[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '[localhost]:53879' (ECDSA) to the list of known hosts.
2021/06/13 22:54:25 fuzzer started
2021/06/13 22:54:26 connecting to host at localhost:39365
2021/06/13 22:54:26 checking machine...
2021/06/13 22:54:26 checking revisions...
2021/06/13 22:54:27 testing simple program...
executing program
executing program
executing program
executing program

syzkaller login: [ 132.183820][ T8656] BUG: sleeping function called from invalid context at net/core/sock.c:3064
[ 132.223970][ T8656] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 8656, name: syz-executor.0
[ 132.263563][ T8656] 1 lock held by syz-executor.0/8656:
[ 132.273739][ T8656]  #0: ffffffff8d8c38e0 (hci_sk_list.lock){++++}-{2:2}, at: hci_sock_dev_event+0x3db/0x660
[ 132.291544][ T8656] Preemption disabled at:
[ 132.291556][ T8656] [<0000000000000000>] 0x0
[ 132.308871][ T8656] CPU: 3 PID: 8656 Comm: syz-executor.0 Not tainted 5.13.0-rc6-syzkaller #0
[ 132.319013][ T8656] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
[ 132.330574][ T8656] Call Trace:
[ 132.336527][ T8656]  dump_stack+0x141/0x1d7
[ 132.342457][ T8656]  ___might_sleep.cold+0x1f1/0x237
[ 132.349955][ T8656]  lock_sock_nested+0x25/0x120
[ 132.356189][ T8656]  hci_sock_dev_event+0x465/0x660
[ 132.362785][ T8656]  ? hci_send_monitor_ctrl_event+0x560/0x560
[ 132.370185][ T8656]  ? do_raw_read_unlock+0x70/0x70
[ 132.377092][ T8656]  hci_unregister_dev+0x2fd/0x1130
[ 132.384131][ T8656]  ? fsnotify+0x1070/0x1070
[ 132.389982][ T8656]  ? hci_bdaddr_list_clear+0x200/0x200
[ 132.397437][ T8656]  ? fcntl_setlk+0xe90/0xe90
[ 132.404073][ T8656]  vhci_release+0x70/0xe0
[ 132.409143][ T8656]  __fput+0x288/0x920
[ 132.413701][ T8656]  ? vhci_close_dev+0x50/0x50
[ 132.418766][ T8656]  task_work_run+0xdd/0x1a0
[ 132.423720][ T8656]  do_exit+0xbfc/0x2a60
[ 132.428258][ T8656]  ? find_held_lock+0x2d/0x110
[ 132.434917][ T8656]  ? mm_update_next_owner+0x7a0/0x7a0
[ 132.441605][ T8656]  ? lock_downgrade+0x6e0/0x6e0
[ 132.447253][ T8656]  ? lock_downgrade+0x6e0/0x6e0
[ 132.453192][ T8656]  do_group_exit+0x125/0x310
[ 132.458456][ T8656]  __ia32_sys_exit_group+0x3a/0x50
[ 132.464739][ T8656]  __do_fast_syscall_32+0x67/0xe0
[ 132.470348][ T8656]  do_fast_syscall_32+0x2f/0x70
[ 132.476682][ T8656]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 132.486852][ T8656] RIP: 0023:0xf7f52549
[ 132.491170][ T8656] Code: Unable to access opcode bytes at RIP 0xf7f5251f.
[ 132.499255][ T8656] RSP: 002b:00000000ffb55b6c EFLAGS: 00000282 ORIG_RAX: 00000000000000fc
[ 132.508946][ T8656] RAX: ffffffffffffffda RBX: 0000000000000043 RCX: 00000000ffb55bb8
[ 132.518852][ T8656] RDX: 0000000000000000 RSI: 000000000817214c RDI: 0000000000000010
[ 132.527776][ T8656] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 132.538640][ T8656] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 132.549671][ T8656] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 132.583866][ T8656]
[ 132.587005][ T8656] ======================================================
[ 132.596986][ T8656] WARNING: possible circular locking dependency detected
[ 132.610879][ T8656] 5.13.0-rc6-syzkaller #0 Tainted: G W
[ 132.620559][ T8656] ------------------------------------------------------
[ 132.629659][ T8656] syz-executor.0/8656 is trying to acquire lock:
[ 132.636013][ T8656] ffffffff8d8c38e0 (hci_sk_list.lock){++++}-{2:2}, at: bt_sock_unlink+0x1d/0x1c0
[ 132.663393][ T8656]
[ 132.663393][ T8656] but task is already holding lock:
[ 132.684434][ T8656] ffff88804515b120 (sk_lock-AF_BLUETOOTH-BTPROTO_HCI){+.+.}-{0:0}, at: hci_sock_release+0x61/0x4d0
[ 132.706947][ T8656]
[ 132.706947][ T8656] which lock already depends on the new lock.
[ 132.706947][ T8656]
[ 132.727363][ T8656]
[ 132.727363][ T8656] the existing dependency chain (in reverse order) is:
[ 132.742279][ T8656]
[ 132.742279][ T8656] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_HCI){+.+.}-{0:0}:
[ 132.755464][ T8656]        lock_sock_nested+0xca/0x120
[ 132.762874][ T8656]        hci_sock_dev_event+0x465/0x660
[ 132.771176][ T8656]        hci_unregister_dev+0x2fd/0x1130
[ 132.780508][ T8656]        vhci_release+0x70/0xe0
[ 132.792525][ T8656]        __fput+0x288/0x920
[ 132.798903][ T8656]        task_work_run+0xdd/0x1a0
[ 132.807263][ T8656]        do_exit+0xbfc/0x2a60
[ 132.813995][ T8656]        do_group_exit+0x125/0x310
[ 132.820387][ T8656]        __ia32_sys_exit_group+0x3a/0x50
[ 132.826518][ T8656]        __do_fast_syscall_32+0x67/0xe0
[ 132.833692][ T8656]        do_fast_syscall_32+0x2f/0x70
[ 132.843499][ T8656]        entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 132.854440][ T8656]
[ 132.854440][ T8656] -> #0 (hci_sk_list.lock){++++}-{2:2}:
[ 132.864347][ T8656]        __lock_acquire+0x2a17/0x5230
[ 132.871553][ T8656]        lock_acquire+0x1ab/0x740
[ 132.879174][ T8656]        _raw_write_lock+0x2a/0x40
[ 132.886666][ T8656]        bt_sock_unlink+0x1d/0x1c0
[ 132.894577][ T8656]        hci_sock_release+0xcf/0x4d0
[ 132.901010][ T8656]        __sock_release+0xcd/0x280
[ 132.907440][ T8656]        sock_close+0x18/0x20
[ 132.915611][ T8656]        __fput+0x288/0x920
[ 132.921093][ T8656]        task_work_run+0xdd/0x1a0
[ 132.926996][ T8656]        do_exit+0xbfc/0x2a60
[ 132.932115][ T8656]        do_group_exit+0x125/0x310
[ 132.937895][ T8656]        __ia32_sys_exit_group+0x3a/0x50
[ 132.945697][ T8656]        __do_fast_syscall_32+0x67/0xe0
[ 132.953535][ T8656]        do_fast_syscall_32+0x2f/0x70
[ 132.961469][ T8656]        entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 132.971848][ T8656]
[ 132.971848][ T8656] other info that might help us debug this:
[ 132.971848][ T8656]
[ 132.987302][ T8656]  Possible unsafe locking scenario:
[ 132.987302][ T8656]
[ 132.998363][ T8656]        CPU0                    CPU1
[ 133.007170][ T8656]        ----                    ----
[ 133.015992][ T8656]   lock(sk_lock-AF_BLUETOOTH-BTPROTO_HCI);
[ 133.024300][ T8656]                                lock(hci_sk_list.lock);
[ 133.035160][ T8656]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_HCI);
[ 133.047076][ T8656]   lock(hci_sk_list.lock);
[ 133.053769][ T8656]
[ 133.053769][ T8656]  *** DEADLOCK ***
[ 133.053769][ T8656]
[ 133.066128][ T8656] 2 locks held by syz-executor.0/8656:
[ 133.073648][ T8656]  #0: ffff88802a9a3150 (&sb->s_type->i_mutex_key#13){+.+.}-{3:3}, at: __sock_release+0x86/0x280
[ 133.088390][ T8656]  #1: ffff88804515b120 (sk_lock-AF_BLUETOOTH-BTPROTO_HCI){+.+.}-{0:0}, at: hci_sock_release+0x61/0x4d0
[ 133.106264][ T8656]
[ 133.106264][ T8656] stack backtrace:
[ 133.116341][ T8656] CPU: 3 PID: 8656 Comm: syz-executor.0 Tainted: G W 5.13.0-rc6-syzkaller #0
[ 133.132194][ T8656] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
[ 133.147391][ T8656] Call Trace:
[ 133.153072][ T8656]  dump_stack+0x141/0x1d7
[ 133.160598][ T8656]  check_noncircular+0x25f/0x2e0
[ 133.168851][ T8656]  ? stack_trace_save+0x8c/0xc0
[ 133.175722][ T8656]  ? print_circular_bug+0x1e0/0x1e0
[ 133.183708][ T8656]  ? is_dynamic_key+0x1a0/0x1a0
[ 133.191586][ T8656]  ? lockdep_lock+0xc6/0x200
[ 133.198223][ T8656]  ? call_rcu_zapped+0xb0/0xb0
[ 133.206705][ T8656]  __lock_acquire+0x2a17/0x5230
[ 133.214427][ T8656]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 133.224680][ T8656]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 133.233967][ T8656]  lock_acquire+0x1ab/0x740
[ 133.241092][ T8656]  ? bt_sock_unlink+0x1d/0x1c0
[ 133.249012][ T8656]  ? lock_release+0x720/0x720
[ 133.256825][ T8656]  ? lock_release+0x720/0x720
[ 133.264126][ T8656]  ? lock_downgrade+0x6e0/0x6e0
[ 133.271409][ T8656]  ? do_raw_spin_lock+0x120/0x2b0
[ 133.278969][ T8656]  ? mark_held_locks+0x9f/0xe0
[ 133.286306][ T8656]  _raw_write_lock+0x2a/0x40
[ 133.293118][ T8656]  ? bt_sock_unlink+0x1d/0x1c0
[ 133.300677][ T8656]  bt_sock_unlink+0x1d/0x1c0
[ 133.308268][ T8656]  hci_sock_release+0xcf/0x4d0
[ 133.315923][ T8656]  __sock_release+0xcd/0x280
[ 133.323207][ T8656]  sock_close+0x18/0x20
[ 133.329296][ T8656]  __fput+0x288/0x920
[ 133.335760][ T8656]  ? __sock_release+0x280/0x280
[ 133.343434][ T8656]  task_work_run+0xdd/0x1a0
[ 133.349919][ T8656]  do_exit+0xbfc/0x2a60
[ 133.357436][ T8656]  ? find_held_lock+0x2d/0x110
[ 133.365823][ T8656]  ? mm_update_next_owner+0x7a0/0x7a0
[ 133.374141][ T8656]  ? lock_downgrade+0x6e0/0x6e0
[ 133.382204][ T8656]  ? lock_downgrade+0x6e0/0x6e0
[ 133.389679][ T8656]  do_group_exit+0x125/0x310
[ 133.397042][ T8656]  __ia32_sys_exit_group+0x3a/0x50
[ 133.406054][ T8656]  __do_fast_syscall_32+0x67/0xe0
[ 133.413517][ T8656]  do_fast_syscall_32+0x2f/0x70
[ 133.421888][ T8656]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 133.430398][ T8656] RIP: 0023:0xf7f52549
[ 133.436893][ T8656] Code: Unable to access opcode bytes at RIP 0xf7f5251f.
[ 133.447695][ T8656] RSP: 002b:00000000ffb55b6c EFLAGS: 00000282 ORIG_RAX: 00000000000000fc
[ 133.460490][ T8656] RAX: ffffffffffffffda RBX: 0000000000000043 RCX: 00000000ffb55bb8
[ 133.472975][ T8656] RDX: 0000000000000000 RSI: 000000000817214c RDI: 0000000000000010
[ 133.486813][ T8656] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 133.500427][ T8656] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 133.513242][ T8656] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
2021/06/13 22:54:41 BUG: program execution failed: executor 0: exit status 67
SYZFAIL: wrong response packet (errno 16: Device or resource busy)
loop exited with status 67
SYZFAIL: wrong response packet (errno 16: Device or resource busy)
loop exited with status 67

VM DIAGNOSIS:
22:54:40 Registers: