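// https://syzkaller.appspot.com/bug?id=ee3decf69584ffcf0b68ecf953db17445a5b8b69
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Layout of this reproducer:
//   main()         maps a fixed data region and forks 5 worker processes.
//   loop()         per worker: fork a child per iteration, run execute_one()
//                  in it, kill it after 5 s if it has not exited.
//   execute_one()  dispatches calls 0..7 to a pool of up to 16 threads.
//   execute_call() writes raw syscall arguments into the fixed region and
//                  issues one syscall per case.
//
// NOTE(review): the header names were lost when this page was extracted
// (each line read "#include" with nothing after it). The list below is
// reconstructed from the identifiers this file uses; it is not the
// original list.

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/futex.h>

// Fallback syscall number for bpf(2) on libcs that do not define it.
// 321 is the x86_64 number; the file is not portable beyond that anyway.
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Index of the forked worker process (0..4), assigned in main() before fork().
static unsigned long long procid;

// Sleep for ms milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits the process if clock_gettime fails.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start a detached-by-neglect worker thread with a 128 KiB stack.
// pthread_create is retried up to 100 times on EAGAIN; any other failure,
// or exhausting the retries, exits the process.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// Mask of bf_len bits starting at bit bf_off (bf_len of 64 would overflow).
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bitfield at addr. htobe is an optional byte-swap
// macro; every use in this file passes it empty, so htobe(x) expands to (x).
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) = \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// One-shot event built on a futex word: 0 = clear, 1 = set.
typedef struct {
  int state;
} event_t;

static void event_init(event_t* ev)
{
  ev->state = 0;
}

static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Set the event and wake all waiters. Setting an already-set event is
// treated as a harness bug and exits the process.
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until the event is set.
static void event_wait(event_t* ev)
{
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev)
{
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait up to timeout ms for the event. Returns 1 if it was set, 0 on timeout.
// The loop re-derives the remaining time after each futex wake-up, so a
// spurious wake does not cut the wait short.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    now = current_time_ms();
    if (now - start > timeout)
      return 0;
  }
}

// printf-style write of a short string into file. Returns false if the file
// cannot be opened or the write is short; errno is preserved across close().
// The format result is truncated to 1023 bytes.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// SIGKILL pid and its process group, then reap it. If it has not been reaped
// after ~100 ms, write one byte to every /sys/fs/fuse/connections/*/abort
// (presumably to unblock a child stuck in a FUSE request), then block in
// waitpid until pid is collected.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // The byte written is the first char of the path; only the write
      // itself matters here.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup: die with the parent, own a process group (so kill(-pid)
// reaches descendants), and make this child the OOM killer's first choice.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

// How long a clone()d child lingers before exiting: 150 ms.
#define USLEEP_FORKED_CHILD (3 * 50 * 1000)

// Parent side: return the clone() result unchanged. Child side (ret == 0):
// sleep, then exit via the raw syscall so no libc atexit/stdio teardown runs.
static long handle_clone_ret(long ret)
{
  if (ret != 0) {
    return ret;
  }
  usleep(USLEEP_FORKED_CHILD);
  syscall(__NR_exit, 0);
  while (1) {
  }
}

// Raw clone(2) wrapper. CLONE_VM is always masked out so the child gets its
// own address space; sp is the 16-byte-aligned top of the supplied stack
// (0 when stack and stack_len are 0, as in case 6 below).
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls)
{
  long sp = (stack + stack_len) & ~15;
  long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
  return handle_clone_ret(ret);
}

// Worker thread slot: `ready` is set to hand it a call, `done` when finished.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing across all threads.
static int running;

// Worker thread body: wait for a call, run it, signal completion, repeat.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Run calls 0..7 in order. Each call goes to the first idle thread (one is
// created on demand); the dispatcher waits at most 50 ms for it to finish,
// so a call that blocks does not stop the following calls from being issued.
// After the last call, wait up to ~100 ms for in-flight calls to drain.
static void execute_one(void)
{
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  int i, call, thread;
  for (call = 0; call < 8; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 50);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Per-worker driver: fork a fresh child each iteration, run the program in
// it, poll every 10 ms, and kill the child if it is still alive after 5 s.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Results passed between calls: r[0] = getpid() (case 0), r[1] = the
// perf_event_open fd (case 1), r[2] = the bpf cmd-5 fd (case 3).
// -1 marks "not yet obtained".
uint64_t r[3] = {0x0, 0xffffffffffffffff, 0xffffffffffffffff};

// Issue one syscall of the program. Arguments are built in place at fixed
// addresses inside the region mapped in main(); the offsets mirror the
// kernel UAPI struct layouts but are not named here — confirm field meanings
// against the relevant uapi headers before relying on them.
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    res = syscall(__NR_getpid);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    // perf_event_open(attr @0x...800, pid = r[0]). The first two u32 fields
    // are 5 and 0x80 (size); the bit-granular stores at +0x28 fill the attr
    // flag bitfield. The returned fd is kept in r[1] for case 7.
    *(uint32_t*)0x200000000800 = 5;
    *(uint32_t*)0x200000000804 = 0x80;
    *(uint8_t*)0x200000000808 = 0;
    *(uint8_t*)0x200000000809 = 0;
    *(uint8_t*)0x20000000080a = 0;
    *(uint8_t*)0x20000000080b = 0;
    *(uint32_t*)0x20000000080c = 0;
    *(uint64_t*)0x200000000810 = 6;
    *(uint64_t*)0x200000000818 = 0;
    *(uint64_t*)0x200000000820 = 0;
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 0, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 1, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 2, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 3, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 4, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 5, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 6, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 7, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 8, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 9, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 10, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 11, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 12, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 13, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 14, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 15, 2);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 17, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 18, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 19, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 20, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 21, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 22, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 23, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 24, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 25, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 26, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 27, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 28, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 29, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 30, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 31, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 32, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 33, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 34, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 35, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 36, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 37, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 38, 26);
    *(uint32_t*)0x200000000830 = 1;
    *(uint32_t*)0x200000000834 = 4;
    *(uint64_t*)0x200000000838 = 0;
    *(uint64_t*)0x200000000840 = 8;
    *(uint64_t*)0x200000000848 = 0;
    *(uint64_t*)0x200000000850 = 0;
    *(uint32_t*)0x200000000858 = 0;
    *(uint32_t*)0x20000000085c = 4;
    *(uint64_t*)0x200000000860 = 2;
    *(uint32_t*)0x200000000868 = 0;
    *(uint16_t*)0x20000000086c = 4;
    *(uint16_t*)0x20000000086e = 0;
    *(uint32_t*)0x200000000870 = 0;
    *(uint32_t*)0x200000000874 = 0;
    *(uint64_t*)0x200000000878 = 0;
    res = syscall(__NR_perf_event_open, /*attr=*/0x200000000800ul, /*pid=*/r[0], /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
    if (res != -1)
      r[1] = res;
    break;
  case 2:
    // bpf(cmd 0) with an attr at 0x...21c0 that nothing in this file writes
    // (it holds whatever the fresh anonymous mapping holds: zeros). Result
    // is ignored.
    syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x2000000021c0ul, /*size=*/0x48ul);
    break;
  case 3:
    // bpf(cmd 5 — BPF_PROG_LOAD in the bpf_cmd enum; confirm against the
    // uapi header). The u64 at +8 points at a 2587-byte buffer; the u32 at
    // +4 is 0xe, so if that field is insn_cnt only the first 14*8 bytes of
    // the buffer are instructions and the rest is fuzzer padding — verify.
    // The fd returned is kept in r[2] for case 4.
    *(uint32_t*)0x200000000200 = 0xc;
    *(uint32_t*)0x200000000204 = 0xe;
    *(uint64_t*)0x200000000208 = 0x200000002500;
    memcpy(
        (void*)0x200000002500,
        "\xb7\x02\x00\x00\x07\x00\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07"
        "\x03\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xff\x01\x00\x00\x00\x79\xa4"
        "\xf0\xff\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05"
        "\x00\x00\x00\x00\x00\x65\x04\x04\x00\x01\x00\x00\x00\x04\x04\x00\x00"
        "\x01\x00\x7d\x60\xb7\x03\x00\x00\x00\x00\x00\x00\x6a\x0a\x00\xfe\x00"
        "\x00\x00\x00\x85\x00\x00\x00\x0d\x00\x00\x00\xb7\x00\x00\x00\x00\x00"
        "\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00\x5e\xce\xfa\xb8\xf2\xe8\x5c"
        "\x6c\x1c\xa7\x11\xfc\xd0\xcd\xfa\x14\x6e\xc5\x61\x75\x03\x79\x58\x5e"
        "\x5a\x07\x6d\x83\x92\x40\xd2\x9c\x03\x40\x55\xb6\x7d\xaf\xe6\xc8\xdc"
        "\x3d\x5d\x78\xc0\x7f\xa1\xf7\xe6\x55\xce\x34\xe4\xd5\xb3\x18\x5f\xec"
        "\x0e\x07\x00\x4e\x60\xc0\x8d\xc8\xb8\xdb\xf1\x1e\x6e\x94\xd7\x59\x38"
        "\x32\x1a\x3a\xa5\x02\xcd\x24\x24\xa6\x6e\x6d\x2e\xf8\x31\xab\x7e\xa0"
        "\xc3\x4f\x17\xe3\x94\x6e\xf3\xbb\x62\x20\x03\xb5\x38\xdf\xd8\xe0\x12"
        "\xe7\x95\x78\xe5\x1b\xc5\x30\x99\xe9\x0f\x45\x80\xd7\x60\x55\x1b\x5b"
        "\x34\x1a\x29\xf3\x1e\x31\x06\xd1\xdd\xd6\x15\x2f\x7c\xbd\xb9\xcd\x38"
        "\xbd\xb2\x20\x9c\x67\xde\xca\x8e\xeb\x9c\x15\xab\x3a\x14\x81\x7a\xc6"
        "\x1e\x4d\xd1\x11\x83\xa1\x34\x77\xbf\x7e\x86\x0e\x36\x70\xef\x0e\x78"
        "\x9f\x65\xf1\x32\x8d\x67\x04\x90\x2c\xbe\x7b\xc0\x4b\x82\xd2\x78\x9c"
        "\xb1\x32\xb8\x66\x7c\x21\x47\x66\x1d\xf2\x8d\x99\x61\xb6\x3e\x1a\x9c"
        "\xf6\xc2\xa6\x60\xa1\xfe\x3c\x18\x4b\x75\x1c\x51\x16\x0f\xb2\x0b\x1c"
        "\x58\x1e\x7b\xe6\xba\x0d\xc0\x01\xc4\x11\x05\x55\x85\x09\x15\x14\x8b"
        "\xa5\x32\xe6\xea\x09\xc3\x46\xdf\xeb\xd3\x86\x08\xb3\x28\x00\x80\x00"
        "\x5d\x9a\x95\x00\x00\x00\x00\x00\x00\x00\x33\x4d\x83\x23\x9d\xd2\x70"
        "\x80\x85\x1d\xca\xc3\xc1\x22\x33\xf9\xa1\xfb\x9c\x2a\xec\x61\xce\x63"
        "\xa3\x8d\x2f\xd5\x01\x17\xb8\x9a\x9a\xb3\x59\xb4\xee\xa0\xc6\xe9\x57"
        "\x67\xd4\x2b\x4e\x54\x86\x1d\x02\x27\xdb\xfd\x2e\x6d\x7f\x71\x5a\x7f"
        "\x3d\xea\xdd\x71\x30\x85\x6f\x75\x64\x36\x30\x37\x67\xd2\xe2\x4f\x29"
        "\xe5\xda\xd9\x79\x6e\xdb\x69\x7a\xee\xa0\x18\x2b\xab\xd1\x8c\xac\x1b"
        "\xd4\xf4\x39\x0a\xf9\xa9\xce\xaf\xd0\x00\x2c\xab\x15\x4a\xd0\x29\xa1"
        "\x09\x00\x00\x00\x27\x80\x87\x00\x14\xf5\x1c\x3c\x97\x5d\x5a\xec\x84"
        "\x22\x2f\xd3\xa0\xec\x4b\xe3\xe5\x63\x11\x2b\x0b\x39\x50\x1a\xaf\xe2"
        "\x34\x87\x00\x72\x85\x8d\xc0\x6e\x7c\x33\x76\x42\xd3\xe5\xa8\x15\x23"
        "\x2f\x5e\x16\xc1\xb3\x0c\x3a\x6a\x71\xbc\x85\x01\x8e\x5f\xf2\xc9\x10"
        "\x18\xaf\xc9\xff\xc2\xcc\x78\x8b\xee\x1b\x47\x68\x3d\xb0\x1a\xc6\x93"
        "\x98\x68\x52\x11\xdf\xbb\xae\x3e\x2e\xd0\xa5\x0e\x73\x13\xbf\xf5\xd4"
        "\xc3\x91\xdd\xec\xe0\x0f\xc7\x86\xb4\x09\xac\x93\x0c\x90\xff\x90\xf0"
        "\x5c\xa3\xbd\xfc\x92\xc8\x8c\x5b\x8d\xcd\x36\xe7\x48\x7a\xfa\x44\x7e"
        "\x2e\xdf\xae\x4f\x39\x0a\x83\x37\x84\x1c\xef\x38\x6e\x22\xcc\x22\xee"
        "\x17\x47\x6d\x85\x89\x3f\x22\x96\x82\xe2\x4b\x92\x53\x3a\xc2\xa9\xf5"
        "\xa6\x99\x59\x3f\x08\x44\x19\xca\xe0\xb4\x53\x2b\xcc\x97\xd3\xae\x48"
        "\x6a\xca\x54\x18\x3f\xb0\x1c\x73\xf9\x79\xca\x98\x57\x39\x95\x37\xf5"
        "\xdc\x2a\x2d\x0e\x00\x00\x00\x00\x00\x00\x05\x78\x67\x3f\x8b\x6e\x74"
        "\xce\x23\x87\x7a\x6b\x24\xdb\x0e\x06\x73\x45\x56\x09\x42\xfa\x62\x9f"
        "\xbe\xf2\x46\x1c\x96\xa0\x88\xa2\x2e\x8b\x15\xc3\xe2\x33\xdb\x7a\xb2"
        "\x2e\x30\xd4\x6a\x9d\x24\xd3\x7c\xef\x09\x9e\xce\x72\x9a\xa2\x18\xf9"
        "\xf4\x4a\x32\x10\x22\x3f\xda\xe7\xed\x04\x93\x5c\x3c\x90\xd3\xad\xd8"
        "\xee\xbc\x86\x19\xd7\x34\x15\xcd\xa2\x13\x0f\x50\x11\xe4\x84\x55\xb5"
        "\xa8\xb9\x0d\xfa\xe1\x58\xb9\x4f\x50\xad\xab\x98\x8d\xd8\xe1\x2b\xaf"
        "\x5c\xc9\x39\x8f\xff\x00\x40\x4d\x5d\x99\xf8\x2e\x20\xef\x6a\x8c\x88"
        "\xe1\x8c\x29\x77\xaa\xb3\x7d\x9a\xc4\xcf\xc1\xc7\xb4\x00\x00\x00\x00"
        "\x00\x00\x07\xff\x57\xc3\x94\x95\xc8\x26\xb9\x56\xba\x85\x9a\xc8\xe3"
        "\xc1\x77\xb9\x1b\xd7\xd5\xe4\x1f\xf8\x68\xf7\xca\x16\x64\xfe\x2f\x3c"
        "\xed\x84\x68\x91\x18\x06\x04\xb6\xdd\x24\x99\xd1\x6d\x7d\x91\x58\xff"
        "\xff\xff\xff\x00\x00\x00\x00\xef\x06\x9d\xc4\x27\x49\xa8\x9f\x85\x47"
        "\x97\xf2\x9d\x00\x00\x00\x2d\x8c\x38\xa9\x67\xc1\xbb\xe0\x93\x15\xc2"
        "\x98\x77\xa3\x08\xbc\xc8\x7d\xc3\xad\xdb\x08\x14\x1b\xde\xe5\xd2\x78"
        "\x74\xb2\xf6\x63\xdd\xee\xf0\x00\x5b\x3d\x96\xc7\xaa\xbf\x4d\xf5\x17"
        "\xd9\x0b\xdc\x01\xe7\x38\x35\xd5\xa3\xe1\xa9\x08\x00\xc6\x6e\xe2\xb1"
        "\xad\x76\xdf\xf9\xf9\x00\x00\x71\x41\x4c\x99\xd4\x89\x4e\xe7\xf8\x24"
        "\x9d\xc1\xe3\x42\x8d\x21\x29\x36\x9e\xe1\xb8\x5a\xf6\xeb\x2e\xea\x0d"
        "\x0d\xf4\x14\xb3\x15\xf6\x51\xc8\x41\x23\x92\x19\x1f\xa8\x3e\xe8\x30"
        "\x54\x8f\x11\xe1\x03\x6a\x8d\xeb\xd6\x4c\xbe\x35\x94\x54\xa3\xf2\x23"
        "\x9c\xfe\x35\xf8\x1b\x7a\x49\x0f\x16\x7e\x6d\x5c\x11\x09\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x42\xb8\xff\x8c\x21\xad\x70\x2c\xca\xca\xd5\xb3"
        "\x9e\xef\x21\x3d\x1c\xa2\x96\xd2\xa2\x77\x98\xc8\xce\x2a\x30\x5c\x0c"
        "\x7d\x35\xcf\x4b\x22\x54\x9a\x4b\xd9\x20\x52\x18\x8b\xd1\xf2\x85\xf6"
        "\x53\xb6\x21\x49\x12\xa5\x17\x81\x02\x00\xe2\xff\x08\x64\x4f\xb9\x4c"
        "\x06\x00\x6e\xff\x1b\xe2\xf6\x33\xc1\xd9\x87\x59\x1e\xc3\xdb\x58\xa7"
        "\xbb\x30\x42\xec\x3f\x77\x1f\x7a\x13\x38\xa5\xc3\xdd\x35\xe9\x26\x04"
        "\x9f\xe8\x6e\x09\xe3\x18\x7a\x10\xd9\x05\xde\xb2\x8c\x13\xc1\xed\x1c"
        "\x0d\x9c\xae\x84\x6b\xcb\xfa\x8c\xce\x7b\x89\x3e\x57\x8a\xf7\xdc\x7d"
        "\x5e\x87\xd4\x4f\xf8\x28\xde\x45\x3f\x34\xc2\xb1\x86\x60\xb0\x80\xef"
        "\xc7\x07\xe6\x76\xe1\xfb\x4d\x58\x25\xc0\xca\x17\x7a\x4c\x7f\xbb\x4e"
        "\xda\x05\x45\xc0\x0f\x57\x6b\x2b\x5c\xc7\xf8\x19\xab\xd0\xf8\x85\xcc"
        "\x48\x06\xf4\x03\x00\x96\x6f\xcf\x1e\x54\xf5\xa2\xd3\x87\x08\x29\x4c"
        "\xd6\xf4\x96\xe5\xde\x09\x00\x00\x00\x00\x00\x00\x00\xcf\x44\x2d\x48"
        "\x8a\xfd\xc0\xe1\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x05\x00"
        "\x00\x00\xdc\x1c\x56\xd5\x9f\x35\xd3\x67\x63\x8c\xda\x69\x0d\x19\x2a"
        "\x07\x08\x86\xdf\x42\xb2\x70\x98\x77\x3b\x45\x19\x8b\x4a\x34\xac\x97"
        "\x7e\xbd\x44\x50\xe1\x21\x7c\x13\x42\x70\x3f\x5b\xf0\x30\xe9\x35\x87"
        "\x8a\x6d\x16\x9c\x80\xaa\x42\x52\xd4\xea\x6b\x8f\x62\x16\xff\x20\x2b"
        "\x5b\x5a\x18\x2c\xb5\xe8\x38\xb3\x07\x63\x2d\x03\xa7\xca\x6f\x6d\x03"
        "\x39\xf9\x95\x3c\x30\x93\xc3\x69\x0d\x10\xec\xb6\x5d\xc5\xb4\x74\x81"
        "\xed\xbf\x1f\x00\x00\x00\x00\x00\x00\x00\x4d\x16\xd2\x9c\x28\xeb\x51"
        "\x67\xe9\x93\x6e\xd3\x27\xfb\x23\x7a\x56\x22\x4e\x49\xd9\xea\x95\x5a"
        "\x5f\x0d\xec\x1b\x3c\xcd\x35\x36\x46\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x26\xde\xd4\xdd\x6f\xe1\x51\x8c\xc7\x80\x20\x43"
        "\xec\xfe\x69\xf7\x43\xf1\x21\x3b\xf8\x17\x9e\xcd\x9e\x5a\x22\x5d\x67"
        "\x52\x1d\xc7\x28\xea\xc7\xd8\x0a\x56\x56\xac\x2c\xbd\xe2\x1d\x3e\xbf"
        "\xbf\x69\xff\x86\x1f\x43\x94\x83\x6d\xdf\x12\x8d\x6d\x19\x07\x9e\x64"
        "\x33\x6e\x7c\x67\xdf\x4c\x65\x05\xc7\x8a\xd6\x75\x48\xf4\xb1\x92\xbe"
        "\x18\x27\xfc\xd9\x5c\xf1\x07\x75\x3c\xb0\xa6\xa9\x79\xd3\xdb\x0c\x40"
        "\x70\x81\xc6\x28\x1e\x2d\x84\x29\xa8\x63\x90\x3c\xa7\x5f\x4c\x7d\xf3"
        "\xea\x8f\xc2\x01\x8d\x07\xaf\x14\x91\xef\x06\x0c\xd4\x40\x3a\x09\x9f"
        "\x32\x46\x8f\x65\xbd\x06\xb4\x08\x2d\x43\xe1\x21\x86\x1b\x5c\xc0\x3f"
        "\x1a\x15\x61\xf0\x58\x9e\x0d\x12\x96\x9b\xc9\x82\xff\x5d\x8e\x9b\x98"
        "\x6c\x0c\x6c\x74\x7d\x9a\x1c\xc5\x00\xbb\x89\x2c\x3a\x16\xff\x10\xfe"
        "\xea\x20\xbd\xac\x00\x00\x00\x00\x00\x00\x00\x00\xca\x06\xf2\x56\xc8"
        "\x02\x8e\x0f\x9b\x65\xf0\x37\xb2\x1f\x32\x89\xf8\x6a\x68\x26\xc6\x9f"
        "\xa3\x5b\xa5\xcb\xc3\xf2\xdb\x15\x16\xff\xc5\xc6\xe3\xfa\x61\x8b\x24"
        "\xa6\xce\x16\xd6\xc7\x01\x0b\xb3\x7b\x61\xfa\x0a\x2d\x89\x74\xe6\x91"
        "\x15\xd3\x33\x94\xe8\x6e\x4b\x83\x82\x97\xba\x20\xf9\x69\x36\xb7\xe4"
        "\x74\x6e\x92\xde\xa6\xc5\xd1\xd3\x3d\x84\xd9\x6b\x50\xfb\x00\x00\x00"
        "\xae\x07\xc6\x5b\x71\x08\x8d\xd7\xd5\xd1\xe1\xba\xb9\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\xb5\xac\xe2\x93\xbe\xc8\x33\xc1\x3e"
        "\x32\x29\x43\x2a\xd7\x1d\x64\x62\x18\xb5\x22\x9d\xd8\x81\x37\xfc\x7c"
        "\x59\xaa\x24\x2a\xf3\xbb\x4e\xfb\x82\x05\x5a\x3b\x61\x22\x7a\xd4\x0f"
        "\x52\xc9\xf2\x50\x05\x79\xac\xa1\x10\x33\xec\x14\xbb\x9c\xc1\x6b\xd8"
        "\x3a\x00\x84\x0e\x31\xd8\x28\xec\x78\xe1\x16\xae\x46\xc4\x89\x7e\x27"
        "\x95\xb6\xff\x92\xe9\xa1\xe2\x4b\x0b\x85\x5c\x02\xf2\xb7\xad\xd5\x8f"
        "\xfb\x25\xf3\x39\x29\x77\x29\xa7\xa5\x18\x10\x13\x4d\x3d\xfb\xf7\x1f"
        "\x65\x16\x73\x7b\xe5\x5c\x06\xd9\xcd\xcf\xb1\xe2\xbb\x10\xb5\x00\x00"
        "\xeb\x4a\xcf\xf9\x07\x56\xdb\xa1\xec\xf9\xf5\x8a\xfd\x3c\x19\xb5\xc4"
        "\x55\x8b\xa9\xaf\x6b\x73\x33\xc8\x94\xa1\xfb\x29\xad\xe9\xad\x75\xc9"
        "\xc0\x22\xe8\xd0\x3f\xe2\x8b\xc3\x58\x68\x44\x92\xaa\x77\x1d\xbf\xe8"
        "\x07\x45\xfe\x89\xad\x34\x9f\xfa\xad\x76\xff\x9d\xd6\x43\x79\x6c\xaf"
        "\xfd\xf6\x7a\xf5\xdd\x47\x6c\x37\xe7\xe9\xa8\x4e\x2e\x5d\xa2\x69\x6e"
        "\x28\x5a\x59\xb5\x3f\x2f\xb0\xe1\x6d\x82\x62\xc0\x80\xc1\x59\xce\x40"
        "\xc1\x40\x89\xc8\x27\x59\x10\x6f\x42\x25\x82\xb4\x2e\x3e\x84\x84\xea"
        "\x5a\x6a\xd9\xaa\x52\x10\x6e\xaf\xe0\xe0\xca\xea\x1a\xd4\xcb\x23\xf3"
        "\xc2\xb8\xa0\xf4\x55\xba\x69\xea\x28\x4c\x26\x8d\x54\xb4\x31\x58\xa8"
        "\xb1\xd1\x28\xd0\x2a\xf2\x63\xb3\xdc\x1c\xab\x79\x4c\x9a\xc5\x7a\x2a"
        "\x73\x32\xf4\xd8\x76\x4c\x30\x2c\xcd\x5a\xac\x11\x44\x82\xb6\x19\xfc"
        "\x57\x5a\xa0\xdd\x27\x77\xe8\x81\xe2\x9a\x85\x43\x80\xe2\xf1\xe4\x9d"
        "\xb5\xa1\x51\x7e\xc4\x0b\xb3\xfa\x44\xf9\x95\x9b\xad\x67\xcc\xab\xa7"
        "\x64\x08\xda\x35\xc9\xf1\x53\x4c\x8b\xd4\x8b\xbd\x61\x62\x7a\x2e\x0a"
        "\x74\xb5\xe6\xae\xfb\x7e\xee\x40\x35\x02\x73\x48\x37\xff\x47\x25\x7f"
        "\x16\x43\x91\xc6\x73\xb6\x07\x9e\x65\xd7\x29\x5e\xed\x16\x4c\xa6\x3e"
        "\x4e\xa2\x6d\xce\x0f\xb3\xce\x0f\x65\x91\xd8\x0d\xfb\x8f\x38\x6b\xb7"
        "\x4b\x55\x89\x82\x9b\x6b\x06\x79\xb5\xd6\x5a\x6d\x07\x20\x34\xce\xcc"
        "\x45\x77\x76\xc5\xfa\x1f\x33\xb0\x20\x3c\x07\x05\x2c\x6b\xc3\x14\xb0"
        "\xac\x5c\x63\xbc\x20\x83\xc9\xcd\xa0\xb7\x48\x0e\x0b\x17\x85\x4f\xfc"
        "\xc7\x61\x76\xce\x26\x6b\xc6\x98\xf7\x92\x1b\x8a\xfe\x79\x8a\x7a\x5e"
        "\xd3\x3a\xb0\x37\x44\x55\xee\x36\x8f\xda\x99\xa0\xe6\x81\xbf\x94\x26"
        "\x83\x1b\x19\x33\x95\xcb\x01\xa7\x33\x2a\x50\xaa\xc8\x41\xcb\x7d\x48"
        "\xa1\x76\x8a\x76\x40\xa9\x82\x06\x31\xba\x77\x5a\x2d\x4f\x12\xe8\xe7"
        "\x17\xea\xaa\x2a\x6d\x14\xfe\xe0\xc1\x5f\x36\xc2\x03\xdb\xc7\xc0\x61"
        "\x28\xbe\xc8\x42\x31\xd4\x3e\x15\x2e\xf1\x9c\xe0\x27\x43\x6f\xb4\xeb"
        "\xb9\xfc\xe4\x31\xb9\x13\xf4\x81\x75\x97\xa6\xf5\x3d\x16\x26\xf9\xd1"
        "\xcb\x7b\x36\xfb\x18\xac\x19\x54\x7a\x9b\x20\xed\xe7\x0c\x81\xa7\x56"
        "\x86\xce\xa8\x5d\xcd\x34\x40\x81\x28\xda\x7c\xab\x04\x55\x41\xbc\x6b"
        "\x9a\x0a\x79\xf6\x3f\x2e\x76\x46\x35\x6e\x04\xb9\x77\xc9\xf4\x74\x67"
        "\x53\x70\x15\x24\x0b\x97\x41\x84\xbe\x9c\x54\xb7\xc6\x28\xae\x4d\x97"
        "\xeb\xdb\x06\x07\x03\x44\x46\x89\x94\xaf\xba\xac\x71\xe5\xff\xac\x2c"
        "\x61\xd9\xaf\x66\xf9\xde\x27\x60\xa3\x8e\x96\x8a\x78\x15\x28\x53\x1c"
        "\x1c\x93\x6a\x02\x06\x5b\xe4\x8f\x1e\xee\x77\xbe\x87\x88\x73\x20\x6d"
        "\x65\xbd\x0b\x12\x41\xfa\xb9\x13\x9a\xbd\x7f\x40\xfe\xbe\x81\xfe\xd3"
        "\x68\x4e\x6b\x59\x27\x3d\xa0\x1f\x17\x43\xc6\xa5\xdf\x30\x0e\xc5\x9c"
        "\x65\xe8\x17\x4f\xc2\xd9\x5a\x62\xca\x7b\x93\x72\x89\xad\x14\x10\x73"
        "\x33\x00\x7e\xab\x83\x3a\x58\x49\xeb\x19\xf1\x8a\xe4\x17\x43\xdf\xb9"
        "\x49\x37\x7e",
        2587);
    // The u64 at +0x10 points at the NUL-terminated license string.
    *(uint64_t*)0x200000000210 = 0x200000000340;
    memcpy((void*)0x200000000340, "syzkaller\000", 10);
    *(uint32_t*)0x200000000218 = 0;
    *(uint32_t*)0x20000000021c = 0;
    *(uint64_t*)0x200000000220 = 0;
    *(uint32_t*)0x200000000228 = 0;
    *(uint32_t*)0x20000000022c = 0;
    memset((void*)0x200000000230, 0, 16);
    *(uint32_t*)0x200000000240 = 0;
    *(uint32_t*)0x200000000244 = 0;
    *(uint32_t*)0x200000000248 = -1;
    *(uint32_t*)0x20000000024c = 8;
    *(uint64_t*)0x200000000250 = 0;
    *(uint32_t*)0x200000000258 = 0;
    *(uint32_t*)0x20000000025c = 0x10;
    *(uint64_t*)0x200000000260 = 0;
    *(uint32_t*)0x200000000268 = 0;
    *(uint32_t*)0x20000000026c = 0;
    *(uint32_t*)0x200000000270 = -1;
    *(uint32_t*)0x200000000274 = 0;
    *(uint64_t*)0x200000000278 = 0;
    *(uint64_t*)0x200000000280 = 0;
    *(uint32_t*)0x200000000288 = 0x10;
    *(uint32_t*)0x20000000028c = 0;
    *(uint32_t*)0x200000000290 = 0;
    res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200000000200ul, /*size=*/0x48ul);
    if (res != -1)
      r[2] = res;
    break;
  case 4:
    // bpf(cmd 0xa) on the fd from case 3 (r[2] at +0). The u64 at +0x10
    // points at a 254-byte input buffer; +0x30/+0x38 point at the start of
    // the data region. Result is ignored.
    *(uint32_t*)0x200000000080 = r[2];
    *(uint32_t*)0x200000000084 = 0x2a0;
    *(uint32_t*)0x200000000088 = 0xfe;
    *(uint32_t*)0x20000000008c = 0x60000000;
    *(uint64_t*)0x200000000090 = 0x200000000100;
    memcpy(
        (void*)0x200000000100,
        "\xb9\xff\x03\x07\x68\x44\x26\x8c\xb8\x9e\x14\xf0\x08\x00\x4b\xe0\xff"
        "\xff\x00\x12\x40\x00\x63\x2f\x77\xfb\xac\x14\x14\x16\xac\x14\x14\x16"
        "\x44\x0c\x05\x11\x4d\x2f\x87\xe5\x94\x0c\x05\xab\x86\x0c\x13\xf2\x32"
        "\x5f\x1a\x39\x01\x07\x02\x03\x8d\xa1\x88\x0b\x25\x18\x1a\xa5\x9d\x94"
        "\x3b\xe3\xf4\xae\xd5\x0e\xa5\xa6\xb8\x68\x67\x31\xcb\x89\xef\x77\x12"
        "\x3c\x89\x9b\x69\x9e\xea\xa8\xea\xa0\x07\x34\x61\x11\x96\x63\x90\x64"
        "\x00\xf3\x0c\x06\x00\x00\x00\x00\x00\x00\x59\xb6\xd3\x29\x6e\x8c\xa3"
        "\x1b\xce\x1d\x83\x92\x07\x8b\x72\xf2\x49\x96\xae\x17\xdf\xfc\x2e\x43"
        "\xc8\x17\x4b\x54\xb6\x20\x63\x68\x94\xaa\xac\xf2\x8f\xf6\x26\x16\x36"
        "\x3c\x70\xa4\x40\xae\xc4\x01\x4c\xaf\x28\xc0\xad\xc0\x43\x08\x46\x17"
        "\xd7\xec\xf4\x1e\x9d\x13\x45\x89\xd4\x6e\x5d\xfc\x4c\xa5\x78\x0d\x38"
        "\xca\xe8\x70\xb9\xa1\xdf\x48\xb2\x38\x19\x0d\xa4\x50\x29\x6b\x0a\xc0"
        "\x14\x96\xac\xe2\x3e\xef\xc9\xd4\x24\x6d\xd1\x4a\xfb\xf7\x9a\x22\x83"
        "\xa0\xbb\x7e\x1d\x23\x5f\x3d\xf1\x26\xc3\xac\xc2\x40\xd7\x5a\x05\x8f"
        "\x6e\xfa\x6d\x1f\x5f\x7f\xf4\x00\x00\x00\x00\x00\x00\x00\x00\x00",
        254);
    *(uint64_t*)0x200000000098 = 0;
    *(uint32_t*)0x2000000000a0 = 0xfe;
    *(uint32_t*)0x2000000000a4 = 0x60000000;
    *(uint32_t*)0x2000000000a8 = 0;
    *(uint32_t*)0x2000000000ac = 0;
    *(uint64_t*)0x2000000000b0 = 0x200000000000;
    *(uint64_t*)0x2000000000b8 = 0x200000000000;
    *(uint32_t*)0x2000000000c0 = 0;
    *(uint32_t*)0x2000000000c4 = 0;
    *(uint32_t*)0x2000000000c8 = 0;
    syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x200000000080ul, /*size=*/0x2cul);
    break;
  case 5:
    // Second perf_event_open with a mostly-zero attr (type 1, size 0x80)
    // and an out-of-range cpu argument. The return value is not recorded.
    *(uint32_t*)0x200000000180 = 1;
    *(uint32_t*)0x200000000184 = 0x80;
    *(uint8_t*)0x200000000188 = 0;
    *(uint8_t*)0x200000000189 = 0;
    *(uint8_t*)0x20000000018a = 0;
    *(uint8_t*)0x20000000018b = 0;
    *(uint32_t*)0x20000000018c = 0;
    *(uint64_t*)0x200000000190 = 0xf;
    *(uint64_t*)0x200000000198 = 0x8000;
    *(uint64_t*)0x2000000001a0 = 0;
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 0, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 1, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 2, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 3, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 4, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 5, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 6, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 7, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 8, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 9, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 10, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 11, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 12, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 13, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 14, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 15, 2);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 17, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 18, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 19, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 20, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 21, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 22, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 23, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 24, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 25, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 26, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 27, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 28, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 29, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 30, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 31, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 32, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 33, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 34, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 35, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 36, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 37, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 38, 26);
    *(uint32_t*)0x2000000001b0 = 0;
    *(uint32_t*)0x2000000001b4 = 0;
    *(uint64_t*)0x2000000001b8 = 0;
    *(uint64_t*)0x2000000001c0 = 8;
    *(uint64_t*)0x2000000001c8 = 0x1c00;
    *(uint64_t*)0x2000000001d0 = 4;
    *(uint32_t*)0x2000000001d8 = 0;
    *(uint32_t*)0x2000000001dc = 0;
    *(uint64_t*)0x2000000001e0 = 0;
    *(uint32_t*)0x2000000001e8 = 0;
    *(uint16_t*)0x2000000001ec = 0;
    *(uint16_t*)0x2000000001ee = 0;
    *(uint32_t*)0x2000000001f0 = 0;
    *(uint32_t*)0x2000000001f4 = 0;
    *(uint64_t*)0x2000000001f8 = 2;
    syscall(__NR_perf_event_open, /*attr=*/0x200000000180ul, /*pid=*/0, /*cpu=*/0xaffffff7fffffffful, /*group=*/-1, /*flags=PERF_FLAG_FD_OUTPUT|PERF_FLAG_FD_NO_GROUP*/ 3ul);
    break;
  case 6:
    // Raw clone with several new namespaces and no stack (sp ends up 0);
    // the child only sleeps 150 ms and exits (see handle_clone_ret).
    syz_clone(/*flags=CLONE_PIDFD|CLONE_IO|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWCGROUP|CLONE_CHILD_SETTID|0x8500*/ 0xab009500, /*stack=*/0, /*stack_len=*/0, /*parentid=*/0, /*childtid=*/0, /*tls=*/0);
    break;
  case 7:
    // Close the perf fd obtained in case 1 (or -1 if that call failed).
    syscall(__NR_close, /*fd=*/r[1]);
    break;
  }
}

// Map the fixed data region used by execute_call (16 MiB at 0x200000000000,
// prot 7 = read|write|exec as the inline comment states), with an
// inaccessible page on either side, then fork 5 workers that each run
// loop() forever. The parent only sleeps; it never reaps the workers.
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  for (procid = 0; procid < 5; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}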