// https://syzkaller.appspot.com/bug?id=3eeeb1f1513fa653ffe30eee433223bce17ff0b3
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Syzkaller C reproducer for the kernel bug linked above. It is a flat,
// single-purpose program: it maps a fixed scratch region, hand-fills a
// bpf(2) attribute block at a fixed address, loads a tiny BPF program, and
// then drives that program through BPF_PROG_TEST_RUN. Nothing here is
// reusable library code; it exists only to be run under a test kernel
// (with KASAN/syzbot instrumentation) to confirm or bisect the report.
//
// NOTE(review): the header names of the eight #include directives below
// were lost when this page was extracted; restore them from the syzkaller
// C reproducer template before building.

#define _GNU_SOURCE

#include
#include
#include
#include
#include
#include
#include
#include

// bpf(2) syscall number on x86-64 (in case the libc headers predate it).
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Result slot for the one resource the reproducer keeps across calls:
// r[0] receives the fd returned by BPF_PROG_LOAD. Pre-set to ~0 so that a
// failed load is still passed on (truncated to 0xffffffff) as prog_fd.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Fixed scratch layout (syzkaller convention): a 16 MiB RWX arena at
  // 0x20000000 flanked by two PROT_NONE guard pages. Flags 0x32 read as
  // MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on Linux; prot 7 is RWX, 0 is none.
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  intptr_t res = 0;

  // ---- BPF_PROG_LOAD attribute block, base 0x20caefb8 ----
  // The stores below are raw writes at fixed offsets into the arena; the
  // offsets match the union bpf_attr prog-load layout (offset in parens).
  *(uint32_t*)0x20caefb8 = 8;           // (0x00) prog_type = 8
  *(uint32_t*)0x20caefbc = 3;           // (0x04) insn_cnt = 3
  *(uint64_t*)0x20caefc0 = 0x200005c0;  // (0x08) insns -> buffer below
  // Instruction buffer. Only the first 3*8 = 24 bytes are consumed as
  // instructions (insn_cnt = 3); they appear to decode as
  //   0x85 imm=0x61  (BPF_JMP|BPF_CALL, helper 0x61)
  //   0x54 imm=0     (BPF_ALU|BPF_K|BPF_AND on r0)
  //   0x95           (BPF_JMP|BPF_EXIT)
  // The remaining 855 bytes of the 879-byte copy are fuzzer filler that
  // the kernel never reads as instructions. Keep the bytes exactly as
  // generated: the reproducer is only meaningful byte-for-byte.
  memcpy(
      (void*)0x200005c0,
      "\x85\x00\x00\x00\x61\x00\x00\x00\x54\x00\x00\x00\x00\x00\x00\x00\x95\x00"
      "\x00\x00\x00\x00\x00\x00\xef\x02\x85\xb7\x2e\xae\x79\x5b\x11\xad\x26\x17"
      "\x77\xdb\x75\x18\x6b\xaf\x0b\x27\x92\xad\xe1\xf1\x07\x72\x66\x21\x81\xfe"
      "\x04\x60\x96\xc5\xdf\x69\x63\x34\xe2\xd8\x36\x39\x55\x60\x23\x05\x09\x00"
      "\x00\x00\x00\x00\x00\x00\x20\xc2\x47\xfd\x20\x08\x51\xf9\x0b\x2d\xd5\xe5"
      "\xf6\xb2\x39\x09\xa2\x3e\xe2\x70\x07\xda\xe2\xa0\xfd\x08\xdb\xf9\x28\x09"
      "\xa9\x31\x19\x6d\xf3\xbe\x84\x78\x1f\x7e\xca\xfa\x0a\x4b\xcf\x7e\x01\xa2"
      "\x39\x99\xfd\xfb\x4b\x49\x0f\x6c\xfe\x5e\xdf\x38\x50\x57\x6a\xcb\x26\x5f"
      "\x2e\xe2\x88\xa8\x5d\xfe\x7c\x79\xe9\x69\xb7\x38\xdb\xc6\x11\x71\xdf\xd8"
      "\xf5\xe3\x3f\xbf\x1e\xe0\x5b\xc5\xbd\xeb\x16\x4d\xc2\x45\x84\x55\xe3\xba"
      "\x43\x8c\x91\x09\xdd\x00\x1a\xd9\x3d\xf2\xfc\x23\x5b\xed\x50\xff\xce\x5e"
      "\xa7\x9c\xfc\x8c\xf7\xd5\x3a\x03\x16\x91\x36\x2b\xa2\x13\x94\xbd\x61\x4e"
      "\xc4\x1f\x63\x6e\xc0\xe2\x99\xe3\x70\xf5\x63\x1a\xcf\xab\x52\x65\x19\x03"
      "\x6f\x96\x36\x79\x45\x72\x41\xbc\x05\xa3\x07\xf8\xbe\x0c\x82\x8a\x43\xed"
      "\x21\xec\xdd\x1e\xe2\xb9\xb7\xae\x31\x5e\x5b\x51\x5c\x71\xc3\x9b\xf4\xb4"
      "\x5f\x5e\x3f\x7c\xd3\xf6\x40\x4f\xc9\x3c\xf5\x59\x49\xf0\xc3\xa7\xb8\x7f"
      "\x86\x12\x01\x53\x72\x57\x84\xe9\x89\x75\xe8\x61\x7f\xfc\x7e\x8c\xc4\x97"
      "\xf4\x37\x85\x3d\x1c\x04\xb1\x95\xfa\x52\x84\x8d\xd1\x55\x57\x96\xb3\xcd"
      "\xf2\x52\x7d\x79\x29\x63\x1c\xca\x05\xe2\x7c\x28\x56\x6d\x2c\x47\x69\x9b"
      "\xc6\xc3\xf5\xf7\x66\xc3\xcb\x8c\xd6\xa4\xa4\x68\x95\xdc\x5b\x44\xd2\x24"
      "\xa0\xb3\xc2\xca\x80\x87\x48\x6a\xea\xd1\xd0\x35\xd9\x4d\x32\xad\x67\x7b"
      "\x28\xb1\x0e\xd5\x8f\x8d\xe2\xd5\xa8\xc2\x5c\x7c\xae\x49\xba\x35\xbe\x2f"
      "\x88\x8e\xa8\xda\x62\x2d\xaf\x5f\x0f\x02\xd9\xc0\x87\x52\x11\x3a\xb1\xec"
      "\x6b\xde\x50\x94\x0e\x9b\xf3\x3f\x91\xa6\xc5\x05\x6a\xab\xc0\x4e\xed\xfe"
      "\xb6\x53\x55\x40\xe5\xc0\x27\xff\x4d\xf6\x58\x9c\xb4\x71\x71\xbf\xbb\x56"
      "\x4a\x23\x50\x56\x4f\x4b\xdb\xcf\x4e\x04\x8f\x2b\x34\x57\x0d\x5e\xf2\xbb"
      "\x8e\x92\x74\xd5\xd4\x0a\xf1\x9b\x0a\xfe\x0c\x77\x4b\x56\x23\x78\xfc\x3d"
      "\xbf\x8b\xe4\x28\x28\xb4\xcb\x3d\x6c\xf6\x93\x0f\x5c\x4c\x71\x56\x3e\x4e"
      "\xb0\xd3\x41\xdc\x74\x2b\xdb\x80\x2b\x49\x9c\xef\x84\x90\xb5\x2a\xd1\x6c"
      "\xd2\xd3\xa2\x31\x42\xef\x3f\xfb\xa8\x10\x85\xce\x4a\x02\x8c\x7a\xf4\x67"
      "\x74\xb3\x91\xe2\x12\x4f\xcd\x93\xff\x05\xc2\x1a\xd0\xda\x38\x4f\xf0\x01"
      "\x79\x57\x48\x1e\xe7\x90\xb3\x01\xe3\xe8\x17\xcf\xb6\x51\xbb\x99\x09\x01"
      "\x89\xee\xd2\x86\x2f\x89\xe6\xb5\xca\x8e\x62\xa5\xf5\xff\x0d\xc6\xed\x83"
      "\x39\x2f\xd5\xde\xbc\x5b\x69\x51\xd0\xee\xdc\x49\x1b\x3d\xf8\x35\x09\xd2"
      "\xfa\x10\x23\xeb\x77\xb8\xa1\x3d\xe0\x9e\x22\xa7\xf1\x90\x88\xbc\xbd\x8f"
      "\x47\xad\x5a\x96\x4a\xb6\xbb\xb9\x47\x84\xd3\x1b\x39\x72\x29\xae\x3f\xb6"
      "\x6f\xfe\x0e\x99\x13\xd3\x23\x01\xc8\x44\xe5\x8f\x00\x00\x94\xf5\x76\x6d"
      "\xc1\xca\x5e\x8c\xfe\xe3\x32\xa2\x88\x09\x59\x1c\x14\x09\x8f\x71\xa7\xbd"
      "\xcb\x88\x18\x6b\xcd\x36\xa2\xec\xce\x33\xa3\x04\x8f\x6f\x97\xe1\x4d\xac"
      "\x56\xe8\x4a\x1f\xdf\xde\xe2\xbc\xd2\x11\x32\x63\x29\x05\xc0\x60\xb3\xac"
      "\xa1\xd4\x44\x6f\x45\x6e\x20\x88\xe7\x25\x7d\x57\x5e\x84\x65\xd7\xed\x76"
      "\x7e\x41\x5a\x61\x6d\x14\x58\xa3\x2e\x90\x4a\x1f\xfa\xf0\x90\xc2\x88\x4d"
      "\x4a\x56\x95\x8a\xb1\x41\xcd\xb9\x5b\x6c\x39\xe0\x40\x10\xb8\x88\xbd\x00"
      "\xb0\x9d\x50\xd7\xe6\xc5\xc0\x84\xaa\x8c\xdc\x21\x89\x0b\x7e\xb8\x35\xd2"
      "\x8f\x97\x7a\xb4\x36\x70\x41\x2a\xfe\x83\x61\xb6\x0b\xf3\x61\xaa\x4d\x35"
      "\x12\x01\xb1\xa1\x73\xda\xd5\x0a\xd6\x17\x9a\x75\x07\x01\x1e\x30\x60\xba"
      "\xdb\xe3\x96\xb3\xfb\x92\x8c\x7e\x8b\x72\x89\xb2\x27\xc6\xb3\x13\xe2\x85"
      "\x2c\x5c\xd1\x24\x77\x1b\xef\x02\xf4\x31\xaf\xe5\x0e\x84\x60\x37\xf0\xbe"
      "\x2f\xfd\x5d\x53\x94\x36\xa7\x01\x55\xd0\x21\x7e\x11\x86\x0d",
      879);
  *(uint64_t*)0x20caefc8 = 0x20281ffc;  // (0x10) license -> "GPL"
  memcpy((void*)0x20281ffc, "GPL\000", 4);
  *(uint32_t*)0x20caefd0 = 0;           // (0x18) log_level = 0 (no verifier log)
  *(uint32_t*)0x20caefd4 = 0;           // (0x1c) log_size = 0
  *(uint64_t*)0x20caefd8 = 0;           // (0x20) log_buf = NULL
  *(uint32_t*)0x20caefe0 = 0;           // (0x28) kern_version = 0
  *(uint32_t*)0x20caefe4 = 0;           // (0x2c) prog_flags = 0
  memset((void*)0x20caefe8, 0, 16);     // (0x30) prog_name[16] = ""
  *(uint32_t*)0x20caeff8 = 0;           // (0x40) prog_ifindex = 0
  *(uint32_t*)0x20caeffc = 0;           // (0x44) expected_attach_type = 0
  // Everything from offset 0x48 on lies past the 0x48-byte size passed to
  // bpf() below, so the kernel does not copy these fields in; they are
  // fuzzer residue (likely the BTF / func_info / line_info members of the
  // attr union — confirm against the kernel's union bpf_attr if it
  // matters for triage).
  *(uint32_t*)0x20caf000 = -1;          // (0x48)
  *(uint32_t*)0x20caf004 = 8;           // (0x4c)
  *(uint64_t*)0x20caf008 = 0x20000000;  // (0x50) pointer into the arena
  *(uint32_t*)0x20000000 = 0;
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20caf010 = 0x185;       // (0x58)
  *(uint32_t*)0x20caf014 = 0x10;        // (0x5c)
  *(uint64_t*)0x20caf018 = 0x20000000;  // (0x60) pointer into the arena
  *(uint32_t*)0x20000000 = 0;
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20000008 = 0;
  *(uint32_t*)0x2000000c = 0;
  *(uint32_t*)0x20caf020 = 0x5d6f31e;   // (0x68)
  *(uint32_t*)0x20caf024 = 0;           // (0x6c)
  *(uint32_t*)0x20caf028 = -1;          // (0x70)
  *(uint32_t*)0x20caf02c = 0;           // (0x74)
  *(uint64_t*)0x20caf030 = 0;           // (0x78)
  // cmd 5 = BPF_PROG_LOAD; attr size 0x48 (72 bytes). The returned fd is
  // kept only on success; on failure r[0] stays at its ~0 initializer.
  res = syscall(__NR_bpf, 5ul, 0x20caefb8ul, 0x48ul);
  if (res != -1)
    r[0] = res;

  // ---- BPF_PROG_TEST_RUN attribute block, base 0x20000180 ----
  // Offsets match the union bpf_attr test layout.
  *(uint32_t*)0x20000180 = r[0];        // (0x00) prog_fd (truncated to u32)
  *(uint32_t*)0x20000184 = 0;           // (0x04) retval (output)
  *(uint32_t*)0x20000188 = 0x81;        // (0x08) data_size_in = 129
  *(uint32_t*)0x2000018c = -1;          // (0x0c) data_size_out = 0xffffffff
  *(uint64_t*)0x20000190 = 0x20000200;  // (0x10) data_in -> 14-byte blob below
  // Only 14 bytes are written at data_in while data_size_in claims 129;
  // the remaining 115 bytes are whatever the RWX arena already holds
  // (deterministic here, since the arena is freshly mapped).
  memcpy((void*)0x20000200, "\x5c\x71\xf9\x05\xca\xc4\x13\x55\x1b\x2a\xc0\x6c\x88\xa8", 14);
  *(uint64_t*)0x20000198 = 0;           // (0x18) data_out = NULL
  *(uint32_t*)0x200001a0 = 0x4000;      // (0x20) repeat = 16384 iterations
  *(uint32_t*)0x200001a4 = 0;           // (0x24) duration (output)
  // Fields from offset 0x28 on are beyond the 0x28-byte size passed below
  // and are not read by the kernel for this call.
  *(uint32_t*)0x200001a8 = 0;           // (0x28)
  *(uint32_t*)0x200001ac = 0;           // (0x2c)
  *(uint64_t*)0x200001b0 = 0x20000000;  // (0x30)
  *(uint64_t*)0x200001b8 = 0x20000000;  // (0x38)
  *(uint32_t*)0x200001c0 = 0;           // (0x40)
  *(uint32_t*)0x200001c4 = 0;           // (0x44)
  // cmd 0xa = BPF_PROG_TEST_RUN; attr size 0x28 (40 bytes). The return
  // value is deliberately ignored: the crash, if any, happens inside the
  // kernel during this call.
  syscall(__NR_bpf, 0xaul, 0x20000180ul, 0x28ul);
  return 0;
}