// https://syzkaller.appspot.com/bug?id=2090fc84c9b974b22907e37fb822191f1ecf60cc
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the kernel bug linked above. main() forks six worker
// processes that each run loop(): fork a short-lived test child, let it
// issue a fixed sequence of four syscalls (one sendmmsg() and three bpf()
// commands) from a pool of up to 16 threads, reap it (forcibly after 5 s)
// and repeat. Every syscall argument structure is written to a hard-coded
// address inside the region main() maps at 0x20000000, which is why the
// program has no ordinary local argument structs.

#define _GNU_SOURCE
// NOTE(review): the header names were lost when this page was extracted
// (every #include below has an empty operand), so this listing does not
// build as-is; take the include list from the original reproducer.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Worker index, assigned by main() before each fork. The forked workers
// inherit their value but nothing below reads it.
static unsigned long long procid;

// Sleeps for ms milliseconds. The product is narrowed to usleep's argument
// type; the only caller passes 1.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds. Exits the process if the clock cannot be
// read; there is no sensible fallback for the timeouts built on it.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Starts a worker thread with a 128 KiB stack. The pthread_t is dropped, so
// threads are never joined. EAGAIN is retried up to 100 times with a 50 us
// pause; any other failure, or exhausting the retries, exits the process.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// Minimal one-shot event built on a futex word: 0 = clear, 1 = set.
typedef struct {
  int state;
} event_t;

static void event_init(event_t* ev)
{
  ev->state = 0;
}

// Clears the event with a plain store. Callers only do this from the side
// that just consumed the event, never concurrently with event_set().
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Sets the event and wakes every futex waiter. Setting an event that is
// already set is treated as a protocol violation and aborts the process,
// which is how the ready/done handshake below detects a double dispatch.
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Blocks until the event is set. The state is re-checked in a loop because
// FUTEX_WAIT can return before the word actually changed.
static void event_wait(event_t* ev)
{
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Non-blocking test; returns the current (0/1) state.
static int event_isset(event_t* ev)
{
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Waits up to timeout ms for the event. Returns 1 if it was set, 0 on
// timeout. The remaining time is recomputed from the monotonic clock on
// every wakeup, so early futex returns do not extend the deadline.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    now = current_time_ms();
    if (now - start > timeout)
      return 0;
  }
}

// printf-style formats `what` into a 1 KiB buffer (longer output is
// silently truncated) and writes it to `file` with a single write().
// Returns false if the file cannot be opened or the write is short; errno
// from the failing write() survives the close().
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;  // belt-and-braces: vsnprintf already terminates
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// SIGKILLs the test child `pid` and its whole process group and reaps it
// into *status. If the child is still not reaped after ~100 ms of polling,
// every connection under /sys/fs/fuse/connections is aborted before
// blocking in waitpid() — presumably for children stuck in a FUSE request;
// the code gives no other reason. What is written to the abort file is just
// the first byte of the path, so any write is evidently expected to do.
// A child that remains unkillable for another reason hangs here forever.
// waitpid(-1) is safe only because each loop() has one live child at a time.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Runs in the freshly forked test child: die with the parent
// (PR_SET_PDEATHSIG), become a process-group leader so kill(-pid) in
// kill_and_wait() reaches every thread and grandchild, and volunteer as the
// first OOM-kill victim. Return values are deliberately ignored.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

// One worker-thread slot. execute_one() stores `call` and signals `ready`;
// the thread signals `done` when the syscall has returned.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of threads currently inside execute_call(); execute_one() waits for
// it to drain before the child exits.
static int running;

// Worker thread body: wait for a dispatch, run it, report completion, repeat.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Issues calls 0..3 in order, each on the first idle thread (one whose
// `done` event is set), creating threads lazily. Each dispatch waits at most
// 50 ms for the call to return, so a call that blocks in the kernel does
// not stop the following calls from being issued on another thread. At the
// end it waits up to ~100 ms for all in-flight calls to finish.
static void execute_one(void)
{
  int i, call, thread;
  for (call = 0; call < 4; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);  // a freshly created thread counts as idle
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 50);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);  // redundant prototype after the definition
#define WAIT_FLAGS __WALL

// Worker main loop, never returns: fork a test child per iteration, give it
// up to 5 s to run execute_one() and exit, then kill and reap it.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000) {
        continue;
      }
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Fallback bpf() syscall number when the headers do not provide one. 321 is
// the x86_64 value, so the fallback is only correct on that architecture.
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Result slot shared between calls: r[0] receives the fd returned by the
// bpf() in case 1 and is passed as the map fd in cases 2 and 3. It starts
// as -1 (an invalid fd) so that cases 2/3 running before, or without, a
// successful case 1 refer to no file.
uint64_t r[1] = {0xffffffffffffffff};

// Executes one of the four fixed syscalls. Arguments are assembled by
// storing into the fixed-address region mapped in main() rather than into
// local structs. The field names in the comments are inferred from the
// offsets and sizes; confirm against the uapi headers before relying on them.
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    // struct mmsghdr at 0x20000bc0 whose msg_iov is a 2-entry iovec at
    // 0x200008c0; the two payloads are opaque fuzzer-generated bytes.
    *(uint64_t*)0x20000bc0 = 0;           // msg_name
    *(uint32_t*)0x20000bc8 = 0;           // msg_namelen
    *(uint64_t*)0x20000bd0 = 0x200008c0;  // msg_iov
    *(uint64_t*)0x200008c0 = 0x200021c0;  // iov[0].iov_base
    memcpy(
        (void*)0x200021c0,
        "\xdb\x73\xb6\xf0\xc0\x76\x8d\xd0\x93\x4f\x6d\xe3\xec\x72\xf0\xac\xd2"
        "\x69\x8c\xfe\x27\xd0\x0f\x28\x25\x27\x57\x9f\x4b\x42\x01\xd1\x97\x07"
        "\x71\xbe\xca\xe8\xde\xa3\x22\xad\x83\x8b\xc1\x0b\x4d\xf8\x13\x25\x50"
        "\x0f\x0b\x13\x70\xa8\x9a\x2b\xea\xaf\x5d\x3c\xd6\x82\xa0\x86\x8b\x2e"
        "\xdf\x8a\x47\xb3\x93\xda\x3e\xf6\xa2\x81\x6e\x21\x75\xb2\xc9\xb0\xe6"
        "\x62\x03\x20\x6d\xbf\x71\x1b\xf4\xdd\x2f\x7e\x45\xbe\x04\xd9\x3a\x7a"
        "\xc4\xe6\x55\x79\xa1\xd5\x29\x6d\xf2\xef\x8f\xd4\x5f\x52\x0a\xcd\x37"
        "\xd6\x3b\x98\xb9\x65\x8e\xc1\x98\x41\x60\x24\x83\xd0\x39\x35\x9d\x6f"
        "\xa9\xe1\xc4\xdf\x8b\xf5\x97\xa3\x5b\xec\x44\xa9\x3c\xb9\xea\x32\xad"
        "\x4e\x74\x08\x93\xd0\xe8\xdc\x5d\x6c\x86\x15\xd1\x73\x6e\xdc\x84\x87"
        "\xc9\xed\x68\x0a\x39\x1b\xf1\x17\x93\x4e\x88\xe6\x0c\x19\x0b\x25\x0c"
        "\x85\x62\x07\x0e\x52\xa9\x84\xd3\xd9\xa4\x1c\xd5\xf7\x67\x8e\xb3\x1c"
        "\x1f\x34\xea\xf6\x92\x6f\x6e\x3c\x89\x10\xd8\xeb\x87\x9d\x7e\x23\x39"
        "\x51\x0f\x43\x65\x09\x98\x76\x2a\xf5\xed\xc9\x79\xc4\xdd\x23\x39\x9a"
        "\xf8\x44\x13\xd7\x43\xdf\x3f\xa0\xef\xe0\x27\x5a\xe3\x51\x9e\xa0\x93"
        "\x42\x14\x3b\x23\xc4\xaf\x09\xf5\x37\x40\x82\xf0\x84\x19\xb7\x39\x54"
        "\x91\xd0\x9c\x5a\x4e\x89\x92\x6e\xeb\xba\x0f\x4b\x90\xe9\xb8\xd0\x93"
        "\x3e\xce\xaa\x05\x49\xf9\x64\x2f\x96\x21\x55\xb1\x95\xee\x00\x8d\xd6"
        "\x1a\xf5\x0f\x42\x50\xc7\x0b\x79\xcf\xfd\x94\x3c\x51\x07\xca\x24\x03"
        "\x06\xc0\x6d\x51\x7d\x33\x45\x7a\xb8\x82\x6b\x75\xb8\x1c\xcb\xcf\x6d"
        "\x8b\xe4\x40\xfe\x92\xc1\xf7\x2b\x46\x75\xdf\xab\x80\xe0\x9d\x43\x84"
        "\x1d\x36\x4b\x74\x78\x25\x51\x7b\x81\x28\x87\x64\xd6\xe8\xa7\xf9\x9c"
        "\xca\xd0\x2f\xcc\x53\x59\x23\xf7\x61\xc0\x0f\xb9\x9d\xfa\x92\x6f\x2b"
        "\x03\x96\x1c\x9f\xa4\xaa\x3f\x16\x15\x3e\x4a\xae\xa5\x2f\x40\x02\x10"
        "\x81\x1e\xcc\xf5\x07\xf4\x2c\xd8\x9d\x25\xb4\x0a\x24\x4c\xbe\x45\x67"
        "\xc5\x60\xba\xd0\x4f\x24\x55\xec\xc5\x62\x6b\xea\x4f\x4d\xce\x82\xe1"
        "\x1c\x78\x83\x67\x15\x14\xfa\x53\x45\x27\xcd\xae\x25\x3c\x46\xc6\x5e"
        "\x6a\x9c\x8a\x33\xe9\xad\xff\xbf\xa7\x20\x11\xee\xcf\x54\x83\x3f\xe7"
        "\x36\xa7\x35\x06\xce\xfd\x97\xcf\xec\xa0\xaf\x90\xf3\xd0\xec\x20\xcc"
        "\xca\xbb\xbd\x90\x01\x48\x53\x20\x96\x76\x87\x56\x7c\xdc\x82\x79\xcd"
        "\x70\x09\xb6\x51\x0c\x39\x87\x97\xa2\xda\x80\xa1\x74\x2e\x93\x9d\x18"
        "\xe9\xd0\x6f\x15\x23\x52\x5c\xaa\x62\xea\x30\xb0\x69\x11\x87\xb3\x37"
        "\x32\x48\x6e\xf8\xf6\xee\xa8\x1b\x9f\x01\x57\xee\x2e\xae\x1a\xad\x2a"
        "\xcb\x6a\x6f\xc6\xab\x52\x50\xc1\xf2\xeb\x50\xbf\x97\x4f\x8c\x69\x3a"
        "\x14\x7c\x38\x92\xd4\xfb\x1b\x56\xa1\x40\xf9\xf9\x79\xa9\x24\xe8\x17"
        "\xa7\xcc\x99\xc4\x8b\x0f\x2b\x17\x52\x2f\x1d\xff\x50\x2c\xd2\xbc\x8f"
        "\xe4\x19\xb4\xd4\x4e\xff\xa5\xe4\x9d\x37\x21\xb2\x15\x0d\xdf\xc5\x14"
        "\x94\x46\x5c\x72\xcb\x18\x70\x94\x7d\x52\xbf\x8e\xd5\x95\xb2\x90\xd7"
        "\x40\xed\x7e\xb3\x58\x14\x65\x71\xef\x74\xe5\x5f\xc8\xa8\x0d\x02\x18"
        "\xc6\x2e\x81\xcc\xfc\xe1\x81\xc1\xb7\x9b\xca\x79\x8e\x30\x77\xf4\x96"
        "\xea\xc0\x15\x6e\x76\x75\x16\xa2\x8a\x66\xd5\x9a\x6c\x28\x6c\x2c\x04"
        "\xd8\xe0\x55\x98\xff\xce\x6a\x14\xf1\x9f\x9c\xe6\xaf\x36\xa2\x48\x24"
        "\xb6\x46\xe6\x76\x57\xa4\xe9\x5a\xa5\x4f\xf5\x04\x85\x60\xd5\xff\x2b"
        "\xed\x2c\x35\xcc\x93\x0e\x31\xcf\xf8\xdd\xbe\x81\x98\xb0\x18\x62\xcb"
        "\xdc\xcd\x4b\x91\xf3\x13\xa7\xd4\x89\xd6\xd3\x5d\xdf\x67\xd9\x80\xf0"
        "\xb5\xa6\x18\x29\x16\x17\x19\xc7\x8f\x73\xfb\x0f\x20\x6a\x45\x8d\xb2"
        "\xe9\x62\x21\x4a\xa0\x94\x1f\x94\xb0\xad\xff\x8d\x27\xd7\x36\xa2\xf0"
        "\xc1\x6e\xa4\x48\xb9\x40\x28\x54\x11\xf0\x9d\x4c\xcf\x9e\xfc\x7e\x46"
        "\xa6\xa0\x84\xf7\x09\xcf\xd9\x2f\xb8\x1e\x24\x90\x3f\x3d\xf1\x80\xb6"
        "\xc2\x41\x95\x65\xb4\x75\xcc\x14\x9e\x15\x25\xeb\xb8\xdc\x63\x63\xad"
        "\x19\x54\x1d\x28\x73\xfc\x56\xff\xa8\x3f\xe1\x8c\x3c\x8d\xe5\x48\xad"
        "\xc7\xb1\xc1\xd0\x04\x0d\x00\xaf\x30\x09\x68\x72\x90\x20\xc8\x2d\x0b"
        "\x19\x76\x87\x9f\x8e\x5d\x4b\x35\xce\x55\x08\xb5\xf1\xe3\xb7\xe4\x0e"
        "\x0d\xf9\x75\xf2\x93\x21\xc9\x06\x83\x7d\xdf\x96\xa8\xcb\xa5\xf4\xe0"
        "\x9e\x4c\x67\x4d\xb0\xec\x51\xb6\x78\xba\x99\xe9\x65\x89\x16\x5e\x80"
        "\x4b\x0c\xa9\x39\x4e\x68\x56\x39\xde\x83\x6a\x37\x05\x73\x70\x75\x87"
        "\x58\xe2\xeb\x5c\xe4\x56\x21\x96\x82\x28\xaa\x5a\xb8\xa2\x73\xe0\xa5"
        "\x2a\x2a\x5c\xd6\xc1\x86\x33\x41\xfc\x99\x98\x39\xb1\x80\x66\x6f\x9b"
        "\x7e\xda\x3d\x48\x36\x66\x5e\x86\x54\x38\xbf\x20\x07\x1b\x7d\x74\xa4"
        "\xd6\x2c\x43\x4a\x0a\xde\xbd\xd6\xff\x39\xdf\xce\x03\xb7\x7c\x0d\x6a"
        "\xc0\x09\xa6\xe8\xb7\xa7\x1d\xcc\x20\x47\x1b\x3a\x22\x40\x22\xa9\xcf"
        "\x15\x0a\x93\xde\x8b\x82\x01\x69\x14\x5d\xf6\xdc\x2b\x99\xed\xac\xa2"
        "\xc7\xe4\xb5\x66\x71\x6d\x43\x45\xd0\xf7\x73\x5e\xf8\xc3\x62\x69\x8c"
        "\x9e\xc1\x2e\x4b\x68\xcb\x2e\xf7\xa8\x95\x30\x84\x82\x77\xd4\x03\x4c"
        "\x44\x3e\x70\x70\x97\xb8\x60\xcd\x00\xa5\x3e\xf1\x5a\xfa\xfa\x82\x81"
        "\xfe\x16\x62\x2b\xdb\x3c\xcc\x48\xf1\x21\x8f\xf2\x5b\xc1\x93\xb5\x6f"
        "\xe6\xa1\xeb\xbf\x02\xf4\x9e\xcb\x2e\x3c\xdd\xf9\x76\x0d\xfc\xfb\x6c"
        "\x00\x24\x5b\x23\xbb\x34\xbe\x6a\xc1\xb8\xbd\xa0\xa5\xd9\x8f\xc0\x24"
        "\xfa\xc1\x92\x27\xa0\xe6\x4b\x79\xe3\xe8\x02\x32\x80\x5b\x53\x7e\x90"
        "\x61\x5d\xba\x67\xdd\xe4\xe1\x61\x56\x0f\xe7\x1a\xaa\x25\x03\x37\xc9"
        "\xdc\xba\xa2\x08\x8e\xaa\xe6\xca\x60\x9d\xa2\xb0\x91\x32\x22\xda\xea"
        "\x8f\x76\x23\xfb\x69\x6c\x67\xa7\x66\xb0\x3f\xfa\x1c\x1e\x27\x45\xc4"
        "\x86\xfd\xc7\x89\x94\x06\x09\x36\xa3\x62\xed\xbf\xef\xfe\xff\xe5\xac"
        "\xbd\x9b\xbe\xd9\x28\x81\x15\x09\xd6\xae\x29\x70\x79\x9e\xfe\x19\xc7"
        "\xb0\xe3\x4c\x2d\xbd\x1c\xc5\x27\x2f\x62\x3b\xd7\xe7\x36\x9c\x49\x71"
        "\x85\x58\xee\xfa\xe5\xd5\x58\x4c\x06\x76\x2e\x76\xb9\xc3\xcc\xeb\x84"
        "\xe0\xd6\xab\x30\x4f\x8d\x41\x8a\xf4\x8c\x73\x20\x13\x03\x95\xbb\xa9"
        "\x9e\x7f\x1f\x84\x7d\x28\x69\xb1\xa0\xb7\xa6\x1a\x93\x71\x80\x64\x03"
        "\x47\xb0\x3e\x5b\xb6\x67\x72\xc8\xa5\xa6\xf6\x9f\x4b\x25\xf9\x2e\xfd"
        "\x9a\xcf\x91\x26\x29\x26\x4c\xc6\xa8\xc1\xf8\xfc\x61\x50\xc2\x65\xf6"
        "\x60\xeb\x12\xfa\x47\x6a\x16\x40\x35\xd9\x25\x2f\xa6\x01\x13\x23\x99"
        "\x98\x18\xde\xf1\x9e\xd6\x4c\xec\xb3\x36\xae\x42\xdb\xbe\xe3\xdd\x55"
        "\x04\x06\x36\x9c\x6c\x02\x82\xc6\xa2\x64\xdf\xce\xbb\xe5\xb1\x45\xb4"
        "\xac\x28\x78\x6d\x14\x59\x81\x8d\x08\xbd\x36\x03\x47\x46\x5e\x86\xca"
        "\xf4\xd3\xf1\x4a\x46\xc5\x76\x8b\xb6\xd5\x69\xb9\xf5\xc1\xf0\xb8\x33"
        "\x06\x2d\x72\x58\x7d\x03\xcf\x99\x3d\xb9\x73\x94\x34\xff\x42\x2b\xab"
        "\xc6\x32\xba\x4b\x48\x6f\x36\x23\x58\x45\xe6\x4f\x78\x42\xf4\xf3\xdf"
        "\xf8\x8f\x26\x54\x05\xd1\xde\xf8\xc7\x2e\xde\x4b\x13\x93\xa6\xc7\xd3"
        "\x21\xd1\x32\x95\xde\x9c\xbb\xfa\x1a\x5b\x46\xfb\xcc\xe8\x73\xf1\x79"
        "\xcd\x86\xa1\x41\x57\x07\x17\xbe\xd4\x7b\xa3\x09\x0f\xc5\x05\x4c\xca"
        "\xb4\x02\x9a\xc5\xe8\x57\x06\x2b\xb0\x46\xc0\xbb\x23\xf3\xdf\xd6\x97"
        "\xd9\xdc\x91\xcc\x7e\x50\x0c\x5d\xbf\x77\xec\xb5\xce\x9b\xae\x29\xcf"
        "\xdb\x01\x6d\x2e\x59\xf9\xe8\xf9\x2d\x67\x6d\x19\x4a\x3e\x5f\x6b\x7c"
        "\x30\xd1\xc0\x1b\x1d\x15\x61\x1a\x31\x06\x27\x41\x98\x6e\xaf\xc8\x9b"
        "\x69\xa5\x37\x93\x93\x76\x87\x7a\xe4\x23\x1a\x9b\x76\x78\x69\x43\x39"
        "\xdb\x57\xa6\x90\x60\x09\xf5\x50\x7d\x24\xcf\x62\xbc\x6a\xf6\xaa\x1c"
        "\x9d\x7e\xb7\x32\x41\x62\xa5\x38\x80\x58\x83\xf5\x44\xb1\x94\xf1\xaf"
        "\x1b\x9a\x81\xf2\x4f\x94\xb3\x77\x85\xa1\xe2\x51\x09\xbf\x73\x49\x4f"
        "\xc3\x48\x4b\x06\x93\xe0\x60\x7a\x89\x04\xcd\x6b\x6c\x7c\x13\xfd\xae"
        "\x80\xdb\x1f\x21\x02\x45\xdd\x04\x04\xdd\xc0\x83\x47\x85\xb7\xcf\x1e"
        "\x83\x54\xa1\xf2\xf0\x84\xb7\xd1\x85\xb0\x57\xea\xb8\x0c\x24\x1c\x94"
        "\x6f\xd2\x76\x63\x7a\x0c\xf5\x2b\x5b\xd1\x6f\xe3\x7b\xd5\xea\x02\x2e"
        "\x9f\x64\xfd\xe8\x87\x25\x68\xad\x30\x55\x40\x52\x4f\x9c\x9d\x18\xae"
        "\x14\xb6\xf9\xe7\x0c\xc2\x72\x84\xd1\x57\xef\x03\x45\xd5\x25\xcd\x67"
        "\xb9\x6d\x4a\x16\x7e\xe1\xcf\x3b\x56\x6d\xd9\xd7\x5c\x2a\xa3\xdb\xcf"
        "\x5e\xae\xe7\xf7\x51\x3e\x22\xc2\xe4\xd7\xb3\x6d\xe6\xc9\x68\x0e\xda"
        "\x74\x9a\xcd\xfb\x63\x8b\x07\x97\x5e\xd2\x20\xaa\x4a\x9a\x17\xda\x3f"
        "\x04\x40\x83\xf8\x7d\xbd\x4a\x29\x7c\xe6\xbd\xb0\x3c\xcc\x62\x37\xbd"
        "\xd5\xe4\x38\x11\x90\x46\xb8\xd7\xf8\x2c\x4d\x1a\xd6\xe5\xfc\x39\x94"
        "\xfd\x45\xda\x97\xca\x46\x86\xda\xb8\x30\x20\xee\xf2\x7c\xbb\xdd\x86"
        "\xb8\x2f\xcc\x66\xf5\xce\x4d\x6f\xb0\x81\x6c\x8c\x20\xce\x66\x64\x28"
        "\x0e\x34\xa3\xad\x07\x8f\x7f\xae\x13\x4a\x10\x54\x42\x93\x16\x27\xfa"
        "\xaa\xdf\x08\xac\xbf\xb5\x83\xb8\x3c\x16\x13\x2c\x94\xc4\xd0\x19\x6e"
        "\xd7\x85\x4b\x22\xaa\xf5\xaf\x46\xe9\x05\x05\xe6\x98\xba\xfe\xce\x00"
        "\xb6\x36\x11\xf1\xad\x8a\x80\xac\xa0\x82\x33\xca\x05\x3c\x0e\x3a\x26"
        "\xd4\xcd\xa2\xc7\xe3\xfa\x41\x3f\x54\xc6\x43\xb7\xe3\x33\x97\xb1\x16"
        "\x89\x99\x95\xd6\xcb\x16\xb4\x5e\xd2\x99\xd4\xf0\x82\xd1\xea\x15\xbb"
        "\x6b\xbc\xbe\x29\x9a\x28\x4e\xd1\xe9\x3e\xae\xc5\xe8\x82\x0b\x87\x6f"
        "\x30\x21\x2a\xa0\x4c\x66\xf4\x24\x92\xe2\x9b\xf5\xff\x78\x14\x0a\x2d"
        "\x07\x96\x44\x02\xa4\x43\xc6\xb9\xca\x2f\xdd\xba\xf7\x19\xc7\x70\x13"
        "\x2d\x30\xf8\x00\xeb\xe7\x9b\xc4\xfd\x47\x26\x0c\xdd\x8a\x9d\xfc\x58"
        "\xd2\x2d\x48\x25\xb1\xc4\xd3\x56\xc1\x27\x02\x5e\x33\x18\x84\xb3\x56"
        "\x4a\xab\xbe\x25\x40\x49\xda\x80\xd9\x52\xc6\x00\xa3\xda\xc0\x6c\xdf"
        "\x11\xe3\x38\x4b\x27\x5c\x09\x5e\xbc\x22\xad\x90\xd2\x0e\xfe\xf7\x16"
        "\x5a\x90\xdf\x52\x6c\xd7\x41\x85\xc0\x6c\x1d\xc7\xe8\x5c\x87\x3e\x90"
        "\x9b\x14\x04\xaf\x13\x6d\x50\x95\xa0\xbe\x7d\xeb\xa2\xf5\x17\x80\xc5"
        "\xdd\xbf\x5b\x7c\xad\xb6\x8a\x71\x63\x8f\x58\x04\x65\xfc\x60\x33\xe2"
        "\x79\x1b\x91\x62",
        2163);
    *(uint64_t*)0x200008c8 = 0x873;       // iov[0].iov_len (2163, matches the memcpy)
    *(uint64_t*)0x200008d0 = 0x200031c0;  // iov[1].iov_base
    memcpy(
        (void*)0x200031c0,
        "\xf2\xaf\x3c\xb3\x8d\xe5\x65\xa3\x77\x73\x0a\x2e\x48\x21\xfc\x23\xef"
        "\x2c\x94\x04\x4d\xad\x2c\xe3\x14\xe7\x74\x42\xca\xc2\x83\x8b\x4c\x34"
        "\xe1\x1e\x84\x14\x92\x0a\xa6\x9f\xec\x43\xa6\xa0\xeb\x8b\x4c\xde\x06"
        "\x21\x61\x44\x1c\xa4\xe2\x20\x54\x9e\x1a\x84\x99\x49\xe9\xfa\x52\xa2"
        "\x08\x9e\x85\x13\x34\x6f\xcc\x79\xd0\x6a\x09\xe4\x09\xe3\xe2\xcf\x67"
        "\xba\x83\x1a\xc8\xea\xf8\xe6\x04\xa0\x7a\xa8\x6e\xcb\x86\x34\x2c\x39"
        "\x8a\xb0\x57\x67\x45\x12\x7d\x32\x3c\x2c\xb5\x32\xd0\x7e\x59\x32\x95"
        "\x8e\x88\x9c\x03\x6f\xbb\x77\x82\xd4\x94\x6f\x23\xab\xee\xf9\x89\xb4"
        "\x9c\x01\xde\xc5\x1a\x5c\xcf\xa3\x2f\xc1\xce\xf2\xa7\xd6\x22\x7b\x4f"
        "\x2e\x56\xcc\xf2\x9a\x0b\x48\xbc\x49\xce\x61\x26\x62\x08\x67\x83\x5a"
        "\xa1\xf5\xd9\xe1\xd5\xb6\x6c\x45\x93\xa9\x46\xfc\x4d\x4a\x4f\x85\x9a"
        "\xcb\x24\x0f\x17\x17\x44\xe4\x29\xa1\x68\x80\xcc\x7d\xa8\x06\x28\x88"
        "\x26\x73\x42\x36\x1b\xe1\x92\x44\x84\x2b\x88\xd1\xe3\x38\xe2\x3a\x6d"
        "\xf7\xa8\xd9\xb8\x90\x55\x10\x64\xc7\xfd\xe3\x79\x8a\x53\xdd\x2e\x49"
        "\x7a\x6e\x94\x75\x0d\xe7\x4f\x93\x11\xc5\x35\x2f\xba\x98\xb2\x6d\x9c"
        "\x06\xe2\x32\x13\x92\xd3\x59\x26\xfb\xea\x75\x99\x15\xe1\x6c\x3c\xef"
        "\x34\x2a\xb6\x70\x93\xe3\x26\x1b\xd7\x9c\x2a\x3a\x69\x9d\x44\x5b\x54"
        "\x01\xf7\x18\x52\x88\x5b\x89\x87\xd4\x6b\x91\xb9\x95\x8a\x1d\xbc\x40"
        "\x24\x6b\xef\xf4\xfa\x05\x01\xda\x22\xcc\xd2\x62\xbb\x43\x23\x84\xdb"
        "\xec\x22\x77\x1d\x15\x4e\x50\x79\x0e\x6d\xd4\x70\xb4\xfa\x38\x37\x7f"
        "\x80\x8f\xbe\x4f\xec\x6f\x78\x44\x9b\xc6\x0d\xee\xc6\x50\x36\xad\xc7"
        "\xa3\xa3\xd0\x02\x3a\xa9\xc0\x80\x27\x67\x27\x5e\xe8\xe4\x05\x3c\xa6"
        "\x6a\x8e\xa1\x77\x73\x87\x49\x65\xcb\x12\xb1\x49\x45\x53\x8b\xcd\x55"
        "\x09\xae\xfe\x07\xc2\x08\xd7\x52\xef\x16\x16\xca\xf3\x5b\xe0\x46\x8e"
        "\xc4\x2d\x65\xb1\x25\x5b\x38\x47\x22\xfc\x05\xcd\x46\xcd\xaf\x7e\xf8"
        "\xe3\x6e\xff\x9f\xe0\x1f\x2e\x49\x9e\x4e\x1e\x61\x58\xf7\xbd\x9a\xf5"
        "\x0e\xb7\x38\xe3\xd7\x40\xe2\x76\x5b\x42\x3d\x5a\x92\x29\x2e\xc6\xb2"
        "\x87\x51\x49\x67\xf0\xbc\xad\x65\xd9\x83\xe7\x10\xef\xa5\xc0\xce\x14"
        "\xcb\xd3\x43\x8f\x10\x3b\x55\x29\x41\x2a\x9e\x76\xe8\x6e\x12\xbe\x46"
        "\x51\x00\x0b\x58\xcf\x6d\x41\xc9\x83\xc4\x54\x19\x45\x36\xa9\x97\xfc"
        "\x4b\x1c\xb1\x7e\xdc\x67\xa2\xbd\x6a\xf5\x3f\xeb\x62\x26\xb6\xdc\x49"
        "\x59\x92\x1c\xd6\xe9\x3f\x85\xa8\x68\x0a\x81\xb0\x0b\xc4\xb1\xa6\x9e"
        "\x7d\x28\x9a\xc8\x5c\x19\x8e\xab\x79\x72\xf7\xe8\x19\x17\x17\xe8\xcd"
        "\x83\x33\x07\x8a\x84\x6f\x5a\x33\x13\x90\x9e\x9c\x28\x51\x46\xb4\xef"
        "\x90\xbf\x80\x67\x05\xd4\x38\x05\x41\xa6\x79\x9f\x72\x81\x64\xde\xe3"
        "\x72\xea\x82\x6d\xe1\x7b\x83\x0c\x7f\x69\xf1\xee\x63\x63\x37\xec\xc4"
        "\x64\xe5\x33\x36\xc2\xf7\x9e\xc0\x65\x97",
        622);
    *(uint64_t*)0x200008d8 = 0x26e;  // iov[1].iov_len (622, matches the memcpy)
    *(uint64_t*)0x20000bd8 = 2;      // msg_iovlen
    *(uint64_t*)0x20000be0 = 0;      // msg_control
    *(uint64_t*)0x20000be8 = 0;      // msg_controllen
    *(uint32_t*)0x20000bf0 = 0;      // msg_flags
    *(uint32_t*)0x20000bf8 = 0;      // msg_len (output field)
    // sockfd is -1, so this call is expected to fail with EBADF; the
    // return value is deliberately ignored.
    syscall(__NR_sendmmsg, -1, 0x20000bc0ul, 1ul, 0ul);
    break;
  case 1:
    // 0x40-byte bpf_attr at 0x200000c0 for bpf() cmd 0 — by its
    // map_type/key_size/value_size/max_entries layout presumably a
    // map-create request; confirm against uapi/linux/bpf.h.
    *(uint32_t*)0x200000c0 = 9;      // map_type
    *(uint32_t*)0x200000c4 = 7;      // key_size
    *(uint32_t*)0x200000c8 = 0x6d;   // value_size
    *(uint32_t*)0x200000cc = 0x7ff;  // max_entries
    *(uint32_t*)0x200000d0 = 0xc0;   // map_flags
    *(uint32_t*)0x200000d4 = -1;     // inner_map_fd (none)
    *(uint32_t*)0x200000d8 = 0;      // numa_node
    // 16-byte map_name, all zero.
    *(uint8_t*)0x200000dc = 0;
    *(uint8_t*)0x200000dd = 0;
    *(uint8_t*)0x200000de = 0;
    *(uint8_t*)0x200000df = 0;
    *(uint8_t*)0x200000e0 = 0;
    *(uint8_t*)0x200000e1 = 0;
    *(uint8_t*)0x200000e2 = 0;
    *(uint8_t*)0x200000e3 = 0;
    *(uint8_t*)0x200000e4 = 0;
    *(uint8_t*)0x200000e5 = 0;
    *(uint8_t*)0x200000e6 = 0;
    *(uint8_t*)0x200000e7 = 0;
    *(uint8_t*)0x200000e8 = 0;
    *(uint8_t*)0x200000e9 = 0;
    *(uint8_t*)0x200000ea = 0;
    *(uint8_t*)0x200000eb = 0;
    *(uint32_t*)0x200000ec = 0;   // map_ifindex
    *(uint32_t*)0x200000f0 = -1;  // btf_fd (none)
    *(uint32_t*)0x200000f4 = 0;   // btf_key_type_id
    *(uint32_t*)0x200000f8 = 0;   // btf_value_type_id
    *(uint32_t*)0x200000fc = 0;   // btf_vmlinux_value_type_id
    res = syscall(__NR_bpf, 0ul, 0x200000c0ul, 0x40ul);
    if (res != -1)
      r[0] = res;  // the new fd is what cases 2 and 3 operate on
    break;
  case 2:
    // 0x38-byte bpf_attr at 0x20000100 for bpf() cmd 0x1a, in the batch
    // layout (in_batch, out_batch, keys, values, count, map_fd,
    // elem_flags, flags). Note count = 0x80000001 and values pointing at
    // the very start of the shared region, where the other argument
    // blocks of this function live.
    *(uint64_t*)0x20000100 = 0;           // in_batch
    *(uint64_t*)0x20000108 = 0;           // out_batch
    *(uint64_t*)0x20000110 = 0x20000240;  // keys
    *(uint64_t*)0x20000118 = 0x20000000;  // values
    *(uint32_t*)0x20000120 = 0x80000001;  // count
    *(uint32_t*)0x20000124 = r[0];        // map_fd (uint64 r[0] truncated to 32 bits)
    *(uint64_t*)0x20000128 = 0;           // elem_flags
    *(uint64_t*)0x20000130 = 0;           // flags
    syscall(__NR_bpf, 0x1aul, 0x20000100ul, 0x38ul);
    break;
  case 3:
    // Same batch layout at 0x20000080 for bpf() cmd 0x19; keys and values
    // alias the same address and count = 0xbcc4.
    *(uint64_t*)0x20000080 = 0;           // in_batch
    *(uint64_t*)0x20000088 = 0;           // out_batch
    *(uint64_t*)0x20000090 = 0x20000140;  // keys
    *(uint64_t*)0x20000098 = 0x20000140;  // values
    *(uint32_t*)0x200000a0 = 0xbcc4;      // count
    *(uint32_t*)0x200000a4 = r[0];        // map_fd
    *(uint64_t*)0x200000a8 = 0;           // elem_flags
    *(uint64_t*)0x200000b0 = 0;           // flags
    syscall(__NR_bpf, 0x19ul, 0x20000080ul, 0x38ul);
    break;
  }
}

// Maps the 16 MiB fixed scratch region used for every syscall argument
// (prot 7 = RWX) with a PROT_NONE guard page on each side; flags 0x32 are
// MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86. Then forks six workers that
// never return from loop() and parks the parent in a very long sleep.
int main(void)
{
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  for (procid = 0; procid < 6; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}