// https://syzkaller.appspot.com/bug?id=ee3decf69584ffcf0b68ecf953db17445a5b8b69
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/futex.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Index of the worker process currently being forked by main() (0..4). Each
// forked child inherits whatever value was current at the time of its fork().
static unsigned long long procid;

// Block the calling thread for roughly `ms` milliseconds (via usleep).
static void sleep_ms(uint64_t ms)
{
  const uint64_t usec = ms * 1000;
  usleep(usec);
}

// Return the CLOCK_MONOTONIC time in milliseconds.
// The process exits with status 1 if the clock cannot be read.
static uint64_t current_time_ms(void)
{
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
    exit(1);
  const uint64_t whole_ms = (uint64_t)now.tv_sec * 1000;
  const uint64_t frac_ms = (uint64_t)now.tv_nsec / 1000000;
  return whole_ms + frac_ms;
}

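// Start a detached-from-our-bookkeeping worker thread running fn(arg) on a
// 128 KiB stack. Creation is retried up to 100 times (50 us apart) while the
// system reports a transient resource shortage; any other failure, or running
// out of retries, terminates the process with exit status 1.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  for (int i = 0; i < 100; i++) {
    // pthread_create() reports failure through its return value and is not
    // required to set errno, so the retry decision must use the return code.
    int rc = pthread_create(&th, &attr, fn, arg);
    if (rc == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (rc != EAGAIN)
      break;
    usleep(50);
  }
  exit(1);
}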

// BITMASK(off, len): a 64-bit mask with `len` one-bits starting at bit `off`.
// `len` must be below 64, since the mask is built with (1ull << len).
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// STORE_BY_BITMASK: read-modify-write of the `type`-sized word at `addr`,
// replacing bits [bf_off, bf_off + bf_len) with `val` and keeping the rest.
// `htobe` is applied to the loaded word and again to the stored result; every
// use in this file passes an empty token there, so no byte swap takes place.
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)               \
  *(type*)(addr) =                                                             \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |           \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// One-word event flag. `state` is 0 while the event is clear and 1 once set;
// the same word is used as the futex word by event_set/event_wait.
typedef struct {
  int state;
} event_t;

// Put a freshly allocated event into the clear (0) state.
static void event_init(event_t* ev)
{
  (*ev).state = 0;
}

// Clear the event again so it can be reused for the next handshake.
// This is a plain (non-atomic) store, exactly like event_init.
static void event_reset(event_t* ev)
{
  (*ev).state = 0;
}

// Mark the event as set and wake waiters blocked on its futex word.
// Setting an event that is already set is treated as a fatal logic error and
// exits the process with status 1.
static void event_set(event_t* ev)
{
  int* word = &ev->state;
  if (*word != 0)
    exit(1);
  __atomic_store_n(word, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, word, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until the event is set. The futex wait only sleeps while the word is
// still 0, and the flag is re-checked after every wake-up.
static void event_wait(event_t* ev)
{
  int* word = &ev->state;
  for (;;) {
    if (__atomic_load_n(word, __ATOMIC_ACQUIRE))
      break;
    syscall(SYS_futex, word, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
  }
}

// Non-blocking check: returns the current value of the event word
// (non-zero when set), read with acquire ordering.
static int event_isset(event_t* ev)
{
  int current = __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
  return current;
}

// Wait for the event for at most `timeout` milliseconds.
// Returns 1 if the event was observed set, 0 once more than `timeout`
// milliseconds have elapsed without it being set.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  const uint64_t t0 = current_time_ms();
  uint64_t elapsed = 0;
  do {
    // elapsed <= timeout holds here, so the subtraction cannot wrap.
    uint64_t left = timeout - elapsed;
    struct timespec ts;
    ts.tv_sec = left / 1000;
    ts.tv_nsec = (left % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    elapsed = current_time_ms() - t0;
  } while (elapsed <= timeout);
  return 0;
}

// Format a printf-style message (truncated to 1023 bytes) and write it to an
// existing file in a single write() call.
// Returns true only if the whole message was written. On a failed or short
// write, errno from write() is preserved across the close(). The file is not
// created if it is missing (no O_CREAT).
static bool write_file(const char* file, const char* what, ...)
{
  char text[1024];
  va_list ap;
  va_start(ap, what);
  vsnprintf(text, sizeof(text), what, ap);
  va_end(ap);
  text[sizeof(text) - 1] = 0;
  int nbytes = strlen(text);

  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;

  bool complete = write(fd, text, nbytes) == nbytes;
  int saved_errno = errno;
  close(fd);
  if (!complete)
    errno = saved_errno;
  return complete;
}

// Forcefully terminate child `pid` (and the process group with the same id)
// and reap it, storing its wait status in *status.
// The child is polled for about 100 ms first. If it still has not been reaped,
// every entry under /sys/fs/fuse/connections gets one byte written to its
// "abort" file (errors ignored) before falling back to a blocking wait.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);

  int attempt = 0;
  while (attempt < 100) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
    attempt++;
  }

  DIR* conns = opendir("/sys/fs/fuse/connections");
  if (conns != NULL) {
    struct dirent* ent;
    while ((ent = readdir(conns)) != NULL) {
      const char* name = ent->d_name;
      if (!strcmp(name, ".") || !strcmp(name, ".."))
        continue;
      char abort_path[300];
      snprintf(abort_path, sizeof(abort_path),
               "/sys/fs/fuse/connections/%s/abort", name);
      int fd = open(abort_path, O_WRONLY);
      if (fd == -1)
        continue;
      // Best effort: the result of the abort write is deliberately ignored.
      if (write(fd, abort_path, 1) < 0) {
      }
      close(fd);
    }
    closedir(conns);
  }

  // Blocking reap; other children returned by waitpid(-1) are discarded.
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-iteration child setup: ask to be SIGKILLed when the parent dies, move
// into a new process group, and raise this process's OOM score to 1000.
// None of the three results is checked.
static void setup_test()
{
  static const char oom_knob[] = "/proc/self/oom_score_adj";
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file(oom_knob, "1000");
}

// How long a freshly cloned child lingers before exiting, in microseconds.
#define USLEEP_FORKED_CHILD (3 * 50 * 1000)

// Post-process the return value of a raw clone().
// In the parent (or on error) `ret` is passed straight back. In the child
// (ret == 0) the function sleeps USLEEP_FORKED_CHILD microseconds, issues a
// raw exit(0) syscall and never returns.
static long handle_clone_ret(long ret)
{
  if (ret == 0) {
    usleep(USLEEP_FORKED_CHILD);
    syscall(__NR_exit, 0);
    // Not reached if the exit syscall succeeds; spin instead of returning.
    for (;;) {
    }
  }
  return ret;
}

// Raw clone() wrapper. CLONE_VM is always stripped from `flags`, and the
// stack pointer passed to the kernel is (stack + stack_len) rounded down to a
// 16-byte boundary. The child side is handled by handle_clone_ret(), so only
// the parent (or a failed call) returns from here.
static long syz_clone(volatile long flags, volatile long stack,
                      volatile long stack_len, volatile long ptid,
                      volatile long ctid, volatile long tls)
{
  long stack_top = stack + stack_len;
  long sp = stack_top & ~15;
  long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
  return handle_clone_ret(ret);
}

// Per-worker bookkeeping: `created` records that the thread has been started,
// `call` is the step index handed to the worker, and `ready`/`done` are the
// handshake events used between execute_one() and thr().
struct thread_t {
  int created, call;
  event_t ready, done;
};

// Pool of at most 16 workers, started lazily by execute_one().
static struct thread_t threads[16];
static void execute_call(int call);
// Count of steps handed to a worker that have not finished yet.
static int running;

// Worker thread body: wait for `ready`, run the assigned step, decrement the
// global `running` counter and signal `done`; repeat forever.
static void* thr(void* arg)
{
  struct thread_t* self = (struct thread_t*)arg;
  while (1) {
    event_wait(&self->ready);
    event_reset(&self->ready);
    execute_call(self->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&self->done);
  }
  return 0;
}

// Run the 8 steps of the program once. Each step is handed to the first idle
// worker (workers are created on demand) and given 50 ms to finish; a step
// that has not finished by then keeps running while the next one is
// dispatched. Afterwards wait up to ~100 ms for outstanding steps to drain.
static void execute_one(void)
{
  static const char banner[] = "executing program\n";
  if (write(1, banner, sizeof(banner) - 1)) {
  }
  const int nthreads = (int)(sizeof(threads) / sizeof(threads[0]));
  for (int call = 0; call < 8; call++) {
    for (int slot = 0; slot < nthreads; slot++) {
      struct thread_t* th = &threads[slot];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        // A new worker starts out idle, i.e. with `done` already set.
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (event_isset(&th->done)) {
        event_reset(&th->done);
        th->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->ready);
        event_timedwait(&th->done, 50);
        break;
      }
      // Worker still busy with an earlier step: try the next slot.
    }
  }
  int spins = 0;
  while (spins < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED)) {
    sleep_ms(1);
    spins++;
  }
}

static void execute_one(void);

// Flags added to the non-blocking waitpid() in loop().
#define WAIT_FLAGS __WALL

// Never returns. Each iteration forks a child that runs the program once
// (setup_test + execute_one) and exits; the parent polls every 10 ms and, if
// the child is still alive after 5 seconds, kills and reaps it.
static void loop(void)
{
  int iter = 0;
  while (1) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    const uint64_t started = current_time_ms();
    while (1) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - started >= 5000) {
        kill_and_wait(pid, &status);
        break;
      }
    }
    iter++;
  }
}

// Results carried between steps of execute_call(): r[0] is the pid from step
// 0, r[1] the fd from step 1, r[2] the fd from step 3. The initial values are
// what later steps see when the producing step failed or has not run yet.
uint64_t r[3] = {0x0, 0xffffffffffffffff, 0xffffffffffffffff};

// Runs step `call` (0..7) of the reproducer. Each step builds its arguments by
// writing raw fields into the fixed region that main() maps at
// 0x200000000000 and then issues the syscall with pointers into that region.
// Results needed by later steps are stored in r[].
// Steps are dispatched to worker threads by execute_one() with a 50 ms
// timeout each, so a slow step may still be running when the next one starts.
// NOTE(review): the structure and constant names mentioned in the comments
// below (struct perf_event_attr, union bpf_attr, command names) are inferred
// from the syscall being made and are not spelled out by this code; confirm
// against the kernel UAPI headers before relying on them.
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  // Step 0: remember this process's pid in r[0].
  case 0:
    res = syscall(__NR_getpid);
    if (res != -1)
      r[0] = res;
    break;
  // Step 1: populate a 0x80-byte attribute block at 0x200000000800 (first
  // word 5, second word 0x80, matching the number of bytes written here) and
  // call perf_event_open() on the pid in r[0]; the fd is kept in r[1].
  // presumably type 5 is PERF_TYPE_BREAKPOINT - TODO confirm.
  case 1:
    *(uint32_t*)0x200000000800 = 5;
    *(uint32_t*)0x200000000804 = 0x80;
    *(uint8_t*)0x200000000808 = 0;
    *(uint8_t*)0x200000000809 = 0;
    *(uint8_t*)0x20000000080a = 0;
    *(uint8_t*)0x20000000080b = 0;
    *(uint32_t*)0x20000000080c = 0;
    *(uint64_t*)0x200000000810 = 6;
    *(uint64_t*)0x200000000818 = 0;
    *(uint64_t*)0x200000000820 = 0;
    // The 64-bit word at offset 0x28 is assembled one bit field at a time.
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 0, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 1, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 2, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 3, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 4, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 5, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 6, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 7, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 8, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 9, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 10, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 11, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 12, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 13, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 14, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 15, 2);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 17, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 18, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 19, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 20, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 21, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 22, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 23, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 24, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 25, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 26, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 27, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 28, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 29, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 30, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 31, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 1, 32, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 33, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 34, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 35, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 36, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 37, 1);
    STORE_BY_BITMASK(uint64_t, , 0x200000000828, 0, 38, 26);
    *(uint32_t*)0x200000000830 = 1;
    *(uint32_t*)0x200000000834 = 4;
    *(uint64_t*)0x200000000838 = 0;
    *(uint64_t*)0x200000000840 = 8;
    *(uint64_t*)0x200000000848 = 0;
    *(uint64_t*)0x200000000850 = 0;
    *(uint32_t*)0x200000000858 = 0;
    *(uint32_t*)0x20000000085c = 4;
    *(uint64_t*)0x200000000860 = 2;
    *(uint32_t*)0x200000000868 = 0;
    *(uint16_t*)0x20000000086c = 4;
    *(uint16_t*)0x20000000086e = 0;
    *(uint32_t*)0x200000000870 = 0;
    *(uint32_t*)0x200000000874 = 0;
    *(uint64_t*)0x200000000878 = 0;
    res = syscall(__NR_perf_event_open, /*attr=*/0x200000000800ul, /*pid=*/r[0],
                  /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
    if (res != -1)
      r[1] = res;
    break;
  // Step 2: bpf() command 0 with a 0x48-byte argument block at
  // 0x2000000021c0. No statement in this file writes to that block, so it
  // holds whatever the anonymous mapping contains. The result is discarded.
  case 2:
    syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x2000000021c0ul, /*size=*/0x48ul);
    break;
  // Step 3: bpf() command 5. The argument block at 0x200000000200 starts with
  // the words 0xc and 0xe and points at a 2587-byte blob copied to
  // 0x200000002500 and at the string "syzkaller" at 0x200000000340. Only the
  // first 0x48 bytes of the block are passed as `size`. On success the
  // returned fd is kept in r[2].
  // presumably BPF_PROG_LOAD with an instruction count of 0xe, in which case
  // most of the blob lies beyond the declared program - TODO confirm.
  case 3:
    *(uint32_t*)0x200000000200 = 0xc;
    *(uint32_t*)0x200000000204 = 0xe;
    *(uint64_t*)0x200000000208 = 0x200000002500;
    memcpy(
        (void*)0x200000002500,
        "\xb7\x02\x00\x00\x07\x00\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07"
        "\x03\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xff\x01\x00\x00\x00\x79\xa4"
        "\xf0\xff\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05"
        "\x00\x00\x00\x00\x00\x65\x04\x04\x00\x01\x00\x00\x00\x04\x04\x00\x00"
        "\x01\x00\x7d\x60\xb7\x03\x00\x00\x00\x00\x00\x00\x6a\x0a\x00\xfe\x00"
        "\x00\x00\x00\x85\x00\x00\x00\x0d\x00\x00\x00\xb7\x00\x00\x00\x00\x00"
        "\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00\x5e\xce\xfa\xb8\xf2\xe8\x5c"
        "\x6c\x1c\xa7\x11\xfc\xd0\xcd\xfa\x14\x6e\xc5\x61\x75\x03\x79\x58\x5e"
        "\x5a\x07\x6d\x83\x92\x40\xd2\x9c\x03\x40\x55\xb6\x7d\xaf\xe6\xc8\xdc"
        "\x3d\x5d\x78\xc0\x7f\xa1\xf7\xe6\x55\xce\x34\xe4\xd5\xb3\x18\x5f\xec"
        "\x0e\x07\x00\x4e\x60\xc0\x8d\xc8\xb8\xdb\xf1\x1e\x6e\x94\xd7\x59\x38"
        "\x32\x1a\x3a\xa5\x02\xcd\x24\x24\xa6\x6e\x6d\x2e\xf8\x31\xab\x7e\xa0"
        "\xc3\x4f\x17\xe3\x94\x6e\xf3\xbb\x62\x20\x03\xb5\x38\xdf\xd8\xe0\x12"
        "\xe7\x95\x78\xe5\x1b\xc5\x30\x99\xe9\x0f\x45\x80\xd7\x60\x55\x1b\x5b"
        "\x34\x1a\x29\xf3\x1e\x31\x06\xd1\xdd\xd6\x15\x2f\x7c\xbd\xb9\xcd\x38"
        "\xbd\xb2\x20\x9c\x67\xde\xca\x8e\xeb\x9c\x15\xab\x3a\x14\x81\x7a\xc6"
        "\x1e\x4d\xd1\x11\x83\xa1\x34\x77\xbf\x7e\x86\x0e\x36\x70\xef\x0e\x78"
        "\x9f\x65\xf1\x32\x8d\x67\x04\x90\x2c\xbe\x7b\xc0\x4b\x82\xd2\x78\x9c"
        "\xb1\x32\xb8\x66\x7c\x21\x47\x66\x1d\xf2\x8d\x99\x61\xb6\x3e\x1a\x9c"
        "\xf6\xc2\xa6\x60\xa1\xfe\x3c\x18\x4b\x75\x1c\x51\x16\x0f\xb2\x0b\x1c"
        "\x58\x1e\x7b\xe6\xba\x0d\xc0\x01\xc4\x11\x05\x55\x85\x09\x15\x14\x8b"
        "\xa5\x32\xe6\xea\x09\xc3\x46\xdf\xeb\xd3\x86\x08\xb3\x28\x00\x80\x00"
        "\x5d\x9a\x95\x00\x00\x00\x00\x00\x00\x00\x33\x4d\x83\x23\x9d\xd2\x70"
        "\x80\x85\x1d\xca\xc3\xc1\x22\x33\xf9\xa1\xfb\x9c\x2a\xec\x61\xce\x63"
        "\xa3\x8d\x2f\xd5\x01\x17\xb8\x9a\x9a\xb3\x59\xb4\xee\xa0\xc6\xe9\x57"
        "\x67\xd4\x2b\x4e\x54\x86\x1d\x02\x27\xdb\xfd\x2e\x6d\x7f\x71\x5a\x7f"
        "\x3d\xea\xdd\x71\x30\x85\x6f\x75\x64\x36\x30\x37\x67\xd2\xe2\x4f\x29"
        "\xe5\xda\xd9\x79\x6e\xdb\x69\x7a\xee\xa0\x18\x2b\xab\xd1\x8c\xac\x1b"
        "\xd4\xf4\x39\x0a\xf9\xa9\xce\xaf\xd0\x00\x2c\xab\x15\x4a\xd0\x29\xa1"
        "\x09\x00\x00\x00\x27\x80\x87\x00\x14\xf5\x1c\x3c\x97\x5d\x5a\xec\x84"
        "\x22\x2f\xd3\xa0\xec\x4b\xe3\xe5\x63\x11\x2b\x0b\x39\x50\x1a\xaf\xe2"
        "\x34\x87\x00\x72\x85\x8d\xc0\x6e\x7c\x33\x76\x42\xd3\xe5\xa8\x15\x23"
        "\x2f\x5e\x16\xc1\xb3\x0c\x3a\x6a\x71\xbc\x85\x01\x8e\x5f\xf2\xc9\x10"
        "\x18\xaf\xc9\xff\xc2\xcc\x78\x8b\xee\x1b\x47\x68\x3d\xb0\x1a\xc6\x93"
        "\x98\x68\x52\x11\xdf\xbb\xae\x3e\x2e\xd0\xa5\x0e\x73\x13\xbf\xf5\xd4"
        "\xc3\x91\xdd\xec\xe0\x0f\xc7\x86\xb4\x09\xac\x93\x0c\x90\xff\x90\xf0"
        "\x5c\xa3\xbd\xfc\x92\xc8\x8c\x5b\x8d\xcd\x36\xe7\x48\x7a\xfa\x44\x7e"
        "\x2e\xdf\xae\x4f\x39\x0a\x83\x37\x84\x1c\xef\x38\x6e\x22\xcc\x22\xee"
        "\x17\x47\x6d\x85\x89\x3f\x22\x96\x82\xe2\x4b\x92\x53\x3a\xc2\xa9\xf5"
        "\xa6\x99\x59\x3f\x08\x44\x19\xca\xe0\xb4\x53\x2b\xcc\x97\xd3\xae\x48"
        "\x6a\xca\x54\x18\x3f\xb0\x1c\x73\xf9\x79\xca\x98\x57\x39\x95\x37\xf5"
        "\xdc\x2a\x2d\x0e\x00\x00\x00\x00\x00\x00\x05\x78\x67\x3f\x8b\x6e\x74"
        "\xce\x23\x87\x7a\x6b\x24\xdb\x0e\x06\x73\x45\x56\x09\x42\xfa\x62\x9f"
        "\xbe\xf2\x46\x1c\x96\xa0\x88\xa2\x2e\x8b\x15\xc3\xe2\x33\xdb\x7a\xb2"
        "\x2e\x30\xd4\x6a\x9d\x24\xd3\x7c\xef\x09\x9e\xce\x72\x9a\xa2\x18\xf9"
        "\xf4\x4a\x32\x10\x22\x3f\xda\xe7\xed\x04\x93\x5c\x3c\x90\xd3\xad\xd8"
        "\xee\xbc\x86\x19\xd7\x34\x15\xcd\xa2\x13\x0f\x50\x11\xe4\x84\x55\xb5"
        "\xa8\xb9\x0d\xfa\xe1\x58\xb9\x4f\x50\xad\xab\x98\x8d\xd8\xe1\x2b\xaf"
        "\x5c\xc9\x39\x8f\xff\x00\x40\x4d\x5d\x99\xf8\x2e\x20\xef\x6a\x8c\x88"
        "\xe1\x8c\x29\x77\xaa\xb3\x7d\x9a\xc4\xcf\xc1\xc7\xb4\x00\x00\x00\x00"
        "\x00\x00\x07\xff\x57\xc3\x94\x95\xc8\x26\xb9\x56\xba\x85\x9a\xc8\xe3"
        "\xc1\x77\xb9\x1b\xd7\xd5\xe4\x1f\xf8\x68\xf7\xca\x16\x64\xfe\x2f\x3c"
        "\xed\x84\x68\x91\x18\x06\x04\xb6\xdd\x24\x99\xd1\x6d\x7d\x91\x58\xff"
        "\xff\xff\xff\x00\x00\x00\x00\xef\x06\x9d\xc4\x27\x49\xa8\x9f\x85\x47"
        "\x97\xf2\x9d\x00\x00\x00\x2d\x8c\x38\xa9\x67\xc1\xbb\xe0\x93\x15\xc2"
        "\x98\x77\xa3\x08\xbc\xc8\x7d\xc3\xad\xdb\x08\x14\x1b\xde\xe5\xd2\x78"
        "\x74\xb2\xf6\x63\xdd\xee\xf0\x00\x5b\x3d\x96\xc7\xaa\xbf\x4d\xf5\x17"
        "\xd9\x0b\xdc\x01\xe7\x38\x35\xd5\xa3\xe1\xa9\x08\x00\xc6\x6e\xe2\xb1"
        "\xad\x76\xdf\xf9\xf9\x00\x00\x71\x41\x4c\x99\xd4\x89\x4e\xe7\xf8\x24"
        "\x9d\xc1\xe3\x42\x8d\x21\x29\x36\x9e\xe1\xb8\x5a\xf6\xeb\x2e\xea\x0d"
        "\x0d\xf4\x14\xb3\x15\xf6\x51\xc8\x41\x23\x92\x19\x1f\xa8\x3e\xe8\x30"
        "\x54\x8f\x11\xe1\x03\x6a\x8d\xeb\xd6\x4c\xbe\x35\x94\x54\xa3\xf2\x23"
        "\x9c\xfe\x35\xf8\x1b\x7a\x49\x0f\x16\x7e\x6d\x5c\x11\x09\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x42\xb8\xff\x8c\x21\xad\x70\x2c\xca\xca\xd5\xb3"
        "\x9e\xef\x21\x3d\x1c\xa2\x96\xd2\xa2\x77\x98\xc8\xce\x2a\x30\x5c\x0c"
        "\x7d\x35\xcf\x4b\x22\x54\x9a\x4b\xd9\x20\x52\x18\x8b\xd1\xf2\x85\xf6"
        "\x53\xb6\x21\x49\x12\xa5\x17\x81\x02\x00\xe2\xff\x08\x64\x4f\xb9\x4c"
        "\x06\x00\x6e\xff\x1b\xe2\xf6\x33\xc1\xd9\x87\x59\x1e\xc3\xdb\x58\xa7"
        "\xbb\x30\x42\xec\x3f\x77\x1f\x7a\x13\x38\xa5\xc3\xdd\x35\xe9\x26\x04"
        "\x9f\xe8\x6e\x09\xe3\x18\x7a\x10\xd9\x05\xde\xb2\x8c\x13\xc1\xed\x1c"
        "\x0d\x9c\xae\x84\x6b\xcb\xfa\x8c\xce\x7b\x89\x3e\x57\x8a\xf7\xdc\x7d"
        "\x5e\x87\xd4\x4f\xf8\x28\xde\x45\x3f\x34\xc2\xb1\x86\x60\xb0\x80\xef"
        "\xc7\x07\xe6\x76\xe1\xfb\x4d\x58\x25\xc0\xca\x17\x7a\x4c\x7f\xbb\x4e"
        "\xda\x05\x45\xc0\x0f\x57\x6b\x2b\x5c\xc7\xf8\x19\xab\xd0\xf8\x85\xcc"
        "\x48\x06\xf4\x03\x00\x96\x6f\xcf\x1e\x54\xf5\xa2\xd3\x87\x08\x29\x4c"
        "\xd6\xf4\x96\xe5\xde\x09\x00\x00\x00\x00\x00\x00\x00\xcf\x44\x2d\x48"
        "\x8a\xfd\xc0\xe1\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x05\x00"
        "\x00\x00\xdc\x1c\x56\xd5\x9f\x35\xd3\x67\x63\x8c\xda\x69\x0d\x19\x2a"
        "\x07\x08\x86\xdf\x42\xb2\x70\x98\x77\x3b\x45\x19\x8b\x4a\x34\xac\x97"
        "\x7e\xbd\x44\x50\xe1\x21\x7c\x13\x42\x70\x3f\x5b\xf0\x30\xe9\x35\x87"
        "\x8a\x6d\x16\x9c\x80\xaa\x42\x52\xd4\xea\x6b\x8f\x62\x16\xff\x20\x2b"
        "\x5b\x5a\x18\x2c\xb5\xe8\x38\xb3\x07\x63\x2d\x03\xa7\xca\x6f\x6d\x03"
        "\x39\xf9\x95\x3c\x30\x93\xc3\x69\x0d\x10\xec\xb6\x5d\xc5\xb4\x74\x81"
        "\xed\xbf\x1f\x00\x00\x00\x00\x00\x00\x00\x4d\x16\xd2\x9c\x28\xeb\x51"
        "\x67\xe9\x93\x6e\xd3\x27\xfb\x23\x7a\x56\x22\x4e\x49\xd9\xea\x95\x5a"
        "\x5f\x0d\xec\x1b\x3c\xcd\x35\x36\x46\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x26\xde\xd4\xdd\x6f\xe1\x51\x8c\xc7\x80\x20\x43"
        "\xec\xfe\x69\xf7\x43\xf1\x21\x3b\xf8\x17\x9e\xcd\x9e\x5a\x22\x5d\x67"
        "\x52\x1d\xc7\x28\xea\xc7\xd8\x0a\x56\x56\xac\x2c\xbd\xe2\x1d\x3e\xbf"
        "\xbf\x69\xff\x86\x1f\x43\x94\x83\x6d\xdf\x12\x8d\x6d\x19\x07\x9e\x64"
        "\x33\x6e\x7c\x67\xdf\x4c\x65\x05\xc7\x8a\xd6\x75\x48\xf4\xb1\x92\xbe"
        "\x18\x27\xfc\xd9\x5c\xf1\x07\x75\x3c\xb0\xa6\xa9\x79\xd3\xdb\x0c\x40"
        "\x70\x81\xc6\x28\x1e\x2d\x84\x29\xa8\x63\x90\x3c\xa7\x5f\x4c\x7d\xf3"
        "\xea\x8f\xc2\x01\x8d\x07\xaf\x14\x91\xef\x06\x0c\xd4\x40\x3a\x09\x9f"
        "\x32\x46\x8f\x65\xbd\x06\xb4\x08\x2d\x43\xe1\x21\x86\x1b\x5c\xc0\x3f"
        "\x1a\x15\x61\xf0\x58\x9e\x0d\x12\x96\x9b\xc9\x82\xff\x5d\x8e\x9b\x98"
        "\x6c\x0c\x6c\x74\x7d\x9a\x1c\xc5\x00\xbb\x89\x2c\x3a\x16\xff\x10\xfe"
        "\xea\x20\xbd\xac\x00\x00\x00\x00\x00\x00\x00\x00\xca\x06\xf2\x56\xc8"
        "\x02\x8e\x0f\x9b\x65\xf0\x37\xb2\x1f\x32\x89\xf8\x6a\x68\x26\xc6\x9f"
        "\xa3\x5b\xa5\xcb\xc3\xf2\xdb\x15\x16\xff\xc5\xc6\xe3\xfa\x61\x8b\x24"
        "\xa6\xce\x16\xd6\xc7\x01\x0b\xb3\x7b\x61\xfa\x0a\x2d\x89\x74\xe6\x91"
        "\x15\xd3\x33\x94\xe8\x6e\x4b\x83\x82\x97\xba\x20\xf9\x69\x36\xb7\xe4"
        "\x74\x6e\x92\xde\xa6\xc5\xd1\xd3\x3d\x84\xd9\x6b\x50\xfb\x00\x00\x00"
        "\xae\x07\xc6\x5b\x71\x08\x8d\xd7\xd5\xd1\xe1\xba\xb9\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\xb5\xac\xe2\x93\xbe\xc8\x33\xc1\x3e"
        "\x32\x29\x43\x2a\xd7\x1d\x64\x62\x18\xb5\x22\x9d\xd8\x81\x37\xfc\x7c"
        "\x59\xaa\x24\x2a\xf3\xbb\x4e\xfb\x82\x05\x5a\x3b\x61\x22\x7a\xd4\x0f"
        "\x52\xc9\xf2\x50\x05\x79\xac\xa1\x10\x33\xec\x14\xbb\x9c\xc1\x6b\xd8"
        "\x3a\x00\x84\x0e\x31\xd8\x28\xec\x78\xe1\x16\xae\x46\xc4\x89\x7e\x27"
        "\x95\xb6\xff\x92\xe9\xa1\xe2\x4b\x0b\x85\x5c\x02\xf2\xb7\xad\xd5\x8f"
        "\xfb\x25\xf3\x39\x29\x77\x29\xa7\xa5\x18\x10\x13\x4d\x3d\xfb\xf7\x1f"
        "\x65\x16\x73\x7b\xe5\x5c\x06\xd9\xcd\xcf\xb1\xe2\xbb\x10\xb5\x00\x00"
        "\xeb\x4a\xcf\xf9\x07\x56\xdb\xa1\xec\xf9\xf5\x8a\xfd\x3c\x19\xb5\xc4"
        "\x55\x8b\xa9\xaf\x6b\x73\x33\xc8\x94\xa1\xfb\x29\xad\xe9\xad\x75\xc9"
        "\xc0\x22\xe8\xd0\x3f\xe2\x8b\xc3\x58\x68\x44\x92\xaa\x77\x1d\xbf\xe8"
        "\x07\x45\xfe\x89\xad\x34\x9f\xfa\xad\x76\xff\x9d\xd6\x43\x79\x6c\xaf"
        "\xfd\xf6\x7a\xf5\xdd\x47\x6c\x37\xe7\xe9\xa8\x4e\x2e\x5d\xa2\x69\x6e"
        "\x28\x5a\x59\xb5\x3f\x2f\xb0\xe1\x6d\x82\x62\xc0\x80\xc1\x59\xce\x40"
        "\xc1\x40\x89\xc8\x27\x59\x10\x6f\x42\x25\x82\xb4\x2e\x3e\x84\x84\xea"
        "\x5a\x6a\xd9\xaa\x52\x10\x6e\xaf\xe0\xe0\xca\xea\x1a\xd4\xcb\x23\xf3"
        "\xc2\xb8\xa0\xf4\x55\xba\x69\xea\x28\x4c\x26\x8d\x54\xb4\x31\x58\xa8"
        "\xb1\xd1\x28\xd0\x2a\xf2\x63\xb3\xdc\x1c\xab\x79\x4c\x9a\xc5\x7a\x2a"
        "\x73\x32\xf4\xd8\x76\x4c\x30\x2c\xcd\x5a\xac\x11\x44\x82\xb6\x19\xfc"
        "\x57\x5a\xa0\xdd\x27\x77\xe8\x81\xe2\x9a\x85\x43\x80\xe2\xf1\xe4\x9d"
        "\xb5\xa1\x51\x7e\xc4\x0b\xb3\xfa\x44\xf9\x95\x9b\xad\x67\xcc\xab\xa7"
        "\x64\x08\xda\x35\xc9\xf1\x53\x4c\x8b\xd4\x8b\xbd\x61\x62\x7a\x2e\x0a"
        "\x74\xb5\xe6\xae\xfb\x7e\xee\x40\x35\x02\x73\x48\x37\xff\x47\x25\x7f"
        "\x16\x43\x91\xc6\x73\xb6\x07\x9e\x65\xd7\x29\x5e\xed\x16\x4c\xa6\x3e"
        "\x4e\xa2\x6d\xce\x0f\xb3\xce\x0f\x65\x91\xd8\x0d\xfb\x8f\x38\x6b\xb7"
        "\x4b\x55\x89\x82\x9b\x6b\x06\x79\xb5\xd6\x5a\x6d\x07\x20\x34\xce\xcc"
        "\x45\x77\x76\xc5\xfa\x1f\x33\xb0\x20\x3c\x07\x05\x2c\x6b\xc3\x14\xb0"
        "\xac\x5c\x63\xbc\x20\x83\xc9\xcd\xa0\xb7\x48\x0e\x0b\x17\x85\x4f\xfc"
        "\xc7\x61\x76\xce\x26\x6b\xc6\x98\xf7\x92\x1b\x8a\xfe\x79\x8a\x7a\x5e"
        "\xd3\x3a\xb0\x37\x44\x55\xee\x36\x8f\xda\x99\xa0\xe6\x81\xbf\x94\x26"
        "\x83\x1b\x19\x33\x95\xcb\x01\xa7\x33\x2a\x50\xaa\xc8\x41\xcb\x7d\x48"
        "\xa1\x76\x8a\x76\x40\xa9\x82\x06\x31\xba\x77\x5a\x2d\x4f\x12\xe8\xe7"
        "\x17\xea\xaa\x2a\x6d\x14\xfe\xe0\xc1\x5f\x36\xc2\x03\xdb\xc7\xc0\x61"
        "\x28\xbe\xc8\x42\x31\xd4\x3e\x15\x2e\xf1\x9c\xe0\x27\x43\x6f\xb4\xeb"
        "\xb9\xfc\xe4\x31\xb9\x13\xf4\x81\x75\x97\xa6\xf5\x3d\x16\x26\xf9\xd1"
        "\xcb\x7b\x36\xfb\x18\xac\x19\x54\x7a\x9b\x20\xed\xe7\x0c\x81\xa7\x56"
        "\x86\xce\xa8\x5d\xcd\x34\x40\x81\x28\xda\x7c\xab\x04\x55\x41\xbc\x6b"
        "\x9a\x0a\x79\xf6\x3f\x2e\x76\x46\x35\x6e\x04\xb9\x77\xc9\xf4\x74\x67"
        "\x53\x70\x15\x24\x0b\x97\x41\x84\xbe\x9c\x54\xb7\xc6\x28\xae\x4d\x97"
        "\xeb\xdb\x06\x07\x03\x44\x46\x89\x94\xaf\xba\xac\x71\xe5\xff\xac\x2c"
        "\x61\xd9\xaf\x66\xf9\xde\x27\x60\xa3\x8e\x96\x8a\x78\x15\x28\x53\x1c"
        "\x1c\x93\x6a\x02\x06\x5b\xe4\x8f\x1e\xee\x77\xbe\x87\x88\x73\x20\x6d"
        "\x65\xbd\x0b\x12\x41\xfa\xb9\x13\x9a\xbd\x7f\x40\xfe\xbe\x81\xfe\xd3"
        "\x68\x4e\x6b\x59\x27\x3d\xa0\x1f\x17\x43\xc6\xa5\xdf\x30\x0e\xc5\x9c"
        "\x65\xe8\x17\x4f\xc2\xd9\x5a\x62\xca\x7b\x93\x72\x89\xad\x14\x10\x73"
        "\x33\x00\x7e\xab\x83\x3a\x58\x49\xeb\x19\xf1\x8a\xe4\x17\x43\xdf\xb9"
        "\x49\x37\x7e",
        2587);
    *(uint64_t*)0x200000000210 = 0x200000000340;
    memcpy((void*)0x200000000340, "syzkaller\000", 10);
    *(uint32_t*)0x200000000218 = 0;
    *(uint32_t*)0x20000000021c = 0;
    *(uint64_t*)0x200000000220 = 0;
    *(uint32_t*)0x200000000228 = 0;
    *(uint32_t*)0x20000000022c = 0;
    memset((void*)0x200000000230, 0, 16);
    *(uint32_t*)0x200000000240 = 0;
    *(uint32_t*)0x200000000244 = 0;
    *(uint32_t*)0x200000000248 = -1;
    *(uint32_t*)0x20000000024c = 8;
    *(uint64_t*)0x200000000250 = 0;
    *(uint32_t*)0x200000000258 = 0;
    *(uint32_t*)0x20000000025c = 0x10;
    *(uint64_t*)0x200000000260 = 0;
    *(uint32_t*)0x200000000268 = 0;
    *(uint32_t*)0x20000000026c = 0;
    *(uint32_t*)0x200000000270 = -1;
    *(uint32_t*)0x200000000274 = 0;
    *(uint64_t*)0x200000000278 = 0;
    *(uint64_t*)0x200000000280 = 0;
    *(uint32_t*)0x200000000288 = 0x10;
    *(uint32_t*)0x20000000028c = 0;
    *(uint32_t*)0x200000000290 = 0;
    res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200000000200ul,
                  /*size=*/0x48ul);
    if (res != -1)
      r[2] = res;
    break;
  // Step 4: bpf() command 0xa on the fd stored in r[2], with a 254-byte input
  // buffer copied to 0x200000000100 and 0x2c bytes of the argument block at
  // 0x200000000080 passed as `size`. The result is discarded.
  // presumably BPF_PROG_TEST_RUN - TODO confirm.
  // The 254-byte copy covers 0x100..0x1fd and therefore overlaps the
  // attribute block that step 5 builds at 0x200000000180.
  case 4:
    *(uint32_t*)0x200000000080 = r[2];
    *(uint32_t*)0x200000000084 = 0x2a0;
    *(uint32_t*)0x200000000088 = 0xfe;
    *(uint32_t*)0x20000000008c = 0x60000000;
    *(uint64_t*)0x200000000090 = 0x200000000100;
    memcpy(
        (void*)0x200000000100,
        "\xb9\xff\x03\x07\x68\x44\x26\x8c\xb8\x9e\x14\xf0\x08\x00\x4b\xe0\xff"
        "\xff\x00\x12\x40\x00\x63\x2f\x77\xfb\xac\x14\x14\x16\xac\x14\x14\x16"
        "\x44\x0c\x05\x11\x4d\x2f\x87\xe5\x94\x0c\x05\xab\x86\x0c\x13\xf2\x32"
        "\x5f\x1a\x39\x01\x07\x02\x03\x8d\xa1\x88\x0b\x25\x18\x1a\xa5\x9d\x94"
        "\x3b\xe3\xf4\xae\xd5\x0e\xa5\xa6\xb8\x68\x67\x31\xcb\x89\xef\x77\x12"
        "\x3c\x89\x9b\x69\x9e\xea\xa8\xea\xa0\x07\x34\x61\x11\x96\x63\x90\x64"
        "\x00\xf3\x0c\x06\x00\x00\x00\x00\x00\x00\x59\xb6\xd3\x29\x6e\x8c\xa3"
        "\x1b\xce\x1d\x83\x92\x07\x8b\x72\xf2\x49\x96\xae\x17\xdf\xfc\x2e\x43"
        "\xc8\x17\x4b\x54\xb6\x20\x63\x68\x94\xaa\xac\xf2\x8f\xf6\x26\x16\x36"
        "\x3c\x70\xa4\x40\xae\xc4\x01\x4c\xaf\x28\xc0\xad\xc0\x43\x08\x46\x17"
        "\xd7\xec\xf4\x1e\x9d\x13\x45\x89\xd4\x6e\x5d\xfc\x4c\xa5\x78\x0d\x38"
        "\xca\xe8\x70\xb9\xa1\xdf\x48\xb2\x38\x19\x0d\xa4\x50\x29\x6b\x0a\xc0"
        "\x14\x96\xac\xe2\x3e\xef\xc9\xd4\x24\x6d\xd1\x4a\xfb\xf7\x9a\x22\x83"
        "\xa0\xbb\x7e\x1d\x23\x5f\x3d\xf1\x26\xc3\xac\xc2\x40\xd7\x5a\x05\x8f"
        "\x6e\xfa\x6d\x1f\x5f\x7f\xf4\x00\x00\x00\x00\x00\x00\x00\x00\x00",
        254);
    *(uint64_t*)0x200000000098 = 0;
    *(uint32_t*)0x2000000000a0 = 0xfe;
    *(uint32_t*)0x2000000000a4 = 0x60000000;
    *(uint32_t*)0x2000000000a8 = 0;
    *(uint32_t*)0x2000000000ac = 0;
    *(uint64_t*)0x2000000000b0 = 0x200000000000;
    *(uint64_t*)0x2000000000b8 = 0x200000000000;
    *(uint32_t*)0x2000000000c0 = 0;
    *(uint32_t*)0x2000000000c4 = 0;
    *(uint32_t*)0x2000000000c8 = 0;
    syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x200000000080ul, /*size=*/0x2cul);
    break;
  // Step 5: second perf_event_open(), using a 0x80-byte attribute block at
  // 0x200000000180 (first word 1, second word 0x80) with pid 0, a very large
  // cpu argument and flags 3. The returned fd is not stored.
  case 5:
    *(uint32_t*)0x200000000180 = 1;
    *(uint32_t*)0x200000000184 = 0x80;
    *(uint8_t*)0x200000000188 = 0;
    *(uint8_t*)0x200000000189 = 0;
    *(uint8_t*)0x20000000018a = 0;
    *(uint8_t*)0x20000000018b = 0;
    *(uint32_t*)0x20000000018c = 0;
    *(uint64_t*)0x200000000190 = 0xf;
    *(uint64_t*)0x200000000198 = 0x8000;
    *(uint64_t*)0x2000000001a0 = 0;
    // Every bit field of the 64-bit word at offset 0x28 is cleared.
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 0, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 1, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 2, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 3, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 4, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 5, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 6, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 7, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 8, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 9, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 10, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 11, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 12, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 13, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 14, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 15, 2);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 17, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 18, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 19, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 20, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 21, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 22, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 23, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 24, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 25, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 26, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 27, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 28, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 29, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 30, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 31, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 32, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 33, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 34, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 35, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 36, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 37, 1);
    STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 38, 26);
    *(uint32_t*)0x2000000001b0 = 0;
    *(uint32_t*)0x2000000001b4 = 0;
    *(uint64_t*)0x2000000001b8 = 0;
    *(uint64_t*)0x2000000001c0 = 8;
    *(uint64_t*)0x2000000001c8 = 0x1c00;
    *(uint64_t*)0x2000000001d0 = 4;
    *(uint32_t*)0x2000000001d8 = 0;
    *(uint32_t*)0x2000000001dc = 0;
    *(uint64_t*)0x2000000001e0 = 0;
    *(uint32_t*)0x2000000001e8 = 0;
    *(uint16_t*)0x2000000001ec = 0;
    *(uint16_t*)0x2000000001ee = 0;
    *(uint32_t*)0x2000000001f0 = 0;
    *(uint32_t*)0x2000000001f4 = 0;
    *(uint64_t*)0x2000000001f8 = 2;
    syscall(__NR_perf_event_open, /*attr=*/0x200000000180ul, /*pid=*/0,
            /*cpu=*/0xaffffff7fffffffful, /*group=*/-1,
            /*flags=PERF_FLAG_FD_OUTPUT|PERF_FLAG_FD_NO_GROUP*/ 3ul);
    break;
  // Step 6: clone() through syz_clone() with the flag set annotated below and
  // a zero stack; syz_clone() strips CLONE_VM before the call, and the child
  // side exits on its own after a short sleep.
  case 6:
    syz_clone(
        /*flags=CLONE_PIDFD|CLONE_IO|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWCGROUP|CLONE_CHILD_SETTID|0x8500*/
        0xab009500, /*stack=*/0, /*stack_len=*/0, /*parentid=*/0,
        /*childtid=*/0, /*tls=*/0);
    break;
  // Step 7: close the fd stored in r[1] by step 1 (or its initial all-ones
  // value if step 1 did not succeed).
  case 7:
    syscall(__NR_close, /*fd=*/r[1]);
    break;
  }
}
// Entry point of the reproducer. Maps the fixed argument area used by
// execute_call() (16 MiB, read/write/exec, at 0x200000000000) with one
// inaccessible (prot 0) page directly below and above it, then forks five
// worker processes that each run loop() forever while the parent sleeps.
// The mmap results are not checked.
int main(void)
{
  static const struct {
    unsigned long addr;
    unsigned long len;
    unsigned long prot;
  } regions[] = {
      {0x1ffffffff000ul, 0x1000ul, 0ul},
      {0x200000000000ul, 0x1000000ul, 7ul /* PROT_WRITE|PROT_READ|PROT_EXEC */},
      {0x200001000000ul, 0x1000ul, 0ul},
  };
  for (size_t i = 0; i < sizeof(regions) / sizeof(regions[0]); i++) {
    syscall(__NR_mmap, /*addr=*/regions[i].addr, /*len=*/regions[i].len,
            /*prot=*/regions[i].prot,
            /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
            /*offset=*/0ul);
  }
  const char* reason;
  (void)reason;
  procid = 0;
  while (procid < 5) {
    if (fork() == 0) {
      // Child: loop() never returns.
      loop();
    }
    procid++;
  }
  sleep(1000000);
  return 0;
}