xiaoy1

Untitled

May 19th, 2025
  1. // autogenerated by syzkaller (https://github.com/google/syzkaller)
  2.  
  3. #define _GNU_SOURCE
  4.  
  5. #include <arpa/inet.h>
  6. #include <endian.h>
  7. #include <errno.h>
  8. #include <fcntl.h>
  9. #include <net/if.h>
  10. #include <netinet/in.h>
  11. #include <setjmp.h>
  12. #include <stdbool.h>
  13. #include <stddef.h>
  14. #include <stdint.h>
  15. #include <stdio.h>
  16. #include <stdlib.h>
  17. #include <string.h>
  18. #include <sys/ioctl.h>
  19. #include <sys/mman.h>
  20. #include <sys/mount.h>
  21. #include <sys/socket.h>
  22. #include <sys/stat.h>
  23. #include <sys/syscall.h>
  24. #include <sys/types.h>
  25. #include <unistd.h>
  26.  
  27. #include <linux/genetlink.h>
  28. #include <linux/if_addr.h>
  29. #include <linux/if_link.h>
  30. #include <linux/in6.h>
  31. #include <linux/loop.h>
  32. #include <linux/neighbour.h>
  33. #include <linux/net.h>
  34. #include <linux/netlink.h>
  35. #include <linux/rtnetlink.h>
  36. #include <linux/veth.h>
  37.  
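  /*
   * Write `val` to /proc/sys/vm/mmap_rnd_bits through the shell.
   *
   * Best-effort sysconfig helper of the generated program: the outcome of
   * the write is deliberately ignored and the function always returns 0.
   * The command text is fully determined by `val` (a long), so nothing
   * caller-controlled other than a decimal number reaches the shell.
   */
  static long syz_sysconfig_set__proc_sys_vm_mmap_rnd_bits(volatile long val)
  {
      char command[256];
      /* Bounded formatting; the text is far shorter than the buffer, but the
       * explicit bound survives future edits to the path or format. */
      int len = snprintf(command, sizeof(command),
                         "echo %ld > /proc/sys/vm/mmap_rnd_bits", val);
      if (len < 0 || (size_t)len >= sizeof(command))
          return 0;
      /* Return value intentionally unused: the previous
       * `if (ret != 0) return 0;` branch was dead code. */
      int ret = system(command);
      (void)ret;
      return 0;
  }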
  48.  
  49.  
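  /*
   * Reset /proc/sys/vm/mmap_rnd_bits to 28, the baseline value the
   * generated program restores after syz_sysconfig_set__proc_sys_vm_mmap_rnd_bits.
   * Best-effort: the shell's exit status is ignored and 0 is always returned.
   */
  static long syz_sysconfig_reset__proc_sys_vm_mmap_rnd_bits(void)
  {
      /* The command is a compile-time constant, so no formatting buffer is
       * needed (the old sprintf into a 256-byte array added nothing). */
      int ret = system("echo 28 > /proc/sys/vm/mmap_rnd_bits");
      (void)ret;
      return 0;
  }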
  60.  
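  /*
   * Write `val` to /proc/sys/net/ipv4/conf/default/route_localnet through
   * the shell. Best-effort: the result of the write is ignored and the
   * function always returns 0. Only the decimal rendering of `val` is
   * interpolated into the command.
   */
  static long syz_sysconfig_set__proc_sys_net_ipv4_conf_default_route_localnet(volatile long val)
  {
      char command[256];
      int len = snprintf(command, sizeof(command),
                         "echo %ld > /proc/sys/net/ipv4/conf/default/route_localnet", val);
      /* Cannot happen for a long, but keep the bound explicit. */
      if (len < 0 || (size_t)len >= sizeof(command))
          return 0;
      /* Exit status intentionally unused; the former
       * `if (ret != 0) return 0;` branch was dead code. */
      int ret = system(command);
      (void)ret;
      return 0;
  }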
  71.  
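  /*
   * Write `val` to /proc/sys/vm/zone_reclaim_mode through the shell.
   * Best-effort: the write's outcome is ignored and 0 is always returned.
   * Only the decimal rendering of `val` is interpolated into the command.
   */
  static long syz_sysconfig_set__proc_sys_vm_zone_reclaim_mode(volatile long val)
  {
      char command[256];
      int len = snprintf(command, sizeof(command),
                         "echo %ld > /proc/sys/vm/zone_reclaim_mode", val);
      /* Cannot happen for a long, but keep the bound explicit. */
      if (len < 0 || (size_t)len >= sizeof(command))
          return 0;
      /* Exit status intentionally unused; the former
       * `if (ret != 0) return 0;` branch was dead code. */
      int ret = system(command);
      (void)ret;
      return 0;
  }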
  82.  
  83.  
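  /*
   * Reset /proc/sys/vm/zone_reclaim_mode to 0, the baseline the generated
   * program restores after syz_sysconfig_set__proc_sys_vm_zone_reclaim_mode.
   * Best-effort: the shell's exit status is ignored and 0 is always returned.
   */
  static long syz_sysconfig_reset__proc_sys_vm_zone_reclaim_mode(void)
  {
      /* Constant command: no formatting buffer required. */
      int ret = system("echo 0 > /proc/sys/vm/zone_reclaim_mode");
      (void)ret;
      return 0;
  }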
  94.  
  95.  
  96. #ifndef __NR_memfd_create
  97. #define __NR_memfd_create 319
  98. #endif
  99. #ifndef __NR_seccomp
  100. #define __NR_seccomp 317
  101. #endif
  102.  
  /* Index of this executor process; used to derive per-process resource
   * names such as "/dev/loop<procid>" (see syz_mount_image). */
  static unsigned long long procid;

  /* Mask of bf_len one-bits starting at bit bf_off (requires bf_len < 64,
   * since 1ull << 64 is undefined). */
  #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
  /* Store `val` into the bit-field [bf_off, bf_off + bf_len) of the `type`
   * object at `addr`. `htobe` is applied around both the read and the write,
   * so the field offset is interpreted in the converted byte order.
   * Note: `addr` is evaluated more than once. */
  #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) = \
  htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
  (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
  110.  
  /* A netlink request under construction. `buf` holds the nlmsghdr followed
   * by the fixed payload and attributes; `pos` is the write cursor into it.
   * netlink_send_ext refuses to send while `nesting` is non-zero and reuses
   * `buf` for the kernel's reply. `nested` presumably stores the headers of
   * up to 8 open nested attributes; it is not touched in this excerpt. */
  struct nlmsg {
  char* pos;
  int nesting;
  struct nlattr* nested[8];
  char buf[4096];
  };
  117.  
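  /*
   * Begin a new netlink request in `nlmsg`: clear the message, fill the
   * nlmsghdr with `typ` and `NLM_F_REQUEST | NLM_F_ACK | flags`, copy `size`
   * bytes of `data` behind the header as the fixed payload and place the
   * cursor at the next NLMSG_ALIGN'd offset. nlmsg_len is computed later by
   * netlink_send_ext from the cursor position.
   *
   * A payload that cannot fit behind the header is a bug in the generated
   * program; fail hard, as netlink_send_ext does for an overrun cursor,
   * rather than write past `buf`.
   */
  static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
                           const void* data, int size)
  {
      if (size < 0 || (size_t)size > sizeof(nlmsg->buf) - sizeof(struct nlmsghdr))
          exit(1);
      memset(nlmsg, 0, sizeof(*nlmsg));
      struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
      hdr->nlmsg_type = typ;
      hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
      /* Skip the copy for an empty payload so a NULL `data` is acceptable. */
      if (size > 0)
          memcpy(hdr + 1, data, size);
      nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
  }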
  128.  
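  /*
   * Append one attribute (nlattr header plus `size` bytes of `data`) at the
   * cursor and advance the cursor to the next NLMSG_ALIGN'd offset. `size`
   * may be 0 for a flag attribute, in which case nothing is copied.
   *
   * nla_len is a 16-bit field and `buf` is finite: sizes that would not fit
   * are rejected before anything is written, instead of relying on the
   * after-the-fact cursor check in netlink_send_ext.
   */
  static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
                           int size)
  {
      if (size < 0 || (size_t)size > 0xffff - sizeof(struct nlattr))
          exit(1);
      size_t total = sizeof(struct nlattr) + (size_t)size;
      size_t used = (size_t)(nlmsg->pos - nlmsg->buf);
      if (used > sizeof(nlmsg->buf) || NLMSG_ALIGN(total) > sizeof(nlmsg->buf) - used)
          exit(1);
      struct nlattr* attr = (struct nlattr*)nlmsg->pos;
      attr->nla_len = total;
      attr->nla_type = typ;
      if (size > 0)
          memcpy(attr + 1, data, size);
      nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
  }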
  139.  
  /*
   * Finish the request in `nlmsg`, send it on `sock` and read one reply back
   * into nlmsg->buf (overwriting the request).
   *
   * Returns 0 when the reply is NLMSG_DONE, when it has type `reply_type`
   * (then *reply_len receives its length), or when it is an NLMSG_ERROR
   * whose error field is 0 (a plain ACK). Otherwise returns -1 with errno
   * set (EINVAL for a truncated or unexpected reply, or the send/recv error)
   * or, for a real NLMSG_ERROR, the negative kernel error with errno set to
   * its positive value. With `dofail`, every failure calls exit(1) instead.
   */
  static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
  int* reply_len, bool dofail)
  {
  /* An overrun cursor or an attribute nest left open is a bug in the
   * generated program, not a runtime condition: abort. */
  if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
  exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  /* Zeroed sockaddr_nl: nl_pid 0 addresses the kernel. */
  struct sockaddr_nl addr;
  memset(&addr, 0, sizeof(addr));
  addr.nl_family = AF_NETLINK;
  ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
  (struct sockaddr*)&addr, sizeof(addr));
  if (n != (ssize_t)hdr->nlmsg_len) {
  if (dofail)
  exit(1);
  return -1;
  }
  /* The reply lands in the same buffer, so `hdr` now describes the reply. */
  n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  if (reply_len)
  *reply_len = 0;
  if (n < 0) {
  if (dofail)
  exit(1);
  return -1;
  }
  /* Header fields are only read once at least a full nlmsghdr arrived. */
  if (n < (ssize_t)sizeof(struct nlmsghdr)) {
  errno = EINVAL;
  if (dofail)
  exit(1);
  return -1;
  }
  if (hdr->nlmsg_type == NLMSG_DONE)
  return 0;
  if (reply_len && hdr->nlmsg_type == reply_type) {
  *reply_len = n;
  return 0;
  }
  /* Anything else must be an NLMSG_ERROR big enough to carry an nlmsgerr. */
  if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
  errno = EINVAL;
  if (dofail)
  exit(1);
  return -1;
  }
  if (hdr->nlmsg_type != NLMSG_ERROR) {
  errno = EINVAL;
  if (dofail)
  exit(1);
  return -1;
  }
  /* nlmsgerr.error is a negated errno (0 for a plain ACK), so this yields
   * errno >= 0 and a return value <= 0. Note: not affected by `dofail`. */
  errno = -((struct nlmsgerr*)(hdr + 1))->error;
  return -errno;
  }
  192.  
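  /*
   * Resolve the generic-netlink family id for `family_name` with a
   * CTRL_CMD_GETFAMILY request on `sock`. Returns the id (> 0), or -1 with
   * errno set (EINVAL when the reply carries no usable CTRL_ATTR_FAMILY_ID).
   * `dofail` is passed through to netlink_send_ext.
   *
   * The reply is walked attribute by attribute. Every attribute header is
   * checked against the received length before it is read, and an nla_len
   * smaller than the header ends the walk: besides being malformed, such a
   * length would never advance the cursor (NLMSG_ALIGN(0) == 0) and the
   * original loop would spin forever on it.
   */
  static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
                                     const char* family_name, bool dofail)
  {
      struct genlmsghdr genlhdr;
      memset(&genlhdr, 0, sizeof(genlhdr));
      genlhdr.cmd = CTRL_CMD_GETFAMILY;
      netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
      netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
                   strnlen(family_name, GENL_NAMSIZ - 1) + 1);
      int n = 0;
      int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
      if (err < 0)
          return -1;
      uint16_t id = 0;
      size_t total = n > 0 ? (size_t)n : 0;
      size_t off = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr));
      while (off + sizeof(struct nlattr) <= total) {
          const struct nlattr* attr = (const struct nlattr*)(nlmsg->buf + off);
          if (attr->nla_len < sizeof(*attr) || attr->nla_len > total - off)
              break;
          if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
              /* memcpy avoids an unaligned uint16_t load; a payload too short
               * to hold the id leaves `id` at 0 and is reported as EINVAL. */
              if (attr->nla_len - sizeof(*attr) >= sizeof(id))
                  memcpy(&id, attr + 1, sizeof(id));
              break;
          }
          off += NLMSG_ALIGN(attr->nla_len);
      }
      if (!id) {
          errno = EINVAL;
          return -1;
      }
      /* Consume the follow-up message (presumably the ACK requested via
       * NLM_F_ACK in netlink_init) so it does not pollute the next exchange.
       * Its content is not needed. */
      recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
      return id;
  }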
  224.  
  /*
   * Open a device node for the syzkaller "open_dev" pseudo-call.
   * a0 == 0xc or 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
   * (major and minor truncated to 8 bits) with O_RDWR.
   * Otherwise a0 is a NUL-terminated path template: each '#' is replaced
   * by the next decimal digit of a1 (least significant first) and the
   * result is opened with flags a2. Returns the fd, or -1 like open(2).
   */
  static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
  {
      const bool by_number = (a0 == 0xc || a0 == 0xb);
      if (by_number) {
          char path[128];
          const char* kind = (a0 == 0xc) ? "char" : "block";
          /* Longest result is "/dev/block/255:255"; the bound is just defensive. */
          snprintf(path, sizeof(path), "/dev/%s/%d:%d", kind, (uint8_t)a1,
                   (uint8_t)a2);
          return open(path, O_RDWR, 0);
      }
      char path[1024];
      strncpy(path, (const char*)a0, sizeof(path) - 1);
      path[sizeof(path) - 1] = '\0';
      /* Each strchr restarts from the front, so placeholders are filled
       * left to right with a1's digits from least significant upward. */
      for (char* hash = strchr(path, '#'); hash != NULL; hash = strchr(path, '#')) {
          *hash = '0' + (char)(a1 % 10);
          a1 /= 10;
      }
      return open(path, a2, 0);
  }
  244.  
  /*
   * Open an entry of procfs for the calling task. a0 == 0 selects
   * /proc/self/<a1>, a0 == -1 selects /proc/thread-self/<a1>, any other a0
   * selects /proc/self/task/<a0>/<a1>; a1 points to the entry name.
   * O_RDWR is tried first with a fallback to O_RDONLY. Returns the fd or -1.
   */
  static long syz_open_procfs(volatile long a0, volatile long a1)
  {
      const char* name = (const char*)a1;
      char path[128] = {0};
      switch (a0) {
      case 0:
          snprintf(path, sizeof(path), "/proc/self/%s", name);
          break;
      case -1:
          snprintf(path, sizeof(path), "/proc/thread-self/%s", name);
          break;
      default:
          snprintf(path, sizeof(path), "/proc/self/task/%d/%s", (int)a0, name);
          break;
      }
      int fd = open(path, O_RDWR);
      return fd != -1 ? fd : open(path, O_RDONLY);
  }
  261.  
  /*
   * Look up a generic-netlink family id by name (`name` points to the
   * NUL-terminated family name). A non-negative `sock_arg` is used as the
   * netlink socket; otherwise a temporary NETLINK_GENERIC socket is opened
   * for the query and closed afterwards. Returns the id or -1.
   */
  static long syz_genetlink_get_family_id(volatile long name,
                                          volatile long sock_arg)
  {
      const bool own_socket = (int)sock_arg < 0;
      int fd = (int)sock_arg;
      if (own_socket) {
          fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
          if (fd == -1)
              return -1;
      }
      struct nlmsg msg;
      int id = netlink_query_family_id(&msg, fd, (char*)name, false);
      if (own_socket)
          close(fd);
      return id < 0 ? -1 : id;
  }
  281.  
  282. //% This code is derived from puff.{c,h}, found in the zlib development. The
  283. //% original files come with the following copyright notice:
  284.  
  285. //% Copyright (C) 2002-2013 Mark Adler, all rights reserved
  286. //% version 2.3, 21 Jan 2013
  287. //% This software is provided 'as-is', without any express or implied
  288. //% warranty. In no event will the author be held liable for any damages
  289. //% arising from the use of this software.
  290. //% Permission is granted to anyone to use this software for any purpose,
  291. //% including commercial applications, and to alter it and redistribute it
  292. //% freely, subject to the following restrictions:
  293. //% 1. The origin of this software must not be misrepresented; you must not
  294. //% claim that you wrote the original software. If you use this software
  295. //% in a product, an acknowledgment in the product documentation would be
  296. //% appreciated but is not required.
  297. //% 2. Altered source versions must be plainly marked as such, and must not be
  298. //% misrepresented as being the original software.
  299. //% 3. This notice may not be removed or altered from any source distribution.
  300. //% Mark Adler [email protected]
  301.  
  302. //% BEGIN CODE DERIVED FROM puff.{c,h}
  303.  
  304. #define MAXBITS 15
  305. #define MAXLCODES 286
  306. #define MAXDCODES 30
  307. #define MAXCODES (MAXLCODES + MAXDCODES)
  308. #define FIXLCODES 288
  309.  
  /* Decoder state for the puff() inflater.
   *   out / outlen / outcnt : destination buffer, its capacity, bytes written
   *   in / inlen / incnt    : source buffer, its length, bytes consumed
   *   bitbuf / bitcnt       : bit accumulator and number of valid bits in it
   *   env                   : longjmp target taken by puff_bits/puff_decode
   *                           when the input runs out; puff() setjmp's it */
  struct puff_state {
  unsigned char* out;
  unsigned long outlen;
  unsigned long outcnt;
  const unsigned char* in;
  unsigned long inlen;
  unsigned long incnt;
  int bitbuf;
  int bitcnt;
  jmp_buf env;
  };
  /* Return the next `need` bits of input, least-significant bit first,
   * refilling the accumulator one byte at a time. Running out of input
   * longjmp's to s->env (handled in puff() as error 2). */
  static int puff_bits(struct puff_state* s, int need)
  {
      long acc = s->bitbuf;
      int have = s->bitcnt;
      for (; have < need; have += 8) {
          if (s->incnt == s->inlen)
              longjmp(s->env, 1);
          acc |= (long)s->in[s->incnt++] << have;
      }
      /* Drop the consumed bits, keep the remainder for the next call. */
      s->bitbuf = (int)(acc >> need);
      s->bitcnt = have - need;
      return (int)(acc & ((1L << need) - 1));
  }
  /* Copy a stored (uncompressed) deflate block to the output. Returns 0 on
   * success, 2 when the input ends early, 1 when the output is full and -2
   * when NLEN is not the complement of LEN. Zero bytes are not written:
   * the caller (puff_zlib_to_file) supplies a freshly mmap'd, all-zero
   * buffer, so skipping them is equivalent and leaves untouched pages alone. */
  static int puff_stored(struct puff_state* s)
  {
      /* A stored block starts on a byte boundary; discard buffered bits. */
      s->bitbuf = 0;
      s->bitcnt = 0;
      if (s->incnt + 4 > s->inlen)
          return 2;
      const unsigned char* hdr = s->in + s->incnt;
      s->incnt += 4;
      unsigned len = hdr[0] | (hdr[1] << 8);
      unsigned nlen = hdr[2] | (hdr[3] << 8);
      if (nlen != (~len & 0xffff))
          return -2;
      if (s->incnt + len > s->inlen)
          return 2;
      if (s->outcnt + len > s->outlen)
          return 1;
      while (len--) {
          unsigned char byte = s->in[s->incnt++];
          if (byte)
              s->out[s->outcnt] = byte;
          s->outcnt++;
      }
      return 0;
  }
  /* Canonical Huffman code as built by puff_construct: count[len] is the
   * number of codes of bit length len (0..MAXBITS), symbol[] lists the
   * symbols ordered by code length and then by value. */
  struct puff_huffman {
  short* count;
  short* symbol;
  };
  /*
   * Decode one symbol from the input with the canonical Huffman code `h`
   * (the bit-by-bit "slow" decoder from puff.c). Bits are taken from
   * s->bitbuf first and then from the input one byte at a time; running out
   * of input longjmp's to s->env. Returns the symbol, or -10 when no code of
   * length <= MAXBITS matches the bits read (invalid stream).
   */
  static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
  {
  int first = 0;
  int index = 0;
  int bitbuf = s->bitbuf;
  int left = s->bitcnt;
  int code = first = index = 0;
  int len = 1;
  short* next = h->count + 1;
  while (1) {
  /* Try each length in turn: `first` is the first code of length `len`
   * and `index` the position in h->symbol of that length's first symbol. */
  while (left--) {
  code |= bitbuf & 1;
  bitbuf >>= 1;
  int count = *next++;
  if (code - count < first) {
  s->bitbuf = bitbuf;
  /* `len` bits were consumed; keep the leftover bit count modulo 8. */
  s->bitcnt = (s->bitcnt - len) & 7;
  return h->symbol[index + (code - first)];
  }
  index += count;
  first += count;
  first <<= 1;
  code <<= 1;
  len++;
  }
  /* Buffered bits exhausted: fetch another byte unless every code length
   * up to MAXBITS has already been tried. */
  left = (MAXBITS + 1) - len;
  if (left == 0)
  break;
  if (s->incnt == s->inlen)
  longjmp(s->env, 1);
  bitbuf = s->in[s->incnt++];
  if (left > 8)
  left = 8;
  }
  return -10;
  }
  /* Build the canonical Huffman tables in `h` from the `n` code lengths in
   * `length`. Returns 0 for a complete code (or when every length is zero),
   * a positive value for an incomplete code, and a negative value when the
   * lengths over-subscribe the code space. */
  static int puff_construct(struct puff_huffman* h, const short* length, int n)
  {
      short* count = h->count;
      memset(count, 0, (MAXBITS + 1) * sizeof(*count));
      for (int sym = 0; sym < n; sym++)
          count[length[sym]]++;
      if (count[0] == n)
          return 0;
      /* Kraft-style check: codes remaining after each length, doubling. */
      int left = 1;
      for (int len = 1; left >= 0 && len <= MAXBITS; len++)
          left = (left << 1) - count[len];
      if (left < 0)
          return left;
      /* Starting index in symbol[] for each code length. */
      short offs[MAXBITS + 1];
      offs[1] = 0;
      for (int len = 1; len < MAXBITS; len++)
          offs[len + 1] = offs[len] + count[len];
      for (int sym = 0; sym < n; sym++) {
          short len = length[sym];
          if (len != 0)
              h->symbol[offs[len]++] = sym;
      }
      return left;
  }
  /*
   * Decode literal/length and distance codes with `lencode`/`distcode`
   * until the end-of-block symbol (256). Literals are stored to the output,
   * matches are copied from `dist` bytes back. Returns 0 at end of block,
   * 1 when the output buffer is full, -10 for an invalid length symbol,
   * -11 for a distance reaching before the start of the output; errors from
   * puff_decode are passed through.
   *
   * This copy differs from stock puff.c in never writing zero bytes (neither
   * literals nor match bytes): the caller (puff_zlib_to_file) passes a fresh
   * anonymous mapping that is already zero, so the skip is equivalent and
   * leaves untouched pages untouched.
   */
  static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
  const struct puff_huffman* distcode)
  {
  /* Base lengths and extra-bit counts for length symbols 257..285, and
   * base distances and extra-bit counts for distance symbols 0..29
   * (the RFC 1951 tables). */
  static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
  15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
  67, 83, 99, 115, 131, 163, 195, 227, 258};
  static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
  2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
  static const short dists[30] = {
  1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
  33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
  1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
  4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
  9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  int symbol;
  do {
  symbol = puff_decode(s, lencode);
  if (symbol < 0)
  return symbol;
  if (symbol < 256) {
  /* Literal byte; zero is skipped, see above. */
  if (s->outcnt == s->outlen)
  return 1;
  if (symbol)
  s->out[s->outcnt] = symbol;
  s->outcnt++;
  } else if (symbol > 256) {
  /* Length/distance pair: symbols 257..285 index lens/lext. */
  symbol -= 257;
  if (symbol >= 29)
  return -10;
  int len = lens[symbol] + puff_bits(s, lext[symbol]);
  symbol = puff_decode(s, distcode);
  if (symbol < 0)
  return symbol;
  unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
  if (dist > s->outcnt)
  return -11;
  if (s->outcnt + len > s->outlen)
  return 1;
  /* Byte-at-a-time copy so an overlapping match (dist < len) repeats. */
  while (len--) {
  if (dist <= s->outcnt && s->out[s->outcnt - dist])
  s->out[s->outcnt] = s->out[s->outcnt - dist];
  s->outcnt++;
  }
  }
  } while (symbol != 256);
  return 0;
  }
  /* Inflate a fixed-Huffman block (BTYPE 01). The fixed literal/length and
   * distance tables are built on first use and kept in static storage for
   * later blocks; puff_construct's return values are ignored here, as in
   * the original puff.c. */
  static int puff_fixed(struct puff_state* s)
  {
      static int tables_ready = 0;
      static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
      static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
      static struct puff_huffman lencode = {lencnt, lensym};
      static struct puff_huffman distcode = {distcnt, distsym};
      if (!tables_ready) {
          /* Fixed literal/length code lengths: 8 for 0..143, 9 for 144..255,
           * 7 for 256..279, 8 for 280..287. */
          short lengths[FIXLCODES];
          int sym = 0;
          while (sym < 144)
              lengths[sym++] = 8;
          while (sym < 256)
              lengths[sym++] = 9;
          while (sym < 280)
              lengths[sym++] = 7;
          while (sym < FIXLCODES)
              lengths[sym++] = 8;
          puff_construct(&lencode, lengths, FIXLCODES);
          /* Fixed distance code: all 30 symbols are 5 bits long. */
          for (sym = 0; sym < MAXDCODES; sym++)
              lengths[sym] = 5;
          puff_construct(&distcode, lengths, MAXDCODES);
          tables_ready = 1;
      }
      return puff_codes(s, &lencode, &distcode);
  }
  /*
   * Inflate a dynamic-Huffman block (BTYPE 10): read the code-length code,
   * use it to decode the literal/length and distance code lengths, build
   * both tables and hand off to puff_codes. Returns puff_codes' result, or a
   * negative puff error for a malformed header: -3 (too many codes), -4 (bad
   * code-length code), -5/-6 (bad repeat), -7/-8 (incomplete literal or
   * distance code, except when every length is 0 or 1), -9 (no end-of-block
   * code). Errors from puff_decode are passed through.
   */
  static int puff_dynamic(struct puff_state* s)
  {
  /* Order in which the 19 code-length code lengths appear in the stream. */
  static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
  11, 4, 12, 3, 13, 2, 14, 1, 15};
  int nlen = puff_bits(s, 5) + 257;
  int ndist = puff_bits(s, 5) + 1;
  int ncode = puff_bits(s, 4) + 4;
  if (nlen > MAXLCODES || ndist > MAXDCODES)
  return -3;
  short lengths[MAXCODES];
  int index;
  for (index = 0; index < ncode; index++)
  lengths[order[index]] = puff_bits(s, 3);
  for (; index < 19; index++)
  lengths[order[index]] = 0;
  /* lencode first holds the code-length code; it is rebuilt below for the
   * literal/length code. */
  short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  struct puff_huffman lencode = {lencnt, lensym};
  int err = puff_construct(&lencode, lengths, 19);
  if (err != 0)
  return -4;
  /* Decode nlen + ndist code lengths. Symbols 0..15 are literal lengths;
   * 16 repeats the previous length 3..6 times, 17 emits 3..10 zeros and
   * 18 emits 11..138 zeros. */
  index = 0;
  while (index < nlen + ndist) {
  int symbol;
  int len;
  symbol = puff_decode(s, &lencode);
  if (symbol < 0)
  return symbol;
  if (symbol < 16)
  lengths[index++] = symbol;
  else {
  len = 0;
  if (symbol == 16) {
  /* No previous length to repeat. */
  if (index == 0)
  return -5;
  len = lengths[index - 1];
  symbol = 3 + puff_bits(s, 2);
  } else if (symbol == 17)
  symbol = 3 + puff_bits(s, 3);
  else
  symbol = 11 + puff_bits(s, 7);
  if (index + symbol > nlen + ndist)
  return -6;
  while (symbol--)
  lengths[index++] = len;
  }
  }
  /* The end-of-block code (256) must be present. */
  if (lengths[256] == 0)
  return -9;
  /* An incomplete code is only tolerated when all lengths are 0 or 1
   * (count[0] + count[1] == number of codes). */
  err = puff_construct(&lencode, lengths, nlen);
  if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
  return -7;
  short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  struct puff_huffman distcode = {distcnt, distsym};
  err = puff_construct(&distcode, lengths + nlen, ndist);
  if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
  return -8;
  return puff_codes(s, &lencode, &distcode);
  }
  /* Inflate the raw deflate stream source[0..sourcelen) into `dest`, whose
   * capacity is *destlen on entry; on return *destlen holds the number of
   * bytes produced (also on error). Returns 0 on success, 2 when the input
   * is exhausted (directly or via the bit reader's longjmp), 1 when the
   * output is full, and a negative puff error code for malformed data. */
  static int puff(unsigned char* dest, unsigned long* destlen,
                  const unsigned char* source, unsigned long sourcelen)
  {
      struct puff_state s = {
          .out = dest,
          .outlen = *destlen,
          .outcnt = 0,
          .in = source,
          .inlen = sourcelen,
          .incnt = 0,
          .bitbuf = 0,
          .bitcnt = 0,
      };
      int err = 0;
      if (setjmp(s.env) != 0) {
          /* Landed here from puff_bits/puff_decode: input ran out. */
          err = 2;
      } else {
          int last;
          do {
              last = puff_bits(&s, 1);
              switch (puff_bits(&s, 2)) {
              case 0:
                  err = puff_stored(&s);
                  break;
              case 1:
                  err = puff_fixed(&s);
                  break;
              case 2:
                  err = puff_dynamic(&s);
                  break;
              default:
                  err = -1;
                  break;
              }
          } while (err == 0 && !last);
      }
      *destlen = s.outcnt;
      return err;
  }
  587.  
  588. //% END CODE DERIVED FROM puff.{c,h}
  589.  
  590. #define ZLIB_HEADER_WIDTH 2
  591.  
  /* Inflate a zlib stream into dest_fd: skip the two-byte zlib header, puff
   * the deflate payload into an anonymous 132 MiB mapping and write the
   * result out. The trailing Adler-32 is not checked. Returns 0 on success
   * (including an input shorter than the header, which writes nothing) and
   * -1 on failure; when inflation fails errno is set to -err, so the
   * positive "exhausted" codes 1 and 2 yield a negative errno. */
  static int puff_zlib_to_file(const unsigned char* source,
                               unsigned long sourcelen, int dest_fd)
  {
      if (sourcelen < ZLIB_HEADER_WIDTH)
          return 0;
      const unsigned long max_destlen = 132 << 20;
      unsigned char* dest = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
                                 MAP_PRIVATE | MAP_ANON, -1, 0);
      if (dest == MAP_FAILED)
          return -1;
      unsigned long destlen = max_destlen;
      int err = puff(dest, &destlen, source + ZLIB_HEADER_WIDTH,
                     sourcelen - ZLIB_HEADER_WIDTH);
      if (err != 0) {
          munmap(dest, max_destlen);
          errno = -err;
          return -1;
      }
      ssize_t written = write(dest_fd, dest, destlen);
      if (written != (ssize_t)destlen) {
          munmap(dest, max_destlen);
          return -1;
      }
      return munmap(dest, max_destlen);
  }
  618.  
  /*
   * Create a loop device backed by the zlib-compressed image `data` of
   * `size` bytes: inflate it into an anonymous memfd, open `loopname` and
   * attach the memfd with LOOP_SET_FD. On success stores the loop fd in
   * *loopfd_p and returns 0. On failure returns -1 with errno set to the
   * error of the failing step (saved before the cleanup calls so they
   * cannot clobber it).
   */
  static int setup_loop_device(unsigned char* data, unsigned long size,
  const char* loopname, int* loopfd_p)
  {
  int err = 0, loopfd = -1;
  /* Raw syscall; __NR_memfd_create has a fallback define above. */
  int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  if (memfd == -1) {
  err = errno;
  goto error;
  }
  if (puff_zlib_to_file(data, size, memfd)) {
  err = errno;
  goto error_close_memfd;
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
  err = errno;
  goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
  /* EBUSY: something is still attached (presumably from an earlier run).
   * Detach it, give the kernel a moment and retry exactly once. */
  if (errno != EBUSY) {
  err = errno;
  goto error_close_loop;
  }
  ioctl(loopfd, LOOP_CLR_FD, 0);
  usleep(1000);
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
  err = errno;
  goto error_close_loop;
  }
  }
  /* The loop device now refers to the backing file itself; this
   * descriptor is no longer needed. */
  close(memfd);
  *loopfd_p = loopfd;
  return 0;

  error_close_loop:
  close(loopfd);
  error_close_memfd:
  close(memfd);
  error:
  errno = err;
  return -1;
  }
  /* Detach whatever backs the loop device at `loopname`. All errors are
   * ignored: the device may not exist or may already be free. */
  static void reset_loop_device(const char* loopname)
  {
      int fd = open(loopname, O_RDWR);
      if (fd == -1)
          return;
      (void)ioctl(fd, LOOP_CLR_FD, 0);
      close(fd);
  }
  672.  
  /*
   * Mount a filesystem image for the generated program. When `size` is
   * non-zero, `image` points to `size` bytes of zlib-compressed image data
   * that is attached to /dev/loop<procid> and used as the mount source;
   * otherwise a source-less mount of type `fs` is attempted. `dir` is
   * created (mkdir 0777) and used as the target, `optsarg` is the mount
   * option string (copied with room kept for the per-filesystem additions
   * below) and a non-zero `change_dir` makes the process chdir into it.
   *
   * Returns an O_RDONLY|O_DIRECTORY fd on the mounted directory, or -1 with
   * errno set. Note: when `change_dir` is set, `res` is overwritten with
   * chdir's result (0 or -1), so the directory fd is only returned for
   * change_dir == 0 while the descriptor itself stays open either way. The
   * loop device is detached again (reset_loop_device) before returning.
   */
  static long syz_mount_image(volatile long fsarg, volatile long dir,
  volatile long flags, volatile long optsarg,
  volatile long change_dir,
  volatile unsigned long size, volatile long image)
  {
  unsigned char* data = (unsigned char*)image;
  int res = -1, err = 0, need_loop_device = !!size;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
  int loopfd;
  memset(loopname, 0, sizeof(loopname));
  snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
  if (setup_loop_device(data, size, loopname, &loopfd) == -1)
  return -1;
  /* Only the device path is needed from here on. */
  close(loopfd);
  source = loopname;
  }
  mkdir(target, 0777);
  char opts[256];
  memset(opts, 0, sizeof(opts));
  /* Intentionally empty (presumably a debug print in the generator that the
   * reproducer strips); overlong option strings are simply truncated below. */
  if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  }
  /* 32 bytes are held back for the suffixes appended below; opts was
   * zeroed, so the copy is always NUL-terminated. */
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  if (strcmp(fs, "iso9660") == 0) {
  flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
  /* Recognise errors=remount-ro only as a whole option token. */
  bool has_remount_ro = false;
  char* remount_ro_start = strstr(opts, "errors=remount-ro");
  if (remount_ro_start != NULL) {
  char after = *(remount_ro_start + strlen("errors=remount-ro"));
  char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
  has_remount_ro = ((before == '\0' || before == ',') &&
  (after == '\0' || after == ','));
  }
  /* Append errors=continue unless the image asked for remount-ro;
   * presumably so an errors=panic image cannot take the machine down. */
  if (strstr(opts, "errors=panic") || !has_remount_ro)
  strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
  /* nouuid: presumably to allow images with a duplicate filesystem UUID. */
  strcat(opts, ",nouuid");
  }
  res = mount(source, target, fs, flags, opts);
  if (res == -1) {
  err = errno;
  goto error_clear_loop;
  }
  /* This fd is what the generated program stores as the mount resource. */
  res = open(target, O_RDONLY | O_DIRECTORY);
  if (res == -1) {
  err = errno;
  goto error_clear_loop;
  }
  if (change_dir) {
  res = chdir(target);
  if (res == -1) {
  err = errno;
  }
  }

  error_clear_loop:
  if (need_loop_device)
  reset_loop_device(loopname);
  errno = err;
  return res;
  }
  739.  
  /* Result slots of the generated program: a call that yields a resource
   * (fd, id, ...) stores its return value in r[i] when it is not -1, and
   * later calls read it back as an argument (see main). Slots start as -1
   * (0xffffffffffffffff), the "no value yet" marker; the few entries that
   * start at 0x0 are presumably resources whose fallback value is 0 —
   * confirm against the rest of main. */
  uint64_t r[35] = {0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0x0,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0x0,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0xffffffffffffffff,
  0x0,
  0x0};
  775.  
  776. int main(void)
  777. {
  778. syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  779. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  780. /*offset=*/0ul);
  781. syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
  782. /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
  783. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  784. /*offset=*/0ul);
  785. syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  786. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  787. /*offset=*/0ul);
  788. const char* reason;
  789. (void)reason;
  790. intptr_t res = 0;
  791. if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  792. }
  793. memcpy((void*)0x200000000040, "./bus\000", 6);
  794. res = syscall(__NR_creat, /*file=*/0x200000000040ul, /*mode=*/0ul);
  795. if (res != -1)
  796. r[0] = res;
  797. syscall(__NR_fcntl, /*fd=*/r[0], /*cmd=*/4ul,
  798. /*flags=O_NONBLOCK|O_DIRECT|FASYNC|0x100*/ 0x6900ul);
  799. memcpy((void*)0x200000000080, "./bus\000", 6);
  800. syscall(__NR_truncate, /*file=*/0x200000000080ul, /*len=*/0x1000ul);
  801. memcpy((void*)0x200000000000, "./bus\000", 6);
  802. res = syscall(__NR_open, /*file=*/0x200000000000ul, /*flags=*/0ul,
  803. /*mode=*/0ul);
  804. if (res != -1)
  805. r[1] = res;
  806. syscall(__NR_sendfile, /*fdout=*/r[0], /*fdin=*/r[1], /*off=*/0ul,
  807. /*count=*/0x8400fffffffaul);
  808. *(uint64_t*)0x200000000980 = 0;
  809. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x40086607, /*arg=*/0x200000000980ul);
  810. memcpy((void*)0x200000000040, "/proc/sys/net/ipv4/tcp_wmem\000", 28);
  811. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000040ul,
  812. /*flags=*/1, /*mode=*/0);
  813. memcpy((void*)0x200000000200, "ext4\000", 5);
  814. memcpy((void*)0x2000000001c0, "./mnt\000", 6);
  815. memcpy((void*)0x200000000080, "user_xattr", 10);
  816. *(uint8_t*)0x20000000008a = 0x2c;
  817. *(uint8_t*)0x20000000008b = 0;
  818. memcpy(
  819. (void*)0x200000000680,
  820. "\x78\x9c\xec\xdd\x31\x68\x33\x65\x1c\x06\xf0\xe7\x2e\x89\x9f\xfd\xbe\x20"
  821. "\x55\x17\x41\x50\x41\x44\xb4\x50\xea\x26\xb8\xd4\x45\xa1\x20\xa5\x88\x08"
  822. "\x2a\x54\x44\x5c\x94\x56\xa8\x2d\x6e\xad\x93\x8b\x83\xce\x2a\x9d\x5c\x8a"
  823. "\xb8\x59\x1d\xa5\x4b\x71\x51\x04\xa7\xaa\x1d\xea\x22\x68\x71\xb0\x38\xe8"
  824. "\x10\xb9\x5c\x2b\xd5\x46\x14\x53\x73\xf2\xdd\xef\x07\x97\xdc\x25\xef\x7b"
  825. "\xff\xf7\xb8\x7b\xde\x64\x39\x2e\x40\x6b\x4d\x27\x99\x4f\xd2\x49\x32\x93"
  826. "\xa4\x97\xa4\x38\xdf\xe0\xae\x7a\x99\x3e\xdd\xdc\x9e\xda\x5f\x4e\x06\x83"
  827. "\xc7\x7f\x2c\x86\xed\xea\xed\xda\x59\xbf\x6b\x49\xb6\x92\x3c\x98\x64\xaf"
  828. "\x2c\xf2\x62\x37\xd9\xd8\x7d\xfa\xe8\xe7\x83\x47\xef\x7d\x63\xbd\x77\xcf"
  829. "\x7b\xbb\x4f\x4d\x4d\xf4\x20\x4f\x1d\x1f\x1d\x3e\x76\xf2\xee\xe2\xeb\x1f"
  830. "\x2e\x3c\xb0\xf1\xf9\x97\xdf\x2f\x16\x99\x4f\xff\x0f\xc7\x75\xf9\x8a\x11"
  831. "\x9f\x75\x8b\xe4\x96\xff\xa2\xd8\xff\x44\xd1\x6d\x7a\x04\xfc\x13\x4b\xaf"
  832. "\x7e\xf0\x55\x95\xfb\x5b\x93\xdc\x3d\xcc\x7f\x2f\x65\xea\x93\xf7\xe6\xda"
  833. "\x0d\x7b\xbd\xdc\xff\xce\x5f\xf5\x7d\xeb\x87\x2f\x6e\x9f\xe4\x58\x81\xcb"
  834. "\x37\x18\xf4\xaa\xdf\xc0\xad\x01\xd0\x3a\x65\x92\x7e\x8a\x72\x36\x49\xbd"
  835. "\x5e\x96\xb3\xb3\xf5\x7f\xf8\xaf\x3b\x57\xcb\x97\x56\xd7\x5e\x99\x79\x61"
  836. "\x75\x7d\xe5\xf9\xa6\x67\x2a\xe0\xb2\xf4\x93\xc3\x47\x3e\xbe\xf2\xd1\xb5"
  837. "\x3f\xe5\xff\xbb\x4e\x9d\x7f\xe0\xfa\x55\xe5\xff\x89\xa5\x9d\x6f\xaa\xf5"
  838. "\x93\x4e\xd3\xa3\x01\x26\xa9\xca\xff\xcc\xb3\x9b\xf7\x45\xfe\xa1\x75\xe4"
  839. "\x1f\xda\x4b\xfe\xa1\xbd\xe4\x1f\xda\x4b\xfe\xa1\xbd\xe4\x1f\xda\x4b\xfe"
  840. "\xa1\xbd\xe4\x1f\xda\x4b\xfe\xa1\xbd\xe4\x1f\xda\xeb\x7c\xfe\x01\x80\x76"
  841. "\x19\x5c\x69\xfa\x0e\x64\xa0\x29\x4d\xcf\x3f\x00\x00\x00\x00\x00\x00\x00"
  842. "\x00\x00\x00\x00\x00\x00\x00\xc0\x45\xdb\x53\xfb\xcb\x67\xcb\xa4\x6a\x7e"
  843. "\xfa\x76\x72\xfc\x70\x92\xee\xa8\xfa\x9d\xe1\xf3\x88\x93\x1b\x87\xaf\x57"
  844. "\x7f\x2a\xaa\x66\xbf\x2b\xea\x6e\x63\x79\xe6\xce\x31\x77\x30\xa6\xf7\x1b"
  845. "\xbe\xfb\xfa\xa6\x6f\x9b\xad\xff\xd9\x1d\xcd\xd6\xdf\x5c\x49\xb6\x5e\x4b"
  846. "\x32\xd7\xed\x5e\xbc\xfe\x8a\xd3\xeb\xef\xdf\xbb\xf9\x6f\xbe\xef\x3d\x37"
  847. "\x66\x81\x31\x3d\xf4\x64\xb3\xf5\x7f\xdd\x69\xb6\xfe\xc2\x41\xf2\x49\x35"
  848. "\xff\xcc\x8d\x9a\x7f\xca\xdc\x36\x7c\x1f\x3d\xff\xf4\xab\xf3\x37\x66\xfd"
  849. "\x97\x7f\x19\x73\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  850. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4c\xcc\x6f\x01"
  851. "\x00\x00\xff\xff\xc9\xf4\x6d\x29",
  852. 566);
  853. res = -1;
  854. res = syz_mount_image(
  855. /*fs=*/0x200000000200, /*dir=*/0x2000000001c0,
  856. /*flags=MS_LAZYTIME|MS_I_VERSION|MS_SHARED|MS_PRIVATE|MS_REC|MS_RELATIME|MS_NOSUID*/
  857. 0x2b44002, /*opts=*/0x200000000080, /*chdir=*/1, /*size=*/0x236,
  858. /*img=*/0x200000000680);
  859. if (res != -1)
  860. r[2] = res;
  861. memcpy((void*)0x200000000100, "/dev/input/event#\000", 18);
  862. res = -1;
  863. res = syz_open_dev(/*dev=*/0x200000000100, /*id=*/1, /*flags=*/0);
  864. if (res != -1)
  865. r[3] = res;
  866. syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0x80284504,
  867. /*arg=*/0x200000000780ul);
  868. syscall(__NR_dup2, /*oldfd=*/-1, /*newfd=*/r[2]);
  869. syscall(__NR_ioperm, /*from=*/1ul, /*num=*/0x3ful,
  870. /*on=*/0xfffffffffffffff8ul);
  871. memcpy((void*)0x200000000040, "/proc/sys/net/ipv4/tcp_congestion_control\000",
  872. 42);
  873. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000040ul,
  874. /*flags=*/1, /*mode=*/0);
  875. res = syscall(__NR_socket, /*domain=*/0x11ul, /*type=SOCK_DGRAM*/ 2ul,
  876. /*proto=*/0x300);
  877. if (res != -1)
  878. r[4] = res;
  879. *(uint16_t*)0x200000fbe000 = 2;
  880. *(uint64_t*)0x200000fbe008 = 0x200000000140;
  881. *(uint16_t*)0x200000000140 = 0x28;
  882. *(uint8_t*)0x200000000142 = 3;
  883. *(uint8_t*)0x200000000143 = 0;
  884. *(uint32_t*)0x200000000144 = 0xfffff034;
  885. *(uint16_t*)0x200000000148 = 6;
  886. *(uint8_t*)0x20000000014a = 0;
  887. *(uint8_t*)0x20000000014b = 0;
  888. *(uint32_t*)0x20000000014c = 0x400;
  889. syscall(__NR_setsockopt, /*fd=*/r[4], /*level=*/1, /*optname=*/0x1a,
  890. /*optval=*/0x200000fbe000ul, /*optlen=*/0x10ul);
  891. res = syscall(__NR_socket, /*domain=*/0xaul,
  892. /*type=SOCK_RAW|0x100000000*/ 0x100000003ul, /*proto=*/0x3c);
  893. if (res != -1)
  894. r[5] = res;
  895. memcpy((void*)0x200000000500, "iso9660\000", 8);
  896. memcpy((void*)0x200000000280, "./file0\000", 8);
  897. memcpy((void*)0x200000000540, "unhide,gid=", 11);
  898. sprintf((char*)0x20000000054b, "0x%016llx", (long long)0);
  899. memcpy((void*)0x20000000055d, ",map=off,norock,gid=", 20);
  900. sprintf((char*)0x200000000571, "0x%016llx", (long long)0);
  901. memcpy((void*)0x200000000583, ",giM\r", 5);
  902. sprintf((char*)0x200000000588, "0x%016llx", (long long)0);
  903. memcpy((void*)0x20000000059a, ",check=strict,\000", 15);
  904. memcpy(
  905. (void*)0x2000000002c0,
  906. "\x78\x9c\xec\xdc\xcf\x6b\xe3\x46\x1c\x07\xd0\x51\x71\x8a\x49\x2f\x85\xa5"
  907. "\x4d\xd6\x7b\x51\x77\xa1\xa4\xa1\xf5\x4a\x0a\x6b\x63\xf6\x64\x1c\xd9\xab"
  908. "\xad\x7f\x14\xdb\x81\xe6\x58\x48\x02\xa5\x39\xb5\xa7\xe6\xd4\xff\xbc\x45"
  909. "\xb6\x93\x92\x26\x8d\xdd\x92\x44\x21\xbc\x07\xc9\x8c\xa5\x8f\xe4\x31\x08"
  910. "\x7d\xd1\x98\x71\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  911. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  912. "\x42\xd4\x3b\x4c\x92\x34\x0a\xc3\x62\x7c\xf4\x63\xfc\xef\x7a\x87\xd3\xc9"
  913. "\xe8\x8e\xfd\x97\xe7\xfb\xea\x5a\x73\xc7\xfb\x86\x10\x95\x7f\xa1\x5e\x0f"
  914. "\xbb\xcb\x4d\xbb\x2f\xfe\xde\xfd\x45\xf9\xef\x75\xd8\x59\xbe\xda\x09\xf5"
  915. "\xb2\xa9\x87\x8b\xcf\xbe\xfc\xfc\xfd\x8b\xda\x27\x97\xc7\xdf\x31\xa0\x47"
  916. "\xf1\xdb\xef\x17\xbf\xfc\x74\x7e\x7e\xfa\xeb\x7f\x39\xa8\x5e\xf9\xb0\xef"
  917. "\xcd\x20\x1f\x17\xb3\x49\x31\xea\x0e\xf2\xb8\x98\x4d\xe2\x4e\xab\x95\xbc"
  918. "\xfd\xd0\x9f\xc5\xfd\x62\x98\xcf\x8e\x67\xf3\x7c\x14\xf7\xa6\x79\x77\x3e"
  919. "\x99\xc6\x7b\xbd\x6f\xe2\xb4\xd3\x39\x88\xf3\xe6\xf1\xe4\x68\x3c\x38\xec"
  920. "\x0e\xf3\xcb\x8d\xed\xef\xb2\x24\x69\xc5\x1f\x9b\x3f\xe4\xdd\xe9\x6c\x32"
  921. "\x7e\xfb\xb1\x39\xeb\x7d\x28\x86\xc3\x62\x3c\x58\x64\xca\xdd\x65\xa6\x5d"
  922. "\x5e\x88\xdf\x17\xf3\x78\x9e\x77\x47\x71\x7c\xf6\xf3\xf9\xe9\xc1\xba\x41"
  923. "\x96\xa1\x74\x93\x50\xb6\x2e\x94\x25\x59\x96\xa6\x59\x96\xb6\xde\x75\xde"
  924. "\xb5\x93\xa4\x76\x63\x43\xf2\x0f\xe1\x46\xa2\xfa\x8b\x96\x6a\xdd\xf3\x1d"
  925. "\x1c\xfe\xbf\x3f\x57\xf5\x1f\x00\x00\x00\x78\xbe\xa2\xc5\x1c\x7b\xf9\xfc"
  926. "\xbf\xb5\x98\x87\x8f\x42\xbf\x18\xe6\x49\xd5\xc3\x02\x00\x00\x00\xee\xd1"
  927. "\xe2\x9b\xff\x9d\xb2\xd9\x2a\x7b\xbb\x21\xf2\xfc\x0f\x00\x00\x00\xcf\xcd"
  928. "\xfa\x35\x76\x6b\x13\xd1\xb7\xe1\xe5\x32\xf1\xf2\x64\xd9\x9e\xac\x12\xab"
  929. "\x75\x7e\xdb\xfd\x62\x98\x37\x7b\x93\xb3\x76\x1a\xbe\xbe\x5a\xed\x77\xfb"
  930. "\xd9\xb6\x16\xd3\x0f\xfb\xa1\xb1\x4c\x35\xb6\x97\xed\xf6\xf5\x33\xd6\xcb"
  931. "\x54\xda\x7c\x9f\x86\xfd\xf0\x6a\x99\x78\xb5\xf7\xa6\x6c\xde\xec\xdd\x92"
  932. "\xcc\x36\x4e\x1e\x94\x49\x00\x78\xee\x5e\xaf\xa9\xc7\x9b\xd4\xff\xfd\xb0"
  933. "\x5a\xd3\x1a\x37\xca\x62\x1a\x6a\x8d\x5b\x2a\x6b\xa2\xb2\x02\xc0\x53\x71"
  934. "\xf5\x0b\x36\x0f\xd8\xa9\xfa\x33\x02\x00\xd7\xa9\xd2\x00\x00\x00\x00\x00"
  935. "\x00\x00\x00\x00\x00\x00\xf0\xf4\x3d\xc6\xfa\x3f\x1d\x9d\x2a\x3a\x51\x2d"
  936. "\x84\x4d\xc2\x9f\x86\x10\x9e\xca\x98\x17\x9d\x10\xc2\x1f\x95\x0f\xa3\xea"
  937. "\x3b\x13\xf0\xd0\xfe\x0a\x00\x00\xff\xff\xef\x66\xcd\x0d",
  938. 572);
  939. syz_mount_image(/*fs=*/0x200000000500, /*dir=*/0x200000000280, /*flags=*/0,
  940. /*opts=*/0x200000000540, /*chdir=*/1, /*size=*/0x23c,
  941. /*img=*/0x2000000002c0);
  942. syscall(__NR_mprotect, /*addr=*/0x200000000000ul, /*len=*/0x2000ul,
  943. /*prot=PROT_READ*/ 1ul);
  944. syscall(__NR_dup, /*oldfd=*/-1);
  945. res =
  946. syscall(__NR_socket, /*domain=*/2ul, /*type=SOCK_RAW*/ 3ul, /*proto=*/5);
  947. if (res != -1)
  948. r[6] = res;
  949. *(uint32_t*)0x200000000140 = 0xc;
  950. syscall(__NR_getsockopt, /*fd=*/r[6], /*level=*/0, /*optname=*/8,
  951. /*optval=*/0x200000000040ul, /*optlen=*/0x200000000140ul);
  952. memcpy((void*)0x200000000080, "/dev/input/event#\000", 18);
  953. res = -1;
  954. res = syz_open_dev(/*dev=*/0x200000000080, /*id=*/1,
  955. /*flags=O_SYNC|O_NOFOLLOW|O_CREAT|O_WRONLY*/ 0x121041);
  956. if (res != -1)
  957. r[7] = res;
  958. syscall(__NR_write, /*fd=*/r[7], /*data=*/0x200000000040ul, /*len=*/0x373ul);
  959. *(uint16_t*)0x200000000180 = 0xa;
  960. *(uint16_t*)0x200000000182 = htobe16(0);
  961. *(uint32_t*)0x200000000184 = htobe32(0);
  962. *(uint64_t*)0x200000000188 = htobe64(0);
  963. *(uint64_t*)0x200000000190 = htobe64(0xac141409);
  964. *(uint32_t*)0x200000000198 = 0;
  965. syscall(__NR_sendto, /*fd=*/r[5], /*buf=*/0x200000000000ul, /*len=*/0x6a48ul,
  966. /*f=*/0ul, /*addr=*/0x200000000180ul, /*addrlen=*/0x1cul);
  967. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0);
  968. if (res != -1)
  969. r[8] = res;
  970. memcpy((void*)0x200000000080,
  971. "#}\004\344\374\036\377~\261\340\245\235\310\3123\'\022xY!"
  972. "\244\234\227\361\374\260\350~\221\325\004i}\003\000@"
  973. "\016\346\2315b\000\000\000\000\000\000\000\216\226\267="
  974. "\271OmILO\215\000\000\000\000\000\376\000\000\000\000\000\000\000\000"
  975. "\000",
  976. 74);
  977. res = syscall(__NR_memfd_create, /*name=*/0x200000000080ul, /*flags=*/0ul);
  978. if (res != -1)
  979. r[9] = res;
  980. *(uint32_t*)0x200000000000 = 4;
  981. syscall(__NR_setsockopt, /*fd=*/r[8], /*level=*/0, /*optname=*/0xa,
  982. /*optval=*/0x200000000000ul, /*optlen=*/4ul);
  983. *(uint32_t*)0x200000000040 = 2;
  984. *(uint32_t*)0x200000000044 = 0x80;
  985. *(uint8_t*)0x200000000048 = 0xb8;
  986. *(uint8_t*)0x200000000049 = 0;
  987. *(uint8_t*)0x20000000004a = 0;
  988. *(uint8_t*)0x20000000004b = 0;
  989. *(uint32_t*)0x20000000004c = 0;
  990. *(uint64_t*)0x200000000050 = 0;
  991. *(uint64_t*)0x200000000058 = 0;
  992. *(uint64_t*)0x200000000060 = 0;
  993. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 0, 1);
  994. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 1, 1);
  995. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 2, 1);
  996. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 3, 1);
  997. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 4, 1);
  998. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 5, 1);
  999. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 6, 1);
  1000. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 7, 1);
  1001. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 8, 1);
  1002. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 9, 1);
  1003. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 10, 1);
  1004. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 11, 1);
  1005. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 12, 1);
  1006. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 13, 1);
  1007. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 14, 1);
  1008. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 15, 2);
  1009. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 17, 1);
  1010. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 18, 1);
  1011. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 19, 1);
  1012. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 20, 1);
  1013. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 21, 1);
  1014. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 22, 1);
  1015. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 23, 1);
  1016. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 24, 1);
  1017. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 25, 1);
  1018. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 26, 1);
  1019. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 27, 1);
  1020. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 28, 1);
  1021. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 29, 1);
  1022. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 30, 1);
  1023. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 31, 1);
  1024. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 32, 1);
  1025. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 33, 1);
  1026. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 34, 1);
  1027. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 35, 1);
  1028. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 36, 1);
  1029. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 37, 1);
  1030. STORE_BY_BITMASK(uint64_t, , 0x200000000068, 0, 38, 26);
  1031. *(uint32_t*)0x200000000070 = 0;
  1032. *(uint32_t*)0x200000000074 = 0;
  1033. *(uint64_t*)0x200000000078 = 0;
  1034. *(uint64_t*)0x200000000080 = 0;
  1035. *(uint64_t*)0x200000000088 = 0;
  1036. *(uint64_t*)0x200000000090 = 0;
  1037. *(uint32_t*)0x200000000098 = 0;
  1038. *(uint32_t*)0x20000000009c = 0;
  1039. *(uint64_t*)0x2000000000a0 = 0;
  1040. *(uint32_t*)0x2000000000a8 = 0;
  1041. *(uint16_t*)0x2000000000ac = 0;
  1042. *(uint16_t*)0x2000000000ae = 0;
  1043. *(uint32_t*)0x2000000000b0 = 0;
  1044. *(uint32_t*)0x2000000000b4 = 0;
  1045. *(uint64_t*)0x2000000000b8 = 0;
  1046. syscall(__NR_perf_event_open, /*attr=*/0x200000000040ul, /*pid=*/0,
  1047. /*cpu=*/-1, /*group=*/-1, /*flags=*/0ul);
  1048. syscall(__NR_sync_file_range, /*fd=*/-1, /*off=*/0ul, /*nbytes=*/0ul,
  1049. /*flags=*/0ul);
  1050. syscall(__NR_ftruncate, /*fd=*/r[9], /*len=*/0x40001ul);
  1051. memcpy((void*)0x200000000140, "msdos\000", 6);
  1052. memcpy((void*)0x200000000180, "./file0\000", 8);
  1053. memcpy((void*)0x200000000000,
  1054. "\x00\x0f\x7f\xf7\x72\x18\x75\xd8\xba\xcc\xeb\x2f\xbb\x96\x0d\x5b\x1c"
  1055. "\x33\x98\x8e\xac\x29\x7f\x7d\xed\xa3\x42\xbf\x10\xfb\x3d\x0a\x1e\x03"
  1056. "\xa8\x0e\xf3\xae\xad\x29\x5a\xb1\xff\x55\x00\xa9\x93\x0e\x66\x77\x94"
  1057. "\x15\xd3\x78\xac\x83\x82\x3c\xf0\x0e\x2c\xfe\x37\x6c\x78\x72\xfa\x83"
  1058. "\xcd\x71\xe2\x9a\x17\xae\x07\x0b",
  1059. 76);
  1060. memcpy(
  1061. (void*)0x200000000280,
  1062. "\x78\x9c\xec\xdb\x31\x6b\x13\x61\x18\x07\xf0\x27\x31\x6a\xd4\x25\xb3\x38"
  1063. "\x1c\xb8\x38\x05\x15\x3f\x80\x22\x11\xc4\x03\x41\xc9\xa0\x93\x42\x74\x49"
  1064. "\x4a\xa1\x59\xae\x9d\xf2\x51\xfa\x69\xfa\x6d\x0a\x25\x53\xb6\xb7\xb4\xd7"
  1065. "\x26\x6d\x48\x86\x0c\x97\x6b\x9b\xdf\x6f\xb9\x3f\xfc\xb9\xe3\x7d\x86\xbb"
  1066. "\xe3\x3d\xb8\x3f\xaf\xf6\x86\x83\xfd\xf1\xff\xd1\x87\x69\xb4\x1b\x8d\x68"
  1067. "\x7e\x8c\x2c\x66\x8d\xe8\x44\x33\xae\x4d\x02\x00\x78\x48\x66\x29\xc5\x59"
  1068. "\x4a\x29\x3d\x9d\xc4\xb3\xe3\x48\x29\xd5\xbd\x22\x00\xa0\x6a\xde\xff\x00"
  1069. "\xb0\x7b\x7e\xfe\xfa\xfd\xed\x53\x9e\xf7\x7e\x64\x59\x3b\xe2\x74\x52\xf4"
  1070. "\x8b\x7e\x79\x2c\xfb\x2f\x5f\xf3\xde\xdb\xec\x52\x67\x71\xd6\xb4\x28\xfa"
  1071. "\x8f\xe6\xfd\xbb\xb2\xcf\x6e\xf7\x8f\xe3\xf9\x55\xff\x7e\x65\xff\x24\xde"
  1072. "\xbc\x2e\xfb\x8b\xee\xf3\xf7\x7c\xa9\x7f\x11\x83\xea\xc7\x07\x00\x00\x80"
  1073. "\x9d\xd0\xcd\xe6\x56\xee\xef\xbb\xdd\x75\x7d\x99\x6e\x7c\x1f\x58\xda\xbf"
  1074. "\xb7\xe2\x65\x6b\x6b\x63\x00\x00\x1b\x18\x1f\x1e\x0d\xff\x8e\x46\xff\x0e"
  1075. "\xaa\x09\x71\x52\xd5\x95\x85\xfb\x11\x5a\x77\x63\x19\xc2\xa6\xa1\xee\x27"
  1076. "\x13\x50\xb5\xc5\x4d\x5f\xf7\x4a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1077. "\x00\x80\x75\xb6\xf1\x3b\x51\xdd\x33\x02\x00\x00\x00\x00\x00\x00\x00\x00"
  1078. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1079. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb0\x7b\xce\x03\x00\x00\xff\xff"
  1080. "\xe4\x1d\x39\x6d",
  1081. 328);
  1082. syz_mount_image(/*fs=*/0x200000000140, /*dir=*/0x200000000180,
  1083. /*flags=MS_SYNCHRONOUS*/ 0x10, /*opts=*/0x200000000000,
  1084. /*chdir=*/1, /*size=*/0x148, /*img=*/0x200000000280);
  1085. memcpy((void*)0x200000000240, "./file0\000", 8);
  1086. syscall(__NR_chown, /*file=*/0x200000000240ul, /*uid=*/0, /*gid=*/0);
  1087. syscall(__NR_socket, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0);
  1088. syz_sysconfig_set__proc_sys_vm_mmap_rnd_bits(/*val=*/5);
  1089. memcpy((void*)0x200000000000, "./bus\000", 6);
  1090. syscall(__NR_creat, /*file=*/0x200000000000ul, /*mode=*/0ul);
  1091. *(uint32_t*)0x200000000200 = 9;
  1092. *(uint32_t*)0x200000000204 = 0x80;
  1093. *(uint8_t*)0x200000000208 = 0;
  1094. *(uint8_t*)0x200000000209 = 0;
  1095. *(uint8_t*)0x20000000020a = 0;
  1096. *(uint8_t*)0x20000000020b = 0;
  1097. *(uint32_t*)0x20000000020c = 0;
  1098. *(uint64_t*)0x200000000210 = 0;
  1099. *(uint64_t*)0x200000000218 = 0;
  1100. *(uint64_t*)0x200000000220 = 0;
  1101. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 0, 1);
  1102. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 1, 1);
  1103. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 2, 1);
  1104. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 3, 1);
  1105. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 4, 1);
  1106. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 5, 1);
  1107. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 6, 1);
  1108. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 7, 1);
  1109. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 8, 1);
  1110. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 9, 1);
  1111. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 10, 1);
  1112. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 11, 1);
  1113. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 12, 1);
  1114. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 13, 1);
  1115. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 14, 1);
  1116. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 15, 2);
  1117. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 17, 1);
  1118. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 18, 1);
  1119. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 19, 1);
  1120. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 20, 1);
  1121. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 21, 1);
  1122. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 22, 1);
  1123. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 23, 1);
  1124. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 24, 1);
  1125. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 25, 1);
  1126. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 26, 1);
  1127. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 27, 1);
  1128. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 28, 1);
  1129. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 29, 1);
  1130. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 30, 1);
  1131. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 31, 1);
  1132. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 32, 1);
  1133. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 33, 1);
  1134. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 34, 1);
  1135. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 35, 1);
  1136. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 36, 1);
  1137. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 37, 1);
  1138. STORE_BY_BITMASK(uint64_t, , 0x200000000228, 0, 38, 26);
  1139. *(uint32_t*)0x200000000230 = 0;
  1140. *(uint32_t*)0x200000000234 = 0;
  1141. *(uint64_t*)0x200000000238 = 0x200000000000;
  1142. *(uint64_t*)0x200000000240 = 0;
  1143. *(uint64_t*)0x200000000248 = 0;
  1144. *(uint64_t*)0x200000000250 = 0;
  1145. *(uint32_t*)0x200000000258 = 0;
  1146. *(uint32_t*)0x20000000025c = 0;
  1147. *(uint64_t*)0x200000000260 = 0;
  1148. *(uint32_t*)0x200000000268 = 0;
  1149. *(uint16_t*)0x20000000026c = 0;
  1150. *(uint16_t*)0x20000000026e = 0;
  1151. *(uint32_t*)0x200000000270 = 0;
  1152. *(uint32_t*)0x200000000274 = 0;
  1153. *(uint64_t*)0x200000000278 = 0;
  1154. syscall(__NR_perf_event_open, /*attr=*/0x200000000200ul, /*pid=*/0,
  1155. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  1156. memcpy((void*)0x200000000080, "./bus\000", 6);
  1157. res = syscall(__NR_open, /*file=*/0x200000000080ul, /*flags=*/0ul,
  1158. /*mode=*/0ul);
  1159. if (res != -1)
  1160. r[10] = res;
  1161. syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x600000ul,
  1162. /*prot=*/0ul, /*flags=MAP_FIXED|MAP_PRIVATE*/ 0x12ul, /*fd=*/r[10],
  1163. /*offset=*/0ul);
  1164. *(uint16_t*)0x200000000040 = 2;
  1165. *(uint16_t*)0x200000000042 = htobe16(0);
  1166. *(uint8_t*)0x200000000044 = 0xac;
  1167. *(uint8_t*)0x200000000045 = 0x14;
  1168. *(uint8_t*)0x200000000046 = 0x14;
  1169. *(uint8_t*)0x200000000047 = 0xaa;
  1170. syscall(__NR_connect, /*fd=*/r[8], /*addr=*/0x200000000040ul,
  1171. /*addrlen=*/0x10ul);
  1172. res = syscall(__NR_pipe2, /*pipefd=*/0x200000000100ul, /*flags=*/0x80ul);
  1173. if (res != -1)
  1174. r[11] = *(uint32_t*)0x200000000104;
  1175. syscall(__NR_shutdown, /*fd=*/r[11], /*how=*/0ul);
  1176. res = syscall(__NR_socket, /*domain=*/0x11ul, /*type=SOCK_DGRAM*/ 2ul,
  1177. /*proto=*/0x300);
  1178. if (res != -1)
  1179. r[12] = res;
  1180. *(uint16_t*)0x200000000040 = 0;
  1181. *(uint16_t*)0x200000000042 = 0x8000;
  1182. syscall(__NR_setsockopt, /*fd=*/r[12], /*level=*/0x107, /*optname=*/0x12,
  1183. /*optval=*/0x200000000040ul, /*optlen=*/4ul);
  1184. syscall(__NR_sendfile, /*fdout=*/r[8], /*fdin=*/r[9], /*off=*/0ul,
  1185. /*count=*/0xffe4ul);
  1186. syz_sysconfig_reset__proc_sys_vm_mmap_rnd_bits();
  1187. syz_sysconfig_set__proc_sys_net_ipv4_conf_default_route_localnet(/*val=*/1);
  1188. *(uint16_t*)0x200000000180 = 3;
  1189. *(uint64_t*)0x200000000188 = 0x2000000000c0;
  1190. *(uint16_t*)0x2000000000c0 = 0x400;
  1191. *(uint8_t*)0x2000000000c2 = 1;
  1192. *(uint8_t*)0x2000000000c3 = 4;
  1193. *(uint32_t*)0x2000000000c4 = 6;
  1194. *(uint16_t*)0x2000000000c8 = 6;
  1195. *(uint8_t*)0x2000000000ca = 0xa3;
  1196. *(uint8_t*)0x2000000000cb = -1;
  1197. *(uint32_t*)0x2000000000cc = 0xfffffffb;
  1198. *(uint16_t*)0x2000000000d0 = 0x7fff;
  1199. *(uint8_t*)0x2000000000d2 = 0x64;
  1200. *(uint8_t*)0x2000000000d3 = -1;
  1201. *(uint32_t*)0x2000000000d4 = 0x8f;
  1202. res = syscall(__NR_seccomp, /*op=*/1ul,
  1203. /*flags=SECCOMP_FILTER_FLAG_LOG_LISTENER*/ 0xaul,
  1204. /*arg=*/0x200000000180ul);
  1205. if (res != -1)
  1206. r[13] = res;
  1207. syscall(__NR_seccomp, /*op=*/1ul, /*flags=*/0ul, /*arg=*/0ul);
  1208. *(uint64_t*)0x200000000080 = 0;
  1209. *(uint64_t*)0x200000000088 = 0;
  1210. syscall(__NR_prlimit64, /*pid=*/0, /*res=RLIMIT_NOFILE*/ 7ul,
  1211. /*new=*/0x200000000080ul, /*old=*/0ul);
  1212. res = syscall(__NR_ioctl, /*fd=*/r[13], /*cmd=*/0xc0502100,
  1213. /*arg=*/0x200000000480ul);
  1214. if (res != -1)
  1215. r[14] = *(uint64_t*)0x200000000480;
  1216. memcpy((void*)0x200000000140, "cgroup.controllers\000", 19);
  1217. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000140ul,
  1218. /*flags=*/0x275a, /*mode=*/0);
  1219. if (res != -1)
  1220. r[15] = res;
  1221. syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xb36000ul,
  1222. /*prot=*/0ul,
  1223. /*flags=MAP_STACK|MAP_POPULATE|MAP_FIXED|MAP_SHARED*/ 0x28011ul,
  1224. /*fd=*/r[15], /*offset=*/0ul);
  1225. syz_sysconfig_set__proc_sys_vm_zone_reclaim_mode(/*val=*/6);
  1226. *(uint64_t*)0x200000455000 = 0;
  1227. *(uint32_t*)0x200000455008 = 0;
  1228. *(uint64_t*)0x200000455010 = 0;
  1229. syscall(__NR_sigaltstack, /*ss=*/0x200000455000ul, /*oss=*/0ul);
  1230. *(uint32_t*)0x20000001d000 = 1;
  1231. *(uint32_t*)0x20000001d004 = 0x80;
  1232. *(uint8_t*)0x20000001d008 = 0;
  1233. *(uint8_t*)0x20000001d009 = 0;
  1234. *(uint8_t*)0x20000001d00a = 0;
  1235. *(uint8_t*)0x20000001d00b = 0x48;
  1236. *(uint32_t*)0x20000001d00c = 0;
  1237. *(uint64_t*)0x20000001d010 = 0x100;
  1238. *(uint64_t*)0x20000001d018 = 0;
  1239. *(uint64_t*)0x20000001d020 = 0;
  1240. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 0, 1);
  1241. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 1, 1);
  1242. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 2, 1);
  1243. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 3, 1);
  1244. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 4, 1);
  1245. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 5, 1);
  1246. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 6, 1);
  1247. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 7, 1);
  1248. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 8, 1);
  1249. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 9, 1);
  1250. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 10, 1);
  1251. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 11, 1);
  1252. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 12, 1);
  1253. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 13, 1);
  1254. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 14, 1);
  1255. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 15, 2);
  1256. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 17, 1);
  1257. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 18, 1);
  1258. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 19, 1);
  1259. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 20, 1);
  1260. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 21, 1);
  1261. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 22, 1);
  1262. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 23, 1);
  1263. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 24, 1);
  1264. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 25, 1);
  1265. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 26, 1);
  1266. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0xffdffffffffffffd, 27, 1);
  1267. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 28, 1);
  1268. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 29, 1);
  1269. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 30, 1);
  1270. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 31, 1);
  1271. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 32, 1);
  1272. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 33, 1);
  1273. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 34, 1);
  1274. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 35, 1);
  1275. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 36, 1);
  1276. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 37, 1);
  1277. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 38, 26);
  1278. *(uint32_t*)0x20000001d030 = 0;
  1279. *(uint32_t*)0x20000001d034 = 0;
  1280. *(uint64_t*)0x20000001d038 = 3;
  1281. *(uint64_t*)0x20000001d040 = 0x401;
  1282. *(uint64_t*)0x20000001d048 = 0x429;
  1283. *(uint64_t*)0x20000001d050 = 0;
  1284. *(uint32_t*)0x20000001d058 = 0;
  1285. *(uint32_t*)0x20000001d05c = 4;
  1286. *(uint64_t*)0x20000001d060 = 3;
  1287. *(uint32_t*)0x20000001d068 = 0;
  1288. *(uint16_t*)0x20000001d06c = 4;
  1289. *(uint16_t*)0x20000001d06e = 0;
  1290. *(uint32_t*)0x20000001d070 = 0;
  1291. *(uint32_t*)0x20000001d074 = 0;
  1292. *(uint64_t*)0x20000001d078 = 8;
  1293. res = syscall(__NR_perf_event_open, /*attr=*/0x20000001d000ul, /*pid=*/0,
  1294. /*cpu=*/0x20000000006ul, /*group=*/-1,
  1295. /*flags=PERF_FLAG_FD_CLOEXEC|PERF_FLAG_FD_OUTPUT*/ 0xaul);
  1296. if (res != -1)
  1297. r[16] = res;
  1298. syscall(__NR_mmap, /*addr=*/0x200000ffd000ul, /*len=*/0x3000ul, /*prot=*/0ul,
  1299. /*flags=MAP_FIXED|MAP_SHARED|0x200000000000*/ 0x200000000011ul,
  1300. /*fd=*/r[16], /*offset=*/0ul);
  1301. *(uint32_t*)0x2000000009c0 = 1;
  1302. *(uint32_t*)0x2000000009c4 = 0x80;
  1303. *(uint8_t*)0x2000000009c8 = 0;
  1304. *(uint8_t*)0x2000000009c9 = 6;
  1305. *(uint8_t*)0x2000000009ca = 2;
  1306. *(uint8_t*)0x2000000009cb = 0;
  1307. *(uint32_t*)0x2000000009cc = 0;
  1308. *(uint64_t*)0x2000000009d0 = 0;
  1309. *(uint64_t*)0x2000000009d8 = 0;
  1310. *(uint64_t*)0x2000000009e0 = 0;
  1311. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 0, 1);
  1312. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 1, 1);
  1313. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 2, 1);
  1314. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 3, 1);
  1315. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 4, 1);
  1316. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 5, 1);
  1317. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 6, 1);
  1318. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 7, 1);
  1319. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 8, 1);
  1320. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 9, 1);
  1321. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 10, 1);
  1322. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 11, 1);
  1323. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 12, 1);
  1324. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 13, 1);
  1325. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 14, 1);
  1326. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 15, 2);
  1327. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 17, 1);
  1328. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 18, 1);
  1329. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 19, 1);
  1330. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 20, 1);
  1331. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 21, 1);
  1332. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 22, 1);
  1333. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 23, 1);
  1334. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 24, 1);
  1335. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 25, 1);
  1336. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 26, 1);
  1337. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 27, 1);
  1338. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 28, 1);
  1339. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 29, 1);
  1340. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 30, 1);
  1341. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 31, 1);
  1342. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 32, 1);
  1343. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 33, 1);
  1344. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 34, 1);
  1345. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 35, 1);
  1346. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 36, 1);
  1347. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 37, 1);
  1348. STORE_BY_BITMASK(uint64_t, , 0x2000000009e8, 0, 38, 26);
  1349. *(uint32_t*)0x2000000009f0 = 0;
  1350. *(uint32_t*)0x2000000009f4 = 0;
  1351. *(uint64_t*)0x2000000009f8 = 0;
  1352. *(uint64_t*)0x200000000a00 = 0;
  1353. *(uint64_t*)0x200000000a08 = 0;
  1354. *(uint64_t*)0x200000000a10 = 0x800000000000;
  1355. *(uint32_t*)0x200000000a18 = 0;
  1356. *(uint32_t*)0x200000000a1c = 0;
  1357. *(uint64_t*)0x200000000a20 = 5;
  1358. *(uint32_t*)0x200000000a28 = 0;
  1359. *(uint16_t*)0x200000000a2c = 0;
  1360. *(uint16_t*)0x200000000a2e = 0;
  1361. *(uint32_t*)0x200000000a30 = 9;
  1362. *(uint32_t*)0x200000000a34 = 0;
  1363. *(uint64_t*)0x200000000a38 = 0;
  1364. res = syscall(__NR_perf_event_open, /*attr=*/0x2000000009c0ul, /*pid=*/0,
  1365. /*cpu=*/0xful, /*group=*/-1, /*flags=*/0ul);
  1366. if (res != -1)
  1367. r[17] = res;
  1368. memcpy((void*)0x200000000000, "/sys/kernel/notes", 17);
  1369. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  1370. /*dir=*/0x200000000000ul, /*flags=*/0, /*mode=*/0);
  1371. if (res != -1)
  1372. r[18] = res;
  1373. syscall(__NR_read, /*fd=*/r[18], /*buf=*/0x2000000003c0ul, /*count=*/0x86ul);
  1374. syscall(__NR_ioctl, /*fd=*/r[18], /*cmd=*/0x80045300,
  1375. /*arg=*/0x200000000040ul);
  1376. syscall(__NR_ioctl, /*fd=*/r[17], /*cmd=*/0xf504, /*arg=*/0ul);
  1377. *(uint64_t*)0x200000000500 = r[14];
  1378. *(uint32_t*)0x200000000508 = 0;
  1379. *(uint32_t*)0x20000000050c = r[13];
  1380. *(uint32_t*)0x200000000510 = 0;
  1381. *(uint32_t*)0x200000000514 = 0;
  1382. syscall(__NR_ioctl, /*fd=*/r[13], /*cmd=*/0x40182103,
  1383. /*arg=*/0x200000000500ul);
  1384. syz_sysconfig_reset__proc_sys_vm_zone_reclaim_mode();
  1385. syscall(
  1386. __NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xa000ul,
  1387. /*prot=PROT_WRITE|PROT_EXEC*/ 6ul,
  1388. /*flags=MAP_LOCKED|MAP_GROWSDOWN|MAP_FIXED|MAP_ANONYMOUS|0x42*/ 0x2172ul,
  1389. /*fd=*/-1, /*offset=*/0ul);
  1390. syscall(__NR_mremap, /*addr=*/0x200000005000ul, /*len=*/0x4000ul,
  1391. /*newlen=*/0x1000ul, /*flags=*/0ul, /*newaddr=*/0x200000003000ul);
  1392. *(uint16_t*)0x200000000080 = 1;
  1393. *(uint64_t*)0x200000000088 = 0x200000000040;
  1394. *(uint16_t*)0x200000000040 = 6;
  1395. *(uint8_t*)0x200000000042 = 0;
  1396. *(uint8_t*)0x200000000043 = 0;
  1397. *(uint32_t*)0x200000000044 = 0;
  1398. res = syscall(__NR_seccomp, /*op=*/1ul,
  1399. /*flags=SECCOMP_FILTER_FLAG_LOG_LISTENER*/ 0xaul,
  1400. /*arg=*/0x200000000080ul);
  1401. if (res != -1)
  1402. r[19] = res;
  1403. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0xc0502100, /*arg=*/0ul);
  1404. *(uint32_t*)0x200000000700 = 1;
  1405. *(uint32_t*)0x200000000704 = 0x80;
  1406. *(uint8_t*)0x200000000708 = 0;
  1407. *(uint8_t*)0x200000000709 = 0;
  1408. *(uint8_t*)0x20000000070a = 0;
  1409. *(uint8_t*)0x20000000070b = 0;
  1410. *(uint32_t*)0x20000000070c = 0;
  1411. *(uint64_t*)0x200000000710 = 0x40000000000050d;
  1412. *(uint64_t*)0x200000000718 = 0;
  1413. *(uint64_t*)0x200000000720 = 0;
  1414. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 0, 1);
  1415. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 1, 1);
  1416. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 2, 1);
  1417. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 3, 1);
  1418. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 4, 1);
  1419. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 5, 1);
  1420. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 6, 1);
  1421. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 7, 1);
  1422. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 8, 1);
  1423. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 9, 1);
  1424. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 10, 1);
  1425. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 11, 1);
  1426. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 12, 1);
  1427. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 13, 1);
  1428. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 14, 1);
  1429. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 15, 2);
  1430. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 17, 1);
  1431. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 18, 1);
  1432. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 19, 1);
  1433. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 20, 1);
  1434. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 21, 1);
  1435. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 22, 1);
  1436. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 23, 1);
  1437. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 24, 1);
  1438. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 25, 1);
  1439. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 26, 1);
  1440. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 27, 1);
  1441. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 28, 1);
  1442. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 29, 1);
  1443. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 30, 1);
  1444. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 31, 1);
  1445. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 32, 1);
  1446. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 33, 1);
  1447. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 34, 1);
  1448. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 35, 1);
  1449. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 36, 1);
  1450. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 37, 1);
  1451. STORE_BY_BITMASK(uint64_t, , 0x200000000728, 0, 38, 26);
  1452. *(uint32_t*)0x200000000730 = 0x8000;
  1453. *(uint32_t*)0x200000000734 = 0;
  1454. *(uint64_t*)0x200000000738 = 0x200000001800;
  1455. *(uint64_t*)0x200000000740 = 0;
  1456. *(uint64_t*)0x200000000748 = 0;
  1457. *(uint64_t*)0x200000000750 = 0;
  1458. *(uint32_t*)0x200000000758 = 0;
  1459. *(uint32_t*)0x20000000075c = 0;
  1460. *(uint64_t*)0x200000000760 = 0;
  1461. *(uint32_t*)0x200000000768 = 0;
  1462. *(uint16_t*)0x20000000076c = 5;
  1463. *(uint16_t*)0x20000000076e = 0;
  1464. *(uint32_t*)0x200000000770 = 0;
  1465. *(uint32_t*)0x200000000774 = 0;
  1466. *(uint64_t*)0x200000000778 = 0;
  1467. res = syscall(__NR_perf_event_open, /*attr=*/0x200000000700ul, /*pid=*/0,
  1468. /*cpu=*/0xff7ffffffffffffful, /*group=*/-1, /*flags=*/0ul);
  1469. if (res != -1)
  1470. r[20] = res;
  1471. memcpy((void*)0x2000000003c0, "/dev/hwrng\000", 11);
  1472. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  1473. /*file=*/0x2000000003c0ul, /*flags=O_CREAT|O_RDWR*/ 0x42,
  1474. /*mode=*/0);
  1475. if (res != -1)
  1476. r[21] = res;
  1477. *(uint32_t*)0x200000000340 = 3;
  1478. *(uint32_t*)0x200000000344 = 0x70;
  1479. *(uint8_t*)0x200000000348 = -1;
  1480. *(uint8_t*)0x200000000349 = 0x20;
  1481. *(uint8_t*)0x20000000034a = 0;
  1482. *(uint8_t*)0x20000000034b = 0;
  1483. *(uint32_t*)0x20000000034c = 0;
  1484. *(uint64_t*)0x200000000350 = 0x3c4;
  1485. *(uint64_t*)0x200000000358 = 0x90400;
  1486. *(uint64_t*)0x200000000360 = 8;
  1487. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 0, 1);
  1488. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 1, 1);
  1489. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 2, 1);
  1490. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 3, 1);
  1491. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 4, 1);
  1492. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 5, 1);
  1493. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 6, 1);
  1494. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 7, 1);
  1495. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 8, 1);
  1496. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 9, 1);
  1497. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 10, 1);
  1498. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 11, 1);
  1499. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 12, 1);
  1500. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 13, 1);
  1501. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 14, 1);
  1502. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 15, 2);
  1503. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 17, 1);
  1504. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 18, 1);
  1505. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 19, 1);
  1506. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 20, 1);
  1507. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 21, 1);
  1508. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 22, 1);
  1509. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 23, 1);
  1510. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 24, 1);
  1511. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 25, 1);
  1512. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 26, 1);
  1513. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 27, 1);
  1514. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 28, 1);
  1515. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 29, 1);
  1516. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 5, 30, 1);
  1517. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 4, 31, 1);
  1518. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 32, 1);
  1519. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0x2000, 33, 1);
  1520. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 4, 34, 1);
  1521. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 6, 35, 1);
  1522. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 4, 36, 1);
  1523. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0xd5, 37, 1);
  1524. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0x40, 38, 26);
  1525. *(uint32_t*)0x200000000370 = 5;
  1526. *(uint32_t*)0x200000000374 = 0;
  1527. *(uint64_t*)0x200000000378 = 0x200000000000;
  1528. *(uint64_t*)0x200000000380 = 0;
  1529. *(uint64_t*)0x200000000388 = 0;
  1530. *(uint64_t*)0x200000000390 = 0;
  1531. *(uint32_t*)0x200000000398 = 0;
  1532. *(uint32_t*)0x20000000039c = 0;
  1533. *(uint64_t*)0x2000000003a0 = 0;
  1534. *(uint32_t*)0x2000000003a8 = 0;
  1535. *(uint16_t*)0x2000000003ac = 0;
  1536. *(uint16_t*)0x2000000003ae = 0;
  1537. *(uint32_t*)0x2000000003b0 = 0;
  1538. *(uint32_t*)0x2000000003b4 = 0;
  1539. *(uint64_t*)0x2000000003b8 = 0;
  1540. syscall(__NR_perf_event_open, /*attr=*/0x200000000340ul, /*pid=*/-1,
  1541. /*cpu=*/0xaul, /*group=*/r[21],
  1542. /*flags=PERF_FLAG_FD_CLOEXEC|PERF_FLAG_FD_NO_GROUP*/ 9ul);
  1543. syscall(__NR_rt_tgsigqueueinfo, /*gid=*/0, /*tid=*/0, /*sig=*/0,
  1544. /*info=*/0ul);
  1545. memcpy((void*)0x200000000080, "./cgroup/syz1\000", 14);
  1546. syscall(__NR_mkdirat, /*fd=*/0xffffffffffffff9cul, /*path=*/0x200000000080ul,
  1547. /*mode=*/0x1fful);
  1548. memcpy((void*)0x200000000180, "./cgroup.cpu/syz0\000", 18);
  1549. syscall(__NR_mkdirat, /*fd=*/0xffffffffffffff9cul, /*path=*/0x200000000180ul,
  1550. /*mode=*/0x1fful);
  1551. memcpy((void*)0x2000000001c0, "/dev/loop#\000", 11);
  1552. res = -1;
  1553. res = syz_open_dev(
  1554. /*dev=*/0x2000000001c0, /*id=*/0x75f,
  1555. /*flags=O_TRUNC|O_SYNC|O_NOCTTY|O_EXCL|FASYNC|O_RDWR*/ 0x103382);
  1556. if (res != -1)
  1557. r[22] = res;
  1558. memcpy((void*)0x200000000240, ".^\305", 3);
  1559. res = syscall(__NR_memfd_create, /*name=*/0x200000000240ul, /*flags=*/0ul);
  1560. if (res != -1)
  1561. r[23] = res;
  1562. *(uint64_t*)0x2000000002c0 = 2;
  1563. *(uint32_t*)0x2000000002c8 = 0;
  1564. *(uint32_t*)0x2000000002cc = 9;
  1565. syscall(__NR_ptrace, /*req=*/0x4209ul, /*pid=*/-1, /*args=*/0x2000000002c0ul,
  1566. /*data=*/0x200000000840ul);
  1567. *(uint64_t*)0x200000000540 = 0x2000000004c0;
  1568. memset((void*)0x2000000004c0, 66, 1);
  1569. *(uint64_t*)0x200000000548 = 1;
  1570. syscall(__NR_pwritev, /*fd=*/r[23], /*vec=*/0x200000000540ul, /*vlen=*/1ul,
  1571. /*off_low=*/0x81805, /*off_high=*/0);
  1572. *(uint32_t*)0x200000000600 = 0;
  1573. *(uint32_t*)0x200000000604 = 0x70;
  1574. *(uint8_t*)0x200000000608 = 7;
  1575. *(uint8_t*)0x200000000609 = 0;
  1576. *(uint8_t*)0x20000000060a = 0x10;
  1577. *(uint8_t*)0x20000000060b = -1;
  1578. *(uint32_t*)0x20000000060c = 0;
  1579. *(uint64_t*)0x200000000610 = 0x400000000000004;
  1580. *(uint64_t*)0x200000000618 = 0x222;
  1581. *(uint64_t*)0x200000000620 = 0;
  1582. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 0, 1);
  1583. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 1, 1);
  1584. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 2, 1);
  1585. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 3, 1);
  1586. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 4, 1);
  1587. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 5, 1);
  1588. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 6, 1);
  1589. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 7, 1);
  1590. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 8, 1);
  1591. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 9, 1);
  1592. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 10, 1);
  1593. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 11, 1);
  1594. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 12, 1);
  1595. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 13, 1);
  1596. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 14, 1);
  1597. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 15, 2);
  1598. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 17, 1);
  1599. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 18, 1);
  1600. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 19, 1);
  1601. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 20, 1);
  1602. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 21, 1);
  1603. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 22, 1);
  1604. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 23, 1);
  1605. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 24, 1);
  1606. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 25, 1);
  1607. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 26, 1);
  1608. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 27, 1);
  1609. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 28, 1);
  1610. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 29, 1);
  1611. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0x400, 30, 1);
  1612. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 31, 1);
  1613. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0, 32, 1);
  1614. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 2, 33, 1);
  1615. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 0x18ed, 34, 1);
  1616. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 5, 35, 1);
  1617. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 6, 36, 1);
  1618. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 7, 37, 1);
  1619. STORE_BY_BITMASK(uint64_t, , 0x200000000628, 1, 38, 26);
  1620. *(uint32_t*)0x200000000630 = 0x1f;
  1621. *(uint32_t*)0x200000000634 = 0;
  1622. *(uint64_t*)0x200000000638 = 0x200000000000;
  1623. *(uint64_t*)0x200000000640 = 0;
  1624. *(uint64_t*)0x200000000648 = 0;
  1625. *(uint64_t*)0x200000000650 = 0;
  1626. *(uint32_t*)0x200000000658 = 0;
  1627. *(uint32_t*)0x20000000065c = 0;
  1628. *(uint64_t*)0x200000000660 = 0;
  1629. *(uint32_t*)0x200000000668 = 0;
  1630. *(uint16_t*)0x20000000066c = 0;
  1631. *(uint16_t*)0x20000000066e = 0;
  1632. *(uint32_t*)0x200000000670 = 0;
  1633. *(uint32_t*)0x200000000674 = 0;
  1634. *(uint64_t*)0x200000000678 = 0;
  1635. syscall(__NR_perf_event_open, /*attr=*/0x200000000600ul, /*pid=*/0,
  1636. /*cpu=*/0x40006ul, /*group=*/-1, /*flags=PERF_FLAG_FD_OUTPUT*/ 2ul);
  1637. syscall(__NR_ioctl, /*fd=*/r[22], /*cmd=*/0x4c00, /*arg=*/r[23]);
  1638. syscall(__NR_sendfile, /*fdout=*/r[22], /*fdin=*/r[22], /*off=*/0ul,
  1639. /*count=*/0x24002da8ul);
  1640. *(uint32_t*)0x2000000000c0 = 0;
  1641. *(uint16_t*)0x2000000000c8 = 0;
  1642. *(uint64_t*)0x2000000000d0 = 0;
  1643. *(uint16_t*)0x2000000000d8 = 0;
  1644. *(uint32_t*)0x2000000000e0 = 5;
  1645. *(uint32_t*)0x2000000000e4 = 2;
  1646. *(uint32_t*)0x2000000000e8 = 8;
  1647. *(uint32_t*)0x2000000000ec = 0;
  1648. memcpy((void*)0x2000000000f0,
  1649. "\x5b\x6e\x29\x27\x20\xad\x1c\x12\x27\x16\x75\x1d\xa9\xbf\x18\x95\x13"
  1650. "\xd6\x1d\x47\x96\xc0\x7a\x6a\x60\xc4\x8e\x0a\x82\x9f\x91\xb9\x77\x39"
  1651. "\x80\x9d\x64\xe8\x69\xae\x16\x79\x8a\x44\xaa\xd6\x14\xfa\xc6\xa2\x1d"
  1652. "\x3d\xcf\x2b\x3e\x87\x15\x87\xf5\x3c\xd8\x09\xf9\x8e",
  1653. 64);
  1654. memcpy((void*)0x200000000130,
  1655. "\xf8\xb6\x99\xc9\x29\xb9\x2e\xe7\x22\x24\x0b\x5b\x4c\x44\xa4\x1e\xb8"
  1656. "\x8c\x87\xcf\xf1\x86\x6b\xe0\xbe\xc4\x80\xeb\xc5\xc2\x18\x9e",
  1657. 32);
  1658. *(uint64_t*)0x200000000150 = 0;
  1659. *(uint64_t*)0x200000000158 = 0x2d;
  1660. *(uint32_t*)0x200000000160 = 0;
  1661. syscall(__NR_ioctl, /*fd=*/r[22], /*cmd=*/0x4c02, /*arg=*/0x2000000000c0ul);
  1662. *(uint64_t*)0x200000001780 = 0x200000000400;
  1663. memcpy((void*)0x200000000400,
  1664. "\x36\xc9\x7c\x5d\x31\x13\x14\x18\x06\x6f\x38\x49\xd2\xfb\x42\x61\x5b"
  1665. "\xac\x0f\x05\x79\x77\xc1\xf7\x1c\x18\x07\xcb\xbc\xb7\x06\x41\x84\x2c"
  1666. "\x59\x3d\x05\x0d\x2d\x59\xea\x59\x46\x9f\x46\xed\x74",
  1667. 47);
  1668. *(uint64_t*)0x200000001788 = 0x2f;
  1669. *(uint64_t*)0x200000001790 = 0x200000001580;
  1670. memcpy((void*)0x200000001580,
  1671. "\x04\x7a\x8b\x91\x82\xc3\xd4\xb3\x95\xf6\x00\x45\xaf\x55\x4a\x7a\xca"
  1672. "\x83\x45\x15\x7a\x24\x01\x14\x60\xa9\xf1\x5d\x41\x6f\x95\xc6\x26\x3e"
  1673. "\x4a\x56\xb3\xbe\x54\xf2\xa7\xde\x5b\xca\xed\x31\x0e\x5f\x31\x94\x19"
  1674. "\xa8\x36\x32\xa8\x81\x5e\x82\x2c\x67\x47\x00\x74\x7f\x13\x00\x0f\x4b"
  1675. "\x0b\x8e\x1b\xc0\x89\x87\x28\x88\xdd\x53\x77\xa0\x7c\x38\x65\x52\xe4"
  1676. "\x12\x73\x7c\x7b\x2a\x93\x9a\xb1\x31\x06\xbe\x21\x96\x3e\x6d\x77\x1a"
  1677. "\x2c\x5a\x4d\x77\x21\xd8\x77\x06\x41\x13\x9b\x66\xd8\x5b\x56\xcd\x59"
  1678. "\x4b\x21\xc9\x13\xd2\xb6\xbc\xb7\x6e\x24\x6b\xd9\x14\x39\x3a\x50\x4c"
  1679. "\xa9\x8f\x84\xbe\x5c\x04\xe1\xb0\x67\x49\x60\x86\xcd\x1a\x7b\x68\x07"
  1680. "\x8c\x1a\x86\x01\xaf\xb9\x78\x3e\xdd\xdc\x1b\x28\xee\x4f\xc5",
  1681. 168);
  1682. *(uint64_t*)0x200000001798 = 0xa8;
  1683. *(uint64_t*)0x2000000017a0 = 0x200000000440;
  1684. memcpy((void*)0x200000000440,
  1685. "\x50\xce\xf2\x5c\xf1\xf6\xdd\x8f\x14\x65\x17\x48\x38\xd0\x14\xe4\x56"
  1686. "\x57\x11\x11\x16\x3c\x21\x2d\x60\xcb\x60\xfb\x29\xd7\x8b\x70\x0d\x98"
  1687. "\x17\x73\x65\x6b\xbb\x0c\x95\xc5\xf8\xba\x48\xc9\x76\x55\x1e\x29\x42"
  1688. "\x47\x23\xca\x1d\x1b\xd9\xc4\x16\x87\xa7\x4a\xd7\x4e\xc6\x58\x98\x0e"
  1689. "\x9b\x07\x47\xf6\xcd\x2d\x34\x26\xc0\x55\x9e\xe6\xdc\x41\x85\x9e\x6b"
  1690. "\xb0\xa9\x85\xa6\x95\x1c\xa0\x80\x0d\x8c\xe0",
  1691. 96);
  1692. *(uint64_t*)0x2000000017a8 = 0x60;
  1693. *(uint64_t*)0x2000000017b0 = 0x200000000500;
  1694. memcpy((void*)0x200000000500, "*/a", 3);
  1695. *(uint64_t*)0x2000000017b8 = 3;
  1696. *(uint64_t*)0x2000000017c0 = 0x200000001640;
  1697. memcpy((void*)0x200000001640,
  1698. "\x22\x1c\xb9\x7f\xe0\x46\x14\x76\x99\x8a\x0c\x0a\xd8\x8d\x54\x51\xf2"
  1699. "\xdc\x52\x97\xda\x62\xa0\x14\xb1\x5d\x1b\x89\x64\x84\x20\xa4\xf9\xee"
  1700. "\xf2\x34\xa8\x42\x5b\xf9\x48\xf8\x38\x26",
  1701. 44);
  1702. *(uint64_t*)0x2000000017c8 = 0x2c;
  1703. *(uint64_t*)0x2000000017d0 = 0x200000001680;
  1704. memcpy((void*)0x200000001680,
  1705. "\x22\xb7\x6e\x1a\x21\x64\xca\xcc\x70\xf6\xf3\xb7\x62\x6c\x97\xa0\x1a"
  1706. "\xaa\xd8\xad\x35\x70\xce\x48\x4d\x28\xe4\x13\xde\x37\x44\x08\xbb\x40"
  1707. "\xf5\x5a\x6f\x1f\x1f\x75\x8c\x7a\x52\x12\xee\xe3\xd1\x88\xa6\x58\x98"
  1708. "\xfa\x2e\x2a\xe0\x15\x74\x64\xd1\xe2\xa4\x07\xb7\x12\xd2\x24\xf3\x33"
  1709. "\xc4\xfa\x82\x48\x60\x0d\x86\x75\x4d\xbe\x9b\xd3\xb8\x43\x91\xf6\xbb"
  1710. "\x10\xee\x12\x78\x0e\x9d\xa9\x67\x96\xfd\x88\x43\x2f\xb4\xba\x48\xc2"
  1711. "\xab\x78\x74\xe4\xc3\xdc\x51\x88\x85\x65\x5d\x54\xf1\x30\x66\x11\x54"
  1712. "\xd6\x43\x71\x35\xd5\xf1\x79\xe2\x47\x72\x80\x5d\x29\xe5\x8e\xdf\xfb"
  1713. "\xe8\x6d\x1b\x10\xcc\xbd\xc5\xf2\x78\x06\x43\x39\xc7\x93\xa7\xb1\xa0"
  1714. "\x5b\x47\x31\xa6\x9e\x2a\xc5\x0f\xc0\x20\xe8\x38\xc5\x95\xac\x97\x58"
  1715. "\xee\x2d\x6b\x8d\x61\x1f\x68\x41\x48\xc5\x11\xe9\x15\x4a\x30\xeb\xfb"
  1716. "\x60\x68\xd5\xf5\xa8\xe7\xf1\xdb\xf8\xd1\x1c\x43\x4c\xad\xa2\x4a\xff"
  1717. "\x6e\x6d\x58\x4b\x48\x8d\x5b\x77\x47\xa7\xdf\x19\xa9\x6e\xf2\xdb\xf9"
  1718. "\x25\xdd\x89\x26\x64\xd5\xb0\x20\x73\xb9\x24\x4f\xa5\xcf\x54\x88\x68"
  1719. "\x0a\xa1\x69\x6a\xf9\x4b\x8b\xe0\xac\x5e\xe2\x76\x0c\x09",
  1720. 252);
  1721. *(uint64_t*)0x2000000017d8 = 0xfc;
  1722. syscall(__NR_writev, /*fd=*/r[20], /*vec=*/0x200000001780ul, /*vlen=*/6ul);
  1723. *(uint32_t*)0x200000000780 = 0;
  1724. *(uint16_t*)0x200000000788 = 0;
  1725. *(uint64_t*)0x200000000790 = 0;
  1726. *(uint16_t*)0x200000000798 = 0;
  1727. *(uint32_t*)0x2000000007a0 = 3;
  1728. *(uint32_t*)0x2000000007a4 = 0;
  1729. *(uint32_t*)0x2000000007a8 = 0xc;
  1730. *(uint32_t*)0x2000000007ac = 0xd;
  1731. memcpy((void*)0x2000000007b0,
  1732. "\x0c\x7f\x70\xa1\x67\xf6\xcc\x18\x8c\xb6\x1c\x01\x00\x40\xc1\x4c\x32"
  1733. "\xa9\xab\x32\x2f\xb8\xb5\x7b\xe5\xe3\xe3\xfc\xcf\xf8\xf0\x02\x3e\x2c"
  1734. "\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1735. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
  1736. 64);
  1737. memcpy((void*)0x2000000007f0,
  1738. "\x94\x1a\xcb\x4e\x4d\x09\x17\x91\x5e\x09\x30\xcc\xea\xd6\xe9\x17\x80"
  1739. "\xed\x6d\x96\x77\xf4\x13\x36\xde\x09\xd5\x26\x44\xd8\x82\xc5",
  1740. 32);
  1741. *(uint64_t*)0x200000000810 = 0xffff8001;
  1742. *(uint64_t*)0x200000000818 = 0x64;
  1743. *(uint32_t*)0x200000000820 = 0;
  1744. syscall(__NR_ioctl, /*fd=*/r[22], /*cmd=*/0x4c02, /*arg=*/0x200000000780ul);
  1745. *(uint64_t*)0x200000000140 = 0;
  1746. *(uint32_t*)0x200000000148 = 0x3f37bf1f;
  1747. *(uint32_t*)0x20000000014c = -1;
  1748. *(uint32_t*)0x200000000150 = 0;
  1749. *(uint32_t*)0x200000000154 = 0;
  1750. syscall(__NR_ioctl, /*fd=*/r[19], /*cmd=*/0x40182103,
  1751. /*arg=*/0x200000000140ul);
  1752. syscall(__NR_munlock, /*addr=*/0x200000002000ul, /*size=*/0x1000ul);
  1753. memcpy((void*)0x200000000300, "./bus\000", 6);
  1754. res = syscall(__NR_creat, /*file=*/0x200000000300ul, /*mode=*/0ul);
  1755. if (res != -1)
  1756. r[24] = res;
  1757. memcpy((void*)0x200000000580, "ext4\000", 5);
  1758. memcpy((void*)0x200000000040, "./file0\000", 8);
  1759. memcpy((void*)0x200000000280, "bsdgroups", 9);
  1760. *(uint8_t*)0x200000000289 = 0x2c;
  1761. memcpy((void*)0x20000000028a, "grpjquota=", 10);
  1762. *(uint8_t*)0x200000000294 = 0x2c;
  1763. memcpy((void*)0x200000000295, "discard", 7);
  1764. *(uint8_t*)0x20000000029c = 0x2c;
  1765. memcpy((void*)0x20000000029d, "init_itable", 11);
  1766. *(uint8_t*)0x2000000002a8 = 0x3d;
  1767. sprintf((char*)0x2000000002a9, "0x%016llx", (long long)0x61);
  1768. *(uint8_t*)0x2000000002bb = 0x2c;
  1769. memcpy((void*)0x2000000002bc, "nogrpid", 7);
  1770. *(uint8_t*)0x2000000002c3 = 0x2c;
  1771. memcpy((void*)0x2000000002c4, "subj_user", 9);
  1772. *(uint8_t*)0x2000000002cd = 0x3d;
  1773. memcpy((void*)0x2000000002ce, "/\242\305", 3);
  1774. *(uint8_t*)0x2000000002d1 = 0x2c;
  1775. memcpy((void*)0x2000000002d2, "func", 4);
  1776. *(uint8_t*)0x2000000002d6 = 0x3d;
  1777. memcpy((void*)0x2000000002d7, "FILE_MMAP", 9);
  1778. *(uint8_t*)0x2000000002e0 = 0x2c;
  1779. *(uint8_t*)0x2000000002e1 = 0;
  1780. memcpy(
  1781. (void*)0x2000000005c0,
  1782. "\x78\x9c\xec\xdd\x4d\x6f\x1b\x45\x1f\x00\xf0\xff\xae\xe3\x3c\x69\x9b\x87"
  1783. "\xa4\x08\xa1\x96\x0b\x11\x48\xa5\x12\xc2\x4d\x53\x28\x82\x0b\x6d\xcf\x20"
  1784. "\x21\xc1\x85\x5b\xa3\xd6\xad\x42\xdd\x17\x25\x41\xa2\x15\x87\xf6\x80\xb8"
  1785. "\x70\x28\x12\x52\x0f\x48\xa0\xaa\x17\x3e\x04\x87\x0a\x89\x2f\xc0\x89\x72"
  1786. "\xe3\x8a\x54\x21\xd4\x56\xbc\x5c\x8c\xd6\x5e\xc7\x6e\x62\x27\x21\xd8\xdd"
  1787. "\x24\xfb\xfb\x49\x6b\xcf\xec\x38\x9e\xf9\x7b\x33\xd9\x19\xaf\x27\x0e\xa0"
  1788. "\xb4\x66\xb2\x9b\x34\xe2\x60\x44\x9c\x4e\x22\xa6\x7a\xca\xc6\x22\x2f\x9c"
  1789. "\x69\x3f\xee\xc1\xef\x9f\x9c\xc9\xb6\x24\x9a\xcd\xf7\x7e\x4b\x22\xc9\xf7"
  1790. "\x75\x1e\x9f\xe4\xf7\xfb\xf2\xcc\x44\x44\xfc\x78\x2a\xe2\xe9\xca\xda\x7a"
  1791. "\x97\xae\x5e\xbb\x30\xdf\x68\xd4\x17\xf3\xfc\x91\xe5\x8b\x57\x8e\x2c\x5d"
  1792. "\xbd\xf6\xca\xc2\xc5\xf9\xf3\xf5\xf3\xf5\x4b\xc7\x5f\x7d\xed\x8d\xb9\xd7"
  1793. "\x8f\xcf\x1d\x1b\x5a\xa8\xd5\x0f\xbe\x6b\xdc\x3a\xf0\xf3\xa9\x3f\x3e\x5b"
  1794. "\x7c\x74\xe8\xce\x9f\xf1\x61\x12\x27\x62\x32\x2f\xec\x8d\x63\x58\x66\x62"
  1795. "\x66\xe5\x35\xe9\x95\xbd\xae\x6f\x0d\xbb\xb2\x82\x54\xf2\x78\xfa\xc5\xc9"
  1796. "\xf6\xd7\x39\x7e\xd5\x88\x78\x36\xa6\xa2\x92\xf7\xfa\xcc\x54\x2c\x7c\x5e"
  1797. "\x68\xe3\x80\x91\x6a\x56\x22\x9a\x40\x49\x25\xfa\x3f\x94\x54\x67\x1c\xd0"
  1798. "\x99\xdb\x8f\x62\x1e\xbc\x9d\xdd\x3f\xd9\x9e\x00\xad\x8d\x7f\xac\xfd\xde"
  1799. "\x48\x4c\xb4\xe6\x46\x7b\x1f\x24\x3d\x33\xa3\xf6\x7c\x77\x7a\x08\xf5\x67"
  1800. "\x75\x4c\xfc\xf0\xed\x17\xd9\x16\x23\x7a\x1f\x62\x3d\xd7\x6f\x44\xc4\x81"
  1801. "\x7e\xf1\x27\xad\xb6\x4d\xb7\xde\xc5\xc9\xe2\x4f\x1f\x8b\x3f\x8d\x88\xd9"
  1802. "\xfc\x3e\xdb\x3f\xb7\xc5\xfa\x67\x56\xe5\x77\x52\xfc\x27\x7a\xe2\x3f\xb5"
  1803. "\xc5\xfa\x8b\x8e\x1f\x80\x72\xba\x7b\xb2\x7d\x22\x5f\x7b\xfe\x4b\x57\xc6"
  1804. "\x3f\xd1\x67\xfc\x33\xd9\xe7\xdc\xb5\x15\x45\x9f\xff\x06\x8f\xff\xba\xf1"
  1805. "\x57\x06\x8c\xff\xde\xdd\x64\x1d\x77\x6e\x7f\x73\x62\x50\x59\xef\xf8\x2f"
  1806. "\xdb\xb2\xfa\x3b\x63\xc1\x27\xe1\xfe\x8d\x88\xe7\xfa\xc6\x9f\xac\xc4\x9f"
  1807. "\xf4\x89\x3f\x1b\xf7\x9c\xde\x64\x1d\x2f\xd4\xbf\xbe\x37\xa8\xac\xe8\xf8"
  1808. "\x9b\xb7\x23\x0e\xf5\x9d\xff\x74\xaf\x68\x25\xeb\x5e\x9f\x3c\x72\x6e\xa1"
  1809. "\x51\x9f\x6d\xdf\xf6\xaf\xe3\xe6\xa7\xcd\x5b\x83\xea\x2f\x3a\xfe\xec\xf8"
  1810. "\xef\x1d\x10\xff\x7a\xc7\x3f\xdb\x77\x65\x93\x75\x7c\xff\xf0\xd1\x2f\x83"
  1811. "\xca\x36\x8e\x3f\xfd\x75\x3c\x79\xbf\x95\x1a\xcf\xf7\x7c\x3c\xbf\xbc\xbc"
  1812. "\x78\x34\x62\x3c\x79\x7b\xed\xfe\x0d\x26\x22\x9d\xc7\x74\x9e\x23\x8b\xff"
  1813. "\xf0\x8b\xeb\xf7\xff\x7e\xf1\xef\xc9\xe6\x0e\x9b\x8c\xff\xc1\xe1\xe3\xef"
  1814. "\x6c\x35\xfe\xfb\x7f\x75\xe7\xe8\xa3\x90\xc5\x7f\x76\x8b\xc7\xff\xe6\x26"
  1815. "\xeb\x98\x9b\xad\x7d\x35\xa8\xac\xe8\xdf\x7f\x00\x00\x00\x00\x00\x00\xd8"
  1816. "\x4d\xd2\xd6\x67\x39\x92\xb4\xb6\x92\x4e\xd3\x5a\xad\xbd\x86\xf7\x99\xd8"
  1817. "\x9b\x36\x2e\x2f\x2d\xbf\x7c\xee\xf2\x47\x97\xce\xb6\x3f\xf3\x31\x1d\xd5"
  1818. "\xb4\x73\xa9\x7b\xaa\x9d\x4f\xb2\xfc\xd1\xfc\xf3\xb0\x9d\xfc\xdc\xaa\xfc"
  1819. "\xb1\x88\xd8\x1f\x11\x5f\x56\xf6\xb4\xf2\xb5\x33\x97\x1b\x67\x8b\x0e\x1e"
  1820. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb6\x89\x7d"
  1821. "\xab\xd6\xff\x3f\xac\xb4\xd7\xff\x03\x25\x31\x56\x74\x03\x80\xc2\xe8\xff"
  1822. "\x50\x5e\xfa\x3f\x94\x97\xfe\x0f\xe5\xa5\xff\x43\x79\xe9\xff\x50\x5e\xfa"
  1823. "\x3f\x94\x97\xfe\x0f\xe5\xa5\xff\x43\x79\xe9\xff\x50\x5e\xfa\x3f\x00\x00"
  1824. "\x00\x00\xec\x4a\xfb\x9f\xbf\x7b\x2f\x89\x88\xeb\x6f\xee\x69\x6d\x99\xf1"
  1825. "\xbc\xac\x5a\x68\xcb\x80\x51\x4b\x8b\x6e\x00\x50\x98\x4a\xd1\x0d\x00\x0a"
  1826. "\xe3\xd2\x3f\x94\x97\x39\x3e\x90\xac\xa4\xfe\x6e\xb6\x3d\x5e\x3e\x31\xe8"
  1827. "\x07\xef\x26\x23\x6d\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\xf5"
  1828. "\xd2\x41\xeb\xff\xa1\xac\xac\xff\x87\xf2\xb2\xfe\x1f\xca\xeb\x3f\xac\xff"
  1829. "\xf7\xaf\x03\x60\x87\x33\xc7\x07\x36\x5a\xc5\x6f\xfd\x3f\x00\x00\x00\x00"
  1830. "\x00\x00\x00\x00\x00\x00\x14\x6f\xb2\xb5\x25\x69\x2d\x5f\x0b\x3c\x19\x69"
  1831. "\x5a\xab\x45\xfc\x3f\x22\xa6\xa3\x9a\x9c\x5b\x68\xd4\x67\x23\xe2\xa9\x88"
  1832. "\xf8\xa9\x52\xfd\x5f\x96\x3f\x5a\x74\xa3\x01\x00\x00\x00\x00\x00\x00\x00"
  1833. "\x00\x00\x00\x00\x00\x00\x00\x60\x97\x59\xba\x7a\xed\xc2\x7c\xa3\x51\x5f"
  1834. "\x1c\x42\xa2\x99\x7f\x99\xf0\xd0\x9e\xf0\x5f\x24\xc6\x22\xe2\x89\x57\x2a"
  1835. "\x21\xb1\x6b\x13\x45\xff\x65\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1836. "\x00\x00\x00\x80\xf2\xe9\x2e\xfa\x2d\xba\x25\x00\x00\x00\x00\x00\x00\x00"
  1837. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1838. "\x00\x00\x00\x00\x00\x00\x50\x9c\xee\xf7\xff\x8f\x2e\x51\x74\x8c\x00\x00"
  1839. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1840. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1841. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1842. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1843. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1844. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1845. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1846. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1847. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1848. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1849. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1850. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1851. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1852. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1853. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1854. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1855. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1856. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1857. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1858. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1859. "\x00\x00\xc0\xce\xf4\x4f\x00\x00\x00\xff\xff\xaa\xbd\x24\xbf",
  1860. 1401);
  1861. syz_mount_image(/*fs=*/0x200000000580, /*dir=*/0x200000000040,
  1862. /*flags=MS_NOATIME*/ 0x400, /*opts=*/0x200000000280,
  1863. /*chdir=*/1, /*size=*/0x579, /*img=*/0x2000000005c0);
  1864. memcpy((void*)0x200000000000, ".\000", 2);
  1865. res = syscall(__NR_open, /*file=*/0x200000000000ul, /*flags=*/0ul,
  1866. /*mode=*/0ul);
  1867. if (res != -1)
  1868. r[25] = res;
  1869. memcpy((void*)0x200000000340, "./file0\000", 8);
  1870. memcpy((void*)0x200000000200,
  1871. "\023\023w\305\3745\324\024T\325\324\035)\255\032`)"
  1872. "Y\201F\346\276\026nA\255\r\275@T\003<\2373\273\332\202$"
  1873. "\242\363\327r\347cnH\263<\277p\203r\350\361\271\223>"
  1874. "\305\022wC\276\"\006 \236\360-\371\313\362\366\350\200\3238/\000",
  1875. 78);
  1876. syscall(__NR_renameat, /*oldfd=*/r[25], /*old=*/0x200000000340ul,
  1877. /*newfd=*/r[25], /*new=*/0x200000000200ul);
  1878. *(uint32_t*)0x200000000100 = 4;
  1879. *(uint32_t*)0x200000000104 = 0x80;
  1880. *(uint8_t*)0x200000000108 = 3;
  1881. *(uint8_t*)0x200000000109 = 7;
  1882. *(uint8_t*)0x20000000010a = 8;
  1883. *(uint8_t*)0x20000000010b = 0x5b;
  1884. *(uint32_t*)0x20000000010c = 0;
  1885. *(uint64_t*)0x200000000110 = 1;
  1886. *(uint64_t*)0x200000000118 = 0x2002;
  1887. *(uint64_t*)0x200000000120 = 1;
  1888. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 0, 1);
  1889. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 1, 1);
  1890. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 2, 1);
  1891. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 3, 1);
  1892. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 4, 1);
  1893. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 5, 1);
  1894. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 6, 1);
  1895. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 7, 1);
  1896. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 8, 1);
  1897. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 9, 1);
  1898. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 10, 1);
  1899. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 11, 1);
  1900. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 12, 1);
  1901. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 13, 1);
  1902. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 14, 1);
  1903. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 3, 15, 2);
  1904. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 17, 1);
  1905. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 18, 1);
  1906. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 19, 1);
  1907. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 20, 1);
  1908. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 21, 1);
  1909. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 22, 1);
  1910. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 23, 1);
  1911. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 24, 1);
  1912. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 25, 1);
  1913. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 26, 1);
  1914. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 27, 1);
  1915. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 28, 1);
  1916. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 29, 1);
  1917. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 30, 1);
  1918. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 31, 1);
  1919. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 32, 1);
  1920. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 33, 1);
  1921. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 34, 1);
  1922. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 35, 1);
  1923. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 36, 1);
  1924. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 1, 37, 1);
  1925. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 38, 26);
  1926. *(uint32_t*)0x200000000130 = 8;
  1927. *(uint32_t*)0x200000000134 = 4;
  1928. *(uint64_t*)0x200000000138 = 0x200000000000;
  1929. *(uint64_t*)0x200000000140 = 1;
  1930. *(uint64_t*)0x200000000148 = 0x9bf301e579dcd74b;
  1931. *(uint64_t*)0x200000000150 = 5;
  1932. *(uint32_t*)0x200000000158 = 0xfffff456;
  1933. *(uint32_t*)0x20000000015c = 3;
  1934. *(uint64_t*)0x200000000160 = 0;
  1935. *(uint32_t*)0x200000000168 = 0x800003fd;
  1936. *(uint16_t*)0x20000000016c = 0x4400;
  1937. *(uint16_t*)0x20000000016e = 0;
  1938. *(uint32_t*)0x200000000170 = 0xae15;
  1939. *(uint32_t*)0x200000000174 = 0;
  1940. *(uint64_t*)0x200000000178 = 0x7ff;
  1941. syscall(__NR_perf_event_open, /*attr=*/0x200000000100ul, /*pid=*/-1,
  1942. /*cpu=*/1ul, /*group=*/r[24],
  1943. /*flags=PERF_FLAG_FD_CLOEXEC|PERF_FLAG_FD_NO_GROUP*/ 9ul);
  1944. res = syscall(__NR_io_setup, /*n=*/0xb, /*ctx=*/0x200000000040ul);
  1945. if (res != -1)
  1946. r[26] = *(uint64_t*)0x200000000040;
  1947. *(uint64_t*)0x200000000540 = 0x2000000000c0;
  1948. *(uint64_t*)0x2000000000c0 = 0;
  1949. *(uint32_t*)0x2000000000c8 = 0;
  1950. *(uint32_t*)0x2000000000cc = 0;
  1951. *(uint16_t*)0x2000000000d0 = 1;
  1952. *(uint16_t*)0x2000000000d2 = 0;
  1953. *(uint32_t*)0x2000000000d4 = r[24];
  1954. *(uint64_t*)0x2000000000d8 = 0x200000000000;
  1955. *(uint64_t*)0x2000000000e0 = 0x200a00;
  1956. *(uint64_t*)0x2000000000e8 = 0;
  1957. *(uint64_t*)0x2000000000f0 = 0;
  1958. *(uint32_t*)0x2000000000f8 = 0;
  1959. *(uint32_t*)0x2000000000fc = -1;
  1960. syscall(__NR_io_submit, /*ctx=*/r[26], /*nr=*/0xf10ul,
  1961. /*iocbpp=*/0x200000000540ul);
  1962. memcpy((void*)0x2000000001c0,
  1963. "\x6c\xae\xdf\x78\xe8\x24\x0e\x44\x81\xff\x03\x43", 12);
  1964. *(uint64_t*)0x2000000001d0 = 0x200000000580;
  1965. memcpy(
  1966. (void*)0x200000000580,
  1967. "\x9b\x17\x72\x2d\x35\x6a\x4e\xcf\xac\x6d\xae\xd9\x61\x8c\x25\x89\xf5\x0e"
  1968. "\xa9\x8d\x4d\xff\x5e\xa5\x21\xfb\x86\xdb\x39\x1f\x77\x34\x5c\xa6\xb2\x46"
  1969. "\xfd\xb2\x7d\x96\x08\x0a\x72\xf4\x4f\xbb\x6b\x0b\x35\x09\x3b\xb6\x5d\x9d"
  1970. "\x2d\x15\xe1\xa3\xdc\x21\xcd\x98\x8b\x8d\x57\xb2\xe7\xb8\xe7\xbb\x81\x9c"
  1971. "\xd1\x30\x6c\x9c\x7c\x4f\xcd\x99\x90\x21\x34\x30\x5d\xde\x3c\x6d\xfb\xca"
  1972. "\xbe\x7f\x32\x38\x86\x00\x43\xaf\x64\xb7\x0f\x94\xec\x9e\xb0\x33\x27\x46"
  1973. "\xef\x78\x7a\x64\x5e\x65\x26\xaa\x51\x7b\x01\x2a\xd8\x0b\x40\x72\x7d\x00"
  1974. "\x4e\x05\x6e\x37\x45\x7a\xbc\xd0\xd9\x2f\xa9\xca\x76\xdc\xe5\x69\x21\x26"
  1975. "\xdc\xe5\x01\x45\xd8\xbe\x0f\x8f\x96\x9a\xdd\x79\xb8\xe4\x0c\x8f\x06\xe9"
  1976. "\x51\xf7\xe3\xb9\x8d\xf9\x30\x7e\x11\x3d\x4d\x19\x0d\x51\x5f\x06\x52\xec"
  1977. "\x02\x4e\xcb\x2e\xd9\x9c\x49\x4f\x5b\x16\xc5\x2b\x16\x52\x6f\xa2\x8f\x94"
  1978. "\x25\x74\xab\x4b\x20\xdd\x55\xf4\x9d\x9d\xe8\x9c\x77\x81\x16\x75\x3b\x25"
  1979. "\x12\x19\xc0\x6f\x12\xaf\x01\xf2\x17\xaf\x75\xb4\x09\x13\x46\x7b\x75\x27"
  1980. "\xec\xf2\xcb\x6a\x81\xd5\xa5\xc8\x4a\x37\x20\xfc\xa8\x17\xd7\x9d\x5f\x6c"
  1981. "\xc3\x99\xfd\xee\xc0\x25\x2f\x0f\x0b\x78\x6c\x75\x84\xdb\x3a\x2e\x50\xed"
  1982. "\xef\x48\x56\x71\xd8\xbb\x73\x4c\xd6\x23\xfc\xf2\x63\x44\x97\xe8\xf3\xbf"
  1983. "\xf7\xf7\x64\x9b\x27\x31\xdc\x00\x7e\x4b\xdb\x18\x0f\x43\xc4\x6a\xec\x0a"
  1984. "\xa8\x36\x1d\x1b\xb6\x2f\xda\x8f\xf3\x4c\xd6\x4d\xec\xfe\x0e\xe8\x79\x5a"
  1985. "\x5c\xbe\x22\x22\x26\xca\x12\x11\x35\xb9\x40\x59\x44\x79\x0b\x15\x2a\xa9"
  1986. "\x33\x74\xce\x08\xf0\xaf\x5e\xf6\xc7\xe7\x1b\x82\x9e\x28\xe7\xc3\x65\xe3"
  1987. "\xa3\x5a\xfa\x7f\xcd\xfc\x11\x48\x41\xcf\xeb\x69\x87\x32\x10\xf1\x32\xb7"
  1988. "\x60\x27\xfb\xfa\xa1\x53\x62\x44\x28\x66\x23\x37\x90\x27\xc2\x78\x4e\x2d"
  1989. "\xe1\x51\x18\x7c\x4e\x8f\xdc\x8a\x3a\xcb\x81\x45\x37\xf5\x97\x38\xbb\x7d"
  1990. "\x3a\xbb\x68\x6a\x62\x5d\x1e\xfc\x86\xf1\x6d\x6f\xf7\xe1\x25\x33\x3f\xff"
  1991. "\x62\x97\x8c\x02\xd2\xd1\x52\x44\x58\x41\xb6\x00\xf8\xd9\x2d\x72\x32\xa1"
  1992. "\x32\x14\x53\xdf\xbd\xa5\x47\xbf\x67\xef\xa9\x15\xc1\x36\x5c\x6d\xf6\x6d"
  1993. "\x69\x09\x16\x75\x34\x0f\x98\x0c\xed\x33\xd0\x6e\xbc\x34\x3c\x61\x66\x68"
  1994. "\x1a\x37\x6b\x47\xad\x0d\x8f\x8a\xe0\xad\x20\x3c\xbf\x26\x29\x14\x0f\x7b"
  1995. "\x71\x27\xfc\x45\x7d\xf0\xc7\xef\xfa\xd3\x6c\xbe\x58\x79\x33\xc1\xf0\x26"
  1996. "\x7c\x66\x9d\xc6\xdb\x78\xe1\x02\xd3\x79\x86\xcf\xcd\xa1\x5a\xd5\x49\x53"
  1997. "\x85\xb3\x02\x21\x92\xe1\xfc\xd8\x5b\x2f\xf3\x43\xb0\x92\x96\x31\x16\xd8"
  1998. "\x50\xa8\x93\xb7\x94\x55\x27\xae\xe0\xfc\xe7\xc7\x76\xb9\xb1\x3f\x64\x3d"
  1999. "\xd2\x19\xad\x85\xd0\x7e\xe8\x45\x0a\x74\xb8\x1b\xf5\x0c\x43\x88\x6b\xbd"
  2000. "\xc7\xf1\x43\x80\xcc\x67\xa4\x26\xcd\x56\xd9\x9b\x60\xdb\x70\xb7\xa7\x40"
  2001. "\x80\x79\x78\xe0\xe2\x7c\xe2\x52\x3b\x83\x7f\xbd\xf5\xc5\x0f\xeb\x27\x45"
  2002. "\x68\x87\xdf\x29\x35\x34\x9e\x45\x30\x6d\xef\xf3\x15\xe9\x1b\x04\xc9\x18"
  2003. "\xfb\xa4\xac\xb0\xe3\x67\x05\xd7\x5d\x9e\xfb\x85\x04\x51\x4d\x72\xca\x9e"
  2004. "\x9a\x1b\xc6\x6d\xde\x70\x2f\x35\x47\xc4\x45\xbc\x68\x52\x75\xa4\x91\x13"
  2005. "\x87\x89\x16\xcb\xdc\x9c\x9b\xc0\x3c\x5a\x6a\x82\xbc\x2c\xee\x29\x19\xac"
  2006. "\x34\x83\xae\xc7\x4f\x9c\x96\xbe\x6f\x03\x78\x80\x88\xa5\x78\x72\x3d\x8b"
  2007. "\xd7\x58\x4b\x83\x90\x55\x0a\x95\xb0\x87\x31\xe4\xf0\xf8\x1a\x2f\x6e\xa1"
  2008. "\xe8\xb2\x3e\x43\x39\xbf\x40\xaa\xec\x7d\x76\x0e\x59\xad\x54\xbd\x7a\x14"
  2009. "\x20\x76\xf7\xb1\xd2\x49\xc0\x66\xf2\x9c\x1a\xe7\x97\x71\x33\xa2\xe0\xb6"
  2010. "\x0e\x3f\xf9\x83\x64\x49\x5f\x8b\x41\x27\xf5\x4c\xbf\x6f\x0c\x24\xa8\x0c"
  2011. "\x5d\x39\x76\xd7\x7d\x62\xf2\xf1\xca\x50\xa5\x62\x0d\xab\x44\x79\xec\x7b"
  2012. "\xb2\x9f\x48\x22\x50\xeb\xbd\x0a\x62\x13\x4e\x97\x55\x06\x5c\x71\x02\xa9"
  2013. "\xe1\x17\xcb\x67\x57\x09\x6c\x9e\x69\x6d\x2a\x55\x24\xd4\xba\x41\x24\x33"
  2014. "\x15\x0a\x06\x1c\x50\xce\x82\x79\x96\xbf\xe3\x69\xe0\x7c\xb4\xf2\xfb\x04"
  2015. "\xae\x9a\xcc\xd3\x6a\xaf\xf6\x51\x42\xde\x55\x1d\x43\xc9\xe4\xb7\x4d\x49"
  2016. "\x72\x1a\x8c\x56\x9c\x75\xd3\x45\xc0\x7a\x3a\x2e\x43\x76\xb5\x5a\x60\x37"
  2017. "\x1c\x04\x45\xe7\xd2\xbb\x41\x45\x77\x63\xaf\x1d\x78\x97\x29\x33\x04\xd1"
  2018. "\x33\xa3\xa8\xef\xf0\x83\xfd\xcf\x65\x14\xbf\xd6\xf8\x58\x44\x26\x73\x73"
  2019. "\x3c\xdd\xb0\xcf\xd5\x07\xc6\x22\xea\x3a\x4b\x72\x6d\x79\x30\x36\x5a\x66"
  2020. "\x53\xef\x0a\x4f\x70\x32\x4d\x7a\xc5\x82\x83\xa2\x3e\x0d\xdc\xb6\xab\xbb"
  2021. "\x25\x2b\xf5\x75\x52\x9a\x30\xd6\xce\xa6\xb0\xa2\xba\xd8\xa7\x83\x9f\x1a"
  2022. "\xc6\x9f\xd0\xff\xbe\x6f\xbb\x21\x7c\xcc\x0d\xfe\xb5\x13\x35\x09\x74\x69"
  2023. "\xbf\x4a\x2c\x23\x7e\xbf\x88\x70\xb5\xd7\xe2\xa8\xfb\xb0\xc9\xc1\x18\xb6"
  2024. "\x1b\x98\x10\xa6\x68\x65\x20\xc9\x2a\xe6\x99\x31\x9b\x7d\x7e\x23\x74\x06"
  2025. "\x73\x33\xfb\x67\x81\xaf\x84\x5c\x22\x8d\xfd\x73\xc8\x28\x61\x13\x4e\xc9"
  2026. "\xc9\xef\xcb\xc5\x29\x1f\xed\x3e\x99\x4e\x5f\xc0\xbe\x0e\x6c\x24\x21\x78"
  2027. "\x88\x84\x87\x9f\xd2\x18\x90\x0d\x1f\xf9\x6b\xc9\x7c\x69\xce\xc0\x4d\x0a"
  2028. "\x7e\x92\x33\xc2\xc5\xeb\xa3\x16\x30\x95\xb2\x78\xe9\x9c\x7d\x20\x1a\x37"
  2029. "\x32\xec\x22\x0f\xdd\x73\xdb\xa8\x48\xb5\x3a\x86\xe5\x5f\xd0\x7e\x42\x90"
  2030. "\x6b\xdc\x07\x81\x13\x52\xa2\x37\x51\x51\x27\x8b\x32\xda\xd0\x46\xea\x77"
  2031. "\x99\x49\x22\xce\x49\x7f\x9a\x4d\x08\x69\x77\xd6\x52\x8a\xd6\xd7\x2e\x49"
  2032. "\xb0\x87\xe6\xfd\x00\x2d\xae\x49\x74\xf3\x84\xdc\xa1\x81\x36\x25\x1d\xfa"
  2033. "\xb2\xed\x17\x3d\x18\x60\x0a\xe5\x8f\x41\x58\xd1\xd1\x87\xc8\x3b\xd8\x11"
  2034. "\x8e\x17\x99\x09\x33\x8a\x6b\x36\xe2\x37\xda\x91\x7a\xcb\xeb\xe6\x59\x13"
  2035. "\xb2\x3c\xb8\x8e\x73\x8a\x0d\x66\xf7\x5d\x66\xed\xc7\xec\x29\x1d\x37\x12"
  2036. "\xea\x49\x00\x56\x99\xe4\x69\x68\x83\x4b\xdb\x98\xbf\xac\x47\x67\x88\x8a"
  2037. "\xea\xa5\xf1\x23\x3d\xcb\x85\xc3\xc0\x08\x93\x46\x6b\xa7\x1a\x7b\x80\x13"
  2038. "\x7a\xa4\x9e\x07\x0e\x72\xdf\xe6\x11\xfd\x14\x46\xeb\x6a\x31\x12\x7c\xa5"
  2039. "\x5e\xb3\x76\x57\xf3\x7a\x28\x24\x91\x0e\xf2\x44\x92\xce\xb4\x4a\x44\xcd"
  2040. "\xbf\x0a\xc5\xe3\x36\x73\xe7\x09\x55\xfd\xcf\x5f\x18\xd5\xcc\x13\xac\xf1"
  2041. "\x68\x59\x5e\x79\x76\xfd\xa9\x1a\x17\x08\x6e\x07\xf0\x48\x73\xfc\x51\xa5"
  2042. "\xe4\x61\x23\x75\x02\xfd\xae\x2b\xc6\xe5\xca\x99\x0d\x8b\x3f\x73\x1a\xa1"
  2043. "\x09\x0e\x70\x71\x2e\x4d\xa9\x5c\x5d\xd7\xb9\x10\x4c\xc1\xb8\xe2\x1f\xe2"
  2044. "\x69\x7a\xc2\x74\x13\x18\x5c\x9d\xe2\xe7\xcd\xf0\xc2\x98\xc0\x5b\x37\x4d"
  2045. "\xe1\x34\x81\x35\x2d\xac\xe4\x21\xfd\xe7\xb0\x3d\xcc\xda\x2b\x7a\xfc\x21"
  2046. "\x31\xa8\x81\xfc\x5c\x70\x65\x9e\x86\xf7\xbf\x0a\x12\x58\xee\x1e\xf1\x2e"
  2047. "\xe0\x9a\xe7\x19\xf5\x10\x53\x25\x02\x68\x8b\x98\x27\x9a\xe6\xa7\x9e\x87"
  2048. "\xf3\x9f\x73\x49\xac\xfa\xa7\xf9\xdc\xbf\xd8\x8b\x46\x06\x6b\x9d\x5a\x32"
  2049. "\xeb\xcf\x62\xd0\xf5\xef\x27\x77\x53\x50\xed\x2f\x80\x4c\xab\x07\x22\x88"
  2050. "\x5b\x2d\x58\x72\xb6\xf3\xbd\xb7\x00\xc2\xc1\x58\x94\x83\xf1\x0d\xd3\xfc"
  2051. "\xd8\x78\x57\x61\xad\xaf\x73\x11\x7b\x92\x9c\x88\x1d\x0e\x3c\x67\x9b\x37"
  2052. "\xeb\x86\x5a\x50\xb9\xb1\xf9\x36\x23\xc9\xea\x33\x7c\xcf\x23\x1b\x77\xf0"
  2053. "\x82\x47\x36\x64\xdf\xe9\x79\x7c\xeb\x10\x1c\x6c\x64\x68\x36\xf5\xb9\xa2"
  2054. "\x45\xc9\x20\x23\x35\xfa\xf9\x31\x88\x04\xda\x3c\xca\x18\x6f\x87\x43\x07"
  2055. "\xe4\x75\xa4\x8e\xb1\x75\x85\xf1\x4b\x8f\x8c\xf5\x17\x95\xff\xe9\xd5\x8a"
  2056. "\x83\x68\x12\xe4\x25\x6c\x78\x2b\x11\xdf\x24\x8c\x71\x2e\x52\x1d\x6c\xf1"
  2057. "\xbb\xd9\x16\x99\x38\x05\x1d\xfd\xae\x77\xed\xde\x9b\xe5\x32\x1e\x31\xa7"
  2058. "\xd8\x3b\x6a\x33\xf4\x0a\xa2\xca\xca\x28\x80\xd1\xde\x2c\x44\x48\x28\x39"
  2059. "\x92\xa4\x3e\x8c\x07\xc0\xe8\xdc\x41\xbd\xb1\x31\xb1\x96\xe0\x8e\x5d\xe9"
  2060. "\x7b\x24\x8b\x7b\x83\xe1\xf6\xeb\xbb\x50\x45\x1f\x5f\x39\xc2\x54\x7a\xfd"
  2061. "\x93\x8d\x2e\x51\xa1\xec\xc5\xd8\xd9\x34\x5f\xd3\x01\x3e\x9d\x45\x1a\xb4"
  2062. "\x09\x95\x45\x11\x30\x9a\x91\xdf\xac\xd0\x45\x1c\x9f\xbd\x85\x49\xa9\xc4"
  2063. "\x1a\x79\x2f\x3b\x54\xae\xd0\x92\x5a\x77\x77\x1e\x4f\x43\x67\x4e\x87\x7f"
  2064. "\xef\xfd\x6a\x3c\x20\x8a\x5c\x27\xc9\xf8\xbe\x3e\xc8\x86\x79\xa3\x1a\xf5"
  2065. "\x87\xbc\xd6\x64\x96\xd0\x49\x09\x7d\x94\x8e\x2f\x0b\x71\xe0\x7b\x80\xf2"
  2066. "\x3b\x81\x45\x4c\x6c\xdc\x3e\x4e\x31\xa9\x37\x98\x8d\x4e\x75\x35\x4c\x54"
  2067. "\xc7\xa6\x1d\x7a\xc8\xb3\x21\x8a\x38\xc1\x71\xfc\xda\x78\x4b\x16\xd9\x57"
  2068. "\xa5\xe3\x26\x65\x7f\x10\xf5\x59\xb5\x65\x62\x45\x23\xce\xa8\x1c\xf6\xaa"
  2069. "\x7f\xc6\x08\x3c\x26\x87\x10\xfc\xe6\x23\x4f\xbf\x16\xc4\x86\xca\x6e\x08"
  2070. "\x6b\xad\x70\x68\xc0\x7f\x26\x70\x21\xcd\x58\xd4\x1a\x77\x9a\x09\xb9\x3d"
  2071. "\xb5\x5b\x4d\x43\x70\xa5\x2b\x90\x14\x93\xa7\x92\xf3\x9e\x30\x0f\x35\x61"
  2072. "\x8f\x4b\xd7\xcd\xd7\x2b\xe0\x23\x70\x4e\x0f\x2a\x1d\x4c\x92\x12\x3d\x26"
  2073. "\x99\x59\xcb\x6a\x4a\x5d\x77\x87\xd8\x57\x14\x0e\xf6\x3f\xdb\xa3\x10\x7a"
  2074. "\xbb\x10\x42\xe8\xa1\x0e\xec\x20\x95\xb4\xf0\xed\xae\x19\x8a\x10\x10\x56"
  2075. "\x8c\x06\x04\x92\x2c\xfa\x83\x74\x2a\x6a\xe8\x0c\xf6\x29\x80\x83\xae\xc4"
  2076. "\x52\x28\x29\x59\x72\xf9\xeb\xaf\x77\x05\x4c\xf4\xd5\x68\xe2\x72\xaf\xcb"
  2077. "\x93\xc4\x11\x66\x6d\xfe\x22\x7c\x5c\x49\xc1\xcc\xb2\xaf\x96\x62\x32\x98"
  2078. "\x62\x06\x62\xfd\x61\xfd\x2c\x16\x46\x90\xee\x91\xc4\x59\x53\xd1\x79\x95"
  2079. "\xfa\x6b\xa0\xed\xe4\x1a\x79\xed\x64\x87\xa1\xc6\x19\xf0\xe6\x49\x82\xd6"
  2080. "\x13\x7f\x94\x0d\xb3\x96\x6e\xa9\x28\x38\x27\x6f\xc2\x6e\xca\xf3\x8a\xd6"
  2081. "\x8b\xd4\x17\x3d\xea\xd0\xe5\x93\x76\x24\xf6\xd0\x30\x2a\x38\x00\x98\x22"
  2082. "\x30\xf3\x4d\xa3\x65\xf6\x06\x0e\xb9\x8d\x27\x93\xf4\x5d\xcc\x3d\x48\x40"
  2083. "\x05\x01\xcf\xf9\x34\x13\x95\x00\x5c\xa1\x60\xd7\xee\xbe\x72\x7c\x41\x5f"
  2084. "\x0f\xb4\x61\x80\x89\xc9\x95\xbb\x0a\x02\x0a\xb9\x1f\x27\x38\x6e\x26\x33"
  2085. "\x7a\xe1\x1a\xe7\x40\x0c\xf0\xde\x8e\x62\xd7\xbd\x05\x43\x5a\x75\xc8\x53"
  2086. "\xba\xb2\x73\xd9\x25\x37\x77\xed\x75\x4f\xab\x8c\x83\x29\xda\x2a\x02\x0f"
  2087. "\xf9\xaf\xdd\x7a\x5c\xf3\x39\x3b\x93\x17\x18\x29\xf0\x54\xf4\x3e\x6f\xc7"
  2088. "\x0c\x37\x57\x21\x5e\xa6\xa6\x14\x75\xe7\x0e\x1c\x5e\xf9\x84\x9a\xce\x8d"
  2089. "\x19\x96\x6b\x07\xa0\xcf\xdd\xb9\xa4\xec\x09\x6a\x3e\x73\x56\xc1\xfe\xaf"
  2090. "\x7d\x88\x82\x9e\xe6\x28\x1f\x9d\x28\xd5\x92\x96\x5b\xa4\xe6\x0c\xc2\xb9"
  2091. "\x88\xcc\xc1\x00\xa0\x17\x38\x0e\xde\x1d\xce\xa9\xad\x25\x30\x40\x9c\xd6"
  2092. "\x7c\x52\x95\x5d\xec\x91\x37\x4b\x2a\x66\xc4\x85\x82\x54\x70\xf1\x3c\x9e"
  2093. "\x22\x1a\x74\xa3\xc3\x13\x2e\x12\x93\x0c\xa5\xa3\x7a\x69\xb6\x50\xd4\xd7"
  2094. "\xb3\x70\x80\xb5\xbc\xe6\x0c\x44\x54\x3b\x41\xde\x85\x34\x53\x48\x41\x88"
  2095. "\x36\x48\xae\xed\xb3\xf3\xe1\xb4\xd4\x0c\xee\x43\xec\x31\x05\x08\x80\xfa"
  2096. "\x8e\x1b\xb5\x38\xa4\x5d\x5a\x8a\x8e\x6a\xdd\x20\xe9\x11\x4a\x60\x66\x8c"
  2097. "\xaf\x68\xb4\x8b\x6b\xc5\xc2\xb5\x39\x6d\x5c\x41\x0c\x17\x90\x5e\x99\xed"
  2098. "\xc7\xa5\x68\xce\xf9\x8e\x37\xfc\x9a\x0e\xa3\x77\x97\xe8\x93\xc4\x22\x09"
  2099. "\x4c\x8a\x69\x8d\x48\xef\xaf\x94\x3b\x76\x36\x8b\xf5\x45\x3b\x65\x74\xa4"
  2100. "\x4a\x64\x82\xac\x8b\x51\x80\xcd\x5b\x65\x14\xdb\xb7\x9e\x63\x22\xbe\x22"
  2101. "\x28\xe9\xde\xf3\x74\xe5\xd6\x00\xb0\xc2\x03\x4f\xa7\x51\x6f\xa9\x8f\x59"
  2102. "\x3b\xf8\x69\xae\x14\x40\xc0\x7f\xc2\xe2\x58\x89\xc1\x98\xf0\xf9\x91\x1a"
  2103. "\xc5\x80\xc4\xf3\x5a\xa6\xe1\x74\x6b\x2c\xde\xe3\xef\x7a\xc9\xcf\x61\x44"
  2104. "\x1a\xf4\xfd\x3a\x63\xc4\xdc\xba\x46\x78\xc2\x5d\x29\xbf\xc6\x8c\xb6\xc6"
  2105. "\x66\x29\x40\x91\x1b\x2a\x30\xd9\xc6\x4f\xad\x5e\x36\x21\xe1\x33\x71\xbd"
  2106. "\x37\xa2\xdc\xf9\x1a\xd1\x2b\xbe\x63\xca\x21\x1c\x43\x67\x02\x79\x8f\x7a"
  2107. "\x9d\x14\x5d\x55\xa9\xaa\x6c\xe2\xd1\x13\xef\x3b\xe0\x80\x95\xc5\x3d\x12"
  2108. "\xff\x28\xbe\xb8\xce\x64\x91\x72\x2d\xb9\x23\xa4\x63\x31\xaa\x7e\xfc\xe2"
  2109. "\x4b\x57\x4c\xdd\xda\x69\xc2\xb2\x0f\x8d\xc7\x03\x00\x94\x07\xaf\x8e\xc6"
  2110. "\x41\x2c\x37\xae\x4d\xfb\xe2\x89\x5c\xc3\x26\x84\xd7\x81\x07\xfe\x97\x73"
  2111. "\x06\xa2\x77\xea\x65\x77\x05\x57\x0c\xf0\xec\xc0\x03\x3f\x26\x4b\x0e\xab"
  2112. "\x5e\x93\xa3\xf5\xf8\xa3\x1c\x2f\x1e\x16\x86\xb2\x03\x57\xad\xad\x04\x75"
  2113. "\x78\x12\xda\x2c\x2c\x0a\x95\x13\x7e\x1e\x46\x1c\xe4\xb6\xf6\x2b\xf5\x46"
  2114. "\x5a\x91\xb2\x75\xc2\x91\xfd\x0b\x5e\x7a\x88\xc5\x4d\xc2\x5f\x0c\x83\x25"
  2115. "\x35\x59\x37\xc0\x89\x78\x7c\xbc\x7c\xb8\xce\xf3\x88\x44\xce\x04\x42\xc9"
  2116. "\x19\xc4\x31\xe1\x77\x05\x86\x68\x42\xa2\x3d\xf8\x03\x08\x50\x76\x4a\xa4"
  2117. "\xbd\x24\x59\x98\x99\xca\x85\x02\xff\x33\xfc\x04\x42\x67\x3e\x23\x18\x79"
  2118. "\xc3\x27\xd6\xd0\x83\xce\xac\x79\xce\x19\xe3\x91\x60\x59\xc4\x09\x62\x0a"
  2119. "\xdc\x52\x23\xa8\x57\xd5\xf8\x68\x08\x36\x2f\x0f\xcc\x7d\x10\x9d\x98\xeb"
  2120. "\xc4\x2e\xb4\xdc\x79\xec\x1e\x9f\x53\x0b\x03\xc9\x5f\xa6\x0d\x14\x9c\x3e"
  2121. "\x27\xab\xf9\xca\xba\xf5\x22\x0b\x26\x1f\xfc\xd3\x91\x2e\x53\x9b\x89\x60"
  2122. "\x1f\x35\x8e\x12\xfb\x6c\x71\x08\xa4\xf0\x7d\xa0\xa0\x08\xd1\x4c\x88\x35"
  2123. "\x94\x1b\xcb\xa4\x15\xc8\x23\x0d\xd8\xe7\x33\x2b\x69\xa0\x2d\xe5\xcf\x90"
  2124. "\xa7\x1b\x80\x74\x2d\xde\x73\x36\x0d\xa8\xbf\xd2\x46\x50\xcf\xc1\x95\xa8"
  2125. "\xc6\xc6\xd5\x20\x4a\x05\x57\xfa\x20\x12\xc9\xf8\x99\xa3\xd6\x6d\xdf\xf4"
  2126. "\x8f\xcf\xbe\x31\x09\x3c\x6f\xe8\xcc\x76\x48\x48\x8f\x0f\xdb\x77\xe3\xe9"
  2127. "\x5f\x3d\xbe\xf1\x9f\x48\x98\x73\x0d\xd3\x80\xf2\xee\x3a\x23\x84\x0d\x69"
  2128. "\x94\x11\xba\xcd\x4e\x1c\x0b\xb2\x3f\xe8\x5b\xc0\xa6\x7c\x64\x93\xa4\xaa"
  2129. "\x1f\xd6\xfb\x2f\x9e\xa1\xb9\xaf\xc2\x02\x13\xdf\x74\x16\xe1\x02\xfb\x04"
  2130. "\x6a\xdd\xb0\xc4\xc4\x14\xe1\x73\x8a\xc7\x1d\xe3\x45\x7d\x5b\x3c\xcf\x39"
  2131. "\xca\x05\x7e\x52\x32\x8e\x23\x83\x1d\x16\xc6\xdc\x8f\x05\x9d\x6b\xd7\x49"
  2132. "\x04\x82\xa0\x57\x32\xfd\x0f\x31\xb2\x19\xc7\x22\x3c\x49\x8e\xab\xf5\x86"
  2133. "\x13\xc8\x0e\xfe\x9e\x0d\x5c\x78\x14\xe8\xde\x42\xbd\x2d\xf6\xe2\x05\x4f"
  2134. "\x5b\xe2\xd7\x37\xb8\x37\x83\x0e\x73\x5b\x8b\xc7\x59\x58\xf8\xaa\x70\x84"
  2135. "\x83\x6f\xeb\x74\xf0\xb7\x2b\x20\x3d\x8e\x48\xe2\x64\x3e\xc2\xc8\x55\x21"
  2136. "\x55\x5c\xbe\xea\x8d\x51\x54\x7c\x8d\x13\x04\xb8\x3a\xc2\x54\x56\x21\xad"
  2137. "\x42\x6a\xd5\x8a\x62\x6c\xf5\xeb\xe6\x3b\xd8\x05\x35\x97\x94\x9e\x43\x34"
  2138. "\x11\x64\xf0\xdb\x93\x8e\x01\x3e\x87\xe9\x9a\x8f\xae\x9a\x55\xa9\x31\x49"
  2139. "\x0f\x00\x6a\x6e\x6b\x2d\xd2\x64\xff\x55\x69\x7f\x66\xf7\x75\x22\x49\xe9"
  2140. "\x93\xc0\x66\x2a\x91\xf6\x3c\x8e\x6c\x59\x73\xb0\x8c\x66\x0c\xf7\xf8\x80"
  2141. "\x18\x4b\xd6\x61\xe3\xae\x6c\xea\xbd\x05\xad\x09\x88\x48\x71\x4d\xc7\xa9"
  2142. "\xdc\x75\x5c\x8c\xf7\xe1\x95\x03\x7a\x43\xf2\x09\xb5\xcb\x4a\x3a\x17\xfd"
  2143. "\xed\xcf\x1c\xa3\x9e\x81\xd0\x4e\xb0\x12\x61\xcd\xaf\x9d\xed\xde\x2a\xb2"
  2144. "\x8e\x86\x34\x7b\x99\x22\xb3\x75\x23\xc1\xad\x5a\x75\x1a\x81\xec\x01\x46"
  2145. "\x7a\x01\x5c\x76\xce\x9c\x85\xc7\x54\x07\xbe\x99\x72\x7b\x76\xe9\x72\x54"
  2146. "\xe0\xec\x69\xe8\x1b\x05\x05\x36\xe5\xd0\x31\x21\x8c\x3f\xef\x6a\x31\xca"
  2147. "\x76\x6c\x5d\x83\xa1\xe6\x74\x16\xb4\x06\x5c\xa7\x5f\x22\xb4\xef\xbe\x51"
  2148. "\x3d\xf2\x91\x72\x42\x96\xc3\xeb\xd0\xbb\x84\x97\x0e\x14\x9b\xf5\xee\x80"
  2149. "\x5b\x82\x0c\xd7\x9b\xa5\x2b\x40\x7c\x52\x13\xb6\x24\xa4\x8c\x8a\x3a\x70"
  2150. "\xb0\xf6\xed\xc6\x11\x28\x6d\xf4\xc0\x7b\x97\x88\x32\x06\x07\xbe\xd6\x5b"
  2151. "\x93\xda\x24\x55\x90\xba\xee\xd0\xb8\x92\x9f\xa6\x8c\xc8\xdf\x11\x92\xd7"
  2152. "\x25\xce\x27\x10\x83\xb8\x1c\xc2\xc6\xba\xf5\x48\x46\xb4\x58\x58\x40\xec"
  2153. "\x73\x3b\x9c\x19\x9b\x20\xea\x5f\x0b\x11\xdc\x20\xd4\x5e\xbd\x62\x76\xce"
  2154. "\x95\x50\xe8\x63\x0b\x6e\x37\xca\xd4\xdf\x79\x9c\x93\x91\x2a\x5f\xc2\x2f"
  2155. "\x18\x6c\xf5\xb9\xe0\x62\xfd\x23\x25\x8f\x29\xf6\xba\x93\xe5\x1b\x78\x08"
  2156. "\x63\x6a\x89\xbc\x3b\x54\x01\x83\xb6\x3d\x36\x46\x3b\x41\x25\x54\xed\x86"
  2157. "\x15\xea\xb7\xb4\x5d\x8f\xb7\x60\x82\xc3\xe9\x4a\xd4\x99\x25\x36\x3f\x77"
  2158. "\x19\x8a\x33\xfa\x77\xdc\x76\xe4\xd2\x9f\x10\x46\xbb\x28\x94\x84\xbd\x37"
  2159. "\xe3\x81\xac\xaf\x99\xfd\x74\x33\xc5\x8a\xe3\x02\xb5\x3d\x2a\x34\x4b\x8b"
  2160. "\x29\x70\x2e\x47\x77\xa5\xbf\x5d\xab\x60\x3f\x38\xf1\x1e\xd7\x31\x6c\x16"
  2161. "\x32\x0b\xc7\xed\xbf\xe9\xdb\x09\x3f\x28\xba\xf2\x3a\xc5\x32\x46\x0d\x3d"
  2162. "\x86\x3d\x7d\xb5\x55\xb8\x43\x47\x62\xd9\xa9\x58\xb0\x7c\x7d\x5b\x52\x52"
  2163. "\x90\x78\x01\xff\xf5\xa5\x51\xb7\xad\xa4\xee\xcc\xc0\xef\x74\xbe\xd9\x60"
  2164. "\x0a\xcf\xf3\xe5\x49\x29\xba\xe1\x23\x87\x7d\x4c\x8c\xdd\xbb\xa2\xf6\xbf"
  2165. "\x18\x5d\xf4\xcd\x0d\xb4\xa2\xa1\x2e\x0b\x60\x97\xc5\x9c\x0b\xd2\x5d\x39"
  2166. "\xbc\xe6\x8d\x45\xf3\xec\x78\xcd\x03\x7d\x7b\xae\x19\xb3\x6e\x9a\xc6\x7e"
  2167. "\x1f\xee\x4f\x39\xb6\x05\x52\x41\xe6\x13\xa4\xcb\x0a\x50\x2b\x1d\xec\x10"
  2168. "\x90\xc4\xfb\xe7\x96\x27\xe1\xf4\x78\xe3\x0a\x7c\x96\x60\x8f\xbf\xd3\xae"
  2169. "\x1a\xa1\xee\xd3\xde\x31\x46\x70\xad\xf9\x93\x29\x00\xcf\xf9\x51\x7b\xb8"
  2170. "\xb0\x17\xab\xa5\x80\xfa\x72\x1a\x24\x51\x79\x46\x3c\x6c\x60\x90\x1e\x48"
  2171. "\x88\x6e\xf3\x4a\xa6\x61\xc2\x71\xeb\x96\x22\xfa\x71\x47\xaa\x2b\x1c\xb8"
  2172. "\xe2\xee\xc5\x9d\xd3\x51\x43\x0c\x29\x0d\x09\xb4\x0c\xf8\x4a\x3e\x07\x90"
  2173. "\x63\x11\xdb\x19\xdf\x9d\x79\xde\xd4\xeb\x07\x1c\x89\xa3\x06\x21\x52\x25"
  2174. "\x7b\xf9\xc5\x50\xdb\x20\x5f\x26\x64\x80\x2a\xbe\x0a\xfc\x4e\x8b\x9f\x0d"
  2175. "\xe3\xb8\x75\xe6\x76\xdc\x50\x00\xed\x30\xaa\x73\x0a\x1c\xae\x4d\xaa\xce"
  2176. "\x13\x02\x19\xac\x4f\xb9\xf6\x75\xb5\x25\x44\x56\x26\xa7\xc2\x56\x69\xd1"
  2177. "\xc8\xdd\x8c\x37\x50\xde\x83\x05\x56\x30\x25\x8d\x8b\x38\xdf\xe4\xf8\x17"
  2178. "\x7d\x05\xc8\xb3\x39\xaf\x5a\x6b\xbf\xd3\xa3\xae\xeb\x68\xcd\x1c\x65\x42"
  2179. "\x5a\x5f\x27\x5f\xd7\xb2\x7f\xbc\xa4\x30\xca\x96\xdc\x5d\x39\xf6\xc5\xd7"
  2180. "\xa8\xfc\xf5\xfe\x2d\x25\xee\x99\xf4\x91\x0b\x60\xd5\xd6\x04\x22\x1f\xac"
  2181. "\xb8\xd2\x50\x70\xec\xea\xed\x53\x0f\x2c\xbc\xc2\xcf\xb8\xa0\xab\x25\xb0"
  2182. "\x31\x8a\x69\xef\xaa\xd4\xd0\xc4\x1a\xee\x36\xd4\x93\x00\x4d\x16\x27\xc7"
  2183. "\xc3\x18\x50\x0d\x17\x0e\x9d\xba\xcb\x6d\x7e\xb2\x53\xba\x73\x84\x26\xa1"
  2184. "\xe8\x40\xa2\xda\x1d\x85\x5b\x10\x37\x4e\x2f\x83\x55\x26\x04\x25\x24\x89"
  2185. "\x0b\x69\x88\x69\xaa\x4b\x4c\x0c\xc2\x52\x2c\xb7\x29\x9e\x14\x64\x7c\xe4"
  2186. "\x49\x3a\x0a\x4e\x28\xe8\x93\xec\x16\x1a\xca\x2c\x82\x95\x35\x0e\x61\x46"
  2187. "\x4c\x07\x18\xed\x00\xa1\xbd\xa7\xb0\x01\x6f\xa0\xdb\x9f\x04\xf4\x5c\x56"
  2188. "\xac\x3f\x5a\x37\xf0\x54\xb5\x73\x2f\xa4\x3d\x96\x1b\x1f\x89\x7f\x5d\xe6"
  2189. "\x83\x50\x48\xa0\x88\xee\x46\x96\xb4\x45\x41\xdc\x89\x8e\x28\x94\xb8\x89"
  2190. "\xe0\xa0\x90\x99\xf5\xab\x2d\xb1\x1e\x76\x54\xdb\xb6\xc0\x5e\xc2\xd1\x0b"
  2191. "\xdc\x62\x2e\x95\xc6\x02\xf7\x23\x53\x1b\xac\xf4\x9d\x5e\xe1\x59\xa2\x3a"
  2192. "\x33\xdf\xb5\x9a\x7d\x9d\x7d\x0b\x07\x17\x89\x13\x68\x09\x0e\x38\xe7\x79"
  2193. "\xe2\x6c\x4a\x43\x8f\xac\xb6\xee\xec\x84\x9f\x0b\x5e\xcd\x1f\x1a\xaf\x45"
  2194. "\xc1\x24\x9f\x06\xc0\x67\x97\xc8\xd0\x56",
  2195. 4096);
  2196. *(uint32_t*)0x2000000001d8 = 0x1000;
  2197. *(uint32_t*)0x2000000001dc = 3;
  2198. *(uint64_t*)0x2000000001e0 = 0x200000000080;
  2199. STORE_BY_BITMASK(uint8_t, , 0x200000000080, 0x4d, 0, 7);
  2200. STORE_BY_BITMASK(uint8_t, , 0x200000000080, 1, 7, 1);
  2201. *(uint8_t*)0x200000000081 = 1;
  2202. STORE_BY_BITMASK(uint8_t, , 0x200000000082, 7, 0, 4);
  2203. STORE_BY_BITMASK(uint8_t, , 0x200000000082, 0, 4, 1);
  2204. STORE_BY_BITMASK(uint8_t, , 0x200000000082, 1, 5, 1);
  2205. STORE_BY_BITMASK(uint8_t, , 0x200000000082, 0, 6, 2);
  2206. memcpy((void*)0x200000000083, "\x9d\x66\x6b\xae", 4);
  2207. *(uint8_t*)0x200000000087 = 3;
  2208. memcpy((void*)0x200000000088, "\x50\x77\x68\xdf", 4);
  2209. *(uint8_t*)0x20000000008c = 0xbf;
  2210. *(uint8_t*)0x20000000008d = 1;
  2211. *(uint8_t*)0x20000000008e = 7;
  2212. memcpy((void*)0x20000000008f, "\xe6\x9f\xcd", 3);
  2213. memcpy((void*)0x200000000092,
  2214. "\x59\x5d\xc2\x2c\x97\x10\x47\x88\x80\x38\xc9\x42\x17\x4b\x02\x72\xe3"
  2215. "\x21\x66\xe2\x94\x87\xeb\x6a\xe2\x6b\xf7\x12\x9c\x56\x0f\xe6\x04\x17"
  2216. "\xc3\xfe\xba\xa7\x89\xd0\x4b\xa6\x78\xd8\xcb\x69",
  2217. 46);
  2218. *(uint8_t*)0x2000000001e8 = 1;
  2219. *(uint32_t*)0x2000000001ec = 0x5be9;
  2220. *(uint32_t*)0x2000000001f0 = 5;
  2221. *(uint64_t*)0x2000000001f8 = 0x200000000180;
  2222. syscall(__NR_ioctl, /*fd=*/r[24], /*cmd=*/0x5393, /*arg=*/0x2000000001c0ul);
  2223. memcpy((void*)0x200000000000, "/dev/zero\000", 10);
  2224. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  2225. /*file=*/0x200000000000ul, /*flags=*/0, /*mode=*/0);
  2226. if (res != -1)
  2227. r[27] = res;
  2228. *(uint32_t*)0x200000000180 = 1;
  2229. *(uint32_t*)0x200000000184 = 0x70;
  2230. *(uint8_t*)0x200000000188 = 0;
  2231. *(uint8_t*)0x200000000189 = 0;
  2232. *(uint8_t*)0x20000000018a = 0;
  2233. *(uint8_t*)0x20000000018b = 0;
  2234. *(uint32_t*)0x20000000018c = 0;
  2235. *(uint64_t*)0x200000000190 = 2;
  2236. *(uint64_t*)0x200000000198 = 0;
  2237. *(uint64_t*)0x2000000001a0 = 0;
  2238. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 0, 1);
  2239. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 1, 1);
  2240. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 2, 1);
  2241. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 3, 1);
  2242. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 4, 1);
  2243. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 3, 5, 1);
  2244. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 6, 1);
  2245. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 7, 1);
  2246. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 8, 1);
  2247. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 9, 1);
  2248. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 10, 1);
  2249. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 11, 1);
  2250. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 12, 1);
  2251. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 13, 1);
  2252. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 14, 1);
  2253. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 15, 2);
  2254. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 17, 1);
  2255. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 18, 1);
  2256. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 19, 1);
  2257. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 20, 1);
  2258. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 21, 1);
  2259. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 22, 1);
  2260. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 23, 1);
  2261. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 24, 1);
  2262. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 25, 1);
  2263. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 26, 1);
  2264. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 27, 1);
  2265. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 28, 1);
  2266. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 29, 1);
  2267. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 30, 1);
  2268. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 31, 1);
  2269. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 32, 1);
  2270. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 33, 1);
  2271. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 34, 1);
  2272. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 35, 1);
  2273. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 36, 1);
  2274. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 37, 1);
  2275. STORE_BY_BITMASK(uint64_t, , 0x2000000001a8, 0, 38, 26);
  2276. *(uint32_t*)0x2000000001b0 = 0;
  2277. *(uint32_t*)0x2000000001b4 = 0;
  2278. *(uint64_t*)0x2000000001b8 = 0x200000000000;
  2279. *(uint64_t*)0x2000000001c0 = 0;
  2280. *(uint64_t*)0x2000000001c8 = 0;
  2281. *(uint64_t*)0x2000000001d0 = 0;
  2282. *(uint32_t*)0x2000000001d8 = 0;
  2283. *(uint32_t*)0x2000000001dc = 0;
  2284. *(uint64_t*)0x2000000001e0 = 0;
  2285. *(uint32_t*)0x2000000001e8 = 0;
  2286. *(uint16_t*)0x2000000001ec = 0;
  2287. *(uint16_t*)0x2000000001ee = 0;
  2288. *(uint32_t*)0x2000000001f0 = 0;
  2289. *(uint32_t*)0x2000000001f4 = 0;
  2290. *(uint64_t*)0x2000000001f8 = 0;
  2291. syscall(__NR_perf_event_open, /*attr=*/0x200000000180ul, /*pid=*/0,
  2292. /*cpu=*/-1, /*group=*/-1, /*flags=*/0ul);
  2293. res = syscall(__NR_socket, /*domain=*/0xaul,
  2294. /*type=SOCK_DGRAM|0x800000000000000*/ 0x800000000000002ul,
  2295. /*proto=*/0);
  2296. if (res != -1)
  2297. r[28] = res;
  2298. *(uint16_t*)0x200000000200 = 0xa;
  2299. *(uint16_t*)0x200000000202 = htobe16(0);
  2300. *(uint32_t*)0x200000000204 = htobe32(0);
  2301. *(uint8_t*)0x200000000208 = 0xfe;
  2302. *(uint8_t*)0x200000000209 = 0x80;
  2303. memset((void*)0x20000000020a, 0, 13);
  2304. *(uint8_t*)0x200000000217 = 0xaa;
  2305. *(uint32_t*)0x200000000218 = 4;
  2306. syscall(__NR_connect, /*fd=*/r[27], /*addr=*/0x200000000200ul,
  2307. /*addrlen=*/0x1cul);
  2308. *(uint8_t*)0x2000000001c0 = 0;
  2309. *(uint8_t*)0x2000000001c1 = 0;
  2310. *(uint8_t*)0x2000000001c2 = 0;
  2311. STORE_BY_BITMASK(uint8_t, , 0x2000000001c3, 0, 0, 1);
  2312. STORE_BY_BITMASK(uint8_t, , 0x2000000001c3, 0, 1, 2);
  2313. STORE_BY_BITMASK(uint8_t, , 0x2000000001c3, 0, 3, 5);
  2314. *(uint32_t*)0x2000000001c4 = 0;
  2315. syscall(__NR_setsockopt, /*fd=*/r[28], /*level=*/0x29,
  2316. /*optname=IPV6_HOPOPTS*/ 0x36, /*optval=*/0x2000000001c0ul,
  2317. /*optlen=*/8ul);
  2318. *(uint64_t*)0x200000006d00 = 0;
  2319. *(uint32_t*)0x200000006d08 = 0x10020c5;
  2320. *(uint64_t*)0x200000006d10 = 0;
  2321. *(uint64_t*)0x200000006d18 = 0;
  2322. *(uint64_t*)0x200000006d20 = 0;
  2323. *(uint64_t*)0x200000006d28 = 0;
  2324. *(uint32_t*)0x200000006d30 = 0xb605;
  2325. *(uint32_t*)0x200000006d38 = 0;
  2326. syscall(__NR_sendmmsg, /*fd=*/r[28], /*mmsg=*/0x200000006d00ul,
  2327. /*vlen=*/0xc6ul, /*f=MSG_CONFIRM|0x31200*/ 0x31a00ul);
  2328. syscall(__NR_getsockname, /*fd=*/-1, /*addr=*/0ul, /*addrlen=*/0ul);
  2329. syscall(__NR_setsockopt, /*fd=*/r[28], /*level=*/0x29, /*optname=*/0x37,
  2330. /*optval=*/0ul, /*optlen=*/0ul);
  2331. res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_DGRAM*/ 2ul,
  2332. /*proto=*/0, /*fds=*/0x200000000080ul);
  2333. if (res != -1)
  2334. r[29] = *(uint32_t*)0x200000000084;
  2335. res = syscall(__NR_dup, /*oldfd=*/r[29]);
  2336. if (res != -1)
  2337. r[30] = res;
  2338. memcpy(
  2339. (void*)0x2000000000c0,
  2340. "lo:|T{\334D\322\257>"
  2341. "o\326Q\000\031\002\000\005\000\000\000\000\000\000\000\017\211d:"
  2342. "\217\354b6\326\327AF,\243\000\000\000\000\221\355\005\000\000\000C\353&"
  2343. "\306\326\313\205\232\006j\2426\027%"
  2344. "\237d\000\000\000\000\000\000\000\000\000\000\000\360\000",
  2345. 79);
  2346. syscall(__NR_ioctl, /*fd=*/r[30], /*cmd=*/0x8913,
  2347. /*filter=*/0x2000000000c0ul);
  2348. memcpy((void*)0x200000000040, "pagemap\000", 8);
  2349. res = -1;
  2350. res = syz_open_procfs(/*pid=*/-1, /*file=*/0x200000000040);
  2351. if (res != -1)
  2352. r[31] = res;
  2353. syscall(__NR_timer_create, /*id=*/0ul, /*ev=*/0ul, /*timerid=*/0ul);
  2354. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x10);
  2355. if (res != -1)
  2356. r[32] = res;
  2357. memcpy((void*)0x200000000040, "ethtool\000", 8);
  2358. res = -1;
  2359. res = syz_genetlink_get_family_id(/*name=*/0x200000000040, /*fd=*/-1);
  2360. if (res != -1)
  2361. r[33] = res;
  2362. *(uint64_t*)0x2000000001c0 = 0;
  2363. *(uint32_t*)0x2000000001c8 = 0;
  2364. *(uint64_t*)0x2000000001d0 = 0x200000000180;
  2365. *(uint64_t*)0x200000000180 = 0x200000000080;
  2366. *(uint32_t*)0x200000000080 = 0x1c;
  2367. *(uint16_t*)0x200000000084 = r[33];
  2368. *(uint16_t*)0x200000000086 = 1;
  2369. *(uint32_t*)0x200000000088 = 0;
  2370. *(uint32_t*)0x20000000008c = 0;
  2371. *(uint8_t*)0x200000000090 = 1;
  2372. *(uint8_t*)0x200000000091 = 0;
  2373. *(uint16_t*)0x200000000092 = 0;
  2374. *(uint16_t*)0x200000000094 = 4;
  2375. STORE_BY_BITMASK(uint16_t, , 0x200000000096, 2, 0, 14);
  2376. STORE_BY_BITMASK(uint16_t, , 0x200000000097, 0, 6, 1);
  2377. STORE_BY_BITMASK(uint16_t, , 0x200000000097, 1, 7, 1);
  2378. *(uint16_t*)0x200000000098 = 4;
  2379. STORE_BY_BITMASK(uint16_t, , 0x20000000009a, 1, 0, 14);
  2380. STORE_BY_BITMASK(uint16_t, , 0x20000000009b, 0, 6, 1);
  2381. STORE_BY_BITMASK(uint16_t, , 0x20000000009b, 1, 7, 1);
  2382. *(uint64_t*)0x200000000188 = 0x1c;
  2383. *(uint64_t*)0x2000000001d8 = 1;
  2384. *(uint64_t*)0x2000000001e0 = 0;
  2385. *(uint64_t*)0x2000000001e8 = 0;
  2386. *(uint32_t*)0x2000000001f0 = 0;
  2387. syscall(__NR_sendmsg, /*fd=*/r[32], /*msg=*/0x2000000001c0ul, /*f=*/0ul);
  2388. syscall(
  2389. __NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xff5000ul, /*prot=*/0ul,
  2390. /*flags=MAP_POPULATE|MAP_NORESERVE|MAP_NONBLOCK|MAP_HUGETLB|MAP_FIXED|0x2000000000821*/
  2391. 0x200000005c831ul, /*fd=*/-1, /*offset=*/0ul);
  2392. syscall(__NR_mprotect, /*addr=*/0x200000000000ul, /*len=*/0x800000ul,
  2393. /*prot=PROT_WRITE|PROT_EXEC*/ 6ul);
  2394. syscall(__NR_bind, /*fd=*/-1, /*addr=*/0ul, /*addrlen=*/0ul);
  2395. *(uint64_t*)0x200000000100 = 0x60;
  2396. *(uint64_t*)0x200000000108 = 0;
  2397. *(uint64_t*)0x200000000110 = 0x200000ffc000;
  2398. *(uint64_t*)0x200000000118 = 0x200000ffd000;
  2399. *(uint64_t*)0x200000000120 = 0;
  2400. *(uint64_t*)0x200000000128 = 0;
  2401. *(uint64_t*)0x200000000130 = 0;
  2402. *(uint64_t*)0x200000000138 = 0;
  2403. *(uint64_t*)0x200000000140 = 0;
  2404. *(uint64_t*)0x200000000148 = 0;
  2405. *(uint64_t*)0x200000000150 = 0x4a;
  2406. *(uint64_t*)0x200000000158 = 0;
  2407. syscall(__NR_ioctl, /*fd=*/r[31], /*cmd=*/0xc0606610,
  2408. /*arg=*/0x200000000100ul);
  2409. syz_sysconfig_set__proc_sys_vm_zone_reclaim_mode(/*val=*/0);
  2410. syscall(__NR_listen, /*fd=*/-1, /*backlog=*/0);
  2411. syz_open_dev(/*dev=*/0, /*id=*/0, /*flags=*/0);
  2412. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x40104593, /*arg=*/0ul);
  2413. syz_open_procfs(/*pid=*/0, /*file=*/0);
  2414. *(uint64_t*)0x200000000180 = 0;
  2415. *(uint64_t*)0x200000000188 = 0;
  2416. syscall(__NR_preadv, /*fd=*/r[31], /*vec=*/0x200000000180ul, /*vlen=*/1ul,
  2417. /*off_low=*/0, /*off_high=*/0x35);
  2418. syz_sysconfig_reset__proc_sys_vm_zone_reclaim_mode();
  2419. res = -1;
  2420. res = syz_genetlink_get_family_id(/*name=*/0, /*fd=*/-1);
  2421. if (res != -1)
  2422. r[34] = res;
  2423. *(uint64_t*)0x200000000380 = 0x2000000000c0;
  2424. *(uint16_t*)0x2000000000c0 = 0x10;
  2425. *(uint16_t*)0x2000000000c2 = 0;
  2426. *(uint32_t*)0x2000000000c4 = 0;
  2427. *(uint32_t*)0x2000000000c8 = 0x40000000;
  2428. *(uint32_t*)0x200000000388 = 0xc;
  2429. *(uint64_t*)0x200000000390 = 0x200000000340;
  2430. *(uint64_t*)0x200000000340 = 0x200000000540;
  2431. memcpy((void*)0x200000000540,
  2432. "\xf0\x00\x00\xd1\x42\x0a\xfe\x9d\x0f\xf1\xbe\xee\x03\xaf\x83\x00",
  2433. 16);
  2434. *(uint16_t*)0x200000000550 = r[34];
  2435. memcpy(
  2436. (void*)0x200000000552,
  2437. "\x31\x0f\x27\xbd\x70\x00\xfd\xdb\xdf\x25\x03\x00\x00\x00\xcc\x00\x06\x80"
  2438. "\x08\x00\x01\x00\x09\x00\x00\x00\x08\x00\x01\x00\x91\x0f\x00\x00\xb6\x00"
  2439. "\x03\x00\xdf\x6d\xa8\x3d\x42\x07\xee\x32\xec\x58\x14\x2c\xda\x86\x42\xc5"
  2440. "\x7e\xac\x00\xb5\x3f\xaf\x7d\x5d\x84\x31\xfa\xe2\x04\x69\xf2\x46\x91\xd8"
  2441. "\xdf\x44\x02\xf5\xd0\x8d\x91\xca\xee\x8c\x78\x7d\x5c\x32\x99\x85\x07\xa2"
  2442. "\x6a\x28\xd6\xa1\x63\x77\x3c\x9f\xfa\xf6\xef\xa9\xe3\x09\x00\x00\x00\x00"
  2443. "\x00\x00\x00\xfc\xdd\x7d\xeb\x04\x8e\x69\xb1\x65\xfd\xff\xff\xff\xff\xff"
  2444. "\xff\xff\xad\x31\xdb\x54\x42\x9a\x33\x78\xe0\xfa\x92\x35\xa8\x03\x4b\xe5"
  2445. "\x6f\xa3\xbf\xd8\xaa\x9a\x8a\xee\x06\xd1\xd0\x58\x4e\x4e\x6f\x66\x74\xe1"
  2446. "\x96\xf4\x7b\x63\xe4\xe0\xc2\x4f\x02\x7a\x30\x4a\x59\xdf\x77\x99\x93\x64"
  2447. "\xc9\x35\x4e\x9d\xed\x02\xcf\xc6\x6b\x53\x87\x9b\x39\x2e\xcf\xa1\x62\x0d"
  2448. "\xb0\x50\xfe\xfd\x7e\xfe\x60\xdc\x6c\xbc\x69\x51\xbe\x5c\xc3\xf2\x00\x0c"
  2449. "\x51\x70\xe5\xc0\x76\x49\x08\xfe\xa3\xf4\x0e\xd9\x63\x1a\x00\x00\x10\x00"
  2450. "\x06\x80\x04\x00\x02\x00\x08\x00\x01\x00\x6f\x06\x00\x00",
  2451. 248);
  2452. *(uint64_t*)0x200000000348 = 0xf0;
  2453. *(uint64_t*)0x200000000398 = 1;
  2454. *(uint64_t*)0x2000000003a0 = 0;
  2455. *(uint64_t*)0x2000000003a8 = 0;
  2456. *(uint32_t*)0x2000000003b0 = 0x8000;
  2457. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0x200000000380ul,
  2458. /*f=MSG_FASTOPEN|MSG_PROBE|0x2*/ 0x20000012ul);
  2459. *(uint64_t*)0x2000000007c0 = 0x200000000280;
  2460. *(uint16_t*)0x200000000280 = 0x10;
  2461. *(uint16_t*)0x200000000282 = 0;
  2462. *(uint32_t*)0x200000000284 = 0;
  2463. *(uint32_t*)0x200000000288 = 0x20;
  2464. *(uint32_t*)0x2000000007c8 = 0xc;
  2465. *(uint64_t*)0x2000000007d0 = 0x200000000780;
  2466. *(uint64_t*)0x200000000780 = 0x2000000002c0;
  2467. *(uint32_t*)0x2000000002c0 = 0x49c;
  2468. *(uint16_t*)0x2000000002c4 = r[34];
  2469. *(uint16_t*)0x2000000002c6 = 0x100;
  2470. *(uint32_t*)0x2000000002c8 = 0x70bd25;
  2471. *(uint32_t*)0x2000000002cc = 0x25dfdbff;
  2472. *(uint8_t*)0x2000000002d0 = 0x15;
  2473. *(uint8_t*)0x2000000002d1 = 0;
  2474. *(uint16_t*)0x2000000002d2 = 0;
  2475. *(uint16_t*)0x2000000002d4 = 0x144;
  2476. STORE_BY_BITMASK(uint16_t, , 0x2000000002d6, 1, 0, 14);
  2477. STORE_BY_BITMASK(uint16_t, , 0x2000000002d7, 0, 6, 1);
  2478. STORE_BY_BITMASK(uint16_t, , 0x2000000002d7, 1, 7, 1);
  2479. *(uint16_t*)0x2000000002d8 = 0x14;
  2480. STORE_BY_BITMASK(uint16_t, , 0x2000000002da, 2, 0, 14);
  2481. STORE_BY_BITMASK(uint16_t, , 0x2000000002db, 0, 6, 1);
  2482. STORE_BY_BITMASK(uint16_t, , 0x2000000002db, 1, 7, 1);
  2483. *(uint16_t*)0x2000000002dc = 8;
  2484. *(uint16_t*)0x2000000002de = 4;
  2485. *(uint32_t*)0x2000000002e0 = 2;
  2486. *(uint16_t*)0x2000000002e4 = 8;
  2487. *(uint16_t*)0x2000000002e6 = 1;
  2488. *(uint32_t*)0x2000000002e8 = 6;
  2489. *(uint16_t*)0x2000000002ec = 8;
  2490. *(uint16_t*)0x2000000002ee = 3;
  2491. *(uint32_t*)0x2000000002f0 = 0;
  2492. *(uint16_t*)0x2000000002f4 = 0xd;
  2493. *(uint16_t*)0x2000000002f6 = 1;
  2494. memcpy((void*)0x2000000002f8, "udp:syz0\000", 9);
  2495. *(uint16_t*)0x200000000304 = 0x38;
  2496. *(uint16_t*)0x200000000306 = 4;
  2497. *(uint16_t*)0x200000000308 = 0x14;
  2498. *(uint16_t*)0x20000000030a = 1;
  2499. *(uint16_t*)0x20000000030c = 2;
  2500. *(uint16_t*)0x20000000030e = htobe16(0x4e22);
  2501. *(uint8_t*)0x200000000310 = 0xac;
  2502. *(uint8_t*)0x200000000311 = 0x1e;
  2503. *(uint8_t*)0x200000000312 = 1;
  2504. *(uint8_t*)0x200000000313 = 1;
  2505. *(uint16_t*)0x20000000031c = 0x20;
  2506. *(uint16_t*)0x20000000031e = 2;
  2507. *(uint16_t*)0x200000000320 = 0xa;
  2508. *(uint16_t*)0x200000000322 = htobe16(0x4e21);
  2509. *(uint32_t*)0x200000000324 = htobe32(8);
  2510. memset((void*)0x200000000328, 0, 10);
  2511. memset((void*)0x200000000332, 255, 2);
  2512. *(uint32_t*)0x200000000334 = htobe32(0x7f000001);
  2513. *(uint32_t*)0x200000000338 = 0xffff;
  2514. *(uint16_t*)0x20000000033c = 0x24;
  2515. STORE_BY_BITMASK(uint16_t, , 0x20000000033e, 2, 0, 14);
  2516. STORE_BY_BITMASK(uint16_t, , 0x20000000033f, 0, 6, 1);
  2517. STORE_BY_BITMASK(uint16_t, , 0x20000000033f, 1, 7, 1);
  2518. *(uint16_t*)0x200000000340 = 8;
  2519. *(uint16_t*)0x200000000342 = 2;
  2520. *(uint32_t*)0x200000000344 = 2;
  2521. *(uint16_t*)0x200000000348 = 8;
  2522. *(uint16_t*)0x20000000034a = 3;
  2523. *(uint32_t*)0x20000000034c = 0x10001;
  2524. *(uint16_t*)0x200000000350 = 8;
  2525. *(uint16_t*)0x200000000352 = 3;
  2526. *(uint32_t*)0x200000000354 = 7;
  2527. *(uint16_t*)0x200000000358 = 8;
  2528. *(uint16_t*)0x20000000035a = 1;
  2529. *(uint32_t*)0x20000000035c = 4;
  2530. *(uint16_t*)0x200000000360 = 0x38;
  2531. *(uint16_t*)0x200000000362 = 4;
  2532. *(uint16_t*)0x200000000364 = 0x20;
  2533. *(uint16_t*)0x200000000366 = 1;
  2534. *(uint16_t*)0x200000000368 = 0xa;
  2535. *(uint16_t*)0x20000000036a = htobe16(0x4e22);
  2536. *(uint32_t*)0x20000000036c = htobe32(0x20);
  2537. memcpy((void*)0x200000000370,
  2538. " \001\000\000\000\000\000\000\000\000\000\000\000\000\000\001", 16);
  2539. *(uint32_t*)0x200000000380 = 9;
  2540. *(uint16_t*)0x200000000384 = 0x14;
  2541. *(uint16_t*)0x200000000386 = 2;
  2542. *(uint16_t*)0x200000000388 = 2;
  2543. *(uint16_t*)0x20000000038a = htobe16(0x4e21);
  2544. *(uint32_t*)0x20000000038c = htobe32(0xa010102);
  2545. *(uint16_t*)0x200000000398 = 0x38;
  2546. *(uint16_t*)0x20000000039a = 4;
  2547. *(uint16_t*)0x20000000039c = 0x20;
  2548. *(uint16_t*)0x20000000039e = 1;
  2549. *(uint16_t*)0x2000000003a0 = 0xa;
  2550. *(uint16_t*)0x2000000003a2 = htobe16(0x4e23);
  2551. *(uint32_t*)0x2000000003a4 = htobe32(8);
  2552. *(uint64_t*)0x2000000003a8 = htobe64(0);
  2553. *(uint64_t*)0x2000000003b0 = htobe64(1);
  2554. *(uint32_t*)0x2000000003b8 = 0x401;
  2555. *(uint16_t*)0x2000000003bc = 0x14;
  2556. *(uint16_t*)0x2000000003be = 2;
  2557. *(uint16_t*)0x2000000003c0 = 2;
  2558. *(uint16_t*)0x2000000003c2 = htobe16(0x4e24);
  2559. *(uint8_t*)0x2000000003c4 = 0xac;
  2560. *(uint8_t*)0x2000000003c5 = 0x14;
  2561. *(uint8_t*)0x2000000003c6 = 0x14;
  2562. *(uint8_t*)0x2000000003c7 = 0x20;
  2563. *(uint16_t*)0x2000000003d0 = 0xd;
  2564. *(uint16_t*)0x2000000003d2 = 1;
  2565. memcpy((void*)0x2000000003d4, "udp:syz1\000", 9);
  2566. *(uint16_t*)0x2000000003e0 = 0x38;
  2567. *(uint16_t*)0x2000000003e2 = 4;
  2568. *(uint16_t*)0x2000000003e4 = 0x20;
  2569. *(uint16_t*)0x2000000003e6 = 1;
  2570. *(uint16_t*)0x2000000003e8 = 0xa;
  2571. *(uint16_t*)0x2000000003ea = htobe16(0x4e21);
  2572. *(uint32_t*)0x2000000003ec = htobe32(2);
  2573. memset((void*)0x2000000003f0, 0, 10);
  2574. memset((void*)0x2000000003fa, 255, 2);
  2575. *(uint32_t*)0x2000000003fc = htobe32(0x7f000001);
  2576. *(uint32_t*)0x200000000400 = 3;
  2577. *(uint16_t*)0x200000000404 = 0x14;
  2578. *(uint16_t*)0x200000000406 = 2;
  2579. *(uint16_t*)0x200000000408 = 2;
  2580. *(uint16_t*)0x20000000040a = htobe16(0x4e22);
  2581. *(uint32_t*)0x20000000040c = htobe32(0xe0000001);
  2582. *(uint16_t*)0x200000000418 = 0x60;
  2583. STORE_BY_BITMASK(uint16_t, , 0x20000000041a, 7, 0, 14);
  2584. STORE_BY_BITMASK(uint16_t, , 0x20000000041b, 0, 6, 1);
  2585. STORE_BY_BITMASK(uint16_t, , 0x20000000041b, 1, 7, 1);
  2586. *(uint16_t*)0x20000000041c = 8;
  2587. *(uint16_t*)0x20000000041e = 1;
  2588. *(uint32_t*)0x200000000420 = 0x1ff;
  2589. *(uint16_t*)0x200000000424 = 8;
  2590. *(uint16_t*)0x200000000426 = 1;
  2591. *(uint32_t*)0x200000000428 = 5;
  2592. *(uint16_t*)0x20000000042c = 8;
  2593. *(uint16_t*)0x20000000042e = 1;
  2594. *(uint32_t*)0x200000000430 = 7;
  2595. *(uint16_t*)0x200000000434 = 0xc;
  2596. *(uint16_t*)0x200000000436 = 4;
  2597. *(uint64_t*)0x200000000438 = 6;
  2598. *(uint16_t*)0x200000000440 = 8;
  2599. *(uint16_t*)0x200000000442 = 2;
  2600. *(uint32_t*)0x200000000444 = 0xf10;
  2601. *(uint16_t*)0x200000000448 = 8;
  2602. *(uint16_t*)0x20000000044a = 2;
  2603. *(uint32_t*)0x20000000044c = -1;
  2604. *(uint16_t*)0x200000000450 = 8;
  2605. *(uint16_t*)0x200000000452 = 2;
  2606. *(uint32_t*)0x200000000454 = 4;
  2607. *(uint16_t*)0x200000000458 = 0xc;
  2608. *(uint16_t*)0x20000000045a = 4;
  2609. *(uint64_t*)0x20000000045c = 0xfffffffffffffff9;
  2610. *(uint16_t*)0x200000000464 = 8;
  2611. *(uint16_t*)0x200000000466 = 1;
  2612. *(uint32_t*)0x200000000468 = 3;
  2613. *(uint16_t*)0x20000000046c = 0xc;
  2614. *(uint16_t*)0x20000000046e = 3;
  2615. *(uint64_t*)0x200000000470 = 1;
  2616. *(uint16_t*)0x200000000478 = 0x3c;
  2617. STORE_BY_BITMASK(uint16_t, , 0x20000000047a, 4, 0, 14);
  2618. STORE_BY_BITMASK(uint16_t, , 0x20000000047b, 0, 6, 1);
  2619. STORE_BY_BITMASK(uint16_t, , 0x20000000047b, 1, 7, 1);
  2620. *(uint16_t*)0x20000000047c = 0x24;
  2621. STORE_BY_BITMASK(uint16_t, , 0x20000000047e, 7, 0, 14);
  2622. STORE_BY_BITMASK(uint16_t, , 0x20000000047f, 0, 6, 1);
  2623. STORE_BY_BITMASK(uint16_t, , 0x20000000047f, 1, 7, 1);
  2624. *(uint16_t*)0x200000000480 = 8;
  2625. *(uint16_t*)0x200000000482 = 4;
  2626. *(uint32_t*)0x200000000484 = 9;
  2627. *(uint16_t*)0x200000000488 = 8;
  2628. *(uint16_t*)0x20000000048a = 4;
  2629. *(uint32_t*)0x20000000048c = 0xe8;
  2630. *(uint16_t*)0x200000000490 = 8;
  2631. *(uint16_t*)0x200000000492 = 4;
  2632. *(uint32_t*)0x200000000494 = 0x87a2e9b1;
  2633. *(uint16_t*)0x200000000498 = 8;
  2634. *(uint16_t*)0x20000000049a = 1;
  2635. *(uint32_t*)0x20000000049c = 0xa;
  2636. *(uint16_t*)0x2000000004a0 = 0x13;
  2637. *(uint16_t*)0x2000000004a2 = 1;
  2638. memcpy((void*)0x2000000004a4, "broadcast-link\000", 15);
  2639. *(uint16_t*)0x2000000004b4 = 0x1c;
  2640. STORE_BY_BITMASK(uint16_t, , 0x2000000004b6, 9, 0, 14);
  2641. STORE_BY_BITMASK(uint16_t, , 0x2000000004b7, 0, 6, 1);
  2642. STORE_BY_BITMASK(uint16_t, , 0x2000000004b7, 1, 7, 1);
  2643. *(uint16_t*)0x2000000004b8 = 8;
  2644. *(uint16_t*)0x2000000004ba = 1;
  2645. *(uint32_t*)0x2000000004bc = 9;
  2646. *(uint16_t*)0x2000000004c0 = 8;
  2647. *(uint16_t*)0x2000000004c2 = 1;
  2648. *(uint32_t*)0x2000000004c4 = 0x7ff;
  2649. *(uint16_t*)0x2000000004c8 = 8;
  2650. *(uint16_t*)0x2000000004ca = 1;
  2651. *(uint32_t*)0x2000000004cc = 0x7f;
  2652. *(uint16_t*)0x2000000004d0 = 0x44;
  2653. STORE_BY_BITMASK(uint16_t, , 0x2000000004d2, 7, 0, 14);
  2654. STORE_BY_BITMASK(uint16_t, , 0x2000000004d3, 0, 6, 1);
  2655. STORE_BY_BITMASK(uint16_t, , 0x2000000004d3, 1, 7, 1);
  2656. *(uint16_t*)0x2000000004d4 = 8;
  2657. *(uint16_t*)0x2000000004d6 = 1;
  2658. *(uint32_t*)0x2000000004d8 = 4;
  2659. *(uint16_t*)0x2000000004dc = 0xc;
  2660. *(uint16_t*)0x2000000004de = 4;
  2661. *(uint64_t*)0x2000000004e0 = 9;
  2662. *(uint16_t*)0x2000000004e8 = 0xc;
  2663. *(uint16_t*)0x2000000004ea = 4;
  2664. *(uint64_t*)0x2000000004ec = 1;
  2665. *(uint16_t*)0x2000000004f4 = 0xc;
  2666. *(uint16_t*)0x2000000004f6 = 3;
  2667. *(uint64_t*)0x2000000004f8 = 0x10000;
  2668. *(uint16_t*)0x200000000500 = 8;
  2669. *(uint16_t*)0x200000000502 = 2;
  2670. *(uint32_t*)0x200000000504 = 0x101;
  2671. *(uint16_t*)0x200000000508 = 0xc;
  2672. *(uint16_t*)0x20000000050a = 3;
  2673. *(uint64_t*)0x20000000050c = 0x7ff;
  2674. *(uint16_t*)0x200000000514 = 0xb4;
  2675. STORE_BY_BITMASK(uint16_t, , 0x200000000516, 4, 0, 14);
  2676. STORE_BY_BITMASK(uint16_t, , 0x200000000517, 0, 6, 1);
  2677. STORE_BY_BITMASK(uint16_t, , 0x200000000517, 1, 7, 1);
  2678. *(uint16_t*)0x200000000518 = 0x2c;
  2679. STORE_BY_BITMASK(uint16_t, , 0x20000000051a, 7, 0, 14);
  2680. STORE_BY_BITMASK(uint16_t, , 0x20000000051b, 0, 6, 1);
  2681. STORE_BY_BITMASK(uint16_t, , 0x20000000051b, 1, 7, 1);
  2682. *(uint16_t*)0x20000000051c = 8;
  2683. *(uint16_t*)0x20000000051e = 3;
  2684. *(uint32_t*)0x200000000520 = 8;
  2685. *(uint16_t*)0x200000000524 = 8;
  2686. *(uint16_t*)0x200000000526 = 2;
  2687. *(uint32_t*)0x200000000528 = 0x8001;
  2688. *(uint16_t*)0x20000000052c = 8;
  2689. *(uint16_t*)0x20000000052e = 1;
  2690. *(uint32_t*)0x200000000530 = 0xf;
  2691. *(uint16_t*)0x200000000534 = 8;
  2692. *(uint16_t*)0x200000000536 = 2;
  2693. *(uint32_t*)0x200000000538 = 5;
  2694. *(uint16_t*)0x20000000053c = 8;
  2695. *(uint16_t*)0x20000000053e = 4;
  2696. *(uint32_t*)0x200000000540 = 1;
  2697. *(uint16_t*)0x200000000544 = 0x1c;
  2698. STORE_BY_BITMASK(uint16_t, , 0x200000000546, 7, 0, 14);
  2699. STORE_BY_BITMASK(uint16_t, , 0x200000000547, 0, 6, 1);
  2700. STORE_BY_BITMASK(uint16_t, , 0x200000000547, 1, 7, 1);
  2701. *(uint16_t*)0x200000000548 = 8;
  2702. *(uint16_t*)0x20000000054a = 1;
  2703. *(uint32_t*)0x20000000054c = 0x19;
  2704. *(uint16_t*)0x200000000550 = 8;
  2705. *(uint16_t*)0x200000000552 = 3;
  2706. *(uint32_t*)0x200000000554 = 0x7618;
  2707. *(uint16_t*)0x200000000558 = 8;
  2708. *(uint16_t*)0x20000000055a = 4;
  2709. *(uint32_t*)0x20000000055c = 0x101;
  2710. *(uint16_t*)0x200000000560 = 9;
  2711. *(uint16_t*)0x200000000562 = 1;
  2712. memcpy((void*)0x200000000564, "syz0\000", 5);
  2713. *(uint16_t*)0x20000000056c = 0xc;
  2714. STORE_BY_BITMASK(uint16_t, , 0x20000000056e, 7, 0, 14);
  2715. STORE_BY_BITMASK(uint16_t, , 0x20000000056f, 0, 6, 1);
  2716. STORE_BY_BITMASK(uint16_t, , 0x20000000056f, 1, 7, 1);
  2717. *(uint16_t*)0x200000000570 = 8;
  2718. *(uint16_t*)0x200000000572 = 3;
  2719. *(uint32_t*)0x200000000574 = 5;
  2720. *(uint16_t*)0x200000000578 = 0x24;
  2721. STORE_BY_BITMASK(uint16_t, , 0x20000000057a, 7, 0, 14);
  2722. STORE_BY_BITMASK(uint16_t, , 0x20000000057b, 0, 6, 1);
  2723. STORE_BY_BITMASK(uint16_t, , 0x20000000057b, 1, 7, 1);
  2724. *(uint16_t*)0x20000000057c = 8;
  2725. *(uint16_t*)0x20000000057e = 4;
  2726. *(uint32_t*)0x200000000580 = 0xfffffffc;
  2727. *(uint16_t*)0x200000000584 = 8;
  2728. *(uint16_t*)0x200000000586 = 1;
  2729. *(uint32_t*)0x200000000588 = 0xc;
  2730. *(uint16_t*)0x20000000058c = 8;
  2731. *(uint16_t*)0x20000000058e = 4;
  2732. *(uint32_t*)0x200000000590 = 4;
  2733. *(uint16_t*)0x200000000594 = 8;
  2734. *(uint16_t*)0x200000000596 = 1;
  2735. *(uint32_t*)0x200000000598 = 0xc;
  2736. *(uint16_t*)0x20000000059c = 0x2c;
  2737. STORE_BY_BITMASK(uint16_t, , 0x20000000059e, 7, 0, 14);
  2738. STORE_BY_BITMASK(uint16_t, , 0x20000000059f, 0, 6, 1);
  2739. STORE_BY_BITMASK(uint16_t, , 0x20000000059f, 1, 7, 1);
  2740. *(uint16_t*)0x2000000005a0 = 8;
  2741. *(uint16_t*)0x2000000005a2 = 3;
  2742. *(uint32_t*)0x2000000005a4 = 7;
  2743. *(uint16_t*)0x2000000005a8 = 8;
  2744. *(uint16_t*)0x2000000005aa = 3;
  2745. *(uint32_t*)0x2000000005ac = 5;
  2746. *(uint16_t*)0x2000000005b0 = 8;
  2747. *(uint16_t*)0x2000000005b2 = 4;
  2748. *(uint32_t*)0x2000000005b4 = 2;
  2749. *(uint16_t*)0x2000000005b8 = 8;
  2750. *(uint16_t*)0x2000000005ba = 4;
  2751. *(uint32_t*)0x2000000005bc = 1;
  2752. *(uint16_t*)0x2000000005c0 = 8;
  2753. *(uint16_t*)0x2000000005c2 = 1;
  2754. *(uint32_t*)0x2000000005c4 = 0xd;
  2755. *(uint16_t*)0x2000000005c8 = 0x88;
  2756. STORE_BY_BITMASK(uint16_t, , 0x2000000005ca, 4, 0, 14);
  2757. STORE_BY_BITMASK(uint16_t, , 0x2000000005cb, 0, 6, 1);
  2758. STORE_BY_BITMASK(uint16_t, , 0x2000000005cb, 1, 7, 1);
  2759. *(uint16_t*)0x2000000005cc = 0x13;
  2760. *(uint16_t*)0x2000000005ce = 1;
  2761. memcpy((void*)0x2000000005d0, "broadcast-link\000", 15);
  2762. *(uint16_t*)0x2000000005e0 = 0xc;
  2763. STORE_BY_BITMASK(uint16_t, , 0x2000000005e2, 7, 0, 14);
  2764. STORE_BY_BITMASK(uint16_t, , 0x2000000005e3, 0, 6, 1);
  2765. STORE_BY_BITMASK(uint16_t, , 0x2000000005e3, 1, 7, 1);
  2766. *(uint16_t*)0x2000000005e4 = 8;
  2767. *(uint16_t*)0x2000000005e6 = 4;
  2768. *(uint32_t*)0x2000000005e8 = 4;
  2769. *(uint16_t*)0x2000000005ec = 0x14;
  2770. STORE_BY_BITMASK(uint16_t, , 0x2000000005ee, 7, 0, 14);
  2771. STORE_BY_BITMASK(uint16_t, , 0x2000000005ef, 0, 6, 1);
  2772. STORE_BY_BITMASK(uint16_t, , 0x2000000005ef, 1, 7, 1);
  2773. *(uint16_t*)0x2000000005f0 = 8;
  2774. *(uint16_t*)0x2000000005f2 = 2;
  2775. *(uint32_t*)0x2000000005f4 = 0x800;
  2776. *(uint16_t*)0x2000000005f8 = 8;
  2777. *(uint16_t*)0x2000000005fa = 1;
  2778. *(uint32_t*)0x2000000005fc = 0xb;
  2779. *(uint16_t*)0x200000000600 = 9;
  2780. *(uint16_t*)0x200000000602 = 1;
  2781. memcpy((void*)0x200000000604, "syz1\000", 5);
  2782. *(uint16_t*)0x20000000060c = 9;
  2783. *(uint16_t*)0x20000000060e = 1;
  2784. memcpy((void*)0x200000000610, "syz0\000", 5);
  2785. *(uint16_t*)0x200000000618 = 0x13;
  2786. *(uint16_t*)0x20000000061a = 1;
  2787. memcpy((void*)0x20000000061c, "broadcast-link\000", 15);
  2788. *(uint16_t*)0x20000000062c = 0x24;
  2789. STORE_BY_BITMASK(uint16_t, , 0x20000000062e, 7, 0, 14);
  2790. STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 0, 6, 1);
  2791. STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 1, 7, 1);
  2792. *(uint16_t*)0x200000000630 = 8;
  2793. *(uint16_t*)0x200000000632 = 2;
  2794. *(uint32_t*)0x200000000634 = 0xc73;
  2795. *(uint16_t*)0x200000000638 = 8;
  2796. *(uint16_t*)0x20000000063a = 4;
  2797. *(uint32_t*)0x20000000063c = 0xfffffffc;
  2798. *(uint16_t*)0x200000000640 = 8;
  2799. *(uint16_t*)0x200000000642 = 4;
  2800. *(uint32_t*)0x200000000644 = 0xa34f;
  2801. *(uint16_t*)0x200000000648 = 8;
  2802. *(uint16_t*)0x20000000064a = 2;
  2803. *(uint32_t*)0x20000000064c = 8;
  2804. *(uint16_t*)0x200000000650 = 0x48;
  2805. STORE_BY_BITMASK(uint16_t, , 0x200000000652, 7, 0, 14);
  2806. STORE_BY_BITMASK(uint16_t, , 0x200000000653, 0, 6, 1);
  2807. STORE_BY_BITMASK(uint16_t, , 0x200000000653, 1, 7, 1);
  2808. *(uint16_t*)0x200000000654 = 0xc;
  2809. *(uint16_t*)0x200000000656 = 4;
  2810. *(uint64_t*)0x200000000658 = 0xdb;
  2811. *(uint16_t*)0x200000000660 = 0xc;
  2812. *(uint16_t*)0x200000000662 = 3;
  2813. *(uint64_t*)0x200000000664 = 6;
  2814. *(uint16_t*)0x20000000066c = 0xc;
  2815. *(uint16_t*)0x20000000066e = 3;
  2816. *(uint64_t*)0x200000000670 = 0x2ef92203;
  2817. *(uint16_t*)0x200000000678 = 8;
  2818. *(uint16_t*)0x20000000067a = 1;
  2819. *(uint32_t*)0x20000000067c = 0x1800000;
  2820. *(uint16_t*)0x200000000680 = 8;
  2821. *(uint16_t*)0x200000000682 = 2;
  2822. *(uint32_t*)0x200000000684 = 1;
  2823. *(uint16_t*)0x200000000688 = 8;
  2824. *(uint16_t*)0x20000000068a = 1;
  2825. *(uint32_t*)0x20000000068c = 0x81;
  2826. *(uint16_t*)0x200000000690 = 8;
  2827. *(uint16_t*)0x200000000692 = 1;
  2828. *(uint32_t*)0x200000000694 = 0x1f;
  2829. *(uint16_t*)0x200000000698 = 0xb0;
  2830. STORE_BY_BITMASK(uint16_t, , 0x20000000069a, 1, 0, 14);
  2831. STORE_BY_BITMASK(uint16_t, , 0x20000000069b, 0, 6, 1);
  2832. STORE_BY_BITMASK(uint16_t, , 0x20000000069b, 1, 7, 1);
  2833. *(uint16_t*)0x20000000069c = 0x14;
  2834. STORE_BY_BITMASK(uint16_t, , 0x20000000069e, 2, 0, 14);
  2835. STORE_BY_BITMASK(uint16_t, , 0x20000000069f, 0, 6, 1);
  2836. STORE_BY_BITMASK(uint16_t, , 0x20000000069f, 1, 7, 1);
  2837. *(uint16_t*)0x2000000006a0 = 8;
  2838. *(uint16_t*)0x2000000006a2 = 3;
  2839. *(uint32_t*)0x2000000006a4 = 0xee44;
  2840. *(uint16_t*)0x2000000006a8 = 8;
  2841. *(uint16_t*)0x2000000006aa = 2;
  2842. *(uint32_t*)0x2000000006ac = 1;
  2843. *(uint16_t*)0x2000000006b0 = 0xd;
  2844. *(uint16_t*)0x2000000006b2 = 1;
  2845. memcpy((void*)0x2000000006b4, "udp:syz0\000", 9);
  2846. *(uint16_t*)0x2000000006c0 = 8;
  2847. *(uint16_t*)0x2000000006c2 = 3;
  2848. *(uint32_t*)0x2000000006c4 = 0x800;
  2849. *(uint16_t*)0x2000000006c8 = 0x14;
  2850. STORE_BY_BITMASK(uint16_t, , 0x2000000006ca, 2, 0, 14);
  2851. STORE_BY_BITMASK(uint16_t, , 0x2000000006cb, 0, 6, 1);
  2852. STORE_BY_BITMASK(uint16_t, , 0x2000000006cb, 1, 7, 1);
  2853. *(uint16_t*)0x2000000006cc = 8;
  2854. *(uint16_t*)0x2000000006ce = 3;
  2855. *(uint32_t*)0x2000000006d0 = 0x1ff;
  2856. *(uint16_t*)0x2000000006d4 = 8;
  2857. *(uint16_t*)0x2000000006d6 = 3;
  2858. *(uint32_t*)0x2000000006d8 = 9;
  2859. *(uint16_t*)0x2000000006dc = 0xc;
  2860. STORE_BY_BITMASK(uint16_t, , 0x2000000006de, 2, 0, 14);
  2861. STORE_BY_BITMASK(uint16_t, , 0x2000000006df, 0, 6, 1);
  2862. STORE_BY_BITMASK(uint16_t, , 0x2000000006df, 1, 7, 1);
  2863. *(uint16_t*)0x2000000006e0 = 8;
  2864. *(uint16_t*)0x2000000006e2 = 2;
  2865. *(uint32_t*)0x2000000006e4 = 0x81;
  2866. *(uint16_t*)0x2000000006e8 = 8;
  2867. *(uint16_t*)0x2000000006ea = 3;
  2868. *(uint32_t*)0x2000000006ec = 0xff;
  2869. *(uint16_t*)0x2000000006f0 = 8;
  2870. *(uint16_t*)0x2000000006f2 = 3;
  2871. *(uint32_t*)0x2000000006f4 = 1;
  2872. *(uint16_t*)0x2000000006f8 = 0x38;
  2873. *(uint16_t*)0x2000000006fa = 4;
  2874. *(uint16_t*)0x2000000006fc = 0x20;
  2875. *(uint16_t*)0x2000000006fe = 1;
  2876. *(uint16_t*)0x200000000700 = 0xa;
  2877. *(uint16_t*)0x200000000702 = htobe16(0x4e22);
  2878. *(uint32_t*)0x200000000704 = htobe32(0x7ff);
  2879. memset((void*)0x200000000708, 0, 16);
  2880. *(uint32_t*)0x200000000718 = 2;
  2881. *(uint16_t*)0x20000000071c = 0x14;
  2882. *(uint16_t*)0x20000000071e = 2;
  2883. *(uint16_t*)0x200000000720 = 2;
  2884. *(uint16_t*)0x200000000722 = htobe16(0x4e22);
  2885. *(uint8_t*)0x200000000724 = 0xac;
  2886. *(uint8_t*)0x200000000725 = 0x14;
  2887. *(uint8_t*)0x200000000726 = 0x14;
  2888. *(uint8_t*)0x200000000727 = 0xaa;
  2889. *(uint16_t*)0x200000000730 = 0xf;
  2890. *(uint16_t*)0x200000000732 = 1;
  2891. memcpy((void*)0x200000000734, "ib", 2);
  2892. *(uint8_t*)0x200000000736 = 0x3a;
  2893. memcpy((void*)0x200000000737, "syz_tun\000", 8);
  2894. *(uint16_t*)0x200000000740 = 8;
  2895. *(uint16_t*)0x200000000742 = 3;
  2896. *(uint32_t*)0x200000000744 = 0;
  2897. *(uint16_t*)0x200000000748 = 0x14;
  2898. STORE_BY_BITMASK(uint16_t, , 0x20000000074a, 7, 0, 14);
  2899. STORE_BY_BITMASK(uint16_t, , 0x20000000074b, 0, 6, 1);
  2900. STORE_BY_BITMASK(uint16_t, , 0x20000000074b, 1, 7, 1);
  2901. *(uint16_t*)0x20000000074c = 8;
  2902. *(uint16_t*)0x20000000074e = 2;
  2903. *(uint32_t*)0x200000000750 = 7;
  2904. *(uint16_t*)0x200000000754 = 8;
  2905. *(uint16_t*)0x200000000756 = 1;
  2906. *(uint32_t*)0x200000000758 = 0x80;
  2907. *(uint64_t*)0x200000000788 = 0x49c;
  2908. *(uint64_t*)0x2000000007d8 = 1;
  2909. *(uint64_t*)0x2000000007e0 = 0;
  2910. *(uint64_t*)0x2000000007e8 = 0;
  2911. *(uint32_t*)0x2000000007f0 = 0x8031;
  2912. syscall(__NR_sendmsg, /*fd=*/r[30], /*msg=*/0x2000000007c0ul,
  2913. /*f=MSG_PROBE|MSG_EOR*/ 0x90ul);
  2914. return 0;
  2915. }
  2916.  