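// https://syzkaller.appspot.com/bug?id=955cd77de977580908213f467a54d5832edc8e14
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel-bug reproducer.  Every iteration forks a fresh child that replays a
// fixed 8-call syscall program from a pool of worker threads: once serially,
// then once more with every odd-numbered call left in flight ("collide" mode)
// so that the calls race each other inside the kernel.
//
// Operational caveats for anyone running this:
//   * It never terminates on its own and SIGKILLs whole process groups.
//   * It maps a fixed address (0x20000000) with MAP_FIXED and pokes kernel
//     interfaces with fuzzer-chosen arguments.  Run it only in a disposable
//     VM, never on a machine you care about.
//   * The header names were lost when this listing was extracted (every
//     `#include` had its file name stripped); they are restored below from
//     the identifiers the code actually uses, which is what a compiler needs.

#define _GNU_SOURCE

#include <errno.h>
#include <fcntl.h>
#include <linux/futex.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Terminate the whole thread group with `status`.  The spin loop after the
 * syscall only exists so the noreturn contract holds if exit_group somehow
 * returned. */
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned spin;
  syscall(__NR_exit_group, status);
  for (spin = 0;; spin++) {
  }
}

/* Exit statuses understood by the syzkaller harness that drives this binary. */
const int kFailStatus = 67;  /* hard failure: do not retry */
const int kRetryStatus = 69; /* transient failure (ENOMEM/EAGAIN): retry */

/* Print a printf-style message plus errno to stderr and exit.  errno is
 * captured first because the stdio calls may overwrite it. */
__attribute__((noreturn, format(printf, 1, 2))) static void fail(const char* msg, ...)
{
  int saved_errno = errno;
  va_list ap;
  va_start(ap, msg);
  vfprintf(stderr, msg, ap);
  va_end(ap);
  fprintf(stderr, " (errno %d)\n", saved_errno);
  doexit((saved_errno == ENOMEM || saved_errno == EAGAIN) ? kRetryStatus : kFailStatus);
}

/* Monotonic wall-clock in milliseconds; exits via fail() if the clock call fails. */
static uint64_t current_time_ms(void)
{
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now))
    fail("clock_gettime failed");
  return (uint64_t)now.tv_sec * 1000 + (uint64_t)now.tv_nsec / 1000000;
}

/* Open /proc/self/<a1>, /proc/thread-self/<a1> (a0 == -1) or
 * /proc/self/task/<a0>/<a1>.  Tries O_RDWR first and falls back to O_RDONLY,
 * so a file that is not writable still yields a usable descriptor.  Returns
 * the fd, or (uintptr_t)-1 (open's -1 through the cast) when both opens fail. */
static uintptr_t syz_open_procfs(uintptr_t a0, uintptr_t a1)
{
  const char* name = (const char*)a1;
  char path[128] = {0};
  if (a0 == 0)
    snprintf(path, sizeof(path), "/proc/self/%s", name);
  else if (a0 == (uintptr_t)-1)
    snprintf(path, sizeof(path), "/proc/thread-self/%s", name);
  else
    snprintf(path, sizeof(path), "/proc/self/task/%d/%s", (int)a0, name);
  int fd = open(path, O_RDWR);
  if (fd == -1)
    fd = open(path, O_RDONLY);
  return fd;
}

static void execute_one(void);
extern unsigned long long procid; /* emitted by the generator; not used here */

/* Forever: fork a child that runs one test program in its own process group,
 * give it 3 s, then SIGKILL the group (the child called setpgrp, so -pid
 * names it) and the child itself and reap it.  PR_SET_PDEATHSIG makes the
 * child die if this parent disappears first. */
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      fail("fork failed"); /* message previously said "clone" although fork() is what is called */
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      execute_one();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int reaped = waitpid(-1, &status, __WALL | WNOHANG);
      if (reaped == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start < 3 * 1000)
        continue;
      kill(-pid, SIGKILL);
      kill(pid, SIGKILL);
      /* NOTE(review): spins forever if waitpid keeps failing (e.g. ECHILD);
       * only one child exists at a time, so that is not expected here. */
      while (waitpid(-1, &status, __WALL) != pid) {
      }
      break;
    }
  }
}

/* One worker thread of the call pool. */
struct thread_t {
  int created; /* pthread has been started */
  int running; /* futex word: 1 while a call is assigned and executing */
  int call;    /* index into execute_call()'s switch */
  pthread_t th;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running; /* number of calls currently in flight across all workers */
static int collide; /* second pass: do not wait for odd-numbered calls to finish */

/* Worker body: sleep on our futex until execute() assigns a call, run it,
 * drop the in-flight count, clear `running` and wake the waiter. */
static void* thr(void* arg)
{
  struct thread_t* self = (struct thread_t*)arg;
  for (;;) {
    while (!__atomic_load_n(&self->running, __ATOMIC_ACQUIRE))
      syscall(SYS_futex, &self->running, FUTEX_WAIT, 0, 0);
    execute_call(self->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    __atomic_store_n(&self->running, 0, __ATOMIC_RELEASE);
    syscall(SYS_futex, &self->running, FUTEX_WAKE);
  }
  return 0;
}

/* Dispatch calls 0..num_calls-1 in order, each on the first idle worker
 * (workers are created lazily with 128 KiB stacks).  Normally each call gets
 * up to 20 ms to finish, plus a short sleep while anything is still running;
 * in collide mode odd calls are fired and immediately followed by the next
 * call so the two overlap. */
static void execute(int num_calls)
{
  running = 0;
  for (int call = 0; call < num_calls; call++) {
    for (size_t i = 0; i < sizeof(threads) / sizeof(threads[0]); i++) {
      struct thread_t* worker = &threads[i];
      if (!worker->created) {
        worker->created = 1;
        pthread_attr_t attr;
        pthread_attr_init(&attr);
        pthread_attr_setstacksize(&attr, 128 << 10);
        if (pthread_create(&worker->th, &attr, thr, worker))
          fail("pthread_create failed"); /* a missing worker would silently eat the call */
      }
      if (__atomic_load_n(&worker->running, __ATOMIC_ACQUIRE))
        continue; /* still busy with an earlier call; try the next worker */
      worker->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      __atomic_store_n(&worker->running, 1, __ATOMIC_RELEASE);
      syscall(SYS_futex, &worker->running, FUTEX_WAKE);
      if (collide && call % 2)
        break;
      struct timespec ts = {.tv_sec = 0, .tv_nsec = 20 * 1000 * 1000};
      syscall(SYS_futex, &worker->running, FUTEX_WAIT, 1, &ts);
      if (running)
        usleep((call == num_calls - 1) ? 10000 : 1000);
      break;
    }
  }
}

/* Results carried between calls.  r[0]: fd returned by call 0.  r[1]: a
 * 32-bit value read out of call 3's address buffer.  -1 means "not set". */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

/* Run call number `call` of the program.  All arguments live in the fixed
 * mapping at 0x20000000 created by main(); the hex addresses are the
 * generator's layout and are kept verbatim so the kernel sees byte-identical
 * input. */
void execute_call(int call)
{
  long res;
  switch (call) {
  case 0:
    /* r[0] = open("/proc/self/maps") (read-write first, then read-only). */
    memcpy((void*)0x20000000, "maps", 5);
    res = syz_open_procfs(0, 0x20000000);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    /* write(r[0], "threaded\0", 9) */
    memcpy((void*)0x20000040, "threaded", 9);
    syscall(__NR_write, r[0], 0x20000040, 9);
    break;
  case 2:
    /* write(r[0], buf, 0x978) where buf = [0x20003680, 0x20003ff8).  The
     * first 0x78 bytes are shaped like an Elf64_Ehdr (ELF magic at offset 0)
     * followed by one Elf64_Phdr at offset 0x40 (= e_phoff); the field values
     * are fuzzer-chosen.  The remaining 0x900 bytes are zero. */
    *(uint8_t*)0x20003680 = 0x7f; /* e_ident: "\x7fELF" */
    *(uint8_t*)0x20003681 = 0x45;
    *(uint8_t*)0x20003682 = 0x4c;
    *(uint8_t*)0x20003683 = 0x46;
    *(uint8_t*)0x20003684 = 0;
    *(uint8_t*)0x20003685 = 7;
    *(uint8_t*)0x20003686 = 0x80;
    *(uint8_t*)0x20003687 = 9;
    *(uint64_t*)0x20003688 = 3;
    *(uint16_t*)0x20003690 = 2;     /* e_type */
    *(uint16_t*)0x20003692 = 3;     /* e_machine */
    *(uint32_t*)0x20003694 = 0x3ff; /* e_version */
    *(uint64_t*)0x20003698 = 0xbe;  /* e_entry */
    *(uint64_t*)0x200036a0 = 0x40;  /* e_phoff */
    *(uint64_t*)0x200036a8 = 0x144; /* e_shoff */
    *(uint32_t*)0x200036b0 = 4;     /* e_flags */
    *(uint16_t*)0x200036b4 = 2;     /* e_ehsize */
    *(uint16_t*)0x200036b6 = 0x38;  /* e_phentsize */
    *(uint16_t*)0x200036b8 = 2;     /* e_phnum */
    *(uint16_t*)0x200036ba = 7;     /* e_shentsize */
    *(uint16_t*)0x200036bc = 0xb13; /* e_shnum */
    *(uint16_t*)0x200036be = 0x7f;  /* e_shstrndx */
    *(uint32_t*)0x200036c0 = 1;     /* phdr: p_type */
    *(uint32_t*)0x200036c4 = 1;     /* p_flags */
    *(uint64_t*)0x200036c8 = 0x100; /* p_offset */
    *(uint64_t*)0x200036d0 = 0x80000001; /* p_vaddr */
    *(uint64_t*)0x200036d8 = 2;      /* p_paddr */
    *(uint64_t*)0x200036e0 = 0x800;  /* p_filesz */
    *(uint64_t*)0x200036e8 = 0x7fff; /* p_memsz */
    *(uint64_t*)0x200036f0 = 1;      /* p_align */
    /* Same bytes as the generator's run of 8-byte zero stores from
     * 0x200036f8 through 0x20003ff0 inclusive. */
    memset((void*)0x200036f8, 0, 0x20003ff8 - 0x200036f8);
    syscall(__NR_write, r[0], 0x20003680, 0x978);
    break;
  case 3:
    /* recvmmsg(r[0], msgvec = 6 x struct mmsghdr at 0x20003400, vlen = 6,
     * flags = 0x40000000 (MSG_CMSG_CLOEXEC), timeout = {2000000000 s, 0}).
     * Entry stride is 0x40 and the field offsets (0x0 name, 0x8 namelen,
     * 0x10 iov, 0x18 iovlen, 0x20 control, 0x28 controllen, 0x30 flags,
     * 0x38 len) match struct mmsghdr on x86-64.  Only the first entry is
     * annotated; the others follow the same layout. */
    *(uint64_t*)0x20003400 = 0x20000280; /* [0].msg_name */
    *(uint32_t*)0x20003408 = 0x80;       /* [0].msg_namelen */
    *(uint64_t*)0x20003410 = 0x200003c0; /* [0].msg_iov */
    *(uint64_t*)0x200003c0 = 0x20000300; /*   iov[0].iov_base */
    *(uint64_t*)0x200003c8 = 0x26;       /*   iov[0].iov_len */
    *(uint64_t*)0x200003d0 = 0x20000340; /*   iov[1] */
    *(uint64_t*)0x200003d8 = 0x5b;
    *(uint64_t*)0x20003418 = 2;          /* [0].msg_iovlen */
    *(uint64_t*)0x20003420 = 0x20000400; /* [0].msg_control */
    *(uint64_t*)0x20003428 = 0x9a;       /* [0].msg_controllen */
    *(uint32_t*)0x20003430 = 7;          /* [0].msg_flags */
    *(uint32_t*)0x20003438 = 0x100;      /* [0].msg_len */
    *(uint64_t*)0x20003440 = 0x200004c0; /* [1] */
    *(uint32_t*)0x20003448 = 0x80;
    *(uint64_t*)0x20003450 = 0x20000740;
    *(uint64_t*)0x20000740 = 0x20000540;
    *(uint64_t*)0x20000748 = 0x73;
    *(uint64_t*)0x20000750 = 0x200005c0;
    *(uint64_t*)0x20000758 = 0x48;
    *(uint64_t*)0x20000760 = 0x20000640;
    *(uint64_t*)0x20000768 = 0xf3;
    *(uint64_t*)0x20003458 = 3;
    *(uint64_t*)0x20003460 = 0x20000780;
    *(uint64_t*)0x20003468 = 0xf2;
    *(uint32_t*)0x20003470 = 9;
    *(uint32_t*)0x20003478 = 1;
    *(uint64_t*)0x20003480 = 0x20000880; /* [2] */
    *(uint32_t*)0x20003488 = 0x80;
    *(uint64_t*)0x20003490 = 0x20001dc0;
    *(uint64_t*)0x20001dc0 = 0x20000900;
    *(uint64_t*)0x20001dc8 = 0xb2;
    *(uint64_t*)0x20001dd0 = 0x200009c0;
    *(uint64_t*)0x20001dd8 = 0x1000;
    *(uint64_t*)0x20001de0 = 0x200019c0;
    *(uint64_t*)0x20001de8 = 0xba;
    *(uint64_t*)0x20001df0 = 0x20001a80;
    *(uint64_t*)0x20001df8 = 0xdd;
    *(uint64_t*)0x20001e00 = 0x20001b80;
    *(uint64_t*)0x20001e08 = 0xb9;
    *(uint64_t*)0x20001e10 = 0x20001c40;
    *(uint64_t*)0x20001e18 = 0xa3;
    *(uint64_t*)0x20001e20 = 0x20001d00;
    *(uint64_t*)0x20001e28 = 0x1a;
    *(uint64_t*)0x20001e30 = 0x20001d40;
    *(uint64_t*)0x20001e38 = 0x52;
    *(uint64_t*)0x20003498 = 8;
    *(uint64_t*)0x200034a0 = 0x20001e40;
    *(uint64_t*)0x200034a8 = 0x76;
    *(uint32_t*)0x200034b0 = 1;
    *(uint32_t*)0x200034b8 = 9;
    *(uint64_t*)0x200034c0 = 0x20001ec0; /* [3] */
    *(uint32_t*)0x200034c8 = 0x80;
    *(uint64_t*)0x200034d0 = 0x200030c0;
    *(uint64_t*)0x200030c0 = 0x20001f40;
    *(uint64_t*)0x200030c8 = 0x1000;
    *(uint64_t*)0x200030d0 = 0x20002f40;
    *(uint64_t*)0x200030d8 = 0x2e;
    *(uint64_t*)0x200030e0 = 0x20002f80;
    *(uint64_t*)0x200030e8 = 0x89;
    *(uint64_t*)0x200030f0 = 0x20003040;
    *(uint64_t*)0x200030f8 = 0x78;
    *(uint64_t*)0x200034d8 = 4;
    *(uint64_t*)0x200034e0 = 0x20003100;
    *(uint64_t*)0x200034e8 = 0x51;
    *(uint32_t*)0x200034f0 = 4;
    *(uint32_t*)0x200034f8 = 5;
    *(uint64_t*)0x20003500 = 0x20003180; /* [4] */
    *(uint32_t*)0x20003508 = 0x80;
    *(uint64_t*)0x20003510 = 0x20003200;
    *(uint64_t*)0x20003518 = 0;
    *(uint64_t*)0x20003520 = 0x20003240;
    *(uint64_t*)0x20003528 = 0x7b;
    *(uint32_t*)0x20003530 = 1;
    *(uint32_t*)0x20003538 = 0;
    *(uint64_t*)0x20003540 = 0x200032c0; /* [5] */
    *(uint32_t*)0x20003548 = 0x80;
    *(uint64_t*)0x20003550 = 0x20003380;
    *(uint64_t*)0x20003380 = 0x20003340;
    *(uint64_t*)0x20003388 = 0x15;
    *(uint64_t*)0x20003558 = 1;
    *(uint64_t*)0x20003560 = 0x200033c0;
    *(uint64_t*)0x20003568 = 0x1b;
    *(uint32_t*)0x20003570 = 2;
    *(uint32_t*)0x20003578 = 6;
    *(uint64_t*)0x20003580 = 0x77359400; /* timeout.tv_sec = 2000000000 */
    *(uint64_t*)0x20003588 = 0;          /* timeout.tv_nsec */
    res = syscall(__NR_recvmmsg, r[0], 0x20003400, 6, 0x40000000, 0x20003580);
    /* On success, 4 bytes at offset 0xa of [0].msg_name (presumably a field
     * of the returned source address) become the fd for call 4. */
    if (res != -1)
      r[1] = *(uint32_t*)0x2000028a;
    break;
  case 4:
    /* ioctl(r[1], 0x89e4, 0x200035c0).  0x89e4 lies in the protocol-private
     * SIOC range (0x89E0..0x89EF); its meaning depends on the socket type --
     * TODO confirm against the target kernel. */
    syscall(__NR_ioctl, r[1], 0x89e4, 0x200035c0);
    break;
  case 5:
    /* pread64(r[0], 0x20000180, 0xdc, 0) */
    syscall(__NR_pread64, r[0], 0x20000180, 0xdc, 0);
    break;
  case 6:
    /* setsockopt(r[0], level 0x10e, optname 8, &(int){2}, 4).
     * NOTE(review): 0x10e (270) looks like SOL_NETLINK -- confirm. */
    *(uint32_t*)0x20000140 = 2;
    syscall(__NR_setsockopt, r[0], 0x10e, 8, 0x20000140, 4);
    break;
  case 7:
    /* read(r[0], 0x20000080, 0x8a) */
    syscall(__NR_read, r[0], 0x20000080, 0x8a);
    break;
  default:
    break;
  }
}

/* One test program: the 8 calls serially, then again in collide mode.
 * `collide` is never reset here; each child starts from a fresh fork of the
 * parent, where it is still 0. */
void execute_one(void)
{
  execute(8);
  collide = 1;
  execute(8);
}

int main(void)
{
  /* 16 MiB anonymous mapping at the fixed address every call above assumes:
   * prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|
   * MAP_ANONYMOUS.  Without it every store in execute_call() would fault, so
   * give up early instead of crashing in a child. */
  if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1)
    fail("mmap failed");
  for (;;)
    loop();
}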