// https://syzkaller.appspot.com/bug?id=9ad59c230741100eaaef8d512e27575b216e65ab // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[1024]; }; static struct nlmsg nlmsg; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; unsigned n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != hdr->nlmsg_len) exit(1); n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (hdr->nlmsg_type == NLMSG_DONE) { *reply_len = 0; return 0; } if (n < sizeof(struct nlmsghdr)) exit(1); if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr)) exit(1); if (hdr->nlmsg_type != NLMSG_ERROR) exit(1); return -((struct nlmsgerr*)(hdr + 1))->error; } static 
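int netlink_send(struct nlmsg* nlmsg, int sock) {
  // Plain send: no reply payload is wanted, only the ACK/error status.
  return netlink_send_ext(nlmsg, sock, 0, NULL);
}

// Walk a multi-part reply held in nlmsg->buf: return the length of the message
// at `offset`, or -1 at the end (`offset == total_len`) or when the message
// header or body would run past `total_len`. A nlmsg_len shorter than the
// header is rejected as well, so a caller advancing by the returned length can
// never stop making progress. `total_len` is trusted to be <= sizeof(buf)
// (netlink_send_ext produces it from a bounded recv()).
static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset, unsigned int total_len) {
  if (offset >= total_len || total_len - offset < sizeof(struct nlmsghdr))
    return -1;
  struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset);
  if (hdr->nlmsg_len < sizeof(struct nlmsghdr) || hdr->nlmsg_len > total_len - offset)
    return -1;
  return hdr->nlmsg_len;
}

// RTM_NEWLINK on the interface called `name`: optionally set IFF_UP, enslave
// it to `master`, replace its hardware address (`macsize` bytes at `mac`) and
// rename it to `new_name`. NULL/0 arguments skip the corresponding attribute.
// Errors from the kernel are deliberately ignored (best effort).
static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) {
  struct ifinfomsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  if (up)
    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  // if_nametoindex() yields 0 for an unknown name; the request then simply
  // fails in the kernel and the error is dropped below.
  hdr.ifi_index = if_nametoindex(name);
  netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
  if (new_name)
    netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
  if (master) {
    int ifindex = if_nametoindex(master);
    netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
  }
  if (macsize)
    netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
  (void)netlink_send(nlmsg, sock);
}

// Descriptor number expected to hold the initial network namespace. Nothing on
// this page opens fd 239 — presumably the harness that launches the reproducer
// does — so initialize_devlink_pci() exits early unless that environment exists.
const int kInitNetNsFd = 239;

// devlink generic-netlink identifiers, defined here rather than taken from a
// kernel header.
#define DEVLINK_FAMILY_NAME "devlink"
#define DEVLINK_CMD_PORT_GET 5
#define DEVLINK_CMD_RELOAD 37
#define DEVLINK_ATTR_BUS_NAME 1
#define DEVLINK_ATTR_DEV_NAME 2
#define DEVLINK_ATTR_NETDEV_NAME 7
#define DEVLINK_ATTR_NETNS_FD 138

// Resolve the generic-netlink family id of "devlink" via CTRL_CMD_GETFAMILY.
// Returns the id (a non-zero uint16_t) or -1 if the request fails or the reply
// carries no CTRL_ATTR_FAMILY_ID. The follow-up ACK is drained best effort.
static int netlink_devlink_id_get(struct nlmsg* nlmsg, int sock) {
  struct genlmsghdr genlhdr;
  int err, n;
  uint16_t id = 0;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = CTRL_CMD_GETFAMILY;
  netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, DEVLINK_FAMILY_NAME, strlen(DEVLINK_FAMILY_NAME) + 1);
  err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n);
  if (err) {
    return -1;
  }
  // Walk the attributes of the reply. `n` is the datagram length; every
  // attribute header and payload must fit inside it, and a nla_len shorter
  // than the header would never advance the cursor, so both end the walk
  // instead of reading past the data or spinning.
  size_t off = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr));
  size_t end = (size_t)n;
  while (off + sizeof(struct nlattr) <= end) {
    const struct nlattr* attr = (const struct nlattr*)(nlmsg->buf + off);
    if (attr->nla_len < sizeof(*attr) || attr->nla_len > end - off)
      break;
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
      if (attr->nla_len >= sizeof(*attr) + sizeof(id))
        memcpy(&id, attr + 1, sizeof(id));
      break;
    }
    off += NLMSG_ALIGN(attr->nla_len);
  }
  if (!id) {
    return -1;
  }
  // Drain the ACK that follows the family reply; its content is not needed,
  // so the return value is intentionally ignored.
  recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); /* recv ack */
  return id;
}

// DEVLINK_CMD_RELOAD of device `bus_name`/`dev_name` with DEVLINK_ATTR_NETNS_FD
// set to `netns_fd`, i.e. ask the kernel to move the device into that network
// namespace. Failures (unknown family, kernel error) are ignored; only socket
// creation failure is fatal.
static void netlink_devlink_netns_move(const char* bus_name, const char* dev_name, int netns_fd) {
  struct genlmsghdr genlhdr;
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock == -1)
    exit(1);
  int id = netlink_devlink_id_get(&nlmsg, sock);
  if (id != -1) {
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = DEVLINK_CMD_RELOAD;
    netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
    netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
    netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
    netlink_attr(&nlmsg, DEVLINK_ATTR_NETNS_FD, &netns_fd, sizeof(netns_fd));
    // Best effort: the original had an empty `if (err) { }` here.
    (void)netlink_send(&nlmsg, sock);
  }
  close(sock);
}

// Second message buffer, used for the RTM_NEWLINK renames while `nlmsg` still
// holds the devlink port dump being iterated.
static struct nlmsg nlmsg2;

// Dump the ports of devlink device `bus_name`/`dev_name` and rename each port's
// netdev to `<netdev_prefix><index>`, bringing it up. The attribute walk below
// trusts the kernel-produced dump: nla_len is non-zero and the NETDEV_NAME
// payload is NUL-terminated (neither is checked here).
static void initialize_devlink_ports(const char* bus_name, const char* dev_name, const char* netdev_prefix) {
  struct genlmsghdr genlhdr;
  int len, total_len, id, err, offset;
  uint16_t netdev_index;
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock == -1)
    exit(1);
  int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (rtsock == -1)
    exit(1);
  id = netlink_devlink_id_get(&nlmsg, sock);
  if (id == -1)
    goto error;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = DEVLINK_CMD_PORT_GET;
  netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr));
  netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
  netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
  err = netlink_send_ext(&nlmsg, sock, id, &total_len);
  if (err) {
    goto error;
  }
  offset = 0;
  netdev_index = 0;
  // One dump message per port; netlink_next_msg returns -1 at the end.
  while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) {
    struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
    for (; (char*)attr < nlmsg.buf + offset + len; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
      if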
(attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) {
        char* port_name;
        char netdev_name[IFNAMSIZ];
        // Attribute payload as produced by the kernel; assumed NUL-terminated.
        port_name = (char*)(attr + 1);
        snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix, netdev_index);
        netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0, netdev_name);
        break;
      }
    }
    offset += len;
    netdev_index++;
  }
error:
  close(rtsock);
  close(sock);
}

// Move devlink PCI device 0000:00:10.0 into this process's network namespace:
// the reload request is issued from the namespace behind kInitNetNsFd, then
// the caller's namespace is restored and the ports are renamed netpci<N>.
// Every step that fails terminates the process. Not called from main() on
// this page.
static void initialize_devlink_pci(void) {
  int netns = open("/proc/self/ns/net", O_RDONLY);
  if (netns == -1)
    exit(1);
  if (setns(kInitNetNsFd, 0) == -1)
    exit(1);
  netlink_devlink_netns_move("pci", "0000:00:10.0", netns);
  if (setns(netns, 0) == -1)
    exit(1);
  close(netns);
  initialize_devlink_ports("pci", "0000:00:10.0", "netpci");
}

// syzkaller pseudo-syscall for opening a device node.
//   a0 == 0xc or 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
//     (major and minor truncated to one byte) with O_RDWR.
//   otherwise: a0 is a path template; each '#' is replaced by the next decimal
//     digit of a1 (least significant digit first) and the result is opened
//     with flags a2.
// Returns the descriptor or -1 from open().
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) {
  if (a0 != 0xc && a0 != 0xb) {
    char path[1024];
    // Bounded copy plus explicit terminator: strncpy alone does not terminate.
    strncpy(path, (char*)a0, sizeof(path) - 1);
    path[sizeof(path) - 1] = 0;
    for (char* hash = strchr(path, '#'); hash; hash = strchr(path, '#')) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(path, a2, 0);
  }
  char node[128];
  const char* kind = (a0 == 0xc) ? "char" : "block";
  // Longest possible result is "/dev/block/255:255", so 128 bytes always fit.
  snprintf(node, sizeof(node), "/dev/%s/%d:%d", kind, (uint8_t)a1, (uint8_t)a2);
  return open(node, O_RDWR, 0);
}

// Result slots for the two opens in main(): r[0] the fd from "/dev/vcsa#",
// r[1] the fd of character device 4:1. All-ones means "not opened".
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void) {
  // Fixed 16 MiB scratch mapping at 0x20000000 holding every syscall argument
  // (prot 3 = read|write; flags 0x32 = private|fixed|anonymous). Being
  // anonymous, bytes never written stay zero.
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
  intptr_t res = 0;
  // "/dev/vcsa#": the '#' becomes the low decimal digit of 0xb69 (2921), i.e.
  // /dev/vcsa1; flags 0x2081 include O_WRONLY.
  memcpy((void*)0x20000240, "/dev/vcsa#\000", 11);
  res = syz_open_dev(0x20000240, 0xb69, 0x2081);
  if (res != -1)
    r[0] = res;
  // Write payload: 4-byte header holding 8, followed by 4096 bytes of data.
  *(uint32_t*)0x20002300 = 8;
  memcpy(
      (void*)0x20002304,
      "\x98\x57\x1c\x6f\xcf\x4b\x7f\x6c\x58\x96\x66\x05\x03\xe5\x51\xd5\xb4\xec"
      "\xb0\xa8\xa3\x9b\x79\x96\xc9\xab\x71\x26\xab\x5c\x2a\x88\x6f\xde\x12\x6e"
      "\x4f\xbb\xd7\x0f\x1f\x6e\x48\x1b\x98\xda\xb9\x90\xee\x18\x03\xe1\xe2\xbd"
      "\xd0\x43\x8c\x71\x03\x0a\xa7\xfc\xc9\xb9\xbb\x30\x02\x74\x7f\x97\x00\xc0"
      "\x88\x08\xa5\xe9\xca\x23\xc1\x46\x93\xb1\x32\x7d\xac\xec\xdd\x63\x70\xdd"
      "\xd6\x38\xcb\x84\x89\x3d\x9e\xb7\x1f\xfd\x5c\x81\xf2\xb2\x55\xc8\x1c\xda"
"\x89\xff\xc1\xbd\x92\x2c\x2d\xc2\x54\x65\x0c\x12\x49\x8b\x20\xd0\x81\x19" "\x51\x56\x36\x52\x16\xe3\x62\x36\x44\x67\x8c\x50\x17\x0c\x95\x9d\x86\x76" "\x08\x2e\x1d\x3f\xa1\x05\xfe\x28\xef\x88\x2a\xd3\xe9\xe1\xbe\xe8\x15\xd0" "\x9e\x0f\x47\x8a\x93\xa4\xca\x40\x20\xc6\x95\x27\xe4\x18\x3e\xd4\x12\x12" "\x59\x3b\x56\x37\x0b\xac\x9f\x22\xf0\xb0\x2c\x06\x41\x1f\xde\x50\x68\xfe" "\xb4\xce\x8d\xdd\x57\xf4\x37\xac\xa8\xcb\x3c\xea\xb4\xcb\xcc\x42\x56\x88" "\xdf\xb9\xe4\x3b\xd9\x92\xb5\x62\xef\xe7\x57\x7d\xe6\x21\xce\x46\x65\x3a" "\x73\x52\xf8\x75\xfd\x29\x96\x9a\x24\x86\xec\x6a\xf7\x5b\x4c\x74\x86\x20" "\x10\x7e\x9b\x67\x85\x62\xe6\xad\x9a\x34\x3d\x12\x46\x73\x36\x71\xe9\x02" "\x47\x33\xb8\x67\xe4\xdb\xb2\x75\x21\xb4\x88\x16\x3a\x5e\x02\x12\xed\xc9" "\xf1\x1d\x6e\xd6\x46\x21\xae\x8a\xf1\x29\xcc\x38\x93\x6c\x0a\x25\x66\x83" "\x04\xff\x73\x53\xcd\x8a\x66\x6e\x31\xd5\x3a\xa7\x72\x71\x47\xb6\x86\x28" "\x6b\x7a\xac\x52\x72\x3b\xad\x7b\x19\xe6\xe6\x89\x2e\x8f\x04\x89\xa9\x47" "\xbd\x64\x4a\xb3\x12\xf2\x32\xfa\x2a\x40\x38\xaa\xae\x5c\xba\xd6\x3f\xf4" "\xfb\xf6\xbb\xe2\xa7\x26\x6f\x50\x8a\x50\x8b\x49\x48\x37\x09\x53\x26\x0e" "\x1e\x13\x77\x15\x5a\x71\xb9\xae\x21\xd9\xe2\xb5\xfd\x77\xd1\x98\x68\x92" "\xed\x85\xc5\xde\xe6\x5b\x40\x69\x1c\xe1\x15\xb7\x3c\xaa\x18\xad\x40\x52" "\x3c\x26\x5b\x8d\x04\x43\x95\x71\x6f\x7d\x98\x9c\x88\xc2\xed\x66\x7f\xe7" "\x5d\x99\x55\xae\xd1\xa4\x1f\xd1\xaf\xc2\x79\x1c\x13\x70\x77\xd1\x59\xb0" "\xcb\x56\xe3\x4e\x3a\x67\xb6\xa7\x05\xe9\xc1\x0b\xaf\xe4\x13\xb2\xb2\x1b" "\x53\x8c\x39\xae\x61\x36\x4d\x20\x05\x11\xc1\x09\xdd\xc0\x3f\x76\x89\x2e" "\x7d\x0e\x85\xac\xd6\x8b\x25\xe0\xb7\xdd\xbe\xd8\x2e\xcd\x4c\x0f\x4d\xb8" "\xee\x48\xf6\xcc\xe5\x26\xf4\xfb\x4a\x5f\xaf\x60\x85\x7e\x9c\x4a\x6e\x9b" "\x22\x51\x85\x4e\xdb\x69\xfb\xea\xdc\x1d\x4c\xaf\x07\x3e\x36\xac\x50\x5e" "\xff\xe3\x6b\x71\xb9\x08\xc5\xeb\x47\x9b\x2a\x0e\x20\x62\x17\x24\x64\x72" "\x0d\xb9\x73\x41\xc8\x01\xc9\xca\xa9\x3c\xe6\xd9\xde\x4f\xa9\xf9\xbd\x56" 
"\xdc\xdb\x10\x6c\x04\xc5\x03\xd2\x84\xdd\x69\x64\xc4\xae\x57\xb9\x77\xde" "\x17\x57\xb4\x1b\x3f\xe5\x4c\x2f\xbc\xdd\x83\xd7\xb1\x7f\xe0\x4a\xfe\xd4" "\xd5\x29\xb4\x16\xfa\xb1\xb9\x16\xd8\x83\xd0\xde\x2d\xe8\x52\x52\xf8\x33" "\x6c\x09\xa0\x6d\x1d\x66\x3e\xd1\xaf\xde\x2e\x9c\xbe\xda\x05\x1f\x47\x29" "\xc1\x6f\x2a\xb6\xee\x31\xa5\x48\x89\xbc\x90\x04\x96\xb3\xf9\x89\xe8\xd5" "\xa2\x0f\x8e\xb6\x3f\x80\x0e\xe8\xcf\xc0\x01\x1d\xa1\x9d\xbf\xe1\x94\xe3" "\xd1\x02\x99\xcf\xd8\x8d\x0a\xb1\x2f\x73\xd4\xe0\x5b\x6e\xd4\x53\x46\x77" "\xa3\x1e\x9e\x7d\x97\xb1\x30\xc4\x57\x74\x9a\xcc\x9d\x03\x1b\xd4\x2d\x0a" "\xfd\x86\x72\x20\xbb\xf0\x60\x83\xf2\xd6\x77\x87\x02\x13\x62\xe6\x37\x29" "\x95\x14\x51\x98\xf3\xc6\xfe\x78\x42\xe3\xbe\x8c\x87\xc9\x37\xfb\xff\xe0" "\x7c\x87\x56\x6d\x97\xaf\x7f\xc0\x6c\xe3\xc9\xcc\xae\x5d\xe7\x75\x57\xe0" "\xb4\x18\xf8\x0f\x0f\x8b\xf4\xc9\x3f\x32\xcf\x5d\x71\x09\x9c\xdb\xb6\xa7" "\xf6\x0e\xbd\x12\x01\xb1\x55\x1d\x88\xd9\x3b\x44\x1b\x01\x7d\x94\x1b\x8d" "\xa0\x88\x0a\xa7\xae\xa7\x5c\x6e\xd4\x92\x2d\x9e\x24\x09\xc7\x05\x9d\xf0" "\xb7\x1a\xd4\xfd\xa1\xca\xbe\xaf\x22\x97\x11\x0f\x76\x59\x2b\xd6\xc4\xa6" "\x22\x53\xf1\x00\x61\xfd\xd6\xfc\x21\x50\x47\x0b\xfd\x79\xe3\x60\x16\xdc" "\x1c\x5d\x8b\xb1\x8c\xf1\x2d\x85\x58\x83\xa0\xa5\xdf\xca\x0b\x6a\xe6\xc5" "\x25\xb1\x49\xf6\xdd\x3d\x2c\x35\x0f\xbc\x28\xc5\x4c\xc2\xfb\x9b\xbf\x98" "\x73\xa6\xbe\x5e\x32\x6c\xa5\xb1\xd3\x49\xf7\x16\x62\x33\x9b\x32\x2e\xd2" "\xaa\xad\x97\xf3\x44\x64\x5e\x61\xa2\xed\xff\x10\xe5\xfb\x7e\x42\x05\x6b" "\xc4\x96\x51\xbb\xf6\x75\x40\x6d\x0f\x13\x72\x79\x08\xbe\x81\xec\x51\xd2" "\xd4\xc6\xde\xfb\x42\xd1\x79\x86\xea\xc5\x88\x6e\x67\xd0\xd7\x16\x51\x7b" "\x7a\xb5\xc7\x2d\x6e\x29\xc7\xdf\xe9\x3a\x18\x7e\x83\xb8\xe0\x14\x18\x76" "\x46\xe7\xb8\x1f\x5f\x55\xd5\xb8\x68\x32\x1c\x5b\x69\x64\x0d\xc8\xf1\x49" "\x41\x77\x93\xb2\xf6\x66\x4f\x2f\x71\x17\x26\x82\x35\xfa\xb3\xe3\x57\x3c" "\x3e\x94\x52\xeb\x05\xef\x09\x1f\x71\x6d\x26\xec\xca\x27\x66\x04\x0c\xb9" 
"\x1a\x77\xb2\x64\xdb\x72\x2b\x22\xfc\x6b\x9a\x98\xe3\x9b\xb3\x55\x57\xd6" "\x42\x6d\x4f\xfc\xf7\x7f\x1e\xb1\x96\x68\xcf\x3b\xf5\x8f\xd0\x55\xaf\xdf" "\xca\x68\xae\xa6\x99\xcb\xb1\x8c\x68\x9b\xe4\x5d\xc0\xab\xad\xa9\xb5\x9e" "\x90\xc3\xd1\x6e\xf8\x93\xd5\xcf\x98\x0b\xbf\x6f\x50\x00\x57\x6c\x26\x11" "\xfd\xb9\xa2\x6d\xb2\xa1\x61\xe7\x7b\x72\x46\x90\xeb\x69\x5c\x82\xc8\xbf" "\xc9\x11\xc7\xf8\x7b\xd8\x61\x93\x2f\x63\x32\xa9\xe1\xa0\x89\x4b\x3c\xc5" "\x72\xac\xb0\x6d\x4c\x73\x05\xfe\x9f\x43\x5a\x74\x2e\x36\x7f\xc0\x03\xc4" "\x9d\x88\x63\x1d\xe2\xa5\x37\x11\xbc\x4e\xaa\x90\x9f\xd3\xf1\x73\x9f\x9f" "\xf8\x32\xa4\x2f\x8b\x00\x58\x09\x13\xb5\x1a\x1a\xcb\x17\x68\x99\x16\xbe" "\x28\x51\x9a\x81\x73\xd4\x93\xa8\xf4\x20\xb7\x0e\xe7\x48\xa2\xbc\xd5\x7c" "\x9e\x0a\xe8\xad\x49\xaf\xd9\x70\xba\xcc\xd9\xe2\xf9\xf5\x78\x08\x3d\xf4" "\x7c\x90\x4d\x29\x94\xf6\xca\x2d\x04\xcc\xff\x30\x63\xd9\xed\xad\x6f\xcf" "\x45\xbe\xbf\xd0\xa3\x48\x23\xf6\x08\xcf\x41\x50\x07\xbe\x6b\xf8\x1b\x4d" "\x48\x00\x32\x11\x38\x94\xd0\x98\x03\x0f\x11\x05\xfb\xf8\x85\xce\xca\x8b" "\x70\x61\xee\x6e\x08\x27\xcb\x60\x5e\xdd\x73\xb8\xe4\xca\x0b\x69\xa5\xfe" "\xb6\x3c\x7d\x71\xec\x4c\x31\x78\x75\x47\xf6\x29\x76\x98\x1f\x55\xbb\x6e" "\x46\xb8\x59\x35\x44\xc6\x84\xfa\x92\x80\x97\xcd\x92\x65\x4f\x46\x27\xc4" "\x1c\xad\x57\x0c\x4c\x6c\x32\x21\x95\xe9\x87\x67\x7c\x61\xe5\x17\x18\x45" "\x59\x35\x5e\xfd\xa6\x9b\x3b\xa7\xf0\xbd\x45\xef\xeb\x73\x88\x49\x0f\x66" "\xf8\x1a\xda\x3c\xec\x71\xca\x24\xaa\xfd\xc2\x32\x1a\x3d\x9e\xa8\x7c\x5e" "\x34\x1d\xdc\x51\xeb\x02\x3d\x97\xd9\xde\x27\x4b\xf1\xd3\x31\xeb\x48\x38" "\xf2\x99\x33\x46\x3e\xde\x0c\x70\x7c\xcc\x03\x3d\x34\x11\x8e\x02\x33\x21" "\x8b\xc2\x73\xbf\x20\x74\x2c\x58\xfe\x63\xe8\x81\xf5\xcd\xe3\x91\xd4\x53" "\x70\x75\x9b\x1a\x82\xec\x3a\x88\x7a\x3b\x69\x29\x92\x37\x78\x57\xc9\xf4" "\x8a\x43\x43\x80\xd4\x3b\x27\x52\x9f\x9f\x12\xda\xe6\xdd\xbf\x30\x3e\x80" "\xf9\x02\xb1\xad\xc6\x11\x72\x96\x71\xd5\x0b\x79\x64\x4d\x88\xb8\x53\xaa" 
"\x74\xe3\xa6\x4f\xd9\x44\x40\xf7\x29\x65\x5f\x33\x9f\xaa\xde\xfa\xcd\x32" "\x12\xce\x30\xe8\xac\xbf\xe0\x89\x43\xa1\x38\x0e\x3a\x06\xe7\x59\x7a\x61" "\x6d\x5b\xba\x58\x14\xa5\x8b\x40\x53\x52\x84\x55\xe2\xe5\xcb\xd9\xf3\xc7" "\xa0\x44\x12\x5a\x27\x76\xdd\x70\xf7\xa2\x77\xaf\x59\xee\x6d\xac\xf7\x7a" "\x92\x6c\xdd\x9f\x76\x96\xef\x6f\x04\x11\x8d\x8e\xbe\x3d\x11\x2e\xb7\x7f" "\xab\x90\x26\xae\xeb\x75\x90\xad\x2b\x92\xc2\x84\xca\xd9\x45\x25\x18\x46" "\xac\x77\xf3\x8d\xc5\x7e\x8f\x81\x66\xe5\x04\xec\x26\xc6\xfc\xce\x4c\xeb" "\x07\x21\x65\xcb\xa3\x85\xea\x71\xc2\xa1\xab\xfc\x76\x5f\x67\x9d\xd7\x63" "\xbb\x3b\x88\xf4\x86\x75\xd5\xcf\x0d\x7d\x7a\x02\xd3\x04\x9f\x69\x3a\x96" "\x27\x9a\x0f\xca\x85\xac\x8c\xe0\x91\x0e\xec\x88\xbd\xf2\xb4\x9f\x79\xca" "\xb7\xfa\xc5\x5a\x34\x18\xa4\xff\x8a\xba\x1a\x32\x6b\x94\x00\x05\x7f\x87" "\x96\x09\xf1\x23\xcd\x32\x2f\x70\x75\x83\xc5\x24\x74\xe5\x3a\x98\x3a\x96" "\x32\x35\x3b\xeb\xe8\xe2\xaa\x6d\x55\x97\x0b\x42\xfa\x33\x3a\x59\x30\xf3" "\x2f\x2a\x88\xba\xa7\x76\x2a\xb6\xdc\xb0\x9d\xdc\x64\x85\x86\x97\x4b\x0b" "\xa4\x44\x7f\x99\x46\x0c\x21\xf4\x47\xf2\x56\x75\x9a\xa8\x01\xc8\x6a\x6b" "\x5d\x8b\xbb\x31\x32\x50\xe0\x79\x18\x31\x6a\xc9\x05\x58\x65\x44\xda\x69" "\xfb\x25\x3b\x25\x84\x4b\x03\x78\xd6\x48\x22\x5a\x5f\x60\x5f\xd5\x87\x5a" "\x2d\x0e\x09\x62\x7c\x72\x66\xfb\xed\x2d\xfc\x28\xce\x23\x5f\xca\x92\x15" "\x88\xcd\x38\x5b\x10\xeb\x3c\x20\x6c\x55\x78\x35\x97\xf4\x40\xa6\x17\x01" "\xa3\xc2\xa7\x97\x39\xdd\xd0\xda\x6f\xdd\x1d\x74\xe0\xd3\x4d\x7d\x0d\xb4" "\x77\xdb\x75\xb3\x5f\x68\xff\xf3\x34\xfc\xa5\x47\xdf\x0a\x85\xfd\xeb\x7d" "\xb9\xe8\xde\xb0\x87\x05\x93\xc0\x77\x14\x50\x31\x70\x74\x4e\x15\x34\x04" "\xf5\x18\x4c\x65\xff\xd8\x83\x88\x4f\xf5\xda\x67\x9f\x62\x39\xf4\xd0\x54" "\xe9\x08\xdc\x31\x82\x7f\x1e\xfc\x0e\xf5\x25\xc8\xeb\xc0\xbb\x2d\x3a\xe3" "\x30\xbe\x90\xba\x1b\xa7\x98\x18\x11\xdc\x26\xb8\xd2\x09\x36\x15\xff\x00" "\x0c\xac\xeb\x4d\xe3\x4c\xc2\xb1\x79\x8a\x16\xa2\xff\x74\x68\xca\x92\xa6" 
"\xa0\xba\x2e\x86\xc6\x36\x12\xb9\xa6\xb7\xba\x84\xea\xbd\x3e\x4f\x22\x27" "\x09\x04\xbb\xdd\x33\xfd\x1e\x02\x1f\x48\x16\xd1\xf6\x40\x60\xd7\x84\x25" "\x5b\x6d\x8a\x08\x08\xaf\x05\x98\x49\x5b\xa2\x25\xe9\x90\x75\x97\xcb\xc5" "\x76\x57\x7c\x20\x11\x83\xd6\x7a\x1d\xb0\xf7\x7b\x13\xe1\x37\x0d\x68\x21" "\x3d\x96\xc4\x5b\xef\xa3\xb2\x27\x1e\xc4\x0a\xec\x85\xda\x3f\xa1\x72\xe8" "\x30\x15\xf2\x75\x61\xa5\x4e\x16\x83\x7b\xcf\x9f\x3c\xad\x9d\xa3\xe1\x34" "\x11\xaf\xad\xcd\xad\x1c\x3c\x63\x4f\x25\x2c\x2c\xae\xf6\x2a\x80\xd0\x26" "\xdb\x05\xab\xfa\xa3\x44\xd4\x74\x38\xc5\xd9\xbf\x00\xed\x18\x3d\x43\x19" "\xeb\x57\xf8\xcd\x27\x07\xcb\xd8\x87\xae\xd4\x3c\x0f\x2f\x42\x11\xbc\xf9" "\x3c\xed\x3e\xbb\x7d\xae\xc2\x9a\x6f\xe6\x4c\xae\x5d\x13\xa3\x99\x63\x99" "\xa2\x76\xbd\x0d\x3b\x62\x05\x69\xea\x5f\x99\x6b\xdc\xf1\x75\x83\xcf\x75" "\x8c\x11\x74\xed\xba\xc3\x15\x58\xc7\xf1\x34\x47\x6f\x6d\xd4\x7d\x02\xb0" "\x8a\xc0\xc3\xee\x1a\x69\xc0\x41\xbd\x2f\x2a\xc6\x74\xd0\x59\x12\x6f\xa6" "\xa3\xca\x90\x5b\x50\x52\x3e\xe6\x81\xdd\x3d\x2a\x22\xd3\x30\xc6\x96\xfb" "\x94\x8f\x82\x73\x92\xf0\x39\x0a\x13\xbe\x7f\xc5\x75\x1d\xc4\x64\x3f\x0b" "\x4f\x7c\x18\x63\x5c\xda\x83\x3d\x95\x7a\x56\x7d\x1b\x76\xbf\x73\xb1\xc5" "\xc5\xf7\xf6\x17\x82\x35\xe0\x06\x02\xbd\x6c\x59\xde\x3d\x6c\x05\x0b\xe5" "\x83\x11\x06\xec\x7c\x77\x91\xc6\xa2\xb9\x38\xc3\x26\x59\x1f\xae\xeb\xaa" "\xb0\x70\xc4\x00\x11\x96\x53\x7c\x17\xd7\x7f\x9d\x38\x8d\x84\x04\x04\x05" "\x40\x97\x92\xb2\x1a\x8a\x80\x64\x89\xed\xc0\x58\x5a\x3d\x22\xc0\xc5\x27" "\x83\x1c\x55\x85\xac\xfd\xb8\x5b\xd8\x89\x6f\xb3\x6e\xff\xc9\xc4\x68\x44" "\x1a\x0b\xea\xed\x5f\x4b\xa9\x11\xa1\xc3\xfa\x9b\x31\xd0\x70\x2d\x8f\x70" "\x8c\xf2\x1b\x22\xf8\x01\x6f\x3d\xed\xd6\x3d\xa2\x31\x36\x4b\xbb\x1e\x4a" "\x8e\x24\x93\x03\x89\x63\x96\x2d\x5f\x30\x1d\x61\x18\xd0\x62\x4b\x54\xc6" "\x5c\xbf\x72\x13\x35\x60\x15\xdc\x0e\x21\x70\xf7\x40\x79\xbd\x67\x75\x1f" "\x0c\xc9\x95\x8f\xa4\xb9\x35\x09\x85\x65\x33\x7d\x74\x22\x38\x14\x4c\x85" 
"\x6e\x0c\x96\xf8\x67\xec\x22\x52\xb7\x55\xff\xde\xf3\xd7\x09\x17\x05\x0d" "\x5a\xd2\x8a\xfa\x9d\xe0\x63\xfb\x3d\x0d\xbe\xca\xe4\xa2\xa1\xea\x84\xb9" "\x7b\x6e\x99\xd7\xc7\x36\xa2\x30\x5d\xc4\xe3\x6c\x5a\xf7\x13\x00\x83\xb7" "\xcb\x2a\xbb\x0b\xa3\xd3\xa4\x03\x65\x87\x1f\x48\xc3\x75\xde\xc2\x83\xc3" "\x3d\xc3\x93\x9e\x72\xf3\xcb\xfc\x3c\xbc\x31\x66\xce\x40\x86\xf7\xa7\x42" "\xf3\xd0\xc1\xd4\xed\x1c\xdf\x6e\xf6\x9b\x34\x3c\xa1\x9c\x18\x6f\xf8\x88" "\xad\xa3\xfe\x95\xed\x2c\xa5\x4e\x80\xc7\xdb\xa1\xb9\x44\x70\x11\xa7\x03" "\xfb\xae\x5b\x29\xfa\xdb\xa2\x10\x0a\xbb\x47\xaa\x7d\x20\x57\x67\x14\x4b" "\x3b\x17\xbe\xe7\x4f\x4d\x36\x04\x47\xbf\xb4\xab\x14\xca\x5d\x16\x1a\x55" "\xbe\xe4\x2a\xa3\x65\x6b\x57\xa2\x3e\x18\x33\x5d\xaf\xca\x21\xf9\x07\xd2" "\x74\x6d\xdd\x63\x66\x8c\x12\x49\xdc\x1f\xa9\x6d\x88\x70\xf2\xad\xf1\x81" "\xb0\x66\xeb\xaa\xa2\x13\x9e\x0b\xe2\xa6\x4b\x55\xf8\x7a\x39\xf6\x92\x3a" "\x5f\xd1\x72\xac\xe8\x9d\xf0\x0f\x3d\xd6\xce\xd1\x18\x4d\x76\x0a\x45\xc3" "\xf0\xa3\xdc\xdf\x3a\x41\xb2\x72\x0e\xb3\x80\xf0\x56\x81\xa6\xed\x47\x6a" "\x84\xb2\x83\x5c\xef\xc2\xbb\x52\xb0\x60\x8a\x56\x8b\x0e\x82\x1f\x1c\xdc" "\x58\x21\xfa\xa6\xd2\x6f\xb7\x67\xda\x3a\x8f\xfb\x6f\xeb\x36\xec\xa4\x31" "\x1f\xd0\xe6\xe2\x81\x5e\x37\xad\x10\xa6\x0c\xf9\x07\xfb\xb8\x22\x5e\x1e" "\x98\x46\x53\xeb\x55\xe5\x86\x25\x49\x46\xca\xc0\x5d\x85\xe3\x18\x04\x4e" "\x63\x89\x20\xb6\x89\x55\x76\x80\xc4\x19\x86\x34\xfd\xab\x5a\x37\x63\x98" "\x86\x98\x1c\x04\xb4\xc7\xe5\xe2\x60\x9f\x79\x3f\x6c\xbc\x27\x92\x2f\xa0" "\x60\x67\x83\xb0\xff\xec\x9b\x62\xec\x38\x81\x65\x42\xd7\x07\x32\xf8\x69" "\xc1\x36\x6e\x2e\x81\x3b\xbf\x10\xff\xd5\x15\x17\xc3\x70\x30\x3b\xb8\x02" "\x02\xe0\x0d\x0e\x6c\xdb\xef\x70\xf9\x67\x75\x4a\xc6\x96\x27\x96\x83\xb4" "\x41\x98\x88\xd1\x91\x15\x65\x6b\xc3\xf6\x77\xf9\x84\x79\xa3\x0b\xe1\xdf" "\x4c\xfa\x5c\xc0\xa2\x97\xfc\x43\xa9\xc4\xa8\x49\xfe\xb6\x6e\xb5\xb7\x9d" "\x70\x99\x99\x17\x27\x15\x27\x8c\xe6\x32\xf7\xc7\xc9\x59\xdd\x4d\x70\x04" 
"\x44\x44\xfe\xc8\x3d\x6b\x47\xda\xa1\x23\x10\xe7\xac\x8c\xed\x8b\x2c\x53" "\x80\x13\x9e\xe9\xbe\x32\x05\x42\xda\x12\xd0\x03\xfe\x52\xee\x6e\xd3\x23" "\x08\xfe\x1f\xc9\x2d\x4c\x93\xa9\x41\x7c\x37\x76\xf8\x9a\xfb\x40\x6f\x06" "\x39\xf0\x7c\x25\x75\x7d\xf7\x20\x93\x2c\x80\x3f\xd1\x17\x48\xa7\x31\x7b" "\x21\x8c\x19\x45\xf8\x37\x49\x03\xa6\x03\x23\xf8\x84\x1e\x1f\x02\xef\xc0" "\x4f\x3b\x5e\x7f\x01\x03\x44\x99\x2e\x99\xf8\x65\x6d\x69\xb8\x79\x0e\xee" "\x83\x73\xfb\xa7\x68\xc4\xe2\x95\x5f\x44\x8c\xbe\x66\xd6\x8a\xf3\x15\x87" "\xd2\x3a\x57\xe9\xee\x53\x33\xfd\x78\xaf\x95\x11\x9f\xf4\x41\x94\xa3\xc1" "\x24\x85\xeb\x3d\xee\x1c\xe3\xa7\x9f\xef\xfa\x66\xad\xd4\x11\xf6\xb6\xc5" "\x73\x93\x9b\x9e\x75\x42\x7a\xe3\x8e\x3d\x4c\x71\xf1\xfc\xd4\xdb\xaf\xce" "\x68\x9b\x99\x1f\xfb\x51\x9a\xdc\x33\xd2\x10\x83\x8c\xe1\x41\x7f\x7c\xd4" "\x0e\x5d\x05\x67\x68\x2c\x57\x30\x50\xcd\x32\x7c\x2a\xb2\x0e\x5a\x35\x99" "\x89\x4f\xb1\x7e\x54\xba\x37\x60\x55\xeb\x62\x6b\x39\x6a\xc9\x45\x4e\x90" "\x27\xc0\x4e\x42\x96\x90\xfc\x43\x34\x14\xb2\xa1\x4c\x55\xed\xfc\x4c\x5b" "\xe2\x5d\xeb\xf1\x61\x75\xb8\xe0\x5a\x97\x9e\x8d\x35\xf2\x76\x24\x83\xd8" "\x28\x13\x15\x4f\x00\x45\x73\xbb\x8b\x9f\x41\xb5\x6e\x4c\xfe\x6a\x73\x3d" "\xd8\x63\x57\xc8\xd2\x52\x94\xd2\xfc\x62\x59\xf5\x68\x8e\xe7\x29\xf5\x53" "\xda\x2b\xc6\x46\x16\x52\x26\xdc\x16\xb4\xa2\x49\x4f\xac\xe3\xd5\xfe\x62" "\xcd\x82\x4f\x15\x0f\x25\x92\xfe\xee\xe9\xce\x84\xad\x31\xa5\xbc\xc1\xea" "\xba\xcf\x86\x04\x33\x65\x9b\xf0\xb1\x82\xf9\x39\x3d\x82\xc9\xf7\xcb\x08" "\x9f\xdf\xd0\x8c\x11\x2d\x51\x19\x51\xbb\xa3\x74\x5c\xe9\x08\x4a\x49\xf3" "\xba\xc1\x60\x91\x27\x7c\x97\xbe\x46\x88\x83\xa6\xae\x11\x70\xe9\x32\x79" "\xb5\xd0\xda\x82\x9a\xe2\x3f\x7a\x62\xb6\x1d\x95\x8b\xee\x33\x99\x9b\x13" "\x03\x5b\x28\xfe\xc0\x7b\x39\x5d\x07\x1a\x94\x44\x20\x19\x36\x93\xb6\x93" "\x55\xed\x72\x83\x39\xa8\x97\x7c\x3d\x32\x05\xec\x5b\xe5\xb7\x45\xe7\x29" "\xc1\x36\xf3\xb2\xe1\x63\xdf\x59\xd7\x7e\xf4\x37\x20\x74\x0d\xad\x97\xca" 
"\xd4\xf2\x54\xd3\x77\x8c\x9b\x65\xd8\xb1\x68\xb4\x66\xb8\x15\x47\xb6\xc3" "\x22\x1b\x7c\xea\xee\x2b\xbd\xc1\x76\x5f\xf2\x85\x8c\xc3\xd3\xbd\x1a\xc9" "\x31\xe9\xf3\x14\xf9\xcf\xa8\xd8\x68\x04\x76\x2c\x7d\x74\xd8\xbb\x84\x6e" "\x38\x0b\x6c\xe2\x33\x01\x08\x24\xe5\xe9\x1c\x13\x9a\xa0\x6e\x42\x01\xe3" "\xff\x72\x48\x21\x7a\x8a\x99\xc7\xdb\x9a\x51\x0f\x54\x83\x4d\xf7\x1d\x90" "\x7f\xd8\xa8\x9b\x5a\xcf\xc1\x57\xcc\x37\xde\xdd\x42\xa5\xf0\xc4\x4f\x89" "\xc0\xf1\x97\x83\xef\x6f\x90\x14\x09\x94\x92\xce\x51\x13\xe2\xe8\xc3\x0a" "\xeb\x26\xef\xb3\xb4\x46\xdc\xd9\x7f\x70\x4b\x5f\xee\x12\xc9\xab\xfa\xe2" "\x27\x09\xc5\x5b\xf2\x97\xeb\xdf\xf1\x88\x7b\xde\xd5\x7a\x4c\xdc\x6c\x88" "\x29\xd0\x4a\x7a\xf2\xa1\x8f\x0f\x7f\x3f\x88\x24\xde\xac\x72\x7c\xb2\x36" "\x96\xdc\x9d\xfc\x3d\x98\x07\x1f\x16\x93\xfe\xb5\x8f\xbc\x97\x2a\x36\xe6" "\x66\x29\x99\x48\xfd\x5b\xc1\x6b\xfa\x88\x21\x93\x32\x3f\x21\xa5\x34\x2b" "\xd0\xe4\x17\xaa\x5e\x4c\xf7\x45\x99\x59\x5f\xf6\xdb\xe3\x80\x7e\x98\x37" "\x97\xfb\x2c\x84\x87\x6b\xe8\xa6\x11\x50\xf5\x4c\x20\x88\x60\x57\x8d\x20" "\x0a\xca\xbf\x20\x7a\x80\x70\x47\x3a\x69\x4c\xec\x05\xc6\x72\x78\x5d\xfc" "\x00\xcb\xc8\x4d\xa2\xea\xe5\x16\x80\xdd\xf9\x7b\x73\x8c\x39\x51\xf6\x03" "\x63\x99\x6b\xc2\x0a\x76\x50\x9b\xff\xcf\xb8\x2d\x24\x65\x18\x28\x61\x48" "\xff\x95\xac\xc0\x26\x40\x85\xeb\xcc\x7c\xb4\x18\xd2\xdf\xc7\x17\x93\xd3" "\x0c\x1f\x4a\x6b\xde\x7c\x66\xc0\xe2\x4a\xa3\x61\xbd\x2b\x70\xa0\x07\xd6" "\x6f\x58\x13\x50\x3f\x7a\x9e\xa5\x3c\xa7\x21\x11\x34\xdb\x5e\x05\x02\xa2" "\xb1\x55\xf0\xd5\xc4\x0a\x07\x93\x39\x8b\x9d\x1a\xc8\x05\x9e\x90\xe7\x86" "\x55\x4c\xcd\xf4\x06\x49\x25\x3c\xc5\x7d\x11\x55\xf0\x74\x2b\x3d\x04\x43" "\x5d\x7c\xeb\x46\xbd\x8d\x41\xea\x39\x52\xfd\x02\x48\x73\x72\x03\x61\xc9" "\xf0\x6d\x9e\xb2\xa8\x07\x10\x61\xe3\xe9\x4a\x65\xc6\x53\x42\x2c\x42\x1f" "\x2f\x00\x5b\x25\x33\xa3\x6f\x5a\x30\x76\x38\x74\x92\x62\x4f\xa5\xf2\x89" "\xce\xd9\x12\xac\x91\x3f\x45\x8d\x44\xeb\xf5\x15\xf5\xcb\x38\xde\xd1\xa7" 
"\x50\xc9\xe4\x54\x13\x67\xcd\xaa\x8c\x67\x27\xbb\x73\xdb\x63\xb9\x43\x54" "\x0a\xcf\x1b\x82\x66\x10\xe3\x9c\xce\xc1\x3c\x65\x61\xff\xd6\xab\x6f\x91" "\xac\xe9\x51\xe8\xb6\xd0\xf9\xe3\x54\xf1\xf0\x5b\x44\xb0\x0d\x81\x1a\x87" "\xd3\x24\xde\x50\x53\x43\xc6\x29\x91\xe1\x30\x6c\xe3\x02\xbd\xe0\x48\x0d" "\x5b\x9d\x77\x62\x82\xe6\xe2\x2e\xd8\x18\xaf\x1c\xf0\xfd\xd6\x9c\x8b\xf9" "\xcc\x30\x60\x6b\xb3\xff\x06\x2b\x90\x87\x2f\xb6\x62\x0e\x1a\x97\xe9\x51" "\xd0\xf9\xc5\x3d\xc8\xb2\xad\x82\x25\x3c\x30\xb4\xa6\x75\x4e\xc5\x91\xa8" "\x7b\x73\x2c\xe3\x9d\x3e\xa3\xff\xf1\x73\x6d\x79\x15\x78\x54\x12\xff\xe8" "\x2c\xa3\x3c\x47\x0a\x7b\x04\xa6\x33\xb3\xec\xf3\x6a\x44\x2d\xb0\xc5\x4d" "\x30\xc0\x64\x28\xb4\xe2\x5b\x51\xce\xdb\x51\x54\x54\xcf\x04\xbc\x19\x97" "\x60\x8f\x5f\xbe\x50\x43\x21\x84\xbe\xfe\xf7\x49\xeb\x49\x61\x5c\x56\x5f" "\x3e\x0c\x68\x43\x65\x08\x59\x58\x2e\xaf\x2c\x3a\x35\xfd\x74\x90\x95\xed" "\x8e\xfa\x90\xcc\x07\xef\xc2\xfc\x8b\x5e\x58\x01\x79\xc9\x3e\x6e\xef\x9c" "\xfb\x04\x76\xfb\x38\x39\x03\x76\x48\x5f", 4096); *(uint16_t*)0x20003304 = 0x1000; syscall(__NR_write, r[0], 0x20002300ul, 0x1010ul); res = syz_open_dev(0xc, 4, 1); if (res != -1) r[1] = res; *(uint16_t*)0x20000000 = 0; *(uint16_t*)0x20000002 = 5; *(uint16_t*)0x20000004 = 0; *(uint16_t*)0x20000006 = 0x20; *(uint16_t*)0x20000008 = 0; *(uint16_t*)0x2000000a = 0; syscall(__NR_ioctl, r[1], 0x560aul, 0x20000000ul); return 0; }