  1. #define _GNU_SOURCE
  2.  
  3. #include <arpa/inet.h>
  4. #include <endian.h>
  5. #include <errno.h>
  6. #include <fcntl.h>
  7. #include <net/if.h>
  8. #include <netinet/in.h>
  9. #include <sched.h>
  10. #include <setjmp.h>
  11. #include <stdbool.h>
  12. #include <stddef.h>
  13. #include <stdint.h>
  14. #include <stdio.h>
  15. #include <stdlib.h>
  16. #include <string.h>
  17. #include <sys/ioctl.h>
  18. #include <sys/mman.h>
  19. #include <sys/mount.h>
  20. #include <sys/socket.h>
  21. #include <sys/stat.h>
  22. #include <sys/syscall.h>
  23. #include <sys/types.h>
  24. #include <unistd.h>
  25.  
  26. #include <linux/genetlink.h>
  27. #include <linux/icmp.h>
  28. #include <linux/ipv6.h>
  29. #include <linux/icmpv6.h>
  30. #include <linux/if_addr.h>
  31. #include <linux/if_link.h>
  32. #include <linux/igmp.h>
  33. #include <linux/in6.h>
  34. #include <linux/ip.h>
  35. #include <linux/loop.h>
  36. #include <linux/neighbour.h>
  37. #include <linux/net.h>
  38. #include <linux/netlink.h>
  39. #include <linux/rtnetlink.h>
  40. #include <linux/sched.h>
  41. #include <linux/sctp.h>
  42. #include <linux/tcp.h>
  43. #include <linux/udp.h>
  44. #include <linux/veth.h>
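/*
 * Write `val` to /sys/fs/cgroup/dev-mqueue.mount/cgroup.freeze.
 *
 * Opens the node and writes the decimal value plus newline directly (the
 * same bytes an `echo val > node` redirection produces) instead of going
 * through system(): no shell, no PATH lookup, no extra process.
 * Best-effort by contract: every failure is ignored and the return value
 * is always 0, so callers cannot tell success from failure.
 *
 * @param val  value to write.
 * @return always 0.
 */
static long syz_proconfig_set__sys_fs_cgroup_dev_mqueue_mount_cgroup_freeze(volatile long val)
{
  char text[32]; /* longest "%ld\n" is 21 chars + NUL */
  int len = snprintf(text, sizeof(text), "%ld\n", (long)val);
  if (len < 0 || (size_t)len >= sizeof(text))
    return 0;
  int fd = open("/sys/fs/cgroup/dev-mqueue.mount/cgroup.freeze", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, (size_t)len); /* result ignored: best-effort */
  close(fd);
  return 0;
}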
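/*
 * Write `val` to /proc/sys/net/ipv6/route/gc_min_interval.
 *
 * Writes the decimal value plus newline straight to the procfs node (the
 * bytes an `echo val > node` redirection produces) rather than spawning a
 * shell via system(). Best-effort: failures are ignored and the function
 * always returns 0, as the original contract required.
 *
 * @param val  value to write.
 * @return always 0.
 */
static long syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(volatile long val)
{
  char text[32]; /* longest "%ld\n" is 21 chars + NUL */
  int len = snprintf(text, sizeof(text), "%ld\n", (long)val);
  if (len < 0 || (size_t)len >= sizeof(text))
    return 0;
  int fd = open("/proc/sys/net/ipv6/route/gc_min_interval", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, (size_t)len); /* result ignored: best-effort */
  close(fd);
  return 0;
}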
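/*
 * Write `val` to /sys/bus/clockevents/drivers_autoprobe.
 *
 * Direct open/write of the decimal value plus newline (what the former
 * `echo val > node` shell redirection wrote), avoiding system() and the
 * shell it spawns. Best-effort: all failures are ignored and the return
 * value is always 0.
 *
 * @param val  value to write.
 * @return always 0.
 */
static long syz_proconfig_set__sys_bus_clockevents_drivers_autoprobe(volatile long val)
{
  char text[32]; /* longest "%ld\n" is 21 chars + NUL */
  int len = snprintf(text, sizeof(text), "%ld\n", (long)val);
  if (len < 0 || (size_t)len >= sizeof(text))
    return 0;
  int fd = open("/sys/bus/clockevents/drivers_autoprobe", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, (size_t)len); /* result ignored: best-effort */
  close(fd);
  return 0;
}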
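/*
 * Reset /sys/devices/virtual/net/lo/tx_queue_len to 1000.
 *
 * Writes "1000\n" directly to the sysfs node (the bytes the former
 * `echo 1000 > node` redirection produced) instead of spawning a shell via
 * system(). Best-effort: failures are ignored and the result is always 0.
 *
 * @return always 0.
 */
static long syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len(void)
{
  static const char text[] = "1000\n";
  int fd = open("/sys/devices/virtual/net/lo/tx_queue_len", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, sizeof(text) - 1); /* result ignored: best-effort */
  close(fd);
  return 0;
}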
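/*
 * Reset /proc/sys/net/ipv6/conf/eth0/accept_ra_min_hop_limit to 1.
 *
 * Writes "1\n" directly to the procfs node (the bytes the former
 * `echo 1 > node` redirection produced) instead of going through system().
 * Best-effort: failures are ignored and the result is always 0.
 *
 * @return always 0.
 */
static long syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_accept_ra_min_hop_limit(void)
{
  static const char text[] = "1\n";
  int fd = open("/proc/sys/net/ipv6/conf/eth0/accept_ra_min_hop_limit", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, sizeof(text) - 1); /* result ignored: best-effort */
  close(fd);
  return 0;
}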
  95.  
  96.  
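/*
 * Write `val` to /sys/module/tcp_cubic/parameters/hystart.
 *
 * Writes the decimal value plus newline straight to the sysfs node (the
 * bytes an `echo val > node` redirection produces) rather than spawning a
 * shell via system(). Best-effort: failures are ignored and the function
 * always returns 0.
 *
 * @param val  value to write.
 * @return always 0.
 */
static long syz_proconfig_set__sys_module_tcp_cubic_parameters_hystart(volatile long val)
{
  char text[32]; /* longest "%ld\n" is 21 chars + NUL */
  int len = snprintf(text, sizeof(text), "%ld\n", (long)val);
  if (len < 0 || (size_t)len >= sizeof(text))
    return 0;
  int fd = open("/sys/module/tcp_cubic/parameters/hystart", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, (size_t)len); /* result ignored: best-effort */
  close(fd);
  return 0;
}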
  107.  
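/*
 * Write `val` to /proc/sys/net/ipv6/max_hbh_opts_number.
 *
 * Direct open/write of the decimal value plus newline (what the former
 * `echo val > node` shell redirection wrote), avoiding system() and the
 * shell it spawns. Best-effort: all failures are ignored and the return
 * value is always 0.
 *
 * @param val  value to write.
 * @return always 0.
 */
static long syz_sysconfig_set__proc_sys_net_ipv6_max_hbh_opts_number(volatile long val)
{
  char text[32]; /* longest "%ld\n" is 21 chars + NUL */
  int len = snprintf(text, sizeof(text), "%ld\n", (long)val);
  if (len < 0 || (size_t)len >= sizeof(text))
    return 0;
  int fd = open("/proc/sys/net/ipv6/max_hbh_opts_number", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, (size_t)len); /* result ignored: best-effort */
  close(fd);
  return 0;
}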
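/*
 * Write `val` to /sys/module/tcp_cubic/parameters/hystart_detect.
 *
 * Writes the decimal value plus newline straight to the sysfs node (the
 * bytes an `echo val > node` redirection produces) instead of spawning a
 * shell via system(). Best-effort: failures are ignored and the function
 * always returns 0.
 *
 * @param val  value to write.
 * @return always 0.
 */
static long syz_proconfig_set__sys_module_tcp_cubic_parameters_hystart_detect(volatile long val)
{
  char text[32]; /* longest "%ld\n" is 21 chars + NUL */
  int len = snprintf(text, sizeof(text), "%ld\n", (long)val);
  if (len < 0 || (size_t)len >= sizeof(text))
    return 0;
  int fd = open("/sys/module/tcp_cubic/parameters/hystart_detect", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, (size_t)len); /* result ignored: best-effort */
  close(fd);
  return 0;
}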
  128.  
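/*
 * Reset /sys/devices/virtual/block/loop3/queue/max_sectors_kb to 1280.
 *
 * Writes "1280\n" directly to the sysfs node (the bytes the former
 * `echo 1280 > node` redirection produced) rather than spawning a shell via
 * system(). Best-effort: failures are ignored and the result is always 0.
 *
 * @return always 0.
 */
static long syz_proconfig_reset__sys_devices_virtual_block_loop3_queue_max_sectors_kb(void)
{
  static const char text[] = "1280\n";
  int fd = open("/sys/devices/virtual/block/loop3/queue/max_sectors_kb", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, sizeof(text) - 1); /* result ignored: best-effort */
  close(fd);
  return 0;
}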
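/*
 * Reset /sys/devices/virtual/bdi/7:4/min_ratio to 0.
 *
 * Writes "0\n" directly to the sysfs node (the bytes the former
 * `echo 0 > node` redirection produced) instead of going through system().
 * Best-effort: failures are ignored and the result is always 0.
 *
 * @return always 0.
 */
static long syz_proconfig_reset__sys_devices_virtual_bdi_7_4_min_ratio(void)
{
  static const char text[] = "0\n";
  int fd = open("/sys/devices/virtual/bdi/7:4/min_ratio", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, sizeof(text) - 1); /* result ignored: best-effort */
  close(fd);
  return 0;
}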
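/*
 * Reset /sys/fs/cgroup/proc-sys-fs-binfmt_misc.mount/pids.max to 971.
 *
 * Writes "971\n" directly to the cgroup node (the bytes the former
 * `echo 971 > node` redirection produced) rather than spawning a shell via
 * system(). Best-effort: failures are ignored and the result is always 0.
 *
 * @return always 0.
 */
static long syz_proconfig_reset__sys_fs_cgroup_proc_sys_fs_binfmt_misc_mount_pids_max(void)
{
  static const char text[] = "971\n";
  int fd = open("/sys/fs/cgroup/proc-sys-fs-binfmt_misc.mount/pids.max", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, sizeof(text) - 1); /* result ignored: best-effort */
  close(fd);
  return 0;
}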
  159.  
  160.  
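/*
 * Write `val` to /sys/power/wakeup_count.
 *
 * Writes the decimal value plus newline straight to the sysfs node (the
 * bytes an `echo val > node` redirection produces) instead of spawning a
 * shell via system(). Best-effort: failures are ignored and the function
 * always returns 0.
 *
 * @param val  value to write.
 * @return always 0.
 */
static long syz_proconfig_set__sys_power_wakeup_count(volatile long val)
{
  char text[32]; /* longest "%ld\n" is 21 chars + NUL */
  int len = snprintf(text, sizeof(text), "%ld\n", (long)val);
  if (len < 0 || (size_t)len >= sizeof(text))
    return 0;
  int fd = open("/sys/power/wakeup_count", O_WRONLY);
  if (fd == -1)
    return 0;
  (void)write(fd, text, (size_t)len); /* result ignored: best-effort */
  close(fd);
  return 0;
}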
  171.  
  172. #ifndef __NR_clone3
  173. #define __NR_clone3 435
  174. #endif
  175. #ifndef __NR_close_range
  176. #define __NR_close_range 436
  177. #endif
  178. #ifndef __NR_fsconfig
  179. #define __NR_fsconfig 431
  180. #endif
  181. #ifndef __NR_fsopen
  182. #define __NR_fsopen 430
  183. #endif
  184. #ifndef __NR_futex_waitv
  185. #define __NR_futex_waitv 449
  186. #endif
  187. #ifndef __NR_getrandom
  188. #define __NR_getrandom 318
  189. #endif
  190. #ifndef __NR_io_pgetevents
  191. #define __NR_io_pgetevents 333
  192. #endif
  193. #ifndef __NR_io_uring_register
  194. #define __NR_io_uring_register 427
  195. #endif
  196. #ifndef __NR_io_uring_setup
  197. #define __NR_io_uring_setup 425
  198. #endif
  199. #ifndef __NR_lsm_list_modules
  200. #define __NR_lsm_list_modules 461
  201. #endif
  202. #ifndef __NR_memfd_create
  203. #define __NR_memfd_create 319
  204. #endif
  205. #ifndef __NR_openat2
  206. #define __NR_openat2 437
  207. #endif
  208. #ifndef __NR_pidfd_getfd
  209. #define __NR_pidfd_getfd 438
  210. #endif
  211. #ifndef __NR_pidfd_open
  212. #define __NR_pidfd_open 434
  213. #endif
  214. #ifndef __NR_pidfd_send_signal
  215. #define __NR_pidfd_send_signal 424
  216. #endif
  217. #ifndef __NR_preadv2
  218. #define __NR_preadv2 327
  219. #endif
  220. #ifndef __NR_pwritev2
  221. #define __NR_pwritev2 328
  222. #endif
  223. #ifndef __NR_renameat2
  224. #define __NR_renameat2 316
  225. #endif
  226. #ifndef __NR_sched_setattr
  227. #define __NR_sched_setattr 314
  228. #endif
  229. #ifndef __NR_seccomp
  230. #define __NR_seccomp 317
  231. #endif
  232.  
  233. static unsigned long long procid;
  234.  
  235. #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
  236. #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  237. *(type*)(addr) = \
  238. htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
  239. (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
  240.  
/* Running one's-complement 16-bit checksum accumulator (see
 * csum_inet_update / csum_inet_digest). */
struct csum_inet {
  uint32_t acc; /* partial sum; carries are folded back in by csum_inet_update */
};
  244.  
/* Reset the accumulator to an empty sum. */
static void csum_inet_init(struct csum_inet* csum)
{
  struct csum_inet fresh = {0};
  *csum = fresh;
}
  249.  
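/*
 * Add `length` bytes of `data` to the checksum.
 *
 * Sums the bytes as 16-bit words in native order; an odd trailing byte is
 * treated as the low byte of a little-endian word. Carries above 16 bits
 * are folded back in at the end so acc always ends up <= 0xffff.
 *
 * @param csum    accumulator initialised by csum_inet_init.
 * @param data    bytes to add; may be at any alignment.
 * @param length  number of bytes; 0 is a no-op.
 */
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data,
size_t length)
{
  if (length == 0)
    return;
  size_t i = 0;
  for (; i + 1 < length; i += 2) {
    /* memcpy rather than *(uint16_t*)&data[i]: data is a byte array and
     * need not be 2-byte aligned, so the cast is an aliasing/alignment
     * violation; the compiler turns this into the same single load. */
    uint16_t word;
    memcpy(&word, data + i, sizeof(word));
    csum->acc += word;
  }
  if (length & 1)
    csum->acc += le16toh((uint16_t)data[length - 1]);
  /* Fold carries until the sum fits in 16 bits. */
  while (csum->acc > 0xffff)
    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}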
  263.  
/* Final checksum: the one's complement of the folded sum, truncated to
 * 16 bits. Does not modify the accumulator. */
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
  uint32_t folded = csum->acc;
  return (uint16_t)(~folded);
}
  268.  
/* Netlink message under construction; filled by netlink_init/netlink_attr
 * and sent (and then reused for the reply) by netlink_send_ext. */
struct nlmsg {
  char* pos;                 /* write cursor into buf */
  int nesting;               /* depth of currently open nested attributes; must be 0 to send */
  struct nlattr* nested[8];  /* open nested attributes (stack); not touched in this part of the file */
  char buf[4096];            /* header + payload; the reply is received into it too */
};
  275.  
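/*
 * Start a new netlink message: zero the builder, write the nlmsghdr with
 * `typ` and NLM_F_REQUEST|NLM_F_ACK|flags, append `size` bytes of `data`
 * as the fixed header payload and position the cursor after it (aligned).
 *
 * @param nlmsg  builder to (re)initialise.
 * @param typ    nlmsg_type.
 * @param flags  extra nlmsg_flags.
 * @param data   fixed payload to copy; may be NULL when size is 0.
 * @param size   payload length in bytes.
 *
 * A payload that cannot fit behind the header in the fixed buffer is a
 * caller bug and ends the process with exit(1), like the other invariant
 * violations in this file. Checking here matters because netlink_send_ext
 * only detects an overrun after the memcpy has already happened.
 */
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
const void* data, int size)
{
  memset(nlmsg, 0, sizeof(*nlmsg));
  if (size < 0 || (size_t)size > sizeof(nlmsg->buf) - NLMSG_HDRLEN)
    exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_type = typ;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  if (size > 0) /* same guard as netlink_attr: no memcpy from a NULL data */
    memcpy(hdr + 1, data, size);
  nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}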
  286.  
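/*
 * Append one attribute (nlattr header + `size` bytes of `data`) at the
 * cursor and advance it by the aligned attribute length.
 *
 * @param nlmsg  builder initialised by netlink_init.
 * @param typ    nla_type.
 * @param data   attribute payload; only read when size > 0.
 * @param size   payload length in bytes.
 *
 * If the aligned attribute does not fit in the remaining buffer the
 * process exits with 1 (the file's convention for builder invariants).
 * Without this check the memcpy below would overrun the stack buffer and
 * netlink_send_ext would only notice once the message is complete.
 */
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
int size)
{
  char* end = nlmsg->buf + sizeof(nlmsg->buf);
  if (size < 0 || nlmsg->pos > end ||
      (size_t)(end - nlmsg->pos) < NLMSG_ALIGN(sizeof(struct nlattr) + (size_t)size))
    exit(1);
  struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  attr->nla_len = sizeof(*attr) + size;
  attr->nla_type = typ;
  if (size > 0)
    memcpy(attr + 1, data, size);
  nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}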
  297.  
/*
 * Send the message built in nlmsg->buf on `sock` and read one reply into
 * the same buffer.
 *
 * Returns 0 on an NLMSG_DONE reply or, when reply_len is non-NULL and the
 * reply has type `reply_type`, 0 with *reply_len set to the reply size.
 * Returns -1 (errno set) on send/recv failure or a malformed reply, and
 * -errno for an NLMSG_ERROR reply, whose negative kernel error code is
 * also stored in errno (an error of 0 therefore yields 0 / errno 0).
 * With dofail set, every failure except an NLMSG_ERROR reply exits the
 * process instead of returning.
 */
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
int* reply_len, bool dofail)
{
  /* A cursor past the end of buf or an unclosed nest is a builder bug. */
  if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
    exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  struct sockaddr_nl addr;
  memset(&addr, 0, sizeof(addr)); /* nl_pid / nl_groups stay 0 */
  addr.nl_family = AF_NETLINK;
  ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
  (struct sockaddr*)&addr, sizeof(addr));
  if (n != (ssize_t)hdr->nlmsg_len) {
    if (dofail)
      exit(1);
    return -1;
  }
  /* The reply overwrites the request; hdr now refers to the reply header. */
  n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  if (reply_len)
    *reply_len = 0;
  if (n < 0) {
    if (dofail)
      exit(1);
    return -1;
  }
  if (n < (ssize_t)sizeof(struct nlmsghdr)) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type == NLMSG_DONE)
    return 0;
  if (reply_len && hdr->nlmsg_type == reply_type) {
    *reply_len = n;
    return 0;
  }
  /* Anything else has to be a complete NLMSG_ERROR. */
  if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type != NLMSG_ERROR) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  /* Kernel error codes are negative; note dofail is not applied here. */
  errno = -((struct nlmsgerr*)(hdr + 1))->error;
  return -errno;
}
  350.  
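/*
 * Look up a generic-netlink family id by name via CTRL_CMD_GETFAMILY.
 *
 * Builds the request in `nlmsg`, sends it on `sock` and walks the
 * attributes of the reply looking for CTRL_ATTR_FAMILY_ID. The trailing
 * recv() drains the ACK that follows the reply.
 *
 * @param nlmsg        scratch builder (contents overwritten).
 * @param sock         NETLINK_GENERIC socket.
 * @param family_name  NUL-terminated family name (at most GENL_NAMSIZ-1
 *                     chars are used).
 * @param dofail       passed to netlink_send_ext (exit instead of fail).
 * @return the family id (> 0), or -1 with errno set (EINVAL when the reply
 *         carries no usable family id).
 *
 * The attribute walk validates each nla_len against the bytes actually
 * received: a zero/short length would otherwise leave the cursor in place
 * forever, and an over-long one would read past the reply.
 */
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
const char* family_name, bool dofail)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = CTRL_CMD_GETFAMILY;
  netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
  strnlen(family_name, GENL_NAMSIZ - 1) + 1);
  int n = 0;
  int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
  if (err < 0) {
    return -1;
  }
  uint16_t id = 0;
  char* end = nlmsg->buf + n;
  char* p = nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr));
  while (p < end && (size_t)(end - p) >= sizeof(struct nlattr)) {
    struct nlattr* attr = (struct nlattr*)p;
    if (attr->nla_len < sizeof(*attr) || (size_t)(end - p) < attr->nla_len)
      break; /* malformed attribute: stop rather than loop or over-read */
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
      if (attr->nla_len >= sizeof(*attr) + sizeof(id))
        memcpy(&id, attr + 1, sizeof(id));
      break;
    }
    p += NLMSG_ALIGN(attr->nla_len);
  }
  if (!id) {
    errno = EINVAL;
    return -1;
  }
  recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); /* drain the ACK */
  return id;
}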
  382.  
  383. const int kInitNetNsFd = 201;
  384.  
  385. #define SIZEOF_IO_URING_SQE 64
  386. #define SIZEOF_IO_URING_CQE 16
  387. #define SQ_HEAD_OFFSET 0
  388. #define SQ_TAIL_OFFSET 64
  389. #define SQ_RING_MASK_OFFSET 256
  390. #define SQ_RING_ENTRIES_OFFSET 264
  391. #define SQ_FLAGS_OFFSET 276
  392. #define SQ_DROPPED_OFFSET 272
  393. #define CQ_HEAD_OFFSET 128
  394. #define CQ_TAIL_OFFSET 192
  395. #define CQ_RING_MASK_OFFSET 260
  396. #define CQ_RING_ENTRIES_OFFSET 268
  397. #define CQ_RING_OVERFLOW_OFFSET 284
  398. #define CQ_FLAGS_OFFSET 280
  399. #define CQ_CQES_OFFSET 320
  400.  
/* Submission-ring field offsets reported back by io_uring_setup inside
 * struct io_uring_params (sq_off). `array` is the only field read here: it
 * locates the sqe index array inside the ring mapping (see
 * syz_io_uring_setup). */
struct io_sqring_offsets {
  uint32_t head;
  uint32_t tail;
  uint32_t ring_mask;
  uint32_t ring_entries;
  uint32_t flags;
  uint32_t dropped;
  uint32_t array;
  uint32_t resv1;
  uint64_t resv2;
};
  412.  
/* Completion-ring field offsets reported back by io_uring_setup inside
 * struct io_uring_params (cq_off). `cqes` is used by syz_io_uring_setup to
 * size the ring mapping. */
struct io_cqring_offsets {
  uint32_t head;
  uint32_t tail;
  uint32_t ring_mask;
  uint32_t ring_entries;
  uint32_t overflow;
  uint32_t cqes;
  uint64_t resv[2];
};
  422.  
/* Local copy of the parameter block exchanged with the io_uring_setup
 * syscall: flags are supplied by the caller, the kernel fills in the entry
 * counts, features and ring offsets. The layout must stay in sync with the
 * kernel's definition since it is passed straight to syscall(). */
struct io_uring_params {
  uint32_t sq_entries;
  uint32_t cq_entries;
  uint32_t flags;
  uint32_t sq_thread_cpu;
  uint32_t sq_thread_idle;
  uint32_t features;
  uint32_t resv[4];
  struct io_sqring_offsets sq_off;
  struct io_cqring_offsets cq_off;
};
  434.  
  435. #define IORING_OFF_SQ_RING 0
  436. #define IORING_OFF_SQES 0x10000000ULL
  437. #define IORING_SETUP_SQE128 (1U << 10)
  438. #define IORING_SETUP_CQE32 (1U << 11)
  439.  
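/*
 * Create an io_uring instance and map its rings.
 *
 * @param a0  number of submission entries requested.
 * @param a1  struct io_uring_params* (in: flags; out: filled by the kernel).
 * @param a2  void** receiving the SQ/CQ ring mapping.
 * @param a3  void** receiving the SQE array mapping.
 * @return the io_uring file descriptor, or -1 with errno set if the
 *         syscall or either mmap fails (nothing is left mapped or open
 *         in that case, and the out-pointers are not meaningful).
 *
 * SQE128/CQE32 are cleared from the flags because the fixed
 * SIZEOF_IO_URING_SQE/CQE used for sizing assume the default layouts.
 */
static long syz_io_uring_setup(volatile long a0, volatile long a1,
volatile long a2, volatile long a3)
{
  uint32_t entries = (uint32_t)a0;
  struct io_uring_params* setup_params = (struct io_uring_params*)a1;
  void** ring_ptr_out = (void**)a2;
  void** sqes_ptr_out = (void**)a3;
  setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128);
  /* Keep the result signed: storing -1 in a uint32_t used to turn a failed
   * setup into fd 0xffffffff and a crash in the array fill below. */
  long fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
  if (fd_io_uring < 0)
    return -1;
  size_t sq_ring_sz =
      setup_params->sq_off.array + (size_t)setup_params->sq_entries * sizeof(uint32_t);
  size_t cq_ring_sz =
      setup_params->cq_off.cqes + (size_t)setup_params->cq_entries * SIZEOF_IO_URING_CQE;
  size_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
  void* ring = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE,
                    fd_io_uring, IORING_OFF_SQ_RING);
  if (ring == MAP_FAILED) {
    int saved = errno;
    close(fd_io_uring);
    errno = saved;
    return -1;
  }
  size_t sqes_sz = (size_t)setup_params->sq_entries * SIZEOF_IO_URING_SQE;
  void* sqes = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE,
                    fd_io_uring, IORING_OFF_SQES);
  if (sqes == MAP_FAILED) {
    int saved = errno;
    munmap(ring, ring_sz);
    close(fd_io_uring);
    errno = saved;
    return -1;
  }
  *ring_ptr_out = ring;
  *sqes_ptr_out = sqes;
  /* Identity-fill the sqe index array. Bound by sq_entries as well as the
   * requested count: the array region is sized from sq_entries above. */
  uint32_t* array = (uint32_t*)((uintptr_t)ring + setup_params->sq_off.array);
  uint32_t limit = entries < setup_params->sq_entries ? entries : setup_params->sq_entries;
  for (uint32_t index = 0; index < limit; index++)
    array[index] = index;
  return fd_io_uring;
}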
  466.  
/*
 * Open a device node.
 *
 * Two forms are accepted: a0 of 0xc or 0xb selects /dev/char/<a1>:<a2> or
 * /dev/block/<a1>:<a2> (major/minor truncated to 8 bits, opened O_RDWR);
 * otherwise a0 is a path template in which every '#' is replaced by one
 * decimal digit of a1, least significant digit first, and the result is
 * opened with flags a2.
 *
 * @return the descriptor from open(), or -1 with errno set.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  const bool is_char = a0 == 0xc;
  if (is_char || a0 == 0xb) {
    char path[128];
    snprintf(path, sizeof(path), "/dev/%s/%d:%d", is_char ? "char" : "block",
             (uint8_t)a1, (uint8_t)a2);
    return open(path, O_RDWR, 0);
  }
  /* Bounded copy of the template: at most sizeof(path)-1 chars + NUL. */
  const char* tmpl = (const char*)a0;
  char path[1024];
  size_t n = strnlen(tmpl, sizeof(path) - 1);
  memcpy(path, tmpl, n);
  path[n] = 0;
  long digits = a1;
  for (char* h = strchr(path, '#'); h != NULL; h = strchr(path, '#')) {
    *h = '0' + (char)(digits % 10);
    digits /= 10;
  }
  return open(path, a2, 0);
}
  486.  
/*
 * Open a procfs entry of the calling process.
 *
 * a0 == 0 selects /proc/self/<a1>, a0 == -1 selects /proc/thread-self/<a1>,
 * any other value selects /proc/self/task/<a0>/<a1>. The path is limited
 * to 127 characters (snprintf truncation).
 *
 * @return a descriptor opened O_RDWR, falling back to O_RDONLY when the
 *         read-write open fails; -1 with errno set if both fail.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
  const char* name = (const char*)a1;
  char path[128] = {0};
  if (a0 == 0)
    snprintf(path, sizeof(path), "/proc/self/%s", name);
  else if (a0 == -1)
    snprintf(path, sizeof(path), "/proc/thread-self/%s", name);
  else
    snprintf(path, sizeof(path), "/proc/self/task/%d/%s", (int)a0, name);
  int fd = open(path, O_RDWR);
  return fd != -1 ? fd : open(path, O_RDONLY);
}
  503.  
/*
 * Create a socket through the raw socket(2) syscall.
 *
 * NOTE(review): the name suggests the socket is meant to live in the
 * initial network namespace, but nothing in this block switches namespace;
 * the arguments are forwarded unchanged to the syscall.
 *
 * @return the new descriptor, or -1 with errno set.
 */
static long syz_init_net_socket(volatile long domain, volatile long type,
volatile long proto)
{
  long fd = syscall(__NR_socket, domain, type, proto);
  return fd;
}
  509.  
/*
 * Resolve a generic-netlink family name to its id.
 *
 * @param name      const char* family name.
 * @param sock_arg  NETLINK_GENERIC socket to use; a negative value makes
 *                  the function open (and afterwards close) its own.
 * @return the family id, or -1 on any failure (errno from the failing
 *         step; netlink_query_family_id is called with dofail=false so a
 *         query failure never exits the process).
 */
static long syz_genetlink_get_family_id(volatile long name,
volatile long sock_arg)
{
  const bool own_socket = (int)sock_arg < 0;
  int fd = (int)sock_arg;
  if (own_socket) {
    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (fd == -1)
      return -1;
  }
  struct nlmsg msg;
  int id = netlink_query_family_id(&msg, fd, (char*)name, false);
  if (own_socket)
    close(fd);
  return id < 0 ? -1 : id;
}
  529.  
  530. //% This code is derived from puff.{c,h}, found in the zlib development. The
  531. //% original files come with the following copyright notice:
  532.  
  533. //% Copyright (C) 2002-2013 Mark Adler, all rights reserved
  534. //% version 2.3, 21 Jan 2013
  535. //% This software is provided 'as-is', without any express or implied
  536. //% warranty. In no event will the author be held liable for any damages
  537. //% arising from the use of this software.
  538. //% Permission is granted to anyone to use this software for any purpose,
  539. //% including commercial applications, and to alter it and redistribute it
  540. //% freely, subject to the following restrictions:
  541. //% 1. The origin of this software must not be misrepresented; you must not
  542. //% claim that you wrote the original software. If you use this software
  543. //% in a product, an acknowledgment in the product documentation would be
  544. //% appreciated but is not required.
  545. //% 2. Altered source versions must be plainly marked as such, and must not be
  546. //% misrepresented as being the original software.
  547. //% 3. This notice may not be removed or altered from any source distribution.
  548. //% Mark Adler [email protected]
  549.  
  550. //% BEGIN CODE DERIVED FROM puff.{c,h}
  551.  
  552. #define MAXBITS 15
  553. #define MAXLCODES 286
  554. #define MAXDCODES 30
  555. #define MAXCODES (MAXLCODES + MAXDCODES)
  556. #define FIXLCODES 288
  557.  
/* Inflate state shared by the puff_* routines. */
struct puff_state {
  unsigned char* out;       /* output buffer */
  unsigned long outlen;     /* capacity of out */
  unsigned long outcnt;     /* bytes produced so far */
  const unsigned char* in;  /* compressed input */
  unsigned long inlen;      /* bytes available in in */
  unsigned long incnt;      /* bytes consumed so far */
  int bitbuf;               /* bits not yet consumed, LSB first */
  int bitcnt;               /* number of valid bits in bitbuf */
  jmp_buf env;              /* longjmp target used when the input runs out (see puff) */
};
/*
 * Return the next `need` bits of input (LSB first), refilling the bit
 * buffer one byte at a time.
 *
 * Running out of input is fatal for the whole inflate: it longjmps to
 * s->env (set up in puff), so this never returns an error code.
 */
static int puff_bits(struct puff_state* s, int need)
{
  long acc = s->bitbuf;
  while (s->bitcnt < need) {
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    acc |= (long)s->in[s->incnt++] << s->bitcnt;
    s->bitcnt += 8;
  }
  /* Keep the bits above `need`, hand back the low `need` bits. */
  s->bitbuf = (int)(acc >> need);
  s->bitcnt -= need;
  long mask = (1L << need) - 1;
  return (int)(acc & mask);
}
/*
 * Process a stored (uncompressed) deflate block.
 *
 * Discards the bit buffer, reads LEN and its one's complement NLEN, then
 * copies LEN bytes to the output. Only non-zero bytes are actually written
 * (the output is assumed to be zero-filled already).
 *
 * Returns 0 on success, 2 if the input ends early, 1 if the output is
 * full, -2 if NLEN does not match LEN.
 */
static int puff_stored(struct puff_state* s)
{
  s->bitbuf = 0;
  s->bitcnt = 0;
  if (s->incnt + 4 > s->inlen)
    return 2;
  unsigned len = s->in[s->incnt++];
  len |= (unsigned)s->in[s->incnt++] << 8;
  unsigned lo = s->in[s->incnt++];
  if (lo != (~len & 0xff))
    return -2;
  unsigned hi = s->in[s->incnt++];
  if (hi != ((~len >> 8) & 0xff))
    return -2;
  if (s->incnt + len > s->inlen)
    return 2;
  if (s->outcnt + len > s->outlen)
    return 1;
  while (len--) {
    unsigned char b = s->in[s->incnt++];
    if (b)
      s->out[s->outcnt] = b;
    s->outcnt++;
  }
  return 0;
}
/* Canonical Huffman code as built by puff_construct: count[len] is the
 * number of codes of each bit length (index 0 = unused symbols), symbol[]
 * lists the symbols ordered by code. */
struct puff_huffman {
  short* count;
  short* symbol;
};
/*
 * Decode one symbol with the canonical Huffman code `h`, one bit at a time.
 *
 * Starts from the bits already buffered in s->bitbuf/s->bitcnt and fetches
 * further input bytes as needed (longjmp(s->env) when the input is
 * exhausted, as in puff_bits). For each code length `len` the code read so
 * far is compared against the `count` codes of that length.
 *
 * Returns the decoded symbol, or -10 if no code of length <= MAXBITS
 * matched.
 */
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
  int first = 0;
  int index = 0;
  int bitbuf = s->bitbuf;
  int left = s->bitcnt;
  int code = first = index = 0;
  int len = 1;
  short* next = h->count + 1; /* number of codes of the current length */
  while (1) {
    while (left--) {
      code |= bitbuf & 1;
      bitbuf >>= 1;
      int count = *next++;
      if (code - count < first) {
        /* Match among the codes of this length; return the unused bits. */
        s->bitbuf = bitbuf;
        s->bitcnt = (s->bitcnt - len) & 7;
        return h->symbol[index + (code - first)];
      }
      index += count;
      first += count;
      first <<= 1;
      code <<= 1;
      len++;
    }
    left = (MAXBITS + 1) - len;
    if (left == 0)
      break;
    /* Bit buffer exhausted mid-code: pull one more input byte. */
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    bitbuf = s->in[s->incnt++];
    if (left > 8)
      left = 8;
  }
  return -10;
}
/*
 * Build the canonical Huffman decoding tables in `h` from the `n` code
 * lengths in `length` (0 = symbol not used). h->count must hold MAXBITS+1
 * entries and h->symbol at least n.
 *
 * Returns 0 for a complete code, a positive value for an incomplete code
 * (number of unused codes), or a negative value if the lengths are
 * over-subscribed. A set of lengths that are all zero also returns 0.
 */
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
  short* count = h->count;
  memset(count, 0, (MAXBITS + 1) * sizeof(*count));
  for (int sym = 0; sym < n; sym++)
    count[length[sym]]++;
  if (count[0] == n)
    return 0;
  /* Check the lengths against the Kraft inequality, one level at a time. */
  int left = 1;
  for (int len = 1; len <= MAXBITS; len++) {
    left = (left << 1) - count[len];
    if (left < 0)
      return left;
  }
  /* Offsets of the first symbol of each length within h->symbol. */
  short offs[MAXBITS + 1];
  offs[1] = 0;
  for (int len = 1; len < MAXBITS; len++)
    offs[len + 1] = offs[len] + count[len];
  for (int sym = 0; sym < n; sym++) {
    short l = length[sym];
    if (l != 0)
      h->symbol[offs[l]++] = sym;
  }
  return left;
}
/*
 * Decode the literal/length + distance symbols of one compressed block
 * until the end-of-block code (256).
 *
 * Literals below 256 are stored as single bytes; symbols above 256 select a
 * base length from lens[] plus lext[] extra bits, then a distance from
 * dists[] plus dext[] extra bits, and copy `len` bytes from `dist` back in
 * the output. Only non-zero bytes are actually written — the output is
 * expected to be zero-filled (puff_zlib_to_file maps it anonymously).
 *
 * Returns 0 at end of block, 1 if the output buffer is full, -10 for an
 * invalid length symbol, -11 for a distance reaching before the output
 * start, or a negative puff_decode error.
 */
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
const struct puff_huffman* distcode)
{
  static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
  15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
  67, 83, 99, 115, 131, 163, 195, 227, 258};
  static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
  2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
  static const short dists[30] = {
  1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
  33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
  1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
  4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
  9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  int symbol;
  do {
    symbol = puff_decode(s, lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 256) {
      /* Literal byte; zero bytes are skipped, not written. */
      if (s->outcnt == s->outlen)
        return 1;
      if (symbol)
        s->out[s->outcnt] = symbol;
      s->outcnt++;
    } else if (symbol > 256) {
      /* Length/distance pair. */
      symbol -= 257;
      if (symbol >= 29)
        return -10;
      int len = lens[symbol] + puff_bits(s, lext[symbol]);
      symbol = puff_decode(s, distcode);
      if (symbol < 0)
        return symbol;
      unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
      if (dist > s->outcnt)
        return -11;
      if (s->outcnt + len > s->outlen)
        return 1;
      while (len--) {
        /* dist <= outcnt always holds after the -11 check above since
         * outcnt only grows; the copy skips zero source bytes. */
        if (dist <= s->outcnt && s->out[s->outcnt - dist])
          s->out[s->outcnt] = s->out[s->outcnt - dist];
        s->outcnt++;
      }
    }
  } while (symbol != 256);
  return 0;
}
/*
 * Decode a block using the fixed Huffman codes (deflate block type 1).
 *
 * The fixed literal/length code (lengths 8/9/7/8 over the 288 symbols) and
 * the fixed distance code (all length 5) are built once on first use and
 * kept in static storage for subsequent calls.
 *
 * Returns the result of puff_codes.
 */
static int puff_fixed(struct puff_state* s)
{
  static int built = 0;
  static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
  static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  static struct puff_huffman lencode = {lencnt, lensym};
  static struct puff_huffman distcode = {distcnt, distsym};
  if (!built) {
    short lengths[FIXLCODES];
    int sym = 0;
    while (sym < 144)
      lengths[sym++] = 8;
    while (sym < 256)
      lengths[sym++] = 9;
    while (sym < 280)
      lengths[sym++] = 7;
    while (sym < FIXLCODES)
      lengths[sym++] = 8;
    puff_construct(&lencode, lengths, FIXLCODES);
    for (sym = 0; sym < MAXDCODES; sym++)
      lengths[sym] = 5;
    puff_construct(&distcode, lengths, MAXDCODES);
    built = 1;
  }
  return puff_codes(s, &lencode, &distcode);
}
/*
 * Decode a block using dynamic Huffman codes (deflate block type 2).
 *
 * Reads the literal/length (nlen), distance (ndist) and code-length (ncode)
 * counts, builds the code-length code from the 3-bit lengths given in
 * `order`, then decodes nlen+ndist code lengths (symbols 16/17/18 are
 * repeat codes) and builds the two codes used by puff_codes.
 *
 * Error returns: -3 bad counts, -4 bad code-length code, -5 repeat with no
 * previous length, -6 repeat running past the end, -7 / -8 bad literal or
 * distance code (incomplete codes are only allowed when the code has one
 * symbol), -9 missing end-of-block code, or a puff_decode error.
 */
static int puff_dynamic(struct puff_state* s)
{
  /* Order in which code-length code lengths appear in the stream. */
  static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
  11, 4, 12, 3, 13, 2, 14, 1, 15};
  int nlen = puff_bits(s, 5) + 257;
  int ndist = puff_bits(s, 5) + 1;
  int ncode = puff_bits(s, 4) + 4;
  if (nlen > MAXLCODES || ndist > MAXDCODES)
    return -3;
  short lengths[MAXCODES];
  int index;
  for (index = 0; index < ncode; index++)
    lengths[order[index]] = puff_bits(s, 3);
  for (; index < 19; index++)
    lengths[order[index]] = 0;
  short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  struct puff_huffman lencode = {lencnt, lensym};
  int err = puff_construct(&lencode, lengths, 19);
  if (err != 0)
    return -4;
  /* lencode now holds the code-length code; decode the actual lengths. */
  index = 0;
  while (index < nlen + ndist) {
    int symbol;
    int len;
    symbol = puff_decode(s, &lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 16)
      lengths[index++] = symbol;
    else {
      len = 0;
      if (symbol == 16) {
        /* Repeat the previous length 3..6 times. */
        if (index == 0)
          return -5;
        len = lengths[index - 1];
        symbol = 3 + puff_bits(s, 2);
      } else if (symbol == 17)
        symbol = 3 + puff_bits(s, 3); /* 3..10 zero lengths */
      else
        symbol = 11 + puff_bits(s, 7); /* 11..138 zero lengths */
      if (index + symbol > nlen + ndist)
        return -6;
      while (symbol--)
        lengths[index++] = len;
    }
  }
  if (lengths[256] == 0)
    return -9;
  err = puff_construct(&lencode, lengths, nlen);
  if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
    return -7;
  short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  struct puff_huffman distcode = {distcnt, distsym};
  err = puff_construct(&distcode, lengths + nlen, ndist);
  if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
    return -8;
  return puff_codes(s, &lencode, &distcode);
}
/*
 * Inflate a raw deflate stream.
 *
 * @param dest       output buffer (only non-zero bytes are written, see
 *                   puff_codes/puff_stored).
 * @param destlen    in: capacity of dest; out: bytes produced.
 * @param source     compressed input.
 * @param sourcelen  length of source.
 * @return 0 on success; 2 if the input ran out (via the longjmp set up
 *         here); -1 for an invalid block type; otherwise the first
 *         non-zero result of puff_stored/puff_fixed/puff_dynamic.
 */
static int puff(unsigned char* dest, unsigned long* destlen,
const unsigned char* source, unsigned long sourcelen)
{
  struct puff_state s = {
  .out = dest,
  .outlen = *destlen,
  .outcnt = 0,
  .in = source,
  .inlen = sourcelen,
  .incnt = 0,
  .bitbuf = 0,
  .bitcnt = 0,
  };
  int err;
  if (setjmp(s.env) != 0) {
    err = 2; /* puff_bits/puff_decode hit the end of input */
  } else {
    int last;
    do {
      last = puff_bits(&s, 1);
      switch (puff_bits(&s, 2)) {
      case 0:
        err = puff_stored(&s);
        break;
      case 1:
        err = puff_fixed(&s);
        break;
      case 2:
        err = puff_dynamic(&s);
        break;
      default:
        err = -1;
        break;
      }
    } while (err == 0 && !last);
  }
  *destlen = s.outcnt;
  return err;
}
  835.  
  836. //% END CODE DERIVED FROM puff.{c,h}
  837.  
  838. #define ZLIB_HEADER_WIDTH 2
  839.  
/*
 * Inflate a zlib stream and write the result to `dest_fd`.
 *
 * The 2-byte zlib header is skipped and the trailing checksum is never
 * examined (puff stops after the final deflate block). Output goes through
 * an anonymous, zero-filled mapping of 132 MiB, which is what the
 * "write only non-zero bytes" convention in puff_codes relies on.
 *
 * Returns 0 if the input is shorter than the header, the result of the
 * final munmap on success, or -1 on failure (errno from mmap/write, or the
 * negated puff error code).
 */
static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen, int dest_fd)
{
  if (sourcelen < ZLIB_HEADER_WIDTH)
    return 0;
  const unsigned char* deflate = source + ZLIB_HEADER_WIDTH;
  unsigned long deflate_len = sourcelen - ZLIB_HEADER_WIDTH;
  const unsigned long cap = 132 << 20;
  void* map = mmap(0, cap, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
  if (map == MAP_FAILED)
    return -1;
  unsigned char* dest = map;
  unsigned long produced = cap;
  int err = puff(dest, &produced, deflate, deflate_len);
  if (err != 0) {
    munmap(dest, cap);
    errno = -err;
    return -1;
  }
  ssize_t written = write(dest_fd, dest, produced);
  if (written != (ssize_t)produced) {
    munmap(dest, cap);
    return -1;
  }
  return munmap(dest, cap);
}
  866.  
/*
 * Back the loop device `loopname` with the inflated image `data`.
 *
 * The image is inflated into a memfd (puff_zlib_to_file) which is then
 * attached with LOOP_SET_FD. If that fails with EBUSY the device is
 * presumably still attached from an earlier run: it is detached, given a
 * moment, and the attach is retried once.
 *
 * @param data      zlib-compressed image.
 * @param size      compressed size in bytes.
 * @param loopname  path of the loop device node.
 * @param loopfd_p  receives the open loop device descriptor on success.
 * @return 0 on success (memfd closed, *loopfd_p set), -1 with errno set
 *         on failure (every descriptor opened here closed again).
 */
static int setup_loop_device(unsigned char* data, unsigned long size,
const char* loopname, int* loopfd_p)
{
  int saved_errno = 0;
  int loopfd = -1;
  int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  if (memfd == -1) {
    saved_errno = errno;
    goto fail;
  }
  if (puff_zlib_to_file(data, size, memfd)) {
    saved_errno = errno;
    goto fail_memfd;
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    saved_errno = errno;
    goto fail_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd) != 0) {
    if (errno != EBUSY) {
      saved_errno = errno;
      goto fail_loop;
    }
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd) != 0) {
      saved_errno = errno;
      goto fail_loop;
    }
  }
  close(memfd);
  *loopfd_p = loopfd;
  return 0;

fail_loop:
  close(loopfd);
fail_memfd:
  close(memfd);
fail:
  errno = saved_errno;
  return -1;
}
  909.  
/* Detach whatever is attached to the loop device `loopname`. Best-effort:
 * a failure to open or to LOOP_CLR_FD is silently ignored. */
static void reset_loop_device(const char* loopname)
{
  int fd = open(loopname, O_RDWR);
  if (fd < 0)
    return;
  (void)ioctl(fd, LOOP_CLR_FD, 0);
  close(fd);
}
  920.  
/*
 * Attach a compressed disk image to /dev/loop<procid>, ask the kernel to
 * scan its partition table, and expose the partitions that appeared
 * (/dev/loop<procid>p1..p7) as ./file0, ./file1, ... symlinks.
 *
 * @param size   compressed image size.
 * @param image  pointer to the compressed image.
 * @return 0 on success, -1 with errno set if the loop setup or either
 *         LOOP_*_STATUS64 ioctl fails. The loop device is detached again
 *         only on the failure path; symlink failures are ignored.
 */
static long syz_read_part_table(volatile unsigned long size,
volatile long image)
{
  unsigned char* data = (unsigned char*)image;
  int saved_errno = 0;
  int res = -1;
  int loopfd = -1;
  char loopname[64];
  snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
  if (setup_loop_device(data, size, loopname, &loopfd) == -1)
    return -1;
  struct loop_info64 info;
  if (ioctl(loopfd, LOOP_GET_STATUS64, &info) != 0) {
    saved_errno = errno;
    goto out;
  }
  info.lo_flags |= LO_FLAGS_PARTSCAN;
  if (ioctl(loopfd, LOOP_SET_STATUS64, &info) != 0) {
    saved_errno = errno;
    goto out;
  }
  res = 0;
  int linkno = 0;
  for (int part = 1; part < 8; part++) {
    snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, part);
    struct stat st;
    if (stat(loopname, &st) != 0)
      continue;
    char linkname[64];
    snprintf(linkname, sizeof(linkname), "./file%d", linkno++);
    (void)symlink(loopname, linkname);
  }
out:
  if (res)
    ioctl(loopfd, LOOP_CLR_FD, 0);
  close(loopfd);
  errno = saved_errno;
  return res;
}
  958.  
/*
 * Mount a filesystem image (optionally backed by a loop device) at `dir`.
 *
 * When size != 0 the image is inflated onto /dev/loop<procid> via
 * setup_loop_device and that device becomes the mount source; otherwise
 * source stays NULL (presumably pseudo filesystems). Mount options are
 * copied with a cap of sizeof(opts)-32 bytes, leaving room for the
 * suffixes appended below (",errors=continue" is 16 chars). Per-filesystem
 * tweaks: iso9660 is forced read-only; ext* gets ",errors=continue" unless
 * errors=remount-ro is already present as a whole option and errors=panic
 * is absent; xfs gets ",nouuid".
 *
 * Returns -1 with errno set when the loop setup, mount() or the follow-up
 * open() fails. On success the return value is the O_RDONLY|O_DIRECTORY
 * descriptor of the mount point, except when change_dir is set, where it
 * is chdir()'s result (0, or -1 with errno) and the directory descriptor
 * is left open. NOTE(review): that descriptor is not closed on the
 * change_dir path — looks intentional, confirm with the callers.
 * The loop device is detached before returning in every case, and errno
 * is always rewritten (0 on success).
 */
static long syz_mount_image(volatile long fsarg, volatile long dir,
volatile long flags, volatile long optsarg,
volatile long change_dir,
volatile unsigned long size, volatile long image)
{
  unsigned char* data = (unsigned char*)image;
  int res = -1, err = 0, need_loop_device = !!size;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
    int loopfd;
    memset(loopname, 0, sizeof(loopname));
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(data, size, loopname, &loopfd) == -1)
      return -1;
    /* Only the device path is needed from here on. */
    close(loopfd);
    source = loopname;
  }
  mkdir(target, 0777); /* result ignored; presumably EEXIST is expected */
  char opts[256];
  memset(opts, 0, sizeof(opts));
  /* Empty branch: over-long options are silently truncated by the strncpy. */
  if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  }
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    /* errors=remount-ro counts only as a complete option, i.e. delimited
     * by start/end of string or commas. */
    bool has_remount_ro = false;
    char* remount_ro_start = strstr(opts, "errors=remount-ro");
    if (remount_ro_start != NULL) {
      char after = *(remount_ro_start + strlen("errors=remount-ro"));
      char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
      has_remount_ro = ((before == '\0' || before == ',') &&
      (after == '\0' || after == ','));
    }
    if (strstr(opts, "errors=panic") || !has_remount_ro)
      strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
    strcat(opts, ",nouuid");
  }
  res = mount(source, target, fs, flags, opts);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  res = open(target, O_RDONLY | O_DIRECTORY);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  if (change_dir) {
    /* res now becomes chdir's status; the directory fd stays open. */
    res = chdir(target);
    if (res == -1) {
      err = errno;
    }
  }

error_clear_loop:
  if (need_loop_device)
    reset_loop_device(loopname);
  errno = err;
  return res;
}
  1025.  
#define USLEEP_FORKED_CHILD (3 * 50 * 1000)

/*
 * Post-process a clone()/clone3() return value.
 *
 * In the parent, or on error, ret is passed back untouched. In the child
 * (ret == 0) this function never returns: the child idles for
 * USLEEP_FORKED_CHILD microseconds and then leaves through the raw exit
 * syscall rather than exit(3). The trailing loop only exists so the
 * non-void function has no fall-through path should exit ever come back.
 */
static long handle_clone_ret(long ret)
{
	if (ret == 0) {
		/* we are the child */
		usleep(USLEEP_FORKED_CHILD);
		syscall(__NR_exit, 0);
		for (;;) {
		}
	}
	return ret;
}
  1038.  
/*
 * clone(2) wrapper used by the generated program.
 *
 * stack/stack_len describe the child's stack region; the child's initial
 * stack pointer is the top of that region rounded down to a 16-byte
 * boundary. CLONE_VM is always stripped from flags, so the child runs in its
 * own copy of the address space. ptid, ctid and tls are passed straight
 * through. The parent receives the child's pid (or -1); the child itself is
 * parked and exited by handle_clone_ret() and never returns here.
 */
static long syz_clone(volatile long flags, volatile long stack,
		      volatile long stack_len, volatile long ptid,
		      volatile long ctid, volatile long tls)
{
	long top = stack + stack_len;
	long sp = top & ~(long)15;
	long child_flags = flags & ~CLONE_VM;
	long ret = (long)syscall(__NR_clone, child_flags, sp, ptid, ctid, tls);
	return handle_clone_ret(ret);
}
  1047.  
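#define MAX_CLONE_ARGS_BYTES 256
/*
 * clone3(2) wrapper used by the generated program.
 *
 * a0: pointer to a struct clone_args image; a1: its size in bytes, passed on
 * to clone3. Sizes shorter than the leading u64 flags word or larger than the
 * scratch buffer are rejected with -1 before a0 is dereferenced. A private
 * copy is made so CLONE_VM can be cleared (as syz_clone() does) without
 * writing back into the caller's memory. The parent receives the child pid
 * (or the syscall error); the child is parked and exited by
 * handle_clone_ret() and never returns here.
 */
static long syz_clone3(volatile long a0, volatile long a1)
{
	unsigned long copy_size = a1;
	if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
		return -1;
	/* uint64_t storage so the flags word can be read as a uint64_t: the
	 * earlier char[] buffer was accessed through a (uint64_t*) cast, which is
	 * neither guaranteed 8-byte aligned nor strict-aliasing clean. Zeroed so
	 * the unused tail never holds stale stack bytes. */
	uint64_t clone_args[MAX_CLONE_ARGS_BYTES / sizeof(uint64_t)] = {0};
	memcpy(clone_args, (void*)a0, copy_size);
	clone_args[0] &= ~(uint64_t)CLONE_VM; /* flags is the first field */
	return handle_clone_ret((long)syscall(__NR_clone3, clone_args, copy_size));
}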
  1060.  
/*
 * pidfd_open(2) wrapper used by the generated program.
 *
 * A request for pid 1 is rewritten to pid 0 before the syscall -- presumably
 * so the program can never obtain a handle on init. Everything else,
 * including flags, is passed through unchanged and the raw syscall result is
 * returned.
 */
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
	long target = (pid == 1) ? 0 : pid;
	return syscall(__NR_pidfd_open, target, flags);
}
  1068.  
#define IPPROTO_L2TP 115
#define IPPROTO_GGP 3
#define IPPROTO_ST 5
#define IPPROTO_CBT 7
#define IPPROTO_OSPF 89
#define IPPROTO_VRRP 112
/*
 * Fixed transport-header length assumed for an IP protocol number.
 *
 * syz_emit_proto() uses this to find where the payload starts after the
 * transport header inside a caller-supplied packet. The values are constant
 * per protocol (struct sizes from the kernel UAPI headers for ICMP/ICMPv6/
 * IGMP/TCP/UDP, literal sizes otherwise) and are never derived from the
 * packet itself, so e.g. TCP options are not accounted for. Any protocol not
 * listed -- including negative or > 255 values -- yields 4.
 */
size_t get_proto_hdr_len(int protocol)
{
	switch (protocol) {
	/* no transport header at all */
	case IPPROTO_IP:
	case IPPROTO_RAW:
	case IPPROTO_NONE:
		return 0;
	/* sizes taken from the UAPI structs */
	case IPPROTO_ICMP:
		return sizeof(struct icmphdr);
	case IPPROTO_ICMPV6:
		return sizeof(struct icmp6hdr);
	case IPPROTO_IGMP:
		return sizeof(struct igmphdr);
	case IPPROTO_TCP:
		return sizeof(struct tcphdr);
	case IPPROTO_UDP:
		return sizeof(struct udphdr);
	/* literal sizes, grouped by value */
	case IPPROTO_L2TP:
		return 6;
	case IPPROTO_ROUTING:
	case IPPROTO_FRAGMENT:
	case IPPROTO_RSVP:
	case IPPROTO_ESP:
	case IPPROTO_UDPLITE:
	case IPPROTO_DSTOPTS:
	case IPPROTO_MH:
	case IPPROTO_GGP:
	case IPPROTO_CBT:
	case IPPROTO_VRRP:
		return 8;
	case IPPROTO_IDP:
		return 10;
	case IPPROTO_EGP:
	case IPPROTO_DCCP:
	case IPPROTO_AH:
	case IPPROTO_SCTP:
		return 12;
	case IPPROTO_OSPF:
		return 24;
	case IPPROTO_IPV6:
		return 40;
	/* four-byte headers; identical to the default, kept explicit for
	 * documentation */
	case IPPROTO_IPIP:
	case IPPROTO_PUP:
	case IPPROTO_TP:
	case IPPROTO_GRE:
	case IPPROTO_MTP:
	case IPPROTO_BEETPH:
	case IPPROTO_ENCAP:
	case IPPROTO_PIM:
	case IPPROTO_COMP:
	case IPPROTO_MPLS:
	case IPPROTO_ST:
	default:
		return 4;
	}
}
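/*
 * Send one packet described by a caller-supplied IPv4/IPv6 frame.
 *
 * proto: transport protocol number (IPPROTO_*); it must equal the frame's
 *        protocol (IPv4) or nexthdr (IPv6) field.
 * a0:    struct sockaddr* destination; sa_family selects IPv4 vs IPv6 and is
 *        also used as the socket domain.
 * a1:    address length; must be exactly sizeof(struct sockaddr_in) or
 *        sizeof(struct sockaddr_in6) for that family.
 * a2:    pointer to a frame: IP header, transport header, payload. How much of
 *        it is read comes from the IP header's own length field (tot_len or
 *        payload_len), so the buffer must hold at least that many bytes.
 * a3:    TTL / hop limit, applied only when > 0.
 *
 * TCP always uses a connected SOCK_STREAM socket and sends only the payload.
 * Any other protocol picks SOCK_RAW or SOCK_DGRAM via rand(), which is never
 * seeded here, so the choice is fixed per process. SOCK_RAW sends the whole
 * frame starting at the IP header; SOCK_DGRAM/SOCK_STREAM send only the bytes
 * after the transport header as sized by get_proto_hdr_len().
 *
 * Returns the sendmsg() result, -1 when socket() fails, or a negative errno
 * value for any other failure. The socket is always closed before returning.
 *
 * Fixes over the previous version: the frame's length fields are now bounded
 * against the 4 KiB scratch buffer before the memcpy (they can claim up to
 * 64 KiB, which overflowed the stack), an IPv4 tot_len smaller than the
 * header length no longer wraps the payload length, and errno is captured
 * before close() can clobber it.
 */
static long syz_emit_proto(volatile long proto, volatile long a0,
			   volatile long a1, volatile long a2, volatile long a3)
{
	if (!a0 || !a2)
		return -EINVAL;
	struct sockaddr* addr = (struct sockaddr*)a0;
	int addr_len = (int)a1;
	char* packet = (char*)a2;
	int ttl = (int)a3;
	int is_ipv6 = (addr->sa_family == AF_INET6);
	int domain = addr->sa_family;
	int protocol = (int)proto;
	size_t want_len = is_ipv6 ? sizeof(struct sockaddr_in6)
				  : sizeof(struct sockaddr_in);
	if (addr_len < 0 || (size_t)addr_len != want_len)
		return -EINVAL;
	int sock_type = (protocol == IPPROTO_TCP)
			    ? SOCK_STREAM
			    : (rand() % 2 ? SOCK_RAW : SOCK_DGRAM);
	int fd = socket(domain, sock_type, protocol);
	if (fd < 0)
		return fd;
	long ret = -EINVAL;
	char final_pkt[4096] = {0};
	/* 1 ms send timeout so a blocking socket cannot stall the program;
	 * failure to set it is deliberately ignored. */
	struct timeval tv = {.tv_sec = 0, .tv_usec = 1000};
	setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO_NEW, &tv, sizeof(tv));
	if (ttl > 0) {
		int level = is_ipv6 ? IPPROTO_IPV6 : IPPROTO_IP;
		int optname = is_ipv6 ? IPV6_UNICAST_HOPS : IP_TTL;
		if (setsockopt(fd, level, optname, &ttl, sizeof(ttl)) < 0) {
			ret = -errno;
			goto out;
		}
	}
	if (sock_type == SOCK_STREAM && connect(fd, addr, addr_len) < 0) {
		ret = -errno;
		goto out;
	}
	/* Parse the frame. Every length below comes from the frame itself and
	 * is therefore checked against the scratch buffer before any copy. */
	size_t ip_hdr_len;
	size_t proto_len;
	size_t hdr_len = get_proto_hdr_len(protocol);
	if (!is_ipv6) {
		struct iphdr* ip = (struct iphdr*)packet;
		size_t tot_len = ntohs(ip->tot_len);
		ip_hdr_len = (size_t)ip->ihl * 4;
		/* tot_len < ip_hdr_len would wrap proto_len to a huge value */
		if (ip_hdr_len < sizeof(struct iphdr) || ip->protocol != protocol ||
		    tot_len < ip_hdr_len)
			goto out;
		proto_len = tot_len - ip_hdr_len;
	} else {
		struct ipv6hdr* ip6 = (struct ipv6hdr*)packet;
		ip_hdr_len = sizeof(struct ipv6hdr);
		if (ip6->nexthdr != protocol)
			goto out;
		proto_len = ntohs(ip6->payload_len);
	}
	/* ip_hdr_len <= 60 and proto_len <= 65535, so the sum cannot overflow */
	if (proto_len < hdr_len || ip_hdr_len + proto_len > sizeof(final_pkt))
		goto out;
	char* payload = packet + ip_hdr_len + hdr_len;
	size_t plen = proto_len - hdr_len;
	size_t total_len;
	if (sock_type == SOCK_RAW) {
		total_len = ip_hdr_len + proto_len;
		memcpy(final_pkt, packet, total_len);
	} else {
		total_len = plen;
		memcpy(final_pkt, payload, plen);
	}
	struct iovec iov = {.iov_base = final_pkt, .iov_len = total_len};
	struct msghdr msg = {
	    .msg_name = (sock_type == SOCK_STREAM) ? NULL : addr,
	    .msg_namelen = (sock_type == SOCK_STREAM) ? 0 : (socklen_t)addr_len,
	    .msg_iov = &iov,
	    .msg_iovlen = 1,
	};
	ret = sendmsg(fd, &msg, MSG_DONTWAIT);
out:
	close(fd);
	return ret;
}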
  1262.  
/*
 * Resource table for the generated program. Each slot receives the result of
 * an earlier call in main() (an fd, an id, or a value read back from memory)
 * so that later calls can refer to it as r[i]. Slots pre-filled with
 * 0xffffffffffffffff (-1) mark resources whose producing call has not
 * succeeded yet -- main() only stores a result when the syscall did not
 * return -1, so a failed producer leaves -1 behind for the consumers. Slots
 * pre-filled with 0 are presumably values where 0 is an acceptable default
 * (e.g. an interface index) if the producing call fails.
 */
uint64_t r[267] = {0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0x0,
0x0,
0x0,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0x0,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0x0,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff};
  1530.  
  1531. int main(void)
  1532. {
  1533. syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  1534. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  1535. /*offset=*/0ul);
  1536. syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
  1537. /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
  1538. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  1539. /*offset=*/0ul);
  1540. syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  1541. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  1542. /*offset=*/0ul);
  1543. const char* reason;
  1544. (void)reason;
  1545. intptr_t res = 0;
  1546. if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  1547. }
  1548. memcpy((void*)0x200000000040, "ext4\000", 5);
  1549. memcpy((void*)0x2000000000c0, "./file0\000", 8);
  1550. *(uint8_t*)0x200000000180 = 0;
  1551. memcpy(
  1552. (void*)0x200000000800,
  1553. "\x78\x9c\xec\xdd\xcd\x6b\x1c\xe5\x1f\x00\xf0\xef\x6c\x92\x26\xbf\xb4\x3f"
  1554. "\x13\x41\xd0\x7a\x0a\x08\x1a\xa8\xdd\x98\x1a\x5b\x05\x0f\x15\x0f\x22\x58"
  1555. "\x28\xe8\xd9\x74\xd9\x6c\x43\xcd\x26\x5b\xb2\x9b\xd2\x84\x40\x2d\x22\x78"
  1556. "\x11\x54\x3c\x08\x7a\xe9\xd9\x97\x7a\xf3\xea\xcb\x55\xff\x0b\x0f\xd2\x52"
  1557. "\x35\x2d\x56\x3c\x48\x64\x36\xb3\xed\xb6\xd9\x4d\x13\x9b\x6c\x52\xf7\xf3"
  1558. "\x81\xa7\x7d\x9e\x99\x67\xf3\xcc\x77\x9f\x99\x79\x9e\xdd\x19\x76\x02\xe8"
  1559. "\x5a\x23\xe9\x3f\xb9\x88\x83\x11\xf1\x41\x12\x31\x94\x2d\x4f\x22\xa2\xaf"
  1560. "\x9e\xeb\x8d\x38\xbe\x56\xef\xe6\xca\x72\x31\x4d\x49\xac\xae\xbe\xfe\x5b"
  1561. "\x52\xaf\x73\x63\x65\xb9\x18\x4d\xaf\x49\xed\xcf\x0a\x8f\x45\xc4\xf7\xef"
  1562. "\x46\x1c\xca\x25\xeb\xda\xad\x2e\x2e\xcd\x14\xca\xe5\xd2\x7c\x56\x1e\xab"
  1563. "\xcd\x9e\x1d\xab\x2e\x2e\x1d\x3e\x33\x5b\x98\x2e\x4d\x97\xe6\x8e\x8e\x4f"
  1564. "\x4c\x1c\x39\xf6\xdc\xb1\xa3\xdb\x17\xeb\x1f\x3f\x2d\x1d\xb8\xfa\xe1\x2b"
  1565. "\x4f\x7d\x75\xfc\xaf\x77\x1e\xbd\xfc\xfe\x0f\x49\x1c\x8f\x03\xd9\xba\xe6"
  1566. "\x38\xb6\xcb\x48\x8c\x64\xef\x49\x5f\xfa\x16\xde\xe1\xe5\xed\x6e\x6c\x97"
  1567. "\xad\xef\x61\x1e\x04\xb9\x88\xe8\x59\x3b\xca\xe3\x60\x0c\x45\x4f\x3d\x07"
  1568. "\x00\xfc\x97\x5d\x88\x88\x55\x00\xa0\xcb\x24\xc6\x7f\x00\xe8\x32\x8d\xef"
  1569. "\x01\x6e\xac\x2c\x17\x1b\x69\x77\xbf\x91\xe8\xac\x6b\x2f\x45\xc4\xc0\x5a"
  1570. "\xfc\x8d\xeb\x9b\x6b\x6b\x7a\xb3\x6b\x76\x03\xf5\xeb\xa0\x83\x37\x92\x3b"
  1571. "\xae\x8c\x24\x11\x31\xbc\x0d\xed\x8f\x44\xc4\x67\xdf\xbc\xf9\x45\x9a\x62"
  1572. "\x87\xae\x43\x02\xb4\xf2\xf6\xc5\x88\x38\x35\x3c\xb2\xfe\xfc\x9f\xac\xbb"
  1573. "\x67\x61\xab\x9e\xd9\x44\x9d\x91\xbb\xca\xce\x7f\xd0\x39\xdf\xa6\xf3\x9f"
  1574. "\xe7\x5b\xcd\xff\x72\xb7\xe6\x3f\xd1\x62\xfe\xd3\xdf\xe2\xd8\xfd\x37\xee"
  1575. "\x7d\xfc\xe7\xae\x6c\x43\x33\x6d\xa5\xf3\xbf\x17\x9b\xee\x6d\xbb\xd9\x14"
  1576. "\x7f\x66\xb8\x27\x2b\xfd\xbf\x3e\xe7\xeb\x4b\x4e\x9f\x29\x97\xd2\x73\xdb"
  1577. "\x43\x11\x31\x1a\x7d\xfd\x69\x79\x7c\x83\x36\x46\xaf\xff\x7d\xbd\xdd\xba"
  1578. "\xe6\xf9\xdf\xef\x1f\xbd\xf5\x79\xda\x7e\xfa\xff\xed\x1a\xb9\x2b\xbd\xfd"
  1579. "\x77\xbe\x66\xaa\x50\x2b\xdc\x4f\xcc\xcd\xae\x5d\x8c\x78\xbc\xb7\x55\xfc"
  1580. "\xc9\xad\xfe\x4f\xda\xcc\x7f\x4f\x6e\xb2\x8d\x57\x5f\x78\xef\xd3\x76\xeb"
  1581. "\xd2\xf8\xd3\x78\x1b\x69\x7d\xfc\x3b\x6b\xf5\x52\xc4\x93\x2d\xfb\xff\xf6"
  1582. "\x1d\x6d\xc9\x86\xf7\x27\x8e\xd5\x77\x87\xb1\xc6\x4e\xd1\xc2\xd7\x3f\x7f"
  1583. "\x32\xd8\xae\xfd\xe6\xfe\x4f\x53\xda\x7e\xe3\xb3\x40\x27\xa4\xfd\x3f\xb8"
  1584. "\x71\xfc\xc3\x49\xf3\xfd\x9a\xd5\xad\xb7\xf1\xe3\xa5\xa1\xef\xda\xad\x6b"
  1585. "\x19\xff\x85\xe6\x1a\xad\xf7\xff\x7d\xc9\x1b\xf5\xfc\xbe\x6c\xd9\xf9\x42"
  1586. "\xad\x36\x3f\x1e\xb1\x2f\x79\x6d\xfd\xf2\x23\xb7\x5f\xdb\x28\x37\xea\xa7"
  1587. "\xf1\x8f\x3e\xd1\xfa\xf8\xdf\x68\xff\x4f\x3f\x13\x9e\xda\x64\xfc\xbd\x57"
  1588. "\x7f\xfd\x72\x4b\xf1\x77\xb8\xff\xa7\xb6\xd4\xff\x5b\xcf\x5c\xbe\x39\xd3"
  1589. "\xd3\xae\xfd\x7b\xc7\x9f\xf6\xff\x44\x3d\x37\x9a\x2d\xd9\xcc\xf9\x6f\xb3"
  1590. "\x1b\x78\x3f\xef\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1591. "\x00\x00\x00\x00\x00\x00\x6c\x56\x2e\x22\x0e\x44\x92\xcb\xdf\xca\xe7\x72"
  1592. "\xf9\xfc\xda\x33\xbc\x1f\x89\xc1\x5c\xb9\x52\xad\x1d\x3a\x5d\x59\x98\x9b"
  1593. "\x8a\xfa\xb3\xb2\x87\xa3\x2f\xd7\xf8\xa9\xcb\xa1\xa6\xdf\x43\x1d\xcf\x7e"
  1594. "\x0f\xbf\x51\x3e\x72\x57\xf9\xd9\x88\x78\x38\x22\x3e\xee\xff\x5f\xbd\x9c"
  1595. "\x2f\x56\xca\x53\xbb\x1d\x3c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1596. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1597. "\x00\x00\x64\xf6\xb7\x79\xfe\x7f\xea\x97\xfe\xdd\xde\x3a\x00\x60\xc7\x0c"
  1598. "\xec\xf6\x06\x00\x00\x1d\x67\xfc\x07\x80\xee\x63\xfc\x07\x80\xee\x63\xfc"
  1599. "\x07\x80\xee\x63\xfc\x07\x80\xee\x63\xfc\x07\x00\x00\x00\x00\x00\x00\x00"
  1600. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1601. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1602. "\x00\x00\x00\x00\x00\x00\x00\x60\x87\x9d\x3c\x71\x22\x4d\xab\x7f\xae\x2c"
  1603. "\x17\xd3\xf2\xd4\xb9\xc5\x85\x99\xca\xb9\xc3\x53\xa5\xea\x4c\x7e\x76\xa1"
  1604. "\x98\x2f\x56\xe6\xcf\xe6\xa7\x2b\x95\xe9\x72\x29\x5f\xac\xcc\xde\xeb\xef"
  1605. "\x95\x2b\x95\xb3\x13\x31\xb7\x70\x7e\xac\x56\xaa\xd6\xc6\xaa\x8b\x4b\x93"
  1606. "\xb3\x95\x85\xb9\xda\xe4\x99\xd9\xc2\x74\x69\xb2\xd4\xd7\x91\xa8\x00\x00"
  1607. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1608. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\x6b\xaa\x8b\x4b\x33\x85"
  1609. "\x72\xb9\x34\xdf\x9d\x99\x81\xd8\x13\x9b\x21\xd3\xc1\xcc\xe4\xe8\xd3\xc9"
  1610. "\x1e\xd8\x8c\xbd\x9e\xd9\xed\x33\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1611. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1612. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1613. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1614. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1615. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1616. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1617. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1618. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1619. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1620. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1621. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1622. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1623. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1624. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1625. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1626. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1627. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1628. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1629. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1630. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1631. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1632. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1633. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1634. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1635. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1636. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1637. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1638. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1639. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1640. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1641. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1642. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1643. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1644. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1645. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1646. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1647. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1648. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1649. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1650. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1651. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1652. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1653. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1654. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1655. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1656. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1657. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1658. "\xc0\x83\xe1\x9f\x00\x00\x00\xff\xff\x4a\x6a\x27\x06",
  1659. 1903);
  1660. syz_mount_image(
  1661. /*fs=*/0x200000000040, /*dir=*/0x2000000000c0,
  1662. /*flags=MS_SYNCHRONOUS|MS_NOSUID|MS_NODIRATIME|MS_NOATIME*/ 0xc12,
  1663. /*opts=*/0x200000000180, /*chdir=*/1, /*size=*/0x76f,
  1664. /*img=*/0x200000000800);
  1665. memcpy((void*)0x200000000100, "memory.events.local\000", 20);
  1666. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000100ul,
  1667. /*flags=*/0x275a, /*mode=*/0);
  1668. if (res != -1)
  1669. r[0] = res;
  1670. memcpy((void*)0x200000002000, "./bus\000", 6);
  1671. syscall(__NR_open, /*file=*/0x200000002000ul,
  1672. /*flags=O_SYNC|O_NOCTTY|O_NOATIME|O_CREAT|FASYNC|0x2*/ 0x143142ul,
  1673. /*mode=*/0ul);
  1674. memcpy((void*)0x200000000380, "/dev/loop", 9);
  1675. *(uint8_t*)0x200000000389 = 0x30;
  1676. *(uint8_t*)0x20000000038a = 0;
  1677. memcpy((void*)0x200000000140, "./bus\000", 6);
  1678. syscall(__NR_mount, /*src=*/0x200000000380ul, /*dst=*/0x200000000140ul,
  1679. /*type=*/0ul, /*flags=MS_BIND*/ 0x1000ul, /*data=*/0ul);
  1680. memcpy((void*)0x2000000005c0, "./bus\000", 6);
  1681. res = syscall(
  1682. __NR_open, /*file=*/0x2000000005c0ul,
  1683. /*flags=O_SYNC|O_NONBLOCK|O_NOATIME|O_DIRECT|O_CREAT|0x2*/ 0x145842ul,
  1684. /*mode=*/0ul);
  1685. if (res != -1)
  1686. r[1] = res;
  1687. *(uint64_t*)0x200000000240 = 0x200000000000;
  1688. memset((void*)0x200000000000, 133, 1);
  1689. *(uint64_t*)0x200000000248 = 0xa000;
  1690. syscall(__NR_pwritev2, /*fd=*/r[1], /*vec=*/0x200000000240ul, /*vlen=*/1ul,
  1691. /*off_low=*/0x1400, /*off_high=*/0,
  1692. /*flags=RWF_HIPRI|RWF_DSYNC*/ 3ul);
  1693. res = syscall(__NR_socket, /*domain=*/0x11ul, /*type=SOCK_DGRAM*/ 2ul,
  1694. /*proto=*/0x300);
  1695. if (res != -1)
  1696. r[2] = res;
  1697. memcpy((void*)0x200000000180,
  1698. "lo\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 16);
  1699. res = syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x8933,
  1700. /*arg=*/0x200000000180ul);
  1701. if (res != -1)
  1702. r[3] = *(uint32_t*)0x200000000190;
  1703. *(uint16_t*)0x2000000001c0 = 0x11;
  1704. *(uint16_t*)0x2000000001c2 = htobe16(0);
  1705. *(uint32_t*)0x2000000001c4 = r[3];
  1706. *(uint16_t*)0x2000000001c8 = 1;
  1707. *(uint8_t*)0x2000000001ca = 0;
  1708. *(uint8_t*)0x2000000001cb = 6;
  1709. memset((void*)0x2000000001cc, 170, 5);
  1710. *(uint8_t*)0x2000000001d1 = 0;
  1711. memset((void*)0x2000000001d2, 0, 2);
  1712. syscall(__NR_sendto, /*fd=*/r[2], /*buf=*/0ul, /*len=*/0ul, /*f=*/0ul,
  1713. /*addr=*/0x2000000001c0ul, /*addrlen=*/0x14ul);
  1714. memcpy((void*)0x200000000080, "./bus\000", 6);
  1715. res = syscall(__NR_stat, /*file=*/0x200000000080ul,
  1716. /*statbuf=*/0x2000000001c0ul);
  1717. if (res != -1)
  1718. r[4] = *(uint32_t*)0x2000000001d8;
  1719. *(uint32_t*)0x200000000280 = htobe32(0xa010100);
  1720. *(uint32_t*)0x200000000290 = htobe32(0);
  1721. *(uint16_t*)0x2000000002a0 = htobe16(0x4e22);
  1722. *(uint16_t*)0x2000000002a2 = htobe16(0xb);
  1723. *(uint16_t*)0x2000000002a4 = htobe16(0x4e20);
  1724. *(uint16_t*)0x2000000002a6 = htobe16(6);
  1725. *(uint16_t*)0x2000000002a8 = 0xa;
  1726. *(uint8_t*)0x2000000002aa = 0x80;
  1727. *(uint8_t*)0x2000000002ab = 0xa0;
  1728. *(uint8_t*)0x2000000002ac = 0x87;
  1729. *(uint32_t*)0x2000000002b0 = r[3];
  1730. *(uint32_t*)0x2000000002b4 = r[4];
  1731. *(uint64_t*)0x2000000002b8 = 0xb;
  1732. *(uint64_t*)0x2000000002c0 = 4;
  1733. *(uint64_t*)0x2000000002c8 = 0x8000000000000000;
  1734. *(uint64_t*)0x2000000002d0 = 6;
  1735. *(uint64_t*)0x2000000002d8 = 4;
  1736. *(uint64_t*)0x2000000002e0 = 1;
  1737. *(uint64_t*)0x2000000002e8 = 0x2208;
  1738. *(uint64_t*)0x2000000002f0 = 0x190;
  1739. *(uint64_t*)0x2000000002f8 = 0;
  1740. *(uint64_t*)0x200000000300 = 8;
  1741. *(uint64_t*)0x200000000308 = 0x7f;
  1742. *(uint64_t*)0x200000000310 = 2;
  1743. *(uint32_t*)0x200000000318 = 1;
  1744. *(uint32_t*)0x20000000031c = 0;
  1745. *(uint8_t*)0x200000000320 = 2;
  1746. *(uint8_t*)0x200000000321 = 1;
  1747. *(uint8_t*)0x200000000322 = 1;
  1748. *(uint8_t*)0x200000000323 = 2;
  1749. *(uint8_t*)0x200000000328 = 0xfc;
  1750. *(uint8_t*)0x200000000329 = 1;
  1751. memset((void*)0x20000000032a, 0, 13);
  1752. *(uint8_t*)0x200000000337 = 1;
  1753. *(uint32_t*)0x200000000338 = htobe32(0x4d5);
  1754. *(uint8_t*)0x20000000033c = 0xcc;
  1755. *(uint16_t*)0x200000000340 = 0xa;
  1756. *(uint8_t*)0x200000000344 = -1;
  1757. *(uint8_t*)0x200000000345 = 2;
  1758. memset((void*)0x200000000346, 0, 13);
  1759. *(uint8_t*)0x200000000353 = 1;
  1760. *(uint32_t*)0x200000000354 = 0x3503;
  1761. *(uint8_t*)0x200000000358 = 0;
  1762. *(uint8_t*)0x200000000359 = 2;
  1763. *(uint8_t*)0x20000000035a = 5;
  1764. *(uint32_t*)0x20000000035c = 5;
  1765. *(uint32_t*)0x200000000360 = 0xfc65;
  1766. *(uint32_t*)0x200000000364 = 7;
  1767. syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/0x29, /*optname=*/0x23,
  1768. /*optval=*/0x200000000280ul, /*optlen=*/0xe8ul);
  1769. sprintf((char*)0x200000000380, "0x%016llx", (long long)0);
  1770. syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x200000000380ul, /*len=*/0x12ul);
  1771. *(uint8_t*)0x200000000000 = 0;
  1772. syscall(__NR_prctl, /*option=*/0x3bul, /*mode=*/1ul, /*offset=*/0ul,
  1773. /*len=*/0ul, /*selector=*/0x200000000000ul);
  1774. res = syscall(__NR_shmget, /*key=*/0ul, /*size=*/0x400000ul, /*flags=*/0ul,
  1775. /*unused=*/0x20000000e000ul);
  1776. if (res != -1)
  1777. r[5] = res;
  1778. res = syscall(__NR_getpid);
  1779. if (res != -1)
  1780. r[6] = res;
  1781. *(uint64_t*)0x200000000000 = 0;
  1782. *(uint64_t*)0x200000000008 = 0;
  1783. syscall(__NR_setrlimit,
  1784. /*res=RLIMIT_MEMLOCK|0x40000000000000*/ 0x40000000000008ul,
  1785. /*rlim=*/0x200000000000ul);
  1786. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0x88);
  1787. if (res != -1)
  1788. r[7] = res;
  1789. *(uint32_t*)0x200000000280 = 5;
  1790. res = syscall(__NR_getsockopt, /*fd=*/r[7], /*level=*/1, /*optname=*/0x11,
  1791. /*optval=*/0x200000000240ul, /*optlen=*/0x200000000280ul);
  1792. if (res != -1)
  1793. r[8] = *(uint32_t*)0x200000000244;
  1794. syscall(__NR_setresuid, /*ruid=*/0, /*euid=*/r[8], /*suid=*/0);
  1795. res = syscall(__NR_socket, /*domain=*/0xaul,
  1796. /*type=SOCK_DGRAM|0x800000000000000*/ 0x800000000000002ul,
  1797. /*proto=*/0);
  1798. if (res != -1)
  1799. r[9] = res;
  1800. *(uint16_t*)0x200000000200 = 0xa;
  1801. *(uint16_t*)0x200000000202 = htobe16(0x4e20);
  1802. *(uint32_t*)0x200000000204 = htobe32(0);
  1803. *(uint8_t*)0x200000000208 = -1;
  1804. *(uint8_t*)0x200000000209 = 2;
  1805. memset((void*)0x20000000020a, 0, 13);
  1806. *(uint8_t*)0x200000000217 = 1;
  1807. *(uint32_t*)0x200000000218 = 0;
  1808. syscall(__NR_sendto, /*fd=*/r[9], /*buf=*/0ul, /*len=*/0ul,
  1809. /*f=MSG_ZEROCOPY|MSG_FASTOPEN|MSG_BATCH|MSG_MORE|0x10000002*/
  1810. 0x34048002ul, /*addr=*/0x200000000200ul, /*addrlen=*/0x7aul);
  1811. *(uint32_t*)0x200000000180 = 1;
  1812. *(uint32_t*)0x200000000184 = 0;
  1813. syscall(__NR_setsockopt, /*fd=*/r[9], /*level=*/1, /*optname=*/0x3c,
  1814. /*optval=*/0x200000000180ul, /*optlen=*/8ul);
  1815. *(uint64_t*)0x200000000840 = 0;
  1816. *(uint32_t*)0x200000000848 = 0;
  1817. *(uint64_t*)0x200000000850 = 0x2000000007c0;
  1818. *(uint64_t*)0x2000000007c0 = 0x200000000040;
  1819. memset((void*)0x200000000040, 1, 1);
  1820. *(uint64_t*)0x2000000007c8 = 1;
  1821. *(uint64_t*)0x200000000858 = 1;
  1822. *(uint64_t*)0x200000000860 = 0;
  1823. *(uint64_t*)0x200000000868 = 0;
  1824. *(uint32_t*)0x200000000870 = 0;
  1825. *(uint32_t*)0x200000000878 = 0;
  1826. syscall(__NR_sendmmsg, /*fd=*/r[9], /*mmsg=*/0x200000000840ul, /*vlen=*/1ul,
  1827. /*f=MSG_ZEROCOPY|MSG_CONFIRM|0x8*/ 0x4000808ul);
  1828. *(uint32_t*)0x200000000200 = 0x24;
  1829. syscall(__NR_sched_setscheduler, /*pid=*/r[6], /*policy=SCHED_RR*/ 2ul,
  1830. /*prio=*/0x200000000200ul);
  1831. res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_STREAM*/ 1ul,
  1832. /*proto=*/0, /*fds=*/0x200000000100ul);
  1833. if (res != -1) {
  1834. r[10] = *(uint32_t*)0x200000000100;
  1835. r[11] = *(uint32_t*)0x200000000104;
  1836. }
  1837. res = syscall(__NR_pipe, /*pipefd=*/0x2000000000c0ul);
  1838. if (res != -1)
  1839. r[12] = *(uint32_t*)0x2000000000c4;
  1840. syscall(__NR_shmctl, /*shmid=*/r[5], /*cmd=*/2ul, /*buf=*/0x200000000140ul);
  1841. syscall(__NR_splice, /*fdin=*/r[10], /*offin=*/0ul, /*fdout=*/r[12],
  1842. /*offout=*/0ul, /*len=*/7ul, /*f=*/0ul);
  1843. *(uint32_t*)0x200000004280 = 0xb;
  1844. *(uint8_t*)0x200000004284 = 0x77;
  1845. *(uint16_t*)0x200000004285 = 0;
  1846. *(uint32_t*)0x200000004287 = 0;
  1847. syscall(__NR_write, /*fd=*/r[12], /*data=*/0x200000004280ul, /*size=*/0xbul);
  1848. syscall(__NR_dup2, /*oldfd=*/r[10], /*newfd=*/r[11]);
  1849. syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0ul,
  1850. /*statbuf=*/0x200000000000ul, /*flag=AT_EMPTY_PATH*/ 0x1000ul);
  1851. memcpy(
  1852. (void*)0x200000000080,
  1853. "\x21\xd2\x12\xa9\x02\x86\x4a\xd5\x76\x37\xf5\x2a\xa3\x85\xa4\xed\x19\x7d"
  1854. "\x36\x00\x9c\x0f\xb8\x82\x6b\x6a\x80\x55\xc6\xd2\xf7\x7d\x60\x46\xd9\x4c"
  1855. "\x2c\xef\xab\xf0\x2e\x6c\x4d\xdb\x1f\x51\x7b\x53\x5f\xff\x3a\x3d\x7c\x4d"
  1856. "\x26\x30\xa8\xc2\x26\x82\x97\x94\x60\xce\xee\xc2\xab\x5c\x1b\xff\x62\xfd"
  1857. "\x7c\xf3\x72\x91\xa9\x86\x16\xa2\x01\x82\xb6\xd2\xc2\x7b\x3b\x13\xf0\x14"
  1858. "\x92\x81\x88\xb6\xd4\xee\xbf\xbe\x01\x2b\x64\x42\x8a\xbf\xc6\x48\x08",
  1859. 107);
  1860. syscall(__NR_write, /*fd=*/-1, /*data=*/0x200000000080ul, /*len=*/0x6bul);
  1861. *(uint32_t*)0x20000001d000 = 2;
  1862. *(uint32_t*)0x20000001d004 = 0x80;
  1863. *(uint8_t*)0x20000001d008 = 0x62;
  1864. *(uint8_t*)0x20000001d009 = 0;
  1865. *(uint8_t*)0x20000001d00a = 4;
  1866. *(uint8_t*)0x20000001d00b = 0;
  1867. *(uint32_t*)0x20000001d00c = 0;
  1868. *(uint64_t*)0x20000001d010 = 0x8000000000000000;
  1869. *(uint64_t*)0x20000001d018 = 0;
  1870. *(uint64_t*)0x20000001d020 = 1;
  1871. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 0, 1);
  1872. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 1, 1);
  1873. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 2, 1);
  1874. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 3, 1);
  1875. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 4, 1);
  1876. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 5, 1);
  1877. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 6, 1);
  1878. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 7, 1);
  1879. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 8, 1);
  1880. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 9, 1);
  1881. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 10, 1);
  1882. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 11, 1);
  1883. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 12, 1);
  1884. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 13, 1);
  1885. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 14, 1);
  1886. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 15, 2);
  1887. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 17, 1);
  1888. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 18, 1);
  1889. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 19, 1);
  1890. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 20, 1);
  1891. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 21, 1);
  1892. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 22, 1);
  1893. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 23, 1);
  1894. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 24, 1);
  1895. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 25, 1);
  1896. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 26, 1);
  1897. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 27, 1);
  1898. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 28, 1);
  1899. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 29, 1);
  1900. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 30, 1);
  1901. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 31, 1);
  1902. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 32, 1);
  1903. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 33, 1);
  1904. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 34, 1);
  1905. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 35, 1);
  1906. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 36, 1);
  1907. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 37, 1);
  1908. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 38, 26);
  1909. *(uint32_t*)0x20000001d030 = 0x40;
  1910. *(uint32_t*)0x20000001d034 = 2;
  1911. *(uint64_t*)0x20000001d038 = 6;
  1912. *(uint64_t*)0x20000001d040 = 0x33;
  1913. *(uint64_t*)0x20000001d048 = 0;
  1914. *(uint64_t*)0x20000001d050 = 0;
  1915. *(uint32_t*)0x20000001d058 = 0;
  1916. *(uint32_t*)0x20000001d05c = 0;
  1917. *(uint64_t*)0x20000001d060 = 0;
  1918. *(uint32_t*)0x20000001d068 = 0;
  1919. *(uint16_t*)0x20000001d06c = 0;
  1920. *(uint16_t*)0x20000001d06e = 0;
  1921. *(uint32_t*)0x20000001d070 = 0;
  1922. *(uint32_t*)0x20000001d074 = 0;
  1923. *(uint64_t*)0x20000001d078 = 0;
  1924. syscall(__NR_perf_event_open, /*attr=*/0x20000001d000ul, /*pid=*/0,
  1925. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  1926. syscall(__NR_shmctl, /*shmid=*/0, /*cmd=*/0ul, 0);
  1927. memcpy((void*)0x200000000100,
  1928. "\0203q}2[\340\232\356\257\003\227\236t\v\"|"
  1929. "Ma\206\347\300\024\237\271h\261\226\347=I\2060S6\265\250\302\225Je%"
  1930. "\376G\'e\345\217\370\322\034\300\373\034\246\253\bi\344^"
  1931. "\325\375\251\r\2547A\224k\315\t\000\220k\326\005\266&"
  1932. "\320\235aA\305\234_\324\030,\f\324s\262\231/"
  1933. "\300\232\362Oc\300c\003gB!\260\270n\001\233T\225\020\206\350$\177\r["
  1934. "\371\0161v\261\n\210\v\225uy\265:`\213\nC\030A;\252%"
  1935. "\257\307\243\254\242D\265\342\341\334(\375\005\237B\204O\376@"
  1936. "\000\000\000\000\000\000\000\000\000\000\000\000\032\240\027\343\254"
  1937. "\351\311\247\212\033\003\"&\254\312p>"
  1938. "\314Z\001\274\030\301\271\351\v\213\234\264Q\324\226EV<>"
  1939. "\231\312\263\340\304tL\355\365W\275#\317\212\204\355\237/"
  1940. "\324\273\352;-Dp\370\320F\220\370\222Ip6\364\026\350\024\340\222!"
  1941. "\222-F\342\024D\221\250b\004\335\035\a\334\340\030\205{"
  1942. "\200Q\366k\226\372Q\237W\vO\360\344O\\\316S\362\336\0049d\006#"
  1943. "\210\303\337\205O\034\303\255?r\327\016\000\327\203\260\210\234\366Y-"
  1944. "F\230\335\234~\375\225\303\266lC\252\"Y\242K\354z\204:*"
  1945. "\365Y\321\2331\221\233\025\324\354\002o\001&"
  1946. "\252\220w\304\307yn\265\032g\253&?"
  1947. "\276\313\350v\250\340\244\201sW\254f\0249\322}\357CGa\232$4\214\245!"
  1948. "p\203\005\226%\002%\253j\n\b\310NC\221}&"
  1949. "y\323\341\356p\'\305\253\031GsX5\214\n\237h\356;4\261%"
  1950. "V\340\251\216\3630:\330\030N~G\0239\312",
  1951. 440);
  1952. res = syscall(__NR_memfd_create, /*name=*/0x200000000100ul,
  1953. /*flags=MFD_ALLOW_SEALING*/ 2ul);
  1954. if (res != -1)
  1955. r[13] = res;
  1956. *(uint64_t*)0x200000000880 = 0x2000000005c0;
  1957. memset((void*)0x2000000005c0, 231, 1);
  1958. *(uint64_t*)0x200000000888 = 1;
  1959. syscall(__NR_pwritev, /*fd=*/r[13], /*vec=*/0x200000000880ul, /*vlen=*/1ul,
  1960. /*off_low=*/0xff, /*off_high=*/0);
  1961. res = syscall(__NR_pipe, /*pipefd=*/0x200000000080ul);
  1962. if (res != -1) {
  1963. r[14] = *(uint32_t*)0x200000000080;
  1964. r[15] = *(uint32_t*)0x200000000084;
  1965. }
  1966. memcpy((void*)0x200000000000,
  1967. "\x24\x00\x00\x00\x1e\x00\x5f\x00\x14\xf9\xf5\x07\x00\x09\x04\xa9\x07",
  1968. 17);
  1969. syscall(__NR_write, /*fd=*/-1, /*buf=*/0x200000000000ul, /*count=*/0x11ul);
  1970. syscall(__NR_write, /*fd=*/r[15], /*data=*/0x200000000000ul,
  1971. /*len=*/0xfffffeccul);
  1972. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  1973. if (res != -1)
  1974. r[16] = res;
  1975. syscall(__NR_splice, /*fdin=*/r[14], /*offin=*/0ul, /*fdout=*/r[16],
  1976. /*offout=*/0ul, /*len=*/0x5976ul, /*f=*/0ul);
  1977. syscall(__NR_fcntl, /*fd=*/r[13], /*cmd=*/0x409ul,
  1978. /*seals=F_SEAL_GROW|F_SEAL_SHRINK*/ 6ul);
  1979. *(uint32_t*)0x200000000100 = 2;
  1980. *(uint32_t*)0x200000000104 = 0x80;
  1981. *(uint8_t*)0x200000000108 = 0;
  1982. *(uint8_t*)0x200000000109 = 2;
  1983. *(uint8_t*)0x20000000010a = 0;
  1984. *(uint8_t*)0x20000000010b = 0;
  1985. *(uint32_t*)0x20000000010c = 0;
  1986. *(uint64_t*)0x200000000110 = 0;
  1987. *(uint64_t*)0x200000000118 = 0;
  1988. *(uint64_t*)0x200000000120 = 0;
  1989. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 0, 1);
  1990. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 1, 1);
  1991. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 2, 1);
  1992. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 3, 1);
  1993. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 4, 1);
  1994. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 5, 1);
  1995. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 6, 1);
  1996. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 7, 1);
  1997. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 8, 1);
  1998. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 9, 1);
  1999. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 10, 1);
  2000. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 11, 1);
  2001. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 12, 1);
  2002. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 13, 1);
  2003. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 14, 1);
  2004. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 15, 2);
  2005. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 17, 1);
  2006. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 18, 1);
  2007. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 19, 1);
  2008. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 20, 1);
  2009. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 21, 1);
  2010. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 22, 1);
  2011. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 23, 1);
  2012. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 24, 1);
  2013. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 25, 1);
  2014. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 26, 1);
  2015. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 27, 1);
  2016. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 28, 1);
  2017. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 29, 1);
  2018. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 30, 1);
  2019. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 31, 1);
  2020. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 32, 1);
  2021. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 33, 1);
  2022. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 34, 1);
  2023. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 35, 1);
  2024. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 36, 1);
  2025. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 37, 1);
  2026. STORE_BY_BITMASK(uint64_t, , 0x200000000128, 0, 38, 26);
  2027. *(uint32_t*)0x200000000130 = 0;
  2028. *(uint32_t*)0x200000000134 = 0;
  2029. *(uint64_t*)0x200000000138 = 0;
  2030. *(uint64_t*)0x200000000140 = 0;
  2031. *(uint64_t*)0x200000000148 = 0;
  2032. *(uint64_t*)0x200000000150 = 0;
  2033. *(uint32_t*)0x200000000158 = 0;
  2034. *(uint32_t*)0x20000000015c = 0;
  2035. *(uint64_t*)0x200000000160 = 0;
  2036. *(uint32_t*)0x200000000168 = 0;
  2037. *(uint16_t*)0x20000000016c = 0;
  2038. *(uint16_t*)0x20000000016e = 0;
  2039. *(uint32_t*)0x200000000170 = 0;
  2040. *(uint32_t*)0x200000000174 = 0;
  2041. *(uint64_t*)0x200000000178 = 0;
  2042. syscall(__NR_perf_event_open, /*attr=*/0x200000000100ul, /*fd=*/-1,
  2043. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  2044. *(uint32_t*)0x200000000140 = 2;
  2045. *(uint32_t*)0x200000000144 = 0x80;
  2046. *(uint8_t*)0x200000000148 = 0;
  2047. *(uint8_t*)0x200000000149 = 2;
  2048. *(uint8_t*)0x20000000014a = 0;
  2049. *(uint8_t*)0x20000000014b = 0;
  2050. *(uint32_t*)0x20000000014c = 0;
  2051. *(uint64_t*)0x200000000150 = 0;
  2052. *(uint64_t*)0x200000000158 = 0;
  2053. *(uint64_t*)0x200000000160 = 0;
  2054. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 0, 1);
  2055. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 1, 1);
  2056. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 2, 1);
  2057. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 3, 1);
  2058. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 4, 1);
  2059. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 5, 1);
  2060. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 6, 1);
  2061. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 7, 1);
  2062. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 8, 1);
  2063. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 9, 1);
  2064. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 10, 1);
  2065. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 11, 1);
  2066. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 12, 1);
  2067. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 13, 1);
  2068. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 14, 1);
  2069. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 15, 2);
  2070. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 17, 1);
  2071. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 18, 1);
  2072. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 19, 1);
  2073. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 20, 1);
  2074. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 21, 1);
  2075. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 22, 1);
  2076. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 23, 1);
  2077. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 24, 1);
  2078. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 25, 1);
  2079. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 26, 1);
  2080. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 27, 1);
  2081. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 28, 1);
  2082. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 29, 1);
  2083. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 30, 1);
  2084. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 31, 1);
  2085. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 32, 1);
  2086. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 33, 1);
  2087. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 34, 1);
  2088. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 35, 1);
  2089. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 36, 1);
  2090. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 37, 1);
  2091. STORE_BY_BITMASK(uint64_t, , 0x200000000168, 0, 38, 26);
  2092. *(uint32_t*)0x200000000170 = 0;
  2093. *(uint32_t*)0x200000000174 = 0;
  2094. *(uint64_t*)0x200000000178 = 0;
  2095. *(uint64_t*)0x200000000180 = 0;
  2096. *(uint64_t*)0x200000000188 = 0;
  2097. *(uint64_t*)0x200000000190 = 0;
  2098. *(uint32_t*)0x200000000198 = 0;
  2099. *(uint32_t*)0x20000000019c = 0;
  2100. *(uint64_t*)0x2000000001a0 = 0;
  2101. *(uint32_t*)0x2000000001a8 = 0;
  2102. *(uint16_t*)0x2000000001ac = 0;
  2103. *(uint16_t*)0x2000000001ae = 0;
  2104. *(uint32_t*)0x2000000001b0 = 5;
  2105. *(uint32_t*)0x2000000001b4 = 0;
  2106. *(uint64_t*)0x2000000001b8 = 0;
  2107. syscall(__NR_perf_event_open, /*attr=*/0x200000000140ul, /*fd=*/-1,
  2108. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  2109. memcpy((void*)0x2000000000c0, "/dev/loop#\000", 11);
  2110. res = -1;
  2111. res = syz_open_dev(/*dev=*/0x2000000000c0, /*id=*/0x800, /*flags=*/0);
  2112. if (res != -1)
  2113. r[17] = res;
  2114. syscall(__NR_ioctl, /*fd=*/r[17], /*cmd=*/0x4c05, /*arg=*/0x2000000003c0ul);
  2115. syscall(__NR_write, /*fd=*/r[13], /*data=*/0x200000000000ul, /*len=*/4ul);
  2116. syscall(__NR_prctl, /*option=*/0x42ul, /*mode=*/0ul, 0, 0, 0);
  2117. syz_proconfig_set__sys_fs_cgroup_dev_mqueue_mount_cgroup_freeze(
  2118. /*val=*/0x80000000);
  2119. memcpy((void*)0x200000000000, "./file0\000", 8);
  2120. memcpy((void*)0x200000000040, "./file0\000", 8);
  2121. syscall(__NR_pivot_root, /*new_root=*/0x200000000000ul,
  2122. /*put_old=*/0x200000000040ul);
  2123. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  2124. if (res != -1)
  2125. r[18] = res;
  2126. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  2127. if (res != -1)
  2128. r[19] = res;
  2129. res = syscall(__NR_socket, /*domain=*/2ul, /*type=SOCK_RAW*/ 3ul,
  2130. /*proto=*/0x8d);
  2131. if (res != -1)
  2132. r[20] = res;
  2133. memset((void*)0x2000000002c0, 156, 1);
  2134. syscall(__NR_setsockopt, /*fd=*/r[20], /*level=*/0, /*optname=*/8,
  2135. /*optval=*/0x2000000002c0ul, /*optlen=*/1ul);
  2136. *(uint32_t*)0x200000000140 = 0xc;
  2137. res = syscall(__NR_getsockopt, /*fd=*/r[20], /*level=*/0, /*optname=*/8,
  2138. /*optval=*/0x200000000040ul, /*optlen=*/0x200000000140ul);
  2139. if (res != -1)
  2140. r[21] = *(uint32_t*)0x200000000040;
  2141. *(uint64_t*)0x2000000001c0 = 0;
  2142. *(uint32_t*)0x2000000001c8 = 0;
  2143. *(uint64_t*)0x2000000001d0 = 0x200000000140;
  2144. *(uint64_t*)0x200000000140 = 0x200000000300;
  2145. *(uint32_t*)0x200000000300 = 0x24;
  2146. *(uint16_t*)0x200000000304 = 0x2c;
  2147. *(uint16_t*)0x200000000306 = 0;
  2148. *(uint32_t*)0x200000000308 = 0;
  2149. *(uint32_t*)0x20000000030c = 0;
  2150. *(uint8_t*)0x200000000310 = 0;
  2151. *(uint8_t*)0x200000000311 = 0;
  2152. *(uint16_t*)0x200000000312 = 0;
  2153. *(uint32_t*)0x200000000314 = r[21];
  2154. *(uint16_t*)0x200000000318 = 0;
  2155. *(uint16_t*)0x20000000031a = 0;
  2156. *(uint16_t*)0x20000000031c = 0;
  2157. *(uint16_t*)0x20000000031e = 0;
  2158. *(uint16_t*)0x200000000320 = 0;
  2159. *(uint16_t*)0x200000000322 = 0;
  2160. *(uint64_t*)0x200000000148 = 0x24;
  2161. *(uint64_t*)0x2000000001d8 = 1;
  2162. *(uint64_t*)0x2000000001e0 = 0;
  2163. *(uint64_t*)0x2000000001e8 = 0;
  2164. *(uint32_t*)0x2000000001f0 = 0;
  2165. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0x2000000001c0ul, /*f=*/0ul);
  2166. *(uint64_t*)0x2000000002c0 = 0;
  2167. *(uint32_t*)0x2000000002c8 = 0;
  2168. *(uint64_t*)0x2000000002d0 = 0x200000000940;
  2169. *(uint64_t*)0x200000000940 = 0x200000000300;
  2170. memcpy((void*)0x200000000300, "\x1c\x00\x00\x00\x5f\x00\x01", 7);
  2171. *(uint64_t*)0x200000000948 = 0x1c;
  2172. *(uint64_t*)0x2000000002d8 = 1;
  2173. *(uint64_t*)0x2000000002e0 = 0;
  2174. *(uint64_t*)0x2000000002e8 = 0;
  2175. *(uint32_t*)0x2000000002f0 = 0;
  2176. syscall(__NR_sendmsg, /*fd=*/r[19], /*msg=*/0x2000000002c0ul, /*f=*/0ul);
  2177. *(uint64_t*)0x200000005200 = 0;
  2178. *(uint32_t*)0x200000005208 = 0;
  2179. *(uint64_t*)0x200000005210 = 0;
  2180. *(uint64_t*)0x200000005218 = 0;
  2181. *(uint64_t*)0x200000005220 = 0;
  2182. *(uint64_t*)0x200000005228 = 0;
  2183. *(uint32_t*)0x200000005230 = 0;
  2184. *(uint32_t*)0x200000005238 = 0;
  2185. syscall(__NR_sendmmsg, /*fd=*/r[18], /*mmsg=*/0x200000005200ul, /*vlen=*/1ul,
  2186. /*f=*/0ul);
  2187. syscall(__NR_pipe2, /*pipefd=*/0x200000000040ul, /*flags=*/0ul);
  2188. *(uint8_t*)0x200000000480 = 0;
  2189. syscall(__NR_prctl, /*option=*/0x3bul, /*mode=*/1ul, /*offset=*/0x5ea68159ul,
  2190. /*len=*/4ul, /*selector=*/0x200000000480ul);
  2191. *(uint32_t*)0x200000000340 = r[19];
  2192. syscall(__NR_setsockopt, /*fd=*/r[20], /*level=*/0, /*optname=*/8,
  2193. /*optval=*/0x200000000340ul, /*optlen=*/1ul);
  2194. *(uint32_t*)0x200000000140 = 0;
  2195. syscall(__NR_getsockopt, /*fd=*/-1, /*level=*/0, /*optname=*/8,
  2196. /*optval=*/0ul, /*optlen=*/0x200000000140ul);
  2197. *(uint32_t*)0x20000001d000 = 2;
  2198. *(uint32_t*)0x20000001d004 = 0x80;
  2199. *(uint8_t*)0x20000001d008 = 0xb9;
  2200. *(uint8_t*)0x20000001d009 = 0;
  2201. *(uint8_t*)0x20000001d00a = 0;
  2202. *(uint8_t*)0x20000001d00b = 0;
  2203. *(uint32_t*)0x20000001d00c = 0;
  2204. *(uint64_t*)0x20000001d010 = 0;
  2205. *(uint64_t*)0x20000001d018 = 0xa4000;
  2206. *(uint64_t*)0x20000001d020 = 0;
  2207. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 0, 1);
  2208. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 1, 1);
  2209. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 2, 1);
  2210. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 3, 1);
  2211. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 4, 1);
  2212. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 5, 1);
  2213. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 6, 1);
  2214. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 7, 1);
  2215. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 8, 1);
  2216. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 9, 1);
  2217. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 10, 1);
  2218. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 11, 1);
  2219. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 12, 1);
  2220. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 13, 1);
  2221. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 14, 1);
  2222. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 15, 2);
  2223. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 17, 1);
  2224. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 18, 1);
  2225. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 19, 1);
  2226. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 20, 1);
  2227. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 21, 1);
  2228. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 22, 1);
  2229. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 23, 1);
  2230. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 24, 1);
  2231. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 25, 1);
  2232. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 26, 1);
  2233. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 27, 1);
  2234. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 28, 1);
  2235. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 29, 1);
  2236. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 30, 1);
  2237. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 31, 1);
  2238. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 32, 1);
  2239. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 33, 1);
  2240. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 34, 1);
  2241. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 35, 1);
  2242. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 36, 1);
  2243. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 37, 1);
  2244. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 38, 26);
  2245. *(uint32_t*)0x20000001d030 = 0;
  2246. *(uint32_t*)0x20000001d034 = 0;
  2247. *(uint64_t*)0x20000001d038 = 0x5d;
  2248. *(uint64_t*)0x20000001d040 = 0xfffffffffbfffffe;
  2249. *(uint64_t*)0x20000001d048 = 0;
  2250. *(uint64_t*)0x20000001d050 = 0;
  2251. *(uint32_t*)0x20000001d058 = 0;
  2252. *(uint32_t*)0x20000001d05c = 0;
  2253. *(uint64_t*)0x20000001d060 = 0;
  2254. *(uint32_t*)0x20000001d068 = 0;
  2255. *(uint16_t*)0x20000001d06c = 0x28c0;
  2256. *(uint16_t*)0x20000001d06e = 0;
  2257. *(uint32_t*)0x20000001d070 = 5;
  2258. *(uint32_t*)0x20000001d074 = 0;
  2259. *(uint64_t*)0x20000001d078 = 0;
  2260. syscall(__NR_perf_event_open, /*attr=*/0x20000001d000ul, /*pid=*/0,
  2261. /*cpu=*/3ul, /*group=*/-1, /*flags=*/0ul);
  2262. syscall(__NR_setgroups, /*size=*/0ul, /*list=*/0ul);
  2263. memcpy((void*)0x200000000080, "./file0\000", 8);
  2264. syscall(
  2265. __NR_open, /*file=*/0x200000000080ul,
  2266. /*flags=O_TRUNC|O_NOFOLLOW|O_DIRECT|O_CREAT|O_CLOEXEC|0x3000*/ 0xa7240ul,
  2267. /*mode=*/0ul);
  2268. res = syscall(__NR_pipe2, /*pipefd=*/0x200000000240ul, /*flags=*/0ul);
  2269. if (res != -1)
  2270. r[22] = *(uint32_t*)0x200000000244;
  2271. syscall(__NR_socket, /*domain=*/1ul, /*type=SOCK_DGRAM*/ 2ul, /*proto=*/0);
  2272. syscall(__NR_socket, /*domain=*/0x11ul, /*type=SOCK_DGRAM*/ 2ul,
  2273. /*proto=*/0x300);
  2274. syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  2275. syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  2276. memcpy((void*)0x2000000000c0, "fscrypt-provisioning\000", 21);
  2277. memcpy((void*)0x200000000100, "syz", 3);
  2278. *(uint8_t*)0x200000000103 = 0x22;
  2279. *(uint8_t*)0x200000000104 = 0;
  2280. *(uint32_t*)0x2000000001c0 = 3;
  2281. *(uint32_t*)0x2000000001c4 = 0;
  2282. *(uint8_t*)0x2000000001c8 = 0x25;
  2283. *(uint8_t*)0x2000000001c9 = 0x1a;
  2284. *(uint8_t*)0x2000000001ca = 0x34;
  2285. *(uint8_t*)0x2000000001cb = 0x2b;
  2286. *(uint8_t*)0x2000000001cc = 0x13;
  2287. *(uint8_t*)0x2000000001cd = 0x2c;
  2288. *(uint8_t*)0x2000000001ce = 0x35;
  2289. *(uint8_t*)0x2000000001cf = 0x39;
  2290. res = syscall(__NR_add_key, /*type=*/0x2000000000c0ul,
  2291. /*desc=*/0x200000000100ul, /*payload=*/0x2000000001c0ul,
  2292. /*paylen=*/0x10ul, /*keyring=*/0xfffffffb);
  2293. if (res != -1)
  2294. r[23] = res;
  2295. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/2ul, /*proto=*/0);
  2296. if (res != -1)
  2297. r[24] = res;
  2298. *(uint64_t*)0x200000000100 = 0x200000000000;
  2299. *(uint16_t*)0x200000000000 = 0xa;
  2300. *(uint16_t*)0x200000000002 = htobe16(0x4e21);
  2301. *(uint32_t*)0x200000000004 = htobe32(0);
  2302. *(uint8_t*)0x200000000008 = 0xfe;
  2303. *(uint8_t*)0x200000000009 = 0x80;
  2304. memset((void*)0x20000000000a, 0, 13);
  2305. *(uint8_t*)0x200000000017 = 0;
  2306. *(uint32_t*)0x200000000018 = 0;
  2307. *(uint32_t*)0x200000000108 = 0x80;
  2308. *(uint64_t*)0x200000000110 = 0;
  2309. *(uint64_t*)0x200000000118 = 0;
  2310. *(uint64_t*)0x200000000120 = 0;
  2311. *(uint64_t*)0x200000000128 = 0;
  2312. *(uint32_t*)0x200000000130 = 0;
  2313. *(uint32_t*)0x200000000138 = 0;
  2314. syscall(__NR_sendmmsg, /*fd=*/r[24], /*mmsg=*/0x200000000100ul, /*vlen=*/1ul,
  2315. /*f=MSG_ZEROCOPY|MSG_MORE|MSG_CONFIRM*/ 0x4008800ul);
  2316. *(uint64_t*)0x200000000380 = 0x200000000140;
  2317. *(uint16_t*)0x200000000140 = 0;
  2318. *(uint8_t*)0x200000000142 = 0;
  2319. *(uint32_t*)0x200000000144 = 0;
  2320. *(uint32_t*)0x200000000388 = 0x80;
  2321. *(uint64_t*)0x200000000390 = 0;
  2322. *(uint64_t*)0x200000000398 = 0;
  2323. *(uint64_t*)0x2000000003a0 = 0;
  2324. *(uint64_t*)0x2000000003a8 = 0;
  2325. *(uint32_t*)0x2000000003b0 = 0;
  2326. *(uint32_t*)0x2000000003b8 = 0;
  2327. syscall(__NR_sendmmsg, /*fd=*/r[24], /*mmsg=*/0x200000000380ul, /*vlen=*/1ul,
  2328. /*f=*/0ul);
  2329. syscall(__NR_keyctl, /*code=*/5ul, /*key=*/r[23],
  2330. /*perm=KEY_USR_LINK|KEY_USR_VIEW*/ 0x110000ul, 0, 0);
  2331. memcpy((void*)0x2000000002c0,
  2332. "\x15\x00\x00\x00\x65\xff\xff\x01\x80\x00\x00\x08\x00\x39\x50\x32\x30"
  2333. "\x30\x30",
  2334. 19);
  2335. syscall(__NR_write, /*fd=*/r[22], /*data=*/0x2000000002c0ul, /*size=*/0x15ul);
  2336. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/6);
  2337. if (res != -1)
  2338. r[25] = res;
  2339. *(uint64_t*)0x200000000280 = 0;
  2340. *(uint32_t*)0x200000000288 = 0;
  2341. *(uint64_t*)0x200000000290 = 0x200000000240;
  2342. *(uint64_t*)0x200000000240 = 0x2000000004c0;
  2343. memcpy(
  2344. (void*)0x2000000004c0,
  2345. "\x64\x00\x00\x00\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2346. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2347. "\x00\x00\x00\xfd\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00"
  2348. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\x00\x09\x00\x00\x00\x00\x00\x00"
  2349. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2350. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a\x4f\xee\x99\x7a\x2e\xc5\x93\xc8"
  2351. "\xea\xf9\x17\x60\x3c\xd3\x28\x5e\x72\xe7\xc0\x45\xd3\x94\x61\x90\x76\xa6"
  2352. "\xd9\x01\x44\xb6\x76\xf1\xcd\xf1\xff\x55\x06\x69\x58\x67\x54\x95\x9b\x81"
  2353. "\x20\xbb\xdf\x06\x5e\xc5\x08\x4d\xfa\xbd\x18\xb4\xa3\xa1\x0c\xf0\xb2\x84"
  2354. "\x2a\x12\x99\x87\x59\x26\x07\x55\x15\xb2\x1a\x90\xe1\x9f\xa9\xe9\x35\xc2"
  2355. "\x85\xa3\x48\x36\xdc\x49\x7b\xf5\xc3\x28\x56\x5d\xb5\x8e\xa7\xda\xc3\x29"
  2356. "\x90\x94\xe0\x2a\x79\x01\x97\xe6\x13\xbe\x35\x88\xbc\x2f\x24\x73\x25\x98"
  2357. "\xd2\xb3\xa0\x21\x9d\x18\xb5\x0a\x18\xad\x11\x24\xcf\x69\x7a\xfa\x7a\x11"
  2358. "\x14\xc9\x2b\x38\x3f\x48\xf2\x9d\xae\xb4\x6b\x89\xd2\x6f\x13\xeb\x73\xd4"
  2359. "\x76\xe5\x71\x03\xd6\x06\x0d\x2b\x77\x23\x2e\x13\x55\xe9\x02\xf8\x43\xd7"
  2360. "\x84\xf1\x28\x3f\x8e\x74\x4b\x5c\xfc\x96\x61\xd7\xe2\xcf\x8a\x2f\xe2\x6a"
  2361. "\x93\x46\xc7\x62\xa4\x00",
  2362. 294);
  2363. *(uint64_t*)0x200000000248 = 0x64;
  2364. *(uint64_t*)0x200000000298 = 1;
  2365. *(uint64_t*)0x2000000002a0 = 0;
  2366. *(uint64_t*)0x2000000002a8 = 0;
  2367. *(uint32_t*)0x2000000002b0 = 0;
  2368. syscall(__NR_sendmsg, /*fd=*/r[25], /*msg=*/0x200000000280ul, /*f=*/0ul);
  2369. res = syscall(__NR_dup, /*oldfd=*/r[22]);
  2370. if (res != -1)
  2371. r[26] = res;
  2372. *(uint8_t*)0x200000000040 = r[26];
  2373. syscall(__NR_write, /*fd=*/r[26], /*data=*/0x200000000040ul, /*size=*/0x53ul);
  2374. res = syscall(__NR_io_setup, /*n=*/0x8000000, /*ctx=*/0x200000000040ul);
  2375. if (res != -1)
  2376. r[27] = *(uint64_t*)0x200000000040;
  2377. *(uint64_t*)0x200000000080 = 0;
  2378. *(uint64_t*)0x200000000088 = 0x3938700;
  2379. *(uint64_t*)0x2000000001c0 = 0xffffffff81000000;
  2380. *(uint64_t*)0x2000000001c8 = 0;
  2381. syscall(__NR_io_pgetevents, /*ctx=*/r[27], /*min_nr=*/6ul, /*nr=*/4ul,
  2382. /*events=*/0x2000000002c0ul, /*timeout=*/0x200000000080ul,
  2383. /*usig=*/0x2000000001c0ul);
  2384. memcpy((void*)0x200000000180, "ext4\000", 5);
  2385. memcpy((void*)0x2000000000c0, "./file0\000", 8);
  2386. memcpy((void*)0x200000000000, "noauto_da_alloc", 15);
  2387. *(uint8_t*)0x20000000000f = 0x2c;
  2388. memcpy((void*)0x200000000010, "nobarrier", 9);
  2389. *(uint8_t*)0x200000000019 = 0x2c;
  2390. memcpy((void*)0x20000000001a, "data_err=abort", 14);
  2391. *(uint8_t*)0x200000000028 = 0x2c;
  2392. memcpy((void*)0x200000000029, "discard", 7);
  2393. *(uint8_t*)0x200000000030 = 0x2c;
  2394. *(uint8_t*)0x200000000031 = 0;
  2395. memcpy(
  2396. (void*)0x2000000001c0,
  2397. "\x78\x9c\xec\xdc\xcd\x6f\x14\xe5\x1f\x00\xf0\xef\x4c\x5f\xe0\x07\xfc\x68"
  2398. "\x45\x44\x41\xd0\x2a\x1a\x1b\x5f\x5a\x5a\x50\x39\x78\xd1\x68\xe2\x41\x13"
  2399. "\x13\x3d\xe0\xb1\xb6\x0b\x22\x0b\x35\xb4\x26\x42\x88\x54\x63\xf0\x68\x48"
  2400. "\xbc\x1b\x8f\x26\xfe\x05\x9e\xf4\x62\xd4\x93\x89\x57\xbd\x1b\x12\xa2\xc4"
  2401. "\x04\xf4\xb4\x66\x5e\xb6\xb4\xcb\x6e\xe9\xb6\x5b\x16\xd8\xcf\x27\x19\xf6"
  2402. "\x79\x76\x9e\x9d\xe7\xf9\xee\xcc\xb3\xf3\xcc\x3c\x4c\x03\xe8\x59\x23\xd9"
  2403. "\x3f\x49\xc4\xb6\x88\xf8\x2d\x22\x86\x8a\xec\xf2\x02\x23\xc5\xcb\xb5\x2b"
  2404. "\xe7\xa6\xff\xb9\x72\x6e\x3a\x89\x5a\xed\xcd\x3f\x93\xbc\xdc\xd5\x2b\xe7"
  2405. "\xa6\x1b\xb7\xb9\xb5\xdc\xe6\x68\x1a\x91\x7e\x9a\x94\x95\x2c\x57\xab\xd5"
  2406. "\xce\x67\xaf\xa7\xcb\xfc\xf8\xfc\xc9\xf7\xc7\xe7\xce\x9c\x7d\xe6\xf8\xc9"
  2407. "\xa9\x63\x95\x63\x95\x53\x93\x87\x0f\x1f\x3a\x38\xf1\xfc\x73\x93\xcf\x76"
  2408. "\x24\xce\x2c\xae\xab\x7b\x3e\x9a\xdd\xbb\xfb\xd5\xb7\x2f\xbe\x3e\x7d\xe4"
  2409. "\xe2\x3b\x3f\x7d\x93\xb5\x7f\xd7\xbe\x62\x7d\xb3\x38\xd6\x6b\x24\x0b\xfc"
  2410. "\xaf\x5a\xae\x71\xdd\xe3\x9d\xae\xac\xcb\xfe\xbf\x24\x9d\xf4\x77\xb1\x21"
  2411. "\xb4\xa5\x2f\x22\xb2\xdd\x35\x90\xf7\xff\xa1\xe8\x8b\xeb\x3b\x6f\x28\x5e"
  2412. "\xf9\xa4\xab\x8d\x03\x36\x54\x76\x6e\xda\xd4\x7a\xf5\x42\x0d\xb8\x8b\x25"
  2413. "\xd1\xed\x16\x00\xdd\x51\x3f\xd1\x67\xd7\xbf\xf5\xe5\x16\x0d\x3d\x6e\x0b"
  2414. "\x97\x5f\x2c\x2e\x80\xb2\xb8\xaf\x95\x4b\xb1\xa6\x3f\xd2\xb2\xcc\xc0\x06"
  2415. "\xd6\x3f\x12\x11\x47\x16\xfe\xfd\x32\x5b\x62\x83\xee\x43\x00\x00\x2c\xf5"
  2416. "\x5d\x36\xfe\x79\xba\xd9\xf8\x2f\x8d\x5d\xf9\x6b\x12\xb1\x10\xb1\xbd\x9c"
  2417. "\x43\x19\x8e\x88\x7b\x22\x62\x47\x44\xdc\x1b\x11\x3b\x23\xe2\xbe\x88\xbc"
  2418. "\xec\xfd\x11\xf1\x40\x9b\xf5\x37\x4e\x0d\xdd\x38\xfe\x49\x2f\xad\x23\xbc"
  2419. "\x9b\xca\xc6\x7f\x2f\x94\x73\x5b\xcb\xc7\x7f\xe9\xe2\x75\x71\x5f\x9e\x2b"
  2420. "\xe6\x38\x86\x63\x20\x39\x7a\xbc\x5a\x39\x10\xc5\x77\x32\x1a\x03\x9b\xb2"
  2421. "\xfc\xc4\x0a\x75\x7c\xff\xf2\xaf\x9f\xb7\x5a\xb7\x74\xfc\x97\x2d\x59\xfd"
  2422. "\xf5\xb1\x60\xd9\x8e\x4b\xfd\x0d\x37\xe8\x66\xa6\xe6\xa7\x3a\x35\x28\xbd"
  2423. "\xfc\x71\xc4\x9e\xfe\x66\xf1\x27\x8b\x33\x01\x49\x44\xec\x8e\x88\x3d\xed"
  2424. "\x6d\x7a\x7b\x3d\x71\xfc\xc9\xaf\xf7\xb6\x2a\x74\xf3\xf8\x9b\xdb\xdc\x5e"
  2425. "\x5b\x5a\xaa\x7d\x15\xf1\x44\x39\x07\x12\x0d\xf1\xd7\x25\x2b\xcf\x4f\x8e"
  2426. "\x6f\x8e\x6a\xe5\xc0\x78\xfd\xa8\xb8\xd1\xcf\xbf\x5c\x78\xa3\x55\xfd\x6b"
  2427. "\x8d\xbf\x53\xf6\xbf\x1b\xb1\x65\xf9\xf1\xdf\x50\x62\xe8\xef\x2c\xfe\xb9"
  2428. "\x33\x67\x4f\x4c\x55\xab\x95\xd3\x73\xed\xd7\x71\xe1\xf7\xcf\x5a\x5e\xd3"
  2429. "\xac\xf5\xf8\x1f\x4c\xde\xca\xe7\xac\x07\xcb\xf7\x3e\x9c\x9a\x9f\x3f\x3d"
  2430. "\x11\x31\x98\xbc\x96\xe7\x07\x8b\xa9\xad\xe2\xfd\xc9\xeb\x9f\xad\xe7\xeb"
  2431. "\xe5\xb3\xe3\x7f\x74\x7f\xf3\xfe\xbf\xa3\xfc\x4c\x16\xff\x83\x11\x91\x1d"
  2432. "\xc4\xfb\x22\xe2\xa1\x88\x78\xb8\x6c\xfb\x23\x11\xf1\x68\xf6\x3d\xae\x10"
  2433. "\xff\x8f\x2f\x3d\xf6\xde\xda\xe3\x6f\xd4\xd9\xab\xd1\x2c\xfe\x99\xa6\xbf"
  2434. "\x7f\x8b\xc7\xff\xf0\xf2\xfd\xdf\x7e\xa2\xef\xc4\x0f\xdf\xae\x3d\xfe\x6c"
  2435. "\xff\x1f\xca\x53\xa3\xe5\x3b\xf9\xef\xdf\x4d\xac\xb6\x81\xeb\xf9\xee\x00"
  2436. "\x00\x00\xe0\x4e\x91\x46\xc4\xb6\x48\xd2\xb1\xc5\x74\x9a\x8e\x8d\x15\xff"
  2437. "\x87\x7f\x67\x6c\x49\xab\xb3\x73\xf3\x4f\x1d\x9d\xfd\xe0\xd4\x4c\xf1\x8c"
  2438. "\xc0\x70\x0c\xa4\xf5\x3b\x5d\x43\x4b\xee\x87\x4e\x24\x0b\xe5\x16\x8b\xfc"
  2439. "\x64\x79\xaf\x38\x5f\xbf\xa9\x5a\x39\x58\xde\x37\xfe\xa2\xef\x7f\xf9\xfa"
  2440. "\xb1\xe9\xd9\xea\x4c\x97\x63\x87\x5e\xb7\xb5\x45\xff\xcf\xfc\xd1\xd7\xed"
  2441. "\xd6\x01\x1b\xce\xf3\x5a\xd0\xbb\x1a\xfb\x7f\xda\xa5\x76\x00\xb7\xde\x2a"
  2442. "\xcf\xff\x2b\x3c\x27\x08\xdc\xa9\x8c\xff\xa1\x27\x1d\x0b\xfd\x1f\x7a\x5a"
  2443. "\xb3\xfe\x7f\xbe\x21\x6f\x2e\x00\xee\x4e\xce\xff\xd0\xbb\xf4\x7f\xe8\x5d"
  2444. "\xfa\x3f\xf4\x2e\xfd\x1f\x7a\xd2\x7a\x9e\xeb\x5f\x6f\xa2\xbb\xb5\x6f\x54"
  2445. "\x62\xd5\x7f\x7a\xe0\x0e\x4f\x44\xda\x46\xe1\xcd\x71\x5b\xb4\x59\x62\xf5"
  2446. "\x89\x6e\xff\x32\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2447. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2448. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2449. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2450. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2451. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2452. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2453. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2454. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2455. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2456. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2457. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2458. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x74\xc6"
  2459. "\x7f\x01\x00\x00\xff\xff\x08\xf7\xf1\x5f",
  2460. 1126);
  2461. syz_mount_image(
  2462. /*fs=*/0x200000000180, /*dir=*/0x2000000000c0,
  2463. /*flags=MS_I_VERSION|MS_SYNCHRONOUS|MS_NODEV|MS_NOATIME|0x300*/ 0x800714,
  2464. /*opts=*/0x200000000000, /*chdir=*/0xfe, /*size=*/0x467,
  2465. /*img=*/0x2000000001c0);
  2466. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  2467. if (res != -1)
  2468. r[28] = res;
  2469. res = syscall(__NR_socket, /*domain=AF_NETLINK*/ 0x10ul,
  2470. /*type=SOCK_RAW*/ 3ul, /*proto=*/0);
  2471. if (res != -1)
  2472. r[29] = res;
  2473. memcpy(
  2474. (void*)0x200000000080,
  2475. "\x78\x00\x00\x00\x18\x00\x25\x07\xb9\x40\x9b\x14\xff\xff\x00\x00\x02\x02"
  2476. "\xbe\x04\x02\x05\x06\x05\x0e\x13\x04\x09\x43\x00\x09\x00\x3f\x00\x20\x48"
  2477. "\x0a\x00\x00\x00\x0d\x00\x85\xa1\x68\xd0\xbf\x46\xd3\x23\x45\x65\x36\x00"
  2478. "\x64\x8d\x27\x00\x15\x00\x0a\x00\x00\x00\x49\x93\x5a\xde\x4a\x46\x0c\x89"
  2479. "\xb6\xec\x0c\xff\x39\x59\x54\x7f\x50\x90\x58\xba\x86\xc9\x02\x00\x00\x00"
  2480. "\x00\x4a\x32\x00\x04\x00\x16\x00\x0b\x00\x0a\x00\x00\x00\x00\x00\xe0\x00"
  2481. "\xe2\x18\xd1\xdd\xf6\x6e\xd5\x38\xf2\x52\x32\x50",
  2482. 120);
  2483. syscall(__NR_sendto, /*fd=*/r[29], /*buf=*/0x200000000080ul, /*len=*/0x78ul,
  2484. /*f=*/0ul, /*addr=*/0ul, /*addrlen=*/0ul);
  2485. *(uint16_t*)0x200000000000 = 0xa;
  2486. *(uint16_t*)0x200000000002 = htobe16(0);
  2487. *(uint32_t*)0x200000000004 = htobe32(0);
  2488. *(uint8_t*)0x200000000008 = 0xfe;
  2489. *(uint8_t*)0x200000000009 = 0x88;
  2490. memset((void*)0x20000000000a, 0, 12);
  2491. *(uint8_t*)0x200000000016 = 0;
  2492. *(uint8_t*)0x200000000017 = 1;
  2493. *(uint32_t*)0x200000000018 = 8;
  2494. syscall(__NR_bind, /*fd=*/r[28], /*addr=*/0x200000000000ul,
  2495. /*addrlen=*/0x1cul);
  2496. *(uint16_t*)0x200000000140 = 0xa;
  2497. *(uint16_t*)0x200000000142 = htobe16(0x4e22);
  2498. *(uint32_t*)0x200000000144 = htobe32(0);
  2499. memset((void*)0x200000000148, 0, 16);
  2500. *(uint32_t*)0x200000000158 = 0;
  2501. syscall(__NR_bind, /*fd=*/r[28], /*addr=*/0x200000000140ul,
  2502. /*addrlen=*/0x1cul);
  2503. res = syscall(__NR_eventfd, /*initval=*/0xffff);
  2504. if (res != -1)
  2505. r[30] = res;
  2506. *(uint64_t*)0x200000000740 = 0x200000000700;
  2507. *(uint64_t*)0x200000000700 = 0;
  2508. *(uint32_t*)0x200000000708 = 0;
  2509. *(uint32_t*)0x20000000070c = 0;
  2510. *(uint16_t*)0x200000000710 = 6;
  2511. *(uint16_t*)0x200000000712 = 3;
  2512. *(uint32_t*)0x200000000714 = r[28];
  2513. *(uint64_t*)0x200000000718 = 0x200000000640;
  2514. memcpy((void*)0x200000000640,
  2515. "\x3f\x4b\x86\x05\x0b\x82\x43\x61\xa0\xf4\xda\xea\xf6\xd5\xd9\x9a\xe4"
  2516. "\x73\x22\xcf\x0f\x26\xcf\x6e\x17\x3f\xde\x87\xd6\xc8\x05\xa9\x07\x99"
  2517. "\xfc\xaa\xba\x38\x60\x34\x5c\x74\x24\xb5\xe4\xae\xeb\x8d\x7e\x33\x09"
  2518. "\x77\x93\x01\xbb\x81\xe8\x3e\x45\xe5\x40\x34\x6c\x1c\x98\x7b\xdf\xdc"
  2519. "\x28\x9b\xba\xbd\xa3\x1b\x34\x17\xa6\xf5\xbc\x5f\xad\xa5\x17\x65\x8f"
  2520. "\x8b\xa1\xc0\xfd\x21\x87\x36\x5e\x2c\x4b\x90\xdc\xe7\xd8\x36\x50\x9c"
  2521. "\x50\x2a\x67\x47\xd9\x4c\x90\x85\x27\x59\xe2\xeb\x5a\x74\x3b\xa4\x6e"
  2522. "\x95\x82\x14\x4e\xfb\xcc\x14\xd0\xab\xd2\x01\x62\x03\xe4",
  2523. 133);
  2524. *(uint64_t*)0x200000000720 = 0x85;
  2525. *(uint64_t*)0x200000000728 = 0xa3fc;
  2526. *(uint64_t*)0x200000000730 = 0;
  2527. *(uint32_t*)0x200000000738 = 3;
  2528. *(uint32_t*)0x20000000073c = r[30];
  2529. syscall(__NR_io_submit, /*ctx=*/0ul, /*nr=*/1ul, /*iocbpp=*/0x200000000740ul);
  2530. memcpy((void*)0x2000000000c0, "/dev/rtc0\000", 10);
  2531. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000000c0ul,
  2532. /*flags=O_RDWR*/ 2, /*mode=*/0);
  2533. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  2534. if (res != -1)
  2535. r[31] = res;
  2536. *(uint32_t*)0x200000000340 = 1;
  2537. *(uint32_t*)0x200000000344 = 0x80;
  2538. *(uint8_t*)0x200000000348 = 0;
  2539. *(uint8_t*)0x200000000349 = 0;
  2540. *(uint8_t*)0x20000000034a = 0x86;
  2541. *(uint8_t*)0x20000000034b = 2;
  2542. *(uint32_t*)0x20000000034c = 0;
  2543. *(uint64_t*)0x200000000350 = 0x5afd;
  2544. *(uint64_t*)0x200000000358 = 0x8000;
  2545. *(uint64_t*)0x200000000360 = 2;
  2546. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 0, 1);
  2547. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 1, 1);
  2548. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 2, 1);
  2549. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 3, 1);
  2550. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 4, 1);
  2551. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 5, 1);
  2552. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 6, 1);
  2553. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 7, 1);
  2554. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 8, 1);
  2555. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 9, 1);
  2556. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 10, 1);
  2557. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 11, 1);
  2558. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 12, 1);
  2559. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 13, 1);
  2560. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 14, 1);
  2561. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 1, 15, 2);
  2562. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 17, 1);
  2563. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 18, 1);
  2564. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 19, 1);
  2565. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 20, 1);
  2566. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 21, 1);
  2567. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 22, 1);
  2568. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 23, 1);
  2569. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 24, 1);
  2570. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 25, 1);
  2571. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 26, 1);
  2572. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 27, 1);
  2573. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 28, 1);
  2574. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 29, 1);
  2575. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 30, 1);
  2576. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 31, 1);
  2577. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 32, 1);
  2578. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 33, 1);
  2579. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 34, 1);
  2580. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 35, 1);
  2581. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 36, 1);
  2582. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 37, 1);
  2583. STORE_BY_BITMASK(uint64_t, , 0x200000000368, 0, 38, 26);
  2584. *(uint32_t*)0x200000000370 = 0;
  2585. *(uint32_t*)0x200000000374 = 0;
  2586. *(uint64_t*)0x200000000378 = 0;
  2587. *(uint64_t*)0x200000000380 = 0;
  2588. *(uint64_t*)0x200000000388 = 0;
  2589. *(uint64_t*)0x200000000390 = 0;
  2590. *(uint32_t*)0x200000000398 = 0;
  2591. *(uint32_t*)0x20000000039c = 0;
  2592. *(uint64_t*)0x2000000003a0 = 0;
  2593. *(uint32_t*)0x2000000003a8 = 0;
  2594. *(uint16_t*)0x2000000003ac = 0;
  2595. *(uint16_t*)0x2000000003ae = 0;
  2596. *(uint32_t*)0x2000000003b0 = 0;
  2597. *(uint32_t*)0x2000000003b4 = 0;
  2598. *(uint64_t*)0x2000000003b8 = 0;
  2599. syscall(__NR_perf_event_open, /*attr=*/0x200000000340ul, /*fd=*/-1,
  2600. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  2601. syscall(__NR_io_submit, /*ctx=*/0ul, /*nr=*/0ul, /*iocbpp=*/0ul);
  2602. *(uint16_t*)0x200000d84000 = 0xa;
  2603. *(uint16_t*)0x200000d84002 = htobe16(2);
  2604. *(uint32_t*)0x200000d84004 = htobe32(0);
  2605. *(uint64_t*)0x200000d84008 = htobe64(0);
  2606. *(uint64_t*)0x200000d84010 = htobe64(1);
  2607. *(uint32_t*)0x200000d84018 = 0;
  2608. syscall(__NR_bind, /*fd=*/r[31], /*addr=*/0x200000d84000ul,
  2609. /*addrlen=*/0x1cul);
  2610. *(uint32_t*)0x200000000600 = 8;
  2611. syscall(__NR_setsockopt, /*fd=*/r[31], /*level=*/0x29,
  2612. /*optname=IPV6_RECVORIGDSTADDR*/ 0x4a, /*optval=*/0x200000000600ul,
  2613. /*optlen=*/4ul);
  2614. memcpy((void*)0x2000000000c0,
  2615. "\x04\x4a\xac\x2f\x20\x2c\x5f\xed\xa7\x1e\x03\x9a\x57\xa9\x30\x88\xfd"
  2616. "\xcc\xe4\xaf\xe2\x8a\xac\x61\x83\x77\x92\x74\x1a\x19\x06\x70\xcc\xbe"
  2617. "\x1a\x2b\x00\xaa\x77\xa8\x7d\x56\xa3\xf1\x2c\x79\x20\xad\x02\x92\x8a"
  2618. "\x5d\x10\x14\xe5\xb8\x96\xf0\x00\xfc\xf6\x52\x19\x28\x48\x0b\xe9\xaf"
  2619. "\x82\x61\x3a\x5c\x66\x1f\x41\x10\xad\xba\x35\x8a\xfd\x8b\x5b\x4e\xf1"
  2620. "\x70\x20\x51\xe3\x93\xed\xe2\x69\x81\x12\xa1\xf1\xbd\xf1\xd0\xf5\x68"
  2621. "\x54\x6e\xd3\x22\xab\x4c\x53\x54\x5b\xd2\xcd\x6e\x48\x52\x2f\x0c\x15"
  2622. "\x4c\xb3\xc6\x86\x4d\xc3\x0a\xe9\x21\xdb\x10\x0f\x1e\xe9\x7a\x23\x45"
  2623. "\x03\x33\x8f\x8f\xdf\x35\x64\x72\xda\x0c\x7a\xb6\x2f\x27\x4f\x34",
  2624. 152);
  2625. *(uint16_t*)0x200000b63fe4 = 0xa;
  2626. *(uint16_t*)0x200000b63fe6 = htobe16(2);
  2627. *(uint32_t*)0x200000b63fe8 = htobe32(0);
  2628. memset((void*)0x200000b63fec, 0, 16);
  2629. *(uint32_t*)0x200000b63ffc = 0;
  2630. syscall(__NR_sendto, /*fd=*/r[31], /*buf=*/0x2000000000c0ul,
  2631. /*len=*/0x116d962d5f73552ul,
  2632. /*f=MSG_FASTOPEN|MSG_OOB|MSG_DONTWAIT|MSG_DONTROUTE|MSG_CONFIRM*/
  2633. 0x20000845ul, /*addr=*/0x200000b63fe4ul, /*addrlen=*/0x1cul);
  2634. syscall(__NR_close, /*fd=*/r[31]);
  2635. *(uint32_t*)0x200000000800 = 0x80;
  2636. syscall(__NR_accept4, /*fd=*/r[28], /*peer=*/0x200000000780ul,
  2637. /*peerlen=*/0x200000000800ul, /*flags=*/0x40000ul);
  2638. memcpy((void*)0x200000000100, "./file0\000", 8);
  2639. syz_mount_image(/*fs=*/0, /*dir=*/0x200000000100,
  2640. /*flags=MS_SYNCHRONOUS|MS_RELATIME|MS_NOATIME*/ 0x200410,
  2641. /*opts=*/0, /*chdir=*/1, /*size=*/0, /*img=*/0x200000000000);
  2642. memcpy((void*)0x200000000080, "./file0\000", 8);
  2643. memcpy((void*)0x200000000940, "tmpfs\000", 6);
  2644. syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x200000000080ul,
  2645. /*type=*/0x200000000940ul, /*flags=*/0ul, /*data=*/0ul);
  2646. memcpy((void*)0x2000000000c0, "vfat\000", 5);
  2647. memcpy((void*)0x200000000480, "./file0\000", 8);
  2648. memcpy(
  2649. (void*)0x200000000580,
  2650. "\x78\x9c\xec\xdc\xcf\x4f\x13\x5b\x14\xc0\xf1\x43\x29\xa5\x2d\x81\x76\xf1"
  2651. "\xf2\x5e\x9e\x89\xe1\x44\x37\xba\x99\x40\x75\x6d\x6c\x0c\x24\xc6\x26\x12"
  2652. "\xa4\xc6\x1f\x89\xc9\x00\x53\x6d\x3a\xb6\xa4\xd3\x60\x6a\x8c\xe8\xca\xad"
  2653. "\xf1\x8f\x70\x41\x58\xb2\x23\x51\xfe\x01\x36\xee\x74\xe3\xc6\x1d\x1b\x13"
  2654. "\x17\xb2\x30\xd6\x74\x3a\x03\x2d\x14\x6a\x80\x32\x68\xbf\x9f\x84\xcc\x99"
  2655. "\xb9\xf7\xdc\xb9\x17\x06\x72\x66\xc2\x74\xf3\xce\xeb\xc7\x85\x9c\x63\xe4"
  2656. "\xcc\x8a\x84\xa2\x2a\x7d\x22\x22\x5b\x22\xc9\x46\xe4\xf2\xa3\x90\x1b\x47"
  2657. "\xa4\xd9\x0b\xb9\x38\xf4\xed\xe3\xd9\x5b\x77\xef\xdd\x48\x67\x32\x13\xd3"
  2658. "\xaa\x93\xe9\x99\x4b\x29\x55\x1d\x19\x7d\xf7\xe4\x59\xcc\xeb\xb6\x36\x28"
  2659. "\x1b\xc9\x07\x9b\x5f\x53\x5f\x36\xfe\xdd\xf8\x7f\xf3\xe7\xcc\xa3\xbc\xa3"
  2660. "\x79\x47\x8b\xa5\x8a\x9a\x3a\x5b\xfa\x5c\x31\x67\x6d\x4b\xe7\xf3\x4e\xc1"
  2661. "\x50\x9d\xb2\x2d\xd3\xb1\x34\x5f\x74\xac\x72\xa3\xbd\xd4\x68\xcf\xd9\xa5"
  2662. "\x85\x85\xaa\x9a\xc5\xf9\xe1\xf8\x42\xd9\x72\x1c\x35\x8b\x55\x2d\x58\x55"
  2663. "\xad\x94\xb4\x52\xae\xaa\xf9\xd0\xcc\x17\xd5\x30\x0c\x1d\x8e\x0b\x3a\xc9"
  2664. "\x2e\x4f\x4f\x9b\xe9\x43\x26\xcf\x1d\xf3\x64\xd0\x25\xe5\x72\xda\xec\x17"
  2665. "\x91\xd8\x9e\x96\xec\x72\x20\x13\x02\x00\x00\x81\xda\x5d\xff\x87\xea\x25"
  2666. "\xbd\x5b\xff\x87\xb6\xfb\x1c\xa1\xfe\x5f\x39\xb7\x5e\x19\xba\xbd\x3a\xe2"
  2667. "\xd5\xff\x6b\x91\x76\xf5\xff\xe5\x4f\x8d\xb1\x9a\xea\x7f\xff\xe4\x5d\xae"
  2668. "\xff\xf7\x56\x44\xbd\xe5\x48\xf5\x3f\x4e\x87\xd1\xc8\x9e\x43\x7d\x2d\x7b"
  2669. "\xf5\xfa\x3f\xee\xfd\xfe\xba\x5e\xde\x5f\x19\x73\x03\xea\x7f\x00\x00\x00"
  2670. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\x04\x5b\xb5"
  2671. "\x5a\xa2\x56\xab\x25\xfc\xad\xff\x35\x28\x22\x51\x11\xf1\xf7\x83\x9e\x27"
  2672. "\xba\x83\x9f\x7f\x6f\xdb\x79\x71\x2f\x3c\x22\x62\xbf\x5a\xcc\x2e\x66\x1b"
  2673. "\x5b\xaf\xc3\xba\x88\xd8\x62\xc9\x98\x24\xe4\x87\x7b\x3d\x78\xea\xb1\xff"
  2674. "\xe6\xd1\x80\xaa\x6a\x52\xde\xdb\x4b\x5e\xfe\xd2\x62\xb6\xdf\x6d\x49\xe7"
  2675. "\x24\xef\xe6\x8f\x4b\x42\x92\xbb\xf3\x6b\xb5\xc9\xeb\x99\x89\x71\x75\x25"
  2676. "\x5a\xf3\x07\x24\xde\x9c\x9f\x92\x84\xfc\xd3\x3e\x3f\xd5\xc8\xd7\xd6\xfc"
  2677. "\x88\x5c\x38\xdf\x94\x6f\x48\x42\x3e\xcc\x49\x49\x6c\x99\x77\xaf\xeb\x9d"
  2678. "\xfc\xe7\xe3\xaa\xd7\x6e\x66\x76\xe5\xc7\xdc\x7e\x00\x00\x00\x00\x00\xfc"
  2679. "\x0d\x0c\xdd\xd6\xf6\xfe\xdd\x30\xf6\x6b\x17\x91\xb0\x37\xc8\xbe\xcf\x07"
  2680. "\x1a\xf7\xd7\x63\x6d\xef\xcf\xc3\x72\x26\x1c\xe8\xd2\x01\x00\x00\x00\x00"
  2681. "\xe8\x19\x4e\xf5\x69\xc1\xb4\x6d\xab\x7c\x40\x10\x93\xce\x7d\x0e\x1f\x84"
  2682. "\xbb\x34\xb2\xbf\xc2\xdf\xcd\xf2\xff\x97\xa1\x7b\x2b\x3d\x20\xf0\x4f\xde"
  2683. "\xd2\x14\xf5\x0e\x06\x30\x9f\x8e\x41\x48\x0e\x93\x35\x5a\x5f\x8d\x1e\xf5"
  2684. "\xec\xfe\x63\xa3\xfd\xfa\xc8\x54\x50\xdf\x96\xff\xde\xbc\xfd\x7e\x7c\x03"
  2685. "\x5e\x59\x8d\x76\x58\x69\xd7\x82\x81\x93\xfb\x0b\x04\x00\x00\x00\xe0\xa4"
  2686. "\xec\x14\xfd\xfe\x91\xab\xc1\x4e\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2687. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x1e\x74\x12\x1f"
  2688. "\x27\x16\xf4\x1a\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2689. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\xd3\xe2\x57\x00"
  2690. "\x00\x00\xff\xff\x5f\x73\x0b\x18",
  2691. 728);
  2692. syz_mount_image(/*fs=*/0x2000000000c0, /*dir=*/0x200000000480, /*flags=*/0,
  2693. /*opts=*/0x200000000000, /*chdir=*/8, /*size=*/0x2d8,
  2694. /*img=*/0x200000000580);
  2695. memcpy((void*)0x200000000080, "memory.current\000", 15);
  2696. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000080ul,
  2697. /*flags=*/0x275a, /*mode=*/0);
  2698. if (res != -1)
  2699. r[32] = res;
  2700. *(uint16_t*)0x2000000001c0 = 1;
  2701. *(uint64_t*)0x2000000001c8 = 0x200000000000;
  2702. *(uint16_t*)0x200000000000 = 6;
  2703. *(uint8_t*)0x200000000002 = 0;
  2704. *(uint8_t*)0x200000000003 = 0;
  2705. *(uint32_t*)0x200000000004 = 0x7fff4000;
  2706. syscall(__NR_seccomp, /*op=*/1ul, /*flags=*/0ul, /*arg=*/0x2000000001c0ul);
  2707. memcpy((void*)0x2000000000c0, "iso9660\000", 8);
  2708. memcpy((void*)0x200000000000, "./file0\000", 8);
  2709. memcpy(
  2710. (void*)0x200000000880,
  2711. "\x63\x27\x6a\x4f\x7c\x5a\x1d\xba\x5d\x94\x13\xe7\x7f\x69\x70\xdd\xdd\x4e"
  2712. "\x1e\x68\x65\x63\x6b\x23\x36\x49\x3d\x72\x65\x6c\x61\x78\x65\x64\x2c\x62"
  2713. "\x6c\x6f\x63\x6b\x3d\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
  2714. "\x30\x30\x32\x30\x30\x2c\x73\x65\x73\x73\x69\x6f\x6e\x3d\x30\x78\x30\x30"
  2715. "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x33\x37\x2c\x68\x69\x64"
  2716. "\x65\x2c\x69\x6f\x5a\x38\x7f\xeb\x64\x12\x4b\x61\x97\x43\x8e\x22\x43\x03"
  2717. "\xfa\x93\xdc\xea\xa2\xec\x18\x33\xfe\x9c\x47\x4a\x70\x7c\x9b\x1f\x82\x3a"
  2718. "\xc2\x40\xc8\x2d\x09\x38\x7e\x76\x7b\x26\xc7\xeb\xc9\x65\x7d\x00\xe8\x27"
  2719. "\x09\x4e\xa6\x1e\xa7\xbf\xe9\x78\x08\xfc\x52\xca\x74\x84\x73\xf0\x16\x5a"
  2720. "\x7f\xf8\xa1\x48\xd6\x2c\xa1\x7f\x27\x08\x42\xd2\xf8\x83\x45\xb1\x9b\xb9"
  2721. "\x9e\x16\x41\x83\x68\x86\x7c\x7c\x3c\xd3\xfd\x22\x51\x16\x9c\x5c\x6d\x0f"
  2722. "\x04\x35\xd5\x6d\xbb\x19\x75\x7a\xdf\xf8\x43\x42\x36\xaf\x29\xb9\xcb\x40"
  2723. "\xac\x56\xc1\x2b\xaf\x53\x63\x8e\x0f\xf5\x2a\x6c\x2a\x9e\x2b\x9a\x19\xe6"
  2724. "\xec\xbb\xc6\xac\xf2\x28\x9a\x53\x7d\x36\x25\x65\x4d\x65\xa8\xef\x28\xb9"
  2725. "\x72\x09\x59\x2d\xc3\xdf\xc5\x70\x88\xa5\x22\xf2\x08\x4d\xde\x04\x8d\x0a"
  2726. "\x4f\x9f\x64\x63\x2a\x2a\xb1\x14\x0b\x54\xe1\x30\x81\xb0\x4e\x37\x30\xda"
  2727. "\x92\xaa\xb6\x85\x74\x9a\x2d\x95\x44\x1e\xfd\x39\x98\x4f\xbe\xa4\x7d\xf4"
  2728. "\x2a\x1c\xc9\xa3\xdb\xe6\x81\xf8\x49\xd7\xa6\xdf\x06\x5b\xf2\xad\xca\x9e"
  2729. "\x95\xe1\x0d\xaf\x2b\x05\xc8\x97\x77\x7a\x27\xd4\x06\xe3\xd5\x41\x3f\xe9"
  2730. "\xad\x1b\x7b\x93\x77\x82\x3b\xca\xea\xd1\x6a\x2f\x7e\xfe\x3f\x19\xf9\xbf"
  2731. "\xcf\x45\x99\x47\x9f\x32\x10\x88\x0e\x7d\x7d\x5a\x83\x79\x5e\x7b\x69\x8b"
  2732. "\x0a\xca\x61\x6a\xd5\x7e\xb1\xfe\x6f\x2f\xf9\x31\x56\xe7\xef\xff\xa2\xf5"
  2733. "\xcd\x82\x83\xe4\xaf\x28\xc8\xe6\x9b\x2a\x34\x65\xa0\x51\xf1\x23\x61\x22"
  2734. "\x62\x17\xb0\xa1\xb7\xfc\x2a\xe7\x0b\xa1\xef\x92\x00\x76\x6e\xf6\xb5\x28"
  2735. "\x6c\x6a\xeb\x91\xdc\xfc\x9f\x06\x7c\x18\x16\xbc\x52\x4f\xb7\x4f\xfa\xd5"
  2736. "\x91\xb2\x45\x9e",
  2737. 454);
  2738. memcpy(
  2739. (void*)0x200000000a80,
  2740. "\x78\x9c\xec\xdd\x5f\x6f\xdb\xd6\xfd\xc7\xf1\x0f\x65\xd9\x56\xfc\x03\x82"
  2741. "\x1f\xb6\x21\x08\x82\x34\x39\x4d\x56\xc0\xc1\x52\x45\x92\x1b\x07\x42\x76"
  2742. "\x31\x8e\x3a\xb2\xd9\x49\xa2\x40\xd2\x85\x0d\x0c\x28\xb2\xc6\x2e\x8c\xc8"
  2743. "\xe9\x96\x74\xc0\xe2\x9b\xc2\x37\xfb\x03\x74\x0f\xa2\x37\xbb\xd8\x83\x18"
  2744. "\xb0\xeb\x3d\x8b\x5d\x0e\x28\xb6\xbb\x01\xbb\xd1\x40\x52\xb2\x25\x5b\xff"
  2745. "\x9c\x28\x71\xb2\xbe\x5f\x42\xc2\x63\xf2\xcb\x73\xbe\x87\x54\x78\x42\x4b"
  2746. "\x24\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2747. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2748. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x78\xb5\x52\xa9"
  2749. "\xec\xa8\xe1\xb7\xb6\xb6\xcd\x78\x5e\x2d\x0c\x9a\x13\x96\x67\xb5\x2d\xea"
  2750. "\x4e\x56\xb8\x33\xb5\x5d\xc9\x49\xfe\xa8\x50\xd0\xd5\x6c\xd6\xd5\x1f\x9c"
  2751. "\x2c\xbe\x92\xfc\x75\x4b\xd7\xb3\x9f\xae\xab\x90\x4c\x0a\x3a\xfc\xbf\x2b"
  2752. "\xff\xff\xf0\xfb\xf9\x5c\x7f\xfd\x09\x09\xbd\x0c\x9d\xb7\xc2\xe7\x2f\x0e"
  2753. "\x9f\x3c\xea\x74\x76\x9f\xcd\x39\x91\xb7\x80\x72\x33\x04\x6d\xd8\x96\x1f"
  2754. "\x05\x7e\xd3\xdd\xb0\xc6\x8f\x02\x53\x5d\x5f\x2f\xdd\xdb\xac\x47\xa6\xee"
  2755. "\x37\x6c\xb4\x13\xc5\xb6\x69\xbc\xd0\xba\x71\x10\x9a\x55\xef\x8e\x29\x57"
  2756. "\xab\x6b\xc6\x16\x77\x82\xad\xd6\x46\xcd\x6d\xd8\xfe\xcc\x07\x1f\x56\x4a"
  2757. "\xa5\x75\xf3\xf1\x72\x6f\xf7\xdf\xfb\xb8\x18\x79\x9b\x7e\xa3\xe1\xb7\x36"
  2758. "\xd2\x98\x64\x71\x12\xf3\xc0\x7c\xfd\xf3\x2c\xc4\xba\x4d\x63\xf6\xf6\x3b"
  2759. "\xbb\x6b\xd3\x92\x4c\x82\xca\xb3\x04\x55\xa6\x05\x55\x4a\x95\x4a\xb9\x5c"
  2760. "\xa9\x94\xd7\xef\x57\xef\x3f\x28\x95\xf2\x67\x66\x94\x4e\xd1\x99\x88\xb9"
  2761. "\xbf\x69\xf1\x8e\x99\xdf\xc1\x1b\x78\x45\xb9\x64\xfc\xff\xbb\x23\x35\x54"
  2762. "\x50\x4b\x5b\xda\x96\x19\xf9\xf2\x54\x53\xa8\x40\xcd\x31\xcb\x7b\xfa\xe3"
  2763. "\xff\x07\xf7\xec\xc4\x76\x07\xc7\xff\xfe\x28\x7f\xf5\x64\xf1\x35\xa5\xe3"
  2764. "\xff\x8d\xec\xa7\x1b\xe3\xc6\xff\x31\xb9\x4c\x7a\x39\x7a\x99\xb5\xc6\xbd"
  2765. "\x9e\xeb\x85\x0e\xf5\x44\x8f\xd4\x51\x47\xbb\x7a\x36\xc7\xba\xdf\x85\xd7"
  2766. "\x86\xac\x5a\xf2\x15\x29\x90\xaf\xa6\xdc\x74\x8e\xe9\xcd\x31\xaa\x6a\x5d"
  2767. "\xeb\x2a\xe9\x53\x6d\xaa\xae\x48\x46\x75\xf9\x6a\xc8\x2a\xd2\x8e\x22\xc5"
  2768. "\xb2\xe9\x3b\xca\x53\x28\x2b\x57\xb1\x02\x85\x32\x5a\x95\xa7\x3b\x32\x2a"
  2769. "\xab\xaa\xaa\xd6\x64\x64\x55\xd4\x8e\x02\x6d\xa9\xa5\x0d\xd5\xe4\xea\xdf"
  2770. "\xdd\x6e\x77\x4f\xfb\xe9\x76\x5f\x9b\x90\xa3\xfa\x41\xe5\x59\x82\x2a\x13"
  2771. "\x82\xc6\x8d\xff\xbf\xf8\x2a\x7b\x9f\x32\xfe\x7f\xd7\xf5\x8f\x5f\xb3\xc4"
  2772. "\x00\x17\xae\xdb\x3b\xff\x3f\xa7\x9b\xaf\x27\x1b\x00\x00\x00\x00\x00\xf0"
  2773. "\x3a\x38\xe9\x6f\xdf\x9d\xf4\xb3\xfb\xf7\x24\x75\x55\xf7\x1b\xb6\x74\xd1"
  2774. "\x69\x01\x00\x00\x00\x00\x80\x39\x4a\x3f\xf9\xbf\x9e\x4c\x16\x93\xd2\x7b"
  2775. "\x72\x38\xff\x07\x00\x00\x00\x00\xe0\x7f\x8d\x93\x5e\x63\xe7\x48\x5a\x49"
  2776. "\xbf\xd4\xef\x9c\x5c\x09\x35\xcb\x2f\x01\x96\xdf\x40\x8a\x00\x00\x00\x00"
  2777. "\x00\xe0\x15\xa5\x9f\xff\xdf\x58\x92\xba\xe9\xa9\xfc\x4d\x39\xe7\x3a\xff"
  2778. "\x07\x00\x00\x00\x00\x00\xef\x80\xdf\x0f\xdc\x63\x3f\xdf\xbf\xc7\x6e\x77"
  2779. "\xa1\xb7\x34\x27\x29\x6a\x2f\x3b\x7f\xf9\xe7\xb2\xc2\x45\xe7\xa8\xbd\xfd"
  2780. "\x43\xe7\xc0\x4d\x96\xb8\x07\xbd\x98\x85\xd3\x35\xc6\xf5\x6b\xce\xe5\xde"
  2781. "\x8d\x7a\xd3\xc9\x7a\xbe\xf7\x93\x67\xaf\x3b\xbd\xfb\x03\xf7\x6e\x82\x79"
  2782. "\x7c\xdf\xc1\x6f\xf7\xa6\xdd\xeb\xdf\x09\x4f\x25\xb0\xb4\x30\x58\xc1\x4c"
  2783. "\x09\xe8\x6b\xbd\x9f\xc5\xbc\x5f\xc8\xae\x77\x78\x7c\x98\x53\xba\x24\x6b"
  2784. "\x65\xa5\xee\x37\x6c\xd1\x0b\x1a\x0f\xcb\x72\xdd\xcb\xb9\xd8\x6e\xc7\xbf"
  2785. "\x7e\xba\xff\x1b\x29\x3c\xee\xe7\xde\x7e\x67\xb7\xf8\xd9\x17\x9d\xc7\x69"
  2786. "\x2e\x47\xc9\xac\xa3\x83\x24\x8f\xaf\x86\xd2\xc9\x4d\xcb\xe5\xcb\xf4\x7e"
  2787. "\x0b\xe9\x35\x17\x23\x7b\xbc\x58\xef\x37\xf9\x87\x56\x73\xc5\x49\xdb\x2d"
  2788. "\xf5\xfb\xbf\x20\xf7\x20\x37\xd8\xd0\x6c\xfd\xff\xad\x6e\x65\x31\xb7\x56"
  2789. "\xb2\xe9\xca\x61\xd6\x78\xaf\xff\x85\xa4\xff\xe5\xe2\xc3\x25\x49\x43\xbd"
  2790. "\x0f\x17\x9d\x93\x2c\xca\xa7\x7b\x3e\x6a\x47\x8c\xc9\xa2\x90\x66\x71\x3b"
  2791. "\x8b\xb9\xbd\x7a\x3b\x9b\xf4\xf3\xeb\x65\xf1\xa3\x05\xa9\x52\x3c\xbb\x0f"
  2792. "\x86\xb2\xa8\x0c\x66\x31\x7d\x5b\x38\xff\x3a\xb3\x2d\xa6\x64\x91\x6c\x8b"
  2793. "\xb5\x24\x8b\xbf\x26\x15\x8d\xc9\x62\xed\x7c\x59\x9c\xd9\x23\x00\x70\x51"
  2794. "\xf6\xa6\x8c\x42\x8e\x4e\x8f\xbb\x2f\x73\x94\x9b\x3e\xba\xff\x64\xfc\x7f"
  2795. "\x2f\xf2\xb3\xb4\x52\x50\x72\x44\x5f\xcd\x62\x96\xb2\x75\xf2\xd7\x46\x1c"
  2796. "\xd1\x4b\xbd\x71\xa5\xa0\x31\x47\xf4\xd2\x2b\x8c\x6e\x49\x5b\x7f\x3e\x79"
  2797. "\x06\x52\xef\xdb\x91\x67\xb2\xf8\x4f\xb7\xdb\x7d\x58\x4e\xdb\xfd\xe3\xa9"
  2798. "\x51\xf5\x9b\x64\x85\x6f\xc6\xb6\x1b\x35\x2a\x0b\xc9\x26\x5c\xf8\xf2\xe0"
  2799. "\x97\xba\xf2\xfc\xc5\xe1\x87\xfb\x07\x8f\x3e\xdf\xfd\x7c\xf7\x69\xa5\xb2"
  2800. "\xb6\x5e\xfa\xa8\x54\xba\x5f\xd1\x62\xda\x8d\xde\x84\xb1\x07\x00\x30\xc2"
  2801. "\xb4\x67\xec\x2c\x4d\x7f\x0a\x8f\xf3\xd1\xf1\x59\xf5\xe3\x7f\x7c\x90\x95"
  2802. "\x86\x46\xbc\xef\x1d\x7f\xa5\xa0\xa8\xcf\xf4\x85\x3a\x7a\xac\xbb\xfd\x47"
  2803. "\x08\xdc\x1c\x5d\xeb\xca\xc0\xd7\x10\xee\x9e\x3d\x6b\x4d\x62\x2f\x49\xa7"
  2804. "\x63\xcb\xba\x3b\xe5\xac\x6e\x65\xe0\x41\x2f\xfd\xd8\x45\xf5\x57\x19\x17"
  2805. "\xbb\xf6\xba\x77\x03\x00\x00\x6f\xd4\xad\x29\xe3\xb0\x33\xc3\xf8\x7f\xb7"
  2806. "\x7f\xde\xbd\x7a\x6d\xe4\x79\xf7\xf0\x58\x7e\xfa\x09\xc1\xe3\x62\xcb\x6f"
  2807. "\x78\x4b\x00\x00\xf0\xdd\x61\xc3\x6f\x9d\x95\xf8\x77\x4e\x18\xfa\xed\x4f"
  2808. "\xcb\xd5\x6a\xd9\x8d\x37\xad\x09\x03\xef\x67\x26\xf4\x6b\x1b\xd6\xf8\xad"
  2809. "\xd8\x86\xde\xa6\xdb\xda\xb0\xa6\x1d\x06\x71\xe0\x05\x8d\xa4\xf0\x89\x5f"
  2810. "\xb3\x91\x89\xb6\xda\xed\x20\x8c\x4d\x3d\x08\x4d\x3b\x88\xfc\xed\xf4\xc9"
  2811. "\xef\xa6\xf7\xe8\xf7\xc8\x36\xdd\x56\xec\x7b\x51\xbb\x61\xdd\xc8\x1a\x2f"
  2812. "\x68\xc5\xae\x17\x9b\x9a\x1f\x79\xa6\xbd\xf5\xd3\x86\x1f\x6d\xda\x30\x5d"
  2813. "\x39\x6a\x5b\xcf\xaf\xfb\x9e\x1b\xfb\x41\xcb\x44\xc1\x56\xe8\xd9\xa2\x31"
  2814. "\x91\xb5\x03\x81\x7e\xcd\xb6\x62\xbf\xee\x27\xc5\x96\x69\x87\x7e\xd3\x0d"
  2815. "\x77\xcc\x27\x41\x63\xab\x69\x4d\xcd\x46\x5e\xe8\xb7\xe3\x20\xab\xb0\xdf"
  2816. "\x96\xdf\xaa\x07\x61\x33\xad\xb6\x78\xd1\x1b\x1b\x00\x80\xb7\xc4\xf3\x17"
  2817. "\x87\x4f\x1e\x75\x3a\xbb\xcf\x26\x14\x8e\x34\x3d\xa6\x57\x58\x1a\x55\xe1"
  2818. "\x45\xf7\x11\x00\x00\x0c\x63\x94\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  2819. "\x00\x00\x00\x00\x00\x00\x00\xe0\xed\x37\xcb\xf5\x7f\xe7\x2a\x2c\x8e\xba"
  2820. "\x58\x50\x3a\x9e\xf3\xab\xcb\x33\xd5\xe3\x68\xde\x89\x9d\xa7\x90\x7b\xf9"
  2821. "\xd5\xff\x36\x21\xe6\xd2\xf1\x9c\xfe\xe6\x1f\x8c\x39\xba\x80\x9e\x2a\x2b"
  2822. "\xe4\xe7\x5f\xf3\x25\x69\xf6\xcb\x46\xe7\x50\xf8\xf1\x5e\xb6\x45\x4f\xe6"
  2823. "\x2c\x0c\xc7\x24\x0b\x47\xae\xbe\x7c\xbc\x2f\xf2\xf3\xff\xe7\x90\x14\x9e"
  2824. "\xfe\x69\xcc\xa2\x6e\xb7\xdb\x9d\xbc\xfa\xf2\xf0\x36\x5c\x1a\xea\xe0\xc4"
  2825. "\x42\x5e\xd2\xb3\xa5\x57\xd8\x05\x17\x73\x3c\x02\xf0\xe6\xfc\x37\x00\x00"
  2826. "\xff\xff\x86\xf3\x3b\xd2",
  2827. 1554);
  2828. syz_mount_image(/*fs=*/0x2000000000c0, /*dir=*/0x200000000000,
  2829. /*flags=MS_REC|MS_NOSUID|MS_NODEV*/ 0x4006,
  2830. /*opts=*/0x200000000880, /*chdir=*/0xc, /*size=*/0x612,
  2831. /*img=*/0x200000000a80);
  2832. memcpy((void*)0x200000000240, "./file0\000", 8);
  2833. syscall(__NR_lchown, /*file=*/0x200000000240ul, /*uid=*/0, /*gid=*/0);
  2834. memcpy((void*)0x2000000018c0, "/dev/snd/seq\000", 13);
  2835. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  2836. /*file=*/0x2000000018c0ul, /*flags=*/0, 0);
  2837. if (res != -1)
  2838. r[33] = res;
  2839. memcpy((void*)0x200000000000, "blkio.throttle.io_serviced_recursive\000", 37);
  2840. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000000ul,
  2841. /*flags=*/0x275a, /*mode=*/0);
  2842. if (res != -1)
  2843. r[34] = res;
  2844. memcpy((void*)0x200000000340, "#! ", 3);
  2845. *(uint8_t*)0x200000000343 = 0xa;
  2846. syscall(__NR_write, /*fd=*/r[34], /*data=*/0x200000000340ul, /*len=*/4ul);
  2847. syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x400000ul,
  2848. /*prot=PROT_READ*/ 1ul,
  2849. /*flags=MAP_NONBLOCK|MAP_FIXED|MAP_PRIVATE*/ 0x10012ul, /*fd=*/r[34],
  2850. /*offset=*/0ul);
  2851. *(uint32_t*)0x200000000380 = 0;
  2852. *(uint32_t*)0x200000000384 = 0;
  2853. STORE_BY_BITMASK(uint32_t, , 0x200000000388, 0, 0, 1);
  2854. memcpy((void*)0x200000000389,
  2855. "queue1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
  2856. "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
  2857. "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
  2858. "\000\000\000\000\000\000\000\000\000",
  2859. 64);
  2860. *(uint32_t*)0x2000000003cc = 0;
  2861. memset((void*)0x2000000003d0, 0, 60);
  2862. syscall(__NR_ioctl, /*fd=*/r[33], /*cmd=*/0xc08c5332,
  2863. /*arg=*/0x200000000380ul);
  2864. memcpy((void*)0x200000000000, "./bus\000", 6);
  2865. memcpy((void*)0x200000000140, "./file0\000", 8);
  2866. syscall(__NR_symlink, /*old=*/0x200000000000ul, /*new=*/0x200000000140ul);
  2867. memcpy((void*)0x200000000480, "/sys/power/mem_sleep", 20);
  2868. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  2869. /*dir=*/0x200000000480ul, /*flags=*/0, /*mode=*/0);
  2870. if (res != -1)
  2871. r[35] = res;
  2872. syscall(__NR_read, /*fd=*/r[35], /*data=*/0x2000000000c0ul, /*len=*/8ul);
  2873. *(uint32_t*)0x200000000200 = 0x6e;
  2874. syscall(__NR_accept4, /*fd=*/r[32], /*peer=*/0x2000000002c0ul,
  2875. /*peerlen=*/0x200000000200ul, /*flags=SOCK_CLOEXEC*/ 0x80000ul);
  2876. syscall(__NR_setresuid, /*ruid=*/0, /*euid=*/0xee00, /*suid=*/0);
  2877. memcpy((void*)0x200000000280, "./file1\000", 8);
  2878. memcpy((void*)0x200000000180, "user.incfs.metadata\000", 20);
  2879. memcpy((void*)0x200000000380,
  2880. "\x31\xcc\x87\x67\x67\x49\xf8\x3c\x00\x31\xba\xc2\x5a\x10\x54\x67\x74"
  2881. "\xa4\x72\xbd\x19\xa4\x20\xec\xf5\x8a\xfe\x5e\xb1\x87\x99\x17\xaf\x3a"
  2882. "\x8a\xf7\x5a\x26\x9f\x2a\xd3\x5a\xde\xdd\xd9\x27\x29\x93\xa1\x41\x4f"
  2883. "\xb1\xe7\x22\x81\x2c\xcc\xcc\x69\x4a\xff\x2a\xe9\x1b\xaa\x6f\x0e\xa4"
  2884. "\x3d\xba\x87\xf0\xd1\x9d\x18\x7b\xf3\x51\xce\xf9\x1e\xc1\x0a\x23\x4d"
  2885. "\x4e\xf6\x71\x9b\x7f\x5e\x7a\x4a\x12\x5b\x85\xce\x0d\xe0\xd7\x93\x42"
  2886. "\x30\x32\xe5\xf0\x73\x28\xdd\x62\xa4\xcf\xe6\x79\x76\x22\x72\xf0\x19"
  2887. "\xa7\xea\x02\x83\x05\xb1\x72\x85\x76\x72\x4d\xd7\xce\x0b\x53\x66\x8f"
  2888. "\xca\x5d\xb8\x10\xbf\xa4\x75\x94\xd8\xaf\xd0\xd2\x26\x4a",
  2889. 150);
  2890. syscall(__NR_setxattr, /*path=*/0x200000000280ul, /*name=*/0x200000000180ul,
  2891. /*val=*/0x200000000380ul, /*size=*/0x96ul,
  2892. /*flags=XATTR_CREATE*/ 1ul);
  2893. memcpy((void*)0x2000000001c0, "./file0\000", 8);
  2894. syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul,
  2895. /*file=*/0x2000000001c0ul, /*statbuf=*/0ul, /*flag=*/0ul);
  2896. *(uint32_t*)0x20000001d000 = 2;
  2897. *(uint32_t*)0x20000001d004 = 0x80;
  2898. *(uint8_t*)0x20000001d008 = 0x48;
  2899. *(uint8_t*)0x20000001d009 = 0;
  2900. *(uint8_t*)0x20000001d00a = 0;
  2901. *(uint8_t*)0x20000001d00b = 0;
  2902. *(uint32_t*)0x20000001d00c = 0;
  2903. *(uint64_t*)0x20000001d010 = 0;
  2904. *(uint64_t*)0x20000001d018 = 0;
  2905. *(uint64_t*)0x20000001d020 = 0;
  2906. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 0, 1);
  2907. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 1, 1);
  2908. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 2, 1);
  2909. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 3, 1);
  2910. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 4, 1);
  2911. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 5, 1);
  2912. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 6, 1);
  2913. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 7, 1);
  2914. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 8, 1);
  2915. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 9, 1);
  2916. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 10, 1);
  2917. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 11, 1);
  2918. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 12, 1);
  2919. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 13, 1);
  2920. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 14, 1);
  2921. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 15, 2);
  2922. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 17, 1);
  2923. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 18, 1);
  2924. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 19, 1);
  2925. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 20, 1);
  2926. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 21, 1);
  2927. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 22, 1);
  2928. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 23, 1);
  2929. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 24, 1);
  2930. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 25, 1);
  2931. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 26, 1);
  2932. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 27, 1);
  2933. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 28, 1);
  2934. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 29, 1);
  2935. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 30, 1);
  2936. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 31, 1);
  2937. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 32, 1);
  2938. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 33, 1);
  2939. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 34, 1);
  2940. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 35, 1);
  2941. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 36, 1);
  2942. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 37, 1);
  2943. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 38, 26);
  2944. *(uint32_t*)0x20000001d030 = 0;
  2945. *(uint32_t*)0x20000001d034 = 0;
  2946. *(uint64_t*)0x20000001d038 = 0;
  2947. *(uint64_t*)0x20000001d040 = 0;
  2948. *(uint64_t*)0x20000001d048 = 0;
  2949. *(uint64_t*)0x20000001d050 = 0;
  2950. *(uint32_t*)0x20000001d058 = 0;
  2951. *(uint32_t*)0x20000001d05c = 0;
  2952. *(uint64_t*)0x20000001d060 = 0;
  2953. *(uint32_t*)0x20000001d068 = 0;
  2954. *(uint16_t*)0x20000001d06c = 0;
  2955. *(uint16_t*)0x20000001d06e = 0;
  2956. *(uint32_t*)0x20000001d070 = 0;
  2957. *(uint32_t*)0x20000001d074 = 0;
  2958. *(uint64_t*)0x20000001d078 = 0;
  2959. syscall(__NR_perf_event_open, /*attr=*/0x20000001d000ul, /*pid=*/0,
  2960. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  2961. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x4b31, /*arg=*/0x200000000000ul);
  2962. memcpy((void*)0x200000000040, "ext4\000", 5);
  2963. memcpy((void*)0x200000000080, "./file0\000", 8);
  2964. *(uint8_t*)0x200000000000 = 0;
  2965. memcpy(
  2966. (void*)0x200000000780,
  2967. "\x78\x9c\xec\xdc\x4d\x6c\x54\x45\x1c\x00\xf0\xff\xdb\xb6\xb4\x7c\xd9\x05"
  2968. "\xf1\x83\x0f\x65\x15\x8d\xc4\x8f\x16\x0a\x2a\x07\x2f\x18\x4d\xb8\x98\x98"
  2969. "\xe8\x01\x8f\xb5\x14\x82\x14\x4a\x68\x4d\x84\x10\x5b\x8d\xc1\xa3\xe1\x6e"
  2970. "\xa2\x1e\x4d\x3c\x78\x36\x1e\xf0\x62\x94\x93\xc6\xab\x9e\xbc\x18\x13\x62"
  2971. "\xb8\x88\x1e\xcc\x33\x6f\x77\x5f\xbb\x6d\x77\xdb\xdd\xed\x17\x74\x7f\xbf"
  2972. "\x64\xdb\x99\xf7\x66\xdf\xcc\xbf\xf3\xa6\x9d\x37\xc3\x12\x40\xc7\x2a\x65"
  2973. "\x5f\x92\x88\x6d\x11\xf1\x6b\x44\xf4\x57\xb2\x73\x0b\x94\x2a\xdf\xee\xdc"
  2974. "\xbe\x3a\xf2\xcf\xed\xab\x23\x49\xa4\xe9\x1b\x7f\x25\xe5\x72\x7f\xdf\xbe"
  2975. "\x3a\x92\x17\xcd\xdf\xb7\xb5\x9a\xb9\x98\x44\x14\x3e\x4a\x62\x6f\x9d\x7a"
  2976. "\x27\x2e\x5f\x39\x37\x3c\x36\x36\x7a\xa9\x9a\x1f\x9c\x3c\x7f\x71\x70\xe2"
  2977. "\xf2\x95\xe7\xce\x9e\x1f\x3e\x33\x7a\x66\xf4\xc2\xd0\xb1\x63\x47\x8f\x1c"
  2978. "\x7e\xf1\x85\xa1\xe7\x57\x24\xce\xed\x59\x5b\xf7\xbc\x3f\xbe\x6f\xf7\x89"
  2979. "\xb7\xae\xbf\x36\x72\xf2\xfa\xdb\x3f\x7e\x15\xdf\x26\xe5\xb8\x63\x5e\x1c"
  2980. "\x15\xc5\x65\xd7\x59\x8a\xd2\xdc\x9f\x65\x8d\x27\x97\x7d\xf5\xbb\xcb\xcd"
  2981. "\x1d\xb3\xe9\xa4\xbb\xf6\xcc\xef\x79\xe2\xc6\xda\xb6\x88\x66\x74\x45\x44"
  2982. "\xd6\x5d\x3d\xe5\xf1\xdf\x1f\x5d\x31\xdb\x79\xfd\xf1\xea\x87\xeb\xda\x38"
  2983. "\x60\xb5\x15\x7a\x17\x1c\xea\xca\x13\xd3\x29\xb0\x81\x65\xb3\x79\xa0\x13"
  2984. "\xe5\x7f\xe8\xb3\xe7\xdf\xfc\xb5\x86\x73\x8f\x75\x77\xeb\x78\x44\x12\x3d"
  2985. "\xe5\xf8\xef\x54\x5f\x95\x33\xdd\x51\xc8\x9e\xe1\x8b\x95\x67\xa3\xed\xab"
  2986. "\x54\x7f\x29\x22\x4e\x4e\xff\xfb\x59\xf6\x8a\xba\xeb\x10\x00\x00\x2b\xeb"
  2987. "\xc6\xf1\x88\x78\xb6\xde\xfc\xaf\x10\x0f\xd6\x94\xbb\xaf\xba\x37\x54\x8c"
  2988. "\x88\x1d\x11\xb1\x33\x22\xee\x8f\x88\x5d\x11\xf1\x40\x44\xb9\xec\x43\x11"
  2989. "\xf1\x70\x8b\xf5\x97\xe6\xe5\x17\xce\x7f\x7e\xde\xdc\x56\x60\x4d\xca\xe6"
  2990. "\x7f\x2f\x55\xf7\xb6\xe6\xce\xff\x0a\x79\x91\x62\x57\x35\xb7\xbd\x1c\x7f"
  2991. "\x4f\x72\xfa\xec\xd8\xe8\xa1\xea\xcf\xe4\x60\xf4\xf4\x66\xf9\xc3\x8b\xd4"
  2992. "\xf1\xdd\x2b\xbf\x7c\xd2\xe8\x5c\xcd\xfc\xaf\x2f\xfb\x9e\xd5\x9f\xcf\x05"
  2993. "\x23\xa6\xb3\x9a\xff\xec\x9e\xb7\x40\x77\x6a\x78\x72\x78\xb9\x71\xe7\x6e"
  2994. "\x7d\x10\xb1\xa7\xbb\x5e\xfc\xc9\xa6\xbc\x4c\x12\x11\xbb\x23\x62\x4f\x1b"
  2995. "\xd7\xcf\x3a\xef\xec\xd3\x5f\xee\x6b\x74\xbe\x94\x5d\xbc\x3a\xff\x5d\x18"
  2996. "\xff\x12\xba\xdb\x68\xd0\x3c\xe9\x17\x11\x4f\x55\xfa\x7f\x3a\xe6\xc6\x3f"
  2997. "\x53\x26\x59\x7c\x7f\x72\xb0\x2f\xc6\x46\x0f\x0d\xe6\x77\xc5\x42\x37\x7f"
  2998. "\xba\xf6\x7a\xa3\xfa\x6b\xe7\xff\x4b\xc4\xdf\x68\x2b\x71\x59\xb2\xfe\xdf"
  2999. "\x52\xf7\xfe\x9f\xa9\xae\x98\xd4\xee\xd7\x4e\xb4\x5e\xc7\xb5\xdf\x3e\x6e"
  3000. "\xf8\x4c\xb3\x74\xfc\xf5\xef\xff\x4d\xc9\x9b\xe5\x74\x7e\x93\xbe\x37\x3c"
  3001. "\x39\x79\xe9\x70\xc4\xa6\x64\x7a\xe1\xf1\xa1\xd9\xf7\xe6\xf9\xbc\x7c\x16"
  3002. "\xff\xc1\x03\xf5\xc7\xff\xce\x88\xff\x3e\xaf\xbe\x6f\x6f\x44\x64\x37\xf1"
  3003. "\x23\x11\xf1\x68\x44\xec\xaf\xb6\xfd\xb1\x88\x78\x3c\x22\x0e\x2c\x12\xff"
  3004. "\x0f\x2f\x3f\xf1\xce\x12\xf1\xe7\x11\xb6\x76\xff\xaf\x80\x2c\xfe\x53\x2d"
  3005. "\xf5\x7f\x13\x89\x6c\x5c\xd6\x1c\xe9\x3a\xf7\xfd\x37\x8d\xea\x6f\xae\xff"
  3006. "\x8f\x96\x53\x07\xab\x47\x9a\xf9\xfd\xd7\x64\x4b\xdb\xb8\x9b\x01\x00\x00"
  3007. "\xe0\xde\x53\x88\x88\x6d\x91\x14\x06\x66\xd2\x85\xc2\xc0\x40\xe5\xdf\xf0"
  3008. "\xef\x8a\x2d\x85\xb1\xf1\x89\xc9\x67\x4e\x8f\xbf\x7b\xe1\x54\xe5\x33\x02"
  3009. "\xc5\xe8\x29\xe4\x2b\x5d\xfd\x35\xeb\xa1\x9b\xab\x6b\xc3\xc5\xe8\x99\x8a"
  3010. "\x88\xd1\xa1\xd9\x7c\xf9\xfc\x91\xf2\xba\x71\x9a\xa6\xe9\xe6\x72\x7e\x60"
  3011. "\x64\x7c\x6c\xb5\xf6\xd4\x81\xe6\x6c\x6d\x30\xfe\x33\x7f\x74\xad\x77\xeb"
  3012. "\x80\x55\xb7\xc4\x3e\xda\xfe\xf2\xd7\xde\x88\xf8\x7a\xb5\xb6\xa1\x80\xf5"
  3013. "\xb2\x02\xfb\xe8\xc0\x3d\xca\xf8\x87\xce\x65\xfc\x43\xe7\x5a\x62\xfc\xa7"
  3014. "\x69\x3a\xb5\x56\x4d\x01\xd6\x58\xbd\xf1\x3f\x15\x71\x67\xe1\xd1\xc4\xf2"
  3015. "\x1f\x6c\x30\x8b\xff\xfd\xb7\x0b\x08\x1b\x99\xe7\x7f\xe8\x5c\xc6\x3f\x74"
  3016. "\x2e\xe3\x1f\x3a\x52\x4b\x9f\xeb\x6f\x21\xb1\xf3\xc4\x6a\x5d\x79\xa3\x25"
  3017. "\xba\x66\x8e\x7c\x3a\xf7\xbf\x4d\xb8\xcb\x13\x51\xb8\x2b\x9a\xd1\x5e\xa2"
  3018. "\x50\xef\x54\x5f\x44\xb4\x7f\xe5\x34\x4d\xd3\xe6\x0a\xef\x9f\x77\xa4\xb7"
  3019. "\x85\x7e\x9f\x6a\xbb\x85\x7d\x2d\xbe\x6b\xe6\x57\x84\x15\x7f\x00\x00\x00"
  3020. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3021. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3022. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3023. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3024. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3025. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3026. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3027. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3028. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3029. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3030. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3031. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3032. "\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x9e\xf6\x7f\x00\x00\x00\xff\xff\x83"
  3033. "\x80\xe3\x94",
  3034. 1191);
  3035. syz_mount_image(/*fs=*/0x200000000040, /*dir=*/0x200000000080,
  3036. /*flags=MS_LAZYTIME|MS_POSIXACL|MS_SYNCHRONOUS*/ 0x2010010,
  3037. /*opts=*/0x200000000000, /*chdir=*/1, /*size=*/0x4a7,
  3038. /*img=*/0x200000000780);
  3039. memcpy((void*)0x200000000080, "/dev/net/tun\000", 13);
  3040. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  3041. /*file=*/0x200000000080ul,
  3042. /*flags=O_LARGEFILE|O_CLOEXEC|O_RDWR*/ 0x88002, /*mode=*/0);
  3043. if (res != -1)
  3044. r[36] = res;
  3045. memcpy((void*)0x200000001000, "syzkaller1\000\000\000\000\000\000", 16);
  3046. *(uint16_t*)0x200000001010 = 0x20;
  3047. syscall(__NR_ioctl, /*fd=*/r[36], /*cmd=*/0x400454ca,
  3048. /*arg=*/0x200000001000ul);
  3049. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  3050. if (res != -1)
  3051. r[37] = res;
  3052. *(uint32_t*)0x20000001d000 = 2;
  3053. *(uint32_t*)0x20000001d004 = 0x80;
  3054. *(uint8_t*)0x20000001d008 = 0xba;
  3055. *(uint8_t*)0x20000001d009 = 0;
  3056. *(uint8_t*)0x20000001d00a = 0;
  3057. *(uint8_t*)0x20000001d00b = 0;
  3058. *(uint32_t*)0x20000001d00c = 0;
  3059. *(uint64_t*)0x20000001d010 = 3;
  3060. *(uint64_t*)0x20000001d018 = 0x2010;
  3061. *(uint64_t*)0x20000001d020 = 0;
  3062. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 0, 1);
  3063. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 1, 1);
  3064. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 2, 1);
  3065. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 3, 1);
  3066. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 4, 1);
  3067. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 5, 1);
  3068. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 6, 1);
  3069. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 7, 1);
  3070. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 8, 1);
  3071. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 9, 1);
  3072. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 10, 1);
  3073. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 11, 1);
  3074. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 12, 1);
  3075. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 13, 1);
  3076. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 14, 1);
  3077. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 15, 2);
  3078. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 17, 1);
  3079. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 18, 1);
  3080. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 19, 1);
  3081. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 20, 1);
  3082. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 21, 1);
  3083. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 22, 1);
  3084. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 23, 1);
  3085. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 24, 1);
  3086. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 25, 1);
  3087. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 26, 1);
  3088. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 27, 1);
  3089. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 28, 1);
  3090. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 29, 1);
  3091. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 30, 1);
  3092. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 31, 1);
  3093. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 32, 1);
  3094. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 33, 1);
  3095. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 34, 1);
  3096. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 35, 1);
  3097. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 36, 1);
  3098. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 37, 1);
  3099. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 38, 26);
  3100. *(uint32_t*)0x20000001d030 = 0;
  3101. *(uint32_t*)0x20000001d034 = 0;
  3102. *(uint64_t*)0x20000001d038 = 0;
  3103. *(uint64_t*)0x20000001d040 = 0;
  3104. *(uint64_t*)0x20000001d048 = 0;
  3105. *(uint64_t*)0x20000001d050 = 0;
  3106. *(uint32_t*)0x20000001d058 = 0;
  3107. *(uint32_t*)0x20000001d05c = 0;
  3108. *(uint64_t*)0x20000001d060 = 0x260;
  3109. *(uint32_t*)0x20000001d068 = 0;
  3110. *(uint16_t*)0x20000001d06c = 0;
  3111. *(uint16_t*)0x20000001d06e = 0;
  3112. *(uint32_t*)0x20000001d070 = 0;
  3113. *(uint32_t*)0x20000001d074 = 0;
  3114. *(uint64_t*)0x20000001d078 = 0;
  3115. syscall(__NR_perf_event_open, /*attr=*/0x20000001d000ul, /*pid=*/0,
  3116. /*cpu=*/-1, /*group=*/-1, /*flags=*/0ul);
  3117. memcpy((void*)0x200000002dc0, "./file0\000", 8);
  3118. syscall(__NR_mknod, /*file=*/0x200000002dc0ul, /*mode=S_ISVTX*/ 0x200ul,
  3119. /*dev=*/0x100);
  3120. *(uint32_t*)0x20000001d000 = 2;
  3121. *(uint32_t*)0x20000001d004 = 0x80;
  3122. *(uint8_t*)0x20000001d008 = 0x98;
  3123. *(uint8_t*)0x20000001d009 = 0;
  3124. *(uint8_t*)0x20000001d00a = 0;
  3125. *(uint8_t*)0x20000001d00b = 0;
  3126. *(uint32_t*)0x20000001d00c = 0;
  3127. *(uint64_t*)0x20000001d010 = 0;
  3128. *(uint64_t*)0x20000001d018 = 0;
  3129. *(uint64_t*)0x20000001d020 = 0;
  3130. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 0, 1);
  3131. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 1, 1);
  3132. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 2, 1);
  3133. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 3, 1);
  3134. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 4, 1);
  3135. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 5, 1);
  3136. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 6, 1);
  3137. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 7, 1);
  3138. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 8, 1);
  3139. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 9, 1);
  3140. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 10, 1);
  3141. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 11, 1);
  3142. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 12, 1);
  3143. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 13, 1);
  3144. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 14, 1);
  3145. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 15, 2);
  3146. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 17, 1);
  3147. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 18, 1);
  3148. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 19, 1);
  3149. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 20, 1);
  3150. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 21, 1);
  3151. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 22, 1);
  3152. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 23, 1);
  3153. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 24, 1);
  3154. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 25, 1);
  3155. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 26, 1);
  3156. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 27, 1);
  3157. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 28, 1);
  3158. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 29, 1);
  3159. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 30, 1);
  3160. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 31, 1);
  3161. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 32, 1);
  3162. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 33, 1);
  3163. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 34, 1);
  3164. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 35, 1);
  3165. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 36, 1);
  3166. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 37, 1);
  3167. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 38, 26);
  3168. *(uint32_t*)0x20000001d030 = 0;
  3169. *(uint32_t*)0x20000001d034 = 0;
  3170. *(uint64_t*)0x20000001d038 = 0;
  3171. *(uint64_t*)0x20000001d040 = 0;
  3172. *(uint64_t*)0x20000001d048 = 0;
  3173. *(uint64_t*)0x20000001d050 = 0;
  3174. *(uint32_t*)0x20000001d058 = 0;
  3175. *(uint32_t*)0x20000001d05c = 0;
  3176. *(uint64_t*)0x20000001d060 = 0;
  3177. *(uint32_t*)0x20000001d068 = 0;
  3178. *(uint16_t*)0x20000001d06c = 0;
  3179. *(uint16_t*)0x20000001d06e = 0;
  3180. *(uint32_t*)0x20000001d070 = 0;
  3181. *(uint32_t*)0x20000001d074 = 0;
  3182. *(uint64_t*)0x20000001d078 = 0;
  3183. syscall(__NR_perf_event_open, /*attr=*/0x20000001d000ul, /*pid=*/0,
  3184. /*cpu=*/-1, /*group=*/-1, /*flags=PERF_FLAG_FD_NO_GROUP*/ 1ul);
  3185. syz_clone(
  3186. /*flags=CLONE_PIDFD|CLONE_NEWNET|CLONE_NEWIPC|CLONE_NEWNS*/ 0x48021000,
  3187. /*stack=*/0, /*stack_len=*/0, /*parentid=*/0, /*childtid=*/0, /*tls=*/0);
  3188. *(uint64_t*)0x200000000000 = 0xa;
  3189. *(uint64_t*)0x200000000008 = 0x8b;
  3190. syscall(__NR_prlimit64, /*pid=*/0, /*res=RLIMIT_RTPRIO*/ 0xeul,
  3191. /*new=*/0x200000000000ul, /*old=*/0ul);
  3192. syscall(__NR_socket, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0x88);
  3193. res = syscall(__NR_getpid);
  3194. if (res != -1)
  3195. r[38] = res;
  3196. *(uint32_t*)0x200000000200 = 4;
  3197. syscall(__NR_sched_setscheduler, /*pid=*/r[38], /*policy=SCHED_RR*/ 2ul,
  3198. /*prio=*/0x200000000200ul);
  3199. res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_STREAM*/ 1ul,
  3200. /*proto=*/0, /*fds=*/0x200000000000ul);
  3201. if (res != -1) {
  3202. r[39] = *(uint32_t*)0x200000000000;
  3203. r[40] = *(uint32_t*)0x200000000004;
  3204. }
  3205. *(uint64_t*)0x200000001580 = 0;
  3206. *(uint32_t*)0x200000001588 = 0;
  3207. *(uint64_t*)0x200000001590 = 0x200000001400;
  3208. *(uint64_t*)0x200000001400 = 0x200000000080;
  3209. memcpy((void*)0x200000000080,
  3210. "\x3b\xfd\xd7\x5f\xa5\x71\x78\x52\xd5\x9a\x93\x67\x44\x4a\x21\x30\xe7"
  3211. "\x2c\xd4\xda\xbc\x88\x54\x53\x2c\xca\x0c\x32\xa5\xb9\xf8\x44\xa4\x61"
  3212. "\x0c\x75\x25\x65\x0c\xe3\xd3\xb7\x6b\x15\x02\x6d\x93\xe6\xde\xe8\x96"
  3213. "\x11\x5e\x93\x64\x06\x6a\xa3\xd1\x4e\x33\xef\x73\x2b\x46\x81\x33\x5c"
  3214. "\x57\x69\x02\x15\x31\x14\xbd\xb9\xc7\x4b\x53\x8a\x71\x11\x5f\xb1\xd1"
  3215. "\xa6\x3d\x1b\x04\x12\x96\x61\xb2\x9a\xab\x89\xd0\xbe\x99\x9a\x6b\x7c"
  3216. "\x9b\xea\x75\x5a\xde\xdb\xf3\x05\xa7\x9f\x70\xb7\x1d\x3d\x4c\x98\x57"
  3217. "\x7b\x49\xdb\x49\x63\xce\x89\xb0\xde\xf5\xe8\x40\xf4\x59\x65\x9c\xb6"
  3218. "\xf8\x6d\x56\xb0\x69\xa5\xde\x11\xd6\x01\xd3\x48\xff\x88\xca\x6e\x5e"
  3219. "\x2c\xfe\x40\x17\x68\x80\xb3\x3e\x9e\x8d\xbc\x32\xba\x2e\x6a\x99\xb1"
  3220. "\xb5\x02\x76\xdc\x4f\x06\x16\x60\x00\xd7\x06\x9a\x3c\xc7\x6f",
  3221. 185);
  3222. *(uint64_t*)0x200000001408 = 0xb9;
  3223. *(uint64_t*)0x200000001410 = 0x200000000180;
  3224. memcpy((void*)0x200000000180,
  3225. "\x89\x29\x50\xe2\x40\x5e\xe8\x62\x9d\x93\x84\xa9\x1c\x16\xd1\x70\x6a"
  3226. "\x3e\x61\xf3\x05\x11\x9f\x95\xca\xc0\xf1\x92\x7f\x4c\x20\x5b\x97\x1e"
  3227. "\xb4\x11\x47\xcb\x1f\x86\x88\x3d\x69\x10\xe6\x8a\xc3\x99\x65\x51\x80"
  3228. "\x0b\x3e\xc6\x4b\x77\xf8\x44\x4b\x18\x34\x5a\x2c\x8b\x17\x8e\xee\xba"
  3229. "\x0c\xde\x73\x19\xa5\xa4\x6b\xfe\x7f\x57\x70\xe0\x19\xef\xd9\xd5\x20"
  3230. "\x69\xed\xcc\xed\x33\xa7\x58\xc4\xe6\x57\xf3\xa7\x92\xdc\x19\x3a\x19"
  3231. "\x11\xb4\xe8\x2e\xa8\x00\xad\x7a\xfe\x03\xc8\x51\xa8",
  3232. 115);
  3233. *(uint64_t*)0x200000001418 = 0xbb;
  3234. *(uint64_t*)0x200000001420 = 0x200000000200;
  3235. memcpy((void*)0x200000000200,
  3236. "\xa6\x8c\xde\x0d\x56\xb1\x70\xdf\x77\x10\xb5\x4f\x17\xd9\xa3\x9c\x4f"
  3237. "\x98\xf3\x54\x71\x90",
  3238. 22);
  3239. *(uint64_t*)0x200000001428 = 0x20000216;
  3240. *(uint64_t*)0x200000001430 = 0x200000000240;
  3241. memcpy(
  3242. (void*)0x200000000240,
  3243. "\x45\xe0\x44\x00\xf2\xb3\x83\x51\x7a\x08\xc3\x97\xdd\x0a\x76\xe6\x7e\xcf"
  3244. "\xc8\xe7\x45\x73\xc2\x4d\xed\xd3\xa4\x8f\xb6\x24\x18\xc1\x41\x2f\xdc\xd1"
  3245. "\x5e\x88\x8c\xb0\xf5\xd0\x2e\x77\xbf\xec\xef\xda\x6b\x06\x4c\x0b\xb2\xb6"
  3246. "\x6a\x9a\x52\x2e\x63\x87\x3d\xde\x02\x33\x05\x10\x25\x5e\xec\x7d\xfa\x1a"
  3247. "\xf7\x08\xcd\xab\x59\xfb\x71\xec\xa7\x86\xa3\x59\xa2\xc3\xb0\xcb\xad\x35"
  3248. "\x14\x4e\xc5\xb0\x69\xc5\x3f\x90\xe4\x33\x39\x84\x5d\xc7\xfd\x14\x0c\x55"
  3249. "\xb0\x14\x9a\xb3\x8e\xb2\x7c\x14\x0f\x37\x4b\xcc\x2c\x95\xb0\xb1\x21\xd1"
  3250. "\xa9\x30\x2f\x3a\x01\xb8\x88\x24\x3b\x3f\xc0\xd4\x6f\x0d\xe0",
  3251. 141);
  3252. *(uint64_t*)0x200000001438 = 0x8d;
  3253. *(uint64_t*)0x200000001440 = 0x200000000300;
  3254. memcpy(
  3255. (void*)0x200000000300,
  3256. "\x87\xfb\x74\xcf\x4d\x67\xad\xbb\xd0\x62\x63\x7f\x51\x4c\x1f\x5e\xb1\x8d"
  3257. "\x7b\x44\x2e\x64\x57\xa3\x56\xc6\xcb\x1f\x71\xa4\x3d\xfa\xe7\x73\xc8\x48"
  3258. "\x9c\xce\x51\x45\xf9\x26\x15\xd4\xbd\xb1\x3e\xf5\x4d\x6a\xe9\x0e\xc7\x73"
  3259. "\x31\x80\xfc\xf5\xad\xf3\xe1\x3f\xdb\x05\xb5\x7b\x74\x8b\xd1\x4e\xda\x04"
  3260. "\x2a\x97\xfd\xd8\x44\x98\x30\x4a\x50\x4a\x0a\x15\x9b\x97\x2e\x82\x00\xc2"
  3261. "\xd0\xf5\x36\xa3\x46\x5e\xc4\x98\xed\x12\xb9\x24\xbd\x13\x40\x57\xdf\x36"
  3262. "\x12\x9d\x3e\xbe\x3d\xd3\xce\x9f\x06\x71\xe5\x27\x81\x43\xe4\xaf\xa3\xd4"
  3263. "\x3f\x44\x46\x81\xde\x1b\x5f\x97\x25\xfc\xa3\x4f\xa3\x57\xfe\x21\x54\x98"
  3264. "\x16\x66\xfb\x9d\xc2\x02\xfc\x17\xa0\x19\x9e\xb1\xc2\x5b\xdd\x10\x05\xe5"
  3265. "\x4a\xee\xe3\x1d\x11\x4a\xcf\xa0\xbc\xd2\x35\xd5\x71\xcd\x76\x5f\x4b\x92"
  3266. "\x59\xba\x43\xe6\xfc\x30\x29\x1d\x8a\x64\x21\x46\xc4\x77\x18\x98\x03\x0b"
  3267. "\x73\x6a\xee\xe6\xb2\x47\xab\xb0\x78\x4b\x15\x4e\x10\x4e\x7d\xcd\xa4\x01"
  3268. "\xf9\xb1\x73\x6f\xea\x30\xa4\x1a\x41\x53\xfe\x6a\x9a\x52\x5b\xd0\xa3\x48"
  3269. "\x75\x71\xf9\x14\xf0\x5b\x59\x0e\x24\x23\x41\xad\xe2\x89\xd8\xf5\xb8\x42"
  3270. "\xc6\xbe\x4a\x93\xc2\x75\x5d\xfd\x47\x17\x4d\xef\x78\x2a\x2f\x8f\x61\xc0"
  3271. "\x68\xb5\xa0\x12\xf0\x2c\x08\x01\x60\x1e\x86\x0d\xef\x78\x81\x21\xe8\x80"
  3272. "\x8c\x01\xfe\xd4\xc9\x20\xa3\x69\x8d\x0d\x68\x49\x20\x91\x8c\x95\xb1\x7f"
  3273. "\x76\xbb\xcb\x4f\x26\x5c\x93\x1d\x8f\x79\x56\x0f\xf8\x11\x4b\x70\xf4\xdd"
  3274. "\x67\x91\xe2\xed\x70\xcf\xeb\x89\x90\x57\x91\xb8\x8b\xe2\x6e\xfe\x1c\x5c"
  3275. "\x66\xb7\xb5\x0b\x3d\x2b\xe0\xdb\xc0\x66\xdf\xc3\x16\x18\xf9\x50\x7f\x6f"
  3276. "\x34\x0b\x85\xa2\xf7\x6a\x6d\xca\xc9\xd6\xcc\xc2\x89\xac\xe5\xe5\xfe\xcd"
  3277. "\x25\xaf\xe2\x2f\xfa\x45\x1f\x5e\x36\x5a\xb3\x3c\xc9\x85\xf2\xe9\xd7\xf7"
  3278. "\xfb\x1b\xe4\x79\x47\x40\xa9\x42\x15\xd7\xdb\x14\xb0\xff\xce\xc1\x9e\x5e"
  3279. "\x3c\x5a\xe0\xd8\x57\x8e\xf3\xb6\x5d\x2a\x7a\x77\xa1\x1e\x39\x0a\x6c\x3a"
  3280. "\x6b\x39\x10\x61\xc8\x86\xb9\x61\xe3\xc2\xf4\x2d\x62\x04\x7b\xfe\x13\x56"
  3281. "\xa4\x4b\x84\x0d\x3d\x95\x61\x05\xf4\xc0\xfa\x95\xdb\x08\xc4\x93\x3f\x00"
  3282. "\xde\x77\xcd\xc0\x57\xc2\x8b\x41\xfe\xcf\xc8\x39\x8c\x44\x2b\xe1\xad\x06"
  3283. "\x59\x54\xf6\xc9\xdf\xeb\x2f\xd7\x20\x7e\x85\x48\xa0\x0a\x1d\x50\xbd\xf5"
  3284. "\x22\xd2\xab\xfd\xaf\xd7\x17\x23\x61\x6a\x34\x83\x0f\xbf\xa8\xfc\x81\xe0"
  3285. "\xc2\x63\x9c\xc1\x2f\x36\x3a\x49\x19\xb7\xa0\x0a\xc8\x18\x9d\xad\x3e\x7e"
  3286. "\x54\x12\x2a\x2e\xf4\x30\xf6\x23\x65\x8d\x5e\x28\x1c\x9a\x19\x44\x29\x95"
  3287. "\xbb\x9b\x0e\x3f\x7d\x13\xe3\x01\x6b\x6f\x95\x23\xbe\x19\x6b\xf2\x3b\xbc"
  3288. "\xc5\xec\x80\x2f\x43\xef\x8b\x65\x1d\x68\x8d\x9d\x5a\x44\xf3\x5c\x98\x47"
  3289. "\xe4\xc3\x2b\xce\x3e\x9e\xbe\xd2\x32\x6a\xda\xdc\x76\xf0\x6a\x19\x5d\xb3"
  3290. "\x2c\x80\xb3\x09\x0d\x7c\xd6\x5c\x9d\x85\x18\xba\x4e\x52\x8c\x5e\xb5\xc7"
  3291. "\xa1\xc5\x69\x5b\x21\x59\x5f\xa8\xa8\x62\x17\x34\xbf\xda\x8a\xfd\xdd\x65"
  3292. "\xe1\xf3\x7a\x19\x90\x22\x0a\x00\xfa\x9b\xd2\xc2\x2b\x01\x17\xce\xb0\x8a"
  3293. "\xe6\xaf\x3c\x94\x4c\x2e\xca\x92\x4a\xbf\xdd\xad\x06\x5d\x14\x72\xd0\xc3"
  3294. "\xf7\x42\xa4\x9b\x1e\x78\xc6\x69\x47\x18\x73\x70\x6a\xd1\x57\xd8\x31\xd7"
  3295. "\x48\x2b\x77\x3f\x07\xb0\x67\x3a\x6c\xe1\xe2\x27\xa7\xa4\xd1\x37\x44\xbf"
  3296. "\x45\x94\x34\xc0\xab\x1c\x32\x3a\x38\xb1\xa8\x4c\xbf\x1c\xe9\x74\x1f\x2b"
  3297. "\x8f\xdc\xc2\xe0\x73\xe5\x61\x71\x60\x3d\x03\x5a\xac\xd8\x3e\x71\xd5\x13"
  3298. "\x28\x31\xf4\xf1\xd2\xbf\x51\x79\x79\xf1\x32\xa3\x3f\xd0\x37\x83\x27\x2e"
  3299. "\x9b\x8c\x96\xdf\xa4\xe1\xd3\x20\xa5\x8d\x82\xac\xfc\x8d\x3d\x53\xa5\xa5"
  3300. "\x2d\xaa\xfe\x4d\xc8\xbe\x08\xf4\xad\x53\xe1\x1c\xc2\x13\x74\xb6\xff\x4f"
  3301. "\xf5\xea\x2e\xcc\x5d\x3f\x7c\x05\x7f\x74\xf0\x09\x8e\x57\xd9\x90\x09\x04"
  3302. "\x75\xcd\xaf\xfd\xef\x0d\xa9\x17\x65\x3e\xd1\x0f\xb7\x0b\x94\xb7\x2e\x5b"
  3303. "\x4d\x95\xcb\xea\x0f\xc1\xdd\x25\x79\x63\x5a\xd6\xab\x54\x5b\xa4\xd7\xb6"
  3304. "\xd2\xf5\x44\x2b\xdb\x78\xbe\xb6\xc8\xed\x62\x94\x2a\x43\x91\x17\x02\x5b"
  3305. "\x45\x66\xb4\x8d\x9f\x3a\x17\xfd\xf4\x57\x7e\x86\x06\xa4\xbc\x4c\x26\x55"
  3306. "\x7e\x58\x31\x2f\xd2\xd1\xa5\x41\xeb\xec\x3e\x5a\xe2\x8e\xef\x8b\x2a\xb0"
  3307. "\x59\x70\x83\x71\x6d\xd1\x28\x89\x33\x55\x70\xee\x78\x39\x53\x0e\xee\x87"
  3308. "\x9d\x9b\x13\x76\x06\xcd\x4d\xd7\x10\x39\x91\x67\x1b\x44\x64\xbb\x68\x52"
  3309. "\x9e\xb1\x9f\xb7\xa8\x84\x5e\x34\x91\xbf\xba\xc6\x88\xa8\x7c\xf0\x74\x4f"
  3310. "\x42\x9e\xa1\x12\x01\x44\x02\x91\x5c\x4c\x1f\x6b\xae\x08\xd6\x89\xd3\xcb"
  3311. "\x7d\x64\x1d\x7b\xef\xe8\xfc\x74\xa2\x24\x23\x10\xa9\xa3\x67\xa3\x95\x31"
  3312. "\xb4\xc8\x6d\xa5\xb3\x9d\xf5\x24\xe5\x2f\x33\xff\x9c\x40\xb4\x8c\xb1\x96"
  3313. "\xff\xc9\xca\x85\x5b\x6e\x69\x8a\xde\x8a\x83\xe5\x2b\x9d\xdc\x50\x31\xff"
  3314. "\x09\xe1\x90\x7e\x4f\x8b\x0d\x07\xe6\x4e\x1f\xb8\xe4\x27\xf8\x81\x9a\x7b"
  3315. "\xe9\x07\xaa\x21\x6b\xf8\xe2\xa4\xc7\xcc\x87\xed\x53\xbf\x94\x90\xd4\xcc"
  3316. "\x78\x8b\x91\xf3\xb9\xf7\x05\xe9\x84\xa7\xe6\x2c\x7a\x49\x5e\x84\x21\xb9"
  3317. "\x7c\x39\xdc\x95\x4b\x35\x46\x8f\x17\xc6\x68\x23\x34\xf4\xe1\x63\x08\x44"
  3318. "\x8f\x45\x7f\xae\xff\xff\x6d\x1f\x81\x85\x22\xfa\x44\x1d\x3a\x48\x16\x8b"
  3319. "\xdb\x12\xff\xeb\xac\xe4\x36\xa3\x91\x5b\x63\x07\x6c\xb6\xa6\x55\x71\x86"
  3320. "\x47\xf8\x7e\xaa\xf3\x13\xb5\xbb\xd4\x30\x42\x1e\xed\x3a\x22\x15\xe4\x39"
  3321. "\x60\x0a\x56\xea\xc8\xc6\x52\x91\xeb\x10\x33\x26\xa8\x03\x46\x62\xbd\x33"
  3322. "\x7a\xb5\x15\x77\xd9\x11\x0e\xc7\x15\x1b\xe5\xcc\x9c\x54\xb2\xa3\x08\x91"
  3323. "\xac\xac\x5a\xd0\x06\xed\x53\x7d\xbe\xb8\xf1\x6e\xec\xbd\xe7\xcf\x4e\x71"
  3324. "\x37\x3f\xaf\x3c\x36\xb7\x72\xf6\xd7\xea\x93\x46\x87\x5c\x8c\xf1\x04\x9d"
  3325. "\x49\xd4\xf8\xeb\x01\xb9\x46\xc1\x1e\x8c\x8e\x3a\xb2\x01\x5f\x28\x21\x67"
  3326. "\xac\xdd\xcc\x77\xff\xf0\x3e\x1b\xe9\x13\x42\x52\xaf\x0a\xbf\xe5\x38\xb4"
  3327. "\xd2\x5f\xc4\xff\x87\x4b\x52\xb9\xfb\x09\x96\xb5\xf3\x2b\x41\x41\xdb\xd3"
  3328. "\x05\x78\xff\x46\xe1\x3e\xf6\xc6\x3f\xc1\x62\x0f\x62\xcb\x11\xa3\xdc\xe4"
  3329. "\x01\x99\x39\x76\xc2\x72\xa5\xf6\x2f\xde\x3f\x2a\x0e\x65\x4d\x19\xe7\xa3"
  3330. "\x9d\xcd\xb6\x22\xb9\x52\x6d\x2a\x15\xcc\x18\xe6\xf8\x17\xc9\x16\xa0\x07"
  3331. "\x75\x35\x3d\xd9\xc8\x95\x4e\x66\xd0\x44\x5b\x59\xbb\x0f\x5e\x6e\x3b\x46"
  3332. "\x44\x72\x32\xf5\x2a\x0e\x39\x8b\x05\x7d\x12\x3e\xf5\x03\xaf\xcb\xd4\x85"
  3333. "\x44\xdb\x64\x34\xd2\x02\x5b\xfc\x8d\xab\x72\x26\x2a\x4f\xa5\x42\x6a\x03"
  3334. "\x06\x1e\x7f\x89\x66\xe0\x08\x6f\xf8\xab\x5a\x91\xab\x59\xf1\x9b\x83\x03"
  3335. "\x94\xee\x8b\xc7\x6d\x6f\xb4\x81\x6b\x8f\x4c\xde\x35\xb7\xeb\x9d\x38\x11"
  3336. "\x22\x8d\x51\xc5\x48\x28\xf9\x7f\xd1\xe6\x48\x19\x6c\x81\xbc\x73\xed\x56"
  3337. "\x24\x9a\x59\xf3\x18\x70\x4e\x84\x65\x6a\x6c\xed\xd2\xb8\xc1\xe1\x80\x8d"
  3338. "\x1c\xc6\x48\x74\x9a\xbc\x64\x31\x31\xe4\x94\xc0\x13\x36\xd4\xa1\x4b\x86"
  3339. "\x09\x65\x6f\x2c\x97\x2d\xc2\x3c\x5c\x2e\x43\xfe\x40\x11\x9f\xb8\x8b\x5e"
  3340. "\xc2\xaa\xde\x35\xc0\x36\x46\xe3\x47\x35\x4c\x49\x3d\xe8\xab\x36\x72\xcc"
  3341. "\xf9\x4a\xf0\xdf\x33\x3c\x66\x78\x29\x91\x29\xd7\x9b\xe0\xee\xc2\x81\xc5"
  3342. "\xb3\x85\xca\x3a\xe1\x47\x5c\xd8\x3f\x0d\xbf\x10\xf7\x82\xe3\x5b\x06\x8c"
  3343. "\xe3\x99\x55\x66\xa3\x90\xb6\x74\x63\x5b\x35\x66\x92\xe3\xe9\xc5\x3a\x08"
  3344. "\x96\x38\xba\x0d\x69\xe7\x72\xb7\xb4\x10\xa5\xae\x03\xde\x12\xe7\xde\x75"
  3345. "\x5e\xe5\x59\xe1\x70\x7b\x7b\x80\x03\xaa\xbc\x8e\x2c\xe0\x3c\x01\xe3\x18"
  3346. "\x3f\xf2\xd9\x32\x62\xf6\xd5\xce\xaa\xfe\xcd\xae\x66\xbc\x7c\xb3\x95\x2c"
  3347. "\x5a\x65\x71\xd8\x64\xd5\x02\xf2\x81\xdb\x5a\x22\x86\x95\xba\xdc\xa5\xd0"
  3348. "\x22\xfd\xb6\xda\x56\xab\x15\xdc\x37\x7d\x1c\x1f\x85\x81\xff\x56\xe2\x8c"
  3349. "\x2b\x2a\x84\xed\xb6\x29\x54\x7d\x28\x27\x5c\x2e\xd5\x71\x10\x3b\x4c\xa7"
  3350. "\xcd\xeb\x07\x76\xba\x9f\x9d\xff\xcd\x78\xd2\x1c\x3d\x4c\xaa\x92\x89\xed"
  3351. "\x19\x96\x72\xf4\xe7\xb9\x12\x06\x8c\x49\xc8\x17\x11\x4c\x37\xd3\x7e\xa0"
  3352. "\x39\x54\xba\xe8\x7d\x1d\xda\xe3\xda\x2a\xd8\x5f\xeb\x2f\xbb\x73\x5b\x75"
  3353. "\xa5\x1f\x7b\xee\x5c\x8d\x88\xcc\x7b\xf6\x47\x00\xd1\xa4\x6e\xc6\xb6\x31"
  3354. "\xae\x22\xac\x7b\x06\x73\x0a\x86\xa2\x6b\xdc\xb9\x92\xe1\xc7\xb5\x01\x42"
  3355. "\xde\x96\xb1\x4a\x84\x68\xe4\x51\x40\x68\xa3\x08\x96\xfc\x67\x7f\xdd\xef"
  3356. "\xae\xbb\x12\x5c\x69\x3a\x8d\x46\x04\x69\xc7\xfe\x53\x5f\x84\x47\x81\x94"
  3357. "\x0f\x66\xd6\xab\xd0\x91\x19\x1c\x31\x22\xd5\x84\xf5\xb0\xf5\xb0\xd4\x43"
  3358. "\x71\x3d\x7d\x51\x86\x12\x4d\x73\xde\x28\xac\xa3\x0b\x71\x9d\x4a\x55\xe0"
  3359. "\x9d\x25\x9b\xdd\xbf\x16\x99\x5a\xeb\x10\x00\x88\x08\x90\xaf\xbd\x24\xd4"
  3360. "\x06\x6b\x03\x98\x98\x5a\x40\x99\x9d\xe2\x2c\xe1\x76\x34\x8e\x1c\x1f\x57"
  3361. "\xea\xf7\x5b\x92\xa1\xe4\xf1\x48\x2e\x89\xa0\x0a\xc2\xcc\x36\xb2\x0e\x36"
  3362. "\xaf\x9e\xc3\x10\x59\x9c\x19\xa5\xb1\xd6\xf8\xfa\xdb\xa1\x04\xc5\x8c\x80"
  3363. "\x1c\x66\x33\x31\x5f\x82\xeb\xfa\x88\xfa\xdd\xd0\xb6\x93\xe2\xf8\x27\xf5"
  3364. "\x86\xc1\xcc\x55\x38\xe9\x3b\xcf\x10\xf8\x1a\xf6\xdd\x7e\xe7\x27\xdf\x3b"
  3365. "\x50\x18\xc0\xb4\xe3\x1e\x40\xd0\x40\xa4\x75\x03\xb6\xac\xe4\xd2\x9a\x11"
  3366. "\x62\xce\x48\x73\x51\x82\x52\x55\xf5\x58\x4a\xff\x7c\xbd\x42\x1f\x85\xc3"
  3367. "\xd9\xfb\xb3\x78\x4a\xbd\x98\x48\xf1\x60\x28\xb6\x8f\x0d\x32\xed\x8b\xb8"
  3368. "\x01\x06\xe8\xcc\x4a\xcb\x93\x9f\xf8\x8b\xd3\x99\x76\xd1\x66\xb2\xad\xde"
  3369. "\xbf\x62\x8b\x3f\xcd\x05\x6d\xa2\xf6\x0e\x1b\x90\xf7\xa3\x27\x02\x95\x49"
  3370. "\x21\x90\x8e\xbc\xcb\x68\x36\x22\xa1\xf5\x74\xce\xba\x69\x51\xbe\xf5\xe7"
  3371. "\x51\xc3\x38\xc8\x27\x93\x18\xdc\x28\xe3\x6b\x9f\xc2\xbb\x17\xc3\xad\x08"
  3372. "\xac\xeb\x00\xfc\x38\x8e\x6d\xb1\x12\xa7\x38\xf8\x6a\x4a\x1e\xb1\x15\x26"
  3373. "\xe1\xb9\xd7\x32\x50\xb3\x26\x28\x5e\xd4\x7c\x43\x98\xd9\x3a\x39\x33\xd9"
  3374. "\xa7\x84\x24\x9b\x65\xad\x7d\x78\xa1\xf8\x1d\x96\xef\x36\x49\x3e\xd6\x93"
  3375. "\x04\x5a\x21\x50\xa8\xeb\x43\xce\xcc\x0c\x93\xe7\xd2\x0b\x15\xb3\x9a\x06"
  3376. "\x46\xb0\x81\xc2\x92\x3b\x81\x63\x65\xb7\xfb\xb4\x16\x83\xa4\x17\x32\xd9"
  3377. "\x42\xc5\xaa\x12\xfa\xf8\x76\xec\x7f\x03\x6b\xec\xde\x8f\x32\x95\xaf\x6d"
  3378. "\xac\xff\x38\xd0\x76\xd8\xe0\x62\x60\xfe\xe1\x67\x70\x3b\xb6\x10\x74\x53"
  3379. "\x74\xa2\x75\x8a\x6b\x88\xe4\x65\xca\x77\xd1\xf3\x10\x5a\xe8\xb6\xb0\x4a"
  3380. "\x1e\xb5\x09\xfb\x17\x8d\x62\x49\xdb\xbc\x84\xd5\xd1\xd0\x69\x27\x84\x49"
  3381. "\xa8\x9d\x03\xe4\xa9\xa3\x95\xd8\x17\x0c\x32\x9a\x29\x6c\xfc\x32\x97\x98"
  3382. "\xcb\x9b\x9f\x10\x78\xd0\x98\xcf\x3f\x98\x9f\xd4\xec\x53\xe0\x13\xfb\xe9"
  3383. "\x17\xdf\x35\x29\x2d\x44\xfb\x1f\x3d\xa4\xda\x44\x32\xa1\x84\x7d\x47\x21"
  3384. "\x51\x4a\xde\x8c\xda\x5e\x5c\x0b\x51\x18\x35\x80\xfc\x35\x26\x6a\x97\x0e"
  3385. "\xbb\xa7\x4f\xae\xda\x56\xd4\xdc\xb5\x6d\xf5\x1f\x96\xad\x23\x74\x52\xce"
  3386. "\xdb\xd0\xcb\x2b\xee\x11\x27\x13\xc3\xd4\x50\x83\x58\x11\xbf\x3d\xa9\x74"
  3387. "\x51\x36\xd4\x28\xe1\x48\xfd\x09\x32\xdc\x77\xc8\xd8\xe6\x1a\x16\xc6\x25"
  3388. "\x24\x1f\xad\x84\x25\xb4\xec\xe3\x94\xee\xdd\x5f\x16\x5b\xd9\x49\x23\xbf"
  3389. "\xa1\x17\x2b\xe8\xed\xc8\xa4\xfc\xaa\xe5\xf7\x7e\xe8\xcc\x51\x01\x92\xb2"
  3390. "\x79\x64\xda\x09\xc3\xe8\x4e\xfb\x4b\xc7\x15\x4d\xa1\xa2\x4d\xa8\xb7\xe5"
  3391. "\x44\xb4\x22\x78\xd2\x57\x46\x87\xec\x76\x14\x3a\xfa\x6c\xf1\x93\xd5\x2a"
  3392. "\x2a\x7f\x4c\x20\xee\x57\xb6\x05\x6a\x13\x37\xd5\xe4\x08\x11\x7a\x6c\xf1"
  3393. "\xab\x49\xc8\x98\x0f\x39\x59\x7f\x69\x90\x20\x85\xd3\xe8\xd3\x74\xd4\x4e"
  3394. "\x6a\xb4\xed\x11\x85\xa2\x6b\xe2\xbc\x72\x81\xe9\xcf\xbb\xeb\x6b\xed\x89"
  3395. "\x9a\xa1\x92\x4d\x3f\xaa\x06\xd9\x59\x99\xfb\xea\xf2\x33\x74\x94\xe0\xc2"
  3396. "\xc3\x9e\xef\x5a\x73\xfc\xde\x84\x45\x9a\x9e\xa4\x8d\x4e\x01\x5d\x9e\x5b"
  3397. "\xb5\x83\x93\x54\x96\x7c\xe0\x2f\x63\x7b\xc8\x67\x8d\x25\x95\xb9\xa9\x18"
  3398. "\xfc\x36\xb9\x27\xd7\x50\x1f\x0a\xc2\xe3\x47\x1c\xe0\x2b\x5d\xf3\x55\x68"
  3399. "\x9c\x87\xf1\x91\xef\x53\x90\x90\x0a\x41\xde\xec\x29\x98\x4e\x45\xa8\x78"
  3400. "\xec\xe9\x64\xb0\x00\x9a\xad\x56\x13\x16\xfc\x3b\x30\xce\x1b\x49\x26\x6d"
  3401. "\x32\xeb\x17\xcd\x30\xf3\xe1\x7e\x1f\x59\x01\x4e\x8c\x51\x89\x40\xdd\x0a"
  3402. "\x09\x3d\x13\x49\xc1\xa7\xc2\x58\x19\x63\xbb\xe0\xba\x37\x2b\x64\x26\xe8"
  3403. "\x1c\x33\xc7\x1b\x2e\xc8\x14\x1c\x57\x13\xe5\x2a\x37\xff\xf0\xa4\x17\xa5"
  3404. "\xb2\x59\xe1\x42\x0d\x9f\xb6\xa7\x31\xf5\xba\xa0\xcc\x49\x42\x21\x94\x78"
  3405. "\x95\xaa\x8f\xa1\x47\x45\xa9\x86\xa3\x66\xbf\xf9\xd0\xc2\x39\xa1\x9f\x85"
  3406. "\x37\x24\x97\x56\x5b\x5b\x70\x3d\xa1\x64\x39\x01\x9d\xf5\xf3\xd2\x9f\x42"
  3407. "\x47\xfb\x52\x88\x54\xc9\x64\x86\x30\xf0\x3e\x9d\xed\xde\x5a\x08\xa4\x77"
  3408. "\x28\xea\x6a\x4d\x42\xe6\x2e\xff\x6f\xa3\xbd\x40\x23\x25\xe0\xf4\x38\x7b"
  3409. "\x60\x17\x1c\x37\xc1\x80\xf9\x58\xad\x80\x95\x57\x79\xc8\x99\x51\x7e\x7e"
  3410. "\xa7\x6e\xed\x00\x59\x8e\x01\x55\x2e\xaa\xf0\x8b\x72\x3d\xaf\x9d\x46\x6e"
  3411. "\x8c\x57\xaf\x43\xa1\x5a\x46\x52\x8b\x11\x19\xf5\x07\x4a\xa3\xc5\x1f\x77"
  3412. "\x35\x7e\xbe\x15\x82\x75\xbc\x06\xb8\x96\x40\xd7\xce\x3c\x0a\x03\xaf\x01"
  3413. "\x41\x8d\x7d\xc6\xae\x8a\x1b\xe8\xab\x08\xc1\x72\x2d\x66\xd1\xe9\x27\x74"
  3414. "\x80\xb8\xb1\x78\x44\x76\x67\xc0\x24\xf9\xb7\x8f\x8a\x87\x8a\x2d\x7c\xf8"
  3415. "\xe8\x3e\x51\x04\xf6\x96\x4b\x29\x07\xa9\x89\xab\xaf\xc7\xd7\xd0\xdf\x94"
  3416. "\x1a\xbf\x3d\x72\x83\xb6\xa1\x1d\x46\xc2\x91\x1a\x42\x18\x2e\xc2\x7a\xb7"
  3417. "\x85\xd9\x29\x46\xe1\xee\x8e\xf4\x48\x46\xd5\x61\x85\x0d\x2a\x98\xc3\x05"
  3418. "\xc3\x82\xf3\x6d\x4c\xfc\x9b\x2b\xfd\x3b\x86\xef\x21\xa0\xd1\x87\xad\xca"
  3419. "\xfb\xec\x82\x68\xc7\xd6\x62\xa3\x4d\xda\x1c\x83\xc4\x96\x70\x97\x74\x31"
  3420. "\x33\xbc\x8c\x58\x7e\xdf\x24\x9f\x56\x68\xc3\x4d\xdb\x11\x2f\xa4\xeb\x1b"
  3421. "\xea\x9c\x8f\x6a\x00\x0f\x1f\x34\x42\x8b\x54\x68\x8a\x5e\x21\x4a\x79\x19"
  3422. "\x86\x8b\x25\xdb\xe9\x30\xe8\x6a\x24\x3e\xcf\x54\xaf\xe0\xb5\x18\xc6\x47"
  3423. "\xd0\x48\x73\xd2\xcf\x62\xcb\x2a\xb2\x7f\x00\x01\x55\x37\xa4\xfd\x2e\xa3"
  3424. "\xdc\x87\x77\xab\xdf\x32\x84\x62\x23\x47\x01\x65\x66\xda\x0b\x9c\x40\x6c"
  3425. "\xa8\xc4\x06\x94\xe4\x01\x3a\x53\xfb\xf2\xe8\x03\xd5\x1b\x0b\xbe\x5e\x9d"
  3426. "\xf5\xfc\x74\xf6\x6b\xe6\x18\x85\x63\x57\xcc\xf8\x03\xc5\x3e\xd0\xe3\xb3"
  3427. "\xfe\x79\xf6\x9f\x0e\xde\x9b\x56\x5d\x8f\x7a\x8c\xe5\xaa\x8c\xbb\x4e\x8f"
  3428. "\x7f\xd9\xe7\x52\x0c\x2d\x6a\x1c\x45\x06\x54\x98\x92\x5c\x14\xc0\xb3\x11"
  3429. "\x94\x2d\x4e\xd9\x51\xad\x62\x37\xaa\xdb\x54\x05\xbc\x7b\x2d\x79\xe1\xfd"
  3430. "\x29\x5b\x7c\x2e\xd8\xef\xa8\x83\xe4\x4c\x86\xa5\x05\x3e\x2f\x42\x1c\x6d"
  3431. "\x4d\xc0\xc4\x7d\x3a\x05\xd9\x11\xdb\x37\xd6\xef\xdb\x8e\x50\xfb\x3f\x06"
  3432. "\x13\x9a\xc1\x47\xbc\x71\x62\xc2\x1a\xec\xe7\x9e\xaf\x72\xe9\x77\x9f\x19"
  3433. "\xeb\x53\x95\xce\xc3\xd1\x5a\x75\x94\xea\x70\xa6\xb3\x73\xd9\x86\x51\xd2"
  3434. "\x21\x5b\x21\x0f\x03\x7e\xa3\xf8\xa5\x7d\xed\x74\x47\x4f\x6f\xdb\x64\xa0"
  3435. "\x8b\x56\xaf\x52\x16\x8d\xa7\x0b\x30\xae\xe0\x34\x72\xcd\x8b\xee\x5a\xf0"
  3436. "\x4c\xad\x73\x03\x00\x4a\x4a\xba\x46\x4b\x99",
  3437. 3251);
  3438. *(uint64_t*)0x200000001448 = 0xcb3;
  3439. *(uint64_t*)0x200000001598 = 5;
  3440. *(uint64_t*)0x2000000015a0 = 0x200000000fc0;
  3441. *(uint64_t*)0x200000000fc0 = 0x1c;
  3442. *(uint32_t*)0x200000000fc8 = 0;
  3443. *(uint32_t*)0x200000000fcc = 8;
  3444. *(uint32_t*)0x200000000fd0 = 0;
  3445. *(uint32_t*)0x200000000fd4 = htobe32(0);
  3446. *(uint8_t*)0x200000000fd8 = 0xac;
  3447. *(uint8_t*)0x200000000fd9 = 0x14;
  3448. *(uint8_t*)0x200000000fda = 0x14;
  3449. *(uint8_t*)0x200000000fdb = 0x42;
  3450. *(uint64_t*)0x2000000015a8 = 0x20;
  3451. *(uint32_t*)0x2000000015b0 = 0;
  3452. syscall(__NR_sendmsg, /*fd=*/r[39], /*msg=*/0x200000001580ul, /*f=*/0ul);
  3453. memcpy((void*)0x200000000100, "/proc/thread-self/attr/sockcreate\000", 34);
  3454. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  3455. /*file=*/0x200000000100ul, /*flags=*/2, /*mode=*/0);
  3456. if (res != -1)
  3457. r[41] = res;
  3458. memcpy((void*)0x200000000000, "system_u:object_r:clock_device_t:s0\000", 36);
  3459. syscall(__NR_write, /*fd=*/r[41], /*data=*/0x200000000000ul, /*len=*/0x24ul);
  3460. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=SOCK_DGRAM*/ 2ul,
  3461. /*proto=*/0);
  3462. if (res != -1)
  3463. r[42] = res;
  3464. *(uint32_t*)0x2000000000c0 = 0;
  3465. syscall(__NR_getsockname, /*fd=*/r[42], /*addr=*/0ul,
  3466. /*addrlen=*/0x2000000000c0ul);
  3467. *(uint64_t*)0x200000001140 = 0;
  3468. *(uint32_t*)0x200000001148 = 0;
  3469. *(uint64_t*)0x200000001150 = 0x200000001040;
  3470. *(uint64_t*)0x200000001040 = 0x2000000015c0;
  3471. *(uint64_t*)0x200000001048 = 0x7ffff000;
  3472. *(uint64_t*)0x200000001158 = 1;
  3473. *(uint64_t*)0x200000001160 = 0;
  3474. *(uint64_t*)0x200000001168 = 0;
  3475. *(uint32_t*)0x200000001170 = 0;
  3476. syscall(__NR_recvmsg, /*fd=*/r[40], /*msg=*/0x200000001140ul,
  3477. /*f=MSG_WAITALL|MSG_CMSG_CLOEXEC*/ 0x40000100ul, 0);
  3478. memcpy((void*)0x200000000140, "syzkaller1\000\000\000\000\000\000", 16);
  3479. *(uint16_t*)0x200000000150 = 7;
  3480. *(uint16_t*)0x200000000152 = htobe16(0);
  3481. *(uint32_t*)0x200000000154 = htobe32(0);
  3482. syscall(__NR_ioctl, /*fd=*/r[37], /*cmd=*/0x8914, /*arg=*/0x200000000140ul);
  3483. memcpy((void*)0x200000000000, "comm\000", 5);
  3484. res = -1;
  3485. res = syz_open_procfs(/*pid=*/0, /*file=*/0x200000000000);
  3486. if (res != -1)
  3487. r[43] = res;
  3488. *(uint64_t*)0x200000000440 = 0x200000000340;
  3489. *(uint64_t*)0x200000000448 = 0x63;
  3490. syscall(__NR_preadv, /*fd=*/r[43], /*vec=*/0x200000000440ul, /*vlen=*/1ul,
  3491. /*off_low=*/0x7cb16791, /*off_high=*/0);
  3492. memcpy((void*)0x200000000140, "net/tcp6\000", 9);
  3493. res = -1;
  3494. res = syz_open_procfs(/*pid=*/0, /*file=*/0x200000000140);
  3495. if (res != -1)
  3496. r[44] = res;
  3497. syscall(__NR_read, /*fd=*/r[44], /*buf=*/0x200000000100ul, /*count=*/0xdul);
  3498. *(uint8_t*)0x200000000040 = 0;
  3499. syscall(__NR_prctl, /*option=*/0x3bul, /*mode=*/1ul, /*offset=*/0ul,
  3500. /*len=*/0ul, /*selector=*/0x200000000040ul);
  3501. for (int i = 0; i < 64; i++) {
  3502. syscall(__NR_prctl, /*option=*/0x3bul, /*mode=*/1ul, /*offset=*/0ul,
  3503. /*len=*/0ul, /*selector=*/0x200000000040ul);
  3504. }
  3505. syscall(__NR_eventfd2, /*initval=*/0, /*flags=*/0ul);
  3506. for (int i = 0; i < 64; i++) {
  3507. syscall(__NR_eventfd2, /*initval=*/0, /*flags=*/0ul);
  3508. }
  3509. syscall(__NR_pidfd_send_signal, /*fd=*/-1, /*sig=*/0, /*info=*/0ul,
  3510. /*flags=*/3ul);
  3511. res = syscall(__NR_getpgrp, /*pid=*/-1);
  3512. if (res != -1)
  3513. r[45] = res;
  3514. syz_pidfd_open(/*pid=*/r[45], /*flags=*/0);
  3515. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x10);
  3516. if (res != -1)
  3517. r[46] = res;
  3518. memcpy((void*)0x200000000100, "nl80211\000", 8);
  3519. res = -1;
  3520. res = syz_genetlink_get_family_id(/*name=*/0x200000000100, /*fd=*/-1);
  3521. if (res != -1)
  3522. r[47] = res;
  3523. *(uint64_t*)0x200000000000 = 0;
  3524. *(uint32_t*)0x200000000008 = 0;
  3525. *(uint64_t*)0x200000000010 = 0x200000000300;
  3526. *(uint64_t*)0x200000000300 = 0x200000000480;
  3527. *(uint32_t*)0x200000000480 = 0x24;
  3528. *(uint16_t*)0x200000000484 = r[47];
  3529. *(uint16_t*)0x200000000486 = 0x338b;
  3530. *(uint32_t*)0x200000000488 = 0;
  3531. *(uint32_t*)0x20000000048c = 0;
  3532. *(uint8_t*)0x200000000490 = 0x15;
  3533. *(uint8_t*)0x200000000491 = 0;
  3534. *(uint16_t*)0x200000000492 = 0;
  3535. *(uint16_t*)0x200000000494 = 0x10;
  3536. STORE_BY_BITMASK(uint16_t, , 0x200000000496, 0x11d, 0, 14);
  3537. STORE_BY_BITMASK(uint16_t, , 0x200000000497, 0, 6, 1);
  3538. STORE_BY_BITMASK(uint16_t, , 0x200000000497, 1, 7, 1);
  3539. *(uint16_t*)0x200000000498 = 0xc;
  3540. STORE_BY_BITMASK(uint16_t, , 0x20000000049a, 0, 0, 14);
  3541. STORE_BY_BITMASK(uint16_t, , 0x20000000049b, 0, 6, 1);
  3542. STORE_BY_BITMASK(uint16_t, , 0x20000000049b, 1, 7, 1);
  3543. *(uint16_t*)0x20000000049c = 8;
  3544. STORE_BY_BITMASK(uint16_t, , 0x20000000049e, 0xd, 0, 14);
  3545. STORE_BY_BITMASK(uint16_t, , 0x20000000049f, 0, 6, 1);
  3546. STORE_BY_BITMASK(uint16_t, , 0x20000000049f, 1, 7, 1);
  3547. *(uint16_t*)0x2000000004a0 = 4;
  3548. STORE_BY_BITMASK(uint16_t, , 0x2000000004a2, 0, 0, 14);
  3549. STORE_BY_BITMASK(uint16_t, , 0x2000000004a3, 0, 6, 1);
  3550. STORE_BY_BITMASK(uint16_t, , 0x2000000004a3, 1, 7, 1);
  3551. *(uint64_t*)0x200000000308 = 0x24;
  3552. *(uint64_t*)0x200000000018 = 1;
  3553. *(uint64_t*)0x200000000020 = 0;
  3554. *(uint64_t*)0x200000000028 = 0;
  3555. *(uint32_t*)0x200000000030 = 0;
  3556. syscall(__NR_sendmsg, /*fd=*/r[46], /*msg=*/0x200000000000ul, /*f=*/0ul);
  3557. for (int i = 0; i < 32; i++) {
  3558. syscall(__NR_sendmsg, /*fd=*/r[46], /*msg=*/0x200000000000ul, /*f=*/0ul);
  3559. }
  3560. syscall(__NR_unshare, /*flags=*/0ul);
  3561. for (int i = 0; i < 32; i++) {
  3562. syscall(__NR_unshare, /*flags=*/0ul);
  3563. }
  3564. syscall(__NR_mlock, /*addr=*/0x200000ffd000ul, /*size=*/0x3000ul);
  3565. *(uint64_t*)0x2000000000c0 = 2;
  3566. syscall(__NR_mbind, /*addr=*/0x200000ffc000ul, /*len=*/0x4000ul,
  3567. /*mode=MPOL_F_RELATIVE_NODES|MPOL_BIND|0x4*/ 0x4006ul,
  3568. /*nodemask=*/0x2000000000c0ul, /*maxnode=*/3ul,
  3569. /*flags=MPOL_MF_MOVE*/ 2ul);
  3570. *(uint16_t*)0x200000000180 = 5;
  3571. *(uint64_t*)0x200000000188 = 0x200000000080;
  3572. *(uint16_t*)0x200000000080 = 8;
  3573. *(uint8_t*)0x200000000082 = 0;
  3574. *(uint8_t*)0x200000000083 = 4;
  3575. *(uint32_t*)0x200000000084 = 7;
  3576. *(uint16_t*)0x200000000088 = 0xffbe;
  3577. *(uint8_t*)0x20000000008a = 0xb;
  3578. *(uint8_t*)0x20000000008b = 7;
  3579. *(uint32_t*)0x20000000008c = 8;
  3580. *(uint16_t*)0x200000000090 = 0;
  3581. *(uint8_t*)0x200000000092 = 8;
  3582. *(uint8_t*)0x200000000093 = 1;
  3583. *(uint32_t*)0x200000000094 = 3;
  3584. *(uint16_t*)0x200000000098 = 0x101;
  3585. *(uint8_t*)0x20000000009a = 8;
  3586. *(uint8_t*)0x20000000009b = 4;
  3587. *(uint32_t*)0x20000000009c = 0x9ec3;
  3588. *(uint16_t*)0x2000000000a0 = 1;
  3589. *(uint8_t*)0x2000000000a2 = 9;
  3590. *(uint8_t*)0x2000000000a3 = 0;
  3591. *(uint32_t*)0x2000000000a4 = 1;
  3592. syscall(__NR_seccomp, /*op=*/1ul,
  3593. /*flags=SECCOMP_FILTER_FLAG_SPEC_ALLOW_LISTENER*/ 0xcul,
  3594. /*arg=*/0x200000000180ul);
  3595. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/3ul, /*proto=*/2);
  3596. if (res != -1)
  3597. r[48] = res;
  3598. *(uint32_t*)0x200000000040 = 0x10;
  3599. syscall(__NR_accept, /*fd=*/r[48], /*peer=*/0x200000000000ul,
  3600. /*peerlen=*/0x200000000040ul);
  3601. memcpy((void*)0x2000000000c0, "ext4\000", 5);
  3602. memcpy((void*)0x200000000000, "./file0\000", 8);
  3603. memcpy((void*)0x2000000002c0, "debug", 5);
  3604. *(uint8_t*)0x2000000002c5 = 0x2c;
  3605. memcpy((void*)0x2000000002c6, "init_itable", 11);
  3606. *(uint8_t*)0x2000000002d1 = 0x3d;
  3607. sprintf((char*)0x2000000002d2, "0x%016llx", (long long)0x9d);
  3608. *(uint8_t*)0x2000000002e4 = 0x2c;
  3609. memcpy((void*)0x2000000002e5, "jqfmt=vfsv1", 11);
  3610. *(uint8_t*)0x2000000002f0 = 0x2c;
  3611. memcpy((void*)0x2000000002f1, "nobarrier", 9);
  3612. *(uint8_t*)0x2000000002fa = 0x2c;
  3613. memcpy((void*)0x2000000002fb, "grpquota", 8);
  3614. *(uint8_t*)0x200000000303 = 0x2c;
  3615. memcpy((void*)0x200000000304, "journal_ioprio", 14);
  3616. *(uint8_t*)0x200000000312 = 0x3d;
  3617. sprintf((char*)0x200000000313, "0x%016llx", (long long)5);
  3618. *(uint8_t*)0x200000000325 = 0x2c;
  3619. memcpy((void*)0x200000000326, "noinit_itable", 13);
  3620. *(uint8_t*)0x200000000333 = 0x2c;
  3621. *(uint8_t*)0x200000000334 = 0;
  3622. memcpy(
  3623. (void*)0x200000001500,
  3624. "\x78\x9c\xec\xdd\xcf\x6f\x23\x57\x1d\x00\xf0\xef\x38\x89\xe3\xa4\x69\x93"
  3625. "\x96\x1e\x00\x41\xbb\x94\xc2\x82\x56\xeb\x24\xde\x36\xaa\x7a\x80\x72\x42"
  3626. "\x08\x55\x42\xf4\x08\xd2\x36\x38\xde\x28\x8a\x1d\x47\xb1\x53\x9a\x90\x43"
  3627. "\xf6\x7f\x40\xa2\x12\x27\x38\xf2\x07\x70\xee\x89\x3b\x17\x04\x37\x2e\xe5"
  3628. "\x80\xc4\x8f\x08\xb4\x59\x89\x83\xd1\x8c\x27\xbb\xde\x6c\x9c\xa4\x89\x37"
  3629. "\x5e\xc5\x9f\x8f\x34\x9a\x79\xf3\x26\xf3\x7d\x6f\xa3\x79\x6f\xfd\xb5\x32"
  3630. "\x2f\x80\x91\x75\x23\x22\xf6\x23\xa2\x18\x11\x1f\x46\xc4\x6c\x7e\x3e\xc9"
  3631. "\xb7\x78\xaf\xbb\xa5\xd7\x3d\x38\xd8\xab\x1e\x1e\xec\x55\x93\xe8\x74\x3e"
  3632. "\xf8\x57\x92\xd5\xa7\xe7\xa2\xe7\x67\x52\x2f\xe4\xf7\x2c\x45\xc4\x8f\xbf"
  3633. "\x1f\xf1\xb3\xe4\xe9\xb8\xad\x9d\xdd\xf5\xe5\x7a\xbd\xb6\x95\x97\xe7\xdb"
  3634. "\x8d\xcd\xf9\xd6\xce\xee\xed\xb5\xc6\xf2\x6a\x6d\xb5\xb6\x51\xa9\x2c\x2d"
  3635. "\x2e\x2d\xbc\x73\xe7\xed\xca\xc0\xfa\xfa\x7a\xa3\x98\x1f\x7d\xf5\xb3\x3f"
  3636. "\xee\x7f\xfb\x17\x69\xb3\x66\xf2\x33\xbd\xfd\xe8\x9a\x1c\x48\xcc\x6e\xd7"
  3637. "\x27\x1e\xc5\x49\x8d\x47\xc4\x0f\x07\x72\xf7\xe1\x1b\xcb\xfb\x53\x1c\x76"
  3638. "\x43\xb8\x90\x42\x44\xbc\x12\x11\x6f\x64\xcf\xff\x6c\x8c\x65\xbf\x4d\x00"
  3639. "\xe0\x3a\xeb\x74\x66\xa3\x33\xdb\x5b\x06\x00\xae\xbb\x42\x96\x03\x4b\x0a"
  3640. "\xe5\x3c\x17\x30\x13\x85\x42\xb9\xdc\xcd\xe1\xbd\x1a\xd3\x85\x7a\xb3\xd5"
  3641. "\xbe\x75\xaf\xb9\xbd\xb1\xd2\xcd\x95\xcd\xc5\x44\xe1\xde\x5a\xbd\xb6\x90"
  3642. "\xe7\x0a\xe7\x62\x22\x49\xcb\x8b\xd9\xf1\xe3\x72\xe5\x58\xf9\x4e\x44\xbc"
  3643. "\x1c\x11\xbf\x9c\x9c\xca\xca\xe5\x6a\xb3\xbe\x32\xcc\xff\xf8\x00\xc0\x08"
  3644. "\x7b\xe1\xd8\xfc\xff\xdf\xc9\xee\xfc\x0f\x00\x5c\x73\xa5\x61\x37\x00\x00"
  3645. "\xb8\x72\xe6\x7f\x00\x18\x3d\xe6\x7f\x00\x18\x3d\xe6\x7f\x00\x18\x3d\xe6"
  3646. "\x7f\x00\x18\x3d\xe6\x7f\x00\x18\x3d\xe6\x7f\x00\x18\x29\x3f\x7a\xff\xfd"
  3647. "\x74\xeb\x1c\xe6\xef\xbf\x5e\xf9\x68\x67\x7b\xbd\xf9\xd1\xed\x95\x5a\x6b"
  3648. "\xbd\xdc\xd8\xae\x96\xab\xcd\xad\xcd\xf2\x6a\xb3\xb9\x9a\xbd\xb3\xa7\x71"
  3649. "\xd6\xfd\xea\xcd\xe6\xe6\xe2\x5b\xb1\xfd\xf1\xdc\x77\x36\x5b\xed\xf9\xd6"
  3650. "\xce\xee\xdd\x46\x73\x7b\xa3\x7d\x37\x7b\xaf\xf7\xdd\xda\xc4\x95\xf4\x0a"
  3651. "\x00\x38\xcd\xcb\xaf\x7f\xfa\x97\x24\x22\xf6\xdf\x9d\xca\xb6\xe8\x59\xcb"
  3652. "\xc1\x5c\x0d\xd7\x5b\x61\xd8\x0d\x00\x86\x66\x6c\xd8\x0d\x00\x86\xe6\x82"
  3653. "\xab\x7d\xdd\x1f\x74\x3b\x80\xab\x77\x89\xcf\xf8\xd2\x03\x70\x4d\x9c\xb0"
  3654. "\x44\xef\x13\x4a\x11\x31\x75\xfc\x64\xa7\xd3\xe9\x3c\xbb\x26\x01\xcf\xd8"
  3655. "\xcd\x2f\xc9\xff\xc3\xa8\x92\xff\x87\xd1\x25\xff\x0f\xa3\xeb\x82\xf9\x7f"
  3656. "\xe0\x1a\xe8\x74\x92\xf3\xae\xf9\x1f\xe7\xbd\x10\x00\x78\xbe\xc9\xf1\x03"
  3657. "\x7d\xbe\xff\x7f\x25\xdf\xff\x2e\x7f\x45\xc8\x4f\x57\x8e\x5f\xf1\xc9\xb3"
  3658. "\x6c\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3659. "\x00\x00\x00\x00\x00\x00\x00\x00\x3c\xdf\x8e\xd6\xff\x2d\xe7\x6b\x81\xcf"
  3660. "\x44\xa1\x50\x2e\x47\xbc\x18\x11\x73\x31\x91\xdc\x5b\xab\xd7\x16\x22\xe2"
  3661. "\xa5\x88\xf8\xf3\xe4\xc4\x64\x5a\x5e\x1c\x72\x9b\x01\x80\xcb\x2a\xfc\x3d"
  3662. "\xc9\xd7\xff\xba\x39\xfb\xe6\xcc\xf1\xda\x62\xf2\x70\x32\xdb\x47\xc4\xcf"
  3663. "\x7f\xfd\xc1\xaf\x3e\x5e\x6e\xb7\xb7\xfe\x94\x9e\xff\xf7\xa3\xf3\xed\x4f"
  3664. "\xf2\xf3\x95\x61\xb4\x1f\x00\x38\xcb\xd1\x3c\x9d\xed\x7b\x3e\xc8\x3f\x38"
  3665. "\xd8\xab\xe6\x5b\xf1\x2a\xdb\xf3\x8f\xef\x45\x44\xa9\x1b\xff\xf0\xa0\x18"
  3666. "\x87\x07\x7b\xd5\x6e\xcd\x78\x8c\x67\xfb\x52\x4c\x44\xc4\xf4\x7f\x92\xbc"
  3667. "\xdc\x95\xf4\xe4\x2e\x2e\x63\xff\x7e\x44\x7c\xf1\x89\xfe\x57\x8f\x22\xcc"
  3668. "\x64\x39\x90\xee\xca\xa7\xc7\xe3\xa7\xb1\x5f\x1c\x5c\xfc\xd7\x22\xe2\x8c"
  3669. "\xf8\x85\x27\xe2\x17\xb2\xba\xee\x3e\xfd\xb7\xf8\xc2\x00\xda\x02\xa3\xe6"
  3670. "\xd3\x74\xfc\x79\x2f\xe2\x41\xf1\xf8\xf3\x5f\x88\x1b\xd9\xfe\xe4\xe7\xbf"
  3671. "\x94\x8d\x50\x97\x97\x8f\x7f\xe9\xad\xaa\x87\xd9\x18\xf8\x38\xfe\xd1\xf8"
  3672. "\x37\xd6\x67\xfc\xbb\x71\xde\x18\x6f\xfd\xe1\x07\xdd\xa3\xa9\xa7\xeb\xee"
  3673. "\x47\x7c\x79\x3c\xe2\x28\xf6\x61\xcf\xf8\x73\x14\x3f\xe9\x13\xff\xcd\x73"
  3674. "\xc6\xff\xeb\x57\x5e\x7b\xa3\x5f\x5d\xe7\x37\x11\x37\xe3\xe4\xf8\xbd\xb1"
  3675. "\xe6\xdb\x8d\xcd\xf9\xd6\xce\xee\xed\xb5\xc6\xf2\x6a\x6d\xb5\xb6\x51\xa9"
  3676. "\x2c\x2d\x2e\x2d\xbc\x73\xe7\xed\xca\x7c\x96\xa3\x9e\xef\x3f\x1b\xfc\xf3"
  3677. "\xdd\x5b\x2f\xf5\xab\x4b\xfb\x3f\xdd\x27\x7e\x69\xf2\xf4\xfe\x7f\xe3\x9c"
  3678. "\xfd\xff\xed\xff\x3e\xfc\xc9\xd7\x4e\x89\xff\xad\xaf\x9f\x14\xbf\x10\xaf"
  3679. "\x46\xff\xf8\xe9\x9c\xf8\xcd\x73\xc6\x5f\x9e\xfe\x7d\xa9\x5f\x5d\x1a\x7f"
  3680. "\xa5\x4f\xff\xcf\xfa\xfd\xdf\x3a\x67\xfc\xcf\xfe\xb6\xfb\xd4\xb2\xe1\x00"
  3681. "\xc0\xf0\xb4\x76\x76\xd7\x97\xeb\xf5\xda\x96\x03\x07\x0e\x2e\x73\xf0\xdd"
  3682. "\xab\x8a\x55\x8c\xcf\xf5\x53\x9d\xce\x85\x62\xf5\x1b\x31\x06\x91\x75\x03"
  3683. "\x9e\x07\x8f\x1e\xfa\x88\x78\x78\xfa\xa5\x57\xfa\xbd\x00\x00\x00\x00\x00"
  3684. "\x00\x00\x00\x00\x00\x00\x00\xf0\xd8\xe0\xff\x3e\x29\x49\x92\xfd\xee\xbd"
  3685. "\x77\xd7\x93\x61\x77\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3686. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3687. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3688. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3689. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3690. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3691. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3692. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3693. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3694. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x6b\xee\xff\x01\x00\x00"
  3695. "\xff\xff\x80\x1f\xca\x83",
  3696. 1284);
  3697. syz_mount_image(
  3698. /*fs=*/0x2000000000c0, /*dir=*/0x200000000000,
  3699. /*flags=MS_POSIXACL|MS_SYNCHRONOUS|MS_RELATIME|MS_NODIRATIME*/ 0x210810,
  3700. /*opts=*/0x2000000002c0, /*chdir=*/4, /*size=*/0x504,
  3701. /*img=*/0x200000001500);
  3702. memcpy((void*)0x200000000080, "memory.events\000", 14);
  3703. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000080ul,
  3704. /*flags=*/0x275a, /*mode=*/0);
  3705. if (res != -1)
  3706. r[49] = res;
  3707. *(uint32_t*)0x200000000000 = 1;
  3708. *(uint64_t*)0x200000000008 = 1;
  3709. *(uint64_t*)0x200000000010 = 9;
  3710. *(uint64_t*)0x200000000018 = 0;
  3711. *(uint32_t*)0x200000000020 = 0xfffffffd;
  3712. *(uint16_t*)0x200000000024 = 3;
  3713. *(uint16_t*)0x200000000026 = 0;
  3714. syscall(__NR_ioctl, /*fd=*/r[49], /*cmd=*/0x40286608,
  3715. /*arg=*/0x200000000000ul);
  3716. memcpy((void*)0x200000000100, "./file0\000", 8);
  3717. syz_mount_image(/*fs=*/0, /*dir=*/0x200000000100,
  3718. /*flags=MS_SYNCHRONOUS|MS_RELATIME|MS_NOATIME*/ 0x200410,
  3719. /*opts=*/0, /*chdir=*/1, /*size=*/0, /*img=*/0x200000000000);
  3720. res = syscall(__NR_socket, /*domain=*/2ul, /*type=SOCK_DGRAM*/ 2ul,
  3721. /*proto=*/0);
  3722. if (res != -1)
  3723. r[50] = res;
  3724. *(uint32_t*)0x200000000740 = htobe32(0xe0000002);
  3725. *(uint32_t*)0x200000000744 = htobe32(0x7f000001);
  3726. *(uint32_t*)0x200000000748 = 0;
  3727. syscall(__NR_setsockopt, /*fd=*/r[50], /*level=*/0,
  3728. /*optname=IP_ADD_MEMBERSHIP*/ 0x23, /*optval=*/0x200000000740ul,
  3729. /*optlen=*/0xcul);
  3730. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  3731. if (res != -1)
  3732. r[51] = res;
  3733. *(uint64_t*)0x2000000003c0 = 0x200000000180;
  3734. memcpy((void*)0x200000000180,
  3735. "\x39\x00\x00\x00\x13\x00\x03\x47\x00\xbb\x65\xe1\xc3\xe4\xff\xff\x01"
  3736. "\x00\x00\x00\x01\x00\x00\x00\x56\x00\x00\x00\x25\x00\x00\x00\x19\x00"
  3737. "\x04\x00\x04\x00\x00\x00\x07\xfd\x17\xe5\xff\xff\x08\x00\x04\x00\x00"
  3738. "\x00\x00\x00\x00\x00\x00",
  3739. 57);
  3740. *(uint64_t*)0x2000000003c8 = 0x39;
  3741. syscall(__NR_writev, /*fd=*/r[51], /*vec=*/0x2000000003c0ul, /*vlen=*/1ul);
  3742. *(uint64_t*)0x200000000040 = 0x200000000400;
  3743. memcpy((void*)0x200000000400,
  3744. "\x39\x00\x00\x00\x13\x00\x03\x47\x00\xbb\x5b\xe1\xc3\xe4\xfe\xff\x06"
  3745. "\x00\x00\x00\x01\x00\x00\x00\x45\x00\x00\x00\x25\x00\x00\x00\x19\x00"
  3746. "\x04\x00\x04\x00\xad\x00\x02\x00\x00\x00\x00\x00\x00\x06\x04\x00\x00"
  3747. "\x00\x00\x00\xf9\x31\x32",
  3748. 57);
  3749. *(uint64_t*)0x200000000048 = 0x39;
  3750. syscall(__NR_writev, /*fd=*/r[51], /*vec=*/0x200000000040ul, /*vlen=*/1ul);
  3751. *(uint32_t*)0x200000000000 = htobe32(0xe0000002);
  3752. *(uint32_t*)0x200000000004 = htobe32(0x7f000001);
  3753. *(uint32_t*)0x200000000008 = 0;
  3754. *(uint32_t*)0x20000000000c = 1;
  3755. *(uint32_t*)0x200000000010 = htobe32(0xe0000002);
  3756. syscall(__NR_setsockopt, /*fd=*/r[50], /*level=*/0, /*optname=*/0x29,
  3757. /*optval=*/0x200000000000ul, /*optlen=*/0x14ul);
  3758. memcpy((void*)0x200000000080, "./file0\000", 8);
  3759. memcpy((void*)0x200000000140, "binfmt_misc\000", 12);
  3760. syscall(
  3761. __NR_mount, /*src=*/0ul, /*dst=*/0x200000000080ul,
  3762. /*type=*/0x200000000140ul,
  3763. /*flags=MS_LAZYTIME|MS_POSIXACL|MS_STRICTATIME|MS_RELATIME|MS_NODIRATIME*/
  3764. 0x3210800ul, /*data=*/0ul);
  3765. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0x88);
  3766. if (res != -1)
  3767. r[52] = res;
  3768. *(uint32_t*)0x200000000280 = 5;
  3769. res = syscall(__NR_getsockopt, /*fd=*/r[52], /*level=*/1, /*optname=*/0x11,
  3770. /*optval=*/0x200000000240ul, /*optlen=*/0x200000000280ul);
  3771. if (res != -1)
  3772. r[53] = *(uint32_t*)0x200000000244;
  3773. syscall(__NR_setuid, /*uid=*/r[53]);
  3774. memcpy((void*)0x200000000200, "./file0\000", 8);
  3775. syscall(__NR_chdir, /*dir=*/0x200000000200ul);
  3776. memcpy((void*)0x200000000180, "./bus\000", 6);
  3777. syscall(__NR_open, /*file=*/0x200000000180ul,
  3778. /*flags=O_TRUNC|O_SYNC|O_NOATIME|O_LARGEFILE|O_DIRECT|O_CREAT|0x3e*/
  3779. 0x14d27eul, /*mode=*/0ul);
  3780. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  3781. if (res != -1)
  3782. r[54] = res;
  3783. *(uint32_t*)0x200000000640 = 4;
  3784. syscall(__NR_setsockopt, /*fd=*/r[54], /*level=*/0x10e, /*opt=*/0xc,
  3785. /*arg=*/0x200000000640ul, /*arglen=*/4ul);
  3786. *(uint64_t*)0x200000000080 = 0;
  3787. *(uint32_t*)0x200000000088 = 0;
  3788. *(uint64_t*)0x200000000090 = 0x200000000000;
  3789. *(uint64_t*)0x200000000000 = 0x200000000040;
  3790. *(uint32_t*)0x200000000040 = 0x18;
  3791. *(uint16_t*)0x200000000044 = 0x5a;
  3792. *(uint16_t*)0x200000000046 = 0x401;
  3793. *(uint32_t*)0x200000000048 = 0;
  3794. *(uint32_t*)0x20000000004c = 0;
  3795. memcpy((void*)0x200000000050, "\x8d\x47\x45\x7f\x96", 5);
  3796. *(uint64_t*)0x200000000008 = 0x18;
  3797. *(uint64_t*)0x200000000098 = 1;
  3798. *(uint64_t*)0x2000000000a0 = 0;
  3799. *(uint64_t*)0x2000000000a8 = 0;
  3800. *(uint32_t*)0x2000000000b0 = 0;
  3801. syscall(__NR_sendmsg, /*fd=*/r[54], /*msg=*/0x200000000080ul, /*f=*/0ul);
  3802. res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_STREAM*/ 1ul,
  3803. /*proto=*/0, /*fds=*/0x200000000480ul);
  3804. if (res != -1)
  3805. r[55] = *(uint32_t*)0x200000000484;
  3806. syscall(__NR_recvmmsg, /*fd=*/-1, /*mmsg=*/0ul, /*vlen=*/0ul, /*f=*/0ul,
  3807. /*timeout=*/0ul);
  3808. *(uint64_t*)0x200000001140 = 0;
  3809. *(uint32_t*)0x200000001148 = 0;
  3810. *(uint64_t*)0x200000001150 = 0;
  3811. *(uint64_t*)0x200000001158 = 0;
  3812. *(uint64_t*)0x200000001160 = 0;
  3813. *(uint64_t*)0x200000001168 = 0;
  3814. *(uint32_t*)0x200000001170 = 0;
  3815. *(uint32_t*)0x200000001178 = 0;
  3816. syscall(__NR_recvmmsg, /*fd=*/r[55], /*mmsg=*/0x200000001140ul,
  3817. /*vlen=*/0x700ul, /*f=*/0ul, /*timeout=*/0ul);
  3818. memcpy((void*)0x200000000700, "./bus\000", 6);
  3819. syscall(__NR_creat, /*file=*/0x200000000700ul, /*mode=*/0ul);
  3820. memcpy(
  3821. (void*)0x200000000080,
  3822. "\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3823. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02"
  3824. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  3825. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
  3826. 71);
  3827. syscall(__NR_setsockopt, /*fd=*/r[48], /*level=*/0, /*opt=*/0x41,
  3828. /*val=*/0x200000000080ul, /*len=*/0xff57ul);
  3829. res = syscall(__NR_socket, /*domain=*/2ul,
  3830. /*type=SOCK_STREAM|0x4000000000000000*/ 0x4000000000000001ul,
  3831. /*proto=*/0);
  3832. if (res != -1)
  3833. r[56] = res;
  3834. *(uint16_t*)0x200000000480 = 2;
  3835. *(uint16_t*)0x200000000482 = htobe16(0x4e23);
  3836. *(uint32_t*)0x200000000484 = htobe32(0xe0000001);
  3837. syscall(__NR_bind, /*fd=*/r[56], /*addr=*/0x200000000480ul,
  3838. /*addrlen=*/0x10ul);
  3839. *(uint16_t*)0x200000000000 = 2;
  3840. *(uint16_t*)0x200000000002 = htobe16(0x4e23);
  3841. *(uint32_t*)0x200000000004 = htobe32(0x7f000001);
  3842. syscall(
  3843. __NR_sendto, /*fd=*/r[56], /*buf=*/0ul, /*len=*/0ul,
  3844. /*f=MSG_FASTOPEN|MSG_PROBE|MSG_OOB|MSG_EOR|MSG_DONTWAIT|MSG_DONTROUTE|0x728*/
  3845. 0x200007fdul, /*addr=*/0x200000000000ul, /*addrlen=*/0x10ul);
  3846. syscall(__NR_write, /*fd=*/r[56], /*data=*/0x2000000000c0ul,
  3847. /*len=*/0xc63b9e35ul);
  3848. *(uint32_t*)0x200000000380 = 2;
  3849. syscall(__NR_setsockopt, /*fd=*/r[56], /*level=*/6, /*optname=TCP_NODELAY*/ 1,
  3850. /*optval=*/0x200000000380ul, /*optlen=*/4ul);
  3851. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  3852. if (res != -1)
  3853. r[57] = res;
  3854. *(uint64_t*)0x200000000040 = 0;
  3855. *(uint32_t*)0x200000000048 = 0;
  3856. *(uint64_t*)0x200000000050 = 0x200000002ec0;
  3857. *(uint64_t*)0x200000002ec0 = 0x200000000000;
  3858. *(uint32_t*)0x200000000000 = 0x1c;
  3859. *(uint16_t*)0x200000000004 = 0x69;
  3860. *(uint16_t*)0x200000000006 = 0x5ad;
  3861. *(uint32_t*)0x200000000008 = 0;
  3862. *(uint32_t*)0x20000000000c = 0;
  3863. *(uint16_t*)0x200000000010 = 8;
  3864. STORE_BY_BITMASK(uint16_t, , 0x200000000012, 0, 0, 14);
  3865. STORE_BY_BITMASK(uint16_t, , 0x200000000013, 0, 6, 1);
  3866. STORE_BY_BITMASK(uint16_t, , 0x200000000013, 0, 7, 1);
  3867. *(uint32_t*)0x200000000014 = -1;
  3868. memset((void*)0x200000000018, 46, 1);
  3869. *(uint64_t*)0x200000002ec8 = 0x1c;
  3870. *(uint64_t*)0x200000000058 = 1;
  3871. *(uint64_t*)0x200000000060 = 0;
  3872. *(uint64_t*)0x200000000068 = 0;
  3873. *(uint32_t*)0x200000000070 = 0;
  3874. syscall(__NR_sendmsg, /*fd=*/r[57], /*msg=*/0x200000000040ul, /*f=*/0ul);
  3875. *(uint64_t*)0x200000001180 = 0xffff;
  3876. *(uint64_t*)0x200000001188 = 0x200000000080;
  3877. *(uint64_t*)0x200000000080 = 1;
  3878. *(uint32_t*)0x200000001190 = 2;
  3879. *(uint32_t*)0x200000001194 = 0;
  3880. *(uint64_t*)0x200000001198 = 4;
  3881. *(uint64_t*)0x2000000011a0 = 0x2000000000c0;
  3882. *(uint64_t*)0x2000000000c0 = 0x101;
  3883. *(uint32_t*)0x2000000011a8 = 0x82;
  3884. *(uint32_t*)0x2000000011ac = 0;
  3885. *(uint64_t*)0x2000000011b0 = 0xc0;
  3886. *(uint64_t*)0x2000000011b8 = 0x200000000100;
  3887. *(uint64_t*)0x200000000100 = 2;
  3888. *(uint32_t*)0x2000000011c0 = 2;
  3889. *(uint32_t*)0x2000000011c4 = 0;
  3890. *(uint64_t*)0x2000000011c8 = 2;
  3891. *(uint64_t*)0x2000000011d0 = 0x200000000140;
  3892. *(uint64_t*)0x200000000140 = 9;
  3893. *(uint32_t*)0x2000000011d8 = 0x82;
  3894. *(uint32_t*)0x2000000011dc = 0;
  3895. *(uint64_t*)0x2000000011e0 = 1;
  3896. *(uint64_t*)0x2000000011e8 = 0x200000000180;
  3897. *(uint64_t*)0x200000000180 = 0xee4;
  3898. *(uint32_t*)0x2000000011f0 = 0x82;
  3899. *(uint32_t*)0x2000000011f4 = 0;
  3900. *(uint64_t*)0x2000000011f8 = 6;
  3901. *(uint64_t*)0x200000001200 = 0x2000000001c0;
  3902. *(uint64_t*)0x2000000001c0 = 2;
  3903. *(uint32_t*)0x200000001208 = 0xdb460315;
  3904. *(uint32_t*)0x20000000120c = 0;
  3905. *(uint64_t*)0x200000001210 = 2;
  3906. *(uint64_t*)0x200000001218 = 0x200000000200;
  3907. *(uint64_t*)0x200000000200 = 0x91ff;
  3908. *(uint32_t*)0x200000001220 = 2;
  3909. *(uint32_t*)0x200000001224 = 0;
  3910. *(uint64_t*)0x200000001228 = 0x100;
  3911. *(uint64_t*)0x200000001230 = 0x200000000240;
  3912. *(uint64_t*)0x200000000240 = 0;
  3913. *(uint32_t*)0x200000001238 = 0x80;
  3914. *(uint32_t*)0x20000000123c = 0;
  3915. *(uint64_t*)0x200000001240 = 0x3ff;
  3916. *(uint64_t*)0x200000001248 = 0x200000000280;
  3917. *(uint64_t*)0x200000000280 = 6;
  3918. *(uint32_t*)0x200000001250 = 0x82;
  3919. *(uint32_t*)0x200000001254 = 0;
  3920. *(uint64_t*)0x200000001258 = 2;
  3921. *(uint64_t*)0x200000001260 = 0x2000000002c0;
  3922. *(uint64_t*)0x2000000002c0 = 6;
  3923. *(uint32_t*)0x200000001268 = 0x82;
  3924. *(uint32_t*)0x20000000126c = 0;
  3925. *(uint64_t*)0x200000001270 = 0;
  3926. *(uint64_t*)0x200000001278 = 0x200000000300;
  3927. *(uint64_t*)0x200000000300 = 0x10001;
  3928. *(uint32_t*)0x200000001280 = 2;
  3929. *(uint32_t*)0x200000001284 = 0;
  3930. *(uint64_t*)0x200000001288 = 0;
  3931. *(uint64_t*)0x200000001290 = 0x200000000340;
  3932. *(uint64_t*)0x200000000340 = -1;
  3933. *(uint32_t*)0x200000001298 = 2;
  3934. *(uint32_t*)0x20000000129c = 0;
  3935. *(uint64_t*)0x2000000012a0 = 0x27;
  3936. *(uint64_t*)0x2000000012a8 = 0x2000000003c0;
  3937. *(uint64_t*)0x2000000003c0 = 5;
  3938. *(uint32_t*)0x2000000012b0 = 0x82;
  3939. *(uint32_t*)0x2000000012b4 = 0;
  3940. *(uint64_t*)0x2000000012b8 = 9;
  3941. *(uint64_t*)0x2000000012c0 = 0x200000000400;
  3942. *(uint64_t*)0x200000000400 = 0x6dc;
  3943. *(uint32_t*)0x2000000012c8 = 2;
  3944. *(uint32_t*)0x2000000012cc = 0;
  3945. *(uint64_t*)0x2000000012d0 = 5;
  3946. *(uint64_t*)0x2000000012d8 = 0x200000000440;
  3947. *(uint64_t*)0x200000000440 = 5;
  3948. *(uint32_t*)0x2000000012e0 = 0x82;
  3949. *(uint32_t*)0x2000000012e4 = 0;
  3950. *(uint64_t*)0x2000000012e8 = 6;
  3951. *(uint64_t*)0x2000000012f0 = 0x2000000004c0;
  3952. *(uint64_t*)0x2000000004c0 = 8;
  3953. *(uint32_t*)0x2000000012f8 = 2;
  3954. *(uint32_t*)0x2000000012fc = 0;
  3955. *(uint64_t*)0x200000001300 = 0x40;
  3956. *(uint64_t*)0x200000001308 = 0x200000000500;
  3957. *(uint64_t*)0x200000000500 = 9;
  3958. *(uint32_t*)0x200000001310 = 2;
  3959. *(uint32_t*)0x200000001314 = 0;
  3960. *(uint64_t*)0x200000001318 = 7;
  3961. *(uint64_t*)0x200000001320 = 0x200000000540;
  3962. *(uint64_t*)0x200000000540 = 2;
  3963. *(uint32_t*)0x200000001328 = 2;
  3964. *(uint32_t*)0x20000000132c = 0;
  3965. *(uint64_t*)0x200000001330 = 0xfffffffffffffff9;
  3966. *(uint64_t*)0x200000001338 = 0x200000000580;
  3967. *(uint64_t*)0x200000000580 = 2;
  3968. *(uint32_t*)0x200000001340 = 2;
  3969. *(uint32_t*)0x200000001344 = 0;
  3970. *(uint64_t*)0x200000001348 = 0x8000000000000000;
  3971. *(uint64_t*)0x200000001350 = 0x2000000005c0;
  3972. *(uint64_t*)0x2000000005c0 = 0;
  3973. *(uint32_t*)0x200000001358 = 2;
  3974. *(uint32_t*)0x20000000135c = 0;
  3975. *(uint64_t*)0x200000001360 = 0x800;
  3976. *(uint64_t*)0x200000001368 = 0x200000000600;
  3977. *(uint64_t*)0x200000000600 = 2;
  3978. *(uint32_t*)0x200000001370 = 0;
  3979. *(uint32_t*)0x200000001374 = 0;
  3980. *(uint64_t*)0x200000001378 = 0x7fffffff;
  3981. *(uint64_t*)0x200000001380 = 0x200000001800;
  3982. *(uint64_t*)0x200000001800 = 0x8000;
  3983. *(uint32_t*)0x200000001388 = 2;
  3984. *(uint32_t*)0x20000000138c = 0;
  3985. *(uint64_t*)0x200000001390 = 0x8000000000000000;
  3986. *(uint64_t*)0x200000001398 = 0x200000000680;
  3987. *(uint64_t*)0x200000000680 = 0xc7d2;
  3988. *(uint32_t*)0x2000000013a0 = 0x82;
  3989. *(uint32_t*)0x2000000013a4 = 0;
  3990. *(uint64_t*)0x2000000013a8 = 9;
  3991. *(uint64_t*)0x2000000013b0 = 0x2000000006c0;
  3992. *(uint64_t*)0x2000000006c0 = 3;
  3993. *(uint32_t*)0x2000000013b8 = 0x82;
  3994. *(uint32_t*)0x2000000013bc = 0;
  3995. *(uint64_t*)0x2000000013c0 = 0x8000000000000001;
  3996. *(uint64_t*)0x2000000013c8 = 0x200000000700;
  3997. *(uint64_t*)0x200000000700 = 2;
  3998. *(uint32_t*)0x2000000013d0 = 0x82;
  3999. *(uint32_t*)0x2000000013d4 = 0;
  4000. *(uint64_t*)0x2000000013d8 = -1;
  4001. *(uint64_t*)0x2000000013e0 = 0x200000000740;
  4002. *(uint64_t*)0x200000000740 = 3;
  4003. *(uint32_t*)0x2000000013e8 = 0x82;
  4004. *(uint32_t*)0x2000000013ec = 0;
  4005. *(uint64_t*)0x2000000013f0 = 0x39;
  4006. *(uint64_t*)0x2000000013f8 = 0x200000000780;
  4007. *(uint64_t*)0x200000000780 = 0xbb4f;
  4008. *(uint32_t*)0x200000001400 = 0x82;
  4009. *(uint32_t*)0x200000001404 = 0;
  4010. *(uint64_t*)0x200000001408 = 0x8000000000000000;
  4011. *(uint64_t*)0x200000001410 = 0x2000000007c0;
  4012. *(uint64_t*)0x2000000007c0 = 5;
  4013. *(uint32_t*)0x200000001418 = 0x82;
  4014. *(uint32_t*)0x20000000141c = 0;
  4015. *(uint64_t*)0x200000001420 = 0x80;
  4016. *(uint64_t*)0x200000001428 = 0x200000000800;
  4017. *(uint64_t*)0x200000000800 = 0x100;
  4018. *(uint32_t*)0x200000001430 = 2;
  4019. *(uint32_t*)0x200000001434 = 0;
  4020. *(uint64_t*)0x200000001438 = 4;
  4021. *(uint64_t*)0x200000001440 = 0x200000000840;
  4022. *(uint64_t*)0x200000000840 = 2;
  4023. *(uint32_t*)0x200000001448 = 2;
  4024. *(uint32_t*)0x20000000144c = 0;
  4025. *(uint64_t*)0x200000001450 = 8;
  4026. *(uint64_t*)0x200000001458 = 0x200000000880;
  4027. *(uint64_t*)0x200000000880 = 9;
  4028. *(uint32_t*)0x200000001460 = 0x82;
  4029. *(uint32_t*)0x200000001464 = 0;
  4030. *(uint64_t*)0x200000001468 = 0;
  4031. *(uint64_t*)0x200000001470 = 0x2000000008c0;
  4032. *(uint64_t*)0x2000000008c0 = 0x400;
  4033. *(uint32_t*)0x200000001478 = 2;
  4034. *(uint32_t*)0x20000000147c = 0;
  4035. *(uint64_t*)0x200000001480 = 0xc6;
  4036. *(uint64_t*)0x200000001488 = 0x200000000900;
  4037. *(uint64_t*)0x200000000900 = 0x3ff;
  4038. *(uint32_t*)0x200000001490 = 0x82;
  4039. *(uint32_t*)0x200000001494 = 0;
  4040. *(uint64_t*)0x200000001498 = 0xa;
  4041. *(uint64_t*)0x2000000014a0 = 0x200000000940;
  4042. *(uint64_t*)0x200000000940 = 7;
  4043. *(uint32_t*)0x2000000014a8 = 0x82;
  4044. *(uint32_t*)0x2000000014ac = 0;
  4045. *(uint64_t*)0x2000000014b0 = 0;
  4046. *(uint64_t*)0x2000000014b8 = 0x200000000980;
  4047. *(uint64_t*)0x200000000980 = 3;
  4048. *(uint32_t*)0x2000000014c0 = 0x80;
  4049. *(uint32_t*)0x2000000014c4 = 0;
  4050. *(uint64_t*)0x2000000014c8 = 0;
  4051. *(uint64_t*)0x2000000014d0 = 0x2000000009c0;
  4052. *(uint64_t*)0x2000000009c0 = 0xfff;
  4053. *(uint32_t*)0x2000000014d8 = 2;
  4054. *(uint32_t*)0x2000000014dc = 0;
  4055. *(uint64_t*)0x2000000014e0 = 0x97;
  4056. *(uint64_t*)0x2000000014e8 = 0x200000000a00;
  4057. *(uint64_t*)0x200000000a00 = 0x10;
  4058. *(uint32_t*)0x2000000014f0 = 2;
  4059. *(uint32_t*)0x2000000014f4 = 0;
  4060. *(uint64_t*)0x2000000014f8 = 8;
  4061. *(uint64_t*)0x200000001500 = 0x200000000a40;
  4062. *(uint64_t*)0x200000000a40 = 0x99;
  4063. *(uint32_t*)0x200000001508 = 0x82;
  4064. *(uint32_t*)0x20000000150c = 0;
  4065. *(uint64_t*)0x200000001510 = 0xa5;
  4066. *(uint64_t*)0x200000001518 = 0x200000000a80;
  4067. *(uint64_t*)0x200000000a80 = 2;
  4068. *(uint32_t*)0x200000001520 = 0x82;
  4069. *(uint32_t*)0x200000001524 = 0;
  4070. *(uint64_t*)0x200000001528 = 3;
  4071. *(uint64_t*)0x200000001530 = 0x200000000ac0;
  4072. *(uint64_t*)0x200000000ac0 = 0x44;
  4073. *(uint32_t*)0x200000001538 = 2;
  4074. *(uint32_t*)0x20000000153c = 0;
  4075. *(uint64_t*)0x200000001540 = 8;
  4076. *(uint64_t*)0x200000001548 = 0x200000000b00;
  4077. *(uint64_t*)0x200000000b00 = 0x800;
  4078. *(uint32_t*)0x200000001550 = 0x82;
  4079. *(uint32_t*)0x200000001554 = 0;
  4080. *(uint64_t*)0x200000001558 = 0x500;
  4081. *(uint64_t*)0x200000001560 = 0x200000000b40;
  4082. *(uint64_t*)0x200000000b40 = 0x4b1;
  4083. *(uint32_t*)0x200000001568 = 2;
  4084. *(uint32_t*)0x20000000156c = 0;
  4085. *(uint64_t*)0x200000001570 = 4;
  4086. *(uint64_t*)0x200000001578 = 0x200000000b80;
  4087. *(uint64_t*)0x200000000b80 = 0xf1f1;
  4088. *(uint32_t*)0x200000001580 = 2;
  4089. *(uint32_t*)0x200000001584 = 0;
  4090. *(uint64_t*)0x200000001588 = 0x8bcf;
  4091. *(uint64_t*)0x200000001590 = 0x200000000bc0;
  4092. *(uint64_t*)0x200000000bc0 = 1;
  4093. *(uint32_t*)0x200000001598 = 0x82;
  4094. *(uint32_t*)0x20000000159c = 0;
  4095. *(uint64_t*)0x2000000015a0 = 0x7be;
  4096. *(uint64_t*)0x2000000015a8 = 0x200000000c00;
  4097. *(uint64_t*)0x200000000c00 = 0x81;
  4098. *(uint32_t*)0x2000000015b0 = 2;
  4099. *(uint32_t*)0x2000000015b4 = 0;
  4100. *(uint64_t*)0x2000000015b8 = 0xfa;
  4101. *(uint64_t*)0x2000000015c0 = 0x200000000c40;
  4102. *(uint64_t*)0x200000000c40 = 0xe31;
  4103. *(uint32_t*)0x2000000015c8 = 0x82;
  4104. *(uint32_t*)0x2000000015cc = 0;
  4105. *(uint64_t*)0x2000000015d0 = 5;
  4106. *(uint64_t*)0x2000000015d8 = 0x200000000c80;
  4107. *(uint64_t*)0x200000000c80 = 4;
  4108. *(uint32_t*)0x2000000015e0 = 0x82;
  4109. *(uint32_t*)0x2000000015e4 = 0;
  4110. *(uint64_t*)0x2000000015e8 = 0xab;
  4111. *(uint64_t*)0x2000000015f0 = 0x200000000cc0;
  4112. *(uint64_t*)0x200000000cc0 = 8;
  4113. *(uint32_t*)0x2000000015f8 = 0x82;
  4114. *(uint32_t*)0x2000000015fc = 0;
  4115. *(uint64_t*)0x200000001600 = 0x7fffffff;
  4116. *(uint64_t*)0x200000001608 = 0x200000000d00;
  4117. *(uint64_t*)0x200000000d00 = 0x7c;
  4118. *(uint32_t*)0x200000001610 = 0x82;
  4119. *(uint32_t*)0x200000001614 = 0;
  4120. *(uint64_t*)0x200000001618 = 1;
  4121. *(uint64_t*)0x200000001620 = 0x200000000d40;
  4122. *(uint64_t*)0x200000000d40 = 0x81;
  4123. *(uint32_t*)0x200000001628 = 0x82;
  4124. *(uint32_t*)0x20000000162c = 0;
  4125. *(uint64_t*)0x200000001630 = 0x77;
  4126. *(uint64_t*)0x200000001638 = 0x200000000d80;
  4127. *(uint64_t*)0x200000000d80 = 0;
  4128. *(uint32_t*)0x200000001640 = 2;
  4129. *(uint32_t*)0x200000001644 = 0;
  4130. *(uint64_t*)0x200000001648 = 5;
  4131. *(uint64_t*)0x200000001650 = 0x200000000dc0;
  4132. *(uint64_t*)0x200000000dc0 = 0x6a1;
  4133. *(uint32_t*)0x200000001658 = 2;
  4134. *(uint32_t*)0x20000000165c = 0;
  4135. *(uint64_t*)0x200000001660 = 0xadfc;
  4136. *(uint64_t*)0x200000001668 = 0x200000000e00;
  4137. *(uint64_t*)0x200000000e00 = 6;
  4138. *(uint32_t*)0x200000001670 = 2;
  4139. *(uint32_t*)0x200000001674 = 0;
  4140. *(uint64_t*)0x200000001678 = 6;
  4141. *(uint64_t*)0x200000001680 = 0x200000000e40;
  4142. *(uint64_t*)0x200000000e40 = 0xad;
  4143. *(uint32_t*)0x200000001688 = 0x82;
  4144. *(uint32_t*)0x20000000168c = 0;
  4145. *(uint64_t*)0x200000001690 = 0x100;
  4146. *(uint64_t*)0x200000001698 = 0x200000000e80;
  4147. *(uint64_t*)0x200000000e80 = 0x10000;
  4148. *(uint32_t*)0x2000000016a0 = 0x82;
  4149. *(uint32_t*)0x2000000016a4 = 0;
  4150. *(uint64_t*)0x2000000016a8 = 0x58;
  4151. *(uint64_t*)0x2000000016b0 = 0x200000000ec0;
  4152. *(uint64_t*)0x200000000ec0 = 6;
  4153. *(uint32_t*)0x2000000016b8 = 0x82;
  4154. *(uint32_t*)0x2000000016bc = 0;
  4155. *(uint64_t*)0x2000000016c0 = 4;
  4156. *(uint64_t*)0x2000000016c8 = 0x200000000f00;
  4157. *(uint64_t*)0x200000000f00 = 0x7fff;
  4158. *(uint32_t*)0x2000000016d0 = 2;
  4159. *(uint32_t*)0x2000000016d4 = 0;
  4160. *(uint64_t*)0x2000000016d8 = 2;
  4161. *(uint64_t*)0x2000000016e0 = 0x200000000f40;
  4162. *(uint64_t*)0x200000000f40 = 3;
  4163. *(uint32_t*)0x2000000016e8 = 0x82;
  4164. *(uint32_t*)0x2000000016ec = 0;
  4165. *(uint64_t*)0x2000000016f0 = 0x8000000000000001;
  4166. *(uint64_t*)0x2000000016f8 = 0x200000000f80;
  4167. *(uint64_t*)0x200000000f80 = 0x1ff;
  4168. *(uint32_t*)0x200000001700 = 2;
  4169. *(uint32_t*)0x200000001704 = 0;
  4170. *(uint64_t*)0x200000001708 = -1;
  4171. *(uint64_t*)0x200000001710 = 0x200000000fc0;
  4172. *(uint64_t*)0x200000000fc0 = 0x80000001;
  4173. *(uint32_t*)0x200000001718 = 0x82;
  4174. *(uint32_t*)0x20000000171c = 0;
  4175. *(uint64_t*)0x200000001720 = 2;
  4176. *(uint64_t*)0x200000001728 = 0x200000001000;
  4177. *(uint64_t*)0x200000001000 = 0x10000;
  4178. *(uint32_t*)0x200000001730 = 0x82;
  4179. *(uint32_t*)0x200000001734 = 0;
  4180. *(uint64_t*)0x200000001738 = 7;
  4181. *(uint64_t*)0x200000001740 = 0x200000001040;
  4182. *(uint64_t*)0x200000001040 = 4;
  4183. *(uint32_t*)0x200000001748 = 0x782da19c;
  4184. *(uint32_t*)0x20000000174c = 0;
  4185. *(uint64_t*)0x200000001750 = 0x40;
  4186. *(uint64_t*)0x200000001758 = 0x200000001080;
  4187. *(uint64_t*)0x200000001080 = 0x1ff;
  4188. *(uint32_t*)0x200000001760 = 2;
  4189. *(uint32_t*)0x200000001764 = 0;
  4190. *(uint64_t*)0x200000001768 = 0x8001;
  4191. *(uint64_t*)0x200000001770 = 0x2000000010c0;
  4192. *(uint64_t*)0x2000000010c0 = 2;
  4193. *(uint32_t*)0x200000001778 = 2;
  4194. *(uint32_t*)0x20000000177c = 0;
  4195. *(uint64_t*)0x200000001780 = 5;
  4196. *(uint64_t*)0x200000001788 = 0x200000001100;
  4197. *(uint64_t*)0x200000001100 = 0x1c;
  4198. *(uint32_t*)0x200000001790 = 0x82;
  4199. *(uint32_t*)0x200000001794 = 0;
  4200. *(uint64_t*)0x200000001798 = 0;
  4201. *(uint64_t*)0x2000000017a0 = 0x200000001140;
  4202. *(uint64_t*)0x200000001140 = 0xf8;
  4203. *(uint32_t*)0x2000000017a8 = 0x82;
  4204. *(uint32_t*)0x2000000017ac = 0;
  4205. *(uint64_t*)0x2000000017c0 = 0;
  4206. *(uint64_t*)0x2000000017c8 = 0x989680;
  4207. syscall(__NR_futex_waitv, /*addr=*/0x200000001180ul, /*val=*/0x42ul,
  4208. /*flg=*/0ul, /*timeout=*/0x2000000017c0ul, /*clockid=*/0ul);
  4209. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  4210. if (res != -1)
  4211. r[58] = res;
  4212. *(uint16_t*)0x2000000001c0 = 0xa;
  4213. *(uint16_t*)0x2000000001c2 = htobe16(0x4e22);
  4214. *(uint32_t*)0x2000000001c4 = htobe32(0);
  4215. memset((void*)0x2000000001c8, 0, 16);
  4216. *(uint32_t*)0x2000000001d8 = 0;
  4217. syscall(__NR_bind, /*fd=*/r[58], /*addr=*/0x2000000001c0ul,
  4218. /*addrlen=*/0x1cul);
  4219. *(uint32_t*)0x200000000180 = 0x100003;
  4220. syscall(__NR_setsockopt, /*fd=*/r[58], /*level=*/0x29,
  4221. /*optname=IPV6_2292HOPOPTS*/ 3, /*optval=*/0x200000000180ul,
  4222. /*optlen=*/4ul);
  4223. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/3ul, /*proto=*/2);
  4224. if (res != -1)
  4225. r[59] = res;
  4226. *(uint32_t*)0x2000000003c0 = 1;
  4227. *(uint32_t*)0x2000000003c4 = 1;
  4228. *(uint32_t*)0x2000000003c8 = 0x18;
  4229. *(uint32_t*)0x2000000003cc = r[58];
  4230. *(uint64_t*)0x2000000003d0 = 0x81;
  4231. memcpy((void*)0x2000000003d8, "./bus\000", 6);
  4232. res = syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0xc018937a,
  4233. /*arg=*/0x2000000003c0ul);
  4234. if (res != -1)
  4235. r[60] = *(uint32_t*)0x2000000003cc;
  4236. *(uint32_t*)0x200000000580 = r[59];
  4237. *(uint64_t*)0x200000000588 = 5;
  4238. *(uint64_t*)0x200000000590 = 0x2000000004c0;
  4239. *(uint64_t*)0x2000000004c0 = 5;
  4240. *(uint64_t*)0x2000000004c8 = 8;
  4241. *(uint64_t*)0x2000000004d0 = 1;
  4242. *(uint64_t*)0x2000000004d8 = 0x7ff;
  4243. *(uint64_t*)0x2000000004e0 = 0x60;
  4244. *(uint64_t*)0x200000000598 = 3;
  4245. *(uint64_t*)0x2000000005a0 = 6;
  4246. *(uint32_t*)0x2000000005a8 = 0;
  4247. memset((void*)0x2000000005ac, 0, 28);
  4248. syscall(__NR_ioctl, /*fd=*/r[60], /*cmd=*/0x40489426,
  4249. /*arg=*/0x200000000580ul);
  4250. *(uint32_t*)0x200000000040 = 0;
  4251. syscall(__NR_getsockopt, /*fd=*/r[59], /*level=*/0, /*opt=MRT_PIM*/ 0xd0,
  4252. /*val=*/-1, /*len=*/0x200000000040ul);
  4253. *(uint16_t*)0x20000072e000 = 0xa;
  4254. *(uint16_t*)0x20000072e002 = htobe16(0x4e22);
  4255. *(uint32_t*)0x20000072e004 = htobe32(4);
  4256. *(uint64_t*)0x20000072e008 = htobe64(0);
  4257. *(uint64_t*)0x20000072e010 = htobe64(1);
  4258. *(uint32_t*)0x20000072e018 = 0x80000;
  4259. syscall(
  4260. __NR_sendto, /*fd=*/r[58], /*buf=*/0ul, /*len=*/0ul,
  4261. /*f=MSG_FASTOPEN|MSG_PROBE|MSG_EOR|MSG_DONTWAIT|MSG_DONTROUTE|MSG_CONFIRM*/
  4262. 0x200008d4ul, /*addr=*/0x20000072e000ul, /*addrlen=*/0x1cul);
  4263. syscall(__NR_setsockopt, /*fd=*/r[58], /*level=*/0x29, /*optname=*/0x36,
  4264. /*optval=*/0x200000000280ul, /*optlen=*/8ul);
  4265. res = syscall(__NR_socket, /*domain=*/1ul, /*type=SOCK_STREAM*/ 1ul,
  4266. /*proto=*/0);
  4267. if (res != -1)
  4268. r[61] = res;
  4269. *(uint16_t*)0x200000000100 = 0;
  4270. *(uint8_t*)0x200000000102 = 0;
  4271. *(uint32_t*)0x200000000104 = 0;
  4272. syscall(__NR_bind, /*fd=*/r[61], /*addr=*/0x200000000100ul, /*addrlen=*/2ul);
  4273. res = syscall(__NR_socket, /*domain=*/2ul, /*type=SOCK_STREAM*/ 1ul,
  4274. /*proto=*/0);
  4275. if (res != -1)
  4276. r[62] = res;
  4277. memcpy((void*)0x200000000000, "\x89\x07\x04\x04\x00", 5);
  4278. syscall(__NR_setsockopt, /*fd=*/r[62], /*level=*/0, /*optname=IP_OPTIONS*/ 4,
  4279. /*optval=*/0x200000000000ul, /*optlen=*/5ul);
  4280. syscall(__NR_setsockopt, /*fd=*/r[62], /*level=*/0, /*optname=IP_OPTIONS*/ 4,
  4281. /*optval=*/0ul, /*optlen=*/0ul);
  4282. memcpy((void*)0x200000000000, "/selinux/status\000", 16);
  4283. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  4284. /*file=*/0x200000000000ul, /*flags=*/0, /*mode=*/0);
  4285. if (res != -1)
  4286. r[63] = res;
  4287. syscall(__NR_mmap, /*addr=*/0x200000ffd000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  4288. /*flags=MAP_FIXED|MAP_SHARED*/ 0x11ul, /*fd=*/r[63], /*offset=*/0ul);
  4289. syscall(__NR_munmap, /*addr=*/0x200000ffd000ul, /*len=*/0x3000ul);
  4290. memcpy((void*)0x200000000280,
  4291. "\x2a\x6f\xae\x87\xf8\xdd\xba\xa0\x15\x70\x72\x7c\xa4\x81\xc0", 15);
  4292. syscall(
  4293. __NR_sendto, /*fd=*/r[58], /*buf=*/0x200000000280ul, /*len=*/0xful,
  4294. /*f=MSG_ZEROCOPY|MSG_BATCH|MSG_OOB|MSG_NOSIGNAL|MSG_MORE|MSG_EOR|MSG_DONTWAIT|0xc2fb3f2a*/
  4295. 0xc6ffffebul, /*addr=*/0ul, /*addrlen=*/0ul);
  4296. memcpy((void*)0x200000000180, "vfat\000", 5);
  4297. memcpy((void*)0x200000000000, "./file0\000", 8);
  4298. memcpy((void*)0x2000000002c0, "uni_xlate=1", 11);
  4299. *(uint8_t*)0x2000000002cb = 0x2c;
  4300. memcpy((void*)0x2000000002cc, "errors=continue", 15);
  4301. *(uint8_t*)0x2000000002db = 0x2c;
  4302. memcpy((void*)0x2000000002dc, "utf8=0", 6);
  4303. *(uint8_t*)0x2000000002e2 = 0x2c;
  4304. memcpy((void*)0x2000000002e3, "nocase", 6);
  4305. *(uint8_t*)0x2000000002e9 = 0x2c;
  4306. memcpy((void*)0x2000000002ea, "uni_xlate=1", 11);
  4307. *(uint8_t*)0x2000000002f5 = 0x2c;
  4308. memcpy((void*)0x2000000002f6, "utf8=1", 6);
  4309. *(uint8_t*)0x2000000002fc = 0x2c;
  4310. memcpy((void*)0x2000000002fd, "uid", 3);
  4311. *(uint8_t*)0x200000000300 = 0x3d;
  4312. sprintf((char*)0x200000000301, "0x%016llx", (long long)0);
  4313. *(uint8_t*)0x200000000313 = 0x2c;
  4314. memcpy((void*)0x200000000314, "shortname=win95", 15);
  4315. *(uint8_t*)0x200000000323 = 0x2c;
  4316. memcpy((void*)0x200000000324, "nfs", 3);
  4317. *(uint8_t*)0x200000000327 = 0x2c;
  4318. memcpy((void*)0x200000000328, "flush", 5);
  4319. *(uint8_t*)0x20000000032d = 0x2c;
  4320. memcpy((void*)0x20000000032e, "shortname=win95", 15);
  4321. *(uint8_t*)0x20000000033d = 0x2c;
  4322. memcpy((void*)0x20000000033e, "shortname=win95", 15);
  4323. *(uint8_t*)0x20000000034d = 0x2c;
  4324. memcpy((void*)0x20000000034e, "sys_immutable", 13);
  4325. *(uint8_t*)0x20000000035b = 0x2c;
  4326. memcpy((void*)0x20000000035c, "gid", 3);
  4327. *(uint8_t*)0x20000000035f = 0x3d;
  4328. sprintf((char*)0x200000000360, "0x%016llx", (long long)0);
  4329. *(uint8_t*)0x200000000372 = 0x2c;
  4330. memcpy((void*)0x200000000373, "shortname=winnt", 15);
  4331. *(uint8_t*)0x200000000382 = 0x2c;
  4332. memcpy((void*)0x200000000383, "uni_xlate=1", 11);
  4333. *(uint8_t*)0x20000000038e = 0x2c;
  4334. memcpy((void*)0x20000000038f, "nonumtail=0", 11);
  4335. *(uint8_t*)0x20000000039a = 0x2c;
  4336. *(uint8_t*)0x20000000039b = 0;
  4337. memcpy(
  4338. (void*)0x200000002300,
  4339. "\x78\x9c\xec\xdd\x3f\x6b\x23\x47\x14\x00\xf0\xb7\xb2\x2c\x29\x49\x21\x15"
  4340. "\xa9\x42\x20\x0b\x49\x91\xca\xd8\x6e\xd3\xc8\x04\x1b\x4c\x54\x25\xa8\x48"
  4341. "\x52\x24\x26\xb6\x21\x58\x22\x60\x83\x21\x7f\x88\xe2\x2a\x6d\x9a\x94\xf9"
  4342. "\x04\x81\x40\xba\xfb\x12\xd7\xdc\x37\x38\xb8\xf6\xe0\xba\x73\x61\xd8\x63"
  4343. "\xa5\xdd\x93\xec\x93\x65\xeb\xb0\xec\xfb\xf3\xfb\x35\x1e\xcf\xce\x9b\x79"
  4344. "\x33\x1e\x6c\x5c\xec\xd3\xf7\x1f\xf6\x0f\x76\xd3\xd8\x3f\xf9\xed\x61\x34"
  4345. "\x1a\x49\x54\xda\xd1\x8e\xd3\x24\x5a\x51\x89\xd2\x1f\x71\x4e\xfb\xaf\x00"
  4346. "\x00\x5e\x67\xa7\x59\x16\x4f\xb2\x91\x79\xe2\x92\x88\x68\x2c\x2e\x2d\x00"
  4347. "\x60\x81\xe6\xfe\xfb\xff\xff\xc2\x53\x02\x00\x16\xec\xab\xaf\xbf\xf9\x62"
  4348. "\xa3\xd3\xd9\xfc\x32\x4d\x1b\xb1\xd5\xff\xf3\xb8\x9b\xff\x67\x9f\x7f\x1d"
  4349. "\x3d\xdf\xd8\x8f\x1f\xa3\x17\x7b\xb1\x1a\xcd\x38\x8b\xc8\x9e\x1b\xb5\xb7"
  4350. "\xb2\x2c\x1b\x54\xd3\x5c\x2b\x3e\xe9\x0f\x8e\xbb\x79\x64\xff\xbb\xfb\xc5"
  4351. "\xfc\x1b\x8f\x23\x86\xf1\x6b\xd1\x8c\xd6\xb0\xeb\x7c\xfc\x76\x67\x73\x2d"
  4352. "\x1d\x99\x88\x1f\xe4\x79\xbc\x5b\xac\xdf\xce\xe3\xd7\xa3\x19\xef\x4f\x59"
  4353. "\x7f\xbb\xb3\xb9\x3e\x25\x3e\xba\xb5\xf8\xf4\xe3\x89\xfc\x57\xa2\x19\x0f"
  4354. "\x7e\x88\x9f\xa2\x17\xbb\xc3\x24\xc6\xf1\xbf\xaf\xa5\xe9\xe7\xd9\xdf\x4f"
  4355. "\x7f\xfd\x36\x4f\x2f\x8f\x4f\x06\xc7\xdd\xfa\x70\xdc\x58\xb6\x74\xcb\x3f"
  4356. "\x1a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4357. "\xde\x60\x2b\x45\xed\x9c\x7a\x0c\xeb\xf7\xe4\x5d\x45\xfd\x9d\xa5\xb3\xfc"
  4358. "\x9b\xe5\x48\x4b\xad\xf3\xf5\x79\x46\xf1\x49\x39\xd1\x85\xfa\x40\x83\x2c"
  4359. "\xfe\x29\xeb\xeb\xac\xa6\x69\x9a\x15\x03\xc7\xf1\xd5\xf8\xa0\x1a\xd5\xbb"
  4360. "\xd9\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbc"
  4361. "\x5a\x8e\x7e\xfe\xe5\x60\xa7\xd7\xdb\x3b\xbc\x91\x46\x59\x0d\xa0\x7c\xad"
  4362. "\xff\x65\xe7\x69\x4f\xf4\x7c\x14\xb3\x07\xd7\xc7\x6b\x55\x8a\xe6\x8c\x99"
  4363. "\x63\xa9\x1c\x93\x44\xcc\x4c\x23\xdf\xc4\x0d\x1d\xcb\x55\x8d\x77\x2e\xcb"
  4364. "\xf9\xdf\xff\xe6\x9d\xb0\x71\xf5\x98\xe5\x59\xe7\x73\x33\x8d\xf2\x76\x1d"
  4365. "\xec\x24\xd3\xcf\xb0\x1e\x65\x4f\xa3\xbc\x24\xf7\x26\xc7\xd4\xe2\x9a\x6b"
  4366. "\xd5\x2e\x7b\x94\xcd\x75\xfd\x6a\x53\x1f\x35\xe7\xde\x7b\xed\xbd\x61\x63"
  4367. "\x30\x63\x4c\x24\xb3\x12\xfb\xec\xd1\xe8\xe4\x8a\x9e\xe4\xe2\x2e\x6a\xc3"
  4368. "\x53\x9d\x1a\xbe\x5c\x34\x26\xc2\x2f\xdc\x8d\xb9\xee\xf3\x8b\xbf\x2b\x12"
  4369. "\xd5\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xa1"
  4370. "\xc6\x2f\xfd\x4e\x79\x78\x32\x33\xb4\x92\xd5\x17\x96\x16\x00\x00\x00\x00"
  4371. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4372. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdc\xaa\xf1\xe7\xff\xcf\xd1\x18\x14"
  4373. "\xc1\xd7\x18\x5c\x8b\xc3\xa3\x3b\xde\x22\x00\x00\x00\x00\x00\x00\x00\x00"
  4374. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4375. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6f\x81\x67\x01\x00"
  4376. "\x00\xff\xff\xc3\x51\x62\x02",
  4377. 673);
  4378. res = -1;
  4379. res = syz_mount_image(
  4380. /*fs=*/0x200000000180, /*dir=*/0x200000000000,
  4381. /*flags=MS_I_VERSION|MS_NOSUID|MS_NOEXEC|MS_DIRSYNC*/ 0x80008a,
  4382. /*opts=*/0x2000000002c0, /*chdir=*/7, /*size=*/0x2a1,
  4383. /*img=*/0x200000002300);
  4384. if (res != -1)
  4385. r[64] = res;
  4386. memcpy((void*)0x200000000140, "./bus\000", 6);
  4387. res = syscall(__NR_creat, /*file=*/0x200000000140ul, /*mode=*/0ul);
  4388. if (res != -1)
  4389. r[65] = res;
  4390. res = syscall(__NR_io_setup, /*n=*/8, /*ctx=*/0x200000000200ul);
  4391. if (res != -1)
  4392. r[66] = *(uint64_t*)0x200000000200;
  4393. res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_STREAM*/ 1ul,
  4394. /*proto=*/0, /*fds=*/0x200000000000ul);
  4395. if (res != -1)
  4396. r[67] = *(uint32_t*)0x200000000004;
  4397. syscall(__NR_getpgrp, /*pid=*/-1);
  4398. *(uint16_t*)0x200000000080 = 2;
  4399. *(uint16_t*)0x200000000082 = htobe16(0x4e22);
  4400. *(uint32_t*)0x200000000084 = htobe32(-1);
  4401. memcpy(
  4402. (void*)0x200000000400,
  4403. "\x46\x19\x00\x8d\x00\x66\x00\x00\x00\x00\x90\x78\xac\x14\x14\x29\xac\x14"
  4404. "\x14\x3a\x00\x00\x00\x00\x8f\xf3\x74\x2d\x56\x71\x42\xe1\xe1\x9c\x48\x89"
  4405. "\xe3\x78\x32\x6b\x8c\x89\xa9\x8b\xa1\x63\x4f\x51\xaf\x13\xf3\xd2\xd5\xbd"
  4406. "\x99\x86\xb6\x28\x30\x73\xdf\x1d\x55\xb5\x74\x33\x84\xef\x32\x17\xb9\xd8"
  4407. "\x73\xd8\x1f\x83\x6d\xae\x23\x31\x1e\x15\xa3\x8e\x0a\x66\x55\xc8\xc6\x07"
  4408. "\xab\x61\x19\x1f\xf9\x79\x20\xec\x47\xc4\x04\x98\x08\x9f\x58\x06\x70\xb3"
  4409. "\x4b\xe6\xcd\xff\xa5\x6b\x1b\x48\xfc\xfa\x0c\x1a\xcb\x4d\x98\x10\x2c\x85"
  4410. "\xb9\x89\x79\x71\xc1\xeb\xcc\xda\x95\xf7\x04\xcb\x38\x07\xed",
  4411. 141);
  4412. res = -1;
  4413. res =
  4414. syz_emit_proto(/*proto=*/0x2b, /*addr=*/0x200000000080, /*addrlen=*/0x10,
  4415. /*packet=*/0x200000000400, /*ttl=*/0x40);
  4416. if (res != -1)
  4417. r[68] = res;
  4418. *(uint64_t*)0x200000001240 = 0;
  4419. *(uint32_t*)0x200000001248 = 0;
  4420. *(uint64_t*)0x200000001250 = 0x200000001100;
  4421. *(uint64_t*)0x200000001100 = 0x200000000240;
  4422. memcpy((void*)0x200000000240,
  4423. "\x2e\xb2\x3b\xf0\x23\x71\x64\x85\xf0\x71\x5b\xf8\x46\x3d\xb0\x9a",
  4424. 16);
  4425. *(uint64_t*)0x200000001108 = 0x10;
  4426. *(uint64_t*)0x200000001258 = 1;
  4427. *(uint64_t*)0x200000001260 = 0x200000000100;
  4428. *(uint64_t*)0x200000000100 = 0x24;
  4429. *(uint32_t*)0x200000000108 = 1;
  4430. *(uint32_t*)0x20000000010c = 1;
  4431. *(uint32_t*)0x200000000110 = -1;
  4432. *(uint32_t*)0x200000000114 = r[65];
  4433. *(uint32_t*)0x200000000118 = r[64];
  4434. *(uint32_t*)0x20000000011c = r[68];
  4435. *(uint32_t*)0x200000000120 = r[65];
  4436. *(uint64_t*)0x200000001268 = 0x28;
  4437. *(uint32_t*)0x200000001270 = 0;
  4438. syscall(__NR_sendmsg, /*fd=*/r[67], /*msg=*/0x200000001240ul,
  4439. /*f=MSG_OOB|MSG_NOSIGNAL|MSG_CONFIRM*/ 0x4801ul);
  4440. syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/6);
  4441. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x8946, /*arg=*/0ul);
  4442. syscall(__NR_getrandom, /*buf=*/0x200000000440ul,
  4443. /*len=*/0x7591fcc76eda37b7ul, /*flags=*/0ul);
  4444. syscall(__NR_madvise, /*addr=*/0x200000000000ul, /*len=*/0x600003ul,
  4445. /*advice=MADV_PAGEOUT*/ 0x15ul);
  4446. *(uint64_t*)0x200000000540 = 0x2000000000c0;
  4447. *(uint64_t*)0x2000000000c0 = 0;
  4448. *(uint32_t*)0x2000000000c8 = 0;
  4449. *(uint32_t*)0x2000000000cc = 3;
  4450. *(uint16_t*)0x2000000000d0 = 1;
  4451. *(uint16_t*)0x2000000000d2 = 0;
  4452. *(uint32_t*)0x2000000000d4 = r[65];
  4453. *(uint64_t*)0x2000000000d8 = 0x200000000000;
  4454. *(uint64_t*)0x2000000000e0 = 0x10000;
  4455. *(uint64_t*)0x2000000000e8 = 0;
  4456. *(uint64_t*)0x2000000000f0 = 0;
  4457. *(uint32_t*)0x2000000000f8 = 0;
  4458. *(uint32_t*)0x2000000000fc = -1;
  4459. syscall(__NR_io_submit, /*ctx=*/r[66], /*nr=*/8ul,
  4460. /*iocbpp=*/0x200000000540ul);
  4461. res = -1;
  4462. res = syz_open_dev(/*dev=*/0xc, /*major=*/4, /*minor=*/1);
  4463. if (res != -1)
  4464. r[69] = res;
  4465. syscall(__NR_fchmod, /*fd=*/r[69], /*mode=*/0ul);
  4466. memcpy((void*)0x200000000040, "./file0\000", 8);
  4467. syz_mount_image(/*fs=*/0, /*dir=*/0x200000000040, /*flags=*/0, /*opts=*/0,
  4468. /*chdir=*/0, /*size=*/0, /*img=*/0x200000000000);
  4469. res = syscall(__NR_pipe2, /*pipefd=*/0x200000000240ul, /*flags=*/0ul);
  4470. if (res != -1) {
  4471. r[70] = *(uint32_t*)0x200000000240;
  4472. r[71] = *(uint32_t*)0x200000000244;
  4473. }
  4474. memcpy((void*)0x2000000000c0,
  4475. "\x15\x00\x00\x00\x65\xff\xff\x01\x80\x00\x00\x08\x00\x39\x50\x32\x30"
  4476. "\x30\x30",
  4477. 19);
  4478. syscall(__NR_write, /*fd=*/r[71], /*data=*/0x2000000000c0ul, /*size=*/0x15ul);
  4479. res = syscall(__NR_dup, /*oldfd=*/r[71]);
  4480. if (res != -1)
  4481. r[72] = res;
  4482. memcpy((void*)0x200000000140, "S\000\000\000\a", 5);
  4483. syscall(__NR_write, /*fd=*/r[72], /*data=*/0x200000000140ul, /*size=*/0x53ul);
  4484. memcpy((void*)0x200000000000, "./file0\000", 8);
  4485. memcpy((void*)0x200000000180, "9p\000", 3);
  4486. memcpy((void*)0x200000000080, "trans=fd,", 9);
  4487. memcpy((void*)0x200000000089, "rfdno", 5);
  4488. *(uint8_t*)0x20000000008e = 0x3d;
  4489. sprintf((char*)0x20000000008f, "0x%016llx", (long long)r[70]);
  4490. *(uint8_t*)0x2000000000a1 = 0x2c;
  4491. memcpy((void*)0x2000000000a2, "wfdno", 5);
  4492. *(uint8_t*)0x2000000000a7 = 0x3d;
  4493. sprintf((char*)0x2000000000a8, "0x%016llx", (long long)r[72]);
  4494. *(uint8_t*)0x2000000000ba = 0x2c;
  4495. *(uint8_t*)0x2000000000bb = 0x6b;
  4496. syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x200000000000ul,
  4497. /*type=*/0x200000000180ul, /*flags=*/0ul, /*opts=*/0x200000000080ul);
  4498. memcpy((void*)0x200000000040, "./file0\000", 8);
  4499. syscall(__NR_mkdir, /*path=*/0x200000000040ul, /*mode=*/0ul);
  4500. memcpy((void*)0x200000000080, "./file0\000", 8);
  4501. memcpy((void*)0x2000000000c0, "./file0\000", 8);
  4502. syscall(__NR_symlink, /*old=*/0x200000000080ul, /*new=*/0x2000000000c0ul);
  4503. res = syscall(__NR_pipe2, /*pipefd=*/0x200000000240ul, /*flags=*/0ul);
  4504. if (res != -1) {
  4505. r[73] = *(uint32_t*)0x200000000240;
  4506. r[74] = *(uint32_t*)0x200000000244;
  4507. }
  4508. memcpy((void*)0x200000000300, ".\000", 2);
  4509. res = syscall(__NR_open, /*file=*/0x200000000300ul, /*flags=*/0ul,
  4510. /*mode=*/0ul);
  4511. if (res != -1)
  4512. r[75] = res;
  4513. memcpy((void*)0x200000000100, "./bus\000", 6);
  4514. memcpy((void*)0x2000000002c0, "./file0\000", 8);
  4515. syscall(__NR_renameat2, /*oldfd=*/r[75], /*old=*/0x200000000100ul,
  4516. /*newfd=*/r[75], /*new=*/0x2000000002c0ul, /*flags=*/0ul);
  4517. *(uint64_t*)0x200000000540 = 0x10;
  4518. syscall(__NR_lsm_list_modules, /*ids=*/0ul, /*size=*/0x200000000540ul,
  4519. /*flags=*/0ul);
  4520. memcpy((void*)0x200000000100, "./file0\000", 8);
  4521. syscall(__NR_openat, /*fd=*/r[75], /*file=*/0x200000000100ul,
  4522. /*flags=FASYNC*/ 0x2000, /*mode=S_IXOTH|S_IXGRP|S_IRGRP*/ 0x29);
  4523. syscall(__NR_io_setup, /*n=*/0xfffffe00, /*ctx=*/0x200000000200ul);
  4524. syscall(__NR_geteuid);
  4525. memcpy((void*)0x200000000000, "./file0\000", 8);
  4526. memcpy((void*)0x200000000140, "9p\000", 3);
  4527. memcpy((void*)0x200000000180, "trans=fd,", 9);
  4528. memcpy((void*)0x200000000189, "rfdno", 5);
  4529. *(uint8_t*)0x20000000018e = 0x3d;
  4530. sprintf((char*)0x20000000018f, "0x%016llx", (long long)r[73]);
  4531. *(uint8_t*)0x2000000001a1 = 0x2c;
  4532. memcpy((void*)0x2000000001a2, "wfdno", 5);
  4533. *(uint8_t*)0x2000000001a7 = 0x3d;
  4534. sprintf((char*)0x2000000001a8, "0x%016llx", (long long)r[74]);
  4535. *(uint8_t*)0x2000000001ba = 0x2c;
  4536. memcpy((void*)0x2000000001bb, "msize", 5);
  4537. *(uint8_t*)0x2000000001c0 = 0x3d;
  4538. sprintf((char*)0x2000000001c1, "0x%016llx", (long long)0x400001);
  4539. *(uint8_t*)0x2000000001d3 = 0x2c;
  4540. memcpy((void*)0x2000000001d4, "msize", 5);
  4541. *(uint8_t*)0x2000000001d9 = 0x3d;
  4542. sprintf((char*)0x2000000001da, "0x%016llx", (long long)0xb);
  4543. *(uint8_t*)0x2000000001ec = 0x2c;
  4544. *(uint8_t*)0x2000000001ed = 0;
  4545. syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x200000000000ul,
  4546. /*type=*/0x200000000140ul, /*flags=*/0ul, /*opts=*/0x200000000180ul);
  4547. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/0xe59);
  4548. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/2);
  4549. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/4);
  4550. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/9);
  4551. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/0x6c);
  4552. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/1);
  4553. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/3);
  4554. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/8);
  4555. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/0x80000);
  4556. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/0xffff);
  4557. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/1);
  4558. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/5);
  4559. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/6);
  4560. syz_proconfig_set__sys_bus_clockevents_drivers_autoprobe(/*val=*/3);
  4561. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/1);
  4562. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/3);
  4563. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/1);
  4564. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(
  4565. /*val=*/0x80000001);
  4566. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/0x774);
  4567. syz_proconfig_set__sys_bus_clockevents_drivers_autoprobe(/*val=*/9);
  4568. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(
  4569. /*val=*/0x6207e4a5);
  4570. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/8);
  4571. syz_proconfig_set__sys_bus_clockevents_drivers_autoprobe(/*val=*/3);
  4572. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(
  4573. /*val=*/0x80000000);
  4574. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/0x2bb);
  4575. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/0x57b);
  4576. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/0xffff);
  4577. syz_sysconfig_set__proc_sys_net_ipv6_route_gc_min_interval(/*val=*/0x10);
  4578. syz_proconfig_set__sys_bus_clockevents_drivers_autoprobe(/*val=*/6);
  4579. syz_proconfig_set__sys_bus_clockevents_drivers_autoprobe(/*val=*/3);
  4580. syscall(
  4581. __NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xff5000ul, /*prot=*/0ul,
  4582. /*flags=MAP_POPULATE|MAP_NORESERVE|MAP_NONBLOCK|MAP_HUGETLB|MAP_FIXED|0x2000000000822*/
  4583. 0x200000005c832ul, /*fd=*/-1, /*offset=*/0ul);
  4584. syscall(__NR_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0);
  4585. syscall(__NR_eventfd, /*initval=*/0);
  4586. memcpy((void*)0x2000000000c0, "fdinfo/4\000", 9);
  4587. res = -1;
  4588. res = syz_open_procfs(/*pid=*/-1, /*file=*/0x2000000000c0);
  4589. if (res != -1)
  4590. r[76] = res;
  4591. syscall(__NR_read, /*fd=*/r[76], /*buffer=*/0x200000000080ul, /*len=*/0x3eul);
  4592. syscall(__NR_mprotect, /*addr=*/0x200000000000ul, /*len=*/0x800000ul,
  4593. /*prot=PROT_WRITE*/ 2ul);
  4594. syscall(__NR_mprotect, /*addr=*/0x200000000000ul, /*len=*/0x800000ul,
  4595. /*prot=PROT_WRITE*/ 2ul);
  4596. *(uint32_t*)0x20000001d000 = 2;
  4597. *(uint32_t*)0x20000001d004 = 0x80;
  4598. *(uint8_t*)0x20000001d008 = 0xba;
  4599. *(uint8_t*)0x20000001d009 = 0;
  4600. *(uint8_t*)0x20000001d00a = 0;
  4601. *(uint8_t*)0x20000001d00b = 0;
  4602. *(uint32_t*)0x20000001d00c = 0;
  4603. *(uint64_t*)0x20000001d010 = 0x6f0d;
  4604. *(uint64_t*)0x20000001d018 = 0x1001e2;
  4605. *(uint64_t*)0x20000001d020 = 0;
  4606. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 0, 1);
  4607. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 1, 1);
  4608. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 2, 1);
  4609. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 3, 1);
  4610. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 4, 1);
  4611. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 5, 1);
  4612. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 6, 1);
  4613. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 7, 1);
  4614. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 8, 1);
  4615. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 9, 1);
  4616. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 10, 1);
  4617. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 11, 1);
  4618. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 12, 1);
  4619. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 13, 1);
  4620. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 14, 1);
  4621. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 15, 2);
  4622. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 17, 1);
  4623. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 18, 1);
  4624. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 19, 1);
  4625. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 20, 1);
  4626. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 21, 1);
  4627. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 22, 1);
  4628. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 23, 1);
  4629. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 24, 1);
  4630. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 25, 1);
  4631. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 26, 1);
  4632. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 27, 1);
  4633. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 28, 1);
  4634. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 29, 1);
  4635. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 30, 1);
  4636. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 31, 1);
  4637. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 32, 1);
  4638. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 33, 1);
  4639. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 34, 1);
  4640. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 35, 1);
  4641. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 36, 1);
  4642. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 37, 1);
  4643. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 38, 26);
  4644. *(uint32_t*)0x20000001d030 = 0;
  4645. *(uint32_t*)0x20000001d034 = 0;
  4646. *(uint64_t*)0x20000001d038 = 0;
  4647. *(uint64_t*)0x20000001d040 = 0;
  4648. *(uint64_t*)0x20000001d048 = 0;
  4649. *(uint64_t*)0x20000001d050 = 0;
  4650. *(uint32_t*)0x20000001d058 = 0;
  4651. *(uint32_t*)0x20000001d05c = 0;
  4652. *(uint64_t*)0x20000001d060 = 0;
  4653. *(uint32_t*)0x20000001d068 = 0;
  4654. *(uint16_t*)0x20000001d06c = 0;
  4655. *(uint16_t*)0x20000001d06e = 0;
  4656. *(uint32_t*)0x20000001d070 = 0;
  4657. *(uint32_t*)0x20000001d074 = 0;
  4658. *(uint64_t*)0x20000001d078 = 0;
  4659. syscall(__NR_perf_event_open, /*attr=*/0x20000001d000ul, /*pid=*/0,
  4660. /*cpu=*/-1, /*group=*/-1, /*flags=*/0ul);
  4661. res = syscall(__NR_getpid);
  4662. if (res != -1)
  4663. r[77] = res;
  4664. syscall(__NR_getpriority, /*which=*/0ul, /*who=*/r[77]);
  4665. syscall(__NR_getpriority, /*which=*/0ul, /*who=*/r[77]);
  4666. *(uint64_t*)0x200000000000 = 0x73b7;
  4667. *(uint32_t*)0x200000000008 = 0;
  4668. *(uint32_t*)0x20000000000c = 3;
  4669. syscall(__NR_ptrace, /*req=*/0x4209ul, /*pid=*/r[77],
  4670. /*args=*/0x200000000000ul, /*data=*/0x200000000100ul);
  4671. *(uint64_t*)0x200000000000 = 0x73b7;
  4672. *(uint32_t*)0x200000000008 = 0;
  4673. *(uint32_t*)0x20000000000c = 3;
  4674. syscall(__NR_ptrace, /*req=*/0x4209ul, /*pid=*/r[77],
  4675. /*args=*/0x200000000000ul, /*data=*/0x200000000100ul);
  4676. res = syscall(__NR_socket, /*domain=AF_NETLINK*/ 0x10ul,
  4677. /*type=SOCK_RAW*/ 3ul, /*proto=*/0);
  4678. if (res != -1)
  4679. r[78] = res;
  4680. *(uint16_t*)0x200000000040 = 1;
  4681. *(uint64_t*)0x200000000048 = 0x200000000000;
  4682. *(uint16_t*)0x200000000000 = 0x45;
  4683. *(uint8_t*)0x200000000002 = 0;
  4684. *(uint8_t*)0x200000000003 = 0;
  4685. *(uint32_t*)0x200000000004 = 0;
  4686. syscall(__NR_seccomp, /*op=*/1ul, /*flags=*/0ul, /*arg=*/0x200000000040ul);
  4687. *(uint32_t*)0x200000000000 = 0xfffffffb;
  4688. *(uint32_t*)0x200000000004 = 0;
  4689. *(uint32_t*)0x200000000008 = 0;
  4690. *(uint32_t*)0x20000000000c = 0;
  4691. syscall(__NR_setsockopt, /*fd=*/r[78], /*level=*/0x10e, /*opt=*/0xc,
  4692. /*arg=*/0x200000000000ul, /*arglen=*/0x10ul);
  4693. memcpy((void*)0x200000000140,
  4694. "\x24\x00\x00\x00\x1a\x00\x5f\x02\x14\xf9\xf4\x07\x00\x09\x09\x00\x0a"
  4695. "\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x08\x00\x0f\x00\xff\xff"
  4696. "\xf0\x00",
  4697. 36);
  4698. syscall(__NR_write, /*fd=*/r[78], /*buf=*/0x200000000140ul, /*count=*/0x24ul);
  4699. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  4700. if (res != -1)
  4701. r[79] = res;
  4702. *(uint32_t*)0x200000000040 = 0;
  4703. syscall(__NR_getsockopt, /*fd=*/r[79], /*level=*/6, /*optname=*/3,
  4704. /*optval=*/0ul, /*optlen=*/0x200000000040ul);
  4705. memcpy((void*)0x200000000800, "/dev/ttyS3\000", 11);
  4706. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  4707. /*file=*/0x200000000800ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
  4708. if (res != -1)
  4709. r[80] = res;
  4710. syscall(__NR_ioctl, /*fd=*/r[80], /*cmd=*/0xf50f, /*arg=*/0ul);
  4711. syscall(__NR_getrandom, /*buf=*/0x200000000080ul,
  4712. /*len=*/0xfffffffffffffe77ul, /*flags=*/0ul);
  4713. memcpy((void*)0x200000000080, "ext4\000", 5);
  4714. memcpy((void*)0x2000000007c0, "./file0\000", 8);
  4715. *(uint8_t*)0x2000000000c0 = 0;
  4716. memcpy(
  4717. (void*)0x200000000fc0,
  4718. "\x78\x9c\xec\xdd\xcd\x6b\x1c\xe5\x1f\x00\xf0\xef\x6c\x92\xa6\xbf\xb4\x3f"
  4719. "\x13\x41\xd0\x7a\x0a\x08\x1a\x28\xdd\x98\x1a\x5b\x05\x0f\x15\x0f\x22\x58"
  4720. "\x28\xe8\xd9\x76\xd9\x6c\x43\xcd\x6e\xb6\x64\x37\xa5\x09\x01\x2d\x22\x78"
  4721. "\x11\x54\x3c\x08\x7a\xe9\xd9\x97\x7a\xf3\xea\xcb\x55\xff\x0b\x0f\xd2\x52"
  4722. "\x35\x2d\x56\x3c\x48\x64\x36\xb3\xe9\xb6\xd9\x4d\x37\x6d\x92\x45\xf7\xf3"
  4723. "\x81\xa7\x7d\x9e\x99\xd9\x3c\xf3\x9d\x67\x66\x9e\x67\x77\x86\x99\x00\xfa"
  4724. "\xd6\x78\xfa\x4f\x2e\xe2\x50\x44\x7c\x90\x44\x8c\x66\xd3\x93\x88\x18\x6a"
  4725. "\xe4\x06\x23\x4e\xac\x2f\x77\x6b\x75\xa5\x98\xa6\x24\xd6\xd6\x5e\xfb\x2d"
  4726. "\x69\x2c\x73\x73\x75\xa5\x18\x2d\x9f\x49\x1d\xc8\x0a\x8f\x45\xc4\xf7\xef"
  4727. "\x46\x1c\xce\x6d\xae\xb7\xb6\xb4\x3c\x57\x28\x97\x4b\x0b\x59\x79\xb2\x5e"
  4728. "\x39\x3f\x59\x5b\x5a\x3e\x72\xae\x52\x98\x2d\xcd\x96\xe6\x8f\x4d\x4d\x4f"
  4729. "\x1f\x3d\xfe\xec\xf1\x63\x3b\x17\xeb\x1f\x3f\x2d\x1f\xbc\xf6\xe1\xcb\x4f"
  4730. "\x7d\x75\xe2\xaf\x77\x1e\xbd\xf2\xfe\x0f\x49\x9c\x88\x83\xd9\xbc\xd6\x38"
  4731. "\x76\xca\x78\x8c\x67\xdb\x64\x28\xdd\x84\x77\x78\x69\xa7\x2b\xeb\xb1\xa4"
  4732. "\xd7\x2b\xc0\x7d\x49\x0f\xcd\x81\xf5\xa3\x3c\x0e\xc5\x68\x0c\x34\x72\x00"
  4733. "\xc0\x7f\xd9\x5b\x11\xb1\x06\x00\xf4\x99\x44\xff\x0f\x00\x7d\xa6\xf9\x3b"
  4734. "\xc0\xcd\xd5\x95\x62\x33\xf5\xf6\x17\x89\xbd\x75\xfd\xc5\x88\xd8\xbf\x1e"
  4735. "\x7f\xf3\xfa\xe6\xfa\x9c\xc1\xec\x9a\xdd\xfe\xc6\x75\xd0\x91\x9b\xc9\x1d"
  4736. "\x57\x46\x92\x88\x18\xdb\x81\xfa\xc7\x23\xe2\xb3\x6f\xde\xf8\x22\x4d\xb1"
  4737. "\x4b\xd7\x21\x01\xda\x79\xfb\x52\x44\x9c\x19\x1b\xdf\x7c\xfe\x4f\x36\xdd"
  4738. "\xb3\xb0\x5d\x4f\x77\xb1\xcc\xf8\x5d\x65\xe7\x3f\xd8\x3b\xdf\xa6\xe3\x9f"
  4739. "\xe7\xda\x8d\xff\x72\x1b\xe3\x9f\x68\x33\xfe\x19\x6e\x73\xec\xde\x8f\x7b"
  4740. "\x1f\xff\xb9\xab\x3b\x50\x4d\x47\xe9\xf8\xef\x85\x96\x7b\xdb\x6e\xb5\xc4"
  4741. "\x9f\x19\x1b\xc8\x4a\xff\x6f\x8c\xf9\x86\x92\xb3\xe7\xca\xa5\xf4\xdc\xf6"
  4742. "\x50\x44\x4c\xc4\xd0\x70\x5a\x9e\xda\xa2\x8e\x89\x1b\x7f\xdf\xe8\x34\xaf"
  4743. "\x75\xfc\xf7\xfb\x47\x6f\x7e\x9e\xd6\x9f\xfe\x7f\x7b\x89\xdc\xd5\xc1\xe1"
  4744. "\x3b\x3f\x33\x53\xa8\x17\x1e\x24\xe6\x56\xd7\x2f\x45\x3c\x3e\xd8\x2e\xfe"
  4745. "\x64\xa3\xfd\x93\x0e\xe3\xdf\x53\x5d\xd6\xf1\xca\xf3\xef\x7d\xda\x69\x5e"
  4746. "\x1a\x7f\x1a\x6f\x33\x6d\x8e\x7f\x77\xad\x5d\x8e\x78\xb2\x6d\xfb\xdf\xbe"
  4747. "\xa3\x2d\xd9\xf2\xfe\xc4\xc9\xc6\xee\x30\xd9\xdc\x29\xda\xf8\xfa\xe7\x4f"
  4748. "\x46\x3a\xd5\xdf\xda\xfe\x69\x4a\xeb\x6f\x7e\x17\xd8\x0b\x69\xfb\x8f\x6c"
  4749. "\x1d\xff\x58\xd2\x7a\xbf\x66\x6d\xfb\x75\xfc\x78\x79\xf4\xbb\x4e\xf3\xee"
  4750. "\x1d\x7f\xfb\xfd\x7f\x5f\xf2\x7a\x23\xbf\x2f\x9b\x76\xb1\x50\xaf\x2f\x4c"
  4751. "\x45\xec\x4b\x5e\xdd\x3c\xfd\xe8\xed\xcf\x36\xcb\xcd\xe5\xd3\xf8\x27\x9e"
  4752. "\x68\x7f\xfc\x6f\xb5\xff\xa7\xdf\x09\xcf\x74\x19\xff\xe0\xb5\x5f\xbf\xbc"
  4753. "\xff\xf8\x77\x57\x1a\xff\xcc\xb6\xda\x7f\xfb\x99\x2b\xb7\xe6\x06\x3a\xd5"
  4754. "\xdf\x5d\xfb\x4f\x37\x72\x13\xd9\x94\x6e\xce\x7f\xdd\xae\xe0\x83\x6c\x3b"
  4755. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4756. "\x00\xe8\x56\x2e\x22\x0e\x46\x92\xcb\x6f\xe4\x73\xb9\x7c\x7e\xfd\x1d\xde"
  4757. "\x8f\xc4\x48\xae\x5c\xad\xd5\x0f\x9f\xad\x2e\xce\xcf\x44\xe3\x5d\xd9\x63"
  4758. "\x31\x94\x6b\x3e\xea\x72\xb4\xe5\x79\xa8\x53\xd9\xf3\xf0\x9b\xe5\xa3\x77"
  4759. "\x95\x9f\x89\x88\x87\x23\xe2\xe3\xe1\xff\x35\xca\xf9\x62\xb5\x3c\xd3\xeb"
  4760. "\xe0\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4761. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x73\xa0\xc3"
  4762. "\xfb\xff\x53\xbf\x0c\xf7\x7a\xed\x00\x80\x5d\xb3\xbf\xd7\x2b\x00\x00\xec"
  4763. "\x39\xfd\x3f\x00\xf4\x1f\xfd\x3f\x00\xf4\x1f\xfd\x3f\x00\xf4\x1f\xfd\x3f"
  4764. "\x00\xf4\x1f\xfd\x3f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4765. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4766. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4767. "\x00\x00\xbb\xec\xd4\xc9\x93\x69\x5a\xfb\x73\x75\xa5\x98\x96\x67\x2e\x2c"
  4768. "\x2d\xce\x55\x2f\x1c\x99\x29\xd5\xe6\xf2\x95\xc5\x62\xbe\x58\x5d\x38\x9f"
  4769. "\x9f\xad\x56\x67\xcb\xa5\x7c\xb1\x5a\xb9\xd7\xdf\x2b\x57\xab\xe7\xa7\x63"
  4770. "\x7e\xf1\xe2\x64\xbd\x54\xab\x4f\xd6\x96\x96\x4f\x57\xaa\x8b\xf3\xf5\xd3"
  4771. "\xe7\x2a\x85\xd9\xd2\xe9\xd2\xd0\x9e\x44\x05\x00\x00\x00\x00\x00\x00\x00"
  4772. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4773. "\x00\x00\x00\x00\x00\x00\xdb\x53\x5b\x5a\x9e\x2b\x94\xcb\xa5\x05\x19\x19"
  4774. "\x19\x99\x8d\x4c\xaf\xcf\x4c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4775. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4776. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4777. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4778. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4779. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4780. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4781. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4782. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4783. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4784. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4785. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4786. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4787. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4788. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4789. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4790. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4791. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4792. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4793. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4794. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4795. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4796. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4797. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4798. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4799. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4800. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4801. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4802. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4803. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4804. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4805. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4806. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4807. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4808. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4809. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4810. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4811. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4812. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4813. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4814. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4815. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4816. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4817. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4818. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4819. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4820. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4821. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff"
  4822. "\x0e\xff\x04\x00\x00\xff\xff\x3e\x07\x2a\x2f",
  4823. 1883);
  4824. syz_mount_image(/*fs=*/0x200000000080, /*dir=*/0x2000000007c0,
  4825. /*flags=MS_NOATIME|MS_DIRSYNC*/ 0x480,
  4826. /*opts=*/0x2000000000c0, /*chdir=*/1, /*size=*/0x75b,
  4827. /*img=*/0x200000000fc0);
  4828. *(uint32_t*)0x20000001d000 = 2;
  4829. *(uint32_t*)0x20000001d004 = 0x80;
  4830. *(uint8_t*)0x20000001d008 = 0xe0;
  4831. *(uint8_t*)0x20000001d009 = 1;
  4832. *(uint8_t*)0x20000001d00a = 0;
  4833. *(uint8_t*)0x20000001d00b = 0;
  4834. *(uint32_t*)0x20000001d00c = 0;
  4835. *(uint64_t*)0x20000001d010 = 0x2000;
  4836. *(uint64_t*)0x20000001d018 = 0;
  4837. *(uint64_t*)0x20000001d020 = 0;
  4838. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 0, 1);
  4839. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 1, 1);
  4840. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 2, 1);
  4841. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 3, 1);
  4842. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 4, 1);
  4843. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 5, 1);
  4844. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 6, 1);
  4845. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 7, 1);
  4846. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 8, 1);
  4847. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 9, 1);
  4848. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 10, 1);
  4849. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 11, 1);
  4850. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 12, 1);
  4851. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 13, 1);
  4852. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 14, 1);
  4853. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 15, 2);
  4854. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 17, 1);
  4855. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 18, 1);
  4856. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 19, 1);
  4857. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 20, 1);
  4858. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 21, 1);
  4859. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 22, 1);
  4860. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 23, 1);
  4861. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 24, 1);
  4862. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 25, 1);
  4863. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 26, 1);
  4864. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 27, 1);
  4865. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 28, 1);
  4866. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 29, 1);
  4867. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 30, 1);
  4868. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 31, 1);
  4869. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 32, 1);
  4870. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 33, 1);
  4871. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 34, 1);
  4872. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 35, 1);
  4873. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 36, 1);
  4874. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 37, 1);
  4875. STORE_BY_BITMASK(uint64_t, , 0x20000001d028, 0, 38, 26);
  4876. *(uint32_t*)0x20000001d030 = 0;
  4877. *(uint32_t*)0x20000001d034 = 0;
  4878. *(uint64_t*)0x20000001d038 = 0x800;
  4879. *(uint64_t*)0x20000001d040 = 1;
  4880. *(uint64_t*)0x20000001d048 = 0x120;
  4881. *(uint64_t*)0x20000001d050 = 0;
  4882. *(uint32_t*)0x20000001d058 = 6;
  4883. *(uint32_t*)0x20000001d05c = 6;
  4884. *(uint64_t*)0x20000001d060 = 0;
  4885. *(uint32_t*)0x20000001d068 = 0;
  4886. *(uint16_t*)0x20000001d06c = 0xfffd;
  4887. *(uint16_t*)0x20000001d06e = 0;
  4888. *(uint32_t*)0x20000001d070 = 0;
  4889. *(uint32_t*)0x20000001d074 = 0;
  4890. *(uint64_t*)0x20000001d078 = 0;
  4891. res = syscall(__NR_perf_event_open, /*attr=*/0x20000001d000ul, /*pid=*/0,
  4892. /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  4893. if (res != -1)
  4894. r[81] = res;
  4895. memcpy((void*)0x200000000240, "/dev/loop-control\000", 18);
  4896. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000240ul,
  4897. /*flags=__O_TMPFILE|O_NOCTTY|O_APPEND*/ 0x400500, /*mode=*/0);
  4898. memcpy((void*)0x200000000040, "blkio.bfq.avg_queue_size\000", 25);
  4899. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000040ul,
  4900. /*flags=*/0x275a, /*mode=*/0);
  4901. if (res != -1)
  4902. r[82] = res;
  4903. syscall(__NR_fchdir, /*fd=*/r[81]);
  4904. res = syscall(__NR_socket, /*domain=AF_INET*/ 2ul, /*type=SOCK_RAW*/ 3ul,
  4905. /*proto=*/8);
  4906. if (res != -1)
  4907. r[83] = res;
  4908. res = syscall(__NR_getuid);
  4909. if (res != -1)
  4910. r[84] = res;
  4911. memcpy((void*)0x200000000140, "msdos\000", 6);
  4912. memcpy((void*)0x200000000040, "./file0\000", 8);
  4913. *(uint64_t*)0x200000000100 = r[84];
  4914. sprintf((char*)0x200000000108, "%020llu", (long long)-1);
  4915. sprintf((char*)0x20000000011c, "0x%016llx", (long long)r[84]);
  4916. memcpy(
  4917. (void*)0x200000000280,
  4918. "\x78\x9c\xec\xd5\xbd\x6e\xd3\x50\x18\x06\xe0\xaf\x69\x28\x81\xa9\x33\x62"
  4919. "\x38\x12\x0b\x53\x55\xd8\x98\x08\x42\xa9\x54\x61\x09\x09\x94\x01\x26\x22"
  4920. "\x35\x2c\x31\x42\x8a\x17\x27\x53\x2f\x81\x0b\xe0\xc2\x18\xb8\x08\x94\xa9"
  4921. "\x5b\x50\x65\x17\x68\xc5\x58\xff\xa8\x79\x9e\x25\x9f\xf2\xda\x3e\xe7\x3d"
  4922. "\x83\xfd\xe9\xf1\x97\xc5\xd9\xd7\xe2\xf3\x8f\x6f\xdf\x63\x34\xde\x8b\xc1"
  4923. "\x38\x1e\x0c\x2e\xf6\xe2\x30\x06\x71\xe5\x3c\x00\x80\xbb\xe4\x62\xbb\x8d"
  4924. "\x5f\xdb\x4a\xd7\x7b\x01\x00\xda\xe1\xfb\x0f\x00\xbb\xe7\xfd\x87\x8f\x6f"
  4925. "\x5e\x65\xd9\xe4\x5d\x4a\xa3\x88\xcd\x79\x39\x2d\xa7\xd5\x6f\x95\x9f\x9c"
  4926. "\x66\x93\xe3\x74\xe9\xe0\x9f\xbb\x36\x65\x39\xdd\xff\x93\x3f\x4b\x95\xeb"
  4927. "\xf9\xbd\x78\x58\xe7\xcf\xff\x9b\x1f\xc4\xd3\x27\x55\x7e\x99\xbd\x7e\x9b"
  4928. "\xdd\xc8\xef\xc7\x59\xe3\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4929. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4930. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4931. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4932. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4933. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4934. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4935. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xb7\x1d\xa5\x34\x8c\x88\x94\x52"
  4936. "\x3a\xfc\xfb\xef\xa6\x2c\xa7\xfb\x55\x7e\x94\xae\xdc\xc8\xab\xe9\xe4\x34"
  4937. "\x9b\x1c\xd7\x17\x5c\xcf\x87\xf1\x68\xd8\x5a\x0d\x00\x00\x00\x00\x00\x00"
  4938. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4939. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4940. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4941. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4942. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4943. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4944. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x16\x14\xab\xf5\x62"
  4945. "\x96\xe7\xf3\xe5\x1d\x1b\x22\x7e\x46\xcb\x8b\x8e\xea\x23\x6d\xb9\xe9\xb8"
  4946. "\x5e\xb6\x2f\x27\xdf\xe4\xf0\xb2\x89\x27\xbf\x88\x88\xbe\x14\xec\xd1\xd0"
  4947. "\xe1\x4b\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4948. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4949. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4950. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4951. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4952. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4953. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4954. "\x00\x00\xe8\x54\xb1\x5a\x2f\x66\x79\x3e\x5f\x16\x5d\xef\x04\x00\x00\x00"
  4955. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4956. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4957. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4958. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4959. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4960. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4961. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4962. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4963. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4964. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4965. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4966. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4967. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4968. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe8\x8b"
  4969. "\x62\xb5\x5e\xcc\xf2\x7c\xbe\x6c\x70\xe8\xba\x23\x00\x00\x00\x00\x00\x00"
  4970. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4971. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4972. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4973. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4974. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4975. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4976. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4977. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4978. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4979. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4980. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4981. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4982. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4983. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4984. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4985. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4986. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4987. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4988. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4989. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  4990. "\x00\x00\x00\x00\x00\x00\xd0\x8d\xdf\x01\x00\x00\xff\xff\xcf\x08\x2e"
  4991. "\x3a",
  4992. 1314);
  4993. syz_mount_image(/*fs=*/0x200000000140, /*dir=*/0x200000000040, /*flags=*/0,
  4994. /*opts=*/0x200000000100, /*chdir=*/1, /*size=*/0x522,
  4995. /*img=*/0x200000000280);
  4996. syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0ul, /*flags=*/0x275a,
  4997. /*mode=*/0);
  4998. memcpy((void*)0x200000001100, "./bus\000", 6);
  4999. res = syscall(
  5000. __NR_open, /*file=*/0x200000001100ul,
  5001. /*flags=O_TRUNC|O_SYNC|O_NOATIME|O_LARGEFILE|O_DIRECT|O_CREAT|0x3e*/
  5002. 0x14d27eul, /*mode=*/0ul);
  5003. if (res != -1)
  5004. r[85] = res;
  5005. memcpy((void*)0x2000000003c0, "cgroup2\000", 8);
  5006. res = syscall(__NR_fsopen, /*type=*/0x2000000003c0ul, /*flags=*/0ul);
  5007. if (res != -1)
  5008. r[86] = res;
  5009. syscall(__NR_fsconfig, /*fd=*/r[86], /*cmd=*/6ul, /*key=*/0ul, /*value=*/0ul,
  5010. /*aux=*/0ul);
  5011. syscall(__NR_fallocate, /*fd=*/r[85], /*mode=*/0ul, /*off=*/0ul,
  5012. /*len=*/0x1000f0ul);
  5013. res = -1;
  5014. res = syz_open_dev(/*dev=*/0xc, /*major=*/4, /*minor=*/1);
  5015. if (res != -1)
  5016. r[87] = res;
  5017. *(uint64_t*)0x2000000012c0 = 0x200000000100;
  5018. memcpy(
  5019. (void*)0x200000000100,
  5020. "\xfc\x4c\x10\xf4\xdd\xd9\x01\x27\x89\x55\x25\x74\x0a\xda\xae\xcd\x81\xac"
  5021. "\xbc\x98\x01\x32\x09\x83\x17\x1c\x49\x0e\x9c\x03\xa5\x26\xb6\x1c\x3f\xe4"
  5022. "\x3f\x77\x23\x36\xf6\xfe\x5b\x61\x94\xa3\xd0\xab\x5d\xcd\x23\xe6\x45\xc8"
  5023. "\x09\xef\xe6\x51\x0d\xb1\x0b\x72\x04\xfc\x00\xa0\x2f\x2f\xc8\x1f\x8b\x51"
  5024. "\xd6\xf2\xf4\xbe\xfa\x16\xae\x3e\x1d\xa5\x82\x9b\x39\x3b",
  5025. 86);
  5026. *(uint64_t*)0x2000000012c8 = 0x56;
  5027. syscall(__NR_writev, /*fd=*/r[87], /*vec=*/0x2000000012c0ul, /*vlen=*/1ul);
  5028. *(uint64_t*)0x200000000200 = 0x200000000000;
  5029. *(uint64_t*)0x200000000208 = 0x7ffff000;
  5030. *(uint64_t*)0x200000000210 = 0x200000000100;
  5031. *(uint64_t*)0x200000000218 = 0x22;
  5032. syscall(__NR_preadv2, /*fd=*/r[85], /*vec=*/0x200000000200ul, /*vlen=*/2ul,
  5033. /*off_low=*/0, /*off_high=*/0, /*flags=*/0ul);
  5034. memcpy((void*)0x200000000000,
  5035. "sit0\000\000\000\000\000\000\000\000\000\000\000\000", 16);
  5036. *(uint16_t*)0x200000000010 = 2;
  5037. *(uint16_t*)0x200000000012 = htobe16(0);
  5038. *(uint32_t*)0x200000000014 = htobe32(0);
  5039. syscall(__NR_ioctl, /*fd=*/r[83], /*cmd=*/0x8915, /*arg=*/0x200000000000ul);
  5040. memcpy((void*)0x200000000000, "#! ", 3);
  5041. *(uint8_t*)0x200000000003 = 0xa;
  5042. syscall(__NR_write, /*fd=*/r[82], /*data=*/0x200000000000ul,
  5043. /*len=*/0x208e24bul);
  5044. syscall(__NR_getrandom, /*buf=*/0x200000000180ul, /*len=*/0x84ul,
  5045. /*flags=GRND_NONBLOCK*/ 1ul);
  5046. syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xb36000ul,
  5047. /*prot=PROT_GROWSUP|PROT_WRITE|PROT_EXEC*/ 0x2000006ul,
  5048. /*flags=MAP_POPULATE|MAP_FIXED|MAP_ANONYMOUS|MAP_SHARED*/ 0x8031ul,
  5049. /*fd=*/-1, /*offset=*/0ul);
  5050. memcpy((void*)0x200000000800, "./control\000", 10);
  5051. syscall(__NR_creat, /*file=*/0x200000000800ul, /*mode=*/0ul);
  5052. *(uint64_t*)0x2000007aeff8 = 0;
  5053. res = syscall(__NR_signalfd, /*fd=*/-1, /*mask=*/0x2000007aeff8ul,
  5054. /*size=*/8ul);
  5055. if (res != -1)
  5056. r[88] = res;
  5057. syscall(__NR_close, /*fd=*/r[88]);
  5058. memcpy((void*)0x200000000000, "/dev/autofs\000", 12);
  5059. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  5060. /*file=*/0x200000000000ul, /*flags=*/0, /*mode=*/0);
  5061. if (res != -1)
  5062. r[89] = res;
  5063. syscall(__NR_ioctl, /*fd=*/r[89], /*cmd=*/0x541b, /*arg=*/0ul);
  5064. memcpy((void*)0x2000000004c0, "/dev/sg#\000", 9);
  5065. syz_open_dev(/*dev=*/0x2000000004c0, /*id=*/0, /*flags=*/0);
  5066. res = syscall(__NR_epoll_create, /*size=*/4);
  5067. if (res != -1)
  5068. r[90] = res;
  5069. memcpy((void*)0x200000000180, "/dev/input/event#\000", 18);
  5070. res = -1;
  5071. res = syz_open_dev(/*dev=*/0x200000000180, /*id=*/0xe,
  5072. /*flags=O_DIRECT*/ 0x4000);
  5073. if (res != -1)
  5074. r[91] = res;
  5075. syscall(__NR_fcntl, /*fd=*/r[91], /*cmd=*/0x40dul, /*hint=*/0x2000000001c0ul);
  5076. memcpy((void*)0x200000000040, "./control\000", 10);
  5077. memcpy((void*)0x200000000000, "9p\000", 3);
  5078. memcpy((void*)0x2000000003c0, "trans=fd,rfdno=", 15);
  5079. sprintf((char*)0x2000000003cf, "0x%016llx", (long long)r[88]);
  5080. memcpy((void*)0x2000000003e1, ",wfdno=", 7);
  5081. sprintf((char*)0x2000000003e8, "0x%016llx", (long long)r[90]);
  5082. syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x200000000040ul,
  5083. /*type=*/0x200000000000ul, /*flags=*/0ul, /*opts=*/0x2000000003c0ul);
  5084. memcpy((void*)0x200000000440, "ext4\000", 5);
  5085. memcpy((void*)0x200000000480, "./bus\000", 6);
  5086. memcpy((void*)0x2000000000c0, "resgid", 6);
  5087. *(uint8_t*)0x2000000000c6 = 0x3d;
  5088. sprintf((char*)0x2000000000c7, "0x%016llx", (long long)0xee01);
  5089. *(uint8_t*)0x2000000000d9 = 0x2c;
  5090. memcpy((void*)0x2000000000da, "bsdgroups", 9);
  5091. *(uint8_t*)0x2000000000e3 = 0x2c;
  5092. memcpy((void*)0x2000000000e4, "debug_want_extra_isize", 22);
  5093. *(uint8_t*)0x2000000000fa = 0x3d;
  5094. sprintf((char*)0x2000000000fb, "0x%016llx", (long long)0x80);
  5095. *(uint8_t*)0x20000000010d = 0x2c;
  5096. memcpy((void*)0x20000000010e, "resuid", 6);
  5097. *(uint8_t*)0x200000000114 = 0x3d;
  5098. sprintf((char*)0x200000000115, "0x%016llx", (long long)0);
  5099. *(uint8_t*)0x200000000127 = 0x2c;
  5100. memcpy((void*)0x200000000128, "init_itable", 11);
  5101. *(uint8_t*)0x200000000133 = 0x3d;
  5102. sprintf((char*)0x200000000134, "0x%016llx", (long long)0xcc72);
  5103. *(uint8_t*)0x200000000146 = 0x2c;
  5104. memcpy((void*)0x200000000147, "usrquota", 8);
  5105. *(uint8_t*)0x20000000014f = 0x2c;
  5106. memcpy((void*)0x200000000150, "stripe", 6);
  5107. *(uint8_t*)0x200000000156 = 0x3d;
  5108. sprintf((char*)0x200000000157, "0x%016llx", (long long)4);
  5109. *(uint8_t*)0x200000000169 = 0x2c;
  5110. *(uint8_t*)0x20000000016a = 0;
  5111. memcpy(
  5112. (void*)0x200000000900,
  5113. "\x78\x9c\xec\xdb\xcb\x6f\x1b\xc5\x1f\x00\xf0\xef\xae\x93\xf6\xf7\xeb\x83"
  5114. "\x84\x52\x1e\x2d\x05\x0c\x05\x11\xf1\x48\x9a\xb4\x40\x0f\x5c\x40\x20\x71"
  5115. "\x00\x09\x09\x0e\xe5\x18\x92\xb4\x0a\x75\x1b\xd4\x04\x89\x56\x11\x04\x84"
  5116. "\xca\x11\x55\xe2\x8e\x38\x22\xf1\x17\x70\x82\x0b\x02\x4e\x48\x5c\xe1\x8e"
  5117. "\x2a\x55\x28\x97\x16\x4e\x46\x6b\xef\x26\xae\x63\x87\x3c\x9c\xba\xb0\x9f"
  5118. "\x8f\xb4\xed\x8c\x77\x9c\x99\xaf\x67\xc7\x9e\x9d\xb1\x03\x28\xad\x6a\xf6"
  5119. "\x4f\x12\xb1\x2f\x22\x7e\x8d\x88\xa1\x66\xf6\xe6\x02\xd5\xe6\x7f\x37\x96"
  5120. "\x17\xa7\xfe\x5c\x5e\x9c\x4a\xa2\x5e\x7f\xe3\x8f\xa4\x51\xee\xfa\xf2\xe2"
  5121. "\x54\x51\xb4\x78\xde\xde\x3c\x33\x92\x46\xa4\x9f\x24\x6d\x7f\xb0\x69\xfe"
  5122. "\xe2\xa5\xb3\x93\xb5\xda\xcc\x85\x3c\x3f\xb6\x70\xee\xdd\xb1\xf9\x8b\x97"
  5123. "\x9e\x9e\x3d\x37\x79\x66\xe6\xcc\xcc\xf9\x89\x93\x27\x4f\x1c\x1f\x7f\xee"
  5124. "\xd9\x89\x67\x7a\x12\x67\xd6\xa6\xeb\x87\x3f\x98\x3b\x72\xe8\x95\xb7\xae"
  5125. "\xbc\x36\x75\xea\xca\xdb\x3f\x7e\x9d\x35\x6b\x5f\x7e\xbe\x35\x8e\x5e\xa9"
  5126. "\x46\xb5\x53\xe8\x0d\x8f\xf5\xba\xb2\x3e\xdb\xdf\x92\x4e\x06\xfa\xd8\x10"
  5127. "\x36\xa5\x12\x11\x59\x77\x0d\x36\xc6\xff\x50\x54\x62\xb5\xf3\x86\xe2\xe5"
  5128. "\x8f\xfb\xda\x38\x60\x47\xd5\xeb\xf5\xfa\xee\xee\xa7\x97\xea\xc0\x7f\x58"
  5129. "\x12\xfd\x6e\x01\xd0\x1f\xc5\x07\x7d\x76\xff\x5b\x1c\xb7\x68\xea\x71\x5b"
  5130. "\xb8\xf6\x42\xf3\x06\x28\x8b\xfb\x46\x7e\x34\xcf\x0c\x44\x9a\x97\x19\x6c"
  5131. "\xbb\xbf\xed\xa5\x6a\x44\x9c\x5a\xfa\xeb\x8b\xec\x88\x1d\x5a\x87\x00\x00"
  5132. "\x68\xf5\x6d\x36\xff\x79\xaa\xd3\xfc\x2f\x8d\x7b\x5a\xca\xdd\x91\xef\x0d"
  5133. "\x0d\x47\xc4\x9d\x11\x71\x20\x22\xee\x8a\x88\x83\x11\x71\x77\x44\xa3\xec"
  5134. "\xbd\x11\x71\xdf\x26\xeb\xaf\xb6\xe5\xd7\xce\x7f\xd2\xab\x5b\x0a\x6c\x83"
  5135. "\xb2\xf9\xdf\xf3\xf9\xde\xd6\xcd\xf3\xbf\x62\xf6\x17\xc3\x95\x3c\xb7\xbf"
  5136. "\x11\xff\x60\x72\x7a\xb6\x36\x73\x2c\x7f\x4d\x46\x62\x70\x77\x96\x1f\x5f"
  5137. "\xa7\x8e\xef\x5e\xfa\xe5\xb3\x6e\xe7\x5a\xe7\x7f\xd9\x91\xd5\x5f\xcc\x05"
  5138. "\xf3\x76\x5c\x1d\x68\x5b\xa0\x9b\x9e\x5c\x98\xdc\x4e\xcc\xad\xae\x7d\x14"
  5139. "\x71\x78\xa0\x53\xfc\xc9\xca\x4e\x40\x12\x11\x87\x22\xe2\xf0\x16\xeb\x98"
  5140. "\x7d\xe2\xab\x23\xdd\xce\xfd\x73\xfc\xeb\xe8\xc1\x3e\x53\xfd\xcb\x88\xc7"
  5141. "\x9b\xfd\xbf\x14\x6d\xf1\x17\x92\xf5\xf7\x27\xc7\xfe\x17\xb5\x99\x63\x63"
  5142. "\xc5\x55\xb1\xd6\x4f\x3f\x5f\x7e\xbd\x5b\xfd\xdb\x8a\xbf\x07\xb2\xfe\xdf"
  5143. "\xd3\xf1\xfa\x5f\x89\x7f\x38\x69\xdd\xaf\x9d\xdf\x7c\x1d\x97\x7f\xfb\xb4"
  5144. "\xeb\x3d\xcd\x56\xaf\xff\x5d\xc9\x9b\x8d\xf4\xae\xfc\xb1\xf7\x27\x17\x16"
  5145. "\x2e\x8c\x47\xec\x4a\x5e\x5d\xfb\xf8\xc4\xea\x73\x8b\x7c\x51\x3e\x8b\x7f"
  5146. "\xe4\x68\xe7\xf1\x7f\x20\x56\x5f\x89\xfb\x23\x22\xbb\x88\x1f\x88\x88\x07"
  5147. "\x23\xe2\xa1\xbc\xed\x0f\x47\xc4\x23\x11\x71\x74\x9d\xf8\x7f\x78\xf1\xd1"
  5148. "\x77\xb6\x1e\xff\xce\xca\xe2\x9f\xde\x54\xff\x6f\x3e\x51\x39\xfb\xfd\x37"
  5149. "\xdd\xea\xdf\x58\xff\x9f\x68\xa4\x46\xf2\x47\x36\xf2\xfe\xb7\xd1\x06\x6e"
  5150. "\xe7\xb5\x03\x00\x00\x80\x7f\x8b\xb4\xf1\x1d\xf8\x24\x1d\x5d\x49\xa7\xe9"
  5151. "\xe8\x68\xf3\xfb\xf2\x07\x63\x4f\x5a\x9b\x9b\x5f\x78\xf2\xf4\xdc\x7b\xe7"
  5152. "\xa7\x9b\xdf\x95\x1f\x8e\xc1\xb4\x58\xe9\x1a\x6a\x59\x0f\x1d\xcf\xd7\x86"
  5153. "\x8b\xfc\x44\x5b\xfe\x78\xbe\x6e\xfc\x79\xe5\xff\x8d\xfc\xe8\xd4\x5c\x6d"
  5154. "\xba\xdf\xc1\x43\xc9\xed\xed\x32\xfe\x33\xbf\x57\xfa\xdd\x3a\x60\xc7\xf9"
  5155. "\xbd\x16\x94\x97\xf1\x0f\xe5\x65\xfc\x43\x79\x19\xff\x50\x5e\xc6\x3f\x94"
  5156. "\x57\xa7\xf1\xff\x61\x1f\xda\x01\xdc\x7a\x3e\xff\xa1\xbc\x8c\x7f\x28\x2f"
  5157. "\xe3\x1f\xca\xcb\xf8\x87\x52\xda\xce\xef\xfa\x25\xca\x9c\x88\xf4\xb6\x68"
  5158. "\x86\xc4\x0e\x25\xfa\xfd\xce\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5159. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5160. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5161. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5162. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5163. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5164. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5165. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5166. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5167. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5168. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5169. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5170. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5171. "\x00\xd0\x1b\x7f\x07\x00\x00\xff\xff\x03\x34\xe6\x63",
  5172. 1057);
  5173. syz_mount_image(/*fs=*/0x200000000440, /*dir=*/0x200000000480, /*flags=*/0,
  5174. /*opts=*/0x2000000000c0, /*chdir=*/-1, /*size=*/0x421,
  5175. /*img=*/0x200000000900);
  5176. memcpy((void*)0x200000000080, "memory.events.local\000", 20);
  5177. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000080ul,
  5178. /*flags=*/0x275a, /*mode=*/0);
  5179. if (res != -1)
  5180. r[92] = res;
  5181. memcpy((void*)0x200000003a80, "#! ", 3);
  5182. *(uint8_t*)0x200000003a83 = 0xa;
  5183. syscall(__NR_write, /*fd=*/r[92], /*data=*/0x200000003a80ul,
  5184. /*len=*/0x208e24bul);
  5185. memcpy((void*)0x200000000200, "/dev/snd/seq\000", 13);
  5186. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000200ul,
  5187. /*flags=O_PATH|FASYNC*/ 0x202000, 0);
  5188. memcpy((void*)0x2000000010c0, "/dev/cdrom\000", 11);
  5189. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  5190. /*file=*/0x2000000010c0ul, /*flags=O_NONBLOCK*/ 0x800,
  5191. /*mode=*/0);
  5192. if (res != -1)
  5193. r[93] = res;
  5194. *(uint32_t*)0x2000000000c0 = -1;
  5195. *(uint16_t*)0x2000000000c4 = 0;
  5196. syscall(__NR_ioctl, /*fd=*/r[93], /*cmd=*/0x2275, /*arg=*/0x2000000000c0ul);
  5197. memcpy((void*)0x200000000140, "/proc/thread-self/attr/current\000", 31);
  5198. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000140ul,
  5199. /*flags=*/2, /*mode=*/0);
  5200. *(uint16_t*)0x200000000000 = 1;
  5201. *(uint64_t*)0x200000000008 = 0x2000000000c0;
  5202. *(uint16_t*)0x2000000000c0 = 6;
  5203. *(uint8_t*)0x2000000000c2 = 0;
  5204. *(uint8_t*)0x2000000000c3 = 0;
  5205. *(uint32_t*)0x2000000000c4 = 0;
  5206. syscall(__NR_seccomp, /*op=*/1ul, /*flags=*/0ul, /*arg=*/0x200000000000ul);
  5207. syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0ul, /*flags=*/0x275a,
  5208. /*mode=*/0);
  5209. memcpy((void*)0x200000000180, "fd/3\000", 5);
  5210. syz_open_procfs(/*pid=*/0, /*file=*/0x200000000180);
  5211. syscall(__NR_close, /*fd=*/4);
  5212. res = syscall(__NR_socket, /*domain=*/1ul, /*type=SOCK_DGRAM*/ 2ul,
  5213. /*proto=*/0);
  5214. if (res != -1)
  5215. r[94] = res;
  5216. *(uint16_t*)0x200000000000 = 1;
  5217. *(uint8_t*)0x200000000002 = 0;
  5218. *(uint32_t*)0x200000000004 = 0;
  5219. syscall(__NR_bind, /*fd=*/r[94], /*addr=*/0x200000000000ul,
  5220. /*addrlen=*/0x6eul);
  5221. memcpy((void*)0x200000000000, "net/unix\000", 9);
  5222. res = -1;
  5223. res = syz_open_procfs(/*pid=*/0, /*file=*/0x200000000000);
  5224. if (res != -1)
  5225. r[95] = res;
  5226. *(uint64_t*)0x200000000240 = 0x200000000100;
  5227. *(uint64_t*)0x200000000248 = 0xec;
  5228. syscall(__NR_preadv, /*fd=*/r[95], /*vec=*/0x200000000240ul, /*vlen=*/1ul,
  5229. /*off_low=*/0, /*off_high=*/0);
  5230. syscall(__NR_mknodat, /*dirfd=*/-1, /*file=*/0ul, /*mode=*/8ul,
  5231. /*dev=*/0x103);
  5232. *(uint16_t*)0x200000000080 = 0xa;
  5233. *(uint16_t*)0x200000000082 = htobe16(0x4e22);
  5234. *(uint32_t*)0x200000000084 = htobe32(0x10001);
  5235. *(uint8_t*)0x200000000088 = 0xfe;
  5236. *(uint8_t*)0x200000000089 = 0x80;
  5237. memset((void*)0x20000000008a, 0, 13);
  5238. *(uint8_t*)0x200000000097 = 0xbb;
  5239. *(uint32_t*)0x200000000098 = 0xec;
  5240. STORE_BY_BITMASK(uint8_t, , 0x200000000280, 1, 0, 4);
  5241. STORE_BY_BITMASK(uint8_t, , 0x200000000280, 6, 4, 4);
  5242. memcpy((void*)0x200000000281, "\xec\x70\x09", 3);
  5243. *(uint16_t*)0x200000000284 = htobe16(0x25a);
  5244. *(uint8_t*)0x200000000286 = 0x2f;
  5245. *(uint8_t*)0x200000000287 = 1;
  5246. *(uint8_t*)0x200000000288 = 0xfe;
  5247. *(uint8_t*)0x200000000289 = 0x80;
  5248. memset((void*)0x20000000028a, 0, 13);
  5249. *(uint8_t*)0x200000000297 = 0xc;
  5250. *(uint8_t*)0x200000000298 = 0xfc;
  5251. *(uint8_t*)0x200000000299 = 2;
  5252. memset((void*)0x20000000029a, 0, 13);
  5253. *(uint8_t*)0x2000000002a7 = 0;
  5254. *(uint8_t*)0x2000000002a8 = 0;
  5255. *(uint8_t*)0x2000000002a9 = 4;
  5256. *(uint8_t*)0x2000000002aa = 4;
  5257. *(uint8_t*)0x2000000002ab = 2;
  5258. *(uint8_t*)0x2000000002ac = 5;
  5259. *(uint8_t*)0x2000000002ad = 0xe0;
  5260. *(uint16_t*)0x2000000002ae = 3;
  5261. *(uint8_t*)0x2000000002b0 = 0xfe;
  5262. *(uint8_t*)0x2000000002b1 = 0x80;
  5263. memset((void*)0x2000000002b2, 0, 13);
  5264. *(uint8_t*)0x2000000002bf = 0xbb;
  5265. *(uint8_t*)0x2000000002c0 = 0xfc;
  5266. *(uint8_t*)0x2000000002c1 = 0;
  5267. memset((void*)0x2000000002c2, 0, 13);
  5268. *(uint8_t*)0x2000000002cf = 1;
  5269. STORE_BY_BITMASK(uint16_t, , 0x2000000002d0, 0, 0, 1);
  5270. STORE_BY_BITMASK(uint16_t, , 0x2000000002d0, 0, 1, 1);
  5271. STORE_BY_BITMASK(uint16_t, , 0x2000000002d0, 1, 2, 1);
  5272. STORE_BY_BITMASK(uint16_t, , 0x2000000002d0, 0, 3, 1);
  5273. STORE_BY_BITMASK(uint16_t, , 0x2000000002d0, 0, 4, 4);
  5274. STORE_BY_BITMASK(uint16_t, , 0x2000000002d1, 0, 0, 1);
  5275. STORE_BY_BITMASK(uint16_t, , 0x2000000002d1, 0, 1, 4);
  5276. STORE_BY_BITMASK(uint16_t, , 0x2000000002d1, 1, 5, 3);
  5277. *(uint16_t*)0x2000000002d2 = htobe16(0x880b);
  5278. *(uint16_t*)0x2000000002d4 = htobe16(0x34);
  5279. *(uint16_t*)0x2000000002d6 = htobe16(0);
  5280. *(uint16_t*)0x2000000002d8 = htobe16(0x36d);
  5281. memcpy(
  5282. (void*)0x2000000002da,
  5283. "\x96\x4e\x1f\x96\xf5\x0e\xd9\xab\x62\x8f\x47\xcd\xf2\x1d\x8e\x2c\x9c\xe1"
  5284. "\x88\x9d\x6d\xa9\x30\x66\xb6\x06\xb5\x81\x05\x6e\xc8\x86\x98\xd8\x16\xeb"
  5285. "\xa1\xc5\x44\x7b\x64\x9a\x28\x8b\x9b\x5c\x14\x53\xc7\x94\x99\x89",
  5286. 52);
  5287. STORE_BY_BITMASK(uint16_t, , 0x20000000030e, 1, 0, 1);
  5288. STORE_BY_BITMASK(uint16_t, , 0x20000000030e, 0, 1, 1);
  5289. STORE_BY_BITMASK(uint16_t, , 0x20000000030e, 0, 2, 1);
  5290. STORE_BY_BITMASK(uint16_t, , 0x20000000030e, 1, 3, 1);
  5291. STORE_BY_BITMASK(uint16_t, , 0x20000000030e, 0, 4, 9);
  5292. STORE_BY_BITMASK(uint16_t, , 0x20000000030f, 0, 5, 3);
  5293. *(uint16_t*)0x200000000310 = htobe16(0x800);
  5294. *(uint16_t*)0x200000000312 = htobe16(0xfff);
  5295. memcpy((void*)0x200000000314,
  5296. "\xc1\xc4\xca\x59\xbf\xbd\x81\x8e\xcf\xa6\x77\xbd\x63\xf7\x7c\x7d\x77"
  5297. "\x15\x0b\x87\x9b\x06\x61\x8b\xd9\x32\x78\x6e\x4d\xc7\x4e\xb0\x27\x82"
  5298. "\x2e\x91\x78\xfa\x5e\xfb\x8e\x93\xcb\x39\xf6\xc5\xe8\x55\x55\xf0\x9d"
  5299. "\xa8\x05\x15\x64\x7a\xe1\x33\xfa\x5f\xe3\x7f\xed\xae\x2d\x05\x55\x5b"
  5300. "\x53\x04\x8d\x0b\x69\x86\x02\x96\xcc\xb3\xfc\x01\x60\xc3\xd5\x2e\x66"
  5301. "\x31\xe8\xca\x33\x55\xd2\x28\x4f\xbf\x18\x3c\x5f\xdf\x00\x19\x6a\xf2"
  5302. "\xfe\xac\x19\x7c\x05\x0b\xe5\xe5\xb8\x22\xb1\x1e\xaf\x98\xc4\xc0\x58"
  5303. "\x9f\x22\x3c\x9a\xe2\x74\x61\x29\xac\x4d\xf4\xae\x54\x91\xe6\x44\x5a"
  5304. "\x80\xda\x40\xa4\x32\x25\x8b\x91\xb7\x16\xe7\x0d",
  5305. 148);
  5306. STORE_BY_BITMASK(uint16_t, , 0x2000000003a8, 0, 0, 1);
  5307. STORE_BY_BITMASK(uint16_t, , 0x2000000003a8, 0, 1, 1);
  5308. STORE_BY_BITMASK(uint16_t, , 0x2000000003a8, 1, 2, 1);
  5309. STORE_BY_BITMASK(uint16_t, , 0x2000000003a8, 1, 3, 1);
  5310. STORE_BY_BITMASK(uint16_t, , 0x2000000003a8, 0, 4, 9);
  5311. STORE_BY_BITMASK(uint16_t, , 0x2000000003a9, 0, 5, 3);
  5312. *(uint16_t*)0x2000000003aa = htobe16(0x86dd);
  5313. *(uint16_t*)0x2000000003ac = htobe16(0xfff);
  5314. *(uint16_t*)0x2000000003ae = htobe16(7);
  5315. *(uint16_t*)0x2000000003b0 = htobe16(0);
  5316. memcpy((void*)0x2000000003b2,
  5317. "\xb3\x72\x90\xe3\xde\x3d\xce\x8a\x23\x9f\xb7\x36\x49\xf6\x66\xb2\xec"
  5318. "\x36\x47\x3d\xb2\xc4\x3d\xfc\x11\xb5\x42\xab\x6a\xcc\x29\x96\xad\x37"
  5319. "\xc7\x68\x50\xe6\xae\x93\xa8\x6e\xe2\xcf\xc6\x69\x37\x80\xb5\xf0\x71"
  5320. "\x5e\x80\x77\xd8\x37\xdb\xb0\xd6\x9c\xf6\x61\x00\x18\x8d\xd2\xc7\xbc"
  5321. "\x3b\xb2\xa1\x61\xf1\x37\x32\xb4\xc0\xcb\xc4\x9f\x40",
  5322. 81);
  5323. *(uint16_t*)0x200000000403 = 8;
  5324. *(uint16_t*)0x200000000405 = htobe16(0x88be);
  5325. *(uint32_t*)0x200000000407 = htobe32(3);
  5326. STORE_BY_BITMASK(uint8_t, , 0x20000000040b, 5, 0, 4);
  5327. STORE_BY_BITMASK(uint8_t, , 0x20000000040b, 1, 4, 4);
  5328. STORE_BY_BITMASK(uint8_t, , 0x20000000040c, 2, 0, 8);
  5329. STORE_BY_BITMASK(uint8_t, , 0x20000000040d, 0, 0, 2);
  5330. STORE_BY_BITMASK(uint8_t, , 0x20000000040d, 1, 2, 1);
  5331. STORE_BY_BITMASK(uint8_t, , 0x20000000040d, 1, 3, 2);
  5332. STORE_BY_BITMASK(uint8_t, , 0x20000000040d, 7, 5, 3);
  5333. STORE_BY_BITMASK(uint8_t, , 0x20000000040e, 4, 0, 8);
  5334. *(uint32_t*)0x20000000040f = 1;
  5335. *(uint32_t*)0x200000000413 = htobe32(9);
  5336. *(uint16_t*)0x200000000417 = 8;
  5337. *(uint16_t*)0x200000000419 = htobe16(0x22eb);
  5338. *(uint32_t*)0x20000000041b = htobe32(0);
  5339. STORE_BY_BITMASK(uint8_t, , 0x20000000041f, 0, 0, 4);
  5340. STORE_BY_BITMASK(uint8_t, , 0x20000000041f, 2, 4, 4);
  5341. STORE_BY_BITMASK(uint8_t, , 0x200000000420, 9, 0, 8);
  5342. STORE_BY_BITMASK(uint8_t, , 0x200000000421, 0, 0, 2);
  5343. STORE_BY_BITMASK(uint8_t, , 0x200000000421, 0, 2, 1);
  5344. STORE_BY_BITMASK(uint8_t, , 0x200000000421, 1, 3, 2);
  5345. STORE_BY_BITMASK(uint8_t, , 0x200000000421, 6, 5, 3);
  5346. STORE_BY_BITMASK(uint8_t, , 0x200000000422, 5, 0, 8);
  5347. *(uint32_t*)0x200000000423 = 2;
  5348. *(uint32_t*)0x200000000427 = htobe32(0);
  5349. *(uint16_t*)0x20000000042b = htobe16(1);
  5350. STORE_BY_BITMASK(uint8_t, , 0x20000000042d, 0, 0, 2);
  5351. STORE_BY_BITMASK(uint8_t, , 0x20000000042d, 0xb, 2, 5);
  5352. STORE_BY_BITMASK(uint8_t, , 0x20000000042d, 0, 7, 1);
  5353. STORE_BY_BITMASK(uint8_t, , 0x20000000042e, 0, 0, 1);
  5354. STORE_BY_BITMASK(uint8_t, , 0x20000000042e, 2, 1, 2);
  5355. STORE_BY_BITMASK(uint8_t, , 0x20000000042e, 1, 3, 1);
  5356. STORE_BY_BITMASK(uint8_t, , 0x20000000042e, 1, 4, 1);
  5357. *(uint16_t*)0x20000000042f = 8;
  5358. *(uint16_t*)0x200000000431 = htobe16(0x6558);
  5359. *(uint32_t*)0x200000000433 = htobe32(0);
  5360. memcpy((void*)0x200000000437,
  5361. "\x8f\x7e\xce\x38\xbd\xd7\xfc\x84\x83\xf1\x3f\xa9\x95\x8d\xc8\x4e\xc4"
  5362. "\xee\x4b\x2e\x53\x3d\x76\x2b\x6d\xee\xf8\xfa\xaa\x32\xfd\x48\xd3\xb5"
  5363. "\x2c\x2a\xf4\xd6\xd2\x5d\xb2\x18\xd1\x6c\xbe\xc0\xe9\xa6\x1b\x78\xed"
  5364. "\xdf\xbd\x87\xb7\xd7\xb2\x79\x9b\x2a\xb6\x00\xd2\xad\x28\x71\x61\xa8"
  5365. "\x96\xda\xcd\x88\xd7\x10\xdc\x6a\x25\x4f\xaa\x2a\x43\xf9\x1b\x01\x0f"
  5366. "\x34\x57\x8b\x74\x13\x5e\x2e\x1e\x1c\x43\xea\xd3\x1f\x7e\x2d\xdb\x7c"
  5367. "\x68\x72\x60\xc7\x51\x4f\x29\xee\x78\xcd\x7c\xf9\x3c\xfa\xc3\x36\x63"
  5368. "\x7b\xf0\x0f\xfc\x69\xef\xd3\xe6\x2c\xd2\x0f\x27\x80\x8a\x15\x97\xab"
  5369. "\xc5\x21\x7c\x67\x61\xba\x47\x20\x14\x4d\x6d\xdd\xf1\x09\x38\xc4\xf1"
  5370. "\x34\xae\x5d\x1f\x4e\x98\xc2\xd6\x2d\x9f\xc7\x27\xba\x6a\x71\x02\x79"
  5371. "\xeb\x27\x36\x59\x8a\xe9\xa2\x92\x2c\xca\xdb\x41\xb8\x36\xd5\x9f\x45"
  5372. "\xfa\x6c\xda\xd2\xec\x3e\x2b\xa8\xda\x8d\x10\x14\x51\xa6\x7d\xf7",
  5373. 203);
  5374. res = -1;
  5375. res = syz_emit_proto(/*proto=*/0x33, /*addr=*/0x200000000080,
  5376. /*addrlen=*/0x1c, /*packet=*/0x200000000280, /*ttl=*/-1);
  5377. if (res != -1)
  5378. r[96] = res;
  5379. syscall(__NR_close_range, /*fd=*/r[94], /*max_fd=*/r[96],
  5380. /*flags=CLOSE_RANGE_UNSHARE*/ 2ul);
  5381. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/3ul, /*proto=*/2);
  5382. if (res != -1)
  5383. r[97] = res;
  5384. *(uint16_t*)0x200000000300 = 2;
  5385. *(uint16_t*)0x200000000302 = htobe16(0);
  5386. *(uint8_t*)0x200000000304 = 0xac;
  5387. *(uint8_t*)0x200000000305 = 0x14;
  5388. *(uint8_t*)0x200000000306 = 0x14;
  5389. *(uint8_t*)0x200000000307 = 0;
  5390. syscall(__NR_connect, /*fd=*/r[97], /*addr=*/0x200000000300ul,
  5391. /*addrlen=*/0x10ul);
  5392. memcpy((void*)0x200000000080, "/dev/loop#\000", 11);
  5393. res = -1;
  5394. res = syz_open_dev(/*dev=*/0x200000000080, /*id=*/0,
  5395. /*flags=O_TRUNC|O_LARGEFILE|O_CREAT|O_WRONLY*/ 0x8241);
  5396. if (res != -1)
  5397. r[98] = res;
  5398. syscall(__NR_ioctl, /*fd=*/r[98], /*cmd=*/0x4c02, /*arg=*/-1);
  5399. *(uint16_t*)0x2000000000c0 = 2;
  5400. *(uint16_t*)0x2000000000c2 = htobe16(0);
  5401. *(uint8_t*)0x2000000000c4 = 0xac;
  5402. *(uint8_t*)0x2000000000c5 = 0x14;
  5403. *(uint8_t*)0x2000000000c6 = 0x14;
  5404. *(uint8_t*)0x2000000000c7 = 0x20;
  5405. syscall(__NR_bind, /*fd=*/r[97], /*addr=*/0x2000000000c0ul, /*addrlen=*/7ul);
  5406. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/9);
  5407. if (res != -1)
  5408. r[99] = res;
  5409. *(uint64_t*)0x200000004f40 = 0;
  5410. *(uint32_t*)0x200000004f48 = 0;
  5411. *(uint64_t*)0x200000004f50 = 0x200000000000;
  5412. *(uint64_t*)0x200000000000 = 0x2000000002c0;
  5413. memset((void*)0x2000000002c0, 217, 1);
  5414. *(uint64_t*)0x200000000008 = 1;
  5415. *(uint64_t*)0x200000004f58 = 1;
  5416. *(uint64_t*)0x200000004f60 = 0;
  5417. *(uint64_t*)0x200000004f68 = 0;
  5418. *(uint32_t*)0x200000004f70 = 0;
  5419. *(uint32_t*)0x200000004f78 = 0;
  5420. *(uint64_t*)0x200000004f80 = 0;
  5421. *(uint32_t*)0x200000004f88 = 0;
  5422. *(uint64_t*)0x200000004f90 = 0x200000001480;
  5423. *(uint64_t*)0x200000001480 = 0;
  5424. *(uint64_t*)0x200000001488 = 0;
  5425. *(uint64_t*)0x200000001490 = 0;
  5426. *(uint64_t*)0x200000001498 = 0;
  5427. *(uint64_t*)0x2000000014a0 = 0;
  5428. *(uint64_t*)0x2000000014a8 = 0;
  5429. *(uint64_t*)0x2000000014b0 = 0;
  5430. *(uint64_t*)0x2000000014b8 = 0;
  5431. *(uint64_t*)0x2000000014c0 = 0;
  5432. *(uint64_t*)0x2000000014c8 = 0;
  5433. *(uint64_t*)0x2000000014d0 = 0;
  5434. *(uint64_t*)0x2000000014d8 = 0;
  5435. *(uint64_t*)0x2000000014e0 = 0;
  5436. *(uint64_t*)0x2000000014e8 = 0;
  5437. *(uint64_t*)0x2000000014f0 = 0;
  5438. *(uint64_t*)0x2000000014f8 = 0x4f;
  5439. *(uint64_t*)0x200000001500 = 0;
  5440. *(uint64_t*)0x200000001508 = 0;
  5441. *(uint64_t*)0x200000004f98 = 9;
  5442. *(uint64_t*)0x200000004fa0 = 0;
  5443. *(uint64_t*)0x200000004fa8 = 0;
  5444. *(uint32_t*)0x200000004fb0 = 0;
  5445. *(uint32_t*)0x200000004fb8 = 0;
  5446. syscall(__NR_sendmmsg, /*fd=*/r[99], /*mmsg=*/0x200000004f40ul, /*vlen=*/2ul,
  5447. /*f=*/0ul);
  5448. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5449. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5450. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5451. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5452. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5453. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5454. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5455. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5456. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5457. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5458. syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_accept_ra_min_hop_limit();
  5459. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5460. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5461. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5462. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5463. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5464. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5465. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5466. res = syscall(__NR_pipe2, /*pipefd=*/0x200000000000ul,
  5467. /*flags=O_NOTIFICATION_PIPE*/ 0x80ul);
  5468. if (res != -1)
  5469. r[100] = *(uint32_t*)0x200000000004;
  5470. *(uint32_t*)0x200000000040 = 7;
  5471. *(uint8_t*)0x200000000044 = 0x21;
  5472. *(uint16_t*)0x200000000045 = 1;
  5473. syscall(__NR_write, /*fd=*/r[100], /*data=*/0x200000000040ul, /*size=*/7ul);
  5474. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5475. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5476. memcpy((void*)0x200000000080, "./file0\000", 8);
  5477. res = syscall(__NR_open, /*file=*/0x200000000080ul,
  5478. /*flags=O_SYNC*/ 0x101000ul, /*mode=S_IXGRP*/ 8ul);
  5479. if (res != -1)
  5480. r[101] = res;
  5481. syz_sysconfig_reset__proc_sys_net_ipv6_conf_eth0_accept_ra_min_hop_limit();
  5482. memcpy(
  5483. (void*)0x2000000000c0,
  5484. "\xd5\x48\xd9\x09\x83\xbd\x37\x5f\x48\xb8\xca\xf1\x34\x04\x7b\xe3\x40\xb3"
  5485. "\xe8\xa7\x32\xe0\x55\x53\x83\x2c\x97\x6e\x82\xd3\x17\xbb\x94\xb0\x2b\x92"
  5486. "\x7f\xd9\xa9\x69\x3d\x12\xf7\x00\xa8\xac\xf5\xf7\xb7\x85\x50\xe8\xed\x0f"
  5487. "\x31\xd8\xa8\x0d\x04\xab\xfa\x4b\x8e\xd6\xcf\xc0\x40\xa4\x78\x51\xc8\x15"
  5488. "\xcf\xb7\x8f\x85\x03\x4e\x7c\xd2\xba\x5b\x9d\x85\x17\x36\xe0\xda\x6e\xe4"
  5489. "\xce\xcb\xf1\x41\x5f\x9f\x56\xb4\x9c\xc0\x86\x7e\x8c\xbe\x67\x8c\xcc\xaf"
  5490. "\x53\x54\x71\x71\xc0\xff\xda\xb5\x6d\xb2\xb3\x75\x3f\xa8\xa1\xa8\xad\x12"
  5491. "\xe1\x0f\xb2\xeb\xb1\xc6\x88\x91\x44\x18\x96\x1c\xf3\x35\x30\xfc\x6c\xc8"
  5492. "\xf1\xf5\x4b\xdc\xdb\x4a\x29\x58\xaa\x7d",
  5493. 154);
  5494. syscall(__NR_ioctl, /*fd=*/r[101], /*cmd=*/0x89f3, /*arg=*/0x2000000000c0ul);
  5495. memcpy((void*)0x200000000180, "./file0\000", 8);
  5496. res = syscall(__NR_open, /*file=*/0x200000000180ul,
  5497. /*flags=O_NOATIME|O_EXCL|O_CLOEXEC*/ 0xc0080ul,
  5498. /*mode=S_IXGRP*/ 8ul);
  5499. if (res != -1)
  5500. r[102] = res;
  5501. memcpy((void*)0x2000000001c0, "rw\000", 3);
  5502. syscall(__NR_fsconfig, /*fd=*/r[102], /*cmd=*/0ul, /*key=*/0x2000000001c0ul,
  5503. /*value=*/0ul, /*aux=*/0ul);
  5504. *(uint32_t*)0x200000000200 = 8;
  5505. *(uint32_t*)0x200000000204 = 0;
  5506. *(uint32_t*)0x200000000208 = 4;
  5507. syscall(__NR_pidfd_send_signal, /*fd=*/r[102], /*sig=*/0x2d,
  5508. /*info=*/0x200000000200ul, /*flags=*/0ul);
  5509. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5510. syz_proconfig_reset__sys_devices_virtual_net_lo_tx_queue_len();
  5511. *(uint16_t*)0x200000000080 = 1;
  5512. *(uint64_t*)0x200000000088 = 0x200000000000;
  5513. *(uint16_t*)0x200000000000 = 6;
  5514. *(uint8_t*)0x200000000002 = 0;
  5515. *(uint8_t*)0x200000000003 = 0;
  5516. *(uint32_t*)0x200000000004 = 0x7fff0000;
  5517. syscall(__NR_seccomp, /*op=*/1ul, /*flags=*/0ul, /*arg=*/0x200000000080ul);
  5518. memcpy((void*)0x200000000240, ".\000", 2);
  5519. memcpy((void*)0x20000015bffc, "nfs\000", 4);
  5520. syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x200000000240ul,
  5521. /*type=*/0x20000015bffcul, /*flags=*/0ul, /*data=*/0ul);
  5522. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/2ul, /*proto=*/0);
  5523. if (res != -1)
  5524. r[103] = res;
  5525. memset((void*)0x200000000000, 0, 10);
  5526. memset((void*)0x20000000000a, 255, 2);
  5527. *(uint32_t*)0x20000000000c = htobe32(0x7f000001);
  5528. *(uint32_t*)0x200000000010 = 0;
  5529. syscall(__NR_setsockopt, /*fd=*/r[103], /*level=*/0x29, /*optname=*/0x11,
  5530. /*optval=*/0x200000000000ul, /*optlen=*/0x14ul);
  5531. memset((void*)0x200000000000, 0, 10);
  5532. memset((void*)0x20000000000a, 255, 2);
  5533. *(uint32_t*)0x20000000000c = htobe32(0x7f000001);
  5534. *(uint32_t*)0x200000000010 = 0;
  5535. syscall(__NR_setsockopt, /*fd=*/r[103], /*level=*/0x29, /*optname=*/0x11,
  5536. /*optval=*/0x200000000000ul, /*optlen=*/0x14ul);
  5537. memcpy((void*)0x200000000340, "./file0\000", 8);
  5538. *(uint64_t*)0x2000000000c0 = 0x26240;
  5539. *(uint64_t*)0x2000000000c8 = 0xb5;
  5540. *(uint64_t*)0x2000000000d0 = 2;
  5541. syscall(__NR_openat2, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000340ul,
  5542. /*how=*/0x2000000000c0ul, /*size=*/0x18ul);
  5543. memcpy((void*)0x200000000000, "/dev/sr0\000", 9);
  5544. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  5545. /*file=*/0x200000000000ul, /*flags=O_NONBLOCK*/ 0x800,
  5546. /*mode=*/0);
  5547. if (res != -1)
  5548. r[104] = res;
  5549. memcpy((void*)0x200000000200, "./file0\000", 8);
  5550. syscall(__NR_readlinkat, /*fd=*/r[104], /*path=*/0x200000000200ul,
  5551. /*buf=*/0x200000000240ul, /*siz=*/0xe2ul);
  5552. memcpy((void*)0x200000000200, "./file0\000", 8);
  5553. syscall(__NR_readlinkat, /*fd=*/r[104], /*path=*/0x200000000200ul,
  5554. /*buf=*/0x200000000240ul, /*siz=*/0xe2ul);
  5555. memcpy((void*)0x200000000180, "ext4\000", 5);
  5556. memcpy((void*)0x2000000000c0, "./file0\000", 8);
  5557. memcpy((void*)0x2000000001c0, "dioread_nolock", 14);
  5558. *(uint8_t*)0x2000000001ce = 0x2c;
  5559. memcpy((void*)0x2000000001cf, "grpquota", 8);
  5560. *(uint8_t*)0x2000000001d7 = 0x2c;
  5561. memcpy((void*)0x2000000001d8, "debug_want_extra_isize", 22);
  5562. *(uint8_t*)0x2000000001ee = 0x3d;
  5563. sprintf((char*)0x2000000001ef, "0x%016llx", (long long)0x60);
  5564. *(uint8_t*)0x200000000201 = 0x2c;
  5565. memcpy((void*)0x200000000202, "journal_ioprio", 14);
  5566. *(uint8_t*)0x200000000210 = 0x3d;
  5567. sprintf((char*)0x200000000211, "0x%016llx", (long long)5);
  5568. *(uint8_t*)0x200000000223 = 0x2c;
  5569. memcpy((void*)0x200000000224, "errors=continue", 15);
  5570. *(uint8_t*)0x200000000233 = 0x2c;
  5571. memcpy((void*)0x200000000234, "errors=continue", 15);
  5572. *(uint8_t*)0x200000000243 = 0x2c;
  5573. memcpy((void*)0x200000000244, "usrjquota=", 10);
  5574. *(uint8_t*)0x20000000024e = 0x2c;
  5575. *(uint8_t*)0x20000000024f = 0;
  5576. memcpy(
  5577. (void*)0x200000000600,
  5578. "\x78\x9c\xec\xdd\xcd\x6f\x54\x55\x1b\x00\xf0\xe7\xde\xe9\xc0\xfb\x22\xd0"
  5579. "\x8a\xf8\x01\xa2\x56\xd1\xd8\xf8\xd1\xd2\x82\xca\xc2\xc4\x68\x34\x71\xa1"
  5580. "\x89\x89\x2e\x70\x59\xdb\x42\x90\x81\x1a\x5a\x13\x21\x44\xab\x31\xb8\x34"
  5581. "\x24\xee\x8d\x4b\x13\xff\x02\x57\xba\x31\xea\xca\xc4\xad\xee\x0d\x09\x51"
  5582. "\x36\xa0\x1b\x6b\xee\x9d\x7b\x61\x3a\xcc\x94\x7e\x4c\x3b\x6d\xe7\xf7\x4b"
  5583. "\x2e\x9c\x33\xf7\xcc\x9c\xf3\xcc\xb9\x67\xee\xb9\xf7\xcc\xa4\x01\xf4\xac"
  5584. "\xc1\xec\x9f\x24\x62\x67\x44\xfc\x16\x11\xfd\xf5\xec\xc2\x02\x83\xf5\xff"
  5585. "\xae\x5f\xbd\x30\xf1\xf7\xd5\x0b\x13\x49\xcc\xcf\xbf\xf9\x67\x92\x97\xbb"
  5586. "\x76\xf5\xc2\x44\x59\xb4\x7c\xde\x1d\x45\x66\x28\x8d\x48\x3f\x4d\x8a\x4a"
  5587. "\x16\x9a\x39\x77\xfe\xd4\x78\xad\x36\x75\xb6\xc8\x8f\xcc\x9e\x7e\x6f\x64"
  5588. "\xe6\xdc\xf9\xa7\x4f\x9e\x1e\x3f\x31\x75\x62\xea\xcc\xd8\xd1\xa3\x47\x0e"
  5589. "\x8f\x3e\xf7\xec\xd8\x33\x1d\x89\x33\x8b\xeb\xda\xfe\x0f\xa7\x0f\xec\x7b"
  5590. "\xf5\xed\x4b\xaf\x4f\x1c\xbb\xf4\xce\x4f\xdf\x64\xed\xdd\x59\xec\x6f\x8c"
  5591. "\xa3\x53\x06\xb3\xc0\xff\x9a\xcf\x35\xef\x7b\xac\xd3\x95\x75\xd9\xae\x86"
  5592. "\x74\xd2\xd7\xc5\x86\xb0\x2c\x95\x88\xc8\xba\xab\x9a\x8f\xff\xfe\xa8\xc4"
  5593. "\xcd\xce\xeb\x8f\x57\x3e\xe9\x6a\xe3\x80\x35\x95\x9d\x9b\xb6\xb7\xdf\x3d"
  5594. "\x97\x24\xf3\xc0\x96\x95\x44\xb7\x5b\x00\x74\x47\x79\xa2\xcf\xae\x7f\xcb"
  5595. "\x6d\x9d\xa6\x1e\x1b\xc2\x95\x17\xeb\x17\x40\x59\xdc\xd7\x8b\xad\xbe\xa7"
  5596. "\x2f\xd2\xa2\x4c\xb5\xe9\xfa\xb6\x93\x06\x23\xe2\xd8\xdc\x3f\x5f\x66\x5b"
  5597. "\xac\xd1\x7d\x08\x00\x80\x46\xdf\x65\xf3\x9f\xa7\x5a\xcd\xff\xd2\xb8\xa7"
  5598. "\xa1\xdc\xee\x62\x0d\x65\x20\x22\xee\x8c\x88\x3d\x11\x71\x57\x44\xec\x8d"
  5599. "\x88\xbb\x23\xf2\xb2\xf7\x46\xc4\x7d\xcb\xac\xbf\x79\x69\xe8\xd6\xf9\x4f"
  5600. "\x7a\x79\x45\x81\x2d\x51\x36\xff\x7b\xbe\x58\xdb\x5a\x38\xff\x2b\x67\x7f"
  5601. "\x31\x50\x29\x72\xbb\xf2\xf8\xab\xc9\xf1\x93\xb5\xa9\x43\xc5\x7b\x32\x14"
  5602. "\xd5\xed\x59\x7e\x74\x91\x3a\xbe\x7f\xf9\xd7\xcf\xdb\xed\x6b\x9c\xff\x65"
  5603. "\x5b\x56\x7f\x39\x17\x2c\xda\x71\xb9\xaf\xe9\x06\xdd\xe4\xf8\xec\x78\x3e"
  5604. "\x29\xed\x80\x2b\x1f\x47\xec\xef\x6b\x15\x7f\x72\x63\x25\x20\x89\x88\x7d"
  5605. "\x11\xb1\x7f\x79\x2f\xbd\xbb\x4c\x9c\x7c\xe2\xeb\x03\xed\x0a\xdd\x3e\xfe"
  5606. "\x45\x74\x60\x9d\x69\xfe\xab\x88\xc7\xeb\xfd\x3f\x17\x4d\xf1\x97\x92\xc5"
  5607. "\xd7\x27\x47\xfe\x17\xb5\xa9\x43\x23\xe5\x51\x71\xab\x9f\x7f\xb9\xf8\x46"
  5608. "\xbb\xfa\x57\x15\x7f\x07\x64\xfd\xbf\x63\xe1\xf1\xdf\x5c\x64\x20\x69\x5c"
  5609. "\xaf\x9d\x59\x7e\x1d\x17\x7f\xff\xac\xed\x35\xcd\x4a\x8f\xff\x6d\xc9\x5b"
  5610. "\x79\xbf\x6c\x2b\x1e\xfb\x60\x7c\x76\xf6\xec\x68\xc4\xb6\xe4\xb5\x3c\xbf"
  5611. "\xe0\xf1\xb1\x9b\xcf\x2d\xf3\x65\xf9\x2c\xfe\xa1\x83\xad\xc7\xff\x9e\xe2"
  5612. "\x39\x59\x3d\xf7\x47\x44\x76\x10\x3f\x10\x11\x0f\x46\xc4\x43\x45\xdb\x1f"
  5613. "\x8e\x88\x47\x22\xe2\x60\x59\xc1\xbf\xb7\xc6\xf8\xe3\x4b\x8f\xbe\xbb\xf2"
  5614. "\xf8\xd7\x56\x16\xff\x64\xcb\xcf\xbf\x1b\xc7\xff\x40\x12\x49\x43\xff\x2f"
  5615. "\x3f\x51\x39\xf5\xc3\xb7\xed\xea\x5f\x5a\xff\x1f\xc9\x53\x43\xc5\x23\xf9"
  5616. "\xe7\xdf\x6d\x2c\xb5\x81\xab\x79\xef\x00\x00\x00\x60\xb3\x48\xf3\xef\xc0"
  5617. "\x27\xe9\xf0\x8d\x74\x9a\x0e\x0f\xd7\xbf\xc3\xbf\x37\x76\xa4\xb5\xe9\x99"
  5618. "\xd9\x27\x8f\x4f\xbf\x7f\x66\xb2\xfe\x5d\xf9\x81\xa8\xa6\xe5\x9d\xae\xfe"
  5619. "\x86\xfb\xa1\xa3\xc9\x5c\xf1\x8a\xf5\xfc\x58\x0c\xf6\x37\xe6\x0f\x17\xf7"
  5620. "\x8d\xbf\xa8\xfc\x3f\xcf\x0f\x4f\x4c\xd7\x26\xbb\x19\x38\x90\x8f\xf3\x56"
  5621. "\xe3\x3f\xf3\x47\xa5\xdb\xad\x03\xd6\x9c\xdf\x6b\x41\xef\x6a\x1e\xff\x69"
  5622. "\x97\xda\x01\xac\x3f\xe7\x7f\xe8\x5d\xc6\x3f\xf4\x2e\xe3\x1f\x7a\x57\xab"
  5623. "\xf1\xff\x51\x53\xde\x5a\x00\x6c\x4d\xce\xff\xd0\xbb\x8c\x7f\xe8\x5d\xc6"
  5624. "\x3f\xf4\xae\x45\xc7\xff\x0b\xeb\xd7\x0e\x60\x5d\xad\xe6\x77\xfd\x9b\x21"
  5625. "\x51\xbd\xf9\x87\x06\xd2\x8d\xd0\x9e\xad\x93\x88\x74\x43\x34\x43\xa2\x39"
  5626. "\xd1\x99\x41\xdd\x7c\xff\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5627. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5628. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5629. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5630. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5631. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5632. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5633. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5634. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5635. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5636. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5637. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5638. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5639. "\x60\x93\xfa\x2f\x00\x00\xff\xff\x8f\x93\xea\xbb",
  5640. 1110);
  5641. syz_mount_image(
  5642. /*fs=*/0x200000000180, /*dir=*/0x2000000000c0,
  5643. /*flags=MS_I_VERSION|MS_REC|MS_SYNCHRONOUS|MS_RELATIME|MS_NOATIME|0x300*/
  5644. 0xa04710, /*opts=*/0x2000000001c0, /*chdir=*/1, /*size=*/0x456,
  5645. /*img=*/0x200000000600);
  5646. memcpy((void*)0x2000000000c0, "/dev/full\000", 10);
  5647. res = syscall(
  5648. __NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000000c0ul,
  5649. /*flags=O_SYNC|O_NONBLOCK|O_NOCTTY|O_WRONLY*/ 0x101901, /*mode=*/0);
  5650. if (res != -1)
  5651. r[105] = res;
  5652. memcpy((void*)0x200000001480, "ip6erspan0\000", 11);
  5653. res = syscall(__NR_memfd_create, /*name=*/0x200000001480ul, /*flags=*/0ul);
  5654. if (res != -1)
  5655. r[106] = res;
  5656. res = syscall(__NR_socket, /*domain=*/0x11ul, /*type=SOCK_DGRAM*/ 2ul,
  5657. /*proto=*/0x300);
  5658. if (res != -1)
  5659. r[107] = res;
  5660. *(uint32_t*)0x200000000000 = 0;
  5661. syscall(__NR_setsockopt, /*fd=*/r[107], /*level=*/0x107,
  5662. /*optname=PACKET_TX_TIMESTAMP|PACKET_COPY_THRESH*/ 0x17,
  5663. /*optval=*/0x200000000000ul, /*optlen=*/4ul);
  5664. *(uint16_t*)0x200000000300 = 1;
  5665. *(uint64_t*)0x200000000308 = 0x200000000000;
  5666. *(uint16_t*)0x200000000000 = 6;
  5667. *(uint8_t*)0x200000000002 = 0;
  5668. *(uint8_t*)0x200000000003 = 0;
  5669. *(uint32_t*)0x200000000004 = 0x7fffffff;
  5670. syscall(__NR_seccomp, /*op=*/1ul, /*flags=*/0ul, /*arg=*/0x200000000300ul);
  5671. memcpy((void*)0x200000000000, "keyring\000", 8);
  5672. memcpy((void*)0x200000000040, "syz", 3);
  5673. *(uint8_t*)0x200000000043 = 0x20;
  5674. *(uint8_t*)0x200000000044 = 0;
  5675. res = syscall(__NR_add_key, /*type=*/0x200000000000ul,
  5676. /*desc=*/0x200000000040ul, /*payload=*/0ul, /*paylen=*/0ul,
  5677. /*keyring=*/0xfffffffd);
  5678. if (res != -1)
  5679. r[108] = res;
  5680. *(uint32_t*)0x200000000140 = 5;
  5681. syscall(__NR_ioctl, /*fd=*/r[105], /*cmd=*/0x2201, /*arg=*/0x200000000140ul);
  5682. for (int i = 0; i < 32; i++) {
  5683. syscall(__NR_ioctl, /*fd=*/r[105], /*cmd=*/0x2201,
  5684. /*arg=*/0x200000000140ul);
  5685. }
  5686. memcpy((void*)0x200000000040, "asymmetric\000", 11);
  5687. syscall(__NR_keyctl, /*code=*/0xbul, /*key=*/r[108],
  5688. /*type=*/0x200000000040ul, /*restriction=*/0ul, 0);
  5689. for (int i = 0; i < 32; i++) {
  5690. syscall(__NR_keyctl, /*code=*/0xbul, /*key=*/r[108],
  5691. /*type=*/0x200000000040ul, /*restriction=*/0ul, 0);
  5692. }
  5693. syscall(__NR_utimensat, /*dir=*/-1, /*pathname=*/0ul,
  5694. /*times=*/0xffffffff81000000ul, /*flags=*/0ul);
  5695. res = syscall(__NR_fcntl, /*fd=*/r[105], /*cmd=*/0ul, /*arg=*/r[106]);
  5696. if (res != -1)
  5697. r[109] = res;
  5698. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/3ul, /*proto=*/2);
  5699. if (res != -1)
  5700. r[110] = res;
  5701. *(uint32_t*)0x200000000040 = 0x52;
  5702. syscall(__NR_getsockopt, /*fd=*/r[110], /*level=*/0, /*optname=*/0x41,
  5703. /*optval=*/0ul, /*optlen=*/0x200000000040ul);
  5704. *(uint32_t*)0x200000000044 = 0xe476;
  5705. *(uint32_t*)0x200000000048 = 0x10000;
  5706. *(uint32_t*)0x20000000004c = 0;
  5707. *(uint32_t*)0x200000000050 = 0;
  5708. *(uint32_t*)0x200000000058 = -1;
  5709. memset((void*)0x20000000005c, 0, 12);
  5710. res = -1;
  5711. res = syz_io_uring_setup(/*entries=*/0x14aa, /*params=*/0x200000000040,
  5712. /*ring_ptr=*/0x2000000000c0,
  5713. /*sqes_ptr=*/0x200000000100);
  5714. if (res != -1)
  5715. r[111] = res;
  5716. *(uint32_t*)0x200000000780 = 2;
  5717. *(uint32_t*)0x200000000784 = 0;
  5718. *(uint64_t*)0x200000000788 = 0;
  5719. *(uint64_t*)0x200000000790 = 0x200000000700;
  5720. *(uint64_t*)0x200000000700 = 0x200000000480;
  5721. *(uint64_t*)0x200000000708 = 0x8b;
  5722. *(uint64_t*)0x200000000710 = 0;
  5723. *(uint64_t*)0x200000000718 = 0;
  5724. *(uint64_t*)0x200000000798 = 0x200000000740;
  5725. *(uint64_t*)0x200000000740 = 0xfffffffffffffffe;
  5726. *(uint64_t*)0x200000000748 = 1;
  5727. syscall(__NR_io_uring_register, /*fd=*/r[111], /*opcode=*/0xful,
  5728. /*arg=*/0x200000000780ul, /*size=*/0x20ul);
  5729. syscall(__NR_write, /*fd=*/r[109], /*data=*/0ul,
  5730. /*len=*/0xfffffffffffffec2ul);
  5731. memcpy((void*)0x200000000a80,
  5732. "./"
  5733. "file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  5734. "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  5735. "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  5736. "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000",
  5737. 257);
  5738. *(uint64_t*)0x200000000c80 = 0x200000000540;
  5739. memcpy((void*)0x200000000540, "}/\000", 3);
  5740. *(uint64_t*)0x200000000c88 = 0x200000000580;
  5741. memcpy((void*)0x200000000580, "asymmetric\000", 11);
  5742. *(uint64_t*)0x200000000c90 = 0x2000000005c0;
  5743. memcpy((void*)0x2000000005c0, "asymmetric\000", 11);
  5744. *(uint64_t*)0x200000000c98 = 0x200000000bc0;
  5745. memcpy((void*)0x200000000bc0, "c\'-[m{\000", 7);
  5746. *(uint64_t*)0x200000000ca0 = 0x200000000c00;
  5747. memcpy((void*)0x200000000c00, "\')\371^+@(G\360/\\\000", 12);
  5748. *(uint64_t*)0x200000000ca8 = 0x200000000c40;
  5749. memcpy((void*)0x200000000c40, "$$-*{\005^\'-@-\000", 12);
  5750. *(uint64_t*)0x200000000cb0 = 0;
  5751. *(uint64_t*)0x200000000d80 = 0x200000000cc0;
  5752. memset((void*)0x200000000cc0, 0, 1);
  5753. *(uint64_t*)0x200000000d88 = 0x200000000d00;
  5754. memcpy((void*)0x200000000d00, "usrjquota=", 10);
  5755. *(uint64_t*)0x200000000d90 = 0x200000000d40;
  5756. memcpy((void*)0x200000000d40, "errors=continue", 15);
  5757. *(uint64_t*)0x200000000d98 = 0;
  5758. syscall(__NR_execve, /*file=*/0x200000000a80ul, /*argv=*/0x200000000c80ul,
  5759. /*envp=*/0x200000000d80ul);
  5760. for (int i = 0; i < 64; i++) {
  5761. syscall(__NR_execve, /*file=*/0x200000000a80ul, /*argv=*/0x200000000c80ul,
  5762. /*envp=*/0x200000000d80ul);
  5763. }
  5764. memcpy((void*)0x2000000003c0,
  5765. "./"
  5766. "file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  5767. "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  5768. "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  5769. "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000",
  5770. 257);
  5771. memcpy((void*)0x200000000280,
  5772. "./"
  5773. "file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  5774. "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  5775. "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  5776. "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000",
  5777. 257);
  5778. syscall(__NR_symlinkat, /*old=*/0x2000000003c0ul, /*newfd=*/r[109],
  5779. /*new=*/0x200000000280ul);
  5780. for (int i = 0; i < 64; i++) {
  5781. syscall(__NR_symlinkat, /*old=*/0x2000000003c0ul, /*newfd=*/r[109],
  5782. /*new=*/0x200000000280ul);
  5783. }
  5784. *(uint32_t*)0x2000000001c4 = 0xf5b9;
  5785. *(uint32_t*)0x2000000001c8 = 0x3f00;
  5786. *(uint32_t*)0x2000000001cc = 0;
  5787. *(uint32_t*)0x2000000001d0 = 0;
  5788. *(uint32_t*)0x2000000001d8 = -1;
  5789. memset((void*)0x2000000001dc, 0, 12);
  5790. syz_io_uring_setup(/*entries=*/0xebc, /*params=*/0x2000000001c0,
  5791. /*ring_ptr=*/0, /*sqes_ptr=*/0);
  5792. syscall(__NR_mprotect, /*addr=*/0x200000000000ul, /*len=*/0x4000ul,
  5793. /*prot=PROT_READ*/ 1ul);
  5794. *(uint32_t*)0x2000000001c0 = 0x38;
  5795. *(uint32_t*)0x2000000001c4 = 5;
  5796. *(uint64_t*)0x2000000001c8 = 0;
  5797. *(uint32_t*)0x2000000001d0 = 0;
  5798. *(uint32_t*)0x2000000001d4 = 0;
  5799. *(uint64_t*)0x2000000001d8 = 0;
  5800. *(uint64_t*)0x2000000001e0 = 0;
  5801. *(uint64_t*)0x2000000001e8 = 0;
  5802. *(uint32_t*)0x2000000001f0 = 0;
  5803. *(uint32_t*)0x2000000001f4 = 0;
  5804. syscall(__NR_sched_setattr, /*pid=*/0, /*attr=*/0x2000000001c0ul,
  5805. /*flags=*/0ul);
  5806. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=SOCK_RAW*/ 3ul,
  5807. /*proto=*/0);
  5808. if (res != -1)
  5809. r[112] = res;
  5810. res = syscall(__NR_socket, /*domain=AF_NETLINK*/ 0x10ul,
  5811. /*type=SOCK_RAW*/ 3ul, /*proto=*/0);
  5812. if (res != -1)
  5813. r[113] = res;
  5814. *(uint32_t*)0x200000000040 = 0x802;
  5815. *(uint32_t*)0x200000000044 = 0;
  5816. *(uint32_t*)0x200000000048 = 0;
  5817. *(uint32_t*)0x20000000004c = 0;
  5818. syscall(__NR_setsockopt, /*fd=*/r[113], /*level=*/0x10e, /*opt=*/0xc,
  5819. /*arg=*/0x200000000040ul, /*arglen=*/0x10ul);
  5820. *(uint64_t*)0x200000002ac0 = 0;
  5821. *(uint32_t*)0x200000002ac8 = 0;
  5822. *(uint64_t*)0x200000002ad0 = 0x200000002a80;
  5823. *(uint64_t*)0x200000002a80 = 0x200000000300;
  5824. *(uint32_t*)0x200000000300 = 0x1c;
  5825. *(uint16_t*)0x200000000304 = 0x1a;
  5826. *(uint16_t*)0x200000000306 = 1;
  5827. *(uint32_t*)0x200000000308 = 0;
  5828. *(uint32_t*)0x20000000030c = 0;
  5829. *(uint8_t*)0x200000000310 = 2;
  5830. *(uint8_t*)0x200000000311 = 0;
  5831. *(uint16_t*)0x200000000312 = 0;
  5832. *(uint16_t*)0x200000000314 = 5;
  5833. STORE_BY_BITMASK(uint16_t, , 0x200000000316, 0, 0, 14);
  5834. STORE_BY_BITMASK(uint16_t, , 0x200000000317, 0, 6, 1);
  5835. STORE_BY_BITMASK(uint16_t, , 0x200000000317, 1, 7, 1);
  5836. memset((void*)0x200000000318, 141, 1);
  5837. *(uint64_t*)0x200000002a88 = 0x1c;
  5838. *(uint64_t*)0x200000002ad8 = 1;
  5839. *(uint64_t*)0x200000002ae0 = 0;
  5840. *(uint64_t*)0x200000002ae8 = 0;
  5841. *(uint32_t*)0x200000002af0 = 0;
  5842. syscall(__NR_sendmsg, /*fd=*/r[113], /*msg=*/0x200000002ac0ul, /*f=*/0ul);
  5843. *(uint64_t*)0x2000000000c0 = 0;
  5844. *(uint32_t*)0x2000000000c8 = 2;
  5845. *(uint64_t*)0x2000000000d0 = 0x200000000080;
  5846. *(uint64_t*)0x200000000080 = 0x200000000140;
  5847. memcpy((void*)0x200000000140,
  5848. "\x55\x00\x00\x00\x20\x00\x7f\xaf\xb7\x2d\x13\xb2\xa4\xa2\x71\x93\x02"
  5849. "\x00\x00\x00\x03\x0b\x43\x02\x6c\x26\x23\x69\x25\x00\x04\x00\xfe\x7f"
  5850. "\x06\x00\xbd\x2d\xca\x8a\x98\x48\xa3\xc7\x28\xf1\xc4\x6b\x7b\x31\xaf"
  5851. "\xdc\x13\x38\xd5\x09\x00\x00\x00\x00\x01\x00\x00\x5a\xe5\x83\xde\x0d"
  5852. "\xd7\xd8\x31\x9f\x98\xaf\x84\xfd\xa5\x42\xe7\x18\xf9\x4b\x92\x9a\xde",
  5853. 85);
  5854. *(uint64_t*)0x200000000088 = 0x55;
  5855. *(uint64_t*)0x2000000000d8 = 1;
  5856. *(uint64_t*)0x2000000000e0 = 0;
  5857. *(uint64_t*)0x2000000000e8 = 0;
  5858. *(uint32_t*)0x2000000000f0 = 0;
  5859. syscall(__NR_sendmsg, /*fd=*/r[112], /*msg=*/0x2000000000c0ul, /*f=*/0ul);
  5860. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/2ul, /*proto=*/0);
  5861. if (res != -1)
  5862. r[114] = res;
  5863. memcpy((void*)0x200000000140, "/dev/net/tun\000", 13);
  5864. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  5865. /*file=*/0x200000000140ul, /*flags=*/0, /*mode=*/0);
  5866. if (res != -1)
  5867. r[115] = res;
  5868. memcpy((void*)0x2000000000c0, "syzkaller1\000\000\000\000\000\000", 16);
  5869. *(uint16_t*)0x2000000000d0 = 0x8c32;
  5870. syscall(__NR_ioctl, /*fd=*/r[115], /*cmd=*/0x400454ca,
  5871. /*arg=*/0x2000000000c0ul);
  5872. *(uint16_t*)0x200000000080 = 0;
  5873. *(uint16_t*)0x200000000082 = 0;
  5874. syscall(__NR_ioctl, /*fd=*/r[115], /*cmd=*/0x400454d1,
  5875. /*arg=*/0x200000000080ul);
  5876. syscall(__NR_dup2, /*oldfd=*/r[114], /*newfd=*/r[115]);
  5877. *(uint16_t*)0x200000000080 = 2;
  5878. *(uint64_t*)0x200000000088 = 0x200000000400;
  5879. *(uint16_t*)0x200000000400 = 0x20;
  5880. *(uint8_t*)0x200000000402 = 0;
  5881. *(uint8_t*)0x200000000403 = 0;
  5882. *(uint32_t*)0x200000000404 = 4;
  5883. *(uint16_t*)0x200000000408 = 6;
  5884. *(uint8_t*)0x20000000040a = 0;
  5885. *(uint8_t*)0x20000000040b = 0;
  5886. *(uint32_t*)0x20000000040c = 9;
  5887. syscall(__NR_seccomp, /*op=*/1ul,
  5888. /*flags=SECCOMP_FILTER_FLAG_LOG_LISTENER*/ 0xaul,
  5889. /*arg=*/0x200000000080ul);
  5890. memcpy((void*)0x200000000100, "./file0\000", 8);
  5891. syscall(__NR_mkdir, /*path=*/0x200000000100ul, /*mode=*/0ul);
  5892. syscall(__NR_mlock, /*addr=*/0x200000ffb000ul, /*size=*/0x4000ul);
  5893. syscall(__NR_madvise, /*addr=*/0x200000ffc000ul, /*len=*/0x1000ul,
  5894. /*advice=MADV_DONTNEED*/ 4ul);
  5895. syscall(__NR_sched_setscheduler, /*pid=*/0, /*policy=SCHED_RR*/ 2ul,
  5896. /*prio=*/0ul);
  5897. memcpy((void*)0x200000000040, "/dev/cdrom\000", 11);
  5898. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  5899. /*file=*/0x200000000040ul,
  5900. /*flags=O_SYNC|O_NONBLOCK|O_WRONLY*/ 0x101801, /*mode=*/0);
  5901. if (res != -1)
  5902. r[116] = res;
  5903. syscall(__NR_setresuid, /*ruid=*/0xee00, /*euid=*/0xfffe, /*suid=*/0);
  5904. syscall(__NR_ioctl, /*fd=*/r[116], /*cmd=*/0x401070ca, /*lock=*/0ul);
  5905. syz_clone3(/*args=*/0, /*size=*/0);
  5906. syscall(__NR_waitid, /*which=*/0ul, /*pid=*/0, /*infop=*/0ul,
  5907. /*options=__WCLONE|WNOWAIT|WSTOPPED|WEXITED*/ 0x81000006ul,
  5908. /*ru=*/0ul);
  5909. memcpy((void*)0x200000000140, "/selinux/load\000", 14);
  5910. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
  5911. /*file=*/0x200000000140ul, /*flags=*/2, /*mode=*/0);
  5912. if (res != -1)
  5913. r[117] = res;
  5914. memcpy((void*)0x200000000180,
  5915. "\x8c\xff\x7c\xf9\x08\x00\x00\x00\x53\x45\x20\x4c\x69\x6e\x75\x78\x15"
  5916. "\x00\x00\x00\x00\xf6\x00\x00\x08\x00\x00\x00\x07\x00\x00\x00\x40\x2c"
  5917. "\x11\x00\x00\x00\x00\x00\x09\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00"
  5918. "\x00\x00\x00\x00\x00\x01\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5919. "\x00\x00\x00\x00\x00\x6d\xbd\x00\x60\x15\x24\xc9",
  5920. 80);
  5921. syscall(__NR_write, /*fd=*/r[117], /*buf=*/0x200000000180ul,
  5922. /*count=*/0x50ul);
  5923. memcpy((void*)0x200000000200, "msdos\000", 6);
  5924. memcpy((void*)0x200000000240, "./file0\000", 8);
  5925. memcpy((void*)0x200000000000, "nodots", 6);
  5926. *(uint8_t*)0x200000000006 = 0x2c;
  5927. *(uint8_t*)0x200000000007 = 0;
  5928. memcpy(
  5929. (void*)0x2000000002c0,
  5930. "\x78\x9c\xec\xda\x3f\x6b\x1b\x67\x1c\x07\xf0\xe7\x6c\x17\xbb\x36\xfe\x53"
  5931. "\x4a\x5b\xec\xa5\x0f\xed\xe2\x2e\x47\xed\xb9\x83\x4d\xb1\xa1\x54\xd0\xd2"
  5932. "\x5a\x85\x26\x10\x7c\xc6\x72\x22\xa4\x48\x46\xa7\x41\x0a\x19\x34\x67\xca"
  5933. "\x4b\xc8\x1c\x32\x66\x0b\x04\xbf\x01\xbf\x87\x0c\xd9\x4c\xc0\xc9\xe4\x29"
  5934. "\x17\x12\x05\xff\xc3\x19\x92\x60\x8b\xa0\xcf\x67\xb9\x2f\x7c\x39\x78\x1e"
  5935. "\x7e\x70\xfc\x86\x3b\xf8\xed\xfe\xed\xda\x4e\x9e\xee\x64\xed\x30\x92\x24"
  5936. "\x61\x6c\x25\xf4\xc2\x51\x12\xe6\xc2\x48\x18\x0d\x7d\xbd\xf0\xcb\xe2\xda"
  5937. "\xcb\x7b\xff\xfe\x7f\xed\xcf\xd5\x52\x69\xed\x9f\x18\xd7\x57\x37\x96\x96"
  5938. "\x63\x8c\x33\x3f\x3e\xbd\x7e\xf7\xd1\x4f\x7b\xed\xa9\xff\x1e\xcf\x3c\x19"
  5939. "\x0f\xfb\x73\x37\x0e\x0e\x97\x9f\xef\x7f\xbf\x3f\x7f\xf0\x7a\xe3\x56\x35"
  5940. "\x8f\xd5\x3c\x36\x9a\xed\x98\xc5\xad\x66\xb3\x9d\x6d\xd5\x2b\x71\xbb\x9a"
  5941. "\xd7\xd2\x18\xff\xae\x57\xb2\xbc\x12\xab\x8d\xbc\xd2\x3a\xd3\xef\xd4\x9b"
  5942. "\xbb\xbb\xdd\x98\x35\xb6\xa7\x27\x77\x5b\x95\x3c\x8f\x59\xa3\x1b\x6b\x95"
  5943. "\x6e\x6c\x37\x63\xbb\xd5\x8d\xd9\xcd\xac\xda\x88\x69\x9a\xc6\xe9\xc9\xc0"
  5944. "\xe7\x28\x3f\x3c\x2a\x8a\x70\x58\x7c\xb5\x19\x8a\xa2\xf8\xfa\x41\x98\xda"
  5945. "\x0b\xd3\xcf\xc2\x6c\x48\xbe\x89\xc9\xb7\x2b\xc9\x77\x9b\xc9\x0f\xbd\x64"
  5946. "\xfe\xb0\x28\x66\x07\x7d\x54\x2e\x85\xf9\x0f\x37\xf3\x1f\x6e\xe6\x3f\xdc"
  5947. "\x4e\x2d\x75\x13\x21\xbc\xe8\x75\xca\x9d\x72\xff\xd9\xef\xd7\xff\x28\xad"
  5948. "\xfd\x1a\xdf\x99\x3b\x79\xeb\x55\xa7\x53\x1e\x3d\xee\x97\xfa\x7d\x3c\xdb"
  5949. "\x8f\x87\xc9\xf7\xfd\xf2\x85\xfd\x44\x58\xfc\xb9\xdf\xbf\xed\x7e\xff\xab"
  5950. "\x74\xae\x5f\x08\xdb\x97\x7f\x7d\x00\x80\xa1\x93\xc6\x63\x17\xee\x77\x69"
  5951. "\xfa\xa1\xbe\x9f\x4e\xed\x87\xe7\xf6\xb7\xb1\xb0\x30\x76\x65\xd7\xe0\x13"
  5952. "\xe5\xdd\x3b\xb5\xac\x5e\xaf\xb4\x04\x41\x10\x8e\xc3\xa0\xbf\x4c\x5c\x85"
  5953. "\x93\xa1\x0f\xfa\x24\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7c\x8c\xab\xf8"
  5954. "\x9d\x70\xd0\x77\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5955. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  5956. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbe\x0c\x6f"
  5957. "\x02\x00\x00\xff\xff\x08\xed\x96\xfc",
  5958. 495);
  5959. syz_mount_image(/*fs=*/0x200000000200, /*dir=*/0x200000000240, /*flags=*/0,
  5960. /*opts=*/0x200000000000, /*chdir=*/1, /*size=*/0x1ef,
  5961. /*img=*/0x2000000002c0);
  5962. memcpy((void*)0x2000000000c0, "./file1\000", 8);
  5963. syscall(__NR_open, /*file=*/0x2000000000c0ul, /*flags=*/0ul, /*mode=*/0ul);
  5964. memcpy((void*)0x200000000180, "./bus\000", 6);
  5965. syscall(__NR_open, /*file=*/0x200000000180ul,
  5966. /*flags=O_TRUNC|O_SYNC|O_NOATIME|O_LARGEFILE|O_DIRECT|O_CREAT|0x3e*/
  5967. 0x14d27eul, /*mode=*/0ul);
  5968. memcpy((void*)0x200000000380, "/dev/loop", 9);
  5969. *(uint8_t*)0x200000000389 = 0x30;
  5970. *(uint8_t*)0x20000000038a = 0;
  5971. memcpy((void*)0x200000000140, "./bus\000", 6);
  5972. syscall(__NR_mount, /*src=*/0x200000000380ul, /*dst=*/0x200000000140ul,
  5973. /*type=*/0ul, /*flags=MS_BIND*/ 0x1000ul, /*data=*/0ul);
  5974. memcpy((void*)0x200000000400, "./bus\000", 6);
  5975. res = syscall(__NR_open, /*file=*/0x200000000400ul,
  5976. /*flags=O_SYNC|O_NOCTTY|O_NOATIME|O_RDWR|0x3c*/ 0x14113eul,
  5977. /*mode=*/0ul);
  5978. if (res != -1)
  5979. r[118] = res;
  5980. memcpy((void*)0x2000000001c0, "#! ", 3);
  5981. *(uint8_t*)0x2000000001c3 = 0xa;
  5982. syscall(__NR_write, /*fd=*/r[118], /*data=*/0x2000000001c0ul,
  5983. /*len=*/0x208e24bul);
  5984. memcpy((void*)0x200000000040, "./file1\000", 8);
  5985. res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000040ul,
  5986. /*flags=O_CREAT|O_RDWR*/ 0x42, /*mode=*/0);
  5987. if (res != -1)
  5988. r[119] = res;
  5989. syscall(__NR_ftruncate, /*fd=*/r[119], /*len=*/0x8000ul);
  5990. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0ul,
  5991. /*flags=*/0x41, /*mode=*/0x1ff);
  5992. syscall(__NR_write, /*fd=*/-1, /*data=*/0ul, /*len=*/0ul);
  5993. syscall(__NR_getrandom, /*buf=*/0x200000000080ul,
  5994. /*len=*/0xfffffffffffffe77ul, /*flags=*/0ul);
  5995. syscall(__NR_fchdir, /*fd=*/-1);
  5996. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0xc0502100, /*arg=*/0ul);
  5997. memcpy((void*)0x2000000004c0, "ext4\000", 5);
  5998. memcpy((void*)0x200000000500, "./file0\000", 8);
  5999. *(uint8_t*)0x200000001480 = 0;