1\x6c\xb6\x13\x0e\xae\xbf\x69\x8b\xe7\x6e\xef\xab\xbe\xac\xd5\x9f\x63\x1c\xc1\x04\xf0\x42\x26\x3e\x3e\x29\x62\x59\x79\x69\x72\x1a\x6c\x02\x2a\xba\x14\x11\x2e\x2f\x38\x02\xba\x63\x53\x91\xcd\x1f\x94\x32\x35\x25\xc8\x16\xef\xa9\xe8\x65\x52\x39\x9e\x79\x66\x5f\xf5\x54\xf5\x86\x75\x4f\x72\xd5\x3a\x0d\x94\x75\xc6\x55\x94\x8b\xd1\x3e\xc9\x3d\xd8\xcc\x43\xe5\xb8\x13\xeb\xfe\xa4\xab\xcd\x78\x0e\xed\xb6\x82\xac\x4f\x66\xe1\x68\x47\xf7\x82\x1f\xdc\x40\xda\x07\x3f\x7f\xc5\x9f\xe5\x7c\xa6\xad\x5f\x4d\xdd\x8a\x41\xe8\xaa\xdf\x3e\x21\x78\xcf\x42\x95\xc8\x59\x99\xe2\xc2\xd8\x24\xa0\x8e\xbb\x9a\x9b\x09\xe2\xef\xbf\x9b\x8d\x03\x73\x09\x1e\xa6\x1e\xc6\xaf\x17\xdf\x1e\x71\xac\xeb\x40\x3a\x41\xd3\xba\xfe\xfc\x56\xdc\xff\x18\x60\x23\xe9\xf2\x89\xe6\x1b\x74\x69\x04\xb3\xce\x34\x86\x9b\x53\x27\xc9\x24\xa2\x73\x36\xb2\x16\xd2\x20\x6e\xeb\xa9\xb1\xdf\xdc\xe0\x22\xe3\xa1\x3a\x26\x17\x38\x7f\xb3\xff\x5a\x1d\x0f\x38\xfb\xb9\x06\x3b\xcb\x69\xb5\xe3\x3e\xe4\x57\xef\xe0\x51\xdf\x45\x34\x62\xb7\x18\xd7\xd5\xe7\x80\x31\x04\x71\xa7\x3d\x99\xe2\xeb\x1e\x23\x23\x6c\x74\xb9\x37\x7c\x3e\x0e\xbb\x93\xea\x7a\x6a\x7b\x32\x2c\x42\x59\x10\x20\x9f\x89\x18\x41\xd6\x5c\xb8\xdb\x3b\x2b\x0d\x51\xd2\x7c\xde\x0c\xa1\x85\xbd\x3b\xf1\xf4\x02\xff\x10\xfc\x61\x1b\x93\xfa\x6f\x94\xeb\xf6\x07\x9a\xc6\xd5\xf3\x0
f\xf8\x66\xa4\xdb\xf3\x07\x29\xfc\x3c\xd0\x03\xed\x9e\xee\x6e\x1c\x92\x31\x9a\x8c\x62\x69\xe1\xa7\xdb\xa0\x49\x1d\x27\xb3\x26\x38\x8b\xc3\x2d\x58\xbf\x68\x5e\xc4\x29\xa8\xca\x7a\x12\xb6\x60\x18\x23\x08\x71\x0b\x5a\xa6\x1d\xce\x0a\x14\x3f\xad\x3b\xbc\x1a\x81\xa8\xf8\x14\xee\x37\xb4\x34\xc7\xd7\x29\x33\x1c\xe7\xf7\x2d\xdf\x31\xdc\xa7\x19\xbd\xfa\x04\xc0\x3a\xec\xeb\x4c\x64\x0c\x1c\xdd\xd0\xf0\x11\x37\xbd\x6e\x2f\x7a\xef\xb5\x1b\x02\x10\xb8\xcd\xb2\xcc\xb0\xf5\xd7\x45\x8d\x05\x71\x92\x76\x75\xf1\xbe\xdb\x36\xd0\xbf\x30\xac\x68\xdb\x43\x8f\xfb\xa7\x4a\xca\x62\x37\x25\xf2\x75\x22\x70\x1b\xb6\xc5\xca\x41\x4d\x23\x91\xcd\x53\x3a\x82\xc0\x66\x72\x4c\x6d\x3f\xd6\x8f\xe4\x2a\x83\x4d\xcc\xf5\xbf\x70\x34\x74\x29\xad\x8e\x38\x22\x15\xf7\x2f\xad\x93\x6e\xf9\x49\xbf\x64\xda\xd1\x25\x77\xea\xd0\xdc\x6c\xf2\x71\xbe\x7c\xa8\xe0\xba\xab\xb4\x39\x7f\xf0\x63\xf3\xae\x8e\x74\x12\x10\xc6\xa3\xab\x3b\x44\x2b\xa8\xfb\x16\xf2\x28\xc5\xda\xfe\xb1\xb4\x40\x82\x7d\xef\xbc\x48\xf5\xcb\xce\xb2\x74\x07\x55\xc9\x85\xd0\x60\xe8\x2c\x86\xc7\x32\xbb\xd5\x60\x88\x35\x91\xa1\xac\x05\x82\x99\xf1\x7f\x2e\x2a\x12\x85\x60\x28\x0b\xa0\x89\xe8\x4c\x34\x65\x45\x2a\x65\x07\xa6\x3f\x88\x49\x44\xa8\x3a\x21\xd2\x6c\x8e\x49\x8f\xf5\xdb\xd4\x89\xc6\x9c\xa7\x85\x32\x49\x01\x8e\x9d\x03\x52\x0b\x23\xf4\x7b\x29\x7b\x85\x26\x32\x2b\x1f\x6b\xd5\x4d\x06\x0c\xce\xa3\x01\xcc\x8a\x3a\x15\xda\x2d\x39\xb6\x4e\xa4\xdd\xb0\x3c\x7b\x6c\xba\x60\x5e\x8d\xd4\x86\xd1\x2d\x8f\x0c\x6c\xd9\xfb\x47\x81\x61\x12\xba\xa0\xa7\xae\x0e\xba\x4f\x0f\x89\xb2\x14\x32\x03\xa1\x19\xa6\xbb\x85\x45\xc1\xba\x66\x78\x84\x95\xf4\xe7\xda\xd9\x6d\xf8\x11\x9b\x1c\x11\xd7\xff\xb0\x71\x07\xc0\xc0\x35\xa8\x06\x97\xa8\xed\x78\x0d\x9c\x55\x61\x92\x93\x85\x08\x5f\x0a\xa7\xbc\x74\x8f\x2b\x5e\x23\x4e\x21\x0c\xe7\x77\x22\xc5\x4e\x80\xb8\x86\xc0\xd6\x14\x65\x8f\xfa\x23\x40\x8c\xac\xa9\xcf\x01\x38\x69\xef\x66\x29\xf8\x46\x16\x40\xda\xea\x86\x9a\xd4\xc3\x65\x53\x0d\xe5\x27\x81\x5c\xaf\xee\x31\x4f\x8c\xa7\xb9\x87\x95\x22\xc4\x26\x29\xe3\xe7\x12\x96\xe5\xf6\x0a\x84\xdb\x3
9\xd5\xc9\x00\x00\x16\xea\x33\xf4\x81\xd8\x0c\xcb\x80\xf0\x85\xd5\xed\x3f\x70\x0b\xad\xc3\xb4\xb7\xd8\x0d\xd8\xa7\x78\xf0\x38\x17\xa1\x0d\x67\x89\x2d\x36\x87\x0a\x98\xbd\xc7\x0c\xfd\xa4\x83\x4c\x78\x15\x42\x1f\xc9\x72\x74\x01\xbd\x4f\x81\x11\xbb\xba\x76\x86\x02\x4b\x42\x72\xf5\xa6\x8a\x66\x51\x94\xaf\xc4\xf1\xa9\xf8\x57\xaf\x27\x0e\x30\x22\xc1\x8d\xfc\x18\xf6\x7b\x39\x77\xe6\x41\xc6\x25\x8f\x00\xc1\x43\x0e\xa7\x95\x78\xf4\xdc\x82\xa0\xba\xb5\x21\x40\xdf\x4b\xe0\xad\xb3\x29\x19\x5a\x29\x7d\xf0\xbe\x6e\x12\x34\x97\x70\xb4\x47\x7a\x44\x65\xa8\x14\x39\xf2\x2b\x6b\xdc\x67\x7a\xb8\x6d\x4e\xdb\xbd\xfc\x7d\xb3\xcf\x06\xd4\xa9\x4d\x33\xc6\xc1\x1f\xa1\x63\xfe\xfb\x1a\x87\xa9\xb5\x2c\x1c\xc4\x09\xeb\xed\xe7\x26\x3c\x88\x97\x5e\xdb\x23\x7f\xa0\x1b\x58\x3f\x79\xfc\x7a\x4f\x8e\x8a\xc8\x9a\xf7\x93\x08\xd9\x9b\x47\x3c\xf3\x3f\x33\x44\xa4\xe5\x52\x3f\x3e\x35\xd3\x88\xd1\x8e\xe1\x18\x5c\xaa\x19\x18\xd2\x3a\xae\x41\x93\xae\xdf\xe1\x25\x04\x2e\x16\xd5\x71\x86\x52\x61\xdd\x63\xbf\x0c\x9d\xd8\x48\x5f\xa6\x4e\x24\x10\xa2\x6a\x43\x6c\x83\xc9\xe3\x45\x56\xf3\x7c\x1d\x69\xd2\xfd\x57\x42\x78\xc4\xb2\xc8\xba\xf3\x83\x4e\xe2\xe0\xf3\x64\xb5\x4c\x36\x78\x0f\x28\xa8\xeb\xe5\x6e\x1d\x9e\x1c\xbd\xfd\x77\x3c\xe8\xaa\xcd\xef\xda\x09\xf4\x0d\xff\xd8\x47\xaa\xdf\x67\xc4\x44\x71\x00\x8c\xee\x07\x76\xfb\x06\x89\x54\x30\x8f\x16\x20\x3d\x01\x7b\x29\x0c\xd1\xad\x9e\x4c\xdc\x49\xf3\x26\x35\x28\x07\x56\x0d\xdd\xa4\x90\xc0\x5c\x6d\x5e\x04\xf1\x94\x00\x83\xaa\xba\x83\xe0\x29\x37\x0f\xd7\x6e\x77\x57\xc7\x3c\x05\x43\xdd\xff\x26\xc3\xa3\x07\x62\xe2\xc9\xc5\x56\xaa\x28\x2c\x7f\x46\xf3\xdd\x8e\x20\x01\x68\x05\x3a\x03\x17\x4c\x56\x69\xdc\x43\x90\x0a\x39\x41\x7c\x9d\xff\x8e\xd3\xf1\x0e\xb0\x7c\x47\x0a\x52\x2e\xc8\x20\x71\x2f\xf8\x82\x59\xcf\x7f\x5e\xe5\x2c\xf4\xee\x69\x0b\xca\xbd\x88\x76\x3f\x66\x32\x9f\x37\x25\xa4\x36\xca\x19\x38\xd4\xda\x48\xde\xdf\xfe\xa8\x2d\xc5\x4a\x2a\x0a\x5c\xfb\x64\xc3\xe2\x78\xf4\x1b\x93\x3c\xef\xeb\x02\xf9\x82\x53\x2e\x98\x67\x72\x41\xd7\xec\x2f\x8d\x14\x27\xda\x17\x11\x91\x9d\x67\x2e\x95\x1
b\x6d\x1c\xd8\xf2\xc0\x20\x3f\xed\xd5\x21\xf7\x5a\x22\x9d\x99\x67\x13\x35\x81\x36\xd8\xb4\xeb\x79\x71\x34\xfe\xc8\x74\xe3\xd3\x8a\x01\xcb\x82\xa8\x7c\x8c\x21\x1e\x64\x29\xef\xe6\x77\x17\x3a\xab\x0a\x0f\xb9\xf5\x58\xf4\xb0\x6f\x77\x05\xbc\xd1\x77\xec\x1d\xd8\x0d\x04\x45\xb5\x44\x8e\x7d\xc2\x94\x53\x8a\xae\xcc\x59\x61\x0d\xbe\x6f\x2b\x3b\x16\xb2\x75\xc1\x8d\x33\xa7\x8f\x0c\x1d\xcb\xb0\x7e\x13\x76\x28\xb6\x22\xf8\x85\xae\xe8\x0b\x82\x68\x4c\xdd\x5f\xde\x5a\x29\xaa\xdf\x63\xd8\x5e\x95\x15\x96\x49\xad\xce\x0f\x9e\x57\xb5\x3b\x82\xc7\x5b\x87\xa1\x27\x47\xef\x0f\x84\xbe\x50\x69\x3c\xca\xe7\x98\xe3\x8a\xaf\x05\x06\x66\x16\x3e\x6b\xed\x48\xf5\xf1\xba\xf4\x9a\xde\xa2\x12\x23\xbf\xb0\x89\x19\x98\x98\xdc\xd2\xe9\x1b\x70\x8b\xd6\x2b\x61\xf1\x38\xcc\x48\xbe\xd8\x8b\x77\x2d\x14\xbc\xc5\x39\x68\xaa\x32\xfa\x3f\x11\x45\x84\x75\x2d\xb5\x32\x78\xb2\x5f\x36\x7d\x52\xc2\x07\xec\x54\x59\x66\x83\x82\xaa\xc7\xeb\xfd\xf3\xa2\x07\x5c\xef\x67\x9b\xd7\x7e\xc1\x7a\x11\x43\xde\x08\x47\x20\x08\x54\x86\x68\x5a\xc8\x69\x73\x3b\xc0\x7d\x74\x24\x6f\xbf\x8a\xbb\x36\x62\xbe\x75\x0d\xdd\xd3\xb1\x3e\xcb\x2d\x91\x35\xf5\xc6\x8d\x1f\xdd\xe5\x49\xd9\xc2\x09\x1d\x96\xaa\x35\xf8\x43\x36\xb4\x21\x51\x31\xf3\x64\x76\xec\x84\x8d\x53\x3d\x7d\xca\x1e\x0a\xa4\x1e\xef\xb8\x80\x60\x52\xa8\xcd\xd5\x38\xb7\x55\x70\x7f\x93\xe0\x48\xd7\x71\x50\x5b\x88\x90\xd8\xf6\x80\xb8\x80\xcc\xb8\xee\x29\x49\xe3\x5a\x63\xee\x48\xe7\xb4\x67\x12\x8b\x65\xff\xe6\x06\xce\xd2\x8a\x3b\xc3\x17\x2b\xd0\x9f\x2b\x58\xef\x63\x22\xa3\xfa\x31\xe0\xfa\xb3\x7a\x3a\xfe\x72\x9a\xd4\x3d\x5c\xd0\x2b\x42\xbe\x4d\x8e\x60\x2b\x99\x51\x6d\xbd\xbd\x81\x2e\x1b\xec\xae\xba\x14\xb2\xb2\xbf\xaf\x05\x55\x90\x02\x51\xe3\x1d\x83\x97\x98\x14\x1b\x32\xab\xdc\x55\x8b\x3b\xf3\x0e\xdc\x11\x45\xf5\x41\x79\x85\x07\xda\x32\x9c\x5a\xcc\x1f\xf5\x6d\x4f\xd5\xf6\xe1\x8c\x02\x08\x12\x22\xc6\x98\xb3\xd0\xf2\xb1\x95\x39\xa7\xc2\xc9\x1f\x78\xb1\xbe\x76\x48\x19\x91\xe2\x41\xd2\xae\x88\x9d\x4c\xb1\x33\xf9\x0f\x77\xd9\x22\xd9\x84\xb5\xa5\xd1\xb2\xaa\x03\x8f\xb0\x01\xf0\xba\xc8\x8c\x1
4\xa3\x6f\x62\x29\x6a\xb3\x24\xd5\x2b\x57\x54\xd4\xe8\x42\x88\x9d\xa6\x54\x14\x3b\x4b\xd7\x19\xf0\x82\xcb\xcf\xa2\xec\x90\x31\xb9\xb4\xb8\xbb\x8e\xf4\x6b\xc3\xff\xa5\x2d\x35\x38\x5b\xf2\x7e\x3c\xcd\x86\x10\x84\x81\xff\x66\x40\xe8\xb0\xe3\x09\xd2\x8b\x14\x94\x20\xf9\x5e\xb9\xaf\xa0\xf6\xe1\x88\xb7\x00\x5f\x42\x12\x25\x38\x5b\xde\xa3\x82\x5a\xd5\xfb\xfc\x6d\x9f\x29\x97\x47\x6b\xc3\x6e\x5d\xfe\x4b\x68\x6d\x1a\x2d\x40\x25\x16\xd4\xee\xe9\x90\xe1\xea\x6a\x23\x48\x38\x10\x3f\x42\xd7\x05\xab\xf3\x78\x35\x67\x3c\xa7\x86\x75\xb5\x35\x4c\x2a\x99\x13\x0e\x2b\x7a\x64\xee\x26\xa2\xad\x6c\x1c\xd2\xde\x64\xed\x59\x12\xeb\x77\x08\xdb\x3a\xfb\xb4\xa6\x83\x10\x9b\x10\x57\x29\x8f\x35\x6e\x4c\xf4\xfa\xb2\x00\xca\xf7\x40\x3c\x71\x9a\xa8\x1a\xb0\x1d\x3d\x7f\x91\x55\x07\x3f\x56\x49\x5e\x51\x16\x19\x6e\x9a\x9d\xe8\x2f\x10\xa5\xc0\x8d\xfb\x2f\x91\x54\x94\xdf\x7a\x07\x00\xef\xb7\x22\xd3\x41\x6a\x5d\x32\xbc\x02\x29\x71\x11\x65\x08\x47\xde\xe6\x76\xd2\x68\x77\x2d\xec\x41\x3d\xa3\xa1\x32\x09\x89\xc1\xbe\x0d\x5c\x9c\x1b\x6f\xc4\xf7\x0f\xbd\xad\x88\x8a\xbb\x0b\xe8\xf1\x16\xf0\xd7\xa6\xf3\xab\xaf\x63\x6b\xb6\xb6\x92\x22\xda\xf4\xcc\xbd\x6d\x07\x29\x3d\xef\x59\xcd\x5e\xc9\x08\x45\x4d\x07\x94\x95\xf2\x7b\xfa\xf9\xe4\x5f\xb2\xc9\x99\x64\xe6\xb2\xfb\xa0\x3a\xf0\x38\x2d\x5b\x60\xad\xeb\xbb\x28\xfb\x8f\x8f\x8e\xfd\xd8\xda\x65\xea\xc2\x93\x77\xcf\x07\xc6\x2e\x1b\xf1\x0f\x61\xfa\x91\x2e\x62\x71\xf2\xcb\x95\x09\xa7\x63\x1b\x7a\xbe\xc3\x39\x6b\xeb\xce\x10\xbc\x79\xe2\xc4\x99\x56\xd1\x27\xf9\xd0\x1b\x73\x58\x45\x40\xcb\x6c\x0b\x52\xa7\x09\xe3\xaf\x1d\x00\xc8\x4f\x6d\x22\xfb\x19\x5d\xd8\x82\x3a\xa3\x36\xaf\xea\x89\x8e\xd8\x7a\xda\x2b\x22\xd1\xb8\xec\x50\x8c\xf6\x98\x6e\x93\x45\x92\x65\xed\x7c\x25\x87\x32\xc2\x91\xca\x41\xe7\x87\x6f\x1b\x43\x8b\x17\xd3\x6c\x24\xa0\x2f\x20\x0f\xee\xee\x18\xac\xe8\xdc\x4a\xad\x51\xa4\x2b\xb9\x81\x5d\x82\xc2\xa9\xa3\x7f\x77\x5c\xd6\x12\xe0\x84\x22\x69\x42\xea\x0d\xc6\xf5\xd8\x92\x33\x49\xbb\xbe\xdc\x2a\x45\xcf\xcf\xdd\xed\xa2\xd5\x2d\x14\xf2\xff\x83\x29\xaa\xc0\x1d\x2e\xc3\xc3\x7
f\x23\xc5\xc9\x0d\x02\x62\x80\x23\x8c\xe0\x9e\x00\xec\xa9\xf6\xc3\x0b\xda\xa5\xdc\x91\xf4\x34\x2f\x8a\xf6\xa3\xec\x13\x39\xc4\x7d\xca\xe8\xf9\x36\x0c\x32\x50\x2b\xfa\x86\xe1\xff\xc5\x82\xd5\x88\x8f\x29\xca\xc3\x9e\xf9\x0a\x31\x50\x11\x1f\x66\x11\x99\xfa\xf7\xe2\x41\x3b\x57\xbb\x9a\x72\xaa\xa2\xd5\xfa\xe3\x2b\x46\x28\x84\xa9\x28\xd8\x3c\xea\x60\x55\x70\x25\xc5\xde\x01\x80\x44\x34\x5f\xb0\x83\xde\xf4\x9b\xc3\x83\x31\x98\x94\xda\xd2\x8b\x53\x39\xcb\xad\xb6\x03\x8d\xc8\x47\x9f\x7e\x4b\x2f\x01\xc1\xce\xd3\xff\x85\x42\x05\xbe\x93\x88\x48\x85\xb1\x29\x87\x8b\xdb\xb1\x8c\xaa\x68\xc3\x09\x40\x71\x9a\x40\x8a\x03\xfc\x61\xeb\xea\x87\xd9\xd3\xef\x21\x62\x59\x45\x89\x65\x44\x75\xc2\xc3\x7e\xaa\x87\x37\x33\x8a\xcc\x18\xb3\x41\xa3\x51\xec\x39\xaa\x94\xcb\xa1\x71\x09\x6f\xd7\xfb\x83\x2e\x30\x31\xf4\xd8\x2f\xf2\x32\x8a\xa1\x89\x62\x3c\xd9\x3f\xce\x6f\x45\x25\xc2\xdd\x01\x3d\xc9\xc7\xb4\xd1\x9a\xdd\x3b\xf9\xc3\x34\x88\x6e\x9d\x1c\xb4\xdf\x99\x7d\x99\x56\x3a\x57\xb6\x6d\x83\x21\xd4\x21\x52\xf7\x21\x70\x5d\x6c\x48\x46\x18\xad\x33\xcb\x46\xb5\xc1\xa4\x1c\xcd\x39\x7e\xde\x50\x43\x2d\xc9\xd4\x1a\xa8\xb2\xfb\x37\x5a\xf7\x5d\x33\x23\x56\xd7\xdf\x3d\x5d\x43\x9f\xde\xbc\xf8\xe2\x5b\x22\x49\x3c\x6f\xe1\x40\x01\x3e\x29\x52\x32\x18\x67\xd1\x29\x47\xb1\xf2\xdd\x27\x2a\x17\x36\x94\xa5\xfd\xdd\x88\x7f\xe1\xec\x96\xdf\x64\x67\x63\x0d\x14\x49\xd7\x23\xff\x02\x3e\xc1\x27\xb1\x2a\x24\x11\xa0\x96\xe3\x12\x9e\x84\x5d\x50\xb1\x46\x68\x36\x35\xd8\x05\xcf\x19\x67\x35\x82\x8c\x8a\x0a\x00\x40\x47\xa1\x9a\xcf\xcc\x41\xb6\x2f\xe0\xfb\xff\x91\x88\x1e\x76\x13\xbf\x7a\x73\x71\x95\xf1\x85\x8e\xd7\x19\x8d\xca\xca\x13\x21\x06\x19\xd7\xf7\x39\x8d\x81\x2d\xe4\x63\xf2\x21\xf0\xc2\x64\x87\x4a\xa3\xb3\x41\x6d\xcd\xfa\xed\x76\xbf\x25\x5d\x7a\x7a\x15\xd6\xac\xc9\x86\x4d\x1b\xd9\x00\x35\x4b\x3b\xf0\xdf\x70\xba\xe9\x32\xc4\xb8\x2e\x8a\xa6\x0d\x39\x5b\x93\x9c\xc6\x0f\x89\x64\xab\x75\x5b\xa5\x0b\x40\xa7\x13\xf6\x8d\x2e\x00\x1a\x2b\x5a\xbc\xfd\xbb\x82\x1a\x0a\x3a\x7a\x97\xcd\xcc\xc0\xb0\x5b\xca\x8f\x03\x3f\xbc\xd9\x54\x56\x9c\xb
7\xc3\x12\xd4\xcb\x9e\x69\x27\x56\x13\x30\x66\x79\x88\x25\x70\x72\x61\x18\xeb\x66\xb4\xb6\xf0\xd2\x36\xc3\x3e\x35\x65\x8e\xd8\x7f\x02\x8c\xa4\x3c\x55\xc2\x69\x68\x17\x9a\xed\x75\x49\xc8\xc2\xe9\x26\x72\xa4\x45\x10\x6d\x04\x29\x84\x69\x17\xc5\xfc\x60\x7f\xa2\x85\xdb\x9a\xa6\x12\x81\xc1\xc5\x24\xa7\x6b\x3d\x40\xde\x5d\xa9\xbc\x7a\xfb\xae\x9c\x03\x55\x5d\x05\x63\x83\xea\x7f\x5e\xac\xf5\xde\x95\x63\x8e\x11\x24\x2a\x42\x0c\x9a\xa3\x22\xc8\x08\xcf\x2a\x14\xab\x47\x9d\x81\x35\xe4\xff\x48\x7b\x21\x5c\x8c\xec\x44\xc7\x29\x0d\x34\x59\x10\x0b\x21\x96\xc5\x4e\x88\xca\x28\x41\xd8\xa6\x01\x1c\x6d\xb1\xb5\xc2\xfb\xc5\x13\x5d\xa6\x05\x3d\x89\x3d\x11\x6b\x9f\x23\xd5\xa0\xf7\x7f\x9f\x64\xc5\x0a\x04\x48\x55\x2f\xb3\xd4\x00\x2c\xcf\xb9\x5e\xd5\x4c\x37\xea\xe9\x31\x73\x7b\xf0\x2b\xcd\x22\x6b\x13\x3b\x9d\x27\xde\xbf\xae\x74\x87\x30\xa8\x7b\xe8\xdf\x5c\x31\xcd\xdf\x16\xc2\x6b\xc3\xf3\xb4\xdf\x7a\xbc\xbc\x52\xed\xad\xb7\xa7\xc2\x9e\x87\xdd\x5d\x63\x30\xb7\x61\x64\x9f\xc9\xf0\x98\xa7\xb6\xb6\x8c\xf5\xdc\xe7\x67\x66\x7e\x8b\x5a\x7c\xd4\xbb\x22\xd1\xc9\x22\x9c\x45\x51\x69\xd7\x2e\xdd\x3b\xae\x9c\x25\x1c\x07\x88\x96\x8f\x1d\x13\xaf\x8e\x47\xba\x32\x92\x3c\x66\x14\xc4\x4d\x51\x96\xfa\x80\x57\x61\xdb\xa5\x9a\x39\xb8\x93\xbf\x09\x73\xda\xbb\x97\x6e\xdf\x63\xf3\xcb\x54\x73\x2d\x43\xb9\x0e\xe7\xab\x03\x74\xe1\x0f\xd7\x22\xd5\xc3\x61\xa4\x10\x89\x31\xe8\xee\x3f\xa1\x90\x79\x3f\x90\x1b\x18\xff\x7b\x5e\xd8\xc1\x62\xb3\x7f\xfc\xb3\x9c\x6c\x0c\x08\x4c\x9c\x76\xb3\x96\x4e\x31\x35\x1f\x51\x12\xac\xcf\xe1\x6c\x62\x68\x58\x0c\xe0\xb4\x4c\xd4\xc3\x3f\x29\x21\x71\xdf\x6a\xf3\x59\x14\x22\x5c\x8b\x1a\xff\x19\x85\xce\xa0\xea\x73\x49\xa4\x3a\x51\x0d\x5f\xbf\x18\x81\xa0\x32\xf9\x6b\x1f\x58\xf4\xfa\x94\xdb\xcd\xf9\x8f\x6b\x11\x3a\x2f\x85\x1e\x76\xd4\xf1\xcf\x06\x86\xe3\xb4\x40\x57\xc3\x63\xc8\x49\xc5\x70\x06\x59\xd7\xe5\xa1\xc2\xb3\xcc\xfd\x5a\xaa\x88\x9c\x2f\x99\xa9\xb1\xc8\x31\x9c\x3c\xd3\x48\xbe\x29\xb2\xe9\xbf\xef\xbc\x28\xcb\x77\x47\x29\x95\x8c\x12\xc9\xdf\xa7\x4b\x89\x3a\x07\x74\x5a\xed\x2e\x51\x44\x72\x3c\x8
f\xc0\x50\x68\x52\xf1\x7e\x6a\x4a\x8f\x59\x9d\x2c\x4a\x1d\x7c\x0b\xa9\xd7\x7d\xb8\x41\x6e\xb1\x09\x32\xcd\xc7\x49\xcf\xa9\x98\x90\xee\x80\x17\xc0\x66\x40\x84\xf8\x64\x89\xc9\x75\x25\x52\x52\xc3\x87\x6f\x8d\xcd\x98\xc0\x0b\x73\x61\x1c\xe2\x73\x4e\x1f\xe0\xee\x5c\x0a\x0a\xbb\x0c\x50\x00\x40\x44\xf9\x3a\xd2\xff\x01\x09\xbc\xb1\x9a\x3a\x20\xf1\x86\xd6\x8e\x38\x7d\x34\xa5\xb5\x78\xc4\x25\x3c\xd9\x67\x26\x14\x80\x3b\xf9\x67\x26\xe8\xab\x00\x14\x6d\x2f\xe2\x66\xe6\x2e\x48\x65\xf5\xe7\xfe\x31\xd4\x14\x97\xe7\x19\x51\x22\xfc\xda\x82\x5f\xb4\xe9\xfc\xdd\x09\xb4\x21\xdd\xb6\xe9\x25\xa4\xd5\xcb\x7f\xf2\xfa\x56\xfe\x14\x97\xad\x65\x9c\xc5\xb6\xef\xd8\xf8\x83\x99\x8b\x74\x51\x17\x5f\x98\x27\x54\x7b\x84\x19\x5c\x25\xfc\x16\x31\x07\x2a\x55\xc1\x7e\x90\xa3\x27\x9a\x54\xa2\x96\x97\x31\x2b\xfe\xf3\xee\xfc\xba\x8d\x31\x14\x55\x6a\x54\x5d\x18\xab\x0d\xf7\x4d\xf2\x66\x85\x91\x51\x95\x9a\x1b\x05\x1f\x83\x22\xf7\x98\xcb\x45\xd5\xcb\xe5\x29\x1b\xdd\x71\xda\xd6\x65\xf6\x4d\xde\x69\x54\xef\x00\x71\x89\x18\xfe\x01\x72\x79\x63\x96\x46\x42\xd4\xc4\xa5\xbb\xa9\x30\x3f\x44\xfe\x97\xff\x99\xf0\x67\x48\xdc\x86\x3f\xf0\xcc\x17\xfc\x82\xb2\x9f\xbe\x0c\x71\x2c\x77\xed\x36\x69\x7f\x23\xb4\xa2\x2a\x9f\x24\x85\x22\xf9\x94\x6c\x3a\xbc\xd3\x2e\x16\x5f\xd6\x6f\xdb\xc7\xb4\xa0\xdf\x71\xa8\xd2\x57\x1f\x32\xda\x4a\xda\x51\xc1\x4c\xa0\x86\x30\x1d\x6e\xd0\x20\x06\xc6\xa3\x8c\xe4\xe7\x67\x1f\x3d\x08\x62\xa4\xe3\xc2\x2b\x6a\xa7\xb7\xc0\x49\xa7\x76\x22\x87\x57\x05\x62\xe8\xb4\x52\xef\xc7\x87\x41\xe7\xc2\x82\x2a\xd0\xfd\x43\x5e\x76\xa8\x04\x4b\x05\xb3\x88\xaa\xfc\x4c\xf6\x15\x75\x76\x03\x98\x87\x23\x64\x46\x99\x61\xe8\x7d\x14\xd1\x79\x5e\xb6\x27\xfa\xed\xa1\x8f\x9c\x12\x28\xfc\x99\x4d\x58\x05\x08\xc9\x96\xd3\x66\x27\x99\xb7\x23\x7e\x59\x69\x10\xa7\xc5\xc7\xfa\xcd\x47\xfa\x30\x84\xda\x48\x48\x87\x67\xf6\x0c\xfe\x58\xec\x40\x14\x15\xac\x66\x03\x16\x23\x32\x0f\x9f\xda\x37\xc0\xaf\x9f\xe4\xcd\xa1\xb2\x89\x3d\x2d\xf0\xac\x82\x26\x01\x3a\x36\xca\x7b\x13\x66\x03\x2e\xa7\xb2\x5a\x55\x91\xbe\xbc\x8c\xe4\x89\x77\x7c\x0c\xba\x2
8\xd1\xf0\xca\xfe\xae\xea\x7d\x5b\x4d\x20\x09\x30\x9e\xeb\xc9\x13\x07\x81\x12\xbb\x12\x69\x20\xca\x6e\x5e\x2b\x22\x10\xce\x54\x10\xcc\xe4\x5f\xc4\x63\x74\x6c\xf1\x68\xf7\xee\x2b\x91\xc7\x97\xb3\x30\xe0\x46\x48\x22\xa6\x18\xe4\x57\xce\x39\xa0\x03\x67\xd9\xcd\x3d\x3f\x59\x38\xce\x36\xeb\x2a\x31\xa9\x0d\x04\x92\x58\xc8\x49\x95\x5e\x97\xf0\x80\x17\x26\x9b\x3e\x5f\x69\xe9\x12\x81\x95\x63\x8b\xc8\xc1\xfa\x73\x5e\x6e\xb2\x43\x5c\x95\x87\xf4\xf4\x36\xd9\xe6\x8a\x87\x97\xbb\x42\x10\x0d\x48\xe7\xb2\x61\x97\xc6\x5f\xb8\x90\x39\x61\x38\x2f\xb0\xfe\x22\x98\x60\x17\x30\x68\xd9\x42\x91\x10\x82\x3b\xc2\xff\x71\x7a\x71\x57\x05\x4c\x32\x6b\xda\xc3\xad\x35\x81\x77\xf9\xa4\x06\xd8\x94\xb8\x42\xd6\xd9\x1e\xdb\x35\x6b\x06\x28\x3b\x32\x9b\xca\x6e\x12\x29\x06\x55\xfe\xf2\x40\x29\xba\x1d\xaa\xf4\x5f\x17\xeb\xc8\x34\xd1\x2e\x35\xe3\x9f\x2e\x20\xe2\xc7\x36\x2a\xeb\x00\x31\xf4\x87\x7b\x63\x3b\xe1\xbe\xd3\x6f\x5d\x7b\xa2\x4d\x01\x48\xf8\x46\xa7\x86\xf3\x88\xe2\xab\x79\x66\x2d\x55\x9b\x86\x1a\x36\xa4\xce\x60\xdc\xeb\x5f\xdb\x9f\x47\x93\x58\xfd\x84\xa5\xc7\xf1\x02\xf7\x5b\x81\x43\xd3\x62\x6f\xff\xa5\x46\x9c\x22\x07\x2a\x97\xd6\x3f\xf9\xe0\x66\x7c\x2f\x2d\xb4\x1c\xd0\x3e\x5d\x43\x91\x4b\xb5\x90\xbb\x1f\x11\xf4\xc3\x53\x3b\xcc\x47\xff\xc9\x9e\xed\xf6\x77\xc9\xd6\x46\xc6\x0f\x99\x39\x89\x15\x89\x1a\xb6\x71\x97\xdd\xbd\xc1\x1e\x03\xda\xf0\x31\x39\xce\xad\xaf\x99\x22\x68\x75\x16\x3f\x11\xc2\x90\x27\xf6\xec\x6e\xe6\x47\xc9\xbb\x1f\x76\x95\xf1\xf2\x91\x8a\x32\x85\xa1\x3e\xad\xb7\x3d\x3e\x94\xcb\x0d\xbf\x92\x73\xf7\x5e\x1a\x8b\x39\x1c\xc6\xe4\xc1\x4e\xd5\x68\x3c\x27\x56\xc7\xb3\x3d\x84\x35\x1e\x1c\xe0\xba\x7b\x02\xe2\x30\x5d\xe6\x5b\x29\x45\x6b\x5c\x55\x34\x46\x47\xc7\xb0\xb1\x6c\xd8\x36\xdb\xa2\x71\x1a\x4c\xc9\x77\x38\x26\x7c\x46\x2c\x85\xfa\xd6\x08\xa8\x16\x12\xd7\xf8\x9a\x7f\xe6\x63\xbd\x06\x43\x54\xa8\x0f\x8b\xe0\x16\x5d\xf5\xd9\xba\xe1\xc6\x9e\xa5\x69\x62\xb1\x11\x22\x0c\xdc\x13\x6a\xda\x90\xbb\x13\x15\xf8\x65\xca\xff\x1e\x25\x26\xac\xd2\xef\x4c\x36\xa7\x0f\x26\x60\x88\xd7\xd3\x48\xe5\x61\x13\x29\x7
1\x66\x8e\x91\xa8\x90\x04\x08\x5a\x5b\x09\x2f\x8e\x28\x42\x3d\x16\xb7\x49\xcd\xcb\xf9\x2a\x43\x65\xe4\x68\xdd\x67\xbe\x24\x1e\x5d\xea\x70\x5b\x60\x6b\x28\x09\x9a\x5d\x3d\x46\xa0\x76\x20\xfc\x4f\x73\x1e\x3d\x36\x05\xde\xbe\x68\x70\x42\xca\xc9\x37\x42\x73\x67\xc3\x5b\x54\x6a\xf2\xdf\xc0\x94\xa7\x21\xdc\x7f\xd1\x3d\xf6\x8e\x9a\x79\x9e\xcb\x10\x7c\x90\x8b\xac\x9f\x8c\x44\x30\xcc\x10\xc6\x29\x9c\x79\x4d\x02\x8d\x51\x6c\x3e\xf3\xf7\x7f\x9f\x64\x20\x16\x60\x94\x9b\x5e\xe2\x9a\x58\x94\xd7\x38\xfa\x4e\x4b\xcd\xda\x88\xfe\x12\xbc\xff\xe8\x5d\xa7\xb1\x0d\x02\xc8\x09\x22\xf3\x90\x71\x34\xfe\x64\x60\x55\x08\xb6\xcb\xe3\x5e\x97\xf1\x2f\x1b\xb1\x5f\xce\x6f\xac\x0b\x0b\xbe\xd6\x21\x83\xba\x88\xb8\x41\x3c\x69\x2c\x1d\x46\x53\x76\x14\x6a\x5a\xc6\x9e\x0f\x10\x45\x0f\x04\xc8\xb6\xf3\xc9\x0c\x58\xac\x33\x60\x4a\xa8\x11\xa9\xb7\x4e\xbb\xd0\x7b\x06\x84\xc5\x1a\x55\x30\x06\xda\x57\xf4\xdf\x29\xdf\x30\xa6\x46\x22\x26\x6b\x3e\xc0\x6c\x43\x5d\x65\x05\x21\xf3\xea\x72\x5a\x3c\x8c\x12\x8c\x73\xf0\xd3\x44\x7d\xd1\xa8\x5b\x10\xa0\x61\xe9\xac\x44\x69\xbd\x8e\xad\x5b\x59\xcc\x63\x9b\x81\x7e\x67\xd9\x0c\xcd\x77\x3e\x22\x4a\xeb\x67\xdd\x26\x36\x91\x74\x36\xb7\x64\x75\xd8\xe0\x25\x5c\xf7\xd1\x4f\x28\x36\xa5\x0d\x23\xfb\x11\xb3\x84\x35\x48\xb3\xa5\x2d\x8f\xa1\x0c\xa8\xc9\x7e\x1f\x0e\xd7\xa0\x0c\xfc\x80\x67\xa5\xb9\x9a\x41\xc0\x7d\x3c\xe0\xa0\x45\x6b\x84\x43\xbb\x5f\x09\x03\xdb\x5e\x7b\xc1\x6b\x0d\x0d\x4f\x32\x1a\x57\x57\x2d\x33\x68\xd9\x7a\xb7\x70\x58\x30\xd2\x3f\xf7\x8a\xc8\xd6\x94\x02\xc9\x20\xf7\xfb\x91\xd6\xef\xc1\x6c\xe4\x39\x93\xa1\xa6\x8e\xb8\xed\xa0\x8d\x7c\xc5\x5f\xca\x85\x49\xf4\x08\x39\xac\x8e\x5e\x26\x3e\x8f\xcd\xdb\x10\xdd\x20\xfb\xed\xd9\x49\xc8\xd3\xc1\xe1\x86\xe9\xfd\xd5\xaa\x27\x65\xa1\xef\x54\xf9\xe8\xb2\xa7\xa0\xb3\x8f\x1c\x8f\x8d\xaf\xe5\xfc\xef\x0f\xf0\x31\x69\x21\xdb\xaa\xb2\x7f\x6b\x2e\x09\xe4\x9d\x0a\x56\xc9\xad\xe5\xd8\xcb\x65\x86\x99\xba\xa9\x84\x54\x3f\xde\x4e\x72\x0e\x02\xe5\x50\x3e\x83\x5c\x7a\x63\xef\xfe\xe3\xdf\xa5\x8e\x4c\xcd\xbe\x19\x43\xb5\x92\x1b\x58\xfd\x0e\xd6\x64\xe
f\x73\xdf\x89\x23\x18\xe1\x07\x03\x23\x48\x59\xb5\x65\xd1\x7d\xe8\xc9\x25\x19\x8b\x44\x81\x59\xc8\xe8\xd7\x3c\x8b\x1e\x5e\xb6\x87\x05\xe5\x82\xd5\x12\x8f\x20\x7b\x54\x6f\x81\x22\xe0\x4e\x37\xbc\xc9\xd1\xca\x9b\x2c\x7a\xe5\x1d\x45\x42\x44\x8b\x36\xd6\xff\x16\xd9\x98\xee\xce\x9f\x07\xbe\x34\x1d\x1d\x8f\x98\x9f\x23\x44\x60\x40\xa4\x99\x72\x72\xc9\x9d\x45\x34\x83\x72\xfc\x49\xb7\x0f\xb5\xe0\xfa\xca\x97\x51\x84\xc6\x02\x59\x95\xf6\xaa\x49\xf1\xb2\x93\xdf\x66\xd5\x1d\x75\x3d\x9c\x77\x75\x57\x6d\x0e\x77\x01\x34\xd3\xa4\xfb\xd5\x3c\x99\xb0\xa7\xb6\xaf\xe7\x33\x7f\x73\x24\x81\x63\x23\x9a\x71\x4d\xfe\xb2\x85\xb0\xb4\x9e\xf6\x02\xd6\x2a\xd6\x93\x5a\x83\xc8\x3b\xc8\x14\xbd\x40\x7b\x1f\xf5\x22\x82\x92\xf9\xbf\xbb\xd0\x71\xc8\x1d\xc9\x59\x1a\x05\xc9\x50\x7b\xff\x87\xc9\xe5\x27\xb8\xf1\x4e\x8e\xe1\x3d\x18\x7e\xb8\x67\xdc\x2c\x95\xdd\x90\x3c\x37\x69\x2d\x03\xe7\xb0\x09\x85\xfb\xc1\x13\x13\x07\x8d\xec\x7f\xf6\x9f\x2e\x01\xa8\x34\x23\x99\x40\x0f\x98\xcc\x66\x83\x3d\x9c\x85\xff\x7f\x10\xcb\xef\x73\x32\x13\xcd\xae\x61\x54\x5f\x39\xe8\x5c\x59\x30\x2b\x56\x0a\x72\xd0\x43\x7b\x26\x6c\xba\xe1\x6f\xad\x4a\x00\x0d\xde\xa1\x99\x49\x40\x8c\x74\x77\xfc\xb9\x48\x91\x53\x23\xeb\xb7\x9a\x55\xc7\x69\xcc\xb1\x8e\x2f\x55\x2a\xb7\x63\xba\x65\x30\x2a\xe7\xbc\x47\x6e\x36\x25\xeb\x88\xa7\xa6\x69\x8c\xec\xcf\xac\x22\x90\x0c\xa3\xc4\x4d\xec\x88\x66\xb2\xa1\x14\xc0\x83\x1c\xf6\x53\xd4\xc1\xfb\xa9\xa7\x78\x5a\x1c\xaa\x2b\x97\x34\x33\x84\x22\x6b\x1a\xce\xd9\x3d\xa7\x1d\x30\xb6\x65\x06\x45\xbc\x11\x3a\xc6\x2d\x32\xd2\x03\x2d\xdb\x65\x62\x6e\xe8\x6c\x3b\x9d\xfb\xbd\x8d\x0c\xae\xea\x74\x53\xdb\xea\x30\x4e\x34\xd3\xf8\x05\x22\xcd\x31\x7b\x49\xbc\xab\xb8\x69\x33\x1c\x7c\x32\x18\x52\x10\x04\x30\x42\x3b\xcb\x1e\xc1\x5c\x50\xc1\x9b\x76\x6a\x7c\xe4\x71\xd5\x1b\x01\x04\x1b\x68\x5a\x29\xc4\xbf\xdb\x55\x2c\x86\x6d\x58\x3b\x7c\x3c\x7f\xd5\x6c\xfc\x73\x72\x5d\xf7\x84\xe4\xd9\x02\x81\x56\x7f\xe8\xc3\x8d\x86\x6b\x06\xef\x13\xbb\x30\xfd\x23\x90\x6e\x66\x2c\xf9\xd5\x11\x3d\x7b\x52\xb0\x14\xb4\xae\xb3\xa1\x83\x52\x4b\x49\x7b\xe
9\x22\x0a\xe1\xe0\xb2\xf7\x67\x4d\x27\x99\x42\x94\x1b\xbd\x81\xed\x59\x5a\x93\xc2\x34\x13\x99\xb6\xac\x36\xff\x86\x9f\x89\x4c\xae\x29\x13\x08\xb2\x12\x84\xd3\x98\xb5\xfa\x6a\xc7\x6b\x9d\x59\xf0\x3e\x48\xc2\x75\xf4\xf2\x0c\xe0\xa5\x05\x9d\xe6\x9c\xa9\xec\x99\x9d\x73\x20\x2d\xef\x66\x6b\x37\xb3\xa9\x6a\x95\xb1\x2c\x74\x33\x10\x38\xfa\xca\xca\xb1\x88\xda\x87\x8a\x86\x0e\x1b\x39\x9d\x6b\x3b\xd3\xc1\x36\xe0\xa5\xe9\x96\x3c\x16\x91\x88\x9f\x0d\x40\x0f\x34\xdc\xc5\x1e\xf1\x00\x2e\xbf\xee\x28\x14\x60\x5a\x4d\x10\x67\xed\x73\x96\xc1\x15\xe3\xa9\x4f\x15\x1c\x8e\x4a\xa2\x93\x0f\xd8\xbc\x53\x4d\x57\x9d\x5d\x88\x43\xbd\x20\x29\x05\x6f\xc5\x58\xb9\x86\x94\x08\xb9\x95\x1f\x75\x67\x24\x33\xea\xd1\x9e\x10\x9c\xd1\x83\x08\xf1\xc9\xd6\xf9\xcc\xbc\x9f\x76\x79\x93\xb5\x9e\xa2\xb5\x04\x68\x64\xf5\xe0\xc3\xbd\xe4\x2e\x79\x32\xc5\x6b\x9f\xb2\x52\x89\xe1\x6a\xb3\xbe\xbb\x69\x25\x47\xde\x1a\x4d\xbe\x11\x9a\xb2\xbd\x71\xe4\x71\xcb\xdf\x6c\x6e\x85\x19\xac\xa7\x7c\x2c\xbb\x82\x73\x34\x3c\x1b\xed\x23\x92\x2e\x55\x7f\x87\xb4\x08\xd8\x7a\xf7\x88\x96\xed\x30\xf0\xa6\x17\x8a\xd9\x8a\x34\xde\xd6\x14\x84\x43\xfd\xdf\x4a\x5c\x00\xa8\x1a\xe9\xdf\x21\x59\xfd\x65\x8c\x85\x9f\xb6\xb2\x74\x98\x8c\x84\x8f\x99\x3e\x76\x1c\x26\x3e\x90\xd7\xdb\x8f\x66\x2c\x87\x6b\x7a\x61\xff\x2d\x93\x8b\xa7\xfe\xd4\xcb\x5c\xd8\xee\x51\x48\x70\xb5\x05\x20\xe7\x33\xf2\x1c\xdc\x3b\xd7\xed\x41\xd2\x97\xb9\x6d\xfe\xff\x37\x9d\x37\xe6\x07\x1b\xb1\xac\x84\xfe\xff\xab\x2c\xdd\x98\x5f\xea\x2f\xe6\xc4\x6e\x6b\x75\x69\xc8\xc2\x45\x45\x91\x79\x5c\xcc\x56\x51\x1d\x85\x3f\xd2\xa0\x1a\x1e\xb0\xce\x25\x05\xab\x65\x78\x2b\x78\x36\xba\x67\x84\x45\x05\xaa\xbc\xb5\xdc\x63\x72\xa3\x13\xfe\x7a\xcc\x7f\x48\xb0\xd2\xbe\xf7\x94\x03\xc2\x83\x7d\x88\xe5\x2f\xe9\x26\xad\x16\xd5\x1b\xe7\xe8\xc6\x2a\x59\x55\xa6\x1e\x85\x27\x08\x39\xf3\x6e\xee\x94\x63\x70\x92\x7e\xb1\x98\x41\x30\x16\x77\xe8\x37\xab\xac\x18\xd7\x09\xbc\x84\xdd\xa6\x0b\x12\x10\x7a\x23\xeb\x73\x35\x43\xff\x32\xcc\xe5\x24\x8d\x0f\x46\x19\x21\x29\x52\x91\x83\x7c\x15\x0a\x4c\x1d\x48\x9d\x31\xc5\xb
f\x5b\xfc\x2d\xa1\x42\x7e\x1e\xce\x74\xae\xa7\x05\x3f\x1f\xed\xa6\x4f\x09\x9f\xc4\x47\xa7\x90\x8c\xe4\x4b\x13\x46\x15\x49\xf2\x3e\xf1\x8c\x1d\x81\x07\xbe\xfb\x09\xf9\xd7\x19\xa0\xac\x57\x08\x0f\x1c\xdb\xfd\x46\x70\x4d\x79\x94\x7a\xa1\x0c\x5b\x0b\xb2\x26\xe7\xf6\x83\x09\x74\x72\x40\xf7\x73\xa6\x27\x53\x65\x61\xfb\x6c\x1c\x9b\x26\xaa\x5e\x23\xbe\x01\xf2\xd3\xf7\xaa\xdc\x99\x54\x40\x01\x5d\x25\x64\xb9\xc1\x6b\x85\x3d\x66\x57\x24\xf9\xf7\x22\xb3\x4a\xb1\xd4\x4c\x27\xd0\xe0\xcb\x01\xc4\x9d\x9e\x05\xde\x91\xc2\xe0\x40\x76\x4f\x0c\x21\x2e\x6d\x63\xf7\xb7\x24\x93\xdc\xcb\xf8\x58\x16\x4c\xf4\x81\x51\xbb\xe4\xf1\xdc\x2c\x91\x58\x66\x73\x43\x1a\xf7\xb8\x46\x1d\x30\x16\x1c\x56\x11\x70\xdf\xa3\x1e\xdd\xe2\xcc\xc9\xdd\xdb\xc7\xa8\xe4\x62\x31\x75\x24\x05\xcf\x30\x8e\xcd\x8d\x35\x05\x63\x6d\xba\x70\x35\xc9\x4f\x72\x86\x23\xbb\x87\x60\x3a\xfb\x90\xb5\xc2\x3e\x9a\xc1\x93\x7b\x2e\xa3\x98\x4d\x57\x9d\xa2\x99\x70\xef\x04\x9f\xfd\x97\x05\xfa\x28\x3e\xf6\x2f\x1a\x9f\xbb\xef\xbc\x5f\x8f\x3f\x79\xbd\xd8\xd7\x0f\x0a\x89\x39\x72\xe5\xac\xa3\xa1\x64\xe6\x72\xba\x88\xeb\xdb\x62\x06\xa4\xdd\xa5\xeb\x5a\xdf\xd1\x63\x52\xd4\x2c\x4f\xbd\xdf\x11\x7f\x2b\x0d\x30\xe8\xc3\x9f\x1b\xc6\x3f\x3b\xc0\x3b\x45\x2a\x87\x01\x17\xaf\x7a\x3f\xd3\x01\xaf\x71\x4b\xfa\x39\x83\x67\xa9\xac\x2a\xa3\x81\x17\x0b\xc7\xca\x86\x01\x44\x25\x8a\x9a\x38\xa6\x14\x54\xc9\xcd\xef\x24\xf1\xc6\x62\xf2\x8e\x8d\x1e\xe7\x74\x9f\x61\xa9\xc7\x9a\x9e\x16\x59\x3f\x2d\x55\x00\xde\xaa\x73\x0a\xca\x4e\xef\x32\x73\x87\x84\x31\xa8\x74\xb0\x3e\x44\xf6\x49\x5b\x52\xea\x9b\x22\xd9\x41\x7f\xb3\xf2\xcc\xbe\x2c\x48\x2a\xdd\x30\x8e\x4a\x3c\x55\xb7\x53\x2a\x4e\x64\xcf\x10\x8d\x83\x3d\x54\xab\xf3\xcf\x93\xb3\xf9\x08\x52\x63\xd2\x77\x4c\x22\x14\xdc\x62\xe3\xc6\xa7\x88\x69\x46\xb7\xbb\xb4\xd0\xfd\xd8\x2d\x50\x22\x32\xf8\x91\xe9\x5e\x20\x75\xb6\x97\x4f\xcb\xc8\x15\x79\xfe\x8e\xeb\x7e\xe2\x21\xa9\x04\xce\xdb\xbb\xab\x25\x95\xef\x93\x53\x7f\xde\xa0\x3e\xb9\x3b\x49\x68\x01\x19\xd9\x96\xc8\xe7\x06\xdf\xc4\xd9\x94\x33\x95\x4c\x53\x67\x72\x5d\x48\x08\x11\x9b\x6
8\x3b\x59\x64\x1c\x4b\xff\xd3\xfb\xab\x0c\x7e\x12\x5f\x02\xba\xd9\x5c\xbf\xc2\x6e\xab\x96\x07\x9f\x8d\xfb\xf6\x62\x35\x89\xd1\x4e\x0c\x20\xd1\x5e\x07\xc3\x4b\xcc\xce\x36\xfb\x92\x79\x65\xf9\x6c\x8c\xc8\x9b\x3e\x51\x43\x82\x12\xa9\xbe\xc9\x2a\xf4\xb5\x92\xae\x76\xe6\x6d\x53\x1d\x34\x43\x85\xf5\x56\x85\x52\xe3\x7b\xd2\x5c\xbe\x30\x7d\x83\x99\x75\x91\x4f\x30\x91\x5d\x24\xe8\xf3\xd8\x92\xc8\xa1\x9f\xa4\x84\xc3\x5d\xf1\xfb\x92\xaf\x80\xed\xf4\x03\x34\x0c\xac\xed\x5c\x22\x47\x67\xe9\xe6\x87\x45\x65\x63\xdf\xf2\x9c\xa8\x6e\x36\x58\x55\xde\x94\x05\x7b\x66\xc5\x76\xbe\xc5\xf5\xb7\xfc\x3f\x00\x43\x33\x6b\x8a\x48\x7a\xe2\x51\x9b\x8f\xf0\x12\x2e\x7a\xc2\xbf\x57\xd2\x9b\xa6\x48\x08\xdd\x3a\x20\xd2\x6e\x43\x82\xce\x7b\xb1\xfb\xd3\x47\x34\xf5\xae\x66\x25\xee\x8a\x7d\xd5\x6f", 8192); *(uint32_t*)0x20004f40 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x50; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 0x3f; *(uint32_t*)0x200023d0 = 7; *(uint32_t*)0x200023d4 = 0x22; *(uint32_t*)0x200023d8 = 0x8001; *(uint32_t*)0x200023dc = 0x1040000; *(uint16_t*)0x200023e0 = 8; *(uint16_t*)0x200023e2 = 0xf6e1; *(uint32_t*)0x200023e4 = 8; *(uint32_t*)0x200023e8 = 9; *(uint16_t*)0x200023ec = 0; *(uint16_t*)0x200023ee = 0; memset((void*)0x200023f0, 0, 32); *(uint32_t*)0x20004f44 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 9; *(uint64_t*)0x20002450 = 0x40d; *(uint32_t*)0x20004f48 = 0x20002480; *(uint32_t*)0x20002480 = 0x18; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 7; *(uint64_t*)0x20002490 = 7; *(uint32_t*)0x20004f4c = 0x200024c0; *(uint32_t*)0x200024c0 = 0x18; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 0xffff; *(uint32_t*)0x200024d0 = 8; *(uint32_t*)0x200024d4 = 0; *(uint32_t*)0x20004f50 = 0x20002500; *(uint32_t*)0x20002500 = 0x18; *(uint32_t*)0x20002504 = 0; *(uint64_t*)0x20002508 = 0xce0; *(uint32_t*)0x20002510 = 0x1c; *(uint32_t*)0x20002514 = 0; *(uint32_t*)0x20004f54 = 0x20002540; *(uint32_t*)0x20002540 = 0x28; 
*(uint32_t*)0x20002544 = 0; *(uint64_t*)0x20002548 = 1; *(uint64_t*)0x20002550 = 0x100; *(uint64_t*)0x20002558 = 5; *(uint32_t*)0x20002560 = 2; *(uint32_t*)0x20002564 = r[6]; *(uint32_t*)0x20004f58 = 0x20002580; *(uint32_t*)0x20002580 = 0x60; *(uint32_t*)0x20002584 = 0xfffffffe; *(uint64_t*)0x20002588 = 8; *(uint64_t*)0x20002590 = 0xcd95; *(uint64_t*)0x20002598 = 0x1f; *(uint64_t*)0x200025a0 = 7; *(uint64_t*)0x200025a8 = 0x48; *(uint64_t*)0x200025b0 = 0xaac5; *(uint32_t*)0x200025b8 = 6; *(uint32_t*)0x200025bc = 0xad; *(uint32_t*)0x200025c0 = 5; *(uint32_t*)0x200025c4 = 0; memset((void*)0x200025c8, 0, 24); *(uint32_t*)0x20004f5c = 0x20002600; *(uint32_t*)0x20002600 = 0x18; *(uint32_t*)0x20002604 = 0xfffffff5; *(uint64_t*)0x20002608 = 9; *(uint32_t*)0x20002610 = 9; *(uint32_t*)0x20002614 = 0; *(uint32_t*)0x20004f60 = 0x20002640; *(uint32_t*)0x20002640 = 0x11; *(uint32_t*)0x20002644 = 0; *(uint64_t*)0x20002648 = 0; memset((void*)0x20002650, 0, 1); *(uint32_t*)0x20004f64 = 0x20002680; *(uint32_t*)0x20002680 = 0x20; *(uint32_t*)0x20002684 = 0; *(uint64_t*)0x20002688 = 0x10000; *(uint64_t*)0x20002690 = 0; *(uint32_t*)0x20002698 = 0; *(uint32_t*)0x2000269c = 0; *(uint32_t*)0x20004f68 = 0x20002780; *(uint32_t*)0x20002780 = 0x78; *(uint32_t*)0x20002784 = 0; *(uint64_t*)0x20002788 = 9; *(uint64_t*)0x20002790 = 3; *(uint32_t*)0x20002798 = 0; *(uint32_t*)0x2000279c = 0; *(uint64_t*)0x200027a0 = 6; *(uint64_t*)0x200027a8 = 0; *(uint64_t*)0x200027b0 = 0xfffffffffffff20d; *(uint64_t*)0x200027b8 = 0xfffffffffffffff8; *(uint64_t*)0x200027c0 = 1; *(uint64_t*)0x200027c8 = 0x3ff; *(uint32_t*)0x200027d0 = 5; *(uint32_t*)0x200027d4 = 9; *(uint32_t*)0x200027d8 = 0x726; *(uint32_t*)0x200027dc = 0x1000; *(uint32_t*)0x200027e0 = 6; *(uint32_t*)0x200027e4 = r[7]; *(uint32_t*)0x200027e8 = 0xee01; *(uint32_t*)0x200027ec = 7; *(uint32_t*)0x200027f0 = 7; *(uint32_t*)0x200027f4 = 0; *(uint32_t*)0x20004f6c = 0x200028c0; *(uint32_t*)0x200028c0 = 0x90; *(uint32_t*)0x200028c4 = 0; 
*(uint64_t*)0x200028c8 = 3; *(uint64_t*)0x200028d0 = 2; *(uint64_t*)0x200028d8 = 2; *(uint64_t*)0x200028e0 = 0x100000000; *(uint64_t*)0x200028e8 = 0x61a26b8d; *(uint32_t*)0x200028f0 = 6; *(uint32_t*)0x200028f4 = 2; *(uint64_t*)0x200028f8 = 1; *(uint64_t*)0x20002900 = 3; *(uint64_t*)0x20002908 = 1; *(uint64_t*)0x20002910 = 0x100000000; *(uint64_t*)0x20002918 = 3; *(uint64_t*)0x20002920 = 0x8f; *(uint32_t*)0x20002928 = 4; *(uint32_t*)0x2000292c = 0x1ff; *(uint32_t*)0x20002930 = 0x849; *(uint32_t*)0x20002934 = 0x1000; *(uint32_t*)0x20002938 = 7; *(uint32_t*)0x2000293c = r[8]; *(uint32_t*)0x20002940 = -1; *(uint32_t*)0x20002944 = 5; *(uint32_t*)0x20002948 = 0x1f; *(uint32_t*)0x2000294c = 0; *(uint32_t*)0x20004f70 = 0x20002980; *(uint32_t*)0x20002980 = 0x130; *(uint32_t*)0x20002984 = 0; *(uint64_t*)0x20002988 = 0xa00000000000; *(uint64_t*)0x20002990 = 4; *(uint64_t*)0x20002998 = 1; *(uint32_t*)0x200029a0 = 6; *(uint32_t*)0x200029a4 = 9; memset((void*)0x200029a8, 1, 6); *(uint64_t*)0x200029b0 = 6; *(uint64_t*)0x200029b8 = 1; *(uint32_t*)0x200029c0 = 5; *(uint32_t*)0x200029c4 = 0xfffffffe; memset((void*)0x200029c8, 170, 5); *(uint64_t*)0x200029d0 = 1; *(uint64_t*)0x200029d8 = 0x1ff; *(uint32_t*)0x200029e0 = 3; *(uint32_t*)0x200029e4 = 7; memcpy((void*)0x200029e8, "{#-", 3); *(uint64_t*)0x200029f0 = 5; *(uint64_t*)0x200029f8 = 0; *(uint32_t*)0x20002a00 = 2; *(uint32_t*)0x20002a04 = 0x761; memcpy((void*)0x20002a08, "[#", 2); *(uint64_t*)0x20002a10 = 3; *(uint64_t*)0x20002a18 = 0; *(uint32_t*)0x20002a20 = 2; *(uint32_t*)0x20002a24 = 6; memcpy((void*)0x20002a28, "#]", 2); *(uint64_t*)0x20002a30 = 1; *(uint64_t*)0x20002a38 = 0x714; *(uint32_t*)0x20002a40 = 5; *(uint32_t*)0x20002a44 = 3; memcpy((void*)0x20002a48, "*^\\^b", 5); *(uint64_t*)0x20002a50 = 5; *(uint64_t*)0x20002a58 = 0xeb68; *(uint32_t*)0x20002a60 = 4; *(uint32_t*)0x20002a64 = 0xfffffa80; memcpy((void*)0x20002a68, "--$-", 4); *(uint64_t*)0x20002a70 = 6; *(uint64_t*)0x20002a78 = 0xfffffffffffffeff; 
*(uint32_t*)0x20002a80 = 1; *(uint32_t*)0x20002a84 = 1; memset((void*)0x20002a88, 45, 1); *(uint64_t*)0x20002a90 = 1; *(uint64_t*)0x20002a98 = 8; *(uint32_t*)0x20002aa0 = 3; *(uint32_t*)0x20002aa4 = 0xf2; memcpy((void*)0x20002aa8, "!\\{", 3); *(uint32_t*)0x20004f74 = 0x20004c40; *(uint32_t*)0x20004c40 = 0xb0; *(uint32_t*)0x20004c44 = 0; *(uint64_t*)0x20004c48 = 0xcf; *(uint64_t*)0x20004c50 = 1; *(uint64_t*)0x20004c58 = 1; *(uint64_t*)0x20004c60 = 3; *(uint64_t*)0x20004c68 = 0x100000000; *(uint32_t*)0x20004c70 = 4; *(uint32_t*)0x20004c74 = 0x81; *(uint64_t*)0x20004c78 = 5; *(uint64_t*)0x20004c80 = 0x7f; *(uint64_t*)0x20004c88 = 5; *(uint64_t*)0x20004c90 = 6; *(uint64_t*)0x20004c98 = 0xffff; *(uint64_t*)0x20004ca0 = 3; *(uint32_t*)0x20004ca8 = 0x1f; *(uint32_t*)0x20004cac = 3; *(uint32_t*)0x20004cb0 = 8; *(uint32_t*)0x20004cb4 = 0xc000; *(uint32_t*)0x20004cb8 = 0xf5c8; *(uint32_t*)0x20004cbc = r[10]; *(uint32_t*)0x20004cc0 = r[11]; *(uint32_t*)0x20004cc4 = 2; *(uint32_t*)0x20004cc8 = 9; *(uint32_t*)0x20004ccc = 0; *(uint64_t*)0x20004cd0 = 4; *(uint64_t*)0x20004cd8 = 0x80; *(uint32_t*)0x20004ce0 = 5; *(uint32_t*)0x20004ce4 = 2; memset((void*)0x20004ce8, 170, 5); *(uint32_t*)0x20004f78 = 0x20004e40; *(uint32_t*)0x20004e40 = 0xa0; *(uint32_t*)0x20004e44 = 0; *(uint64_t*)0x20004e48 = 0x400; *(uint64_t*)0x20004e50 = 6; *(uint64_t*)0x20004e58 = 2; *(uint64_t*)0x20004e60 = 0x400; *(uint64_t*)0x20004e68 = 7; *(uint32_t*)0x20004e70 = 4; *(uint32_t*)0x20004e74 = 9; *(uint64_t*)0x20004e78 = 4; *(uint64_t*)0x20004e80 = 0x1000; *(uint64_t*)0x20004e88 = 0xffff; *(uint64_t*)0x20004e90 = 6; *(uint64_t*)0x20004e98 = 1; *(uint64_t*)0x20004ea0 = 0xffff; *(uint32_t*)0x20004ea8 = 0x65f; *(uint32_t*)0x20004eac = 0x647c2b8f; *(uint32_t*)0x20004eb0 = 0x400; *(uint32_t*)0x20004eb4 = 0x8000; *(uint32_t*)0x20004eb8 = 8; *(uint32_t*)0x20004ebc = r[12]; *(uint32_t*)0x20004ec0 = r[13]; *(uint32_t*)0x20004ec4 = 3; *(uint32_t*)0x20004ec8 = 0x6b; *(uint32_t*)0x20004ecc = 0; *(uint64_t*)0x20004ed0 = 
0; *(uint32_t*)0x20004ed8 = 0xd; *(uint32_t*)0x20004edc = 0; *(uint32_t*)0x20004f7c = 0x20004f00; *(uint32_t*)0x20004f00 = 0x20; *(uint32_t*)0x20004f04 = 0; *(uint64_t*)0x20004f08 = 0x800; *(uint32_t*)0x20004f10 = 0; *(uint32_t*)0x20004f14 = 0; *(uint32_t*)0x20004f18 = 0x10001; *(uint32_t*)0x20004f1c = 0; syz_fuse_handle_req(r[5], 0x200003c0, 0x2000, 0x20004f40); memcpy((void*)0x20004f80, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004f80, r[5]); syz_init_net_socket(0x24, 2, 0); res = -1; res = syz_io_uring_complete(0); if (res != -1) r[14] = res; *(uint32_t*)0x20004fc4 = 0x5004; *(uint32_t*)0x20004fc8 = 0; *(uint32_t*)0x20004fcc = 1; *(uint32_t*)0x20004fd0 = 0x1de; *(uint32_t*)0x20004fd8 = r[14]; memset((void*)0x20004fdc, 0, 12); res = -1; res = syz_io_uring_setup(0x343, 0x20004fc0, 0x20ffc000, 0x20ffb000, 0x20005040, 0x20005080); if (res != -1) { r[15] = *(uint64_t*)0x20005040; r[16] = *(uint64_t*)0x20005080; } memcpy((void*)0x200050c0, "/dev/uinput\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 2, 0); if (res != -1) r[17] = res; memcpy((void*)0x20005100, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0x488200, 0); if (res != -1) r[18] = res; *(uint8_t*)0x20005140 = 0x1e; *(uint8_t*)0x20005141 = 3; *(uint16_t*)0x20005142 = 0; *(uint32_t*)0x20005144 = r[14]; *(uint64_t*)0x20005148 = 0x200; *(uint32_t*)0x20005150 = 0; *(uint32_t*)0x20005154 = r[17]; *(uint32_t*)0x20005158 = 6; *(uint32_t*)0x2000515c = 1; *(uint64_t*)0x20005160 = 0; *(uint16_t*)0x20005168 = 0; *(uint16_t*)0x2000516a = 0; *(uint32_t*)0x2000516c = r[18]; memset((void*)0x20005170, 0, 16); syz_io_uring_submit(r[15], r[16], 0x20005140, 0x3dd1); memcpy((void*)0x20005180, "/dev/keychord\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x20005180, 0x171000, 0); if (res != -1) r[19] = res; memcpy((void*)0x200051c0, "/dev/ubi_ctrl\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x200051c0, 0x10400, 0); if (res != -1) r[20] = res; 
*(uint32_t*)0x20005240 = 0; *(uint32_t*)0x20005244 = 0x20005200; memcpy((void*)0x20005200, "\x46\x23\xd8\xa4\xce\x02\x17\xc9\xe5\x95\x55\xc1\x66\x89\x06\x79\xe3\xe0\xc1\x94\x0d\xf5\xb9\xfc\xbf\x91\x64\x9e\xf5\x4d\x80\xf0\xc8\xbc\xc8\x0e\x36\xb5\x57\x4c\x4b\xc9\xf9\x43\x40\x18\x54\xf5\x6a\xa2", 50); *(uint32_t*)0x20005248 = 0x32; *(uint64_t*)0x20005280 = 1; *(uint64_t*)0x20005288 = 0; syz_kvm_setup_cpu(r[19], r[20], 0x20fe8000, 0x20005240, 1, 0, 0x20005280, 1); res = syscall(__NR_mmap, 0x20ffc000, 0x2000, 0x1000000, 0x8000, (intptr_t)r[18], 0); if (res != -1) r[21] = res; *(uint32_t*)0x200052c0 = 1; syz_memcpy_off(r[21], 0x114, 0x200052c0, 0, 4); memcpy((void*)0x20005300, "adfs\000", 5); memcpy((void*)0x20005340, "./file0\000", 8); *(uint32_t*)0x20005540 = 0x20005380; memcpy((void*)0x20005380, "\x87\x35\x19\xf2\x5d\xf0\x82\xb3\x71\xba\x5b\x45\xad\xb5\x70\x9c\x00\x80\x57\x47\xc3\x7f\xe0\x44\x06\x45\x95\xcd\x47\x28\xbf\x89\x80\x30\x2b\x25\xb4\xb0\x83\xb4\x2b\x41\x33\x6e\x13\x0f\x1b\x6f\xf0\xa2\xf1\x72\x49\x8e\x52\x2b\x4f\xe5\x82\x6e\xab\xab\xf5\x3a\x98\x52\xf9\x3e\xbe\xb8\x41\xe1\x64\x5f\x32\x93\x61\x27\x02\x9d\x68\xfe\x73\xec\xed\x89\xc1\xb9\x35\x87\x01\x2a\x47\xc4\x2a\x58\x3d\x69\x75\x59\x2b\x3f\x2c\xdf\x43\x37\xfc\x6d\x5e\x85\xe5\xf5\x83\x5f\xaf\xe0\x95\x93\x5e\xc9\x04\x84\xe9\x08\x1a\xa8\xd2\x24\x98\x43\x13\x01\xba\xad\x4a\x34\x36\x8c\x26\xc6\x4d\x85\x32\x6c\x7e\x00\x68\x21\x78\xf8\xd1\x3e\x6a\x89\x69\xf1\x5b\x9d\x5d\xbc\xfe\xc2\xc0\xe6\x96\x80\xc3\x92\x8c\xa0\x15\xb9\x2e\x25\xf5\x07\x8d\xe3\x54\xfe\x32\xcc\x71\x21\x60\x9a\x07\x62\xe1\xb7\x3e\xfd\x89\x67\xa2\xfe\x23\x5e\x4d\x1e\xf9\xe5\xac\x88\xbc\x1e\xd7\x06\xa9\x84\x64\x1b\x06\x47\x0b\x22\x94\xd0\x45\xce\x7e\xba\x51\xc0\x72\x89\x38\xa2\xc6\xee\xb6\xd8\x57\x44\x29\xcc\x24\xbc\xb2\xa7\x84", 241); *(uint32_t*)0x20005544 = 0xf1; *(uint32_t*)0x20005548 = 0x40; *(uint32_t*)0x2000554c = 0x20005480; memcpy((void*)0x20005480, 
"\x62\x93\x5b\xfe\x26\xe9\xc9\xf2\xdc\x3c\x3e\x9d\xfb\x49\x18\x58\xef\xb5\x98\x36\x9b\xcc\xa5\x19\x23\x98\x9b\xa9\x43\xcf\x44\x7b\xaf\x56\x62\x5d\xf0\xf6\x85\xed\x2d\x03\x4b\x37\xc0\x75\x63\xf6\x68\x72\x8f\x6d\xc6\x83\x36\x09\xb1\x22\x19\x70\xe5\x50\x88\x86\x9d\x29\xc0\x1b\x2d\xd0\x5c\x48\x20\xb0\x80\x42\xb5\x07\x40\x08\xc9\x75\x77\x12\xc4\x80\xe2\x5d\x89\xb9\xc4\x8e\x95\x7e\x5b\x5c\x7b\x0b\xec\xcf\xb1\xfc\xcc\xed\xbc\xed\xc8\x38\x06\x03\x80\x75\xfc\x2a\x0f\x82\x28\xbe\xb4\x7f\x1f\xec\xe0\x9b\xdd\xcb\xbe\x00\x21\xab\xe9\xc3\xd1\x98\x36\x9b\x81\xb6\x7d\xbd\x6a\x7d\x33\x4b\x8d\x28\xb8\x02\xcc\x97\xd9\x34\xc1\x64\xe9\x7d\x9d\x7b\x70\xdc\x6c", 161); *(uint32_t*)0x20005550 = 0xa1; *(uint32_t*)0x20005554 = 0x1ff; memset((void*)0x20005580, 170, 5); *(uint8_t*)0x20005585 = 0x2c; *(uint8_t*)0x20005586 = 0x2c; memcpy((void*)0x20005587, ":&-]!", 5); *(uint8_t*)0x2000558c = 0x2c; memset((void*)0x2000558d, 125, 1); *(uint8_t*)0x2000558e = 0x2c; memcpy((void*)0x2000558f, ",-V", 3); *(uint8_t*)0x20005592 = 0x2c; memcpy((void*)0x20005593, "\\*})", 4); *(uint8_t*)0x20005597 = 0x2c; memcpy((void*)0x20005598, "*^\\^b", 5); *(uint8_t*)0x2000559d = 0x2c; memcpy((void*)0x2000559e, "appraise", 8); *(uint8_t*)0x200055a6 = 0x2c; memcpy((void*)0x200055a7, "fowner<", 7); sprintf((char*)0x200055ae, "%020llu", (long long)r[8]); *(uint8_t*)0x200055c2 = 0x2c; memcpy((void*)0x200055c3, "smackfshat", 10); *(uint8_t*)0x200055cd = 0x3d; memset((void*)0x200055ce, 170, 5); *(uint8_t*)0x200055d3 = 0x2c; memcpy((void*)0x200055d4, "obj_type", 8); *(uint8_t*)0x200055dc = 0x3d; memset((void*)0x200055dd, 170, 5); *(uint8_t*)0x200055e2 = 0x2c; memcpy((void*)0x200055e3, "dont_appraise", 13); *(uint8_t*)0x200055f0 = 0x2c; memcpy((void*)0x200055f1, "dont_measure", 12); *(uint8_t*)0x200055fd = 0x2c; memcpy((void*)0x200055fe, "fowner<", 7); sprintf((char*)0x20005605, "%020llu", (long long)r[9]); *(uint8_t*)0x20005619 = 0x2c; memcpy((void*)0x2000561a, "dont_appraise", 13); *(uint8_t*)0x20005627 = 0x2c; 
*(uint8_t*)0x20005628 = 0; syz_mount_image(0x20005300, 0x20005340, 0xfd, 2, 0x20005540, 0x8800, 0x20005580); memcpy((void*)0x20005640, "/dev/i2c-#\000", 11); syz_open_dev(0x20005640, 0x40, 0x300); memcpy((void*)0x20005680, "net/if_inet6\000", 13); syz_open_procfs(r[6], 0x20005680); syz_open_pts(r[19], 0x800); *(uint32_t*)0x20006c40 = 0x200056c0; memcpy((void*)0x200056c0, "\x46\x41\x06\x38\xb7\xa1\x28\xc1\x5c\x6c\xb2\x7d\x23\x35\x80\x6d\xa8\x7c\x0d\x49\x15\x42\x44\x52\xcf\x0b\xa9\xee\xe0\xa5\xd4\x9d\x63\x4f\x09\x0d\xf2\x6f\x35\xbb\x04\x33\xc1\x3a\x27\x0d\xcb\x44\xcf\xe9\xba\x62\xb5\xba\x38\xd4\xae\x3c\x65\xea\xd2\x72\x7f\x1d\x2a\x5f\x02\xda\xa2\x70\xce\xa6\xf4\xf6\x09\x02\xe2\xed\xa6\x54\xb1\x6e\xc6\x63\x5a\x1c\x6c\xd1\x5d\x6b\xd6\x34\x32\x14\xb8\x34\x22\xd1\xa1\x9b\x5d\xae\x43\x9b\x9f\xbc\x3d\xb5\xc2\x18\xd4\xb0\x8a\xcf\xc9\xfc\xdb\xe5\xd4\xe6\xa5\x12\x7a\xda\xdc\xe6\x10\xd8\x15\xe8\xc6\xd8\xad\xc7\x86\x89\xea\xae\x29\xd8\x1a\x20\x04\x0a\xee\xef\x4e\xe5\x5d\x77\x01\xea\x72\x5e\x91\xb7\x4f\x5b\x37\x81\x4b\xee\xd1\x18\x54\x99\x79\xc8\xa4\x0d\x0b\x29\x09\x77\xad\xa4\xd6\x58\x74\xc7\xdc\xca\x03\x0a\x9a\x15\x50\x9b\xc2\x7e\x6e\x87\xd5\x26\x91\x24\x37\xb8\x69\x04\xf7\x42\xc9\xc1\x3c\x1e\x00\xbc\x5e\x3e\x94\x3c\x14\x30\xd1\xcc\x01\x8f\x5a\x4d\xec\xf2\x46\x02\xdb\x5b\xf2\x28\x6e\x64\xce\x75\x1d\x8d\xf1\x6f\x28\x09\x34\xfb\x08\xb6\x19\xb2\xb5\xe9\x31\x19\x5a\xd2\xf7\xc8\x7a\xe9\x56\xc6\x4a\x2f\xda\xc4\xfd\x79\x16\x11\xac\xc2\xa8\x65\xd9\x94\xea\x90\xed\x15\x85\x81\xe8\x0d\x03\x86\xb1\x53\xf1\x9f\xab\x27\x81\xb7\x2d\x1d\xe0\x03\xb1\x87\xd2\xb1\x19\x53\x42\xb3\xa0\x03\xbf\x44\x83\xb4\xd8\x90\xab\x1b\x2f\x51\xe8\xd5\x8f\x0a\x5a\xd7\x8e\x0d\xf9\xd6\x29\xc2\x2c\x2a\x32\x4a\x98\x2e\x1f\xc2\x73\x8c\x36\x0d\xb3\xa8\xba\x5e\x55\xae\x5c\x9d\x58\xf1\xc2\xf6\xbe\xd0\xb6\xde\x5b\xb4\xee\x3b\x5f\x84\x2c\xee\xf9\x1b\x20\x56\x54\x1f\xf5\x53\x12\xee\x90\xa2\xbd\x09\x97\x06\x6c\x37\xf3\xd8\x37\x78\x95\x92\x1b\x08\x02\x15\x89\x04\x9e\xd7\xb2\x3c\xeb\xaf\x9b\x41\xd0\x8e\x75\x90\x58\xa3\x45\x2c\
xb9\xdf\x2a\xee\x1d\x2b\x90\xe5\x10\xba\x9b\xc9\x48\x40\x0a\x69\xaa\x13\x83\x3d\x1b\x4c\x44\x44\x51\x29\xe0\xaf\x50\x12\xfd\x6a\x53\x41\x81\xfb\x20\x42\x68\x26\xa4\xb3\x69\x4e\x4a\x51\x81\x19\x9d\xf1\xed\x31\xde\x36\xf2\xed\x49\x21\x18\x22\xad\x91\x5d\x3b\x71\xac\xae\xcf\xf3\xc8\x4d\x4e\x3b\xb1\x9f\xba\x32\x19\xe2\x61\x45\x73\x5f\xf7\x1d\xce\xee\xee\x7a\xa2\x47\x53\x9a\xd2\x73\x11\x13\xd3\xf3\x64\x42\x6b\xe9\x00\x6e\x6b\x0e\x35\x8b\x81\xd4\x07\x45\x49\xe0\x8e\xf2\x76\x13\xa3\x71\x5e\x5e\x89\xba\x0a\x71\xe3\x99\x52\x31\xe9\x9a\xac\x5e\x4e\xe7\x07\x8f\x59\xe3\xe7\xd4\xfa\xbe\xd2\x6e\x75\x07\x41\x1f\xbe\x4b\x03\x53\x10\x62\x78\xac\x69\xf3\xb9\x1e\xc6\x9f\xa5\x42\xeb\x7c\x96\x43\x94\x06\x2f\x65\xc6\x50\x19\x7f\xbe\x73\x3c\x22\x83\x26\x73\xd0\x66\xe4\xed\x40\x07\x3b\x28\x4e\xe4\xe5\x1b\x12\x59\x36\x7d\x4e\xb9\xe1\x72\x00\x7e\x6f\xb8\x0a\x0a\x6f\xe6\x2b\x3f\x3d\x5e\x5b\x68\xfe\x04\x7e\xa4\xd6\xfb\xfa\xa3\x0a\x00\xfc\x29\xbc\x58\xa3\x1c\xfb\x82\x12\xf2\xc4\x9c\x3a\x2e\x71\x1a\xe5\x02\xbd\x64\x7b\xd5\x6b\xb7\xcf\xc1\xd8\x4d\x14\x18\x27\xbe\x21\x1b\x5f\xfb\xed\x78\x6b\xfa\x13\x13\xd2\xae\xd5\x34\xf0\x00\x19\x36\x3a\xc1\x29\x61\x2c\xa2\x5c\x76\x3b\x07\x7f\x5a\x72\x4d\x61\xfc\x79\x74\xfa\x82\x4b\xad\xc1\x40\x06\xf2\xfe\xbf\xb1\xe3\x5a\x3d\xd7\x2e\x82\x33\x4a\x26\x37\x56\xff\x42\x04\x68\x0c\xba\x1c\x03\xc5\x5e\x09\xdf\xfb\x5a\x58\xe4\xc5\x5b\x5b\xd7\xa7\x0e\xe8\x52\x59\x29\xa0\xee\x9f\x90\x91\xe3\x4b\xb8\xd2\xf0\xaf\x6d\x2a\x26\x70\xc5\x91\x18\x6b\xee\x6c\xed\xda\xb8\xe1\xfe\x8d\x4b\xe3\x97\xa5\x45\xc4\x83\xfd\x68\x4c\xd8\x12\xdf\x5e\x31\x2a\xb5\xf4\x81\x2b\x47\x84\xef\xae\xf1\xc3\xdb\xe7\x90\x94\xfb\xab\xd6\xca\x5f\x0a\x45\x46\x23\x96\xf8\x18\xa5\xc7\xbf\x61\xc8\xc3\xf4\x33\x66\xc1\x26\x5f\x46\x38\xd1\xdc\x7b\xde\x11\x46\x10\x35\xc7\xaf\x77\xe6\x84\x4c\x5d\x47\xbc\x18\x97\xdf\xab\xec\x76\x87\xed\x25\x79\x4a\x71\xa3\xaa\x2b\xe1\x66\x57\x19\xe7\xea\xf6\x49\xbf\xaf\xfc\xea\x24\x92\xd4\x3b\xca\x7f\x03\x04\x21\x0c\xfc\xa9\x1a\x0d\xad\xf6\x6b\x7c\x3c\x6b\xaf\x8c\x50\x55\xef\x4f\x3c\
x56\xaa\x03\xbb\x6e\x40\x0d\x7c\xac\xa6\x9e\x42\x43\xac\x71\xc9\x39\xcc\xf2\x73\x10\xb7\x3b\xa5\x98\x97\xe2\x02\x0c\x71\x7c\x33\xdb\x9a\x4a\x58\x29\x12\xa3\xa8\xd7\xc0\xa8\x70\xb1\x2a\x9f\x98\x2a\xaf\xd0\xcf\x15\x95\x75\x18\x9d\x8c\x26\x88\x64\x34\x22\x9f\xb0\xc7\x6c\x56\x50\x8b\x63\x8a\x25\x09\xb6\x58\x47\x72\x2a\xf1\x97\xe9\x5c\xf0\xcf\xf2\x36\x84\x48\xd4\x2a\xd6\x2d\xb2\x7f\xf0\x17\xa7\xfb\xed\x92\x3b\xef\x62\x83\x40\x87\x12\xc3\xf0\x4a\x79\x03\x38\xf4\xf8\x0c\xf4\xf3\xe9\x2f\xaa\xfa\x3b\xf6\xcf\xf5\xed\x3c\xf3\xb1\x7b\x50\x50\x75\xe1\x2b\x69\x58\xbf\x2e\x5c\xb4\x02\x41\xf6\x72\x87\x4a\x0f\x94\x0f\xd5\x7e\x82\xe9\xca\xff\x11\x3d\x67\x1d\xa2\x3d\xa3\x43\x6a\x31\x80\x0c\x2d\x34\x87\x96\x5f\x87\xc3\xf8\x25\x06\x10\xaa\xff\x78\x3d\x78\x59\x5e\x19\x26\xb7\x7e\x97\xb2\xe3\xad\x09\x08\x7a\xf9\x19\xac\xe3\xf0\x4f\xd2\x75\x88\x7b\x1f\xc8\x1e\xe2\xf5\xba\xd8\xde\x1c\xc3\x5e\xe0\xc0\x3a\xde\xed\x9a\x91\x97\xd7\xa8\xfa\x5d\xb5\x9d\xc5\x00\xa9\x4b\xd1\x84\xa2\xa8\x0d\x97\x04\x79\x7e\x76\xbc\x0f\xc4\x3e\xd5\x72\x96\x14\x3d\xc9\xd8\x58\xb1\x4a\x7b\xdf\xb4\x18\x19\x7f\x09\x74\xb6\xee\xe2\x99\x95\x80\x51\xb1\xd4\x14\xab\x12\x6c\xef\x5b\xc3\x6a\xe4\x05\x5c\x4f\x19\xe7\xe0\x1d\x20\x92\xd9\x9f\x1d\x2a\x5a\x56\x61\x4f\xed\xf4\x81\xd5\x78\xcb\x85\x1a\xd7\x3e\x18\x29\xbc\x35\x0f\x7e\x56\xee\x0d\x2e\x71\xfe\x73\x1c\x1b\x30\xfd\x84\x5f\xd8\x2c\xa0\xac\xf0\x29\xaf\xf4\xa7\x5e\x0d\x38\xfb\x7a\xf5\x82\xa1\x9c\x0c\x7d\xeb\x19\x54\x4b\xc7\xa1\x3c\x18\x96\x03\x24\x41\xcb\xa6\xae\x39\xc3\x5a\xe8\x80\xb4\x5a\x5c\x97\x54\x5a\xc0\x99\x24\x3a\x79\x1c\x6f\x2e\xb9\x35\x56\x20\x8b\x8b\x20\x35\x42\x75\x2a\x67\x3b\x9d\xf0\x2b\xf0\x4a\xd3\xc1\x8e\xec\xaa\x5e\xb2\x2d\x1b\x65\xe5\x9c\x34\x49\xb5\xcc\x42\xdf\x35\x0d\xd4\x82\x2b\xcf\x67\x1d\xf7\x84\x20\x68\x9c\xac\x22\x65\x8c\xd9\xf0\xf3\x90\xe2\x6e\x07\x96\xac\x4b\x7f\x30\xb1\x98\x9f\x09\xcf\x5b\xa5\x16\xeb\x16\x67\xec\xc1\xd8\x53\x73\x9a\x20\xe5\xe7\x85\x99\xbd\xa8\x30\xd0\x02\xd4\x5e\xb6\x6d\x63\xa7\x78\xb8\x41\x2a\xf5\xd6\x3e\x3e\xf2\x64\x94\xe2\x1b\xbc\
xde\x5b\x97\xa9\x4f\x79\x78\xac\x90\x3d\x46\x7c\x5b\x6d\x07\x17\xdc\x4a\x9d\x14\x6e\xd4\xb5\x8b\xfe\x37\x3a\x59\x08\x70\x2f\x99\x7f\x10\x90\xb4\xb1\x90\x93\xf8\x90\x50\x85\xec\xb6\x91\x10\x7b\x05\x9e\x0e\x1c\xd0\xc4\xa9\x4c\x9a\x47\x3a\xf2\xd1\x2b\xd5\x99\x8a\x8b\x8b\x48\x02\xf9\x31\xb9\x05\x15\x51\x9f\x20\xfe\xea\xde\xa5\x68\x4c\x06\x4f\x9a\xdb\x42\x39\x35\xb8\xde\x29\x8b\x03\xe5\x79\xab\xad\x6a\x23\xa8\x6c\x86\xed\xd3\x9c\x2e\xd6\xa4\x68\x5e\x69\xbc\x71\x54\x05\xab\x7a\x3f\x27\x66\x4b\xdb\x68\xfe\xf1\xfc\xd0\x90\xf0\x60\x38\x1f\x1a\xa3\x74\xa0\x74\xa6\x40\xf9\x91\xec\x6d\x8b\x28\x8b\x1b\x05\x07\x06\x85\x60\x31\x4f\xe9\x4a\xeb\x85\xc4\x2f\x4d\xf3\xad\xb2\x14\x85\x69\x65\x15\xda\x2f\xa7\xf4\x41\xb7\x53\xd5\xf8\xca\x45\x45\xf2\xd1\xdc\x1e\xb3\x4e\x41\x8c\x04\x3b\xeb\x51\x8b\xb3\x5f\xe3\x02\x35\xaa\xbf\x7e\xc5\xf3\x71\xb3\xa4\x8c\x0e\xa6\xa6\x13\xeb\xb4\xe4\xda\x5b\x71\x40\x8a\xa5\x57\x74\x23\x9a\xc7\x49\x03\x0a\x52\x74\x0c\xd8\x53\x5b\x9e\x3d\x28\xa4\xe8\x7b\x4c\x4f\x40\x44\xc8\x19\x5c\x32\x11\xf9\x47\xe5\x00\x7d\xf7\xb6\x4e\x37\xc4\x14\xbf\xd5\x4f\x7b\x59\x82\x37\x20\xbe\x00\x49\x8c\x18\xb5\x7d\xad\x00\x43\xf0\xc5\x0a\x75\x81\x74\x18\xc1\xdb\xc3\xdb\x8d\xc7\x33\xce\xb2\xb5\xb6\xd2\x0b\xec\x1e\x38\xa2\xf9\x09\xaa\x61\x94\x80\xe2\xca\x05\xd9\x00\x0b\x7e\xaf\xf3\x70\xc0\x77\xed\x38\x94\x22\x89\x0d\xd4\x26\x27\x8c\x63\xc2\xac\x42\x85\xe8\x40\xe6\xc7\xf9\xda\x04\xd6\x9a\xf4\x48\x2d\x96\xee\x58\x24\xde\x09\x16\x14\xd8\xb1\xb4\xcf\x49\xf5\xa7\x01\xe4\xb4\x2f\xf5\x8a\x62\x82\x3c\x27\x76\xfb\xa4\xc2\x7e\xc8\x6c\x24\xba\x10\x3e\xd0\x1c\x66\x72\x9a\xd6\x02\x92\x4a\x51\x37\xb7\x18\xd8\xdd\xee\xb0\x83\x39\xd8\x3c\x45\xfe\xca\x01\xc3\x93\x35\x7a\x67\x64\x38\x11\x43\x63\x59\x1d\x31\xc2\xba\x6f\xaf\xa5\xd8\x57\x1a\xf7\xc3\xa3\x69\x0f\xde\xb0\x99\xe4\x41\x92\xb5\x87\x1f\xd0\xa3\x36\x5f\xb2\xe2\x30\xc6\xc0\x3a\x74\x73\x78\x2b\x30\x3a\x5b\xe1\x4f\x03\x8d\x8e\xa3\x4a\x63\x08\x43\x00\x51\x6e\xb7\x88\x4e\x59\x33\x58\xe6\x6b\x3d\xfb\x6d\xac\x4d\x08\x15\xd5\x8d\xaf\xb8\x5e\x8c\xca\x44\x26\
x53\x6a\x38\x4d\xc8\x9f\x74\x13\xf1\x4c\xc9\x2e\x73\x77\xa9\x09\x38\xf9\x9e\xf7\xf5\x35\xc2\x18\xae\x2e\x90\x9a\xcd\xbf\xd7\xeb\x5b\x0b\x47\x40\x8e\x3d\x6d\x73\xdd\xa3\x9f\xbd\x6b\x23\xaf\x18\xf1\xa6\x70\x3e\xe3\xb1\xf7\x5b\xb7\xc0\x00\xa4\xca\x5a\x7b\xcc\xaa\xe8\x6c\x4a\xba\xc8\x1d\xa2\x93\xe4\x3f\x91\xd2\xc3\xdf\xf1\x2f\xfa\x52\x29\x13\x9a\x08\xae\x5f\xc2\xec\x13\x9b\xe9\x78\xb8\x18\x2d\x6a\x60\xc7\xff\x39\xbb\x0a\xa8\x20\xa1\x07\xd9\x2e\x38\xb9\x5e\x74\x8a\x18\x4b\x53\xf5\x62\x4f\x45\x72\x39\xf6\x38\x4d\xdd\xcb\x9f\xd7\xe8\xef\x29\x52\x65\xd7\x9b\x64\xc5\xc0\xa9\x3b\xf2\x16\x35\xb8\xc6\x80\x90\x78\x10\xd8\xe7\x2a\x58\x1e\x5a\xa0\xe0\x0f\xbf\x35\x1e\x3c\x84\x1c\x7d\x0c\x51\xa2\x63\x68\x37\xb2\x7c\x6a\x91\x42\x5b\x50\x6a\x22\xc2\x7d\x14\x20\xd0\xb1\x3e\x60\xde\x3e\x9c\x56\x66\x7a\x98\x98\x3b\xa9\xbd\xd1\xc5\xa5\x2d\xc6\x12\x7b\x65\x9e\x6d\x80\x70\x69\x59\xf0\x7d\x3a\x5f\xa8\xb3\xb8\x8e\xab\x05\xe7\xa0\xc0\x4e\xe1\x2a\x21\x37\x2c\x71\x3f\x64\xc6\xad\xbe\xed\xd7\xa8\xb7\xa6\x92\x67\x49\x75\xbb\xe5\x5c\xe4\x02\x71\x44\x02\xf2\x0c\x7f\x57\xff\x1f\x79\x35\x7d\x8e\xda\xbe\xf1\xd8\x68\xf0\xa2\xb3\xdd\x7a\xa3\xbb\xe5\x8e\x80\x81\x49\x70\x73\x4f\x7d\xec\x70\xd3\x14\xe8\x11\x59\x3a\x32\xcc\x86\x1f\x4a\x8a\x4b\x3f\x0d\x7c\xeb\x4e\xbb\x32\x66\x4f\x56\x44\x49\x7a\xc9\x56\x2c\xdd\x5a\x54\x19\x3f\x22\x38\xe6\x5c\x18\x74\xc8\x64\x21\xc5\xcf\xb4\x3a\xe1\x56\x93\x1c\x78\x40\xd1\x0d\xe4\x7a\x4d\x0f\x2f\x31\x74\xc3\x6c\x86\x45\xac\x02\xf5\x44\xc3\x69\x0b\x51\x37\xaf\x7d\x2c\xed\x3f\xb0\x43\x59\xbb\xf2\x2b\x67\x20\xea\x94\xf2\xe3\xb5\x67\x5f\xb7\x7a\xde\x56\xc9\x77\xd6\x68\x06\x4e\xfd\xd1\xc6\x15\x11\x9a\x52\x8c\x9e\xc1\x35\x3e\x84\x10\x3e\x5d\xce\x6a\x0b\xd0\x73\xf9\xff\xbe\xa0\x81\x9c\xf6\xc0\xcc\x58\xea\xd0\x0c\x92\x34\x02\x98\xcc\x09\x45\x64\x11\x7f\x3f\xb8\x94\x27\x4c\xa9\x1d\x79\x76\x45\x96\x19\xf5\x44\xb2\x50\x58\x6c\x6d\x44\xaf\xba\x55\x74\xb7\xef\x51\x26\xb0\x70\x40\x9a\x1f\x5e\xed\xc6\x50\x07\xb0\x03\x39\xf1\x60\x42\x2f\xff\x38\xd6\x7e\xaa\x8d\x78\x2f\xc4\x19\x2a\x29\x81\x08\
x79\xeb\x12\x85\x99\x42\xfa\x14\x1a\x21\xc3\x9d\x9e\xea\x03\xeb\xa1\xaa\x7b\x3a\xc7\xe2\xb1\xda\xf4\xf6\x9f\x47\x5b\x8e\x75\xc5\xac\x7c\x2e\xfd\xd7\x77\x93\x2d\x40\x31\x43\xcd\xd0\x89\x02\xd5\xe3\x45\x93\x01\xc2\x8c\x88\xc4\xdf\x34\x2c\xa1\x39\x10\xb7\x60\xe3\x4c\x40\x19\x4b\xb5\x1b\x82\xcf\x14\xad\xee\xd5\xae\x47\x51\x7d\x3c\xbc\x73\xbb\xb5\xa8\x89\x9c\x30\xe6\x06\x51\x99\x89\xa8\x5d\x2e\x15\xb0\xe8\x9e\xbb\xa4\x3f\x0c\x8a\x75\x2f\x07\x01\x03\x80\xca\xa7\x0d\xc4\x09\xff\x80\x5c\x24\x57\x48\x29\xd0\x6b\xb9\xa1\x49\x5d\x5a\x30\x85\xdf\x90\x29\xe2\x3d\x92\xbb\xc4\x6d\x7c\x7c\x1d\xb7\x36\x5e\x92\xe8\xd2\x44\x9a\xad\xe3\x89\x26\xa6\x43\x68\x72\x3a\x0e\x8a\x77\x7b\x32\x61\xc9\xc9\x7b\xae\x82\x5b\x55\x1b\xa9\x40\x55\x1a\x7e\x15\xe3\x01\x3d\xc0\x9a\x05\x22\x9d\x0c\x9a\xc6\x4e\xe1\x5e\xe3\xd4\x67\x42\x62\x89\x24\xc0\x9e\x63\x60\xcc\x43\x00\x6f\xb9\xa0\xe1\xc0\x6e\x55\x84\x63\x7c\xee\x00\x5e\xe2\x6c\xeb\xa7\x02\x95\xcb\xa5\x63\x7d\xfc\x98\x21\x14\x8e\xd7\x41\x50\x03\xd5\x18\x36\x84\x23\xae\x70\x8c\xfa\xc6\x38\xf2\xb8\xe1\xd3\xa7\x10\x11\xbd\xa8\x03\xac\xd2\xcf\xa4\x29\xea\x5f\xa0\x45\xfe\x07\x8f\x91\xeb\xe4\x5e\x7d\x51\xd4\x3f\x08\x30\x2d\x5f\x3b\x0c\xcc\x3e\xb7\xdc\x03\x81\x8b\x33\x56\x7e\x86\xf8\xe5\xdc\x40\x45\x15\x69\xa7\x95\x48\x58\xd2\x6d\xf8\x55\x49\x35\x27\x6f\x56\x54\xaf\xec\xf2\x40\xc7\xe8\x6c\x92\xec\xba\x4d\x3f\xf7\x58\x21\x31\x2d\x6a\x3b\x82\xe1\x8c\xc2\x34\xda\x5b\xac\xc2\x86\xef\x09\x24\xce\x23\xbd\x30\x70\x8d\xe5\x81\x32\x57\x4b\x54\x8c\x96\x28\xb5\x2d\x34\x29\x1d\x1c\x4a\x7f\xfd\xfe\x63\xde\x1f\xa9\xb5\xe0\xfa\x6e\x62\xf3\x52\x8a\x80\xc9\xcc\x97\xa7\xc5\x15\x40\x3f\xce\x89\x5a\xb7\x95\x63\x52\x66\xaf\x74\x6d\x89\xd2\xc9\x40\x58\xca\x38\x50\x1d\x86\xb4\xd6\x32\x4d\x0d\xf0\xd9\xc1\xe4\x7b\xbf\x83\x8b\xaa\x20\x6a\xa2\xec\x43\x97\x82\x8e\x99\x2f\xe9\x63\xb2\xe8\x37\x22\x80\x26\x27\x62\x90\x30\x10\x6c\xf2\x0e\xc9\x8e\x24\x51\x47\xc9\x44\x26\x21\x4d\xdf\xb9\x79\x12\x06\x51\xad\xde\x14\xa4\x25\xfe\xf2\x9a\x20\xc0\xcc\x54\x60\x39\x3a\xcb\xdb\xa5\x7b\x3c\x38\x36\x62\
x7e\x6a\x9c\x19\xa2\x34\x43\x12\xa9\xbc\x66\x1b\x76\x02\x85\x41\x5a\x28\x74\xe2\xf2\x18\x7b\x5c\x6d\xbf\x38\xb0\x59\x63\x6f\x9e\xd1\xde\x16\x92\xd3\xb8\x65\x04\xa7\xc1\xb6\x68\xe5\xaa\x0f\x87\xcf\x49\x7f\x0c\xab\x26\x6e\x4d\xb6\x4e\xc6\x46\x55\x80\xbe\x1d\x97\x24\x49\x47\x30\x46\x88\xcb\x35\x76\x49\x0b\x8d\xb0\x86\xb0\x89\x05\x82\x0e\xa9\xd9\x1d\xfc\x8f\x3b\x96\x6a\x9e\x56\x8d\x85\x6a\x9c\xce\x3f\x17\x31\xac\x16\xe4\xcf\x48\x71\x43\x34\xb6\xc7\xac\x35\x97\xfc\xae\x85\xd1\x79\x46\xb0\xae\x28\x99\x84\x5e\x96\x06\x6e\x0a\x64\x83\x85\xc9\x8e\xe5\xc1\x19\x39\x13\x56\xb2\x04\xac\xbd\x4a\x5c\x7c\xc2\xcb\xce\xec\xe0\xf5\x8d\xfb\x73\xfc\x30\xef\x7c\x17\x69\xb4\xf5\x6e\xd1\xb7\x7d\x76\x24\x8b\x0e\xa2\xa6\x6d\xb0\xe5\x21\x7b\x5d\x62\x42\x37\x19\x1a\xbe\x94\x86\xac\x0b\xd3\x2e\x3e\x73\x62\x33\x14\x41\x73\x4a\x8d\xd9\xed\x98\x3b\x92\xbf\x26\x47\x2c\x50\x21\xf8\xbe\xa1\x31\xec\xe4\x7c\x8f\x45\xe6\x8a\x25\xa8\xbe\xb4\x88\x58\x95\xc2\x79\x82\x30\x6d\xaf\xa1\xfa\xc9\x05\xb2\x76\xc2\xf6\x0c\xcd\xca\xbe\x2a\x5b\x32\x5b\x5c\x5d\x84\x82\xf3\x05\x66\x02\x44\xc3\x61\x71\x1f\x0e\xed\x77\x46\xc0\xda\xf9\x9d\xfd\xe3\x6c\xaf\xf2\x94\x05\x11\x82\xc5\xb6\x58\x9f\xc0\x70\x0b\x75\x1f\xb2\xb3\x80\x7f\x0b\xcb\xd2\x77\xa8\x44\xce\x82\xa5\x45\x58\xf5\x5c\xdd\x25\xa3\x0b\x22\x83\xab\xe5\x19\xc8\x27\xb1\x0a\xed\x61\x2f\x8a\xea\x3c\xb7\xac\xa8\xb3\x40\x28\xc0\xb3\x63\xc9\xac\xc5\x2d\xde\xa9\xe0\xc3\x4e\x8a\x5c\x90\x86\x9f\xe6\x0d\x28\x30\x7e\x35\xd3\xe4\x35\x82\xf3\x77\x3d\x46\x66\x9e\x43\x13\xa0\x7b\x12\xe7\xd6\xd5\x01\x43\x6f\x8e\x6f\x4b\xc3\x47\xb2\x91\x94\x14\x4d\x82\xc5\xda\xa9\x73\x0f\xea\x34\x66\xc3\x16\x72\x09\xf0\x96\x97\xda\x03\x4f\x86\xca\x9e\x5a\x7e\x28\xc0\x59\x99\xf4\x16\x1d\xca\x75\x18\x14\x04\x13\x50\x4b\xe2\xaa\x60\xef\x71\xb6\x64\x84\xfc\xa1\xb0\xbb\x11\xaf\xd5\x97\x55\xb9\x78\xdd\x29\x4e\x3d\xa8\x56\x55\xb9\x0f\x05\xbe\x08\x23\xe2\x62\xaa\x69\x3c\x43\xbc\x23\xf4\x94\x8a\x60\x96\xff\xe1\xb5\x8e\x1b\xcd\x65\xb0\xdb\x70\xc6\x2a\x4f\x85\xd7\xdd\x4b\xe6\xcd\xdf\xea\xf1\x38\x38\x14\xa6\x72\
x8b\x4c\x30\x1e\xab\x03\xb9\x50\xba\xc8\x67\x37\x5d\x1b\x6c\x61\xeb\x2f\x7f\xde\x96\x0b\x16\xf5\x94\x83\x79\xe2\x11\x5a\xb5\x40\x13\x56\xdb\x05\xa7\xdc\x30\xa2\x99\x98\x97\xb1\x63\xc7\x3d\x34\x80\x71\x06\xdf\xdc\xf7\xb7\xf9\xb9\xe7\x37\x7f\xc7\x22\x00\x3c\x86\x8c\xa5\xc1\x4a\x0e\x2f\x1d\x19\x40\xec\x6a\xef\xcf\x85\xfe\xd2\x07\x62\x2e\xd3\x81\x20\xc6\xa8\xaa\xd7\xb4\xe9\xe8\x7d\x5e\x4e\x9a\x6a\x55\xc6\xe1\x32\xe9\xe1\xe9\xa3\xa6\x2b\x4f\x7c\x6c\xe0\x09\x3f\x88\x65\x47\xdf\xc4\x8d\xe1\xd2\xe0\xc8\x5b\xf0\x1b\x49\xf9\x92\x41\xa3\x6d\x32\x4c\xdb\xad\xe5\x37\x7d\x5a\xa5\x73\x33\x77\xec\x7e\x97\xb7\xac\x54\x38\x7f\xd2\x93\x91\x31\x9d\x3f\x3b\xbc\xd0\x7b\x28\x70\xb9\x64\x6b\xf2\x83\x5b\x3a\xbb\x51\x21\xdc\x20\xa6\x38\xc6\xd0\xd6\x2b\x0a\x05\xd9\x4a\x5f\x1c\x03\xbf\xf6\xe8\x71\xa8\x4f\x9a\x7d\xef\xa1\x6f\x30\xcb\x8b\x3f\xf5\x7c\xb5\xa9\xb8\x95\x8b\x59\x21\x19\xcb\x0c\x80\x25\x13\xc1\x4a\xec\x2d\x27\xcf\xff\xbf\xb4\xe6\xa2\xa8\x40\xf8\xb0\xd7\x46\xa8\x3f\xa8\xbd\x22\x70\x21\xb0\x38\xf5\x0c\x41\x1f\x79\x22\xfb\x38\xec\x89\xf5\x1d\x71\xb7\xd3\xd9\xe2\x41\xdb\x1b\xe1\xb4\x50\x7e\x5b\x68\xfa\x1e\xe8\x9c\x21\x27\x44\x5e\x5d\x6e\xd4\xe7\x43\x3d\xe7\xbf\x4d\x72\xb7\xf7\xb1\xc9\xaa\x7c\x40\x8e\x4c\x10\x50\xce\x17\x74\x27\x98\x4f\x50\x35\xb5\x1e\x3a\xd5\x2b\x56\xd8\xaa\xf3\x8e\x56\x79\x30\xa7\x11\xc8\xdc\x34\x88\xff\xcd\xc1\xa5\x6f\xe1\xb4\xc5\xdf\x22\x67\x3b\xcc\x3e\x9c\xcd\xbb\x3a\xb6\x70\xa2\x45\x47\xf5\xde\xd4\x2d\xec\xfd\xdd\x52\x21\x04\x07\x5c\x37\xdd\xed\xe4\x60\x92\x5d\xcb\xc6\xe5\xef\x20\x60\x28\xaa\x7e\xa0\xc8\x4d\x60\xd9\x90\xfc\xd4\x8d\x76\xc9\xa4\x7b\xe6\x81\x92\x50\xd4\xd1\x0f\xce\xfc\x7a\x12\x4c\x6f\x3f\xaa\xf5\x1f\x7b\x67\xdc\xc2\xb3\x9a\xcf\x11\x9c\x8f\x89\xb9\x3b\x58\x39\x52\x47\xfa\x45\x9c\x1f\xfe\x6f\xc5\xa7\x0c\x32\xd5\x19\x6d\xa5\x93\xb3\x36\xbe\x04\x67\x16\x4e\xbb\xc9\x86\xfc\x14\x5b\x32\xbb\x91\xa4\xc0\x58\x88\x4c\x82\xf5\xca\xcd\xa6\x2a\x43\x12\xbb\x35\x07\x0e\x74\xde\x2b\xba\x07\x64\x8b\x7e\xb9\xd9\xfa\xe8\x91\x64\x8f\x54\x32\xb6\xa7\xd5\x98\x6e\xf2\x02\x78\
x72\xcf\x9e\x1a\x08\x6c\x57\x6a\xba\xc8\xdc\x40\x1a\xab\x0d\xa9\x3a\xbf\x0a\xb7\x1e\xcd\x9b\xb9\x6e\x39\x18\x03\x62\xa1\x0a\x21\x85\x07\x1e\xbb\x8c\xa2\xca\x8d\x97\x19\xd4\x7b\xfc\x18\xb6\x2f\x97\x71\xb9\x7d\xfe\xd7\x3b\x98\x23\x25\xeb\x94\x3d\x78\x5c\x78\x75\x00\xd5\xac\x0d\x26\xa9\xca\x90\xcc\x73\xc2\xac\xfe\x87\x2f\x4e\x32\xeb\x44\x39\x08\x3b\xdb\x32\x49\x70\x1d\xdd\xdb\x50\x0d\xf3\xf8\x96\xbb\x1f\x7a\x37\x06\xd6\x4b\xe1\x6d\x00\xf6\xfd\xcd\x6b\xf4\x1d\xf8\x65\x35\xf2\x98\xd2\xdd\x04\x31\x77\x74\xbd\x6b\x39\x03\xf3\x71\xd5\x9b\xe7\x19\xb7\xec\x1d\x00\x3b\x3c\x97\x05\xa8\xf7\x88\x89\xb8\xf7\xda\x0d\x46\xde\xfd\xce\xd2\xdf\x70\xd8\xcb\x45\x70\x82\x8b\xb2\x65\x49\xb5\x50\x11\x58\x9c\x73\xbe\xc4\x20\x7c\x8d\x59\xeb\xe1\x89\x6b\x37\x61\xc1\x85\xa1\x32", 4096); *(uint32_t*)0x20006c44 = 0x1000; *(uint32_t*)0x20006c48 = 0x8001; *(uint32_t*)0x20006c4c = 0x200066c0; memcpy((void*)0x200066c0, "\x31\xe3\xc3\xfa\x6d\x99", 6); *(uint32_t*)0x20006c50 = 6; *(uint32_t*)0x20006c54 = 0x3ff; *(uint32_t*)0x20006c58 = 0x20006700; memcpy((void*)0x20006700, "\x39\xde\x86\x3b\x71\x48\x20\x8e\x43\x2f\xcd\xdb\xd9\xe9\x14\x8e\x71\x6c\x1b\x48\xa3\x96\x7c\x87\x0c\x70\x14\x5d\x90\xed\x68\x1b\x3f\x8b\xce\x84\x9f\xee\x7f\x50\x09\x15\x70\x85\x4e\x20\x10\x37\x23\xe5\x64\x54\xe7\x11\x54\x3f\x6e\x2b\xe9\x2c\x34\x09\x0d\x8c\xc7\x92\x26\x0b\xe9\xb9\x60\xc1\xe4", 73); *(uint32_t*)0x20006c5c = 0x49; *(uint32_t*)0x20006c60 = 9; *(uint32_t*)0x20006c64 = 0x20006780; memcpy((void*)0x20006780, 
"\x17\xfa\xd5\x71\xf8\x0f\xec\xd3\x4a\x59\xbc\x03\xf6\xc0\x2b\xbd\x6d\x56\xcd\x8d\x95\x89\x24\xb4\xae\x41\x89\xb8\x8b\x85\x89\x7e\xfd\x4e\x59\x6e\x11\x18\xbb\x0c\x77\x1c\x2c\x5b\xa3\x7d\xed\x06\xd7\x81\x11\x39\x0c\x1c\x80\xcf\x6e\xa9\xdf\x87\x27\xf8\x85\x59\x81\x5e\xd7\x6b\x36\xfa\x13\xfb\x4d\x08\xe1\xcc\xda\xd7\x97\x3b\x5b\xec\x56\x55\xa7\x4a\x67\x1f\xde\x99\xee\x92\x39\x7c\x56\xd4\x09\xda\xdb\x10\xc4\xc3\x7e\xe9\x2c\xb4\x1d\x03\xae\x6f\xb1\x64\xe7\xf8\x69\x85\x03\x91\x28\xd3\x8b\xe8\x3b\x5e\x16\xc3\x5e\xe3\x4e\xb2\xb8\x39\x6c\x53\x48\x02\x87\x81\xa0\xa8\x79\xf8\x81\x59\x74\x0a\xb8\x97\x05\xd6\x37\xbe\xda\xfa\x91\x5f\x19\x5a\x15\x25\x97\xfa\x0d\x7d\xa9\xb7\x64\x76\x60\x2c\x6e\xee\xfc\xa1\xe8\x0a\x6d\x3d\x0e\xd1\xa7\x5b\x00\xf7\xa5\xe1\x53\xdd\x85\x1e\x23\x01\xc8\xda\xa7\xd4\x9b\x4a\xd9\x1c\x62\xd1\xa6\x96\x7f\x54\xcf\x96\x21\xc2\x40\xed\x58\x71\x92\xf6\x99\x59\xe0\x54\x07\x85\x0c\xe3\x83\x1c\x4e\x81\x1e\x6f\xff\x1c\xdf\x93\xcf\xab\xde\x88\x73\x58\x31\x68\x81\x84\x53\x56\xd7", 247); *(uint32_t*)0x20006c68 = 0xf7; *(uint32_t*)0x20006c6c = 0x26; *(uint32_t*)0x20006c70 = 0x20006880; memcpy((void*)0x20006880, "\xc2\x86\x96\x8e\x22\x38\x74\x2a\x47\xe0\xe8\xd4\x44\xa6\xa6\x61\xb7\x70\x82\x22\xf4\xed\xda\xb9\x7a\x74\x9d\xce\xbe\x2c\xc8\x3a\x31\x4b\x82\x87\x95\xf9\x15\xa3\x6d\x87\x3b\x71\x4a\xef\x15\xdd\xb1\xb4\xf6\x2f\x06\x80\x0b\xbe\x85\xea\xeb\xcb\x76\xab\xe9\x44\x71\x92\x49\xee\x79\x27\xc8\x8e\x78\xa9\x68\xe9\x3f\x45\xc5\x20\x13\xef\x97\xef\x6f\x98\x9b\x1d\x1c\xd3\x0f\xff\x88\x67\x79\x62\xc8\xf3\x05\x2a\xd0\xa4\x63\x1e\x4e\x75\x0b\xa8\x0f\x37\x53\x91\x6c\x2d\xff\xc6\xa4\x02\x3c\xdb\x62\xa1\xb5\xf2\xaf\xbb\x96\x5b\x2f\x78\xc5\xdd\x47\xaf\x90\xb0\x02\xda\x1a\x26\xa2\x4f\xcb\x99\xbf\x81\xfb\x29\x57\x4a\x2f\x98\x10\x7a\x79\x37\x63\x98\x73\xb9\x5f\x4a\x56\x9a\x04\x06\xcc\x35\x8b\x46\xef\xae\x58\x7e\x90\x08\xbe\x69\xd7\x11\xae\x20\x2c\x22\xe2\x9a\x2f\x61\x5f\xd2\x3d\xcf", 192); *(uint32_t*)0x20006c74 = 0xc0; *(uint32_t*)0x20006c78 = 0; *(uint32_t*)0x20006c7c = 0x20006940; 
memcpy((void*)0x20006940, "\x97\xfc\x4d\xd9\xdb\x67\x3e\x16\xfd\x0f\x0e\xb9\xa4\xa2\x6e\x2a\x49\xf4\x2e\x16\x16\x19\x0b\x06\x34\xdf\xd6\x13\x51\x45\xf4\xe4\x51\xbb\xba\xd5\x6d\xad\xf2\x66\x96\x4e\xba\x7d\x10\x07\xc0\xa2\x3f\x8c\xf0\x3d\x4f\x8f\xe0\x9a\x79\x89\x15\x2b\x7c\xf2\xec\x30\xf2\x69\x3a\x06\xbe\xfd\xf0\x23\xd7\x9f\x48\xc2\x08\xd7\x42\xc7\xb7\x59\x15\xbc\xc1\xbe\x58\x35\x17\xce\xd3\xb8\x26\xb9\x70\x75\xe6\x2a\x8e\xd1\x2d\xbb\x26\x48\x07\xc6\xff\xd0\x22\x76\x14\x49\x1f\xb9\xde\x0d\x8a\x92\x5a\x26\x38\xc3\x16\x08\xde\x40\x5b\xbf\x79\xe9\x6f\x17\x1f\xd5\x83\x38\xb1\xd6\x97\x9d\x33\xa7\xda\xe8\xad\x62\xf2\xba\x53\xfe\xfc\x3c", 152); *(uint32_t*)0x20006c80 = 0x98; *(uint32_t*)0x20006c84 = 0x20; *(uint32_t*)0x20006c88 = 0x20006a00; memcpy((void*)0x20006a00, "\x77\xd8\xd6\x06\xbf\xb4\x24\xe7\xb9\x95\x80\x9a\xb4\xf5\x59\x11\x5f\xd8\x2e\x97\x2d\x98\xb6\x51\xdf\xc6\x9b\x10\xdf\x60\x0f\xb4\xf7\x8e\xfd\x58\x6f\x9c\xc2\x6e\xdc\x41\xb1\xd2\xfa\xc8\x7e\xfe\x59\xe2\x62\x41\x1f\x27\xa9\x4c\xf7\x96\xed\x31\x23\x6b\x45\x7c\xa0\xf1\x47\x53\x0e\xfb\xd4\xcf\xa6\xb6\xa0\xfe\xe4\x6c\x25\xab\xcf\x7a\xd8\x28\x2a\xae\x52\x99\xe2\x99\x79\x9c\xd5\x2d\x0a\x58\xd7\xff\x9d\xdd\xd0\x10\x37\x24\xc8\x8d\xa9\x2d\xbe\xfa\xb6\x24\x80\x38\xab\xef\x9e\xc5\x22\x64\xaf\xc7\x48\x25\xf7\xea\x70\xb2\xca\x95\xd6\x90\x0f\x9b\x64\x7a\x3f\x98\x6e\x18\x28\x7c\xb2\xbf\x4b\x4c\x19\xef\xc8\xc2\x18\xfd\x90\x5c\x37\x27\xc8\x6c\x37\x02\x6b\xfb\xde\x3a\xf0\x78\xeb\x07\xb7\x98\xe6\xd3\xd8\xf2\xe4\xd5\xd3\xbc\x18\x8c\xdd\x20\xf2\xeb\xb1\x46\x1c\x5e\x53\xb0\x5f\x29\x89\xff\xac\x3b\x16\x8d\xee\x56\xda\x0f\xc0\x11\x97\x4c\x66\x0e\x40\x0a\xe2\xd8\xb2\xc8\x0a\xcb\x23\x15\x81\xee\x91\x76\x31\x29\xb2\x88\x8a\xeb\x12", 229); *(uint32_t*)0x20006c8c = 0xe5; *(uint32_t*)0x20006c90 = 0x800; *(uint32_t*)0x20006c94 = 0x20006b00; memcpy((void*)0x20006b00, "\x56\x0c\x1b\xea\x71\xb0\xf9\x72\x44\xfa\x38\x6d\x26\xbf\x6b\x1b\x04\x30\x8e\x4b\xc7\xff\xfa", 23); *(uint32_t*)0x20006c98 = 0x17; *(uint32_t*)0x20006c9c = 0x80000001; 
*(uint32_t*)0x20006ca0 = 0x20006b40; memcpy((void*)0x20006b40, "\x14\xe5\x5a\x14\xa7\x95\x33\x87\xee\x55\x33\x3c\x1d\x16\x94\xca\x98\xc7\x99\x9b\x49\x78\x86\x42\x76\x68\x05\xd6\xf5\xa2\x90\xeb\x1e\x95\x9e\xe3\x5a\x74\x04\x59\xe1\x33\x00\x26\x2f\x2a\xf9\xc3\x57\xf7\xa8\xc1\xcb\xa1\x87\xe4\x48\xbc\x3c\x8f\x86\x5c\xc9\xbe\x88\x62\x4f\xb0\xf0\xd0\xbb\x88\x5d\x9c\xc2\xab\xe1\x71\xa2\x47\x8a\x74\x20\xdb\x22\xe8\x60\x7e\x3f\xbe\xc7\xe2\x60\x1d\x9e\x11\x08\x6c\xfa\x8c\xf1\x4d\x99\x67\x6b\x67\x9d\x8d\x6b\xf1\xdd\x4f\xaa\xb8\xfe\x9a\x5f\x4e\x3f\x69\x5f\xe2\xe6\xab\xf0\x9f\x70\x26\x83\x80\x2d\x44\xcc\x3a\x29\x82\x55\xc4\xc5\x95\x33\x73\x1f\xf5\xb2\x3e\x05\x3a\xfb\x71\x6d\x58\xca\xd6\x67\x68\x6e\xe6\x47\xf4\x8e\x19\x9c\x9b\x5c\x3d\x0d\x2d\x47\x0f\x2c\xe1\xc5\xb8\xb5\x70\x8a\xe0\x23\xad\x98\x80\xca\xf3\x1d\x01\xf9\x6a\xeb\xbf\xcc\x7d\xf9\x53\x58\xa0\x16\xc5\x47\x1c\xc2\xce\x2c\xed\x61\x05\x05\x7c\x9d\x22\xc8\x16\x78\x90\xca\x19", 216); *(uint32_t*)0x20006ca4 = 0xd8; *(uint32_t*)0x20006ca8 = 0x400; syz_read_part_table(9, 9, 0x20006c40); *(uint8_t*)0x20006cc0 = 0x12; *(uint8_t*)0x20006cc1 = 1; *(uint16_t*)0x20006cc2 = 0x200; *(uint8_t*)0x20006cc4 = 0x62; *(uint8_t*)0x20006cc5 = 0xa5; *(uint8_t*)0x20006cc6 = 0xbe; *(uint8_t*)0x20006cc7 = 0x10; *(uint16_t*)0x20006cc8 = 0x2833; *(uint16_t*)0x20006cca = 0x211; *(uint16_t*)0x20006ccc = 0x37a4; *(uint8_t*)0x20006cce = 1; *(uint8_t*)0x20006ccf = 2; *(uint8_t*)0x20006cd0 = 3; *(uint8_t*)0x20006cd1 = 1; *(uint8_t*)0x20006cd2 = 9; *(uint8_t*)0x20006cd3 = 2; *(uint16_t*)0x20006cd4 = 0x6b4; *(uint8_t*)0x20006cd6 = 1; *(uint8_t*)0x20006cd7 = 0x20; *(uint8_t*)0x20006cd8 = 0; *(uint8_t*)0x20006cd9 = 0xa0; *(uint8_t*)0x20006cda = 1; *(uint8_t*)0x20006cdb = 9; *(uint8_t*)0x20006cdc = 4; *(uint8_t*)0x20006cdd = 0xdf; *(uint8_t*)0x20006cde = 0; *(uint8_t*)0x20006cdf = 0x10; *(uint8_t*)0x20006ce0 = -1; *(uint8_t*)0x20006ce1 = 1; *(uint8_t*)0x20006ce2 = 0; *(uint8_t*)0x20006ce3 = 5; *(uint8_t*)0x20006ce4 = 7; *(uint8_t*)0x20006ce5 = 0x24; 
*(uint8_t*)0x20006ce6 = 1; *(uint8_t*)0x20006ce7 = 1; *(uint8_t*)0x20006ce8 = 1; *(uint16_t*)0x20006ce9 = 1; *(uint8_t*)0x20006ceb = 9; *(uint8_t*)0x20006cec = 0x24; *(uint8_t*)0x20006ced = 6; *(uint8_t*)0x20006cee = 0; *(uint8_t*)0x20006cef = 0; memcpy((void*)0x20006cf0, "\xfd\x50\x65\x08", 4); *(uint8_t*)0x20006cf4 = 5; *(uint8_t*)0x20006cf5 = 0x24; *(uint8_t*)0x20006cf6 = 0; *(uint16_t*)0x20006cf7 = 3; *(uint8_t*)0x20006cf9 = 0xd; *(uint8_t*)0x20006cfa = 0x24; *(uint8_t*)0x20006cfb = 0xf; *(uint8_t*)0x20006cfc = 1; *(uint32_t*)0x20006cfd = 0x40000000; *(uint16_t*)0x20006d01 = 8; *(uint16_t*)0x20006d03 = 0x4cc5; *(uint8_t*)0x20006d05 = 0x7f; *(uint8_t*)0x20006d06 = 7; *(uint8_t*)0x20006d07 = 0x24; *(uint8_t*)0x20006d08 = 0xa; *(uint8_t*)0x20006d09 = 8; *(uint8_t*)0x20006d0a = 0x3f; *(uint8_t*)0x20006d0b = 0; *(uint8_t*)0x20006d0c = 0x81; *(uint8_t*)0x20006d0d = 0x10; *(uint8_t*)0x20006d0e = 0x24; *(uint8_t*)0x20006d0f = 7; *(uint8_t*)0x20006d10 = 0x80; *(uint16_t*)0x20006d11 = 5; *(uint16_t*)0x20006d13 = 0x44; *(uint16_t*)0x20006d15 = 2; *(uint16_t*)0x20006d17 = 0x800; *(uint16_t*)0x20006d19 = 0x101; *(uint16_t*)0x20006d1b = 4; *(uint8_t*)0x20006d1d = 4; *(uint8_t*)0x20006d1e = 0x24; *(uint8_t*)0x20006d1f = 2; *(uint8_t*)0x20006d20 = 4; *(uint8_t*)0x20006d21 = 8; *(uint8_t*)0x20006d22 = 0x24; *(uint8_t*)0x20006d23 = 0x1c; *(uint16_t*)0x20006d24 = 0; *(uint8_t*)0x20006d26 = 0xc0; *(uint16_t*)0x20006d27 = 0x5325; *(uint8_t*)0x20006d29 = 6; *(uint8_t*)0x20006d2a = 0x24; *(uint8_t*)0x20006d2b = 0x1a; *(uint16_t*)0x20006d2c = 0x7f; *(uint8_t*)0x20006d2e = 0; *(uint8_t*)0x20006d2f = 9; *(uint8_t*)0x20006d30 = 5; *(uint8_t*)0x20006d31 = 5; *(uint8_t*)0x20006d32 = 0; *(uint16_t*)0x20006d33 = 0xb5a2; *(uint8_t*)0x20006d35 = 6; *(uint8_t*)0x20006d36 = 0; *(uint8_t*)0x20006d37 = 5; *(uint8_t*)0x20006d38 = 7; *(uint8_t*)0x20006d39 = 0x25; *(uint8_t*)0x20006d3a = 1; *(uint8_t*)0x20006d3b = 0x82; *(uint8_t*)0x20006d3c = 0xe9; *(uint16_t*)0x20006d3d = 0xf000; 
*(uint8_t*)0x20006d3f = 9; *(uint8_t*)0x20006d40 = 5; *(uint8_t*)0x20006d41 = 0xe; *(uint8_t*)0x20006d42 = 2; *(uint16_t*)0x20006d43 = 0x200; *(uint8_t*)0x20006d45 = 8; *(uint8_t*)0x20006d46 = 7; *(uint8_t*)0x20006d47 = 0x40; *(uint8_t*)0x20006d48 = 9; *(uint8_t*)0x20006d49 = 5; *(uint8_t*)0x20006d4a = 0; *(uint8_t*)0x20006d4b = 0x7e; *(uint16_t*)0x20006d4c = 0x200; *(uint8_t*)0x20006d4e = 8; *(uint8_t*)0x20006d4f = 3; *(uint8_t*)0x20006d50 = 1; *(uint8_t*)0x20006d51 = 0x9b; *(uint8_t*)0x20006d52 = 0x21; memcpy((void*)0x20006d53, "\xf2\xef\x0a\x5c\x06\x9c\xdb\x31\x91\x38\xe1\x85\x06\x1d\x7e\x19\x6a\xe9\x4e\x53\x5d\x80\xf2\x76\x66\xfb\xa2\x3b\x37\x43\x25\xf1\x5d\xc5\xf2\x08\x12\xfe\x05\xb0\x62\x0f\x6f\xfc\xb8\x10\x03\xb1\xf3\x9c\x5d\xcd\x1b\xff\x14\xe2\xbb\xeb\x38\x73\x35\xa3\x53\x4f\x5a\xdb\x60\xff\xc4\xf2\x85\x95\xc8\xf9\x92\xf7\x7f\xd5\xf6\x7a\x04\x84\x2b\x9c\x43\x64\xe3\x55\x6b\xe9\xba\xcb\x8f\xd5\x6e\xd7\x78\x59\x29\x11\x53\xf6\xc5\x66\x02\x63\x63\xbf\xa5\xf2\xe6\xff\x2f\xa6\xd2\x93\x17\xf2\xd5\x62\x44\x53\x64\x93\x99\x15\xa7\x5d\xd7\x36\x5f\x6a\xb9\xc1\x5d\xdb\xc7\xc3\xa4\x5f\x7e\xb9\x8f\xd1\xfe\xa3\x55\x1b\xbd\x46\xf2\x0a\x87", 153); *(uint8_t*)0x20006dec = 9; *(uint8_t*)0x20006ded = 5; *(uint8_t*)0x20006dee = 0x80; *(uint8_t*)0x20006def = 1; *(uint16_t*)0x20006df0 = 0x3ff; *(uint8_t*)0x20006df2 = 1; *(uint8_t*)0x20006df3 = 0x20; *(uint8_t*)0x20006df4 = 0xef; *(uint8_t*)0x20006df5 = 0xec; *(uint8_t*)0x20006df6 = 6; memcpy((void*)0x20006df7, 
"\xf6\x42\x24\x6a\x53\x72\x99\x1d\xb9\x7e\x58\x24\xa4\x10\xe2\x83\x00\xd3\xbd\x15\x36\x38\xf6\xda\xc6\xe1\x18\x9a\x0c\x56\x0a\x0a\x0e\x5f\x8b\x15\xe0\x78\x79\xac\x95\x01\x65\x15\x20\x26\x46\xa7\xb5\xb5\xfc\x74\xb7\xcd\x40\xd5\x15\xb2\x84\x9d\x8c\x1d\xd9\xae\x4f\xca\x16\xc2\xe6\xcf\x0e\x8a\x20\xce\x54\xf0\x5f\xa1\x23\xc0\x19\x20\x8c\xb3\x4b\x5e\xe5\x61\xc2\x74\xea\x40\xa7\xb3\x4e\x58\x13\xa4\xa2\x9b\xe4\x08\x17\xeb\x1f\x7b\x3e\x9b\xef\x60\xf7\xc5\x66\x57\x48\x12\x36\xb9\x3e\x2c\x29\x7f\x17\xc7\x76\xb9\x8f\x1d\x0c\x8f\x2a\x56\x44\x77\x66\xc7\x28\x8b\xa6\xb1\xe3\x85\xb8\x4a\x51\x6a\x98\xab\x72\x9b\xa7\x0e\x31\xfe\xe3\xaa\xb1\x01\xd5\x90\xa4\x48\x1a\xe5\x85\x63\x26\xc6\x82\x5b\x73\xc7\xae\x7d\x3b\x99\xcb\x3c\x59\xdb\x31\xa1\x27\x26\x23\x4b\x90\x05\x84\xe8\xdb\x77\x93\x52\x18\x8d\x12\xc9\x32\xd4\xaa\xcb\x59\xee\xf3\x3d\x33\xb9\x55\x05\x10\xcf\x2b\x49\xda\x74\x7e\x03\x1c\x83\x11\x7b\x51\x1a\x1b\xb9\x3e\xd7\x6c\x71\x6e\x6a\x02\x54", 234); *(uint8_t*)0x20006ee1 = 7; *(uint8_t*)0x20006ee2 = 0x25; *(uint8_t*)0x20006ee3 = 1; *(uint8_t*)0x20006ee4 = 0; *(uint8_t*)0x20006ee5 = 6; *(uint16_t*)0x20006ee6 = 0x40; *(uint8_t*)0x20006ee8 = 9; *(uint8_t*)0x20006ee9 = 5; *(uint8_t*)0x20006eea = 1; *(uint8_t*)0x20006eeb = 0; *(uint16_t*)0x20006eec = 0x100; *(uint8_t*)0x20006eee = 0xfe; *(uint8_t*)0x20006eef = 8; *(uint8_t*)0x20006ef0 = 0x37; *(uint8_t*)0x20006ef1 = 0xe9; *(uint8_t*)0x20006ef2 = 0x23; memcpy((void*)0x20006ef3, 
"\x1a\x0e\x35\x42\x85\x7d\x49\xea\x63\xb7\x26\x1e\xbf\xc1\x9f\x14\x27\x2e\x28\x4d\x26\x65\xd2\x79\x5e\x43\xf6\xf9\xca\x62\x77\x6c\x9e\xe5\x2d\x99\x18\x79\xd7\xd6\x7b\x4d\x8b\x27\x0f\xd5\x15\x98\xbe\xac\x1c\x03\x39\xb2\x25\x7a\xd6\x8c\x1d\xde\x54\x88\x5a\xe2\xd2\x19\xb8\x7c\xde\x15\x9a\x98\x97\xc8\x8b\xda\x26\xe0\x8a\x36\x91\x05\x50\x22\x73\x9c\x1f\xe6\x4a\xdb\x98\x63\x9d\xc2\x54\x21\xc4\x49\xcf\x36\x48\x00\xc4\xc3\x65\x06\x2f\x24\x88\xe6\x90\x1e\x56\xe6\x2f\x4b\x70\x3e\xae\x7a\xf2\x62\x98\xa1\xee\xe1\xbf\xe6\x2d\x9b\x2a\xe3\x53\x20\xae\x2b\xaf\x17\x4e\x94\xff\x55\x32\x10\x97\xbe\x81\xe0\x27\x9f\x5d\x0a\xa8\x4d\xd1\x8c\xa0\x86\x4d\x98\xd0\xed\xbb\xea\xa1\x9d\xdf\x36\x26\xfd\x83\xa2\xe2\xb5\xf6\x76\xa7\x34\xd4\x78\x4b\x3c\x68\x77\xfd\x1b\xb3\xc9\x54\x3d\xf7\xab\xda\x9b\xd9\xc9\xbe\x40\x59\x49\x74\x7e\x21\x07\x3c\x18\x95\x7f\xff\x0e\xaa\xc0\x27\x3c\xfd\x3f\x70\x2c\xb6\x55\x97\x94\x9a\x17\x27\x26\xf7\xe4\x59\x53\x6c", 231); *(uint8_t*)0x20006fda = 0x18; *(uint8_t*)0x20006fdb = 0x10; memcpy((void*)0x20006fdc, "\xa0\x28\x90\x17\xf3\xf4\x33\xf1\x10\x59\x48\x9a\x61\x11\x58\x23\xe1\x13\x8a\xe8\x4a\x34", 22); *(uint8_t*)0x20006ff2 = 9; *(uint8_t*)0x20006ff3 = 5; *(uint8_t*)0x20006ff4 = 0xe; *(uint8_t*)0x20006ff5 = 4; *(uint16_t*)0x20006ff6 = 0x10; *(uint8_t*)0x20006ff8 = 0x67; *(uint8_t*)0x20006ff9 = 3; *(uint8_t*)0x20006ffa = 8; *(uint8_t*)0x20006ffb = 7; *(uint8_t*)0x20006ffc = 0x25; *(uint8_t*)0x20006ffd = 1; *(uint8_t*)0x20006ffe = 1; *(uint8_t*)0x20006fff = 0x80; *(uint16_t*)0x20007000 = 0x2e6; *(uint8_t*)0x20007002 = 9; *(uint8_t*)0x20007003 = 5; *(uint8_t*)0x20007004 = 0xd; *(uint8_t*)0x20007005 = 4; *(uint16_t*)0x20007006 = 0x200; *(uint8_t*)0x20007008 = 0x48; *(uint8_t*)0x20007009 = 0x35; *(uint8_t*)0x2000700a = 8; *(uint8_t*)0x2000700b = 0xe5; *(uint8_t*)0x2000700c = 5; memcpy((void*)0x2000700d, 
"\x30\xef\xe9\xc1\xa6\xe5\xc8\x9c\x20\x31\x21\x4c\x60\xfb\xbe\xaa\x45\x78\x09\x1e\x38\x00\x9c\x76\x1d\x15\x77\x48\x02\x93\x4c\xfd\x36\x35\x5b\x35\x18\xcc\xfe\x59\xfa\x5e\x7c\xce\xe3\xc1\x3a\xc4\xaf\xfb\xe0\x73\xe0\xe7\x88\xc9\xb5\xe3\x22\x16\xef\xbf\x02\xe3\x58\x69\xd7\xb2\x33\xa3\x89\xf8\x12\xbf\xd8\x49\x43\x3c\x32\x84\x66\xed\xa5\xe0\xe3\x23\x75\x29\xcd\xc6\x5e\x4e\xee\x74\x3d\x31\xff\xc1\x86\xa1\xfe\x79\x4b\xdf\x13\x64\xf3\x1e\xae\xff\x39\x82\x9e\x8f\x61\x44\x85\x0d\x74\x70\xcc\x71\x57\x2d\x1f\x2f\x23\xdc\xcd\xbc\xdd\x99\xe4\x93\x0d\xe7\xed\xbf\x59\xb3\x38\xdb\x34\x90\x30\x5f\xd7\x71\x02\x57\x98\x0b\x7f\x76\xb8\xda\xea\xcb\x2a\xd6\x18\x13\x1f\xb9\xb5\xa3\xe0\x26\xc9\xdd\xbd\x69\x48\x3c\xd7\x94\xca\xad\x29\xf2\xe3\xb6\x31\x24\xa9\x52\xb4\x62\xde\x0c\xd9\x51\xd7\xef\xd9\xb3\xb2\x91\x07\xb6\x41\x41\x7e\x77\x83\xd9\x01\x59\x13\x7f\xa5\x27\x3a\x95\xe0\xcc\x46\xc9\x7c\x22\x46\xe6\x11\xac\xb1\x4b\x4d", 227); *(uint8_t*)0x200070f0 = 9; *(uint8_t*)0x200070f1 = 5; *(uint8_t*)0x200070f2 = 3; *(uint8_t*)0x200070f3 = 0x10; *(uint16_t*)0x200070f4 = 8; *(uint8_t*)0x200070f6 = 0; *(uint8_t*)0x200070f7 = 0x33; *(uint8_t*)0x200070f8 = 9; *(uint8_t*)0x200070f9 = 9; *(uint8_t*)0x200070fa = 5; *(uint8_t*)0x200070fb = 2; *(uint8_t*)0x200070fc = 0xc; *(uint16_t*)0x200070fd = 0x400; *(uint8_t*)0x200070ff = 0xed; *(uint8_t*)0x20007100 = 7; *(uint8_t*)0x20007101 = 9; *(uint8_t*)0x20007102 = 0x84; *(uint8_t*)0x20007103 = 0x31; memcpy((void*)0x20007104, "\xee\x4c\xd2\x19\x15\x4d\xf4\x91\xc4\xd3\x2a\xa3\x21\x12\xcf\xf4\x07\x51\x1b\x06\xb1\x7f\x74\x34\x09\xec\xc2\x16\xc3\x1e\x92\xce\xfa\x2b\x5c\xc5\x9e\x63\x4d\x7a\xeb\xa2\xc9\xe5\xe3\x6d\x8e\xfa\xdc\x02\x55\x17\x25\x18\xf9\x09\xb4\xe1\xa7\xda\xf4\xd9\x88\xb1\xee\xaf\x19\x6c\x76\xee\x90\x2b\x65\x7d\x12\xfc\x23\xc2\x1e\x17\x6c\xd1\x49\xe9\x8a\x8d\x8d\x57\x55\xb7\x4f\xed\x1a\x42\x84\xbc\xfd\x6e\x69\x61\x95\x1f\xf8\x21\x6f\x7b\xb4\x2f\x79\x0e\xdd\x53\x9c\x1b\xc5\xbb\xac\x44\xf7\x67\xa6\x85\xc5\x7c\xbb\xde\xc8\x30\xc5\x2c", 130); 
*(uint8_t*)0x20007186 = 7; *(uint8_t*)0x20007187 = 0x25; *(uint8_t*)0x20007188 = 1; *(uint8_t*)0x20007189 = 0x83; *(uint8_t*)0x2000718a = 1; *(uint16_t*)0x2000718b = 0xfe01; *(uint8_t*)0x2000718d = 9; *(uint8_t*)0x2000718e = 5; *(uint8_t*)0x2000718f = 3; *(uint8_t*)0x20007190 = 0; *(uint16_t*)0x20007191 = 0x40; *(uint8_t*)0x20007193 = 2; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 9; *(uint8_t*)0x20007197 = 5; *(uint8_t*)0x20007198 = 0; *(uint8_t*)0x20007199 = 0; *(uint16_t*)0x2000719a = 0x400; *(uint8_t*)0x2000719c = 0; *(uint8_t*)0x2000719d = 0x2f; *(uint8_t*)0x2000719e = 4; *(uint8_t*)0x2000719f = 9; *(uint8_t*)0x200071a0 = 5; *(uint8_t*)0x200071a1 = 0x8f; *(uint8_t*)0x200071a2 = 8; *(uint16_t*)0x200071a3 = 8; *(uint8_t*)0x200071a5 = 0x81; *(uint8_t*)0x200071a6 = 1; *(uint8_t*)0x200071a7 = 0x7f; *(uint8_t*)0x200071a8 = 7; *(uint8_t*)0x200071a9 = 0x25; *(uint8_t*)0x200071aa = 1; *(uint8_t*)0x200071ab = 0; *(uint8_t*)0x200071ac = 9; *(uint16_t*)0x200071ad = 0xfb; *(uint8_t*)0x200071af = 7; *(uint8_t*)0x200071b0 = 0x25; *(uint8_t*)0x200071b1 = 1; *(uint8_t*)0x200071b2 = 0x81; *(uint8_t*)0x200071b3 = 7; *(uint16_t*)0x200071b4 = 3; *(uint8_t*)0x200071b6 = 9; *(uint8_t*)0x200071b7 = 5; *(uint8_t*)0x200071b8 = 2; *(uint8_t*)0x200071b9 = 0; *(uint16_t*)0x200071ba = 0x400; *(uint8_t*)0x200071bc = 0x40; *(uint8_t*)0x200071bd = 0x76; *(uint8_t*)0x200071be = 3; *(uint8_t*)0x200071bf = 7; *(uint8_t*)0x200071c0 = 0x25; *(uint8_t*)0x200071c1 = 1; *(uint8_t*)0x200071c2 = 0x80; *(uint8_t*)0x200071c3 = 0x31; *(uint16_t*)0x200071c4 = 8; *(uint8_t*)0x200071c6 = 9; *(uint8_t*)0x200071c7 = 5; *(uint8_t*)0x200071c8 = 0xf; *(uint8_t*)0x200071c9 = 0x10; *(uint16_t*)0x200071ca = 0x3ff; *(uint8_t*)0x200071cc = 6; *(uint8_t*)0x200071cd = 0xb2; *(uint8_t*)0x200071ce = 6; *(uint8_t*)0x200071cf = 7; *(uint8_t*)0x200071d0 = 0x25; *(uint8_t*)0x200071d1 = 1; *(uint8_t*)0x200071d2 = 0x82; *(uint8_t*)0x200071d3 = 0x80; *(uint16_t*)0x200071d4 = 6; 
*(uint8_t*)0x200071d6 = 9; *(uint8_t*)0x200071d7 = 5; *(uint8_t*)0x200071d8 = 0xf; *(uint8_t*)0x200071d9 = 0x10; *(uint16_t*)0x200071da = 0x200; *(uint8_t*)0x200071dc = 6; *(uint8_t*)0x200071dd = 6; *(uint8_t*)0x200071de = 0xca; *(uint8_t*)0x200071df = 7; *(uint8_t*)0x200071e0 = 0x25; *(uint8_t*)0x200071e1 = 1; *(uint8_t*)0x200071e2 = 0x81; *(uint8_t*)0x200071e3 = 0x20; *(uint16_t*)0x200071e4 = 3; *(uint8_t*)0x200071e6 = 9; *(uint8_t*)0x200071e7 = 5; *(uint8_t*)0x200071e8 = 0x80; *(uint8_t*)0x200071e9 = 0x10; *(uint16_t*)0x200071ea = 0x400; *(uint8_t*)0x200071ec = 1; *(uint8_t*)0x200071ed = 0xfc; *(uint8_t*)0x200071ee = 4; *(uint8_t*)0x200071ef = 0xd4; *(uint8_t*)0x200071f0 = 0x21; memcpy((void*)0x200071f1, "\x28\xa1\xdf\xa1\xd2\x8f\x9a\xe6\x0d\x0a\x8e\x9e\x3c\x51\x2d\xb3\x53\x69\xd4\x79\xfa\x6e\x6a\xa0\x99\xe2\x67\xe1\xce\xd7\x7c\xa2\xe1\x80\xb4\x29\x77\x90\x23\xa8\x72\xb0\xef\x88\x07\xe1\x1f\x8b\x8b\x21\xb8\x11\xd4\xfe\x55\x27\x33\x5c\xe8\x6e\x3a\x95\xcd\xf9\x60\xd1\xe7\x9e\x88\xc2\x76\xc1\x74\xd1\x83\xd2\xf3\xbc\x08\x62\xdd\x7e\x1d\x29\xac\x58\x9c\xeb\x22\x02\x4e\x25\xa4\x4c\x3e\x81\x23\x58\x1d\x14\x48\xfd\x2d\xb5\x33\x2f\xe4\x1c\x23\xf9\xaa\x95\x95\x64\xf3\x2d\xb1\xda\x14\x61\x04\x15\xdd\xc2\x93\xdc\x57\xc9\xd6\xc7\x75\xd2\x21\x51\xbd\xab\x23\x6a\x5a\x73\x59\x2e\x55\x18\x05\x57\x28\xae\x81\x9e\x25\xc0\x80\xcb\xb9\xbf\x02\x03\xb6\x63\x9b\x8f\xd8\xd7\x16\xd9\xc5\x71\xd6\xb2\x60\xea\x29\x77\x33\xd5\x3c\x3a\x05\x44\x9b\x9b\x92\x21\xd0\xf4\x02\x61\x0c\x98\x37\x18\x9f\x9c\x6a\xb3\xba\xaf\x03\x1d\x48\x69\x26\x90\xc9\x98\x1c\xee\x14\x26", 210); *(uint8_t*)0x200072c3 = 0xc3; *(uint8_t*)0x200072c4 = 6; memcpy((void*)0x200072c5, 
"\x60\xed\x98\x57\x6f\xbb\xbe\xe3\xdb\x67\xd5\x35\xea\x7e\x1a\x19\xd9\x2d\x68\x9e\x2f\x03\x30\x8a\x61\x5a\x56\x41\xe7\x2e\x69\x4d\x99\x6f\x76\xc1\x11\x1c\x88\xc5\x07\xc3\x9a\x87\xf3\x4a\x36\x82\xda\xfb\xfe\x58\x3b\x79\xf5\xb9\x50\xa3\x06\x14\x16\x2c\x60\x5f\x7e\x6c\x5d\x45\x2b\x4f\x84\xa1\x45\xf2\x0b\xf4\x47\x0d\xdf\x43\xf0\x6c\x41\x5d\xc6\xc4\x15\x51\xfd\x45\x8b\xa6\xae\xdf\x57\xd7\x4c\xb8\x5a\x25\xe4\x33\x24\x81\x4b\x62\xc3\xbe\x41\x08\xb1\xea\x5b\x9d\xd2\x2a\x78\xa4\x5c\xdf\x5d\x8f\x27\xc1\x1f\x35\x02\x6b\xf7\xef\x10\xc7\xd1\xf0\x61\x5f\xe1\xc4\x4a\x30\x2a\x84\xd8\x8b\x8d\x6c\x2d\x85\x04\x9c\x9f\x48\xa0\x4b\x4e\x61\x80\x1c\x01\x7f\x60\x9b\x67\x3f\xc8\x29\x0f\x73\x62\xa0\xed\x35\x88\x2a\x33\x5b\x65\x7f\x83\x5f\xce\x8e\x20\x10\x0c\xde\x82\xc1\xa3\xdc\x18\x06\x11", 193); *(uint32_t*)0x20007740 = 0xa; *(uint32_t*)0x20007744 = 0x200073c0; *(uint8_t*)0x200073c0 = 0xa; *(uint8_t*)0x200073c1 = 6; *(uint16_t*)0x200073c2 = 0x310; *(uint8_t*)0x200073c4 = 5; *(uint8_t*)0x200073c5 = 0x80; *(uint8_t*)0x200073c6 = -1; *(uint8_t*)0x200073c7 = 0xbf; *(uint8_t*)0x200073c8 = 5; *(uint8_t*)0x200073c9 = 0; *(uint32_t*)0x20007748 = 5; *(uint32_t*)0x2000774c = 0x20007400; *(uint8_t*)0x20007400 = 5; *(uint8_t*)0x20007401 = 0xf; *(uint16_t*)0x20007402 = 5; *(uint8_t*)0x20007404 = 0; *(uint32_t*)0x20007750 = 5; *(uint32_t*)0x20007754 = 0xa8; *(uint32_t*)0x20007758 = 0x20007440; *(uint8_t*)0x20007440 = 0xa8; *(uint8_t*)0x20007441 = 3; memcpy((void*)0x20007442, 
"\x05\x84\xbd\xdc\x14\x96\x71\xf9\xe6\xc6\xcd\x12\x3b\x79\x6c\xaf\xe2\xeb\x5d\x2b\xd3\xcf\x65\xe3\xeb\x0f\x3a\x60\x1a\xba\x71\x64\x71\x3d\x40\x42\x65\x3f\x2c\xca\x18\x22\x07\xd4\xe7\xff\xa8\xbc\x71\xe7\x05\xaa\x48\xbc\xff\x03\xfd\xdd\x2e\x3e\x6b\xeb\xe1\x1c\xb6\x1f\x95\xfa\xf1\x4a\xfd\xf2\x94\x40\x02\x1e\x85\x1f\xb6\x82\xaa\x24\xe6\x24\xe8\x33\x95\x2d\xb6\xd1\xf9\x6a\xa7\xed\xfc\x74\xce\x50\x13\x59\x69\x4c\x75\x83\xeb\x5e\x48\xdf\xe2\x27\xd2\x10\x5d\x5e\x3d\x23\x59\xe3\xc7\x28\xa4\x8a\xdf\xf0\x9b\x11\x32\xf9\x28\x89\x3c\xee\xfa\xe6\x77\x00\x98\x3b\xe1\xca\x94\xe8\x18\xe7\xa1\x46\x3c\x80\x2f\x1f\xc2\xa7\x2d\x40\x90\x09\x33\x40\x3d\x7b\x25\x5a\x35\xd9\xdc\x33", 166); *(uint32_t*)0x2000775c = 4; *(uint32_t*)0x20007760 = 0x20007500; *(uint8_t*)0x20007500 = 4; *(uint8_t*)0x20007501 = 3; *(uint16_t*)0x20007502 = 0x42c; *(uint32_t*)0x20007764 = 0xf4; *(uint32_t*)0x20007768 = 0x20007540; *(uint8_t*)0x20007540 = 0xf4; *(uint8_t*)0x20007541 = 3; memcpy((void*)0x20007542, "\x1c\x53\x71\x17\xdc\x72\x0a\xf3\xcc\xf1\x08\x68\x7c\x86\xcb\x54\x4b\xc8\x85\x37\x9e\x43\x5d\xbb\x86\x1b\xc9\xa0\x15\x50\x59\x2e\x60\x08\xae\x94\xa1\xf9\x83\x17\xad\x9c\xd8\x04\x01\x6b\x07\x9b\x5e\xc2\x94\xdc\xaf\x45\x37\xcf\x5b\x68\xc3\xc4\x35\x37\x54\xca\xf3\x69\xba\x34\x10\x1c\xbd\x21\x92\x6b\x15\xce\xf6\x7a\xb6\x3e\xad\x40\xab\xfb\xef\x86\x7b\x37\x2f\xe2\x78\x18\x66\xf8\x7a\x2d\xcc\xf9\x8f\xfe\x66\x53\x1c\x1d\x50\x21\x40\x6c\x69\xce\x84\xb4\x39\x13\x0c\xac\x71\xf5\x25\x64\xb7\xc8\xfa\x62\x1d\x71\xd5\xff\x00\x15\x17\x59\x3f\x05\x9d\xa0\xcb\x82\xf1\xfd\x5e\x32\x7d\xf9\xab\xec\x49\x46\xe3\x4e\x20\xd3\xf1\xdf\x8f\x4a\x04\x22\xf9\xbb\x53\x89\x49\xb4\xa1\x4d\x1b\x3a\xfd\x67\x93\xe8\x1d\x3b\xa5\x96\xd1\x6d\x8c\xee\x0e\x70\x03\x14\xe5\x31\xe6\x02\xfe\x5c\xb8\x32\xb2\x2c\x7a\x2f\x9f\x36\xf3\x9d\x05\x38\x76\x47\x81\x57\xd5\x41\xe8\xc0\x97\x7a\x9a\xca\xf6\x91\xf1\x23\x4f\x66\x5d\x23\x4f\x82\xee\x90\xff\x89\x82\xd9\xc1\x37\x1a\x15\xdd\xc8\xed\x23\x92\xdd\x5a\x96", 242); *(uint32_t*)0x2000776c = 0x98; 
*(uint32_t*)0x20007770 = 0x20007640; *(uint8_t*)0x20007640 = 0x98; *(uint8_t*)0x20007641 = 3; memcpy((void*)0x20007642, "\x07\x8c\xbe\xfd\x67\x79\x6b\x8d\x00\xc6\xa0\x27\xe5\xd0\x7b\xc3\xb0\x07\x56\xac\xaf\xb9\x09\x6e\x3e\x38\x1a\x99\xfd\xbe\x8a\x51\x61\xca\x19\xa9\x62\x8d\x61\xba\xef\xd6\x97\x2b\x48\xf5\xe0\x4b\x0f\xa6\xe2\xb9\x9c\xca\x8d\xf5\xb5\x0d\xbd\x97\xd6\x56\xc0\x2f\x85\x83\xa5\x8c\xe8\xcb\xd3\x5c\x69\xfb\x3f\x86\xde\x0d\xda\xc9\x0f\x5b\xe8\xd4\xf0\x4a\x3a\xd4\xf3\x12\x93\xb5\x09\x95\x91\x39\xbe\xa0\xf3\x06\x7d\x0e\xbf\xa3\xc5\xb2\x10\xe1\x99\x30\x78\xb0\xae\x92\x95\x61\xfc\x77\x34\x86\x9b\x3d\xd8\xd8\x12\xc0\x0a\x30\x35\x23\x61\x66\xa3\x12\x27\xae\x29\x1e\x69\x6a\xb4\xf8\x1f\x4e\x3f\x02\xd6\xb2\xf3\x34", 150); *(uint32_t*)0x20007774 = 4; *(uint32_t*)0x20007778 = 0x20007700; *(uint8_t*)0x20007700 = 4; *(uint8_t*)0x20007701 = 3; *(uint16_t*)0x20007702 = 0x43e; syz_usb_connect(2, 0x6c6, 0x20006cc0, 0x20007740); *(uint8_t*)0x20007780 = 0x12; *(uint8_t*)0x20007781 = 1; *(uint16_t*)0x20007782 = 0x200; *(uint8_t*)0x20007784 = -1; *(uint8_t*)0x20007785 = -1; *(uint8_t*)0x20007786 = -1; *(uint8_t*)0x20007787 = 0x40; *(uint16_t*)0x20007788 = 0xcf3; *(uint16_t*)0x2000778a = 0x9271; *(uint16_t*)0x2000778c = 0x108; *(uint8_t*)0x2000778e = 1; *(uint8_t*)0x2000778f = 2; *(uint8_t*)0x20007790 = 3; *(uint8_t*)0x20007791 = 1; *(uint8_t*)0x20007792 = 9; *(uint8_t*)0x20007793 = 2; *(uint16_t*)0x20007794 = 0x48; *(uint8_t*)0x20007796 = 1; *(uint8_t*)0x20007797 = 1; *(uint8_t*)0x20007798 = 0; *(uint8_t*)0x20007799 = 0x80; *(uint8_t*)0x2000779a = 0xfa; *(uint8_t*)0x2000779b = 9; *(uint8_t*)0x2000779c = 4; *(uint8_t*)0x2000779d = 0; *(uint8_t*)0x2000779e = 0; *(uint8_t*)0x2000779f = 6; *(uint8_t*)0x200077a0 = -1; *(uint8_t*)0x200077a1 = 0; *(uint8_t*)0x200077a2 = 0; *(uint8_t*)0x200077a3 = 0; *(uint8_t*)0x200077a4 = 9; *(uint8_t*)0x200077a5 = 5; *(uint8_t*)0x200077a6 = 1; *(uint8_t*)0x200077a7 = 2; *(uint16_t*)0x200077a8 = 0x200; *(uint8_t*)0x200077aa = 0; *(uint8_t*)0x200077ab 
= 0; *(uint8_t*)0x200077ac = 0; *(uint8_t*)0x200077ad = 9; *(uint8_t*)0x200077ae = 5; *(uint8_t*)0x200077af = 0x82; *(uint8_t*)0x200077b0 = 2; *(uint16_t*)0x200077b1 = 0x200; *(uint8_t*)0x200077b3 = 0; *(uint8_t*)0x200077b4 = 0; *(uint8_t*)0x200077b5 = 0; *(uint8_t*)0x200077b6 = 9; *(uint8_t*)0x200077b7 = 5; *(uint8_t*)0x200077b8 = 0x83; *(uint8_t*)0x200077b9 = 3; *(uint16_t*)0x200077ba = 0x40; *(uint8_t*)0x200077bc = 1; *(uint8_t*)0x200077bd = 0; *(uint8_t*)0x200077be = 0; *(uint8_t*)0x200077bf = 9; *(uint8_t*)0x200077c0 = 5; *(uint8_t*)0x200077c1 = 4; *(uint8_t*)0x200077c2 = 3; *(uint16_t*)0x200077c3 = 0x40; *(uint8_t*)0x200077c5 = 1; *(uint8_t*)0x200077c6 = 0; *(uint8_t*)0x200077c7 = 0; *(uint8_t*)0x200077c8 = 9; *(uint8_t*)0x200077c9 = 5; *(uint8_t*)0x200077ca = 5; *(uint8_t*)0x200077cb = 2; *(uint16_t*)0x200077cc = 0x200; *(uint8_t*)0x200077ce = 0; *(uint8_t*)0x200077cf = 0; *(uint8_t*)0x200077d0 = 0; *(uint8_t*)0x200077d1 = 9; *(uint8_t*)0x200077d2 = 5; *(uint8_t*)0x200077d3 = 6; *(uint8_t*)0x200077d4 = 2; *(uint16_t*)0x200077d5 = 0x200; *(uint8_t*)0x200077d7 = 0; *(uint8_t*)0x200077d8 = 0; *(uint8_t*)0x200077d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007780, 0); if (res != -1) r[22] = res; *(uint32_t*)0x200079c0 = 0x18; *(uint32_t*)0x200079c4 = 0x20007800; *(uint8_t*)0x20007800 = 0x20; *(uint8_t*)0x20007801 = 0x11; *(uint32_t*)0x20007802 = 0xb7; *(uint8_t*)0x20007806 = 0xb7; *(uint8_t*)0x20007807 = 9; memcpy((void*)0x20007808, 
"\x72\xf5\x91\xba\x5c\x69\x4f\x16\xa4\xd9\x20\x75\xef\x3e\xc8\xbc\x46\x92\x09\x54\x79\x9e\xc8\xd3\xc0\x30\x8f\x3b\x47\x79\xda\x6e\x18\xe9\x82\x4a\x86\x74\x6d\x01\x3a\x39\x9a\xfc\x7f\x6f\xce\xb6\xc3\x7f\x7f\x13\x1c\x71\xeb\xc0\x01\xf6\x66\xea\x63\xed\x3a\xde\x13\x20\x09\x73\x5a\x54\x66\x22\xf9\xe6\x39\xd4\x81\xc9\x67\xcc\x7b\x5b\x74\x7c\xc5\xe6\x2f\xdc\x41\xbb\xb4\xbb\x95\x87\x8a\x44\x2c\xc4\x91\x11\xc0\xf5\x78\x86\xf1\x70\x77\xa1\xb4\xb2\x2e\x3c\xf2\x8e\xec\xb7\x98\xfe\xed\x6f\x16\x8d\xd9\xcc\x26\x46\xf8\xb7\x9e\xd4\x1b\xba\x94\xde\x9e\x30\x4f\xc8\x45\x17\x9a\x73\x21\xf0\x47\x84\xaa\x91\x7b\xa0\x84\x05\xb0\xa9\x5b\x83\x03\xd9\x14\xef\x8e\x37\x47\x80\xdd\x8e\x34\x37\xc9\x5c\x35\x76\x4c\xd0\x63\xe7\xa3\xec\x6d\x79\x0b", 181); *(uint32_t*)0x200079c8 = 0x200078c0; *(uint8_t*)0x200078c0 = 0; *(uint8_t*)0x200078c1 = 3; *(uint32_t*)0x200078c2 = 4; *(uint8_t*)0x200078c6 = 4; *(uint8_t*)0x200078c7 = 3; *(uint16_t*)0x200078c8 = 0x813; *(uint32_t*)0x200079cc = 0x20007900; *(uint8_t*)0x20007900 = 0; *(uint8_t*)0x20007901 = 0xf; *(uint32_t*)0x20007902 = 0xc; *(uint8_t*)0x20007906 = 5; *(uint8_t*)0x20007907 = 0xf; *(uint16_t*)0x20007908 = 0xc; *(uint8_t*)0x2000790a = 1; *(uint8_t*)0x2000790b = 7; *(uint8_t*)0x2000790c = 0x10; *(uint8_t*)0x2000790d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000790e, 0x18, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20007910, 3, 0, 16); *(uint32_t*)0x200079d0 = 0x20007940; *(uint8_t*)0x20007940 = 0x20; *(uint8_t*)0x20007941 = 0x29; *(uint32_t*)0x20007942 = 0xf; *(uint8_t*)0x20007946 = 0xf; *(uint8_t*)0x20007947 = 0x29; *(uint8_t*)0x20007948 = 7; *(uint16_t*)0x20007949 = 0x80; *(uint8_t*)0x2000794b = 6; *(uint8_t*)0x2000794c = 0xe0; memcpy((void*)0x2000794d, "\x84\x02\x48\x7c", 4); memcpy((void*)0x20007951, "\x80\x56\xa3\xff", 4); *(uint32_t*)0x200079d4 = 0x20007980; *(uint8_t*)0x20007980 = 0x20; *(uint8_t*)0x20007981 = 0x2a; *(uint32_t*)0x20007982 = 0xc; 
*(uint8_t*)0x20007986 = 0xc; *(uint8_t*)0x20007987 = 0x2a; *(uint8_t*)0x20007988 = 0xa7; *(uint16_t*)0x20007989 = 2; *(uint8_t*)0x2000798b = 0x7d; *(uint8_t*)0x2000798c = 0; *(uint8_t*)0x2000798d = 0x80; *(uint16_t*)0x2000798e = 7; *(uint16_t*)0x20007990 = 6; *(uint32_t*)0x20007e80 = 0x44; *(uint32_t*)0x20007e84 = 0x20007a00; *(uint8_t*)0x20007a00 = 0x40; *(uint8_t*)0x20007a01 = 0x10; *(uint32_t*)0x20007a02 = 0x8c; memcpy((void*)0x20007a06, "\x21\xb8\x38\x25\x05\x9f\x24\x50\x6d\x8e\x84\x20\x85\xd1\xf2\xe7\xf9\x64\x47\x1b\x20\xed\x0a\x8e\x50\xa9\xaa\x4e\xf1\x6b\x5a\x6f\x2d\xbb\x2b\x57\x0a\x4f\x8d\x13\xd6\x0e\x47\xbb\x78\x21\xff\x91\x21\x11\xde\xe4\x0a\x78\xd4\x2b\x4d\x13\xea\x81\x2d\x92\x9c\xcf\x39\x64\xc5\x46\x8f\x89\xd2\xd2\x16\x30\xec\x87\x06\x7a\x2d\x13\xf4\x52\x38\xb4\x46\xbf\x57\xc6\xb9\xec\x35\x57\x8f\xa5\x87\xfc\x77\xfe\x21\x08\xb1\x59\x0b\xe0\x81\x68\x1c\xcc\x02\x4f\x1f\x59\x0b\xe9\xe5\xbe\xc9\xea\x86\xb9\x80\x3c\x60\x29\x9d\xda\x1a\x82\xf8\xff\x04\x42\x86\x71\xa4\x3b\xc2\xc3\x39\x3a", 140); *(uint32_t*)0x20007e88 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0; *(uint8_t*)0x20007ac1 = 0xa; *(uint32_t*)0x20007ac2 = 1; *(uint8_t*)0x20007ac6 = 4; *(uint32_t*)0x20007e8c = 0x20007b00; *(uint8_t*)0x20007b00 = 0; *(uint8_t*)0x20007b01 = 8; *(uint32_t*)0x20007b02 = 1; *(uint8_t*)0x20007b06 = 0xfb; *(uint32_t*)0x20007e90 = 0x20007b40; *(uint8_t*)0x20007b40 = 0x20; *(uint8_t*)0x20007b41 = 0; *(uint32_t*)0x20007b42 = 4; *(uint16_t*)0x20007b46 = 1; *(uint16_t*)0x20007b48 = 1; *(uint32_t*)0x20007e94 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x20; *(uint8_t*)0x20007b81 = 0; *(uint32_t*)0x20007b82 = 4; *(uint16_t*)0x20007b86 = 0x140; *(uint16_t*)0x20007b88 = 0x20; *(uint32_t*)0x20007e98 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 7; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 0x3ff; *(uint32_t*)0x20007e9c = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 9; *(uint32_t*)0x20007c02 = 1; *(uint8_t*)0x20007c06 = 0x81; 
*(uint32_t*)0x20007ea0 = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0xb; *(uint32_t*)0x20007c42 = 2; memcpy((void*)0x20007c46, "\x8a\x02", 2); *(uint32_t*)0x20007ea4 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0xf; *(uint32_t*)0x20007c82 = 2; *(uint16_t*)0x20007c86 = 0x321a; *(uint32_t*)0x20007ea8 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x13; *(uint32_t*)0x20007cc2 = 6; *(uint8_t*)0x20007cc6 = 1; *(uint8_t*)0x20007cc7 = 0x80; *(uint8_t*)0x20007cc8 = 0xc2; *(uint8_t*)0x20007cc9 = 0; *(uint8_t*)0x20007cca = 0; *(uint8_t*)0x20007ccb = 0; *(uint32_t*)0x20007eac = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x17; *(uint32_t*)0x20007d02 = 6; memcpy((void*)0x20007d06, "\xb0\xfe\x28\x1f\xa3\x91", 6); *(uint32_t*)0x20007eb0 = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x19; *(uint32_t*)0x20007d42 = 2; memcpy((void*)0x20007d46, "#7", 2); *(uint32_t*)0x20007eb4 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x1a; *(uint32_t*)0x20007d82 = 2; *(uint16_t*)0x20007d86 = 6; *(uint32_t*)0x20007eb8 = 0x20007dc0; *(uint8_t*)0x20007dc0 = 0x40; *(uint8_t*)0x20007dc1 = 0x1c; *(uint32_t*)0x20007dc2 = 1; *(uint8_t*)0x20007dc6 = 6; *(uint32_t*)0x20007ebc = 0x20007e00; *(uint8_t*)0x20007e00 = 0x40; *(uint8_t*)0x20007e01 = 0x1e; *(uint32_t*)0x20007e02 = 1; *(uint8_t*)0x20007e06 = 6; *(uint32_t*)0x20007ec0 = 0x20007e40; *(uint8_t*)0x20007e40 = 0x40; *(uint8_t*)0x20007e41 = 0x21; *(uint32_t*)0x20007e42 = 1; *(uint8_t*)0x20007e46 = 0x9e; syz_usb_control_io(r[22], 0x200079c0, 0x20007e80); *(uint8_t*)0x20007f00 = 0x12; *(uint8_t*)0x20007f01 = 1; *(uint16_t*)0x20007f02 = 0x70; *(uint8_t*)0x20007f04 = 2; *(uint8_t*)0x20007f05 = 0; *(uint8_t*)0x20007f06 = 0; *(uint8_t*)0x20007f07 = 0x50; *(uint16_t*)0x20007f08 = 0x525; *(uint16_t*)0x20007f0a = 0xa4a1; *(uint16_t*)0x20007f0c = 0x40; *(uint8_t*)0x20007f0e = 1; *(uint8_t*)0x20007f0f = 2; *(uint8_t*)0x20007f10 = 3; 
*(uint8_t*)0x20007f11 = 1; *(uint8_t*)0x20007f12 = 9; *(uint8_t*)0x20007f13 = 2; *(uint16_t*)0x20007f14 = 0x4d; *(uint8_t*)0x20007f16 = 1; *(uint8_t*)0x20007f17 = 1; *(uint8_t*)0x20007f18 = 2; *(uint8_t*)0x20007f19 = 0x70; *(uint8_t*)0x20007f1a = 0x40; *(uint8_t*)0x20007f1b = 9; *(uint8_t*)0x20007f1c = 4; *(uint8_t*)0x20007f1d = 0; *(uint8_t*)0x20007f1e = 0xc4; *(uint8_t*)0x20007f1f = 3; *(uint8_t*)0x20007f20 = 2; *(uint8_t*)0x20007f21 = 6; *(uint8_t*)0x20007f22 = 0; *(uint8_t*)0x20007f23 = 0xe1; *(uint8_t*)0x20007f24 = 8; *(uint8_t*)0x20007f25 = 0x24; *(uint8_t*)0x20007f26 = 6; *(uint8_t*)0x20007f27 = 0; *(uint8_t*)0x20007f28 = 0; memcpy((void*)0x20007f29, "W?s", 3); *(uint8_t*)0x20007f2c = 5; *(uint8_t*)0x20007f2d = 0x24; *(uint8_t*)0x20007f2e = 0; *(uint16_t*)0x20007f2f = 3; *(uint8_t*)0x20007f31 = 0xd; *(uint8_t*)0x20007f32 = 0x24; *(uint8_t*)0x20007f33 = 0xf; *(uint8_t*)0x20007f34 = 1; *(uint32_t*)0x20007f35 = 0x200; *(uint16_t*)0x20007f39 = 0; *(uint16_t*)0x20007f3b = 0x200; *(uint8_t*)0x20007f3d = 3; *(uint8_t*)0x20007f3e = 6; *(uint8_t*)0x20007f3f = 0x24; *(uint8_t*)0x20007f40 = 0x1a; *(uint16_t*)0x20007f41 = 0x1000; *(uint8_t*)0x20007f43 = 0; *(uint8_t*)0x20007f44 = 9; *(uint8_t*)0x20007f45 = 5; *(uint8_t*)0x20007f46 = 0x81; *(uint8_t*)0x20007f47 = 3; *(uint16_t*)0x20007f48 = 0x20; *(uint8_t*)0x20007f4a = 0x3f; *(uint8_t*)0x20007f4b = 0; *(uint8_t*)0x20007f4c = 0xd8; *(uint8_t*)0x20007f4d = 9; *(uint8_t*)0x20007f4e = 5; *(uint8_t*)0x20007f4f = 0x82; *(uint8_t*)0x20007f50 = 2; *(uint16_t*)0x20007f51 = 8; *(uint8_t*)0x20007f53 = -1; *(uint8_t*)0x20007f54 = 0xec; *(uint8_t*)0x20007f55 = 5; *(uint8_t*)0x20007f56 = 9; *(uint8_t*)0x20007f57 = 5; *(uint8_t*)0x20007f58 = 3; *(uint8_t*)0x20007f59 = 2; *(uint16_t*)0x20007f5a = 0x3cf; *(uint8_t*)0x20007f5c = 0x81; *(uint8_t*)0x20007f5d = 0x39; *(uint8_t*)0x20007f5e = 5; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f80; *(uint8_t*)0x20007f80 = 0xa; *(uint8_t*)0x20007f81 = 6; *(uint16_t*)0x20007f82 = 
0; *(uint8_t*)0x20007f84 = 2; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x77; *(uint8_t*)0x20007f87 = -1; *(uint8_t*)0x20007f88 = 0x2f; *(uint8_t*)0x20007f89 = 0; *(uint32_t*)0x20008288 = 5; *(uint32_t*)0x2000828c = 0x20007fc0; *(uint8_t*)0x20007fc0 = 5; *(uint8_t*)0x20007fc1 = 0xf; *(uint16_t*)0x20007fc2 = 5; *(uint8_t*)0x20007fc4 = 0; *(uint32_t*)0x20008290 = 5; *(uint32_t*)0x20008294 = 0x69; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 0x69; *(uint8_t*)0x20008001 = 3; memcpy((void*)0x20008002, "\xd2\x5a\x9c\x8f\x14\x52\xa3\xc6\xff\xbf\xec\xa8\xeb\x77\x79\x35\xb5\x8c\x9b\x74\x06\x77\x50\x86\xff\xf7\x17\xb5\x4f\x05\xac\x59\xf9\x45\x17\xff\x3c\xd6\xf3\x10\x1d\xbf\xa7\x9b\xb8\x2a\xe3\x1b\x1d\x31\x6d\x08\xa7\x1d\x14\xfc\x2c\x1c\xfa\x8c\x89\x30\x68\xbd\xe2\xbb\x83\x0a\xe9\x1f\xc9\x42\x88\xcc\x23\x2a\xaa\xc0\xe6\x4b\x84\x00\x7b\x0e\x75\x36\xc3\xec\x34\xed\xef\x04\xde\xd9\x34\x21\xa3\x77\xe0\x69\x53\x26\xaa", 103); *(uint32_t*)0x2000829c = 0xac; *(uint32_t*)0x200082a0 = 0x20008080; *(uint8_t*)0x20008080 = 0xac; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x73\x60\x60\x9c\xe8\x30\x0a\xe4\x62\x33\x08\xd5\xf8\xb9\x7b\xfd\x50\xd3\xd8\x63\x40\x8b\x8e\xa4\x01\xc8\x6d\xa9\xd4\x2c\xe5\xf3\x86\x7c\xe8\xd7\x21\xfb\x2a\xb5\xc2\x5f\x6b\x4c\x5e\x85\xf5\xea\xf3\x41\xbd\x51\x4a\x16\xc2\xdf\xe3\xc7\xa1\xd7\xf4\x27\xae\x62\xc0\xbf\xf3\x79\xe8\x4d\x56\x63\x7e\xc1\x37\x7b\x8c\x8a\xd5\xb5\x5b\x09\x9c\xfa\xa4\xa7\xa6\xee\xb0\x58\x9f\x81\xe7\xa4\x33\x00\xef\xf5\x33\x54\xe1\xb2\xbd\xcd\xc3\x4d\x79\x45\xd6\x35\x62\xe4\x8d\x5e\xd9\x3b\xef\x75\xfd\x01\x60\xfc\xd7\xc3\xa6\xbe\x7f\x0c\x64\x2b\xb6\xe5\x61\xe3\x5a\x1c\x73\x11\x0b\xdc\xde\xd7\x69\x98\x65\xe2\x5e\xb2\x38\xcf\x8f\x3b\x10\xad\x3c\x10\x48\x80\x28\xc3\x70\x63\xc8\x86\x2f\x90\x7b\x06\x82\x9e", 170); *(uint32_t*)0x200082a4 = 4; *(uint32_t*)0x200082a8 = 0x20008140; *(uint8_t*)0x20008140 = 4; *(uint8_t*)0x20008141 = 3; *(uint16_t*)0x20008142 = 0x81a; *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 
0x20008180; *(uint8_t*)0x20008180 = 4; *(uint8_t*)0x20008181 = 3; *(uint16_t*)0x20008182 = 0x180a; *(uint32_t*)0x200082b4 = 0xb9; *(uint32_t*)0x200082b8 = 0x200081c0; *(uint8_t*)0x200081c0 = 0xb9; *(uint8_t*)0x200081c1 = 3; memcpy((void*)0x200081c2, "\x37\xef\xeb\x85\x4b\x40\x51\xa4\x6c\x67\xae\xe7\xea\xa0\xf6\x2f\xde\x9f\x59\x9c\xd5\xba\x25\x32\x9d\x50\xae\xe1\x6b\x30\xc6\xc1\xa5\x14\x83\x10\x81\xaf\xc1\xdf\xd2\x68\x2f\xf4\x87\x16\xa9\x1b\xf9\x5e\x08\x42\x12\xb0\x69\x6d\x43\xe1\xc6\xc4\x3a\xda\xf9\xed\x3e\xf7\x0e\x62\x73\x59\x94\xd2\xd0\x86\x51\x39\x60\x49\x88\xfa\xc1\x79\x78\xd9\xc0\x5a\x84\xf3\x42\x38\x31\xdd\x1d\xdd\xc6\xc9\x4d\x50\xdd\xd6\x74\xf1\x65\x25\xbb\xf9\xa8\xdb\x3b\xb4\x90\x01\xbe\x38\xa1\x96\x70\xab\xd9\x9f\x4a\x2e\x97\xcf\xb2\x0d\x46\xc6\x37\x83\x2a\x3e\xc9\x7f\xf0\x94\xc6\xa3\x30\x49\x64\xb7\x2b\xcf\x11\x6b\xf2\x7f\xed\xd5\x52\x1a\xd3\xda\x22\x62\x97\xff\xf8\x49\xc3\x3c\x5d\x84\x9e\x3e\x30\x37\x52\x79\x01\xee\xf6\x3a\x59\x9b\xaa\x54\xfc\x46\xa4\x6f\xf1", 183); res = -1; res = syz_usb_connect(2, 0x5f, 0x20007f00, 0x20008280); if (res != -1) r[23] = res; syz_usb_disconnect(r[23]); *(uint8_t*)0x200082c0 = 0x12; *(uint8_t*)0x200082c1 = 1; *(uint16_t*)0x200082c2 = 0x110; *(uint8_t*)0x200082c4 = 2; *(uint8_t*)0x200082c5 = 0; *(uint8_t*)0x200082c6 = 0; *(uint8_t*)0x200082c7 = 0x20; *(uint16_t*)0x200082c8 = 0x525; *(uint16_t*)0x200082ca = 0xa4a1; *(uint16_t*)0x200082cc = 0x40; *(uint8_t*)0x200082ce = 1; *(uint8_t*)0x200082cf = 2; *(uint8_t*)0x200082d0 = 3; *(uint8_t*)0x200082d1 = 1; *(uint8_t*)0x200082d2 = 9; *(uint8_t*)0x200082d3 = 2; *(uint16_t*)0x200082d4 = 0xb3; *(uint8_t*)0x200082d6 = 1; *(uint8_t*)0x200082d7 = 1; *(uint8_t*)0x200082d8 = 6; *(uint8_t*)0x200082d9 = 0x28; *(uint8_t*)0x200082da = -1; *(uint8_t*)0x200082db = 9; *(uint8_t*)0x200082dc = 4; *(uint8_t*)0x200082dd = 0; *(uint8_t*)0x200082de = 9; *(uint8_t*)0x200082df = 2; *(uint8_t*)0x200082e0 = 2; *(uint8_t*)0x200082e1 = 6; *(uint8_t*)0x200082e2 = 0; *(uint8_t*)0x200082e3 = 4; 
*(uint8_t*)0x200082e4 = 6; *(uint8_t*)0x200082e5 = 0x24; *(uint8_t*)0x200082e6 = 6; *(uint8_t*)0x200082e7 = 0; *(uint8_t*)0x200082e8 = 0; memset((void*)0x200082e9, 177, 1); *(uint8_t*)0x200082ea = 5; *(uint8_t*)0x200082eb = 0x24; *(uint8_t*)0x200082ec = 0; *(uint16_t*)0x200082ed = 8; *(uint8_t*)0x200082ef = 0xd; *(uint8_t*)0x200082f0 = 0x24; *(uint8_t*)0x200082f1 = 0xf; *(uint8_t*)0x200082f2 = 1; *(uint32_t*)0x200082f3 = 0x9208; *(uint16_t*)0x200082f7 = 2; *(uint16_t*)0x200082f9 = 0; *(uint8_t*)0x200082fb = 0x20; *(uint8_t*)0x200082fc = 0x5e; *(uint8_t*)0x200082fd = 0x24; *(uint8_t*)0x200082fe = 0x13; *(uint8_t*)0x200082ff = 7; memcpy((void*)0x20008300, "\x63\xb0\xb9\x53\x77\x14\x7b\xa2\x14\xd9\x50\xfc\x04\xb2\x2c\x04\xbe\x09\xd9\xb9\x6f\x1a\xb9\x4b\xb0\x2e\x8a\x2a\x9e\x23\xcf\x7d\x3a\xca\xb2\x2a\x80\xed\x35\x0e\xc4\xb1\x78\x06\xed\xcb\x16\x9e\x50\x75\x37\x3d\x99\x17\x80\x21\x13\x92\xeb\x3d\x9f\x11\x73\xa5\x39\x84\x3b\xf2\xc3\xf6\x6a\x4a\x69\x60\xa5\x5a\x22\x07\x76\x7d\xb3\xc5\x5a\x7d\xd2\x89\x8b\x5c\xcb\x40", 90); *(uint8_t*)0x2000835a = 0xc; *(uint8_t*)0x2000835b = 0x24; *(uint8_t*)0x2000835c = 0x1b; *(uint16_t*)0x2000835d = 0x2a; *(uint16_t*)0x2000835f = 0x100; *(uint8_t*)0x20008361 = 0xe0; *(uint8_t*)0x20008362 = 0x76; *(uint16_t*)0x20008363 = 0; *(uint8_t*)0x20008365 = -1; *(uint8_t*)0x20008366 = 4; *(uint8_t*)0x20008367 = 0x24; *(uint8_t*)0x20008368 = 2; *(uint8_t*)0x20008369 = 0xa; *(uint8_t*)0x2000836a = 9; *(uint8_t*)0x2000836b = 5; *(uint8_t*)0x2000836c = 0x81; *(uint8_t*)0x2000836d = 3; *(uint16_t*)0x2000836e = 0x20; *(uint8_t*)0x20008370 = 0x73; *(uint8_t*)0x20008371 = 0x35; *(uint8_t*)0x20008372 = 0x3f; *(uint8_t*)0x20008373 = 9; *(uint8_t*)0x20008374 = 5; *(uint8_t*)0x20008375 = 0x82; *(uint8_t*)0x20008376 = 2; *(uint16_t*)0x20008377 = 8; *(uint8_t*)0x20008379 = 3; *(uint8_t*)0x2000837a = 1; *(uint8_t*)0x2000837b = 3; *(uint8_t*)0x2000837c = 9; *(uint8_t*)0x2000837d = 5; *(uint8_t*)0x2000837e = 3; *(uint8_t*)0x2000837f = 2; *(uint16_t*)0x20008380 = 
0x40; *(uint8_t*)0x20008382 = 5; *(uint8_t*)0x20008383 = 0x40; *(uint8_t*)0x20008384 = 2; *(uint32_t*)0x200087c0 = 0xa; *(uint32_t*)0x200087c4 = 0x200083c0; *(uint8_t*)0x200083c0 = 0xa; *(uint8_t*)0x200083c1 = 6; *(uint16_t*)0x200083c2 = 0x201; *(uint8_t*)0x200083c4 = 0x79; *(uint8_t*)0x200083c5 = 3; *(uint8_t*)0x200083c6 = 0x3f; *(uint8_t*)0x200083c7 = 0x20; *(uint8_t*)0x200083c8 = 6; *(uint8_t*)0x200083c9 = 0; *(uint32_t*)0x200087c8 = 0x37; *(uint32_t*)0x200087cc = 0x20008400; *(uint8_t*)0x20008400 = 5; *(uint8_t*)0x20008401 = 0xf; *(uint16_t*)0x20008402 = 0x37; *(uint8_t*)0x20008404 = 5; *(uint8_t*)0x20008405 = 7; *(uint8_t*)0x20008406 = 0x10; *(uint8_t*)0x20008407 = 2; STORE_BY_BITMASK(uint32_t, , 0x20008408, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008409, 0xa, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008409, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000840a, 5, 0, 16); *(uint8_t*)0x2000840c = 7; *(uint8_t*)0x2000840d = 0x10; *(uint8_t*)0x2000840e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000840f, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008410, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008410, 9, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008411, 8, 0, 16); *(uint8_t*)0x20008413 = 0xa; *(uint8_t*)0x20008414 = 0x10; *(uint8_t*)0x20008415 = 3; *(uint8_t*)0x20008416 = 0xc9; *(uint16_t*)0x20008417 = 7; *(uint8_t*)0x20008419 = 7; *(uint8_t*)0x2000841a = 0; *(uint16_t*)0x2000841b = 8; *(uint8_t*)0x2000841d = 0xa; *(uint8_t*)0x2000841e = 0x10; *(uint8_t*)0x2000841f = 3; *(uint8_t*)0x20008420 = 2; *(uint16_t*)0x20008421 = 0xc; *(uint8_t*)0x20008423 = 0; *(uint8_t*)0x20008424 = 6; *(uint16_t*)0x20008425 = 6; *(uint8_t*)0x20008427 = 0x10; *(uint8_t*)0x20008428 = 0x10; *(uint8_t*)0x20008429 = 0xa; *(uint8_t*)0x2000842a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000842b, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000842b, 0x8001, 5, 27); *(uint16_t*)0x2000842f = 0xf00f; *(uint16_t*)0x20008431 = 0xfffd; *(uint32_t*)0x20008433 = 0x3fc0; *(uint32_t*)0x200087d0 = 9; 
*(uint32_t*)0x200087d4 = 0x4f; *(uint32_t*)0x200087d8 = 0x20008440; *(uint8_t*)0x20008440 = 0x4f; *(uint8_t*)0x20008441 = 3; memcpy((void*)0x20008442, "\xc0\x66\x3b\x11\x6d\xab\x9b\xa5\xc0\xa2\xf7\xa2\xad\x48\x6f\xfc\x16\x4a\x43\x65\x89\x95\x65\xc5\xe9\x9b\x01\x52\x39\xf3\x78\xdf\x56\xdb\x4d\xc3\xb0\xbb\x08\xdc\xd2\x08\xd9\x58\xfa\x3c\xf0\x80\x97\xaa\x20\x8b\x2d\x28\x65\xb5\x02\xcb\xc9\x4b\x1a\x8e\x33\xbd\xd9\xd6\x48\x1f\xbf\x32\xd4\x91\x34\x22\xfe\x18\x9f", 77); *(uint32_t*)0x200087dc = 0x85; *(uint32_t*)0x200087e0 = 0x200084c0; *(uint8_t*)0x200084c0 = 0x85; *(uint8_t*)0x200084c1 = 3; memcpy((void*)0x200084c2, "\xc9\xc4\x87\xa9\x0b\xe3\xd4\x0e\xf7\x82\x37\x3d\x78\x5f\x86\xbd\xfc\x3d\xb6\xfb\x0d\xd0\xa7\x44\x0b\x2f\xe4\x59\x5c\x3a\x6b\xd6\x7a\xa8\x51\x8d\x89\x7a\x8a\x75\x7d\x5f\x1c\xeb\x86\xe5\x98\xca\xbf\x23\x45\xf7\x71\xc3\xc7\x12\x8b\xd1\x6d\xd4\xb1\xee\x9b\x7d\xbc\xaf\x61\x1e\x97\xf6\xdc\xb9\xf1\x71\xe8\xf7\x05\x2b\x0f\x33\xe6\x31\xbf\xe9\x9d\xdc\x44\x13\xe5\xe5\xd7\xb6\x34\xdc\xc3\xb7\x7e\x4d\x30\x1f\x89\xa8\xd3\xb8\x51\xb0\x23\x06\xca\xbe\xc2\x11\x12\x7a\x8e\x54\x1d\x16\x26\x36\x58\x8f\xf5\x74\xde\x82\xde\x8f\x30\x7d\x43", 131); *(uint32_t*)0x200087e4 = 4; *(uint32_t*)0x200087e8 = 0x20008580; *(uint8_t*)0x20008580 = 4; *(uint8_t*)0x20008581 = 3; *(uint16_t*)0x20008582 = 0x1407; *(uint32_t*)0x200087ec = 4; *(uint32_t*)0x200087f0 = 0x200085c0; *(uint8_t*)0x200085c0 = 4; *(uint8_t*)0x200085c1 = 3; *(uint16_t*)0x200085c2 = 0; *(uint32_t*)0x200087f4 = 0xaa; *(uint32_t*)0x200087f8 = 0x20008600; *(uint8_t*)0x20008600 = 0xaa; *(uint8_t*)0x20008601 = 3; memcpy((void*)0x20008602, 
"\xce\x39\x5e\x8e\x9f\x40\x9a\x37\xda\xeb\x1c\x20\xbe\x9c\xa4\x00\x4a\xe8\x10\xcf\x16\x53\xec\xcd\x6e\x66\x3d\xd7\x4f\x8b\xc0\x69\x89\xb4\xd1\xa6\x5c\x9f\x48\x0b\xd3\x7e\x9d\xd8\x53\x49\xf2\x98\xdd\xad\xdc\x2c\xc9\xe4\xed\xa1\x47\xf2\x31\x40\x2e\x11\x6f\xb5\x94\xa6\x37\x18\xd8\x21\xd8\x85\xeb\xd6\x7e\xda\x45\x15\x58\xb1\xfb\xa3\x09\x3e\xcb\xd4\x0c\xbe\x5f\xbe\x07\xf9\x4e\xd9\x27\xd8\xe5\x03\x9a\x7c\x49\x7a\xa8\xd1\xf1\x0a\x4d\xda\xc0\x49\xad\x82\x0f\x8c\x53\x2c\x5a\x3f\x00\x94\x79\x55\x03\x24\x23\x92\x2e\x95\xaa\x5b\xfe\xe0\x41\xf7\xfe\x87\x44\xec\xc4\x42\x40\x57\xee\xc9\x70\x40\xb3\x41\xd0\xdd\xdc\xaf\x20\x6d\xa6\x43\x1e\x98\x7f\x04\xcf\xd5\x58\x02\xca\xd3\xa1\x14", 168); *(uint32_t*)0x200087fc = 4; *(uint32_t*)0x20008800 = 0x200086c0; *(uint8_t*)0x200086c0 = 4; *(uint8_t*)0x200086c1 = 3; *(uint16_t*)0x200086c2 = 0x3c01; *(uint32_t*)0x20008804 = 4; *(uint32_t*)0x20008808 = 0x20008700; *(uint8_t*)0x20008700 = 4; *(uint8_t*)0x20008701 = 3; *(uint16_t*)0x20008702 = 0x1809; *(uint32_t*)0x2000880c = 4; *(uint32_t*)0x20008810 = 0x20008740; *(uint8_t*)0x20008740 = 4; *(uint8_t*)0x20008741 = 3; *(uint16_t*)0x20008742 = 0x807; *(uint32_t*)0x20008814 = 4; *(uint32_t*)0x20008818 = 0x20008780; *(uint8_t*)0x20008780 = 4; *(uint8_t*)0x20008781 = 3; *(uint16_t*)0x20008782 = 0x1c; res = -1; res = syz_usb_connect(3, 0xc5, 0x200082c0, 0x200087c0); if (res != -1) r[24] = res; syz_usb_ep_read(r[24], 8, 0x7d, 0x20008840); *(uint8_t*)0x200088c0 = 0x12; *(uint8_t*)0x200088c1 = 1; *(uint16_t*)0x200088c2 = 0x250; *(uint8_t*)0x200088c4 = 0; *(uint8_t*)0x200088c5 = 0; *(uint8_t*)0x200088c6 = 0; *(uint8_t*)0x200088c7 = 0x10; *(uint16_t*)0x200088c8 = 0x56a; *(uint16_t*)0x200088ca = 0x62; *(uint16_t*)0x200088cc = 0x40; *(uint8_t*)0x200088ce = 1; *(uint8_t*)0x200088cf = 2; *(uint8_t*)0x200088d0 = 3; *(uint8_t*)0x200088d1 = 1; *(uint8_t*)0x200088d2 = 9; *(uint8_t*)0x200088d3 = 2; *(uint16_t*)0x200088d4 = 0x2d; *(uint8_t*)0x200088d6 = 1; *(uint8_t*)0x200088d7 = 1; *(uint8_t*)0x200088d8 = 0; 
*(uint8_t*)0x200088d9 = 0xf0; *(uint8_t*)0x200088da = 0x8e; *(uint8_t*)0x200088db = 9; *(uint8_t*)0x200088dc = 4; *(uint8_t*)0x200088dd = 0; *(uint8_t*)0x200088de = 5; *(uint8_t*)0x200088df = 1; *(uint8_t*)0x200088e0 = 3; *(uint8_t*)0x200088e1 = 1; *(uint8_t*)0x200088e2 = 2; *(uint8_t*)0x200088e3 = 0; *(uint8_t*)0x200088e4 = 9; *(uint8_t*)0x200088e5 = 0x21; *(uint16_t*)0x200088e6 = 3; *(uint8_t*)0x200088e8 = 0xf; *(uint8_t*)0x200088e9 = 1; *(uint8_t*)0x200088ea = 0x22; *(uint16_t*)0x200088eb = 0xa21; *(uint8_t*)0x200088ed = 9; *(uint8_t*)0x200088ee = 5; *(uint8_t*)0x200088ef = 0x81; *(uint8_t*)0x200088f0 = 3; *(uint16_t*)0x200088f1 = 0x3af; *(uint8_t*)0x200088f3 = 1; *(uint8_t*)0x200088f4 = 0x40; *(uint8_t*)0x200088f5 = 2; *(uint8_t*)0x200088f6 = 9; *(uint8_t*)0x200088f7 = 5; *(uint8_t*)0x200088f8 = 2; *(uint8_t*)0x200088f9 = 3; *(uint16_t*)0x200088fa = 0x10; *(uint8_t*)0x200088fc = 6; *(uint8_t*)0x200088fd = 1; *(uint8_t*)0x200088fe = 9; *(uint32_t*)0x20008c00 = 0xa; *(uint32_t*)0x20008c04 = 0x20008900; *(uint8_t*)0x20008900 = 0xa; *(uint8_t*)0x20008901 = 6; *(uint16_t*)0x20008902 = 0x250; *(uint8_t*)0x20008904 = 3; *(uint8_t*)0x20008905 = 1; *(uint8_t*)0x20008906 = 0x46; *(uint8_t*)0x20008907 = -1; *(uint8_t*)0x20008908 = 0x20; *(uint8_t*)0x20008909 = 0; *(uint32_t*)0x20008c08 = 0x34; *(uint32_t*)0x20008c0c = 0x20008940; *(uint8_t*)0x20008940 = 5; *(uint8_t*)0x20008941 = 0xf; *(uint16_t*)0x20008942 = 0x34; *(uint8_t*)0x20008944 = 2; *(uint8_t*)0x20008945 = 0xb; *(uint8_t*)0x20008946 = 0x10; *(uint8_t*)0x20008947 = 1; *(uint8_t*)0x20008948 = 2; *(uint16_t*)0x20008949 = 0xfa; *(uint8_t*)0x2000894b = 8; *(uint8_t*)0x2000894c = 0x80; *(uint16_t*)0x2000894d = 5; *(uint8_t*)0x2000894f = 3; *(uint8_t*)0x20008950 = 0x24; *(uint8_t*)0x20008951 = 0x10; *(uint8_t*)0x20008952 = 0xa; *(uint8_t*)0x20008953 = 5; STORE_BY_BITMASK(uint32_t, , 0x20008954, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20008954, 9, 5, 27); *(uint16_t*)0x20008958 = 0xf00f; *(uint16_t*)0x2000895a = 0; 
*(uint32_t*)0x2000895c = 0xffc00f; *(uint32_t*)0x20008960 = 0xff00c0; *(uint32_t*)0x20008964 = 0x101ffc0; *(uint32_t*)0x20008968 = 0xff0030; *(uint32_t*)0x2000896c = 0x30; *(uint32_t*)0x20008970 = 0x30; *(uint32_t*)0x20008c10 = 4; *(uint32_t*)0x20008c14 = 0xed; *(uint32_t*)0x20008c18 = 0x20008980; *(uint8_t*)0x20008980 = 0xed; *(uint8_t*)0x20008981 = 3; memcpy((void*)0x20008982, "\xe7\xdb\x91\x4e\xf4\xa7\x1a\x3a\xba\x44\x3e\xe1\x81\xc2\x72\xe7\xfb\xb6\x36\x48\xa9\x97\x75\x4b\x81\xa1\x93\x8f\x52\xb9\xfd\x8c\x2b\x76\xca\x28\xee\x1f\xcb\xa2\x80\x02\x1f\xbe\x02\xff\xa0\x3e\xa7\x53\xf2\xd5\x1b\x71\xf1\xcb\x93\x91\xea\x31\xfa\xab\xf8\xed\x37\xa9\x85\x3b\x87\xee\xba\xa0\xa1\x26\x96\x96\xe6\x5e\x30\x9e\xa4\xbf\x77\x55\xff\x1b\x99\x28\x0f\xd6\x82\x30\xd7\xd8\x99\xd0\x97\xe1\x6e\xe0\xb2\x24\xde\x57\x33\x94\x39\xc8\x0a\xd7\xfb\xf8\xbb\xf3\x2a\xa0\x0e\x29\x80\x2b\xde\x1c\x8c\x5e\x62\x28\xfa\x0a\x54\xc8\x35\x0e\xf9\x97\x11\x2f\x76\x3e\x17\x42\x8f\xb8\xe9\x5a\x56\x68\x95\x95\xf3\x0a\x3c\x16\x15\x18\x09\xb0\xc6\xb1\xd4\xd4\x76\x65\x10\xc6\xf0\x66\xfe\x4b\x35\xa3\xea\x90\xd3\x88\xd1\xb4\xd4\xe9\xc6\xb3\x09\x71\xe2\x37\xe2\x3f\xd2\x05\xf9\x90\x5e\xe7\xd7\x9f\x44\x43\x70\x7a\xdc\x7f\x65\xce\x2b\x15\x99\x4d\xaa\xc7\xb9\x54\x35\x3f\xb2\x32\x01\x84\x41\x22\x71\x05\x31\x87\x9c\x62\x91\xc7\xdf\xbf\x6b\xe4\x54\xb9\xcf\x2f\x2e", 235); *(uint32_t*)0x20008c1c = 4; *(uint32_t*)0x20008c20 = 0x20008a80; *(uint8_t*)0x20008a80 = 4; *(uint8_t*)0x20008a81 = 3; *(uint16_t*)0x20008a82 = 0x410; *(uint32_t*)0x20008c24 = 0x64; *(uint32_t*)0x20008c28 = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x64; *(uint8_t*)0x20008ac1 = 3; memcpy((void*)0x20008ac2, 
"\x04\x1c\x8b\x1b\xd1\x43\xea\x1d\x63\x82\x9b\x76\x9d\xdb\x88\x6a\x6a\xaf\xee\xdd\x5f\x65\x2b\xc9\x48\x67\x7c\x9a\x6e\x3a\xcf\xe0\x4a\x15\x19\x05\x3f\x95\xe5\xfc\xf7\x9b\x08\x53\x62\xcd\xac\x6a\xbb\xf8\xf1\x37\x81\xa6\x21\x88\x52\x57\x05\x2b\x12\x00\x45\xda\x2c\x49\x4a\x30\xbc\x6a\xe6\xc4\x16\x0c\xf4\x97\x00\x2a\xf8\xb7\x7e\x21\x68\x93\x24\xbd\x6e\x75\xac\xed\xa7\xcf\x6a\x50\x92\x0b\x2a\xb1", 98); *(uint32_t*)0x20008c2c = 0x87; *(uint32_t*)0x20008c30 = 0x20008b40; *(uint8_t*)0x20008b40 = 0x87; *(uint8_t*)0x20008b41 = 3; memcpy((void*)0x20008b42, "\x15\x08\x37\xb1\xe6\x9e\x50\x07\x39\x8a\xc0\x2c\x4a\x0b\x25\x07\x2d\xaa\x81\xa6\x4a\xf1\x0b\xcd\xc5\x73\x63\x33\xf4\x9c\x92\x1f\x86\xd9\xcb\xc6\xb7\x78\xf1\xd2\x16\x79\xd8\x47\xd5\xb8\xa9\xb7\x0f\xc5\x6b\xb5\xa4\x33\x04\x0a\xfd\x94\x37\x7b\x25\x15\xa5\x5c\xda\x70\xdb\x64\x44\x2a\xda\xe0\x90\x5a\xa9\x0f\x91\x1d\x3b\xee\xf8\x00\xab\x6f\xd8\x7a\x5c\x51\xfd\xa8\xfa\xa7\x50\xd1\x95\xc2\xe6\x57\x24\x97\x81\xc6\xaf\x05\x23\xe0\x49\x2f\x9a\x69\xe2\x27\xe1\x0c\xa0\x31\x0f\x1a\x01\x0f\x8b\x98\x6a\x9a\x05\x53\xa5\x33\x1f\x97\x54\xfc\x90", 133); res = -1; res = syz_usb_connect(3, 0x3f, 0x200088c0, 0x20008c00); if (res != -1) r[25] = res; memcpy((void*)0x20008c40, "\xa6\x90\x8c\x55\x30\x81\x4d\x6a\x6b\xfd\x6d\x6c\x75\x94\xd4\xaf\x8a\x49\x62\xd8\x82\xda\x65\x7b\xb4\x02\xc7\xd0\xae\x45\x35\x16\x81\x60\xdb\xf6\x7b\x82\xf2\x23\xd5\x77\xb0\xe1\x6e\x6a\xc3\xc4\x6a\x40\x15\xa6\xed\x7c\x4f\xa6\x5d\x1d\xba\xa2\x68\xb7\x48\xde\xc4\x67\x74\xec\xa9\x22\x47\x96\x94\x49\xa9\xf5\x9e\x9e\xdd\xe4\xd3\x7e\x7b\xd1\x78\x82\xeb\x00\x5e\x24\xfe\x43\xf5\x76\x54\x00\x0e\xad\xec\x3f\x1d\xe9\x91\x7e\xb2\x8c\x2a\x87\x71\x82\xc4\x7b\x55\x6d", 114); syz_usb_ep_write(r[25], 7, 0x72, 0x20008c40); syz_usbip_server_init(4); } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); 
return 0; } :103:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :90:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :85:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor828220716 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/22 (1.82s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) (fail_nth: 1) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000040)={0x0, 0xe6, "f137161ab86c594202b997d9f12d007021870322c8d909748409951ae9800c1e207f98b769c740f867ea14bbf8666a4f98d229aaafbc33c6c52168db8933c4a4a4a3dd3ce0ccea96e71d81ff4aca8331cb01bf35433853d1abd48fd6d0ce1314df6507bae535a2b4e3eaa74c5d23006594148a0fe5b4a884ef8f41346e49cc90474cb17bac301d4797ed05dfc6ccb74bebaabe549172d622a30605a4e49fd3f8537de5272c33ad4f07cd060577bce65e5c80a34168cde68117e4f900e35a3d888e02ee111752213b40d2af258c01f36de50ce8e83d4226a30d6a4cc43a883f6c20e3fada8ad2"}, &(0x7f0000000140)=0xee) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e22, 0x3, @private2, 0x1}}, [0x7fffffff, 0x1, 0x7fff, 0x4, 0x7, 0x1, 0x3ff, 0x40, 0x5, 0x1, 0x0, 0x7, 0x0, 0x8, 0x1f]}, &(0x7f0000000280)=0xfc) 
setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e20, 0x9, @private2={0xfc, 0x2, '\x00', 0x1}, 0x3}}}, 0x84) r3 = openat$pktcdvd(0xffffff9c, &(0x7f0000000380), 0x0, 0x0) ioctl$MEDIA_REQUEST_IOC_QUEUE(r3, 0x7c80, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x7f, @private0, 0x5}}, 0x5, 0x476f}, 0x88) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_SRVCORE_ACQUIREGLOBALEVENTOBJECT(r3, 0xc0206440, &(0x7f0000000500)={0x1, 0x2, &(0x7f0000000480), &(0x7f00000004c0)={0x0}, 0x4, 0x8}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTQ2_RGXTDMSETTRANSFERCONTEXTPROPERTY(r3, 0xc0206440, &(0x7f00000005c0)={0x8a, 0x7, &(0x7f0000000540)={r4, 0x400}, &(0x7f0000000580), 0x10, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXBREAKPOINT_RGXENABLEBREAKPOINT(r3, 0xc0206440, &(0x7f0000000680)={0x83, 0x2, &(0x7f0000000600)={r4}, &(0x7f0000000640), 0x4, 0x4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@deauth={@wo_ht={{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x240}, @broadcast, @device_a, @random="2015d229785b", {0x8}}, 0x27, @val={0x8c, 0x18, {0xc93, "ffe3240f0484", @long="067ecc39a78a3ea47c22246d391b92c4"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_xfrm_policy_alloc_security\x00') syz_emit_ethernet(0xbc, &(0x7f0000000140)={@dev={'\xaa\xaa\xaa\xaa\xaa', 0x3b}, @broadcast, @void, {@mpls_mc={0x8848, {[{0x8, 0x0, 0x1}, {0x1, 0x0, 0x1}, {0x4, 0x0, 0x1}, {}, {0x0, 0x0, 0x1}], @ipv4=@dccp={{0x15, 0x4, 0x2, 0x33, 0x9a, 0x65, 0x0, 0x7, 0x21, 0x0, @dev={0xac, 0x14, 0x14, 0x1e}, @rand_addr=0x64010101, {[@noop, @end, @timestamp_addr={0x44, 0x1c, 0xe9, 0x1, 0x2, [{@dev={0xac, 0x14, 0x14, 0x28}, 0xf7e}, {@loopback, 0x7fff}, {@private=0xa010101, 0x5}]}, @generic={0x83, 0xe, "db10ac96c2cf817c67fc6d7e"}, @rr={0x7, 0x7, 0x87, [@local]}, @end, 
@ra={0x94, 0x4, 0x7}, @end, @generic={0x44, 0x5, "e0d910"}]}}, {{0x4e20, 0x4e23, 0x4, 0x1, 0xf, 0x0, 0x0, 0x9, 0x5, "d77b5a", 0x7, "c6dd9c"}, "494a1261c05df7372b3c29631b6232d41f19fa8727ecea11ccf1979683ceb144705e12c13fba0e399f08f58397f3ea7bdb746b3dcabe"}}}}}}, &(0x7f0000000200)={0x0, 0x3, [0xf9, 0x208, 0x50c, 0x74d]}) syz_emit_vhci(&(0x7f0000000240)=@HCI_EVENT_PKT={0x4, @HCI_EV_VENDOR={{0xff, 0xc1}, "0626cab051d180b0c2e36c0814bbca7e31d691502e1c7c0eae1a042e7372921a0c6dfccedd81a98f58b9850ba2f68bc25d5cab15a0af010796b5fdfb8a3b35f3eb48ee0c7b2ed287cf469fdec0248e957ef0dd22f3fc6d746e70262c277c016177e56a68031293b56b02c1b6f867d10a3bbf33817b39d487ae0659a68cffb8df46df59a7d104b7c6711d45af1f966d69e635809cf24a70d4c2ea9cc98d37599807148af36b475eb2ce56e027ac751769f8710272d187722ecdf7a8f86d8b977aa8"}}, 0xc4) syz_execute_func(&(0x7f0000000340)="c4c17d6f7072c4e1f9112fc4e3c95d33abc4c2790eb000000000c4e17a12b70c0000000f0156e9c4e10dd55e0cf30f526b000f7e20c4c179e702") syz_extract_tcp_res(&(0x7f0000000380), 0x80000000, 0x100) r5 = dup(0xffffffffffffffff) r6 = fcntl$getown(0xffffffffffffffff, 0x9) lstat(&(0x7f00000026c0)='./file0\x00', &(0x7f0000002700)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000002800)=0x0, &(0x7f0000002840), &(0x7f0000002880)=0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002ac0)={0x2020, 0x0, 0x0, 0x0}, 0x2020) statx(0xffffffffffffffff, &(0x7f0000004b00)='./file0\x00', 0x2000, 0x20, &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004d00)={{{@in6=@ipv4={""/10, ""/2, @private}, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000004e00)=0xe4) r13 = getgid() syz_fuse_handle_req(r5, &(0x7f00000003c0)="", 0x2000, &(0x7f0000004f40)={&(0x7f00000023c0)={0x50, 0x0, 0x3f, {0x7, 0x22, 0x8001, 0x1040000, 0x8, 0xf6e1, 0x8, 0x9}}, &(0x7f0000002440)={0x18, 0x0, 0x9, {0x40d}}, &(0x7f0000002480)={0x18, 0x0, 0x7, {0x7}}, &(0x7f00000024c0)={0x18, 0x0, 0xffff, {0x8}}, 
&(0x7f0000002500)={0x18, 0x0, 0xce0, {0x1c}}, &(0x7f0000002540)={0x28, 0x0, 0x1, {{0x100, 0x5, 0x2, r6}}}, &(0x7f0000002580)={0x60, 0xfffffffffffffffe, 0x8, {{0xcd95, 0x1f, 0x7, 0x48, 0xaac5, 0x6, 0xad, 0x5}}}, &(0x7f0000002600)={0x18, 0xfffffffffffffff5, 0x9, {0x9}}, &(0x7f0000002640)={0x11, 0x0, 0x0, {'\x00'}}, &(0x7f0000002680)={0x20, 0x0, 0x10000}, &(0x7f0000002780)={0x78, 0x0, 0x9, {0x3, 0x0, 0x0, {0x6, 0x0, 0xfffffffffffff20d, 0xfffffffffffffff8, 0x1, 0x3ff, 0x5, 0x9, 0x726, 0x1000, 0x6, r7, 0xee01, 0x7, 0x7}}}, &(0x7f00000028c0)={0x90, 0x0, 0x3, {0x2, 0x2, 0x100000000, 0x61a26b8d, 0x6, 0x2, {0x1, 0x3, 0x1, 0x100000000, 0x3, 0x8f, 0x4, 0x1ff, 0x849, 0x1000, 0x7, r8, 0xffffffffffffffff, 0x5, 0x1f}}}, &(0x7f0000002980)={0x130, 0x0, 0xa00000000000, [{0x4, 0x1, 0x6, 0x9, '\x01\x01\x01\x01\x01\x01'}, {0x6, 0x1, 0x5, 0xfffffffe, '\xaa\xaa\xaa\xaa\xaa'}, {0x1, 0x1ff, 0x3, 0x7, '{#-'}, {0x5, 0x0, 0x2, 0x761, '[#'}, {0x3, 0x0, 0x2, 0x6, '#]'}, {0x1, 0x714, 0x5, 0x3, '*^\\^b'}, {0x5, 0xeb68, 0x4, 0xfffffa80, '--$-'}, {0x6, 0xfffffffffffffeff, 0x1, 0x1, '-'}, {0x1, 0x8, 0x3, 0xf2, '!\\{'}]}, &(0x7f0000004c40)={0xb0, 0x0, 0xcf, [{{0x1, 0x1, 0x3, 0x100000000, 0x4, 0x81, {0x5, 0x7f, 0x5, 0x6, 0xffff, 0x3, 0x1f, 0x3, 0x8, 0xc000, 0xf5c8, r10, r11, 0x2, 0x9}}, {0x4, 0x80, 0x5, 0x2, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000004e40)={0xa0, 0x0, 0x400, {{0x6, 0x2, 0x400, 0x7, 0x4, 0x9, {0x4, 0x1000, 0xffff, 0x6, 0x1, 0xffff, 0x65f, 0x647c2b8f, 0x400, 0x8000, 0x8, r12, r13, 0x3, 0x6b}}, {0x0, 0xd}}}, &(0x7f0000004f00)={0x20, 0x0, 0x800, {0x0, 0x0, 0x10001}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004f80), r5) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r14 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x343, &(0x7f0000004fc0)={0x0, 0x5004, 0x0, 0x1, 0x1de, 0x0, r14}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000005040)=0x0, &(0x7f0000005080)=0x0) r17 = openat$uinput(0xffffff9c, &(0x7f00000050c0), 0x2, 0x0) r18 = 
openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000005100), 0x488200, 0x0) syz_io_uring_submit(r15, r16, &(0x7f0000005140)=@IORING_OP_SPLICE={0x1e, 0x3, 0x0, @fd=r14, 0x200, {0x0, r17}, 0x6, 0x1, 0x0, {0x0, 0x0, r18}}, 0x3dd1) r19 = openat$keychord(0xffffff9c, &(0x7f0000005180), 0x171000, 0x0) r20 = openat$ubi_ctrl(0xffffff9c, &(0x7f00000051c0), 0x10400, 0x0) syz_kvm_setup_cpu$arm64(r19, r20, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005240)=[{0x0, &(0x7f0000005200)="4623d8a4ce0217c9e59555c166890679e3e0c1940df5b9fcbf91649ef54d80f0c8bcc80e36b5574c4bc9f943401854f56aa2", 0x32}], 0x1, 0x0, &(0x7f0000005280)=[@featur2], 0x1) r21 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x8000, r18, 0x0) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000052c0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005300), &(0x7f0000005340)='./file0\x00', 0xfd, 0x2, &(0x7f0000005540)=[{&(0x7f0000005380)="873519f25df082b371ba5b45adb5709c00805747c37fe044064595cd4728bf8980302b25b4b083b42b41336e130f1b6ff0a2f172498e522b4fe5826eababf53a9852f93ebeb841e1645f32936127029d68fe73eced89c1b93587012a47c42a583d6975592b3f2cdf4337fc6d5e85e5f5835fafe095935ec90484e9081aa8d22498431301baad4a34368c26c64d85326c7e00682178f8d13e6a8969f15b9d5dbcfec2c0e69680c3928ca015b92e25f5078de354fe32cc7121609a0762e1b73efd8967a2fe235e4d1ef9e5ac88bc1ed706a984641b06470b2294d045ce7eba51c0728938a2c6eeb6d8574429cc24bcb2a784", 0xf1, 0x40}, {&(0x7f0000005480)="62935bfe26e9c9f2dc3c3e9dfb491858efb598369bcca51923989ba943cf447baf56625df0f685ed2d034b37c07563f668728f6dc6833609b1221970e55088869d29c01b2dd05c4820b08042b5074008c9757712c480e25d89b9c48e957e5b5c7b0beccfb1fcccedbcedc83806038075fc2a0f8228beb47f1fece09bddcbbe0021abe9c3d198369b81b67dbd6a7d334b8d28b802cc97d934c164e97d9d7b70dc6c", 0xa1, 0x1ff}], 0x8800, &(0x7f0000005580)={[{'\xaa\xaa\xaa\xaa\xaa'}, {}, {':&-]!'}, {'}'}, {',-V'}, {'\\*})'}, {'*^\\^b'}], [{@appraise}, {@fowner_lt={'fowner<', r8}}, {@smackfshat={'smackfshat', 0x3d, 
'\xaa\xaa\xaa\xaa\xaa'}}, {@obj_type={'obj_type', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@dont_appraise}, {@dont_measure}, {@fowner_lt={'fowner<', r9}}, {@dont_appraise}]}) syz_open_dev$I2C(&(0x7f0000005640), 0x40, 0x300) syz_open_procfs(r6, &(0x7f0000005680)='net/if_inet6\x00') syz_open_pts(r19, 0x800) syz_read_part_table(0x9, 0x9, &(0x7f0000006c40)=[{&(0x7f00000056c0)="", 0x1000, 0x8001}, {&(0x7f00000066c0)="31e3c3fa6d99", 0x6, 0x3ff}, {&(0x7f0000006700)="39de863b7148208e432fcddbd9e9148e716c1b48a3967c870c70145d90ed681b3f8bce849fee7f50091570854e20103723e56454e711543f6e2be92c34090d8cc792260be9b960c1e4", 0x49, 0x9}, {&(0x7f0000006780)="17fad571f80fecd34a59bc03f6c02bbd6d56cd8d958924b4ae4189b88b85897efd4e596e1118bb0c771c2c5ba37ded06d78111390c1c80cf6ea9df8727f88559815ed76b36fa13fb4d08e1ccdad7973b5bec5655a74a671fde99ee92397c56d409dadb10c4c37ee92cb41d03ae6fb164e7f86985039128d38be83b5e16c35ee34eb2b8396c5348028781a0a879f88159740ab89705d637bedafa915f195a152597fa0d7da9b76476602c6eeefca1e80a6d3d0ed1a75b00f7a5e153dd851e2301c8daa7d49b4ad91c62d1a6967f54cf9621c240ed587192f69959e05407850ce3831c4e811e6fff1cdf93cfabde887358316881845356d7", 0xf7, 0x26}, {&(0x7f0000006880)="c286968e2238742a47e0e8d444a6a661b7708222f4eddab97a749dcebe2cc83a314b828795f915a36d873b714aef15ddb1b4f62f06800bbe85eaebcb76abe944719249ee7927c88e78a968e93f45c52013ef97ef6f989b1d1cd30fff88677962c8f3052ad0a4631e4e750ba80f3753916c2dffc6a4023cdb62a1b5f2afbb965b2f78c5dd47af90b002da1a26a24fcb99bf81fb29574a2f98107a7937639873b95f4a569a0406cc358b46efae587e9008be69d711ae202c22e29a2f615fd23dcf", 0xc0}, {&(0x7f0000006940)="97fc4dd9db673e16fd0f0eb9a4a26e2a49f42e1616190b0634dfd6135145f4e451bbbad56dadf266964eba7d1007c0a23f8cf03d4f8fe09a7989152b7cf2ec30f2693a06befdf023d79f48c208d742c7b75915bcc1be583517ced3b826b97075e62a8ed12dbb264807c6ffd0227614491fb9de0d8a925a2638c31608de405bbf79e96f171fd58338b1d6979d33a7dae8ad62f2ba53fefc3c", 0x98, 0x20}, 
{&(0x7f0000006a00)="77d8d606bfb424e7b995809ab4f559115fd82e972d98b651dfc69b10df600fb4f78efd586f9cc26edc41b1d2fac87efe59e262411f27a94cf796ed31236b457ca0f147530efbd4cfa6b6a0fee46c25abcf7ad8282aae5299e299799cd52d0a58d7ff9dddd0103724c88da92dbefab6248038abef9ec52264afc74825f7ea70b2ca95d6900f9b647a3f986e18287cb2bf4b4c19efc8c218fd905c3727c86c37026bfbde3af078eb07b798e6d3d8f2e4d5d3bc188cdd20f2ebb1461c5e53b05f2989ffac3b168dee56da0fc011974c660e400ae2d8b2c80acb231581ee91763129b2888aeb12", 0xe5, 0x800}, {&(0x7f0000006b00)="560c1bea71b0f97244fa386d26bf6b1b04308e4bc7fffa", 0x17, 0x80000001}, {&(0x7f0000006b40)="14e55a14a7953387ee55333c1d1694ca98c7999b49788642766805d6f5a290eb1e959ee35a740459e13300262f2af9c357f7a8c1cba187e448bc3c8f865cc9be88624fb0f0d0bb885d9cc2abe171a2478a7420db22e8607e3fbec7e2601d9e11086cfa8cf14d99676b679d8d6bf1dd4faab8fe9a5f4e3f695fe2e6abf09f702683802d44cc3a298255c4c59533731ff5b23e053afb716d58cad667686ee647f48e199c9b5c3d0d2d470f2ce1c5b8b5708ae023ad9880caf31d01f96aebbfcc7df95358a016c5471cc2ce2ced6105057c9d22c8167890ca19", 0xd8, 0x400}]) syz_usb_connect(0x2, 0x6c6, &(0x7f0000006cc0)={{0x12, 0x1, 0x200, 0x62, 0xa5, 0xbe, 0x10, 0x2833, 0x211, 0x37a4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6b4, 0x1, 0x20, 0x0, 0xa0, 0x1, [{{0x9, 0x4, 0xdf, 0x0, 0x10, 0xff, 0x1, 0x0, 0x5, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x1, 0x1}]}, @cdc_ecm={{0x9, 0x24, 0x6, 0x0, 0x0, "fd506508"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x40000000, 0x8, 0x4cc5, 0x7f}, [@network_terminal={0x7, 0x24, 0xa, 0x8, 0x3f, 0x0, 0x81}, @country_functional={0x10, 0x24, 0x7, 0x80, 0x5, [0x44, 0x2, 0x800, 0x101, 0x4]}, @acm={0x4, 0x24, 0x2, 0x4}, @mbim_extended={0x8, 0x24, 0x1c, 0x0, 0xc0, 0x5325}, @ncm={0x6, 0x24, 0x1a, 0x7f}]}], [{{0x9, 0x5, 0x5, 0x0, 0xa716c6d63b98b5a2, 0x6, 0x0, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xe9, 0xf000}]}}, {{0x9, 0x5, 0xe, 0x2, 0x200, 0x8, 0x7, 0x40}}, {{0x9, 0x5, 0x0, 0x10605a5c87a92a7e, 0x200, 0x8, 0x3, 0x1, [@generic={0x9b, 0x21, 
"f2ef0a5c069cdb319138e185061d7e196ae94e535d80f27666fba23b374325f15dc5f20812fe05b0620f6ffcb81003b1f39c5dcd1bff14e2bbeb387335a3534f5adb60ffc4f28595c8f992f77fd5f67a04842b9c4364e3556be9bacb8fd56ed77859291153f6c566026363bfa5f2e6ff2fa6d29317f2d562445364939915a75dd7365f6ab9c15ddbc7c3a45f7eb98fd1fea3551bbd46f20a87"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x3ff, 0x1, 0x20, 0xef, [@generic={0xec, 0x6, "f642246a5372991db97e5824a410e28300d3bd153638f6dac6e1189a0c560a0a0e5f8b15e07879ac95016515202646a7b5b5fc74b7cd40d515b2849d8c1dd9ae4fca16c2e6cf0e8a20ce54f05fa123c019208cb34b5ee561c274ea40a7b34e5813a4a29be40817eb1f7b3e9bef60f7c56657481236b93e2c297f17c776b98f1d0c8f2a56447766c7288ba6b1e385b84a516a98ab729ba70e31fee3aab101d590a4481ae5856326c6825b73c7ae7d3b99cb3c59db31a12726234b900584e8db779352188d12c932d4aacb59eef33d33b9550510cf2b49da747e031c83117b511a1bb93ed76c716e6a0254"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x40}]}}, {{0x9, 0x5, 0x1, 0x0, 0x100, 0xfe, 0x8, 0x37, [@generic={0xe9, 0x23, "1a0e3542857d49ea63b7261ebfc19f14272e284d2665d2795e43f6f9ca62776c9ee52d991879d7d67b4d8b270fd51598beac1c0339b2257ad68c1dde54885ae2d219b87cde159a9897c88bda26e08a3691055022739c1fe64adb98639dc25421c449cf364800c4c365062f2488e6901e56e62f4b703eae7af26298a1eee1bfe62d9b2ae35320ae2baf174e94ff55321097be81e0279f5d0aa84dd18ca0864d98d0edbbeaa19ddf3626fd83a2e2b5f676a734d4784b3c6877fd1bb3c9543df7abda9bd9c9be405949747e21073c18957fff0eaac0273cfd3f702cb65597949a172726f7e459536c"}, @generic={0x18, 0x10, "a0289017f3f433f11059489a61115823e1138ae84a34"}]}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0x67, 0x3, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x80, 0x2e6}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x48, 0x35, 0x8, [@generic={0xe5, 0x5, 
"30efe9c1a6e5c89c2031214c60fbbeaa4578091e38009c761d15774802934cfd36355b3518ccfe59fa5e7ccee3c13ac4affbe073e0e788c9b5e32216efbf02e35869d7b233a389f812bfd849433c328466eda5e0e3237529cdc65e4eee743d31ffc186a1fe794bdf1364f31eaeff39829e8f6144850d7470cc71572d1f2f23dccdbcdd99e4930de7edbf59b338db3490305fd7710257980b7f76b8daeacb2ad618131fb9b5a3e026c9ddbd69483cd794caad29f2e3b63124a952b462de0cd951d7efd9b3b29107b641417e7783d90159137fa5273a95e0cc46c97c2246e611acb14b4d"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x8, 0x0, 0x33, 0x9}}, {{0x9, 0x5, 0x2, 0xc, 0x400, 0xed, 0x7, 0x9, [@generic={0x84, 0x31, "ee4cd219154df491c4d32aa32112cff407511b06b17f743409ecc216c31e92cefa2b5cc59e634d7aeba2c9e5e36d8efadc0255172518f909b4e1a7daf4d988b1eeaf196c76ee902b657d12fc23c21e176cd149e98a8d8d5755b74fed1a4284bcfd6e6961951ff8216f7bb42f790edd539c1bc5bbac44f767a685c57cbbdec830c52c"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x1, 0xfe01}]}}, {{0x9, 0x5, 0x3, 0x0, 0x40, 0x2, 0x5, 0x3}}, {{0x9, 0x5, 0x0, 0x0, 0x400, 0x0, 0x2f, 0x4}}, {{0x9, 0x5, 0x8f, 0x8, 0x8, 0x81, 0x1, 0x7f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xfb}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0x40, 0x76, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x31, 0x8}]}}, {{0x9, 0x5, 0xf, 0x10, 0x3ff, 0x6, 0xb2, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x80, 0x6}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x6, 0xca, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x10, 0x400, 0x1, 0xfc, 0x4, [@generic={0xd4, 0x21, "28a1dfa1d28f9ae60d0a8e9e3c512db35369d479fa6e6aa099e267e1ced77ca2e180b429779023a872b0ef8807e11f8b8b21b811d4fe5527335ce86e3a95cdf960d1e79e88c276c174d183d2f3bc0862dd7e1d29ac589ceb22024e25a44c3e8123581d1448fd2db5332fe41c23f9aa959564f32db1da14610415ddc293dc57c9d6c775d22151bdab236a5a73592e5518055728ae819e25c080cbb9bf0203b6639b8fd8d716d9c571d6b260ea297733d53c3a05449b9b9221d0f402610c9837189f9c6ab3baaf031d48692690c9981cee1426"}, @generic={0xc3, 0x6, 
"60ed98576fbbbee3db67d535ea7e1a19d92d689e2f03308a615a5641e72e694d996f76c1111c88c507c39a87f34a3682dafbfe583b79f5b950a30614162c605f7e6c5d452b4f84a145f20bf4470ddf43f06c415dc6c41551fd458ba6aedf57d74cb85a25e43324814b62c3be4108b1ea5b9dd22a78a45cdf5d8f27c11f35026bf7ef10c7d1f0615fe1c44a302a84d88b8d6c2d85049c9f48a04b4e61801c017f609b673fc8290f7362a0ed35882a335b657f835fce8e20100cde82c1a3dc180611"}]}}]}}]}}]}}, &(0x7f0000007740)={0xa, &(0x7f00000073c0)={0xa, 0x6, 0x310, 0x5, 0x80, 0xff, 0xbf, 0x5}, 0x5, &(0x7f0000007400)={0x5, 0xf, 0x5}, 0x5, [{0xa8, &(0x7f0000007440)=@string={0xa8, 0x3, "0584bddc149671f9e6c6cd123b796cafe2eb5d2bd3cf65e3eb0f3a601aba7164713d4042653f2cca182207d4e7ffa8bc71e705aa48bcff03fddd2e3e6bebe11cb61f95faf14afdf29440021e851fb682aa24e624e833952db6d1f96aa7edfc74ce501359694c7583eb5e48dfe227d2105d5e3d2359e3c728a48adff09b1132f928893ceefae67700983be1ca94e818e7a1463c802f1fc2a72d40900933403d7b255a35d9dc33"}}, {0x4, &(0x7f0000007500)=@lang_id={0x4, 0x3, 0x42c}}, {0xf4, &(0x7f0000007540)=@string={0xf4, 0x3, "1c537117dc720af3ccf108687c86cb544bc885379e435dbb861bc9a01550592e6008ae94a1f98317ad9cd804016b079b5ec294dcaf4537cf5b68c3c4353754caf369ba34101cbd21926b15cef67ab63ead40abfbef867b372fe2781866f87a2dccf98ffe66531c1d5021406c69ce84b439130cac71f52564b7c8fa621d71d5ff001517593f059da0cb82f1fd5e327df9abec4946e34e20d3f1df8f4a0422f9bb538949b4a14d1b3afd6793e81d3ba596d16d8cee0e700314e531e602fe5cb832b22c7a2f9f36f39d053876478157d541e8c0977a9acaf691f1234f665d234f82ee90ff8982d9c1371a15ddc8ed2392dd5a96"}}, {0x98, &(0x7f0000007640)=@string={0x98, 0x3, "078cbefd67796b8d00c6a027e5d07bc3b00756acafb9096e3e381a99fdbe8a5161ca19a9628d61baefd6972b48f5e04b0fa6e2b99cca8df5b50dbd97d656c02f8583a58ce8cbd35c69fb3f86de0ddac90f5be8d4f04a3ad4f31293b509959139bea0f3067d0ebfa3c5b210e1993078b0ae929561fc7734869b3dd8d812c00a3035236166a31227ae291e696ab4f81f4e3f02d6b2f334"}}, {0x4, &(0x7f0000007700)=@lang_id={0x4, 0x3, 0x43e}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007780)={{0x12, 0x1, 0x200, 0xff, 
0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f00000079c0)={0x18, &(0x7f0000007800)={0x20, 0x11, 0xb7, {0xb7, 0x9, "72f591ba5c694f16a4d92075ef3ec8bc46920954799ec8d3c0308f3b4779da6e18e9824a86746d013a399afc7f6fceb6c37f7f131c71ebc001f666ea63ed3ade132009735a546622f9e639d481c967cc7b5b747cc5e62fdc41bbb4bb95878a442cc49111c0f57886f17077a1b4b22e3cf28eecb798feed6f168dd9cc2646f8b79ed41bba94de9e304fc845179a7321f04784aa917ba08405b0a95b8303d914ef8e374780dd8e3437c95c35764cd063e7a3ec6d790b"}}, &(0x7f00000078c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x813}}, &(0x7f0000007900)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x18, 0x8, 0x0, 0x3}]}}, &(0x7f0000007940)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7, 0x80, 0x6, 0xe0, "8402487c", "8056a3ff"}}, &(0x7f0000007980)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xa7, 0x2, 0x7d, 0x0, 0x80, 0x7, 0x6}}}, &(0x7f0000007e80)={0x44, &(0x7f0000007a00)={0x40, 0x10, 0x8c, "21b83825059f24506d8e842085d1f2e7f964471b20ed0a8e50a9aa4ef16b5a6f2dbb2b570a4f8d13d60e47bb7821ff912111dee40a78d42b4d13ea812d929ccf3964c5468f89d2d21630ec87067a2d13f45238b446bf57c6b9ec35578fa587fc77fe2108b1590be081681ccc024f1f590be9e5bec9ea86b9803c60299dda1a82f8ff04428671a43bc2c3393a"}, &(0x7f0000007ac0)={0x0, 0xa, 0x1, 0x4}, &(0x7f0000007b00)={0x0, 0x8, 0x1, 0xfb}, &(0x7f0000007b40)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000007b80)={0x20, 0x0, 0x4, {0x140, 0x20}}, &(0x7f0000007bc0)={0x40, 0x7, 0x2, 0x3ff}, &(0x7f0000007c00)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000007c40)={0x40, 0xb, 0x2, "8a02"}, &(0x7f0000007c80)={0x40, 0xf, 0x2, 0x321a}, &(0x7f0000007cc0)={0x40, 0x13, 0x6, @link_local}, &(0x7f0000007d00)={0x40, 0x17, 0x6, @random="b0fe281fa391"}, &(0x7f0000007d40)={0x40, 0x19, 0x2, '#7'}, &(0x7f0000007d80)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000007dc0)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007e00)={0x40, 0x1e, 0x1, 0x6}, &(0x7f0000007e40)={0x40, 0x21, 0x1, 0x9e}}) r23 = syz_usb_connect$cdc_ecm(0x2, 0x5f, 
&(0x7f0000007f00)={{0x12, 0x1, 0x70, 0x2, 0x0, 0x0, 0x50, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4d, 0x1, 0x1, 0x2, 0x70, 0x40, [{{0x9, 0x4, 0x0, 0xc4, 0x3, 0x2, 0x6, 0x0, 0xe1, {{0x8, 0x24, 0x6, 0x0, 0x0, 'W?s'}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x200, 0x0, 0x200, 0x3}, [@ncm={0x6, 0x24, 0x1a, 0x1000}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x3f, 0x0, 0xd8}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0xff, 0xec, 0x5}}, {{0x9, 0x5, 0x3, 0x2, 0x3cf, 0x81, 0x39, 0x5}}}}}]}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f80)={0xa, 0x6, 0x0, 0x2, 0x20, 0x77, 0xff, 0x2f}, 0x5, &(0x7f0000007fc0)={0x5, 0xf, 0x5}, 0x5, [{0x69, &(0x7f0000008000)=@string={0x69, 0x3, "d25a9c8f1452a3c6ffbfeca8eb777935b58c9b7406775086fff717b54f05ac59f94517ff3cd6f3101dbfa79bb82ae31b1d316d08a71d14fc2c1cfa8c893068bde2bb830ae91fc94288cc232aaac0e64b84007b0e7536c3ec34edef04ded93421a377e0695326aa"}}, {0xac, &(0x7f0000008080)=@string={0xac, 0x3, "7360609ce8300ae4623308d5f8b97bfd50d3d863408b8ea401c86da9d42ce5f3867ce8d721fb2ab5c25f6b4c5e85f5eaf341bd514a16c2dfe3c7a1d7f427ae62c0bff379e84d56637ec1377b8c8ad5b55b099cfaa4a7a6eeb0589f81e7a43300eff53354e1b2bdcdc34d7945d63562e48d5ed93bef75fd0160fcd7c3a6be7f0c642bb6e561e35a1c73110bdcded7699865e25eb238cf8f3b10ad3c10488028c37063c8862f907b06829e"}}, {0x4, &(0x7f0000008140)=@lang_id={0x4, 0x3, 0x81a}}, {0x4, &(0x7f0000008180)=@lang_id={0x4, 0x3, 0x180a}}, {0xb9, &(0x7f00000081c0)=@string={0xb9, 0x3, "37efeb854b4051a46c67aee7eaa0f62fde9f599cd5ba25329d50aee16b30c6c1a514831081afc1dfd2682ff48716a91bf95e084212b0696d43e1c6c43adaf9ed3ef70e62735994d2d0865139604988fac17978d9c05a84f3423831dd1dddc6c94d50ddd674f16525bbf9a8db3bb49001be38a19670abd99f4a2e97cfb20d46c637832a3ec97ff094c6a3304964b72bcf116bf27fedd5521ad3da226297fff849c33c5d849e3e3037527901eef63a599baa54fc46a46ff1"}}]}) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ecm(0x3, 0xc5, &(0x7f00000082c0)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xb3, 0x1, 0x1, 0x6, 
0x28, 0xff, [{{0x9, 0x4, 0x0, 0x9, 0x2, 0x2, 0x6, 0x0, 0x4, {{0x6, 0x24, 0x6, 0x0, 0x0, "b1"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9208, 0x2, 0x0, 0x20}, [@mdlm_detail={0x5e, 0x24, 0x13, 0x7, "63b0b95377147ba214d950fc04b22c04be09d9b96f1ab94bb02e8a2a9e23cf7d3acab22a80ed350ec4b17806edcb169e5075373d991780211392eb3d9f1173a539843bf2c3f66a4a6960a55a2207767db3c55a7dd2898b5ccb40"}, @mbim={0xc, 0x24, 0x1b, 0x2a, 0x100, 0xe0, 0x76, 0x0, 0xff}, @acm={0x4, 0x24, 0x2, 0xa}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x73, 0x35, 0x3f}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0x3, 0x1, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x40, 0x2}}}}}]}}]}}, &(0x7f00000087c0)={0xa, &(0x7f00000083c0)={0xa, 0x6, 0x201, 0x79, 0x3, 0x3f, 0x20, 0x6}, 0x37, &(0x7f0000008400)={0x5, 0xf, 0x37, 0x5, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0xa, 0x6, 0x5}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x1, 0x9, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0xa737ee064a5fddc9, 0x7, 0x7, 0x0, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x0, 0x6, 0x6}, @ssp_cap={0x10, 0x10, 0xa, 0x1, 0x1, 0x8001, 0xf00f, 0xfffd, [0x3fc0]}]}, 0x9, [{0x4f, &(0x7f0000008440)=@string={0x4f, 0x3, "c0663b116dab9ba5c0a2f7a2ad486ffc164a4365899565c5e99b015239f378df56db4dc3b0bb08dcd208d958fa3cf08097aa208b2d2865b502cbc94b1a8e33bdd9d6481fbf32d4913422fe189f"}}, {0x85, &(0x7f00000084c0)=@string={0x85, 0x3, "c9c487a90be3d40ef782373d785f86bdfc3db6fb0dd0a7440b2fe4595c3a6bd67aa8518d897a8a757d5f1ceb86e598cabf2345f771c3c7128bd16dd4b1ee9b7dbcaf611e97f6dcb9f171e8f7052b0f33e631bfe99ddc4413e5e5d7b634dcc3b77e4d301f89a8d3b851b02306cabec211127a8e541d162636588ff574de82de8f307d43"}}, {0x4, &(0x7f0000008580)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f00000085c0)=@lang_id={0x4}}, {0xaa, &(0x7f0000008600)=@string={0xaa, 0x3, 
"ce395e8e9f409a37daeb1c20be9ca4004ae810cf1653eccd6e663dd74f8bc06989b4d1a65c9f480bd37e9dd85349f298ddaddc2cc9e4eda147f231402e116fb594a63718d821d885ebd67eda451558b1fba3093ecbd40cbe5fbe07f94ed927d8e5039a7c497aa8d1f10a4ddac049ad820f8c532c5a3f00947955032423922e95aa5bfee041f7fe8744ecc4424057eec97040b341d0dddcaf206da6431e987f04cfd55802cad3a114"}}, {0x4, &(0x7f00000086c0)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000008700)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000008740)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000008780)=@lang_id={0x4, 0x3, 0x1c}}]}) syz_usb_ep_read(r24, 0x8, 0x7d, &(0x7f0000008840)=""/125) r25 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f00000088c0)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x10, 0x56a, 0x62, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0xf0, 0x8e, [{{0x9, 0x4, 0x0, 0x5, 0x1, 0x3, 0x1, 0x2, 0x0, {0x9, 0x21, 0x3, 0xf, 0x1, {0x22, 0xa21}}, {{{0x9, 0x5, 0x81, 0x3, 0x3af, 0x1, 0x40, 0x2}}, [{{0x9, 0x5, 0x2, 0x3, 0x10, 0x6, 0x1, 0x9}}]}}}]}}]}}, &(0x7f0000008c00)={0xa, &(0x7f0000008900)={0xa, 0x6, 0x250, 0x3, 0x1, 0x46, 0xff, 0x20}, 0x34, &(0x7f0000008940)={0x5, 0xf, 0x34, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0xfa, 0x8, 0x80, 0x5, 0x3}, @ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x9, 0xf00f, 0x0, [0xffc00f, 0xff00c0, 0x101ffc0, 0xff0030, 0x30, 0x30]}]}, 0x4, [{0xed, &(0x7f0000008980)=@string={0xed, 0x3, "e7db914ef4a71a3aba443ee181c272e7fbb63648a997754b81a1938f52b9fd8c2b76ca28ee1fcba280021fbe02ffa03ea753f2d51b71f1cb9391ea31faabf8ed37a9853b87eebaa0a1269696e65e309ea4bf7755ff1b99280fd68230d7d899d097e16ee0b224de57339439c80ad7fbf8bbf32aa00e29802bde1c8c5e6228fa0a54c8350ef997112f763e17428fb8e95a56689595f30a3c16151809b0c6b1d4d4766510c6f066fe4b35a3ea90d388d1b4d4e9c6b30971e237e23fd205f9905ee7d79f4443707adc7f65ce2b15994daac7b954353fb23201844122710531879c6291c7dfbf6be454b9cf2f2e"}}, {0x4, &(0x7f0000008a80)=@lang_id={0x4, 0x3, 0x410}}, {0x64, &(0x7f0000008ac0)=@string={0x64, 0x3, 
"041c8b1bd143ea1d63829b769ddb886a6aafeedd5f652bc948677c9a6e3acfe04a1519053f95e5fcf79b085362cdac6abbf8f13781a621885257052b120045da2c494a30bc6ae6c4160cf497002af8b77e21689324bd6e75aceda7cf6a50920b2ab1"}}, {0x87, &(0x7f0000008b40)=@string={0x87, 0x3, "150837b1e69e5007398ac02c4a0b25072daa81a64af10bcdc5736333f49c921f86d9cbc6b778f1d21679d847d5b8a9b70fc56bb5a433040afd94377b2515a55cda70db64442adae0905aa90f911d3beef800ab6fd87a5c51fda8faa750d195c2e657249781c6af0523e0492f9a69e227e10ca0310f1a010f8b986a9a0553a5331f9754fc90"}}]}) syz_usb_ep_write(r25, 0x7, 0x72, &(0x7f0000008c40)="a6908c5530814d6a6bfd6d6c7594d4af8a4962d882da657bb402c7d0ae4535168160dbf67b82f223d577b0e16e6ac3c46a4015a6ed7c4fa65d1dbaa268b748dec46774eca92247969449a9f59e9edde4d37e7bd17882eb005e24fe43f57654000eadec3f1de9917eb28c2a877182c47b556d") syz_usbip_server_init(0x4) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; 
pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if 
(__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; 
} if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; 
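uint8_t* ssid; int ssid_len; };

/*
 * Bring the named network interface up (on != 0) or down (on == 0).
 *
 * Reads the current flags with SIOCGIFFLAGS on a short-lived AF_INET datagram
 * socket, sets or clears IFF_UP, and writes them back with SIOCSIFFLAGS.
 *
 * Returns 0 on success, -1 if the name does not fit in ifr_name, the socket
 * cannot be created, or either ioctl fails.
 */
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	/*
	 * ifr_name is a fixed-size array and the name arrives unchecked, so a
	 * name that does not fit (terminating NUL included) is rejected here
	 * instead of being copied past the end of the stack object.
	 */
	size_t name_len = strnlen(interface_name, sizeof(ifr.ifr_name));
	if (name_len >= sizeof(ifr.ifr_name))
		return -1;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0)
		return -1;
	memset(&ifr, 0, sizeof(ifr));
	/* ifr was zeroed just above, so the copied name stays NUL-terminated. */
	memcpy(ifr.ifr_name, interface_name, name_len);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0)
		return -1;
	return 0;
}

/*
 * Send an NL80211_CMD_SET_INTERFACE request for interface `ifindex`, carrying
 * NL80211_ATTR_IFINDEX and NL80211_ATTR_IFTYPE.
 *
 * The message is built in `nlmsg` and sent on `sock` through netlink_send(),
 * whose result is returned unchanged.
 */
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	return netlink_send(nlmsg, sock);
}

/*
 * Send an NL80211_CMD_JOIN_IBSS request for interface `ifindex` using the
 * SSID and frequency in `props`.
 *
 * NL80211_ATTR_MAC (ETH_ALEN bytes) is added only when props->mac is set, and
 * the zero-length NL80211_ATTR_FREQ_FIXED attribute only when
 * props->wiphy_freq_fixed is true. Returns the result of netlink_send().
 *
 * NOTE(review): props->ssid_len is forwarded unchecked, and netlink_attr()
 * copies that many bytes into the fixed-size nlmsg buffer before any bounds
 * check runs; confirm the caller limits it.
 */
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	return netlink_send(nlmsg, sock);
}

static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if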
(sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t 
cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) exit(1); int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, 
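"%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; }

/* Value the BTF header's magic field is compared against. */
#define BTF_MAGIC 0xeB9F

/*
 * Header at the start of the BTF blob. syz_btf_id_by_name() checks `magic`,
 * uses hdr_len + type_off and hdr_len + str_off to locate the type and string
 * sections, and uses type_len as the bound for walking the type section.
 */
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

/* Kind is bits 24..27 of btf_type.info; vlen is its low 16 bits. */
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)

/* BTF kinds that are followed by extra per-type data in the type section. */
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

/* Fixed-size record that starts every entry of the type section. */
struct btf_type {
	__u32 name_off; /* offset of the type's name in the string section */
	__u32 info; /* decoded with BTF_INFO_KIND / BTF_INFO_VLEN */
	union {
		__u32 size;
		__u32 type;
	};
};

/* Trailing records; only their sizes are used when skipping over a type. */
struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

/* Size of the static buffer; a blob of this size or larger is rejected. */
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/*
 * Return a cached in-memory copy of /sys/kernel/btf/vmlinux.
 *
 * The file is read into a static buffer on the first successful call; later
 * calls return that buffer without touching the file again. Returns NULL if
 * the file cannot be opened, a read fails, or the data would fill the whole
 * buffer. The descriptor is closed on every path, so a failed attempt that is
 * retried does not leak one descriptor per call.
 *
 * NOTE(review): is_read and buf are plain statics with no synchronization
 * visible here; confirm concurrent callers cannot race on the first read.
 */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		/* A completely full buffer is treated as "too large", not as success. */
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	close(fd);
	is_read = true;
	return buf;
}

static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while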
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = 
index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct 
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
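USB_RAW_IOCTL_EVENT_FETCH, event); }
// ^ tail of usb_raw_event_fetch(), which opens on the previous line of the listing.

// The helpers below are one-line wrappers around the raw-gadget ioctls; each
// returns the ioctl() result unchanged.

// Issues USB_RAW_IOCTL_EP0_WRITE with `io` on `fd`.
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

// Issues USB_RAW_IOCTL_EP0_READ with `io` on `fd`.
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

// Issues USB_RAW_IOCTL_EP_WRITE with `io` on `fd`.
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

// Issues USB_RAW_IOCTL_EP_READ with `io` on `fd`.
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

// Issues USB_RAW_IOCTL_EP_ENABLE for the endpoint descriptor `desc`.
// set_interface() stores a non-negative result as the endpoint handle.
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

// Issues USB_RAW_IOCTL_EP_DISABLE; `ep` is passed by value as the ioctl argument.
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

// Issues USB_RAW_IOCTL_CONFIGURE on `fd`.
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

// Issues USB_RAW_IOCTL_VBUS_DRAW; `power` is passed by value as the ioctl argument.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

// Issues USB_RAW_IOCTL_EP0_STALL on `fd`.
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces of the entry whose bInterfaceNumber and
// bAlternateSetting both match, or -1 when `fd` has no usb index or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;

	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the stored handle of the endpoint with address `bEndpointAddress` on
// the current interface (index->iface_cur), or -1 when `fd` has no usb index,
// no interface is current, or no endpoint of that interface has this address.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	// The scan is bounded by eps_num. The loop condition used to be the bare
	// count, so with a non-zero count and no matching address `ep` kept growing
	// and eps[] was read past its populated entries.
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	}
	return -1;
}

// Switches the emulated device to interface position `n`: every endpoint of the
// current interface is disabled, then, if `n` is within [0, ifaces_num), each
// endpoint of interface `n` is enabled, the returned handle is recorded and `n`
// becomes current. Failures of the enable/disable ioctls are ignored.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;

	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
			if (rv < 0) {
			} else {
			}
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv < 0) {
				// The handle keeps its previous value when the enable fails.
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}

// Applies index->bMaxPower through USB_RAW_IOCTL_VBUS_DRAW, issues
// USB_RAW_IOCTL_CONFIGURE and selects interface position 0.
// Returns 0 on success, -1 when `fd` has no usb index, or the failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;

	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

// Event buffer: the raw event header followed by the control request and room
// for USB_MAX_PACKET_SIZE bytes of payload.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

// I/O buffer: the raw endpoint I/O header followed by USB_MAX_PACKET_SIZE bytes of data.
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Opens /dev/raw-gadget (via usb_raw_open), registers the device description
// `dev` for the new fd, starts the gadget on "dummy_udc.<procid>" and answers
// control requests until `lookup_connect_response_out` reports `done`.
//
// IN requests are answered from `descs` through lookup_connect_response_in();
// OUT requests are accepted or rejected by `lookup_connect_response_out`.
// A request with no answer stalls endpoint 0 and the loop continues.
//
// Returns the gadget fd on success, or a negative value on failure.
// NOTE(review): every failure return after usb_raw_open() other than the
// MAX_FDS check leaves `fd` open; confirm that this is intended.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev,
					  const struct vusb_connect_descriptors* descs,
					  lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}

	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}

	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}

	char device[32];
	// Bounded formatting; the name is "dummy_udc." followed by procid in decimal.
	snprintf(&device[0], sizeof(device), "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}

	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		// Only the control request itself is fetched during connect.
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;

		char* response_data = NULL;
		uint32_t response_length = 0;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}

		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}

		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// A length that does not fit response.data is dropped to 0 rather than
		// truncated; the result is then capped at the host's wLength. Both checks
		// come before the memcpy/memset below, which trust response_length.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);

		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}

	sleep_ms(200);
	return fd;
}

// syz_usb_connect pseudo-syscall: a0 = speed, a1 = length of the device
// description, a2 = pointer to the description, a3 = pointer to the connect
// descriptors. OUT requests are handled by lookup_connect_response_out_generic.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// Same as syz_usb_connect, but OUT requests are handled by
// lookup_connect_response_out_ath9k.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// syz_usb_control_io pseudo-syscall: a0 = gadget fd, a1 = descriptor table,
// a2 = response table. Fetches one event and, if it is a control request,
// answers it: an IN request with non-zero wLength is answered from the tables
// through lookup_control_response() (endpoint 0 is stalled and -1 returned when
// nothing matches); any other request is completed with an EP0 read.
// Returns 0 on success, -1 or a negative ioctl result on failure.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;

	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}

	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): with `||` every standard-type request, and any request of
		// another type whose bRequest equals USB_REQ_SET_INTERFACE, is treated as
		// SET_INTERFACE here; `&&` looks like the intent. Left unchanged; confirm.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}

	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Same clamping as in syz_usb_connect_impl: oversize becomes 0, then cap at wLength.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		// IN request with wLength == 0 takes the read path below with a full-size buffer.
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}

	sleep_ms(200);
	return 0;
}

// syz_usb_ep_write pseudo-syscall: a0 = gadget fd, a1 = endpoint address,
// a2 = byte count, a3 = source buffer. The count is truncated to the size of
// the local I/O buffer before the copy. Returns 0 on success, -1 when the
// endpoint is not found, or the negative ioctl result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);

	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}

	sleep_ms(200);
	return 0;
}

// syz_usb_ep_read pseudo-syscall: a0 = gadget fd, a1 = endpoint address,
// a2 = byte count, a3 = destination buffer. The count is truncated to the size
// of the local I/O buffer. Returns 0 on success, -1 when the endpoint is not
// found, or the negative ioctl result.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;

	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}

	// Copies inner.length bytes, not the count in rv.
	// NOTE(review): if rv can be smaller than the requested length, the tail of
	// this copy is uninitialised stack data; confirm which count is intended.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);

	sleep_ms(200);
	return 0;
}

// syz_usb_disconnect pseudo-syscall: closes the gadget fd and returns close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;

	int rv = close(fd);

	sleep_ms(200);
	return rv;
}

// syz_open_dev() opens here and continues on the next line of the listing; its text is kept as listed.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? 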
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } #define BTPROTO_HCI 1 #define ACL_LINK 1 #define SCAN_PAGE 2 typedef struct { uint8_t b[6]; } __attribute__((packed)) bdaddr_t; #define HCI_COMMAND_PKT 1 #define HCI_EVENT_PKT 4 #define HCI_VENDOR_PKT 0xff struct hci_command_hdr { uint16_t opcode; uint8_t plen; } __attribute__((packed)); struct hci_event_hdr { uint8_t evt; uint8_t plen; } __attribute__((packed)); #define HCI_EV_CONN_COMPLETE 0x03 struct hci_ev_conn_complete { uint8_t status; uint16_t handle; bdaddr_t bdaddr; uint8_t link_type; uint8_t encr_mode; } __attribute__((packed)); #define HCI_EV_CONN_REQUEST 0x04 struct hci_ev_conn_request { bdaddr_t bdaddr; uint8_t dev_class[3]; uint8_t link_type; } __attribute__((packed)); #define 
HCI_EV_REMOTE_FEATURES 0x0b struct hci_ev_remote_features { uint8_t status; uint16_t handle; uint8_t features[8]; } __attribute__((packed)); #define HCI_EV_CMD_COMPLETE 0x0e struct hci_ev_cmd_complete { uint8_t ncmd; uint16_t opcode; } __attribute__((packed)); #define HCI_OP_WRITE_SCAN_ENABLE 0x0c1a #define HCI_OP_READ_BUFFER_SIZE 0x1005 struct hci_rp_read_buffer_size { uint8_t status; uint16_t acl_mtu; uint8_t sco_mtu; uint16_t acl_max_pkt; uint16_t sco_max_pkt; } __attribute__((packed)); #define HCI_OP_READ_BD_ADDR 0x1009 struct hci_rp_read_bd_addr { uint8_t status; bdaddr_t bdaddr; } __attribute__((packed)); #define HCI_EV_LE_META 0x3e struct hci_ev_le_meta { uint8_t subevent; } __attribute__((packed)); #define HCI_EV_LE_CONN_COMPLETE 0x01 struct hci_ev_le_conn_complete { uint8_t status; uint16_t handle; uint8_t role; uint8_t bdaddr_type; bdaddr_t bdaddr; uint16_t interval; uint16_t latency; uint16_t supervision_timeout; uint8_t clk_accurancy; } __attribute__((packed)); struct hci_dev_req { uint16_t dev_id; uint32_t dev_opt; }; struct vhci_vendor_pkt { uint8_t type; uint8_t opcode; uint16_t id; }; #define HCIDEVUP _IOW('H', 201, int) #define HCISETSCAN _IOW('H', 221, int) static int vhci_fd = -1; static void rfkill_unblock_all() { int fd = open("/dev/rfkill", O_WRONLY); if (fd < 0) exit(1); struct rfkill_event event = {0}; event.idx = 0; event.type = RFKILL_TYPE_ALL; event.op = RFKILL_OP_CHANGE_ALL; event.soft = 0; event.hard = 0; if (write(fd, &event, sizeof(event)) < 0) exit(1); close(fd); } static void hci_send_event_packet(int fd, uint8_t evt, void* data, size_t data_len) { struct iovec iv[3]; struct hci_event_hdr hdr; hdr.evt = evt; hdr.plen = data_len; uint8_t type = HCI_EVENT_PKT; iv[0].iov_base = &type; iv[0].iov_len = sizeof(type); iv[1].iov_base = &hdr; iv[1].iov_len = sizeof(hdr); iv[2].iov_base = data; iv[2].iov_len = data_len; if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0) exit(1); } static void hci_send_event_cmd_complete(int fd, 
uint16_t opcode, void* data, size_t data_len) { struct iovec iv[4]; struct hci_event_hdr hdr; hdr.evt = HCI_EV_CMD_COMPLETE; hdr.plen = sizeof(struct hci_ev_cmd_complete) + data_len; struct hci_ev_cmd_complete evt_hdr; evt_hdr.ncmd = 1; evt_hdr.opcode = opcode; uint8_t type = HCI_EVENT_PKT; iv[0].iov_base = &type; iv[0].iov_len = sizeof(type); iv[1].iov_base = &hdr; iv[1].iov_len = sizeof(hdr); iv[2].iov_base = &evt_hdr; iv[2].iov_len = sizeof(evt_hdr); iv[3].iov_base = data; iv[3].iov_len = data_len; if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0) exit(1); } static bool process_command_pkt(int fd, char* buf, ssize_t buf_size) { struct hci_command_hdr* hdr = (struct hci_command_hdr*)buf; if (buf_size < (ssize_t)sizeof(struct hci_command_hdr) || hdr->plen != buf_size - sizeof(struct hci_command_hdr)) exit(1); switch (hdr->opcode) { case HCI_OP_WRITE_SCAN_ENABLE: { uint8_t status = 0; hci_send_event_cmd_complete(fd, hdr->opcode, &status, sizeof(status)); return true; } case HCI_OP_READ_BD_ADDR: { struct hci_rp_read_bd_addr rp = {0}; rp.status = 0; memset(&rp.bdaddr, 0xaa, 6); hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp)); return false; } case HCI_OP_READ_BUFFER_SIZE: { struct hci_rp_read_buffer_size rp = {0}; rp.status = 0; rp.acl_mtu = 1021; rp.sco_mtu = 96; rp.acl_max_pkt = 4; rp.sco_max_pkt = 6; hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp)); return false; } } char dummy[0xf9] = {0}; hci_send_event_cmd_complete(fd, hdr->opcode, dummy, sizeof(dummy)); return false; } static void* event_thread(void* arg) { while (1) { char buf[1024] = {0}; ssize_t buf_size = read(vhci_fd, buf, sizeof(buf)); if (buf_size < 0) exit(1); if (buf_size > 0 && buf[0] == HCI_COMMAND_PKT) { if (process_command_pkt(vhci_fd, buf + 1, buf_size - 1)) break; } } return NULL; } #define HCI_HANDLE_1 200 #define HCI_HANDLE_2 201 static void initialize_vhci() { int hci_sock = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI); if (hci_sock < 0) exit(1); vhci_fd = 
open("/dev/vhci", O_RDWR); if (vhci_fd == -1) exit(1); const int kVhciFd = 241; if (dup2(vhci_fd, kVhciFd) < 0) exit(1); close(vhci_fd); vhci_fd = kVhciFd; struct vhci_vendor_pkt vendor_pkt; if (read(vhci_fd, &vendor_pkt, sizeof(vendor_pkt)) != sizeof(vendor_pkt)) exit(1); if (vendor_pkt.type != HCI_VENDOR_PKT) exit(1); pthread_t th; if (pthread_create(&th, NULL, event_thread, NULL)) exit(1); int ret = ioctl(hci_sock, HCIDEVUP, vendor_pkt.id); if (ret) { if (errno == ERFKILL) { rfkill_unblock_all(); ret = ioctl(hci_sock, HCIDEVUP, vendor_pkt.id); } if (ret && errno != EALREADY) exit(1); } struct hci_dev_req dr = {0}; dr.dev_id = vendor_pkt.id; dr.dev_opt = SCAN_PAGE; if (ioctl(hci_sock, HCISETSCAN, &dr)) exit(1); struct hci_ev_conn_request request; memset(&request, 0, sizeof(request)); memset(&request.bdaddr, 0xaa, 6); *(uint8_t*)&request.bdaddr.b[5] = 0x10; request.link_type = ACL_LINK; hci_send_event_packet(vhci_fd, HCI_EV_CONN_REQUEST, &request, sizeof(request)); struct hci_ev_conn_complete complete; memset(&complete, 0, sizeof(complete)); complete.status = 0; complete.handle = HCI_HANDLE_1; memset(&complete.bdaddr, 0xaa, 6); *(uint8_t*)&complete.bdaddr.b[5] = 0x10; complete.link_type = ACL_LINK; complete.encr_mode = 0; hci_send_event_packet(vhci_fd, HCI_EV_CONN_COMPLETE, &complete, sizeof(complete)); struct hci_ev_remote_features features; memset(&features, 0, sizeof(features)); features.status = 0; features.handle = HCI_HANDLE_1; hci_send_event_packet(vhci_fd, HCI_EV_REMOTE_FEATURES, &features, sizeof(features)); struct { struct hci_ev_le_meta le_meta; struct hci_ev_le_conn_complete le_conn; } le_conn; memset(&le_conn, 0, sizeof(le_conn)); le_conn.le_meta.subevent = HCI_EV_LE_CONN_COMPLETE; memset(&le_conn.le_conn.bdaddr, 0xaa, 6); *(uint8_t*)&le_conn.le_conn.bdaddr.b[5] = 0x11; le_conn.le_conn.role = 1; le_conn.le_conn.handle = HCI_HANDLE_2; hci_send_event_packet(vhci_fd, HCI_EV_LE_META, &le_conn, sizeof(le_conn)); pthread_join(th, NULL); close(hci_sock); } 
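// syz_emit_vhci pseudo-syscall: writes a1 bytes from the buffer at a0 to
// vhci_fd and returns write()'s result, or (uintptr_t)-1 while vhci_fd is negative.
static long syz_emit_vhci(volatile long a0, volatile long a1)
{
	if (vhci_fd < 0)
		return (uintptr_t)-1;

	char* data = (char*)a0;
	uint32_t length = a1;

	return write(vhci_fd, data, length);
}

// syz_genetlink_get_family_id pseudo-syscall: queries the generic netlink
// family id for `name` through netlink_query_family_id().
// A negative sock_arg means "no socket supplied": a NETLINK_GENERIC socket is
// opened for the query and closed afterwards, and `dofail` is passed as true.
// Returns the id, or -1 on any failure.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}

	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	// Close only the socket opened above, never a caller-supplied one.
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

// One piece of a filesystem image: `size` bytes at `data`, placed at byte `offset`.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

// Sanitises the first min(nsegs, IMAGE_MAX_SEGMENTS) segments in place so that
// each one lies inside [0, IMAGE_MAX_SIZE], and returns the image size: the
// requested `size`, raised to cover the end of every sanitised segment and
// capped at IMAGE_MAX_SIZE. The clamp of `nsegs` is local to this function.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// A segment ends at offset + size. The sum used here was offset + offset,
		// which ignores the segment length. After the clamps above the end never
		// exceeds IMAGE_MAX_SIZE, so the addition cannot wrap.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Builds an in-memory image from `segs` and attaches it to the loop device
// `loopname`: a memfd is created and sized, each segment is written at its
// offset (write errors are ignored), and the memfd is bound with LOOP_SET_FD.
// If the device is busy it is cleared once and the bind is retried.
// On success stores both descriptors through memfd_p/loopfd_p and returns 0;
// on failure closes what was opened, sets errno and returns -1.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;

	size = fs_image_segment_check(size, nsegs, segs);
	// fs_image_segment_check() sanitises only the first IMAGE_MAX_SEGMENTS
	// entries, so no more than that many are written below; later entries would
	// carry unchecked sizes and offsets into pwrite().
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;

	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}

	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// Busy: detach whatever is bound, wait briefly and try once more.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}

	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// syz_read_part_table pseudo-syscall: attaches the image described by
// size/nsegs/segments to /dev/loop<procid>, sets LO_FLAGS_PARTSCAN on it and
// symlinks each partition node /dev/loop<procid>p1..p7 that exists to
// ./file0, ./file1, ... in the current directory. The loop device is detached
// and both descriptors are closed before returning.
// Returns 0 on success, -1 with errno set on failure.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];

	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;

	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;

	// `i` walks the partition numbers, `j` numbers the links actually created.
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}

error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	close(memfd);
	errno = err;
	return res;
}

// syz_mount_image() opens here and continues on the next line of the listing; its text is kept as listed.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, 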
&memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef 
struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); initialize_vhci(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 
0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, MNT_DETACH)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static 
void setup_fault()
{
  // Configures the kernel fault-injection knobs under /sys/kernel/debug.
  // write_file() is defined outside this excerpt; a false return is treated as
  // failure. Only the failslab entry is fatal, the others are optional.
  static struct {
    const char* file;
    const char* val;
    bool fatal;
  } files[] = {
      {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
      {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
  };
  unsigned i;
  for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
    if (!write_file(files[i].file, files[i].val)) {
      if (files[i].fatal)
        exit(1);
    }
  }
}

// Smallest read buffer syz_fuse_handle_req accepts.
#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes as used by syz_fuse_handle_req below.
// The values 7 and 19 are not assigned in this list.
enum fuse_opcode {
  FUSE_LOOKUP = 1,
  FUSE_FORGET = 2,
  FUSE_GETATTR = 3,
  FUSE_SETATTR = 4,
  FUSE_READLINK = 5,
  FUSE_SYMLINK = 6,
  FUSE_MKNOD = 8,
  FUSE_MKDIR = 9,
  FUSE_UNLINK = 10,
  FUSE_RMDIR = 11,
  FUSE_RENAME = 12,
  FUSE_LINK = 13,
  FUSE_OPEN = 14,
  FUSE_READ = 15,
  FUSE_WRITE = 16,
  FUSE_STATFS = 17,
  FUSE_RELEASE = 18,
  FUSE_FSYNC = 20,
  FUSE_SETXATTR = 21,
  FUSE_GETXATTR = 22,
  FUSE_LISTXATTR = 23,
  FUSE_REMOVEXATTR = 24,
  FUSE_FLUSH = 25,
  FUSE_INIT = 26,
  FUSE_OPENDIR = 27,
  FUSE_READDIR = 28,
  FUSE_RELEASEDIR = 29,
  FUSE_FSYNCDIR = 30,
  FUSE_GETLK = 31,
  FUSE_SETLK = 32,
  FUSE_SETLKW = 33,
  FUSE_ACCESS = 34,
  FUSE_CREATE = 35,
  FUSE_INTERRUPT = 36,
  FUSE_BMAP = 37,
  FUSE_DESTROY = 38,
  FUSE_IOCTL = 39,
  FUSE_POLL = 40,
  FUSE_NOTIFY_REPLY = 41,
  FUSE_BATCH_FORGET = 42,
  FUSE_FALLOCATE = 43,
  FUSE_READDIRPLUS = 44,
  FUSE_RENAME2 = 45,
  FUSE_LSEEK = 46,
  FUSE_COPY_FILE_RANGE = 47,
  FUSE_SETUPMAPPING = 48,
  FUSE_REMOVEMAPPING = 49,
  CUSE_INIT = 4096,
  CUSE_INIT_BSWAP_RESERVED = 1048576,
  FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header at the start of every request read from the FUSE fd.
struct fuse_in_header {
  uint32_t len;
  uint32_t opcode;
  uint64_t unique;
  uint64_t nodeid;
  uint32_t uid;
  uint32_t gid;
  uint32_t pid;
  uint32_t padding;
};

// Header at the start of every reply written to the FUSE fd.
struct fuse_out_header {
  uint32_t len;
  uint32_t error;
  uint64_t unique;
};

// Table of pre-built replies supplied by the test program, one pointer per
// reply shape. A NULL entry makes the handler return -1 for the matching
// opcodes (see fuse_send_response).
struct syz_fuse_req_out {
  struct fuse_out_header* init;
  struct fuse_out_header* lseek;
  struct fuse_out_header* bmap;
  struct fuse_out_header* poll;
  struct
      fuse_out_header* getxattr;
  struct fuse_out_header* lk;
  struct fuse_out_header* statfs;
  struct fuse_out_header* write;
  struct fuse_out_header* read;
  struct fuse_out_header* open;
  struct fuse_out_header* attr;
  struct fuse_out_header* entry;
  struct fuse_out_header* dirent;
  struct fuse_out_header* direntplus;
  struct fuse_out_header* create_open;
  struct fuse_out_header* ioctl;
};

// Writes the prepared reply `out_hdr` for the request `in_hdr` to the FUSE fd.
// Returns -1 when there is no reply buffer or write() fails, 0 otherwise.
// The byte count is out_hdr->len as found in the reply buffer; it is not
// bounded here, so the buffer has to be at least that long.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
  if (!out_hdr) {
    return -1;
  }
  // The kernel matches replies to requests by this id.
  out_hdr->unique = in_hdr->unique;
  if (write(fd, out_hdr, out_hdr->len) == -1) {
    return -1;
  }
  return 0;
}

// Reads one request from a FUSE fd and answers it with the matching canned reply.
//   a0: FUSE file descriptor
//   a1: read buffer
//   a2: size of the read buffer, must be at least FUSE_MIN_READ_BUFFER
//   a3: pointer to a struct syz_fuse_req_out with the replies
// Returns 0 on success (including FORGET requests, which get no reply) and -1
// on any error or for an opcode that is not handled.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
  struct fuse_out_header* out_hdr = NULL;
  char* buf = (char*)a1;
  int buf_len = (int)a2;
  int fd = (int)a0;
  if (!req_out) {
    return -1;
  }
  if (buf_len < FUSE_MIN_READ_BUFFER) {
    return -1;
  }
  int ret = read(fd, buf, buf_len);
  if (ret == -1) {
    return -1;
  }
  // The header is only interpreted once a full fuse_in_header was read ...
  if ((size_t)ret < sizeof(struct fuse_in_header)) {
    return -1;
  }
  const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
  // ... and its declared length must not exceed what was actually read.
  if (in_hdr->len > (uint32_t)ret) {
    return -1;
  }
  switch (in_hdr->opcode) {
  case FUSE_GETATTR:
  case FUSE_SETATTR:
    out_hdr = req_out->attr;
    break;
  case FUSE_LOOKUP:
  case FUSE_SYMLINK:
  case FUSE_LINK:
  case FUSE_MKNOD:
  case FUSE_MKDIR:
    out_hdr = req_out->entry;
    break;
  case FUSE_OPEN:
  case FUSE_OPENDIR:
    out_hdr = req_out->open;
    break;
  case FUSE_STATFS:
    out_hdr = req_out->statfs;
    break;
  // Requests answered with a bare header.
  case FUSE_RMDIR:
  case FUSE_RENAME:
  case FUSE_RENAME2:
  case FUSE_FALLOCATE:
  case FUSE_SETXATTR:
  case FUSE_REMOVEXATTR:
  case FUSE_FSYNCDIR:
  case FUSE_FSYNC:
  case FUSE_SETLKW:
  case FUSE_SETLK:
  case FUSE_ACCESS:
  case FUSE_FLUSH:
  case FUSE_RELEASE:
  case FUSE_RELEASEDIR:
  case FUSE_UNLINK:
  case FUSE_DESTROY:
    out_hdr = req_out->init;
    if (!out_hdr) {
      return -1;
    }
    // NOTE(review): this overwrites len in the shared init reply buffer, so a
    // FUSE_INIT handled afterwards is sent with the header-only length too.
    out_hdr->len = sizeof(struct fuse_out_header);
    break;
  case FUSE_READ:
    out_hdr = req_out->read;
    break;
  case FUSE_READDIR:
    out_hdr = req_out->dirent;
    break;
  case FUSE_READDIRPLUS:
    out_hdr = req_out->direntplus;
    break;
  case FUSE_INIT:
    out_hdr = req_out->init;
    break;
  case FUSE_LSEEK:
    out_hdr = req_out->lseek;
    break;
  case FUSE_GETLK:
    out_hdr = req_out->lk;
    break;
  case FUSE_BMAP:
    out_hdr = req_out->bmap;
    break;
  case FUSE_POLL:
    out_hdr = req_out->poll;
    break;
  case FUSE_GETXATTR:
  case FUSE_LISTXATTR:
    out_hdr = req_out->getxattr;
    break;
  case FUSE_WRITE:
  case FUSE_COPY_FILE_RANGE:
    out_hdr = req_out->write;
    break;
  // No reply is sent for these.
  case FUSE_FORGET:
  case FUSE_BATCH_FORGET:
    return 0;
  case FUSE_CREATE:
    out_hdr = req_out->create_open;
    break;
  case FUSE_IOCTL:
    out_hdr = req_out->ioctl;
    break;
  // Every other opcode in enum fuse_opcode ends up here.
  default:
    return -1;
  }
  return fuse_send_response(fd, in_hdr, out_hdr);
}

// Netlink attribute ids used for mac80211_hwsim messages below.
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
// Upper bound on the frame length syz_80211_inject_frame accepts.
#define WIFI_MAX_INJECT_LEN 2048

// Sends a HWSIM_CMD_REGISTER generic-netlink message on `sock`.
// Returns the result of netlink_send() (negative on error). The netlink_*
// helpers are defined outside this excerpt.
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = HWSIM_CMD_REGISTER;
  netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
  int err = netlink_send(nlmsg, sock);
  // Empty on purpose: the error is only passed on to the caller.
  if (err < 0) {
  }
  return err;
}

// Sends a HWSIM_CMD_FRAME message carrying `len` bytes of `data` addressed to
// the receiver `mac_addr` (ETH_ALEN bytes), with the default RX rate and
// signal. Returns the result of netlink_send() (negative on error).
// `len` is not checked here; the visible caller bounds it beforehand.
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
  struct genlmsghdr genlhdr;
  uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
  uint32_t signal = WIFI_DEFAULT_SIGNAL;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = HWSIM_CMD_FRAME;
  netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
  netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
  netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
  netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
  int err = netlink_send(nlmsg, sock);
  // Empty on purpose: the error is only passed on to the caller.
  if (err < 0) {
  }
  return err;
}

// Injects one 802.11 frame through mac80211_hwsim.
//   a0: pointer to the receiver MAC address
//   a1: pointer to the frame bytes
//   a2: frame length, must be within 0..WIFI_MAX_INJECT_LEN
// Returns 0 on success, -1 on any failure. The parameter list continues on the
// next line.
static long syz_80211_inject_frame(volatile long a0, volatile long a1,
volatile long a2)
{
  // a0 is the receiver MAC address, a1 the frame bytes, a2 the frame length.
  uint8_t* mac_addr = (uint8_t*)a0;
  uint8_t* buf = (uint8_t*)a1;
  int buf_len = (int)a2;
  struct nlmsg tmp_msg;
  // Reject lengths outside 0..WIFI_MAX_INJECT_LEN before anything is sent.
  if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
    return -1;
  }
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock < 0) {
    return -1;
  }
  // The family id is used without a check here; netlink_query_family_id() is
  // defined outside this excerpt and is called with `true` as its last
  // argument, presumably making a failed lookup fatal - TODO confirm.
  int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
  int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
  if (ret < 0) {
    close(sock);
    return -1;
  }
  ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
  // The socket is closed on every path once it has been opened.
  close(sock);
  if (ret < 0) {
    return -1;
  }
  return 0;
}

// Longest SSID syz_80211_join_ibss accepts.
#define WIFI_MAX_SSID_LEN 32
// Values of the `mode` argument of syz_80211_join_ibss.
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Puts a wireless interface into an IBSS (ad-hoc) network via nl80211.
//   a0: interface name
//   a1: pointer to the SSID bytes
//   a2: SSID length, must be within 0..WIFI_MAX_SSID_LEN
//   a3: one of the WIFI_JOIN_IBSS_* modes
// Returns 0 on success, -1 on invalid arguments or any failure.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  char* interface = (char*)a0;
  uint8_t* ssid = (uint8_t*)a1;
  int ssid_len = (int)a2;
  int mode = (int)a3;
  struct nlmsg tmp_msg;
  uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
  if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
    return -1;
  }
  if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
    return -1;
  }
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock < 0) {
    return -1;
  }
  // As in syz_80211_inject_frame, the family id is used unchecked here.
  int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
  struct join_ibss_props ibss_props = {
      .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
      // The frequency is fixed for both "no scan" modes.
      .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
      .mac = bssid,
      .ssid = ssid,
      .ssid_len = ssid_len};
  int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
  close(sock);
  if (ret < 0) {
    return -1;
  }
  // Only the foreground mode waits for the interface to report IF_OPER_UP.
  if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
    ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
    if (ret < 0) {
      return -1;
    }
  }
  return 0;
}

// Calls the address `text` as a function taking no arguments, i.e. runs
// whatever bytes the test program placed there as machine code. The target is
// not validated and runs with the privileges of this process. Returns 0 if the
// call returns.
static long syz_execute_func(volatile long text)
{
  ((void (*)(void))(text))();
  return 0;
}

// State of one worker thread: `created` marks lazy start-up, `call` is the
// index of the call to run, `ready`/`done` hand work over and back.
struct thread_t {
  int created, call;
  event_t ready, done;
};

// Declaration of the worker-thread table; the declarator (threads[16])
// continues on the next line.
static struct thread_t
threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 53; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 38 ? 50 : 0) + (call == 43 ? 3000 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 300 : 0) + (call == 46 ? 3000 : 0) + (call == 47 ? 300 : 0) + (call == 48 ? 3000 : 0) + (call == 49 ? 300 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_dup #define __NR_dup 41 #endif #ifndef __NR_fcntl #define __NR_fcntl 55 #endif #ifndef __NR_getgid #define __NR_getgid 47 #endif #ifndef __NR_getresuid #define __NR_getresuid 165 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_lstat #define __NR_lstat 107 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_read #define __NR_read 3 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[26] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000000 = -1; inject_fault(1); res = syscall(__NR_ioctl, -1, 0x89e2, 0x20000000); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0xe6; memcpy((void*)0x20000048, 
"\xf1\x37\x16\x1a\xb8\x6c\x59\x42\x02\xb9\x97\xd9\xf1\x2d\x00\x70\x21\x87\x03\x22\xc8\xd9\x09\x74\x84\x09\x95\x1a\xe9\x80\x0c\x1e\x20\x7f\x98\xb7\x69\xc7\x40\xf8\x67\xea\x14\xbb\xf8\x66\x6a\x4f\x98\xd2\x29\xaa\xaf\xbc\x33\xc6\xc5\x21\x68\xdb\x89\x33\xc4\xa4\xa4\xa3\xdd\x3c\xe0\xcc\xea\x96\xe7\x1d\x81\xff\x4a\xca\x83\x31\xcb\x01\xbf\x35\x43\x38\x53\xd1\xab\xd4\x8f\xd6\xd0\xce\x13\x14\xdf\x65\x07\xba\xe5\x35\xa2\xb4\xe3\xea\xa7\x4c\x5d\x23\x00\x65\x94\x14\x8a\x0f\xe5\xb4\xa8\x84\xef\x8f\x41\x34\x6e\x49\xcc\x90\x47\x4c\xb1\x7b\xac\x30\x1d\x47\x97\xed\x05\xdf\xc6\xcc\xb7\x4b\xeb\xaa\xbe\x54\x91\x72\xd6\x22\xa3\x06\x05\xa4\xe4\x9f\xd3\xf8\x53\x7d\xe5\x27\x2c\x33\xad\x4f\x07\xcd\x06\x05\x77\xbc\xe6\x5e\x5c\x80\xa3\x41\x68\xcd\xe6\x81\x17\xe4\xf9\x00\xe3\x5a\x3d\x88\x8e\x02\xee\x11\x17\x52\x21\x3b\x40\xd2\xaf\x25\x8c\x01\xf3\x6d\xe5\x0c\xe8\xe8\x3d\x42\x26\xa3\x0d\x6a\x4c\xc4\x3a\x88\x3f\x6c\x20\xe3\xfa\xda\x8a\xd2", 230); *(uint32_t*)0x20000140 = 0xee; res = syscall(__NR_getsockopt, -1, 0x84, 0x1a, 0x20000040, 0x20000140); if (res != -1) r[1] = *(uint32_t*)0x20000040; break; case 2: *(uint32_t*)0x20000180 = r[1]; *(uint16_t*)0x20000184 = 0xa; *(uint16_t*)0x20000186 = htobe16(0x4e22); *(uint32_t*)0x20000188 = htobe32(3); *(uint8_t*)0x2000018c = 0xfc; *(uint8_t*)0x2000018d = 2; memset((void*)0x2000018e, 0, 13); *(uint8_t*)0x2000019b = 0; *(uint32_t*)0x2000019c = 1; *(uint64_t*)0x20000204 = 0x7fffffff; *(uint64_t*)0x2000020c = 1; *(uint64_t*)0x20000214 = 0x7fff; *(uint64_t*)0x2000021c = 4; *(uint64_t*)0x20000224 = 7; *(uint64_t*)0x2000022c = 1; *(uint64_t*)0x20000234 = 0x3ff; *(uint64_t*)0x2000023c = 0x40; *(uint64_t*)0x20000244 = 5; *(uint64_t*)0x2000024c = 1; *(uint64_t*)0x20000254 = 0; *(uint64_t*)0x2000025c = 7; *(uint64_t*)0x20000264 = 0; *(uint64_t*)0x2000026c = 8; *(uint64_t*)0x20000274 = 0x1f; *(uint32_t*)0x20000280 = 0xfc; res = syscall(__NR_getsockopt, (intptr_t)r[0], 0x84, 0x70, 0x20000180, 0x20000280); if (res != -1) r[2] = *(uint32_t*)0x20000180; break; case 3: 
*(uint32_t*)0x200002c0 = r[2]; *(uint16_t*)0x200002c4 = 0xa; *(uint16_t*)0x200002c6 = htobe16(0x4e20); *(uint32_t*)0x200002c8 = htobe32(9); *(uint8_t*)0x200002cc = 0xfc; *(uint8_t*)0x200002cd = 2; memset((void*)0x200002ce, 0, 13); *(uint8_t*)0x200002db = 1; *(uint32_t*)0x200002dc = 3; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 6, 0x200002c0, 0x84); break; case 4: memcpy((void*)0x20000380, "/dev/pktcdvd/control\000", 21); res = syscall(__NR_openat, 0xffffff9c, 0x20000380, 0, 0); if (res != -1) r[3] = res; break; case 5: syscall(__NR_ioctl, (intptr_t)r[3], 0x7c80, 0); break; case 6: *(uint32_t*)0x200003c0 = r[1]; *(uint16_t*)0x200003c4 = 0xa; *(uint16_t*)0x200003c6 = htobe16(0x4e23); *(uint32_t*)0x200003c8 = htobe32(0x7f); *(uint8_t*)0x200003cc = 0xfc; *(uint8_t*)0x200003cd = 0; memset((void*)0x200003ce, 0, 13); *(uint8_t*)0x200003db = 0; *(uint32_t*)0x200003dc = 5; *(uint16_t*)0x20000444 = 5; *(uint16_t*)0x20000446 = 0x476f; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 0x1f, 0x200003c0, 0x88); break; case 7: *(uint32_t*)0x20000500 = 1; *(uint32_t*)0x20000504 = 2; *(uint64_t*)0x20000508 = 0x20000480; *(uint32_t*)0x20000480 = 0; *(uint64_t*)0x20000510 = 0x200004c0; *(uint32_t*)0x20000518 = 4; *(uint32_t*)0x2000051c = 8; res = syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000500); if (res != -1) r[4] = *(uint32_t*)0x200004c0; break; case 8: *(uint32_t*)0x200005c0 = 0x8a; *(uint32_t*)0x200005c4 = 7; *(uint64_t*)0x200005c8 = 0x20000540; *(uint32_t*)0x20000540 = r[4]; *(uint32_t*)0x20000544 = 0x400; *(uint64_t*)0x20000548 = 0; *(uint64_t*)0x200005d0 = 0x20000580; *(uint32_t*)0x200005d8 = 0x10; *(uint32_t*)0x200005dc = 0xc; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x200005c0); break; case 9: *(uint32_t*)0x20000680 = 0x83; *(uint32_t*)0x20000684 = 2; *(uint64_t*)0x20000688 = 0x20000600; *(uint32_t*)0x20000600 = r[4]; *(uint64_t*)0x20000690 = 0x20000640; *(uint32_t*)0x20000698 = 4; *(uint32_t*)0x2000069c = 4; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 
0x20000680); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 0x240, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); memset((void*)0x20000044, 255, 6); *(uint8_t*)0x2000004a = 8; *(uint8_t*)0x2000004b = 2; *(uint8_t*)0x2000004c = 0x11; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; memcpy((void*)0x20000050, "\x20\x15\xd2\x29\x78\x5b", 6); STORE_BY_BITMASK(uint16_t, , 0x20000056, 8, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0, 4, 12); *(uint16_t*)0x20000058 = 0x27; *(uint8_t*)0x2000005a = 0x8c; *(uint8_t*)0x2000005b = 0x18; *(uint16_t*)0x2000005c = 0xc93; memcpy((void*)0x2000005e, "\xff\xe3\x24\x0f\x04\x84", 6); memcpy((void*)0x20000064, "\x06\x7e\xcc\x39\xa7\x8a\x3e\xa4\x7c\x22\x24\x6d\x39\x1b\x92\xc4", 16); syz_80211_inject_frame(0x20000000, 0x20000040, 0x34); break; case 11: memcpy((void*)0x20000080, "wlan1\000", 6); memset((void*)0x200000c0, 1, 6); syz_80211_join_ibss(0x20000080, 0x200000c0, 6, 2); break; case 12: memcpy((void*)0x20000100, "bpf_lsm_xfrm_policy_alloc_security\000", 35); syz_btf_id_by_name(0x20000100); break; case 13: *(uint8_t*)0x20000240 = 4; *(uint8_t*)0x20000241 = -1; *(uint8_t*)0x20000242 = 0xc1; memcpy((void*)0x20000243, 
"\x06\x26\xca\xb0\x51\xd1\x80\xb0\xc2\xe3\x6c\x08\x14\xbb\xca\x7e\x31\xd6\x91\x50\x2e\x1c\x7c\x0e\xae\x1a\x04\x2e\x73\x72\x92\x1a\x0c\x6d\xfc\xce\xdd\x81\xa9\x8f\x58\xb9\x85\x0b\xa2\xf6\x8b\xc2\x5d\x5c\xab\x15\xa0\xaf\x01\x07\x96\xb5\xfd\xfb\x8a\x3b\x35\xf3\xeb\x48\xee\x0c\x7b\x2e\xd2\x87\xcf\x46\x9f\xde\xc0\x24\x8e\x95\x7e\xf0\xdd\x22\xf3\xfc\x6d\x74\x6e\x70\x26\x2c\x27\x7c\x01\x61\x77\xe5\x6a\x68\x03\x12\x93\xb5\x6b\x02\xc1\xb6\xf8\x67\xd1\x0a\x3b\xbf\x33\x81\x7b\x39\xd4\x87\xae\x06\x59\xa6\x8c\xff\xb8\xdf\x46\xdf\x59\xa7\xd1\x04\xb7\xc6\x71\x1d\x45\xaf\x1f\x96\x6d\x69\xe6\x35\x80\x9c\xf2\x4a\x70\xd4\xc2\xea\x9c\xc9\x8d\x37\x59\x98\x07\x14\x8a\xf3\x6b\x47\x5e\xb2\xce\x56\xe0\x27\xac\x75\x17\x69\xf8\x71\x02\x72\xd1\x87\x72\x2e\xcd\xf7\xa8\xf8\x6d\x8b\x97\x7a\xa8", 193); syz_emit_vhci(0x20000240, 0xc4); break; case 14: memcpy((void*)0x20000340, "\xc4\xc1\x7d\x6f\x70\x72\xc4\xe1\xf9\x11\x2f\xc4\xe3\xc9\x5d\x33\xab\xc4\xc2\x79\x0e\xb0\x00\x00\x00\x00\xc4\xe1\x7a\x12\xb7\x0c\x00\x00\x00\x0f\x01\x56\xe9\xc4\xe1\x0d\xd5\x5e\x0c\xf3\x0f\x52\x6b\x00\x0f\x7e\x20\xc4\xc1\x79\xe7\x02", 58); syz_execute_func(0x20000340); break; case 15: res = syscall(__NR_dup, -1); if (res != -1) r[5] = res; break; case 16: res = syscall(__NR_fcntl, -1, 9, 0); if (res != -1) r[6] = res; break; case 17: memcpy((void*)0x200026c0, "./file0\000", 8); res = syscall(__NR_lstat, 0x200026c0, 0x20002700); if (res != -1) r[7] = *(uint32_t*)0x20002710; break; case 18: res = syscall(__NR_getresuid, 0x20002800, 0x20002840, 0x20002880); if (res != -1) { r[8] = *(uint32_t*)0x20002800; r[9] = *(uint32_t*)0x20002880; } break; case 19: res = syscall(__NR_read, -1, 0x20002ac0, 0x2020); if (res != -1) r[10] = *(uint32_t*)0x20002ad0; break; case 20: memcpy((void*)0x20004b00, "./file0\000", 8); res = syscall(__NR_statx, -1, 0x20004b00, 0x2000, 0x20, 0x20004b40); if (res != -1) r[11] = *(uint32_t*)0x20004b58; break; case 21: *(uint32_t*)0x20004e00 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004d00, 
0x20004e00); if (res != -1) r[12] = *(uint32_t*)0x20004d34; break; case 22: res = syscall(__NR_getgid); if (res != -1) r[13] = res; break; case 23: memcpy((void*)0x200003c0, "\x23\x58\x10\x53\x7c\x7f\x88\x6c\xa9\x17\x21\x04\x5f\xf7\xba\xdf\xae\x44\x29\xb2\x52\xcd\x65\x81\x72\xc1\xd0\xd4\x18\xed\x70\x05\x74\x39\xfc\x22\xff\xc7\x7b\x29\x08\x5c\x94\x88\xff\x93\x40\xf8\xa2\xad\xe9\x9b\xf9\xaf\x14\xa3\x57\x25\x7b\x8a\xa6\x9b\x4b\x8e\xff\xe7\xaf\xd6\x87\x6b\x3b\x51\x2b\x86\xfa\x1d\xff\x55\x5c\x6d\xc6\x18\x62\x66\xc9\x1f\xa2\x81\xc9\xdc\x72\xee\x17\xea\xd0\xe2\xa3\xfe\x9f\xf0\x3e\x7c\x32\xd2\x7e\x26\x7f\x5b\xe0\xfd\x6d\x1f\x9e\xfc\x02\xaf\x7f\xe9\xd6\x8d\x75\x55\x19\x20\x1d\xea\x7a\xbe\x68\x10\x53\xab\x98\xf7\x3f\xc0\xc6\xa0\x68\x4e\x91\xb7\x41\xc8\xc9\x45\x1f\x94\x59\xb5\x98\xee\x6f\x4e\xc0\xc9\x1f\x3e\x91\x7a\xf1\xe6\x64\x6f\x3c\x54\xf8\xfa\xf0\x48\x7d\x8e\xcc\xf0\x87\xe2\x8f\x87\x68\xf4\x8a\xe1\x5d\x09\x89\x04\xb3\x25\x42\x85\x70\x2e\x30\x8a\x93\x7d\x5e\x23\xa2\xae\xf3\xc2\x53\x12\x51\x6c\x50\x2d\x5e\x02\x33\x06\x52\x29\xee\x4a\x70\xdb\xc4\x14\x60\x4b\x7f\x05\x5e\xb7\xa2\x72\x48\x03\xe8\x5e\x5b\x4c\xd0\x5a\xf7\x11\xed\x73\x0f\xce\xb8\x1b\xca\xe1\x7a\x49\x67\xaa\x6c\xcf\xf3\xc0\xf4\x96\x6b\x7f\xf3\xd1\x5f\x09\x3e\x94\xeb\x0a\x46\xb7\x0c\x0f\xa5\xb8\x62\x8c\xac\x3c\x31\x01\x9b\xba\x60\x02\x41\x6f\xc6\x66\x1d\x85\x8f\xff\x16\xa9\x62\x15\xb1\xd1\x8a\x87\x7d\x9a\x53\x4a\xc4\x02\x56\xa3\x55\x79\x31\xad\xe2\x7f\x58\x7c\xce\x26\xa2\x0c\x01\x3d\xc6\x7f\x2e\x92\x2a\x52\x68\x9a\xae\xfa\x1b\x06\x4d\x03\xf8\xf6\xa3\x9f\x96\xb0\xde\x1d\x21\x39\x4c\xb6\xc2\x30\x10\xeb\x9e\x4a\x79\x41\x47\x35\xed\x99\x65\x42\x5f\x8a\x01\x00\x84\x96\xdb\xad\x04\x97\xfa\x0d\x65\xac\xec\x59\xff\xa6\xa2\x80\xbc\x58\xe2\xd8\x87\xa1\x0e\x96\x65\xea\xeb\x97\x43\x6e\xbd\xeb\x2b\x58\xa9\xae\x40\xe4\x49\x27\x32\x46\xfd\x99\x67\x53\x9f\x21\x2e\xd8\x96\x9b\x6f\x9a\x49\xd6\x5b\xca\xd2\xdd\x9d\x8e\xe4\x2e\x32\x05\x74\x11\x17\xe4\x31\xd4\x43\xff\x3e\x94\xc4\x7e\x7f\xd6\x27\xd3\x05\x11\xd5\xfb\xce\xc6\xa7\x58\x38\x3d\
x31\x36\x7a\xca\x8e\x3a\xf7\x72\xa1\x02\x11\x05\xab\x2c\x1b\x4a\xa7\x61\x4d\xea\x8c\xfa\x4b\x06\xf5\x3a\xf3\x73\x77\x98\x62\xc9\xbd\xb7\x6e\xf9\x3c\x74\x61\x8e\xee\x73\x47\xa0\x74\xd4\xf7\x1a\x98\x23\x3b\x24\xb2\xa2\x57\x29\xc9\xa1\x98\x3d\x81\x9c\x3f\x42\xd3\x28\xd0\x8f\x0d\x4d\xd1\x64\x2f\x61\xb6\x2a\x89\xfc\x30\x0f\x50\x66\xd8\xe4\x57\xf5\xfd\x49\xda\xa7\x9e\x1b\x1d\x43\xd2\x6f\x89\xf2\xca\x99\x04\x50\xe8\x60\xbc\xc4\x7d\x5c\xf4\x77\x8c\x37\xc4\x51\xed\x22\xd6\x0f\xe2\xbc\xfa\x2c\xaf\xf7\x5c\x41\x70\x99\x0a\x2e\x8e\x21\x87\x19\x7f\x86\x38\xb0\x67\x85\x4c\xcf\x9d\xbe\x91\x58\x6d\xd4\x23\x41\x40\x1c\x4f\xb4\xf3\x13\x30\x66\x8a\xcb\x51\x6e\xba\x22\x27\xcb\xca\x4c\x8f\xa2\xf3\x9a\x03\x52\x1b\xd8\x03\x2f\x5e\x1a\xed\xf4\x9c\x50\xe6\x01\xb9\xfa\xd4\xe0\xd6\xf5\xb5\x93\x2e\xa2\x14\xfd\x50\x84\x85\x70\x3d\x08\x45\x79\x8d\x43\xbd\xbf\xf9\x63\x86\x77\xe6\xa9\x96\xef\xbb\xd1\x93\x6e\x97\x28\x20\x62\x70\x9f\x77\x8b\x45\x5c\xb4\xd2\x00\x13\xf5\xfe\x4c\x9b\xba\x0f\x7c\xfc\x18\x02\xe8\x18\x0f\xb6\xd4\x6f\x51\x76\xd1\xbd\xbb\x43\xd9\x60\xd4\x94\xf3\xa3\x0e\xd7\xab\x4d\xb0\x7d\xe5\xad\x92\x4b\x57\x97\xb5\x09\xf9\x60\x83\xf4\xad\xa9\xfc\xeb\xed\xe1\xeb\x0f\xb0\xdf\xa2\xcd\xc2\x14\x4b\x15\xcf\x4c\x28\x0f\x87\xd1\x18\x7e\x80\x8e\x37\xcd\xef\x53\x75\x52\xe3\x83\xf4\x6c\xcf\xe8\x62\x15\xb2\x07\x15\x39\x85\xe6\xb1\x31\x96\x22\x1f\xde\xa6\xc9\x47\x86\x4d\x12\x14\x7d\x7b\x01\xef\xc3\xdf\x14\x4e\x2c\xaa\x24\xd1\xa4\x78\x2a\x51\xa8\x23\x5c\x4c\x0e\xad\xf0\x44\x0c\x8e\x43\x4a\x4d\x07\x2b\xe5\x84\x55\x47\x17\x5f\x37\xc5\x5f\xdd\xd5\xe7\x84\x95\xac\xe4\x34\xc4\x83\xf2\x8b\xb3\x48\x7a\xd8\xd6\x8b\xd7\x43\x77\xfd\x82\xe1\x7b\xaf\xeb\x06\x2b\x81\xc6\x8e\x8a\x63\x89\xc8\xd8\x10\x79\xe4\xc9\xfa\xa2\xa8\xfc\xf1\x24\x15\xcc\x21\xeb\xcd\x92\xde\x80\x88\x45\x50\x59\x4c\xa6\x4b\x56\xb0\xb4\x24\xa6\x5f\x80\xca\xb1\x64\xb2\xf6\xf2\xf3\x3c\x7a\xea\xa8\xb6\x60\x2e\x71\x83\xb9\xd0\xae\x15\x3a\x17\x03\xb3\x03\x67\x5a\xae\x13\x3b\x3d\xd9\xc6\x46\x67\x7f\x6d\x8a\x49\x2d\xa0\x99\xef\xb4\xa7\xe4\xde\xe3\x92\x81\
x8a\x15\xd6\xbf\x9e\xfb\x07\xee\xad\x5b\x40\xac\x25\xbb\x0f\x00\x92\xf4\xb0\xec\xaf\x0a\xc3\x39\x1b\x3e\xcf\xd0\x63\x5e\xc4\x96\xb8\xb6\x6d\x7a\x45\x1c\x6d\x10\x37\x9c\x15\x29\x1c\x4f\x36\x82\xf0\x5f\xb7\x39\x44\xcd\x1b\xe0\xf0\xfa\x85\x54\x35\x8b\x30\xde\xb7\x38\x69\x31\xae\x95\xeb\x2a\x16\xfa\xed\x24\x5f\xfc\xad\xb3\x94\xac\xdf\x06\x38\xa6\x26\x27\x82\x33\x01\x93\x66\xe2\xec\xd9\xdb\x1a\x4b\x5a\xe2\x7f\xf8\x3d\x7b\x57\x1c\xd7\xff\xc1\x51\xdc\x4d\x0c\xef\x1d\x03\x00\xc9\x8a\x41\x69\x77\x51\x85\x1f\x8e\x05\x24\x9c\xae\x19\x96\x3f\x81\x25\x89\xa7\xd6\x4c\xfa\xb8\x46\x43\x9f\x47\x13\x43\xba\x5e\xff\xac\x9a\x57\xf7\x6d\x0a\xbf\xb9\x5e\x87\x8b\xee\x4c\x94\x24\xf0\xca\x17\x18\x19\x5e\xff\x14\x06\x0a\xcf\xb3\xe0\xdf\x4c\xbc\x56\x0b\xc2\xbe\x9a\xb4\xf0\xa0\xbd\x68\x6f\xe2\x13\xd4\x49\x47\x17\x0e\x68\xe7\x3b\xaa\xdd\x98\x2c\xe2\xd1\x70\xa5\x0d\x1e\xca\x02\x40\xcd\x3c\xec\xe9\xf7\x4d\xa3\xa1\xc1\x47\x6f\xf1\x1f\xa3\x34\xd7\x2c\x18\x50\x6b\x5c\x00\xa4\x41\xea\x2e\x9c\x72\xc7\x6b\x38\x50\x37\xf8\x6c\xa5\x94\xaa\xad\xe9\x87\xa7\x9b\xbd\x3e\x3c\x40\xd0\x00\x7a\x7f\xf8\x52\x99\x05\xb9\x4c\x54\x61\x65\x62\x92\x95\x0b\x41\xc8\x34\x43\xdc\x84\xd6\xfd\xf5\x2e\x44\x97\xed\x68\x04\x98\x1a\xf1\x33\x85\x64\x92\x00\xd8\x93\x09\x3b\xf2\xea\x82\x25\xb3\x89\xc4\xdf\xd2\xe8\x15\xb3\xbd\xf9\xd7\x08\x4d\x29\x00\x9e\xae\x4e\x88\x22\xa5\xb6\xa5\x2a\xa7\x6a\xfd\x95\x1d\x04\xaf\xa8\xe1\x28\x63\x96\xa8\x34\xdc\xf8\xc6\xb5\x7c\xc4\xef\xbc\x0c\x16\x77\x9d\x53\xf0\xbc\xd7\x40\x43\xc0\x6e\xce\xbe\x59\x32\x8d\xcc\xa8\xbb\x61\x05\xaf\x23\x56\x59\x06\xe5\x46\x6c\x73\x11\xb1\xaa\xc6\x76\x2e\x4b\x62\x60\x36\xfe\x31\xd3\xe7\xb0\xfa\x2e\x65\x8c\xa9\x35\x10\x78\xee\xca\x7b\x46\x7e\x11\x8e\x9b\x88\x95\x9d\xe1\xf4\x18\x69\x40\x5a\x83\xbd\xc6\xce\x98\x0c\x72\x9f\x7e\x2a\x46\x0f\xa9\xbe\xe1\x61\xe5\x4d\x27\x1a\x87\x4b\xb4\xd0\xa2\x2c\xd1\xa4\x37\x6d\xe3\x6b\x58\x68\xca\x0e\x10\x93\x3e\x5f\xe2\xf7\x38\x5c\x1a\xf6\x2b\x86\xf8\xe5\xc3\x12\x66\x26\xb8\xbc\x6d\x56\x8f\x62\x1d\xa3\x23\x70\x7e\xa3\x32\xd7\x65\x44\x39\xfb\
xa4\x67\x1d\x0c\xae\xb7\xef\x94\xe2\x5a\x82\x86\xbd\x9a\x19\xa2\x9e\x49\x32\xc7\xdb\x9b\x82\x34\x7d\xa5\x24\x92\xb3\x81\x4a\x44\xb9\x2f\x61\x55\x9c\x22\x65\x4c\x8b\x30\x1a\x8d\xfe\x9d\xae\xae\x0c\xad\xe9\x46\xc0\x66\x6e\x94\xc4\xa6\x35\x3b\xb0\xeb\x21\x37\xd3\x68\x53\xad\x4f\x7a\x20\xa5\x08\x1e\x63\xaf\xee\xce\x20\x3f\xa6\xee\xea\x7f\x62\x9d\x00\x1d\xab\xaf\x5b\x1a\x3c\x67\x61\x51\x7b\xc9\x9a\x8e\x63\xf6\x6c\x01\x88\x49\x27\xb4\xbc\x40\xbc\x34\x19\x0c\x9e\x55\x3c\x69\x0f\xbc\x64\x44\xdd\x8b\xba\x65\x68\x74\xfa\x80\x46\x31\xb5\x6d\x24\x54\x1a\x9b\xd6\xfb\x77\xdb\x49\x03\x76\x9f\x9d\x04\x44\xd0\x8a\x21\xff\x59\xd9\x49\x65\x9d\x80\xb1\x40\x2d\x91\x9a\xc0\xfb\x83\x80\xed\x91\x15\xb6\x69\x3c\x19\x5f\x8f\x1a\x90\xa3\xa4\x22\x35\xd8\xea\x78\x2e\xda\x2b\xf1\x94\xd3\x2f\xbc\xc5\x63\x27\x1a\xfd\xa7\x3d\x70\x96\xa2\xe9\xe4\x67\x54\x1e\x76\x67\xc2\x67\xc5\x95\xe1\x23\x37\x29\x75\x26\x77\x68\xb8\xd1\x6c\xb6\x13\x0e\xae\xbf\x69\x8b\xe7\x6e\xef\xab\xbe\xac\xd5\x9f\x63\x1c\xc1\x04\xf0\x42\x26\x3e\x3e\x29\x62\x59\x79\x69\x72\x1a\x6c\x02\x2a\xba\x14\x11\x2e\x2f\x38\x02\xba\x63\x53\x91\xcd\x1f\x94\x32\x35\x25\xc8\x16\xef\xa9\xe8\x65\x52\x39\x9e\x79\x66\x5f\xf5\x54\xf5\x86\x75\x4f\x72\xd5\x3a\x0d\x94\x75\xc6\x55\x94\x8b\xd1\x3e\xc9\x3d\xd8\xcc\x43\xe5\xb8\x13\xeb\xfe\xa4\xab\xcd\x78\x0e\xed\xb6\x82\xac\x4f\x66\xe1\x68\x47\xf7\x82\x1f\xdc\x40\xda\x07\x3f\x7f\xc5\x9f\xe5\x7c\xa6\xad\x5f\x4d\xdd\x8a\x41\xe8\xaa\xdf\x3e\x21\x78\xcf\x42\x95\xc8\x59\x99\xe2\xc2\xd8\x24\xa0\x8e\xbb\x9a\x9b\x09\xe2\xef\xbf\x9b\x8d\x03\x73\x09\x1e\xa6\x1e\xc6\xaf\x17\xdf\x1e\x71\xac\xeb\x40\x3a\x41\xd3\xba\xfe\xfc\x56\xdc\xff\x18\x60\x23\xe9\xf2\x89\xe6\x1b\x74\x69\x04\xb3\xce\x34\x86\x9b\x53\x27\xc9\x24\xa2\x73\x36\xb2\x16\xd2\x20\x6e\xeb\xa9\xb1\xdf\xdc\xe0\x22\xe3\xa1\x3a\x26\x17\x38\x7f\xb3\xff\x5a\x1d\x0f\x38\xfb\xb9\x06\x3b\xcb\x69\xb5\xe3\x3e\xe4\x57\xef\xe0\x51\xdf\x45\x34\x62\xb7\x18\xd7\xd5\xe7\x80\x31\x04\x71\xa7\x3d\x99\xe2\xeb\x1e\x23\x23\x6c\x74\xb9\x37\x7c\x3e\x0e\xbb\x93\xea\x7a\x6a\x7b\x32\x2c\
x42\x59\x10\x20\x9f\x89\x18\x41\xd6\x5c\xb8\xdb\x3b\x2b\x0d\x51\xd2\x7c\xde\x0c\xa1\x85\xbd\x3b\xf1\xf4\x02\xff\x10\xfc\x61\x1b\x93\xfa\x6f\x94\xeb\xf6\x07\x9a\xc6\xd5\xf3\x0f\xf8\x66\xa4\xdb\xf3\x07\x29\xfc\x3c\xd0\x03\xed\x9e\xee\x6e\x1c\x92\x31\x9a\x8c\x62\x69\xe1\xa7\xdb\xa0\x49\x1d\x27\xb3\x26\x38\x8b\xc3\x2d\x58\xbf\x68\x5e\xc4\x29\xa8\xca\x7a\x12\xb6\x60\x18\x23\x08\x71\x0b\x5a\xa6\x1d\xce\x0a\x14\x3f\xad\x3b\xbc\x1a\x81\xa8\xf8\x14\xee\x37\xb4\x34\xc7\xd7\x29\x33\x1c\xe7\xf7\x2d\xdf\x31\xdc\xa7\x19\xbd\xfa\x04\xc0\x3a\xec\xeb\x4c\x64\x0c\x1c\xdd\xd0\xf0\x11\x37\xbd\x6e\x2f\x7a\xef\xb5\x1b\x02\x10\xb8\xcd\xb2\xcc\xb0\xf5\xd7\x45\x8d\x05\x71\x92\x76\x75\xf1\xbe\xdb\x36\xd0\xbf\x30\xac\x68\xdb\x43\x8f\xfb\xa7\x4a\xca\x62\x37\x25\xf2\x75\x22\x70\x1b\xb6\xc5\xca\x41\x4d\x23\x91\xcd\x53\x3a\x82\xc0\x66\x72\x4c\x6d\x3f\xd6\x8f\xe4\x2a\x83\x4d\xcc\xf5\xbf\x70\x34\x74\x29\xad\x8e\x38\x22\x15\xf7\x2f\xad\x93\x6e\xf9\x49\xbf\x64\xda\xd1\x25\x77\xea\xd0\xdc\x6c\xf2\x71\xbe\x7c\xa8\xe0\xba\xab\xb4\x39\x7f\xf0\x63\xf3\xae\x8e\x74\x12\x10\xc6\xa3\xab\x3b\x44\x2b\xa8\xfb\x16\xf2\x28\xc5\xda\xfe\xb1\xb4\x40\x82\x7d\xef\xbc\x48\xf5\xcb\xce\xb2\x74\x07\x55\xc9\x85\xd0\x60\xe8\x2c\x86\xc7\x32\xbb\xd5\x60\x88\x35\x91\xa1\xac\x05\x82\x99\xf1\x7f\x2e\x2a\x12\x85\x60\x28\x0b\xa0\x89\xe8\x4c\x34\x65\x45\x2a\x65\x07\xa6\x3f\x88\x49\x44\xa8\x3a\x21\xd2\x6c\x8e\x49\x8f\xf5\xdb\xd4\x89\xc6\x9c\xa7\x85\x32\x49\x01\x8e\x9d\x03\x52\x0b\x23\xf4\x7b\x29\x7b\x85\x26\x32\x2b\x1f\x6b\xd5\x4d\x06\x0c\xce\xa3\x01\xcc\x8a\x3a\x15\xda\x2d\x39\xb6\x4e\xa4\xdd\xb0\x3c\x7b\x6c\xba\x60\x5e\x8d\xd4\x86\xd1\x2d\x8f\x0c\x6c\xd9\xfb\x47\x81\x61\x12\xba\xa0\xa7\xae\x0e\xba\x4f\x0f\x89\xb2\x14\x32\x03\xa1\x19\xa6\xbb\x85\x45\xc1\xba\x66\x78\x84\x95\xf4\xe7\xda\xd9\x6d\xf8\x11\x9b\x1c\x11\xd7\xff\xb0\x71\x07\xc0\xc0\x35\xa8\x06\x97\xa8\xed\x78\x0d\x9c\x55\x61\x92\x93\x85\x08\x5f\x0a\xa7\xbc\x74\x8f\x2b\x5e\x23\x4e\x21\x0c\xe7\x77\x22\xc5\x4e\x80\xb8\x86\xc0\xd6\x14\x65\x8f\xfa\x23\x40\x8c\xac\xa9\xcf\x01\x38\
x69\xef\x66\x29\xf8\x46\x16\x40\xda\xea\x86\x9a\xd4\xc3\x65\x53\x0d\xe5\x27\x81\x5c\xaf\xee\x31\x4f\x8c\xa7\xb9\x87\x95\x22\xc4\x26\x29\xe3\xe7\x12\x96\xe5\xf6\x0a\x84\xdb\x39\xd5\xc9\x00\x00\x16\xea\x33\xf4\x81\xd8\x0c\xcb\x80\xf0\x85\xd5\xed\x3f\x70\x0b\xad\xc3\xb4\xb7\xd8\x0d\xd8\xa7\x78\xf0\x38\x17\xa1\x0d\x67\x89\x2d\x36\x87\x0a\x98\xbd\xc7\x0c\xfd\xa4\x83\x4c\x78\x15\x42\x1f\xc9\x72\x74\x01\xbd\x4f\x81\x11\xbb\xba\x76\x86\x02\x4b\x42\x72\xf5\xa6\x8a\x66\x51\x94\xaf\xc4\xf1\xa9\xf8\x57\xaf\x27\x0e\x30\x22\xc1\x8d\xfc\x18\xf6\x7b\x39\x77\xe6\x41\xc6\x25\x8f\x00\xc1\x43\x0e\xa7\x95\x78\xf4\xdc\x82\xa0\xba\xb5\x21\x40\xdf\x4b\xe0\xad\xb3\x29\x19\x5a\x29\x7d\xf0\xbe\x6e\x12\x34\x97\x70\xb4\x47\x7a\x44\x65\xa8\x14\x39\xf2\x2b\x6b\xdc\x67\x7a\xb8\x6d\x4e\xdb\xbd\xfc\x7d\xb3\xcf\x06\xd4\xa9\x4d\x33\xc6\xc1\x1f\xa1\x63\xfe\xfb\x1a\x87\xa9\xb5\x2c\x1c\xc4\x09\xeb\xed\xe7\x26\x3c\x88\x97\x5e\xdb\x23\x7f\xa0\x1b\x58\x3f\x79\xfc\x7a\x4f\x8e\x8a\xc8\x9a\xf7\x93\x08\xd9\x9b\x47\x3c\xf3\x3f\x33\x44\xa4\xe5\x52\x3f\x3e\x35\xd3\x88\xd1\x8e\xe1\x18\x5c\xaa\x19\x18\xd2\x3a\xae\x41\x93\xae\xdf\xe1\x25\x04\x2e\x16\xd5\x71\x86\x52\x61\xdd\x63\xbf\x0c\x9d\xd8\x48\x5f\xa6\x4e\x24\x10\xa2\x6a\x43\x6c\x83\xc9\xe3\x45\x56\xf3\x7c\x1d\x69\xd2\xfd\x57\x42\x78\xc4\xb2\xc8\xba\xf3\x83\x4e\xe2\xe0\xf3\x64\xb5\x4c\x36\x78\x0f\x28\xa8\xeb\xe5\x6e\x1d\x9e\x1c\xbd\xfd\x77\x3c\xe8\xaa\xcd\xef\xda\x09\xf4\x0d\xff\xd8\x47\xaa\xdf\x67\xc4\x44\x71\x00\x8c\xee\x07\x76\xfb\x06\x89\x54\x30\x8f\x16\x20\x3d\x01\x7b\x29\x0c\xd1\xad\x9e\x4c\xdc\x49\xf3\x26\x35\x28\x07\x56\x0d\xdd\xa4\x90\xc0\x5c\x6d\x5e\x04\xf1\x94\x00\x83\xaa\xba\x83\xe0\x29\x37\x0f\xd7\x6e\x77\x57\xc7\x3c\x05\x43\xdd\xff\x26\xc3\xa3\x07\x62\xe2\xc9\xc5\x56\xaa\x28\x2c\x7f\x46\xf3\xdd\x8e\x20\x01\x68\x05\x3a\x03\x17\x4c\x56\x69\xdc\x43\x90\x0a\x39\x41\x7c\x9d\xff\x8e\xd3\xf1\x0e\xb0\x7c\x47\x0a\x52\x2e\xc8\x20\x71\x2f\xf8\x82\x59\xcf\x7f\x5e\xe5\x2c\xf4\xee\x69\x0b\xca\xbd\x88\x76\x3f\x66\x32\x9f\x37\x25\xa4\x36\xca\x19\x38\xd4\xda\x48\xde\
xdf\xfe\xa8\x2d\xc5\x4a\x2a\x0a\x5c\xfb\x64\xc3\xe2\x78\xf4\x1b\x93\x3c\xef\xeb\x02\xf9\x82\x53\x2e\x98\x67\x72\x41\xd7\xec\x2f\x8d\x14\x27\xda\x17\x11\x91\x9d\x67\x2e\x95\x1b\x6d\x1c\xd8\xf2\xc0\x20\x3f\xed\xd5\x21\xf7\x5a\x22\x9d\x99\x67\x13\x35\x81\x36\xd8\xb4\xeb\x79\x71\x34\xfe\xc8\x74\xe3\xd3\x8a\x01\xcb\x82\xa8\x7c\x8c\x21\x1e\x64\x29\xef\xe6\x77\x17\x3a\xab\x0a\x0f\xb9\xf5\x58\xf4\xb0\x6f\x77\x05\xbc\xd1\x77\xec\x1d\xd8\x0d\x04\x45\xb5\x44\x8e\x7d\xc2\x94\x53\x8a\xae\xcc\x59\x61\x0d\xbe\x6f\x2b\x3b\x16\xb2\x75\xc1\x8d\x33\xa7\x8f\x0c\x1d\xcb\xb0\x7e\x13\x76\x28\xb6\x22\xf8\x85\xae\xe8\x0b\x82\x68\x4c\xdd\x5f\xde\x5a\x29\xaa\xdf\x63\xd8\x5e\x95\x15\x96\x49\xad\xce\x0f\x9e\x57\xb5\x3b\x82\xc7\x5b\x87\xa1\x27\x47\xef\x0f\x84\xbe\x50\x69\x3c\xca\xe7\x98\xe3\x8a\xaf\x05\x06\x66\x16\x3e\x6b\xed\x48\xf5\xf1\xba\xf4\x9a\xde\xa2\x12\x23\xbf\xb0\x89\x19\x98\x98\xdc\xd2\xe9\x1b\x70\x8b\xd6\x2b\x61\xf1\x38\xcc\x48\xbe\xd8\x8b\x77\x2d\x14\xbc\xc5\x39\x68\xaa\x32\xfa\x3f\x11\x45\x84\x75\x2d\xb5\x32\x78\xb2\x5f\x36\x7d\x52\xc2\x07\xec\x54\x59\x66\x83\x82\xaa\xc7\xeb\xfd\xf3\xa2\x07\x5c\xef\x67\x9b\xd7\x7e\xc1\x7a\x11\x43\xde\x08\x47\x20\x08\x54\x86\x68\x5a\xc8\x69\x73\x3b\xc0\x7d\x74\x24\x6f\xbf\x8a\xbb\x36\x62\xbe\x75\x0d\xdd\xd3\xb1\x3e\xcb\x2d\x91\x35\xf5\xc6\x8d\x1f\xdd\xe5\x49\xd9\xc2\x09\x1d\x96\xaa\x35\xf8\x43\x36\xb4\x21\x51\x31\xf3\x64\x76\xec\x84\x8d\x53\x3d\x7d\xca\x1e\x0a\xa4\x1e\xef\xb8\x80\x60\x52\xa8\xcd\xd5\x38\xb7\x55\x70\x7f\x93\xe0\x48\xd7\x71\x50\x5b\x88\x90\xd8\xf6\x80\xb8\x80\xcc\xb8\xee\x29\x49\xe3\x5a\x63\xee\x48\xe7\xb4\x67\x12\x8b\x65\xff\xe6\x06\xce\xd2\x8a\x3b\xc3\x17\x2b\xd0\x9f\x2b\x58\xef\x63\x22\xa3\xfa\x31\xe0\xfa\xb3\x7a\x3a\xfe\x72\x9a\xd4\x3d\x5c\xd0\x2b\x42\xbe\x4d\x8e\x60\x2b\x99\x51\x6d\xbd\xbd\x81\x2e\x1b\xec\xae\xba\x14\xb2\xb2\xbf\xaf\x05\x55\x90\x02\x51\xe3\x1d\x83\x97\x98\x14\x1b\x32\xab\xdc\x55\x8b\x3b\xf3\x0e\xdc\x11\x45\xf5\x41\x79\x85\x07\xda\x32\x9c\x5a\xcc\x1f\xf5\x6d\x4f\xd5\xf6\xe1\x8c\x02\x08\x12\x22\xc6\x98\xb3\xd0\xf2\
xb1\x95\x39\xa7\xc2\xc9\x1f\x78\xb1\xbe\x76\x48\x19\x91\xe2\x41\xd2\xae\x88\x9d\x4c\xb1\x33\xf9\x0f\x77\xd9\x22\xd9\x84\xb5\xa5\xd1\xb2\xaa\x03\x8f\xb0\x01\xf0\xba\xc8\x8c\x14\xa3\x6f\x62\x29\x6a\xb3\x24\xd5\x2b\x57\x54\xd4\xe8\x42\x88\x9d\xa6\x54\x14\x3b\x4b\xd7\x19\xf0\x82\xcb\xcf\xa2\xec\x90\x31\xb9\xb4\xb8\xbb\x8e\xf4\x6b\xc3\xff\xa5\x2d\x35\x38\x5b\xf2\x7e\x3c\xcd\x86\x10\x84\x81\xff\x66\x40\xe8\xb0\xe3\x09\xd2\x8b\x14\x94\x20\xf9\x5e\xb9\xaf\xa0\xf6\xe1\x88\xb7\x00\x5f\x42\x12\x25\x38\x5b\xde\xa3\x82\x5a\xd5\xfb\xfc\x6d\x9f\x29\x97\x47\x6b\xc3\x6e\x5d\xfe\x4b\x68\x6d\x1a\x2d\x40\x25\x16\xd4\xee\xe9\x90\xe1\xea\x6a\x23\x48\x38\x10\x3f\x42\xd7\x05\xab\xf3\x78\x35\x67\x3c\xa7\x86\x75\xb5\x35\x4c\x2a\x99\x13\x0e\x2b\x7a\x64\xee\x26\xa2\xad\x6c\x1c\xd2\xde\x64\xed\x59\x12\xeb\x77\x08\xdb\x3a\xfb\xb4\xa6\x83\x10\x9b\x10\x57\x29\x8f\x35\x6e\x4c\xf4\xfa\xb2\x00\xca\xf7\x40\x3c\x71\x9a\xa8\x1a\xb0\x1d\x3d\x7f\x91\x55\x07\x3f\x56\x49\x5e\x51\x16\x19\x6e\x9a\x9d\xe8\x2f\x10\xa5\xc0\x8d\xfb\x2f\x91\x54\x94\xdf\x7a\x07\x00\xef\xb7\x22\xd3\x41\x6a\x5d\x32\xbc\x02\x29\x71\x11\x65\x08\x47\xde\xe6\x76\xd2\x68\x77\x2d\xec\x41\x3d\xa3\xa1\x32\x09\x89\xc1\xbe\x0d\x5c\x9c\x1b\x6f\xc4\xf7\x0f\xbd\xad\x88\x8a\xbb\x0b\xe8\xf1\x16\xf0\xd7\xa6\xf3\xab\xaf\x63\x6b\xb6\xb6\x92\x22\xda\xf4\xcc\xbd\x6d\x07\x29\x3d\xef\x59\xcd\x5e\xc9\x08\x45\x4d\x07\x94\x95\xf2\x7b\xfa\xf9\xe4\x5f\xb2\xc9\x99\x64\xe6\xb2\xfb\xa0\x3a\xf0\x38\x2d\x5b\x60\xad\xeb\xbb\x28\xfb\x8f\x8f\x8e\xfd\xd8\xda\x65\xea\xc2\x93\x77\xcf\x07\xc6\x2e\x1b\xf1\x0f\x61\xfa\x91\x2e\x62\x71\xf2\xcb\x95\x09\xa7\x63\x1b\x7a\xbe\xc3\x39\x6b\xeb\xce\x10\xbc\x79\xe2\xc4\x99\x56\xd1\x27\xf9\xd0\x1b\x73\x58\x45\x40\xcb\x6c\x0b\x52\xa7\x09\xe3\xaf\x1d\x00\xc8\x4f\x6d\x22\xfb\x19\x5d\xd8\x82\x3a\xa3\x36\xaf\xea\x89\x8e\xd8\x7a\xda\x2b\x22\xd1\xb8\xec\x50\x8c\xf6\x98\x6e\x93\x45\x92\x65\xed\x7c\x25\x87\x32\xc2\x91\xca\x41\xe7\x87\x6f\x1b\x43\x8b\x17\xd3\x6c\x24\xa0\x2f\x20\x0f\xee\xee\x18\xac\xe8\xdc\x4a\xad\x51\xa4\x2b\xb9\x81\x5d\x82\xc2\
xa9\xa3\x7f\x77\x5c\xd6\x12\xe0\x84\x22\x69\x42\xea\x0d\xc6\xf5\xd8\x92\x33\x49\xbb\xbe\xdc\x2a\x45\xcf\xcf\xdd\xed\xa2\xd5\x2d\x14\xf2\xff\x83\x29\xaa\xc0\x1d\x2e\xc3\xc3\x7f\x23\xc5\xc9\x0d\x02\x62\x80\x23\x8c\xe0\x9e\x00\xec\xa9\xf6\xc3\x0b\xda\xa5\xdc\x91\xf4\x34\x2f\x8a\xf6\xa3\xec\x13\x39\xc4\x7d\xca\xe8\xf9\x36\x0c\x32\x50\x2b\xfa\x86\xe1\xff\xc5\x82\xd5\x88\x8f\x29\xca\xc3\x9e\xf9\x0a\x31\x50\x11\x1f\x66\x11\x99\xfa\xf7\xe2\x41\x3b\x57\xbb\x9a\x72\xaa\xa2\xd5\xfa\xe3\x2b\x46\x28\x84\xa9\x28\xd8\x3c\xea\x60\x55\x70\x25\xc5\xde\x01\x80\x44\x34\x5f\xb0\x83\xde\xf4\x9b\xc3\x83\x31\x98\x94\xda\xd2\x8b\x53\x39\xcb\xad\xb6\x03\x8d\xc8\x47\x9f\x7e\x4b\x2f\x01\xc1\xce\xd3\xff\x85\x42\x05\xbe\x93\x88\x48\x85\xb1\x29\x87\x8b\xdb\xb1\x8c\xaa\x68\xc3\x09\x40\x71\x9a\x40\x8a\x03\xfc\x61\xeb\xea\x87\xd9\xd3\xef\x21\x62\x59\x45\x89\x65\x44\x75\xc2\xc3\x7e\xaa\x87\x37\x33\x8a\xcc\x18\xb3\x41\xa3\x51\xec\x39\xaa\x94\xcb\xa1\x71\x09\x6f\xd7\xfb\x83\x2e\x30\x31\xf4\xd8\x2f\xf2\x32\x8a\xa1\x89\x62\x3c\xd9\x3f\xce\x6f\x45\x25\xc2\xdd\x01\x3d\xc9\xc7\xb4\xd1\x9a\xdd\x3b\xf9\xc3\x34\x88\x6e\x9d\x1c\xb4\xdf\x99\x7d\x99\x56\x3a\x57\xb6\x6d\x83\x21\xd4\x21\x52\xf7\x21\x70\x5d\x6c\x48\x46\x18\xad\x33\xcb\x46\xb5\xc1\xa4\x1c\xcd\x39\x7e\xde\x50\x43\x2d\xc9\xd4\x1a\xa8\xb2\xfb\x37\x5a\xf7\x5d\x33\x23\x56\xd7\xdf\x3d\x5d\x43\x9f\xde\xbc\xf8\xe2\x5b\x22\x49\x3c\x6f\xe1\x40\x01\x3e\x29\x52\x32\x18\x67\xd1\x29\x47\xb1\xf2\xdd\x27\x2a\x17\x36\x94\xa5\xfd\xdd\x88\x7f\xe1\xec\x96\xdf\x64\x67\x63\x0d\x14\x49\xd7\x23\xff\x02\x3e\xc1\x27\xb1\x2a\x24\x11\xa0\x96\xe3\x12\x9e\x84\x5d\x50\xb1\x46\x68\x36\x35\xd8\x05\xcf\x19\x67\x35\x82\x8c\x8a\x0a\x00\x40\x47\xa1\x9a\xcf\xcc\x41\xb6\x2f\xe0\xfb\xff\x91\x88\x1e\x76\x13\xbf\x7a\x73\x71\x95\xf1\x85\x8e\xd7\x19\x8d\xca\xca\x13\x21\x06\x19\xd7\xf7\x39\x8d\x81\x2d\xe4\x63\xf2\x21\xf0\xc2\x64\x87\x4a\xa3\xb3\x41\x6d\xcd\xfa\xed\x76\xbf\x25\x5d\x7a\x7a\x15\xd6\xac\xc9\x86\x4d\x1b\xd9\x00\x35\x4b\x3b\xf0\xdf\x70\xba\xe9\x32\xc4\xb8\x2e\x8a\xa6\x0d\x39\x5b\x93\
x9c\xc6\x0f\x89\x64\xab\x75\x5b\xa5\x0b\x40\xa7\x13\xf6\x8d\x2e\x00\x1a\x2b\x5a\xbc\xfd\xbb\x82\x1a\x0a\x3a\x7a\x97\xcd\xcc\xc0\xb0\x5b\xca\x8f\x03\x3f\xbc\xd9\x54\x56\x9c\xb7\xc3\x12\xd4\xcb\x9e\x69\x27\x56\x13\x30\x66\x79\x88\x25\x70\x72\x61\x18\xeb\x66\xb4\xb6\xf0\xd2\x36\xc3\x3e\x35\x65\x8e\xd8\x7f\x02\x8c\xa4\x3c\x55\xc2\x69\x68\x17\x9a\xed\x75\x49\xc8\xc2\xe9\x26\x72\xa4\x45\x10\x6d\x04\x29\x84\x69\x17\xc5\xfc\x60\x7f\xa2\x85\xdb\x9a\xa6\x12\x81\xc1\xc5\x24\xa7\x6b\x3d\x40\xde\x5d\xa9\xbc\x7a\xfb\xae\x9c\x03\x55\x5d\x05\x63\x83\xea\x7f\x5e\xac\xf5\xde\x95\x63\x8e\x11\x24\x2a\x42\x0c\x9a\xa3\x22\xc8\x08\xcf\x2a\x14\xab\x47\x9d\x81\x35\xe4\xff\x48\x7b\x21\x5c\x8c\xec\x44\xc7\x29\x0d\x34\x59\x10\x0b\x21\x96\xc5\x4e\x88\xca\x28\x41\xd8\xa6\x01\x1c\x6d\xb1\xb5\xc2\xfb\xc5\x13\x5d\xa6\x05\x3d\x89\x3d\x11\x6b\x9f\x23\xd5\xa0\xf7\x7f\x9f\x64\xc5\x0a\x04\x48\x55\x2f\xb3\xd4\x00\x2c\xcf\xb9\x5e\xd5\x4c\x37\xea\xe9\x31\x73\x7b\xf0\x2b\xcd\x22\x6b\x13\x3b\x9d\x27\xde\xbf\xae\x74\x87\x30\xa8\x7b\xe8\xdf\x5c\x31\xcd\xdf\x16\xc2\x6b\xc3\xf3\xb4\xdf\x7a\xbc\xbc\x52\xed\xad\xb7\xa7\xc2\x9e\x87\xdd\x5d\x63\x30\xb7\x61\x64\x9f\xc9\xf0\x98\xa7\xb6\xb6\x8c\xf5\xdc\xe7\x67\x66\x7e\x8b\x5a\x7c\xd4\xbb\x22\xd1\xc9\x22\x9c\x45\x51\x69\xd7\x2e\xdd\x3b\xae\x9c\x25\x1c\x07\x88\x96\x8f\x1d\x13\xaf\x8e\x47\xba\x32\x92\x3c\x66\x14\xc4\x4d\x51\x96\xfa\x80\x57\x61\xdb\xa5\x9a\x39\xb8\x93\xbf\x09\x73\xda\xbb\x97\x6e\xdf\x63\xf3\xcb\x54\x73\x2d\x43\xb9\x0e\xe7\xab\x03\x74\xe1\x0f\xd7\x22\xd5\xc3\x61\xa4\x10\x89\x31\xe8\xee\x3f\xa1\x90\x79\x3f\x90\x1b\x18\xff\x7b\x5e\xd8\xc1\x62\xb3\x7f\xfc\xb3\x9c\x6c\x0c\x08\x4c\x9c\x76\xb3\x96\x4e\x31\x35\x1f\x51\x12\xac\xcf\xe1\x6c\x62\x68\x58\x0c\xe0\xb4\x4c\xd4\xc3\x3f\x29\x21\x71\xdf\x6a\xf3\x59\x14\x22\x5c\x8b\x1a\xff\x19\x85\xce\xa0\xea\x73\x49\xa4\x3a\x51\x0d\x5f\xbf\x18\x81\xa0\x32\xf9\x6b\x1f\x58\xf4\xfa\x94\xdb\xcd\xf9\x8f\x6b\x11\x3a\x2f\x85\x1e\x76\xd4\xf1\xcf\x06\x86\xe3\xb4\x40\x57\xc3\x63\xc8\x49\xc5\x70\x06\x59\xd7\xe5\xa1\xc2\xb3\xcc\xfd\x5a\
xaa\x88\x9c\x2f\x99\xa9\xb1\xc8\x31\x9c\x3c\xd3\x48\xbe\x29\xb2\xe9\xbf\xef\xbc\x28\xcb\x77\x47\x29\x95\x8c\x12\xc9\xdf\xa7\x4b\x89\x3a\x07\x74\x5a\xed\x2e\x51\x44\x72\x3c\x8f\xc0\x50\x68\x52\xf1\x7e\x6a\x4a\x8f\x59\x9d\x2c\x4a\x1d\x7c\x0b\xa9\xd7\x7d\xb8\x41\x6e\xb1\x09\x32\xcd\xc7\x49\xcf\xa9\x98\x90\xee\x80\x17\xc0\x66\x40\x84\xf8\x64\x89\xc9\x75\x25\x52\x52\xc3\x87\x6f\x8d\xcd\x98\xc0\x0b\x73\x61\x1c\xe2\x73\x4e\x1f\xe0\xee\x5c\x0a\x0a\xbb\x0c\x50\x00\x40\x44\xf9\x3a\xd2\xff\x01\x09\xbc\xb1\x9a\x3a\x20\xf1\x86\xd6\x8e\x38\x7d\x34\xa5\xb5\x78\xc4\x25\x3c\xd9\x67\x26\x14\x80\x3b\xf9\x67\x26\xe8\xab\x00\x14\x6d\x2f\xe2\x66\xe6\x2e\x48\x65\xf5\xe7\xfe\x31\xd4\x14\x97\xe7\x19\x51\x22\xfc\xda\x82\x5f\xb4\xe9\xfc\xdd\x09\xb4\x21\xdd\xb6\xe9\x25\xa4\xd5\xcb\x7f\xf2\xfa\x56\xfe\x14\x97\xad\x65\x9c\xc5\xb6\xef\xd8\xf8\x83\x99\x8b\x74\x51\x17\x5f\x98\x27\x54\x7b\x84\x19\x5c\x25\xfc\x16\x31\x07\x2a\x55\xc1\x7e\x90\xa3\x27\x9a\x54\xa2\x96\x97\x31\x2b\xfe\xf3\xee\xfc\xba\x8d\x31\x14\x55\x6a\x54\x5d\x18\xab\x0d\xf7\x4d\xf2\x66\x85\x91\x51\x95\x9a\x1b\x05\x1f\x83\x22\xf7\x98\xcb\x45\xd5\xcb\xe5\x29\x1b\xdd\x71\xda\xd6\x65\xf6\x4d\xde\x69\x54\xef\x00\x71\x89\x18\xfe\x01\x72\x79\x63\x96\x46\x42\xd4\xc4\xa5\xbb\xa9\x30\x3f\x44\xfe\x97\xff\x99\xf0\x67\x48\xdc\x86\x3f\xf0\xcc\x17\xfc\x82\xb2\x9f\xbe\x0c\x71\x2c\x77\xed\x36\x69\x7f\x23\xb4\xa2\x2a\x9f\x24\x85\x22\xf9\x94\x6c\x3a\xbc\xd3\x2e\x16\x5f\xd6\x6f\xdb\xc7\xb4\xa0\xdf\x71\xa8\xd2\x57\x1f\x32\xda\x4a\xda\x51\xc1\x4c\xa0\x86\x30\x1d\x6e\xd0\x20\x06\xc6\xa3\x8c\xe4\xe7\x67\x1f\x3d\x08\x62\xa4\xe3\xc2\x2b\x6a\xa7\xb7\xc0\x49\xa7\x76\x22\x87\x57\x05\x62\xe8\xb4\x52\xef\xc7\x87\x41\xe7\xc2\x82\x2a\xd0\xfd\x43\x5e\x76\xa8\x04\x4b\x05\xb3\x88\xaa\xfc\x4c\xf6\x15\x75\x76\x03\x98\x87\x23\x64\x46\x99\x61\xe8\x7d\x14\xd1\x79\x5e\xb6\x27\xfa\xed\xa1\x8f\x9c\x12\x28\xfc\x99\x4d\x58\x05\x08\xc9\x96\xd3\x66\x27\x99\xb7\x23\x7e\x59\x69\x10\xa7\xc5\xc7\xfa\xcd\x47\xfa\x30\x84\xda\x48\x48\x87\x67\xf6\x0c\xfe\x58\xec\x40\x14\x15\xac\x66\x03\x16\
x23\x32\x0f\x9f\xda\x37\xc0\xaf\x9f\xe4\xcd\xa1\xb2\x89\x3d\x2d\xf0\xac\x82\x26\x01\x3a\x36\xca\x7b\x13\x66\x03\x2e\xa7\xb2\x5a\x55\x91\xbe\xbc\x8c\xe4\x89\x77\x7c\x0c\xba\x28\xd1\xf0\xca\xfe\xae\xea\x7d\x5b\x4d\x20\x09\x30\x9e\xeb\xc9\x13\x07\x81\x12\xbb\x12\x69\x20\xca\x6e\x5e\x2b\x22\x10\xce\x54\x10\xcc\xe4\x5f\xc4\x63\x74\x6c\xf1\x68\xf7\xee\x2b\x91\xc7\x97\xb3\x30\xe0\x46\x48\x22\xa6\x18\xe4\x57\xce\x39\xa0\x03\x67\xd9\xcd\x3d\x3f\x59\x38\xce\x36\xeb\x2a\x31\xa9\x0d\x04\x92\x58\xc8\x49\x95\x5e\x97\xf0\x80\x17\x26\x9b\x3e\x5f\x69\xe9\x12\x81\x95\x63\x8b\xc8\xc1\xfa\x73\x5e\x6e\xb2\x43\x5c\x95\x87\xf4\xf4\x36\xd9\xe6\x8a\x87\x97\xbb\x42\x10\x0d\x48\xe7\xb2\x61\x97\xc6\x5f\xb8\x90\x39\x61\x38\x2f\xb0\xfe\x22\x98\x60\x17\x30\x68\xd9\x42\x91\x10\x82\x3b\xc2\xff\x71\x7a\x71\x57\x05\x4c\x32\x6b\xda\xc3\xad\x35\x81\x77\xf9\xa4\x06\xd8\x94\xb8\x42\xd6\xd9\x1e\xdb\x35\x6b\x06\x28\x3b\x32\x9b\xca\x6e\x12\x29\x06\x55\xfe\xf2\x40\x29\xba\x1d\xaa\xf4\x5f\x17\xeb\xc8\x34\xd1\x2e\x35\xe3\x9f\x2e\x20\xe2\xc7\x36\x2a\xeb\x00\x31\xf4\x87\x7b\x63\x3b\xe1\xbe\xd3\x6f\x5d\x7b\xa2\x4d\x01\x48\xf8\x46\xa7\x86\xf3\x88\xe2\xab\x79\x66\x2d\x55\x9b\x86\x1a\x36\xa4\xce\x60\xdc\xeb\x5f\xdb\x9f\x47\x93\x58\xfd\x84\xa5\xc7\xf1\x02\xf7\x5b\x81\x43\xd3\x62\x6f\xff\xa5\x46\x9c\x22\x07\x2a\x97\xd6\x3f\xf9\xe0\x66\x7c\x2f\x2d\xb4\x1c\xd0\x3e\x5d\x43\x91\x4b\xb5\x90\xbb\x1f\x11\xf4\xc3\x53\x3b\xcc\x47\xff\xc9\x9e\xed\xf6\x77\xc9\xd6\x46\xc6\x0f\x99\x39\x89\x15\x89\x1a\xb6\x71\x97\xdd\xbd\xc1\x1e\x03\xda\xf0\x31\x39\xce\xad\xaf\x99\x22\x68\x75\x16\x3f\x11\xc2\x90\x27\xf6\xec\x6e\xe6\x47\xc9\xbb\x1f\x76\x95\xf1\xf2\x91\x8a\x32\x85\xa1\x3e\xad\xb7\x3d\x3e\x94\xcb\x0d\xbf\x92\x73\xf7\x5e\x1a\x8b\x39\x1c\xc6\xe4\xc1\x4e\xd5\x68\x3c\x27\x56\xc7\xb3\x3d\x84\x35\x1e\x1c\xe0\xba\x7b\x02\xe2\x30\x5d\xe6\x5b\x29\x45\x6b\x5c\x55\x34\x46\x47\xc7\xb0\xb1\x6c\xd8\x36\xdb\xa2\x71\x1a\x4c\xc9\x77\x38\x26\x7c\x46\x2c\x85\xfa\xd6\x08\xa8\x16\x12\xd7\xf8\x9a\x7f\xe6\x63\xbd\x06\x43\x54\xa8\x0f\x8b\xe0\x16\x5d\xf5\xd9\
xba\xe1\xc6\x9e\xa5\x69\x62\xb1\x11\x22\x0c\xdc\x13\x6a\xda\x90\xbb\x13\x15\xf8\x65\xca\xff\x1e\x25\x26\xac\xd2\xef\x4c\x36\xa7\x0f\x26\x60\x88\xd7\xd3\x48\xe5\x61\x13\x29\x71\x66\x8e\x91\xa8\x90\x04\x08\x5a\x5b\x09\x2f\x8e\x28\x42\x3d\x16\xb7\x49\xcd\xcb\xf9\x2a\x43\x65\xe4\x68\xdd\x67\xbe\x24\x1e\x5d\xea\x70\x5b\x60\x6b\x28\x09\x9a\x5d\x3d\x46\xa0\x76\x20\xfc\x4f\x73\x1e\x3d\x36\x05\xde\xbe\x68\x70\x42\xca\xc9\x37\x42\x73\x67\xc3\x5b\x54\x6a\xf2\xdf\xc0\x94\xa7\x21\xdc\x7f\xd1\x3d\xf6\x8e\x9a\x79\x9e\xcb\x10\x7c\x90\x8b\xac\x9f\x8c\x44\x30\xcc\x10\xc6\x29\x9c\x79\x4d\x02\x8d\x51\x6c\x3e\xf3\xf7\x7f\x9f\x64\x20\x16\x60\x94\x9b\x5e\xe2\x9a\x58\x94\xd7\x38\xfa\x4e\x4b\xcd\xda\x88\xfe\x12\xbc\xff\xe8\x5d\xa7\xb1\x0d\x02\xc8\x09\x22\xf3\x90\x71\x34\xfe\x64\x60\x55\x08\xb6\xcb\xe3\x5e\x97\xf1\x2f\x1b\xb1\x5f\xce\x6f\xac\x0b\x0b\xbe\xd6\x21\x83\xba\x88\xb8\x41\x3c\x69\x2c\x1d\x46\x53\x76\x14\x6a\x5a\xc6\x9e\x0f\x10\x45\x0f\x04\xc8\xb6\xf3\xc9\x0c\x58\xac\x33\x60\x4a\xa8\x11\xa9\xb7\x4e\xbb\xd0\x7b\x06\x84\xc5\x1a\x55\x30\x06\xda\x57\xf4\xdf\x29\xdf\x30\xa6\x46\x22\x26\x6b\x3e\xc0\x6c\x43\x5d\x65\x05\x21\xf3\xea\x72\x5a\x3c\x8c\x12\x8c\x73\xf0\xd3\x44\x7d\xd1\xa8\x5b\x10\xa0\x61\xe9\xac\x44\x69\xbd\x8e\xad\x5b\x59\xcc\x63\x9b\x81\x7e\x67\xd9\x0c\xcd\x77\x3e\x22\x4a\xeb\x67\xdd\x26\x36\x91\x74\x36\xb7\x64\x75\xd8\xe0\x25\x5c\xf7\xd1\x4f\x28\x36\xa5\x0d\x23\xfb\x11\xb3\x84\x35\x48\xb3\xa5\x2d\x8f\xa1\x0c\xa8\xc9\x7e\x1f\x0e\xd7\xa0\x0c\xfc\x80\x67\xa5\xb9\x9a\x41\xc0\x7d\x3c\xe0\xa0\x45\x6b\x84\x43\xbb\x5f\x09\x03\xdb\x5e\x7b\xc1\x6b\x0d\x0d\x4f\x32\x1a\x57\x57\x2d\x33\x68\xd9\x7a\xb7\x70\x58\x30\xd2\x3f\xf7\x8a\xc8\xd6\x94\x02\xc9\x20\xf7\xfb\x91\xd6\xef\xc1\x6c\xe4\x39\x93\xa1\xa6\x8e\xb8\xed\xa0\x8d\x7c\xc5\x5f\xca\x85\x49\xf4\x08\x39\xac\x8e\x5e\x26\x3e\x8f\xcd\xdb\x10\xdd\x20\xfb\xed\xd9\x49\xc8\xd3\xc1\xe1\x86\xe9\xfd\xd5\xaa\x27\x65\xa1\xef\x54\xf9\xe8\xb2\xa7\xa0\xb3\x8f\x1c\x8f\x8d\xaf\xe5\xfc\xef\x0f\xf0\x31\x69\x21\xdb\xaa\xb2\x7f\x6b\x2e\x09\xe4\x9d\x0a\x56\xc9\
xad\xe5\xd8\xcb\x65\x86\x99\xba\xa9\x84\x54\x3f\xde\x4e\x72\x0e\x02\xe5\x50\x3e\x83\x5c\x7a\x63\xef\xfe\xe3\xdf\xa5\x8e\x4c\xcd\xbe\x19\x43\xb5\x92\x1b\x58\xfd\x0e\xd6\x64\xef\x73\xdf\x89\x23\x18\xe1\x07\x03\x23\x48\x59\xb5\x65\xd1\x7d\xe8\xc9\x25\x19\x8b\x44\x81\x59\xc8\xe8\xd7\x3c\x8b\x1e\x5e\xb6\x87\x05\xe5\x82\xd5\x12\x8f\x20\x7b\x54\x6f\x81\x22\xe0\x4e\x37\xbc\xc9\xd1\xca\x9b\x2c\x7a\xe5\x1d\x45\x42\x44\x8b\x36\xd6\xff\x16\xd9\x98\xee\xce\x9f\x07\xbe\x34\x1d\x1d\x8f\x98\x9f\x23\x44\x60\x40\xa4\x99\x72\x72\xc9\x9d\x45\x34\x83\x72\xfc\x49\xb7\x0f\xb5\xe0\xfa\xca\x97\x51\x84\xc6\x02\x59\x95\xf6\xaa\x49\xf1\xb2\x93\xdf\x66\xd5\x1d\x75\x3d\x9c\x77\x75\x57\x6d\x0e\x77\x01\x34\xd3\xa4\xfb\xd5\x3c\x99\xb0\xa7\xb6\xaf\xe7\x33\x7f\x73\x24\x81\x63\x23\x9a\x71\x4d\xfe\xb2\x85\xb0\xb4\x9e\xf6\x02\xd6\x2a\xd6\x93\x5a\x83\xc8\x3b\xc8\x14\xbd\x40\x7b\x1f\xf5\x22\x82\x92\xf9\xbf\xbb\xd0\x71\xc8\x1d\xc9\x59\x1a\x05\xc9\x50\x7b\xff\x87\xc9\xe5\x27\xb8\xf1\x4e\x8e\xe1\x3d\x18\x7e\xb8\x67\xdc\x2c\x95\xdd\x90\x3c\x37\x69\x2d\x03\xe7\xb0\x09\x85\xfb\xc1\x13\x13\x07\x8d\xec\x7f\xf6\x9f\x2e\x01\xa8\x34\x23\x99\x40\x0f\x98\xcc\x66\x83\x3d\x9c\x85\xff\x7f\x10\xcb\xef\x73\x32\x13\xcd\xae\x61\x54\x5f\x39\xe8\x5c\x59\x30\x2b\x56\x0a\x72\xd0\x43\x7b\x26\x6c\xba\xe1\x6f\xad\x4a\x00\x0d\xde\xa1\x99\x49\x40\x8c\x74\x77\xfc\xb9\x48\x91\x53\x23\xeb\xb7\x9a\x55\xc7\x69\xcc\xb1\x8e\x2f\x55\x2a\xb7\x63\xba\x65\x30\x2a\xe7\xbc\x47\x6e\x36\x25\xeb\x88\xa7\xa6\x69\x8c\xec\xcf\xac\x22\x90\x0c\xa3\xc4\x4d\xec\x88\x66\xb2\xa1\x14\xc0\x83\x1c\xf6\x53\xd4\xc1\xfb\xa9\xa7\x78\x5a\x1c\xaa\x2b\x97\x34\x33\x84\x22\x6b\x1a\xce\xd9\x3d\xa7\x1d\x30\xb6\x65\x06\x45\xbc\x11\x3a\xc6\x2d\x32\xd2\x03\x2d\xdb\x65\x62\x6e\xe8\x6c\x3b\x9d\xfb\xbd\x8d\x0c\xae\xea\x74\x53\xdb\xea\x30\x4e\x34\xd3\xf8\x05\x22\xcd\x31\x7b\x49\xbc\xab\xb8\x69\x33\x1c\x7c\x32\x18\x52\x10\x04\x30\x42\x3b\xcb\x1e\xc1\x5c\x50\xc1\x9b\x76\x6a\x7c\xe4\x71\xd5\x1b\x01\x04\x1b\x68\x5a\x29\xc4\xbf\xdb\x55\x2c\x86\x6d\x58\x3b\x7c\x3c\x7f\xd5\x6c\xfc\x73\
x72\x5d\xf7\x84\xe4\xd9\x02\x81\x56\x7f\xe8\xc3\x8d\x86\x6b\x06\xef\x13\xbb\x30\xfd\x23\x90\x6e\x66\x2c\xf9\xd5\x11\x3d\x7b\x52\xb0\x14\xb4\xae\xb3\xa1\x83\x52\x4b\x49\x7b\xe9\x22\x0a\xe1\xe0\xb2\xf7\x67\x4d\x27\x99\x42\x94\x1b\xbd\x81\xed\x59\x5a\x93\xc2\x34\x13\x99\xb6\xac\x36\xff\x86\x9f\x89\x4c\xae\x29\x13\x08\xb2\x12\x84\xd3\x98\xb5\xfa\x6a\xc7\x6b\x9d\x59\xf0\x3e\x48\xc2\x75\xf4\xf2\x0c\xe0\xa5\x05\x9d\xe6\x9c\xa9\xec\x99\x9d\x73\x20\x2d\xef\x66\x6b\x37\xb3\xa9\x6a\x95\xb1\x2c\x74\x33\x10\x38\xfa\xca\xca\xb1\x88\xda\x87\x8a\x86\x0e\x1b\x39\x9d\x6b\x3b\xd3\xc1\x36\xe0\xa5\xe9\x96\x3c\x16\x91\x88\x9f\x0d\x40\x0f\x34\xdc\xc5\x1e\xf1\x00\x2e\xbf\xee\x28\x14\x60\x5a\x4d\x10\x67\xed\x73\x96\xc1\x15\xe3\xa9\x4f\x15\x1c\x8e\x4a\xa2\x93\x0f\xd8\xbc\x53\x4d\x57\x9d\x5d\x88\x43\xbd\x20\x29\x05\x6f\xc5\x58\xb9\x86\x94\x08\xb9\x95\x1f\x75\x67\x24\x33\xea\xd1\x9e\x10\x9c\xd1\x83\x08\xf1\xc9\xd6\xf9\xcc\xbc\x9f\x76\x79\x93\xb5\x9e\xa2\xb5\x04\x68\x64\xf5\xe0\xc3\xbd\xe4\x2e\x79\x32\xc5\x6b\x9f\xb2\x52\x89\xe1\x6a\xb3\xbe\xbb\x69\x25\x47\xde\x1a\x4d\xbe\x11\x9a\xb2\xbd\x71\xe4\x71\xcb\xdf\x6c\x6e\x85\x19\xac\xa7\x7c\x2c\xbb\x82\x73\x34\x3c\x1b\xed\x23\x92\x2e\x55\x7f\x87\xb4\x08\xd8\x7a\xf7\x88\x96\xed\x30\xf0\xa6\x17\x8a\xd9\x8a\x34\xde\xd6\x14\x84\x43\xfd\xdf\x4a\x5c\x00\xa8\x1a\xe9\xdf\x21\x59\xfd\x65\x8c\x85\x9f\xb6\xb2\x74\x98\x8c\x84\x8f\x99\x3e\x76\x1c\x26\x3e\x90\xd7\xdb\x8f\x66\x2c\x87\x6b\x7a\x61\xff\x2d\x93\x8b\xa7\xfe\xd4\xcb\x5c\xd8\xee\x51\x48\x70\xb5\x05\x20\xe7\x33\xf2\x1c\xdc\x3b\xd7\xed\x41\xd2\x97\xb9\x6d\xfe\xff\x37\x9d\x37\xe6\x07\x1b\xb1\xac\x84\xfe\xff\xab\x2c\xdd\x98\x5f\xea\x2f\xe6\xc4\x6e\x6b\x75\x69\xc8\xc2\x45\x45\x91\x79\x5c\xcc\x56\x51\x1d\x85\x3f\xd2\xa0\x1a\x1e\xb0\xce\x25\x05\xab\x65\x78\x2b\x78\x36\xba\x67\x84\x45\x05\xaa\xbc\xb5\xdc\x63\x72\xa3\x13\xfe\x7a\xcc\x7f\x48\xb0\xd2\xbe\xf7\x94\x03\xc2\x83\x7d\x88\xe5\x2f\xe9\x26\xad\x16\xd5\x1b\xe7\xe8\xc6\x2a\x59\x55\xa6\x1e\x85\x27\x08\x39\xf3\x6e\xee\x94\x63\x70\x92\x7e\xb1\x98\x41\x30\x16\x77\
xe8\x37\xab\xac\x18\xd7\x09\xbc\x84\xdd\xa6\x0b\x12\x10\x7a\x23\xeb\x73\x35\x43\xff\x32\xcc\xe5\x24\x8d\x0f\x46\x19\x21\x29\x52\x91\x83\x7c\x15\x0a\x4c\x1d\x48\x9d\x31\xc5\xbf\x5b\xfc\x2d\xa1\x42\x7e\x1e\xce\x74\xae\xa7\x05\x3f\x1f\xed\xa6\x4f\x09\x9f\xc4\x47\xa7\x90\x8c\xe4\x4b\x13\x46\x15\x49\xf2\x3e\xf1\x8c\x1d\x81\x07\xbe\xfb\x09\xf9\xd7\x19\xa0\xac\x57\x08\x0f\x1c\xdb\xfd\x46\x70\x4d\x79\x94\x7a\xa1\x0c\x5b\x0b\xb2\x26\xe7\xf6\x83\x09\x74\x72\x40\xf7\x73\xa6\x27\x53\x65\x61\xfb\x6c\x1c\x9b\x26\xaa\x5e\x23\xbe\x01\xf2\xd3\xf7\xaa\xdc\x99\x54\x40\x01\x5d\x25\x64\xb9\xc1\x6b\x85\x3d\x66\x57\x24\xf9\xf7\x22\xb3\x4a\xb1\xd4\x4c\x27\xd0\xe0\xcb\x01\xc4\x9d\x9e\x05\xde\x91\xc2\xe0\x40\x76\x4f\x0c\x21\x2e\x6d\x63\xf7\xb7\x24\x93\xdc\xcb\xf8\x58\x16\x4c\xf4\x81\x51\xbb\xe4\xf1\xdc\x2c\x91\x58\x66\x73\x43\x1a\xf7\xb8\x46\x1d\x30\x16\x1c\x56\x11\x70\xdf\xa3\x1e\xdd\xe2\xcc\xc9\xdd\xdb\xc7\xa8\xe4\x62\x31\x75\x24\x05\xcf\x30\x8e\xcd\x8d\x35\x05\x63\x6d\xba\x70\x35\xc9\x4f\x72\x86\x23\xbb\x87\x60\x3a\xfb\x90\xb5\xc2\x3e\x9a\xc1\x93\x7b\x2e\xa3\x98\x4d\x57\x9d\xa2\x99\x70\xef\x04\x9f\xfd\x97\x05\xfa\x28\x3e\xf6\x2f\x1a\x9f\xbb\xef\xbc\x5f\x8f\x3f\x79\xbd\xd8\xd7\x0f\x0a\x89\x39\x72\xe5\xac\xa3\xa1\x64\xe6\x72\xba\x88\xeb\xdb\x62\x06\xa4\xdd\xa5\xeb\x5a\xdf\xd1\x63\x52\xd4\x2c\x4f\xbd\xdf\x11\x7f\x2b\x0d\x30\xe8\xc3\x9f\x1b\xc6\x3f\x3b\xc0\x3b\x45\x2a\x87\x01\x17\xaf\x7a\x3f\xd3\x01\xaf\x71\x4b\xfa\x39\x83\x67\xa9\xac\x2a\xa3\x81\x17\x0b\xc7\xca\x86\x01\x44\x25\x8a\x9a\x38\xa6\x14\x54\xc9\xcd\xef\x24\xf1\xc6\x62\xf2\x8e\x8d\x1e\xe7\x74\x9f\x61\xa9\xc7\x9a\x9e\x16\x59\x3f\x2d\x55\x00\xde\xaa\x73\x0a\xca\x4e\xef\x32\x73\x87\x84\x31\xa8\x74\xb0\x3e\x44\xf6\x49\x5b\x52\xea\x9b\x22\xd9\x41\x7f\xb3\xf2\xcc\xbe\x2c\x48\x2a\xdd\x30\x8e\x4a\x3c\x55\xb7\x53\x2a\x4e\x64\xcf\x10\x8d\x83\x3d\x54\xab\xf3\xcf\x93\xb3\xf9\x08\x52\x63\xd2\x77\x4c\x22\x14\xdc\x62\xe3\xc6\xa7\x88\x69\x46\xb7\xbb\xb4\xd0\xfd\xd8\x2d\x50\x22\x32\xf8\x91\xe9\x5e\x20\x75\xb6\x97\x4f\xcb\xc8\x15\x79\xfe\x8e\xeb\x7e\
xe2\x21\xa9\x04\xce\xdb\xbb\xab\x25\x95\xef\x93\x53\x7f\xde\xa0\x3e\xb9\x3b\x49\x68\x01\x19\xd9\x96\xc8\xe7\x06\xdf\xc4\xd9\x94\x33\x95\x4c\x53\x67\x72\x5d\x48\x08\x11\x9b\x68\x3b\x59\x64\x1c\x4b\xff\xd3\xfb\xab\x0c\x7e\x12\x5f\x02\xba\xd9\x5c\xbf\xc2\x6e\xab\x96\x07\x9f\x8d\xfb\xf6\x62\x35\x89\xd1\x4e\x0c\x20\xd1\x5e\x07\xc3\x4b\xcc\xce\x36\xfb\x92\x79\x65\xf9\x6c\x8c\xc8\x9b\x3e\x51\x43\x82\x12\xa9\xbe\xc9\x2a\xf4\xb5\x92\xae\x76\xe6\x6d\x53\x1d\x34\x43\x85\xf5\x56\x85\x52\xe3\x7b\xd2\x5c\xbe\x30\x7d\x83\x99\x75\x91\x4f\x30\x91\x5d\x24\xe8\xf3\xd8\x92\xc8\xa1\x9f\xa4\x84\xc3\x5d\xf1\xfb\x92\xaf\x80\xed\xf4\x03\x34\x0c\xac\xed\x5c\x22\x47\x67\xe9\xe6\x87\x45\x65\x63\xdf\xf2\x9c\xa8\x6e\x36\x58\x55\xde\x94\x05\x7b\x66\xc5\x76\xbe\xc5\xf5\xb7\xfc\x3f\x00\x43\x33\x6b\x8a\x48\x7a\xe2\x51\x9b\x8f\xf0\x12\x2e\x7a\xc2\xbf\x57\xd2\x9b\xa6\x48\x08\xdd\x3a\x20\xd2\x6e\x43\x82\xce\x7b\xb1\xfb\xd3\x47\x34\xf5\xae\x66\x25\xee\x8a\x7d\xd5\x6f", 8192); *(uint32_t*)0x20004f40 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x50; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 0x3f; *(uint32_t*)0x200023d0 = 7; *(uint32_t*)0x200023d4 = 0x22; *(uint32_t*)0x200023d8 = 0x8001; *(uint32_t*)0x200023dc = 0x1040000; *(uint16_t*)0x200023e0 = 8; *(uint16_t*)0x200023e2 = 0xf6e1; *(uint32_t*)0x200023e4 = 8; *(uint32_t*)0x200023e8 = 9; *(uint16_t*)0x200023ec = 0; *(uint16_t*)0x200023ee = 0; memset((void*)0x200023f0, 0, 32); *(uint32_t*)0x20004f44 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 9; *(uint64_t*)0x20002450 = 0x40d; *(uint32_t*)0x20004f48 = 0x20002480; *(uint32_t*)0x20002480 = 0x18; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 7; *(uint64_t*)0x20002490 = 7; *(uint32_t*)0x20004f4c = 0x200024c0; *(uint32_t*)0x200024c0 = 0x18; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 0xffff; *(uint32_t*)0x200024d0 = 8; *(uint32_t*)0x200024d4 = 0; *(uint32_t*)0x20004f50 = 0x20002500; *(uint32_t*)0x20002500 = 0x18; *(uint32_t*)0x20002504 
= 0; *(uint64_t*)0x20002508 = 0xce0; *(uint32_t*)0x20002510 = 0x1c; *(uint32_t*)0x20002514 = 0; *(uint32_t*)0x20004f54 = 0x20002540; *(uint32_t*)0x20002540 = 0x28; *(uint32_t*)0x20002544 = 0; *(uint64_t*)0x20002548 = 1; *(uint64_t*)0x20002550 = 0x100; *(uint64_t*)0x20002558 = 5; *(uint32_t*)0x20002560 = 2; *(uint32_t*)0x20002564 = r[6]; *(uint32_t*)0x20004f58 = 0x20002580; *(uint32_t*)0x20002580 = 0x60; *(uint32_t*)0x20002584 = 0xfffffffe; *(uint64_t*)0x20002588 = 8; *(uint64_t*)0x20002590 = 0xcd95; *(uint64_t*)0x20002598 = 0x1f; *(uint64_t*)0x200025a0 = 7; *(uint64_t*)0x200025a8 = 0x48; *(uint64_t*)0x200025b0 = 0xaac5; *(uint32_t*)0x200025b8 = 6; *(uint32_t*)0x200025bc = 0xad; *(uint32_t*)0x200025c0 = 5; *(uint32_t*)0x200025c4 = 0; memset((void*)0x200025c8, 0, 24); *(uint32_t*)0x20004f5c = 0x20002600; *(uint32_t*)0x20002600 = 0x18; *(uint32_t*)0x20002604 = 0xfffffff5; *(uint64_t*)0x20002608 = 9; *(uint32_t*)0x20002610 = 9; *(uint32_t*)0x20002614 = 0; *(uint32_t*)0x20004f60 = 0x20002640; *(uint32_t*)0x20002640 = 0x11; *(uint32_t*)0x20002644 = 0; *(uint64_t*)0x20002648 = 0; memset((void*)0x20002650, 0, 1); *(uint32_t*)0x20004f64 = 0x20002680; *(uint32_t*)0x20002680 = 0x20; *(uint32_t*)0x20002684 = 0; *(uint64_t*)0x20002688 = 0x10000; *(uint64_t*)0x20002690 = 0; *(uint32_t*)0x20002698 = 0; *(uint32_t*)0x2000269c = 0; *(uint32_t*)0x20004f68 = 0x20002780; *(uint32_t*)0x20002780 = 0x78; *(uint32_t*)0x20002784 = 0; *(uint64_t*)0x20002788 = 9; *(uint64_t*)0x20002790 = 3; *(uint32_t*)0x20002798 = 0; *(uint32_t*)0x2000279c = 0; *(uint64_t*)0x200027a0 = 6; *(uint64_t*)0x200027a8 = 0; *(uint64_t*)0x200027b0 = 0xfffffffffffff20d; *(uint64_t*)0x200027b8 = 0xfffffffffffffff8; *(uint64_t*)0x200027c0 = 1; *(uint64_t*)0x200027c8 = 0x3ff; *(uint32_t*)0x200027d0 = 5; *(uint32_t*)0x200027d4 = 9; *(uint32_t*)0x200027d8 = 0x726; *(uint32_t*)0x200027dc = 0x1000; *(uint32_t*)0x200027e0 = 6; *(uint32_t*)0x200027e4 = r[7]; *(uint32_t*)0x200027e8 = 0xee01; *(uint32_t*)0x200027ec = 7; 
*(uint32_t*)0x200027f0 = 7; *(uint32_t*)0x200027f4 = 0; *(uint32_t*)0x20004f6c = 0x200028c0; *(uint32_t*)0x200028c0 = 0x90; *(uint32_t*)0x200028c4 = 0; *(uint64_t*)0x200028c8 = 3; *(uint64_t*)0x200028d0 = 2; *(uint64_t*)0x200028d8 = 2; *(uint64_t*)0x200028e0 = 0x100000000; *(uint64_t*)0x200028e8 = 0x61a26b8d; *(uint32_t*)0x200028f0 = 6; *(uint32_t*)0x200028f4 = 2; *(uint64_t*)0x200028f8 = 1; *(uint64_t*)0x20002900 = 3; *(uint64_t*)0x20002908 = 1; *(uint64_t*)0x20002910 = 0x100000000; *(uint64_t*)0x20002918 = 3; *(uint64_t*)0x20002920 = 0x8f; *(uint32_t*)0x20002928 = 4; *(uint32_t*)0x2000292c = 0x1ff; *(uint32_t*)0x20002930 = 0x849; *(uint32_t*)0x20002934 = 0x1000; *(uint32_t*)0x20002938 = 7; *(uint32_t*)0x2000293c = r[8]; *(uint32_t*)0x20002940 = -1; *(uint32_t*)0x20002944 = 5; *(uint32_t*)0x20002948 = 0x1f; *(uint32_t*)0x2000294c = 0; *(uint32_t*)0x20004f70 = 0x20002980; *(uint32_t*)0x20002980 = 0x130; *(uint32_t*)0x20002984 = 0; *(uint64_t*)0x20002988 = 0xa00000000000; *(uint64_t*)0x20002990 = 4; *(uint64_t*)0x20002998 = 1; *(uint32_t*)0x200029a0 = 6; *(uint32_t*)0x200029a4 = 9; memset((void*)0x200029a8, 1, 6); *(uint64_t*)0x200029b0 = 6; *(uint64_t*)0x200029b8 = 1; *(uint32_t*)0x200029c0 = 5; *(uint32_t*)0x200029c4 = 0xfffffffe; memset((void*)0x200029c8, 170, 5); *(uint64_t*)0x200029d0 = 1; *(uint64_t*)0x200029d8 = 0x1ff; *(uint32_t*)0x200029e0 = 3; *(uint32_t*)0x200029e4 = 7; memcpy((void*)0x200029e8, "{#-", 3); *(uint64_t*)0x200029f0 = 5; *(uint64_t*)0x200029f8 = 0; *(uint32_t*)0x20002a00 = 2; *(uint32_t*)0x20002a04 = 0x761; memcpy((void*)0x20002a08, "[#", 2); *(uint64_t*)0x20002a10 = 3; *(uint64_t*)0x20002a18 = 0; *(uint32_t*)0x20002a20 = 2; *(uint32_t*)0x20002a24 = 6; memcpy((void*)0x20002a28, "#]", 2); *(uint64_t*)0x20002a30 = 1; *(uint64_t*)0x20002a38 = 0x714; *(uint32_t*)0x20002a40 = 5; *(uint32_t*)0x20002a44 = 3; memcpy((void*)0x20002a48, "*^\\^b", 5); *(uint64_t*)0x20002a50 = 5; *(uint64_t*)0x20002a58 = 0xeb68; *(uint32_t*)0x20002a60 = 4; 
*(uint32_t*)0x20002a64 = 0xfffffa80; memcpy((void*)0x20002a68, "--$-", 4); *(uint64_t*)0x20002a70 = 6; *(uint64_t*)0x20002a78 = 0xfffffffffffffeff; *(uint32_t*)0x20002a80 = 1; *(uint32_t*)0x20002a84 = 1; memset((void*)0x20002a88, 45, 1); *(uint64_t*)0x20002a90 = 1; *(uint64_t*)0x20002a98 = 8; *(uint32_t*)0x20002aa0 = 3; *(uint32_t*)0x20002aa4 = 0xf2; memcpy((void*)0x20002aa8, "!\\{", 3); *(uint32_t*)0x20004f74 = 0x20004c40; *(uint32_t*)0x20004c40 = 0xb0; *(uint32_t*)0x20004c44 = 0; *(uint64_t*)0x20004c48 = 0xcf; *(uint64_t*)0x20004c50 = 1; *(uint64_t*)0x20004c58 = 1; *(uint64_t*)0x20004c60 = 3; *(uint64_t*)0x20004c68 = 0x100000000; *(uint32_t*)0x20004c70 = 4; *(uint32_t*)0x20004c74 = 0x81; *(uint64_t*)0x20004c78 = 5; *(uint64_t*)0x20004c80 = 0x7f; *(uint64_t*)0x20004c88 = 5; *(uint64_t*)0x20004c90 = 6; *(uint64_t*)0x20004c98 = 0xffff; *(uint64_t*)0x20004ca0 = 3; *(uint32_t*)0x20004ca8 = 0x1f; *(uint32_t*)0x20004cac = 3; *(uint32_t*)0x20004cb0 = 8; *(uint32_t*)0x20004cb4 = 0xc000; *(uint32_t*)0x20004cb8 = 0xf5c8; *(uint32_t*)0x20004cbc = r[10]; *(uint32_t*)0x20004cc0 = r[11]; *(uint32_t*)0x20004cc4 = 2; *(uint32_t*)0x20004cc8 = 9; *(uint32_t*)0x20004ccc = 0; *(uint64_t*)0x20004cd0 = 4; *(uint64_t*)0x20004cd8 = 0x80; *(uint32_t*)0x20004ce0 = 5; *(uint32_t*)0x20004ce4 = 2; memset((void*)0x20004ce8, 170, 5); *(uint32_t*)0x20004f78 = 0x20004e40; *(uint32_t*)0x20004e40 = 0xa0; *(uint32_t*)0x20004e44 = 0; *(uint64_t*)0x20004e48 = 0x400; *(uint64_t*)0x20004e50 = 6; *(uint64_t*)0x20004e58 = 2; *(uint64_t*)0x20004e60 = 0x400; *(uint64_t*)0x20004e68 = 7; *(uint32_t*)0x20004e70 = 4; *(uint32_t*)0x20004e74 = 9; *(uint64_t*)0x20004e78 = 4; *(uint64_t*)0x20004e80 = 0x1000; *(uint64_t*)0x20004e88 = 0xffff; *(uint64_t*)0x20004e90 = 6; *(uint64_t*)0x20004e98 = 1; *(uint64_t*)0x20004ea0 = 0xffff; *(uint32_t*)0x20004ea8 = 0x65f; *(uint32_t*)0x20004eac = 0x647c2b8f; *(uint32_t*)0x20004eb0 = 0x400; *(uint32_t*)0x20004eb4 = 0x8000; *(uint32_t*)0x20004eb8 = 8; *(uint32_t*)0x20004ebc = 
r[12]; *(uint32_t*)0x20004ec0 = r[13]; *(uint32_t*)0x20004ec4 = 3; *(uint32_t*)0x20004ec8 = 0x6b; *(uint32_t*)0x20004ecc = 0; *(uint64_t*)0x20004ed0 = 0; *(uint32_t*)0x20004ed8 = 0xd; *(uint32_t*)0x20004edc = 0; *(uint32_t*)0x20004f7c = 0x20004f00; *(uint32_t*)0x20004f00 = 0x20; *(uint32_t*)0x20004f04 = 0; *(uint64_t*)0x20004f08 = 0x800; *(uint32_t*)0x20004f10 = 0; *(uint32_t*)0x20004f14 = 0; *(uint32_t*)0x20004f18 = 0x10001; *(uint32_t*)0x20004f1c = 0; syz_fuse_handle_req(r[5], 0x200003c0, 0x2000, 0x20004f40); break; case 24: memcpy((void*)0x20004f80, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004f80, r[5]); break; case 25: syz_init_net_socket(0x24, 2, 0); break; case 26: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[14] = res; break; case 27: *(uint32_t*)0x20004fc4 = 0x5004; *(uint32_t*)0x20004fc8 = 0; *(uint32_t*)0x20004fcc = 1; *(uint32_t*)0x20004fd0 = 0x1de; *(uint32_t*)0x20004fd8 = r[14]; memset((void*)0x20004fdc, 0, 12); res = -1; res = syz_io_uring_setup(0x343, 0x20004fc0, 0x20ffc000, 0x20ffb000, 0x20005040, 0x20005080); if (res != -1) { r[15] = *(uint64_t*)0x20005040; r[16] = *(uint64_t*)0x20005080; } break; case 28: memcpy((void*)0x200050c0, "/dev/uinput\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 2, 0); if (res != -1) r[17] = res; break; case 29: memcpy((void*)0x20005100, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0x488200, 0); if (res != -1) r[18] = res; break; case 30: *(uint8_t*)0x20005140 = 0x1e; *(uint8_t*)0x20005141 = 3; *(uint16_t*)0x20005142 = 0; *(uint32_t*)0x20005144 = r[14]; *(uint64_t*)0x20005148 = 0x200; *(uint32_t*)0x20005150 = 0; *(uint32_t*)0x20005154 = r[17]; *(uint32_t*)0x20005158 = 6; *(uint32_t*)0x2000515c = 1; *(uint64_t*)0x20005160 = 0; *(uint16_t*)0x20005168 = 0; *(uint16_t*)0x2000516a = 0; *(uint32_t*)0x2000516c = r[18]; memset((void*)0x20005170, 0, 16); syz_io_uring_submit(r[15], r[16], 0x20005140, 0x3dd1); break; case 31: memcpy((void*)0x20005180, 
"/dev/keychord\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x20005180, 0x171000, 0); if (res != -1) r[19] = res; break; case 32: memcpy((void*)0x200051c0, "/dev/ubi_ctrl\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x200051c0, 0x10400, 0); if (res != -1) r[20] = res; break; case 33: *(uint32_t*)0x20005240 = 0; *(uint32_t*)0x20005244 = 0x20005200; memcpy((void*)0x20005200, "\x46\x23\xd8\xa4\xce\x02\x17\xc9\xe5\x95\x55\xc1\x66\x89\x06\x79\xe3\xe0\xc1\x94\x0d\xf5\xb9\xfc\xbf\x91\x64\x9e\xf5\x4d\x80\xf0\xc8\xbc\xc8\x0e\x36\xb5\x57\x4c\x4b\xc9\xf9\x43\x40\x18\x54\xf5\x6a\xa2", 50); *(uint32_t*)0x20005248 = 0x32; *(uint64_t*)0x20005280 = 1; *(uint64_t*)0x20005288 = 0; syz_kvm_setup_cpu(r[19], r[20], 0x20fe8000, 0x20005240, 1, 0, 0x20005280, 1); break; case 34: res = syscall(__NR_mmap, 0x20ffc000, 0x2000, 0x1000000, 0x8000, (intptr_t)r[18], 0); if (res != -1) r[21] = res; break; case 35: *(uint32_t*)0x200052c0 = 1; syz_memcpy_off(r[21], 0x114, 0x200052c0, 0, 4); break; case 36: memcpy((void*)0x20005300, "adfs\000", 5); memcpy((void*)0x20005340, "./file0\000", 8); *(uint32_t*)0x20005540 = 0x20005380; memcpy((void*)0x20005380, 
"\x87\x35\x19\xf2\x5d\xf0\x82\xb3\x71\xba\x5b\x45\xad\xb5\x70\x9c\x00\x80\x57\x47\xc3\x7f\xe0\x44\x06\x45\x95\xcd\x47\x28\xbf\x89\x80\x30\x2b\x25\xb4\xb0\x83\xb4\x2b\x41\x33\x6e\x13\x0f\x1b\x6f\xf0\xa2\xf1\x72\x49\x8e\x52\x2b\x4f\xe5\x82\x6e\xab\xab\xf5\x3a\x98\x52\xf9\x3e\xbe\xb8\x41\xe1\x64\x5f\x32\x93\x61\x27\x02\x9d\x68\xfe\x73\xec\xed\x89\xc1\xb9\x35\x87\x01\x2a\x47\xc4\x2a\x58\x3d\x69\x75\x59\x2b\x3f\x2c\xdf\x43\x37\xfc\x6d\x5e\x85\xe5\xf5\x83\x5f\xaf\xe0\x95\x93\x5e\xc9\x04\x84\xe9\x08\x1a\xa8\xd2\x24\x98\x43\x13\x01\xba\xad\x4a\x34\x36\x8c\x26\xc6\x4d\x85\x32\x6c\x7e\x00\x68\x21\x78\xf8\xd1\x3e\x6a\x89\x69\xf1\x5b\x9d\x5d\xbc\xfe\xc2\xc0\xe6\x96\x80\xc3\x92\x8c\xa0\x15\xb9\x2e\x25\xf5\x07\x8d\xe3\x54\xfe\x32\xcc\x71\x21\x60\x9a\x07\x62\xe1\xb7\x3e\xfd\x89\x67\xa2\xfe\x23\x5e\x4d\x1e\xf9\xe5\xac\x88\xbc\x1e\xd7\x06\xa9\x84\x64\x1b\x06\x47\x0b\x22\x94\xd0\x45\xce\x7e\xba\x51\xc0\x72\x89\x38\xa2\xc6\xee\xb6\xd8\x57\x44\x29\xcc\x24\xbc\xb2\xa7\x84", 241); *(uint32_t*)0x20005544 = 0xf1; *(uint32_t*)0x20005548 = 0x40; *(uint32_t*)0x2000554c = 0x20005480; memcpy((void*)0x20005480, "\x62\x93\x5b\xfe\x26\xe9\xc9\xf2\xdc\x3c\x3e\x9d\xfb\x49\x18\x58\xef\xb5\x98\x36\x9b\xcc\xa5\x19\x23\x98\x9b\xa9\x43\xcf\x44\x7b\xaf\x56\x62\x5d\xf0\xf6\x85\xed\x2d\x03\x4b\x37\xc0\x75\x63\xf6\x68\x72\x8f\x6d\xc6\x83\x36\x09\xb1\x22\x19\x70\xe5\x50\x88\x86\x9d\x29\xc0\x1b\x2d\xd0\x5c\x48\x20\xb0\x80\x42\xb5\x07\x40\x08\xc9\x75\x77\x12\xc4\x80\xe2\x5d\x89\xb9\xc4\x8e\x95\x7e\x5b\x5c\x7b\x0b\xec\xcf\xb1\xfc\xcc\xed\xbc\xed\xc8\x38\x06\x03\x80\x75\xfc\x2a\x0f\x82\x28\xbe\xb4\x7f\x1f\xec\xe0\x9b\xdd\xcb\xbe\x00\x21\xab\xe9\xc3\xd1\x98\x36\x9b\x81\xb6\x7d\xbd\x6a\x7d\x33\x4b\x8d\x28\xb8\x02\xcc\x97\xd9\x34\xc1\x64\xe9\x7d\x9d\x7b\x70\xdc\x6c", 161); *(uint32_t*)0x20005550 = 0xa1; *(uint32_t*)0x20005554 = 0x1ff; memset((void*)0x20005580, 170, 5); *(uint8_t*)0x20005585 = 0x2c; *(uint8_t*)0x20005586 = 0x2c; memcpy((void*)0x20005587, ":&-]!", 5); *(uint8_t*)0x2000558c = 0x2c; 
memset((void*)0x2000558d, 125, 1); *(uint8_t*)0x2000558e = 0x2c; memcpy((void*)0x2000558f, ",-V", 3); *(uint8_t*)0x20005592 = 0x2c; memcpy((void*)0x20005593, "\\*})", 4); *(uint8_t*)0x20005597 = 0x2c; memcpy((void*)0x20005598, "*^\\^b", 5); *(uint8_t*)0x2000559d = 0x2c; memcpy((void*)0x2000559e, "appraise", 8); *(uint8_t*)0x200055a6 = 0x2c; memcpy((void*)0x200055a7, "fowner<", 7); sprintf((char*)0x200055ae, "%020llu", (long long)r[8]); *(uint8_t*)0x200055c2 = 0x2c; memcpy((void*)0x200055c3, "smackfshat", 10); *(uint8_t*)0x200055cd = 0x3d; memset((void*)0x200055ce, 170, 5); *(uint8_t*)0x200055d3 = 0x2c; memcpy((void*)0x200055d4, "obj_type", 8); *(uint8_t*)0x200055dc = 0x3d; memset((void*)0x200055dd, 170, 5); *(uint8_t*)0x200055e2 = 0x2c; memcpy((void*)0x200055e3, "dont_appraise", 13); *(uint8_t*)0x200055f0 = 0x2c; memcpy((void*)0x200055f1, "dont_measure", 12); *(uint8_t*)0x200055fd = 0x2c; memcpy((void*)0x200055fe, "fowner<", 7); sprintf((char*)0x20005605, "%020llu", (long long)r[9]); *(uint8_t*)0x20005619 = 0x2c; memcpy((void*)0x2000561a, "dont_appraise", 13); *(uint8_t*)0x20005627 = 0x2c; *(uint8_t*)0x20005628 = 0; syz_mount_image(0x20005300, 0x20005340, 0xfd, 2, 0x20005540, 0x8800, 0x20005580); break; case 37: memcpy((void*)0x20005640, "/dev/i2c-#\000", 11); syz_open_dev(0x20005640, 0x40, 0x300); break; case 38: memcpy((void*)0x20005680, "net/if_inet6\000", 13); syz_open_procfs(r[6], 0x20005680); break; case 39: syz_open_pts(r[19], 0x800); break; case 40: *(uint32_t*)0x20006c40 = 0x200056c0; memcpy((void*)0x200056c0, 
"\x46\x41\x06\x38\xb7\xa1\x28\xc1\x5c\x6c\xb2\x7d\x23\x35\x80\x6d\xa8\x7c\x0d\x49\x15\x42\x44\x52\xcf\x0b\xa9\xee\xe0\xa5\xd4\x9d\x63\x4f\x09\x0d\xf2\x6f\x35\xbb\x04\x33\xc1\x3a\x27\x0d\xcb\x44\xcf\xe9\xba\x62\xb5\xba\x38\xd4\xae\x3c\x65\xea\xd2\x72\x7f\x1d\x2a\x5f\x02\xda\xa2\x70\xce\xa6\xf4\xf6\x09\x02\xe2\xed\xa6\x54\xb1\x6e\xc6\x63\x5a\x1c\x6c\xd1\x5d\x6b\xd6\x34\x32\x14\xb8\x34\x22\xd1\xa1\x9b\x5d\xae\x43\x9b\x9f\xbc\x3d\xb5\xc2\x18\xd4\xb0\x8a\xcf\xc9\xfc\xdb\xe5\xd4\xe6\xa5\x12\x7a\xda\xdc\xe6\x10\xd8\x15\xe8\xc6\xd8\xad\xc7\x86\x89\xea\xae\x29\xd8\x1a\x20\x04\x0a\xee\xef\x4e\xe5\x5d\x77\x01\xea\x72\x5e\x91\xb7\x4f\x5b\x37\x81\x4b\xee\xd1\x18\x54\x99\x79\xc8\xa4\x0d\x0b\x29\x09\x77\xad\xa4\xd6\x58\x74\xc7\xdc\xca\x03\x0a\x9a\x15\x50\x9b\xc2\x7e\x6e\x87\xd5\x26\x91\x24\x37\xb8\x69\x04\xf7\x42\xc9\xc1\x3c\x1e\x00\xbc\x5e\x3e\x94\x3c\x14\x30\xd1\xcc\x01\x8f\x5a\x4d\xec\xf2\x46\x02\xdb\x5b\xf2\x28\x6e\x64\xce\x75\x1d\x8d\xf1\x6f\x28\x09\x34\xfb\x08\xb6\x19\xb2\xb5\xe9\x31\x19\x5a\xd2\xf7\xc8\x7a\xe9\x56\xc6\x4a\x2f\xda\xc4\xfd\x79\x16\x11\xac\xc2\xa8\x65\xd9\x94\xea\x90\xed\x15\x85\x81\xe8\x0d\x03\x86\xb1\x53\xf1\x9f\xab\x27\x81\xb7\x2d\x1d\xe0\x03\xb1\x87\xd2\xb1\x19\x53\x42\xb3\xa0\x03\xbf\x44\x83\xb4\xd8\x90\xab\x1b\x2f\x51\xe8\xd5\x8f\x0a\x5a\xd7\x8e\x0d\xf9\xd6\x29\xc2\x2c\x2a\x32\x4a\x98\x2e\x1f\xc2\x73\x8c\x36\x0d\xb3\xa8\xba\x5e\x55\xae\x5c\x9d\x58\xf1\xc2\xf6\xbe\xd0\xb6\xde\x5b\xb4\xee\x3b\x5f\x84\x2c\xee\xf9\x1b\x20\x56\x54\x1f\xf5\x53\x12\xee\x90\xa2\xbd\x09\x97\x06\x6c\x37\xf3\xd8\x37\x78\x95\x92\x1b\x08\x02\x15\x89\x04\x9e\xd7\xb2\x3c\xeb\xaf\x9b\x41\xd0\x8e\x75\x90\x58\xa3\x45\x2c\xb9\xdf\x2a\xee\x1d\x2b\x90\xe5\x10\xba\x9b\xc9\x48\x40\x0a\x69\xaa\x13\x83\x3d\x1b\x4c\x44\x44\x51\x29\xe0\xaf\x50\x12\xfd\x6a\x53\x41\x81\xfb\x20\x42\x68\x26\xa4\xb3\x69\x4e\x4a\x51\x81\x19\x9d\xf1\xed\x31\xde\x36\xf2\xed\x49\x21\x18\x22\xad\x91\x5d\x3b\x71\xac\xae\xcf\xf3\xc8\x4d\x4e\x3b\xb1\x9f\xba\x32\x19\xe2\x61\x45\x73\x5f\xf7\x1d\xce\xee\xee\x7a\xa2\x47\x53\x9a\xd
2\x73\x11\x13\xd3\xf3\x64\x42\x6b\xe9\x00\x6e\x6b\x0e\x35\x8b\x81\xd4\x07\x45\x49\xe0\x8e\xf2\x76\x13\xa3\x71\x5e\x5e\x89\xba\x0a\x71\xe3\x99\x52\x31\xe9\x9a\xac\x5e\x4e\xe7\x07\x8f\x59\xe3\xe7\xd4\xfa\xbe\xd2\x6e\x75\x07\x41\x1f\xbe\x4b\x03\x53\x10\x62\x78\xac\x69\xf3\xb9\x1e\xc6\x9f\xa5\x42\xeb\x7c\x96\x43\x94\x06\x2f\x65\xc6\x50\x19\x7f\xbe\x73\x3c\x22\x83\x26\x73\xd0\x66\xe4\xed\x40\x07\x3b\x28\x4e\xe4\xe5\x1b\x12\x59\x36\x7d\x4e\xb9\xe1\x72\x00\x7e\x6f\xb8\x0a\x0a\x6f\xe6\x2b\x3f\x3d\x5e\x5b\x68\xfe\x04\x7e\xa4\xd6\xfb\xfa\xa3\x0a\x00\xfc\x29\xbc\x58\xa3\x1c\xfb\x82\x12\xf2\xc4\x9c\x3a\x2e\x71\x1a\xe5\x02\xbd\x64\x7b\xd5\x6b\xb7\xcf\xc1\xd8\x4d\x14\x18\x27\xbe\x21\x1b\x5f\xfb\xed\x78\x6b\xfa\x13\x13\xd2\xae\xd5\x34\xf0\x00\x19\x36\x3a\xc1\x29\x61\x2c\xa2\x5c\x76\x3b\x07\x7f\x5a\x72\x4d\x61\xfc\x79\x74\xfa\x82\x4b\xad\xc1\x40\x06\xf2\xfe\xbf\xb1\xe3\x5a\x3d\xd7\x2e\x82\x33\x4a\x26\x37\x56\xff\x42\x04\x68\x0c\xba\x1c\x03\xc5\x5e\x09\xdf\xfb\x5a\x58\xe4\xc5\x5b\x5b\xd7\xa7\x0e\xe8\x52\x59\x29\xa0\xee\x9f\x90\x91\xe3\x4b\xb8\xd2\xf0\xaf\x6d\x2a\x26\x70\xc5\x91\x18\x6b\xee\x6c\xed\xda\xb8\xe1\xfe\x8d\x4b\xe3\x97\xa5\x45\xc4\x83\xfd\x68\x4c\xd8\x12\xdf\x5e\x31\x2a\xb5\xf4\x81\x2b\x47\x84\xef\xae\xf1\xc3\xdb\xe7\x90\x94\xfb\xab\xd6\xca\x5f\x0a\x45\x46\x23\x96\xf8\x18\xa5\xc7\xbf\x61\xc8\xc3\xf4\x33\x66\xc1\x26\x5f\x46\x38\xd1\xdc\x7b\xde\x11\x46\x10\x35\xc7\xaf\x77\xe6\x84\x4c\x5d\x47\xbc\x18\x97\xdf\xab\xec\x76\x87\xed\x25\x79\x4a\x71\xa3\xaa\x2b\xe1\x66\x57\x19\xe7\xea\xf6\x49\xbf\xaf\xfc\xea\x24\x92\xd4\x3b\xca\x7f\x03\x04\x21\x0c\xfc\xa9\x1a\x0d\xad\xf6\x6b\x7c\x3c\x6b\xaf\x8c\x50\x55\xef\x4f\x3c\x56\xaa\x03\xbb\x6e\x40\x0d\x7c\xac\xa6\x9e\x42\x43\xac\x71\xc9\x39\xcc\xf2\x73\x10\xb7\x3b\xa5\x98\x97\xe2\x02\x0c\x71\x7c\x33\xdb\x9a\x4a\x58\x29\x12\xa3\xa8\xd7\xc0\xa8\x70\xb1\x2a\x9f\x98\x2a\xaf\xd0\xcf\x15\x95\x75\x18\x9d\x8c\x26\x88\x64\x34\x22\x9f\xb0\xc7\x6c\x56\x50\x8b\x63\x8a\x25\x09\xb6\x58\x47\x72\x2a\xf1\x97\xe9\x5c\xf0\xcf\xf2\x36\x84\x48\xd4\x2a\xd6\x2d\xb
2\x7f\xf0\x17\xa7\xfb\xed\x92\x3b\xef\x62\x83\x40\x87\x12\xc3\xf0\x4a\x79\x03\x38\xf4\xf8\x0c\xf4\xf3\xe9\x2f\xaa\xfa\x3b\xf6\xcf\xf5\xed\x3c\xf3\xb1\x7b\x50\x50\x75\xe1\x2b\x69\x58\xbf\x2e\x5c\xb4\x02\x41\xf6\x72\x87\x4a\x0f\x94\x0f\xd5\x7e\x82\xe9\xca\xff\x11\x3d\x67\x1d\xa2\x3d\xa3\x43\x6a\x31\x80\x0c\x2d\x34\x87\x96\x5f\x87\xc3\xf8\x25\x06\x10\xaa\xff\x78\x3d\x78\x59\x5e\x19\x26\xb7\x7e\x97\xb2\xe3\xad\x09\x08\x7a\xf9\x19\xac\xe3\xf0\x4f\xd2\x75\x88\x7b\x1f\xc8\x1e\xe2\xf5\xba\xd8\xde\x1c\xc3\x5e\xe0\xc0\x3a\xde\xed\x9a\x91\x97\xd7\xa8\xfa\x5d\xb5\x9d\xc5\x00\xa9\x4b\xd1\x84\xa2\xa8\x0d\x97\x04\x79\x7e\x76\xbc\x0f\xc4\x3e\xd5\x72\x96\x14\x3d\xc9\xd8\x58\xb1\x4a\x7b\xdf\xb4\x18\x19\x7f\x09\x74\xb6\xee\xe2\x99\x95\x80\x51\xb1\xd4\x14\xab\x12\x6c\xef\x5b\xc3\x6a\xe4\x05\x5c\x4f\x19\xe7\xe0\x1d\x20\x92\xd9\x9f\x1d\x2a\x5a\x56\x61\x4f\xed\xf4\x81\xd5\x78\xcb\x85\x1a\xd7\x3e\x18\x29\xbc\x35\x0f\x7e\x56\xee\x0d\x2e\x71\xfe\x73\x1c\x1b\x30\xfd\x84\x5f\xd8\x2c\xa0\xac\xf0\x29\xaf\xf4\xa7\x5e\x0d\x38\xfb\x7a\xf5\x82\xa1\x9c\x0c\x7d\xeb\x19\x54\x4b\xc7\xa1\x3c\x18\x96\x03\x24\x41\xcb\xa6\xae\x39\xc3\x5a\xe8\x80\xb4\x5a\x5c\x97\x54\x5a\xc0\x99\x24\x3a\x79\x1c\x6f\x2e\xb9\x35\x56\x20\x8b\x8b\x20\x35\x42\x75\x2a\x67\x3b\x9d\xf0\x2b\xf0\x4a\xd3\xc1\x8e\xec\xaa\x5e\xb2\x2d\x1b\x65\xe5\x9c\x34\x49\xb5\xcc\x42\xdf\x35\x0d\xd4\x82\x2b\xcf\x67\x1d\xf7\x84\x20\x68\x9c\xac\x22\x65\x8c\xd9\xf0\xf3\x90\xe2\x6e\x07\x96\xac\x4b\x7f\x30\xb1\x98\x9f\x09\xcf\x5b\xa5\x16\xeb\x16\x67\xec\xc1\xd8\x53\x73\x9a\x20\xe5\xe7\x85\x99\xbd\xa8\x30\xd0\x02\xd4\x5e\xb6\x6d\x63\xa7\x78\xb8\x41\x2a\xf5\xd6\x3e\x3e\xf2\x64\x94\xe2\x1b\xbc\xde\x5b\x97\xa9\x4f\x79\x78\xac\x90\x3d\x46\x7c\x5b\x6d\x07\x17\xdc\x4a\x9d\x14\x6e\xd4\xb5\x8b\xfe\x37\x3a\x59\x08\x70\x2f\x99\x7f\x10\x90\xb4\xb1\x90\x93\xf8\x90\x50\x85\xec\xb6\x91\x10\x7b\x05\x9e\x0e\x1c\xd0\xc4\xa9\x4c\x9a\x47\x3a\xf2\xd1\x2b\xd5\x99\x8a\x8b\x8b\x48\x02\xf9\x31\xb9\x05\x15\x51\x9f\x20\xfe\xea\xde\xa5\x68\x4c\x06\x4f\x9a\xdb\x42\x39\x35\xb8\xde\x29\x8
b\x03\xe5\x79\xab\xad\x6a\x23\xa8\x6c\x86\xed\xd3\x9c\x2e\xd6\xa4\x68\x5e\x69\xbc\x71\x54\x05\xab\x7a\x3f\x27\x66\x4b\xdb\x68\xfe\xf1\xfc\xd0\x90\xf0\x60\x38\x1f\x1a\xa3\x74\xa0\x74\xa6\x40\xf9\x91\xec\x6d\x8b\x28\x8b\x1b\x05\x07\x06\x85\x60\x31\x4f\xe9\x4a\xeb\x85\xc4\x2f\x4d\xf3\xad\xb2\x14\x85\x69\x65\x15\xda\x2f\xa7\xf4\x41\xb7\x53\xd5\xf8\xca\x45\x45\xf2\xd1\xdc\x1e\xb3\x4e\x41\x8c\x04\x3b\xeb\x51\x8b\xb3\x5f\xe3\x02\x35\xaa\xbf\x7e\xc5\xf3\x71\xb3\xa4\x8c\x0e\xa6\xa6\x13\xeb\xb4\xe4\xda\x5b\x71\x40\x8a\xa5\x57\x74\x23\x9a\xc7\x49\x03\x0a\x52\x74\x0c\xd8\x53\x5b\x9e\x3d\x28\xa4\xe8\x7b\x4c\x4f\x40\x44\xc8\x19\x5c\x32\x11\xf9\x47\xe5\x00\x7d\xf7\xb6\x4e\x37\xc4\x14\xbf\xd5\x4f\x7b\x59\x82\x37\x20\xbe\x00\x49\x8c\x18\xb5\x7d\xad\x00\x43\xf0\xc5\x0a\x75\x81\x74\x18\xc1\xdb\xc3\xdb\x8d\xc7\x33\xce\xb2\xb5\xb6\xd2\x0b\xec\x1e\x38\xa2\xf9\x09\xaa\x61\x94\x80\xe2\xca\x05\xd9\x00\x0b\x7e\xaf\xf3\x70\xc0\x77\xed\x38\x94\x22\x89\x0d\xd4\x26\x27\x8c\x63\xc2\xac\x42\x85\xe8\x40\xe6\xc7\xf9\xda\x04\xd6\x9a\xf4\x48\x2d\x96\xee\x58\x24\xde\x09\x16\x14\xd8\xb1\xb4\xcf\x49\xf5\xa7\x01\xe4\xb4\x2f\xf5\x8a\x62\x82\x3c\x27\x76\xfb\xa4\xc2\x7e\xc8\x6c\x24\xba\x10\x3e\xd0\x1c\x66\x72\x9a\xd6\x02\x92\x4a\x51\x37\xb7\x18\xd8\xdd\xee\xb0\x83\x39\xd8\x3c\x45\xfe\xca\x01\xc3\x93\x35\x7a\x67\x64\x38\x11\x43\x63\x59\x1d\x31\xc2\xba\x6f\xaf\xa5\xd8\x57\x1a\xf7\xc3\xa3\x69\x0f\xde\xb0\x99\xe4\x41\x92\xb5\x87\x1f\xd0\xa3\x36\x5f\xb2\xe2\x30\xc6\xc0\x3a\x74\x73\x78\x2b\x30\x3a\x5b\xe1\x4f\x03\x8d\x8e\xa3\x4a\x63\x08\x43\x00\x51\x6e\xb7\x88\x4e\x59\x33\x58\xe6\x6b\x3d\xfb\x6d\xac\x4d\x08\x15\xd5\x8d\xaf\xb8\x5e\x8c\xca\x44\x26\x53\x6a\x38\x4d\xc8\x9f\x74\x13\xf1\x4c\xc9\x2e\x73\x77\xa9\x09\x38\xf9\x9e\xf7\xf5\x35\xc2\x18\xae\x2e\x90\x9a\xcd\xbf\xd7\xeb\x5b\x0b\x47\x40\x8e\x3d\x6d\x73\xdd\xa3\x9f\xbd\x6b\x23\xaf\x18\xf1\xa6\x70\x3e\xe3\xb1\xf7\x5b\xb7\xc0\x00\xa4\xca\x5a\x7b\xcc\xaa\xe8\x6c\x4a\xba\xc8\x1d\xa2\x93\xe4\x3f\x91\xd2\xc3\xdf\xf1\x2f\xfa\x52\x29\x13\x9a\x08\xae\x5f\xc2\xec\x13\x9b\xe
9\x78\xb8\x18\x2d\x6a\x60\xc7\xff\x39\xbb\x0a\xa8\x20\xa1\x07\xd9\x2e\x38\xb9\x5e\x74\x8a\x18\x4b\x53\xf5\x62\x4f\x45\x72\x39\xf6\x38\x4d\xdd\xcb\x9f\xd7\xe8\xef\x29\x52\x65\xd7\x9b\x64\xc5\xc0\xa9\x3b\xf2\x16\x35\xb8\xc6\x80\x90\x78\x10\xd8\xe7\x2a\x58\x1e\x5a\xa0\xe0\x0f\xbf\x35\x1e\x3c\x84\x1c\x7d\x0c\x51\xa2\x63\x68\x37\xb2\x7c\x6a\x91\x42\x5b\x50\x6a\x22\xc2\x7d\x14\x20\xd0\xb1\x3e\x60\xde\x3e\x9c\x56\x66\x7a\x98\x98\x3b\xa9\xbd\xd1\xc5\xa5\x2d\xc6\x12\x7b\x65\x9e\x6d\x80\x70\x69\x59\xf0\x7d\x3a\x5f\xa8\xb3\xb8\x8e\xab\x05\xe7\xa0\xc0\x4e\xe1\x2a\x21\x37\x2c\x71\x3f\x64\xc6\xad\xbe\xed\xd7\xa8\xb7\xa6\x92\x67\x49\x75\xbb\xe5\x5c\xe4\x02\x71\x44\x02\xf2\x0c\x7f\x57\xff\x1f\x79\x35\x7d\x8e\xda\xbe\xf1\xd8\x68\xf0\xa2\xb3\xdd\x7a\xa3\xbb\xe5\x8e\x80\x81\x49\x70\x73\x4f\x7d\xec\x70\xd3\x14\xe8\x11\x59\x3a\x32\xcc\x86\x1f\x4a\x8a\x4b\x3f\x0d\x7c\xeb\x4e\xbb\x32\x66\x4f\x56\x44\x49\x7a\xc9\x56\x2c\xdd\x5a\x54\x19\x3f\x22\x38\xe6\x5c\x18\x74\xc8\x64\x21\xc5\xcf\xb4\x3a\xe1\x56\x93\x1c\x78\x40\xd1\x0d\xe4\x7a\x4d\x0f\x2f\x31\x74\xc3\x6c\x86\x45\xac\x02\xf5\x44\xc3\x69\x0b\x51\x37\xaf\x7d\x2c\xed\x3f\xb0\x43\x59\xbb\xf2\x2b\x67\x20\xea\x94\xf2\xe3\xb5\x67\x5f\xb7\x7a\xde\x56\xc9\x77\xd6\x68\x06\x4e\xfd\xd1\xc6\x15\x11\x9a\x52\x8c\x9e\xc1\x35\x3e\x84\x10\x3e\x5d\xce\x6a\x0b\xd0\x73\xf9\xff\xbe\xa0\x81\x9c\xf6\xc0\xcc\x58\xea\xd0\x0c\x92\x34\x02\x98\xcc\x09\x45\x64\x11\x7f\x3f\xb8\x94\x27\x4c\xa9\x1d\x79\x76\x45\x96\x19\xf5\x44\xb2\x50\x58\x6c\x6d\x44\xaf\xba\x55\x74\xb7\xef\x51\x26\xb0\x70\x40\x9a\x1f\x5e\xed\xc6\x50\x07\xb0\x03\x39\xf1\x60\x42\x2f\xff\x38\xd6\x7e\xaa\x8d\x78\x2f\xc4\x19\x2a\x29\x81\x08\x79\xeb\x12\x85\x99\x42\xfa\x14\x1a\x21\xc3\x9d\x9e\xea\x03\xeb\xa1\xaa\x7b\x3a\xc7\xe2\xb1\xda\xf4\xf6\x9f\x47\x5b\x8e\x75\xc5\xac\x7c\x2e\xfd\xd7\x77\x93\x2d\x40\x31\x43\xcd\xd0\x89\x02\xd5\xe3\x45\x93\x01\xc2\x8c\x88\xc4\xdf\x34\x2c\xa1\x39\x10\xb7\x60\xe3\x4c\x40\x19\x4b\xb5\x1b\x82\xcf\x14\xad\xee\xd5\xae\x47\x51\x7d\x3c\xbc\x73\xbb\xb5\xa8\x89\x9c\x30\xe6\x06\x51\x9
9\x89\xa8\x5d\x2e\x15\xb0\xe8\x9e\xbb\xa4\x3f\x0c\x8a\x75\x2f\x07\x01\x03\x80\xca\xa7\x0d\xc4\x09\xff\x80\x5c\x24\x57\x48\x29\xd0\x6b\xb9\xa1\x49\x5d\x5a\x30\x85\xdf\x90\x29\xe2\x3d\x92\xbb\xc4\x6d\x7c\x7c\x1d\xb7\x36\x5e\x92\xe8\xd2\x44\x9a\xad\xe3\x89\x26\xa6\x43\x68\x72\x3a\x0e\x8a\x77\x7b\x32\x61\xc9\xc9\x7b\xae\x82\x5b\x55\x1b\xa9\x40\x55\x1a\x7e\x15\xe3\x01\x3d\xc0\x9a\x05\x22\x9d\x0c\x9a\xc6\x4e\xe1\x5e\xe3\xd4\x67\x42\x62\x89\x24\xc0\x9e\x63\x60\xcc\x43\x00\x6f\xb9\xa0\xe1\xc0\x6e\x55\x84\x63\x7c\xee\x00\x5e\xe2\x6c\xeb\xa7\x02\x95\xcb\xa5\x63\x7d\xfc\x98\x21\x14\x8e\xd7\x41\x50\x03\xd5\x18\x36\x84\x23\xae\x70\x8c\xfa\xc6\x38\xf2\xb8\xe1\xd3\xa7\x10\x11\xbd\xa8\x03\xac\xd2\xcf\xa4\x29\xea\x5f\xa0\x45\xfe\x07\x8f\x91\xeb\xe4\x5e\x7d\x51\xd4\x3f\x08\x30\x2d\x5f\x3b\x0c\xcc\x3e\xb7\xdc\x03\x81\x8b\x33\x56\x7e\x86\xf8\xe5\xdc\x40\x45\x15\x69\xa7\x95\x48\x58\xd2\x6d\xf8\x55\x49\x35\x27\x6f\x56\x54\xaf\xec\xf2\x40\xc7\xe8\x6c\x92\xec\xba\x4d\x3f\xf7\x58\x21\x31\x2d\x6a\x3b\x82\xe1\x8c\xc2\x34\xda\x5b\xac\xc2\x86\xef\x09\x24\xce\x23\xbd\x30\x70\x8d\xe5\x81\x32\x57\x4b\x54\x8c\x96\x28\xb5\x2d\x34\x29\x1d\x1c\x4a\x7f\xfd\xfe\x63\xde\x1f\xa9\xb5\xe0\xfa\x6e\x62\xf3\x52\x8a\x80\xc9\xcc\x97\xa7\xc5\x15\x40\x3f\xce\x89\x5a\xb7\x95\x63\x52\x66\xaf\x74\x6d\x89\xd2\xc9\x40\x58\xca\x38\x50\x1d\x86\xb4\xd6\x32\x4d\x0d\xf0\xd9\xc1\xe4\x7b\xbf\x83\x8b\xaa\x20\x6a\xa2\xec\x43\x97\x82\x8e\x99\x2f\xe9\x63\xb2\xe8\x37\x22\x80\x26\x27\x62\x90\x30\x10\x6c\xf2\x0e\xc9\x8e\x24\x51\x47\xc9\x44\x26\x21\x4d\xdf\xb9\x79\x12\x06\x51\xad\xde\x14\xa4\x25\xfe\xf2\x9a\x20\xc0\xcc\x54\x60\x39\x3a\xcb\xdb\xa5\x7b\x3c\x38\x36\x62\x7e\x6a\x9c\x19\xa2\x34\x43\x12\xa9\xbc\x66\x1b\x76\x02\x85\x41\x5a\x28\x74\xe2\xf2\x18\x7b\x5c\x6d\xbf\x38\xb0\x59\x63\x6f\x9e\xd1\xde\x16\x92\xd3\xb8\x65\x04\xa7\xc1\xb6\x68\xe5\xaa\x0f\x87\xcf\x49\x7f\x0c\xab\x26\x6e\x4d\xb6\x4e\xc6\x46\x55\x80\xbe\x1d\x97\x24\x49\x47\x30\x46\x88\xcb\x35\x76\x49\x0b\x8d\xb0\x86\xb0\x89\x05\x82\x0e\xa9\xd9\x1d\xfc\x8f\x3b\x96\x6a\x9e\x5
6\x8d\x85\x6a\x9c\xce\x3f\x17\x31\xac\x16\xe4\xcf\x48\x71\x43\x34\xb6\xc7\xac\x35\x97\xfc\xae\x85\xd1\x79\x46\xb0\xae\x28\x99\x84\x5e\x96\x06\x6e\x0a\x64\x83\x85\xc9\x8e\xe5\xc1\x19\x39\x13\x56\xb2\x04\xac\xbd\x4a\x5c\x7c\xc2\xcb\xce\xec\xe0\xf5\x8d\xfb\x73\xfc\x30\xef\x7c\x17\x69\xb4\xf5\x6e\xd1\xb7\x7d\x76\x24\x8b\x0e\xa2\xa6\x6d\xb0\xe5\x21\x7b\x5d\x62\x42\x37\x19\x1a\xbe\x94\x86\xac\x0b\xd3\x2e\x3e\x73\x62\x33\x14\x41\x73\x4a\x8d\xd9\xed\x98\x3b\x92\xbf\x26\x47\x2c\x50\x21\xf8\xbe\xa1\x31\xec\xe4\x7c\x8f\x45\xe6\x8a\x25\xa8\xbe\xb4\x88\x58\x95\xc2\x79\x82\x30\x6d\xaf\xa1\xfa\xc9\x05\xb2\x76\xc2\xf6\x0c\xcd\xca\xbe\x2a\x5b\x32\x5b\x5c\x5d\x84\x82\xf3\x05\x66\x02\x44\xc3\x61\x71\x1f\x0e\xed\x77\x46\xc0\xda\xf9\x9d\xfd\xe3\x6c\xaf\xf2\x94\x05\x11\x82\xc5\xb6\x58\x9f\xc0\x70\x0b\x75\x1f\xb2\xb3\x80\x7f\x0b\xcb\xd2\x77\xa8\x44\xce\x82\xa5\x45\x58\xf5\x5c\xdd\x25\xa3\x0b\x22\x83\xab\xe5\x19\xc8\x27\xb1\x0a\xed\x61\x2f\x8a\xea\x3c\xb7\xac\xa8\xb3\x40\x28\xc0\xb3\x63\xc9\xac\xc5\x2d\xde\xa9\xe0\xc3\x4e\x8a\x5c\x90\x86\x9f\xe6\x0d\x28\x30\x7e\x35\xd3\xe4\x35\x82\xf3\x77\x3d\x46\x66\x9e\x43\x13\xa0\x7b\x12\xe7\xd6\xd5\x01\x43\x6f\x8e\x6f\x4b\xc3\x47\xb2\x91\x94\x14\x4d\x82\xc5\xda\xa9\x73\x0f\xea\x34\x66\xc3\x16\x72\x09\xf0\x96\x97\xda\x03\x4f\x86\xca\x9e\x5a\x7e\x28\xc0\x59\x99\xf4\x16\x1d\xca\x75\x18\x14\x04\x13\x50\x4b\xe2\xaa\x60\xef\x71\xb6\x64\x84\xfc\xa1\xb0\xbb\x11\xaf\xd5\x97\x55\xb9\x78\xdd\x29\x4e\x3d\xa8\x56\x55\xb9\x0f\x05\xbe\x08\x23\xe2\x62\xaa\x69\x3c\x43\xbc\x23\xf4\x94\x8a\x60\x96\xff\xe1\xb5\x8e\x1b\xcd\x65\xb0\xdb\x70\xc6\x2a\x4f\x85\xd7\xdd\x4b\xe6\xcd\xdf\xea\xf1\x38\x38\x14\xa6\x72\x8b\x4c\x30\x1e\xab\x03\xb9\x50\xba\xc8\x67\x37\x5d\x1b\x6c\x61\xeb\x2f\x7f\xde\x96\x0b\x16\xf5\x94\x83\x79\xe2\x11\x5a\xb5\x40\x13\x56\xdb\x05\xa7\xdc\x30\xa2\x99\x98\x97\xb1\x63\xc7\x3d\x34\x80\x71\x06\xdf\xdc\xf7\xb7\xf9\xb9\xe7\x37\x7f\xc7\x22\x00\x3c\x86\x8c\xa5\xc1\x4a\x0e\x2f\x1d\x19\x40\xec\x6a\xef\xcf\x85\xfe\xd2\x07\x62\x2e\xd3\x81\x20\xc6\xa8\xaa\xd7\xb4\xe9\xe
8\x7d\x5e\x4e\x9a\x6a\x55\xc6\xe1\x32\xe9\xe1\xe9\xa3\xa6\x2b\x4f\x7c\x6c\xe0\x09\x3f\x88\x65\x47\xdf\xc4\x8d\xe1\xd2\xe0\xc8\x5b\xf0\x1b\x49\xf9\x92\x41\xa3\x6d\x32\x4c\xdb\xad\xe5\x37\x7d\x5a\xa5\x73\x33\x77\xec\x7e\x97\xb7\xac\x54\x38\x7f\xd2\x93\x91\x31\x9d\x3f\x3b\xbc\xd0\x7b\x28\x70\xb9\x64\x6b\xf2\x83\x5b\x3a\xbb\x51\x21\xdc\x20\xa6\x38\xc6\xd0\xd6\x2b\x0a\x05\xd9\x4a\x5f\x1c\x03\xbf\xf6\xe8\x71\xa8\x4f\x9a\x7d\xef\xa1\x6f\x30\xcb\x8b\x3f\xf5\x7c\xb5\xa9\xb8\x95\x8b\x59\x21\x19\xcb\x0c\x80\x25\x13\xc1\x4a\xec\x2d\x27\xcf\xff\xbf\xb4\xe6\xa2\xa8\x40\xf8\xb0\xd7\x46\xa8\x3f\xa8\xbd\x22\x70\x21\xb0\x38\xf5\x0c\x41\x1f\x79\x22\xfb\x38\xec\x89\xf5\x1d\x71\xb7\xd3\xd9\xe2\x41\xdb\x1b\xe1\xb4\x50\x7e\x5b\x68\xfa\x1e\xe8\x9c\x21\x27\x44\x5e\x5d\x6e\xd4\xe7\x43\x3d\xe7\xbf\x4d\x72\xb7\xf7\xb1\xc9\xaa\x7c\x40\x8e\x4c\x10\x50\xce\x17\x74\x27\x98\x4f\x50\x35\xb5\x1e\x3a\xd5\x2b\x56\xd8\xaa\xf3\x8e\x56\x79\x30\xa7\x11\xc8\xdc\x34\x88\xff\xcd\xc1\xa5\x6f\xe1\xb4\xc5\xdf\x22\x67\x3b\xcc\x3e\x9c\xcd\xbb\x3a\xb6\x70\xa2\x45\x47\xf5\xde\xd4\x2d\xec\xfd\xdd\x52\x21\x04\x07\x5c\x37\xdd\xed\xe4\x60\x92\x5d\xcb\xc6\xe5\xef\x20\x60\x28\xaa\x7e\xa0\xc8\x4d\x60\xd9\x90\xfc\xd4\x8d\x76\xc9\xa4\x7b\xe6\x81\x92\x50\xd4\xd1\x0f\xce\xfc\x7a\x12\x4c\x6f\x3f\xaa\xf5\x1f\x7b\x67\xdc\xc2\xb3\x9a\xcf\x11\x9c\x8f\x89\xb9\x3b\x58\x39\x52\x47\xfa\x45\x9c\x1f\xfe\x6f\xc5\xa7\x0c\x32\xd5\x19\x6d\xa5\x93\xb3\x36\xbe\x04\x67\x16\x4e\xbb\xc9\x86\xfc\x14\x5b\x32\xbb\x91\xa4\xc0\x58\x88\x4c\x82\xf5\xca\xcd\xa6\x2a\x43\x12\xbb\x35\x07\x0e\x74\xde\x2b\xba\x07\x64\x8b\x7e\xb9\xd9\xfa\xe8\x91\x64\x8f\x54\x32\xb6\xa7\xd5\x98\x6e\xf2\x02\x78\x72\xcf\x9e\x1a\x08\x6c\x57\x6a\xba\xc8\xdc\x40\x1a\xab\x0d\xa9\x3a\xbf\x0a\xb7\x1e\xcd\x9b\xb9\x6e\x39\x18\x03\x62\xa1\x0a\x21\x85\x07\x1e\xbb\x8c\xa2\xca\x8d\x97\x19\xd4\x7b\xfc\x18\xb6\x2f\x97\x71\xb9\x7d\xfe\xd7\x3b\x98\x23\x25\xeb\x94\x3d\x78\x5c\x78\x75\x00\xd5\xac\x0d\x26\xa9\xca\x90\xcc\x73\xc2\xac\xfe\x87\x2f\x4e\x32\xeb\x44\x39\x08\x3b\xdb\x32\x49\x70\x1d\xdd\xd
b\x50\x0d\xf3\xf8\x96\xbb\x1f\x7a\x37\x06\xd6\x4b\xe1\x6d\x00\xf6\xfd\xcd\x6b\xf4\x1d\xf8\x65\x35\xf2\x98\xd2\xdd\x04\x31\x77\x74\xbd\x6b\x39\x03\xf3\x71\xd5\x9b\xe7\x19\xb7\xec\x1d\x00\x3b\x3c\x97\x05\xa8\xf7\x88\x89\xb8\xf7\xda\x0d\x46\xde\xfd\xce\xd2\xdf\x70\xd8\xcb\x45\x70\x82\x8b\xb2\x65\x49\xb5\x50\x11\x58\x9c\x73\xbe\xc4\x20\x7c\x8d\x59\xeb\xe1\x89\x6b\x37\x61\xc1\x85\xa1\x32", 4096); *(uint32_t*)0x20006c44 = 0x1000; *(uint32_t*)0x20006c48 = 0x8001; *(uint32_t*)0x20006c4c = 0x200066c0; memcpy((void*)0x200066c0, "\x31\xe3\xc3\xfa\x6d\x99", 6); *(uint32_t*)0x20006c50 = 6; *(uint32_t*)0x20006c54 = 0x3ff; *(uint32_t*)0x20006c58 = 0x20006700; memcpy((void*)0x20006700, "\x39\xde\x86\x3b\x71\x48\x20\x8e\x43\x2f\xcd\xdb\xd9\xe9\x14\x8e\x71\x6c\x1b\x48\xa3\x96\x7c\x87\x0c\x70\x14\x5d\x90\xed\x68\x1b\x3f\x8b\xce\x84\x9f\xee\x7f\x50\x09\x15\x70\x85\x4e\x20\x10\x37\x23\xe5\x64\x54\xe7\x11\x54\x3f\x6e\x2b\xe9\x2c\x34\x09\x0d\x8c\xc7\x92\x26\x0b\xe9\xb9\x60\xc1\xe4", 73); *(uint32_t*)0x20006c5c = 0x49; *(uint32_t*)0x20006c60 = 9; *(uint32_t*)0x20006c64 = 0x20006780; memcpy((void*)0x20006780, 
"\x17\xfa\xd5\x71\xf8\x0f\xec\xd3\x4a\x59\xbc\x03\xf6\xc0\x2b\xbd\x6d\x56\xcd\x8d\x95\x89\x24\xb4\xae\x41\x89\xb8\x8b\x85\x89\x7e\xfd\x4e\x59\x6e\x11\x18\xbb\x0c\x77\x1c\x2c\x5b\xa3\x7d\xed\x06\xd7\x81\x11\x39\x0c\x1c\x80\xcf\x6e\xa9\xdf\x87\x27\xf8\x85\x59\x81\x5e\xd7\x6b\x36\xfa\x13\xfb\x4d\x08\xe1\xcc\xda\xd7\x97\x3b\x5b\xec\x56\x55\xa7\x4a\x67\x1f\xde\x99\xee\x92\x39\x7c\x56\xd4\x09\xda\xdb\x10\xc4\xc3\x7e\xe9\x2c\xb4\x1d\x03\xae\x6f\xb1\x64\xe7\xf8\x69\x85\x03\x91\x28\xd3\x8b\xe8\x3b\x5e\x16\xc3\x5e\xe3\x4e\xb2\xb8\x39\x6c\x53\x48\x02\x87\x81\xa0\xa8\x79\xf8\x81\x59\x74\x0a\xb8\x97\x05\xd6\x37\xbe\xda\xfa\x91\x5f\x19\x5a\x15\x25\x97\xfa\x0d\x7d\xa9\xb7\x64\x76\x60\x2c\x6e\xee\xfc\xa1\xe8\x0a\x6d\x3d\x0e\xd1\xa7\x5b\x00\xf7\xa5\xe1\x53\xdd\x85\x1e\x23\x01\xc8\xda\xa7\xd4\x9b\x4a\xd9\x1c\x62\xd1\xa6\x96\x7f\x54\xcf\x96\x21\xc2\x40\xed\x58\x71\x92\xf6\x99\x59\xe0\x54\x07\x85\x0c\xe3\x83\x1c\x4e\x81\x1e\x6f\xff\x1c\xdf\x93\xcf\xab\xde\x88\x73\x58\x31\x68\x81\x84\x53\x56\xd7", 247); *(uint32_t*)0x20006c68 = 0xf7; *(uint32_t*)0x20006c6c = 0x26; *(uint32_t*)0x20006c70 = 0x20006880; memcpy((void*)0x20006880, "\xc2\x86\x96\x8e\x22\x38\x74\x2a\x47\xe0\xe8\xd4\x44\xa6\xa6\x61\xb7\x70\x82\x22\xf4\xed\xda\xb9\x7a\x74\x9d\xce\xbe\x2c\xc8\x3a\x31\x4b\x82\x87\x95\xf9\x15\xa3\x6d\x87\x3b\x71\x4a\xef\x15\xdd\xb1\xb4\xf6\x2f\x06\x80\x0b\xbe\x85\xea\xeb\xcb\x76\xab\xe9\x44\x71\x92\x49\xee\x79\x27\xc8\x8e\x78\xa9\x68\xe9\x3f\x45\xc5\x20\x13\xef\x97\xef\x6f\x98\x9b\x1d\x1c\xd3\x0f\xff\x88\x67\x79\x62\xc8\xf3\x05\x2a\xd0\xa4\x63\x1e\x4e\x75\x0b\xa8\x0f\x37\x53\x91\x6c\x2d\xff\xc6\xa4\x02\x3c\xdb\x62\xa1\xb5\xf2\xaf\xbb\x96\x5b\x2f\x78\xc5\xdd\x47\xaf\x90\xb0\x02\xda\x1a\x26\xa2\x4f\xcb\x99\xbf\x81\xfb\x29\x57\x4a\x2f\x98\x10\x7a\x79\x37\x63\x98\x73\xb9\x5f\x4a\x56\x9a\x04\x06\xcc\x35\x8b\x46\xef\xae\x58\x7e\x90\x08\xbe\x69\xd7\x11\xae\x20\x2c\x22\xe2\x9a\x2f\x61\x5f\xd2\x3d\xcf", 192); *(uint32_t*)0x20006c74 = 0xc0; *(uint32_t*)0x20006c78 = 0; *(uint32_t*)0x20006c7c = 0x20006940; 
memcpy((void*)0x20006940, "\x97\xfc\x4d\xd9\xdb\x67\x3e\x16\xfd\x0f\x0e\xb9\xa4\xa2\x6e\x2a\x49\xf4\x2e\x16\x16\x19\x0b\x06\x34\xdf\xd6\x13\x51\x45\xf4\xe4\x51\xbb\xba\xd5\x6d\xad\xf2\x66\x96\x4e\xba\x7d\x10\x07\xc0\xa2\x3f\x8c\xf0\x3d\x4f\x8f\xe0\x9a\x79\x89\x15\x2b\x7c\xf2\xec\x30\xf2\x69\x3a\x06\xbe\xfd\xf0\x23\xd7\x9f\x48\xc2\x08\xd7\x42\xc7\xb7\x59\x15\xbc\xc1\xbe\x58\x35\x17\xce\xd3\xb8\x26\xb9\x70\x75\xe6\x2a\x8e\xd1\x2d\xbb\x26\x48\x07\xc6\xff\xd0\x22\x76\x14\x49\x1f\xb9\xde\x0d\x8a\x92\x5a\x26\x38\xc3\x16\x08\xde\x40\x5b\xbf\x79\xe9\x6f\x17\x1f\xd5\x83\x38\xb1\xd6\x97\x9d\x33\xa7\xda\xe8\xad\x62\xf2\xba\x53\xfe\xfc\x3c", 152); *(uint32_t*)0x20006c80 = 0x98; *(uint32_t*)0x20006c84 = 0x20; *(uint32_t*)0x20006c88 = 0x20006a00; memcpy((void*)0x20006a00, "\x77\xd8\xd6\x06\xbf\xb4\x24\xe7\xb9\x95\x80\x9a\xb4\xf5\x59\x11\x5f\xd8\x2e\x97\x2d\x98\xb6\x51\xdf\xc6\x9b\x10\xdf\x60\x0f\xb4\xf7\x8e\xfd\x58\x6f\x9c\xc2\x6e\xdc\x41\xb1\xd2\xfa\xc8\x7e\xfe\x59\xe2\x62\x41\x1f\x27\xa9\x4c\xf7\x96\xed\x31\x23\x6b\x45\x7c\xa0\xf1\x47\x53\x0e\xfb\xd4\xcf\xa6\xb6\xa0\xfe\xe4\x6c\x25\xab\xcf\x7a\xd8\x28\x2a\xae\x52\x99\xe2\x99\x79\x9c\xd5\x2d\x0a\x58\xd7\xff\x9d\xdd\xd0\x10\x37\x24\xc8\x8d\xa9\x2d\xbe\xfa\xb6\x24\x80\x38\xab\xef\x9e\xc5\x22\x64\xaf\xc7\x48\x25\xf7\xea\x70\xb2\xca\x95\xd6\x90\x0f\x9b\x64\x7a\x3f\x98\x6e\x18\x28\x7c\xb2\xbf\x4b\x4c\x19\xef\xc8\xc2\x18\xfd\x90\x5c\x37\x27\xc8\x6c\x37\x02\x6b\xfb\xde\x3a\xf0\x78\xeb\x07\xb7\x98\xe6\xd3\xd8\xf2\xe4\xd5\xd3\xbc\x18\x8c\xdd\x20\xf2\xeb\xb1\x46\x1c\x5e\x53\xb0\x5f\x29\x89\xff\xac\x3b\x16\x8d\xee\x56\xda\x0f\xc0\x11\x97\x4c\x66\x0e\x40\x0a\xe2\xd8\xb2\xc8\x0a\xcb\x23\x15\x81\xee\x91\x76\x31\x29\xb2\x88\x8a\xeb\x12", 229); *(uint32_t*)0x20006c8c = 0xe5; *(uint32_t*)0x20006c90 = 0x800; *(uint32_t*)0x20006c94 = 0x20006b00; memcpy((void*)0x20006b00, "\x56\x0c\x1b\xea\x71\xb0\xf9\x72\x44\xfa\x38\x6d\x26\xbf\x6b\x1b\x04\x30\x8e\x4b\xc7\xff\xfa", 23); *(uint32_t*)0x20006c98 = 0x17; *(uint32_t*)0x20006c9c = 0x80000001; 
*(uint32_t*)0x20006ca0 = 0x20006b40; memcpy((void*)0x20006b40, "\x14\xe5\x5a\x14\xa7\x95\x33\x87\xee\x55\x33\x3c\x1d\x16\x94\xca\x98\xc7\x99\x9b\x49\x78\x86\x42\x76\x68\x05\xd6\xf5\xa2\x90\xeb\x1e\x95\x9e\xe3\x5a\x74\x04\x59\xe1\x33\x00\x26\x2f\x2a\xf9\xc3\x57\xf7\xa8\xc1\xcb\xa1\x87\xe4\x48\xbc\x3c\x8f\x86\x5c\xc9\xbe\x88\x62\x4f\xb0\xf0\xd0\xbb\x88\x5d\x9c\xc2\xab\xe1\x71\xa2\x47\x8a\x74\x20\xdb\x22\xe8\x60\x7e\x3f\xbe\xc7\xe2\x60\x1d\x9e\x11\x08\x6c\xfa\x8c\xf1\x4d\x99\x67\x6b\x67\x9d\x8d\x6b\xf1\xdd\x4f\xaa\xb8\xfe\x9a\x5f\x4e\x3f\x69\x5f\xe2\xe6\xab\xf0\x9f\x70\x26\x83\x80\x2d\x44\xcc\x3a\x29\x82\x55\xc4\xc5\x95\x33\x73\x1f\xf5\xb2\x3e\x05\x3a\xfb\x71\x6d\x58\xca\xd6\x67\x68\x6e\xe6\x47\xf4\x8e\x19\x9c\x9b\x5c\x3d\x0d\x2d\x47\x0f\x2c\xe1\xc5\xb8\xb5\x70\x8a\xe0\x23\xad\x98\x80\xca\xf3\x1d\x01\xf9\x6a\xeb\xbf\xcc\x7d\xf9\x53\x58\xa0\x16\xc5\x47\x1c\xc2\xce\x2c\xed\x61\x05\x05\x7c\x9d\x22\xc8\x16\x78\x90\xca\x19", 216); *(uint32_t*)0x20006ca4 = 0xd8; *(uint32_t*)0x20006ca8 = 0x400; syz_read_part_table(9, 9, 0x20006c40); break; case 41: *(uint8_t*)0x20006cc0 = 0x12; *(uint8_t*)0x20006cc1 = 1; *(uint16_t*)0x20006cc2 = 0x200; *(uint8_t*)0x20006cc4 = 0x62; *(uint8_t*)0x20006cc5 = 0xa5; *(uint8_t*)0x20006cc6 = 0xbe; *(uint8_t*)0x20006cc7 = 0x10; *(uint16_t*)0x20006cc8 = 0x2833; *(uint16_t*)0x20006cca = 0x211; *(uint16_t*)0x20006ccc = 0x37a4; *(uint8_t*)0x20006cce = 1; *(uint8_t*)0x20006ccf = 2; *(uint8_t*)0x20006cd0 = 3; *(uint8_t*)0x20006cd1 = 1; *(uint8_t*)0x20006cd2 = 9; *(uint8_t*)0x20006cd3 = 2; *(uint16_t*)0x20006cd4 = 0x6b4; *(uint8_t*)0x20006cd6 = 1; *(uint8_t*)0x20006cd7 = 0x20; *(uint8_t*)0x20006cd8 = 0; *(uint8_t*)0x20006cd9 = 0xa0; *(uint8_t*)0x20006cda = 1; *(uint8_t*)0x20006cdb = 9; *(uint8_t*)0x20006cdc = 4; *(uint8_t*)0x20006cdd = 0xdf; *(uint8_t*)0x20006cde = 0; *(uint8_t*)0x20006cdf = 0x10; *(uint8_t*)0x20006ce0 = -1; *(uint8_t*)0x20006ce1 = 1; *(uint8_t*)0x20006ce2 = 0; *(uint8_t*)0x20006ce3 = 5; *(uint8_t*)0x20006ce4 = 7; *(uint8_t*)0x20006ce5 = 
0x24; *(uint8_t*)0x20006ce6 = 1; *(uint8_t*)0x20006ce7 = 1; *(uint8_t*)0x20006ce8 = 1; *(uint16_t*)0x20006ce9 = 1; *(uint8_t*)0x20006ceb = 9; *(uint8_t*)0x20006cec = 0x24; *(uint8_t*)0x20006ced = 6; *(uint8_t*)0x20006cee = 0; *(uint8_t*)0x20006cef = 0; memcpy((void*)0x20006cf0, "\xfd\x50\x65\x08", 4); *(uint8_t*)0x20006cf4 = 5; *(uint8_t*)0x20006cf5 = 0x24; *(uint8_t*)0x20006cf6 = 0; *(uint16_t*)0x20006cf7 = 3; *(uint8_t*)0x20006cf9 = 0xd; *(uint8_t*)0x20006cfa = 0x24; *(uint8_t*)0x20006cfb = 0xf; *(uint8_t*)0x20006cfc = 1; *(uint32_t*)0x20006cfd = 0x40000000; *(uint16_t*)0x20006d01 = 8; *(uint16_t*)0x20006d03 = 0x4cc5; *(uint8_t*)0x20006d05 = 0x7f; *(uint8_t*)0x20006d06 = 7; *(uint8_t*)0x20006d07 = 0x24; *(uint8_t*)0x20006d08 = 0xa; *(uint8_t*)0x20006d09 = 8; *(uint8_t*)0x20006d0a = 0x3f; *(uint8_t*)0x20006d0b = 0; *(uint8_t*)0x20006d0c = 0x81; *(uint8_t*)0x20006d0d = 0x10; *(uint8_t*)0x20006d0e = 0x24; *(uint8_t*)0x20006d0f = 7; *(uint8_t*)0x20006d10 = 0x80; *(uint16_t*)0x20006d11 = 5; *(uint16_t*)0x20006d13 = 0x44; *(uint16_t*)0x20006d15 = 2; *(uint16_t*)0x20006d17 = 0x800; *(uint16_t*)0x20006d19 = 0x101; *(uint16_t*)0x20006d1b = 4; *(uint8_t*)0x20006d1d = 4; *(uint8_t*)0x20006d1e = 0x24; *(uint8_t*)0x20006d1f = 2; *(uint8_t*)0x20006d20 = 4; *(uint8_t*)0x20006d21 = 8; *(uint8_t*)0x20006d22 = 0x24; *(uint8_t*)0x20006d23 = 0x1c; *(uint16_t*)0x20006d24 = 0; *(uint8_t*)0x20006d26 = 0xc0; *(uint16_t*)0x20006d27 = 0x5325; *(uint8_t*)0x20006d29 = 6; *(uint8_t*)0x20006d2a = 0x24; *(uint8_t*)0x20006d2b = 0x1a; *(uint16_t*)0x20006d2c = 0x7f; *(uint8_t*)0x20006d2e = 0; *(uint8_t*)0x20006d2f = 9; *(uint8_t*)0x20006d30 = 5; *(uint8_t*)0x20006d31 = 5; *(uint8_t*)0x20006d32 = 0; *(uint16_t*)0x20006d33 = 0xb5a2; *(uint8_t*)0x20006d35 = 6; *(uint8_t*)0x20006d36 = 0; *(uint8_t*)0x20006d37 = 5; *(uint8_t*)0x20006d38 = 7; *(uint8_t*)0x20006d39 = 0x25; *(uint8_t*)0x20006d3a = 1; *(uint8_t*)0x20006d3b = 0x82; *(uint8_t*)0x20006d3c = 0xe9; *(uint16_t*)0x20006d3d = 0xf000; 
*(uint8_t*)0x20006d3f = 9; *(uint8_t*)0x20006d40 = 5; *(uint8_t*)0x20006d41 = 0xe; *(uint8_t*)0x20006d42 = 2; *(uint16_t*)0x20006d43 = 0x200; *(uint8_t*)0x20006d45 = 8; *(uint8_t*)0x20006d46 = 7; *(uint8_t*)0x20006d47 = 0x40; *(uint8_t*)0x20006d48 = 9; *(uint8_t*)0x20006d49 = 5; *(uint8_t*)0x20006d4a = 0; *(uint8_t*)0x20006d4b = 0x7e; *(uint16_t*)0x20006d4c = 0x200; *(uint8_t*)0x20006d4e = 8; *(uint8_t*)0x20006d4f = 3; *(uint8_t*)0x20006d50 = 1; *(uint8_t*)0x20006d51 = 0x9b; *(uint8_t*)0x20006d52 = 0x21; memcpy((void*)0x20006d53, "\xf2\xef\x0a\x5c\x06\x9c\xdb\x31\x91\x38\xe1\x85\x06\x1d\x7e\x19\x6a\xe9\x4e\x53\x5d\x80\xf2\x76\x66\xfb\xa2\x3b\x37\x43\x25\xf1\x5d\xc5\xf2\x08\x12\xfe\x05\xb0\x62\x0f\x6f\xfc\xb8\x10\x03\xb1\xf3\x9c\x5d\xcd\x1b\xff\x14\xe2\xbb\xeb\x38\x73\x35\xa3\x53\x4f\x5a\xdb\x60\xff\xc4\xf2\x85\x95\xc8\xf9\x92\xf7\x7f\xd5\xf6\x7a\x04\x84\x2b\x9c\x43\x64\xe3\x55\x6b\xe9\xba\xcb\x8f\xd5\x6e\xd7\x78\x59\x29\x11\x53\xf6\xc5\x66\x02\x63\x63\xbf\xa5\xf2\xe6\xff\x2f\xa6\xd2\x93\x17\xf2\xd5\x62\x44\x53\x64\x93\x99\x15\xa7\x5d\xd7\x36\x5f\x6a\xb9\xc1\x5d\xdb\xc7\xc3\xa4\x5f\x7e\xb9\x8f\xd1\xfe\xa3\x55\x1b\xbd\x46\xf2\x0a\x87", 153); *(uint8_t*)0x20006dec = 9; *(uint8_t*)0x20006ded = 5; *(uint8_t*)0x20006dee = 0x80; *(uint8_t*)0x20006def = 1; *(uint16_t*)0x20006df0 = 0x3ff; *(uint8_t*)0x20006df2 = 1; *(uint8_t*)0x20006df3 = 0x20; *(uint8_t*)0x20006df4 = 0xef; *(uint8_t*)0x20006df5 = 0xec; *(uint8_t*)0x20006df6 = 6; memcpy((void*)0x20006df7, 
"\xf6\x42\x24\x6a\x53\x72\x99\x1d\xb9\x7e\x58\x24\xa4\x10\xe2\x83\x00\xd3\xbd\x15\x36\x38\xf6\xda\xc6\xe1\x18\x9a\x0c\x56\x0a\x0a\x0e\x5f\x8b\x15\xe0\x78\x79\xac\x95\x01\x65\x15\x20\x26\x46\xa7\xb5\xb5\xfc\x74\xb7\xcd\x40\xd5\x15\xb2\x84\x9d\x8c\x1d\xd9\xae\x4f\xca\x16\xc2\xe6\xcf\x0e\x8a\x20\xce\x54\xf0\x5f\xa1\x23\xc0\x19\x20\x8c\xb3\x4b\x5e\xe5\x61\xc2\x74\xea\x40\xa7\xb3\x4e\x58\x13\xa4\xa2\x9b\xe4\x08\x17\xeb\x1f\x7b\x3e\x9b\xef\x60\xf7\xc5\x66\x57\x48\x12\x36\xb9\x3e\x2c\x29\x7f\x17\xc7\x76\xb9\x8f\x1d\x0c\x8f\x2a\x56\x44\x77\x66\xc7\x28\x8b\xa6\xb1\xe3\x85\xb8\x4a\x51\x6a\x98\xab\x72\x9b\xa7\x0e\x31\xfe\xe3\xaa\xb1\x01\xd5\x90\xa4\x48\x1a\xe5\x85\x63\x26\xc6\x82\x5b\x73\xc7\xae\x7d\x3b\x99\xcb\x3c\x59\xdb\x31\xa1\x27\x26\x23\x4b\x90\x05\x84\xe8\xdb\x77\x93\x52\x18\x8d\x12\xc9\x32\xd4\xaa\xcb\x59\xee\xf3\x3d\x33\xb9\x55\x05\x10\xcf\x2b\x49\xda\x74\x7e\x03\x1c\x83\x11\x7b\x51\x1a\x1b\xb9\x3e\xd7\x6c\x71\x6e\x6a\x02\x54", 234); *(uint8_t*)0x20006ee1 = 7; *(uint8_t*)0x20006ee2 = 0x25; *(uint8_t*)0x20006ee3 = 1; *(uint8_t*)0x20006ee4 = 0; *(uint8_t*)0x20006ee5 = 6; *(uint16_t*)0x20006ee6 = 0x40; *(uint8_t*)0x20006ee8 = 9; *(uint8_t*)0x20006ee9 = 5; *(uint8_t*)0x20006eea = 1; *(uint8_t*)0x20006eeb = 0; *(uint16_t*)0x20006eec = 0x100; *(uint8_t*)0x20006eee = 0xfe; *(uint8_t*)0x20006eef = 8; *(uint8_t*)0x20006ef0 = 0x37; *(uint8_t*)0x20006ef1 = 0xe9; *(uint8_t*)0x20006ef2 = 0x23; memcpy((void*)0x20006ef3, 
"\x1a\x0e\x35\x42\x85\x7d\x49\xea\x63\xb7\x26\x1e\xbf\xc1\x9f\x14\x27\x2e\x28\x4d\x26\x65\xd2\x79\x5e\x43\xf6\xf9\xca\x62\x77\x6c\x9e\xe5\x2d\x99\x18\x79\xd7\xd6\x7b\x4d\x8b\x27\x0f\xd5\x15\x98\xbe\xac\x1c\x03\x39\xb2\x25\x7a\xd6\x8c\x1d\xde\x54\x88\x5a\xe2\xd2\x19\xb8\x7c\xde\x15\x9a\x98\x97\xc8\x8b\xda\x26\xe0\x8a\x36\x91\x05\x50\x22\x73\x9c\x1f\xe6\x4a\xdb\x98\x63\x9d\xc2\x54\x21\xc4\x49\xcf\x36\x48\x00\xc4\xc3\x65\x06\x2f\x24\x88\xe6\x90\x1e\x56\xe6\x2f\x4b\x70\x3e\xae\x7a\xf2\x62\x98\xa1\xee\xe1\xbf\xe6\x2d\x9b\x2a\xe3\x53\x20\xae\x2b\xaf\x17\x4e\x94\xff\x55\x32\x10\x97\xbe\x81\xe0\x27\x9f\x5d\x0a\xa8\x4d\xd1\x8c\xa0\x86\x4d\x98\xd0\xed\xbb\xea\xa1\x9d\xdf\x36\x26\xfd\x83\xa2\xe2\xb5\xf6\x76\xa7\x34\xd4\x78\x4b\x3c\x68\x77\xfd\x1b\xb3\xc9\x54\x3d\xf7\xab\xda\x9b\xd9\xc9\xbe\x40\x59\x49\x74\x7e\x21\x07\x3c\x18\x95\x7f\xff\x0e\xaa\xc0\x27\x3c\xfd\x3f\x70\x2c\xb6\x55\x97\x94\x9a\x17\x27\x26\xf7\xe4\x59\x53\x6c", 231); *(uint8_t*)0x20006fda = 0x18; *(uint8_t*)0x20006fdb = 0x10; memcpy((void*)0x20006fdc, "\xa0\x28\x90\x17\xf3\xf4\x33\xf1\x10\x59\x48\x9a\x61\x11\x58\x23\xe1\x13\x8a\xe8\x4a\x34", 22); *(uint8_t*)0x20006ff2 = 9; *(uint8_t*)0x20006ff3 = 5; *(uint8_t*)0x20006ff4 = 0xe; *(uint8_t*)0x20006ff5 = 4; *(uint16_t*)0x20006ff6 = 0x10; *(uint8_t*)0x20006ff8 = 0x67; *(uint8_t*)0x20006ff9 = 3; *(uint8_t*)0x20006ffa = 8; *(uint8_t*)0x20006ffb = 7; *(uint8_t*)0x20006ffc = 0x25; *(uint8_t*)0x20006ffd = 1; *(uint8_t*)0x20006ffe = 1; *(uint8_t*)0x20006fff = 0x80; *(uint16_t*)0x20007000 = 0x2e6; *(uint8_t*)0x20007002 = 9; *(uint8_t*)0x20007003 = 5; *(uint8_t*)0x20007004 = 0xd; *(uint8_t*)0x20007005 = 4; *(uint16_t*)0x20007006 = 0x200; *(uint8_t*)0x20007008 = 0x48; *(uint8_t*)0x20007009 = 0x35; *(uint8_t*)0x2000700a = 8; *(uint8_t*)0x2000700b = 0xe5; *(uint8_t*)0x2000700c = 5; memcpy((void*)0x2000700d, 
"\x30\xef\xe9\xc1\xa6\xe5\xc8\x9c\x20\x31\x21\x4c\x60\xfb\xbe\xaa\x45\x78\x09\x1e\x38\x00\x9c\x76\x1d\x15\x77\x48\x02\x93\x4c\xfd\x36\x35\x5b\x35\x18\xcc\xfe\x59\xfa\x5e\x7c\xce\xe3\xc1\x3a\xc4\xaf\xfb\xe0\x73\xe0\xe7\x88\xc9\xb5\xe3\x22\x16\xef\xbf\x02\xe3\x58\x69\xd7\xb2\x33\xa3\x89\xf8\x12\xbf\xd8\x49\x43\x3c\x32\x84\x66\xed\xa5\xe0\xe3\x23\x75\x29\xcd\xc6\x5e\x4e\xee\x74\x3d\x31\xff\xc1\x86\xa1\xfe\x79\x4b\xdf\x13\x64\xf3\x1e\xae\xff\x39\x82\x9e\x8f\x61\x44\x85\x0d\x74\x70\xcc\x71\x57\x2d\x1f\x2f\x23\xdc\xcd\xbc\xdd\x99\xe4\x93\x0d\xe7\xed\xbf\x59\xb3\x38\xdb\x34\x90\x30\x5f\xd7\x71\x02\x57\x98\x0b\x7f\x76\xb8\xda\xea\xcb\x2a\xd6\x18\x13\x1f\xb9\xb5\xa3\xe0\x26\xc9\xdd\xbd\x69\x48\x3c\xd7\x94\xca\xad\x29\xf2\xe3\xb6\x31\x24\xa9\x52\xb4\x62\xde\x0c\xd9\x51\xd7\xef\xd9\xb3\xb2\x91\x07\xb6\x41\x41\x7e\x77\x83\xd9\x01\x59\x13\x7f\xa5\x27\x3a\x95\xe0\xcc\x46\xc9\x7c\x22\x46\xe6\x11\xac\xb1\x4b\x4d", 227); *(uint8_t*)0x200070f0 = 9; *(uint8_t*)0x200070f1 = 5; *(uint8_t*)0x200070f2 = 3; *(uint8_t*)0x200070f3 = 0x10; *(uint16_t*)0x200070f4 = 8; *(uint8_t*)0x200070f6 = 0; *(uint8_t*)0x200070f7 = 0x33; *(uint8_t*)0x200070f8 = 9; *(uint8_t*)0x200070f9 = 9; *(uint8_t*)0x200070fa = 5; *(uint8_t*)0x200070fb = 2; *(uint8_t*)0x200070fc = 0xc; *(uint16_t*)0x200070fd = 0x400; *(uint8_t*)0x200070ff = 0xed; *(uint8_t*)0x20007100 = 7; *(uint8_t*)0x20007101 = 9; *(uint8_t*)0x20007102 = 0x84; *(uint8_t*)0x20007103 = 0x31; memcpy((void*)0x20007104, "\xee\x4c\xd2\x19\x15\x4d\xf4\x91\xc4\xd3\x2a\xa3\x21\x12\xcf\xf4\x07\x51\x1b\x06\xb1\x7f\x74\x34\x09\xec\xc2\x16\xc3\x1e\x92\xce\xfa\x2b\x5c\xc5\x9e\x63\x4d\x7a\xeb\xa2\xc9\xe5\xe3\x6d\x8e\xfa\xdc\x02\x55\x17\x25\x18\xf9\x09\xb4\xe1\xa7\xda\xf4\xd9\x88\xb1\xee\xaf\x19\x6c\x76\xee\x90\x2b\x65\x7d\x12\xfc\x23\xc2\x1e\x17\x6c\xd1\x49\xe9\x8a\x8d\x8d\x57\x55\xb7\x4f\xed\x1a\x42\x84\xbc\xfd\x6e\x69\x61\x95\x1f\xf8\x21\x6f\x7b\xb4\x2f\x79\x0e\xdd\x53\x9c\x1b\xc5\xbb\xac\x44\xf7\x67\xa6\x85\xc5\x7c\xbb\xde\xc8\x30\xc5\x2c", 130); 
*(uint8_t*)0x20007186 = 7; *(uint8_t*)0x20007187 = 0x25; *(uint8_t*)0x20007188 = 1; *(uint8_t*)0x20007189 = 0x83; *(uint8_t*)0x2000718a = 1; *(uint16_t*)0x2000718b = 0xfe01; *(uint8_t*)0x2000718d = 9; *(uint8_t*)0x2000718e = 5; *(uint8_t*)0x2000718f = 3; *(uint8_t*)0x20007190 = 0; *(uint16_t*)0x20007191 = 0x40; *(uint8_t*)0x20007193 = 2; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 9; *(uint8_t*)0x20007197 = 5; *(uint8_t*)0x20007198 = 0; *(uint8_t*)0x20007199 = 0; *(uint16_t*)0x2000719a = 0x400; *(uint8_t*)0x2000719c = 0; *(uint8_t*)0x2000719d = 0x2f; *(uint8_t*)0x2000719e = 4; *(uint8_t*)0x2000719f = 9; *(uint8_t*)0x200071a0 = 5; *(uint8_t*)0x200071a1 = 0x8f; *(uint8_t*)0x200071a2 = 8; *(uint16_t*)0x200071a3 = 8; *(uint8_t*)0x200071a5 = 0x81; *(uint8_t*)0x200071a6 = 1; *(uint8_t*)0x200071a7 = 0x7f; *(uint8_t*)0x200071a8 = 7; *(uint8_t*)0x200071a9 = 0x25; *(uint8_t*)0x200071aa = 1; *(uint8_t*)0x200071ab = 0; *(uint8_t*)0x200071ac = 9; *(uint16_t*)0x200071ad = 0xfb; *(uint8_t*)0x200071af = 7; *(uint8_t*)0x200071b0 = 0x25; *(uint8_t*)0x200071b1 = 1; *(uint8_t*)0x200071b2 = 0x81; *(uint8_t*)0x200071b3 = 7; *(uint16_t*)0x200071b4 = 3; *(uint8_t*)0x200071b6 = 9; *(uint8_t*)0x200071b7 = 5; *(uint8_t*)0x200071b8 = 2; *(uint8_t*)0x200071b9 = 0; *(uint16_t*)0x200071ba = 0x400; *(uint8_t*)0x200071bc = 0x40; *(uint8_t*)0x200071bd = 0x76; *(uint8_t*)0x200071be = 3; *(uint8_t*)0x200071bf = 7; *(uint8_t*)0x200071c0 = 0x25; *(uint8_t*)0x200071c1 = 1; *(uint8_t*)0x200071c2 = 0x80; *(uint8_t*)0x200071c3 = 0x31; *(uint16_t*)0x200071c4 = 8; *(uint8_t*)0x200071c6 = 9; *(uint8_t*)0x200071c7 = 5; *(uint8_t*)0x200071c8 = 0xf; *(uint8_t*)0x200071c9 = 0x10; *(uint16_t*)0x200071ca = 0x3ff; *(uint8_t*)0x200071cc = 6; *(uint8_t*)0x200071cd = 0xb2; *(uint8_t*)0x200071ce = 6; *(uint8_t*)0x200071cf = 7; *(uint8_t*)0x200071d0 = 0x25; *(uint8_t*)0x200071d1 = 1; *(uint8_t*)0x200071d2 = 0x82; *(uint8_t*)0x200071d3 = 0x80; *(uint16_t*)0x200071d4 = 6; 
*(uint8_t*)0x200071d6 = 9; *(uint8_t*)0x200071d7 = 5; *(uint8_t*)0x200071d8 = 0xf; *(uint8_t*)0x200071d9 = 0x10; *(uint16_t*)0x200071da = 0x200; *(uint8_t*)0x200071dc = 6; *(uint8_t*)0x200071dd = 6; *(uint8_t*)0x200071de = 0xca; *(uint8_t*)0x200071df = 7; *(uint8_t*)0x200071e0 = 0x25; *(uint8_t*)0x200071e1 = 1; *(uint8_t*)0x200071e2 = 0x81; *(uint8_t*)0x200071e3 = 0x20; *(uint16_t*)0x200071e4 = 3; *(uint8_t*)0x200071e6 = 9; *(uint8_t*)0x200071e7 = 5; *(uint8_t*)0x200071e8 = 0x80; *(uint8_t*)0x200071e9 = 0x10; *(uint16_t*)0x200071ea = 0x400; *(uint8_t*)0x200071ec = 1; *(uint8_t*)0x200071ed = 0xfc; *(uint8_t*)0x200071ee = 4; *(uint8_t*)0x200071ef = 0xd4; *(uint8_t*)0x200071f0 = 0x21; memcpy((void*)0x200071f1, "\x28\xa1\xdf\xa1\xd2\x8f\x9a\xe6\x0d\x0a\x8e\x9e\x3c\x51\x2d\xb3\x53\x69\xd4\x79\xfa\x6e\x6a\xa0\x99\xe2\x67\xe1\xce\xd7\x7c\xa2\xe1\x80\xb4\x29\x77\x90\x23\xa8\x72\xb0\xef\x88\x07\xe1\x1f\x8b\x8b\x21\xb8\x11\xd4\xfe\x55\x27\x33\x5c\xe8\x6e\x3a\x95\xcd\xf9\x60\xd1\xe7\x9e\x88\xc2\x76\xc1\x74\xd1\x83\xd2\xf3\xbc\x08\x62\xdd\x7e\x1d\x29\xac\x58\x9c\xeb\x22\x02\x4e\x25\xa4\x4c\x3e\x81\x23\x58\x1d\x14\x48\xfd\x2d\xb5\x33\x2f\xe4\x1c\x23\xf9\xaa\x95\x95\x64\xf3\x2d\xb1\xda\x14\x61\x04\x15\xdd\xc2\x93\xdc\x57\xc9\xd6\xc7\x75\xd2\x21\x51\xbd\xab\x23\x6a\x5a\x73\x59\x2e\x55\x18\x05\x57\x28\xae\x81\x9e\x25\xc0\x80\xcb\xb9\xbf\x02\x03\xb6\x63\x9b\x8f\xd8\xd7\x16\xd9\xc5\x71\xd6\xb2\x60\xea\x29\x77\x33\xd5\x3c\x3a\x05\x44\x9b\x9b\x92\x21\xd0\xf4\x02\x61\x0c\x98\x37\x18\x9f\x9c\x6a\xb3\xba\xaf\x03\x1d\x48\x69\x26\x90\xc9\x98\x1c\xee\x14\x26", 210); *(uint8_t*)0x200072c3 = 0xc3; *(uint8_t*)0x200072c4 = 6; memcpy((void*)0x200072c5, 
"\x60\xed\x98\x57\x6f\xbb\xbe\xe3\xdb\x67\xd5\x35\xea\x7e\x1a\x19\xd9\x2d\x68\x9e\x2f\x03\x30\x8a\x61\x5a\x56\x41\xe7\x2e\x69\x4d\x99\x6f\x76\xc1\x11\x1c\x88\xc5\x07\xc3\x9a\x87\xf3\x4a\x36\x82\xda\xfb\xfe\x58\x3b\x79\xf5\xb9\x50\xa3\x06\x14\x16\x2c\x60\x5f\x7e\x6c\x5d\x45\x2b\x4f\x84\xa1\x45\xf2\x0b\xf4\x47\x0d\xdf\x43\xf0\x6c\x41\x5d\xc6\xc4\x15\x51\xfd\x45\x8b\xa6\xae\xdf\x57\xd7\x4c\xb8\x5a\x25\xe4\x33\x24\x81\x4b\x62\xc3\xbe\x41\x08\xb1\xea\x5b\x9d\xd2\x2a\x78\xa4\x5c\xdf\x5d\x8f\x27\xc1\x1f\x35\x02\x6b\xf7\xef\x10\xc7\xd1\xf0\x61\x5f\xe1\xc4\x4a\x30\x2a\x84\xd8\x8b\x8d\x6c\x2d\x85\x04\x9c\x9f\x48\xa0\x4b\x4e\x61\x80\x1c\x01\x7f\x60\x9b\x67\x3f\xc8\x29\x0f\x73\x62\xa0\xed\x35\x88\x2a\x33\x5b\x65\x7f\x83\x5f\xce\x8e\x20\x10\x0c\xde\x82\xc1\xa3\xdc\x18\x06\x11", 193); *(uint32_t*)0x20007740 = 0xa; *(uint32_t*)0x20007744 = 0x200073c0; *(uint8_t*)0x200073c0 = 0xa; *(uint8_t*)0x200073c1 = 6; *(uint16_t*)0x200073c2 = 0x310; *(uint8_t*)0x200073c4 = 5; *(uint8_t*)0x200073c5 = 0x80; *(uint8_t*)0x200073c6 = -1; *(uint8_t*)0x200073c7 = 0xbf; *(uint8_t*)0x200073c8 = 5; *(uint8_t*)0x200073c9 = 0; *(uint32_t*)0x20007748 = 5; *(uint32_t*)0x2000774c = 0x20007400; *(uint8_t*)0x20007400 = 5; *(uint8_t*)0x20007401 = 0xf; *(uint16_t*)0x20007402 = 5; *(uint8_t*)0x20007404 = 0; *(uint32_t*)0x20007750 = 5; *(uint32_t*)0x20007754 = 0xa8; *(uint32_t*)0x20007758 = 0x20007440; *(uint8_t*)0x20007440 = 0xa8; *(uint8_t*)0x20007441 = 3; memcpy((void*)0x20007442, 
"\x05\x84\xbd\xdc\x14\x96\x71\xf9\xe6\xc6\xcd\x12\x3b\x79\x6c\xaf\xe2\xeb\x5d\x2b\xd3\xcf\x65\xe3\xeb\x0f\x3a\x60\x1a\xba\x71\x64\x71\x3d\x40\x42\x65\x3f\x2c\xca\x18\x22\x07\xd4\xe7\xff\xa8\xbc\x71\xe7\x05\xaa\x48\xbc\xff\x03\xfd\xdd\x2e\x3e\x6b\xeb\xe1\x1c\xb6\x1f\x95\xfa\xf1\x4a\xfd\xf2\x94\x40\x02\x1e\x85\x1f\xb6\x82\xaa\x24\xe6\x24\xe8\x33\x95\x2d\xb6\xd1\xf9\x6a\xa7\xed\xfc\x74\xce\x50\x13\x59\x69\x4c\x75\x83\xeb\x5e\x48\xdf\xe2\x27\xd2\x10\x5d\x5e\x3d\x23\x59\xe3\xc7\x28\xa4\x8a\xdf\xf0\x9b\x11\x32\xf9\x28\x89\x3c\xee\xfa\xe6\x77\x00\x98\x3b\xe1\xca\x94\xe8\x18\xe7\xa1\x46\x3c\x80\x2f\x1f\xc2\xa7\x2d\x40\x90\x09\x33\x40\x3d\x7b\x25\x5a\x35\xd9\xdc\x33", 166); *(uint32_t*)0x2000775c = 4; *(uint32_t*)0x20007760 = 0x20007500; *(uint8_t*)0x20007500 = 4; *(uint8_t*)0x20007501 = 3; *(uint16_t*)0x20007502 = 0x42c; *(uint32_t*)0x20007764 = 0xf4; *(uint32_t*)0x20007768 = 0x20007540; *(uint8_t*)0x20007540 = 0xf4; *(uint8_t*)0x20007541 = 3; memcpy((void*)0x20007542, "\x1c\x53\x71\x17\xdc\x72\x0a\xf3\xcc\xf1\x08\x68\x7c\x86\xcb\x54\x4b\xc8\x85\x37\x9e\x43\x5d\xbb\x86\x1b\xc9\xa0\x15\x50\x59\x2e\x60\x08\xae\x94\xa1\xf9\x83\x17\xad\x9c\xd8\x04\x01\x6b\x07\x9b\x5e\xc2\x94\xdc\xaf\x45\x37\xcf\x5b\x68\xc3\xc4\x35\x37\x54\xca\xf3\x69\xba\x34\x10\x1c\xbd\x21\x92\x6b\x15\xce\xf6\x7a\xb6\x3e\xad\x40\xab\xfb\xef\x86\x7b\x37\x2f\xe2\x78\x18\x66\xf8\x7a\x2d\xcc\xf9\x8f\xfe\x66\x53\x1c\x1d\x50\x21\x40\x6c\x69\xce\x84\xb4\x39\x13\x0c\xac\x71\xf5\x25\x64\xb7\xc8\xfa\x62\x1d\x71\xd5\xff\x00\x15\x17\x59\x3f\x05\x9d\xa0\xcb\x82\xf1\xfd\x5e\x32\x7d\xf9\xab\xec\x49\x46\xe3\x4e\x20\xd3\xf1\xdf\x8f\x4a\x04\x22\xf9\xbb\x53\x89\x49\xb4\xa1\x4d\x1b\x3a\xfd\x67\x93\xe8\x1d\x3b\xa5\x96\xd1\x6d\x8c\xee\x0e\x70\x03\x14\xe5\x31\xe6\x02\xfe\x5c\xb8\x32\xb2\x2c\x7a\x2f\x9f\x36\xf3\x9d\x05\x38\x76\x47\x81\x57\xd5\x41\xe8\xc0\x97\x7a\x9a\xca\xf6\x91\xf1\x23\x4f\x66\x5d\x23\x4f\x82\xee\x90\xff\x89\x82\xd9\xc1\x37\x1a\x15\xdd\xc8\xed\x23\x92\xdd\x5a\x96", 242); *(uint32_t*)0x2000776c = 0x98; 
*(uint32_t*)0x20007770 = 0x20007640; *(uint8_t*)0x20007640 = 0x98; *(uint8_t*)0x20007641 = 3; memcpy((void*)0x20007642, "\x07\x8c\xbe\xfd\x67\x79\x6b\x8d\x00\xc6\xa0\x27\xe5\xd0\x7b\xc3\xb0\x07\x56\xac\xaf\xb9\x09\x6e\x3e\x38\x1a\x99\xfd\xbe\x8a\x51\x61\xca\x19\xa9\x62\x8d\x61\xba\xef\xd6\x97\x2b\x48\xf5\xe0\x4b\x0f\xa6\xe2\xb9\x9c\xca\x8d\xf5\xb5\x0d\xbd\x97\xd6\x56\xc0\x2f\x85\x83\xa5\x8c\xe8\xcb\xd3\x5c\x69\xfb\x3f\x86\xde\x0d\xda\xc9\x0f\x5b\xe8\xd4\xf0\x4a\x3a\xd4\xf3\x12\x93\xb5\x09\x95\x91\x39\xbe\xa0\xf3\x06\x7d\x0e\xbf\xa3\xc5\xb2\x10\xe1\x99\x30\x78\xb0\xae\x92\x95\x61\xfc\x77\x34\x86\x9b\x3d\xd8\xd8\x12\xc0\x0a\x30\x35\x23\x61\x66\xa3\x12\x27\xae\x29\x1e\x69\x6a\xb4\xf8\x1f\x4e\x3f\x02\xd6\xb2\xf3\x34", 150); *(uint32_t*)0x20007774 = 4; *(uint32_t*)0x20007778 = 0x20007700; *(uint8_t*)0x20007700 = 4; *(uint8_t*)0x20007701 = 3; *(uint16_t*)0x20007702 = 0x43e; syz_usb_connect(2, 0x6c6, 0x20006cc0, 0x20007740); break; case 42: *(uint8_t*)0x20007780 = 0x12; *(uint8_t*)0x20007781 = 1; *(uint16_t*)0x20007782 = 0x200; *(uint8_t*)0x20007784 = -1; *(uint8_t*)0x20007785 = -1; *(uint8_t*)0x20007786 = -1; *(uint8_t*)0x20007787 = 0x40; *(uint16_t*)0x20007788 = 0xcf3; *(uint16_t*)0x2000778a = 0x9271; *(uint16_t*)0x2000778c = 0x108; *(uint8_t*)0x2000778e = 1; *(uint8_t*)0x2000778f = 2; *(uint8_t*)0x20007790 = 3; *(uint8_t*)0x20007791 = 1; *(uint8_t*)0x20007792 = 9; *(uint8_t*)0x20007793 = 2; *(uint16_t*)0x20007794 = 0x48; *(uint8_t*)0x20007796 = 1; *(uint8_t*)0x20007797 = 1; *(uint8_t*)0x20007798 = 0; *(uint8_t*)0x20007799 = 0x80; *(uint8_t*)0x2000779a = 0xfa; *(uint8_t*)0x2000779b = 9; *(uint8_t*)0x2000779c = 4; *(uint8_t*)0x2000779d = 0; *(uint8_t*)0x2000779e = 0; *(uint8_t*)0x2000779f = 6; *(uint8_t*)0x200077a0 = -1; *(uint8_t*)0x200077a1 = 0; *(uint8_t*)0x200077a2 = 0; *(uint8_t*)0x200077a3 = 0; *(uint8_t*)0x200077a4 = 9; *(uint8_t*)0x200077a5 = 5; *(uint8_t*)0x200077a6 = 1; *(uint8_t*)0x200077a7 = 2; *(uint16_t*)0x200077a8 = 0x200; *(uint8_t*)0x200077aa = 0; 
*(uint8_t*)0x200077ab = 0; *(uint8_t*)0x200077ac = 0; *(uint8_t*)0x200077ad = 9; *(uint8_t*)0x200077ae = 5; *(uint8_t*)0x200077af = 0x82; *(uint8_t*)0x200077b0 = 2; *(uint16_t*)0x200077b1 = 0x200; *(uint8_t*)0x200077b3 = 0; *(uint8_t*)0x200077b4 = 0; *(uint8_t*)0x200077b5 = 0; *(uint8_t*)0x200077b6 = 9; *(uint8_t*)0x200077b7 = 5; *(uint8_t*)0x200077b8 = 0x83; *(uint8_t*)0x200077b9 = 3; *(uint16_t*)0x200077ba = 0x40; *(uint8_t*)0x200077bc = 1; *(uint8_t*)0x200077bd = 0; *(uint8_t*)0x200077be = 0; *(uint8_t*)0x200077bf = 9; *(uint8_t*)0x200077c0 = 5; *(uint8_t*)0x200077c1 = 4; *(uint8_t*)0x200077c2 = 3; *(uint16_t*)0x200077c3 = 0x40; *(uint8_t*)0x200077c5 = 1; *(uint8_t*)0x200077c6 = 0; *(uint8_t*)0x200077c7 = 0; *(uint8_t*)0x200077c8 = 9; *(uint8_t*)0x200077c9 = 5; *(uint8_t*)0x200077ca = 5; *(uint8_t*)0x200077cb = 2; *(uint16_t*)0x200077cc = 0x200; *(uint8_t*)0x200077ce = 0; *(uint8_t*)0x200077cf = 0; *(uint8_t*)0x200077d0 = 0; *(uint8_t*)0x200077d1 = 9; *(uint8_t*)0x200077d2 = 5; *(uint8_t*)0x200077d3 = 6; *(uint8_t*)0x200077d4 = 2; *(uint16_t*)0x200077d5 = 0x200; *(uint8_t*)0x200077d7 = 0; *(uint8_t*)0x200077d8 = 0; *(uint8_t*)0x200077d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007780, 0); if (res != -1) r[22] = res; break; case 43: *(uint32_t*)0x200079c0 = 0x18; *(uint32_t*)0x200079c4 = 0x20007800; *(uint8_t*)0x20007800 = 0x20; *(uint8_t*)0x20007801 = 0x11; *(uint32_t*)0x20007802 = 0xb7; *(uint8_t*)0x20007806 = 0xb7; *(uint8_t*)0x20007807 = 9; memcpy((void*)0x20007808, 
"\x72\xf5\x91\xba\x5c\x69\x4f\x16\xa4\xd9\x20\x75\xef\x3e\xc8\xbc\x46\x92\x09\x54\x79\x9e\xc8\xd3\xc0\x30\x8f\x3b\x47\x79\xda\x6e\x18\xe9\x82\x4a\x86\x74\x6d\x01\x3a\x39\x9a\xfc\x7f\x6f\xce\xb6\xc3\x7f\x7f\x13\x1c\x71\xeb\xc0\x01\xf6\x66\xea\x63\xed\x3a\xde\x13\x20\x09\x73\x5a\x54\x66\x22\xf9\xe6\x39\xd4\x81\xc9\x67\xcc\x7b\x5b\x74\x7c\xc5\xe6\x2f\xdc\x41\xbb\xb4\xbb\x95\x87\x8a\x44\x2c\xc4\x91\x11\xc0\xf5\x78\x86\xf1\x70\x77\xa1\xb4\xb2\x2e\x3c\xf2\x8e\xec\xb7\x98\xfe\xed\x6f\x16\x8d\xd9\xcc\x26\x46\xf8\xb7\x9e\xd4\x1b\xba\x94\xde\x9e\x30\x4f\xc8\x45\x17\x9a\x73\x21\xf0\x47\x84\xaa\x91\x7b\xa0\x84\x05\xb0\xa9\x5b\x83\x03\xd9\x14\xef\x8e\x37\x47\x80\xdd\x8e\x34\x37\xc9\x5c\x35\x76\x4c\xd0\x63\xe7\xa3\xec\x6d\x79\x0b", 181); *(uint32_t*)0x200079c8 = 0x200078c0; *(uint8_t*)0x200078c0 = 0; *(uint8_t*)0x200078c1 = 3; *(uint32_t*)0x200078c2 = 4; *(uint8_t*)0x200078c6 = 4; *(uint8_t*)0x200078c7 = 3; *(uint16_t*)0x200078c8 = 0x813; *(uint32_t*)0x200079cc = 0x20007900; *(uint8_t*)0x20007900 = 0; *(uint8_t*)0x20007901 = 0xf; *(uint32_t*)0x20007902 = 0xc; *(uint8_t*)0x20007906 = 5; *(uint8_t*)0x20007907 = 0xf; *(uint16_t*)0x20007908 = 0xc; *(uint8_t*)0x2000790a = 1; *(uint8_t*)0x2000790b = 7; *(uint8_t*)0x2000790c = 0x10; *(uint8_t*)0x2000790d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000790e, 0x18, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20007910, 3, 0, 16); *(uint32_t*)0x200079d0 = 0x20007940; *(uint8_t*)0x20007940 = 0x20; *(uint8_t*)0x20007941 = 0x29; *(uint32_t*)0x20007942 = 0xf; *(uint8_t*)0x20007946 = 0xf; *(uint8_t*)0x20007947 = 0x29; *(uint8_t*)0x20007948 = 7; *(uint16_t*)0x20007949 = 0x80; *(uint8_t*)0x2000794b = 6; *(uint8_t*)0x2000794c = 0xe0; memcpy((void*)0x2000794d, "\x84\x02\x48\x7c", 4); memcpy((void*)0x20007951, "\x80\x56\xa3\xff", 4); *(uint32_t*)0x200079d4 = 0x20007980; *(uint8_t*)0x20007980 = 0x20; *(uint8_t*)0x20007981 = 0x2a; *(uint32_t*)0x20007982 = 0xc; 
*(uint8_t*)0x20007986 = 0xc; *(uint8_t*)0x20007987 = 0x2a; *(uint8_t*)0x20007988 = 0xa7; *(uint16_t*)0x20007989 = 2; *(uint8_t*)0x2000798b = 0x7d; *(uint8_t*)0x2000798c = 0; *(uint8_t*)0x2000798d = 0x80; *(uint16_t*)0x2000798e = 7; *(uint16_t*)0x20007990 = 6; *(uint32_t*)0x20007e80 = 0x44; *(uint32_t*)0x20007e84 = 0x20007a00; *(uint8_t*)0x20007a00 = 0x40; *(uint8_t*)0x20007a01 = 0x10; *(uint32_t*)0x20007a02 = 0x8c; memcpy((void*)0x20007a06, "\x21\xb8\x38\x25\x05\x9f\x24\x50\x6d\x8e\x84\x20\x85\xd1\xf2\xe7\xf9\x64\x47\x1b\x20\xed\x0a\x8e\x50\xa9\xaa\x4e\xf1\x6b\x5a\x6f\x2d\xbb\x2b\x57\x0a\x4f\x8d\x13\xd6\x0e\x47\xbb\x78\x21\xff\x91\x21\x11\xde\xe4\x0a\x78\xd4\x2b\x4d\x13\xea\x81\x2d\x92\x9c\xcf\x39\x64\xc5\x46\x8f\x89\xd2\xd2\x16\x30\xec\x87\x06\x7a\x2d\x13\xf4\x52\x38\xb4\x46\xbf\x57\xc6\xb9\xec\x35\x57\x8f\xa5\x87\xfc\x77\xfe\x21\x08\xb1\x59\x0b\xe0\x81\x68\x1c\xcc\x02\x4f\x1f\x59\x0b\xe9\xe5\xbe\xc9\xea\x86\xb9\x80\x3c\x60\x29\x9d\xda\x1a\x82\xf8\xff\x04\x42\x86\x71\xa4\x3b\xc2\xc3\x39\x3a", 140); *(uint32_t*)0x20007e88 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0; *(uint8_t*)0x20007ac1 = 0xa; *(uint32_t*)0x20007ac2 = 1; *(uint8_t*)0x20007ac6 = 4; *(uint32_t*)0x20007e8c = 0x20007b00; *(uint8_t*)0x20007b00 = 0; *(uint8_t*)0x20007b01 = 8; *(uint32_t*)0x20007b02 = 1; *(uint8_t*)0x20007b06 = 0xfb; *(uint32_t*)0x20007e90 = 0x20007b40; *(uint8_t*)0x20007b40 = 0x20; *(uint8_t*)0x20007b41 = 0; *(uint32_t*)0x20007b42 = 4; *(uint16_t*)0x20007b46 = 1; *(uint16_t*)0x20007b48 = 1; *(uint32_t*)0x20007e94 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x20; *(uint8_t*)0x20007b81 = 0; *(uint32_t*)0x20007b82 = 4; *(uint16_t*)0x20007b86 = 0x140; *(uint16_t*)0x20007b88 = 0x20; *(uint32_t*)0x20007e98 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 7; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 0x3ff; *(uint32_t*)0x20007e9c = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 9; *(uint32_t*)0x20007c02 = 1; *(uint8_t*)0x20007c06 = 0x81; 
*(uint32_t*)0x20007ea0 = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0xb; *(uint32_t*)0x20007c42 = 2; memcpy((void*)0x20007c46, "\x8a\x02", 2); *(uint32_t*)0x20007ea4 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0xf; *(uint32_t*)0x20007c82 = 2; *(uint16_t*)0x20007c86 = 0x321a; *(uint32_t*)0x20007ea8 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x13; *(uint32_t*)0x20007cc2 = 6; *(uint8_t*)0x20007cc6 = 1; *(uint8_t*)0x20007cc7 = 0x80; *(uint8_t*)0x20007cc8 = 0xc2; *(uint8_t*)0x20007cc9 = 0; *(uint8_t*)0x20007cca = 0; *(uint8_t*)0x20007ccb = 0; *(uint32_t*)0x20007eac = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x17; *(uint32_t*)0x20007d02 = 6; memcpy((void*)0x20007d06, "\xb0\xfe\x28\x1f\xa3\x91", 6); *(uint32_t*)0x20007eb0 = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x19; *(uint32_t*)0x20007d42 = 2; memcpy((void*)0x20007d46, "#7", 2); *(uint32_t*)0x20007eb4 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x1a; *(uint32_t*)0x20007d82 = 2; *(uint16_t*)0x20007d86 = 6; *(uint32_t*)0x20007eb8 = 0x20007dc0; *(uint8_t*)0x20007dc0 = 0x40; *(uint8_t*)0x20007dc1 = 0x1c; *(uint32_t*)0x20007dc2 = 1; *(uint8_t*)0x20007dc6 = 6; *(uint32_t*)0x20007ebc = 0x20007e00; *(uint8_t*)0x20007e00 = 0x40; *(uint8_t*)0x20007e01 = 0x1e; *(uint32_t*)0x20007e02 = 1; *(uint8_t*)0x20007e06 = 6; *(uint32_t*)0x20007ec0 = 0x20007e40; *(uint8_t*)0x20007e40 = 0x40; *(uint8_t*)0x20007e41 = 0x21; *(uint32_t*)0x20007e42 = 1; *(uint8_t*)0x20007e46 = 0x9e; syz_usb_control_io(r[22], 0x200079c0, 0x20007e80); break; case 44: *(uint8_t*)0x20007f00 = 0x12; *(uint8_t*)0x20007f01 = 1; *(uint16_t*)0x20007f02 = 0x70; *(uint8_t*)0x20007f04 = 2; *(uint8_t*)0x20007f05 = 0; *(uint8_t*)0x20007f06 = 0; *(uint8_t*)0x20007f07 = 0x50; *(uint16_t*)0x20007f08 = 0x525; *(uint16_t*)0x20007f0a = 0xa4a1; *(uint16_t*)0x20007f0c = 0x40; *(uint8_t*)0x20007f0e = 1; *(uint8_t*)0x20007f0f = 2; 
*(uint8_t*)0x20007f10 = 3; *(uint8_t*)0x20007f11 = 1; *(uint8_t*)0x20007f12 = 9; *(uint8_t*)0x20007f13 = 2; *(uint16_t*)0x20007f14 = 0x4d; *(uint8_t*)0x20007f16 = 1; *(uint8_t*)0x20007f17 = 1; *(uint8_t*)0x20007f18 = 2; *(uint8_t*)0x20007f19 = 0x70; *(uint8_t*)0x20007f1a = 0x40; *(uint8_t*)0x20007f1b = 9; *(uint8_t*)0x20007f1c = 4; *(uint8_t*)0x20007f1d = 0; *(uint8_t*)0x20007f1e = 0xc4; *(uint8_t*)0x20007f1f = 3; *(uint8_t*)0x20007f20 = 2; *(uint8_t*)0x20007f21 = 6; *(uint8_t*)0x20007f22 = 0; *(uint8_t*)0x20007f23 = 0xe1; *(uint8_t*)0x20007f24 = 8; *(uint8_t*)0x20007f25 = 0x24; *(uint8_t*)0x20007f26 = 6; *(uint8_t*)0x20007f27 = 0; *(uint8_t*)0x20007f28 = 0; memcpy((void*)0x20007f29, "W?s", 3); *(uint8_t*)0x20007f2c = 5; *(uint8_t*)0x20007f2d = 0x24; *(uint8_t*)0x20007f2e = 0; *(uint16_t*)0x20007f2f = 3; *(uint8_t*)0x20007f31 = 0xd; *(uint8_t*)0x20007f32 = 0x24; *(uint8_t*)0x20007f33 = 0xf; *(uint8_t*)0x20007f34 = 1; *(uint32_t*)0x20007f35 = 0x200; *(uint16_t*)0x20007f39 = 0; *(uint16_t*)0x20007f3b = 0x200; *(uint8_t*)0x20007f3d = 3; *(uint8_t*)0x20007f3e = 6; *(uint8_t*)0x20007f3f = 0x24; *(uint8_t*)0x20007f40 = 0x1a; *(uint16_t*)0x20007f41 = 0x1000; *(uint8_t*)0x20007f43 = 0; *(uint8_t*)0x20007f44 = 9; *(uint8_t*)0x20007f45 = 5; *(uint8_t*)0x20007f46 = 0x81; *(uint8_t*)0x20007f47 = 3; *(uint16_t*)0x20007f48 = 0x20; *(uint8_t*)0x20007f4a = 0x3f; *(uint8_t*)0x20007f4b = 0; *(uint8_t*)0x20007f4c = 0xd8; *(uint8_t*)0x20007f4d = 9; *(uint8_t*)0x20007f4e = 5; *(uint8_t*)0x20007f4f = 0x82; *(uint8_t*)0x20007f50 = 2; *(uint16_t*)0x20007f51 = 8; *(uint8_t*)0x20007f53 = -1; *(uint8_t*)0x20007f54 = 0xec; *(uint8_t*)0x20007f55 = 5; *(uint8_t*)0x20007f56 = 9; *(uint8_t*)0x20007f57 = 5; *(uint8_t*)0x20007f58 = 3; *(uint8_t*)0x20007f59 = 2; *(uint16_t*)0x20007f5a = 0x3cf; *(uint8_t*)0x20007f5c = 0x81; *(uint8_t*)0x20007f5d = 0x39; *(uint8_t*)0x20007f5e = 5; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f80; *(uint8_t*)0x20007f80 = 0xa; *(uint8_t*)0x20007f81 = 6; 
*(uint16_t*)0x20007f82 = 0; *(uint8_t*)0x20007f84 = 2; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x77; *(uint8_t*)0x20007f87 = -1; *(uint8_t*)0x20007f88 = 0x2f; *(uint8_t*)0x20007f89 = 0; *(uint32_t*)0x20008288 = 5; *(uint32_t*)0x2000828c = 0x20007fc0; *(uint8_t*)0x20007fc0 = 5; *(uint8_t*)0x20007fc1 = 0xf; *(uint16_t*)0x20007fc2 = 5; *(uint8_t*)0x20007fc4 = 0; *(uint32_t*)0x20008290 = 5; *(uint32_t*)0x20008294 = 0x69; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 0x69; *(uint8_t*)0x20008001 = 3; memcpy((void*)0x20008002, "\xd2\x5a\x9c\x8f\x14\x52\xa3\xc6\xff\xbf\xec\xa8\xeb\x77\x79\x35\xb5\x8c\x9b\x74\x06\x77\x50\x86\xff\xf7\x17\xb5\x4f\x05\xac\x59\xf9\x45\x17\xff\x3c\xd6\xf3\x10\x1d\xbf\xa7\x9b\xb8\x2a\xe3\x1b\x1d\x31\x6d\x08\xa7\x1d\x14\xfc\x2c\x1c\xfa\x8c\x89\x30\x68\xbd\xe2\xbb\x83\x0a\xe9\x1f\xc9\x42\x88\xcc\x23\x2a\xaa\xc0\xe6\x4b\x84\x00\x7b\x0e\x75\x36\xc3\xec\x34\xed\xef\x04\xde\xd9\x34\x21\xa3\x77\xe0\x69\x53\x26\xaa", 103); *(uint32_t*)0x2000829c = 0xac; *(uint32_t*)0x200082a0 = 0x20008080; *(uint8_t*)0x20008080 = 0xac; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x73\x60\x60\x9c\xe8\x30\x0a\xe4\x62\x33\x08\xd5\xf8\xb9\x7b\xfd\x50\xd3\xd8\x63\x40\x8b\x8e\xa4\x01\xc8\x6d\xa9\xd4\x2c\xe5\xf3\x86\x7c\xe8\xd7\x21\xfb\x2a\xb5\xc2\x5f\x6b\x4c\x5e\x85\xf5\xea\xf3\x41\xbd\x51\x4a\x16\xc2\xdf\xe3\xc7\xa1\xd7\xf4\x27\xae\x62\xc0\xbf\xf3\x79\xe8\x4d\x56\x63\x7e\xc1\x37\x7b\x8c\x8a\xd5\xb5\x5b\x09\x9c\xfa\xa4\xa7\xa6\xee\xb0\x58\x9f\x81\xe7\xa4\x33\x00\xef\xf5\x33\x54\xe1\xb2\xbd\xcd\xc3\x4d\x79\x45\xd6\x35\x62\xe4\x8d\x5e\xd9\x3b\xef\x75\xfd\x01\x60\xfc\xd7\xc3\xa6\xbe\x7f\x0c\x64\x2b\xb6\xe5\x61\xe3\x5a\x1c\x73\x11\x0b\xdc\xde\xd7\x69\x98\x65\xe2\x5e\xb2\x38\xcf\x8f\x3b\x10\xad\x3c\x10\x48\x80\x28\xc3\x70\x63\xc8\x86\x2f\x90\x7b\x06\x82\x9e", 170); *(uint32_t*)0x200082a4 = 4; *(uint32_t*)0x200082a8 = 0x20008140; *(uint8_t*)0x20008140 = 4; *(uint8_t*)0x20008141 = 3; *(uint16_t*)0x20008142 = 0x81a; *(uint32_t*)0x200082ac = 4; 
*(uint32_t*)0x200082b0 = 0x20008180; *(uint8_t*)0x20008180 = 4; *(uint8_t*)0x20008181 = 3; *(uint16_t*)0x20008182 = 0x180a; *(uint32_t*)0x200082b4 = 0xb9; *(uint32_t*)0x200082b8 = 0x200081c0; *(uint8_t*)0x200081c0 = 0xb9; *(uint8_t*)0x200081c1 = 3; memcpy((void*)0x200081c2, "\x37\xef\xeb\x85\x4b\x40\x51\xa4\x6c\x67\xae\xe7\xea\xa0\xf6\x2f\xde\x9f\x59\x9c\xd5\xba\x25\x32\x9d\x50\xae\xe1\x6b\x30\xc6\xc1\xa5\x14\x83\x10\x81\xaf\xc1\xdf\xd2\x68\x2f\xf4\x87\x16\xa9\x1b\xf9\x5e\x08\x42\x12\xb0\x69\x6d\x43\xe1\xc6\xc4\x3a\xda\xf9\xed\x3e\xf7\x0e\x62\x73\x59\x94\xd2\xd0\x86\x51\x39\x60\x49\x88\xfa\xc1\x79\x78\xd9\xc0\x5a\x84\xf3\x42\x38\x31\xdd\x1d\xdd\xc6\xc9\x4d\x50\xdd\xd6\x74\xf1\x65\x25\xbb\xf9\xa8\xdb\x3b\xb4\x90\x01\xbe\x38\xa1\x96\x70\xab\xd9\x9f\x4a\x2e\x97\xcf\xb2\x0d\x46\xc6\x37\x83\x2a\x3e\xc9\x7f\xf0\x94\xc6\xa3\x30\x49\x64\xb7\x2b\xcf\x11\x6b\xf2\x7f\xed\xd5\x52\x1a\xd3\xda\x22\x62\x97\xff\xf8\x49\xc3\x3c\x5d\x84\x9e\x3e\x30\x37\x52\x79\x01\xee\xf6\x3a\x59\x9b\xaa\x54\xfc\x46\xa4\x6f\xf1", 183); res = -1; res = syz_usb_connect(2, 0x5f, 0x20007f00, 0x20008280); if (res != -1) r[23] = res; break; case 45: syz_usb_disconnect(r[23]); break; case 46: *(uint8_t*)0x200082c0 = 0x12; *(uint8_t*)0x200082c1 = 1; *(uint16_t*)0x200082c2 = 0x110; *(uint8_t*)0x200082c4 = 2; *(uint8_t*)0x200082c5 = 0; *(uint8_t*)0x200082c6 = 0; *(uint8_t*)0x200082c7 = 0x20; *(uint16_t*)0x200082c8 = 0x525; *(uint16_t*)0x200082ca = 0xa4a1; *(uint16_t*)0x200082cc = 0x40; *(uint8_t*)0x200082ce = 1; *(uint8_t*)0x200082cf = 2; *(uint8_t*)0x200082d0 = 3; *(uint8_t*)0x200082d1 = 1; *(uint8_t*)0x200082d2 = 9; *(uint8_t*)0x200082d3 = 2; *(uint16_t*)0x200082d4 = 0xb3; *(uint8_t*)0x200082d6 = 1; *(uint8_t*)0x200082d7 = 1; *(uint8_t*)0x200082d8 = 6; *(uint8_t*)0x200082d9 = 0x28; *(uint8_t*)0x200082da = -1; *(uint8_t*)0x200082db = 9; *(uint8_t*)0x200082dc = 4; *(uint8_t*)0x200082dd = 0; *(uint8_t*)0x200082de = 9; *(uint8_t*)0x200082df = 2; *(uint8_t*)0x200082e0 = 2; *(uint8_t*)0x200082e1 = 6; 
*(uint8_t*)0x200082e2 = 0; *(uint8_t*)0x200082e3 = 4; *(uint8_t*)0x200082e4 = 6; *(uint8_t*)0x200082e5 = 0x24; *(uint8_t*)0x200082e6 = 6; *(uint8_t*)0x200082e7 = 0; *(uint8_t*)0x200082e8 = 0; memset((void*)0x200082e9, 177, 1); *(uint8_t*)0x200082ea = 5; *(uint8_t*)0x200082eb = 0x24; *(uint8_t*)0x200082ec = 0; *(uint16_t*)0x200082ed = 8; *(uint8_t*)0x200082ef = 0xd; *(uint8_t*)0x200082f0 = 0x24; *(uint8_t*)0x200082f1 = 0xf; *(uint8_t*)0x200082f2 = 1; *(uint32_t*)0x200082f3 = 0x9208; *(uint16_t*)0x200082f7 = 2; *(uint16_t*)0x200082f9 = 0; *(uint8_t*)0x200082fb = 0x20; *(uint8_t*)0x200082fc = 0x5e; *(uint8_t*)0x200082fd = 0x24; *(uint8_t*)0x200082fe = 0x13; *(uint8_t*)0x200082ff = 7; memcpy((void*)0x20008300, "\x63\xb0\xb9\x53\x77\x14\x7b\xa2\x14\xd9\x50\xfc\x04\xb2\x2c\x04\xbe\x09\xd9\xb9\x6f\x1a\xb9\x4b\xb0\x2e\x8a\x2a\x9e\x23\xcf\x7d\x3a\xca\xb2\x2a\x80\xed\x35\x0e\xc4\xb1\x78\x06\xed\xcb\x16\x9e\x50\x75\x37\x3d\x99\x17\x80\x21\x13\x92\xeb\x3d\x9f\x11\x73\xa5\x39\x84\x3b\xf2\xc3\xf6\x6a\x4a\x69\x60\xa5\x5a\x22\x07\x76\x7d\xb3\xc5\x5a\x7d\xd2\x89\x8b\x5c\xcb\x40", 90); *(uint8_t*)0x2000835a = 0xc; *(uint8_t*)0x2000835b = 0x24; *(uint8_t*)0x2000835c = 0x1b; *(uint16_t*)0x2000835d = 0x2a; *(uint16_t*)0x2000835f = 0x100; *(uint8_t*)0x20008361 = 0xe0; *(uint8_t*)0x20008362 = 0x76; *(uint16_t*)0x20008363 = 0; *(uint8_t*)0x20008365 = -1; *(uint8_t*)0x20008366 = 4; *(uint8_t*)0x20008367 = 0x24; *(uint8_t*)0x20008368 = 2; *(uint8_t*)0x20008369 = 0xa; *(uint8_t*)0x2000836a = 9; *(uint8_t*)0x2000836b = 5; *(uint8_t*)0x2000836c = 0x81; *(uint8_t*)0x2000836d = 3; *(uint16_t*)0x2000836e = 0x20; *(uint8_t*)0x20008370 = 0x73; *(uint8_t*)0x20008371 = 0x35; *(uint8_t*)0x20008372 = 0x3f; *(uint8_t*)0x20008373 = 9; *(uint8_t*)0x20008374 = 5; *(uint8_t*)0x20008375 = 0x82; *(uint8_t*)0x20008376 = 2; *(uint16_t*)0x20008377 = 8; *(uint8_t*)0x20008379 = 3; *(uint8_t*)0x2000837a = 1; *(uint8_t*)0x2000837b = 3; *(uint8_t*)0x2000837c = 9; *(uint8_t*)0x2000837d = 5; *(uint8_t*)0x2000837e = 3; 
*(uint8_t*)0x2000837f = 2; *(uint16_t*)0x20008380 = 0x40; *(uint8_t*)0x20008382 = 5; *(uint8_t*)0x20008383 = 0x40; *(uint8_t*)0x20008384 = 2; *(uint32_t*)0x200087c0 = 0xa; *(uint32_t*)0x200087c4 = 0x200083c0; *(uint8_t*)0x200083c0 = 0xa; *(uint8_t*)0x200083c1 = 6; *(uint16_t*)0x200083c2 = 0x201; *(uint8_t*)0x200083c4 = 0x79; *(uint8_t*)0x200083c5 = 3; *(uint8_t*)0x200083c6 = 0x3f; *(uint8_t*)0x200083c7 = 0x20; *(uint8_t*)0x200083c8 = 6; *(uint8_t*)0x200083c9 = 0; *(uint32_t*)0x200087c8 = 0x37; *(uint32_t*)0x200087cc = 0x20008400; *(uint8_t*)0x20008400 = 5; *(uint8_t*)0x20008401 = 0xf; *(uint16_t*)0x20008402 = 0x37; *(uint8_t*)0x20008404 = 5; *(uint8_t*)0x20008405 = 7; *(uint8_t*)0x20008406 = 0x10; *(uint8_t*)0x20008407 = 2; STORE_BY_BITMASK(uint32_t, , 0x20008408, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008409, 0xa, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008409, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000840a, 5, 0, 16); *(uint8_t*)0x2000840c = 7; *(uint8_t*)0x2000840d = 0x10; *(uint8_t*)0x2000840e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000840f, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008410, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008410, 9, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008411, 8, 0, 16); *(uint8_t*)0x20008413 = 0xa; *(uint8_t*)0x20008414 = 0x10; *(uint8_t*)0x20008415 = 3; *(uint8_t*)0x20008416 = 0xc9; *(uint16_t*)0x20008417 = 7; *(uint8_t*)0x20008419 = 7; *(uint8_t*)0x2000841a = 0; *(uint16_t*)0x2000841b = 8; *(uint8_t*)0x2000841d = 0xa; *(uint8_t*)0x2000841e = 0x10; *(uint8_t*)0x2000841f = 3; *(uint8_t*)0x20008420 = 2; *(uint16_t*)0x20008421 = 0xc; *(uint8_t*)0x20008423 = 0; *(uint8_t*)0x20008424 = 6; *(uint16_t*)0x20008425 = 6; *(uint8_t*)0x20008427 = 0x10; *(uint8_t*)0x20008428 = 0x10; *(uint8_t*)0x20008429 = 0xa; *(uint8_t*)0x2000842a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000842b, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000842b, 0x8001, 5, 27); *(uint16_t*)0x2000842f = 0xf00f; *(uint16_t*)0x20008431 = 0xfffd; *(uint32_t*)0x20008433 = 
0x3fc0; *(uint32_t*)0x200087d0 = 9; *(uint32_t*)0x200087d4 = 0x4f; *(uint32_t*)0x200087d8 = 0x20008440; *(uint8_t*)0x20008440 = 0x4f; *(uint8_t*)0x20008441 = 3; memcpy((void*)0x20008442, "\xc0\x66\x3b\x11\x6d\xab\x9b\xa5\xc0\xa2\xf7\xa2\xad\x48\x6f\xfc\x16\x4a\x43\x65\x89\x95\x65\xc5\xe9\x9b\x01\x52\x39\xf3\x78\xdf\x56\xdb\x4d\xc3\xb0\xbb\x08\xdc\xd2\x08\xd9\x58\xfa\x3c\xf0\x80\x97\xaa\x20\x8b\x2d\x28\x65\xb5\x02\xcb\xc9\x4b\x1a\x8e\x33\xbd\xd9\xd6\x48\x1f\xbf\x32\xd4\x91\x34\x22\xfe\x18\x9f", 77); *(uint32_t*)0x200087dc = 0x85; *(uint32_t*)0x200087e0 = 0x200084c0; *(uint8_t*)0x200084c0 = 0x85; *(uint8_t*)0x200084c1 = 3; memcpy((void*)0x200084c2, "\xc9\xc4\x87\xa9\x0b\xe3\xd4\x0e\xf7\x82\x37\x3d\x78\x5f\x86\xbd\xfc\x3d\xb6\xfb\x0d\xd0\xa7\x44\x0b\x2f\xe4\x59\x5c\x3a\x6b\xd6\x7a\xa8\x51\x8d\x89\x7a\x8a\x75\x7d\x5f\x1c\xeb\x86\xe5\x98\xca\xbf\x23\x45\xf7\x71\xc3\xc7\x12\x8b\xd1\x6d\xd4\xb1\xee\x9b\x7d\xbc\xaf\x61\x1e\x97\xf6\xdc\xb9\xf1\x71\xe8\xf7\x05\x2b\x0f\x33\xe6\x31\xbf\xe9\x9d\xdc\x44\x13\xe5\xe5\xd7\xb6\x34\xdc\xc3\xb7\x7e\x4d\x30\x1f\x89\xa8\xd3\xb8\x51\xb0\x23\x06\xca\xbe\xc2\x11\x12\x7a\x8e\x54\x1d\x16\x26\x36\x58\x8f\xf5\x74\xde\x82\xde\x8f\x30\x7d\x43", 131); *(uint32_t*)0x200087e4 = 4; *(uint32_t*)0x200087e8 = 0x20008580; *(uint8_t*)0x20008580 = 4; *(uint8_t*)0x20008581 = 3; *(uint16_t*)0x20008582 = 0x1407; *(uint32_t*)0x200087ec = 4; *(uint32_t*)0x200087f0 = 0x200085c0; *(uint8_t*)0x200085c0 = 4; *(uint8_t*)0x200085c1 = 3; *(uint16_t*)0x200085c2 = 0; *(uint32_t*)0x200087f4 = 0xaa; *(uint32_t*)0x200087f8 = 0x20008600; *(uint8_t*)0x20008600 = 0xaa; *(uint8_t*)0x20008601 = 3; memcpy((void*)0x20008602, 
"\xce\x39\x5e\x8e\x9f\x40\x9a\x37\xda\xeb\x1c\x20\xbe\x9c\xa4\x00\x4a\xe8\x10\xcf\x16\x53\xec\xcd\x6e\x66\x3d\xd7\x4f\x8b\xc0\x69\x89\xb4\xd1\xa6\x5c\x9f\x48\x0b\xd3\x7e\x9d\xd8\x53\x49\xf2\x98\xdd\xad\xdc\x2c\xc9\xe4\xed\xa1\x47\xf2\x31\x40\x2e\x11\x6f\xb5\x94\xa6\x37\x18\xd8\x21\xd8\x85\xeb\xd6\x7e\xda\x45\x15\x58\xb1\xfb\xa3\x09\x3e\xcb\xd4\x0c\xbe\x5f\xbe\x07\xf9\x4e\xd9\x27\xd8\xe5\x03\x9a\x7c\x49\x7a\xa8\xd1\xf1\x0a\x4d\xda\xc0\x49\xad\x82\x0f\x8c\x53\x2c\x5a\x3f\x00\x94\x79\x55\x03\x24\x23\x92\x2e\x95\xaa\x5b\xfe\xe0\x41\xf7\xfe\x87\x44\xec\xc4\x42\x40\x57\xee\xc9\x70\x40\xb3\x41\xd0\xdd\xdc\xaf\x20\x6d\xa6\x43\x1e\x98\x7f\x04\xcf\xd5\x58\x02\xca\xd3\xa1\x14", 168); *(uint32_t*)0x200087fc = 4; *(uint32_t*)0x20008800 = 0x200086c0; *(uint8_t*)0x200086c0 = 4; *(uint8_t*)0x200086c1 = 3; *(uint16_t*)0x200086c2 = 0x3c01; *(uint32_t*)0x20008804 = 4; *(uint32_t*)0x20008808 = 0x20008700; *(uint8_t*)0x20008700 = 4; *(uint8_t*)0x20008701 = 3; *(uint16_t*)0x20008702 = 0x1809; *(uint32_t*)0x2000880c = 4; *(uint32_t*)0x20008810 = 0x20008740; *(uint8_t*)0x20008740 = 4; *(uint8_t*)0x20008741 = 3; *(uint16_t*)0x20008742 = 0x807; *(uint32_t*)0x20008814 = 4; *(uint32_t*)0x20008818 = 0x20008780; *(uint8_t*)0x20008780 = 4; *(uint8_t*)0x20008781 = 3; *(uint16_t*)0x20008782 = 0x1c; res = -1; res = syz_usb_connect(3, 0xc5, 0x200082c0, 0x200087c0); if (res != -1) r[24] = res; break; case 47: syz_usb_ep_read(r[24], 8, 0x7d, 0x20008840); break; case 48: *(uint8_t*)0x200088c0 = 0x12; *(uint8_t*)0x200088c1 = 1; *(uint16_t*)0x200088c2 = 0x250; *(uint8_t*)0x200088c4 = 0; *(uint8_t*)0x200088c5 = 0; *(uint8_t*)0x200088c6 = 0; *(uint8_t*)0x200088c7 = 0x10; *(uint16_t*)0x200088c8 = 0x56a; *(uint16_t*)0x200088ca = 0x62; *(uint16_t*)0x200088cc = 0x40; *(uint8_t*)0x200088ce = 1; *(uint8_t*)0x200088cf = 2; *(uint8_t*)0x200088d0 = 3; *(uint8_t*)0x200088d1 = 1; *(uint8_t*)0x200088d2 = 9; *(uint8_t*)0x200088d3 = 2; *(uint16_t*)0x200088d4 = 0x2d; *(uint8_t*)0x200088d6 = 1; *(uint8_t*)0x200088d7 = 1; 
*(uint8_t*)0x200088d8 = 0; *(uint8_t*)0x200088d9 = 0xf0; *(uint8_t*)0x200088da = 0x8e; *(uint8_t*)0x200088db = 9; *(uint8_t*)0x200088dc = 4; *(uint8_t*)0x200088dd = 0; *(uint8_t*)0x200088de = 5; *(uint8_t*)0x200088df = 1; *(uint8_t*)0x200088e0 = 3; *(uint8_t*)0x200088e1 = 1; *(uint8_t*)0x200088e2 = 2; *(uint8_t*)0x200088e3 = 0; *(uint8_t*)0x200088e4 = 9; *(uint8_t*)0x200088e5 = 0x21; *(uint16_t*)0x200088e6 = 3; *(uint8_t*)0x200088e8 = 0xf; *(uint8_t*)0x200088e9 = 1; *(uint8_t*)0x200088ea = 0x22; *(uint16_t*)0x200088eb = 0xa21; *(uint8_t*)0x200088ed = 9; *(uint8_t*)0x200088ee = 5; *(uint8_t*)0x200088ef = 0x81; *(uint8_t*)0x200088f0 = 3; *(uint16_t*)0x200088f1 = 0x3af; *(uint8_t*)0x200088f3 = 1; *(uint8_t*)0x200088f4 = 0x40; *(uint8_t*)0x200088f5 = 2; *(uint8_t*)0x200088f6 = 9; *(uint8_t*)0x200088f7 = 5; *(uint8_t*)0x200088f8 = 2; *(uint8_t*)0x200088f9 = 3; *(uint16_t*)0x200088fa = 0x10; *(uint8_t*)0x200088fc = 6; *(uint8_t*)0x200088fd = 1; *(uint8_t*)0x200088fe = 9; *(uint32_t*)0x20008c00 = 0xa; *(uint32_t*)0x20008c04 = 0x20008900; *(uint8_t*)0x20008900 = 0xa; *(uint8_t*)0x20008901 = 6; *(uint16_t*)0x20008902 = 0x250; *(uint8_t*)0x20008904 = 3; *(uint8_t*)0x20008905 = 1; *(uint8_t*)0x20008906 = 0x46; *(uint8_t*)0x20008907 = -1; *(uint8_t*)0x20008908 = 0x20; *(uint8_t*)0x20008909 = 0; *(uint32_t*)0x20008c08 = 0x34; *(uint32_t*)0x20008c0c = 0x20008940; *(uint8_t*)0x20008940 = 5; *(uint8_t*)0x20008941 = 0xf; *(uint16_t*)0x20008942 = 0x34; *(uint8_t*)0x20008944 = 2; *(uint8_t*)0x20008945 = 0xb; *(uint8_t*)0x20008946 = 0x10; *(uint8_t*)0x20008947 = 1; *(uint8_t*)0x20008948 = 2; *(uint16_t*)0x20008949 = 0xfa; *(uint8_t*)0x2000894b = 8; *(uint8_t*)0x2000894c = 0x80; *(uint16_t*)0x2000894d = 5; *(uint8_t*)0x2000894f = 3; *(uint8_t*)0x20008950 = 0x24; *(uint8_t*)0x20008951 = 0x10; *(uint8_t*)0x20008952 = 0xa; *(uint8_t*)0x20008953 = 5; STORE_BY_BITMASK(uint32_t, , 0x20008954, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20008954, 9, 5, 27); *(uint16_t*)0x20008958 = 0xf00f; 
*(uint16_t*)0x2000895a = 0; *(uint32_t*)0x2000895c = 0xffc00f; *(uint32_t*)0x20008960 = 0xff00c0; *(uint32_t*)0x20008964 = 0x101ffc0; *(uint32_t*)0x20008968 = 0xff0030; *(uint32_t*)0x2000896c = 0x30; *(uint32_t*)0x20008970 = 0x30; *(uint32_t*)0x20008c10 = 4; *(uint32_t*)0x20008c14 = 0xed; *(uint32_t*)0x20008c18 = 0x20008980; *(uint8_t*)0x20008980 = 0xed; *(uint8_t*)0x20008981 = 3; memcpy((void*)0x20008982, "\xe7\xdb\x91\x4e\xf4\xa7\x1a\x3a\xba\x44\x3e\xe1\x81\xc2\x72\xe7\xfb\xb6\x36\x48\xa9\x97\x75\x4b\x81\xa1\x93\x8f\x52\xb9\xfd\x8c\x2b\x76\xca\x28\xee\x1f\xcb\xa2\x80\x02\x1f\xbe\x02\xff\xa0\x3e\xa7\x53\xf2\xd5\x1b\x71\xf1\xcb\x93\x91\xea\x31\xfa\xab\xf8\xed\x37\xa9\x85\x3b\x87\xee\xba\xa0\xa1\x26\x96\x96\xe6\x5e\x30\x9e\xa4\xbf\x77\x55\xff\x1b\x99\x28\x0f\xd6\x82\x30\xd7\xd8\x99\xd0\x97\xe1\x6e\xe0\xb2\x24\xde\x57\x33\x94\x39\xc8\x0a\xd7\xfb\xf8\xbb\xf3\x2a\xa0\x0e\x29\x80\x2b\xde\x1c\x8c\x5e\x62\x28\xfa\x0a\x54\xc8\x35\x0e\xf9\x97\x11\x2f\x76\x3e\x17\x42\x8f\xb8\xe9\x5a\x56\x68\x95\x95\xf3\x0a\x3c\x16\x15\x18\x09\xb0\xc6\xb1\xd4\xd4\x76\x65\x10\xc6\xf0\x66\xfe\x4b\x35\xa3\xea\x90\xd3\x88\xd1\xb4\xd4\xe9\xc6\xb3\x09\x71\xe2\x37\xe2\x3f\xd2\x05\xf9\x90\x5e\xe7\xd7\x9f\x44\x43\x70\x7a\xdc\x7f\x65\xce\x2b\x15\x99\x4d\xaa\xc7\xb9\x54\x35\x3f\xb2\x32\x01\x84\x41\x22\x71\x05\x31\x87\x9c\x62\x91\xc7\xdf\xbf\x6b\xe4\x54\xb9\xcf\x2f\x2e", 235); *(uint32_t*)0x20008c1c = 4; *(uint32_t*)0x20008c20 = 0x20008a80; *(uint8_t*)0x20008a80 = 4; *(uint8_t*)0x20008a81 = 3; *(uint16_t*)0x20008a82 = 0x410; *(uint32_t*)0x20008c24 = 0x64; *(uint32_t*)0x20008c28 = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x64; *(uint8_t*)0x20008ac1 = 3; memcpy((void*)0x20008ac2, 
"\x04\x1c\x8b\x1b\xd1\x43\xea\x1d\x63\x82\x9b\x76\x9d\xdb\x88\x6a\x6a\xaf\xee\xdd\x5f\x65\x2b\xc9\x48\x67\x7c\x9a\x6e\x3a\xcf\xe0\x4a\x15\x19\x05\x3f\x95\xe5\xfc\xf7\x9b\x08\x53\x62\xcd\xac\x6a\xbb\xf8\xf1\x37\x81\xa6\x21\x88\x52\x57\x05\x2b\x12\x00\x45\xda\x2c\x49\x4a\x30\xbc\x6a\xe6\xc4\x16\x0c\xf4\x97\x00\x2a\xf8\xb7\x7e\x21\x68\x93\x24\xbd\x6e\x75\xac\xed\xa7\xcf\x6a\x50\x92\x0b\x2a\xb1", 98); *(uint32_t*)0x20008c2c = 0x87; *(uint32_t*)0x20008c30 = 0x20008b40; *(uint8_t*)0x20008b40 = 0x87; *(uint8_t*)0x20008b41 = 3; memcpy((void*)0x20008b42, "\x15\x08\x37\xb1\xe6\x9e\x50\x07\x39\x8a\xc0\x2c\x4a\x0b\x25\x07\x2d\xaa\x81\xa6\x4a\xf1\x0b\xcd\xc5\x73\x63\x33\xf4\x9c\x92\x1f\x86\xd9\xcb\xc6\xb7\x78\xf1\xd2\x16\x79\xd8\x47\xd5\xb8\xa9\xb7\x0f\xc5\x6b\xb5\xa4\x33\x04\x0a\xfd\x94\x37\x7b\x25\x15\xa5\x5c\xda\x70\xdb\x64\x44\x2a\xda\xe0\x90\x5a\xa9\x0f\x91\x1d\x3b\xee\xf8\x00\xab\x6f\xd8\x7a\x5c\x51\xfd\xa8\xfa\xa7\x50\xd1\x95\xc2\xe6\x57\x24\x97\x81\xc6\xaf\x05\x23\xe0\x49\x2f\x9a\x69\xe2\x27\xe1\x0c\xa0\x31\x0f\x1a\x01\x0f\x8b\x98\x6a\x9a\x05\x53\xa5\x33\x1f\x97\x54\xfc\x90", 133); res = -1; res = syz_usb_connect(3, 0x3f, 0x200088c0, 0x20008c00); if (res != -1) r[25] = res; break; case 49: memcpy((void*)0x20008c40, "\xa6\x90\x8c\x55\x30\x81\x4d\x6a\x6b\xfd\x6d\x6c\x75\x94\xd4\xaf\x8a\x49\x62\xd8\x82\xda\x65\x7b\xb4\x02\xc7\xd0\xae\x45\x35\x16\x81\x60\xdb\xf6\x7b\x82\xf2\x23\xd5\x77\xb0\xe1\x6e\x6a\xc3\xc4\x6a\x40\x15\xa6\xed\x7c\x4f\xa6\x5d\x1d\xba\xa2\x68\xb7\x48\xde\xc4\x67\x74\xec\xa9\x22\x47\x96\x94\x49\xa9\xf5\x9e\x9e\xdd\xe4\xd3\x7e\x7b\xd1\x78\x82\xeb\x00\x5e\x24\xfe\x43\xf5\x76\x54\x00\x0e\xad\xec\x3f\x1d\xe9\x91\x7e\xb2\x8c\x2a\x87\x71\x82\xc4\x7b\x55\x6d", 114); syz_usb_ep_write(r[25], 7, 0x72, 0x20008c40); break; case 50: syz_usbip_server_init(4); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); 
use_temporary_dir(); do_sandbox_none(); return 0; } :129:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :116:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :111:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor781753621 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/11 (1.83s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:android Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) (fail_nth: 1) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000040)={0x0, 0xe6, "f137161ab86c594202b997d9f12d007021870322c8d909748409951ae9800c1e207f98b769c740f867ea14bbf8666a4f98d229aaafbc33c6c52168db8933c4a4a4a3dd3ce0ccea96e71d81ff4aca8331cb01bf35433853d1abd48fd6d0ce1314df6507bae535a2b4e3eaa74c5d23006594148a0fe5b4a884ef8f41346e49cc90474cb17bac301d4797ed05dfc6ccb74bebaabe549172d622a30605a4e49fd3f8537de5272c33ad4f07cd060577bce65e5c80a34168cde68117e4f900e35a3d888e02ee111752213b40d2af258c01f36de50ce8e83d4226a30d6a4cc43a883f6c20e3fada8ad2"}, &(0x7f0000000140)=0xee) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e22, 0x3, @private2, 0x1}}, [0x7fffffff, 0x1, 0x7fff, 0x4, 0x7, 0x1, 0x3ff, 0x40, 0x5, 0x1, 0x0, 0x7, 0x0, 0x8, 0x1f]}, 
&(0x7f0000000280)=0xfc) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e20, 0x9, @private2={0xfc, 0x2, '\x00', 0x1}, 0x3}}}, 0x84) r3 = openat$pktcdvd(0xffffff9c, &(0x7f0000000380), 0x0, 0x0) ioctl$MEDIA_REQUEST_IOC_QUEUE(r3, 0x7c80, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x7f, @private0, 0x5}}, 0x5, 0x476f}, 0x88) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_SRVCORE_ACQUIREGLOBALEVENTOBJECT(r3, 0xc0206440, &(0x7f0000000500)={0x1, 0x2, &(0x7f0000000480), &(0x7f00000004c0)={0x0}, 0x4, 0x8}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTQ2_RGXTDMSETTRANSFERCONTEXTPROPERTY(r3, 0xc0206440, &(0x7f00000005c0)={0x8a, 0x7, &(0x7f0000000540)={r4, 0x400}, &(0x7f0000000580), 0x10, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXBREAKPOINT_RGXENABLEBREAKPOINT(r3, 0xc0206440, &(0x7f0000000680)={0x83, 0x2, &(0x7f0000000600)={r4}, &(0x7f0000000640), 0x4, 0x4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@deauth={@wo_ht={{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x240}, @broadcast, @device_a, @random="2015d229785b", {0x8}}, 0x27, @val={0x8c, 0x18, {0xc93, "ffe3240f0484", @long="067ecc39a78a3ea47c22246d391b92c4"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_xfrm_policy_alloc_security\x00') syz_emit_ethernet(0xbc, &(0x7f0000000140)={@dev={'\xaa\xaa\xaa\xaa\xaa', 0x3b}, @broadcast, @void, {@mpls_mc={0x8848, {[{0x8, 0x0, 0x1}, {0x1, 0x0, 0x1}, {0x4, 0x0, 0x1}, {}, {0x0, 0x0, 0x1}], @ipv4=@dccp={{0x15, 0x4, 0x2, 0x33, 0x9a, 0x65, 0x0, 0x7, 0x21, 0x0, @dev={0xac, 0x14, 0x14, 0x1e}, @rand_addr=0x64010101, {[@noop, @end, @timestamp_addr={0x44, 0x1c, 0xe9, 0x1, 0x2, [{@dev={0xac, 0x14, 0x14, 0x28}, 0xf7e}, {@loopback, 0x7fff}, {@private=0xa010101, 0x5}]}, @generic={0x83, 0xe, "db10ac96c2cf817c67fc6d7e"}, @rr={0x7, 0x7, 0x87, 
[@local]}, @end, @ra={0x94, 0x4, 0x7}, @end, @generic={0x44, 0x5, "e0d910"}]}}, {{0x4e20, 0x4e23, 0x4, 0x1, 0xf, 0x0, 0x0, 0x9, 0x5, "d77b5a", 0x7, "c6dd9c"}, "494a1261c05df7372b3c29631b6232d41f19fa8727ecea11ccf1979683ceb144705e12c13fba0e399f08f58397f3ea7bdb746b3dcabe"}}}}}}, &(0x7f0000000200)={0x0, 0x3, [0xf9, 0x208, 0x50c, 0x74d]}) syz_emit_vhci(&(0x7f0000000240)=@HCI_EVENT_PKT={0x4, @HCI_EV_VENDOR={{0xff, 0xc1}, "0626cab051d180b0c2e36c0814bbca7e31d691502e1c7c0eae1a042e7372921a0c6dfccedd81a98f58b9850ba2f68bc25d5cab15a0af010796b5fdfb8a3b35f3eb48ee0c7b2ed287cf469fdec0248e957ef0dd22f3fc6d746e70262c277c016177e56a68031293b56b02c1b6f867d10a3bbf33817b39d487ae0659a68cffb8df46df59a7d104b7c6711d45af1f966d69e635809cf24a70d4c2ea9cc98d37599807148af36b475eb2ce56e027ac751769f8710272d187722ecdf7a8f86d8b977aa8"}}, 0xc4) syz_execute_func(&(0x7f0000000340)="c4c17d6f7072c4e1f9112fc4e3c95d33abc4c2790eb000000000c4e17a12b70c0000000f0156e9c4e10dd55e0cf30f526b000f7e20c4c179e702") syz_extract_tcp_res(&(0x7f0000000380), 0x80000000, 0x100) r5 = dup(0xffffffffffffffff) r6 = fcntl$getown(0xffffffffffffffff, 0x9) lstat(&(0x7f00000026c0)='./file0\x00', &(0x7f0000002700)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000002800)=0x0, &(0x7f0000002840), &(0x7f0000002880)=0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002ac0)={0x2020, 0x0, 0x0, 0x0}, 0x2020) statx(0xffffffffffffffff, &(0x7f0000004b00)='./file0\x00', 0x2000, 0x20, &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004d00)={{{@in6=@ipv4={""/10, ""/2, @private}, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000004e00)=0xe4) r13 = getgid() syz_fuse_handle_req(r5, &(0x7f00000003c0)="", 0x2000, &(0x7f0000004f40)={&(0x7f00000023c0)={0x50, 0x0, 0x3f, {0x7, 0x22, 0x8001, 0x1040000, 0x8, 0xf6e1, 0x8, 0x9}}, &(0x7f0000002440)={0x18, 0x0, 0x9, {0x40d}}, &(0x7f0000002480)={0x18, 0x0, 0x7, {0x7}}, &(0x7f00000024c0)={0x18, 
0x0, 0xffff, {0x8}}, &(0x7f0000002500)={0x18, 0x0, 0xce0, {0x1c}}, &(0x7f0000002540)={0x28, 0x0, 0x1, {{0x100, 0x5, 0x2, r6}}}, &(0x7f0000002580)={0x60, 0xfffffffffffffffe, 0x8, {{0xcd95, 0x1f, 0x7, 0x48, 0xaac5, 0x6, 0xad, 0x5}}}, &(0x7f0000002600)={0x18, 0xfffffffffffffff5, 0x9, {0x9}}, &(0x7f0000002640)={0x11, 0x0, 0x0, {'\x00'}}, &(0x7f0000002680)={0x20, 0x0, 0x10000}, &(0x7f0000002780)={0x78, 0x0, 0x9, {0x3, 0x0, 0x0, {0x6, 0x0, 0xfffffffffffff20d, 0xfffffffffffffff8, 0x1, 0x3ff, 0x5, 0x9, 0x726, 0x1000, 0x6, r7, 0xee01, 0x7, 0x7}}}, &(0x7f00000028c0)={0x90, 0x0, 0x3, {0x2, 0x2, 0x100000000, 0x61a26b8d, 0x6, 0x2, {0x1, 0x3, 0x1, 0x100000000, 0x3, 0x8f, 0x4, 0x1ff, 0x849, 0x1000, 0x7, r8, 0xffffffffffffffff, 0x5, 0x1f}}}, &(0x7f0000002980)={0x130, 0x0, 0xa00000000000, [{0x4, 0x1, 0x6, 0x9, '\x01\x01\x01\x01\x01\x01'}, {0x6, 0x1, 0x5, 0xfffffffe, '\xaa\xaa\xaa\xaa\xaa'}, {0x1, 0x1ff, 0x3, 0x7, '{#-'}, {0x5, 0x0, 0x2, 0x761, '[#'}, {0x3, 0x0, 0x2, 0x6, '#]'}, {0x1, 0x714, 0x5, 0x3, '*^\\^b'}, {0x5, 0xeb68, 0x4, 0xfffffa80, '--$-'}, {0x6, 0xfffffffffffffeff, 0x1, 0x1, '-'}, {0x1, 0x8, 0x3, 0xf2, '!\\{'}]}, &(0x7f0000004c40)={0xb0, 0x0, 0xcf, [{{0x1, 0x1, 0x3, 0x100000000, 0x4, 0x81, {0x5, 0x7f, 0x5, 0x6, 0xffff, 0x3, 0x1f, 0x3, 0x8, 0xc000, 0xf5c8, r10, r11, 0x2, 0x9}}, {0x4, 0x80, 0x5, 0x2, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000004e40)={0xa0, 0x0, 0x400, {{0x6, 0x2, 0x400, 0x7, 0x4, 0x9, {0x4, 0x1000, 0xffff, 0x6, 0x1, 0xffff, 0x65f, 0x647c2b8f, 0x400, 0x8000, 0x8, r12, r13, 0x3, 0x6b}}, {0x0, 0xd}}}, &(0x7f0000004f00)={0x20, 0x0, 0x800, {0x0, 0x0, 0x10001}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000004f80), r5) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r14 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x343, &(0x7f0000004fc0)={0x0, 0x5004, 0x0, 0x1, 0x1de, 0x0, r14}, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000005040)=0x0, &(0x7f0000005080)=0x0) r17 = openat$uinput(0xffffff9c, &(0x7f00000050c0), 0x2, 0x0) r18 = 
openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000005100), 0x488200, 0x0) syz_io_uring_submit(r15, r16, &(0x7f0000005140)=@IORING_OP_SPLICE={0x1e, 0x3, 0x0, @fd=r14, 0x200, {0x0, r17}, 0x6, 0x1, 0x0, {0x0, 0x0, r18}}, 0x3dd1) r19 = openat$keychord(0xffffff9c, &(0x7f0000005180), 0x171000, 0x0) r20 = openat$ubi_ctrl(0xffffff9c, &(0x7f00000051c0), 0x10400, 0x0) syz_kvm_setup_cpu$arm64(r19, r20, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005240)=[{0x0, &(0x7f0000005200)="4623d8a4ce0217c9e59555c166890679e3e0c1940df5b9fcbf91649ef54d80f0c8bcc80e36b5574c4bc9f943401854f56aa2", 0x32}], 0x1, 0x0, &(0x7f0000005280)=[@featur2], 0x1) r21 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x8000, r18, 0x0) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000052c0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005300), &(0x7f0000005340)='./file0\x00', 0xfd, 0x2, &(0x7f0000005540)=[{&(0x7f0000005380)="873519f25df082b371ba5b45adb5709c00805747c37fe044064595cd4728bf8980302b25b4b083b42b41336e130f1b6ff0a2f172498e522b4fe5826eababf53a9852f93ebeb841e1645f32936127029d68fe73eced89c1b93587012a47c42a583d6975592b3f2cdf4337fc6d5e85e5f5835fafe095935ec90484e9081aa8d22498431301baad4a34368c26c64d85326c7e00682178f8d13e6a8969f15b9d5dbcfec2c0e69680c3928ca015b92e25f5078de354fe32cc7121609a0762e1b73efd8967a2fe235e4d1ef9e5ac88bc1ed706a984641b06470b2294d045ce7eba51c0728938a2c6eeb6d8574429cc24bcb2a784", 0xf1, 0x40}, {&(0x7f0000005480)="62935bfe26e9c9f2dc3c3e9dfb491858efb598369bcca51923989ba943cf447baf56625df0f685ed2d034b37c07563f668728f6dc6833609b1221970e55088869d29c01b2dd05c4820b08042b5074008c9757712c480e25d89b9c48e957e5b5c7b0beccfb1fcccedbcedc83806038075fc2a0f8228beb47f1fece09bddcbbe0021abe9c3d198369b81b67dbd6a7d334b8d28b802cc97d934c164e97d9d7b70dc6c", 0xa1, 0x1ff}], 0x8800, &(0x7f0000005580)={[{'\xaa\xaa\xaa\xaa\xaa'}, {}, {':&-]!'}, {'}'}, {',-V'}, {'\\*})'}, {'*^\\^b'}], [{@appraise}, {@fowner_lt={'fowner<', r8}}, {@smackfshat={'smackfshat', 0x3d, 
'\xaa\xaa\xaa\xaa\xaa'}}, {@obj_type={'obj_type', 0x3d, '\xaa\xaa\xaa\xaa\xaa'}}, {@dont_appraise}, {@dont_measure}, {@fowner_lt={'fowner<', r9}}, {@dont_appraise}]}) syz_open_dev$I2C(&(0x7f0000005640), 0x40, 0x300) syz_open_procfs(r6, &(0x7f0000005680)='net/if_inet6\x00') syz_open_pts(r19, 0x800) syz_read_part_table(0x9, 0x9, &(0x7f0000006c40)=[{&(0x7f00000056c0)="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", 0x1000, 0x8001}, {&(0x7f00000066c0)="31e3c3fa6d99", 0x6, 0x3ff}, {&(0x7f0000006700)="39de863b7148208e432fcddbd9e9148e716c1b48a3967c870c70145d90ed681b3f8bce849fee7f50091570854e20103723e56454e711543f6e2be92c34090d8cc792260be9b960c1e4", 0x49, 0x9}, {&(0x7f0000006780)="17fad571f80fecd34a59bc03f6c02bbd6d56cd8d958924b4ae4189b88b85897efd4e596e1118bb0c771c2c5ba37ded06d78111390c1c80cf6ea9df8727f88559815ed76b36fa13fb4d08e1ccdad7973b5bec5655a74a671fde99ee92397c56d409dadb10c4c37ee92cb41d03ae6fb164e7f86985039128d38be83b5e16c35ee34eb2b8396c5348028781a0a879f88159740ab89705d637bedafa915f195a152597fa0d7da9b76476602c6eeefca1e80a6d3d0ed1a75b00f7a5e153dd851e2301c8daa7d49b4ad91c62d1a6967f54cf9621c240ed587192f69959e05407850ce3831c4e811e6fff1cdf93cfabde887358316881845356d7", 0xf7, 0x26}, {&(0x7f0000006880)="c286968e2238742a47e0e8d444a6a661b7708222f4eddab97a749dcebe2cc83a314b828795f915a36d873b714aef15ddb1b4f62f06800bbe85eaebcb76abe944719249ee7927c88e78a968e93f45c52013ef97ef6f989b1d1cd30fff88677962c8f3052ad0a4631e4e750ba80f3753916c2dffc6a4023cdb62a1b5f2afbb965b2f78c5dd47af90b002da1a26a24fcb99bf81fb29574a2f98107a7937639873b95f4a569a0406cc358b46efae587e9008be69d711ae202c22e29a2f615fd23dcf", 0xc0}, {&(0x7f0000006940)="97fc4dd9db673e16fd0f0eb9a4a26e2a49f42e1616190b0634dfd6135145f4e451bbbad56dadf266964eba7d1007c0a23f8cf03d4f8fe09a7989152b7cf2ec30f2693a06befdf023d79f48c208d742c7b75915bcc1be583517ced3b826b97075e62a8ed12dbb264807c6ffd0227614491fb9de0d8a925a2638c31608de405bbf79e96f171fd58338b1d6979d33a7dae8ad62f2ba53fefc3c", 0x98, 0x20}, 
{&(0x7f0000006a00)="77d8d606bfb424e7b995809ab4f559115fd82e972d98b651dfc69b10df600fb4f78efd586f9cc26edc41b1d2fac87efe59e262411f27a94cf796ed31236b457ca0f147530efbd4cfa6b6a0fee46c25abcf7ad8282aae5299e299799cd52d0a58d7ff9dddd0103724c88da92dbefab6248038abef9ec52264afc74825f7ea70b2ca95d6900f9b647a3f986e18287cb2bf4b4c19efc8c218fd905c3727c86c37026bfbde3af078eb07b798e6d3d8f2e4d5d3bc188cdd20f2ebb1461c5e53b05f2989ffac3b168dee56da0fc011974c660e400ae2d8b2c80acb231581ee91763129b2888aeb12", 0xe5, 0x800}, {&(0x7f0000006b00)="560c1bea71b0f97244fa386d26bf6b1b04308e4bc7fffa", 0x17, 0x80000001}, {&(0x7f0000006b40)="14e55a14a7953387ee55333c1d1694ca98c7999b49788642766805d6f5a290eb1e959ee35a740459e13300262f2af9c357f7a8c1cba187e448bc3c8f865cc9be88624fb0f0d0bb885d9cc2abe171a2478a7420db22e8607e3fbec7e2601d9e11086cfa8cf14d99676b679d8d6bf1dd4faab8fe9a5f4e3f695fe2e6abf09f702683802d44cc3a298255c4c59533731ff5b23e053afb716d58cad667686ee647f48e199c9b5c3d0d2d470f2ce1c5b8b5708ae023ad9880caf31d01f96aebbfcc7df95358a016c5471cc2ce2ced6105057c9d22c8167890ca19", 0xd8, 0x400}]) syz_usb_connect(0x2, 0x6c6, &(0x7f0000006cc0)={{0x12, 0x1, 0x200, 0x62, 0xa5, 0xbe, 0x10, 0x2833, 0x211, 0x37a4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6b4, 0x1, 0x20, 0x0, 0xa0, 0x1, [{{0x9, 0x4, 0xdf, 0x0, 0x10, 0xff, 0x1, 0x0, 0x5, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x1, 0x1}]}, @cdc_ecm={{0x9, 0x24, 0x6, 0x0, 0x0, "fd506508"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x40000000, 0x8, 0x4cc5, 0x7f}, [@network_terminal={0x7, 0x24, 0xa, 0x8, 0x3f, 0x0, 0x81}, @country_functional={0x10, 0x24, 0x7, 0x80, 0x5, [0x44, 0x2, 0x800, 0x101, 0x4]}, @acm={0x4, 0x24, 0x2, 0x4}, @mbim_extended={0x8, 0x24, 0x1c, 0x0, 0xc0, 0x5325}, @ncm={0x6, 0x24, 0x1a, 0x7f}]}], [{{0x9, 0x5, 0x5, 0x0, 0xa716c6d63b98b5a2, 0x6, 0x0, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xe9, 0xf000}]}}, {{0x9, 0x5, 0xe, 0x2, 0x200, 0x8, 0x7, 0x40}}, {{0x9, 0x5, 0x0, 0x10605a5c87a92a7e, 0x200, 0x8, 0x3, 0x1, [@generic={0x9b, 0x21, 
"f2ef0a5c069cdb319138e185061d7e196ae94e535d80f27666fba23b374325f15dc5f20812fe05b0620f6ffcb81003b1f39c5dcd1bff14e2bbeb387335a3534f5adb60ffc4f28595c8f992f77fd5f67a04842b9c4364e3556be9bacb8fd56ed77859291153f6c566026363bfa5f2e6ff2fa6d29317f2d562445364939915a75dd7365f6ab9c15ddbc7c3a45f7eb98fd1fea3551bbd46f20a87"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x3ff, 0x1, 0x20, 0xef, [@generic={0xec, 0x6, "f642246a5372991db97e5824a410e28300d3bd153638f6dac6e1189a0c560a0a0e5f8b15e07879ac95016515202646a7b5b5fc74b7cd40d515b2849d8c1dd9ae4fca16c2e6cf0e8a20ce54f05fa123c019208cb34b5ee561c274ea40a7b34e5813a4a29be40817eb1f7b3e9bef60f7c56657481236b93e2c297f17c776b98f1d0c8f2a56447766c7288ba6b1e385b84a516a98ab729ba70e31fee3aab101d590a4481ae5856326c6825b73c7ae7d3b99cb3c59db31a12726234b900584e8db779352188d12c932d4aacb59eef33d33b9550510cf2b49da747e031c83117b511a1bb93ed76c716e6a0254"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x40}]}}, {{0x9, 0x5, 0x1, 0x0, 0x100, 0xfe, 0x8, 0x37, [@generic={0xe9, 0x23, "1a0e3542857d49ea63b7261ebfc19f14272e284d2665d2795e43f6f9ca62776c9ee52d991879d7d67b4d8b270fd51598beac1c0339b2257ad68c1dde54885ae2d219b87cde159a9897c88bda26e08a3691055022739c1fe64adb98639dc25421c449cf364800c4c365062f2488e6901e56e62f4b703eae7af26298a1eee1bfe62d9b2ae35320ae2baf174e94ff55321097be81e0279f5d0aa84dd18ca0864d98d0edbbeaa19ddf3626fd83a2e2b5f676a734d4784b3c6877fd1bb3c9543df7abda9bd9c9be405949747e21073c18957fff0eaac0273cfd3f702cb65597949a172726f7e459536c"}, @generic={0x18, 0x10, "a0289017f3f433f11059489a61115823e1138ae84a34"}]}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0x67, 0x3, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x80, 0x2e6}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x48, 0x35, 0x8, [@generic={0xe5, 0x5, 
"30efe9c1a6e5c89c2031214c60fbbeaa4578091e38009c761d15774802934cfd36355b3518ccfe59fa5e7ccee3c13ac4affbe073e0e788c9b5e32216efbf02e35869d7b233a389f812bfd849433c328466eda5e0e3237529cdc65e4eee743d31ffc186a1fe794bdf1364f31eaeff39829e8f6144850d7470cc71572d1f2f23dccdbcdd99e4930de7edbf59b338db3490305fd7710257980b7f76b8daeacb2ad618131fb9b5a3e026c9ddbd69483cd794caad29f2e3b63124a952b462de0cd951d7efd9b3b29107b641417e7783d90159137fa5273a95e0cc46c97c2246e611acb14b4d"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x8, 0x0, 0x33, 0x9}}, {{0x9, 0x5, 0x2, 0xc, 0x400, 0xed, 0x7, 0x9, [@generic={0x84, 0x31, "ee4cd219154df491c4d32aa32112cff407511b06b17f743409ecc216c31e92cefa2b5cc59e634d7aeba2c9e5e36d8efadc0255172518f909b4e1a7daf4d988b1eeaf196c76ee902b657d12fc23c21e176cd149e98a8d8d5755b74fed1a4284bcfd6e6961951ff8216f7bb42f790edd539c1bc5bbac44f767a685c57cbbdec830c52c"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x1, 0xfe01}]}}, {{0x9, 0x5, 0x3, 0x0, 0x40, 0x2, 0x5, 0x3}}, {{0x9, 0x5, 0x0, 0x0, 0x400, 0x0, 0x2f, 0x4}}, {{0x9, 0x5, 0x8f, 0x8, 0x8, 0x81, 0x1, 0x7f, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xfb}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0x40, 0x76, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x31, 0x8}]}}, {{0x9, 0x5, 0xf, 0x10, 0x3ff, 0x6, 0xb2, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x80, 0x6}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x6, 0xca, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x10, 0x400, 0x1, 0xfc, 0x4, [@generic={0xd4, 0x21, "28a1dfa1d28f9ae60d0a8e9e3c512db35369d479fa6e6aa099e267e1ced77ca2e180b429779023a872b0ef8807e11f8b8b21b811d4fe5527335ce86e3a95cdf960d1e79e88c276c174d183d2f3bc0862dd7e1d29ac589ceb22024e25a44c3e8123581d1448fd2db5332fe41c23f9aa959564f32db1da14610415ddc293dc57c9d6c775d22151bdab236a5a73592e5518055728ae819e25c080cbb9bf0203b6639b8fd8d716d9c571d6b260ea297733d53c3a05449b9b9221d0f402610c9837189f9c6ab3baaf031d48692690c9981cee1426"}, @generic={0xc3, 0x6, 
"60ed98576fbbbee3db67d535ea7e1a19d92d689e2f03308a615a5641e72e694d996f76c1111c88c507c39a87f34a3682dafbfe583b79f5b950a30614162c605f7e6c5d452b4f84a145f20bf4470ddf43f06c415dc6c41551fd458ba6aedf57d74cb85a25e43324814b62c3be4108b1ea5b9dd22a78a45cdf5d8f27c11f35026bf7ef10c7d1f0615fe1c44a302a84d88b8d6c2d85049c9f48a04b4e61801c017f609b673fc8290f7362a0ed35882a335b657f835fce8e20100cde82c1a3dc180611"}]}}]}}]}}]}}, &(0x7f0000007740)={0xa, &(0x7f00000073c0)={0xa, 0x6, 0x310, 0x5, 0x80, 0xff, 0xbf, 0x5}, 0x5, &(0x7f0000007400)={0x5, 0xf, 0x5}, 0x5, [{0xa8, &(0x7f0000007440)=@string={0xa8, 0x3, "0584bddc149671f9e6c6cd123b796cafe2eb5d2bd3cf65e3eb0f3a601aba7164713d4042653f2cca182207d4e7ffa8bc71e705aa48bcff03fddd2e3e6bebe11cb61f95faf14afdf29440021e851fb682aa24e624e833952db6d1f96aa7edfc74ce501359694c7583eb5e48dfe227d2105d5e3d2359e3c728a48adff09b1132f928893ceefae67700983be1ca94e818e7a1463c802f1fc2a72d40900933403d7b255a35d9dc33"}}, {0x4, &(0x7f0000007500)=@lang_id={0x4, 0x3, 0x42c}}, {0xf4, &(0x7f0000007540)=@string={0xf4, 0x3, "1c537117dc720af3ccf108687c86cb544bc885379e435dbb861bc9a01550592e6008ae94a1f98317ad9cd804016b079b5ec294dcaf4537cf5b68c3c4353754caf369ba34101cbd21926b15cef67ab63ead40abfbef867b372fe2781866f87a2dccf98ffe66531c1d5021406c69ce84b439130cac71f52564b7c8fa621d71d5ff001517593f059da0cb82f1fd5e327df9abec4946e34e20d3f1df8f4a0422f9bb538949b4a14d1b3afd6793e81d3ba596d16d8cee0e700314e531e602fe5cb832b22c7a2f9f36f39d053876478157d541e8c0977a9acaf691f1234f665d234f82ee90ff8982d9c1371a15ddc8ed2392dd5a96"}}, {0x98, &(0x7f0000007640)=@string={0x98, 0x3, "078cbefd67796b8d00c6a027e5d07bc3b00756acafb9096e3e381a99fdbe8a5161ca19a9628d61baefd6972b48f5e04b0fa6e2b99cca8df5b50dbd97d656c02f8583a58ce8cbd35c69fb3f86de0ddac90f5be8d4f04a3ad4f31293b509959139bea0f3067d0ebfa3c5b210e1993078b0ae929561fc7734869b3dd8d812c00a3035236166a31227ae291e696ab4f81f4e3f02d6b2f334"}}, {0x4, &(0x7f0000007700)=@lang_id={0x4, 0x3, 0x43e}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007780)={{0x12, 0x1, 0x200, 0xff, 
0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f00000079c0)={0x18, &(0x7f0000007800)={0x20, 0x11, 0xb7, {0xb7, 0x9, "72f591ba5c694f16a4d92075ef3ec8bc46920954799ec8d3c0308f3b4779da6e18e9824a86746d013a399afc7f6fceb6c37f7f131c71ebc001f666ea63ed3ade132009735a546622f9e639d481c967cc7b5b747cc5e62fdc41bbb4bb95878a442cc49111c0f57886f17077a1b4b22e3cf28eecb798feed6f168dd9cc2646f8b79ed41bba94de9e304fc845179a7321f04784aa917ba08405b0a95b8303d914ef8e374780dd8e3437c95c35764cd063e7a3ec6d790b"}}, &(0x7f00000078c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x813}}, &(0x7f0000007900)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x18, 0x8, 0x0, 0x3}]}}, &(0x7f0000007940)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7, 0x80, 0x6, 0xe0, "8402487c", "8056a3ff"}}, &(0x7f0000007980)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xa7, 0x2, 0x7d, 0x0, 0x80, 0x7, 0x6}}}, &(0x7f0000007e80)={0x44, &(0x7f0000007a00)={0x40, 0x10, 0x8c, "21b83825059f24506d8e842085d1f2e7f964471b20ed0a8e50a9aa4ef16b5a6f2dbb2b570a4f8d13d60e47bb7821ff912111dee40a78d42b4d13ea812d929ccf3964c5468f89d2d21630ec87067a2d13f45238b446bf57c6b9ec35578fa587fc77fe2108b1590be081681ccc024f1f590be9e5bec9ea86b9803c60299dda1a82f8ff04428671a43bc2c3393a"}, &(0x7f0000007ac0)={0x0, 0xa, 0x1, 0x4}, &(0x7f0000007b00)={0x0, 0x8, 0x1, 0xfb}, &(0x7f0000007b40)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000007b80)={0x20, 0x0, 0x4, {0x140, 0x20}}, &(0x7f0000007bc0)={0x40, 0x7, 0x2, 0x3ff}, &(0x7f0000007c00)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000007c40)={0x40, 0xb, 0x2, "8a02"}, &(0x7f0000007c80)={0x40, 0xf, 0x2, 0x321a}, &(0x7f0000007cc0)={0x40, 0x13, 0x6, @link_local}, &(0x7f0000007d00)={0x40, 0x17, 0x6, @random="b0fe281fa391"}, &(0x7f0000007d40)={0x40, 0x19, 0x2, '#7'}, &(0x7f0000007d80)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000007dc0)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007e00)={0x40, 0x1e, 0x1, 0x6}, &(0x7f0000007e40)={0x40, 0x21, 0x1, 0x9e}}) r23 = syz_usb_connect$cdc_ecm(0x2, 0x5f, 
&(0x7f0000007f00)={{0x12, 0x1, 0x70, 0x2, 0x0, 0x0, 0x50, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4d, 0x1, 0x1, 0x2, 0x70, 0x40, [{{0x9, 0x4, 0x0, 0xc4, 0x3, 0x2, 0x6, 0x0, 0xe1, {{0x8, 0x24, 0x6, 0x0, 0x0, 'W?s'}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x200, 0x0, 0x200, 0x3}, [@ncm={0x6, 0x24, 0x1a, 0x1000}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x3f, 0x0, 0xd8}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0xff, 0xec, 0x5}}, {{0x9, 0x5, 0x3, 0x2, 0x3cf, 0x81, 0x39, 0x5}}}}}]}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f80)={0xa, 0x6, 0x0, 0x2, 0x20, 0x77, 0xff, 0x2f}, 0x5, &(0x7f0000007fc0)={0x5, 0xf, 0x5}, 0x5, [{0x69, &(0x7f0000008000)=@string={0x69, 0x3, "d25a9c8f1452a3c6ffbfeca8eb777935b58c9b7406775086fff717b54f05ac59f94517ff3cd6f3101dbfa79bb82ae31b1d316d08a71d14fc2c1cfa8c893068bde2bb830ae91fc94288cc232aaac0e64b84007b0e7536c3ec34edef04ded93421a377e0695326aa"}}, {0xac, &(0x7f0000008080)=@string={0xac, 0x3, "7360609ce8300ae4623308d5f8b97bfd50d3d863408b8ea401c86da9d42ce5f3867ce8d721fb2ab5c25f6b4c5e85f5eaf341bd514a16c2dfe3c7a1d7f427ae62c0bff379e84d56637ec1377b8c8ad5b55b099cfaa4a7a6eeb0589f81e7a43300eff53354e1b2bdcdc34d7945d63562e48d5ed93bef75fd0160fcd7c3a6be7f0c642bb6e561e35a1c73110bdcded7699865e25eb238cf8f3b10ad3c10488028c37063c8862f907b06829e"}}, {0x4, &(0x7f0000008140)=@lang_id={0x4, 0x3, 0x81a}}, {0x4, &(0x7f0000008180)=@lang_id={0x4, 0x3, 0x180a}}, {0xb9, &(0x7f00000081c0)=@string={0xb9, 0x3, "37efeb854b4051a46c67aee7eaa0f62fde9f599cd5ba25329d50aee16b30c6c1a514831081afc1dfd2682ff48716a91bf95e084212b0696d43e1c6c43adaf9ed3ef70e62735994d2d0865139604988fac17978d9c05a84f3423831dd1dddc6c94d50ddd674f16525bbf9a8db3bb49001be38a19670abd99f4a2e97cfb20d46c637832a3ec97ff094c6a3304964b72bcf116bf27fedd5521ad3da226297fff849c33c5d849e3e3037527901eef63a599baa54fc46a46ff1"}}]}) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ecm(0x3, 0xc5, &(0x7f00000082c0)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xb3, 0x1, 0x1, 0x6, 
0x28, 0xff, [{{0x9, 0x4, 0x0, 0x9, 0x2, 0x2, 0x6, 0x0, 0x4, {{0x6, 0x24, 0x6, 0x0, 0x0, "b1"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9208, 0x2, 0x0, 0x20}, [@mdlm_detail={0x5e, 0x24, 0x13, 0x7, "63b0b95377147ba214d950fc04b22c04be09d9b96f1ab94bb02e8a2a9e23cf7d3acab22a80ed350ec4b17806edcb169e5075373d991780211392eb3d9f1173a539843bf2c3f66a4a6960a55a2207767db3c55a7dd2898b5ccb40"}, @mbim={0xc, 0x24, 0x1b, 0x2a, 0x100, 0xe0, 0x76, 0x0, 0xff}, @acm={0x4, 0x24, 0x2, 0xa}]}, {[{{0x9, 0x5, 0x81, 0x3, 0x20, 0x73, 0x35, 0x3f}}], {{0x9, 0x5, 0x82, 0x2, 0x8, 0x3, 0x1, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x40, 0x2}}}}}]}}]}}, &(0x7f00000087c0)={0xa, &(0x7f00000083c0)={0xa, 0x6, 0x201, 0x79, 0x3, 0x3f, 0x20, 0x6}, 0x37, &(0x7f0000008400)={0x5, 0xf, 0x37, 0x5, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0xa, 0x6, 0x5}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x1, 0x9, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0xa737ee064a5fddc9, 0x7, 0x7, 0x0, 0x8}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x0, 0x6, 0x6}, @ssp_cap={0x10, 0x10, 0xa, 0x1, 0x1, 0x8001, 0xf00f, 0xfffd, [0x3fc0]}]}, 0x9, [{0x4f, &(0x7f0000008440)=@string={0x4f, 0x3, "c0663b116dab9ba5c0a2f7a2ad486ffc164a4365899565c5e99b015239f378df56db4dc3b0bb08dcd208d958fa3cf08097aa208b2d2865b502cbc94b1a8e33bdd9d6481fbf32d4913422fe189f"}}, {0x85, &(0x7f00000084c0)=@string={0x85, 0x3, "c9c487a90be3d40ef782373d785f86bdfc3db6fb0dd0a7440b2fe4595c3a6bd67aa8518d897a8a757d5f1ceb86e598cabf2345f771c3c7128bd16dd4b1ee9b7dbcaf611e97f6dcb9f171e8f7052b0f33e631bfe99ddc4413e5e5d7b634dcc3b77e4d301f89a8d3b851b02306cabec211127a8e541d162636588ff574de82de8f307d43"}}, {0x4, &(0x7f0000008580)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f00000085c0)=@lang_id={0x4}}, {0xaa, &(0x7f0000008600)=@string={0xaa, 0x3, 
"ce395e8e9f409a37daeb1c20be9ca4004ae810cf1653eccd6e663dd74f8bc06989b4d1a65c9f480bd37e9dd85349f298ddaddc2cc9e4eda147f231402e116fb594a63718d821d885ebd67eda451558b1fba3093ecbd40cbe5fbe07f94ed927d8e5039a7c497aa8d1f10a4ddac049ad820f8c532c5a3f00947955032423922e95aa5bfee041f7fe8744ecc4424057eec97040b341d0dddcaf206da6431e987f04cfd55802cad3a114"}}, {0x4, &(0x7f00000086c0)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000008700)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000008740)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000008780)=@lang_id={0x4, 0x3, 0x1c}}]}) syz_usb_ep_read(r24, 0x8, 0x7d, &(0x7f0000008840)=""/125) r25 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f00000088c0)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x10, 0x56a, 0x62, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0xf0, 0x8e, [{{0x9, 0x4, 0x0, 0x5, 0x1, 0x3, 0x1, 0x2, 0x0, {0x9, 0x21, 0x3, 0xf, 0x1, {0x22, 0xa21}}, {{{0x9, 0x5, 0x81, 0x3, 0x3af, 0x1, 0x40, 0x2}}, [{{0x9, 0x5, 0x2, 0x3, 0x10, 0x6, 0x1, 0x9}}]}}}]}}]}}, &(0x7f0000008c00)={0xa, &(0x7f0000008900)={0xa, 0x6, 0x250, 0x3, 0x1, 0x46, 0xff, 0x20}, 0x34, &(0x7f0000008940)={0x5, 0xf, 0x34, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0xfa, 0x8, 0x80, 0x5, 0x3}, @ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x9, 0xf00f, 0x0, [0xffc00f, 0xff00c0, 0x101ffc0, 0xff0030, 0x30, 0x30]}]}, 0x4, [{0xed, &(0x7f0000008980)=@string={0xed, 0x3, "e7db914ef4a71a3aba443ee181c272e7fbb63648a997754b81a1938f52b9fd8c2b76ca28ee1fcba280021fbe02ffa03ea753f2d51b71f1cb9391ea31faabf8ed37a9853b87eebaa0a1269696e65e309ea4bf7755ff1b99280fd68230d7d899d097e16ee0b224de57339439c80ad7fbf8bbf32aa00e29802bde1c8c5e6228fa0a54c8350ef997112f763e17428fb8e95a56689595f30a3c16151809b0c6b1d4d4766510c6f066fe4b35a3ea90d388d1b4d4e9c6b30971e237e23fd205f9905ee7d79f4443707adc7f65ce2b15994daac7b954353fb23201844122710531879c6291c7dfbf6be454b9cf2f2e"}}, {0x4, &(0x7f0000008a80)=@lang_id={0x4, 0x3, 0x410}}, {0x64, &(0x7f0000008ac0)=@string={0x64, 0x3, 
"041c8b1bd143ea1d63829b769ddb886a6aafeedd5f652bc948677c9a6e3acfe04a1519053f95e5fcf79b085362cdac6abbf8f13781a621885257052b120045da2c494a30bc6ae6c4160cf497002af8b77e21689324bd6e75aceda7cf6a50920b2ab1"}}, {0x87, &(0x7f0000008b40)=@string={0x87, 0x3, "150837b1e69e5007398ac02c4a0b25072daa81a64af10bcdc5736333f49c921f86d9cbc6b778f1d21679d847d5b8a9b70fc56bb5a433040afd94377b2515a55cda70db64442adae0905aa90f911d3beef800ab6fd87a5c51fda8faa750d195c2e657249781c6af0523e0492f9a69e227e10ca0310f1a010f8b986a9a0553a5331f9754fc90"}}]}) syz_usb_ep_write(r25, 0x7, 0x72, &(0x7f0000008c40)="a6908c5530814d6a6bfd6d6c7594d4af8a4962d882da657bb402c7d0ae4535168160dbf67b82f223d577b0e16e6ac3c46a4015a6ed7c4fa65d1dbaa268b748dec46774eca92247969449a9f59e9edde4d37e7bd17882eb005e24fe43f57654000eadec3f1de9917eb28c2a877182c47b556d") syz_usbip_server_init(0x4) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "/data/data/syzkaller/syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { 
pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | 
FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; 
if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool 
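wiphy_freq_fixed;
	uint8_t* mac;
	uint8_t* ssid;
	int ssid_len;
};

// Sets or clears IFF_UP on the named interface through SIOCGIFFLAGS/SIOCSIFFLAGS
// on a throwaway AF_INET datagram socket. Returns 0 on success, -1 on failure.
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		return -1;
	}
	memset(&ifr, 0, sizeof(ifr));
	// The name is supplied by the caller and ifr_name is a fixed-size array,
	// so the copy is bounded; the preceding memset keeps it NUL-terminated.
	// (The original used an unbounded strcpy here.)
	strncpy(ifr.ifr_name, interface_name, sizeof(ifr.ifr_name) - 1);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Builds and sends NL80211_CMD_SET_INTERFACE for ifindex with the requested iftype.
// Returns the result of netlink_send().
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Builds and sends NL80211_CMD_JOIN_IBSS for ifindex using the SSID, frequency,
// optional BSSID (props->mac) and optional fixed-frequency flag from props.
// Returns the result of netlink_send().
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	// NOTE(review): ssid_len is passed through unchecked and netlink_attr() copies
	// that many bytes into the fixed message buffer before any size check runs;
	// confirm callers bound it.
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Queries the link with the given ifindex over a NETLINK_ROUTE socket and returns
// its IFLA_OPERSTATE attribute, or -1 on failure.
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK,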
SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = 
*cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
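sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Pseudo-syscall: copies one 64-byte SQE (a2) into slot a3 of the SQE array (a1)
// and publishes it on the submission ring mapped at a0.
// The slot index is reduced modulo the ring's entry count when that count is
// non-zero. All pointers come straight from the program arguments and are not
// validated here.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ index array is located after the CQEs, rounded up to 64 bytes.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	// Release store so the SQE and array writes above are visible before the new tail.
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

// Pseudo-syscall: creates a UNIX socket pair, attaches one end to a vhci_hcd port
// chosen from a per-speed-class counter, and returns the other end.
// Returns -1 when the counter has run past the port range.
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		exit(1);
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	// NOTE(review): with VHCI_HC_PORTS == 8 the per-class indices look like 0..7,
	// so `>` may admit one index too many; confirm against the vhci_hcd port layout.
	if (available_port_num > VHCI_HC_PORTS) {
		// Both descriptors were leaked on this path before; release them.
		close(client_fd);
		close(server_fd);
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	snprintf(buffer, sizeof(buffer), "%d %d %s %d", port_num, client_fd, "0", speed);
	// write_file() treats its second argument as a printf format, so the
	// pre-formatted text is passed as data.
	write_file("/sys/devices/platform/vhci_hcd.0/attach", "%s", buffer);
	return server_fd;
}

#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer once and returns that buffer
// on every later call. Returns NULL if the file cannot be opened or read, or if
// it fills the whole VMLINUX_MAX_SUPPORT_SIZE buffer.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			// The descriptor was never closed before; every failed call leaked one.
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	close(fd);
	is_read = true;
	return buf;
}

// Pseudo-syscall: walks the BTF type section of vmlinux and returns the 1-based
// index of the first type whose name equals the string at a0, or -1.
// NOTE(review): hdr_len, type_off, str_off and name_off are used without bounds
// checks against the buffer; acceptable only if the kernel-provided blob is trusted.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while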
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
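(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Chooses the reply to an IN control request received while the emulated device
// is being enumerated. Only standard GET_DESCRIPTOR requests are answered; for
// those, *response_data and *response_length are set and true is returned.
// Returns false for everything else (the caller stalls EP0).
//
// descs may be NULL: string requests already tolerated that, and the BOS and
// DEVICE_QUALIFIER branches now do as well instead of dereferencing it.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	// Backing storage for a synthesized DEVICE_QUALIFIER descriptor. The original
	// code built the descriptor in place over the caller's pointer variable
	// (response_data is a char**), which overwrote the pointer, wrote past it and
	// left *response_data holding descriptor bytes. Thread-local so concurrent
	// callers do not share the buffer; the caller copies the data out right away.
	static __thread struct usb_qualifier_descriptor qual_storage;

	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// The descriptor type is the high byte of wValue.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// No caller-supplied descriptors means there is no BOS to return.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Derive the qualifier from the device descriptor.
					struct usb_qualifier_descriptor* qual = &qual_storage;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Signature of the handler that decides how OUT control requests are treated
// during enumeration; it sets *done when enumeration should stop.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Default OUT handler: accepts only standard SET_CONFIGURATION and finishes
// enumeration on it.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: accepts SET_CONFIGURATION and the vendor firmware-download
// request, and finishes enumeration only on the download-complete request.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct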
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
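USB_RAW_IOCTL_EVENT_FETCH, event);
}

// Thin wrappers around the raw-gadget ioctls; each returns the ioctl result unchanged.
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in the device index of the interface matching both the
// interface number and the alternate setting, or -1 if fd is unknown or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the raw-gadget handle of the endpoint with the given address on the
// currently selected interface, or -1 if fd is unknown, no interface is selected
// or no endpoint matches.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	// The loop condition used to be just `eps_num`, so a missing address walked
	// past the end of eps[] whenever the interface had any endpoints. Bound it.
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

// Switches the device to interface n: disables the endpoints of the current
// interface, enables those of n and records their handles. Failures of individual
// enable/disable calls are ignored; an out-of-range n only disables.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			// Best effort: the result is deliberately not acted on.
			usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			// On failure the previously stored handle is left as it was.
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

// Applies the configuration: reports bMaxPower via VBUS_DRAW, issues CONFIGURE and
// selects interface 0. Returns 0, the failing ioctl's result, or -1 for an unknown fd.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Opens a raw-gadget device, registers the supplied descriptors and answers
// control requests until the OUT handler reports that enumeration is done.
// NOTE(review): the early error returns after usb_raw_open() other than the
// MAX_FDS check leave fd open; confirm whether that is intended.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {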
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
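ep_handle;
	io_data.inner.flags = 0;
	// Clamp the caller-supplied length to the staging buffer before copying into it.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Reads up to a2 bytes from endpoint a1 of the emulated USB device a0 into the buffer at a3.
// Returns 0 on success, -1 if the endpoint is unknown, or the negative result of usb_raw_ep_read.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	// Clamp the requested length to the staging buffer.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	// NOTE(review): the copy-out uses the requested (clamped) length, not rv. Unless
	// usb_raw_ep_read updates inner.length, a short read also copies bytes of the
	// uninitialised stack buffer into the caller's memory - confirm this is intended.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

// Closes the emulated USB device fd a0 and returns the result of close().
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// Opens a device node.
//   a0 == 0xc / 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> with O_RDWR.
//   otherwise: a0 is a pointer to a path template, a1 supplies digits for '#', a2 is the open flags.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		// Major and minor are truncated to uint8_t above, so the path always fits in buf[128].
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		// Bounded copy with explicit termination: over-long templates are truncated.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		// Replace every '#', left to right, with successive decimal digits of a1
		// (least significant digit first).
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

// Opens a procfs file for this process.
//   a0: 0 selects /proc/self, -1 selects /proc/thread-self, any other value is
//       used as a task id under /proc/self/task.
//   a1: pointer to the NUL-terminated file name below that directory.
// snprintf truncates over-long names to buf. O_RDWR is tried first, then O_RDONLY.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Queries the pty number of the master fd a0 (TIOCGPTN) and opens /dev/pts/<n> with flags a1.
// Returns the new fd, or -1 if the ioctl or the open fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Creates a socket in the network namespace referenced by kInitNetNsFd and then
// switches back to the namespace the caller was in.
// Returns the socket fd (or -1) with errno set by socket(); if the original
// namespace cannot be restored the process exits, because continuing in the
// wrong namespace would affect everything that runs afterwards.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Do not leak the saved-namespace fd on this failure path; keep setns()'s errno.
		int saved = errno;
		close(netns);
		errno = saved;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// Resolves a generic-netlink family name to its id.
//   name: pointer to the family name string.
//   sock_arg: netlink socket to use; if negative, a temporary NETLINK_GENERIC
//             socket is created and closed again, and dofail=true is passed
//             to netlink_query_family_id.
// Returns the family id, or -1 on any failure.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	// Only close the socket if it was created here.
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

// One chunk of a filesystem image: size bytes at data are placed at offset in the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

// Clamps every segment so that it lies inside [0, IMAGE_MAX_SIZE) and returns an
// image size that is large enough to hold all checked segments, itself capped at
// IMAGE_MAX_SIZE. The segment array is modified in place.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// The image must reach the END of the segment (offset + size). The previous
		// code compared against offset + offset, which under-sized the image for any
		// segment longer than its offset. After the clamps above the sum cannot
		// exceed IMAGE_MAX_SIZE, so it cannot overflow.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Builds an in-memory image from the segments and attaches it to the loop device loopname.
// On success stores the memfd and loop fd in *memfd_p / *loopfd_p and returns 0;
// on failure closes what was opened, sets errno and returns -1.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	size = fs_image_segment_check(size, nsegs, segs);
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): fs_image_segment_check clamps only its own copy of nsegs, so this
	// loop still visits segments beyond IMAGE_MAX_SEGMENTS whose size/offset were
	// never clamped - confirm whether nsegs should be capped here as well.
	// Write failures are deliberately ignored (best effort).
	for (size_t i = 0; i < nsegs; i++) {
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// The device is still bound to an earlier image: detach it and retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Attaches the image described by the segments to /dev/loop<procid> and asks the
// kernel to scan it for partitions (LO_FLAGS_PARTSCAN).
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64,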
&info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// Probe partition nodes p1..p7 of this loop device and expose each one that
	// exists as ./fileN in the current directory (N counts only the nodes found).
	// A failing symlink() is ignored.
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	// Also reached on success: the loop device is always detached and both fds closed.
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	close(memfd);
	errno = err;
	return res;
}

// Mounts a filesystem, optionally from an in-memory image, and returns an fd for the mount point.
//   fsarg:    pointer to the filesystem type string.
//   dir:      pointer to the mount point path (created with mkdir if missing).
//   size/nsegs/segments: image description; a NULL segments pointer means no
//             loop device is set up and mount() gets a NULL source.
//   flags:    mount flags; MS_RDONLY is forced for iso9660.
//   optsarg:  pointer to the mount option string.
// Returns a directory fd for the mounted target, or -1 with errno set.
// NOTE(review): fsarg, dir and optsarg are dereferenced without a NULL check -
// presumably the program generator always supplies them; confirm.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
			return -1;
		source = loopname;
	}
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	// Copy at most sizeof(opts) - 32 bytes into the zeroed buffer: the result is
	// always NUL-terminated and 32 bytes stay free for the suffixes appended below.
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Append errors=continue when the options ask for errors=panic or do not
		// contain errors=remount-ro.
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
	}
error_clear_loop:
	// Reached on success as well; the loop device is detached in every case.
	if (need_loop_device) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
		close(memfd);
	}
	errno = err;
	return res;
}

// Stub in this build: ignores all arguments and returns 0.
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2,
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

// Mounts fusectl on /sys/fs/fuse/connections; a failure is ignored.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Sandbox setup shared by the sandbox modes: parent-death signal, new session,
// a saved handle on the initial network namespace, resource limits, namespace
// unsharing and SysV IPC sysctls.
static void sandbox_common()
{
	// Kill this process if its parent dies.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();
	// Keep the current network namespace reachable at the fixed fd kInitNetNsFd.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Resource limits; setrlimit() results are not checked.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20); // address space: 200 MiB
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20; // locked memory: 32 MiB
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20; // file size: 136 MiB
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20; // stack: 1 MiB
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256; // open files
	setrlimit(RLIMIT_NOFILE, &rlim);
	// Namespace isolation is best effort: every failure below is ignored, so the
	// resulting isolation depends on what the running kernel and privileges allow.
	if (unshare(CLONE_NEWNS)) {
	}
	// Make all mounts private so that later mounts do not propagate outwards.
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is CLONE_NEWCGROUP, spelled numerically.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	// SysV shared memory, message queue and semaphore limits written on every setup.
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	// The result of write_file() is not checked here.
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the calling process; exits on failure.
// Only the first capability word (cap_data[0]) is modified.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } #define PRIMARY_ARCH AUDIT_ARCH_I386 const struct sock_filter x86_app_filter[] = { BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 120), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 59, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 75, 29, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 15, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 24, 7, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 10, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 8, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 7, 113, 112), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 9, 112, 111), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 13, 110, 109), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 21, 109, 108), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 33, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 26, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 25, 106, 105), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 27, 105, 104), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 34, 103, 102), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 40, 102, 101), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 60, 7, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 54, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 45, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 98, 97), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 46, 97, 96), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 56, 95, 94), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 94, 93), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 66, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 63, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 61, 91, 90), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 65, 90, 89), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 68, 89, 88), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 114, 15, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 7, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 85, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 77, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 76, 84, 83), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 79, 83, 82), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 86, 81, 80), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 80, 79), 
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 102, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 96, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 77, 76), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 98, 76, 75), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 103, 74, 73), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 106, 73, 72), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 125, 7, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 118, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 115, 69, 68), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 68, 67), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 122, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 121, 66, 65), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 123, 65, 64), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 126, 62, 61), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 134, 61, 60), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 137, 60, 59), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 265, 29, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 207, 15, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 183, 7, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 168, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 54, 53), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 164, 53, 52), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 169, 51, 50), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 182, 50, 49), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 199, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 190, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 188, 47, 46), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 46, 45), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 205, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 44, 43), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 206, 43, 42), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 245, 7, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 218, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 211, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 210, 39, 38), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 212, 38, 37), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 222, 36, 35), 
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 244, 35, 34), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 254, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 252, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 250, 32, 31), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 253, 31, 30), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 264, 30, 29), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 15, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 295, 7, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 284, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 271, 25, 24), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 273, 24, 23), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 291, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 22, 21), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 294, 21, 20), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 313, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 300, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 299, 18, 17), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 312, 17, 16), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 318, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 317, 15, 14), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 321, 14, 13), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 351, 7, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 344, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 340, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 337, 10, 9), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 341, 9, 8), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 346, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 345, 7, 6), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 349, 6, 5), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 375, 3, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 358, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 357, 3, 2), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 359, 2, 1), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 380, 1, 0), BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), }; #define x86_app_filter_size (sizeof(x86_app_filter) / sizeof(struct sock_filter)) static const struct sock_filter* primary_app_filter = x86_app_filter; static const size_t primary_app_filter_size = x86_app_filter_size; #define kFilterMaxSize (x86_app_filter_size + 3 + 1 + 4 + 2) #define syscall_nr (offsetof(struct seccomp_data, nr)) #define arch_nr (offsetof(struct seccomp_data, 
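arch))
// Fixed-capacity buffer in which the seccomp-BPF program is assembled.
typedef struct Filter_t {
	struct sock_filter data[kFilterMaxSize];
	size_t count;
} Filter;

// Appends one BPF instruction; exits instead of writing past the buffer.
static void push_back(Filter* filter_array, struct sock_filter filter)
{
	if (filter_array->count == kFilterMaxSize)
		exit(1);
	filter_array->data[filter_array->count++] = filter;
}

// Appends "return SECCOMP_RET_TRAP".
static void Disallow(Filter* f)
{
	struct sock_filter filter = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP);
	push_back(f, filter);
}

// Appends a load of the syscall number from seccomp_data into the accumulator.
static void ExamineSyscall(Filter* f)
{
	struct sock_filter filter = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr);
	push_back(f, filter);
}

// Appends the architecture check: load seccomp_data.arch, skip the following
// trap when it equals PRIMARY_ARCH, otherwise fall through into the trap.
// Checking the architecture first matters because syscall numbers are only
// meaningful relative to one ABI.
static void ValidateArchitecture(Filter* f)
{
	struct sock_filter filter1 = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, arch_nr);
	struct sock_filter filter2 = BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PRIMARY_ARCH, 1, 0);
	push_back(f, filter1);
	push_back(f, filter2);
	Disallow(f);
}

// Installs the assembled program with PR_SET_SECCOMP; exits on failure.
// NOTE(review): no PR_SET_NO_NEW_PRIVS call is visible here, so the install
// presumably relies on the caller still holding CAP_SYS_ADMIN - confirm.
static void install_filter(const Filter* f)
{
	struct sock_fprog prog = {
	    (unsigned short)f->count,
	    (struct sock_filter*)&f->data[0],
	};
	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
		exit(1);
}

// Assembles and installs the app filter: architecture check, syscall-number
// load, the primary app filter table, and a trailing trap for anything the
// table does not route to its allow statement.
static void set_app_seccomp_filter()
{
	const struct sock_filter* p = primary_app_filter;
	size_t p_size = primary_app_filter_size;
	Filter f;
	f.count = 0;
	ValidateArchitecture(&f);
	ExamineSyscall(&f);
	for (size_t i = 0; i < p_size; ++i)
		push_back(&f, p[i]);
	Disallow(&f);
	install_filter(&f);
}

// Numeric ids used to impersonate an untrusted Android application.
#define AID_NET_BT_ADMIN 3001
#define AID_NET_BT 3002
#define AID_INET 3003
#define AID_EVERYBODY 9997
#define AID_APP 10000
#define UNTRUSTED_APP_UID (AID_APP + 999)
#define UNTRUSTED_APP_GID (AID_APP + 999)

const char* const SELINUX_CONTEXT_UNTRUSTED_APP = "u:r:untrusted_app:s0:c512,c768";
const char* const SELINUX_LABEL_APP_DATA_FILE = "u:object_r:app_data_file:s0:c512,c768";
const char* const SELINUX_CONTEXT_FILE = "/proc/thread-self/attr/current";
const char* const SELINUX_XATTR_NAME = "security.selinux";
const gid_t UNTRUSTED_APP_GROUPS[] = {UNTRUSTED_APP_GID, AID_NET_BT_ADMIN, AID_NET_BT, AID_INET, AID_EVERYBODY};
const size_t UNTRUSTED_APP_NUM_GROUPS = sizeof(UNTRUSTED_APP_GROUPS) / sizeof(UNTRUSTED_APP_GROUPS[0]);

// Reads the calling thread's SELinux context into context (capacity
// context_size) as a NUL-terminated string without a trailing newline.
// Exits on any failure.
static void getcon(char* context, size_t context_size)
{
	if (context_size == 0)
		exit(1);
	int fd = open(SELINUX_CONTEXT_FILE, O_RDONLY);
	if (fd < 0)
		exit(1);
	// Leave room for the terminator: read() does not add one, and callers pass
	// uninitialised stack buffers that are later handed to strcmp().
	ssize_t nread = read(fd, context, context_size - 1);
	close(fd);
	if (nread <= 0)
		exit(1);
	context[nread] = '\0';
	if (context[nread - 1] == '\n')
		context[nread - 1] = '\0';
}

// Switches the calling thread to the given SELinux context and verifies, by
// reading it back, that the kernel actually applied it. Exits on any mismatch
// so the sandbox never continues with a label other than the requested one.
static void setcon(const char* context)
{
	char new_context[512];
	int fd = open(SELINUX_CONTEXT_FILE, O_WRONLY);
	if (fd < 0)
		exit(1);
	ssize_t bytes_written = write(fd, context, strlen(context));
	close(fd);
	if (bytes_written != (ssize_t)strlen(context))
		exit(1);
	getcon(new_context, sizeof(new_context));
	if (strcmp(context, new_context) != 0)
		exit(1);
}

// Sets the SELinux label of path through the security.selinux xattr and
// verifies it by reading the attribute back. Exits on any failure or mismatch.
static void setfilecon(const char* path, const char* context)
{
	char new_context[512];
	if (setxattr(path, SELINUX_XATTR_NAME, context, strlen(context) + 1, 0) != 0)
		exit(1);
	// getxattr() returns raw bytes; terminate them explicitly before comparing
	// instead of relying on the stored value containing a NUL.
	ssize_t len = getxattr(path, SELINUX_XATTR_NAME, new_context, sizeof(new_context) - 1);
	if (len < 0)
		exit(1);
	new_context[len] = '\0';
	if (strcmp(context, new_context) != 0)
		exit(1);
}

// Enters the Android untrusted-app sandbox and runs the test loop; never returns.
// Order matters: supplementary groups and gid are changed while still
// privileged, the seccomp filter is installed before the uid is dropped, and
// the SELinux labels are applied last. Every step exits on failure.
static int do_sandbox_android(void)
{
	setup_common();
	sandbox_common();
	drop_caps();
	if (chown(".", UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
		exit(1);
	if (setgroups(UNTRUSTED_APP_NUM_GROUPS, UNTRUSTED_APP_GROUPS) != 0)
		exit(1);
	if (setresgid(UNTRUSTED_APP_GID, UNTRUSTED_APP_GID, UNTRUSTED_APP_GID) != 0)
		exit(1);
	set_app_seccomp_filter();
	if (setresuid(UNTRUSTED_APP_UID, UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
		exit(1);
	// Re-arm the parent-death signal: the kernel clears it when credentials change.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setfilecon(".", SELINUX_LABEL_APP_DATA_FILE);
	setcon(SELINUX_CONTEXT_UNTRUSTED_APP);
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes the directory dir; exits the process on unrecoverable errors.
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);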
		struct stat st;
		// lstat() is used, so a symlink is unlinked itself and never followed
		// into the directory it may point to.
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Clear the inode flags (FS_IOC_SETFLAGS with 0) and retry the unlink.
				// NOTE(review): this `continue` skips the i > 100 bound below, so a
				// file that keeps failing with EPERM is retried without limit - confirm.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
		}
	}
	closedir(dp);
	// Remove the directory itself, with up to 100 retries for transient errors.
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				continue;
			}
			if (errno == ENOTEMPTY) {
				// New entries appeared while deleting: rescan, at most 100 times.
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Writes nth to /proc/thread-self/fail-nth and returns the still-open fd.
// Exits if the file cannot be opened or written. The caller owns the fd.
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

// Kills the test process (its process group first, then the pid) and reaps it.
// If it has not exited after 100 polls of 1 ms, every FUSE connection listed
// under /sys/fs/fuse/connections is aborted and the wait becomes blocking.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// One byte is written to the abort file; its value is the first
			// character of the path buffer. A failed write is ignored.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	// Blocks until the child is reaped.
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detaches whatever is bound to /dev/loop<procid>; does nothing if it cannot be opened.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test setup run in the forked child.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	// Writes the value 1000 to this process's oom_score_adj.
	write_file("/proc/self/oom_score_adj", "1000");
}

// Configures the kernel fault-injection knobs in debugfs. Only the failslab
// entry is marked fatal; failures on the other files are ignored.
static void setup_fault()
{
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				exit(1);
		}
	}
}

#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes as used by syz_fuse_handle_req below.
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header at the start of every request read from the FUSE fd.
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

// Header at the start of every reply written to the FUSE fd.
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

// Prepared replies supplied by the test program, one slot per reply shape.
// A NULL slot means no reply is available for that request kind.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

// Sends out_hdr as the reply to the request in_hdr, copying the request's
// unique id into it. Returns 0 on success, -1 if out_hdr is NULL or write() fails.
// The number of bytes written is out_hdr->len exactly as found in the prepared
// reply; it is not validated against the size of the memory behind out_hdr.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

// Reads one request from the FUSE fd and answers it with the matching prepared reply.
//   a0: FUSE device fd.
//   a1: pointer to the read buffer.
//   a2: buffer length; must be at least FUSE_MIN_READ_BUFFER.
//   a3: pointer to a struct syz_fuse_req_out with the prepared replies.
// Returns 0 on success (FORGET requests get no reply), -1 on any error or
// unknown opcode.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	// Reject reads that are too short to contain a request header.
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	// Reject requests that claim to be longer than what was actually read.
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		// These requests are answered with a bare header: the init reply slot is
		// reused and its length is overwritten with the header size.
		// NOTE(review): the overwrite persists in req_out->init, so a later
		// FUSE_INIT would be sent with this shortened length - confirm.
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		// No reply is sent for forget requests.
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
#define WIFI_MAX_INJECT_LEN 2048

// Sends HWSIM_CMD_REGISTER on the given generic-netlink socket.
// Returns the result of netlink_send().
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Sends HWSIM_CMD_FRAME carrying len bytes of data addressed to mac_addr, with
// the default rx rate and signal attributes. Returns the result of netlink_send().
// len is not checked here; the visible caller bounds it before calling.
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

static long
syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	// Injects one 802.11 frame through mac80211_hwsim.
	//   a0: pointer to the receiver MAC address, a1: pointer to the frame, a2: frame length.
	// Returns 0 on success, -1 on any failure.
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	// Bound the length before it is used to build the netlink attribute.
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	// NOTE(review): the family id is used without a check; presumably the `true`
	// argument makes netlink_query_family_id abort on failure - confirm.
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Puts a wireless interface into an IBSS network via nl80211.
//   a0: pointer to the interface name, a1: pointer to the SSID, a2: SSID length,
//   a3: one of the WIFI_JOIN_IBSS_* modes.
// Returns 0 on success, -1 on invalid arguments or failure. In NO_SCAN mode it
// additionally waits until the interface reports IF_OPER_UP.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	// Validate length and mode before they reach the netlink message.
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

// Calls the address in text as a function taking no arguments and returns 0.
// The bytes at that address come from the generated program, so this is
// execution of arbitrary machine code by design; the program is meant to be
// run only inside the disposable test environment with the sandbox applied.
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}

// State of one worker thread: whether it was started, the call index it should
// run next, and the events used to hand work over and to report completion.
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing on worker threads.
static int running;

// Worker loop: wait for work, run the assigned call, decrement the running
// counter and signal completion. Never returns.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs the 53 calls of the program in order, each on the first worker thread
// that is idle, waiting a bounded time for each call before moving on.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 53; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			// Start the worker lazily on first use.
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			// Skip workers that are still busy with an earlier call.
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Base wait of 50 ms plus a per-call extra for selected call indices.
			event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 38 ? 50 : 0) + (call == 43 ? 3000 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 300 : 0) + (call == 46 ? 3000 : 0) + (call == 47 ? 300 : 0) + (call == 48 ? 3000 : 0) + (call == 49 ? 300 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ?
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_dup #define __NR_dup 41 #endif #ifndef __NR_fcntl #define __NR_fcntl 55 #endif #ifndef __NR_getgid #define __NR_getgid 47 #endif #ifndef __NR_getresuid #define __NR_getresuid 165 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_lstat #define __NR_lstat 107 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_read #define __NR_read 3 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[26] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000000 = -1; inject_fault(1); res = syscall(__NR_ioctl, -1, 0x89e2, 0x20000000); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0xe6; memcpy((void*)0x20000048, 
"\xf1\x37\x16\x1a\xb8\x6c\x59\x42\x02\xb9\x97\xd9\xf1\x2d\x00\x70\x21\x87\x03\x22\xc8\xd9\x09\x74\x84\x09\x95\x1a\xe9\x80\x0c\x1e\x20\x7f\x98\xb7\x69\xc7\x40\xf8\x67\xea\x14\xbb\xf8\x66\x6a\x4f\x98\xd2\x29\xaa\xaf\xbc\x33\xc6\xc5\x21\x68\xdb\x89\x33\xc4\xa4\xa4\xa3\xdd\x3c\xe0\xcc\xea\x96\xe7\x1d\x81\xff\x4a\xca\x83\x31\xcb\x01\xbf\x35\x43\x38\x53\xd1\xab\xd4\x8f\xd6\xd0\xce\x13\x14\xdf\x65\x07\xba\xe5\x35\xa2\xb4\xe3\xea\xa7\x4c\x5d\x23\x00\x65\x94\x14\x8a\x0f\xe5\xb4\xa8\x84\xef\x8f\x41\x34\x6e\x49\xcc\x90\x47\x4c\xb1\x7b\xac\x30\x1d\x47\x97\xed\x05\xdf\xc6\xcc\xb7\x4b\xeb\xaa\xbe\x54\x91\x72\xd6\x22\xa3\x06\x05\xa4\xe4\x9f\xd3\xf8\x53\x7d\xe5\x27\x2c\x33\xad\x4f\x07\xcd\x06\x05\x77\xbc\xe6\x5e\x5c\x80\xa3\x41\x68\xcd\xe6\x81\x17\xe4\xf9\x00\xe3\x5a\x3d\x88\x8e\x02\xee\x11\x17\x52\x21\x3b\x40\xd2\xaf\x25\x8c\x01\xf3\x6d\xe5\x0c\xe8\xe8\x3d\x42\x26\xa3\x0d\x6a\x4c\xc4\x3a\x88\x3f\x6c\x20\xe3\xfa\xda\x8a\xd2", 230); *(uint32_t*)0x20000140 = 0xee; res = syscall(__NR_getsockopt, -1, 0x84, 0x1a, 0x20000040, 0x20000140); if (res != -1) r[1] = *(uint32_t*)0x20000040; break; case 2: *(uint32_t*)0x20000180 = r[1]; *(uint16_t*)0x20000184 = 0xa; *(uint16_t*)0x20000186 = htobe16(0x4e22); *(uint32_t*)0x20000188 = htobe32(3); *(uint8_t*)0x2000018c = 0xfc; *(uint8_t*)0x2000018d = 2; memset((void*)0x2000018e, 0, 13); *(uint8_t*)0x2000019b = 0; *(uint32_t*)0x2000019c = 1; *(uint64_t*)0x20000204 = 0x7fffffff; *(uint64_t*)0x2000020c = 1; *(uint64_t*)0x20000214 = 0x7fff; *(uint64_t*)0x2000021c = 4; *(uint64_t*)0x20000224 = 7; *(uint64_t*)0x2000022c = 1; *(uint64_t*)0x20000234 = 0x3ff; *(uint64_t*)0x2000023c = 0x40; *(uint64_t*)0x20000244 = 5; *(uint64_t*)0x2000024c = 1; *(uint64_t*)0x20000254 = 0; *(uint64_t*)0x2000025c = 7; *(uint64_t*)0x20000264 = 0; *(uint64_t*)0x2000026c = 8; *(uint64_t*)0x20000274 = 0x1f; *(uint32_t*)0x20000280 = 0xfc; res = syscall(__NR_getsockopt, (intptr_t)r[0], 0x84, 0x70, 0x20000180, 0x20000280); if (res != -1) r[2] = *(uint32_t*)0x20000180; break; case 3: 
*(uint32_t*)0x200002c0 = r[2]; *(uint16_t*)0x200002c4 = 0xa; *(uint16_t*)0x200002c6 = htobe16(0x4e20); *(uint32_t*)0x200002c8 = htobe32(9); *(uint8_t*)0x200002cc = 0xfc; *(uint8_t*)0x200002cd = 2; memset((void*)0x200002ce, 0, 13); *(uint8_t*)0x200002db = 1; *(uint32_t*)0x200002dc = 3; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 6, 0x200002c0, 0x84); break; case 4: memcpy((void*)0x20000380, "/dev/pktcdvd/control\000", 21); res = syscall(__NR_openat, 0xffffff9c, 0x20000380, 0, 0); if (res != -1) r[3] = res; break; case 5: syscall(__NR_ioctl, (intptr_t)r[3], 0x7c80, 0); break; case 6: *(uint32_t*)0x200003c0 = r[1]; *(uint16_t*)0x200003c4 = 0xa; *(uint16_t*)0x200003c6 = htobe16(0x4e23); *(uint32_t*)0x200003c8 = htobe32(0x7f); *(uint8_t*)0x200003cc = 0xfc; *(uint8_t*)0x200003cd = 0; memset((void*)0x200003ce, 0, 13); *(uint8_t*)0x200003db = 0; *(uint32_t*)0x200003dc = 5; *(uint16_t*)0x20000444 = 5; *(uint16_t*)0x20000446 = 0x476f; syscall(__NR_setsockopt, (intptr_t)r[0], 0x84, 0x1f, 0x200003c0, 0x88); break; case 7: *(uint32_t*)0x20000500 = 1; *(uint32_t*)0x20000504 = 2; *(uint64_t*)0x20000508 = 0x20000480; *(uint32_t*)0x20000480 = 0; *(uint64_t*)0x20000510 = 0x200004c0; *(uint32_t*)0x20000518 = 4; *(uint32_t*)0x2000051c = 8; res = syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x20000500); if (res != -1) r[4] = *(uint32_t*)0x200004c0; break; case 8: *(uint32_t*)0x200005c0 = 0x8a; *(uint32_t*)0x200005c4 = 7; *(uint64_t*)0x200005c8 = 0x20000540; *(uint32_t*)0x20000540 = r[4]; *(uint32_t*)0x20000544 = 0x400; *(uint64_t*)0x20000548 = 0; *(uint64_t*)0x200005d0 = 0x20000580; *(uint32_t*)0x200005d8 = 0x10; *(uint32_t*)0x200005dc = 0xc; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 0x200005c0); break; case 9: *(uint32_t*)0x20000680 = 0x83; *(uint32_t*)0x20000684 = 2; *(uint64_t*)0x20000688 = 0x20000600; *(uint32_t*)0x20000600 = r[4]; *(uint64_t*)0x20000690 = 0x20000640; *(uint32_t*)0x20000698 = 4; *(uint32_t*)0x2000069c = 4; syscall(__NR_ioctl, (intptr_t)r[3], 0xc0206440, 
0x20000680); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 0x240, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); memset((void*)0x20000044, 255, 6); *(uint8_t*)0x2000004a = 8; *(uint8_t*)0x2000004b = 2; *(uint8_t*)0x2000004c = 0x11; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; memcpy((void*)0x20000050, "\x20\x15\xd2\x29\x78\x5b", 6); STORE_BY_BITMASK(uint16_t, , 0x20000056, 8, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0, 4, 12); *(uint16_t*)0x20000058 = 0x27; *(uint8_t*)0x2000005a = 0x8c; *(uint8_t*)0x2000005b = 0x18; *(uint16_t*)0x2000005c = 0xc93; memcpy((void*)0x2000005e, "\xff\xe3\x24\x0f\x04\x84", 6); memcpy((void*)0x20000064, "\x06\x7e\xcc\x39\xa7\x8a\x3e\xa4\x7c\x22\x24\x6d\x39\x1b\x92\xc4", 16); syz_80211_inject_frame(0x20000000, 0x20000040, 0x34); break; case 11: memcpy((void*)0x20000080, "wlan1\000", 6); memset((void*)0x200000c0, 1, 6); syz_80211_join_ibss(0x20000080, 0x200000c0, 6, 2); break; case 12: memcpy((void*)0x20000100, "bpf_lsm_xfrm_policy_alloc_security\000", 35); syz_btf_id_by_name(0x20000100); break; case 13: memcpy((void*)0x20000340, 
"\xc4\xc1\x7d\x6f\x70\x72\xc4\xe1\xf9\x11\x2f\xc4\xe3\xc9\x5d\x33\xab\xc4\xc2\x79\x0e\xb0\x00\x00\x00\x00\xc4\xe1\x7a\x12\xb7\x0c\x00\x00\x00\x0f\x01\x56\xe9\xc4\xe1\x0d\xd5\x5e\x0c\xf3\x0f\x52\x6b\x00\x0f\x7e\x20\xc4\xc1\x79\xe7\x02", 58); syz_execute_func(0x20000340); break; case 14: res = syscall(__NR_dup, -1); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_fcntl, -1, 9, 0); if (res != -1) r[6] = res; break; case 16: memcpy((void*)0x200026c0, "./file0\000", 8); res = syscall(__NR_lstat, 0x200026c0, 0x20002700); if (res != -1) r[7] = *(uint32_t*)0x20002710; break; case 17: res = syscall(__NR_getresuid, 0x20002800, 0x20002840, 0x20002880); if (res != -1) { r[8] = *(uint32_t*)0x20002800; r[9] = *(uint32_t*)0x20002880; } break; case 18: res = syscall(__NR_read, -1, 0x20002ac0, 0x2020); if (res != -1) r[10] = *(uint32_t*)0x20002ad0; break; case 19: memcpy((void*)0x20004b00, "./file0\000", 8); res = syscall(__NR_statx, -1, 0x20004b00, 0x2000, 0x20, 0x20004b40); if (res != -1) r[11] = *(uint32_t*)0x20004b58; break; case 20: *(uint32_t*)0x20004e00 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004d00, 0x20004e00); if (res != -1) r[12] = *(uint32_t*)0x20004d34; break; case 21: res = syscall(__NR_getgid); if (res != -1) r[13] = res; break; case 22: memcpy((void*)0x200003c0, 
"\x23\x58\x10\x53\x7c\x7f\x88\x6c\xa9\x17\x21\x04\x5f\xf7\xba\xdf\xae\x44\x29\xb2\x52\xcd\x65\x81\x72\xc1\xd0\xd4\x18\xed\x70\x05\x74\x39\xfc\x22\xff\xc7\x7b\x29\x08\x5c\x94\x88\xff\x93\x40\xf8\xa2\xad\xe9\x9b\xf9\xaf\x14\xa3\x57\x25\x7b\x8a\xa6\x9b\x4b\x8e\xff\xe7\xaf\xd6\x87\x6b\x3b\x51\x2b\x86\xfa\x1d\xff\x55\x5c\x6d\xc6\x18\x62\x66\xc9\x1f\xa2\x81\xc9\xdc\x72\xee\x17\xea\xd0\xe2\xa3\xfe\x9f\xf0\x3e\x7c\x32\xd2\x7e\x26\x7f\x5b\xe0\xfd\x6d\x1f\x9e\xfc\x02\xaf\x7f\xe9\xd6\x8d\x75\x55\x19\x20\x1d\xea\x7a\xbe\x68\x10\x53\xab\x98\xf7\x3f\xc0\xc6\xa0\x68\x4e\x91\xb7\x41\xc8\xc9\x45\x1f\x94\x59\xb5\x98\xee\x6f\x4e\xc0\xc9\x1f\x3e\x91\x7a\xf1\xe6\x64\x6f\x3c\x54\xf8\xfa\xf0\x48\x7d\x8e\xcc\xf0\x87\xe2\x8f\x87\x68\xf4\x8a\xe1\x5d\x09\x89\x04\xb3\x25\x42\x85\x70\x2e\x30\x8a\x93\x7d\x5e\x23\xa2\xae\xf3\xc2\x53\x12\x51\x6c\x50\x2d\x5e\x02\x33\x06\x52\x29\xee\x4a\x70\xdb\xc4\x14\x60\x4b\x7f\x05\x5e\xb7\xa2\x72\x48\x03\xe8\x5e\x5b\x4c\xd0\x5a\xf7\x11\xed\x73\x0f\xce\xb8\x1b\xca\xe1\x7a\x49\x67\xaa\x6c\xcf\xf3\xc0\xf4\x96\x6b\x7f\xf3\xd1\x5f\x09\x3e\x94\xeb\x0a\x46\xb7\x0c\x0f\xa5\xb8\x62\x8c\xac\x3c\x31\x01\x9b\xba\x60\x02\x41\x6f\xc6\x66\x1d\x85\x8f\xff\x16\xa9\x62\x15\xb1\xd1\x8a\x87\x7d\x9a\x53\x4a\xc4\x02\x56\xa3\x55\x79\x31\xad\xe2\x7f\x58\x7c\xce\x26\xa2\x0c\x01\x3d\xc6\x7f\x2e\x92\x2a\x52\x68\x9a\xae\xfa\x1b\x06\x4d\x03\xf8\xf6\xa3\x9f\x96\xb0\xde\x1d\x21\x39\x4c\xb6\xc2\x30\x10\xeb\x9e\x4a\x79\x41\x47\x35\xed\x99\x65\x42\x5f\x8a\x01\x00\x84\x96\xdb\xad\x04\x97\xfa\x0d\x65\xac\xec\x59\xff\xa6\xa2\x80\xbc\x58\xe2\xd8\x87\xa1\x0e\x96\x65\xea\xeb\x97\x43\x6e\xbd\xeb\x2b\x58\xa9\xae\x40\xe4\x49\x27\x32\x46\xfd\x99\x67\x53\x9f\x21\x2e\xd8\x96\x9b\x6f\x9a\x49\xd6\x5b\xca\xd2\xdd\x9d\x8e\xe4\x2e\x32\x05\x74\x11\x17\xe4\x31\xd4\x43\xff\x3e\x94\xc4\x7e\x7f\xd6\x27\xd3\x05\x11\xd5\xfb\xce\xc6\xa7\x58\x38\x3d\x31\x36\x7a\xca\x8e\x3a\xf7\x72\xa1\x02\x11\x05\xab\x2c\x1b\x4a\xa7\x61\x4d\xea\x8c\xfa\x4b\x06\xf5\x3a\xf3\x73\x77\x98\x62\xc9\xbd\xb7\x6e\xf9\x3c\x74\x61\x8e\xee\x73\x47\xa
0\x74\xd4\xf7\x1a\x98\x23\x3b\x24\xb2\xa2\x57\x29\xc9\xa1\x98\x3d\x81\x9c\x3f\x42\xd3\x28\xd0\x8f\x0d\x4d\xd1\x64\x2f\x61\xb6\x2a\x89\xfc\x30\x0f\x50\x66\xd8\xe4\x57\xf5\xfd\x49\xda\xa7\x9e\x1b\x1d\x43\xd2\x6f\x89\xf2\xca\x99\x04\x50\xe8\x60\xbc\xc4\x7d\x5c\xf4\x77\x8c\x37\xc4\x51\xed\x22\xd6\x0f\xe2\xbc\xfa\x2c\xaf\xf7\x5c\x41\x70\x99\x0a\x2e\x8e\x21\x87\x19\x7f\x86\x38\xb0\x67\x85\x4c\xcf\x9d\xbe\x91\x58\x6d\xd4\x23\x41\x40\x1c\x4f\xb4\xf3\x13\x30\x66\x8a\xcb\x51\x6e\xba\x22\x27\xcb\xca\x4c\x8f\xa2\xf3\x9a\x03\x52\x1b\xd8\x03\x2f\x5e\x1a\xed\xf4\x9c\x50\xe6\x01\xb9\xfa\xd4\xe0\xd6\xf5\xb5\x93\x2e\xa2\x14\xfd\x50\x84\x85\x70\x3d\x08\x45\x79\x8d\x43\xbd\xbf\xf9\x63\x86\x77\xe6\xa9\x96\xef\xbb\xd1\x93\x6e\x97\x28\x20\x62\x70\x9f\x77\x8b\x45\x5c\xb4\xd2\x00\x13\xf5\xfe\x4c\x9b\xba\x0f\x7c\xfc\x18\x02\xe8\x18\x0f\xb6\xd4\x6f\x51\x76\xd1\xbd\xbb\x43\xd9\x60\xd4\x94\xf3\xa3\x0e\xd7\xab\x4d\xb0\x7d\xe5\xad\x92\x4b\x57\x97\xb5\x09\xf9\x60\x83\xf4\xad\xa9\xfc\xeb\xed\xe1\xeb\x0f\xb0\xdf\xa2\xcd\xc2\x14\x4b\x15\xcf\x4c\x28\x0f\x87\xd1\x18\x7e\x80\x8e\x37\xcd\xef\x53\x75\x52\xe3\x83\xf4\x6c\xcf\xe8\x62\x15\xb2\x07\x15\x39\x85\xe6\xb1\x31\x96\x22\x1f\xde\xa6\xc9\x47\x86\x4d\x12\x14\x7d\x7b\x01\xef\xc3\xdf\x14\x4e\x2c\xaa\x24\xd1\xa4\x78\x2a\x51\xa8\x23\x5c\x4c\x0e\xad\xf0\x44\x0c\x8e\x43\x4a\x4d\x07\x2b\xe5\x84\x55\x47\x17\x5f\x37\xc5\x5f\xdd\xd5\xe7\x84\x95\xac\xe4\x34\xc4\x83\xf2\x8b\xb3\x48\x7a\xd8\xd6\x8b\xd7\x43\x77\xfd\x82\xe1\x7b\xaf\xeb\x06\x2b\x81\xc6\x8e\x8a\x63\x89\xc8\xd8\x10\x79\xe4\xc9\xfa\xa2\xa8\xfc\xf1\x24\x15\xcc\x21\xeb\xcd\x92\xde\x80\x88\x45\x50\x59\x4c\xa6\x4b\x56\xb0\xb4\x24\xa6\x5f\x80\xca\xb1\x64\xb2\xf6\xf2\xf3\x3c\x7a\xea\xa8\xb6\x60\x2e\x71\x83\xb9\xd0\xae\x15\x3a\x17\x03\xb3\x03\x67\x5a\xae\x13\x3b\x3d\xd9\xc6\x46\x67\x7f\x6d\x8a\x49\x2d\xa0\x99\xef\xb4\xa7\xe4\xde\xe3\x92\x81\x8a\x15\xd6\xbf\x9e\xfb\x07\xee\xad\x5b\x40\xac\x25\xbb\x0f\x00\x92\xf4\xb0\xec\xaf\x0a\xc3\x39\x1b\x3e\xcf\xd0\x63\x5e\xc4\x96\xb8\xb6\x6d\x7a\x45\x1c\x6d\x10\x37\x9c\x15\x2
9\x1c\x4f\x36\x82\xf0\x5f\xb7\x39\x44\xcd\x1b\xe0\xf0\xfa\x85\x54\x35\x8b\x30\xde\xb7\x38\x69\x31\xae\x95\xeb\x2a\x16\xfa\xed\x24\x5f\xfc\xad\xb3\x94\xac\xdf\x06\x38\xa6\x26\x27\x82\x33\x01\x93\x66\xe2\xec\xd9\xdb\x1a\x4b\x5a\xe2\x7f\xf8\x3d\x7b\x57\x1c\xd7\xff\xc1\x51\xdc\x4d\x0c\xef\x1d\x03\x00\xc9\x8a\x41\x69\x77\x51\x85\x1f\x8e\x05\x24\x9c\xae\x19\x96\x3f\x81\x25\x89\xa7\xd6\x4c\xfa\xb8\x46\x43\x9f\x47\x13\x43\xba\x5e\xff\xac\x9a\x57\xf7\x6d\x0a\xbf\xb9\x5e\x87\x8b\xee\x4c\x94\x24\xf0\xca\x17\x18\x19\x5e\xff\x14\x06\x0a\xcf\xb3\xe0\xdf\x4c\xbc\x56\x0b\xc2\xbe\x9a\xb4\xf0\xa0\xbd\x68\x6f\xe2\x13\xd4\x49\x47\x17\x0e\x68\xe7\x3b\xaa\xdd\x98\x2c\xe2\xd1\x70\xa5\x0d\x1e\xca\x02\x40\xcd\x3c\xec\xe9\xf7\x4d\xa3\xa1\xc1\x47\x6f\xf1\x1f\xa3\x34\xd7\x2c\x18\x50\x6b\x5c\x00\xa4\x41\xea\x2e\x9c\x72\xc7\x6b\x38\x50\x37\xf8\x6c\xa5\x94\xaa\xad\xe9\x87\xa7\x9b\xbd\x3e\x3c\x40\xd0\x00\x7a\x7f\xf8\x52\x99\x05\xb9\x4c\x54\x61\x65\x62\x92\x95\x0b\x41\xc8\x34\x43\xdc\x84\xd6\xfd\xf5\x2e\x44\x97\xed\x68\x04\x98\x1a\xf1\x33\x85\x64\x92\x00\xd8\x93\x09\x3b\xf2\xea\x82\x25\xb3\x89\xc4\xdf\xd2\xe8\x15\xb3\xbd\xf9\xd7\x08\x4d\x29\x00\x9e\xae\x4e\x88\x22\xa5\xb6\xa5\x2a\xa7\x6a\xfd\x95\x1d\x04\xaf\xa8\xe1\x28\x63\x96\xa8\x34\xdc\xf8\xc6\xb5\x7c\xc4\xef\xbc\x0c\x16\x77\x9d\x53\xf0\xbc\xd7\x40\x43\xc0\x6e\xce\xbe\x59\x32\x8d\xcc\xa8\xbb\x61\x05\xaf\x23\x56\x59\x06\xe5\x46\x6c\x73\x11\xb1\xaa\xc6\x76\x2e\x4b\x62\x60\x36\xfe\x31\xd3\xe7\xb0\xfa\x2e\x65\x8c\xa9\x35\x10\x78\xee\xca\x7b\x46\x7e\x11\x8e\x9b\x88\x95\x9d\xe1\xf4\x18\x69\x40\x5a\x83\xbd\xc6\xce\x98\x0c\x72\x9f\x7e\x2a\x46\x0f\xa9\xbe\xe1\x61\xe5\x4d\x27\x1a\x87\x4b\xb4\xd0\xa2\x2c\xd1\xa4\x37\x6d\xe3\x6b\x58\x68\xca\x0e\x10\x93\x3e\x5f\xe2\xf7\x38\x5c\x1a\xf6\x2b\x86\xf8\xe5\xc3\x12\x66\x26\xb8\xbc\x6d\x56\x8f\x62\x1d\xa3\x23\x70\x7e\xa3\x32\xd7\x65\x44\x39\xfb\xa4\x67\x1d\x0c\xae\xb7\xef\x94\xe2\x5a\x82\x86\xbd\x9a\x19\xa2\x9e\x49\x32\xc7\xdb\x9b\x82\x34\x7d\xa5\x24\x92\xb3\x81\x4a\x44\xb9\x2f\x61\x55\x9c\x22\x65\x4c\x8b\x30\x1a\x8
d\xfe\x9d\xae\xae\x0c\xad\xe9\x46\xc0\x66\x6e\x94\xc4\xa6\x35\x3b\xb0\xeb\x21\x37\xd3\x68\x53\xad\x4f\x7a\x20\xa5\x08\x1e\x63\xaf\xee\xce\x20\x3f\xa6\xee\xea\x7f\x62\x9d\x00\x1d\xab\xaf\x5b\x1a\x3c\x67\x61\x51\x7b\xc9\x9a\x8e\x63\xf6\x6c\x01\x88\x49\x27\xb4\xbc\x40\xbc\x34\x19\x0c\x9e\x55\x3c\x69\x0f\xbc\x64\x44\xdd\x8b\xba\x65\x68\x74\xfa\x80\x46\x31\xb5\x6d\x24\x54\x1a\x9b\xd6\xfb\x77\xdb\x49\x03\x76\x9f\x9d\x04\x44\xd0\x8a\x21\xff\x59\xd9\x49\x65\x9d\x80\xb1\x40\x2d\x91\x9a\xc0\xfb\x83\x80\xed\x91\x15\xb6\x69\x3c\x19\x5f\x8f\x1a\x90\xa3\xa4\x22\x35\xd8\xea\x78\x2e\xda\x2b\xf1\x94\xd3\x2f\xbc\xc5\x63\x27\x1a\xfd\xa7\x3d\x70\x96\xa2\xe9\xe4\x67\x54\x1e\x76\x67\xc2\x67\xc5\x95\xe1\x23\x37\x29\x75\x26\x77\x68\xb8\xd1\x6c\xb6\x13\x0e\xae\xbf\x69\x8b\xe7\x6e\xef\xab\xbe\xac\xd5\x9f\x63\x1c\xc1\x04\xf0\x42\x26\x3e\x3e\x29\x62\x59\x79\x69\x72\x1a\x6c\x02\x2a\xba\x14\x11\x2e\x2f\x38\x02\xba\x63\x53\x91\xcd\x1f\x94\x32\x35\x25\xc8\x16\xef\xa9\xe8\x65\x52\x39\x9e\x79\x66\x5f\xf5\x54\xf5\x86\x75\x4f\x72\xd5\x3a\x0d\x94\x75\xc6\x55\x94\x8b\xd1\x3e\xc9\x3d\xd8\xcc\x43\xe5\xb8\x13\xeb\xfe\xa4\xab\xcd\x78\x0e\xed\xb6\x82\xac\x4f\x66\xe1\x68\x47\xf7\x82\x1f\xdc\x40\xda\x07\x3f\x7f\xc5\x9f\xe5\x7c\xa6\xad\x5f\x4d\xdd\x8a\x41\xe8\xaa\xdf\x3e\x21\x78\xcf\x42\x95\xc8\x59\x99\xe2\xc2\xd8\x24\xa0\x8e\xbb\x9a\x9b\x09\xe2\xef\xbf\x9b\x8d\x03\x73\x09\x1e\xa6\x1e\xc6\xaf\x17\xdf\x1e\x71\xac\xeb\x40\x3a\x41\xd3\xba\xfe\xfc\x56\xdc\xff\x18\x60\x23\xe9\xf2\x89\xe6\x1b\x74\x69\x04\xb3\xce\x34\x86\x9b\x53\x27\xc9\x24\xa2\x73\x36\xb2\x16\xd2\x20\x6e\xeb\xa9\xb1\xdf\xdc\xe0\x22\xe3\xa1\x3a\x26\x17\x38\x7f\xb3\xff\x5a\x1d\x0f\x38\xfb\xb9\x06\x3b\xcb\x69\xb5\xe3\x3e\xe4\x57\xef\xe0\x51\xdf\x45\x34\x62\xb7\x18\xd7\xd5\xe7\x80\x31\x04\x71\xa7\x3d\x99\xe2\xeb\x1e\x23\x23\x6c\x74\xb9\x37\x7c\x3e\x0e\xbb\x93\xea\x7a\x6a\x7b\x32\x2c\x42\x59\x10\x20\x9f\x89\x18\x41\xd6\x5c\xb8\xdb\x3b\x2b\x0d\x51\xd2\x7c\xde\x0c\xa1\x85\xbd\x3b\xf1\xf4\x02\xff\x10\xfc\x61\x1b\x93\xfa\x6f\x94\xeb\xf6\x07\x9a\xc6\xd5\xf3\x0
f\xf8\x66\xa4\xdb\xf3\x07\x29\xfc\x3c\xd0\x03\xed\x9e\xee\x6e\x1c\x92\x31\x9a\x8c\x62\x69\xe1\xa7\xdb\xa0\x49\x1d\x27\xb3\x26\x38\x8b\xc3\x2d\x58\xbf\x68\x5e\xc4\x29\xa8\xca\x7a\x12\xb6\x60\x18\x23\x08\x71\x0b\x5a\xa6\x1d\xce\x0a\x14\x3f\xad\x3b\xbc\x1a\x81\xa8\xf8\x14\xee\x37\xb4\x34\xc7\xd7\x29\x33\x1c\xe7\xf7\x2d\xdf\x31\xdc\xa7\x19\xbd\xfa\x04\xc0\x3a\xec\xeb\x4c\x64\x0c\x1c\xdd\xd0\xf0\x11\x37\xbd\x6e\x2f\x7a\xef\xb5\x1b\x02\x10\xb8\xcd\xb2\xcc\xb0\xf5\xd7\x45\x8d\x05\x71\x92\x76\x75\xf1\xbe\xdb\x36\xd0\xbf\x30\xac\x68\xdb\x43\x8f\xfb\xa7\x4a\xca\x62\x37\x25\xf2\x75\x22\x70\x1b\xb6\xc5\xca\x41\x4d\x23\x91\xcd\x53\x3a\x82\xc0\x66\x72\x4c\x6d\x3f\xd6\x8f\xe4\x2a\x83\x4d\xcc\xf5\xbf\x70\x34\x74\x29\xad\x8e\x38\x22\x15\xf7\x2f\xad\x93\x6e\xf9\x49\xbf\x64\xda\xd1\x25\x77\xea\xd0\xdc\x6c\xf2\x71\xbe\x7c\xa8\xe0\xba\xab\xb4\x39\x7f\xf0\x63\xf3\xae\x8e\x74\x12\x10\xc6\xa3\xab\x3b\x44\x2b\xa8\xfb\x16\xf2\x28\xc5\xda\xfe\xb1\xb4\x40\x82\x7d\xef\xbc\x48\xf5\xcb\xce\xb2\x74\x07\x55\xc9\x85\xd0\x60\xe8\x2c\x86\xc7\x32\xbb\xd5\x60\x88\x35\x91\xa1\xac\x05\x82\x99\xf1\x7f\x2e\x2a\x12\x85\x60\x28\x0b\xa0\x89\xe8\x4c\x34\x65\x45\x2a\x65\x07\xa6\x3f\x88\x49\x44\xa8\x3a\x21\xd2\x6c\x8e\x49\x8f\xf5\xdb\xd4\x89\xc6\x9c\xa7\x85\x32\x49\x01\x8e\x9d\x03\x52\x0b\x23\xf4\x7b\x29\x7b\x85\x26\x32\x2b\x1f\x6b\xd5\x4d\x06\x0c\xce\xa3\x01\xcc\x8a\x3a\x15\xda\x2d\x39\xb6\x4e\xa4\xdd\xb0\x3c\x7b\x6c\xba\x60\x5e\x8d\xd4\x86\xd1\x2d\x8f\x0c\x6c\xd9\xfb\x47\x81\x61\x12\xba\xa0\xa7\xae\x0e\xba\x4f\x0f\x89\xb2\x14\x32\x03\xa1\x19\xa6\xbb\x85\x45\xc1\xba\x66\x78\x84\x95\xf4\xe7\xda\xd9\x6d\xf8\x11\x9b\x1c\x11\xd7\xff\xb0\x71\x07\xc0\xc0\x35\xa8\x06\x97\xa8\xed\x78\x0d\x9c\x55\x61\x92\x93\x85\x08\x5f\x0a\xa7\xbc\x74\x8f\x2b\x5e\x23\x4e\x21\x0c\xe7\x77\x22\xc5\x4e\x80\xb8\x86\xc0\xd6\x14\x65\x8f\xfa\x23\x40\x8c\xac\xa9\xcf\x01\x38\x69\xef\x66\x29\xf8\x46\x16\x40\xda\xea\x86\x9a\xd4\xc3\x65\x53\x0d\xe5\x27\x81\x5c\xaf\xee\x31\x4f\x8c\xa7\xb9\x87\x95\x22\xc4\x26\x29\xe3\xe7\x12\x96\xe5\xf6\x0a\x84\xdb\x3
9\xd5\xc9\x00\x00\x16\xea\x33\xf4\x81\xd8\x0c\xcb\x80\xf0\x85\xd5\xed\x3f\x70\x0b\xad\xc3\xb4\xb7\xd8\x0d\xd8\xa7\x78\xf0\x38\x17\xa1\x0d\x67\x89\x2d\x36\x87\x0a\x98\xbd\xc7\x0c\xfd\xa4\x83\x4c\x78\x15\x42\x1f\xc9\x72\x74\x01\xbd\x4f\x81\x11\xbb\xba\x76\x86\x02\x4b\x42\x72\xf5\xa6\x8a\x66\x51\x94\xaf\xc4\xf1\xa9\xf8\x57\xaf\x27\x0e\x30\x22\xc1\x8d\xfc\x18\xf6\x7b\x39\x77\xe6\x41\xc6\x25\x8f\x00\xc1\x43\x0e\xa7\x95\x78\xf4\xdc\x82\xa0\xba\xb5\x21\x40\xdf\x4b\xe0\xad\xb3\x29\x19\x5a\x29\x7d\xf0\xbe\x6e\x12\x34\x97\x70\xb4\x47\x7a\x44\x65\xa8\x14\x39\xf2\x2b\x6b\xdc\x67\x7a\xb8\x6d\x4e\xdb\xbd\xfc\x7d\xb3\xcf\x06\xd4\xa9\x4d\x33\xc6\xc1\x1f\xa1\x63\xfe\xfb\x1a\x87\xa9\xb5\x2c\x1c\xc4\x09\xeb\xed\xe7\x26\x3c\x88\x97\x5e\xdb\x23\x7f\xa0\x1b\x58\x3f\x79\xfc\x7a\x4f\x8e\x8a\xc8\x9a\xf7\x93\x08\xd9\x9b\x47\x3c\xf3\x3f\x33\x44\xa4\xe5\x52\x3f\x3e\x35\xd3\x88\xd1\x8e\xe1\x18\x5c\xaa\x19\x18\xd2\x3a\xae\x41\x93\xae\xdf\xe1\x25\x04\x2e\x16\xd5\x71\x86\x52\x61\xdd\x63\xbf\x0c\x9d\xd8\x48\x5f\xa6\x4e\x24\x10\xa2\x6a\x43\x6c\x83\xc9\xe3\x45\x56\xf3\x7c\x1d\x69\xd2\xfd\x57\x42\x78\xc4\xb2\xc8\xba\xf3\x83\x4e\xe2\xe0\xf3\x64\xb5\x4c\x36\x78\x0f\x28\xa8\xeb\xe5\x6e\x1d\x9e\x1c\xbd\xfd\x77\x3c\xe8\xaa\xcd\xef\xda\x09\xf4\x0d\xff\xd8\x47\xaa\xdf\x67\xc4\x44\x71\x00\x8c\xee\x07\x76\xfb\x06\x89\x54\x30\x8f\x16\x20\x3d\x01\x7b\x29\x0c\xd1\xad\x9e\x4c\xdc\x49\xf3\x26\x35\x28\x07\x56\x0d\xdd\xa4\x90\xc0\x5c\x6d\x5e\x04\xf1\x94\x00\x83\xaa\xba\x83\xe0\x29\x37\x0f\xd7\x6e\x77\x57\xc7\x3c\x05\x43\xdd\xff\x26\xc3\xa3\x07\x62\xe2\xc9\xc5\x56\xaa\x28\x2c\x7f\x46\xf3\xdd\x8e\x20\x01\x68\x05\x3a\x03\x17\x4c\x56\x69\xdc\x43\x90\x0a\x39\x41\x7c\x9d\xff\x8e\xd3\xf1\x0e\xb0\x7c\x47\x0a\x52\x2e\xc8\x20\x71\x2f\xf8\x82\x59\xcf\x7f\x5e\xe5\x2c\xf4\xee\x69\x0b\xca\xbd\x88\x76\x3f\x66\x32\x9f\x37\x25\xa4\x36\xca\x19\x38\xd4\xda\x48\xde\xdf\xfe\xa8\x2d\xc5\x4a\x2a\x0a\x5c\xfb\x64\xc3\xe2\x78\xf4\x1b\x93\x3c\xef\xeb\x02\xf9\x82\x53\x2e\x98\x67\x72\x41\xd7\xec\x2f\x8d\x14\x27\xda\x17\x11\x91\x9d\x67\x2e\x95\x1
b\x6d\x1c\xd8\xf2\xc0\x20\x3f\xed\xd5\x21\xf7\x5a\x22\x9d\x99\x67\x13\x35\x81\x36\xd8\xb4\xeb\x79\x71\x34\xfe\xc8\x74\xe3\xd3\x8a\x01\xcb\x82\xa8\x7c\x8c\x21\x1e\x64\x29\xef\xe6\x77\x17\x3a\xab\x0a\x0f\xb9\xf5\x58\xf4\xb0\x6f\x77\x05\xbc\xd1\x77\xec\x1d\xd8\x0d\x04\x45\xb5\x44\x8e\x7d\xc2\x94\x53\x8a\xae\xcc\x59\x61\x0d\xbe\x6f\x2b\x3b\x16\xb2\x75\xc1\x8d\x33\xa7\x8f\x0c\x1d\xcb\xb0\x7e\x13\x76\x28\xb6\x22\xf8\x85\xae\xe8\x0b\x82\x68\x4c\xdd\x5f\xde\x5a\x29\xaa\xdf\x63\xd8\x5e\x95\x15\x96\x49\xad\xce\x0f\x9e\x57\xb5\x3b\x82\xc7\x5b\x87\xa1\x27\x47\xef\x0f\x84\xbe\x50\x69\x3c\xca\xe7\x98\xe3\x8a\xaf\x05\x06\x66\x16\x3e\x6b\xed\x48\xf5\xf1\xba\xf4\x9a\xde\xa2\x12\x23\xbf\xb0\x89\x19\x98\x98\xdc\xd2\xe9\x1b\x70\x8b\xd6\x2b\x61\xf1\x38\xcc\x48\xbe\xd8\x8b\x77\x2d\x14\xbc\xc5\x39\x68\xaa\x32\xfa\x3f\x11\x45\x84\x75\x2d\xb5\x32\x78\xb2\x5f\x36\x7d\x52\xc2\x07\xec\x54\x59\x66\x83\x82\xaa\xc7\xeb\xfd\xf3\xa2\x07\x5c\xef\x67\x9b\xd7\x7e\xc1\x7a\x11\x43\xde\x08\x47\x20\x08\x54\x86\x68\x5a\xc8\x69\x73\x3b\xc0\x7d\x74\x24\x6f\xbf\x8a\xbb\x36\x62\xbe\x75\x0d\xdd\xd3\xb1\x3e\xcb\x2d\x91\x35\xf5\xc6\x8d\x1f\xdd\xe5\x49\xd9\xc2\x09\x1d\x96\xaa\x35\xf8\x43\x36\xb4\x21\x51\x31\xf3\x64\x76\xec\x84\x8d\x53\x3d\x7d\xca\x1e\x0a\xa4\x1e\xef\xb8\x80\x60\x52\xa8\xcd\xd5\x38\xb7\x55\x70\x7f\x93\xe0\x48\xd7\x71\x50\x5b\x88\x90\xd8\xf6\x80\xb8\x80\xcc\xb8\xee\x29\x49\xe3\x5a\x63\xee\x48\xe7\xb4\x67\x12\x8b\x65\xff\xe6\x06\xce\xd2\x8a\x3b\xc3\x17\x2b\xd0\x9f\x2b\x58\xef\x63\x22\xa3\xfa\x31\xe0\xfa\xb3\x7a\x3a\xfe\x72\x9a\xd4\x3d\x5c\xd0\x2b\x42\xbe\x4d\x8e\x60\x2b\x99\x51\x6d\xbd\xbd\x81\x2e\x1b\xec\xae\xba\x14\xb2\xb2\xbf\xaf\x05\x55\x90\x02\x51\xe3\x1d\x83\x97\x98\x14\x1b\x32\xab\xdc\x55\x8b\x3b\xf3\x0e\xdc\x11\x45\xf5\x41\x79\x85\x07\xda\x32\x9c\x5a\xcc\x1f\xf5\x6d\x4f\xd5\xf6\xe1\x8c\x02\x08\x12\x22\xc6\x98\xb3\xd0\xf2\xb1\x95\x39\xa7\xc2\xc9\x1f\x78\xb1\xbe\x76\x48\x19\x91\xe2\x41\xd2\xae\x88\x9d\x4c\xb1\x33\xf9\x0f\x77\xd9\x22\xd9\x84\xb5\xa5\xd1\xb2\xaa\x03\x8f\xb0\x01\xf0\xba\xc8\x8c\x1
4\xa3\x6f\x62\x29\x6a\xb3\x24\xd5\x2b\x57\x54\xd4\xe8\x42\x88\x9d\xa6\x54\x14\x3b\x4b\xd7\x19\xf0\x82\xcb\xcf\xa2\xec\x90\x31\xb9\xb4\xb8\xbb\x8e\xf4\x6b\xc3\xff\xa5\x2d\x35\x38\x5b\xf2\x7e\x3c\xcd\x86\x10\x84\x81\xff\x66\x40\xe8\xb0\xe3\x09\xd2\x8b\x14\x94\x20\xf9\x5e\xb9\xaf\xa0\xf6\xe1\x88\xb7\x00\x5f\x42\x12\x25\x38\x5b\xde\xa3\x82\x5a\xd5\xfb\xfc\x6d\x9f\x29\x97\x47\x6b\xc3\x6e\x5d\xfe\x4b\x68\x6d\x1a\x2d\x40\x25\x16\xd4\xee\xe9\x90\xe1\xea\x6a\x23\x48\x38\x10\x3f\x42\xd7\x05\xab\xf3\x78\x35\x67\x3c\xa7\x86\x75\xb5\x35\x4c\x2a\x99\x13\x0e\x2b\x7a\x64\xee\x26\xa2\xad\x6c\x1c\xd2\xde\x64\xed\x59\x12\xeb\x77\x08\xdb\x3a\xfb\xb4\xa6\x83\x10\x9b\x10\x57\x29\x8f\x35\x6e\x4c\xf4\xfa\xb2\x00\xca\xf7\x40\x3c\x71\x9a\xa8\x1a\xb0\x1d\x3d\x7f\x91\x55\x07\x3f\x56\x49\x5e\x51\x16\x19\x6e\x9a\x9d\xe8\x2f\x10\xa5\xc0\x8d\xfb\x2f\x91\x54\x94\xdf\x7a\x07\x00\xef\xb7\x22\xd3\x41\x6a\x5d\x32\xbc\x02\x29\x71\x11\x65\x08\x47\xde\xe6\x76\xd2\x68\x77\x2d\xec\x41\x3d\xa3\xa1\x32\x09\x89\xc1\xbe\x0d\x5c\x9c\x1b\x6f\xc4\xf7\x0f\xbd\xad\x88\x8a\xbb\x0b\xe8\xf1\x16\xf0\xd7\xa6\xf3\xab\xaf\x63\x6b\xb6\xb6\x92\x22\xda\xf4\xcc\xbd\x6d\x07\x29\x3d\xef\x59\xcd\x5e\xc9\x08\x45\x4d\x07\x94\x95\xf2\x7b\xfa\xf9\xe4\x5f\xb2\xc9\x99\x64\xe6\xb2\xfb\xa0\x3a\xf0\x38\x2d\x5b\x60\xad\xeb\xbb\x28\xfb\x8f\x8f\x8e\xfd\xd8\xda\x65\xea\xc2\x93\x77\xcf\x07\xc6\x2e\x1b\xf1\x0f\x61\xfa\x91\x2e\x62\x71\xf2\xcb\x95\x09\xa7\x63\x1b\x7a\xbe\xc3\x39\x6b\xeb\xce\x10\xbc\x79\xe2\xc4\x99\x56\xd1\x27\xf9\xd0\x1b\x73\x58\x45\x40\xcb\x6c\x0b\x52\xa7\x09\xe3\xaf\x1d\x00\xc8\x4f\x6d\x22\xfb\x19\x5d\xd8\x82\x3a\xa3\x36\xaf\xea\x89\x8e\xd8\x7a\xda\x2b\x22\xd1\xb8\xec\x50\x8c\xf6\x98\x6e\x93\x45\x92\x65\xed\x7c\x25\x87\x32\xc2\x91\xca\x41\xe7\x87\x6f\x1b\x43\x8b\x17\xd3\x6c\x24\xa0\x2f\x20\x0f\xee\xee\x18\xac\xe8\xdc\x4a\xad\x51\xa4\x2b\xb9\x81\x5d\x82\xc2\xa9\xa3\x7f\x77\x5c\xd6\x12\xe0\x84\x22\x69\x42\xea\x0d\xc6\xf5\xd8\x92\x33\x49\xbb\xbe\xdc\x2a\x45\xcf\xcf\xdd\xed\xa2\xd5\x2d\x14\xf2\xff\x83\x29\xaa\xc0\x1d\x2e\xc3\xc3\x7
f\x23\xc5\xc9\x0d\x02\x62\x80\x23\x8c\xe0\x9e\x00\xec\xa9\xf6\xc3\x0b\xda\xa5\xdc\x91\xf4\x34\x2f\x8a\xf6\xa3\xec\x13\x39\xc4\x7d\xca\xe8\xf9\x36\x0c\x32\x50\x2b\xfa\x86\xe1\xff\xc5\x82\xd5\x88\x8f\x29\xca\xc3\x9e\xf9\x0a\x31\x50\x11\x1f\x66\x11\x99\xfa\xf7\xe2\x41\x3b\x57\xbb\x9a\x72\xaa\xa2\xd5\xfa\xe3\x2b\x46\x28\x84\xa9\x28\xd8\x3c\xea\x60\x55\x70\x25\xc5\xde\x01\x80\x44\x34\x5f\xb0\x83\xde\xf4\x9b\xc3\x83\x31\x98\x94\xda\xd2\x8b\x53\x39\xcb\xad\xb6\x03\x8d\xc8\x47\x9f\x7e\x4b\x2f\x01\xc1\xce\xd3\xff\x85\x42\x05\xbe\x93\x88\x48\x85\xb1\x29\x87\x8b\xdb\xb1\x8c\xaa\x68\xc3\x09\x40\x71\x9a\x40\x8a\x03\xfc\x61\xeb\xea\x87\xd9\xd3\xef\x21\x62\x59\x45\x89\x65\x44\x75\xc2\xc3\x7e\xaa\x87\x37\x33\x8a\xcc\x18\xb3\x41\xa3\x51\xec\x39\xaa\x94\xcb\xa1\x71\x09\x6f\xd7\xfb\x83\x2e\x30\x31\xf4\xd8\x2f\xf2\x32\x8a\xa1\x89\x62\x3c\xd9\x3f\xce\x6f\x45\x25\xc2\xdd\x01\x3d\xc9\xc7\xb4\xd1\x9a\xdd\x3b\xf9\xc3\x34\x88\x6e\x9d\x1c\xb4\xdf\x99\x7d\x99\x56\x3a\x57\xb6\x6d\x83\x21\xd4\x21\x52\xf7\x21\x70\x5d\x6c\x48\x46\x18\xad\x33\xcb\x46\xb5\xc1\xa4\x1c\xcd\x39\x7e\xde\x50\x43\x2d\xc9\xd4\x1a\xa8\xb2\xfb\x37\x5a\xf7\x5d\x33\x23\x56\xd7\xdf\x3d\x5d\x43\x9f\xde\xbc\xf8\xe2\x5b\x22\x49\x3c\x6f\xe1\x40\x01\x3e\x29\x52\x32\x18\x67\xd1\x29\x47\xb1\xf2\xdd\x27\x2a\x17\x36\x94\xa5\xfd\xdd\x88\x7f\xe1\xec\x96\xdf\x64\x67\x63\x0d\x14\x49\xd7\x23\xff\x02\x3e\xc1\x27\xb1\x2a\x24\x11\xa0\x96\xe3\x12\x9e\x84\x5d\x50\xb1\x46\x68\x36\x35\xd8\x05\xcf\x19\x67\x35\x82\x8c\x8a\x0a\x00\x40\x47\xa1\x9a\xcf\xcc\x41\xb6\x2f\xe0\xfb\xff\x91\x88\x1e\x76\x13\xbf\x7a\x73\x71\x95\xf1\x85\x8e\xd7\x19\x8d\xca\xca\x13\x21\x06\x19\xd7\xf7\x39\x8d\x81\x2d\xe4\x63\xf2\x21\xf0\xc2\x64\x87\x4a\xa3\xb3\x41\x6d\xcd\xfa\xed\x76\xbf\x25\x5d\x7a\x7a\x15\xd6\xac\xc9\x86\x4d\x1b\xd9\x00\x35\x4b\x3b\xf0\xdf\x70\xba\xe9\x32\xc4\xb8\x2e\x8a\xa6\x0d\x39\x5b\x93\x9c\xc6\x0f\x89\x64\xab\x75\x5b\xa5\x0b\x40\xa7\x13\xf6\x8d\x2e\x00\x1a\x2b\x5a\xbc\xfd\xbb\x82\x1a\x0a\x3a\x7a\x97\xcd\xcc\xc0\xb0\x5b\xca\x8f\x03\x3f\xbc\xd9\x54\x56\x9c\xb
7\xc3\x12\xd4\xcb\x9e\x69\x27\x56\x13\x30\x66\x79\x88\x25\x70\x72\x61\x18\xeb\x66\xb4\xb6\xf0\xd2\x36\xc3\x3e\x35\x65\x8e\xd8\x7f\x02\x8c\xa4\x3c\x55\xc2\x69\x68\x17\x9a\xed\x75\x49\xc8\xc2\xe9\x26\x72\xa4\x45\x10\x6d\x04\x29\x84\x69\x17\xc5\xfc\x60\x7f\xa2\x85\xdb\x9a\xa6\x12\x81\xc1\xc5\x24\xa7\x6b\x3d\x40\xde\x5d\xa9\xbc\x7a\xfb\xae\x9c\x03\x55\x5d\x05\x63\x83\xea\x7f\x5e\xac\xf5\xde\x95\x63\x8e\x11\x24\x2a\x42\x0c\x9a\xa3\x22\xc8\x08\xcf\x2a\x14\xab\x47\x9d\x81\x35\xe4\xff\x48\x7b\x21\x5c\x8c\xec\x44\xc7\x29\x0d\x34\x59\x10\x0b\x21\x96\xc5\x4e\x88\xca\x28\x41\xd8\xa6\x01\x1c\x6d\xb1\xb5\xc2\xfb\xc5\x13\x5d\xa6\x05\x3d\x89\x3d\x11\x6b\x9f\x23\xd5\xa0\xf7\x7f\x9f\x64\xc5\x0a\x04\x48\x55\x2f\xb3\xd4\x00\x2c\xcf\xb9\x5e\xd5\x4c\x37\xea\xe9\x31\x73\x7b\xf0\x2b\xcd\x22\x6b\x13\x3b\x9d\x27\xde\xbf\xae\x74\x87\x30\xa8\x7b\xe8\xdf\x5c\x31\xcd\xdf\x16\xc2\x6b\xc3\xf3\xb4\xdf\x7a\xbc\xbc\x52\xed\xad\xb7\xa7\xc2\x9e\x87\xdd\x5d\x63\x30\xb7\x61\x64\x9f\xc9\xf0\x98\xa7\xb6\xb6\x8c\xf5\xdc\xe7\x67\x66\x7e\x8b\x5a\x7c\xd4\xbb\x22\xd1\xc9\x22\x9c\x45\x51\x69\xd7\x2e\xdd\x3b\xae\x9c\x25\x1c\x07\x88\x96\x8f\x1d\x13\xaf\x8e\x47\xba\x32\x92\x3c\x66\x14\xc4\x4d\x51\x96\xfa\x80\x57\x61\xdb\xa5\x9a\x39\xb8\x93\xbf\x09\x73\xda\xbb\x97\x6e\xdf\x63\xf3\xcb\x54\x73\x2d\x43\xb9\x0e\xe7\xab\x03\x74\xe1\x0f\xd7\x22\xd5\xc3\x61\xa4\x10\x89\x31\xe8\xee\x3f\xa1\x90\x79\x3f\x90\x1b\x18\xff\x7b\x5e\xd8\xc1\x62\xb3\x7f\xfc\xb3\x9c\x6c\x0c\x08\x4c\x9c\x76\xb3\x96\x4e\x31\x35\x1f\x51\x12\xac\xcf\xe1\x6c\x62\x68\x58\x0c\xe0\xb4\x4c\xd4\xc3\x3f\x29\x21\x71\xdf\x6a\xf3\x59\x14\x22\x5c\x8b\x1a\xff\x19\x85\xce\xa0\xea\x73\x49\xa4\x3a\x51\x0d\x5f\xbf\x18\x81\xa0\x32\xf9\x6b\x1f\x58\xf4\xfa\x94\xdb\xcd\xf9\x8f\x6b\x11\x3a\x2f\x85\x1e\x76\xd4\xf1\xcf\x06\x86\xe3\xb4\x40\x57\xc3\x63\xc8\x49\xc5\x70\x06\x59\xd7\xe5\xa1\xc2\xb3\xcc\xfd\x5a\xaa\x88\x9c\x2f\x99\xa9\xb1\xc8\x31\x9c\x3c\xd3\x48\xbe\x29\xb2\xe9\xbf\xef\xbc\x28\xcb\x77\x47\x29\x95\x8c\x12\xc9\xdf\xa7\x4b\x89\x3a\x07\x74\x5a\xed\x2e\x51\x44\x72\x3c\x8
f\xc0\x50\x68\x52\xf1\x7e\x6a\x4a\x8f\x59\x9d\x2c\x4a\x1d\x7c\x0b\xa9\xd7\x7d\xb8\x41\x6e\xb1\x09\x32\xcd\xc7\x49\xcf\xa9\x98\x90\xee\x80\x17\xc0\x66\x40\x84\xf8\x64\x89\xc9\x75\x25\x52\x52\xc3\x87\x6f\x8d\xcd\x98\xc0\x0b\x73\x61\x1c\xe2\x73\x4e\x1f\xe0\xee\x5c\x0a\x0a\xbb\x0c\x50\x00\x40\x44\xf9\x3a\xd2\xff\x01\x09\xbc\xb1\x9a\x3a\x20\xf1\x86\xd6\x8e\x38\x7d\x34\xa5\xb5\x78\xc4\x25\x3c\xd9\x67\x26\x14\x80\x3b\xf9\x67\x26\xe8\xab\x00\x14\x6d\x2f\xe2\x66\xe6\x2e\x48\x65\xf5\xe7\xfe\x31\xd4\x14\x97\xe7\x19\x51\x22\xfc\xda\x82\x5f\xb4\xe9\xfc\xdd\x09\xb4\x21\xdd\xb6\xe9\x25\xa4\xd5\xcb\x7f\xf2\xfa\x56\xfe\x14\x97\xad\x65\x9c\xc5\xb6\xef\xd8\xf8\x83\x99\x8b\x74\x51\x17\x5f\x98\x27\x54\x7b\x84\x19\x5c\x25\xfc\x16\x31\x07\x2a\x55\xc1\x7e\x90\xa3\x27\x9a\x54\xa2\x96\x97\x31\x2b\xfe\xf3\xee\xfc\xba\x8d\x31\x14\x55\x6a\x54\x5d\x18\xab\x0d\xf7\x4d\xf2\x66\x85\x91\x51\x95\x9a\x1b\x05\x1f\x83\x22\xf7\x98\xcb\x45\xd5\xcb\xe5\x29\x1b\xdd\x71\xda\xd6\x65\xf6\x4d\xde\x69\x54\xef\x00\x71\x89\x18\xfe\x01\x72\x79\x63\x96\x46\x42\xd4\xc4\xa5\xbb\xa9\x30\x3f\x44\xfe\x97\xff\x99\xf0\x67\x48\xdc\x86\x3f\xf0\xcc\x17\xfc\x82\xb2\x9f\xbe\x0c\x71\x2c\x77\xed\x36\x69\x7f\x23\xb4\xa2\x2a\x9f\x24\x85\x22\xf9\x94\x6c\x3a\xbc\xd3\x2e\x16\x5f\xd6\x6f\xdb\xc7\xb4\xa0\xdf\x71\xa8\xd2\x57\x1f\x32\xda\x4a\xda\x51\xc1\x4c\xa0\x86\x30\x1d\x6e\xd0\x20\x06\xc6\xa3\x8c\xe4\xe7\x67\x1f\x3d\x08\x62\xa4\xe3\xc2\x2b\x6a\xa7\xb7\xc0\x49\xa7\x76\x22\x87\x57\x05\x62\xe8\xb4\x52\xef\xc7\x87\x41\xe7\xc2\x82\x2a\xd0\xfd\x43\x5e\x76\xa8\x04\x4b\x05\xb3\x88\xaa\xfc\x4c\xf6\x15\x75\x76\x03\x98\x87\x23\x64\x46\x99\x61\xe8\x7d\x14\xd1\x79\x5e\xb6\x27\xfa\xed\xa1\x8f\x9c\x12\x28\xfc\x99\x4d\x58\x05\x08\xc9\x96\xd3\x66\x27\x99\xb7\x23\x7e\x59\x69\x10\xa7\xc5\xc7\xfa\xcd\x47\xfa\x30\x84\xda\x48\x48\x87\x67\xf6\x0c\xfe\x58\xec\x40\x14\x15\xac\x66\x03\x16\x23\x32\x0f\x9f\xda\x37\xc0\xaf\x9f\xe4\xcd\xa1\xb2\x89\x3d\x2d\xf0\xac\x82\x26\x01\x3a\x36\xca\x7b\x13\x66\x03\x2e\xa7\xb2\x5a\x55\x91\xbe\xbc\x8c\xe4\x89\x77\x7c\x0c\xba\x2
8\xd1\xf0\xca\xfe\xae\xea\x7d\x5b\x4d\x20\x09\x30\x9e\xeb\xc9\x13\x07\x81\x12\xbb\x12\x69\x20\xca\x6e\x5e\x2b\x22\x10\xce\x54\x10\xcc\xe4\x5f\xc4\x63\x74\x6c\xf1\x68\xf7\xee\x2b\x91\xc7\x97\xb3\x30\xe0\x46\x48\x22\xa6\x18\xe4\x57\xce\x39\xa0\x03\x67\xd9\xcd\x3d\x3f\x59\x38\xce\x36\xeb\x2a\x31\xa9\x0d\x04\x92\x58\xc8\x49\x95\x5e\x97\xf0\x80\x17\x26\x9b\x3e\x5f\x69\xe9\x12\x81\x95\x63\x8b\xc8\xc1\xfa\x73\x5e\x6e\xb2\x43\x5c\x95\x87\xf4\xf4\x36\xd9\xe6\x8a\x87\x97\xbb\x42\x10\x0d\x48\xe7\xb2\x61\x97\xc6\x5f\xb8\x90\x39\x61\x38\x2f\xb0\xfe\x22\x98\x60\x17\x30\x68\xd9\x42\x91\x10\x82\x3b\xc2\xff\x71\x7a\x71\x57\x05\x4c\x32\x6b\xda\xc3\xad\x35\x81\x77\xf9\xa4\x06\xd8\x94\xb8\x42\xd6\xd9\x1e\xdb\x35\x6b\x06\x28\x3b\x32\x9b\xca\x6e\x12\x29\x06\x55\xfe\xf2\x40\x29\xba\x1d\xaa\xf4\x5f\x17\xeb\xc8\x34\xd1\x2e\x35\xe3\x9f\x2e\x20\xe2\xc7\x36\x2a\xeb\x00\x31\xf4\x87\x7b\x63\x3b\xe1\xbe\xd3\x6f\x5d\x7b\xa2\x4d\x01\x48\xf8\x46\xa7\x86\xf3\x88\xe2\xab\x79\x66\x2d\x55\x9b\x86\x1a\x36\xa4\xce\x60\xdc\xeb\x5f\xdb\x9f\x47\x93\x58\xfd\x84\xa5\xc7\xf1\x02\xf7\x5b\x81\x43\xd3\x62\x6f\xff\xa5\x46\x9c\x22\x07\x2a\x97\xd6\x3f\xf9\xe0\x66\x7c\x2f\x2d\xb4\x1c\xd0\x3e\x5d\x43\x91\x4b\xb5\x90\xbb\x1f\x11\xf4\xc3\x53\x3b\xcc\x47\xff\xc9\x9e\xed\xf6\x77\xc9\xd6\x46\xc6\x0f\x99\x39\x89\x15\x89\x1a\xb6\x71\x97\xdd\xbd\xc1\x1e\x03\xda\xf0\x31\x39\xce\xad\xaf\x99\x22\x68\x75\x16\x3f\x11\xc2\x90\x27\xf6\xec\x6e\xe6\x47\xc9\xbb\x1f\x76\x95\xf1\xf2\x91\x8a\x32\x85\xa1\x3e\xad\xb7\x3d\x3e\x94\xcb\x0d\xbf\x92\x73\xf7\x5e\x1a\x8b\x39\x1c\xc6\xe4\xc1\x4e\xd5\x68\x3c\x27\x56\xc7\xb3\x3d\x84\x35\x1e\x1c\xe0\xba\x7b\x02\xe2\x30\x5d\xe6\x5b\x29\x45\x6b\x5c\x55\x34\x46\x47\xc7\xb0\xb1\x6c\xd8\x36\xdb\xa2\x71\x1a\x4c\xc9\x77\x38\x26\x7c\x46\x2c\x85\xfa\xd6\x08\xa8\x16\x12\xd7\xf8\x9a\x7f\xe6\x63\xbd\x06\x43\x54\xa8\x0f\x8b\xe0\x16\x5d\xf5\xd9\xba\xe1\xc6\x9e\xa5\x69\x62\xb1\x11\x22\x0c\xdc\x13\x6a\xda\x90\xbb\x13\x15\xf8\x65\xca\xff\x1e\x25\x26\xac\xd2\xef\x4c\x36\xa7\x0f\x26\x60\x88\xd7\xd3\x48\xe5\x61\x13\x29\x7
1\x66\x8e\x91\xa8\x90\x04\x08\x5a\x5b\x09\x2f\x8e\x28\x42\x3d\x16\xb7\x49\xcd\xcb\xf9\x2a\x43\x65\xe4\x68\xdd\x67\xbe\x24\x1e\x5d\xea\x70\x5b\x60\x6b\x28\x09\x9a\x5d\x3d\x46\xa0\x76\x20\xfc\x4f\x73\x1e\x3d\x36\x05\xde\xbe\x68\x70\x42\xca\xc9\x37\x42\x73\x67\xc3\x5b\x54\x6a\xf2\xdf\xc0\x94\xa7\x21\xdc\x7f\xd1\x3d\xf6\x8e\x9a\x79\x9e\xcb\x10\x7c\x90\x8b\xac\x9f\x8c\x44\x30\xcc\x10\xc6\x29\x9c\x79\x4d\x02\x8d\x51\x6c\x3e\xf3\xf7\x7f\x9f\x64\x20\x16\x60\x94\x9b\x5e\xe2\x9a\x58\x94\xd7\x38\xfa\x4e\x4b\xcd\xda\x88\xfe\x12\xbc\xff\xe8\x5d\xa7\xb1\x0d\x02\xc8\x09\x22\xf3\x90\x71\x34\xfe\x64\x60\x55\x08\xb6\xcb\xe3\x5e\x97\xf1\x2f\x1b\xb1\x5f\xce\x6f\xac\x0b\x0b\xbe\xd6\x21\x83\xba\x88\xb8\x41\x3c\x69\x2c\x1d\x46\x53\x76\x14\x6a\x5a\xc6\x9e\x0f\x10\x45\x0f\x04\xc8\xb6\xf3\xc9\x0c\x58\xac\x33\x60\x4a\xa8\x11\xa9\xb7\x4e\xbb\xd0\x7b\x06\x84\xc5\x1a\x55\x30\x06\xda\x57\xf4\xdf\x29\xdf\x30\xa6\x46\x22\x26\x6b\x3e\xc0\x6c\x43\x5d\x65\x05\x21\xf3\xea\x72\x5a\x3c\x8c\x12\x8c\x73\xf0\xd3\x44\x7d\xd1\xa8\x5b\x10\xa0\x61\xe9\xac\x44\x69\xbd\x8e\xad\x5b\x59\xcc\x63\x9b\x81\x7e\x67\xd9\x0c\xcd\x77\x3e\x22\x4a\xeb\x67\xdd\x26\x36\x91\x74\x36\xb7\x64\x75\xd8\xe0\x25\x5c\xf7\xd1\x4f\x28\x36\xa5\x0d\x23\xfb\x11\xb3\x84\x35\x48\xb3\xa5\x2d\x8f\xa1\x0c\xa8\xc9\x7e\x1f\x0e\xd7\xa0\x0c\xfc\x80\x67\xa5\xb9\x9a\x41\xc0\x7d\x3c\xe0\xa0\x45\x6b\x84\x43\xbb\x5f\x09\x03\xdb\x5e\x7b\xc1\x6b\x0d\x0d\x4f\x32\x1a\x57\x57\x2d\x33\x68\xd9\x7a\xb7\x70\x58\x30\xd2\x3f\xf7\x8a\xc8\xd6\x94\x02\xc9\x20\xf7\xfb\x91\xd6\xef\xc1\x6c\xe4\x39\x93\xa1\xa6\x8e\xb8\xed\xa0\x8d\x7c\xc5\x5f\xca\x85\x49\xf4\x08\x39\xac\x8e\x5e\x26\x3e\x8f\xcd\xdb\x10\xdd\x20\xfb\xed\xd9\x49\xc8\xd3\xc1\xe1\x86\xe9\xfd\xd5\xaa\x27\x65\xa1\xef\x54\xf9\xe8\xb2\xa7\xa0\xb3\x8f\x1c\x8f\x8d\xaf\xe5\xfc\xef\x0f\xf0\x31\x69\x21\xdb\xaa\xb2\x7f\x6b\x2e\x09\xe4\x9d\x0a\x56\xc9\xad\xe5\xd8\xcb\x65\x86\x99\xba\xa9\x84\x54\x3f\xde\x4e\x72\x0e\x02\xe5\x50\x3e\x83\x5c\x7a\x63\xef\xfe\xe3\xdf\xa5\x8e\x4c\xcd\xbe\x19\x43\xb5\x92\x1b\x58\xfd\x0e\xd6\x64\xe
f\x73\xdf\x89\x23\x18\xe1\x07\x03\x23\x48\x59\xb5\x65\xd1\x7d\xe8\xc9\x25\x19\x8b\x44\x81\x59\xc8\xe8\xd7\x3c\x8b\x1e\x5e\xb6\x87\x05\xe5\x82\xd5\x12\x8f\x20\x7b\x54\x6f\x81\x22\xe0\x4e\x37\xbc\xc9\xd1\xca\x9b\x2c\x7a\xe5\x1d\x45\x42\x44\x8b\x36\xd6\xff\x16\xd9\x98\xee\xce\x9f\x07\xbe\x34\x1d\x1d\x8f\x98\x9f\x23\x44\x60\x40\xa4\x99\x72\x72\xc9\x9d\x45\x34\x83\x72\xfc\x49\xb7\x0f\xb5\xe0\xfa\xca\x97\x51\x84\xc6\x02\x59\x95\xf6\xaa\x49\xf1\xb2\x93\xdf\x66\xd5\x1d\x75\x3d\x9c\x77\x75\x57\x6d\x0e\x77\x01\x34\xd3\xa4\xfb\xd5\x3c\x99\xb0\xa7\xb6\xaf\xe7\x33\x7f\x73\x24\x81\x63\x23\x9a\x71\x4d\xfe\xb2\x85\xb0\xb4\x9e\xf6\x02\xd6\x2a\xd6\x93\x5a\x83\xc8\x3b\xc8\x14\xbd\x40\x7b\x1f\xf5\x22\x82\x92\xf9\xbf\xbb\xd0\x71\xc8\x1d\xc9\x59\x1a\x05\xc9\x50\x7b\xff\x87\xc9\xe5\x27\xb8\xf1\x4e\x8e\xe1\x3d\x18\x7e\xb8\x67\xdc\x2c\x95\xdd\x90\x3c\x37\x69\x2d\x03\xe7\xb0\x09\x85\xfb\xc1\x13\x13\x07\x8d\xec\x7f\xf6\x9f\x2e\x01\xa8\x34\x23\x99\x40\x0f\x98\xcc\x66\x83\x3d\x9c\x85\xff\x7f\x10\xcb\xef\x73\x32\x13\xcd\xae\x61\x54\x5f\x39\xe8\x5c\x59\x30\x2b\x56\x0a\x72\xd0\x43\x7b\x26\x6c\xba\xe1\x6f\xad\x4a\x00\x0d\xde\xa1\x99\x49\x40\x8c\x74\x77\xfc\xb9\x48\x91\x53\x23\xeb\xb7\x9a\x55\xc7\x69\xcc\xb1\x8e\x2f\x55\x2a\xb7\x63\xba\x65\x30\x2a\xe7\xbc\x47\x6e\x36\x25\xeb\x88\xa7\xa6\x69\x8c\xec\xcf\xac\x22\x90\x0c\xa3\xc4\x4d\xec\x88\x66\xb2\xa1\x14\xc0\x83\x1c\xf6\x53\xd4\xc1\xfb\xa9\xa7\x78\x5a\x1c\xaa\x2b\x97\x34\x33\x84\x22\x6b\x1a\xce\xd9\x3d\xa7\x1d\x30\xb6\x65\x06\x45\xbc\x11\x3a\xc6\x2d\x32\xd2\x03\x2d\xdb\x65\x62\x6e\xe8\x6c\x3b\x9d\xfb\xbd\x8d\x0c\xae\xea\x74\x53\xdb\xea\x30\x4e\x34\xd3\xf8\x05\x22\xcd\x31\x7b\x49\xbc\xab\xb8\x69\x33\x1c\x7c\x32\x18\x52\x10\x04\x30\x42\x3b\xcb\x1e\xc1\x5c\x50\xc1\x9b\x76\x6a\x7c\xe4\x71\xd5\x1b\x01\x04\x1b\x68\x5a\x29\xc4\xbf\xdb\x55\x2c\x86\x6d\x58\x3b\x7c\x3c\x7f\xd5\x6c\xfc\x73\x72\x5d\xf7\x84\xe4\xd9\x02\x81\x56\x7f\xe8\xc3\x8d\x86\x6b\x06\xef\x13\xbb\x30\xfd\x23\x90\x6e\x66\x2c\xf9\xd5\x11\x3d\x7b\x52\xb0\x14\xb4\xae\xb3\xa1\x83\x52\x4b\x49\x7b\xe
9\x22\x0a\xe1\xe0\xb2\xf7\x67\x4d\x27\x99\x42\x94\x1b\xbd\x81\xed\x59\x5a\x93\xc2\x34\x13\x99\xb6\xac\x36\xff\x86\x9f\x89\x4c\xae\x29\x13\x08\xb2\x12\x84\xd3\x98\xb5\xfa\x6a\xc7\x6b\x9d\x59\xf0\x3e\x48\xc2\x75\xf4\xf2\x0c\xe0\xa5\x05\x9d\xe6\x9c\xa9\xec\x99\x9d\x73\x20\x2d\xef\x66\x6b\x37\xb3\xa9\x6a\x95\xb1\x2c\x74\x33\x10\x38\xfa\xca\xca\xb1\x88\xda\x87\x8a\x86\x0e\x1b\x39\x9d\x6b\x3b\xd3\xc1\x36\xe0\xa5\xe9\x96\x3c\x16\x91\x88\x9f\x0d\x40\x0f\x34\xdc\xc5\x1e\xf1\x00\x2e\xbf\xee\x28\x14\x60\x5a\x4d\x10\x67\xed\x73\x96\xc1\x15\xe3\xa9\x4f\x15\x1c\x8e\x4a\xa2\x93\x0f\xd8\xbc\x53\x4d\x57\x9d\x5d\x88\x43\xbd\x20\x29\x05\x6f\xc5\x58\xb9\x86\x94\x08\xb9\x95\x1f\x75\x67\x24\x33\xea\xd1\x9e\x10\x9c\xd1\x83\x08\xf1\xc9\xd6\xf9\xcc\xbc\x9f\x76\x79\x93\xb5\x9e\xa2\xb5\x04\x68\x64\xf5\xe0\xc3\xbd\xe4\x2e\x79\x32\xc5\x6b\x9f\xb2\x52\x89\xe1\x6a\xb3\xbe\xbb\x69\x25\x47\xde\x1a\x4d\xbe\x11\x9a\xb2\xbd\x71\xe4\x71\xcb\xdf\x6c\x6e\x85\x19\xac\xa7\x7c\x2c\xbb\x82\x73\x34\x3c\x1b\xed\x23\x92\x2e\x55\x7f\x87\xb4\x08\xd8\x7a\xf7\x88\x96\xed\x30\xf0\xa6\x17\x8a\xd9\x8a\x34\xde\xd6\x14\x84\x43\xfd\xdf\x4a\x5c\x00\xa8\x1a\xe9\xdf\x21\x59\xfd\x65\x8c\x85\x9f\xb6\xb2\x74\x98\x8c\x84\x8f\x99\x3e\x76\x1c\x26\x3e\x90\xd7\xdb\x8f\x66\x2c\x87\x6b\x7a\x61\xff\x2d\x93\x8b\xa7\xfe\xd4\xcb\x5c\xd8\xee\x51\x48\x70\xb5\x05\x20\xe7\x33\xf2\x1c\xdc\x3b\xd7\xed\x41\xd2\x97\xb9\x6d\xfe\xff\x37\x9d\x37\xe6\x07\x1b\xb1\xac\x84\xfe\xff\xab\x2c\xdd\x98\x5f\xea\x2f\xe6\xc4\x6e\x6b\x75\x69\xc8\xc2\x45\x45\x91\x79\x5c\xcc\x56\x51\x1d\x85\x3f\xd2\xa0\x1a\x1e\xb0\xce\x25\x05\xab\x65\x78\x2b\x78\x36\xba\x67\x84\x45\x05\xaa\xbc\xb5\xdc\x63\x72\xa3\x13\xfe\x7a\xcc\x7f\x48\xb0\xd2\xbe\xf7\x94\x03\xc2\x83\x7d\x88\xe5\x2f\xe9\x26\xad\x16\xd5\x1b\xe7\xe8\xc6\x2a\x59\x55\xa6\x1e\x85\x27\x08\x39\xf3\x6e\xee\x94\x63\x70\x92\x7e\xb1\x98\x41\x30\x16\x77\xe8\x37\xab\xac\x18\xd7\x09\xbc\x84\xdd\xa6\x0b\x12\x10\x7a\x23\xeb\x73\x35\x43\xff\x32\xcc\xe5\x24\x8d\x0f\x46\x19\x21\x29\x52\x91\x83\x7c\x15\x0a\x4c\x1d\x48\x9d\x31\xc5\xb
f\x5b\xfc\x2d\xa1\x42\x7e\x1e\xce\x74\xae\xa7\x05\x3f\x1f\xed\xa6\x4f\x09\x9f\xc4\x47\xa7\x90\x8c\xe4\x4b\x13\x46\x15\x49\xf2\x3e\xf1\x8c\x1d\x81\x07\xbe\xfb\x09\xf9\xd7\x19\xa0\xac\x57\x08\x0f\x1c\xdb\xfd\x46\x70\x4d\x79\x94\x7a\xa1\x0c\x5b\x0b\xb2\x26\xe7\xf6\x83\x09\x74\x72\x40\xf7\x73\xa6\x27\x53\x65\x61\xfb\x6c\x1c\x9b\x26\xaa\x5e\x23\xbe\x01\xf2\xd3\xf7\xaa\xdc\x99\x54\x40\x01\x5d\x25\x64\xb9\xc1\x6b\x85\x3d\x66\x57\x24\xf9\xf7\x22\xb3\x4a\xb1\xd4\x4c\x27\xd0\xe0\xcb\x01\xc4\x9d\x9e\x05\xde\x91\xc2\xe0\x40\x76\x4f\x0c\x21\x2e\x6d\x63\xf7\xb7\x24\x93\xdc\xcb\xf8\x58\x16\x4c\xf4\x81\x51\xbb\xe4\xf1\xdc\x2c\x91\x58\x66\x73\x43\x1a\xf7\xb8\x46\x1d\x30\x16\x1c\x56\x11\x70\xdf\xa3\x1e\xdd\xe2\xcc\xc9\xdd\xdb\xc7\xa8\xe4\x62\x31\x75\x24\x05\xcf\x30\x8e\xcd\x8d\x35\x05\x63\x6d\xba\x70\x35\xc9\x4f\x72\x86\x23\xbb\x87\x60\x3a\xfb\x90\xb5\xc2\x3e\x9a\xc1\x93\x7b\x2e\xa3\x98\x4d\x57\x9d\xa2\x99\x70\xef\x04\x9f\xfd\x97\x05\xfa\x28\x3e\xf6\x2f\x1a\x9f\xbb\xef\xbc\x5f\x8f\x3f\x79\xbd\xd8\xd7\x0f\x0a\x89\x39\x72\xe5\xac\xa3\xa1\x64\xe6\x72\xba\x88\xeb\xdb\x62\x06\xa4\xdd\xa5\xeb\x5a\xdf\xd1\x63\x52\xd4\x2c\x4f\xbd\xdf\x11\x7f\x2b\x0d\x30\xe8\xc3\x9f\x1b\xc6\x3f\x3b\xc0\x3b\x45\x2a\x87\x01\x17\xaf\x7a\x3f\xd3\x01\xaf\x71\x4b\xfa\x39\x83\x67\xa9\xac\x2a\xa3\x81\x17\x0b\xc7\xca\x86\x01\x44\x25\x8a\x9a\x38\xa6\x14\x54\xc9\xcd\xef\x24\xf1\xc6\x62\xf2\x8e\x8d\x1e\xe7\x74\x9f\x61\xa9\xc7\x9a\x9e\x16\x59\x3f\x2d\x55\x00\xde\xaa\x73\x0a\xca\x4e\xef\x32\x73\x87\x84\x31\xa8\x74\xb0\x3e\x44\xf6\x49\x5b\x52\xea\x9b\x22\xd9\x41\x7f\xb3\xf2\xcc\xbe\x2c\x48\x2a\xdd\x30\x8e\x4a\x3c\x55\xb7\x53\x2a\x4e\x64\xcf\x10\x8d\x83\x3d\x54\xab\xf3\xcf\x93\xb3\xf9\x08\x52\x63\xd2\x77\x4c\x22\x14\xdc\x62\xe3\xc6\xa7\x88\x69\x46\xb7\xbb\xb4\xd0\xfd\xd8\x2d\x50\x22\x32\xf8\x91\xe9\x5e\x20\x75\xb6\x97\x4f\xcb\xc8\x15\x79\xfe\x8e\xeb\x7e\xe2\x21\xa9\x04\xce\xdb\xbb\xab\x25\x95\xef\x93\x53\x7f\xde\xa0\x3e\xb9\x3b\x49\x68\x01\x19\xd9\x96\xc8\xe7\x06\xdf\xc4\xd9\x94\x33\x95\x4c\x53\x67\x72\x5d\x48\x08\x11\x9b\x6
8\x3b\x59\x64\x1c\x4b\xff\xd3\xfb\xab\x0c\x7e\x12\x5f\x02\xba\xd9\x5c\xbf\xc2\x6e\xab\x96\x07\x9f\x8d\xfb\xf6\x62\x35\x89\xd1\x4e\x0c\x20\xd1\x5e\x07\xc3\x4b\xcc\xce\x36\xfb\x92\x79\x65\xf9\x6c\x8c\xc8\x9b\x3e\x51\x43\x82\x12\xa9\xbe\xc9\x2a\xf4\xb5\x92\xae\x76\xe6\x6d\x53\x1d\x34\x43\x85\xf5\x56\x85\x52\xe3\x7b\xd2\x5c\xbe\x30\x7d\x83\x99\x75\x91\x4f\x30\x91\x5d\x24\xe8\xf3\xd8\x92\xc8\xa1\x9f\xa4\x84\xc3\x5d\xf1\xfb\x92\xaf\x80\xed\xf4\x03\x34\x0c\xac\xed\x5c\x22\x47\x67\xe9\xe6\x87\x45\x65\x63\xdf\xf2\x9c\xa8\x6e\x36\x58\x55\xde\x94\x05\x7b\x66\xc5\x76\xbe\xc5\xf5\xb7\xfc\x3f\x00\x43\x33\x6b\x8a\x48\x7a\xe2\x51\x9b\x8f\xf0\x12\x2e\x7a\xc2\xbf\x57\xd2\x9b\xa6\x48\x08\xdd\x3a\x20\xd2\x6e\x43\x82\xce\x7b\xb1\xfb\xd3\x47\x34\xf5\xae\x66\x25\xee\x8a\x7d\xd5\x6f", 8192); *(uint32_t*)0x20004f40 = 0x200023c0; *(uint32_t*)0x200023c0 = 0x50; *(uint32_t*)0x200023c4 = 0; *(uint64_t*)0x200023c8 = 0x3f; *(uint32_t*)0x200023d0 = 7; *(uint32_t*)0x200023d4 = 0x22; *(uint32_t*)0x200023d8 = 0x8001; *(uint32_t*)0x200023dc = 0x1040000; *(uint16_t*)0x200023e0 = 8; *(uint16_t*)0x200023e2 = 0xf6e1; *(uint32_t*)0x200023e4 = 8; *(uint32_t*)0x200023e8 = 9; *(uint16_t*)0x200023ec = 0; *(uint16_t*)0x200023ee = 0; memset((void*)0x200023f0, 0, 32); *(uint32_t*)0x20004f44 = 0x20002440; *(uint32_t*)0x20002440 = 0x18; *(uint32_t*)0x20002444 = 0; *(uint64_t*)0x20002448 = 9; *(uint64_t*)0x20002450 = 0x40d; *(uint32_t*)0x20004f48 = 0x20002480; *(uint32_t*)0x20002480 = 0x18; *(uint32_t*)0x20002484 = 0; *(uint64_t*)0x20002488 = 7; *(uint64_t*)0x20002490 = 7; *(uint32_t*)0x20004f4c = 0x200024c0; *(uint32_t*)0x200024c0 = 0x18; *(uint32_t*)0x200024c4 = 0; *(uint64_t*)0x200024c8 = 0xffff; *(uint32_t*)0x200024d0 = 8; *(uint32_t*)0x200024d4 = 0; *(uint32_t*)0x20004f50 = 0x20002500; *(uint32_t*)0x20002500 = 0x18; *(uint32_t*)0x20002504 = 0; *(uint64_t*)0x20002508 = 0xce0; *(uint32_t*)0x20002510 = 0x1c; *(uint32_t*)0x20002514 = 0; *(uint32_t*)0x20004f54 = 0x20002540; *(uint32_t*)0x20002540 = 0x28; 
*(uint32_t*)0x20002544 = 0; *(uint64_t*)0x20002548 = 1; *(uint64_t*)0x20002550 = 0x100; *(uint64_t*)0x20002558 = 5; *(uint32_t*)0x20002560 = 2; *(uint32_t*)0x20002564 = r[6]; *(uint32_t*)0x20004f58 = 0x20002580; *(uint32_t*)0x20002580 = 0x60; *(uint32_t*)0x20002584 = 0xfffffffe; *(uint64_t*)0x20002588 = 8; *(uint64_t*)0x20002590 = 0xcd95; *(uint64_t*)0x20002598 = 0x1f; *(uint64_t*)0x200025a0 = 7; *(uint64_t*)0x200025a8 = 0x48; *(uint64_t*)0x200025b0 = 0xaac5; *(uint32_t*)0x200025b8 = 6; *(uint32_t*)0x200025bc = 0xad; *(uint32_t*)0x200025c0 = 5; *(uint32_t*)0x200025c4 = 0; memset((void*)0x200025c8, 0, 24); *(uint32_t*)0x20004f5c = 0x20002600; *(uint32_t*)0x20002600 = 0x18; *(uint32_t*)0x20002604 = 0xfffffff5; *(uint64_t*)0x20002608 = 9; *(uint32_t*)0x20002610 = 9; *(uint32_t*)0x20002614 = 0; *(uint32_t*)0x20004f60 = 0x20002640; *(uint32_t*)0x20002640 = 0x11; *(uint32_t*)0x20002644 = 0; *(uint64_t*)0x20002648 = 0; memset((void*)0x20002650, 0, 1); *(uint32_t*)0x20004f64 = 0x20002680; *(uint32_t*)0x20002680 = 0x20; *(uint32_t*)0x20002684 = 0; *(uint64_t*)0x20002688 = 0x10000; *(uint64_t*)0x20002690 = 0; *(uint32_t*)0x20002698 = 0; *(uint32_t*)0x2000269c = 0; *(uint32_t*)0x20004f68 = 0x20002780; *(uint32_t*)0x20002780 = 0x78; *(uint32_t*)0x20002784 = 0; *(uint64_t*)0x20002788 = 9; *(uint64_t*)0x20002790 = 3; *(uint32_t*)0x20002798 = 0; *(uint32_t*)0x2000279c = 0; *(uint64_t*)0x200027a0 = 6; *(uint64_t*)0x200027a8 = 0; *(uint64_t*)0x200027b0 = 0xfffffffffffff20d; *(uint64_t*)0x200027b8 = 0xfffffffffffffff8; *(uint64_t*)0x200027c0 = 1; *(uint64_t*)0x200027c8 = 0x3ff; *(uint32_t*)0x200027d0 = 5; *(uint32_t*)0x200027d4 = 9; *(uint32_t*)0x200027d8 = 0x726; *(uint32_t*)0x200027dc = 0x1000; *(uint32_t*)0x200027e0 = 6; *(uint32_t*)0x200027e4 = r[7]; *(uint32_t*)0x200027e8 = 0xee01; *(uint32_t*)0x200027ec = 7; *(uint32_t*)0x200027f0 = 7; *(uint32_t*)0x200027f4 = 0; *(uint32_t*)0x20004f6c = 0x200028c0; *(uint32_t*)0x200028c0 = 0x90; *(uint32_t*)0x200028c4 = 0; 
*(uint64_t*)0x200028c8 = 3; *(uint64_t*)0x200028d0 = 2; *(uint64_t*)0x200028d8 = 2; *(uint64_t*)0x200028e0 = 0x100000000; *(uint64_t*)0x200028e8 = 0x61a26b8d; *(uint32_t*)0x200028f0 = 6; *(uint32_t*)0x200028f4 = 2; *(uint64_t*)0x200028f8 = 1; *(uint64_t*)0x20002900 = 3; *(uint64_t*)0x20002908 = 1; *(uint64_t*)0x20002910 = 0x100000000; *(uint64_t*)0x20002918 = 3; *(uint64_t*)0x20002920 = 0x8f; *(uint32_t*)0x20002928 = 4; *(uint32_t*)0x2000292c = 0x1ff; *(uint32_t*)0x20002930 = 0x849; *(uint32_t*)0x20002934 = 0x1000; *(uint32_t*)0x20002938 = 7; *(uint32_t*)0x2000293c = r[8]; *(uint32_t*)0x20002940 = -1; *(uint32_t*)0x20002944 = 5; *(uint32_t*)0x20002948 = 0x1f; *(uint32_t*)0x2000294c = 0; *(uint32_t*)0x20004f70 = 0x20002980; *(uint32_t*)0x20002980 = 0x130; *(uint32_t*)0x20002984 = 0; *(uint64_t*)0x20002988 = 0xa00000000000; *(uint64_t*)0x20002990 = 4; *(uint64_t*)0x20002998 = 1; *(uint32_t*)0x200029a0 = 6; *(uint32_t*)0x200029a4 = 9; memset((void*)0x200029a8, 1, 6); *(uint64_t*)0x200029b0 = 6; *(uint64_t*)0x200029b8 = 1; *(uint32_t*)0x200029c0 = 5; *(uint32_t*)0x200029c4 = 0xfffffffe; memset((void*)0x200029c8, 170, 5); *(uint64_t*)0x200029d0 = 1; *(uint64_t*)0x200029d8 = 0x1ff; *(uint32_t*)0x200029e0 = 3; *(uint32_t*)0x200029e4 = 7; memcpy((void*)0x200029e8, "{#-", 3); *(uint64_t*)0x200029f0 = 5; *(uint64_t*)0x200029f8 = 0; *(uint32_t*)0x20002a00 = 2; *(uint32_t*)0x20002a04 = 0x761; memcpy((void*)0x20002a08, "[#", 2); *(uint64_t*)0x20002a10 = 3; *(uint64_t*)0x20002a18 = 0; *(uint32_t*)0x20002a20 = 2; *(uint32_t*)0x20002a24 = 6; memcpy((void*)0x20002a28, "#]", 2); *(uint64_t*)0x20002a30 = 1; *(uint64_t*)0x20002a38 = 0x714; *(uint32_t*)0x20002a40 = 5; *(uint32_t*)0x20002a44 = 3; memcpy((void*)0x20002a48, "*^\\^b", 5); *(uint64_t*)0x20002a50 = 5; *(uint64_t*)0x20002a58 = 0xeb68; *(uint32_t*)0x20002a60 = 4; *(uint32_t*)0x20002a64 = 0xfffffa80; memcpy((void*)0x20002a68, "--$-", 4); *(uint64_t*)0x20002a70 = 6; *(uint64_t*)0x20002a78 = 0xfffffffffffffeff; 
*(uint32_t*)0x20002a80 = 1; *(uint32_t*)0x20002a84 = 1; memset((void*)0x20002a88, 45, 1); *(uint64_t*)0x20002a90 = 1; *(uint64_t*)0x20002a98 = 8; *(uint32_t*)0x20002aa0 = 3; *(uint32_t*)0x20002aa4 = 0xf2; memcpy((void*)0x20002aa8, "!\\{", 3); *(uint32_t*)0x20004f74 = 0x20004c40; *(uint32_t*)0x20004c40 = 0xb0; *(uint32_t*)0x20004c44 = 0; *(uint64_t*)0x20004c48 = 0xcf; *(uint64_t*)0x20004c50 = 1; *(uint64_t*)0x20004c58 = 1; *(uint64_t*)0x20004c60 = 3; *(uint64_t*)0x20004c68 = 0x100000000; *(uint32_t*)0x20004c70 = 4; *(uint32_t*)0x20004c74 = 0x81; *(uint64_t*)0x20004c78 = 5; *(uint64_t*)0x20004c80 = 0x7f; *(uint64_t*)0x20004c88 = 5; *(uint64_t*)0x20004c90 = 6; *(uint64_t*)0x20004c98 = 0xffff; *(uint64_t*)0x20004ca0 = 3; *(uint32_t*)0x20004ca8 = 0x1f; *(uint32_t*)0x20004cac = 3; *(uint32_t*)0x20004cb0 = 8; *(uint32_t*)0x20004cb4 = 0xc000; *(uint32_t*)0x20004cb8 = 0xf5c8; *(uint32_t*)0x20004cbc = r[10]; *(uint32_t*)0x20004cc0 = r[11]; *(uint32_t*)0x20004cc4 = 2; *(uint32_t*)0x20004cc8 = 9; *(uint32_t*)0x20004ccc = 0; *(uint64_t*)0x20004cd0 = 4; *(uint64_t*)0x20004cd8 = 0x80; *(uint32_t*)0x20004ce0 = 5; *(uint32_t*)0x20004ce4 = 2; memset((void*)0x20004ce8, 170, 5); *(uint32_t*)0x20004f78 = 0x20004e40; *(uint32_t*)0x20004e40 = 0xa0; *(uint32_t*)0x20004e44 = 0; *(uint64_t*)0x20004e48 = 0x400; *(uint64_t*)0x20004e50 = 6; *(uint64_t*)0x20004e58 = 2; *(uint64_t*)0x20004e60 = 0x400; *(uint64_t*)0x20004e68 = 7; *(uint32_t*)0x20004e70 = 4; *(uint32_t*)0x20004e74 = 9; *(uint64_t*)0x20004e78 = 4; *(uint64_t*)0x20004e80 = 0x1000; *(uint64_t*)0x20004e88 = 0xffff; *(uint64_t*)0x20004e90 = 6; *(uint64_t*)0x20004e98 = 1; *(uint64_t*)0x20004ea0 = 0xffff; *(uint32_t*)0x20004ea8 = 0x65f; *(uint32_t*)0x20004eac = 0x647c2b8f; *(uint32_t*)0x20004eb0 = 0x400; *(uint32_t*)0x20004eb4 = 0x8000; *(uint32_t*)0x20004eb8 = 8; *(uint32_t*)0x20004ebc = r[12]; *(uint32_t*)0x20004ec0 = r[13]; *(uint32_t*)0x20004ec4 = 3; *(uint32_t*)0x20004ec8 = 0x6b; *(uint32_t*)0x20004ecc = 0; *(uint64_t*)0x20004ed0 = 
0; *(uint32_t*)0x20004ed8 = 0xd; *(uint32_t*)0x20004edc = 0; *(uint32_t*)0x20004f7c = 0x20004f00; *(uint32_t*)0x20004f00 = 0x20; *(uint32_t*)0x20004f04 = 0; *(uint64_t*)0x20004f08 = 0x800; *(uint32_t*)0x20004f10 = 0; *(uint32_t*)0x20004f14 = 0; *(uint32_t*)0x20004f18 = 0x10001; *(uint32_t*)0x20004f1c = 0; syz_fuse_handle_req(r[5], 0x200003c0, 0x2000, 0x20004f40); break; case 23: memcpy((void*)0x20004f80, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004f80, r[5]); break; case 24: syz_init_net_socket(0x24, 2, 0); break; case 25: res = -1; res = syz_io_uring_complete(0); if (res != -1) r[14] = res; break; case 26: *(uint32_t*)0x20004fc4 = 0x5004; *(uint32_t*)0x20004fc8 = 0; *(uint32_t*)0x20004fcc = 1; *(uint32_t*)0x20004fd0 = 0x1de; *(uint32_t*)0x20004fd8 = r[14]; memset((void*)0x20004fdc, 0, 12); res = -1; res = syz_io_uring_setup(0x343, 0x20004fc0, 0x20ffc000, 0x20ffb000, 0x20005040, 0x20005080); if (res != -1) { r[15] = *(uint64_t*)0x20005040; r[16] = *(uint64_t*)0x20005080; } break; case 27: memcpy((void*)0x200050c0, "/dev/uinput\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 2, 0); if (res != -1) r[17] = res; break; case 28: memcpy((void*)0x20005100, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0x488200, 0); if (res != -1) r[18] = res; break; case 29: *(uint8_t*)0x20005140 = 0x1e; *(uint8_t*)0x20005141 = 3; *(uint16_t*)0x20005142 = 0; *(uint32_t*)0x20005144 = r[14]; *(uint64_t*)0x20005148 = 0x200; *(uint32_t*)0x20005150 = 0; *(uint32_t*)0x20005154 = r[17]; *(uint32_t*)0x20005158 = 6; *(uint32_t*)0x2000515c = 1; *(uint64_t*)0x20005160 = 0; *(uint16_t*)0x20005168 = 0; *(uint16_t*)0x2000516a = 0; *(uint32_t*)0x2000516c = r[18]; memset((void*)0x20005170, 0, 16); syz_io_uring_submit(r[15], r[16], 0x20005140, 0x3dd1); break; case 30: memcpy((void*)0x20005180, "/dev/keychord\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x20005180, 0x171000, 0); if (res != -1) r[19] = res; break; case 31: 
memcpy((void*)0x200051c0, "/dev/ubi_ctrl\000", 14); res = syscall(__NR_openat, 0xffffff9c, 0x200051c0, 0x10400, 0); if (res != -1) r[20] = res; break; case 32: *(uint32_t*)0x20005240 = 0; *(uint32_t*)0x20005244 = 0x20005200; memcpy((void*)0x20005200, "\x46\x23\xd8\xa4\xce\x02\x17\xc9\xe5\x95\x55\xc1\x66\x89\x06\x79\xe3\xe0\xc1\x94\x0d\xf5\xb9\xfc\xbf\x91\x64\x9e\xf5\x4d\x80\xf0\xc8\xbc\xc8\x0e\x36\xb5\x57\x4c\x4b\xc9\xf9\x43\x40\x18\x54\xf5\x6a\xa2", 50); *(uint32_t*)0x20005248 = 0x32; *(uint64_t*)0x20005280 = 1; *(uint64_t*)0x20005288 = 0; syz_kvm_setup_cpu(r[19], r[20], 0x20fe8000, 0x20005240, 1, 0, 0x20005280, 1); break; case 33: res = syscall(__NR_mmap, 0x20ffc000, 0x2000, 0x1000000, 0x8000, (intptr_t)r[18], 0); if (res != -1) r[21] = res; break; case 34: *(uint32_t*)0x200052c0 = 1; syz_memcpy_off(r[21], 0x114, 0x200052c0, 0, 4); break; case 35: memcpy((void*)0x20005300, "adfs\000", 5); memcpy((void*)0x20005340, "./file0\000", 8); *(uint32_t*)0x20005540 = 0x20005380; memcpy((void*)0x20005380, "\x87\x35\x19\xf2\x5d\xf0\x82\xb3\x71\xba\x5b\x45\xad\xb5\x70\x9c\x00\x80\x57\x47\xc3\x7f\xe0\x44\x06\x45\x95\xcd\x47\x28\xbf\x89\x80\x30\x2b\x25\xb4\xb0\x83\xb4\x2b\x41\x33\x6e\x13\x0f\x1b\x6f\xf0\xa2\xf1\x72\x49\x8e\x52\x2b\x4f\xe5\x82\x6e\xab\xab\xf5\x3a\x98\x52\xf9\x3e\xbe\xb8\x41\xe1\x64\x5f\x32\x93\x61\x27\x02\x9d\x68\xfe\x73\xec\xed\x89\xc1\xb9\x35\x87\x01\x2a\x47\xc4\x2a\x58\x3d\x69\x75\x59\x2b\x3f\x2c\xdf\x43\x37\xfc\x6d\x5e\x85\xe5\xf5\x83\x5f\xaf\xe0\x95\x93\x5e\xc9\x04\x84\xe9\x08\x1a\xa8\xd2\x24\x98\x43\x13\x01\xba\xad\x4a\x34\x36\x8c\x26\xc6\x4d\x85\x32\x6c\x7e\x00\x68\x21\x78\xf8\xd1\x3e\x6a\x89\x69\xf1\x5b\x9d\x5d\xbc\xfe\xc2\xc0\xe6\x96\x80\xc3\x92\x8c\xa0\x15\xb9\x2e\x25\xf5\x07\x8d\xe3\x54\xfe\x32\xcc\x71\x21\x60\x9a\x07\x62\xe1\xb7\x3e\xfd\x89\x67\xa2\xfe\x23\x5e\x4d\x1e\xf9\xe5\xac\x88\xbc\x1e\xd7\x06\xa9\x84\x64\x1b\x06\x47\x0b\x22\x94\xd0\x45\xce\x7e\xba\x51\xc0\x72\x89\x38\xa2\xc6\xee\xb6\xd8\x57\x44\x29\xcc\x24\xbc\xb2\xa7\x84", 241); 
*(uint32_t*)0x20005544 = 0xf1; *(uint32_t*)0x20005548 = 0x40; *(uint32_t*)0x2000554c = 0x20005480; memcpy((void*)0x20005480, "\x62\x93\x5b\xfe\x26\xe9\xc9\xf2\xdc\x3c\x3e\x9d\xfb\x49\x18\x58\xef\xb5\x98\x36\x9b\xcc\xa5\x19\x23\x98\x9b\xa9\x43\xcf\x44\x7b\xaf\x56\x62\x5d\xf0\xf6\x85\xed\x2d\x03\x4b\x37\xc0\x75\x63\xf6\x68\x72\x8f\x6d\xc6\x83\x36\x09\xb1\x22\x19\x70\xe5\x50\x88\x86\x9d\x29\xc0\x1b\x2d\xd0\x5c\x48\x20\xb0\x80\x42\xb5\x07\x40\x08\xc9\x75\x77\x12\xc4\x80\xe2\x5d\x89\xb9\xc4\x8e\x95\x7e\x5b\x5c\x7b\x0b\xec\xcf\xb1\xfc\xcc\xed\xbc\xed\xc8\x38\x06\x03\x80\x75\xfc\x2a\x0f\x82\x28\xbe\xb4\x7f\x1f\xec\xe0\x9b\xdd\xcb\xbe\x00\x21\xab\xe9\xc3\xd1\x98\x36\x9b\x81\xb6\x7d\xbd\x6a\x7d\x33\x4b\x8d\x28\xb8\x02\xcc\x97\xd9\x34\xc1\x64\xe9\x7d\x9d\x7b\x70\xdc\x6c", 161); *(uint32_t*)0x20005550 = 0xa1; *(uint32_t*)0x20005554 = 0x1ff; memset((void*)0x20005580, 170, 5); *(uint8_t*)0x20005585 = 0x2c; *(uint8_t*)0x20005586 = 0x2c; memcpy((void*)0x20005587, ":&-]!", 5); *(uint8_t*)0x2000558c = 0x2c; memset((void*)0x2000558d, 125, 1); *(uint8_t*)0x2000558e = 0x2c; memcpy((void*)0x2000558f, ",-V", 3); *(uint8_t*)0x20005592 = 0x2c; memcpy((void*)0x20005593, "\\*})", 4); *(uint8_t*)0x20005597 = 0x2c; memcpy((void*)0x20005598, "*^\\^b", 5); *(uint8_t*)0x2000559d = 0x2c; memcpy((void*)0x2000559e, "appraise", 8); *(uint8_t*)0x200055a6 = 0x2c; memcpy((void*)0x200055a7, "fowner<", 7); sprintf((char*)0x200055ae, "%020llu", (long long)r[8]); *(uint8_t*)0x200055c2 = 0x2c; memcpy((void*)0x200055c3, "smackfshat", 10); *(uint8_t*)0x200055cd = 0x3d; memset((void*)0x200055ce, 170, 5); *(uint8_t*)0x200055d3 = 0x2c; memcpy((void*)0x200055d4, "obj_type", 8); *(uint8_t*)0x200055dc = 0x3d; memset((void*)0x200055dd, 170, 5); *(uint8_t*)0x200055e2 = 0x2c; memcpy((void*)0x200055e3, "dont_appraise", 13); *(uint8_t*)0x200055f0 = 0x2c; memcpy((void*)0x200055f1, "dont_measure", 12); *(uint8_t*)0x200055fd = 0x2c; memcpy((void*)0x200055fe, "fowner<", 7); sprintf((char*)0x20005605, "%020llu", (long 
long)r[9]); *(uint8_t*)0x20005619 = 0x2c; memcpy((void*)0x2000561a, "dont_appraise", 13); *(uint8_t*)0x20005627 = 0x2c; *(uint8_t*)0x20005628 = 0; syz_mount_image(0x20005300, 0x20005340, 0xfd, 2, 0x20005540, 0x8800, 0x20005580); break; case 36: memcpy((void*)0x20005640, "/dev/i2c-#\000", 11); syz_open_dev(0x20005640, 0x40, 0x300); break; case 37: memcpy((void*)0x20005680, "net/if_inet6\000", 13); syz_open_procfs(r[6], 0x20005680); break; case 38: syz_open_pts(r[19], 0x800); break; case 39: *(uint32_t*)0x20006c40 = 0x200056c0; memcpy((void*)0x200056c0, "\x46\x41\x06\x38\xb7\xa1\x28\xc1\x5c\x6c\xb2\x7d\x23\x35\x80\x6d\xa8\x7c\x0d\x49\x15\x42\x44\x52\xcf\x0b\xa9\xee\xe0\xa5\xd4\x9d\x63\x4f\x09\x0d\xf2\x6f\x35\xbb\x04\x33\xc1\x3a\x27\x0d\xcb\x44\xcf\xe9\xba\x62\xb5\xba\x38\xd4\xae\x3c\x65\xea\xd2\x72\x7f\x1d\x2a\x5f\x02\xda\xa2\x70\xce\xa6\xf4\xf6\x09\x02\xe2\xed\xa6\x54\xb1\x6e\xc6\x63\x5a\x1c\x6c\xd1\x5d\x6b\xd6\x34\x32\x14\xb8\x34\x22\xd1\xa1\x9b\x5d\xae\x43\x9b\x9f\xbc\x3d\xb5\xc2\x18\xd4\xb0\x8a\xcf\xc9\xfc\xdb\xe5\xd4\xe6\xa5\x12\x7a\xda\xdc\xe6\x10\xd8\x15\xe8\xc6\xd8\xad\xc7\x86\x89\xea\xae\x29\xd8\x1a\x20\x04\x0a\xee\xef\x4e\xe5\x5d\x77\x01\xea\x72\x5e\x91\xb7\x4f\x5b\x37\x81\x4b\xee\xd1\x18\x54\x99\x79\xc8\xa4\x0d\x0b\x29\x09\x77\xad\xa4\xd6\x58\x74\xc7\xdc\xca\x03\x0a\x9a\x15\x50\x9b\xc2\x7e\x6e\x87\xd5\x26\x91\x24\x37\xb8\x69\x04\xf7\x42\xc9\xc1\x3c\x1e\x00\xbc\x5e\x3e\x94\x3c\x14\x30\xd1\xcc\x01\x8f\x5a\x4d\xec\xf2\x46\x02\xdb\x5b\xf2\x28\x6e\x64\xce\x75\x1d\x8d\xf1\x6f\x28\x09\x34\xfb\x08\xb6\x19\xb2\xb5\xe9\x31\x19\x5a\xd2\xf7\xc8\x7a\xe9\x56\xc6\x4a\x2f\xda\xc4\xfd\x79\x16\x11\xac\xc2\xa8\x65\xd9\x94\xea\x90\xed\x15\x85\x81\xe8\x0d\x03\x86\xb1\x53\xf1\x9f\xab\x27\x81\xb7\x2d\x1d\xe0\x03\xb1\x87\xd2\xb1\x19\x53\x42\xb3\xa0\x03\xbf\x44\x83\xb4\xd8\x90\xab\x1b\x2f\x51\xe8\xd5\x8f\x0a\x5a\xd7\x8e\x0d\xf9\xd6\x29\xc2\x2c\x2a\x32\x4a\x98\x2e\x1f\xc2\x73\x8c\x36\x0d\xb3\xa8\xba\x5e\x55\xae\x5c\x9d\x58\xf1\xc2\xf6\xbe\xd0\xb6\xde\x5b\xb4\xee\x3b\x5f\x84\x2c\xee\
xf9\x1b\x20\x56\x54\x1f\xf5\x53\x12\xee\x90\xa2\xbd\x09\x97\x06\x6c\x37\xf3\xd8\x37\x78\x95\x92\x1b\x08\x02\x15\x89\x04\x9e\xd7\xb2\x3c\xeb\xaf\x9b\x41\xd0\x8e\x75\x90\x58\xa3\x45\x2c\xb9\xdf\x2a\xee\x1d\x2b\x90\xe5\x10\xba\x9b\xc9\x48\x40\x0a\x69\xaa\x13\x83\x3d\x1b\x4c\x44\x44\x51\x29\xe0\xaf\x50\x12\xfd\x6a\x53\x41\x81\xfb\x20\x42\x68\x26\xa4\xb3\x69\x4e\x4a\x51\x81\x19\x9d\xf1\xed\x31\xde\x36\xf2\xed\x49\x21\x18\x22\xad\x91\x5d\x3b\x71\xac\xae\xcf\xf3\xc8\x4d\x4e\x3b\xb1\x9f\xba\x32\x19\xe2\x61\x45\x73\x5f\xf7\x1d\xce\xee\xee\x7a\xa2\x47\x53\x9a\xd2\x73\x11\x13\xd3\xf3\x64\x42\x6b\xe9\x00\x6e\x6b\x0e\x35\x8b\x81\xd4\x07\x45\x49\xe0\x8e\xf2\x76\x13\xa3\x71\x5e\x5e\x89\xba\x0a\x71\xe3\x99\x52\x31\xe9\x9a\xac\x5e\x4e\xe7\x07\x8f\x59\xe3\xe7\xd4\xfa\xbe\xd2\x6e\x75\x07\x41\x1f\xbe\x4b\x03\x53\x10\x62\x78\xac\x69\xf3\xb9\x1e\xc6\x9f\xa5\x42\xeb\x7c\x96\x43\x94\x06\x2f\x65\xc6\x50\x19\x7f\xbe\x73\x3c\x22\x83\x26\x73\xd0\x66\xe4\xed\x40\x07\x3b\x28\x4e\xe4\xe5\x1b\x12\x59\x36\x7d\x4e\xb9\xe1\x72\x00\x7e\x6f\xb8\x0a\x0a\x6f\xe6\x2b\x3f\x3d\x5e\x5b\x68\xfe\x04\x7e\xa4\xd6\xfb\xfa\xa3\x0a\x00\xfc\x29\xbc\x58\xa3\x1c\xfb\x82\x12\xf2\xc4\x9c\x3a\x2e\x71\x1a\xe5\x02\xbd\x64\x7b\xd5\x6b\xb7\xcf\xc1\xd8\x4d\x14\x18\x27\xbe\x21\x1b\x5f\xfb\xed\x78\x6b\xfa\x13\x13\xd2\xae\xd5\x34\xf0\x00\x19\x36\x3a\xc1\x29\x61\x2c\xa2\x5c\x76\x3b\x07\x7f\x5a\x72\x4d\x61\xfc\x79\x74\xfa\x82\x4b\xad\xc1\x40\x06\xf2\xfe\xbf\xb1\xe3\x5a\x3d\xd7\x2e\x82\x33\x4a\x26\x37\x56\xff\x42\x04\x68\x0c\xba\x1c\x03\xc5\x5e\x09\xdf\xfb\x5a\x58\xe4\xc5\x5b\x5b\xd7\xa7\x0e\xe8\x52\x59\x29\xa0\xee\x9f\x90\x91\xe3\x4b\xb8\xd2\xf0\xaf\x6d\x2a\x26\x70\xc5\x91\x18\x6b\xee\x6c\xed\xda\xb8\xe1\xfe\x8d\x4b\xe3\x97\xa5\x45\xc4\x83\xfd\x68\x4c\xd8\x12\xdf\x5e\x31\x2a\xb5\xf4\x81\x2b\x47\x84\xef\xae\xf1\xc3\xdb\xe7\x90\x94\xfb\xab\xd6\xca\x5f\x0a\x45\x46\x23\x96\xf8\x18\xa5\xc7\xbf\x61\xc8\xc3\xf4\x33\x66\xc1\x26\x5f\x46\x38\xd1\xdc\x7b\xde\x11\x46\x10\x35\xc7\xaf\x77\xe6\x84\x4c\x5d\x47\xbc\x18\x97\xdf\xab\xec\x76\x87\xed\
x25\x79\x4a\x71\xa3\xaa\x2b\xe1\x66\x57\x19\xe7\xea\xf6\x49\xbf\xaf\xfc\xea\x24\x92\xd4\x3b\xca\x7f\x03\x04\x21\x0c\xfc\xa9\x1a\x0d\xad\xf6\x6b\x7c\x3c\x6b\xaf\x8c\x50\x55\xef\x4f\x3c\x56\xaa\x03\xbb\x6e\x40\x0d\x7c\xac\xa6\x9e\x42\x43\xac\x71\xc9\x39\xcc\xf2\x73\x10\xb7\x3b\xa5\x98\x97\xe2\x02\x0c\x71\x7c\x33\xdb\x9a\x4a\x58\x29\x12\xa3\xa8\xd7\xc0\xa8\x70\xb1\x2a\x9f\x98\x2a\xaf\xd0\xcf\x15\x95\x75\x18\x9d\x8c\x26\x88\x64\x34\x22\x9f\xb0\xc7\x6c\x56\x50\x8b\x63\x8a\x25\x09\xb6\x58\x47\x72\x2a\xf1\x97\xe9\x5c\xf0\xcf\xf2\x36\x84\x48\xd4\x2a\xd6\x2d\xb2\x7f\xf0\x17\xa7\xfb\xed\x92\x3b\xef\x62\x83\x40\x87\x12\xc3\xf0\x4a\x79\x03\x38\xf4\xf8\x0c\xf4\xf3\xe9\x2f\xaa\xfa\x3b\xf6\xcf\xf5\xed\x3c\xf3\xb1\x7b\x50\x50\x75\xe1\x2b\x69\x58\xbf\x2e\x5c\xb4\x02\x41\xf6\x72\x87\x4a\x0f\x94\x0f\xd5\x7e\x82\xe9\xca\xff\x11\x3d\x67\x1d\xa2\x3d\xa3\x43\x6a\x31\x80\x0c\x2d\x34\x87\x96\x5f\x87\xc3\xf8\x25\x06\x10\xaa\xff\x78\x3d\x78\x59\x5e\x19\x26\xb7\x7e\x97\xb2\xe3\xad\x09\x08\x7a\xf9\x19\xac\xe3\xf0\x4f\xd2\x75\x88\x7b\x1f\xc8\x1e\xe2\xf5\xba\xd8\xde\x1c\xc3\x5e\xe0\xc0\x3a\xde\xed\x9a\x91\x97\xd7\xa8\xfa\x5d\xb5\x9d\xc5\x00\xa9\x4b\xd1\x84\xa2\xa8\x0d\x97\x04\x79\x7e\x76\xbc\x0f\xc4\x3e\xd5\x72\x96\x14\x3d\xc9\xd8\x58\xb1\x4a\x7b\xdf\xb4\x18\x19\x7f\x09\x74\xb6\xee\xe2\x99\x95\x80\x51\xb1\xd4\x14\xab\x12\x6c\xef\x5b\xc3\x6a\xe4\x05\x5c\x4f\x19\xe7\xe0\x1d\x20\x92\xd9\x9f\x1d\x2a\x5a\x56\x61\x4f\xed\xf4\x81\xd5\x78\xcb\x85\x1a\xd7\x3e\x18\x29\xbc\x35\x0f\x7e\x56\xee\x0d\x2e\x71\xfe\x73\x1c\x1b\x30\xfd\x84\x5f\xd8\x2c\xa0\xac\xf0\x29\xaf\xf4\xa7\x5e\x0d\x38\xfb\x7a\xf5\x82\xa1\x9c\x0c\x7d\xeb\x19\x54\x4b\xc7\xa1\x3c\x18\x96\x03\x24\x41\xcb\xa6\xae\x39\xc3\x5a\xe8\x80\xb4\x5a\x5c\x97\x54\x5a\xc0\x99\x24\x3a\x79\x1c\x6f\x2e\xb9\x35\x56\x20\x8b\x8b\x20\x35\x42\x75\x2a\x67\x3b\x9d\xf0\x2b\xf0\x4a\xd3\xc1\x8e\xec\xaa\x5e\xb2\x2d\x1b\x65\xe5\x9c\x34\x49\xb5\xcc\x42\xdf\x35\x0d\xd4\x82\x2b\xcf\x67\x1d\xf7\x84\x20\x68\x9c\xac\x22\x65\x8c\xd9\xf0\xf3\x90\xe2\x6e\x07\x96\xac\x4b\x7f\x30\xb1\
x98\x9f\x09\xcf\x5b\xa5\x16\xeb\x16\x67\xec\xc1\xd8\x53\x73\x9a\x20\xe5\xe7\x85\x99\xbd\xa8\x30\xd0\x02\xd4\x5e\xb6\x6d\x63\xa7\x78\xb8\x41\x2a\xf5\xd6\x3e\x3e\xf2\x64\x94\xe2\x1b\xbc\xde\x5b\x97\xa9\x4f\x79\x78\xac\x90\x3d\x46\x7c\x5b\x6d\x07\x17\xdc\x4a\x9d\x14\x6e\xd4\xb5\x8b\xfe\x37\x3a\x59\x08\x70\x2f\x99\x7f\x10\x90\xb4\xb1\x90\x93\xf8\x90\x50\x85\xec\xb6\x91\x10\x7b\x05\x9e\x0e\x1c\xd0\xc4\xa9\x4c\x9a\x47\x3a\xf2\xd1\x2b\xd5\x99\x8a\x8b\x8b\x48\x02\xf9\x31\xb9\x05\x15\x51\x9f\x20\xfe\xea\xde\xa5\x68\x4c\x06\x4f\x9a\xdb\x42\x39\x35\xb8\xde\x29\x8b\x03\xe5\x79\xab\xad\x6a\x23\xa8\x6c\x86\xed\xd3\x9c\x2e\xd6\xa4\x68\x5e\x69\xbc\x71\x54\x05\xab\x7a\x3f\x27\x66\x4b\xdb\x68\xfe\xf1\xfc\xd0\x90\xf0\x60\x38\x1f\x1a\xa3\x74\xa0\x74\xa6\x40\xf9\x91\xec\x6d\x8b\x28\x8b\x1b\x05\x07\x06\x85\x60\x31\x4f\xe9\x4a\xeb\x85\xc4\x2f\x4d\xf3\xad\xb2\x14\x85\x69\x65\x15\xda\x2f\xa7\xf4\x41\xb7\x53\xd5\xf8\xca\x45\x45\xf2\xd1\xdc\x1e\xb3\x4e\x41\x8c\x04\x3b\xeb\x51\x8b\xb3\x5f\xe3\x02\x35\xaa\xbf\x7e\xc5\xf3\x71\xb3\xa4\x8c\x0e\xa6\xa6\x13\xeb\xb4\xe4\xda\x5b\x71\x40\x8a\xa5\x57\x74\x23\x9a\xc7\x49\x03\x0a\x52\x74\x0c\xd8\x53\x5b\x9e\x3d\x28\xa4\xe8\x7b\x4c\x4f\x40\x44\xc8\x19\x5c\x32\x11\xf9\x47\xe5\x00\x7d\xf7\xb6\x4e\x37\xc4\x14\xbf\xd5\x4f\x7b\x59\x82\x37\x20\xbe\x00\x49\x8c\x18\xb5\x7d\xad\x00\x43\xf0\xc5\x0a\x75\x81\x74\x18\xc1\xdb\xc3\xdb\x8d\xc7\x33\xce\xb2\xb5\xb6\xd2\x0b\xec\x1e\x38\xa2\xf9\x09\xaa\x61\x94\x80\xe2\xca\x05\xd9\x00\x0b\x7e\xaf\xf3\x70\xc0\x77\xed\x38\x94\x22\x89\x0d\xd4\x26\x27\x8c\x63\xc2\xac\x42\x85\xe8\x40\xe6\xc7\xf9\xda\x04\xd6\x9a\xf4\x48\x2d\x96\xee\x58\x24\xde\x09\x16\x14\xd8\xb1\xb4\xcf\x49\xf5\xa7\x01\xe4\xb4\x2f\xf5\x8a\x62\x82\x3c\x27\x76\xfb\xa4\xc2\x7e\xc8\x6c\x24\xba\x10\x3e\xd0\x1c\x66\x72\x9a\xd6\x02\x92\x4a\x51\x37\xb7\x18\xd8\xdd\xee\xb0\x83\x39\xd8\x3c\x45\xfe\xca\x01\xc3\x93\x35\x7a\x67\x64\x38\x11\x43\x63\x59\x1d\x31\xc2\xba\x6f\xaf\xa5\xd8\x57\x1a\xf7\xc3\xa3\x69\x0f\xde\xb0\x99\xe4\x41\x92\xb5\x87\x1f\xd0\xa3\x36\x5f\xb2\xe2\x30\xc6\
xc0\x3a\x74\x73\x78\x2b\x30\x3a\x5b\xe1\x4f\x03\x8d\x8e\xa3\x4a\x63\x08\x43\x00\x51\x6e\xb7\x88\x4e\x59\x33\x58\xe6\x6b\x3d\xfb\x6d\xac\x4d\x08\x15\xd5\x8d\xaf\xb8\x5e\x8c\xca\x44\x26\x53\x6a\x38\x4d\xc8\x9f\x74\x13\xf1\x4c\xc9\x2e\x73\x77\xa9\x09\x38\xf9\x9e\xf7\xf5\x35\xc2\x18\xae\x2e\x90\x9a\xcd\xbf\xd7\xeb\x5b\x0b\x47\x40\x8e\x3d\x6d\x73\xdd\xa3\x9f\xbd\x6b\x23\xaf\x18\xf1\xa6\x70\x3e\xe3\xb1\xf7\x5b\xb7\xc0\x00\xa4\xca\x5a\x7b\xcc\xaa\xe8\x6c\x4a\xba\xc8\x1d\xa2\x93\xe4\x3f\x91\xd2\xc3\xdf\xf1\x2f\xfa\x52\x29\x13\x9a\x08\xae\x5f\xc2\xec\x13\x9b\xe9\x78\xb8\x18\x2d\x6a\x60\xc7\xff\x39\xbb\x0a\xa8\x20\xa1\x07\xd9\x2e\x38\xb9\x5e\x74\x8a\x18\x4b\x53\xf5\x62\x4f\x45\x72\x39\xf6\x38\x4d\xdd\xcb\x9f\xd7\xe8\xef\x29\x52\x65\xd7\x9b\x64\xc5\xc0\xa9\x3b\xf2\x16\x35\xb8\xc6\x80\x90\x78\x10\xd8\xe7\x2a\x58\x1e\x5a\xa0\xe0\x0f\xbf\x35\x1e\x3c\x84\x1c\x7d\x0c\x51\xa2\x63\x68\x37\xb2\x7c\x6a\x91\x42\x5b\x50\x6a\x22\xc2\x7d\x14\x20\xd0\xb1\x3e\x60\xde\x3e\x9c\x56\x66\x7a\x98\x98\x3b\xa9\xbd\xd1\xc5\xa5\x2d\xc6\x12\x7b\x65\x9e\x6d\x80\x70\x69\x59\xf0\x7d\x3a\x5f\xa8\xb3\xb8\x8e\xab\x05\xe7\xa0\xc0\x4e\xe1\x2a\x21\x37\x2c\x71\x3f\x64\xc6\xad\xbe\xed\xd7\xa8\xb7\xa6\x92\x67\x49\x75\xbb\xe5\x5c\xe4\x02\x71\x44\x02\xf2\x0c\x7f\x57\xff\x1f\x79\x35\x7d\x8e\xda\xbe\xf1\xd8\x68\xf0\xa2\xb3\xdd\x7a\xa3\xbb\xe5\x8e\x80\x81\x49\x70\x73\x4f\x7d\xec\x70\xd3\x14\xe8\x11\x59\x3a\x32\xcc\x86\x1f\x4a\x8a\x4b\x3f\x0d\x7c\xeb\x4e\xbb\x32\x66\x4f\x56\x44\x49\x7a\xc9\x56\x2c\xdd\x5a\x54\x19\x3f\x22\x38\xe6\x5c\x18\x74\xc8\x64\x21\xc5\xcf\xb4\x3a\xe1\x56\x93\x1c\x78\x40\xd1\x0d\xe4\x7a\x4d\x0f\x2f\x31\x74\xc3\x6c\x86\x45\xac\x02\xf5\x44\xc3\x69\x0b\x51\x37\xaf\x7d\x2c\xed\x3f\xb0\x43\x59\xbb\xf2\x2b\x67\x20\xea\x94\xf2\xe3\xb5\x67\x5f\xb7\x7a\xde\x56\xc9\x77\xd6\x68\x06\x4e\xfd\xd1\xc6\x15\x11\x9a\x52\x8c\x9e\xc1\x35\x3e\x84\x10\x3e\x5d\xce\x6a\x0b\xd0\x73\xf9\xff\xbe\xa0\x81\x9c\xf6\xc0\xcc\x58\xea\xd0\x0c\x92\x34\x02\x98\xcc\x09\x45\x64\x11\x7f\x3f\xb8\x94\x27\x4c\xa9\x1d\x79\x76\x45\x96\x19\xf5\
x44\xb2\x50\x58\x6c\x6d\x44\xaf\xba\x55\x74\xb7\xef\x51\x26\xb0\x70\x40\x9a\x1f\x5e\xed\xc6\x50\x07\xb0\x03\x39\xf1\x60\x42\x2f\xff\x38\xd6\x7e\xaa\x8d\x78\x2f\xc4\x19\x2a\x29\x81\x08\x79\xeb\x12\x85\x99\x42\xfa\x14\x1a\x21\xc3\x9d\x9e\xea\x03\xeb\xa1\xaa\x7b\x3a\xc7\xe2\xb1\xda\xf4\xf6\x9f\x47\x5b\x8e\x75\xc5\xac\x7c\x2e\xfd\xd7\x77\x93\x2d\x40\x31\x43\xcd\xd0\x89\x02\xd5\xe3\x45\x93\x01\xc2\x8c\x88\xc4\xdf\x34\x2c\xa1\x39\x10\xb7\x60\xe3\x4c\x40\x19\x4b\xb5\x1b\x82\xcf\x14\xad\xee\xd5\xae\x47\x51\x7d\x3c\xbc\x73\xbb\xb5\xa8\x89\x9c\x30\xe6\x06\x51\x99\x89\xa8\x5d\x2e\x15\xb0\xe8\x9e\xbb\xa4\x3f\x0c\x8a\x75\x2f\x07\x01\x03\x80\xca\xa7\x0d\xc4\x09\xff\x80\x5c\x24\x57\x48\x29\xd0\x6b\xb9\xa1\x49\x5d\x5a\x30\x85\xdf\x90\x29\xe2\x3d\x92\xbb\xc4\x6d\x7c\x7c\x1d\xb7\x36\x5e\x92\xe8\xd2\x44\x9a\xad\xe3\x89\x26\xa6\x43\x68\x72\x3a\x0e\x8a\x77\x7b\x32\x61\xc9\xc9\x7b\xae\x82\x5b\x55\x1b\xa9\x40\x55\x1a\x7e\x15\xe3\x01\x3d\xc0\x9a\x05\x22\x9d\x0c\x9a\xc6\x4e\xe1\x5e\xe3\xd4\x67\x42\x62\x89\x24\xc0\x9e\x63\x60\xcc\x43\x00\x6f\xb9\xa0\xe1\xc0\x6e\x55\x84\x63\x7c\xee\x00\x5e\xe2\x6c\xeb\xa7\x02\x95\xcb\xa5\x63\x7d\xfc\x98\x21\x14\x8e\xd7\x41\x50\x03\xd5\x18\x36\x84\x23\xae\x70\x8c\xfa\xc6\x38\xf2\xb8\xe1\xd3\xa7\x10\x11\xbd\xa8\x03\xac\xd2\xcf\xa4\x29\xea\x5f\xa0\x45\xfe\x07\x8f\x91\xeb\xe4\x5e\x7d\x51\xd4\x3f\x08\x30\x2d\x5f\x3b\x0c\xcc\x3e\xb7\xdc\x03\x81\x8b\x33\x56\x7e\x86\xf8\xe5\xdc\x40\x45\x15\x69\xa7\x95\x48\x58\xd2\x6d\xf8\x55\x49\x35\x27\x6f\x56\x54\xaf\xec\xf2\x40\xc7\xe8\x6c\x92\xec\xba\x4d\x3f\xf7\x58\x21\x31\x2d\x6a\x3b\x82\xe1\x8c\xc2\x34\xda\x5b\xac\xc2\x86\xef\x09\x24\xce\x23\xbd\x30\x70\x8d\xe5\x81\x32\x57\x4b\x54\x8c\x96\x28\xb5\x2d\x34\x29\x1d\x1c\x4a\x7f\xfd\xfe\x63\xde\x1f\xa9\xb5\xe0\xfa\x6e\x62\xf3\x52\x8a\x80\xc9\xcc\x97\xa7\xc5\x15\x40\x3f\xce\x89\x5a\xb7\x95\x63\x52\x66\xaf\x74\x6d\x89\xd2\xc9\x40\x58\xca\x38\x50\x1d\x86\xb4\xd6\x32\x4d\x0d\xf0\xd9\xc1\xe4\x7b\xbf\x83\x8b\xaa\x20\x6a\xa2\xec\x43\x97\x82\x8e\x99\x2f\xe9\x63\xb2\xe8\x37\x22\x80\x26\x27\
x62\x90\x30\x10\x6c\xf2\x0e\xc9\x8e\x24\x51\x47\xc9\x44\x26\x21\x4d\xdf\xb9\x79\x12\x06\x51\xad\xde\x14\xa4\x25\xfe\xf2\x9a\x20\xc0\xcc\x54\x60\x39\x3a\xcb\xdb\xa5\x7b\x3c\x38\x36\x62\x7e\x6a\x9c\x19\xa2\x34\x43\x12\xa9\xbc\x66\x1b\x76\x02\x85\x41\x5a\x28\x74\xe2\xf2\x18\x7b\x5c\x6d\xbf\x38\xb0\x59\x63\x6f\x9e\xd1\xde\x16\x92\xd3\xb8\x65\x04\xa7\xc1\xb6\x68\xe5\xaa\x0f\x87\xcf\x49\x7f\x0c\xab\x26\x6e\x4d\xb6\x4e\xc6\x46\x55\x80\xbe\x1d\x97\x24\x49\x47\x30\x46\x88\xcb\x35\x76\x49\x0b\x8d\xb0\x86\xb0\x89\x05\x82\x0e\xa9\xd9\x1d\xfc\x8f\x3b\x96\x6a\x9e\x56\x8d\x85\x6a\x9c\xce\x3f\x17\x31\xac\x16\xe4\xcf\x48\x71\x43\x34\xb6\xc7\xac\x35\x97\xfc\xae\x85\xd1\x79\x46\xb0\xae\x28\x99\x84\x5e\x96\x06\x6e\x0a\x64\x83\x85\xc9\x8e\xe5\xc1\x19\x39\x13\x56\xb2\x04\xac\xbd\x4a\x5c\x7c\xc2\xcb\xce\xec\xe0\xf5\x8d\xfb\x73\xfc\x30\xef\x7c\x17\x69\xb4\xf5\x6e\xd1\xb7\x7d\x76\x24\x8b\x0e\xa2\xa6\x6d\xb0\xe5\x21\x7b\x5d\x62\x42\x37\x19\x1a\xbe\x94\x86\xac\x0b\xd3\x2e\x3e\x73\x62\x33\x14\x41\x73\x4a\x8d\xd9\xed\x98\x3b\x92\xbf\x26\x47\x2c\x50\x21\xf8\xbe\xa1\x31\xec\xe4\x7c\x8f\x45\xe6\x8a\x25\xa8\xbe\xb4\x88\x58\x95\xc2\x79\x82\x30\x6d\xaf\xa1\xfa\xc9\x05\xb2\x76\xc2\xf6\x0c\xcd\xca\xbe\x2a\x5b\x32\x5b\x5c\x5d\x84\x82\xf3\x05\x66\x02\x44\xc3\x61\x71\x1f\x0e\xed\x77\x46\xc0\xda\xf9\x9d\xfd\xe3\x6c\xaf\xf2\x94\x05\x11\x82\xc5\xb6\x58\x9f\xc0\x70\x0b\x75\x1f\xb2\xb3\x80\x7f\x0b\xcb\xd2\x77\xa8\x44\xce\x82\xa5\x45\x58\xf5\x5c\xdd\x25\xa3\x0b\x22\x83\xab\xe5\x19\xc8\x27\xb1\x0a\xed\x61\x2f\x8a\xea\x3c\xb7\xac\xa8\xb3\x40\x28\xc0\xb3\x63\xc9\xac\xc5\x2d\xde\xa9\xe0\xc3\x4e\x8a\x5c\x90\x86\x9f\xe6\x0d\x28\x30\x7e\x35\xd3\xe4\x35\x82\xf3\x77\x3d\x46\x66\x9e\x43\x13\xa0\x7b\x12\xe7\xd6\xd5\x01\x43\x6f\x8e\x6f\x4b\xc3\x47\xb2\x91\x94\x14\x4d\x82\xc5\xda\xa9\x73\x0f\xea\x34\x66\xc3\x16\x72\x09\xf0\x96\x97\xda\x03\x4f\x86\xca\x9e\x5a\x7e\x28\xc0\x59\x99\xf4\x16\x1d\xca\x75\x18\x14\x04\x13\x50\x4b\xe2\xaa\x60\xef\x71\xb6\x64\x84\xfc\xa1\xb0\xbb\x11\xaf\xd5\x97\x55\xb9\x78\xdd\x29\x4e\x3d\xa8\x56\x55\
xb9\x0f\x05\xbe\x08\x23\xe2\x62\xaa\x69\x3c\x43\xbc\x23\xf4\x94\x8a\x60\x96\xff\xe1\xb5\x8e\x1b\xcd\x65\xb0\xdb\x70\xc6\x2a\x4f\x85\xd7\xdd\x4b\xe6\xcd\xdf\xea\xf1\x38\x38\x14\xa6\x72\x8b\x4c\x30\x1e\xab\x03\xb9\x50\xba\xc8\x67\x37\x5d\x1b\x6c\x61\xeb\x2f\x7f\xde\x96\x0b\x16\xf5\x94\x83\x79\xe2\x11\x5a\xb5\x40\x13\x56\xdb\x05\xa7\xdc\x30\xa2\x99\x98\x97\xb1\x63\xc7\x3d\x34\x80\x71\x06\xdf\xdc\xf7\xb7\xf9\xb9\xe7\x37\x7f\xc7\x22\x00\x3c\x86\x8c\xa5\xc1\x4a\x0e\x2f\x1d\x19\x40\xec\x6a\xef\xcf\x85\xfe\xd2\x07\x62\x2e\xd3\x81\x20\xc6\xa8\xaa\xd7\xb4\xe9\xe8\x7d\x5e\x4e\x9a\x6a\x55\xc6\xe1\x32\xe9\xe1\xe9\xa3\xa6\x2b\x4f\x7c\x6c\xe0\x09\x3f\x88\x65\x47\xdf\xc4\x8d\xe1\xd2\xe0\xc8\x5b\xf0\x1b\x49\xf9\x92\x41\xa3\x6d\x32\x4c\xdb\xad\xe5\x37\x7d\x5a\xa5\x73\x33\x77\xec\x7e\x97\xb7\xac\x54\x38\x7f\xd2\x93\x91\x31\x9d\x3f\x3b\xbc\xd0\x7b\x28\x70\xb9\x64\x6b\xf2\x83\x5b\x3a\xbb\x51\x21\xdc\x20\xa6\x38\xc6\xd0\xd6\x2b\x0a\x05\xd9\x4a\x5f\x1c\x03\xbf\xf6\xe8\x71\xa8\x4f\x9a\x7d\xef\xa1\x6f\x30\xcb\x8b\x3f\xf5\x7c\xb5\xa9\xb8\x95\x8b\x59\x21\x19\xcb\x0c\x80\x25\x13\xc1\x4a\xec\x2d\x27\xcf\xff\xbf\xb4\xe6\xa2\xa8\x40\xf8\xb0\xd7\x46\xa8\x3f\xa8\xbd\x22\x70\x21\xb0\x38\xf5\x0c\x41\x1f\x79\x22\xfb\x38\xec\x89\xf5\x1d\x71\xb7\xd3\xd9\xe2\x41\xdb\x1b\xe1\xb4\x50\x7e\x5b\x68\xfa\x1e\xe8\x9c\x21\x27\x44\x5e\x5d\x6e\xd4\xe7\x43\x3d\xe7\xbf\x4d\x72\xb7\xf7\xb1\xc9\xaa\x7c\x40\x8e\x4c\x10\x50\xce\x17\x74\x27\x98\x4f\x50\x35\xb5\x1e\x3a\xd5\x2b\x56\xd8\xaa\xf3\x8e\x56\x79\x30\xa7\x11\xc8\xdc\x34\x88\xff\xcd\xc1\xa5\x6f\xe1\xb4\xc5\xdf\x22\x67\x3b\xcc\x3e\x9c\xcd\xbb\x3a\xb6\x70\xa2\x45\x47\xf5\xde\xd4\x2d\xec\xfd\xdd\x52\x21\x04\x07\x5c\x37\xdd\xed\xe4\x60\x92\x5d\xcb\xc6\xe5\xef\x20\x60\x28\xaa\x7e\xa0\xc8\x4d\x60\xd9\x90\xfc\xd4\x8d\x76\xc9\xa4\x7b\xe6\x81\x92\x50\xd4\xd1\x0f\xce\xfc\x7a\x12\x4c\x6f\x3f\xaa\xf5\x1f\x7b\x67\xdc\xc2\xb3\x9a\xcf\x11\x9c\x8f\x89\xb9\x3b\x58\x39\x52\x47\xfa\x45\x9c\x1f\xfe\x6f\xc5\xa7\x0c\x32\xd5\x19\x6d\xa5\x93\xb3\x36\xbe\x04\x67\x16\x4e\xbb\xc9\x86\xfc\x14\
x5b\x32\xbb\x91\xa4\xc0\x58\x88\x4c\x82\xf5\xca\xcd\xa6\x2a\x43\x12\xbb\x35\x07\x0e\x74\xde\x2b\xba\x07\x64\x8b\x7e\xb9\xd9\xfa\xe8\x91\x64\x8f\x54\x32\xb6\xa7\xd5\x98\x6e\xf2\x02\x78\x72\xcf\x9e\x1a\x08\x6c\x57\x6a\xba\xc8\xdc\x40\x1a\xab\x0d\xa9\x3a\xbf\x0a\xb7\x1e\xcd\x9b\xb9\x6e\x39\x18\x03\x62\xa1\x0a\x21\x85\x07\x1e\xbb\x8c\xa2\xca\x8d\x97\x19\xd4\x7b\xfc\x18\xb6\x2f\x97\x71\xb9\x7d\xfe\xd7\x3b\x98\x23\x25\xeb\x94\x3d\x78\x5c\x78\x75\x00\xd5\xac\x0d\x26\xa9\xca\x90\xcc\x73\xc2\xac\xfe\x87\x2f\x4e\x32\xeb\x44\x39\x08\x3b\xdb\x32\x49\x70\x1d\xdd\xdb\x50\x0d\xf3\xf8\x96\xbb\x1f\x7a\x37\x06\xd6\x4b\xe1\x6d\x00\xf6\xfd\xcd\x6b\xf4\x1d\xf8\x65\x35\xf2\x98\xd2\xdd\x04\x31\x77\x74\xbd\x6b\x39\x03\xf3\x71\xd5\x9b\xe7\x19\xb7\xec\x1d\x00\x3b\x3c\x97\x05\xa8\xf7\x88\x89\xb8\xf7\xda\x0d\x46\xde\xfd\xce\xd2\xdf\x70\xd8\xcb\x45\x70\x82\x8b\xb2\x65\x49\xb5\x50\x11\x58\x9c\x73\xbe\xc4\x20\x7c\x8d\x59\xeb\xe1\x89\x6b\x37\x61\xc1\x85\xa1\x32", 4096); *(uint32_t*)0x20006c44 = 0x1000; *(uint32_t*)0x20006c48 = 0x8001; *(uint32_t*)0x20006c4c = 0x200066c0; memcpy((void*)0x200066c0, "\x31\xe3\xc3\xfa\x6d\x99", 6); *(uint32_t*)0x20006c50 = 6; *(uint32_t*)0x20006c54 = 0x3ff; *(uint32_t*)0x20006c58 = 0x20006700; memcpy((void*)0x20006700, "\x39\xde\x86\x3b\x71\x48\x20\x8e\x43\x2f\xcd\xdb\xd9\xe9\x14\x8e\x71\x6c\x1b\x48\xa3\x96\x7c\x87\x0c\x70\x14\x5d\x90\xed\x68\x1b\x3f\x8b\xce\x84\x9f\xee\x7f\x50\x09\x15\x70\x85\x4e\x20\x10\x37\x23\xe5\x64\x54\xe7\x11\x54\x3f\x6e\x2b\xe9\x2c\x34\x09\x0d\x8c\xc7\x92\x26\x0b\xe9\xb9\x60\xc1\xe4", 73); *(uint32_t*)0x20006c5c = 0x49; *(uint32_t*)0x20006c60 = 9; *(uint32_t*)0x20006c64 = 0x20006780; memcpy((void*)0x20006780, 
"\x17\xfa\xd5\x71\xf8\x0f\xec\xd3\x4a\x59\xbc\x03\xf6\xc0\x2b\xbd\x6d\x56\xcd\x8d\x95\x89\x24\xb4\xae\x41\x89\xb8\x8b\x85\x89\x7e\xfd\x4e\x59\x6e\x11\x18\xbb\x0c\x77\x1c\x2c\x5b\xa3\x7d\xed\x06\xd7\x81\x11\x39\x0c\x1c\x80\xcf\x6e\xa9\xdf\x87\x27\xf8\x85\x59\x81\x5e\xd7\x6b\x36\xfa\x13\xfb\x4d\x08\xe1\xcc\xda\xd7\x97\x3b\x5b\xec\x56\x55\xa7\x4a\x67\x1f\xde\x99\xee\x92\x39\x7c\x56\xd4\x09\xda\xdb\x10\xc4\xc3\x7e\xe9\x2c\xb4\x1d\x03\xae\x6f\xb1\x64\xe7\xf8\x69\x85\x03\x91\x28\xd3\x8b\xe8\x3b\x5e\x16\xc3\x5e\xe3\x4e\xb2\xb8\x39\x6c\x53\x48\x02\x87\x81\xa0\xa8\x79\xf8\x81\x59\x74\x0a\xb8\x97\x05\xd6\x37\xbe\xda\xfa\x91\x5f\x19\x5a\x15\x25\x97\xfa\x0d\x7d\xa9\xb7\x64\x76\x60\x2c\x6e\xee\xfc\xa1\xe8\x0a\x6d\x3d\x0e\xd1\xa7\x5b\x00\xf7\xa5\xe1\x53\xdd\x85\x1e\x23\x01\xc8\xda\xa7\xd4\x9b\x4a\xd9\x1c\x62\xd1\xa6\x96\x7f\x54\xcf\x96\x21\xc2\x40\xed\x58\x71\x92\xf6\x99\x59\xe0\x54\x07\x85\x0c\xe3\x83\x1c\x4e\x81\x1e\x6f\xff\x1c\xdf\x93\xcf\xab\xde\x88\x73\x58\x31\x68\x81\x84\x53\x56\xd7", 247); *(uint32_t*)0x20006c68 = 0xf7; *(uint32_t*)0x20006c6c = 0x26; *(uint32_t*)0x20006c70 = 0x20006880; memcpy((void*)0x20006880, "\xc2\x86\x96\x8e\x22\x38\x74\x2a\x47\xe0\xe8\xd4\x44\xa6\xa6\x61\xb7\x70\x82\x22\xf4\xed\xda\xb9\x7a\x74\x9d\xce\xbe\x2c\xc8\x3a\x31\x4b\x82\x87\x95\xf9\x15\xa3\x6d\x87\x3b\x71\x4a\xef\x15\xdd\xb1\xb4\xf6\x2f\x06\x80\x0b\xbe\x85\xea\xeb\xcb\x76\xab\xe9\x44\x71\x92\x49\xee\x79\x27\xc8\x8e\x78\xa9\x68\xe9\x3f\x45\xc5\x20\x13\xef\x97\xef\x6f\x98\x9b\x1d\x1c\xd3\x0f\xff\x88\x67\x79\x62\xc8\xf3\x05\x2a\xd0\xa4\x63\x1e\x4e\x75\x0b\xa8\x0f\x37\x53\x91\x6c\x2d\xff\xc6\xa4\x02\x3c\xdb\x62\xa1\xb5\xf2\xaf\xbb\x96\x5b\x2f\x78\xc5\xdd\x47\xaf\x90\xb0\x02\xda\x1a\x26\xa2\x4f\xcb\x99\xbf\x81\xfb\x29\x57\x4a\x2f\x98\x10\x7a\x79\x37\x63\x98\x73\xb9\x5f\x4a\x56\x9a\x04\x06\xcc\x35\x8b\x46\xef\xae\x58\x7e\x90\x08\xbe\x69\xd7\x11\xae\x20\x2c\x22\xe2\x9a\x2f\x61\x5f\xd2\x3d\xcf", 192); *(uint32_t*)0x20006c74 = 0xc0; *(uint32_t*)0x20006c78 = 0; *(uint32_t*)0x20006c7c = 0x20006940; 
memcpy((void*)0x20006940, "\x97\xfc\x4d\xd9\xdb\x67\x3e\x16\xfd\x0f\x0e\xb9\xa4\xa2\x6e\x2a\x49\xf4\x2e\x16\x16\x19\x0b\x06\x34\xdf\xd6\x13\x51\x45\xf4\xe4\x51\xbb\xba\xd5\x6d\xad\xf2\x66\x96\x4e\xba\x7d\x10\x07\xc0\xa2\x3f\x8c\xf0\x3d\x4f\x8f\xe0\x9a\x79\x89\x15\x2b\x7c\xf2\xec\x30\xf2\x69\x3a\x06\xbe\xfd\xf0\x23\xd7\x9f\x48\xc2\x08\xd7\x42\xc7\xb7\x59\x15\xbc\xc1\xbe\x58\x35\x17\xce\xd3\xb8\x26\xb9\x70\x75\xe6\x2a\x8e\xd1\x2d\xbb\x26\x48\x07\xc6\xff\xd0\x22\x76\x14\x49\x1f\xb9\xde\x0d\x8a\x92\x5a\x26\x38\xc3\x16\x08\xde\x40\x5b\xbf\x79\xe9\x6f\x17\x1f\xd5\x83\x38\xb1\xd6\x97\x9d\x33\xa7\xda\xe8\xad\x62\xf2\xba\x53\xfe\xfc\x3c", 152); *(uint32_t*)0x20006c80 = 0x98; *(uint32_t*)0x20006c84 = 0x20; *(uint32_t*)0x20006c88 = 0x20006a00; memcpy((void*)0x20006a00, "\x77\xd8\xd6\x06\xbf\xb4\x24\xe7\xb9\x95\x80\x9a\xb4\xf5\x59\x11\x5f\xd8\x2e\x97\x2d\x98\xb6\x51\xdf\xc6\x9b\x10\xdf\x60\x0f\xb4\xf7\x8e\xfd\x58\x6f\x9c\xc2\x6e\xdc\x41\xb1\xd2\xfa\xc8\x7e\xfe\x59\xe2\x62\x41\x1f\x27\xa9\x4c\xf7\x96\xed\x31\x23\x6b\x45\x7c\xa0\xf1\x47\x53\x0e\xfb\xd4\xcf\xa6\xb6\xa0\xfe\xe4\x6c\x25\xab\xcf\x7a\xd8\x28\x2a\xae\x52\x99\xe2\x99\x79\x9c\xd5\x2d\x0a\x58\xd7\xff\x9d\xdd\xd0\x10\x37\x24\xc8\x8d\xa9\x2d\xbe\xfa\xb6\x24\x80\x38\xab\xef\x9e\xc5\x22\x64\xaf\xc7\x48\x25\xf7\xea\x70\xb2\xca\x95\xd6\x90\x0f\x9b\x64\x7a\x3f\x98\x6e\x18\x28\x7c\xb2\xbf\x4b\x4c\x19\xef\xc8\xc2\x18\xfd\x90\x5c\x37\x27\xc8\x6c\x37\x02\x6b\xfb\xde\x3a\xf0\x78\xeb\x07\xb7\x98\xe6\xd3\xd8\xf2\xe4\xd5\xd3\xbc\x18\x8c\xdd\x20\xf2\xeb\xb1\x46\x1c\x5e\x53\xb0\x5f\x29\x89\xff\xac\x3b\x16\x8d\xee\x56\xda\x0f\xc0\x11\x97\x4c\x66\x0e\x40\x0a\xe2\xd8\xb2\xc8\x0a\xcb\x23\x15\x81\xee\x91\x76\x31\x29\xb2\x88\x8a\xeb\x12", 229); *(uint32_t*)0x20006c8c = 0xe5; *(uint32_t*)0x20006c90 = 0x800; *(uint32_t*)0x20006c94 = 0x20006b00; memcpy((void*)0x20006b00, "\x56\x0c\x1b\xea\x71\xb0\xf9\x72\x44\xfa\x38\x6d\x26\xbf\x6b\x1b\x04\x30\x8e\x4b\xc7\xff\xfa", 23); *(uint32_t*)0x20006c98 = 0x17; *(uint32_t*)0x20006c9c = 0x80000001; 
*(uint32_t*)0x20006ca0 = 0x20006b40; memcpy((void*)0x20006b40, "\x14\xe5\x5a\x14\xa7\x95\x33\x87\xee\x55\x33\x3c\x1d\x16\x94\xca\x98\xc7\x99\x9b\x49\x78\x86\x42\x76\x68\x05\xd6\xf5\xa2\x90\xeb\x1e\x95\x9e\xe3\x5a\x74\x04\x59\xe1\x33\x00\x26\x2f\x2a\xf9\xc3\x57\xf7\xa8\xc1\xcb\xa1\x87\xe4\x48\xbc\x3c\x8f\x86\x5c\xc9\xbe\x88\x62\x4f\xb0\xf0\xd0\xbb\x88\x5d\x9c\xc2\xab\xe1\x71\xa2\x47\x8a\x74\x20\xdb\x22\xe8\x60\x7e\x3f\xbe\xc7\xe2\x60\x1d\x9e\x11\x08\x6c\xfa\x8c\xf1\x4d\x99\x67\x6b\x67\x9d\x8d\x6b\xf1\xdd\x4f\xaa\xb8\xfe\x9a\x5f\x4e\x3f\x69\x5f\xe2\xe6\xab\xf0\x9f\x70\x26\x83\x80\x2d\x44\xcc\x3a\x29\x82\x55\xc4\xc5\x95\x33\x73\x1f\xf5\xb2\x3e\x05\x3a\xfb\x71\x6d\x58\xca\xd6\x67\x68\x6e\xe6\x47\xf4\x8e\x19\x9c\x9b\x5c\x3d\x0d\x2d\x47\x0f\x2c\xe1\xc5\xb8\xb5\x70\x8a\xe0\x23\xad\x98\x80\xca\xf3\x1d\x01\xf9\x6a\xeb\xbf\xcc\x7d\xf9\x53\x58\xa0\x16\xc5\x47\x1c\xc2\xce\x2c\xed\x61\x05\x05\x7c\x9d\x22\xc8\x16\x78\x90\xca\x19", 216); *(uint32_t*)0x20006ca4 = 0xd8; *(uint32_t*)0x20006ca8 = 0x400; syz_read_part_table(9, 9, 0x20006c40); break; case 40: *(uint8_t*)0x20006cc0 = 0x12; *(uint8_t*)0x20006cc1 = 1; *(uint16_t*)0x20006cc2 = 0x200; *(uint8_t*)0x20006cc4 = 0x62; *(uint8_t*)0x20006cc5 = 0xa5; *(uint8_t*)0x20006cc6 = 0xbe; *(uint8_t*)0x20006cc7 = 0x10; *(uint16_t*)0x20006cc8 = 0x2833; *(uint16_t*)0x20006cca = 0x211; *(uint16_t*)0x20006ccc = 0x37a4; *(uint8_t*)0x20006cce = 1; *(uint8_t*)0x20006ccf = 2; *(uint8_t*)0x20006cd0 = 3; *(uint8_t*)0x20006cd1 = 1; *(uint8_t*)0x20006cd2 = 9; *(uint8_t*)0x20006cd3 = 2; *(uint16_t*)0x20006cd4 = 0x6b4; *(uint8_t*)0x20006cd6 = 1; *(uint8_t*)0x20006cd7 = 0x20; *(uint8_t*)0x20006cd8 = 0; *(uint8_t*)0x20006cd9 = 0xa0; *(uint8_t*)0x20006cda = 1; *(uint8_t*)0x20006cdb = 9; *(uint8_t*)0x20006cdc = 4; *(uint8_t*)0x20006cdd = 0xdf; *(uint8_t*)0x20006cde = 0; *(uint8_t*)0x20006cdf = 0x10; *(uint8_t*)0x20006ce0 = -1; *(uint8_t*)0x20006ce1 = 1; *(uint8_t*)0x20006ce2 = 0; *(uint8_t*)0x20006ce3 = 5; *(uint8_t*)0x20006ce4 = 7; *(uint8_t*)0x20006ce5 = 
0x24; *(uint8_t*)0x20006ce6 = 1; *(uint8_t*)0x20006ce7 = 1; *(uint8_t*)0x20006ce8 = 1; *(uint16_t*)0x20006ce9 = 1; *(uint8_t*)0x20006ceb = 9; *(uint8_t*)0x20006cec = 0x24; *(uint8_t*)0x20006ced = 6; *(uint8_t*)0x20006cee = 0; *(uint8_t*)0x20006cef = 0; memcpy((void*)0x20006cf0, "\xfd\x50\x65\x08", 4); *(uint8_t*)0x20006cf4 = 5; *(uint8_t*)0x20006cf5 = 0x24; *(uint8_t*)0x20006cf6 = 0; *(uint16_t*)0x20006cf7 = 3; *(uint8_t*)0x20006cf9 = 0xd; *(uint8_t*)0x20006cfa = 0x24; *(uint8_t*)0x20006cfb = 0xf; *(uint8_t*)0x20006cfc = 1; *(uint32_t*)0x20006cfd = 0x40000000; *(uint16_t*)0x20006d01 = 8; *(uint16_t*)0x20006d03 = 0x4cc5; *(uint8_t*)0x20006d05 = 0x7f; *(uint8_t*)0x20006d06 = 7; *(uint8_t*)0x20006d07 = 0x24; *(uint8_t*)0x20006d08 = 0xa; *(uint8_t*)0x20006d09 = 8; *(uint8_t*)0x20006d0a = 0x3f; *(uint8_t*)0x20006d0b = 0; *(uint8_t*)0x20006d0c = 0x81; *(uint8_t*)0x20006d0d = 0x10; *(uint8_t*)0x20006d0e = 0x24; *(uint8_t*)0x20006d0f = 7; *(uint8_t*)0x20006d10 = 0x80; *(uint16_t*)0x20006d11 = 5; *(uint16_t*)0x20006d13 = 0x44; *(uint16_t*)0x20006d15 = 2; *(uint16_t*)0x20006d17 = 0x800; *(uint16_t*)0x20006d19 = 0x101; *(uint16_t*)0x20006d1b = 4; *(uint8_t*)0x20006d1d = 4; *(uint8_t*)0x20006d1e = 0x24; *(uint8_t*)0x20006d1f = 2; *(uint8_t*)0x20006d20 = 4; *(uint8_t*)0x20006d21 = 8; *(uint8_t*)0x20006d22 = 0x24; *(uint8_t*)0x20006d23 = 0x1c; *(uint16_t*)0x20006d24 = 0; *(uint8_t*)0x20006d26 = 0xc0; *(uint16_t*)0x20006d27 = 0x5325; *(uint8_t*)0x20006d29 = 6; *(uint8_t*)0x20006d2a = 0x24; *(uint8_t*)0x20006d2b = 0x1a; *(uint16_t*)0x20006d2c = 0x7f; *(uint8_t*)0x20006d2e = 0; *(uint8_t*)0x20006d2f = 9; *(uint8_t*)0x20006d30 = 5; *(uint8_t*)0x20006d31 = 5; *(uint8_t*)0x20006d32 = 0; *(uint16_t*)0x20006d33 = 0xb5a2; *(uint8_t*)0x20006d35 = 6; *(uint8_t*)0x20006d36 = 0; *(uint8_t*)0x20006d37 = 5; *(uint8_t*)0x20006d38 = 7; *(uint8_t*)0x20006d39 = 0x25; *(uint8_t*)0x20006d3a = 1; *(uint8_t*)0x20006d3b = 0x82; *(uint8_t*)0x20006d3c = 0xe9; *(uint16_t*)0x20006d3d = 0xf000; 
*(uint8_t*)0x20006d3f = 9; *(uint8_t*)0x20006d40 = 5; *(uint8_t*)0x20006d41 = 0xe; *(uint8_t*)0x20006d42 = 2; *(uint16_t*)0x20006d43 = 0x200; *(uint8_t*)0x20006d45 = 8; *(uint8_t*)0x20006d46 = 7; *(uint8_t*)0x20006d47 = 0x40; *(uint8_t*)0x20006d48 = 9; *(uint8_t*)0x20006d49 = 5; *(uint8_t*)0x20006d4a = 0; *(uint8_t*)0x20006d4b = 0x7e; *(uint16_t*)0x20006d4c = 0x200; *(uint8_t*)0x20006d4e = 8; *(uint8_t*)0x20006d4f = 3; *(uint8_t*)0x20006d50 = 1; *(uint8_t*)0x20006d51 = 0x9b; *(uint8_t*)0x20006d52 = 0x21; memcpy((void*)0x20006d53, "\xf2\xef\x0a\x5c\x06\x9c\xdb\x31\x91\x38\xe1\x85\x06\x1d\x7e\x19\x6a\xe9\x4e\x53\x5d\x80\xf2\x76\x66\xfb\xa2\x3b\x37\x43\x25\xf1\x5d\xc5\xf2\x08\x12\xfe\x05\xb0\x62\x0f\x6f\xfc\xb8\x10\x03\xb1\xf3\x9c\x5d\xcd\x1b\xff\x14\xe2\xbb\xeb\x38\x73\x35\xa3\x53\x4f\x5a\xdb\x60\xff\xc4\xf2\x85\x95\xc8\xf9\x92\xf7\x7f\xd5\xf6\x7a\x04\x84\x2b\x9c\x43\x64\xe3\x55\x6b\xe9\xba\xcb\x8f\xd5\x6e\xd7\x78\x59\x29\x11\x53\xf6\xc5\x66\x02\x63\x63\xbf\xa5\xf2\xe6\xff\x2f\xa6\xd2\x93\x17\xf2\xd5\x62\x44\x53\x64\x93\x99\x15\xa7\x5d\xd7\x36\x5f\x6a\xb9\xc1\x5d\xdb\xc7\xc3\xa4\x5f\x7e\xb9\x8f\xd1\xfe\xa3\x55\x1b\xbd\x46\xf2\x0a\x87", 153); *(uint8_t*)0x20006dec = 9; *(uint8_t*)0x20006ded = 5; *(uint8_t*)0x20006dee = 0x80; *(uint8_t*)0x20006def = 1; *(uint16_t*)0x20006df0 = 0x3ff; *(uint8_t*)0x20006df2 = 1; *(uint8_t*)0x20006df3 = 0x20; *(uint8_t*)0x20006df4 = 0xef; *(uint8_t*)0x20006df5 = 0xec; *(uint8_t*)0x20006df6 = 6; memcpy((void*)0x20006df7, 
"\xf6\x42\x24\x6a\x53\x72\x99\x1d\xb9\x7e\x58\x24\xa4\x10\xe2\x83\x00\xd3\xbd\x15\x36\x38\xf6\xda\xc6\xe1\x18\x9a\x0c\x56\x0a\x0a\x0e\x5f\x8b\x15\xe0\x78\x79\xac\x95\x01\x65\x15\x20\x26\x46\xa7\xb5\xb5\xfc\x74\xb7\xcd\x40\xd5\x15\xb2\x84\x9d\x8c\x1d\xd9\xae\x4f\xca\x16\xc2\xe6\xcf\x0e\x8a\x20\xce\x54\xf0\x5f\xa1\x23\xc0\x19\x20\x8c\xb3\x4b\x5e\xe5\x61\xc2\x74\xea\x40\xa7\xb3\x4e\x58\x13\xa4\xa2\x9b\xe4\x08\x17\xeb\x1f\x7b\x3e\x9b\xef\x60\xf7\xc5\x66\x57\x48\x12\x36\xb9\x3e\x2c\x29\x7f\x17\xc7\x76\xb9\x8f\x1d\x0c\x8f\x2a\x56\x44\x77\x66\xc7\x28\x8b\xa6\xb1\xe3\x85\xb8\x4a\x51\x6a\x98\xab\x72\x9b\xa7\x0e\x31\xfe\xe3\xaa\xb1\x01\xd5\x90\xa4\x48\x1a\xe5\x85\x63\x26\xc6\x82\x5b\x73\xc7\xae\x7d\x3b\x99\xcb\x3c\x59\xdb\x31\xa1\x27\x26\x23\x4b\x90\x05\x84\xe8\xdb\x77\x93\x52\x18\x8d\x12\xc9\x32\xd4\xaa\xcb\x59\xee\xf3\x3d\x33\xb9\x55\x05\x10\xcf\x2b\x49\xda\x74\x7e\x03\x1c\x83\x11\x7b\x51\x1a\x1b\xb9\x3e\xd7\x6c\x71\x6e\x6a\x02\x54", 234); *(uint8_t*)0x20006ee1 = 7; *(uint8_t*)0x20006ee2 = 0x25; *(uint8_t*)0x20006ee3 = 1; *(uint8_t*)0x20006ee4 = 0; *(uint8_t*)0x20006ee5 = 6; *(uint16_t*)0x20006ee6 = 0x40; *(uint8_t*)0x20006ee8 = 9; *(uint8_t*)0x20006ee9 = 5; *(uint8_t*)0x20006eea = 1; *(uint8_t*)0x20006eeb = 0; *(uint16_t*)0x20006eec = 0x100; *(uint8_t*)0x20006eee = 0xfe; *(uint8_t*)0x20006eef = 8; *(uint8_t*)0x20006ef0 = 0x37; *(uint8_t*)0x20006ef1 = 0xe9; *(uint8_t*)0x20006ef2 = 0x23; memcpy((void*)0x20006ef3, 
"\x1a\x0e\x35\x42\x85\x7d\x49\xea\x63\xb7\x26\x1e\xbf\xc1\x9f\x14\x27\x2e\x28\x4d\x26\x65\xd2\x79\x5e\x43\xf6\xf9\xca\x62\x77\x6c\x9e\xe5\x2d\x99\x18\x79\xd7\xd6\x7b\x4d\x8b\x27\x0f\xd5\x15\x98\xbe\xac\x1c\x03\x39\xb2\x25\x7a\xd6\x8c\x1d\xde\x54\x88\x5a\xe2\xd2\x19\xb8\x7c\xde\x15\x9a\x98\x97\xc8\x8b\xda\x26\xe0\x8a\x36\x91\x05\x50\x22\x73\x9c\x1f\xe6\x4a\xdb\x98\x63\x9d\xc2\x54\x21\xc4\x49\xcf\x36\x48\x00\xc4\xc3\x65\x06\x2f\x24\x88\xe6\x90\x1e\x56\xe6\x2f\x4b\x70\x3e\xae\x7a\xf2\x62\x98\xa1\xee\xe1\xbf\xe6\x2d\x9b\x2a\xe3\x53\x20\xae\x2b\xaf\x17\x4e\x94\xff\x55\x32\x10\x97\xbe\x81\xe0\x27\x9f\x5d\x0a\xa8\x4d\xd1\x8c\xa0\x86\x4d\x98\xd0\xed\xbb\xea\xa1\x9d\xdf\x36\x26\xfd\x83\xa2\xe2\xb5\xf6\x76\xa7\x34\xd4\x78\x4b\x3c\x68\x77\xfd\x1b\xb3\xc9\x54\x3d\xf7\xab\xda\x9b\xd9\xc9\xbe\x40\x59\x49\x74\x7e\x21\x07\x3c\x18\x95\x7f\xff\x0e\xaa\xc0\x27\x3c\xfd\x3f\x70\x2c\xb6\x55\x97\x94\x9a\x17\x27\x26\xf7\xe4\x59\x53\x6c", 231); *(uint8_t*)0x20006fda = 0x18; *(uint8_t*)0x20006fdb = 0x10; memcpy((void*)0x20006fdc, "\xa0\x28\x90\x17\xf3\xf4\x33\xf1\x10\x59\x48\x9a\x61\x11\x58\x23\xe1\x13\x8a\xe8\x4a\x34", 22); *(uint8_t*)0x20006ff2 = 9; *(uint8_t*)0x20006ff3 = 5; *(uint8_t*)0x20006ff4 = 0xe; *(uint8_t*)0x20006ff5 = 4; *(uint16_t*)0x20006ff6 = 0x10; *(uint8_t*)0x20006ff8 = 0x67; *(uint8_t*)0x20006ff9 = 3; *(uint8_t*)0x20006ffa = 8; *(uint8_t*)0x20006ffb = 7; *(uint8_t*)0x20006ffc = 0x25; *(uint8_t*)0x20006ffd = 1; *(uint8_t*)0x20006ffe = 1; *(uint8_t*)0x20006fff = 0x80; *(uint16_t*)0x20007000 = 0x2e6; *(uint8_t*)0x20007002 = 9; *(uint8_t*)0x20007003 = 5; *(uint8_t*)0x20007004 = 0xd; *(uint8_t*)0x20007005 = 4; *(uint16_t*)0x20007006 = 0x200; *(uint8_t*)0x20007008 = 0x48; *(uint8_t*)0x20007009 = 0x35; *(uint8_t*)0x2000700a = 8; *(uint8_t*)0x2000700b = 0xe5; *(uint8_t*)0x2000700c = 5; memcpy((void*)0x2000700d, 
"\x30\xef\xe9\xc1\xa6\xe5\xc8\x9c\x20\x31\x21\x4c\x60\xfb\xbe\xaa\x45\x78\x09\x1e\x38\x00\x9c\x76\x1d\x15\x77\x48\x02\x93\x4c\xfd\x36\x35\x5b\x35\x18\xcc\xfe\x59\xfa\x5e\x7c\xce\xe3\xc1\x3a\xc4\xaf\xfb\xe0\x73\xe0\xe7\x88\xc9\xb5\xe3\x22\x16\xef\xbf\x02\xe3\x58\x69\xd7\xb2\x33\xa3\x89\xf8\x12\xbf\xd8\x49\x43\x3c\x32\x84\x66\xed\xa5\xe0\xe3\x23\x75\x29\xcd\xc6\x5e\x4e\xee\x74\x3d\x31\xff\xc1\x86\xa1\xfe\x79\x4b\xdf\x13\x64\xf3\x1e\xae\xff\x39\x82\x9e\x8f\x61\x44\x85\x0d\x74\x70\xcc\x71\x57\x2d\x1f\x2f\x23\xdc\xcd\xbc\xdd\x99\xe4\x93\x0d\xe7\xed\xbf\x59\xb3\x38\xdb\x34\x90\x30\x5f\xd7\x71\x02\x57\x98\x0b\x7f\x76\xb8\xda\xea\xcb\x2a\xd6\x18\x13\x1f\xb9\xb5\xa3\xe0\x26\xc9\xdd\xbd\x69\x48\x3c\xd7\x94\xca\xad\x29\xf2\xe3\xb6\x31\x24\xa9\x52\xb4\x62\xde\x0c\xd9\x51\xd7\xef\xd9\xb3\xb2\x91\x07\xb6\x41\x41\x7e\x77\x83\xd9\x01\x59\x13\x7f\xa5\x27\x3a\x95\xe0\xcc\x46\xc9\x7c\x22\x46\xe6\x11\xac\xb1\x4b\x4d", 227); *(uint8_t*)0x200070f0 = 9; *(uint8_t*)0x200070f1 = 5; *(uint8_t*)0x200070f2 = 3; *(uint8_t*)0x200070f3 = 0x10; *(uint16_t*)0x200070f4 = 8; *(uint8_t*)0x200070f6 = 0; *(uint8_t*)0x200070f7 = 0x33; *(uint8_t*)0x200070f8 = 9; *(uint8_t*)0x200070f9 = 9; *(uint8_t*)0x200070fa = 5; *(uint8_t*)0x200070fb = 2; *(uint8_t*)0x200070fc = 0xc; *(uint16_t*)0x200070fd = 0x400; *(uint8_t*)0x200070ff = 0xed; *(uint8_t*)0x20007100 = 7; *(uint8_t*)0x20007101 = 9; *(uint8_t*)0x20007102 = 0x84; *(uint8_t*)0x20007103 = 0x31; memcpy((void*)0x20007104, "\xee\x4c\xd2\x19\x15\x4d\xf4\x91\xc4\xd3\x2a\xa3\x21\x12\xcf\xf4\x07\x51\x1b\x06\xb1\x7f\x74\x34\x09\xec\xc2\x16\xc3\x1e\x92\xce\xfa\x2b\x5c\xc5\x9e\x63\x4d\x7a\xeb\xa2\xc9\xe5\xe3\x6d\x8e\xfa\xdc\x02\x55\x17\x25\x18\xf9\x09\xb4\xe1\xa7\xda\xf4\xd9\x88\xb1\xee\xaf\x19\x6c\x76\xee\x90\x2b\x65\x7d\x12\xfc\x23\xc2\x1e\x17\x6c\xd1\x49\xe9\x8a\x8d\x8d\x57\x55\xb7\x4f\xed\x1a\x42\x84\xbc\xfd\x6e\x69\x61\x95\x1f\xf8\x21\x6f\x7b\xb4\x2f\x79\x0e\xdd\x53\x9c\x1b\xc5\xbb\xac\x44\xf7\x67\xa6\x85\xc5\x7c\xbb\xde\xc8\x30\xc5\x2c", 130); 
*(uint8_t*)0x20007186 = 7; *(uint8_t*)0x20007187 = 0x25; *(uint8_t*)0x20007188 = 1; *(uint8_t*)0x20007189 = 0x83; *(uint8_t*)0x2000718a = 1; *(uint16_t*)0x2000718b = 0xfe01; *(uint8_t*)0x2000718d = 9; *(uint8_t*)0x2000718e = 5; *(uint8_t*)0x2000718f = 3; *(uint8_t*)0x20007190 = 0; *(uint16_t*)0x20007191 = 0x40; *(uint8_t*)0x20007193 = 2; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 9; *(uint8_t*)0x20007197 = 5; *(uint8_t*)0x20007198 = 0; *(uint8_t*)0x20007199 = 0; *(uint16_t*)0x2000719a = 0x400; *(uint8_t*)0x2000719c = 0; *(uint8_t*)0x2000719d = 0x2f; *(uint8_t*)0x2000719e = 4; *(uint8_t*)0x2000719f = 9; *(uint8_t*)0x200071a0 = 5; *(uint8_t*)0x200071a1 = 0x8f; *(uint8_t*)0x200071a2 = 8; *(uint16_t*)0x200071a3 = 8; *(uint8_t*)0x200071a5 = 0x81; *(uint8_t*)0x200071a6 = 1; *(uint8_t*)0x200071a7 = 0x7f; *(uint8_t*)0x200071a8 = 7; *(uint8_t*)0x200071a9 = 0x25; *(uint8_t*)0x200071aa = 1; *(uint8_t*)0x200071ab = 0; *(uint8_t*)0x200071ac = 9; *(uint16_t*)0x200071ad = 0xfb; *(uint8_t*)0x200071af = 7; *(uint8_t*)0x200071b0 = 0x25; *(uint8_t*)0x200071b1 = 1; *(uint8_t*)0x200071b2 = 0x81; *(uint8_t*)0x200071b3 = 7; *(uint16_t*)0x200071b4 = 3; *(uint8_t*)0x200071b6 = 9; *(uint8_t*)0x200071b7 = 5; *(uint8_t*)0x200071b8 = 2; *(uint8_t*)0x200071b9 = 0; *(uint16_t*)0x200071ba = 0x400; *(uint8_t*)0x200071bc = 0x40; *(uint8_t*)0x200071bd = 0x76; *(uint8_t*)0x200071be = 3; *(uint8_t*)0x200071bf = 7; *(uint8_t*)0x200071c0 = 0x25; *(uint8_t*)0x200071c1 = 1; *(uint8_t*)0x200071c2 = 0x80; *(uint8_t*)0x200071c3 = 0x31; *(uint16_t*)0x200071c4 = 8; *(uint8_t*)0x200071c6 = 9; *(uint8_t*)0x200071c7 = 5; *(uint8_t*)0x200071c8 = 0xf; *(uint8_t*)0x200071c9 = 0x10; *(uint16_t*)0x200071ca = 0x3ff; *(uint8_t*)0x200071cc = 6; *(uint8_t*)0x200071cd = 0xb2; *(uint8_t*)0x200071ce = 6; *(uint8_t*)0x200071cf = 7; *(uint8_t*)0x200071d0 = 0x25; *(uint8_t*)0x200071d1 = 1; *(uint8_t*)0x200071d2 = 0x82; *(uint8_t*)0x200071d3 = 0x80; *(uint16_t*)0x200071d4 = 6; 
*(uint8_t*)0x200071d6 = 9; *(uint8_t*)0x200071d7 = 5; *(uint8_t*)0x200071d8 = 0xf; *(uint8_t*)0x200071d9 = 0x10; *(uint16_t*)0x200071da = 0x200; *(uint8_t*)0x200071dc = 6; *(uint8_t*)0x200071dd = 6; *(uint8_t*)0x200071de = 0xca; *(uint8_t*)0x200071df = 7; *(uint8_t*)0x200071e0 = 0x25; *(uint8_t*)0x200071e1 = 1; *(uint8_t*)0x200071e2 = 0x81; *(uint8_t*)0x200071e3 = 0x20; *(uint16_t*)0x200071e4 = 3; *(uint8_t*)0x200071e6 = 9; *(uint8_t*)0x200071e7 = 5; *(uint8_t*)0x200071e8 = 0x80; *(uint8_t*)0x200071e9 = 0x10; *(uint16_t*)0x200071ea = 0x400; *(uint8_t*)0x200071ec = 1; *(uint8_t*)0x200071ed = 0xfc; *(uint8_t*)0x200071ee = 4; *(uint8_t*)0x200071ef = 0xd4; *(uint8_t*)0x200071f0 = 0x21; memcpy((void*)0x200071f1, "\x28\xa1\xdf\xa1\xd2\x8f\x9a\xe6\x0d\x0a\x8e\x9e\x3c\x51\x2d\xb3\x53\x69\xd4\x79\xfa\x6e\x6a\xa0\x99\xe2\x67\xe1\xce\xd7\x7c\xa2\xe1\x80\xb4\x29\x77\x90\x23\xa8\x72\xb0\xef\x88\x07\xe1\x1f\x8b\x8b\x21\xb8\x11\xd4\xfe\x55\x27\x33\x5c\xe8\x6e\x3a\x95\xcd\xf9\x60\xd1\xe7\x9e\x88\xc2\x76\xc1\x74\xd1\x83\xd2\xf3\xbc\x08\x62\xdd\x7e\x1d\x29\xac\x58\x9c\xeb\x22\x02\x4e\x25\xa4\x4c\x3e\x81\x23\x58\x1d\x14\x48\xfd\x2d\xb5\x33\x2f\xe4\x1c\x23\xf9\xaa\x95\x95\x64\xf3\x2d\xb1\xda\x14\x61\x04\x15\xdd\xc2\x93\xdc\x57\xc9\xd6\xc7\x75\xd2\x21\x51\xbd\xab\x23\x6a\x5a\x73\x59\x2e\x55\x18\x05\x57\x28\xae\x81\x9e\x25\xc0\x80\xcb\xb9\xbf\x02\x03\xb6\x63\x9b\x8f\xd8\xd7\x16\xd9\xc5\x71\xd6\xb2\x60\xea\x29\x77\x33\xd5\x3c\x3a\x05\x44\x9b\x9b\x92\x21\xd0\xf4\x02\x61\x0c\x98\x37\x18\x9f\x9c\x6a\xb3\xba\xaf\x03\x1d\x48\x69\x26\x90\xc9\x98\x1c\xee\x14\x26", 210); *(uint8_t*)0x200072c3 = 0xc3; *(uint8_t*)0x200072c4 = 6; memcpy((void*)0x200072c5, 
"\x60\xed\x98\x57\x6f\xbb\xbe\xe3\xdb\x67\xd5\x35\xea\x7e\x1a\x19\xd9\x2d\x68\x9e\x2f\x03\x30\x8a\x61\x5a\x56\x41\xe7\x2e\x69\x4d\x99\x6f\x76\xc1\x11\x1c\x88\xc5\x07\xc3\x9a\x87\xf3\x4a\x36\x82\xda\xfb\xfe\x58\x3b\x79\xf5\xb9\x50\xa3\x06\x14\x16\x2c\x60\x5f\x7e\x6c\x5d\x45\x2b\x4f\x84\xa1\x45\xf2\x0b\xf4\x47\x0d\xdf\x43\xf0\x6c\x41\x5d\xc6\xc4\x15\x51\xfd\x45\x8b\xa6\xae\xdf\x57\xd7\x4c\xb8\x5a\x25\xe4\x33\x24\x81\x4b\x62\xc3\xbe\x41\x08\xb1\xea\x5b\x9d\xd2\x2a\x78\xa4\x5c\xdf\x5d\x8f\x27\xc1\x1f\x35\x02\x6b\xf7\xef\x10\xc7\xd1\xf0\x61\x5f\xe1\xc4\x4a\x30\x2a\x84\xd8\x8b\x8d\x6c\x2d\x85\x04\x9c\x9f\x48\xa0\x4b\x4e\x61\x80\x1c\x01\x7f\x60\x9b\x67\x3f\xc8\x29\x0f\x73\x62\xa0\xed\x35\x88\x2a\x33\x5b\x65\x7f\x83\x5f\xce\x8e\x20\x10\x0c\xde\x82\xc1\xa3\xdc\x18\x06\x11", 193); *(uint32_t*)0x20007740 = 0xa; *(uint32_t*)0x20007744 = 0x200073c0; *(uint8_t*)0x200073c0 = 0xa; *(uint8_t*)0x200073c1 = 6; *(uint16_t*)0x200073c2 = 0x310; *(uint8_t*)0x200073c4 = 5; *(uint8_t*)0x200073c5 = 0x80; *(uint8_t*)0x200073c6 = -1; *(uint8_t*)0x200073c7 = 0xbf; *(uint8_t*)0x200073c8 = 5; *(uint8_t*)0x200073c9 = 0; *(uint32_t*)0x20007748 = 5; *(uint32_t*)0x2000774c = 0x20007400; *(uint8_t*)0x20007400 = 5; *(uint8_t*)0x20007401 = 0xf; *(uint16_t*)0x20007402 = 5; *(uint8_t*)0x20007404 = 0; *(uint32_t*)0x20007750 = 5; *(uint32_t*)0x20007754 = 0xa8; *(uint32_t*)0x20007758 = 0x20007440; *(uint8_t*)0x20007440 = 0xa8; *(uint8_t*)0x20007441 = 3; memcpy((void*)0x20007442, 
"\x05\x84\xbd\xdc\x14\x96\x71\xf9\xe6\xc6\xcd\x12\x3b\x79\x6c\xaf\xe2\xeb\x5d\x2b\xd3\xcf\x65\xe3\xeb\x0f\x3a\x60\x1a\xba\x71\x64\x71\x3d\x40\x42\x65\x3f\x2c\xca\x18\x22\x07\xd4\xe7\xff\xa8\xbc\x71\xe7\x05\xaa\x48\xbc\xff\x03\xfd\xdd\x2e\x3e\x6b\xeb\xe1\x1c\xb6\x1f\x95\xfa\xf1\x4a\xfd\xf2\x94\x40\x02\x1e\x85\x1f\xb6\x82\xaa\x24\xe6\x24\xe8\x33\x95\x2d\xb6\xd1\xf9\x6a\xa7\xed\xfc\x74\xce\x50\x13\x59\x69\x4c\x75\x83\xeb\x5e\x48\xdf\xe2\x27\xd2\x10\x5d\x5e\x3d\x23\x59\xe3\xc7\x28\xa4\x8a\xdf\xf0\x9b\x11\x32\xf9\x28\x89\x3c\xee\xfa\xe6\x77\x00\x98\x3b\xe1\xca\x94\xe8\x18\xe7\xa1\x46\x3c\x80\x2f\x1f\xc2\xa7\x2d\x40\x90\x09\x33\x40\x3d\x7b\x25\x5a\x35\xd9\xdc\x33", 166); *(uint32_t*)0x2000775c = 4; *(uint32_t*)0x20007760 = 0x20007500; *(uint8_t*)0x20007500 = 4; *(uint8_t*)0x20007501 = 3; *(uint16_t*)0x20007502 = 0x42c; *(uint32_t*)0x20007764 = 0xf4; *(uint32_t*)0x20007768 = 0x20007540; *(uint8_t*)0x20007540 = 0xf4; *(uint8_t*)0x20007541 = 3; memcpy((void*)0x20007542, "\x1c\x53\x71\x17\xdc\x72\x0a\xf3\xcc\xf1\x08\x68\x7c\x86\xcb\x54\x4b\xc8\x85\x37\x9e\x43\x5d\xbb\x86\x1b\xc9\xa0\x15\x50\x59\x2e\x60\x08\xae\x94\xa1\xf9\x83\x17\xad\x9c\xd8\x04\x01\x6b\x07\x9b\x5e\xc2\x94\xdc\xaf\x45\x37\xcf\x5b\x68\xc3\xc4\x35\x37\x54\xca\xf3\x69\xba\x34\x10\x1c\xbd\x21\x92\x6b\x15\xce\xf6\x7a\xb6\x3e\xad\x40\xab\xfb\xef\x86\x7b\x37\x2f\xe2\x78\x18\x66\xf8\x7a\x2d\xcc\xf9\x8f\xfe\x66\x53\x1c\x1d\x50\x21\x40\x6c\x69\xce\x84\xb4\x39\x13\x0c\xac\x71\xf5\x25\x64\xb7\xc8\xfa\x62\x1d\x71\xd5\xff\x00\x15\x17\x59\x3f\x05\x9d\xa0\xcb\x82\xf1\xfd\x5e\x32\x7d\xf9\xab\xec\x49\x46\xe3\x4e\x20\xd3\xf1\xdf\x8f\x4a\x04\x22\xf9\xbb\x53\x89\x49\xb4\xa1\x4d\x1b\x3a\xfd\x67\x93\xe8\x1d\x3b\xa5\x96\xd1\x6d\x8c\xee\x0e\x70\x03\x14\xe5\x31\xe6\x02\xfe\x5c\xb8\x32\xb2\x2c\x7a\x2f\x9f\x36\xf3\x9d\x05\x38\x76\x47\x81\x57\xd5\x41\xe8\xc0\x97\x7a\x9a\xca\xf6\x91\xf1\x23\x4f\x66\x5d\x23\x4f\x82\xee\x90\xff\x89\x82\xd9\xc1\x37\x1a\x15\xdd\xc8\xed\x23\x92\xdd\x5a\x96", 242); *(uint32_t*)0x2000776c = 0x98; 
*(uint32_t*)0x20007770 = 0x20007640; *(uint8_t*)0x20007640 = 0x98; *(uint8_t*)0x20007641 = 3; memcpy((void*)0x20007642, "\x07\x8c\xbe\xfd\x67\x79\x6b\x8d\x00\xc6\xa0\x27\xe5\xd0\x7b\xc3\xb0\x07\x56\xac\xaf\xb9\x09\x6e\x3e\x38\x1a\x99\xfd\xbe\x8a\x51\x61\xca\x19\xa9\x62\x8d\x61\xba\xef\xd6\x97\x2b\x48\xf5\xe0\x4b\x0f\xa6\xe2\xb9\x9c\xca\x8d\xf5\xb5\x0d\xbd\x97\xd6\x56\xc0\x2f\x85\x83\xa5\x8c\xe8\xcb\xd3\x5c\x69\xfb\x3f\x86\xde\x0d\xda\xc9\x0f\x5b\xe8\xd4\xf0\x4a\x3a\xd4\xf3\x12\x93\xb5\x09\x95\x91\x39\xbe\xa0\xf3\x06\x7d\x0e\xbf\xa3\xc5\xb2\x10\xe1\x99\x30\x78\xb0\xae\x92\x95\x61\xfc\x77\x34\x86\x9b\x3d\xd8\xd8\x12\xc0\x0a\x30\x35\x23\x61\x66\xa3\x12\x27\xae\x29\x1e\x69\x6a\xb4\xf8\x1f\x4e\x3f\x02\xd6\xb2\xf3\x34", 150); *(uint32_t*)0x20007774 = 4; *(uint32_t*)0x20007778 = 0x20007700; *(uint8_t*)0x20007700 = 4; *(uint8_t*)0x20007701 = 3; *(uint16_t*)0x20007702 = 0x43e; syz_usb_connect(2, 0x6c6, 0x20006cc0, 0x20007740); break; case 41: *(uint8_t*)0x20007780 = 0x12; *(uint8_t*)0x20007781 = 1; *(uint16_t*)0x20007782 = 0x200; *(uint8_t*)0x20007784 = -1; *(uint8_t*)0x20007785 = -1; *(uint8_t*)0x20007786 = -1; *(uint8_t*)0x20007787 = 0x40; *(uint16_t*)0x20007788 = 0xcf3; *(uint16_t*)0x2000778a = 0x9271; *(uint16_t*)0x2000778c = 0x108; *(uint8_t*)0x2000778e = 1; *(uint8_t*)0x2000778f = 2; *(uint8_t*)0x20007790 = 3; *(uint8_t*)0x20007791 = 1; *(uint8_t*)0x20007792 = 9; *(uint8_t*)0x20007793 = 2; *(uint16_t*)0x20007794 = 0x48; *(uint8_t*)0x20007796 = 1; *(uint8_t*)0x20007797 = 1; *(uint8_t*)0x20007798 = 0; *(uint8_t*)0x20007799 = 0x80; *(uint8_t*)0x2000779a = 0xfa; *(uint8_t*)0x2000779b = 9; *(uint8_t*)0x2000779c = 4; *(uint8_t*)0x2000779d = 0; *(uint8_t*)0x2000779e = 0; *(uint8_t*)0x2000779f = 6; *(uint8_t*)0x200077a0 = -1; *(uint8_t*)0x200077a1 = 0; *(uint8_t*)0x200077a2 = 0; *(uint8_t*)0x200077a3 = 0; *(uint8_t*)0x200077a4 = 9; *(uint8_t*)0x200077a5 = 5; *(uint8_t*)0x200077a6 = 1; *(uint8_t*)0x200077a7 = 2; *(uint16_t*)0x200077a8 = 0x200; *(uint8_t*)0x200077aa = 0; 
*(uint8_t*)0x200077ab = 0; *(uint8_t*)0x200077ac = 0; *(uint8_t*)0x200077ad = 9; *(uint8_t*)0x200077ae = 5; *(uint8_t*)0x200077af = 0x82; *(uint8_t*)0x200077b0 = 2; *(uint16_t*)0x200077b1 = 0x200; *(uint8_t*)0x200077b3 = 0; *(uint8_t*)0x200077b4 = 0; *(uint8_t*)0x200077b5 = 0; *(uint8_t*)0x200077b6 = 9; *(uint8_t*)0x200077b7 = 5; *(uint8_t*)0x200077b8 = 0x83; *(uint8_t*)0x200077b9 = 3; *(uint16_t*)0x200077ba = 0x40; *(uint8_t*)0x200077bc = 1; *(uint8_t*)0x200077bd = 0; *(uint8_t*)0x200077be = 0; *(uint8_t*)0x200077bf = 9; *(uint8_t*)0x200077c0 = 5; *(uint8_t*)0x200077c1 = 4; *(uint8_t*)0x200077c2 = 3; *(uint16_t*)0x200077c3 = 0x40; *(uint8_t*)0x200077c5 = 1; *(uint8_t*)0x200077c6 = 0; *(uint8_t*)0x200077c7 = 0; *(uint8_t*)0x200077c8 = 9; *(uint8_t*)0x200077c9 = 5; *(uint8_t*)0x200077ca = 5; *(uint8_t*)0x200077cb = 2; *(uint16_t*)0x200077cc = 0x200; *(uint8_t*)0x200077ce = 0; *(uint8_t*)0x200077cf = 0; *(uint8_t*)0x200077d0 = 0; *(uint8_t*)0x200077d1 = 9; *(uint8_t*)0x200077d2 = 5; *(uint8_t*)0x200077d3 = 6; *(uint8_t*)0x200077d4 = 2; *(uint16_t*)0x200077d5 = 0x200; *(uint8_t*)0x200077d7 = 0; *(uint8_t*)0x200077d8 = 0; *(uint8_t*)0x200077d9 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007780, 0); if (res != -1) r[22] = res; break; case 42: *(uint32_t*)0x200079c0 = 0x18; *(uint32_t*)0x200079c4 = 0x20007800; *(uint8_t*)0x20007800 = 0x20; *(uint8_t*)0x20007801 = 0x11; *(uint32_t*)0x20007802 = 0xb7; *(uint8_t*)0x20007806 = 0xb7; *(uint8_t*)0x20007807 = 9; memcpy((void*)0x20007808, 
"\x72\xf5\x91\xba\x5c\x69\x4f\x16\xa4\xd9\x20\x75\xef\x3e\xc8\xbc\x46\x92\x09\x54\x79\x9e\xc8\xd3\xc0\x30\x8f\x3b\x47\x79\xda\x6e\x18\xe9\x82\x4a\x86\x74\x6d\x01\x3a\x39\x9a\xfc\x7f\x6f\xce\xb6\xc3\x7f\x7f\x13\x1c\x71\xeb\xc0\x01\xf6\x66\xea\x63\xed\x3a\xde\x13\x20\x09\x73\x5a\x54\x66\x22\xf9\xe6\x39\xd4\x81\xc9\x67\xcc\x7b\x5b\x74\x7c\xc5\xe6\x2f\xdc\x41\xbb\xb4\xbb\x95\x87\x8a\x44\x2c\xc4\x91\x11\xc0\xf5\x78\x86\xf1\x70\x77\xa1\xb4\xb2\x2e\x3c\xf2\x8e\xec\xb7\x98\xfe\xed\x6f\x16\x8d\xd9\xcc\x26\x46\xf8\xb7\x9e\xd4\x1b\xba\x94\xde\x9e\x30\x4f\xc8\x45\x17\x9a\x73\x21\xf0\x47\x84\xaa\x91\x7b\xa0\x84\x05\xb0\xa9\x5b\x83\x03\xd9\x14\xef\x8e\x37\x47\x80\xdd\x8e\x34\x37\xc9\x5c\x35\x76\x4c\xd0\x63\xe7\xa3\xec\x6d\x79\x0b", 181); *(uint32_t*)0x200079c8 = 0x200078c0; *(uint8_t*)0x200078c0 = 0; *(uint8_t*)0x200078c1 = 3; *(uint32_t*)0x200078c2 = 4; *(uint8_t*)0x200078c6 = 4; *(uint8_t*)0x200078c7 = 3; *(uint16_t*)0x200078c8 = 0x813; *(uint32_t*)0x200079cc = 0x20007900; *(uint8_t*)0x20007900 = 0; *(uint8_t*)0x20007901 = 0xf; *(uint32_t*)0x20007902 = 0xc; *(uint8_t*)0x20007906 = 5; *(uint8_t*)0x20007907 = 0xf; *(uint16_t*)0x20007908 = 0xc; *(uint8_t*)0x2000790a = 1; *(uint8_t*)0x2000790b = 7; *(uint8_t*)0x2000790c = 0x10; *(uint8_t*)0x2000790d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000790e, 0x18, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000790f, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20007910, 3, 0, 16); *(uint32_t*)0x200079d0 = 0x20007940; *(uint8_t*)0x20007940 = 0x20; *(uint8_t*)0x20007941 = 0x29; *(uint32_t*)0x20007942 = 0xf; *(uint8_t*)0x20007946 = 0xf; *(uint8_t*)0x20007947 = 0x29; *(uint8_t*)0x20007948 = 7; *(uint16_t*)0x20007949 = 0x80; *(uint8_t*)0x2000794b = 6; *(uint8_t*)0x2000794c = 0xe0; memcpy((void*)0x2000794d, "\x84\x02\x48\x7c", 4); memcpy((void*)0x20007951, "\x80\x56\xa3\xff", 4); *(uint32_t*)0x200079d4 = 0x20007980; *(uint8_t*)0x20007980 = 0x20; *(uint8_t*)0x20007981 = 0x2a; *(uint32_t*)0x20007982 = 0xc; 
*(uint8_t*)0x20007986 = 0xc; *(uint8_t*)0x20007987 = 0x2a; *(uint8_t*)0x20007988 = 0xa7; *(uint16_t*)0x20007989 = 2; *(uint8_t*)0x2000798b = 0x7d; *(uint8_t*)0x2000798c = 0; *(uint8_t*)0x2000798d = 0x80; *(uint16_t*)0x2000798e = 7; *(uint16_t*)0x20007990 = 6; *(uint32_t*)0x20007e80 = 0x44; *(uint32_t*)0x20007e84 = 0x20007a00; *(uint8_t*)0x20007a00 = 0x40; *(uint8_t*)0x20007a01 = 0x10; *(uint32_t*)0x20007a02 = 0x8c; memcpy((void*)0x20007a06, "\x21\xb8\x38\x25\x05\x9f\x24\x50\x6d\x8e\x84\x20\x85\xd1\xf2\xe7\xf9\x64\x47\x1b\x20\xed\x0a\x8e\x50\xa9\xaa\x4e\xf1\x6b\x5a\x6f\x2d\xbb\x2b\x57\x0a\x4f\x8d\x13\xd6\x0e\x47\xbb\x78\x21\xff\x91\x21\x11\xde\xe4\x0a\x78\xd4\x2b\x4d\x13\xea\x81\x2d\x92\x9c\xcf\x39\x64\xc5\x46\x8f\x89\xd2\xd2\x16\x30\xec\x87\x06\x7a\x2d\x13\xf4\x52\x38\xb4\x46\xbf\x57\xc6\xb9\xec\x35\x57\x8f\xa5\x87\xfc\x77\xfe\x21\x08\xb1\x59\x0b\xe0\x81\x68\x1c\xcc\x02\x4f\x1f\x59\x0b\xe9\xe5\xbe\xc9\xea\x86\xb9\x80\x3c\x60\x29\x9d\xda\x1a\x82\xf8\xff\x04\x42\x86\x71\xa4\x3b\xc2\xc3\x39\x3a", 140); *(uint32_t*)0x20007e88 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0; *(uint8_t*)0x20007ac1 = 0xa; *(uint32_t*)0x20007ac2 = 1; *(uint8_t*)0x20007ac6 = 4; *(uint32_t*)0x20007e8c = 0x20007b00; *(uint8_t*)0x20007b00 = 0; *(uint8_t*)0x20007b01 = 8; *(uint32_t*)0x20007b02 = 1; *(uint8_t*)0x20007b06 = 0xfb; *(uint32_t*)0x20007e90 = 0x20007b40; *(uint8_t*)0x20007b40 = 0x20; *(uint8_t*)0x20007b41 = 0; *(uint32_t*)0x20007b42 = 4; *(uint16_t*)0x20007b46 = 1; *(uint16_t*)0x20007b48 = 1; *(uint32_t*)0x20007e94 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x20; *(uint8_t*)0x20007b81 = 0; *(uint32_t*)0x20007b82 = 4; *(uint16_t*)0x20007b86 = 0x140; *(uint16_t*)0x20007b88 = 0x20; *(uint32_t*)0x20007e98 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 7; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 0x3ff; *(uint32_t*)0x20007e9c = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 9; *(uint32_t*)0x20007c02 = 1; *(uint8_t*)0x20007c06 = 0x81; 
*(uint32_t*)0x20007ea0 = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0xb; *(uint32_t*)0x20007c42 = 2; memcpy((void*)0x20007c46, "\x8a\x02", 2); *(uint32_t*)0x20007ea4 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0xf; *(uint32_t*)0x20007c82 = 2; *(uint16_t*)0x20007c86 = 0x321a; *(uint32_t*)0x20007ea8 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x13; *(uint32_t*)0x20007cc2 = 6; *(uint8_t*)0x20007cc6 = 1; *(uint8_t*)0x20007cc7 = 0x80; *(uint8_t*)0x20007cc8 = 0xc2; *(uint8_t*)0x20007cc9 = 0; *(uint8_t*)0x20007cca = 0; *(uint8_t*)0x20007ccb = 0; *(uint32_t*)0x20007eac = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x17; *(uint32_t*)0x20007d02 = 6; memcpy((void*)0x20007d06, "\xb0\xfe\x28\x1f\xa3\x91", 6); *(uint32_t*)0x20007eb0 = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x19; *(uint32_t*)0x20007d42 = 2; memcpy((void*)0x20007d46, "#7", 2); *(uint32_t*)0x20007eb4 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x1a; *(uint32_t*)0x20007d82 = 2; *(uint16_t*)0x20007d86 = 6; *(uint32_t*)0x20007eb8 = 0x20007dc0; *(uint8_t*)0x20007dc0 = 0x40; *(uint8_t*)0x20007dc1 = 0x1c; *(uint32_t*)0x20007dc2 = 1; *(uint8_t*)0x20007dc6 = 6; *(uint32_t*)0x20007ebc = 0x20007e00; *(uint8_t*)0x20007e00 = 0x40; *(uint8_t*)0x20007e01 = 0x1e; *(uint32_t*)0x20007e02 = 1; *(uint8_t*)0x20007e06 = 6; *(uint32_t*)0x20007ec0 = 0x20007e40; *(uint8_t*)0x20007e40 = 0x40; *(uint8_t*)0x20007e41 = 0x21; *(uint32_t*)0x20007e42 = 1; *(uint8_t*)0x20007e46 = 0x9e; syz_usb_control_io(r[22], 0x200079c0, 0x20007e80); break; case 43: *(uint8_t*)0x20007f00 = 0x12; *(uint8_t*)0x20007f01 = 1; *(uint16_t*)0x20007f02 = 0x70; *(uint8_t*)0x20007f04 = 2; *(uint8_t*)0x20007f05 = 0; *(uint8_t*)0x20007f06 = 0; *(uint8_t*)0x20007f07 = 0x50; *(uint16_t*)0x20007f08 = 0x525; *(uint16_t*)0x20007f0a = 0xa4a1; *(uint16_t*)0x20007f0c = 0x40; *(uint8_t*)0x20007f0e = 1; *(uint8_t*)0x20007f0f = 2; 
*(uint8_t*)0x20007f10 = 3; *(uint8_t*)0x20007f11 = 1; *(uint8_t*)0x20007f12 = 9; *(uint8_t*)0x20007f13 = 2; *(uint16_t*)0x20007f14 = 0x4d; *(uint8_t*)0x20007f16 = 1; *(uint8_t*)0x20007f17 = 1; *(uint8_t*)0x20007f18 = 2; *(uint8_t*)0x20007f19 = 0x70; *(uint8_t*)0x20007f1a = 0x40; *(uint8_t*)0x20007f1b = 9; *(uint8_t*)0x20007f1c = 4; *(uint8_t*)0x20007f1d = 0; *(uint8_t*)0x20007f1e = 0xc4; *(uint8_t*)0x20007f1f = 3; *(uint8_t*)0x20007f20 = 2; *(uint8_t*)0x20007f21 = 6; *(uint8_t*)0x20007f22 = 0; *(uint8_t*)0x20007f23 = 0xe1; *(uint8_t*)0x20007f24 = 8; *(uint8_t*)0x20007f25 = 0x24; *(uint8_t*)0x20007f26 = 6; *(uint8_t*)0x20007f27 = 0; *(uint8_t*)0x20007f28 = 0; memcpy((void*)0x20007f29, "W?s", 3); *(uint8_t*)0x20007f2c = 5; *(uint8_t*)0x20007f2d = 0x24; *(uint8_t*)0x20007f2e = 0; *(uint16_t*)0x20007f2f = 3; *(uint8_t*)0x20007f31 = 0xd; *(uint8_t*)0x20007f32 = 0x24; *(uint8_t*)0x20007f33 = 0xf; *(uint8_t*)0x20007f34 = 1; *(uint32_t*)0x20007f35 = 0x200; *(uint16_t*)0x20007f39 = 0; *(uint16_t*)0x20007f3b = 0x200; *(uint8_t*)0x20007f3d = 3; *(uint8_t*)0x20007f3e = 6; *(uint8_t*)0x20007f3f = 0x24; *(uint8_t*)0x20007f40 = 0x1a; *(uint16_t*)0x20007f41 = 0x1000; *(uint8_t*)0x20007f43 = 0; *(uint8_t*)0x20007f44 = 9; *(uint8_t*)0x20007f45 = 5; *(uint8_t*)0x20007f46 = 0x81; *(uint8_t*)0x20007f47 = 3; *(uint16_t*)0x20007f48 = 0x20; *(uint8_t*)0x20007f4a = 0x3f; *(uint8_t*)0x20007f4b = 0; *(uint8_t*)0x20007f4c = 0xd8; *(uint8_t*)0x20007f4d = 9; *(uint8_t*)0x20007f4e = 5; *(uint8_t*)0x20007f4f = 0x82; *(uint8_t*)0x20007f50 = 2; *(uint16_t*)0x20007f51 = 8; *(uint8_t*)0x20007f53 = -1; *(uint8_t*)0x20007f54 = 0xec; *(uint8_t*)0x20007f55 = 5; *(uint8_t*)0x20007f56 = 9; *(uint8_t*)0x20007f57 = 5; *(uint8_t*)0x20007f58 = 3; *(uint8_t*)0x20007f59 = 2; *(uint16_t*)0x20007f5a = 0x3cf; *(uint8_t*)0x20007f5c = 0x81; *(uint8_t*)0x20007f5d = 0x39; *(uint8_t*)0x20007f5e = 5; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f80; *(uint8_t*)0x20007f80 = 0xa; *(uint8_t*)0x20007f81 = 6; 
*(uint16_t*)0x20007f82 = 0; *(uint8_t*)0x20007f84 = 2; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x77; *(uint8_t*)0x20007f87 = -1; *(uint8_t*)0x20007f88 = 0x2f; *(uint8_t*)0x20007f89 = 0; *(uint32_t*)0x20008288 = 5; *(uint32_t*)0x2000828c = 0x20007fc0; *(uint8_t*)0x20007fc0 = 5; *(uint8_t*)0x20007fc1 = 0xf; *(uint16_t*)0x20007fc2 = 5; *(uint8_t*)0x20007fc4 = 0; *(uint32_t*)0x20008290 = 5; *(uint32_t*)0x20008294 = 0x69; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 0x69; *(uint8_t*)0x20008001 = 3; memcpy((void*)0x20008002, "\xd2\x5a\x9c\x8f\x14\x52\xa3\xc6\xff\xbf\xec\xa8\xeb\x77\x79\x35\xb5\x8c\x9b\x74\x06\x77\x50\x86\xff\xf7\x17\xb5\x4f\x05\xac\x59\xf9\x45\x17\xff\x3c\xd6\xf3\x10\x1d\xbf\xa7\x9b\xb8\x2a\xe3\x1b\x1d\x31\x6d\x08\xa7\x1d\x14\xfc\x2c\x1c\xfa\x8c\x89\x30\x68\xbd\xe2\xbb\x83\x0a\xe9\x1f\xc9\x42\x88\xcc\x23\x2a\xaa\xc0\xe6\x4b\x84\x00\x7b\x0e\x75\x36\xc3\xec\x34\xed\xef\x04\xde\xd9\x34\x21\xa3\x77\xe0\x69\x53\x26\xaa", 103); *(uint32_t*)0x2000829c = 0xac; *(uint32_t*)0x200082a0 = 0x20008080; *(uint8_t*)0x20008080 = 0xac; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x73\x60\x60\x9c\xe8\x30\x0a\xe4\x62\x33\x08\xd5\xf8\xb9\x7b\xfd\x50\xd3\xd8\x63\x40\x8b\x8e\xa4\x01\xc8\x6d\xa9\xd4\x2c\xe5\xf3\x86\x7c\xe8\xd7\x21\xfb\x2a\xb5\xc2\x5f\x6b\x4c\x5e\x85\xf5\xea\xf3\x41\xbd\x51\x4a\x16\xc2\xdf\xe3\xc7\xa1\xd7\xf4\x27\xae\x62\xc0\xbf\xf3\x79\xe8\x4d\x56\x63\x7e\xc1\x37\x7b\x8c\x8a\xd5\xb5\x5b\x09\x9c\xfa\xa4\xa7\xa6\xee\xb0\x58\x9f\x81\xe7\xa4\x33\x00\xef\xf5\x33\x54\xe1\xb2\xbd\xcd\xc3\x4d\x79\x45\xd6\x35\x62\xe4\x8d\x5e\xd9\x3b\xef\x75\xfd\x01\x60\xfc\xd7\xc3\xa6\xbe\x7f\x0c\x64\x2b\xb6\xe5\x61\xe3\x5a\x1c\x73\x11\x0b\xdc\xde\xd7\x69\x98\x65\xe2\x5e\xb2\x38\xcf\x8f\x3b\x10\xad\x3c\x10\x48\x80\x28\xc3\x70\x63\xc8\x86\x2f\x90\x7b\x06\x82\x9e", 170); *(uint32_t*)0x200082a4 = 4; *(uint32_t*)0x200082a8 = 0x20008140; *(uint8_t*)0x20008140 = 4; *(uint8_t*)0x20008141 = 3; *(uint16_t*)0x20008142 = 0x81a; *(uint32_t*)0x200082ac = 4; 
*(uint32_t*)0x200082b0 = 0x20008180; *(uint8_t*)0x20008180 = 4; *(uint8_t*)0x20008181 = 3; *(uint16_t*)0x20008182 = 0x180a; *(uint32_t*)0x200082b4 = 0xb9; *(uint32_t*)0x200082b8 = 0x200081c0; *(uint8_t*)0x200081c0 = 0xb9; *(uint8_t*)0x200081c1 = 3; memcpy((void*)0x200081c2, "\x37\xef\xeb\x85\x4b\x40\x51\xa4\x6c\x67\xae\xe7\xea\xa0\xf6\x2f\xde\x9f\x59\x9c\xd5\xba\x25\x32\x9d\x50\xae\xe1\x6b\x30\xc6\xc1\xa5\x14\x83\x10\x81\xaf\xc1\xdf\xd2\x68\x2f\xf4\x87\x16\xa9\x1b\xf9\x5e\x08\x42\x12\xb0\x69\x6d\x43\xe1\xc6\xc4\x3a\xda\xf9\xed\x3e\xf7\x0e\x62\x73\x59\x94\xd2\xd0\x86\x51\x39\x60\x49\x88\xfa\xc1\x79\x78\xd9\xc0\x5a\x84\xf3\x42\x38\x31\xdd\x1d\xdd\xc6\xc9\x4d\x50\xdd\xd6\x74\xf1\x65\x25\xbb\xf9\xa8\xdb\x3b\xb4\x90\x01\xbe\x38\xa1\x96\x70\xab\xd9\x9f\x4a\x2e\x97\xcf\xb2\x0d\x46\xc6\x37\x83\x2a\x3e\xc9\x7f\xf0\x94\xc6\xa3\x30\x49\x64\xb7\x2b\xcf\x11\x6b\xf2\x7f\xed\xd5\x52\x1a\xd3\xda\x22\x62\x97\xff\xf8\x49\xc3\x3c\x5d\x84\x9e\x3e\x30\x37\x52\x79\x01\xee\xf6\x3a\x59\x9b\xaa\x54\xfc\x46\xa4\x6f\xf1", 183); res = -1; res = syz_usb_connect(2, 0x5f, 0x20007f00, 0x20008280); if (res != -1) r[23] = res; break; case 44: syz_usb_disconnect(r[23]); break; case 45: *(uint8_t*)0x200082c0 = 0x12; *(uint8_t*)0x200082c1 = 1; *(uint16_t*)0x200082c2 = 0x110; *(uint8_t*)0x200082c4 = 2; *(uint8_t*)0x200082c5 = 0; *(uint8_t*)0x200082c6 = 0; *(uint8_t*)0x200082c7 = 0x20; *(uint16_t*)0x200082c8 = 0x525; *(uint16_t*)0x200082ca = 0xa4a1; *(uint16_t*)0x200082cc = 0x40; *(uint8_t*)0x200082ce = 1; *(uint8_t*)0x200082cf = 2; *(uint8_t*)0x200082d0 = 3; *(uint8_t*)0x200082d1 = 1; *(uint8_t*)0x200082d2 = 9; *(uint8_t*)0x200082d3 = 2; *(uint16_t*)0x200082d4 = 0xb3; *(uint8_t*)0x200082d6 = 1; *(uint8_t*)0x200082d7 = 1; *(uint8_t*)0x200082d8 = 6; *(uint8_t*)0x200082d9 = 0x28; *(uint8_t*)0x200082da = -1; *(uint8_t*)0x200082db = 9; *(uint8_t*)0x200082dc = 4; *(uint8_t*)0x200082dd = 0; *(uint8_t*)0x200082de = 9; *(uint8_t*)0x200082df = 2; *(uint8_t*)0x200082e0 = 2; *(uint8_t*)0x200082e1 = 6; 
*(uint8_t*)0x200082e2 = 0; *(uint8_t*)0x200082e3 = 4; *(uint8_t*)0x200082e4 = 6; *(uint8_t*)0x200082e5 = 0x24; *(uint8_t*)0x200082e6 = 6; *(uint8_t*)0x200082e7 = 0; *(uint8_t*)0x200082e8 = 0; memset((void*)0x200082e9, 177, 1); *(uint8_t*)0x200082ea = 5; *(uint8_t*)0x200082eb = 0x24; *(uint8_t*)0x200082ec = 0; *(uint16_t*)0x200082ed = 8; *(uint8_t*)0x200082ef = 0xd; *(uint8_t*)0x200082f0 = 0x24; *(uint8_t*)0x200082f1 = 0xf; *(uint8_t*)0x200082f2 = 1; *(uint32_t*)0x200082f3 = 0x9208; *(uint16_t*)0x200082f7 = 2; *(uint16_t*)0x200082f9 = 0; *(uint8_t*)0x200082fb = 0x20; *(uint8_t*)0x200082fc = 0x5e; *(uint8_t*)0x200082fd = 0x24; *(uint8_t*)0x200082fe = 0x13; *(uint8_t*)0x200082ff = 7; memcpy((void*)0x20008300, "\x63\xb0\xb9\x53\x77\x14\x7b\xa2\x14\xd9\x50\xfc\x04\xb2\x2c\x04\xbe\x09\xd9\xb9\x6f\x1a\xb9\x4b\xb0\x2e\x8a\x2a\x9e\x23\xcf\x7d\x3a\xca\xb2\x2a\x80\xed\x35\x0e\xc4\xb1\x78\x06\xed\xcb\x16\x9e\x50\x75\x37\x3d\x99\x17\x80\x21\x13\x92\xeb\x3d\x9f\x11\x73\xa5\x39\x84\x3b\xf2\xc3\xf6\x6a\x4a\x69\x60\xa5\x5a\x22\x07\x76\x7d\xb3\xc5\x5a\x7d\xd2\x89\x8b\x5c\xcb\x40", 90); *(uint8_t*)0x2000835a = 0xc; *(uint8_t*)0x2000835b = 0x24; *(uint8_t*)0x2000835c = 0x1b; *(uint16_t*)0x2000835d = 0x2a; *(uint16_t*)0x2000835f = 0x100; *(uint8_t*)0x20008361 = 0xe0; *(uint8_t*)0x20008362 = 0x76; *(uint16_t*)0x20008363 = 0; *(uint8_t*)0x20008365 = -1; *(uint8_t*)0x20008366 = 4; *(uint8_t*)0x20008367 = 0x24; *(uint8_t*)0x20008368 = 2; *(uint8_t*)0x20008369 = 0xa; *(uint8_t*)0x2000836a = 9; *(uint8_t*)0x2000836b = 5; *(uint8_t*)0x2000836c = 0x81; *(uint8_t*)0x2000836d = 3; *(uint16_t*)0x2000836e = 0x20; *(uint8_t*)0x20008370 = 0x73; *(uint8_t*)0x20008371 = 0x35; *(uint8_t*)0x20008372 = 0x3f; *(uint8_t*)0x20008373 = 9; *(uint8_t*)0x20008374 = 5; *(uint8_t*)0x20008375 = 0x82; *(uint8_t*)0x20008376 = 2; *(uint16_t*)0x20008377 = 8; *(uint8_t*)0x20008379 = 3; *(uint8_t*)0x2000837a = 1; *(uint8_t*)0x2000837b = 3; *(uint8_t*)0x2000837c = 9; *(uint8_t*)0x2000837d = 5; *(uint8_t*)0x2000837e = 3; 
*(uint8_t*)0x2000837f = 2; *(uint16_t*)0x20008380 = 0x40; *(uint8_t*)0x20008382 = 5; *(uint8_t*)0x20008383 = 0x40; *(uint8_t*)0x20008384 = 2; *(uint32_t*)0x200087c0 = 0xa; *(uint32_t*)0x200087c4 = 0x200083c0; *(uint8_t*)0x200083c0 = 0xa; *(uint8_t*)0x200083c1 = 6; *(uint16_t*)0x200083c2 = 0x201; *(uint8_t*)0x200083c4 = 0x79; *(uint8_t*)0x200083c5 = 3; *(uint8_t*)0x200083c6 = 0x3f; *(uint8_t*)0x200083c7 = 0x20; *(uint8_t*)0x200083c8 = 6; *(uint8_t*)0x200083c9 = 0; *(uint32_t*)0x200087c8 = 0x37; *(uint32_t*)0x200087cc = 0x20008400; *(uint8_t*)0x20008400 = 5; *(uint8_t*)0x20008401 = 0xf; *(uint16_t*)0x20008402 = 0x37; *(uint8_t*)0x20008404 = 5; *(uint8_t*)0x20008405 = 7; *(uint8_t*)0x20008406 = 0x10; *(uint8_t*)0x20008407 = 2; STORE_BY_BITMASK(uint32_t, , 0x20008408, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008409, 0xa, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008409, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000840a, 5, 0, 16); *(uint8_t*)0x2000840c = 7; *(uint8_t*)0x2000840d = 0x10; *(uint8_t*)0x2000840e = 2; STORE_BY_BITMASK(uint32_t, , 0x2000840f, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20008410, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20008410, 9, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20008411, 8, 0, 16); *(uint8_t*)0x20008413 = 0xa; *(uint8_t*)0x20008414 = 0x10; *(uint8_t*)0x20008415 = 3; *(uint8_t*)0x20008416 = 0xc9; *(uint16_t*)0x20008417 = 7; *(uint8_t*)0x20008419 = 7; *(uint8_t*)0x2000841a = 0; *(uint16_t*)0x2000841b = 8; *(uint8_t*)0x2000841d = 0xa; *(uint8_t*)0x2000841e = 0x10; *(uint8_t*)0x2000841f = 3; *(uint8_t*)0x20008420 = 2; *(uint16_t*)0x20008421 = 0xc; *(uint8_t*)0x20008423 = 0; *(uint8_t*)0x20008424 = 6; *(uint16_t*)0x20008425 = 6; *(uint8_t*)0x20008427 = 0x10; *(uint8_t*)0x20008428 = 0x10; *(uint8_t*)0x20008429 = 0xa; *(uint8_t*)0x2000842a = 1; STORE_BY_BITMASK(uint32_t, , 0x2000842b, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000842b, 0x8001, 5, 27); *(uint16_t*)0x2000842f = 0xf00f; *(uint16_t*)0x20008431 = 0xfffd; *(uint32_t*)0x20008433 = 
0x3fc0; *(uint32_t*)0x200087d0 = 9; *(uint32_t*)0x200087d4 = 0x4f; *(uint32_t*)0x200087d8 = 0x20008440; *(uint8_t*)0x20008440 = 0x4f; *(uint8_t*)0x20008441 = 3; memcpy((void*)0x20008442, "\xc0\x66\x3b\x11\x6d\xab\x9b\xa5\xc0\xa2\xf7\xa2\xad\x48\x6f\xfc\x16\x4a\x43\x65\x89\x95\x65\xc5\xe9\x9b\x01\x52\x39\xf3\x78\xdf\x56\xdb\x4d\xc3\xb0\xbb\x08\xdc\xd2\x08\xd9\x58\xfa\x3c\xf0\x80\x97\xaa\x20\x8b\x2d\x28\x65\xb5\x02\xcb\xc9\x4b\x1a\x8e\x33\xbd\xd9\xd6\x48\x1f\xbf\x32\xd4\x91\x34\x22\xfe\x18\x9f", 77); *(uint32_t*)0x200087dc = 0x85; *(uint32_t*)0x200087e0 = 0x200084c0; *(uint8_t*)0x200084c0 = 0x85; *(uint8_t*)0x200084c1 = 3; memcpy((void*)0x200084c2, "\xc9\xc4\x87\xa9\x0b\xe3\xd4\x0e\xf7\x82\x37\x3d\x78\x5f\x86\xbd\xfc\x3d\xb6\xfb\x0d\xd0\xa7\x44\x0b\x2f\xe4\x59\x5c\x3a\x6b\xd6\x7a\xa8\x51\x8d\x89\x7a\x8a\x75\x7d\x5f\x1c\xeb\x86\xe5\x98\xca\xbf\x23\x45\xf7\x71\xc3\xc7\x12\x8b\xd1\x6d\xd4\xb1\xee\x9b\x7d\xbc\xaf\x61\x1e\x97\xf6\xdc\xb9\xf1\x71\xe8\xf7\x05\x2b\x0f\x33\xe6\x31\xbf\xe9\x9d\xdc\x44\x13\xe5\xe5\xd7\xb6\x34\xdc\xc3\xb7\x7e\x4d\x30\x1f\x89\xa8\xd3\xb8\x51\xb0\x23\x06\xca\xbe\xc2\x11\x12\x7a\x8e\x54\x1d\x16\x26\x36\x58\x8f\xf5\x74\xde\x82\xde\x8f\x30\x7d\x43", 131); *(uint32_t*)0x200087e4 = 4; *(uint32_t*)0x200087e8 = 0x20008580; *(uint8_t*)0x20008580 = 4; *(uint8_t*)0x20008581 = 3; *(uint16_t*)0x20008582 = 0x1407; *(uint32_t*)0x200087ec = 4; *(uint32_t*)0x200087f0 = 0x200085c0; *(uint8_t*)0x200085c0 = 4; *(uint8_t*)0x200085c1 = 3; *(uint16_t*)0x200085c2 = 0; *(uint32_t*)0x200087f4 = 0xaa; *(uint32_t*)0x200087f8 = 0x20008600; *(uint8_t*)0x20008600 = 0xaa; *(uint8_t*)0x20008601 = 3; memcpy((void*)0x20008602, 
"\xce\x39\x5e\x8e\x9f\x40\x9a\x37\xda\xeb\x1c\x20\xbe\x9c\xa4\x00\x4a\xe8\x10\xcf\x16\x53\xec\xcd\x6e\x66\x3d\xd7\x4f\x8b\xc0\x69\x89\xb4\xd1\xa6\x5c\x9f\x48\x0b\xd3\x7e\x9d\xd8\x53\x49\xf2\x98\xdd\xad\xdc\x2c\xc9\xe4\xed\xa1\x47\xf2\x31\x40\x2e\x11\x6f\xb5\x94\xa6\x37\x18\xd8\x21\xd8\x85\xeb\xd6\x7e\xda\x45\x15\x58\xb1\xfb\xa3\x09\x3e\xcb\xd4\x0c\xbe\x5f\xbe\x07\xf9\x4e\xd9\x27\xd8\xe5\x03\x9a\x7c\x49\x7a\xa8\xd1\xf1\x0a\x4d\xda\xc0\x49\xad\x82\x0f\x8c\x53\x2c\x5a\x3f\x00\x94\x79\x55\x03\x24\x23\x92\x2e\x95\xaa\x5b\xfe\xe0\x41\xf7\xfe\x87\x44\xec\xc4\x42\x40\x57\xee\xc9\x70\x40\xb3\x41\xd0\xdd\xdc\xaf\x20\x6d\xa6\x43\x1e\x98\x7f\x04\xcf\xd5\x58\x02\xca\xd3\xa1\x14", 168); *(uint32_t*)0x200087fc = 4; *(uint32_t*)0x20008800 = 0x200086c0; *(uint8_t*)0x200086c0 = 4; *(uint8_t*)0x200086c1 = 3; *(uint16_t*)0x200086c2 = 0x3c01; *(uint32_t*)0x20008804 = 4; *(uint32_t*)0x20008808 = 0x20008700; *(uint8_t*)0x20008700 = 4; *(uint8_t*)0x20008701 = 3; *(uint16_t*)0x20008702 = 0x1809; *(uint32_t*)0x2000880c = 4; *(uint32_t*)0x20008810 = 0x20008740; *(uint8_t*)0x20008740 = 4; *(uint8_t*)0x20008741 = 3; *(uint16_t*)0x20008742 = 0x807; *(uint32_t*)0x20008814 = 4; *(uint32_t*)0x20008818 = 0x20008780; *(uint8_t*)0x20008780 = 4; *(uint8_t*)0x20008781 = 3; *(uint16_t*)0x20008782 = 0x1c; res = -1; res = syz_usb_connect(3, 0xc5, 0x200082c0, 0x200087c0); if (res != -1) r[24] = res; break; case 46: syz_usb_ep_read(r[24], 8, 0x7d, 0x20008840); break; case 47: *(uint8_t*)0x200088c0 = 0x12; *(uint8_t*)0x200088c1 = 1; *(uint16_t*)0x200088c2 = 0x250; *(uint8_t*)0x200088c4 = 0; *(uint8_t*)0x200088c5 = 0; *(uint8_t*)0x200088c6 = 0; *(uint8_t*)0x200088c7 = 0x10; *(uint16_t*)0x200088c8 = 0x56a; *(uint16_t*)0x200088ca = 0x62; *(uint16_t*)0x200088cc = 0x40; *(uint8_t*)0x200088ce = 1; *(uint8_t*)0x200088cf = 2; *(uint8_t*)0x200088d0 = 3; *(uint8_t*)0x200088d1 = 1; *(uint8_t*)0x200088d2 = 9; *(uint8_t*)0x200088d3 = 2; *(uint16_t*)0x200088d4 = 0x2d; *(uint8_t*)0x200088d6 = 1; *(uint8_t*)0x200088d7 = 1; 
*(uint8_t*)0x200088d8 = 0; *(uint8_t*)0x200088d9 = 0xf0; *(uint8_t*)0x200088da = 0x8e; *(uint8_t*)0x200088db = 9; *(uint8_t*)0x200088dc = 4; *(uint8_t*)0x200088dd = 0; *(uint8_t*)0x200088de = 5; *(uint8_t*)0x200088df = 1; *(uint8_t*)0x200088e0 = 3; *(uint8_t*)0x200088e1 = 1; *(uint8_t*)0x200088e2 = 2; *(uint8_t*)0x200088e3 = 0; *(uint8_t*)0x200088e4 = 9; *(uint8_t*)0x200088e5 = 0x21; *(uint16_t*)0x200088e6 = 3; *(uint8_t*)0x200088e8 = 0xf; *(uint8_t*)0x200088e9 = 1; *(uint8_t*)0x200088ea = 0x22; *(uint16_t*)0x200088eb = 0xa21; *(uint8_t*)0x200088ed = 9; *(uint8_t*)0x200088ee = 5; *(uint8_t*)0x200088ef = 0x81; *(uint8_t*)0x200088f0 = 3; *(uint16_t*)0x200088f1 = 0x3af; *(uint8_t*)0x200088f3 = 1; *(uint8_t*)0x200088f4 = 0x40; *(uint8_t*)0x200088f5 = 2; *(uint8_t*)0x200088f6 = 9; *(uint8_t*)0x200088f7 = 5; *(uint8_t*)0x200088f8 = 2; *(uint8_t*)0x200088f9 = 3; *(uint16_t*)0x200088fa = 0x10; *(uint8_t*)0x200088fc = 6; *(uint8_t*)0x200088fd = 1; *(uint8_t*)0x200088fe = 9; *(uint32_t*)0x20008c00 = 0xa; *(uint32_t*)0x20008c04 = 0x20008900; *(uint8_t*)0x20008900 = 0xa; *(uint8_t*)0x20008901 = 6; *(uint16_t*)0x20008902 = 0x250; *(uint8_t*)0x20008904 = 3; *(uint8_t*)0x20008905 = 1; *(uint8_t*)0x20008906 = 0x46; *(uint8_t*)0x20008907 = -1; *(uint8_t*)0x20008908 = 0x20; *(uint8_t*)0x20008909 = 0; *(uint32_t*)0x20008c08 = 0x34; *(uint32_t*)0x20008c0c = 0x20008940; *(uint8_t*)0x20008940 = 5; *(uint8_t*)0x20008941 = 0xf; *(uint16_t*)0x20008942 = 0x34; *(uint8_t*)0x20008944 = 2; *(uint8_t*)0x20008945 = 0xb; *(uint8_t*)0x20008946 = 0x10; *(uint8_t*)0x20008947 = 1; *(uint8_t*)0x20008948 = 2; *(uint16_t*)0x20008949 = 0xfa; *(uint8_t*)0x2000894b = 8; *(uint8_t*)0x2000894c = 0x80; *(uint16_t*)0x2000894d = 5; *(uint8_t*)0x2000894f = 3; *(uint8_t*)0x20008950 = 0x24; *(uint8_t*)0x20008951 = 0x10; *(uint8_t*)0x20008952 = 0xa; *(uint8_t*)0x20008953 = 5; STORE_BY_BITMASK(uint32_t, , 0x20008954, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20008954, 9, 5, 27); *(uint16_t*)0x20008958 = 0xf00f; 
*(uint16_t*)0x2000895a = 0; *(uint32_t*)0x2000895c = 0xffc00f; *(uint32_t*)0x20008960 = 0xff00c0; *(uint32_t*)0x20008964 = 0x101ffc0; *(uint32_t*)0x20008968 = 0xff0030; *(uint32_t*)0x2000896c = 0x30; *(uint32_t*)0x20008970 = 0x30; *(uint32_t*)0x20008c10 = 4; *(uint32_t*)0x20008c14 = 0xed; *(uint32_t*)0x20008c18 = 0x20008980; *(uint8_t*)0x20008980 = 0xed; *(uint8_t*)0x20008981 = 3; memcpy((void*)0x20008982, "\xe7\xdb\x91\x4e\xf4\xa7\x1a\x3a\xba\x44\x3e\xe1\x81\xc2\x72\xe7\xfb\xb6\x36\x48\xa9\x97\x75\x4b\x81\xa1\x93\x8f\x52\xb9\xfd\x8c\x2b\x76\xca\x28\xee\x1f\xcb\xa2\x80\x02\x1f\xbe\x02\xff\xa0\x3e\xa7\x53\xf2\xd5\x1b\x71\xf1\xcb\x93\x91\xea\x31\xfa\xab\xf8\xed\x37\xa9\x85\x3b\x87\xee\xba\xa0\xa1\x26\x96\x96\xe6\x5e\x30\x9e\xa4\xbf\x77\x55\xff\x1b\x99\x28\x0f\xd6\x82\x30\xd7\xd8\x99\xd0\x97\xe1\x6e\xe0\xb2\x24\xde\x57\x33\x94\x39\xc8\x0a\xd7\xfb\xf8\xbb\xf3\x2a\xa0\x0e\x29\x80\x2b\xde\x1c\x8c\x5e\x62\x28\xfa\x0a\x54\xc8\x35\x0e\xf9\x97\x11\x2f\x76\x3e\x17\x42\x8f\xb8\xe9\x5a\x56\x68\x95\x95\xf3\x0a\x3c\x16\x15\x18\x09\xb0\xc6\xb1\xd4\xd4\x76\x65\x10\xc6\xf0\x66\xfe\x4b\x35\xa3\xea\x90\xd3\x88\xd1\xb4\xd4\xe9\xc6\xb3\x09\x71\xe2\x37\xe2\x3f\xd2\x05\xf9\x90\x5e\xe7\xd7\x9f\x44\x43\x70\x7a\xdc\x7f\x65\xce\x2b\x15\x99\x4d\xaa\xc7\xb9\x54\x35\x3f\xb2\x32\x01\x84\x41\x22\x71\x05\x31\x87\x9c\x62\x91\xc7\xdf\xbf\x6b\xe4\x54\xb9\xcf\x2f\x2e", 235); *(uint32_t*)0x20008c1c = 4; *(uint32_t*)0x20008c20 = 0x20008a80; *(uint8_t*)0x20008a80 = 4; *(uint8_t*)0x20008a81 = 3; *(uint16_t*)0x20008a82 = 0x410; *(uint32_t*)0x20008c24 = 0x64; *(uint32_t*)0x20008c28 = 0x20008ac0; *(uint8_t*)0x20008ac0 = 0x64; *(uint8_t*)0x20008ac1 = 3; memcpy((void*)0x20008ac2, 
"\x04\x1c\x8b\x1b\xd1\x43\xea\x1d\x63\x82\x9b\x76\x9d\xdb\x88\x6a\x6a\xaf\xee\xdd\x5f\x65\x2b\xc9\x48\x67\x7c\x9a\x6e\x3a\xcf\xe0\x4a\x15\x19\x05\x3f\x95\xe5\xfc\xf7\x9b\x08\x53\x62\xcd\xac\x6a\xbb\xf8\xf1\x37\x81\xa6\x21\x88\x52\x57\x05\x2b\x12\x00\x45\xda\x2c\x49\x4a\x30\xbc\x6a\xe6\xc4\x16\x0c\xf4\x97\x00\x2a\xf8\xb7\x7e\x21\x68\x93\x24\xbd\x6e\x75\xac\xed\xa7\xcf\x6a\x50\x92\x0b\x2a\xb1", 98); *(uint32_t*)0x20008c2c = 0x87; *(uint32_t*)0x20008c30 = 0x20008b40; *(uint8_t*)0x20008b40 = 0x87; *(uint8_t*)0x20008b41 = 3; memcpy((void*)0x20008b42, "\x15\x08\x37\xb1\xe6\x9e\x50\x07\x39\x8a\xc0\x2c\x4a\x0b\x25\x07\x2d\xaa\x81\xa6\x4a\xf1\x0b\xcd\xc5\x73\x63\x33\xf4\x9c\x92\x1f\x86\xd9\xcb\xc6\xb7\x78\xf1\xd2\x16\x79\xd8\x47\xd5\xb8\xa9\xb7\x0f\xc5\x6b\xb5\xa4\x33\x04\x0a\xfd\x94\x37\x7b\x25\x15\xa5\x5c\xda\x70\xdb\x64\x44\x2a\xda\xe0\x90\x5a\xa9\x0f\x91\x1d\x3b\xee\xf8\x00\xab\x6f\xd8\x7a\x5c\x51\xfd\xa8\xfa\xa7\x50\xd1\x95\xc2\xe6\x57\x24\x97\x81\xc6\xaf\x05\x23\xe0\x49\x2f\x9a\x69\xe2\x27\xe1\x0c\xa0\x31\x0f\x1a\x01\x0f\x8b\x98\x6a\x9a\x05\x53\xa5\x33\x1f\x97\x54\xfc\x90", 133); res = -1; res = syz_usb_connect(3, 0x3f, 0x200088c0, 0x20008c00); if (res != -1) r[25] = res; break; case 48: memcpy((void*)0x20008c40, "\xa6\x90\x8c\x55\x30\x81\x4d\x6a\x6b\xfd\x6d\x6c\x75\x94\xd4\xaf\x8a\x49\x62\xd8\x82\xda\x65\x7b\xb4\x02\xc7\xd0\xae\x45\x35\x16\x81\x60\xdb\xf6\x7b\x82\xf2\x23\xd5\x77\xb0\xe1\x6e\x6a\xc3\xc4\x6a\x40\x15\xa6\xed\x7c\x4f\xa6\x5d\x1d\xba\xa2\x68\xb7\x48\xde\xc4\x67\x74\xec\xa9\x22\x47\x96\x94\x49\xa9\xf5\x9e\x9e\xdd\xe4\xd3\x7e\x7b\xd1\x78\x82\xeb\x00\x5e\x24\xfe\x43\xf5\x76\x54\x00\x0e\xad\xec\x3f\x1d\xe9\x91\x7e\xb2\x8c\x2a\x87\x71\x82\xc4\x7b\x55\x6d", 114); syz_usb_ep_write(r[25], 7, 0x72, 0x20008c40); break; case 49: syz_usbip_server_init(4); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); 
use_temporary_dir(); do_sandbox_android(); return 0; } :132:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :119:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :114:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor079096089 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/9 (1.83s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/2 (1.86s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/24 (1.93s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/26 (2.20s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/19 (2.20s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/25 (2.20s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/18 (2.19s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/1 (2.22s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/5 (2.27s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/29 (2.28s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/28 (2.29s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/12 (2.43s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/21 (2.42s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/16 (2.42s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/7 (2.43s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/15 (2.46s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/30 (2.48s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/14 (2.49s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/6 (2.52s) csource_test.go:116: FAIL FAIL github.com/google/syzkaller/pkg/csource 16.587s ok github.com/google/syzkaller/pkg/db (cached) ? 
github.com/google/syzkaller/pkg/debugtracer [no test files] ok github.com/google/syzkaller/pkg/email (cached) ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host 18.792s ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ok github.com/google/syzkaller/pkg/instance 1.968s ok github.com/google/syzkaller/pkg/ipc (cached) ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ? github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig 1.055s ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig 2.108s ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ok github.com/google/syzkaller/pkg/repro 0.168s ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 45.333s ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer (cached) ok github.com/google/syzkaller/pkg/tool (cached) ok github.com/google/syzkaller/pkg/vcs (cached) ok github.com/google/syzkaller/prog 15.156s ok github.com/google/syzkaller/prog/test 0.717s ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? 
github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/darwin/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ok github.com/google/syzkaller/sys/linux (cached) ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd (cached) ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci 1.762s ok github.com/google/syzkaller/syz-fuzzer (cached) ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state 3.352s ok github.com/google/syzkaller/syz-manager 2.131s ? github.com/google/syzkaller/syz-runner [no test files] ok github.com/google/syzkaller/syz-verifier 0.097s ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? 
github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ? github.com/google/syzkaller/tools/syz-imagegen [no test files] ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-kconf (cached) ok github.com/google/syzkaller/tools/syz-linter (cached) ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 8.249s ? github.com/google/syzkaller/vm/adb [no test files] ? 
github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated (cached) ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] FAIL