// https://syzkaller.appspot.com/bug?id=15d642c9d9680fa51e9dacf5590a958a8975f197
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer: a supervisor loop forks a child per iteration, the
// child replays a fixed syscall sequence (execute_one), and the parent kills
// the child after a time budget.  Generated code, not hand-maintained.
//
// NOTE(review): the header names after each #include below were lost in
// extraction (bare "#include" directives).  They must be restored before this
// file will compile.

#define _GNU_SOURCE

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Fallback syscall number for bpf(2) when the libc headers do not define it.
// NOTE(review): 321 is the x86_64 number; the generator emits it for the
// target it was run on, so do not reuse this file on another architecture
// without checking.
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Declared by the generator template; not referenced by any helper visible
// here (presumably used by multi-process variants of the template).
static unsigned long long procid;

// Sleep for ms milliseconds.  ms is widened to uint64_t but usleep() takes
// useconds_t, so very large values would be truncated on ABIs where that
// type is narrower -- the callers below only pass small constants.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic wall-clock reading in milliseconds, used for the per-iteration
// time budget in loop().  A clock_gettime() failure is treated as fatal.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Mask covering bf_len bits starting at bit bf_off.  Note 1ull << 64 is
// undefined, so bf_len must be < 64 (every use in this file is 26 or less).
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bit-field at a raw address: clear the field, then
// OR in val shifted into place.  htobe is a byte-order hook applied on load
// and store; the calls in this file pass it empty, so it expands to plain
// parentheses and the field is written in host order.
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) = \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Format a string and write it to an existing file in one write(2).
// Returns false (with errno preserved from the failing call) if the file
// cannot be opened or the write is short.  Output longer than 1023 bytes is
// silently truncated by vsnprintf() before being written.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Forcibly terminate the test child (its whole process group and the pid
// itself) and reap it, storing the wait status in *status.
// Polls with WNOHANG for up to ~100ms; if the child has still not exited, it
// writes to every /sys/fs/fuse/connections/<id>/abort entry -- presumably so
// that a child stuck in an unanswered FUSE request can be killed -- and then
// blocks in waitpid() until the pid is reaped.  Because waitpid(-1) is used,
// other children of the caller may be reaped along the way.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // One byte of the path string is written; the payload is irrelevant,
      // any write to the abort file is what triggers the abort.  Failures
      // are deliberately ignored (best effort).
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup, run in the forked child before execute_one():
//  - PR_SET_PDEATHSIG: the child is SIGKILLed if the supervisor dies;
//  - setpgrp(): a fresh process group so kill(-pid) in kill_and_wait()
//    reaches anything the child forks;
//  - oom_score_adj=1000: makes the child the preferred OOM-killer victim
//    rather than the supervisor or the rest of the system.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

// Linux-specific: wait for all children regardless of their clone flags.
#define WAIT_FLAGS __WALL

// Supervisor loop: fork a child per iteration, let it run execute_one(), and
// give it 5000ms; on timeout the child is killed and reaped via
// kill_and_wait().  Never returns.  iter is only ever incremented.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Results (descriptors/ids) of earlier syscalls, reused as arguments by
// later ones in execute_one().  Slots start at -1 ("not obtained"), except
// r[4] which starts at 0; a slot is only overwritten when the producing
// call did not fail.
uint64_t r[7] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff};

// The replayed syscall sequence.  Arguments are laid out by raw stores into
// a fixed region starting at 0x20000000 -- presumably mapped before loop()
// is entered (not done in any function above); each syscall then receives
// the address of the prepared struct.  The inline /*name=*/ comments are the
// generator's annotation of each argument.
void execute_one(void)
{
  intptr_t res = 0;
  memcpy((void*)0x20000040, "/dev/net/tun\000", 13);
  syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000040ul, /*flags=O_TRUNC|O_SYNC|O_NOCTTY|O_NOATIME|O_CREAT|O_CLOEXEC|0x1*/ 0x1c1341ul, /*mode=*/0ul);
  syscall(__NR_socketpair, /*domain=*/1ul, /*type=*/1ul, /*proto=*/0, /*fds=*/0x20000100ul);
  syscall(__NR_socketpair, /*domain=AF_UNIX*/ 1ul, /*type=SOCK_STREAM*/ 1ul, /*proto=*/0, /*fds=*/0x20000000ul);
  // Fill a 0x48-byte bpf attr at 0x200009c0 for bpf(cmd=0, i.e. BPF_MAP_CREATE);
  // the resulting map fd (if any) is kept in r[0].
  *(uint32_t*)0x200009c0 = 0xf;
  *(uint32_t*)0x200009c4 = 4;
  *(uint32_t*)0x200009c8 = 8;
  *(uint32_t*)0x200009cc = 0xc;
  *(uint32_t*)0x200009d0 = 0;
  *(uint32_t*)0x200009d4 = -1;
  *(uint32_t*)0x200009d8 = 0;
  memset((void*)0x200009dc, 0, 16);
  *(uint32_t*)0x200009ec = 0;
  *(uint32_t*)0x200009f0 = -1;
  *(uint32_t*)0x200009f4 = 0;
  *(uint32_t*)0x200009f8 = 0;
  *(uint32_t*)0x200009fc = 0;
  *(uint64_t*)0x20000a00 = 0;
  res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200009c0ul, /*size=*/0x48ul);
  if (res != -1)
    r[0] = res;
  // Second map-create attr at 0x200000c0; result goes to r[1].
  *(uint32_t*)0x200000c0 = 0x1b;
  *(uint32_t*)0x200000c4 = 0;
  *(uint32_t*)0x200000c8 = 0;
  *(uint32_t*)0x200000cc = 0x8000;
  *(uint32_t*)0x200000d0 = 0;
  *(uint32_t*)0x200000d4 = -1;
  *(uint32_t*)0x200000d8 = 0;
  memset((void*)0x200000dc, 0, 16);
  *(uint32_t*)0x200000ec = 0;
  *(uint32_t*)0x200000f0 = -1;
*(uint32_t*)0x200000f4 = 0; *(uint32_t*)0x200000f8 = 0; *(uint32_t*)0x200000fc = 0; *(uint64_t*)0x20000100 = 0; res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200000c0ul, /*size=*/0x48ul); if (res != -1) r[1] = res; *(uint32_t*)0x200000c0 = 0x11; *(uint32_t*)0x200000c4 = 0x10; *(uint64_t*)0x200000c8 = 0x20000280; memcpy((void*)0x20000280, "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18" "\x11\x00\x00", 20); *(uint32_t*)0x20000294 = r[1]; memcpy((void*)0x20000298, "\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x02\x00\x00\x02\x00\x00\x00\x85" "\x00\x00\x00\x86\x00\x00\x00\x18\x11\x00\x00", 28); *(uint32_t*)0x200002b4 = r[0]; memcpy((void*)0x200002b8, "\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x08\x00\x00\x00\x00\x00\x00\x7b" "\x8a\xf8\xff\x00\x00\x00\x00\xbf\xa2\x00\x00\x00\x00\x00\x00\x07\x02" "\x00\x00\xf8\xff\xff\xff\xb7\x03\x00\x00\x08\x00\x00\x00\xb7\x04\x00" "\x00\x00\x00\x00\x00\x85\x00\x00\x00\x03\x00\x00\x00\x95", 65); *(uint64_t*)0x200000d0 = 0x20000040; memcpy((void*)0x20000040, "syzkaller\000", 10); *(uint32_t*)0x200000d8 = 0; *(uint32_t*)0x200000dc = 0; *(uint64_t*)0x200000e0 = 0; *(uint32_t*)0x200000e8 = 0; *(uint32_t*)0x200000ec = 0; memset((void*)0x200000f0, 0, 16); *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = -1; *(uint32_t*)0x2000010c = 0; *(uint64_t*)0x20000110 = 0; *(uint32_t*)0x20000118 = 0; *(uint32_t*)0x2000011c = 0; *(uint64_t*)0x20000120 = 0; *(uint32_t*)0x20000128 = 0; *(uint32_t*)0x2000012c = 0; *(uint32_t*)0x20000130 = 0; *(uint32_t*)0x20000134 = 0; *(uint64_t*)0x20000138 = 0; *(uint64_t*)0x20000140 = 0; *(uint32_t*)0x20000148 = 0; *(uint32_t*)0x2000014c = 0; res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200000c0ul, /*size=*/0x90ul); if (res != -1) r[2] = res; *(uint64_t*)0x200001c0 = 0x20000180; memcpy((void*)0x20000180, "kfree\000", 6); *(uint32_t*)0x200001c8 = r[2]; syscall(__NR_bpf, /*cmd=*/0x11ul, /*arg=*/0x200001c0ul, /*size=*/0x10ul); *(uint32_t*)0x20000000 = 0x19; *(uint32_t*)0x20000004 
= 4; *(uint32_t*)0x20000008 = 4; *(uint32_t*)0x2000000c = 2; *(uint32_t*)0x20000010 = 0; *(uint32_t*)0x20000014 = 1; *(uint32_t*)0x20000018 = 0; memset((void*)0x2000001c, 0, 16); *(uint32_t*)0x2000002c = 0; *(uint32_t*)0x20000030 = -1; *(uint32_t*)0x20000034 = 0; *(uint32_t*)0x20000038 = 0; *(uint32_t*)0x2000003c = 0; *(uint64_t*)0x20000040 = 0; syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000000ul, /*size=*/0x48ul); *(uint32_t*)0x200009c0 = 5; *(uint32_t*)0x200009c4 = 4; *(uint32_t*)0x200009c8 = 2; *(uint32_t*)0x200009cc = 0xc; *(uint32_t*)0x200009d0 = 0; *(uint32_t*)0x200009d4 = -1; *(uint32_t*)0x200009d8 = 0; memset((void*)0x200009dc, 0, 16); *(uint32_t*)0x200009ec = 0; *(uint32_t*)0x200009f0 = -1; *(uint32_t*)0x200009f4 = 0; *(uint32_t*)0x200009f8 = 0; *(uint32_t*)0x200009fc = 0; *(uint64_t*)0x20000a00 = 0; res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200009c0ul, /*size=*/0x73ul); if (res != -1) r[3] = res; *(uint32_t*)0x200000c0 = 0x11; *(uint32_t*)0x200000c4 = 0xd; *(uint64_t*)0x200000c8 = 0x20000040; memcpy((void*)0x20000040, "\x18\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x85" "\x00\x00\x00\x08\x00\x00\x00\x18\x11\x00\x00", 28); *(uint32_t*)0x2000005c = r[3]; memcpy((void*)0x20000060, "\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x08\x00\x00\x00\x00\x00\x00\x7b" "\x8a\xf8\xff\x00\x00\x00\x00\xbf\xa2\x00\x00\x00\x00\x00\x00\x07\x02" "\x00\x00\xf8\xff\xff\xff\xb7\x03\x00\x00\x08\x00\x00\x10\xb7\x04\x00" "\x00\x00\x00\x00\x00\x85\x00\x00\x00\x01\x00\x00\x00\x95", 65); *(uint64_t*)0x200000d0 = 0x200001c0; memcpy((void*)0x200001c0, "syzkaller\000", 10); *(uint32_t*)0x200000d8 = 0; *(uint32_t*)0x200000dc = 0; *(uint64_t*)0x200000e0 = 0; *(uint32_t*)0x200000e8 = 0; *(uint32_t*)0x200000ec = 0; memset((void*)0x200000f0, 0, 16); *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = -1; *(uint32_t*)0x2000010c = 0; *(uint64_t*)0x20000110 = 0; *(uint32_t*)0x20000118 = 0; *(uint32_t*)0x2000011c = 0; *(uint64_t*)0x20000120 = 0; 
*(uint32_t*)0x20000128 = 0; *(uint32_t*)0x2000012c = 0; *(uint32_t*)0x20000130 = 0; *(uint32_t*)0x20000134 = 0; *(uint64_t*)0x20000138 = 0; *(uint64_t*)0x20000140 = 0; *(uint32_t*)0x20000148 = 0; *(uint32_t*)0x2000014c = 0; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200000c0ul, /*size=*/0x90ul); syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_SEQPACKET*/ 5ul, /*proto=*/0, /*fds=*/0x200029c0ul); memcpy((void*)0x20000240, "cgroup.controllers\000", 19); syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000240ul, /*flags=*/0x26e1ul, /*mode=*/0ul); *(uint32_t*)0x200000c0 = 0; res = syscall(__NR_bpf, /*cmd=*/0x1ful, /*arg=*/0x200000c0ul, /*size=*/8ul); if (res != -1) r[4] = *(uint32_t*)0x200000c4; *(uint32_t*)0x20000100 = r[4]; syscall(__NR_bpf, /*cmd=*/0x1eul, /*arg=*/0x20000100ul, /*size=*/4ul); *(uint32_t*)0x20000180 = 1; *(uint32_t*)0x20000184 = 0x80; *(uint8_t*)0x20000188 = 0; *(uint8_t*)0x20000189 = 0; *(uint8_t*)0x2000018a = 0; *(uint8_t*)0x2000018b = 0; *(uint32_t*)0x2000018c = 0; *(uint64_t*)0x20000190 = 0; *(uint64_t*)0x20000198 = 0; *(uint64_t*)0x200001a0 = 0; STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 1, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 2, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 3, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 5, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 6, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 7, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 8, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 9, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 10, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 11, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 12, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 13, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 14, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 15, 2); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 17, 1); STORE_BY_BITMASK(uint64_t, , 
0x200001a8, 0, 18, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 19, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 20, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 21, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 22, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 23, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 24, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 25, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 26, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 27, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 28, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 29, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 30, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 31, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 32, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 33, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 34, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 35, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 36, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 37, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 38, 26); *(uint32_t*)0x200001b0 = 0; *(uint32_t*)0x200001b4 = 0; *(uint64_t*)0x200001b8 = 0; *(uint64_t*)0x200001c0 = 0; *(uint64_t*)0x200001c8 = 0; *(uint64_t*)0x200001d0 = 0; *(uint32_t*)0x200001d8 = 0; *(uint32_t*)0x200001dc = 0; *(uint64_t*)0x200001e0 = 0; *(uint32_t*)0x200001e8 = 0; *(uint16_t*)0x200001ec = 0; *(uint16_t*)0x200001ee = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint64_t*)0x200001f8 = 0; syscall(__NR_perf_event_open, /*attr=*/0x20000180ul, /*pid=*/0, /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul); syscall(__NR_socketpair, /*domain=AF_UNIX*/ 1ul, /*type=SOCK_NONBLOCK|SOCK_SEQPACKET*/ 0x805ul, /*proto=*/0, /*fds=*/0x20000000ul); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 0x13; *(uint64_t*)0x200000c8 = 0x20000340; memcpy((void*)0x20000340, "\x18\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18" "\x01\x00\x00\x20\xa0\x70\x25\x00\x00\x00\x00\x00\x80\x00\x00\x7b\x1a" 
"\xf8\xff\x00\x00\x00\x00\xbf\xa1\x00\x00\x00\x00\x00\x00\x07\x01\x00" "\x00\xf8\xff\xff\xff\xb7\x02\x00\x00\x08\x00\x00\x00\xb7\x03\x00\x00" "\x00\x00\x00\x00\x04\x00\x00\x00\x06\x00\x00\x00\x18\x01\x00\x00\x20" "\x20\x70\x25\x00\x00\x00\x00\x00\x20\x20\x20\x7b\x1a\xf8\xff\x00\x00" "\x00\x00\xbf\xa1\x00\x00\x00\x00\x00\x00\x07\x01\x00\x00\xf8\xff\xff" "\xff\xb7\x02\x00\x00\x08\x00\x00\x00\xb7\x03\x00\x00\x00\x00\x00\x00" "\x85\x00\x00\x00\x08\x00\x00\x00\x95", 145); *(uint64_t*)0x200000d0 = 0x20000200; memcpy((void*)0x20000200, "GPL\000", 4); *(uint32_t*)0x200000d8 = 0; *(uint32_t*)0x200000dc = 0; *(uint64_t*)0x200000e0 = 0; *(uint32_t*)0x200000e8 = 0; *(uint32_t*)0x200000ec = 0; memset((void*)0x200000f0, 0, 16); *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint64_t*)0x20000110 = 0; *(uint32_t*)0x20000118 = 0; *(uint32_t*)0x2000011c = 0; *(uint64_t*)0x20000120 = 0; *(uint32_t*)0x20000128 = 0; *(uint32_t*)0x2000012c = 0; *(uint32_t*)0x20000130 = 0; *(uint32_t*)0x20000134 = 0; *(uint64_t*)0x20000138 = 0; *(uint64_t*)0x20000140 = 0; *(uint32_t*)0x20000148 = 0; *(uint32_t*)0x2000014c = 0; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200000c0ul, /*size=*/0x90ul); *(uint32_t*)0x200000c0 = 2; *(uint32_t*)0x200000c4 = 0x80; *(uint8_t*)0x200000c8 = 0x3a; *(uint8_t*)0x200000c9 = 8; *(uint8_t*)0x200000ca = 0; *(uint8_t*)0x200000cb = 0; *(uint32_t*)0x200000cc = 0; *(uint64_t*)0x200000d0 = 0; *(uint64_t*)0x200000d8 = 0; *(uint64_t*)0x200000e0 = 0; STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 2, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 3, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 5, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 6, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 7, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 8, 1); 
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 9, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 10, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 11, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 12, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 13, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 14, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 15, 2); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 17, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 18, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 19, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 20, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 21, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 22, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 23, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 24, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 25, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 26, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 27, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 28, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 29, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 30, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 31, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 32, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 33, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 34, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 35, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 36, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 37, 1); STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 38, 26); *(uint32_t*)0x200000f0 = 0; *(uint32_t*)0x200000f4 = 0; *(uint64_t*)0x200000f8 = 0; *(uint64_t*)0x20000100 = 0; *(uint64_t*)0x20000108 = 0; *(uint64_t*)0x20000110 = 0; *(uint32_t*)0x20000118 = 0; *(uint32_t*)0x2000011c = 0; *(uint64_t*)0x20000120 = 0; *(uint32_t*)0x20000128 = 0; *(uint16_t*)0x2000012c = 5; *(uint16_t*)0x2000012e = 0; *(uint32_t*)0x20000130 = 0; *(uint32_t*)0x20000134 = 0; *(uint64_t*)0x20000138 = 0; syscall(__NR_perf_event_open, /*attr=*/0x200000c0ul, /*pid=*/0, 
/*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul); *(uint32_t*)0x200000c0 = 0x1b; *(uint32_t*)0x200000c4 = 0; *(uint32_t*)0x200000c8 = 0; *(uint32_t*)0x200000cc = 0x8000; *(uint32_t*)0x200000d0 = 0; *(uint32_t*)0x200000d4 = -1; *(uint32_t*)0x200000d8 = 0; memset((void*)0x200000dc, 0, 16); *(uint32_t*)0x200000ec = 0; *(uint32_t*)0x200000f0 = -1; *(uint32_t*)0x200000f4 = 0; *(uint32_t*)0x200000f8 = 0; *(uint32_t*)0x200000fc = 0; *(uint64_t*)0x20000100 = 0; syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200000c0ul, /*size=*/0x48ul); memcpy((void*)0x20000140, "cgroup.events\000", 14); syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000140ul, /*flags=*/0x275aul, /*mode=*/0ul); *(uint32_t*)0x20000040 = 0x12; *(uint32_t*)0x20000044 = 3; *(uint64_t*)0x20000048 = 0; *(uint64_t*)0x20000050 = 0; *(uint32_t*)0x20000058 = 0; *(uint32_t*)0x2000005c = 0; *(uint64_t*)0x20000060 = 0; *(uint32_t*)0x20000068 = 0; *(uint32_t*)0x2000006c = 0; memset((void*)0x20000070, 0, 16); *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 0; *(uint32_t*)0x20000088 = -1; *(uint32_t*)0x2000008c = 0; *(uint64_t*)0x20000090 = 0; *(uint32_t*)0x20000098 = 0; *(uint32_t*)0x2000009c = 0; *(uint64_t*)0x200000a0 = 0; *(uint32_t*)0x200000a8 = 0; *(uint32_t*)0x200000ac = 0; *(uint32_t*)0x200000b0 = 0; *(uint32_t*)0x200000b4 = 0; *(uint64_t*)0x200000b8 = 0; *(uint64_t*)0x200000c0 = 0; *(uint32_t*)0x200000c8 = 0x10; *(uint32_t*)0x200000cc = 0; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000040ul, /*size=*/0x90ul); *(uint32_t*)0x20000180 = 2; *(uint32_t*)0x20000184 = 0x80; *(uint8_t*)0x20000188 = 0x43; *(uint8_t*)0x20000189 = 1; *(uint8_t*)0x2000018a = 0; *(uint8_t*)0x2000018b = 0; *(uint32_t*)0x2000018c = 0; *(uint64_t*)0x20000190 = 0; *(uint64_t*)0x20000198 = 0; *(uint64_t*)0x200001a0 = 0; STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 2, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 3, 1); STORE_BY_BITMASK(uint64_t, , 
0x200001a8, 0, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 5, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 6, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 7, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 8, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 9, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 10, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 11, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 12, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 13, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 14, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 15, 2); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 17, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 18, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 19, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 20, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 21, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 22, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 23, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 24, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 25, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 26, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 27, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 28, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 29, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 30, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 31, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 32, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 33, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 34, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 35, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 36, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 37, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 38, 26); *(uint32_t*)0x200001b0 = 0; *(uint32_t*)0x200001b4 = 0; *(uint64_t*)0x200001b8 = 0; *(uint64_t*)0x200001c0 = 0; *(uint64_t*)0x200001c8 = 0; *(uint64_t*)0x200001d0 = 0; *(uint32_t*)0x200001d8 = 0; *(uint32_t*)0x200001dc = 0; *(uint64_t*)0x200001e0 = 0; 
*(uint32_t*)0x200001e8 = 0; *(uint16_t*)0x200001ec = 0; *(uint16_t*)0x200001ee = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint64_t*)0x200001f8 = 0; syscall(__NR_perf_event_open, /*attr=*/0x20000180ul, /*pid=*/0, /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul); *(uint32_t*)0x20000080 = 5; *(uint32_t*)0x20000084 = 3; *(uint64_t*)0x20000088 = 0x20001d00; memcpy( (void*)0x20001d00, "\x85\x00\x00\x00\x08\x00\x00\x00\x25\x00\x00\x00\x00\x00\x00\x00\x95\x00" "\x00\x00\x00\x00\x00\x00\xaf\xcd\x48\xd6\x49\x37\x90\x71\x00\x00\x00\x00" "\x00\x08\x00\x00\xb2\xc6\x16\x1d\xba\x39\x21\x76\xdd\x29\x63\x03\x8e\x1d" "\x69\xba\x7e\xa9\x4c\x50\x0d\xc4\xef\x2f\xad\x96\xed\x40\x6f\x21\xca\xf5" "\xad\xcf\x92\x05\x69\xc0\x0c\xc1\x19\x96\x84\xfa\x7c\x93\x83\x6d\x9e\xa2" "\xcf\xb0\xe6\x04\x36\xe0\x54\x25\xcc\x46\x86\xb0\x66\x70\x7d\xe9\x4a\x4f" "\x4d\x5f\xc7\x9c\x98\x7d\x66\x9f\x38\x1f\xac\xa0\xf9\xd9\x92\x4b\xe4\x1a" "\x91\x69\xbd\xfa\xf1\x6d\xa9\x15\xb2\xe2\x49\xf2\x1c\x6e\xee\x84\x30\x9e" "\x7a\x23\xc1\x9a\x39\x48\x48\x09\x53\x9f\xcb\x4e\x0b\x6e\xab\x1a\xa7\xd5" "\x55\x45\xa3\x4e\xff\xa0\x77\xfa\xa5\x5c\x59\xe8\x82\x54\xf5\x40\x77\xf7" "\x99\xbf\x16\x83\x01\x00\x00\x00\xbf\xb1\xc0\xe6\x06\x24\x4d\x35\xb2\x13" "\xbd\xa8\x4c\xc1\x72\xaf\xcc\x2e\x47\xa7\xd8\xb8\x5a\x5e\x3d\x77\xac\x46" "\x39\x20\xe2\x31\xb7\xae\x0d\xa8\x61\x6d\x2b\x79\x58\xf9\x1f\x5d\xa6\xc0" "\x25\xd0\x60\xab\x18\x6d\x94\xaf\x98\xaf\x1d\xa2\xb5\x95\x2e\xb1\x89\x21" "\x51\xfd\x21\x23\x04\xe0\x35\xf7\xa3\x5d\xfc\x72\xc8\x12\x56\xa5\x5a\x25" "\xf8\xfe\x3b\x28\xd7\xe5\x3c\x78\xfb\xb8\x88\xb0\x25\x5f\x34\x71\x60\xec" "\x83\x07\x00\x00\x00\x00\x00\x00\x40\x15\xcf\x10\x45\x3f\x6c\xf6\x8f\x96" "\xb4\xa4\x84\xeb\xad\x04\x85\x9d\x92\x83\x65\xa7\xea\x3f\xab\x2e\x4b\x38" "\x0a\x00\xd7\x2b\xc0\x48\x0f\x94\x47\x97\x57\x30\x67\x20\x39\x93\x79\xd9" "\x27\x1c\xf5\x55\xc1\x4d\x56\xb5\x1c\x22\x98\x23\x7b\xeb\xfc\x08\xe0\xd5" "\x97\x6a\x94\x2b\x84\x41\x39\xf1\x11\x1f\x2d\xc5\xe4\x6a\xc1\xc6\x0a\x9b" 
"\x03\x00\x74\xbf\xbc\xd4\xb0\x90\x12\x17\x54\x84\x13\x5f\x0e\x51\x9f\x0b" "\x1e\x4a\xaa\x02\x6d\x57\x0e\xcb\x5e\x8c\xdd\xbe\xd6\x5f\xf7\x02\x00\x00" "\x00\xa3\xff\x4f\x8a\x4c\xf7\x96\xb0\x7a\x6f\xf6\x1c\x55\x52\x41\x7f\xd7" "\x03\xf7\xf1\x4d\x8b\x78\xa6\x02\xca\x3c\xdf\x6a\x66\x2d\x8b\xc9\xc8\x9c" "\x91\x20\x07\x2a\x5d\x00\xdc\xdd\x85\x95\x35\x6c\x9b\x24\x92\xaa\xf1\x26" "\x4d\x4e\xf4\xa4\x10\xc8\x82\x83\x48\x67\xbc\xd2\xb6\xe5\x58\xd1\x78\x79" "\x57\x0c\x8a\xd9\x43\xe3\x92\x95\x5f\x4f\x97\x9e\xa1\x32\x01\xba\xfe\x4f" "\x0f\x6e\xa5\x08\x00\x00\x00\xc5\x76\x33\x1b\x2b\x57\x1b\xed\x56\x47\x32" "\x34\x78\xa9\x96\x81\x00\x00\x00\x05\x71\xcb\xb1\x7d\x9f\x37\x28\x24\x62" "\xf0\xe9\xc1\x47\xc0\xd4\x97\xc6\x14\x33\xc6\xcc\xc3\x56\x01\xee\xf9\x7e" "\xe6\x11\xbe\x8c\x97\xf4\x15\x1f\xcd\xa6\xcb\x79\x9c\x6e\x92\x49\x66\xa7" "\xf9\x0b\xf8\x0f\x1e\x75\xee\x76\xbd\x72\x34\x6c\xfb\xb5\x26\x89\x0a\xa7" "\xfe\x5e\x68\x94\x9a\x3b\x30\x47\x23\x17\x7d\x35\x6c\x46\x04\xbc\xa4\x92" "\xec\xec\x37\xe8\x3e\xfc\xee\xfd\x78\xa2\x53\x36\x59\xed\xc8\xbe\xf9\xcb" "\x85\x45\x1c\x6a\x14\x50\x74\x34\x3c\xae\xa5\xc4\xbf\x69\x04\x41\x97\x4b" "\x15\x5f\x5a\xdc\x68\x1a\x03\xc0\xbb\xb8\x35\x88\x56\x17\x5e\x2c\xe8\xb0" "\xcb\xbb\xe3\xc0\x33\xe5\x4f\xfc\xeb\xde\x1d\x9d\x3d\x35\x00\x00\x00\x00" "\x00\x00\x00\x00\xe0\xf2\x09\x15\x0a\x07\x68\x2c\x4e\x14\xe3\xa8\x35\x58" "\xdf\x6f\x3f\xc9\x7f\x17\x30\xa1\x36\xbd\xee\x07\xe9\x8c\xb9\x84\xb2\xe2" "\x30\x4a\x1b\x63\xaf\xef\xdb\x63\x6e\x56\xbb\xaa\xe4\xe6\x21\x36\x57\x4b" "\xc6\x37\x1a\x0b\xb2\xbe\x1a\x96\x2a\xae\x9c\x12\x58\xda\x6e\xf5\x90\xe1" "\xd8\x5e\xa9\xe1\x2b\x30\x25\xf4\x3e\x7e\x08\xcc\xff\xc5\x06\x4d\xea\x4c" "\x39\xcf\x4b\x98\xe1\xfc\x6e\xfb\x59\x78\xf5\x1e\x16\xb6\x78\xec\xa0\xb6" "\x58\xa5\x60\x08\x94\x8e\x5a\x61\x56\x1a\x98\x45\xe4\xff\x29\xe2\xbd\x43" "\xb5\xb9\x23\xb2\x72\x34\x1c\x5e\x09\x3f\xd6\x6a\x29\x46\x50\x15\x59\x33" "\x57\x81\x09\x2c\xf8\xce\x98\x7c\x56\xcd\x31\x12\x16\x24\xd7\x45\x5f\x2a" 
"\x36\x66\x27\x6c\x00\x7e\x8a\xd2\x3c\x0e\x81\x2b\x28\xe2\xf3\x0d\x03\x5c" "\xee\x5d\x0e\x77\xa3\xc7\x23\x08\xec\x65\x1c\xc0\xae\x63\x7f\xa4\x74\x81" "\x6b\xc5\x9d\x2e\x2a\x00\x09\x24\x19\x30\x4b\x33\x8a\x98\x7e\x9d\x30\x44" "\xd8\x56\xce\x24\xf3\x70\x03\x0b\xe3\xb5\xf7\x9f\x03\x0b\x8d\x3e\xbc\xef" "\x5a\xf4\x69\xab\xe7\x53\x31\x4f\xae\x31\xa0\x9c\x3a\x04\x1a\x1e\x7b\x55" "\xc4\xe8\x1d\xba\x1e\x12\x28\x9e\xe3\x44\x63\xaa\xf2\x83\x45\xbd\xe0\xc1" "\x95\xbc\x9f\x02\x2c\xa8\xce\x37\xed\x85\x46\x4c\x31\x67\x90\x53\xe7\xf9" "\xd0\x4b\xb5\xcb\x51\xda\x0b\x79\x58\x98\x9f\xd7\x0f\x24\x12\x62\xd0\xaf" "\x32\x46\xeb\x4f\xc4\xbd\xa3\x45\x36\x02\x00\x00\x00\x01\xfb\xdd\xea\xcd" "\x3a\xda\xa4\xd2\x71\x5e\x21\xc7\x72\xcc\xd4\x43\x41\xf7\xfd\x53\xdf\x58" "\xae\x79\x1e\xe8\xb4\x89\xa7\xc9\xef\xe3\x62\x5a\x9d\x97\x1b\x59\x97\x48" "\x5d\x6a\x06\x3d\xc6\xf7\x35\x9e\x2e\xcc\xc2\xfb\x39\xd4\x19\xde\x1a\x7b" "\x5c\x9d\xc2\x2c\x96\x29\x5a\x06\x00\xad\xf5\x9d\x44\xe5\x8e\xb1\xc6\x0b" "\x34\x75\xbe\x31\xa9\xb7\xcf\x42\xb6\x40\x23\x12\xd2\x72\x5b\x8d\x9f\xa7" "\x00\x00\x08\x00\xa9\xfc\x00\x00\x00\x11\x7c\xa6\x5f\xc8\x6c\x2d\xce\x97" "\xaa\x03\x27\x9a\x66\xec\x87\x12\x22\x19\xb0\xf7\x96\xab\x92\xb1\xad\xec" "\xae\x50\xfd\xb4\x08\xc8\xa8\x0f\x7f\x02\xf7\x50\xd6\xc9\x77\xa1\x91\x9f" "\x9f\x69\xa6\xcf\xef\xdf\x87\x9d\x44\x7d\xf5\x3f\x3b\x9b\x70\xd1\x03\x55" "\xb0\x74\x66\xd1\xef\x00\x56\xb5\xaf\x55\x3d\x18\xa6\xcd\x50\xfe\xeb\x7b" "\xfa\xd9\xb7\xbe\x32\x83\xb6\x45\x0d\x26\x4e\x77\x12\xd2\xf1\xd7\x00\x45" "\x48\xb1\x91\x62\xce\xf0\x4d\x18\xd4\xf5\x98\x7b\xaa\xb9\x7a\x9b\xfb\xd8" "\xf1\x85\xb5\xa7\x1e\x0d\x76\x96\xca\xba\x17\x27\x45\xc7\xdd\x91\x9f\xfb" "\x63\x18\x20\x42\x0b\x75\xb6\x52\x2c\x0e\x21\xc8\x82\xc6\x6f\x4f\x25\xff" "\xb6\xd9\x5e\x07\xe0\x68\x00\x00\x00\x00\x00\x00\xeb\x5b\x63\xe4\x5d\x5d" "\x80\xfe\x52\x73\x40\x93\xae\x5a\xa3\xc0\xb4\xf3\xf4\x5b\xff\xf2\x01\x00" "\x00\x00\x00\x00\x00\x00\x2e\x31\x56\x0e\x4b\xa0\xa7\x65\xd2\x0b\x30\xf8" 
"\x7a\xf9\x76\xa4\x6f\x9a\x9a\x1a\xc7\xde\xa1\xea\x68\x45\xf9\xaa\x66\x23" "\x7e\x0d\xac\xc1\x07\xf5\x32\x34\x8c\xc2\x11\x64\x73\x38\x1e\x96\x1f\x3d" "\x9c\x8c\x21\x57\x8f\xe3\x24\x50\xcb\xc2\xec\xd9\xe5\x14\x27\xb9\xf6\xcd" "\x72\xb5\xda\x6d\x02\x52\x80\x3c\x66\x73\x0c\xd5\xea\xc9\x07\xf0\x9b\x96" "\x95\x90\x63\x13\xf8\x87\x35\x22\x60\x8c\x6f\x01\x00\x00\x00\x00\x00\x00" "\x00\xf7\x21\x30\x3e\x6b\x89\xe5\xc5\x4d\x68\x0a\xc6\x6d\x09\xaf\x90\xdb" "\xf5\x0e\xe6\x9a\x39\x26\x59\x64\x27\x9d\x17\x4b\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\xfa\x08\xad\x15\x7e\x2b\x56\x5e\x7e\x1a\x08\x26\x5e" "\x7f\x1f\x4c\x2d\x97\xf4\x68\x0b\x13\x5f\x87\xc2\x28\xce\x69\x41\x8a\x28" "\x2b\x6c\xaa\x24\x81\xa0\xdf\x17\x74\xfa\x7d\x94\x94\x4b\xb9\x2d\x2b\x89" "\xf7\x3f\x0e\x8b\x63\xf6\x31\x6c\x57\x62\xf3\x28\x8b\xc9\x70\x72\x0f\x48" "\xb5\x64\x7d\xd1\x77\xdb\x68\x10\xfa\xe0\x53\x34\x96\xb6\xd5\x8d\xa5\x0e" "\xe8\x0a\x6b\x9a\x70\x38\x97\x8c\x54\x65\x11\x3f\x66\x8e\xb4\x48\x43\x50" "\x04\x82\x89\xd0\x7d\xbe\xf3\x25\xcf\x22\x1a\x7c\xb3\x5f\x81\x2f\x25\x79" "\x41\xa9\x78\x1e\x32\x14\xc2\xa3\xdc\xf8\x9d\x99\x84\x4b\x76\x2a\x9c\xf1" "\x75\x48\xc5\x4f\xcc\xad\x2c\x7a\xe8\x07\x2b\x82\xe0\x88\x08\x15\xda\xf9" "\x66\xbd\x53\x43\xc1\x63\x5e\x12\x3f\x86\x8a\x71\x7b\x1b\xcf\xf3\x33\x20" "\x25\x3a\xf5\x70\xf4\xef\x9c\x02\x54\xaf\xdd\x89\xac\x39\x43\x56\x2b\x53" "\x0d\xd8\x8d\xa8\xa9\x40\x13\xbb\xaf\x20\x4b\xeb\xc3\xe3\x25\x23\x70\xae" "\x96\xe3\xcc\x27\x11\xf4\xd1\xf6\xdc\xc9\x28\xd1\x57\x8a\x09\x3c\x07\x2e" "\x0b\x92\xba\xbc\x76\xf4\x7e\xe3\x67\xe7\x2c\x48\x0c\x15\x18\xb4\x08\x89" "\xc9\xff\xc2\x45\xa0\x24\xa2\x27\x83\x19\xd9\xa4\xd1\x37\x84\x82\xb7\x4c" "\x51\x66\x47\x65\x2b\xfb\x6e\x93\x00\xfe\x78\x23\x2e\x3a\xe2\x45\x88\x73" "\x44\x87\x06\x24\x37\xda\x23\xe1\xef\xa6\xef\x76\x74\x10\x8a\xaa\x3f\xfa" "\xc8\x59\xc3\x57\x7c\x26\x37\xbb\x3b\xdc\x69\xbc\x36\x5b\x1f\x20\xdb\xa9" "\x6b\x8a\xcc\xa6\x2f\x3f\x80\x04\x53\x18\xde\x0f\xac\xf2\xed\x44\xb8\x14" 
"\xe8\x42\xc2\xa5\x20\x15\x9b\xb6\xc3\x20\xce\xc0\x91\x0c\x0b\x8b\xd3\xd5" "\x47\xbd\xfb\xa2\xe0\x9d\x24\xd1\x17\xed\x03\xb9\x36\xe7\x43\xff\xba\xd2" "\xf9\xc7\x7c\x9c\x13\x14\xa1\x6f\xfe\x64\xf5\xe3\x74\x4a\x2f\xff\xd7\x03" "\x96\x70\xf5\x70\x6e\x58\x9a\x4c\x38\x68\xdb\x06\xfd\x89\x2d\x68\xa5\x47" "\x47\x7f\x8e\xf6\x86\xff\x0d\xba\x93\x8c\x18\xc9\x4d\x5a\x89\xb0\x56\x7a" "\x85\x17\x50\xa3\x5d\x9c\xc2\x21\x7d\xb8\x90\xd8\x93\x85\xfc\xaa\x00\xf0" "\xf2\xe5\x24\x67\x2e\x6f\x4c\x8b\xed\xfd\x5d\xa5\xb1\x57\x70\x9b\x82\x65" "\xcf\x51\x1d\xc5\x84\x6a\xb1\xd8\x59\x16\xc4\xa6\xb2\xd1\xb4\x08\x57\x59" "\x82\xe1\x12\x30\xcb\xac\x0a\x9c\x6e\xaa\x03\xc9\x45\x64\x55\x81\xf6\x78" "\x40\x3c\x2a\x93\x6c\x53\xae\x72\x94\x0a\xa9\x2b\xcf\x22\xb8\x2c\x6b\xc0" "\x28\xe0\xac\xdd\xdf\x9f\xef\x59\x5f\x0f\x7a\x9f\x80\xc0\xe4\xc6\x59\xce" "\xd7\x69\xec\x46\x3d\x26\xa8\x1e\x46\x88\x46\x76\x1a\x8e\x1e\xfd\x6a\x03" "\x1a\xb7\xad\xc8\x66\x5e\x26\x7b\xe0\x06\x5c\xc3\x15\xaa\x23\x01\x24\x23" "\xec\x8b\x84\x92\xd9\xb5\x0f\xa4\xd8\xc5\x89\x19\x59\xb7\x61\xee\xc6\xdc" "\x98\x85\x32\x78\x2f\xda\x13\x23\x9c\x63\x73\x70\x39\x35\x0d\xb5\x9e\x25" "\xc7\x96\xb7\x9c\xc0\x4f\x3d\x1a\x5a\x13\x00\x00\x00\x00\x58\x64\x9e\x9f" "\x33\xfe\x3b\x02\x87\x9d\xd2\x4c\x68\x69\x7c\x1b\xdd\x58\xa0\xd5\xee\xac" "\xb6\x3e\xab\xb8\xda\xd0\xdd\xab\x06\xdf\x62\x87\x87\x1f\x2b\x4d\x9f\xb7" "\x23\x27\xf0\xa4\x41\x88\xa6\xeb\x6c\x61\xd3\x38\xc1\x18\xfe\xfc\x8b\xcb" "\xab\xaf\xac\x67\x95\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\xff\xd8\x73\xa0\xb6\x68\xbb\x43\xaa\xf6\x89\x53\x68\xab\xac" "\x06\x30\x10\x7e\x3c\xb4\xda\xce\x87\x8d\x7c\xad\x5e\x67\xc4\x34\x1e\x29" "\xc1\x2b\xc1\x21\xba\x74\xc3\x3a\xfc\x86\x3d\x2c\x7e\x39\x8c\x49\x7a\x03" "\xa4\xd7\x72\x74\xe7\x25\xb4\x6b\x65\x73\x52\x6c\xf7\x88\xb9\x40\x2a\x22" "\x70\x00\x3e\x82\x01\x97\xe1\x47\x10\x60\x4d\xea\x82\x7d\x20\xca\xde\x4b" "\xf6\xfc\xf8\xeb\x11\xb9\x6b\x0c\x83\x95\x81\x87\xe2\xcf\x4f\xee\x70\x6c" 
"\x4d\x21\x83\xf7\xe0\x3e\x17\xd8\xed\xf7\xcd\x90\xfb\x7d\xc9\xae\x3c\x5e" "\xb1\x62\xb4\x2f\xd1\x8c\x17\xd8\xf4\xe2\xde\x31\xb3\x1f\x50\xab\xc0\xc6" "\xd3\xc8\xbf\x41\x31\x8b\x2e\x34\xd7\x05\x08\x2b\x7f\xe2\xd5\xfe\x9a\x4d" "\x62\xbf\x08\x89\x31\x9f\x8f\x28\xad\xf2\x2f\xfc\x01\x02\x62\xa6\x77\x9d" "\xca\x6c\x6f\x47\x2a\xcd\xeb\x42\xf6\x14\xf0\x73\x50\x18\x2b\xef\x52\x3b" "\xa3\x0e\xc5\xb4\x24\x5e\x72\xb7\x5b\x6b\x19\xfb\xbe\xb2\x3a\x3e\x28\x1c" "\x1c\xcd\xaf\x22\x9e\xd8\x68\x52\x31\xda\x25\x9f\x2a\xf1\xf1\xf0\x26\x84" "\xb5\xd0\x85\x9b\xe0\x64\x26\xc8\xb8\x63\x54\xe7\x1e\xd9\x0d\x47\xd9\x11" "\xb3\x49\x71\xa6\xb8\xe5\x65\xec\x7c\x6a\x10\xca\x84\x77\x40\x79\x71\x51" "\x50\x40\xf2\x3d\xee\xd7\x5c\x11\x0d\x8e\xee\x7c\x70\x59\x1c\xd6\xfa\x83" "\x5b\x25\x15\x5f\xa3\x80\x14\xf5\x25\xbd\x98\x0d\x22\x6e\xa7\x63\x0e\xf0" "\x29\x40\xbf\x72\x65\xb7\x8b\x7b\x98\x7c\xe4\xfd\x0c\x3d\xa7\xcb\x99\xd7" "\x78\xa2\xec\x10\x05\xfe\x0c\x01\xaf\x98\x5a\x89\xda\x14\x26\x88\x01\xb7" "\x14\xea\xd0\xb1\xc1\x21\x78\x91\x2c\xc4\x4c\x42\x13\x0b\xf5\x2a\xb1\x65" "\x5c\xa8\x6f\x8f\xa8\xb5\xa4\xcc\xaa\x14\xe9\x14\x0d\xd0\x96\xf7\x6e\xec" "\x7c\x06\xf3\x33", 2524); *(uint64_t*)0x20000090 = 0x20000000; memcpy((void*)0x20000000, "GPL\000", 4); *(uint32_t*)0x20000098 = 5; *(uint32_t*)0x2000009c = 0x252; *(uint64_t*)0x200000a0 = 0x2000cf3d; *(uint32_t*)0x200000a8 = 0; *(uint32_t*)0x200000ac = 0; memset((void*)0x200000b0, 0, 16); *(uint32_t*)0x200000c0 = 0; *(uint32_t*)0x200000c4 = 0; *(uint32_t*)0x200000c8 = -1; *(uint32_t*)0x200000cc = 8; *(uint64_t*)0x200000d0 = 0; *(uint32_t*)0x200000d8 = 0; *(uint32_t*)0x200000dc = 0x10; *(uint64_t*)0x200000e0 = 0; *(uint32_t*)0x200000e8 = 0; *(uint32_t*)0x200000ec = 0; *(uint32_t*)0x200000f0 = -1; *(uint32_t*)0x200000f4 = 0; *(uint64_t*)0x200000f8 = 0; *(uint64_t*)0x20000100 = 0; *(uint32_t*)0x20000108 = 0x10; *(uint32_t*)0x2000010c = 0; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000080ul, /*size=*/0x48ul); *(uint32_t*)0x20000200 = 4; *(uint32_t*)0x20000204 = 
0xe; *(uint64_t*)0x20000208 = 0x20000800; memcpy( (void*)0x20000800, "\xb7\x02\x00\x00\x09\x00\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07\x03" "\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xff\x00\x00\x00\x00\x79\xa4\xf0\xff" "\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05\x00\x00\x00" "\x00\x00\x65\x04\x04\x00\x01\x00\x01\x01\x04\x04\x00\x00\x09\x00\x00\x00" "\xb7\x03\x00\x00\x00\x00\x00\x00\x6a\x0a\x00\xfe\x00\x00\x00\x00\x85\x00" "\x00\x00\x32\x00\x00\x00\xb7\x00\x00\x00\x01\x00\x00\x00\x95\x00\x00\x00" "\x00\x00\x00\x00\x75\xcd\xc4\xb5\x7b\x0c\x65\x75\x2a\x3a\xd5\x00\x00\xba" "\x7d\xdd\x00\x00\xcb\x45\x00\x63\x91\x00\x00\x20\x00\x00\x00\x00\x00\x00" "\x00\xff\x7f\x00\x00\xb5\x2f\x17\xce\xe1\x9d\x00\x01\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xcb\x04\xfc\xbb\x0b\x9b\xaf\xe3\xba\x43\x13\x51\xa5\x8a" "\x88\x5b\xa9\x91\x8d\x37\xb0\x56\xb9\xbb\xd1\x1b\x6b\x9f\x6c\xf7\xdb\x6d" "\x57\x46\x20\x26\x00\x00\x00\x00\x00\x00\x80\x62\x93\x8f\x65\xaa\xc3\x3c" "\x4d\x62\x0d\xe2\xc9\xb7\xdc\x10\xd7\xd3\x13\x06\xf5\x76\x06\xb8\x3b\x99" "\x4f\xb4\x84\x51\x0b\xef\x2e\x48\x72\xf5\xc2\xfe\x6f\xaa\xf7\x5e\x5c\xc4" "\x7c\x73\x9b\xb3\x9a\xad\x16\xcc\x75\xfe\x36\x92\x58\x67\x3b\x5d\xf1\x1c" "\xc2\xaf\xb5\x36\x11\xcc\x32\xa7\x90\xbc\x0b\x80\xe8\x0e\xae\x8f\x5e\x64" "\xbe\x2c\x9d\x2d\x29\xdb\x3d\x36\xdd\x01\x5c\x7b\xd3\xf1\x5a\xa6\xaa\xdb" "\xea\xb2\xa0\x16\x85\x10\x8e\x00\x00\x00\x00\x8b\x79\x8b\x4f\x74\x58\xd1" "\x86\x3c\xc6\x7c\x4c\x6a\x06\xe8\x28\xe5\x21\x6f\x60\x1b\x19\xdb\x1a\xf1" "\xb5\xd3\x56\xd0\xf0\x62\x13\x7d\x86\x6d\x11\xbe\x4b\xa3\xf0\x15\x1f\xdb" "\xbd\x4e\x97\xd6\x2e\xcc\x64\x5e\x14\x3a\x60\xf1\xc6\xed\xc7\x66\x09\x07" "\x39\x09\x82\x61\x51\xe2\xb4\x2b\xf0\xed\x0c\x8c\xef\x3b\xa2\x04\x00\xa0" "\x0c\x87\xc4\x93\xdb\x84\x5b\xb4\x02\xa8\xb7\xda\x6f\x82\x88\x1e\xb8\xc9" "\xcf\xa7\x2b\x08\xee\xcc\x95\x2a\x3f\xd2\xc4\x6f\x3c\x1c\xde\x71\xa1\x9d" "\x1a\x29\x82\x49\x2a\x25\x0e\x00\xd2\xbf\xea\x3b\x8d\x18\x8d\xf2\xef\xf8" 
"\xd5\x6a\xaa\xe7\xd3\x2a\x2e\x18\x37\x22\x53\x73\x95\x01\x9f\x02\xec\x4b" "\x85\xf6\x00\x00\xfa\xca\x08\x8d\xe9\xb2\x67\x97\xa8\x44\x6b\x16\xc2\x8d" "\x85\xf2\x25\x99\x2d\xbd\xd5\xbb\x01\xba\x51\x50\x89\x51\xc7\xa7\xd6\xca" "\x09\x16\xc3\xa1\x29\x12\x71\x56\x49\xc2\xb1\xc7\x19\x20\x42\x51\xb5\x9d" "\x37\x8d\x1d\x16\xa4\x8c\x79\x57\xe1\x22\x76\x5c\x8b\x7e\x89\xed\xdf\xc3" "\x78\x3f\x6c\x91\x29\xa7\xc5\xf8\xee\x41\x91\xdc\x15\x2f\x63\x8f\x7e\xb1" "\x2f\x63\xbe\x72\xa3\xd8\x17\xb3\x24\xd6\xe4\x17\xb1\xc2\xcb\xfd\xca\xda" "\x0a\x16\xe3\x17\x90\xe2\x6c\xf1\x95\x88\xa7\xe0\x49\x6e\xe2\x78\x22\x24" "\xcf\x30\xf8\x10\xda\x86\xcf\x1a\x32\x04\xf4\xc9\x40\x4f\x5d\x73\x21\xa4" "\xfe\xfc\x0d\x1c\xf9\xff\xff\xff\xff\xff\xff\xff\x95\x00\x00\x00\x6b\x42" "\x07\x7c\xa6\x0f\xde\xcb\x27\x17\xe2\x1f\x8f\x18\x7b\x18\x66\x10\x8b\x66" "\x8c\x71\xe2\x60\x32\x17\x60\x66\x59\x97\x83\x56\x86\x28\xf0\x30\x9c\x3a" "\x01\x71\x6d\x37\x06\xe1\xfa\x89\x91\x7e\x13\x1f\x40\x34\xa8\x38\x3e\x99" "\xc3\x56\x8f\xd0\x42\x01\xb3\x7c\xd9\x2c\xa6\xeb\xf9\x4a\x6c\x88\x0e\x9e" "\x7d\xc9\x1e\x2b\x2d\x83\x10\xf7\x03\x27\x75\xcf\xd7\x56\xd2\xf8\x7b\x03" "\x9d\x54\x30\xb3\xc6\x64\x3e\x91\x46\xd2\x47\x8c\xe3\x13\x44\xb5\x54\xac" "\xa7\x28\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x13\x7c" "\x06\xe0\x59\x7a\x54\xfb\x1e\xc5\x2a\x8c\x44\xa6\xd8\xec\x2a\x83\x9b\xad" "\x84\xf9\x8e\x01\xac\xae\x55\x89\x84\x09\xfc\x0d\x6e\x23\x87\xd0\xf9\x90" "\xe0\xaa\x4d\x2c\x9e\xd6\x0a\x61\xe3\xea\x48\x68\x06\x6d\x2b\x9e\xf3\xb1" "\xb5\x07\xf4\x92\x87\x26\x7e\xa7\x7d\x7d\x28\x66\x39\x22\x8c\x53\x7f\x92" "\x51\x04\x75\xf6\xa4\xe4\xd7\x08\x9b\x5c\x06\xf3\xe2\x59\x90\x00\x2e\x3e" "\x8e\x77\x24\xc7\x31\xe8\xf3\x7f\x0f\x3e\xe2\x4e\x59\x87\x40\xc5\x93\xf9" "\x6c\xea\xe6\x5a\x7d\x32\x75\xe8\x58\x4d\xe7\xbe\xba\x41\x01\x75\x23\xc5" "\x6e\xf4\x4a\x8c\x32\x6a\x7a\x24\x7c\xcb\x16\xff\xb4\x35\xcf\x4b\x85\xbd" "\xbc\xd4\xfa\xcc\x7b\xfa\x3f\x4c\x47\x5c\x33\xf7\x1b\x6b\x20\x75\x83\x5b" 
"\x71\x95\x29\xa7\x8b\x93\x5d\x06\x3a\x2a\x98\x00\x99\x53\x67\xa9\x4b\xc3" "\x9c\x7a\x5e\x6e\x8a\xdc\x76\x98\x96\x8c\x49\xe4\x8a\xd2\xb5\x2f\x12\xef" "\x51\xf1\x41\x7a\xf0\xbd\x2b\x61\x0b\x34\xc0\x22\x50\xdf\x7a\xc7\x7b\x9c" "\x37\xc1\xd3\x98\xbe\xfd\x95\xe5\xfa\x92\x33\xf4\x12\xa0\x5e\xa3\xbe\x44" "\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\x1e\x86\xc3\xbf\x70" "\xe6\xf8\x33\xa4\xa5\xc5\xb8\x7a\xfb\xdc\x6f\xb7\xaf\x6f\xb5\xe5\xc2\x4f" "\x32\x0c\x99\xf8\x40\xc3\xdc\x10\x97\xab\x93\xba\xd7\xab\x6e\xb6\x4c\xbb" "\x5a\x48\x4f\xaf\xc0\x63\xf4\x6d\xfd\xe3\x90\x08\xe1\xd7\xea\x1f\x10\x11" "\x41\x86\x51\x5a\x78\x42\x7a\x74\xe3\xd7\x71\xfa\xa7\x84\x78\xe5\xf8\xd6" "\x44\xa5\xdf\x8f\x6b\xd7\xa6\xf4\x84\x6f\x20\x00\xd9\xe6\x4c\xd2\xe0\x29" "\x66\x8a\xb7\x9c\x8f\x05\x30\x03\xf3\xee\x5c\x5d\xe6\x66\xeb\xed\x18\x6b" "\x25\xb5\x7a\x1c\x32\xed\xb3\xb1\x8d\x81\x73\x7b\xbf\x3f\x91\x6c\x01\xcf" "\xe6\xbd\x50\x7b\x62\x59\x12\x1e\x37\x55\x42\x7f\x05\x38\xde\x98\x38\xd4" "\x61\xd6\x3f\x67\x9b\x44\x07\x99\x12\x3b\xfe\xf2\xce\x33\x15", 1167); *(uint64_t*)0x20000210 = 0x20000340; memcpy((void*)0x20000340, "GPL\000", 4); *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint64_t*)0x20000220 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; memset((void*)0x20000230, 0, 16); *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = -1; *(uint32_t*)0x2000024c = 8; *(uint64_t*)0x20000250 = 0x20000000; *(uint32_t*)0x20000000 = 0; *(uint32_t*)0x20000004 = 0; *(uint32_t*)0x20000258 = 8; *(uint32_t*)0x2000025c = 0x10; *(uint64_t*)0x20000260 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000268 = 0x10; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = -1; *(uint32_t*)0x20000274 = 0; *(uint64_t*)0x20000278 = 0; *(uint64_t*)0x20000280 = 0; *(uint32_t*)0x20000288 = 0x10; *(uint32_t*)0x2000028c = 0; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000200ul, 
/*size=*/0x14ul); memcpy((void*)0x20000000, "./cgroup.cpu/syz0\000", 18); syscall(__NR_mkdirat, /*fd=*/0xffffffffffffff9cul, /*path=*/0x20000000ul, /*mode=*/0x1fful); syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000000ul, /*flags=*/0x200002ul, /*mode=*/0ul); *(uint32_t*)0x2000e000 = 0x10; *(uint32_t*)0x2000e004 = 4; *(uint64_t*)0x2000e008 = 0x20000040; memcpy((void*)0x20000040, "\xb4\x00\x00\x00\x00\x00\x00\x00\x79\x10\x48\x00\x00\x00\x00\x00\x61" "\x04\x00\x00\x00\x00\x00\x00\x95\x00\x00\x00", 28); *(uint64_t*)0x2000e010 = 0x20003ff6; memcpy((void*)0x20003ff6, "GPL\000", 4); *(uint32_t*)0x2000e018 = 2; *(uint32_t*)0x2000e01c = 0xfd90; *(uint64_t*)0x2000e020 = 0x2000cf3d; *(uint32_t*)0x2000e028 = 0; *(uint32_t*)0x2000e02c = 0; memset((void*)0x2000e030, 0, 16); *(uint32_t*)0x2000e040 = 0; *(uint32_t*)0x2000e044 = 0; *(uint32_t*)0x2000e048 = -1; *(uint32_t*)0x2000e04c = 8; *(uint64_t*)0x2000e050 = 0; *(uint32_t*)0x2000e058 = 0; *(uint32_t*)0x2000e05c = 0x10; *(uint64_t*)0x2000e060 = 0; *(uint32_t*)0x2000e068 = 0; *(uint32_t*)0x2000e06c = 0; *(uint32_t*)0x2000e070 = -1; *(uint32_t*)0x2000e074 = 0; *(uint64_t*)0x2000e078 = 0; *(uint64_t*)0x2000e080 = 0; *(uint32_t*)0x2000e088 = 0x10; *(uint32_t*)0x2000e08c = 0; res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x2000e000ul, /*size=*/0x48ul); if (res != -1) r[5] = res; syscall(__NR_close, /*fd=*/r[5]); syscall(__NR_socketpair, /*domain=*/1ul, /*type=*/1ul, /*proto=*/0, /*fds=*/0x20000140ul); *(uint32_t*)0x20000200 = 0xf; *(uint32_t*)0x20000204 = 4; *(uint32_t*)0x20000208 = 4; *(uint32_t*)0x2000020c = 0x12; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = -1; *(uint32_t*)0x20000218 = 0; memset((void*)0x2000021c, 0, 16); *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = -1; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint64_t*)0x20000240 = 0; res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000200ul, /*size=*/0x48ul); if (res != -1) r[6] = res; 
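/* Tail of execute_one() (its body starts earlier in the file): the final
 * BPF_MAP_UPDATE_ELEM (cmd=2) that stores the program fd r[5] into map r[6].
 * Kept exactly as generated. */
  *(uint32_t*)0x200000c0 = r[6];
  *(uint64_t*)0x200000c8 = 0x20000000;
  *(uint32_t*)0x20000000 = 0;
  *(uint64_t*)0x200000d0 = 0x20000080;
  *(uint32_t*)0x20000080 = r[5];
  *(uint64_t*)0x200000d8 = 0;
  syscall(__NR_bpf, /*cmd=*/2ul, /*arg=*/0x200000c0ul, /*size=*/0x20ul);
}

/*
 * Entry point of the syzkaller reproducer.
 *
 * Establishes the fixed-address scratch mappings that execute_one() reads and
 * writes through absolute pointers (0x200000xx ...), forks five worker
 * processes that each run loop() forever, and then parks the parent in a very
 * long sleep(). The program never terminates on its own: loop() is an endless
 * for(;;) and the parent sleeps for ~11 days. It exists to trigger a kernel
 * BPF bug (see the syzkaller URL at the top of the file), so run it only in a
 * disposable VM, never on a machine you care about.
 *
 * Returns 0 only if sleep() ever returns; exits with status 1 if the scratch
 * mappings cannot be set up.
 */
int main(void) {
  /*
   * Three MAP_FIXED anonymous mappings: a PROT_NONE guard page below the data
   * region, the 16 MiB data region itself at 0x20000000, and a PROT_NONE guard
   * page above it. The data region is mapped PROT_READ|PROT_WRITE|PROT_EXEC
   * (prot=7) exactly as the generator emitted it; nothing visible in this
   * file executes code from it, but the flags are kept for fidelity with the
   * original reproducer.
   *
   * The generated code ignored the return values. MAP_FIXED can still fail
   * (e.g. the range overlaps a mapping the kernel refuses to replace, or
   * mmap_min_addr/limits), and if it does, every fixed-address store in
   * execute_one() becomes a wild write that shows up as a confusing SIGSEGV
   * in a worker rather than a setup error. Check each call and bail out with
   * the file's existing exit(1) convention instead.
   */
  if (syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
              /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
              /*offset=*/0ul) == -1)
    exit(1);
  if (syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
              /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
              /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
              /*offset=*/0ul) == -1)
    exit(1);
  if (syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
              /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
              /*offset=*/0ul) == -1)
    exit(1);

  /*
   * Spawn five independent workers. Each child runs loop(), which repeatedly
   * forks a grandchild to run execute_one() under a 5 s timeout and never
   * returns. A failed fork() (-1) is deliberately tolerated, as in the
   * original: it just means one fewer worker, and aborting here would orphan
   * the workers already started (only the grandchildren set PDEATHSIG).
   */
  for (procid = 0; procid < 5; procid++) {
    int pid = fork();
    if (pid == 0) {
      loop();
      /* loop() never returns; if it ever did, make sure the child does not
       * fall through and start forking workers of its own. */
      exit(0);
    }
  }

  /* Keep the parent alive (and the process group intact) essentially forever;
   * the reproducer is stopped from outside, typically by the VM crashing. */
  sleep(1000000);
  return 0;
}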