// https://syzkaller.appspot.com/bug?id=8b60f6d13ec22648c4754e1175013888de3ff35e
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer summary (from the code below): map a fixed scratch region, open
// "/dev/mdctl", fill a 0x1c0-byte argument block at 0x200000000a00 with fixed
// values, and pass it to a single ioctl on that descriptor. The linked
// syzkaller report, not this file, describes the resulting kernel failure.

#define _GNU_SOURCE

// NOTE(review): the header names of the ten #include directives below were
// lost when this page was extracted, so the file does not compile as shown.
// The visible code relies on declarations normally provided by <stdint.h>
// (uint32_t, uint64_t, intptr_t), <string.h> (memcpy), <unistd.h> (write,
// syscall) and <sys/syscall.h> (SYS_*); the remaining headers cannot be
// recovered from this page.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Resource slot for the descriptor returned by openat(). It starts as the
// all-ones sentinel and is only overwritten when the open succeeds.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Create the scratch region that every hard-coded pointer below refers to.
  // The return value is not checked: the memcpy and the stores that follow
  // assume the mapping exists at exactly this address.
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // Unused generator scaffolding; the cast only silences the unused warning.
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  // Progress marker on stdout. The empty if consumes the return value
  // (presumably to avoid an unused-result warning); failures are ignored.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // Place the device path (11 bytes including the terminating NUL) at the
  // start of the scratch region and open it. The fd argument
  // 0xffffffffffffff9c is -100 as a signed value (AT_FDCWD), and flags 0
  // requests read-only access.
  memcpy((void*)0x200000000000, "/dev/mdctl\000", 11);
  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000000ul, /*flags=*/0ul, /*mode=*/0ul);
  // On failure r[0] keeps the sentinel and the ioctl below is still issued
  // with it; there is no early exit.
  if (res != -1)
    r[0] = res;

  // Build the ioctl argument at 0x200000000a00. The stores cover offsets
  // 0x000..0x1bf, i.e. exactly the 0x1c0 bytes encoded in the command word.
  // NOTE(review): the 4/4/4/(pad)/8/8/4/4/8/4/4/8 store widths of the first
  // 0x40 bytes look like FreeBSD's struct md_ioctl (version, unit, type, file
  // pointer, media size, sector size, options, base, fwheads, fwsectors,
  // label pointer) — confirm against sys/mdioctl.h before relying on it.
  *(uint32_t*)0x200000000a00 = 0;
  *(uint32_t*)0x200000000a04 = 2;
  *(uint32_t*)0x200000000a08 = 2;
  *(uint64_t*)0x200000000a10 = 0;
  *(uint64_t*)0x200000000a18 = 0x10002;
  *(uint32_t*)0x200000000a20 = 0x1000;
  *(uint32_t*)0x200000000a24 = 6;
  *(uint64_t*)0x200000000a28 = 0;
  *(uint32_t*)0x200000000a30 = 0;
  *(uint32_t*)0x200000000a34 = 0;
  *(uint64_t*)0x200000000a38 = 0;
  // Offsets 0x40..0x1bf: 32-bit words with mostly zero and a few arbitrary
  // fuzzer-chosen values. NOTE(review): presumably the structure's trailing
  // padding array — confirm.
  *(uint32_t*)0x200000000a40 = 2;
  *(uint32_t*)0x200000000a44 = 0;
  *(uint32_t*)0x200000000a48 = 0;
  *(uint32_t*)0x200000000a4c = 0;
  *(uint32_t*)0x200000000a50 = 0x1ff;
  *(uint32_t*)0x200000000a54 = 0;
  *(uint32_t*)0x200000000a58 = 0;
  *(uint32_t*)0x200000000a5c = 6;
  *(uint32_t*)0x200000000a60 = 0;
  *(uint32_t*)0x200000000a64 = 1;
  *(uint32_t*)0x200000000a68 = 0;
  *(uint32_t*)0x200000000a6c = 0;
  *(uint32_t*)0x200000000a70 = 3;
  *(uint32_t*)0x200000000a74 = 0x4f6;
  *(uint32_t*)0x200000000a78 = 0xfffffffb;
  *(uint32_t*)0x200000000a7c = 4;
  *(uint32_t*)0x200000000a80 = 0;
  *(uint32_t*)0x200000000a84 = 0;
  *(uint32_t*)0x200000000a88 = 0xa;
  *(uint32_t*)0x200000000a8c = 0;
  *(uint32_t*)0x200000000a90 = 0;
  *(uint32_t*)0x200000000a94 = 0;
  *(uint32_t*)0x200000000a98 = 0;
  *(uint32_t*)0x200000000a9c = 0;
  *(uint32_t*)0x200000000aa0 = 0x46c;
  *(uint32_t*)0x200000000aa4 = 0;
  *(uint32_t*)0x200000000aa8 = 0;
  *(uint32_t*)0x200000000aac = 0;
  *(uint32_t*)0x200000000ab0 = 0;
  *(uint32_t*)0x200000000ab4 = 0;
  *(uint32_t*)0x200000000ab8 = 0;
  *(uint32_t*)0x200000000abc = 0;
  *(uint32_t*)0x200000000ac0 = 0;
  *(uint32_t*)0x200000000ac4 = 3;
  *(uint32_t*)0x200000000ac8 = 4;
  *(uint32_t*)0x200000000acc = 0;
  *(uint32_t*)0x200000000ad0 = -1;
  *(uint32_t*)0x200000000ad4 = 0;
  *(uint32_t*)0x200000000ad8 = -1;
  *(uint32_t*)0x200000000adc = 0;
  *(uint32_t*)0x200000000ae0 = 2;
  *(uint32_t*)0x200000000ae4 = 0x10;
  *(uint32_t*)0x200000000ae8 = 0;
  *(uint32_t*)0x200000000aec = 0x8000;
  *(uint32_t*)0x200000000af0 = 0;
  *(uint32_t*)0x200000000af4 = 0;
  *(uint32_t*)0x200000000af8 = 0x200;
  *(uint32_t*)0x200000000afc = 0x7f;
  *(uint32_t*)0x200000000b00 = 0;
  *(uint32_t*)0x200000000b04 = 0;
  *(uint32_t*)0x200000000b08 = 0x200;
  *(uint32_t*)0x200000000b0c = 0;
  *(uint32_t*)0x200000000b10 = 0;
  *(uint32_t*)0x200000000b14 = 0;
  *(uint32_t*)0x200000000b18 = 0;
  *(uint32_t*)0x200000000b1c = 0;
  *(uint32_t*)0x200000000b20 = 0;
  *(uint32_t*)0x200000000b24 = 0;
  *(uint32_t*)0x200000000b28 = 0;
  *(uint32_t*)0x200000000b2c = 0;
  *(uint32_t*)0x200000000b30 = 0;
  *(uint32_t*)0x200000000b34 = 0;
  *(uint32_t*)0x200000000b38 = 0x2000;
  *(uint32_t*)0x200000000b3c = 0x481;
  *(uint32_t*)0x200000000b40 = 0;
  *(uint32_t*)0x200000000b44 = 4;
  *(uint32_t*)0x200000000b48 = 0;
  *(uint32_t*)0x200000000b4c = 0;
  *(uint32_t*)0x200000000b50 = -1;
  *(uint32_t*)0x200000000b54 = 0;
  *(uint32_t*)0x200000000b58 = 0;
  *(uint32_t*)0x200000000b5c = 0x54;
  *(uint32_t*)0x200000000b60 = 8;
  *(uint32_t*)0x200000000b64 = 0;
  *(uint32_t*)0x200000000b68 = 0;
  *(uint32_t*)0x200000000b6c = 0;
  *(uint32_t*)0x200000000b70 = 0;
  *(uint32_t*)0x200000000b74 = 0;
  *(uint32_t*)0x200000000b78 = 0;
  *(uint32_t*)0x200000000b7c = 0;
  *(uint32_t*)0x200000000b80 = 0;
  *(uint32_t*)0x200000000b84 = 0;
  *(uint32_t*)0x200000000b88 = 0;
  *(uint32_t*)0x200000000b8c = 0;
  *(uint32_t*)0x200000000b90 = 1;
  *(uint32_t*)0x200000000b94 = 0;
  *(uint32_t*)0x200000000b98 = 0;
  *(uint32_t*)0x200000000b9c = 0;
  *(uint32_t*)0x200000000ba0 = 0xfffffffc;
  *(uint32_t*)0x200000000ba4 = 0;
  *(uint32_t*)0x200000000ba8 = 0x40000;
  *(uint32_t*)0x200000000bac = 0;
  *(uint32_t*)0x200000000bb0 = 0;
  *(uint32_t*)0x200000000bb4 = 9;
  *(uint32_t*)0x200000000bb8 = 0;
  *(uint32_t*)0x200000000bbc = 0;

  // Issue the ioctl under test with the block built above as its argument.
  // Under the BSD ioctl encoding, 0xc1c06d00 decodes as direction in+out,
  // parameter length 0x1c0, group 'm' (0x6d), command number 0.
  // NOTE(review): this appears to be MDIOCATTACH — confirm against
  // sys/mdioctl.h. Every field the driver reads comes from this
  // caller-controlled block, so triage should focus on how the handler
  // validates it. The result is discarded and the program always exits 0.
  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc1c06d00ul,
          /*arg=*/0x200000000a00ul);
  return 0;
}