Google Git
Sign in
kernel / pub / scm / linux / kernel / git / shuah / linux-arts / 6bb23cc7934bea6cb2a1436cea514c880c2d9f56 / . / syzkaller-repros / linux / c7e345ba243bc4476aae52a3354ccbd2a90e344e.c
blob: ef2d1b14f62f5d878b908f05fbb8cc4338b5b9fe [file] [log] [blame]
// KASAN: use-after-free Read in hidraw_ioctl
// https://syzkaller.appspot.com/bug?id=c7e345ba243bc4476aae52a3354ccbd2a90e344e
// status:dup
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/futex.h>
#include <linux/usb/ch9.h>
unsigned long long procid;
static __thread int skip_segv;
static __thread jmp_buf segv_env;
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
uintptr_t addr = (uintptr_t)info->si_addr;
const uintptr_t prog_start = 1 << 20;
const uintptr_t prog_end = 100 << 20;
if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
(addr < prog_start || addr > prog_end)) {
_longjmp(segv_env, 1);
}
exit(sig);
}
static void install_segv_handler(void)
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_IGN;
syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}
#define NONFAILING(...) \
{ \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
}
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i;
for (i = 0; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
int state;
} event_t;
static void event_init(event_t* ev)
{
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
if (ev->state)
exit(1);
__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
}
static void event_wait(event_t* ev)
{
while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}
static int event_isset(event_t* ev)
{
return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
for (;;) {
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
return 1;
now = current_time_ms();
if (now - start > timeout)
return 0;
}
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
#define USB_DEBUG 0
#define USB_MAX_EP_NUM 32
struct usb_device_index {
struct usb_device_descriptor* dev;
struct usb_config_descriptor* config;
unsigned config_length;
struct usb_interface_descriptor* iface;
struct usb_endpoint_descriptor* eps[USB_MAX_EP_NUM];
unsigned eps_num;
};
static bool parse_usb_descriptor(char* buffer, size_t length,
struct usb_device_index* index)
{
if (length <
sizeof(*index->dev) + sizeof(*index->config) + sizeof(*index->iface))
return false;
index->dev = (struct usb_device_descriptor*)buffer;
index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
index->config_length = length - sizeof(*index->dev);
index->iface =
(struct usb_interface_descriptor*)(buffer + sizeof(*index->dev) +
sizeof(*index->config));
index->eps_num = 0;
size_t offset = 0;
while (true) {
if (offset + 1 >= length)
break;
uint8_t desc_length = buffer[offset];
uint8_t desc_type = buffer[offset + 1];
if (desc_length <= 2)
break;
if (offset + desc_length > length)
break;
if (desc_type == USB_DT_ENDPOINT) {
index->eps[index->eps_num] =
(struct usb_endpoint_descriptor*)(buffer + offset);
index->eps_num++;
}
if (index->eps_num == USB_MAX_EP_NUM)
break;
offset += desc_length;
}
return true;
}
enum usb_fuzzer_event_type {
USB_FUZZER_EVENT_INVALID,
USB_FUZZER_EVENT_CONNECT,
USB_FUZZER_EVENT_DISCONNECT,
USB_FUZZER_EVENT_SUSPEND,
USB_FUZZER_EVENT_RESUME,
USB_FUZZER_EVENT_CONTROL,
};
struct usb_fuzzer_event {
uint32_t type;
uint32_t length;
char data[0];
};
struct usb_fuzzer_init {
uint64_t speed;
const char* driver_name;
const char* device_name;
};
struct usb_fuzzer_ep_io {
uint16_t ep;
uint16_t flags;
uint32_t length;
char data[0];
};
#define USB_FUZZER_IOCTL_INIT _IOW('U', 0, struct usb_fuzzer_init)
#define USB_FUZZER_IOCTL_RUN _IO('U', 1)
#define USB_FUZZER_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_fuzzer_event)
#define USB_FUZZER_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_fuzzer_ep_io)
#define USB_FUZZER_IOCTL_EP0_READ _IOWR('U', 4, struct usb_fuzzer_ep_io)
#define USB_FUZZER_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_FUZZER_IOCTL_EP_WRITE _IOW('U', 7, struct usb_fuzzer_ep_io)
#define USB_FUZZER_IOCTL_EP_READ _IOWR('U', 8, struct usb_fuzzer_ep_io)
#define USB_FUZZER_IOCTL_CONFIGURE _IO('U', 9)
#define USB_FUZZER_IOCTL_VBUS_DRAW _IOW('U', 10, uint32_t)
int usb_fuzzer_open()
{
return open("/sys/kernel/debug/usb-fuzzer", O_RDWR);
}
int usb_fuzzer_init(int fd, uint32_t speed, const char* driver,
const char* device)
{
struct usb_fuzzer_init arg;
arg.speed = speed;
arg.driver_name = driver;
arg.device_name = device;
return ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg);
}
int usb_fuzzer_run(int fd)
{
return ioctl(fd, USB_FUZZER_IOCTL_RUN, 0);
}
int usb_fuzzer_event_fetch(int fd, struct usb_fuzzer_event* event)
{
return ioctl(fd, USB_FUZZER_IOCTL_EVENT_FETCH, event);
}
int usb_fuzzer_ep0_write(int fd, struct usb_fuzzer_ep_io* io)
{
return ioctl(fd, USB_FUZZER_IOCTL_EP0_WRITE, io);
}
int usb_fuzzer_ep0_read(int fd, struct usb_fuzzer_ep_io* io)
{
return ioctl(fd, USB_FUZZER_IOCTL_EP0_READ, io);
}
int usb_fuzzer_ep_write(int fd, struct usb_fuzzer_ep_io* io)
{
return ioctl(fd, USB_FUZZER_IOCTL_EP_WRITE, io);
}
int usb_fuzzer_ep_read(int fd, struct usb_fuzzer_ep_io* io)
{
return ioctl(fd, USB_FUZZER_IOCTL_EP_READ, io);
}
int usb_fuzzer_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
return ioctl(fd, USB_FUZZER_IOCTL_EP_ENABLE, desc);
}
int usb_fuzzer_configure(int fd)
{
return ioctl(fd, USB_FUZZER_IOCTL_CONFIGURE, 0);
}
int usb_fuzzer_vbus_draw(int fd, uint32_t power)
{
return ioctl(fd, USB_FUZZER_IOCTL_VBUS_DRAW, power);
}
#define USB_MAX_PACKET_SIZE 1024
struct usb_fuzzer_control_event {
struct usb_fuzzer_event inner;
struct usb_ctrlrequest ctrl;
char data[USB_MAX_PACKET_SIZE];
};
struct usb_fuzzer_ep_io_data {
struct usb_fuzzer_ep_io inner;
char data[USB_MAX_PACKET_SIZE];
};
struct vusb_connect_string_descriptor {
uint32_t len;
char* str;
} __attribute__((packed));
struct vusb_connect_descriptors {
uint32_t qual_len;
char* qual;
uint32_t bos_len;
char* bos;
uint32_t strs_len;
struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));
static const char* default_string = "syzkaller";
static bool lookup_connect_response(struct vusb_connect_descriptors* descs,
struct usb_device_index* index,
struct usb_ctrlrequest* ctrl,
char** response_data,
uint32_t* response_length)
{
uint8_t str_idx;
switch (ctrl->bRequestType & USB_TYPE_MASK) {
case USB_TYPE_STANDARD:
switch (ctrl->bRequest) {
case USB_REQ_GET_DESCRIPTOR:
switch (ctrl->wValue >> 8) {
case USB_DT_DEVICE:
*response_data = (char*)index->dev;
*response_length = sizeof(*index->dev);
return true;
case USB_DT_CONFIG:
*response_data = (char*)index->config;
*response_length = index->config_length;
return true;
case USB_DT_STRING:
str_idx = (uint8_t)ctrl->wValue;
if (str_idx >= descs->strs_len) {
*response_data = (char*)default_string;
*response_length = strlen(default_string);
} else {
*response_data = descs->strs[str_idx].str;
*response_length = descs->strs[str_idx].len;
}
return true;
case USB_DT_BOS:
*response_data = descs->bos;
*response_length = descs->bos_len;
return true;
case USB_DT_DEVICE_QUALIFIER:
*response_data = descs->qual;
*response_length = descs->qual_len;
return true;
default:
exit(1);
return false;
}
break;
default:
exit(1);
return false;
}
break;
default:
exit(1);
return false;
}
return false;
}
static volatile long syz_usb_connect(volatile long a0, volatile long a1,
volatile long a2, volatile long a3)
{
uint64_t speed = a0;
uint64_t dev_len = a1;
char* dev = (char*)a2;
struct vusb_connect_descriptors* descs = (struct vusb_connect_descriptors*)a3;
if (!dev) {
return -1;
}
struct usb_device_index index;
memset(&index, 0, sizeof(index));
int rv = 0;
NONFAILING(rv = parse_usb_descriptor(dev, dev_len, &index));
if (!rv) {
return rv;
}
int fd = usb_fuzzer_open();
if (fd < 0) {
return fd;
}
char device[32];
sprintf(&device[0], "dummy_udc.%llu", procid);
rv = usb_fuzzer_init(fd, speed, "dummy_udc", &device[0]);
if (rv < 0) {
return rv;
}
rv = usb_fuzzer_run(fd);
if (rv < 0) {
return rv;
}
bool done = false;
while (!done) {
struct usb_fuzzer_control_event event;
event.inner.type = 0;
event.inner.length = sizeof(event.ctrl);
rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event);
if (rv < 0) {
return rv;
}
if (event.inner.type != USB_FUZZER_EVENT_CONTROL)
continue;
bool response_found = false;
char* response_data = NULL;
uint32_t response_length = 0;
if (event.ctrl.bRequestType & USB_DIR_IN) {
NONFAILING(response_found =
lookup_connect_response(descs, &index, &event.ctrl,
&response_data, &response_length));
if (!response_found) {
return -1;
}
} else {
if ((event.ctrl.bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD ||
event.ctrl.bRequest != USB_REQ_SET_CONFIGURATION) {
exit(1);
return -1;
}
done = true;
}
if (done) {
rv = usb_fuzzer_vbus_draw(fd, index.config->bMaxPower);
if (rv < 0) {
return rv;
}
rv = usb_fuzzer_configure(fd);
if (rv < 0) {
return rv;
}
unsigned ep;
for (ep = 0; ep < index.eps_num; ep++) {
rv = usb_fuzzer_ep_enable(fd, index.eps[ep]);
if (rv < 0) {
} else {
}
}
}
struct usb_fuzzer_ep_io_data response;
response.inner.ep = 0;
response.inner.flags = 0;
if (response_length > sizeof(response.data))
response_length = 0;
if (event.ctrl.wLength < response_length)
response_length = event.ctrl.wLength;
response.inner.length = response_length;
if (response_data)
memcpy(&response.data[0], response_data, response_length);
else
memset(&response.data[0], 0, response_length);
if (event.ctrl.bRequestType & USB_DIR_IN)
rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
else
rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response);
if (rv < 0) {
return rv;
}
}
sleep_ms(200);
return fd;
}
struct vusb_descriptor {
uint8_t req_type;
uint8_t desc_type;
uint32_t len;
char data[0];
} __attribute__((packed));
struct vusb_descriptors {
uint32_t len;
struct vusb_descriptor* generic;
struct vusb_descriptor* descs[0];
} __attribute__((packed));
struct vusb_response {
uint8_t type;
uint8_t req;
uint32_t len;
char data[0];
} __attribute__((packed));
struct vusb_responses {
uint32_t len;
struct vusb_response* generic;
struct vusb_response* resps[0];
} __attribute__((packed));
static bool lookup_control_response(struct vusb_descriptors* descs,
struct vusb_responses* resps,
struct usb_ctrlrequest* ctrl,
char** response_data,
uint32_t* response_length)
{
int descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) /
sizeof(descs->descs[0]);
int resps_num = (resps->len - offsetof(struct vusb_responses, resps)) /
sizeof(resps->resps[0]);
uint8_t req = ctrl->bRequest;
uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
uint8_t desc_type = ctrl->wValue >> 8;
if (req == USB_REQ_GET_DESCRIPTOR) {
int i;
for (i = 0; i < descs_num; i++) {
struct vusb_descriptor* desc = descs->descs[i];
if (!desc)
continue;
if (desc->req_type == req_type && desc->desc_type == desc_type) {
*response_length = desc->len;
if (*response_length != 0)
*response_data = &desc->data[0];
else
*response_data = NULL;
return true;
}
}
if (descs->generic) {
*response_data = &descs->generic->data[0];
*response_length = descs->generic->len;
return true;
}
} else {
int i;
for (i = 0; i < resps_num; i++) {
struct vusb_response* resp = resps->resps[i];
if (!resp)
continue;
if (resp->type == req_type && resp->req == req) {
*response_length = resp->len;
if (*response_length != 0)
*response_data = &resp->data[0];
else
*response_data = NULL;
return true;
}
}
if (resps->generic) {
*response_data = &resps->generic->data[0];
*response_length = resps->generic->len;
return true;
}
}
return false;
}
static volatile long syz_usb_control_io(volatile long a0, volatile long a1,
volatile long a2)
{
int fd = a0;
struct vusb_descriptors* descs = (struct vusb_descriptors*)a1;
struct vusb_responses* resps = (struct vusb_responses*)a2;
struct usb_fuzzer_control_event event;
event.inner.type = 0;
event.inner.length = USB_MAX_PACKET_SIZE;
int rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event);
if (rv < 0) {
return rv;
}
if (event.inner.type != USB_FUZZER_EVENT_CONTROL) {
return -1;
}
bool response_found = false;
char* response_data = NULL;
uint32_t response_length = 0;
if (event.ctrl.bRequestType & USB_DIR_IN) {
NONFAILING(response_found =
lookup_control_response(descs, resps, &event.ctrl,
&response_data, &response_length));
if (!response_found) {
return -1;
}
} else {
response_length = event.ctrl.wLength;
}
struct usb_fuzzer_ep_io_data response;
response.inner.ep = 0;
response.inner.flags = 0;
if (response_length > sizeof(response.data))
response_length = 0;
if (event.ctrl.wLength < response_length)
response_length = event.ctrl.wLength;
response.inner.length = response_length;
if (response_data)
memcpy(&response.data[0], response_data, response_length);
else
memset(&response.data[0], 0, response_length);
if (event.ctrl.bRequestType & USB_DIR_IN) {
rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
} else {
rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response);
}
if (rv < 0) {
return rv;
}
sleep_ms(200);
return 0;
}
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
(uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
NONFAILING(strncpy(buf, (char*)a0, sizeof(buf) - 1));
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
int i;
for (i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
int i, call, thread;
int collide = 0;
again:
for (call = 0; call < 20; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
if (collide && (call % 2) == 0)
break;
event_timedwait(&th->done,
45 + (call == 0 ? 2000 : 0) + (call == 1 ? 300 : 0) +
(call == 2 ? 300 : 0) + (call == 5 ? 2000 : 0) +
(call == 13 ? 2000 : 0) + (call == 14 ? 300 : 0) +
(call == 15 ? 300 : 0) + (call == 18 ? 2000 : 0) +
(call == 19 ? 300 : 0));
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
if (!collide) {
collide = 1;
goto again;
}
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter;
for (iter = 0;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5 * 1000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res;
switch (call) {
case 0:
NONFAILING(memcpy((void*)0x20000000,
"\x12\x01\x00\x00\x00\x00\x00\x20\x6d\x90\xd9\xc3\x40\x00"
"\x00\x00\x00\x01\x09\x02\x24\x00\x01\x00\x00\xa0\x00\x09"
"\x04\x00\x00\x01\x03\x01\x01\x00\x09\x21\x00\x00\x00\x01"
"\x22\x05\x00\x09\x05\x81\x03\x00\xe1\x00\x00\x00",
54));
res = syz_usb_connect(0, 0x36, 0x20000000, 0);
if (res != -1)
r[0] = res;
break;
case 1:
syz_usb_control_io(r[0], 0, 0);
break;
case 2:
NONFAILING(*(uint32_t*)0x20000500 = 0x34);
NONFAILING(*(uint64_t*)0x20000504 = 0);
NONFAILING(*(uint64_t*)0x2000050c = 0);
NONFAILING(*(uint64_t*)0x20000514 = 0x200002c0);
NONFAILING(*(uint8_t*)0x200002c0 = 0);
NONFAILING(*(uint8_t*)0x200002c1 = 0x22);
NONFAILING(*(uint32_t*)0x200002c2 = 5);
NONFAILING(*(uint8_t*)0x200002c6 = 5);
NONFAILING(*(uint8_t*)0x200002c7 = 0xf);
NONFAILING(*(uint16_t*)0x200002c8 = 5);
NONFAILING(*(uint8_t*)0x200002ca = 0);
NONFAILING(*(uint64_t*)0x2000051c = 0);
NONFAILING(*(uint64_t*)0x20000524 = 0);
NONFAILING(*(uint64_t*)0x2000052c = 0);
NONFAILING(*(uint32_t*)0x20000700 = 0xcc);
NONFAILING(*(uint64_t*)0x20000704 = 0);
NONFAILING(*(uint64_t*)0x2000070c = 0);
NONFAILING(*(uint64_t*)0x20000714 = 0);
NONFAILING(*(uint64_t*)0x2000071c = 0);
NONFAILING(*(uint64_t*)0x20000724 = 0);
NONFAILING(*(uint64_t*)0x2000072c = 0);
NONFAILING(*(uint64_t*)0x20000734 = 0);
NONFAILING(*(uint64_t*)0x2000073c = 0);
NONFAILING(*(uint64_t*)0x20000744 = 0);
NONFAILING(*(uint64_t*)0x2000074c = 0);
NONFAILING(*(uint64_t*)0x20000754 = 0);
NONFAILING(*(uint64_t*)0x2000075c = 0);
NONFAILING(*(uint64_t*)0x20000764 = 0);
NONFAILING(*(uint64_t*)0x2000076c = 0);
NONFAILING(*(uint64_t*)0x20000774 = 0);
NONFAILING(*(uint64_t*)0x2000077c = 0);
NONFAILING(*(uint64_t*)0x20000784 = 0);
NONFAILING(*(uint64_t*)0x2000078c = 0);
NONFAILING(*(uint64_t*)0x20000794 = 0);
NONFAILING(*(uint64_t*)0x2000079c = 0);
NONFAILING(*(uint64_t*)0x200007a4 = 0);
NONFAILING(*(uint64_t*)0x200007ac = 0);
NONFAILING(*(uint64_t*)0x200007b4 = 0);
NONFAILING(*(uint64_t*)0x200007bc = 0);
NONFAILING(*(uint64_t*)0x200007c4 = 0);
syz_usb_control_io(r[0], 0x20000500, 0x20000700);
break;
case 3:
NONFAILING(memcpy((void*)0x20000000, "/dev/hidraw#\000", 13));
syz_open_dev(0x20000000, 0, 0);
break;
case 4:
res = syz_open_dev(0, 0, 0);
if (res != -1)
r[1] = res;
break;
case 5:
NONFAILING(*(uint8_t*)0x20000040 = 0x12);
NONFAILING(*(uint8_t*)0x20000041 = 1);
NONFAILING(*(uint16_t*)0x20000042 = 0x110);
NONFAILING(*(uint8_t*)0x20000044 = 0);
NONFAILING(*(uint8_t*)0x20000045 = 0);
NONFAILING(*(uint8_t*)0x20000046 = 0);
NONFAILING(*(uint8_t*)0x20000047 = 0x10);
NONFAILING(*(uint16_t*)0x20000048 = 0x5ac);
NONFAILING(*(uint16_t*)0x2000004a = 0x304);
NONFAILING(*(uint16_t*)0x2000004c = 0x40);
NONFAILING(*(uint8_t*)0x2000004e = 0x44);
NONFAILING(*(uint8_t*)0x2000004f = 0);
NONFAILING(*(uint8_t*)0x20000050 = -1);
NONFAILING(*(uint8_t*)0x20000051 = 1);
NONFAILING(*(uint8_t*)0x20000052 = 9);
NONFAILING(*(uint8_t*)0x20000053 = 2);
NONFAILING(*(uint16_t*)0x20000054 = 0x2d);
NONFAILING(*(uint8_t*)0x20000056 = 1);
NONFAILING(*(uint8_t*)0x20000057 = 7);
NONFAILING(*(uint8_t*)0x20000058 = 2);
NONFAILING(*(uint8_t*)0x20000059 = 0xa0);
NONFAILING(*(uint8_t*)0x2000005a = 9);
NONFAILING(*(uint8_t*)0x2000005b = 9);
NONFAILING(*(uint8_t*)0x2000005c = 4);
NONFAILING(*(uint8_t*)0x2000005d = 8);
NONFAILING(*(uint8_t*)0x2000005e = 4);
NONFAILING(*(uint8_t*)0x2000005f = 0x12);
NONFAILING(*(uint8_t*)0x20000060 = 3);
NONFAILING(*(uint8_t*)0x20000061 = 1);
NONFAILING(*(uint8_t*)0x20000062 = 0);
NONFAILING(*(uint8_t*)0x20000063 = 0);
NONFAILING(*(uint8_t*)0x20000064 = 9);
NONFAILING(*(uint8_t*)0x20000065 = 0x21);
NONFAILING(*(uint16_t*)0x20000066 = 9);
NONFAILING(*(uint8_t*)0x20000068 = 0);
NONFAILING(*(uint8_t*)0x20000069 = 1);
NONFAILING(*(uint8_t*)0x2000006a = 0x22);
NONFAILING(*(uint16_t*)0x2000006b = 0x680);
NONFAILING(*(uint8_t*)0x2000006d = 9);
NONFAILING(*(uint8_t*)0x2000006e = 5);
NONFAILING(*(uint8_t*)0x2000006f = 0x81);
NONFAILING(*(uint8_t*)0x20000070 = 3);
NONFAILING(*(uint16_t*)0x20000071 = 0xbb6);
NONFAILING(*(uint8_t*)0x20000073 = 2);
NONFAILING(*(uint8_t*)0x20000074 = 7);
NONFAILING(*(uint8_t*)0x20000075 = 0xd4);
NONFAILING(*(uint8_t*)0x20000076 = 9);
NONFAILING(*(uint8_t*)0x20000077 = 5);
NONFAILING(*(uint8_t*)0x20000078 = 2);
NONFAILING(*(uint8_t*)0x20000079 = 3);
NONFAILING(*(uint16_t*)0x2000007a = 0);
NONFAILING(*(uint8_t*)0x2000007c = 7);
NONFAILING(*(uint8_t*)0x2000007d = 0);
NONFAILING(*(uint8_t*)0x2000007e = 5);
NONFAILING(*(uint32_t*)0x20000480 = 0xa);
NONFAILING(*(uint64_t*)0x20000484 = 0x20000080);
NONFAILING(*(uint8_t*)0x20000080 = 0xa);
NONFAILING(*(uint8_t*)0x20000081 = 6);
NONFAILING(*(uint16_t*)0x20000082 = 0);
NONFAILING(*(uint8_t*)0x20000084 = 6);
NONFAILING(*(uint8_t*)0x20000085 = -1);
NONFAILING(*(uint8_t*)0x20000086 = 3);
NONFAILING(*(uint8_t*)0x20000087 = 0x40);
NONFAILING(*(uint8_t*)0x20000088 = 0);
NONFAILING(*(uint8_t*)0x20000089 = 0);
NONFAILING(*(uint32_t*)0x2000048c = 0xc5);
NONFAILING(*(uint64_t*)0x20000490 = 0x200000c0);
NONFAILING(*(uint8_t*)0x200000c0 = 5);
NONFAILING(*(uint8_t*)0x200000c1 = 0xf);
NONFAILING(*(uint16_t*)0x200000c2 = 0xc5);
NONFAILING(*(uint8_t*)0x200000c4 = 3);
NONFAILING(*(uint8_t*)0x200000c5 = 0xb);
NONFAILING(*(uint8_t*)0x200000c6 = 0x10);
NONFAILING(*(uint8_t*)0x200000c7 = 1);
NONFAILING(*(uint8_t*)0x200000c8 = 0xc);
NONFAILING(*(uint16_t*)0x200000c9 = 0x10);
NONFAILING(*(uint8_t*)0x200000cb = 1);
NONFAILING(*(uint8_t*)0x200000cc = 1);
NONFAILING(*(uint16_t*)0x200000cd = 8);
NONFAILING(*(uint8_t*)0x200000cf = -1);
NONFAILING(*(uint8_t*)0x200000d0 = 0xaa);
NONFAILING(*(uint8_t*)0x200000d1 = 0x10);
NONFAILING(*(uint8_t*)0x200000d2 = 2);
NONFAILING(memcpy(
(void*)0x200000d3,
"\xfc\x46\x69\x7f\x23\xee\x29\x2e\xb8\xbf\x56\xe8\x3b\xce\xc5\xcd\xbe"
"\x91\xf9\x1c\x8a\xb3\xde\xe0\xf5\x15\x80\xbd\xad\x5d\xb2\x8b\x44\x13"
"\x08\x63\xfd\xd0\x1a\x2f\xf5\xd8\xad\xb1\x50\x19\x93\x96\x38\xfe\x44"
"\x15\x08\xc9\x92\xd4\xda\xc0\x89\x35\x81\xa2\x65\x6b\x82\x20\x1b\x8f"
"\xbc\x68\x80\x7b\xca\x9f\xc5\xa6\xf1\x68\x68\x2a\x71\x74\x5e\x20\xda"
"\x99\x03\x9e\xb3\xad\x60\x4b\xcf\x05\xfd\x44\xb9\x1f\x5f\x33\x33\xcf"
"\x1c\xd0\x01\xe3\x4f\xd8\xfa\x3e\x60\xc8\x79\xdd\x8a\xc7\x27\x20\x73"
"\x07\x48\x13\x3c\xb5\x53\x40\x64\x6c\x81\x69\x14\x76\xd6\xd5\xb3\xf1"
"\xfa\x8b\x83\x92\xd0\x24\x13\x85\x6c\x21\x25\x53\xbd\xbd\x66\xf0\x42"
"\xe9\x32\x4d\x45\xef\xed\xb4\x35\x37\xcb\x42\x24\x3a\xf6",
167));
NONFAILING(*(uint8_t*)0x2000017a = 0xb);
NONFAILING(*(uint8_t*)0x2000017b = 0x10);
NONFAILING(*(uint8_t*)0x2000017c = 1);
NONFAILING(*(uint8_t*)0x2000017d = 8);
NONFAILING(*(uint16_t*)0x2000017e = 0);
NONFAILING(*(uint8_t*)0x20000180 = 2);
NONFAILING(*(uint8_t*)0x20000181 = -1);
NONFAILING(*(uint16_t*)0x20000182 = 2);
NONFAILING(*(uint8_t*)0x20000184 = 0);
NONFAILING(*(uint32_t*)0x20000498 = 6);
NONFAILING(*(uint32_t*)0x2000049c = 0);
NONFAILING(*(uint64_t*)0x200004a0 = 0);
NONFAILING(*(uint32_t*)0x200004a8 = 0x6c);
NONFAILING(*(uint64_t*)0x200004ac = 0x20000240);
NONFAILING(*(uint8_t*)0x20000240 = 0x6c);
NONFAILING(*(uint8_t*)0x20000241 = 3);
NONFAILING(*(uint16_t*)0x20000242 = 0x444f);
NONFAILING(memcpy((void*)0x20000244,
"\x2c\x9c\x9d\xae\x91\x9c\xe1\xf1\x49\x53\x25\xf6\xcd\x36"
"\x56\x70\xa0\x82\x3a\x8b\x3f\x5e\x40\x48\x6e\x57\x13\x51"
"\x3a\x71\x45\xc2\x47\x30\x4d\xd4\x0b\xb7\x67\xd9\x5d\x90"
"\x09\x9a\x63\xd1\xf4\x11\x25\xb8\x03\xae\xd5\x58\xab\xb5"
"\x0a\x98\x43\xc9\x9a\xec\x7a\x0c\x65\x5d\x7f\x82\xbc\x12"
"\x18\x55\x45\x96\xbd\x48\xca\xb9\x1b\xb0\xd9\x00\xf9\xa7"
"\x8a\x5f\x7e\x5f\x91\xa4\x37\x07\x9b\xae\xb1\x86\xff\xfd"
"\x84\xd1\xa4\x75\xdd\x1e",
104));
NONFAILING(*(uint32_t*)0x200004b4 = 0x92);
NONFAILING(*(uint64_t*)0x200004b8 = 0x20000300);
NONFAILING(*(uint8_t*)0x20000300 = 0x92);
NONFAILING(*(uint8_t*)0x20000301 = 3);
NONFAILING(*(uint16_t*)0x20000302 = 0);
NONFAILING(memcpy(
(void*)0x20000304,
"\x6f\xab\x6b\x87\x2a\x40\x75\x79\x5f\xe2\x7f\x87\x1d\xa4\x0b\x28\x28"
"\xe7\x7b\x33\x9d\xda\x12\xb5\x80\x66\xb1\x44\x2c\x7c\x95\x48\xbf\xd6"
"\x62\x81\x9f\x92\x44\xdf\xb8\x28\xda\x0b\x24\x5c\x66\x56\xbf\x5c\xef"
"\xda\xb1\x1d\x99\x7d\x34\x0c\xbc\x63\x4d\x3a\x06\x5c\x58\x8e\x74\xc6"
"\xa1\xe7\x7a\x04\xc4\x36\x76\x35\x35\xa4\x13\x26\x70\xe4\x39\xeb\x11"
"\x28\x9c\x8a\xef\xd5\x1b\xc6\x53\xe2\x04\x21\x53\x5b\x06\x45\x2e\xd7"
"\x9f\xb5\xb3\x37\xfc\x8d\x55\x42\x41\x3b\x72\x10\xac\x24\xaa\xb0\x8d"
"\x63\xcf\xe9\x05\x55\x0b\x4c\xb8\xf0\xf2\x9a\x41\xbd\x19\x17\x29\x49"
"\xcd\xd3\x97\x6b\x06\xfc",
142));
NONFAILING(*(uint32_t*)0x200004c0 = 4);
NONFAILING(*(uint64_t*)0x200004c4 = 0x200003c0);
NONFAILING(*(uint8_t*)0x200003c0 = 4);
NONFAILING(*(uint8_t*)0x200003c1 = 3);
NONFAILING(*(uint16_t*)0x200003c2 = 0x2401);
NONFAILING(*(uint32_t*)0x200004cc = 0x3e);
NONFAILING(*(uint64_t*)0x200004d0 = 0x20000400);
NONFAILING(*(uint8_t*)0x20000400 = 0x3e);
NONFAILING(*(uint8_t*)0x20000401 = 3);
NONFAILING(*(uint16_t*)0x20000402 = 0x541b);
NONFAILING(memcpy((void*)0x20000404,
"\x14\x87\xcc\xe8\x81\x59\xd6\x72\x19\x87\xbf\x1e\x40\xdd"
"\x77\x59\x97\x10\x27\x71\x83\xc8\x29\x3c\xe5\x25\x9f\x59"
"\xed\x5b\x73\x00\x40\x69\x6f\xca\xe0\x89\xaa\xc6\xab\xc7"
"\x89\x35\xdf\xcf\xd9\xa6\x58\xda\x79\x12\xf6\xca\xa3\x7b"
"\x1d\xa3",
58));
NONFAILING(*(uint32_t*)0x200004d8 = 0x11);
NONFAILING(*(uint64_t*)0x200004dc = 0x20000440);
NONFAILING(*(uint8_t*)0x20000440 = 0x11);
NONFAILING(*(uint8_t*)0x20000441 = 3);
NONFAILING(*(uint16_t*)0x20000442 = 0x809);
NONFAILING(memcpy((void*)0x20000444,
"\x07\x25\x18\x43\x89\xc3\x20\xe3\x34\xfc\xf6\xef\x26",
13));
syz_usb_connect(0, 0x3f, 0x20000040, 0x20000480);
break;
case 6:
syscall(__NR_ioctl, r[1], 0x80044801, 0x200015c0);
break;
case 7:
NONFAILING(memcpy((void*)0x20000040, "/dev/input/event#\000", 18));
res = syz_open_dev(0x20000040, 0, 0);
if (res != -1)
r[2] = res;
break;
case 8:
syscall(__NR_ioctl, r[2], 0x8000450a, 0xb3dc7000);
break;
case 9:
NONFAILING(memcpy((void*)0x20000040, "/dev/input/event#\000", 18));
syz_open_dev(0x20000040, 0, 0);
break;
case 10:
NONFAILING(memcpy((void*)0x20000000, "/dev/usb/hiddev#\000", 17));
res = syz_open_dev(0x20000000, 0x40, 0);
if (res != -1)
r[3] = res;
break;
case 11:
syscall(__NR_ioctl, r[3], 0x80044801, 0x20000080);
break;
case 12:
syscall(__NR_ioctl, r[3], 0x8000450a, 0xff);
break;
case 13:
NONFAILING(memcpy((void*)0x20000000,
"\x12\x01\x00\x00\x00\x00\x00\x20\x6d\x90\xd9\xc3\x40\x00"
"\x00\x00\x00\x01\x09\x02\x24\x00\x01\x00\x00\xa0\x00\x09"
"\x04\x00\x00\x01\x03\x01\x01\x00\x09\x21\x00\x00\x00\x01"
"\x22\x05\x00\x09\x05\x81\x03\x00\xe1\x00\x00\x00",
54));
res = syz_usb_connect(0, 0x36, 0x20000000, 0);
if (res != -1)
r[4] = res;
break;
case 14:
syz_usb_control_io(r[4], 0, 0);
break;
case 15:
NONFAILING(*(uint32_t*)0x20000500 = 0x34);
NONFAILING(*(uint64_t*)0x20000504 = 0);
NONFAILING(*(uint64_t*)0x2000050c = 0);
NONFAILING(*(uint64_t*)0x20000514 = 0x200002c0);
NONFAILING(*(uint8_t*)0x200002c0 = 0);
NONFAILING(*(uint8_t*)0x200002c1 = 0x22);
NONFAILING(*(uint32_t*)0x200002c2 = 5);
NONFAILING(*(uint8_t*)0x200002c6 = 5);
NONFAILING(*(uint8_t*)0x200002c7 = 0xf);
NONFAILING(*(uint16_t*)0x200002c8 = 5);
NONFAILING(*(uint8_t*)0x200002ca = 0);
NONFAILING(*(uint64_t*)0x2000051c = 0);
NONFAILING(*(uint64_t*)0x20000524 = 0);
NONFAILING(*(uint64_t*)0x2000052c = 0);
NONFAILING(*(uint32_t*)0x20000700 = 0xcc);
NONFAILING(*(uint64_t*)0x20000704 = 0);
NONFAILING(*(uint64_t*)0x2000070c = 0);
NONFAILING(*(uint64_t*)0x20000714 = 0);
NONFAILING(*(uint64_t*)0x2000071c = 0);
NONFAILING(*(uint64_t*)0x20000724 = 0);
NONFAILING(*(uint64_t*)0x2000072c = 0);
NONFAILING(*(uint64_t*)0x20000734 = 0);
NONFAILING(*(uint64_t*)0x2000073c = 0);
NONFAILING(*(uint64_t*)0x20000744 = 0);
NONFAILING(*(uint64_t*)0x2000074c = 0);
NONFAILING(*(uint64_t*)0x20000754 = 0);
NONFAILING(*(uint64_t*)0x2000075c = 0);
NONFAILING(*(uint64_t*)0x20000764 = 0);
NONFAILING(*(uint64_t*)0x2000076c = 0);
NONFAILING(*(uint64_t*)0x20000774 = 0);
NONFAILING(*(uint64_t*)0x2000077c = 0);
NONFAILING(*(uint64_t*)0x20000784 = 0);
NONFAILING(*(uint64_t*)0x2000078c = 0);
NONFAILING(*(uint64_t*)0x20000794 = 0);
NONFAILING(*(uint64_t*)0x2000079c = 0);
NONFAILING(*(uint64_t*)0x200007a4 = 0);
NONFAILING(*(uint64_t*)0x200007ac = 0);
NONFAILING(*(uint64_t*)0x200007b4 = 0);
NONFAILING(*(uint64_t*)0x200007bc = 0);
NONFAILING(*(uint64_t*)0x200007c4 = 0);
syz_usb_control_io(r[4], 0x20000500, 0x20000700);
break;
case 16:
NONFAILING(memcpy((void*)0x20000000, "/dev/hidraw#\000", 13));
syz_open_dev(0x20000000, 0, 0);
break;
case 17:
syz_open_dev(0, 0, 0);
break;
case 18:
NONFAILING(*(uint32_t*)0x20000480 = 0xa);
NONFAILING(*(uint64_t*)0x20000484 = 0x20000080);
NONFAILING(*(uint8_t*)0x20000080 = 0xa);
NONFAILING(*(uint8_t*)0x20000081 = 6);
NONFAILING(*(uint16_t*)0x20000082 = 0);
NONFAILING(*(uint8_t*)0x20000084 = 6);
NONFAILING(*(uint8_t*)0x20000085 = -1);
NONFAILING(*(uint8_t*)0x20000086 = 3);
NONFAILING(*(uint8_t*)0x20000087 = 0x40);
NONFAILING(*(uint8_t*)0x20000088 = 0);
NONFAILING(*(uint8_t*)0x20000089 = 0);
NONFAILING(*(uint32_t*)0x2000048c = 0xc5);
NONFAILING(*(uint64_t*)0x20000490 = 0x200000c0);
NONFAILING(*(uint8_t*)0x200000c0 = 5);
NONFAILING(*(uint8_t*)0x200000c1 = 0xf);
NONFAILING(*(uint16_t*)0x200000c2 = 0xc5);
NONFAILING(*(uint8_t*)0x200000c4 = 3);
NONFAILING(*(uint8_t*)0x200000c5 = 0xb);
NONFAILING(*(uint8_t*)0x200000c6 = 0x10);
NONFAILING(*(uint8_t*)0x200000c7 = 1);
NONFAILING(*(uint8_t*)0x200000c8 = 0xc);
NONFAILING(*(uint16_t*)0x200000c9 = 0x10);
NONFAILING(*(uint8_t*)0x200000cb = 1);
NONFAILING(*(uint8_t*)0x200000cc = 1);
NONFAILING(*(uint16_t*)0x200000cd = 8);
NONFAILING(*(uint8_t*)0x200000cf = -1);
NONFAILING(*(uint8_t*)0x200000d0 = 0xaa);
NONFAILING(*(uint8_t*)0x200000d1 = 0x10);
NONFAILING(*(uint8_t*)0x200000d2 = 2);
NONFAILING(memcpy(
(void*)0x200000d3,
"\xfc\x46\x69\x7f\x23\xee\x29\x2e\xb8\xbf\x56\xe8\x3b\xce\xc5\xcd\xbe"
"\x91\xf9\x1c\x8a\xb3\xde\xe0\xf5\x15\x80\xbd\xad\x5d\xb2\x8b\x44\x13"
"\x08\x63\xfd\xd0\x1a\x2f\xf5\xd8\xad\xb1\x50\x19\x93\x96\x38\xfe\x44"
"\x15\x08\xc9\x92\xd4\xda\xc0\x89\x35\x81\xa2\x65\x6b\x82\x20\x1b\x8f"
"\xbc\x68\x80\x7b\xca\x9f\xc5\xa6\xf1\x68\x68\x2a\x71\x74\x5e\x20\xda"
"\x99\x03\x9e\xb3\xad\x60\x4b\xcf\x05\xfd\x44\xb9\x1f\x5f\x33\x33\xcf"
"\x1c\xd0\x01\xe3\x4f\xd8\xfa\x3e\x60\xc8\x79\xdd\x8a\xc7\x27\x20\x73"
"\x07\x48\x13\x3c\xb5\x53\x40\x64\x6c\x81\x69\x14\x76\xd6\xd5\xb3\xf1"
"\xfa\x8b\x83\x92\xd0\x24\x13\x85\x6c\x21\x25\x53\xbd\xbd\x66\xf0\x42"
"\xe9\x32\x4d\x45\xef\xed\xb4\x35\x37\xcb\x42\x24\x3a\xf6",
167));
NONFAILING(*(uint8_t*)0x2000017a = 0xb);
NONFAILING(*(uint8_t*)0x2000017b = 0x10);
NONFAILING(*(uint8_t*)0x2000017c = 1);
NONFAILING(*(uint8_t*)0x2000017d = 8);
NONFAILING(*(uint16_t*)0x2000017e = 0);
NONFAILING(*(uint8_t*)0x20000180 = 2);
NONFAILING(*(uint8_t*)0x20000181 = -1);
NONFAILING(*(uint16_t*)0x20000182 = 2);
NONFAILING(*(uint8_t*)0x20000184 = 0);
NONFAILING(*(uint32_t*)0x20000498 = 6);
NONFAILING(*(uint32_t*)0x2000049c = 0x59);
NONFAILING(*(uint64_t*)0x200004a0 = 0x200001c0);
NONFAILING(*(uint8_t*)0x200001c0 = 0x59);
NONFAILING(*(uint8_t*)0x200001c1 = 3);
NONFAILING(*(uint16_t*)0x200001c2 = 0x2c01);
NONFAILING(memcpy(
(void*)0x200001c4,
"\xb6\xd3\x79\x09\xa6\x33\x18\x1b\x22\x48\xb8\x17\x46\x41\x24\x4d\xa3"
"\x2e\x1a\x18\xe2\x9c\x59\xed\x4b\x77\xf1\x35\x92\xa4\xe0\xc3\x5d\x1b"
"\xd8\x2a\xc6\x5a\xab\xab\x7e\xc3\x0d\x20\xae\xf1\xa4\x41\x96\xd5\xc7"
"\x9b\x20\xff\x77\xac\xda\x27\x48\x16\xec\xe9\x21\xa2\xae\x09\xd3\x61"
"\xf3\xef\xd3\x3b\xad\x8c\xc4\xf7\xc9\x0f\x9f\xb5\x74\x6a\xe6\x20\x4e",
85));
NONFAILING(*(uint32_t*)0x200004a8 = 0x6c);
NONFAILING(*(uint64_t*)0x200004ac = 0x20000240);
NONFAILING(*(uint8_t*)0x20000240 = 0x6c);
NONFAILING(*(uint8_t*)0x20000241 = 3);
NONFAILING(*(uint16_t*)0x20000242 = 0x444f);
NONFAILING(memcpy((void*)0x20000244,
"\x2c\x9c\x9d\xae\x91\x9c\xe1\xf1\x49\x53\x25\xf6\xcd\x36"
"\x56\x70\xa0\x82\x3a\x8b\x3f\x5e\x40\x48\x6e\x57\x13\x51"
"\x3a\x71\x45\xc2\x47\x30\x4d\xd4\x0b\xb7\x67\xd9\x5d\x90"
"\x09\x9a\x63\xd1\xf4\x11\x25\xb8\x03\xae\xd5\x58\xab\xb5"
"\x0a\x98\x43\xc9\x9a\xec\x7a\x0c\x65\x5d\x7f\x82\xbc\x12"
"\x18\x55\x45\x96\xbd\x48\xca\xb9\x1b\xb0\xd9\x00\xf9\xa7"
"\x8a\x5f\x7e\x5f\x91\xa4\x37\x07\x9b\xae\xb1\x86\xff\xfd"
"\x84\xd1\xa4\x75\xdd\x1e",
104));
NONFAILING(*(uint32_t*)0x200004b4 = 0x92);
NONFAILING(*(uint64_t*)0x200004b8 = 0x20000300);
NONFAILING(*(uint8_t*)0x20000300 = 0x92);
NONFAILING(*(uint8_t*)0x20000301 = 3);
NONFAILING(*(uint16_t*)0x20000302 = 0);
NONFAILING(memcpy(
(void*)0x20000304,
"\x6f\xab\x6b\x87\x2a\x40\x75\x79\x5f\xe2\x7f\x87\x1d\xa4\x0b\x28\x28"
"\xe7\x7b\x33\x9d\xda\x12\xb5\x80\x66\xb1\x44\x2c\x7c\x95\x48\xbf\xd6"
"\x62\x81\x9f\x92\x44\xdf\xb8\x28\xda\x0b\x24\x5c\x66\x56\xbf\x5c\xef"
"\xda\xb1\x1d\x99\x7d\x34\x0c\xbc\x63\x4d\x3a\x06\x5c\x58\x8e\x74\xc6"
"\xa1\xe7\x7a\x04\xc4\x36\x76\x35\x35\xa4\x13\x26\x70\xe4\x39\xeb\x11"
"\x28\x9c\x8a\xef\xd5\x1b\xc6\x53\xe2\x04\x21\x53\x5b\x06\x45\x2e\xd7"
"\x9f\xb5\xb3\x37\xfc\x8d\x55\x42\x41\x3b\x72\x10\xac\x24\xaa\xb0\x8d"
"\x63\xcf\xe9\x05\x55\x0b\x4c\xb8\xf0\xf2\x9a\x41\xbd\x19\x17\x29\x49"
"\xcd\xd3\x97\x6b\x06\xfc",
142));
NONFAILING(*(uint32_t*)0x200004c0 = 0x2e);
NONFAILING(*(uint64_t*)0x200004c4 = 0x200003c0);
NONFAILING(*(uint8_t*)0x200003c0 = 0x2e);
NONFAILING(*(uint8_t*)0x200003c1 = 3);
NONFAILING(*(uint16_t*)0x200003c2 = 0x2401);
NONFAILING(memcpy((void*)0x200003c4, "\x84\xd0\x41\xe7\x80\xd4\x04\x27\xee"
"\xfd\xd8\x02\xb8\x77\xfe\x7a\xeb\x58"
"\xaf\xfd\xbf\x97\x49\x54\xd4\x11\xf4"
"\xf9\x42\x35\xc1\x0d\x8e\xc2\x0a\x4d"
"\xef\xca\x5d\xd2\x57\x93",
42));
NONFAILING(*(uint32_t*)0x200004cc = 0);
NONFAILING(*(uint64_t*)0x200004d0 = 0);
NONFAILING(*(uint32_t*)0x200004d8 = 0x11);
NONFAILING(*(uint64_t*)0x200004dc = 0x20000440);
NONFAILING(*(uint8_t*)0x20000440 = 0x11);
NONFAILING(*(uint8_t*)0x20000441 = 3);
NONFAILING(*(uint16_t*)0x20000442 = 0x809);
NONFAILING(memcpy((void*)0x20000444,
"\x07\x25\x18\x43\x89\xc3\x20\xe3\x34\xfc\xf6\xef\x26",
13));
syz_usb_connect(5, 0, 0, 0x20000480);
break;
case 19:
NONFAILING(*(uint32_t*)0x20000b80 = 0x34);
NONFAILING(*(uint64_t*)0x20000b84 = 0x200005c0);
NONFAILING(*(uint8_t*)0x200005c0 = 0x60);
NONFAILING(*(uint8_t*)0x200005c1 = 0);
NONFAILING(*(uint32_t*)0x200005c2 = 0x7e);
NONFAILING(*(uint8_t*)0x200005c6 = 0x7e);
NONFAILING(*(uint8_t*)0x200005c7 = 0x2f);
NONFAILING(memcpy((void*)0x200005c8,
"\xd5\x44\x76\xe2\x79\xdc\x8a\x50\xfd\x1e\x25\x28\x5c\x4a"
"\x43\xd8\x60\x98\xb0\x1b\x00\x4a\x06\x73\x16\xb8\x66\xa7"
"\xcb\xc7\xff\xce\xdc\x23\xed\xf4\xd1\x70\x95\xe3\x76\x41"
"\xaf\xfb\xe4\x3c\xd4\x96\x73\xec\x90\x32\xef\x00\xec\xb3"
"\x8e\x4f\xb4\x99\x42\xd7\x43\xf5\xce\xb2\xeb\x59\xc9\x1d"
"\x2d\xf1\x72\x66\xef\x0e\x95\x5d\x57\xc1\xd8\x06\x31\xd9"
"\xc3\x1a\x42\xf4\xd3\x97\x1f\x15\xa8\x34\xd9\x02\xa4\x63"
"\x89\xa5\x6e\xef\x41\x0a\xad\x7f\xdc\x2a\xce\x3e\xc1\x99"
"\x09\x5b\x0e\x75\x7b\xbc\xbb\xbc\x07\x62\x36\x11",
124));
NONFAILING(*(uint64_t*)0x20000b8c = 0);
NONFAILING(*(uint64_t*)0x20000b94 = 0x20000900);
NONFAILING(*(uint8_t*)0x20000900 = 0);
NONFAILING(*(uint8_t*)0x20000901 = 0xf);
NONFAILING(*(uint32_t*)0x20000902 = 0xe3);
NONFAILING(*(uint8_t*)0x20000906 = 5);
NONFAILING(*(uint8_t*)0x20000907 = 0xf);
NONFAILING(*(uint16_t*)0x20000908 = 0xe3);
NONFAILING(*(uint8_t*)0x2000090a = 3);
NONFAILING(*(uint8_t*)0x2000090b = 0xa);
NONFAILING(*(uint8_t*)0x2000090c = 0x10);
NONFAILING(*(uint8_t*)0x2000090d = 3);
NONFAILING(*(uint8_t*)0x2000090e = 2);
NONFAILING(*(uint16_t*)0x2000090f = 0);
NONFAILING(*(uint8_t*)0x20000911 = 8);
NONFAILING(*(uint8_t*)0x20000912 = -1);
NONFAILING(*(uint16_t*)0x20000913 = 2);
NONFAILING(*(uint8_t*)0x20000915 = 0xa);
NONFAILING(*(uint8_t*)0x20000916 = 0x10);
NONFAILING(*(uint8_t*)0x20000917 = 3);
NONFAILING(*(uint8_t*)0x20000918 = 2);
NONFAILING(*(uint16_t*)0x20000919 = 0xc);
NONFAILING(*(uint8_t*)0x2000091b = 0);
NONFAILING(*(uint8_t*)0x2000091c = 9);
NONFAILING(*(uint16_t*)0x2000091d = 5);
NONFAILING(*(uint8_t*)0x2000091f = 0xca);
NONFAILING(*(uint8_t*)0x20000920 = 0x10);
NONFAILING(*(uint8_t*)0x20000921 = 3);
NONFAILING(memcpy(
(void*)0x20000922,
"\x59\x8f\x73\x44\x4d\x56\x65\x6f\xce\xc5\x0f\xfb\xdb\xb1\x32\xa4\xdc"
"\x49\x13\x28\xc2\xb8\x89\x5e\xcc\x30\xf8\xf9\x42\xc6\x94\xc9\xc1\x8c"
"\x63\xaf\x3b\xc1\x5c\xc4\x6a\x16\x8b\x46\xe1\xe3\xb9\x02\x5c\xb9\xa4"
"\x0e\xf3\x17\x75\x71\x3e\x38\xf9\x38\x45\xdc\x65\x66\xf4\x63\x80\xba"
"\xc1\x9e\x30\xbf\x42\x02\x5d\x19\xc5\xe3\xc3\x51\x91\x57\x80\xd0\xa9"
"\x04\x77\x0b\x74\x47\x4e\xf9\x20\x84\x7b\x0d\x70\x03\x9f\xb5\x8a\x8e"
"\x9f\xbc\x08\x98\xdf\x82\xfd\x06\xf1\x06\x80\x09\x18\x8a\xbe\x2f\x5e"
"\xf6\xcf\x00\x59\xc1\xb5\x46\x64\xc9\xc7\xfc\x96\x79\x61\xa3\x78\x27"
"\xd4\x17\x6f\x50\xee\xf6\x10\xb7\x7c\xf4\x94\xc2\xb9\x25\x17\x09\xe6"
"\x0f\xaf\xd2\xba\x9b\x95\x2f\x81\xa1\x3b\x99\x5b\x55\x4b\x48\x44\x4c"
"\x40\x8d\xeb\x71\x7d\xca\xb5\x74\xf4\x95\x85\x43\x7d\x5d\x7f\xc0\xa6"
"\x23\x30\xd2\xd6\xe4\x94\x82\x35\x2f\x3e\xd9\xf2",
199));
NONFAILING(*(uint64_t*)0x20000b9c = 0);
NONFAILING(*(uint64_t*)0x20000ba4 = 0x20000680);
NONFAILING(*(uint8_t*)0x20000680 = 0x20);
NONFAILING(*(uint8_t*)0x20000681 = 0x29);
NONFAILING(*(uint32_t*)0x20000682 = 0xf);
NONFAILING(*(uint8_t*)0x20000686 = 0xf);
NONFAILING(*(uint8_t*)0x20000687 = 0x29);
NONFAILING(*(uint8_t*)0x20000688 = 0x46);
NONFAILING(*(uint16_t*)0x20000689 = 0);
NONFAILING(*(uint8_t*)0x2000068b = 1);
NONFAILING(*(uint8_t*)0x2000068c = 8);
NONFAILING(memcpy((void*)0x2000068d, "\x76\xd5\xf5\x61", 4));
NONFAILING(memcpy((void*)0x20000691, "T=H\v", 4));
NONFAILING(*(uint64_t*)0x20000bac = 0x200006c0);
NONFAILING(*(uint8_t*)0x200006c0 = 0x20);
NONFAILING(*(uint8_t*)0x200006c1 = 0x2a);
NONFAILING(*(uint32_t*)0x200006c2 = 0xc);
NONFAILING(*(uint8_t*)0x200006c6 = 0xc);
NONFAILING(*(uint8_t*)0x200006c7 = 0x2a);
NONFAILING(*(uint8_t*)0x200006c8 = 0x4a);
NONFAILING(*(uint16_t*)0x200006c9 = 4);
NONFAILING(*(uint8_t*)0x200006cb = 0x40);
NONFAILING(*(uint8_t*)0x200006cc = 0);
NONFAILING(*(uint8_t*)0x200006cd = 2);
NONFAILING(*(uint16_t*)0x200006ce = 5);
NONFAILING(*(uint16_t*)0x200006d0 = 0xf4);
NONFAILING(*(uint32_t*)0x200014c0 = 0xcc);
NONFAILING(*(uint64_t*)0x200014c4 = 0x20000bc0);
NONFAILING(*(uint8_t*)0x20000bc0 = 0x40);
NONFAILING(*(uint8_t*)0x20000bc1 = 0xe);
NONFAILING(*(uint32_t*)0x20000bc2 = 0);
NONFAILING(*(uint64_t*)0x200014cc = 0x20000c00);
NONFAILING(*(uint8_t*)0x20000c00 = 0);
NONFAILING(*(uint8_t*)0x20000c01 = 0xa);
NONFAILING(*(uint32_t*)0x20000c02 = 1);
NONFAILING(*(uint8_t*)0x20000c06 = 0);
NONFAILING(*(uint64_t*)0x200014d4 = 0x20000c40);
NONFAILING(*(uint8_t*)0x20000c40 = 0);
NONFAILING(*(uint8_t*)0x20000c41 = 8);
NONFAILING(*(uint32_t*)0x20000c42 = 1);
NONFAILING(*(uint8_t*)0x20000c46 = 0x40);
NONFAILING(*(uint64_t*)0x200014dc = 0x20000c80);
NONFAILING(memcpy((void*)0x20000c80, "\000\000\000\000\000\000\000\b", 8));
NONFAILING(*(uint64_t*)0x200014e4 = 0x20000cc0);
NONFAILING(*(uint8_t*)0x20000cc0 = 0x20);
NONFAILING(*(uint8_t*)0x20000cc1 = 0x82);
NONFAILING(*(uint32_t*)0x20000cc2 = 1);
NONFAILING(memcpy((void*)0x20000cc6, "\xc5", 1));
NONFAILING(*(uint64_t*)0x200014ec = 0x20000d00);
NONFAILING(*(uint8_t*)0x20000d00 = 0x20);
NONFAILING(*(uint8_t*)0x20000d01 = 0x83);
NONFAILING(*(uint32_t*)0x20000d02 = 2);
NONFAILING(memcpy((void*)0x20000d06, "\xa6\xaa", 2));
NONFAILING(*(uint64_t*)0x200014f4 = 0);
NONFAILING(*(uint64_t*)0x200014fc = 0x20000d80);
NONFAILING(*(uint8_t*)0x20000d80 = 0x20);
NONFAILING(*(uint8_t*)0x20000d81 = 0x85);
NONFAILING(*(uint32_t*)0x20000d82 = 3);
NONFAILING(memcpy((void*)0x20000d86, "\xbd\xa1\x00", 3));
NONFAILING(*(uint64_t*)0x20001504 = 0x20000dc0);
NONFAILING(*(uint8_t*)0x20000dc0 = 0x20);
NONFAILING(*(uint8_t*)0x20000dc1 = 0);
NONFAILING(*(uint32_t*)0x20000dc2 = 0);
NONFAILING(*(uint64_t*)0x2000150c = 0);
NONFAILING(*(uint64_t*)0x20001514 = 0x20001100);
NONFAILING(*(uint8_t*)0x20001100 = 0x20);
NONFAILING(*(uint8_t*)0x20001101 = 0);
NONFAILING(*(uint32_t*)0x20001102 = 1);
NONFAILING(*(uint8_t*)0x20001106 = 1);
NONFAILING(*(uint64_t*)0x2000151c = 0x20001140);
NONFAILING(*(uint8_t*)0x20001140 = 0x20);
NONFAILING(*(uint8_t*)0x20001141 = 0);
NONFAILING(*(uint32_t*)0x20001142 = 4);
NONFAILING(*(uint16_t*)0x20001146 = 2);
NONFAILING(*(uint16_t*)0x20001148 = 1);
NONFAILING(*(uint64_t*)0x20001524 = 0x20001180);
NONFAILING(*(uint8_t*)0x20001180 = 0x20);
NONFAILING(*(uint8_t*)0x20001181 = 0);
NONFAILING(*(uint32_t*)0x20001182 = 8);
NONFAILING(*(uint16_t*)0x20001186 = 0x82);
NONFAILING(*(uint16_t*)0x20001188 = 0x20);
NONFAILING(*(uint32_t*)0x2000118a = 0xff00);
NONFAILING(*(uint64_t*)0x2000152c = 0x200011c0);
NONFAILING(*(uint8_t*)0x200011c0 = 0x20);
NONFAILING(*(uint8_t*)0x200011c1 = 0x80);
NONFAILING(*(uint32_t*)0x200011c2 = 0x1c);
NONFAILING(*(uint16_t*)0x200011c6 = 3);
NONFAILING(*(uint16_t*)0x200011c8 = 5);
NONFAILING(*(uint32_t*)0x200011ca = 0xbf);
NONFAILING(*(uint16_t*)0x200011ce = 0x7376);
NONFAILING(*(uint16_t*)0x200011d0 = 0xba0b);
NONFAILING(*(uint16_t*)0x200011d2 = 5);
NONFAILING(*(uint16_t*)0x200011d4 = 0);
NONFAILING(*(uint32_t*)0x200011d6 = 0x10000);
NONFAILING(*(uint16_t*)0x200011da = 0x3f5);
NONFAILING(*(uint16_t*)0x200011dc = 3);
NONFAILING(*(uint16_t*)0x200011de = 0xd9e3);
NONFAILING(*(uint16_t*)0x200011e0 = 0x81e);
NONFAILING(*(uint64_t*)0x20001534 = 0);
NONFAILING(*(uint64_t*)0x2000153c = 0);
NONFAILING(*(uint64_t*)0x20001544 = 0x20001280);
NONFAILING(*(uint8_t*)0x20001280 = 0x40);
NONFAILING(*(uint8_t*)0x20001281 = 0xb);
NONFAILING(*(uint32_t*)0x20001282 = 2);
NONFAILING(memcpy((void*)0x20001286, "\x11\x7f", 2));
NONFAILING(*(uint64_t*)0x2000154c = 0x200012c0);
NONFAILING(*(uint8_t*)0x200012c0 = 0x40);
NONFAILING(*(uint8_t*)0x200012c1 = 0xf);
NONFAILING(*(uint32_t*)0x200012c2 = 2);
NONFAILING(*(uint16_t*)0x200012c6 = 0xf0);
NONFAILING(*(uint64_t*)0x20001554 = 0x20001300);
NONFAILING(*(uint8_t*)0x20001300 = 0x40);
NONFAILING(*(uint8_t*)0x20001301 = 0x13);
NONFAILING(*(uint32_t*)0x20001302 = 6);
NONFAILING(*(uint8_t*)0x20001306 = 0xaa);
NONFAILING(*(uint8_t*)0x20001307 = 0xaa);
NONFAILING(*(uint8_t*)0x20001308 = 0xaa);
NONFAILING(*(uint8_t*)0x20001309 = 0xaa);
NONFAILING(*(uint8_t*)0x2000130a = 0xaa);
NONFAILING(*(uint8_t*)0x2000130b = 0xbb);
NONFAILING(*(uint64_t*)0x2000155c = 0x20001340);
NONFAILING(*(uint8_t*)0x20001340 = 0x40);
NONFAILING(*(uint8_t*)0x20001341 = 0x17);
NONFAILING(*(uint32_t*)0x20001342 = 6);
NONFAILING(*(uint8_t*)0x20001346 = 0xaa);
NONFAILING(*(uint8_t*)0x20001347 = 0xaa);
NONFAILING(*(uint8_t*)0x20001348 = 0xaa);
NONFAILING(*(uint8_t*)0x20001349 = 0xaa);
NONFAILING(*(uint8_t*)0x2000134a = 0xaa);
NONFAILING(*(uint8_t*)0x2000134b = 0xbb);
NONFAILING(*(uint64_t*)0x20001564 = 0x20001380);
NONFAILING(*(uint8_t*)0x20001380 = 0x40);
NONFAILING(*(uint8_t*)0x20001381 = 0x19);
NONFAILING(*(uint32_t*)0x20001382 = 2);
NONFAILING(memcpy((void*)0x20001386, "\x4a\xc3", 2));
NONFAILING(*(uint64_t*)0x2000156c = 0x200013c0);
NONFAILING(*(uint8_t*)0x200013c0 = 0x40);
NONFAILING(*(uint8_t*)0x200013c1 = 0x1a);
NONFAILING(*(uint32_t*)0x200013c2 = 2);
NONFAILING(*(uint16_t*)0x200013c6 = 0xac);
NONFAILING(*(uint64_t*)0x20001574 = 0x20001400);
NONFAILING(*(uint8_t*)0x20001400 = 0x40);
NONFAILING(*(uint8_t*)0x20001401 = 0x1c);
NONFAILING(*(uint32_t*)0x20001402 = 1);
NONFAILING(*(uint8_t*)0x20001406 = 0x40);
NONFAILING(*(uint64_t*)0x2000157c = 0x20001440);
NONFAILING(*(uint8_t*)0x20001440 = 0x40);
NONFAILING(*(uint8_t*)0x20001441 = 0x1e);
NONFAILING(*(uint32_t*)0x20001442 = 1);
NONFAILING(*(uint8_t*)0x20001446 = 1);
NONFAILING(*(uint64_t*)0x20001584 = 0x20001480);
NONFAILING(*(uint8_t*)0x20001480 = 0x40);
NONFAILING(*(uint8_t*)0x20001481 = 0x21);
NONFAILING(*(uint32_t*)0x20001482 = 1);
NONFAILING(*(uint8_t*)0x20001486 = -1);
syz_usb_control_io(r[4], 0x20000b80, 0x200014c0);
break;
}
}
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
install_segv_handler();
for (procid = 0; procid < 6; procid++) {
if (fork() == 0) {
loop();
}
}
sleep(1000000);
return 0;
}