  1. // autogenerated by syzkaller (https://github.com/google/syzkaller)
  2.  
  3. #define _GNU_SOURCE
  4.  
  5. #include <arpa/inet.h>
  6. #include <endian.h>
  7. #include <errno.h>
  8. #include <fcntl.h>
  9. #include <net/if.h>
  10. #include <netinet/in.h>
  11. #include <setjmp.h>
  12. #include <stdbool.h>
  13. #include <stddef.h>
  14. #include <stdint.h>
  15. #include <stdio.h>
  16. #include <stdlib.h>
  17. #include <string.h>
  18. #include <sys/ioctl.h>
  19. #include <sys/mman.h>
  20. #include <sys/mount.h>
  21. #include <sys/socket.h>
  22. #include <sys/stat.h>
  23. #include <sys/syscall.h>
  24. #include <sys/types.h>
  25. #include <unistd.h>
  26.  
  27. #include <linux/genetlink.h>
  28. #include <linux/if_addr.h>
  29. #include <linux/if_link.h>
  30. #include <linux/in6.h>
  31. #include <linux/loop.h>
  32. #include <linux/neighbour.h>
  33. #include <linux/net.h>
  34. #include <linux/netlink.h>
  35. #include <linux/rtnetlink.h>
  36. #include <linux/veth.h>
  37.  
/* Fallback syscall numbers for toolchains whose <sys/syscall.h> predates these
 * calls. The numbers are the x86-64 ones (425-434 are shared across newer
 * architectures; 319 for memfd_create is x86-64 specific). Each #ifndef keeps
 * the libc's own definition when it exists. */
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif
#ifndef __NR_open_tree
#define __NR_open_tree 428
#endif
#ifndef __NR_pidfd_open
#define __NR_pidfd_open 434
#endif
  59.  
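/* Writes `val` to /sys/module/sg/parameters/def_reserved_size through a shell
 * `echo`. The only interpolated value is a decimal integer, so the command line
 * cannot carry shell metacharacters. Always returns 0: the original returned 0
 * whether or not the shell command succeeded, so the result is discarded
 * explicitly instead of through a dead `if` branch. */
static long syz_proconfig_set__sys_module_sg_parameters_def_reserved_size(volatile long val)
{
    char command[256];
    /* snprintf bounds the write; the fixed text plus a 64-bit decimal fits. */
    snprintf(command, sizeof(command),
             "echo %ld > /sys/module/sg/parameters/def_reserved_size", val);
    (void)system(command);
    return 0;
}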
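/* Writes `val` to /proc/sys/net/ipv6/neigh/eth0/interval_probe_time_ms through
 * a shell `echo`. The only interpolated value is a decimal integer, so the
 * command line cannot carry shell metacharacters. Always returns 0: the
 * original returned 0 whether or not the shell command succeeded, so the result
 * is discarded explicitly instead of through a dead `if` branch. */
static long syz_sysconfig_set__proc_sys_net_ipv6_neigh_eth0_interval_probe_time_ms(volatile long val)
{
    char command[256];
    /* snprintf bounds the write; the fixed text plus a 64-bit decimal fits. */
    snprintf(command, sizeof(command),
             "echo %ld > /proc/sys/net/ipv6/neigh/eth0/interval_probe_time_ms", val);
    (void)system(command);
    return 0;
}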
  80.  
/* Index used to name this process's loop device ("/dev/loop%llu" in
 * syz_mount_image). Nothing in the visible part of this file assigns it, so it
 * stays 0 unless code outside this chunk sets it. */
static unsigned long long procid;

/* Mask covering bf_len bits starting at bit bf_off. NOTE: bf_len == 64 would
 * shift a 64-bit value by its full width (undefined behaviour); no use of
 * either macro is visible in this chunk. */
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/* Read-modify-write of a bitfield stored at `addr` in the byte order given by
 * `htobe` (an htobeNN/leNN-style conversion). `addr` is evaluated twice, so
 * pass a side-effect-free expression. */
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
    *(type*)(addr) = \
        htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
              (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
  88.  
  89. struct csum_inet {
  90. uint32_t acc;
  91. };
  92.  
  93. static void csum_inet_init(struct csum_inet* csum)
  94. {
  95. csum->acc = 0;
  96. }
  97.  
  98. static void csum_inet_update(struct csum_inet* csum, const uint8_t* data,
  99. size_t length)
  100. {
  101. if (length == 0)
  102. return;
  103. size_t i = 0;
  104. for (; i < length - 1; i += 2)
  105. csum->acc += *(uint16_t*)&data[i];
  106. if (length & 1)
  107. csum->acc += le16toh((uint16_t)data[length - 1]);
  108. while (csum->acc > 0xffff)
  109. csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
  110. }
  111.  
  112. static uint16_t csum_inet_digest(struct csum_inet* csum)
  113. {
  114. return ~csum->acc;
  115. }
  116.  
/* Netlink request/reply buffer with a write cursor. netlink_init/netlink_attr
 * append into `buf` and advance `pos`; netlink_send_ext sends `buf` and then
 * reuses it for the reply. `nesting`/`nested` track open nested attributes (no
 * nesting helper is visible in this chunk; send refuses a message with
 * nesting != 0). `buf` is the last member, so any write past it leaves the
 * struct entirely — writers must stay within sizeof(buf). */
struct nlmsg {
    char* pos;
    int nesting;
    struct nlattr* nested[8];
    char buf[4096];
};
  123.  
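/* Starts a new message in `nlmsg`: zeroes it, writes an nlmsghdr with `typ`
 * and NLM_F_REQUEST|NLM_F_ACK|`flags`, copies `size` bytes of `data` right
 * after the header and positions the cursor at the next 4-byte aligned offset.
 * nlmsg_len is filled in later by netlink_send_ext. A negative or oversized
 * payload aborts the process before anything is copied, matching the exit(1)
 * policy netlink_send_ext applies to an overflowed cursor — checking before
 * the memcpy means the buffer can never actually be overrun. */
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
                         const void* data, int size)
{
    memset(nlmsg, 0, sizeof(*nlmsg));
    if (size < 0 ||
        (size_t)size > sizeof(nlmsg->buf) - sizeof(struct nlmsghdr))
        exit(1);
    struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
    hdr->nlmsg_type = typ;
    hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
    memcpy(hdr + 1, data, size);
    nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}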
  134.  
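/* Appends one attribute (nlattr header + `size` bytes of `data`, padded to
 * 4 bytes) at the cursor. The padded attribute is bounded against the space
 * left in buf before anything is written; an attribute that does not fit
 * aborts the process, the same policy netlink_send_ext applies when it finds
 * the cursor past the end. Without this check an oversized payload was copied
 * past buf (the last member of struct nlmsg) before send could notice. */
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
                         int size)
{
    char* end = nlmsg->buf + sizeof(nlmsg->buf);
    if (size < 0 || nlmsg->pos > end)
        exit(1);
    size_t need = NLMSG_ALIGN(sizeof(struct nlattr) + (size_t)size);
    if (need > (size_t)(end - nlmsg->pos))
        exit(1);
    struct nlattr* attr = (struct nlattr*)nlmsg->pos;
    attr->nla_len = sizeof(*attr) + size; /* fits u16: need <= sizeof(buf) */
    attr->nla_type = typ;
    if (size > 0)
        memcpy(attr + 1, data, size);
    nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}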
  145.  
/* Sends the message built in `nlmsg` on `sock` and reads one reply into the
 * same buffer (the request is overwritten). Returns 0 on NLMSG_DONE, on a
 * plain ACK, or on a reply of type `reply_type` (then *reply_len holds its
 * byte length; in every other case *reply_len is 0); returns -errno for an
 * NLMSG_ERROR reply carrying an error; returns -1 with errno set when the send
 * is short, the recv fails, or the reply is too short / of an unexpected type.
 * With `dofail` those transport/framing failures exit(1) instead. A cursor
 * past the end of buf or an unclosed nested attribute is a builder bug and
 * always exits. */
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
                            int* reply_len, bool dofail)
{
    /* Validated only here, after the builders have written; they must keep
     * their payloads inside buf. */
    if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
        exit(1);
    struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
    hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
    struct sockaddr_nl addr;
    memset(&addr, 0, sizeof(addr));
    addr.nl_family = AF_NETLINK; /* nl_pid stays 0: destination is the kernel */
    ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
                       (struct sockaddr*)&addr, sizeof(addr));
    if (n != (ssize_t)hdr->nlmsg_len) {
        if (dofail)
            exit(1);
        return -1;
    }
    /* The reply lands in buf, replacing the request. */
    n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
    if (reply_len)
        *reply_len = 0;
    if (n < 0) {
        if (dofail)
            exit(1);
        return -1;
    }
    /* Too short to contain a header: do not interpret it. */
    if (n < (ssize_t)sizeof(struct nlmsghdr)) {
        errno = EINVAL;
        if (dofail)
            exit(1);
        return -1;
    }
    if (hdr->nlmsg_type == NLMSG_DONE)
        return 0;
    if (reply_len && hdr->nlmsg_type == reply_type) {
        *reply_len = n;
        return 0;
    }
    /* Anything else must be an NLMSG_ERROR large enough to carry an nlmsgerr. */
    if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
        errno = EINVAL;
        if (dofail)
            exit(1);
        return -1;
    }
    if (hdr->nlmsg_type != NLMSG_ERROR) {
        errno = EINVAL;
        if (dofail)
            exit(1);
        return -1;
    }
    /* nlmsgerr.error is a negative errno, 0 for a plain ACK: this yields 0 on
     * ACK and -errno otherwise. `dofail` is deliberately not applied here. */
    errno = -((struct nlmsgerr*)(hdr + 1))->error;
    return -errno;
}
  198.  
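/* Resolves a generic-netlink family name to its numeric id with
 * CTRL_CMD_GETFAMILY on `sock`. Returns the id (non-zero) or -1 with errno
 * set: transport failures come from netlink_send_ext (which exits instead when
 * `dofail` is set), and a reply without a usable CTRL_ATTR_FAMILY_ID gives
 * EINVAL. The reply comes from the kernel but is still walked defensively:
 * each nlattr header and payload is bounded by the received length, and a
 * header that is shorter than itself (including nla_len == 0, which would
 * never advance the cursor) ends the scan. The trailing NLMSG_DONE is drained
 * with a second recv so the socket can be reused. */
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
                                   const char* family_name, bool dofail)
{
    struct genlmsghdr genlhdr;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = CTRL_CMD_GETFAMILY;
    netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
    /* At most GENL_NAMSIZ-1 name bytes plus one more byte, which is the NUL
     * terminator for names shorter than GENL_NAMSIZ. */
    netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
                 strnlen(family_name, GENL_NAMSIZ - 1) + 1);
    int n = 0;
    int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
    if (err < 0) {
        return -1;
    }
    uint16_t id = 0;
    const char* end = nlmsg->buf + n;
    const char* cur = nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr));
    while (cur + sizeof(struct nlattr) <= end) {
        const struct nlattr* attr = (const struct nlattr*)cur;
        size_t alen = attr->nla_len;
        /* Malformed header: shorter than the header itself or past the reply. */
        if (alen < sizeof(*attr) || alen > (size_t)(end - cur))
            break;
        if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
            /* Only read the id if the payload actually holds a u16. */
            if (alen - sizeof(*attr) >= sizeof(id))
                memcpy(&id, attr + 1, sizeof(id));
            break;
        }
        cur += NLMSG_ALIGN(alen);
    }
    if (!id) {
        errno = EINVAL;
        return -1;
    }
    recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
    return id;
}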
  230.  
/* Fixed fd number that, judging by its name, the generated harness uses for a
 * handle on the initial network namespace. Not referenced in this chunk. */
const int kInitNetNsFd = 201;

/* Sizes of the default io_uring SQE/CQE and byte offsets of the ring fields
 * inside the SQ/CQ mappings, as named. syz_io_uring_setup derives the offsets
 * it needs from the io_uring_params the kernel fills in, so only the two
 * SIZEOF_ constants are used in the visible part of this file. */
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320
  248.  
/* Local copy of the kernel's submission-ring offset block (this file does not
 * include <linux/io_uring.h>). The kernel fills it in during io_uring_setup;
 * the layout must match the kernel ABI exactly. `array` is the only field
 * read here (offset of the SQ index array within the ring mapping). */
struct io_sqring_offsets {
    uint32_t head;
    uint32_t tail;
    uint32_t ring_mask;
    uint32_t ring_entries;
    uint32_t flags;
    uint32_t dropped;
    uint32_t array;
    uint32_t resv1;
    uint64_t resv2;
};
  260.  
/* Local copy of the kernel's completion-ring offset block (see
 * io_sqring_offsets). `cqes` (offset of the CQE array within the ring
 * mapping) is the only field read here. */
struct io_cqring_offsets {
    uint32_t head;
    uint32_t tail;
    uint32_t ring_mask;
    uint32_t ring_entries;
    uint32_t overflow;
    uint32_t cqes;
    uint64_t resv[2];
};
  270.  
/* Local copy of the kernel's io_uring_setup parameter block. `flags` is the
 * caller's input; the kernel writes sq_entries/cq_entries and the two offset
 * blocks, from which syz_io_uring_setup sizes its mmaps. Layout must match
 * the kernel ABI exactly. */
struct io_uring_params {
    uint32_t sq_entries;
    uint32_t cq_entries;
    uint32_t flags;
    uint32_t sq_thread_cpu;
    uint32_t sq_thread_idle;
    uint32_t features;
    uint32_t resv[4];
    struct io_sqring_offsets sq_off;
    struct io_cqring_offsets cq_off;
};
  282.  
/* mmap offsets selecting the SQ/CQ ring and the SQE array on the io_uring fd,
 * plus the two setup flags that change entry sizes (stripped by
 * syz_io_uring_setup because its size arithmetic assumes the defaults). */
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
#define IORING_SETUP_SQE128 (1U << 10)
#define IORING_SETUP_CQE32 (1U << 11)
  287.  
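/* Wraps io_uring_setup() and maps the rings for the caller.
 * a0: entries; a1: struct io_uring_params* (flags in, sizes/offsets out);
 * a2/a3: void** receiving the SQ/CQ ring mapping and the SQE array mapping.
 * SQE128/CQE32 are cleared from flags because the sizes below assume 64-byte
 * SQEs and 16-byte CQEs. Returns the ring fd, or -1 with errno from the
 * failing call when setup or either mmap fails; on failure nothing stays
 * mapped or open and the out-pointers are untouched. The original kept the
 * syscall's -1 in a uint32_t (so it never compared equal to -1), passed it to
 * mmap, and then wrote the index array through MAP_FAILED. */
static long syz_io_uring_setup(volatile long a0, volatile long a1,
                               volatile long a2, volatile long a3)
{
    uint32_t entries = (uint32_t)a0;
    struct io_uring_params* setup_params = (struct io_uring_params*)a1;
    void** ring_ptr_out = (void**)a2;
    void** sqes_ptr_out = (void**)a3;
    setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128);
    long fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
    if (fd_io_uring < 0)
        return -1;
    /* The single ring mapping must cover whichever of SQ/CQ ends later. */
    uint32_t sq_ring_sz =
        setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
    uint32_t cq_ring_sz = setup_params->cq_off.cqes +
                          setup_params->cq_entries * SIZEOF_IO_URING_CQE;
    uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
    void* ring = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE,
                      fd_io_uring, IORING_OFF_SQ_RING);
    if (ring == MAP_FAILED) {
        int saved = errno;
        close(fd_io_uring);
        errno = saved;
        return -1;
    }
    uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
    void* sqes = mmap(0, sqes_sz, PROT_READ | PROT_WRITE,
                      MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);
    if (sqes == MAP_FAILED) {
        int saved = errno;
        munmap(ring, ring_sz);
        close(fd_io_uring);
        errno = saved;
        return -1;
    }
    *ring_ptr_out = ring;
    *sqes_ptr_out = sqes;
    /* Identity-fill the SQ index array. The kernel may report an sq_entries
     * that differs from the requested count, so bound the loop by both to stay
     * inside the mapping sized from sq_entries above. */
    uint32_t* array =
        (uint32_t*)((uintptr_t)ring + setup_params->sq_off.array);
    uint32_t fill = entries < setup_params->sq_entries ? entries
                                                       : setup_params->sq_entries;
    for (uint32_t index = 0; index < fill; index++)
        array[index] = index;
    return fd_io_uring;
}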
  314.  
/* memcpy with byte offsets applied to both ends: copies `a4` bytes from
 * (char*)a2 + (uint32_t)a3 to (char*)a0 + (uint32_t)a1 and returns the
 * destination address (memcpy's return) as a long. No bounds are checked. */
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2,
                           volatile long a3, volatile long a4)
{
    char* to = (char*)a0 + (uint32_t)a1;
    const char* from = (const char*)a2 + (uint32_t)a3;
    size_t count = (size_t)a4;
    void* result = memcpy(to, from, count);
    return (long)result;
}
  325.  
/* Opens a device node. a0 == 0xc / 0xb selects "/dev/char/M:m" or
 * "/dev/block/M:m" built from the low bytes of a1/a2 and opened O_RDWR.
 * Otherwise a0 is a path template: up to 1023 bytes are copied, each '#' is
 * replaced left to right by the next lowest decimal digit of a1, and the
 * result is opened with flags a2. Returns open()'s result. */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        char path[128];
        const char* kind = (a0 == 0xc) ? "char" : "block";
        snprintf(path, sizeof(path), "/dev/%s/%d:%d", kind, (uint8_t)a1,
                 (uint8_t)a2);
        return open(path, O_RDWR, 0);
    }
    char path[1024];
    /* strncpy stops at the limit; the final byte is forced to NUL. */
    strncpy(path, (char*)a0, sizeof(path) - 1);
    path[sizeof(path) - 1] = 0;
    for (char* hash = strchr(path, '#'); hash != NULL; hash = strchr(path, '#')) {
        *hash = '0' + (char)(a1 % 10);
        a1 /= 10;
    }
    return open(path, a2, 0);
}
  345.  
/* Opens a procfs entry named by the string at a1: under /proc/self when a0 is
 * 0, /proc/thread-self when a0 is -1, else /proc/self/task/<a0>. The path is
 * truncated to 127 bytes. Tries O_RDWR first and falls back to O_RDONLY;
 * returns the fd or -1. */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
    const char* file = (const char*)a1;
    char path[128] = {0};
    if (a0 == 0)
        snprintf(path, sizeof(path), "/proc/self/%s", file);
    else if (a0 == -1)
        snprintf(path, sizeof(path), "/proc/thread-self/%s", file);
    else
        snprintf(path, sizeof(path), "/proc/self/task/%d/%s", (int)a0, file);
    int fd = open(path, O_RDWR);
    return fd != -1 ? fd : open(path, O_RDONLY);
}
  362.  
/* socket(2) issued directly through syscall(). Despite the name, nothing here
 * switches network namespaces; the caller's current namespace is used. */
static long syz_init_net_socket(volatile long domain, volatile long type,
                                volatile long proto)
{
    long d = domain;
    long t = type;
    long p = proto;
    return syscall(__NR_socket, d, t, p);
}
  368.  
/* Looks up a generic-netlink family id by name (string at `name`). If
 * `sock_arg` is a non-negative fd it is used as the netlink socket (and left
 * open); otherwise a temporary NETLINK_GENERIC socket is created and closed
 * again. Returns the id or -1 (socket creation or the query failed). */
static long syz_genetlink_get_family_id(volatile long name,
                                        volatile long sock_arg)
{
    const bool own_socket = (int)sock_arg < 0;
    int fd = (int)sock_arg;
    if (own_socket) {
        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (fd == -1)
            return -1;
    }
    struct nlmsg nlmsg_tmp;
    int id = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
    if (own_socket)
        close(fd);
    return id < 0 ? -1 : id;
}
  388.  
  389. //% This code is derived from puff.{c,h}, found in the zlib development. The
  390. //% original files come with the following copyright notice:
  391.  
  392. //% Copyright (C) 2002-2013 Mark Adler, all rights reserved
  393. //% version 2.3, 21 Jan 2013
  394. //% This software is provided 'as-is', without any express or implied
  395. //% warranty. In no event will the author be held liable for any damages
  396. //% arising from the use of this software.
  397. //% Permission is granted to anyone to use this software for any purpose,
  398. //% including commercial applications, and to alter it and redistribute it
  399. //% freely, subject to the following restrictions:
  400. //% 1. The origin of this software must not be misrepresented; you must not
  401. //% claim that you wrote the original software. If you use this software
  402. //% in a product, an acknowledgment in the product documentation would be
  403. //% appreciated but is not required.
  404. //% 2. Altered source versions must be plainly marked as such, and must not be
  405. //% misrepresented as being the original software.
  406. //% 3. This notice may not be removed or altered from any source distribution.
  407. //% Mark Adler [email protected]
  408.  
  409. //% BEGIN CODE DERIVED FROM puff.{c,h}
  410.  
/* DEFLATE limits, as in puff.h: maximum code length in bits, number of
 * literal/length and distance codes, their sum (size of the shared length
 * array in puff_dynamic), and the literal/length code count of the fixed
 * Huffman tables. */
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
  416.  
/* Inflate state shared by the puff_* routines.
 * out/outlen/outcnt: output buffer, its capacity and bytes produced so far.
 * in/inlen/incnt:    input buffer, its length and bytes consumed so far.
 * bitbuf/bitcnt:     bits already pulled from the input but not yet consumed.
 * env:               set by puff(); puff_bits/puff_decode longjmp to it when
 *                    the input runs out, which puff() reports as error 2. */
struct puff_state {
    unsigned char* out;
    unsigned long outlen;
    unsigned long outcnt;
    const unsigned char* in;
    unsigned long inlen;
    unsigned long incnt;
    int bitbuf;
    int bitcnt;
    jmp_buf env;
};
/* Returns the next `need` bits of the stream (LSB first, as DEFLATE packs
 * them), pulling whole input bytes into the bit buffer as required. Running
 * out of input does not return: it longjmps to the setjmp in puff(). */
static int puff_bits(struct puff_state* s, int need)
{
    long acc = s->bitbuf;
    for (; s->bitcnt < need; s->bitcnt += 8) {
        if (s->incnt == s->inlen)
            longjmp(s->env, 1);
        acc |= (long)(s->in[s->incnt++]) << s->bitcnt;
    }
    int out = (int)(acc & ((1L << need) - 1));
    /* Keep whatever was not consumed for the next call. */
    s->bitbuf = (int)(acc >> need);
    s->bitcnt -= need;
    return out;
}
/* Copies a stored (uncompressed) block. Returns 0 on success, 2 if the input
 * ends before the 4-byte LEN/NLEN header or the block data, -2 if NLEN is not
 * the complement of LEN, 1 if the output buffer cannot hold the block. */
static int puff_stored(struct puff_state* s)
{
    /* A stored block starts on a byte boundary: drop any buffered bits. */
    s->bitbuf = 0;
    s->bitcnt = 0;
    if (s->incnt + 4 > s->inlen)
        return 2;
    const unsigned char* header = s->in + s->incnt;
    unsigned len = header[0] | (header[1] << 8);
    unsigned nlen = header[2] | (header[3] << 8);
    s->incnt += 4;
    if (nlen != (~len & 0xffffu))
        return -2;
    if (s->incnt + len > s->inlen)
        return 2;
    if (s->outcnt + len > s->outlen)
        return 1;
    /* Zero bytes are not written — presumably because the destination is
     * expected to be zero-filled already (puff_zlib_to_file maps it with
     * MAP_ANON); the other output paths apply the same rule. */
    while (len-- > 0) {
        unsigned char c = s->in[s->incnt];
        if (c != 0)
            s->out[s->outcnt] = c;
        s->outcnt++;
        s->incnt++;
    }
    return 0;
}
/* Huffman decode tables as built by puff_construct: count[len] is the number
 * of codes of length len (0..MAXBITS); symbol[] lists the symbols in code
 * order. Storage is owned by the caller. */
struct puff_huffman {
    short* count;
    short* symbol;
};
/* Decodes one symbol with the canonical-code tables in `h`. Bits are taken one
 * at a time, first from the buffered bits and then from fresh input bytes; the
 * code is assembled most-significant-bit first (`code |= bit; code <<= 1`).
 * Returns the symbol, or -10 if no code matched within MAXBITS bits. Running
 * out of input longjmps to puff(). Derived from puff.c's decode(). */
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
    int first = 0;
    int index = 0;
    int bitbuf = s->bitbuf;
    int left = s->bitcnt;
    int code = first = index = 0; /* re-zeroes first/index; harmless */
    int len = 1;
    short* next = h->count + 1;
    while (1) {
        while (left--) {
            code |= bitbuf & 1;
            bitbuf >>= 1;
            int count = *next++;
            /* `code` falls among the codes of this length: found. */
            if (code - count < first) {
                s->bitbuf = bitbuf;
                /* `len` bits consumed; keep the unused remainder (< 8). */
                s->bitcnt = (s->bitcnt - len) & 7;
                return h->symbol[index + (code - first)];
            }
            index += count;
            first += count;
            first <<= 1;
            code <<= 1;
            len++;
        }
        left = (MAXBITS + 1) - len;
        if (left == 0)
            break;
        if (s->incnt == s->inlen)
            longjmp(s->env, 1);
        bitbuf = s->in[s->incnt++];
        if (left > 8)
            left = 8;
    }
    return -10;
}
/* Builds the decode tables in `h` from `n` code lengths (0 = symbol unused):
 * h->count[0..MAXBITS] receives the per-length counts and h->symbol[] the
 * used symbols ordered by (length, symbol value), which is the order
 * puff_decode expects. Returns 0 for an empty code (all lengths zero) or a
 * complete code, a negative value as soon as the lengths over-subscribe the
 * code space, and a positive value for an incomplete code (callers decide
 * whether that is acceptable). Derived from puff.c's construct(). */
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
    int len;
    for (len = 0; len <= MAXBITS; len++)
        h->count[len] = 0;
    int symbol;
    for (symbol = 0; symbol < n; symbol++)
        (h->count[length[symbol]])++;
    if (h->count[0] == n)
        return 0;
    /* Check the Kraft inequality length by length. */
    int left = 1;
    for (len = 1; len <= MAXBITS; len++) {
        left <<= 1;
        left -= h->count[len];
        if (left < 0)
            return left;
    }
    /* offs[len] = index in symbol[] where codes of length len start. */
    short offs[MAXBITS + 1];
    offs[1] = 0;
    for (len = 1; len < MAXBITS; len++)
        offs[len + 1] = offs[len] + h->count[len];
    for (symbol = 0; symbol < n; symbol++)
        if (length[symbol] != 0)
            h->symbol[offs[length[symbol]]++] = symbol;
    return left;
}
/* Decodes one compressed block body (after the 3-bit block header) with the
 * given literal/length and distance codes; used by both fixed and dynamic
 * blocks. Returns 0 at end-of-block (symbol 256), 1 if the output buffer is
 * full, -10 for an invalid length symbol, -11 for a distance reaching before
 * the start of the output, or a negative error from puff_decode. Output bytes
 * equal to 0 are skipped rather than written, on both the literal and the
 * copy path (the destination is assumed to be pre-zeroed). */
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
                      const struct puff_huffman* distcode)
{
    /* Base length and extra-bit count for length symbols 257..285. */
    static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
                                   15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
                                   67, 83, 99, 115, 131, 163, 195, 227, 258};
    static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
                                   2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
    /* Base distance and extra-bit count for distance symbols 0..29. */
    static const short dists[30] = {
        1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
        33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
        1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
    static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
                                   4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
                                   9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
    int symbol;
    do {
        symbol = puff_decode(s, lencode);
        if (symbol < 0)
            return symbol;
        if (symbol < 256) {
            /* Literal byte. */
            if (s->outcnt == s->outlen)
                return 1;
            if (symbol)
                s->out[s->outcnt] = symbol;
            s->outcnt++;
        } else if (symbol > 256) {
            /* Length/distance pair: copy `len` bytes from `dist` bytes back. */
            symbol -= 257;
            if (symbol >= 29)
                return -10;
            int len = lens[symbol] + puff_bits(s, lext[symbol]);
            symbol = puff_decode(s, distcode);
            if (symbol < 0)
                return symbol;
            unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
            if (dist > s->outcnt)
                return -11;
            if (s->outcnt + len > s->outlen)
                return 1;
            /* Byte by byte so overlapping copies (dist < len) replicate the
             * run, as DEFLATE requires. */
            while (len--) {
                if (dist <= s->outcnt && s->out[s->outcnt - dist])
                    s->out[s->outcnt] = s->out[s->outcnt - dist];
                s->outcnt++;
            }
        }
    } while (symbol != 256);
    return 0;
}
/* Decodes a fixed-Huffman block. The fixed tables (RFC 1951: literal/length
 * code lengths 8/9/7/8 over the four symbol ranges, all distance codes 5 bits)
 * are built once into static storage on first use; that initialisation is not
 * thread-safe. Returns puff_codes' result. */
static int puff_fixed(struct puff_state* s)
{
    static int tables_ready = 0;
    static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
    static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
    static struct puff_huffman lencode, distcode;
    if (!tables_ready) {
        lencode = (struct puff_huffman){lencnt, lensym};
        distcode = (struct puff_huffman){distcnt, distsym};
        short lengths[FIXLCODES];
        int symbol = 0;
        for (; symbol < 144; symbol++)
            lengths[symbol] = 8;
        for (; symbol < 256; symbol++)
            lengths[symbol] = 9;
        for (; symbol < 280; symbol++)
            lengths[symbol] = 7;
        for (; symbol < FIXLCODES; symbol++)
            lengths[symbol] = 8;
        puff_construct(&lencode, lengths, FIXLCODES);
        for (symbol = 0; symbol < MAXDCODES; symbol++)
            lengths[symbol] = 5;
        puff_construct(&distcode, lengths, MAXDCODES);
        tables_ready = 1;
    }
    return puff_codes(s, &lencode, &distcode);
}
/* Decodes a dynamic-Huffman block: reads the three counts (5+257 literal/
 * length codes, 5+1 distance codes, 4+4 code-length codes), builds the
 * code-length code from `ncode` 3-bit lengths stored in `order` permutation,
 * uses it to read the nlen+ndist code lengths (16/17/18 are run-length
 * repeats), builds both tables and hands the block body to puff_codes.
 * Returns puff_codes' result or: -3 too many codes, -4 bad code-length code,
 * -5 repeat (16) with no previous length, -6 repeat running past the end,
 * -9 no end-of-block code, -7/-8 literal/distance code over-subscribed or
 * incomplete (an incomplete code is tolerated only when every used length is
 * 1, i.e. a single-code table). Derived from puff.c's dynamic(). */
static int puff_dynamic(struct puff_state* s)
{
    /* Transmission order of the code-length code lengths. */
    static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
                                    11, 4, 12, 3, 13, 2, 14, 1, 15};
    int nlen = puff_bits(s, 5) + 257;
    int ndist = puff_bits(s, 5) + 1;
    int ncode = puff_bits(s, 4) + 4;
    if (nlen > MAXLCODES || ndist > MAXDCODES)
        return -3;
    short lengths[MAXCODES];
    int index;
    for (index = 0; index < ncode; index++)
        lengths[order[index]] = puff_bits(s, 3);
    for (; index < 19; index++)
        lengths[order[index]] = 0;
    short lencnt[MAXBITS + 1], lensym[MAXLCODES];
    struct puff_huffman lencode = {lencnt, lensym};
    /* lencode first serves as the code-length code; it is rebuilt below. */
    int err = puff_construct(&lencode, lengths, 19);
    if (err != 0)
        return -4;
    index = 0;
    while (index < nlen + ndist) {
        int symbol;
        int len;
        symbol = puff_decode(s, &lencode);
        if (symbol < 0)
            return symbol;
        if (symbol < 16)
            lengths[index++] = symbol;
        else {
            /* 16: repeat previous length 3-6 times; 17: 3-10 zeros;
             * 18: 11-138 zeros. */
            len = 0;
            if (symbol == 16) {
                if (index == 0)
                    return -5;
                len = lengths[index - 1];
                symbol = 3 + puff_bits(s, 2);
            } else if (symbol == 17)
                symbol = 3 + puff_bits(s, 3);
            else
                symbol = 11 + puff_bits(s, 7);
            if (index + symbol > nlen + ndist)
                return -6;
            while (symbol--)
                lengths[index++] = len;
        }
    }
    /* The end-of-block symbol must have a code. */
    if (lengths[256] == 0)
        return -9;
    err = puff_construct(&lencode, lengths, nlen);
    if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
        return -7;
    short distcnt[MAXBITS + 1], distsym[MAXDCODES];
    struct puff_huffman distcode = {distcnt, distsym};
    err = puff_construct(&distcode, lengths + nlen, ndist);
    if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
        return -8;
    return puff_codes(s, &lencode, &distcode);
}
/* Inflates raw DEFLATE data from `source` (sourcelen bytes) into `dest`.
 * *destlen is the capacity on entry and the number of bytes produced on
 * return (also on failure). Returns 0 on success, 2 if the input ran out, -1
 * for a reserved block type, otherwise the error from the block decoder. */
static int puff(unsigned char* dest, unsigned long* destlen,
                const unsigned char* source, unsigned long sourcelen)
{
    struct puff_state s = {
        .out = dest,
        .outlen = *destlen,
        .outcnt = 0,
        .in = source,
        .inlen = sourcelen,
        .incnt = 0,
        .bitbuf = 0,
        .bitcnt = 0,
    };
    int err = 0;
    /* puff_bits/puff_decode longjmp here when the input is exhausted.
     * NOTE: `s` is a non-volatile automatic that is modified after setjmp, so
     * strictly its value is indeterminate after the jump; s.outcnt is read
     * below anyway. */
    if (setjmp(s.env) != 0) {
        err = 2;
    } else {
        for (;;) {
            int last = puff_bits(&s, 1);
            int type = puff_bits(&s, 2);
            switch (type) {
            case 0:
                err = puff_stored(&s);
                break;
            case 1:
                err = puff_fixed(&s);
                break;
            case 2:
                err = puff_dynamic(&s);
                break;
            default:
                err = -1; /* block type 3 is reserved */
                break;
            }
            if (err != 0 || last)
                break;
        }
    }
    *destlen = s.outcnt;
    return err;
}
  694.  
  695. //% END CODE DERIVED FROM puff.{c,h}
  696.  
/* Size of the zlib stream header (CMF + FLG) skipped by puff_zlib_to_file
 * before handing the raw DEFLATE data to puff. */
#define ZLIB_HEADER_WIDTH 2
  698.  
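/* Inflates a zlib-wrapped buffer into `dest_fd`. The 2-byte zlib header is
 * skipped and nothing after the final DEFLATE block (the Adler-32 trailer) is
 * checked. Inputs shorter than the header are treated as empty and succeed.
 * Returns 0 on success, -1 otherwise with errno set: for an inflate error
 * errno holds puff's negated return code (the convention setup_loop_device
 * reads back), for mmap/write failures the real errno. The write is looped
 * because write(2) may return short for a large buffer (the image can be up to
 * 132 MiB); the original treated any short write as failure. */
static int puff_zlib_to_file(const unsigned char* source,
                             unsigned long sourcelen, int dest_fd)
{
    if (sourcelen < ZLIB_HEADER_WIDTH)
        return 0;
    source += ZLIB_HEADER_WIDTH;
    sourcelen -= ZLIB_HEADER_WIDTH;
    /* 132 MiB anonymous scratch area; MAP_ANON memory is zero-filled, which
     * the puff output paths rely on when they skip writing zero bytes. */
    const unsigned long max_destlen = 132 << 20;
    void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
                     MAP_PRIVATE | MAP_ANON, -1, 0);
    if (ret == MAP_FAILED)
        return -1;
    unsigned char* dest = (unsigned char*)ret;
    unsigned long destlen = max_destlen;
    int err = puff(dest, &destlen, source, sourcelen);
    if (err) {
        munmap(dest, max_destlen);
        errno = -err;
        return -1;
    }
    unsigned long done = 0;
    while (done < destlen) {
        ssize_t w = write(dest_fd, dest + done, destlen - done);
        if (w < 0 && errno == EINTR)
            continue;
        if (w <= 0) {
            /* A zero-byte write would spin forever; report it as an error. */
            int saved = (w == 0) ? EIO : errno;
            munmap(dest, max_destlen);
            errno = saved;
            return -1;
        }
        done += (unsigned long)w;
    }
    return munmap(dest, max_destlen);
}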
  725.  
/* Inflates the zlib image `data` (`size` bytes) into a memfd and attaches that
 * file to the loop device at `loopname`, returning the device fd via
 * *loopfd_p. Returns 0 on success, -1 with errno set on failure. The memfd is
 * closed on every path (the loop driver keeps its own reference once
 * LOOP_SET_FD succeeds); the loop fd is closed only on failure. If the device
 * is still attached from an earlier run (EBUSY) it is detached once and the
 * attach retried. */
static int setup_loop_device(unsigned char* data, unsigned long size,
                             const char* loopname, int* loopfd_p)
{
    int err = 0, loopfd = -1;
    int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
    if (memfd == -1) {
        err = errno;
        goto error;
    }
    /* On inflate errors errno carries puff's negated code, not a real errno. */
    if (puff_zlib_to_file(data, size, memfd)) {
        err = errno;
        goto error_close_memfd;
    }
    loopfd = open(loopname, O_RDWR);
    if (loopfd == -1) {
        err = errno;
        goto error_close_memfd;
    }
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
        if (errno != EBUSY) {
            err = errno;
            goto error_close_loop;
        }
        /* Stale attachment: clear it, give the kernel a moment, retry once. */
        ioctl(loopfd, LOOP_CLR_FD, 0);
        usleep(1000);
        if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
            err = errno;
            goto error_close_loop;
        }
    }
    close(memfd);
    *loopfd_p = loopfd;
    return 0;

error_close_loop:
    close(loopfd);
error_close_memfd:
    close(memfd);
error:
    /* close() may have clobbered errno; restore the failing step's value. */
    errno = err;
    return -1;
}
  768.  
/* Best-effort detach of whatever backing file the loop device at `loopname`
 * holds. Failures to open or to clear are ignored. */
static void reset_loop_device(const char* loopname)
{
    int fd = open(loopname, O_RDWR);
    if (fd < 0)
        return;
    (void)ioctl(fd, LOOP_CLR_FD, 0);
    close(fd);
}
  779.  
/* Mounts filesystem `fsarg` at directory `dir` with `flags` and options
 * `optsarg`. When `size` is non-zero, `image` is a zlib-compressed disk image
 * that is inflated onto /dev/loop<procid> and used as the mount source;
 * otherwise the source is NULL. The options string is copied with 32 bytes of
 * headroom for the per-filesystem additions below; longer strings are
 * silently truncated (the empty if-block leaves that case unhandled).
 * Returns an O_RDONLY|O_DIRECTORY fd on the mounted directory when
 * change_dir is 0; when change_dir is set the return value is chdir()'s
 * result instead (0 or -1) and the directory fd just opened stays open but is
 * not handed back. Returns -1 with errno describing the failing step; on
 * success errno is set to 0. The loop device is detached again on every
 * path before returning. */
static long syz_mount_image(volatile long fsarg, volatile long dir,
                            volatile long flags, volatile long optsarg,
                            volatile long change_dir,
                            volatile unsigned long size, volatile long image)
{
    unsigned char* data = (unsigned char*)image;
    int res = -1, err = 0, need_loop_device = !!size;
    char* mount_opts = (char*)optsarg;
    char* target = (char*)dir;
    char* fs = (char*)fsarg;
    char* source = NULL;
    char loopname[64];
    if (need_loop_device) {
        int loopfd;
        memset(loopname, 0, sizeof(loopname));
        snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
        if (setup_loop_device(data, size, loopname, &loopfd) == -1)
            return -1;
        /* The fd is not needed once the backing file is attached; the device
         * stays set up until reset_loop_device below. */
        close(loopfd);
        source = loopname;
    }
    mkdir(target, 0777); /* result ignored; mount() fails if it is missing */
    char opts[256];
    memset(opts, 0, sizeof(opts));
    if (strlen(mount_opts) > (sizeof(opts) - 32)) {
        /* Truncation case: intentionally left without handling. */
    }
    /* opts is pre-zeroed, so the copy stays NUL-terminated even at the limit;
     * the 32 spare bytes cover the longest suffix appended below. */
    strncpy(opts, mount_opts, sizeof(opts) - 32);
    if (strcmp(fs, "iso9660") == 0) {
        flags |= MS_RDONLY;
    } else if (strncmp(fs, "ext", 3) == 0) {
        /* Accept errors=remount-ro only as a whole option (comma or string
         * boundary on both sides), not as a substring of another option. */
        bool has_remount_ro = false;
        char* remount_ro_start = strstr(opts, "errors=remount-ro");
        if (remount_ro_start != NULL) {
            char after = *(remount_ro_start + strlen("errors=remount-ro"));
            char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
            has_remount_ro = ((before == '\0' || before == ',') &&
                              (after == '\0' || after == ','));
        }
        /* Force errors=continue unless remount-ro alone was requested —
         * presumably so an errors=panic image cannot take the host down;
         * appended, so it comes after any earlier errors= option. */
        if (strstr(opts, "errors=panic") || !has_remount_ro)
            strcat(opts, ",errors=continue");
    } else if (strcmp(fs, "xfs") == 0) {
        strcat(opts, ",nouuid");
    }
    res = mount(source, target, fs, flags, opts);
    if (res == -1) {
        err = errno;
        goto error_clear_loop;
    }
    /* From here `res` is the directory fd that the caller receives. */
    res = open(target, O_RDONLY | O_DIRECTORY);
    if (res == -1) {
        err = errno;
        goto error_clear_loop;
    }
    if (change_dir) {
        /* Overwrites the fd with chdir's status; the fd itself is not closed. */
        res = chdir(target);
        if (res == -1) {
            err = errno;
        }
    }

error_clear_loop:
    /* Also runs on success — the mount keeps the device busy, so the clear is
     * presumably deferred by the kernel until unmount; confirm if relying on it. */
    if (need_loop_device)
        reset_loop_device(loopname);
    errno = err;
    return res;
}
  846.  
/* pidfd_open(2) via syscall(). A pid of 1 is remapped to 0 (which pidfd_open
 * rejects), presumably so the generated program never obtains a handle on
 * init. Returns the new fd or -1. */
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
    long target = (pid == 1) ? 0 : pid;
    return syscall(__NR_pidfd_open, target, flags);
}
  854.  
/* Result table for the generated program in main(): syscalls whose return
 * value is reused store it in a slot (e.g. r[0] = a socket fd, r[1] = the fd
 * for /dev/net/tun, r[2] = a procfs fd, r[5] = an io_uring ring pointer). The
 * initial values are "unset" markers; which slots start at 0 rather than -1
 * is decided by the generator, presumably by the kind of value the slot will
 * hold. */
uint64_t r[80] = {0xffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0x0,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0x0,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0x0,
    0x0,
    0x0,
    0x0,
    0x0,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0x0,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0x0,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0x0,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0x0,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0xffffffffffffffff,
    0x0};
  935.  
  936. int main(void)
  937. {
  938. syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  939. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  940. /*offset=*/0ul);
  941. syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
  942. /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
  943. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  944. /*offset=*/0ul);
  945. syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  946. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  947. /*offset=*/0ul);
  948. const char* reason;
  949. (void)reason;
  950. intptr_t res = 0;
  951. if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  952. }
  953. memcpy((void*)0x200000000180, "./file0\000", 8);
  954. syscall(__NR_mknod, /*file=*/0x200000000180ul, /*mode=*/0ul, /*dev=*/0x700);
  955. memcpy((void*)0x2000000002c0, "./file0\000", 8);
  956. memcpy((void*)0x200000000300, "security.capability\000", 20);
  957. *(uint32_t*)0x200000000340 = 0x3000000;
  958. *(uint32_t*)0x200000000344 = 9;
  959. *(uint32_t*)0x200000000348 = 0;
  960. *(uint32_t*)0x20000000034c = 0;
  961. *(uint32_t*)0x200000000350 = 0;
  962. *(uint32_t*)0x200000000354 = -1;
  963. syscall(__NR_lsetxattr, /*path=*/0x2000000002c0ul, /*name=*/0x200000000300ul,
  964. /*val=*/0x200000000340ul, /*size=*/0x18ul, /*flags=*/0ul);
  965. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0);
  966. if (res != -1)
  967. r[0] = res;
  968. memcpy((void*)0x200000000040, "/dev/net/tun\000", 13);
  969. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  970. /*file=*/0x200000000040ul, /*flags=*/0, /*mode=*/0);
  971. if (res != -1)
  972. r[1] = res;
  973. memcpy((void*)0x200000000000,
  974. "vlan0\000\000\000\000\000\000\000\000\000\000\000", 16);
  975. *(uint16_t*)0x200000000010 = 0x802;
  976. syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x400454ca,
  977. /*arg=*/0x200000000000ul);
  978. memcpy((void*)0x200000000000, "net/ip_mr_cache\000", 16);
  979. res = -1;
  980. res = syz_open_procfs(/*pid=*/0, /*file=*/0x200000000000);
  981. if (res != -1)
  982. r[2] = res;
  983. syscall(__NR_pread64, /*fd=*/r[2], /*buf=*/0x200000000080ul, /*count=*/0x8ful,
  984. /*pos=*/0ul);
  985. memset((void*)0x2000000000c0, 0, 16);
  986. *(uint16_t*)0x2000000000d0 = 2;
  987. *(uint16_t*)0x2000000000d2 = htobe16(0);
  988. *(uint32_t*)0x2000000000d4 = htobe32(0x7f000001);
  989. syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x8916, /*arg=*/0x2000000000c0ul);
  990. res = syscall(__NR_pipe, /*pipefd=*/0x200000000280ul);
  991. if (res != -1)
  992. r[3] = *(uint32_t*)0x200000000280;
  993. memcpy((void*)0x200000000240, "nl80211\000", 8);
  994. syz_genetlink_get_family_id(/*name=*/0x200000000240, /*fd=*/r[3]);
  995. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0);
  996. if (res != -1)
  997. r[4] = res;
  998. *(uint32_t*)0x200000683ff4 = htobe32(0xe0000002);
  999. *(uint32_t*)0x200000683ff8 = htobe32(0x7f000001);
  1000. *(uint32_t*)0x200000683ffc = 0;
  1001. syscall(__NR_setsockopt, /*fd=*/r[4], /*level=*/0,
  1002. /*optname=IP_ADD_MEMBERSHIP|0x4*/ 0x27, /*optval=*/0x200000683ff4ul,
  1003. /*optlen=*/0xcul);
  1004. syscall(__NR_dup, /*oldfd=*/-1);
  1005. *(uint32_t*)0x200000000104 = 0;
  1006. *(uint32_t*)0x200000000108 = 0;
  1007. *(uint32_t*)0x20000000010c = 0;
  1008. *(uint32_t*)0x200000000110 = 0;
  1009. *(uint32_t*)0x200000000118 = -1;
  1010. memset((void*)0x20000000011c, 0, 12);
  1011. res = -1;
  1012. res = syz_io_uring_setup(/*entries=*/0x5143, /*params=*/0x200000000100,
  1013. /*ring_ptr=*/0x200000000080,
  1014. /*sqes_ptr=*/0x200000000180);
  1015. if (res != -1)
  1016. r[5] = *(uint64_t*)0x200000000080;
  1017. *(uint32_t*)0x2000000000c0 = 0;
  1018. syz_memcpy_off(/*ring_ptr=*/r[5],
  1019. /*off=CQ_TAIL_OFFSET|0xb463bca47b83c416*/ 0xb463bca47b83c4d6,
  1020. /*src=*/0x2000000000c0, /*src_off=*/0, /*nbytes=*/4);
  1021. syscall(__NR_mremap, /*addr=*/0x200000ffe000ul, /*len=*/0x2000ul,
  1022. /*newlen=*/0x2000ul, /*flags=MREMAP_FIXED|MREMAP_MAYMOVE*/ 3ul,
  1023. /*newaddr=*/0x200000311000ul);
  1024. res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_STREAM*/ 1ul,
  1025. /*proto=*/0, /*fds=*/0x200000000040ul);
  1026. if (res != -1) {
  1027. r[6] = *(uint32_t*)0x200000000040;
  1028. r[7] = *(uint32_t*)0x200000000044;
  1029. }
  1030. memcpy((void*)0x200000000080, "./bus\000", 6);
  1031. res = syscall(
  1032. __NR_open, /*file=*/0x200000000080ul,
  1033. /*flags=O_SYNC|O_NOATIME|O_CREAT|O_RDWR|0x400000000*/ 0x400141042ul,
  1034. /*mode=*/0ul);
  1035. if (res != -1)
  1036. r[8] = res;
  1037. syscall(
  1038. __NR_mmap, /*addr=*/0x200000001000ul, /*len=*/0xa000ul,
  1039. /*prot=PROT_GROWSUP|PROT_GROWSDOWN|PROT_WRITE|PROT_READ|PROT_EXEC|0x4800000*/
  1040. 0x7800007ul, /*flags=MAP_FIXED|MAP_PRIVATE*/ 0x12ul, /*fd=*/r[8],
  1041. /*offset=*/0ul);
  1042. memcpy((void*)0x200000000000, "./bus\000", 6);
  1043. syscall(__NR_creat, /*file=*/0x200000000000ul, /*mode=*/0ul);
  1044. memcpy((void*)0x200000000040, "blkio.throttle.io_serviced_recursive\000", 37);
  1045. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000040ul,
  1046. /*flags=*/0x275a, /*mode=*/0);
  1047. if (res != -1)
  1048. r[9] = res;
  1049. memcpy((void*)0x200000000140, "#! ", 3);
  1050. *(uint8_t*)0x200000000143 = 0xa;
  1051. syscall(__NR_write, /*fd=*/r[9], /*data=*/0x200000000140ul,
  1052. /*len=*/0x1670e68ul);
  1053. syscall(__NR_madvise, /*addr=*/0x200000000000ul, /*len=*/0x600003ul,
  1054. /*advice=MADV_PAGEOUT*/ 0x15ul);
  1055. *(uint64_t*)0x200000000100 = 0x2000000000c0;
  1056. *(uint64_t*)0x200000000108 = 0x3f;
  1057. syscall(__NR_preadv, /*fd=*/r[8], /*vec=*/0x200000000100ul, /*vlen=*/1ul,
  1058. /*off_low=*/0, /*off_high=*/0);
  1059. memcpy((void*)0x200000000080, "./bus\000", 6);
  1060. res = syscall(__NR_open, /*file=*/0x200000000080ul,
  1061. /*flags=O_SYNC|O_NOCTTY|O_DIRECT|O_CLOEXEC|O_RDWR*/ 0x185102ul,
  1062. /*mode=*/0ul);
  1063. if (res != -1)
  1064. r[10] = res;
  1065. syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xb36000ul,
  1066. /*prot=PROT_WRITE*/ 2ul,
  1067. /*flags=MAP_STACK|MAP_POPULATE|MAP_FIXED|MAP_SHARED*/ 0x28011ul,
  1068. /*fd=*/r[10], /*offset=*/0ul);
  1069. *(uint64_t*)0x200000000000 = 0;
  1070. *(uint32_t*)0x200000000008 = 0;
  1071. *(uint64_t*)0x200000000010 = 0x2000000001c0;
  1072. *(uint64_t*)0x2000000001c0 = 0x200000000100;
  1073. memset((void*)0x200000000100, 36, 1);
  1074. *(uint64_t*)0x2000000001c8 = 1;
  1075. *(uint64_t*)0x200000000018 = 1;
  1076. *(uint64_t*)0x200000000020 = 0;
  1077. *(uint64_t*)0x200000000028 = 0;
  1078. *(uint32_t*)0x200000000030 = 0;
  1079. syscall(__NR_sendmsg, /*fd=*/r[6], /*msg=*/0x200000000000ul,
  1080. /*f=MSG_FASTOPEN|MSG_OOB*/ 0x20000001ul);
  1081. *(uint64_t*)0x2000000019c0 = 0;
  1082. *(uint32_t*)0x2000000019c8 = 0;
  1083. *(uint64_t*)0x2000000019d0 = 0;
  1084. *(uint64_t*)0x2000000019d8 = 0;
  1085. *(uint64_t*)0x2000000019e0 = 0;
  1086. *(uint64_t*)0x2000000019e8 = 0;
  1087. *(uint32_t*)0x2000000019f0 = 0;
  1088. *(uint32_t*)0x2000000019f8 = 0;
  1089. syscall(__NR_recvmmsg, /*fd=*/r[7], /*mmsg=*/0x2000000019c0ul, /*vlen=*/1ul,
  1090. /*f=MSG_WAITFORONE|MSG_WAITALL|MSG_PEEK|MSG_DONTWAIT*/ 0x10142ul,
  1091. /*timeout=*/0ul);
  1092. memcpy((void*)0x2000000000c0, "vfat\000", 5);
  1093. memcpy((void*)0x200000000200, "./file0\000", 8);
  1094. memcpy(
  1095. (void*)0x200000000dc0,
  1096. "\x78\x9c\xec\xdc\x4d\x6b\x13\x6b\x14\xc0\xf1\x93\xf4\x2d\x4d\x69\x93\xc5"
  1097. "\xe5\x5e\xee\x85\x4b\x0f\xba\xd1\xcd\xd0\x46\xd7\x62\x90\x16\xc4\x80\xa5"
  1098. "\x36\xe2\x0b\x08\xd3\x76\xa2\x21\x63\x52\x32\xa1\x12\x11\x5b\x57\x6e\xc5"
  1099. "\x0f\xe1\xa2\x74\xd9\x5d\x41\xfb\x05\xba\x71\xa7\x1b\x37\xee\xba\x11\x5c"
  1100. "\xb4\x0b\x71\x24\xf3\xd2\xd7\x94\x96\xd8\x74\x6c\xf3\xff\x41\x98\x27\x3c"
  1101. "\xcf\x99\x39\x33\x99\x84\xf3\x0c\x99\xd9\xb8\xf7\xe6\x69\xa9\xe0\x18\x05"
  1102. "\xb3\x26\xf1\x44\x4c\x62\x22\x22\x5b\x22\x69\x89\x4b\x28\x16\x2c\xe3\x5e"
  1103. "\xbb\x57\x76\x5b\x94\xcb\x03\xdf\x3f\xfd\x7f\xe7\xfe\x83\x5b\xd9\x5c\x6e"
  1104. "\x6c\x52\x75\x3c\x3b\x75\x25\xa3\xaa\x43\xc3\xef\x9f\xbd\xe8\x0f\x86\xad"
  1105. "\xf6\xc9\x7a\xfa\xd1\xc6\xb7\xcc\xd7\xf5\xbf\xd7\xff\xdd\xf8\x39\xf5\xa4"
  1106. "\xe8\x68\xd1\xd1\x72\xa5\xa6\xa6\x4e\x57\xbe\xd4\xcc\x69\xdb\xd2\xd9\xa2"
  1107. "\x53\x32\x54\x27\x6c\xcb\x74\x2c\x2d\x96\x1d\xab\xea\xf7\x57\xfc\xfe\x82"
  1108. "\x5d\x99\x9b\xab\xab\x59\x9e\x1d\x4c\xce\x55\x2d\xc7\x51\xb3\x5c\xd7\x92"
  1109. "\x55\xd7\x5a\x45\x6b\xd5\xba\x9a\x8f\xcd\x62\x59\x0d\xc3\xd0\xc1\xa4\xe0"
  1110. "\x28\xf9\xa5\xc9\x49\x33\xdb\x62\xf0\xcc\x09\x27\x83\x36\xa9\x56\xb3\x66"
  1111. "\x97\x88\xf4\x1f\xe8\xc9\x2f\x45\x92\x10\x00\x00\x88\xd4\xde\xfa\x5f\x1b"
  1112. "\x35\xfe\xe2\x09\xd6\xff\xcb\x17\xd6\x6a\x03\x77\x57\x86\x82\xfa\x7f\xb5"
  1113. "\xb7\x59\xfd\x7f\xf5\xb3\xbf\xae\x3d\xf5\x7f\x42\x44\xda\x5e\xff\x1f\xac"
  1114. "\x88\x3a\xcb\x6f\xd5\xff\x38\x23\x1a\xf5\x7f\x32\xf8\xfe\x7a\x5e\x3d\x5c"
  1115. "\x1e\xf1\x1a\xd4\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1116. "\x00\x00\x00\x00\x9c\x05\x5b\xae\x9b\x72\x5d\x37\x15\x2e\xc3\x57\x9f\x88"
  1117. "\x24\x44\x24\x7c\x1f\x75\x9e\x68\x0f\x3e\xff\xce\xb6\x73\xe3\x5e\xf7\x90"
  1118. "\x88\xfd\x7a\x3e\x3f\x9f\xf7\x97\xc1\x80\x35\x11\xb1\xc5\x92\x11\x49\xc9"
  1119. "\x0f\xef\x7c\x08\x34\xda\xe1\xbd\x80\xda\x90\x96\x0f\xf6\x42\x10\xbf\x30"
  1120. "\x9f\xef\xf2\x7a\xb2\x05\x29\x7a\xf1\xa3\x92\x92\xf4\xfe\x78\xd7\x1d\xbf"
  1121. "\x99\x1b\x1b\x55\xdf\xde\xf8\x1e\x49\xee\x8e\xcf\x48\x4a\xfe\x6a\x1e\x9f"
  1122. "\x69\x1a\xdf\x2b\x97\x2e\xee\x8a\x37\x24\x25\x1f\x67\xa4\x22\xb6\xcc\x7a"
  1123. "\xe7\xf5\x4e\xfc\xcb\x51\xd5\x1b\xb7\x73\xfb\xe2\xfb\xbd\x71\x00\x00\x00"
  1124. "\x00\x00\x9c\x07\x86\x6e\x6b\x3a\x7f\x37\x8c\xc3\xfa\xfd\xf8\xed\xf9\x75"
  1125. "\xd3\xeb\x03\xfe\xfc\x7a\xa4\xe9\xfc\xbc\x5b\xfe\xeb\x8e\x76\xdf\x01\x00"
  1126. "\x00\x00\x00\xe8\x14\x4e\xfd\x79\xc9\xb4\x6d\xab\x7a\xee\x1a\xe1\x1e\x1e"
  1127. "\x37\x2a\xfc\x2f\x43\x24\x39\x87\x1b\xff\x23\x0e\xdd\x71\xce\x8d\x78\x4b"
  1128. "\xa9\x0e\x8b\x88\xad\x56\x35\x26\xb2\xd8\xd8\x42\x6b\x19\x86\x97\x8d\x0e"
  1129. "\x1b\x23\x13\x51\x1d\xba\x7f\xde\xbe\xdb\x3c\xb9\x15\x5e\x5b\x49\x1c\xb1"
  1130. "\xa7\x6d\x6b\xf4\x9c\xd6\xef\x0f\x00\x00\x00\x80\xd3\x73\x70\xd6\x77\x3d"
  1131. "\xda\x84\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1132. "\x00\x00\x00\x00\x00\x00\x00\xe8\x40\xc7\x7f\x30\xd8\x66\xf0\x5c\xff\xd6"
  1133. "\x9f\x27\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1134. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x74\xba\x5f\x01\x00\x00"
  1135. "\xff\xff\x6a\x2f\x10\x85",
  1136. 708);
  1137. syz_mount_image(/*fs=*/0x2000000000c0, /*dir=*/0x200000000200, /*flags=*/0,
  1138. /*opts=*/0x200000000ac0, /*chdir=*/5, /*size=*/0x2c4,
  1139. /*img=*/0x200000000dc0);
  1140. syz_proconfig_set__sys_module_sg_parameters_def_reserved_size(/*val=*/0x1f);
  1141. res = syscall(__NR_getpgrp, /*pid=*/-1);
  1142. if (res != -1)
  1143. r[11] = res;
  1144. *(uint64_t*)0x200000000040 = 9;
  1145. syscall(__NR_set_mempolicy,
  1146. /*mode=MPOL_F_RELATIVE_NODES|MPOL_BIND|0x2000*/ 0x6002ul,
  1147. /*nodemask=*/0x200000000040ul, /*maxnode=*/3ul);
  1148. syscall(__NR_shmget, /*key=*/0ul, /*size=*/0x3000ul,
  1149. /*flags=SHM_HUGETLB*/ 0x800ul, /*unused=*/0x200000ffa000ul);
  1150. memcpy((void*)0x200000001b40, "/proc/stat\000", 11);
  1151. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  1152. /*file=*/0x200000001b40ul, /*flags=*/0, /*mode=*/0);
  1153. if (res != -1)
  1154. r[12] = res;
  1155. res = syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x5441, /*arg=*/1ul);
  1156. if (res != -1)
  1157. r[13] = res;
  1158. memcpy((void*)0x200000001b80, "/dev/null\000", 10);
  1159. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  1160. /*file=*/0x200000001b80ul,
  1161. /*flags=O_NOATIME|FASYNC|O_APPEND*/ 0x42400, /*mode=*/0);
  1162. if (res != -1)
  1163. r[14] = res;
  1164. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=SOCK_DGRAM*/ 2ul,
  1165. /*proto=*/0);
  1166. if (res != -1)
  1167. r[15] = res;
  1168. memcpy((void*)0x200000000100,
  1169. "security\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
  1170. "\000\000\000\000\000\000\000\000\000",
  1171. 32);
  1172. *(uint32_t*)0x200000000120 = 0;
  1173. *(uint32_t*)0x200000000124 = 0;
  1174. *(uint32_t*)0x200000000128 = 0;
  1175. *(uint32_t*)0x20000000012c = 0;
  1176. *(uint32_t*)0x200000000130 = 0;
  1177. *(uint32_t*)0x200000000134 = 0;
  1178. memset((void*)0x200000000138, 0, 20);
  1179. *(uint32_t*)0x20000000014c = 0;
  1180. *(uint32_t*)0x200000000150 = 0;
  1181. *(uint32_t*)0x200000000200 = 0x54;
  1182. syscall(__NR_getsockopt, /*fd=*/r[15], /*level=*/0x29, /*opt=*/0x40,
  1183. /*val=*/0x200000000100ul, /*len=*/0x200000000200ul);
  1184. *(uint32_t*)0x200000001bc0 = 0;
  1185. res = syscall(__NR_accept4, /*fd=*/-1, /*peer=*/0ul,
  1186. /*peerlen=*/0x200000001bc0ul, /*flags=*/0ul);
  1187. if (res != -1)
  1188. r[16] = res;
  1189. memcpy((void*)0x200000001c00, "/proc/sys/net/ipv4/tcp_congestion_control\000",
  1190. 42);
  1191. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  1192. /*file=*/0x200000001c00ul, /*flags=*/1, /*mode=*/0);
  1193. if (res != -1)
  1194. r[17] = res;
  1195. memcpy((void*)0x200000001c40, "/proc/vmstat\000", 13);
  1196. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  1197. /*file=*/0x200000001c40ul, /*flags=*/0, /*mode=*/0);
  1198. if (res != -1)
  1199. r[18] = res;
  1200. memcpy((void*)0x200000001c80, "./binderfs2/custom0\000", 20);
  1201. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  1202. /*file=*/0x200000001c80ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
  1203. if (res != -1)
  1204. r[19] = res;
  1205. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/2ul, /*proto=*/1);
  1206. if (res != -1)
  1207. r[20] = res;
  1208. memcpy((void*)0x200000001cc0, "/dev/ttyS3\000", 11);
  1209. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  1210. /*file=*/0x200000001cc0ul,
  1211. /*flags=O_TRUNC|O_EXCL|FASYNC*/ 0x2280, /*mode=*/0);
  1212. if (res != -1)
  1213. r[21] = res;
  1214. res = syscall(__NR_socket, /*domain=*/1ul, /*type=SOCK_DGRAM*/ 2ul,
  1215. /*proto=*/0);
  1216. if (res != -1)
  1217. r[22] = res;
  1218. res = syscall(__NR_getpgrp, /*pid=*/0);
  1219. if (res != -1)
  1220. r[23] = res;
  1221. res = syscall(__NR_getpgrp, /*pid=*/0);
  1222. if (res != -1)
  1223. r[24] = res;
  1224. *(uint32_t*)0x200000001740 = 0xc;
  1225. res = syscall(__NR_getsockopt, /*fd=*/r[14], /*level=*/1, /*optname=*/0x11,
  1226. /*optval=*/0x200000001640ul, /*optlen=*/0x200000001740ul);
  1227. if (res != -1)
  1228. r[25] = *(uint32_t*)0x200000001640;
  1229. *(uint64_t*)0x200000002780 = 0;
  1230. *(uint32_t*)0x200000002788 = 0;
  1231. *(uint64_t*)0x200000002790 = 0;
  1232. *(uint64_t*)0x200000002798 = 0;
  1233. *(uint64_t*)0x2000000027a0 = 0x200000001780;
  1234. *(uint64_t*)0x200000001780 = 0x1c;
  1235. *(uint32_t*)0x200000001788 = 1;
  1236. *(uint32_t*)0x20000000178c = 2;
  1237. *(uint32_t*)0x200000001790 = r[23];
  1238. *(uint32_t*)0x200000001794 = 0;
  1239. *(uint32_t*)0x200000001798 = 0xee01;
  1240. *(uint64_t*)0x2000000017a0 = 0x1c;
  1241. *(uint32_t*)0x2000000017a8 = 1;
  1242. *(uint32_t*)0x2000000017ac = 2;
  1243. *(uint32_t*)0x2000000017b0 = r[24];
  1244. *(uint32_t*)0x2000000017b4 = 0;
  1245. *(uint32_t*)0x2000000017b8 = 0;
  1246. *(uint64_t*)0x2000000017c0 = 0x1c;
  1247. *(uint32_t*)0x2000000017c8 = 1;
  1248. *(uint32_t*)0x2000000017cc = 2;
  1249. *(uint32_t*)0x2000000017d0 = r[25];
  1250. *(uint32_t*)0x2000000017d4 = 0;
  1251. *(uint32_t*)0x2000000017d8 = 0;
  1252. *(uint64_t*)0x2000000017e0 = 0x1c;
  1253. *(uint32_t*)0x2000000017e8 = 1;
  1254. *(uint32_t*)0x2000000017ec = 1;
  1255. *(uint32_t*)0x2000000017f0 = r[15];
  1256. *(uint32_t*)0x2000000017f4 = r[20];
  1257. *(uint32_t*)0x2000000017f8 = r[22];
  1258. *(uint64_t*)0x2000000027a8 = 0x80;
  1259. *(uint32_t*)0x2000000027b0 = 0;
  1260. *(uint32_t*)0x2000000027b8 = 0;
  1261. syscall(__NR_sendmmsg, /*fd=*/r[22], /*mmsg=*/0x200000002780ul, /*vlen=*/1ul,
  1262. /*f=MSG_BATCH|MSG_CONFIRM*/ 0x40800ul);
  1263. memcpy((void*)0x200000001d00, "./bus\000", 6);
  1264. res = syscall(__NR_stat, /*file=*/0x200000001d00ul,
  1265. /*statbuf=*/0x200000001d40ul);
  1266. if (res != -1)
  1267. r[26] = *(uint32_t*)0x200000001d58;
  1268. res = syscall(__NR_getegid);
  1269. if (res != -1)
  1270. r[27] = res;
  1271. *(uint64_t*)0x200000001ec0 = 0x2000000000c0;
  1272. *(uint16_t*)0x2000000000c0 = 0;
  1273. *(uint8_t*)0x2000000000c2 = 0;
  1274. *(uint32_t*)0x2000000000c4 = 0x4e24;
  1275. *(uint32_t*)0x200000001ec8 = 0x6e;
  1276. *(uint64_t*)0x200000001ed0 = 0x200000001680;
  1277. *(uint64_t*)0x200000001680 = 0x200000000140;
  1278. memcpy(
  1279. (void*)0x200000000140,
  1280. "\xdc\x94\x43\xb7\x7e\x18\x9a\x09\xed\xac\x13\xa3\xcd\x76\xa5\x1b\x19\x26"
  1281. "\x9c\x29\x3c\x7a\x94\xbc\xd1\xfd\x99\xe0\xa1\x72\x98\x3a\x65\xd2\xf4\x9a"
  1282. "\x15\x6c\x50\xe4\x90\x22\xca\x9f\x59\x5a\x68\x10\xa0\xce\x3c\xed\x0f\xcf"
  1283. "\x68\x42\x32\x88\x5f\x28\xf0\xd3\x4d\x7b\x46\x3d\xd1\x4d\x59\xa4\xb6\x24"
  1284. "\x2e\x32\x0f\x34\x41\x70\x85\x44\xc6\x3b\x06\x03\xb4\x73\x4d\xc4\x1f\x24"
  1285. "\x02\x09\x97\xee\x84\x8e\xb8\x6a\x66\x02\xc0\xfc\xc2\xa5\xb9\x77\x93\xf6"
  1286. "\xe0\x26\xa5\x5a\xd8\x33\xdd\xd5\xd5\xfb\xb7\x97\xf6\xa1\x99\xd6\x26\x0a"
  1287. "\x12\x61\xa3\x25\x4c\x9b\xba\x05\x33\xb6\x6a\x57\x38\x1f\x13\x4a\x07\x28"
  1288. "\x77\xc9\x5b\x8a\x98\xee\x04\x55\x98\x34\xce\x38\xcf\xc9\x38\x34\xa6\x1d"
  1289. "\x5c\x25\x65\x44\x99\x82\x46\x47\x33\x2e\xd0\x57\xf6\x67\x4f\x57\x8a\x12"
  1290. "\x9e\x44\x51\x1a\x07\x62\x13\x44\xc1\x58\xc4\x7a\xfd\x06\x83\xfc\xdf\xcd"
  1291. "\x0c\x01\x73\x4e\xe8\xe7\xd3\xf9\x58\x18\x5c\xda\xfd\x00\x6d\x77\x3b\x65"
  1292. "\xdf\x53\x60\xa4\x46\xdb",
  1293. 222);
  1294. *(uint64_t*)0x200000001688 = 0xde;
  1295. *(uint64_t*)0x200000001690 = 0x200000000240;
  1296. memcpy(
  1297. (void*)0x200000000240,
  1298. "\x9c\xa1\x77\xd5\xb6\x53\x52\x9c\x5b\xd4\x6a\xb2\xed\xab\xd2\xce\xec\x82"
  1299. "\x5b\x40\xf0\xb8\x56\x2a\x32\xf1\xc0\xdc\xbf\x9a\xce\x09\xf3\x95\x04\xc4"
  1300. "\xc7\xc8\x0a\x6e\xf6\xdf\x65\x1b\xdc\x3c\xe7\x73\x5d\x79\xf1\xfb\xe5\xf6"
  1301. "\x0a\x31\x80\xd6\xe5\xc7\x1e\x22\x8e\x13\xde\x17\x82\xd0\xc5\x66\x39\xf1"
  1302. "\x89\x15\x02\x8b\x6b\xfc\xa7\x57\x6b\x96\x48\x0a\x6c\x46\x5a\x4f\xca\x7e"
  1303. "\x79\x06\xd1\x37\x99\x85\x4c\xf5\x87\x6b\xe2\x94\x97\xd7\x2d\x1f\x9b\x8f"
  1304. "\x3a\x41\xa6\x97\x99\xc4\xd8\x7d\x94\xe2\xc0\x53\xab",
  1305. 121);
  1306. *(uint64_t*)0x200000001698 = 0x79;
  1307. *(uint64_t*)0x2000000016a0 = 0x2000000002c0;
  1308. memcpy((void*)0x2000000002c0, "\xd5\xaa\x95\x07\xdf", 5);
  1309. *(uint64_t*)0x2000000016a8 = 5;
  1310. *(uint64_t*)0x2000000016b0 = 0x200000000300;
  1311. memcpy((void*)0x200000000300,
  1312. "\xe6\xb5\x1b\x63\x8a\x9e\x59\x0d\xa2\x64\xd1\x7b\x02\x82\x13\x63\xc7"
  1313. "\x25\xe3\x17\x8a\xad\x55\x75\xb3\x10\x6a\x8f\xc5\xd9\xfe\xa6\x9e\x60"
  1314. "\x49\x8b\xb3\xf2\x85\x1c\xe6\x7b\x34\xdc\x58\x92\x37\xea\xb2\xd1\xe8"
  1315. "\xa4\x64\x86\x95\x31\x53\x43\xf8\x02\x45\x25\x63\xde\xe1\x10\xec\xa0"
  1316. "\x46\xe6\x81\x9f\x24\x2d\xec\x9d\x9c\x9e\x3d\x56\x84\x69\x57\x9c\xaa"
  1317. "\x08\x5e\xb0\xca\x4d\x21\x79\x18\xda\x19\x1f\xa7\xd4\xee\x7b\xf6\x0d"
  1318. "\xeb\x8a\xe4\x2e\xd4\xf2\xf7\xe2\x4d\x66\x3b\x23\xda\x5a\xe9\x58\x4a"
  1319. "\xa8\x97\xd5\x45\x3c\xc3\xa6\x7d\x99\x0f\x62\x5c\x41\x36\x4f\xfe\xea"
  1320. "\x09\xbf\x16\x1b\x4e\x98\xe8\xf6\x43\x7a\x58\xb4\xfa",
  1321. 149);
  1322. *(uint64_t*)0x2000000016b8 = 0x95;
  1323. *(uint64_t*)0x2000000016c0 = 0x2000000003c0;
  1324. memcpy(
  1325. (void*)0x2000000003c0,
  1326. "\xcf\xc1\x87\x05\xed\x8d\x17\x36\x39\x6d\x28\x20\x86\xa0\xac\xc9\x33\x43"
  1327. "\x88\x0a\x97\x4b\x42\xd3\x32\xcc\x56\x46\xb5\xef\xc9\x99\x0e\xdd\x04\xa8"
  1328. "\xf6\x52\xc4\x09\x59\x90\x94\xa7\xe5\xde\x67\x5a\x1f\xa2\x1d\x20\xd5\x1d"
  1329. "\x78\x51\x52\x1a\xfe\x72\xd0\x94\x18\xfc\x22\x96\x55\x78\xae\xc9\x3a\x8a"
  1330. "\xe4\x55\x6f\xc5\xb1\xac\x45\x68\x25\x9b\x7b\xdd\x42\x5e\x3f\xe2\xf5\xed"
  1331. "\x80\x31\x37\xa9\xbf\xeb\xa8\x19\x1d\x3b\xdb\x51\x42\xf0\x17\x9e\xd0\x6d"
  1332. "\x66\x4e\x03\x6d\xab\xf0\xc3\xbb\xa3\x09\x43\x20\x2a\xa2\x86\x18\xfd\x6a"
  1333. "\x3f\xcc\xa5\xdd\xca\xa4\x6f\x9c\x97\x7f\xb3\xac\xb6\x05\xe2\x29\x07\xb0"
  1334. "\xde\xc4\xb1\x38\xcc\xb2\xe8\xce\x0f\xe1\x92\xd2",
  1335. 156);
  1336. *(uint64_t*)0x2000000016c8 = 0x9c;
  1337. *(uint64_t*)0x2000000016d0 = 0x200000000480;
  1338. memcpy(
  1339. (void*)0x200000000480,
  1340. "\x59\x69\x62\xc2\x71\xad\xa6\xeb\xdb\xa0\xd7\xff\x1b\xb3\x98\xc8\x06\xb6"
  1341. "\x97\x09\x33\x09\x49\xd9\xd6\x2c\xa6\x2f\x11\xa2\x4f\x7d\x70\x24\xb3\xe6"
  1342. "\x56\x04\x9e\x5f\x39\x18\x29\x23\xcf\x2f\xa0\xe9\x84\x56\x24\x25\x54\x57"
  1343. "\xee\xaf\x15\xd7\x3e\xca\x90\x15\xcd\x33\xf6\x9d\x45\xd2\xf9\x3f\x92\x9c"
  1344. "\x53\x9a\xf1\x8e\x32\x92\x09\x6b\x94\xb0\xbf\x4d\x0e\x97\x4d\x3f\x6b\x9d"
  1345. "\x65\xfa\x90\x10\x6e\x1f\xc8\x22\x3e\x65\x34\x78\x73\xfe\x2d\x90\xc6\xc0"
  1346. "\x9f\xe8\x29\xd3\xe0\x92\x37\x11\xdf\x90\x00\x2c\x5b\x88\x54\x74\x8b\x33"
  1347. "\xcb\x61\x05\x8d\xae\x40\x8f\x8d\x93\x2b\x0f\xe0\x33\x40\xa5\x2f\x9d\xc2"
  1348. "\xc2\xf2\x26\x3a\xdf\xa6\xf6\xbf\x3c\x44\xbe\x6f\xe7\x07\x8a\x24\x42\x2a"
  1349. "\xc0\x1c\xb9\xc1\x4d\xf2\x2e\xa4\xa4\xb7\x59\x46\x3a\x46\x05\xa8\xf5\x65"
  1350. "\x41\xfa\x09\x0a\x2b\x43\x3a\x80\xa2\xb6\x72\x88\x04\x02\xf4\xa5\x6f\x73"
  1351. "\x47\x23\x07\xab\xff\x5b\x77\x10\x9c\xc4\x9c\x27\x90\x8c\x7a\xb4\xcd\x4d"
  1352. "\x28\xe7\x22\xcf\x50\x43\x4c\x16\x22\x8f\x39",
  1353. 227);
  1354. *(uint64_t*)0x2000000016d8 = 0xe3;
  1355. *(uint64_t*)0x2000000016e0 = 0x200000000580;
  1356. memcpy(
  1357. (void*)0x200000000580,
  1358. "\x26\xd9\x09\x87\x63\x93\x10\x2e\x00\xf6\xaa\xc9\x4c\x34\x35\x3b\xb8\xa6"
  1359. "\x04\xc6\x0e\xfb\x81\x84\x5b\x30\xd8\xe7\x78\x49\xfd\x2d\x53\x1e\xca\x63"
  1360. "\xa7\xb8\xbf\xf2\x86\x6b\x1d\x9a\x10\xfa\x5b\x35\x85\x23\x80\xbe\x61\x2a"
  1361. "\xaa\x51\xaa\x9d\x9d\xb0\x4c\x9e\xe9\x3b\xae\xdf\xc0\x8c\x47\x0a\xb9\xaf"
  1362. "\xfc\x5d\x20\xd4\xf6\x2e\xe8\xd9\x17\x01\x26\x5f\xfc\x41\xad\x7d\x85\x16"
  1363. "\x9c\x95\xc0\xb4\xeb\x2d\x55\x94\x4e\x75\x21\xca\x7e\x82\x9b\xe9\x1a\x72"
  1364. "\xd1\x22\x2a\x8c\x76\x7c\x4e\x24\x82\x96\xf2\xb9\x28\x3a\xbe\xd7\xa8\xc2"
  1365. "\x93\x33\xfa\x2c\x21\x7b\x8a\x06\x41\x76\x91\x0e\x44\xf6\x0f\xdb\x02\xd3"
  1366. "\xb5\xca\x83\x96\xe8\x62\x6b\xa7\x46\xda\x9d\x2e\xb4\xb0\x2a\xb9\xa9\x20"
  1367. "\xd3\x2f\x77\xd0\x6b\x98\x1f\x56\x45\x33\x61\xa1\x37\x71\xdb\xfa\x66\x32"
  1368. "\xba\x8e\x29\xfd\x79\x45\x5a\x98\x37\x62\xfd\x86\x23\x8f\xcf\x9e\xa1\x00"
  1369. "\xa5\x37\x06\x75\x2e\x02\x41\xdc\x6a\x52\xaa\x44\x36\xa8\xfc\x59\xb1\x5d"
  1370. "\xd0\xd7\x16\xc7\x30\xfa\x52\xce\x11\x40\x44\x98\x6c\x5b\x06\x42\x63\x3b"
  1371. "\xbc\x47\x8b\xfe\x3d\xbb\xb5\x1a\x56\xd3\x01\x46\x11\x66\xd9\x35\xd2\x7a"
  1372. "\x2c\x38\x82\xcd\x79\xd7\xa6\xb8\x7b\xc9\xb5\x2e\xab\xa7\x35\xc5\xad\x5a"
  1373. "\xda\xbf\x4b\x77\x2c\x23\x85\xd5\x64\xa4\x46\xfd\x18\x41\x1e\xc5\xe2\xff"
  1374. "\x75\x43\x8a\x59\x35\xd4\xad\x2d\xc9\xc4\x56\x73\x62\x56\x8c\x5c\x6d\x36"
  1375. "\x13\xb8\xe3\xd8\xef\x68\xb1\x71\x13\x36\xb7\x4b\xd6\xad\x78\x76\x3a\x1e"
  1376. "\x8e\xce\x90\xf9\x55\x17\x48\x8e\x74\x08\x42\xf3\x7f\xcf\x09\x63\x13\x60"
  1377. "\x07\x24\xee\xc8\x02\xfd\x9e\x9a\x9e\x85\x71\x97\xb5\xd3\x15\x02\x24\xd7"
  1378. "\x84\x35\xf5\x60\x46\xf9\x80\x9d\x15\x24\xa4\x2f\x07\xf3\xb5\x5a\x65\xf4"
  1379. "\x53\x7c\x34\x42\xcf\xd0\x78\x52\x1d\x25\x23\x9e\x4a\x8a\x81\x2e\xf1\x56"
  1380. "\xe1\xdc\xcb\xdc\x0d\xd1\x58\xc7\xab\x9b\xa8\x91\xf4\x01\x32\xf7\xdc\x66"
  1381. "\xe0\xa1\x33\xee\xe3\xad\xb9\xb8\x92\x0b\x90\xcb\x30\xc2\x54\x08\x08\x18"
  1382. "\x69\xbe\xf7\x12\xfa\x07\xe5\x38\xcc\x16\xf3\x8b\x05\x5b\xe0\xc9\x0d\x2e"
  1383. "\x94\x58\xc0\xec\x21\x32\x68\x0e\xf5\x1a\xe5\x45\xfa\x4b\xc5\x8f\x2d\x34"
  1384. "\x99\x31\x10\x14\x57\xce\x97\x6c\x68\x75\x54\xde\x50\xd7\xd4\xfd\x69\x9b"
  1385. "\x41\xda\x31\xb0\x6a\x4d\xd8\x0f\x8a\x53\xfa\x6d\xc9\x99\x0d\xf7\x8f\xd2"
  1386. "\xa3\x69\xc9\x6b\x87\x1a\x8c\xd0\xe6\xc5\xfa\x89\x14\xa6\x75\xae\x29\x9c"
  1387. "\x27\xf9\xb4\x0c\xdf\x79\x8c\xb6\x1c\x65\x27\x62\xd1\x40\x53\xee\xd1\xf6"
  1388. "\xe1\x66\x1b\x27\xb2\x79\x1c\xd1\xda\xdf\x1c\x9f\xeb\x4c\xa5\x0e\xa6\x5f"
  1389. "\xbf\xec\x0a\xa1\x86\xc5\xd9\xd7\x8a\x1f\xb6\xcd\xc6\x4a\x19\xd2\xca\xd3"
  1390. "\x80\x75\xe1\x12\x13\x5b\xe8\x8c\x2d\x4e\x99\xa3\xc3\x32\x00\xa3\xfa\xa1"
  1391. "\x5d\x5d\xee\xdf\x12\xdd\x0f\x78\xa6\x82\x92\x16\xdb\x69\xcc\x88\x56\x6d"
  1392. "\xf7\x23\x8f\x08\x1a\x99\x91\x4f\x31\xd4\xd6\x57\x2c\x75\x5d\xc3\xcf\x97"
  1393. "\x86\x80\x07\x5d\x1c\x6d\xaa\x43\x27\xd4\xbb\xe0\x87\x4b\xe7\xc7\xe5\x3c"
  1394. "\xc6\x82\x8f\x63\x77\x90\x78\x54\xf3\xf8\x11\x7f\x50\xce\xf0\xf4\x28\x1e"
  1395. "\xdf\x3d\xf5\xcb\x17\x7a\xbb\xce\x5d\xa0\xd1\x65\x4b\xa5\xee\x14\xd6\x28"
  1396. "\x26\xc5\x3f\xf8\xa2\x59\x4e\xdf\xef\x67\x35\x18\x22\x2d\x60\xf1\x76\x3f"
  1397. "\x35\x5d\xac\xb7\x33\x18\xdc\x79\x89\x81\x22\xe6\x88\xc4\xae\x2f\xe8\x57"
  1398. "\x46\x5c\x52\x17\xee\xb2\xa6\x4a\x6d\x27\xe6\x9d\xdc\x78\x79\xf5\x78\xe6"
  1399. "\x0a\xb8\x3a\xdb\xa7\xa2\x22\x9b\xc5\xa7\x48\x6a\x49\x09\xa9\xd4\x6e\xbc"
  1400. "\x60\xd4\x43\x88\xb4\xce\xdf\x1e\xfe\x03\xc9\x33\x73\xce\x9d\x41\x69\x79"
  1401. "\x8f\xae\x28\xe9\x9c\x2b\x0c\xbf\x8b\x67\xca\x4d\xf7\xb5\x18\x3d\xa4\xef"
  1402. "\xf3\x84\x34\x5f\x5c\xb2\x92\x02\x08\x5b\x55\xbd\x65\xcd\x9a\xd8\xb5\x81"
  1403. "\xf0\x12\xd2\x4c\xb9\xc6\x6b\xe9\x22\x19\x2a\x8c\x3c\xec\x77\x01\x14\xd5"
  1404. "\x09\xf9\x2e\xd1\x2d\x4e\x3a\xf2\x20\xe0\x19\xee\x5b\x72\x14\x52\x49\x56"
  1405. "\x8d\x80\xee\xd6\x48\xe3\x59\x24\xc2\xc2\xc1\x00\xc8\xc6\xdc\x45\x00\x7a"
  1406. "\x7a\xa0\x59\xd8\x26\xa4\x0d\xbe\x84\x44\x3d\x53\xdc\x6c\xd6\x26\xe1\xf8"
  1407. "\xab\xdc\x43\x5b\xc8\xd6\x05\x33\xda\xb0\x14\x14\xd4\x4b\x9a\xb7\xce\x93"
  1408. "\x97\x7c\xc4\x4f\x44\x5e\xd1\x7f\xc4\x37\xa0\x94\x0b\xce\x98\x6b\x23\xd7"
  1409. "\x2f\x97\xad\xd9\xb9\x47\xae\x4d\x3e\xf1\xca\x2e\x17\x9f\x4d\xe1\xc7\x45"
  1410. "\x0b\x71\xac\x54\x46\x38\xbe\x96\x49\xc4\x31\x70\x01\xd9\x89\x3a\x6d\xf1"
  1411. "\x12\x75\xc3\xc5\x4b\xb0\x8f\x58\x2d\x63\xe2\x13\x3e\xba\x4d\x17\x8e\xa6"
  1412. "\xea\xf7\xdc\x4b\x82\x51\xe6\x3a\x0b\x92\xd3\xef\x76\x75\x63\xbd\x07\x7d"
  1413. "\x00\x60\xaa\x63\x82\x76\xb5\x38\x3d\x27\x79\x5e\x7e\xc8\x7a\xa7\x55\x87"
  1414. "\xc6\xd1\xae\xb6\x54\xe3\x6c\x9c\xa4\x55\x92\xa1\x0e\x29\x0b\x7c\xf8\x8c"
  1415. "\x81\x28\x75\xf3\xe0\xd3\x53\xe5\x91\x34\x27\x06\x1b\x32\xf2\x6a\xe0\x97"
  1416. "\x48\x4f\xb1\x5b\xc5\x1c\x75\xa2\x87\xed\x88\x99\x96\x5f\xa5\xb7\xa2\x3a"
  1417. "\x70\x0d\xfe\xe8\x9e\x1a\xa4\x56\xfd\x58\x91\x36\x90\xef\xee\x76\xe1\xf1"
  1418. "\xa6\x4d\xee\x59\x88\x27\x2a\x0a\x9e\x40\xe6\x8b\xb4\x6b\x66\x6d\x9d\xe2"
  1419. "\x4e\xed\xe5\x94\x4c\x29\x3e\xf7\xe7\x48\xe9\xaf\xb2\xbd\x57\x24\xdd\x9c"
  1420. "\x6d\xd5\x27\x74\x45\xe9\x60\x5c\x8a\xcf\xd2\xeb\x5e\xe9\xf9\x7d\xd2\xbb"
  1421. "\xbf\x8c\x31\x96\x06\x81\x3b\xf8\xe4\x60\xac\x55\x3b\x1e\xba\xf8\x93\x88"
  1422. "\xa0\xfe\xc9\x86\xbb\x5f\xfb\xb3\x22\xab\x41\x81\x0f\xd4\x01\xde\xed\x21"
  1423. "\x7c\xa8\x6a\x22\x9b\x7b\x1d\x0b\xa9\xea\x51\x8e\x0b\x20\x09\xed\xe1\xac"
  1424. "\xc6\x0b\x63\x5d\xe5\x47\x7d\x7c\x7a\xaf\xf1\x38\x92\x28\x8c\x05\x7e\x60"
  1425. "\xbe\xd6\xbe\xb2\xf4\x3f\x6a\x21\xa2\x8a\x1f\x9f\x31\x28\x94\x90\xe1\xa4"
  1426. "\xd3\xff\x41\x43\x4a\x99\x1c\x77\x26\xed\x1b\xfc\xfb\x68\x93\x46\x18\x6a"
  1427. "\x85\x38\xea\x11\xcb\x98\x2b\x09\x9c\xce\x02\xf1\xce\x99\x72\x05\xd8\xda"
  1428. "\x4e\x80\xd2\xf4\x58\xbb\xe2\xd2\x45\xa5\x2d\x66\x46\x58\x9c\x73\x93\x92"
  1429. "\x21\x10\x55\x23\x71\x7f\x1b\x9f\x88\x5b\xb0\x7b\x7e\xb9\x67\x4d\x21\xae"
  1430. "\xd6\x46\x6c\x70\x8f\xab\x0b\x02\x01\xb3\xd6\x08\x73\x5d\x64\xc8\xea\x25"
  1431. "\x83\xbd\x10\xd2\xd1\xd3\x42\x4e\xe1\x23\xd2\x6f\x45\xcf\xf5\xe9\x76\x94"
  1432. "\x6a\x48\x84\xdd\x34\xe4\x86\x7a\x93\x1e\x4b\x76\x3f\x9c\xee\xcb\xca\x96"
  1433. "\x19\x04\x8d\x6b\xf5\x36\xc4\xd2\x31\xd3\xde\x0c\xfd\x46\x60\xf8\xf4\x1b"
  1434. "\x3c\x7d\x01\x4c\xf0\xaf\xc8\xc0\xf7\xdb\x38\x51\xc1\x79\x5e\xdb\xa6\xf4"
  1435. "\x4f\xea\x5b\xf8\x3d\xf2\xc1\x3c\x9e\x78\x9a\x2e\xbf\xc6\x6f\x93\x48\x55"
  1436. "\x2f\x65\xbe\xc8\xe8\x86\x53\x6b\x4f\xd6\xd0\x9a\xe2\x9d\x68\x0d\x6a\x73"
  1437. "\xbe\xff\x71\xc2\x17\xf4\x12\xf8\x4c\x73\xb5\x36\x81\x4a\x7b\x3d\xa5\x2e"
  1438. "\x2c\x27\x14\x9d\x88\x84\x11\xf7\xed\x31\x5d\xf2\x40\xdf\x0f\xfa\xf6\x52"
  1439. "\xd0\x3a\xd0\x88\xce\x25\x5d\xad\x0e\x5a\xc2\x7a\x29\x6c\xd9\xec\x01\xb2"
  1440. "\xaa\x8c\x1e\x42\x1b\xfb\x05\xd0\xab\x41\x48\x84\x83\xcb\x7c\x74\x84\x5c"
  1441. "\x66\xe7\xd7\xae\xaf\x56\x57\x1e\xe5\xb7\x2e\xf4\x80\xb3\x78\xbf\xb8\xd7"
  1442. "\xa5\xe9\xea\x4a\x70\x8a\xa5\xd7\x66\xc4\x75\xbf\xa5\x31\x88\x7c\x73\x2b"
  1443. "\x4d\x86\x28\x8c\x71\x9d\x22\x70\x5b\x30\xb3\x0c\xeb\x38\xd8\xf3\xac\xe3"
  1444. "\xac\x51\x28\x6b\xd5\x87\x93\x72\x59\xa5\xd9\xf6\x4d\xc2\xf0\x41\x7e\xb2"
  1445. "\xfe\xb1\x06\x03\xaa\x4e\x83\xce\x65\x59\x1a\x8f\x5a\xc0\xff\x50\xa8\xe6"
  1446. "\x19\xd1\x60\x8f\x4f\xe4\xc2\x47\x48\xa5\x0b\xe8\xa0\xd2\xcf\xf0\x32\x77"
  1447. "\x60\x2b\xcd\xa7\x6f\xfd\x3c\xb3\xad\x00\x22\xe8\xa5\x11\x47\xed\x53\x42"
  1448. "\xaf\x37\x32\xbd\x59\x1f\x0d\x03\x60\xcf\x4e\x2a\x60\x5f\x35\x72\x39\x40"
  1449. "\xcc\x47\x00\xce\xb1\x28\x53\x0b\xe2\xba\x2b\xd8\x73\x81\xa1\x73\xd5\x24"
  1450. "\xf7\x1b\x96\xd7\xd8\xe4\x91\xd3\x51\x66\xf4\x41\xb2\x0a\x3c\xbd\xaf\x0e"
  1451. "\xad\xed\xac\x2d\xbe\x50\xfe\x79\x76\x42\xe2\x30\xc8\x77\xe8\xd0\xf6\xf0"
  1452. "\x35\x95\x7d\x5d\x3f\x58\x4e\xcc\x60\x79\x65\xe9\x55\x03\x24\x66\xdf\xc8"
  1453. "\x66\xe4\x25\x14\x6f\xfe\x4d\x3b\x41\x69\x1b\xcb\xce\xca\xc7\x67\x53\x54"
  1454. "\xe3\x56\xaf\x5b\x0a\xa3\x74\x2c\x0f\x57\x2b\xe1\x16\x81\x07\x5a\x03\xdf"
  1455. "\x6d\x3d\xab\x8f\xed\xcb\x98\x56\x19\xc0\xc8\x3f\xc9\xe8\x82\x4d\x51\x37"
  1456. "\xd4\x80\x10\x88\x92\x18\x30\xbe\x2a\x58\xfc\xd2\xd9\xab\x9d\xeb\xd6\x14"
  1457. "\x3a\xd5\xe2\x4e\xd3\x3c\xd9\x7c\xaa\xaf\xc4\x48\x70\x3b\xcb\x09\x8e\x6e"
  1458. "\xc4\xf1\xa8\xc7\x35\x1a\xc5\x03\xc5\xae\x76\xda\x90\x72\xe3\xa9\xea\xcc"
  1459. "\x32\x17\x05\x4e\xdc\x48\x0a\x06\xb0\x28\x02\x3a\x49\xad\xf5\x8e\x06\x3b"
  1460. "\xdb\x9b\x2a\x24\x9e\x22\xff\xa5\xb6\x17\x15\x7e\xc3\xa0\xc7\x44\xd1\xcb"
  1461. "\xe8\xd4\xf0\xb5\x9f\x62\x80\x1e\x7e\x34\x4d\x21\x80\x5a\x68\x72\xc6\x28"
  1462. "\xab\x15\x49\xa5\xd1\xfa\x0d\xb5\x55\xd9\x26\x40\x92\x44\xf9\xfb\x35\xb8"
  1463. "\x6d\x6f\xe2\x38\x93\xe3\x38\xd7\xd9\x75\x50\x81\x7e\x25\x71\xcc\xd0\xc5"
  1464. "\x1d\x45\x43\xcd\xfb\xd6\xd6\x25\x85\xb7\xd3\xcc\xdf\xae\x95\x84\x53\x72"
  1465. "\x47\x17\x72\xd9\x3f\x68\x46\x1d\xb3\x87\xbd\xc7\xfb\x5e\x89\x37\xe7\x71"
  1466. "\xa2\x35\x89\x41\x0b\xf7\xa3\xfe\xed\xed\x44\x41\xd8\xfb\x35\x55\xe3\xdd"
  1467. "\x07\xba\xc2\x66\x69\x5c\x69\x3d\x9f\xae\xc4\x54\x94\xa2\x66\x56\x50\x14"
  1468. "\x16\xa7\x88\x5e\xc0\x5e\x65\x31\x77\xac\x16\xe8\x5d\x6b\xb5\x2a\xc3\x05"
  1469. "\x59\x14\x91\x82\xcf\x4a\x8a\xc9\x6a\xe4\xbf\x58\xac\x5a\x46\xd5\x4a\xf0"
  1470. "\xe1\x57\x4b\xbc\x13\x7b\x29\xcf\x68\x00\x64\x84\x33\x87\x3e\x3b\xab\x9a"
  1471. "\x41\x64\x2f\x20\xf3\xc5\xbf\x13\x63\xab\xfc\xd0\x87\x29\xfa\xed\x48\x25"
  1472. "\x70\xe7\x0b\x28\x07\x40\x41\x14\x1b\xe8\x76\xa1\x02\x95\x83\x41\xc3\x99"
  1473. "\x2f\xec\x1c\xd2\x4c\x6b\x42\x5f\x86\x9e\xef\xc7\x61\x20\x66\xaf\xb5\xff"
  1474. "\xa4\xf0\x9d\xdd\x58\x4d\xd2\x60\x13\x86\x7b\x34\x84\x69\x22\x20\x5b\xa5"
  1475. "\xe4\x5d\x59\xc1\x52\x58\x19\x1f\xd6\x78\x65\x6e\xef\xba\x67\xad\xea\x38"
  1476. "\xcf\x77\xa2\x4f\x99\x65\x75\x45\x94\x09\x9a\xf1\x60\x9a\xa8\xa9\xe7\xda"
  1477. "\x10\xe9\x98\x07\x46\xfd\xb2\xbc\x32\xe5\xa9\x02\xbc\xd3\x91\xbb\xaf\xce"
  1478. "\x82\xc9\x2b\xc6\x14\xbc\x2e\xe1\xa6\x29\x19\x57\x28\x4f\x32\x85\x29\x1c"
  1479. "\x1b\x53\x93\x83\x9e\x5e\x5c\x55\x96\xd6\x75\x2e\x9e\xed\x9e\x40\x3d\xe5"
  1480. "\x69\x15\xb9\x90\xbd\x7e\xc2\xdf\x3b\x15\x0d\xe6\xfe\x1d\xf3\xc8\x05\xf8"
  1481. "\x34\x24\x24\x4f\x36\xab\x29\xb1\x09\xea\xec\x40\x30\xf4\x79\x0a\xb8\x8f"
  1482. "\x74\xf1\xe0\x67\x8a\x11\x90\xc9\xbc\x9f\xaf\xd8\xee\x90\x9c\x94\x70\x18"
  1483. "\x7f\xa3\x20\xf8\x61\xb3\x36\x34\xdf\x06\xa4\x4d\xd0\x0e\x04\xf4\x42\x8e"
  1484. "\x0f\x55\xd8\xaa\x7b\x85\xc3\x81\x54\xc6\x86\x19\xf2\x6d\x45\x59\x87\x05"
  1485. "\x25\x48\x69\x57\x99\x2d\xed\xdb\xf2\x11\xa0\x5f\xf1\x9a\x19\xb1\xe4\x7e"
  1486. "\x93\xf9\x66\xa2\xdd\x95\x0a\x48\xc9\xe3\x7a\x43\x74\x63\xb4\xad\x3d\x6a"
  1487. "\xeb\x95\x61\xb2\x50\x27\xf3\xd5\x0b\x09\x7b\x6e\x3c\x5a\xf7\xb2\xf0\x8d"
  1488. "\xe5\x38\xc6\x3e\x43\x47\xb3\x62\xed\x49\xb9\x8a\x7d\x5d\x04\x0d\xaf\x53"
  1489. "\x7a\x4d\x56\xbe\xb0\x65\x1d\x22\x36\x55\xad\x65\xbe\x4f\xb5\x95\xf2\xb4"
  1490. "\x39\x8b\x64\x0f\xb6\x55\x93\x2b\x03\xb6\x0b\xac\x8c\xa0\x44\xd2\x09\x3a"
  1491. "\xe9\xc3\xb4\x79\x27\x66\x97\x09\xa0\x41\x4f\x23\x78\x5e\xe3\x09\x62\xde"
  1492. "\xc3\xac\xde\xd5\x98\x0e\xe1\xd7\x70\x95\x65\x1d\xb2\xdb\x1a\xc1\x21\x6e"
  1493. "\x04\xba\xd4\x32\xf1\x2e\x01\x5e\x69\x24\x6f\xac\x64\xf5\xf2\x52\x74\xd1"
  1494. "\xa8\x29\xc1\xd1\x6b\xa8\x01\x62\xfe\x24\x9a\x67\xa1\x5e\x02\x8e\xa3\x3d"
  1495. "\xa2\xbe\x03\xe7\x4a\x06\xb1\x3d\xd8\x2a\x52\x02\x3d\xb9\xfc\x48\xc2\xc4"
  1496. "\xc2\x13\xae\x8a\xfd\x4b\x90\xc9\xf0\x22\xac\x3e\xa3\x5a\xaf\x12\x2c\x0c"
  1497. "\xee\xf1\x67\x4e\x66\x31\xe9\x09\x37\x01\x95\x8c\x64\xcc\x1e\x32\x5d\x97"
  1498. "\x6a\x46\x3d\x04\x5b\xf3\xc4\x41\x62\xcb\xb8\x33\x79\xeb\x64\x42\xe8\x43"
  1499. "\x5c\x88\xab\xc2\xdc\x95\x72\x77\xe3\x4c\xb8\x3c\x37\x29\x4f\x7b\xae\x51"
  1500. "\x50\x2b\x03\x13\x36\xae\x99\x72\x28\x23\x30\xd6\xef\xa7\x1a\xb3\x00\x82"
  1501. "\x0d\x4e\xbb\x32\xa7\x2b\xf6\x71\x38\x71\x9f\x1a\xf8\x90\xea\xfc\xc1\x75"
  1502. "\x0b\xa3\x9b\x63\x41\x78\x9a\xad\x93\xa9\x00\xce\x0e\xd5\x83\xcd\xdc\xc6"
  1503. "\xfc\x7b\x56\x4f\x1c\x85\x97\xf0\xa1\xfa\x37\x37\x3a\x9b\xe1\xc8\x1a\x17"
  1504. "\x88\xd9\x22\xe3\x4e\xba\x42\xe4\xed\x5b\x5d\xe1\xef\xef\xca\xee\x70\xa8"
  1505. "\x5b\xb2\xc8\x9d\x37\x60\xdf\x3e\x7f\x8e\x19\x4c\xdc\x7b\x93\x98\xc9\x4b"
  1506. "\x12\x4a\x4e\x05\xab\x2a\x1a\x29\xfc\x1a\x4b\x64\xda\x7e\x0f\x94\x30\x2f"
  1507. "\x74\xa4\x3d\x4a\x4a\xce\x9d\xfa\x2f\x47\x86\x25\x94\x0a\x0e\x4f\xb9\x72"
  1508. "\x0f\xf4\xce\x17\x41\x50\x67\x76\x97\x23\x7f\xc5\xc9\x54\x0a\xbe\xb6\x45"
  1509. "\xab\x8e\xf1\x7e\xa1\x27\x40\x5a\x63\x68\x10\xe9\x5c\x69\xdf\x43\xad\x9b"
  1510. "\xf3\x18\x83\x36\xc8\x9e\xd9\xab\xa1\x59\xe6\xbf\x05\x62\xeb\xd6\xc1\x42"
  1511. "\x46\x74\x80\xf5\xf9\x58\x8d\xb9\x1e\x22\x85\xa0\xf0\x2f\x07\xce\x20\xc4"
  1512. "\xcf\x5b\xed\x94\x1b\x81\xa5\x8f\x80\x1b\x8e\x60\x1d\xb1\xe0\xf8\x50\xbd"
  1513. "\x90\xba\xed\x01\x1c\xb2\x32\xf9\xe1\x63\x81\xa0\xb1\x21\x49\x32\x7b\x21"
  1514. "\xc0\xaa\x23\x98\x9e\xb9\xa9\xda\xb3\x65\x3f\xe9\x45\xed\x60\x5c\x78\x86"
  1515. "\x27\xd8\x03\x59\x16\xf0\x54\x66\xa2\x12\x7d\xe1\xb2\xa5\xc7\xcf\x0f\xa5"
  1516. "\xc5\x91\x4c\xca\xed\x6b\x0b\x96\xbc\x92\x06\xa8\x89\x1e\xbe\x18\x88\x4b"
  1517. "\xb0\xf7\xa9\xea\xaa\x3f\xb0\x11\x87\x9f\xa1\xd6\x37\x0f\x23\xe7\x80\xff"
  1518. "\x53\xa0\x48\x51\x41\xdd\x69\x0e\xf3\xdc\x49\x29\xff\x5d\x80\xa3\xf3\x7b"
  1519. "\xf5\x08\xf3\x7b\xeb\xc3\x42\x3f\x55\x5c\x96\xd2\xda\xf1\xdb\x56\x92\xa7"
  1520. "\x84\x7a\xf1\x24\x95\x42\xe0\xab\xc3\x94\xeb\xbc\xf8\x05\xe1\x3d\x2d\xe3"
  1521. "\xbf\xbc\x20\x1d\x53\xca\x74\xe8\x84\x12\xdc\xed\xa8\x30\x9c\xa0\xbd\x52"
  1522. "\xdb\xe3\x92\x61\xee\xf6\xd4\xc7\x2b\xa1\x07\xdf\x9b\x01\x72\xeb\xc8\xbf"
  1523. "\xb5\xd6\x94\x45\x4a\x7c\x7d\xff\x9f\x1c\x0b\x89\xd8\xb9\x51\x2d\x64\xc1"
  1524. "\x14\x4a\x71\xaf\x45\xfc\x2b\x2e\xc8\x84\x2c\x6c\xa3\xfa\xad\x10\xe3\x06"
  1525. "\xaa\x45\xa5\x94\x59\xd3\x59\x40\xfc\xbc\xb4\x03\x37\xaa\x6b\xe3\x38\x84"
  1526. "\xe5\xa2\x1a\xb6\x0a\xe6\x13\xab\x33\xa7\x7a\x40\x90\x89\x5a\xc5\x62\xf8"
  1527. "\xfd\x22\x23\x38\x7f\x5d\x41\x7f\x76\x98\xe2\xf5\xed\x37\x89\xdf\x83\x4b"
  1528. "\xa0\x52\x1f\x8f\xde\x87\x69\xbe\x11\x35\x88\x84\xa0\x24\x5e\xb4\x09\x93"
  1529. "\x39\x2c\x5f\x99\xd5\x75\x9a\xdb\x73\xa5\x23\x75\x2a\x01\xfc\xf4\x78\x5e"
  1530. "\xa7\x08\x4f\x18\xfa\xaf\x98\xb9\x4a\x04\x79\xcf\x1f\x6b\xd2\x19\xf4\x2d"
  1531. "\x01\xf8\xae\xfc\x93\xe1\x56\x52\x38\x2a\xc8\x1a\x2a\x71\xef\xc6\x23\x19"
  1532. "\x0c\x4d\x8d\x12\xc3\x62\x1e\x23\x2a\x15\x54\x6f\xe2\xfe\x5f\xe3\xd2\xff"
  1533. "\x7d\xf3\x76\x36\xed\x01\x8e\x79\x06\xb8\x8a\xa1\x2e\x9a\x55\x03\x71\xb6"
  1534. "\x52\x8c\xed\x1e\x2b\x24\x51\xda\x6a\x5d\xf3\x55\xde\xa4\x21\x96\x23\x82"
  1535. "\x82\x88\x19\xbc\xeb\x91\x3f\x8e\xd2\xca\xa8\x85\x0a\xf6\x5f\x93\x68\x23"
  1536. "\xb6\xc8\x91\x52\x66\x21\xec\x61\xa0\xf7\xb6\x61\xd9\xd9\x68\xff\x80\xb9"
  1537. "\x26\x54\x43\x7d\xde\xca\x99\x28\x92\xb5\x90\x46\xb9\x90\xb8\xbe\xe4\xc1"
  1538. "\xa6\x0b\xa4\xa2\x32\xf2\x27\x3a\x6b\x47\xee\x0f\xc5\x67\x3b\xa0\x56\x88"
  1539. "\x8e\x44\xff\x93\xd8\x8a\xfb\x21\x77\xbe\xc6\x91\xd0\x3f\xb6\xf2\xff\x59"
  1540. "\x3b\xfe\x30\xa7\x60\xf1\xf9\x34\x51\x69\xd4\x2d\xec\x29\xa7\x74\xf4\xb6"
  1541. "\xb1\xd5\x7e\x14\xea\xa1\xdb\x9f\xf0\x21\xfa\xed\x19\x89\x34\x5e\xa1\x9b"
  1542. "\x15\xca\x6f\x94\x46\xa2\xfd\x49\xb2\x4b\x3d\x2d\xdd\x8d\x83\xde\xb6\x2b"
  1543. "\x07\xc3\xa5\x04\xba\x2f\x78\x3a\xf1\x48\x02\xbf\xd1\x7b\x9c\x24\x5b\x27"
  1544. "\x52\xe2\x3e\xda\x86\x46\x59\xda\xd8\x86\xb2\x34\xe8\x69\xea\xab\xf6\xf6"
  1545. "\x4c\x05\x17\xc5\x2a\xd5\xb8\xeb\xdf\x9f\x87\x6b\xc8\x48\x2a\x0d\x00\xed"
  1546. "\x9a\x99\xbc\x82\x14\x3d\x5c\xb0\x93\x36\x4a\x88\xe7\x59\xd4\x17\x72\x0c"
  1547. "\x79\x56\x13\xed\xb0\x0f\xb2\x74\x84\x67\x55\xa6\x37\x15\x19\x05\x96\xfd"
  1548. "\x9d\x7b\xda\x30\x59\xb5\x20\x33\xef\xef\xd5\x7f\x3e\xb1\x79\x31\xf3\x6b"
  1549. "\xf3\xc5\x1d\xf5\x9f\x6a\xff\xdd\xca\x18\xaa\x7a\x02\xb8\xe6\x2a\x6e\x0e"
  1550. "\x01\x2f\x19\x3e\x1b\x20\x65\x75\xb0\xfd\xa6\x5b\x16\x59\x7d\xb4\xe1\x09"
  1551. "\xd2\x19\x35\x3d\x67\x33\x29\x9e\x30\x0f\x48\x20\xf7\x09\x01\x21\x2a\xaa"
  1552. "\xdc\xe9\xc7\x1a\x31\x8c\xa6\xdd\x28\x19\xcc\x85\x31\x86\x4e\xac\x0b\xa4"
  1553. "\x81\x27\x00\xfb\x67\x3a\x75\x0d\xe3\x02\x90\xfd\xef\x72\x8a\xb6\x8c\xd1"
  1554. "\xe3\x37\x34\x52\xd8\xea\x4f\xd0\x8f\xdd\x5f\xa5\xa2\x85\x4e\xf1\x5d\x0a"
  1555. "\xbd\x73\x41\xbf\x10\x0d\x94\x08\x21\x96\xd5\x0e\xbc\xb0\x11\x7e\x8a\x95"
  1556. "\x6b\xc8\x7e\xdd\x77\x86\xf3\x86\xa2\x4e\x8a\xb9\xe0\xaf\xc4\xae\xcf\x7f"
  1557. "\xda\x1f\x9b\xb5\xe7\x7b\x1e\x1f\x5b\x4e\x77\x16\x0d\x52\x77\x4e\x3d\xc8"
  1558. "\xda\xe1\x59\xcf\x48\xd2\x71\x5e\x29\x25\x4b\xd4\x4f\xad\x04\x77\x10\xf6"
  1559. "\xf7\xb5\x67\x4f\x9f\xf3\xdd\xbd\xf0\xc5\xbd\x11\x0a\x97\xd7\x02\x1f\xf4"
  1560. "\x91\x09\xa1\x80\xac\x92\x05\xbb\x5e\x12\xb0\x41\x98\x84\x8d\xec\x81\xa9"
  1561. "\x6a\x41\x6d\x11\x32\x9f\x77\x01\x75\xe6\x90\x16\x81\xeb\xda\x06\xe8\xb2"
  1562. "\x9f\xdc\xcb\x8a\x8c\x9b\x71\x51\x33\x11\x29\x8d\xfb\x8f\xd3\x97\xae\xee"
  1563. "\x7b\x31\xd9\x11\x21\xfd\xa5\x83\xb7\x1d\x27\x67\x4d\x7c\x88\x8e\xc9\x74"
  1564. "\xe1\x8b\x24\x3d\xc9\x97\xc4\xbe\xd6\xd2\xf7\xbe\x46\xab\x72\xb1\xb4\x79"
  1565. "\x0c\xc4\x60\x39\x59\xe2\x58\x45\x91\x54\x3b\xd3\x16\xb2\xa9\xa4\x6c\x40"
  1566. "\x16\xff\x2d\xfd\x2f\x89\xac\x49\x31\x88\x82\x02\x0f\xc5\x13\x6e\x40\xee"
  1567. "\x23\xb9\x23\xe3\xa2\x51\xbb\x5f\x26\xfc\xe1\x99\xd0\x1e\x11\x1e\xa4\x7a"
  1568. "\xd1\x5d\x7e\xec\x84\xf3\x50\x46\xde\x96\xa3\x07\x85\x12\x86\x09\x2f\x76"
  1569. "\x48\xcb\x5f\xb6\x02\xdd\xd7\xe3\xe1\xaf\x63\xf8\x00\x15\x6d\x34\xd8\xb5"
  1570. "\x12\x49\x6b\x5d\x6b\xf8\x21\xe9\xe6\xfc\x07\xa2\x4f\xfc\x62\xff\x2d\xef"
  1571. "\x48\x24\xbd\xfd\x7e\x0e\x23\x30\x16\xac\x44\x86\x0f\x30\xc4\x84\x52\xf6"
  1572. "\xa0\xf7\xb9\x46\x66\x8a\xc4\xac\xe2\x5a\xc0\xb2\xd7\x05\x5a\x0c\xe5\x4f"
  1573. "\xd9\x39\xea\x52\x9f\x1f\x61\x19\x12\x27\x51\x29\x7e\x86\xd2\x7f\x54\x65"
  1574. "\x68\x09\x2a\x49\x1e\x3c\x7c\x8b\x1c\x84\x32\xe4\x7b\x6f\xe7\x89\xab\xc2"
  1575. "\xa3\xfb\x93\x82\x2b\x9b\x6e\xc5\x1c\x3a\x19\x00\xae\xc6\x0c\x07\x19\xd3"
  1576. "\x8e\x7e\xf3\x1d\x8d\xab\x3e\x0f\x2d\xfa\xdf\x2b\x11\x98\xda\x27\xef\x95"
  1577. "\x36\x61\xec\x90\x24\xcd\x4a\x5e\x17\x0e\x76\x8f\x39\x7b\x70\x39\x69\x59"
  1578. "\xdd\x08\xc9\x54\xb7\x8b\x46\x09\x67\x8f\x2e\xae\x13\x74\x6c\x64\x41\xb3"
  1579. "\x63\x81\x5f\xc0\x2b\xac\xa8\x92\xe0\xee\xcb\xd6\xc0\x91\x58\x03\x2d\x86"
  1580. "\xef\x11\x2a\xa0\xfa\xab\xc1\x40\x3b\x2d\x5d\x04\x61\xb5\x2a\x2a\x9f\x59"
  1581. "\xb3\x1e\xb5\x9b\x67\x83\xa4\x66\x9e\xc5\x4f\xc8\x85\x1f\x7e\xe9\xf5\x6d"
  1582. "\x24\x60\x22\x12\xa8\xf9\x63\xe1\x03\x35\x91\x1a\x67\xd5\x5e\xed\x13\xb0"
  1583. "\x89\xa4\x58\x9b\x75\x29\x66\x87\xac\x37\x71\x4d\xa5\xa5\x36\x9e\x51\xa1"
  1584. "\x29\x94\xeb\xf8\xc8\x06\x11\x19\x36\x54\x97\xc3\xb9\x36\x11\x36\x52\xd4"
  1585. "\x67\x02\x53\x42\x59\xb3\x7e\x63\x01\x22",
  1586. 4096);
  1587. *(uint64_t*)0x2000000016e8 = 0x1000;
  1588. *(uint64_t*)0x2000000016f0 = 0x200000001580;
  1589. memcpy((void*)0x200000001580,
  1590. "\xe4\x8b\x16\x16\x93\x8b\xd4\xcd\x70\x3d\x89\x82\xb0\x95\x72\xdd\x21"
  1591. "\x50\xc6\xad\x10\x2b\x2c\xbf\xc7\x04\x83\xfa\x4a\x44\x56\xfc\x4f\x63"
  1592. "\x6e\x2c\xa3\xe9\x0b\x58\x33\xf7\x35\x20\x69\x16\x49\xf8\x42\xa5\xaf"
  1593. "\x0a\x6f\x31\x0e\x9c\xc0\x46\xe3\x8c\xe8\x6d\x8a\xa0\x00\x57\xda\xec"
  1594. "\x8e\x09\xa7\x1a\x9d\xad\xf9\x4c\x5e\x0f\x9f\x48\x45\x4a\x1d\x3b\x0c"
  1595. "\x4b\x32\x74\xec\xb9\xf4\x1f\x49\x7b\xf3\x82\x38\xf3\xea\xcd\x6a\x34"
  1596. "\x9a\xfd\xb5\x5e\x6a\xc3\xba\x0c\x6a\x67\x22\xf9\x60\xf3\x60\x87\x38"
  1597. "\x65\x74\x7a\x4e\xd5\x27\x05\x6d\x44\xa1\xca\x0f\x2d\x47\x17\xcd\xcd"
  1598. "\x87\x65\xc2\x22\x1d\x0c\x86\x84\xc0\xb8\xb4\xf5\x18\xf7\x47\x6e\xc2"
  1599. "\x94\x10\x02\xc4\x31\x36\x7e\x61\x98\x36\x17\x2d\xa3",
  1600. 166);
  1601. *(uint64_t*)0x2000000016f8 = 0xa6;
  1602. *(uint64_t*)0x200000001700 = 0x200000001640;
  1603. *(uint64_t*)0x200000001708 = 0;
  1604. *(uint64_t*)0x200000001ed8 = 9;
  1605. *(uint64_t*)0x200000001ee0 = 0x200000001dc0;
  1606. *(uint64_t*)0x200000001dc0 = 0x1c;
  1607. *(uint32_t*)0x200000001dc8 = 1;
  1608. *(uint32_t*)0x200000001dcc = 2;
  1609. *(uint32_t*)0x200000001dd0 = r[11];
  1610. *(uint32_t*)0x200000001dd4 = 0;
  1611. *(uint32_t*)0x200000001dd8 = 0;
  1612. *(uint64_t*)0x200000001de0 = 0x1c;
  1613. *(uint32_t*)0x200000001de8 = 1;
  1614. *(uint32_t*)0x200000001dec = 2;
  1615. *(uint32_t*)0x200000001df0 = r[11];
  1616. *(uint32_t*)0x200000001df4 = 0;
  1617. *(uint32_t*)0x200000001df8 = 0;
  1618. *(uint64_t*)0x200000001e00 = 0x1c;
  1619. *(uint32_t*)0x200000001e08 = 1;
  1620. *(uint32_t*)0x200000001e0c = 2;
  1621. *(uint32_t*)0x200000001e10 = 0;
  1622. *(uint32_t*)0x200000001e14 = 0;
  1623. *(uint32_t*)0x200000001e18 = 0;
  1624. *(uint64_t*)0x200000001e20 = 0x2c;
  1625. *(uint32_t*)0x200000001e28 = 1;
  1626. *(uint32_t*)0x200000001e2c = 1;
  1627. *(uint32_t*)0x200000001e30 = r[12];
  1628. *(uint32_t*)0x200000001e34 = r[13];
  1629. *(uint32_t*)0x200000001e38 = -1;
  1630. *(uint32_t*)0x200000001e3c = r[14];
  1631. *(uint32_t*)0x200000001e40 = r[15];
  1632. *(uint32_t*)0x200000001e44 = r[16];
  1633. *(uint32_t*)0x200000001e48 = r[17];
  1634. *(uint64_t*)0x200000001e50 = 0x34;
  1635. *(uint32_t*)0x200000001e58 = 1;
  1636. *(uint32_t*)0x200000001e5c = 1;
  1637. *(uint32_t*)0x200000001e60 = r[18];
  1638. *(uint32_t*)0x200000001e64 = r[19];
  1639. *(uint32_t*)0x200000001e68 = -1;
  1640. *(uint32_t*)0x200000001e6c = -1;
  1641. *(uint32_t*)0x200000001e70 = r[20];
  1642. *(uint32_t*)0x200000001e74 = -1;
  1643. *(uint32_t*)0x200000001e78 = -1;
  1644. *(uint32_t*)0x200000001e7c = r[21];
  1645. *(uint32_t*)0x200000001e80 = -1;
  1646. *(uint64_t*)0x200000001e88 = 0x1c;
  1647. *(uint32_t*)0x200000001e90 = 1;
  1648. *(uint32_t*)0x200000001e94 = 2;
  1649. *(uint32_t*)0x200000001e98 = r[23];
  1650. *(uint32_t*)0x200000001e9c = r[26];
  1651. *(uint32_t*)0x200000001ea0 = r[27];
  1652. *(uint64_t*)0x200000001ee8 = 0xe8;
  1653. *(uint32_t*)0x200000001ef0 = 0x4000000;
  1654. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0x200000001ec0ul,
  1655. /*f=MSG_BATCH*/ 0x40000ul);
  1656. *(uint8_t*)0x200000000040 = 0;
  1657. syscall(__NR_prctl, /*option=*/0x3bul, /*mode=*/1ul, /*offset=*/0ul,
  1658. /*len=*/0ul, /*selector=*/0x200000000040ul);
  1659. syz_pidfd_open(/*pid=*/r[11], /*flags=*/0);
  1660. syscall(__NR_fadvise64, /*fd=*/r[13], /*offset=*/8ul,
  1661. /*len=*/0x1ffffffffffcul, /*advice=POSIX_FADV_DONTNEED*/ 4ul);
  1662. memcpy((void*)0x200000000000, "./bus\000", 6);
  1663. res =
  1664. syscall(__NR_open, /*file=*/0x200000000000ul,
  1665. /*flags=O_NOFOLLOW|O_NOCTTY|O_NOATIME|O_CREAT|O_RDWR*/ 0x60142ul,
  1666. /*mode=*/0ul);
  1667. if (res != -1)
  1668. r[28] = res;
  1669. memcpy((void*)0x200000000080, "./bus\000", 6);
  1670. res = syscall(__NR_open, /*file=*/0x200000000080ul,
  1671. /*flags=O_SYNC|O_NOCTTY|O_DIRECT|O_CLOEXEC|O_RDWR*/ 0x185102ul,
  1672. /*mode=*/0ul);
  1673. if (res != -1)
  1674. r[29] = res;
  1675. syscall(__NR_ftruncate, /*fd=*/r[29], /*len=*/0x2007ffbul);
  1676. syscall(__NR_sendfile, /*fdout=*/r[28], /*fdin=*/r[29], /*off=*/0ul,
  1677. /*count=*/0x1000000201005ul);
  1678. *(uint32_t*)0x200000000000 = r[11];
  1679. syscall(__NR_ioctl, /*fd=*/r[28], /*cmd=*/0x8902, /*arg=*/0x200000000000ul);
  1680. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0x88);
  1681. if (res != -1)
  1682. r[30] = res;
  1683. memcpy((void*)0x200000000040, "memory.events\000", 14);
  1684. syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000040ul,
  1685. /*flags=*/0x275a, /*mode=*/0);
  1686. memcpy((void*)0x200000000140, "memory.events\000", 14);
  1687. syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000140ul,
  1688. /*flags=*/0x7a05, /*mode=*/0x1700);
  1689. memcpy((void*)0x200000000140, "memory.events\000", 14);
  1690. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000140ul,
  1691. /*flags=*/0x7a05, /*mode=*/0x1700);
  1692. if (res != -1)
  1693. r[31] = res;
  1694. sprintf((char*)0x200000000200, "0x%016llx", (long long)0);
  1695. syscall(__NR_write, /*fd=*/r[31], /*buf=*/0x200000000200ul, /*len=*/0xf000ul);
  1696. sprintf((char*)0x200000000200, "0x%016llx", (long long)0xfffffffffffffffe);
  1697. syscall(__NR_write, /*fd=*/r[31], /*buf=*/0x200000000200ul, /*len=*/0x12ul);
  1698. *(uint32_t*)0x200000000280 = 5;
  1699. res = syscall(__NR_getsockopt, /*fd=*/r[30], /*level=*/1, /*optname=*/0x11,
  1700. /*optval=*/0x200000000240ul, /*optlen=*/0x200000000280ul);
  1701. if (res != -1)
  1702. r[32] = *(uint32_t*)0x200000000244;
  1703. syscall(__NR_setreuid, /*ruid=*/0, /*euid=*/r[32]);
  1704. memcpy((void*)0x200000000180, "fd/3\000", 5);
  1705. syz_open_procfs(/*pid=*/0, /*file=*/0x200000000180);
  1706. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul,
  1707. /*proto=NETLINK_USERSOCK*/ 2);
  1708. if (res != -1)
  1709. r[33] = res;
  1710. memcpy((void*)0x200000000040, "memory.events\000", 14);
  1711. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000040ul,
  1712. /*flags=*/0x275a, /*mode=*/0);
  1713. if (res != -1)
  1714. r[34] = res;
  1715. memcpy((void*)0x200000000140, "memory.events\000", 14);
  1716. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000140ul,
  1717. /*flags=*/0x7a05, /*mode=*/0x1700);
  1718. if (res != -1)
  1719. r[35] = res;
  1720. sprintf((char*)0x200000000200, "0x%016llx", (long long)0);
  1721. syscall(__NR_write, /*fd=*/r[35], /*buf=*/0x200000000200ul, /*len=*/0xf000ul);
  1722. syscall(__NR_sendfile, /*fdout=*/r[35], /*fdin=*/r[34], /*off=*/0ul,
  1723. /*count=*/0xf03afffeul);
  1724. syscall(__NR_ioctl, /*fd=*/r[34], /*cmd=*/0x6611, 0);
  1725. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  1726. if (res != -1)
  1727. r[36] = res;
  1728. *(uint32_t*)0x200000000080 = 1;
  1729. syscall(__NR_setsockopt, /*fd=*/r[36], /*level=*/6,
  1730. /*optname=TCP_THIN_LINEAR_TIMEOUTS|TCP_CORK*/ 0x13,
  1731. /*optval=*/0x200000000080ul, /*optlen=*/4ul);
  1732. *(uint16_t*)0x200000000200 = 0xa;
  1733. *(uint16_t*)0x200000000202 = htobe16(0);
  1734. *(uint32_t*)0x200000000204 = htobe32(0);
  1735. *(uint64_t*)0x200000000208 = htobe64(0);
  1736. *(uint64_t*)0x200000000210 = htobe64(1);
  1737. *(uint32_t*)0x200000000218 = 0;
  1738. syscall(__NR_connect, /*fd=*/r[36], /*addr=*/0x200000000200ul,
  1739. /*addrlen=*/0x1cul);
  1740. *(uint32_t*)0x200000000300 = 2;
  1741. syscall(__NR_setsockopt, /*fd=*/r[36], /*level=*/6, /*optname=*/0x14,
  1742. /*optval=*/0x200000000300ul, /*optlen=*/0x54ul);
  1743. *(uint64_t*)0x200000000e80 = 0x200000000080;
  1744. *(uint16_t*)0x200000000080 = 0xa;
  1745. *(uint16_t*)0x200000000082 = htobe16(0);
  1746. *(uint32_t*)0x200000000084 = htobe32(0);
  1747. memset((void*)0x200000000088, 0, 10);
  1748. memset((void*)0x200000000092, 255, 2);
  1749. *(uint32_t*)0x200000000094 = htobe32(0);
  1750. *(uint32_t*)0x200000000098 = 0;
  1751. *(uint32_t*)0x200000000e88 = 0x1c;
  1752. *(uint64_t*)0x200000000e90 = 0;
  1753. *(uint64_t*)0x200000000e98 = 0;
  1754. *(uint64_t*)0x200000000ea0 = 0x2000000005c0;
  1755. *(uint64_t*)0x200000000ea8 = 0;
  1756. *(uint32_t*)0x200000000eb0 = 0;
  1757. *(uint32_t*)0x200000000eb8 = 0;
  1758. *(uint64_t*)0x200000000ec0 = 0x200000000600;
  1759. *(uint16_t*)0x200000000600 = 0xa;
  1760. *(uint16_t*)0x200000000602 = htobe16(0);
  1761. *(uint32_t*)0x200000000604 = htobe32(0);
  1762. *(uint8_t*)0x200000000608 = -1;
  1763. *(uint8_t*)0x200000000609 = 2;
  1764. memset((void*)0x20000000060a, 0, 13);
  1765. *(uint8_t*)0x200000000617 = 1;
  1766. *(uint32_t*)0x200000000618 = 0;
  1767. *(uint32_t*)0x200000000ec8 = 0x1c;
  1768. *(uint64_t*)0x200000000ed0 = 0;
  1769. *(uint64_t*)0x200000000ed8 = 0;
  1770. *(uint64_t*)0x200000000ee0 = 0x200000000000;
  1771. *(uint64_t*)0x200000000000 = 0;
  1772. *(uint32_t*)0x200000000008 = 0x29;
  1773. *(uint32_t*)0x20000000000c = 0x3e;
  1774. *(uint32_t*)0x200000000010 = 0;
  1775. *(uint64_t*)0x200000000ee8 = 0x18;
  1776. *(uint32_t*)0x200000000ef0 = 0;
  1777. *(uint32_t*)0x200000000ef8 = 0;
  1778. syscall(__NR_sendmmsg, /*fd=*/r[36], /*mmsg=*/0x200000000e80ul,
  1779. /*vlen=*/0x10ul, /*f=*/0ul);
  1780. *(uint64_t*)0x200000000040 = 0;
  1781. *(uint32_t*)0x200000000048 = 0;
  1782. *(uint64_t*)0x200000000050 = 0x200000002ec0;
  1783. *(uint64_t*)0x200000002ec0 = 0x200000000000;
  1784. *(uint32_t*)0x200000000000 = 0x1c;
  1785. *(uint16_t*)0x200000000004 = 0x6a;
  1786. *(uint16_t*)0x200000000006 = 1;
  1787. *(uint32_t*)0x200000000008 = 0;
  1788. *(uint32_t*)0x20000000000c = 0;
  1789. *(uint16_t*)0x200000000010 = 8;
  1790. STORE_BY_BITMASK(uint16_t, , 0x200000000012, 0, 0, 14);
  1791. STORE_BY_BITMASK(uint16_t, , 0x200000000013, 0, 6, 1);
  1792. STORE_BY_BITMASK(uint16_t, , 0x200000000013, 0, 7, 1);
  1793. *(uint32_t*)0x200000000014 = -1;
  1794. memset((void*)0x200000000018, 46, 1);
  1795. *(uint64_t*)0x200000002ec8 = 0x1c;
  1796. *(uint64_t*)0x200000000058 = 1;
  1797. *(uint64_t*)0x200000000060 = 0;
  1798. *(uint64_t*)0x200000000068 = 0;
  1799. *(uint32_t*)0x200000000070 = 0;
  1800. syscall(__NR_sendmsg, /*fd=*/r[33], /*msg=*/0x200000000040ul, /*f=*/0ul);
  1801. syscall(__NR_socket, /*domain=*/0xaul, /*type=*/3ul, /*proto=*/0x3a);
  1802. syscall(__NR_getpid);
  1803. res = syscall(__NR_socketpair, /*domain=*/1ul,
  1804. /*type=SOCK_DGRAM|SOCK_STREAM*/ 3ul, /*proto=*/0,
  1805. /*fds=*/0x200000000080ul);
  1806. if (res != -1) {
  1807. r[37] = *(uint32_t*)0x200000000080;
  1808. r[38] = *(uint32_t*)0x200000000084;
  1809. }
  1810. *(uint16_t*)0x20000057eff8 = 0;
  1811. memcpy((void*)0x20000057effa,
  1812. "./"
  1813. "file0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
  1814. "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
  1815. "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
  1816. "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
  1817. "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
  1818. "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000",
  1819. 108);
  1820. syscall(__NR_connect, /*fd=*/r[37], /*addr=*/0x20000057eff8ul,
  1821. /*addrlen=*/0x6eul);
  1822. syscall(__NR_sendmmsg, /*fd=*/r[38], /*mmsg=*/0x2000000bd000ul,
  1823. /*vlen=*/0x318ul, /*f=*/0ul);
  1824. res = syscall(__NR_epoll_create1, /*flags=*/0ul);
  1825. if (res != -1)
  1826. r[39] = res;
  1827. *(uint32_t*)0x200000000004 = 0;
  1828. *(uint32_t*)0x200000000008 = 0;
  1829. *(uint32_t*)0x20000000000c = 0;
  1830. *(uint32_t*)0x200000000010 = 0;
  1831. *(uint32_t*)0x200000000018 = -1;
  1832. memset((void*)0x20000000001c, 0, 12);
  1833. res = -1;
  1834. res = syz_io_uring_setup(/*entries=*/0x163c, /*params=*/0x200000000000,
  1835. /*ring_ptr=*/0x2000000000c0,
  1836. /*sqes_ptr=*/0x2000000001c0);
  1837. if (res != -1)
  1838. r[40] = res;
  1839. syscall(__NR_io_uring_register, /*fd=*/r[40], /*opcode=*/0x1cul, /*arg=*/0ul,
  1840. /*size=*/0ul);
  1841. *(uint32_t*)0x200000000200 = 0x50004000;
  1842. *(uint64_t*)0x200000000204 = 0;
  1843. syscall(__NR_epoll_ctl, /*epfd=*/r[39], /*op=*/1ul, /*fd=*/r[37],
  1844. /*ev=*/0x200000000200ul);
  1845. *(uint32_t*)0x200000000000 = r[38];
  1846. *(uint16_t*)0x200000000004 = 0x1200;
  1847. *(uint16_t*)0x200000000006 = 0;
  1848. syscall(__NR_ppoll, /*fds=*/0x200000000000ul, /*nfds=*/1ul, /*tsp=*/0ul,
  1849. /*sigmask=*/0ul, /*size=*/0ul);
  1850. syscall(__NR_close, /*fd=*/r[37]);
  1851. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=SOCK_RAW*/ 3ul,
  1852. /*proto=*/0x22);
  1853. if (res != -1)
  1854. r[41] = res;
  1855. *(uint64_t*)0x200000000740 = 0x200000000340;
  1856. *(uint32_t*)0x200000000748 = 0x6e;
  1857. *(uint64_t*)0x200000000750 = 0x200000000680;
  1858. *(uint64_t*)0x200000000680 = 0x2000000003c0;
  1859. *(uint64_t*)0x200000000688 = 0xfa;
  1860. *(uint64_t*)0x200000000690 = 0x2000000004c0;
  1861. *(uint64_t*)0x200000000698 = 0xc0;
  1862. *(uint64_t*)0x2000000006a0 = 0x200000000580;
  1863. *(uint64_t*)0x2000000006a8 = 0x77;
  1864. *(uint64_t*)0x2000000006b0 = 0x200000000600;
  1865. *(uint64_t*)0x2000000006b8 = 0x2a;
  1866. *(uint64_t*)0x200000000758 = 4;
  1867. *(uint64_t*)0x200000000760 = 0x2000000006c0;
  1868. *(uint64_t*)0x200000000768 = 0x60;
  1869. *(uint32_t*)0x200000000770 = 0;
  1870. syscall(
  1871. __NR_recvmsg, /*fd=*/r[38], /*msg=*/0x200000000740ul,
  1872. /*f=MSG_WAITFORONE|MSG_WAITALL|MSG_TRUNC|MSG_PEEK|MSG_ERRQUEUE|MSG_DONTWAIT*/
  1873. 0x12162ul, 0);
  1874. syscall(__NR_unshare, /*flags=*/0ul);
  1875. memcpy((void*)0x200000000100, "./file0\000", 8);
  1876. syscall(__NR_mkdirat, /*fd=*/0xffffff9c, /*path=*/0x200000000100ul,
  1877. /*mode=*/0ul);
  1878. memset((void*)0x200000000640, 0, 1);
  1879. res = syscall(
  1880. __NR_open_tree, /*dfd=*/0xffffff9c, /*filename=*/0x200000000640ul,
  1881. /*flags=OPEN_TREE_CLOEXEC|OPEN_TREE_CLONE|AT_SYMLINK_NOFOLLOW|AT_RECURSIVE|AT_NO_AUTOMOUNT|AT_EMPTY_PATH*/
  1882. 0x89901ul);
  1883. if (res != -1)
  1884. r[42] = res;
  1885. memcpy((void*)0x200000000140, ".\000", 2);
  1886. memcpy((void*)0x200000000180, "./file0\000", 8);
  1887. syscall(__NR_move_mount, /*from_dfd=*/r[42],
  1888. /*from_pathname=*/0x200000000140ul, /*to_dfd=*/0xffffff9c,
  1889. /*to_pathname=*/0x200000000180ul,
  1890. /*flags=MOVE_MOUNT_SET_GROUP|MOVE_MOUNT_F_EMPTY_PATH*/ 0x104ul);
  1891. *(uint32_t*)0x200000000000 = 0x688;
  1892. syscall(__NR_setsockopt, /*fd=*/r[41], /*level=*/1,
  1893. /*optname=SO_TIMESTAMPING_OLD*/ 0x25, /*optval=*/0x200000000000ul,
  1894. /*optlen=*/4ul);
  1895. memcpy((void*)0x200000000a00, "cgroup2\000", 8);
  1896. res = syscall(__NR_fsopen, /*type=*/0x200000000a00ul, /*flags=*/0ul);
  1897. if (res != -1)
  1898. r[43] = res;
  1899. memcpy((void*)0x200000000340, "/dev/net/tun\000", 13);
  1900. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  1901. /*file=*/0x200000000340ul, /*flags=*/0, /*mode=*/0);
  1902. if (res != -1)
  1903. r[44] = res;
  1904. memcpy((void*)0x200000000080, "memory.numa_stat\000", 17);
  1905. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000080ul,
  1906. /*flags=*/0x275a, /*mode=*/0);
  1907. if (res != -1)
  1908. r[45] = res;
  1909. memcpy((void*)0x200000000200,
  1910. "\x99\x3e\x48\x3c\xb1\x8e\xc3\x1a\x9c\xd7\x98\x9a\xc5\x41\xef\xcb\x16"
  1911. "\xa2\xd3\x49\x64\x35\x24\x1f\xbe\x28\x2f\x28\x40\x92\x84\xd4\x75\xc1"
  1912. "\x27\x16\x8c\x51\xa3\xe7\x60\xb2\xe3\x97\x6c\x1e\xc7\x52\xc7\x7f\xbe"
  1913. "\x3f\x33\x61\x14\x02\x21\x1c\x81\xe4\xca\x19\xdc\xf6\x84\x18\x31\x81"
  1914. "\x9e\x99\x33\x32\x34\x83\xae\xc8\xac\x78\xa2\x1c\x01",
  1915. 81);
  1916. syscall(__NR_write, /*fd=*/r[45], /*buf=*/0x200000000200ul, /*count=*/0x51ul);
  1917. syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xb36000ul,
  1918. /*prot=PROT_READ|0x800000*/ 0x800001ul,
  1919. /*flags=MAP_STACK|MAP_POPULATE|MAP_FIXED|MAP_SHARED*/ 0x28011ul,
  1920. /*fd=*/r[45], /*offset=*/0ul);
  1921. memcpy((void*)0x200000000040, "veth1_macvtap\000\000\000", 16);
  1922. *(uint16_t*)0x200000000050 = 0;
  1923. syscall(__NR_ioctl, /*fd=*/r[44], /*cmd=*/0x400454ca,
  1924. /*arg=*/0x200000000040ul);
  1925. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  1926. if (res != -1)
  1927. r[46] = res;
  1928. syscall(__NR_pread64, /*fd=*/r[44], /*buf=*/0x200000000440ul,
  1929. /*count=*/0x7eul, /*pos=*/0ul);
  1930. syscall(__NR_close, /*fd=*/r[44]);
  1931. memcpy((void*)0x200000000040, "syzkaller1\000\000\000\000\000\000", 16);
  1932. *(uint16_t*)0x200000000050 = 2;
  1933. *(uint16_t*)0x200000000052 = htobe16(0);
  1934. *(uint8_t*)0x200000000054 = 0xac;
  1935. *(uint8_t*)0x200000000055 = 0x14;
  1936. *(uint8_t*)0x200000000056 = 0x14;
  1937. *(uint8_t*)0x200000000057 = 0xbb;
  1938. syscall(__NR_ioctl, /*fd=*/r[46], /*cmd=*/0x8914, /*arg=*/0x200000000040ul);
  1939. *(uint64_t*)0x200000000000 = 0;
  1940. syscall(__NR_fcntl, /*fd=*/r[43], /*cmd=*/0x40cul, /*hint=*/0x200000000000ul);
  1941. memcpy((void*)0x200000000240, "/dev/autofs\000", 12);
  1942. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000240ul,
  1943. /*flags=O_NONBLOCK|O_NOATIME*/ 0x40800, /*mode=*/0);
  1944. memcpy((void*)0x2000000005c0, "ext4\000", 5);
  1945. memcpy((void*)0x200000000000, "./file0\000", 8);
  1946. *(uint8_t*)0x200000000b00 = 0;
  1947. memcpy(
  1948. (void*)0x200000000600,
  1949. "\x78\x9c\xec\xdd\x4d\x6f\x54\x5f\x19\x00\xf0\x67\xa6\x6f\xd3\x52\x68\x41"
  1950. "\x16\x6a\x54\x10\x51\x34\x84\x69\x3b\x40\x43\x58\x28\xae\x8c\x31\x24\x46"
  1951. "\x96\x9a\x40\x6d\x87\xa6\xe9\x4c\xa7\xe9\x4c\x91\x56\x16\xe5\x3b\x98\x48"
  1952. "\xe2\x4a\x97\x7e\x00\xd7\xac\xdc\xbb\x31\xba\x73\x83\x0b\x13\x5f\x1a\x0d"
  1953. "\x25\x71\x31\xff\xdc\x3b\xb7\x65\x28\x1d\xda\x3f\x7d\x19\xd2\xf9\xfd\x92"
  1954. "\x9b\x7b\xcf\x39\x33\xf3\x9c\xc3\xe4\x9e\xc3\x3c\x84\x7b\x02\xe8\x59\x97"
  1955. "\x23\x62\x23\x22\x06\x23\xe2\x51\x44\x8c\x65\xf5\xb9\xec\x88\x7b\xad\x23"
  1956. "\x79\xdd\xeb\xcd\x67\xb3\x5b\x9b\xcf\x66\x73\xd1\x6c\x3e\xf8\x77\x2e\x6d"
  1957. "\x4f\xea\xa2\xed\x3d\x89\x33\xd9\x67\x16\x22\xe2\x27\x3f\x88\xf8\x79\xee"
  1958. "\xfd\xb8\xf5\xb5\xf5\xc5\x99\x4a\xa5\xbc\x92\x95\x27\x1a\xd5\xe5\x89\xfa"
  1959. "\xda\xfa\x8d\x85\xea\xcc\x7c\x79\xbe\xbc\x54\x2a\x4d\x4f\x4d\x4f\xde\xb9"
  1960. "\x79\xbb\x74\x64\x63\xbd\x54\x1d\xcc\xae\xbe\xfa\xea\x4f\x1b\xdf\xf9\x65"
  1961. "\xd2\xad\xd1\xac\xa6\x7d\x1c\x47\xa9\x35\xf4\x81\x9d\x38\x89\xfe\x88\xf8"
  1962. "\xd1\x71\x04\xeb\x82\xbe\x6c\x3c\x83\xdd\xee\x08\x1f\x25\x1f\x11\x17\x22"
  1963. "\xe2\x4a\x7a\xff\x8f\x45\x5f\xfa\x6d\x02\x00\xa7\x59\xb3\x39\x16\xcd\xb1"
  1964. "\xf6\x32\x00\x70\xda\xe5\xd3\x1c\x58\x2e\x5f\xcc\x72\x01\xa3\x91\xcf\x17"
  1965. "\x8b\xad\x1c\xde\xc5\x18\xc9\x57\x6a\xf5\xc6\xf5\xc7\xb5\xd5\xa5\xb9\x56"
  1966. "\xae\x6c\x3c\x06\xf2\x8f\x17\x2a\xe5\xc9\x2c\x57\x38\x1e\x03\xb9\xa4\x3c"
  1967. "\x95\x5e\xbf\x2d\x97\x76\x95\x6f\x46\xc4\xf9\x88\xf8\xd5\xd0\x70\x5a\x2e"
  1968. "\xce\xd6\x2a\x73\xdd\xfc\x8b\x0f\x00\xf4\xb0\x33\xbb\xd6\xff\xff\x0d\xb5"
  1969. "\xd6\x7f\x00\xe0\x94\x2b\x74\xbb\x03\x00\xc0\x89\xb3\xfe\x03\x40\xef\xb1"
  1970. "\xfe\x03\x40\xef\xb1\xfe\x03\x40\xef\xb1\xfe\x03\x40\xef\xb1\xfe\x03\x40"
  1971. "\xef\xb1\xfe\x03\x40\x4f\xf9\xf1\xfd\xfb\xc9\xd1\xdc\xca\x9e\x7f\x3d\xf7"
  1972. "\x64\x6d\x75\xb1\xf6\xe4\xc6\x5c\xb9\xbe\x58\xac\xae\xce\x16\x67\x6b\x2b"
  1973. "\xcb\xc5\xf9\x5a\x6d\x3e\x7d\x66\x4f\x75\xbf\xcf\xab\xd4\x6a\xcb\x53\xb7"
  1974. "\x62\xf5\xe9\xf8\x77\x97\xeb\x8d\x89\xfa\xda\xfa\xc3\x6a\x6d\x75\xa9\xf1"
  1975. "\x30\x7d\xae\xf7\xc3\xf2\xc0\x89\x8c\x0a\x00\xf8\x90\xf3\x97\x5e\xfe\x35"
  1976. "\x17\x11\x1b\x77\x87\xd3\x23\xda\xf6\x72\xb0\x56\xc3\xe9\x96\xef\x76\x07"
  1977. "\x80\xae\xe9\xeb\x76\x07\x80\xae\xb1\xdb\x17\xf4\xae\x43\xfc\xc6\x97\x1e"
  1978. "\x80\x53\x62\x8f\x2d\x7a\xdf\x51\x88\x88\xe1\xdd\x95\xcd\x66\xb3\x79\x7c"
  1979. "\x5d\x02\x8e\xd9\xb5\x2f\xc9\xff\x43\xaf\x92\xff\x87\xde\x25\xff\x0f\xbd"
  1980. "\x4b\xfe\x1f\x7a\x57\xb3\x99\x3b\xe8\x9e\xff\x71\xd0\x17\x02\x00\x9f\x36"
  1981. "\x39\x7e\xa0\xc3\xbf\xff\x5f\xc8\xce\xbf\xcf\x1e\x11\xf2\xb3\xb9\xdd\xaf"
  1982. "\x78\x71\x9c\xbd\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1983. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x4f\xdb\xf6\xfe\xbf\xc5\x6c"
  1984. "\x2f\xf0\xd1\xc8\xe7\x8b\xc5\x88\xb3\x11\x31\x1e\x03\xb9\xc7\x0b\x95\xf2"
  1985. "\x64\x44\x9c\x8b\x88\xbf\x0c\x0d\x0c\x25\xe5\xa9\x2e\xf7\x19\x00\x38\xac"
  1986. "\xfc\x3f\x72\xd9\xfe\x5f\xd7\xc6\xae\x8e\xee\x6e\x1d\xcc\xbd\x19\x4a\xcf"
  1987. "\x11\xf1\x8b\xdf\x3c\xf8\xf5\xd3\x99\x46\x63\xe5\xcf\x49\xfd\x7f\x76\xea"
  1988. "\x1b\x2f\xb2\xfa\x52\x37\xfa\x0f\x00\xec\x67\x7b\x9d\x4e\xcf\x6d\x3f\xe4"
  1989. "\x5f\x6f\x3e\x9b\xdd\x3e\x4e\xb2\x3f\xff\xfc\x7e\x44\x14\x5a\xf1\xb7\x36"
  1990. "\x07\x63\x6b\x27\x7e\x7f\xf4\xa7\xe7\x42\x0c\x44\xc4\xc8\x7f\x73\x59\xb9"
  1991. "\x25\xd7\x96\xbb\x38\x8c\x8d\xe7\x11\xf1\xc5\xbd\xc6\x9f\x8b\xd1\x34\x07"
  1992. "\xd2\xda\xf9\x74\x77\xfc\x24\xf6\xd9\x13\x8d\x9f\x7f\x27\x7e\x3e\x6d\x6b"
  1993. "\x9d\x93\x3f\x8b\x2f\x1c\x41\x5f\xa0\xd7\xbc\x4c\xe6\x9f\x7b\x7b\xdd\x7f"
  1994. "\xf9\xb8\x9c\x9e\xf7\xbe\xff\x0b\xe9\x0c\x75\x78\xd9\xfc\x97\x7c\xd4\xec"
  1995. "\x56\x3a\x07\xbe\x8d\xbf\x3d\xff\xf5\x75\x98\xff\x2e\x1f\x34\xc6\xad\x3f"
  1996. "\xfe\xb0\x75\x35\xfc\x7e\xdb\xf3\x88\x2f\xf7\x47\x6c\xc7\xde\x6a\x9b\x7f"
  1997. "\xb6\xe3\xe7\x3a\xc4\xbf\x7a\xc0\xf8\x7f\xfb\xca\xd7\xae\x74\x6a\x6b\xfe"
  1998. "\x36\xe2\x5a\xec\x1d\xbf\x3d\xd6\x44\xa3\xba\x3c\x51\x5f\x5b\xbf\xb1\x50"
  1999. "\x9d\x99\x2f\xcf\x97\x97\x4a\xa5\xe9\xa9\xe9\xc9\x3b\x37\x6f\x97\x26\xd2"
  2000. "\x1c\xf5\x44\xe7\xd5\xe0\x5f\x77\xaf\x9f\xeb\xd4\x96\x8c\x7f\xa4\x43\xfc"
  2001. "\xc2\x3e\xe3\xff\xe6\x01\xc7\xff\xbb\xff\x3f\xfa\xe9\xd7\x3f\x10\xff\xdb"
  2002. "\xdf\xd8\x2b\x7e\x3e\x2e\x7e\x20\x7e\xb2\x26\x7e\xeb\x80\xf1\x67\x46\xfe"
  2003. "\x50\xe8\xd4\x96\xc4\x9f\xeb\x30\xfe\xfd\xbe\xff\xeb\x07\x8c\xff\xea\xef"
  2004. "\xeb\xef\x6d\x1b\x0e\x00\x74\x4f\x7d\x6d\x7d\x71\xa6\x52\x29\xaf\xb8\x70"
  2005. "\xe1\xe2\x30\x17\xdf\x3b\xa9\x58\x83\xf1\xb9\xde\xd5\x6c\x7e\x54\xac\x4e"
  2006. "\x33\xc6\x51\x64\xdd\x80\x4f\xc1\xce\x4d\x1f\x11\x6f\xba\xdd\x19\x00\x00"
  2007. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\x4f\x27\xf1\x3f\x96\xba\x3d\x46"
  2008. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2009. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2010. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2011. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2012. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2013. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2014. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2015. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2016. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2017. "\x00\x00\x00\x00\x00\x00\x4e\xaf\xcf\x02\x00\x00\xff\xff\x77\x94\xd3"
  2018. "\xd4",
  2019. 1242);
  2020. syz_mount_image(/*fs=*/0x2000000005c0, /*dir=*/0x200000000000,
  2021. /*flags=MS_I_VERSION|MS_RELATIME|MS_NODEV*/ 0xa00004,
  2022. /*opts=*/0x200000000b00, /*chdir=*/4, /*size=*/0x4da,
  2023. /*img=*/0x200000000600);
  2024. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x8922, /*arg=*/0ul);
  2025. memcpy((void*)0x200000000180, "./file1/file4\000", 14);
  2026. syscall(__NR_mount, /*src=*/0xfffff000ul, /*dst=*/0x200000000180ul,
  2027. /*type=*/0ul, /*flags=*/0ul, /*opts=*/0ul);
  2028. res = syscall(__NR_getpgrp, /*pid=*/-1);
  2029. if (res != -1)
  2030. r[47] = res;
  2031. memcpy((void*)0x200000000040, "memory.current\000", 15);
  2032. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000040ul,
  2033. /*flags=*/0x275a, /*mode=*/0);
  2034. if (res != -1)
  2035. r[48] = res;
  2036. *(uint32_t*)0x20000001d000 = 0;
  2037. *(uint32_t*)0x20000001d004 = 0x80;
  2038. *(uint8_t*)0x20000001d008 = 0;
  2039. *(uint8_t*)0x20000001d009 = 0;
  2040. *(uint8_t*)0x20000001d00a = 0;
  2041. *(uint8_t*)0x20000001d00b = 0;
  2042. *(uint32_t*)0x20000001d00c = 0;
  2043. *(uint64_t*)0x20000001d010 = 0;
  2044. *(uint64_t*)0x20000001d018 = 0;
  2045. *(uint64_t*)0x20000001d020 = 0;
  2046. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 0, 1);
  2047. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 1, 1);
  2048. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 2, 1);
  2049. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 3, 1);
  2050. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 4, 1);
  2051. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 5, 1);
  2052. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 6, 1);
  2053. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 7, 1);
  2054. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 8, 1);
  2055. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 9, 1);
  2056. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 10, 1);
  2057. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 11, 1);
  2058. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 12, 1);
  2059. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 13, 1);
  2060. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 14, 1);
  2061. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 15, 2);
  2062. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 17, 1);
  2063. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 18, 1);
  2064. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 19, 1);
  2065. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 20, 1);
  2066. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 21, 1);
  2067. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 22, 1);
  2068. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 23, 1);
  2069. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 24, 1);
  2070. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 25, 1);
  2071. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 26, 1);
  2072. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 27, 1);
  2073. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 28, 1);
  2074. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 29, 1);
  2075. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 30, 1);
  2076. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 31, 1);
  2077. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 32, 1);
  2078. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 33, 1);
  2079. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 34, 1);
  2080. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 35, 1);
  2081. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 36, 1);
  2082. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 37, 1);
  2083. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 38, 26);
  2084. *(uint32_t*)0x20000001d030 = 0;
  2085. *(uint32_t*)0x20000001d034 = 0;
  2086. *(uint64_t*)0x20000001d038 = 0x7375;
  2087. *(uint64_t*)0x20000001d040 = 0x40;
  2088. *(uint64_t*)0x20000001d048 = 0;
  2089. *(uint64_t*)0x20000001d050 = 0;
  2090. *(uint32_t*)0x20000001d058 = 0;
  2091. *(uint32_t*)0x20000001d05c = 0;
  2092. *(uint64_t*)0x20000001d060 = 0;
  2093. *(uint32_t*)0x20000001d068 = 0;
  2094. *(uint16_t*)0x20000001d06c = 0;
  2095. *(uint16_t*)0x20000001d06e = 0;
  2096. *(uint32_t*)0x20000001d070 = 0;
  2097. *(uint32_t*)0x20000001d074 = 0;
  2098. *(uint64_t*)0x20000001d078 = 0x40010000000;
  2099. res = syscall(__NR_perf_event_open, /*attr=*/0x20000001d000ul, /*pid=*/0,
  2100. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  2101. if (res != -1)
  2102. r[49] = res;
  2103. memcpy((void*)0x200000000100, "#! ", 3);
  2104. *(uint8_t*)0x200000000103 = 0xa;
  2105. syscall(__NR_write, /*fd=*/r[48], /*data=*/0x200000000100ul, /*len=*/4ul);
  2106. syscall(__NR_mmap, /*addr=*/0x200000072000ul, /*len=*/0x1000ul,
  2107. /*prot=PROT_GROWSUP|PROT_SEM|PROT_WRITE|PROT_READ*/ 0x200000bul,
  2108. /*flags=MAP_STACK|MAP_POPULATE|MAP_FIXED|MAP_SHARED*/ 0x28011ul,
  2109. /*fd=*/r[49], /*offset=*/0ul);
  2110. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  2111. if (res != -1)
  2112. r[50] = res;
  2113. *(uint32_t*)0x2000000001c0 = 0;
  2114. syscall(__NR_getsockopt, /*fd=*/r[50], /*level=*/6,
  2115. /*optname=TCP_WINDOW_CLAMP*/ 0xa, /*optval=*/0ul,
  2116. /*optlen=*/0x2000000001c0ul);
  2117. *(uint64_t*)0x2000000015c0 = 0x200000000080;
  2118. *(uint64_t*)0x2000000015c8 = 0xffffffff000;
  2119. syscall(__NR_preadv, /*fd=*/r[48], /*vec=*/0x2000000015c0ul, /*vlen=*/5ul,
  2120. /*off_low=*/0, /*off_high=*/0);
  2121. res = -1;
  2122. res = syz_pidfd_open(/*pid=*/r[47], /*flags=*/0);
  2123. if (res != -1)
  2124. r[51] = res;
  2125. syscall(__NR_ioctl, /*fd=*/r[51], /*cmd=*/0xff06, /*arg=*/0ul);
  2126. *(uint32_t*)0x20000001d000 = 0;
  2127. *(uint32_t*)0x20000001d004 = 0x80;
  2128. *(uint8_t*)0x20000001d008 = 0;
  2129. *(uint8_t*)0x20000001d009 = 0;
  2130. *(uint8_t*)0x20000001d00a = 0;
  2131. *(uint8_t*)0x20000001d00b = 0;
  2132. *(uint32_t*)0x20000001d00c = 0;
  2133. *(uint64_t*)0x20000001d010 = 0xb9a;
  2134. *(uint64_t*)0x20000001d018 = 0;
  2135. *(uint64_t*)0x20000001d020 = 0xe;
  2136. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 0, 1);
  2137. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 1, 1);
  2138. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 2, 1);
  2139. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 3, 1);
  2140. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 4, 1);
  2141. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 5, 1);
  2142. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 6, 1);
  2143. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 7, 1);
  2144. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 8, 1);
  2145. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 9, 1);
  2146. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 10, 1);
  2147. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 11, 1);
  2148. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 12, 1);
  2149. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 13, 1);
  2150. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 14, 1);
  2151. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 15, 2);
  2152. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 17, 1);
  2153. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 18, 1);
  2154. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 19, 1);
  2155. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 20, 1);
  2156. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 21, 1);
  2157. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 22, 1);
  2158. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 23, 1);
  2159. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 24, 1);
  2160. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 25, 1);
  2161. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 26, 1);
  2162. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 27, 1);
  2163. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 28, 1);
  2164. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 29, 1);
  2165. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 30, 1);
  2166. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 31, 1);
  2167. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 32, 1);
  2168. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 33, 1);
  2169. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 34, 1);
  2170. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 35, 1);
  2171. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 36, 1);
  2172. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 37, 1);
  2173. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 38, 26);
  2174. *(uint32_t*)0x20000001d030 = 0;
  2175. *(uint32_t*)0x20000001d034 = 0;
  2176. *(uint64_t*)0x20000001d038 = 0x8000;
  2177. *(uint64_t*)0x20000001d040 = 0;
  2178. *(uint64_t*)0x20000001d048 = 0;
  2179. *(uint64_t*)0x20000001d050 = 0;
  2180. *(uint32_t*)0x20000001d058 = 0;
  2181. *(uint32_t*)0x20000001d05c = 0;
  2182. *(uint64_t*)0x20000001d060 = 0;
  2183. *(uint32_t*)0x20000001d068 = 0x5a;
  2184. *(uint16_t*)0x20000001d06c = 0;
  2185. *(uint16_t*)0x20000001d06e = 0;
  2186. *(uint32_t*)0x20000001d070 = 0;
  2187. *(uint32_t*)0x20000001d074 = 0;
  2188. *(uint64_t*)0x20000001d078 = 0;
  2189. res = syscall(__NR_perf_event_open, /*attr=*/0x20000001d000ul, /*pid=*/0,
  2190. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  2191. if (res != -1)
  2192. r[52] = res;
  2193. res = syscall(__NR_socket, /*domain=AF_NETLINK*/ 0x10ul,
  2194. /*type=SOCK_RAW*/ 3ul, /*proto=*/0);
  2195. if (res != -1)
  2196. r[53] = res;
  2197. memcpy((void*)0x200000000140,
  2198. "\x26\x00\x00\x00\x22\x00\x47\x01\x05\x00\x00\x07\x00\x00\x00\x00\x00"
  2199. "\x00\x00\x20\x00\x2b\x1f\x00\x0a\x4a\x51\xf1\xee\x83\x9c\xd5\x34\x00"
  2200. "\xb0\x17\xca\x5b",
  2201. 38);
  2202. syscall(__NR_write, /*fd=*/r[53], /*buf=*/0x200000000140ul, /*count=*/0x26ul);
  2203. *(uint32_t*)0x200000000040 = 5;
  2204. syscall(__NR_setsockopt, /*fd=*/r[53], /*level=*/1,
  2205. /*optname=SO_PASSCRED*/ 0x10, /*optval=*/0x200000000040ul,
  2206. /*optlen=*/4ul);
  2207. memcpy((void*)0x200000000000, "ethtool\000", 8);
  2208. syz_genetlink_get_family_id(/*name=*/0x200000000000, /*fd=*/r[53]);
  2209. *(uint64_t*)0x200000003480 = 0;
  2210. *(uint32_t*)0x200000003488 = 0;
  2211. *(uint64_t*)0x200000003490 = 0;
  2212. *(uint64_t*)0x200000003498 = 0;
  2213. *(uint64_t*)0x2000000034a0 = 0x200000001540;
  2214. *(uint64_t*)0x2000000034a8 = 0xf1;
  2215. *(uint32_t*)0x2000000034b0 = 0;
  2216. *(uint32_t*)0x2000000034b8 = 0;
  2217. syscall(__NR_recvmmsg, /*fd=*/r[53], /*mmsg=*/0x200000003480ul, /*vlen=*/1ul,
  2218. /*f=*/0ul, /*timeout=*/0ul);
  2219. memcpy((void*)0x200000000240, "/dev/snapshot\000", 14);
  2220. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  2221. /*file=*/0x200000000240ul,
  2222. /*flags=O_CLOEXEC|O_APPEND|O_WRONLY*/ 0x80401, /*mode=*/0);
  2223. if (res != -1)
  2224. r[54] = res;
  2225. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x3302, 0);
  2226. syscall(__NR_write, /*fd=*/r[54], /*buffer=*/0ul, /*len=*/0ul);
  2227. syscall(__NR_read, /*fd=*/r[52], /*buf=*/0x200000000280ul,
  2228. /*count=*/0x1000ul);
  2229. *(uint64_t*)0x200000000400 = 0x200000000380;
  2230. *(uint16_t*)0x200000000380 = 0x10;
  2231. *(uint16_t*)0x200000000382 = 0;
  2232. *(uint32_t*)0x200000000384 = 0;
  2233. *(uint32_t*)0x200000000388 = 0;
  2234. *(uint32_t*)0x200000000408 = 0xc;
  2235. *(uint64_t*)0x200000000410 = 0x2000000003c0;
  2236. *(uint64_t*)0x2000000003c0 = 0x200000000500;
  2237. *(uint64_t*)0x2000000003c8 = 0xac;
  2238. *(uint64_t*)0x200000000418 = 1;
  2239. *(uint64_t*)0x200000000420 = 0;
  2240. *(uint64_t*)0x200000000428 = 0;
  2241. *(uint32_t*)0x200000000430 = 0x800;
  2242. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0x200000000400ul,
  2243. /*f=MSG_BATCH|MSG_NOSIGNAL*/ 0x44000ul);
  2244. memcpy((void*)0x200000000000,
  2245. "lo\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 16);
  2246. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x8933, /*arg=*/0x200000000000ul);
  2247. memcpy((void*)0x200000000080, "./file0\000", 8);
  2248. res = syscall(
  2249. __NR_open, /*file=*/0x200000000080ul,
  2250. /*flags=O_TRUNC|O_NOFOLLOW|O_DIRECT|O_CREAT|O_CLOEXEC|0x3000*/ 0xa7240ul,
  2251. /*mode=*/0ul);
  2252. if (res != -1)
  2253. r[55] = res;
  2254. syscall(__NR_lseek, /*fd=*/r[55], /*offset=*/0ul, /*whence=SEEK_DATA*/ 3ul);
  2255. res = -1;
  2256. res = syz_io_uring_setup(/*entries=*/0x4333, /*params=*/0,
  2257. /*ring_ptr=*/0x200000ff5000,
  2258. /*sqes_ptr=*/0x200000ff4000);
  2259. if (res != -1)
  2260. r[56] = res;
  2261. *(uint64_t*)0x2000000002c0 = 0;
  2262. *(uint32_t*)0x2000000002c8 = 0;
  2263. *(uint64_t*)0x2000000002d0 = 0;
  2264. *(uint64_t*)0x2000000002d8 = 1;
  2265. *(uint64_t*)0x2000000002e0 = 0;
  2266. *(uint64_t*)0x2000000002e8 = 0;
  2267. *(uint32_t*)0x2000000002f0 = 0;
  2268. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0x2000000002c0ul, /*f=*/0ul);
  2269. syscall(__NR_listen, /*fd=*/-1, /*backlog=*/0);
  2270. *(uint32_t*)0x200000000100 = 2;
  2271. *(uint32_t*)0x200000000104 = 0x80;
  2272. *(uint8_t*)0x200000000108 = 0x80;
  2273. *(uint8_t*)0x200000000109 = 0;
  2274. *(uint8_t*)0x20000000010a = 0;
  2275. *(uint8_t*)0x20000000010b = 0;
  2276. *(uint32_t*)0x20000000010c = 0;
  2277. *(uint64_t*)0x200000000110 = 0;
  2278. *(uint64_t*)0x200000000118 = 0;
  2279. *(uint64_t*)0x200000000120 = 0;
  2280. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 0, 1);
  2281. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 1, 1);
  2282. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 2, 1);
  2283. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 3, 1);
  2284. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 4, 1);
  2285. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 5, 1);
  2286. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 6, 1);
  2287. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 7, 1);
  2288. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 8, 1);
  2289. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 9, 1);
  2290. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 10, 1);
  2291. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 11, 1);
  2292. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 12, 1);
  2293. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 13, 1);
  2294. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 14, 1);
  2295. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 15, 2);
  2296. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 17, 1);
  2297. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 18, 1);
  2298. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 19, 1);
  2299. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 20, 1);
  2300. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 21, 1);
  2301. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 22, 1);
  2302. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 23, 1);
  2303. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 24, 1);
  2304. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 25, 1);
  2305. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 26, 1);
  2306. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 27, 1);
  2307. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 28, 1);
  2308. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 29, 1);
  2309. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 30, 1);
  2310. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 31, 1);
  2311. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 32, 1);
  2312. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 33, 1);
  2313. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 34, 1);
  2314. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 35, 1);
  2315. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 36, 1);
  2316. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 37, 1);
  2317. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 38, 26);
  2318. *(uint32_t*)0x200000000130 = 0;
  2319. *(uint32_t*)0x200000000134 = 0;
  2320. *(uint64_t*)0x200000000138 = 0;
  2321. *(uint64_t*)0x200000000140 = 0;
  2322. *(uint64_t*)0x200000000148 = 0;
  2323. *(uint64_t*)0x200000000150 = 0;
  2324. *(uint32_t*)0x200000000158 = 0;
  2325. *(uint32_t*)0x20000000015c = 0;
  2326. *(uint64_t*)0x200000000160 = 0;
  2327. *(uint32_t*)0x200000000168 = 0;
  2328. *(uint16_t*)0x20000000016c = 0;
  2329. *(uint16_t*)0x20000000016e = 0;
  2330. *(uint32_t*)0x200000000170 = 2;
  2331. *(uint32_t*)0x200000000174 = 0;
  2332. *(uint64_t*)0x200000000178 = 0;
  2333. syscall(__NR_perf_event_open, /*attr=*/0x200000000100ul, /*pid=*/0,
  2334. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  2335. syz_sysconfig_set__proc_sys_net_ipv6_neigh_eth0_interval_probe_time_ms(
  2336. /*val=*/0);
  2337. memcpy((void*)0x200000000040, "@\000", 2);
  2338. res = syscall(__NR_memfd_create, /*name=*/0x200000000040ul,
  2339. /*flags=MFD_HUGETLB|MFD_ALLOW_SEALING*/ 6ul);
  2340. if (res != -1)
  2341. r[57] = res;
  2342. *(uint64_t*)0x200000000140 = 0xd692;
  2343. *(uint64_t*)0x200000000148 = 1;
  2344. *(uint16_t*)0x200000000150 = 4;
  2345. *(uint16_t*)0x200000000152 = 0;
  2346. *(uint32_t*)0x200000000154 = 0;
  2347. *(uint32_t*)0x200000000158 = -1;
  2348. *(uint64_t*)0x200000000160 = 0xff;
  2349. *(uint64_t*)0x200000000168 = 0;
  2350. *(uint32_t*)0x200000000170 = 0;
  2351. *(uint32_t*)0x200000000174 = 0;
  2352. *(uint32_t*)0x200000000178 = r[55];
  2353. *(uint64_t*)0x200000000180 = 8;
  2354. *(uint64_t*)0x200000000188 = 0;
  2355. *(uint32_t*)0x200000000190 = 0;
  2356. *(uint32_t*)0x200000000194 = 0;
  2357. *(uint32_t*)0x200000000198 = r[57];
  2358. *(uint64_t*)0x2000000001a0 = 2;
  2359. *(uint64_t*)0x2000000001a8 = 0;
  2360. *(uint32_t*)0x2000000001b0 = 0;
  2361. *(uint32_t*)0x2000000001b4 = 0;
  2362. *(uint32_t*)0x2000000001b8 = r[56];
  2363. *(uint64_t*)0x2000000001c0 = 0xfffffffffffffffd;
  2364. *(uint64_t*)0x2000000001c8 = 0;
  2365. *(uint32_t*)0x2000000001d0 = 0;
  2366. *(uint32_t*)0x2000000001d4 = 0;
  2367. syscall(__NR_ioctl, /*fd=*/r[56], /*cmd=*/0xc0189436,
  2368. /*arg=*/0x200000000140ul);
  2369. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/3ul, /*proto=*/2);
  2370. if (res != -1)
  2371. r[58] = res;
  2372. syscall(__NR_setsockopt, /*fd=*/r[58], /*level=*/0, /*opt=*/0xc9, /*val=*/0,
  2373. /*len=*/0ul);
  2374. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x89f3, /*arg=*/0ul);
  2375. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0);
  2376. if (res != -1)
  2377. r[59] = res;
  2378. memcpy((void*)0x200000000100,
  2379. "sit0\000\000\000\000\000\000\000\000\000\000\000\000", 16);
  2380. *(uint64_t*)0x200000000110 = 0x200000000500;
  2381. memcpy((void*)0x200000000500,
  2382. "tunl0\000\000\000\000\000\000\000\000\000\000\000", 16);
  2383. *(uint32_t*)0x200000000510 = 0;
  2384. *(uint16_t*)0x200000000514 = htobe16(0);
  2385. *(uint16_t*)0x200000000516 = htobe16(0x700);
  2386. *(uint32_t*)0x200000000518 = htobe32(1);
  2387. *(uint32_t*)0x20000000051c = htobe32(0);
  2388. STORE_BY_BITMASK(uint8_t, , 0x200000000520, 5, 0, 4);
  2389. STORE_BY_BITMASK(uint8_t, , 0x200000000520, 4, 4, 4);
  2390. STORE_BY_BITMASK(uint8_t, , 0x200000000521, 0, 0, 2);
  2391. STORE_BY_BITMASK(uint8_t, , 0x200000000521, 0, 2, 6);
  2392. *(uint16_t*)0x200000000522 = htobe16(0x14);
  2393. *(uint16_t*)0x200000000524 = htobe16(3);
  2394. *(uint16_t*)0x200000000526 = htobe16(0);
  2395. *(uint8_t*)0x200000000528 = 0;
  2396. *(uint8_t*)0x200000000529 = 0;
  2397. *(uint16_t*)0x20000000052a = htobe16(0);
  2398. *(uint8_t*)0x20000000052c = 0xac;
  2399. *(uint8_t*)0x20000000052d = 0x14;
  2400. *(uint8_t*)0x20000000052e = 0x14;
  2401. *(uint8_t*)0x20000000052f = 0x38;
  2402. *(uint8_t*)0x200000000530 = 0xac;
  2403. *(uint8_t*)0x200000000531 = 0x14;
  2404. *(uint8_t*)0x200000000532 = 0x14;
  2405. *(uint8_t*)0x200000000533 = 0xaa;
  2406. struct csum_inet csum_1;
  2407. csum_inet_init(&csum_1);
  2408. csum_inet_update(&csum_1, (const uint8_t*)0x200000000520, 20);
  2409. *(uint16_t*)0x20000000052a = csum_inet_digest(&csum_1);
  2410. syscall(__NR_ioctl, /*fd=*/r[59], /*cmd=*/0x89f1, /*arg=*/0x200000000100ul);
  2411. memcpy((void*)0x200000000140, "wchan\000", 6);
  2412. res = -1;
  2413. res = syz_open_procfs(/*pid=*/0, /*file=*/0x200000000140);
  2414. if (res != -1)
  2415. r[60] = res;
  2416. res = syscall(__NR_io_setup, /*n=*/3, /*ctx=*/0x200000000000ul);
  2417. if (res != -1)
  2418. r[61] = *(uint64_t*)0x200000000000;
  2419. res = syscall(__NR_eventfd2, /*initval=*/5,
  2420. /*flags=EFD_SEMAPHORE|EFD_NONBLOCK*/ 0x801ul);
  2421. if (res != -1)
  2422. r[62] = res;
  2423. res = -1;
  2424. res = syz_init_net_socket(/*domain=*/0x10, /*type=*/3, /*proto=*/0x10);
  2425. if (res != -1)
  2426. r[63] = res;
  2427. syz_init_net_socket(/*domain=*/0x10, /*type=*/3, /*proto=*/0x10);
  2428. res = -1;
  2429. res = syz_init_net_socket(/*domain=*/0x10, /*type=*/3, /*proto=*/0x10);
  2430. if (res != -1)
  2431. r[64] = res;
  2432. memcpy((void*)0x2000000001c0, "NLBL_CIPSOv4\000", 13);
  2433. syz_genetlink_get_family_id(/*name=*/0x2000000001c0, /*fd=*/r[64]);
  2434. memcpy((void*)0x2000000001c0, "NLBL_CIPSOv4\000", 13);
  2435. res = -1;
  2436. res = syz_genetlink_get_family_id(/*name=*/0x2000000001c0, /*fd=*/r[64]);
  2437. if (res != -1)
  2438. r[65] = res;
  2439. *(uint64_t*)0x200000000840 = 0;
  2440. *(uint32_t*)0x200000000848 = 0;
  2441. *(uint64_t*)0x200000000850 = 0x200000000800;
  2442. *(uint64_t*)0x200000000800 = 0x200000000000;
  2443. memcpy((void*)0x200000000000, "P\000\000\000", 4);
  2444. *(uint16_t*)0x200000000004 = r[65];
  2445. memcpy((void*)0x200000000006,
  2446. "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x04"
  2447. "\x80\x08\x00\x01\x00\x00\x00\x00\x00\x08\x00\x02\x00\x01\x00\x00\x00"
  2448. "\x10\x00\x0c\x80\x0c\x00\x0b\x80\x08\x00\x0a\x00\x44\xc9\x00\x00\x18"
  2449. "\x00\x08\x80\x14\x00\x07\x80\x08",
  2450. 59);
  2451. *(uint64_t*)0x200000000808 = 0x50;
  2452. *(uint64_t*)0x200000000858 = 1;
  2453. *(uint64_t*)0x200000000860 = 0;
  2454. *(uint64_t*)0x200000000868 = 0;
  2455. *(uint32_t*)0x200000000870 = 0;
  2456. syscall(__NR_sendmsg, /*fd=*/r[63], /*msg=*/0x200000000840ul, /*f=*/0ul);
  2457. *(uint64_t*)0x200000000840 = 0;
  2458. *(uint32_t*)0x200000000848 = 0;
  2459. *(uint64_t*)0x200000000850 = 0x200000000800;
  2460. *(uint64_t*)0x200000000800 = 0x200000000000;
  2461. memcpy((void*)0x200000000000, "P\000\000\000", 4);
  2462. *(uint16_t*)0x200000000004 = r[65];
  2463. memcpy((void*)0x200000000006,
  2464. "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x04"
  2465. "\x80\x08\x00\x01\x00\x00\x00\x00\x00\x08\x00\x02\x00\x01\x00\x00\x00"
  2466. "\x10\x00\x0c\x80\x0c\x00\x0b\x80\x08\x00\x0a\x00\x44\xc9\x00\x00\x18"
  2467. "\x00\x08\x80\x14\x00\x07\x80\x08",
  2468. 59);
  2469. *(uint64_t*)0x200000000808 = 0x50;
  2470. *(uint64_t*)0x200000000858 = 1;
  2471. *(uint64_t*)0x200000000860 = 0;
  2472. *(uint64_t*)0x200000000868 = 0;
  2473. *(uint32_t*)0x200000000870 = 0;
  2474. syscall(__NR_sendmsg, /*fd=*/r[63], /*msg=*/0x200000000840ul, /*f=*/0ul);
  2475. res = syscall(__NR_eventfd, /*initval=*/8);
  2476. if (res != -1)
  2477. r[66] = res;
  2478. syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x10);
  2479. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x10);
  2480. if (res != -1)
  2481. r[67] = res;
  2482. *(uint64_t*)0x2000000002c0 = 0;
  2483. *(uint32_t*)0x2000000002c8 = 0;
  2484. *(uint64_t*)0x2000000002d0 = 0x200000000280;
  2485. *(uint64_t*)0x200000000280 = 0x200000000200;
  2486. memcpy((void*)0x200000000200, "\x54\x84\x53\x6f", 4);
  2487. *(uint16_t*)0x200000000204 = 0;
  2488. memcpy((void*)0x200000000206,
  2489. "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0d\x00\x00\x00", 14);
  2490. *(uint64_t*)0x200000000288 = 0x14;
  2491. *(uint64_t*)0x2000000002d8 = 1;
  2492. *(uint64_t*)0x2000000002e0 = 0;
  2493. *(uint64_t*)0x2000000002e8 = 0;
  2494. *(uint32_t*)0x2000000002f0 = 0;
  2495. syscall(__NR_sendmsg, /*fd=*/r[67], /*msg=*/0x2000000002c0ul, /*f=*/0ul);
  2496. *(uint64_t*)0x2000000007c0 = 0x200000000280;
  2497. *(uint64_t*)0x200000000280 = 0;
  2498. *(uint32_t*)0x200000000288 = 0;
  2499. *(uint32_t*)0x20000000028c = 0;
  2500. *(uint16_t*)0x200000000290 = 0xf;
  2501. *(uint16_t*)0x200000000292 = 0x1f;
  2502. *(uint32_t*)0x200000000294 = r[60];
  2503. *(uint64_t*)0x200000000298 = 0x200000000180;
  2504. memcpy(
  2505. (void*)0x200000000180,
  2506. "\xb8\xcc\x94\x0b\xd9\x04\x6d\xe3\xdd\xf5\x7d\x3a\x5f\x6e\x3d\xf8\xc2\xcc"
  2507. "\x88\x2d\xe2\xd3\x44\x1e\xb0\xe1\xa8\x68\x5f\x9f\x39\x89\x61\x13\x0a\x56"
  2508. "\x3e\x23\xc7\x53\xd6\xcd\x3b\xdc\x3c\xd9\xdc\x36\xfd\x41\x0f\x71\x25\x25"
  2509. "\xe0\x8e\x14\x4e\x00\x5e\x1d\x4f\xf2\x20\x5c\x4f\x60\x7d\x46\x02\xb0\x70"
  2510. "\x97\x0f\xd7\xd7\xd7\x4c\x81\x9b\x7c\xad\xfe\x7d\x3a\xaa\x2b\xac\xba\xeb"
  2511. "\xae\xf6\x82\x02\x2e\x60\x71\x75\x4f\xef\xe9\xeb\x25\xb1\xba\xf1\xf1\x11"
  2512. "\xc7\x0d\x31\x91\x64\x95\xa4\xd8\x61\x9e\x00\xc3\x41\x03\x6e\xd7\xc9\xae"
  2513. "\x03\x95\x10\x49\x07\xbe\xad\x74\x66\xdf\x18\xf5\xea\x1b\x3f\x6d\xad\xba"
  2514. "\x4c\x0a\x23\x9d\xb3\xe1\xd3\x51\x9b\x55\x7c\x00\x2c\xbc\x07\x0d\x07\x23"
  2515. "\xf5\xf3\xd3\x6d\xf4\xd9\x98\x6c\x63\x59\x40\x5f\x73\x7c\x59\x03\x9c\xec"
  2516. "\xbd\x32\xaf\x39\xd3\xc6\x53\xd7\x8d\x06\x88\xc7\x2a\x31\x7c\xba\x46\x6e"
  2517. "\x59\x10\x8e\xf2\xf2\x9f\x59\x1a\xeb\x11\x37\xee\xe7\x06\x0b\xbf\x43\x57"
  2518. "\xe5\x38\xb5\x11\xd1\xff\x56\x66\x62",
  2519. 225);
  2520. *(uint64_t*)0x2000000002a0 = 0xe1;
  2521. *(uint64_t*)0x2000000002a8 = 5;
  2522. *(uint64_t*)0x2000000002b0 = 0;
  2523. *(uint32_t*)0x2000000002b8 = 2;
  2524. *(uint32_t*)0x2000000002bc = r[60];
  2525. *(uint64_t*)0x2000000007c8 = 0x200000000340;
  2526. *(uint64_t*)0x200000000340 = 0;
  2527. *(uint32_t*)0x200000000348 = 0;
  2528. *(uint32_t*)0x20000000034c = 0;
  2529. *(uint16_t*)0x200000000350 = 3;
  2530. *(uint16_t*)0x200000000352 = 7;
  2531. *(uint32_t*)0x200000000354 = r[60];
  2532. *(uint64_t*)0x200000000358 = 0x2000000002c0;
  2533. memcpy((void*)0x2000000002c0,
  2534. "\x74\xc1\x34\x5a\xb6\xa7\x40\xc0\x0a\x90\xbc\xc1\x6b\x20\xde\x08\x21"
  2535. "\xab\xb8\x33\x4e\x5c\xa8\x4e\xe1\xbf\x17\xc6\x98\x9e\xfb\x47\xbf\x19"
  2536. "\x70\x9c\x74\x13\x96\xbe\x38\x5d\x0b\x96\xf0\x31\x8d\xaa\x8f\x5f\x93"
  2537. "\xba\x23\xc6\xd5\xe3\x06\xb9\x97\xa3\xf6\x46\xb4\xa4\xba\x16\xd2\x61"
  2538. "\x08\x65\x8e\xcf\xd5\x52\x2c\xe8\x63\xdf\xb6",
  2539. 79);
  2540. *(uint64_t*)0x200000000360 = 0x4f;
  2541. *(uint64_t*)0x200000000368 = 3;
  2542. *(uint64_t*)0x200000000370 = 0;
  2543. *(uint32_t*)0x200000000378 = 0;
  2544. *(uint32_t*)0x20000000037c = -1;
  2545. *(uint64_t*)0x2000000007d0 = 0x200000000480;
  2546. *(uint64_t*)0x200000000480 = 0;
  2547. *(uint32_t*)0x200000000488 = 0;
  2548. *(uint32_t*)0x20000000048c = 0;
  2549. *(uint16_t*)0x200000000490 = 8;
  2550. *(uint16_t*)0x200000000492 = 0x4b;
  2551. *(uint32_t*)0x200000000494 = r[60];
  2552. *(uint64_t*)0x200000000498 = 0x200000000380;
  2553. memcpy(
  2554. (void*)0x200000000380,
  2555. "\xdb\x01\xa0\x0d\x65\xbe\x4a\xd9\x92\x87\x8e\xd8\xac\x43\x03\xf1\xd2\xd9"
  2556. "\xa9\xa0\xa7\x9d\x39\xd9\x8e\x9b\xd3\xb5\x33\x95\xaf\x54\x0b\x54\xa0\xa3"
  2557. "\x8f\xfd\x44\x1f\x77\x71\x2d\xe5\xa5\x70\x54\xae\x85\x03\x99\xdf\x7d\xad"
  2558. "\x94\x11\x72\xcb\x14\xaa\x67\x1f\x1e\x33\xf1\x99\xcd\x1a\x49\x14\xb6\x7d"
  2559. "\x98\xda\x31\x28\xdf\x0f\xfa\xa5\x6a\xed\x6c\x2b\x53\xbb\x13\x3f\xc6\x39"
  2560. "\x7c\xdc\x47\x15\xe3\xbf\x88\x52\xba\xa6\x05\x41\x84\xa3\xb5\xb6\x30\x08"
  2561. "\x3e\x05\x58\x3e\x84\x4d\xf4\xce\x5c\x20\x20\x11\x68\x06\x8c\x71\xdf\x0d"
  2562. "\x88\xeb\xf7\x7c\x7f\x3f\x9b\x1d\xd7\xf0\x54\x8a\x25\x5b\x40\x07\x7e\x0c"
  2563. "\x27\x82\xd4\x26\x91\xb1\x3a\xde\xa5\x6a\xbc\xa0\x60\xaa\xf6\x0d\x71\x97"
  2564. "\x68\xb6\x12\xef\x0f\xf0\xf5\x6f\x61\x56\x8c\xb2\x62\x02\xa9\x4c\x98\xec"
  2565. "\x3e\x53\xd8\xdd\xc7\xe5\xd7\x1b\xe3\xe4\xb0\x36\x63\x8b\x20\x16\xb3\x88"
  2566. "\xc1\x1a\x52\x17\x6f\xab\xdf\x68\x5f\x84\xc6\xd0\x7a\xb3\x00\x0a\xf7\x28"
  2567. "\x69\x40\xd3\x8c\xea\x77\x28\xfe\x83\x10\x45\x6d\x5f\x89\x44",
  2568. 231);
  2569. *(uint64_t*)0x2000000004a0 = 0xe7;
  2570. *(uint64_t*)0x2000000004a8 = 0xe;
  2571. *(uint64_t*)0x2000000004b0 = 0;
  2572. *(uint32_t*)0x2000000004b8 = 1;
  2573. *(uint32_t*)0x2000000004bc = r[60];
  2574. *(uint64_t*)0x2000000007d8 = 0x200000000540;
  2575. *(uint64_t*)0x200000000540 = 0;
  2576. *(uint32_t*)0x200000000548 = 0;
  2577. *(uint32_t*)0x20000000054c = 0;
  2578. *(uint16_t*)0x200000000550 = 0;
  2579. *(uint16_t*)0x200000000552 = 5;
  2580. *(uint32_t*)0x200000000554 = r[60];
  2581. *(uint64_t*)0x200000000558 = 0x2000000004c0;
  2582. memcpy((void*)0x2000000004c0,
  2583. "\xfc\x46\x18\xbc\x8c\x56\x77\xac\x71\xcb\x08\xdc\x3b\xb1\xcf\xdb\xe9"
  2584. "\xa1\x98\x26\x10\x90\xc8\x9d\x4a\xd2\x69\xe3\x80\xe6\x28\xaa\xff\xc4"
  2585. "\xec\x2c\xfa\xea\xeb\x33\x33\x79\x98\x5f\xc5\xa3\x63\x78\x7a\x67\x49"
  2586. "\xc5\xba\xf4\x1e\x2b\x63\xdf\x1a\x80\x5b\x3f\xef\x47\xd5\x00\xaf\xc2"
  2587. "\x71\xe3\x41\x64\x99\x50\x0a\x44\xe4\xab\x8a\xbf\x2b\x10\x22\xe8\x0f"
  2588. "\xfc\x70\xd6\x00\x41\xad\xfa\x68\xac\xf1\xdb\x03\x1d\x6a\x17\xd5\xd6"
  2589. "\x83\x84\x9a\xf5\x89\x49\x9f\xa0\x48\xa4\xc1\x45\xae\x32\x5e\x01\xc0"
  2590. "\x54\xa5\xf1\xe6\x2b\x8f\x20",
  2591. 126);
  2592. *(uint64_t*)0x200000000560 = 0x7e;
  2593. *(uint64_t*)0x200000000568 = 8;
  2594. *(uint64_t*)0x200000000570 = 0;
  2595. *(uint32_t*)0x200000000578 = 3;
  2596. *(uint32_t*)0x20000000057c = r[60];
  2597. *(uint64_t*)0x2000000007e0 = 0x2000000005c0;
  2598. *(uint64_t*)0x2000000005c0 = 0;
  2599. *(uint32_t*)0x2000000005c8 = 0;
  2600. *(uint32_t*)0x2000000005cc = 0;
  2601. *(uint16_t*)0x2000000005d0 = 6;
  2602. *(uint16_t*)0x2000000005d2 = 3;
  2603. *(uint32_t*)0x2000000005d4 = r[60];
  2604. *(uint64_t*)0x2000000005d8 = 0x200000000580;
  2605. memcpy((void*)0x200000000580,
  2606. "\x46\xfb\x49\x28\xfe\x1e\xb8\xc2\xa5\xcf\x9b\x38\x5b\xa7\x18\x50\x1d"
  2607. "\x00\x8a\x5a\x56\x6c\x0a\xfa\x02\x2d\x5d\x48\x5c\x98\x72\xa5\x5a\x8e"
  2608. "\x84\x4d\xfe\x10\x53\x2e\x43\x29\xcd\xfa\x33",
  2609. 45);
  2610. *(uint64_t*)0x2000000005e0 = 0x2d;
  2611. *(uint64_t*)0x2000000005e8 = 3;
  2612. *(uint64_t*)0x2000000005f0 = 0;
  2613. *(uint32_t*)0x2000000005f8 = 2;
  2614. *(uint32_t*)0x2000000005fc = r[62];
  2615. *(uint64_t*)0x2000000007e8 = 0x2000000006c0;
  2616. *(uint64_t*)0x2000000006c0 = 0;
  2617. *(uint32_t*)0x2000000006c8 = 0;
  2618. *(uint32_t*)0x2000000006cc = 0;
  2619. *(uint16_t*)0x2000000006d0 = 5;
  2620. *(uint16_t*)0x2000000006d2 = 1;
  2621. *(uint32_t*)0x2000000006d4 = r[60];
  2622. *(uint64_t*)0x2000000006d8 = 0x200000000600;
  2623. memcpy(
  2624. (void*)0x200000000600,
  2625. "\x9e\xef\x20\xd5\x76\xe9\x43\x47\x04\x2a\x1c\xf8\x8e\xd7\xd5\xfd\xf2\xeb"
  2626. "\xbf\x07\x8a\x40\x39\x46\x47\xbf\x0c\x77\x4b\x27\x86\xa4\x4b\xec\x64\x1f"
  2627. "\xb6\x6f\x9d\x17\x89\x1f\xf0\xb4\x68\xa6\x43\xcd\x4b\xf3\x99\xc2\x48\x6d"
  2628. "\xb2\xf2\x8b\xc7\x57\x31\x67\xf2\x99\xf6\xf2\x63\x60\xa2\xef\xa8\x30\x30"
  2629. "\xd3\xd6\xc0\x57\x02\xa4\x25\x12\xfe\xcf\x49\xae\x38\xe6\x46\x84\xb9\xef"
  2630. "\x7d\x75\xea\xb5\x6f\x9d\xd5\x1d\x1a\x04\x32\x80\xd4\x12\x4d\x98\x78\x3c"
  2631. "\xf7\xf8\xb3\xa8\x8c\xb6\x19\x49\x4a\x95\x9e\x3f\x43\xd7\xa1\x05\x64\x26"
  2632. "\xa3\x8c\xe7\x65\xc5\xfa\xa0\x6c\x2e\x28\xff\x20\x1e\x63\x9a\x50\xf3\x34"
  2633. "\x1a\x92\xa1\x84\xe6\x6c\x15\x92\xaa\x31\xf7\x4e\x58\x15\x25\x9e\xd6\x6d"
  2634. "\xd1\x41\xa3\xa4\x1b\xb3\x27\x9d\xe4\x11\x5e\x7e\xfc\x22",
  2635. 176);
  2636. *(uint64_t*)0x2000000006e0 = 0xb0;
  2637. *(uint64_t*)0x2000000006e8 = 4;
  2638. *(uint64_t*)0x2000000006f0 = 0;
  2639. *(uint32_t*)0x2000000006f8 = 0;
  2640. *(uint32_t*)0x2000000006fc = r[60];
  2641. *(uint64_t*)0x2000000007f0 = 0x200000000780;
  2642. *(uint64_t*)0x200000000780 = 0;
  2643. *(uint32_t*)0x200000000788 = 0;
  2644. *(uint32_t*)0x20000000078c = 0;
  2645. *(uint16_t*)0x200000000790 = 1;
  2646. *(uint16_t*)0x200000000792 = 5;
  2647. *(uint32_t*)0x200000000794 = r[60];
  2648. *(uint64_t*)0x200000000798 = 0x200000000700;
  2649. memcpy((void*)0x200000000700,
  2650. "\x5d\xe1\x6e\x1e\x21\xbc\x35\xd0\x9b\xac\x08\xbb\x0a\x11\x33\x64\x78"
  2651. "\x19\x02\xde\xaf\xa0\x9f\x57\x60\xb1\x3f\xd6\x73\xb2\x20\xb0\x9f\xf0"
  2652. "\x12\x46\x44\x96\x3f\x0b\x14\x36\x19\x60\x5a\x5b\xba\x3c\x25\xa8\x5e"
  2653. "\xae\xbd\xcf\x27\xe6\x11\x5a\x4b\x71\xaf\x4b\xc1\x24\x5b\xb3\x06\xa3"
  2654. "\xdf\x94\x54\x76\xcb\x82\xd4\xd0\x0c\xda",
  2655. 78);
  2656. *(uint64_t*)0x2000000007a0 = 0x4e;
  2657. *(uint64_t*)0x2000000007a8 = 0x40;
  2658. *(uint64_t*)0x2000000007b0 = 0;
  2659. *(uint32_t*)0x2000000007b8 = 0;
  2660. *(uint32_t*)0x2000000007bc = r[66];
  2661. syscall(__NR_io_submit, /*ctx=*/r[61], /*nr=*/7ul,
  2662. /*iocbpp=*/0x2000000007c0ul);
  2663. *(uint16_t*)0x200000000800 = 0xa;
  2664. *(uint16_t*)0x200000000802 = htobe16(0x4e21);
  2665. *(uint32_t*)0x200000000804 = htobe32(3);
  2666. *(uint8_t*)0x200000000808 = 0xfe;
  2667. *(uint8_t*)0x200000000809 = 0x80;
  2668. memset((void*)0x20000000080a, 0, 13);
  2669. *(uint8_t*)0x200000000817 = 0xbb;
  2670. *(uint32_t*)0x200000000818 = 0x1ff;
  2671. syscall(__NR_bind, /*fd=*/r[60], /*addr=*/0x200000000800ul,
  2672. /*addrlen=*/0x1cul);
  2673. syscall(__NR_read, /*fd=*/r[60], /*buf=*/0x200000000040ul, /*count=*/0xecul);
  2674. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  2675. if (res != -1)
  2676. r[68] = res;
  2677. *(uint64_t*)0x200000006440 = 0;
  2678. *(uint32_t*)0x200000006448 = 7;
  2679. *(uint64_t*)0x200000006450 = 0x2000000063c0;
  2680. *(uint64_t*)0x2000000063c0 = 0x200000000000;
  2681. memcpy((void*)0x200000000000,
  2682. "\x38\x00\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08"
  2683. "\x00\x00\x00",
  2684. 20);
  2685. *(uint32_t*)0x200000000014 = 0;
  2686. memcpy((void*)0x200000000018, "\b\000\000\000", 4);
  2687. *(uint32_t*)0x20000000001c = 0;
  2688. memcpy((void*)0x200000000020,
  2689. "\x14\x00\x1b\x00\x00\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x00\x00"
  2690. "\x00\x00\x01\x04\x00\x12",
  2691. 23);
  2692. *(uint64_t*)0x2000000063c8 = 0x38;
  2693. *(uint64_t*)0x200000006458 = 1;
  2694. *(uint64_t*)0x200000006460 = 0;
  2695. *(uint64_t*)0x200000006468 = 0;
  2696. *(uint32_t*)0x200000006470 = 0;
  2697. syscall(__NR_sendmsg, /*fd=*/r[68], /*msg=*/0x200000006440ul, /*f=*/0ul);
  2698. memcpy((void*)0x200000000240, "/dev/input/event#\000", 18);
  2699. res = -1;
  2700. res = syz_open_dev(/*dev=*/0x200000000240, /*id=*/0, /*flags=*/0);
  2701. if (res != -1)
  2702. r[69] = res;
  2703. *(uint32_t*)0x200000000000 = 0xee00;
  2704. *(uint32_t*)0x200000000004 = -1;
  2705. res = syscall(__NR_getgroups, /*size=*/2ul, /*list=*/0x200000000000ul);
  2706. if (res != -1)
  2707. r[70] = *(uint32_t*)0x200000000004;
  2708. *(uint32_t*)0x200000000180 = r[70];
  2709. syscall(__NR_setgroups, /*size=*/1ul, /*list=*/0x200000000180ul);
  2710. syscall(__NR_ioctl, /*fd=*/r[69], /*cmd=*/0x4b47, /*arg=*/0ul);
  2711. memcpy(
  2712. (void*)0x200000000480,
  2713. "\000\254="
  2714. "\235\322\333\032\'\370\n\355cJ\216\204\324N\000\233\037\t\275\021+"
  2715. "\206T\026\243\263\2560\2379?\357o\244k\0012>"
  2716. "\241\234\206x\034\237\204\0315\336\227_\t~\363Y\022\"p^"
  2717. "\000\002\264\375\336\344\266\274K#^\000}2\306:|"
  2718. "R\004\302\270I\243\271\342\242\353w^I\0177i$\361\324\233\307\262\276D`"
  2719. "\217\303\226\274#4\027\365\263\311\262\224\250_f!\337\220}"
  2720. "\272\243\001\342\317\267\"S\a\004ry\000#"
  2721. "4\207m\367\343\365\247\332\271\313U\276\006]\251\266R~\311l}"
  2722. "\267I\376H\263\025\214\006d\370c\300{\v\322\235\216\\\256>"
  2723. "\366qucC\3242e9\340\277\335\334\231\364\\\320\226:\373\214\022o\314-"
  2724. "\023\024\276v\256\200Zp\225c]\230\214\001\217o\257jN\313\230\337\323["
  2725. "V\275["
  2726. "\271\020v\356\334\310G\320\3349\314O\367\265\274\317\373\351\024\000\000"
  2727. "dU\000\000\000\b\373\265Z\260-"
  2728. "\310\333\243f\364W\353\006\302\321\266\321%\312\217\0013|"
  2729. "\216z\036o\030\266#@P&[\255\332\nmU\2023\\&P\334\274S\200\301dJ!"
  2730. "LH\252\a\202\363\336\226\205\305\335\250\222\307\313\221\362["
  2731. "Y\006\212\237N\020\271\364\354q\316\322\027\210\256\3147r\327\352z\316vR"
  2732. "\312u\r\361\t\302$k\337\217\342\276\376\024AN\370\306\250`Fs[6kYH+"
  2733. "\245\334xUY3<v\361\r\256i\240Xam\vN\177R\226.^"
  2734. "\323\001VbON\303P\347\026\314\312\326\345\350\r\233\215."
  2735. "\335\032\252\246*"
  2736. "\355\314h\177\373\027\334MmX\352\317\3040\031\b\341\261\364\177\312\276g"
  2737. "\261bEm[\004\tX8\025#\224\246M?\340\2071\200\305~_\022J\353 "
  2738. "\000R\247=/\375:\257\303\030\020\f\241\032\247Yt\0251\307T",
  2739. 495);
  2740. res = syscall(__NR_memfd_create, /*name=*/0x200000000480ul, /*flags=*/0ul);
  2741. if (res != -1)
  2742. r[71] = res;
  2743. memset((void*)0x200000002000, 47, 1);
  2744. syscall(__NR_write, /*fd=*/r[71], /*buf=*/0x200000002000ul, /*count=*/1ul);
  2745. syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x3000ul,
  2746. /*prot=PROT_SEM|PROT_EXEC*/ 0xcul,
  2747. /*flags=MAP_FIXED|MAP_SHARED*/ 0x11ul, /*fd=*/r[71], /*offset=*/0ul);
  2748. memcpy((void*)0x2000000000c0, "security.evm\000", 13);
  2749. syscall(__NR_lsetxattr, /*path=*/0ul, /*name=*/0x2000000000c0ul, /*val=*/0ul,
  2750. /*size=*/0ul, /*flags=*/0x200000000000000ul);
  2751. res = syscall(__NR_socket, /*domain=AF_INET|0x840000000000*/ 0x840000000002ul,
  2752. /*type=SOCK_RAW*/ 3ul, /*proto=*/6);
  2753. if (res != -1)
  2754. r[72] = res;
  2755. *(uint16_t*)0x2000000005c0 = 2;
  2756. *(uint16_t*)0x2000000005c2 = htobe16(0);
  2757. *(uint8_t*)0x2000000005c4 = 0xac;
  2758. *(uint8_t*)0x2000000005c5 = 0x14;
  2759. *(uint8_t*)0x2000000005c6 = 0x14;
  2760. *(uint8_t*)0x2000000005c7 = 0xaa;
  2761. syscall(__NR_connect, /*fd=*/r[72], /*addr=*/0x2000000005c0ul,
  2762. /*addrlen=*/0x10ul);
  2763. *(uint64_t*)0x200000005240 = 0;
  2764. *(uint32_t*)0x200000005248 = 0xa001800f;
  2765. *(uint64_t*)0x200000005250 = 0;
  2766. *(uint64_t*)0x200000005258 = 0;
  2767. *(uint64_t*)0x200000005260 = 0;
  2768. *(uint64_t*)0x200000005268 = 0;
  2769. *(uint32_t*)0x200000005270 = 0xffeb;
  2770. *(uint32_t*)0x200000005278 = 0xfffffdef;
  2771. syscall(__NR_sendmmsg, /*fd=*/r[72], /*mmsg=*/0x200000005240ul,
  2772. /*vlen=*/0x4000095ul, /*f=*/0ul);
  2773. *(uint32_t*)0x200000000180 = 0;
  2774. syscall(__NR_getsockname, /*fd=*/r[72], /*addr=*/0ul,
  2775. /*addrlen=*/0x200000000180ul);
  2776. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x8903, /*arg=*/0x2000000009c0ul);
  2777. syscall(__NR_getresuid, /*ruid=*/0x200000000a00ul, /*euid=*/0x200000000a40ul,
  2778. /*suid=*/0x200000000a80ul);
  2779. *(uint32_t*)0x200000000ac0 = 1;
  2780. *(uint32_t*)0x200000000ac4 = 1;
  2781. *(uint32_t*)0x200000000ac8 = 0x18;
  2782. *(uint32_t*)0x200000000acc = -1;
  2783. *(uint32_t*)0x200000000ad0 = 0;
  2784. *(uint32_t*)0x200000000ad4 = -1;
  2785. memcpy((void*)0x200000000ad8, "./file0\000", 8);
  2786. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0xc018937b, /*arg=*/0x200000000ac0ul);
  2787. memcpy((void*)0x200000000b00, "/proc/sys/net/ipv4/tcp_congestion_control\000",
  2788. 42);
  2789. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000b00ul,
  2790. /*flags=*/1, /*mode=*/0);
  2791. memcpy((void*)0x200000000b40, "/dev/rtc#\000", 10);
  2792. syz_open_dev(/*dev=*/0x200000000b40, /*id=*/0xca1,
  2793. /*flags=O_NOFOLLOW*/ 0x20000);
  2794. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0xc);
  2795. if (res != -1)
  2796. r[73] = res;
  2797. memcpy((void*)0x2000000000c0,
  2798. "lo\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 16);
  2799. *(uint64_t*)0x2000000000d0 = 0x200000000040;
  2800. *(uint32_t*)0x200000000040 = 0x4c;
  2801. *(uint32_t*)0x200000000044 = 0;
  2802. *(uint8_t*)0x200000000048 = 0;
  2803. *(uint8_t*)0x200000000049 = 0;
  2804. *(uint8_t*)0x20000000004a = 0;
  2805. *(uint8_t*)0x20000000004b = 0;
  2806. *(uint8_t*)0x20000000004c = 0;
  2807. *(uint8_t*)0x20000000004d = 0;
  2808. *(uint8_t*)0x20000000004e = 0x10;
  2809. *(uint8_t*)0x20000000004f = 0;
  2810. *(uint32_t*)0x200000000050 = 0;
  2811. *(uint32_t*)0x200000000054 = 0;
  2812. *(uint32_t*)0x200000000058 = 0;
  2813. *(uint32_t*)0x20000000005c = 0;
  2814. *(uint32_t*)0x200000000060 = 0;
  2815. *(uint32_t*)0x200000000064 = 0;
  2816. *(uint32_t*)0x200000000068 = 0;
  2817. *(uint32_t*)0x20000000006c = 0;
  2818. syscall(__NR_ioctl, /*fd=*/r[73], /*cmd=*/0x8946, /*arg=*/0x2000000000c0ul);
  2819. res = syscall(
  2820. __NR_socket, /*domain=AF_PACKET|0x200000000000000*/ 0x200000000000011ul,
  2821. /*type=SOCK_CLOEXEC|SOCK_DGRAM|0x4000000000000000*/ 0x4000000000080002ul,
  2822. /*proto=*/0);
  2823. if (res != -1)
  2824. r[74] = res;
  2825. res = syscall(__NR_socket, /*domain=AF_NETLINK*/ 0x10ul,
  2826. /*type=SOCK_RAW*/ 3ul, /*proto=*/0);
  2827. if (res != -1)
  2828. r[75] = res;
  2829. memcpy((void*)0x200000000180,
  2830. "\x90\x00\x00\x00\x18\x00\x1f\x2f\xb9\x40\x9b\x52\xff\xff\x65\x58\x02"
  2831. "\x00\xbe\x08\x02\x0c\x06\x05\x60\x0a\x0b\x07\x43\x00\x05\x00\xff\xff"
  2832. "\xff\x9e\x00\xc8\x38\x88\x27\xa6\x85\xa1\x4a\xd0\xbf\x47\xd3\x23\x45"
  2833. "\x65\x36\x02\x78\x8d\xca\xaf\x6c\x26\xc2\x91\x21\x45\x49\x93\x5a\xde"
  2834. "\x4a\x46\x0c\x20\xb6\xec\x0c\xff\x39\x59\x54\x7f\x50\x0f\x58\xba\x86"
  2835. "\xc9\x02\x00\x0f\x1d\x01\x2e\xd6\x8d\xf6\x14\xa4\x16\xb1\xec\x02\x00"
  2836. "\x02\x80\x16\x00\x12\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2837. "\x00\x00\x00\x00\x00\x3e\x5f\xa4\x24\xac\x4d\x31\xc4\xf7\xa1\xbd\xe0"
  2838. "\x99\xd4\x12\x70\xc9\x34\xbd\xcf",
  2839. 144);
  2840. syscall(__NR_sendto, /*fd=*/r[75], /*buf=*/0x200000000180ul, /*len=*/0x90ul,
  2841. /*f=*/0ul, /*addr=*/0ul, /*addrlen=*/0ul);
  2842. memcpy((void*)0x200000000000,
  2843. "sit0\000\000\000\000\000\000\000\000\000\000\000\000", 16);
  2844. syscall(__NR_ioctl, /*fd=*/r[74], /*cmd=*/0x8933, /*arg=*/0x200000000000ul);
  2845. res = -1;
  2846. res = syz_open_dev(/*dev=*/0xc, /*major=*/4, /*minor=*/1);
  2847. if (res != -1)
  2848. r[76] = res;
  2849. syscall(__NR_ioctl, /*fd=*/r[76], /*cmd=*/0x4b66, /*arg=*/0x200000000080ul);
  2850. *(uint64_t*)0x200000001000 = 3;
  2851. syscall(__NR_signalfd, /*fd=*/-1, /*mask=*/0x200000001000ul, /*size=*/8ul);
  2852. memcpy((void*)0x200000001040, "/dev/random\000", 12);
  2853. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000001040ul,
  2854. /*flags=O_SYNC|O_CLOEXEC|FASYNC*/ 0x183000, /*mode=*/0);
  2855. memcpy((void*)0x200000000180, "./bus\000", 6);
  2856. res = syscall(__NR_open, /*file=*/0x200000000180ul,
  2857. /*flags=O_TRUNC|O_SYNC|O_NOFOLLOW|O_NOATIME|O_EXCL|O_CREAT|0x2*/
  2858. 0x1612c2ul, /*mode=*/0ul);
  2859. if (res != -1)
  2860. r[77] = res;
  2861. memcpy((void*)0x200000000080, "/proc/diskstats\000", 16);
  2862. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  2863. /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0);
  2864. if (res != -1)
  2865. r[78] = res;
  2866. syscall(__NR_sendfile, /*fdout=*/r[77], /*fdin=*/r[78], /*off=*/0ul,
  2867. /*count=*/0x4000000000010046ul);
  2868. *(uint32_t*)0x200000000040 = 2;
  2869. *(uint32_t*)0x200000000044 = 0x80;
  2870. *(uint8_t*)0x200000000048 = 5;
  2871. *(uint8_t*)0x200000000049 = 0;
  2872. *(uint8_t*)0x20000000004a = 0;
  2873. *(uint8_t*)0x20000000004b = 0;
  2874. *(uint32_t*)0x20000000004c = 0;
  2875. *(uint64_t*)0x200000000050 = 0;
  2876. *(uint64_t*)0x200000000058 = 0;
  2877. *(uint64_t*)0x200000000060 = 0;
  2878. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 0, 1);
  2879. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 1, 1, 1);
  2880. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 2, 1);
  2881. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 3, 1);
  2882. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 4, 1);
  2883. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 5, 1);
  2884. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 6, 1);
  2885. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 7, 1);
  2886. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 8, 1);
  2887. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 9, 1);
  2888. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 10, 1);
  2889. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 11, 1);
  2890. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 12, 1);
  2891. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 13, 1);
  2892. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 14, 1);
  2893. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 15, 2);
  2894. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 17, 1);
  2895. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 18, 1);
  2896. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 19, 1);
  2897. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 20, 1);
  2898. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 21, 1);
  2899. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 22, 1);
  2900. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 23, 1);
  2901. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 24, 1);
  2902. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 25, 1);
  2903. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 26, 1);
  2904. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 27, 1);
  2905. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 28, 1);
  2906. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 29, 1);
  2907. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 30, 1);
  2908. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 31, 1);
  2909. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 32, 1);
  2910. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 33, 1);
  2911. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 34, 1);
  2912. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 35, 1);
  2913. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 36, 1);
  2914. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 37, 1);
  2915. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 38, 26);
  2916. *(uint32_t*)0x200000000070 = 0;
  2917. *(uint32_t*)0x200000000074 = 0;
  2918. *(uint64_t*)0x200000000078 = 0;
  2919. *(uint64_t*)0x200000000080 = 0;
  2920. *(uint64_t*)0x200000000088 = 0;
  2921. *(uint64_t*)0x200000000090 = 0;
  2922. *(uint32_t*)0x200000000098 = 0;
  2923. *(uint32_t*)0x20000000009c = 0;
  2924. *(uint64_t*)0x2000000000a0 = 0;
  2925. *(uint32_t*)0x2000000000a8 = 0;
  2926. *(uint16_t*)0x2000000000ac = 0;
  2927. *(uint16_t*)0x2000000000ae = 0;
  2928. *(uint32_t*)0x2000000000b0 = 6;
  2929. *(uint32_t*)0x2000000000b4 = 0;
  2930. *(uint64_t*)0x2000000000b8 = 0;
  2931. syscall(__NR_perf_event_open, /*attr=*/0x200000000040ul, /*pid=*/0,
  2932. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  2933. syscall(__NR_socket, /*domain=*/0xaul, /*type=*/2ul, /*proto=*/0x88);
  2934. syz_open_dev(/*dev=*/0xc, /*major=*/2, /*minor=*/0x14);
  2935. memcpy((void*)0x200000001280, ".pending_reads\000", 15);
  2936. syscall(__NR_openat, /*fd=*/-1, /*file=*/0x200000001280ul,
  2937. /*flags=O_NOFOLLOW*/ 0x20000, /*mode=S_IWUSR*/ 0x80);
  2938. syscall(__NR_timer_create,
  2939. /*id=CLOCK_REALTIME_COARSE|0xfffffff8*/ 0xfffffffdul, /*ev=*/0ul,
  2940. /*timerid=*/0x200000000040ul);
  2941. memcpy((void*)0x200000001500, "keyring\000", 8);
  2942. memcpy((void*)0x200000001540, "syz", 3);
  2943. *(uint8_t*)0x200000001543 = 0x22;
  2944. *(uint8_t*)0x200000001544 = 0;
  2945. res = syscall(__NR_add_key, /*type=*/0x200000001500ul,
  2946. /*desc=*/0x200000001540ul, /*payload=*/0ul, /*paylen=*/0ul,
  2947. /*keyring=*/0xfffffffb);
  2948. if (res != -1)
  2949. r[79] = res;
  2950. syscall(__NR_keyctl, /*code=*/0x1eul, /*key=*/r[79], /*from_keyring=*/0,
  2951. /*to_keyring=*/0, /*flags=*/0ul);
  2952. *(uint64_t*)0x200000000140 = 0;
  2953. *(uint64_t*)0x200000000148 = 0;
  2954. *(uint64_t*)0x200000000150 = 0x77359400;
  2955. *(uint64_t*)0x200000000158 = 0;
  2956. syscall(__NR_timer_settime, /*timerid=*/0, /*flags=*/0ul,
  2957. /*new=*/0x200000000140ul, /*old=*/0ul);
  2958. return 0;
  2959. }
  2960.  