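// https://syzkaller.appspot.com/bug?id=72d04c9002935958913af6cac25b42d8f22265f8
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer.  main() creates a fixed-address RWX scratch
// mapping and forks six workers; each worker (loop) repeatedly forks a test
// child that runs the five syscalls of execute_call() on a small thread
// pool, then kills the child after a 5 s budget and starts over.  The
// syscall sequence drives an AF_NFC/LLCP datagram socket: socket(), 65x
// bind() on one thread racing 33x sendmmsg() on another.  Syscall results
// are deliberately not checked -- the only observable is whether the kernel
// survives.  execute_call() writes through raw fixed addresses, so it is
// only valid after main()'s mmap of 0x20000000.
//
// NOTE(review): the header names on the #include lines were lost when this
// page was extracted; the set below is reconstructed from the identifiers
// the file uses (opendir, errno, open/O_*, pthread_*, SIGKILL, va_list,
// bool, uint64_t, snprintf, exit, strlen, prctl, syscall/__NR_*,
// waitpid/__WALL, clock_gettime, usleep/fork, FUTEX_*).

#define _GNU_SOURCE

#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/futex.h>

// Index of this worker process (0..5); assigned in main() before fork().
static unsigned long long procid;

static void sleep_ms(uint64_t ms) {
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds.  A reproducer has no use for a degraded
// timer, so a failing clock_gettime() aborts the process.
static uint64_t current_time_ms(void) {
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start a worker thread with a 128 KiB stack.  The handle is discarded (the
// thread is never joined).  EAGAIN is retried up to 100 times; any other
// failure aborts the process.
static void thread_start(void* (*fn)(void*), void* arg) {
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// One-shot event built on a futex word: 0 = clear, 1 = set.
typedef struct {
  int state;
} event_t;

static void event_init(event_t* ev) {
  ev->state = 0;
}

static void event_reset(event_t* ev) {
  ev->state = 0;
}

// Set the event and wake every waiter.  Setting an already-set event is a
// harness protocol violation and aborts the process.
static void event_set(event_t* ev) {
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until the event is set.  FUTEX_WAIT returns at once if the word is
// no longer 0, so the state is re-checked on every iteration.
static void event_wait(event_t* ev) {
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev) {
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait up to `timeout` ms for the event.  Returns 1 if it was set, 0 on
// timeout.  `remain` cannot underflow: the loop returns as soon as the
// elapsed time exceeds `timeout`.
static int event_timedwait(event_t* ev, uint64_t timeout) {
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    now = current_time_ms();
    if (now - start > timeout)
      return 0;
  }
}

// printf-style write of one formatted string (truncated to 1023 bytes) to
// `file`, opened O_WRONLY.  Returns false if the open fails or the write is
// short; errno from the write is preserved across close().
static bool write_file(const char* file, const char* what, ...) {
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Not referenced in this reproducer: the helper below is reduced to a plain
// socket(2) and does not switch network namespaces.
const int kInitNetNsFd = 201;

static long syz_init_net_socket(volatile long domain, volatile long type,
                                volatile long proto) {
  return syscall(__NR_socket, domain, type, proto);
}

// SIGKILL the test child and its process group, then reap it.  If it has
// not been reaped after ~100 ms, every FUSE connection under
// /sys/fs/fuse/connections is aborted first (presumably so a child stuck in
// an unanswered FUSE request can die); the abort attribute only needs some
// byte written, so the first byte of the path buffer is reused.  Finally
// block in waitpid() until the child is gone.
static void kill_and_wait(int pid, int* status) {
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Test-child setup: die when the parent dies, own a process group (so
// kill_and_wait() can kill the whole group), and be the preferred OOM
// victim.
static void setup_test() {
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

// Worker-thread slot: execute_one() stores the call number in `call` and
// signals `ready`; the thread signals `done` when the call has returned.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing on worker threads.
static int running;

// Worker-thread body: run one call per `ready` signal, forever.  The
// trailing return is unreachable.
static void* thr(void* arg) {
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Run calls 0..4 in order, each on the first idle worker thread (threads
// are created lazily).  Calls 2 and 4 are dispatched without waiting, so
// the bind() loop of call 2 runs concurrently with calls 3 and 4; every
// other call is given 50 ms to finish before the next one is dispatched.
// Afterwards wait up to ~100 ms for all outstanding calls to drain.
static void execute_one(void) {
  int i, call, thread;
  for (call = 0; call < 5; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
         thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      if (call == 2 || call == 4)
        break;
      event_timedwait(&th->done, 50);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

// Worker-process driver: fork a fresh test child per iteration, poll for
// its exit for up to 5 s, then kill it and start over.  Never returns.
static void loop(void) {
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Resource table shared between calls: r[0] is the socket fd from call 1.
// It stays -1 if socket() failed, in which case calls 2 and 4 operate on
// fd -1 and fail harmlessly.
uint64_t r[1] = {0xffffffffffffffff};

// The syscall program.  Every pointer argument is a fixed address inside
// the 16 MiB mapping created in main(); each structure is assembled field
// by field immediately before the call.  Only the socket fd is kept.
void execute_call(int call) {
  intptr_t res = 0;
  switch (call) {
  case 0:
    // perf_event_open(attr=NULL, pid=0, cpu=-1, group_fd=-1, flags=0):
    // expected to fail because attr is NULL.
    syscall(__NR_perf_event_open, 0ul, 0, -1ul, -1, 0ul);
    break;
  case 1:
    // socket(0x27, 2, 1): 0x27 is AF_NFC on Linux, type 2 is SOCK_DGRAM.
    // The 0x60-byte addresses used by calls 2 and 4 are laid out like
    // struct sockaddr_nfc_llcp: family, dev_idx, target_idx, nfc_protocol,
    // dsap, ssap, service_name[63], service_name_len.
    res = -1;
    res = syz_init_net_socket(0x27, 2, 1);
    if (res != -1)
      r[0] = res;
    break;
  case 2:
    // bind() with a 63-byte service name and service_name_len 0x16,
    // followed by 64 identical binds on the same address.
    *(uint16_t*)0x20000300 = 0x27;
    *(uint32_t*)0x20000304 = 0;
    *(uint32_t*)0x20000308 = 0;
    *(uint32_t*)0x2000030c = 0;
    *(uint8_t*)0x20000310 = 0;
    *(uint8_t*)0x20000311 = 0;
    memcpy((void*)0x20000312,
           "\x1e\x0e\x15\x69\xe5\xab\xa3\x6a\x54\x83\xb4\xa9\xcb\x9f\x5b\x9c"
           "\xa6\x24\x55\x2c\x2b\xa7\x77\xd7\xaf\x3d\xe4\x14\xcb\xf6\x5c\xe4"
           "\xda\xa3\x6a\x9e\x17\x13\xc2\x7c\xd3\xb2\xbd\x8c\x3c\x95\x72\x2d"
           "\xf7\x18\x13\xeb\x66\xdd\x81\xf9\xc0\xd4\xcd\x6a\x0d\x7f\xec",
           63);
    *(uint64_t*)0x20000358 = 0x16;
    syscall(__NR_bind, r[0], 0x20000300ul, 0x60ul);
    {
      int i;
      for (i = 0; i < 64; i++) {
        syscall(__NR_bind, r[0], 0x20000300ul, 0x60ul);
      }
    }
    break;
  case 3:
    // openat(AT_FDCWD, NULL, 0, 0): expected to fail because the path is
    // NULL.
    syscall(__NR_openat, 0xffffffffffffff9cul, 0ul, 0ul, 0ul);
    break;
  case 4:
    // sendmmsg(r[0], msgvec at 0x20004cc0, vlen=2, flags=0x20000000),
    // repeated 33 times.  msgvec[0]: msg_name is the sockaddr at 0x20000280
    // (dev_idx 1, nfc_protocol 3, ssap 1, service_name_len 0),
    // msg_namelen 0x60, msg_iov is the 4-entry iovec at 0x20001780 of which
    // only iov[2] is non-empty: the 2039-byte (0x7f7) buffer at 0x20000780.
    // msgvec[1] is zero apart from what appears to be msg_controllen = 0x40
    // with a NULL msg_control (layout assumed from struct mmsghdr; verify).
    *(uint64_t*)0x20004cc0 = 0x20000280;
    *(uint16_t*)0x20000280 = 0x27;
    *(uint32_t*)0x20000284 = 1;
    *(uint32_t*)0x20000288 = 0;
    *(uint32_t*)0x2000028c = 3;
    *(uint8_t*)0x20000290 = 0;
    *(uint8_t*)0x20000291 = 1;
    memcpy((void*)0x20000292,
           "\x63\x11\xde\xbd\x13\xb4\xd2\xe0\xe8\x01\x54\x64\x6b\xe4\xaa\x91"
           "\x0e\x0f\x63\x97\xec\x47\xda\xa0\x49\xc3\x76\xfc\xcf\x67\x42\x4f"
           "\x30\x27\x75\x3d\x72\x11\x68\xc6\x07\xe0\x48\x35\x57\xa4\x48\x8e"
           "\x69\xa8\x94\x2c\x39\x47\x72\x76\xd7\x20\x8f\x7e\xf2\xa5\x86",
           63);
    *(uint64_t*)0x200002d8 = 0;
    *(uint32_t*)0x20004cc8 = 0x60;
    *(uint64_t*)0x20004cd0 = 0x20001780;
    *(uint64_t*)0x20001780 = 0x20000380;
    *(uint64_t*)0x20001788 = 0;
    *(uint64_t*)0x20001790 = 0;
    *(uint64_t*)0x20001798 = 0;
    *(uint64_t*)0x200017a0 = 0x20000780;
    memcpy(
        (void*)0x20000780,
        "\x50\xc9\x9f\x0a\x58\x2a\xec\x23\xc8\x2a\x2f\x23\xa4\xbc\x1e\x82\x9f"
        "\x3e\x05\x06\x85\xbc\x55\x50\xde\xf6\xde\x34\x65\x0b\xd6\x6e\x2c\x65"
        "\x4b\x89\x32\xde\xd8\xb3\x25\xaa\x9e\x01\x74\xdf\x15\x92\x25\x40\x76"
        "\x6f\xa9\x8a\x24\x74\x3e\x0e\x1e\x9a\x4e\x4c\x09\x7b\xa1\x4d\xb4\x87"
        "\xc0\xca\x62\xf4\x2d\xee\xde\xe2\x55\x86\x58\x0a\x51\x33\xcf\xf9\x59"
        "\x5a\xb0\x36\xd7\xac\x6d\xc5\xd5\xf0\xbe\xc3\xcb\xc2\xbc\x99\x22\xa0"
        "\x9c\x24\x4f\xcb\xb2\x19\x06\x6e\x11\x0d\x06\x2f\x3a\x51\x7c\x1a\xcc"
        "\x0a\x1d\x1e\x2e\x03\x7a\xc2\xe7\xc4\xeb\xe3\xa6\x0e\x71\xc6\x86\xec"
        "\xa5\xd6\xb2\x50\xf6\xdc\x51\x40\x3b\x0b\xaa\x04\x21\x65\xa3\xd8\x99"
        "\x30\xce\xb0\x8d\xb7\x91\x90\x42\x4e\x1a\x47\xa9\x9e\xd8\x36\x96\xea"
        "\x75\x04\xe4\x64\xef\xf9\xdd\xf4\x0d\x8b\x91\x15\xd3\xc5\xcf\x9a\xd6"
        "\x98\x00\x10\x2b\x99\x5f\x02\xba\x1c\xff\xe3\x4a\xfa\xdd\xb3\x45\xc7"
        "\x9f\x56\xfe\x60\xc8\xc8\x81\x81\xeb\x76\x65\x77\x1a\x70\xd3\xd9\xe3"
        "\xec\xc5\xec\x00\x6c\xc9\xbb\xf6\xbd\x7a\x2e\xd3\xdf\x7a\xd2\x8d\x26"
        "\x28\x7b\xae\x09\xd2\x46\xf1\xe0\xdc\x03\x76\x86\xdd\xc9\xf0\x39\x5e"
        "\x06\x73\x0e\xfa\xf4\x5f\x47\xeb\xe0\x67\xfc\x81\x90\x6b\x0b\xae\x5e"
        "\xb4\x35\x4b\x80\x9e\x35\x7a\x02\x34\x10\x53\x01\x72\x2b\x71\x30\xf8"
        "\xc7\x33\xdd\xf7\xe5\x73\x27\x8c\x5f\x97\x4d\x5a\xf2\x23\xb1\x00\xad"
        "\x28\x12\xcf\x9e\xba\x13\x10\xea\x45\x82\x68\xed\xec\x31\x54\x3d\xc0"
        "\xc2\xec\x4a\xe1\x8d\x30\x67\x76\x8a\x35\xe0\x02\xbf\xfc\x31\xc7\x7f"
        "\x36\xd3\x64\x7f\x19\x21\x10\xc3\xde\x60\x3e\x85\x54\x59\x89\x94\xcb"
        "\xc6\x52\x61\xee\x50\xb1\x83\x8f\xc4\xf2\x58\x60\x2e\x65\xea\x15\xac"
        "\x32\x34\x1a\x02\x10\x70\xfe\xae\x7e\x75\x1e\xe5\xec\x4d\x06\x4e\xfa"
        "\xb5\x0b\x71\x83\x99\xe7\x25\x53\xf5\xd4\x4e\x7b\x93\x55\x4c\x66\xcf"
        "\xaf\x1c\xd3\x81\xb7\x38\x2b\x81\x67\xb0\x48\x1c\x16\x89\x2c\xaa\xb8"
        "\xe2\x65\x26\x55\xd6\x46\xfb\x38\xd6\x7a\x53\x8f\x1c\x15\xaf\x56\x26"
        "\x68\x68\xaa\x6b\x0e\x8f\xf9\xd2\x8c\xea\x34\x2f\x71\xdf\xa4\xc0\xd1"
        "\x96\x6a\x60\x77\xde\x1a\x91\x92\x5b\xa8\x10\x7a\xd0\x39\xf9\x0b\x83"
        "\x37\x34\x1a\x0f\xbb\xd5\x0c\xd0\xe2\x50\xdf\xff\x3d\x36\x1d\x48\x08"
        "\x58\x41\xb4\x82\x27\x94\x2b\x4e\xff\x43\x5d\x0f\x72\x32\x21\x4d\xaa"
        "\x5d\x24\x87\x16\x86\x02\x9e\xbe\xa6\x7b\x39\x2f\x1a\xbb\x38\x0e\x49"
        "\x44\x49\xaf\x72\x53\xf7\x20\x57\xbe\xaf\x41\x93\x90\xc4\x8c\x7a\x64"
        "\x56\xfc\x8e\xb5\x40\x05\x39\xe5\xef\x25\xa3\xe9\x4c\xe3\xfc\x75\xe1"
        "\xe2\x10\xbe\xc5\xb7\xc1\xcf\x8a\xb5\xf5\xe5\xe6\x15\x6c\x71\x3f\xaa"
        "\x6d\xd0\x17\x97\x43\x4e\xcc\x18\xf5\xc9\x8f\x74\x3a\xc0\xd5\x5e\x2d"
        "\x96\xf9\x41\xd7\xb7\x6d\xd4\x26\x01\x17\x0a\xb4\x52\x89\x9c\x3c\x1f"
        "\xaa\x22\xf7\x2d\xaa\x48\x45\xb4\x7f\xfc\xe3\xde\xc3\x59\x5f\x0f\x50"
        "\x21\x17\x31\x58\xcd\x84\x16\x8e\x65\x33\x1e\xbd\xac\xb8\x98\xc8\xed"
        "\x5f\x58\xdf\xb8\x04\x84\x4f\x14\x41\xa3\xb6\x95\x54\x96\xd8\x2a\xc2"
        "\x39\xc3\x2a\x0c\xd2\xe6\xf1\xa1\xf5\x42\x89\xd5\x3b\x5e\xb8\x40\x94"
        "\xbe\x8e\xff\x28\x08\x0f\x43\x7d\xb5\x36\xa9\xa1\x77\xc6\xc0\x04\x57"
        "\x26\xa7\x3a\x16\x14\x99\x12\xbd\xf4\x6f\x9d\xf3\x2c\x40\x65\x7b\x09"
        "\x40\x6f\xd6\xbc\x78\x15\xbe\x33\x23\x08\x04\x01\x3a\x8f\xfe\xd3\xc4"
        "\x4c\x59\x51\x25\x62\xc2\xc1\xa0\x04\x21\x2e\xfc\x20\xa7\xec\x49\x02"
        "\x5f\x89\x75\x55\x1a\x66\xda\x2d\x36\x85\x28\x79\x2f\x0c\xe7\xab\x00"
        "\x9a\xe8\x84\x02\x9d\x6f\x3e\xca\x27\x35\xda\x47\x85\x77\x16\x86\x3d"
        "\xa3\x3a\x18\x94\xa1\x17\x17\x71\x83\x76\x16\x10\xc8\x1a\xcc\x64\xa7"
        "\xa9\x46\x04\xcc\x72\x36\x42\x1b\x35\x72\xf4\x08\x33\xe6\xc2\xed\x42"
        "\x2c\xd7\x7d\x79\x2b\xa5\x7d\x54\x55\xc2\xfe\x86\xd6\x11\xcf\xfd\xe2"
        "\xab\x9d\x07\x7c\x3f\xe5\x95\xae\x04\x88\x83\x0c\x0f\x90\x1b\x7a\x12"
        "\xf0\x5f\xb1\xf4\x9b\xba\xd4\xa9\xe1\xe6\x02\xed\x7b\xad\xce\xd0\x53"
        "\x8c\xde\xe4\x21\x3f\xb4\xef\x65\x91\x0d\xc5\x68\x68\x88\xd4\x1c\xdb"
        "\x55\x24\x25\x2b\x3d\xfe\x4a\xb7\xdf\xf1\x2c\xdb\xa5\xf7\x36\x57\xf4"
        "\xc4\x49\xa3\x90\xf0\x1b\xdf\x09\xb2\x16\x34\xcc\xe6\xbe\x87\x36\x83"
        "\x01\x70\x42\x24\x3b\x6d\x72\x3b\x45\x95\xe1\x76\x57\x41\xe0\xb9\xb8"
        "\xf2\xa1\x3a\xb5\x41\xb2\xe9\xb0\x9d\x27\x09\x09\x0b\x0e\xc2\x37\x5a"
        "\xb6\xce\x52\xde\x89\x47\x95\x97\xd6\x3e\xcb\x74\x67\xc9\x28\xae\x54"
        "\x08\xaa\x36\xff\x08\x6c\xf9\x41\x22\xdf\x85\x49\x26\x60\x5b\x67\x8b"
        "\x79\x3e\x1d\x54\x31\x97\xfa\xaa\x81\x2a\x57\xfe\xb6\x45\x01\x82\x6d"
        "\xac\x71\xac\x46\xfa\xb0\x3d\x55\xf5\x50\x88\xfe\xac\x3d\x7a\x6e\x01"
        "\x3a\x8a\x0b\xdc\x06\x63\x83\xf0\xb6\x62\x30\xe1\x5c\x95\x32\x3c\x81"
        "\x46\x95\x21\x5b\x7c\xf1\xff\x5a\xdf\xd6\x8c\x00\xb0\xed\x21\x82\x94"
        "\xcc\x9d\x0d\xa5\x7e\xd6\x47\x89\x51\x28\x37\xe8\xa6\x33\x7b\x43\x42"
        "\xc1\x3a\xd9\x5f\x74\x82\xb1\x12\x54\x2e\x7d\x77\x40\x68\x01\xd2\xa9"
        "\x17\x39\xa8\x5f\xc9\x0b\xa5\xbb\x8a\x73\x0b\x07\xdf\x18\xc5\x52\x25"
        "\x77\xd6\xec\x06\xbf\x9c\xf4\x07\xe1\x26\xd5\x2e\x69\x34\x18\x31\x01"
        "\x14\x8f\x1d\x57\x6f\xd5\xea\xee\x64\x1a\xf4\x4c\x31\xc5\x5d\x41\x23"
        "\x4b\xad\x35\xa3\xd1\x80\x48\x7f\x29\x1e\x87\x29\xbf\x64\x16\x8a\x5d"
        "\xe0\x8e\x09\x14\x51\xe1\xe7\x96\x9a\xdb\x66\x0e\xbd\xb6\xb5\xfc\x0e"
        "\xb5\x94\xd3\x58\x86\xd5\x01\xf4\x75\x23\x56\xde\x39\xb6\xd6\x1f\x7a"
        "\xd1\xcd\x88\x37\xed\xca\xe1\xac\xfb\x1a\xf4\x0e\x0d\x50\x83\xb8\x71"
        "\x26\xc6\xc7\x3b\xcc\x4c\x67\x3b\x39\x39\x63\x29\xb3\x2d\x06\xef\xe2"
        "\xa2\xfb\x83\xd2\xda\x6c\x25\x59\xf0\x35\x4d\x1c\x95\x7f\xfb\x80\x7c"
        "\xd9\x1f\x38\x9c\x33\x26\x2a\xa6\xf9\xba\xa8\x73\xa9\x7e\x3f\x13\x6c"
        "\x10\xc8\x53\x5e\xf8\xe7\x2c\x4f\x41\x59\x55\x19\x38\x7a\x70\x0d\x54"
        "\x54\x9d\x12\xa2\x89\x83\x86\x78\xb3\xad\x91\x1c\xbd\x3b\x3d\xa2\x76"
        "\x11\x7e\x07\xc0\x13\xaf\x04\xfa\xb6\x77\x66\x87\x08\x03\xd0\x48\x50"
        "\x1a\x59\x52\x16\xcb\x1a\xe5\x2b\x9b\x45\x52\x95\x40\x1f\xc4\xdd\xfa"
        "\xaa\x8b\xd1\x30\xae\x83\xd7\x81\x18\x50\xfb\xfb\x34\x00\x85\xa1\xa5"
        "\x04\x83\xda\xdd\x81\xa3\x7f\xd2\xba\x41\x78\x7f\xd6\xc9\xdd\x57\xed"
        "\x10\xf1\x66\xde\xe5\xf2\x84\xd4\xc7\x71\x1e\x0b\xa1\xc8\x9c\xc7\xef"
        "\x95\xb6\xa0\x13\x3b\x9a\xe4\x7a\x7e\xf8\xac\x12\xd2\xa4\x4d\xad\xd3"
        "\x19\x2b\x00\xa0\xce\x86\xe5\xb2\x09\x30\x7e\x9b\xf5\x78\xc9\x29\xb3"
        "\x5a\x8d\xc8\x6b\x15\xc5\x89\x7c\x66\xec\x0c\xc9\x56\x97\xe2\x90\xb5"
        "\x02\x5e\xe3\x5f\xd7\x4f\x68\xbe\xa8\x69\xd9\x48\xb9\x5b\xbd\x31\x3b"
        "\xf3\x4b\x43\xd8\xe1\x0a\xe1\x10\x85\x91\x9e\x69\xce\x98\x68\xcb\xba"
        "\x34\xa5\x77\x69\x1d\xf0\xb8\x5c\x5a\xca\xeb\x47\x9b\xeb\x35\xa4\xf7"
        "\x25\x16\x2b\x59\x49\x92\xb5\xd0\xc4\x0e\x56\x3e\x7e\xd8\x52\x31\x2d"
        "\xe0\xed\xb2\x62\xc3\x07\x47\xcb\x51\x27\x8d\x41\xe0\xde\x22\x8c\x70"
        "\x97\xb9\x28\xeb\xb3\x67\xf3\x10\x65\x81\xf1\x2c\x74\x19\xc0\x63\x4f"
        "\xd9\x82\x03\x98\xf4\xda\x5d\x83\x90\x21\x12\x0d\x0c\xd9\xb4\x26\x4f"
        "\x07\x3d\x4d\xaf\xc9\x93\x8c\x92\x87\x75\xe5\xeb\xd2\x8c\x8d\x1b\x2b"
        "\xbe\xa6\x15\xde\xff\xde\x24\x6c\xc4\xde\x25\xbb\x90\xb2\x3a\xcf\x50"
        "\xbc\x14\x9a\x75\xf5\x50\x63\x0b\x8b\xf6\xad\xdd\x0e\x7f\x3d\x18\x0e"
        "\x92\xa4\x36\x52\x5a\x05\x82\x8e\xc7\x19\xd2\x69\xa7\xa5\xad\xcc\x9b"
        "\x56\x41\xd8\xd0\x2e\x09\xa2\x2b\x0f\x34\xaf\x7a\xba\x61\xd5\xba\x5d"
        "\x50\x93\xe1\x1d\x40\x16\xd3\xe1\x6a\xf9\xae\x9f\x52\x37\xe9\xf8\x44"
        "\xe0\x94\x11\x80\xea\xc8\x9a\x94\x68\xa0\x7a\x41\xdf\x70\xb1\xf2\x2c"
        "\xa9\x60\xb5\x52\xc8\x05\x6e\x8c\xe6\x84\x74\xc0\x5d\x30\x51\x29\x9e"
        "\x36\x0b\xa0\x1d\x99\x93\x3d\xc9\xe4\x68\xbe\xb6\xe1\x90\x3f\x42\x5a"
        "\xc0\xa8\x19\x6d\xd3\xe2\x57\x47\xd7\x6d\xbc\xfe\xc0\x8f\x47\xc3\xf1"
        "\xd8\xe8\x53\x24\xfe\xb6\x39\x4a\x44\x9e\xc2\x9f\x7d\x5d\xb5\xc0\x3a"
        "\x90\x1e\x94\xdc\x83\x12\x3d\xea\x21\xb8\x0b\x0f\x93\x48\x21\xd8\x76"
        "\x78\x6e\x96\x55\x77\xd0\xbb\x74\x34\xdb\x98\xb3\x1f\x0d\xe1\x67\x82"
        "\x0e\xc8\x84\x4d\x3e\x2a\x16\x05\x81\x06\x23\x9b\xf7\x75\xb2\x7b\x13"
        "\x46\x98\xae\x9e\x0e\x09\x45\x2c\xc7\x3c\xa0\x6b\xfe\x41\xa1\xf8\x51"
        "\x1a\xbb\x2f\xff\xb3\xe8\xe9\x6a\xd4\x13\xd9\x84\x34\xd3\xa0\xf0\xf2"
        "\x9c\x6e\x79\x87\xe9\x2d\xbc\x3f\xc0\x8d\x64\xc7\x8d\xce\x0f\x60\xf6"
        "\x98\xe4\x00\x06\x14\x4d\xfa\xba\xeb\xc0\x5e\xa2\x95\xb0\xeb\xd7\x03"
        "\x77\xe7\xba\x93\x2f\x9e\xc3\x0c\x89\xcb\x0a\x19\xed\xd7\xd2\x9c\x11"
        "\xf6\xbe\xf3\x77\xab\xb0\x1e\xba\x08\x38\x27\x27\xbe\x44\xb7\x4f\x55"
        "\x1e\xdd\xba\x8b\x7e\xbf\x25\x5f\x66\x4d\xd6\x26\x8b\x38\x69\x96\xcd"
        "\x0d\x54\x8e\x98\x94\xa7\x9e\xdb\xe4\x3a\x42\xfe\xb9\xab\x8a\xff\xc3"
        "\x5e\xc5\xbf\xac\xc5\x3c\x5d\xdb\xb3\x2c\x7d\x75\xeb\x6a\x41\xe2\xa0"
        "\xaf\x81\xe2\xcd\xa2\xc4\x01\xa2\x8c\x6b\x26\x19\xc5\xe0\x0b\x2f\xaa"
        "\x41\xb5\xde\x5a\x5e\x12\x13\x14\x93\xc2\xbf\xab\xc7\xd3\xf6\x1d\x28"
        "\x4c\x45\x7d\xe1\xdf\xf1\xee\xf8\x10\x74\x35\xab\x94\x76\x30\x5a\xff"
        "\x8c\xbc\x62\xd2\x1c\xab\xc9\x0b\xef\x91\x4c\x96\xb9\xa9\x5e\x56\x8e"
        "\xc1\x75\xd1\x9d\x0c\x02\xae\x32\x62\xeb\xe1\xbe\x69\x21\x11\x8c\xee"
        "\x3b\x01\xea\xfd\x41\x84\x9a\x12\x0c\x17\x6b\x4e\xb6\x7e\xf0\x41",
        2039);
    *(uint64_t*)0x200017a8 = 0x7f7;
    *(uint64_t*)0x200017b0 = 0;
    *(uint64_t*)0x200017b8 = 0;
    *(uint64_t*)0x20004cd8 = 4;
    *(uint64_t*)0x20004ce0 = 0;
    *(uint64_t*)0x20004ce8 = 0;
    *(uint32_t*)0x20004cf0 = 0;
    *(uint64_t*)0x20004cf8 = 0;
    *(uint32_t*)0x20004d00 = 0;
    *(uint64_t*)0x20004d08 = 0;
    *(uint64_t*)0x20004d10 = 0;
    *(uint64_t*)0x20004d18 = 0;
    *(uint64_t*)0x20004d20 = 0;
    *(uint32_t*)0x20004d28 = 0x40;
    syscall(__NR_sendmmsg, r[0], 0x20004cc0ul, 2ul, 0x20000000ul);
    {
      int i;
      for (i = 0; i < 32; i++) {
        syscall(__NR_sendmmsg, r[0], 0x20004cc0ul, 2ul, 0x20000000ul);
      }
    }
    break;
  }
}

int main(void) {
  // Address space the syscall program addresses directly: a PROT_NONE page
  // below, 16 MiB of RWX (prot 7) at 0x20000000, and a PROT_NONE page above.
  // Flags 0x32 = MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS.  Results are not
  // checked; if the fixed mapping fails, execute_call() will fault.
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  // Six worker processes, each running loop() forever; the parent sleeps.
  for (procid = 0; procid < 6; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}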