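// https://syzkaller.appspot.com/bug?id=f3b3fca5a52e0b446566a7c3372a49b89c97ff82
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// What this reproducer exercises (read off the syscalls below):
//   1. opens the sw_sync debugfs node twice (two independent handles),
//   2. creates one fence per handle (ioctl 0xc0285700),
//   3. merges the first fence with the second (ioctl 0xc0303e03),
//   4. queries file info on the merged fence (ioctl 0xc0383e04).
// The kernel crash signature is not part of this file; see the bug link above.
//
// Triage caveats:
//   - Needs a kernel built with CONFIG_SW_SYNC, debugfs mounted at
//     /sys/kernel/debug, and permission to open the node (debugfs is
//     normally root-only). sw_sync is a test/debug facility, so kernels
//     built without it do not expose this path.
//   - No syscall result is checked beyond capturing fds. If the open fails,
//     r[] keeps its -1 sentinels, the later ioctls act on an invalid fd, and
//     the program still exits 0. A clean exit therefore says nothing about
//     whether the kernel is affected; confirm from the kernel log (dmesg).
//
// NOTE(review): the operands of the eight #include directives were lost in
// this copy. They are restored to the header set syzkaller normally emits for
// a plain reproducer -- confirm against the original on the bug page.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Resource table: r[0]/r[2] = sw_sync fds, r[1]/r[3] = fence fds,
// r[4] = merged fence fd. All start as -1 (invalid fd).
uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // Fixed scratch arena at 0x20000000 (16 MiB, prot 7 = RWX) with a
  // PROT_NONE page on either side. 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  intptr_t res = 0;

  // First sw_sync handle. 0xffffffffffffff9c is -100, i.e. AT_FDCWD.
  memcpy((void*)0x20000000, "/sys/kernel/debug/sync/sw_sync\000", 31);
  res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0ul, 0ul);
  if (res != -1)
    r[0] = res;

  // 0xc0285700 decodes as _IOWR('W', 0, 40 bytes), which matches
  // SW_SYNC_IOC_CREATE_FENCE. Argument at 0x20000040:
  //   +0x00 u32 value = 0, +0x04 char name[32], +0x24 s32 fence (output fd).
  *(uint32_t*)0x20000040 = 0;
  memcpy((void*)0x20000044,
         "\x2f\x9c\xe2\x21\xbf\x62\xe6\x1f\xc5\x9f\x66\xf8\xee\xbf\x79\xb2\xc3"
         "\x87\xc3\xe7\xcf\x77\x29\xc6\xcc\xe0\x6c\x65\xc3\x3b\xdc\xa2",
         32);
  res = syscall(__NR_ioctl, r[0], 0xc0285700, 0x20000040ul);
  if (res != -1)
    r[1] = *(uint32_t*)0x20000064;

  // Second sw_sync handle and second fence: same path, same argument bytes,
  // same scratch addresses as above.
  memcpy((void*)0x20000000, "/sys/kernel/debug/sync/sw_sync\000", 31);
  res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0ul, 0ul);
  if (res != -1)
    r[2] = res;
  *(uint32_t*)0x20000040 = 0;
  memcpy((void*)0x20000044,
         "\x2f\x9c\xe2\x21\xbf\x62\xe6\x1f\xc5\x9f\x66\xf8\xee\xbf\x79\xb2\xc3"
         "\x87\xc3\xe7\xcf\x77\x29\xc6\xcc\xe0\x6c\x65\xc3\x3b\xdc\xa2",
         32);
  res = syscall(__NR_ioctl, r[2], 0xc0285700, 0x20000040ul);
  if (res != -1)
    r[3] = *(uint32_t*)0x20000064;

  // 0xc0303e03 decodes as _IOWR('>', 3, 48 bytes), which matches
  // SYNC_IOC_MERGE, issued on the first fence fd. Argument at 0x20001500:
  //   +0x00 char name[32], +0x20 s32 fd2 = second fence,
  //   +0x24 s32 fence (output fd), +0x28 u32 flags = 0, +0x2c u32 pad = 0.
  memcpy((void*)0x20001500,
         "\x7c\xe8\xfb\x1c\x5b\x98\xd8\xdb\x8d\x00\xdb\x13\x67\x4f\x4e\xa7\xd1"
         "\xa8\x8f\xcc\xbf\x75\xce\xd1\xeb\xae\xd9\xfa\x4e\xf2\x00\x59",
         32);
  *(uint32_t*)0x20001520 = r[3];
  *(uint32_t*)0x20001528 = 0;
  *(uint32_t*)0x2000152c = 0;
  res = syscall(__NR_ioctl, r[1], 0xc0303e03, 0x20001500ul);
  if (res != -1)
    r[4] = *(uint32_t*)0x20001524;

  // 0xc0383e04 decodes as _IOWR('>', 4, 56 bytes), which matches
  // SYNC_IOC_FILE_INFO, issued on the merged fence fd. Argument at 0x20001840;
  // only these fields are written: +0x28 u32 num_fences = 0, +0x2c u32 pad = 0,
  // +0x30 u64 sync_fence_info = 0 (no per-fence output buffer supplied).
  *(uint32_t*)0x20001868 = 0;
  *(uint32_t*)0x2000186c = 0;
  *(uint64_t*)0x20001870 = 0;
  syscall(__NR_ioctl, r[4], 0xc0383e04, 0x20001840ul);
  return 0;
}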