// https://syzkaller.appspot.com/bug?id=a3a35d7c062b555efc476a1feba328553f3d729c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer harness. main() maps a fixed RWX data region and forks
// five workers; each worker (loop()) forks a short-lived child per iteration
// that runs execute_one() -- a fixed bpf(2) call sequence whose arguments are
// written to hard-coded addresses inside that region -- under a 5 s watchdog.

#define _GNU_SOURCE

// NOTE(review): the header names between <...> were lost when this page was
// extracted; each bare #include below stands for one libc/POSIX header.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Fallback for toolchains whose headers predate bpf(2); 321 is the x86-64
// syscall number, so this reproducer is x86-64 specific if it is ever used.
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Worker index (0..4), assigned by the fork loop in main(). Not read anywhere
// in the visible code.
static unsigned long long procid;

// Sleep for `ms` milliseconds. usleep() takes an unsigned int, so very large
// values would wrap; the only caller (loop()) passes 10.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds. There is no error channel in this harness,
// so a failing clock_gettime() simply terminates the process.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// printf-style write of a single string into an existing file.
// Returns false if the file cannot be opened or the write is short; errno is
// preserved across the close() so the caller can still inspect it.
// The formatted text is silently truncated to sizeof(buf) - 1 characters.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0; // redundant with vsnprintf's terminator; harmless
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Force-kill the test child `pid` (and its process group, see setpgrp() in
// setup_test()) and reap it into *status.
// Polls for roughly 100 ms first. If the child has still not exited, every
// FUSE connection is aborted via sysfs -- presumably because a child blocked
// in a FUSE request cannot die until its connection is torn down -- and the
// function then blocks until the child is reaped.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // The byte written is just the first character of the path; any write
      // to the abort node triggers the abort, so the value does not matter.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  // Unrelated children reaped here are discarded; each worker has only one
  // test child alive at a time, so this only ever waits for `pid`.
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-test-child setup, run right after fork() in loop():
//  - die with SIGKILL if the worker goes away (the workers themselves do not
//    set this, see main());
//  - become a process-group leader so kill(-pid) in kill_and_wait() also
//    reaches any further descendants;
//  - volunteer as the first OOM-killer victim.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Worker main loop; never returns. Each iteration forks a child that runs the
// test body once, then polls its status every 10 ms and force-kills it after
// 5000 ms. `iter` is only advanced, never read.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Result slot for the fd returned by the first bpf(2) call; stays -1 if that
// call fails, and is fed back as prog_fd into the second call.
uint64_t r[1] = {0xffffffffffffffff};

// The generated test body: one BPF program load followed by one test run.
// All syscall arguments are written directly to fixed addresses inside the
// 16 MiB region main() mapped at 0x20000000; none of the stores is checked.
void execute_one(void)
{
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // First bpf_attr at 0x20000200 (the call below passes size 0x48): offset 0
  // prog_type = 4, offset 4 insn_cnt = 0xe, offset 8 = pointer to the
  // instruction buffer. With 14 instructions of 8 bytes the kernel is told
  // about 112 bytes; the memcpy copies 2838, the remainder presumably being
  // fuzzer-generated filler. The string literal continues on the following
  // lines.
  *(uint32_t*)0x20000200 = 4;
  *(uint32_t*)0x20000204 = 0xe;
  *(uint64_t*)0x20000208 = 0x20001ac0;
  memcpy(
      (void*)0x20001ac0,
      "\xb7\x02\x00\x00\x00\x00\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07\x03"
      "\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xff\xf8\xff\xf7\xff\x79\xa4\xf0\xff"
      "\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05\x00\x00\x00"
      "\x00\x00\x65\x04\x04\x00\x01\x00\x00\x00\x04\x04\x00\x00\x01\x00\x00\x00"
      "\xb7\x05\x00\x00\x00\x00\xe0\x00\x72\x0a\x23\xfe\x00\x00\x00\x00\x85\x00"
      "\x00\x00\x12\x00\x00\x00\xb7\x00\x00\x00\x00\x00\x00\x00\x95\x00\x00\x00"
      "\x00\x00\x00\x00\x4e\x62\x58\x94\x1c\x82\x3b\x75\x05\x60\x85\x56\xba\x4a"
      "\xba\xbb\x42\x68\x4e\x89\x0d\x31\xae\x45\x04\x00\x37\x3a\x0a\x54\x47\xa8"
      "\x01\xb8\xc1\xc4\xf0\xc4\xbd\x97\xc6\x55\x5e\x61\x34\x54\x00\xf9\xbd\x32"
      "\xab\xeb\x9a\xde\x01\x05\x00\x00\x00\x00\x00\x00\xa2\x19\x02\xff\x07\x00"
      "\x00\x94\xa2\xb5\x1c\x21\xdf\x74\x92\x4f\x54\x36\xa6\xed\x89\xb9\x8f\x75"
      "\xe8\x00\x23\x0c\x49\xc9\x0f\xe1\x33\x64\x81\xf3\xb9\x2a\x63\x33\x6c\x36"
      "\xfc\xd7\x45\xd6\x1d\x77\x39\xc6\x55\x4c\xa2\x01\x00\x00\x00\xbe\xbb\xe8"
      "\x28\x2f\x8b\x1e\x26\x40\x74\x37\xa3\x97\xbf\x8f\x50\xe8\x7e\xd4\xd2\x7a"
      "\xdf\xd8\x76\xbf\xfc\x40\x28\x87\x78\x19\x79\x46\x1c\x43\x63\xbc\x5c\x9b"
      "\x62\x02\xea\x47\x14\x28\x19\x7e\xf8\x8b\xc3\x33\xfb\xce\xc0\xea\x43\x34"
      "\xf1\xdd\xb9\xd6\x79\xae\x95\xa9\x0f\xd4\x1d\x52\x8f\x58\xd3\x05\x00\x00"
      "\x00\x43\x58\x83\xdf\x6c\x10\xce\x86\x18\x8c\x92\x29\x2b\x2d\x02\x26\x08"
"\x29\x60\xbe\x68\x28\x36\xbd\xff\x8b\x09\x71\xf2\xa5\x40\x5e\x45\x32\x28" "\xe7\xb1\x00\x5b\xd7\x34\x79\x35\x8a\x90\xdf\x3e\x48\x19\x47\xde\x64\x53" "\x73\x6a\xa5\x72\x15\x8a\xf6\xea\x63\xd6\xd4\x18\xfb\xbd\x2b\xba\x05\x00" "\x00\x00\x1d\xa0\x00\xef\x78\xdf\x03\x00\x00\x00\xd1\x99\x13\xa5\xfb\x03" "\xc7\x9d\xac\x2e\x48\x9f\x68\x12\x78\x92\x65\x81\x15\xe7\xff\xb5\x88\xa7" "\x1d\xff\xff\xff\x95\x1b\x85\x35\x16\x7a\xb8\x06\x9a\x2c\x92\xa3\xaa\x18" "\xe2\x25\x17\x00\x00\x26\x63\x7b\x4c\x34\xbf\x2d\x0a\xa3\x04\xed\x42\xbf" "\x70\x48\x0e\x9e\x97\x20\x3f\xd1\x69\x41\x1f\x37\xfd\xdd\x1f\x7f\xbe\x16" "\xdb\xbc\x0f\x30\x7b\xce\xb5\x06\x4f\x38\x8a\x03\x50\xc3\xdc\x92\x8b\x0e" "\x63\x8b\x1e\x2b\x2a\x9d\x25\x26\x42\x33\xe5\xd4\x5e\xb3\x77\xf5\x6b\x95" "\x24\x10\x24\xdb\xe3\x0f\x67\x19\x1c\x2b\x56\xb7\x03\x28\xd6\xd3\x21\x5d" "\xff\xfe\x5d\x89\xaf\x1d\x10\x59\x9b\xd4\x94\xd9\x21\xd1\xfb\x2d\xb9\x9b" "\x6a\xba\x0f\xa9\x78\xf4\x1e\xb1\xd4\xc5\x53\xe5\xa9\x32\x6e\xd5\x50\xc1" "\x3f\x8d\xd3\x67\x16\xa8\x99\xa1\xe7\x92\x34\x29\x47\x07\xc5\x31\x2b\x92" "\x4d\x14\x2c\x17\xb2\x0b\xb8\x0e\xe2\x02\x22\x2c\x03\xfa\x84\xcc\xc3\x74" "\xe7\x17\xf6\x94\x01\x86\x30\x36\x63\x97\x26\x60\x90\xa8\x23\x43\xae\xdf" "\xbf\x7a\xfe\x89\x23\x90\xc2\xeb\x77\x5b\x0d\x16\x07\x3d\xa2\x22\x99\x58" "\xdb\x05\xde\x7d\xf6\xab\x76\x00\x00\x40\x00\x01\x00\x00\x00\x6d\x80\x81" "\xcb\x3b\xf2\x51\xd9\x06\xc0\x0d\xa0\xe2\x3b\x50\x46\x5f\x83\x94\x82\x0b" "\xe5\x71\xe3\x59\x2d\x00\x00\xc7\xef\x10\xfd\xc4\x62\xe7\x04\x0e\x70\x74" "\xec\x43\xaa\x46\x1f\xc5\x44\x01\xa7\x64\x06\xdb\x71\x8d\x4e\xfd\x6c\x1b" "\xd1\x0c\xe1\xd0\x87\xcf\x9b\xba\x46\x11\x62\x55\x5a\x95\x52\x4c\x84\xdf" "\x09\x52\xd3\x20\x93\x08\x2b\x7a\xa7\x13\x04\xe0\xd2\xd9\xec\x31\x0d\x1b" "\x67\x6b\x37\x8a\x58\x79\xe4\x79\x41\xde\x1a\x28\xc3\xa8\xf4\x00\x00\x00" "\x00\x00\x00\x00\x00\x0e\x03\x2b\x7d\x2b\xad\xd0\xbc\x66\x17\xa8\x59\xb7" "\xac\x27\x3b\x63\x04\x55\x5f\x66\x44\x69\xce\xc1\x52\x03\x0f\x06\xcc\x0c" 
"\xa1\x76\x58\x38\xeb\x55\x90\x26\x47\x36\xfb\xcc\xfc\x3a\x8f\x4e\x3b\x10" "\xda\xf6\xa2\x75\xda\xf5\xdb\x2d\xac\x70\x96\xfe\x8a\xc8\x87\x6a\xca\xad" "\x04\x36\x63\xb3\xb0\xfe\xdb\x05\xe6\xd3\x14\x08\xfa\x20\x14\x0c\x9d\x2d" "\xb1\xc5\x9a\xc8\xa3\xce\x28\xe4\x89\xd6\x7d\x87\xd3\xa1\x07\xcc\xea\x30" "\x07\xf5\x8f\x2c\x50\x17\xe8\x80\x71\x07\xf7\x9a\xc5\x0c\xc1\xd4\xf5\x46" "\xb4\x44\x3d\x13\x7e\xb7\x06\xb7\x1b\x17\x67\xa1\x0c\xca\x7a\x7c\x82\xb7" "\x6c\x96\xe8\x74\xaf\xf2\x49\xf3\x63\x29\xa6\x52\x6b\x35\x4b\x6e\x67\x4b" "\x08\xf7\xef\x49\x2b\x80\x4c\x4b\x08\xfb\x10\xde\x80\x7d\x79\xfd\x78\x20" "\x27\x31\x8c\xd7\x63\x2e\x22\xd2\xfa\xa1\x62\x09\x27\x2b\x39\xb5\xec\x8d" "\x23\x98\x32\xea\x02\xcc\x88\xe2\x49\xa2\xe7\x77\x53\xa5\x89\x87\x54\x75" "\x71\xfb\xc8\xde\x74\x7f\xaa\xb7\x24\xbe\xbb\x64\x01\x41\x2b\x49\x6e\x07" "\x8f\xcb\x6c\x78\xab\x44\x7e\x87\x1b\x76\xa8\xb0\x50\x6f\x49\x59\x4a\xa1" "\xd6\x10\x56\x7e\x14\xd7\x39\xa6\x0f\xf3\xce\x04\xd0\xd2\xe5\x68\x1e\x78" "\x7c\x7e\x1a\xd2\x54\x67\xbb\x81\xf2\xf4\x40\x12\x82\x07\xfe\x07\xa8\x37" "\x59\xec\x30\xcf\x9e\x0a\x3f\xd3\xf2\xfc\xee\x97\xfe\x8d\x27\x3f\x8e\x71" "\x2a\x8a\x64\xea\xf2\xd8\x9a\x1f\xa4\x45\x54\x35\x7f\xcd\x7a\xb5\x31\xff" "\x7a\x41\xc2\x71\x64\xfc\xa4\x30\xa6\x2d\x01\x5b\x47\x7d\xe6\x18\x53\xf5" "\xee\x2e\x25\xb0\x0a\x63\x64\x2e\xc3\x2e\xce\x2f\xf3\xbb\x58\x83\xde\xb8" "\x95\xf5\x2a\x92\x3b\x5c\x74\x4d\x8d\xcc\xdd\x6a\x09\xde\xd8\xb9\x0f\x1e" "\xed\xa8\xe6\xe8\x84\xa4\xf0\x90\xed\xb6\xab\x9f\xc8\x10\x78\x46\x50\x8d" "\x51\xf3\x73\x54\x93\xd5\x86\x0c\xf8\x02\x00\xce\x31\xb9\x2e\xb3\x56\x3d" "\x48\x5b\x5a\x7d\x19\x20\x92\xd7\xa9\xfd\x2b\xc6\x7d\x30\x5d\x1d\x45\x73" "\xaa\xd5\xf6\x50\x1d\x1c\xd2\x76\x57\xce\x17\x33\x04\x02\xda\xcb\x78\xd7" "\x2d\x77\x63\x30\x71\x16\x45\xee\xd7\xd4\xc2\x92\xf4\x44\x87\x33\xc0\x82" "\x6c\x4e\xb9\x50\xf3\xd4\x04\x53\xf8\x2d\x7f\x79\x2d\x10\x65\x18\xf6\xbd" "\xe8\x74\xaf\xf9\xe2\xbe\xa7\xd7\x3f\x74\xbe\xbe\xea\xcf\xc7\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\xd4\x0d\x73\xbe\x47\x80\x32\x97\xdb\x00\x42" "\x64\xc8\xc7\x0b\x77\x61\xb2\x2a\x71\x14\xa0\x78\xa8\x7d\x63\xd6\x3b\x0c" "\x9d\xcc\x26\x3a\x5b\x77\x3b\xfe\xba\x21\x2a\xbe\xf4\x18\x1a\xd9\xe4\x87" "\x2e\x32\x8c\x0f\x10\x5d\x51\xe3\xd1\x67\xa2\xb7\x17\x05\x1d\x76\x81\xba" "\x04\x55\x2e\xeb\xa1\x8a\x00\x00\x00\xb2\x2b\x50\xd7\x6d\x85\x04\x0c\x90" "\x00\xea\x68\xa5\x28\x04\x9a\x60\xd5\xe2\x6b\x20\x45\x51\x94\xf4\xbe\x3b" "\x84\x66\xfd\x66\xd0\xe6\xce\xfc\xff\x78\x91\xc4\x85\xd6\x1c\xb6\x6f\x40" "\x76\xcd\x60\xa2\x27\x33\xcb\x00\xcf\x7c\xc1\x2c\xa7\xd9\xbb\x86\x4c\x0e" "\x65\x02\x36\xa7\x9a\x5c\x85\x34\x9a\x9b\x1e\x6b\xbc\x3b\xac\xe1\x97\xe7" "\x24\x90\xc5\x66\x43\x1c\xd3\xa0\x8e\x9d\x1b\x64\x1c\x1b\xa1\xf6\x61\xd0" "\x15\x73\xb9\x04\xc3\xfa\x14\x27\x37\x0f\xa1\x5c\xec\xd2\x94\xac\x21\xfe" "\xfe\x3d\x16\x1f\xdf\x58\xe8\xbc\x59\x57\xef\x14\x58\x39\xf4\x37\x01\x76" "\xe1\xbe\x88\xd2\xe3\x51\x6a\x19\x98\xc1\x62\x1a\x00\xb4\x43\x8b\x85\xa4" "\xdf\xee\x6f\x61\x82\x7a\x1e\x50\xe1\x58\x03\x8b\x03\x7d\xfd\xa3\xff\xb3" "\x50\x69\xe4\x1f\xc7\x40\xae\x72\x08\x00\xde\x53\x94\x8f\x17\x6c\x3c\x15" "\xf3\xa5\x29\xc0\x24\x34\xb9\x20\xd8\x7f\x12\xa6\xe3\x42\x0a\x2f\xdc\xb3" "\x55\x9e\x7a\x5b\x1d\xdb\xb0\x6b\x7a\x59\x77\xf6\x3b\xfa\xc7\x01\xe6\x73" "\xbf\x62\x6d\x12\x6b\x21\x3c\x92\xe7\x16\x9a\x93\x0b\xeb\x8d\x76\xf9\xdb" "\x34\xe8\x09\x8b\xea\x30\x1b\xaa\x96\x91\x6d\x64\x58\xc9\x23\x86\x6d\xc1" "\x92\x92\x8b\x32\x07\x38\xd1\xb2\x98\xfb\x55\xf2\xa6\x45\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x98\x85\xa3\x8d\x9d\x99\x5a\x46" "\x81\x7e\x7f\xf7\xac\xdd\xcc\x5f\x92\x53\xc6\x3f\x86\xba\xf3\x3f\x92\x82" "\x0c\x9f\xf4\x97\xcf\x76\xb6\x48\x2c\x3a\xb5\x3f\xb6\xec\xea\x6d\x22\x0b" "\x91\xb9\x9b\x2f\xb4\x27\x9a\xb0\x9a\xe0\x64\x5a\xb9\x2d\xf3\x09\x00\x00" "\x00\x00\x00\x00\xa4\x86\x84\x11\x94\x8f\x8e\x3e\x25\x9f\x71\x7d\x72\x2a" "\x1e\xeb\xd3\xf6\x86\x0a\x17\xf1\xae\x9e\x10\xa1\x17\x8f\x6a\xef\x49\x51" 
"\xb1\x92\xd1\x3e\x96\x00\xc1\xf7\x00\xca\x7b\x1d\x12\x7e\x45\x10\x34\x46" "\x9b\xf2\xa8\xf9\x3d\xba\xe6\xad\x8e\x93\x2e\x43\x1d\xc1\x83\x23\x79\x41" "\x56\x23\x86\x25\xbb\x9c\x45\xc5\xa7\x6a\x68\xa8\x64\x6e\x70\x1b\x29\xa7" "\x1f\xfb\xd8\x54\xf5\x0f\x19\x58\x33\x10\x6a\x56\x25\xff\x94\x22\x1f\x1f" "\x04\xc7\x25\x25\xb5\x0a\xae\x69\x08\x1d\xe9\x62\x6d\xe9\x84\x7b\xf5\x34" "\x75\xd9\x06\x42\xd9\x73\x01\x01\xd8\x0b\x1b\x00\x00\x00\x00\x00\x00\x00" "\x00\x82\x2b\x06\x41\x69\x8d\x60\x16\x0d\x91\x57\x54\x83\x02\xdd\x26\x36" "\xd1\x2c\x43\x1f\x96\x72\x8a\xe4\xa4\x53\x61\xe6\xd4\x7a\x1c\x4a\x52\xd6" "\x7c\x0f\x0a\x62\x58\x5c\x09\xfc\xfd\x70\xd0\xf2\x49\xf8\x7c\x44\xb4\x72" "\x83\xc1\xc6\xf2\x43\x0d\x70\xc7\x51\xe4\xad\xa9\xb6\x46\xe6\xe7\xc1\x71" "\x9f\xae\xe4\x76\xd8\x8a\x29\x43\xc7\x1a\x21\xda\x55\xb7\x49\x7d\xd7\xed" "\x38\x5a\xc2\xe8\xcb\x91\x63\x90\xa3\xa0\xed\x52\xe7\x37\x1e\x1a\x14\x1e" "\x69\xaf\xa0\x7b\x46\xac\x20\xf3\x52\x1f\xb2\x51\xb7\x2c\x82\xee\x1c\x7e" "\xb4\xf6\x7c\x0d\xee\xd5\x61\x8d\x0d\xb9\x25\xce\x7a\x7c\x50\xa9\x98\x35" "\x54\x4c\x54\x0f\x5d\x52\x85\x87\xd1\xa2\x6e\x78\xdf\x1b\xc9\xa8\xe4\xd9" "\x0c\x57\xd0\xb8\x12\x2e\xae\x7b\x23\xe4\x45\x66\x24\xf5\x33\x7c\x16\xc4" "\x26\x48\xc7\xa3\xd0\xb7\x99\xad\x40\x9b\xef\xe0\xcb\xe2\xaa\x78\x1b\xa8" "\x26\x91\x8d\xf7\xaa\x80\xdf\xf4\xf6\x22\x58\xe5\x44\x19\x62\x9e\xb1\xd3" "\x7d\xe7\xf6\xa3\x51\x2b\xd6\x18\x78\x1d\x1a\xd3\xa4\xd4\xb0\xda\x44\xdf" "\x9f\x9a\x93\xf0\x48\x7f\x79\xa9\xb1\x6d\xfa\x6f\x68\xb0\x6c\xe6\xa9\x6c" "\xa3\x44\xd1\x94\xcd\xed\x05\x70\x2c\x23\x00\xd1\xa4\xf4\x51\xb3\x38\x30" "\x76\x5f\x81\x31\xf6\xc2\x8f\xad\xa6\x57\x01\x85\x1b\xba\x08\x9b\x8a\x83" "\x47\x90\x0e\x72\xd6\x8c\xea\x96\x5f\xeb\x6a\x06\x22\x5d\xd3\xf0\xe1\x35" "\x32\x3a\x5b\xde\x3b\x43\xc9\xd2\x42\xb7\x3a\xbf\x9e\x05\x33\x6a\xf0\x40" "\xa4\xa6\xbb\x59\x18\x14\x63\x93\xf1\xd5\x07\x05\xc1\xd1\xe9\x86\xbf\x2f" "\x69\x0d\xe5\x1e\xe8\x72\x7d\x37\x33\x9d\xf5\xfc\x1d\xb5\x35\xbb\x1e\x9b" 
"\xb3\xe5\xda\xdb\x6e\x5a\x2b\xb4\xfa\xa2\xdc\xbc\x6c\xa9\xb4\x0a\xc9\x6e" "\x44\x8b\x9d\xad\xeb\x08\xfc\x2c\xf3\xa9\x60\xf2\x2b\xf2\x0b\x9e\x96\x7b" "\x7a\x75\x68\x73\x72\xb8\xe3\xed\xc5\x43\x89\x6c\x36\x06\x74\xd9\x01\xa7" "\xf5\x6b\x07\xba\x14\x79\xb4\x6e\xea\x3d\x94\x02\x6a\x9c\x7e\x67\x0a\xb4" "\x0b\xb2\xc1\xca\x1a\x7c\x90\x29\x93\x61\x23\x9b\xef\x77\x31\x40\xaf\x97" "\x4c\x7e\xfc\x28\x5a\x64\x63\x3d\x21\x51\x34\x81\xb3\xac\x62\xde\xc9\xfa" "\x3e\x8c\xe6\x15\x6d\x76\xb8\x2b\xaa\x14\x5b\xc5\x50\xb0\xcc\xbc\x09\x34" "\xcc\xfe\xa4\x52\x92\xca\xa2\xf0\x65\x4f\xe1\x8d\xc0\x66\x9a\x4f\x2a\xf9" "\xfa\x23\x2a\x29\x3a\xd9\x42\x61\xf5\x56\x75\xcc\x68\x6d\xb7\x27\x83\xa6" "\xba\xcc\x0d\xf6\xa1\xea\x94\x3a\xe2\x66\xaf\x11\x2f\x35\x31\x99\x80\xcd" "\x68\x18\x11\xa3\x69\xe0\xd0\x3c\xf7\xd2\x2b\xed\x7c\xbe\x1a\xfe\x49\x8b" "\x88\x94\x2b\x1b\xf7\xed\xae\x44\x1a\x0d\x0d\x88\xfc\xe6\x5c\xb4\xe8\x48" "\x79\x3a\x28\xcb\xd7\x37\x3f\x6a\xcd\x3b\x5a\x48\xc0\x34\xe4\x87\x75\x03" "\x88\x92\x9d\x37\xfa\x31\x65\xf2\x05\xda\xb3\xbe\x5f\x3e\x57\x81\xa8\x42" "\x98\x68\x7c\xbf\x02\xdc\xaf\x0e\x14\xa2\xb2\x60\x29\x3f\x34\x9d\x07\x6e" "\xb7\x5a\x2d\xdc\x53\x82\xd1\x06\xf0\xbe\xea\x02\xaa\x45\x01\x8f\xe3\x6d" "\x11\x76\xcf\x77\x04\x38\x3b\x69\x22\xd1\x0d\xc9\xfe\xca\x39\x82\xae\x23" "\x2d\x4b\xb4\x7c\x72\x2c\x83\xa7\xcf\x6e\xe8\x83\x2f\x03\x8b\x07\x2e\xb8" "\x03\xa4\x7c\xd7\xf7\x53\xe8\x0c\x9f\x6e\xed\xb8\x9e\xe1\xc9\x53\x61\xde" "\xbf\x58\xf6\x71\x17\x0c\xfa\x57\xfb\x0c\x9c\xba\xd5\xc7\x02\x44\xa2\xb6" "\xde\x20\x62\xcb\xd1\xba\x2c\x85\xf7\x36\x89\xd3\xff\xcd\x37\x02\x2a\xb9" "\xfc\xab\xd1\x7f\xd4\x0b\xfd\x31\x60\x88\xdf\xfe\x92\x72\x80\x16\xec\x5c" "\x72\xe2\x1d\xa5\x2d\x09\xf8\x49\xab\x4a\x4b\x2d\x9b\x47\x99\xba\xb3\xa6" "\xd7\xf2\xba\x57\xe1\x00\xe7\xff\xec\x0b\xd4\xc0\x65\x9e\xba\xf7\xb2\x25" "\xed\xaa\x0a\xf3\xf5\xaa\x99\xd1\x55\x1d\x34\xb2\xd2\xfa\xf0\x97\x1d\xbe" "\x85\x21\x42\x08\x8b\x1c\x9b\x05\x2e\x11\x77\xc4\x73\x65\xd9\x50\xe2\x2c" 
"\x2b\x04\x28\x3f\x62\xfe\xc3\x18\x37\xb5\x06\x8d\xab\x60\xc5\xc2\xc1\x54" "\x7a\xcd\x52\xab\x5e\x5c\xde\x41\xd2\x45\x63\xb0\x5e\x22\x3e\x2a\xaf\xe2" "\xc5\x5b\xa3\x00\x1d\x12\xe4\xde\x86\x59\x74\x87\xe9\x9c\x3b\x2b\xf1\x93" "\xd7\xd6\xd0\x82\x14\x81\xc1\x6f\xd7\xce\xce\x5d\xf2\x56\x71\x82\xca\x1a" "\xd6\x02\x80\x28\xbf\x9f\x72\xd5\x03\xb3\xd7\x0e\x1c\x3c\x4b\x5e\x73\xac" "\x28\x6a\xbb\x2b\x3b\x06\x9f\x2c\xcd\xa4\xc6\xa7\xa3\x75\x93\x02\xb0\x20" "\x34\xe8\x21\x7b\x4e\xcd\xb9\xf1\x11\x8a\x41\x17\xfd\x49\xd5\x46\x7a\x84" "\xb7\x0f\xae\x67\x5a\xf1\x18\xbd\x88\x5e\xe7\x79\x87\x82\x76\x54\x38\xca" "\xaf\x69\x85\x6e\x23\x6b\xf4\xb3\x7b\xff\x5f\x97\x1d\xf3\xfd\x5e\x03\xa9" "\xea\x39\xd5\x39\x7b\x4e\x5c\x5a\x0d\x7e\xac\xf2", 2838); *(uint64_t*)0x20000210 = 0x20000340; memcpy((void*)0x20000340, "syzkaller\000", 10); *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint64_t*)0x20000220 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; memset((void*)0x20000230, 0, 16); *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = -1; *(uint32_t*)0x2000024c = 8; *(uint64_t*)0x20000250 = 0x20000000; *(uint32_t*)0x20000000 = 0; *(uint32_t*)0x20000004 = 0; *(uint32_t*)0x20000258 = 0x1d4; *(uint32_t*)0x2000025c = 0x10; *(uint64_t*)0x20000260 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = -1; *(uint32_t*)0x20000274 = 0; *(uint64_t*)0x20000278 = 0; *(uint64_t*)0x20000280 = 0; *(uint32_t*)0x20000288 = 0x10; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000200ul, /*size=*/0x48ul); if (res != -1) r[0] = res; *(uint32_t*)0x20000040 = r[0]; *(uint32_t*)0x20000044 = 0x300f000; *(uint32_t*)0x20000048 = 0xe; *(uint32_t*)0x2000004c = 0; *(uint64_t*)0x20000050 = 0x20000080; memcpy((void*)0x20000080, "\x00\x69\xc2\x70\x4a\xde\x28\xed\xdb\x00\x00\x20\x00\x00", 14); *(uint64_t*)0x20000058 = 0; *(uint32_t*)0x20000060 = 0x48b8; *(uint32_t*)0x20000064 = 0; 
// Remaining fields of the second bpf_attr (built at 0x20000040 above). The
// call below passes size 0x48, so the kernel reads [0x20000040, 0x20000088).
  *(uint32_t*)0x20000068 = 0;
  *(uint32_t*)0x2000006c = 0;
  *(uint64_t*)0x20000070 = 0;
  *(uint64_t*)0x20000078 = 0;
  // NOTE(review): the input-data pointer stored at 0x20000050 above is
  // 0x20000080, i.e. inside this same attr block. The three zero stores below
  // therefore overwrite the first 12 of the 14 bytes memcpy'd to 0x20000080;
  // since the copied bytes 12-13 are already 0, the input buffer the kernel
  // sees is effectively 14 zero bytes.
  *(uint32_t*)0x20000080 = 0;
  *(uint32_t*)0x20000084 = 0;
  // Offset 0x48: one past the size passed below, so never read by the kernel.
  *(uint32_t*)0x20000088 = 0;
  // cmd 0xa is BPF_PROG_TEST_RUN (uapi/linux/bpf.h); the program fd comes
  // from r[0] and the return value is ignored -- the crash, if any, happens
  // inside the kernel during this call.
  syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x20000040ul, /*size=*/0x48ul);
}

// Entry point: lay out the fixed address space the generated program writes
// to, then fan out into 5 long-running workers.
int main(void)
{
  // One inaccessible page (prot 0) directly below the data region.
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  // 16 MiB RWX region at 0x20000000: every hard-coded store in execute_one()
  // lands here, which is why those addresses can be fixed at generation time.
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  // One inaccessible page directly above the data region.
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  const char* reason;
  (void)reason; // generator leftover, never used
  // Five workers, each running loop() forever (loop() never returns, so a
  // child never reaches the sleep() below). A failed fork() is not detected:
  // -1 != 0 simply skips that worker.
  for (procid = 0; procid < 5; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  // Parent idles for ~11.6 days. Only the test children set
  // PR_SET_PDEATHSIG (in setup_test()); the workers would survive the parent.
  sleep(1000000);
  return 0;
}