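// https://syzkaller.appspot.com/bug?id=cefaf1b99e8723ac3ea8f871f464451e55ba3e76
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-fuzzer reproducer that exercises io_uring. Reading guide for triage:
//   main()         maps a fixed scratch region at 0x20000000 and enters loop().
//   loop()         forks one child per iteration and enforces a 15 s watchdog.
//   execute_one()  (child) calls io_uring_setup, maps the rings at fixed
//                  addresses inside the scratch region, then calls pwritev
//                  and io_uring_enter.
// The system calls issued by the test body are io_uring_setup, mmap, pwritev
// and io_uring_enter, which is the set to look at when writing a seccomp or
// audit rule around this reproducer.

#define _GNU_SOURCE

// NOTE(review): this copy had nineteen bare "#include" directives with the
// header names missing. The names below are the headers the code in this file
// needs, in the alphabetical order syzkaller normally emits.
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Fallback syscall numbers for toolchains whose headers predate io_uring.
#ifndef __NR_io_uring_enter
#define __NR_io_uring_enter 426
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

// Sleep for `ms` milliseconds.
static void sleep_ms(uint64_t ms)
{
    usleep(ms * 1000);
}

// Return the monotonic clock in milliseconds; exits with status 1 if the
// clock cannot be read.
static uint64_t current_time_ms(void)
{
    struct timespec ts;
    if (clock_gettime(CLOCK_MONOTONIC, &ts))
        exit(1);
    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Format a string (printf-style, truncated to 1023 bytes) and write it to an
// existing file in a single write(). Returns true only if the whole string was
// written; on a short or failed write errno is preserved across close().
static bool write_file(const char* file, const char* what, ...)
{
    char buf[1024];
    va_list args;
    va_start(args, what);
    vsnprintf(buf, sizeof(buf), what, args);
    va_end(args);
    buf[sizeof(buf) - 1] = 0;
    int len = strlen(buf);

    int fd = open(file, O_WRONLY | O_CLOEXEC);
    if (fd == -1)
        return false;
    if (write(fd, buf, len) != len) {
        int err = errno;
        close(fd);
        errno = err;
        return false;
    }
    close(fd);
    return true;
}

// Entry sizes used to compute the mmap lengths in syz_io_uring_setup().
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16

// Ring-header offsets as emitted by the generator. None of them is referenced
// by the code in this file; the mapping sizes are derived from the sq_off and
// cq_off values the kernel writes back into io_uring_params.
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

// Local copies of the io_uring setup structures, so the file builds without
// the io_uring UAPI header.
struct io_sqring_offsets {
    uint32_t head;
    uint32_t tail;
    uint32_t ring_mask;
    uint32_t ring_entries;
    uint32_t flags;
    uint32_t dropped;
    uint32_t array;
    uint32_t resv1;
    uint64_t resv2;
};

struct io_cqring_offsets {
    uint32_t head;
    uint32_t tail;
    uint32_t ring_mask;
    uint32_t ring_entries;
    uint32_t overflow;
    uint32_t cqes;
    uint64_t resv[2];
};

struct io_uring_params {
    uint32_t sq_entries;
    uint32_t cq_entries;
    uint32_t flags;
    uint32_t sq_thread_cpu;
    uint32_t sq_thread_idle;
    uint32_t features;
    uint32_t resv[4];
    struct io_sqring_offsets sq_off;
    struct io_cqring_offsets cq_off;
};

// mmap offsets selecting the SQ/CQ ring and the SQE array on the ring fd.
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

// Create an io_uring instance and map its ring and SQE array at fixed
// addresses.
//
//   a0  requested number of entries
//   a1  address of a struct io_uring_params (read and written by the kernel)
//   a2  address at which the ring is mapped (MAP_FIXED)
//   a3  address at which the SQE array is mapped (MAP_FIXED)
//   a4  where to store the ring mapping pointer
//   a5  where to store the SQE mapping pointer
//
// Returns the value of io_uring_setup() after it has passed through a
// uint32_t.
//
// NOTE(review): no return value is checked. If io_uring_setup() fails, the -1
// is stored as 0xffffffff, both mmap() calls are still attempted with that
// value as the fd, and the function returns 0xffffffff. Where long is 64 bits
// that does not compare equal to -1, so the caller's `res != -1` test cannot
// detect the failure. The behaviour is left as generated so the syscall
// sequence is unchanged.
static long syz_io_uring_setup(volatile long a0, volatile long a1,
                               volatile long a2, volatile long a3,
                               volatile long a4, volatile long a5)
{
    uint32_t entries = (uint32_t)a0;
    struct io_uring_params* setup_params = (struct io_uring_params*)a1;
    void* vma1 = (void*)a2;
    void* vma2 = (void*)a3;
    void** ring_ptr_out = (void**)a4;
    void** sqes_ptr_out = (void**)a5;

    uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);

    // One mapping covers both rings, so it is sized for the larger of the two.
    uint32_t sq_ring_sz = setup_params->sq_off.array +
                          setup_params->sq_entries * sizeof(uint32_t);
    uint32_t cq_ring_sz = setup_params->cq_off.cqes +
                          setup_params->cq_entries * SIZEOF_IO_URING_CQE;
    uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
    *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE,
                         MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring,
                         IORING_OFF_SQ_RING);

    uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
    *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE,
                         MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring,
                         IORING_OFF_SQES);
    return fd_io_uring;
}

// Kill the child `pid` and its process group, then reap it.
//
// The child is polled for about 100 ms first. If it has not been reaped by
// then, one byte is written to every /sys/fs/fuse/connections/*/abort file
// (presumably so that a child blocked on a FUSE request can exit; nothing in
// this file creates a FUSE mount) and the function blocks until waitpid()
// returns `pid`.
static void kill_and_wait(int pid, int* status)
{
    kill(-pid, SIGKILL);
    kill(pid, SIGKILL);
    for (int i = 0; i < 100; i++) {
        if (waitpid(-1, status, WNOHANG | __WALL) == pid)
            return;
        usleep(1000);
    }

    DIR* dir = opendir("/sys/fs/fuse/connections");
    if (dir) {
        for (;;) {
            struct dirent* ent = readdir(dir);
            if (!ent)
                break;
            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
                continue;
            // Named abort_path rather than abort so it does not shadow abort().
            char abort_path[300];
            snprintf(abort_path, sizeof(abort_path),
                     "/sys/fs/fuse/connections/%s/abort", ent->d_name);
            int fd = open(abort_path, O_WRONLY);
            if (fd == -1)
                continue;
            // Best effort: the result is deliberately ignored.
            if (write(fd, abort_path, 1) < 0) {
            }
            close(fd);
        }
        closedir(dir);
    }

    while (waitpid(-1, status, __WALL) != pid) {
    }
}

// Per-child setup: die with the parent, move into a new process group (so
// kill(-pid) in kill_and_wait reaches descendants), and set oom_score_adj to
// 1000.
static void setup_test(void)
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Run execute_one() in a fresh child forever. Each child gets 15 seconds; a
// child that is still running after that is killed and reaped.
static void loop(void)
{
    for (;;) {
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            setup_test();
            execute_one();
            exit(0);
        }

        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 15000)
                continue;
            kill_and_wait(pid, &status);
            break;
        }
    }
}

// Resource slot for the io_uring fd; all-ones until setup stores a value.
uint64_t r[1] = {0xffffffffffffffff};

// The generated test body. Every address is a fixed location inside the
// region mapped by main().
//
// NOTE(review): the ring is mapped with MAP_FIXED at 0x20002000. The iovec
// array written at 0x20002200 and the last 0x1c0 bytes of the 4096-byte copy
// to 0x200011c0 both fall at or above that address. If the ring mmap
// succeeded, those stores modify memory shared with the kernel rather than
// plain scratch memory, so whatever the kernel later reads from the start of
// the ring comes from this buffer. Which ring fields sit at those offsets is
// reported by the kernel in sq_off/cq_off and should be confirmed on the
// kernel under test.
void execute_one(void)
{
    // struct io_uring_params at 0x200005c0: cq_entries, flags, sq_thread_cpu
    // and sq_thread_idle are zeroed, resv[0] is set to 0xffffffff (that word
    // is named wq_fd in later kernel headers) and resv[1..3] are cleared.
    // sq_entries and features are not written here.
    *(uint32_t*)0x200005c4 = 0;
    *(uint32_t*)0x200005c8 = 0;
    *(uint32_t*)0x200005cc = 0;
    *(uint32_t*)0x200005d0 = 0;
    *(uint32_t*)0x200005d8 = -1;
    memset((void*)0x200005dc, 0, 12);

    // 0x3940 entries; ring at 0x20002000, SQE array at 0x20ffd000; the two
    // mapping pointers are stored at 0x20000100 and 0x20000140.
    intptr_t res = syz_io_uring_setup(0x3940, 0x200005c0, 0x20002000,
                                      0x20ffd000, 0x20000100, 0x20000140);
    if (res != -1)
        r[0] = res;

    // Three 16-byte {base, len} entries at 0x20002200: two empty ones, then
    // {0x200011c0, 0x1000}. The length word is stored after the copy below.
    *(uint64_t*)0x20002200 = 0;
    *(uint64_t*)0x20002208 = 0;
    *(uint64_t*)0x20002210 = 0;
    *(uint64_t*)0x20002218 = 0;
    *(uint64_t*)0x20002220 = 0x200011c0;
    memcpy(
        (void*)0x200011c0,
        "\x6c\xe3\xb3\xd1\xac\x72\x06\x7d\xd2\x2a\x53\xf8\xf7\x81\x95\xa8\x99\x7a"
        "\x3f\x82\xb6\x38\xab\xce\xe7\x49\xa3\x6f\x43\xa0\xd5\x95\xc3\x40\xb4\xf0"
        "\x2f\x1d\x19\x8f\x8b\x2c\x9c\x71\x65\x42\x23\xe8\x7b\xd8\x0d\x50\x6d\x8c"
        "\x49\x8e\xd5\x9e\x67\x72\xa4\xca\x55\x37\x29\x8f\x46\xcd\x38\xa3\x4c\x1a"
        "\x85\x02\x3f\xfb\xb8\x5f\xdd\xc6\xa3\x3e\x11\xf3\xef\x1b\x20\x40\xbf\xe4"
        "\xe6\x81\x95\xec\x8b\x73\xaa\x9c\x7a\xdd\x88\x74\xe5\xc2\xde\x0c\x78\x81"
        "\x09\x56\x01\xe9\x41\x61\x27\xde\xe6\xe1\xae\x59\x6e\x64\x7e\x0f\xe0\x14"
        "\x3e\x48\x3c\xd0\xc2\xbe\xe7\x9c\xbc\x62\x3a\xde\x78\x02\xf5\x6d\x62\xb9"
        "\xf0\x10\xe5\x31\x91\x6f\x45\x82\xb4\x4d\xed\xe3\x3d\x25\x88\xb4\xcc\x29"
        "\x5b\x1d\xcf\x5a\xae\xf7\x7b\x28\xcd\x36\x01\x90\x76\x25\x46\x16\x9e\xd0"
        "\xcb\x07\xc1\xaa\x2c\x39\xee\xc4\xd1\xd0\x6e\xcc\x5d\x6d\x68\x78\x90\xa9"
        "\xbb\xa2\x06\xef\x28\x15\x77\xd9\xad\xe8\x9d\x67\x28\x4b\x38\x02\x2b\xc5"
        "\x68\xcb\x2b\x18\x96\xcc\xa3\x4d\x65\xed\xe1\x46\x47\xd8\x6f\xb1\x5f\xf2"
        "\x10\xfb\x69\xdb\x32\x6f\x91\xc5\x95\xaa\xc0\xee\x62\x0e\xc6\xd0\xb4\x1e"
        "\xed\xc6\xf6\x21\x4c\x87\x7d\x25\x08\x54\xb1\x79\xa7\x58\x72\x26\x32\x78"
        "\x07\xee\x01\x2e\x45\xe2\x19\x19\x60\x5c\xa8\xa2\x1e\x09\xa3\xd3\x2a\xcd"
        "\xae\x6d\x35\xe4\xeb\x78\x7f\x3f\x15\x65\xe9\xbf\x51\x1b\x49\x7e\x02\xdf"
        "\x75\x76\xfd\xf5\xce\x32\x1a\x83\x53\xfb\x6f\xd0\x8f\x77\xb3\x70\xdd\x44"
        "\x18\x32\x68\x29\x22\x52\xf9\xb6\x37\x6e\x03\x93\x9c\xd8\xb6\x7d\xc2\x9f"
        "\x70\x28\xe9\xba\x54\x16\x63\x19\xe9\x6e\xbb\xc9\xd7\x6b\xf0\x2d\x07\xa3"
        "\x35\x80\x4d\x0f\xb8\xea\xd7\x09\xd1\xf4\x3f\x1a\x01\xe1\x38\xb0\xf8\x6c"
        "\x26\xb7\xfe\x29\xbf\xe5\x42\x15\xfc\x15\x22\x46\x10\xd6\x81\x47\x37\xee"
        "\x08\x43\xc8\xa2\x8e\x11\x99\x63\x3b\xf3\x81\xf6\x9d\x07\xa0\xa1\xd5\xb3"
        "\xc5\x7f\xef\x37\x94\x24\x38\x91\xb8\xfa\x07\x83\x05\x87\xdd\x93\x16\x6c"
        "\x00\x89\x0d\x15\xbe\x81\x8f\x3b\x6a\xb3\x81\x50\xa6\x1a\xf2\xc9\xfb\x43"
        "\xbb\x5f\x9b\x76\xa1\x09\xd9\x94\x2f\x87\x50\x80\x25\xa4\x33\xcb\x8e\x1d"
        "\x18\x3f\x58\x41\x1f\x50\x6b\x49\x55\xdc\xd6\xb5\x51\xfa\x00\x50\xad\x33"
        "\x9b\xa1\xeb\xfa\xd9\xf2\xe3\xe0\x3c\x1d\xa2\xc7\x05\xc8\x1b\x9a\x85\xdc"
        "\x56\x09\x14\x85\x04\x06\xec\x17\x26\xab\xf3\x5e\x93\xd8\x4e\x2a\x3c\xa8"
        "\xf0\xa3\xf8\x48\x2b\x0a\xf3\xf9\xd5\xf5\x05\x09\x83\xc2\x16\x15\x92\x87"
        "\xc4\x3b\x58\xd7\x56\x3d\xe7\x29\x4e\xd0\x50\x9a\x77\x38\xa7\xb7\x18\x76"
        "\xf1\x92\x6e\x4a\x06\x96\x4e\xdc\xbe\xf7\xb5\x64\x0b\x48\xca\x71\x25\x04"
        "\x9c\x58\xfd\xd8\x6a\xd9\x7f\x57\xa8\x0c\x24\xf9\x44\x92\xe6\xd6\xf2\xfa"
        "\x35\x6c\xcc\x7f\xc4\x72\x95\xb5\xcf\x0a\xe3\x3b\x94\x70\x77\x50\xaa\x62"
        "\xef\xc9\x1d\x42\x53\x3d\xb3\x4c\x98\xf9\xc2\x83\xe9\xfa\x4b\x8e\xa3\x9c"
        "\xfc\xee\xec\xd8\xf0\x91\xaf\x8d\x80\x9b\x4a\x85\xe5\x6f\x37\x1a\x70\xc3"
        "\xdd\x95\xdd\x8c\xf9\x22\x11\x3a\xbe\x50\x66\x69\xa1\x6b\xd4\xe6\x75\xe8"
        "\xba\xdc\xb9\x5e\x7b\xf2\x32\xd4\xde\xd2\x06\x88\x0e\x06\xf9\xdd\x02\x58"
        "\x01\xb2\x79\x68\xbe\x00\x2a\x83\x40\x58\xd2\x78\xdf\xed\x05\x9b\x73\x69"
        "\x07\xc1\x09\x7b\x67\x96\x89\xa3\x44\x6d\x48\xe2\x35\x8b\xa6\xa7\x04\x33"
        "\x2b\x23\x22\xa1\x40\x4a\xd0\x0f\x6e\x57\xa4\x0f\x9c\x8f\xc8\x61\x74\xf5"
        "\x89\x75\xb9\xd4\xa1\x92\x1f\x98\x53\x60\xb7\xb7\x95\xc7\xc5\x36\x2b\x92"
        "\xc0\xf3\xb5\x4f\xee\xd9\xde\x17\x18\x6c\x95\x09\x47\xfd\xe5\xd4\x23\xc9"
        "\x92\x00\x04\x23\x40\x16\x15\x7a\x2b\x33\x2d\xc4\x7c\xbf\x66\x55\x82\x7a"
        "\x64\x2a\x6c\xc2\x74\x67\x15\x88\x77\x5b\x71\x65\x9f\xc0\xac\x89\xb2\x3f"
        "\x2b\x0a\x61\x71\x24\xf6\x3e\x7f\x88\x20\x2b\x79\x95\xb8\x65\xa2\x51\x3d"
        "\x83\xbc\xc3\x57\x80\x50\x90\x4d\x6e\xbe\x8e\x1e\xea\xc6\x5f\x74\x23\xfc"
        "\xe1\xb7\xc9\x32\x03\xbe\xc6\xcd\xe7\x45\x27\x5d\x2b\x12\xbf\x3a\xb3\x33"
        "\x5d\x6f\x1f\x3e\xc0\x7e\xf9\x6c\xca\x08\xdc\x02\x82\xeb\x2a\x95\x9f\xbd"
        "\x33\xc3\x7c\x50\x25\xc6\xe5\x71\x46\x57\x20\xc2\xc6\x70\xf0\x1f\xde\x37"
        "\x07\x23\xdc\x11\x54\xd5\x98\x42\xac\xf9\x0b\x82\x7a\xc0\xfc\xe3\x64\x05"
        "\x4d\x8a\x46\x30\x90\x4d\x5d\x89\x99\xc5\xab\x9b\x94\x7f\x9c\x09\x95\xf7"
        "\x39\x6f\x9f\xf1\x4a\xbc\xf2\x18\xca\xe8\x52\xa0\x72\x77\xb0\xf7\xc0\x4e"
        "\xf4\x66\x72\xeb\x21\x34\x31\x95\x6c\x1b\xb1\x47\xfb\x07\xf9\x2c\xfd\xbd"
        "\x85\x4b\x73\xd8\xb6\x49\x95\x68\x77\xc2\x54\x3c\xd9\x6f\x9a\x34\xb4\x66"
        "\x8d\x47\x49\x27\x38\x44\xe7\x51\x21\x52\x56\xa5\x46\xac\x53\x64\x31\x57"
        "\x72\x0e\x58\xc5\x69\x3a\xcb\x3f\x9a\xbf\x39\x28\x13\x7c\x37\x85\xff\x5a"
        "\x5b\x64\x23\x78\xed\xbc\xd3\xf4\x60\xbc\xaa\x2f\xd9\x95\x92\x54\x13\xa3"
        "\x55\xb3\x05\xfd\xb4\x86\x73\xe7\x30\x07\x44\x27\x76\xe9\x23\x18\x36\x07"
        "\x5f\x5c\x0f\x94\xb2\xbd\x42\x99\x0b\x48\x54\x06\x79\x8a\xa5\xf7\x01\xcb"
        "\xda\x1d\x88\x81\xe6\x38\x26\x75\xf0\x3f\xcf\x36\x53\xc7\x1a\x81\xb2\x3f"
        "\x95\x34\x1e\xc0\xda\x66\x1f\x85\x19\xab\xe8\xf3\x9a\xe4\x28\xfe\x4c\x64"
        "\x7a\x10\x13\x07\x62\xbd\x91\x96\x96\x14\xf7\x24\xee\x18\x01\x23\x5b\xea"
        "\x44\xa7\x2c\x33\x65\x25\x47\x44\x40\x0f\x82\x5d\x90\xa0\x3d\xdb\xc3\x80"
        "\xd3\x86\xe6\x81\x93\xcc\xeb\x9d\xfe\x8c\x28\x5f\xcd\x11\x55\x35\xbb\xf6"
        "\xb5\x2d\x13\xc5\x1b\x92\x76\x5f\x1d\x62\xb4\xd2\xfd\xa8\xdb\x78\x98\x66"
        "\xbc\xe4\x5c\xf5\x97\x6b\x29\xd4\xe0\x44\x60\x8c\xbf\xe0\x08\x61\xfe\x61"
        "\x7c\x2a\xad\x08\x79\x83\x2d\xdf\x2c\x69\x68\x74\x4b\x42\x69\x8f\xb9\x03"
        "\x34\x73\x9b\x8c\x5f\x35\x6e\x0a\x2f\x7d\x23\x0f\xb8\xae\x36\xe8\xdf\xea"
        "\xbe\xad\x4b\x05\xe6\xbd\x5e\x9b\xb8\xcc\x82\xe8\x85\x31\xd1\xb7\xfc\x94"
        "\x56\xc5\xa1\x4b\x97\xb0\x91\xda\xaf\xbc\x37\x96\x3a\x10\x82\x00\x0a\xce"
        "\x56\x63\x2c\x50\xe0\x5f\x4e\x77\x40\xc4\x1d\x9c\x17\x3b\xdb\x8d\xe4\xf5"
        "\x86\x2a\xde\x9c\xbd\xf5\xf1\xcc\xaa\xd9\x8f\xd4\x26\xb2\xf0\xe2\x10\xf9"
        "\xea\x9d\x47\x99\x20\x4d\xdf\xea\x11\x1a\x8e\x34\x3b\x6f\x4a\x98\x8b\x64"
        "\x62\x06\x16\xcd\xb4\xb3\xa4\x4e\x4c\x0b\xfb\x80\x3d\xdd\x7b\x32\x5f\x47"
        "\x8a\x20\x64\x2d\x7e\x3f\x39\x7c\xff\xec\xac\x1c\xd1\x90\x29\x09\x16\x09"
        "\x5a\x91\x57\xae\xa0\xb3\xc9\x21\x63\x05\x5a\x3c\x74\x7b\xf4\x9e\x08\x68"
        "\x15\x62\xdf\xa6\x43\x41\xcb\xde\x7d\xf7\xec\x19\x8f\x5c\x4f\x5a\xdb\x75"
        "\x8a\x70\x73\xbc\x02\x9e\x98\x05\xe5\xf3\xcd\xf2\x4e\xad\x67\xf1\x12\x61"
        "\xd2\x01\xff\x5c\xa7\x12\xfb\x29\x85\x50\x3f\x4f\xca\xac\x1b\x91\x69\xd6"
        "\x85\x4b\x44\x23\xec\xa2\xe4\x05\x59\xd5\xd3\x41\x5e\x95\x89\xc7\xdb\xde"
        "\x36\x5f\x34\xa4\x2a\x84\x53\xc2\x7e\xe9\x0f\x93\x78\xbe\xfc\xdf\x1e\xc9"
        "\xdf\xf7\xcd\x46\x33\x8a\x0a\xfb\x6e\x57\x75\xcc\x26\x9c\x38\xc8\x92\x8f"
        "\x55\x9f\x75\x7b\xcb\xbb\x4f\x25\xa5\x5e\x29\x0e\xb4\x2a\x33\x94\xc0\x8b"
        "\xbe\x77\x2c\x6b\xa6\x57\x88\x61\x7e\x5a\x7f\x1d\xd1\xcf\x73\xcc\x62\x61"
        "\x05\x59\x1d\xef\x8a\x4c\xe6\x2c\x2f\x2d\xe4\x44\xb4\x70\x05\xda\x02\xcd"
        "\xbc\xfc\xe6\x21\x4c\x7f\xf1\x52\xd6\xfe\x6f\x01\x12\x11\x03\x89\x26\xfc"
        "\xc1\x16\x8b\xf2\x46\x8f\xe3\xb8\xfc\xea\xf9\xa8\x96\x14\x20\x99\x8a\xa7"
        "\x2b\xa5\x61\x62\x5f\x9c\xd6\xfa\xbd\x7a\x1e\xc5\x80\x1c\x7b\x84\x97\x83"
        "\xdc\x72\xb5\x83\x58\x6d\x73\xfa\x5f\xf7\xb3\x7e\x63\x6d\x8f\x96\xa3\xe5"
        "\x6d\x2a\x87\x24\xe0\x9d\x55\x92\xbb\x70\x01\xfe\x47\x07\x81\xf5\x08\x17"
        "\xc5\xea\xfd\xbb\x4d\x01\xdd\x7a\x48\x5c\x76\x77\xa8\xb0\xf0\x7a\x78\xa9"
        "\x24\x7b\x4f\x45\x6a\x23\xce\xb9\x2b\xef\xf6\xb3\xfe\x4b\x75\x9e\xf0\x01"
        "\x17\x1d\x0f\x96\xb8\xc7\xc3\x7b\x29\x3e\xfd\xe6\xbf\xa7\x0f\xd7\x2f\x4e"
        "\x29\x39\xd6\xc3\x41\xcf\x92\xfa\xda\x16\xaa\x37\x90\xd5\x84\xe8\x6d\xf5"
        "\xf7\x88\x5c\x9e\xf7\x2d\x17\x86\x86\x0c\x04\xa5\x3a\x4e\x52\x72\x9c\xeb"
        "\x84\x6c\x75\xcd\x74\x2c\xc9\x18\x9d\x54\xe6\xd9\xd4\x54\x3a\xa4\xf1\x61"
        "\x04\x66\x0d\x1f\x07\x4f\xa3\xc3\x2b\x48\xd7\x31\xd7\x49\x52\x0d\x1d\xcc"
        "\x95\x7d\x2c\x54\x2c\x9e\xda\x98\xcd\xa5\x5a\x61\x55\xde\x3b\xc8\xf0\x4e"
        "\x27\x36\xea\xdc\xd9\xe1\x3d\xa4\xff\x63\xda\x17\xc0\x3b\x02\x2e\xc5\x0a"
        "\x38\x8b\x36\xe5\x9d\x7e\x7c\x4a\x2d\xef\x8d\x2d\x8f\x60\x6f\x62\x79\x7e"
        "\x5d\x2f\xad\xe9\x65\x4f\x96\x98\xc1\x5b\xe2\x90\x02\xa3\x75\xad\x9d\x62"
        "\xbe\x94\x07\xf0\x93\xaf\x02\xfe\x3e\x1a\xa1\xdc\xd4\xb8\x55\xe1\x1a\x06"
        "\x57\xe8\x43\xe4\x71\xe4\x4a\xe5\xcd\xa7\xb2\xb9\x0e\x74\x8b\x21\x67\x13"
        "\x34\x28\x5e\x8c\x2f\xed\x1a\x93\x7e\xf5\xfa\x69\xc6\x09\xe2\x90\xbe\x6f"
        "\xf5\xf1\x5c\xae\xee\xa4\xc1\xf7\xd9\x31\x1f\xa0\x65\x87\x29\x25\xa4\x3e"
        "\xea\xfa\xe3\x70\xc3\x8c\x8f\x73\xb4\xce\x5c\x59\x56\x60\x14\xf0\x4a\x11"
        "\xc7\x58\x93\x35\x96\xde\x7a\xa5\x93\x18\x51\xb6\x53\x59\xba\x15\x19\x2a"
        "\x52\x94\x50\x64\x29\x0a\x17\xf6\xa5\x3e\xae\x88\x85\x87\x07\x23\xd4\x8e"
        "\x16\x68\xca\x29\x25\x83\xdf\x13\x5f\xbc\x04\xf0\x1f\x05\xc9\xe7\x83\x25"
        "\x9b\x37\x17\x5b\x8d\xb6\xdb\x6c\xa8\x0c\x25\x8f\x74\x19\x08\x19\xf5\x95"
        "\xb4\x68\xca\x01\x63\x61\xe6\x03\x88\x18\x73\x78\xca\x70\x49\x47\x11\x3d"
        "\x43\x8a\x67\xea\x5a\xda\x12\x56\xfd\x0b\xb5\x3d\xa9\xa9\x33\xd7\xa5\xf9"
        "\x20\x19\xf5\x1a\xce\x6c\xa4\xf6\x4b\xf5\x2a\x36\x7b\xe0\xac\x99\x02\x27"
        "\x6a\xd4\x53\x80\x0c\xbe\x1e\x38\x77\xc7\x6b\xda\x41\x10\x76\xf4\xe0\x2c"
        "\xb2\x19\xcc\xb6\x74\x45\x78\x15\x3c\x78\x2a\x4c\xb8\x6c\x25\x5c\xa7\xa3"
        "\xec\x83\x7a\xcc\x86\x23\xb5\x8c\xeb\xce\x60\x54\xea\x38\x2f\x78\x1e\x40"
        "\x69\xed\x88\x64\xf3\x30\xfe\x48\xd9\x35\x93\xfe\xa5\x5f\x53\x01\x23\xfb"
        "\x38\xa2\x68\xd5\x42\xc2\x01\x43\xb4\xbd\xb1\x30\x09\xb7\x13\x2c\x64\x15"
        "\x6e\x4e\x3f\x64\x56\x42\xd1\xe4\x5e\x20\x6e\x81\xc3\xb7\x66\xad\x2b\x2e"
        "\x0f\xaf\xc2\xcb\xf0\xcb\xaf\x01\xb5\xc4\x81\xff\x2e\xe1\xb7\xf0\x7a\x6f"
        "\xb5\x88\xf7\xe7\xe4\xdd\x18\x5a\xa1\xaf\x0d\x3e\x75\x87\xfe\xb8\xc3\x74"
        "\x8c\x20\x0b\x85\xd2\xb2\xfb\x17\xfa\xf5\x2a\x2a\x9c\x2e\x29\x08\xdc\x13"
        "\x82\x8c\x24\xb1\x8c\x03\xe2\x8d\x78\xa6\x8c\x48\x24\x1b\xb2\x0c\xac\xe7"
        "\xc1\x2a\x20\xd2\xd9\xcc\x27\x6d\x8b\x60\x09\x68\xd3\xca\xdb\x1d\xc1\x16"
        "\xe9\x61\x9f\xe4\x94\x8d\xd2\x36\x66\xcb\xe6\x20\xb5\x4a\x0b\xc4\x5e\x72"
        "\x3c\xc3\x4e\xdf\x57\xc1\xb5\x62\xad\x5c\xa2\x78\x19\x8b\x96\xd9\x07\x02"
        "\x0f\xd4\xb9\x6c\xc8\x64\xd1\x1a\x82\x22\x2d\x2c\x59\xde\x76\x80\x6c\x75"
        "\xa6\x38\xf4\xfa\x2f\xa0\x52\x5f\x42\x29\xde\xb9\xeb\x21\xbf\xd8\x7e\xa3"
        "\xc7\x1a\xae\xf1\xe1\x58\x26\x46\x0d\x70\xab\x14\xb3\xf0\x46\xb7\xde\xea"
        "\x20\xa9\x45\x50\x6d\xb2\x90\x49\x9a\xb3\xba\x2d\xda\x2f\xb2\xc5\x8c\x2c"
        "\xac\x4a\x66\x18\xcc\x52\xfe\x5e\x6c\x08\x99\x09\x9a\xf5\xd2\x17\x8d\x5c"
        "\x17\xf9\xd9\x36\x92\xe2\xc5\x48\x0f\x3a\x10\xca\x84\xba\x35\x90\x3c\x2d"
        "\xe2\x61\xa0\x38\x05\x42\xec\x03\xfd\x03\x71\x7a\xc7\xea\xbb\x3f\x9c\xb1"
        "\xaa\xe0\x60\x9b\x3d\xcc\x92\xe5\xa3\x41\x46\xd7\x9f\xcb\xb0\x70\xa1\xcb"
        "\xfc\xc1\xc6\xd1\x0b\xa4\x5c\xf3\x6f\x25\xaf\x53\x27\x3f\x94\x35\xd1\x4b"
        "\x9f\x7c\x6d\xf3\xa2\x98\xc3\xb9\x95\x6e\x3c\xbb\xb6\x64\x27\xb8\x6b\x70"
        "\x9d\x0d\x59\x5a\xc7\xbe\x3e\xe0\x26\x86\x39\x62\x08\x5e\x53\xfa\xbb\x58"
        "\xf6\xf7\xa7\x01\x82\x1f\x1b\x52\x0d\xc4\x1d\x36\x15\x82\x3a\x81\xca\xa0"
        "\xb0\x6e\xdf\x9a\x5c\x3f\x72\x3e\x54\x50\x92\x2f\x9f\xf3\x62\xb6\x3a\x9e"
        "\xaa\x50\x8a\x9d\x2f\xfb\x3d\xea\xee\xe7\x26\xb0\xdc\xae\x79\x49\x80\xa1"
        "\xa2\xd8\x17\xd0\xdc\xa0\x95\xab\x1a\x6f\x78\xc6\x86\xf4\x0d\x6a\xef\xbf"
        "\xe4\x1e\xf9\xb5\x13\x68\xf4\x4d\xec\xd8\x3d\x57\xb0\x43\x95\x24\x07\x9c"
        "\x03\x4c\x89\x05\xf4\xf8\xeb\x4f\xa6\x1b\x46\xc6\x4e\x7a\xf0\x02\x7d\x4d"
        "\x8e\x5a\x0f\x70\x26\xd4\x80\x55\x71\x2e\x5f\x02\x05\x5f\x7c\x7d\xf2\xaa"
        "\x18\xc4\xed\xa9\xc1\xb9\xc8\x38\x23\xd9\x91\xab\xf1\xfe\xb8\x41\x19\x0d"
        "\xa0\x9e\x82\xa9\x56\x1c\x55\x75\xfb\x32\x35\x12\x02\xb9\x22\x8f\x10\xa0"
        "\x83\x31\x52\x63\xee\x03\x6d\x0e\xc3\x72\xe2\x12\x62\x7a\x9f\xd8\x3b\x41"
        "\x4f\x5a\x66\x5a\x28\x0c\x13\x47\x53\x62\xf8\xde\x30\x24\x93\x94\xa0\x30"
        "\x85\x15\xc7\xe6\x58\x8a\xe7\xf5\x39\xb7\x42\x4a\xe4\x33\x5b\x19\x98\x37"
        "\x93\x57\x57\xe8\x8f\x27\x25\xf5\xdd\x8b\x6b\x8e\x66\x18\x40\xaf\xa4\x87"
        "\x66\xd0\x93\x79\xb2\x01\xf2\x48\xf8\x17\xbb\xb9\x69\x75\x5e\x1f\x3a\x69"
        "\x7a\x6d\xb4\x51\xcb\x0b\x8a\xd1\x75\x51\x0c\x8b\x9c\xa7\xb0\x48\xc3\xaa"
        "\x3d\x8c\x3d\x54\x17\x15\x82\x45\xd6\x81\x00\x39\xf3\x2d\xe6\xd8\x4d\x2a"
        "\x4c\x79\xa2\x66\x33\x60\x9a\x8a\x20\x29\x2f\xce\xbf\x47\xb7\x96\xdb\x47"
        "\x94\x53\xf8\x4b\x00\x97\xdc\xa5\x83\x3c\xa2\xb1\x5b\xb3\xd1\xe8\x33\x4b"
        "\xfb\x7b\xb9\x9d\xce\x41\xfb\x78\xcf\xbf\xb4\xf6\x82\xfb\x52\xab\xa5\x9a"
        "\x6e\xd2\x4d\x5c\xc4\x85\xfe\x37\x84\xa6\x5a\x99\xc0\xff\x82\xd0\x15\x6e"
        "\xf0\x2f\x09\x8e\xad\x92\x6e\xc7\xc2\xc6\x6c\x67\x31\x2f\x27\xee\x5e\x84"
        "\x90\x50\x83\xf5\x25\xf6\x91\xdc\x1e\x8b\x1a\xd0\xa0\x9c\xc6\x54\x3f\xd4"
        "\x3e\xa7\x0d\xc6\x21\x8f\x22\xdb\x44\x5e\x12\x2a\xdc\xa0\x7f\xaa\x6a\x80"
        "\xa6\xea\x27\x23\xc0\xb0\xd6\xaf\xfa\xcc\xf6\x68\xa7\xdc\x4a\xf7\xb3\x52"
        "\x30\x62\xff\xc6\x5a\x31\x1c\xda\x25\x2c\xe6\x42\x16\xa9\x2c\x10\x6c\x80"
        "\x30\x61\x88\x5c\xcb\x11\x6e\xdb\xfc\x59\xfe\x31\x4d\x18\x88\x76\x74\x01"
        "\x47\x30\x79\x1f\xc8\x81\x14\x33\xba\x9a\xbb\xc6\xe4\xee\x94\x4a\x4b\x27"
        "\x6b\x96\x96\x00\x5f\xf1\xf1\x2a\x1d\xf7\x0d\x6a\xe7\x83\x87\x3f\x4f\xd2"
        "\x92\x69\xcf\x76\x0b\xa4\x44\x36\xbc\x27\xd9\x35\x45\x9e\x1a\x0a\xad\x63"
        "\x62\x26\x6c\x78\x71\x26\xcc\x92\xf5\x46\x10\x12\x02\xb7\x6c\xfc\x43\xee"
        "\x15\x55\x8f\xe0\xcd\x83\x2c\xb6\xe1\x33\xb6\x78\x4d\xfc\xfa\xb9\xfe\xf1"
        "\x7d\xaa\x1d\xbc\x9f\x51\xb9\x5a\x9f\x2e\xc0\xf2\x75\xcf\x4b\x2d\x3b\x59"
        "\x2f\x9f\x00\x2a\xc1\x34\x07\xb7\xfc\x03\x5d\xef\xac\x3f\xbf\xb4\x0e\x99"
        "\xa6\x72\x2b\x22\x01\xf2\xff\xd7\xa0\x4e\x73\x8a\x17\xaa\xee\x2a\xfc\xd5"
        "\xca\xc1\xed\x7b\x96\x6b\x92\xda\x07\x38\xb8\x4e\x47\x0b\x07\x9f\x9a\xde"
        "\x0f\x88\xad\x44\x80\x9c\xbe\x4c\x85\xd0\x7e\xfd\x64\x16\xb7\xbc\xcd\x56"
        "\xea\x9b\x6e\x7e\x37\xaa\xa6\x02\xa4\x0a\x25\x9e\x2d\xbd\xa8\xb8\x6d\xa2"
        "\xf5\xd5\x7f\x58\x17\x86\x8c\xa8\x83\x2f\x46\x34\x1e\xf6\x49\xd5\x56\x93"
        "\x13\x5f\xce\x92\xc3\x65\x7a\x70\xf3\x6c\xd3\x02\x69\xfa\xb4\x30\xe2\x3f"
        "\xf0\x9e\xa2\xd6\x7d\x46\x8c\xa9\xab\x0c\xdd\xa3\x7a\x75\x9c\x26\x19\x53"
        "\xe4\xec\xd6\xa1\x90\xe8\x5f\xd1\x71\xea\x58\xef\x04\x17\xf6\x3b\xc2\x49"
        "\x30\x3d\x3a\x6a\x0a\x0a\xcb\xba\x80\xcc\x74\xd3\xa8\x5b\x64\x67\x98\xea"
        "\x66\xa1\x9d\x67\xc8\xcb\x12\x62\xab\x14\xb9\x2d\x98\x90\x9b\x3a\xe6\x76"
        "\x43\xbc\xe1\x55\xdc\xb1\x88\x6d\x1e\xe4\x0e\xf7\x69\x28\x8f\xab\xf8\x42"
        "\x16\xc0\xab\xb5\x89\x64\x57\xa2\x4a\x60\x27\x96\x76\x96\x27\xc9\x9d\xc5"
        "\x87\x2b\xe4\x4e\x0c\xd2\x2a\xb1\xb7\x87\xd0\x79\x6a\x49\xcf\xa5\xe4\x8a"
        "\xe1\x23\xe7\x5a\x35\x89\x4a\x05\x69\xfa\x09\x43\xb5\x26\xc3\x08\x49\xfd"
        "\x2f\x2d\xa2\x27\xb6\xbb\xe3\x2b\xa9\x65\xd6\x36\x6c\xd8\x5d\x61\x91\x8a"
        "\xc0\x98\x6a\x1c\xc3\x38\xad\x9e\x99\xb0\x1f\x63\xf9\xb0\x17\x55\xfe\x05"
        "\x3f\x7f\x1a\xa1\x42\xed\xb4\x89\x98\x79\xb2\x55\x62\x05\xc8\xe9\x71\x3b"
        "\xff\x34\x69\x30\xb1\xdd\x13\x40\xe3\x75\xe2\x61\x18\x13\x51\x5d\x62\xb8"
        "\x54\xa9\xfb\x6e\xd8\x11\x2f\x93\x5e\x77\xeb\xd7\x55\x20\x1a\xe6\x5a\x77"
        "\xfa\x68\x1b\xc4\x94\x33\x4f\x9a\x81\xdf\x53\x29\xca\xb4\x06\x6c\x52\x0d"
        "\x5b\x54\xca\x97\x06\x28\x2b\x84\x65\xfd\x41\x09\xdb\xc3\x32\x72\x89\x61"
        "\xc2\x50\x07\xb3\x65\x0f\x3d\xaf\x75\xb3\x97\x09\x91\x6d\xf3\xfd\x6b\xc2"
        "\x1c\xaa\x2f\x03\x78\xf1\x71\x30\x84\x25\x26\xb0\xbf\x97\x97\x12\xdd\x18"
        "\xca\xe4\x25\x74\x9b\x4c\x95\xe7\xab\x4b\x65\xea\x4c\x1a\xbe\xd0\x7f\x25"
        "\x17\x6f\x9a\x61\x6e\x94\xcf\x70\xa8\x5d\x59\x5f\x67\xea\x8f\x97\x57\xf6"
        "\x6b\x02\x50\x68\xe9\xc7\x97\xf2\x5b\xb5\x7e\x8b\x64\x3e\x59\xf1\x85\x5b"
        "\xbd\x66\x1d\x13\x1a\xaa\xe7\xd6\x7d\xdf\x19\xbf\x61\x6e\xc6\xf0\xb6\xf0"
        "\x4b\xb2\xf8\x42\xc6\x9f\x15\xf1\xc0\xbf\xfc\x03\xaf\x3b\x0f\x00\x4a\x2f"
        "\x96\xd6\xb4\xfe\x1b\xf4\xc4\x1d\x0d\xd1\x45\xb9\xcd\x9c\xad\x84\x9c\xce"
        "\xac\x8d\x34\xeb\x54\x7c\x5d\xfc\x59\xfd\x35\x57\xc9\x38\x5c\xd9\x50\xce"
        "\x87\x5d\x1c\xb5\xde\x7b\x2f\xc6\xef\x19\x9b\xdd\x9e\x35\xb8\x89\x90\xe5"
        "\xd9\x2b\xbb\x20\xb2\xd1\x19\x8f\xea\xaf\x43\x96\x6b\x30\x00\x80\xc2\x67"
        "\x3b\x2b\x96\x9f\x62\x29\x22\x27\xad\x5e\x6e\x1f\xcf\x12\x00\x18\x3d\x13"
        "\x91\x69\x6f\x50\xac\x59\x5e\x85\x50\xee\x48\x6c\x11\x92\x49\x81\x42\x1b"
        "\xd8\x5a\x4f\x9a\xb7\x8e\x4f\xac\xdd\x3d\xc4\x7e\xb4\x1e\xea\xb7\x30\x9d"
        "\xd7\xe5\xe8\x63\x8c\x83\xe5\x4d\x33\x33\x23\xff\xdc\x50\x91\x88\x08\xb3"
        "\x0f\x47\xae\x48\x21\x85\xb0\xc9\x26\xf5\x6b\x43\x0a\x81\xa5\x00\xeb\x2b"
        "\xa8\x11\xc5\xc0\xb4\x54\xa1\xa5\xae\x1a\xe9\xf1\xc7\x1b\x85\x3e\xf0\xae"
        "\x98\x6a\xc0\x4e\x14\x6b\xa9\xba\x42\xde\xbc\x01\xde\x78\x4a\x1b\xad\x81"
        "\x35\xf9\x96\x0b\xdc\x6d\x64\xd7\x8e\x84\xa0\x8a\x9c\x49\xfd\x09\xc0\x0d"
        "\xdd\xe3\x9f\x16\x0f\x2d\x0b\x63\x3d\x33\x18\x74\x08\x63\x77\x3b\xe0\xe9"
        "\xd9\xe4\x2c\x2e\x50\x76\x02\x1f\xc2\xde\x11\x3f\x29\x49\xfc\x9b\xd9\xd1"
        "\xfb\x81\xab\xcb\x7e\x6c\x15\x6e\xfb\x7a\x58\x59\xaa\x63\xa4\x4d\xa3\xd8"
        "\xcc\x5c\x91\x41\xeb\x6e\x2c\xb3\x85\x60\x58\xf3\x48\x88\x75\xae\xf1\x8a"
        "\x36\x25\x3b\xcb\x72\x42\xe2\xbe\xa4\xec\xa7\x51\x3f\x4c\x17\x74\xee\xe6"
        "\x3e\xa7\x71\xd2\xbd\x44\x4b\x55\x11\x57\x90\x8d\xde\x22\x08\x82\x84\xc5"
        "\x5b\xba\x97\x90\xb3\x8b\x99\x1d\x1b\xe9\x34\xce\x39\x25\xba\x52\x8a\x35"
        "\x0a\x0c\x6d\xa5\x26\xa0\xe3\x18\x50\xe5\x2f\xf6\x5b\x9d\x4c\x72\x39\xb6"
        "\xd4\x20\x3f\x3b\xce\x46\x86\x19\x31\xbb\xe6\xe2\x78\x08\x04\x7b\xaf\x0d"
        "\xba\xef\xba\x72\x0a\x6f\xfe\xb0\x3f\x66\x01\xdc\x43\x03\xfd\xcf\xc0\x2d"
        "\xa5\xe4\x26\x6f\x5e\x9b\xb9\xef\x89\xad\x37\xa5\x6f\x23\x34\x45\x81\x43"
        "\x66\x1b\xf4\xf2\xbd\x91\xa9\x39\x98\x02\x26\x88\xae\xc0\xec\x06\xef\x7d"
        "\x12\x1b\xbe\x07\x89\xb0\x98\x0a\x75\xbb\x8b\x08\x92\xe3\x5a\xe3\xe0\x19"
        "\x72\x40\x49\x1a\x4a\x14\x78\xde\x20\xaf\x26\x94\xec\x18\x56\xa9\x0f\x50"
        "\x43\xd8\x05\x9a\xf7\xd7\x14\xb7\x31\x97\x4a\x18\xe6\x63\xda\xa3\xfd\x62"
        "\x18\xfe\xbc\x53\x97\x37\x20\xa1\x9a\xff\x61\xa8\xf6\x35\x1f\x37\x66\xf0"
        "\x2c\x51\x19\x5e\x09\x52\xde\x10\x0d\x99",
        4096);
    *(uint64_t*)0x20002228 = 0x1000;

    // The fd argument is -1, so the pwritev itself is expected to fail; the
    // stores above are what remain in memory afterwards.
    syscall(__NR_pwritev, -1, 0x20002200ul, 3ul, 4, 0x200);

    // io_uring_enter(fd, to_submit=0xf1, min_complete=0, flags=0, sig=NULL,
    // sigsz=0x5a).
    syscall(__NR_io_uring_enter, r[0], 0xf1, 0, 0ul, 0ul, 0x5aul);
}

// Map the fixed scratch region used by execute_one() and run the fork loop.
// On x86-64, flags 0x32 is MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS. The 16 MiB
// data area at 0x20000000 is mapped with prot 7 (read/write/exec) and is
// bracketed by one inaccessible page on each side.
int main(void)
{
    syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
    loop();
    return 0;
}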