// https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static struct { char* pos; int nesting; struct nlattr* nested[8]; char buf[1024]; } nlmsg; static void netlink_init(int typ, int flags, const void* data, int size) { memset(&nlmsg, 0, sizeof(nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg.pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; memcpy(attr + 1, data, size); nlmsg.pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(int sock, uint16_t reply_type, int* reply_len) { if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf; hdr->nlmsg_len = nlmsg.pos - nlmsg.buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != hdr->nlmsg_len) exit(1); n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0); if (n < sizeof(struct nlmsghdr)) exit(1); if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr)) exit(1); if (hdr->nlmsg_type != NLMSG_ERROR) exit(1); return -((struct nlmsgerr*)(hdr + 1))->error; } static int netlink_send(int sock) { return netlink_send_ext(sock, 0, NULL); } const int kInitNetNsFd = 239; #define DEVLINK_FAMILY_NAME "devlink" #define DEVLINK_CMD_RELOAD 37 #define DEVLINK_ATTR_BUS_NAME 1 #define DEVLINK_ATTR_DEV_NAME 2 #define DEVLINK_ATTR_NETNS_FD 137 static void netlink_devlink_netns_move(const char* bus_name, const char* dev_name, int netns_fd) { struct genlmsghdr genlhdr; struct nlattr* attr; int sock, err, n; uint16_t id = 0; sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock == -1) exit(1); memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(CTRL_ATTR_FAMILY_NAME, DEVLINK_FAMILY_NAME, strlen(DEVLINK_FAMILY_NAME) + 1); err = netlink_send_ext(sock, GENL_ID_CTRL, &n); if (err) { goto error; } attr = (struct nlattr*)(nlmsg.buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg.buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { goto error; } recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0); /* recv ack */ memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = DEVLINK_CMD_RELOAD; netlink_init(id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1); netlink_attr(DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1); netlink_attr(DEVLINK_ATTR_NETNS_FD, &netns_fd, sizeof(netns_fd)); netlink_send(sock); error: close(sock); } static void initialize_devlink_pci(void) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); int ret = setns(kInitNetNsFd, 0); if (ret == -1) exit(1); netlink_devlink_netns_move("pci", "0000:00:10.0", netns); ret = setns(netns, 0); if (ret == -1) exit(1); close(netns); } #define MAX_FDS 30 #define USB_DEBUG 0 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; struct usb_endpoint_descriptor eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; static bool parse_usb_descriptor(char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num], buffer + offset, sizeof(iface->eps[iface->eps_num])); iface->eps_num++; } } offset += desc_length; } return true; } enum usb_raw_event_type { USB_RAW_EVENT_INVALID, USB_RAW_EVENT_CONNECT, USB_RAW_EVENT_CONTROL, }; struct usb_raw_event { uint32_t type; uint32_t length; char data[0]; }; struct usb_raw_init { uint64_t speed; const char* driver_name; const char* device_name; }; struct usb_raw_ep_io { uint16_t ep; uint16_t flags; uint32_t length; char data[0]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, int) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, uint32_t) static int usb_raw_open() { return open("/sys/kernel/debug/usb/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; arg.speed = speed; arg.driver_name = driver; arg.device_name = device; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } #define MAX_USB_FDS 6 struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[MAX_USB_FDS]; static int usb_devices_num; static struct usb_device_index* add_usb_index(int fd, char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= MAX_USB_FDS) return NULL; int rv = 0; rv = parse_usb_descriptor(dev, dev_len, &usb_devices[i].index); if (!rv) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < MAX_USB_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, ep); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep]); if (rv < 0) { } else { } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 1024 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = {8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0}; static const char default_lang_id[] = {4, USB_DT_STRING, 0x09, 0x04}; static bool lookup_connect_response(int fd, struct vusb_connect_descriptors* descs, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: exit(1); return false; } break; default: exit(1); return false; } break; default: exit(1); return false; } return false; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; char* dev = (char*)a2; struct vusb_connect_descriptors* descs = (struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; bool response_found = false; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { response_found = lookup_connect_response( fd, descs, &event.ctrl, &response_data, &response_length); if (!response_found) { return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD || event.ctrl.bRequest != USB_REQ_SET_CONFIGURATION) { exit(1); return -1; } done = true; } if (done) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } void execute_one(void) { *(uint8_t*)0x200001c0 = 0x12; *(uint8_t*)0x200001c1 = 1; *(uint16_t*)0x200001c2 = 0; *(uint8_t*)0x200001c4 = 0x2c; *(uint8_t*)0x200001c5 = 0xf7; *(uint8_t*)0x200001c6 = 0x18; *(uint8_t*)0x200001c7 = 0x40; *(uint16_t*)0x200001c8 = 0xaf7; *(uint16_t*)0x200001ca = 0x101; *(uint16_t*)0x200001cc = 0x10; *(uint8_t*)0x200001ce = 0; *(uint8_t*)0x200001cf = 0; *(uint8_t*)0x200001d0 = 0; *(uint8_t*)0x200001d1 = 1; *(uint8_t*)0x200001d2 = 9; *(uint8_t*)0x200001d3 = 2; *(uint16_t*)0x200001d4 = 0x12; *(uint8_t*)0x200001d6 = 1; *(uint8_t*)0x200001d7 = 0; *(uint8_t*)0x200001d8 = 0; *(uint8_t*)0x200001d9 = 0x20; *(uint8_t*)0x200001da = 0; *(uint8_t*)0x200001db = 9; *(uint8_t*)0x200001dc = 4; *(uint8_t*)0x200001dd = 0x17; *(uint8_t*)0x200001de = 0; *(uint8_t*)0x200001df = 0; *(uint8_t*)0x200001e0 = 0xcf; *(uint8_t*)0x200001e1 = 0x87; *(uint8_t*)0x200001e2 = 0x5a; *(uint8_t*)0x200001e3 = 0; *(uint8_t*)0x200001e4 = 9; *(uint8_t*)0x200001e5 = 5; *(uint8_t*)0x200001e6 = 3; *(uint8_t*)0x200001e7 = 0x12; *(uint16_t*)0x200001e8 = 0x2ca; *(uint8_t*)0x200001ea = 0x46; *(uint8_t*)0x200001eb = -1; *(uint8_t*)0x200001ec = 0x5e; *(uint8_t*)0x200001ed = 0; *(uint8_t*)0x200001ee = 0x13; memcpy( (void*)0x200001ef, "\x3e\x99\xd5\x78\x25\x1a\xec\x18\x80\xbd\xd6\x71\xf6\xc7\xa0\xcd\xa4\xd4" "\x3b\x72\xb2\x44\x84\xc2\xf7\x63\x48\xd8\x00\x7e\x95\x62\xe6\x3b\x15\xa1" "\x1e\xfc\x11\xc3\xb2\xeb\xb4\xcd\x9e\x70\xcb\xc7\xa2\xcd\xc3\xb8\x6d\x09" "\x39\x7a\x26\x3b\x5c\xb9\x7f\xf2\xbe\x09\x26\x20\x36\xd7\x16\x44\xaf\x24" "\x7e\x53\x3c\xa0\xfa\xc1\x54\xe7\xe3\xd2\xc8\x2c\x80\x5b\xe0\xe5\x9f\xa0" "\x1f\x0c\xd4\xcd\xd3\x78\xff\x75\x9e\xe4\x4b\x31\xc4\xbe\x19\x05\x61\x34" "\xd7\x31\xfc\x31\x1b\x37\x6a\x4b\xbf\xa7\x58\x7f\x59\xac\xc1\x77\xf0\xd9" "\x06\xca\x37\x80\x3c\x89\xb3\xb8\x95\x0c\x8b\x5f\xe1\xba\xe2\x20\x52\x1a" "\x5b\x92\xeb\x4a\xca\x40\x7e\x0e\x9c\xe7\x19\x46\x4c\x63\x63\x58\x78\x48" "\xa3\xdd\x02\xf9\x42\xc5\x9c\xf3\xc7\x4f\x61\x9b\x84\x1e\xdb\x58\x0d\x15" "\xd0\xc7\x47\x02\x11\x3c\x4a\x88\x72\xa2\x1a\x57\x25\x86\xef\x31\xa1\xfb" "\x27\x0a\x7d\x65\xbf\xf1\xcb\x0b\x97\x96\x93\xa7\xa2\xd6\xf7\x14\xf0\x66" "\xd3\x73\x92\x3b\xaa\xbd\xb2\xb2\xc2\xb6\x18\x52\x3a\x87\x68\x63\xff\x2f" "\xee\x60\xb0\x49\x47\x77\x4f\xc1\xb2\xa5\xdc\x33\x31\xa3\x84\x66\x1f\xed" "\x5e\xb6\xda\x38\x6e\xab\x16\x49\x38\x13\x9b\xd4\x1b\x29\x39\x23\xc4\xc9" "\xa8\xec\x5d\x42\x00\xf4\x04\x89\xc1\x53\x27\xff\xb2\xfd\x49\x2c\x82\x46" "\x59\x95\x92\xb0\x84\x3c\x9b\x32\xaf\xf0\x82\x5e\xff\xd8\x3e\xb1\xb3\x88" "\xde\xa6\x1e\xe6\xf5\x68\x9f\x76\x23\x77\xea\xcd\x9c\x93\xdb\xe9\xf1\x02" "\x7c\xee\xe9\xa5\x34\x55\xdb\xd9\x47\x42\x07\x9a\x8a\x34\x90\x0c\x91\xf2" "\x4b\xaa\xca\xd0\xcc\x18\x5a\x25\x3e\x61\xef\x23\x43\x83\x90\x67\x71\xde" "\x12\xa1\xfd\x52\xa2\x4c\xed\x88\x02\x23\x2e\xc9\x9c\xc6\x63\x15\xaf\x02" "\x56\x37\x9a\xf2\xd4\x2d\x00\x7e\xe7\x06\x0e\x26\x32\xaf\xb5\x40\xae\x6e" "\xfa\x2e\x5e\x29\xda\x64\xa4\xcc\x89\x6f\xbd\xd6\x24\x61\xfb\x34\x28\x7d" "\xc5\x37\xa7\xbe\xe2\x29\x25\x0d\xa8\x4f\x8a\xea\x26\x55\x4c\x18\x8e\x2e" "\x56\x66\x4d\xec\x63\x49\x10\x6a\x6f\xbc\xa1\xfc\xdd\xbf\x25\xe6\x1d\x18" "\x9e\x81\x8b\x3e\x8e\xf2\x58\x1c\x60\x5f\xca\xef\x8c\xef\x17\xca\x43\xcc" "\xc3\x8e\x6e\xb4\x5a\x41\x6d\x38\xae\xd5\xc1\x83\x18\x68\xa5\x86\x7e\xaa" "\xa2\x1f\xd9\x5e\xe4\xf0\xd5\x3b\xd7\xce\x4f\xae\x6c\x64\x3d\x78\xc7\x97" "\x96\x6c\xc8\x86\xd8\xcf\x61\xa1\x34\xdc\x8a\x9f\x5e\xf9\x48\x6a\xa6\x87" "\x42\xc0\x81\x95\xdd\x8c\x00\xf3\x12\x5d\x10\x1a\x0a\x35\xeb\x8b\xef\x99" "\xa5\x92\xea\xd3\xa9\x9e\xcc\x7e\x3b\x59\x7d\xd6\xcc\x85\xe6\xcc\xa0\x29" "\x4c\x72\x12\x2b\x4a\xe2\x9d\x5a\x87\xe5\x68\xd7\x73\x3a\x09\xf3\x1d\x71" "\x14\x57\xf7\xb0\x3d\x10\x03\xe1\x2d\x24\xae\x4b\xc1\x9d\xc4\xa3\x2a\x01" "\x79\x9c\x3b\x52\xb7\x67\xbb\x9a\xda\x4e\x43\x2c\x8f\x45\x33\x60\xad\xb5" "\x26\x7e\x0a\xcc\x68\xa1\x42\xc3\xdf\xfb\xf2\xe3\x35\x2b\x96\xf6\xc7\x14" "\x29\x68\x42\x5a\x7a\xfd\xd1\x38\xaf\xd3\xc3\x17\xc5\x4d\xc5\xae\x89\x16" "\x01\x64\xd0\xf5\xa8\x65\xba\x76\xfb\xc4\x36\x55\x0f\x47\xa1\x58\xea\x12" "\xfa\x2d\x60\xb8\x38\x85\x49\x11\x3c\xbb\x11\x38\x93\x3c\x29\x60\x02\xf5" "\xf6\x7c\x65\xa9\x09\x70\xea\x62\x84\x05\xf2\x47\xf0\xa9\xf7\xfa\x23\x1f" "\x91\x8e\xa4\xf5\x4b\x98\x1e\x28\x07\x29\x6f\xd0\xf1\x78\x2d\xd9\xf0\x41" "\x1d\x88\x63\x5e\x28\xe4\xbd\xe8\x9f\x19\x94\x51\x39\xd0\xb9\xc4\x70\x54" "\x53\xf6\x85\x59\x9a\xfa\x14\x3b\xfc\x4f\x59\x01\xf0\x1c\x15\x03\xb3\x6f" "\xc7\xfc\xb9\x3e\x06\xf3\xa4\x30\x53\x38\x93\x50\x17\xf2\x8b\x6e\x5e\x80" "\x3e\x64\x8a\x5e\xbc\x29\x22\x5c\xed\x3c\xfa\x41\xf1\x5b\x67\xa5\xfb\x59" "\xa7\xf1\x0f\xb5\x62\x9b\xed\x03\x13\xf0\x25\xb3\x58\x37\x24\x88\x9a\xab" "\x7c\xba\xa4\x3c\x29\x7e\x7a\x4c\x74\xc4\x93\x2c\xbf\x51\x4a\x5e\xc0\x90" "\x89\x53\xdb\x0f\x28\x2b\x7d\x85\x6a\x06\xbe\x87\x15\x57\x38\x24\x83\x50" "\x6b\x6d\x32\xc7\xfc\xd3\xe4\x6f\xb3\x88\x48\x4c\x11\x0c\x02\x9c\xd6\x32" "\x4e\x40\x4a\xb2\xaf\xd7\x26\xd3\x90\xf5\xbd\x9e\x18\xeb\x18\xed\x87\x33" "\x54\xb1\x3e\xe8\xd2\x31\xcc\x1b\x9e\x8b\xef\x62\x41\x4c\x78\xc8\xdb\x1a" "\x33\x62\x47\xd9\x59\xc5\xb9\x7a\xd5\x10\xe9\x62\x5c\xa1\xbe\xe4\x33\xbb" "\x16\x29\x8c\x25\xdb\xbb\xc2\x45\xf9\x95\x5f\xec\xc6\xb3\x44\xf9\xed\xd6" "\xae\xc5\xeb\x41\x70\x68\x52\xc2\xba\xd9\x1d\xce\xad\x5d\xe3\x5d\x0c\xf5" "\x78\x5c\x1a\x34\xde\x54\xcc\x4d\xf3\x7a\xca\xf6\xe4\x04\xe8\xed\xfc\x99" "\x47\x10\xa7\x94\xb2\xd2\xbe\xe7\x5f\x81\x3e\xb6\x2c\xc6\x08\x8c\x6b\x01" "\x07\xf1\xbf\x05\x8e\x71\x85\x5b\x94\x73\x28\x4d\x88\x8f\x7f\x98\xf9\x94" "\x29\x15\x20\xdd\x65\x43\x2f\xbe\x5b\x0f\x70\x24\xcc\x1f\x38\x97\xdb\xf7" "\x2d\xd9\x7d\x6f\x4c\x43\x29\x2d\x49\xf0\x49\xe2\x67\xe9\xb6\x65\xdf\xee" "\xb8\x6e\xea\xad\x21\x2b\x5a\x99\xe8\x48\x43\x0a\x55\x98\xc3\x7d\x9a\xf6" "\x98\x53\x76\x07\x51\xd9\xa4\xef\x8b\x05\xcd\x56\xbd\xe8\x42\xc7\xec\x7f" "\xca\x08\xe3\x2b\x90\x65\xbf\x41\xe7\x1f\xd2\xf3\x6e\x35\x4b\x99\xaf\x2e" "\x4f\x96\xcb\x61\x22\x2b\xbe\x95\x90\xbb\xfe\x31\x9e\x55\xf4\xdd\xde\x10" "\xf3\xe5\xf2\x9f\x49\xbd\x66\x5b\xcc\x2c\xda\x5a\x10\x8b\x0d\x92\xa2\xe0" "\x28\xd7\x26\x61\x9d\x5b\xcc\xba\x0d\x11\x5e\x80\x8e\x63\x31\x02\xbf\xc2" "\x8b\x54\xb2\x8f\x0b\xbb\xbe\x9e\xb7\xb2\xe7\x3f\xb4\x3c\xd4\x54\x77\xc3" "\xab\x79\x75\xba\x47\xb0\xb0\xcd\xff\xc2\x6d\xf3\x81\xfd\xba\x53\x52\xfb" "\xf4\x37\x9c\x44\x4d\x3a\x70\x9d\x59\x87\xe8\x23\x97\xd8\x89\x02\x05\xfc" "\x60\xa9\x70\x89\x14\x2f\x6e\xff\xad\x85\x22\x67\x8f\x44\x4d\xb8\x2a\x4c" "\xfe\x4e\xb9\x58\x58\x0d\x18\x14\x7f\x63\x44\xba\x8f\xf4\x5f\x27\x5f\x63" "\xea\xcd\xd1\xf6\xe4\x6a\xab\x77\x20\x84\x96\xe9\x97\x3f\x1a\xfc\xbb\xb0" "\xf2\x25\x77\x02\xb5\xf6\x5b\x9e\xb9\x26\xb4\x7e\x85\x22\x7b\xe9\x47\xb7" "\x1e\x43\xa5\x65\xd0\x32\x16\xf9\x7f\x59\x1f\x5d\x05\x66\xa1\x31\xc8\x42" "\x07\xc5\x5a\xb1\xde\x6f\xb6\x3c\xed\x20\x27\x6d\x10\xda\x71\x0b\xdf\x02" "\xfe\xfd\x16\xbf\x98\x5a\x7e\x12\xa4\x88\x73\xd9\x8a\x60\x92\xb8\xf6\xec" "\x62\x58\xde\x37\x6d\x0a\x58\x8a\xaa\x5e\xb3\xfb\x59\x21\x4d\x42\x42\xdc" "\xc2\x00\xbb\xc6\x58\x3d\x2c\x80\x82\xd5\x45\x9a\x8f\x99\xef\x27\x74\x52" "\x8d\x54\x5f\xa3\xce\x5f\xb1\x39\x1d\x49\x04\xee\x3c\x3c\x95\x28\xb4\xb1" "\x06\x01\x6d\xe1\x22\xec\xe1\x3b\x18\xce\x00\xc7\x85\x81\x4b\x1f\x40\x6f" "\x2e\x8f\xe3\x3b\xc7\x4b\x14\xf6\x92\xf0\x42\xa8\xbd\xdb\x3a\x32\xa0\x5a" "\x80\x39\x0f\xff\x18\x45\xbc\xcb\x0c\x08\xfd\x77\x43\x71\x93\x90\x4b\xfd" "\x7f\xf5\x49\x15\x7f\x33\x42\x5c\x08\xe9\xf1\x83\x13\xd9\x60\xb3\xc5\xb7" "\x26\x36\x6b\xa8\xc0\xe5\x91\x5e\x47\x73\x39\x2f\xb9\x37\x63\xe2\x8a\x39" "\xd9\x2b\xcf\xf1\x9e\x2e\x28\x2c\x1b\x87\xec\x35\xb9\x76\x18\xcd\x2d\x1f" "\xea\xf6\x67\x9d\xda\xa8\xbb\x9a\x59\x90\xdc\x5a\x7d\x77\x1c\xd7\xcd\xb8" "\xec\x18\xdd\xc0\xde\xbb\x59\x40\x0c\x69\x5c\x54\x3f\xad\x12\x24\x64\xf6" "\xb8\x7d\xf6\xeb\xbb\xd7\xef\x7c\xa9\x9f\x97\xa6\xfd\x63\x44\x71\x64\xec" "\x51\x9a\x7a\xd8\x1d\xc3\x33\x7e\x8f\xf9\x56\x8c\x4f\x98\xba\x1f\x9b\x80" "\x85\x95\x90\xfa\x40\x24\xa8\xc3\x74\x9f\x2a\xea\xb9\x6f\x7e\xb7\x6e\x23" "\xde\x9d\xe9\x5d\x7e\x54\x75\xc4\x20\x86\x9e\x10\x89\x7b\xca\x49\x66\x21" "\x2a\x7c\x47\xf6\xcb\x07\x84\xf6\x99\xd8\x23\xa4\xf2\xdc\x11\x79\xfe\xb3" "\x85\x71\x9b\x1e\x0f\x2c\xeb\x24\x5c\x65\x18\x5d\xcd\x72\x73\x0c\x09\x3c" "\x6b\x9d\x7f\xd6\x44\xa8\x86\x35\x49\x68\x9e\xfd\x38\xbc\x5d\x26\xea\xb6" "\x54\x0f\x4b\xef\x49\xb0\xec\x77\x85\xa4\xb9\xb2\xc4\x98\x1b\xfc\x88\x9c" "\xf9\xe5\x5e\xb9\x94\xb1\x92\x84\x34\x57\xbe\x7e\x70\x0c\xb0\xa1\x07\xca" "\x98\x60\x9c\x67\x59\xe1\xf2\x86\x7b\x08\x64\xbc\x37\x4d\x0e\x0f\xd2\xb5" "\xbb\x09\x92\x0f\xb1\x47\x47\x1d\x88\x36\x3a\xe6\xf9\xe5\x69\x05\x78\xaa" "\x71\x2c\x12\xf2\x62\x45\x02\xd0\x71\x9e\xf1\xe9\x53\x62\x06\xe0\x98\x01" "\x3d\x57\xf4\xe7\x3d\x2d\x71\x2c\x91\x5a\x2f\xda\x4a\x77\x89\x6b\x06\x24" "\x88\xeb\xbe\xa1\xa8\x4f\xdc\x8f\xe5\x90\xee\xd1\x54\x88\xd4\xf2\x32\x64" "\x87\x7e\x85\xec\xdb\x4b\xb3\x5f\xb8\x13\x93\x5e\x65\x50\x8c\xdc\xf1\x60" "\x5f\xd5\x93\x11\x05\xde\x0e\x52\xb0\x79\x7e\xae\x9b\xf8\x50\x6d\xec\x59" "\xa0\xd2\xeb\xff\x20\x9c\x3f\xac\x08\x80\x36\xb9\x45\x55\xda\x08\xf1\x13" "\x2d\xb3\x94\x05\xf8\xd4\xb5\xcf\x19\x07\xeb\xd3\x02\x15\xb8\x8b\x65\x62" "\x22\x1a\x9b\xfe\x22\x80\x46\x16\x94\x90\xc1\xdc\x37\x90\x35\x01\x7e\x7f" "\x40\xc1\xbf\xe4\xa2\xfb\x75\x51\x2a\x00\xe0\xe1\x90\x41\xe7\x98\x41\xe1" "\xac\x14\xac\x05\xcb\xba\x7c\x14\x92\x8d\x56\x24\xa8\x1f\x23\x28\x24\x52" "\x7c\xbf\x78\x59\xbd\xa7\x44\x55\x83\xf7\x41\x28\x6b\x9c\xfa\x4f\x7b\xf5" "\x81\x68\xc9\xf9\x97\xbe\xc8\xd3\x11\x7e\x30\x7c\x90\x1c\x0b\xa3\xd0\x88" "\x06\xe1\x27\xa4\x44\x11\xb5\xed\xd2\xdf\xc7\x76\x33\x80\x7f\x2b\xd3\x08" "\xde\x34\x4b\x1b\x35\xe1\x01\xe9\x7b\xe2\xad\xef\x5a\xf2\x10\x96\xf0\xdc" "\x6e\x84\xee\xd9\x53\x96\xfe\xed\x83\xdd\x46\x3c\xe7\x40\xe8\x66\xc7\x8b" "\xf2\x5a\xe6\x8a\xfa\x13\xba\xe8\xc7\x4e\xf0\xb2\x0e\x1f\x78\x36\x9e\xce" "\x2b\xad\xf8\xd0\x48\x36\x8f\xfa\x09\xac\x5f\x31\xb4\xaf\x14\x59\x77\xa1" "\xb1\xc3\xef\x95\xf4\xbb\x19\xec\xc0\x6f\x20\x30\x8d\x6d\xc7\x9d\x9d\x53" "\x26\x74\xc1\x8f\x67\x77\x70\xee\x24\x14\x13\x7e\xca\xba\x94\xd1\xf9\x4c" "\xc1\x82\xbe\xa6\x48\xcd\x40\xbe\x15\x72\x35\x3b\xb2\x58\xd9\x6a\xe9\xee" "\x9b\x15\x86\xbb\x59\xd8\x35\xda\x13\x58\x79\x35\xa0\x21\xaf\xad\xf3\xb5" "\xb1\xad\xad\x87\x44\x71\x60\x76\x4c\xd1\xa6\xe6\xc0\xd7\xec\xdf\xd5\x96" "\x46\xbe\xa2\x2e\x84\xf8\x53\x61\x2d\x59\x3b\xf8\x87\x79\x5a\x2d\x7b\xf1" "\xd9\x6d\xfb\xe9\x61\x56\x8b\x9f\x5f\xb9\xc3\x8e\xec\x31\x7c\x0a\x19\x05" "\x5c\x75\x60\x3b\x0e\x03\x91\x1a\x53\x37\x34\x2e\x0d\xdc\xba\x38\x1a\x63" "\x4d\xcc\x15\xf0\x5f\xa3\x43\x77\x16\xc2\x0c\xf2\x1b\x1f\xc6\x55\xf9\x79" "\xa4\xf1\xba\xa1\xef\x67\x09\x20\x3a\x93\x1d\x77\x9f\x5a\xf8\xd7\x12\xd6" "\xaa\x54\x7f\xa0\xb9\x4a\x48\x37\xee\xc7\x67\xd0\x92\x4d\xe8\xce\x9e\x8e" "\x57\xbe\x2d\x3b\x99\x63\x78\x03\x53\x74\xf5\x84\x1e\x19\x8c\xda\xc9\x55" "\x3f\x76\x12\xb8\xed\x8c\xd7\x8c\x52\x5b\x14\x6e\x94\x9b\x4b\x32\x30\x31" "\x17\xb3\x02\x77\xfe\x9f\x3c\xbf\xab\xd5\xe4\x4f\xea\xea\x97\x6d\xd9\x0c" "\xe7\x30\x52\x60\x04\xb6\x4e\xb8\x43\x40\x9b\x10\x77\xf8\x91\x50\x17\x6d" "\x3a\x6a\x28\x2c\xcb\x53\x51\x2c\x08\x27\xfc\x93\x25\xdb\x3a\x1f\x7d\x78" "\xe4\xe4\x71\xae\xab\xfb\x76\x61\x5d\xd9\xf4\x9c\xbe\x84\xaa\xdc\xad\xf7" "\x16\xfb\x1d\x33\x21\xb0\x90\x9b\x2f\x46\x9f\xad\x73\x72\x92\xa6\x3f\x17" "\x98\x5b\x1b\x2d\x6f\xb5\x96\xa4\x50\xbe\x45\x1a\x7c\x02\x21\x5e\xc2\x58" "\xfc\xcf\x44\x96\x3d\x9c\x58\x99\xf9\x34\x68\x7e\x36\x2e\x64\x45\xc4\xc7" "\x2a\x88\xf5\xff\xd2\x36\x8d\xea\x48\xdf\x3d\x1e\xb9\x9b\xcd\x1b\x8a\x5f" "\x0b\x89\x44\x89\xe6\x7a\x97\xfd\x4e\xdb\x0d\x4c\x13\x64\x61\xd8\x31\x9d" "\xa7\x59\xb1\x64\xf6\x97\xf5\x53\x58\x6c\x22\x44\x4a\x62\xe2\xa2\xe1\xb2" "\x0d\xcf\x32\x66\xd4\x00\xc4\x62\xb8\xfc\x02\x7c\x24\x2f\x0d\xb6\x1e\xe8" "\xd5\x40\x90\x38\x82\x7b\x7e\x26\xf7\x3f\x22\xb8\x13\x5d\x39\x5e\x3f\x9a" "\xd3\x87\x28\xd5\x55\x5f\x82\x49\x8c\x30\xcf\x2f\xa9\x13\xe5\x3f\x52\xb3" "\x89\x1a\xa3\xea\x4c\x84\x60\x42\x83\x9b\x2b\x77\xc7\x72\x44\x97\x72\x4a" "\x81\x0d\xaa\xc3\x6e\x54\xe0\x58\x29\xd1\xdb\xce\x51\x95\xd6\x5d\x94\xe2" "\xf1\xf9\x05\x28\x32\x32\xf3\x8e\xbb\x48\x62\x7c\x5e\xeb\x30\x12\x8e\xdb" "\x7f\x8f\xfa\xba\x10\x1a\xd6\x37\x36\xce\xe3\x17\x48\x7a\x44\xc2\x13\xc7" "\x32\x19\x56\xb6\x4d\xd6\x1c\x25\x45\x61\xc3\xf9\x04\x6a\x18\x13\xb5\x8e" "\xb6\x7b\x66\x68\xc1\xb8\xeb\x93\x3c\x5e\xc7\x24\x64\xe6\xf6\xa4\x0e\xa4" "\xef\x67\xe0\xdd\x49\x0e\xe5\x2f\xd0\x08\xd2\xcd\x15\xca\x5a\x6b\x42\xda" "\xdd\xcf\x11\xa2\x08\x7a\x5e\x24\x65\xaa\xfd\xc8\x60\xf7\xdd\x6b\x98\x16" "\x19\xdc\x45\xbd\x3f\x64\xc7\xca\x09\x1f\x36\x97\x88\x8e\xf3\xf8\xbe\xcb" "\xbd\x34\xb6\x4f\x9d\x08\x7d\x9c\xf0\x22\xbb\x42\x2c\xff\xa1\x78\x41\x16" "\xe8\xca\x1e\x21\xfb\x79\xc4\x99\xd2\x71\x67\x38\xc9\xa9\x61\x99\x20\xbb" "\xb0\x67\x77\xbb\xb2\x2a\x9a\x96\xb8\xa5\x01\x4c\x21\xd3\xf1\xf8\xe9\x26" "\x14\x41\x28\x5a\xa1\xd9\x4c\x95\xd8\xb0\x42\x8d\x92\x48\x3a\xc7\x5e\x91" "\xaf\x71\x49\x02\x9a\xcc\x31\x09\xf4\xd8\x53\x72\x30\xfb\x26\x0f\x46\x9b" "\xb5\xca\x3a\x32\x41\xeb\x63\x41\x91\xfe\x53\xa6\x35\x2c\xa5\x09\x4f\xf3" "\x42\xe4\xce\xdd\x51\xd8\x18\x5a\x60\x1a\x7b\x9d\xfe\x78\x44\xdd\x62\xa4" "\x3a\xb5\xc1\x97\xcf\xb7\xb5\x89\x74\xa6\xad\x23\x4b\x7f\xbf\x0b\x37\xc5" "\xc4\x9d\x03\x2c\x8c\x22\xa0\xd1\x8d\xeb\x66\xce\x1e\x0d\xd1\xde\x8b\xea" "\x5d\xd7\x13\x6d\x56\x61\x8b\xa2\x67\xbf\x06\xd4\x5d\x3b\xd6\x76\xb5\xde" "\x25\x8b\xca\x85\x8e\x4c\x3b\x6c\xef\xa9\xff\x0e\xb7\x02\x6f\x17\x22\x06" "\xa0\x8c\x1a\x09\xd6\x7a\xd6\x56\x53\x37\xc5\x6d\x90\xdf\xd7\x66\x5d\xf5" "\x44\x4b\x63\x9b\x3d\xc4\x2d\x34\xf8\x7d\x9c\xa9\x15\xb9\xfe\x67\x2b\x5f" "\x21\x91\x93\x21\x0f\xad\xb2\x7f\x73\xf0\x75\x7d\x17\x38\x33\x88\x24\xa8" "\xbf\xea\x42\x22\x03\x41\x50\x64\x40\x01\xea\x87\x98\x1b\x7c\xfa\x3d\x9e" "\xf3\x34\x2c\x1a\x0e\xaa\xeb\x5b\x8d\x27\x79\x9e\x1a\xd2\x3d\x49\x32\xc3" "\x28\xd2\xb1\x18\x11\xbd\xcf\x6f\xec\x57\x40\x12\x88\x00\x94\xe4\xd6\xd0" "\x4f\xb6\x5f\x01\x26\xbd\xd5\x2f\x2d\xbb\xf4\x7b\xfe\xfd\x1b\x66\x6a\x2f" "\x94\x41\xc0\x0e\x76\x91\xd8\xd7\x07\xb0\xda\x9d\x78\x6d\x16\x88\x47\x0d" "\xfe\xeb\x7c\xf7\x51\x86\x21\x53\x67\xfe\x25\x7f\x37\x5f\xfc\x75\x85\x0d" "\x89\xde\x98\x04\xa5\x47\x7f\x55\x50\xc5\x19\xc3\x9b\xfa\x00\xe6\x91\x9b" "\xa0\x45\x47\x9b\x50\xf0\x22\x9c\x3b\xfb\xfc\x42\xcd\x88\x6c\x31\xdf\x19" "\xde\x26\x06\xf3\xb1\xc3\x13\xf3\xe6\xc2\x40\x92\x8e\x83\x63\xdc\xb8\x42" "\x87\xb5\xec\xbc\xdc\x26\xe5\xa0\x7f\xda\x30\xcc\x86\x3a\x56\x47\xe2\x26" "\x3d\x0d\x33\xe9\x07\xe2\x9d\x00\x75\x70\xe1\xba\x72\x90\xef\x01\x25\x22" "\xfa\x16\x20\xa8\x27\xf6\xfd\x55\xbe\x80\x03\x61\xf3\x81\x1b\x61\xc5\xdd" "\x6b\x03\x5f\xc9\x5e\xf6\xd7\x27\x0f\xad\xb3\xe7\x19\xb7\x66\x95\x07\x09" "\x99\x51\x84\x00\x93\xc6\x17\x9c\xb0\x5e\x47\x87\x59\x1c\x39\x10\x74\x0e" "\x82\x01\x96\x58\x5f\x77\x38\x57\x27\xf7\x41\x86\xb8\xa7\x96\x6e\xee\x80" "\x5e\x40\xce\x05\x4b\x05\x1c\x07\xac\x69\x78\xf6\x90\xa1\x02\xfe\x84\x3e" "\xb2\x29\x31\x30\x93\xf4\x3e\x72\x90\xe2\x00\x9b\xcc\x68\x05\xfa\xb0\x87" "\x57\x18\xf3\xf8\xda\x83\xe6\x26\x87\x29\xdb\x2e\x32\x1d\xe1\x9a\xa2\x9c" "\x5f\x35\xf4\xb5\x60\x5c\xc9\x86\xb4\xb2\x9a\xc5\xd1\x0e\x57\x43\xba\x5b" "\xca\x31\xfa\x9e\x61\xf6\xa5\xfe\x20\xcc\xd0\xc5\x7c\x98\xd1\x2f\xbc\xb3" "\x91\xc4\xa9\xee\x0e\x38\x39\x7d\x86\xc3\xcb\xa9\x15\x0e\x4a\x55\x80\xf8" "\xee\x4a\xa7\x5c\x4f\x00\x3d\x6e\xf1\xe0\xef\x70\x80\xca\x2a\x13\xb6\xb2" "\x11\x2b\x31\x59\xeb\x48\xe7\x71\xc4\x14\x94\x24\x22\x11\x84\xf5\xe2\x0e" "\x0a\x2b\xae\xb6\xd7\x48\x81\x44\x0c\x4e\xba\x45\x54\xef\x04\xd7\x85\xfd" "\xa8\xe9\x4b\x7c\x8d\x40\x2f\x0d\x22\x0b\xaf\xc6\x75\xe6\x96\xc1\x6d\x97" "\x32\x45\x68\xce\x0c\x87\x90\x3c\x0f\x42\x09\xc4\x64\x24\x9e\x41\x6d\x40" "\xda\x3e\x7c\x5b\x31\x9b\x46\x26\x6f\x42\x32\x21\x24\x3e\x17\xb5\x18\xeb" "\x18\x7b\x67\xdf\xa9\x0d\xec\xaa\x75\x96\x33\x46\x73\x77\x85\x1d\xe3\xf3" "\xb8\xa8\xdb\x26\x3c\xeb\xce\xb2\xd3\xe8\x7a\x3c\x48\xa4\x5e\x6c\x89\x90" "\x71\xff\xb1\xea\xc1\x9d\x2d\xbc\xb2\x0e\xce\xdd\xd5\x67\x12\x82\x2d\x25" "\xba\x2a\xed\x4e\xe9\xcd\x14\x03\x08\x8b\x1e\xcf\x6f\x18\x83\xab\xaa\xd8" "\x79\x5b\x94\x06\x60\xf7\x9e\x24\xd3\x15\xd9\xee\xd8\x45\xe6\x2f\x04\x43" "\xbf\xde\xbc\x50\x95\x90\xa2\xf0\x3d\xe4\x8e\xb2\x89\xfc\xc0\xc5\x3e\xf0" "\x48\x55\x1b\xd2\x26\x6a\x33\x78\x94\xfd\x0f\xd8\x5b\x5a\xaf\x14\x31\x5a" "\x84\x0b\xc0\x0b\x33\xe5\x25\xfa\x12\x21\xf8\x5d\x6a\xc4\xfa\xa9\xb2\xdf" "\xd9\xa8\x0f\x1e\xec\x22\x8c\x28\x0a\x77\xc6\xb9\x86\xf4\x7b\xc6\x26\x5c" "\x12\x4f\x67\xda\xa1\xe7\x6e\xd8\x00\xd1\x53\xc7\xb1\x3f\x26\xe0\xcb\x50" "\xd0\x8b\xe1\x3e\xe7\x26\xd4\xe9\x46\x03\xd7\x2f\x43\x29\x66\xe2\x1f\xfa" "\x86\xbb\xe6\x12\xdc\x89\x53\x50\xb5\x97\xcc\x53\x5b\xb8\x30\xd1\xe7\x55" "\x5e\xa7\x51\x0f\xe8\x71\xfb\xc4\x9f\x2b\x82\xa8\x19\x38\xa4\x0d\xeb\x3b" "\x09\xec\xed\x82\x0b\x81\x91\xa8\x82\x90\x23\xa0\xdd\xaa\x09\xac\xbf\xee" "\x31\x8f\xdd\x15\x39\x79\x9d\xfe\x24\xb3\x58\x4e\x5c\x10\x47\x2b\x32\xc9" "\x79\x2c\xde\xff\x3e\xa7\x72\x37\x90\x50\x86\x2d\xd8\xba\xfc\x5f\x34\x61" "\x44\xc8\x93\x38\x82\x0c\xf2\xc3\x25\x24\xf9\xb5\x0f\xb7\x4a\x7c\x8e\x66" "\x4f\x26\x90\xe6\x70\x93\xa4\x34\x2d\x1c\xbd\xd8\x30\xc8\xf3\xf6\x10\x39" "\x79\x2a\x7a\x79\xaa\xf1\xaf\xdd\x4f\x30\x64\xcd\x69\x8a\xd2\xce\xe2\xe1" "\xa1\x81\x00\x88\x08\x47\xee\x7a\xae\x05\xb9\xdb\x1e\x72\x3f\x5c\x45\x7a" "\xf5\x1c\xdf\x6f\x3c\x03\xd8\xef\xac\xdc\x00\xb1\xf2\x11\xb4\x1f\x55\x1f" "\x3d\x77\x48\x6f\x4c\x5d\x58\xde\x11\xca\xe6\x83\x7e\x6e\x19\x29\x60\xfb" "\x19\x4d\x62\x31\x74\x38\x01\xc3\x86\x27\xf9\x96\x5f\xab\x87\x9c\xf4\x8d" "\x9d\xf0\x52\x6a\x8b\x0f\xba\xb8\x8b\x92\x22\xbb\xff\x1e\xd1\x7a\xec\x56" "\x4a\x0c\x83\x9a\x79\x42\x09\xd4\x05\x4f\x73\xa3\x6e\xb3\xfd\xa6\xf4\x87" "\x3c\x95\xd6\x85\x3e\x7c\x04\xb9\x34\x2b\x2d\x00\x5e\xa2\x60\x3d\xc8\xc8" "\xd9\xc4\xf9\xa7\x87\xb6\xd7\x59\x21\x25\x80\x72\x4b\x5d\x18\x05\xa7\x3f" "\x09\x21\xd3\xe5\x6b\x1d\xb8\xfd\x7f\x46\x1a\x20\x24\x71\xf2\xc0\x94\xf4" "\x0d\x28\xaa\xfa\xcc\xdc\xf3\x8b\x4c\xbb\xbb\x38\x43\x34\xcc\x0f\x03\xf4" "\xf4\xa6\x60\xf6\xa3\x71\x39\x5b\x8a\x22\xf3\x07\xc1\x62\x79\x0a\xc7\x1f" "\x74\xb3\x0d\x85\x7b\x99\x44\x92\x96\x77\x0f\x16\x4e\x2e\x17\x24\x37\x89" "\x9f\x63\x6f\x66\xd4\x42\xfe\xf7\xf2\x89\x84\x93\xbc\x2c\xfb\x77\x86\x56" "\x03\x1e\xa3\x5e\x68\x9a\xab\xd5\xb7\x43\x75\x9a\x5d\x97\x16\xad\x23\x24" "\x91\x57\x60\xe8\x6d\xad\x9a\xcf\x30\xc7\x93\x68\x1b\x7d\x48\xd1\x69\x7b" "\xdb\xcf\x8c\x16\x18\x33\xcf\x7c\xbf\x73\x97\x92\xf8\x71\x83\xf9\x99\x7c" "\x48\x13\x2c\xc9\x05\x5a\xac\x85\xa8\x36\x5b\x35\x6c\x72\xb1\xa4\xfb\x76" "\xbd\x82\xdc\xef\x85\x16\x4d\x21\xc5\x6a\x61\x3e\xef\xa1\xad\x6b\xbc\x03" "\xf7\x74\xfe\x21\xd9\x81\x00\xe3\x50\x85\x6e\x30\x00\x72\xf2\xf3\xb1\xe7" "\x93\x93\xb2\x71\x05\x2c\x58\x63\x54\xa1", 4096); *(uint8_t*)0x200011ef = 9; *(uint8_t*)0x200011f0 = 5; *(uint8_t*)0x200011f1 = 8; *(uint8_t*)0x200011f2 = 4; *(uint16_t*)0x200011f3 = 0x2c4; *(uint8_t*)0x200011f5 = 5; *(uint8_t*)0x200011f6 = 0xa; *(uint8_t*)0x200011f7 = 3; *(uint8_t*)0x200011f8 = 0; *(uint8_t*)0x200011f9 = 0x25; *(uint8_t*)0x200011fa = 1; *(uint8_t*)0x200011fb = 3; *(uint8_t*)0x200011fc = 4; *(uint16_t*)0x200011fd = 5; *(uint8_t*)0x200011ff = 0; *(uint8_t*)0x20001200 = 0x25; *(uint8_t*)0x20001201 = 1; *(uint8_t*)0x20001202 = 3; *(uint8_t*)0x20001203 = 1; *(uint16_t*)0x20001204 = 3; *(uint8_t*)0x20001206 = 9; *(uint8_t*)0x20001207 = 5; *(uint8_t*)0x20001208 = 5; *(uint8_t*)0x20001209 = 0; *(uint16_t*)0x2000120a = 0x367; *(uint8_t*)0x2000120c = 1; *(uint8_t*)0x2000120d = 0; *(uint8_t*)0x2000120e = 0x32; *(uint8_t*)0x2000120f = 9; *(uint8_t*)0x20001210 = 5; *(uint8_t*)0x20001211 = 1; *(uint8_t*)0x20001212 = 0x10; *(uint16_t*)0x20001213 = 0x192; *(uint8_t*)0x20001215 = 0xbc; *(uint8_t*)0x20001216 = 0; *(uint8_t*)0x20001217 = 3; *(uint8_t*)0x20001218 = 9; *(uint8_t*)0x20001219 = 5; *(uint8_t*)0x2000121a = 0x80; *(uint8_t*)0x2000121b = 2; *(uint16_t*)0x2000121c = 0x115; *(uint8_t*)0x2000121e = 0x1f; *(uint8_t*)0x2000121f = 1; *(uint8_t*)0x20001220 = 9; *(uint8_t*)0x20001221 = 9; *(uint8_t*)0x20001222 = 5; *(uint8_t*)0x20001223 = 0xd; *(uint8_t*)0x20001224 = 1; *(uint16_t*)0x20001225 = 0x343; *(uint8_t*)0x20001227 = 9; *(uint8_t*)0x20001228 = -1; *(uint8_t*)0x20001229 = 0xe5; *(uint8_t*)0x2000122a = 0; *(uint8_t*)0x2000122b = 0x25; *(uint8_t*)0x2000122c = 1; *(uint8_t*)0x2000122d = 1; *(uint8_t*)0x2000122e = 0xb3; *(uint16_t*)0x2000122f = 0x13; *(uint8_t*)0x20001231 = 9; *(uint8_t*)0x20001232 = 5; *(uint8_t*)0x20001233 = 9; *(uint8_t*)0x20001234 = 0xc; *(uint16_t*)0x20001235 = 0x1ec; *(uint8_t*)0x20001237 = 0xb; *(uint8_t*)0x20001238 = 8; *(uint8_t*)0x20001239 = 6; *(uint8_t*)0x2000123a = 9; *(uint8_t*)0x2000123b = 5; *(uint8_t*)0x2000123c = 8; *(uint8_t*)0x2000123d = 0x11; *(uint16_t*)0x2000123e = 0x3a2; *(uint8_t*)0x20001240 = 1; *(uint8_t*)0x20001241 = 4; *(uint8_t*)0x20001242 = 5; *(uint8_t*)0x20001243 = 0; *(uint8_t*)0x20001244 = 0x10; memcpy((void*)0x20001245, "\xb4\xc7\x8a\xcf\x97\xb8\x6f\x6c\xfd\x8a\x0d\xb2\x25\xc7\xea\xcf\x55" "\x68\xac\x52\x41\xb1\x69\xb1\xbf\x24\x10\xa1\xa8\xad\xe2\x10\x02\xa1" "\x77\x6c\x6a\x02\x0b\x3b\x08\xda\x86\x24\x63\x68\x16\x6e\x16\x21\x4a" "\x5d\x4c\xaf\xb5\x40\xf0\x9c\x95\x38\xf0\xdd\xfa\xb4\x6d\x9e\xa0\x53" "\x28\xbd\xf7\xfc\x15\x79\x68\x60\xb3\x62\x01\xad\x0f\x98\x12\x06\x70" "\x88\x4c\x85\xa2\x92\x45\xd3\xba\xbd\xf2\xfa\xcb\x56\x47\xaa\x75\x1d" "\x92\x9e\xcd\xac\xe7\xab\xb1\xe3\x16\xbd\xcb\x1b\xb0\xd4\x85\x02\x6f" "\x15\x9f\x91\x10\x93\xc1\x19\x0e\x52\xc3\x82\x6e\x41\x5b\x15\x25\x55" "\x7c\x56\x44\x42\x2f\xcf\xa8\xfc\xf8\x15\xc4\x01\xf4\x52\x7a\x8c\x98" "\x4d\x05\x55\x40\x0a\xc5\x97\x04\xf7\xee\xe2\x1f\x85\xfc\x32\xde\x63" "\x02\x65\xa9\x2d\x05\xc2\xd7\x17\xb6\x28\x8c\x34\x73\xae\xc0\xe0\x38" "\x13", 188); *(uint8_t*)0x20001301 = 0; *(uint8_t*)0x20001302 = 2; memcpy((void*)0x20001303, "\x34\xcb\x77\xfa\x13\xf8\xd5\x90\xdd\xd0\x1e\x38\x14\x08\xad\x48\xa7" "\xb1\x10\xfe\x5b\x67\x7d\xb2\xec\xd7\xb9\xeb\x88\x1e\x78\xdf\x17\xc5" "\xc7\x40\x9f\x78\x66\xad\x49\x62\x60\xe1\x88\x03\x7c\x11\x7a\xbb\xab" "\xad\x09\x8c\x69\xe3\x63\xa7\x35\xc5\xd9\x16\x2d\x74\x39\x4e\x73\x22" "\x02\x11\x11\xca\x83\x1d\x08\xbe\xd7\xa4\x44\x9d\x6d\x68\x53\x27\xd7" "\x76\x8c\xd0\x95\xa3\x37\x14\xed\x0f\x1e\x02\xf1\x93\xfd\xaa\xf3\x37" "\xe2\x34\x37\xa1\x7a\x40\xc9\x6e\x9c\x78\x2a\x3a\xd0\x88\xbd\x46\x27" "\x88\x19\x47\x51\x2b\x02\x55\x08\x26\x3d\xd8\x1e\xb2\x89\x45\x4a\xb6" "\xf0\xb4\xf4\x05\x2f\x1c\x81\x37\x39\xf1\x1a\xce\x2b\xc0\xba\x1b\x95" "\xd0\x3f\xae\x95\x55\x12\x65\x21\x01\x6e\x4a\xca\xa1\xbc\xfe\x5d\xdf" "\x46\x81\x17\x6e\x7f\x8c\x1f\x88\xb0\xc7\xca\xc3\xb4\x47\x87\xe9\x5b" "\x00\x91\x80\x73\x90\x07\x68\xa0\x72\x99\x60\x79\x6a\xe8", 201); *(uint8_t*)0x200013cc = 9; *(uint8_t*)0x200013cd = 5; *(uint8_t*)0x200013ce = 0xc; *(uint8_t*)0x200013cf = 0x10; *(uint16_t*)0x200013d0 = 0x249; *(uint8_t*)0x200013d2 = -1; *(uint8_t*)0x200013d3 = 9; *(uint8_t*)0x200013d4 = 0; *(uint8_t*)0x200013d5 = 9; *(uint8_t*)0x200013d6 = 5; *(uint8_t*)0x200013d7 = 0xa; *(uint8_t*)0x200013d8 = 1; *(uint16_t*)0x200013d9 = 1; *(uint8_t*)0x200013db = 1; *(uint8_t*)0x200013dc = 6; *(uint8_t*)0x200013dd = 8; *(uint8_t*)0x200013de = 0; *(uint8_t*)0x200013df = 0x25; *(uint8_t*)0x200013e0 = 1; *(uint8_t*)0x200013e1 = 0x82; *(uint8_t*)0x200013e2 = 0; *(uint16_t*)0x200013e3 = 0x7fff; *(uint8_t*)0x200013e5 = 9; *(uint8_t*)0x200013e6 = 5; *(uint8_t*)0x200013e7 = 6; *(uint8_t*)0x200013e8 = 1; *(uint16_t*)0x200013e9 = 0x3ec; *(uint8_t*)0x200013eb = 2; *(uint8_t*)0x200013ec = 8; *(uint8_t*)0x200013ed = 9; *(uint8_t*)0x200013ee = 9; *(uint8_t*)0x200013ef = 5; *(uint8_t*)0x200013f0 = 5; *(uint8_t*)0x200013f1 = 0x10; *(uint16_t*)0x200013f2 = 0x241; *(uint8_t*)0x200013f4 = 5; *(uint8_t*)0x200013f5 = 0; *(uint8_t*)0x200013f6 = -1; syz_usb_connect(0, 0xb7, 0x200001c0, 0); } int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); loop(); return 0; }