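// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reviewed copy of the generated helpers. Changes against the generated text:
//  - the 26 sysctl/sysfs knob functions share one writer instead of each
//    spawning /bin/sh via system("echo ... > path");
//  - the netlink message builders refuse to overrun their fixed buffer, and the
//    genetlink reply walk validates nla_len before following it;
//  - the header list, whose names were missing from this listing, is restored
//    to the set the visible code needs.

#define _GNU_SOURCE

// NOTE(review): header names were lost in this listing; the set below covers
// the identifiers the file visibly uses (sysctl/sysfs writes, genetlink over
// netlink, loop devices, mount, mmap, setjmp, raw syscalls).
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <linux/genetlink.h>
#include <linux/loop.h>
#include <linux/netlink.h>

#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

// Writes one decimal value (plus newline, as `echo` would) to a /proc or /sys
// control file.  The generated code did this with system("echo %ld > path"),
// i.e. a fork+exec of /bin/sh for a single write(), and then threw the exit
// status away.  This keeps the same best-effort contract: a missing or
// read-only knob must not stop the reproducer, so the result is always 0.
static long syz_sysconfig_write(const char* path, long val)
{
	char buf[32];
	int len = snprintf(buf, sizeof(buf), "%ld\n", val);
	if (len <= 0 || (size_t)len >= sizeof(buf))
		return 0;
	int fd = open(path, O_WRONLY);
	if (fd == -1)
		return 0;
	// Ignored on purpose (short or failed write), matching the old behaviour
	// of discarding the shell's exit status.
	if (write(fd, buf, (size_t)len) != len) {
	}
	close(fd);
	return 0;
}

// Knob setters/resetters generated for this program.  A *_set__ variant writes
// the caller's value; a *_reset__ variant writes the default the generator
// recorded for the target system.  All return 0 unconditionally.
static long syz_sysconfig_set__proc_sys_net_ipv4_tcp_sack(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/net/ipv4/tcp_sack", val);
}

static long syz_sysconfig_reset__proc_sys_net_ipv4_tcp_sack(void)
{
	return syz_sysconfig_write("/proc/sys/net/ipv4/tcp_sack", 1);
}

static long syz_sysconfig_set__proc_sys_fs_pipe_user_pages_soft(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/fs/pipe-user-pages-soft", val);
}

static long syz_sysconfig_reset__proc_sys_fs_pipe_user_pages_soft(void)
{
	return syz_sysconfig_write("/proc/sys/fs/pipe-user-pages-soft", 16384);
}

static long syz_sysconfig_reset__proc_sys_net_ipv6_conf_sit0_force_tllao(void)
{
	return syz_sysconfig_write("/proc/sys/net/ipv6/conf/sit0/force_tllao", 0);
}

static long syz_sysconfig_set__proc_sys_net_ipv6_conf_lo_drop_unicast_in_l2_multicast(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/net/ipv6/conf/lo/drop_unicast_in_l2_multicast", val);
}

static long syz_sysconfig_set__proc_sys_net_ipv4_tcp_no_ssthresh_metrics_save(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/net/ipv4/tcp_no_ssthresh_metrics_save", val);
}

static long syz_sysconfig_reset__proc_sys_net_ipv4_tcp_no_ssthresh_metrics_save(void)
{
	return syz_sysconfig_write("/proc/sys/net/ipv4/tcp_no_ssthresh_metrics_save", 1);
}

static long syz_sysconfig_set__proc_sys_fs_protected_fifos(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/fs/protected_fifos", val);
}

static long syz_sysconfig_reset__proc_sys_fs_protected_fifos(void)
{
	return syz_sysconfig_write("/proc/sys/fs/protected_fifos", 1);
}

static long syz_sysconfig_set__proc_sys_net_core_optmem_max(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/net/core/optmem_max", val);
}

static long syz_sysconfig_reset__proc_sys_net_core_optmem_max(void)
{
	return syz_sysconfig_write("/proc/sys/net/core/optmem_max", 131072);
}

static long syz_sysconfig_set__proc_sys_net_ipv6_xfrm6_gc_thresh(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/net/ipv6/xfrm6_gc_thresh", val);
}

static long syz_sysconfig_reset__proc_sys_net_ipv6_xfrm6_gc_thresh(void)
{
	return syz_sysconfig_write("/proc/sys/net/ipv6/xfrm6_gc_thresh", 32768);
}

static long syz_sysconfig_set__proc_sys_net_ipv6_conf_sit0_addr_gen_mode(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/net/ipv6/conf/sit0/addr_gen_mode", val);
}

static long syz_sysconfig_reset__proc_sys_net_ipv6_conf_sit0_addr_gen_mode(void)
{
	return syz_sysconfig_write("/proc/sys/net/ipv6/conf/sit0/addr_gen_mode", 0);
}

static long syz_sysconfig_set__proc_sys_net_ipv4_conf_lo_proxy_arp(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/net/ipv4/conf/lo/proxy_arp", val);
}

static long syz_sysconfig_reset__proc_sys_net_ipv4_conf_lo_proxy_arp(void)
{
	return syz_sysconfig_write("/proc/sys/net/ipv4/conf/lo/proxy_arp", 0);
}

static long syz_sysconfig_reset__proc_sys_net_ipv6_conf_lo_drop_unicast_in_l2_multicast(void)
{
	return syz_sysconfig_write("/proc/sys/net/ipv6/conf/lo/drop_unicast_in_l2_multicast", 0);
}

// Note the different prefix: this one targets a sysfs block-queue attribute,
// not a sysctl.  The device path is the one the generator saw on its VM.
static long syz_proconfig_set__sys_devices_pci0000_00_0000_00_01_1_ata1_host0_target0_0_0_0_0_0_0_block_sda_queue_max_sectors_kb(volatile long val)
{
	return syz_sysconfig_write("/sys/devices/pci0000:00/0000:00:01.1/ata1/host0/target0:0:0/0:0:0:0/block/sda/queue/max_sectors_kb", val);
}

static long syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_hop_limit(void)
{
	return syz_sysconfig_write("/proc/sys/net/ipv6/conf/eth0/hop_limit", 64);
}

static long syz_sysconfig_set__proc_sys_net_ipv4_conf_lo_accept_redirects(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/net/ipv4/conf/lo/accept_redirects", val);
}

static long syz_sysconfig_reset__proc_sys_net_ipv4_conf_lo_accept_redirects(void)
{
	return syz_sysconfig_write("/proc/sys/net/ipv4/conf/lo/accept_redirects", 1);
}

static long syz_sysconfig_set__proc_sys_net_ipv6_conf_eth0_hop_limit(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/net/ipv6/conf/eth0/hop_limit", val);
}

static long syz_sysconfig_set__proc_sys_user_max_mnt_namespaces(volatile long val)
{
	return syz_sysconfig_write("/proc/sys/user/max_mnt_namespaces", val);
}

static long syz_sysconfig_reset__proc_sys_user_max_mnt_namespaces(void)
{
	return syz_sysconfig_write("/proc/sys/user/max_mnt_namespaces", 3238);
}

// Executor index; selects the per-process loop device (/dev/loop<procid>).
// Nothing visible here assigns it, so it stays 0 unless main() does.
static unsigned long long procid;

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Stores `val` into the bit-field [bf_off, bf_off+bf_len) of the integer at
// `addr`, converting through `htobe` so the field position is interpreted in
// the on-the-wire byte order.
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
	*(type*)(addr) = \
	    htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
		  (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// A netlink request being assembled in a fixed 4 KiB buffer.
//  pos     - next free byte in buf
//  nesting - number of currently open nested attributes; must be 0 at send time
//  nested  - stack of open nested attribute headers (unused by the code below)
struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

// Starts a request of type `typ` with NLM_F_REQUEST|NLM_F_ACK|flags and the
// `size`-byte fixed header `data` right after the nlmsghdr.  nlmsg_len is
// filled in at send time.  Aborts if the header cannot fit.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
	if (size < 0 || (size_t)NLMSG_HDRLEN + NLMSG_ALIGN((size_t)size) > sizeof(nlmsg->buf))
		exit(1);
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	if (size > 0)
		memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

// Appends attribute `typ` carrying `size` bytes of `data`.  The generated code
// copied first and let netlink_send_ext notice the overrun afterwards; check
// the remaining room up front instead, with the same exit(1) policy.
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
	size_t used = (size_t)(nlmsg->pos - nlmsg->buf);
	size_t need = NLMSG_ALIGN(sizeof(struct nlattr) + (size_t)size);
	if (size < 0 || need > sizeof(nlmsg->buf) - used)
		exit(1);
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Common failure exit for netlink_send_ext: abort when the caller demanded
// success, otherwise report -1 (errno is already set by the caller).
static int netlink_fail(bool dofail)
{
	if (dofail)
		exit(1);
	return -1;
}

// Sends the assembled request on `sock` and reads one reply into the same
// buffer.  Returns 0 on NLMSG_DONE, or on a reply of `reply_type` (then
// *reply_len is the reply size); returns -errno for an NLMSG_ERROR ack; any
// other outcome is -1 with errno set, or exit(1) when `dofail` is true.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len)
		return netlink_fail(dofail);
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0)
		return netlink_fail(dofail);
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		return netlink_fail(dofail);
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		return netlink_fail(dofail);
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		return netlink_fail(dofail);
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

// Resolves a generic-netlink family name to its numeric id via CTRL_CMD_GETFAMILY.
// Returns the id (>0) or -1 with errno set.  The trailing recv() drains the
// NLMSG_DONE/ack that follows the family reply.
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	// Bounded length (at most GENL_NAMSIZ-1 characters) plus one terminator byte.
	size_t name_len = 0;
	while (name_len < GENL_NAMSIZ - 1 && family_name[name_len] != '\0')
		name_len++;
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, (int)name_len + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0)
		return -1;
	uint16_t id = 0;
	const char* end = nlmsg->buf + n;
	const char* p = nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr));
	while (p + sizeof(struct nlattr) <= end) {
		const struct nlattr* attr = (const struct nlattr*)p;
		// A zero nla_len would never advance, and an oversized one would walk
		// past the bytes the kernel actually returned; stop on either.
		if (attr->nla_len < sizeof(*attr) || (size_t)(end - p) < attr->nla_len)
			break;
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			if (attr->nla_len >= sizeof(*attr) + sizeof(id))
				memcpy(&id, attr + 1, sizeof(id));
			break;
		}
		p += NLMSG_ALIGN(attr->nla_len);
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

// Opens a device node.  a0 == 0xc / 0xb selects /dev/char/<a1>:<a2> or
// /dev/block/<a1>:<a2> (major/minor truncated to 8 bits, opened O_RDWR);
// otherwise a0 is a path template in which each '#' is replaced by the next
// decimal digit of a1 (least significant first) and a2 is the open flags.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char path[128];
		snprintf(path, sizeof(path), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(path, O_RDWR, 0);
	}
	char path[1024];
	strncpy(path, (char*)a0, sizeof(path) - 1);
	path[sizeof(path) - 1] = 0;
	for (char* hash = strchr(path, '#'); hash != NULL; hash = strchr(path, '#')) {
		*hash = '0' + (char)(a1 % 10);
		a1 /= 10;
	}
	return open(path, a2, 0);
}

// Opens /proc/self/<a1> (a0 == 0), /proc/thread-self/<a1> (a0 == -1) or
// /proc/self/task/<a0>/<a1>, read-write if possible, else read-only.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char path[128];
	memset(path, 0, sizeof(path));
	if (a0 == 0)
		snprintf(path, sizeof(path), "/proc/self/%s", (char*)a1);
	else if (a0 == -1)
		snprintf(path, sizeof(path), "/proc/thread-self/%s", (char*)a1);
	else
		snprintf(path, sizeof(path), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	int fd = open(path, O_RDWR);
	if (fd == -1)
		fd = open(path, O_RDONLY);
	return fd;
}

// Pseudo-syscall: family id for the generic-netlink family named by `name`.
// Uses `sock_arg` when it is a valid fd, otherwise opens (and closes) a
// temporary NETLINK_GENERIC socket.  Returns -1 on any failure.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	int fd = sock_arg;
	bool own_socket = fd < 0;
	if (own_socket) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1)
			return -1;
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if (own_socket)
		close(fd);
	return ret < 0 ? -1 : ret;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//%   claim that you wrote the original software.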
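//%   If you use this software
//%   in a product, an acknowledgment in the product documentation would be
//%   appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//%   misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}

// Minimal inflate (RFC 1951) used to unpack the filesystem images embedded in
// the program.  Differences from upstream puff: bytes that are zero are never
// written, because the output buffer is a fresh anonymous mapping and is
// therefore already zero (see puff_zlib_to_file).

#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

// Decoder state.  bitbuf/bitcnt hold not-yet-consumed input bits; env is the
// longjmp target taken when the input runs out mid-stream.
struct puff_state {
	unsigned char* out;
	unsigned long outlen;
	unsigned long outcnt;
	const unsigned char* in;
	unsigned long inlen;
	unsigned long incnt;
	int bitbuf;
	int bitcnt;
	jmp_buf env;
};

// Returns the next `need` bits (LSB-first), pulling whole bytes from the input
// as required.  Input exhaustion longjmps to puff(), which reports error 2.
static int puff_bits(struct puff_state* s, int need)
{
	long val = s->bitbuf;
	while (s->bitcnt < need) {
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		val |= (long)(s->in[s->incnt++]) << s->bitcnt;
		s->bitcnt += 8;
	}
	s->bitbuf = (int)(val >> need);
	s->bitcnt -= need;
	return (int)(val & ((1L << need) - 1));
}

// Stored (uncompressed) block: LEN, NLEN, then LEN raw bytes.
// Returns 0, 2 (input too short), 1 (output full) or -2 (LEN/NLEN mismatch).
static int puff_stored(struct puff_state* s)
{
	s->bitbuf = 0;
	s->bitcnt = 0;
	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;
	if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
		return -2;
	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;
	for (; len--; s->outcnt++, s->incnt++) {
		if (s->in[s->incnt])
			s->out[s->outcnt] = s->in[s->incnt];
	}
	return 0;
}

// Canonical Huffman code: count[len] codes of each length, symbols ordered by
// (length, value).
struct puff_huffman {
	short* count;
	short* symbol;
};

// Decodes one symbol bit by bit (the slow, table-free puff algorithm).
// Returns the symbol, or -10 if the bits do not form a code.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
	int first = 0;
	int index = 0;
	int bitbuf = s->bitbuf;
	int left = s->bitcnt;
	int code = first = index = 0;
	int len = 1;
	short* next = h->count + 1;
	while (1) {
		while (left--) {
			code |= bitbuf & 1;
			bitbuf >>= 1;
			int count = *next++;
			if (code - count < first) {
				s->bitbuf = bitbuf;
				s->bitcnt = (s->bitcnt - len) & 7;
				return h->symbol[index + (code - first)];
			}
			index += count;
			first += count;
			first <<= 1;
			code <<= 1;
			len++;
		}
		left = (MAXBITS + 1) - len;
		if (left == 0)
			break;
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		bitbuf = s->in[s->incnt++];
		if (left > 8)
			left = 8;
	}
	return -10;
}

// Builds h from n code lengths.  Returns 0 for a complete code, a positive
// value for an incomplete one, negative for an over-subscribed one.  Callers
// pass lengths in 0..MAXBITS only (3-bit fields and code-length symbols <16).
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int len;
	for (len = 0; len <= MAXBITS; len++)
		h->count[len] = 0;
	int symbol;
	for (symbol = 0; symbol < n; symbol++)
		(h->count[length[symbol]])++;
	if (h->count[0] == n)
		return 0;
	int left = 1;
	for (len = 1; len <= MAXBITS; len++) {
		left <<= 1;
		left -= h->count[len];
		if (left < 0)
			return left;
	}
	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (len = 1; len < MAXBITS; len++)
		offs[len + 1] = offs[len] + h->count[len];
	for (symbol = 0; symbol < n; symbol++)
		if (length[symbol] != 0)
			h->symbol[offs[length[symbol]]++] = symbol;
	return left;
}

// Decodes literal/length + distance pairs until end-of-block (256).
// Returns 0, 1 (output full), -10 (bad symbol) or -11 (distance too far back).
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
	static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
	static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
	static const short dists[30] = {1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
	static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
	int symbol;
	do {
		symbol = puff_decode(s, lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 256) {
			if (s->outcnt == s->outlen)
				return 1;
			if (symbol)
				s->out[s->outcnt] = symbol;
			s->outcnt++;
		} else if (symbol > 256) {
			symbol -= 257;
			if (symbol >= 29)
				return -10;
			int len = lens[symbol] + puff_bits(s, lext[symbol]);
			symbol = puff_decode(s, distcode);
			if (symbol < 0)
				return symbol;
			unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
			if (dist > s->outcnt)
				return -11;
			if (s->outcnt + len > s->outlen)
				return 1;
			// Byte-at-a-time copy so overlapping (dist < len) runs repeat correctly.
			while (len--) {
				if (dist <= s->outcnt && s->out[s->outcnt - dist])
					s->out[s->outcnt] = s->out[s->outcnt - dist];
				s->outcnt++;
			}
		}
	} while (symbol != 256);
	return 0;
}

// Block type 1: the fixed Huffman tables, built once on first use.
static int puff_fixed(struct puff_state* s)
{
	static int virgin = 1;
	static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
	static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	static struct puff_huffman lencode, distcode;
	if (virgin) {
		lencode.count = lencnt;
		lencode.symbol = lensym;
		distcode.count = distcnt;
		distcode.symbol = distsym;
		short lengths[FIXLCODES];
		int symbol;
		for (symbol = 0; symbol < 144; symbol++)
			lengths[symbol] = 8;
		for (; symbol < 256; symbol++)
			lengths[symbol] = 9;
		for (; symbol < 280; symbol++)
			lengths[symbol] = 7;
		for (; symbol < FIXLCODES; symbol++)
			lengths[symbol] = 8;
		puff_construct(&lencode, lengths, FIXLCODES);
		for (symbol = 0; symbol < MAXDCODES; symbol++)
			lengths[symbol] = 5;
		puff_construct(&distcode, lengths, MAXDCODES);
		virgin = 0;
	}
	return puff_codes(s, &lencode, &distcode);
}

// Block type 2: tables transmitted in the stream.  Negative returns -3..-9
// identify which part of the table description was malformed.
static int puff_dynamic(struct puff_state* s)
{
	static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
	int nlen = puff_bits(s, 5) + 257;
	int ndist = puff_bits(s, 5) + 1;
	int ncode = puff_bits(s, 4) + 4;
	if (nlen > MAXLCODES || ndist > MAXDCODES)
		return -3;
	short lengths[MAXCODES];
	int index;
	for (index = 0; index < ncode; index++)
		lengths[order[index]] = puff_bits(s, 3);
	for (; index < 19; index++)
		lengths[order[index]] = 0;
	short lencnt[MAXBITS + 1], lensym[MAXLCODES];
	struct puff_huffman lencode = {lencnt, lensym};
	int err = puff_construct(&lencode, lengths, 19);
	if (err != 0)
		return -4;
	index = 0;
	while (index < nlen + ndist) {
		int symbol;
		int len;
		symbol = puff_decode(s, &lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 16)
			lengths[index++] = symbol;
		else {
			len = 0;
			if (symbol == 16) {
				if (index == 0)
					return -5;
				len = lengths[index - 1];
				symbol = 3 + puff_bits(s, 2);
			} else if (symbol == 17)
				symbol = 3 + puff_bits(s, 3);
			else
				symbol = 11 + puff_bits(s, 7);
			if (index + symbol > nlen + ndist)
				return -6;
			while (symbol--)
				lengths[index++] = len;
		}
	}
	if (lengths[256] == 0)
		return -9;
	err = puff_construct(&lencode, lengths, nlen);
	if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
		return -7;
	short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	struct puff_huffman distcode = {distcnt, distsym};
	err = puff_construct(&distcode, lengths + nlen, ndist);
	if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
		return -8;
	return puff_codes(s, &lencode, &distcode);
}

// Inflates a raw deflate stream.  On entry *destlen is the capacity of dest;
// on return it is the number of bytes produced (also on error).  Returns 0 on
// success, 2 if the input ran out, 1 if dest filled up, -1 for an invalid
// block type, or the negative codes of the block decoders.
static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen)
{
	struct puff_state s = {
	    .out = dest,
	    .outlen = *destlen,
	    .outcnt = 0,
	    .in = source,
	    .inlen = sourcelen,
	    .incnt = 0,
	    .bitbuf = 0,
	    .bitcnt = 0,
	};
	int err;
	// NOTE(review): s is modified through &s after setjmp and read after the
	// longjmp below; C11 7.13.2.1 makes that indeterminate for non-volatile
	// locals.  It works because s is address-taken, and the only consumer
	// (puff_zlib_to_file) ignores *destlen when err != 0 anyway.
	if (setjmp(s.env) != 0)
		err = 2;
	else {
		int last;
		do {
			last = puff_bits(&s, 1);
			int type = puff_bits(&s, 2);
			err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1));
			if (err != 0)
				break;
		} while (!last);
	}
	*destlen = s.outcnt;
	return err;
}
//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

// Writes all `len` bytes of `p` to `fd`, retrying after a short write or EINTR.
// Returns 0, or -1 with errno set (EIO if write() keeps returning 0).
static int write_all(int fd, const unsigned char* p, unsigned long len)
{
	while (len > 0) {
		ssize_t n = write(fd, p, len);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		if (n == 0) {
			errno = EIO;
			return -1;
		}
		p += n;
		len -= (unsigned long)n;
	}
	return 0;
}

// Inflates a zlib-wrapped image into dest_fd.  The 2-byte zlib header is
// skipped unvalidated and the Adler-32 trailer is never checked (puff stops at
// the final block), which is deliberate for fuzzer-produced images.  The
// output is capped at 132 MiB and staged in a zero-filled anonymous mapping,
// which is what lets puff skip writing zero bytes.  Returns 0 on success
// (also for inputs shorter than the header, which write nothing); -1 otherwise
// with errno set.  A partial write() used to be treated as failure; it is now
// completed by write_all.
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
	if (sourcelen < ZLIB_HEADER_WIDTH)
		return 0;
	source += ZLIB_HEADER_WIDTH;
	sourcelen -= ZLIB_HEADER_WIDTH;
	const unsigned long max_destlen = 132 << 20;
	void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (ret == MAP_FAILED)
		return -1;
	unsigned char* dest = (unsigned char*)ret;
	unsigned long destlen = max_destlen;
	int err = puff(dest, &destlen, source, sourcelen);
	if (err) {
		munmap(dest, max_destlen);
		// Kept from the generated code: puff's code negated.  For the positive
		// codes (1 = output full, 2 = input exhausted) this leaves a negative
		// errno, so treat it as a debugging hint only.
		errno = -err;
		return -1;
	}
	if (write_all(dest_fd, dest, destlen) != 0) {
		int saved = errno;
		munmap(dest, max_destlen);
		errno = saved;
		return -1;
	}
	return munmap(dest, max_destlen);
}

// Unpacks `data` into a memfd and attaches it to `loopname`.  A device that is
// still busy from a previous run is detached once and retried after 1 ms.
// On success *loopfd_p receives the open loop fd (the memfd is closed; the loop
// device keeps its own reference).  Returns 0, or -1 with errno set.
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (puff_zlib_to_file(data, size, memfd)) {
		err = errno;
		goto error_close_memfd;
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	close(memfd);
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Best-effort detach of the backing file from `loopname`; failures are ignored.
static void reset_loop_device(const char* loopname)
{
	int loopfd = open(loopname, O_RDWR);
	if (loopfd == -1)
		return;
	if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
	}
	close(loopfd);
}

// Pseudo-syscall: attaches the image to /dev/loop<procid>, asks the kernel to
// scan its partition table, and symlinks each partition node that appears
// (/dev/loop<procid>p1..p7) to ./file0, ./file1, ... in order.  Returns 0, or
// -1 with errno set (the loop device is detached again on failure only).
static long syz_read_part_table(volatile unsigned long size, volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int err = 0, res = -1, loopfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(data, size, loopname, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	if (res)
		ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	errno = err;
	return res;
}

// Pseudo-syscall: mounts filesystem `fsarg` at `dir`.  With a non-zero `size`
// the image is unpacked onto /dev/loop<procid> and that device is the source;
// otherwise the source is NULL (pseudo-filesystems).  Mount options are copied
// into a 256-byte buffer with 32 bytes held back for the suffixes appended
// below (longer option strings are silently truncated).  Per-fs tweaks:
// iso9660 is forced read-only; ext* gets ",errors=continue" unless a proper
// "errors=remount-ro" option is already present; xfs gets ",nouuid".
// Returns an O_RDONLY|O_DIRECTORY fd on the mount point (after chdir when
// `change_dir` is set), or -1 with errno set.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		int loopfd;
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		close(loopfd);
		source = loopname;
	}
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	// Truncation is accepted silently; the memset above guarantees termination.
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		bool has_remount_ro = false;
		char* remount_ro_start = strstr(opts, "errors=remount-ro");
		if (remount_ro_start != NULL) {
			// Only count it when it is a whole option, not a substring of one.
			char after = *(remount_ro_start + strlen("errors=remount-ro"));
			char before = remount_ro_start == opts ?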
'\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } uint64_t r[23] = {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } syscall(__NR_clock_getres, /*id=*/0ul, /*tp=*/0ul); res = syscall(__NR_semget, /*key=*/0x798e2636ul, /*nsems=*/4ul, /*flags=IPC_EXCL|0x95*/ 0x495ul); if (res != -1) r[0] = res; res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/6); if (res != -1) r[1] = res; *(uint32_t*)0x200000000000 = 0; 
*(uint32_t*)0x200000000004 = 0; syscall(__NR_setsockopt, /*fd=*/r[1], /*level=*/1, /*optname=*/0xd, /*optval=*/0x200000000000ul, /*optlen=*/8ul); res = syscall(__NR_clock_gettime, /*id=*/0ul, /*tp=*/0x200000000040ul); if (res != -1) { r[2] = *(uint64_t*)0x200000000040; r[3] = *(uint64_t*)0x200000000048; } syz_sysconfig_set__proc_sys_net_ipv4_tcp_sack(/*val=*/4); *(uint16_t*)0x200000000000 = 0; *(uint16_t*)0x200000000002 = 0x80; *(uint16_t*)0x200000000004 = 0x1000; *(uint16_t*)0x200000000006 = 1; *(uint16_t*)0x200000000008 = 0xfffb; *(uint16_t*)0x20000000000a = 0x1000; *(uint16_t*)0x20000000000c = 2; *(uint16_t*)0x20000000000e = 9; *(uint16_t*)0x200000000010 = 0x800; *(uint16_t*)0x200000000012 = 4; *(uint16_t*)0x200000000014 = 6; *(uint16_t*)0x200000000016 = 0x1800; *(uint16_t*)0x200000000018 = 0; *(uint16_t*)0x20000000001a = 6; *(uint16_t*)0x20000000001c = 0x800; *(uint16_t*)0x20000000001e = 1; *(uint16_t*)0x200000000020 = 6; *(uint16_t*)0x200000000022 = 0x1000; *(uint64_t*)0x200000000080 = r[2]; *(uint64_t*)0x200000000088 = r[3] + 60000000; syscall(__NR_semtimedop, /*semid=*/r[0], /*ops=*/0x200000000000ul, /*nops=*/6ul, /*timeout=*/0x200000000080ul); syz_sysconfig_reset__proc_sys_net_ipv4_tcp_sack(); memcpy((void*)0x200000000000, "user\000", 5); memcpy((void*)0x200000000040, "syz", 3); *(uint8_t*)0x200000000043 = 0x21; *(uint8_t*)0x200000000044 = 0; memset((void*)0x200000000080, 99, 1); res = syscall(__NR_add_key, /*type=*/0x200000000000ul, /*desc=*/0x200000000040ul, /*payload=*/0x200000000080ul, /*paylen=*/1ul, /*keyring=*/-1); if (res != -1) r[4] = res; res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/4); if (res != -1) r[5] = res; memcpy((void*)0x200000000240, "ext4\000", 5); memcpy((void*)0x200000000000, "./mnt\000", 6); memcpy((void*)0x200000000180, "nobh", 4); *(uint8_t*)0x200000000184 = 0x2c; memcpy((void*)0x200000000185, "nouid32", 7); *(uint8_t*)0x20000000018c = 0x2c; memcpy((void*)0x20000000018d, "stripe", 6); 
*(uint8_t*)0x200000000193 = 0x3d; sprintf((char*)0x200000000194, "0x%016llx", (long long)0x8a7); *(uint8_t*)0x2000000001a6 = 0x2c; memcpy((void*)0x2000000001a7, "errors=continue", 15); *(uint8_t*)0x2000000001b6 = 0x2c; memcpy((void*)0x2000000001b7, "oldalloc", 8); *(uint8_t*)0x2000000001bf = 0x2c; memcpy((void*)0x2000000001c0, "data=journal", 12); *(uint8_t*)0x2000000001cc = 0x2c; memcpy((void*)0x2000000001cd, "debug_want_extra_isize", 22); *(uint8_t*)0x2000000001e3 = 0x3d; sprintf((char*)0x2000000001e4, "0x%016llx", (long long)0x9ca1); *(uint8_t*)0x2000000001f6 = 0x2c; memcpy((void*)0x2000000001f7, "errors=remount-ro", 17); *(uint8_t*)0x200000000208 = 0x2c; memcpy((void*)0x200000000209, "nodelalloc", 10); *(uint8_t*)0x200000000213 = 0x2c; *(uint8_t*)0x200000000214 = 0; memcpy( (void*)0x200000000300, "\x78\x9c\xec\xdd\x31\x68\x33\x65\x1c\x06\xf0\xe7\x2e\x89\x9f\xfd\xbe\x20" "\x55\x17\x41\x50\x41\x44\xb4\x50\xea\x26\xb8\xd4\x45\xa1\x20\xa5\x88\x08" "\x2a\x54\x44\x5c\x94\x56\xa8\x2d\x6e\xad\x93\x8b\x83\xce\x2a\x9d\x5c\x8a" "\xb8\x59\x1d\xa5\x4b\x71\x51\x04\xa7\xaa\x1d\xea\x22\x68\x71\xb0\x38\xe8" "\x10\xb9\x5c\x2b\xd5\x46\x14\x53\x73\xf2\xdd\xef\x07\x97\xdc\x25\xef\x7b" "\xff\xf7\xb8\x7b\xde\x64\x39\x2e\x40\x6b\x4d\x27\x99\x4f\xd2\x49\x32\x93" "\xa4\x97\xa4\x38\xdf\xe0\xae\x7a\x99\x3e\xdd\xdc\x9e\xda\x5f\x4e\x06\x83" "\xc7\x7f\x2c\x86\xed\xea\xed\xda\x59\xbf\x6b\x49\xb6\x92\x3c\x98\x64\xaf" "\x2c\xf2\x62\x37\xd9\xd8\x7d\xfa\xe8\xe7\x83\x47\xef\x7d\x63\xbd\x77\xcf" "\x7b\xbb\x4f\x4d\x4d\xf4\x20\x4f\x1d\x1f\x1d\x3e\x76\xf2\xee\xe2\xeb\x1f" "\x2e\x3c\xb0\xf1\xf9\x97\xdf\x2f\x16\x99\x4f\xff\x0f\xc7\x75\xf9\x8a\x11" "\x9f\x75\x8b\xe4\x96\xff\xa2\xd8\xff\x44\xd1\x6d\x7a\x04\xfc\x13\x4b\xaf" "\x7e\xf0\x55\x95\xfb\x5b\x93\xdc\x3d\xcc\x7f\x2f\x65\xea\x93\xf7\xe6\xda" "\x0d\x7b\xbd\xdc\xff\xce\x5f\xf5\x7d\xeb\x87\x2f\x6e\x9f\xe4\x58\x81\xcb" "\x37\x18\xf4\xaa\xdf\xc0\xad\x01\xd0\x3a\x65\x92\x7e\x8a\x72\x36\x49\xbd" 
"\x5e\x96\xb3\xb3\xf5\x7f\xf8\xaf\x3b\x57\xcb\x97\x56\xd7\x5e\x99\x79\x61" "\x75\x7d\xe5\xf9\xa6\x67\x2a\xe0\xb2\xf4\x93\xc3\x47\x3e\xbe\xf2\xd1\xb5" "\x3f\xe5\xff\xbb\x4e\x9d\x7f\xe0\xfa\x55\xe5\xff\x89\xa5\x9d\x6f\xaa\xf5" "\x93\x4e\xd3\xa3\x01\x26\xa9\xca\xff\xcc\xb3\x9b\xf7\x45\xfe\xa1\x75\xe4" "\x1f\xda\x4b\xfe\xa1\xbd\xe4\x1f\xda\x4b\xfe\xa1\xbd\xe4\x1f\xda\x4b\xfe" "\xa1\xbd\xe4\x1f\xda\x4b\xfe\xa1\xbd\xe4\x1f\xda\xeb\x7c\xfe\x01\x80\x76" "\x19\x5c\x69\xfa\x0e\x64\xa0\x29\x4d\xcf\x3f\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\xc0\x45\xdb\x53\xfb\xcb\x67\xcb\xa4\x6a\x7e" "\xfa\x76\x72\xfc\x70\x92\xee\xa8\xfa\x9d\xe1\xf3\x88\x93\x1b\x87\xaf\x57" "\x7f\x2a\xaa\x66\xbf\x2b\xea\x6e\x63\x79\xe6\xce\x31\x77\x30\xa6\xf7\x1b" "\xbe\xfb\xfa\xa6\x6f\x9b\xad\xff\xd9\x1d\xcd\xd6\xdf\x5c\x49\xb6\x5e\x4b" "\x32\xd7\xed\x5e\xbc\xfe\x8a\xd3\xeb\xef\xdf\xbb\xf9\x6f\xbe\xef\x3d\x37" "\x66\x81\x31\x3d\xf4\x64\xb3\xf5\x7f\xdd\x69\xb6\xfe\xc2\x41\xf2\x49\x35" "\xff\xcc\x8d\x9a\x7f\xca\xdc\x36\x7c\x1f\x3d\xff\xf4\xab\xf3\x37\x66\xfd" "\x97\x7f\x19\x73\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4c\xcc\x6f\x01" "\x00\x00\xff\xff\xc9\xf4\x6d\x29", 566); syz_mount_image(/*fs=*/0x200000000240, /*dir=*/0x200000000000, /*flags=MS_POSIXACL*/ 0x10000, /*opts=*/0x200000000180, /*chdir=*/1, /*size=*/0x236, /*img=*/0x200000000300); res = syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0xc0502100, /*arg=*/0x2000000000c0ul); if (res != -1) r[6] = *(uint32_t*)0x2000000000c8; syscall(__NR_ptrace, /*req=PTRACE_DETACH*/ 0x11ul, /*pid=*/r[6], 0, 0); *(uint32_t*)0x200000000080 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000000040ul, /*optlen=*/0x200000000080ul); if (res != -1) r[7] = *(uint32_t*)0x200000000044; syscall(__NR_keyctl, /*code=*/4ul, /*key=*/r[4], /*uid=*/r[7], /*gid=*/0, 0); syz_sysconfig_set__proc_sys_fs_pipe_user_pages_soft(/*val=*/0xfffffffa); 
syz_sysconfig_reset__proc_sys_fs_pipe_user_pages_soft(); memcpy((void*)0x200000000000, "./file0\000", 8); res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000000ul, /*flags=O_SYNC|O_NOATIME|O_DIRECT|O_CREAT|O_RDWR*/ 0x145042, /*mode=*/0); if (res != -1) r[8] = res; syscall(__NR_fallocate, /*fd=*/r[8], /*mode=FALLOC_FL_ZERO_RANGE|FALLOC_FL_KEEP_SIZE*/ 0x11ul, /*off=*/0ul, /*len=*/0ul); syscall(__NR_write, /*fd=*/r[8], /*buf=*/0ul, /*len=*/0ul); memcpy( (void*)0x200000000600, "\x78\x9c\xec\xdc\xb1\x6b\x53\x6b\x18\x07\xe0\x2f\x41\x22\x0a\x22\x6e\x6e" "\x06\x33\x44\x5c\x52\xc8\x18\x22\x68\x88\x87\x12\x30\x21\x78\xd1\x41\x44" "\xb7\x0a\x37\x8b\x4e\x0e\x31\x82\x01\x71\x30\x2e\x11\xc1\xa5\x0e\x8a\x50" "\x83\x72\xd1\x49\x44\x10\x44\x4c\x1c\x0a\x99\x4a\x4b\x7b\x97\xb6\x94\x0e" "\x97\x42\x97\x40\x29\xb9\x14\x4e\xff\x80\xde\x4b\x0a\xc2\xf3\xc0\x19\xbe" "\xf7\xfb\x9d\xf3\x9e\x97\xc3\x19\xcf\x09\xfc\xd6\x92\xe1\x9f\xf1\x78\x9c" "\x08\x21\x8c\x8f\x1e\xfc\xec\x3f\xe6\xca\x97\xa7\xd3\xb5\x8b\xf5\xab\x21" "\x24\xc2\x8d\x10\xc2\xd4\x5f\x85\x99\xbd\x9d\x44\x9c\xd8\xbf\xea\xd9\x78" "\xbd\x12\xaf\xf3\x5f\x8e\x34\x9e\xce\x45\x8f\x3b\xdd\x13\xa7\x3f\xa5\x77" "\x7e\x25\xe3\xfd\x87\x21\x84\x3f\x43\x08\xeb\x83\x97\x37\xff\xf7\x70\x4c" "\xdc\xb9\x7b\xe7\xbf\x9d\x19\x0d\x4f\x7d\xae\x84\x57\xfd\x0b\xfd\xc2\xf1" "\xc6\xf5\x99\x5e\xb6\xd4\xea\xcd\xd7\x3e\x5e\x7a\x93\x7e\xbb\xff\xdc\x73" "\x13\xea\xff\xa1\xf8\xe3\xe4\xa3\xf6\xdd\xa8\x73\xbf\x78\x67\x21\x6a\xae" "\x46\x1b\xc9\xed\xad\xe8\xca\x8b\xd9\x5c\xea\x59\xab\x9e\xdd\x9c\x8a\x73" "\xb7\x26\xd4\xbf\xb1\x7b\x2d\xf5\xee\xf5\xf7\x52\x7b\xed\x58\xfe\x67\xa5" "\x5a\xed\xbe\x5f\x7a\x9e\x69\x96\xbf\xb6\x1f\x0c\x07\x99\xc5\xd1\x93\xdb" "\x71\x6e\xf9\x3f\xbc\x5d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\xbe\x73\xf7" 
"\xce\x7f\x3b\x33\x1a\x9e\xfa\x5c\x09\xaf\xfa\x17\xfa\x85\xe3\x8d\xeb\x33" "\xbd\x6c\xa9\xd5\x9b\xaf\x7d\xbc\xf4\x26\xfd\xf6\x6c\x9c\xcb\x4d\xa8\xff" "\x87\xe2\x8f\x93\x8f\xda\x77\xa3\xce\xfd\xe2\x9d\x85\xa8\xb9\x1a\x6d\x24" "\xb7\xb7\xa2\x2b\x2f\x66\x73\xa9\x67\xad\x7a\x76\x73\x2a\xce\xdd\x9a\x50" "\xff\xc6\xee\xb5\xd4\xbb\xd7\xdf\x4b\xed\xb5\x63\xf9\x9f\x95\x6a\xb5\xfb" "\x7e\xe9\x79\xa6\x59\xfe\xda\x7e\x30\x1c\x64\x16\x47\x4f\x6e\xc7\xb9\xe5" "\xa3\x13\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x08\x21\x94\x2f\x4f\xa7\x6b\x17\xeb\x57\x43\x48\x84\x1b\x21\x84\xc2" "\xec\xf4\xd2\x5e\x7d\x1c\x7f\xef\x9e\x88\x73\xfb\xff\x01\x58\x89\xeb\xf9" "\x2f\x47\x1a\x4f\xe7\xa2\xc7\x9d\xee\x89\xd3\x9f\xd2\x3b\xbf\xfe\x8e\xeb" "\x0f\xe3\x63\x7d\xf0\xf2\xe6\xa1\x0f\xc3\x81\xfd\x1b\x00\x00\xff\xff\x5f" "\x9f\x8a\x1c", 1497); syz_read_part_table(/*size=*/0x5d6, /*img=*/0x200000000600); res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/3ul, /*proto=*/2); if (res != -1) r[9] = res; *(uint32_t*)0x200000000140 = 0; syscall(__NR_setsockopt, /*fd=*/r[9], /*level=*/0, /*opt=*/0xc8, /*val=*/0x200000000140ul, /*len=*/4ul); syscall(__NR_setsockopt, /*fd=*/r[9], /*level=*/0, /*opt=*/5, /*val=*/0ul, /*len=*/0ul); memcpy((void*)0x200000000240, "ext4\000", 5); memcpy((void*)0x200000000280, "./mnt\000", 6); *(uint8_t*)0x2000000002c0 = 0; memcpy( (void*)0x200000000a40, "\x78\x9c\xec\xdd\x31\x68\x24\x55\x1c\x06\xf0\x6f\x66\x77\xef\xcc\xdd\x22" "\xa7\x36\x82\xa0\x82\x88\x68\x20\x9c\x9d\x60\x73\x36\x0a\x07\x72\x04\x11" "\x41\x85\x88\x88\x8d\x92\x08\x31\xc1\x2e\xb1\xb2\xb1\xd0\x5a\x25\x95\x4d" "\x10\x3b\xa3\xa5\xa4\x09\x36\x8a\x60\x15\x35\x45\x6c\x04\x0d\x16\x06\x0b" "\x2d\x56\x66\x27\x91\x68\x56\x0c\xee\x66\x47\x9c\xdf\x0f\x26\x99\xd9\x7d" "\xb3\xff\x37\xcc\x7c\xef\x4d\x33\x4c\x80\xd6\xba\x92\xe4\x5a\x92\x4e\x92" "\xd9\x24\xbd\x24\xc5\xc9\x06\x77\xd7\xcb\x95\xa3\xcd\x8d\x99\x9d\x85\x64" "\x30\x78\xe2\xa7\x62\xd8\xae\xde\xae\x1d\xef\x77\x39\xc9\x7a\x92\x87\x92" 
"\x6c\x97\x45\x5e\xea\x26\xab\x5b\xcf\xec\xff\xb2\xfb\xd8\x7d\x6f\xae\xf4" "\xee\x7d\x7f\xeb\xe9\x99\xa9\x1e\xe4\x91\x83\xfd\xbd\xc7\x0f\xdf\xbb\xf1" "\xc6\x47\xd7\x1f\x5c\xfd\xe2\xab\x1f\x6e\x14\xb9\x96\xfe\x9f\x8e\x6b\xf2" "\x8a\x11\x9f\x75\x8b\xe4\xd6\xf3\x28\xf6\x1f\x51\x74\x9b\xee\x01\x67\x31" "\xff\xda\x87\x5f\x57\xb9\xbf\x2d\xc9\x3d\xc3\xfc\xf7\x52\xa6\x3e\x79\x6f" "\x2d\x5f\xd8\xee\xe5\x81\x77\xff\x6e\xdf\xb7\x7f\xfc\xf2\x8e\x69\xf6\x15" "\x98\xbc\xc1\xa0\x57\xcd\x81\xeb\x03\xa0\x75\xca\x24\xfd\x14\xe5\x5c\x92" "\x7a\xbd\x2c\xe7\xe6\xea\x7b\xf8\x6f\x3a\x97\xca\x97\x97\x96\x5f\x9d\x7d" "\x71\x69\x65\xf1\x85\xa6\x47\x2a\x60\x52\xfa\xc9\xde\xa3\x9f\x5c\xfc\xf8" "\xf2\x5f\xf2\xff\x7d\xa7\xce\xff\x09\x77\x35\xd6\x49\xe0\x5c\x54\xf9\x7f" "\x72\x7e\xf3\xdb\x6a\xfd\xb0\xd3\x74\x6f\x80\x69\xaa\xf2\x3f\xfb\xdc\xda" "\xfd\x91\x7f\x68\x1d\xf9\x87\xff\xa3\x0b\x67\x6a\x25\xff\xd0\x5e\xf2\x0f" "\xed\x25\xff\xd0\x5e\x13\xc9\xff\xda\x64\xfb\x04\x4c\x87\xf9\x1f\xda\xeb" "\x64\xfe\x81\x76\x31\xff\x43\x7b\xc9\x3f\xb4\x97\xfb\x7f\x00\x68\xaf\xc1" "\xc5\xa6\x9f\x40\x06\x9a\xd2\xf4\xf8\x03\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x9c\xb6\x31\xb3\xb3\x70\xbc\x4c\xab\xe6\x67\xef" "\x24\x07\x8f\x24\xe9\x8e\xaa\xdf\x19\xbe\x8f\x38\xb9\x69\xf8\xf7\xd2\xcf" "\x45\xd5\xec\x0f\x45\xbd\xdb\x58\x9e\x6d\xf8\xcd\xc6\x1f\x34\xfc\xf4\xf5" "\xcd\xdf\x35\x5b\xff\xf3\x3b\x9b\xad\xbf\xb6\x98\xac\xbf\x9e\xe4\x6a\xb7" "\x7b\xfa\xfa\x2b\x8e\xae\xbf\x7f\xef\x96\x7f\xf8\xbe\xf7\xfc\x98\x05\xc6" "\xf4\xf0\x53\xcd\xd6\xff\x6d\xb3\xd9\xfa\xd7\x77\x93\x4f\xab\xf1\xe7\xea" "\xa8\xf1\xa7\xcc\xed\xc3\xff\xa3\xc7\x9f\x7e\x75\xfe\xc6\xac\xff\xca\xaf" "\x63\xfe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x53\xf3\x7b\x00\x00\x00" "\xff\xff\x9d\x1f\x6c\xd6", 582); syz_mount_image(/*fs=*/0x200000000240, /*dir=*/0x200000000280, /*flags=*/0, /*opts=*/0x2000000002c0, /*chdir=*/0, /*size=*/0x246, /*img=*/0x200000000a40); 
syz_sysconfig_reset__proc_sys_net_ipv6_conf_sit0_force_tllao(); syz_sysconfig_set__proc_sys_net_ipv6_conf_lo_drop_unicast_in_l2_multicast( /*val=*/5); syz_sysconfig_reset__proc_sys_net_ipv6_conf_lo_drop_unicast_in_l2_multicast(); res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/3ul, /*proto=*/1); if (res != -1) r[10] = res; memcpy((void*)0x200000000080, "system.posix_acl_default\000", 25); syscall(__NR_fsetxattr, /*fd=*/r[10], /*name=*/0x200000000080ul, /*val=*/0x200000000240ul, /*size=*/0x44ul, /*flags=*/0ul); syscall(__NR_semctl, /*semid=*/0, /*semnum=*/0ul, /*cmd=*/4ul, 0); syz_sysconfig_set__proc_sys_net_ipv4_tcp_no_ssthresh_metrics_save(/*val=*/7); syz_sysconfig_reset__proc_sys_net_ipv4_tcp_no_ssthresh_metrics_save(); memcpy((void*)0x200000000080, "./file1\000", 8); res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000080ul, /*flags=O_SYNC|O_DIRECT|O_CREAT|O_RDWR*/ 0x105042, /*mode=*/0); if (res != -1) r[11] = res; syscall(__NR_write, /*fd=*/r[11], /*buf=*/0ul, /*len=*/0xa12ul); memcpy((void*)0x200000000000, "ext4\000", 5); memcpy((void*)0x200000000080, "./mnt\000", 6); memcpy((void*)0x200000000040, "grpid", 5); *(uint8_t*)0x200000000045 = 0x2c; memcpy((void*)0x200000000046, "data=writeback", 14); *(uint8_t*)0x200000000054 = 0x2c; memcpy((void*)0x200000000055, "nombcache", 9); *(uint8_t*)0x20000000005e = 0x2c; memcpy((void*)0x20000000005f, "noauto_da_alloc", 15); *(uint8_t*)0x20000000006e = 0x2c; *(uint8_t*)0x20000000006f = 0; memcpy( (void*)0x200000000300, "\x78\x9c\xec\xdd\x31\x68\x33\x65\x1c\x06\xf0\xe7\x2e\x89\x9f\xfd\xbe\x20" "\x55\x17\x41\x50\x41\x44\xb4\x50\xea\x26\xb8\xd4\x45\xa1\x20\xa5\x88\x08" "\x2a\x54\x44\x5c\x94\x56\xa8\x2d\x6e\xad\x93\x8b\x83\xce\x2a\x9d\x5c\x8a" "\xb8\x59\x1d\xa5\x4b\x71\x51\x04\xa7\xaa\x1d\xea\x22\x68\x71\xb0\x38\xe8" "\x10\xb9\x5c\x2b\xd5\x46\x14\x53\x73\xf2\xdd\xef\x07\x97\xdc\x25\xef\x7b" "\xff\xf7\xb8\x7b\xde\x64\x39\x2e\x40\x6b\x4d\x27\x99\x4f\xd2\x49\x32\x93" 
"\xa4\x97\xa4\x38\xdf\xe0\xae\x7a\x99\x3e\xdd\xdc\x9e\xda\x5f\x4e\x06\x83" "\xc7\x7f\x2c\x86\xed\xea\xed\xda\x59\xbf\x6b\x49\xb6\x92\x3c\x98\x64\xaf" "\x2c\xf2\x62\x37\xd9\xd8\x7d\xfa\xe8\xe7\x83\x47\xef\x7d\x63\xbd\x77\xcf" "\x7b\xbb\x4f\x4d\x4d\xf4\x20\x4f\x1d\x1f\x1d\x3e\x76\xf2\xee\xe2\xeb\x1f" "\x2e\x3c\xb0\xf1\xf9\x97\xdf\x2f\x16\x99\x4f\xff\x0f\xc7\x75\xf9\x8a\x11" "\x9f\x75\x8b\xe4\x96\xff\xa2\xd8\xff\x44\xd1\x6d\x7a\x04\xfc\x13\x4b\xaf" "\x7e\xf0\x55\x95\xfb\x5b\x93\xdc\x3d\xcc\x7f\x2f\x65\xea\x93\xf7\xe6\xda" "\x0d\x7b\xbd\xdc\xff\xce\x5f\xf5\x7d\xeb\x87\x2f\x6e\x9f\xe4\x58\x81\xcb" "\x37\x18\xf4\xaa\xdf\xc0\xad\x01\xd0\x3a\x65\x92\x7e\x8a\x72\x36\x49\xbd" "\x5e\x96\xb3\xb3\xf5\x7f\xf8\xaf\x3b\x57\xcb\x97\x56\xd7\x5e\x99\x79\x61" "\x75\x7d\xe5\xf9\xa6\x67\x2a\xe0\xb2\xf4\x93\xc3\x47\x3e\xbe\xf2\xd1\xb5" "\x3f\xe5\xff\xbb\x4e\x9d\x7f\xe0\xfa\x55\xe5\xff\x89\xa5\x9d\x6f\xaa\xf5" "\x93\x4e\xd3\xa3\x01\x26\xa9\xca\xff\xcc\xb3\x9b\xf7\x45\xfe\xa1\x75\xe4" "\x1f\xda\x4b\xfe\xa1\xbd\xe4\x1f\xda\x4b\xfe\xa1\xbd\xe4\x1f\xda\x4b\xfe" "\xa1\xbd\xe4\x1f\xda\x4b\xfe\xa1\xbd\xe4\x1f\xda\xeb\x7c\xfe\x01\x80\x76" "\x19\x5c\x69\xfa\x0e\x64\xa0\x29\x4d\xcf\x3f\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\xc0\x45\xdb\x53\xfb\xcb\x67\xcb\xa4\x6a\x7e" "\xfa\x76\x72\xfc\x70\x92\xee\xa8\xfa\x9d\xe1\xf3\x88\x93\x1b\x87\xaf\x57" "\x7f\x2a\xaa\x66\xbf\x2b\xea\x6e\x63\x79\xe6\xce\x31\x77\x30\xa6\xf7\x1b" "\xbe\xfb\xfa\xa6\x6f\x9b\xad\xff\xd9\x1d\xcd\xd6\xdf\x5c\x49\xb6\x5e\x4b" "\x32\xd7\xed\x5e\xbc\xfe\x8a\xd3\xeb\xef\xdf\xbb\xf9\x6f\xbe\xef\x3d\x37" "\x66\x81\x31\x3d\xf4\x64\xb3\xf5\x7f\xdd\x69\xb6\xfe\xc2\x41\xf2\x49\x35" "\xff\xcc\x8d\x9a\x7f\xca\xdc\x36\x7c\x1f\x3d\xff\xf4\xab\xf3\x37\x66\xfd" "\x97\x7f\x19\x73\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4c\xcc\x6f\x01" "\x00\x00\xff\xff\xc9\xf4\x6d\x29", 566); syz_mount_image(/*fs=*/0x200000000000, /*dir=*/0x200000000080, 
/*flags=MS_SYNCHRONOUS|MS_NOATIME*/ 0x410, /*opts=*/0x200000000040, /*chdir=*/1, /*size=*/0x236, /*img=*/0x200000000300); *(uint32_t*)0x200000000140 = 0; *(uint32_t*)0x200000000144 = 0x80; *(uint8_t*)0x200000000148 = 0; *(uint8_t*)0x200000000149 = 0; *(uint8_t*)0x20000000014a = 0; *(uint8_t*)0x20000000014b = 0; *(uint32_t*)0x20000000014c = 0; *(uint64_t*)0x200000000150 = 0; *(uint64_t*)0x200000000158 = 0; *(uint64_t*)0x200000000160 = 0; STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 2, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 3, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 5, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 6, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 7, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 8, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 9, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 10, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 11, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 12, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 13, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 14, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 15, 2); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 17, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 18, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 19, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 20, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 21, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 22, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 23, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 24, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 25, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 26, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 27, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 28, 1); 
STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 29, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 30, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 31, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 32, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 33, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 34, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 35, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 36, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 37, 1); STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 38, 26); *(uint32_t*)0x200000000170 = 0; *(uint32_t*)0x200000000174 = 0; *(uint64_t*)0x200000000178 = 0; *(uint64_t*)0x200000000180 = 0; *(uint64_t*)0x200000000188 = 0; *(uint64_t*)0x200000000190 = 0; *(uint32_t*)0x200000000198 = 0; *(uint32_t*)0x20000000019c = 0; *(uint64_t*)0x2000000001a0 = 0; *(uint32_t*)0x2000000001a8 = 0; *(uint16_t*)0x2000000001ac = 0; *(uint16_t*)0x2000000001ae = 0; *(uint32_t*)0x2000000001b0 = 0; *(uint32_t*)0x2000000001b4 = 0; *(uint64_t*)0x2000000001b8 = 0; res = syscall(__NR_perf_event_open, /*attr=*/0x200000000140ul, /*fd=*/-1, /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul); if (res != -1) r[12] = res; syz_sysconfig_set__proc_sys_fs_protected_fifos(/*val=*/0x100); syscall(__NR_ioctl, /*fd=*/r[12], /*cmd=*/0x2400, /*flags=*/0x99ul); res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0); if (res != -1) r[13] = res; *(uint64_t*)0x200000006cc0 = 0; *(uint32_t*)0x200000006cc8 = 0; *(uint64_t*)0x200000006cd0 = 0x200000006c80; *(uint64_t*)0x200000006c80 = 0x200000000680; *(uint32_t*)0x200000000680 = 0x23; *(uint16_t*)0x200000000684 = 0x2d; *(uint16_t*)0x200000000686 = 1; *(uint32_t*)0x200000000688 = 0; *(uint32_t*)0x20000000068c = 0; *(uint8_t*)0x200000000690 = 0; *(uint8_t*)0x200000000691 = 0; *(uint16_t*)0x200000000692 = 0; *(uint32_t*)0x200000000694 = 0; *(uint16_t*)0x200000000698 = 0; *(uint16_t*)0x20000000069a = 0; *(uint16_t*)0x20000000069c = 0; *(uint16_t*)0x20000000069e = 0; 
*(uint16_t*)0x2000000006a0 = 0; *(uint16_t*)0x2000000006a2 = 0; *(uint64_t*)0x200000006c88 = 0x24; *(uint64_t*)0x200000006cd8 = 1; *(uint64_t*)0x200000006ce0 = 0; *(uint64_t*)0x200000006ce8 = 0; *(uint32_t*)0x200000006cf0 = 0; syscall(__NR_sendmsg, /*fd=*/r[13], /*msg=*/0x200000006cc0ul, /*f=*/0ul); res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_SEQPACKET*/ 5ul, /*proto=*/0, /*fds=*/0x200000000040ul); if (res != -1) r[14] = *(uint32_t*)0x200000000044; *(uint16_t*)0x200000000080 = 1; *(uint8_t*)0x200000000082 = 0; *(uint32_t*)0x200000000084 = 0; syscall(__NR_bind, /*fd=*/r[14], /*addr=*/0x200000000080ul, /*addrlen=*/0x6eul); syscall(__NR_ioctl, /*fd=*/r[14], /*cmd=*/0x8983, /*arg=*/0x2000000000c0ul); syz_sysconfig_set__proc_sys_net_core_optmem_max(/*val=*/0x2000000); syz_sysconfig_reset__proc_sys_fs_protected_fifos(); memcpy((void*)0x200000000040, "ext4\000", 5); memcpy((void*)0x200000000440, "./file0\000", 8); memcpy((void*)0x200000000080, "discard", 7); *(uint8_t*)0x200000000087 = 0x2c; memcpy((void*)0x200000000088, "nodelalloc", 10); *(uint8_t*)0x200000000092 = 0x2c; memcpy((void*)0x200000000093, "errors=remount-ro", 17); *(uint8_t*)0x2000000000a4 = 0x2c; *(uint8_t*)0x2000000000a5 = 0; memcpy( (void*)0x200000000880, "\x78\x9c\xec\xdd\xcd\x6e\x1b\x45\x1c\x00\xf0\xff\x6e\xbe\x68\x5a\x70\x80" "\xc2\x01\x2a\x11\x54\x21\x22\x3e\xf2\xd1\x54\xa1\x11\x95\xf8\x10\x47\x4e" "\x94\x17\x08\x49\x5a\x05\xdc\x86\x36\x41\xa2\x55\x0e\x20\x21\xfa\x00\xc0" "\x03\x20\x8e\xe5\x11\x38\x20\x6e\x48\x48\x5c\x2a\xce\xdc\x40\x95\x2a\x94" "\xe4\x5c\x19\xad\xb3\x4e\x96\xc4\x76\x12\x3b\xc6\x69\xfd\xfb\x49\x23\xcd" "\xcc\xda\x9a\xf9\x7b\x77\x3d\xd3\xd9\xa9\x13\x40\xcf\x1a\x8d\x88\x2f\x22" "\x62\x30\x22\x3e\x8e\x88\x52\x5e\x9f\xe4\x29\xde\xde\x4a\xd9\xeb\x36\xd7" "\xd7\xe6\xb3\x94\x44\xa5\x72\xe9\x9f\xa4\x7a\x7c\x63\x7d\x6d\x3e\x0a\xef" "\xc9\x9c\xcc\x0b\x63\x69\x44\xfa\x55\x12\xcf\xd7\x69\x77\xe5\xe6\xad\x4f" "\xe6\xca\xe5\xc5\x1b\x79\x79\x62\xf5\xea\xa7\x13\x2b\x37\x6f\xbd\xbe\x74" 
"\x75\xee\xca\xe2\x95\xc5\x6b\xd3\x93\xb3\xb3\x93\xd3\x17\x66\x66\x67\x8e" "\x2c\xd6\xbf\xe2\xf6\x9f\x17\xef\xbe\x57\xfa\xe6\xb7\xb3\x7f\xfc\xf2\xd1" "\x07\x33\x59\x7f\x4f\xe5\xc7\x8a\x71\xb4\x26\xd9\x53\x33\xba\xb7\x6a\xdb" "\x78\x7b\x8d\x1d\x3b\x8f\x15\xf2\x49\x7f\x17\x3b\xc2\xa1\xa4\x11\xd1\x17" "\x11\xfd\xd5\xfb\xbf\x14\x7d\xb1\x73\xf2\x4a\xf1\x53\xa9\xab\x9d\x03\x00" "\x3a\xa2\x52\x79\x6b\x57\x19\x00\x78\xf4\x25\xc6\x7c\x00\xe8\x31\xb5\x7f" "\xf7\x6f\xac\xaf\xcd\xd7\xd2\xbe\x8b\x06\x69\x67\xd6\x22\xba\xe1\xfe\x3b" "\x5b\x0f\xaf\x36\xf2\x67\x9b\x9b\xdb\xf1\xf7\x6f\x3f\x09\x19\xd8\xf5\x7c" "\xeb\x28\x8d\x46\xc4\x8f\xdf\xbd\xf1\x42\x96\xe2\x48\x9e\x43\x02\x00\x34" "\xf7\x73\x36\xff\xb9\x50\x6f\xfe\x97\xc6\x99\xc2\xeb\x4e\x44\xc4\x70\xbe" "\xb7\xeb\x54\x44\x3c\x1e\x11\x4f\x14\xf6\x8b\xb5\x6a\x74\x57\x79\xef\xfc" "\x27\xbd\xd7\x66\x13\x4d\x65\xf3\xbf\x8b\x85\xbd\x6d\x9b\x85\xf8\x73\x23" "\x7d\x79\x29\x8b\x79\x24\x06\x92\xcb\x4b\xe5\xc5\xc9\x3c\xfe\xb1\x18\x18" "\xca\xca\x53\x4d\xda\x38\x73\xe9\xd9\x07\x8d\x8e\x15\xe7\x7f\x59\xca\xda" "\xaf\xcd\x05\xf3\x7e\xdc\xeb\x1f\xfa\xef\x7b\x16\xe6\x56\xe7\xda\x89\xb9" "\xe8\xfe\x97\x11\xcf\xf5\xd7\x8b\x3f\xd9\x9e\xff\x26\xd5\xb8\x5b\xf7\xe6" "\xf5\x3b\xcf\x34\x3a\xb6\x7f\xfc\x9d\x55\xf9\x3e\xe2\xe5\xba\xe7\x7f\x67" "\xf3\x5e\xd2\x7c\x7f\xe2\x44\xf5\x7a\x98\xa8\x5d\x15\x7b\xdd\x7e\xe5\xa5" "\xeb\x8d\xda\xef\x76\xfc\xd9\xf9\x1f\x6e\x1e\xff\x48\x52\xdc\xaf\xb9\x72" "\xf8\x36\x7e\x3d\xbf\xf4\x7b\xa3\x63\xad\x5e\xff\x83\xc9\x87\xd5\xfc\x60" "\x5e\xf7\xf9\xdc\xea\xea\x8d\xa9\x88\xc1\xe4\xfd\xbd\xf5\xe7\x76\xde\x5b" "\x2b\xd7\x5e\x9f\xc5\x3f\x76\xb6\xfe\xfd\x7f\x3a\x76\x3e\x89\x27\x23\xe2" "\xa9\x88\x78\x3a\xa2\x5a\xdf\xf0\x82\xae\xe3\xb5\xf2\x0f\x2f\xb6\x1e\x7f" "\x67\x65\xf1\x2f\x1c\xea\xfc\x1f\x3e\x33\xfc\xf5\x9d\xbb\x8d\xda\x3f\xd8" "\xf9\x3f\x5f\xcd\x8d\xe5\x35\x07\xf9\xfe\x3b\x68\x07\xdb\xf9\xec\x00\x00" "\x00\xe0\x61\x91\x56\xd7\x73\x93\x74\x7c\x3b\x9f\xa6\xe3\xe3\x5b\xeb\xbc" 
"\xa7\x63\x38\x2d\x2f\xaf\xac\xbe\x7a\x79\xf9\xb3\x6b\x0b\x5b\xeb\xbe\x23" "\x31\x90\xd6\x56\xba\x4a\x85\xf5\xd0\xa9\x7c\x8d\xb0\x56\x3e\xb7\xab\x3c" "\x9d\xaf\xa1\x7c\xfb\xee\x89\x6a\x79\x7c\x7e\xb9\xbc\xd0\xed\xe0\x01\xa0" "\x47\x9d\x6c\x30\xfe\x67\xfe\x1e\xea\x76\xef\x00\x80\x8e\x69\x6d\x73\xbb" "\xd9\x01\x00\x3c\xcc\xb2\xf1\xff\x41\xa5\xdb\xbd\x00\x00\xfe\x4f\x9d\xfa" "\xcf\xed\x00\xc0\xf1\x65\xfc\x07\x80\xde\x63\xfc\x07\x80\xde\x63\xfc\x07" "\x80\x9e\xd2\xce\xef\xfa\xc9\xec\x93\x49\xb6\xfe\xb6\xfa\x81\x7f\x8c\xf0" "\x18\x67\x86\xe2\x58\x74\x43\xa6\x76\xe3\x76\xbc\xad\xae\x7e\x2d\x01\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x74\xdd\xbf\x01\x00\x00\xff\xff\x8a\x43\xd0\x38", 1023); syz_mount_image(/*fs=*/0x200000000040, /*dir=*/0x200000000440, /*flags=MS_LAZYTIME*/ 0x2000000, /*opts=*/0x200000000080, /*chdir=*/1, /*size=*/0x3ff, /*img=*/0x200000000880); memcpy((void*)0x200000000000, "./mnt\000", 6); syscall(__NR_mknod, /*file=*/0x200000000000ul, /*mode=*/0x7000000ul, /*dev=*/0); syscall(__NR_epoll_wait, /*epfd=*/-1, /*events=*/0ul, /*maxevents=*/0ul, /*timeout=*/0xfc2b); 
syz_sysconfig_set__proc_sys_net_ipv6_xfrm6_gc_thresh(/*val=*/4); res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x10); if (res != -1) r[15] = res; memcpy((void*)0x200000000080, "nl80211\000", 8); res = -1; res = syz_genetlink_get_family_id(/*name=*/0x200000000080, /*fd=*/-1); if (res != -1) r[16] = res; *(uint64_t*)0x200000000180 = 0; *(uint32_t*)0x200000000188 = 0; *(uint64_t*)0x200000000190 = 0x200000000140; *(uint64_t*)0x200000000140 = 0x2000000000c0; *(uint32_t*)0x2000000000c0 = 0x1c; *(uint16_t*)0x2000000000c4 = r[16]; *(uint16_t*)0x2000000000c6 = 0x50b; *(uint32_t*)0x2000000000c8 = 0; *(uint32_t*)0x2000000000cc = 0; *(uint8_t*)0x2000000000d0 = 0x1b; *(uint8_t*)0x2000000000d1 = 0; *(uint16_t*)0x2000000000d2 = 0; *(uint16_t*)0x2000000000d4 = 8; *(uint16_t*)0x2000000000d6 = 0x9a; *(uint32_t*)0x2000000000d8 = 2; *(uint64_t*)0x200000000148 = 0x1c; *(uint64_t*)0x200000000198 = 1; *(uint64_t*)0x2000000001a0 = 0; *(uint64_t*)0x2000000001a8 = 0; *(uint32_t*)0x2000000001b0 = 0; syscall(__NR_sendmsg, /*fd=*/r[15], /*msg=*/0x200000000180ul, /*f=*/0ul); memcpy((void*)0x200000000240, "ext4\000", 5); memcpy((void*)0x200000000280, "./mnt\000", 6); memcpy((void*)0x200000000000, "nobh", 4); *(uint8_t*)0x200000000004 = 0x2c; memcpy((void*)0x200000000005, "errors=remount-ro", 17); *(uint8_t*)0x200000000016 = 0x2c; memcpy((void*)0x200000000017, "bh", 2); *(uint8_t*)0x200000000019 = 0x2c; memcpy((void*)0x20000000001a, "grpjquota=", 10); *(uint8_t*)0x200000000024 = 0x2c; memcpy((void*)0x200000000025, "errors=remount-ro", 17); *(uint8_t*)0x200000000036 = 0x2c; memcpy((void*)0x200000000037, "nouid32", 7); *(uint8_t*)0x20000000003e = 0x2c; memcpy((void*)0x20000000003f, "lazytime", 8); *(uint8_t*)0x200000000047 = 0x2c; memcpy((void*)0x200000000048, "noquota", 7); *(uint8_t*)0x20000000004f = 0x2c; memcpy((void*)0x200000000050, "inode_readahead_blks", 20); *(uint8_t*)0x200000000064 = 0x3d; sprintf((char*)0x200000000065, "0x%016llx", (long long)4); 
*(uint8_t*)0x200000000077 = 0x2c; *(uint8_t*)0x200000000078 = 0; memcpy( (void*)0x200000000300, "\x78\x9c\xec\xdd\x3f\x68\x24\x65\x1c\x06\xe0\x77\x66\x77\xef\xcc\xdd\x22" "\xa7\x36\x82\xa0\x82\x88\x68\x20\x9c\x9d\x60\x73\x36\x0a\x07\x72\x1c\x22" "\x82\x0a\x27\x22\x36\xca\x9d\x70\x26\xd8\x25\xa9\x6c\x04\xb5\x56\x49\x65" "\x13\xc4\xce\x68\x29\x69\x82\x8d\x22\x58\x45\x4d\x11\x1b\x41\x83\x85\xc1" "\x42\x8b\x95\xdd\x49\x64\x35\x09\x26\xd9\x3f\x23\xce\xf3\xc0\xec\xce\xec" "\x7c\xb3\xbf\x6f\xd8\x79\xbf\x99\x66\x76\x02\x34\xd6\x85\x24\x97\x92\xb4" "\x92\xcc\x26\xe9\x24\x29\x86\x1b\xdc\x5b\x4d\x17\xf6\x16\x57\x66\x36\xae" "\x25\xbd\xde\x53\xbf\x14\x83\x76\xd5\x72\x65\x7f\xbb\xf3\x49\x96\x92\x3c" "\x92\x64\xbd\x2c\xf2\x4a\x3b\x59\x58\x7b\x6e\xfb\xb7\xcd\x27\x1e\x78\x6b" "\xbe\x73\xff\x87\x6b\xcf\xce\x4c\x75\x27\xf7\xec\x6c\x6f\x3d\xb9\xfb\xc1" "\x95\x37\x3f\xb9\xfc\xf0\xc2\x57\xdf\xfc\x74\xa5\xc8\xa5\x74\xff\xb6\x5f" "\xe3\x57\x1c\xf2\x59\xbb\x48\x6e\x9f\x44\xb1\xff\x88\xa2\x5d\x77\x0f\x38" "\x8e\xab\x6f\x7c\xfc\x6d\x3f\xf7\x77\x24\xb9\x6f\x90\xff\x4e\xca\x54\x3f" "\xde\x3b\x37\xcf\xac\x77\xf2\xd0\xfb\x47\x6d\xfb\xee\xcf\x5f\xdf\x35\xcd" "\xbe\x02\xe3\xd7\xeb\x75\xfa\xe7\xc0\xa5\x1e\xd0\x38\x65\x92\x6e\x8a\x72" "\x2e\x49\x35\x5f\x96\x73\x73\xd5\x35\xfc\x77\xad\x73\xe5\xab\x37\x6e\xbe" "\x3e\xfb\xf2\x8d\xf9\xeb\x2f\xd5\x3d\x52\x01\xe3\xd2\x4d\xb6\x1e\xff\xec" "\xec\xa7\xe7\xff\x91\xff\x1f\x5b\x55\xfe\x87\xdc\x53\x5b\x27\x81\x89\xe8" "\xe7\xff\xe9\xab\xab\xdf\xf7\xe7\x77\x5b\x75\xf7\x06\x98\xa6\x7e\xfe\x67" "\x5f\x58\x7c\x30\xf2\x0f\x8d\x23\xff\xf0\x7f\x74\xe6\x58\xad\xe4\x1f\x9a" "\x4b\xfe\xa1\xb9\xe4\x1f\x9a\xeb\xa8\xfc\x2f\x9f\xe4\x4b\x16\xc7\xdf\x2f" "\x60\xf2\x9c\xff\xa1\xb9\x86\xf3\x0f\x34\x8b\xf3\x3f\x34\xd7\x09\xf2\x5f" "\xad\xed\x4c\xa7\x5f\xc0\xe4\xb9\xfe\x07\x80\xe6\xea\x9d\xad\xfb\x0e\x64" "\xa0\x2e\x75\x8f\x3f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\xc0\x41\x2b\x33\x1b\xd7\xf6\xa7\x69\xd5\xfc\xe2\xbd\x64\xe7\xb1\x24" 
"\xed\x83\xf5\xcb\xb4\x06\xcf\x23\x4e\x6e\x19\xbc\x9e\xfb\xb5\xe8\x37\xfb" "\x4b\x51\x6d\x36\x92\xe7\x6b\x7e\xb2\xf1\x47\x35\xdf\x7d\x7d\xeb\x0f\xf5" "\xd6\xff\xf2\xee\x7a\xeb\x2f\x5e\x4f\x96\x96\x93\x5c\x6c\xb7\x0f\x1e\xff" "\xc5\xde\xf1\x77\x7a\xb7\xfd\xcb\xfa\xce\x8b\x23\x16\x18\xd1\xa3\xcf\xd4" "\x5b\xff\x8f\xd5\x7a\xeb\x5f\xde\x4c\x3e\xef\x8f\x3f\x17\x0f\x1b\xff\xca" "\xdc\x39\x78\x3f\x7c\xfc\xe9\x0e\xfd\x25\xe2\xc6\xdb\xa7\xab\xff\xda\xef" "\x23\x75\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x29\xfa\x33\x00\x00\xff" "\xff\x48\x7e\x6e\xb7", 599); syz_mount_image(/*fs=*/0x200000000240, /*dir=*/0x200000000280, /*flags=*/0, /*opts=*/0x200000000000, /*chdir=*/0, /*size=*/0x257, /*img=*/0x200000000300); syz_sysconfig_reset__proc_sys_net_ipv6_xfrm6_gc_thresh(); syscall(__NR_clock_gettime, /*id=*/8ul, /*tp=*/0x2000000000c0ul); res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0); if (res != -1) r[17] = res; memcpy((void*)0x200000000180, "/dev/loop#\000", 11); syz_open_dev(/*dev=*/0x200000000180, /*id=*/0, /*flags=*/0); memcpy((void*)0x200000000040, "./file1\000", 8); res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000040ul, /*flags=O_CREAT|O_RDWR*/ 0x42, /*mode=*/0); if (res != -1) r[18] = res; syscall(__NR_unshare, /*flags=CLONE_NEWPID|CLONE_FILES*/ 0x20000400ul); memcpy((void*)0x200000001200, "net/anycast6\000", 13); res = -1; res = syz_open_procfs(/*pid=*/-1, /*file=*/0x200000001200); if (res != -1) r[19] = res; memcpy((void*)0x200000000000, "/dev/sg#\000", 9); res = -1; res = syz_open_dev(/*dev=*/0x200000000000, /*id=*/0, /*flags=*/0); if (res != -1) r[20] = res; syscall(__NR_ioctl, /*fd=*/r[20], /*cmd=*/0x2270, /*arg=*/0x200000000040ul); syz_sysconfig_set__proc_sys_net_ipv6_conf_sit0_addr_gen_mode(/*val=*/1); syscall(__NR_setsockopt, /*fd=*/r[19], /*level=*/0, /*optname=*/0x29, /*optval=*/0ul, /*optlen=*/0ul); memcpy((void*)0x200000000040, "./file1\000", 8); 
res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000040ul, /*flags=O_CREAT|O_RDWR*/ 0x42, /*mode=*/0); if (res != -1) r[21] = res; syscall(__NR_pwritev, /*fd=*/r[21], /*vec=*/0ul, /*vlen=*/0ul, /*off_low=*/0, /*off_high=*/0); *(uint64_t*)0x200000000580 = 0; *(uint64_t*)0x200000000588 = 0; *(uint32_t*)0x200000000590 = 0; *(uint32_t*)0x200000000594 = 2; *(uint32_t*)0x200000000598 = 0; *(uint32_t*)0x20000000059c = 0; syscall(__NR_ioctl, /*fd=*/r[18], /*cmd=*/0x40305839, /*args=*/0x200000000580ul); syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0ul, /*f=*/0ul); memcpy((void*)0x2000000000c0, "vfat\000", 5); memcpy((void*)0x200000000240, "./file0\000", 8); memcpy( (void*)0x200000000280, "\x78\x9c\xec\xdb\xcf\x4a\x54\x6f\x18\x07\xf0\xaf\x7f\x7e\xfe\xa6\x5c\x8c" "\x44\xab\x68\x71\xa0\x45\xad\x06\xf5\x0a\x1a\xc2\x20\x1a\x08\x8c\x59\xd4" "\x2a\x49\x85\x70\x44\x50\x10\x6a\x91\xed\xba\x97\xa0\x9b\xe9\x0e\xda\x77" "\x01\x2e\x02\x83\x73\x26\x1d\xed\x08\x85\xd9\x29\xcf\xe7\x03\xc3\x79\x98" "\xf7\x7c\xe1\x39\x8b\x33\xcf\xbb\x78\xe7\xc5\xed\xed\xad\xf5\x9d\xbd\xcd" "\xf9\x8f\x9f\xd3\x99\x2a\x32\x9b\xdc\xcf\x61\xb2\x90\xe9\xcc\xa4\x32\x35" "\xbe\x4e\x97\xf5\x5c\x26\xbd\x0b\x00\xf0\xaf\x59\x5d\x5d\xeb\x37\xdd\x03" "\x97\x6b\x77\xb7\xbf\x76\x23\xc9\xfc\x0f\x2b\xc3\x0f\x8d\x34\x04\x00\x00" "\x00\x00\x00\x00\x00\x00\xc0\x85\x39\xff\x0f\x00\xed\xe3\xfc\xff\x15\xd7" "\x19\x5f\xa7\xeb\x16\x9d\xff\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x9a\x73\x78\x74\xd4\x3d\xaa\xf9\xfc\x9f\xa4\x93\xe4\x5a\x92\xeb" "\x49\xbe\x7f\xdf\x74\xbf\x00\xc0\xc5\x99\xff\x00\xd0\x3e\xe6\x3f\x00\xb4" "\x8f\xf9\x0f\x00\xed\xf3\xf4\xd9\xf3\xc7\xfd\xc1\x60\x65\xb5\x28\x3a\xc9" "\xf6\xfb\xfd\xe1\xfe\xb0\xba\x56\xeb\xfd\xcd\xbc\xca\x28\x1b\x59\x4c\x37" "\x5f\xcb\x7d\xc0\x58\x55\x3f\x7c\x34\x58\x59\x2c\x4a\x0b\xb9\xbb\x7d\x30" 
"\xce\x1f\xec\x0f\x67\x4e\xe7\x97\xd2\xcd\x42\x7d\x7e\xa9\xca\x17\xa7\xf3" "\xff\x95\xfb\x8e\xe3\xfc\x72\xba\xb9\x59\x9f\x5f\xae\xcd\xcf\xe5\xde\x9d" "\x89\x7c\x2f\xdd\x7c\x7a\x99\x9d\x8c\xb2\x5e\xee\x67\x4e\xf2\x6f\x97\x8a" "\xe2\xc1\x93\xc1\x99\xfc\x7c\x79\x1f\x00\x5c\x45\xbd\xe2\x58\xed\xfc\xee" "\xf5\xce\x5b\xaf\xf2\xbf\xb0\x3f\x38\x33\x5f\x67\x73\x6b\xb6\xd9\x67\x07" "\x80\xb6\xda\x7b\xfd\x66\x6b\x6d\x34\xda\xd8\x55\x28\x14\x93\xc5\xc1\x97" "\xea\x15\xf9\x5b\xfa\xf9\x4d\x45\xf1\x93\x37\x37\xfd\xcb\x04\x5c\xb6\x93" "\x97\xbe\xe9\x4e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\xf3\xfc" "\x89\xbf\x1c\x35\xfd\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\xb4\xcf\xb7\x00\x00\x00\xff\xff\xef\xf1\xe9" "\xd0", 505); syz_mount_image(/*fs=*/0x2000000000c0, /*dir=*/0x200000000240, /*flags=*/0, /*opts=*/0x2000000006c0, /*chdir=*/1, /*size=*/0x1f9, /*img=*/0x200000000280); memcpy((void*)0x200000000000, "./file1\000", 8); memcpy((void*)0x200000000040, "security.capability\000", 20); *(uint32_t*)0x200000000080 = 0x1000000; *(uint32_t*)0x200000000084 = 0; *(uint32_t*)0x200000000088 = 0; syscall(__NR_setxattr, /*path=*/0x200000000000ul, /*name=*/0x200000000040ul, /*val=*/0x200000000080ul, /*size=*/0xcul, /*flags=*/0ul); for (int i = 0; i < 64; i++) { syscall(__NR_setxattr, /*path=*/0x200000000000ul, /*name=*/0x200000000040ul, /*val=*/0x200000000080ul, /*size=*/0xcul, /*flags=*/0ul); } *(uint16_t*)0x200000000040 = 0xa; *(uint16_t*)0x200000000042 = htobe16(0x4e24); *(uint32_t*)0x200000000044 = htobe32(0); *(uint8_t*)0x200000000048 = 0xfe; *(uint8_t*)0x200000000049 = 0x80; memset((void*)0x20000000004a, 0, 13); *(uint8_t*)0x200000000057 = 0x13; *(uint32_t*)0x200000000058 = 2; syscall(__NR_connect, /*fd=*/r[17], /*addr=*/0x200000000040ul, /*addrlen=*/0x1cul); for (int i = 0; i < 64; i++) { syscall(__NR_connect, /*fd=*/r[17], /*addr=*/0x200000000040ul, 
/*addrlen=*/0x1cul); } syz_sysconfig_reset__proc_sys_net_ipv6_conf_sit0_addr_gen_mode(); res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/6); if (res != -1) r[22] = res; *(uint64_t*)0x200000000000 = 0; *(uint32_t*)0x200000000008 = 0; *(uint64_t*)0x200000000010 = 0x200000000100; *(uint64_t*)0x200000000100 = 0x200000000f00; memcpy((void*)0x200000000f00, "\xb8\x00\x00\x00\x15\x00\x01\x02", 8); *(uint64_t*)0x200000000108 = 0xb8; *(uint64_t*)0x200000000018 = 1; *(uint64_t*)0x200000000020 = 0; *(uint64_t*)0x200000000028 = 0x400300; *(uint32_t*)0x200000000030 = 0; syscall(__NR_sendmsg, /*fd=*/r[22], /*msg=*/0x200000000000ul, /*f=*/0ul); syscall(__NR_arch_prctl, /*cmd=*/0x4002ul, /*arg=*/1ul); syscall(__NR_arch_prctl, /*cmd=*/0x4002ul, /*arg=*/1ul); syz_sysconfig_set__proc_sys_net_ipv4_conf_lo_proxy_arp(/*val=*/0x3f); syscall(__NR_arch_prctl, /*cmd=*/0x4002ul, /*arg=*/5ul); syz_sysconfig_reset__proc_sys_net_ipv4_conf_lo_proxy_arp(); syz_sysconfig_set__proc_sys_net_ipv6_conf_eth0_hop_limit(/*val=*/6); syscall(__NR_arch_prctl, /*cmd=*/0x4002ul, /*arg=*/3ul); syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_hop_limit(); syz_sysconfig_set__proc_sys_net_ipv4_conf_lo_accept_redirects(/*val=*/0x3ff); syscall(__NR_arch_prctl, /*cmd=*/0x4002ul, /*arg=*/4ul); syz_sysconfig_reset__proc_sys_net_ipv4_conf_lo_accept_redirects(); syz_sysconfig_set__proc_sys_net_ipv6_conf_eth0_hop_limit(/*val=*/8); syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_hop_limit(); syz_sysconfig_set__proc_sys_user_max_mnt_namespaces(/*val=*/0xfffffff7); syscall(__NR_arch_prctl, /*cmd=*/0x4002ul, /*arg=*/1ul); syz_sysconfig_reset__proc_sys_user_max_mnt_namespaces(); syscall(__NR_arch_prctl, /*cmd=*/0x4002ul, /*arg=*/3ul); syz_sysconfig_reset__proc_sys_net_ipv4_conf_lo_proxy_arp(); syz_sysconfig_reset__proc_sys_user_max_mnt_namespaces(); syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_hop_limit(); syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_hop_limit(); 
syz_sysconfig_set__proc_sys_net_ipv6_conf_eth0_hop_limit(/*val=*/6); syz_sysconfig_reset__proc_sys_user_max_mnt_namespaces(); syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_hop_limit(); syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_hop_limit(); syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_hop_limit(); syz_sysconfig_reset__proc_sys_user_max_mnt_namespaces(); syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_hop_limit(); syz_proconfig_set__sys_devices_pci0000_00_0000_00_01_1_ata1_host0_target0_0_0_0_0_0_0_block_sda_queue_max_sectors_kb( /*val=*/0x3ff); syz_sysconfig_reset__proc_sys_user_max_mnt_namespaces(); return 0; }