ok github.com/google/syzkaller/dashboard/app (cached) ? github.com/google/syzkaller/dashboard/dashapi [no test files] ? github.com/google/syzkaller/executor [no test files] ok github.com/google/syzkaller/pkg/ast (cached) ok github.com/google/syzkaller/pkg/bisect (cached) ok github.com/google/syzkaller/pkg/build (cached) ? github.com/google/syzkaller/pkg/cmdprof [no test files] ok github.com/google/syzkaller/pkg/compiler (cached) ok github.com/google/syzkaller/pkg/config (cached) ? github.com/google/syzkaller/pkg/cover [no test files] --- FAIL: TestGenerate (4.39s) --- FAIL: TestGenerate/netbsd/amd64 (0.07s) csource_test.go:67: seed=1590122536646302754 --- FAIL: TestGenerate/netbsd/amd64/14 (1.39s) csource_test.go:123: opts: {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:2 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false UseTmpDir:true HandleSegv:false Repro:true Trace:false} program: r0 = fcntl$dupfd(0xffffffffffffff9c, 0xc, 0xffffffffffffff9c) r1 = dup2(0xffffffffffffffff, r0) pwrite(r1, &(0x7f0000000000)="5d1dd436f0f5a32b117d0f61dc010511e7e3c7f92e33630dfc7a02f9f4df14c215d8716f98892cba0ddcbbd6b2683f5e028152ebbe2d26a7e4c45673b55cf76e7795dd124f82947e0244eb08cfb0b5da0c829b1580ac64473f069f9928c1043bdeaa541829f4ef60f80ea0b9b912a974a5e98ea75423d1126815de1319a78c8127c017f8cbe86d", 0x87, 0x6) getsockname$unix(r0, &(0x7f00000000c0)=@abs, &(0x7f0000000100)=0x8) accept$inet6(r1, &(0x7f0000000140), &(0x7f0000000180)=0xc) socketpair(0x18, 0x844590f3b4efa023, 0x7f, &(0x7f00000001c0)) r2 = accept(0xffffffffffffff9c, &(0x7f0000000200)=@un=@abs, &(0x7f0000000240)=0x8) r3 = getpgrp() stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 0xffff, 0x11, &(0x7f00000003c0)={r3, r4}, 0xc) syz_emit_ethernet(0x1000, &(0x7f0000000000)="") 
syz_execute_func(&(0x7f0000001000)="c4623937477e660fe30ca4f33e450917c46178ae9172980000c463e122d696c4037d7b050f00000000c463395f473fadc403555d3c5600c4e2b596f0c421fd5bfb") syz_extract_tcp_res(&(0x7f0000001080), 0x5, 0x6fb) r5 = syz_usb_connect(0x721, 0x69, &(0x7f00000010c0)="5d8d97afe958a6b46b8feffe29f05164a8eed8f035a6c4d8f6972106c0f6a0430f0347a9ad29a940d3de0d19dd63c06dad37ea1e105fec8b4dbdb4d7f95164ff313f199aaa43108e9613c1e62958e7762847158e8726924dcbdafffd2a942c440d0a80340487af0eb9", &(0x7f0000001140)="e2f9193eea7fea62b374a3151475bf3be9825dbe21d3907a6baf2fcdf0e6dd64fa7ccce3734ba66273ba0db7e79d314b54d10158b7d4a67b5e264cd1fe32c6bab3d03faa5bd67a4609b48a17eb0386538afe3d83a4f19597909773c9474f1f6685e59157f5c76c2de065f509b7a7cf8e629cca553dcb4445a372883199be746634e857266c2758f8d58dd0dea457790204fc26e26927d5bbff20a99aed0a95d850ec3221f4f1d8f13a8f00be13519ef898d39d28568bb7894c39") syz_usb_disconnect(r5) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; dp = opendir(dir); if (dp == NULL) exit(1); while ((ep = readdir(dp))) { if 
/* Tail of remove_dir(), whose head is on the previous line: the rest of the
 * readdir() loop. Every failure in this function ends the process with
 * exit(1). */
(strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		/* NOTE(review): the snprintf() result is not checked, so an over-long
		 * path would be truncated silently before it reaches lstat(). */
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		/* lstat() examines a symlink itself instead of following it. */
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			/* Subdirectories are removed recursively. */
			remove_dir(filename);
			continue;
		}
		if (unlink(filename))
			exit(1);
	}
	closedir(dp);
	if (rmdir(dir))
		exit(1);
}

/*
 * Start a thread running fn(arg) with a 128 KiB stack (128 << 10).
 * Creation is attempted up to 100 times; after a failure the loop sleeps
 * 50 microseconds and retries only when errno is EAGAIN. If no attempt
 * succeeds the process exits with status 1.
 *
 * NOTE(review): pthread_create() reports failure through its return value;
 * POSIX does not require it to set errno, so the EAGAIN test may never
 * match - confirm on the target libc.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i;
	for (i = 0; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

/* One-shot event: a flag (state) guarded by a mutex, with a condition
 * variable for waiters. */
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

/* Initialise the mutex and condition variable and clear the flag; exits the
 * process if either init call fails. */
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

/* Clear the flag. Note that this write is done without taking ev->mu. */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/* Set the flag and wake all waiters. Setting an event that is already set is
 * treated as fatal (exit(1)). The broadcast is issued after the unlock. */
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

/* Block until the flag is set. */
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

/* Return the current value of the flag, read under the mutex. */
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

/*
 * Wait for the flag for at most `timeout` milliseconds (time is taken from
 * current_time_ms()). Returns the flag value seen when the wait ends, so 0
 * means the wait timed out.
 *
 * NOTE(review): ts holds the remaining time as a relative duration, while
 * pthread_cond_timedwait() is specified to take an absolute deadline. If the
 * target follows POSIX here, each call returns at once and this loop polls
 * until the timeout elapses - confirm. The return value of
 * pthread_cond_timedwait() is ignored.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		/* Milliseconds left, split into seconds and nanoseconds. */
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

/*
-------------------------------------------------------------------------- */

/*
 * Redefinitions to match the linux types used in common_usb.h.
 *
 * All descriptor structs below are declared packed, so their in-memory
 * layout has no padding between fields.
 */

/* Endpoint descriptor; 9 bytes as declared here. */
struct usb_endpoint_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t bInterval;
	uint8_t bRefresh;
	uint8_t bSynchAddress;
} __attribute__((packed));

/* Device descriptor; 18 bytes as declared here. */
struct usb_device_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint16_t idVendor;
	uint16_t idProduct;
	uint16_t bcdDevice;
	uint8_t iManufacturer;
	uint8_t iProduct;
	uint8_t iSerialNumber;
	uint8_t bNumConfigurations;
} __attribute__((packed));

/* Configuration descriptor header; 9 bytes as declared here. */
struct usb_config_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t wTotalLength;
	uint8_t bNumInterfaces;
	uint8_t bConfigurationValue;
	uint8_t iConfiguration;
	uint8_t bmAttributes;
	uint8_t bMaxPower;
} __attribute__((packed));

/* Interface descriptor; 9 bytes as declared here. */
struct usb_interface_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bNumEndpoints;
	uint8_t bInterfaceClass;
	uint8_t bInterfaceSubClass;
	uint8_t bInterfaceProtocol;
	uint8_t iInterface;
} __attribute__((packed));

/* Control request header (setup packet); 8 bytes as declared here. */
struct usb_ctrlrequest {
	uint8_t bRequestType;
	uint8_t bRequest;
	uint16_t wValue;
	uint16_t wIndex;
	uint16_t wLength;
} __attribute__((packed));

/* Device qualifier descriptor; 10 bytes as declared here. */
struct usb_qualifier_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint8_t bNumConfigurations;
	uint8_t bRESERVED;
} __attribute__((packed));

/* Request-type field of bRequestType: a two-bit value shifted left by 5. */
#define USB_TYPE_MASK (0x03 << 5)
#define USB_TYPE_STANDARD (0x00 << 5)
#define USB_TYPE_CLASS (0x01 << 5)
#define USB_TYPE_VENDOR (0x02 << 5)
#define USB_TYPE_RESERVED (0x03 << 5)

/* Descriptor type codes. The request handler in this listing compares them
 * with the high byte of wValue (wValue >> 8) of a GET_DESCRIPTOR request. */
#define USB_DT_DEVICE 0x01
#define USB_DT_CONFIG 0x02
#define USB_DT_STRING 0x03
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT 0x05
#define USB_DT_DEVICE_QUALIFIER 0x06
#define USB_DT_OTHER_SPEED_CONFIG 0x07
#define USB_DT_INTERFACE_POWER 0x08
#define USB_DT_OTG 0x09
#define USB_DT_DEBUG 0x0a
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
#define USB_DT_SECURITY 0x0c
#define USB_DT_KEY 0x0d
#define USB_DT_ENCRYPTION_TYPE 0x0e
#define USB_DT_BOS 0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define USB_DT_WIRELESS_ENDPOINT_COMP 0x11
#define USB_DT_WIRE_ADAPTER 0x21
#define USB_DT_RPIPE 0x22
#define USB_DT_CS_RADIO_CONTROL 0x23
#define USB_DT_PIPE_USAGE 0x24
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31

/* Request codes (bRequest). Several names share one value: 0x0E and 0x0F
 * are each defined twice, and the decimal values 20 to 23 equal 0x14 to
 * 0x17, which are also defined above them. */
#define USB_REQ_GET_STATUS 0x00
#define USB_REQ_CLEAR_FEATURE 0x01
#define USB_REQ_SET_FEATURE 0x03
#define USB_REQ_SET_ADDRESS 0x05
#define USB_REQ_GET_DESCRIPTOR 0x06
#define USB_REQ_SET_DESCRIPTOR 0x07
#define USB_REQ_GET_CONFIGURATION 0x08
#define USB_REQ_SET_CONFIGURATION 0x09
#define USB_REQ_GET_INTERFACE 0x0A
#define USB_REQ_SET_INTERFACE 0x0B
#define USB_REQ_SYNCH_FRAME 0x0C
#define USB_REQ_SET_SEL 0x30
#define USB_REQ_SET_ISOCH_DELAY 0x31
#define USB_REQ_SET_ENCRYPTION 0x0D
#define USB_REQ_GET_ENCRYPTION 0x0E
#define USB_REQ_RPIPE_ABORT 0x0E
#define USB_REQ_SET_HANDSHAKE 0x0F
#define USB_REQ_RPIPE_RESET 0x0F
#define USB_REQ_GET_HANDSHAKE 0x10
#define USB_REQ_SET_CONNECTION 0x11
#define USB_REQ_SET_SECURITY_DATA 0x12
#define USB_REQ_GET_SECURITY_DATA 0x13
#define USB_REQ_SET_WUSB_DATA 0x14
#define USB_REQ_LOOPBACK_DATA_WRITE 0x15
#define USB_REQ_LOOPBACK_DATA_READ 0x16
#define USB_REQ_SET_INTERFACE_DS 0x17
#define USB_REQ_GET_PARTNER_PDO 20
#define USB_REQ_GET_BATTERY_STATUS 21
#define USB_REQ_SET_PDO 22
#define USB_REQ_GET_VDM 23
#define USB_REQ_SEND_VDM 24

/* Capacity limits of the descriptor index built by parse_usb_descriptor():
 * interfaces per device, endpoints per interface, and tracked devices. */
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

/* One indexed endpoint: a copy of its descriptor plus a handle field. */
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

/* One indexed interface. `iface` points at the descriptor inside the
 * buffer that was parsed; the three uint8_t fields are copies taken from
 * it. The definition continues on the next line of this listing. */
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct
/* Tail of struct usb_iface_index, begun on the previous line: the endpoint
 * table of the interface and the number of used entries. */
usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

/* Index over one device: pointers to the device and configuration
 * descriptors inside the parsed buffer, copies of two of their fields, and
 * the interfaces found while walking the buffer. */
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

/* A tracked device: the file descriptor it was registered under and its
 * descriptor index. */
struct usb_info {
	int fd;
	struct usb_device_index index;
};

/* Fixed table of tracked devices and the count of slots handed out. */
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

/*
 * Build `index` from a raw descriptor blob.
 *
 * buffer/length: a device descriptor immediately followed by a
 *   configuration descriptor and the descriptors after it.
 * index: output; zeroed first. Its dev, config and iface pointers refer
 *   into `buffer` (nothing is copied except endpoint descriptors), so the
 *   buffer has to stay valid for as long as the index is used.
 *
 * Returns false when the blob is shorter than a device descriptor plus a
 * configuration descriptor header, true otherwise.
 *
 * The blob is whatever the test program supplies, so every length byte in
 * it is untrusted. The walk stops at a descriptor whose length byte is 2 or
 * less, or whose stated length runs past the end of the buffer.
 *
 * NOTE(review): those checks bound a descriptor by its own length byte, but
 * the interface branch then reads fields up to byte 5 of the descriptor and
 * the endpoint branch copies sizeof(struct usb_endpoint_descriptor) bytes,
 * regardless of that length. A short interface or endpoint descriptor at
 * the end of the buffer can therefore be read past `length`. Comparing
 * desc_length with the size of the struct before each access would close
 * this.
 */
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	/* Everything after the device descriptor; size_t narrowed to int. */
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	/* The walk starts at offset 0, i.e. at the device descriptor itself. */
	size_t offset = 0;
	while (true) {
		/* Need at least the length and type bytes. */
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		/* A length of 2 or less also guards against a zero-length
		 * descriptor that would never advance the offset. */
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		/* Interfaces beyond USB_MAX_IFACE_NUM are skipped, not an error. */
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		/* An endpoint is attached to the most recently indexed interface;
		 * endpoints seen before any interface are ignored. */
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

/* Return type of add_usb_index(), which continues on the next line of this
 * listing. */
static struct usb_device_index*
/*
 * add_usb_index (its return type is on the previous line of this listing):
 * claim the next slot of usb_devices, parse the descriptor blob into it and
 * publish `fd` for lookup_usb_index().
 *
 * Returns the index of the slot, or NULL when all USB_MAX_FDS slots have
 * been handed out or the blob fails to parse.
 *
 * The slot counter is advanced before either check and nothing visible in
 * this listing decrements it, so a failed call still consumes a slot.
 * The fd is stored last with release ordering; lookup_usb_index() reads it
 * with acquire ordering.
 */
add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	int rv = 0;
	rv = parse_usb_descriptor(dev, dev_len, &usb_devices[i].index);
	if (!rv)
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

/*
 * Find the index registered for `fd` by a linear scan of all slots.
 * Returns NULL when no slot matches.
 *
 * NOTE(review): usb_devices has static storage, so the fd field of a slot
 * that was never published is 0; a lookup for fd 0 would match such a slot.
 * No code visible in this listing clears a slot once its fd is closed -
 * confirm whether stale entries matter to callers.
 */
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

/* One caller-supplied string descriptor: byte length and data pointer. */
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

/* Optional caller-supplied descriptors used to answer requests during
 * connect: device qualifier, BOS, and a trailing array of strs_len string
 * descriptors. Pointers and lengths come from the test program. */
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptor: length 8, type STRING, then the characters
 * s, y, z as two bytes each. */
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

/* Fallback answer for string index 0: length 4, type STRING, then the
 * bytes 0x09, 0x04. */
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

/*
 * Pick the response to a device-to-host control request during connect.
 *
 * fd: device handle used to find the descriptor index.
 * descs: optional caller-supplied descriptors (tested for NULL in the
 *   STRING case below).
 * ctrl: the control request being answered.
 * response_data / response_length: outputs, set when true is returned.
 *
 * Returns false when fd has no index or the request is not one of the
 * handled standard GET_DESCRIPTOR types. The function body continues on
 * the next line of this listing.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* High byte of wValue selects the descriptor type. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				/* Low byte of wValue is the string index. */
				str_idx = (uint8_t)ctrl->wValue;
				/* The index is bounded by strs_len, but the str pointer
				 * and len are taken from the caller as-is. */
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					/* The first byte of the table is its length. */
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data =
/* Tail of lookup_connect_response_in(), continued from the previous line:
 * any other string index is answered with the fallback string. */
(char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/* NOTE(review): descs is dereferenced without a NULL
				 * check here and in the DEVICE_QUALIFIER case, while the
				 * USB_DT_STRING case of this switch tests it first. */
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs->qual) {
					/* No qualifier supplied: synthesise one from the
					 * device descriptor.
					 *
					 * NOTE(review): qual is the response_data argument
					 * itself, cast - i.e. the address of the pointer
					 * variable of the caller, not a buffer.
					 * The stores below write sizeof(*qual) (10) bytes
					 * there, which is more than a pointer holds on the
					 * amd64 target this log names, and *response_data is
					 * never pointed at a descriptor. The visible caller
					 * then copies response_length bytes from whatever
					 * value that pointer variable now contains. A
					 * dedicated output buffer for the qualifier would
					 * avoid both problems. */
					struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/* Signature of the handler consulted for host-to-device control requests
 * during connect; it sets *done to end the connect loop. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/*
 * Generic host-to-device handler: accepts only the standard
 * SET_CONFIGURATION request, on which it sets *done and returns true.
 * Every other request returns false. fd and descs are not used.
 */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

/* -------------------------------------------------------------------------- */

/* Open the vhci device node read-write; returns the fd or the open() error. */
static int vhci_open(void)
{
	return open("/dev/vhci", O_RDWR);
}

/* Select `port` on the vhci fd via the VHCI_IOC_SET_PORT ioctl. Only the
 * port field of args is assigned before the call. */
static int vhci_setport(int fd, u_int port)
{
	struct vhci_ioc_set_port args;
	args.port = port;
	return ioctl(fd, VHCI_IOC_SET_PORT, &args);
}

/* Issue the VHCI_IOC_USB_ATTACH ioctl on the vhci fd. */
static int vhci_usb_attach(int fd)
{
	return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL);
}

/*
 * Read exactly `size` bytes from fd into buf, looping over short reads.
 * Returns 0 on success and -1 when read() fails.
 *
 * NOTE(review): a read() result of 0 is not treated as an error here, so
 * with size > 0 the loop would repeat without progress; the matching send
 * helper in this listing stops on `done <= 0`. The loop body continues on
 * the next line of this listing.
 */
static int vhci_usb_recv(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = read(fd, ptr, size);
		if (done < 0)
			return -1;
		if ((size_t)done == size)
			return 0;
/* Tail of vhci_usb_recv(), continued from the previous line: advance past
 * the bytes already read and loop for the rest. */
size -= done;
		ptr += done;
	}
}

/* Write exactly `size` bytes from buf to fd, looping over short writes.
 * Returns 0 on success and -1 when write() returns 0 or fails. */
static int vhci_usb_send(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = write(fd, ptr, size);
		if (done <= 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

/* -------------------------------------------------------------------------- */

/*
 * Emulate the connection of a USB device through /dev/vhci and answer the
 * control requests that follow until the out-handler reports completion.
 *
 * speed: not used in the visible body.
 * dev / dev_len: descriptor blob handed to add_usb_index().
 * descs: optional extra descriptors, passed through to the handlers.
 * lookup_connect_response_out: handler for host-to-device requests.
 *
 * Returns the vhci fd on success, -1 on any failure. Only proc 0
 * (procid + 1 == 1) is supported.
 *
 * vhci_request_t, VHCI_REQ_CTRL, UE_DIR_IN and UGETW are not defined in
 * this listing; presumably they come from the system headers whose names
 * were lost from the include lines - confirm.
 *
 * The function body continues on the next line of this listing.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	struct usb_device_index* index;
	int portnum, fd, rv;
	bool done;
	portnum = procid + 1;
	if (!dev) {
		return -1;
	}
	if (portnum != 1) {
		/* For now, we support only one proc. */
		return -1;
	}
	fd = vhci_open();
	if (fd < 0) {
		return -1;
	}
	index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		goto err;
	}
	rv = vhci_setport(fd, portnum);
	if (rv != 0) {
		goto err;
	}
	rv = vhci_usb_attach(fd);
	if (rv != 0) {
		goto err;
	}
	done = false;
	while (!done) {
		vhci_request_t req;
		rv = vhci_usb_recv(fd, &req, sizeof(req));
		if (rv != 0) {
			goto err;
		}
		/* Anything other than a control request aborts the connect. */
		if (req.type != VHCI_REQ_CTRL) {
			goto err;
		}
		char* response_data = NULL;
		uint32_t response_length = 0;
		/* Staging buffer for the data stage of the request. */
		char data[4096];
		/* NOTE(review): this listing declares only the tag
		 * `struct usb_ctrlrequest`; the bare name `usb_ctrlrequest` used
		 * in the two casts below has no typedef here, which a C compiler
		 * rejects. That is a likely cause of the build failure this log
		 * reports - confirm against the compiler output, which is not
		 * part of this excerpt. */
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			bool response_found = false;
			response_found = lookup_connect_response_in(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &response_data, &response_length);
			if (!response_found) {
				goto err;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &done)) {
				goto err;
			}
			response_data = NULL;
			response_length = UGETW(req.u.ctrl.wLength);
		}
		if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			/* TODO: possibly revisit */
		}
		/* Bound the transfer: a length larger than the staging buffer is
		 * dropped to 0, then the length is capped at wLength. After these
		 * two checks the copy below cannot overrun `data`; the source
		 * pointer and its real size are still caller-controlled. */
		if (response_length > sizeof(data))
			response_length = 0;
		if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length)
			response_length = UGETW(req.u.ctrl.wLength);
		if (response_data)
			memcpy(data, response_data, response_length);
		else
/* Tail of syz_usb_connect_impl(), continued from the previous line: with no
 * response data the staging buffer is zero-filled instead. */
memset(data, 0, response_length);
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			/* Device-to-host: send a size header, then the payload. A
			 * zero-length response sends nothing. */
			if (response_length > 0) {
				vhci_response_t res;
				res.size = response_length;
				rv = vhci_usb_send(fd, &res, sizeof(res));
				if (rv == 0)
					rv = vhci_usb_send(fd, data, response_length);
			}
		} else {
			/* Host-to-device: consume the data stage. */
			rv = vhci_usb_recv(fd, data, response_length);
		}
		if (rv < 0) {
			goto err;
		}
	}
	sleep_ms(200);
	return fd;
err:
	/* NOTE(review): the fd is closed here, but nothing visible in this
	 * listing clears the slot that add_usb_index() published for it. */
	close(fd);
	return -1;
}

/*
 * Pseudo-syscall entry point: unpack the four raw arguments (speed, blob
 * length, blob pointer, extra descriptors pointer) and run the connect
 * sequence with the generic out-handler. The pointer arguments are raw
 * integers from the generated program, cast without validation.
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Pseudo-syscall entry point: close the given fd, wait 200 ms, and return
 * the close() result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Common process setup: start a new session and cap resource limits -
 * locked memory 8 MiB, file size 1 MiB, stack 1 MiB, core dumps 0, open
 * files 256. Only setsid() is checked; the setrlimit() results are ignored,
 * so a limit that fails to apply goes unnoticed.
 */
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

/* Sandbox mode "none": apply only the common limits above, then run the
 * execution loop. No further isolation is set up in this function. */
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

/*
 * Pseudo-syscall: treat `text` as the address of a function taking no
 * arguments and call it. Whatever bytes the program placed at that address
 * run as machine code with the privileges of this process.
 *
 * The asm statement has an empty template and fourteen register inputs
 * holding the constants 0 to 13 - presumably to put known values in
 * registers before the call; confirm against the generator source.
 */
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	((void (*)(void))(text))();
	return 0;
}

/* Per-worker state: whether the thread exists, the call number it should
 * run, and the ready/done events used to hand work over. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

/* Pool of up to 16 workers. */
static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently in flight. */
static int running;

/* Worker thread body: wait for `ready`, run the assigned call, signal
 * `done`, repeat. The loop continues on the next line of this listing. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
/* Tail of thr(), continued from the previous line: run the assigned call,
 * drop the in-flight counter and signal completion. */
execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/*
 * Run the 15 calls of the program twice on the worker pool.
 *
 * First pass: each call is handed to the first idle worker and waited for,
 * for 45 ms (plus 3000 ms for call 13 and 300 ms for call 14). A call that
 * has not finished by then is left running.
 * Second pass (collide): even-numbered calls are not waited for, so the
 * next call is started while they may still be running.
 *
 * After each pass the function waits up to 100 ms for in-flight calls.
 * Workers are created lazily the first time a pool slot is visited.
 */
static void execute_one(void)
{
	/* The empty if body only consumes the write() result. */
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	int collide = 0;
again:
	for (call = 0; call < 15; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				/* A new worker starts out idle. */
				event_set(&th->done);
				thread_start(thr, th);
			}
			/* Skip workers that are still busy with an earlier call. */
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			if (collide && (call % 2) == 0)
				break;
			event_timedwait(&th->done, 45 + (call == 13 ? 3000 : 0) + (call == 14 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
	if (!collide) {
		collide = 1;
		goto again;
	}
}

/* Redundant declaration: execute_one() is already defined above. */
static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Endless execution loop. Each iteration creates a working directory named
 * after the iteration number, forks a child that changes into it and runs
 * the program once, and waits for the child. A child still running after
 * 5 seconds is killed through kill_and_wait(). The directory is removed
 * afterwards. Failure of mkdir(), fork() or chdir() ends the process with
 * exit(1). There is no exit from the outer for loop.
 */
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		/* 32 bytes hold the two-character prefix plus any int value. */
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			/* Poll once per millisecond until the child is reaped. */
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

/* Fallback syscall numbers, used only when the system headers do not
 * already define the name. The last guard is completed on the next line of
 * this listing. */
#ifndef SYS_accept
#define SYS_accept 30
#endif
#ifndef SYS_dup2
#define SYS_dup2 90
#endif
#ifndef SYS_fcntl
#define SYS_fcntl 92
#endif
#ifndef SYS_getpgrp
#define SYS_getpgrp 81
#endif
#ifndef SYS_getsockname
#define SYS_getsockname 32
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_pwrite
#define SYS_pwrite 174
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 105
#endif
#ifndef SYS_socketpair
#define SYS_socketpair 135
#endif
#ifndef SYS_stat
#define SYS_stat 439 #endif uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_fcntl, 0xffffff9c, 0xcul, 0xffffff9c); if (res != -1) r[0] = res; break; case 1: res = syscall(SYS_dup2, -1, r[0]); if (res != -1) r[1] = res; break; case 2: memcpy((void*)0x20000000, "\x5d\x1d\xd4\x36\xf0\xf5\xa3\x2b\x11\x7d\x0f\x61\xdc\x01\x05\x11\xe7\xe3\xc7\xf9\x2e\x33\x63\x0d\xfc\x7a\x02\xf9\xf4\xdf\x14\xc2\x15\xd8\x71\x6f\x98\x89\x2c\xba\x0d\xdc\xbb\xd6\xb2\x68\x3f\x5e\x02\x81\x52\xeb\xbe\x2d\x26\xa7\xe4\xc4\x56\x73\xb5\x5c\xf7\x6e\x77\x95\xdd\x12\x4f\x82\x94\x7e\x02\x44\xeb\x08\xcf\xb0\xb5\xda\x0c\x82\x9b\x15\x80\xac\x64\x47\x3f\x06\x9f\x99\x28\xc1\x04\x3b\xde\xaa\x54\x18\x29\xf4\xef\x60\xf8\x0e\xa0\xb9\xb9\x12\xa9\x74\xa5\xe9\x8e\xa7\x54\x23\xd1\x12\x68\x15\xde\x13\x19\xa7\x8c\x81\x27\xc0\x17\xf8\xcb\xe8\x6d", 135); syscall(SYS_pwrite, r[1], 0x20000000ul, 0x87ul, 6ul); break; case 3: *(uint32_t*)0x20000100 = 8; syscall(SYS_getsockname, r[0], 0x200000c0ul, 0x20000100ul); break; case 4: *(uint32_t*)0x20000180 = 0xc; syscall(SYS_accept, r[1], 0x20000140ul, 0x20000180ul); break; case 5: syscall(SYS_socketpair, 0x18ul, 0x844590f3b4efa023ul, 0x7f, 0x200001c0ul); break; case 6: *(uint32_t*)0x20000240 = 8; res = syscall(SYS_accept, 0xffffff9c, 0x20000200ul, 0x20000240ul); if (res != -1) r[2] = res; break; case 7: res = syscall(SYS_getpgrp); if (res != -1) r[3] = res; break; case 8: memcpy((void*)0x20000280, "./file0\000", 8); res = syscall(SYS_stat, 0x20000280ul, 0x200002c0ul); if (res != -1) r[4] = *(uint32_t*)0x200002dc; break; case 9: *(uint32_t*)0x200003c0 = r[3]; *(uint32_t*)0x200003c4 = r[4]; *(uint32_t*)0x200003c8 = 0; syscall(SYS_setsockopt, r[2], 0xffff, 0x11, 0x200003c0ul, 0xcul); break; case 10: memcpy((void*)0x20000000, 
"\xd2\x88\x11\xeb\x3e\xf8\x05\x7d\x4d\x7c\x72\x29\xab\x1e\x5a\x02\x15\x74\x40\xec\x59\x86\x63\x31\x4f\x52\x2e\x6a\x8f\x7e\x2b\x68\xcd\x21\x08\x34\xf1\x3e\x84\xf2\x57\xc3\x58\xe7\xe1\x97\x17\xa7\x93\x53\xa0\x60\x9a\xbf\x39\xfc\x23\xd2\x80\xe0\x31\xdb\xc3\x60\x48\xed\x67\xb3\x18\xa0\x55\x3a\x54\x1c\x84\x16\x7d\x1b\xf3\x90\x95\x1a\xbf\xd5\x37\x01\x57\xad\x02\x4b\xea\x03\x0e\x6c\x00\x3d\x2e\x50\xa9\x32\x90\x39\x93\x42\x94\x72\xcc\xa8\xbe\x88\x08\xca\x29\x15\x85\x8e\xd2\x59\x8c\x1e\x76\xf9\x8e\x66\x2b\x06\x78\xbd\xfd\x91\x86\x2b\x0a\xf8\x4e\x15\x85\xc3\x70\x9e\xeb\x1b\x8f\x06\x57\x03\xa7\x5c\x12\xe1\xfa\x87\xb7\x7d\x46\xd3\x74\xee\x21\x13\xbb\xbd\x6b\xde\xbb\x4c\xf0\x68\x7f\x79\xdb\x89\x5a\x8a\xc8\x1c\x3b\x28\x6c\x03\x42\x7e\x32\x11\xe7\x14\x20\xaf\xa9\xb5\xc9\x01\x3e\x63\x8e\xd9\x7d\xe9\x98\x3f\xb3\x34\x24\xfe\x11\xef\xd7\x82\x4c\xd6\x97\x92\x86\xd5\x9a\x5c\x79\x33\x8b\x6a\x9a\x2d\x15\xe7\x07\x91\xbd\xb5\x18\x6a\xa7\x4e\x17\x5a\x00\x49\xc1\xe3\x9d\xb5\x36\x37\x7a\x83\x54\x91\x5a\x8a\x15\x12\x5b\x8b\xe6\x2f\x01\xa9\x37\x40\xb2\x42\x8b\x18\x9e\xa4\x2e\x31\xb6\xce\x7a\xa3\x67\x6b\xf1\x46\x8b\x75\x1b\xf0\x6a\xac\xf1\x59\x04\xdb\x50\xc1\xbe\x9d\xf4\xcc\x9d\x41\x59\x9c\x57\xcf\xaf\x66\xb7\xe5\xee\x2d\x23\x72\x63\x0a\x7b\xf5\x38\xda\x78\x6d\xff\xf6\x05\x2e\x02\x55\x8a\x4d\x1c\xcf\x70\x99\xa8\xc5\x99\xc3\xc8\xb5\x15\xe8\x44\xf1\xe2\x3d\xe7\x3d\x80\x61\x27\x22\x82\x53\xa7\x05\x3b\x5e\x91\x51\x16\x85\x37\x0c\x98\x0f\xfa\x72\xe5\x55\x1f\xf0\x5f\xcb\xd9\x40\xd5\x14\xbe\xd2\x86\x0b\x87\x5b\x9a\x12\xb2\x6e\xdb\xb2\x92\xe0\xe8\xd8\xcb\xcd\x9d\xe3\xab\xa6\x8f\x7c\x14\x19\x24\x9f\xe4\x3a\x67\x54\xbf\x02\xa3\x6e\x0f\xd1\xf2\x7c\x48\xe9\xd1\x6c\x18\xed\x14\x84\xe5\x6c\xc5\xbc\x34\x83\x51\x93\x11\xe3\x37\x54\xaf\x2f\xc4\xd3\x7c\xfa\x1c\x6e\x5f\x0d\x38\xae\x96\xa6\x21\xc0\x4d\xb0\xfd\x7d\x79\x32\x97\xe4\x98\x1f\x90\x82\x93\x7b\x93\x22\xf4\x94\xbd\x98\xb2\xf4\x3d\x9b\x5c\x19\xff\x19\xec\x17\x7c\x63\x05\xb1\x88\x00\x44\x51\x11\x76\x3c\xda\xee\xc3\x51\x68\x93\x84\x78\x3a\xe7\xcf\xf9\xb1\x06\x6
3\x9e\xa6\x11\xfb\x72\xe8\x6d\x68\x5e\xa0\xf6\xb6\x5d\xc3\xb9\xa2\x43\x6c\x89\x25\x73\x82\xd1\x15\x16\xa2\xb0\x66\x37\xcf\xd9\x31\xe2\xca\x4e\x62\x53\x43\xd6\xb9\x65\x25\xc5\xbf\x7d\xcc\x43\x7f\x47\x4e\x1f\xf9\xf3\xdc\xc8\x57\x40\x44\x4a\x4c\x56\x9f\x50\x37\x9b\x98\x5f\x68\x43\xac\x29\xf0\x9a\x9f\x99\x81\x9a\xe2\x10\xdb\x22\xab\x19\x34\x09\x74\x95\x7f\x1f\xbe\xa4\x1c\x58\x51\xb2\xfa\x7a\x2f\xa8\x75\x81\xa7\xfb\x42\xdb\x8c\x24\xb4\xc6\xf8\x29\xbe\x59\x2c\xa0\xd0\xcf\x1a\x2f\xe6\x7d\xec\x53\x2c\xfa\x77\xf8\xf1\x95\x5d\xa3\x35\xa8\x4d\x5a\xef\x49\x05\xa9\xa2\x36\xc6\x07\x77\x4a\x0b\x4e\xf1\xd5\x0b\x55\xbd\x49\xaa\x87\x7c\x2b\x6b\x2e\x37\xa3\xe4\xa3\xb2\x4e\x95\xfa\x55\x7b\xa8\x9a\xaf\x42\x27\xb5\xbb\x0e\x64\x0b\x46\x98\xcd\x00\x4f\x87\x0c\x7d\xaa\x9e\xa4\x41\xfd\xbe\x8b\x30\x53\xdf\xfc\xe6\x46\xc0\xb0\x6d\xf3\x23\x25\x2c\xad\xa7\xf2\x4f\xcc\x21\x62\x4e\xdf\x49\x56\x7b\x26\x93\xfe\xc0\x69\x3d\x24\x3e\x06\x7b\x21\xe2\xbe\x29\x6c\x52\xbb\x2a\x38\x1f\x47\x94\xaa\x2e\x85\xdd\x5c\xb6\x67\x7e\x94\xb7\xe0\x03\xeb\xad\x24\x57\x37\x62\xa6\x40\x97\x3c\x07\x72\x99\x4d\xa2\x8c\x64\x90\xc1\xaf\x8f\x0f\x91\x75\x4e\x71\xc7\xf3\x26\xbd\x31\xdf\xc9\xc6\xfc\x20\x76\x7d\x71\x3a\x93\x31\x7b\xcb\xe0\xa3\xef\xc9\xc5\xa8\x57\x1b\x7b\x0a\x02\x97\x77\x41\xe8\xa8\x3c\xa8\x12\x96\x14\x5e\xc9\x55\xe1\xab\x98\x2c\x7f\x46\x62\x84\x56\x2b\x52\xde\x13\x55\x68\xa1\x42\xe6\x77\xc3\x43\xf5\xeb\xd3\x37\x55\xd0\xb9\x15\x65\x64\x6d\x7c\x36\x2e\x46\x64\x00\x7c\xae\x21\x67\xdb\x5d\x0a\x93\x3e\x12\x19\xd3\xd6\xa7\x38\x75\x76\xe5\x42\xf8\x16\xfa\x51\x6d\x44\xaf\xc3\xd9\x92\x29\xd4\xf5\x7f\xa8\x3b\x89\x48\xf8\x98\xb8\x52\x8d\xed\x2c\x53\x9b\x60\x33\x49\x1c\x6d\x78\x0c\xac\xb2\xbc\x3f\x52\xc2\x79\x4d\xe8\xdb\x39\x58\x12\xd4\xf7\xa4\x4b\x9c\x04\xd6\xfd\x3c\xa8\x6c\x68\x64\x7d\x3e\x47\x5d\xe5\x81\xed\xc3\x88\xdc\xde\x91\xb8\xb2\x4c\xd4\x2b\x91\xa1\x9e\x91\xb4\xb6\x37\xb4\x3b\x6f\xa4\xe1\x50\x44\x3e\xc7\xc0\x86\x95\xc4\x2b\xc6\xa9\x30\xb3\x08\x42\x04\x02\x3b\xfd\x15\xe1\xc0\x31\x2e\x46\xf4\x30\xe2\x6b\x0f\xcc\xa1\x5
2\x20\x9f\xc1\xc7\xf9\x91\xc1\x11\xbd\xcd\xa7\x2e\x19\x86\x26\x76\x6e\xaf\xc8\xcf\x54\x92\x18\x9d\x4c\xc9\xa8\xe2\xa8\xa9\xcb\x73\x89\x78\xec\xec\x37\x37\x6d\xc9\x9c\xa8\xd3\xef\xcf\xe7\x3d\xa5\x38\x96\x0e\xbf\x78\xf0\xa4\x36\x63\x76\xae\x5f\x1b\xb1\xf8\x11\xec\xce\xb6\x25\x10\x89\x78\x55\xe3\x06\x61\x04\x70\x1b\x94\xf6\x19\x13\xda\x46\x99\x31\x3c\xec\x63\xa8\x8a\x9b\xa4\x44\xa5\xfc\x01\xc0\x03\xbf\x9d\x6b\x25\x25\x04\xe4\x77\xf4\x0f\xb3\x3e\x59\x5f\x30\xac\x53\x8b\xc9\xee\xb2\x93\x72\xb7\xa9\xd1\xf6\xa2\xa9\xb0\x17\x7a\x17\x1e\x5f\x87\x9e\xab\x36\x3c\x76\x08\x61\x7c\x26\x19\x7d\xf1\xda\x9b\xaa\x02\x75\xe2\x3e\xd1\xb5\x92\xce\xbd\xcd\x6e\xf2\x2b\x36\xc4\xf2\x87\xdf\xe8\x49\xcf\x54\xea\xed\x55\x70\xff\xc4\x50\xcd\xe8\xb6\xee\x12\xef\xbc\x8d\xdf\xea\x6b\xf7\x82\xc2\x7e\x5a\x58\x16\xb6\xf0\x4f\xf5\xfe\x97\x7f\x05\xa5\xb1\x2a\x13\x64\xa6\x59\xcb\x6b\x11\xab\x7a\x16\x82\xe1\x09\x7e\x61\x87\xcd\x7c\xbb\xa8\x7e\xf4\xca\x8c\x2c\xaf\x28\x49\x99\x13\xd9\x8a\x9e\x9f\x2e\x11\xc5\x2f\x37\xfa\xf2\xcd\x20\x7b\xbe\x57\x34\xda\x0e\x91\xba\x5f\x8b\x48\xad\x59\xb1\x22\x67\x85\x50\xb2\x7f\xef\xe7\x1a\xf5\x3d\x6f\x93\x41\x04\x38\x73\x89\xb5\x93\x24\xcd\xbf\x44\x6e\xfe\x50\xdb\xd2\x3d\xb7\x41\x8e\xc6\x66\x6e\xd9\xfc\xaa\x6f\x70\xbe\xac\x9c\xa4\x2a\x90\xee\xc8\x56\x7b\xe2\x1f\xb4\x5f\x08\x86\x75\x57\x15\xf3\x17\x37\x35\x23\xdf\xeb\x84\x5a\xb7\x73\x33\xcf\x8d\xdf\x92\x62\x44\xa3\x8e\x02\x4d\xf5\xaf\x9e\xa0\x72\x53\xd0\x7a\x59\xdb\x51\x12\x3f\xd8\x11\xcc\xe2\xd2\x06\xea\xe6\x94\x3e\xc8\x75\x59\xeb\x0e\xb2\x8a\x94\xa6\x27\x83\x1e\x45\xb3\xa7\xd1\xf8\x9f\x7a\x49\xfb\xce\x7c\x5a\x6e\xd8\x1f\x4e\x68\xdd\x3c\xe2\x93\x46\xf7\xc1\x4e\x50\x64\x54\x8d\x57\xf1\x13\x63\x13\x9e\x5b\x66\x9a\x17\x44\xbd\x99\x89\x40\x08\x27\x97\x3e\x67\xe9\x4c\xb5\x55\xb0\x8c\xf0\x45\x65\xf3\x3d\xb1\x71\x96\xd1\x65\x18\xb4\xf4\xb0\x23\x05\x3e\x86\xa7\x27\x55\x21\xfa\x5b\x20\x99\x3d\xe7\xc2\xfa\x09\x79\x7d\x92\x4d\x59\x89\x3c\xaa\x98\xd9\x7b\x58\x62\x89\xda\x8c\x9c\xc3\x81\x0c\xfd\xe8\x5b\x31\xa4\xe3\x11\x8a\x5c\xc2\xfb\x6
3\xe4\x07\x3d\xc2\x24\xe5\x01\xb6\x37\xc6\x66\x74\xea\xd1\xe8\x4a\x7e\x3e\x3c\xe4\xad\xaf\x0c\x72\x3e\x38\xa4\x1d\xb5\x47\xe9\xcc\x33\x82\xec\xf9\xf6\xb6\xf9\x64\xc1\xf8\x1f\xe7\x53\x65\x59\x3c\x9a\x55\x15\x2e\xc7\xc0\x50\x67\x47\x4b\xd7\x1a\x93\x70\x00\x9f\xee\x6d\x87\xf3\xee\xf6\xc9\x36\x0a\x50\x29\x41\xe9\x37\x30\x45\x41\x61\xd0\xf0\x39\x1f\x7c\x5e\xbd\xe6\x22\xf0\x5c\x1d\x67\x36\x89\x44\x39\x0b\x68\x17\x8f\xef\xb8\x25\xad\xd8\x12\xf4\x96\x86\x70\x53\x74\x01\x70\x35\x31\x66\x7c\xd5\x15\x0f\x21\x1b\x9f\xcf\xec\xf4\xee\x5e\x08\x80\xf3\x74\x8b\x9e\x7a\x74\x5e\x80\x2a\xff\xac\xc6\xb4\xaa\x5b\x5d\x83\x75\x0f\xc1\xc4\x7d\x4a\xb6\x91\x70\x90\x1e\x7f\x5e\x44\x2b\xb9\x8a\x89\x18\x60\x54\xac\xf2\x07\xa3\xcf\x70\x17\x31\x56\xc5\x59\xfd\x72\x86\x0a\x7d\x26\x79\xa2\xff\xcb\x53\x30\x20\x41\x13\xdb\xac\x6b\x3c\x3b\x69\xaa\x4f\x75\xf2\x1c\xb2\x15\x4a\x4a\x6b\x31\xc0\x25\xd5\x2a\xc5\x49\x60\x48\x3c\xed\xf3\xf1\x1a\x1a\xdf\xfe\xf2\xf1\xfe\xc9\x4a\x55\x61\xd9\x18\x68\x00\x1c\x3d\x83\x95\xff\x45\x0b\x14\x00\x95\xd6\x53\x64\x75\x37\x9f\x38\x63\x4a\xcf\x9d\xed\xff\x61\xb1\x7f\x7c\x87\xf8\xc0\x56\x6b\xe6\x25\x0c\xf4\x39\xeb\xa3\x8c\x37\x65\x39\x3a\x9e\xd1\x01\x6d\x50\x2b\xa1\x3a\x8e\xf6\xde\x35\xba\x66\x9b\x10\xa0\x00\x82\x23\xd2\xe2\xf8\x8d\x35\xfe\x0a\x73\x23\x32\x4b\xfa\xbf\x25\xa7\xac\x01\x90\x45\x49\xa2\x59\xe6\xa8\xd3\xa4\x96\x4f\x19\x7e\x94\xb8\xf9\xb3\xa3\x16\x3f\x63\x49\xe3\xda\xc7\xe0\x17\x48\xf6\x74\x79\x5c\xc3\xbd\x5a\x9a\x3a\xb5\xf2\xc1\x30\x81\x16\x7d\xf3\x7e\x37\x9e\xeb\x2e\xcf\x9c\xdf\xa2\x37\x15\x95\xf3\x08\x31\x05\x1a\xb1\x57\xac\x75\xf9\xeb\xc4\x8b\x49\x95\x59\x7e\x20\x6c\x7b\xa2\x29\xab\x30\xec\xcf\xe6\x62\x4d\x88\x49\xea\xe4\x1d\x2d\xc7\xa4\xd7\x57\xa3\x73\xb1\xd8\x66\x95\xc4\x20\xcc\x04\xbf\x0d\xa6\x64\xa7\x56\xb4\x82\x24\x16\x3d\xe4\x41\x8b\x93\x23\x39\xd2\x99\x06\x13\x13\xa6\x34\xa4\xba\x08\x9b\x12\xf8\x5d\x4d\xa1\xd2\x7d\x51\xde\x93\x08\x31\x0e\xf6\xae\xb3\x56\x23\xd0\xa7\x72\xc5\xce\xdd\x2a\x65\x9f\xde\xf0\x92\xb4\xdf\x6a\x88\xd2\x96\x42\x00\xc2\x85\xe8\xc1\x6
e\x74\x89\xb8\x1e\x41\x59\xdb\x06\x2c\xe8\xa7\xd0\xda\xb6\x51\x80\x92\x11\xed\xf0\x58\x6f\x28\x9e\xf0\x3d\xee\x7b\xb9\xf4\x38\xc1\xa3\x52\xf6\x34\x2c\x66\x4b\xfd\x35\xd2\x38\x85\xb0\x9b\xd1\xda\x62\xbd\x65\xd0\xbc\x09\xa5\xeb\x5a\xe9\x5e\xa3\x10\x88\x14\x77\x81\xc3\x35\xea\x17\x77\x72\xa2\x28\x96\x19\x1a\x7d\x15\x70\x2b\x6b\x34\x37\xce\xd8\x86\xcc\x85\xbb\x26\x86\x5c\xe8\x28\xb9\xfe\x78\xa0\x7b\x46\x3d\xf7\x33\x2f\x67\x92\xb2\xfd\x86\xd1\x7b\x1e\x98\xa4\xcc\x77\x29\xb0\x58\xc5\x98\xc9\x61\xc6\x34\xb1\x5d\x09\x73\xca\xcd\xd9\x73\x5a\x0f\x77\x78\x6a\xe2\xb0\x76\x6b\x31\x94\xa1\x27\x34\x5d\xd8\xc1\x1f\x69\xfa\x4c\x44\xcc\x5b\x30\xe0\x1f\x6d\xc5\x61\x33\x0f\x63\x63\x29\xc9\x7e\xc0\x5a\xe8\x29\x1d\x9a\x26\xb6\x05\xf1\xb2\x77\xc9\x32\x21\x15\x62\x6e\x29\x75\xc7\x91\xc3\xef\x10\x95\x4c\xb8\xb4\x7c\xea\x6c\xf6\x97\xeb\x9d\xb3\xbe\xcb\x11\x14\xce\x63\x92\x19\x9e\x87\xba\xc0\x43\xed\x7a\x15\x83\xdc\x66\x0b\x36\xde\xb0\x22\x1a\x79\xed\x70\xbf\x71\x3f\x3c\x9c\x88\x25\x83\x81\x4c\x2e\xca\x81\x51\xd2\x71\x71\x95\x92\xd5\xc1\xfc\x62\x66\xa2\x76\xa3\xe8\xd3\x88\x27\xb2\x90\xe1\x04\x46\x06\x99\x2d\x13\x42\x36\xa1\xae\x87\xf9\x33\x8b\x77\x41\xf2\xe8\xa7\x46\xeb\x0f\x60\x77\x62\xed\x4e\x18\x92\x3d\xba\xcf\xea\x14\x7a\xd5\x7e\xff\x61\x71\x67\xd0\xf5\x4d\xaa\xc4\x54\x37\xc5\xe6\x1b\x45\x93\x7e\x8a\xa5\xe7\xce\xef\x4c\xa2\x25\x4b\x97\x01\xa2\x2f\x57\x7f\xb6\x27\xe8\xe1\xc1\xc7\x04\x01\xae\x81\x1b\x9a\x53\xf4\xc1\x6a\x79\x43\xe3\xd8\x1b\xa3\xd9\x20\x9c\xbd\xfb\x20\x8b\x04\xce\x15\x8e\x7b\xa8\xee\x77\xb0\xb7\x5f\x52\x08\x68\x6d\xf7\x87\x12\xd2\x8f\x70\x03\x61\x15\x91\x00\x36\x9b\x63\x33\x84\xdd\xff\x44\x02\xc0\xab\x0e\x2e\xc0\xaa\x87\x18\x6a\x65\xd3\x48\x4d\x29\x21\xd6\x25\x3f\xd1\xfb\xf4\x6b\x63\xba\x72\xeb\x79\x5c\xc0\x25\x69\x0f\x1f\x48\xdb\xe3\x08\xf9\x78\xe2\xfd\x55\x13\xe2\xdd\xc0\xb0\x66\x19\x4f\xd5\x8d\x3e\xaa\x49\x69\x0b\xd7\xe7\x86\x38\x85\xeb\x5e\x2a\xc6\x87\x0d\xe8\x35\x92\x67\x5f\x74\xcf\x89\x89\xe1\x8e\x68\xf1\xb6\x06\x78\x27\x0c\xa6\xb9\xc0\xda\xf4\x44\x27\x8a\x7d\xc8\x2a\x9
7\x80\x73\x0a\xa0\x3b\xe5\x68\x13\xe8\x1d\x6f\x29\x6c\x6f\x87\xd0\x09\x96\x18\xaf\x9f\x7e\x99\x16\x49\xec\x36\x49\x72\xd4\xc8\xfb\x66\x96\x70\xec\x92\x96\xce\x17\x38\x38\xb9\xc9\x2b\xaf\x6b\xf8\x83\xc1\x34\xd2\xc1\xcb\xcd\x92\x8b\x54\x99\x1d\x4c\x00\xf4\xaa\x72\x70\xbf\x3b\xef\xeb\x10\x8e\x98\x62\xf3\x46\x88\xcc\x2d\xb3\xb7\x94\x37\x77\x67\x12\x79\xa1\x7f\x9c\x64\xc4\x0b\xd8\x48\x5e\xf5\x2e\xb9\x64\x31\x4c\x65\xaa\x34\x59\x6f\x16\xb8\x0f\x9e\xf7\x81\xc4\xe8\xee\xb0\xac\xd2\x89\x38\x6c\x1a\xe5\x06\xae\x5b\xd2\xb2\x0b\x76\x0c\xe0\xc7\x9b\x56\xb1\x34\xe2\x2f\x57\xc4\x4a\xba\xe2\xf4\xec\xad\x82\xef\xe4\x02\xa4\x3a\x47\x59\x45\x77\xa2\x4b\x79\xa9\x4c\x6f\x7a\x5e\xda\xab\xeb\x48\xfc\x5e\xc2\x7a\xec\xd8\x23\x80\xd0\xe9\x40\xa0\x33\xe8\x7a\x44\x74\xb9\x5d\x58\xa5\xfe\xc5\x9d\x80\xb0\x91\xe9\x16\x5a\x14\x32\x5b\x38\xc5\xe4\x56\x5c\x3f\x0f\x12\x6f\x8b\x2a\xdf\x83\x26\x8e\x00\x76\x64\x7d\xdd\x43\xff\x2d\x52\xd7\x73\xab\x30\x40\x88\x45\x8f\xac\x4f\xb9\x37\x9e\x20\x96\x85\x60\xa0\x75\x17\xd6\xe0\x00\x1d\x2a\x08\xc3\xc6\xc9\x78\x25\xe1\x22\x59\xea\x86\x1b\x0a\xd5\x64\x94\x50\xdf\xfb\x3a\xfa\xe4\x9c\xd3\x1e\xfb\x40\x51\x3c\x06\xb7\x95\xe0\x71\x60\x3a\x47\xd3\xc8\x39\xc4\x01\xec\xc3\x8b\x11\x7d\xf9\x38\x83\x6a\x15\xb3\x1a\x13\x5b\x58\x89\x2d\xb9\xb4\xeb\xf6\x84\xdb\x3f\x7e\xce\x8a\x9d\x60\xbc\x8c\x81\x0e\xba\x0c\xa0\xd8\x75\x83\x57\x37\xd2\x5b\x94\x8b\x39\x28\x60\xaa\x82\xcd\xd5\xff\x7c\x6b\x0b\x4d\x7a\xe1\x82\x16\x89\x49\xd9\x84\x0e\x33\x54\x5d\x61\x27\x72\x7a\xbe\x02\xdd\x01\x41\x8c\xe4\xdd\x46\xaf\x7b\x5f\x08\x44\xcb\x51\xd4\x99\x2f\x4c\xe1\x22\x3c\x23\x13\x7c\x21\x13\x61\xd0\x15\x0e\xd2\x35\xa0\x59\x8f\x9e\x1d\x81\x6a\x40\xc6\xae\xb8\xad\x56\x26\xbc\x22\xb2\xe9\x39\x57\x47\x44\x1c\xc7\x8a\x55\x8d\xed\xc4\x02\x47\x32\x48\x98\x99\x12\xa0\xaa\x71\xac\x8d\x77\x54\xde\x78\xa1\xd5\xb9\xe5\x48\xd4\xeb\xef\x22\x4e\x82\xcd\x39\x35\x24\xd7\x9b\x88\xd6\xe0\x40\x5a\xd0\x2d\xa7\x11\x7b\xa0\x37\x29\x4e\x53\x5f\xff\x4b\xb7\xbf\xca\xce\xde\x33\x48\xf0\x1d\x16\x13\x48\xf4\xee\xe1\xa5\x15\xbe\x5
3\x0e\x0f\x0e\x64\xc5\x65\x44\xd4\xae\x10\x64\x45\xcc\xe1\x41\x0c\x79\x0b\xdb\xeb\x1e\x2d\x29\x3e\x01\x2e\x02\x97\xc4\x6c\x91\x45\xdc\xcb\xd6\xff\x77\xcb\xfa\xcd\xa4\x6f\x27\xd7\x1d\x02\xde\x14\xb6\x1c\x50\x53\x33\x19\xc6\x68\xfc\xfa\xc0\x36\xc7\x86\x7d\x12\xa3\xd0\xd8\xd4\x49\xc4\x96\x69\x58\x63\x49\xf2\x23\x9c\x4f\xa5\xc2\xb8\xfd\xfc\x42\x3e\xcd\x85\xed\xcc\xf6\x85\x47\xb1\xa9\x06\x76\x4c\x5c\x03\xff\x33\x2b\x56\x3e\xae\xee\xb8\x45\x65\x35\xc6\x1e\x91\x73\x92\xa0\x3d\xfe\x6b\xeb\xf3\xdc\x57\x10\xf9\x32\xb5\x07\xe3\xf0\xcd\xfb\x6a\x9d\xd0\x35\xf0\x6d\xe0\x55\x72\xca\x94\xd8\x5b\xfb\x15\x7e\x68\x44\x8a\xb8\xb0\xc4\xd5\x96\xce\x02\x0d\xad\xef\xce\xae\x68\x15\x3e\x5f\x62\xc5\xc0\x81\x43\xf5\xdb\x49\x7a\xaf\xab\x19\xcd\x33\x0c\x37\x84\xdb\x0a\xde\x50\x5a\x29\x51\x4b\xd1\xe8\xc3\xb9\x2c\x4f\x61\x65\x36\x22\xf8\x75\xec\xac\xc9\xe6\x77\x4a\xde\xca\x1c\xa4\x2f\x63\x7c\x70\x22\x99\xa2\xd3\xf8\x81\xbe\x79\x5b\xba\x9d\xb3\x40\xe4\x80\xaa\x4e\x94\x4d\xec\x20\x21\x6b\x83\x58\x45\x5d\xcf\x8e\xed\x99\x0e\x41\xf3\x37\x64\x42\xb9\xb3\xe0\xd8\x82\x38\x77\x5b\x8b\xea\x3f\x68\x8a\xf1\x85\x39\xb2\xe8\xba\xfa\xac\xc1\xc4\x06\x4e\x9a\xe8\x87\xc6\x9d\xca\x82\xac\xad\xf3\x55\x30\x92\xe7\x87\x97\xa6\x2c\xc8\x34\x44\x1c\x22\x2f\xf2\x26\xea\x32\xd2\x03\xc0\xb1\xfa\xcc\x67\xe6\x30\x71\x6a\x3f\x96\xa0\x77\xe2\x34\x8f\x2b\xe6\xd9\x3e\xc0\x63\x1a\x5e\xf1\xbe\xd4\x10\x61\x19\xd9\x70\xe6\x22\x8f\x01\x69\x89\xa8\xfd\xf0\x1b\xda\x8e\xdd\xfd\x60\x68\xd6\x49\xb3\x95\x6e\xab\x29\xd3\x03\xf1\xfc\x68\x67\xd8\x63\xc8\x7c\x35\x39\xe8\xe9\x9c\xe2\x39\x53\xc2\x5e\xe2\xb0\x98\x57\xd2\xdf\xdd\x4c\x2d\x24\x2b\xd8\x33\xf6\xb7\xf4\xa6\x7c\xde\x78\x63\xd6\x53\xa0\x05\x21\xfa\x68\xce\x23\x1d\x06\x15\xb0\x01\x75\xec\x1f\xca\x37\x7e\x4e\x72\xf7\x8a\x8f\x8f\xbc\xa9\xda\x4f\x40\x8b\xc1\xb7\x99\x97\x1c\x16\xce\x2e\x04\xaa\x24\x32\x79\xef\xcd\xb0\x78\x43\xd2\x55\xeb\x60\x67\xe3\x73\x2b\xcf\xdf\x1c\x17\x17\x8d\x77\xd3\xdf\xf4\x24\xd6\x77\x2e\x39\xae\xc3\xbe\xf9\x59\x2a\x25\xe9\xfb\xb5\x51\x09\x52\xe5\x83\xf5\x34\xa4\xd1\xf
5\x7c\xce\xfe\x84\x55\xf3\x53\xdf\xee\xee\xdc\x8b\x3e\xa3\xd6\xc4\x1f\xf4\x16\x7d\xe5\x14\x55\x30\xf3\xdd\x70\xbc\x89\xfd\xcf\xa8\x63\xd8\xc5\x65\x20\x8d\x32\x72\xb0\x23\x8b\x97\xd9\x5c\x5a\x67\x87\x24\x15\xa2\x7e\xf0\x6f\xa2\x6c\x0f\x72\xb5\x71\xcf\xfb\x76\x23\x69\xc8\x0b\x5f\x33\x2f\x03\xa9\x75\x9f\xec\x50\xd6\x04\xa1\x8a\x69\xfb\x52\x13\x11\xfa\x17\x1e\xa6\xfa\x40\x48\x73\xde\x91\x95\xf8\x47\xd8\x1f\xd4\xba\xe3\xd5\x21\x6d\x6c\x00\xcc\x38\xd5\xc7\x5d\xad\x1e\xf6\x86\xd5\xce\x4a\xcb\xb4\x77\xfb\xf6\xc5\xad\x0b\x26\x9e\x69\x05\x4b\x4a\x59\xdb\x3c\x6e\xb0\xce\xc7\xfb\xdf\x32\xd3\x30\x6c\xeb\x5d\x10\x06\xeb\x7b\xf6\xf0\x70\x12\xb1\x16\xc9\x5f\xbf\xcf\xd9\x9e\x82\xf5\xab\xa8\xeb\xd7\xc7\x90\xc9\xf0\x40\x75\xe2\xbb\x39\x9d\x92\x29\xbe\x4a\x0e\x90\xdc\x1b\x03\x58\xee\xcf\xfa\xda\xeb\xc0\xbd\xc6\xff\x1c\xfd\x00\xdc\xeb\xc0\xa9\x0d\x7b\x96\xc9\x6f\xa5\x52\xdc\x82\x4b\x94\x4d\x95\x1d\xb7\xd2\xb6\xee\x39\x9b\x6c\x1f\x29\x65\xe5\x93\x1c\xea\x56\x1b\x9d\xda\x86\xb5\xe7\xc3\x67\x41\xc0\x4a\x97\xa0\x0b\x06\x95\xa9\xd8\x3d\x62\x9e\xb5\xde\x99\xbf\x8a\xe8\xd7\x55\xf3\x31\xe4\x02\x53\x39\x0a\xbb\x2e\x60\x49\x16\x74\x96\xd5\xca\x37\x56\x3b\xea\xbd\xa4\xf8\x2b\x2c\x9a\x58\xef\xf2\xa5\x8a\x1d\x2f\xbc\x8d\x72\xc1\x88\xd4\xb3\x39\x2b\x9b\x42\x86\xa8\x5f\x5d\xed\x71\x0f\x24\x3b\x24\x83\x2c\x54\x79\x1e\xee\x12\x09\x44\x3f\x07\xf3\x74\xea\x2a\xb6\x14\xd6\xa9\xac\x8b\x09\x81\xc3\x50\x96\x96\xc0\x58\xd3\x2f\x4a\xff\x5a\xf8\xe9\xeb\x22\x53\xed\x4f\x83\xe8\xb4\xf3\x29\x4b\x61\xc9\x0d\x54\xd3\xc3\x5f\x3d\x44\xd5\x5a\x5a\x1f\x55\xba\xc7\xe5\x97\x8b\x63\xfb\xb9\xdf\x0e\x9c\x6b\x15\x4d\x61\x24\xef\x4c\xf6\x3f\xf3\xae\x36\x10\x32\x14\x7f\x9e\xf7\x5f\x9e\xa2\xf4\xb2\x2e\xb1\x36\x93\xe2\x67\xb7\xc4\xf6\x36\x5d\xe5\x36\x86\x11\x8a\x93\x4a\x59\x8b\xa5\xa8\x17\x5e\xe5\x0f\x09\x9a\xa9\xac\xd7\xf2\xe2\xc9\xb0\x5b\x04\x4b\x3b\x06\x1b\xd1\xbb\x3b\x29\x6b\x6b\xf9\x00\xb8\x56\xa6\x44\x8d\x81\x2e\x68\xef\xd3\x1f\xef\xfd\x44\x52\x99\x0c\xd5\xf7\xcc\x02\x58\x8e\xef\xbe\xbb\x9f\x56\xab\x77\xcd\x50\x29\x89\xcd\x1
6\xe8\x9a\x44\x55\x3e\x19\x89\xd4\xdf\xfd\x97\x7b\x53\xea\x8b\x3b\x63\x6d\x62\xbb\xb2\x65\xc4\x28\x0c\xab\x59\xda\xb2\x4f\xbe\x7f\x16\x18\x0d\xfd\xdf\x62\xe4\x82\xed\x8e\xdc\xa2\x7a\x96\x7c\xe5\xfa\xe0\x32\x8b\x64\x03\xce\xe1\x7a\x6d\x63\xac\x71\xa8\xa4\x6f\x6c\xad\xdb\x53\x0c\x6d\x90\x5a\x8b\x6c\x8e\xd8\x9f\x62\x2a\x0c\x0a\x90\x67\x5c\x1f\x8d\x97\x9b\x34\xcd\x1e\x95\x4f\xa9\x15\x4f", 4096); break; case 11: memcpy((void*)0x20001000, "\xc4\x62\x39\x37\x47\x7e\x66\x0f\xe3\x0c\xa4\xf3\x3e\x45\x09\x17\xc4\x61\x78\xae\x91\x72\x98\x00\x00\xc4\x63\xe1\x22\xd6\x96\xc4\x03\x7d\x7b\x05\x0f\x00\x00\x00\x00\xc4\x63\x39\x5f\x47\x3f\xad\xc4\x03\x55\x5d\x3c\x56\x00\xc4\xe2\xb5\x96\xf0\xc4\x21\xfd\x5b\xfb", 65); syz_execute_func(0x20001000); break; case 12: break; case 13: memcpy((void*)0x200010c0, "\x5d\x8d\x97\xaf\xe9\x58\xa6\xb4\x6b\x8f\xef\xfe\x29\xf0\x51\x64\xa8\xee\xd8\xf0\x35\xa6\xc4\xd8\xf6\x97\x21\x06\xc0\xf6\xa0\x43\x0f\x03\x47\xa9\xad\x29\xa9\x40\xd3\xde\x0d\x19\xdd\x63\xc0\x6d\xad\x37\xea\x1e\x10\x5f\xec\x8b\x4d\xbd\xb4\xd7\xf9\x51\x64\xff\x31\x3f\x19\x9a\xaa\x43\x10\x8e\x96\x13\xc1\xe6\x29\x58\xe7\x76\x28\x47\x15\x8e\x87\x26\x92\x4d\xcb\xda\xff\xfd\x2a\x94\x2c\x44\x0d\x0a\x80\x34\x04\x87\xaf\x0e\xb9", 105); memcpy((void*)0x20001140, "\xe2\xf9\x19\x3e\xea\x7f\xea\x62\xb3\x74\xa3\x15\x14\x75\xbf\x3b\xe9\x82\x5d\xbe\x21\xd3\x90\x7a\x6b\xaf\x2f\xcd\xf0\xe6\xdd\x64\xfa\x7c\xcc\xe3\x73\x4b\xa6\x62\x73\xba\x0d\xb7\xe7\x9d\x31\x4b\x54\xd1\x01\x58\xb7\xd4\xa6\x7b\x5e\x26\x4c\xd1\xfe\x32\xc6\xba\xb3\xd0\x3f\xaa\x5b\xd6\x7a\x46\x09\xb4\x8a\x17\xeb\x03\x86\x53\x8a\xfe\x3d\x83\xa4\xf1\x95\x97\x90\x97\x73\xc9\x47\x4f\x1f\x66\x85\xe5\x91\x57\xf5\xc7\x6c\x2d\xe0\x65\xf5\x09\xb7\xa7\xcf\x8e\x62\x9c\xca\x55\x3d\xcb\x44\x45\xa3\x72\x88\x31\x99\xbe\x74\x66\x34\xe8\x57\x26\x6c\x27\x58\xf8\xd5\x8d\xd0\xde\xa4\x57\x79\x02\x04\xfc\x26\xe2\x69\x27\xd5\xbb\xff\x20\xa9\x9a\xed\x0a\x95\xd8\x50\xec\x32\x21\xf4\xf1\xd8\xf1\x3a\x8f\x00\xbe\x13\x51\x9e\xf8\x98\xd3\x9d\x28\x56\x8b\xb7\x89\x4c\x39", 
186); res = syz_usb_connect(0x721, 0x69, 0x200010c0, 0x20001140); if (res != -1) r[5] = res; break; case 14: syz_usb_disconnect(r[5]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); for (procid = 0; procid < 2; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } : In function 'syz_usb_connect_impl': :637:63: error: unknown type name 'usb_ctrlrequest' :642:55: error: unknown type name 'usb_ctrlrequest' compiler invocation: /syzkaller/netbsd/src/../tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor241664505 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/netbsd/src/../dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/11 (1.40s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false UseTmpDir:true HandleSegv:true Repro:false Trace:false} program: r0 = fcntl$dupfd(0xffffffffffffff9c, 0xc, 0xffffffffffffff9c) r1 = dup2(0xffffffffffffffff, r0) pwrite(r1, &(0x7f0000000000)="5d1dd436f0f5a32b117d0f61dc010511e7e3c7f92e33630dfc7a02f9f4df14c215d8716f98892cba0ddcbbd6b2683f5e028152ebbe2d26a7e4c45673b55cf76e7795dd124f82947e0244eb08cfb0b5da0c829b1580ac64473f069f9928c1043bdeaa541829f4ef60f80ea0b9b912a974a5e98ea75423d1126815de1319a78c8127c017f8cbe86d", 0x87, 0x6) getsockname$unix(r0, &(0x7f00000000c0)=@abs, &(0x7f0000000100)=0x8) accept$inet6(r1, &(0x7f0000000140), &(0x7f0000000180)=0xc) socketpair(0x18, 0x844590f3b4efa023, 0x7f, &(0x7f00000001c0)) r2 = accept(0xffffffffffffff9c, &(0x7f0000000200)=@un=@abs, &(0x7f0000000240)=0x8) r3 = getpgrp() stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 
0xffff, 0x11, &(0x7f00000003c0)={r3, r4}, 0xc) syz_emit_ethernet(0x1000, &(0x7f0000000000)="") syz_execute_func(&(0x7f0000001000)="c4623937477e660fe30ca4f33e450917c46178ae9172980000c463e122d696c4037d7b050f00000000c463395f473fadc403555d3c5600c4e2b596f0c421fd5bfb") syz_extract_tcp_res(&(0x7f0000001080), 0x5, 0x6fb) r5 = syz_usb_connect(0x721, 0x69, &(0x7f00000010c0)="5d8d97afe958a6b46b8feffe29f05164a8eed8f035a6c4d8f6972106c0f6a0430f0347a9ad29a940d3de0d19dd63c06dad37ea1e105fec8b4dbdb4d7f95164ff313f199aaa43108e9613c1e62958e7762847158e8726924dcbdafffd2a942c440d0a80340487af0eb9", &(0x7f0000001140)="e2f9193eea7fea62b374a3151475bf3be9825dbe21d3907a6baf2fcdf0e6dd64fa7ccce3734ba66273ba0db7e79d314b54d10158b7d4a67b5e264cd1fe32c6bab3d03faa5bd67a4609b48a17eb0386538afe3d83a4f19597909773c9474f1f6685e59157f5c76c2de065f509b7a7cf8e629cca553dcb4445a372883199be746634e857266c2758f8d58dd0dea457790204fc26e26927d5bbff20a99aed0a95d850ec3221f4f1d8f13a8f00be13519ef898d39d28568bb7894c39") syz_usb_disconnect(r5) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } 
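/*
 * Run a statement with fault recovery armed. skip_segv is raised for the
 * duration; segv_handler longjmps back to the _setjmp point when a fault is
 * taken while it is non-zero and the address lies outside its program range.
 */
#define NONFAILING(...) \
	{ \
		__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
		if (_setjmp(segv_env) == 0) { \
			__VA_ARGS__; \
		} \
		__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
	}

/* SIGKILL the child and reap children until that pid has been collected. */
static void kill_and_wait(int pid, int* status)
{
	kill(pid, SIGKILL);
	while (waitpid(-1, status, 0) != pid) {
	}
}

/* Sleep for ms milliseconds. */
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

/* Monotonic clock in milliseconds; exits the process if the clock is unreadable. */
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/* Create a fresh ./syzkaller.XXXXXX directory, make it 0777 and chdir into it. */
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

/*
 * Recursively delete dir. Entries are examined with lstat, so a symlink is
 * unlinked rather than followed. Any failure exits the process.
 */
static void remove_dir(const char* dir)
{
	DIR* dp = opendir(dir);
	struct dirent* ep;
	if (dp == NULL)
		exit(1);
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		int n = snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		/* A truncated path would name a different file; stop instead. */
		if (n < 0 || (size_t)n >= sizeof(filename))
			exit(1);
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		if (unlink(filename))
			exit(1);
	}
	closedir(dp);
	if (rmdir(dir))
		exit(1);
}

/*
 * Start fn(arg) on a new thread with a 128 KiB stack, retrying up to 100
 * times while thread creation reports EAGAIN. Exits the process on failure.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i;
	for (i = 0; i < 100; i++) {
		/* pthread_create reports failure through its return value, not errno. */
		int rc = pthread_create(&th, &attr, fn, arg);
		if (rc == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (rc == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

/* One-shot event: a flag guarded by a mutex and signalled through a condition variable. */
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

/* Initialise the mutex and condition variable and clear the flag. */
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

/* Clear the flag (written without taking the mutex). */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/* Set the flag and wake all waiters; setting an already-set event exits the process. */
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

/* Block until the flag is set. */
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

/* Return the current flag value, read under the mutex. */
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

/*
 * Wait up to timeout milliseconds for the flag and return its final value.
 *
 * pthread_cond_timedwait takes an absolute deadline. The condition variable
 * is created with default attributes, so the deadline is built on
 * CLOCK_REALTIME. Passing the remaining duration itself would name a moment
 * in the past and turn this loop into a busy-wait.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		if (clock_gettime(CLOCK_REALTIME, &ts))
			exit(1);
		ts.tv_sec += remain / 1000;
		ts.tv_nsec += (remain % 1000) * 1000 * 1000;
		if (ts.tv_nsec >= 1000000000) {
			ts.tv_sec++;
			ts.tv_nsec -= 1000000000;
		}
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

/* -------------------------------------------------------------------------- */

/*
 * Redefinitions to match the linux types used in common_usb.h.
 * All of them are packed, so they can be overlaid on raw descriptor bytes.
 */

struct usb_endpoint_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t bInterval;
	uint8_t bRefresh;
	uint8_t bSynchAddress;
} __attribute__((packed));

struct usb_device_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint16_t idVendor;
	uint16_t idProduct;
	uint16_t bcdDevice;
	uint8_t iManufacturer;
	uint8_t iProduct;
	uint8_t iSerialNumber;
	uint8_t bNumConfigurations;
} __attribute__((packed));

struct usb_config_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t wTotalLength;
	uint8_t bNumInterfaces;
	uint8_t bConfigurationValue;
	uint8_t iConfiguration;
	uint8_t bmAttributes;
	uint8_t bMaxPower;
} __attribute__((packed));

struct usb_interface_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bNumEndpoints;
	uint8_t bInterfaceClass;
	uint8_t bInterfaceSubClass;
	uint8_t bInterfaceProtocol;
	uint8_t iInterface;
} __attribute__((packed));

/* Setup packet of a control transfer. */
struct usb_ctrlrequest {
	uint8_t bRequestType;
	uint8_t bRequest;
	uint16_t wValue;
	uint16_t wIndex;
	uint16_t wLength;
} __attribute__((packed));

struct usb_qualifier_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint8_t bNumConfigurations;
	uint8_t bRESERVED;
} __attribute__((packed));

/* Request type field of bRequestType (bits 5..6). */
#define USB_TYPE_MASK (0x03 << 5)
#define USB_TYPE_STANDARD (0x00 << 5)
#define USB_TYPE_CLASS (0x01 << 5)
#define USB_TYPE_VENDOR (0x02 << 5)
#define USB_TYPE_RESERVED (0x03 << 5)

/* Descriptor types. */
#define USB_DT_DEVICE 0x01
#define USB_DT_CONFIG 0x02
#define USB_DT_STRING 0x03
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT 0x05
#define USB_DT_DEVICE_QUALIFIER 0x06
#define USB_DT_OTHER_SPEED_CONFIG 0x07
#define USB_DT_INTERFACE_POWER 0x08
#define USB_DT_OTG 0x09
#define USB_DT_DEBUG 0x0a
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
#define USB_DT_SECURITY 0x0c
#define USB_DT_KEY 0x0d
#define USB_DT_ENCRYPTION_TYPE 0x0e
#define USB_DT_BOS 0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define USB_DT_WIRELESS_ENDPOINT_COMP 0x11
#define USB_DT_WIRE_ADAPTER 0x21
#define USB_DT_RPIPE 0x22
#define USB_DT_CS_RADIO_CONTROL 0x23
#define USB_DT_PIPE_USAGE 0x24
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31

/* Request codes (bRequest). */
#define USB_REQ_GET_STATUS 0x00
#define USB_REQ_CLEAR_FEATURE 0x01
#define USB_REQ_SET_FEATURE 0x03
#define USB_REQ_SET_ADDRESS 0x05
#define USB_REQ_GET_DESCRIPTOR 0x06
#define USB_REQ_SET_DESCRIPTOR 0x07
#define USB_REQ_GET_CONFIGURATION 0x08
#define USB_REQ_SET_CONFIGURATION 0x09
#define USB_REQ_GET_INTERFACE 0x0A
#define USB_REQ_SET_INTERFACE 0x0B
#define USB_REQ_SYNCH_FRAME 0x0C
#define USB_REQ_SET_SEL 0x30
#define USB_REQ_SET_ISOCH_DELAY 0x31
#define USB_REQ_SET_ENCRYPTION 0x0D
#define USB_REQ_GET_ENCRYPTION 0x0E
/* The listing breaks its line inside the next directive; the macro name follows. */
#define \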
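USB_REQ_RPIPE_ABORT 0x0E
#define USB_REQ_SET_HANDSHAKE 0x0F
#define USB_REQ_RPIPE_RESET 0x0F
#define USB_REQ_GET_HANDSHAKE 0x10
#define USB_REQ_SET_CONNECTION 0x11
#define USB_REQ_SET_SECURITY_DATA 0x12
#define USB_REQ_GET_SECURITY_DATA 0x13
#define USB_REQ_SET_WUSB_DATA 0x14
#define USB_REQ_LOOPBACK_DATA_WRITE 0x15
#define USB_REQ_LOOPBACK_DATA_READ 0x16
#define USB_REQ_SET_INTERFACE_DS 0x17
#define USB_REQ_GET_PARTNER_PDO 20
#define USB_REQ_GET_BATTERY_STATUS 21
#define USB_REQ_SET_PDO 22
#define USB_REQ_GET_VDM 23
#define USB_REQ_SEND_VDM 24

/* Capacity limits of the descriptor index built by parse_usb_descriptor. */
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

/* Copy of one endpoint descriptor plus a handle slot (not written in this part of the listing). */
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

/* One indexed interface: pointer into the caller's buffer, cached fields, and its endpoints. */
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

/* Index over one device's descriptor blob; dev and config point into the caller's buffer. */
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

/* Association of an open device fd with its descriptor index. */
struct usb_info {
	int fd;
	struct usb_device_index index;
};

static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

/*
 * Build *index from a descriptor blob that starts with a device descriptor
 * followed by a configuration descriptor.
 *
 * buffer and length come from the fuzz program, so every read is kept inside
 * [buffer, buffer + length). The index keeps pointers into buffer; nothing is
 * copied except the endpoint descriptors.
 *
 * Returns false when the blob is too short to hold the two leading
 * descriptors, true otherwise (the walk stops at the first malformed entry).
 */
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;

	size_t offset = 0;
	while (offset + 1 < length) {
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		/*
		 * The interface fields are read through a struct overlay, so the
		 * whole struct has to lie inside the buffer even when bLength
		 * claims a shorter descriptor.
		 */
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM &&
		    offset + sizeof(struct usb_interface_descriptor) <= length) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			struct usb_iface_index* slot = &index->ifaces[index->ifaces_num];
			slot->iface = iface;
			slot->bInterfaceNumber = iface->bInterfaceNumber;
			slot->bAlternateSetting = iface->bAlternateSetting;
			slot->bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				struct usb_endpoint_descriptor* ep = &iface->eps[iface->eps_num].desc;
				/*
				 * Copy no more than the descriptor's own length: a
				 * descriptor shorter than the struct would otherwise
				 * pull in bytes of the next descriptor or bytes past
				 * the end of the buffer. The remainder stays zero from
				 * the memset above.
				 */
				size_t copy_len = desc_length < sizeof(*ep) ? desc_length : sizeof(*ep);
				memcpy(ep, buffer + offset, copy_len);
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

/*
 * Claim the next slot of usb_devices for fd and index the descriptor blob.
 * Returns NULL when all USB_MAX_FDS slots are taken or parsing fails.
 * NOTE(review): the slot counter is advanced before parsing, so a failed
 * parse still consumes a slot.
 */
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	int rv = 0;
	/* dev points into program-controlled memory; a fault while parsing leaves rv at 0. */
	NONFAILING(rv = parse_usb_descriptor(dev, dev_len, &usb_devices[i].index));
	if (!rv)
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

/*
 * Find the index registered for fd, or NULL.
 * NOTE(review): usb_devices is zero-initialised, so fd 0 also matches a slot
 * that was never registered.
 */
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

/* Program-supplied string descriptor: length and pointer. */
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

/* Program-supplied optional descriptors: qualifier, BOS and strs_len string descriptors. */
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptors; the first byte of each is its length. */
static const char default_string[] = {
	8, USB_DT_STRING,
	's', 0, 'y', 0, 'z', 0
};

static const char default_lang_id[] = {
	4, USB_DT_STRING,
	0x09, 0x04
};

/*
 * Choose the reply to an IN control request during enumeration.
 *
 * Only standard GET_DESCRIPTOR requests are answered. On success
 * *response_data and *response_length describe the reply and true is
 * returned; the caller copies the bytes out. descs may be NULL and its
 * pointers are program-controlled.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;
	if ((ctrl->bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD)
		return false;
	if (ctrl->bRequest != USB_REQ_GET_DESCRIPTOR)
		return false;

	/* The high byte of wValue selects the descriptor type. */
	switch (ctrl->wValue >> 8) {
	case USB_DT_DEVICE:
		*response_data = (char*)index->dev;
		*response_length = sizeof(*index->dev);
		return true;
	case USB_DT_CONFIG:
		*response_data = (char*)index->config;
		*response_length = index->config_length;
		return true;
	case USB_DT_STRING:
		str_idx = (uint8_t)ctrl->wValue;
		if (descs && str_idx < descs->strs_len) {
			*response_data = descs->strs[str_idx].str;
			*response_length = descs->strs[str_idx].len;
			return true;
		}
		if (str_idx == 0) {
			*response_data = (char*)&default_lang_id[0];
			*response_length = default_lang_id[0];
			return true;
		}
		*response_data = (char*)&default_string[0];
		*response_length = default_string[0];
		return true;
	case USB_DT_BOS:
		/* Same NULL guard as the string case; there is nothing to fall back to. */
		if (!descs)
			return false;
		*response_data = descs->bos;
		*response_length = descs->bos_len;
		return true;
	case USB_DT_DEVICE_QUALIFIER:
		if (!descs)
			return false;
		if (!descs->qual) {
			/*
			 * Synthesize the qualifier from the device descriptor.
			 * It is built in its own per-thread buffer and
			 * *response_data is pointed at it. Writing the struct
			 * through response_data itself would overwrite the
			 * caller's pointer variable (and the bytes after it)
			 * and hand back a garbage address.
			 */
			static __thread struct usb_qualifier_descriptor synth_qual;
			synth_qual.bLength = sizeof(synth_qual);
			synth_qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
			synth_qual.bcdUSB = index->dev->bcdUSB;
			synth_qual.bDeviceClass = index->dev->bDeviceClass;
			synth_qual.bDeviceSubClass = index->dev->bDeviceSubClass;
			synth_qual.bDeviceProtocol = index->dev->bDeviceProtocol;
			synth_qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
			synth_qual.bNumConfigurations = index->dev->bNumConfigurations;
			synth_qual.bRESERVED = 0;
			*response_data = (char*)&synth_qual;
			*response_length = sizeof(synth_qual);
			return true;
		}
		*response_data = descs->qual;
		*response_length = descs->qual_len;
		return true;
	default:
		break;
	}
	return false;
}

/* Handler for OUT control requests; sets *done when enumeration is complete. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

static bool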
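lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
				    const struct usb_ctrlrequest* ctrl, bool* done)
{
	/*
	 * Default OUT handler: accepts only the standard SET_CONFIGURATION
	 * request, which also marks enumeration as done. Every other request
	 * is rejected by returning false.
	 */
	if ((ctrl->bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
	    ctrl->bRequest == USB_REQ_SET_CONFIGURATION) {
		*done = true;
		return true;
	}
	return false;
}

/* -------------------------------------------------------------------------- */

/* Open the vhci control device. */
static int vhci_open(void)
{
	return open("/dev/vhci", O_RDWR);
}

/* Select the vhci port that fd operates on. */
static int vhci_setport(int fd, u_int port)
{
	struct vhci_ioc_set_port args;
	args.port = port;
	return ioctl(fd, VHCI_IOC_SET_PORT, &args);
}

/* Issue the VHCI_IOC_USB_ATTACH ioctl on fd. */
static int vhci_usb_attach(int fd)
{
	return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL);
}

/*
 * Read exactly size bytes from fd. Returns 0 on success, -1 on read error.
 * NOTE(review): a read() that returns 0 while bytes are still outstanding is
 * retried forever, whereas vhci_usb_send treats 0 as an error. Confirm
 * whether the device can return 0 before aligning the two.
 */
static int vhci_usb_recv(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = read(fd, ptr, size);
		if (done < 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

/* Write exactly size bytes to fd. Returns 0 on success, -1 on error or a zero-length write. */
static int vhci_usb_send(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = write(fd, ptr, size);
		if (done <= 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

/* -------------------------------------------------------------------------- */

/*
 * Attach an emulated USB device described by dev/dev_len through vhci and
 * answer the host's control requests until the OUT handler reports that
 * enumeration is done.
 *
 * Returns the vhci fd on success, -1 on any failure (the fd is closed).
 * speed is accepted but not used in this implementation.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev,
					  const struct vusb_connect_descriptors* descs,
					  lookup_connect_out_response_t lookup_connect_response_out)
{
	struct usb_device_index* index;
	int portnum, fd, rv;
	bool done;

	portnum = procid + 1;
	if (!dev) {
		return -1;
	}
	if (portnum != 1) {
		/* For now, we support only one proc. */
		return -1;
	}
	fd = vhci_open();
	if (fd < 0) {
		return -1;
	}
	index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		goto err;
	}
	rv = vhci_setport(fd, portnum);
	if (rv != 0) {
		goto err;
	}
	rv = vhci_usb_attach(fd);
	if (rv != 0) {
		goto err;
	}

	done = false;
	while (!done) {
		vhci_request_t req;
		rv = vhci_usb_recv(fd, &req, sizeof(req));
		if (rv != 0) {
			goto err;
		}
		if (req.type != VHCI_REQ_CTRL) {
			goto err;
		}

		char* response_data = NULL;
		uint32_t response_length = 0;
		char data[4096];

		/*
		 * The casts below are spelled with the struct keyword: this
		 * listing is compiled as C (-x c), where a bare struct tag is
		 * not a type name.
		 */
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			bool response_found = false;
			NONFAILING(response_found = lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &response_data, &response_length));
			if (!response_found) {
				goto err;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) {
				goto err;
			}
			response_data = NULL;
			response_length = UGETW(req.u.ctrl.wLength);
		}

		if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			/* TODO: possibly revisit */
		}

		/* A reply larger than the staging buffer is dropped, not truncated. */
		if (response_length > sizeof(data))
			response_length = 0;
		/* Never send or receive more than the host asked for. */
		if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length)
			response_length = UGETW(req.u.ctrl.wLength);

		/*
		 * NOTE(review): response_data may point at memory named by the
		 * program-supplied descs, and this copy is not wrapped in
		 * NONFAILING.
		 */
		if (response_data)
			memcpy(data, response_data, response_length);
		else
			memset(data, 0, response_length);

		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			if (response_length > 0) {
				/* Size header first, then the payload. */
				vhci_response_t res;
				res.size = response_length;
				rv = vhci_usb_send(fd, &res, sizeof(res));
				if (rv == 0)
					rv = vhci_usb_send(fd, data, response_length);
			}
		} else {
			rv = vhci_usb_recv(fd, data, response_length);
		}
		if (rv < 0) {
			goto err;
		}
	}

	sleep_ms(200);
	return fd;

err:
	close(fd);
	return -1;
}

/*
 * Pseudo-syscall entry point: unpack the raw arguments and connect the
 * device using the generic OUT handler.
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return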
syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Pseudo-syscall: close the vhci fd returned by syz_usb_connect, then wait 200 ms. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Start a new session and cap the resources of the test process. The
 * setrlimit results are not checked.
 */
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 8 << 20; /* 8 MiB locked memory */
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20; /* 1 MiB file size */
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20; /* 1 MiB stack */
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0; /* no core dumps */
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256; /* 256 open files */
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

/* "none" sandbox: only the common limits are applied, then the execution loop runs. */
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

/*
 * Pseudo-syscall: call the address in text as a function taking no
 * arguments, with fault recovery armed through NONFAILING.
 * NOTE(review): the empty asm statement only lists fourteen register
 * inputs; presumably it loads known values into registers before the
 * call. Confirm.
 */
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	NONFAILING(((void (*)(void))(text))());
	return 0;
}

/* Worker thread state: the call index to run and the ready/done handshake events. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running; /* number of calls currently executing on worker threads */

/* Worker loop: wait for ready, run the assigned call, decrement running, signal done. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/*
 * Run the 15 calls of the program in order, each on the first idle worker
 * thread (workers are created on first use). Each call is waited on for
 * 45 ms, plus 3000 ms for call 13 and 300 ms for call 14 (syz_usb_connect
 * and syz_usb_disconnect in the program text). A call that has not finished
 * by then keeps its thread busy and the next call moves on to another one.
 * Afterwards, wait up to 100 ms for calls still running.
 */
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 15; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				/* A new worker starts out idle. */
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45 + (call == 13 ? 3000 : 0) + (call == 14 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Repeat forever: create ./<iter>, fork a child that runs the program once
 * inside it, wait for the child (killing it after 5 seconds), then remove
 * the directory.
 */
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

/* Fallback syscall numbers, used only when the system headers do not define them. */
#ifndef SYS_accept
#define SYS_accept 30
#endif
#ifndef SYS_dup2
#define SYS_dup2 90
#endif
#ifndef SYS_fcntl
#define SYS_fcntl 92
#endif
#ifndef SYS_getpgrp
#define SYS_getpgrp 81
#endif
#ifndef SYS_getsockname
#define SYS_getsockname 32
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_pwrite
#define SYS_pwrite 174
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 105
#endif
#ifndef SYS_socketpair
#define SYS_socketpair 135
#endif
#ifndef SYS_stat
#define SYS_stat 439
#endif

/* Result slots r0..r5 of the program, with their initial values. */
uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff};

/* Execute call number `call` of the program; results are stored in r[] only on success. */
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		res = syscall(SYS_fcntl, 0xffffff9c, 0xcul, 0xffffff9c);
		if (res != -1)
			r[0] = res;
		break;
	case 1:
		res = syscall(SYS_dup2, -1, r[0]);
		if (res != -1)
			r[1] = res;
		break;
	case 2:
		/* The data bytes for this memcpy follow on the next line of the listing. */
		NONFAILING(memcpy((void*)0x20000000,
"\x5d\x1d\xd4\x36\xf0\xf5\xa3\x2b\x11\x7d\x0f\x61\xdc\x01\x05\x11\xe7\xe3\xc7\xf9\x2e\x33\x63\x0d\xfc\x7a\x02\xf9\xf4\xdf\x14\xc2\x15\xd8\x71\x6f\x98\x89\x2c\xba\x0d\xdc\xbb\xd6\xb2\x68\x3f\x5e\x02\x81\x52\xeb\xbe\x2d\x26\xa7\xe4\xc4\x56\x73\xb5\x5c\xf7\x6e\x77\x95\xdd\x12\x4f\x82\x94\x7e\x02\x44\xeb\x08\xcf\xb0\xb5\xda\x0c\x82\x9b\x15\x80\xac\x64\x47\x3f\x06\x9f\x99\x28\xc1\x04\x3b\xde\xaa\x54\x18\x29\xf4\xef\x60\xf8\x0e\xa0\xb9\xb9\x12\xa9\x74\xa5\xe9\x8e\xa7\x54\x23\xd1\x12\x68\x15\xde\x13\x19\xa7\x8c\x81\x27\xc0\x17\xf8\xcb\xe8\x6d", 135)); syscall(SYS_pwrite, r[1], 0x20000000ul, 0x87ul, 6ul); break; case 3: NONFAILING(*(uint32_t*)0x20000100 = 8); syscall(SYS_getsockname, r[0], 0x200000c0ul, 0x20000100ul); break; case 4: NONFAILING(*(uint32_t*)0x20000180 = 0xc); syscall(SYS_accept, r[1], 0x20000140ul, 0x20000180ul); break; case 5: syscall(SYS_socketpair, 0x18ul, 0x844590f3b4efa023ul, 0x7f, 0x200001c0ul); break; case 6: NONFAILING(*(uint32_t*)0x20000240 = 8); res = syscall(SYS_accept, 0xffffff9c, 0x20000200ul, 0x20000240ul); if (res != -1) r[2] = res; break; case 7: res = syscall(SYS_getpgrp); if (res != -1) r[3] = res; break; case 8: NONFAILING(memcpy((void*)0x20000280, "./file0\000", 8)); res = syscall(SYS_stat, 0x20000280ul, 0x200002c0ul); if (res != -1) NONFAILING(r[4] = *(uint32_t*)0x200002dc); break; case 9: NONFAILING(*(uint32_t*)0x200003c0 = r[3]); NONFAILING(*(uint32_t*)0x200003c4 = r[4]); NONFAILING(*(uint32_t*)0x200003c8 = 0); syscall(SYS_setsockopt, r[2], 0xffff, 0x11, 0x200003c0ul, 0xcul); break; case 10: NONFAILING(memcpy((void*)0x20000000, 
"\xd2\x88\x11\xeb\x3e\xf8\x05\x7d\x4d\x7c\x72\x29\xab\x1e\x5a\x02\x15\x74\x40\xec\x59\x86\x63\x31\x4f\x52\x2e\x6a\x8f\x7e\x2b\x68\xcd\x21\x08\x34\xf1\x3e\x84\xf2\x57\xc3\x58\xe7\xe1\x97\x17\xa7\x93\x53\xa0\x60\x9a\xbf\x39\xfc\x23\xd2\x80\xe0\x31\xdb\xc3\x60\x48\xed\x67\xb3\x18\xa0\x55\x3a\x54\x1c\x84\x16\x7d\x1b\xf3\x90\x95\x1a\xbf\xd5\x37\x01\x57\xad\x02\x4b\xea\x03\x0e\x6c\x00\x3d\x2e\x50\xa9\x32\x90\x39\x93\x42\x94\x72\xcc\xa8\xbe\x88\x08\xca\x29\x15\x85\x8e\xd2\x59\x8c\x1e\x76\xf9\x8e\x66\x2b\x06\x78\xbd\xfd\x91\x86\x2b\x0a\xf8\x4e\x15\x85\xc3\x70\x9e\xeb\x1b\x8f\x06\x57\x03\xa7\x5c\x12\xe1\xfa\x87\xb7\x7d\x46\xd3\x74\xee\x21\x13\xbb\xbd\x6b\xde\xbb\x4c\xf0\x68\x7f\x79\xdb\x89\x5a\x8a\xc8\x1c\x3b\x28\x6c\x03\x42\x7e\x32\x11\xe7\x14\x20\xaf\xa9\xb5\xc9\x01\x3e\x63\x8e\xd9\x7d\xe9\x98\x3f\xb3\x34\x24\xfe\x11\xef\xd7\x82\x4c\xd6\x97\x92\x86\xd5\x9a\x5c\x79\x33\x8b\x6a\x9a\x2d\x15\xe7\x07\x91\xbd\xb5\x18\x6a\xa7\x4e\x17\x5a\x00\x49\xc1\xe3\x9d\xb5\x36\x37\x7a\x83\x54\x91\x5a\x8a\x15\x12\x5b\x8b\xe6\x2f\x01\xa9\x37\x40\xb2\x42\x8b\x18\x9e\xa4\x2e\x31\xb6\xce\x7a\xa3\x67\x6b\xf1\x46\x8b\x75\x1b\xf0\x6a\xac\xf1\x59\x04\xdb\x50\xc1\xbe\x9d\xf4\xcc\x9d\x41\x59\x9c\x57\xcf\xaf\x66\xb7\xe5\xee\x2d\x23\x72\x63\x0a\x7b\xf5\x38\xda\x78\x6d\xff\xf6\x05\x2e\x02\x55\x8a\x4d\x1c\xcf\x70\x99\xa8\xc5\x99\xc3\xc8\xb5\x15\xe8\x44\xf1\xe2\x3d\xe7\x3d\x80\x61\x27\x22\x82\x53\xa7\x05\x3b\x5e\x91\x51\x16\x85\x37\x0c\x98\x0f\xfa\x72\xe5\x55\x1f\xf0\x5f\xcb\xd9\x40\xd5\x14\xbe\xd2\x86\x0b\x87\x5b\x9a\x12\xb2\x6e\xdb\xb2\x92\xe0\xe8\xd8\xcb\xcd\x9d\xe3\xab\xa6\x8f\x7c\x14\x19\x24\x9f\xe4\x3a\x67\x54\xbf\x02\xa3\x6e\x0f\xd1\xf2\x7c\x48\xe9\xd1\x6c\x18\xed\x14\x84\xe5\x6c\xc5\xbc\x34\x83\x51\x93\x11\xe3\x37\x54\xaf\x2f\xc4\xd3\x7c\xfa\x1c\x6e\x5f\x0d\x38\xae\x96\xa6\x21\xc0\x4d\xb0\xfd\x7d\x79\x32\x97\xe4\x98\x1f\x90\x82\x93\x7b\x93\x22\xf4\x94\xbd\x98\xb2\xf4\x3d\x9b\x5c\x19\xff\x19\xec\x17\x7c\x63\x05\xb1\x88\x00\x44\x51\x11\x76\x3c\xda\xee\xc3\x51\x68\x93\x84\x78\x3a\xe7\xcf\xf9\xb1\x06\x6
3\x9e\xa6\x11\xfb\x72\xe8\x6d\x68\x5e\xa0\xf6\xb6\x5d\xc3\xb9\xa2\x43\x6c\x89\x25\x73\x82\xd1\x15\x16\xa2\xb0\x66\x37\xcf\xd9\x31\xe2\xca\x4e\x62\x53\x43\xd6\xb9\x65\x25\xc5\xbf\x7d\xcc\x43\x7f\x47\x4e\x1f\xf9\xf3\xdc\xc8\x57\x40\x44\x4a\x4c\x56\x9f\x50\x37\x9b\x98\x5f\x68\x43\xac\x29\xf0\x9a\x9f\x99\x81\x9a\xe2\x10\xdb\x22\xab\x19\x34\x09\x74\x95\x7f\x1f\xbe\xa4\x1c\x58\x51\xb2\xfa\x7a\x2f\xa8\x75\x81\xa7\xfb\x42\xdb\x8c\x24\xb4\xc6\xf8\x29\xbe\x59\x2c\xa0\xd0\xcf\x1a\x2f\xe6\x7d\xec\x53\x2c\xfa\x77\xf8\xf1\x95\x5d\xa3\x35\xa8\x4d\x5a\xef\x49\x05\xa9\xa2\x36\xc6\x07\x77\x4a\x0b\x4e\xf1\xd5\x0b\x55\xbd\x49\xaa\x87\x7c\x2b\x6b\x2e\x37\xa3\xe4\xa3\xb2\x4e\x95\xfa\x55\x7b\xa8\x9a\xaf\x42\x27\xb5\xbb\x0e\x64\x0b\x46\x98\xcd\x00\x4f\x87\x0c\x7d\xaa\x9e\xa4\x41\xfd\xbe\x8b\x30\x53\xdf\xfc\xe6\x46\xc0\xb0\x6d\xf3\x23\x25\x2c\xad\xa7\xf2\x4f\xcc\x21\x62\x4e\xdf\x49\x56\x7b\x26\x93\xfe\xc0\x69\x3d\x24\x3e\x06\x7b\x21\xe2\xbe\x29\x6c\x52\xbb\x2a\x38\x1f\x47\x94\xaa\x2e\x85\xdd\x5c\xb6\x67\x7e\x94\xb7\xe0\x03\xeb\xad\x24\x57\x37\x62\xa6\x40\x97\x3c\x07\x72\x99\x4d\xa2\x8c\x64\x90\xc1\xaf\x8f\x0f\x91\x75\x4e\x71\xc7\xf3\x26\xbd\x31\xdf\xc9\xc6\xfc\x20\x76\x7d\x71\x3a\x93\x31\x7b\xcb\xe0\xa3\xef\xc9\xc5\xa8\x57\x1b\x7b\x0a\x02\x97\x77\x41\xe8\xa8\x3c\xa8\x12\x96\x14\x5e\xc9\x55\xe1\xab\x98\x2c\x7f\x46\x62\x84\x56\x2b\x52\xde\x13\x55\x68\xa1\x42\xe6\x77\xc3\x43\xf5\xeb\xd3\x37\x55\xd0\xb9\x15\x65\x64\x6d\x7c\x36\x2e\x46\x64\x00\x7c\xae\x21\x67\xdb\x5d\x0a\x93\x3e\x12\x19\xd3\xd6\xa7\x38\x75\x76\xe5\x42\xf8\x16\xfa\x51\x6d\x44\xaf\xc3\xd9\x92\x29\xd4\xf5\x7f\xa8\x3b\x89\x48\xf8\x98\xb8\x52\x8d\xed\x2c\x53\x9b\x60\x33\x49\x1c\x6d\x78\x0c\xac\xb2\xbc\x3f\x52\xc2\x79\x4d\xe8\xdb\x39\x58\x12\xd4\xf7\xa4\x4b\x9c\x04\xd6\xfd\x3c\xa8\x6c\x68\x64\x7d\x3e\x47\x5d\xe5\x81\xed\xc3\x88\xdc\xde\x91\xb8\xb2\x4c\xd4\x2b\x91\xa1\x9e\x91\xb4\xb6\x37\xb4\x3b\x6f\xa4\xe1\x50\x44\x3e\xc7\xc0\x86\x95\xc4\x2b\xc6\xa9\x30\xb3\x08\x42\x04\x02\x3b\xfd\x15\xe1\xc0\x31\x2e\x46\xf4\x30\xe2\x6b\x0f\xcc\xa1\x5
2\x20\x9f\xc1\xc7\xf9\x91\xc1\x11\xbd\xcd\xa7\x2e\x19\x86\x26\x76\x6e\xaf\xc8\xcf\x54\x92\x18\x9d\x4c\xc9\xa8\xe2\xa8\xa9\xcb\x73\x89\x78\xec\xec\x37\x37\x6d\xc9\x9c\xa8\xd3\xef\xcf\xe7\x3d\xa5\x38\x96\x0e\xbf\x78\xf0\xa4\x36\x63\x76\xae\x5f\x1b\xb1\xf8\x11\xec\xce\xb6\x25\x10\x89\x78\x55\xe3\x06\x61\x04\x70\x1b\x94\xf6\x19\x13\xda\x46\x99\x31\x3c\xec\x63\xa8\x8a\x9b\xa4\x44\xa5\xfc\x01\xc0\x03\xbf\x9d\x6b\x25\x25\x04\xe4\x77\xf4\x0f\xb3\x3e\x59\x5f\x30\xac\x53\x8b\xc9\xee\xb2\x93\x72\xb7\xa9\xd1\xf6\xa2\xa9\xb0\x17\x7a\x17\x1e\x5f\x87\x9e\xab\x36\x3c\x76\x08\x61\x7c\x26\x19\x7d\xf1\xda\x9b\xaa\x02\x75\xe2\x3e\xd1\xb5\x92\xce\xbd\xcd\x6e\xf2\x2b\x36\xc4\xf2\x87\xdf\xe8\x49\xcf\x54\xea\xed\x55\x70\xff\xc4\x50\xcd\xe8\xb6\xee\x12\xef\xbc\x8d\xdf\xea\x6b\xf7\x82\xc2\x7e\x5a\x58\x16\xb6\xf0\x4f\xf5\xfe\x97\x7f\x05\xa5\xb1\x2a\x13\x64\xa6\x59\xcb\x6b\x11\xab\x7a\x16\x82\xe1\x09\x7e\x61\x87\xcd\x7c\xbb\xa8\x7e\xf4\xca\x8c\x2c\xaf\x28\x49\x99\x13\xd9\x8a\x9e\x9f\x2e\x11\xc5\x2f\x37\xfa\xf2\xcd\x20\x7b\xbe\x57\x34\xda\x0e\x91\xba\x5f\x8b\x48\xad\x59\xb1\x22\x67\x85\x50\xb2\x7f\xef\xe7\x1a\xf5\x3d\x6f\x93\x41\x04\x38\x73\x89\xb5\x93\x24\xcd\xbf\x44\x6e\xfe\x50\xdb\xd2\x3d\xb7\x41\x8e\xc6\x66\x6e\xd9\xfc\xaa\x6f\x70\xbe\xac\x9c\xa4\x2a\x90\xee\xc8\x56\x7b\xe2\x1f\xb4\x5f\x08\x86\x75\x57\x15\xf3\x17\x37\x35\x23\xdf\xeb\x84\x5a\xb7\x73\x33\xcf\x8d\xdf\x92\x62\x44\xa3\x8e\x02\x4d\xf5\xaf\x9e\xa0\x72\x53\xd0\x7a\x59\xdb\x51\x12\x3f\xd8\x11\xcc\xe2\xd2\x06\xea\xe6\x94\x3e\xc8\x75\x59\xeb\x0e\xb2\x8a\x94\xa6\x27\x83\x1e\x45\xb3\xa7\xd1\xf8\x9f\x7a\x49\xfb\xce\x7c\x5a\x6e\xd8\x1f\x4e\x68\xdd\x3c\xe2\x93\x46\xf7\xc1\x4e\x50\x64\x54\x8d\x57\xf1\x13\x63\x13\x9e\x5b\x66\x9a\x17\x44\xbd\x99\x89\x40\x08\x27\x97\x3e\x67\xe9\x4c\xb5\x55\xb0\x8c\xf0\x45\x65\xf3\x3d\xb1\x71\x96\xd1\x65\x18\xb4\xf4\xb0\x23\x05\x3e\x86\xa7\x27\x55\x21\xfa\x5b\x20\x99\x3d\xe7\xc2\xfa\x09\x79\x7d\x92\x4d\x59\x89\x3c\xaa\x98\xd9\x7b\x58\x62\x89\xda\x8c\x9c\xc3\x81\x0c\xfd\xe8\x5b\x31\xa4\xe3\x11\x8a\x5c\xc2\xfb\x6
3\xe4\x07\x3d\xc2\x24\xe5\x01\xb6\x37\xc6\x66\x74\xea\xd1\xe8\x4a\x7e\x3e\x3c\xe4\xad\xaf\x0c\x72\x3e\x38\xa4\x1d\xb5\x47\xe9\xcc\x33\x82\xec\xf9\xf6\xb6\xf9\x64\xc1\xf8\x1f\xe7\x53\x65\x59\x3c\x9a\x55\x15\x2e\xc7\xc0\x50\x67\x47\x4b\xd7\x1a\x93\x70\x00\x9f\xee\x6d\x87\xf3\xee\xf6\xc9\x36\x0a\x50\x29\x41\xe9\x37\x30\x45\x41\x61\xd0\xf0\x39\x1f\x7c\x5e\xbd\xe6\x22\xf0\x5c\x1d\x67\x36\x89\x44\x39\x0b\x68\x17\x8f\xef\xb8\x25\xad\xd8\x12\xf4\x96\x86\x70\x53\x74\x01\x70\x35\x31\x66\x7c\xd5\x15\x0f\x21\x1b\x9f\xcf\xec\xf4\xee\x5e\x08\x80\xf3\x74\x8b\x9e\x7a\x74\x5e\x80\x2a\xff\xac\xc6\xb4\xaa\x5b\x5d\x83\x75\x0f\xc1\xc4\x7d\x4a\xb6\x91\x70\x90\x1e\x7f\x5e\x44\x2b\xb9\x8a\x89\x18\x60\x54\xac\xf2\x07\xa3\xcf\x70\x17\x31\x56\xc5\x59\xfd\x72\x86\x0a\x7d\x26\x79\xa2\xff\xcb\x53\x30\x20\x41\x13\xdb\xac\x6b\x3c\x3b\x69\xaa\x4f\x75\xf2\x1c\xb2\x15\x4a\x4a\x6b\x31\xc0\x25\xd5\x2a\xc5\x49\x60\x48\x3c\xed\xf3\xf1\x1a\x1a\xdf\xfe\xf2\xf1\xfe\xc9\x4a\x55\x61\xd9\x18\x68\x00\x1c\x3d\x83\x95\xff\x45\x0b\x14\x00\x95\xd6\x53\x64\x75\x37\x9f\x38\x63\x4a\xcf\x9d\xed\xff\x61\xb1\x7f\x7c\x87\xf8\xc0\x56\x6b\xe6\x25\x0c\xf4\x39\xeb\xa3\x8c\x37\x65\x39\x3a\x9e\xd1\x01\x6d\x50\x2b\xa1\x3a\x8e\xf6\xde\x35\xba\x66\x9b\x10\xa0\x00\x82\x23\xd2\xe2\xf8\x8d\x35\xfe\x0a\x73\x23\x32\x4b\xfa\xbf\x25\xa7\xac\x01\x90\x45\x49\xa2\x59\xe6\xa8\xd3\xa4\x96\x4f\x19\x7e\x94\xb8\xf9\xb3\xa3\x16\x3f\x63\x49\xe3\xda\xc7\xe0\x17\x48\xf6\x74\x79\x5c\xc3\xbd\x5a\x9a\x3a\xb5\xf2\xc1\x30\x81\x16\x7d\xf3\x7e\x37\x9e\xeb\x2e\xcf\x9c\xdf\xa2\x37\x15\x95\xf3\x08\x31\x05\x1a\xb1\x57\xac\x75\xf9\xeb\xc4\x8b\x49\x95\x59\x7e\x20\x6c\x7b\xa2\x29\xab\x30\xec\xcf\xe6\x62\x4d\x88\x49\xea\xe4\x1d\x2d\xc7\xa4\xd7\x57\xa3\x73\xb1\xd8\x66\x95\xc4\x20\xcc\x04\xbf\x0d\xa6\x64\xa7\x56\xb4\x82\x24\x16\x3d\xe4\x41\x8b\x93\x23\x39\xd2\x99\x06\x13\x13\xa6\x34\xa4\xba\x08\x9b\x12\xf8\x5d\x4d\xa1\xd2\x7d\x51\xde\x93\x08\x31\x0e\xf6\xae\xb3\x56\x23\xd0\xa7\x72\xc5\xce\xdd\x2a\x65\x9f\xde\xf0\x92\xb4\xdf\x6a\x88\xd2\x96\x42\x00\xc2\x85\xe8\xc1\x6
e\x74\x89\xb8\x1e\x41\x59\xdb\x06\x2c\xe8\xa7\xd0\xda\xb6\x51\x80\x92\x11\xed\xf0\x58\x6f\x28\x9e\xf0\x3d\xee\x7b\xb9\xf4\x38\xc1\xa3\x52\xf6\x34\x2c\x66\x4b\xfd\x35\xd2\x38\x85\xb0\x9b\xd1\xda\x62\xbd\x65\xd0\xbc\x09\xa5\xeb\x5a\xe9\x5e\xa3\x10\x88\x14\x77\x81\xc3\x35\xea\x17\x77\x72\xa2\x28\x96\x19\x1a\x7d\x15\x70\x2b\x6b\x34\x37\xce\xd8\x86\xcc\x85\xbb\x26\x86\x5c\xe8\x28\xb9\xfe\x78\xa0\x7b\x46\x3d\xf7\x33\x2f\x67\x92\xb2\xfd\x86\xd1\x7b\x1e\x98\xa4\xcc\x77\x29\xb0\x58\xc5\x98\xc9\x61\xc6\x34\xb1\x5d\x09\x73\xca\xcd\xd9\x73\x5a\x0f\x77\x78\x6a\xe2\xb0\x76\x6b\x31\x94\xa1\x27\x34\x5d\xd8\xc1\x1f\x69\xfa\x4c\x44\xcc\x5b\x30\xe0\x1f\x6d\xc5\x61\x33\x0f\x63\x63\x29\xc9\x7e\xc0\x5a\xe8\x29\x1d\x9a\x26\xb6\x05\xf1\xb2\x77\xc9\x32\x21\x15\x62\x6e\x29\x75\xc7\x91\xc3\xef\x10\x95\x4c\xb8\xb4\x7c\xea\x6c\xf6\x97\xeb\x9d\xb3\xbe\xcb\x11\x14\xce\x63\x92\x19\x9e\x87\xba\xc0\x43\xed\x7a\x15\x83\xdc\x66\x0b\x36\xde\xb0\x22\x1a\x79\xed\x70\xbf\x71\x3f\x3c\x9c\x88\x25\x83\x81\x4c\x2e\xca\x81\x51\xd2\x71\x71\x95\x92\xd5\xc1\xfc\x62\x66\xa2\x76\xa3\xe8\xd3\x88\x27\xb2\x90\xe1\x04\x46\x06\x99\x2d\x13\x42\x36\xa1\xae\x87\xf9\x33\x8b\x77\x41\xf2\xe8\xa7\x46\xeb\x0f\x60\x77\x62\xed\x4e\x18\x92\x3d\xba\xcf\xea\x14\x7a\xd5\x7e\xff\x61\x71\x67\xd0\xf5\x4d\xaa\xc4\x54\x37\xc5\xe6\x1b\x45\x93\x7e\x8a\xa5\xe7\xce\xef\x4c\xa2\x25\x4b\x97\x01\xa2\x2f\x57\x7f\xb6\x27\xe8\xe1\xc1\xc7\x04\x01\xae\x81\x1b\x9a\x53\xf4\xc1\x6a\x79\x43\xe3\xd8\x1b\xa3\xd9\x20\x9c\xbd\xfb\x20\x8b\x04\xce\x15\x8e\x7b\xa8\xee\x77\xb0\xb7\x5f\x52\x08\x68\x6d\xf7\x87\x12\xd2\x8f\x70\x03\x61\x15\x91\x00\x36\x9b\x63\x33\x84\xdd\xff\x44\x02\xc0\xab\x0e\x2e\xc0\xaa\x87\x18\x6a\x65\xd3\x48\x4d\x29\x21\xd6\x25\x3f\xd1\xfb\xf4\x6b\x63\xba\x72\xeb\x79\x5c\xc0\x25\x69\x0f\x1f\x48\xdb\xe3\x08\xf9\x78\xe2\xfd\x55\x13\xe2\xdd\xc0\xb0\x66\x19\x4f\xd5\x8d\x3e\xaa\x49\x69\x0b\xd7\xe7\x86\x38\x85\xeb\x5e\x2a\xc6\x87\x0d\xe8\x35\x92\x67\x5f\x74\xcf\x89\x89\xe1\x8e\x68\xf1\xb6\x06\x78\x27\x0c\xa6\xb9\xc0\xda\xf4\x44\x27\x8a\x7d\xc8\x2a\x9
7\x80\x73\x0a\xa0\x3b\xe5\x68\x13\xe8\x1d\x6f\x29\x6c\x6f\x87\xd0\x09\x96\x18\xaf\x9f\x7e\x99\x16\x49\xec\x36\x49\x72\xd4\xc8\xfb\x66\x96\x70\xec\x92\x96\xce\x17\x38\x38\xb9\xc9\x2b\xaf\x6b\xf8\x83\xc1\x34\xd2\xc1\xcb\xcd\x92\x8b\x54\x99\x1d\x4c\x00\xf4\xaa\x72\x70\xbf\x3b\xef\xeb\x10\x8e\x98\x62\xf3\x46\x88\xcc\x2d\xb3\xb7\x94\x37\x77\x67\x12\x79\xa1\x7f\x9c\x64\xc4\x0b\xd8\x48\x5e\xf5\x2e\xb9\x64\x31\x4c\x65\xaa\x34\x59\x6f\x16\xb8\x0f\x9e\xf7\x81\xc4\xe8\xee\xb0\xac\xd2\x89\x38\x6c\x1a\xe5\x06\xae\x5b\xd2\xb2\x0b\x76\x0c\xe0\xc7\x9b\x56\xb1\x34\xe2\x2f\x57\xc4\x4a\xba\xe2\xf4\xec\xad\x82\xef\xe4\x02\xa4\x3a\x47\x59\x45\x77\xa2\x4b\x79\xa9\x4c\x6f\x7a\x5e\xda\xab\xeb\x48\xfc\x5e\xc2\x7a\xec\xd8\x23\x80\xd0\xe9\x40\xa0\x33\xe8\x7a\x44\x74\xb9\x5d\x58\xa5\xfe\xc5\x9d\x80\xb0\x91\xe9\x16\x5a\x14\x32\x5b\x38\xc5\xe4\x56\x5c\x3f\x0f\x12\x6f\x8b\x2a\xdf\x83\x26\x8e\x00\x76\x64\x7d\xdd\x43\xff\x2d\x52\xd7\x73\xab\x30\x40\x88\x45\x8f\xac\x4f\xb9\x37\x9e\x20\x96\x85\x60\xa0\x75\x17\xd6\xe0\x00\x1d\x2a\x08\xc3\xc6\xc9\x78\x25\xe1\x22\x59\xea\x86\x1b\x0a\xd5\x64\x94\x50\xdf\xfb\x3a\xfa\xe4\x9c\xd3\x1e\xfb\x40\x51\x3c\x06\xb7\x95\xe0\x71\x60\x3a\x47\xd3\xc8\x39\xc4\x01\xec\xc3\x8b\x11\x7d\xf9\x38\x83\x6a\x15\xb3\x1a\x13\x5b\x58\x89\x2d\xb9\xb4\xeb\xf6\x84\xdb\x3f\x7e\xce\x8a\x9d\x60\xbc\x8c\x81\x0e\xba\x0c\xa0\xd8\x75\x83\x57\x37\xd2\x5b\x94\x8b\x39\x28\x60\xaa\x82\xcd\xd5\xff\x7c\x6b\x0b\x4d\x7a\xe1\x82\x16\x89\x49\xd9\x84\x0e\x33\x54\x5d\x61\x27\x72\x7a\xbe\x02\xdd\x01\x41\x8c\xe4\xdd\x46\xaf\x7b\x5f\x08\x44\xcb\x51\xd4\x99\x2f\x4c\xe1\x22\x3c\x23\x13\x7c\x21\x13\x61\xd0\x15\x0e\xd2\x35\xa0\x59\x8f\x9e\x1d\x81\x6a\x40\xc6\xae\xb8\xad\x56\x26\xbc\x22\xb2\xe9\x39\x57\x47\x44\x1c\xc7\x8a\x55\x8d\xed\xc4\x02\x47\x32\x48\x98\x99\x12\xa0\xaa\x71\xac\x8d\x77\x54\xde\x78\xa1\xd5\xb9\xe5\x48\xd4\xeb\xef\x22\x4e\x82\xcd\x39\x35\x24\xd7\x9b\x88\xd6\xe0\x40\x5a\xd0\x2d\xa7\x11\x7b\xa0\x37\x29\x4e\x53\x5f\xff\x4b\xb7\xbf\xca\xce\xde\x33\x48\xf0\x1d\x16\x13\x48\xf4\xee\xe1\xa5\x15\xbe\x5
3\x0e\x0f\x0e\x64\xc5\x65\x44\xd4\xae\x10\x64\x45\xcc\xe1\x41\x0c\x79\x0b\xdb\xeb\x1e\x2d\x29\x3e\x01\x2e\x02\x97\xc4\x6c\x91\x45\xdc\xcb\xd6\xff\x77\xcb\xfa\xcd\xa4\x6f\x27\xd7\x1d\x02\xde\x14\xb6\x1c\x50\x53\x33\x19\xc6\x68\xfc\xfa\xc0\x36\xc7\x86\x7d\x12\xa3\xd0\xd8\xd4\x49\xc4\x96\x69\x58\x63\x49\xf2\x23\x9c\x4f\xa5\xc2\xb8\xfd\xfc\x42\x3e\xcd\x85\xed\xcc\xf6\x85\x47\xb1\xa9\x06\x76\x4c\x5c\x03\xff\x33\x2b\x56\x3e\xae\xee\xb8\x45\x65\x35\xc6\x1e\x91\x73\x92\xa0\x3d\xfe\x6b\xeb\xf3\xdc\x57\x10\xf9\x32\xb5\x07\xe3\xf0\xcd\xfb\x6a\x9d\xd0\x35\xf0\x6d\xe0\x55\x72\xca\x94\xd8\x5b\xfb\x15\x7e\x68\x44\x8a\xb8\xb0\xc4\xd5\x96\xce\x02\x0d\xad\xef\xce\xae\x68\x15\x3e\x5f\x62\xc5\xc0\x81\x43\xf5\xdb\x49\x7a\xaf\xab\x19\xcd\x33\x0c\x37\x84\xdb\x0a\xde\x50\x5a\x29\x51\x4b\xd1\xe8\xc3\xb9\x2c\x4f\x61\x65\x36\x22\xf8\x75\xec\xac\xc9\xe6\x77\x4a\xde\xca\x1c\xa4\x2f\x63\x7c\x70\x22\x99\xa2\xd3\xf8\x81\xbe\x79\x5b\xba\x9d\xb3\x40\xe4\x80\xaa\x4e\x94\x4d\xec\x20\x21\x6b\x83\x58\x45\x5d\xcf\x8e\xed\x99\x0e\x41\xf3\x37\x64\x42\xb9\xb3\xe0\xd8\x82\x38\x77\x5b\x8b\xea\x3f\x68\x8a\xf1\x85\x39\xb2\xe8\xba\xfa\xac\xc1\xc4\x06\x4e\x9a\xe8\x87\xc6\x9d\xca\x82\xac\xad\xf3\x55\x30\x92\xe7\x87\x97\xa6\x2c\xc8\x34\x44\x1c\x22\x2f\xf2\x26\xea\x32\xd2\x03\xc0\xb1\xfa\xcc\x67\xe6\x30\x71\x6a\x3f\x96\xa0\x77\xe2\x34\x8f\x2b\xe6\xd9\x3e\xc0\x63\x1a\x5e\xf1\xbe\xd4\x10\x61\x19\xd9\x70\xe6\x22\x8f\x01\x69\x89\xa8\xfd\xf0\x1b\xda\x8e\xdd\xfd\x60\x68\xd6\x49\xb3\x95\x6e\xab\x29\xd3\x03\xf1\xfc\x68\x67\xd8\x63\xc8\x7c\x35\x39\xe8\xe9\x9c\xe2\x39\x53\xc2\x5e\xe2\xb0\x98\x57\xd2\xdf\xdd\x4c\x2d\x24\x2b\xd8\x33\xf6\xb7\xf4\xa6\x7c\xde\x78\x63\xd6\x53\xa0\x05\x21\xfa\x68\xce\x23\x1d\x06\x15\xb0\x01\x75\xec\x1f\xca\x37\x7e\x4e\x72\xf7\x8a\x8f\x8f\xbc\xa9\xda\x4f\x40\x8b\xc1\xb7\x99\x97\x1c\x16\xce\x2e\x04\xaa\x24\x32\x79\xef\xcd\xb0\x78\x43\xd2\x55\xeb\x60\x67\xe3\x73\x2b\xcf\xdf\x1c\x17\x17\x8d\x77\xd3\xdf\xf4\x24\xd6\x77\x2e\x39\xae\xc3\xbe\xf9\x59\x2a\x25\xe9\xfb\xb5\x51\x09\x52\xe5\x83\xf5\x34\xa4\xd1\xf
5\x7c\xce\xfe\x84\x55\xf3\x53\xdf\xee\xee\xdc\x8b\x3e\xa3\xd6\xc4\x1f\xf4\x16\x7d\xe5\x14\x55\x30\xf3\xdd\x70\xbc\x89\xfd\xcf\xa8\x63\xd8\xc5\x65\x20\x8d\x32\x72\xb0\x23\x8b\x97\xd9\x5c\x5a\x67\x87\x24\x15\xa2\x7e\xf0\x6f\xa2\x6c\x0f\x72\xb5\x71\xcf\xfb\x76\x23\x69\xc8\x0b\x5f\x33\x2f\x03\xa9\x75\x9f\xec\x50\xd6\x04\xa1\x8a\x69\xfb\x52\x13\x11\xfa\x17\x1e\xa6\xfa\x40\x48\x73\xde\x91\x95\xf8\x47\xd8\x1f\xd4\xba\xe3\xd5\x21\x6d\x6c\x00\xcc\x38\xd5\xc7\x5d\xad\x1e\xf6\x86\xd5\xce\x4a\xcb\xb4\x77\xfb\xf6\xc5\xad\x0b\x26\x9e\x69\x05\x4b\x4a\x59\xdb\x3c\x6e\xb0\xce\xc7\xfb\xdf\x32\xd3\x30\x6c\xeb\x5d\x10\x06\xeb\x7b\xf6\xf0\x70\x12\xb1\x16\xc9\x5f\xbf\xcf\xd9\x9e\x82\xf5\xab\xa8\xeb\xd7\xc7\x90\xc9\xf0\x40\x75\xe2\xbb\x39\x9d\x92\x29\xbe\x4a\x0e\x90\xdc\x1b\x03\x58\xee\xcf\xfa\xda\xeb\xc0\xbd\xc6\xff\x1c\xfd\x00\xdc\xeb\xc0\xa9\x0d\x7b\x96\xc9\x6f\xa5\x52\xdc\x82\x4b\x94\x4d\x95\x1d\xb7\xd2\xb6\xee\x39\x9b\x6c\x1f\x29\x65\xe5\x93\x1c\xea\x56\x1b\x9d\xda\x86\xb5\xe7\xc3\x67\x41\xc0\x4a\x97\xa0\x0b\x06\x95\xa9\xd8\x3d\x62\x9e\xb5\xde\x99\xbf\x8a\xe8\xd7\x55\xf3\x31\xe4\x02\x53\x39\x0a\xbb\x2e\x60\x49\x16\x74\x96\xd5\xca\x37\x56\x3b\xea\xbd\xa4\xf8\x2b\x2c\x9a\x58\xef\xf2\xa5\x8a\x1d\x2f\xbc\x8d\x72\xc1\x88\xd4\xb3\x39\x2b\x9b\x42\x86\xa8\x5f\x5d\xed\x71\x0f\x24\x3b\x24\x83\x2c\x54\x79\x1e\xee\x12\x09\x44\x3f\x07\xf3\x74\xea\x2a\xb6\x14\xd6\xa9\xac\x8b\x09\x81\xc3\x50\x96\x96\xc0\x58\xd3\x2f\x4a\xff\x5a\xf8\xe9\xeb\x22\x53\xed\x4f\x83\xe8\xb4\xf3\x29\x4b\x61\xc9\x0d\x54\xd3\xc3\x5f\x3d\x44\xd5\x5a\x5a\x1f\x55\xba\xc7\xe5\x97\x8b\x63\xfb\xb9\xdf\x0e\x9c\x6b\x15\x4d\x61\x24\xef\x4c\xf6\x3f\xf3\xae\x36\x10\x32\x14\x7f\x9e\xf7\x5f\x9e\xa2\xf4\xb2\x2e\xb1\x36\x93\xe2\x67\xb7\xc4\xf6\x36\x5d\xe5\x36\x86\x11\x8a\x93\x4a\x59\x8b\xa5\xa8\x17\x5e\xe5\x0f\x09\x9a\xa9\xac\xd7\xf2\xe2\xc9\xb0\x5b\x04\x4b\x3b\x06\x1b\xd1\xbb\x3b\x29\x6b\x6b\xf9\x00\xb8\x56\xa6\x44\x8d\x81\x2e\x68\xef\xd3\x1f\xef\xfd\x44\x52\x99\x0c\xd5\xf7\xcc\x02\x58\x8e\xef\xbe\xbb\x9f\x56\xab\x77\xcd\x50\x29\x89\xcd\x1
6\xe8\x9a\x44\x55\x3e\x19\x89\xd4\xdf\xfd\x97\x7b\x53\xea\x8b\x3b\x63\x6d\x62\xbb\xb2\x65\xc4\x28\x0c\xab\x59\xda\xb2\x4f\xbe\x7f\x16\x18\x0d\xfd\xdf\x62\xe4\x82\xed\x8e\xdc\xa2\x7a\x96\x7c\xe5\xfa\xe0\x32\x8b\x64\x03\xce\xe1\x7a\x6d\x63\xac\x71\xa8\xa4\x6f\x6c\xad\xdb\x53\x0c\x6d\x90\x5a\x8b\x6c\x8e\xd8\x9f\x62\x2a\x0c\x0a\x90\x67\x5c\x1f\x8d\x97\x9b\x34\xcd\x1e\x95\x4f\xa9\x15\x4f", 4096)); break; case 11: NONFAILING(memcpy((void*)0x20001000, "\xc4\x62\x39\x37\x47\x7e\x66\x0f\xe3\x0c\xa4\xf3\x3e\x45\x09\x17\xc4\x61\x78\xae\x91\x72\x98\x00\x00\xc4\x63\xe1\x22\xd6\x96\xc4\x03\x7d\x7b\x05\x0f\x00\x00\x00\x00\xc4\x63\x39\x5f\x47\x3f\xad\xc4\x03\x55\x5d\x3c\x56\x00\xc4\xe2\xb5\x96\xf0\xc4\x21\xfd\x5b\xfb", 65)); syz_execute_func(0x20001000); break; case 12: break; case 13: NONFAILING(memcpy((void*)0x200010c0, "\x5d\x8d\x97\xaf\xe9\x58\xa6\xb4\x6b\x8f\xef\xfe\x29\xf0\x51\x64\xa8\xee\xd8\xf0\x35\xa6\xc4\xd8\xf6\x97\x21\x06\xc0\xf6\xa0\x43\x0f\x03\x47\xa9\xad\x29\xa9\x40\xd3\xde\x0d\x19\xdd\x63\xc0\x6d\xad\x37\xea\x1e\x10\x5f\xec\x8b\x4d\xbd\xb4\xd7\xf9\x51\x64\xff\x31\x3f\x19\x9a\xaa\x43\x10\x8e\x96\x13\xc1\xe6\x29\x58\xe7\x76\x28\x47\x15\x8e\x87\x26\x92\x4d\xcb\xda\xff\xfd\x2a\x94\x2c\x44\x0d\x0a\x80\x34\x04\x87\xaf\x0e\xb9", 105)); NONFAILING(memcpy((void*)0x20001140, 
"\xe2\xf9\x19\x3e\xea\x7f\xea\x62\xb3\x74\xa3\x15\x14\x75\xbf\x3b\xe9\x82\x5d\xbe\x21\xd3\x90\x7a\x6b\xaf\x2f\xcd\xf0\xe6\xdd\x64\xfa\x7c\xcc\xe3\x73\x4b\xa6\x62\x73\xba\x0d\xb7\xe7\x9d\x31\x4b\x54\xd1\x01\x58\xb7\xd4\xa6\x7b\x5e\x26\x4c\xd1\xfe\x32\xc6\xba\xb3\xd0\x3f\xaa\x5b\xd6\x7a\x46\x09\xb4\x8a\x17\xeb\x03\x86\x53\x8a\xfe\x3d\x83\xa4\xf1\x95\x97\x90\x97\x73\xc9\x47\x4f\x1f\x66\x85\xe5\x91\x57\xf5\xc7\x6c\x2d\xe0\x65\xf5\x09\xb7\xa7\xcf\x8e\x62\x9c\xca\x55\x3d\xcb\x44\x45\xa3\x72\x88\x31\x99\xbe\x74\x66\x34\xe8\x57\x26\x6c\x27\x58\xf8\xd5\x8d\xd0\xde\xa4\x57\x79\x02\x04\xfc\x26\xe2\x69\x27\xd5\xbb\xff\x20\xa9\x9a\xed\x0a\x95\xd8\x50\xec\x32\x21\xf4\xf1\xd8\xf1\x3a\x8f\x00\xbe\x13\x51\x9e\xf8\x98\xd3\x9d\x28\x56\x8b\xb7\x89\x4c\x39", 186)); res = syz_usb_connect(0x721, 0x69, 0x200010c0, 0x20001140); if (res != -1) r[5] = res; break; case 14: syz_usb_disconnect(r[5]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); install_segv_handler(); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'syz_usb_connect_impl': :664:77: error: unknown type name 'usb_ctrlrequest' :57:110: note: in definition of macro 'NONFAILING' :669:55: error: unknown type name 'usb_ctrlrequest' compiler invocation: /syzkaller/netbsd/src/../tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor155816325 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/netbsd/src/../dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/13 (1.41s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false UseTmpDir:true HandleSegv:false Repro:false Trace:true} program: r0 = fcntl$dupfd(0xffffffffffffff9c, 0xc, 0xffffffffffffff9c) r1 = 
dup2(0xffffffffffffffff, r0) pwrite(r1, &(0x7f0000000000)="5d1dd436f0f5a32b117d0f61dc010511e7e3c7f92e33630dfc7a02f9f4df14c215d8716f98892cba0ddcbbd6b2683f5e028152ebbe2d26a7e4c45673b55cf76e7795dd124f82947e0244eb08cfb0b5da0c829b1580ac64473f069f9928c1043bdeaa541829f4ef60f80ea0b9b912a974a5e98ea75423d1126815de1319a78c8127c017f8cbe86d", 0x87, 0x6) getsockname$unix(r0, &(0x7f00000000c0)=@abs, &(0x7f0000000100)=0x8) accept$inet6(r1, &(0x7f0000000140), &(0x7f0000000180)=0xc) socketpair(0x18, 0x844590f3b4efa023, 0x7f, &(0x7f00000001c0)) r2 = accept(0xffffffffffffff9c, &(0x7f0000000200)=@un=@abs, &(0x7f0000000240)=0x8) r3 = getpgrp() stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 0xffff, 0x11, &(0x7f00000003c0)={r3, r4}, 0xc) syz_emit_ethernet(0x1000, &(0x7f0000000000)="") syz_execute_func(&(0x7f0000001000)="c4623937477e660fe30ca4f33e450917c46178ae9172980000c463e122d696c4037d7b050f00000000c463395f473fadc403555d3c5600c4e2b596f0c421fd5bfb") syz_extract_tcp_res(&(0x7f0000001080), 0x5, 0x6fb) r5 = syz_usb_connect(0x721, 0x69, &(0x7f00000010c0)="5d8d97afe958a6b46b8feffe29f05164a8eed8f035a6c4d8f6972106c0f6a0430f0347a9ad29a940d3de0d19dd63c06dad37ea1e105fec8b4dbdb4d7f95164ff313f199aaa43108e9613c1e62958e7762847158e8726924dcbdafffd2a942c440d0a80340487af0eb9", &(0x7f0000001140)="e2f9193eea7fea62b374a3151475bf3be9825dbe21d3907a6baf2fcdf0e6dd64fa7ccce3734ba66273ba0db7e79d314b54d10158b7d4a67b5e264cd1fe32c6bab3d03faa5bd67a4609b48a17eb0386538afe3d83a4f19597909773c9474f1f6685e59157f5c76c2de065f509b7a7cf8e629cca553dcb4445a372883199be746634e857266c2758f8d58dd0dea457790204fc26e26927d5bbff20a99aed0a95d850ec3221f4f1d8f13a8f00be13519ef898d39d28568bb7894c39") syz_usb_disconnect(r5) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// The header name that followed each #include above is missing from this
// capture of the listing.

// Not assigned anywhere in this part of the listing; presumably the index of
// the current test process (verify against the rest of the program).
static unsigned long long procid;

// Sends SIGKILL to pid, then reaps children until the one reaped is pid.
// waitpid(-1, ...) collects any child, so other children that exit meanwhile
// are reaped here as well and their status is overwritten.
// NOTE(review): a waitpid() error return (-1) is treated like "some other
// child exited", so the loop keeps spinning in that case; confirm callers
// always pass a live child.
static void kill_and_wait(int pid, int* status)
{
	kill(pid, SIGKILL);
	while (waitpid(-1, status, 0) != pid) {
	}
}

// Sleeps for ms milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Returns CLOCK_MONOTONIC time in milliseconds; exits with status 1 if the
// clock cannot be read.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Creates a fresh "./syzkaller.XXXXXX" directory with mkdtemp(), opens its
// permissions and makes it the working directory. Any failure exits with 1.
// NOTE(review): mode 0777 makes the scratch directory readable, writable and
// searchable by every local user; that is only acceptable on a disposable
// test machine.
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

// Recursively deletes dir and everything below it. Any failing call
// (opendir, lstat, unlink, rmdir) exits the process with status 1.
static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	dp = opendir(dir);
	if (dp == NULL)
		exit(1);
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		// NOTE(review): the snprintf() result is not checked, so an
		// over-long path is silently truncated before lstat() sees it.
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		// lstat() does not follow symlinks, so a symlink to a directory
		// is unlinked below rather than descended into.
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		if (unlink(filename))
			exit(1);
	}
	closedir(dp);
	if (rmdir(dir))
		exit(1);
}

// Starts fn(arg) on a new thread with a 128 KiB stack (128 << 10 bytes).
// pthread_create() is attempted up to 100 times; the process exits with 1 if
// no attempt succeeds. The thread handle is discarded: the thread is neither
// joined nor detached here.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i;
	for (i = 0; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		// NOTE(review): pthread_create() reports failure through its
		// return value; this retry test reads errno instead. Confirm the
		// target libc also sets errno, otherwise the retry never fires.
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// One-shot event: a flag (state) guarded by a mutex, with a condition
// variable to wake waiters.
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

// Initialises the mutex and condition variable with default attributes and
// clears the flag; exits with 1 if either init call fails.
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

// Clears the flag. Note that this write is done without taking ev->mu.
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Sets the flag and wakes all waiters. Setting an event that is already set
// is treated as a fatal error (exit 1). The broadcast is issued after the
// mutex has been released.
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

// Blocks until the flag is set. The flag is re-checked after every wakeup.
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

// Returns the current value of the flag, read under the mutex.
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Waits until the flag is set or more than timeout milliseconds have passed
// according to current_time_ms(). Returns the flag value seen last, so 0
// means the wait timed out.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		// Cannot underflow: the loop exits below as soon as the elapsed
		// time exceeds timeout.
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		// NOTE(review): POSIX defines the third argument of
		// pthread_cond_timedwait() as an absolute deadline, while ts holds
		// the remaining interval. If it is read as an absolute time it is
		// already in the past, the call returns at once and this loop
		// polls until the timeout. Confirm whether that is intended.
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

/* -------------------------------------------------------------------------- */

/*
 * Redefinitions to match the linux types used in common_usb.h.
 */

// All descriptor structs below are packed, so their size is the plain sum of
// their fields and they can be overlaid on raw descriptor bytes.

// Endpoint descriptor, 9 bytes (includes bRefresh and bSynchAddress).
struct usb_endpoint_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t bInterval;
	uint8_t bRefresh;
	uint8_t bSynchAddress;
} __attribute__((packed));

// Device descriptor, 18 bytes.
struct usb_device_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint16_t idVendor;
	uint16_t idProduct;
	uint16_t bcdDevice;
	uint8_t iManufacturer;
	uint8_t iProduct;
	uint8_t iSerialNumber;
	uint8_t bNumConfigurations;
} __attribute__((packed));

// Configuration descriptor header, 9 bytes.
struct usb_config_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t wTotalLength;
	uint8_t bNumInterfaces;
	uint8_t bConfigurationValue;
	uint8_t iConfiguration;
	uint8_t bmAttributes;
	uint8_t bMaxPower;
} __attribute__((packed));

// Interface descriptor, 9 bytes.
struct usb_interface_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bNumEndpoints;
	uint8_t bInterfaceClass;
	uint8_t bInterfaceSubClass;
	uint8_t bInterfaceProtocol;
	uint8_t iInterface;
} __attribute__((packed));

// Control request (setup packet), 8 bytes.
// Only the struct tag is declared (there is no typedef), so C code has to
// spell the type `struct usb_ctrlrequest`; a bare `usb_ctrlrequest` is a type
// name only when the file is compiled as C++. The "unknown type name
// 'usb_ctrlrequest'" errors recorded in this log, from a build run with
// `-x c`, are consistent with a use that omits the `struct` keyword.
struct usb_ctrlrequest {
	uint8_t bRequestType;
	uint8_t bRequest;
	uint16_t wValue;
	uint16_t wIndex;
	uint16_t wLength;
} __attribute__((packed));

// Device qualifier descriptor, 10 bytes.
struct usb_qualifier_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint8_t bNumConfigurations;
	uint8_t bRESERVED;
} __attribute__((packed));

// Request "type" values: a two-bit field at bits 5..6, selected by
// USB_TYPE_MASK (presumably applied to bRequestType).
#define USB_TYPE_MASK (0x03 << 5)
#define USB_TYPE_STANDARD (0x00 << 5)
#define USB_TYPE_CLASS (0x01 << 5)
#define USB_TYPE_VENDOR (0x02 << 5)
#define USB_TYPE_RESERVED (0x03 << 5)

// Descriptor type codes (values for bDescriptorType).
#define USB_DT_DEVICE 0x01
#define USB_DT_CONFIG 0x02
#define USB_DT_STRING 0x03
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT 0x05
#define USB_DT_DEVICE_QUALIFIER 0x06
#define USB_DT_OTHER_SPEED_CONFIG 0x07
#define USB_DT_INTERFACE_POWER 0x08
#define USB_DT_OTG 0x09
#define USB_DT_DEBUG 0x0a
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
#define USB_DT_SECURITY 0x0c
#define USB_DT_KEY 0x0d
#define USB_DT_ENCRYPTION_TYPE 0x0e
#define USB_DT_BOS 0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define USB_DT_WIRELESS_ENDPOINT_COMP 0x11
#define USB_DT_WIRE_ADAPTER 0x21
#define USB_DT_RPIPE 0x22
#define USB_DT_CS_RADIO_CONTROL 0x23
#define USB_DT_PIPE_USAGE 0x24
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31

// Request codes (values for bRequest). Some names share a value:
// GET_ENCRYPTION / RPIPE_ABORT are both 0x0E and SET_HANDSHAKE / RPIPE_RESET
// are both 0x0F, so the request code alone does not tell them apart.
#define USB_REQ_GET_STATUS 0x00
#define USB_REQ_CLEAR_FEATURE 0x01
#define USB_REQ_SET_FEATURE 0x03
#define USB_REQ_SET_ADDRESS 0x05
#define USB_REQ_GET_DESCRIPTOR 0x06
#define USB_REQ_SET_DESCRIPTOR 0x07
#define USB_REQ_GET_CONFIGURATION 0x08
#define USB_REQ_SET_CONFIGURATION 0x09
#define USB_REQ_GET_INTERFACE 0x0A
#define USB_REQ_SET_INTERFACE 0x0B
#define USB_REQ_SYNCH_FRAME 0x0C
#define USB_REQ_SET_SEL 0x30
#define USB_REQ_SET_ISOCH_DELAY 0x31
#define USB_REQ_SET_ENCRYPTION 0x0D
#define USB_REQ_GET_ENCRYPTION 0x0E
#define USB_REQ_RPIPE_ABORT 0x0E
#define USB_REQ_SET_HANDSHAKE 0x0F
#define USB_REQ_RPIPE_RESET 0x0F
#define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < 
USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; int rv = 0; rv = parse_usb_descriptor(dev, dev_len, &usb_devices[i].index); if (!rv) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = 
lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { 
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } /* -------------------------------------------------------------------------- */ static int vhci_open(void) { return open("/dev/vhci", O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; ssize_t done; while (1) { done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; ssize_t done; while (1) { done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } /* -------------------------------------------------------------------------- */ static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index; int portnum, fd, rv; bool done; portnum = procid + 1; if (!dev) { return -1; } if (portnum != 1) { /* For now, we support only one proc. 
*/ return -1; } fd = vhci_open(); if (fd < 0) { return -1; } index = add_usb_index(fd, dev, dev_len); if (!index) { goto err; } rv = vhci_setport(fd, portnum); if (rv != 0) { goto err; } rv = vhci_usb_attach(fd); if (rv != 0) { goto err; } done = false; while (!done) { vhci_request_t req; rv = vhci_usb_recv(fd, &req, sizeof(req)); if (rv != 0) { goto err; } if (req.type != VHCI_REQ_CTRL) { goto err; } char* response_data = NULL; uint32_t response_length = 0; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { bool response_found = false; response_found = lookup_connect_response_in(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &response_data, &response_length); if (!response_found) { goto err; } } else { if (!lookup_connect_response_out(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &done)) { goto err; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { /* TODO: possibly revisit */ } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { goto err; } } sleep_ms(200); return fd; err: close(fd); return -1; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, 
dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { fprintf(stderr, "### start\n"); int i, call, thread; for (call = 0; call < 15; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 13 ? 3000 : 0) + (call == 14 ? 
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef SYS_accept #define SYS_accept 30 #endif #ifndef SYS_dup2 #define SYS_dup2 90 #endif #ifndef SYS_fcntl #define SYS_fcntl 92 #endif #ifndef SYS_getpgrp #define SYS_getpgrp 81 #endif #ifndef SYS_getsockname #define SYS_getsockname 32 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_pwrite #define SYS_pwrite 174 #endif #ifndef SYS_setsockopt #define SYS_setsockopt 105 #endif #ifndef SYS_socketpair #define SYS_socketpair 135 #endif #ifndef SYS_stat #define SYS_stat 439 #endif uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_fcntl, 0xffffff9c, 0xcul, 0xffffff9c); fprintf(stderr, "### call=0 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[0] = res; break; case 1: res = syscall(SYS_dup2, -1, r[0]); fprintf(stderr, "### call=1 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) r[1] = res; break; case 2: memcpy((void*)0x20000000, "\x5d\x1d\xd4\x36\xf0\xf5\xa3\x2b\x11\x7d\x0f\x61\xdc\x01\x05\x11\xe7\xe3\xc7\xf9\x2e\x33\x63\x0d\xfc\x7a\x02\xf9\xf4\xdf\x14\xc2\x15\xd8\x71\x6f\x98\x89\x2c\xba\x0d\xdc\xbb\xd6\xb2\x68\x3f\x5e\x02\x81\x52\xeb\xbe\x2d\x26\xa7\xe4\xc4\x56\x73\xb5\x5c\xf7\x6e\x77\x95\xdd\x12\x4f\x82\x94\x7e\x02\x44\xeb\x08\xcf\xb0\xb5\xda\x0c\x82\x9b\x15\x80\xac\x64\x47\x3f\x06\x9f\x99\x28\xc1\x04\x3b\xde\xaa\x54\x18\x29\xf4\xef\x60\xf8\x0e\xa0\xb9\xb9\x12\xa9\x74\xa5\xe9\x8e\xa7\x54\x23\xd1\x12\x68\x15\xde\x13\x19\xa7\x8c\x81\x27\xc0\x17\xf8\xcb\xe8\x6d", 135); res = syscall(SYS_pwrite, r[1], 0x20000000ul, 0x87ul, 6ul); fprintf(stderr, "### call=2 errno=%u\n", res == -1 ? errno : 0); break; case 3: *(uint32_t*)0x20000100 = 8; res = syscall(SYS_getsockname, r[0], 0x200000c0ul, 0x20000100ul); fprintf(stderr, "### call=3 errno=%u\n", res == -1 ? errno : 0); break; case 4: *(uint32_t*)0x20000180 = 0xc; res = syscall(SYS_accept, r[1], 0x20000140ul, 0x20000180ul); fprintf(stderr, "### call=4 errno=%u\n", res == -1 ? errno : 0); break; case 5: res = syscall(SYS_socketpair, 0x18ul, 0x844590f3b4efa023ul, 0x7f, 0x200001c0ul); fprintf(stderr, "### call=5 errno=%u\n", res == -1 ? errno : 0); break; case 6: *(uint32_t*)0x20000240 = 8; res = syscall(SYS_accept, 0xffffff9c, 0x20000200ul, 0x20000240ul); fprintf(stderr, "### call=6 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[2] = res; break; case 7: res = syscall(SYS_getpgrp); fprintf(stderr, "### call=7 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[3] = res; break; case 8: memcpy((void*)0x20000280, "./file0\000", 8); res = syscall(SYS_stat, 0x20000280ul, 0x200002c0ul); fprintf(stderr, "### call=8 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) r[4] = *(uint32_t*)0x200002dc; break; case 9: *(uint32_t*)0x200003c0 = r[3]; *(uint32_t*)0x200003c4 = r[4]; *(uint32_t*)0x200003c8 = 0; res = syscall(SYS_setsockopt, r[2], 0xffff, 0x11, 0x200003c0ul, 0xcul); fprintf(stderr, "### call=9 errno=%u\n", res == -1 ? errno : 0); break; case 10: memcpy((void*)0x20000000, "\xd2\x88\x11\xeb\x3e\xf8\x05\x7d\x4d\x7c\x72\x29\xab\x1e\x5a\x02\x15\x74\x40\xec\x59\x86\x63\x31\x4f\x52\x2e\x6a\x8f\x7e\x2b\x68\xcd\x21\x08\x34\xf1\x3e\x84\xf2\x57\xc3\x58\xe7\xe1\x97\x17\xa7\x93\x53\xa0\x60\x9a\xbf\x39\xfc\x23\xd2\x80\xe0\x31\xdb\xc3\x60\x48\xed\x67\xb3\x18\xa0\x55\x3a\x54\x1c\x84\x16\x7d\x1b\xf3\x90\x95\x1a\xbf\xd5\x37\x01\x57\xad\x02\x4b\xea\x03\x0e\x6c\x00\x3d\x2e\x50\xa9\x32\x90\x39\x93\x42\x94\x72\xcc\xa8\xbe\x88\x08\xca\x29\x15\x85\x8e\xd2\x59\x8c\x1e\x76\xf9\x8e\x66\x2b\x06\x78\xbd\xfd\x91\x86\x2b\x0a\xf8\x4e\x15\x85\xc3\x70\x9e\xeb\x1b\x8f\x06\x57\x03\xa7\x5c\x12\xe1\xfa\x87\xb7\x7d\x46\xd3\x74\xee\x21\x13\xbb\xbd\x6b\xde\xbb\x4c\xf0\x68\x7f\x79\xdb\x89\x5a\x8a\xc8\x1c\x3b\x28\x6c\x03\x42\x7e\x32\x11\xe7\x14\x20\xaf\xa9\xb5\xc9\x01\x3e\x63\x8e\xd9\x7d\xe9\x98\x3f\xb3\x34\x24\xfe\x11\xef\xd7\x82\x4c\xd6\x97\x92\x86\xd5\x9a\x5c\x79\x33\x8b\x6a\x9a\x2d\x15\xe7\x07\x91\xbd\xb5\x18\x6a\xa7\x4e\x17\x5a\x00\x49\xc1\xe3\x9d\xb5\x36\x37\x7a\x83\x54\x91\x5a\x8a\x15\x12\x5b\x8b\xe6\x2f\x01\xa9\x37\x40\xb2\x42\x8b\x18\x9e\xa4\x2e\x31\xb6\xce\x7a\xa3\x67\x6b\xf1\x46\x8b\x75\x1b\xf0\x6a\xac\xf1\x59\x04\xdb\x50\xc1\xbe\x9d\xf4\xcc\x9d\x41\x59\x9c\x57\xcf\xaf\x66\xb7\xe5\xee\x2d\x23\x72\x63\x0a\x7b\xf5\x38\xda\x78\x6d\xff\xf6\x05\x2e\x02\x55\x8a\x4d\x1c\xcf\x70\x99\xa8\xc5\x99\xc3\xc8\xb5\x15\xe8\x44\xf1\xe2\x3d\xe7\x3d\x80\x61\x27\x22\x82\x53\xa7\x05\x3b\x5e\x91\x51\x16\x85\x37\x0c\x98\x0f\xfa\x72\xe5\x55\x1f\xf0\x5f\xcb\xd9\x40\xd5\x14\xbe\xd2\x86\x0b\x87\x5b\x9a\x12\xb2\x6e\xdb\xb2\x92\xe0\xe8\xd8\xcb\xcd\x9d\xe3\xab\xa6\x8f\x7c\x14\x19\x24\x9f\xe4\x3a\x67\x54\xbf\x02\xa3\x6e\x0f\xd1\xf2\x7c\x48\xe9\xd1\x6c\x18\xed\
x14\x84\xe5\x6c\xc5\xbc\x34\x83\x51\x93\x11\xe3\x37\x54\xaf\x2f\xc4\xd3\x7c\xfa\x1c\x6e\x5f\x0d\x38\xae\x96\xa6\x21\xc0\x4d\xb0\xfd\x7d\x79\x32\x97\xe4\x98\x1f\x90\x82\x93\x7b\x93\x22\xf4\x94\xbd\x98\xb2\xf4\x3d\x9b\x5c\x19\xff\x19\xec\x17\x7c\x63\x05\xb1\x88\x00\x44\x51\x11\x76\x3c\xda\xee\xc3\x51\x68\x93\x84\x78\x3a\xe7\xcf\xf9\xb1\x06\x63\x9e\xa6\x11\xfb\x72\xe8\x6d\x68\x5e\xa0\xf6\xb6\x5d\xc3\xb9\xa2\x43\x6c\x89\x25\x73\x82\xd1\x15\x16\xa2\xb0\x66\x37\xcf\xd9\x31\xe2\xca\x4e\x62\x53\x43\xd6\xb9\x65\x25\xc5\xbf\x7d\xcc\x43\x7f\x47\x4e\x1f\xf9\xf3\xdc\xc8\x57\x40\x44\x4a\x4c\x56\x9f\x50\x37\x9b\x98\x5f\x68\x43\xac\x29\xf0\x9a\x9f\x99\x81\x9a\xe2\x10\xdb\x22\xab\x19\x34\x09\x74\x95\x7f\x1f\xbe\xa4\x1c\x58\x51\xb2\xfa\x7a\x2f\xa8\x75\x81\xa7\xfb\x42\xdb\x8c\x24\xb4\xc6\xf8\x29\xbe\x59\x2c\xa0\xd0\xcf\x1a\x2f\xe6\x7d\xec\x53\x2c\xfa\x77\xf8\xf1\x95\x5d\xa3\x35\xa8\x4d\x5a\xef\x49\x05\xa9\xa2\x36\xc6\x07\x77\x4a\x0b\x4e\xf1\xd5\x0b\x55\xbd\x49\xaa\x87\x7c\x2b\x6b\x2e\x37\xa3\xe4\xa3\xb2\x4e\x95\xfa\x55\x7b\xa8\x9a\xaf\x42\x27\xb5\xbb\x0e\x64\x0b\x46\x98\xcd\x00\x4f\x87\x0c\x7d\xaa\x9e\xa4\x41\xfd\xbe\x8b\x30\x53\xdf\xfc\xe6\x46\xc0\xb0\x6d\xf3\x23\x25\x2c\xad\xa7\xf2\x4f\xcc\x21\x62\x4e\xdf\x49\x56\x7b\x26\x93\xfe\xc0\x69\x3d\x24\x3e\x06\x7b\x21\xe2\xbe\x29\x6c\x52\xbb\x2a\x38\x1f\x47\x94\xaa\x2e\x85\xdd\x5c\xb6\x67\x7e\x94\xb7\xe0\x03\xeb\xad\x24\x57\x37\x62\xa6\x40\x97\x3c\x07\x72\x99\x4d\xa2\x8c\x64\x90\xc1\xaf\x8f\x0f\x91\x75\x4e\x71\xc7\xf3\x26\xbd\x31\xdf\xc9\xc6\xfc\x20\x76\x7d\x71\x3a\x93\x31\x7b\xcb\xe0\xa3\xef\xc9\xc5\xa8\x57\x1b\x7b\x0a\x02\x97\x77\x41\xe8\xa8\x3c\xa8\x12\x96\x14\x5e\xc9\x55\xe1\xab\x98\x2c\x7f\x46\x62\x84\x56\x2b\x52\xde\x13\x55\x68\xa1\x42\xe6\x77\xc3\x43\xf5\xeb\xd3\x37\x55\xd0\xb9\x15\x65\x64\x6d\x7c\x36\x2e\x46\x64\x00\x7c\xae\x21\x67\xdb\x5d\x0a\x93\x3e\x12\x19\xd3\xd6\xa7\x38\x75\x76\xe5\x42\xf8\x16\xfa\x51\x6d\x44\xaf\xc3\xd9\x92\x29\xd4\xf5\x7f\xa8\x3b\x89\x48\xf8\x98\xb8\x52\x8d\xed\x2c\x53\x9b\x60\x33\x49\x1c\x6d\x78\x0c\xac\xb2\
xbc\x3f\x52\xc2\x79\x4d\xe8\xdb\x39\x58\x12\xd4\xf7\xa4\x4b\x9c\x04\xd6\xfd\x3c\xa8\x6c\x68\x64\x7d\x3e\x47\x5d\xe5\x81\xed\xc3\x88\xdc\xde\x91\xb8\xb2\x4c\xd4\x2b\x91\xa1\x9e\x91\xb4\xb6\x37\xb4\x3b\x6f\xa4\xe1\x50\x44\x3e\xc7\xc0\x86\x95\xc4\x2b\xc6\xa9\x30\xb3\x08\x42\x04\x02\x3b\xfd\x15\xe1\xc0\x31\x2e\x46\xf4\x30\xe2\x6b\x0f\xcc\xa1\x52\x20\x9f\xc1\xc7\xf9\x91\xc1\x11\xbd\xcd\xa7\x2e\x19\x86\x26\x76\x6e\xaf\xc8\xcf\x54\x92\x18\x9d\x4c\xc9\xa8\xe2\xa8\xa9\xcb\x73\x89\x78\xec\xec\x37\x37\x6d\xc9\x9c\xa8\xd3\xef\xcf\xe7\x3d\xa5\x38\x96\x0e\xbf\x78\xf0\xa4\x36\x63\x76\xae\x5f\x1b\xb1\xf8\x11\xec\xce\xb6\x25\x10\x89\x78\x55\xe3\x06\x61\x04\x70\x1b\x94\xf6\x19\x13\xda\x46\x99\x31\x3c\xec\x63\xa8\x8a\x9b\xa4\x44\xa5\xfc\x01\xc0\x03\xbf\x9d\x6b\x25\x25\x04\xe4\x77\xf4\x0f\xb3\x3e\x59\x5f\x30\xac\x53\x8b\xc9\xee\xb2\x93\x72\xb7\xa9\xd1\xf6\xa2\xa9\xb0\x17\x7a\x17\x1e\x5f\x87\x9e\xab\x36\x3c\x76\x08\x61\x7c\x26\x19\x7d\xf1\xda\x9b\xaa\x02\x75\xe2\x3e\xd1\xb5\x92\xce\xbd\xcd\x6e\xf2\x2b\x36\xc4\xf2\x87\xdf\xe8\x49\xcf\x54\xea\xed\x55\x70\xff\xc4\x50\xcd\xe8\xb6\xee\x12\xef\xbc\x8d\xdf\xea\x6b\xf7\x82\xc2\x7e\x5a\x58\x16\xb6\xf0\x4f\xf5\xfe\x97\x7f\x05\xa5\xb1\x2a\x13\x64\xa6\x59\xcb\x6b\x11\xab\x7a\x16\x82\xe1\x09\x7e\x61\x87\xcd\x7c\xbb\xa8\x7e\xf4\xca\x8c\x2c\xaf\x28\x49\x99\x13\xd9\x8a\x9e\x9f\x2e\x11\xc5\x2f\x37\xfa\xf2\xcd\x20\x7b\xbe\x57\x34\xda\x0e\x91\xba\x5f\x8b\x48\xad\x59\xb1\x22\x67\x85\x50\xb2\x7f\xef\xe7\x1a\xf5\x3d\x6f\x93\x41\x04\x38\x73\x89\xb5\x93\x24\xcd\xbf\x44\x6e\xfe\x50\xdb\xd2\x3d\xb7\x41\x8e\xc6\x66\x6e\xd9\xfc\xaa\x6f\x70\xbe\xac\x9c\xa4\x2a\x90\xee\xc8\x56\x7b\xe2\x1f\xb4\x5f\x08\x86\x75\x57\x15\xf3\x17\x37\x35\x23\xdf\xeb\x84\x5a\xb7\x73\x33\xcf\x8d\xdf\x92\x62\x44\xa3\x8e\x02\x4d\xf5\xaf\x9e\xa0\x72\x53\xd0\x7a\x59\xdb\x51\x12\x3f\xd8\x11\xcc\xe2\xd2\x06\xea\xe6\x94\x3e\xc8\x75\x59\xeb\x0e\xb2\x8a\x94\xa6\x27\x83\x1e\x45\xb3\xa7\xd1\xf8\x9f\x7a\x49\xfb\xce\x7c\x5a\x6e\xd8\x1f\x4e\x68\xdd\x3c\xe2\x93\x46\xf7\xc1\x4e\x50\x64\x54\x8d\x57\xf1\x13\
x63\x13\x9e\x5b\x66\x9a\x17\x44\xbd\x99\x89\x40\x08\x27\x97\x3e\x67\xe9\x4c\xb5\x55\xb0\x8c\xf0\x45\x65\xf3\x3d\xb1\x71\x96\xd1\x65\x18\xb4\xf4\xb0\x23\x05\x3e\x86\xa7\x27\x55\x21\xfa\x5b\x20\x99\x3d\xe7\xc2\xfa\x09\x79\x7d\x92\x4d\x59\x89\x3c\xaa\x98\xd9\x7b\x58\x62\x89\xda\x8c\x9c\xc3\x81\x0c\xfd\xe8\x5b\x31\xa4\xe3\x11\x8a\x5c\xc2\xfb\x63\xe4\x07\x3d\xc2\x24\xe5\x01\xb6\x37\xc6\x66\x74\xea\xd1\xe8\x4a\x7e\x3e\x3c\xe4\xad\xaf\x0c\x72\x3e\x38\xa4\x1d\xb5\x47\xe9\xcc\x33\x82\xec\xf9\xf6\xb6\xf9\x64\xc1\xf8\x1f\xe7\x53\x65\x59\x3c\x9a\x55\x15\x2e\xc7\xc0\x50\x67\x47\x4b\xd7\x1a\x93\x70\x00\x9f\xee\x6d\x87\xf3\xee\xf6\xc9\x36\x0a\x50\x29\x41\xe9\x37\x30\x45\x41\x61\xd0\xf0\x39\x1f\x7c\x5e\xbd\xe6\x22\xf0\x5c\x1d\x67\x36\x89\x44\x39\x0b\x68\x17\x8f\xef\xb8\x25\xad\xd8\x12\xf4\x96\x86\x70\x53\x74\x01\x70\x35\x31\x66\x7c\xd5\x15\x0f\x21\x1b\x9f\xcf\xec\xf4\xee\x5e\x08\x80\xf3\x74\x8b\x9e\x7a\x74\x5e\x80\x2a\xff\xac\xc6\xb4\xaa\x5b\x5d\x83\x75\x0f\xc1\xc4\x7d\x4a\xb6\x91\x70\x90\x1e\x7f\x5e\x44\x2b\xb9\x8a\x89\x18\x60\x54\xac\xf2\x07\xa3\xcf\x70\x17\x31\x56\xc5\x59\xfd\x72\x86\x0a\x7d\x26\x79\xa2\xff\xcb\x53\x30\x20\x41\x13\xdb\xac\x6b\x3c\x3b\x69\xaa\x4f\x75\xf2\x1c\xb2\x15\x4a\x4a\x6b\x31\xc0\x25\xd5\x2a\xc5\x49\x60\x48\x3c\xed\xf3\xf1\x1a\x1a\xdf\xfe\xf2\xf1\xfe\xc9\x4a\x55\x61\xd9\x18\x68\x00\x1c\x3d\x83\x95\xff\x45\x0b\x14\x00\x95\xd6\x53\x64\x75\x37\x9f\x38\x63\x4a\xcf\x9d\xed\xff\x61\xb1\x7f\x7c\x87\xf8\xc0\x56\x6b\xe6\x25\x0c\xf4\x39\xeb\xa3\x8c\x37\x65\x39\x3a\x9e\xd1\x01\x6d\x50\x2b\xa1\x3a\x8e\xf6\xde\x35\xba\x66\x9b\x10\xa0\x00\x82\x23\xd2\xe2\xf8\x8d\x35\xfe\x0a\x73\x23\x32\x4b\xfa\xbf\x25\xa7\xac\x01\x90\x45\x49\xa2\x59\xe6\xa8\xd3\xa4\x96\x4f\x19\x7e\x94\xb8\xf9\xb3\xa3\x16\x3f\x63\x49\xe3\xda\xc7\xe0\x17\x48\xf6\x74\x79\x5c\xc3\xbd\x5a\x9a\x3a\xb5\xf2\xc1\x30\x81\x16\x7d\xf3\x7e\x37\x9e\xeb\x2e\xcf\x9c\xdf\xa2\x37\x15\x95\xf3\x08\x31\x05\x1a\xb1\x57\xac\x75\xf9\xeb\xc4\x8b\x49\x95\x59\x7e\x20\x6c\x7b\xa2\x29\xab\x30\xec\xcf\xe6\x62\x4d\x88\x49\xea\xe4\x1d\
x2d\xc7\xa4\xd7\x57\xa3\x73\xb1\xd8\x66\x95\xc4\x20\xcc\x04\xbf\x0d\xa6\x64\xa7\x56\xb4\x82\x24\x16\x3d\xe4\x41\x8b\x93\x23\x39\xd2\x99\x06\x13\x13\xa6\x34\xa4\xba\x08\x9b\x12\xf8\x5d\x4d\xa1\xd2\x7d\x51\xde\x93\x08\x31\x0e\xf6\xae\xb3\x56\x23\xd0\xa7\x72\xc5\xce\xdd\x2a\x65\x9f\xde\xf0\x92\xb4\xdf\x6a\x88\xd2\x96\x42\x00\xc2\x85\xe8\xc1\x6e\x74\x89\xb8\x1e\x41\x59\xdb\x06\x2c\xe8\xa7\xd0\xda\xb6\x51\x80\x92\x11\xed\xf0\x58\x6f\x28\x9e\xf0\x3d\xee\x7b\xb9\xf4\x38\xc1\xa3\x52\xf6\x34\x2c\x66\x4b\xfd\x35\xd2\x38\x85\xb0\x9b\xd1\xda\x62\xbd\x65\xd0\xbc\x09\xa5\xeb\x5a\xe9\x5e\xa3\x10\x88\x14\x77\x81\xc3\x35\xea\x17\x77\x72\xa2\x28\x96\x19\x1a\x7d\x15\x70\x2b\x6b\x34\x37\xce\xd8\x86\xcc\x85\xbb\x26\x86\x5c\xe8\x28\xb9\xfe\x78\xa0\x7b\x46\x3d\xf7\x33\x2f\x67\x92\xb2\xfd\x86\xd1\x7b\x1e\x98\xa4\xcc\x77\x29\xb0\x58\xc5\x98\xc9\x61\xc6\x34\xb1\x5d\x09\x73\xca\xcd\xd9\x73\x5a\x0f\x77\x78\x6a\xe2\xb0\x76\x6b\x31\x94\xa1\x27\x34\x5d\xd8\xc1\x1f\x69\xfa\x4c\x44\xcc\x5b\x30\xe0\x1f\x6d\xc5\x61\x33\x0f\x63\x63\x29\xc9\x7e\xc0\x5a\xe8\x29\x1d\x9a\x26\xb6\x05\xf1\xb2\x77\xc9\x32\x21\x15\x62\x6e\x29\x75\xc7\x91\xc3\xef\x10\x95\x4c\xb8\xb4\x7c\xea\x6c\xf6\x97\xeb\x9d\xb3\xbe\xcb\x11\x14\xce\x63\x92\x19\x9e\x87\xba\xc0\x43\xed\x7a\x15\x83\xdc\x66\x0b\x36\xde\xb0\x22\x1a\x79\xed\x70\xbf\x71\x3f\x3c\x9c\x88\x25\x83\x81\x4c\x2e\xca\x81\x51\xd2\x71\x71\x95\x92\xd5\xc1\xfc\x62\x66\xa2\x76\xa3\xe8\xd3\x88\x27\xb2\x90\xe1\x04\x46\x06\x99\x2d\x13\x42\x36\xa1\xae\x87\xf9\x33\x8b\x77\x41\xf2\xe8\xa7\x46\xeb\x0f\x60\x77\x62\xed\x4e\x18\x92\x3d\xba\xcf\xea\x14\x7a\xd5\x7e\xff\x61\x71\x67\xd0\xf5\x4d\xaa\xc4\x54\x37\xc5\xe6\x1b\x45\x93\x7e\x8a\xa5\xe7\xce\xef\x4c\xa2\x25\x4b\x97\x01\xa2\x2f\x57\x7f\xb6\x27\xe8\xe1\xc1\xc7\x04\x01\xae\x81\x1b\x9a\x53\xf4\xc1\x6a\x79\x43\xe3\xd8\x1b\xa3\xd9\x20\x9c\xbd\xfb\x20\x8b\x04\xce\x15\x8e\x7b\xa8\xee\x77\xb0\xb7\x5f\x52\x08\x68\x6d\xf7\x87\x12\xd2\x8f\x70\x03\x61\x15\x91\x00\x36\x9b\x63\x33\x84\xdd\xff\x44\x02\xc0\xab\x0e\x2e\xc0\xaa\x87\x18\x6a\x65\xd3\x48\
x4d\x29\x21\xd6\x25\x3f\xd1\xfb\xf4\x6b\x63\xba\x72\xeb\x79\x5c\xc0\x25\x69\x0f\x1f\x48\xdb\xe3\x08\xf9\x78\xe2\xfd\x55\x13\xe2\xdd\xc0\xb0\x66\x19\x4f\xd5\x8d\x3e\xaa\x49\x69\x0b\xd7\xe7\x86\x38\x85\xeb\x5e\x2a\xc6\x87\x0d\xe8\x35\x92\x67\x5f\x74\xcf\x89\x89\xe1\x8e\x68\xf1\xb6\x06\x78\x27\x0c\xa6\xb9\xc0\xda\xf4\x44\x27\x8a\x7d\xc8\x2a\x97\x80\x73\x0a\xa0\x3b\xe5\x68\x13\xe8\x1d\x6f\x29\x6c\x6f\x87\xd0\x09\x96\x18\xaf\x9f\x7e\x99\x16\x49\xec\x36\x49\x72\xd4\xc8\xfb\x66\x96\x70\xec\x92\x96\xce\x17\x38\x38\xb9\xc9\x2b\xaf\x6b\xf8\x83\xc1\x34\xd2\xc1\xcb\xcd\x92\x8b\x54\x99\x1d\x4c\x00\xf4\xaa\x72\x70\xbf\x3b\xef\xeb\x10\x8e\x98\x62\xf3\x46\x88\xcc\x2d\xb3\xb7\x94\x37\x77\x67\x12\x79\xa1\x7f\x9c\x64\xc4\x0b\xd8\x48\x5e\xf5\x2e\xb9\x64\x31\x4c\x65\xaa\x34\x59\x6f\x16\xb8\x0f\x9e\xf7\x81\xc4\xe8\xee\xb0\xac\xd2\x89\x38\x6c\x1a\xe5\x06\xae\x5b\xd2\xb2\x0b\x76\x0c\xe0\xc7\x9b\x56\xb1\x34\xe2\x2f\x57\xc4\x4a\xba\xe2\xf4\xec\xad\x82\xef\xe4\x02\xa4\x3a\x47\x59\x45\x77\xa2\x4b\x79\xa9\x4c\x6f\x7a\x5e\xda\xab\xeb\x48\xfc\x5e\xc2\x7a\xec\xd8\x23\x80\xd0\xe9\x40\xa0\x33\xe8\x7a\x44\x74\xb9\x5d\x58\xa5\xfe\xc5\x9d\x80\xb0\x91\xe9\x16\x5a\x14\x32\x5b\x38\xc5\xe4\x56\x5c\x3f\x0f\x12\x6f\x8b\x2a\xdf\x83\x26\x8e\x00\x76\x64\x7d\xdd\x43\xff\x2d\x52\xd7\x73\xab\x30\x40\x88\x45\x8f\xac\x4f\xb9\x37\x9e\x20\x96\x85\x60\xa0\x75\x17\xd6\xe0\x00\x1d\x2a\x08\xc3\xc6\xc9\x78\x25\xe1\x22\x59\xea\x86\x1b\x0a\xd5\x64\x94\x50\xdf\xfb\x3a\xfa\xe4\x9c\xd3\x1e\xfb\x40\x51\x3c\x06\xb7\x95\xe0\x71\x60\x3a\x47\xd3\xc8\x39\xc4\x01\xec\xc3\x8b\x11\x7d\xf9\x38\x83\x6a\x15\xb3\x1a\x13\x5b\x58\x89\x2d\xb9\xb4\xeb\xf6\x84\xdb\x3f\x7e\xce\x8a\x9d\x60\xbc\x8c\x81\x0e\xba\x0c\xa0\xd8\x75\x83\x57\x37\xd2\x5b\x94\x8b\x39\x28\x60\xaa\x82\xcd\xd5\xff\x7c\x6b\x0b\x4d\x7a\xe1\x82\x16\x89\x49\xd9\x84\x0e\x33\x54\x5d\x61\x27\x72\x7a\xbe\x02\xdd\x01\x41\x8c\xe4\xdd\x46\xaf\x7b\x5f\x08\x44\xcb\x51\xd4\x99\x2f\x4c\xe1\x22\x3c\x23\x13\x7c\x21\x13\x61\xd0\x15\x0e\xd2\x35\xa0\x59\x8f\x9e\x1d\x81\x6a\x40\xc6\xae\xb8\xad\x56\
x26\xbc\x22\xb2\xe9\x39\x57\x47\x44\x1c\xc7\x8a\x55\x8d\xed\xc4\x02\x47\x32\x48\x98\x99\x12\xa0\xaa\x71\xac\x8d\x77\x54\xde\x78\xa1\xd5\xb9\xe5\x48\xd4\xeb\xef\x22\x4e\x82\xcd\x39\x35\x24\xd7\x9b\x88\xd6\xe0\x40\x5a\xd0\x2d\xa7\x11\x7b\xa0\x37\x29\x4e\x53\x5f\xff\x4b\xb7\xbf\xca\xce\xde\x33\x48\xf0\x1d\x16\x13\x48\xf4\xee\xe1\xa5\x15\xbe\x53\x0e\x0f\x0e\x64\xc5\x65\x44\xd4\xae\x10\x64\x45\xcc\xe1\x41\x0c\x79\x0b\xdb\xeb\x1e\x2d\x29\x3e\x01\x2e\x02\x97\xc4\x6c\x91\x45\xdc\xcb\xd6\xff\x77\xcb\xfa\xcd\xa4\x6f\x27\xd7\x1d\x02\xde\x14\xb6\x1c\x50\x53\x33\x19\xc6\x68\xfc\xfa\xc0\x36\xc7\x86\x7d\x12\xa3\xd0\xd8\xd4\x49\xc4\x96\x69\x58\x63\x49\xf2\x23\x9c\x4f\xa5\xc2\xb8\xfd\xfc\x42\x3e\xcd\x85\xed\xcc\xf6\x85\x47\xb1\xa9\x06\x76\x4c\x5c\x03\xff\x33\x2b\x56\x3e\xae\xee\xb8\x45\x65\x35\xc6\x1e\x91\x73\x92\xa0\x3d\xfe\x6b\xeb\xf3\xdc\x57\x10\xf9\x32\xb5\x07\xe3\xf0\xcd\xfb\x6a\x9d\xd0\x35\xf0\x6d\xe0\x55\x72\xca\x94\xd8\x5b\xfb\x15\x7e\x68\x44\x8a\xb8\xb0\xc4\xd5\x96\xce\x02\x0d\xad\xef\xce\xae\x68\x15\x3e\x5f\x62\xc5\xc0\x81\x43\xf5\xdb\x49\x7a\xaf\xab\x19\xcd\x33\x0c\x37\x84\xdb\x0a\xde\x50\x5a\x29\x51\x4b\xd1\xe8\xc3\xb9\x2c\x4f\x61\x65\x36\x22\xf8\x75\xec\xac\xc9\xe6\x77\x4a\xde\xca\x1c\xa4\x2f\x63\x7c\x70\x22\x99\xa2\xd3\xf8\x81\xbe\x79\x5b\xba\x9d\xb3\x40\xe4\x80\xaa\x4e\x94\x4d\xec\x20\x21\x6b\x83\x58\x45\x5d\xcf\x8e\xed\x99\x0e\x41\xf3\x37\x64\x42\xb9\xb3\xe0\xd8\x82\x38\x77\x5b\x8b\xea\x3f\x68\x8a\xf1\x85\x39\xb2\xe8\xba\xfa\xac\xc1\xc4\x06\x4e\x9a\xe8\x87\xc6\x9d\xca\x82\xac\xad\xf3\x55\x30\x92\xe7\x87\x97\xa6\x2c\xc8\x34\x44\x1c\x22\x2f\xf2\x26\xea\x32\xd2\x03\xc0\xb1\xfa\xcc\x67\xe6\x30\x71\x6a\x3f\x96\xa0\x77\xe2\x34\x8f\x2b\xe6\xd9\x3e\xc0\x63\x1a\x5e\xf1\xbe\xd4\x10\x61\x19\xd9\x70\xe6\x22\x8f\x01\x69\x89\xa8\xfd\xf0\x1b\xda\x8e\xdd\xfd\x60\x68\xd6\x49\xb3\x95\x6e\xab\x29\xd3\x03\xf1\xfc\x68\x67\xd8\x63\xc8\x7c\x35\x39\xe8\xe9\x9c\xe2\x39\x53\xc2\x5e\xe2\xb0\x98\x57\xd2\xdf\xdd\x4c\x2d\x24\x2b\xd8\x33\xf6\xb7\xf4\xa6\x7c\xde\x78\x63\xd6\x53\xa0\x05\x21\xfa\x68\
xce\x23\x1d\x06\x15\xb0\x01\x75\xec\x1f\xca\x37\x7e\x4e\x72\xf7\x8a\x8f\x8f\xbc\xa9\xda\x4f\x40\x8b\xc1\xb7\x99\x97\x1c\x16\xce\x2e\x04\xaa\x24\x32\x79\xef\xcd\xb0\x78\x43\xd2\x55\xeb\x60\x67\xe3\x73\x2b\xcf\xdf\x1c\x17\x17\x8d\x77\xd3\xdf\xf4\x24\xd6\x77\x2e\x39\xae\xc3\xbe\xf9\x59\x2a\x25\xe9\xfb\xb5\x51\x09\x52\xe5\x83\xf5\x34\xa4\xd1\xf5\x7c\xce\xfe\x84\x55\xf3\x53\xdf\xee\xee\xdc\x8b\x3e\xa3\xd6\xc4\x1f\xf4\x16\x7d\xe5\x14\x55\x30\xf3\xdd\x70\xbc\x89\xfd\xcf\xa8\x63\xd8\xc5\x65\x20\x8d\x32\x72\xb0\x23\x8b\x97\xd9\x5c\x5a\x67\x87\x24\x15\xa2\x7e\xf0\x6f\xa2\x6c\x0f\x72\xb5\x71\xcf\xfb\x76\x23\x69\xc8\x0b\x5f\x33\x2f\x03\xa9\x75\x9f\xec\x50\xd6\x04\xa1\x8a\x69\xfb\x52\x13\x11\xfa\x17\x1e\xa6\xfa\x40\x48\x73\xde\x91\x95\xf8\x47\xd8\x1f\xd4\xba\xe3\xd5\x21\x6d\x6c\x00\xcc\x38\xd5\xc7\x5d\xad\x1e\xf6\x86\xd5\xce\x4a\xcb\xb4\x77\xfb\xf6\xc5\xad\x0b\x26\x9e\x69\x05\x4b\x4a\x59\xdb\x3c\x6e\xb0\xce\xc7\xfb\xdf\x32\xd3\x30\x6c\xeb\x5d\x10\x06\xeb\x7b\xf6\xf0\x70\x12\xb1\x16\xc9\x5f\xbf\xcf\xd9\x9e\x82\xf5\xab\xa8\xeb\xd7\xc7\x90\xc9\xf0\x40\x75\xe2\xbb\x39\x9d\x92\x29\xbe\x4a\x0e\x90\xdc\x1b\x03\x58\xee\xcf\xfa\xda\xeb\xc0\xbd\xc6\xff\x1c\xfd\x00\xdc\xeb\xc0\xa9\x0d\x7b\x96\xc9\x6f\xa5\x52\xdc\x82\x4b\x94\x4d\x95\x1d\xb7\xd2\xb6\xee\x39\x9b\x6c\x1f\x29\x65\xe5\x93\x1c\xea\x56\x1b\x9d\xda\x86\xb5\xe7\xc3\x67\x41\xc0\x4a\x97\xa0\x0b\x06\x95\xa9\xd8\x3d\x62\x9e\xb5\xde\x99\xbf\x8a\xe8\xd7\x55\xf3\x31\xe4\x02\x53\x39\x0a\xbb\x2e\x60\x49\x16\x74\x96\xd5\xca\x37\x56\x3b\xea\xbd\xa4\xf8\x2b\x2c\x9a\x58\xef\xf2\xa5\x8a\x1d\x2f\xbc\x8d\x72\xc1\x88\xd4\xb3\x39\x2b\x9b\x42\x86\xa8\x5f\x5d\xed\x71\x0f\x24\x3b\x24\x83\x2c\x54\x79\x1e\xee\x12\x09\x44\x3f\x07\xf3\x74\xea\x2a\xb6\x14\xd6\xa9\xac\x8b\x09\x81\xc3\x50\x96\x96\xc0\x58\xd3\x2f\x4a\xff\x5a\xf8\xe9\xeb\x22\x53\xed\x4f\x83\xe8\xb4\xf3\x29\x4b\x61\xc9\x0d\x54\xd3\xc3\x5f\x3d\x44\xd5\x5a\x5a\x1f\x55\xba\xc7\xe5\x97\x8b\x63\xfb\xb9\xdf\x0e\x9c\x6b\x15\x4d\x61\x24\xef\x4c\xf6\x3f\xf3\xae\x36\x10\x32\x14\x7f\x9e\xf7\x5f\x9e\xa2\xf4\
xb2\x2e\xb1\x36\x93\xe2\x67\xb7\xc4\xf6\x36\x5d\xe5\x36\x86\x11\x8a\x93\x4a\x59\x8b\xa5\xa8\x17\x5e\xe5\x0f\x09\x9a\xa9\xac\xd7\xf2\xe2\xc9\xb0\x5b\x04\x4b\x3b\x06\x1b\xd1\xbb\x3b\x29\x6b\x6b\xf9\x00\xb8\x56\xa6\x44\x8d\x81\x2e\x68\xef\xd3\x1f\xef\xfd\x44\x52\x99\x0c\xd5\xf7\xcc\x02\x58\x8e\xef\xbe\xbb\x9f\x56\xab\x77\xcd\x50\x29\x89\xcd\x16\xe8\x9a\x44\x55\x3e\x19\x89\xd4\xdf\xfd\x97\x7b\x53\xea\x8b\x3b\x63\x6d\x62\xbb\xb2\x65\xc4\x28\x0c\xab\x59\xda\xb2\x4f\xbe\x7f\x16\x18\x0d\xfd\xdf\x62\xe4\x82\xed\x8e\xdc\xa2\x7a\x96\x7c\xe5\xfa\xe0\x32\x8b\x64\x03\xce\xe1\x7a\x6d\x63\xac\x71\xa8\xa4\x6f\x6c\xad\xdb\x53\x0c\x6d\x90\x5a\x8b\x6c\x8e\xd8\x9f\x62\x2a\x0c\x0a\x90\x67\x5c\x1f\x8d\x97\x9b\x34\xcd\x1e\x95\x4f\xa9\x15\x4f", 4096); (void)res; break; case 11: memcpy((void*)0x20001000, "\xc4\x62\x39\x37\x47\x7e\x66\x0f\xe3\x0c\xa4\xf3\x3e\x45\x09\x17\xc4\x61\x78\xae\x91\x72\x98\x00\x00\xc4\x63\xe1\x22\xd6\x96\xc4\x03\x7d\x7b\x05\x0f\x00\x00\x00\x00\xc4\x63\x39\x5f\x47\x3f\xad\xc4\x03\x55\x5d\x3c\x56\x00\xc4\xe2\xb5\x96\xf0\xc4\x21\xfd\x5b\xfb", 65); res = syz_execute_func(0x20001000); fprintf(stderr, "### call=11 errno=%u\n", res == -1 ? 
errno : 0); break; case 12: (void)res; break; case 13: memcpy((void*)0x200010c0, "\x5d\x8d\x97\xaf\xe9\x58\xa6\xb4\x6b\x8f\xef\xfe\x29\xf0\x51\x64\xa8\xee\xd8\xf0\x35\xa6\xc4\xd8\xf6\x97\x21\x06\xc0\xf6\xa0\x43\x0f\x03\x47\xa9\xad\x29\xa9\x40\xd3\xde\x0d\x19\xdd\x63\xc0\x6d\xad\x37\xea\x1e\x10\x5f\xec\x8b\x4d\xbd\xb4\xd7\xf9\x51\x64\xff\x31\x3f\x19\x9a\xaa\x43\x10\x8e\x96\x13\xc1\xe6\x29\x58\xe7\x76\x28\x47\x15\x8e\x87\x26\x92\x4d\xcb\xda\xff\xfd\x2a\x94\x2c\x44\x0d\x0a\x80\x34\x04\x87\xaf\x0e\xb9", 105); memcpy((void*)0x20001140, "\xe2\xf9\x19\x3e\xea\x7f\xea\x62\xb3\x74\xa3\x15\x14\x75\xbf\x3b\xe9\x82\x5d\xbe\x21\xd3\x90\x7a\x6b\xaf\x2f\xcd\xf0\xe6\xdd\x64\xfa\x7c\xcc\xe3\x73\x4b\xa6\x62\x73\xba\x0d\xb7\xe7\x9d\x31\x4b\x54\xd1\x01\x58\xb7\xd4\xa6\x7b\x5e\x26\x4c\xd1\xfe\x32\xc6\xba\xb3\xd0\x3f\xaa\x5b\xd6\x7a\x46\x09\xb4\x8a\x17\xeb\x03\x86\x53\x8a\xfe\x3d\x83\xa4\xf1\x95\x97\x90\x97\x73\xc9\x47\x4f\x1f\x66\x85\xe5\x91\x57\xf5\xc7\x6c\x2d\xe0\x65\xf5\x09\xb7\xa7\xcf\x8e\x62\x9c\xca\x55\x3d\xcb\x44\x45\xa3\x72\x88\x31\x99\xbe\x74\x66\x34\xe8\x57\x26\x6c\x27\x58\xf8\xd5\x8d\xd0\xde\xa4\x57\x79\x02\x04\xfc\x26\xe2\x69\x27\xd5\xbb\xff\x20\xa9\x9a\xed\x0a\x95\xd8\x50\xec\x32\x21\xf4\xf1\xd8\xf1\x3a\x8f\x00\xbe\x13\x51\x9e\xf8\x98\xd3\x9d\x28\x56\x8b\xb7\x89\x4c\x39", 186); res = syz_usb_connect(0x721, 0x69, 0x200010c0, 0x20001140); fprintf(stderr, "### call=13 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[5] = res; break; case 14: res = syz_usb_disconnect(r[5]); fprintf(stderr, "### call=14 errno=%u\n", res == -1 ? 
errno : 0); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'syz_usb_connect_impl': :637:63: error: unknown type name 'usb_ctrlrequest' :642:55: error: unknown type name 'usb_ctrlrequest' compiler invocation: /syzkaller/netbsd/src/../tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor962213057 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/netbsd/src/../dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/3 (1.40s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:false RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = fcntl$dupfd(0xffffffffffffff9c, 0xc, 0xffffffffffffff9c) r1 = dup2(0xffffffffffffffff, r0) pwrite(r1, &(0x7f0000000000)="5d1dd436f0f5a32b117d0f61dc010511e7e3c7f92e33630dfc7a02f9f4df14c215d8716f98892cba0ddcbbd6b2683f5e028152ebbe2d26a7e4c45673b55cf76e7795dd124f82947e0244eb08cfb0b5da0c829b1580ac64473f069f9928c1043bdeaa541829f4ef60f80ea0b9b912a974a5e98ea75423d1126815de1319a78c8127c017f8cbe86d", 0x87, 0x6) getsockname$unix(r0, &(0x7f00000000c0)=@abs, &(0x7f0000000100)=0x8) accept$inet6(r1, &(0x7f0000000140), &(0x7f0000000180)=0xc) socketpair(0x18, 0x844590f3b4efa023, 0x7f, &(0x7f00000001c0)) r2 = accept(0xffffffffffffff9c, &(0x7f0000000200)=@un=@abs, &(0x7f0000000240)=0x8) r3 = getpgrp() stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 0xffff, 0x11, &(0x7f00000003c0)={r3, r4}, 0xc) syz_emit_ethernet(0x1000, &(0x7f0000000000)="") 
syz_execute_func(&(0x7f0000001000)="c4623937477e660fe30ca4f33e450917c46178ae9172980000c463e122d696c4037d7b050f00000000c463395f473fadc403555d3c5600c4e2b596f0c421fd5bfb") syz_extract_tcp_res(&(0x7f0000001080), 0x5, 0x6fb) r5 = syz_usb_connect(0x721, 0x69, &(0x7f00000010c0)="5d8d97afe958a6b46b8feffe29f05164a8eed8f035a6c4d8f6972106c0f6a0430f0347a9ad29a940d3de0d19dd63c06dad37ea1e105fec8b4dbdb4d7f95164ff313f199aaa43108e9613c1e62958e7762847158e8726924dcbdafffd2a942c440d0a80340487af0eb9", &(0x7f0000001140)="e2f9193eea7fea62b374a3151475bf3be9825dbe21d3907a6baf2fcdf0e6dd64fa7ccce3734ba66273ba0db7e79d314b54d10158b7d4a67b5e264cd1fe32c6bab3d03faa5bd67a4609b48a17eb0386538afe3d83a4f19597909773c9474f1f6685e59157f5c76c2de065f509b7a7cf8e629cca553dcb4445a372883199be746634e857266c2758f8d58dd0dea457790204fc26e26927d5bbff20a99aed0a95d850ec3221f4f1d8f13a8f00be13519ef898d39d28568bb7894c39") syz_usb_disconnect(r5) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == 
EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } /* -------------------------------------------------------------------------- */ /* * Redefinitions to match the linux types used in common_usb.h. 
*/ struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define 
USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* 
config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) 
return NULL; int rv = 0; rv = parse_usb_descriptor(dev, dev_len, &usb_devices[i].index); if (!rv) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = 
descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } /* -------------------------------------------------------------------------- */ static int vhci_open(void) { return open("/dev/vhci", O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; ssize_t done; while (1) { done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; ssize_t done; while (1) 
{ done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } /* -------------------------------------------------------------------------- */ static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index; int portnum, fd, rv; bool done; portnum = procid + 1; if (!dev) { return -1; } if (portnum != 1) { /* For now, we support only one proc. */ return -1; } fd = vhci_open(); if (fd < 0) { return -1; } index = add_usb_index(fd, dev, dev_len); if (!index) { goto err; } rv = vhci_setport(fd, portnum); if (rv != 0) { goto err; } rv = vhci_usb_attach(fd); if (rv != 0) { goto err; } done = false; while (!done) { vhci_request_t req; rv = vhci_usb_recv(fd, &req, sizeof(req)); if (rv != 0) { goto err; } if (req.type != VHCI_REQ_CTRL) { goto err; } char* response_data = NULL; uint32_t response_length = 0; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { bool response_found = false; response_found = lookup_connect_response_in(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &response_data, &response_length); if (!response_found) { goto err; } } else { if (!lookup_connect_response_out(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &done)) { goto err; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { /* TODO: possibly revisit */ } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = 
response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { goto err; } } sleep_ms(200); return fd; err: close(fd); return -1; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, 
call, thread; for (call = 0; call < 15; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 13 ? 3000 : 0) + (call == 14 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } #ifndef SYS_accept #define SYS_accept 30 #endif #ifndef SYS_dup2 #define SYS_dup2 90 #endif #ifndef SYS_fcntl #define SYS_fcntl 92 #endif #ifndef SYS_getpgrp #define SYS_getpgrp 81 #endif #ifndef SYS_getsockname #define SYS_getsockname 32 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_pwrite #define SYS_pwrite 174 #endif #ifndef SYS_setsockopt #define SYS_setsockopt 105 #endif #ifndef SYS_socketpair #define SYS_socketpair 135 #endif #ifndef SYS_stat #define SYS_stat 439 #endif uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_fcntl, 0xffffff9c, 0xcul, 0xffffff9c); if (res != -1) r[0] = res; break; case 1: res = syscall(SYS_dup2, -1, r[0]); if (res != -1) r[1] = res; break; case 2: memcpy((void*)0x20000000, 
"\x5d\x1d\xd4\x36\xf0\xf5\xa3\x2b\x11\x7d\x0f\x61\xdc\x01\x05\x11\xe7\xe3\xc7\xf9\x2e\x33\x63\x0d\xfc\x7a\x02\xf9\xf4\xdf\x14\xc2\x15\xd8\x71\x6f\x98\x89\x2c\xba\x0d\xdc\xbb\xd6\xb2\x68\x3f\x5e\x02\x81\x52\xeb\xbe\x2d\x26\xa7\xe4\xc4\x56\x73\xb5\x5c\xf7\x6e\x77\x95\xdd\x12\x4f\x82\x94\x7e\x02\x44\xeb\x08\xcf\xb0\xb5\xda\x0c\x82\x9b\x15\x80\xac\x64\x47\x3f\x06\x9f\x99\x28\xc1\x04\x3b\xde\xaa\x54\x18\x29\xf4\xef\x60\xf8\x0e\xa0\xb9\xb9\x12\xa9\x74\xa5\xe9\x8e\xa7\x54\x23\xd1\x12\x68\x15\xde\x13\x19\xa7\x8c\x81\x27\xc0\x17\xf8\xcb\xe8\x6d", 135); syscall(SYS_pwrite, r[1], 0x20000000ul, 0x87ul, 6ul); break; case 3: *(uint32_t*)0x20000100 = 8; syscall(SYS_getsockname, r[0], 0x200000c0ul, 0x20000100ul); break; case 4: *(uint32_t*)0x20000180 = 0xc; syscall(SYS_accept, r[1], 0x20000140ul, 0x20000180ul); break; case 5: syscall(SYS_socketpair, 0x18ul, 0x844590f3b4efa023ul, 0x7f, 0x200001c0ul); break; case 6: *(uint32_t*)0x20000240 = 8; res = syscall(SYS_accept, 0xffffff9c, 0x20000200ul, 0x20000240ul); if (res != -1) r[2] = res; break; case 7: res = syscall(SYS_getpgrp); if (res != -1) r[3] = res; break; case 8: memcpy((void*)0x20000280, "./file0\000", 8); res = syscall(SYS_stat, 0x20000280ul, 0x200002c0ul); if (res != -1) r[4] = *(uint32_t*)0x200002dc; break; case 9: *(uint32_t*)0x200003c0 = r[3]; *(uint32_t*)0x200003c4 = r[4]; *(uint32_t*)0x200003c8 = 0; syscall(SYS_setsockopt, r[2], 0xffff, 0x11, 0x200003c0ul, 0xcul); break; case 10: memcpy((void*)0x20000000, 
"\xd2\x88\x11\xeb\x3e\xf8\x05\x7d\x4d\x7c\x72\x29\xab\x1e\x5a\x02\x15\x74\x40\xec\x59\x86\x63\x31\x4f\x52\x2e\x6a\x8f\x7e\x2b\x68\xcd\x21\x08\x34\xf1\x3e\x84\xf2\x57\xc3\x58\xe7\xe1\x97\x17\xa7\x93\x53\xa0\x60\x9a\xbf\x39\xfc\x23\xd2\x80\xe0\x31\xdb\xc3\x60\x48\xed\x67\xb3\x18\xa0\x55\x3a\x54\x1c\x84\x16\x7d\x1b\xf3\x90\x95\x1a\xbf\xd5\x37\x01\x57\xad\x02\x4b\xea\x03\x0e\x6c\x00\x3d\x2e\x50\xa9\x32\x90\x39\x93\x42\x94\x72\xcc\xa8\xbe\x88\x08\xca\x29\x15\x85\x8e\xd2\x59\x8c\x1e\x76\xf9\x8e\x66\x2b\x06\x78\xbd\xfd\x91\x86\x2b\x0a\xf8\x4e\x15\x85\xc3\x70\x9e\xeb\x1b\x8f\x06\x57\x03\xa7\x5c\x12\xe1\xfa\x87\xb7\x7d\x46\xd3\x74\xee\x21\x13\xbb\xbd\x6b\xde\xbb\x4c\xf0\x68\x7f\x79\xdb\x89\x5a\x8a\xc8\x1c\x3b\x28\x6c\x03\x42\x7e\x32\x11\xe7\x14\x20\xaf\xa9\xb5\xc9\x01\x3e\x63\x8e\xd9\x7d\xe9\x98\x3f\xb3\x34\x24\xfe\x11\xef\xd7\x82\x4c\xd6\x97\x92\x86\xd5\x9a\x5c\x79\x33\x8b\x6a\x9a\x2d\x15\xe7\x07\x91\xbd\xb5\x18\x6a\xa7\x4e\x17\x5a\x00\x49\xc1\xe3\x9d\xb5\x36\x37\x7a\x83\x54\x91\x5a\x8a\x15\x12\x5b\x8b\xe6\x2f\x01\xa9\x37\x40\xb2\x42\x8b\x18\x9e\xa4\x2e\x31\xb6\xce\x7a\xa3\x67\x6b\xf1\x46\x8b\x75\x1b\xf0\x6a\xac\xf1\x59\x04\xdb\x50\xc1\xbe\x9d\xf4\xcc\x9d\x41\x59\x9c\x57\xcf\xaf\x66\xb7\xe5\xee\x2d\x23\x72\x63\x0a\x7b\xf5\x38\xda\x78\x6d\xff\xf6\x05\x2e\x02\x55\x8a\x4d\x1c\xcf\x70\x99\xa8\xc5\x99\xc3\xc8\xb5\x15\xe8\x44\xf1\xe2\x3d\xe7\x3d\x80\x61\x27\x22\x82\x53\xa7\x05\x3b\x5e\x91\x51\x16\x85\x37\x0c\x98\x0f\xfa\x72\xe5\x55\x1f\xf0\x5f\xcb\xd9\x40\xd5\x14\xbe\xd2\x86\x0b\x87\x5b\x9a\x12\xb2\x6e\xdb\xb2\x92\xe0\xe8\xd8\xcb\xcd\x9d\xe3\xab\xa6\x8f\x7c\x14\x19\x24\x9f\xe4\x3a\x67\x54\xbf\x02\xa3\x6e\x0f\xd1\xf2\x7c\x48\xe9\xd1\x6c\x18\xed\x14\x84\xe5\x6c\xc5\xbc\x34\x83\x51\x93\x11\xe3\x37\x54\xaf\x2f\xc4\xd3\x7c\xfa\x1c\x6e\x5f\x0d\x38\xae\x96\xa6\x21\xc0\x4d\xb0\xfd\x7d\x79\x32\x97\xe4\x98\x1f\x90\x82\x93\x7b\x93\x22\xf4\x94\xbd\x98\xb2\xf4\x3d\x9b\x5c\x19\xff\x19\xec\x17\x7c\x63\x05\xb1\x88\x00\x44\x51\x11\x76\x3c\xda\xee\xc3\x51\x68\x93\x84\x78\x3a\xe7\xcf\xf9\xb1\x06\x6
3\x9e\xa6\x11\xfb\x72\xe8\x6d\x68\x5e\xa0\xf6\xb6\x5d\xc3\xb9\xa2\x43\x6c\x89\x25\x73\x82\xd1\x15\x16\xa2\xb0\x66\x37\xcf\xd9\x31\xe2\xca\x4e\x62\x53\x43\xd6\xb9\x65\x25\xc5\xbf\x7d\xcc\x43\x7f\x47\x4e\x1f\xf9\xf3\xdc\xc8\x57\x40\x44\x4a\x4c\x56\x9f\x50\x37\x9b\x98\x5f\x68\x43\xac\x29\xf0\x9a\x9f\x99\x81\x9a\xe2\x10\xdb\x22\xab\x19\x34\x09\x74\x95\x7f\x1f\xbe\xa4\x1c\x58\x51\xb2\xfa\x7a\x2f\xa8\x75\x81\xa7\xfb\x42\xdb\x8c\x24\xb4\xc6\xf8\x29\xbe\x59\x2c\xa0\xd0\xcf\x1a\x2f\xe6\x7d\xec\x53\x2c\xfa\x77\xf8\xf1\x95\x5d\xa3\x35\xa8\x4d\x5a\xef\x49\x05\xa9\xa2\x36\xc6\x07\x77\x4a\x0b\x4e\xf1\xd5\x0b\x55\xbd\x49\xaa\x87\x7c\x2b\x6b\x2e\x37\xa3\xe4\xa3\xb2\x4e\x95\xfa\x55\x7b\xa8\x9a\xaf\x42\x27\xb5\xbb\x0e\x64\x0b\x46\x98\xcd\x00\x4f\x87\x0c\x7d\xaa\x9e\xa4\x41\xfd\xbe\x8b\x30\x53\xdf\xfc\xe6\x46\xc0\xb0\x6d\xf3\x23\x25\x2c\xad\xa7\xf2\x4f\xcc\x21\x62\x4e\xdf\x49\x56\x7b\x26\x93\xfe\xc0\x69\x3d\x24\x3e\x06\x7b\x21\xe2\xbe\x29\x6c\x52\xbb\x2a\x38\x1f\x47\x94\xaa\x2e\x85\xdd\x5c\xb6\x67\x7e\x94\xb7\xe0\x03\xeb\xad\x24\x57\x37\x62\xa6\x40\x97\x3c\x07\x72\x99\x4d\xa2\x8c\x64\x90\xc1\xaf\x8f\x0f\x91\x75\x4e\x71\xc7\xf3\x26\xbd\x31\xdf\xc9\xc6\xfc\x20\x76\x7d\x71\x3a\x93\x31\x7b\xcb\xe0\xa3\xef\xc9\xc5\xa8\x57\x1b\x7b\x0a\x02\x97\x77\x41\xe8\xa8\x3c\xa8\x12\x96\x14\x5e\xc9\x55\xe1\xab\x98\x2c\x7f\x46\x62\x84\x56\x2b\x52\xde\x13\x55\x68\xa1\x42\xe6\x77\xc3\x43\xf5\xeb\xd3\x37\x55\xd0\xb9\x15\x65\x64\x6d\x7c\x36\x2e\x46\x64\x00\x7c\xae\x21\x67\xdb\x5d\x0a\x93\x3e\x12\x19\xd3\xd6\xa7\x38\x75\x76\xe5\x42\xf8\x16\xfa\x51\x6d\x44\xaf\xc3\xd9\x92\x29\xd4\xf5\x7f\xa8\x3b\x89\x48\xf8\x98\xb8\x52\x8d\xed\x2c\x53\x9b\x60\x33\x49\x1c\x6d\x78\x0c\xac\xb2\xbc\x3f\x52\xc2\x79\x4d\xe8\xdb\x39\x58\x12\xd4\xf7\xa4\x4b\x9c\x04\xd6\xfd\x3c\xa8\x6c\x68\x64\x7d\x3e\x47\x5d\xe5\x81\xed\xc3\x88\xdc\xde\x91\xb8\xb2\x4c\xd4\x2b\x91\xa1\x9e\x91\xb4\xb6\x37\xb4\x3b\x6f\xa4\xe1\x50\x44\x3e\xc7\xc0\x86\x95\xc4\x2b\xc6\xa9\x30\xb3\x08\x42\x04\x02\x3b\xfd\x15\xe1\xc0\x31\x2e\x46\xf4\x30\xe2\x6b\x0f\xcc\xa1\x5
2\x20\x9f\xc1\xc7\xf9\x91\xc1\x11\xbd\xcd\xa7\x2e\x19\x86\x26\x76\x6e\xaf\xc8\xcf\x54\x92\x18\x9d\x4c\xc9\xa8\xe2\xa8\xa9\xcb\x73\x89\x78\xec\xec\x37\x37\x6d\xc9\x9c\xa8\xd3\xef\xcf\xe7\x3d\xa5\x38\x96\x0e\xbf\x78\xf0\xa4\x36\x63\x76\xae\x5f\x1b\xb1\xf8\x11\xec\xce\xb6\x25\x10\x89\x78\x55\xe3\x06\x61\x04\x70\x1b\x94\xf6\x19\x13\xda\x46\x99\x31\x3c\xec\x63\xa8\x8a\x9b\xa4\x44\xa5\xfc\x01\xc0\x03\xbf\x9d\x6b\x25\x25\x04\xe4\x77\xf4\x0f\xb3\x3e\x59\x5f\x30\xac\x53\x8b\xc9\xee\xb2\x93\x72\xb7\xa9\xd1\xf6\xa2\xa9\xb0\x17\x7a\x17\x1e\x5f\x87\x9e\xab\x36\x3c\x76\x08\x61\x7c\x26\x19\x7d\xf1\xda\x9b\xaa\x02\x75\xe2\x3e\xd1\xb5\x92\xce\xbd\xcd\x6e\xf2\x2b\x36\xc4\xf2\x87\xdf\xe8\x49\xcf\x54\xea\xed\x55\x70\xff\xc4\x50\xcd\xe8\xb6\xee\x12\xef\xbc\x8d\xdf\xea\x6b\xf7\x82\xc2\x7e\x5a\x58\x16\xb6\xf0\x4f\xf5\xfe\x97\x7f\x05\xa5\xb1\x2a\x13\x64\xa6\x59\xcb\x6b\x11\xab\x7a\x16\x82\xe1\x09\x7e\x61\x87\xcd\x7c\xbb\xa8\x7e\xf4\xca\x8c\x2c\xaf\x28\x49\x99\x13\xd9\x8a\x9e\x9f\x2e\x11\xc5\x2f\x37\xfa\xf2\xcd\x20\x7b\xbe\x57\x34\xda\x0e\x91\xba\x5f\x8b\x48\xad\x59\xb1\x22\x67\x85\x50\xb2\x7f\xef\xe7\x1a\xf5\x3d\x6f\x93\x41\x04\x38\x73\x89\xb5\x93\x24\xcd\xbf\x44\x6e\xfe\x50\xdb\xd2\x3d\xb7\x41\x8e\xc6\x66\x6e\xd9\xfc\xaa\x6f\x70\xbe\xac\x9c\xa4\x2a\x90\xee\xc8\x56\x7b\xe2\x1f\xb4\x5f\x08\x86\x75\x57\x15\xf3\x17\x37\x35\x23\xdf\xeb\x84\x5a\xb7\x73\x33\xcf\x8d\xdf\x92\x62\x44\xa3\x8e\x02\x4d\xf5\xaf\x9e\xa0\x72\x53\xd0\x7a\x59\xdb\x51\x12\x3f\xd8\x11\xcc\xe2\xd2\x06\xea\xe6\x94\x3e\xc8\x75\x59\xeb\x0e\xb2\x8a\x94\xa6\x27\x83\x1e\x45\xb3\xa7\xd1\xf8\x9f\x7a\x49\xfb\xce\x7c\x5a\x6e\xd8\x1f\x4e\x68\xdd\x3c\xe2\x93\x46\xf7\xc1\x4e\x50\x64\x54\x8d\x57\xf1\x13\x63\x13\x9e\x5b\x66\x9a\x17\x44\xbd\x99\x89\x40\x08\x27\x97\x3e\x67\xe9\x4c\xb5\x55\xb0\x8c\xf0\x45\x65\xf3\x3d\xb1\x71\x96\xd1\x65\x18\xb4\xf4\xb0\x23\x05\x3e\x86\xa7\x27\x55\x21\xfa\x5b\x20\x99\x3d\xe7\xc2\xfa\x09\x79\x7d\x92\x4d\x59\x89\x3c\xaa\x98\xd9\x7b\x58\x62\x89\xda\x8c\x9c\xc3\x81\x0c\xfd\xe8\x5b\x31\xa4\xe3\x11\x8a\x5c\xc2\xfb\x6
3\xe4\x07\x3d\xc2\x24\xe5\x01\xb6\x37\xc6\x66\x74\xea\xd1\xe8\x4a\x7e\x3e\x3c\xe4\xad\xaf\x0c\x72\x3e\x38\xa4\x1d\xb5\x47\xe9\xcc\x33\x82\xec\xf9\xf6\xb6\xf9\x64\xc1\xf8\x1f\xe7\x53\x65\x59\x3c\x9a\x55\x15\x2e\xc7\xc0\x50\x67\x47\x4b\xd7\x1a\x93\x70\x00\x9f\xee\x6d\x87\xf3\xee\xf6\xc9\x36\x0a\x50\x29\x41\xe9\x37\x30\x45\x41\x61\xd0\xf0\x39\x1f\x7c\x5e\xbd\xe6\x22\xf0\x5c\x1d\x67\x36\x89\x44\x39\x0b\x68\x17\x8f\xef\xb8\x25\xad\xd8\x12\xf4\x96\x86\x70\x53\x74\x01\x70\x35\x31\x66\x7c\xd5\x15\x0f\x21\x1b\x9f\xcf\xec\xf4\xee\x5e\x08\x80\xf3\x74\x8b\x9e\x7a\x74\x5e\x80\x2a\xff\xac\xc6\xb4\xaa\x5b\x5d\x83\x75\x0f\xc1\xc4\x7d\x4a\xb6\x91\x70\x90\x1e\x7f\x5e\x44\x2b\xb9\x8a\x89\x18\x60\x54\xac\xf2\x07\xa3\xcf\x70\x17\x31\x56\xc5\x59\xfd\x72\x86\x0a\x7d\x26\x79\xa2\xff\xcb\x53\x30\x20\x41\x13\xdb\xac\x6b\x3c\x3b\x69\xaa\x4f\x75\xf2\x1c\xb2\x15\x4a\x4a\x6b\x31\xc0\x25\xd5\x2a\xc5\x49\x60\x48\x3c\xed\xf3\xf1\x1a\x1a\xdf\xfe\xf2\xf1\xfe\xc9\x4a\x55\x61\xd9\x18\x68\x00\x1c\x3d\x83\x95\xff\x45\x0b\x14\x00\x95\xd6\x53\x64\x75\x37\x9f\x38\x63\x4a\xcf\x9d\xed\xff\x61\xb1\x7f\x7c\x87\xf8\xc0\x56\x6b\xe6\x25\x0c\xf4\x39\xeb\xa3\x8c\x37\x65\x39\x3a\x9e\xd1\x01\x6d\x50\x2b\xa1\x3a\x8e\xf6\xde\x35\xba\x66\x9b\x10\xa0\x00\x82\x23\xd2\xe2\xf8\x8d\x35\xfe\x0a\x73\x23\x32\x4b\xfa\xbf\x25\xa7\xac\x01\x90\x45\x49\xa2\x59\xe6\xa8\xd3\xa4\x96\x4f\x19\x7e\x94\xb8\xf9\xb3\xa3\x16\x3f\x63\x49\xe3\xda\xc7\xe0\x17\x48\xf6\x74\x79\x5c\xc3\xbd\x5a\x9a\x3a\xb5\xf2\xc1\x30\x81\x16\x7d\xf3\x7e\x37\x9e\xeb\x2e\xcf\x9c\xdf\xa2\x37\x15\x95\xf3\x08\x31\x05\x1a\xb1\x57\xac\x75\xf9\xeb\xc4\x8b\x49\x95\x59\x7e\x20\x6c\x7b\xa2\x29\xab\x30\xec\xcf\xe6\x62\x4d\x88\x49\xea\xe4\x1d\x2d\xc7\xa4\xd7\x57\xa3\x73\xb1\xd8\x66\x95\xc4\x20\xcc\x04\xbf\x0d\xa6\x64\xa7\x56\xb4\x82\x24\x16\x3d\xe4\x41\x8b\x93\x23\x39\xd2\x99\x06\x13\x13\xa6\x34\xa4\xba\x08\x9b\x12\xf8\x5d\x4d\xa1\xd2\x7d\x51\xde\x93\x08\x31\x0e\xf6\xae\xb3\x56\x23\xd0\xa7\x72\xc5\xce\xdd\x2a\x65\x9f\xde\xf0\x92\xb4\xdf\x6a\x88\xd2\x96\x42\x00\xc2\x85\xe8\xc1\x6
e\x74\x89\xb8\x1e\x41\x59\xdb\x06\x2c\xe8\xa7\xd0\xda\xb6\x51\x80\x92\x11\xed\xf0\x58\x6f\x28\x9e\xf0\x3d\xee\x7b\xb9\xf4\x38\xc1\xa3\x52\xf6\x34\x2c\x66\x4b\xfd\x35\xd2\x38\x85\xb0\x9b\xd1\xda\x62\xbd\x65\xd0\xbc\x09\xa5\xeb\x5a\xe9\x5e\xa3\x10\x88\x14\x77\x81\xc3\x35\xea\x17\x77\x72\xa2\x28\x96\x19\x1a\x7d\x15\x70\x2b\x6b\x34\x37\xce\xd8\x86\xcc\x85\xbb\x26\x86\x5c\xe8\x28\xb9\xfe\x78\xa0\x7b\x46\x3d\xf7\x33\x2f\x67\x92\xb2\xfd\x86\xd1\x7b\x1e\x98\xa4\xcc\x77\x29\xb0\x58\xc5\x98\xc9\x61\xc6\x34\xb1\x5d\x09\x73\xca\xcd\xd9\x73\x5a\x0f\x77\x78\x6a\xe2\xb0\x76\x6b\x31\x94\xa1\x27\x34\x5d\xd8\xc1\x1f\x69\xfa\x4c\x44\xcc\x5b\x30\xe0\x1f\x6d\xc5\x61\x33\x0f\x63\x63\x29\xc9\x7e\xc0\x5a\xe8\x29\x1d\x9a\x26\xb6\x05\xf1\xb2\x77\xc9\x32\x21\x15\x62\x6e\x29\x75\xc7\x91\xc3\xef\x10\x95\x4c\xb8\xb4\x7c\xea\x6c\xf6\x97\xeb\x9d\xb3\xbe\xcb\x11\x14\xce\x63\x92\x19\x9e\x87\xba\xc0\x43\xed\x7a\x15\x83\xdc\x66\x0b\x36\xde\xb0\x22\x1a\x79\xed\x70\xbf\x71\x3f\x3c\x9c\x88\x25\x83\x81\x4c\x2e\xca\x81\x51\xd2\x71\x71\x95\x92\xd5\xc1\xfc\x62\x66\xa2\x76\xa3\xe8\xd3\x88\x27\xb2\x90\xe1\x04\x46\x06\x99\x2d\x13\x42\x36\xa1\xae\x87\xf9\x33\x8b\x77\x41\xf2\xe8\xa7\x46\xeb\x0f\x60\x77\x62\xed\x4e\x18\x92\x3d\xba\xcf\xea\x14\x7a\xd5\x7e\xff\x61\x71\x67\xd0\xf5\x4d\xaa\xc4\x54\x37\xc5\xe6\x1b\x45\x93\x7e\x8a\xa5\xe7\xce\xef\x4c\xa2\x25\x4b\x97\x01\xa2\x2f\x57\x7f\xb6\x27\xe8\xe1\xc1\xc7\x04\x01\xae\x81\x1b\x9a\x53\xf4\xc1\x6a\x79\x43\xe3\xd8\x1b\xa3\xd9\x20\x9c\xbd\xfb\x20\x8b\x04\xce\x15\x8e\x7b\xa8\xee\x77\xb0\xb7\x5f\x52\x08\x68\x6d\xf7\x87\x12\xd2\x8f\x70\x03\x61\x15\x91\x00\x36\x9b\x63\x33\x84\xdd\xff\x44\x02\xc0\xab\x0e\x2e\xc0\xaa\x87\x18\x6a\x65\xd3\x48\x4d\x29\x21\xd6\x25\x3f\xd1\xfb\xf4\x6b\x63\xba\x72\xeb\x79\x5c\xc0\x25\x69\x0f\x1f\x48\xdb\xe3\x08\xf9\x78\xe2\xfd\x55\x13\xe2\xdd\xc0\xb0\x66\x19\x4f\xd5\x8d\x3e\xaa\x49\x69\x0b\xd7\xe7\x86\x38\x85\xeb\x5e\x2a\xc6\x87\x0d\xe8\x35\x92\x67\x5f\x74\xcf\x89\x89\xe1\x8e\x68\xf1\xb6\x06\x78\x27\x0c\xa6\xb9\xc0\xda\xf4\x44\x27\x8a\x7d\xc8\x2a\x9
7\x80\x73\x0a\xa0\x3b\xe5\x68\x13\xe8\x1d\x6f\x29\x6c\x6f\x87\xd0\x09\x96\x18\xaf\x9f\x7e\x99\x16\x49\xec\x36\x49\x72\xd4\xc8\xfb\x66\x96\x70\xec\x92\x96\xce\x17\x38\x38\xb9\xc9\x2b\xaf\x6b\xf8\x83\xc1\x34\xd2\xc1\xcb\xcd\x92\x8b\x54\x99\x1d\x4c\x00\xf4\xaa\x72\x70\xbf\x3b\xef\xeb\x10\x8e\x98\x62\xf3\x46\x88\xcc\x2d\xb3\xb7\x94\x37\x77\x67\x12\x79\xa1\x7f\x9c\x64\xc4\x0b\xd8\x48\x5e\xf5\x2e\xb9\x64\x31\x4c\x65\xaa\x34\x59\x6f\x16\xb8\x0f\x9e\xf7\x81\xc4\xe8\xee\xb0\xac\xd2\x89\x38\x6c\x1a\xe5\x06\xae\x5b\xd2\xb2\x0b\x76\x0c\xe0\xc7\x9b\x56\xb1\x34\xe2\x2f\x57\xc4\x4a\xba\xe2\xf4\xec\xad\x82\xef\xe4\x02\xa4\x3a\x47\x59\x45\x77\xa2\x4b\x79\xa9\x4c\x6f\x7a\x5e\xda\xab\xeb\x48\xfc\x5e\xc2\x7a\xec\xd8\x23\x80\xd0\xe9\x40\xa0\x33\xe8\x7a\x44\x74\xb9\x5d\x58\xa5\xfe\xc5\x9d\x80\xb0\x91\xe9\x16\x5a\x14\x32\x5b\x38\xc5\xe4\x56\x5c\x3f\x0f\x12\x6f\x8b\x2a\xdf\x83\x26\x8e\x00\x76\x64\x7d\xdd\x43\xff\x2d\x52\xd7\x73\xab\x30\x40\x88\x45\x8f\xac\x4f\xb9\x37\x9e\x20\x96\x85\x60\xa0\x75\x17\xd6\xe0\x00\x1d\x2a\x08\xc3\xc6\xc9\x78\x25\xe1\x22\x59\xea\x86\x1b\x0a\xd5\x64\x94\x50\xdf\xfb\x3a\xfa\xe4\x9c\xd3\x1e\xfb\x40\x51\x3c\x06\xb7\x95\xe0\x71\x60\x3a\x47\xd3\xc8\x39\xc4\x01\xec\xc3\x8b\x11\x7d\xf9\x38\x83\x6a\x15\xb3\x1a\x13\x5b\x58\x89\x2d\xb9\xb4\xeb\xf6\x84\xdb\x3f\x7e\xce\x8a\x9d\x60\xbc\x8c\x81\x0e\xba\x0c\xa0\xd8\x75\x83\x57\x37\xd2\x5b\x94\x8b\x39\x28\x60\xaa\x82\xcd\xd5\xff\x7c\x6b\x0b\x4d\x7a\xe1\x82\x16\x89\x49\xd9\x84\x0e\x33\x54\x5d\x61\x27\x72\x7a\xbe\x02\xdd\x01\x41\x8c\xe4\xdd\x46\xaf\x7b\x5f\x08\x44\xcb\x51\xd4\x99\x2f\x4c\xe1\x22\x3c\x23\x13\x7c\x21\x13\x61\xd0\x15\x0e\xd2\x35\xa0\x59\x8f\x9e\x1d\x81\x6a\x40\xc6\xae\xb8\xad\x56\x26\xbc\x22\xb2\xe9\x39\x57\x47\x44\x1c\xc7\x8a\x55\x8d\xed\xc4\x02\x47\x32\x48\x98\x99\x12\xa0\xaa\x71\xac\x8d\x77\x54\xde\x78\xa1\xd5\xb9\xe5\x48\xd4\xeb\xef\x22\x4e\x82\xcd\x39\x35\x24\xd7\x9b\x88\xd6\xe0\x40\x5a\xd0\x2d\xa7\x11\x7b\xa0\x37\x29\x4e\x53\x5f\xff\x4b\xb7\xbf\xca\xce\xde\x33\x48\xf0\x1d\x16\x13\x48\xf4\xee\xe1\xa5\x15\xbe\x5
3\x0e\x0f\x0e\x64\xc5\x65\x44\xd4\xae\x10\x64\x45\xcc\xe1\x41\x0c\x79\x0b\xdb\xeb\x1e\x2d\x29\x3e\x01\x2e\x02\x97\xc4\x6c\x91\x45\xdc\xcb\xd6\xff\x77\xcb\xfa\xcd\xa4\x6f\x27\xd7\x1d\x02\xde\x14\xb6\x1c\x50\x53\x33\x19\xc6\x68\xfc\xfa\xc0\x36\xc7\x86\x7d\x12\xa3\xd0\xd8\xd4\x49\xc4\x96\x69\x58\x63\x49\xf2\x23\x9c\x4f\xa5\xc2\xb8\xfd\xfc\x42\x3e\xcd\x85\xed\xcc\xf6\x85\x47\xb1\xa9\x06\x76\x4c\x5c\x03\xff\x33\x2b\x56\x3e\xae\xee\xb8\x45\x65\x35\xc6\x1e\x91\x73\x92\xa0\x3d\xfe\x6b\xeb\xf3\xdc\x57\x10\xf9\x32\xb5\x07\xe3\xf0\xcd\xfb\x6a\x9d\xd0\x35\xf0\x6d\xe0\x55\x72\xca\x94\xd8\x5b\xfb\x15\x7e\x68\x44\x8a\xb8\xb0\xc4\xd5\x96\xce\x02\x0d\xad\xef\xce\xae\x68\x15\x3e\x5f\x62\xc5\xc0\x81\x43\xf5\xdb\x49\x7a\xaf\xab\x19\xcd\x33\x0c\x37\x84\xdb\x0a\xde\x50\x5a\x29\x51\x4b\xd1\xe8\xc3\xb9\x2c\x4f\x61\x65\x36\x22\xf8\x75\xec\xac\xc9\xe6\x77\x4a\xde\xca\x1c\xa4\x2f\x63\x7c\x70\x22\x99\xa2\xd3\xf8\x81\xbe\x79\x5b\xba\x9d\xb3\x40\xe4\x80\xaa\x4e\x94\x4d\xec\x20\x21\x6b\x83\x58\x45\x5d\xcf\x8e\xed\x99\x0e\x41\xf3\x37\x64\x42\xb9\xb3\xe0\xd8\x82\x38\x77\x5b\x8b\xea\x3f\x68\x8a\xf1\x85\x39\xb2\xe8\xba\xfa\xac\xc1\xc4\x06\x4e\x9a\xe8\x87\xc6\x9d\xca\x82\xac\xad\xf3\x55\x30\x92\xe7\x87\x97\xa6\x2c\xc8\x34\x44\x1c\x22\x2f\xf2\x26\xea\x32\xd2\x03\xc0\xb1\xfa\xcc\x67\xe6\x30\x71\x6a\x3f\x96\xa0\x77\xe2\x34\x8f\x2b\xe6\xd9\x3e\xc0\x63\x1a\x5e\xf1\xbe\xd4\x10\x61\x19\xd9\x70\xe6\x22\x8f\x01\x69\x89\xa8\xfd\xf0\x1b\xda\x8e\xdd\xfd\x60\x68\xd6\x49\xb3\x95\x6e\xab\x29\xd3\x03\xf1\xfc\x68\x67\xd8\x63\xc8\x7c\x35\x39\xe8\xe9\x9c\xe2\x39\x53\xc2\x5e\xe2\xb0\x98\x57\xd2\xdf\xdd\x4c\x2d\x24\x2b\xd8\x33\xf6\xb7\xf4\xa6\x7c\xde\x78\x63\xd6\x53\xa0\x05\x21\xfa\x68\xce\x23\x1d\x06\x15\xb0\x01\x75\xec\x1f\xca\x37\x7e\x4e\x72\xf7\x8a\x8f\x8f\xbc\xa9\xda\x4f\x40\x8b\xc1\xb7\x99\x97\x1c\x16\xce\x2e\x04\xaa\x24\x32\x79\xef\xcd\xb0\x78\x43\xd2\x55\xeb\x60\x67\xe3\x73\x2b\xcf\xdf\x1c\x17\x17\x8d\x77\xd3\xdf\xf4\x24\xd6\x77\x2e\x39\xae\xc3\xbe\xf9\x59\x2a\x25\xe9\xfb\xb5\x51\x09\x52\xe5\x83\xf5\x34\xa4\xd1\xf
5\x7c\xce\xfe\x84\x55\xf3\x53\xdf\xee\xee\xdc\x8b\x3e\xa3\xd6\xc4\x1f\xf4\x16\x7d\xe5\x14\x55\x30\xf3\xdd\x70\xbc\x89\xfd\xcf\xa8\x63\xd8\xc5\x65\x20\x8d\x32\x72\xb0\x23\x8b\x97\xd9\x5c\x5a\x67\x87\x24\x15\xa2\x7e\xf0\x6f\xa2\x6c\x0f\x72\xb5\x71\xcf\xfb\x76\x23\x69\xc8\x0b\x5f\x33\x2f\x03\xa9\x75\x9f\xec\x50\xd6\x04\xa1\x8a\x69\xfb\x52\x13\x11\xfa\x17\x1e\xa6\xfa\x40\x48\x73\xde\x91\x95\xf8\x47\xd8\x1f\xd4\xba\xe3\xd5\x21\x6d\x6c\x00\xcc\x38\xd5\xc7\x5d\xad\x1e\xf6\x86\xd5\xce\x4a\xcb\xb4\x77\xfb\xf6\xc5\xad\x0b\x26\x9e\x69\x05\x4b\x4a\x59\xdb\x3c\x6e\xb0\xce\xc7\xfb\xdf\x32\xd3\x30\x6c\xeb\x5d\x10\x06\xeb\x7b\xf6\xf0\x70\x12\xb1\x16\xc9\x5f\xbf\xcf\xd9\x9e\x82\xf5\xab\xa8\xeb\xd7\xc7\x90\xc9\xf0\x40\x75\xe2\xbb\x39\x9d\x92\x29\xbe\x4a\x0e\x90\xdc\x1b\x03\x58\xee\xcf\xfa\xda\xeb\xc0\xbd\xc6\xff\x1c\xfd\x00\xdc\xeb\xc0\xa9\x0d\x7b\x96\xc9\x6f\xa5\x52\xdc\x82\x4b\x94\x4d\x95\x1d\xb7\xd2\xb6\xee\x39\x9b\x6c\x1f\x29\x65\xe5\x93\x1c\xea\x56\x1b\x9d\xda\x86\xb5\xe7\xc3\x67\x41\xc0\x4a\x97\xa0\x0b\x06\x95\xa9\xd8\x3d\x62\x9e\xb5\xde\x99\xbf\x8a\xe8\xd7\x55\xf3\x31\xe4\x02\x53\x39\x0a\xbb\x2e\x60\x49\x16\x74\x96\xd5\xca\x37\x56\x3b\xea\xbd\xa4\xf8\x2b\x2c\x9a\x58\xef\xf2\xa5\x8a\x1d\x2f\xbc\x8d\x72\xc1\x88\xd4\xb3\x39\x2b\x9b\x42\x86\xa8\x5f\x5d\xed\x71\x0f\x24\x3b\x24\x83\x2c\x54\x79\x1e\xee\x12\x09\x44\x3f\x07\xf3\x74\xea\x2a\xb6\x14\xd6\xa9\xac\x8b\x09\x81\xc3\x50\x96\x96\xc0\x58\xd3\x2f\x4a\xff\x5a\xf8\xe9\xeb\x22\x53\xed\x4f\x83\xe8\xb4\xf3\x29\x4b\x61\xc9\x0d\x54\xd3\xc3\x5f\x3d\x44\xd5\x5a\x5a\x1f\x55\xba\xc7\xe5\x97\x8b\x63\xfb\xb9\xdf\x0e\x9c\x6b\x15\x4d\x61\x24\xef\x4c\xf6\x3f\xf3\xae\x36\x10\x32\x14\x7f\x9e\xf7\x5f\x9e\xa2\xf4\xb2\x2e\xb1\x36\x93\xe2\x67\xb7\xc4\xf6\x36\x5d\xe5\x36\x86\x11\x8a\x93\x4a\x59\x8b\xa5\xa8\x17\x5e\xe5\x0f\x09\x9a\xa9\xac\xd7\xf2\xe2\xc9\xb0\x5b\x04\x4b\x3b\x06\x1b\xd1\xbb\x3b\x29\x6b\x6b\xf9\x00\xb8\x56\xa6\x44\x8d\x81\x2e\x68\xef\xd3\x1f\xef\xfd\x44\x52\x99\x0c\xd5\xf7\xcc\x02\x58\x8e\xef\xbe\xbb\x9f\x56\xab\x77\xcd\x50\x29\x89\xcd\x1
6\xe8\x9a\x44\x55\x3e\x19\x89\xd4\xdf\xfd\x97\x7b\x53\xea\x8b\x3b\x63\x6d\x62\xbb\xb2\x65\xc4\x28\x0c\xab\x59\xda\xb2\x4f\xbe\x7f\x16\x18\x0d\xfd\xdf\x62\xe4\x82\xed\x8e\xdc\xa2\x7a\x96\x7c\xe5\xfa\xe0\x32\x8b\x64\x03\xce\xe1\x7a\x6d\x63\xac\x71\xa8\xa4\x6f\x6c\xad\xdb\x53\x0c\x6d\x90\x5a\x8b\x6c\x8e\xd8\x9f\x62\x2a\x0c\x0a\x90\x67\x5c\x1f\x8d\x97\x9b\x34\xcd\x1e\x95\x4f\xa9\x15\x4f", 4096); break; case 11: memcpy((void*)0x20001000, "\xc4\x62\x39\x37\x47\x7e\x66\x0f\xe3\x0c\xa4\xf3\x3e\x45\x09\x17\xc4\x61\x78\xae\x91\x72\x98\x00\x00\xc4\x63\xe1\x22\xd6\x96\xc4\x03\x7d\x7b\x05\x0f\x00\x00\x00\x00\xc4\x63\x39\x5f\x47\x3f\xad\xc4\x03\x55\x5d\x3c\x56\x00\xc4\xe2\xb5\x96\xf0\xc4\x21\xfd\x5b\xfb", 65); syz_execute_func(0x20001000); break; case 12: break; case 13: memcpy((void*)0x200010c0, "\x5d\x8d\x97\xaf\xe9\x58\xa6\xb4\x6b\x8f\xef\xfe\x29\xf0\x51\x64\xa8\xee\xd8\xf0\x35\xa6\xc4\xd8\xf6\x97\x21\x06\xc0\xf6\xa0\x43\x0f\x03\x47\xa9\xad\x29\xa9\x40\xd3\xde\x0d\x19\xdd\x63\xc0\x6d\xad\x37\xea\x1e\x10\x5f\xec\x8b\x4d\xbd\xb4\xd7\xf9\x51\x64\xff\x31\x3f\x19\x9a\xaa\x43\x10\x8e\x96\x13\xc1\xe6\x29\x58\xe7\x76\x28\x47\x15\x8e\x87\x26\x92\x4d\xcb\xda\xff\xfd\x2a\x94\x2c\x44\x0d\x0a\x80\x34\x04\x87\xaf\x0e\xb9", 105); memcpy((void*)0x20001140, "\xe2\xf9\x19\x3e\xea\x7f\xea\x62\xb3\x74\xa3\x15\x14\x75\xbf\x3b\xe9\x82\x5d\xbe\x21\xd3\x90\x7a\x6b\xaf\x2f\xcd\xf0\xe6\xdd\x64\xfa\x7c\xcc\xe3\x73\x4b\xa6\x62\x73\xba\x0d\xb7\xe7\x9d\x31\x4b\x54\xd1\x01\x58\xb7\xd4\xa6\x7b\x5e\x26\x4c\xd1\xfe\x32\xc6\xba\xb3\xd0\x3f\xaa\x5b\xd6\x7a\x46\x09\xb4\x8a\x17\xeb\x03\x86\x53\x8a\xfe\x3d\x83\xa4\xf1\x95\x97\x90\x97\x73\xc9\x47\x4f\x1f\x66\x85\xe5\x91\x57\xf5\xc7\x6c\x2d\xe0\x65\xf5\x09\xb7\xa7\xcf\x8e\x62\x9c\xca\x55\x3d\xcb\x44\x45\xa3\x72\x88\x31\x99\xbe\x74\x66\x34\xe8\x57\x26\x6c\x27\x58\xf8\xd5\x8d\xd0\xde\xa4\x57\x79\x02\x04\xfc\x26\xe2\x69\x27\xd5\xbb\xff\x20\xa9\x9a\xed\x0a\x95\xd8\x50\xec\x32\x21\xf4\xf1\xd8\xf1\x3a\x8f\x00\xbe\x13\x51\x9e\xf8\x98\xd3\x9d\x28\x56\x8b\xb7\x89\x4c\x39", 
186); res = syz_usb_connect(0x721, 0x69, 0x200010c0, 0x20001140); if (res != -1) r[5] = res; break; case 14: syz_usb_disconnect(r[5]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'syz_usb_connect_impl': :599:63: error: unknown type name 'usb_ctrlrequest' :604:55: error: unknown type name 'usb_ctrlrequest' compiler invocation: /syzkaller/netbsd/src/../tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor038190380 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/netbsd/src/../dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/4 (1.42s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:10 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = fcntl$dupfd(0xffffffffffffff9c, 0xc, 0xffffffffffffff9c) r1 = dup2(0xffffffffffffffff, r0) pwrite(r1, &(0x7f0000000000)="5d1dd436f0f5a32b117d0f61dc010511e7e3c7f92e33630dfc7a02f9f4df14c215d8716f98892cba0ddcbbd6b2683f5e028152ebbe2d26a7e4c45673b55cf76e7795dd124f82947e0244eb08cfb0b5da0c829b1580ac64473f069f9928c1043bdeaa541829f4ef60f80ea0b9b912a974a5e98ea75423d1126815de1319a78c8127c017f8cbe86d", 0x87, 0x6) getsockname$unix(r0, &(0x7f00000000c0)=@abs, &(0x7f0000000100)=0x8) accept$inet6(r1, &(0x7f0000000140), &(0x7f0000000180)=0xc) socketpair(0x18, 0x844590f3b4efa023, 0x7f, &(0x7f00000001c0)) r2 = accept(0xffffffffffffff9c, &(0x7f0000000200)=@un=@abs, &(0x7f0000000240)=0x8) r3 = getpgrp() stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 0xffff, 0x11, &(0x7f00000003c0)={r3, r4}, 0xc) syz_emit_ethernet(0x1000, 
&(0x7f0000000000)="") syz_execute_func(&(0x7f0000001000)="c4623937477e660fe30ca4f33e450917c46178ae9172980000c463e122d696c4037d7b050f00000000c463395f473fadc403555d3c5600c4e2b596f0c421fd5bfb") syz_extract_tcp_res(&(0x7f0000001080), 0x5, 0x6fb) r5 = syz_usb_connect(0x721, 0x69, &(0x7f00000010c0)="5d8d97afe958a6b46b8feffe29f05164a8eed8f035a6c4d8f6972106c0f6a0430f0347a9ad29a940d3de0d19dd63c06dad37ea1e105fec8b4dbdb4d7f95164ff313f199aaa43108e9613c1e62958e7762847158e8726924dcbdafffd2a942c440d0a80340487af0eb9", &(0x7f0000001140)="e2f9193eea7fea62b374a3151475bf3be9825dbe21d3907a6baf2fcdf0e6dd64fa7ccce3734ba66273ba0db7e79d314b54d10158b7d4a67b5e264cd1fe32c6bab3d03faa5bd67a4609b48a17eb0386538afe3d83a4f19597909773c9474f1f6685e59157f5c76c2de065f509b7a7cf8e629cca553dcb4445a372883199be746634e857266c2758f8d58dd0dea457790204fc26e26927d5bbff20a99aed0a95d850ec3221f4f1d8f13a8f00be13519ef898d39d28568bb7894c39") syz_usb_disconnect(r5) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; dp = opendir(dir); if (dp == NULL) exit(1); while ((ep = 
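readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); }
/* The line above is the unchanged tail of remove_dir(), which opens before this span. */

/*
 * Start a thread running fn(arg) with a 128 KiB stack.
 *
 * Creation is retried up to 100 times, sleeping 50 us between attempts, but
 * only while the failure is EAGAIN. Any other failure, or running out of
 * retries, terminates the process with exit(1).
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  for (int attempt = 0; attempt < 100; attempt++) {
    /*
     * pthread_create() reports failure through its return value; POSIX does
     * not require it to set errno, so the result is tested directly.
     */
    int err = pthread_create(&th, &attr, fn, arg);
    if (err == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (err != EAGAIN)
      break;
    usleep(50);
  }
  exit(1);
}

/* One-shot event: a flag guarded by a mutex, with a condition variable for waiters. */
typedef struct {
  pthread_mutex_t mu;
  pthread_cond_t cv;
  int state; /* 0 = not set, 1 = set */
} event_t;

/* Initialise the mutex and condition variable with default attributes; exit(1) on failure. */
static void event_init(event_t* ev)
{
  if (pthread_mutex_init(&ev->mu, 0))
    exit(1);
  if (pthread_cond_init(&ev->cv, 0))
    exit(1);
  ev->state = 0;
}

/* Clear the flag. Note that this store is made without taking ev->mu. */
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

/* Set the flag and wake all waiters; setting an already-set event is fatal (exit(1)). */
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  if (ev->state)
    exit(1);
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  pthread_cond_broadcast(&ev->cv);
}

/* Block until the flag is set. */
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  while (!ev->state)
    pthread_cond_wait(&ev->cv, &ev->mu);
  pthread_mutex_unlock(&ev->mu);
}

/* Return the current flag value, read under the mutex. */
static int event_isset(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

/*
 * Wait for the flag for at most `timeout` milliseconds.
 *
 * Returns the flag value at the moment of return (non-zero if the event was
 * set, 0 on timeout). Elapsed time is measured with current_time_ms().
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    uint64_t remain = timeout - (now - start);
    /*
     * pthread_cond_timedwait() takes an ABSOLUTE deadline. The condition
     * variable is created with default attributes in event_init(), so the
     * deadline is on CLOCK_REALTIME. Passing the remaining interval itself
     * (a time shortly after the epoch) makes every wait time out at once and
     * turns this loop into a busy spin, so the deadline is built from "now".
     */
    struct timespec deadline;
    if (clock_gettime(CLOCK_REALTIME, &deadline))
      exit(1);
    deadline.tv_sec += remain / 1000;
    deadline.tv_nsec += (remain % 1000) * 1000 * 1000;
    if (deadline.tv_nsec >= 1000000000L) {
      deadline.tv_sec += 1;
      deadline.tv_nsec -= 1000000000L;
    }
    pthread_cond_timedwait(&ev->cv, &ev->mu, &deadline);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

/*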
-------------------------------------------------------------------------- */

/*
 * Redefinitions to match the linux types used in common_usb.h.
 *
 * Every descriptor struct is declared packed, so it has no padding between
 * members. parse_usb_descriptor() and lookup_connect_response_in() overlay
 * these structs directly on caller-supplied byte buffers.
 */

/* Endpoint descriptor; copied by value into usb_endpoint_index.desc. */
struct usb_endpoint_descriptor {
  uint8_t bLength;
  uint8_t bDescriptorType;
  uint8_t bEndpointAddress;
  uint8_t bmAttributes;
  uint16_t wMaxPacketSize;
  uint8_t bInterval;
  uint8_t bRefresh;
  uint8_t bSynchAddress;
} __attribute__((packed));

/* Device descriptor; parse_usb_descriptor() points this at offset 0 of the buffer. */
struct usb_device_descriptor {
  uint8_t bLength;
  uint8_t bDescriptorType;
  uint16_t bcdUSB;
  uint8_t bDeviceClass;
  uint8_t bDeviceSubClass;
  uint8_t bDeviceProtocol;
  uint8_t bMaxPacketSize0;
  uint16_t idVendor;
  uint16_t idProduct;
  uint16_t bcdDevice;
  uint8_t iManufacturer;
  uint8_t iProduct;
  uint8_t iSerialNumber;
  uint8_t bNumConfigurations;
} __attribute__((packed));

/* Configuration descriptor; expected immediately after the device descriptor. */
struct usb_config_descriptor {
  uint8_t bLength;
  uint8_t bDescriptorType;
  uint16_t wTotalLength;
  uint8_t bNumInterfaces;
  uint8_t bConfigurationValue;
  uint8_t iConfiguration;
  uint8_t bmAttributes;
  uint8_t bMaxPower;
} __attribute__((packed));

/* Interface descriptor; located by scanning for USB_DT_INTERFACE entries. */
struct usb_interface_descriptor {
  uint8_t bLength;
  uint8_t bDescriptorType;
  uint8_t bInterfaceNumber;
  uint8_t bAlternateSetting;
  uint8_t bNumEndpoints;
  uint8_t bInterfaceClass;
  uint8_t bInterfaceSubClass;
  uint8_t bInterfaceProtocol;
  uint8_t iInterface;
} __attribute__((packed));

/*
 * Control request header. This is a struct tag only (there is no typedef), so
 * C code must spell it `struct usb_ctrlrequest`.
 */
struct usb_ctrlrequest {
  uint8_t bRequestType;
  uint8_t bRequest;
  uint16_t wValue;
  uint16_t wIndex;
  uint16_t wLength;
} __attribute__((packed));

/* Device qualifier descriptor, returned for USB_DT_DEVICE_QUALIFIER requests. */
struct usb_qualifier_descriptor {
  uint8_t bLength;
  uint8_t bDescriptorType;
  uint16_t bcdUSB;
  uint8_t bDeviceClass;
  uint8_t bDeviceSubClass;
  uint8_t bDeviceProtocol;
  uint8_t bMaxPacketSize0;
  uint8_t bNumConfigurations;
  uint8_t bRESERVED;
} __attribute__((packed));

/* Request-type field of bRequestType (bits 5..6); compared after masking with USB_TYPE_MASK. */
#define USB_TYPE_MASK (0x03 << 5)
#define USB_TYPE_STANDARD (0x00 << 5)
#define USB_TYPE_CLASS (0x01 << 5)
#define USB_TYPE_VENDOR (0x02 << 5)
#define USB_TYPE_RESERVED (0x03 << 5)

/* Descriptor type codes; matched against a descriptor's second byte and against wValue >> 8. */
#define USB_DT_DEVICE 0x01
#define USB_DT_CONFIG 0x02
#define USB_DT_STRING 0x03
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT 0x05
#define USB_DT_DEVICE_QUALIFIER 0x06
#define USB_DT_OTHER_SPEED_CONFIG 0x07
#define USB_DT_INTERFACE_POWER 0x08
#define USB_DT_OTG 0x09
#define USB_DT_DEBUG 0x0a
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
#define USB_DT_SECURITY 0x0c
#define USB_DT_KEY 0x0d
#define USB_DT_ENCRYPTION_TYPE 0x0e
#define USB_DT_BOS 0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define USB_DT_WIRELESS_ENDPOINT_COMP 0x11
#define USB_DT_WIRE_ADAPTER 0x21
#define USB_DT_RPIPE 0x22
#define USB_DT_CS_RADIO_CONTROL 0x23
#define USB_DT_PIPE_USAGE 0x24
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31

/* bRequest codes. Several values are shared by more than one name (0x0E, 0x0F, and 20..24 = 0x14..0x18). */
#define USB_REQ_GET_STATUS 0x00
#define USB_REQ_CLEAR_FEATURE 0x01
#define USB_REQ_SET_FEATURE 0x03
#define USB_REQ_SET_ADDRESS 0x05
#define USB_REQ_GET_DESCRIPTOR 0x06
#define USB_REQ_SET_DESCRIPTOR 0x07
#define USB_REQ_GET_CONFIGURATION 0x08
#define USB_REQ_SET_CONFIGURATION 0x09
#define USB_REQ_GET_INTERFACE 0x0A
#define USB_REQ_SET_INTERFACE 0x0B
#define USB_REQ_SYNCH_FRAME 0x0C
#define USB_REQ_SET_SEL 0x30
#define USB_REQ_SET_ISOCH_DELAY 0x31
#define USB_REQ_SET_ENCRYPTION 0x0D
#define USB_REQ_GET_ENCRYPTION 0x0E
#define USB_REQ_RPIPE_ABORT 0x0E
#define USB_REQ_SET_HANDSHAKE 0x0F
#define USB_REQ_RPIPE_RESET 0x0F
#define USB_REQ_GET_HANDSHAKE 0x10
#define USB_REQ_SET_CONNECTION 0x11
#define USB_REQ_SET_SECURITY_DATA 0x12
#define USB_REQ_GET_SECURITY_DATA 0x13
#define USB_REQ_SET_WUSB_DATA 0x14
#define USB_REQ_LOOPBACK_DATA_WRITE 0x15
#define USB_REQ_LOOPBACK_DATA_READ 0x16
#define USB_REQ_SET_INTERFACE_DS 0x17
#define USB_REQ_GET_PARTNER_PDO 20
#define USB_REQ_GET_BATTERY_STATUS 21
#define USB_REQ_SET_PDO 22
#define USB_REQ_GET_VDM 23
#define USB_REQ_SEND_VDM 24

/* Capacity limits of the fixed-size index tables declared below. */
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

/* A copied endpoint descriptor plus a handle field (not assigned anywhere in the visible code). */
struct usb_endpoint_index {
  struct usb_endpoint_descriptor desc;
  int handle;
};

/* Opening of struct usb_iface_index; the definition is completed on the following line of the listing. */
struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct 
usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; };
/* The line above is the unchanged tail of struct usb_iface_index. */

/*
 * Parsed view of one device's descriptor blob. `dev`, `config` and each
 * ifaces[].iface point INTO the caller's buffer; only endpoint descriptors
 * are copied by value.
 */
struct usb_device_index {
  struct usb_device_descriptor* dev;
  struct usb_config_descriptor* config;
  uint8_t bDeviceClass;
  uint8_t bMaxPower;
  int config_length; /* bytes that follow the device descriptor */
  struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
  int ifaces_num;
  int iface_cur; /* initialised to -1 by parse_usb_descriptor() */
};

/* One emulated device: the fd it is keyed by and its parsed descriptors. */
struct usb_info {
  int fd;
  struct usb_device_index index;
};

/* Zero-initialised table of devices and the count of slots handed out so far. */
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

/*
 * Index the descriptor blob `buffer` of `length` bytes into `index`.
 *
 * The blob must hold at least a device descriptor followed by a config
 * descriptor, otherwise false is returned and `index` is left untouched.
 * The blob is then walked as a sequence of (bLength, bDescriptorType, ...)
 * records starting at offset 0. The walk stops at the first record whose
 * length is <= 2 or that would run past `length`. At most USB_MAX_IFACE_NUM
 * interfaces and USB_MAX_EP_NUM endpoints per interface are recorded; extras
 * are skipped.
 *
 * NOTE(review): a record only has to be 3 bytes long to be accepted, yet the
 * interface branch reads fields up to bInterfaceClass and the endpoint branch
 * copies a full struct usb_endpoint_descriptor. A short final record therefore
 * makes these reads extend past the end of the record; confirm that callers
 * always supply readable memory beyond `length`.
 */
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
  const size_t dev_size = sizeof(*index->dev);

  if (length < dev_size + sizeof(*index->config))
    return false;

  memset(index, 0, sizeof(*index));
  index->dev = (struct usb_device_descriptor*)buffer;
  index->config = (struct usb_config_descriptor*)(buffer + dev_size);
  index->bDeviceClass = index->dev->bDeviceClass;
  index->bMaxPower = index->config->bMaxPower;
  index->config_length = length - dev_size;
  index->iface_cur = -1;

  for (size_t pos = 0; pos + 1 < length;) {
    const char* rec = buffer + pos;
    uint8_t rec_len = rec[0];
    uint8_t rec_type = rec[1];

    if (rec_len <= 2 || pos + rec_len > length)
      break;

    if (rec_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
      struct usb_interface_descriptor* found = (struct usb_interface_descriptor*)rec;
      struct usb_iface_index* slot = &index->ifaces[index->ifaces_num];
      slot->iface = found;
      slot->bInterfaceNumber = found->bInterfaceNumber;
      slot->bAlternateSetting = found->bAlternateSetting;
      slot->bInterfaceClass = found->bInterfaceClass;
      index->ifaces_num++;
    }

    /* Endpoints attach to the most recently recorded interface. */
    if (rec_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
      struct usb_iface_index* owner = &index->ifaces[index->ifaces_num - 1];
      if (owner->eps_num < USB_MAX_EP_NUM) {
        memcpy(&owner->eps[owner->eps_num].desc, rec, sizeof(owner->eps[owner->eps_num].desc));
        owner->eps_num++;
      }
    }

    pos += rec_len;
  }
  return true;
}

static struct usb_device_index* 
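add_usb_index(int fd, const char* dev, size_t dev_len)
{
  /*
   * Register a device: take the next free slot of usb_devices[], parse the
   * descriptor blob into it and key it by fd. Returns the slot's index, or
   * NULL when all USB_MAX_FDS slots are used or the blob does not parse.
   * The slot counter is advanced even when NULL is returned.
   */
  int slot = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
  if (slot >= USB_MAX_FDS)
    return NULL;
  if (!parse_usb_descriptor(dev, dev_len, &usb_devices[slot].index))
    return NULL;
  /* fd is stored last with release ordering; lookup_usb_index() pairs it with an acquire load. */
  __atomic_store_n(&usb_devices[slot].fd, fd, __ATOMIC_RELEASE);
  return &usb_devices[slot].index;
}

/*
 * Find the index registered for fd, or NULL if there is none.
 * Unused slots hold fd 0 (static zero initialisation), so fd 0 matches them.
 */
static struct usb_device_index* lookup_usb_index(int fd)
{
  for (int i = 0; i < USB_MAX_FDS; i++) {
    if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
      return &usb_devices[i].index;
  }
  return NULL;
}

/* One caller-supplied string descriptor: length and pointer to its bytes. */
struct vusb_connect_string_descriptor {
  uint32_t len;
  char* str;
} __attribute__((packed));

/*
 * Caller-supplied replies for the connect handshake: optional qualifier and
 * BOS descriptors, followed by strs_len string descriptors.
 */
struct vusb_connect_descriptors {
  uint32_t qual_len;
  char* qual;
  uint32_t bos_len;
  char* bos;
  uint32_t strs_len;
  struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptors; byte 0 of each is its own length. */
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

/*
 * Choose the reply to a device-to-host (IN) control request.
 *
 * Only standard GET_DESCRIPTOR requests are answered. On success the function
 * returns true and sets *response_data / *response_length to the reply, which
 * points at the parsed device index, at caller-supplied descriptors in `descs`,
 * or at static storage. It returns false when fd has no registered index, when
 * the request is not one handled here, or when a BOS descriptor is requested
 * and `descs` is NULL.
 *
 * `descs` may be NULL. The string case always allowed for that; the BOS and
 * qualifier cases dereferenced it unconditionally and are guarded here too.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
                                       const struct usb_ctrlrequest* ctrl,
                                       char** response_data, uint32_t* response_length)
{
  /*
   * Storage for the synthesized qualifier descriptor. The previous code cast
   * `response_data` itself (a char**) to a descriptor pointer and wrote the
   * whole descriptor over the caller's pointer variable, which both overran
   * that variable and left *response_data pointing at descriptor bytes.
   * Static storage is shared between calls; the visible caller copies the
   * reply out before it handles the next request.
   */
  static struct usb_qualifier_descriptor default_qual;

  struct usb_device_index* index = lookup_usb_index(fd);
  if (!index)
    return false;
  if ((ctrl->bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD)
    return false;
  if (ctrl->bRequest != USB_REQ_GET_DESCRIPTOR)
    return false;

  /* The high byte of wValue selects the descriptor type, the low byte the string index. */
  switch (ctrl->wValue >> 8) {
  case USB_DT_DEVICE:
    *response_data = (char*)index->dev;
    *response_length = sizeof(*index->dev);
    return true;
  case USB_DT_CONFIG:
    *response_data = (char*)index->config;
    *response_length = index->config_length;
    return true;
  case USB_DT_STRING: {
    uint8_t str_idx = (uint8_t)ctrl->wValue;
    if (descs && str_idx < descs->strs_len) {
      *response_data = descs->strs[str_idx].str;
      *response_length = descs->strs[str_idx].len;
      return true;
    }
    if (str_idx == 0) {
      *response_data = (char*)&default_lang_id[0];
      *response_length = default_lang_id[0];
      return true;
    }
    *response_data = (char*)&default_string[0];
    *response_length = default_string[0];
    return true;
  }
  case USB_DT_BOS:
    if (!descs)
      return false; /* nothing to offer without a descriptor set */
    *response_data = descs->bos;
    *response_length = descs->bos_len;
    return true;
  case USB_DT_DEVICE_QUALIFIER:
    if (descs && descs->qual) {
      *response_data = descs->qual;
      *response_length = descs->qual_len;
      return true;
    }
    /* No qualifier supplied: derive one from the device descriptor. */
    default_qual.bLength = sizeof(default_qual);
    default_qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
    default_qual.bcdUSB = index->dev->bcdUSB;
    default_qual.bDeviceClass = index->dev->bDeviceClass;
    default_qual.bDeviceSubClass = index->dev->bDeviceSubClass;
    default_qual.bDeviceProtocol = index->dev->bDeviceProtocol;
    default_qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
    default_qual.bNumConfigurations = index->dev->bNumConfigurations;
    default_qual.bRESERVED = 0;
    *response_data = (char*)&default_qual;
    *response_length = sizeof(default_qual);
    return true;
  default:
    break;
  }
  return false;
}

/* Handler type for host-to-device (OUT) control requests; sets *done to end the handshake. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
                                              const struct usb_ctrlrequest* ctrl, bool* done);

/*
 * Default OUT handler: accepts only a standard SET_CONFIGURATION request, for
 * which it sets *done and returns true. Every other request returns false.
 */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
                                                const struct usb_ctrlrequest* ctrl, bool* done)
{
  bool is_standard = (ctrl->bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD;
  if (is_standard && ctrl->bRequest == USB_REQ_SET_CONFIGURATION) {
    *done = true;
    return true;
  }
  return false;
}

/* -------------------------------------------------------------------------- */

/* Open the vhci control device read/write; returns the fd or -1. */
static int vhci_open(void)
{
  return open("/dev/vhci", O_RDWR);
}

/* Select the port on the vhci fd via VHCI_IOC_SET_PORT; returns the ioctl result. */
static int vhci_setport(int fd, u_int port)
{
  struct vhci_ioc_set_port args;
  args.port = port;
  return ioctl(fd, VHCI_IOC_SET_PORT, &args);
}

/* Issue VHCI_IOC_USB_ATTACH on the vhci fd; returns the ioctl result. */
static int vhci_usb_attach(int fd)
{
  return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL);
}

/* Opening of vhci_usb_recv(), left unchanged; the function is completed on the following line of the listing. */
static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; ssize_t done; while (1) { done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; 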
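size -= done; ptr += done; } }
/* The line above is the unchanged tail of vhci_usb_recv(). */

/*
 * Write exactly `size` bytes from buf to fd, looping over short writes.
 * Returns 0 on success and -1 as soon as write() returns <= 0.
 */
static int vhci_usb_send(int fd, void* buf, size_t size)
{
  uint8_t* ptr = (uint8_t*)buf;
  for (;;) {
    ssize_t done = write(fd, ptr, size);
    if (done <= 0)
      return -1;
    if ((size_t)done == size)
      return 0;
    size -= done;
    ptr += done;
  }
}

/* -------------------------------------------------------------------------- */

/*
 * Attach an emulated USB device through /dev/vhci and answer the host's
 * control requests until the OUT handler reports completion.
 *
 * dev/dev_len   descriptor blob for the device; dev must not be NULL.
 * descs         optional caller-supplied descriptors (may be NULL).
 * lookup_connect_response_out  handler for host-to-device requests.
 *
 * Returns the open vhci fd on success and -1 on any failure. Once the fd has
 * been opened, every failure path closes it. `speed` is not used here.
 *
 * dev and descs are raw addresses taken from the test program (see
 * syz_usb_connect), so their contents are untrusted. Each reply is clamped to
 * the local 4096-byte buffer and to the request's wLength before it is copied.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev,
                                          const struct vusb_connect_descriptors* descs,
                                          lookup_connect_out_response_t lookup_connect_response_out)
{
  struct usb_device_index* index;
  int portnum, fd, rv;
  bool done;

  portnum = procid + 1;
  if (!dev)
    return -1;
  if (portnum != 1) {
    /* For now, we support only one proc. */
    return -1;
  }

  fd = vhci_open();
  if (fd < 0)
    return -1;

  index = add_usb_index(fd, dev, dev_len);
  if (!index)
    goto err;
  rv = vhci_setport(fd, portnum);
  if (rv != 0)
    goto err;
  rv = vhci_usb_attach(fd);
  if (rv != 0)
    goto err;

  done = false;
  while (!done) {
    vhci_request_t req;

    rv = vhci_usb_recv(fd, &req, sizeof(req));
    if (rv != 0)
      goto err;
    if (req.type != VHCI_REQ_CTRL)
      goto err;

    char* response_data = NULL;
    uint32_t response_length = 0;
    char data[4096];

    /*
     * usb_ctrlrequest is a struct tag, not a typedef, and this file is built
     * as C (`-x c`). The casts must therefore name `struct usb_ctrlrequest`;
     * without the keyword the compiler rejects them with "unknown type name".
     */
    if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
      if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl,
                                      &response_data, &response_length))
        goto err;
    } else {
      if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done))
        goto err;
      response_data = NULL;
      response_length = UGETW(req.u.ctrl.wLength);
    }

    if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
        req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
      /* TODO: possibly revisit */
    }

    /* Never copy more than the local buffer holds or than the host asked for. */
    if (response_length > sizeof(data))
      response_length = 0;
    if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length)
      response_length = UGETW(req.u.ctrl.wLength);

    if (response_data)
      memcpy(data, response_data, response_length);
    else
      memset(data, 0, response_length);

    if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
      /* IN: send a size header followed by the payload; empty replies send nothing. */
      if (response_length > 0) {
        vhci_response_t res;
        res.size = response_length;
        rv = vhci_usb_send(fd, &res, sizeof(res));
        if (rv == 0)
          rv = vhci_usb_send(fd, data, response_length);
      }
    } else {
      /* OUT: consume the data stage sent by the host. */
      rv = vhci_usb_recv(fd, data, response_length);
    }
    if (rv < 0)
      goto err;
  }

  sleep_ms(200);
  return fd;

err:
  close(fd);
  return -1;
}

/*
 * Pseudo-syscall entry point: a0 = speed, a1 = descriptor length,
 * a2 = address of the descriptor blob, a3 = address of the optional
 * vusb_connect_descriptors. Uses the generic OUT handler.
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  uint64_t speed = a0;
  uint64_t dev_len = a1;
  const char* dev = (const char*)a2;
  const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

  return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Close the fd returned by syz_usb_connect, wait 200 ms, and return close()'s result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
  int fd = a0;
  int rv = close(fd);
  sleep_ms(200);
  return rv;
}

/*
 * Start a new session and lower resource limits for the test process:
 * 8 MiB locked memory, 1 MiB file size, 1 MiB stack, no core dumps and
 * 256 open files. setrlimit() results are not checked; only a setsid()
 * failure is fatal.
 */
static void sandbox_common()
{
  if (setsid() == -1)
    exit(1);

  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

/* "none" sandbox: apply the common limits, then run the test loop in this process. */
static int do_sandbox_none(void)
{
  sandbox_common();
  loop();
  return 0;
}

/*
 * Call the address `text` as a void(void) function and return 0.
 * The bytes at that address come from the test program, so this runs
 * arbitrary machine code by design; run it only inside the isolated test
 * environment. The empty asm statement takes the constants 0..13 as register
 * inputs before the call (presumably to overwrite stale register contents;
 * the listing does not say so).
 */
static long syz_execute_func(volatile long text)
{
  volatile long p[8] = {0};
  (void)p;
  asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l),
               "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
  ((void (*)(void))(text))();
  return 0;
}

/* Worker thread slot: creation flag, the call number to run, and its handshake events. */
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running; /* number of calls currently in flight */

/* Opening of thr(), left unchanged; the function is completed on the following line of the listing. */
static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); 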
execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; }
/* The line above is the unchanged tail of thr(). */

/*
 * Run calls 0..14 of the program once. Each call is handed to the first
 * worker whose `done` event is set (workers are created lazily), and the
 * dispatcher waits a bounded time for it before moving on. Finally it waits
 * up to about 100 ms for calls that are still running.
 */
static void execute_one(void)
{
  const int nthreads = (int)(sizeof(threads) / sizeof(threads[0]));

  for (int call = 0; call < 15; call++) {
    for (int slot = 0; slot < nthreads; slot++) {
      struct thread_t* worker = &threads[slot];

      if (!worker->created) {
        worker->created = 1;
        event_init(&worker->ready);
        event_init(&worker->done);
        event_set(&worker->done); /* a fresh worker starts out idle */
        thread_start(thr, worker);
      }
      if (event_isset(&worker->done)) {
        /* Base wait of 45 ms; calls 13 and 14 (the USB connect/disconnect calls) get extra time. */
        uint64_t wait_ms = 45;
        if (call == 13)
          wait_ms += 3000;
        if (call == 14)
          wait_ms += 300;

        event_reset(&worker->done);
        worker->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        event_set(&worker->ready);
        event_timedwait(&worker->done, wait_ms);
        break;
      }
    }
  }

  int spins = 0;
  while (spins < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED)) {
    sleep_ms(1);
    spins++;
  }
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Run the program 10 times, each in a forked child with its own working
 * directory ./<iter>. A child that has not exited after 5 seconds is killed.
 * The directory is removed after every iteration. Failures of mkdir, fork or
 * chdir terminate the process with exit(1).
 */
static void loop(void)
{
  for (int iter = 0; iter < 10; iter++) {
    char cwdbuf[32];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);

    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      if (chdir(cwdbuf))
        exit(1);
      execute_one();
      exit(0);
    }

    int status = 0;
    uint64_t start = current_time_ms();
    /* Poll for the child once per millisecond until it exits or the 5 s budget runs out. */
    while (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) != pid) {
      sleep_ms(1);
      if (current_time_ms() - start >= 5 * 1000) {
        kill_and_wait(pid, &status);
        break;
      }
    }
    remove_dir(cwdbuf);
  }
}

/* Fallback syscall numbers, used only when the system headers do not define them. */
#ifndef SYS_accept
#define SYS_accept 30
#endif
#ifndef SYS_dup2
#define SYS_dup2 90
#endif
#ifndef SYS_fcntl
#define SYS_fcntl 92
#endif
#ifndef SYS_getpgrp
#define SYS_getpgrp 81
#endif
#ifndef SYS_getsockname
#define SYS_getsockname 32
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_pwrite
#define SYS_pwrite 174
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 105
#endif
#ifndef SYS_socketpair
#define SYS_socketpair 135
#endif
#ifndef SYS_stat
#define SYS_stat 439
#endif

/* Results of earlier calls (r0..r5 in the program text), preset to the program's default values. */
uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0x0, 0x0, 0xffffffffffffffff};

void execute_call(int call) { 
intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_fcntl, 0xffffff9c, 0xcul, 0xffffff9c); if (res != -1) r[0] = res; break; case 1: res = syscall(SYS_dup2, -1, r[0]); if (res != -1) r[1] = res; break; case 2: memcpy((void*)0x20000000, "\x5d\x1d\xd4\x36\xf0\xf5\xa3\x2b\x11\x7d\x0f\x61\xdc\x01\x05\x11\xe7\xe3\xc7\xf9\x2e\x33\x63\x0d\xfc\x7a\x02\xf9\xf4\xdf\x14\xc2\x15\xd8\x71\x6f\x98\x89\x2c\xba\x0d\xdc\xbb\xd6\xb2\x68\x3f\x5e\x02\x81\x52\xeb\xbe\x2d\x26\xa7\xe4\xc4\x56\x73\xb5\x5c\xf7\x6e\x77\x95\xdd\x12\x4f\x82\x94\x7e\x02\x44\xeb\x08\xcf\xb0\xb5\xda\x0c\x82\x9b\x15\x80\xac\x64\x47\x3f\x06\x9f\x99\x28\xc1\x04\x3b\xde\xaa\x54\x18\x29\xf4\xef\x60\xf8\x0e\xa0\xb9\xb9\x12\xa9\x74\xa5\xe9\x8e\xa7\x54\x23\xd1\x12\x68\x15\xde\x13\x19\xa7\x8c\x81\x27\xc0\x17\xf8\xcb\xe8\x6d", 135); syscall(SYS_pwrite, r[1], 0x20000000ul, 0x87ul, 6ul); break; case 3: *(uint32_t*)0x20000100 = 8; syscall(SYS_getsockname, r[0], 0x200000c0ul, 0x20000100ul); break; case 4: *(uint32_t*)0x20000180 = 0xc; syscall(SYS_accept, r[1], 0x20000140ul, 0x20000180ul); break; case 5: syscall(SYS_socketpair, 0x18ul, 0x844590f3b4efa023ul, 0x7f, 0x200001c0ul); break; case 6: *(uint32_t*)0x20000240 = 8; res = syscall(SYS_accept, 0xffffff9c, 0x20000200ul, 0x20000240ul); if (res != -1) r[2] = res; break; case 7: res = syscall(SYS_getpgrp); if (res != -1) r[3] = res; break; case 8: memcpy((void*)0x20000280, "./file0\000", 8); res = syscall(SYS_stat, 0x20000280ul, 0x200002c0ul); if (res != -1) r[4] = *(uint32_t*)0x200002dc; break; case 9: *(uint32_t*)0x200003c0 = r[3]; *(uint32_t*)0x200003c4 = r[4]; *(uint32_t*)0x200003c8 = 0; syscall(SYS_setsockopt, r[2], 0xffff, 0x11, 0x200003c0ul, 0xcul); break; case 10: memcpy((void*)0x20000000, 
"\xd2\x88\x11\xeb\x3e\xf8\x05\x7d\x4d\x7c\x72\x29\xab\x1e\x5a\x02\x15\x74\x40\xec\x59\x86\x63\x31\x4f\x52\x2e\x6a\x8f\x7e\x2b\x68\xcd\x21\x08\x34\xf1\x3e\x84\xf2\x57\xc3\x58\xe7\xe1\x97\x17\xa7\x93\x53\xa0\x60\x9a\xbf\x39\xfc\x23\xd2\x80\xe0\x31\xdb\xc3\x60\x48\xed\x67\xb3\x18\xa0\x55\x3a\x54\x1c\x84\x16\x7d\x1b\xf3\x90\x95\x1a\xbf\xd5\x37\x01\x57\xad\x02\x4b\xea\x03\x0e\x6c\x00\x3d\x2e\x50\xa9\x32\x90\x39\x93\x42\x94\x72\xcc\xa8\xbe\x88\x08\xca\x29\x15\x85\x8e\xd2\x59\x8c\x1e\x76\xf9\x8e\x66\x2b\x06\x78\xbd\xfd\x91\x86\x2b\x0a\xf8\x4e\x15\x85\xc3\x70\x9e\xeb\x1b\x8f\x06\x57\x03\xa7\x5c\x12\xe1\xfa\x87\xb7\x7d\x46\xd3\x74\xee\x21\x13\xbb\xbd\x6b\xde\xbb\x4c\xf0\x68\x7f\x79\xdb\x89\x5a\x8a\xc8\x1c\x3b\x28\x6c\x03\x42\x7e\x32\x11\xe7\x14\x20\xaf\xa9\xb5\xc9\x01\x3e\x63\x8e\xd9\x7d\xe9\x98\x3f\xb3\x34\x24\xfe\x11\xef\xd7\x82\x4c\xd6\x97\x92\x86\xd5\x9a\x5c\x79\x33\x8b\x6a\x9a\x2d\x15\xe7\x07\x91\xbd\xb5\x18\x6a\xa7\x4e\x17\x5a\x00\x49\xc1\xe3\x9d\xb5\x36\x37\x7a\x83\x54\x91\x5a\x8a\x15\x12\x5b\x8b\xe6\x2f\x01\xa9\x37\x40\xb2\x42\x8b\x18\x9e\xa4\x2e\x31\xb6\xce\x7a\xa3\x67\x6b\xf1\x46\x8b\x75\x1b\xf0\x6a\xac\xf1\x59\x04\xdb\x50\xc1\xbe\x9d\xf4\xcc\x9d\x41\x59\x9c\x57\xcf\xaf\x66\xb7\xe5\xee\x2d\x23\x72\x63\x0a\x7b\xf5\x38\xda\x78\x6d\xff\xf6\x05\x2e\x02\x55\x8a\x4d\x1c\xcf\x70\x99\xa8\xc5\x99\xc3\xc8\xb5\x15\xe8\x44\xf1\xe2\x3d\xe7\x3d\x80\x61\x27\x22\x82\x53\xa7\x05\x3b\x5e\x91\x51\x16\x85\x37\x0c\x98\x0f\xfa\x72\xe5\x55\x1f\xf0\x5f\xcb\xd9\x40\xd5\x14\xbe\xd2\x86\x0b\x87\x5b\x9a\x12\xb2\x6e\xdb\xb2\x92\xe0\xe8\xd8\xcb\xcd\x9d\xe3\xab\xa6\x8f\x7c\x14\x19\x24\x9f\xe4\x3a\x67\x54\xbf\x02\xa3\x6e\x0f\xd1\xf2\x7c\x48\xe9\xd1\x6c\x18\xed\x14\x84\xe5\x6c\xc5\xbc\x34\x83\x51\x93\x11\xe3\x37\x54\xaf\x2f\xc4\xd3\x7c\xfa\x1c\x6e\x5f\x0d\x38\xae\x96\xa6\x21\xc0\x4d\xb0\xfd\x7d\x79\x32\x97\xe4\x98\x1f\x90\x82\x93\x7b\x93\x22\xf4\x94\xbd\x98\xb2\xf4\x3d\x9b\x5c\x19\xff\x19\xec\x17\x7c\x63\x05\xb1\x88\x00\x44\x51\x11\x76\x3c\xda\xee\xc3\x51\x68\x93\x84\x78\x3a\xe7\xcf\xf9\xb1\x06\x6
3\x9e\xa6\x11\xfb\x72\xe8\x6d\x68\x5e\xa0\xf6\xb6\x5d\xc3\xb9\xa2\x43\x6c\x89\x25\x73\x82\xd1\x15\x16\xa2\xb0\x66\x37\xcf\xd9\x31\xe2\xca\x4e\x62\x53\x43\xd6\xb9\x65\x25\xc5\xbf\x7d\xcc\x43\x7f\x47\x4e\x1f\xf9\xf3\xdc\xc8\x57\x40\x44\x4a\x4c\x56\x9f\x50\x37\x9b\x98\x5f\x68\x43\xac\x29\xf0\x9a\x9f\x99\x81\x9a\xe2\x10\xdb\x22\xab\x19\x34\x09\x74\x95\x7f\x1f\xbe\xa4\x1c\x58\x51\xb2\xfa\x7a\x2f\xa8\x75\x81\xa7\xfb\x42\xdb\x8c\x24\xb4\xc6\xf8\x29\xbe\x59\x2c\xa0\xd0\xcf\x1a\x2f\xe6\x7d\xec\x53\x2c\xfa\x77\xf8\xf1\x95\x5d\xa3\x35\xa8\x4d\x5a\xef\x49\x05\xa9\xa2\x36\xc6\x07\x77\x4a\x0b\x4e\xf1\xd5\x0b\x55\xbd\x49\xaa\x87\x7c\x2b\x6b\x2e\x37\xa3\xe4\xa3\xb2\x4e\x95\xfa\x55\x7b\xa8\x9a\xaf\x42\x27\xb5\xbb\x0e\x64\x0b\x46\x98\xcd\x00\x4f\x87\x0c\x7d\xaa\x9e\xa4\x41\xfd\xbe\x8b\x30\x53\xdf\xfc\xe6\x46\xc0\xb0\x6d\xf3\x23\x25\x2c\xad\xa7\xf2\x4f\xcc\x21\x62\x4e\xdf\x49\x56\x7b\x26\x93\xfe\xc0\x69\x3d\x24\x3e\x06\x7b\x21\xe2\xbe\x29\x6c\x52\xbb\x2a\x38\x1f\x47\x94\xaa\x2e\x85\xdd\x5c\xb6\x67\x7e\x94\xb7\xe0\x03\xeb\xad\x24\x57\x37\x62\xa6\x40\x97\x3c\x07\x72\x99\x4d\xa2\x8c\x64\x90\xc1\xaf\x8f\x0f\x91\x75\x4e\x71\xc7\xf3\x26\xbd\x31\xdf\xc9\xc6\xfc\x20\x76\x7d\x71\x3a\x93\x31\x7b\xcb\xe0\xa3\xef\xc9\xc5\xa8\x57\x1b\x7b\x0a\x02\x97\x77\x41\xe8\xa8\x3c\xa8\x12\x96\x14\x5e\xc9\x55\xe1\xab\x98\x2c\x7f\x46\x62\x84\x56\x2b\x52\xde\x13\x55\x68\xa1\x42\xe6\x77\xc3\x43\xf5\xeb\xd3\x37\x55\xd0\xb9\x15\x65\x64\x6d\x7c\x36\x2e\x46\x64\x00\x7c\xae\x21\x67\xdb\x5d\x0a\x93\x3e\x12\x19\xd3\xd6\xa7\x38\x75\x76\xe5\x42\xf8\x16\xfa\x51\x6d\x44\xaf\xc3\xd9\x92\x29\xd4\xf5\x7f\xa8\x3b\x89\x48\xf8\x98\xb8\x52\x8d\xed\x2c\x53\x9b\x60\x33\x49\x1c\x6d\x78\x0c\xac\xb2\xbc\x3f\x52\xc2\x79\x4d\xe8\xdb\x39\x58\x12\xd4\xf7\xa4\x4b\x9c\x04\xd6\xfd\x3c\xa8\x6c\x68\x64\x7d\x3e\x47\x5d\xe5\x81\xed\xc3\x88\xdc\xde\x91\xb8\xb2\x4c\xd4\x2b\x91\xa1\x9e\x91\xb4\xb6\x37\xb4\x3b\x6f\xa4\xe1\x50\x44\x3e\xc7\xc0\x86\x95\xc4\x2b\xc6\xa9\x30\xb3\x08\x42\x04\x02\x3b\xfd\x15\xe1\xc0\x31\x2e\x46\xf4\x30\xe2\x6b\x0f\xcc\xa1\x5
2\x20\x9f\xc1\xc7\xf9\x91\xc1\x11\xbd\xcd\xa7\x2e\x19\x86\x26\x76\x6e\xaf\xc8\xcf\x54\x92\x18\x9d\x4c\xc9\xa8\xe2\xa8\xa9\xcb\x73\x89\x78\xec\xec\x37\x37\x6d\xc9\x9c\xa8\xd3\xef\xcf\xe7\x3d\xa5\x38\x96\x0e\xbf\x78\xf0\xa4\x36\x63\x76\xae\x5f\x1b\xb1\xf8\x11\xec\xce\xb6\x25\x10\x89\x78\x55\xe3\x06\x61\x04\x70\x1b\x94\xf6\x19\x13\xda\x46\x99\x31\x3c\xec\x63\xa8\x8a\x9b\xa4\x44\xa5\xfc\x01\xc0\x03\xbf\x9d\x6b\x25\x25\x04\xe4\x77\xf4\x0f\xb3\x3e\x59\x5f\x30\xac\x53\x8b\xc9\xee\xb2\x93\x72\xb7\xa9\xd1\xf6\xa2\xa9\xb0\x17\x7a\x17\x1e\x5f\x87\x9e\xab\x36\x3c\x76\x08\x61\x7c\x26\x19\x7d\xf1\xda\x9b\xaa\x02\x75\xe2\x3e\xd1\xb5\x92\xce\xbd\xcd\x6e\xf2\x2b\x36\xc4\xf2\x87\xdf\xe8\x49\xcf\x54\xea\xed\x55\x70\xff\xc4\x50\xcd\xe8\xb6\xee\x12\xef\xbc\x8d\xdf\xea\x6b\xf7\x82\xc2\x7e\x5a\x58\x16\xb6\xf0\x4f\xf5\xfe\x97\x7f\x05\xa5\xb1\x2a\x13\x64\xa6\x59\xcb\x6b\x11\xab\x7a\x16\x82\xe1\x09\x7e\x61\x87\xcd\x7c\xbb\xa8\x7e\xf4\xca\x8c\x2c\xaf\x28\x49\x99\x13\xd9\x8a\x9e\x9f\x2e\x11\xc5\x2f\x37\xfa\xf2\xcd\x20\x7b\xbe\x57\x34\xda\x0e\x91\xba\x5f\x8b\x48\xad\x59\xb1\x22\x67\x85\x50\xb2\x7f\xef\xe7\x1a\xf5\x3d\x6f\x93\x41\x04\x38\x73\x89\xb5\x93\x24\xcd\xbf\x44\x6e\xfe\x50\xdb\xd2\x3d\xb7\x41\x8e\xc6\x66\x6e\xd9\xfc\xaa\x6f\x70\xbe\xac\x9c\xa4\x2a\x90\xee\xc8\x56\x7b\xe2\x1f\xb4\x5f\x08\x86\x75\x57\x15\xf3\x17\x37\x35\x23\xdf\xeb\x84\x5a\xb7\x73\x33\xcf\x8d\xdf\x92\x62\x44\xa3\x8e\x02\x4d\xf5\xaf\x9e\xa0\x72\x53\xd0\x7a\x59\xdb\x51\x12\x3f\xd8\x11\xcc\xe2\xd2\x06\xea\xe6\x94\x3e\xc8\x75\x59\xeb\x0e\xb2\x8a\x94\xa6\x27\x83\x1e\x45\xb3\xa7\xd1\xf8\x9f\x7a\x49\xfb\xce\x7c\x5a\x6e\xd8\x1f\x4e\x68\xdd\x3c\xe2\x93\x46\xf7\xc1\x4e\x50\x64\x54\x8d\x57\xf1\x13\x63\x13\x9e\x5b\x66\x9a\x17\x44\xbd\x99\x89\x40\x08\x27\x97\x3e\x67\xe9\x4c\xb5\x55\xb0\x8c\xf0\x45\x65\xf3\x3d\xb1\x71\x96\xd1\x65\x18\xb4\xf4\xb0\x23\x05\x3e\x86\xa7\x27\x55\x21\xfa\x5b\x20\x99\x3d\xe7\xc2\xfa\x09\x79\x7d\x92\x4d\x59\x89\x3c\xaa\x98\xd9\x7b\x58\x62\x89\xda\x8c\x9c\xc3\x81\x0c\xfd\xe8\x5b\x31\xa4\xe3\x11\x8a\x5c\xc2\xfb\x6
3\xe4\x07\x3d\xc2\x24\xe5\x01\xb6\x37\xc6\x66\x74\xea\xd1\xe8\x4a\x7e\x3e\x3c\xe4\xad\xaf\x0c\x72\x3e\x38\xa4\x1d\xb5\x47\xe9\xcc\x33\x82\xec\xf9\xf6\xb6\xf9\x64\xc1\xf8\x1f\xe7\x53\x65\x59\x3c\x9a\x55\x15\x2e\xc7\xc0\x50\x67\x47\x4b\xd7\x1a\x93\x70\x00\x9f\xee\x6d\x87\xf3\xee\xf6\xc9\x36\x0a\x50\x29\x41\xe9\x37\x30\x45\x41\x61\xd0\xf0\x39\x1f\x7c\x5e\xbd\xe6\x22\xf0\x5c\x1d\x67\x36\x89\x44\x39\x0b\x68\x17\x8f\xef\xb8\x25\xad\xd8\x12\xf4\x96\x86\x70\x53\x74\x01\x70\x35\x31\x66\x7c\xd5\x15\x0f\x21\x1b\x9f\xcf\xec\xf4\xee\x5e\x08\x80\xf3\x74\x8b\x9e\x7a\x74\x5e\x80\x2a\xff\xac\xc6\xb4\xaa\x5b\x5d\x83\x75\x0f\xc1\xc4\x7d\x4a\xb6\x91\x70\x90\x1e\x7f\x5e\x44\x2b\xb9\x8a\x89\x18\x60\x54\xac\xf2\x07\xa3\xcf\x70\x17\x31\x56\xc5\x59\xfd\x72\x86\x0a\x7d\x26\x79\xa2\xff\xcb\x53\x30\x20\x41\x13\xdb\xac\x6b\x3c\x3b\x69\xaa\x4f\x75\xf2\x1c\xb2\x15\x4a\x4a\x6b\x31\xc0\x25\xd5\x2a\xc5\x49\x60\x48\x3c\xed\xf3\xf1\x1a\x1a\xdf\xfe\xf2\xf1\xfe\xc9\x4a\x55\x61\xd9\x18\x68\x00\x1c\x3d\x83\x95\xff\x45\x0b\x14\x00\x95\xd6\x53\x64\x75\x37\x9f\x38\x63\x4a\xcf\x9d\xed\xff\x61\xb1\x7f\x7c\x87\xf8\xc0\x56\x6b\xe6\x25\x0c\xf4\x39\xeb\xa3\x8c\x37\x65\x39\x3a\x9e\xd1\x01\x6d\x50\x2b\xa1\x3a\x8e\xf6\xde\x35\xba\x66\x9b\x10\xa0\x00\x82\x23\xd2\xe2\xf8\x8d\x35\xfe\x0a\x73\x23\x32\x4b\xfa\xbf\x25\xa7\xac\x01\x90\x45\x49\xa2\x59\xe6\xa8\xd3\xa4\x96\x4f\x19\x7e\x94\xb8\xf9\xb3\xa3\x16\x3f\x63\x49\xe3\xda\xc7\xe0\x17\x48\xf6\x74\x79\x5c\xc3\xbd\x5a\x9a\x3a\xb5\xf2\xc1\x30\x81\x16\x7d\xf3\x7e\x37\x9e\xeb\x2e\xcf\x9c\xdf\xa2\x37\x15\x95\xf3\x08\x31\x05\x1a\xb1\x57\xac\x75\xf9\xeb\xc4\x8b\x49\x95\x59\x7e\x20\x6c\x7b\xa2\x29\xab\x30\xec\xcf\xe6\x62\x4d\x88\x49\xea\xe4\x1d\x2d\xc7\xa4\xd7\x57\xa3\x73\xb1\xd8\x66\x95\xc4\x20\xcc\x04\xbf\x0d\xa6\x64\xa7\x56\xb4\x82\x24\x16\x3d\xe4\x41\x8b\x93\x23\x39\xd2\x99\x06\x13\x13\xa6\x34\xa4\xba\x08\x9b\x12\xf8\x5d\x4d\xa1\xd2\x7d\x51\xde\x93\x08\x31\x0e\xf6\xae\xb3\x56\x23\xd0\xa7\x72\xc5\xce\xdd\x2a\x65\x9f\xde\xf0\x92\xb4\xdf\x6a\x88\xd2\x96\x42\x00\xc2\x85\xe8\xc1\x6
e\x74\x89\xb8\x1e\x41\x59\xdb\x06\x2c\xe8\xa7\xd0\xda\xb6\x51\x80\x92\x11\xed\xf0\x58\x6f\x28\x9e\xf0\x3d\xee\x7b\xb9\xf4\x38\xc1\xa3\x52\xf6\x34\x2c\x66\x4b\xfd\x35\xd2\x38\x85\xb0\x9b\xd1\xda\x62\xbd\x65\xd0\xbc\x09\xa5\xeb\x5a\xe9\x5e\xa3\x10\x88\x14\x77\x81\xc3\x35\xea\x17\x77\x72\xa2\x28\x96\x19\x1a\x7d\x15\x70\x2b\x6b\x34\x37\xce\xd8\x86\xcc\x85\xbb\x26\x86\x5c\xe8\x28\xb9\xfe\x78\xa0\x7b\x46\x3d\xf7\x33\x2f\x67\x92\xb2\xfd\x86\xd1\x7b\x1e\x98\xa4\xcc\x77\x29\xb0\x58\xc5\x98\xc9\x61\xc6\x34\xb1\x5d\x09\x73\xca\xcd\xd9\x73\x5a\x0f\x77\x78\x6a\xe2\xb0\x76\x6b\x31\x94\xa1\x27\x34\x5d\xd8\xc1\x1f\x69\xfa\x4c\x44\xcc\x5b\x30\xe0\x1f\x6d\xc5\x61\x33\x0f\x63\x63\x29\xc9\x7e\xc0\x5a\xe8\x29\x1d\x9a\x26\xb6\x05\xf1\xb2\x77\xc9\x32\x21\x15\x62\x6e\x29\x75\xc7\x91\xc3\xef\x10\x95\x4c\xb8\xb4\x7c\xea\x6c\xf6\x97\xeb\x9d\xb3\xbe\xcb\x11\x14\xce\x63\x92\x19\x9e\x87\xba\xc0\x43\xed\x7a\x15\x83\xdc\x66\x0b\x36\xde\xb0\x22\x1a\x79\xed\x70\xbf\x71\x3f\x3c\x9c\x88\x25\x83\x81\x4c\x2e\xca\x81\x51\xd2\x71\x71\x95\x92\xd5\xc1\xfc\x62\x66\xa2\x76\xa3\xe8\xd3\x88\x27\xb2\x90\xe1\x04\x46\x06\x99\x2d\x13\x42\x36\xa1\xae\x87\xf9\x33\x8b\x77\x41\xf2\xe8\xa7\x46\xeb\x0f\x60\x77\x62\xed\x4e\x18\x92\x3d\xba\xcf\xea\x14\x7a\xd5\x7e\xff\x61\x71\x67\xd0\xf5\x4d\xaa\xc4\x54\x37\xc5\xe6\x1b\x45\x93\x7e\x8a\xa5\xe7\xce\xef\x4c\xa2\x25\x4b\x97\x01\xa2\x2f\x57\x7f\xb6\x27\xe8\xe1\xc1\xc7\x04\x01\xae\x81\x1b\x9a\x53\xf4\xc1\x6a\x79\x43\xe3\xd8\x1b\xa3\xd9\x20\x9c\xbd\xfb\x20\x8b\x04\xce\x15\x8e\x7b\xa8\xee\x77\xb0\xb7\x5f\x52\x08\x68\x6d\xf7\x87\x12\xd2\x8f\x70\x03\x61\x15\x91\x00\x36\x9b\x63\x33\x84\xdd\xff\x44\x02\xc0\xab\x0e\x2e\xc0\xaa\x87\x18\x6a\x65\xd3\x48\x4d\x29\x21\xd6\x25\x3f\xd1\xfb\xf4\x6b\x63\xba\x72\xeb\x79\x5c\xc0\x25\x69\x0f\x1f\x48\xdb\xe3\x08\xf9\x78\xe2\xfd\x55\x13\xe2\xdd\xc0\xb0\x66\x19\x4f\xd5\x8d\x3e\xaa\x49\x69\x0b\xd7\xe7\x86\x38\x85\xeb\x5e\x2a\xc6\x87\x0d\xe8\x35\x92\x67\x5f\x74\xcf\x89\x89\xe1\x8e\x68\xf1\xb6\x06\x78\x27\x0c\xa6\xb9\xc0\xda\xf4\x44\x27\x8a\x7d\xc8\x2a\x9
7\x80\x73\x0a\xa0\x3b\xe5\x68\x13\xe8\x1d\x6f\x29\x6c\x6f\x87\xd0\x09\x96\x18\xaf\x9f\x7e\x99\x16\x49\xec\x36\x49\x72\xd4\xc8\xfb\x66\x96\x70\xec\x92\x96\xce\x17\x38\x38\xb9\xc9\x2b\xaf\x6b\xf8\x83\xc1\x34\xd2\xc1\xcb\xcd\x92\x8b\x54\x99\x1d\x4c\x00\xf4\xaa\x72\x70\xbf\x3b\xef\xeb\x10\x8e\x98\x62\xf3\x46\x88\xcc\x2d\xb3\xb7\x94\x37\x77\x67\x12\x79\xa1\x7f\x9c\x64\xc4\x0b\xd8\x48\x5e\xf5\x2e\xb9\x64\x31\x4c\x65\xaa\x34\x59\x6f\x16\xb8\x0f\x9e\xf7\x81\xc4\xe8\xee\xb0\xac\xd2\x89\x38\x6c\x1a\xe5\x06\xae\x5b\xd2\xb2\x0b\x76\x0c\xe0\xc7\x9b\x56\xb1\x34\xe2\x2f\x57\xc4\x4a\xba\xe2\xf4\xec\xad\x82\xef\xe4\x02\xa4\x3a\x47\x59\x45\x77\xa2\x4b\x79\xa9\x4c\x6f\x7a\x5e\xda\xab\xeb\x48\xfc\x5e\xc2\x7a\xec\xd8\x23\x80\xd0\xe9\x40\xa0\x33\xe8\x7a\x44\x74\xb9\x5d\x58\xa5\xfe\xc5\x9d\x80\xb0\x91\xe9\x16\x5a\x14\x32\x5b\x38\xc5\xe4\x56\x5c\x3f\x0f\x12\x6f\x8b\x2a\xdf\x83\x26\x8e\x00\x76\x64\x7d\xdd\x43\xff\x2d\x52\xd7\x73\xab\x30\x40\x88\x45\x8f\xac\x4f\xb9\x37\x9e\x20\x96\x85\x60\xa0\x75\x17\xd6\xe0\x00\x1d\x2a\x08\xc3\xc6\xc9\x78\x25\xe1\x22\x59\xea\x86\x1b\x0a\xd5\x64\x94\x50\xdf\xfb\x3a\xfa\xe4\x9c\xd3\x1e\xfb\x40\x51\x3c\x06\xb7\x95\xe0\x71\x60\x3a\x47\xd3\xc8\x39\xc4\x01\xec\xc3\x8b\x11\x7d\xf9\x38\x83\x6a\x15\xb3\x1a\x13\x5b\x58\x89\x2d\xb9\xb4\xeb\xf6\x84\xdb\x3f\x7e\xce\x8a\x9d\x60\xbc\x8c\x81\x0e\xba\x0c\xa0\xd8\x75\x83\x57\x37\xd2\x5b\x94\x8b\x39\x28\x60\xaa\x82\xcd\xd5\xff\x7c\x6b\x0b\x4d\x7a\xe1\x82\x16\x89\x49\xd9\x84\x0e\x33\x54\x5d\x61\x27\x72\x7a\xbe\x02\xdd\x01\x41\x8c\xe4\xdd\x46\xaf\x7b\x5f\x08\x44\xcb\x51\xd4\x99\x2f\x4c\xe1\x22\x3c\x23\x13\x7c\x21\x13\x61\xd0\x15\x0e\xd2\x35\xa0\x59\x8f\x9e\x1d\x81\x6a\x40\xc6\xae\xb8\xad\x56\x26\xbc\x22\xb2\xe9\x39\x57\x47\x44\x1c\xc7\x8a\x55\x8d\xed\xc4\x02\x47\x32\x48\x98\x99\x12\xa0\xaa\x71\xac\x8d\x77\x54\xde\x78\xa1\xd5\xb9\xe5\x48\xd4\xeb\xef\x22\x4e\x82\xcd\x39\x35\x24\xd7\x9b\x88\xd6\xe0\x40\x5a\xd0\x2d\xa7\x11\x7b\xa0\x37\x29\x4e\x53\x5f\xff\x4b\xb7\xbf\xca\xce\xde\x33\x48\xf0\x1d\x16\x13\x48\xf4\xee\xe1\xa5\x15\xbe\x5
3\x0e\x0f\x0e\x64\xc5\x65\x44\xd4\xae\x10\x64\x45\xcc\xe1\x41\x0c\x79\x0b\xdb\xeb\x1e\x2d\x29\x3e\x01\x2e\x02\x97\xc4\x6c\x91\x45\xdc\xcb\xd6\xff\x77\xcb\xfa\xcd\xa4\x6f\x27\xd7\x1d\x02\xde\x14\xb6\x1c\x50\x53\x33\x19\xc6\x68\xfc\xfa\xc0\x36\xc7\x86\x7d\x12\xa3\xd0\xd8\xd4\x49\xc4\x96\x69\x58\x63\x49\xf2\x23\x9c\x4f\xa5\xc2\xb8\xfd\xfc\x42\x3e\xcd\x85\xed\xcc\xf6\x85\x47\xb1\xa9\x06\x76\x4c\x5c\x03\xff\x33\x2b\x56\x3e\xae\xee\xb8\x45\x65\x35\xc6\x1e\x91\x73\x92\xa0\x3d\xfe\x6b\xeb\xf3\xdc\x57\x10\xf9\x32\xb5\x07\xe3\xf0\xcd\xfb\x6a\x9d\xd0\x35\xf0\x6d\xe0\x55\x72\xca\x94\xd8\x5b\xfb\x15\x7e\x68\x44\x8a\xb8\xb0\xc4\xd5\x96\xce\x02\x0d\xad\xef\xce\xae\x68\x15\x3e\x5f\x62\xc5\xc0\x81\x43\xf5\xdb\x49\x7a\xaf\xab\x19\xcd\x33\x0c\x37\x84\xdb\x0a\xde\x50\x5a\x29\x51\x4b\xd1\xe8\xc3\xb9\x2c\x4f\x61\x65\x36\x22\xf8\x75\xec\xac\xc9\xe6\x77\x4a\xde\xca\x1c\xa4\x2f\x63\x7c\x70\x22\x99\xa2\xd3\xf8\x81\xbe\x79\x5b\xba\x9d\xb3\x40\xe4\x80\xaa\x4e\x94\x4d\xec\x20\x21\x6b\x83\x58\x45\x5d\xcf\x8e\xed\x99\x0e\x41\xf3\x37\x64\x42\xb9\xb3\xe0\xd8\x82\x38\x77\x5b\x8b\xea\x3f\x68\x8a\xf1\x85\x39\xb2\xe8\xba\xfa\xac\xc1\xc4\x06\x4e\x9a\xe8\x87\xc6\x9d\xca\x82\xac\xad\xf3\x55\x30\x92\xe7\x87\x97\xa6\x2c\xc8\x34\x44\x1c\x22\x2f\xf2\x26\xea\x32\xd2\x03\xc0\xb1\xfa\xcc\x67\xe6\x30\x71\x6a\x3f\x96\xa0\x77\xe2\x34\x8f\x2b\xe6\xd9\x3e\xc0\x63\x1a\x5e\xf1\xbe\xd4\x10\x61\x19\xd9\x70\xe6\x22\x8f\x01\x69\x89\xa8\xfd\xf0\x1b\xda\x8e\xdd\xfd\x60\x68\xd6\x49\xb3\x95\x6e\xab\x29\xd3\x03\xf1\xfc\x68\x67\xd8\x63\xc8\x7c\x35\x39\xe8\xe9\x9c\xe2\x39\x53\xc2\x5e\xe2\xb0\x98\x57\xd2\xdf\xdd\x4c\x2d\x24\x2b\xd8\x33\xf6\xb7\xf4\xa6\x7c\xde\x78\x63\xd6\x53\xa0\x05\x21\xfa\x68\xce\x23\x1d\x06\x15\xb0\x01\x75\xec\x1f\xca\x37\x7e\x4e\x72\xf7\x8a\x8f\x8f\xbc\xa9\xda\x4f\x40\x8b\xc1\xb7\x99\x97\x1c\x16\xce\x2e\x04\xaa\x24\x32\x79\xef\xcd\xb0\x78\x43\xd2\x55\xeb\x60\x67\xe3\x73\x2b\xcf\xdf\x1c\x17\x17\x8d\x77\xd3\xdf\xf4\x24\xd6\x77\x2e\x39\xae\xc3\xbe\xf9\x59\x2a\x25\xe9\xfb\xb5\x51\x09\x52\xe5\x83\xf5\x34\xa4\xd1\xf
5\x7c\xce\xfe\x84\x55\xf3\x53\xdf\xee\xee\xdc\x8b\x3e\xa3\xd6\xc4\x1f\xf4\x16\x7d\xe5\x14\x55\x30\xf3\xdd\x70\xbc\x89\xfd\xcf\xa8\x63\xd8\xc5\x65\x20\x8d\x32\x72\xb0\x23\x8b\x97\xd9\x5c\x5a\x67\x87\x24\x15\xa2\x7e\xf0\x6f\xa2\x6c\x0f\x72\xb5\x71\xcf\xfb\x76\x23\x69\xc8\x0b\x5f\x33\x2f\x03\xa9\x75\x9f\xec\x50\xd6\x04\xa1\x8a\x69\xfb\x52\x13\x11\xfa\x17\x1e\xa6\xfa\x40\x48\x73\xde\x91\x95\xf8\x47\xd8\x1f\xd4\xba\xe3\xd5\x21\x6d\x6c\x00\xcc\x38\xd5\xc7\x5d\xad\x1e\xf6\x86\xd5\xce\x4a\xcb\xb4\x77\xfb\xf6\xc5\xad\x0b\x26\x9e\x69\x05\x4b\x4a\x59\xdb\x3c\x6e\xb0\xce\xc7\xfb\xdf\x32\xd3\x30\x6c\xeb\x5d\x10\x06\xeb\x7b\xf6\xf0\x70\x12\xb1\x16\xc9\x5f\xbf\xcf\xd9\x9e\x82\xf5\xab\xa8\xeb\xd7\xc7\x90\xc9\xf0\x40\x75\xe2\xbb\x39\x9d\x92\x29\xbe\x4a\x0e\x90\xdc\x1b\x03\x58\xee\xcf\xfa\xda\xeb\xc0\xbd\xc6\xff\x1c\xfd\x00\xdc\xeb\xc0\xa9\x0d\x7b\x96\xc9\x6f\xa5\x52\xdc\x82\x4b\x94\x4d\x95\x1d\xb7\xd2\xb6\xee\x39\x9b\x6c\x1f\x29\x65\xe5\x93\x1c\xea\x56\x1b\x9d\xda\x86\xb5\xe7\xc3\x67\x41\xc0\x4a\x97\xa0\x0b\x06\x95\xa9\xd8\x3d\x62\x9e\xb5\xde\x99\xbf\x8a\xe8\xd7\x55\xf3\x31\xe4\x02\x53\x39\x0a\xbb\x2e\x60\x49\x16\x74\x96\xd5\xca\x37\x56\x3b\xea\xbd\xa4\xf8\x2b\x2c\x9a\x58\xef\xf2\xa5\x8a\x1d\x2f\xbc\x8d\x72\xc1\x88\xd4\xb3\x39\x2b\x9b\x42\x86\xa8\x5f\x5d\xed\x71\x0f\x24\x3b\x24\x83\x2c\x54\x79\x1e\xee\x12\x09\x44\x3f\x07\xf3\x74\xea\x2a\xb6\x14\xd6\xa9\xac\x8b\x09\x81\xc3\x50\x96\x96\xc0\x58\xd3\x2f\x4a\xff\x5a\xf8\xe9\xeb\x22\x53\xed\x4f\x83\xe8\xb4\xf3\x29\x4b\x61\xc9\x0d\x54\xd3\xc3\x5f\x3d\x44\xd5\x5a\x5a\x1f\x55\xba\xc7\xe5\x97\x8b\x63\xfb\xb9\xdf\x0e\x9c\x6b\x15\x4d\x61\x24\xef\x4c\xf6\x3f\xf3\xae\x36\x10\x32\x14\x7f\x9e\xf7\x5f\x9e\xa2\xf4\xb2\x2e\xb1\x36\x93\xe2\x67\xb7\xc4\xf6\x36\x5d\xe5\x36\x86\x11\x8a\x93\x4a\x59\x8b\xa5\xa8\x17\x5e\xe5\x0f\x09\x9a\xa9\xac\xd7\xf2\xe2\xc9\xb0\x5b\x04\x4b\x3b\x06\x1b\xd1\xbb\x3b\x29\x6b\x6b\xf9\x00\xb8\x56\xa6\x44\x8d\x81\x2e\x68\xef\xd3\x1f\xef\xfd\x44\x52\x99\x0c\xd5\xf7\xcc\x02\x58\x8e\xef\xbe\xbb\x9f\x56\xab\x77\xcd\x50\x29\x89\xcd\x1
6\xe8\x9a\x44\x55\x3e\x19\x89\xd4\xdf\xfd\x97\x7b\x53\xea\x8b\x3b\x63\x6d\x62\xbb\xb2\x65\xc4\x28\x0c\xab\x59\xda\xb2\x4f\xbe\x7f\x16\x18\x0d\xfd\xdf\x62\xe4\x82\xed\x8e\xdc\xa2\x7a\x96\x7c\xe5\xfa\xe0\x32\x8b\x64\x03\xce\xe1\x7a\x6d\x63\xac\x71\xa8\xa4\x6f\x6c\xad\xdb\x53\x0c\x6d\x90\x5a\x8b\x6c\x8e\xd8\x9f\x62\x2a\x0c\x0a\x90\x67\x5c\x1f\x8d\x97\x9b\x34\xcd\x1e\x95\x4f\xa9\x15\x4f", 4096); break; case 11: memcpy((void*)0x20001000, "\xc4\x62\x39\x37\x47\x7e\x66\x0f\xe3\x0c\xa4\xf3\x3e\x45\x09\x17\xc4\x61\x78\xae\x91\x72\x98\x00\x00\xc4\x63\xe1\x22\xd6\x96\xc4\x03\x7d\x7b\x05\x0f\x00\x00\x00\x00\xc4\x63\x39\x5f\x47\x3f\xad\xc4\x03\x55\x5d\x3c\x56\x00\xc4\xe2\xb5\x96\xf0\xc4\x21\xfd\x5b\xfb", 65); syz_execute_func(0x20001000); break; case 12: break; case 13: memcpy((void*)0x200010c0, "\x5d\x8d\x97\xaf\xe9\x58\xa6\xb4\x6b\x8f\xef\xfe\x29\xf0\x51\x64\xa8\xee\xd8\xf0\x35\xa6\xc4\xd8\xf6\x97\x21\x06\xc0\xf6\xa0\x43\x0f\x03\x47\xa9\xad\x29\xa9\x40\xd3\xde\x0d\x19\xdd\x63\xc0\x6d\xad\x37\xea\x1e\x10\x5f\xec\x8b\x4d\xbd\xb4\xd7\xf9\x51\x64\xff\x31\x3f\x19\x9a\xaa\x43\x10\x8e\x96\x13\xc1\xe6\x29\x58\xe7\x76\x28\x47\x15\x8e\x87\x26\x92\x4d\xcb\xda\xff\xfd\x2a\x94\x2c\x44\x0d\x0a\x80\x34\x04\x87\xaf\x0e\xb9", 105); memcpy((void*)0x20001140, "\xe2\xf9\x19\x3e\xea\x7f\xea\x62\xb3\x74\xa3\x15\x14\x75\xbf\x3b\xe9\x82\x5d\xbe\x21\xd3\x90\x7a\x6b\xaf\x2f\xcd\xf0\xe6\xdd\x64\xfa\x7c\xcc\xe3\x73\x4b\xa6\x62\x73\xba\x0d\xb7\xe7\x9d\x31\x4b\x54\xd1\x01\x58\xb7\xd4\xa6\x7b\x5e\x26\x4c\xd1\xfe\x32\xc6\xba\xb3\xd0\x3f\xaa\x5b\xd6\x7a\x46\x09\xb4\x8a\x17\xeb\x03\x86\x53\x8a\xfe\x3d\x83\xa4\xf1\x95\x97\x90\x97\x73\xc9\x47\x4f\x1f\x66\x85\xe5\x91\x57\xf5\xc7\x6c\x2d\xe0\x65\xf5\x09\xb7\xa7\xcf\x8e\x62\x9c\xca\x55\x3d\xcb\x44\x45\xa3\x72\x88\x31\x99\xbe\x74\x66\x34\xe8\x57\x26\x6c\x27\x58\xf8\xd5\x8d\xd0\xde\xa4\x57\x79\x02\x04\xfc\x26\xe2\x69\x27\xd5\xbb\xff\x20\xa9\x9a\xed\x0a\x95\xd8\x50\xec\x32\x21\xf4\xf1\xd8\xf1\x3a\x8f\x00\xbe\x13\x51\x9e\xf8\x98\xd3\x9d\x28\x56\x8b\xb7\x89\x4c\x39", 
186); res = syz_usb_connect(0x721, 0x69, 0x200010c0, 0x20001140); if (res != -1) r[5] = res; break; case 14: syz_usb_disconnect(r[5]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'syz_usb_connect_impl': :637:63: error: unknown type name 'usb_ctrlrequest' :642:55: error: unknown type name 'usb_ctrlrequest' compiler invocation: /syzkaller/netbsd/src/../tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor868558968 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/netbsd/src/../dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/9 (1.42s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = fcntl$dupfd(0xffffffffffffff9c, 0xc, 0xffffffffffffff9c) r1 = dup2(0xffffffffffffffff, r0) pwrite(r1, &(0x7f0000000000)="5d1dd436f0f5a32b117d0f61dc010511e7e3c7f92e33630dfc7a02f9f4df14c215d8716f98892cba0ddcbbd6b2683f5e028152ebbe2d26a7e4c45673b55cf76e7795dd124f82947e0244eb08cfb0b5da0c829b1580ac64473f069f9928c1043bdeaa541829f4ef60f80ea0b9b912a974a5e98ea75423d1126815de1319a78c8127c017f8cbe86d", 0x87, 0x6) getsockname$unix(r0, &(0x7f00000000c0)=@abs, &(0x7f0000000100)=0x8) accept$inet6(r1, &(0x7f0000000140), &(0x7f0000000180)=0xc) socketpair(0x18, 0x844590f3b4efa023, 0x7f, &(0x7f00000001c0)) r2 = accept(0xffffffffffffff9c, &(0x7f0000000200)=@un=@abs, &(0x7f0000000240)=0x8) r3 = getpgrp() stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 0xffff, 0x11, &(0x7f00000003c0)={r3, r4}, 0xc) syz_emit_ethernet(0x1000, 
&(0x7f0000000000)="") syz_execute_func(&(0x7f0000001000)="c4623937477e660fe30ca4f33e450917c46178ae9172980000c463e122d696c4037d7b050f00000000c463395f473fadc403555d3c5600c4e2b596f0c421fd5bfb") syz_extract_tcp_res(&(0x7f0000001080), 0x5, 0x6fb) r5 = syz_usb_connect(0x721, 0x69, &(0x7f00000010c0)="5d8d97afe958a6b46b8feffe29f05164a8eed8f035a6c4d8f6972106c0f6a0430f0347a9ad29a940d3de0d19dd63c06dad37ea1e105fec8b4dbdb4d7f95164ff313f199aaa43108e9613c1e62958e7762847158e8726924dcbdafffd2a942c440d0a80340487af0eb9", &(0x7f0000001140)="e2f9193eea7fea62b374a3151475bf3be9825dbe21d3907a6baf2fcdf0e6dd64fa7ccce3734ba66273ba0db7e79d314b54d10158b7d4a67b5e264cd1fe32c6bab3d03faa5bd67a4609b48a17eb0386538afe3d83a4f19597909773c9474f1f6685e59157f5c76c2de065f509b7a7cf8e629cca553dcb4445a372883199be746634e857266c2758f8d58dd0dea457790204fc26e26927d5bbff20a99aed0a95d850ec3221f4f1d8f13a8f00be13519ef898d39d28568bb7894c39") syz_usb_disconnect(r5) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void remove_dir(const char* 
dir) { DIR* dp; struct dirent* ep; dp = opendir(dir); if (dp == NULL) exit(1); while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; 
pthread_mutex_unlock(&ev->mu); return res; } /* -------------------------------------------------------------------------- */ /* * Redefinitions to match the linux types used in common_usb.h. */ struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define 
USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t 
bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += 
desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; int rv = 0; rv = parse_usb_descriptor(dev, dev_len, &usb_devices[i].index); if (!rv) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = 
default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } /* -------------------------------------------------------------------------- */ static int vhci_open(void) { return open("/dev/vhci", O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; ssize_t done; while (1) { done = read(fd, ptr, size); if (done < 
0) return -1;
		if ((size_t)done == size)
			return 0;
		/* Short read: advance past what arrived and ask for the rest. */
		size -= done;
		ptr += done;
	}
}

/*
 * Writes exactly `size` bytes from buf to fd, retrying after short writes.
 * Returns 0 on success and -1 when write() returns an error or 0, so this
 * loop (unlike the receive loop above) always makes progress or stops.
 */
static int vhci_usb_send(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = write(fd, ptr, size);
		if (done <= 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

/* -------------------------------------------------------------------------- */

/*
 * Opens /dev/vhci, selects port procid + 1, issues the attach ioctl and then
 * answers control requests read from the descriptor until the OUT callback
 * sets `done`.
 *
 * speed       - not referenced in this body.
 * dev/dev_len - passed to add_usb_index(); a NULL dev fails immediately.
 * descs       - handed through to the lookup helpers.
 * lookup_connect_response_out - handler for host-to-device requests.
 *
 * Returns the open vhci descriptor on success (syz_usb_disconnect closes
 * it), or -1 on failure; once the descriptor is open every failure path
 * closes it.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	struct usb_device_index* index;
	int portnum, fd, rv;
	bool done;
	portnum = procid + 1;
	if (!dev) {
		return -1;
	}
	if (portnum != 1) {
		/* For now, we support only one proc. */
		return -1;
	}
	fd = vhci_open();
	if (fd < 0) {
		return -1;
	}
	/* index is only checked for NULL here; it is not used again in this body. */
	index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		goto err;
	}
	rv = vhci_setport(fd, portnum);
	if (rv != 0) {
		goto err;
	}
	rv = vhci_usb_attach(fd);
	if (rv != 0) {
		goto err;
	}
	done = false;
	while (!done) {
		vhci_request_t req;
		rv = vhci_usb_recv(fd, &req, sizeof(req));
		if (rv != 0) {
			goto err;
		}
		/* Only control requests are handled; anything else aborts the connect. */
		if (req.type != VHCI_REQ_CTRL) {
			goto err;
		}
		char* response_data = NULL;
		uint32_t response_length = 0;
		/* Staging buffer for the data stage in either direction. */
		char data[4096];
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			bool response_found = false;
			/*
			 * NOTE(review): this cast and the one in the else branch name
			 * `usb_ctrlrequest` without `struct`. The compiler invocation
			 * in the log passes `-x c`, where a struct tag alone is not a
			 * type name, which matches the two "unknown type name
			 * 'usb_ctrlrequest'" errors reported for this function; the C
			 * spelling is `(const struct usb_ctrlrequest*)`.
			 *
			 * NOTE(review): &response_data is passed as the out-pointer.
			 * In the USB_DT_DEVICE_QUALIFIER fallback shown earlier in
			 * this listing that pointer itself is cast to
			 * struct usb_qualifier_descriptor* and written through, so the
			 * descriptor fields appear to land on this local pointer
			 * variable rather than in a buffer — confirm against the
			 * full lookup_connect_response_in.
			 */
			response_found = lookup_connect_response_in(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &response_data, &response_length);
			if (!response_found) {
				goto err;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &done)) {
				goto err;
			}
			/* OUT request: nothing to send back; the data stage is wLength bytes to read. */
			response_data = NULL;
			response_length = UGETW(req.u.ctrl.wLength);
		}
		if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			/* TODO: possibly revisit */
		}
		/* A length larger than the staging buffer is dropped to zero, not truncated. */
		if (response_length > sizeof(data))
			response_length = 0;
		/* Never transfer more than the wLength of the request. */
		if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length)
			response_length = UGETW(req.u.ctrl.wLength);
		/*
		 * The two clamps above bound the destination. The source pointer and
		 * length come from the lookup helper; the real size of the source
		 * object is not known at this point.
		 */
		if (response_data)
			memcpy(data, response_data, response_length);
		else
			memset(data, 0, response_length);
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			if (response_length > 0) {
				/* Length header first, then the payload. */
				vhci_response_t res;
				res.size = response_length;
				rv = vhci_usb_send(fd, &res, sizeof(res));
				if (rv == 0)
					rv = vhci_usb_send(fd, data, response_length);
			}
		} else {
			rv = vhci_usb_recv(fd, data, response_length);
		}
		if (rv < 0) {
			goto err;
		}
	}
	sleep_ms(200);
	return fd;
err:
	close(fd);
	return -1;
}

/*
 * Pseudo-syscall entry point: reinterprets the four raw arguments as speed,
 * descriptor length, descriptor pointer and connect-descriptor pointer, and
 * runs the connect with the generic OUT handler. The pointers are used as
 * given, without validation.
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Closes the descriptor given in a0, sleeps 200 ms and returns close()'s result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/* Tap device descriptor; -1 until initialize_tun opens one. */
static int tunfd = -1;

/*
 * Tap device naming and addressing templates; initialize_tun fills the
 * %d / %02hx fields with the tun id, which it bounds by MAX_TUN.
 */
#define MAX_TUN 64
#define TUN_IFACE "tap%d"
#define TUN_DEVICE "/dev/tap%d"
#define LOCAL_MAC "aa:aa:aa:aa:aa:aa"
#define REMOTE_MAC "aa:aa:aa:aa:aa:bb"
#define LOCAL_IPV4 "172.20.%d.170"
#define REMOTE_IPV4 "172.20.%d.187"
#define LOCAL_IPV6 "fe80::%02hxaa"
#define REMOTE_IPV6 "fe80::%02hxbb"

/* vsnprintf() that terminates the process on a formatting error or on truncation. */
static void vsnprintf_check(char* str, size_t size, const char* format, va_list args)
{
	int rv;
	rv = vsnprintf(str, size, format, args);
	if (rv < 0)
		exit(1);
	/* rv counts the characters needed without the NUL, so rv == size is already truncated. */
	if ((size_t)rv >= size)
		exit(1);
}

/* Variadic front end for vsnprintf_check. */
static void snprintf_check(char* str, size_t size, const char* format, ...)
{
	va_list args;
	va_start(args, format);
	vsnprintf_check(str, size, format, args);
	va_end(args);
}

/* Every command is run with this fixed PATH assignment prepended. */
#define COMMAND_MAX_LEN 128
#define PATH_PREFIX "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)

/*
 * Formats a command line, prefixes it with PATH_PREFIX and runs it with
 * system(). When `panic` is true a non-zero status ends the process;
 * otherwise the status is ignored.
 */
static void execute_command(bool panic, const char* format, ...)
{
	va_list args;
	/* Room for the PATH prefix plus COMMAND_MAX_LEN bytes of formatted command, NUL included. */
	char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
	int rv;
	va_start(args, format);
	/* The prefix is copied without its NUL; vsnprintf_check terminates the string or exits on truncation. */
	memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
	vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
	va_end(args);
	/*
	 * The string is interpreted by the shell. Every call visible in this
	 * listing passes a literal format plus values built from the fixed
	 * templates and the bounded tun id, not external input.
	 */
	rv = system(command);
	if (rv) {
		if (panic)
			exit(1);
	}
}

/*
 * Creates and configures the tap interface for `tun_id` and leaves its
 * descriptor in the global tunfd. An id outside [0, MAX_TUN) ends the
 * process. If the device cannot be opened the function prints a message and
 * returns with tunfd still -1; steps run with panic=1 end the process when
 * the command fails.
 *
 * The name and address buffers are sized from their template strings; the
 * MAX_TUN bound keeps the id to at most two digits, and snprintf_check exits
 * if anything would be truncated.
 */
static void initialize_tun(int tun_id)
{
	if (tun_id < 0 || tun_id >= MAX_TUN) {
		exit(1);
	}
	char tun_device[sizeof(TUN_DEVICE)];
	snprintf_check(tun_device, sizeof(tun_device), TUN_DEVICE, tun_id);
	char tun_iface[sizeof(TUN_IFACE)];
	snprintf_check(tun_iface, sizeof(tun_iface), TUN_IFACE, tun_id);
	/* Recreate the interface from scratch; failures of these two commands are ignored. */
	execute_command(0, "ifconfig %s destroy", tun_iface);
	execute_command(0, "ifconfig %s create", tun_iface);
	tunfd = open(tun_device, O_RDWR | O_NONBLOCK);
	if (tunfd == -1) {
		printf("tun: can't open %s: errno=%d\n", tun_device, errno);
		return;
	}
	/*
	 * Move the descriptor to the fixed number 240 — presumably to keep it
	 * away from the low descriptors the generated calls create; confirm
	 * against the executor sources.
	 */
	const int kTunFd = 240;
	if (dup2(tunfd, kTunFd) < 0)
		exit(1);
	close(tunfd);
	tunfd = kTunFd;
	char local_mac[sizeof(LOCAL_MAC)];
	snprintf_check(local_mac, sizeof(local_mac), LOCAL_MAC);
	execute_command(1, "ifconfig %s link %s", tun_iface, local_mac);
	char local_ipv4[sizeof(LOCAL_IPV4)];
	snprintf_check(local_ipv4, sizeof(local_ipv4), LOCAL_IPV4, tun_id);
	execute_command(1, "ifconfig %s inet %s netmask 255.255.255.0", tun_iface, local_ipv4);
	/* Static neighbour entries for the remote peer; failures are ignored. */
	char remote_mac[sizeof(REMOTE_MAC)];
	char remote_ipv4[sizeof(REMOTE_IPV4)];
	snprintf_check(remote_mac, sizeof(remote_mac), REMOTE_MAC);
	snprintf_check(remote_ipv4, sizeof(remote_ipv4), REMOTE_IPV4, tun_id);
	execute_command(0, "arp -s %s %s", remote_ipv4, remote_mac);
	char local_ipv6[sizeof(LOCAL_IPV6)];
	snprintf_check(local_ipv6, sizeof(local_ipv6), LOCAL_IPV6, tun_id);
	execute_command(1, "ifconfig %s inet6 %s", tun_iface, local_ipv6);
	char remote_ipv6[sizeof(REMOTE_IPV6)];
	snprintf_check(remote_ipv6, sizeof(remote_ipv6), REMOTE_IPV6, tun_id);
	execute_command(0, "ndp -s %s%%%s %s", remote_ipv6, tun_iface, remote_mac);
}

/*
 * Writes a0 bytes starting at address a1 to the tap descriptor and returns
 * write()'s result, or (uintptr_t)-1 when no tap device is open. Length and
 * address are used exactly as supplied by the caller.
 */
static long syz_emit_ethernet(volatile long a0, volatile long a1)
{
	if (tunfd < 0)
		return (uintptr_t)-1;
	size_t length = a0;
	const char* data = (char*)a1;
	return write(tunfd, data, length);
}

/*
 * Reads up to `size` bytes from the tap descriptor. Returns the byte count,
 * or -1 when no tap device is open or the read reports EAGAIN (the
 * descriptor is opened O_NONBLOCK in initialize_tun). Any other read error
 * ends the process.
 */
static int read_tun(char* data, int size)
{
	if (tunfd < 0)
		return -1;
	int rv = read(tunfd, data, size);
	if (rv < 0) {
		if (errno == EAGAIN)
			return -1;
		exit(1);
	}
	return rv;
}

/* Output record of syz_extract_tcp_res: adjusted sequence and acknowledgement numbers. */
struct tcp_resources {
	uint32_t seq;
	uint32_t ack;
};

/*
 * Reads one frame from the tap device, locates its TCP header and stores
 * seq + a1 and ack + a2 (converted back to network byte order) into the
 * struct tcp_resources at address a0. Returns 0 on success and
 * (uintptr_t)-1 when no tap device is open, nothing could be read, the frame
 * is too short, or the payload protocol is not TCP.
 *
 * Every header cast is preceded by a length check against the bytes actually
 * read; the IPv4 header length is taken from the packet's own ip_hl field.
 * Frames whose ethertype is not ETHERTYPE_IP are parsed as IPv6, and only a
 * TCP header directly after the fixed IPv6 header is accepted.
 *
 * NOTE(review): a0 is dereferenced as supplied, with no validation, and the
 * header structs are overlaid on a char buffer at offsets that may not
 * satisfy their alignment — worth confirming before this parser is reused
 * outside generated test programs.
 */
static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2)
{
	if (tunfd < 0)
		return (uintptr_t)-1;
	char data[1000];
	int rv = read_tun(&data[0], sizeof(data));
	if (rv == -1)
		return (uintptr_t)-1;
	size_t length = rv;
	struct tcphdr* tcphdr;
	if (length < sizeof(struct ether_header))
		return (uintptr_t)-1;
	struct ether_header* ethhdr = (struct ether_header*)&data[0];
	if (ethhdr->ether_type == htons(ETHERTYPE_IP)) {
		if (length < sizeof(struct ether_header) + sizeof(struct ip))
			return (uintptr_t)-1;
		struct ip* iphdr = (struct ip*)&data[sizeof(struct ether_header)];
		if (iphdr->ip_p != IPPROTO_TCP)
			return (uintptr_t)-1;
		/* ip_hl counts 32-bit words; the whole TCP header must lie within the bytes read. */
		if (length < sizeof(struct ether_header) + iphdr->ip_hl * 4 + sizeof(struct tcphdr))
			return (uintptr_t)-1;
		tcphdr = (struct tcphdr*)&data[sizeof(struct ether_header) + iphdr->ip_hl * 4];
	} else {
		if (length < sizeof(struct ether_header) + sizeof(struct ip6_hdr))
			return (uintptr_t)-1;
		struct ip6_hdr* ipv6hdr = (struct ip6_hdr*)&data[sizeof(struct ether_header)];
		if (ipv6hdr->ip6_nxt != IPPROTO_TCP)
			return (uintptr_t)-1;
		if (length < sizeof(struct ether_header) + sizeof(struct ip6_hdr) + sizeof(struct tcphdr))
			return (uintptr_t)-1;
		tcphdr = (struct tcphdr*)&data[sizeof(struct ether_header) + sizeof(struct ip6_hdr)];
	}
	struct tcp_resources* res = (struct tcp_resources*)a0;
	res->seq = htonl((ntohl(tcphdr->th_seq) + (uint32_t)a1));
	res->ack = htonl((ntohl(tcphdr->th_ack) + (uint32_t)a2));
	return 0;
}

/*
 * Starts a new session and applies resource limits to the process. A failed
 * setsid() ends the process; the setrlimit() results are not checked.
 */
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	/* 8 MiB of locked memory. */
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
	/* 1 MiB stack. */
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	/* No core files. */
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	/* At most 256 open descriptors. */
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

/*
 * "none" sandbox: applies only the session and rlimit setup from
 * sandbox_common, sets up the tap device for this proc and enters the
 * execution loop. No further isolation is applied in this function.
 */
static int do_sandbox_none(void)
{
	sandbox_common();
	initialize_tun(procid);
	loop();
	return 0;
}

/*
 * Treats `text` as the address of machine code and calls it; always returns 0.
 * In this program the only caller (case 11 of execute_call) first copies 65
 * bytes into the fixed mapping at 0x20001000 and passes that address.
 * NOTE(review): the unused array p and the empty asm statement with fourteen
 * "r" inputs presumably reserve stack space and load registers with small
 * known values before the jump — confirm against the executor sources.
 */
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	((void (*)(void))(text))();
	return 0;
}

/* Per-thread slot: whether the thread exists, which call it runs, and its two handshake events. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls handed to a worker that have not finished yet. */
static int running;

/*
 * Worker thread body: waits for `ready`, runs the assigned call, decrements
 * `running` and signals `done`, forever.
 */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/*
 * Runs the 15 calls of the program in order. Each call goes to the first
 * worker whose `done` event is set (workers are created on first use), and
 * the dispatcher then waits for it with a timeout of 45 plus 3000 for call
 * 13 (syz_usb_connect) and 300 for call 14 (syz_usb_disconnect) — units
 * presumably milliseconds. A call that outlives its timeout keeps running
 * while later calls start on other workers. If no worker is idle the call is
 * skipped without notice. Finally waits up to 100 iterations of sleep_ms(1)
 * for outstanding calls to finish.
 */
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 15; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				/* A fresh worker starts out idle. */
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45 + (call == 13 ? 3000 : 0) + (call == 14 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Endless repeat loop: for each iteration creates the directory ./<iter>,
 * forks a child that changes into it and runs the program once, waits for
 * the child and kills it after 5 seconds, then removes the directory. Any
 * failure of mkdir, fork or chdir ends the process.
 */
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		/* 32 bytes hold "./" plus any int in decimal. */
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

/* Fallback syscall numbers, used only when the system headers do not define them. */
#ifndef SYS_accept
#define SYS_accept 30
#endif
#ifndef SYS_dup2
#define SYS_dup2 90
#endif
#ifndef SYS_fcntl
#define SYS_fcntl 92
#endif
#ifndef SYS_getpgrp
#define SYS_getpgrp 81
#endif
#ifndef SYS_getsockname
#define SYS_getsockname 32
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_pwrite
#define SYS_pwrite 174
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 105
#endif
#ifndef SYS_socketpair
#define SYS_socketpair 135
#endif
#ifndef SYS_stat
#define SYS_stat 439
#endif

/* Results of earlier calls that later calls take as arguments. */
uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff};

/*
 * Executes step `call` of the generated program: raw syscalls and
 * pseudo-syscalls with fixed arguments, saving successful results in r[].
 * Data buffers sit at fixed addresses inside the region main() maps at
 * 0x20000000.
 */
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		res = syscall(SYS_fcntl, 0xffffff9c, 0xcul, 0xffffff9c);
		if (res != -1)
			r[0] = res;
		break;
	case 1:
		res = syscall(SYS_dup2, -1, r[0]);
		if (res != -1)
			r[1] = res;
		break;
	case 2:
		memcpy((void*)0x20000000,
"\x5d\x1d\xd4\x36\xf0\xf5\xa3\x2b\x11\x7d\x0f\x61\xdc\x01\x05\x11\xe7\xe3\xc7\xf9\x2e\x33\x63\x0d\xfc\x7a\x02\xf9\xf4\xdf\x14\xc2\x15\xd8\x71\x6f\x98\x89\x2c\xba\x0d\xdc\xbb\xd6\xb2\x68\x3f\x5e\x02\x81\x52\xeb\xbe\x2d\x26\xa7\xe4\xc4\x56\x73\xb5\x5c\xf7\x6e\x77\x95\xdd\x12\x4f\x82\x94\x7e\x02\x44\xeb\x08\xcf\xb0\xb5\xda\x0c\x82\x9b\x15\x80\xac\x64\x47\x3f\x06\x9f\x99\x28\xc1\x04\x3b\xde\xaa\x54\x18\x29\xf4\xef\x60\xf8\x0e\xa0\xb9\xb9\x12\xa9\x74\xa5\xe9\x8e\xa7\x54\x23\xd1\x12\x68\x15\xde\x13\x19\xa7\x8c\x81\x27\xc0\x17\xf8\xcb\xe8\x6d", 135); syscall(SYS_pwrite, r[1], 0x20000000ul, 0x87ul, 6ul); break; case 3: *(uint32_t*)0x20000100 = 8; syscall(SYS_getsockname, r[0], 0x200000c0ul, 0x20000100ul); break; case 4: *(uint32_t*)0x20000180 = 0xc; syscall(SYS_accept, r[1], 0x20000140ul, 0x20000180ul); break; case 5: syscall(SYS_socketpair, 0x18ul, 0x844590f3b4efa023ul, 0x7f, 0x200001c0ul); break; case 6: *(uint32_t*)0x20000240 = 8; res = syscall(SYS_accept, 0xffffff9c, 0x20000200ul, 0x20000240ul); if (res != -1) r[2] = res; break; case 7: res = syscall(SYS_getpgrp); if (res != -1) r[3] = res; break; case 8: memcpy((void*)0x20000280, "./file0\000", 8); res = syscall(SYS_stat, 0x20000280ul, 0x200002c0ul); if (res != -1) r[4] = *(uint32_t*)0x200002dc; break; case 9: *(uint32_t*)0x200003c0 = r[3]; *(uint32_t*)0x200003c4 = r[4]; *(uint32_t*)0x200003c8 = 0; syscall(SYS_setsockopt, r[2], 0xffff, 0x11, 0x200003c0ul, 0xcul); break; case 10: memcpy((void*)0x20000000, 
"\xd2\x88\x11\xeb\x3e\xf8\x05\x7d\x4d\x7c\x72\x29\xab\x1e\x5a\x02\x15\x74\x40\xec\x59\x86\x63\x31\x4f\x52\x2e\x6a\x8f\x7e\x2b\x68\xcd\x21\x08\x34\xf1\x3e\x84\xf2\x57\xc3\x58\xe7\xe1\x97\x17\xa7\x93\x53\xa0\x60\x9a\xbf\x39\xfc\x23\xd2\x80\xe0\x31\xdb\xc3\x60\x48\xed\x67\xb3\x18\xa0\x55\x3a\x54\x1c\x84\x16\x7d\x1b\xf3\x90\x95\x1a\xbf\xd5\x37\x01\x57\xad\x02\x4b\xea\x03\x0e\x6c\x00\x3d\x2e\x50\xa9\x32\x90\x39\x93\x42\x94\x72\xcc\xa8\xbe\x88\x08\xca\x29\x15\x85\x8e\xd2\x59\x8c\x1e\x76\xf9\x8e\x66\x2b\x06\x78\xbd\xfd\x91\x86\x2b\x0a\xf8\x4e\x15\x85\xc3\x70\x9e\xeb\x1b\x8f\x06\x57\x03\xa7\x5c\x12\xe1\xfa\x87\xb7\x7d\x46\xd3\x74\xee\x21\x13\xbb\xbd\x6b\xde\xbb\x4c\xf0\x68\x7f\x79\xdb\x89\x5a\x8a\xc8\x1c\x3b\x28\x6c\x03\x42\x7e\x32\x11\xe7\x14\x20\xaf\xa9\xb5\xc9\x01\x3e\x63\x8e\xd9\x7d\xe9\x98\x3f\xb3\x34\x24\xfe\x11\xef\xd7\x82\x4c\xd6\x97\x92\x86\xd5\x9a\x5c\x79\x33\x8b\x6a\x9a\x2d\x15\xe7\x07\x91\xbd\xb5\x18\x6a\xa7\x4e\x17\x5a\x00\x49\xc1\xe3\x9d\xb5\x36\x37\x7a\x83\x54\x91\x5a\x8a\x15\x12\x5b\x8b\xe6\x2f\x01\xa9\x37\x40\xb2\x42\x8b\x18\x9e\xa4\x2e\x31\xb6\xce\x7a\xa3\x67\x6b\xf1\x46\x8b\x75\x1b\xf0\x6a\xac\xf1\x59\x04\xdb\x50\xc1\xbe\x9d\xf4\xcc\x9d\x41\x59\x9c\x57\xcf\xaf\x66\xb7\xe5\xee\x2d\x23\x72\x63\x0a\x7b\xf5\x38\xda\x78\x6d\xff\xf6\x05\x2e\x02\x55\x8a\x4d\x1c\xcf\x70\x99\xa8\xc5\x99\xc3\xc8\xb5\x15\xe8\x44\xf1\xe2\x3d\xe7\x3d\x80\x61\x27\x22\x82\x53\xa7\x05\x3b\x5e\x91\x51\x16\x85\x37\x0c\x98\x0f\xfa\x72\xe5\x55\x1f\xf0\x5f\xcb\xd9\x40\xd5\x14\xbe\xd2\x86\x0b\x87\x5b\x9a\x12\xb2\x6e\xdb\xb2\x92\xe0\xe8\xd8\xcb\xcd\x9d\xe3\xab\xa6\x8f\x7c\x14\x19\x24\x9f\xe4\x3a\x67\x54\xbf\x02\xa3\x6e\x0f\xd1\xf2\x7c\x48\xe9\xd1\x6c\x18\xed\x14\x84\xe5\x6c\xc5\xbc\x34\x83\x51\x93\x11\xe3\x37\x54\xaf\x2f\xc4\xd3\x7c\xfa\x1c\x6e\x5f\x0d\x38\xae\x96\xa6\x21\xc0\x4d\xb0\xfd\x7d\x79\x32\x97\xe4\x98\x1f\x90\x82\x93\x7b\x93\x22\xf4\x94\xbd\x98\xb2\xf4\x3d\x9b\x5c\x19\xff\x19\xec\x17\x7c\x63\x05\xb1\x88\x00\x44\x51\x11\x76\x3c\xda\xee\xc3\x51\x68\x93\x84\x78\x3a\xe7\xcf\xf9\xb1\x06\x6
3\x9e\xa6\x11\xfb\x72\xe8\x6d\x68\x5e\xa0\xf6\xb6\x5d\xc3\xb9\xa2\x43\x6c\x89\x25\x73\x82\xd1\x15\x16\xa2\xb0\x66\x37\xcf\xd9\x31\xe2\xca\x4e\x62\x53\x43\xd6\xb9\x65\x25\xc5\xbf\x7d\xcc\x43\x7f\x47\x4e\x1f\xf9\xf3\xdc\xc8\x57\x40\x44\x4a\x4c\x56\x9f\x50\x37\x9b\x98\x5f\x68\x43\xac\x29\xf0\x9a\x9f\x99\x81\x9a\xe2\x10\xdb\x22\xab\x19\x34\x09\x74\x95\x7f\x1f\xbe\xa4\x1c\x58\x51\xb2\xfa\x7a\x2f\xa8\x75\x81\xa7\xfb\x42\xdb\x8c\x24\xb4\xc6\xf8\x29\xbe\x59\x2c\xa0\xd0\xcf\x1a\x2f\xe6\x7d\xec\x53\x2c\xfa\x77\xf8\xf1\x95\x5d\xa3\x35\xa8\x4d\x5a\xef\x49\x05\xa9\xa2\x36\xc6\x07\x77\x4a\x0b\x4e\xf1\xd5\x0b\x55\xbd\x49\xaa\x87\x7c\x2b\x6b\x2e\x37\xa3\xe4\xa3\xb2\x4e\x95\xfa\x55\x7b\xa8\x9a\xaf\x42\x27\xb5\xbb\x0e\x64\x0b\x46\x98\xcd\x00\x4f\x87\x0c\x7d\xaa\x9e\xa4\x41\xfd\xbe\x8b\x30\x53\xdf\xfc\xe6\x46\xc0\xb0\x6d\xf3\x23\x25\x2c\xad\xa7\xf2\x4f\xcc\x21\x62\x4e\xdf\x49\x56\x7b\x26\x93\xfe\xc0\x69\x3d\x24\x3e\x06\x7b\x21\xe2\xbe\x29\x6c\x52\xbb\x2a\x38\x1f\x47\x94\xaa\x2e\x85\xdd\x5c\xb6\x67\x7e\x94\xb7\xe0\x03\xeb\xad\x24\x57\x37\x62\xa6\x40\x97\x3c\x07\x72\x99\x4d\xa2\x8c\x64\x90\xc1\xaf\x8f\x0f\x91\x75\x4e\x71\xc7\xf3\x26\xbd\x31\xdf\xc9\xc6\xfc\x20\x76\x7d\x71\x3a\x93\x31\x7b\xcb\xe0\xa3\xef\xc9\xc5\xa8\x57\x1b\x7b\x0a\x02\x97\x77\x41\xe8\xa8\x3c\xa8\x12\x96\x14\x5e\xc9\x55\xe1\xab\x98\x2c\x7f\x46\x62\x84\x56\x2b\x52\xde\x13\x55\x68\xa1\x42\xe6\x77\xc3\x43\xf5\xeb\xd3\x37\x55\xd0\xb9\x15\x65\x64\x6d\x7c\x36\x2e\x46\x64\x00\x7c\xae\x21\x67\xdb\x5d\x0a\x93\x3e\x12\x19\xd3\xd6\xa7\x38\x75\x76\xe5\x42\xf8\x16\xfa\x51\x6d\x44\xaf\xc3\xd9\x92\x29\xd4\xf5\x7f\xa8\x3b\x89\x48\xf8\x98\xb8\x52\x8d\xed\x2c\x53\x9b\x60\x33\x49\x1c\x6d\x78\x0c\xac\xb2\xbc\x3f\x52\xc2\x79\x4d\xe8\xdb\x39\x58\x12\xd4\xf7\xa4\x4b\x9c\x04\xd6\xfd\x3c\xa8\x6c\x68\x64\x7d\x3e\x47\x5d\xe5\x81\xed\xc3\x88\xdc\xde\x91\xb8\xb2\x4c\xd4\x2b\x91\xa1\x9e\x91\xb4\xb6\x37\xb4\x3b\x6f\xa4\xe1\x50\x44\x3e\xc7\xc0\x86\x95\xc4\x2b\xc6\xa9\x30\xb3\x08\x42\x04\x02\x3b\xfd\x15\xe1\xc0\x31\x2e\x46\xf4\x30\xe2\x6b\x0f\xcc\xa1\x5
2\x20\x9f\xc1\xc7\xf9\x91\xc1\x11\xbd\xcd\xa7\x2e\x19\x86\x26\x76\x6e\xaf\xc8\xcf\x54\x92\x18\x9d\x4c\xc9\xa8\xe2\xa8\xa9\xcb\x73\x89\x78\xec\xec\x37\x37\x6d\xc9\x9c\xa8\xd3\xef\xcf\xe7\x3d\xa5\x38\x96\x0e\xbf\x78\xf0\xa4\x36\x63\x76\xae\x5f\x1b\xb1\xf8\x11\xec\xce\xb6\x25\x10\x89\x78\x55\xe3\x06\x61\x04\x70\x1b\x94\xf6\x19\x13\xda\x46\x99\x31\x3c\xec\x63\xa8\x8a\x9b\xa4\x44\xa5\xfc\x01\xc0\x03\xbf\x9d\x6b\x25\x25\x04\xe4\x77\xf4\x0f\xb3\x3e\x59\x5f\x30\xac\x53\x8b\xc9\xee\xb2\x93\x72\xb7\xa9\xd1\xf6\xa2\xa9\xb0\x17\x7a\x17\x1e\x5f\x87\x9e\xab\x36\x3c\x76\x08\x61\x7c\x26\x19\x7d\xf1\xda\x9b\xaa\x02\x75\xe2\x3e\xd1\xb5\x92\xce\xbd\xcd\x6e\xf2\x2b\x36\xc4\xf2\x87\xdf\xe8\x49\xcf\x54\xea\xed\x55\x70\xff\xc4\x50\xcd\xe8\xb6\xee\x12\xef\xbc\x8d\xdf\xea\x6b\xf7\x82\xc2\x7e\x5a\x58\x16\xb6\xf0\x4f\xf5\xfe\x97\x7f\x05\xa5\xb1\x2a\x13\x64\xa6\x59\xcb\x6b\x11\xab\x7a\x16\x82\xe1\x09\x7e\x61\x87\xcd\x7c\xbb\xa8\x7e\xf4\xca\x8c\x2c\xaf\x28\x49\x99\x13\xd9\x8a\x9e\x9f\x2e\x11\xc5\x2f\x37\xfa\xf2\xcd\x20\x7b\xbe\x57\x34\xda\x0e\x91\xba\x5f\x8b\x48\xad\x59\xb1\x22\x67\x85\x50\xb2\x7f\xef\xe7\x1a\xf5\x3d\x6f\x93\x41\x04\x38\x73\x89\xb5\x93\x24\xcd\xbf\x44\x6e\xfe\x50\xdb\xd2\x3d\xb7\x41\x8e\xc6\x66\x6e\xd9\xfc\xaa\x6f\x70\xbe\xac\x9c\xa4\x2a\x90\xee\xc8\x56\x7b\xe2\x1f\xb4\x5f\x08\x86\x75\x57\x15\xf3\x17\x37\x35\x23\xdf\xeb\x84\x5a\xb7\x73\x33\xcf\x8d\xdf\x92\x62\x44\xa3\x8e\x02\x4d\xf5\xaf\x9e\xa0\x72\x53\xd0\x7a\x59\xdb\x51\x12\x3f\xd8\x11\xcc\xe2\xd2\x06\xea\xe6\x94\x3e\xc8\x75\x59\xeb\x0e\xb2\x8a\x94\xa6\x27\x83\x1e\x45\xb3\xa7\xd1\xf8\x9f\x7a\x49\xfb\xce\x7c\x5a\x6e\xd8\x1f\x4e\x68\xdd\x3c\xe2\x93\x46\xf7\xc1\x4e\x50\x64\x54\x8d\x57\xf1\x13\x63\x13\x9e\x5b\x66\x9a\x17\x44\xbd\x99\x89\x40\x08\x27\x97\x3e\x67\xe9\x4c\xb5\x55\xb0\x8c\xf0\x45\x65\xf3\x3d\xb1\x71\x96\xd1\x65\x18\xb4\xf4\xb0\x23\x05\x3e\x86\xa7\x27\x55\x21\xfa\x5b\x20\x99\x3d\xe7\xc2\xfa\x09\x79\x7d\x92\x4d\x59\x89\x3c\xaa\x98\xd9\x7b\x58\x62\x89\xda\x8c\x9c\xc3\x81\x0c\xfd\xe8\x5b\x31\xa4\xe3\x11\x8a\x5c\xc2\xfb\x6
3\xe4\x07\x3d\xc2\x24\xe5\x01\xb6\x37\xc6\x66\x74\xea\xd1\xe8\x4a\x7e\x3e\x3c\xe4\xad\xaf\x0c\x72\x3e\x38\xa4\x1d\xb5\x47\xe9\xcc\x33\x82\xec\xf9\xf6\xb6\xf9\x64\xc1\xf8\x1f\xe7\x53\x65\x59\x3c\x9a\x55\x15\x2e\xc7\xc0\x50\x67\x47\x4b\xd7\x1a\x93\x70\x00\x9f\xee\x6d\x87\xf3\xee\xf6\xc9\x36\x0a\x50\x29\x41\xe9\x37\x30\x45\x41\x61\xd0\xf0\x39\x1f\x7c\x5e\xbd\xe6\x22\xf0\x5c\x1d\x67\x36\x89\x44\x39\x0b\x68\x17\x8f\xef\xb8\x25\xad\xd8\x12\xf4\x96\x86\x70\x53\x74\x01\x70\x35\x31\x66\x7c\xd5\x15\x0f\x21\x1b\x9f\xcf\xec\xf4\xee\x5e\x08\x80\xf3\x74\x8b\x9e\x7a\x74\x5e\x80\x2a\xff\xac\xc6\xb4\xaa\x5b\x5d\x83\x75\x0f\xc1\xc4\x7d\x4a\xb6\x91\x70\x90\x1e\x7f\x5e\x44\x2b\xb9\x8a\x89\x18\x60\x54\xac\xf2\x07\xa3\xcf\x70\x17\x31\x56\xc5\x59\xfd\x72\x86\x0a\x7d\x26\x79\xa2\xff\xcb\x53\x30\x20\x41\x13\xdb\xac\x6b\x3c\x3b\x69\xaa\x4f\x75\xf2\x1c\xb2\x15\x4a\x4a\x6b\x31\xc0\x25\xd5\x2a\xc5\x49\x60\x48\x3c\xed\xf3\xf1\x1a\x1a\xdf\xfe\xf2\xf1\xfe\xc9\x4a\x55\x61\xd9\x18\x68\x00\x1c\x3d\x83\x95\xff\x45\x0b\x14\x00\x95\xd6\x53\x64\x75\x37\x9f\x38\x63\x4a\xcf\x9d\xed\xff\x61\xb1\x7f\x7c\x87\xf8\xc0\x56\x6b\xe6\x25\x0c\xf4\x39\xeb\xa3\x8c\x37\x65\x39\x3a\x9e\xd1\x01\x6d\x50\x2b\xa1\x3a\x8e\xf6\xde\x35\xba\x66\x9b\x10\xa0\x00\x82\x23\xd2\xe2\xf8\x8d\x35\xfe\x0a\x73\x23\x32\x4b\xfa\xbf\x25\xa7\xac\x01\x90\x45\x49\xa2\x59\xe6\xa8\xd3\xa4\x96\x4f\x19\x7e\x94\xb8\xf9\xb3\xa3\x16\x3f\x63\x49\xe3\xda\xc7\xe0\x17\x48\xf6\x74\x79\x5c\xc3\xbd\x5a\x9a\x3a\xb5\xf2\xc1\x30\x81\x16\x7d\xf3\x7e\x37\x9e\xeb\x2e\xcf\x9c\xdf\xa2\x37\x15\x95\xf3\x08\x31\x05\x1a\xb1\x57\xac\x75\xf9\xeb\xc4\x8b\x49\x95\x59\x7e\x20\x6c\x7b\xa2\x29\xab\x30\xec\xcf\xe6\x62\x4d\x88\x49\xea\xe4\x1d\x2d\xc7\xa4\xd7\x57\xa3\x73\xb1\xd8\x66\x95\xc4\x20\xcc\x04\xbf\x0d\xa6\x64\xa7\x56\xb4\x82\x24\x16\x3d\xe4\x41\x8b\x93\x23\x39\xd2\x99\x06\x13\x13\xa6\x34\xa4\xba\x08\x9b\x12\xf8\x5d\x4d\xa1\xd2\x7d\x51\xde\x93\x08\x31\x0e\xf6\xae\xb3\x56\x23\xd0\xa7\x72\xc5\xce\xdd\x2a\x65\x9f\xde\xf0\x92\xb4\xdf\x6a\x88\xd2\x96\x42\x00\xc2\x85\xe8\xc1\x6
e\x74\x89\xb8\x1e\x41\x59\xdb\x06\x2c\xe8\xa7\xd0\xda\xb6\x51\x80\x92\x11\xed\xf0\x58\x6f\x28\x9e\xf0\x3d\xee\x7b\xb9\xf4\x38\xc1\xa3\x52\xf6\x34\x2c\x66\x4b\xfd\x35\xd2\x38\x85\xb0\x9b\xd1\xda\x62\xbd\x65\xd0\xbc\x09\xa5\xeb\x5a\xe9\x5e\xa3\x10\x88\x14\x77\x81\xc3\x35\xea\x17\x77\x72\xa2\x28\x96\x19\x1a\x7d\x15\x70\x2b\x6b\x34\x37\xce\xd8\x86\xcc\x85\xbb\x26\x86\x5c\xe8\x28\xb9\xfe\x78\xa0\x7b\x46\x3d\xf7\x33\x2f\x67\x92\xb2\xfd\x86\xd1\x7b\x1e\x98\xa4\xcc\x77\x29\xb0\x58\xc5\x98\xc9\x61\xc6\x34\xb1\x5d\x09\x73\xca\xcd\xd9\x73\x5a\x0f\x77\x78\x6a\xe2\xb0\x76\x6b\x31\x94\xa1\x27\x34\x5d\xd8\xc1\x1f\x69\xfa\x4c\x44\xcc\x5b\x30\xe0\x1f\x6d\xc5\x61\x33\x0f\x63\x63\x29\xc9\x7e\xc0\x5a\xe8\x29\x1d\x9a\x26\xb6\x05\xf1\xb2\x77\xc9\x32\x21\x15\x62\x6e\x29\x75\xc7\x91\xc3\xef\x10\x95\x4c\xb8\xb4\x7c\xea\x6c\xf6\x97\xeb\x9d\xb3\xbe\xcb\x11\x14\xce\x63\x92\x19\x9e\x87\xba\xc0\x43\xed\x7a\x15\x83\xdc\x66\x0b\x36\xde\xb0\x22\x1a\x79\xed\x70\xbf\x71\x3f\x3c\x9c\x88\x25\x83\x81\x4c\x2e\xca\x81\x51\xd2\x71\x71\x95\x92\xd5\xc1\xfc\x62\x66\xa2\x76\xa3\xe8\xd3\x88\x27\xb2\x90\xe1\x04\x46\x06\x99\x2d\x13\x42\x36\xa1\xae\x87\xf9\x33\x8b\x77\x41\xf2\xe8\xa7\x46\xeb\x0f\x60\x77\x62\xed\x4e\x18\x92\x3d\xba\xcf\xea\x14\x7a\xd5\x7e\xff\x61\x71\x67\xd0\xf5\x4d\xaa\xc4\x54\x37\xc5\xe6\x1b\x45\x93\x7e\x8a\xa5\xe7\xce\xef\x4c\xa2\x25\x4b\x97\x01\xa2\x2f\x57\x7f\xb6\x27\xe8\xe1\xc1\xc7\x04\x01\xae\x81\x1b\x9a\x53\xf4\xc1\x6a\x79\x43\xe3\xd8\x1b\xa3\xd9\x20\x9c\xbd\xfb\x20\x8b\x04\xce\x15\x8e\x7b\xa8\xee\x77\xb0\xb7\x5f\x52\x08\x68\x6d\xf7\x87\x12\xd2\x8f\x70\x03\x61\x15\x91\x00\x36\x9b\x63\x33\x84\xdd\xff\x44\x02\xc0\xab\x0e\x2e\xc0\xaa\x87\x18\x6a\x65\xd3\x48\x4d\x29\x21\xd6\x25\x3f\xd1\xfb\xf4\x6b\x63\xba\x72\xeb\x79\x5c\xc0\x25\x69\x0f\x1f\x48\xdb\xe3\x08\xf9\x78\xe2\xfd\x55\x13\xe2\xdd\xc0\xb0\x66\x19\x4f\xd5\x8d\x3e\xaa\x49\x69\x0b\xd7\xe7\x86\x38\x85\xeb\x5e\x2a\xc6\x87\x0d\xe8\x35\x92\x67\x5f\x74\xcf\x89\x89\xe1\x8e\x68\xf1\xb6\x06\x78\x27\x0c\xa6\xb9\xc0\xda\xf4\x44\x27\x8a\x7d\xc8\x2a\x9
7\x80\x73\x0a\xa0\x3b\xe5\x68\x13\xe8\x1d\x6f\x29\x6c\x6f\x87\xd0\x09\x96\x18\xaf\x9f\x7e\x99\x16\x49\xec\x36\x49\x72\xd4\xc8\xfb\x66\x96\x70\xec\x92\x96\xce\x17\x38\x38\xb9\xc9\x2b\xaf\x6b\xf8\x83\xc1\x34\xd2\xc1\xcb\xcd\x92\x8b\x54\x99\x1d\x4c\x00\xf4\xaa\x72\x70\xbf\x3b\xef\xeb\x10\x8e\x98\x62\xf3\x46\x88\xcc\x2d\xb3\xb7\x94\x37\x77\x67\x12\x79\xa1\x7f\x9c\x64\xc4\x0b\xd8\x48\x5e\xf5\x2e\xb9\x64\x31\x4c\x65\xaa\x34\x59\x6f\x16\xb8\x0f\x9e\xf7\x81\xc4\xe8\xee\xb0\xac\xd2\x89\x38\x6c\x1a\xe5\x06\xae\x5b\xd2\xb2\x0b\x76\x0c\xe0\xc7\x9b\x56\xb1\x34\xe2\x2f\x57\xc4\x4a\xba\xe2\xf4\xec\xad\x82\xef\xe4\x02\xa4\x3a\x47\x59\x45\x77\xa2\x4b\x79\xa9\x4c\x6f\x7a\x5e\xda\xab\xeb\x48\xfc\x5e\xc2\x7a\xec\xd8\x23\x80\xd0\xe9\x40\xa0\x33\xe8\x7a\x44\x74\xb9\x5d\x58\xa5\xfe\xc5\x9d\x80\xb0\x91\xe9\x16\x5a\x14\x32\x5b\x38\xc5\xe4\x56\x5c\x3f\x0f\x12\x6f\x8b\x2a\xdf\x83\x26\x8e\x00\x76\x64\x7d\xdd\x43\xff\x2d\x52\xd7\x73\xab\x30\x40\x88\x45\x8f\xac\x4f\xb9\x37\x9e\x20\x96\x85\x60\xa0\x75\x17\xd6\xe0\x00\x1d\x2a\x08\xc3\xc6\xc9\x78\x25\xe1\x22\x59\xea\x86\x1b\x0a\xd5\x64\x94\x50\xdf\xfb\x3a\xfa\xe4\x9c\xd3\x1e\xfb\x40\x51\x3c\x06\xb7\x95\xe0\x71\x60\x3a\x47\xd3\xc8\x39\xc4\x01\xec\xc3\x8b\x11\x7d\xf9\x38\x83\x6a\x15\xb3\x1a\x13\x5b\x58\x89\x2d\xb9\xb4\xeb\xf6\x84\xdb\x3f\x7e\xce\x8a\x9d\x60\xbc\x8c\x81\x0e\xba\x0c\xa0\xd8\x75\x83\x57\x37\xd2\x5b\x94\x8b\x39\x28\x60\xaa\x82\xcd\xd5\xff\x7c\x6b\x0b\x4d\x7a\xe1\x82\x16\x89\x49\xd9\x84\x0e\x33\x54\x5d\x61\x27\x72\x7a\xbe\x02\xdd\x01\x41\x8c\xe4\xdd\x46\xaf\x7b\x5f\x08\x44\xcb\x51\xd4\x99\x2f\x4c\xe1\x22\x3c\x23\x13\x7c\x21\x13\x61\xd0\x15\x0e\xd2\x35\xa0\x59\x8f\x9e\x1d\x81\x6a\x40\xc6\xae\xb8\xad\x56\x26\xbc\x22\xb2\xe9\x39\x57\x47\x44\x1c\xc7\x8a\x55\x8d\xed\xc4\x02\x47\x32\x48\x98\x99\x12\xa0\xaa\x71\xac\x8d\x77\x54\xde\x78\xa1\xd5\xb9\xe5\x48\xd4\xeb\xef\x22\x4e\x82\xcd\x39\x35\x24\xd7\x9b\x88\xd6\xe0\x40\x5a\xd0\x2d\xa7\x11\x7b\xa0\x37\x29\x4e\x53\x5f\xff\x4b\xb7\xbf\xca\xce\xde\x33\x48\xf0\x1d\x16\x13\x48\xf4\xee\xe1\xa5\x15\xbe\x5
3\x0e\x0f\x0e\x64\xc5\x65\x44\xd4\xae\x10\x64\x45\xcc\xe1\x41\x0c\x79\x0b\xdb\xeb\x1e\x2d\x29\x3e\x01\x2e\x02\x97\xc4\x6c\x91\x45\xdc\xcb\xd6\xff\x77\xcb\xfa\xcd\xa4\x6f\x27\xd7\x1d\x02\xde\x14\xb6\x1c\x50\x53\x33\x19\xc6\x68\xfc\xfa\xc0\x36\xc7\x86\x7d\x12\xa3\xd0\xd8\xd4\x49\xc4\x96\x69\x58\x63\x49\xf2\x23\x9c\x4f\xa5\xc2\xb8\xfd\xfc\x42\x3e\xcd\x85\xed\xcc\xf6\x85\x47\xb1\xa9\x06\x76\x4c\x5c\x03\xff\x33\x2b\x56\x3e\xae\xee\xb8\x45\x65\x35\xc6\x1e\x91\x73\x92\xa0\x3d\xfe\x6b\xeb\xf3\xdc\x57\x10\xf9\x32\xb5\x07\xe3\xf0\xcd\xfb\x6a\x9d\xd0\x35\xf0\x6d\xe0\x55\x72\xca\x94\xd8\x5b\xfb\x15\x7e\x68\x44\x8a\xb8\xb0\xc4\xd5\x96\xce\x02\x0d\xad\xef\xce\xae\x68\x15\x3e\x5f\x62\xc5\xc0\x81\x43\xf5\xdb\x49\x7a\xaf\xab\x19\xcd\x33\x0c\x37\x84\xdb\x0a\xde\x50\x5a\x29\x51\x4b\xd1\xe8\xc3\xb9\x2c\x4f\x61\x65\x36\x22\xf8\x75\xec\xac\xc9\xe6\x77\x4a\xde\xca\x1c\xa4\x2f\x63\x7c\x70\x22\x99\xa2\xd3\xf8\x81\xbe\x79\x5b\xba\x9d\xb3\x40\xe4\x80\xaa\x4e\x94\x4d\xec\x20\x21\x6b\x83\x58\x45\x5d\xcf\x8e\xed\x99\x0e\x41\xf3\x37\x64\x42\xb9\xb3\xe0\xd8\x82\x38\x77\x5b\x8b\xea\x3f\x68\x8a\xf1\x85\x39\xb2\xe8\xba\xfa\xac\xc1\xc4\x06\x4e\x9a\xe8\x87\xc6\x9d\xca\x82\xac\xad\xf3\x55\x30\x92\xe7\x87\x97\xa6\x2c\xc8\x34\x44\x1c\x22\x2f\xf2\x26\xea\x32\xd2\x03\xc0\xb1\xfa\xcc\x67\xe6\x30\x71\x6a\x3f\x96\xa0\x77\xe2\x34\x8f\x2b\xe6\xd9\x3e\xc0\x63\x1a\x5e\xf1\xbe\xd4\x10\x61\x19\xd9\x70\xe6\x22\x8f\x01\x69\x89\xa8\xfd\xf0\x1b\xda\x8e\xdd\xfd\x60\x68\xd6\x49\xb3\x95\x6e\xab\x29\xd3\x03\xf1\xfc\x68\x67\xd8\x63\xc8\x7c\x35\x39\xe8\xe9\x9c\xe2\x39\x53\xc2\x5e\xe2\xb0\x98\x57\xd2\xdf\xdd\x4c\x2d\x24\x2b\xd8\x33\xf6\xb7\xf4\xa6\x7c\xde\x78\x63\xd6\x53\xa0\x05\x21\xfa\x68\xce\x23\x1d\x06\x15\xb0\x01\x75\xec\x1f\xca\x37\x7e\x4e\x72\xf7\x8a\x8f\x8f\xbc\xa9\xda\x4f\x40\x8b\xc1\xb7\x99\x97\x1c\x16\xce\x2e\x04\xaa\x24\x32\x79\xef\xcd\xb0\x78\x43\xd2\x55\xeb\x60\x67\xe3\x73\x2b\xcf\xdf\x1c\x17\x17\x8d\x77\xd3\xdf\xf4\x24\xd6\x77\x2e\x39\xae\xc3\xbe\xf9\x59\x2a\x25\xe9\xfb\xb5\x51\x09\x52\xe5\x83\xf5\x34\xa4\xd1\xf
5\x7c\xce\xfe\x84\x55\xf3\x53\xdf\xee\xee\xdc\x8b\x3e\xa3\xd6\xc4\x1f\xf4\x16\x7d\xe5\x14\x55\x30\xf3\xdd\x70\xbc\x89\xfd\xcf\xa8\x63\xd8\xc5\x65\x20\x8d\x32\x72\xb0\x23\x8b\x97\xd9\x5c\x5a\x67\x87\x24\x15\xa2\x7e\xf0\x6f\xa2\x6c\x0f\x72\xb5\x71\xcf\xfb\x76\x23\x69\xc8\x0b\x5f\x33\x2f\x03\xa9\x75\x9f\xec\x50\xd6\x04\xa1\x8a\x69\xfb\x52\x13\x11\xfa\x17\x1e\xa6\xfa\x40\x48\x73\xde\x91\x95\xf8\x47\xd8\x1f\xd4\xba\xe3\xd5\x21\x6d\x6c\x00\xcc\x38\xd5\xc7\x5d\xad\x1e\xf6\x86\xd5\xce\x4a\xcb\xb4\x77\xfb\xf6\xc5\xad\x0b\x26\x9e\x69\x05\x4b\x4a\x59\xdb\x3c\x6e\xb0\xce\xc7\xfb\xdf\x32\xd3\x30\x6c\xeb\x5d\x10\x06\xeb\x7b\xf6\xf0\x70\x12\xb1\x16\xc9\x5f\xbf\xcf\xd9\x9e\x82\xf5\xab\xa8\xeb\xd7\xc7\x90\xc9\xf0\x40\x75\xe2\xbb\x39\x9d\x92\x29\xbe\x4a\x0e\x90\xdc\x1b\x03\x58\xee\xcf\xfa\xda\xeb\xc0\xbd\xc6\xff\x1c\xfd\x00\xdc\xeb\xc0\xa9\x0d\x7b\x96\xc9\x6f\xa5\x52\xdc\x82\x4b\x94\x4d\x95\x1d\xb7\xd2\xb6\xee\x39\x9b\x6c\x1f\x29\x65\xe5\x93\x1c\xea\x56\x1b\x9d\xda\x86\xb5\xe7\xc3\x67\x41\xc0\x4a\x97\xa0\x0b\x06\x95\xa9\xd8\x3d\x62\x9e\xb5\xde\x99\xbf\x8a\xe8\xd7\x55\xf3\x31\xe4\x02\x53\x39\x0a\xbb\x2e\x60\x49\x16\x74\x96\xd5\xca\x37\x56\x3b\xea\xbd\xa4\xf8\x2b\x2c\x9a\x58\xef\xf2\xa5\x8a\x1d\x2f\xbc\x8d\x72\xc1\x88\xd4\xb3\x39\x2b\x9b\x42\x86\xa8\x5f\x5d\xed\x71\x0f\x24\x3b\x24\x83\x2c\x54\x79\x1e\xee\x12\x09\x44\x3f\x07\xf3\x74\xea\x2a\xb6\x14\xd6\xa9\xac\x8b\x09\x81\xc3\x50\x96\x96\xc0\x58\xd3\x2f\x4a\xff\x5a\xf8\xe9\xeb\x22\x53\xed\x4f\x83\xe8\xb4\xf3\x29\x4b\x61\xc9\x0d\x54\xd3\xc3\x5f\x3d\x44\xd5\x5a\x5a\x1f\x55\xba\xc7\xe5\x97\x8b\x63\xfb\xb9\xdf\x0e\x9c\x6b\x15\x4d\x61\x24\xef\x4c\xf6\x3f\xf3\xae\x36\x10\x32\x14\x7f\x9e\xf7\x5f\x9e\xa2\xf4\xb2\x2e\xb1\x36\x93\xe2\x67\xb7\xc4\xf6\x36\x5d\xe5\x36\x86\x11\x8a\x93\x4a\x59\x8b\xa5\xa8\x17\x5e\xe5\x0f\x09\x9a\xa9\xac\xd7\xf2\xe2\xc9\xb0\x5b\x04\x4b\x3b\x06\x1b\xd1\xbb\x3b\x29\x6b\x6b\xf9\x00\xb8\x56\xa6\x44\x8d\x81\x2e\x68\xef\xd3\x1f\xef\xfd\x44\x52\x99\x0c\xd5\xf7\xcc\x02\x58\x8e\xef\xbe\xbb\x9f\x56\xab\x77\xcd\x50\x29\x89\xcd\x1
6\xe8\x9a\x44\x55\x3e\x19\x89\xd4\xdf\xfd\x97\x7b\x53\xea\x8b\x3b\x63\x6d\x62\xbb\xb2\x65\xc4\x28\x0c\xab\x59\xda\xb2\x4f\xbe\x7f\x16\x18\x0d\xfd\xdf\x62\xe4\x82\xed\x8e\xdc\xa2\x7a\x96\x7c\xe5\xfa\xe0\x32\x8b\x64\x03\xce\xe1\x7a\x6d\x63\xac\x71\xa8\xa4\x6f\x6c\xad\xdb\x53\x0c\x6d\x90\x5a\x8b\x6c\x8e\xd8\x9f\x62\x2a\x0c\x0a\x90\x67\x5c\x1f\x8d\x97\x9b\x34\xcd\x1e\x95\x4f\xa9\x15\x4f", 4096); syz_emit_ethernet(0x1000, 0x20000000); break; case 11: memcpy((void*)0x20001000, "\xc4\x62\x39\x37\x47\x7e\x66\x0f\xe3\x0c\xa4\xf3\x3e\x45\x09\x17\xc4\x61\x78\xae\x91\x72\x98\x00\x00\xc4\x63\xe1\x22\xd6\x96\xc4\x03\x7d\x7b\x05\x0f\x00\x00\x00\x00\xc4\x63\x39\x5f\x47\x3f\xad\xc4\x03\x55\x5d\x3c\x56\x00\xc4\xe2\xb5\x96\xf0\xc4\x21\xfd\x5b\xfb", 65); syz_execute_func(0x20001000); break; case 12: syz_extract_tcp_res(0x20001080, 5, 0x6fb); break; case 13: memcpy((void*)0x200010c0, "\x5d\x8d\x97\xaf\xe9\x58\xa6\xb4\x6b\x8f\xef\xfe\x29\xf0\x51\x64\xa8\xee\xd8\xf0\x35\xa6\xc4\xd8\xf6\x97\x21\x06\xc0\xf6\xa0\x43\x0f\x03\x47\xa9\xad\x29\xa9\x40\xd3\xde\x0d\x19\xdd\x63\xc0\x6d\xad\x37\xea\x1e\x10\x5f\xec\x8b\x4d\xbd\xb4\xd7\xf9\x51\x64\xff\x31\x3f\x19\x9a\xaa\x43\x10\x8e\x96\x13\xc1\xe6\x29\x58\xe7\x76\x28\x47\x15\x8e\x87\x26\x92\x4d\xcb\xda\xff\xfd\x2a\x94\x2c\x44\x0d\x0a\x80\x34\x04\x87\xaf\x0e\xb9", 105); memcpy((void*)0x20001140, 
"\xe2\xf9\x19\x3e\xea\x7f\xea\x62\xb3\x74\xa3\x15\x14\x75\xbf\x3b\xe9\x82\x5d\xbe\x21\xd3\x90\x7a\x6b\xaf\x2f\xcd\xf0\xe6\xdd\x64\xfa\x7c\xcc\xe3\x73\x4b\xa6\x62\x73\xba\x0d\xb7\xe7\x9d\x31\x4b\x54\xd1\x01\x58\xb7\xd4\xa6\x7b\x5e\x26\x4c\xd1\xfe\x32\xc6\xba\xb3\xd0\x3f\xaa\x5b\xd6\x7a\x46\x09\xb4\x8a\x17\xeb\x03\x86\x53\x8a\xfe\x3d\x83\xa4\xf1\x95\x97\x90\x97\x73\xc9\x47\x4f\x1f\x66\x85\xe5\x91\x57\xf5\xc7\x6c\x2d\xe0\x65\xf5\x09\xb7\xa7\xcf\x8e\x62\x9c\xca\x55\x3d\xcb\x44\x45\xa3\x72\x88\x31\x99\xbe\x74\x66\x34\xe8\x57\x26\x6c\x27\x58\xf8\xd5\x8d\xd0\xde\xa4\x57\x79\x02\x04\xfc\x26\xe2\x69\x27\xd5\xbb\xff\x20\xa9\x9a\xed\x0a\x95\xd8\x50\xec\x32\x21\xf4\xf1\xd8\xf1\x3a\x8f\x00\xbe\x13\x51\x9e\xf8\x98\xd3\x9d\x28\x56\x8b\xb7\x89\x4c\x39", 186); res = syz_usb_connect(0x721, 0x69, 0x200010c0, 0x20001140); if (res != -1) r[5] = res; break; case 14: syz_usb_disconnect(r[5]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'syz_usb_connect_impl': :648:63: error: unknown type name 'usb_ctrlrequest' :653:55: error: unknown type name 'usb_ctrlrequest' compiler invocation: /syzkaller/netbsd/src/../tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor826671904 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/netbsd/src/../dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/0 (1.44s) csource_test.go:123: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = fcntl$dupfd(0xffffffffffffff9c, 0xc, 0xffffffffffffff9c) r1 = dup2(0xffffffffffffffff, r0) pwrite(r1, 
&(0x7f0000000000)="5d1dd436f0f5a32b117d0f61dc010511e7e3c7f92e33630dfc7a02f9f4df14c215d8716f98892cba0ddcbbd6b2683f5e028152ebbe2d26a7e4c45673b55cf76e7795dd124f82947e0244eb08cfb0b5da0c829b1580ac64473f069f9928c1043bdeaa541829f4ef60f80ea0b9b912a974a5e98ea75423d1126815de1319a78c8127c017f8cbe86d", 0x87, 0x6) getsockname$unix(r0, &(0x7f00000000c0)=@abs, &(0x7f0000000100)=0x8) accept$inet6(r1, &(0x7f0000000140), &(0x7f0000000180)=0xc) socketpair(0x18, 0x844590f3b4efa023, 0x7f, &(0x7f00000001c0)) r2 = accept(0xffffffffffffff9c, &(0x7f0000000200)=@un=@abs, &(0x7f0000000240)=0x8) r3 = getpgrp() stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 0xffff, 0x11, &(0x7f00000003c0)={r3, r4}, 0xc) syz_emit_ethernet(0x1000, &(0x7f0000000000)="") syz_execute_func(&(0x7f0000001000)="c4623937477e660fe30ca4f33e450917c46178ae9172980000c463e122d696c4037d7b050f00000000c463395f473fadc403555d3c5600c4e2b596f0c421fd5bfb") syz_extract_tcp_res(&(0x7f0000001080), 0x5, 0x6fb) r5 = syz_usb_connect(0x721, 0x69, &(0x7f00000010c0)="5d8d97afe958a6b46b8feffe29f05164a8eed8f035a6c4d8f6972106c0f6a0430f0347a9ad29a940d3de0d19dd63c06dad37ea1e105fec8b4dbdb4d7f95164ff313f199aaa43108e9613c1e62958e7762847158e8726924dcbdafffd2a942c440d0a80340487af0eb9", &(0x7f0000001140)="e2f9193eea7fea62b374a3151475bf3be9825dbe21d3907a6baf2fcdf0e6dd64fa7ccce3734ba66273ba0db7e79d314b54d10158b7d4a67b5e264cd1fe32c6bab3d03faa5bd67a4609b48a17eb0386538afe3d83a4f19597909773c9474f1f6685e59157f5c76c2de065f509b7a7cf8e629cca553dcb4445a372883199be746634e857266c2758f8d58dd0dea457790204fc26e26927d5bbff20a99aed0a95d850ec3221f4f1d8f13a8f00be13519ef898d39d28568bb7894c39") syz_usb_disconnect(r5) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
#include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; dp = opendir(dir); if (dp == NULL) exit(1); while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } /* -------------------------------------------------------------------------- */ /* * Redefinitions to match the linux types used in common_usb.h. 
*/ struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define 
USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* 
config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; };

/* One emulated device: the fd it is keyed by plus the parsed descriptor index. */
struct usb_info {
	int fd;
	struct usb_device_index index;
};

/* Fixed-size table of devices; static storage, so unused slots start zeroed. */
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

/*
 * Builds an index over a raw descriptor blob laid out as a device descriptor
 * immediately followed by a configuration descriptor and the records after it.
 *
 * Returns false when the buffer is shorter than those two fixed descriptors,
 * true otherwise (the walk below never fails, it only stops early).
 *
 * index->dev, index->config and every ifaces[].iface point INTO buffer; only
 * endpoint descriptors are copied. The buffer therefore has to stay valid for
 * as long as the index is used.
 */
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	/* size_t narrowed into an int field; length is caller-controlled. */
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	/*
	 * The walk starts at offset 0, so the first record visited is the device
	 * descriptor itself. Each step trusts the record's own length byte.
	 */
	size_t offset = 0;
	while (true) {
		/* Need at least the two header bytes (length, type). */
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		/* A length of 0..2 would not advance past the header; stop. */
		if (desc_length <= 2)
			break;
		/* Record claims more bytes than the buffer holds; stop. */
		if (offset + desc_length > length)
			break;
		/*
		 * NOTE(review): the checks above guarantee only desc_length (> 2) bytes
		 * of this record. The interface branch reads fields beyond the first
		 * three bytes, and the endpoint branch copies sizeof(desc) bytes, without
		 * comparing desc_length to the struct size. A short record at the end of
		 * the buffer is then read past `length`. A per-type
		 * `desc_length >= sizeof(...)` check would close this.
		 */
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		/* Endpoints are attached to the most recently recorded interface. */
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			/* Endpoints beyond USB_MAX_EP_NUM are silently dropped. */
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) 
return NULL; int rv = 0; rv = parse_usb_descriptor(dev, dev_len, &usb_devices[i].index); if (!rv) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; }

/*
 * Returns the descriptor index stored for fd, or NULL if no slot carries it.
 * The acquire load pairs with the release store of the fd in add_usb_index.
 * NOTE(review): usb_devices has static storage, so never-used slots hold
 * fd == 0 and a lookup for fd 0 would match one of them - confirm callers
 * never pass 0.
 */
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

/* One caller-supplied string descriptor: byte length and pointer to the bytes. */
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

/*
 * Optional caller-supplied descriptors used to answer GET_DESCRIPTOR requests:
 * device qualifier, BOS, and strs_len string descriptors stored after the
 * header (zero-length trailing array). Lengths and pointers come straight from
 * the caller and are not validated in this file section.
 */
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptor; byte 0 is its own length (8). */
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

/* Fallback reply for string index 0; byte 0 is its own length (4). */
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

/*
 * Chooses the reply for an IN control request during connect.
 *
 * Only standard GET_DESCRIPTOR requests are answered; the descriptor type is
 * the high byte of wValue. On success *response_data / *response_length
 * describe the reply and true is returned. Returns false for an unknown fd or
 * an unhandled request.
 *
 * descs may be NULL as far as the USB_DT_STRING case is concerned (it checks),
 * but see the review notes on the BOS and DEVICE_QUALIFIER cases.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				/* Everything after the device descriptor, as recorded at parse time. */
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				/* Low byte of wValue is the string index. */
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/*
				 * NOTE(review): descs is dereferenced here without the NULL
				 * check that the USB_DT_STRING case applies.
				 */
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				/* NOTE(review): same unchecked descs dereference as USB_DT_BOS. */
				if (!descs->qual) {
					/*
					 * NOTE(review): response_data is a char**, i.e. the address
					 * of the caller's pointer variable, not a data buffer. The
					 * cast makes the stores below write the descriptor fields
					 * over that pointer (and past it if sizeof(*qual) exceeds
					 * the pointer size), and *response_data is never set to
					 * point at the synthesized descriptor. A dedicated buffer
					 * for the qualifier looks like what was intended - confirm.
					 */
					struct usb_qualifier_descriptor* qual =
					    (struct usb_qualifier_descriptor*)response_data;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/* Callback type used to decide how an OUT control request is handled. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/*
 * Generic OUT handler: accepts only a standard SET_CONFIGURATION request, and
 * sets *done when it sees one. Returns false for every other request.
 * fd and descs are not used here.
 */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

/* -------------------------------------------------------------------------- */

/* Opens the vhci control device read-write; returns the fd or open()'s error. */
static int vhci_open(void)
{
	return open("/dev/vhci", O_RDWR);
}

/* Selects the port on the vhci fd via VHCI_IOC_SET_PORT; returns ioctl()'s result. */
static int vhci_setport(int fd, u_int port)
{
	struct vhci_ioc_set_port args;
	args.port = port;
	return ioctl(fd, VHCI_IOC_SET_PORT, &args);
}

/* Issues VHCI_IOC_USB_ATTACH on the vhci fd; returns ioctl()'s result. */
static int vhci_usb_attach(int fd)
{
	return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL);
}

/*
 * Reads exactly `size` bytes into buf, looping over short reads.
 * Returns 0 once everything is read, -1 if read() fails.
 * NOTE(review): a read() that returns 0 while size > 0 is neither an error nor
 * progress here, so the loop repeats; vhci_usb_send treats `<= 0` as failure.
 */
static int vhci_usb_recv(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = read(fd, ptr, size);
		if (done < 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; ssize_t done; while (1) 
{ done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } }

/* -------------------------------------------------------------------------- */

/*
 * Attaches an emulated USB device through the vhci fd and answers its control
 * requests until the OUT callback sets `done`.
 *
 * dev/dev_len is the raw descriptor blob handed to add_usb_index; descs holds
 * the optional extra descriptors; lookup_connect_response_out decides how OUT
 * requests are handled. `speed` is accepted but not used in this body.
 *
 * Returns the vhci fd on success and -1 on failure; every failure after the
 * open goes through `err`, which closes the fd.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	struct usb_device_index* index;
	int portnum, fd, rv;
	bool done;
	portnum = procid + 1;
	if (!dev) {
		return -1;
	}
	if (portnum != 1) {
		/* For now, we support only one proc. */
		return -1;
	}
	fd = vhci_open();
	if (fd < 0) {
		return -1;
	}
	/* index is only tested for NULL below; the table is looked up again by fd later. */
	index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		goto err;
	}
	rv = vhci_setport(fd, portnum);
	if (rv != 0) {
		goto err;
	}
	rv = vhci_usb_attach(fd);
	if (rv != 0) {
		goto err;
	}
	done = false;
	while (!done) {
		vhci_request_t req;
		rv = vhci_usb_recv(fd, &req, sizeof(req));
		if (rv != 0) {
			goto err;
		}
		/* Anything other than a control request aborts the connect. */
		if (req.type != VHCI_REQ_CTRL) {
			goto err;
		}
		char* response_data = NULL;
		uint32_t response_length = 0;
		/* Staging buffer for the reply (IN) or the received payload (OUT). */
		char data[4096];
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			bool response_found = false;
			/*
			 * NOTE(review): this cast (and the one in the else branch) names
			 * the type without the `struct` keyword. The file declares only
			 * `struct usb_ctrlrequest`, with no typedef, and the build log on
			 * this page shows the source compiled with `-x c`, which is where
			 * "unknown type name 'usb_ctrlrequest'" is reported.
			 * `(const struct usb_ctrlrequest*)` would name the declared type.
			 */
			response_found = lookup_connect_response_in(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &response_data, &response_length);
			if (!response_found) {
				goto err;
			}
		} else {
			/* Same missing `struct` keyword as in the IN branch. */
			if (!lookup_connect_response_out(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &done)) {
				goto err;
			}
			/* OUT: no reply data; the length is how much payload to read. */
			response_data = NULL;
			response_length = UGETW(req.u.ctrl.wLength);
		}
		if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			/* TODO: possibly revisit */
		}
		/*
		 * Bound the length before touching data[]: anything larger than the
		 * buffer is dropped to zero (not truncated), then the length is capped
		 * at what the request asked for. Both the copy below and the OUT-path
		 * recv rely on this.
		 */
		if (response_length > sizeof(data))
			response_length = 0;
		if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length)
			response_length = UGETW(req.u.ctrl.wLength);
		if (response_data)
			memcpy(data, response_data, response_length);
		else
			memset(data, 0, response_length);
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			/* A zero-length IN reply sends nothing; rv keeps its earlier 0. */
			if (response_length > 0) {
				vhci_response_t res;
				res.size = response_length;
				/* Header first, then the payload. */
				rv = vhci_usb_send(fd, &res, sizeof(res));
				if (rv == 0)
					rv = vhci_usb_send(fd, data, response_length);
			}
		} else {
			rv = vhci_usb_recv(fd, data, response_length);
		}
		if (rv < 0) {
			goto err;
		}
	}
	sleep_ms(200);
	return fd;
err:
	close(fd);
	return -1;
}

/*
 * Pseudo-syscall entry point: unpacks the raw arguments (speed, descriptor
 * length, descriptor pointer, extra-descriptors pointer) and runs the connect
 * with the generic OUT handler. a2 and a3 are used as pointers as given.
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/*
 * Closes the fd passed in a0, waits 200 ms, and returns close()'s result.
 * The usb_devices slot recorded for that fd is not cleared here.
 */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Starts a new session and applies resource limits to the process:
 * MEMLOCK 8 MiB, FSIZE 1 MiB, STACK 1 MiB, CORE 0, NOFILE 256.
 * Exits if setsid() fails; the setrlimit() results are not checked.
 */
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

/* "none" sandbox: apply the common limits, then run the executor loop. */
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

/*
 * Calls the address in `text` as a `void (*)(void)` function and returns 0.
 * The empty asm statement only lists the constants 0..13 as register inputs;
 * presumably this is meant to leave known values in registers before the
 * call - confirm against the generator.
 */
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	((void (*)(void))(text))();
	return 0;
}

static void execute_one(void);

#define WAIT_FLAGS 0

static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; 
sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef SYS_accept #define SYS_accept 30 #endif #ifndef SYS_dup2 #define SYS_dup2 90 #endif #ifndef SYS_fcntl #define SYS_fcntl 92 #endif #ifndef SYS_getpgrp #define SYS_getpgrp 81 #endif #ifndef SYS_getsockname #define SYS_getsockname 32 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_pwrite #define SYS_pwrite 174 #endif #ifndef SYS_setsockopt #define SYS_setsockopt 105 #endif #ifndef SYS_socketpair #define SYS_socketpair 135 #endif #ifndef SYS_stat #define SYS_stat 439 #endif uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; res = syscall(SYS_fcntl, 0xffffff9c, 0xcul, 0xffffff9c); if (res != -1) r[0] = res; res = syscall(SYS_dup2, -1, r[0]); if (res != -1) r[1] = res; memcpy((void*)0x20000000, "\x5d\x1d\xd4\x36\xf0\xf5\xa3\x2b\x11\x7d\x0f\x61\xdc\x01\x05\x11\xe7\xe3\xc7\xf9\x2e\x33\x63\x0d\xfc\x7a\x02\xf9\xf4\xdf\x14\xc2\x15\xd8\x71\x6f\x98\x89\x2c\xba\x0d\xdc\xbb\xd6\xb2\x68\x3f\x5e\x02\x81\x52\xeb\xbe\x2d\x26\xa7\xe4\xc4\x56\x73\xb5\x5c\xf7\x6e\x77\x95\xdd\x12\x4f\x82\x94\x7e\x02\x44\xeb\x08\xcf\xb0\xb5\xda\x0c\x82\x9b\x15\x80\xac\x64\x47\x3f\x06\x9f\x99\x28\xc1\x04\x3b\xde\xaa\x54\x18\x29\xf4\xef\x60\xf8\x0e\xa0\xb9\xb9\x12\xa9\x74\xa5\xe9\x8e\xa7\x54\x23\xd1\x12\x68\x15\xde\x13\x19\xa7\x8c\x81\x27\xc0\x17\xf8\xcb\xe8\x6d", 135); syscall(SYS_pwrite, r[1], 0x20000000ul, 0x87ul, 6ul); *(uint32_t*)0x20000100 = 8; syscall(SYS_getsockname, r[0], 0x200000c0ul, 0x20000100ul); *(uint32_t*)0x20000180 = 0xc; syscall(SYS_accept, r[1], 0x20000140ul, 0x20000180ul); syscall(SYS_socketpair, 0x18ul, 0x844590f3b4efa023ul, 0x7f, 0x200001c0ul); *(uint32_t*)0x20000240 = 8; res = syscall(SYS_accept, 0xffffff9c, 0x20000200ul, 0x20000240ul); if (res != -1) r[2] = res; res = syscall(SYS_getpgrp); if (res != -1) r[3] = res; 
memcpy((void*)0x20000280, "./file0\000", 8); res = syscall(SYS_stat, 0x20000280ul, 0x200002c0ul); if (res != -1) r[4] = *(uint32_t*)0x200002dc; *(uint32_t*)0x200003c0 = r[3]; *(uint32_t*)0x200003c4 = r[4]; *(uint32_t*)0x200003c8 = 0; syscall(SYS_setsockopt, r[2], 0xffff, 0x11, 0x200003c0ul, 0xcul); memcpy((void*)0x20000000, "\xd2\x88\x11\xeb\x3e\xf8\x05\x7d\x4d\x7c\x72\x29\xab\x1e\x5a\x02\x15\x74\x40\xec\x59\x86\x63\x31\x4f\x52\x2e\x6a\x8f\x7e\x2b\x68\xcd\x21\x08\x34\xf1\x3e\x84\xf2\x57\xc3\x58\xe7\xe1\x97\x17\xa7\x93\x53\xa0\x60\x9a\xbf\x39\xfc\x23\xd2\x80\xe0\x31\xdb\xc3\x60\x48\xed\x67\xb3\x18\xa0\x55\x3a\x54\x1c\x84\x16\x7d\x1b\xf3\x90\x95\x1a\xbf\xd5\x37\x01\x57\xad\x02\x4b\xea\x03\x0e\x6c\x00\x3d\x2e\x50\xa9\x32\x90\x39\x93\x42\x94\x72\xcc\xa8\xbe\x88\x08\xca\x29\x15\x85\x8e\xd2\x59\x8c\x1e\x76\xf9\x8e\x66\x2b\x06\x78\xbd\xfd\x91\x86\x2b\x0a\xf8\x4e\x15\x85\xc3\x70\x9e\xeb\x1b\x8f\x06\x57\x03\xa7\x5c\x12\xe1\xfa\x87\xb7\x7d\x46\xd3\x74\xee\x21\x13\xbb\xbd\x6b\xde\xbb\x4c\xf0\x68\x7f\x79\xdb\x89\x5a\x8a\xc8\x1c\x3b\x28\x6c\x03\x42\x7e\x32\x11\xe7\x14\x20\xaf\xa9\xb5\xc9\x01\x3e\x63\x8e\xd9\x7d\xe9\x98\x3f\xb3\x34\x24\xfe\x11\xef\xd7\x82\x4c\xd6\x97\x92\x86\xd5\x9a\x5c\x79\x33\x8b\x6a\x9a\x2d\x15\xe7\x07\x91\xbd\xb5\x18\x6a\xa7\x4e\x17\x5a\x00\x49\xc1\xe3\x9d\xb5\x36\x37\x7a\x83\x54\x91\x5a\x8a\x15\x12\x5b\x8b\xe6\x2f\x01\xa9\x37\x40\xb2\x42\x8b\x18\x9e\xa4\x2e\x31\xb6\xce\x7a\xa3\x67\x6b\xf1\x46\x8b\x75\x1b\xf0\x6a\xac\xf1\x59\x04\xdb\x50\xc1\xbe\x9d\xf4\xcc\x9d\x41\x59\x9c\x57\xcf\xaf\x66\xb7\xe5\xee\x2d\x23\x72\x63\x0a\x7b\xf5\x38\xda\x78\x6d\xff\xf6\x05\x2e\x02\x55\x8a\x4d\x1c\xcf\x70\x99\xa8\xc5\x99\xc3\xc8\xb5\x15\xe8\x44\xf1\xe2\x3d\xe7\x3d\x80\x61\x27\x22\x82\x53\xa7\x05\x3b\x5e\x91\x51\x16\x85\x37\x0c\x98\x0f\xfa\x72\xe5\x55\x1f\xf0\x5f\xcb\xd9\x40\xd5\x14\xbe\xd2\x86\x0b\x87\x5b\x9a\x12\xb2\x6e\xdb\xb2\x92\xe0\xe8\xd8\xcb\xcd\x9d\xe3\xab\xa6\x8f\x7c\x14\x19\x24\x9f\xe4\x3a\x67\x54\xbf\x02\xa3\x6e\x0f\xd1\xf2\x7c\x48\xe9\xd1\x6c\x18\xed\x14\x84\xe5\x6c\
xc5\xbc\x34\x83\x51\x93\x11\xe3\x37\x54\xaf\x2f\xc4\xd3\x7c\xfa\x1c\x6e\x5f\x0d\x38\xae\x96\xa6\x21\xc0\x4d\xb0\xfd\x7d\x79\x32\x97\xe4\x98\x1f\x90\x82\x93\x7b\x93\x22\xf4\x94\xbd\x98\xb2\xf4\x3d\x9b\x5c\x19\xff\x19\xec\x17\x7c\x63\x05\xb1\x88\x00\x44\x51\x11\x76\x3c\xda\xee\xc3\x51\x68\x93\x84\x78\x3a\xe7\xcf\xf9\xb1\x06\x63\x9e\xa6\x11\xfb\x72\xe8\x6d\x68\x5e\xa0\xf6\xb6\x5d\xc3\xb9\xa2\x43\x6c\x89\x25\x73\x82\xd1\x15\x16\xa2\xb0\x66\x37\xcf\xd9\x31\xe2\xca\x4e\x62\x53\x43\xd6\xb9\x65\x25\xc5\xbf\x7d\xcc\x43\x7f\x47\x4e\x1f\xf9\xf3\xdc\xc8\x57\x40\x44\x4a\x4c\x56\x9f\x50\x37\x9b\x98\x5f\x68\x43\xac\x29\xf0\x9a\x9f\x99\x81\x9a\xe2\x10\xdb\x22\xab\x19\x34\x09\x74\x95\x7f\x1f\xbe\xa4\x1c\x58\x51\xb2\xfa\x7a\x2f\xa8\x75\x81\xa7\xfb\x42\xdb\x8c\x24\xb4\xc6\xf8\x29\xbe\x59\x2c\xa0\xd0\xcf\x1a\x2f\xe6\x7d\xec\x53\x2c\xfa\x77\xf8\xf1\x95\x5d\xa3\x35\xa8\x4d\x5a\xef\x49\x05\xa9\xa2\x36\xc6\x07\x77\x4a\x0b\x4e\xf1\xd5\x0b\x55\xbd\x49\xaa\x87\x7c\x2b\x6b\x2e\x37\xa3\xe4\xa3\xb2\x4e\x95\xfa\x55\x7b\xa8\x9a\xaf\x42\x27\xb5\xbb\x0e\x64\x0b\x46\x98\xcd\x00\x4f\x87\x0c\x7d\xaa\x9e\xa4\x41\xfd\xbe\x8b\x30\x53\xdf\xfc\xe6\x46\xc0\xb0\x6d\xf3\x23\x25\x2c\xad\xa7\xf2\x4f\xcc\x21\x62\x4e\xdf\x49\x56\x7b\x26\x93\xfe\xc0\x69\x3d\x24\x3e\x06\x7b\x21\xe2\xbe\x29\x6c\x52\xbb\x2a\x38\x1f\x47\x94\xaa\x2e\x85\xdd\x5c\xb6\x67\x7e\x94\xb7\xe0\x03\xeb\xad\x24\x57\x37\x62\xa6\x40\x97\x3c\x07\x72\x99\x4d\xa2\x8c\x64\x90\xc1\xaf\x8f\x0f\x91\x75\x4e\x71\xc7\xf3\x26\xbd\x31\xdf\xc9\xc6\xfc\x20\x76\x7d\x71\x3a\x93\x31\x7b\xcb\xe0\xa3\xef\xc9\xc5\xa8\x57\x1b\x7b\x0a\x02\x97\x77\x41\xe8\xa8\x3c\xa8\x12\x96\x14\x5e\xc9\x55\xe1\xab\x98\x2c\x7f\x46\x62\x84\x56\x2b\x52\xde\x13\x55\x68\xa1\x42\xe6\x77\xc3\x43\xf5\xeb\xd3\x37\x55\xd0\xb9\x15\x65\x64\x6d\x7c\x36\x2e\x46\x64\x00\x7c\xae\x21\x67\xdb\x5d\x0a\x93\x3e\x12\x19\xd3\xd6\xa7\x38\x75\x76\xe5\x42\xf8\x16\xfa\x51\x6d\x44\xaf\xc3\xd9\x92\x29\xd4\xf5\x7f\xa8\x3b\x89\x48\xf8\x98\xb8\x52\x8d\xed\x2c\x53\x9b\x60\x33\x49\x1c\x6d\x78\x0c\xac\xb2\xbc\x3f\x52\xc2\
x79\x4d\xe8\xdb\x39\x58\x12\xd4\xf7\xa4\x4b\x9c\x04\xd6\xfd\x3c\xa8\x6c\x68\x64\x7d\x3e\x47\x5d\xe5\x81\xed\xc3\x88\xdc\xde\x91\xb8\xb2\x4c\xd4\x2b\x91\xa1\x9e\x91\xb4\xb6\x37\xb4\x3b\x6f\xa4\xe1\x50\x44\x3e\xc7\xc0\x86\x95\xc4\x2b\xc6\xa9\x30\xb3\x08\x42\x04\x02\x3b\xfd\x15\xe1\xc0\x31\x2e\x46\xf4\x30\xe2\x6b\x0f\xcc\xa1\x52\x20\x9f\xc1\xc7\xf9\x91\xc1\x11\xbd\xcd\xa7\x2e\x19\x86\x26\x76\x6e\xaf\xc8\xcf\x54\x92\x18\x9d\x4c\xc9\xa8\xe2\xa8\xa9\xcb\x73\x89\x78\xec\xec\x37\x37\x6d\xc9\x9c\xa8\xd3\xef\xcf\xe7\x3d\xa5\x38\x96\x0e\xbf\x78\xf0\xa4\x36\x63\x76\xae\x5f\x1b\xb1\xf8\x11\xec\xce\xb6\x25\x10\x89\x78\x55\xe3\x06\x61\x04\x70\x1b\x94\xf6\x19\x13\xda\x46\x99\x31\x3c\xec\x63\xa8\x8a\x9b\xa4\x44\xa5\xfc\x01\xc0\x03\xbf\x9d\x6b\x25\x25\x04\xe4\x77\xf4\x0f\xb3\x3e\x59\x5f\x30\xac\x53\x8b\xc9\xee\xb2\x93\x72\xb7\xa9\xd1\xf6\xa2\xa9\xb0\x17\x7a\x17\x1e\x5f\x87\x9e\xab\x36\x3c\x76\x08\x61\x7c\x26\x19\x7d\xf1\xda\x9b\xaa\x02\x75\xe2\x3e\xd1\xb5\x92\xce\xbd\xcd\x6e\xf2\x2b\x36\xc4\xf2\x87\xdf\xe8\x49\xcf\x54\xea\xed\x55\x70\xff\xc4\x50\xcd\xe8\xb6\xee\x12\xef\xbc\x8d\xdf\xea\x6b\xf7\x82\xc2\x7e\x5a\x58\x16\xb6\xf0\x4f\xf5\xfe\x97\x7f\x05\xa5\xb1\x2a\x13\x64\xa6\x59\xcb\x6b\x11\xab\x7a\x16\x82\xe1\x09\x7e\x61\x87\xcd\x7c\xbb\xa8\x7e\xf4\xca\x8c\x2c\xaf\x28\x49\x99\x13\xd9\x8a\x9e\x9f\x2e\x11\xc5\x2f\x37\xfa\xf2\xcd\x20\x7b\xbe\x57\x34\xda\x0e\x91\xba\x5f\x8b\x48\xad\x59\xb1\x22\x67\x85\x50\xb2\x7f\xef\xe7\x1a\xf5\x3d\x6f\x93\x41\x04\x38\x73\x89\xb5\x93\x24\xcd\xbf\x44\x6e\xfe\x50\xdb\xd2\x3d\xb7\x41\x8e\xc6\x66\x6e\xd9\xfc\xaa\x6f\x70\xbe\xac\x9c\xa4\x2a\x90\xee\xc8\x56\x7b\xe2\x1f\xb4\x5f\x08\x86\x75\x57\x15\xf3\x17\x37\x35\x23\xdf\xeb\x84\x5a\xb7\x73\x33\xcf\x8d\xdf\x92\x62\x44\xa3\x8e\x02\x4d\xf5\xaf\x9e\xa0\x72\x53\xd0\x7a\x59\xdb\x51\x12\x3f\xd8\x11\xcc\xe2\xd2\x06\xea\xe6\x94\x3e\xc8\x75\x59\xeb\x0e\xb2\x8a\x94\xa6\x27\x83\x1e\x45\xb3\xa7\xd1\xf8\x9f\x7a\x49\xfb\xce\x7c\x5a\x6e\xd8\x1f\x4e\x68\xdd\x3c\xe2\x93\x46\xf7\xc1\x4e\x50\x64\x54\x8d\x57\xf1\x13\x63\x13\x9e\x5b\
x66\x9a\x17\x44\xbd\x99\x89\x40\x08\x27\x97\x3e\x67\xe9\x4c\xb5\x55\xb0\x8c\xf0\x45\x65\xf3\x3d\xb1\x71\x96\xd1\x65\x18\xb4\xf4\xb0\x23\x05\x3e\x86\xa7\x27\x55\x21\xfa\x5b\x20\x99\x3d\xe7\xc2\xfa\x09\x79\x7d\x92\x4d\x59\x89\x3c\xaa\x98\xd9\x7b\x58\x62\x89\xda\x8c\x9c\xc3\x81\x0c\xfd\xe8\x5b\x31\xa4\xe3\x11\x8a\x5c\xc2\xfb\x63\xe4\x07\x3d\xc2\x24\xe5\x01\xb6\x37\xc6\x66\x74\xea\xd1\xe8\x4a\x7e\x3e\x3c\xe4\xad\xaf\x0c\x72\x3e\x38\xa4\x1d\xb5\x47\xe9\xcc\x33\x82\xec\xf9\xf6\xb6\xf9\x64\xc1\xf8\x1f\xe7\x53\x65\x59\x3c\x9a\x55\x15\x2e\xc7\xc0\x50\x67\x47\x4b\xd7\x1a\x93\x70\x00\x9f\xee\x6d\x87\xf3\xee\xf6\xc9\x36\x0a\x50\x29\x41\xe9\x37\x30\x45\x41\x61\xd0\xf0\x39\x1f\x7c\x5e\xbd\xe6\x22\xf0\x5c\x1d\x67\x36\x89\x44\x39\x0b\x68\x17\x8f\xef\xb8\x25\xad\xd8\x12\xf4\x96\x86\x70\x53\x74\x01\x70\x35\x31\x66\x7c\xd5\x15\x0f\x21\x1b\x9f\xcf\xec\xf4\xee\x5e\x08\x80\xf3\x74\x8b\x9e\x7a\x74\x5e\x80\x2a\xff\xac\xc6\xb4\xaa\x5b\x5d\x83\x75\x0f\xc1\xc4\x7d\x4a\xb6\x91\x70\x90\x1e\x7f\x5e\x44\x2b\xb9\x8a\x89\x18\x60\x54\xac\xf2\x07\xa3\xcf\x70\x17\x31\x56\xc5\x59\xfd\x72\x86\x0a\x7d\x26\x79\xa2\xff\xcb\x53\x30\x20\x41\x13\xdb\xac\x6b\x3c\x3b\x69\xaa\x4f\x75\xf2\x1c\xb2\x15\x4a\x4a\x6b\x31\xc0\x25\xd5\x2a\xc5\x49\x60\x48\x3c\xed\xf3\xf1\x1a\x1a\xdf\xfe\xf2\xf1\xfe\xc9\x4a\x55\x61\xd9\x18\x68\x00\x1c\x3d\x83\x95\xff\x45\x0b\x14\x00\x95\xd6\x53\x64\x75\x37\x9f\x38\x63\x4a\xcf\x9d\xed\xff\x61\xb1\x7f\x7c\x87\xf8\xc0\x56\x6b\xe6\x25\x0c\xf4\x39\xeb\xa3\x8c\x37\x65\x39\x3a\x9e\xd1\x01\x6d\x50\x2b\xa1\x3a\x8e\xf6\xde\x35\xba\x66\x9b\x10\xa0\x00\x82\x23\xd2\xe2\xf8\x8d\x35\xfe\x0a\x73\x23\x32\x4b\xfa\xbf\x25\xa7\xac\x01\x90\x45\x49\xa2\x59\xe6\xa8\xd3\xa4\x96\x4f\x19\x7e\x94\xb8\xf9\xb3\xa3\x16\x3f\x63\x49\xe3\xda\xc7\xe0\x17\x48\xf6\x74\x79\x5c\xc3\xbd\x5a\x9a\x3a\xb5\xf2\xc1\x30\x81\x16\x7d\xf3\x7e\x37\x9e\xeb\x2e\xcf\x9c\xdf\xa2\x37\x15\x95\xf3\x08\x31\x05\x1a\xb1\x57\xac\x75\xf9\xeb\xc4\x8b\x49\x95\x59\x7e\x20\x6c\x7b\xa2\x29\xab\x30\xec\xcf\xe6\x62\x4d\x88\x49\xea\xe4\x1d\x2d\xc7\xa4\xd7\
x57\xa3\x73\xb1\xd8\x66\x95\xc4\x20\xcc\x04\xbf\x0d\xa6\x64\xa7\x56\xb4\x82\x24\x16\x3d\xe4\x41\x8b\x93\x23\x39\xd2\x99\x06\x13\x13\xa6\x34\xa4\xba\x08\x9b\x12\xf8\x5d\x4d\xa1\xd2\x7d\x51\xde\x93\x08\x31\x0e\xf6\xae\xb3\x56\x23\xd0\xa7\x72\xc5\xce\xdd\x2a\x65\x9f\xde\xf0\x92\xb4\xdf\x6a\x88\xd2\x96\x42\x00\xc2\x85\xe8\xc1\x6e\x74\x89\xb8\x1e\x41\x59\xdb\x06\x2c\xe8\xa7\xd0\xda\xb6\x51\x80\x92\x11\xed\xf0\x58\x6f\x28\x9e\xf0\x3d\xee\x7b\xb9\xf4\x38\xc1\xa3\x52\xf6\x34\x2c\x66\x4b\xfd\x35\xd2\x38\x85\xb0\x9b\xd1\xda\x62\xbd\x65\xd0\xbc\x09\xa5\xeb\x5a\xe9\x5e\xa3\x10\x88\x14\x77\x81\xc3\x35\xea\x17\x77\x72\xa2\x28\x96\x19\x1a\x7d\x15\x70\x2b\x6b\x34\x37\xce\xd8\x86\xcc\x85\xbb\x26\x86\x5c\xe8\x28\xb9\xfe\x78\xa0\x7b\x46\x3d\xf7\x33\x2f\x67\x92\xb2\xfd\x86\xd1\x7b\x1e\x98\xa4\xcc\x77\x29\xb0\x58\xc5\x98\xc9\x61\xc6\x34\xb1\x5d\x09\x73\xca\xcd\xd9\x73\x5a\x0f\x77\x78\x6a\xe2\xb0\x76\x6b\x31\x94\xa1\x27\x34\x5d\xd8\xc1\x1f\x69\xfa\x4c\x44\xcc\x5b\x30\xe0\x1f\x6d\xc5\x61\x33\x0f\x63\x63\x29\xc9\x7e\xc0\x5a\xe8\x29\x1d\x9a\x26\xb6\x05\xf1\xb2\x77\xc9\x32\x21\x15\x62\x6e\x29\x75\xc7\x91\xc3\xef\x10\x95\x4c\xb8\xb4\x7c\xea\x6c\xf6\x97\xeb\x9d\xb3\xbe\xcb\x11\x14\xce\x63\x92\x19\x9e\x87\xba\xc0\x43\xed\x7a\x15\x83\xdc\x66\x0b\x36\xde\xb0\x22\x1a\x79\xed\x70\xbf\x71\x3f\x3c\x9c\x88\x25\x83\x81\x4c\x2e\xca\x81\x51\xd2\x71\x71\x95\x92\xd5\xc1\xfc\x62\x66\xa2\x76\xa3\xe8\xd3\x88\x27\xb2\x90\xe1\x04\x46\x06\x99\x2d\x13\x42\x36\xa1\xae\x87\xf9\x33\x8b\x77\x41\xf2\xe8\xa7\x46\xeb\x0f\x60\x77\x62\xed\x4e\x18\x92\x3d\xba\xcf\xea\x14\x7a\xd5\x7e\xff\x61\x71\x67\xd0\xf5\x4d\xaa\xc4\x54\x37\xc5\xe6\x1b\x45\x93\x7e\x8a\xa5\xe7\xce\xef\x4c\xa2\x25\x4b\x97\x01\xa2\x2f\x57\x7f\xb6\x27\xe8\xe1\xc1\xc7\x04\x01\xae\x81\x1b\x9a\x53\xf4\xc1\x6a\x79\x43\xe3\xd8\x1b\xa3\xd9\x20\x9c\xbd\xfb\x20\x8b\x04\xce\x15\x8e\x7b\xa8\xee\x77\xb0\xb7\x5f\x52\x08\x68\x6d\xf7\x87\x12\xd2\x8f\x70\x03\x61\x15\x91\x00\x36\x9b\x63\x33\x84\xdd\xff\x44\x02\xc0\xab\x0e\x2e\xc0\xaa\x87\x18\x6a\x65\xd3\x48\x4d\x29\x21\xd6\
x25\x3f\xd1\xfb\xf4\x6b\x63\xba\x72\xeb\x79\x5c\xc0\x25\x69\x0f\x1f\x48\xdb\xe3\x08\xf9\x78\xe2\xfd\x55\x13\xe2\xdd\xc0\xb0\x66\x19\x4f\xd5\x8d\x3e\xaa\x49\x69\x0b\xd7\xe7\x86\x38\x85\xeb\x5e\x2a\xc6\x87\x0d\xe8\x35\x92\x67\x5f\x74\xcf\x89\x89\xe1\x8e\x68\xf1\xb6\x06\x78\x27\x0c\xa6\xb9\xc0\xda\xf4\x44\x27\x8a\x7d\xc8\x2a\x97\x80\x73\x0a\xa0\x3b\xe5\x68\x13\xe8\x1d\x6f\x29\x6c\x6f\x87\xd0\x09\x96\x18\xaf\x9f\x7e\x99\x16\x49\xec\x36\x49\x72\xd4\xc8\xfb\x66\x96\x70\xec\x92\x96\xce\x17\x38\x38\xb9\xc9\x2b\xaf\x6b\xf8\x83\xc1\x34\xd2\xc1\xcb\xcd\x92\x8b\x54\x99\x1d\x4c\x00\xf4\xaa\x72\x70\xbf\x3b\xef\xeb\x10\x8e\x98\x62\xf3\x46\x88\xcc\x2d\xb3\xb7\x94\x37\x77\x67\x12\x79\xa1\x7f\x9c\x64\xc4\x0b\xd8\x48\x5e\xf5\x2e\xb9\x64\x31\x4c\x65\xaa\x34\x59\x6f\x16\xb8\x0f\x9e\xf7\x81\xc4\xe8\xee\xb0\xac\xd2\x89\x38\x6c\x1a\xe5\x06\xae\x5b\xd2\xb2\x0b\x76\x0c\xe0\xc7\x9b\x56\xb1\x34\xe2\x2f\x57\xc4\x4a\xba\xe2\xf4\xec\xad\x82\xef\xe4\x02\xa4\x3a\x47\x59\x45\x77\xa2\x4b\x79\xa9\x4c\x6f\x7a\x5e\xda\xab\xeb\x48\xfc\x5e\xc2\x7a\xec\xd8\x23\x80\xd0\xe9\x40\xa0\x33\xe8\x7a\x44\x74\xb9\x5d\x58\xa5\xfe\xc5\x9d\x80\xb0\x91\xe9\x16\x5a\x14\x32\x5b\x38\xc5\xe4\x56\x5c\x3f\x0f\x12\x6f\x8b\x2a\xdf\x83\x26\x8e\x00\x76\x64\x7d\xdd\x43\xff\x2d\x52\xd7\x73\xab\x30\x40\x88\x45\x8f\xac\x4f\xb9\x37\x9e\x20\x96\x85\x60\xa0\x75\x17\xd6\xe0\x00\x1d\x2a\x08\xc3\xc6\xc9\x78\x25\xe1\x22\x59\xea\x86\x1b\x0a\xd5\x64\x94\x50\xdf\xfb\x3a\xfa\xe4\x9c\xd3\x1e\xfb\x40\x51\x3c\x06\xb7\x95\xe0\x71\x60\x3a\x47\xd3\xc8\x39\xc4\x01\xec\xc3\x8b\x11\x7d\xf9\x38\x83\x6a\x15\xb3\x1a\x13\x5b\x58\x89\x2d\xb9\xb4\xeb\xf6\x84\xdb\x3f\x7e\xce\x8a\x9d\x60\xbc\x8c\x81\x0e\xba\x0c\xa0\xd8\x75\x83\x57\x37\xd2\x5b\x94\x8b\x39\x28\x60\xaa\x82\xcd\xd5\xff\x7c\x6b\x0b\x4d\x7a\xe1\x82\x16\x89\x49\xd9\x84\x0e\x33\x54\x5d\x61\x27\x72\x7a\xbe\x02\xdd\x01\x41\x8c\xe4\xdd\x46\xaf\x7b\x5f\x08\x44\xcb\x51\xd4\x99\x2f\x4c\xe1\x22\x3c\x23\x13\x7c\x21\x13\x61\xd0\x15\x0e\xd2\x35\xa0\x59\x8f\x9e\x1d\x81\x6a\x40\xc6\xae\xb8\xad\x56\x26\xbc\x22\xb2\
xe9\x39\x57\x47\x44\x1c\xc7\x8a\x55\x8d\xed\xc4\x02\x47\x32\x48\x98\x99\x12\xa0\xaa\x71\xac\x8d\x77\x54\xde\x78\xa1\xd5\xb9\xe5\x48\xd4\xeb\xef\x22\x4e\x82\xcd\x39\x35\x24\xd7\x9b\x88\xd6\xe0\x40\x5a\xd0\x2d\xa7\x11\x7b\xa0\x37\x29\x4e\x53\x5f\xff\x4b\xb7\xbf\xca\xce\xde\x33\x48\xf0\x1d\x16\x13\x48\xf4\xee\xe1\xa5\x15\xbe\x53\x0e\x0f\x0e\x64\xc5\x65\x44\xd4\xae\x10\x64\x45\xcc\xe1\x41\x0c\x79\x0b\xdb\xeb\x1e\x2d\x29\x3e\x01\x2e\x02\x97\xc4\x6c\x91\x45\xdc\xcb\xd6\xff\x77\xcb\xfa\xcd\xa4\x6f\x27\xd7\x1d\x02\xde\x14\xb6\x1c\x50\x53\x33\x19\xc6\x68\xfc\xfa\xc0\x36\xc7\x86\x7d\x12\xa3\xd0\xd8\xd4\x49\xc4\x96\x69\x58\x63\x49\xf2\x23\x9c\x4f\xa5\xc2\xb8\xfd\xfc\x42\x3e\xcd\x85\xed\xcc\xf6\x85\x47\xb1\xa9\x06\x76\x4c\x5c\x03\xff\x33\x2b\x56\x3e\xae\xee\xb8\x45\x65\x35\xc6\x1e\x91\x73\x92\xa0\x3d\xfe\x6b\xeb\xf3\xdc\x57\x10\xf9\x32\xb5\x07\xe3\xf0\xcd\xfb\x6a\x9d\xd0\x35\xf0\x6d\xe0\x55\x72\xca\x94\xd8\x5b\xfb\x15\x7e\x68\x44\x8a\xb8\xb0\xc4\xd5\x96\xce\x02\x0d\xad\xef\xce\xae\x68\x15\x3e\x5f\x62\xc5\xc0\x81\x43\xf5\xdb\x49\x7a\xaf\xab\x19\xcd\x33\x0c\x37\x84\xdb\x0a\xde\x50\x5a\x29\x51\x4b\xd1\xe8\xc3\xb9\x2c\x4f\x61\x65\x36\x22\xf8\x75\xec\xac\xc9\xe6\x77\x4a\xde\xca\x1c\xa4\x2f\x63\x7c\x70\x22\x99\xa2\xd3\xf8\x81\xbe\x79\x5b\xba\x9d\xb3\x40\xe4\x80\xaa\x4e\x94\x4d\xec\x20\x21\x6b\x83\x58\x45\x5d\xcf\x8e\xed\x99\x0e\x41\xf3\x37\x64\x42\xb9\xb3\xe0\xd8\x82\x38\x77\x5b\x8b\xea\x3f\x68\x8a\xf1\x85\x39\xb2\xe8\xba\xfa\xac\xc1\xc4\x06\x4e\x9a\xe8\x87\xc6\x9d\xca\x82\xac\xad\xf3\x55\x30\x92\xe7\x87\x97\xa6\x2c\xc8\x34\x44\x1c\x22\x2f\xf2\x26\xea\x32\xd2\x03\xc0\xb1\xfa\xcc\x67\xe6\x30\x71\x6a\x3f\x96\xa0\x77\xe2\x34\x8f\x2b\xe6\xd9\x3e\xc0\x63\x1a\x5e\xf1\xbe\xd4\x10\x61\x19\xd9\x70\xe6\x22\x8f\x01\x69\x89\xa8\xfd\xf0\x1b\xda\x8e\xdd\xfd\x60\x68\xd6\x49\xb3\x95\x6e\xab\x29\xd3\x03\xf1\xfc\x68\x67\xd8\x63\xc8\x7c\x35\x39\xe8\xe9\x9c\xe2\x39\x53\xc2\x5e\xe2\xb0\x98\x57\xd2\xdf\xdd\x4c\x2d\x24\x2b\xd8\x33\xf6\xb7\xf4\xa6\x7c\xde\x78\x63\xd6\x53\xa0\x05\x21\xfa\x68\xce\x23\x1d\x06\
x15\xb0\x01\x75\xec\x1f\xca\x37\x7e\x4e\x72\xf7\x8a\x8f\x8f\xbc\xa9\xda\x4f\x40\x8b\xc1\xb7\x99\x97\x1c\x16\xce\x2e\x04\xaa\x24\x32\x79\xef\xcd\xb0\x78\x43\xd2\x55\xeb\x60\x67\xe3\x73\x2b\xcf\xdf\x1c\x17\x17\x8d\x77\xd3\xdf\xf4\x24\xd6\x77\x2e\x39\xae\xc3\xbe\xf9\x59\x2a\x25\xe9\xfb\xb5\x51\x09\x52\xe5\x83\xf5\x34\xa4\xd1\xf5\x7c\xce\xfe\x84\x55\xf3\x53\xdf\xee\xee\xdc\x8b\x3e\xa3\xd6\xc4\x1f\xf4\x16\x7d\xe5\x14\x55\x30\xf3\xdd\x70\xbc\x89\xfd\xcf\xa8\x63\xd8\xc5\x65\x20\x8d\x32\x72\xb0\x23\x8b\x97\xd9\x5c\x5a\x67\x87\x24\x15\xa2\x7e\xf0\x6f\xa2\x6c\x0f\x72\xb5\x71\xcf\xfb\x76\x23\x69\xc8\x0b\x5f\x33\x2f\x03\xa9\x75\x9f\xec\x50\xd6\x04\xa1\x8a\x69\xfb\x52\x13\x11\xfa\x17\x1e\xa6\xfa\x40\x48\x73\xde\x91\x95\xf8\x47\xd8\x1f\xd4\xba\xe3\xd5\x21\x6d\x6c\x00\xcc\x38\xd5\xc7\x5d\xad\x1e\xf6\x86\xd5\xce\x4a\xcb\xb4\x77\xfb\xf6\xc5\xad\x0b\x26\x9e\x69\x05\x4b\x4a\x59\xdb\x3c\x6e\xb0\xce\xc7\xfb\xdf\x32\xd3\x30\x6c\xeb\x5d\x10\x06\xeb\x7b\xf6\xf0\x70\x12\xb1\x16\xc9\x5f\xbf\xcf\xd9\x9e\x82\xf5\xab\xa8\xeb\xd7\xc7\x90\xc9\xf0\x40\x75\xe2\xbb\x39\x9d\x92\x29\xbe\x4a\x0e\x90\xdc\x1b\x03\x58\xee\xcf\xfa\xda\xeb\xc0\xbd\xc6\xff\x1c\xfd\x00\xdc\xeb\xc0\xa9\x0d\x7b\x96\xc9\x6f\xa5\x52\xdc\x82\x4b\x94\x4d\x95\x1d\xb7\xd2\xb6\xee\x39\x9b\x6c\x1f\x29\x65\xe5\x93\x1c\xea\x56\x1b\x9d\xda\x86\xb5\xe7\xc3\x67\x41\xc0\x4a\x97\xa0\x0b\x06\x95\xa9\xd8\x3d\x62\x9e\xb5\xde\x99\xbf\x8a\xe8\xd7\x55\xf3\x31\xe4\x02\x53\x39\x0a\xbb\x2e\x60\x49\x16\x74\x96\xd5\xca\x37\x56\x3b\xea\xbd\xa4\xf8\x2b\x2c\x9a\x58\xef\xf2\xa5\x8a\x1d\x2f\xbc\x8d\x72\xc1\x88\xd4\xb3\x39\x2b\x9b\x42\x86\xa8\x5f\x5d\xed\x71\x0f\x24\x3b\x24\x83\x2c\x54\x79\x1e\xee\x12\x09\x44\x3f\x07\xf3\x74\xea\x2a\xb6\x14\xd6\xa9\xac\x8b\x09\x81\xc3\x50\x96\x96\xc0\x58\xd3\x2f\x4a\xff\x5a\xf8\xe9\xeb\x22\x53\xed\x4f\x83\xe8\xb4\xf3\x29\x4b\x61\xc9\x0d\x54\xd3\xc3\x5f\x3d\x44\xd5\x5a\x5a\x1f\x55\xba\xc7\xe5\x97\x8b\x63\xfb\xb9\xdf\x0e\x9c\x6b\x15\x4d\x61\x24\xef\x4c\xf6\x3f\xf3\xae\x36\x10\x32\x14\x7f\x9e\xf7\x5f\x9e\xa2\xf4\xb2\x2e\xb1\x36\
x93\xe2\x67\xb7\xc4\xf6\x36\x5d\xe5\x36\x86\x11\x8a\x93\x4a\x59\x8b\xa5\xa8\x17\x5e\xe5\x0f\x09\x9a\xa9\xac\xd7\xf2\xe2\xc9\xb0\x5b\x04\x4b\x3b\x06\x1b\xd1\xbb\x3b\x29\x6b\x6b\xf9\x00\xb8\x56\xa6\x44\x8d\x81\x2e\x68\xef\xd3\x1f\xef\xfd\x44\x52\x99\x0c\xd5\xf7\xcc\x02\x58\x8e\xef\xbe\xbb\x9f\x56\xab\x77\xcd\x50\x29\x89\xcd\x16\xe8\x9a\x44\x55\x3e\x19\x89\xd4\xdf\xfd\x97\x7b\x53\xea\x8b\x3b\x63\x6d\x62\xbb\xb2\x65\xc4\x28\x0c\xab\x59\xda\xb2\x4f\xbe\x7f\x16\x18\x0d\xfd\xdf\x62\xe4\x82\xed\x8e\xdc\xa2\x7a\x96\x7c\xe5\xfa\xe0\x32\x8b\x64\x03\xce\xe1\x7a\x6d\x63\xac\x71\xa8\xa4\x6f\x6c\xad\xdb\x53\x0c\x6d\x90\x5a\x8b\x6c\x8e\xd8\x9f\x62\x2a\x0c\x0a\x90\x67\x5c\x1f\x8d\x97\x9b\x34\xcd\x1e\x95\x4f\xa9\x15\x4f", 4096); memcpy((void*)0x20001000, "\xc4\x62\x39\x37\x47\x7e\x66\x0f\xe3\x0c\xa4\xf3\x3e\x45\x09\x17\xc4\x61\x78\xae\x91\x72\x98\x00\x00\xc4\x63\xe1\x22\xd6\x96\xc4\x03\x7d\x7b\x05\x0f\x00\x00\x00\x00\xc4\x63\x39\x5f\x47\x3f\xad\xc4\x03\x55\x5d\x3c\x56\x00\xc4\xe2\xb5\x96\xf0\xc4\x21\xfd\x5b\xfb", 65); syz_execute_func(0x20001000); memcpy((void*)0x200010c0, "\x5d\x8d\x97\xaf\xe9\x58\xa6\xb4\x6b\x8f\xef\xfe\x29\xf0\x51\x64\xa8\xee\xd8\xf0\x35\xa6\xc4\xd8\xf6\x97\x21\x06\xc0\xf6\xa0\x43\x0f\x03\x47\xa9\xad\x29\xa9\x40\xd3\xde\x0d\x19\xdd\x63\xc0\x6d\xad\x37\xea\x1e\x10\x5f\xec\x8b\x4d\xbd\xb4\xd7\xf9\x51\x64\xff\x31\x3f\x19\x9a\xaa\x43\x10\x8e\x96\x13\xc1\xe6\x29\x58\xe7\x76\x28\x47\x15\x8e\x87\x26\x92\x4d\xcb\xda\xff\xfd\x2a\x94\x2c\x44\x0d\x0a\x80\x34\x04\x87\xaf\x0e\xb9", 105); memcpy((void*)0x20001140, 
"\xe2\xf9\x19\x3e\xea\x7f\xea\x62\xb3\x74\xa3\x15\x14\x75\xbf\x3b\xe9\x82\x5d\xbe\x21\xd3\x90\x7a\x6b\xaf\x2f\xcd\xf0\xe6\xdd\x64\xfa\x7c\xcc\xe3\x73\x4b\xa6\x62\x73\xba\x0d\xb7\xe7\x9d\x31\x4b\x54\xd1\x01\x58\xb7\xd4\xa6\x7b\x5e\x26\x4c\xd1\xfe\x32\xc6\xba\xb3\xd0\x3f\xaa\x5b\xd6\x7a\x46\x09\xb4\x8a\x17\xeb\x03\x86\x53\x8a\xfe\x3d\x83\xa4\xf1\x95\x97\x90\x97\x73\xc9\x47\x4f\x1f\x66\x85\xe5\x91\x57\xf5\xc7\x6c\x2d\xe0\x65\xf5\x09\xb7\xa7\xcf\x8e\x62\x9c\xca\x55\x3d\xcb\x44\x45\xa3\x72\x88\x31\x99\xbe\x74\x66\x34\xe8\x57\x26\x6c\x27\x58\xf8\xd5\x8d\xd0\xde\xa4\x57\x79\x02\x04\xfc\x26\xe2\x69\x27\xd5\xbb\xff\x20\xa9\x9a\xed\x0a\x95\xd8\x50\xec\x32\x21\xf4\xf1\xd8\xf1\x3a\x8f\x00\xbe\x13\x51\x9e\xf8\x98\xd3\x9d\x28\x56\x8b\xb7\x89\x4c\x39", 186); res = syz_usb_connect(0x721, 0x69, 0x200010c0, 0x20001140); if (res != -1) r[5] = res; syz_usb_disconnect(r[5]); } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'syz_usb_connect_impl': :546:63: error: unknown type name 'usb_ctrlrequest' :551:55: error: unknown type name 'usb_ctrlrequest' compiler invocation: /syzkaller/netbsd/src/../tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor009819966 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/netbsd/src/../dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/10 (1.43s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false UseTmpDir:false HandleSegv:false Repro:false Trace:false} program: r0 = fcntl$dupfd(0xffffffffffffff9c, 0xc, 0xffffffffffffff9c) r1 = dup2(0xffffffffffffffff, r0) pwrite(r1, 
&(0x7f0000000000)="5d1dd436f0f5a32b117d0f61dc010511e7e3c7f92e33630dfc7a02f9f4df14c215d8716f98892cba0ddcbbd6b2683f5e028152ebbe2d26a7e4c45673b55cf76e7795dd124f82947e0244eb08cfb0b5da0c829b1580ac64473f069f9928c1043bdeaa541829f4ef60f80ea0b9b912a974a5e98ea75423d1126815de1319a78c8127c017f8cbe86d", 0x87, 0x6) getsockname$unix(r0, &(0x7f00000000c0)=@abs, &(0x7f0000000100)=0x8) accept$inet6(r1, &(0x7f0000000140), &(0x7f0000000180)=0xc) socketpair(0x18, 0x844590f3b4efa023, 0x7f, &(0x7f00000001c0)) r2 = accept(0xffffffffffffff9c, &(0x7f0000000200)=@un=@abs, &(0x7f0000000240)=0x8) r3 = getpgrp() stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 0xffff, 0x11, &(0x7f00000003c0)={r3, r4}, 0xc) syz_emit_ethernet(0x1000, &(0x7f0000000000)="") syz_execute_func(&(0x7f0000001000)="c4623937477e660fe30ca4f33e450917c46178ae9172980000c463e122d696c4037d7b050f00000000c463395f473fadc403555d3c5600c4e2b596f0c421fd5bfb") syz_extract_tcp_res(&(0x7f0000001080), 0x5, 0x6fb) r5 = syz_usb_connect(0x721, 0x69, &(0x7f00000010c0)="5d8d97afe958a6b46b8feffe29f05164a8eed8f035a6c4d8f6972106c0f6a0430f0347a9ad29a940d3de0d19dd63c06dad37ea1e105fec8b4dbdb4d7f95164ff313f199aaa43108e9613c1e62958e7762847158e8726924dcbdafffd2a942c440d0a80340487af0eb9", &(0x7f0000001140)="e2f9193eea7fea62b374a3151475bf3be9825dbe21d3907a6baf2fcdf0e6dd64fa7ccce3734ba66273ba0db7e79d314b54d10158b7d4a67b5e264cd1fe32c6bab3d03faa5bd67a4609b48a17eb0386538afe3d83a4f19597909773c9474f1f6685e59157f5c76c2de065f509b7a7cf8e629cca553dcb4445a372883199be746634e857266c2758f8d58dd0dea457790204fc26e26927d5bbff20a99aed0a95d850ec3221f4f1d8f13a8f00be13519ef898d39d28568bb7894c39") syz_usb_disconnect(r5) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
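#include #include #include #include
static unsigned long long procid;

/*
 * SIGKILL the child `pid`, then reap children until `pid` itself is
 * collected. waitpid(-1, ...) may return other children first; those are
 * discarded. On return *status holds the last status waitpid() wrote.
 */
static void kill_and_wait(int pid, int* status)
{
	kill(pid, SIGKILL);
	while (waitpid(-1, status, 0) != pid) {
	}
}

/* Sleep for `ms` milliseconds. */
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

/* Milliseconds on CLOCK_MONOTONIC; exits the process if the clock is unreadable. */
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/*
 * Start a thread running fn(arg) with a 128 KiB stack.
 * Retries up to 100 times while creation fails with EAGAIN and exits the
 * process on any other failure or when the retries run out.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i;
	for (i = 0; i < 100; i++) {
		/*
		 * pthread_create() reports failure through its return value;
		 * it is not specified to set errno, so test the return code.
		 */
		int rc = pthread_create(&th, &attr, fn, arg);
		if (rc == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (rc == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

/* One-shot event flag: `state` is 0 (clear) or 1 (set). */
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

/* Initialise the mutex and condition variable; exits on failure. */
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

/* Clear the flag. Note: done without taking ev->mu. */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/* Set the flag and wake all waiters; exits if the flag was already set. */
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

/* Block until the flag is set. */
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

/* Return the current flag value, read under the mutex. */
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

/*
 * Wait up to `timeout` milliseconds for the flag.
 * Returns the flag value observed when the wait ended (1 = set, 0 = timed out).
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		/*
		 * pthread_cond_timedwait() takes an ABSOLUTE deadline. The
		 * condition variable was created with default attributes, so
		 * the deadline is measured on CLOCK_REALTIME. Passing only the
		 * remaining interval names a time far in the past and turns
		 * the wait into a busy loop.
		 */
		struct timespec ts;
		if (clock_gettime(CLOCK_REALTIME, &ts))
			exit(1);
		ts.tv_sec += remain / 1000;
		ts.tv_nsec += (remain % 1000) * 1000 * 1000;
		if (ts.tv_nsec >= 1000000000L) {
			ts.tv_sec++;
			ts.tv_nsec -= 1000000000L;
		}
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		/* The overall budget is still enforced on the monotonic clock. */
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}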
/* -------------------------------------------------------------------------- */

/*
 * Redefinitions to match the linux types used in common_usb.h.
 *
 * Every descriptor struct below is declared packed, i.e. without padding
 * between members. The parser in this listing casts raw descriptor bytes to
 * these types, so the member order and sizes are the byte layout.
 */

/* Endpoint descriptor (9 bytes as declared here). */
struct usb_endpoint_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t bInterval;
	uint8_t bRefresh;
	uint8_t bSynchAddress;
} __attribute__((packed));

/* Device descriptor (18 bytes as declared here). */
struct usb_device_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint16_t idVendor;
	uint16_t idProduct;
	uint16_t bcdDevice;
	uint8_t iManufacturer;
	uint8_t iProduct;
	uint8_t iSerialNumber;
	uint8_t bNumConfigurations;
} __attribute__((packed));

/* Configuration descriptor header (9 bytes as declared here). */
struct usb_config_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t wTotalLength;
	uint8_t bNumInterfaces;
	uint8_t bConfigurationValue;
	uint8_t iConfiguration;
	uint8_t bmAttributes;
	uint8_t bMaxPower;
} __attribute__((packed));

/* Interface descriptor (9 bytes as declared here). */
struct usb_interface_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bNumEndpoints;
	uint8_t bInterfaceClass;
	uint8_t bInterfaceSubClass;
	uint8_t bInterfaceProtocol;
	uint8_t iInterface;
} __attribute__((packed));

/*
 * Control request header (8 bytes as declared here). C has no implicit
 * typedef for struct tags: users must spell `struct usb_ctrlrequest`.
 */
struct usb_ctrlrequest {
	uint8_t bRequestType;
	uint8_t bRequest;
	uint16_t wValue;
	uint16_t wIndex;
	uint16_t wLength;
} __attribute__((packed));

/* Device qualifier descriptor (10 bytes as declared here). */
struct usb_qualifier_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint8_t bNumConfigurations;
	uint8_t bRESERVED;
} __attribute__((packed));

/* Request-type field: bits 5-6 of bRequestType. */
#define USB_TYPE_MASK (0x03 << 5)
#define USB_TYPE_STANDARD (0x00 << 5)
#define USB_TYPE_CLASS (0x01 << 5)
#define USB_TYPE_VENDOR (0x02 << 5)
#define USB_TYPE_RESERVED (0x03 << 5)

/* Descriptor type codes (compared against the second byte of a descriptor). */
#define USB_DT_DEVICE 0x01
#define USB_DT_CONFIG 0x02
#define USB_DT_STRING 0x03
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT 0x05
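#define USB_DT_DEVICE_QUALIFIER 0x06
#define USB_DT_OTHER_SPEED_CONFIG 0x07
#define USB_DT_INTERFACE_POWER 0x08
#define USB_DT_OTG 0x09
#define USB_DT_DEBUG 0x0a
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
#define USB_DT_SECURITY 0x0c
#define USB_DT_KEY 0x0d
#define USB_DT_ENCRYPTION_TYPE 0x0e
#define USB_DT_BOS 0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define USB_DT_WIRELESS_ENDPOINT_COMP 0x11
#define USB_DT_WIRE_ADAPTER 0x21
#define USB_DT_RPIPE 0x22
#define USB_DT_CS_RADIO_CONTROL 0x23
#define USB_DT_PIPE_USAGE 0x24
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31

/* bRequest codes for control requests. */
#define USB_REQ_GET_STATUS 0x00
#define USB_REQ_CLEAR_FEATURE 0x01
#define USB_REQ_SET_FEATURE 0x03
#define USB_REQ_SET_ADDRESS 0x05
#define USB_REQ_GET_DESCRIPTOR 0x06
#define USB_REQ_SET_DESCRIPTOR 0x07
#define USB_REQ_GET_CONFIGURATION 0x08
#define USB_REQ_SET_CONFIGURATION 0x09
#define USB_REQ_GET_INTERFACE 0x0A
#define USB_REQ_SET_INTERFACE 0x0B
#define USB_REQ_SYNCH_FRAME 0x0C
#define USB_REQ_SET_SEL 0x30
#define USB_REQ_SET_ISOCH_DELAY 0x31
#define USB_REQ_SET_ENCRYPTION 0x0D
#define USB_REQ_GET_ENCRYPTION 0x0E
#define USB_REQ_RPIPE_ABORT 0x0E
#define USB_REQ_SET_HANDSHAKE 0x0F
#define USB_REQ_RPIPE_RESET 0x0F
#define USB_REQ_GET_HANDSHAKE 0x10
#define USB_REQ_SET_CONNECTION 0x11
#define USB_REQ_SET_SECURITY_DATA 0x12
#define USB_REQ_GET_SECURITY_DATA 0x13
#define USB_REQ_SET_WUSB_DATA 0x14
#define USB_REQ_LOOPBACK_DATA_WRITE 0x15
#define USB_REQ_LOOPBACK_DATA_READ 0x16
#define USB_REQ_SET_INTERFACE_DS 0x17
#define USB_REQ_GET_PARTNER_PDO 20
#define USB_REQ_GET_BATTERY_STATUS 21
#define USB_REQ_SET_PDO 22
#define USB_REQ_GET_VDM 23
#define USB_REQ_SEND_VDM 24

/* Capacity limits of the descriptor index tables below. */
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

/* A copy of one endpoint descriptor plus a handle slot (unused in this listing). */
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

/* One interface found in the configuration blob and the endpoints that follow it. */
struct usb_iface_index {
	struct usb_interface_descriptor* iface; /* points INTO the caller's buffer */
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

/* Parsed view of a device + configuration descriptor blob. */
struct usb_device_index {
	struct usb_device_descriptor* dev; /* points INTO the caller's buffer */
	struct usb_config_descriptor* config; /* points INTO the caller's buffer */
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

/* Association between an open vhci fd and its parsed descriptors. */
struct usb_info {
	int fd;
	struct usb_device_index index;
};

static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

/*
 * Build `index` from a descriptor blob of `length` bytes.
 *
 * The blob is expected to start with a device descriptor immediately followed
 * by a configuration descriptor. Returns false if it is too short for those
 * two. The blob is program-supplied and may be malformed: every read below is
 * bounded by `length`, not by the length a descriptor claims for itself.
 * `index` keeps pointers into `buffer`, so the buffer must outlive the index.
 */
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		size_t avail = length - offset;
		/*
		 * A descriptor may claim as little as 3 bytes. Index an
		 * interface only when a whole interface descriptor fits in the
		 * buffer, so the field reads below stay in bounds.
		 */
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM &&
		    avail >= sizeof(struct usb_interface_descriptor)) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				/*
				 * Copy at most what the buffer still holds. A
				 * short endpoint descriptor at the very end of
				 * the blob is still indexed; the bytes that are
				 * not there stay zero from the memset above.
				 */
				size_t copy = sizeof(iface->eps[iface->eps_num].desc);
				if (copy > avail)
					copy = avail;
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, copy);
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

/*
 * Reserve the next usb_devices slot, parse `dev` into it and publish `fd`.
 * Returns the slot's index, or NULL when the table is full or parsing fails.
 * A slot taken by a failed call is not given back.
 */
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	int rv = 0;
	rv = parse_usb_descriptor(dev, dev_len, &usb_devices[i].index);
	if (!rv)
		return NULL;
	/* Release store pairs with the acquire load in lookup_usb_index(). */
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

/* Find the descriptor index registered for `fd`, or NULL. */
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

/* Program-supplied string descriptor: `len` bytes at `str`. */
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

/* Optional program-supplied qualifier, BOS and string descriptors. */
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptors; byte 0 is the descriptor's own length. */
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

/*
 * Choose the reply to a device-to-host (IN) control request.
 *
 * Only standard GET_DESCRIPTOR requests are answered. On success stores the
 * reply pointer and length through response_data / response_length and
 * returns true; returns false for anything it cannot answer. The caller
 * copies the reply out immediately and clamps the length.
 *
 * `descs` comes from the program and may be NULL: the string case already
 * allowed for that, the BOS and qualifier cases now do as well.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* High byte of wValue selects the descriptor type. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/* No descriptor set supplied: nothing to answer with. */
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					/*
					 * Synthesize a qualifier from the device
					 * descriptor. The previous code wrote the
					 * 10-byte struct through `response_data`
					 * itself, i.e. over the caller's pointer
					 * variable: that overran the variable and
					 * left a garbage pointer for the caller's
					 * memcpy(). Build it in dedicated per-thread
					 * storage and hand back its address.
					 */
					static __thread struct usb_qualifier_descriptor synth_qual;
					synth_qual.bLength = sizeof(synth_qual);
					synth_qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					synth_qual.bcdUSB = index->dev->bcdUSB;
					synth_qual.bDeviceClass = index->dev->bDeviceClass;
					synth_qual.bDeviceSubClass = index->dev->bDeviceSubClass;
					synth_qual.bDeviceProtocol = index->dev->bDeviceProtocol;
					synth_qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					synth_qual.bNumConfigurations = index->dev->bNumConfigurations;
					synth_qual.bRESERVED = 0;
					*response_data = (char*)&synth_qual;
					*response_length = sizeof(synth_qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/* Handler type for host-to-device (OUT) control requests during connect. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/*
 * Default OUT handler: accepts only the standard SET_CONFIGURATION request
 * and sets *done, which ends the connect loop. Everything else is rejected.
 */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

/* -------------------------------------------------------------------------- */

/* Open the vhci control device read/write; returns the fd or -1. */
static int vhci_open(void)
{
	return open("/dev/vhci", O_RDWR);
}

/* Select the port that later operations on `fd` apply to. */
static int vhci_setport(int fd, u_int port)
{
	struct vhci_ioc_set_port args;
	args.port = port;
	return ioctl(fd, VHCI_IOC_SET_PORT, &args);
}

/* Attach a device on the selected port. */
static int vhci_usb_attach(int fd)
{
	return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL);
}

/*
 * Read exactly `size` bytes from `fd` into `buf`.
 * Returns 0 on success, -1 on a read error or on end-of-file before `size`
 * bytes arrived. A request for 0 bytes succeeds.
 */
static int vhci_usb_recv(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = read(fd, ptr, size);
		if (done < 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		/*
		 * A zero-byte read with data still owed would otherwise loop
		 * forever; vhci_usb_send() already treats it as an error.
		 */
		if (done == 0)
			return -1;
		size -= done;
		ptr += done;
	}
}

/*
 * Write exactly `size` bytes from `buf` to `fd`.
 * Returns 0 on success, -1 on a write error or a zero-byte write.
 */
static int vhci_usb_send(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = write(fd, ptr, size);
		if (done <= 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

/* -------------------------------------------------------------------------- */

/*
 * Emulate connecting a USB device through /dev/vhci.
 *
 * Opens vhci, indexes the `dev_len`-byte descriptor blob at `dev`, attaches
 * on port procid + 1, then answers control requests until the OUT handler
 * reports completion. Returns the vhci fd on success, -1 on any failure (the
 * fd is closed first). `speed` is not used.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	struct usb_device_index* index;
	int portnum, fd, rv;
	bool done;
	portnum = procid + 1;
	if (!dev) {
		return -1;
	}
	if (portnum != 1) {
		/* For now, we support only one proc. */
		return -1;
	}
	fd = vhci_open();
	if (fd < 0) {
		return -1;
	}
	index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		goto err;
	}
	rv = vhci_setport(fd, portnum);
	if (rv != 0) {
		goto err;
	}
	rv = vhci_usb_attach(fd);
	if (rv != 0) {
		goto err;
	}
	done = false;
	while (!done) {
		vhci_request_t req;
		rv = vhci_usb_recv(fd, &req, sizeof(req));
		if (rv != 0) {
			goto err;
		}
		if (req.type != VHCI_REQ_CTRL) {
			goto err;
		}
		char* response_data = NULL;
		uint32_t response_length = 0;
		char data[4096];
		/*
		 * This file is built as C (-x c), where a struct tag is not a
		 * type name by itself: the casts must say `struct
		 * usb_ctrlrequest`. The bare name is what the compiler rejected
		 * as "unknown type name 'usb_ctrlrequest'".
		 * NOTE(review): the cast assumes req.u.ctrl has the same layout
		 * as struct usb_ctrlrequest; confirm against the vhci header.
		 */
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			bool response_found = false;
			response_found = lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &response_data, &response_length);
			if (!response_found) {
				goto err;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) {
				goto err;
			}
			response_data = NULL;
			response_length = UGETW(req.u.ctrl.wLength);
		}
		if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			/* TODO: possibly revisit */
		}
		/* Never move more than the staging buffer holds or the host asked for. */
		if (response_length > sizeof(data))
			response_length = 0;
		if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length)
			response_length = UGETW(req.u.ctrl.wLength);
		if (response_data)
			memcpy(data, response_data, response_length);
		else
			memset(data, 0, response_length);
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			if (response_length > 0) {
				/* Size header first, then the payload. */
				vhci_response_t res;
				res.size = response_length;
				rv = vhci_usb_send(fd, &res, sizeof(res));
				if (rv == 0)
					rv = vhci_usb_send(fd, data, response_length);
			}
		} else {
			rv = vhci_usb_recv(fd, data, response_length);
		}
		if (rv < 0) {
			goto err;
		}
	}
	sleep_ms(200);
	return fd;
err:
	close(fd);
	return -1;
}

/*
 * Pseudo-syscall entry point: a0 = speed, a1 = descriptor length, a2 =
 * descriptor blob address, a3 = optional vusb_connect_descriptors address.
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Close the vhci fd in a0, wait 200 ms, and return close()'s result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Start a new session and lower resource limits for the test process:
 * locked memory 8 MiB, file size 1 MiB, stack 1 MiB, no core dumps, 256
 * open files. setrlimit() failures are ignored; only setsid() is fatal.
 */
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

/* "none" sandbox: apply the common limits, then run the loop (never returns in practice). */
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

/*
 * Call the address in `text` as a void(void) function. The bytes there are
 * whatever the program copied in beforehand, so this runs program-supplied
 * machine code inside the test process.
 * NOTE(review): the purpose of `p` and of the empty asm with 14 register
 * inputs is not evident from this listing.
 */
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	((void (*)(void))(text))();
	return 0;
}

/* Worker state: `ready` hands a call to the worker, `done` signals completion. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running;

/* Worker body: wait for a call number, run it, signal completion, repeat. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/*
 * Run calls 0..14 once each. Every call goes to the first idle worker
 * (workers are created on demand) and is given 45 ms to finish, plus 3000 ms
 * for call 13 and 300 ms for call 14. A worker that is still busy is left
 * running and the next one is used. Finally waits up to about 100 ms for
 * calls still in flight.
 */
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 15; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				/* A fresh worker starts out "done", i.e. idle. */
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45 + (call == 13 ? 3000 : 0) + (call == 14 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Forever: fork a child that runs execute_one(), poll for its exit once per
 * millisecond, and kill it if it is still running after 5 seconds.
 */
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
	}
}

/* Fallback syscall numbers, used only when the headers do not define them. */
#ifndef SYS_accept
#define SYS_accept 30
#endif
#ifndef SYS_dup2
#define SYS_dup2 90
#endif
#ifndef SYS_fcntl
#define SYS_fcntl 92
#endif
#ifndef SYS_getpgrp
#define SYS_getpgrp 81
#endif
#ifndef SYS_getsockname
#define SYS_getsockname 32
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_pwrite
#define SYS_pwrite 174
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 105
#endif
#ifndef SYS_socketpair
#define SYS_socketpair 135
#endif
#ifndef SYS_stat
#define SYS_stat 439
#endif

/* Results of earlier calls (r0..r5 in the program text), with their initial values. */
uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff};

void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_fcntl, 0xffffff9c, 0xcul, 0xffffff9c); if (res != -1) r[0] = res; break; case 1: res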
= syscall(SYS_dup2, -1, r[0]); if (res != -1) r[1] = res; break; case 2: memcpy((void*)0x20000000, "\x5d\x1d\xd4\x36\xf0\xf5\xa3\x2b\x11\x7d\x0f\x61\xdc\x01\x05\x11\xe7\xe3\xc7\xf9\x2e\x33\x63\x0d\xfc\x7a\x02\xf9\xf4\xdf\x14\xc2\x15\xd8\x71\x6f\x98\x89\x2c\xba\x0d\xdc\xbb\xd6\xb2\x68\x3f\x5e\x02\x81\x52\xeb\xbe\x2d\x26\xa7\xe4\xc4\x56\x73\xb5\x5c\xf7\x6e\x77\x95\xdd\x12\x4f\x82\x94\x7e\x02\x44\xeb\x08\xcf\xb0\xb5\xda\x0c\x82\x9b\x15\x80\xac\x64\x47\x3f\x06\x9f\x99\x28\xc1\x04\x3b\xde\xaa\x54\x18\x29\xf4\xef\x60\xf8\x0e\xa0\xb9\xb9\x12\xa9\x74\xa5\xe9\x8e\xa7\x54\x23\xd1\x12\x68\x15\xde\x13\x19\xa7\x8c\x81\x27\xc0\x17\xf8\xcb\xe8\x6d", 135); syscall(SYS_pwrite, r[1], 0x20000000ul, 0x87ul, 6ul); break; case 3: *(uint32_t*)0x20000100 = 8; syscall(SYS_getsockname, r[0], 0x200000c0ul, 0x20000100ul); break; case 4: *(uint32_t*)0x20000180 = 0xc; syscall(SYS_accept, r[1], 0x20000140ul, 0x20000180ul); break; case 5: syscall(SYS_socketpair, 0x18ul, 0x844590f3b4efa023ul, 0x7f, 0x200001c0ul); break; case 6: *(uint32_t*)0x20000240 = 8; res = syscall(SYS_accept, 0xffffff9c, 0x20000200ul, 0x20000240ul); if (res != -1) r[2] = res; break; case 7: res = syscall(SYS_getpgrp); if (res != -1) r[3] = res; break; case 8: memcpy((void*)0x20000280, "./file0\000", 8); res = syscall(SYS_stat, 0x20000280ul, 0x200002c0ul); if (res != -1) r[4] = *(uint32_t*)0x200002dc; break; case 9: *(uint32_t*)0x200003c0 = r[3]; *(uint32_t*)0x200003c4 = r[4]; *(uint32_t*)0x200003c8 = 0; syscall(SYS_setsockopt, r[2], 0xffff, 0x11, 0x200003c0ul, 0xcul); break; case 10: memcpy((void*)0x20000000, 
"\xd2\x88\x11\xeb\x3e\xf8\x05\x7d\x4d\x7c\x72\x29\xab\x1e\x5a\x02\x15\x74\x40\xec\x59\x86\x63\x31\x4f\x52\x2e\x6a\x8f\x7e\x2b\x68\xcd\x21\x08\x34\xf1\x3e\x84\xf2\x57\xc3\x58\xe7\xe1\x97\x17\xa7\x93\x53\xa0\x60\x9a\xbf\x39\xfc\x23\xd2\x80\xe0\x31\xdb\xc3\x60\x48\xed\x67\xb3\x18\xa0\x55\x3a\x54\x1c\x84\x16\x7d\x1b\xf3\x90\x95\x1a\xbf\xd5\x37\x01\x57\xad\x02\x4b\xea\x03\x0e\x6c\x00\x3d\x2e\x50\xa9\x32\x90\x39\x93\x42\x94\x72\xcc\xa8\xbe\x88\x08\xca\x29\x15\x85\x8e\xd2\x59\x8c\x1e\x76\xf9\x8e\x66\x2b\x06\x78\xbd\xfd\x91\x86\x2b\x0a\xf8\x4e\x15\x85\xc3\x70\x9e\xeb\x1b\x8f\x06\x57\x03\xa7\x5c\x12\xe1\xfa\x87\xb7\x7d\x46\xd3\x74\xee\x21\x13\xbb\xbd\x6b\xde\xbb\x4c\xf0\x68\x7f\x79\xdb\x89\x5a\x8a\xc8\x1c\x3b\x28\x6c\x03\x42\x7e\x32\x11\xe7\x14\x20\xaf\xa9\xb5\xc9\x01\x3e\x63\x8e\xd9\x7d\xe9\x98\x3f\xb3\x34\x24\xfe\x11\xef\xd7\x82\x4c\xd6\x97\x92\x86\xd5\x9a\x5c\x79\x33\x8b\x6a\x9a\x2d\x15\xe7\x07\x91\xbd\xb5\x18\x6a\xa7\x4e\x17\x5a\x00\x49\xc1\xe3\x9d\xb5\x36\x37\x7a\x83\x54\x91\x5a\x8a\x15\x12\x5b\x8b\xe6\x2f\x01\xa9\x37\x40\xb2\x42\x8b\x18\x9e\xa4\x2e\x31\xb6\xce\x7a\xa3\x67\x6b\xf1\x46\x8b\x75\x1b\xf0\x6a\xac\xf1\x59\x04\xdb\x50\xc1\xbe\x9d\xf4\xcc\x9d\x41\x59\x9c\x57\xcf\xaf\x66\xb7\xe5\xee\x2d\x23\x72\x63\x0a\x7b\xf5\x38\xda\x78\x6d\xff\xf6\x05\x2e\x02\x55\x8a\x4d\x1c\xcf\x70\x99\xa8\xc5\x99\xc3\xc8\xb5\x15\xe8\x44\xf1\xe2\x3d\xe7\x3d\x80\x61\x27\x22\x82\x53\xa7\x05\x3b\x5e\x91\x51\x16\x85\x37\x0c\x98\x0f\xfa\x72\xe5\x55\x1f\xf0\x5f\xcb\xd9\x40\xd5\x14\xbe\xd2\x86\x0b\x87\x5b\x9a\x12\xb2\x6e\xdb\xb2\x92\xe0\xe8\xd8\xcb\xcd\x9d\xe3\xab\xa6\x8f\x7c\x14\x19\x24\x9f\xe4\x3a\x67\x54\xbf\x02\xa3\x6e\x0f\xd1\xf2\x7c\x48\xe9\xd1\x6c\x18\xed\x14\x84\xe5\x6c\xc5\xbc\x34\x83\x51\x93\x11\xe3\x37\x54\xaf\x2f\xc4\xd3\x7c\xfa\x1c\x6e\x5f\x0d\x38\xae\x96\xa6\x21\xc0\x4d\xb0\xfd\x7d\x79\x32\x97\xe4\x98\x1f\x90\x82\x93\x7b\x93\x22\xf4\x94\xbd\x98\xb2\xf4\x3d\x9b\x5c\x19\xff\x19\xec\x17\x7c\x63\x05\xb1\x88\x00\x44\x51\x11\x76\x3c\xda\xee\xc3\x51\x68\x93\x84\x78\x3a\xe7\xcf\xf9\xb1\x06\x6
3\x9e\xa6\x11\xfb\x72\xe8\x6d\x68\x5e\xa0\xf6\xb6\x5d\xc3\xb9\xa2\x43\x6c\x89\x25\x73\x82\xd1\x15\x16\xa2\xb0\x66\x37\xcf\xd9\x31\xe2\xca\x4e\x62\x53\x43\xd6\xb9\x65\x25\xc5\xbf\x7d\xcc\x43\x7f\x47\x4e\x1f\xf9\xf3\xdc\xc8\x57\x40\x44\x4a\x4c\x56\x9f\x50\x37\x9b\x98\x5f\x68\x43\xac\x29\xf0\x9a\x9f\x99\x81\x9a\xe2\x10\xdb\x22\xab\x19\x34\x09\x74\x95\x7f\x1f\xbe\xa4\x1c\x58\x51\xb2\xfa\x7a\x2f\xa8\x75\x81\xa7\xfb\x42\xdb\x8c\x24\xb4\xc6\xf8\x29\xbe\x59\x2c\xa0\xd0\xcf\x1a\x2f\xe6\x7d\xec\x53\x2c\xfa\x77\xf8\xf1\x95\x5d\xa3\x35\xa8\x4d\x5a\xef\x49\x05\xa9\xa2\x36\xc6\x07\x77\x4a\x0b\x4e\xf1\xd5\x0b\x55\xbd\x49\xaa\x87\x7c\x2b\x6b\x2e\x37\xa3\xe4\xa3\xb2\x4e\x95\xfa\x55\x7b\xa8\x9a\xaf\x42\x27\xb5\xbb\x0e\x64\x0b\x46\x98\xcd\x00\x4f\x87\x0c\x7d\xaa\x9e\xa4\x41\xfd\xbe\x8b\x30\x53\xdf\xfc\xe6\x46\xc0\xb0\x6d\xf3\x23\x25\x2c\xad\xa7\xf2\x4f\xcc\x21\x62\x4e\xdf\x49\x56\x7b\x26\x93\xfe\xc0\x69\x3d\x24\x3e\x06\x7b\x21\xe2\xbe\x29\x6c\x52\xbb\x2a\x38\x1f\x47\x94\xaa\x2e\x85\xdd\x5c\xb6\x67\x7e\x94\xb7\xe0\x03\xeb\xad\x24\x57\x37\x62\xa6\x40\x97\x3c\x07\x72\x99\x4d\xa2\x8c\x64\x90\xc1\xaf\x8f\x0f\x91\x75\x4e\x71\xc7\xf3\x26\xbd\x31\xdf\xc9\xc6\xfc\x20\x76\x7d\x71\x3a\x93\x31\x7b\xcb\xe0\xa3\xef\xc9\xc5\xa8\x57\x1b\x7b\x0a\x02\x97\x77\x41\xe8\xa8\x3c\xa8\x12\x96\x14\x5e\xc9\x55\xe1\xab\x98\x2c\x7f\x46\x62\x84\x56\x2b\x52\xde\x13\x55\x68\xa1\x42\xe6\x77\xc3\x43\xf5\xeb\xd3\x37\x55\xd0\xb9\x15\x65\x64\x6d\x7c\x36\x2e\x46\x64\x00\x7c\xae\x21\x67\xdb\x5d\x0a\x93\x3e\x12\x19\xd3\xd6\xa7\x38\x75\x76\xe5\x42\xf8\x16\xfa\x51\x6d\x44\xaf\xc3\xd9\x92\x29\xd4\xf5\x7f\xa8\x3b\x89\x48\xf8\x98\xb8\x52\x8d\xed\x2c\x53\x9b\x60\x33\x49\x1c\x6d\x78\x0c\xac\xb2\xbc\x3f\x52\xc2\x79\x4d\xe8\xdb\x39\x58\x12\xd4\xf7\xa4\x4b\x9c\x04\xd6\xfd\x3c\xa8\x6c\x68\x64\x7d\x3e\x47\x5d\xe5\x81\xed\xc3\x88\xdc\xde\x91\xb8\xb2\x4c\xd4\x2b\x91\xa1\x9e\x91\xb4\xb6\x37\xb4\x3b\x6f\xa4\xe1\x50\x44\x3e\xc7\xc0\x86\x95\xc4\x2b\xc6\xa9\x30\xb3\x08\x42\x04\x02\x3b\xfd\x15\xe1\xc0\x31\x2e\x46\xf4\x30\xe2\x6b\x0f\xcc\xa1\x5
2\x20\x9f\xc1\xc7\xf9\x91\xc1\x11\xbd\xcd\xa7\x2e\x19\x86\x26\x76\x6e\xaf\xc8\xcf\x54\x92\x18\x9d\x4c\xc9\xa8\xe2\xa8\xa9\xcb\x73\x89\x78\xec\xec\x37\x37\x6d\xc9\x9c\xa8\xd3\xef\xcf\xe7\x3d\xa5\x38\x96\x0e\xbf\x78\xf0\xa4\x36\x63\x76\xae\x5f\x1b\xb1\xf8\x11\xec\xce\xb6\x25\x10\x89\x78\x55\xe3\x06\x61\x04\x70\x1b\x94\xf6\x19\x13\xda\x46\x99\x31\x3c\xec\x63\xa8\x8a\x9b\xa4\x44\xa5\xfc\x01\xc0\x03\xbf\x9d\x6b\x25\x25\x04\xe4\x77\xf4\x0f\xb3\x3e\x59\x5f\x30\xac\x53\x8b\xc9\xee\xb2\x93\x72\xb7\xa9\xd1\xf6\xa2\xa9\xb0\x17\x7a\x17\x1e\x5f\x87\x9e\xab\x36\x3c\x76\x08\x61\x7c\x26\x19\x7d\xf1\xda\x9b\xaa\x02\x75\xe2\x3e\xd1\xb5\x92\xce\xbd\xcd\x6e\xf2\x2b\x36\xc4\xf2\x87\xdf\xe8\x49\xcf\x54\xea\xed\x55\x70\xff\xc4\x50\xcd\xe8\xb6\xee\x12\xef\xbc\x8d\xdf\xea\x6b\xf7\x82\xc2\x7e\x5a\x58\x16\xb6\xf0\x4f\xf5\xfe\x97\x7f\x05\xa5\xb1\x2a\x13\x64\xa6\x59\xcb\x6b\x11\xab\x7a\x16\x82\xe1\x09\x7e\x61\x87\xcd\x7c\xbb\xa8\x7e\xf4\xca\x8c\x2c\xaf\x28\x49\x99\x13\xd9\x8a\x9e\x9f\x2e\x11\xc5\x2f\x37\xfa\xf2\xcd\x20\x7b\xbe\x57\x34\xda\x0e\x91\xba\x5f\x8b\x48\xad\x59\xb1\x22\x67\x85\x50\xb2\x7f\xef\xe7\x1a\xf5\x3d\x6f\x93\x41\x04\x38\x73\x89\xb5\x93\x24\xcd\xbf\x44\x6e\xfe\x50\xdb\xd2\x3d\xb7\x41\x8e\xc6\x66\x6e\xd9\xfc\xaa\x6f\x70\xbe\xac\x9c\xa4\x2a\x90\xee\xc8\x56\x7b\xe2\x1f\xb4\x5f\x08\x86\x75\x57\x15\xf3\x17\x37\x35\x23\xdf\xeb\x84\x5a\xb7\x73\x33\xcf\x8d\xdf\x92\x62\x44\xa3\x8e\x02\x4d\xf5\xaf\x9e\xa0\x72\x53\xd0\x7a\x59\xdb\x51\x12\x3f\xd8\x11\xcc\xe2\xd2\x06\xea\xe6\x94\x3e\xc8\x75\x59\xeb\x0e\xb2\x8a\x94\xa6\x27\x83\x1e\x45\xb3\xa7\xd1\xf8\x9f\x7a\x49\xfb\xce\x7c\x5a\x6e\xd8\x1f\x4e\x68\xdd\x3c\xe2\x93\x46\xf7\xc1\x4e\x50\x64\x54\x8d\x57\xf1\x13\x63\x13\x9e\x5b\x66\x9a\x17\x44\xbd\x99\x89\x40\x08\x27\x97\x3e\x67\xe9\x4c\xb5\x55\xb0\x8c\xf0\x45\x65\xf3\x3d\xb1\x71\x96\xd1\x65\x18\xb4\xf4\xb0\x23\x05\x3e\x86\xa7\x27\x55\x21\xfa\x5b\x20\x99\x3d\xe7\xc2\xfa\x09\x79\x7d\x92\x4d\x59\x89\x3c\xaa\x98\xd9\x7b\x58\x62\x89\xda\x8c\x9c\xc3\x81\x0c\xfd\xe8\x5b\x31\xa4\xe3\x11\x8a\x5c\xc2\xfb\x6
3\xe4\x07\x3d\xc2\x24\xe5\x01\xb6\x37\xc6\x66\x74\xea\xd1\xe8\x4a\x7e\x3e\x3c\xe4\xad\xaf\x0c\x72\x3e\x38\xa4\x1d\xb5\x47\xe9\xcc\x33\x82\xec\xf9\xf6\xb6\xf9\x64\xc1\xf8\x1f\xe7\x53\x65\x59\x3c\x9a\x55\x15\x2e\xc7\xc0\x50\x67\x47\x4b\xd7\x1a\x93\x70\x00\x9f\xee\x6d\x87\xf3\xee\xf6\xc9\x36\x0a\x50\x29\x41\xe9\x37\x30\x45\x41\x61\xd0\xf0\x39\x1f\x7c\x5e\xbd\xe6\x22\xf0\x5c\x1d\x67\x36\x89\x44\x39\x0b\x68\x17\x8f\xef\xb8\x25\xad\xd8\x12\xf4\x96\x86\x70\x53\x74\x01\x70\x35\x31\x66\x7c\xd5\x15\x0f\x21\x1b\x9f\xcf\xec\xf4\xee\x5e\x08\x80\xf3\x74\x8b\x9e\x7a\x74\x5e\x80\x2a\xff\xac\xc6\xb4\xaa\x5b\x5d\x83\x75\x0f\xc1\xc4\x7d\x4a\xb6\x91\x70\x90\x1e\x7f\x5e\x44\x2b\xb9\x8a\x89\x18\x60\x54\xac\xf2\x07\xa3\xcf\x70\x17\x31\x56\xc5\x59\xfd\x72\x86\x0a\x7d\x26\x79\xa2\xff\xcb\x53\x30\x20\x41\x13\xdb\xac\x6b\x3c\x3b\x69\xaa\x4f\x75\xf2\x1c\xb2\x15\x4a\x4a\x6b\x31\xc0\x25\xd5\x2a\xc5\x49\x60\x48\x3c\xed\xf3\xf1\x1a\x1a\xdf\xfe\xf2\xf1\xfe\xc9\x4a\x55\x61\xd9\x18\x68\x00\x1c\x3d\x83\x95\xff\x45\x0b\x14\x00\x95\xd6\x53\x64\x75\x37\x9f\x38\x63\x4a\xcf\x9d\xed\xff\x61\xb1\x7f\x7c\x87\xf8\xc0\x56\x6b\xe6\x25\x0c\xf4\x39\xeb\xa3\x8c\x37\x65\x39\x3a\x9e\xd1\x01\x6d\x50\x2b\xa1\x3a\x8e\xf6\xde\x35\xba\x66\x9b\x10\xa0\x00\x82\x23\xd2\xe2\xf8\x8d\x35\xfe\x0a\x73\x23\x32\x4b\xfa\xbf\x25\xa7\xac\x01\x90\x45\x49\xa2\x59\xe6\xa8\xd3\xa4\x96\x4f\x19\x7e\x94\xb8\xf9\xb3\xa3\x16\x3f\x63\x49\xe3\xda\xc7\xe0\x17\x48\xf6\x74\x79\x5c\xc3\xbd\x5a\x9a\x3a\xb5\xf2\xc1\x30\x81\x16\x7d\xf3\x7e\x37\x9e\xeb\x2e\xcf\x9c\xdf\xa2\x37\x15\x95\xf3\x08\x31\x05\x1a\xb1\x57\xac\x75\xf9\xeb\xc4\x8b\x49\x95\x59\x7e\x20\x6c\x7b\xa2\x29\xab\x30\xec\xcf\xe6\x62\x4d\x88\x49\xea\xe4\x1d\x2d\xc7\xa4\xd7\x57\xa3\x73\xb1\xd8\x66\x95\xc4\x20\xcc\x04\xbf\x0d\xa6\x64\xa7\x56\xb4\x82\x24\x16\x3d\xe4\x41\x8b\x93\x23\x39\xd2\x99\x06\x13\x13\xa6\x34\xa4\xba\x08\x9b\x12\xf8\x5d\x4d\xa1\xd2\x7d\x51\xde\x93\x08\x31\x0e\xf6\xae\xb3\x56\x23\xd0\xa7\x72\xc5\xce\xdd\x2a\x65\x9f\xde\xf0\x92\xb4\xdf\x6a\x88\xd2\x96\x42\x00\xc2\x85\xe8\xc1\x6
e\x74\x89\xb8\x1e\x41\x59\xdb\x06\x2c\xe8\xa7\xd0\xda\xb6\x51\x80\x92\x11\xed\xf0\x58\x6f\x28\x9e\xf0\x3d\xee\x7b\xb9\xf4\x38\xc1\xa3\x52\xf6\x34\x2c\x66\x4b\xfd\x35\xd2\x38\x85\xb0\x9b\xd1\xda\x62\xbd\x65\xd0\xbc\x09\xa5\xeb\x5a\xe9\x5e\xa3\x10\x88\x14\x77\x81\xc3\x35\xea\x17\x77\x72\xa2\x28\x96\x19\x1a\x7d\x15\x70\x2b\x6b\x34\x37\xce\xd8\x86\xcc\x85\xbb\x26\x86\x5c\xe8\x28\xb9\xfe\x78\xa0\x7b\x46\x3d\xf7\x33\x2f\x67\x92\xb2\xfd\x86\xd1\x7b\x1e\x98\xa4\xcc\x77\x29\xb0\x58\xc5\x98\xc9\x61\xc6\x34\xb1\x5d\x09\x73\xca\xcd\xd9\x73\x5a\x0f\x77\x78\x6a\xe2\xb0\x76\x6b\x31\x94\xa1\x27\x34\x5d\xd8\xc1\x1f\x69\xfa\x4c\x44\xcc\x5b\x30\xe0\x1f\x6d\xc5\x61\x33\x0f\x63\x63\x29\xc9\x7e\xc0\x5a\xe8\x29\x1d\x9a\x26\xb6\x05\xf1\xb2\x77\xc9\x32\x21\x15\x62\x6e\x29\x75\xc7\x91\xc3\xef\x10\x95\x4c\xb8\xb4\x7c\xea\x6c\xf6\x97\xeb\x9d\xb3\xbe\xcb\x11\x14\xce\x63\x92\x19\x9e\x87\xba\xc0\x43\xed\x7a\x15\x83\xdc\x66\x0b\x36\xde\xb0\x22\x1a\x79\xed\x70\xbf\x71\x3f\x3c\x9c\x88\x25\x83\x81\x4c\x2e\xca\x81\x51\xd2\x71\x71\x95\x92\xd5\xc1\xfc\x62\x66\xa2\x76\xa3\xe8\xd3\x88\x27\xb2\x90\xe1\x04\x46\x06\x99\x2d\x13\x42\x36\xa1\xae\x87\xf9\x33\x8b\x77\x41\xf2\xe8\xa7\x46\xeb\x0f\x60\x77\x62\xed\x4e\x18\x92\x3d\xba\xcf\xea\x14\x7a\xd5\x7e\xff\x61\x71\x67\xd0\xf5\x4d\xaa\xc4\x54\x37\xc5\xe6\x1b\x45\x93\x7e\x8a\xa5\xe7\xce\xef\x4c\xa2\x25\x4b\x97\x01\xa2\x2f\x57\x7f\xb6\x27\xe8\xe1\xc1\xc7\x04\x01\xae\x81\x1b\x9a\x53\xf4\xc1\x6a\x79\x43\xe3\xd8\x1b\xa3\xd9\x20\x9c\xbd\xfb\x20\x8b\x04\xce\x15\x8e\x7b\xa8\xee\x77\xb0\xb7\x5f\x52\x08\x68\x6d\xf7\x87\x12\xd2\x8f\x70\x03\x61\x15\x91\x00\x36\x9b\x63\x33\x84\xdd\xff\x44\x02\xc0\xab\x0e\x2e\xc0\xaa\x87\x18\x6a\x65\xd3\x48\x4d\x29\x21\xd6\x25\x3f\xd1\xfb\xf4\x6b\x63\xba\x72\xeb\x79\x5c\xc0\x25\x69\x0f\x1f\x48\xdb\xe3\x08\xf9\x78\xe2\xfd\x55\x13\xe2\xdd\xc0\xb0\x66\x19\x4f\xd5\x8d\x3e\xaa\x49\x69\x0b\xd7\xe7\x86\x38\x85\xeb\x5e\x2a\xc6\x87\x0d\xe8\x35\x92\x67\x5f\x74\xcf\x89\x89\xe1\x8e\x68\xf1\xb6\x06\x78\x27\x0c\xa6\xb9\xc0\xda\xf4\x44\x27\x8a\x7d\xc8\x2a\x9
7\x80\x73\x0a\xa0\x3b\xe5\x68\x13\xe8\x1d\x6f\x29\x6c\x6f\x87\xd0\x09\x96\x18\xaf\x9f\x7e\x99\x16\x49\xec\x36\x49\x72\xd4\xc8\xfb\x66\x96\x70\xec\x92\x96\xce\x17\x38\x38\xb9\xc9\x2b\xaf\x6b\xf8\x83\xc1\x34\xd2\xc1\xcb\xcd\x92\x8b\x54\x99\x1d\x4c\x00\xf4\xaa\x72\x70\xbf\x3b\xef\xeb\x10\x8e\x98\x62\xf3\x46\x88\xcc\x2d\xb3\xb7\x94\x37\x77\x67\x12\x79\xa1\x7f\x9c\x64\xc4\x0b\xd8\x48\x5e\xf5\x2e\xb9\x64\x31\x4c\x65\xaa\x34\x59\x6f\x16\xb8\x0f\x9e\xf7\x81\xc4\xe8\xee\xb0\xac\xd2\x89\x38\x6c\x1a\xe5\x06\xae\x5b\xd2\xb2\x0b\x76\x0c\xe0\xc7\x9b\x56\xb1\x34\xe2\x2f\x57\xc4\x4a\xba\xe2\xf4\xec\xad\x82\xef\xe4\x02\xa4\x3a\x47\x59\x45\x77\xa2\x4b\x79\xa9\x4c\x6f\x7a\x5e\xda\xab\xeb\x48\xfc\x5e\xc2\x7a\xec\xd8\x23\x80\xd0\xe9\x40\xa0\x33\xe8\x7a\x44\x74\xb9\x5d\x58\xa5\xfe\xc5\x9d\x80\xb0\x91\xe9\x16\x5a\x14\x32\x5b\x38\xc5\xe4\x56\x5c\x3f\x0f\x12\x6f\x8b\x2a\xdf\x83\x26\x8e\x00\x76\x64\x7d\xdd\x43\xff\x2d\x52\xd7\x73\xab\x30\x40\x88\x45\x8f\xac\x4f\xb9\x37\x9e\x20\x96\x85\x60\xa0\x75\x17\xd6\xe0\x00\x1d\x2a\x08\xc3\xc6\xc9\x78\x25\xe1\x22\x59\xea\x86\x1b\x0a\xd5\x64\x94\x50\xdf\xfb\x3a\xfa\xe4\x9c\xd3\x1e\xfb\x40\x51\x3c\x06\xb7\x95\xe0\x71\x60\x3a\x47\xd3\xc8\x39\xc4\x01\xec\xc3\x8b\x11\x7d\xf9\x38\x83\x6a\x15\xb3\x1a\x13\x5b\x58\x89\x2d\xb9\xb4\xeb\xf6\x84\xdb\x3f\x7e\xce\x8a\x9d\x60\xbc\x8c\x81\x0e\xba\x0c\xa0\xd8\x75\x83\x57\x37\xd2\x5b\x94\x8b\x39\x28\x60\xaa\x82\xcd\xd5\xff\x7c\x6b\x0b\x4d\x7a\xe1\x82\x16\x89\x49\xd9\x84\x0e\x33\x54\x5d\x61\x27\x72\x7a\xbe\x02\xdd\x01\x41\x8c\xe4\xdd\x46\xaf\x7b\x5f\x08\x44\xcb\x51\xd4\x99\x2f\x4c\xe1\x22\x3c\x23\x13\x7c\x21\x13\x61\xd0\x15\x0e\xd2\x35\xa0\x59\x8f\x9e\x1d\x81\x6a\x40\xc6\xae\xb8\xad\x56\x26\xbc\x22\xb2\xe9\x39\x57\x47\x44\x1c\xc7\x8a\x55\x8d\xed\xc4\x02\x47\x32\x48\x98\x99\x12\xa0\xaa\x71\xac\x8d\x77\x54\xde\x78\xa1\xd5\xb9\xe5\x48\xd4\xeb\xef\x22\x4e\x82\xcd\x39\x35\x24\xd7\x9b\x88\xd6\xe0\x40\x5a\xd0\x2d\xa7\x11\x7b\xa0\x37\x29\x4e\x53\x5f\xff\x4b\xb7\xbf\xca\xce\xde\x33\x48\xf0\x1d\x16\x13\x48\xf4\xee\xe1\xa5\x15\xbe\x5
3\x0e\x0f\x0e\x64\xc5\x65\x44\xd4\xae\x10\x64\x45\xcc\xe1\x41\x0c\x79\x0b\xdb\xeb\x1e\x2d\x29\x3e\x01\x2e\x02\x97\xc4\x6c\x91\x45\xdc\xcb\xd6\xff\x77\xcb\xfa\xcd\xa4\x6f\x27\xd7\x1d\x02\xde\x14\xb6\x1c\x50\x53\x33\x19\xc6\x68\xfc\xfa\xc0\x36\xc7\x86\x7d\x12\xa3\xd0\xd8\xd4\x49\xc4\x96\x69\x58\x63\x49\xf2\x23\x9c\x4f\xa5\xc2\xb8\xfd\xfc\x42\x3e\xcd\x85\xed\xcc\xf6\x85\x47\xb1\xa9\x06\x76\x4c\x5c\x03\xff\x33\x2b\x56\x3e\xae\xee\xb8\x45\x65\x35\xc6\x1e\x91\x73\x92\xa0\x3d\xfe\x6b\xeb\xf3\xdc\x57\x10\xf9\x32\xb5\x07\xe3\xf0\xcd\xfb\x6a\x9d\xd0\x35\xf0\x6d\xe0\x55\x72\xca\x94\xd8\x5b\xfb\x15\x7e\x68\x44\x8a\xb8\xb0\xc4\xd5\x96\xce\x02\x0d\xad\xef\xce\xae\x68\x15\x3e\x5f\x62\xc5\xc0\x81\x43\xf5\xdb\x49\x7a\xaf\xab\x19\xcd\x33\x0c\x37\x84\xdb\x0a\xde\x50\x5a\x29\x51\x4b\xd1\xe8\xc3\xb9\x2c\x4f\x61\x65\x36\x22\xf8\x75\xec\xac\xc9\xe6\x77\x4a\xde\xca\x1c\xa4\x2f\x63\x7c\x70\x22\x99\xa2\xd3\xf8\x81\xbe\x79\x5b\xba\x9d\xb3\x40\xe4\x80\xaa\x4e\x94\x4d\xec\x20\x21\x6b\x83\x58\x45\x5d\xcf\x8e\xed\x99\x0e\x41\xf3\x37\x64\x42\xb9\xb3\xe0\xd8\x82\x38\x77\x5b\x8b\xea\x3f\x68\x8a\xf1\x85\x39\xb2\xe8\xba\xfa\xac\xc1\xc4\x06\x4e\x9a\xe8\x87\xc6\x9d\xca\x82\xac\xad\xf3\x55\x30\x92\xe7\x87\x97\xa6\x2c\xc8\x34\x44\x1c\x22\x2f\xf2\x26\xea\x32\xd2\x03\xc0\xb1\xfa\xcc\x67\xe6\x30\x71\x6a\x3f\x96\xa0\x77\xe2\x34\x8f\x2b\xe6\xd9\x3e\xc0\x63\x1a\x5e\xf1\xbe\xd4\x10\x61\x19\xd9\x70\xe6\x22\x8f\x01\x69\x89\xa8\xfd\xf0\x1b\xda\x8e\xdd\xfd\x60\x68\xd6\x49\xb3\x95\x6e\xab\x29\xd3\x03\xf1\xfc\x68\x67\xd8\x63\xc8\x7c\x35\x39\xe8\xe9\x9c\xe2\x39\x53\xc2\x5e\xe2\xb0\x98\x57\xd2\xdf\xdd\x4c\x2d\x24\x2b\xd8\x33\xf6\xb7\xf4\xa6\x7c\xde\x78\x63\xd6\x53\xa0\x05\x21\xfa\x68\xce\x23\x1d\x06\x15\xb0\x01\x75\xec\x1f\xca\x37\x7e\x4e\x72\xf7\x8a\x8f\x8f\xbc\xa9\xda\x4f\x40\x8b\xc1\xb7\x99\x97\x1c\x16\xce\x2e\x04\xaa\x24\x32\x79\xef\xcd\xb0\x78\x43\xd2\x55\xeb\x60\x67\xe3\x73\x2b\xcf\xdf\x1c\x17\x17\x8d\x77\xd3\xdf\xf4\x24\xd6\x77\x2e\x39\xae\xc3\xbe\xf9\x59\x2a\x25\xe9\xfb\xb5\x51\x09\x52\xe5\x83\xf5\x34\xa4\xd1\xf
5\x7c\xce\xfe\x84\x55\xf3\x53\xdf\xee\xee\xdc\x8b\x3e\xa3\xd6\xc4\x1f\xf4\x16\x7d\xe5\x14\x55\x30\xf3\xdd\x70\xbc\x89\xfd\xcf\xa8\x63\xd8\xc5\x65\x20\x8d\x32\x72\xb0\x23\x8b\x97\xd9\x5c\x5a\x67\x87\x24\x15\xa2\x7e\xf0\x6f\xa2\x6c\x0f\x72\xb5\x71\xcf\xfb\x76\x23\x69\xc8\x0b\x5f\x33\x2f\x03\xa9\x75\x9f\xec\x50\xd6\x04\xa1\x8a\x69\xfb\x52\x13\x11\xfa\x17\x1e\xa6\xfa\x40\x48\x73\xde\x91\x95\xf8\x47\xd8\x1f\xd4\xba\xe3\xd5\x21\x6d\x6c\x00\xcc\x38\xd5\xc7\x5d\xad\x1e\xf6\x86\xd5\xce\x4a\xcb\xb4\x77\xfb\xf6\xc5\xad\x0b\x26\x9e\x69\x05\x4b\x4a\x59\xdb\x3c\x6e\xb0\xce\xc7\xfb\xdf\x32\xd3\x30\x6c\xeb\x5d\x10\x06\xeb\x7b\xf6\xf0\x70\x12\xb1\x16\xc9\x5f\xbf\xcf\xd9\x9e\x82\xf5\xab\xa8\xeb\xd7\xc7\x90\xc9\xf0\x40\x75\xe2\xbb\x39\x9d\x92\x29\xbe\x4a\x0e\x90\xdc\x1b\x03\x58\xee\xcf\xfa\xda\xeb\xc0\xbd\xc6\xff\x1c\xfd\x00\xdc\xeb\xc0\xa9\x0d\x7b\x96\xc9\x6f\xa5\x52\xdc\x82\x4b\x94\x4d\x95\x1d\xb7\xd2\xb6\xee\x39\x9b\x6c\x1f\x29\x65\xe5\x93\x1c\xea\x56\x1b\x9d\xda\x86\xb5\xe7\xc3\x67\x41\xc0\x4a\x97\xa0\x0b\x06\x95\xa9\xd8\x3d\x62\x9e\xb5\xde\x99\xbf\x8a\xe8\xd7\x55\xf3\x31\xe4\x02\x53\x39\x0a\xbb\x2e\x60\x49\x16\x74\x96\xd5\xca\x37\x56\x3b\xea\xbd\xa4\xf8\x2b\x2c\x9a\x58\xef\xf2\xa5\x8a\x1d\x2f\xbc\x8d\x72\xc1\x88\xd4\xb3\x39\x2b\x9b\x42\x86\xa8\x5f\x5d\xed\x71\x0f\x24\x3b\x24\x83\x2c\x54\x79\x1e\xee\x12\x09\x44\x3f\x07\xf3\x74\xea\x2a\xb6\x14\xd6\xa9\xac\x8b\x09\x81\xc3\x50\x96\x96\xc0\x58\xd3\x2f\x4a\xff\x5a\xf8\xe9\xeb\x22\x53\xed\x4f\x83\xe8\xb4\xf3\x29\x4b\x61\xc9\x0d\x54\xd3\xc3\x5f\x3d\x44\xd5\x5a\x5a\x1f\x55\xba\xc7\xe5\x97\x8b\x63\xfb\xb9\xdf\x0e\x9c\x6b\x15\x4d\x61\x24\xef\x4c\xf6\x3f\xf3\xae\x36\x10\x32\x14\x7f\x9e\xf7\x5f\x9e\xa2\xf4\xb2\x2e\xb1\x36\x93\xe2\x67\xb7\xc4\xf6\x36\x5d\xe5\x36\x86\x11\x8a\x93\x4a\x59\x8b\xa5\xa8\x17\x5e\xe5\x0f\x09\x9a\xa9\xac\xd7\xf2\xe2\xc9\xb0\x5b\x04\x4b\x3b\x06\x1b\xd1\xbb\x3b\x29\x6b\x6b\xf9\x00\xb8\x56\xa6\x44\x8d\x81\x2e\x68\xef\xd3\x1f\xef\xfd\x44\x52\x99\x0c\xd5\xf7\xcc\x02\x58\x8e\xef\xbe\xbb\x9f\x56\xab\x77\xcd\x50\x29\x89\xcd\x1
6\xe8\x9a\x44\x55\x3e\x19\x89\xd4\xdf\xfd\x97\x7b\x53\xea\x8b\x3b\x63\x6d\x62\xbb\xb2\x65\xc4\x28\x0c\xab\x59\xda\xb2\x4f\xbe\x7f\x16\x18\x0d\xfd\xdf\x62\xe4\x82\xed\x8e\xdc\xa2\x7a\x96\x7c\xe5\xfa\xe0\x32\x8b\x64\x03\xce\xe1\x7a\x6d\x63\xac\x71\xa8\xa4\x6f\x6c\xad\xdb\x53\x0c\x6d\x90\x5a\x8b\x6c\x8e\xd8\x9f\x62\x2a\x0c\x0a\x90\x67\x5c\x1f\x8d\x97\x9b\x34\xcd\x1e\x95\x4f\xa9\x15\x4f", 4096); break; case 11: memcpy((void*)0x20001000, "\xc4\x62\x39\x37\x47\x7e\x66\x0f\xe3\x0c\xa4\xf3\x3e\x45\x09\x17\xc4\x61\x78\xae\x91\x72\x98\x00\x00\xc4\x63\xe1\x22\xd6\x96\xc4\x03\x7d\x7b\x05\x0f\x00\x00\x00\x00\xc4\x63\x39\x5f\x47\x3f\xad\xc4\x03\x55\x5d\x3c\x56\x00\xc4\xe2\xb5\x96\xf0\xc4\x21\xfd\x5b\xfb", 65); syz_execute_func(0x20001000); break; case 12: break; case 13: memcpy((void*)0x200010c0, "\x5d\x8d\x97\xaf\xe9\x58\xa6\xb4\x6b\x8f\xef\xfe\x29\xf0\x51\x64\xa8\xee\xd8\xf0\x35\xa6\xc4\xd8\xf6\x97\x21\x06\xc0\xf6\xa0\x43\x0f\x03\x47\xa9\xad\x29\xa9\x40\xd3\xde\x0d\x19\xdd\x63\xc0\x6d\xad\x37\xea\x1e\x10\x5f\xec\x8b\x4d\xbd\xb4\xd7\xf9\x51\x64\xff\x31\x3f\x19\x9a\xaa\x43\x10\x8e\x96\x13\xc1\xe6\x29\x58\xe7\x76\x28\x47\x15\x8e\x87\x26\x92\x4d\xcb\xda\xff\xfd\x2a\x94\x2c\x44\x0d\x0a\x80\x34\x04\x87\xaf\x0e\xb9", 105); memcpy((void*)0x20001140, "\xe2\xf9\x19\x3e\xea\x7f\xea\x62\xb3\x74\xa3\x15\x14\x75\xbf\x3b\xe9\x82\x5d\xbe\x21\xd3\x90\x7a\x6b\xaf\x2f\xcd\xf0\xe6\xdd\x64\xfa\x7c\xcc\xe3\x73\x4b\xa6\x62\x73\xba\x0d\xb7\xe7\x9d\x31\x4b\x54\xd1\x01\x58\xb7\xd4\xa6\x7b\x5e\x26\x4c\xd1\xfe\x32\xc6\xba\xb3\xd0\x3f\xaa\x5b\xd6\x7a\x46\x09\xb4\x8a\x17\xeb\x03\x86\x53\x8a\xfe\x3d\x83\xa4\xf1\x95\x97\x90\x97\x73\xc9\x47\x4f\x1f\x66\x85\xe5\x91\x57\xf5\xc7\x6c\x2d\xe0\x65\xf5\x09\xb7\xa7\xcf\x8e\x62\x9c\xca\x55\x3d\xcb\x44\x45\xa3\x72\x88\x31\x99\xbe\x74\x66\x34\xe8\x57\x26\x6c\x27\x58\xf8\xd5\x8d\xd0\xde\xa4\x57\x79\x02\x04\xfc\x26\xe2\x69\x27\xd5\xbb\xff\x20\xa9\x9a\xed\x0a\x95\xd8\x50\xec\x32\x21\xf4\xf1\xd8\xf1\x3a\x8f\x00\xbe\x13\x51\x9e\xf8\x98\xd3\x9d\x28\x56\x8b\xb7\x89\x4c\x39", 
186); res = syz_usb_connect(0x721, 0x69, 0x200010c0, 0x20001140); if (res != -1) r[5] = res; break; case 14: syz_usb_disconnect(r[5]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); do_sandbox_none(); return 0; } : In function 'syz_usb_connect_impl': :596:63: error: unknown type name 'usb_ctrlrequest' :601:55: error: unknown type name 'usb_ctrlrequest' compiler invocation: /syzkaller/netbsd/src/../tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor879726235 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/netbsd/src/../dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/1 (1.43s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = fcntl$dupfd(0xffffffffffffff9c, 0xc, 0xffffffffffffff9c) r1 = dup2(0xffffffffffffffff, r0) pwrite(r1, &(0x7f0000000000)="5d1dd436f0f5a32b117d0f61dc010511e7e3c7f92e33630dfc7a02f9f4df14c215d8716f98892cba0ddcbbd6b2683f5e028152ebbe2d26a7e4c45673b55cf76e7795dd124f82947e0244eb08cfb0b5da0c829b1580ac64473f069f9928c1043bdeaa541829f4ef60f80ea0b9b912a974a5e98ea75423d1126815de1319a78c8127c017f8cbe86d", 0x87, 0x6) getsockname$unix(r0, &(0x7f00000000c0)=@abs, &(0x7f0000000100)=0x8) accept$inet6(r1, &(0x7f0000000140), &(0x7f0000000180)=0xc) socketpair(0x18, 0x844590f3b4efa023, 0x7f, &(0x7f00000001c0)) r2 = accept(0xffffffffffffff9c, &(0x7f0000000200)=@un=@abs, &(0x7f0000000240)=0x8) r3 = getpgrp() stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 0xffff, 0x11, &(0x7f00000003c0)={r3, r4}, 0xc) syz_emit_ethernet(0x1000, &(0x7f0000000000)="") 
syz_execute_func(&(0x7f0000001000)="c4623937477e660fe30ca4f33e450917c46178ae9172980000c463e122d696c4037d7b050f00000000c463395f473fadc403555d3c5600c4e2b596f0c421fd5bfb") syz_extract_tcp_res(&(0x7f0000001080), 0x5, 0x6fb) r5 = syz_usb_connect(0x721, 0x69, &(0x7f00000010c0)="5d8d97afe958a6b46b8feffe29f05164a8eed8f035a6c4d8f6972106c0f6a0430f0347a9ad29a940d3de0d19dd63c06dad37ea1e105fec8b4dbdb4d7f95164ff313f199aaa43108e9613c1e62958e7762847158e8726924dcbdafffd2a942c440d0a80340487af0eb9", &(0x7f0000001140)="e2f9193eea7fea62b374a3151475bf3be9825dbe21d3907a6baf2fcdf0e6dd64fa7ccce3734ba66273ba0db7e79d314b54d10158b7d4a67b5e264cd1fe32c6bab3d03faa5bd67a4609b48a17eb0386538afe3d83a4f19597909773c9474f1f6685e59157f5c76c2de065f509b7a7cf8e629cca553dcb4445a372883199be746634e857266c2758f8d58dd0dea457790204fc26e26927d5bbff20a99aed0a95d850ec3221f4f1d8f13a8f00be13519ef898d39d28568bb7894c39") syz_usb_disconnect(r5) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; dp = opendir(dir); if (dp == NULL) exit(1); while ((ep = readdir(dp))) { if 
(strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } /* 
-------------------------------------------------------------------------- */ /* * Redefinitions to match the linux types used in common_usb.h. */ struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 
#define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct 
usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; };

/*
 * Parsed view of one emulated device. parse_usb_descriptor() sets `dev` and
 * `config` to point into the caller's descriptor buffer (nothing is copied),
 * so that buffer has to stay valid for as long as the index is used.
 */
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length; /* bytes from `config` to the end of the buffer */
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur; /* initialised to -1 by parse_usb_descriptor() */
};

/* One slot per emulated device: the descriptor it was opened on plus its index. */
struct usb_info {
	int fd;
	struct usb_device_index index;
};

static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

/*
 * Builds `index` from a raw descriptor blob laid out as a device descriptor
 * immediately followed by a configuration descriptor and its sub-descriptors.
 *
 * Returns false when `length` cannot hold the device and configuration
 * descriptors, true otherwise. At most USB_MAX_IFACE_NUM interfaces and
 * USB_MAX_EP_NUM endpoints per interface are recorded; extra ones are
 * silently skipped.
 *
 * NOTE(review): inside the walk the only size checks are desc_length > 2 and
 * offset + desc_length <= length. The interface branch then reads fields up
 * to bInterfaceClass and the endpoint branch copies a full
 * struct usb_endpoint_descriptor, without comparing desc_length against
 * either struct size. A short descriptor close to the end of the blob is
 * therefore read past `length`; a `desc_length >= sizeof(...)` guard in each
 * branch would close that.
 */
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	/* The walk starts at offset 0, i.e. at the device descriptor itself. */
	size_t offset = 0;
	while (true) {
		/* Need at least the bLength and bDescriptorType bytes. */
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		/* A length of 2 or less ends the walk; it also prevents a zero-step loop. */
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		/* Endpoints attach to the most recently recorded interface. */
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

static struct usb_device_index*
add_usb_index(int fd, const char* dev, size_t dev_len)
{
	/*
	 * Reserves the next usb_devices[] slot, parses `dev` into it and
	 * publishes `fd` for lookup_usb_index(). Returns NULL when all
	 * USB_MAX_FDS slots have been handed out or the descriptor is rejected.
	 * The counter is bumped before either check, so a rejected descriptor
	 * still consumes a slot; no decrement is visible in this part of the
	 * listing.
	 */
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	int rv = 0;
	rv = parse_usb_descriptor(dev, dev_len, &usb_devices[i].index);
	if (!rv)
		return NULL;
	/* Release store pairs with the acquire load in lookup_usb_index(). */
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

/*
 * Returns the index registered for `fd`, or NULL if no slot holds it.
 *
 * NOTE(review): usb_devices[] has static storage, so never-used slots hold
 * fd 0 and match a lookup for descriptor 0, returning an index whose dev and
 * config pointers are NULL. Confirm 0 can never be a vhci descriptor here.
 */
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

/* One caller-supplied string descriptor: length plus pointer to its bytes. */
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

/*
 * Optional descriptors supplied with the connect call. `strs` is a trailing
 * zero-length array; lookup_connect_response_in() indexes it up to strs_len.
 * The lengths and pointers are used as given, with no validation visible in
 * this listing.
 */
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptor: bLength 8, then "syz" as 16-bit code units. */
static const char default_string[] = {
	8, USB_DT_STRING,
	's', 0, 'y', 0, 'z', 0
};

/* Fallback for string index 0: bLength 4 and the two bytes 0x09, 0x04. */
static const char default_lang_id[] = {
	4, USB_DT_STRING,
	0x09, 0x04
};

/*
 * Picks the reply for a device-to-host control request. Only standard
 * GET_DESCRIPTOR requests are answered; on success *response_data and
 * *response_length describe the bytes to send and true is returned. Returns
 * false for an unknown `fd` or any other request.
 *
 * NOTE(review): `descs` is NULL-checked in the USB_DT_STRING case only. The
 * USB_DT_BOS and USB_DT_DEVICE_QUALIFIER cases dereference it unconditionally,
 * so a NULL `descs` faults there.
 *
 * NOTE(review): in the USB_DT_DEVICE_QUALIFIER fallback, `qual` is made from
 * `response_data` itself, which this signature declares as char**. The ten
 * packed bytes of struct usb_qualifier_descriptor are therefore stored over
 * the caller's pointer object (8 bytes under the logged -m64 build) and the
 * two bytes after it, and *response_data is never assigned on that path. This
 * looks like it was meant to fill a caller-provided data buffer; confirm
 * against the caller before relying on this branch.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* High byte of wValue selects the descriptor type. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				/* Low byte of wValue is the string index. */
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs->qual) {
					/* No qualifier supplied: derive one from the device descriptor. */
					struct usb_qualifier_descriptor* qual =
					    (struct usb_qualifier_descriptor*)response_data;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/* Callback type for host-to-device requests; sets *done to end the connect loop. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

/*
 * Default host-to-device handler: accepts only a standard SET_CONFIGURATION
 * request, marking the connect sequence as done. Everything else returns
 * false. `fd` and `descs` are unused.
 */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

/* -------------------------------------------------------------------------- */

/* Opens the vhci control node read/write; returns the descriptor or -1. */
static int vhci_open(void)
{
	return open("/dev/vhci", O_RDWR);
}

/* Selects `port` on the opened vhci descriptor via VHCI_IOC_SET_PORT. */
static int vhci_setport(int fd, u_int port)
{
	struct vhci_ioc_set_port args;
	args.port = port;
	return ioctl(fd, VHCI_IOC_SET_PORT, &args);
}

/* Issues VHCI_IOC_USB_ATTACH on the descriptor; returns the ioctl result. */
static int vhci_usb_attach(int fd)
{
	return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL);
}

/*
 * Reads exactly `size` bytes into `buf`, looping over short reads. Returns 0
 * on success, -1 when read() fails.
 *
 * NOTE(review): only `done < 0` is treated as failure. A read() that returns
 * 0 while bytes are still outstanding makes no progress and the loop repeats;
 * vhci_usb_send() uses `done <= 0` for the equivalent check.
 */
static int vhci_usb_recv(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = read(fd, ptr, size);
		if (done < 0)
			return -1;
		if ((size_t)done == size)
			return 0;
size -= done; ptr += done; } }

/*
 * Writes exactly `size` bytes from `buf`, looping over short writes. Returns
 * 0 on success, -1 when write() fails or makes no progress.
 */
static int vhci_usb_send(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = write(fd, ptr, size);
		if (done <= 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

/* -------------------------------------------------------------------------- */

/*
 * Opens /dev/vhci, registers the descriptor blob `dev`, attaches a virtual
 * device and then answers the host's control requests until the OUT handler
 * reports completion. Returns the vhci descriptor on success and -1 on any
 * failure. `speed` is accepted but not used in this function.
 *
 * NOTE(review): both lookup calls below cast with `(const usb_ctrlrequest*)`,
 * without the `struct` keyword. This listing declares only
 * `struct usb_ctrlrequest` (no typedef is visible) and the logged compiler
 * invocation passes `-x c`, which matches the
 * "unknown type name 'usb_ctrlrequest'" errors the log reports for this
 * function. `(const struct usb_ctrlrequest*)` is the spelling C accepts.
 *
 * NOTE(review): the cast also treats the vhci request's `u.ctrl` member as a
 * struct usb_ctrlrequest; presumably the two layouts match, confirm against
 * the vhci header.
 *
 * NOTE(review): on the error path the descriptor is closed, but the slot that
 * add_usb_index() filled keeps the stale fd value; nothing visible here
 * clears it.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len,
					  const char* dev, const struct vusb_connect_descriptors* descs,
					  lookup_connect_out_response_t lookup_connect_response_out)
{
	struct usb_device_index* index;
	int portnum, fd, rv;
	bool done;
	portnum = procid + 1;
	if (!dev) {
		return -1;
	}
	if (portnum != 1) {
		/* For now, we support only one proc. */
		return -1;
	}
	fd = vhci_open();
	if (fd < 0) {
		return -1;
	}
	index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		goto err;
	}
	rv = vhci_setport(fd, portnum);
	if (rv != 0) {
		goto err;
	}
	rv = vhci_usb_attach(fd);
	if (rv != 0) {
		goto err;
	}
	done = false;
	while (!done) {
		vhci_request_t req;
		rv = vhci_usb_recv(fd, &req, sizeof(req));
		if (rv != 0) {
			goto err;
		}
		/* Only control requests are handled during connect. */
		if (req.type != VHCI_REQ_CTRL) {
			goto err;
		}
		/*
		 * NOTE(review): the IN lookup receives the address of this
		 * pointer variable. Its DEVICE_QUALIFIER fallback casts that
		 * char** to a descriptor pointer and stores ten packed bytes
		 * through it, i.e. over `response_data` and the stack next to
		 * it; `data` looks like the intended target, confirm.
		 */
		char* response_data = NULL;
		uint32_t response_length = 0;
		char data[4096]; /* staging buffer for the reply or the received payload */
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			bool response_found = false;
			response_found = lookup_connect_response_in(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &response_data, &response_length);
			if (!response_found) {
				goto err;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &done)) {
				goto err;
			}
			response_data = NULL;
			response_length = UGETW(req.u.ctrl.wLength);
		}
		if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			/* TODO: possibly revisit */
		}
		/*
		 * A length that does not fit the staging buffer is dropped to 0
		 * rather than truncated; the result is then capped at the
		 * wLength the host asked for. This is what bounds the
		 * memcpy/memset and the recv below to sizeof(data).
		 */
		if (response_length > sizeof(data))
			response_length = 0;
		if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length)
			response_length = UGETW(req.u.ctrl.wLength);
		if (response_data)
			memcpy(data, response_data, response_length);
		else
			memset(data, 0, response_length);
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			/* IN: send a size header first, then the payload. A zero-length reply sends nothing. */
			if (response_length > 0) {
				vhci_response_t res;
				res.size = response_length;
				rv = vhci_usb_send(fd, &res, sizeof(res));
				if (rv == 0)
					rv = vhci_usb_send(fd, data, response_length);
			}
		} else {
			/* OUT: consume the payload that accompanies the request. */
			rv = vhci_usb_recv(fd, data, response_length);
		}
		if (rv < 0) {
			goto err;
		}
	}
	sleep_ms(200);
	return fd;
err:
	close(fd);
	return -1;
}

/*
 * Pseudo-syscall entry point: reinterprets the four raw argument words as
 * speed, descriptor length, descriptor pointer and optional-descriptors
 * pointer, and runs the connect sequence with the generic OUT handler. The
 * pointers are taken from the generated program as-is.
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Closes the descriptor returned by syz_usb_connect, waits 200 ms and returns close()'s result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Starts a new session and caps resource limits for the test process:
 * locked memory 8 MiB, file size 1 MiB, stack 1 MiB, no core dumps and 256
 * open files. Exits if setsid() fails; the setrlimit() results are not
 * checked.
 */
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

/* "none" sandbox: apply the common limits, then run the test loop in this process. */
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

/*
 * Treats `text` as the address of a void(void) function and calls it. The
 * empty asm statement before the call lists the constants 0..13 as register
 * inputs. The bytes at `text` come from the generated program, so what runs
 * here is by construction arbitrary machine code inside the test process.
 */
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	((void (*)(void))(text))();
	return 0;
}

/* Per-worker state: whether the thread exists, which call it should run, and its handshake events. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running;

/* Worker thread body: waits for `ready`, then runs the assigned call. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 15; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 13 ? 3000 : 0) + (call == 14 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef SYS_accept #define SYS_accept 30 #endif #ifndef SYS_dup2 #define SYS_dup2 90 #endif #ifndef SYS_fcntl #define SYS_fcntl 92 #endif #ifndef SYS_getpgrp #define SYS_getpgrp 81 #endif #ifndef SYS_getsockname #define SYS_getsockname 32 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_pwrite #define SYS_pwrite 174 #endif #ifndef SYS_setsockopt #define SYS_setsockopt 105 #endif #ifndef SYS_socketpair #define SYS_socketpair 135 #endif #ifndef SYS_stat #define SYS_stat 439 #endif uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 
0; switch (call) { case 0: res = syscall(SYS_fcntl, 0xffffff9c, 0xcul, 0xffffff9c); if (res != -1) r[0] = res; break; case 1: res = syscall(SYS_dup2, -1, r[0]); if (res != -1) r[1] = res; break; case 2: memcpy((void*)0x20000000, "\x5d\x1d\xd4\x36\xf0\xf5\xa3\x2b\x11\x7d\x0f\x61\xdc\x01\x05\x11\xe7\xe3\xc7\xf9\x2e\x33\x63\x0d\xfc\x7a\x02\xf9\xf4\xdf\x14\xc2\x15\xd8\x71\x6f\x98\x89\x2c\xba\x0d\xdc\xbb\xd6\xb2\x68\x3f\x5e\x02\x81\x52\xeb\xbe\x2d\x26\xa7\xe4\xc4\x56\x73\xb5\x5c\xf7\x6e\x77\x95\xdd\x12\x4f\x82\x94\x7e\x02\x44\xeb\x08\xcf\xb0\xb5\xda\x0c\x82\x9b\x15\x80\xac\x64\x47\x3f\x06\x9f\x99\x28\xc1\x04\x3b\xde\xaa\x54\x18\x29\xf4\xef\x60\xf8\x0e\xa0\xb9\xb9\x12\xa9\x74\xa5\xe9\x8e\xa7\x54\x23\xd1\x12\x68\x15\xde\x13\x19\xa7\x8c\x81\x27\xc0\x17\xf8\xcb\xe8\x6d", 135); syscall(SYS_pwrite, r[1], 0x20000000ul, 0x87ul, 6ul); break; case 3: *(uint32_t*)0x20000100 = 8; syscall(SYS_getsockname, r[0], 0x200000c0ul, 0x20000100ul); break; case 4: *(uint32_t*)0x20000180 = 0xc; syscall(SYS_accept, r[1], 0x20000140ul, 0x20000180ul); break; case 5: syscall(SYS_socketpair, 0x18ul, 0x844590f3b4efa023ul, 0x7f, 0x200001c0ul); break; case 6: *(uint32_t*)0x20000240 = 8; res = syscall(SYS_accept, 0xffffff9c, 0x20000200ul, 0x20000240ul); if (res != -1) r[2] = res; break; case 7: res = syscall(SYS_getpgrp); if (res != -1) r[3] = res; break; case 8: memcpy((void*)0x20000280, "./file0\000", 8); res = syscall(SYS_stat, 0x20000280ul, 0x200002c0ul); if (res != -1) r[4] = *(uint32_t*)0x200002dc; break; case 9: *(uint32_t*)0x200003c0 = r[3]; *(uint32_t*)0x200003c4 = r[4]; *(uint32_t*)0x200003c8 = 0; syscall(SYS_setsockopt, r[2], 0xffff, 0x11, 0x200003c0ul, 0xcul); break; case 10: memcpy((void*)0x20000000, 
"\xd2\x88\x11\xeb\x3e\xf8\x05\x7d\x4d\x7c\x72\x29\xab\x1e\x5a\x02\x15\x74\x40\xec\x59\x86\x63\x31\x4f\x52\x2e\x6a\x8f\x7e\x2b\x68\xcd\x21\x08\x34\xf1\x3e\x84\xf2\x57\xc3\x58\xe7\xe1\x97\x17\xa7\x93\x53\xa0\x60\x9a\xbf\x39\xfc\x23\xd2\x80\xe0\x31\xdb\xc3\x60\x48\xed\x67\xb3\x18\xa0\x55\x3a\x54\x1c\x84\x16\x7d\x1b\xf3\x90\x95\x1a\xbf\xd5\x37\x01\x57\xad\x02\x4b\xea\x03\x0e\x6c\x00\x3d\x2e\x50\xa9\x32\x90\x39\x93\x42\x94\x72\xcc\xa8\xbe\x88\x08\xca\x29\x15\x85\x8e\xd2\x59\x8c\x1e\x76\xf9\x8e\x66\x2b\x06\x78\xbd\xfd\x91\x86\x2b\x0a\xf8\x4e\x15\x85\xc3\x70\x9e\xeb\x1b\x8f\x06\x57\x03\xa7\x5c\x12\xe1\xfa\x87\xb7\x7d\x46\xd3\x74\xee\x21\x13\xbb\xbd\x6b\xde\xbb\x4c\xf0\x68\x7f\x79\xdb\x89\x5a\x8a\xc8\x1c\x3b\x28\x6c\x03\x42\x7e\x32\x11\xe7\x14\x20\xaf\xa9\xb5\xc9\x01\x3e\x63\x8e\xd9\x7d\xe9\x98\x3f\xb3\x34\x24\xfe\x11\xef\xd7\x82\x4c\xd6\x97\x92\x86\xd5\x9a\x5c\x79\x33\x8b\x6a\x9a\x2d\x15\xe7\x07\x91\xbd\xb5\x18\x6a\xa7\x4e\x17\x5a\x00\x49\xc1\xe3\x9d\xb5\x36\x37\x7a\x83\x54\x91\x5a\x8a\x15\x12\x5b\x8b\xe6\x2f\x01\xa9\x37\x40\xb2\x42\x8b\x18\x9e\xa4\x2e\x31\xb6\xce\x7a\xa3\x67\x6b\xf1\x46\x8b\x75\x1b\xf0\x6a\xac\xf1\x59\x04\xdb\x50\xc1\xbe\x9d\xf4\xcc\x9d\x41\x59\x9c\x57\xcf\xaf\x66\xb7\xe5\xee\x2d\x23\x72\x63\x0a\x7b\xf5\x38\xda\x78\x6d\xff\xf6\x05\x2e\x02\x55\x8a\x4d\x1c\xcf\x70\x99\xa8\xc5\x99\xc3\xc8\xb5\x15\xe8\x44\xf1\xe2\x3d\xe7\x3d\x80\x61\x27\x22\x82\x53\xa7\x05\x3b\x5e\x91\x51\x16\x85\x37\x0c\x98\x0f\xfa\x72\xe5\x55\x1f\xf0\x5f\xcb\xd9\x40\xd5\x14\xbe\xd2\x86\x0b\x87\x5b\x9a\x12\xb2\x6e\xdb\xb2\x92\xe0\xe8\xd8\xcb\xcd\x9d\xe3\xab\xa6\x8f\x7c\x14\x19\x24\x9f\xe4\x3a\x67\x54\xbf\x02\xa3\x6e\x0f\xd1\xf2\x7c\x48\xe9\xd1\x6c\x18\xed\x14\x84\xe5\x6c\xc5\xbc\x34\x83\x51\x93\x11\xe3\x37\x54\xaf\x2f\xc4\xd3\x7c\xfa\x1c\x6e\x5f\x0d\x38\xae\x96\xa6\x21\xc0\x4d\xb0\xfd\x7d\x79\x32\x97\xe4\x98\x1f\x90\x82\x93\x7b\x93\x22\xf4\x94\xbd\x98\xb2\xf4\x3d\x9b\x5c\x19\xff\x19\xec\x17\x7c\x63\x05\xb1\x88\x00\x44\x51\x11\x76\x3c\xda\xee\xc3\x51\x68\x93\x84\x78\x3a\xe7\xcf\xf9\xb1\x06\x6
3\x9e\xa6\x11\xfb\x72\xe8\x6d\x68\x5e\xa0\xf6\xb6\x5d\xc3\xb9\xa2\x43\x6c\x89\x25\x73\x82\xd1\x15\x16\xa2\xb0\x66\x37\xcf\xd9\x31\xe2\xca\x4e\x62\x53\x43\xd6\xb9\x65\x25\xc5\xbf\x7d\xcc\x43\x7f\x47\x4e\x1f\xf9\xf3\xdc\xc8\x57\x40\x44\x4a\x4c\x56\x9f\x50\x37\x9b\x98\x5f\x68\x43\xac\x29\xf0\x9a\x9f\x99\x81\x9a\xe2\x10\xdb\x22\xab\x19\x34\x09\x74\x95\x7f\x1f\xbe\xa4\x1c\x58\x51\xb2\xfa\x7a\x2f\xa8\x75\x81\xa7\xfb\x42\xdb\x8c\x24\xb4\xc6\xf8\x29\xbe\x59\x2c\xa0\xd0\xcf\x1a\x2f\xe6\x7d\xec\x53\x2c\xfa\x77\xf8\xf1\x95\x5d\xa3\x35\xa8\x4d\x5a\xef\x49\x05\xa9\xa2\x36\xc6\x07\x77\x4a\x0b\x4e\xf1\xd5\x0b\x55\xbd\x49\xaa\x87\x7c\x2b\x6b\x2e\x37\xa3\xe4\xa3\xb2\x4e\x95\xfa\x55\x7b\xa8\x9a\xaf\x42\x27\xb5\xbb\x0e\x64\x0b\x46\x98\xcd\x00\x4f\x87\x0c\x7d\xaa\x9e\xa4\x41\xfd\xbe\x8b\x30\x53\xdf\xfc\xe6\x46\xc0\xb0\x6d\xf3\x23\x25\x2c\xad\xa7\xf2\x4f\xcc\x21\x62\x4e\xdf\x49\x56\x7b\x26\x93\xfe\xc0\x69\x3d\x24\x3e\x06\x7b\x21\xe2\xbe\x29\x6c\x52\xbb\x2a\x38\x1f\x47\x94\xaa\x2e\x85\xdd\x5c\xb6\x67\x7e\x94\xb7\xe0\x03\xeb\xad\x24\x57\x37\x62\xa6\x40\x97\x3c\x07\x72\x99\x4d\xa2\x8c\x64\x90\xc1\xaf\x8f\x0f\x91\x75\x4e\x71\xc7\xf3\x26\xbd\x31\xdf\xc9\xc6\xfc\x20\x76\x7d\x71\x3a\x93\x31\x7b\xcb\xe0\xa3\xef\xc9\xc5\xa8\x57\x1b\x7b\x0a\x02\x97\x77\x41\xe8\xa8\x3c\xa8\x12\x96\x14\x5e\xc9\x55\xe1\xab\x98\x2c\x7f\x46\x62\x84\x56\x2b\x52\xde\x13\x55\x68\xa1\x42\xe6\x77\xc3\x43\xf5\xeb\xd3\x37\x55\xd0\xb9\x15\x65\x64\x6d\x7c\x36\x2e\x46\x64\x00\x7c\xae\x21\x67\xdb\x5d\x0a\x93\x3e\x12\x19\xd3\xd6\xa7\x38\x75\x76\xe5\x42\xf8\x16\xfa\x51\x6d\x44\xaf\xc3\xd9\x92\x29\xd4\xf5\x7f\xa8\x3b\x89\x48\xf8\x98\xb8\x52\x8d\xed\x2c\x53\x9b\x60\x33\x49\x1c\x6d\x78\x0c\xac\xb2\xbc\x3f\x52\xc2\x79\x4d\xe8\xdb\x39\x58\x12\xd4\xf7\xa4\x4b\x9c\x04\xd6\xfd\x3c\xa8\x6c\x68\x64\x7d\x3e\x47\x5d\xe5\x81\xed\xc3\x88\xdc\xde\x91\xb8\xb2\x4c\xd4\x2b\x91\xa1\x9e\x91\xb4\xb6\x37\xb4\x3b\x6f\xa4\xe1\x50\x44\x3e\xc7\xc0\x86\x95\xc4\x2b\xc6\xa9\x30\xb3\x08\x42\x04\x02\x3b\xfd\x15\xe1\xc0\x31\x2e\x46\xf4\x30\xe2\x6b\x0f\xcc\xa1\x5
2\x20\x9f\xc1\xc7\xf9\x91\xc1\x11\xbd\xcd\xa7\x2e\x19\x86\x26\x76\x6e\xaf\xc8\xcf\x54\x92\x18\x9d\x4c\xc9\xa8\xe2\xa8\xa9\xcb\x73\x89\x78\xec\xec\x37\x37\x6d\xc9\x9c\xa8\xd3\xef\xcf\xe7\x3d\xa5\x38\x96\x0e\xbf\x78\xf0\xa4\x36\x63\x76\xae\x5f\x1b\xb1\xf8\x11\xec\xce\xb6\x25\x10\x89\x78\x55\xe3\x06\x61\x04\x70\x1b\x94\xf6\x19\x13\xda\x46\x99\x31\x3c\xec\x63\xa8\x8a\x9b\xa4\x44\xa5\xfc\x01\xc0\x03\xbf\x9d\x6b\x25\x25\x04\xe4\x77\xf4\x0f\xb3\x3e\x59\x5f\x30\xac\x53\x8b\xc9\xee\xb2\x93\x72\xb7\xa9\xd1\xf6\xa2\xa9\xb0\x17\x7a\x17\x1e\x5f\x87\x9e\xab\x36\x3c\x76\x08\x61\x7c\x26\x19\x7d\xf1\xda\x9b\xaa\x02\x75\xe2\x3e\xd1\xb5\x92\xce\xbd\xcd\x6e\xf2\x2b\x36\xc4\xf2\x87\xdf\xe8\x49\xcf\x54\xea\xed\x55\x70\xff\xc4\x50\xcd\xe8\xb6\xee\x12\xef\xbc\x8d\xdf\xea\x6b\xf7\x82\xc2\x7e\x5a\x58\x16\xb6\xf0\x4f\xf5\xfe\x97\x7f\x05\xa5\xb1\x2a\x13\x64\xa6\x59\xcb\x6b\x11\xab\x7a\x16\x82\xe1\x09\x7e\x61\x87\xcd\x7c\xbb\xa8\x7e\xf4\xca\x8c\x2c\xaf\x28\x49\x99\x13\xd9\x8a\x9e\x9f\x2e\x11\xc5\x2f\x37\xfa\xf2\xcd\x20\x7b\xbe\x57\x34\xda\x0e\x91\xba\x5f\x8b\x48\xad\x59\xb1\x22\x67\x85\x50\xb2\x7f\xef\xe7\x1a\xf5\x3d\x6f\x93\x41\x04\x38\x73\x89\xb5\x93\x24\xcd\xbf\x44\x6e\xfe\x50\xdb\xd2\x3d\xb7\x41\x8e\xc6\x66\x6e\xd9\xfc\xaa\x6f\x70\xbe\xac\x9c\xa4\x2a\x90\xee\xc8\x56\x7b\xe2\x1f\xb4\x5f\x08\x86\x75\x57\x15\xf3\x17\x37\x35\x23\xdf\xeb\x84\x5a\xb7\x73\x33\xcf\x8d\xdf\x92\x62\x44\xa3\x8e\x02\x4d\xf5\xaf\x9e\xa0\x72\x53\xd0\x7a\x59\xdb\x51\x12\x3f\xd8\x11\xcc\xe2\xd2\x06\xea\xe6\x94\x3e\xc8\x75\x59\xeb\x0e\xb2\x8a\x94\xa6\x27\x83\x1e\x45\xb3\xa7\xd1\xf8\x9f\x7a\x49\xfb\xce\x7c\x5a\x6e\xd8\x1f\x4e\x68\xdd\x3c\xe2\x93\x46\xf7\xc1\x4e\x50\x64\x54\x8d\x57\xf1\x13\x63\x13\x9e\x5b\x66\x9a\x17\x44\xbd\x99\x89\x40\x08\x27\x97\x3e\x67\xe9\x4c\xb5\x55\xb0\x8c\xf0\x45\x65\xf3\x3d\xb1\x71\x96\xd1\x65\x18\xb4\xf4\xb0\x23\x05\x3e\x86\xa7\x27\x55\x21\xfa\x5b\x20\x99\x3d\xe7\xc2\xfa\x09\x79\x7d\x92\x4d\x59\x89\x3c\xaa\x98\xd9\x7b\x58\x62\x89\xda\x8c\x9c\xc3\x81\x0c\xfd\xe8\x5b\x31\xa4\xe3\x11\x8a\x5c\xc2\xfb\x6
3\xe4\x07\x3d\xc2\x24\xe5\x01\xb6\x37\xc6\x66\x74\xea\xd1\xe8\x4a\x7e\x3e\x3c\xe4\xad\xaf\x0c\x72\x3e\x38\xa4\x1d\xb5\x47\xe9\xcc\x33\x82\xec\xf9\xf6\xb6\xf9\x64\xc1\xf8\x1f\xe7\x53\x65\x59\x3c\x9a\x55\x15\x2e\xc7\xc0\x50\x67\x47\x4b\xd7\x1a\x93\x70\x00\x9f\xee\x6d\x87\xf3\xee\xf6\xc9\x36\x0a\x50\x29\x41\xe9\x37\x30\x45\x41\x61\xd0\xf0\x39\x1f\x7c\x5e\xbd\xe6\x22\xf0\x5c\x1d\x67\x36\x89\x44\x39\x0b\x68\x17\x8f\xef\xb8\x25\xad\xd8\x12\xf4\x96\x86\x70\x53\x74\x01\x70\x35\x31\x66\x7c\xd5\x15\x0f\x21\x1b\x9f\xcf\xec\xf4\xee\x5e\x08\x80\xf3\x74\x8b\x9e\x7a\x74\x5e\x80\x2a\xff\xac\xc6\xb4\xaa\x5b\x5d\x83\x75\x0f\xc1\xc4\x7d\x4a\xb6\x91\x70\x90\x1e\x7f\x5e\x44\x2b\xb9\x8a\x89\x18\x60\x54\xac\xf2\x07\xa3\xcf\x70\x17\x31\x56\xc5\x59\xfd\x72\x86\x0a\x7d\x26\x79\xa2\xff\xcb\x53\x30\x20\x41\x13\xdb\xac\x6b\x3c\x3b\x69\xaa\x4f\x75\xf2\x1c\xb2\x15\x4a\x4a\x6b\x31\xc0\x25\xd5\x2a\xc5\x49\x60\x48\x3c\xed\xf3\xf1\x1a\x1a\xdf\xfe\xf2\xf1\xfe\xc9\x4a\x55\x61\xd9\x18\x68\x00\x1c\x3d\x83\x95\xff\x45\x0b\x14\x00\x95\xd6\x53\x64\x75\x37\x9f\x38\x63\x4a\xcf\x9d\xed\xff\x61\xb1\x7f\x7c\x87\xf8\xc0\x56\x6b\xe6\x25\x0c\xf4\x39\xeb\xa3\x8c\x37\x65\x39\x3a\x9e\xd1\x01\x6d\x50\x2b\xa1\x3a\x8e\xf6\xde\x35\xba\x66\x9b\x10\xa0\x00\x82\x23\xd2\xe2\xf8\x8d\x35\xfe\x0a\x73\x23\x32\x4b\xfa\xbf\x25\xa7\xac\x01\x90\x45\x49\xa2\x59\xe6\xa8\xd3\xa4\x96\x4f\x19\x7e\x94\xb8\xf9\xb3\xa3\x16\x3f\x63\x49\xe3\xda\xc7\xe0\x17\x48\xf6\x74\x79\x5c\xc3\xbd\x5a\x9a\x3a\xb5\xf2\xc1\x30\x81\x16\x7d\xf3\x7e\x37\x9e\xeb\x2e\xcf\x9c\xdf\xa2\x37\x15\x95\xf3\x08\x31\x05\x1a\xb1\x57\xac\x75\xf9\xeb\xc4\x8b\x49\x95\x59\x7e\x20\x6c\x7b\xa2\x29\xab\x30\xec\xcf\xe6\x62\x4d\x88\x49\xea\xe4\x1d\x2d\xc7\xa4\xd7\x57\xa3\x73\xb1\xd8\x66\x95\xc4\x20\xcc\x04\xbf\x0d\xa6\x64\xa7\x56\xb4\x82\x24\x16\x3d\xe4\x41\x8b\x93\x23\x39\xd2\x99\x06\x13\x13\xa6\x34\xa4\xba\x08\x9b\x12\xf8\x5d\x4d\xa1\xd2\x7d\x51\xde\x93\x08\x31\x0e\xf6\xae\xb3\x56\x23\xd0\xa7\x72\xc5\xce\xdd\x2a\x65\x9f\xde\xf0\x92\xb4\xdf\x6a\x88\xd2\x96\x42\x00\xc2\x85\xe8\xc1\x6
e\x74\x89\xb8\x1e\x41\x59\xdb\x06\x2c\xe8\xa7\xd0\xda\xb6\x51\x80\x92\x11\xed\xf0\x58\x6f\x28\x9e\xf0\x3d\xee\x7b\xb9\xf4\x38\xc1\xa3\x52\xf6\x34\x2c\x66\x4b\xfd\x35\xd2\x38\x85\xb0\x9b\xd1\xda\x62\xbd\x65\xd0\xbc\x09\xa5\xeb\x5a\xe9\x5e\xa3\x10\x88\x14\x77\x81\xc3\x35\xea\x17\x77\x72\xa2\x28\x96\x19\x1a\x7d\x15\x70\x2b\x6b\x34\x37\xce\xd8\x86\xcc\x85\xbb\x26\x86\x5c\xe8\x28\xb9\xfe\x78\xa0\x7b\x46\x3d\xf7\x33\x2f\x67\x92\xb2\xfd\x86\xd1\x7b\x1e\x98\xa4\xcc\x77\x29\xb0\x58\xc5\x98\xc9\x61\xc6\x34\xb1\x5d\x09\x73\xca\xcd\xd9\x73\x5a\x0f\x77\x78\x6a\xe2\xb0\x76\x6b\x31\x94\xa1\x27\x34\x5d\xd8\xc1\x1f\x69\xfa\x4c\x44\xcc\x5b\x30\xe0\x1f\x6d\xc5\x61\x33\x0f\x63\x63\x29\xc9\x7e\xc0\x5a\xe8\x29\x1d\x9a\x26\xb6\x05\xf1\xb2\x77\xc9\x32\x21\x15\x62\x6e\x29\x75\xc7\x91\xc3\xef\x10\x95\x4c\xb8\xb4\x7c\xea\x6c\xf6\x97\xeb\x9d\xb3\xbe\xcb\x11\x14\xce\x63\x92\x19\x9e\x87\xba\xc0\x43\xed\x7a\x15\x83\xdc\x66\x0b\x36\xde\xb0\x22\x1a\x79\xed\x70\xbf\x71\x3f\x3c\x9c\x88\x25\x83\x81\x4c\x2e\xca\x81\x51\xd2\x71\x71\x95\x92\xd5\xc1\xfc\x62\x66\xa2\x76\xa3\xe8\xd3\x88\x27\xb2\x90\xe1\x04\x46\x06\x99\x2d\x13\x42\x36\xa1\xae\x87\xf9\x33\x8b\x77\x41\xf2\xe8\xa7\x46\xeb\x0f\x60\x77\x62\xed\x4e\x18\x92\x3d\xba\xcf\xea\x14\x7a\xd5\x7e\xff\x61\x71\x67\xd0\xf5\x4d\xaa\xc4\x54\x37\xc5\xe6\x1b\x45\x93\x7e\x8a\xa5\xe7\xce\xef\x4c\xa2\x25\x4b\x97\x01\xa2\x2f\x57\x7f\xb6\x27\xe8\xe1\xc1\xc7\x04\x01\xae\x81\x1b\x9a\x53\xf4\xc1\x6a\x79\x43\xe3\xd8\x1b\xa3\xd9\x20\x9c\xbd\xfb\x20\x8b\x04\xce\x15\x8e\x7b\xa8\xee\x77\xb0\xb7\x5f\x52\x08\x68\x6d\xf7\x87\x12\xd2\x8f\x70\x03\x61\x15\x91\x00\x36\x9b\x63\x33\x84\xdd\xff\x44\x02\xc0\xab\x0e\x2e\xc0\xaa\x87\x18\x6a\x65\xd3\x48\x4d\x29\x21\xd6\x25\x3f\xd1\xfb\xf4\x6b\x63\xba\x72\xeb\x79\x5c\xc0\x25\x69\x0f\x1f\x48\xdb\xe3\x08\xf9\x78\xe2\xfd\x55\x13\xe2\xdd\xc0\xb0\x66\x19\x4f\xd5\x8d\x3e\xaa\x49\x69\x0b\xd7\xe7\x86\x38\x85\xeb\x5e\x2a\xc6\x87\x0d\xe8\x35\x92\x67\x5f\x74\xcf\x89\x89\xe1\x8e\x68\xf1\xb6\x06\x78\x27\x0c\xa6\xb9\xc0\xda\xf4\x44\x27\x8a\x7d\xc8\x2a\x9
7\x80\x73\x0a\xa0\x3b\xe5\x68\x13\xe8\x1d\x6f\x29\x6c\x6f\x87\xd0\x09\x96\x18\xaf\x9f\x7e\x99\x16\x49\xec\x36\x49\x72\xd4\xc8\xfb\x66\x96\x70\xec\x92\x96\xce\x17\x38\x38\xb9\xc9\x2b\xaf\x6b\xf8\x83\xc1\x34\xd2\xc1\xcb\xcd\x92\x8b\x54\x99\x1d\x4c\x00\xf4\xaa\x72\x70\xbf\x3b\xef\xeb\x10\x8e\x98\x62\xf3\x46\x88\xcc\x2d\xb3\xb7\x94\x37\x77\x67\x12\x79\xa1\x7f\x9c\x64\xc4\x0b\xd8\x48\x5e\xf5\x2e\xb9\x64\x31\x4c\x65\xaa\x34\x59\x6f\x16\xb8\x0f\x9e\xf7\x81\xc4\xe8\xee\xb0\xac\xd2\x89\x38\x6c\x1a\xe5\x06\xae\x5b\xd2\xb2\x0b\x76\x0c\xe0\xc7\x9b\x56\xb1\x34\xe2\x2f\x57\xc4\x4a\xba\xe2\xf4\xec\xad\x82\xef\xe4\x02\xa4\x3a\x47\x59\x45\x77\xa2\x4b\x79\xa9\x4c\x6f\x7a\x5e\xda\xab\xeb\x48\xfc\x5e\xc2\x7a\xec\xd8\x23\x80\xd0\xe9\x40\xa0\x33\xe8\x7a\x44\x74\xb9\x5d\x58\xa5\xfe\xc5\x9d\x80\xb0\x91\xe9\x16\x5a\x14\x32\x5b\x38\xc5\xe4\x56\x5c\x3f\x0f\x12\x6f\x8b\x2a\xdf\x83\x26\x8e\x00\x76\x64\x7d\xdd\x43\xff\x2d\x52\xd7\x73\xab\x30\x40\x88\x45\x8f\xac\x4f\xb9\x37\x9e\x20\x96\x85\x60\xa0\x75\x17\xd6\xe0\x00\x1d\x2a\x08\xc3\xc6\xc9\x78\x25\xe1\x22\x59\xea\x86\x1b\x0a\xd5\x64\x94\x50\xdf\xfb\x3a\xfa\xe4\x9c\xd3\x1e\xfb\x40\x51\x3c\x06\xb7\x95\xe0\x71\x60\x3a\x47\xd3\xc8\x39\xc4\x01\xec\xc3\x8b\x11\x7d\xf9\x38\x83\x6a\x15\xb3\x1a\x13\x5b\x58\x89\x2d\xb9\xb4\xeb\xf6\x84\xdb\x3f\x7e\xce\x8a\x9d\x60\xbc\x8c\x81\x0e\xba\x0c\xa0\xd8\x75\x83\x57\x37\xd2\x5b\x94\x8b\x39\x28\x60\xaa\x82\xcd\xd5\xff\x7c\x6b\x0b\x4d\x7a\xe1\x82\x16\x89\x49\xd9\x84\x0e\x33\x54\x5d\x61\x27\x72\x7a\xbe\x02\xdd\x01\x41\x8c\xe4\xdd\x46\xaf\x7b\x5f\x08\x44\xcb\x51\xd4\x99\x2f\x4c\xe1\x22\x3c\x23\x13\x7c\x21\x13\x61\xd0\x15\x0e\xd2\x35\xa0\x59\x8f\x9e\x1d\x81\x6a\x40\xc6\xae\xb8\xad\x56\x26\xbc\x22\xb2\xe9\x39\x57\x47\x44\x1c\xc7\x8a\x55\x8d\xed\xc4\x02\x47\x32\x48\x98\x99\x12\xa0\xaa\x71\xac\x8d\x77\x54\xde\x78\xa1\xd5\xb9\xe5\x48\xd4\xeb\xef\x22\x4e\x82\xcd\x39\x35\x24\xd7\x9b\x88\xd6\xe0\x40\x5a\xd0\x2d\xa7\x11\x7b\xa0\x37\x29\x4e\x53\x5f\xff\x4b\xb7\xbf\xca\xce\xde\x33\x48\xf0\x1d\x16\x13\x48\xf4\xee\xe1\xa5\x15\xbe\x5
3\x0e\x0f\x0e\x64\xc5\x65\x44\xd4\xae\x10\x64\x45\xcc\xe1\x41\x0c\x79\x0b\xdb\xeb\x1e\x2d\x29\x3e\x01\x2e\x02\x97\xc4\x6c\x91\x45\xdc\xcb\xd6\xff\x77\xcb\xfa\xcd\xa4\x6f\x27\xd7\x1d\x02\xde\x14\xb6\x1c\x50\x53\x33\x19\xc6\x68\xfc\xfa\xc0\x36\xc7\x86\x7d\x12\xa3\xd0\xd8\xd4\x49\xc4\x96\x69\x58\x63\x49\xf2\x23\x9c\x4f\xa5\xc2\xb8\xfd\xfc\x42\x3e\xcd\x85\xed\xcc\xf6\x85\x47\xb1\xa9\x06\x76\x4c\x5c\x03\xff\x33\x2b\x56\x3e\xae\xee\xb8\x45\x65\x35\xc6\x1e\x91\x73\x92\xa0\x3d\xfe\x6b\xeb\xf3\xdc\x57\x10\xf9\x32\xb5\x07\xe3\xf0\xcd\xfb\x6a\x9d\xd0\x35\xf0\x6d\xe0\x55\x72\xca\x94\xd8\x5b\xfb\x15\x7e\x68\x44\x8a\xb8\xb0\xc4\xd5\x96\xce\x02\x0d\xad\xef\xce\xae\x68\x15\x3e\x5f\x62\xc5\xc0\x81\x43\xf5\xdb\x49\x7a\xaf\xab\x19\xcd\x33\x0c\x37\x84\xdb\x0a\xde\x50\x5a\x29\x51\x4b\xd1\xe8\xc3\xb9\x2c\x4f\x61\x65\x36\x22\xf8\x75\xec\xac\xc9\xe6\x77\x4a\xde\xca\x1c\xa4\x2f\x63\x7c\x70\x22\x99\xa2\xd3\xf8\x81\xbe\x79\x5b\xba\x9d\xb3\x40\xe4\x80\xaa\x4e\x94\x4d\xec\x20\x21\x6b\x83\x58\x45\x5d\xcf\x8e\xed\x99\x0e\x41\xf3\x37\x64\x42\xb9\xb3\xe0\xd8\x82\x38\x77\x5b\x8b\xea\x3f\x68\x8a\xf1\x85\x39\xb2\xe8\xba\xfa\xac\xc1\xc4\x06\x4e\x9a\xe8\x87\xc6\x9d\xca\x82\xac\xad\xf3\x55\x30\x92\xe7\x87\x97\xa6\x2c\xc8\x34\x44\x1c\x22\x2f\xf2\x26\xea\x32\xd2\x03\xc0\xb1\xfa\xcc\x67\xe6\x30\x71\x6a\x3f\x96\xa0\x77\xe2\x34\x8f\x2b\xe6\xd9\x3e\xc0\x63\x1a\x5e\xf1\xbe\xd4\x10\x61\x19\xd9\x70\xe6\x22\x8f\x01\x69\x89\xa8\xfd\xf0\x1b\xda\x8e\xdd\xfd\x60\x68\xd6\x49\xb3\x95\x6e\xab\x29\xd3\x03\xf1\xfc\x68\x67\xd8\x63\xc8\x7c\x35\x39\xe8\xe9\x9c\xe2\x39\x53\xc2\x5e\xe2\xb0\x98\x57\xd2\xdf\xdd\x4c\x2d\x24\x2b\xd8\x33\xf6\xb7\xf4\xa6\x7c\xde\x78\x63\xd6\x53\xa0\x05\x21\xfa\x68\xce\x23\x1d\x06\x15\xb0\x01\x75\xec\x1f\xca\x37\x7e\x4e\x72\xf7\x8a\x8f\x8f\xbc\xa9\xda\x4f\x40\x8b\xc1\xb7\x99\x97\x1c\x16\xce\x2e\x04\xaa\x24\x32\x79\xef\xcd\xb0\x78\x43\xd2\x55\xeb\x60\x67\xe3\x73\x2b\xcf\xdf\x1c\x17\x17\x8d\x77\xd3\xdf\xf4\x24\xd6\x77\x2e\x39\xae\xc3\xbe\xf9\x59\x2a\x25\xe9\xfb\xb5\x51\x09\x52\xe5\x83\xf5\x34\xa4\xd1\xf
5\x7c\xce\xfe\x84\x55\xf3\x53\xdf\xee\xee\xdc\x8b\x3e\xa3\xd6\xc4\x1f\xf4\x16\x7d\xe5\x14\x55\x30\xf3\xdd\x70\xbc\x89\xfd\xcf\xa8\x63\xd8\xc5\x65\x20\x8d\x32\x72\xb0\x23\x8b\x97\xd9\x5c\x5a\x67\x87\x24\x15\xa2\x7e\xf0\x6f\xa2\x6c\x0f\x72\xb5\x71\xcf\xfb\x76\x23\x69\xc8\x0b\x5f\x33\x2f\x03\xa9\x75\x9f\xec\x50\xd6\x04\xa1\x8a\x69\xfb\x52\x13\x11\xfa\x17\x1e\xa6\xfa\x40\x48\x73\xde\x91\x95\xf8\x47\xd8\x1f\xd4\xba\xe3\xd5\x21\x6d\x6c\x00\xcc\x38\xd5\xc7\x5d\xad\x1e\xf6\x86\xd5\xce\x4a\xcb\xb4\x77\xfb\xf6\xc5\xad\x0b\x26\x9e\x69\x05\x4b\x4a\x59\xdb\x3c\x6e\xb0\xce\xc7\xfb\xdf\x32\xd3\x30\x6c\xeb\x5d\x10\x06\xeb\x7b\xf6\xf0\x70\x12\xb1\x16\xc9\x5f\xbf\xcf\xd9\x9e\x82\xf5\xab\xa8\xeb\xd7\xc7\x90\xc9\xf0\x40\x75\xe2\xbb\x39\x9d\x92\x29\xbe\x4a\x0e\x90\xdc\x1b\x03\x58\xee\xcf\xfa\xda\xeb\xc0\xbd\xc6\xff\x1c\xfd\x00\xdc\xeb\xc0\xa9\x0d\x7b\x96\xc9\x6f\xa5\x52\xdc\x82\x4b\x94\x4d\x95\x1d\xb7\xd2\xb6\xee\x39\x9b\x6c\x1f\x29\x65\xe5\x93\x1c\xea\x56\x1b\x9d\xda\x86\xb5\xe7\xc3\x67\x41\xc0\x4a\x97\xa0\x0b\x06\x95\xa9\xd8\x3d\x62\x9e\xb5\xde\x99\xbf\x8a\xe8\xd7\x55\xf3\x31\xe4\x02\x53\x39\x0a\xbb\x2e\x60\x49\x16\x74\x96\xd5\xca\x37\x56\x3b\xea\xbd\xa4\xf8\x2b\x2c\x9a\x58\xef\xf2\xa5\x8a\x1d\x2f\xbc\x8d\x72\xc1\x88\xd4\xb3\x39\x2b\x9b\x42\x86\xa8\x5f\x5d\xed\x71\x0f\x24\x3b\x24\x83\x2c\x54\x79\x1e\xee\x12\x09\x44\x3f\x07\xf3\x74\xea\x2a\xb6\x14\xd6\xa9\xac\x8b\x09\x81\xc3\x50\x96\x96\xc0\x58\xd3\x2f\x4a\xff\x5a\xf8\xe9\xeb\x22\x53\xed\x4f\x83\xe8\xb4\xf3\x29\x4b\x61\xc9\x0d\x54\xd3\xc3\x5f\x3d\x44\xd5\x5a\x5a\x1f\x55\xba\xc7\xe5\x97\x8b\x63\xfb\xb9\xdf\x0e\x9c\x6b\x15\x4d\x61\x24\xef\x4c\xf6\x3f\xf3\xae\x36\x10\x32\x14\x7f\x9e\xf7\x5f\x9e\xa2\xf4\xb2\x2e\xb1\x36\x93\xe2\x67\xb7\xc4\xf6\x36\x5d\xe5\x36\x86\x11\x8a\x93\x4a\x59\x8b\xa5\xa8\x17\x5e\xe5\x0f\x09\x9a\xa9\xac\xd7\xf2\xe2\xc9\xb0\x5b\x04\x4b\x3b\x06\x1b\xd1\xbb\x3b\x29\x6b\x6b\xf9\x00\xb8\x56\xa6\x44\x8d\x81\x2e\x68\xef\xd3\x1f\xef\xfd\x44\x52\x99\x0c\xd5\xf7\xcc\x02\x58\x8e\xef\xbe\xbb\x9f\x56\xab\x77\xcd\x50\x29\x89\xcd\x1
6\xe8\x9a\x44\x55\x3e\x19\x89\xd4\xdf\xfd\x97\x7b\x53\xea\x8b\x3b\x63\x6d\x62\xbb\xb2\x65\xc4\x28\x0c\xab\x59\xda\xb2\x4f\xbe\x7f\x16\x18\x0d\xfd\xdf\x62\xe4\x82\xed\x8e\xdc\xa2\x7a\x96\x7c\xe5\xfa\xe0\x32\x8b\x64\x03\xce\xe1\x7a\x6d\x63\xac\x71\xa8\xa4\x6f\x6c\xad\xdb\x53\x0c\x6d\x90\x5a\x8b\x6c\x8e\xd8\x9f\x62\x2a\x0c\x0a\x90\x67\x5c\x1f\x8d\x97\x9b\x34\xcd\x1e\x95\x4f\xa9\x15\x4f", 4096); break; case 11: memcpy((void*)0x20001000, "\xc4\x62\x39\x37\x47\x7e\x66\x0f\xe3\x0c\xa4\xf3\x3e\x45\x09\x17\xc4\x61\x78\xae\x91\x72\x98\x00\x00\xc4\x63\xe1\x22\xd6\x96\xc4\x03\x7d\x7b\x05\x0f\x00\x00\x00\x00\xc4\x63\x39\x5f\x47\x3f\xad\xc4\x03\x55\x5d\x3c\x56\x00\xc4\xe2\xb5\x96\xf0\xc4\x21\xfd\x5b\xfb", 65); syz_execute_func(0x20001000); break; case 12: break; case 13: memcpy((void*)0x200010c0, "\x5d\x8d\x97\xaf\xe9\x58\xa6\xb4\x6b\x8f\xef\xfe\x29\xf0\x51\x64\xa8\xee\xd8\xf0\x35\xa6\xc4\xd8\xf6\x97\x21\x06\xc0\xf6\xa0\x43\x0f\x03\x47\xa9\xad\x29\xa9\x40\xd3\xde\x0d\x19\xdd\x63\xc0\x6d\xad\x37\xea\x1e\x10\x5f\xec\x8b\x4d\xbd\xb4\xd7\xf9\x51\x64\xff\x31\x3f\x19\x9a\xaa\x43\x10\x8e\x96\x13\xc1\xe6\x29\x58\xe7\x76\x28\x47\x15\x8e\x87\x26\x92\x4d\xcb\xda\xff\xfd\x2a\x94\x2c\x44\x0d\x0a\x80\x34\x04\x87\xaf\x0e\xb9", 105); memcpy((void*)0x20001140, "\xe2\xf9\x19\x3e\xea\x7f\xea\x62\xb3\x74\xa3\x15\x14\x75\xbf\x3b\xe9\x82\x5d\xbe\x21\xd3\x90\x7a\x6b\xaf\x2f\xcd\xf0\xe6\xdd\x64\xfa\x7c\xcc\xe3\x73\x4b\xa6\x62\x73\xba\x0d\xb7\xe7\x9d\x31\x4b\x54\xd1\x01\x58\xb7\xd4\xa6\x7b\x5e\x26\x4c\xd1\xfe\x32\xc6\xba\xb3\xd0\x3f\xaa\x5b\xd6\x7a\x46\x09\xb4\x8a\x17\xeb\x03\x86\x53\x8a\xfe\x3d\x83\xa4\xf1\x95\x97\x90\x97\x73\xc9\x47\x4f\x1f\x66\x85\xe5\x91\x57\xf5\xc7\x6c\x2d\xe0\x65\xf5\x09\xb7\xa7\xcf\x8e\x62\x9c\xca\x55\x3d\xcb\x44\x45\xa3\x72\x88\x31\x99\xbe\x74\x66\x34\xe8\x57\x26\x6c\x27\x58\xf8\xd5\x8d\xd0\xde\xa4\x57\x79\x02\x04\xfc\x26\xe2\x69\x27\xd5\xbb\xff\x20\xa9\x9a\xed\x0a\x95\xd8\x50\xec\x32\x21\xf4\xf1\xd8\xf1\x3a\x8f\x00\xbe\x13\x51\x9e\xf8\x98\xd3\x9d\x28\x56\x8b\xb7\x89\x4c\x39", 
186); res = syz_usb_connect(0x721, 0x69, 0x200010c0, 0x20001140); if (res != -1) r[5] = res; break; case 14: syz_usb_disconnect(r[5]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'syz_usb_connect_impl': :637:63: error: unknown type name 'usb_ctrlrequest' :642:55: error: unknown type name 'usb_ctrlrequest' compiler invocation: /syzkaller/netbsd/src/../tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor598673271 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/netbsd/src/../dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/2 (1.46s) csource_test.go:123: opts: {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = fcntl$dupfd(0xffffffffffffff9c, 0xc, 0xffffffffffffff9c) r1 = dup2(0xffffffffffffffff, r0) pwrite(r1, &(0x7f0000000000)="5d1dd436f0f5a32b117d0f61dc010511e7e3c7f92e33630dfc7a02f9f4df14c215d8716f98892cba0ddcbbd6b2683f5e028152ebbe2d26a7e4c45673b55cf76e7795dd124f82947e0244eb08cfb0b5da0c829b1580ac64473f069f9928c1043bdeaa541829f4ef60f80ea0b9b912a974a5e98ea75423d1126815de1319a78c8127c017f8cbe86d", 0x87, 0x6) getsockname$unix(r0, &(0x7f00000000c0)=@abs, &(0x7f0000000100)=0x8) accept$inet6(r1, &(0x7f0000000140), &(0x7f0000000180)=0xc) socketpair(0x18, 0x844590f3b4efa023, 0x7f, &(0x7f00000001c0)) r2 = accept(0xffffffffffffff9c, &(0x7f0000000200)=@un=@abs, &(0x7f0000000240)=0x8) r3 = getpgrp() stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 0xffff, 0x11, &(0x7f00000003c0)={r3, r4}, 0xc) syz_emit_ethernet(0x1000, 
&(0x7f0000000000)="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") syz_execute_func(&(0x7f0000001000)="c4623937477e660fe30ca4f33e450917c46178ae9172980000c463e122d696c4037d7b050f00000000c463395f473fadc403555d3c5600c4e2b596f0c421fd5bfb") syz_extract_tcp_res(&(0x7f0000001080), 0x5, 0x6fb) r5 = syz_usb_connect(0x721, 0x69, &(0x7f00000010c0)="5d8d97afe958a6b46b8feffe29f05164a8eed8f035a6c4d8f6972106c0f6a0430f0347a9ad29a940d3de0d19dd63c06dad37ea1e105fec8b4dbdb4d7f95164ff313f199aaa43108e9613c1e62958e7762847158e8726924dcbdafffd2a942c440d0a80340487af0eb9", &(0x7f0000001140)="e2f9193eea7fea62b374a3151475bf3be9825dbe21d3907a6baf2fcdf0e6dd64fa7ccce3734ba66273ba0db7e79d314b54d10158b7d4a67b5e264cd1fe32c6bab3d03faa5bd67a4609b48a17eb0386538afe3d83a4f19597909773c9474f1f6685e59157f5c76c2de065f509b7a7cf8e629cca553dcb4445a372883199be746634e857266c2758f8d58dd0dea457790204fc26e26927d5bbff20a99aed0a95d850ec3221f4f1d8f13a8f00be13519ef898d39d28568bb7894c39") syz_usb_disconnect(r5) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; dp = 
opendir(dir);
	if (dp == NULL)
		exit(1);
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		/*
		 * NOTE(review): the snprintf result is not checked, so an over-long
		 * path would be truncated silently and the truncated name passed to
		 * lstat/unlink below - confirm this cannot happen for the directories
		 * this helper is used on.
		 */
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		/* lstat rather than stat: a symlink is reported as a link and unlinked below, not followed. */
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			/* NOTE(review): the entry is re-opened by name after the lstat check; nothing here pins it in between. */
			remove_dir(filename);
			continue;
		}
		if (unlink(filename))
			exit(1);
	}
	closedir(dp);
	if (rmdir(dir))
		exit(1);
}

/*
 * Start fn(arg) on a new thread with a 128 KiB stack.
 * Tries pthread_create up to 100 times, sleeping 50 us between attempts when
 * errno is EAGAIN; any other failure, or running out of attempts, ends the
 * process with exit(1). The thread handle is not kept.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i;
	for (i = 0; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		/*
		 * NOTE(review): pthread_create reports failure through its return
		 * value; POSIX does not promise that errno is set as well, so this
		 * retry may not trigger on every platform - confirm.
		 */
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

/* A one-shot flag (`state` is 0 or 1) guarded by a mutex, with a condition variable for waiters. */
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

/* Initialise the mutex and condition variable and clear the flag; exits on failure. */
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

/* Clear the flag. NOTE(review): written without taking `mu`, unlike the other accessors. */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/* Set the flag and wake all waiters. Setting an event that is already set ends the process with exit(1). */
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

/* Block until the flag is set. */
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

/* Return the current flag value, read under the mutex. */
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

/*
 * Wait until the flag is set or more than `timeout` milliseconds (measured
 * with current_time_ms) have passed, then return the flag value.
 *
 * NOTE(review): `ts` is filled with the remaining interval, while POSIX
 * pthread_cond_timedwait takes an absolute deadline. If that applies on the
 * target, each wait would time out at once and this loop would poll
 * current_time_ms() until the timeout elapses - confirm.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		/* Cannot wrap: the loop is left below as soon as now - start exceeds timeout. */
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return
res; }

/* -------------------------------------------------------------------------- */

/*
 * Redefinitions to match the linux types used in common_usb.h.
 * All descriptor structs are packed, so their size is the sum of their fields.
 */

/* Endpoint descriptor as laid out here: 9 bytes. */
struct usb_endpoint_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t bInterval;
	uint8_t bRefresh;
	uint8_t bSynchAddress;
} __attribute__((packed));

/* Device descriptor: 18 bytes. */
struct usb_device_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint16_t idVendor;
	uint16_t idProduct;
	uint16_t bcdDevice;
	uint8_t iManufacturer;
	uint8_t iProduct;
	uint8_t iSerialNumber;
	uint8_t bNumConfigurations;
} __attribute__((packed));

/* Configuration descriptor header: 9 bytes. */
struct usb_config_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t wTotalLength;
	uint8_t bNumInterfaces;
	uint8_t bConfigurationValue;
	uint8_t iConfiguration;
	uint8_t bmAttributes;
	uint8_t bMaxPower;
} __attribute__((packed));

/* Interface descriptor: 9 bytes. */
struct usb_interface_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bNumEndpoints;
	uint8_t bInterfaceClass;
	uint8_t bInterfaceSubClass;
	uint8_t bInterfaceProtocol;
	uint8_t iInterface;
} __attribute__((packed));

/* Control request header: 8 bytes. */
struct usb_ctrlrequest {
	uint8_t bRequestType;
	uint8_t bRequest;
	uint16_t wValue;
	uint16_t wIndex;
	uint16_t wLength;
} __attribute__((packed));

/* Device qualifier descriptor: 10 bytes. */
struct usb_qualifier_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint8_t bNumConfigurations;
	uint8_t bRESERVED;
} __attribute__((packed));

/* Request type: bits 5-6 of bRequestType. */
#define USB_TYPE_MASK (0x03 << 5)
#define USB_TYPE_STANDARD (0x00 << 5)
#define USB_TYPE_CLASS (0x01 << 5)
#define USB_TYPE_VENDOR (0x02 << 5)
#define USB_TYPE_RESERVED (0x03 << 5)

/* Descriptor types; the GET_DESCRIPTOR lookup compares them with the high byte of wValue. */
#define USB_DT_DEVICE 0x01
#define USB_DT_CONFIG 0x02
#define USB_DT_STRING 0x03
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT 0x05
#define USB_DT_DEVICE_QUALIFIER 0x06
#define USB_DT_OTHER_SPEED_CONFIG 0x07
#define USB_DT_INTERFACE_POWER 0x08
#define USB_DT_OTG 0x09
#define USB_DT_DEBUG 0x0a
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
#define USB_DT_SECURITY 0x0c
#define USB_DT_KEY 0x0d
#define USB_DT_ENCRYPTION_TYPE 0x0e
#define USB_DT_BOS 0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define USB_DT_WIRELESS_ENDPOINT_COMP 0x11
#define USB_DT_WIRE_ADAPTER 0x21
#define USB_DT_RPIPE 0x22
#define USB_DT_CS_RADIO_CONTROL 0x23
#define USB_DT_PIPE_USAGE 0x24
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31

/* Request codes (bRequest). Several names share one value, e.g. 0x0E and 0x0F. */
#define USB_REQ_GET_STATUS 0x00
#define USB_REQ_CLEAR_FEATURE 0x01
#define USB_REQ_SET_FEATURE 0x03
#define USB_REQ_SET_ADDRESS 0x05
#define USB_REQ_GET_DESCRIPTOR 0x06
#define USB_REQ_SET_DESCRIPTOR 0x07
#define USB_REQ_GET_CONFIGURATION 0x08
#define USB_REQ_SET_CONFIGURATION 0x09
#define USB_REQ_GET_INTERFACE 0x0A
#define USB_REQ_SET_INTERFACE 0x0B
#define USB_REQ_SYNCH_FRAME 0x0C
#define USB_REQ_SET_SEL 0x30
#define USB_REQ_SET_ISOCH_DELAY 0x31
#define USB_REQ_SET_ENCRYPTION 0x0D
#define USB_REQ_GET_ENCRYPTION 0x0E
#define USB_REQ_RPIPE_ABORT 0x0E
#define USB_REQ_SET_HANDSHAKE 0x0F
#define USB_REQ_RPIPE_RESET 0x0F
#define USB_REQ_GET_HANDSHAKE 0x10
#define USB_REQ_SET_CONNECTION 0x11
#define USB_REQ_SET_SECURITY_DATA 0x12
#define USB_REQ_GET_SECURITY_DATA 0x13
#define USB_REQ_SET_WUSB_DATA 0x14
#define USB_REQ_LOOPBACK_DATA_WRITE 0x15
#define USB_REQ_LOOPBACK_DATA_READ 0x16
#define USB_REQ_SET_INTERFACE_DS 0x17
/* The next five are written in decimal: 20..23 equal 0x14..0x17 above. */
#define USB_REQ_GET_PARTNER_PDO 20
#define USB_REQ_GET_BATTERY_STATUS 21
#define USB_REQ_SET_PDO 22
#define USB_REQ_GET_VDM 23
#define USB_REQ_SEND_VDM 24

/* Capacity limits of the parsed-descriptor tables below. */
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

/* One endpoint: a copy of its descriptor plus a handle. */
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

/* One interface: a pointer to its descriptor plus cached fields and its endpoints. */
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t
bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; };

/*
 * Parsed view of one device's descriptor blob. `dev`, `config` and each
 * ifaces[].iface point into the caller's buffer rather than owning a copy,
 * so that buffer has to stay valid for as long as the index is used.
 */
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

/* Association of a file descriptor with its parsed descriptor index. */
struct usb_info {
	int fd;
	struct usb_device_index index;
};

/* Fixed table of known devices; usb_devices_num counts the slots handed out so far. */
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

/*
 * Build `index` from a descriptor blob of `length` bytes: a device descriptor
 * immediately followed by a configuration descriptor and the descriptors
 * nested in it.
 *
 * Returns false when the blob is shorter than a device descriptor plus a
 * configuration descriptor header, true otherwise. Interfaces beyond
 * USB_MAX_IFACE_NUM and endpoints beyond USB_MAX_EP_NUM per interface are
 * skipped, not reported as errors.
 */
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	/* Everything after the device descriptor is treated as the configuration. */
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	/* The walk starts at offset 0, i.e. at the device descriptor itself. */
	size_t offset = 0;
	while (true) {
		/* Need at least the two header bytes (length, type). */
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		/* A length of 2 or less stops the walk. */
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		/*
		 * NOTE(review): only desc_length is bounds-checked against `length`.
		 * The interface branch reads fixed fields through a struct pointer and
		 * the endpoint branch copies sizeof(desc) bytes, so a descriptor that
		 * declares a shorter length close to the end of the buffer could be
		 * read past `length` - confirm whether desc_length should also be
		 * compared with the struct size.
		 */
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		/* An endpoint is attached to the most recently recorded interface. */
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

static
// add_usb_index: claim the next slot of usb_devices for fd and index the
// descriptor blob dev[0..dev_len) into it. (The `static` specifier of this
// definition sits at the end of the previous line of the dump.)
// Returns the slot's index, or NULL when the table is full or the blob is
// rejected by parse_usb_descriptor.
// The stored index keeps pointers into dev (parse_usb_descriptor saves
// buffer-relative pointers), so dev must stay mapped while the index is used.
struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	// The counter is incremented before any check and never decremented, so a
	// rejected blob still consumes a slot.
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	int rv = 0;
	rv = parse_usb_descriptor(dev, dev_len, &usb_devices[i].index);
	if (!rv)
		return NULL;
	// Publish fd only after the index is filled in; pairs with the acquire
	// load in lookup_usb_index.
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// lookup_usb_index: return the index stored for fd, or NULL if no slot holds it.
// NOTE(review): every slot is scanned, including unused ones. usb_devices has
// static storage, so unused slots hold fd 0, and nothing visible here clears a
// slot when its fd is closed; a lookup for fd 0 or for a reused descriptor
// number would return the first matching (possibly stale) slot.
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

// One caller-supplied string descriptor: len bytes at str.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Caller-supplied descriptor set for the connect handshake: optional device
// qualifier and BOS blobs, followed by strs_len string descriptors in a
// trailing zero-length array. Lengths and pointers are taken as given.
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor: bLength 8, type STRING, then "syz" as 16-bit
// little-endian characters.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

// Fallback string descriptor 0 (language list): bLength 4, one LANGID 0x0409.
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// lookup_connect_response_in: choose the reply to a device-to-host control
// request. Only standard GET_DESCRIPTOR is answered. On success sets
// *response_data / *response_length and returns true; returns false when fd
// has no index or the request is not handled.
// The reply lengths for CONFIG, STRING, BOS and QUALIFIER come from the
// caller-supplied blobs; this function does not check that that many bytes
// are readable at the returned pointer.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// High byte of wValue selects the descriptor type.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				// Low byte of wValue is the string index. This is the only
				// case that tolerates descs == NULL.
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// NOTE(review): descs is dereferenced without the NULL check
				// the STRING case performs; a NULL descs faults here.
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				// NOTE(review): descs is dereferenced without a NULL check here too.
				if (!descs->qual) {
					// NOTE(review): response_data is a char** (the address of
					// the caller's pointer variable), not a descriptor buffer.
					// The stores below therefore overwrite the caller's
					// `response_data` local and, if the qualifier struct is
					// larger than a pointer (confirm its size), the stack
					// bytes after it; *response_data is never pointed at a
					// real buffer, and the caller then uses the overwritten
					// pointer as a memcpy source. A fix needs a separate
					// descriptor buffer that *response_data is set to.
					struct usb_qualifier_descriptor* qual =
					    (struct usb_qualifier_descriptor*)response_data;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Callback type for host-to-device control requests: returns true when the
// request is accepted and sets *done when the handshake should stop.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts only standard SET_CONFIGURATION, which ends the
// handshake. fd and descs are unused.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

/* -------------------------------------------------------------------------- */

// Open the virtual host controller device; returns the fd or a negative value.
static int vhci_open(void)
{
	return open("/dev/vhci", O_RDWR);
}

// Select the controller port used for subsequent operations on fd.
static int vhci_setport(int fd, u_int port)
{
	struct vhci_ioc_set_port args;
	args.port = port;
	return ioctl(fd, VHCI_IOC_SET_PORT, &args);
}

// Signal attachment of the emulated device on the selected port.
static int vhci_usb_attach(int fd)
{
	return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL);
}

// Read exactly size bytes from fd into buf. Returns 0 on success, -1 on a
// read error.
// NOTE(review): a read() result of 0 is not treated as failure (vhci_usb_send
// uses `<= 0`), so if the device keeps returning 0 with size > 0 this loop
// never terminates.
static int vhci_usb_recv(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = read(fd, ptr, size);
		if (done < 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

// Write exactly size bytes from buf to fd. Returns 0 on success, -1 when a
// write fails or makes no progress.
static int vhci_usb_send(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	ssize_t done;
	while (1) {
		done = write(fd, ptr, size);
		if (done <= 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

/* -------------------------------------------------------------------------- */

// syz_usb_connect_impl: attach an emulated USB device described by
// dev[0..dev_len) and answer the host's control requests until the OUT
// callback reports completion. Returns the vhci fd on success, -1 on failure.
// speed is accepted but not used in this body.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	struct usb_device_index* index;
	int portnum, fd, rv;
	bool done;
	portnum = procid + 1;
	if (!dev) {
		return -1;
	}
	if (portnum != 1) {
		/* For now, we support only one proc. */
		return -1;
	}
	fd = vhci_open();
	if (fd < 0) {
		return -1;
	}
	// On the error paths below fd is closed, but the usb_devices slot claimed
	// here stays populated with that fd number.
	index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		goto err;
	}
	rv = vhci_setport(fd, portnum);
	if (rv != 0) {
		goto err;
	}
	rv = vhci_usb_attach(fd);
	if (rv != 0) {
		goto err;
	}
	done = false;
	while (!done) {
		vhci_request_t req;
		rv = vhci_usb_recv(fd, &req, sizeof(req));
		if (rv != 0) {
			goto err;
		}
		if (req.type != VHCI_REQ_CTRL) {
			goto err;
		}
		char* response_data = NULL;
		uint32_t response_length = 0;
		char data[4096];
		// NOTE(review): both casts below name `usb_ctrlrequest` without the
		// `struct` keyword. The program is compiled as C (`-x c` in the
		// recorded compiler invocation), which matches the two
		// "unknown type name 'usb_ctrlrequest'" diagnostics reported after the
		// listing; the prototypes above spell it `const struct usb_ctrlrequest*`.
		// NOTE(review): the cast also assumes req.u.ctrl has the same layout
		// as struct usb_ctrlrequest (this code reads its wLength via UGETW,
		// the lookup helpers read wValue as an integer) - confirm.
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			bool response_found = false;
			response_found = lookup_connect_response_in(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &response_data, &response_length);
			if (!response_found) {
				goto err;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, (const usb_ctrlrequest*)&req.u.ctrl, &done)) {
				goto err;
			}
			response_data = NULL;
			response_length = UGETW(req.u.ctrl.wLength);
		}
		if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			/* TODO: possibly revisit */
		}
		// Bound every access to data[]: an oversized reply is dropped to
		// length 0 (not truncated), then the length is capped at wLength.
		if (response_length > sizeof(data))
			response_length = 0;
		if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length)
			response_length = UGETW(req.u.ctrl.wLength);
		// The destination is bounded by the checks above; the source is only
		// as long as the descriptor blobs say it is.
		if (response_data)
			memcpy(data, response_data, response_length);
		else
			memset(data, 0, response_length);
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			// IN: send a size header followed by the payload; nothing is sent
			// for an empty reply.
			if (response_length > 0) {
				vhci_response_t res;
				res.size = response_length;
				rv = vhci_usb_send(fd, &res, sizeof(res));
				if (rv == 0)
					rv = vhci_usb_send(fd, data, response_length);
			}
		} else {
			// OUT: consume the data stage into the scratch buffer.
			rv = vhci_usb_recv(fd, data, response_length);
		}
		if (rv < 0) {
			goto err;
		}
	}
	sleep_ms(200);
	return fd;
err:
	close(fd);
	return -1;
}

// syz_usb_connect: pseudo-syscall entry point; reinterprets the raw arguments
// (a2 and a3 are addresses) and runs the handshake with the generic OUT handler.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// syz_usb_disconnect: close the vhci fd, wait 200 ms, return close()'s result.
// The usb_devices slot for this fd is left as is.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// sandbox_common: start a new session and cap resource usage: locked memory
// 8 MiB, file size 1 MiB, stack 1 MiB, no core dumps, 256 open files.
// setrlimit() results are not checked, so a limit that fails to apply goes
// unnoticed.
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// do_sandbox_none: the "none" sandbox applies only the limits in
// sandbox_common (no privilege change is made here) and then runs loop().
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

// syz_execute_func: call the address in text as a void(void) function.
// The bytes at that address are fuzzer-generated (execute_call copies them in
// right before calling this), so the listing is meant to run only inside the
// disposable test machine it was generated for.
static long syz_execute_func(volatile long text)
{
	// Purpose of p is not visible here; presumably it reserves stack space
	// for the called code - confirm.
	volatile long p[8] = {0};
	(void)p;
	// Empty asm with constant register inputs: asks the compiler to place
	// these values in registers before the call.
	asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l),
		     "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l));
	((void (*)(void))(text))();
	return 0;
}

// Per-worker state: created flag, the call number to run, and the two events
// used to hand work to the worker and to report completion.
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running;

// Worker thread body: wait for ready, run the assigned call, decrement the
// running counter, signal done; repeats forever.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// execute_one: run calls 0..14 on worker threads, twice. The first pass waits
// for each call (45 ms, plus 3000 ms for call 13 and 300 ms for call 14); the
// second ("collide") pass does not wait after even-numbered calls, so they can
// overlap with the next call.
static void execute_one(void)
{
	int i, call, thread;
	int collide = 0;
again:
	for (call = 0; call < 15; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			// Workers are created lazily, starting in the "done" state.
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			// Skip workers still busy with an earlier call.
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			if (collide && (call % 2) == 0)
				break;
			event_timedwait(&th->done, 45 + (call == 13 ? 3000 : 0) + (call == 14 ? 300 : 0));
			break;
		}
	}
	// Give outstanding calls up to about 100 ms to finish.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
	if (!collide) {
		collide = 1;
		goto again;
	}
}

static void execute_one(void);

#define WAIT_FLAGS 0

// loop: forever create a fresh "./<iter>" directory, fork a child that runs
// the program once inside it, poll for the child once per millisecond, kill it
// after 5 seconds, then remove the directory. Never returns.
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers, used only when the system headers do not define
// them (presumably the target's numbering - confirm).
#ifndef SYS_accept
#define SYS_accept 30
#endif
#ifndef SYS_dup2
#define SYS_dup2 90
#endif
#ifndef SYS_fcntl
#define SYS_fcntl 92
#endif
#ifndef SYS_getpgrp
#define SYS_getpgrp 81
#endif
#ifndef SYS_getsockname
#define SYS_getsockname 32
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_pwrite
#define SYS_pwrite 174
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 105
#endif
#ifndef SYS_socketpair
#define SYS_socketpair 135
#endif
#ifndef SYS_stat
#define SYS_stat 439
#endif

// Result slots shared between calls; the initializer continues on the next
// line of the dump.
uint64_t r[6] =
{0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_fcntl, 0xffffff9c, 0xcul, 0xffffff9c); if (res != -1) r[0] = res; break; case 1: res = syscall(SYS_dup2, -1, r[0]); if (res != -1) r[1] = res; break; case 2: memcpy((void*)0x20000000, "\x5d\x1d\xd4\x36\xf0\xf5\xa3\x2b\x11\x7d\x0f\x61\xdc\x01\x05\x11\xe7\xe3\xc7\xf9\x2e\x33\x63\x0d\xfc\x7a\x02\xf9\xf4\xdf\x14\xc2\x15\xd8\x71\x6f\x98\x89\x2c\xba\x0d\xdc\xbb\xd6\xb2\x68\x3f\x5e\x02\x81\x52\xeb\xbe\x2d\x26\xa7\xe4\xc4\x56\x73\xb5\x5c\xf7\x6e\x77\x95\xdd\x12\x4f\x82\x94\x7e\x02\x44\xeb\x08\xcf\xb0\xb5\xda\x0c\x82\x9b\x15\x80\xac\x64\x47\x3f\x06\x9f\x99\x28\xc1\x04\x3b\xde\xaa\x54\x18\x29\xf4\xef\x60\xf8\x0e\xa0\xb9\xb9\x12\xa9\x74\xa5\xe9\x8e\xa7\x54\x23\xd1\x12\x68\x15\xde\x13\x19\xa7\x8c\x81\x27\xc0\x17\xf8\xcb\xe8\x6d", 135); syscall(SYS_pwrite, r[1], 0x20000000ul, 0x87ul, 6ul); break; case 3: *(uint32_t*)0x20000100 = 8; syscall(SYS_getsockname, r[0], 0x200000c0ul, 0x20000100ul); break; case 4: *(uint32_t*)0x20000180 = 0xc; syscall(SYS_accept, r[1], 0x20000140ul, 0x20000180ul); break; case 5: syscall(SYS_socketpair, 0x18ul, 0x844590f3b4efa023ul, 0x7f, 0x200001c0ul); break; case 6: *(uint32_t*)0x20000240 = 8; res = syscall(SYS_accept, 0xffffff9c, 0x20000200ul, 0x20000240ul); if (res != -1) r[2] = res; break; case 7: res = syscall(SYS_getpgrp); if (res != -1) r[3] = res; break; case 8: memcpy((void*)0x20000280, "./file0\000", 8); res = syscall(SYS_stat, 0x20000280ul, 0x200002c0ul); if (res != -1) r[4] = *(uint32_t*)0x200002dc; break; case 9: *(uint32_t*)0x200003c0 = r[3]; *(uint32_t*)0x200003c4 = r[4]; *(uint32_t*)0x200003c8 = 0; syscall(SYS_setsockopt, r[2], 0xffff, 0x11, 0x200003c0ul, 0xcul); break; case 10: memcpy((void*)0x20000000, 
"\xd2\x88\x11\xeb\x3e\xf8\x05\x7d\x4d\x7c\x72\x29\xab\x1e\x5a\x02\x15\x74\x40\xec\x59\x86\x63\x31\x4f\x52\x2e\x6a\x8f\x7e\x2b\x68\xcd\x21\x08\x34\xf1\x3e\x84\xf2\x57\xc3\x58\xe7\xe1\x97\x17\xa7\x93\x53\xa0\x60\x9a\xbf\x39\xfc\x23\xd2\x80\xe0\x31\xdb\xc3\x60\x48\xed\x67\xb3\x18\xa0\x55\x3a\x54\x1c\x84\x16\x7d\x1b\xf3\x90\x95\x1a\xbf\xd5\x37\x01\x57\xad\x02\x4b\xea\x03\x0e\x6c\x00\x3d\x2e\x50\xa9\x32\x90\x39\x93\x42\x94\x72\xcc\xa8\xbe\x88\x08\xca\x29\x15\x85\x8e\xd2\x59\x8c\x1e\x76\xf9\x8e\x66\x2b\x06\x78\xbd\xfd\x91\x86\x2b\x0a\xf8\x4e\x15\x85\xc3\x70\x9e\xeb\x1b\x8f\x06\x57\x03\xa7\x5c\x12\xe1\xfa\x87\xb7\x7d\x46\xd3\x74\xee\x21\x13\xbb\xbd\x6b\xde\xbb\x4c\xf0\x68\x7f\x79\xdb\x89\x5a\x8a\xc8\x1c\x3b\x28\x6c\x03\x42\x7e\x32\x11\xe7\x14\x20\xaf\xa9\xb5\xc9\x01\x3e\x63\x8e\xd9\x7d\xe9\x98\x3f\xb3\x34\x24\xfe\x11\xef\xd7\x82\x4c\xd6\x97\x92\x86\xd5\x9a\x5c\x79\x33\x8b\x6a\x9a\x2d\x15\xe7\x07\x91\xbd\xb5\x18\x6a\xa7\x4e\x17\x5a\x00\x49\xc1\xe3\x9d\xb5\x36\x37\x7a\x83\x54\x91\x5a\x8a\x15\x12\x5b\x8b\xe6\x2f\x01\xa9\x37\x40\xb2\x42\x8b\x18\x9e\xa4\x2e\x31\xb6\xce\x7a\xa3\x67\x6b\xf1\x46\x8b\x75\x1b\xf0\x6a\xac\xf1\x59\x04\xdb\x50\xc1\xbe\x9d\xf4\xcc\x9d\x41\x59\x9c\x57\xcf\xaf\x66\xb7\xe5\xee\x2d\x23\x72\x63\x0a\x7b\xf5\x38\xda\x78\x6d\xff\xf6\x05\x2e\x02\x55\x8a\x4d\x1c\xcf\x70\x99\xa8\xc5\x99\xc3\xc8\xb5\x15\xe8\x44\xf1\xe2\x3d\xe7\x3d\x80\x61\x27\x22\x82\x53\xa7\x05\x3b\x5e\x91\x51\x16\x85\x37\x0c\x98\x0f\xfa\x72\xe5\x55\x1f\xf0\x5f\xcb\xd9\x40\xd5\x14\xbe\xd2\x86\x0b\x87\x5b\x9a\x12\xb2\x6e\xdb\xb2\x92\xe0\xe8\xd8\xcb\xcd\x9d\xe3\xab\xa6\x8f\x7c\x14\x19\x24\x9f\xe4\x3a\x67\x54\xbf\x02\xa3\x6e\x0f\xd1\xf2\x7c\x48\xe9\xd1\x6c\x18\xed\x14\x84\xe5\x6c\xc5\xbc\x34\x83\x51\x93\x11\xe3\x37\x54\xaf\x2f\xc4\xd3\x7c\xfa\x1c\x6e\x5f\x0d\x38\xae\x96\xa6\x21\xc0\x4d\xb0\xfd\x7d\x79\x32\x97\xe4\x98\x1f\x90\x82\x93\x7b\x93\x22\xf4\x94\xbd\x98\xb2\xf4\x3d\x9b\x5c\x19\xff\x19\xec\x17\x7c\x63\x05\xb1\x88\x00\x44\x51\x11\x76\x3c\xda\xee\xc3\x51\x68\x93\x84\x78\x3a\xe7\xcf\xf9\xb1\x06\x6
3\x9e\xa6\x11\xfb\x72\xe8\x6d\x68\x5e\xa0\xf6\xb6\x5d\xc3\xb9\xa2\x43\x6c\x89\x25\x73\x82\xd1\x15\x16\xa2\xb0\x66\x37\xcf\xd9\x31\xe2\xca\x4e\x62\x53\x43\xd6\xb9\x65\x25\xc5\xbf\x7d\xcc\x43\x7f\x47\x4e\x1f\xf9\xf3\xdc\xc8\x57\x40\x44\x4a\x4c\x56\x9f\x50\x37\x9b\x98\x5f\x68\x43\xac\x29\xf0\x9a\x9f\x99\x81\x9a\xe2\x10\xdb\x22\xab\x19\x34\x09\x74\x95\x7f\x1f\xbe\xa4\x1c\x58\x51\xb2\xfa\x7a\x2f\xa8\x75\x81\xa7\xfb\x42\xdb\x8c\x24\xb4\xc6\xf8\x29\xbe\x59\x2c\xa0\xd0\xcf\x1a\x2f\xe6\x7d\xec\x53\x2c\xfa\x77\xf8\xf1\x95\x5d\xa3\x35\xa8\x4d\x5a\xef\x49\x05\xa9\xa2\x36\xc6\x07\x77\x4a\x0b\x4e\xf1\xd5\x0b\x55\xbd\x49\xaa\x87\x7c\x2b\x6b\x2e\x37\xa3\xe4\xa3\xb2\x4e\x95\xfa\x55\x7b\xa8\x9a\xaf\x42\x27\xb5\xbb\x0e\x64\x0b\x46\x98\xcd\x00\x4f\x87\x0c\x7d\xaa\x9e\xa4\x41\xfd\xbe\x8b\x30\x53\xdf\xfc\xe6\x46\xc0\xb0\x6d\xf3\x23\x25\x2c\xad\xa7\xf2\x4f\xcc\x21\x62\x4e\xdf\x49\x56\x7b\x26\x93\xfe\xc0\x69\x3d\x24\x3e\x06\x7b\x21\xe2\xbe\x29\x6c\x52\xbb\x2a\x38\x1f\x47\x94\xaa\x2e\x85\xdd\x5c\xb6\x67\x7e\x94\xb7\xe0\x03\xeb\xad\x24\x57\x37\x62\xa6\x40\x97\x3c\x07\x72\x99\x4d\xa2\x8c\x64\x90\xc1\xaf\x8f\x0f\x91\x75\x4e\x71\xc7\xf3\x26\xbd\x31\xdf\xc9\xc6\xfc\x20\x76\x7d\x71\x3a\x93\x31\x7b\xcb\xe0\xa3\xef\xc9\xc5\xa8\x57\x1b\x7b\x0a\x02\x97\x77\x41\xe8\xa8\x3c\xa8\x12\x96\x14\x5e\xc9\x55\xe1\xab\x98\x2c\x7f\x46\x62\x84\x56\x2b\x52\xde\x13\x55\x68\xa1\x42\xe6\x77\xc3\x43\xf5\xeb\xd3\x37\x55\xd0\xb9\x15\x65\x64\x6d\x7c\x36\x2e\x46\x64\x00\x7c\xae\x21\x67\xdb\x5d\x0a\x93\x3e\x12\x19\xd3\xd6\xa7\x38\x75\x76\xe5\x42\xf8\x16\xfa\x51\x6d\x44\xaf\xc3\xd9\x92\x29\xd4\xf5\x7f\xa8\x3b\x89\x48\xf8\x98\xb8\x52\x8d\xed\x2c\x53\x9b\x60\x33\x49\x1c\x6d\x78\x0c\xac\xb2\xbc\x3f\x52\xc2\x79\x4d\xe8\xdb\x39\x58\x12\xd4\xf7\xa4\x4b\x9c\x04\xd6\xfd\x3c\xa8\x6c\x68\x64\x7d\x3e\x47\x5d\xe5\x81\xed\xc3\x88\xdc\xde\x91\xb8\xb2\x4c\xd4\x2b\x91\xa1\x9e\x91\xb4\xb6\x37\xb4\x3b\x6f\xa4\xe1\x50\x44\x3e\xc7\xc0\x86\x95\xc4\x2b\xc6\xa9\x30\xb3\x08\x42\x04\x02\x3b\xfd\x15\xe1\xc0\x31\x2e\x46\xf4\x30\xe2\x6b\x0f\xcc\xa1\x5
2\x20\x9f\xc1\xc7\xf9\x91\xc1\x11\xbd\xcd\xa7\x2e\x19\x86\x26\x76\x6e\xaf\xc8\xcf\x54\x92\x18\x9d\x4c\xc9\xa8\xe2\xa8\xa9\xcb\x73\x89\x78\xec\xec\x37\x37\x6d\xc9\x9c\xa8\xd3\xef\xcf\xe7\x3d\xa5\x38\x96\x0e\xbf\x78\xf0\xa4\x36\x63\x76\xae\x5f\x1b\xb1\xf8\x11\xec\xce\xb6\x25\x10\x89\x78\x55\xe3\x06\x61\x04\x70\x1b\x94\xf6\x19\x13\xda\x46\x99\x31\x3c\xec\x63\xa8\x8a\x9b\xa4\x44\xa5\xfc\x01\xc0\x03\xbf\x9d\x6b\x25\x25\x04\xe4\x77\xf4\x0f\xb3\x3e\x59\x5f\x30\xac\x53\x8b\xc9\xee\xb2\x93\x72\xb7\xa9\xd1\xf6\xa2\xa9\xb0\x17\x7a\x17\x1e\x5f\x87\x9e\xab\x36\x3c\x76\x08\x61\x7c\x26\x19\x7d\xf1\xda\x9b\xaa\x02\x75\xe2\x3e\xd1\xb5\x92\xce\xbd\xcd\x6e\xf2\x2b\x36\xc4\xf2\x87\xdf\xe8\x49\xcf\x54\xea\xed\x55\x70\xff\xc4\x50\xcd\xe8\xb6\xee\x12\xef\xbc\x8d\xdf\xea\x6b\xf7\x82\xc2\x7e\x5a\x58\x16\xb6\xf0\x4f\xf5\xfe\x97\x7f\x05\xa5\xb1\x2a\x13\x64\xa6\x59\xcb\x6b\x11\xab\x7a\x16\x82\xe1\x09\x7e\x61\x87\xcd\x7c\xbb\xa8\x7e\xf4\xca\x8c\x2c\xaf\x28\x49\x99\x13\xd9\x8a\x9e\x9f\x2e\x11\xc5\x2f\x37\xfa\xf2\xcd\x20\x7b\xbe\x57\x34\xda\x0e\x91\xba\x5f\x8b\x48\xad\x59\xb1\x22\x67\x85\x50\xb2\x7f\xef\xe7\x1a\xf5\x3d\x6f\x93\x41\x04\x38\x73\x89\xb5\x93\x24\xcd\xbf\x44\x6e\xfe\x50\xdb\xd2\x3d\xb7\x41\x8e\xc6\x66\x6e\xd9\xfc\xaa\x6f\x70\xbe\xac\x9c\xa4\x2a\x90\xee\xc8\x56\x7b\xe2\x1f\xb4\x5f\x08\x86\x75\x57\x15\xf3\x17\x37\x35\x23\xdf\xeb\x84\x5a\xb7\x73\x33\xcf\x8d\xdf\x92\x62\x44\xa3\x8e\x02\x4d\xf5\xaf\x9e\xa0\x72\x53\xd0\x7a\x59\xdb\x51\x12\x3f\xd8\x11\xcc\xe2\xd2\x06\xea\xe6\x94\x3e\xc8\x75\x59\xeb\x0e\xb2\x8a\x94\xa6\x27\x83\x1e\x45\xb3\xa7\xd1\xf8\x9f\x7a\x49\xfb\xce\x7c\x5a\x6e\xd8\x1f\x4e\x68\xdd\x3c\xe2\x93\x46\xf7\xc1\x4e\x50\x64\x54\x8d\x57\xf1\x13\x63\x13\x9e\x5b\x66\x9a\x17\x44\xbd\x99\x89\x40\x08\x27\x97\x3e\x67\xe9\x4c\xb5\x55\xb0\x8c\xf0\x45\x65\xf3\x3d\xb1\x71\x96\xd1\x65\x18\xb4\xf4\xb0\x23\x05\x3e\x86\xa7\x27\x55\x21\xfa\x5b\x20\x99\x3d\xe7\xc2\xfa\x09\x79\x7d\x92\x4d\x59\x89\x3c\xaa\x98\xd9\x7b\x58\x62\x89\xda\x8c\x9c\xc3\x81\x0c\xfd\xe8\x5b\x31\xa4\xe3\x11\x8a\x5c\xc2\xfb\x6
3\xe4\x07\x3d\xc2\x24\xe5\x01\xb6\x37\xc6\x66\x74\xea\xd1\xe8\x4a\x7e\x3e\x3c\xe4\xad\xaf\x0c\x72\x3e\x38\xa4\x1d\xb5\x47\xe9\xcc\x33\x82\xec\xf9\xf6\xb6\xf9\x64\xc1\xf8\x1f\xe7\x53\x65\x59\x3c\x9a\x55\x15\x2e\xc7\xc0\x50\x67\x47\x4b\xd7\x1a\x93\x70\x00\x9f\xee\x6d\x87\xf3\xee\xf6\xc9\x36\x0a\x50\x29\x41\xe9\x37\x30\x45\x41\x61\xd0\xf0\x39\x1f\x7c\x5e\xbd\xe6\x22\xf0\x5c\x1d\x67\x36\x89\x44\x39\x0b\x68\x17\x8f\xef\xb8\x25\xad\xd8\x12\xf4\x96\x86\x70\x53\x74\x01\x70\x35\x31\x66\x7c\xd5\x15\x0f\x21\x1b\x9f\xcf\xec\xf4\xee\x5e\x08\x80\xf3\x74\x8b\x9e\x7a\x74\x5e\x80\x2a\xff\xac\xc6\xb4\xaa\x5b\x5d\x83\x75\x0f\xc1\xc4\x7d\x4a\xb6\x91\x70\x90\x1e\x7f\x5e\x44\x2b\xb9\x8a\x89\x18\x60\x54\xac\xf2\x07\xa3\xcf\x70\x17\x31\x56\xc5\x59\xfd\x72\x86\x0a\x7d\x26\x79\xa2\xff\xcb\x53\x30\x20\x41\x13\xdb\xac\x6b\x3c\x3b\x69\xaa\x4f\x75\xf2\x1c\xb2\x15\x4a\x4a\x6b\x31\xc0\x25\xd5\x2a\xc5\x49\x60\x48\x3c\xed\xf3\xf1\x1a\x1a\xdf\xfe\xf2\xf1\xfe\xc9\x4a\x55\x61\xd9\x18\x68\x00\x1c\x3d\x83\x95\xff\x45\x0b\x14\x00\x95\xd6\x53\x64\x75\x37\x9f\x38\x63\x4a\xcf\x9d\xed\xff\x61\xb1\x7f\x7c\x87\xf8\xc0\x56\x6b\xe6\x25\x0c\xf4\x39\xeb\xa3\x8c\x37\x65\x39\x3a\x9e\xd1\x01\x6d\x50\x2b\xa1\x3a\x8e\xf6\xde\x35\xba\x66\x9b\x10\xa0\x00\x82\x23\xd2\xe2\xf8\x8d\x35\xfe\x0a\x73\x23\x32\x4b\xfa\xbf\x25\xa7\xac\x01\x90\x45\x49\xa2\x59\xe6\xa8\xd3\xa4\x96\x4f\x19\x7e\x94\xb8\xf9\xb3\xa3\x16\x3f\x63\x49\xe3\xda\xc7\xe0\x17\x48\xf6\x74\x79\x5c\xc3\xbd\x5a\x9a\x3a\xb5\xf2\xc1\x30\x81\x16\x7d\xf3\x7e\x37\x9e\xeb\x2e\xcf\x9c\xdf\xa2\x37\x15\x95\xf3\x08\x31\x05\x1a\xb1\x57\xac\x75\xf9\xeb\xc4\x8b\x49\x95\x59\x7e\x20\x6c\x7b\xa2\x29\xab\x30\xec\xcf\xe6\x62\x4d\x88\x49\xea\xe4\x1d\x2d\xc7\xa4\xd7\x57\xa3\x73\xb1\xd8\x66\x95\xc4\x20\xcc\x04\xbf\x0d\xa6\x64\xa7\x56\xb4\x82\x24\x16\x3d\xe4\x41\x8b\x93\x23\x39\xd2\x99\x06\x13\x13\xa6\x34\xa4\xba\x08\x9b\x12\xf8\x5d\x4d\xa1\xd2\x7d\x51\xde\x93\x08\x31\x0e\xf6\xae\xb3\x56\x23\xd0\xa7\x72\xc5\xce\xdd\x2a\x65\x9f\xde\xf0\x92\xb4\xdf\x6a\x88\xd2\x96\x42\x00\xc2\x85\xe8\xc1\x6
e\x74\x89\xb8\x1e\x41\x59\xdb\x06\x2c\xe8\xa7\xd0\xda\xb6\x51\x80\x92\x11\xed\xf0\x58\x6f\x28\x9e\xf0\x3d\xee\x7b\xb9\xf4\x38\xc1\xa3\x52\xf6\x34\x2c\x66\x4b\xfd\x35\xd2\x38\x85\xb0\x9b\xd1\xda\x62\xbd\x65\xd0\xbc\x09\xa5\xeb\x5a\xe9\x5e\xa3\x10\x88\x14\x77\x81\xc3\x35\xea\x17\x77\x72\xa2\x28\x96\x19\x1a\x7d\x15\x70\x2b\x6b\x34\x37\xce\xd8\x86\xcc\x85\xbb\x26\x86\x5c\xe8\x28\xb9\xfe\x78\xa0\x7b\x46\x3d\xf7\x33\x2f\x67\x92\xb2\xfd\x86\xd1\x7b\x1e\x98\xa4\xcc\x77\x29\xb0\x58\xc5\x98\xc9\x61\xc6\x34\xb1\x5d\x09\x73\xca\xcd\xd9\x73\x5a\x0f\x77\x78\x6a\xe2\xb0\x76\x6b\x31\x94\xa1\x27\x34\x5d\xd8\xc1\x1f\x69\xfa\x4c\x44\xcc\x5b\x30\xe0\x1f\x6d\xc5\x61\x33\x0f\x63\x63\x29\xc9\x7e\xc0\x5a\xe8\x29\x1d\x9a\x26\xb6\x05\xf1\xb2\x77\xc9\x32\x21\x15\x62\x6e\x29\x75\xc7\x91\xc3\xef\x10\x95\x4c\xb8\xb4\x7c\xea\x6c\xf6\x97\xeb\x9d\xb3\xbe\xcb\x11\x14\xce\x63\x92\x19\x9e\x87\xba\xc0\x43\xed\x7a\x15\x83\xdc\x66\x0b\x36\xde\xb0\x22\x1a\x79\xed\x70\xbf\x71\x3f\x3c\x9c\x88\x25\x83\x81\x4c\x2e\xca\x81\x51\xd2\x71\x71\x95\x92\xd5\xc1\xfc\x62\x66\xa2\x76\xa3\xe8\xd3\x88\x27\xb2\x90\xe1\x04\x46\x06\x99\x2d\x13\x42\x36\xa1\xae\x87\xf9\x33\x8b\x77\x41\xf2\xe8\xa7\x46\xeb\x0f\x60\x77\x62\xed\x4e\x18\x92\x3d\xba\xcf\xea\x14\x7a\xd5\x7e\xff\x61\x71\x67\xd0\xf5\x4d\xaa\xc4\x54\x37\xc5\xe6\x1b\x45\x93\x7e\x8a\xa5\xe7\xce\xef\x4c\xa2\x25\x4b\x97\x01\xa2\x2f\x57\x7f\xb6\x27\xe8\xe1\xc1\xc7\x04\x01\xae\x81\x1b\x9a\x53\xf4\xc1\x6a\x79\x43\xe3\xd8\x1b\xa3\xd9\x20\x9c\xbd\xfb\x20\x8b\x04\xce\x15\x8e\x7b\xa8\xee\x77\xb0\xb7\x5f\x52\x08\x68\x6d\xf7\x87\x12\xd2\x8f\x70\x03\x61\x15\x91\x00\x36\x9b\x63\x33\x84\xdd\xff\x44\x02\xc0\xab\x0e\x2e\xc0\xaa\x87\x18\x6a\x65\xd3\x48\x4d\x29\x21\xd6\x25\x3f\xd1\xfb\xf4\x6b\x63\xba\x72\xeb\x79\x5c\xc0\x25\x69\x0f\x1f\x48\xdb\xe3\x08\xf9\x78\xe2\xfd\x55\x13\xe2\xdd\xc0\xb0\x66\x19\x4f\xd5\x8d\x3e\xaa\x49\x69\x0b\xd7\xe7\x86\x38\x85\xeb\x5e\x2a\xc6\x87\x0d\xe8\x35\x92\x67\x5f\x74\xcf\x89\x89\xe1\x8e\x68\xf1\xb6\x06\x78\x27\x0c\xa6\xb9\xc0\xda\xf4\x44\x27\x8a\x7d\xc8\x2a\x9
7\x80\x73\x0a\xa0\x3b\xe5\x68\x13\xe8\x1d\x6f\x29\x6c\x6f\x87\xd0\x09\x96\x18\xaf\x9f\x7e\x99\x16\x49\xec\x36\x49\x72\xd4\xc8\xfb\x66\x96\x70\xec\x92\x96\xce\x17\x38\x38\xb9\xc9\x2b\xaf\x6b\xf8\x83\xc1\x34\xd2\xc1\xcb\xcd\x92\x8b\x54\x99\x1d\x4c\x00\xf4\xaa\x72\x70\xbf\x3b\xef\xeb\x10\x8e\x98\x62\xf3\x46\x88\xcc\x2d\xb3\xb7\x94\x37\x77\x67\x12\x79\xa1\x7f\x9c\x64\xc4\x0b\xd8\x48\x5e\xf5\x2e\xb9\x64\x31\x4c\x65\xaa\x34\x59\x6f\x16\xb8\x0f\x9e\xf7\x81\xc4\xe8\xee\xb0\xac\xd2\x89\x38\x6c\x1a\xe5\x06\xae\x5b\xd2\xb2\x0b\x76\x0c\xe0\xc7\x9b\x56\xb1\x34\xe2\x2f\x57\xc4\x4a\xba\xe2\xf4\xec\xad\x82\xef\xe4\x02\xa4\x3a\x47\x59\x45\x77\xa2\x4b\x79\xa9\x4c\x6f\x7a\x5e\xda\xab\xeb\x48\xfc\x5e\xc2\x7a\xec\xd8\x23\x80\xd0\xe9\x40\xa0\x33\xe8\x7a\x44\x74\xb9\x5d\x58\xa5\xfe\xc5\x9d\x80\xb0\x91\xe9\x16\x5a\x14\x32\x5b\x38\xc5\xe4\x56\x5c\x3f\x0f\x12\x6f\x8b\x2a\xdf\x83\x26\x8e\x00\x76\x64\x7d\xdd\x43\xff\x2d\x52\xd7\x73\xab\x30\x40\x88\x45\x8f\xac\x4f\xb9\x37\x9e\x20\x96\x85\x60\xa0\x75\x17\xd6\xe0\x00\x1d\x2a\x08\xc3\xc6\xc9\x78\x25\xe1\x22\x59\xea\x86\x1b\x0a\xd5\x64\x94\x50\xdf\xfb\x3a\xfa\xe4\x9c\xd3\x1e\xfb\x40\x51\x3c\x06\xb7\x95\xe0\x71\x60\x3a\x47\xd3\xc8\x39\xc4\x01\xec\xc3\x8b\x11\x7d\xf9\x38\x83\x6a\x15\xb3\x1a\x13\x5b\x58\x89\x2d\xb9\xb4\xeb\xf6\x84\xdb\x3f\x7e\xce\x8a\x9d\x60\xbc\x8c\x81\x0e\xba\x0c\xa0\xd8\x75\x83\x57\x37\xd2\x5b\x94\x8b\x39\x28\x60\xaa\x82\xcd\xd5\xff\x7c\x6b\x0b\x4d\x7a\xe1\x82\x16\x89\x49\xd9\x84\x0e\x33\x54\x5d\x61\x27\x72\x7a\xbe\x02\xdd\x01\x41\x8c\xe4\xdd\x46\xaf\x7b\x5f\x08\x44\xcb\x51\xd4\x99\x2f\x4c\xe1\x22\x3c\x23\x13\x7c\x21\x13\x61\xd0\x15\x0e\xd2\x35\xa0\x59\x8f\x9e\x1d\x81\x6a\x40\xc6\xae\xb8\xad\x56\x26\xbc\x22\xb2\xe9\x39\x57\x47\x44\x1c\xc7\x8a\x55\x8d\xed\xc4\x02\x47\x32\x48\x98\x99\x12\xa0\xaa\x71\xac\x8d\x77\x54\xde\x78\xa1\xd5\xb9\xe5\x48\xd4\xeb\xef\x22\x4e\x82\xcd\x39\x35\x24\xd7\x9b\x88\xd6\xe0\x40\x5a\xd0\x2d\xa7\x11\x7b\xa0\x37\x29\x4e\x53\x5f\xff\x4b\xb7\xbf\xca\xce\xde\x33\x48\xf0\x1d\x16\x13\x48\xf4\xee\xe1\xa5\x15\xbe\x5
3\x0e\x0f\x0e\x64\xc5\x65\x44\xd4\xae\x10\x64\x45\xcc\xe1\x41\x0c\x79\x0b\xdb\xeb\x1e\x2d\x29\x3e\x01\x2e\x02\x97\xc4\x6c\x91\x45\xdc\xcb\xd6\xff\x77\xcb\xfa\xcd\xa4\x6f\x27\xd7\x1d\x02\xde\x14\xb6\x1c\x50\x53\x33\x19\xc6\x68\xfc\xfa\xc0\x36\xc7\x86\x7d\x12\xa3\xd0\xd8\xd4\x49\xc4\x96\x69\x58\x63\x49\xf2\x23\x9c\x4f\xa5\xc2\xb8\xfd\xfc\x42\x3e\xcd\x85\xed\xcc\xf6\x85\x47\xb1\xa9\x06\x76\x4c\x5c\x03\xff\x33\x2b\x56\x3e\xae\xee\xb8\x45\x65\x35\xc6\x1e\x91\x73\x92\xa0\x3d\xfe\x6b\xeb\xf3\xdc\x57\x10\xf9\x32\xb5\x07\xe3\xf0\xcd\xfb\x6a\x9d\xd0\x35\xf0\x6d\xe0\x55\x72\xca\x94\xd8\x5b\xfb\x15\x7e\x68\x44\x8a\xb8\xb0\xc4\xd5\x96\xce\x02\x0d\xad\xef\xce\xae\x68\x15\x3e\x5f\x62\xc5\xc0\x81\x43\xf5\xdb\x49\x7a\xaf\xab\x19\xcd\x33\x0c\x37\x84\xdb\x0a\xde\x50\x5a\x29\x51\x4b\xd1\xe8\xc3\xb9\x2c\x4f\x61\x65\x36\x22\xf8\x75\xec\xac\xc9\xe6\x77\x4a\xde\xca\x1c\xa4\x2f\x63\x7c\x70\x22\x99\xa2\xd3\xf8\x81\xbe\x79\x5b\xba\x9d\xb3\x40\xe4\x80\xaa\x4e\x94\x4d\xec\x20\x21\x6b\x83\x58\x45\x5d\xcf\x8e\xed\x99\x0e\x41\xf3\x37\x64\x42\xb9\xb3\xe0\xd8\x82\x38\x77\x5b\x8b\xea\x3f\x68\x8a\xf1\x85\x39\xb2\xe8\xba\xfa\xac\xc1\xc4\x06\x4e\x9a\xe8\x87\xc6\x9d\xca\x82\xac\xad\xf3\x55\x30\x92\xe7\x87\x97\xa6\x2c\xc8\x34\x44\x1c\x22\x2f\xf2\x26\xea\x32\xd2\x03\xc0\xb1\xfa\xcc\x67\xe6\x30\x71\x6a\x3f\x96\xa0\x77\xe2\x34\x8f\x2b\xe6\xd9\x3e\xc0\x63\x1a\x5e\xf1\xbe\xd4\x10\x61\x19\xd9\x70\xe6\x22\x8f\x01\x69\x89\xa8\xfd\xf0\x1b\xda\x8e\xdd\xfd\x60\x68\xd6\x49\xb3\x95\x6e\xab\x29\xd3\x03\xf1\xfc\x68\x67\xd8\x63\xc8\x7c\x35\x39\xe8\xe9\x9c\xe2\x39\x53\xc2\x5e\xe2\xb0\x98\x57\xd2\xdf\xdd\x4c\x2d\x24\x2b\xd8\x33\xf6\xb7\xf4\xa6\x7c\xde\x78\x63\xd6\x53\xa0\x05\x21\xfa\x68\xce\x23\x1d\x06\x15\xb0\x01\x75\xec\x1f\xca\x37\x7e\x4e\x72\xf7\x8a\x8f\x8f\xbc\xa9\xda\x4f\x40\x8b\xc1\xb7\x99\x97\x1c\x16\xce\x2e\x04\xaa\x24\x32\x79\xef\xcd\xb0\x78\x43\xd2\x55\xeb\x60\x67\xe3\x73\x2b\xcf\xdf\x1c\x17\x17\x8d\x77\xd3\xdf\xf4\x24\xd6\x77\x2e\x39\xae\xc3\xbe\xf9\x59\x2a\x25\xe9\xfb\xb5\x51\x09\x52\xe5\x83\xf5\x34\xa4\xd1\xf
5\x7c\xce\xfe\x84\x55\xf3\x53\xdf\xee\xee\xdc\x8b\x3e\xa3\xd6\xc4\x1f\xf4\x16\x7d\xe5\x14\x55\x30\xf3\xdd\x70\xbc\x89\xfd\xcf\xa8\x63\xd8\xc5\x65\x20\x8d\x32\x72\xb0\x23\x8b\x97\xd9\x5c\x5a\x67\x87\x24\x15\xa2\x7e\xf0\x6f\xa2\x6c\x0f\x72\xb5\x71\xcf\xfb\x76\x23\x69\xc8\x0b\x5f\x33\x2f\x03\xa9\x75\x9f\xec\x50\xd6\x04\xa1\x8a\x69\xfb\x52\x13\x11\xfa\x17\x1e\xa6\xfa\x40\x48\x73\xde\x91\x95\xf8\x47\xd8\x1f\xd4\xba\xe3\xd5\x21\x6d\x6c\x00\xcc\x38\xd5\xc7\x5d\xad\x1e\xf6\x86\xd5\xce\x4a\xcb\xb4\x77\xfb\xf6\xc5\xad\x0b\x26\x9e\x69\x05\x4b\x4a\x59\xdb\x3c\x6e\xb0\xce\xc7\xfb\xdf\x32\xd3\x30\x6c\xeb\x5d\x10\x06\xeb\x7b\xf6\xf0\x70\x12\xb1\x16\xc9\x5f\xbf\xcf\xd9\x9e\x82\xf5\xab\xa8\xeb\xd7\xc7\x90\xc9\xf0\x40\x75\xe2\xbb\x39\x9d\x92\x29\xbe\x4a\x0e\x90\xdc\x1b\x03\x58\xee\xcf\xfa\xda\xeb\xc0\xbd\xc6\xff\x1c\xfd\x00\xdc\xeb\xc0\xa9\x0d\x7b\x96\xc9\x6f\xa5\x52\xdc\x82\x4b\x94\x4d\x95\x1d\xb7\xd2\xb6\xee\x39\x9b\x6c\x1f\x29\x65\xe5\x93\x1c\xea\x56\x1b\x9d\xda\x86\xb5\xe7\xc3\x67\x41\xc0\x4a\x97\xa0\x0b\x06\x95\xa9\xd8\x3d\x62\x9e\xb5\xde\x99\xbf\x8a\xe8\xd7\x55\xf3\x31\xe4\x02\x53\x39\x0a\xbb\x2e\x60\x49\x16\x74\x96\xd5\xca\x37\x56\x3b\xea\xbd\xa4\xf8\x2b\x2c\x9a\x58\xef\xf2\xa5\x8a\x1d\x2f\xbc\x8d\x72\xc1\x88\xd4\xb3\x39\x2b\x9b\x42\x86\xa8\x5f\x5d\xed\x71\x0f\x24\x3b\x24\x83\x2c\x54\x79\x1e\xee\x12\x09\x44\x3f\x07\xf3\x74\xea\x2a\xb6\x14\xd6\xa9\xac\x8b\x09\x81\xc3\x50\x96\x96\xc0\x58\xd3\x2f\x4a\xff\x5a\xf8\xe9\xeb\x22\x53\xed\x4f\x83\xe8\xb4\xf3\x29\x4b\x61\xc9\x0d\x54\xd3\xc3\x5f\x3d\x44\xd5\x5a\x5a\x1f\x55\xba\xc7\xe5\x97\x8b\x63\xfb\xb9\xdf\x0e\x9c\x6b\x15\x4d\x61\x24\xef\x4c\xf6\x3f\xf3\xae\x36\x10\x32\x14\x7f\x9e\xf7\x5f\x9e\xa2\xf4\xb2\x2e\xb1\x36\x93\xe2\x67\xb7\xc4\xf6\x36\x5d\xe5\x36\x86\x11\x8a\x93\x4a\x59\x8b\xa5\xa8\x17\x5e\xe5\x0f\x09\x9a\xa9\xac\xd7\xf2\xe2\xc9\xb0\x5b\x04\x4b\x3b\x06\x1b\xd1\xbb\x3b\x29\x6b\x6b\xf9\x00\xb8\x56\xa6\x44\x8d\x81\x2e\x68\xef\xd3\x1f\xef\xfd\x44\x52\x99\x0c\xd5\xf7\xcc\x02\x58\x8e\xef\xbe\xbb\x9f\x56\xab\x77\xcd\x50\x29\x89\xcd\x1
6\xe8\x9a\x44\x55\x3e\x19\x89\xd4\xdf\xfd\x97\x7b\x53\xea\x8b\x3b\x63\x6d\x62\xbb\xb2\x65\xc4\x28\x0c\xab\x59\xda\xb2\x4f\xbe\x7f\x16\x18\x0d\xfd\xdf\x62\xe4\x82\xed\x8e\xdc\xa2\x7a\x96\x7c\xe5\xfa\xe0\x32\x8b\x64\x03\xce\xe1\x7a\x6d\x63\xac\x71\xa8\xa4\x6f\x6c\xad\xdb\x53\x0c\x6d\x90\x5a\x8b\x6c\x8e\xd8\x9f\x62\x2a\x0c\x0a\x90\x67\x5c\x1f\x8d\x97\x9b\x34\xcd\x1e\x95\x4f\xa9\x15\x4f", 4096); break; case 11: memcpy((void*)0x20001000, "\xc4\x62\x39\x37\x47\x7e\x66\x0f\xe3\x0c\xa4\xf3\x3e\x45\x09\x17\xc4\x61\x78\xae\x91\x72\x98\x00\x00\xc4\x63\xe1\x22\xd6\x96\xc4\x03\x7d\x7b\x05\x0f\x00\x00\x00\x00\xc4\x63\x39\x5f\x47\x3f\xad\xc4\x03\x55\x5d\x3c\x56\x00\xc4\xe2\xb5\x96\xf0\xc4\x21\xfd\x5b\xfb", 65); syz_execute_func(0x20001000); break; case 12: break; case 13: memcpy((void*)0x200010c0, "\x5d\x8d\x97\xaf\xe9\x58\xa6\xb4\x6b\x8f\xef\xfe\x29\xf0\x51\x64\xa8\xee\xd8\xf0\x35\xa6\xc4\xd8\xf6\x97\x21\x06\xc0\xf6\xa0\x43\x0f\x03\x47\xa9\xad\x29\xa9\x40\xd3\xde\x0d\x19\xdd\x63\xc0\x6d\xad\x37\xea\x1e\x10\x5f\xec\x8b\x4d\xbd\xb4\xd7\xf9\x51\x64\xff\x31\x3f\x19\x9a\xaa\x43\x10\x8e\x96\x13\xc1\xe6\x29\x58\xe7\x76\x28\x47\x15\x8e\x87\x26\x92\x4d\xcb\xda\xff\xfd\x2a\x94\x2c\x44\x0d\x0a\x80\x34\x04\x87\xaf\x0e\xb9", 105); memcpy((void*)0x20001140, "\xe2\xf9\x19\x3e\xea\x7f\xea\x62\xb3\x74\xa3\x15\x14\x75\xbf\x3b\xe9\x82\x5d\xbe\x21\xd3\x90\x7a\x6b\xaf\x2f\xcd\xf0\xe6\xdd\x64\xfa\x7c\xcc\xe3\x73\x4b\xa6\x62\x73\xba\x0d\xb7\xe7\x9d\x31\x4b\x54\xd1\x01\x58\xb7\xd4\xa6\x7b\x5e\x26\x4c\xd1\xfe\x32\xc6\xba\xb3\xd0\x3f\xaa\x5b\xd6\x7a\x46\x09\xb4\x8a\x17\xeb\x03\x86\x53\x8a\xfe\x3d\x83\xa4\xf1\x95\x97\x90\x97\x73\xc9\x47\x4f\x1f\x66\x85\xe5\x91\x57\xf5\xc7\x6c\x2d\xe0\x65\xf5\x09\xb7\xa7\xcf\x8e\x62\x9c\xca\x55\x3d\xcb\x44\x45\xa3\x72\x88\x31\x99\xbe\x74\x66\x34\xe8\x57\x26\x6c\x27\x58\xf8\xd5\x8d\xd0\xde\xa4\x57\x79\x02\x04\xfc\x26\xe2\x69\x27\xd5\xbb\xff\x20\xa9\x9a\xed\x0a\x95\xd8\x50\xec\x32\x21\xf4\xf1\xd8\xf1\x3a\x8f\x00\xbe\x13\x51\x9e\xf8\x98\xd3\x9d\x28\x56\x8b\xb7\x89\x4c\x39", 
186); res = syz_usb_connect(0x721, 0x69, 0x200010c0, 0x20001140); if (res != -1) r[5] = res; break; case 14: syz_usb_disconnect(r[5]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'syz_usb_connect_impl': :637:63: error: unknown type name 'usb_ctrlrequest' :642:55: error: unknown type name 'usb_ctrlrequest' compiler invocation: /syzkaller/netbsd/src/../tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor406585855 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/netbsd/src/../dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/12 (1.47s) csource_test.go:121: --- FAIL: TestGenerate/netbsd/amd64/8 (1.48s) csource_test.go:121: --- FAIL: TestGenerate/netbsd/amd64/5 (1.51s) csource_test.go:121: --- FAIL: TestGenerate/netbsd/amd64/7 (1.52s) csource_test.go:121: --- FAIL: TestGenerate/netbsd/amd64/6 (1.55s) csource_test.go:121: FAIL FAIL github.com/google/syzkaller/pkg/csource 10.963s ok github.com/google/syzkaller/pkg/db (cached) ok github.com/google/syzkaller/pkg/email (cached) ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host (cached) ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/generated [no test files] ok github.com/google/syzkaller/pkg/instance (cached) ok github.com/google/syzkaller/pkg/ipc (cached) ? 
github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig (cached) ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ok github.com/google/syzkaller/pkg/repro (cached) ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest (cached) ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer (cached) ok github.com/google/syzkaller/pkg/vcs (cached) ok github.com/google/syzkaller/prog (cached) ok github.com/google/syzkaller/prog/test (cached) ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ok github.com/google/syzkaller/sys/linux (cached) ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd (cached) ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? 
github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci (cached) ok github.com/google/syzkaller/syz-fuzzer (cached) ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state (cached) ? github.com/google/syzkaller/syz-manager [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-imagegen [no test files] ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ? 
github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm (cached) ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated (cached) ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files]